cedar-mcp-server 1.0.0

package/dist/tools/advise/avp-rules.d.ts

@@ -0,0 +1,49 @@
+/**
+ * AVP UpdatePolicy mutability rules — proven from official docs 2026-05-20:
+ * https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicy.html
+ *
+ * UpdatePolicy only updates STATIC policies. Template-linked → use UpdatePolicyTemplate.
+ */
+export type AvpUpdateMode = "in_place_via_update_policy" | "requires_delete_recreate" | "new_policy_via_create_policy";
+export interface AvpChangeClassification {
+    mode: AvpUpdateMode;
+    rationale: string;
+}
+/** Classify which AVP API call a given change type requires. */
+export declare function classifyAvpChange(changeField: string): AvpChangeClassification;
+/** Validation error categories AVP raises — pre-detectable during authoring. */
+export declare const AVP_VALIDATION_ERRORS: readonly [{
+    readonly id: "UnrecognizedEntityType";
+    readonly description: "Policy references an entity type not declared in the schema.";
+}, {
+    readonly id: "UnrecognizedActionId";
+    readonly description: "Policy references an action not declared in the schema.";
+}, {
+    readonly id: "InvalidActionApplication";
+    readonly description: "Action does not apply to the specified principal and resource types per the schema appliesTo definition.";
+}, {
+    readonly id: "UnexpectedType";
+    readonly description: "An operand has the wrong type for the operation (e.g. comparing a String to an entity).";
+}, {
+    readonly id: "IncompatibleTypes";
+    readonly description: "Types in a Set or if/then/else expression are incompatible.";
+}, {
+    readonly id: "MissingAttribute";
+    readonly description: "Policy accesses an attribute not declared in the schema. Add the attribute to the schema or use a has guard.";
+}, {
+    readonly id: "UnsafeOptionalAttributeAccess";
+    readonly description: "Policy accesses an optional attribute without a has guard. This causes Cedar to silently skip the policy for principals/resources missing the attribute.";
+}, {
+    readonly id: "ImpossiblePolicy";
+    readonly description: "Cedar determined the condition always evaluates to false — the policy can never match any request.";
+}, {
+    readonly id: "WrongNumberArguments";
+    readonly description: "Extension type function called with wrong number of arguments.";
+}, {
+    readonly id: "FunctionArgumentValidationError";
+    readonly description: "Argument to an extension type function could not be parsed (e.g. invalid IP address string).";
+}];
+export type AvpValidationErrorId = typeof AVP_VALIDATION_ERRORS[number]["id"];
+/** AVP immutability rules summary — for use in sampling prompts. */
+export declare const AVP_RULES_SUMMARY: string;
+//# sourceMappingURL=avp-rules.d.ts.map

package/dist/tools/advise/avp-rules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"avp-rules.d.ts","sourceRoot":"","sources":["../../../src/tools/advise/avp-rules.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,MAAM,aAAa,GAAG,4BAA4B,GAAG,0BAA0B,GAAG,8BAA8B,CAAC;AAEvH,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,aAAa,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,gEAAgE;AAChE,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,uBAAuB,CA6B9E;AAED,gFAAgF;AAChF,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWxB,CAAC;AAEX,MAAM,MAAM,oBAAoB,GAAG,OAAO,qBAAqB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC;AAE9E,oEAAoE;AACpE,eAAO,MAAM,iBAAiB,QAMtB,CAAC"}

