claude-flow-novice 2.15.3 → 2.15.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (461) hide show
  1. package/.claude/cfn-extras/skills/advanced-features/cfn-agent-swap/recommend-swap.sh +59 -59
  2. package/.claude/cfn-extras/skills/analytics/cfn-improvement-recommender/recommend-improvements.sh +91 -91
  3. package/.claude/cfn-extras/skills/analytics/cfn-pattern-extraction/extract-patterns.sh +79 -79
  4. package/.claude/cfn-extras/skills/analytics/cfn-retrospective-report/generate-report.sh +100 -100
  5. package/.claude/cfn-extras/skills/analytics/cfn-telemetry/start-telemetry.sh +110 -110
  6. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/add-bullet.sh +145 -145
  7. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/log-merge.sh +67 -67
  8. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/monitor-injection-performance.sh +137 -137
  9. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/optimize-injection-pipeline.sh +168 -168
  10. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/query-reflections.sh +35 -35
  11. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/store-reflection.sh +45 -45
  12. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/track-ab-test.sh +41 -41
  13. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/update-reflection.sh +41 -41
  14. package/.claude/cfn-extras/skills/deprecated/cfn-cli-setup/validate-cli-environment.sh +191 -191
  15. package/.claude/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/create-campaign.sh +231 -231
  16. package/.claude/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/get-campaign-performance.sh +190 -190
  17. package/.claude/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/pause-campaign.sh +142 -142
  18. package/.claude/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/set-budget.sh +181 -181
  19. package/.claude/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/update-bid-strategy.sh +133 -133
  20. package/.claude/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/get-conversation-history.sh +121 -121
  21. package/.claude/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/qualify-lead.sh +156 -156
  22. package/.claude/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/schedule-demo.sh +181 -181
  23. package/.claude/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/send-message.sh +137 -137
  24. package/.claude/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/transfer-to-human.sh +179 -179
  25. package/.claude/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/create-campaign.sh +183 -183
  26. package/.claude/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/get-delivery-status.sh +139 -139
  27. package/.claude/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/opt-out.sh +150 -150
  28. package/.claude/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/schedule-campaign.sh +187 -187
  29. package/.claude/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/send-sms.sh +181 -181
  30. package/.claude/cfn-extras/skills/ui-portal/cfn-web-portal/test-web-portal-skill.sh +50 -50
  31. package/.claude/cfn-extras/skills/ui-portal/cfn-web-portal/validate-deployment.sh +84 -84
  32. package/.claude/cfn-extras/skills/utility/cfn-environment-sanitization/sanitize-environment.sh +243 -243
  33. package/.claude/commands/cfn-loop-cli.md +16 -2
  34. package/.claude/commands/switch-api.md +31 -10
  35. package/.claude/hooks/cfn-lint-sql-injection.sh +61 -0
  36. package/.claude/hooks/cfn-post-edit-cfn-retrospective.sh +33 -2
  37. package/.claude/hooks/cfn-pre-edit-security-warning.sh +40 -0
  38. package/.claude/skills/cfn-agent-spawning/spawn-agent.sh +22 -24
  39. package/.claude/skills/cfn-docker-agent-spawning/SKILL.md +28 -4
  40. package/.claude/skills/cfn-docker-agent-spawning/spawn-agent.sh +3 -1
  41. package/.claude/skills/cfn-docker-loop-orchestration/orchestrate.sh +224 -20
  42. package/.claude/skills/cfn-loop-orchestration/helpers/gate-check.sh +550 -46
  43. package/.claude/skills/cfn-loop-orchestration/helpers/parse-test-results.sh +277 -0
  44. package/.claude/skills/cfn-loop-orchestration/orchestrate.sh +184 -23
  45. package/.claude/skills/cfn-loop-orchestration/security_utils.sh +24 -0
  46. package/.claude/skills/cfn-loop-orchestration/test-iteration-context-injection.sh +366 -0
  47. package/.claude/skills/cfn-redis-coordination/CENTRALIZED_REDIS_WRAPPER.md +319 -0
  48. package/.claude/skills/cfn-redis-coordination/agent-log.sh +4 -0
  49. package/.claude/skills/cfn-redis-coordination/agent-log.sh.bak +124 -0
  50. package/.claude/skills/cfn-redis-coordination/agent-recovery.sh +2 -2
  51. package/.claude/skills/cfn-redis-coordination/collect-confidence-scores.sh +30 -0
  52. package/.claude/skills/cfn-redis-coordination/get-context.sh +33 -0
  53. package/.claude/skills/cfn-redis-coordination/get-success-criteria.sh +54 -0
  54. package/.claude/skills/cfn-redis-coordination/invoke-waiting-mode.sh +3 -0
  55. package/.claude/skills/cfn-redis-coordination/redis-cli-wrapper.sh +24 -3
  56. package/.claude/skills/cfn-redis-coordination/redis-functions.sh +33 -0
  57. package/.claude/skills/cfn-redis-coordination/report-completion.sh +24 -31
  58. package/.claude/skills/cfn-redis-coordination/store-context.sh +4 -0
  59. package/.claude/skills/cfn-redis-coordination/store-success-criteria.sh +85 -0
  60. package/.claude/skills/cfn-redis-coordination/update-all-scripts.sh +67 -0
  61. package/.claude/skills/cfn-sqlite-memory/ttl-cleanup.sh +17 -25
  62. package/.claude/skills/cfn-transparency-middleware/test-e2e.sh +15 -0
  63. package/.claude/skills/cfn-transparency-middleware/tests/input-validation.sh +15 -0
  64. package/README.md +116 -475
  65. package/claude-assets/agents/cfn-dev-team/README.md +103 -0
  66. package/claude-assets/agents/cfn-dev-team/architecture/goal-planner.md +1 -1
  67. package/claude-assets/agents/cfn-dev-team/coordinators/cfn-frontend-coordinator.md +77 -15
  68. package/claude-assets/agents/cfn-dev-team/coordinators/cfn-v3-coordinator.md +355 -6
  69. package/claude-assets/agents/cfn-dev-team/coordinators/consensus-builder.md +82 -1
  70. package/claude-assets/agents/cfn-dev-team/coordinators/handoff-coordinator.md +82 -1
  71. package/claude-assets/agents/cfn-dev-team/coordinators/multi-sprint-coordinator.md +77 -15
  72. package/claude-assets/agents/cfn-dev-team/dev-ops/docker-specialist.md +99 -12
  73. package/claude-assets/agents/cfn-dev-team/dev-ops/github-commit-agent.md +1 -1
  74. package/claude-assets/agents/cfn-dev-team/dev-ops/kubernetes-specialist.md +97 -0
  75. package/claude-assets/agents/cfn-dev-team/dev-ops/monitoring-specialist.md +20 -1
  76. package/claude-assets/agents/cfn-dev-team/developers/api-gateway-specialist.md +97 -0
  77. package/claude-assets/agents/cfn-dev-team/developers/backend-developer.md +110 -13
  78. package/claude-assets/agents/cfn-dev-team/developers/data/data-engineer.md +106 -15
  79. package/claude-assets/agents/cfn-dev-team/developers/database/database-architect.md +115 -11
  80. package/claude-assets/agents/cfn-dev-team/developers/frontend/mobile-dev.md +94 -7
  81. package/claude-assets/agents/cfn-dev-team/developers/frontend/react-frontend-engineer.md +87 -9
  82. package/claude-assets/agents/cfn-dev-team/developers/frontend/typescript-specialist.md +85 -7
  83. package/claude-assets/agents/cfn-dev-team/developers/frontend/ui-designer.md +160 -28
  84. package/claude-assets/agents/cfn-dev-team/developers/graphql-specialist.md +101 -19
  85. package/claude-assets/agents/cfn-dev-team/developers/rust-developer.md +108 -14
  86. package/claude-assets/agents/cfn-dev-team/reviewers/{reviewer.md → code-reviewer.md} +95 -8
  87. package/claude-assets/agents/cfn-dev-team/reviewers/quality/code-quality-validator.md +107 -7
  88. package/claude-assets/agents/cfn-dev-team/reviewers/quality/perf-analyzer.md +98 -7
  89. package/claude-assets/agents/cfn-dev-team/reviewers/quality/performance-benchmarker.md +95 -7
  90. package/claude-assets/agents/cfn-dev-team/reviewers/quality/security-specialist.md +136 -9
  91. package/claude-assets/agents/cfn-dev-team/testers/api-testing-specialist.md +108 -1
  92. package/claude-assets/agents/cfn-dev-team/testers/chaos-engineering-specialist.md +107 -13
  93. package/claude-assets/agents/cfn-dev-team/testers/contract-tester.md +737 -0
  94. package/claude-assets/agents/cfn-dev-team/testers/e2e/playwright-tester.md +1 -1
  95. package/claude-assets/agents/cfn-dev-team/testers/integration-tester.md +828 -0
  96. package/claude-assets/agents/cfn-dev-team/testers/interaction-tester.md +106 -7
  97. package/claude-assets/agents/cfn-dev-team/testers/load-testing-specialist.md +77 -0
  98. package/claude-assets/agents/cfn-dev-team/testers/mutation-testing-specialist.md +684 -0
  99. package/claude-assets/agents/cfn-dev-team/testers/playwright-tester.md +110 -1
  100. package/claude-assets/agents/cfn-dev-team/testers/tester.md +94 -7
