agentlock-shared 0.1.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/__tests__/billing.test.d.ts +2 -0
- package/dist/__tests__/billing.test.d.ts.map +1 -0
- package/dist/__tests__/billing.test.js +31 -0
- package/dist/__tests__/billing.test.js.map +1 -0
- package/dist/__tests__/crypto.test.js +137 -47
- package/dist/__tests__/crypto.test.js.map +1 -1
- package/dist/__tests__/dns-pinning.test.d.ts +2 -0
- package/dist/__tests__/dns-pinning.test.d.ts.map +1 -0
- package/dist/__tests__/dns-pinning.test.js +33 -0
- package/dist/__tests__/dns-pinning.test.js.map +1 -0
- package/dist/__tests__/llm-classifier-cache-store.test.d.ts +2 -0
- package/dist/__tests__/llm-classifier-cache-store.test.d.ts.map +1 -0
- package/dist/__tests__/llm-classifier-cache-store.test.js +65 -0
- package/dist/__tests__/llm-classifier-cache-store.test.js.map +1 -0
- package/dist/__tests__/llm-classifier-cache.test.d.ts +2 -0
- package/dist/__tests__/llm-classifier-cache.test.d.ts.map +1 -0
- package/dist/__tests__/llm-classifier-cache.test.js +44 -0
- package/dist/__tests__/llm-classifier-cache.test.js.map +1 -0
- package/dist/__tests__/llm-classifier.test.d.ts +2 -0
- package/dist/__tests__/llm-classifier.test.d.ts.map +1 -0
- package/dist/__tests__/llm-classifier.test.js +167 -0
- package/dist/__tests__/llm-classifier.test.js.map +1 -0
- package/dist/__tests__/messaging.test.d.ts +2 -0
- package/dist/__tests__/messaging.test.d.ts.map +1 -0
- package/dist/__tests__/messaging.test.js +75 -0
- package/dist/__tests__/messaging.test.js.map +1 -0
- package/dist/__tests__/plans-classifier-limits.test.d.ts +2 -0
- package/dist/__tests__/plans-classifier-limits.test.d.ts.map +1 -0
- package/dist/__tests__/plans-classifier-limits.test.js +22 -0
- package/dist/__tests__/plans-classifier-limits.test.js.map +1 -0
- package/dist/__tests__/policy-category-floor.test.d.ts +2 -0
- package/dist/__tests__/policy-category-floor.test.d.ts.map +1 -0
- package/dist/__tests__/policy-category-floor.test.js +46 -0
- package/dist/__tests__/policy-category-floor.test.js.map +1 -0
- package/dist/__tests__/policy-claude-bash.test.d.ts +2 -0
- package/dist/__tests__/policy-claude-bash.test.d.ts.map +1 -0
- package/dist/__tests__/policy-claude-bash.test.js +401 -0
- package/dist/__tests__/policy-claude-bash.test.js.map +1 -0
- package/dist/__tests__/policy-llm-floor.test.d.ts +2 -0
- package/dist/__tests__/policy-llm-floor.test.d.ts.map +1 -0
- package/dist/__tests__/policy-llm-floor.test.js +107 -0
- package/dist/__tests__/policy-llm-floor.test.js.map +1 -0
- package/dist/__tests__/policy-ssh-e2e.test.d.ts +2 -0
- package/dist/__tests__/policy-ssh-e2e.test.d.ts.map +1 -0
- package/dist/__tests__/policy-ssh-e2e.test.js +89 -0
- package/dist/__tests__/policy-ssh-e2e.test.js.map +1 -0
- package/dist/__tests__/policy-ssh-sessions.test.d.ts +2 -0
- package/dist/__tests__/policy-ssh-sessions.test.d.ts.map +1 -0
- package/dist/__tests__/policy-ssh-sessions.test.js +139 -0
- package/dist/__tests__/policy-ssh-sessions.test.js.map +1 -0
- package/dist/__tests__/policy-ssh.test.d.ts +2 -0
- package/dist/__tests__/policy-ssh.test.d.ts.map +1 -0
- package/dist/__tests__/policy-ssh.test.js +180 -0
- package/dist/__tests__/policy-ssh.test.js.map +1 -0
- package/dist/__tests__/policy.test.js +522 -7
- package/dist/__tests__/policy.test.js.map +1 -1
- package/dist/__tests__/redact.test.js +76 -0
- package/dist/__tests__/redact.test.js.map +1 -1
- package/dist/__tests__/signing.test.js +89 -0
- package/dist/__tests__/signing.test.js.map +1 -1
- package/dist/__tests__/ssh-fingerprint.test.d.ts +2 -0
- package/dist/__tests__/ssh-fingerprint.test.d.ts.map +1 -0
- package/dist/__tests__/ssh-fingerprint.test.js +19 -0
- package/dist/__tests__/ssh-fingerprint.test.js.map +1 -0
- package/dist/__tests__/vpn-route.test.d.ts +2 -0
- package/dist/__tests__/vpn-route.test.d.ts.map +1 -0
- package/dist/__tests__/vpn-route.test.js +72 -0
- package/dist/__tests__/vpn-route.test.js.map +1 -0
- package/dist/__tests__/wireguard.test.d.ts +2 -0
- package/dist/__tests__/wireguard.test.d.ts.map +1 -0
- package/dist/__tests__/wireguard.test.js +114 -0
- package/dist/__tests__/wireguard.test.js.map +1 -0
- package/dist/billing.d.ts +12 -0
- package/dist/billing.d.ts.map +1 -0
- package/dist/billing.js +41 -0
- package/dist/billing.js.map +1 -0
- package/dist/crypto.d.ts +41 -0
- package/dist/crypto.d.ts.map +1 -1
- package/dist/crypto.js +208 -6
- package/dist/crypto.js.map +1 -1
- package/dist/dns-pinning.d.ts +28 -0
- package/dist/dns-pinning.d.ts.map +1 -0
- package/dist/dns-pinning.js +113 -0
- package/dist/dns-pinning.js.map +1 -0
- package/dist/index.d.ts +6 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +9 -0
- package/dist/index.js.map +1 -1
- package/dist/llm-classifier-cache-store.d.ts +49 -0
- package/dist/llm-classifier-cache-store.d.ts.map +1 -0
- package/dist/llm-classifier-cache-store.js +63 -0
- package/dist/llm-classifier-cache-store.js.map +1 -0
- package/dist/llm-classifier-cache.d.ts +6 -0
- package/dist/llm-classifier-cache.d.ts.map +1 -0
- package/dist/llm-classifier-cache.js +52 -0
- package/dist/llm-classifier-cache.js.map +1 -0
- package/dist/llm-classifier.d.ts +29 -0
- package/dist/llm-classifier.d.ts.map +1 -0
- package/dist/llm-classifier.js +191 -0
- package/dist/llm-classifier.js.map +1 -0
- package/dist/observability.d.ts +36 -0
- package/dist/observability.d.ts.map +1 -0
- package/dist/observability.js +75 -0
- package/dist/observability.js.map +1 -0
- package/dist/plans.d.ts +21 -0
- package/dist/plans.d.ts.map +1 -1
- package/dist/plans.js +52 -14
- package/dist/plans.js.map +1 -1
- package/dist/policy.d.ts +173 -3
- package/dist/policy.d.ts.map +1 -1
- package/dist/policy.js +951 -58
- package/dist/policy.js.map +1 -1
- package/dist/redact.d.ts.map +1 -1
- package/dist/redact.js +104 -7
- package/dist/redact.js.map +1 -1
- package/dist/regex-safety.d.ts +21 -0
- package/dist/regex-safety.d.ts.map +1 -0
- package/dist/regex-safety.js +49 -0
- package/dist/regex-safety.js.map +1 -0
- package/dist/sanitize.d.ts +31 -0
- package/dist/sanitize.d.ts.map +1 -0
- package/dist/sanitize.js +54 -0
- package/dist/sanitize.js.map +1 -0
- package/dist/schemas.d.ts +267 -14
- package/dist/schemas.d.ts.map +1 -1
- package/dist/schemas.js +152 -10
- package/dist/schemas.js.map +1 -1
- package/dist/signing.d.ts +15 -0
- package/dist/signing.d.ts.map +1 -1
- package/dist/signing.js +53 -4
- package/dist/signing.js.map +1 -1
- package/dist/ssh-fingerprint.d.ts +10 -0
- package/dist/ssh-fingerprint.d.ts.map +1 -0
- package/dist/ssh-fingerprint.js +52 -0
- package/dist/ssh-fingerprint.js.map +1 -0
- package/dist/ssrf.d.ts +36 -0
- package/dist/ssrf.d.ts.map +1 -0
- package/dist/ssrf.js +140 -0
- package/dist/ssrf.js.map +1 -0
- package/dist/types.d.ts +131 -0
- package/dist/types.d.ts.map +1 -1
- package/dist/wireguard.d.ts +63 -0
- package/dist/wireguard.d.ts.map +1 -0
- package/dist/wireguard.js +226 -0
- package/dist/wireguard.js.map +1 -0
- package/package.json +42 -29
- package/.turbo/turbo-build.log +0 -4
- package/.turbo/turbo-test.log +0 -34
- package/dist/__tests__/content-crypto.test.d.ts +0 -2
- package/dist/__tests__/content-crypto.test.d.ts.map +0 -1
- package/dist/__tests__/content-crypto.test.js +0 -117
- package/dist/__tests__/content-crypto.test.js.map +0 -1
- package/dist/content-crypto.d.ts +0 -24
- package/dist/content-crypto.d.ts.map +0 -1
- package/dist/content-crypto.js +0 -58
- package/dist/content-crypto.js.map +0 -1
- package/src/__tests__/policy.test.ts +0 -88
- package/src/__tests__/redact.test.ts +0 -41
- package/src/__tests__/signing.test.ts +0 -55
- package/src/crypto.ts +0 -87
- package/src/index.ts +0 -8
- package/src/mcp-catalog.ts +0 -181
- package/src/plans.ts +0 -96
- package/src/policy.ts +0 -186
- package/src/redact.ts +0 -114
- package/src/schemas.ts +0 -53
- package/src/signing.ts +0 -120
- package/src/types.ts +0 -212
- package/test-gateway.mjs +0 -47
- package/tsconfig.json +0 -10
- package/vitest.config.ts +0 -8
|
@@ -4,9 +4,20 @@ const vitest_1 = require("vitest");
|
|
|
4
4
|
const policy_js_1 = require("../policy.js");
|
|
5
5
|
(0, vitest_1.describe)('Policy Engine', () => {
|
|
6
6
|
(0, vitest_1.it)('should ALLOW read actions by default', () => {
|
|
7
|
-
|
|
7
|
+
// Use mcp.list_tools — classified `read` with no gating — to test the
|
|
8
|
+
// default read policy. (Unknown/unclassified tools now floor to `write`
|
|
9
|
+
// and require approval, so they are no longer a valid "safe read" sample.)