package/dist/tools/advise/avp-rules.js

@@ -0,0 +1,59 @@
+/**
+ * AVP UpdatePolicy mutability rules — proven from official docs 2026-05-20:
+ * https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicy.html
+ *
+ * UpdatePolicy only updates STATIC policies. Template-linked → use UpdatePolicyTemplate.
+ */
+/** Classify which AVP API call a given change type requires. */
+export function classifyAvpChange(changeField) {
+    switch (changeField) {
+        case "action":
+        case "when_clause":
+        case "unless_clause":
+        case "policy_name":
+            return {
+                mode: "in_place_via_update_policy",
+                rationale: "AVP UpdatePolicy supports modifying actions, when/unless clauses, and policy name in-place.",
+            };
+        case "effect":
+        case "principal":
+        case "resource":
+        case "policy_type_conversion":
+            return {
+                mode: "requires_delete_recreate",
+                rationale: "AVP UpdatePolicy cannot change effect, principal scope, resource scope, or convert between static and template-linked policies. Delete the existing policy and create a new one.",
+            };
+        case "new_policy":
+            return {
+                mode: "new_policy_via_create_policy",
+                rationale: "New policy — use AVP CreatePolicy API.",
+            };
+        default:
+            return {
+                mode: "in_place_via_update_policy",
+                rationale: "Change type unclassified — assume in-place update is possible but verify.",
+            };
+    }
+}
+/** Validation error categories AVP raises — pre-detectable during authoring. */
+export const AVP_VALIDATION_ERRORS = [
+    { id: "UnrecognizedEntityType", description: "Policy references an entity type not declared in the schema." },
+    { id: "UnrecognizedActionId", description: "Policy references an action not declared in the schema." },
+    { id: "InvalidActionApplication", description: "Action does not apply to the specified principal and resource types per the schema appliesTo definition." },
+    { id: "UnexpectedType", description: "An operand has the wrong type for the operation (e.g. comparing a String to an entity)." },
+    { id: "IncompatibleTypes", description: "Types in a Set or if/then/else expression are incompatible." },
+    { id: "MissingAttribute", description: "Policy accesses an attribute not declared in the schema. Add the attribute to the schema or use a has guard." },
+    { id: "UnsafeOptionalAttributeAccess", description: "Policy accesses an optional attribute without a has guard. This causes Cedar to silently skip the policy for principals/resources missing the attribute." },
+    { id: "ImpossiblePolicy", description: "Cedar determined the condition always evaluates to false — the policy can never match any request." },
+    { id: "WrongNumberArguments", description: "Extension type function called with wrong number of arguments." },
+    { id: "FunctionArgumentValidationError", description: "Argument to an extension type function could not be parsed (e.g. invalid IP address string)." },
+];
+/** AVP immutability rules summary — for use in sampling prompts. */
+export const AVP_RULES_SUMMARY = `
+AVP UpdatePolicy constraints (verified from official API docs):
+MUTABLE via UpdatePolicy: action scope, when/unless conditions, policy name.
+IMMUTABLE (delete+recreate required): effect (permit↔forbid), principal scope, resource scope, static↔template-linked conversion.
+NEW policies: use CreatePolicy API.
+Template-linked policies: use UpdatePolicyTemplate, not UpdatePolicy.
+`.trim();
+//# sourceMappingURL=avp-rules.js.map

package/dist/tools/advise/avp-rules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"avp-rules.js","sourceRoot":"","sources":["../../../src/tools/advise/avp-rules.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,gEAAgE;AAChE,MAAM,UAAU,iBAAiB,CAAC,WAAmB;IACnD,QAAQ,WAAW,EAAE,CAAC;QACpB,KAAK,QAAQ,CAAC;QACd,KAAK,aAAa,CAAC;QACnB,KAAK,eAAe,CAAC;QACrB,KAAK,aAAa;YAChB,OAAO;gBACL,IAAI,EAAE,4BAA4B;gBAClC,SAAS,EAAE,6FAA6F;aACzG,CAAC;QACJ,KAAK,QAAQ,CAAC;QACd,KAAK,WAAW,CAAC;QACjB,KAAK,UAAU,CAAC;QAChB,KAAK,wBAAwB;YAC3B,OAAO;gBACL,IAAI,EAAE,0BAA0B;gBAChC,SAAS,EAAE,kLAAkL;aAC9L,CAAC;QACJ,KAAK,YAAY;YACf,OAAO;gBACL,IAAI,EAAE,8BAA8B;gBACpC,SAAS,EAAE,wCAAwC;aACpD,CAAC;QACJ;YACE,OAAO;gBACL,IAAI,EAAE,4BAA4B;gBAClC,SAAS,EAAE,2EAA2E;aACvF,CAAC;IACN,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,EAAE,EAAE,EAAE,wBAAwB,EAAE,WAAW,EAAE,8DAA8D,EAAE;IAC7G,EAAE,EAAE,EAAE,sBAAsB,EAAE,WAAW,EAAE,yDAAyD,EAAE;IACtG,EAAE,EAAE,EAAE,0BAA0B,EAAE,WAAW,EAAE,0GAA0G,EAAE;IAC3J,EAAE,EAAE,EAAE,gBAAgB,EAAE,WAAW,EAAE,yFAAyF,EAAE;IAChI,EAAE,EAAE,EAAE,mBAAmB,EAAE,WAAW,EAAE,6DAA6D,EAAE;IACvG,EAAE,EAAE,EAAE,kBAAkB,EAAE,WAAW,EAAE,8GAA8G,EAAE;IACvJ,EAAE,EAAE,EAAE,+BAA+B,EAAE,WAAW,EAAE,0JAA0J,EAAE;IAChN,EAAE,EAAE,EAAE,kBAAkB,EAAE,WAAW,EAAE,oGAAoG,EAAE;IAC7I,EAAE,EAAE,EAAE,sBAAsB,EAAE,WAAW,EAAE,gEAAgE,EAAE;IAC7G,EAAE,EAAE,EAAE,iCAAiC,EAAE,WAAW,EAAE,8FAA8F,EAAE;CAC9I,CAAC;AAIX,oEAAoE;AACpE,MAAM,CAAC,MAAM,iBAAiB,GAAG;;;;;;CAMhC,CAAC,IAAI,EAAE,CAAC"}

