cedar-mcp-server 1.0.0

package/dist/tools/generate-sample.js

@@ -0,0 +1,568 @@
+import { policyToJson, isAuthorized, schemaToJsonWithResolvedTypes, } from "@cedar-policy/cedar-wasm/nodejs";
+import { extractLikeConstraints, patternToString, } from "../parser/policy-ast.js";
+function extractConstraints(conditions) {
+    const constraints = [];
+    for (const clause of conditions) {
+        walkExpr(clause.body, clause.kind, constraints);
+    }
+    return constraints;
+}
+function walkExpr(expr, clauseKind, constraints) {
+    if (typeof expr !== "object" || expr === null)
+        return;
+    const e = expr;
+    // "like" is handled separately via extractLikeConstraints — skip here
+    if ("like" in e)
+        return;
+    if ("&&" in e || "||" in e) {
+        const key = "&&" in e ? "&&" : "||";
+        const node = e[key];
+        walkExpr(node.left, clauseKind, constraints);
+        walkExpr(node.right, clauseKind, constraints);
+        return;
+    }
+    // Equality: principal.attr == value  or  resource.attr == value
+    if ("==" in e) {
+        const node = e["=="];
+        const attr = extractAttrAccess(node.left);
+        if (attr && clauseKind === "when") {
+            const value = extractValue(node.right);
+            if (value !== undefined) {
+                constraints.push({ variable: attr.variable, attr: attr.attr, op: "eq", value });
+            }
+        }
+        return;
+    }
+    // Has (optional attribute guard): resource has attr
+    if ("has" in e) {
+        const node = e["has"];
+        const varName = extractVar(node.left);
+        if (varName && (varName === "principal" || varName === "resource")) {
+            if (clauseKind === "when") {
+                constraints.push({ variable: varName, attr: node.attr, op: "has" });
+            }
+            else {
+                constraints.push({ variable: varName, attr: node.attr, op: "not_has" });
+            }
+        }
+        return;
+    }
+    // in (set membership in condition body): { "in": { left: attrExpr, right: SetExpr } }
+    // e.g. resource.status in ["active", "pending"]
+    if ("in" in e && clauseKind === "when") {
+        const node = e["in"];
+        const attr = extractAttrAccess(node.left);
+        const right = node.right;
+        if (attr && "Set" in right) {
+            const values = right["Set"].map(extractValue).filter((v) => v !== undefined);
+            if (values.length > 0) {
+                constraints.push({ variable: attr.variable, attr: attr.attr, op: "contains", values });
+            }
+        }
+        return;
+    }
+    // contains(): { "contains": { "left": setExpr, "right": attrExpr } }
+    // e.g. ["active", "pending"].contains(resource.status)
+    if ("contains" in e && !Array.isArray(e["contains"]) && typeof e["contains"] === "object") {
+        const node = e["contains"];
+        const setExpr = node.left;
+        const attrExpr = node.right;
+        if ("Set" in setExpr && clauseKind === "when") {
+            const attr = extractAttrAccess(attrExpr);
+            const values = setExpr["Set"].map(extractValue).filter((v) => v !== undefined);
+            if (attr && values.length > 0) {
+                constraints.push({ variable: attr.variable, attr: attr.attr, op: "contains", values });
+            }
+        }
+        return;
+    }
+}
+function extractAttrAccess(expr) {
+    if (typeof expr !== "object" || expr === null)
+        return null;
+    const e = expr;
+    if ("." in e) {
+        const node = e["."];
+        const varName = extractVar(node.left);
+        if (varName === "principal" || varName === "resource" || varName === "context") {
+            return { variable: varName, attr: node.attr };
+        }
+    }
+    return null;
+}
+function extractVar(expr) {
+    if (typeof expr === "object" && expr !== null && "Var" in expr) {
+        return expr["Var"] ?? null;
+    }
+    return null;
+}
+function extractValue(expr) {
+    if (typeof expr !== "object" || expr === null)
+        return undefined;
+    const e = expr;
+    if ("Value" in e) {
+        const v = e["Value"];
+        if (v !== null && typeof v === "object" && "__entity" in v) {
+            return undefined; // entity reference — skip for simple attr matching
+        }
+        return v;
+    }
+    return undefined;
+}
+/**
+ * Returns required attributes for an entity type from the (resolved) schema JSON.
+ * Only includes `required: true` attributes — optional ones are omitted unless
+ * the policy conditions explicitly reference them.
+ * Returns a map of attrName → default value based on Cedar type.
+ */
+function requiredAttrsFromSchema(schemaJson, namespace, entityTypeName) {
+    try {
+        const ns = schemaJson?.[namespace];
+        const entityTypes = ns?.["entityTypes"];
+        // entityTypeName may be fully-qualified "Ns::Type" or just "Type"
+        const simpleTypeName = entityTypeName.includes("::")
+            ? entityTypeName.split("::").pop()
+            : entityTypeName;
+        const entityDef = entityTypes?.[simpleTypeName];
+        const shape = entityDef?.["shape"];
+        const attributes = shape?.["attributes"];
+        if (!attributes)
+            return {};
+        const defaults = {};
+        for (const [attrName, attrDef] of Object.entries(attributes)) {
+            // Cedar JSON-schema default for `required` is true (per the official
+            // spec); only attributes with an explicit `required: false` are optional.
+            // The old `!== true` check skipped attributes when the JSON omitted the
+            // flag entirely, which is the shape `schemaToJsonWithResolvedTypes`
+            // emits for cedarschema-text input like `entity User { name: String }`.
+            // Empty-attrs entities then failed `validateRequest` once the schema
+            // was supplied to the internal verification call (kickoff-14 14d audit
+            // Finding F3 follow-on).
+            if (attrDef["required"] === false)
+                continue;
+            const typeName = attrDef["type"]?.toLowerCase() ?? "";
+            if (typeName === "string")
+                defaults[attrName] = "";
+            else if (typeName === "long")
+                defaults[attrName] = 0;
+            else if (typeName === "boolean")
+                defaults[attrName] = false;
+            // Records, Sets, extension types: leave to the caller to set meaningfully
+        }
+        return defaults;
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Qualify a bare entity-type name with the schema's namespace. If the name
+ * already carries a `::` separator (which `schemaToJsonWithResolvedTypes`
+ * emits for entries declared inside `namespace X { ... }` cedarschema text),
+ * return it verbatim — re-prefixing produces `MyApp::MyApp::User` style
+ * double-namespace artifacts (kickoff-14 14b).
