defense-mcp-server 0.9.3 → 0.9.4

package/build/core/metrics.d.ts

@@ -1,74 +0,0 @@
-/**
- * metrics.ts — In-process metrics collection for observability.
- *
- * Collects tool invocation counts, error rates, and latency histograms
- * in memory. Exposes a `getMetrics()` function that returns a snapshot
- * for reporting via the `defense_mgmt` tool or external monitoring.
- *
- * **Design**: No external dependencies. Metrics are collected in a
- * simple Map structure and can be serialized to JSON. A future
- * Prometheus-compatible endpoint can be added without changing the
- * collection API.
- *
- * Environment:
- *   DEFENSE_MCP_METRICS=true   Enable metrics collection (default: true)
- *
- * @module metrics
- */
-/** Metrics snapshot for a single tool. */
-export interface ToolMetrics {
-    /** Tool name (e.g., "firewall", "harden_host") */
-    toolName: string;
-    /** Total invocations */
-    invocations: number;
-    /** Total errors (non-zero exit codes) */
-    errors: number;
-    /** Total rate-limiter rejections */
-    rateLimitHits: number;
-    /** Minimum latency in ms */
-    minLatencyMs: number;
-    /** Maximum latency in ms */
-    maxLatencyMs: number;
-    /** Sum of all latencies (for computing average) */
-    totalLatencyMs: number;
-    /** Last invocation timestamp (ISO 8601) */
-    lastInvoked: string | null;
-}
-/** Complete metrics snapshot. */
-export interface MetricsSnapshot {
-    /** ISO 8601 timestamp when this snapshot was taken */
-    timestamp: string;
-    /** Server uptime in seconds */
-    uptimeSeconds: number;
-    /** Total tool invocations across all tools */
-    totalInvocations: number;
-    /** Total errors across all tools */
-    totalErrors: number;
-    /** Per-tool metrics */
-    tools: ToolMetrics[];
-}
-/**
- * Record a tool invocation.
- *
- * @param toolName   - The tool that was invoked
- * @param durationMs - Wall-clock duration of the invocation in milliseconds
- * @param isError    - Whether the invocation resulted in an error
- */
-export declare function recordInvocation(toolName: string, durationMs: number, isError: boolean): void;
-/**
- * Record a rate-limiter rejection for a tool.
- *
- * @param toolName - The tool that was rate-limited
- */
-export declare function recordRateLimitHit(toolName: string): void;
-/**
- * Get a complete metrics snapshot.
- *
- * @returns MetricsSnapshot with per-tool breakdown
- */
-export declare function getMetrics(): MetricsSnapshot;
-/**
- * Reset all metrics. Primarily used in tests.
- */
-export declare function resetMetrics(): void;
-//# sourceMappingURL=metrics.d.ts.map

package/build/core/metrics.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"metrics.d.ts","sourceRoot":"","sources":["../../src/core/metrics.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,0CAA0C;AAC1C,MAAM,WAAW,WAAW;IAC1B,kDAAkD;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,yCAAyC;IACzC,MAAM,EAAE,MAAM,CAAC;IACf,oCAAoC;IACpC,aAAa,EAAE,MAAM,CAAC;IACtB,4BAA4B;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,4BAA4B;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,2CAA2C;IAC3C,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,iCAAiC;AACjC,MAAM,WAAW,eAAe;IAC9B,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,+BAA+B;IAC/B,aAAa,EAAE,MAAM,CAAC;IACtB,8CAA8C;IAC9C,gBAAgB,EAAE,MAAM,CAAC;IACzB,oCAAoC;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,KAAK,EAAE,WAAW,EAAE,CAAC;CACtB;AA2BD;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,OAAO,GACf,IAAI,CAYN;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAGzD;AAED;;;;GAIG;AACH,wBAAgB,UAAU,IAAI,eAAe,CAiB5C;AAED;;GAEG;AACH,wBAAgB,YAAY,IAAI,IAAI,CAEnC"}