|
|
10
|
+
const action = { action_type: 'read', tool: 'mcp.list_tools', payload: {} };
|
|
8
11
|
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES).decision).toBe('ALLOW');
|
|
9
12
|
});
|
|
13
|
+
(0, vitest_1.it)('should REQUIRE_APPROVAL for an unrecognised tool even when declared read', () => {
|
|
14
|
+
// A tool the engine cannot classify must not ride the read→ALLOW default.
|
|
15
|
+
// It is floored to `write` and sent for approval rather than auto-allowed.
|
|
16
|
+
const action = { action_type: 'read', tool: 'custom.do_thing', payload: {} };
|
|
17
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES);
|
|
18
|
+
(0, vitest_1.expect)(result.effective_action_type).toBe('write');
|
|
19
|
+
(0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
|
|
20
|
+
});
|
|
10
21
|
(0, vitest_1.it)('should REQUIRE_APPROVAL for write actions', () => {
|
|
11
22
|
const action = { action_type: 'write', tool: 'demo', payload: {} };
|
|
12
23
|
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES).decision).toBe('REQUIRE_APPROVAL');
|
|
@@ -43,19 +54,37 @@ const policy_js_1 = require("../policy.js");
|
|
|
43
54
|
};
|
|
44
55
|
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('BLOCK');
|
|
45
56
|
});
|
|
46
|
-
(0, vitest_1.it)('should
|
|
57
|
+
(0, vitest_1.it)('should REQUIRE_APPROVAL for admin actions even when defaultMode is allow', () => {
|
|
47
58
|
const action = { action_type: 'admin', tool: 'system', payload: {} };
|
|
48
59
|
const rules = { ...policy_js_1.DEFAULT_POLICY_RULES, defaultMode: 'allow', rules: [] };
|
|
49
60
|
const result = (0, policy_js_1.evaluatePolicy)(action, rules);
|
|
50
|
-
(0, vitest_1.expect)(result.decision).toBe('
|
|
51
|
-
(0, vitest_1.expect)(result.reason).toBe('Default policy');
|
|
61
|
+
(0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
|
|
52
62
|
});
|
|
53
|
-
(0, vitest_1.it)('should
|
|
63
|
+
(0, vitest_1.it)('should REQUIRE_APPROVAL for financial actions even when defaultMode is allow', () => {
|
|
54
64
|
const action = { action_type: 'financial', tool: 'stripe', payload: {} };
|
|
55
65
|
const rules = { ...policy_js_1.DEFAULT_POLICY_RULES, defaultMode: 'allow', rules: [] };
|
|
56
66
|
const result = (0, policy_js_1.evaluatePolicy)(action, rules);
|
|
57
|
-
(0, vitest_1.expect)(result.decision).toBe('
|
|
58
|
-
|
|
67
|
+
(0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
|
|
68
|
+
});
|
|
69
|
+
(0, vitest_1.it)('should REQUIRE_APPROVAL for admin action even with explicit ALLOW rule', () => {
|
|
70
|
+
const action = { action_type: 'admin', tool: 'admin.delete_user', payload: {} };
|
|
71
|
+
const rules = {
|
|
72
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
73
|
+
defaultMode: 'allow',
|
|
74
|
+
rules: [{ action_type: 'admin', decision: 'ALLOW' }],
|
|
75
|
+
};
|
|
76
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, rules);
|
|
77
|
+
(0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
|
|
78
|
+
});
|
|
79
|
+
(0, vitest_1.it)('should REQUIRE_APPROVAL for financial action even with explicit ALLOW rule', () => {
|
|
80
|
+
const action = { action_type: 'financial', tool: 'stripe.charge', payload: {} };
|
|
81
|
+
const rules = {
|
|
82
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
83
|
+
defaultMode: 'allow',
|
|
84
|
+
rules: [{ action_type: 'financial', decision: 'ALLOW' }],
|
|
85
|
+
};
|
|
86
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, rules);
|
|
87
|
+
(0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
|
|
59
88
|
});
|
|
60
89
|
(0, vitest_1.it)('should still respect explicit rules for admin even with defaultMode allow', () => {
|
|
61
90
|
const action = { action_type: 'admin', tool: 'system', payload: {} };
|
|
@@ -66,6 +95,44 @@ const policy_js_1 = require("../policy.js");
|
|
|
66
95
|
};
|
|
67
96
|
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('BLOCK');
|
|
68
97
|
});
|
|
98
|
+
// --- High-risk auto-approval opt-in ---
|
|
99
|
+
(0, vitest_1.it)('should ALLOW financial action when allowHighRiskAutoApproval.financial is true and rule says ALLOW', () => {
|
|
100
|
+
const action = { action_type: 'financial', tool: 'stripe.charge', payload: {} };
|
|
101
|
+
const rules = {
|
|
102
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
103
|
+
rules: [{ action_type: 'financial', decision: 'ALLOW' }],
|
|
104
|
+
allowHighRiskAutoApproval: { financial: true },
|
|
105
|
+
};
|
|
106
|
+
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('ALLOW');
|
|
107
|
+
});
|
|
108
|
+
(0, vitest_1.it)('should ALLOW admin action when allowHighRiskAutoApproval.admin is true and rule says ALLOW', () => {
|
|
109
|
+
const action = { action_type: 'admin', tool: 'admin.delete_user', payload: {} };
|
|
110
|
+
const rules = {
|
|
111
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
112
|
+
rules: [{ action_type: 'admin', decision: 'ALLOW' }],
|
|
113
|
+
allowHighRiskAutoApproval: { admin: true },
|
|
114
|
+
};
|
|
115
|
+
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('ALLOW');
|
|
116
|
+
});
|
|
117
|
+
(0, vitest_1.it)('should NOT auto-allow admin when only financial is opted in', () => {
|
|
118
|
+
const action = { action_type: 'admin', tool: 'admin.delete_user', payload: {} };
|
|
119
|
+
const rules = {
|
|
120
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
121
|
+
rules: [{ action_type: 'admin', decision: 'ALLOW' }],
|
|
122
|
+
allowHighRiskAutoApproval: { financial: true }, // admin NOT opted in
|
|
123
|
+
};
|
|
124
|
+
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('REQUIRE_APPROVAL');
|
|
125
|
+
});
|
|
126
|
+
(0, vitest_1.it)('should honor permissive defaultMode for financial when opted in', () => {
|
|
127
|
+
const action = { action_type: 'financial', tool: 'stripe', payload: {} };
|
|
128
|
+
const rules = {
|
|
129
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
130
|
+
defaultMode: 'allow',