  101. package/claude-assets/agents/cfn-dev-team/utility/code-booster.md +1 -3
  102. package/claude-assets/agents/cfn-dev-team/utility/epic-creator.md +87 -13
  103. package/claude-assets/agents/cfn-dev-team/utility/memory-leak-specialist.md +103 -7
  104. package/claude-assets/agents/cfn-dev-team/utility/researcher.md +1 -3
  105. package/claude-assets/agents/cfn-dev-team/utility/z-ai-specialist.md +94 -7
  106. package/claude-assets/agents/docker-coordinators/cfn-docker-v3-coordinator.md +46 -0
  107. package/claude-assets/agents/project-only-agents/npm-package-specialist.md +1 -1
  108. package/claude-assets/cfn-extras/skills/advanced-features/cfn-agent-swap/recommend-swap.sh +59 -59
  109. package/claude-assets/cfn-extras/skills/analytics/cfn-improvement-recommender/recommend-improvements.sh +91 -91
  110. package/claude-assets/cfn-extras/skills/analytics/cfn-pattern-extraction/extract-patterns.sh +79 -79
  111. package/claude-assets/cfn-extras/skills/analytics/cfn-retrospective-report/generate-report.sh +100 -100
  112. package/claude-assets/cfn-extras/skills/analytics/cfn-telemetry/start-telemetry.sh +110 -110
  113. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/add-bullet.sh +145 -145
  114. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/log-merge.sh +67 -67
  115. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/monitor-injection-performance.sh +137 -137
  116. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/optimize-injection-pipeline.sh +168 -168
  117. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/query-reflections.sh +35 -35
  118. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/store-reflection.sh +45 -45
  119. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/track-ab-test.sh +41 -41
  120. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/update-reflection.sh +41 -41
  121. package/claude-assets/cfn-extras/skills/deprecated/cfn-cli-setup/validate-cli-environment.sh +191 -191
  122. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/create-campaign.sh +231 -231
  123. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/get-campaign-performance.sh +190 -190
  124. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/pause-campaign.sh +142 -142
  125. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/set-budget.sh +181 -181
  126. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/update-bid-strategy.sh +133 -133
  127. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/get-conversation-history.sh +121 -121
  128. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/qualify-lead.sh +156 -156
  129. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/schedule-demo.sh +181 -181
  130. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/send-message.sh +137 -137
  131. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/transfer-to-human.sh +179 -179
  132. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/create-campaign.sh +183 -183
  133. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/get-delivery-status.sh +139 -139
  134. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/opt-out.sh +150 -150
  135. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/schedule-campaign.sh +187 -187
  136. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/send-sms.sh +181 -181
  137. package/claude-assets/cfn-extras/skills/ui-portal/cfn-web-portal/test-web-portal-skill.sh +50 -50
  138. package/claude-assets/cfn-extras/skills/ui-portal/cfn-web-portal/validate-deployment.sh +84 -84
  139. package/claude-assets/cfn-extras/skills/utility/cfn-environment-sanitization/sanitize-environment.sh +243 -243
  140. package/claude-assets/commands/cfn-loop-cli.md +16 -2
  141. package/claude-assets/commands/switch-api.md +31 -10
  142. package/claude-assets/hooks/cfn-lint-sql-injection.sh +61 -0
  143. package/claude-assets/hooks/cfn-post-edit-cfn-retrospective.sh +33 -2
  144. package/claude-assets/hooks/cfn-pre-edit-security-warning.sh +40 -0
  145. package/claude-assets/hooks/detect-hardcoded-credentials.sh +212 -0
  146. package/claude-assets/skills/SKILL_TEMPLATE.md +774 -0
  147. package/claude-assets/skills/agent-lifecycle/execute-lifecycle-hook.sh +84 -113
  148. package/claude-assets/skills/agent-lifecycle/simple-audit.sh +33 -6
  149. package/claude-assets/skills/agent-template-generator/SKILL.md +440 -0
  150. package/claude-assets/skills/agent-template-generator/generate-agent.sh +405 -0
  151. package/claude-assets/skills/agent-validation-linter/SKILL.md +589 -0
  152. package/claude-assets/skills/agent-validation-linter/lint-agents.sh +271 -0
  153. package/claude-assets/skills/bootstrap/bash-fundamentals.md +786 -0
  154. package/claude-assets/skills/bootstrap/database-connection.md +464 -0
  155. package/claude-assets/skills/bootstrap/error-handling.md +580 -0
  156. package/claude-assets/skills/bootstrap/file-operations.md +699 -0
  157. package/claude-assets/skills/bootstrap/skill-loader.md +616 -0
  158. package/claude-assets/skills/bootstrap/sqlite-params.sh +287 -0
  159. package/claude-assets/skills/cfn-agent-spawning/spawn-agent.sh +22 -24
  160. package/claude-assets/skills/cfn-automatic-memory-persistence/test-memory-persistence.sh +17 -16
  161. package/claude-assets/skills/cfn-deployment/SKILL.md +293 -0
  162. package/claude-assets/skills/cfn-deployment/execute.sh +21 -0
  163. package/claude-assets/skills/cfn-docker-agent-spawning/SKILL.md +28 -4
  164. package/claude-assets/skills/cfn-docker-agent-spawning/spawn-agent.sh +3 -1
  165. package/claude-assets/skills/cfn-docker-loop-orchestration/orchestrate.sh +224 -20
  166. package/claude-assets/skills/cfn-environment-sanitization/sanitize-environment.sh +38 -0
  167. package/claude-assets/skills/cfn-error-batching-strategy/lib/core-functions.sh +47 -47
  168. package/claude-assets/skills/cfn-file-operations/SKILL.md +290 -0
  169. package/claude-assets/skills/cfn-file-operations/execute.sh +129 -0
  170. package/claude-assets/skills/cfn-file-operations/lib/atomic-write.sh +294 -0
  171. package/claude-assets/skills/cfn-file-operations/lib/lock.sh +361 -0
  172. package/claude-assets/skills/cfn-file-operations/test.sh +369 -0
  173. package/claude-assets/skills/cfn-log-operations/SKILL.md +308 -0
  174. package/claude-assets/skills/cfn-log-operations/execute.sh +420 -0
  175. package/claude-assets/skills/cfn-log-operations/lib/rotate.sh +406 -0
  176. package/claude-assets/skills/cfn-log-operations/lib/search.sh +448 -0
  177. package/claude-assets/skills/cfn-log-operations/test.sh +394 -0
  178. package/claude-assets/skills/cfn-loop-orchestration/helpers/gate-check.sh +550 -46
  179. package/claude-assets/skills/cfn-loop-orchestration/helpers/parse-test-results.sh +277 -0
  180. package/claude-assets/skills/cfn-loop-orchestration/orchestrate.sh +184 -23
  181. package/claude-assets/skills/cfn-loop-orchestration/security_utils.sh +24 -0
  182. package/claude-assets/skills/cfn-loop-orchestration/test-iteration-context-injection.sh +366 -0
  183. package/claude-assets/skills/cfn-parameterized-queries/SKILL.md +339 -0
  184. package/claude-assets/skills/cfn-playbook/query-playbook.sh +19 -15
  185. package/claude-assets/skills/cfn-playbook/update-playbook.sh +25 -14
  186. package/claude-assets/skills/cfn-process-instrumentation/instrument-process.sh +44 -0
  187. package/claude-assets/skills/cfn-promotion/SKILL.md +305 -0
  188. package/claude-assets/skills/cfn-redis-coordination/CENTRALIZED_REDIS_WRAPPER.md +319 -0
  189. package/claude-assets/skills/cfn-redis-coordination/agent-log.sh +4 -0
  190. package/claude-assets/skills/cfn-redis-coordination/agent-log.sh.bak +124 -0
  191. package/claude-assets/skills/cfn-redis-coordination/agent-recovery.sh +2 -2
  192. package/claude-assets/skills/cfn-redis-coordination/collect-confidence-scores.sh +30 -0
  193. package/claude-assets/skills/cfn-redis-coordination/get-context.sh +33 -0
  194. package/claude-assets/skills/cfn-redis-coordination/get-success-criteria.sh +54 -0
  195. package/claude-assets/skills/cfn-redis-coordination/invoke-waiting-mode.sh +3 -0
  196. package/claude-assets/skills/cfn-redis-coordination/redis-cli-wrapper.sh +24 -3
  197. package/claude-assets/skills/cfn-redis-coordination/redis-functions.sh +33 -0
  198. package/claude-assets/skills/cfn-redis-coordination/report-completion.sh +24 -31
  199. package/claude-assets/skills/cfn-redis-coordination/store-context.sh +4 -0
  200. package/claude-assets/skills/cfn-redis-coordination/store-success-criteria.sh +85 -0
  201. package/claude-assets/skills/cfn-redis-coordination/update-all-scripts.sh +67 -0
  202. package/claude-assets/skills/cfn-skill-loader/SKILL.md +466 -0
  203. package/claude-assets/skills/cfn-skill-loader/execute.sh +344 -0
  204. package/claude-assets/skills/cfn-sqlite-memory/ttl-cleanup.sh +17 -25
  205. package/claude-assets/skills/cfn-task-audit/get-audit-data.sh +42 -21
  206. package/claude-assets/skills/cfn-task-audit/store-task-audit.sh +17 -10
