npm - airlock-bot - Versions diffs - 0.0.1 → 0.2.2 - Mend

airlock-bot 0.0.1 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (342) hide show

package/LICENSE +21 -0
package/README.md +337 -0
package/airlock.service +27 -0
package/dist/allowlist/engine.d.ts +9 -0
package/dist/allowlist/engine.d.ts.map +1 -0
package/dist/allowlist/engine.js +24 -0
package/dist/allowlist/engine.js.map +1 -0
package/dist/allowlist/pattern.d.ts +13 -0
package/dist/allowlist/pattern.d.ts.map +1 -0
package/dist/allowlist/pattern.js +33 -0
package/dist/allowlist/pattern.js.map +1 -0
package/dist/audit/api.d.ts +7 -0
package/dist/audit/api.d.ts.map +1 -0
package/dist/audit/api.js +31 -0
package/dist/audit/api.js.map +1 -0
package/dist/audit/db.d.ts +44 -0
package/dist/audit/db.d.ts.map +1 -0
package/dist/audit/db.js +121 -0
package/dist/audit/db.js.map +1 -0
package/dist/audit/logger.d.ts +25 -0
package/dist/audit/logger.d.ts.map +1 -0
package/dist/audit/logger.js +58 -0
package/dist/audit/logger.js.map +1 -0
package/dist/audit/redactor.d.ts +5 -0
package/dist/audit/redactor.d.ts.map +1 -0
package/dist/audit/redactor.js +27 -0
package/dist/audit/redactor.js.map +1 -0
package/dist/backend/cli/adapter.d.ts +23 -0
package/dist/backend/cli/adapter.d.ts.map +1 -0
package/dist/backend/cli/adapter.js +176 -0
package/dist/backend/cli/adapter.js.map +1 -0
package/dist/backend/cli/builder.d.ts +3 -0
package/dist/backend/cli/builder.d.ts.map +1 -0
package/dist/backend/cli/builder.js +52 -0
package/dist/backend/cli/builder.js.map +1 -0
package/dist/backend/cli/escaper.d.ts +2 -0
package/dist/backend/cli/escaper.d.ts.map +1 -0
package/dist/backend/cli/escaper.js +8 -0
package/dist/backend/cli/escaper.js.map +1 -0
package/dist/backend/exec-adapter.d.ts +13 -0
package/dist/backend/exec-adapter.d.ts.map +1 -0
package/dist/backend/exec-adapter.js +39 -0
package/dist/backend/exec-adapter.js.map +1 -0
package/dist/backend/factory.d.ts +9 -0
package/dist/backend/factory.d.ts.map +1 -0
package/dist/backend/factory.js +35 -0
package/dist/backend/factory.js.map +1 -0
package/dist/backend/http-adapter.d.ts +15 -0
package/dist/backend/http-adapter.d.ts.map +1 -0
package/dist/backend/http-adapter.js +39 -0
package/dist/backend/http-adapter.js.map +1 -0
package/dist/backend/mcp-adapter.d.ts +14 -0
package/dist/backend/mcp-adapter.d.ts.map +1 -0
package/dist/backend/mcp-adapter.js +38 -0
package/dist/backend/mcp-adapter.js.map +1 -0
package/dist/backend/openapi/adapter.d.ts +17 -0
package/dist/backend/openapi/adapter.d.ts.map +1 -0
package/dist/backend/openapi/adapter.js +144 -0
package/dist/backend/openapi/adapter.js.map +1 -0
package/dist/backend/openapi/parser.d.ts +21 -0
package/dist/backend/openapi/parser.d.ts.map +1 -0
package/dist/backend/openapi/parser.js +145 -0
package/dist/backend/openapi/parser.js.map +1 -0
package/dist/backend/types.d.ts +9 -0
package/dist/backend/types.d.ts.map +1 -0
package/dist/backend/types.js +2 -0
package/dist/backend/types.js.map +1 -0
package/dist/config/loader.d.ts +12 -0
package/dist/config/loader.d.ts.map +1 -0
package/dist/config/loader.js +178 -0
package/dist/config/loader.js.map +1 -0
package/dist/config/profiles.d.ts +12 -0
package/dist/config/profiles.d.ts.map +1 -0
package/dist/config/profiles.js +34 -0
package/dist/config/profiles.js.map +1 -0
package/dist/config/schema.d.ts +2034 -0
package/dist/config/schema.d.ts.map +1 -0
package/dist/config/schema.js +257 -0
package/dist/config/schema.js.map +1 -0
package/dist/config/watcher.d.ts +11 -0
package/dist/config/watcher.d.ts.map +1 -0
package/dist/config/watcher.js +39 -0
package/dist/config/watcher.js.map +1 -0
package/dist/configure-agent/cli.d.ts +2 -0
package/dist/configure-agent/cli.d.ts.map +1 -0
package/dist/configure-agent/cli.js +390 -0
package/dist/configure-agent/cli.js.map +1 -0
package/dist/discover/cli.d.ts +2 -0
package/dist/discover/cli.d.ts.map +1 -0
package/dist/discover/cli.js +97 -0