|
|
131
|
+
rules: [],
|
|
132
|
+
allowHighRiskAutoApproval: { financial: true },
|
|
133
|
+
};
|
|
134
|
+
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('ALLOW');
|
|
135
|
+
});
|
|
69
136
|
(0, vitest_1.it)('should BLOCK when cost exceeds limit', () => {
|
|
70
137
|
const action = {
|
|
71
138
|
action_type: 'financial',
|
|
@@ -76,5 +143,453 @@ const policy_js_1 = require("../policy.js");
|
|
|
76
143
|
const rules = { ...policy_js_1.DEFAULT_POLICY_RULES, limits: { maxCostPerAction: 100 } };
|
|
77
144
|
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('BLOCK');
|
|
78
145
|
});
|
|
146
|
+
// --- Case-sensitivity bypass tests ---
|
|
147
|
+
(0, vitest_1.it)('should enforce HTTP domain allowlist even with mixed-case tool name', () => {
|
|
148
|
+
const action = {
|
|
149
|
+
action_type: 'read',
|
|
150
|
+
tool: 'Http.get',
|
|
151
|
+
payload: { url: 'https://evil.com/data', method: 'GET' },
|
|
152
|
+
};
|
|
153
|
+
const rules = {
|
|
154
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
155
|
+
http: { allowedDomains: ['trusted.com'], allowedMethods: ['GET'], blockList: [] },
|
|
156
|
+
};
|
|
157
|
+
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('BLOCK');
|
|
158
|
+
});
|
|
159
|
+
(0, vitest_1.it)('should match tool-specific rules case-insensitively', () => {
|
|
160
|
+
const action = {
|
|
161
|
+
action_type: 'read',
|
|
162
|
+
tool: 'MCP.list_tools',
|
|
163
|
+
payload: {},
|
|
164
|
+
};
|
|
165
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES);
|
|
166
|
+
(0, vitest_1.expect)(result.decision).toBe('ALLOW');
|
|
167
|
+
});
|
|
168
|
+
// --- URL edge cases ---
|
|
169
|
+
(0, vitest_1.it)('should not match subdomain of blocklisted domain (e.g., notevil.com vs evil.com)', () => {
|
|
170
|
+
const action = {
|
|
171
|
+
action_type: 'read',
|
|
172
|
+
tool: 'http.get',
|
|
173
|
+
payload: { url: 'https://notevil.com/data', method: 'GET' },
|
|
174
|
+
};
|
|
175
|
+
const rules = {
|
|
176
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
177
|
+
http: { allowedDomains: ['notevil.com', 'trusted.com'], allowedMethods: ['GET'], blockList: ['evil.com'] },
|
|
178
|
+
};
|
|
179
|
+
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).not.toBe('BLOCK');
|
|
180
|
+
});
|
|
181
|
+
(0, vitest_1.it)('should BLOCK HTTP tool with no URL in payload', () => {
|
|
182
|
+
const action = {
|
|
183
|
+
action_type: 'read',
|
|
184
|
+
tool: 'http.get',
|
|
185
|
+
payload: {},
|
|
186
|
+
};
|
|
187
|
+
const rules = {
|
|
188
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
189
|
+
http: { allowedDomains: ['trusted.com'], allowedMethods: ['GET'], blockList: [] },
|
|
190
|
+
};
|
|
191
|
+
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('BLOCK');
|
|
192
|
+
});
|
|
193
|
+
// --- Browser tool policy ---
|
|
194
|
+
(0, vitest_1.it)('should REQUIRE_APPROVAL for browser.open', () => {
|
|
195
|
+
const action = {
|
|
196
|
+
action_type: 'write',
|
|
197
|
+
tool: 'browser.open',
|
|
198
|
+
payload: { url: 'https://example.com' },
|
|
199
|
+
};
|
|
200
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES);
|
|
201
|
+
(0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
|
|
202
|
+
});
|
|
203
|
+
(0, vitest_1.it)('should BLOCK browser.* actions without a session (reaching policy engine)', () => {
|
|
204
|
+
const action = {
|
|
205
|
+
action_type: 'write',
|
|
206
|
+
tool: 'browser.click',
|
|
207
|
+
payload: {},
|
|
208
|
+
};
|
|
209
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES);
|
|
210
|
+
(0, vitest_1.expect)(result.decision).toBe('BLOCK');
|
|
211
|
+
});
|
|
212
|
+
(0, vitest_1.it)('should fall through to default rules for browser.* with hasActiveSession (20.10 fix)', () => {
|
|
213
|
+
// When the gateway has pre-validated a browser_sessions row, the catch-all
|
|
214
|
+
// BLOCK for `browser.*` non-`.open` must be skipped so the request falls
|
|
215
|
+
// through to per-tool / default-mode evaluation. Before this fix, every
|
|
216
|
+
// browser.snapshot / browser.click / etc. after browser.open was BLOCKED
|
|
217
|
+
// with "Browser actions require an active session", even with a valid
|
|
218
|
+
// session_id — the policy engine had no session awareness.
|
|
219
|
+
const action = {
|
|
220
|
+
action_type: 'read',
|
|
221
|
+
tool: 'browser.snapshot',
|
|
222
|
+
payload: { session_id: 'bs_test' },
|
|
223
|
+
};
|
|
224
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES, {
|
|
225
|
+
hasActiveSession: true,
|
|
226
|
+
});
|
|
227
|
+
// Falls through to default rules (DEFAULT_POLICY_RULES has a read->ALLOW
|
|
228
|
+
// entry for browser.snapshot), so we expect ALLOW — *not* the catch-all
|
|
229
|
+
// BLOCK we would get without the flag.
|
|
230
|
+
(0, vitest_1.expect)(result.decision).not.toBe('BLOCK');
|
|
231
|
+
});
|
|
232
|
+
(0, vitest_1.it)('should still BLOCK browser.* when hasActiveSession is false or omitted', () => {
|
|
233
|
+
// Defense-in-depth: the catch-all must still fire for callers that forgot
|
|
234
|
+
// to pass hasActiveSession, otherwise an unverified session_id could
|
|
235
|
+
// survive policy eval.
|
|
236
|
+
const action = {
|
|
237
|
+
action_type: 'read',
|
|
238
|
+
tool: 'browser.snapshot',
|
|
239
|
+
payload: { session_id: 'bs_test' },
|
|
240
|
+
};
|
|
241
|
+
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES).decision).toBe('BLOCK');
|
|
242
|
+
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES, { hasActiveSession: false }).decision).toBe('BLOCK');
|
|
243
|
+
});
|
|
244
|
+
(0, vitest_1.it)('should honor per-tool BLOCK rules for browser.* even with hasActiveSession', () => {
|
|
245
|
+
// The gateway relies on this: admins can configure
|
|
246
|
+
// `rules: [{tool: 'browser.fill_credentials', decision: 'BLOCK'}]` and
|
|
247
|
+
// that rule must not be shadowed by the hasActiveSession fall-through.