package/dist/tools/advise/cedar-patterns.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Cedar design pattern definitions and classifier.
+ * Patterns proven from official docs 2026-05-20:
+ * https://docs.cedarpolicy.com/overview/patterns.html
+ */
+import type { PolicyJson } from "@cedar-policy/cedar-wasm/nodejs";
+export type CedarPattern = "membership" | "relationship" | "discretionary" | "hybrid" | "unknown";
+export interface PatternClassification {
+    pattern: CedarPattern;
+    confidence: "high" | "medium" | "low";
+    evidence: string;
+}
+/**
+ * Classify a single policy's primary Cedar pattern from its policyToJson AST.
+ *
+ * Membership (RBAC):  principal in Role::"X"  — scope uses "in" with a non-resource entity
+ * Relationship (ReBAC): principal in resource.attr — condition body has "in" with resource attribute
+ * Discretionary: principal == Service::"specific"  — scope uses "==" (specific entity)
+ * Hybrid: combination of the above
+ */
+export declare function classifyPolicy(json: PolicyJson): PatternClassification;
+/** Cedar patterns summary — for use in sampling prompts. */
+export declare const CEDAR_PATTERNS_SUMMARY: string;
+//# sourceMappingURL=cedar-patterns.d.ts.map

package/dist/tools/advise/cedar-patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cedar-patterns.d.ts","sourceRoot":"","sources":["../../../src/tools/advise/cedar-patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAElE,MAAM,MAAM,YAAY,GAAG,YAAY,GAAG,cAAc,GAAG,eAAe,GAAG,QAAQ,GAAG,SAAS,CAAC;AAElG,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,YAAY,CAAC;IACtB,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,qBAAqB,CAgCtE;AAED,4DAA4D;AAC5D,eAAO,MAAM,sBAAsB,QAa3B,CAAC"}

package/dist/tools/advise/cedar-patterns.js

@@ -0,0 +1,57 @@
+/**
+ * Cedar design pattern definitions and classifier.
+ * Patterns proven from official docs 2026-05-20:
+ * https://docs.cedarpolicy.com/overview/patterns.html
+ */
+/**
+ * Classify a single policy's primary Cedar pattern from its policyToJson AST.
+ *
+ * Membership (RBAC):  principal in Role::"X"  — scope uses "in" with a non-resource entity
+ * Relationship (ReBAC): principal in resource.attr — condition body has "in" with resource attribute
+ * Discretionary: principal == Service::"specific"  — scope uses "==" (specific entity)
+ * Hybrid: combination of the above
+ */
+export function classifyPolicy(json) {
+    const principalOp = json.principal.op;
+    const conditionsText = JSON.stringify(json.conditions);
+    // Relationship: condition body contains "principal in resource" — ReBAC
+    const hasReBAC = conditionsText.includes('"in"') &&
+        conditionsText.includes('"Var":"principal"') &&
+        conditionsText.includes('"Var":"resource"');
+    // Membership: principal scope is "in" (role/group membership, not via condition)
+    const isMembership = principalOp === "in" && !hasReBAC;
+    // Discretionary: principal scope is "==" (specific entity)
+    const isDiscretionary = principalOp === "==";
+    if (hasReBAC && isMembership) {
+        return { pattern: "hybrid", confidence: "medium", evidence: "principal scope uses 'in' (Membership) and conditions use principal-in-resource pattern (Relationship)" };
+    }
+    if (hasReBAC) {
+        return { pattern: "relationship", confidence: "high", evidence: "condition body contains principal-in-resource relationship check" };
+    }
+    if (isMembership) {
+        return { pattern: "membership", confidence: "high", evidence: `principal scope uses 'in' — group/role membership (RBAC)` };
+    }
+    if (isDiscretionary) {
+        return { pattern: "discretionary", confidence: "high", evidence: `principal scope uses '==' — specific entity grant (Discretionary)` };
+    }
+    if (principalOp === "All") {
+        return { pattern: "unknown", confidence: "low", evidence: "principal is unconstrained in scope — pattern determined entirely by conditions" };
+    }
+    return { pattern: "unknown", confidence: "low", evidence: `principal op '${principalOp}' not recognized` };
+}
+/** Cedar patterns summary — for use in sampling prompts. */
+export const CEDAR_PATTERNS_SUMMARY = `
+Cedar supports three primary design patterns (official docs):
+
+1. MEMBERSHIP (RBAC): principal in Role::"group" — permissions follow group membership.
+   Example: permit(principal in Role::"editor", action in [...], resource);
+
+2. RELATIONSHIP (ReBAC): principal in resource.owners — permissions follow resource relationships.
+   Example: permit(principal is User, action in [...], resource is Doc) when { principal in resource.owners };
+
+3. DISCRETIONARY: principal == Service::"specific" — ad-hoc per-entity grants.
+   Example: permit(principal == Service::"Service-123", action == Action::"call", resource == Service::"Target");
+
+All three can coexist in a policy store. Individual policies should follow one pattern.
+`.trim();
+//# sourceMappingURL=cedar-patterns.js.map