+ */
+function qualifyEntityType(typeName, namespace) {
+    if (typeName.includes("::"))
+        return typeName;
+    return namespace ? `${namespace}::${typeName}` : typeName;
+}
+function entityTypesFromSchema(schemaJson, namespace, actionId) {
+    try {
+        const ns = schemaJson?.[namespace];
+        const actions = ns?.["actions"];
+        const actionKey = actionId ? actions?.[actionId] : Object.values(actions ?? {})[0];
+        const appliesTo = actionKey?.["appliesTo"];
+        const principalTypes = appliesTo?.["principalTypes"];
+        const resourceTypes = appliesTo?.["resourceTypes"];
+        return {
+            principalType: principalTypes?.[0] ? qualifyEntityType(principalTypes[0], namespace) : qualifyEntityType("User", namespace),
+            resourceType: resourceTypes?.[0] ? qualifyEntityType(resourceTypes[0], namespace) : qualifyEntityType("Resource", namespace),
+        };
+    }
+    catch {
+        return { principalType: qualifyEntityType("User", namespace), resourceType: qualifyEntityType("Resource", namespace) };
+    }
+}
+function extractScope(json, schemaNamespace, schemaJson) {
+    // qualifyEntityType handles the empty-namespace case (Cedar's "" namespace
+    // for namespaceless schemas) by returning bare "Action" instead of "::Action".
+    const actionType = qualifyEntityType("Action", schemaNamespace);
+    let actionId;
+    let principalRoleType;
+    let principalRoleId;
+    // Direct principal/resource type pins (from `principal == Type::"id"` /
+    // `resource == Type::"id"`). When present, these override the
+    // schema-derived defaults so the generated request matches what the
+    // policy explicitly scoped to.
+    let pinnedPrincipalType;
+    let pinnedResourceType;
+    // Extract action from scope
+    if (json.action.op === "==") {
+        const e = "entity" in json.action ? json.action["entity"] : null;
+        if (e)
+            actionId = e.id;
+    }
+    else if (json.action.op === "in") {
+        const entities = "entities" in json.action
+            ? json.action["entities"]
+            : "entity" in json.action
+                ? [json.action["entity"]]
+                : [];
+        if (entities[0])
+            actionId = entities[0].id;
+    }
+    // Extract principal from scope.
+    //
+    // `op === "in"` is the role-membership pattern: principal in Role::"X".
+    //   We record principalRoleType + principalRoleId so the entity builder
+    //   can attach the role as a parent.
+    //
+    // `op === "=="` is the direct pin: principal == User::"alice".
+    //   The principal type itself is information the generator needs (it
+    //   tells us which entity type to instantiate). Without this, the
+    //   generator fell back to schema-derived defaults that didn't always
+    //   match the policy's principal pin — caught by a regression test on
+    //   defaultActionIdFromSchema when the schema's first action's
+    //   appliesTo.principalTypes disagreed with the policy's pinned type.
+    if (json.principal.op === "in") {
+        const e = "entity" in json.principal ? json.principal["entity"] : null;
+        if (e) {
+            principalRoleType = e.type;
+            principalRoleId = e.id;
+        }
+    }
+    else if (json.principal.op === "==") {
+        const e = "entity" in json.principal ? json.principal["entity"] : null;
+        if (e) {
+            pinnedPrincipalType = e.type;
+        }
+    }
+    // Same handling for resource direct-pin.
+    if (json.resource.op === "==") {
+        const e = "entity" in json.resource ? json.resource["entity"] : null;
+        if (e) {
+            pinnedResourceType = e.type;
+        }
+    }
+    const derived = entityTypesFromSchema(schemaJson, schemaNamespace, actionId);
+    const principalType = pinnedPrincipalType ?? derived.principalType;
+    const resourceType = pinnedResourceType ?? derived.resourceType;
+    return {
+        principalType,
+        principalRoleType,
+        principalRoleId,
+        actionType,
+        actionId,
+        resourceType,
+    };
+}
+// ─── Entity building ──────────────────────────────────────────────────────────
+/**
+ * Pick a default action id when the policy scope doesn't specify one.
+ *
+ * Original fallback was a hardcoded `"READ"` (uppercase) which mismatched
+ * schemas declaring lowercase action keys (e.g. `actions: { read: { ... } }`).
+ * Cedar's request validator then rejected the request because `Action::"READ"`
+ * isn't declared, causing a default-deny that contradicted the generator's
+ * own `decision: "Allow"` self-report. Caught by e2e behavior test B3.
+ *
+ * The fix evolved through two iterations:
+ *
+ *   v1: return Object.keys(actions)[0] — picked the first declared action.
+ *       Broke when the schema's first action had `appliesTo.principalTypes`
+ *       that didn't include the scope's principal type. Example:
+ *         { adminOnly: { appliesTo: ["Admin"] }, read: { appliesTo: ["User"] } }
+ *       with a policy targeting `User` would pick `adminOnly`, then schema
+ *       validation rejects because the principal type doesn't apply.
+ *
+ *   v2 (this version): find an action whose `appliesTo.principalTypes` includes
+ *       the scope's bare principal type (e.g. "User" extracted from
+ *       "DocMgmt::User"). Falls back to the first action only if no match.
+ *       Final fallback is lowercase "read" when no schema is supplied at all.
+ */
+function defaultActionIdFromSchema(schemaJson, namespace, principalType // full namespaced form like "DocMgmt::User"
+) {
+    try {
+        const ns = schemaJson?.[namespace];
+        const actions = ns?.["actions"];
+        if (!actions)
+            return "read";
+        const keys = Object.keys(actions);
+        if (keys.length === 0)
+            return "read";
+        // Extract bare principal type name ("User" from "DocMgmt::User") for matching
+        // against the schema's appliesTo.principalTypes (which are stored unprefixed).
+        const barePrincipalType = principalType
+            ? principalType.split("::").pop()
+            : undefined;
+        if (barePrincipalType) {
+            for (const key of keys) {
+                const appliesTo = actions[key]?.["appliesTo"];
+                const principalTypes = appliesTo?.["principalTypes"];
+                if (principalTypes && principalTypes.includes(barePrincipalType)) {
+                    return key;
+                }
+            }
+        }
+        // No action has appliesTo matching the scope's principal type, OR no principal
+        // type was passed. Fall back to first declared action — better than the old
+        // hardcoded "READ" because at least it's a real declared action.