  207. package/claude-assets/skills/cfn-test-runner/detect-regressions.sh +17 -14
  208. package/claude-assets/skills/cfn-test-runner/detect-regressions.sh.backup-1763392821 +55 -0
  209. package/claude-assets/skills/cfn-test-runner/store-benchmarks.sh +17 -19
  210. package/claude-assets/skills/cfn-transparency-middleware/test-e2e.sh +15 -0
  211. package/claude-assets/skills/cfn-transparency-middleware/tests/input-validation.sh +15 -0
  212. package/claude-assets/skills/cfn-utilities/SKILL.md +237 -0
  213. package/claude-assets/skills/cfn-utilities/execute.sh +32 -0
  214. package/claude-assets/skills/cfn-utilities/lib/errors.sh +56 -0
  215. package/claude-assets/skills/cfn-utilities/lib/file-ops.sh +164 -0
  216. package/claude-assets/skills/cfn-utilities/lib/logging.sh +77 -0
  217. package/claude-assets/skills/cfn-utilities/lib/retry.sh +127 -0
  218. package/claude-assets/skills/cfn-utilities/test.sh +317 -0
  219. package/claude-assets/skills/integration/agent-handoff.sh +62 -64
  220. package/claude-assets/skills/json-validation/SKILL.md +431 -0
  221. package/claude-assets/skills/json-validation/test-validate-success-criteria.sh +421 -0
  222. package/claude-assets/skills/json-validation/validate-success-criteria.sh +197 -0
  223. package/claude-assets/skills/redis-coordination/validate-parameters.sh +34 -0
  224. package/claude-assets/skills/workflow-codification/DEPLOY_QUICK_REFERENCE.md +106 -0
  225. package/claude-assets/skills/workflow-codification/PROPAGATE_UPDATE_QUICK_REFERENCE.md +366 -0
  226. package/claude-assets/skills/workflow-codification/deploy-approved-skill.sh +481 -0
  227. package/claude-assets/skills/workflow-codification/deploy-approved-skill.sh.backup-1763392820 +512 -0
  228. package/claude-assets/skills/workflow-codification/lib/security-utils.sh +204 -0
  229. package/claude-assets/skills/workflow-codification/propagate-skill-update.sh +648 -0
  230. package/claude-assets/skills/workflow-codification/propagate-skill-update.sh.backup-1763392820 +664 -0
  231. package/claude-assets/skills/workflow-codification/test-integration.sh +15 -0
  232. package/claude-assets/skills/workflow-codification/test-metadata-update.sh +350 -0
  233. package/claude-assets/skills/workflow-codification/track-cost-savings.sh +55 -14
  234. package/claude-assets/skills/workflow-codification/track-cost-savings.sh.backup-1763392821 +445 -0
  235. package/claude-assets/skills/workflow-codification/track-edge-case.sh +27 -60
  236. package/claude-assets/skills/workflow-codification/workflow-codification.db +0 -0
  237. package/dist/ace/ace-curator.js +10 -2
  238. package/dist/ace/ace-curator.js.map +1 -1
  239. package/dist/ace/ace-generator.js +4 -0
  240. package/dist/ace/ace-generator.js.map +1 -1
  241. package/dist/ace/ace-reflector.js +1 -1
  242. package/dist/ace/ace-reflector.js.map +1 -1
  243. package/dist/ace/context-injection.js +24 -2
  244. package/dist/ace/context-injection.js.map +1 -1
  245. package/dist/agents/agent-loader.js +146 -165
  246. package/dist/agents/agent-loader.js.map +1 -1
  247. package/dist/agents/task-agent-integration.js +1 -1
  248. package/dist/agents/task-agent-integration.js.map +1 -1
  249. package/dist/api/health-endpoints.js +390 -0
  250. package/dist/api/health-endpoints.js.map +1 -0
  251. package/dist/cli/agent-executor.js +4 -1
  252. package/dist/cli/agent-executor.js.map +1 -1
  253. package/dist/cli/agent-prompt-builder.js +89 -1
  254. package/dist/cli/agent-prompt-builder.js.map +1 -1
  255. package/dist/cli/agent-spawn.js +130 -37
  256. package/dist/cli/agent-spawn.js.map +1 -1
  257. package/dist/cli/skill-cache-validator.js +412 -0
  258. package/dist/cli/skill-cache-validator.js.map +1 -0
  259. package/dist/cli/skill-cli.js +991 -0
  260. package/dist/cli/skill-cli.js.map +1 -0
  261. package/dist/cli/skill-execution-logger.js +284 -0
  262. package/dist/cli/skill-execution-logger.js.map +1 -0
  263. package/dist/cli/skill-loader.js +457 -0
  264. package/dist/cli/skill-loader.js.map +1 -0
  265. package/dist/coordination/event-bus.js +2 -2
  266. package/dist/coordination/event-bus.js.map +1 -1
  267. package/dist/coordination/fleet-manager.js +1 -1
  268. package/dist/coordination/fleet-manager.js.map +1 -1
  269. package/dist/coordination/index.js +23 -9
  270. package/dist/coordination/index.js.map +1 -1
  271. package/dist/coordination/types/fleet-manager.types.js.map +1 -1
  272. package/dist/db/migration-manager.js +483 -0
  273. package/dist/db/migration-manager.js.map +1 -0
  274. package/dist/db/skills-query.js +535 -0
  275. package/dist/db/skills-query.js.map +1 -0
  276. package/dist/integration/DatabaseHandoff.js +1 -1
  277. package/dist/integration/DatabaseHandoff.js.map +1 -1
  278. package/dist/jobs/edge-case-analyzer.js +367 -0
  279. package/dist/jobs/edge-case-analyzer.js.map +1 -0
  280. package/dist/jobs/promotion-sla-enforcer.js +288 -0
  281. package/dist/jobs/promotion-sla-enforcer.js.map +1 -0
  282. package/dist/lib/agent-output-parser.js.map +1 -1
  283. package/dist/lib/agent-output-validator.js.map +1 -1
  284. package/dist/lib/agent-workspace.js +281 -0
  285. package/dist/lib/agent-workspace.js.map +1 -0
  286. package/dist/lib/atomic-file-writer.js +377 -0
  287. package/dist/lib/atomic-file-writer.js.map +1 -0
  288. package/dist/lib/backup-manager.js +779 -0
  289. package/dist/lib/backup-manager.js.map +1 -0
  290. package/dist/lib/checkpoint-manager.js +837 -0
  291. package/dist/lib/checkpoint-manager.js.map +1 -0
  292. package/dist/lib/circuit-breaker.js +340 -0
  293. package/dist/lib/circuit-breaker.js.map +1 -0
  294. package/dist/lib/completion-signal-handler.js +243 -0
  295. package/dist/lib/completion-signal-handler.js.map +1 -0
  296. package/dist/lib/config-manager.js +312 -0
  297. package/dist/lib/config-manager.js.map +1 -0
  298. package/dist/lib/config-migrator.js +386 -0
  299. package/dist/lib/config-migrator.js.map +1 -0
  300. package/dist/lib/config-validator.js.map +1 -1
  301. package/dist/lib/correlation-cache.js +311 -0
  302. package/dist/lib/correlation-cache.js.map +1 -0
  303. package/dist/lib/correlation.js +263 -0
  304. package/dist/lib/correlation.js.map +1 -0
  305. package/dist/lib/database-service/connection-pool-manager.js +520 -0
  306. package/dist/lib/database-service/connection-pool-manager.js.map +1 -0
  307. package/dist/lib/database-service/correlation.js +329 -0
  308. package/dist/lib/database-service/correlation.js.map +1 -0
  309. package/dist/lib/database-service/errors.js +120 -0
  310. package/dist/lib/database-service/errors.js.map +1 -0
  311. package/dist/lib/database-service/index.js +168 -0
  312. package/dist/lib/database-service/index.js.map +1 -0
  313. package/dist/lib/database-service/postgres-adapter.js +526 -0
  314. package/dist/lib/database-service/postgres-adapter.js.map +1 -0
  315. package/dist/lib/database-service/redis-adapter.js +360 -0
  316. package/dist/lib/database-service/redis-adapter.js.map +1 -0
  317. package/dist/lib/database-service/sqlite-adapter.js +544 -0
  318. package/dist/lib/database-service/sqlite-adapter.js.map +1 -0
  319. package/dist/lib/database-service/transaction-manager.js +773 -0
  320. package/dist/lib/database-service/transaction-manager.js.map +1 -0
  321. package/dist/lib/database-service/types.js +23 -0
  322. package/dist/lib/database-service/types.js.map +1 -0
  323. package/dist/lib/deadlock-resolver.js +292 -0
  324. package/dist/lib/deadlock-resolver.js.map +1 -0
  325. package/dist/lib/distributed-lock.js +451 -0
  326. package/dist/lib/distributed-lock.js.map +1 -0
  327. package/dist/lib/edge-case-deduplicator.js +227 -0
  328. package/dist/lib/edge-case-deduplicator.js.map +1 -0
  329. package/dist/lib/encryption-manager.js +322 -0
  330. package/dist/lib/encryption-manager.js.map +1 -0
  331. package/dist/lib/error-aggregator.js +234 -0
  332. package/dist/lib/error-aggregator.js.map +1 -0
  333. package/dist/lib/errors.js +287 -0
  334. package/dist/lib/errors.js.map +1 -0
  335. package/dist/lib/file-lock-manager.js +578 -0
  336. package/dist/lib/file-lock-manager.js.map +1 -0
  337. package/dist/lib/file-operations.js +367 -0
  338. package/dist/lib/file-operations.js.map +1 -0
  339. package/dist/lib/idempotent-write.js +237 -0
  340. package/dist/lib/idempotent-write.js.map +1 -0
  341. package/dist/lib/integration-schema-validator.js +522 -0
  342. package/dist/lib/integration-schema-validator.js.map +1 -0
  343. package/dist/lib/lock-health-monitor.js +298 -0
  344. package/dist/lib/lock-health-monitor.js.map +1 -0
  345. package/dist/lib/log-shipper.js +422 -0
  346. package/dist/lib/log-shipper.js.map +1 -0
  347. package/dist/lib/logging.js +146 -0
  348. package/dist/lib/logging.js.map +1 -0
  349. package/dist/lib/message-deduplicator.js +439 -0
  350. package/dist/lib/message-deduplicator.js.map +1 -0
  351. package/dist/lib/multi-system-query.js +604 -0