package/build/core/metrics.js

@@ -1,97 +0,0 @@
-/**
- * metrics.ts — In-process metrics collection for observability.
- *
- * Collects tool invocation counts, error rates, and latency histograms
- * in memory. Exposes a `getMetrics()` function that returns a snapshot
- * for reporting via the `defense_mgmt` tool or external monitoring.
- *
- * **Design**: No external dependencies. Metrics are collected in a
- * simple Map structure and can be serialized to JSON. A future
- * Prometheus-compatible endpoint can be added without changing the
- * collection API.
- *
- * Environment:
- *   DEFENSE_MCP_METRICS=true   Enable metrics collection (default: true)
- *
- * @module metrics
- */
-// ── Metrics Collector ────────────────────────────────────────────────────────
-const enabled = process.env.DEFENSE_MCP_METRICS !== "false";
-const startTime = Date.now();
-const toolMetrics = new Map();
-/** Get or create a metrics entry for a tool. */
-function getOrCreate(toolName) {
-    let entry = toolMetrics.get(toolName);
-    if (!entry) {
-        entry = {
-            toolName,
-            invocations: 0,
-            errors: 0,
-            rateLimitHits: 0,
-            minLatencyMs: Infinity,
-            maxLatencyMs: 0,
-            totalLatencyMs: 0,
-            lastInvoked: null,
-        };
-        toolMetrics.set(toolName, entry);
-    }
-    return entry;
-}
-/**
- * Record a tool invocation.
- *
- * @param toolName   - The tool that was invoked
- * @param durationMs - Wall-clock duration of the invocation in milliseconds
- * @param isError    - Whether the invocation resulted in an error
- */
-export function recordInvocation(toolName, durationMs, isError) {
-    if (!enabled)
-        return;
-    const entry = getOrCreate(toolName);
-    entry.invocations++;
-    entry.totalLatencyMs += durationMs;
-    entry.lastInvoked = new Date().toISOString();
-    if (durationMs < entry.minLatencyMs)
-        entry.minLatencyMs = durationMs;
-    if (durationMs > entry.maxLatencyMs)
-        entry.maxLatencyMs = durationMs;
-    if (isError)
-        entry.errors++;
-}
-/**
- * Record a rate-limiter rejection for a tool.
- *
- * @param toolName - The tool that was rate-limited
- */
-export function recordRateLimitHit(toolName) {
-    if (!enabled)
-        return;
-    getOrCreate(toolName).rateLimitHits++;
-}
-/**
- * Get a complete metrics snapshot.
- *
- * @returns MetricsSnapshot with per-tool breakdown
- */
-export function getMetrics() {
-    const tools = Array.from(toolMetrics.values()).map((t) => ({
-        ...t,
-        // Replace Infinity with 0 for tools that haven't been invoked
-        minLatencyMs: t.minLatencyMs === Infinity ? 0 : t.minLatencyMs,
-    }));
-    const totalInvocations = tools.reduce((sum, t) => sum + t.invocations, 0);
-    const totalErrors = tools.reduce((sum, t) => sum + t.errors, 0);
-    return {
-        timestamp: new Date().toISOString(),
-        uptimeSeconds: Math.floor((Date.now() - startTime) / 1000),
-        totalInvocations,
-        totalErrors,
-        tools,
-    };
-}
-/**
- * Reset all metrics. Primarily used in tests.
- */
-export function resetMetrics() {
-    toolMetrics.clear();
-}

package/build/core/output-redactor.d.ts

@@ -1,26 +0,0 @@
-/**
- * output-redactor.ts — Post-execution output sanitization.
- *
- * Scans command stdout/stderr for sensitive data patterns and replaces
- * them with [REDACTED] before returning results to the LLM.
- *
- * SECURITY: Over-redacting is preferred to under-redacting.
- *
- * @module output-redactor
- */
-export interface RedactionResult {
-    /** The sanitized text */
-    text: string;
-    /** Number of redactions applied */
-    redactionCount: number;
-    /** Labels of patterns that matched */
-    matchedPatterns: string[];
-}
-/**
- * Redact sensitive data from command output.
- *
- * @param text - Raw stdout or stderr text
- * @returns Sanitized text with redaction metadata
- */
-export declare function redactOutput(text: string): RedactionResult;
-//# sourceMappingURL=output-redactor.d.ts.map