package/dist/discover/cli.js.map +1 -0
package/dist/discover/index.d.ts +19 -0
package/dist/discover/index.d.ts.map +1 -0
package/dist/discover/index.js +70 -0
package/dist/discover/index.js.map +1 -0
package/dist/discover/openapi.d.ts +9 -0
package/dist/discover/openapi.d.ts.map +1 -0
package/dist/discover/openapi.js +47 -0
package/dist/discover/openapi.js.map +1 -0
package/dist/discover/strategies/fig.d.ts +29 -0
package/dist/discover/strategies/fig.d.ts.map +1 -0
package/dist/discover/strategies/fig.js +82 -0
package/dist/discover/strategies/fig.js.map +1 -0
package/dist/discover/strategies/help-parser.d.ts +21 -0
package/dist/discover/strategies/help-parser.d.ts.map +1 -0
package/dist/discover/strategies/help-parser.js +121 -0
package/dist/discover/strategies/help-parser.js.map +1 -0
package/dist/discover/writer.d.ts +5 -0
package/dist/discover/writer.d.ts.map +1 -0
package/dist/discover/writer.js +14 -0
package/dist/discover/writer.js.map +1 -0
package/dist/gateway.d.ts +20 -0
package/dist/gateway.d.ts.map +1 -0
package/dist/gateway.js +125 -0
package/dist/gateway.js.map +1 -0
package/dist/hitl/api.d.ts +7 -0
package/dist/hitl/api.d.ts.map +1 -0
package/dist/hitl/api.js +35 -0
package/dist/hitl/api.js.map +1 -0
package/dist/hitl/batcher.d.ts +11 -0
package/dist/hitl/batcher.d.ts.map +1 -0
package/dist/hitl/batcher.js +37 -0
package/dist/hitl/batcher.js.map +1 -0
package/dist/hitl/engine.d.ts +36 -0
package/dist/hitl/engine.d.ts.map +1 -0
package/dist/hitl/engine.js +150 -0
package/dist/hitl/engine.js.map +1 -0
package/dist/hitl/formatter.d.ts +4 -0
package/dist/hitl/formatter.d.ts.map +1 -0
package/dist/hitl/formatter.js +31 -0
package/dist/hitl/formatter.js.map +1 -0
package/dist/hitl/parser.d.ts +7 -0
package/dist/hitl/parser.d.ts.map +1 -0
package/dist/hitl/parser.js +17 -0
package/dist/hitl/parser.js.map +1 -0
package/dist/hitl/provider-factory.d.ts +4 -0
package/dist/hitl/provider-factory.d.ts.map +1 -0
package/dist/hitl/provider-factory.js +42 -0
package/dist/hitl/provider-factory.js.map +1 -0
package/dist/hitl/providers/composite.d.ts +9 -0
package/dist/hitl/providers/composite.d.ts.map +1 -0
package/dist/hitl/providers/composite.js +23 -0
package/dist/hitl/providers/composite.js.map +1 -0
package/dist/hitl/providers/dashboard.d.ts +17 -0
package/dist/hitl/providers/dashboard.d.ts.map +1 -0
package/dist/hitl/providers/dashboard.js +210 -0
package/dist/hitl/providers/dashboard.js.map +1 -0
package/dist/hitl/providers/macos.d.ts +10 -0
package/dist/hitl/providers/macos.d.ts.map +1 -0
package/dist/hitl/providers/macos.js +65 -0
package/dist/hitl/providers/macos.js.map +1 -0
package/dist/hitl/providers/openclaw.d.ts +21 -0
package/dist/hitl/providers/openclaw.d.ts.map +1 -0
package/dist/hitl/providers/openclaw.js +106 -0
package/dist/hitl/providers/openclaw.js.map +1 -0
package/dist/hitl/providers/slack.d.ts +12 -0
package/dist/hitl/providers/slack.d.ts.map +1 -0
package/dist/hitl/providers/slack.js +24 -0
package/dist/hitl/providers/slack.js.map +1 -0
package/dist/hitl/providers/stdio.d.ts +12 -0
package/dist/hitl/providers/stdio.d.ts.map +1 -0
package/dist/hitl/providers/stdio.js +41 -0
package/dist/hitl/providers/stdio.js.map +1 -0
package/dist/hitl/providers/telegram.d.ts +22 -0
package/dist/hitl/providers/telegram.d.ts.map +1 -0
package/dist/hitl/providers/telegram.js +87 -0
package/dist/hitl/providers/telegram.js.map +1 -0
package/dist/hitl/providers/tui.d.ts +16 -0
package/dist/hitl/providers/tui.d.ts.map +1 -0
package/dist/hitl/providers/tui.js +169 -0
package/dist/hitl/providers/tui.js.map +1 -0
package/dist/hitl/providers/types.d.ts +18 -0
package/dist/hitl/providers/types.d.ts.map +1 -0
package/dist/hitl/providers/types.js +2 -0
package/dist/hitl/providers/types.js.map +1 -0
package/dist/hitl/providers/webhook.d.ts +13 -0
package/dist/hitl/providers/webhook.d.ts.map +1 -0
package/dist/hitl/providers/webhook.js +27 -0