package/dist/tools/advise/cedar-patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cedar-patterns.js","sourceRoot":"","sources":["../../../src/tools/advise/cedar-patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAYH;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAAC,IAAgB;IAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;IACtC,MAAM,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAEvD,wEAAwE;IACxE,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC9C,cAAc,CAAC,QAAQ,CAAC,mBAAmB,CAAC;QAC5C,cAAc,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;IAE9C,iFAAiF;IACjF,MAAM,YAAY,GAAG,WAAW,KAAK,IAAI,IAAI,CAAC,QAAQ,CAAC;IAEvD,2DAA2D;IAC3D,MAAM,eAAe,GAAG,WAAW,KAAK,IAAI,CAAC;IAE7C,IAAI,QAAQ,IAAI,YAAY,EAAE,CAAC;QAC7B,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,wGAAwG,EAAE,CAAC;IACzK,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,kEAAkE,EAAE,CAAC;IACvI,CAAC;IACD,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,0DAA0D,EAAE,CAAC;IAC7H,CAAC;IACD,IAAI,eAAe,EAAE,CAAC;QACpB,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,mEAAmE,EAAE,CAAC;IACzI,CAAC;IACD,IAAI,WAAW,KAAK,KAAK,EAAE,CAAC;QAC1B,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ,EAAE,iFAAiF,EAAE,CAAC;IAChJ,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ,EAAE,iBAAiB,WAAW,kBAAkB,EAAE,CAAC;AAC7G,CAAC;AAED,4DAA4D;AAC5D,MAAM,CAAC,MAAM,sBAAsB,GAAG;;;;;;;;;;;;;CAarC,CAAC,IAAI,EAAE,CAAC"}

package/dist/tools/advise/context-builder.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Builds deterministic context from a policy store for cedar_advise sampling prompts.
+ * No LLM cost — pure AST walking and schema parsing.
+ */
+import { StoreManager } from "../../resources/store-manager.js";
+export interface PolicyInventoryEntry {
+    policy_id: string;
+    pattern: string;
+    pattern_confidence: string;
+    summary: string;
+    policy_text: string;
+}
+export interface StoreContext {
+    store_name: string;
+    schema_text: string;
+    policy_inventory: PolicyInventoryEntry[];
+    policy_count: number;
+}
+/**
+ * Build structured context from a named policy store.
+ * Returns null if the store doesn't exist or has no content.
+ */
+export declare function buildStoreContext(storeName: string, manager?: StoreManager): StoreContext | null;
+/** Resolve a store_ref to a store name. Accepts "mystore", "cedar://policies/mystore", etc. */
+export declare function resolveStoreRef(storeRef: string): string;
+/** Format store context as a prompt section. */
+export declare function formatContextForPrompt(ctx: StoreContext): string;
+//# sourceMappingURL=context-builder.d.ts.map

package/dist/tools/advise/context-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context-builder.d.ts","sourceRoot":"","sources":["../../../src/tools/advise/context-builder.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAgB,YAAY,EAAE,MAAM,kCAAkC,CAAC;AAG9E,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,oBAAoB,EAAE,CAAC;IACzC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,GAAE,YAA2B,GAAG,YAAY,GAAG,IAAI,CAgD9G;AAED,+FAA+F;AAC/F,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAMxD;AAMD,gDAAgD;AAChD,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,YAAY,GAAG,MAAM,CAgBhE"}