+        return keys[0];
+    }
+    catch { /* fall through */ }
+    return "read";
+}
+function buildEntities(scope, constraints, targetDecision, schemaNamespace, likeConstraints = [], schemaJson) {
+    const principalId = "sample-principal";
+    const resourceId = "sample-resource";
+    const actionId = scope.actionId ?? defaultActionIdFromSchema(schemaJson, schemaNamespace, scope.principalType);
+    // Seed required attributes from schema so validateRequest: true doesn't fail on missing fields.
+    // Condition-derived values (eq, has, contains, like) overwrite these defaults below.
+    const principalAttrs = schemaJson
+        ? requiredAttrsFromSchema(schemaJson, schemaNamespace, scope.principalType)
+        : {};
+    const resourceAttrs = schemaJson
+        ? requiredAttrsFromSchema(schemaJson, schemaNamespace, scope.resourceType)
+        : {};
+    // For deny, prefer violating a "has" constraint first, then "contains"/"eq".
+    // Omitting an optional attribute is the clearest deny signal.
+    let violatedConstraint = null;
+    if (targetDecision === "deny") {
+        violatedConstraint =
+            constraints.find((c) => c.op === "has" && c.variable === "resource") ??
+                constraints.find((c) => c.op === "has" && c.variable === "principal") ??
+                constraints.find((c) => c.op === "contains") ??
+                constraints.find((c) => c.op === "eq") ??
+                null;
+    }
+    for (const c of constraints) {
+        const shouldSatisfy = targetDecision === "allow" || c !== violatedConstraint;
+        if (c.variable === "principal") {
+            if (c.op === "eq" && shouldSatisfy)
+                principalAttrs[c.attr] = c.value;
+            if (c.op === "eq" && !shouldSatisfy)
+                principalAttrs[c.attr] = `__deny_${c.attr}`;
+            if (c.op === "contains" && shouldSatisfy)
+                principalAttrs[c.attr] = c.values?.[0];
+            if (c.op === "contains" && !shouldSatisfy)
+                principalAttrs[c.attr] = `__deny_not_in_set`;
+        }
+        if (c.variable === "resource") {
+            // If we're denying by omitting this attr (has-violated), skip its eq constraint too
+            const attrOmittedByDeny = violatedConstraint?.op === "has" &&
+                violatedConstraint.variable === "resource" &&
+                violatedConstraint.attr === c.attr;
+            if (c.op === "eq" && shouldSatisfy && !attrOmittedByDeny)
+                resourceAttrs[c.attr] = c.value;
+            if (c.op === "eq" && !shouldSatisfy)
+                resourceAttrs[c.attr] = `__deny_${c.attr}`;
+            // contains/in: pick first value from set for allow, sentinel not in set for deny
+            if (c.op === "contains" && shouldSatisfy)
+                resourceAttrs[c.attr] = c.values?.[0];
+            if (c.op === "contains" && !shouldSatisfy)
+                resourceAttrs[c.attr] = `__deny_not_in_set`;
+            if (c.op === "has" && shouldSatisfy) {
+                // Include the optional attr — set to a neutral value if no eq constraint follows
+                const eqForAttr = constraints.find((x) => x.op === "eq" && x.variable === "resource" && x.attr === c.attr);
+                if (!eqForAttr)
+                    resourceAttrs[c.attr] = "present";
+            }
+            if (c.op === "has" && !shouldSatisfy) {
+                // Omit the optional attribute — deny by not having it
+                delete resourceAttrs[c.attr];
+            }
+            if (c.op === "not_has") {
+                // This is from an "unless" clause — omit the attr to satisfy the denial condition
+                delete resourceAttrs[c.attr];
+            }
+        }
+    }
+    // Apply like-based attribute generation.
+    // For deny: negative like (depth-limit) takes priority over eq-violation for the same attribute —
+    // it produces a more educational value (e.g. "/api/v1/projects/x/x" beats "__deny_path").
+    const attrsWithNegativeLike = new Set(likeConstraints
+        .filter((lc) => lc.negated && targetDecision === "deny")
+        .map((lc) => `${lc.variable}.${lc.attr}`));
+    for (const lc of likeConstraints) {
+        const target = lc.variable === "resource" ? resourceAttrs : principalAttrs;
+        const key = `${lc.variable}.${lc.attr}`;
+        // Allow: skip if already set by an eq constraint (== covers the allow case via ||)
+        // Deny: skip only if there's no negative like for this attr (eq-violation is the fallback)
+        if (target[lc.attr] !== undefined && !(targetDecision === "deny" && attrsWithNegativeLike.has(key)))
+            continue;
+        if (targetDecision === "allow" && !lc.negated) {
+            target[lc.attr] = patternToString(lc.pattern, "x");
+        }
+        else if (targetDecision === "deny" && lc.negated) {
+            // Satisfying the negative pattern makes !like false → deny
+            target[lc.attr] = patternToString(lc.pattern, "x");
+        }
+        else if (targetDecision === "deny" && !lc.negated) {
+            // No negative pattern to exploit — use a non-matching prefix
+            // Validation loop will catch if this doesn't produce a deny
+            if (target[lc.attr] === undefined)
+                target[lc.attr] = "/deny/path";
+        }
+    }
+    const principalEntity = {
+        uid: { type: scope.principalType, id: principalId },
+        attrs: principalAttrs,
+        parents: scope.principalRoleType && scope.principalRoleId
+            ? [{ type: scope.principalRoleType, id: scope.principalRoleId }]
+            : [],
+    };
+    const resourceEntity = {
+        uid: { type: scope.resourceType, id: resourceId },
+        attrs: resourceAttrs,
+        parents: [],
+    };
+    const entities = [principalEntity, resourceEntity];
+    // Add role entity if needed
+    if (scope.principalRoleType && scope.principalRoleId) {
+        entities.push({
+            uid: { type: scope.principalRoleType, id: scope.principalRoleId },
+            attrs: {},
+            parents: [],
+        });
+    }
+    return {
+        entities,
+        principalId,
+        actionId,
+        resourceId,
+    };
+}
+// ─── Handler ──────────────────────────────────────────────────────────────────
+export async function handleGenerateSample(input) {
+    // Parse policy
+    const policyResult = policyToJson(input.policy);
+    if (policyResult.type === "failure") {
+        return { principal: "", action: "", resource: "", entities: [], explanation: "", error: policyResult.errors.map((e) => e.message).join("; ") };
+    }
+    const json = policyResult.json;
+    // Extract namespace and schema JSON for entity type lookup.