package/dist/hitl/providers/webhook.js.map +1 -0
package/dist/index.d.ts +3 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +115 -0
package/dist/index.js.map +1 -0
package/dist/middleware/chain-builder.d.ts +16 -0
package/dist/middleware/chain-builder.d.ts.map +1 -0
package/dist/middleware/chain-builder.js +139 -0
package/dist/middleware/chain-builder.js.map +1 -0
package/dist/middleware/compose.d.ts +3 -0
package/dist/middleware/compose.d.ts.map +1 -0
package/dist/middleware/compose.js +15 -0
package/dist/middleware/compose.js.map +1 -0
package/dist/middleware/core/allowlist.d.ts +3 -0
package/dist/middleware/core/allowlist.d.ts.map +1 -0
package/dist/middleware/core/allowlist.js +23 -0
package/dist/middleware/core/allowlist.js.map +1 -0
package/dist/middleware/core/exec-policy.d.ts +3 -0
package/dist/middleware/core/exec-policy.d.ts.map +1 -0
package/dist/middleware/core/exec-policy.js +30 -0
package/dist/middleware/core/exec-policy.js.map +1 -0
package/dist/middleware/core/execute.d.ts +3 -0
package/dist/middleware/core/execute.d.ts.map +1 -0
package/dist/middleware/core/execute.js +35 -0
package/dist/middleware/core/execute.js.map +1 -0
package/dist/middleware/core/hitl-gate.d.ts +3 -0
package/dist/middleware/core/hitl-gate.d.ts.map +1 -0
package/dist/middleware/core/hitl-gate.js +38 -0
package/dist/middleware/core/hitl-gate.js.map +1 -0
package/dist/middleware/core/rate-limiter.d.ts +10 -0
package/dist/middleware/core/rate-limiter.d.ts.map +1 -0
package/dist/middleware/core/rate-limiter.js +32 -0
package/dist/middleware/core/rate-limiter.js.map +1 -0
package/dist/middleware/core/schema-validator.d.ts +3 -0
package/dist/middleware/core/schema-validator.d.ts.map +1 -0
package/dist/middleware/core/schema-validator.js +31 -0
package/dist/middleware/core/schema-validator.js.map +1 -0
package/dist/middleware/detectors/injection-detector.d.ts +12 -0
package/dist/middleware/detectors/injection-detector.d.ts.map +1 -0
package/dist/middleware/detectors/injection-detector.js +129 -0
package/dist/middleware/detectors/injection-detector.js.map +1 -0
package/dist/middleware/detectors/sensitivity-classifier.d.ts +12 -0
package/dist/middleware/detectors/sensitivity-classifier.d.ts.map +1 -0
package/dist/middleware/detectors/sensitivity-classifier.js +125 -0
package/dist/middleware/detectors/sensitivity-classifier.js.map +1 -0
package/dist/middleware/post/canary-token-injector.d.ts +10 -0
package/dist/middleware/post/canary-token-injector.d.ts.map +1 -0
package/dist/middleware/post/canary-token-injector.js +53 -0
package/dist/middleware/post/canary-token-injector.js.map +1 -0
package/dist/middleware/post/output-injection-detector.d.ts +7 -0
package/dist/middleware/post/output-injection-detector.d.ts.map +1 -0
package/dist/middleware/post/output-injection-detector.js +46 -0
package/dist/middleware/post/output-injection-detector.js.map +1 -0
package/dist/middleware/post/output-size-limiter.d.ts +7 -0
package/dist/middleware/post/output-size-limiter.d.ts.map +1 -0
package/dist/middleware/post/output-size-limiter.js +47 -0
package/dist/middleware/post/output-size-limiter.js.map +1 -0
package/dist/middleware/post/output-summarizer.d.ts +15 -0
package/dist/middleware/post/output-summarizer.d.ts.map +1 -0
package/dist/middleware/post/output-summarizer.js +38 -0
package/dist/middleware/post/output-summarizer.js.map +1 -0
package/dist/middleware/post/strip-query-params.d.ts +3 -0
package/dist/middleware/post/strip-query-params.d.ts.map +1 -0
package/dist/middleware/post/strip-query-params.js +22 -0
package/dist/middleware/post/strip-query-params.js.map +1 -0
package/dist/middleware/post/untrusted-envelope.d.ts +3 -0
package/dist/middleware/post/untrusted-envelope.d.ts.map +1 -0
package/dist/middleware/post/untrusted-envelope.js +10 -0
package/dist/middleware/post/untrusted-envelope.js.map +1 -0
package/dist/middleware/types.d.ts +32 -0