|
|
248
|
+
const action = {
|
|
249
|
+
action_type: 'write',
|
|
250
|
+
tool: 'browser.fill_credentials',
|
|
251
|
+
payload: { session_id: 'bs_test', credential_name: 'gmail' },
|
|
252
|
+
};
|
|
253
|
+
const rulesWithToolBlock = {
|
|
254
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
255
|
+
rules: [
|
|
256
|
+
{ tool: 'browser.fill_credentials', decision: 'BLOCK' },
|
|
257
|
+
],
|
|
258
|
+
};
|
|
259
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, rulesWithToolBlock, {
|
|
260
|
+
hasActiveSession: true,
|
|
261
|
+
});
|
|
262
|
+
(0, vitest_1.expect)(result.decision).toBe('BLOCK');
|
|
263
|
+
});
|
|
264
|
+
// --- Unknown action_type ---
|
|
265
|
+
(0, vitest_1.it)('should BLOCK unknown action types', () => {
|
|
266
|
+
const action = {
|
|
267
|
+
action_type: 'delete',
|
|
268
|
+
tool: 'custom.tool',
|
|
269
|
+
payload: {},
|
|
270
|
+
};
|
|
271
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES);
|
|
272
|
+
(0, vitest_1.expect)(result.decision).toBe('BLOCK');
|
|
273
|
+
});
|
|
274
|
+
// --- cost_estimate omission ---
|
|
275
|
+
(0, vitest_1.it)('should not enforce budget check when cost_estimate is omitted', () => {
|
|
276
|
+
const action = {
|
|
277
|
+
action_type: 'write',
|
|
278
|
+
tool: 'demo',
|
|
279
|
+
payload: {},
|
|
280
|
+
// cost_estimate intentionally omitted
|
|
281
|
+
};
|
|
282
|
+
const rules = { ...policy_js_1.DEFAULT_POLICY_RULES, limits: { maxCostPerAction: 100 } };
|
|
283
|
+
// Should match action_type 'write' rule, not be BLOCK-ed by cost limit
|
|
284
|
+
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('REQUIRE_APPROVAL');
|
|
285
|
+
});
|
|
286
|
+
// --- HTTP allowlist not configured ---
|
|
287
|
+
(0, vitest_1.it)('should REQUIRE_APPROVAL when HTTP allowlist is empty (safe default)', () => {
|
|
288
|
+
const action = {
|
|
289
|
+
action_type: 'read',
|
|
290
|
+
tool: 'http.get',
|
|
291
|
+
payload: { url: 'https://any-site.com/data', method: 'GET' },
|
|
292
|
+
};
|
|
293
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES);
|
|
294
|
+
(0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
|
|
295
|
+
});
|
|
296
|
+
// --- Allow-all-domains opt-in ---
|
|
297
|
+
(0, vitest_1.it)('should skip allowlist check when allowAllDomains is true', () => {
|
|
298
|
+
const action = {
|
|
299
|
+
action_type: 'read',
|
|
300
|
+
tool: 'http.get',
|
|
301
|
+
payload: { url: 'https://any-site.com/data', method: 'GET' },
|
|
302
|
+
};
|
|
303
|
+
const rules = {
|
|
304
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
305
|
+
rules: [{ action_type: 'read', decision: 'ALLOW' }],
|
|
306
|
+
http: { allowedDomains: [], allowedMethods: ['GET'], blockList: [], allowAllDomains: true },
|
|
307
|
+
};
|
|
308
|
+
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('ALLOW');
|
|
309
|
+
});
|
|
310
|
+
(0, vitest_1.it)('should still enforce blockList when allowAllDomains is true', () => {
|
|
311
|
+
const action = {
|
|
312
|
+
action_type: 'read',
|
|
313
|
+
tool: 'http.get',
|
|
314
|
+
payload: { url: 'https://evil.com/data', method: 'GET' },
|
|
315
|
+
};
|
|
316
|
+
const rules = {
|
|
317
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
318
|
+
http: { allowedDomains: [], allowedMethods: ['GET'], blockList: ['evil.com'], allowAllDomains: true },
|
|
319
|
+
};
|
|
320
|
+
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('BLOCK');
|
|
321
|
+
});
|
|
322
|
+
(0, vitest_1.it)('should still enforce method restrictions when allowAllDomains is true', () => {
|
|
323
|
+
const action = {
|
|
324
|
+
action_type: 'write',
|
|
325
|
+
tool: 'http.request',
|
|
326
|
+
payload: { url: 'https://any-site.com/data', method: 'DELETE' },
|
|
327
|
+
};
|
|
328
|
+
const rules = {
|
|
329
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
330
|
+
http: { allowedDomains: [], allowedMethods: ['GET'], blockList: [], allowAllDomains: true },
|
|
331
|
+
};
|
|
332
|
+
(0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('BLOCK');
|
|
333
|
+
});
|
|
334
|
+
// --- Category floor / downgrade attack protection ---------------------------
|
|
335
|
+
//
|
|
336
|
+
// These tests cover the server-side category floor. The agent self-declares
|
|
337
|
+
// `action_type`, but a malicious/prompt-injected agent could label any action
|
|
338
|
+
// as `read` to bypass restrictions. The floor ensures that the tool+payload
|
|
339
|
+
// is independently classified and `effective = max(declared, floor)`.
|
|
340
|
+
(0, vitest_1.describe)('maxCategory', () => {
|
|
341
|
+
(0, vitest_1.it)('returns the more restrictive category', () => {
|
|
342
|
+
(0, vitest_1.expect)((0, policy_js_1.maxCategory)('read', 'read')).toBe('read');
|
|
343
|
+
(0, vitest_1.expect)((0, policy_js_1.maxCategory)('read', 'write')).toBe('write');
|
|
344
|
+
(0, vitest_1.expect)((0, policy_js_1.maxCategory)('write', 'read')).toBe('write');
|
|
345
|
+
(0, vitest_1.expect)((0, policy_js_1.maxCategory)('read', 'financial')).toBe('financial');
|
|
346
|
+
(0, vitest_1.expect)((0, policy_js_1.maxCategory)('financial', 'admin')).toBe('admin');
|
|
347
|
+
(0, vitest_1.expect)((0, policy_js_1.maxCategory)('admin', 'read')).toBe('admin');
|
|
348
|
+
});
|
|
349
|
+
});
|
|
350
|
+
(0, vitest_1.describe)('getCategoryFloor', () => {
|
|
351
|
+
(0, vitest_1.it)('HTTP: GET/HEAD/OPTIONS => read', () => {
|
|
352
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('http.request', { url: 'https://api.example.com/x', method: 'GET' })).toBe('read');
|
|
353
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('http.request', { url: 'https://api.example.com/x', method: 'HEAD' })).toBe('read');
|
|
354
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('http.request', { url: 'https://api.example.com/x', method: 'OPTIONS' })).toBe('read');
|
|
355
|
+
});
|
|
356
|
+
(0, vitest_1.it)('HTTP: POST/PUT/PATCH/DELETE => write', () => {
|
|
357
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('http.request', { url: 'https://api.example.com/x', method: 'POST' })).toBe('write');
|
|
358
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('http.request', { url: 'https://api.example.com/x', method: 'PUT' })).toBe('write');
|
|
359
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('http.request', { url: 'https://api.example.com/x', method: 'PATCH' })).toBe('write');
|
|
360
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('http.request', { url: 'https://api.example.com/x', method: 'DELETE' })).toBe('write');
|
|
361
|
+
});
|
|
362
|
+
(0, vitest_1.it)('HTTP: URLs containing payment keywords => financial regardless of method', () => {
|
|
363
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('http.request', { url: 'https://api.stripe.com/v1/charges', method: 'GET' })).toBe('financial');
|
|
364
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('http.request', { url: 'https://api.example.com/billing/invoice', method: 'GET' })).toBe('financial');
|
|
365
|
+
});
|
|
366
|
+
(0, vitest_1.it)('HTTP: URLs containing admin keywords => admin', () => {
|
|
367
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('http.request', { url: 'https://api.example.com/admin/users/1', method: 'DELETE' })).toBe('admin');
|
|
368
|
+
});
|
|
369
|
+
(0, vitest_1.it)('Browser: read-only tools => read', () => {
|
|
370
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('browser.snapshot', {})).toBe('read');
|
|
371
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('browser.screenshot', {})).toBe('read');
|
|
372
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('browser.scroll', {})).toBe('read');
|
|
373
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('browser.close', {})).toBe('read');
|
|
374
|
+
});
|
|
375
|
+
(0, vitest_1.it)('Browser: everything else => write', () => {
|
|
376
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('browser.click', {})).toBe('write');
|
|
377
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('browser.type', {})).toBe('write');
|
|
378
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('browser.fill_credentials', {})).toBe('write');
|
|
379
|
+
});
|
|
380
|
+
(0, vitest_1.it)('MCP: list_tools => read', () => {
|
|
381
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('mcp.list_tools', { server: 'github' })).toBe('read');
|
|
382
|
+
});
|
|
383
|
+
(0, vitest_1.it)('MCP: call_tool floors based on downstream method name', () => {
|
|
384
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('mcp.call_tool', { server: 'stripe', method: 'create_charge' })).toBe('financial');
|
|
385
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('mcp.call_tool', { server: 'github', method: 'delete_user' })).toBe('admin');
|
|
386
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('mcp.call_tool', { server: 'db', method: 'read_row' })).toBe('write');
|
|
387
|
+
});
|
|
388
|
+
(0, vitest_1.it)('Direct tool name pattern matching', () => {
|
|
389
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('stripe.charge', {})).toBe('financial');
|
|
390
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('paypal.transfer', {})).toBe('financial');
|
|
391
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('admin.delete_user', {})).toBe('admin');
|
|
392
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('db.drop_table', {})).toBe('admin');
|
|
393
|
+
});
|
|
394
|
+
(0, vitest_1.it)('Unknown tools fail closed to write (untrusted)', () => {
|
|
395
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('demo.list_items', {})).toBe('write');
|
|
396
|
+
(0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('unknown.thing', {})).toBe('write');
|
|
397
|
+
});
|
|
398
|
+
});
|
|
399
|
+
(0, vitest_1.describe)('evaluatePolicy downgrade attack protection', () => {
|
|
400
|
+
(0, vitest_1.it)('blocks agent that declares stripe.charge as read', () => {
|
|
401
|
+
// Agent labels a financial tool as read — floor bumps it to financial,
|
|
402
|
+
// which matches the financial action-type rule (REQUIRE_APPROVAL).