package/dist/tools/advise/context-builder.js

@@ -0,0 +1,89 @@
+/**
+ * Builds deterministic context from a policy store for cedar_advise sampling prompts.
+ * No LLM cost — pure AST walking and schema parsing.
+ */
+import { policyToJson } from "@cedar-policy/cedar-wasm/nodejs";
+import { storeManager } from "../../resources/store-manager.js";
+import { classifyPolicy } from "./cedar-patterns.js";
+/**
+ * Build structured context from a named policy store.
+ * Returns null if the store doesn't exist or has no content.
+ */
+export function buildStoreContext(storeName, manager = storeManager) {
+    try {
+        const schema = manager.readSchema(storeName);
+        const inventory = [];
+        const policyIds = manager.listPolicies(storeName);
+        for (const id of policyIds) {
+            const content = manager.readPolicy(storeName, id);
+            try {
+                const parseResult = policyToJson(content.trim());
+                if (parseResult.type === "success") {
+                    const classification = classifyPolicy(parseResult.json);
+                    inventory.push({
+                        policy_id: id,
+                        pattern: classification.pattern,
+                        pattern_confidence: classification.confidence,
+                        summary: buildPolicySummary(id, parseResult.json.effect, classification.evidence),
+                        policy_text: content.trim(),
+                    });
+                }
+                else {
+                    inventory.push({
+                        policy_id: id,
+                        pattern: "unknown",
+                        pattern_confidence: "low",
+                        summary: `${id}: parse failed — ${parseResult.errors[0]?.message ?? "unknown error"}`,
+                        policy_text: content.trim(),
+                    });
+                }
+            }
+            catch {
+                inventory.push({
+                    policy_id: id,
+                    pattern: "unknown",
+                    pattern_confidence: "low",
+                    summary: `${id}: could not analyze`,
+                    policy_text: content.trim(),
+                });
+            }
+        }
+        return {
+            store_name: storeName,
+            schema_text: schema,
+            policy_inventory: inventory,
+            policy_count: policyIds.length,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/** Resolve a store_ref to a store name. Accepts "mystore", "cedar://policies/mystore", etc. */
+export function resolveStoreRef(storeRef) {
+    if (storeRef.startsWith("cedar://")) {
+        const match = storeRef.match(/cedar:\/\/(?:policies|schema)\/([^/]+)/);
+        return match?.[1] ?? storeRef;
+    }
+    return storeRef;
+}
+function buildPolicySummary(id, effect, evidence) {
+    return `${id} (${effect}, ${evidence})`;
+}
+/** Format store context as a prompt section. */
+export function formatContextForPrompt(ctx) {
+    const lines = [
+        `Store: "${ctx.store_name}" (${ctx.policy_count} policies)`,
+        "",
+        "Schema:",
+        ctx.schema_text,
+        "",
+        "Existing policies:",
+    ];
+    for (const p of ctx.policy_inventory) {
+        lines.push(`  - ${p.policy_id}: pattern=${p.pattern} (${p.pattern_confidence} confidence) — ${p.summary}`);
+        lines.push(`    text: ${p.policy_text}`);
+    }
+    return lines.join("\n");
+}
+//# sourceMappingURL=context-builder.js.map

package/dist/tools/advise/context-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context-builder.js","sourceRoot":"","sources":["../../../src/tools/advise/context-builder.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAwB,MAAM,iCAAiC,CAAC;AACrF,OAAO,EAAE,YAAY,EAAgB,MAAM,kCAAkC,CAAC;AAC9E,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAiBrD;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,SAAiB,EAAE,UAAwB,YAAY;IACvF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAC7C,MAAM,SAAS,GAA2B,EAAE,CAAC;QAC7C,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;QAElD,KAAK,MAAM,EAAE,IAAI,SAAS,EAAE,CAAC;YAC3B,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAClD,IAAI,CAAC;gBACH,MAAM,WAAW,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;gBACjD,IAAI,WAAW,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;oBACnC,MAAM,cAAc,GAAG,cAAc,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;oBACxD,SAAS,CAAC,IAAI,CAAC;wBACb,SAAS,EAAE,EAAE;wBACb,OAAO,EAAE,cAAc,CAAC,OAAO;wBAC/B,kBAAkB,EAAE,cAAc,CAAC,UAAU;wBAC7C,OAAO,EAAE,kBAAkB,CAAC,EAAE,EAAE,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,cAAc,CAAC,QAAQ,CAAC;wBACjF,WAAW,EAAE,OAAO,CAAC,IAAI,EAAE;qBAC5B,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,SAAS,CAAC,IAAI,CAAC;wBACb,SAAS,EAAE,EAAE;wBACb,OAAO,EAAE,SAAS;wBAClB,kBAAkB,EAAE,KAAK;wBACzB,OAAO,EAAE,GAAG,EAAE,oBAAoB,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,eAAe,EAAE;wBACrF,WAAW,EAAE,OAAO,CAAC,IAAI,EAAE;qBAC5B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,CAAC,IAAI,CAAC;oBACb,SAAS,EAAE,EAAE;oBACb,OAAO,EAAE,SAAS;oBAClB,kBAAkB,EAAE,KAAK;oBACzB,OAAO,EAAE,GAAG,EAAE,qBAAqB;oBACnC,WAAW,EAAE,OAAO,CAAC,IAAI,EAAE;iBAC5B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,UAAU,EAAE,SAAS;YACrB,WAAW,EAAE,MAAM;YACnB,gBAAgB,EAAE,SAAS;YAC3B,YAAY,EAAE,SAAS,CAAC,MAAM;SAC/B,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,+FAA+F;AAC/F,MAAM,UAAU,eAAe,CAAC,QAAgB;IAC9C,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;QACvE,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC;IAChC,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,kBAAkB,CAAC,EAAU,EAAE,MAAc,EAAE,QAAgB;IACtE,OAAO,GAAG,EAAE,KAAK,MAAM,KAAK,QAAQ,GAAG,CAAC;AAC1C,CAAC;AAED,gDAAgD;AAChD,MAAM,UAAU,sBAAsB,CAAC,GAAiB;IACtD,MAAM,KAAK,GAAa;QACtB,WAAW,GAAG,CAAC,UAAU,MAAM,GAAG,CAAC,YAAY,YAAY;QAC3D,EAAE;QACF,SAAS;QACT,GAAG,CAAC,WAAW;QACf,EAAE;QACF,oBAAoB;KACrB,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,gBAAgB,EAAE,CAAC;QACrC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,SAAS,aAAa,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,kBAAkB,kBAAkB,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3G,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/tools/advise/gotchas.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Cedar / AVP gotcha catalog.
+ * Drawn from 03-cedar-developer-guide.md and the AVP validation error categories.
+ */
+export interface Gotcha {
+    id: string;
+    severity: "high" | "medium" | "info";
+    description: string;
+    avp_error_category?: string;
+    keywords: string[];
+}
+export declare const GOTCHA_CATALOG: Gotcha[];
+/** Select relevant gotchas by matching intent keywords. */
+export declare function selectGotchas(intent: string, maxCount?: number): Gotcha[];
+//# sourceMappingURL=gotchas.d.ts.map