package/dist/middleware/types.d.ts.map +1 -0
package/dist/middleware/types.js +2 -0
package/dist/middleware/types.js.map +1 -0
package/dist/pool/http-client.d.ts +26 -0
package/dist/pool/http-client.d.ts.map +1 -0
package/dist/pool/http-client.js +109 -0
package/dist/pool/http-client.js.map +1 -0
package/dist/pool/oauth-provider.d.ts +34 -0
package/dist/pool/oauth-provider.d.ts.map +1 -0
package/dist/pool/oauth-provider.js +135 -0
package/dist/pool/oauth-provider.js.map +1 -0
package/dist/pool/pool.d.ts +30 -0
package/dist/pool/pool.d.ts.map +1 -0
package/dist/pool/pool.js +119 -0
package/dist/pool/pool.js.map +1 -0
package/dist/pool/required-mcps.d.ts +7 -0
package/dist/pool/required-mcps.d.ts.map +1 -0
package/dist/pool/required-mcps.js +18 -0
package/dist/pool/required-mcps.js.map +1 -0
package/dist/pool/sse-client.d.ts +22 -0
package/dist/pool/sse-client.d.ts.map +1 -0
package/dist/pool/sse-client.js +70 -0
package/dist/pool/sse-client.js.map +1 -0
package/dist/pool/stdio-client.d.ts +24 -0
package/dist/pool/stdio-client.d.ts.map +1 -0
package/dist/pool/stdio-client.js +77 -0
package/dist/pool/stdio-client.js.map +1 -0
package/dist/registry/registry.d.ts +19 -0
package/dist/registry/registry.d.ts.map +1 -0
package/dist/registry/registry.js +85 -0
package/dist/registry/registry.js.map +1 -0
package/dist/registry/sanitizer.d.ts +2 -0
package/dist/registry/sanitizer.d.ts.map +1 -0
package/dist/registry/sanitizer.js +31 -0
package/dist/registry/sanitizer.js.map +1 -0
package/dist/security/blocked-hosts.d.ts +6 -0
package/dist/security/blocked-hosts.d.ts.map +1 -0
package/dist/security/blocked-hosts.js +26 -0
package/dist/security/blocked-hosts.js.map +1 -0
package/dist/security/domain-allowlist.d.ts +7 -0
package/dist/security/domain-allowlist.d.ts.map +1 -0
package/dist/security/domain-allowlist.js +19 -0
package/dist/security/domain-allowlist.js.map +1 -0
package/dist/stdio-mode.d.ts +3 -0
package/dist/stdio-mode.d.ts.map +1 -0
package/dist/stdio-mode.js +130 -0
package/dist/stdio-mode.js.map +1 -0
package/dist/tools/exec.d.ts +20 -0
package/dist/tools/exec.d.ts.map +1 -0
package/dist/tools/exec.js +105 -0
package/dist/tools/exec.js.map +1 -0
package/dist/tools/http.d.ts +13 -0
package/dist/tools/http.d.ts.map +1 -0
package/dist/tools/http.js +99 -0
package/dist/tools/http.js.map +1 -0
package/dist/transport/agent-server.d.ts +26 -0
package/dist/transport/agent-server.d.ts.map +1 -0
package/dist/transport/agent-server.js +55 -0
package/dist/transport/agent-server.js.map +1 -0
package/dist/transport/mcp-normalizer.d.ts +9 -0
package/dist/transport/mcp-normalizer.d.ts.map +1 -0
package/dist/transport/mcp-normalizer.js +12 -0
package/dist/transport/mcp-normalizer.js.map +1 -0
package/dist/transport/sse-server.d.ts +7 -0
package/dist/transport/sse-server.d.ts.map +1 -0
package/dist/transport/sse-server.js +94 -0
package/dist/transport/sse-server.js.map +1 -0
package/dist/transport/stdio-server.d.ts +3 -0
package/dist/transport/stdio-server.d.ts.map +1 -0
package/dist/transport/stdio-server.js +12 -0
package/dist/transport/stdio-server.js.map +1 -0
package/dist/types.d.ts +15 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +2 -0
package/dist/types.js.map +1 -0
package/dist/util/id.d.ts +5 -0
package/dist/util/id.d.ts.map +1 -0
package/dist/util/id.js +16 -0
package/dist/util/id.js.map +1 -0
package/dist/util/logger.d.ts +4 -0
package/dist/util/logger.d.ts.map +1 -0
package/dist/util/logger.js +24 -0
package/dist/util/logger.js.map +1 -0
package/dist/version.d.ts +2 -0
package/dist/version.d.ts.map +1 -0
package/dist/version.js +4 -0
package/dist/version.js.map +1 -0
package/examples/claude-code-setup.md +77 -0
package/examples/gateway.yaml +118 -0
package/examples/local-dev.yaml +41 -0
package/examples/openclaw-setup.md +52 -0
package/examples/profiles.yaml +103 -0
package/package.json +80 -3
package/schema.json +943 -0