|
|
403
|
+
const action = {
|
|
404
|
+
action_type: 'read',
|
|
405
|
+
tool: 'stripe.charge',
|
|
406
|
+
payload: { amount: 1000 },
|
|
407
|
+
};
|
|
408
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES);
|
|
409
|
+
(0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
|
|
410
|
+
(0, vitest_1.expect)(result.effective_action_type).toBe('financial');
|
|
411
|
+
(0, vitest_1.expect)(result.risk_level).toBe('high');
|
|
412
|
+
(0, vitest_1.expect)(result.reason).toContain('category floored');
|
|
413
|
+
});
|
|
414
|
+
(0, vitest_1.it)('blocks agent that declares admin.delete_user as read', () => {
|
|
415
|
+
const action = {
|
|
416
|
+
action_type: 'read',
|
|
417
|
+
tool: 'admin.delete_user',
|
|
418
|
+
payload: { user_id: 'u_123' },
|
|
419
|
+
};
|
|
420
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES);
|
|
421
|
+
// The admin action-type rule is BLOCK in DEFAULT_POLICY_RULES.
|
|
422
|
+
(0, vitest_1.expect)(result.decision).toBe('BLOCK');
|
|
423
|
+
(0, vitest_1.expect)(result.effective_action_type).toBe('admin');
|
|
424
|
+
(0, vitest_1.expect)(result.risk_level).toBe('critical');
|
|
425
|
+
});
|
|
426
|
+
(0, vitest_1.it)('blocks MCP downgrade: call_tool to stripe.create_charge labeled as read', () => {
|
|
427
|
+
const action = {
|
|
428
|
+
action_type: 'read',
|
|
429
|
+
tool: 'mcp.call_tool',
|
|
430
|
+
payload: { server: 'stripe', method: 'create_charge', params: { amount: 500 } },
|
|
431
|
+
};
|
|
432
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES);
|
|
433
|
+
(0, vitest_1.expect)(result.effective_action_type).toBe('financial');
|
|
434
|
+
(0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
|
|
435
|
+
});
|
|
436
|
+
(0, vitest_1.it)('HTTP POST labeled as read is floored to write', () => {
|
|
437
|
+
// Use a rules object without a tool rule for http so the action_type
|
|
438
|
+
// rule is the one that matches — that way we can observe the floor.
|
|
439
|
+
const action = {
|
|
440
|
+
action_type: 'read',
|
|
441
|
+
tool: 'http.request',
|
|
442
|
+
payload: { url: 'https://api.example.com/things', method: 'POST', body: {} },
|
|
443
|
+
};
|
|
444
|
+
const rules = {
|
|
445
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
446
|
+
rules: [
|
|
447
|
+
{ action_type: 'read', decision: 'ALLOW' },
|
|
448
|
+
{ action_type: 'write', decision: 'REQUIRE_APPROVAL' },
|
|
449
|
+
],
|
|
450
|
+
http: { allowedDomains: ['api.example.com'], allowedMethods: ['GET', 'POST'], blockList: [] },
|
|
451
|
+
};
|
|
452
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, rules);
|
|
453
|
+
(0, vitest_1.expect)(result.effective_action_type).toBe('write');
|
|
454
|
+
// The read rule would have ALLOWED, but the floor bumps us to write → REQUIRE_APPROVAL.
|
|
455
|
+
(0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
|
|
456
|
+
});
|
|
457
|
+
(0, vitest_1.it)('HTTP GET labeled as read stays read (no false positives)', () => {
|
|
458
|
+
const action = {
|
|
459
|
+
action_type: 'read',
|
|
460
|
+
tool: 'http.request',
|
|
461
|
+
payload: { url: 'https://api.example.com/things', method: 'GET' },
|
|
462
|
+
};
|
|
463
|
+
const rules = {
|
|
464
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
465
|
+
rules: [
|
|
466
|
+
{ action_type: 'read', decision: 'ALLOW' },
|
|
467
|
+
{ action_type: 'write', decision: 'REQUIRE_APPROVAL' },
|
|
468
|
+
],
|
|
469
|
+
http: { allowedDomains: ['api.example.com'], allowedMethods: ['GET'], blockList: [] },
|
|
470
|
+
};
|
|
471
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, rules);
|
|
472
|
+
(0, vitest_1.expect)(result.effective_action_type).toBe('read');
|
|
473
|
+
(0, vitest_1.expect)(result.decision).toBe('ALLOW');
|
|
474
|
+
// Reason should NOT mention floor upgrade (nothing was upgraded).
|
|
475
|
+
(0, vitest_1.expect)(result.reason).not.toContain('category floored');
|
|
476
|
+
});
|
|
477
|
+
(0, vitest_1.it)('legitimate financial declaration is not penalized (idempotent with floor)', () => {
|
|
478
|
+
// Agent correctly declares financial — floor is financial too → effective = financial.
|
|
479
|
+
const action = {
|
|
480
|
+
action_type: 'financial',
|
|
481
|
+
tool: 'stripe.charge',
|
|
482
|
+
payload: { amount: 1000 },
|
|
483
|
+
};
|
|
484
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES);
|
|
485
|
+
(0, vitest_1.expect)(result.effective_action_type).toBe('financial');
|
|
486
|
+
(0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
|
|
487
|
+
(0, vitest_1.expect)(result.reason).not.toContain('category floored');
|
|
488
|
+
});
|
|
489
|
+
(0, vitest_1.it)('allowHighRiskAutoApproval.financial still works with floor upgrade', () => {
|
|
490
|
+
// Workspace explicitly opted in to auto-approve financial. A downgrade
|
|
491
|
+
// attempt should still end up in the financial bucket, which is then
|
|
492
|
+
// honored as ALLOW because of the opt-in.
|
|
493
|
+
const action = {
|
|
494
|
+
action_type: 'read',
|
|
495
|
+
tool: 'stripe.charge',
|
|
496
|
+
payload: { amount: 1000 },
|
|
497
|
+
};
|
|
498
|
+
const rules = {
|
|
499
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
500
|
+
rules: [{ action_type: 'financial', decision: 'ALLOW' }],
|
|
501
|
+
allowHighRiskAutoApproval: { financial: true },
|
|
502
|
+
};
|
|
503
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, rules);
|
|
504
|
+
(0, vitest_1.expect)(result.effective_action_type).toBe('financial');
|
|
505
|
+
(0, vitest_1.expect)(result.decision).toBe('ALLOW');
|
|
506
|
+
});
|
|
507
|
+
(0, vitest_1.it)('tool-specific rule still wins over action-type rule after floor', () => {
|
|
508
|
+
// If a workspace has an explicit tool rule for stripe.charge = BLOCK,
|
|
509
|
+
// that should take precedence regardless of what the agent declared.
|
|
510
|
+
const action = {
|
|
511
|
+
action_type: 'read',
|
|
512
|
+
tool: 'stripe.charge',
|
|
513
|
+
payload: { amount: 1000 },
|
|
514
|
+
};
|
|
515
|
+
const rules = {
|
|
516
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
517
|
+
rules: [
|
|
518
|
+
...policy_js_1.DEFAULT_POLICY_RULES.rules,
|
|
519
|
+
{ tool: 'stripe.charge', decision: 'BLOCK' },
|
|
520
|
+
],
|
|
521
|
+
};
|
|
522
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, rules);
|
|
523
|
+
(0, vitest_1.expect)(result.decision).toBe('BLOCK');
|
|
524
|
+
(0, vitest_1.expect)(result.effective_action_type).toBe('financial');
|
|
525
|
+
});
|
|
526
|
+
});
|
|
527
|
+
// --- Per-agent opt-out: skipCategoryFloor ----------------------------------
|
|
528
|
+
//
|
|
529
|
+
// Owners can disable the floor for a specific trusted agent. In that case,
|
|
530
|
+
// the declared action_type is used as-is and downgrade attempts succeed.