  352. package/dist/lib/multi-system-query.js.map +1 -0
  353. package/dist/lib/orphan-detector.js +332 -0
  354. package/dist/lib/orphan-detector.js.map +1 -0
  355. package/dist/lib/password-generator.js +166 -0
  356. package/dist/lib/password-generator.js.map +1 -0
  357. package/dist/lib/path-validator.js +429 -0
  358. package/dist/lib/path-validator.js.map +1 -0
  359. package/dist/lib/query-translator.js +905 -0
  360. package/dist/lib/query-translator.js.map +1 -0
  361. package/dist/lib/queue-recovery.js +469 -0
  362. package/dist/lib/queue-recovery.js.map +1 -0
  363. package/dist/lib/redis-queue-manager.js +512 -0
  364. package/dist/lib/redis-queue-manager.js.map +1 -0
  365. package/dist/lib/reflection-archiver.js +272 -0
  366. package/dist/lib/reflection-archiver.js.map +1 -0
  367. package/dist/lib/retry-manager.js +453 -0
  368. package/dist/lib/retry-manager.js.map +1 -0
  369. package/dist/lib/retry.js +262 -0
  370. package/dist/lib/retry.js.map +1 -0
  371. package/dist/lib/schema-transform.js +695 -0
  372. package/dist/lib/schema-transform.js.map +1 -0
  373. package/dist/lib/schema-validator.js +491 -0
  374. package/dist/lib/schema-validator.js.map +1 -0
  375. package/dist/lib/skill-cache.js +297 -0
  376. package/dist/lib/skill-cache.js.map +1 -0
  377. package/dist/lib/skill-content-manager.js +337 -0
  378. package/dist/lib/skill-content-manager.js.map +1 -0
  379. package/dist/lib/skill-frontmatter-parser.js +237 -0
  380. package/dist/lib/skill-frontmatter-parser.js.map +1 -0
  381. package/dist/lib/skill-git-integration.js +275 -0
  382. package/dist/lib/skill-git-integration.js.map +1 -0
  383. package/dist/lib/skill-markdown-validator.js +396 -0
  384. package/dist/lib/skill-markdown-validator.js.map +1 -0
  385. package/dist/lib/skill-output-parser.js +312 -0
  386. package/dist/lib/skill-output-parser.js.map +1 -0
  387. package/dist/lib/unified-query-api.js +467 -0
  388. package/dist/lib/unified-query-api.js.map +1 -0
  389. package/dist/middleware/auth-middleware.js +350 -0
  390. package/dist/middleware/auth-middleware.js.map +1 -0
  391. package/dist/middleware/schema-validation.js +347 -0
  392. package/dist/middleware/schema-validation.js.map +1 -0
  393. package/dist/providers/anthropic-provider.js +1 -1
  394. package/dist/providers/anthropic-provider.js.map +1 -1
  395. package/dist/providers/provider-factory.js +2 -2
  396. package/dist/providers/provider-factory.js.map +1 -1
  397. package/dist/services/edge-case-analyzer.js +321 -0
  398. package/dist/services/edge-case-analyzer.js.map +1 -0
  399. package/dist/services/edge-case-deduplicator.js +266 -0
  400. package/dist/services/edge-case-deduplicator.js.map +1 -0
  401. package/dist/services/edge-case-detector.js +337 -0
  402. package/dist/services/edge-case-detector.js.map +1 -0
  403. package/dist/services/edge-case-tracker.js +547 -0
  404. package/dist/services/edge-case-tracker.js.map +1 -0
  405. package/dist/services/health-check-system.js +586 -0
  406. package/dist/services/health-check-system.js.map +1 -0
  407. package/dist/services/metrics-logger.js +412 -0
  408. package/dist/services/metrics-logger.js.map +1 -0
  409. package/dist/services/patch-generator.js +378 -0
  410. package/dist/services/patch-generator.js.map +1 -0
  411. package/dist/services/patch-validator.js +337 -0
  412. package/dist/services/patch-validator.js.map +1 -0
  413. package/dist/services/performance-monitor.js +811 -0
  414. package/dist/services/performance-monitor.js.map +1 -0
  415. package/dist/services/promotion-pipeline.js +918 -0
  416. package/dist/services/promotion-pipeline.js.map +1 -0
  417. package/dist/services/promotion-validator.js +394 -0
  418. package/dist/services/promotion-validator.js.map +1 -0
  419. package/dist/services/reflection-logger.js +388 -0
  420. package/dist/services/reflection-logger.js.map +1 -0
  421. package/dist/services/skill-deployment.js +472 -0
  422. package/dist/services/skill-deployment.js.map +1 -0
  423. package/dist/services/skill-loader.js +427 -0
  424. package/dist/services/skill-loader.js.map +1 -0
  425. package/dist/services/skill-promotion.js +372 -0
  426. package/dist/services/skill-promotion.js.map +1 -0
  427. package/dist/services/skill-validator.js +454 -0
  428. package/dist/services/skill-validator.js.map +1 -0
  429. package/dist/services/skill-versioning.js +244 -0
  430. package/dist/services/skill-versioning.js.map +1 -0
  431. package/dist/services/workspace-supervisor.js +597 -0
  432. package/dist/services/workspace-supervisor.js.map +1 -0
  433. package/dist/types/edge-case.js +45 -0
  434. package/dist/types/edge-case.js.map +1 -0
  435. package/package.json +201 -177
  436. package/readme/README.md +19 -4
  437. package/scripts/backup-cleanup.sh +627 -0
  438. package/scripts/cleanup-workspaces.sh +412 -0
  439. package/scripts/cleanup-yaml-configs.sh +141 -0
  440. package/scripts/deploy-approved-skills.sh +263 -0
  441. package/scripts/health-check.sh +447 -0
  442. package/scripts/log-aggregator.sh +554 -0
  443. package/scripts/log-monitor.sh +629 -0
  444. package/scripts/manage-agent-workspaces.sh +434 -0
  445. package/scripts/migrate-schema.sh +533 -0
  446. package/scripts/promote-staged-skills.sh +423 -0
  447. package/scripts/verify-no-secrets.sh +88 -35
  448. package/.claude/cfn-extras/agents/deprecated-coordinators/adaptive-coordinator.md.backup +0 -161
  449. package/.claude/cfn-extras/agents/deprecated-coordinators/blocking-coordinator-example.md.backup +0 -728
  450. package/.claude/cfn-extras/agents/deprecated-coordinators/mesh-coordinator.md.backup +0 -131
  451. package/.claude/skills/agent-lifecycle/SKILL.md +0 -60
  452. package/.claude/skills/agent-lifecycle/execute-lifecycle-hook.sh +0 -573
  453. package/.claude/skills/agent-lifecycle/simple-audit.sh +0 -31
  454. package/.claude/skills/cfn-agent-spawning/spawn-agent.sh.backup +0 -273
  455. package/.claude/skills/cfn-loop-orchestration/orchestrate.sh.backup +0 -949
  456. package/README.md.backup_before_replace +0 -781
  457. package/claude-assets/cfn-extras/agents/deprecated-coordinators/adaptive-coordinator.md.backup +0 -161
  458. package/claude-assets/cfn-extras/agents/deprecated-coordinators/blocking-coordinator-example.md.backup +0 -728
  459. package/claude-assets/cfn-extras/agents/deprecated-coordinators/mesh-coordinator.md.backup +0 -131
  460. package/claude-assets/skills/cfn-agent-spawning/spawn-agent.sh.backup +0 -273
  461. package/claude-assets/skills/cfn-loop-orchestration/orchestrate.sh.backup +0 -949
package/dist/middleware/auth-middleware.js ADDED
@@ -0,0 +1,350 @@
1
+ /**
2
+ * Authentication and Role-Based Access Control (RBAC) Middleware
3
+ *
4
+ * Implements JWT-based authentication and role-based access control for
5
+ * sensitive operations like skill promotion, approval, and deployment.
6
+ *
7
+ * Features:
8
+ * - JWT token validation and expiration checks
9
+ * - Role-based access control with granular permissions
10
+ * - Session-based authentication fallback
11
+ * - Audit logging for authorization failures
12
+ * - Per-operation permission validation
13
+ *
14
+ * Roles:
15
+ * - admin: Full access to all promotion operations
16
+ * - developer: Can initiate promotions, but not approve/deploy
17
+ * - readonly: Can view audit trails, but no promotion access
18
+ */ import { StandardError, ErrorCode } from '../lib/errors.js';
19
+ import { createLogger } from '../lib/logging.js';
20
+ import * as jwt from 'jsonwebtoken';
21
+ const logger = createLogger('auth-middleware');
22
+ /**
23
+ * User role enum
24
+ */ export var UserRole = /*#__PURE__*/ function(UserRole) {
25
+ UserRole["ADMIN"] = "admin";
26
+ UserRole["DEVELOPER"] = "developer";
27
+ UserRole["READONLY"] = "readonly";
28
+ return UserRole;
29
+ }({});
30
+ /**
31
+ * Promotion operation enum
32
+ */ export var PromotionOperation = /*#__PURE__*/ function(PromotionOperation) {
33
+ PromotionOperation["INITIATE"] = "initiate-promotion";
34
+ PromotionOperation["VALIDATE"] = "validate-skill";
35
+ PromotionOperation["TEST"] = "test-skill";
36
+ PromotionOperation["APPROVE"] = "approve-promotion";
37
+ PromotionOperation["DEPLOY"] = "deploy-to-production";
38
+ PromotionOperation["ROLLBACK"] = "rollback-deployment";
39
+ return PromotionOperation;
40
+ }({});
41
+ /**
42
+ * Permission mapping: role -> allowed operations
43
+ */ const ROLE_PERMISSIONS = {
44
+ ["admin"]: [
45
+ "initiate-promotion",
46
+ "validate-skill",
47
+ "test-skill",
48
+ "approve-promotion",
49
+ "deploy-to-production",
50
+ "rollback-deployment"
51
+ ],
52
+ ["developer"]: [
53
+ "initiate-promotion",
54
+ "validate-skill",
55
+ "test-skill"
56
+ ],
57
+ ["readonly"]: []
58
+ };
59
+ /**
60
+ * Authentication middleware for validating user identity
61
+ *
62
+ * SECURITY CRITICAL: JWT_SECRET must be configured via environment variable
63
+ * or explicitly provided. No default secrets are allowed in production.