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 Airlock
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,337 @@
+# Airlock
+[![CI](https://github.com/airlock-dev/airlock/actions/workflows/ci.yml/badge.svg)](https://github.com/airlock-dev/airlock/actions/workflows/ci.yml)
+[![Node](https://img.shields.io/node/v/airlock-bot)](https://www.npmjs.com/package/airlock-bot)
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
+A permissions-aware MCP gateway that sits between AI agents (Claude Code, Cursor, OpenClaw, etc.) and your downstream tool servers, CLI tools, and REST APIs. Airlock enforces per-agent allowlists, requires human approval for sensitive operations, and keeps a full audit trail of every tool call.
+```
+Agent (Claude Code / Cursor / OpenClaw)
+  │  stdio or SSE
+  ▼
+Airlock  ←→  HITL (Telegram / Slack / webhook / TUI / macOS / dashboard)
+  │
+  ├── MCP servers (github, filesystem, ...)
+  ├── CLI tools (git, docker, kubectl, ...)
+  ├── REST APIs (any OpenAPI spec)
+  ├── built-in: http/get, http/post, ...
+  └── built-in: exec/run
+```
+## Features
+- **Per-agent allowlists** — each agent sees only the tools it's allowed to call, presented with namespaced names (`github/create_pr`, `filesystem/read_file`)
+- **HITL approval** — flag sensitive tools as requiring human sign-off; the agent blocks until you approve or deny
+- **Composable profiles** — define reusable permission sets (`readonly`, `developer`) that agents inherit via `extends`
+- **Backend adapters** — unified interface for MCP servers, CLI tools, REST APIs, HTTP, and exec
+- **CLI tool discovery** — auto-generate config from `--help` output or [Fig autocomplete specs](https://github.com/withfig/autocomplete)
+- **API discovery** — auto-generate config from OpenAPI 3.x specs
+- **Configure agent TUI** — interactive terminal UI to assign allow/ask/deny per tool
+- **Batched notifications** — requests arriving within a time window are bundled into a single message
+- **Multiple HITL providers** — Telegram, Slack webhook, generic webhook, OpenClaw, TUI, macOS dialog, dashboard, or stdio
+- **Security defaults** — localhost and RFC-1918 ranges blocked for HTTP tools; per-agent domain allowlists; shell injection prevention
+- **Audit log** — every tool call logged to SQLite with agent, tool, args, result, duration, and HITL outcome
+- **Hot reload** — edit config and allowlist/HITL config updates without restarting
+- **Leaner stdio mode** — `--agent` flag runs with no HTTP server and only connects to MCPs the agent actually uses
+## Install
+```bash
+npm install -g airlock-bot
+```
+## Quick start
+```bash
+# 1. Discover tools from a CLI you want to expose
+airlock discover cli git --output git-commands.yaml
+# 2. Create your config referencing the discovered commands
+cat > airlock.yaml <<'EOF'
+providers:
+  github:
+    type: stdio
+    command: npx
+    args: ["-y", "@modelcontextprotocol/server-github"]
+    env:
+      GITHUB_PERSONAL_ACCESS_TOKEN: "${GITHUB_TOKEN}"
+  exec: builtin
+  http: builtin
+clis:
+  git:
+    discovered: ./git-commands.yaml
+    commands:
+      # Inline overrides take precedence over discovered commands
+      status:
+        exec: git status
+        params: {}
+agents:
+  claude-code:
+    allow:
+      - github/*
+      - git/*
+    ask:
+      - git/push
+    deny:
+      - exec/run
+EOF
+# 3. Run in stdio mode for a single agent (e.g. from Claude Code)
+airlock --agent claude-code --config airlock.yaml
+# 4. Or run as a full gateway server (SSE on port 4111)
+airlock --config airlock.yaml
+```
+## Claude Code setup
+Add Airlock as an MCP server in `~/.claude/mcp.json`:
+```json
+{
+  "mcpServers": {
+    "airlock": {
+      "command": "airlock",
+      "args": ["--agent", "claude-code", "--config", "/path/to/airlock.yaml"]
+    }
+  }
+}
+```
+Or without a global install:
+```json
+{
+  "mcpServers": {
+    "airlock": {
+      "command": "npx",
+      "args": ["airlock-bot", "--agent", "claude-code", "--config", "/path/to/airlock.yaml"]
+    }
+  }
+}
+```
+See [`examples/claude-code-setup.md`](examples/claude-code-setup.md) for a full walkthrough.
+## Discovery
+Auto-generate Airlock config from existing tools instead of writing YAML by hand.
+### CLI discovery
+```bash
+# Parse --help output (works with any CLI)
+airlock discover cli docker
+# Try Fig autocomplete specs first, fall back to --help
+airlock discover cli kubectl --fig
+# Write to a file, limit recursion depth
+airlock discover cli git --output git-commands.yaml --max-depth 2
+# Only include specific commands
+airlock discover cli npm --include install,test,run
+```
+Reference the output in your config:
+```yaml
+clis:
+  git:
+    discovered: ./git-commands.yaml
+    max_output_bytes: 30000   # default matches Claude Code's limit
+    commands:
+      # Inline commands override discovered ones with the same name
+      custom-deploy:
+        exec: "git push origin main"
+        params: {}
+```
+### API discovery
+```bash
+# From a local spec file
+airlock discover api ./petstore.json --output petstore-api.yaml