|
|
531
|
+
// These tests lock the escape-hatch semantics down so a refactor can't
|
|
532
|
+
// silently re-apply the floor for trusted agents.
|
|
533
|
+
(0, vitest_1.describe)('evaluatePolicy skipCategoryFloor option', () => {
|
|
534
|
+
(0, vitest_1.it)('trusts declared action_type when skipCategoryFloor is true (allows stripe.charge as read)', () => {
|
|
535
|
+
const action = {
|
|
536
|
+
action_type: 'read',
|
|
537
|
+
tool: 'stripe.charge',
|
|
538
|
+
payload: { amount: 1000 },
|
|
539
|
+
};
|
|
540
|
+
// With the default rules the read action_type rule is ALLOW — and because
|
|
541
|
+
// the floor is skipped, the request is no longer upgraded to financial.
|
|
542
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES, { skipCategoryFloor: true });
|
|
543
|
+
(0, vitest_1.expect)(result.effective_action_type).toBe('read');
|
|
544
|
+
(0, vitest_1.expect)(result.decision).toBe('ALLOW');
|
|
545
|
+
(0, vitest_1.expect)(result.reason).not.toContain('category floored');
|
|
546
|
+
});
|
|
547
|
+
(0, vitest_1.it)('still blocks admin when agent correctly declares admin (floor is a floor, not a ceiling)', () => {
|
|
548
|
+
const action = {
|
|
549
|
+
action_type: 'admin',
|
|
550
|
+
tool: 'admin.delete_user',
|
|
551
|
+
payload: { user_id: 'u_123' },
|
|
552
|
+
};
|
|
553
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES, { skipCategoryFloor: true });
|
|
554
|
+
// The admin rule is BLOCK regardless of the floor.
|
|
555
|
+
(0, vitest_1.expect)(result.decision).toBe('BLOCK');
|
|
556
|
+
(0, vitest_1.expect)(result.effective_action_type).toBe('admin');
|
|
557
|
+
});
|
|
558
|
+
(0, vitest_1.it)('default (no options) still applies the floor', () => {
|
|
559
|
+
const action = {
|
|
560
|
+
action_type: 'read',
|
|
561
|
+
tool: 'stripe.charge',
|
|
562
|
+
payload: { amount: 1000 },
|
|
563
|
+
};
|
|
564
|
+
// Same request without the option — floor bumps to financial.
|
|
565
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES);
|
|
566
|
+
(0, vitest_1.expect)(result.effective_action_type).toBe('financial');
|
|
567
|
+
(0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
|
|
568
|
+
});
|
|
569
|
+
(0, vitest_1.it)('explicit { skipCategoryFloor: false } applies the floor (no accidental opt-in)', () => {
|
|
570
|
+
const action = {
|
|
571
|
+
action_type: 'read',
|
|
572
|
+
tool: 'stripe.charge',
|
|
573
|
+
payload: { amount: 1000 },
|
|
574
|
+
};
|
|
575
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES, { skipCategoryFloor: false });
|
|
576
|
+
(0, vitest_1.expect)(result.effective_action_type).toBe('financial');
|
|
577
|
+
(0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
|
|
578
|
+
});
|
|
579
|
+
(0, vitest_1.it)('skipCategoryFloor does not bypass HTTP allowlist safety', () => {
|
|
580
|
+
// Even for trusted agents, the HTTP allowlist and block list still apply.
|
|
581
|
+
const action = {
|
|
582
|
+
action_type: 'read',
|
|
583
|
+
tool: 'http.request',
|
|
584
|
+
payload: { url: 'https://evil.com/data', method: 'GET' },
|
|
585
|
+
};
|
|
586
|
+
const rules = {
|
|
587
|
+
...policy_js_1.DEFAULT_POLICY_RULES,
|
|
588
|
+
http: { allowedDomains: [], allowedMethods: ['GET'], blockList: ['evil.com'] },
|
|
589
|
+
};
|
|
590
|
+
const result = (0, policy_js_1.evaluatePolicy)(action, rules, { skipCategoryFloor: true });
|
|
591
|
+
(0, vitest_1.expect)(result.decision).toBe('BLOCK');
|
|
592
|
+
});
|
|
593
|
+
});
|
|
79
594
|
});
|
|
80
595
|
//# sourceMappingURL=policy.test.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy.test.js","sourceRoot":"","sources":["../../src/__tests__/policy.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,4CAAoE;AAGpE,IAAA,iBAAQ,EAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACtF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACvF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACzF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACzF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC7F,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACzF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,EAAE,GAAG,EAAE,uBAAuB,EAAE,MAAM,EAAE,KAAK,EAAE;SACzD,CAAC;QACF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,IAAI,EAAE,EAAE,cAAc,EAAE,CAAC,aAAa,CAAC,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE;SAClF,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,EAAE,GAAG,EAAE,uBAAuB,EAAE,MAAM,EAAE,KAAK,EAAE;SACzD,CAAC;QACF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,IAAI,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC,UAAU,CAAC,EAAE;SAC/E,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2EAA2E,EAAE,GAAG,EAAE;QACnF,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACzF,MAAM,KAAK,GAAG,EAAE,GAAG,gCAAoB,EAAE,WAAW,EAAE,OAAgB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACpF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7C,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+EAA+E,EAAE,GAAG,EAAE;QACvF,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC7F,MAAM,KAAK,GAAG,EAAE,GAAG,gCAAoB,EAAE,WAAW,EAAE,OAAgB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACpF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7C,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2EAA2E,EAAE,GAAG,EAAE;QACnF,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACzF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,WAAW,EAAE,OAAgB;YAC7B,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,OAAgB,EAAE,QAAQ,EAAE,OAAgB,EAAE,CAAC;SACvE,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,WAAW;YACxB,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,EAAE;YACX,aAAa,EAAE,IAAI;SACpB,CAAC;QACF,MAAM,KAAK,GAAG,EAAE,GAAG,gCAAoB,EAAE,MAAM,EAAE,EAAE,gBAAgB,EAAE,GAAG,EAAE,EAAE,CAAC;QAC7E,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
1
|
+
{"version":3,"file":"policy.test.js","sourceRoot":"","sources":["../../src/__tests__/policy.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,4CAKsB;AAGtB,IAAA,iBAAQ,EAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,sEAAsE;QACtE,wEAAwE;QACxE,2EAA2E;QAC3E,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAChG,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,0EAA0E;QAC1E,2EAA2E;QAC3E,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjG,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC;QAC5D,IAAA,eAAM,EAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACnD,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACvF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACzF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACzF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC7F,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACzF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,EAAE,GAAG,EAAE,uBAAuB,EAAE,MAAM,EAAE,KAAK,EAAE;SACzD,CAAC;QACF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,IAAI,EAAE,EAAE,cAAc,EAAE,CAAC,aAAa,CAAC,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE;SAClF,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,EAAE,GAAG,EAAE,uBAAuB,EAAE,MAAM,EAAE,KAAK,EAAE;SACzD,CAAC;QACF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,IAAI,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC,UAAU,CAAC,EAAE;SAC/E,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACzF,MAAM,KAAK,GAAG,EAAE,GAAG,gCAAoB,EAAE,WAAW,EAAE,OAAgB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACpF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7C,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8EAA8E,EAAE,GAAG,EAAE;QACtF,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC7F,MAAM,KAAK,GAAG,EAAE,GAAG,gCAAoB,EAAE,WAAW,EAAE,OAAgB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACpF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7C,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wEAAwE,EAAE,GAAG,EAAE;QAChF,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACpG,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,WAAW,EAAE,OAAgB;YAC7B,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,OAAgB,EAAE,QAAQ,EAAE,OAAgB,EAAE,CAAC;SACvE,CAAC;QACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7C,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4EAA4E,EAAE,GAAG,EAAE;QACpF,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACpG,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,WAAW,EAAE,OAAgB;YAC7B,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,WAAoB,EAAE,QAAQ,EAAE,OAAgB,EAAE,CAAC;SAC3E,CAAC;QACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7C,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2EAA2E,EAAE,GAAG,EAAE;QACnF,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACzF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,WAAW,EAAE,OAAgB;YAC7B,