64
+ */ export class AuthMiddleware {
65
+ jwtSecret;
66
+ tokenExpirationSeconds;
67
+ sessions;
68
+ // List of insecure default secrets that must be rejected (CVSS 9.8 vulnerability)
69
+ static INSECURE_SECRETS = [
70
+ 'dev-secret-key',
71
+ 'secret',
72
+ 'password',
73
+ 'test',
74
+ 'default',
75
+ '123456',
76
+ 'changeme'
77
+ ];
78
+ /**
79
+ * Create authentication middleware
80
+ *
81
+ * @param jwtSecret - JWT signing secret (REQUIRED). If not provided, will attempt
82
+ * to load from JWT_SECRET environment variable. Throws error if
83
+ * neither is available.
84
+ * @param tokenExpirationSeconds - Token expiration time in seconds (default: 3600)
85
+ * @throws StandardError with CONFIGURATION_ERROR if JWT_SECRET is not configured
86
+ * @throws StandardError with VALIDATION_FAILED if JWT_SECRET is empty, too short
87
+ * (<16 chars), or matches known insecure defaults
88
+ *
89
+ * @example
90
+ * // Explicit secret (for testing)
91
+ * const auth = new AuthMiddleware('strong-secret-key-at-least-16-chars');
92
+ *
93
+ * @example
94
+ * // From environment variable (production)
95
+ * process.env.JWT_SECRET = 'production-secret-at-least-16-chars';
96
+ * const auth = new AuthMiddleware();
97
+ */ constructor(jwtSecret, tokenExpirationSeconds = 3600){
98
+ // Attempt to resolve JWT secret from parameter or environment
99
+ const resolvedSecret = jwtSecret ?? process.env.JWT_SECRET;
100
+ // Fail fast if JWT_SECRET is not configured
101
+ if (!resolvedSecret) {
102
+ throw new StandardError(ErrorCode.CONFIGURATION_ERROR, 'JWT_SECRET is required but not configured. Please set the JWT_SECRET environment variable or provide it explicitly to the constructor.', {
103
+ hint: 'Set JWT_SECRET in your .env file or environment: export JWT_SECRET="your-secret-key"',
104
+ securityNote: 'Never use default secrets in production. Generate a strong random secret.'
105
+ });
106
+ }
107
+ // Trim and validate secret is not empty or whitespace
108
+ const trimmedSecret = resolvedSecret.trim();
109
+ if (trimmedSecret.length === 0) {
110
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'JWT_SECRET cannot be empty or whitespace only.', {
111
+ hint: 'Provide a strong secret key of at least 16 characters'
112
+ });
113
+ }
114
+ // Validate minimum length (prevent weak secrets - CVSS 7.5)
115
+ if (trimmedSecret.length < 16) {
116
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'JWT_SECRET must be at least 16 characters long for security.', {
117
+ providedLength: trimmedSecret.length,
118
+ requiredLength: 16,
119
+ hint: 'Use a strong random secret of at least 16 characters'
120
+ });
121
+ }
122
+ // Reject known insecure default secrets (CVSS 9.8 vulnerability)
123
+ // Only reject if secret exactly matches known insecure defaults
124
+ const normalizedSecret = trimmedSecret.toLowerCase().replace(/[_-]/g, '');
125
+ const isInsecure = AuthMiddleware.INSECURE_SECRETS.some((insecure)=>{
126
+ const normalizedInsecure = insecure.toLowerCase().replace(/[_-]/g, '');
127
+ // Only exact match - do not match if contains
128
+ return normalizedSecret === normalizedInsecure;
129
+ });
130
+ if (isInsecure) {
131
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Detected insecure default secret. Please use a strong, unique JWT_SECRET in production.', {
132
+ securityRisk: 'CVSS 9.8 - Default secrets allow authentication bypass and token forgery',
133
+ hint: 'Generate a secure random secret: openssl rand -base64 32'
134
+ });
135
+ }
136
+ this.jwtSecret = trimmedSecret;
137
+ this.tokenExpirationSeconds = tokenExpirationSeconds;
138
+ this.sessions = new Map();
139
+ logger.debug('AuthMiddleware initialized with secure JWT secret');
140
+ }
141
+ /**
142
+ * Generate a JWT token for a user
143
+ *
144
+ * @param userId - User ID
145
+ * @param username - Username
146
+ * @param role - User role
147
+ * @param email - User email (optional)
148
+ * @returns JWT token
149
+ */ generateToken(userId, username, role, email) {
150
+ const payload = {
151
+ userId,
152
+ username,
153
+ role,
154
+ email
155
+ };
156
+ return jwt.sign(payload, this.jwtSecret, {
157
+ algorithm: 'HS256',
158
+ expiresIn: this.tokenExpirationSeconds
159
+ });
160
+ }
161
+ /**
162
+ * Validate JWT token and extract user context
163
+ *
164
+ * @param token - JWT token
165
+ * @returns User context if valid
166
+ * @throws StandardError if token is invalid or expired
167
+ */ validateToken(token) {
168
+ try {
169
+ if (!token || typeof token !== 'string') {
170
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Missing or invalid authentication token');
171
+ }
172
+ // Remove "Bearer " prefix if present
173
+ const cleanToken = token.startsWith('Bearer ') ? token.substring(7) : token;
174
+ const decoded = jwt.verify(cleanToken, this.jwtSecret, {
175
+ algorithms: [
176
+ 'HS256'
177
+ ]
178
+ });
179
+ // Validate required fields
180
+ if (!decoded.userId || !decoded.username || !decoded.role) {
181
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Invalid token structure: missing required fields');
182
+ }
183
+ // Validate role is one of the allowed roles
184
+ if (!Object.values(UserRole).includes(decoded.role)) {
185
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, `Invalid role: ${decoded.role}`);
186
+ }
187
+ return {
188
+ userId: decoded.userId,
189
+ username: decoded.username,
190
+ role: decoded.role,
191
+ email: decoded.email,
192
+ issuedAt: decoded.iat || Math.floor(Date.now() / 1000),
193
+ expiresAt: decoded.exp || Math.floor(Date.now() / 1000) + this.tokenExpirationSeconds
194
+ };
195
+ } catch (error) {
196
+ if (error instanceof StandardError) {
197
+ throw error;
198
+ }
199
+ if (error instanceof jwt.TokenExpiredError) {
200
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Authentication token has expired', {
201
+ expiredAt: error.expiredAt?.toISOString()
202
+ }, error);
203
+ }
204
+ if (error instanceof jwt.JsonWebTokenError) {
205
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Invalid authentication token', {}, error);
206
+ }
207
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Token validation failed', {}, error);
208
+ }
209
+ }
210
+ /**
211
+ * Register a session (for session-based authentication fallback)
212
+ *
213
+ * @param sessionId - Session ID
214
+ * @param userContext - User context
215
+ */ registerSession(sessionId, userContext) {
216
+ this.sessions.set(sessionId, {
217
+ ...userContext,
218
+ sessionId
219
+ });
220
+ logger.debug('Session registered', {
221
+ sessionId,
222
+ userId: userContext.userId
223
+ });
224
+ }
225
+ /**
226
+ * Validate session
227
+ *
228
+ * @param sessionId - Session ID
229
+ * @returns User context if valid
230
+ * @throws StandardError if session is invalid or expired
231
+ */ validateSession(sessionId) {
232
+ const session = this.sessions.get(sessionId);
233
+ if (!session) {
234
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Invalid or expired session');
235
+ }
236
+ // Check if session has expired
237
+ if (session.expiresAt < Math.floor(Date.now() / 1000)) {
238
+ this.sessions.delete(sessionId);
239
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Session has expired');
240
+ }
241
+ return session;
242
+ }
243
+ /**
244
+ * Invalidate a session
245
+ *
246
+ * @param sessionId - Session ID
247
+ */ invalidateSession(sessionId) {
248
+ this.sessions.delete(sessionId);
249
+ logger.debug('Session invalidated', {
250
+ sessionId
251
+ });
252
+ }
253
+ /**
254
+ * Extract user context from Authorization header
255
+ *
256
+ * @param authHeader - Authorization header value