+# From a URL
+airlock discover api https://api.example.com/openapi.json --base-url https://api.example.com
+# Filter endpoints
+airlock discover api ./spec.json --include "GET *" --exclude "DELETE *"
+```
+Reference in config:
+```yaml
+apis:
+  petstore:
+    spec: ./petstore.json
+    base_url: https://petstore.example.com/v1
+    auth:
+      type: bearer
+      token: ${PETSTORE_TOKEN}
+    timeout_ms: 30000
+    max_response_bytes: 1048576
+```
+### Configure agent TUI
+Interactively assign allow/ask/deny to tools discovered from your live MCP servers:
+```bash
+npm run configure-agent -- --config ./airlock.yaml --agent claude-code
+```
+Navigate with `j/k`, set permissions with `a`/`s`/`d` (per tool or bulk per provider), then `Enter` to edit config directly, copy to clipboard, or print YAML.
+## Config
+```yaml
+providers:
+  github:
+    type: stdio
+    command: npx
+    args: ["-y", "@modelcontextprotocol/server-github"]
+    env:
+      GITHUB_PERSONAL_ACCESS_TOKEN: "${GITHUB_TOKEN}"
+  exec: builtin
+  http: builtin
+# CLI tools exposed as MCP tools
+clis:
+  git:
+    discovered: ./git-commands.yaml
+    shell: /bin/bash
+    max_output_bytes: 30000
+    commands:
+      status:
+        exec: git status
+        params: {}
+      log:
+        exec: "git log --oneline -n {count}"
+        params:
+          count:
+            type: number
+            required: false
+            default: 10
+# REST APIs exposed as MCP tools
+apis:
+  petstore:
+    spec: ./petstore.json
+    base_url: https://petstore.example.com/v1
+    auth:
+      type: bearer
+      token: ${PETSTORE_TOKEN}
+# Reusable permission profiles
+profiles:
+  readonly:
+    allow:
+      - github/list*
+      - github/get*
+      - http/get
+  developer:
+    allow:
+      - github/*
+      - git/*
+      - exec/run
+    ask:
+      - github/create_pr
+      - github/merge_pull_request
+agents:
+  helena:
+    extends: [readonly, developer]
+    exec:
+      allow: ["git status", "git diff*", "npm test*"]
+      ask:   ["git push*"]
+      deny:  ["sudo *", "rm -rf *"]
+      env:
+        PATH: "/usr/local/bin:/usr/bin:/bin"
+    http:
+      domain_allowlist: ["api.github.com", "*.sentry.io"]
+  claude-code:
+    extends: [readonly]
+    exec:
+      allow: ["git status", "git diff*", "npm test"]
+      deny: ["*"]
+approvals:
+  provider:
+    type: telegram
+    bot_token: "${TELEGRAM_BOT_TOKEN}"
+    chat_id: "${TELEGRAM_CHAT_ID}"
+  timeout_ms: 300000
+  batch_window_ms: 10000
+```
+Precedence: **deny > ask > allow > default-deny**
+See [`examples/gateway.yaml`](examples/gateway.yaml) for a fully annotated reference config and [`examples/profiles.yaml`](examples/profiles.yaml) for composable profile examples.
+## HITL providers
+| Provider | Config `type` | Notes |
+|----------|--------------|-------|
+| TUI | `tui` | Terminal UI on stderr — `[a]pprove` / `[d]eny` with `j/k` navigation via `/dev/tty` |
+| macOS dialog | `macos` | Native approve/deny popup via `osascript` — best for local dev on Mac |
+| Dashboard | `dashboard` | Localhost web UI (default port 4112) with live SSE updates |
+| Telegram bot | `telegram` | Long-polls for replies; reply `approve ABC123` or `deny ABC123` |
+| Slack webhook | `slack` | Incoming webhook, fire-and-forget; pair with slash commands for approvals |
+| Generic webhook | `webhook` | POSTs `{requests, text}` JSON; configurable headers |
+| OpenClaw | `openclaw` | WebSocket RPC to OpenClaw gateway; see [`examples/openclaw-setup.md`](examples/openclaw-setup.md) |
+| stdio | `stdio` | Prints to stderr, reads from stdin — for local dev and testing |
+## API
+When running in gateway mode, Airlock exposes a management API:
+```
+GET  /health                   — MCP health, pending HITL count, uptime
+GET  /hitl/pending             — list pending approval requests
+POST /hitl/approve/:id         — approve a request
+POST /hitl/deny/:id            — deny a request (body: {"reason": "..."})
+GET  /audit?agent=&tool=&since=&limit=  — query audit log
+```
+All management endpoints require `Authorization: Bearer <api_secret>` when `server.api_secret` is set.
+## Testing
+```bash
+npm test                              # unit + integration tests
+npm test -- test/integration.test.ts  # just the integration test (real child process)
+npm run typecheck                     # TypeScript type check (no emit)
+npm run build                         # Full build to dist/
+```
+### Interactive testing with MCP Inspector
+A self-contained test config with an echo MCP server is included — no tokens or external services needed:
+```bash
+npx @modelcontextprotocol/inspector npx tsx src/index.ts -- --agent test --config test/test-gateway.yaml
+```
+Open `http://localhost:6274`, then list tools and call `echo/echo` or `echo/add` through the UI.
+## systemd
+```bash
+sudo cp airlock.service /etc/systemd/system/
+sudo systemctl daemon-reload
+sudo systemctl enable --now airlock
+```
+See [`airlock.service`](airlock.service) for the full unit file.
+## License
+[MIT](LICENSE) © 2026 Airlock