+    // schemaToJsonWithResolvedTypes only accepts Cedar text — for JSON schemas, parse directly.
+    //
+    // Cedar's "namespaceless" schema uses an empty-string namespace key:
+    // `{"": {entityTypes: {...}}}`. Object.keys returns `[""]`, and treating
+    // that as truthy via `if (ns)` previously fell through to the hardcoded
+    // "MyApp" default, hallucinating a namespace the schema didn't declare.
+    // `if (ns !== undefined)` keeps the empty string as a legitimate namespace
+    // that downstream `qualifyEntityType` rewrites as no prefix at all
+    // (kickoff-14 14d audit Finding F2).
+    let schemaNamespace = "MyApp";
+    let schemaJson = undefined;
+    try {
+        const parsed = JSON.parse(input.schema);
+        const ns = Object.keys(parsed)[0];
+        if (ns !== undefined) {
+            schemaNamespace = ns;
+            schemaJson = parsed;
+        }
+    }
+    catch {
+        // Not JSON — try Cedar text schema
+        try {
+            const schemaResult = schemaToJsonWithResolvedTypes(input.schema);
+            if (schemaResult.type === "success") {
+                const ns = Object.keys(schemaResult.json)[0];
+                if (ns !== undefined) {
+                    schemaNamespace = ns;
+                    schemaJson = schemaResult.json;
+                }
+            }
+        }
+        catch {
+            // Non-fatal — proceed with default namespace
+        }
+    }
+    // Extract equality/has constraints and like constraints separately
+    const constraints = extractConstraints(json.conditions);
+    const likeConstraints = extractLikeConstraints(json.conditions);
+    const scope = extractScope(json, schemaNamespace, schemaJson);
+    // Build entities, passing like constraints for path-matching generation
+    const { entities, principalId, actionId, resourceId } = buildEntities(scope, constraints, input.target_decision, schemaNamespace, likeConstraints, schemaJson);
+    const principalRef = `${scope.principalType}::"${principalId}"`;
+    const actionRef = `${scope.actionType}::"${actionId}"`;
+    const resourceRef = `${scope.resourceType}::"${resourceId}"`;
+    // Validate the generated payload with isAuthorized. Pass the user's schema
+    // with `validateRequest: true` so a generator-fabricated entity type that
+    // doesn't exist in the schema (e.g. when the schema has no namespace and
+    // an earlier code path leaked a default like `MyApp::Resource`) flips
+    // `ready_to_test` to false instead of falsely claiming the payload is
+    // ready (kickoff-14 14d audit Finding F3).
+    let verifySchema;
+    try {
+        verifySchema = JSON.parse(input.schema);
+    }
+    catch {
+        verifySchema = input.schema;
+    }
+    const authResult = isAuthorized({
+        principal: { type: scope.principalType, id: principalId },
+        action: { type: scope.actionType, id: actionId },
+        resource: { type: scope.resourceType, id: resourceId },
+        context: {},
+        policies: { staticPolicies: input.policy },
+        entities: entities,
+        schema: verifySchema,
+        validateRequest: true,
+    });
+    if (authResult.type === "failure") {
+        return {
+            principal: principalRef,
+            action: actionRef,
+            resource: resourceRef,
+            entities,
+            explanation: "Authorization check failed during validation.",
+            error: authResult.errors.map((e) => e.message).join("; "),
+        };
+    }
+    let actualDecision = authResult.response.decision === "allow" ? "Allow" : "Deny";
+    const targetLabel = input.target_decision === "allow" ? "Allow" : "Deny";
+    // Retry once with fallback if initial generation missed the target.
+    // For like-deny with no negative pattern, try the opposite wildcard count.
+    if (actualDecision !== targetLabel && likeConstraints.length > 0) {
+        const fallbackAttrs = { ...entities.find(e => e.uid.type === scope.resourceType)?.attrs ?? {} };
+        for (const lc of likeConstraints.filter(l => !l.negated && l.variable === "resource")) {
+            // For deny fallback: try a completely off-prefix path
+            if (input.target_decision === "deny")
+                fallbackAttrs[lc.attr] = "/deny/path/mismatch";
+            // For allow fallback: try two wildcard segments (sometimes needed for complex patterns)
+            if (input.target_decision === "allow")
+                fallbackAttrs[lc.attr] = patternToString(lc.pattern, "sample");
+        }
+        const retryEntities = entities.map(e => e.uid.type === scope.resourceType ? { ...e, attrs: fallbackAttrs } : e);
+        const retryResult = isAuthorized({
+            principal: { type: scope.principalType, id: principalId },
+            action: { type: scope.actionType, id: actionId },
+            resource: { type: scope.resourceType, id: resourceId },
+            context: {},
+            policies: { staticPolicies: input.policy },
+            entities: retryEntities,
+            schema: verifySchema,
+            validateRequest: true,
+        });
+        if (retryResult.type === "success") {
+            const retryDecision = retryResult.response.decision === "allow" ? "Allow" : "Deny";
+            if (retryDecision === targetLabel) {
+                actualDecision = retryDecision;