257
+ * @returns User context
258
+ * @throws StandardError if authorization header is invalid
259
+ */ extractUserContext(authHeader, sessionId) {
260
+ // Try JWT token first
261
+ if (authHeader) {
262
+ return this.validateToken(authHeader);
263
+ }
264
+ // Fallback to session
265
+ if (sessionId) {
266
+ return this.validateSession(sessionId);
267
+ }
268
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Missing authentication credentials (JWT token or session required)');
269
+ }
270
+ }
271
+ /**
272
+ * Role-Based Access Control (RBAC) enforcer
273
+ */ export class RBACEnforcer {
274
+ authMiddleware;
275
+ constructor(authMiddleware){
276
+ this.authMiddleware = authMiddleware;
277
+ }
278
+ /**
279
+ * Check if user has permission for an operation
280
+ *
281
+ * @param userContext - User context
282
+ * @param operation - Operation to perform
283
+ * @returns True if user has permission
284
+ */ hasPermission(userContext, operation) {
285
+ const allowedOperations = ROLE_PERMISSIONS[userContext.role];
286
+ return allowedOperations.includes(operation);
287
+ }
288
+ /**
289
+ * Enforce permission check - throws if user lacks permission
290
+ *
291
+ * @param userContext - User context
292
+ * @param operation - Operation to perform
293
+ * @param skillId - Skill ID (for audit context)
294
+ * @throws StandardError if user lacks permission
295
+ */ enforcePermission(userContext, operation, skillId) {
296
+ if (!this.hasPermission(userContext, operation)) {
297
+ logger.warn('Authorization denied', {
298
+ userId: userContext.userId,
299
+ role: userContext.role,
300
+ operation,
301
+ skillId
302
+ });
303
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, `User does not have permission to perform operation: ${operation}`, {
304
+ userId: userContext.userId,
305
+ role: userContext.role,
306
+ operation,
307
+ skillId,
308
+ allowedOperations: ROLE_PERMISSIONS[userContext.role]
309
+ });
310
+ }
311
+ logger.debug('Authorization granted', {
312
+ userId: userContext.userId,
313
+ role: userContext.role,
314
+ operation,
315
+ skillId
316
+ });
317
+ }
318
+ /**
319
+ * Get description of allowed operations for a role
320
+ *
321
+ * @param role - User role
322
+ * @returns List of allowed operations
323
+ */ getAllowedOperations(role) {
324
+ return ROLE_PERMISSIONS[role];
325
+ }
326
+ }
327
+ /**
328
+ * Authorization decorator factory
329
+ * Wrap promotion operations to enforce RBAC
330
+ */ export function requirePermission(operation) {
331
+ return function(target, propertyKey, descriptor) {
332
+ const originalMethod = descriptor.value;
333
+ descriptor.value = async function(...args) {
334
+ // Extract userContext and rbac from 'this' context
335
+ if (!this.userContext) {
336
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'User context not available - authentication required');
337
+ }
338
+ if (!this.rbacEnforcer) {
339
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'RBAC enforcer not configured');
340
+ }
341
+ const skillId = args[0]?.skillId || args[1]?.skillId;
342
+ this.rbacEnforcer.enforcePermission(this.userContext, operation, skillId);
343
+ return originalMethod.apply(this, args);
344
+ };
345
+ return descriptor;
346
+ };
347
+ }
348
+ export default AuthMiddleware;
349
+
350
+ //# sourceMappingURL=auth-middleware.js.map
package/dist/middleware/auth-middleware.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../../src/middleware/auth-middleware.ts"],"sourcesContent":["/**\n * Authentication and Role-Based Access Control (RBAC) Middleware\n *\n * Implements JWT-based authentication and role-based access control for\n * sensitive operations like skill promotion, approval, and deployment.\n *\n * Features:\n * - JWT token validation and expiration checks\n * - Role-based access control with granular permissions\n * - Session-based authentication fallback\n * - Audit logging for authorization failures\n * - Per-operation permission validation\n *\n * Roles:\n * - admin: Full access to all promotion operations\n * - developer: Can initiate promotions, but not approve/deploy\n * - readonly: Can view audit trails, but no promotion access\n */\n\nimport { StandardError, ErrorCode } from '../lib/errors.js';\nimport { createLogger } from '../lib/logging.js';\nimport * as jwt from 'jsonwebtoken';\n\nconst logger = createLogger('auth-middleware');\n\n/**\n * User role enum\n */\nexport enum UserRole {\n ADMIN = 'admin',\n DEVELOPER = 'developer',\n READONLY = 'readonly',\n}\n\n/**\n * Promotion operation enum\n */\nexport enum PromotionOperation {\n INITIATE = 'initiate-promotion',\n VALIDATE = 'validate-skill',\n TEST = 'test-skill',\n APPROVE = 'approve-promotion',\n DEPLOY = 'deploy-to-production',\n ROLLBACK = 'rollback-deployment',\n}\n\n/**\n * User context from authentication\n */\nexport interface UserContext {\n userId: string;\n username: string;\n role: UserRole;\n email?: string;\n issuedAt: number;\n expiresAt: number;\n sessionId?: string;\n}\n\n/**\n * Permission mapping: role -> allowed operations\n */\nconst ROLE_PERMISSIONS: Record<UserRole, PromotionOperation[]> = {\n [UserRole.ADMIN]: [\n PromotionOperation.INITIATE,\n PromotionOperation.VALIDATE,\n PromotionOperation.TEST,\n PromotionOperation.APPROVE,\n PromotionOperation.DEPLOY,\n PromotionOperation.ROLLBACK,\n ],\n [UserRole.DEVELOPER]: [\n PromotionOperation.INITIATE,\n PromotionOperation.VALIDATE,\n PromotionOperation.TEST,\n ],\n [UserRole.READONLY]: [],\n};\n\n/**\n * Authentication middleware for validating user identity\n *\n * SECURITY CRITICAL: JWT_SECRET must be configured via environment variable\n * or explicitly provided. No default secrets are allowed in production.\n */\nexport class AuthMiddleware {\n private jwtSecret: string;\n private tokenExpirationSeconds: number;\n private sessions: Map<string, UserContext>;\n\n // List of insecure default secrets that must be rejected (CVSS 9.8 vulnerability)\n private static readonly INSECURE_SECRETS = [\n 'dev-secret-key',\n 'secret',\n 'password',\n 'test',\n 'default',\n '123456',\n 'changeme',\n ];\n\n /**\n * Create authentication middleware\n *\n * @param jwtSecret - JWT signing secret (REQUIRED). If not provided, will attempt\n * to load from JWT_SECRET environment variable. Throws error if\n * neither is available.\n * @param tokenExpirationSeconds - Token expiration time in seconds (default: 3600)\n * @throws StandardError with CONFIGURATION_ERROR if JWT_SECRET is not configured\n * @throws StandardError with VALIDATION_FAILED if JWT_SECRET is empty, too short\n * (<16 chars), or matches known insecure defaults\n *\n * @example\n * // Explicit secret (for testing)\n * const auth = new AuthMiddleware('strong-secret-key-at-least-16-chars');\n *\n * @example\n * // From environment variable (production)\n * process.env.JWT_SECRET = 'production-secret-at-least-16-chars';\n * const auth = new AuthMiddleware();\n */\n constructor(jwtSecret?: string, tokenExpirationSeconds: number = 3600) {\n // Attempt to resolve JWT secret from parameter or environment\n const resolvedSecret = jwtSecret ?? process.env.JWT_SECRET;\n\n // Fail fast if JWT_SECRET is not configured\n if (!resolvedSecret) {\n throw new StandardError(\n ErrorCode.CONFIGURATION_ERROR,\n 'JWT_SECRET is required but not configured. Please set the JWT_SECRET environment variable or provide it explicitly to the constructor.',\n {\n hint: 'Set JWT_SECRET in your .env file or environment: export JWT_SECRET=\"your-secret-key\"',\n securityNote: 'Never use default secrets in production. Generate a strong random