package/airlock.service ADDED Viewed

@@ -0,0 +1,27 @@
+[Unit]
+Description=Airlock MCP Gateway
+After=network.target openclaw-gateway.service
+Wants=openclaw-gateway.service
+[Service]
+Type=simple
+User=openclaw
+WorkingDirectory=/home/openclaw/airlock
+ExecStart=/usr/local/bin/airlock --config /etc/airlock/gateway.yaml
+Restart=on-failure
+RestartSec=5
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=airlock
+# Environment
+EnvironmentFile=-/etc/airlock/env
+# Hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths=/var/lib/airlock
+[Install]
+WantedBy=multi-user.target

package/dist/allowlist/engine.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { AgentConfig } from '../config/schema.js';
+export type Decision = 'allow' | 'ask' | 'deny';
+export declare class AllowlistEngine {
+    private agents;
+    constructor(agents: Record<string, AgentConfig>);
+    reload(agents: Record<string, AgentConfig>): void;
+    evaluate(agentId: string, toolName: string): Decision;
+}
+//# sourceMappingURL=engine.d.ts.map

package/dist/allowlist/engine.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/allowlist/engine.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,KAAK,GAAG,MAAM,CAAC;AAEhD,qBAAa,eAAe;IACd,OAAO,CAAC,MAAM;gBAAN,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC;IAEvD,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAAG,IAAI;IAIjD,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,QAAQ;CAWtD"}

package/dist/allowlist/engine.js ADDED Viewed

@@ -0,0 +1,24 @@
+import { matches } from './pattern.js';
+export class AllowlistEngine {
+    agents;
+    constructor(agents) {
+        this.agents = agents;
+    }
+    reload(agents) {
+        this.agents = agents;
+    }
+    evaluate(agentId, toolName) {
+        const agent = this.agents[agentId];
+        if (!agent)
+            return 'deny';
+        // deny > ask > allow > default-deny
+        if (agent.deny.some((p) => matches(p, toolName)))
+            return 'deny';
+        if (agent.ask.some((p) => matches(p, toolName)))
+            return 'ask';
+        if (agent.allow.some((p) => matches(p, toolName)))
+            return 'allow';
+        return 'deny'; // fail-closed
+    }
+}
+//# sourceMappingURL=engine.js.map

package/dist/allowlist/engine.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/allowlist/engine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAKvC,MAAM,OAAO,eAAe;IACN;IAApB,YAAoB,MAAmC;QAAnC,WAAM,GAAN,MAAM,CAA6B;IAAG,CAAC;IAE3D,MAAM,CAAC,MAAmC;QACxC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,QAAQ,CAAC,OAAe,EAAE,QAAgB;QACxC,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,MAAM,CAAC;QAE1B,oCAAoC;QACpC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;YAAE,OAAO,MAAM,CAAC;QAChE,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAC9D,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;YAAE,OAAO,OAAO,CAAC;QAElE,OAAO,MAAM,CAAC,CAAC,cAAc;IAC/B,CAAC;CACF"}

package/dist/allowlist/pattern.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+/**
+ * Match a tool name against a pattern.
+ * Supports:
+ *   - Exact match: "github/create_pr"
+ *   - Wildcard suffix: "github/*" matches "github/create_pr" but NOT "github2/foo"
+ */
+export declare function matches(pattern: string, toolName: string): boolean;
+/**
+ * Match a command string against a pattern.
+ * Supports glob-style prefix matching with '*'.
+ */
+export declare function matchesCommand(pattern: string, command: string): boolean;
+//# sourceMappingURL=pattern.d.ts.map

package/dist/allowlist/pattern.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"pattern.d.ts","sourceRoot":"","sources":["../../src/allowlist/pattern.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,wBAAgB,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAelE;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAMxE"}

package/dist/allowlist/pattern.js ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * Match a tool name against a pattern.
+ * Supports:
+ *   - Exact match: "github/create_pr"
+ *   - Wildcard suffix: "github/*" matches "github/create_pr" but NOT "github2/foo"
+ */
+export function matches(pattern, toolName) {
+    if (pattern === toolName)
+        return true;
+    if (pattern.endsWith('/*')) {
+        const prefix = pattern.slice(0, -1); // "github/"
+        return toolName.startsWith(prefix) && !toolName.slice(prefix.length).includes('/');
+    }
+    if (pattern.endsWith('*')) {
+        // e.g. "git*" — simple prefix match, but must stay within same namespace
+        const prefix = pattern.slice(0, -1);
+        return toolName.startsWith(prefix);
+    }
+    return false;
+}
+/**
+ * Match a command string against a pattern.
+ * Supports glob-style prefix matching with '*'.
+ */
+export function matchesCommand(pattern, command) {
+    if (pattern === command)
+        return true;
+    if (pattern.endsWith('*')) {
+        return command.startsWith(pattern.slice(0, -1));
+    }
+    return false;
+}
+//# sourceMappingURL=pattern.js.map