package/dist/tools/advise/gotchas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gotchas.d.ts","sourceRoot":"","sources":["../../../src/tools/advise/gotchas.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,MAAM;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC;IACrC,WAAW,EAAE,MAAM,CAAC;IACpB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,eAAO,MAAM,cAAc,EAAE,MAAM,EAgElC,CAAC;AAEF,2DAA2D;AAC3D,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,SAAI,GAAG,MAAM,EAAE,CAWpE"}

package/dist/tools/advise/gotchas.js

@@ -0,0 +1,83 @@
+/**
+ * Cedar / AVP gotcha catalog.
+ * Drawn from 03-cedar-developer-guide.md and the AVP validation error categories.
+ */
+export const GOTCHA_CATALOG = [
+    {
+        id: "optional_attribute_guard",
+        severity: "high",
+        description: "Optional schema attributes MUST be guarded with `entity has attr` before access. Without the guard, Cedar silently skips the policy for any entity missing the attribute — no error, just no match. This is one of the most common silent bugs in Cedar.",
+        avp_error_category: "UnsafeOptionalAttributeAccess",
+        keywords: ["optional", "has", "attribute", "guard", "email", "verified", "nullable"],
+    },
+    {
+        id: "forbid_overrides_permit",
+        severity: "high",
+        description: "A single matching `forbid` policy overrides ALL matching `permit` policies. There is no priority or weight system. Use `unless` to create exemptions inside the forbid itself.",
+        keywords: ["forbid", "block", "deny", "sensitive", "secret", "top_secret", "restrict"],
+    },
+    {
+        id: "avp_in_place_limitation",
+        severity: "high",
+        description: "AVP UpdatePolicy cannot change: effect (permit↔forbid), principal scope, or resource scope. These require deleting the old policy and creating a new one. Plan your deployment accordingly.",
+        avp_error_category: "ResourceNotFoundException",
+        keywords: ["change", "update", "modify", "rename", "role", "principal", "resource", "effect"],
+    },
+    {
+        id: "like_wildcard_crosses_slash",
+        severity: "medium",
+        description: "Cedar's `like` wildcard `*` matches ANY character sequence including `/`. To limit path depth, combine a positive `like` with a negated `like` for deeper patterns. Example: `resource.path like '/api/v1/*' && !(resource.path like '/api/v1/*/*')`.",
+        keywords: ["path", "like", "url", "endpoint", "api", "depth", "wildcard", "route"],
+    },
+    {
+        id: "array_containment_syntax",
+        severity: "medium",
+        description: "Cedar array containment is left-first: `[\"a\", \"b\"].contains(attr)` — the ARRAY is on the left. Writing `attr in [\"a\", \"b\"]` is an entity-hierarchy check, not a value containment check.",
+        keywords: ["contains", "list", "array", "set", "allowlist", "in"],
+    },
+    {
+        id: "schema_first_then_policy",
+        severity: "medium",
+        description: "Schema changes must be deployed BEFORE policies that reference new attributes or types. AVP validates policies against the current schema at creation/update time. Deploying a policy before its schema change causes UnrecognizedEntityType or MissingAttribute errors.",
+        avp_error_category: "MissingAttribute",
+        keywords: ["schema", "attribute", "entity", "add", "new", "field"],
+    },
+    {
+        id: "default_deny",
+        severity: "info",
+        description: "Cedar is default-deny. A request is denied unless at least one `permit` policy explicitly matches AND no `forbid` policy matches. There is no 'allow by default' mode.",
+        keywords: ["deny", "block", "default", "access"],
+    },
+    {
+        id: "rebac_migration_data",
+        severity: "medium",
+        description: "Migrating from RBAC to ReBAC (relationship-based) requires populating relationship attributes on existing resources BEFORE deploying the new policy. Without the data, the policy will deny all access for resources without the relationship attribute.",
+        keywords: ["owner", "owners", "relationship", "rebac", "migrate", "per-document", "per-resource"],
+    },
+    {
+        id: "avp_single_namespace",
+        severity: "info",
+        description: "AVP policy stores support only one namespace per schema. If your Cedar policies use multiple namespaces locally, they cannot be deployed to a single AVP policy store.",
+        keywords: ["namespace", "avp", "deploy"],
+    },
+    {
+        id: "action_groups_not_automatic",
+        severity: "medium",
+        description: "Action group entities must be included in the entity list when evaluating locally. AVP adds them automatically, but local evaluation via WASM (and this tool) does not. Pass action group entities explicitly in your entity list.",
+        keywords: ["action", "group", "batch", "evaluate", "test"],
+    },
+];
+/** Select relevant gotchas by matching intent keywords. */
+export function selectGotchas(intent, maxCount = 5) {
+    const lower = intent.toLowerCase();
+    const scored = GOTCHA_CATALOG.map(g => ({
+        gotcha: g,
+        score: g.keywords.filter(kw => lower.includes(kw)).length,
+    }));
+    return scored
+        .filter(s => s.score > 0)
+        .sort((a, b) => b.score - a.score || (a.gotcha.severity === "high" ? -1 : 1))
+        .slice(0, maxCount)
+        .map(s => s.gotcha);
+}
+//# sourceMappingURL=gotchas.js.map