+                entities.splice(0, entities.length, ...retryEntities);
+            }
+        }
+    }
+    const explanation = actualDecision === targetLabel
+        ? `This request will be ${actualDecision.toUpperCase()} as expected.`
+        : `Generated payload produced ${actualDecision} instead of expected ${targetLabel}. The policy conditions may be more complex than automated extraction supports.`;
+    return {
+        principal: principalRef,
+        action: actionRef,
+        resource: resourceRef,
+        entities,
+        explanation,
+        decision: actualDecision,
+        ready_to_test: actualDecision === targetLabel,
+    };
+}
+//# sourceMappingURL=generate-sample.js.map

package/dist/tools/generate-sample.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-sample.js","sourceRoot":"","sources":["../../src/tools/generate-sample.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,6BAA6B,GAC9B,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,sBAAsB,EACtB,eAAe,GAEhB,MAAM,yBAAyB,CAAC;AAmCjC,SAAS,kBAAkB,CAAC,UAAoC;IAC9D,MAAM,WAAW,GAA0B,EAAE,CAAC;IAC9C,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;QAChC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,SAAS,QAAQ,CACf,IAAa,EACb,UAA6B,EAC7B,WAAkC;IAElC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO;IACtD,MAAM,CAAC,GAAG,IAA+B,CAAC;IAE1C,sEAAsE;IACtE,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO;IAExB,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QACpC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAsC,CAAC;QACzD,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;QAC7C,QAAQ,CAAC,IAAI,CAAC,KAAK,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;QAC9C,OAAO;IACT,CAAC;IAED,gEAAgE;IAChE,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC;QACd,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAsC,CAAC;QAC1D,MAAM,IAAI,GAAG,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,IAAI,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;YAClC,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,WAAW,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YAClF,CAAC;QACH,CAAC;QACD,OAAO;IACT,CAAC;IAED,oDAAoD;IACpD,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;QACf,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAoC,CAAC;QACzD,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,WAAW,IAAI,OAAO,KAAK,UAAU,CAAC,EAAE,CAAC;YACnE,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;gBAC1B,WAAW,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YACtE,CAAC;iBAAM,CAAC;gBACN,WAAW,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;YAC1E,CAAC;QACH,CAAC;QACD,OAAO;IACT,CAAC;IAED,sFAAsF;IACtF,gDAAgD;IAChD,IAAI,IAAI,IAAI,CAAC,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAsC,CAAC;QAC1D,MAAM,IAAI,GAAG,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAgC,CAAC;QACpD,IAAI,IAAI,IAAI,KAAK,IAAI,KAAK,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAI,KAAK,CAAC,KAAK,CAAe,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;YAC5F,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,WAAW,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,CAAC;YACzF,CAAC;QACH,CAAC;QACD,OAAO;IACT,CAAC;IAED,qEAAqE;IACrE,uDAAuD;IACvD,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,UAAU,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC1F,MAAM,IAAI,GAAG,CAAC,CAAC,UAAU,CAAsC,CAAC;QAChE,MAAM,OAAO,GAAG,IAAI,CAAC,IAA+B,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC;QAC5B,IAAI,KAAK,IAAI,OAAO,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;YAC9C,MAAM,IAAI,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YACzC,MAAM,MAAM,GAAI,OAAO,CAAC,KAAK,CAAe,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;YAC9F,IAAI,IAAI,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,WAAW,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,CAAC;YACzF,CAAC;QACH,CAAC;QACD,OAAO;IACT,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CACxB,IAAa;IAEb,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC3D,MAAM,CAAC,GAAG,IAA+B,CAAC;IAC1C,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAoC,CAAC;QACvD,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,OAAO,KAAK,WAAW,IAAI,OAAO,KAAK,UAAU,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;YAC/E,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,UAAU,CAAC,IAAa;IAC/B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,IAAI,KAAK,IAAK,IAAgC,EAAE,CAAC;QAC5F,OAAQ,IAA+B,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC;IACzD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,YAAY,CAAC,IAAa;IACjC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,SAAS,CAAC;IAChE,MAAM,CAAC,GAAG,IAA+B,CAAC;IAC1C,IAAI,OAAO,IAAI,CAAC,EAAE,CAAC;QACjB,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC;QACrB,IAAI,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,UAAU,IAAK,CAA6B,EAAE,CAAC;YACxF,OAAO,SAAS,CAAC,CAAC,mDAAmD;QACvE,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAaD;;;;;GAKG;AACH,SAAS,uBAAuB,CAC9B,UAAmB,EACnB,SAAiB,EACjB,cAAsB;IAEtB,IAAI,CAAC;QACH,MAAM,EAAE,GAAI,UAAsC,EAAE,CAAC,SAAS,CAA4B,CAAC;QAC3F,MAAM,WAAW,GAAG,EAAE,EAAE,CAAC,aAAa,CAA4B,CAAC;QACnE,kEAAkE;QAClE,MAAM,cAAc,GAAG,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC;YAClD,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,EAAG;YACnC,CAAC,CAAC,cAAc,CAAC;QACnB,MAAM,SAAS,GAAG,WAAW,EAAE,CAAC,cAAc,CAA4B,CAAC;QAC3E,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC,OAAO,CAA4B,CAAC;QAC9D,MAAM,UAAU,GAAG,KAAK,EAAE,CAAC,YAAY,CAA4C,CAAC;QACpF,IAAI,CAAC,UAAU;YAAE,OAAO,EAAE,CAAC;QAE3B,MAAM,QAAQ,GAA4B,EAAE,CAAC;QAC7C,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YAC7D,qEAAqE;YACrE,0EAA0E;YAC1E,wEAAwE;YACxE,oEAAoE;YACpE,wEAAwE;YACxE,qEAAqE;YACrE,uEAAuE;YACvE,yBAAyB;YACzB,IAAI,OAAO,CAAC,UAAU,CAAC,KAAK,KAAK;gBAAE,SAAS;YAC5C,MAAM,QAAQ,GAAI,OAAO,CAAC,MAAM,CAAwB,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;YAC9E,IAAI,QAAQ,KAAK,QAAQ;gBAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;iBAC9C,IAAI,QAAQ,KAAK,MAAM;gBAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;iBAChD,IAAI,QAAQ,KAAK,SAAS;gBAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG,KAAK,CAAC;YAC5D,0EAA0E;QAC5E,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CAAC,QAAgB,EAAE,SAAiB;IAC5D,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC7C,OAAO,SAAS,CAAC,CAAC,CAAC,GAAG,SAAS,KAAK,QAAQ,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC;AAC5D,CAAC;AAED,SAAS,qBAAqB,CAC5B,UAAmB,EACnB,SAAiB,EACjB,QAA4B;IAE5B,IAAI,CAAC;QACH,MAAM,EAAE,GAAI,UAAsC,EAAE,CAAC,SAAS,CAA4B,CAAC;QAC3F,MAAM,OAAO,GAAG,EAAE,EAAE,CAAC,SAAS,CAA4B,CAAC;QAC3D,MAAM,SAAS,GAAG,QAAQ,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QACnF,MAAM,SAAS,GAAI,SAAqC,EAAE,CAAC,WAAW,CAA4B,CAAC;QACnG,MAAM,cAAc,GAAG,SAAS,EAAE,CAAC,gBAAgB,CAAyB,CAAC;QAC7E,MAAM,aAAa,GAAG,SAAS,EAAE,CAAC,eAAe,CAAyB,CAAC;QAC3E,OAAO;YACL,aAAa,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,MAAM,EAAE,SAAS,CAAC;YAC3H,YAAY,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,UAAU,EAAE,SAAS,CAAC;SAC7H,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,aAAa,EAAE,iBAAiB,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,YAAY,EAAE,iBAAiB,CAAC,UAAU,EAAE,SAAS,CAAC,EAAE,CAAC;IACzH,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,IAAgB,EAAE,eAAuB,EAAE,UAAoB;IACnF,2EAA2E;IAC3E,+EAA+E;IAC/E,MAAM,UAAU,GAAG,iBAAiB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAEhE,IAAI,QAA4B,CAAC;IACjC,IAAI,iBAAqC,CAAC;IAC1C,IAAI,eAAmC,CAAC;IACxC,wEAAwE;IACxE,8DAA8D;IAC9D,oEAAoE;IACpE,+BAA+B;IAC/B,IAAI,mBAAuC,CAAC;IAC5C,IAAI,kBAAsC,CAAC;IAE3C,4BAA4B;IAC5B,IAAI,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;QAC5B,MAAM,CAAC,GAAG,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,CAAE,IAAI,CAAC,MAAkC,CAAC,QAAQ,CAAiC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9H,IAAI,CAAC;YAAE,QAAQ,GAAG,CAAC,CAAC,EAAE,CAAC;IACzB,CAAC;SAAM,IAAI,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;QACnC,MAAM,QAAQ,GAAG,UAAU,IAAI,IAAI,CAAC,MAAM;YACxC,CAAC,CAAE,IAAI,CAAC,MAAkC,CAAC,UAAU,CAAwC;YAC7F,CAAC,CAAC,QAAQ,IAAI,IAAI,CAAC,MAAM;gBACvB,CAAC,CAAC,CAAE,IAAI,CAAC,MAAkC,CAAC,QAAQ,CAAiC,CAAC;gBACtF,CAAC,CAAC,EAAE,CAAC;QACT,IAAI,QAAQ,CAAC,CAAC,CAAC;YAAE,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7C,CAAC;IAED,gCAAgC;IAChC,EAAE;IACF,wEAAwE;IACxE,wEAAwE;IACxE,qCAAqC;IACrC,EAAE;IACF,+DAA+D;IAC/D,qEAAqE;IACrE,kEAAkE;IAClE,sEAAsE;IACtE,sEAAsE;IACtE,+DAA+D;IAC/D,sEAAsE;IACtE,IAAI,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;QAC/B,MAAM,CAAC,GAAG,QAAQ,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAE,IAAI,CAAC,SAAqC,CAAC,QAAQ,CAAiC,CAAC,CAAC,CAAC,IAAI,CAAC;QACpI,IAAI,CAAC,EAAE,CAAC;YACN,iBAAiB,GAAG,CAAC,CAAC,IAAI,CAAC;YAC3B,eAAe,GAAG,CAAC,CAAC,EAAE,CAAC;QACzB,CAAC;IACH,CAAC;SAAM,IAAI,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;QACtC,MAAM,CAAC,GAAG,QAAQ,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAE,IAAI,CAAC,SAAqC,CAAC,QAAQ,CAAiC,CAAC,CAAC,CAAC,IAAI,CAAC;QACpI,IAAI,CAAC,EAAE,CAAC;YACN,mBAAmB,GAAG,CAAC,CAAC,IAAI,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,yCAAyC;IACzC,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAE,IAAI,CAAC,QAAoC,CAAC,QAAQ,CAAiC,CAAC,CAAC,CAAC,IAAI,CAAC;QAClI,IAAI,CAAC,EAAE,CAAC;YACN,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,qBAAqB,CAAC,UAAU,EAAE,eAAe,EAAE,QAAQ,CAAC,CAAC;IAC7E,MAAM,aAAa,GAAG,mBAAmB,IAAI,OAAO,CAAC,aAAa,CAAC;IACnE,MAAM,YAAY,GAAG,kBAAkB,IAAI,OAAO,CAAC,YAAY,CAAC;IAEhE,OAAO;QACL,aAAa;QACb,iBAAiB;QACjB,eAAe;QACf,UAAU;QACV,QAAQ;QACR,YAAY;KACb,CAAC;AACJ,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,SAAS,yBAAyB,CAChC,UAAmB,EACnB,SAAiB,EACjB,aAAsB,CAAE,4CAA4C;;IAEpE,IAAI,CAAC;QACH,MAAM,EAAE,GAAI,UAAsC,EAAE,CAAC,SAAS,CAAwC,CAAC;QACvG,MAAM,OAAO,GAAG,EAAE,EAAE,CAAC,SAAS,CAAwD,CAAC;QACvF,IAAI,CAAC,OAAO;YAAE,OAAO,MAAM,CAAC;QAE5B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,MAAM,CAAC;QAErC,8EAA8E;QAC9E,+EAA+E;QAC/E,MAAM,iBAAiB,GAAG,aAAa;YACrC,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE;YACjC,CAAC,CAAC,SAAS,CAAC;QAEd,IAAI,iBAAiB,EAAE,CAAC;YACtB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,WAAW,CAAwC,CAAC;gBACrF,MAAM,cAAc,GAAG,SAAS,EAAE,CAAC,gBAAgB,CAAyB,CAAC;gBAC7E,IAAI,cAAc,IAAI,cAAc,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;oBACjE,OAAO,GAAG,CAAC;gBACb,CAAC;YACH,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,4EAA4E;QAC5E,iEAAiE;QACjE,OAAO,IAAI,CAAC,CAAC,CAAE,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;IAC9B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,aAAa,CACpB,KAAgB,EAChB,WAAkC,EAClC,cAAgC,EAChC,eAAuB,EACvB,kBAAoC,EAAE,EACtC,UAAoB;IAEpB,MAAM,WAAW,GAAG,kBAAkB,CAAC;IACvC,MAAM,UAAU,GAAG,iBAAiB,CAAC;IACrC,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,yBAAyB,CAAC,UAAU,EAAE,eAAe,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;IAE/G,gGAAgG;IAChG,qFAAqF;IACrF,MAAM,cAAc,GAA4B,UAAU;QACxD,CAAC,CAAC,uBAAuB,CAAC,UAAU,EAAE,eAAe,EAAE,KAAK,CAAC,aAAa,CAAC;QAC3E,CAAC,CAAC,EAAE,CAAC;IACP,MAAM,aAAa,GAA4B,UAAU;QACvD,CAAC,CAAC,uBAAuB,CAAC,UAAU,EAAE,eAAe,EAAE,KAAK,CAAC,YAAY,CAAC;QAC1E,CAAC,CAAC,EAAE,CAAC;IAEP,6EAA6E;IAC7E,8DAA8D;IAC9D,IAAI,kBAAkB,GAA+B,IAAI,CAAC;IAC1D,IAAI,cAAc,KAAK,MAAM,EAAE,CAAC;QAC9B,kBAAkB;YAChB,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC;gBACpE,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,IAAI,CAAC,CAAC,QAAQ,KAAK,WAAW,CAAC;gBACrE,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC;gBAC5C,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC;gBACtC,IAAI,CAAC;IACT,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,MAAM,aAAa,GAAG,cAAc,KAAK,OAAO,IAAI,CAAC,KAAK,kBAAkB,CAAC;QAE7E,IAAI,CAAC,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YAC/B,IAAI,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,aAAa;gBAAE,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YACrE,IAAI,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC,aAAa;gBAAE,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;YACjF,IAAI,CAAC,CAAC,EAAE,KAAK,UAAU,IAAI,aAAa;gBAAE,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;YACjF,IAAI,CAAC,CAAC,EAAE,KAAK,UAAU,IAAI,CAAC,aAAa;gBAAE,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC;QAC1F,CAAC;QAED,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;YAC9B,oFAAoF;YACpF,MAAM,iBAAiB,GACrB,kBAAkB,EAAE,EAAE,KAAK,KAAK;gBAChC,kBAAkB,CAAC,QAAQ,KAAK,UAAU;gBAC1C,kBAAkB,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC;YAErC,IAAI,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,aAAa,IAAI,CAAC,iBAAiB;gBAAE,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YAC1F,IAAI,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC,aAAa;gBAAE,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;YAChF,iFAAiF;YACjF,IAAI,CAAC,CAAC,EAAE,KAAK,UAAU,IAAI,aAAa;gBAAE,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;YAChF,IAAI,CAAC,CAAC,EAAE,KAAK,UAAU,IAAI,CAAC,aAAa;gBAAE,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC;YACvF,IAAI,CAAC,CAAC,EAAE,KAAK,KAAK,IAAI,aAAa,EAAE,CAAC;gBACpC,iFAAiF;gBACjF,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAChC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,CACvE,CAAC;gBACF,IAAI,CAAC,SAAS;oBAAE,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC;YACpD,CAAC;YACD,IAAI,CAAC,CAAC,EAAE,KAAK,KAAK,IAAI,CAAC,aAAa,EAAE,CAAC;gBACrC,sDAAsD;gBACtD,OAAO,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;YACD,IAAI,CAAC,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;gBACvB,kFAAkF;gBAClF,OAAO,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;IACH,CAAC;IAED,yCAAyC;IACzC,kGAAkG;IAClG,0FAA0F;IAC1F,MAAM,qBAAqB,GAAG,IAAI,GAAG,CACnC,eAAe;SACZ,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,OAAO,IAAI,cAAc,KAAK,MAAM,CAAC;SACvD,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,CAC5C,CAAC;IAEF,KAAK,MAAM,EAAE,IAAI,eAAe,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,EAAE,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,cAAc,CAAC;QAC3E,MAAM,GAAG,GAAG,GAAG,EAAE,CAAC,QAAQ,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC;QACxC,mFAAmF;QACnF,2FAA2F;QAC3F,IAAI,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,CAAC,cAAc,KAAK,MAAM,IAAI,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAAE,SAAS;QAE9G,IAAI,cAAc,KAAK,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC;YAC9C,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACrD,CAAC;aAAM,IAAI,cAAc,KAAK,MAAM,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC;YACnD,2DAA2D;YAC3D,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACrD,CAAC;aAAM,IAAI,cAAc,KAAK,MAAM,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC;YACpD,6DAA6D;YAC7D,4DAA4D;YAC5D,IAAI,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,SAAS;gBAAE,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC;QACpE,CAAC;IACH,CAAC;IAED,MAAM,eAAe,GAAkB;QACrC,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,aAAa,EAAE,EAAE,EAAE,WAAW,EAAE;QACnD,KAAK,EAAE,cAAc;QACrB,OAAO,EAAE,KAAK,CAAC,iBAAiB,IAAI,KAAK,CAAC,eAAe;YACvD,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,iBAAiB,EAAE,EAAE,EAAE,KAAK,CAAC,eAAe,EAAE,CAAC;YAChE,CAAC,CAAC,EAAE;KACP,CAAC;IAEF,MAAM,cAAc,GAAkB;QACpC,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,YAAY,EAAE,EAAE,EAAE,UAAU,EAAE;QACjD,KAAK,EAAE,aAAa;QACpB,OAAO,EAAE,EAAE;KACZ,CAAC;IAEF,MAAM,QAAQ,GAAoB,CAAC,eAAe,EAAE,cAAc,CAAC,CAAC;IAEpE,4BAA4B;IAC5B,IAAI,KAAK,CAAC,iBAAiB,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;QACrD,QAAQ,CAAC,IAAI,CAAC;YACZ,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,iBAAiB,EAAE,EAAE,EAAE,KAAK,CAAC,eAAe,EAAE;YACjE,KAAK,EAAE,EAAE;YACT,OAAO,EAAE,EAAE;SACZ,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,QAAQ;QACR,WAAW;QACX,QAAQ;QACR,UAAU;KACX,CAAC;AACJ,CAAC;AAED,iFAAiF;AAEjF,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,KAA0B;IACnE,eAAe;IACf,MAAM,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAChD,IAAI,YAAY,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QACpC,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,KAAK,EAAE,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;IACjJ,CAAC;IACD,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC;IAE/B,4DAA4D;IAC5D,4FAA4F;IAC5F,EAAE;IACF,qEAAqE;IACrE,yEAAyE;IACzE,wEAAwE;IACxE,wEAAwE;IACxE,2EAA2E;IAC3E,mEAAmE;IACnE,qCAAqC;IACrC,IAAI,eAAe,GAAG,OAAO,CAAC;IAC9B,IAAI,UAAU,GAAY,SAAS,