package/dist/allowlist/pattern.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pattern.js","sourceRoot":"","sources":["../../src/allowlist/pattern.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,UAAU,OAAO,CAAC,OAAe,EAAE,QAAgB;IACvD,IAAI,OAAO,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAEtC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY;QACjD,OAAO,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACrF,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,yEAAyE;QACzE,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACpC,OAAO,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe,EAAE,OAAe;IAC7D,IAAI,OAAO,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IACrC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/audit/api.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { FastifyInstance } from 'fastify';
+import type { AuditLogger } from './logger.js';
+export declare function auditApiPlugin(app: FastifyInstance, opts: {
+    auditLogger: AuditLogger;
+    secret?: string;
+}): Promise<void>;
+//# sourceMappingURL=api.d.ts.map

package/dist/audit/api.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../../src/audit/api.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAU/C,wBAAsB,cAAc,CAClC,GAAG,EAAE,eAAe,EACpB,IAAI,EAAE;IAAE,WAAW,EAAE,WAAW,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,GAClD,OAAO,CAAC,IAAI,CAAC,CAqBf"}

package/dist/audit/api.js ADDED Viewed

@@ -0,0 +1,31 @@
+import { timingSafeEqual } from 'crypto';
+function constantTimeEqual(a, b) {
+    const bufA = Buffer.from(a);
+    const bufB = Buffer.from(b);
+    if (bufA.length !== bufB.length)
+        return false;
+    return timingSafeEqual(bufA, bufB);
+}
+// eslint-disable-next-line @typescript-eslint/require-await
+export async function auditApiPlugin(app, opts) {
+    const { auditLogger, secret } = opts;
+    app.addHook('preHandler', async (request, reply) => {
+        if (!secret)
+            return;
+        const auth = request.headers.authorization ?? '';
+        if (!constantTimeEqual(auth, `Bearer ${secret}`)) {
+            return reply.status(401).send({ error: 'Unauthorized' });
+        }
+    });
+    app.get('/audit', async (request, reply) => {
+        const { agent, tool, since, limit } = request.query;
+        const entries = auditLogger.query({
+            agent,
+            tool,
+            since,
+            limit: limit ? parseInt(limit, 10) : 100,
+        });
+        return reply.send(entries);
+    });
+}
+//# sourceMappingURL=api.js.map

package/dist/audit/api.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"api.js","sourceRoot":"","sources":["../../src/audit/api.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAIzC,SAAS,iBAAiB,CAAC,CAAS,EAAE,CAAS;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC9C,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC;AAED,4DAA4D;AAC5D,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAoB,EACpB,IAAmD;IAEnD,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAErC,GAAG,CAAC,OAAO,CAAC,YAAY,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;QACjD,IAAI,CAAC,MAAM;YAAE,OAAO;QACpB,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,IAAI,EAAE,CAAC;QACjD,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,UAAU,MAAM,EAAE,CAAC,EAAE,CAAC;YACjD,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;QACzC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC,KAA+B,CAAC;QAC9E,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,CAAC;YAChC,KAAK;YACL,IAAI;YACJ,KAAK;YACL,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG;SACzC,CAAC,CAAC;QACH,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/audit/db.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+export interface AuditEntry {
+    id?: number;
+    ts: string;
+    agent_id: string;
+    tool: string;
+    args: string;
+    result: string;
+    error?: string;
+    duration_ms?: number;
+    hitl_code?: string;
+}
+export interface HitlQueueEntry {
+    id: string;
+    code: string;
+    agent_id: string;
+    tool: string;
+    args: string;
+    status: 'pending' | 'approved' | 'denied' | 'timeout';
+    reason?: string;
+    created_at: string;
+    resolved_at?: string;
+}
+export declare class AuditDb {
+    private db;
+    private stmts;
+    constructor(dbPath: string);
+    private init;
+    private prepareStatements;
+    insertAudit(entry: Omit<AuditEntry, 'id'>): void;
+    queryAudit(filters: {
+        agent?: string;
+        tool?: string;
+        since?: string;
+        limit?: number;
+    }): AuditEntry[];
+    insertHitl(entry: HitlQueueEntry): void;
+    updateHitlStatus(id: string, status: HitlQueueEntry['status'], reason?: string): void;
+    getHitlByCode(code: string): HitlQueueEntry | undefined;
+    getHitlById(id: string): HitlQueueEntry | undefined;
+    getPendingHitl(): HitlQueueEntry[];
+    cleanup(retentionDays: number): void;
+    close(): void;
+}
+//# sourceMappingURL=db.d.ts.map

package/dist/audit/db.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../../src/audit/db.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,QAAQ,GAAG,SAAS,CAAC;IACtD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,OAAO;IAClB,OAAO,CAAC,EAAE,CAAoB;IAC9B,OAAO,CAAC,KAAK,CASX;gBAEU,MAAM,EAAE,MAAM;IAM1B,OAAO,CAAC,IAAI;IAiCZ,OAAO,CAAC,iBAAiB;IAyBzB,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,GAAG,IAAI;IAShD,UAAU,CAAC,OAAO,EAAE;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,GAAG,UAAU,EAAE;IA0BhB,UAAU,CAAC,KAAK,EAAE,cAAc,GAAG,IAAI;IAIvC,gBAAgB,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI;IASrF,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAIvD,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAInD,cAAc,IAAI,cAAc,EAAE;IAIlC,OAAO,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI;IAMpC,KAAK,IAAI,IAAI;CAGd"}