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,OAAgB,EAAE,QAAQ,EAAE,OAAgB,EAAE,CAAC;SACvE,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,yCAAyC;IAEzC,IAAA,WAAE,EAAC,oGAAoG,EAAE,GAAG,EAAE;QAC5G,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACpG,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,WAAoB,EAAE,QAAQ,EAAE,OAAgB,EAAE,CAAC;YAC1E,yBAAyB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE;SAC/C,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4FAA4F,EAAE,GAAG,EAAE;QACpG,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACpG,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,OAAgB,EAAE,QAAQ,EAAE,OAAgB,EAAE,CAAC;YACtE,yBAAyB,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;SAC3C,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6DAA6D,EAAE,GAAG,EAAE;QACrE,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACpG,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,OAAgB,EAAE,QAAQ,EAAE,OAAgB,EAAE,CAAC;YACtE,yBAAyB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,qBAAqB;SACtE,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iEAAiE,EAAE,GAAG,EAAE;QACzE,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC7F,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,WAAW,EAAE,OAAgB;YAC7B,KAAK,EAAE,EAAE;YACT,yBAAyB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE;SAC/C,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,WAAW;YACxB,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,EAAE;YACX,aAAa,EAAE,IAAI;SACpB,CAAC;QACF,MAAM,KAAK,GAAG,EAAE,GAAG,gCAAoB,EAAE,MAAM,EAAE,EAAE,gBAAgB,EAAE,GAAG,EAAE,EAAE,CAAC;QAC7E,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,wCAAwC;IAExC,IAAA,WAAE,EAAC,qEAAqE,EAAE,GAAG,EAAE;QAC7E,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,EAAE,GAAG,EAAE,uBAAuB,EAAE,MAAM,EAAE,KAAK,EAAE;SACzD,CAAC;QACF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,IAAI,EAAE,EAAE,cAAc,EAAE,CAAC,aAAa,CAAC,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE;SAClF,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,gBAAgB;YACtB,OAAO,EAAE,EAAE;SACZ,CAAC;QACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC;QAC5D,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,yBAAyB;IAEzB,IAAA,WAAE,EAAC,kFAAkF,EAAE,GAAG,EAAE;QAC1F,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,EAAE,GAAG,EAAE,0BAA0B,EAAE,MAAM,EAAE,KAAK,EAAE;SAC5D,CAAC;QACF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,IAAI,EAAE,EAAE,cAAc,EAAE,CAAC,aAAa,EAAE,aAAa,CAAC,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC,UAAU,CAAC,EAAE;SAC3G,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,EAAE;SACZ,CAAC;QACF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,IAAI,EAAE,EAAE,cAAc,EAAE,CAAC,aAAa,CAAC,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE;SAClF,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,8BAA8B;IAE9B,IAAA,WAAE,EAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,OAAO;YACpB,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,EAAE,GAAG,EAAE,qBAAqB,EAAE;SACxC,CAAC;QACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC;QAC5D,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2EAA2E,EAAE,GAAG,EAAE;QACnF,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,OAAO;YACpB,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,EAAE;SACZ,CAAC;QACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC;QAC5D,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sFAAsF,EAAE,GAAG,EAAE;QAC9F,2EAA2E;QAC3E,yEAAyE;QACzE,wEAAwE;QACxE,yEAAyE;QACzE,sEAAsE;QACtE,2DAA2D;QAC3D,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,kBAAkB;YACxB,OAAO,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE;SACnC,CAAC;QACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,EAAE;YAC1D,gBAAgB,EAAE,IAAI;SACvB,CAAC,CAAC;QACH,yEAAyE;QACzE,wEAAwE;QACxE,uCAAuC;QACvC,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wEAAwE,EAAE,GAAG,EAAE;QAChF,0EAA0E;QAC1E,qEAAqE;QACrE,uBAAuB;QACvB,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,kBAAkB;YACxB,OAAO,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE;SACnC,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5E,IAAA,eAAM,EACJ,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE,CAAC,CAAC,QAAQ,CACnF,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4EAA4E,EAAE,GAAG,EAAE;QACpF,mDAAmD;QACnD,uEAAuE;QACvE,uEAAuE;QACvE,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,OAAO;YACpB,IAAI,EAAE,0BAA0B;YAChC,OAAO,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,eAAe,EAAE,OAAO,EAAE;SAC7D,CAAC;QACF,MAAM,kBAAkB,GAAG;YACzB,GAAG,gCAAoB;YACvB,KAAK,EAAE;gBACL,EAAE,IAAI,EAAE,0BAA0B,EAAE,QAAQ,EAAE,OAAgB,EAAE;aACjE;SACF,CAAC;QACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,kBAAkB,EAAE;YACxD,gBAAgB,EAAE,IAAI;SACvB,CAAC,CAAC;QACH,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,8BAA8B;IAE9B,IAAA,WAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,MAAM,GAAG;YACb,WAAW,EAAE,QAAkB;YAC/B,IAAI,EAAE,aAAa;YACnB,OAAO,EAAE,EAAE;SACZ,CAAC;QACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC;QAC5D,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,iCAAiC;IAEjC,IAAA,WAAE,EAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,OAAO;YACpB,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,EAAE;YACX,sCAAsC;SACvC,CAAC;QACF,MAAM,KAAK,GAAG,EAAE,GAAG,gCAAoB,EAAE,MAAM,EAAE,EAAE,gBAAgB,EAAE,GAAG,EAAE,EAAE,CAAC;QAC7E,uEAAuE;QACvE,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,wCAAwC;IAExC,IAAA,WAAE,EAAC,qEAAqE,EAAE,GAAG,EAAE;QAC7E,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,EAAE,GAAG,EAAE,2BAA2B,EAAE,MAAM,EAAE,KAAK,EAAE;SAC7D,CAAC;QACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC;QAC5D,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,mCAAmC;IAEnC,IAAA,WAAE,EAAC,0DAA0D,EAAE,GAAG,EAAE;QAClE,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,EAAE,GAAG,EAAE,2BAA2B,EAAE,MAAM,EAAE,KAAK,EAAE;SAC7D,CAAC;QACF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,MAAe,EAAE,QAAQ,EAAE,OAAgB,EAAE,CAAC;YACrE,IAAI,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE;SAC5F,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6DAA6D,EAAE,GAAG,EAAE;QACrE,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,EAAE,GAAG,EAAE,uBAAuB,EAAE,MAAM,EAAE,KAAK,EAAE;SACzD,CAAC;QACF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,IAAI,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC,UAAU,CAAC,EAAE,eAAe,EAAE,IAAI,EAAE;SACtG,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,OAAO;YACpB,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,EAAE,GAAG,EAAE,2BAA2B,EAAE,MAAM,EAAE,QAAQ,EAAE;SAChE,CAAC;QACF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,IAAI,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE;SAC5F,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAC/E,EAAE;IACF,4EAA4E;IAC5E,8EAA8E;IAC9E,4EAA4E;IAC5E,sEAAsE;IAEtE,IAAA,iBAAQ,EAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,IAAA,WAAE,EAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,IAAA,eAAM,EAAC,IAAA,uBAAW,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACjD,IAAA,eAAM,EAAC,IAAA,uBAAW,EAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACnD,IAAA,eAAM,EAAC,IAAA,uBAAW,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACnD,IAAA,eAAM,EAAC,IAAA,uBAAW,EAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC3D,IAAA,eAAM,EAAC,IAAA,uBAAW,EAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACxD,IAAA,eAAM,EAAC,IAAA,uBAAW,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,iBAAQ,EAAC,kBAAkB,EAAE,GAAG,EAAE;QAChC,IAAA,WAAE,EAAC,gCAAgC,EAAE,GAAG,EAAE;YACxC,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,cAAc,EAAE,EAAE,GAAG,EAAE,2BAA2B,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC3G,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,cAAc,EAAE,EAAE,GAAG,EAAE,2BAA2B,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5G,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,cAAc,EAAE,EAAE,GAAG,EAAE,2BAA2B,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACjH,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,cAAc,EAAE,EAAE,GAAG,EAAE,2BAA2B,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC7G,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,cAAc,EAAE,EAAE,GAAG,EAAE,2BAA2B,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC5G,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,cAAc,EAAE,EAAE,GAAG,EAAE,2BAA2B,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9G,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,cAAc,EAAE,EAAE,GAAG,EAAE,2BAA2B,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjH,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,0EAA0E,EAAE,GAAG,EAAE;YAClF,IAAA,eAAM,EACJ,IAAA,4BAAgB,EAAC,cAAc,EAAE,EAAE,GAAG,EAAE,mCAAmC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAC9F,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACpB,IAAA,eAAM,EACJ,IAAA,4BAAgB,EAAC,cAAc,EAAE,EAAE,GAAG,EAAE,yCAAyC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CACpG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtB,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,IAAA,eAAM,EACJ,IAAA,4BAAgB,EAAC,cAAc,EAAE,EAAE,GAAG,EAAE,uCAAuC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CACrG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClB,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC9D,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,oBAAoB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAChE,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5D,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,eAAe,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7D,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;YAC3C,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,eAAe,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC5D,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,cAAc,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3D,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,0BAA0B,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,yBAAyB,EAAE,GAAG,EAAE;YACjC,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,gBAAgB,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChF,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,uDAAuD,EAAE,GAAG,EAAE;YAC/D,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,eAAe,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC3G,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,eAAe,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACrG,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,eAAe,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChG,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;YAC3C,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,eAAe,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAChE,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAClE,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAChE,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,eAAe,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9D,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,eAAe,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,iBAAQ,EAAC,4CAA4C,EAAE,GAAG,EAAE;QAC1D,IAAA,WAAE,EAAC,kDAAkD,EAAE,GAAG,EAAE;YAC1D,uEAAuE;YACvE,mEAAmE;YACnE,MAAM,MAAM,GAAuB;gBACjC,WAAW,EAAE,MAAM;gBACnB,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;aAC1B,CAAC;YACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC;YAC5D,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YACjD,IAAA,eAAM,EAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACvD,IAAA,eAAM,EAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACvC,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,sDAAsD,EAAE,GAAG,EAAE;YAC9D,MAAM,MAAM,GAAuB;gBACjC,WAAW,EAAE,MAAM;gBACnB,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE;aAC9B,CAAC;YACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC;YAC5D,+DAA+D;YAC/D,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACtC,IAAA,eAAM,EAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACnD,IAAA,eAAM,EAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,yEAAyE,EAAE,GAAG,EAAE;YACjF,MAAM,MAAM,GAAuB;gBACjC,WAAW,EAAE,MAAM;gBACnB,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE;aAChF,CAAC;YACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC;YAC5D,IAAA,eAAM,EAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACvD,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,qEAAqE;YACrE,oEAAoE;YACpE,MAAM,MAAM,GAAuB;gBACjC,WAAW,EAAE,MAAM;gBACnB,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,EAAE,GAAG,EAAE,gCAAgC,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE;aAC7E,CAAC;YACF,MAAM,KAAK,GAAG;gBACZ,GAAG,gCAAoB;gBACvB,KAAK,EAAE;oBACL,EAAE,WAAW,EAAE,MAAe,EAAE,QAAQ,EAAE,OAAgB,EAAE;oBAC5D,EAAE,WAAW,EAAE,OAAgB,EAAE,QAAQ,EAAE,kBAA2B,EAAE;iBACzE;gBACD,IAAI,EAAE,EAAE,cAAc,EAAE,CAAC,iBAAiB,CAAC,EAAE,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE;aAC9F,CAAC;YACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YAC7C,IAAA,eAAM,EAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACnD,wFAAwF;YACxF,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,0DAA0D,EAAE,GAAG,EAAE;YAClE,MAAM,MAAM,GAAuB;gBACjC,WAAW,EAAE,MAAM;gBACnB,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,EAAE,GAAG,EAAE,gCAAgC,EAAE,MAAM,EAAE,KAAK,EAAE;aAClE,CAAC;YACF,MAAM,KAAK,GAAG;gBACZ,GAAG,gCAAoB;gBACvB,KAAK,EAAE;oBACL,EAAE,WAAW,EAAE,MAAe,EAAE,QAAQ,EAAE,OAAgB,EAAE;oBAC5D,EAAE,WAAW,EAAE,OAAgB,EAAE,QAAQ,EAAE,kBAA2B,EAAE;iBACzE;gBACD,IAAI,EAAE,EAAE,cAAc,EAAE,CAAC,iBAAiB,CAAC,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE;aACtF,CAAC;YACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YAC7C,IAAA,eAAM,EAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAClD,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACtC,kEAAkE;YAClE,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;QAC1D,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,2EAA2E,EAAE,GAAG,EAAE;YACnF,uFAAuF;YACvF,MAAM,MAAM,GAAuB;gBACjC,WAAW,EAAE,WAAW;gBACxB,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;aAC1B,CAAC;YACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC;YAC5D,IAAA,eAAM,EAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACvD,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YACjD,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;QAC1D,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,oEAAoE,EAAE,GAAG,EAAE;YAC5E,uEAAuE;YACvE,qEAAqE;YACrE,0CAA0C;YAC1C,MAAM,MAAM,GAAuB;gBACjC,WAAW,EAAE,MAAM;gBACnB,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;aAC1B,CAAC;YACF,MAAM,KAAK,GAAG;gBACZ,GAAG,gCAAoB;gBACvB,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,WAAoB,EAAE,QAAQ,EAAE,OAAgB,EAAE,CAAC;gBAC1E,yBAAyB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE;aAC/C,CAAC;YACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YAC7C,IAAA,eAAM,EAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACvD,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,iEAAiE,EAAE,GAAG,EAAE;YACzE,sEAAsE;YACtE,qEAAqE;YACrE,MAAM,MAAM,GAAuB;gBACjC,WAAW,EAAE,MAAM;gBACnB,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;aAC1B,CAAC;YACF,MAAM,KAAK,GAAG;gBACZ,GAAG,gCAAoB;gBACvB,KAAK,EAAE;oBACL,GAAG,gCAAoB,CAAC,KAAK;oBAC7B,EAAE,IAAI,EAAE,eAAe,EAAE,QAAQ,EAAE,OAAgB,EAAE;iBACtD;aACF,CAAC;YACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YAC7C,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACtC,IAAA,eAAM,EAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,8EAA8E;IAC9E,EAAE;IACF,2EAA2E;IAC3E,yEAAyE;IACzE,uEAAuE;IACvE,kDAAkD;IAElD,IAAA,iBAAQ,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACvD,IAAA,WAAE,EAAC,2FAA2F,EAAE,GAAG,EAAE;YACnG,MAAM,MAAM,GAAuB;gBACjC,WAAW,EAAE,MAAM;gBACnB,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;aAC1B,CAAC;YACF,0EAA0E;YAC1E,wEAAwE;YACxE,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,CAAC,CAAC;YACzF,IAAA,eAAM,EAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAClD,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACtC,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;QAC1D,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,0FAA0F,EAAE,GAAG,EAAE;YAClG,MAAM,MAAM,GAAuB;gBACjC,WAAW,EAAE,OAAO;gBACpB,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE;aAC9B,CAAC;YACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,CAAC,CAAC;YACzF,mDAAmD;YACnD,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACtC,IAAA,eAAM,EAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,8CAA8C,EAAE,GAAG,EAAE;YACtD,MAAM,MAAM,GAAuB;gBACjC,WAAW,EAAE,MAAM;gBACnB,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;aAC1B,CAAC;YACF,8DAA8D;YAC9D,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC;YAC5D,IAAA,eAAM,EAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACvD,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,gFAAgF,EAAE,GAAG,EAAE;YACxF,MAAM,MAAM,GAAuB;gBACjC,WAAW,EAAE,MAAM;gBACnB,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;aAC1B,CAAC;YACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,EAAE,EAAE,iBAAiB,EAAE,KAAK,EAAE,CAAC,CAAC;YAC1F,IAAA,eAAM,EAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACvD,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,yDAAyD,EAAE,GAAG,EAAE;YACjE,0EAA0E;YAC1E,MAAM,MAAM,GAAuB;gBACjC,WAAW,EAAE,MAAM;gBACnB,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,EAAE,GAAG,EAAE,uBAAuB,EAAE,MAAM,EAAE,KAAK,EAAE;aACzD,CAAC;YACF,MAAM,KAAK,GAAG;gBACZ,GAAG,gCAAoB;gBACvB,IAAI,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC,UAAU,CAAC,EAAE;aAC/E,CAAC;YACF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,CAAC,CAAC;YAC1E,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|