package/dist/tools/advise/gotchas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gotchas.js","sourceRoot":"","sources":["../../../src/tools/advise/gotchas.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAUH,MAAM,CAAC,MAAM,cAAc,GAAa;IACtC;QACE,EAAE,EAAE,0BAA0B;QAC9B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0PAA0P;QACvQ,kBAAkB,EAAE,+BAA+B;QACnD,QAAQ,EAAE,CAAC,UAAU,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,CAAC;KACrF;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,gLAAgL;QAC7L,QAAQ,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,CAAC;KACvF;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6LAA6L;QAC1M,kBAAkB,EAAE,2BAA2B;QAC/C,QAAQ,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,CAAC;KAC9F;IACD;QACE,EAAE,EAAE,6BAA6B;QACjC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,uPAAuP;QACpQ,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC;KACnF;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,kMAAkM;QAC/M,QAAQ,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,CAAC;KAClE;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,0QAA0Q;QACvR,kBAAkB,EAAE,kBAAkB;QACtC,QAAQ,EAAE,CAAC,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC;KACnE;IACD;QACE,EAAE,EAAE,cAAc;QAClB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wKAAwK;QACrL,QAAQ,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;KACjD;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,0PAA0P;QACvQ,QAAQ,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,cAAc,CAAC;KAClG;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wKAAwK;QACrL,QAAQ,EAAE,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,CAAC;KACzC;IACD;QACE,EAAE,EAAE,6BAA6B;QACjC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,oOAAoO;QACjP,QAAQ,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC;KAC3D;CACF,CAAC;AAEF,2DAA2D;AAC3D,MAAM,UAAU,aAAa,CAAC,MAAc,EAAE,QAAQ,GAAG,CAAC;IACxD,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IACnC,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,EAAE,CAAC;QACT,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM;KAC1D,CAAC,CAAC,CAAC;IACJ,OAAO,MAAM;SACV,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC;SACxB,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SAC5E,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC;SAClB,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;AACxB,CAAC"}

package/dist/tools/advise.d.ts

@@ -0,0 +1,96 @@
+/**
+ * cedar_advise — Cedar policy change planning context preparator.
+ *
+ * This tool returns deterministic, structured context for the calling LLM to
+ * produce a Cedar policy change plan natively. No MCP sampling, no client LLM
+ * round-trip. The bundle encodes Cedar/AVP knowledge that does not live in the
+ * policy files themselves (pattern classification, AVP UpdatePolicy mutability
+ * rules, intent-selected gotchas, sequencing rules) and is what makes the
+ * server load-bearing rather than substitutable by Read.
+ *
+ * Design v2, 2026-05-21: pivoted from sampling-based planner. See
+ * projects/cedar-mcp-server/02-technical-design.md "design v2".
+ */
+import type { PolicyInventoryEntry } from "./advise/context-builder.js";
+import { StoreManager } from "../resources/store-manager.js";
+export interface AdviseInput {
+    intent: string;
+    store_ref?: string;
+}
+export interface AdviseGotcha {
+    id: string;
+    severity: "high" | "medium" | "info";
+    description: string;
+    avp_error_category?: string;
+}
+export interface SchemaSummary {
+    valid: boolean;
+    format: "json" | "cedarschema";
+    namespaces: string[];
+    entity_type_count: number;
+    action_count: number;
+    raw_text: string;
+    errors?: string[];
+}
+export interface PatternDetected {
+    pattern: string;
+    count: number;
+}
+export interface CedarPatternDescription {
+    name: string;
+    description: string;
+    example: string;
+}
+export interface AvpUpdatePolicyRules {
+    summary: string;
+    in_place_via_update_policy: string[];
+    requires_delete_recreate: string[];
+    new_via_create_policy: string[];
+    notes: string[];
+}
+export interface AdviseContextBundle {
+    tool: "cedar_advise";
+    bundle_version: "v2";
+    intent: string;
+    store_name?: string;
+    store_status: "loaded" | "not_provided" | "not_found" | "ambiguous";
+    /**
+     * Names of every currently loaded store, populated when the resolver could
+     * not commit to a single store: `not_found` (caller named an unknown store)
+     * and `ambiguous` (no `store_ref` passed but multiple stores are loaded).
+     * Lets the calling LLM recover by retrying with an explicit `store_ref`
+     * without making another tool call just to learn the candidate names.
+     */
+    available_stores?: string[];
+    /**
+     * Populated when the resolver inferred the store rather than honoring an
+     * explicit `store_ref`. Currently the only resolution path is
+     * `single_loaded_store` (no `store_ref`, exactly one store loaded).
+     */
+    auto_discovered?: {
+        store_from: "single_loaded_store";
+    };
+    schema_summary?: SchemaSummary;
+    policy_inventory: PolicyInventoryEntry[];
+    patterns_detected_in_store: PatternDetected[];
+    applicable_gotchas: AdviseGotcha[];
+    avp_update_policy_rules: AvpUpdatePolicyRules;
+    avp_validation_error_catalog: {
+        id: string;
+        description: string;
+    }[];
+    cedar_patterns_reference: {
+        summary: string;
+        patterns: CedarPatternDescription[];
+    };
+    sequencing_guidance: string[];
+    next_steps_for_llm: string;
+}
+/**
+ * Build the cedar_advise context bundle.
+ *
+ * Pure function — no sampler, no LLM round-trip. The calling MCP client's
+ * conversation LLM is expected to interpret this bundle and produce the plan.
+ */
+export declare function handleAdvise(input: AdviseInput, manager?: StoreManager): AdviseContextBundle;
+//# sourceMappingURL=advise.d.ts.map

package/dist/tools/advise.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"advise.d.ts","sourceRoot":"","sources":["../../src/tools/advise.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAIxE,OAAO,EAAgB,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAE3E,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC;IACrC,WAAW,EAAE,MAAM,CAAC;IACpB,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,GAAG,aAAa,CAAC;IAC/B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,0BAA0B,EAAE,MAAM,EAAE,CAAC;IACrC,wBAAwB,EAAE,MAAM,EAAE,CAAC;IACnC,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,cAAc,CAAC;IACrB,cAAc,EAAE,IAAI,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,QAAQ,GAAG,cAAc,GAAG,WAAW,GAAG,WAAW,CAAC;IACpE;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B;;;;OAIG;IACH,eAAe,CAAC,EAAE;QAAE,UAAU,EAAE,qBAAqB,CAAA;KAAE,CAAC;IACxD,cAAc,CAAC,EAAE,aAAa,CAAC;IAC/B,gBAAgB,EAAE,oBAAoB,EAAE,CAAC;IACzC,0BAA0B,EAAE,eAAe,EAAE,CAAC;IAC9C,kBAAkB,EAAE,YAAY,EAAE,CAAC;IACnC,uBAAuB,EAAE,oBAAoB,CAAC;IAC9C,4BAA4B,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IACpE,wBAAwB,EAAE;QACxB,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,uBAAuB,EAAE,CAAC;KACrC,CAAC;IACF,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAiED;;;;;GAKG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,WAAW,EAClB,OAAO,GAAE,YAA2B,GACnC,mBAAmB,CA0BrB"}