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACxC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,EAAE,KAAK,SAAS,EAAE,CAAC;YAAC,eAAe,GAAG,EAAE,CAAC;YAAC,UAAU,GAAG,MAAM,CAAC;QAAC,CAAC;IACtE,CAAC;IAAC,MAAM,CAAC;QACP,mCAAmC;QACnC,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,6BAA6B,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YACjE,IAAI,YAAY,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACpC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC7C,IAAI,EAAE,KAAK,SAAS,EAAE,CAAC;oBAAC,eAAe,GAAG,EAAE,CAAC;oBAAC,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC;gBAAC,CAAC;YACjF,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,6CAA6C;QAC/C,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,MAAM,WAAW,GAA0B,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC/E,MAAM,eAAe,GAAqB,sBAAsB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAElF,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,EAAE,eAAe,EAAE,UAAU,CAAC,CAAC;IAE9D,wEAAwE;IACxE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,aAAa,CACnE,KAAK,EAAE,WAAW,EAAE,KAAK,CAAC,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,UAAU,CACxF,CAAC;IAEF,MAAM,YAAY,GAAG,GAAG,KAAK,CAAC,aAAa,MAAM,WAAW,GAAG,CAAC;IAChE,MAAM,SAAS,GAAG,GAAG,KAAK,CAAC,UAAU,MAAM,QAAQ,GAAG,CAAC;IACvD,MAAM,WAAW,GAAG,GAAG,KAAK,CAAC,YAAY,MAAM,UAAU,GAAG,CAAC;IAE7D,2EAA2E;IAC3E,0EAA0E;IAC1E,yEAAyE;IACzE,sEAAsE;IACtE,sEAAsE;IACtE,2CAA2C;IAC3C,IAAI,YAAgC,CAAC;IACrC,IAAI,CAAC;QACH,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAW,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,YAAY,GAAG,KAAK,CAAC,MAAgB,CAAC;IACxC,CAAC;IACD,MAAM,UAAU,GAAG,YAAY,CAAC;QAC9B,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,aAAa,EAAE,EAAE,EAAE,WAAW,EAAE;QACzD,MAAM,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE;QAChD,QAAQ,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,YAAY,EAAE,EAAE,EAAE,UAAU,EAAE;QACtD,OAAO,EAAE,EAAE;QACX,QAAQ,EAAE,EAAE,cAAc,EAAE,KAAK,CAAC,MAAM,EAAE;QAC1C,QAAQ,EAAE,QAAoB;QAC9B,MAAM,EAAE,YAAY;QACpB,eAAe,EAAE,IAAI;KACtB,CAAC,CAAC;IAEH,IAAI,UAAU,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAClC,OAAO;YACL,SAAS,EAAE,YAAY;YACvB,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE,WAAW;YACrB,QAAQ;YACR,WAAW,EAAE,+CAA+C;YAC5D,KAAK,EAAE,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;SAC1D,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,GAAqB,UAAU,CAAC,QAAQ,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;IACnG,MAAM,WAAW,GAAG,KAAK,CAAC,eAAe,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;IAEzE,oEAAoE;IACpE,2EAA2E;IAC3E,IAAI,cAAc,KAAK,WAAW,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjE,MAAM,aAAa,GAAG,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,KAAK,KAAK,CAAC,YAAY,CAAC,EAAE,KAAK,IAAI,EAAE,EAAE,CAAC;QAChG,KAAK,MAAM,EAAE,IAAI,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,EAAE,CAAC;YACtF,sDAAsD;YACtD,IAAI,KAAK,CAAC,eAAe,KAAK,MAAM;gBAAE,aAAa,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC;YACrF,wFAAwF;YACxF,IAAI,KAAK,CAAC,eAAe,KAAK,OAAO;gBAAE,aAAa,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,EAAE,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACxG,CAAC;QACD,MAAM,aAAa,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CACrC,CAAC,CAAC,GAAG,CAAC,IAAI,KAAK,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,CAAC,CACvE,CAAC;QACF,MAAM,WAAW,GAAG,YAAY,CAAC;YAC/B,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,aAAa,EAAE,EAAE,EAAE,WAAW,EAAE;YACzD,MAAM,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE;YAChD,QAAQ,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,YAAY,EAAE,EAAE,EAAE,UAAU,EAAE;YACtD,OAAO,EAAE,EAAE;YACX,QAAQ,EAAE,EAAE,cAAc,EAAE,KAAK,CAAC,MAAM,EAAE;YAC1C,QAAQ,EAAE,aAAyB;YACnC,MAAM,EAAE,YAAY;YACpB,eAAe,EAAE,IAAI;SACtB,CAAC,CAAC;QACH,IAAI,WAAW,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,aAAa,GAAG,WAAW,CAAC,QAAQ,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;YACnF,IAAI,aAAa,KAAK,WAAW,EAAE,CAAC;gBAClC,cAAc,GAAG,aAAa,CAAC;gBAC/B,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,QAAQ,CAAC,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG,cAAc,KAAK,WAAW;QAChD,CAAC,CAAC,wBAAwB,cAAc,CAAC,WAAW,EAAE,eAAe;QACrE,CAAC,CAAC,8BAA8B,cAAc,wBAAwB,WAAW,iFAAiF,CAAC;IAErK,OAAO;QACL,SAAS,EAAE,YAAY;QACvB,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE,WAAW;QACrB,QAAQ;QACR,WAAW;QACX,QAAQ,EAAE,cAAc;QACxB,aAAa,EAAE,cAAc,KAAK,WAAW;KAC9C,CAAC;AACJ,CAAC"}

package/dist/tools/link-template.d.ts

@@ -0,0 +1,17 @@
+export interface LinkTemplateInput {
+    template: string;
+    principal?: string;
+    resource?: string;
+    schema?: string;
+}
+export interface LinkTemplateResult {
+    linked_policy?: string;
+    slots_bound: Record<string, string>;
+    valid?: boolean;
+    errors?: Array<{
+        message: string;
+    }>;
+    error?: string;
+}
+export declare function handleLinkTemplate(input: LinkTemplateInput): Promise<LinkTemplateResult>;
+//# sourceMappingURL=link-template.d.ts.map

package/dist/tools/link-template.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"link-template.d.ts","sourceRoot":"","sources":["../../src/tools/link-template.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,MAAM,CAAC,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACpC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAcD,wBAAsB,kBAAkB,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA8E9F"}