secret.',\n }\n );\n }\n\n // Trim and validate secret is not empty or whitespace\n const trimmedSecret = resolvedSecret.trim();\n if (trimmedSecret.length === 0) {\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'JWT_SECRET cannot be empty or whitespace only.',\n {\n hint: 'Provide a strong secret key of at least 16 characters',\n }\n );\n }\n\n // Validate minimum length (prevent weak secrets - CVSS 7.5)\n if (trimmedSecret.length < 16) {\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'JWT_SECRET must be at least 16 characters long for security.',\n {\n providedLength: trimmedSecret.length,\n requiredLength: 16,\n hint: 'Use a strong random secret of at least 16 characters',\n }\n );\n }\n\n // Reject known insecure default secrets (CVSS 9.8 vulnerability)\n // Only reject if secret exactly matches known insecure defaults\n const normalizedSecret = trimmedSecret.toLowerCase().replace(/[_-]/g, '');\n const isInsecure = AuthMiddleware.INSECURE_SECRETS.some((insecure) => {\n const normalizedInsecure = insecure.toLowerCase().replace(/[_-]/g, '');\n // Only exact match - do not match if contains\n return normalizedSecret === normalizedInsecure;\n });\n\n if (isInsecure) {\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'Detected insecure default secret. Please use a strong, unique JWT_SECRET in production.',\n {\n securityRisk: 'CVSS 9.8 - Default secrets allow authentication bypass and token forgery',\n hint: 'Generate a secure random secret: openssl rand -base64 32',\n }\n );\n }\n\n this.jwtSecret = trimmedSecret;\n this.tokenExpirationSeconds = tokenExpirationSeconds;\n this.sessions = new Map();\n\n logger.debug('AuthMiddleware initialized with secure JWT secret');\n }\n\n /**\n * Generate a JWT token for a user\n *\n * @param userId - User ID\n * @param username - Username\n * @param role - User role\n * @param email - User email (optional)\n * @returns JWT token\n */\n generateToken(userId: string, username: string, role: UserRole, email?: string): string {\n const payload = {\n userId,\n username,\n role,\n email,\n };\n\n return jwt.sign(payload, this.jwtSecret, {\n algorithm: 'HS256',\n expiresIn: this.tokenExpirationSeconds,\n });\n }\n\n /**\n * Validate JWT token and extract user context\n *\n * @param token - JWT token\n * @returns User context if valid\n * @throws StandardError if token is invalid or expired\n */\n validateToken(token: string): UserContext {\n try {\n if (!token || typeof token !== 'string') {\n throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Missing or invalid authentication token');\n }\n\n // Remove \"Bearer \" prefix if present\n const cleanToken = token.startsWith('Bearer ') ? token.substring(7) : token;\n\n const decoded = jwt.verify(cleanToken, this.jwtSecret, {\n algorithms: ['HS256'],\n }) as any;\n\n // Validate required fields\n if (!decoded.userId || !decoded.username || !decoded.role) {\n throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Invalid token structure: missing required fields');\n }\n\n // Validate role is one of the allowed roles\n if (!Object.values(UserRole).includes(decoded.role)) {\n throw new StandardError(ErrorCode.VALIDATION_FAILED, `Invalid role: ${decoded.role}`);\n }\n\n return {\n userId: decoded.userId,\n username: decoded.username,\n role: decoded.role,\n email: decoded.email,\n issuedAt: decoded.iat || Math.floor(Date.now() / 1000),\n expiresAt: decoded.exp || Math.floor(Date.now() / 1000) + this.tokenExpirationSeconds,\n };\n } catch (error) {\n if (error instanceof StandardError) {\n throw error;\n }\n\n if (error instanceof jwt.TokenExpiredError) {\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'Authentication token has expired',\n { expiredAt: error.expiredAt?.toISOString() },\n error\n );\n }\n\n if (error instanceof jwt.JsonWebTokenError) {\n throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Invalid authentication token', {}, error);\n }\n\n throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Token validation failed', {}, error as Error);\n }\n }\n\n /**\n * Register a session (for session-based authentication fallback)\n *\n * @param sessionId - Session ID\n * @param userContext - User context\n */\n registerSession(sessionId: string, userContext: UserContext): void {\n this.sessions.set(sessionId, { ...userContext, sessionId });\n logger.debug('Session registered', { sessionId, userId: userContext.userId });\n }\n\n /**\n * Validate session\n *\n * @param sessionId - Session ID\n * @returns User context if valid\n * @throws StandardError if session is invalid or expired\n */\n validateSession(sessionId: string): UserContext {\n const session = this.sessions.get(sessionId);\n\n if (!session) {\n throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Invalid or expired session');\n }\n\n // Check if session has expired\n if (session.expiresAt < Math.floor(Date.now() / 1000)) {\n this.sessions.delete(sessionId);\n throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Session has expired');\n }\n\n return session;\n }\n\n /**\n * Invalidate a session\n *\n * @param sessionId - Session ID\n */\n invalidateSession(sessionId: string): void {\n this.sessions.delete(sessionId);\n logger.debug('Session invalidated', { sessionId });\n }\n\n /**\n * Extract user context from Authorization header\n *\n * @param authHeader - Authorization header value\n * @returns User context\n * @throws StandardError if authorization header is invalid\n */\n extractUserContext(authHeader?: string, sessionId?: string): UserContext {\n // Try JWT token first\n if (authHeader) {\n return this.validateToken(authHeader);\n }\n\n // Fallback to session\n if (sessionId) {\n return this.validateSession(sessionId);\n }\n\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'Missing authentication credentials (JWT token or session required)'\n );\n }\n}\n\n/**\n * Role-Based Access Control (RBAC) enforcer\n */\nexport class RBACEnforcer {\n private authMiddleware: AuthMiddleware;\n\n constructor(authMiddleware: AuthMiddleware) {\n this.authMiddleware = authMiddleware;\n }\n\n /**\n * Check if user has permission for an operation\n *\n * @param userContext - User context\n * @param operation - Operation to perform\n * @returns True if user has permission\n */\n hasPermission(userContext: UserContext, operation: PromotionOperation): boolean {\n const allowedOperations = ROLE_PERMISSIONS[userContext.role];\n return allowedOperations.includes(operation);\n }\n\n /**\n * Enforce permission check - throws if user lacks permission\n *\n * @param userContext - User context\n * @param operation - Operation to perform\n * @param skillId - Skill ID (for audit context)\n * @throws StandardError if user lacks permission\n */\n enforcePermission(userContext: UserContext, operation: PromotionOperation, skillId?: string): void {\n if (!this.hasPermission(userContext, operation)) {\n logger.warn('Authorization denied', {\n userId: userContext.userId,\n role: userContext.role,\n operation,\n skillId,\n });\n\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n `User does not have permission to perform operation: ${operation}`,\n {\n userId: userContext.userId,\n role: userContext.role,\n operation,\n skillId,\n allowedOperations: ROLE_PERMISSIONS[userContext.role],\n }\n );\n }\n\n logger.debug('Authorization granted', {\n userId: userContext.userId,\n role: userContext.role,\n operation,\n skillId,\n });\n }\n\n /**\n * Get description of allowed operations for a role\n *\n * @param role - User role\n * @returns List of allowed operations\n */\n getAllowedOperations(role: UserRole): PromotionOperation[] {\n return ROLE_PERMISSIONS[role];\n }\n}\n\n/**\n * Authorization decorator factory\n * Wrap promotion operations to enforce RBAC\n */\nexport function requirePermission(operation: PromotionOperation) {\n return function (target: any, propertyKey: string, descriptor: PropertyDescriptor) {\n const originalMethod = descriptor.value;\n\n descriptor.value = async function (this: any, ...args: any[]) {\n // Extract userContext and rbac from 'this' context\n if (!this.userContext) {\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'User context not available - authentication required'\n );\n }\n\n if (!this.rbacEnforcer) {\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'RBAC enforcer not configured'\n );\n }\n\n const skillId = args[0]?.skillId || args[1]?.skillId;\n this.rbacEnforcer.enforcePermission(this.userContext, operation, skillId);\n\n return originalMethod.apply(this, args);\n };\n\n return descriptor;\n };\n}\n\nexport default AuthMiddleware;\n"],"names":["StandardError","ErrorCode","createLogger","jwt","logger","UserRole","PromotionOperation","ROLE_PERMISSIONS","AuthMiddleware","jwtSecret","tokenExpirationSeconds","sessions","INSECURE_SECRETS","resolvedSecret","process","env","JWT_SECRET","CONFIGURATION_ERROR","hint","securityNote","trimmedSecret","trim","length","VALIDATION_FAILED","providedLength","requiredLength","normalizedSecret","toLowerCase","replace","isInsecure","some","insecure","normalizedInsecure","securityRisk","Map","debug","generateToken","userId","username","role","email","payload","sign","algorithm","expiresIn","validateToken","token","cleanToken","startsWith","substring","decoded","verify","algorithms","Object","values","includes","issuedAt","iat","Math","floor","Date","now","expiresAt","exp","error","TokenExpiredError","expiredAt","toISOString","JsonWebTokenError","registerSession","sessionId","userContext","set","validateSession","session","get","delete","invalidateSession","extractUserContext","authHeader","RBACEnforcer","authMiddleware","hasPermission","operation","allowedOperations","enforcePermission","skillId","warn","getAllowedOperations","requirePermission","target","propertyKey","descriptor","originalMethod","value","args","rbacEnforcer","apply"],"mappings":"AAAA;;;;;;;;;;;;;;;;;CAiBC,GAED,SAASA,aAAa,EAAEC,SAAS,QAAQ,mBAAmB;AAC5D,SAASC,YAAY,QAAQ,oBAAoB;AACjD,YAAYC,SAAS,eAAe;AAEpC,MAAMC,SAASF,aAAa;AAE5B;;CAEC,GACD,OAAO,IAAA,AAAKG,kCAAAA;;;;WAAAA;MAIX;AAED;;CAEC,GACD,OAAO,IAAA,AAAKC,4CAAAA;;;;;;;WAAAA;MAOX;AAeD;;CAEC,GACD,MAAMC,mBAA2D;IAC/D,SAAgB,EAAE;;;;;;;KAOjB;IACD,aAAoB,EAAE;;;;KAIrB;IACD,YAAmB,EAAE,EAAE;AACzB;AAEA;;;;;CAKC,GACD,OAAO,MAAMC;IACHC,UAAkB;IAClBC,uBAA+B;IAC/BC,SAAmC;IAE3C,kFAAkF;IAClF,OAAwBC,mBAAmB;QACzC;QACA;QACA;QACA;QACA;QACA;QACA;KACD,CAAC;IAEF;;;;;;;;;;;;;;;;;;;GAmBC,GACD,YAAYH,SAAkB,EAAEC,yBAAiC,IAAI,CAAE;QACrE,8DAA8D;QAC9D,MAAMG,iBAAiBJ,aAAaK,QAAQC,GAAG,CAACC,UAAU;QAE1D,4CAA4C;QAC5C,IAAI,CAACH,gBAAgB;YACnB,MAAM,IAAIb,cACRC,UAAUgB,mBAAmB,EAC7B,0IACA;gBACEC,MAAM;gBACNC,cAAc;YAChB;QAEJ;QAEA,sDAAsD;QACtD,MAAMC,gBAAgBP,eAAeQ,IAAI;QACzC,IAAID,cAAcE,MAAM,KAAK,GAAG;YAC9B,MAAM,IAAItB,cACRC,UAAUsB,iBAAiB,EAC3B,kDACA;gBACEL,MAAM;YACR;QAEJ;QAEA,4DAA4D;QAC5D,IAAIE,cAAcE,MAAM,GAAG,IAAI;YAC7B,MAAM,IAAItB,cACRC,UAAUsB,iBAAiB,EAC3B,gEACA;gBACEC,gBAAgBJ,cAAcE,MAAM;gBACpCG,gBAAgB;gBAChBP,MAAM;YACR;QAEJ;QAEA,iEAAiE;QACjE,gEAAgE;QAChE,MAAMQ,mBAAmBN,cAAcO,WAAW,GAAGC,OAAO,CAAC,SAAS;QACtE,MAAMC,aAAarB,eAAeI,gBAAgB,CAACkB,IAAI,CAAC,CAACC;YACvD,MAAMC,qBAAqBD,SAASJ,WAAW,GAAGC,OAAO,CAAC,SAAS;YACnE,8CAA8C;YAC9C,OAAOF,qBAAqBM;QAC9B;QAEA,IAAIH,YAAY;YACd,MAAM,IAAI7B,cACRC,UAAUsB,iBAAiB,EAC3B,2FACA;gBACEU,cAAc;gBACdf,MAAM;YACR;QAEJ;QAEA,IAAI,CAACT,SAAS,GAAGW;QACjB,IAAI,CAACV,sBAAsB,GAAGA;QAC9B,IAAI,CAACC,QAAQ,GAAG,IAAIuB;QAEpB9B,OAAO+B,KAAK,CAAC;IACf;IAEA;;;;;;;;GAQC,GACDC,cAAcC,MAAc,EAAEC,QAAgB,EAAEC,IAAc,EAAEC,KAAc,EAAU;QACtF,MAAMC,UAAU;YACdJ;YACAC;YACAC;YACAC;QACF;QAEA,OAAOrC,IAAIuC,IAAI,CAACD,SAAS,IAAI,CAAChC,SAAS,EAAE;YACvCkC,WAAW;YACXC,WAAW,IAAI,CAAClC,sBAAsB;QACxC;IACF;IAEA;;;;;;GAMC,GACDmC,cAAcC,KAAa,EAAe;QACxC,IAAI;YACF,IAAI,CAACA,SAAS,OAAOA,UAAU,UAAU;gBACvC,MAAM,IAAI9C,cAAcC,UAAUsB,iBAAiB,EAAE;YACvD;YAEA,qCAAqC;YACrC,MAAMwB,aAAaD,MAAME,UAAU,CAAC,aAAaF,MAAMG,SAAS,CAAC,KAAKH;YAEtE,MAAMI,UAAU/C,IAAIgD,MAAM,CAACJ,YAAY,IAAI,CAACtC,SAAS,EAAE;gBACrD2C,YAAY;oBAAC;iBAAQ;YACvB;YAEA,2BAA2B;YAC3B,IAAI,CAACF,QAAQb,MAAM,IAAI,CAACa,QAAQZ,QAAQ,IAAI,CAACY,QAAQX,IAAI,EAAE;gBACzD,MAAM,IAAIvC,cAAcC,UAAUsB,iBAAiB,EAAE;YACvD;YAEA,4CAA4C;YAC5C,IAAI,CAAC8B,OAAOC,MAAM,CAACjD,UAAUkD,QAAQ,CAACL,QAAQX,IAAI,GAAG;gBACnD,MAAM,IAAIvC,cAAcC,UAAUsB,iBAAiB,EAAE,CAAC,cAAc,EAAE2B,QAAQX,IAAI,EAAE;YACtF;YAEA,OAAO;gBACLF,QAAQa,QAAQb,MAAM;gBACtBC,UAAUY,QAAQZ,QAAQ;gBAC1BC,MAAMW,QAAQX,IAAI;gBAClBC,OAAOU,QAAQV,KAAK;gBACpBgB,UAAUN,QAAQO,GAAG,IAAIC,KAAKC,KAAK,CAACC,KAAKC,GAAG,KAAK;gBACjDC,WAAWZ,QAAQa,GAAG,IAAIL,KAAKC,KAAK,CAACC,KAAKC,GAAG,KAAK,QAAQ,IAAI,CAACnD,sBAAsB;YACvF;QACF,EAAE,OAAOsD,OAAO;YACd,IAAIA,iBAAiBhE,eAAe;gBAClC,MAAMgE;YACR;YAEA,IAAIA,iBAAiB7D,IAAI8D,iBAAiB,EAAE;gBAC1C,MAAM,IAAIjE,cACRC,UAAUsB,iBAAiB,EAC3B,oCACA;oBAAE2C,WAAWF,MAAME,SAAS,EAAEC;gBAAc,GAC5CH;YAEJ;YAEA,IAAIA,iBAAiB7D,IAAIiE,iBAAiB,EAAE;gBAC1C,MAAM,IAAIpE,cAAcC,UAAUsB,iBAAiB,EAAE,gCAAgC,CAAC,GAAGyC;YAC3F;YAEA,MAAM,IAAIhE,cAAcC,UAAUsB,iBAAiB,EAAE,2BAA2B,CAAC,GAAGyC;QACtF;IACF;IAEA;;;;;GAKC,GACDK,gBAAgBC,SAAiB,EAAEC,WAAwB,EAAQ;QACjE,IAAI,CAAC5D,QAAQ,CAAC6D,GAAG,CAACF,WAAW;YAAE,GAAGC,WAAW;YAAED;QAAU;QACzDlE,OAAO+B,KAAK,CAAC,sBAAsB;YAAEmC;YAAWjC,QAAQkC,YAAYlC,MAAM;QAAC;IAC7E;IAEA;;;;;;GAMC,GACDoC,gBAAgBH,SAAiB,EAAe;QAC9C,MAAMI,UAAU,IAAI,CAAC/D,QAAQ,CAACgE,GAAG,CAACL;QAElC,IAAI,CAACI,SAAS;YACZ,MAAM,IAAI1E,cAAcC,UAAUsB,iBAAiB,EAAE;QACvD;QAEA,+BAA+B;QAC/B,IAAImD,QAAQZ,SAAS,GAAGJ,KAAKC,KAAK,CAACC,KAAKC,GAAG,KAAK,OAAO;YACrD,IAAI,CAAClD,QAAQ,CAACiE,MAAM,CAACN;YACrB,MAAM,IAAItE,cAAcC,UAAUsB,iBAAiB,EAAE;QACvD;QAEA,OAAOmD;IACT;IAEA;;;;GAIC,GACDG,kBAAkBP,SAAiB,EAAQ;QACzC,IAAI,CAAC3D,QAAQ,CAACiE,MAAM,CAACN;QACrBlE,OAAO+B,KAAK,CAAC,uBAAuB;YAAEmC;QAAU;IAClD;IAEA;;;;;;GAMC,GACDQ,mBAAmBC,UAAmB,EAAET,SAAkB,EAAe;QACvE,sBAAsB;QACtB,IAAIS,YAAY;YACd,OAAO,IAAI,CAAClC,aAAa,CAACkC;QAC5B;QAEA,sBAAsB;QACtB,IAAIT,WAAW;YACb,OAAO,IAAI,CAACG,eAAe,CAACH;QAC9B;QAEA,MAAM,IAAItE,cACRC,UAAUsB,iBAAiB,EAC3B;IAEJ;AACF;AAEA;;CAEC,GACD,OAAO,MAAMyD;IACHC,eAA+B;IAEvC,YAAYA,cAA8B,CAAE;QAC1C,IAAI,CAACA,cAAc,GAAGA;IACxB;IAEA;;;;;;GAMC,GACDC,cAAcX,WAAwB,EAAEY,SAA6B,EAAW;QAC9E,MAAMC,oBAAoB7E,gBAAgB,CAACgE,YAAYhC,IAAI,CAAC;QAC5D,OAAO6C,kBAAkB7B,QAAQ,CAAC4B;IACpC;IAEA;;;;;;;GAOC,GACDE,kBAAkBd,WAAwB,EAAEY,SAA6B,EAAEG,OAAgB,EAAQ;QACjG,IAAI,CAAC,IAAI,CAACJ,aAAa,CAACX,aAAaY,YAAY;YAC/C/E,OAAOmF,IAAI,CAAC,wBAAwB;gBAClClD,QAAQkC,YAAYlC,MAAM;gBAC1BE,MAAMgC,YAAYhC,IAAI;gBACtB4C;gBACAG;YACF;YAEA,MAAM,IAAItF,cACRC,UAAUsB,iBAAiB,EAC3B,CAAC,oDAAoD,EAAE4D,WAAW,EAClE;gBACE9C,QAAQkC,YAAYlC,MAAM;gBAC1BE,MAAMgC,YAAYhC,IAAI;gBACtB4C;gBACAG;gBACAF,mBAAmB7E,gBAAgB,CAACgE,YAAYhC,IAAI,CAAC;YACvD;QAEJ;QAEAnC,OAAO+B,KAAK,CAAC,yBAAyB;YACpCE,QAAQkC,YAAYlC,MAAM;YAC1BE,MAAMgC,YAAYhC,IAAI;YACtB4C;YACAG;QACF;IACF;IAEA;;;;;GAKC,GACDE,qBAAqBjD,IAAc,EAAwB;QACzD,OAAOhC,gBAAgB,CAACgC,KAAK;IAC/B;AACF;AAEA;;;CAGC,GACD,OAAO,SAASkD,kBAAkBN,SAA6B;IAC7D,OAAO,SAAUO,MAAW,EAAEC,WAAmB,EAAEC,UAA8B;QAC/E,MAAMC,iBAAiBD,WAAWE,KAAK;QAEvCF,WAAWE,KAAK,GAAG,eAA2B,GAAGC,IAAW;YAC1D,mDAAmD;YACnD,IAAI,CAAC,IAAI,CAACxB,WAAW,EAAE;gBACrB,MAAM,IAAIvE,cACRC,UAAUsB,iBAAiB,EAC3B;YAEJ;YAEA,IAAI,CAAC,IAAI,CAACyE,YAAY,EAAE;gBACtB,MAAM,IAAIhG,cACRC,UAAUsB,iBAAiB,EAC3B;YAEJ;YAEA,MAAM+D,UAAUS,IAAI,CAAC,EAAE,EAAET,WAAWS,IAAI,CAAC,EAAE,EAAET;YAC7C,IAAI,CAACU,YAAY,CAACX,iBAAiB,CAAC,IAAI,CAACd,WAAW,EAAEY,WAAWG;YAEjE,OAAOO,eAAeI,KAAK,CAAC,IAAI,EAAEF;QACpC;QAEA,OAAOH;IACT;AACF;AAEA,eAAepF,eAAe"}