package/build/core/output-redactor.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"output-redactor.d.ts","sourceRoot":"","sources":["../../src/core/output-redactor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAmFH,MAAM,WAAW,eAAe;IAC9B,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,sCAAsC;IACtC,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CAmB1D"}

package/build/core/pam-utils.d.ts

@@ -1,356 +0,0 @@
-/**
- * PAM configuration parser, serializer, validator, and file I/O manager.
- *
- * Replaces fragile sed-based PAM manipulation with safe in-memory operations:
- *   1. Parse PAM config into structured records
- *   2. Manipulate records (insert, remove, reorder)
- *   3. Serialize back with correct formatting
- *   4. Validate before writing
- *   5. Write atomically with mandatory backup and auto-rollback
- *
- * @see docs/PAM-HARDENING-FIX.md for architecture details
- */
-import { type BackupEntry } from "./backup-manager.js";
-/** A PAM rule line: type control module [args...] */
-export interface PamRule {
-    kind: "rule";
-    /** PAM type: auth, account, password, session (optionally prefixed with -) */
-    pamType: string;
-    /** Control flag: required, requisite, sufficient, optional, or [value=action ...] */
-    control: string;
-    /** Module path/name: pam_unix.so, pam_faillock.so, etc. */
-    module: string;
-    /** Module arguments: nullok, silent, deny=5, etc. */
-    args: string[];
-    /** Original raw text (preserved for round-trip fidelity). */
-    rawLine: string;
-}
-/** A comment line (starts with #). */
-export interface PamComment {
-    kind: "comment";
-    text: string;
-}
-/** A blank/empty line. */
-export interface PamBlank {
-    kind: "blank";
-}
-/** An @include directive. */
-export interface PamInclude {
-    kind: "include";
-    target: string;
-    rawLine: string;
-}
-/** Union of all PAM line types. */
-export type PamLine = PamRule | PamComment | PamBlank | PamInclude;
-/** Thrown when PAM config validation fails. */
-export declare class PamValidationError extends Error {
-    readonly errors: string[];
-    readonly filePath?: string | undefined;
-    constructor(errors: string[], filePath?: string | undefined);
-}
-/** Thrown when PAM file write fails or post-write validation fails. */
-export declare class PamWriteError extends Error {
-    readonly filePath: string;
-    readonly backupId?: string | undefined;
-    constructor(message: string, filePath: string, backupId?: string | undefined);
-}
-/**
- * Parse PAM config file content into structured records.
- *
- * Handles:
- * - Standard rules: auth required pam_unix.so nullok
- * - Complex controls: auth [success=1 default=ignore] pam_unix.so
- * - Comments: # This is a comment
- * - Blank lines: (preserved for formatting fidelity)
- * - Include directives: @include common-auth
- *
- * **Critical**: The parser is **lossless**. Every line in the input appears
- * in the output array. Unknown/unparseable lines are preserved as comments
- * to prevent silent data loss.
- *
- * @param content - Raw PAM config file text
- * @returns Array of PamLine records in file order
- */
-export declare function parsePamConfig(content: string): PamLine[];
-/**
- * Serialize structured PAM records back to file content.
- *
- * For PamRule records, generates lines with consistent formatting:
- *   - Fields separated by 4-space padding
- *   - Module args separated by single spaces
- *
- * For PamComment, PamBlank, and PamInclude records, the original
- * raw text is emitted unchanged (round-trip preservation).
- *
- * @param lines - Array of PamLine records
- * @returns PAM config file content string (with trailing newline)
- */
-export declare function serializePamConfig(lines: PamLine[]): string;
-/**
- * Validate PAM config for syntactic correctness.
- *
- * Checks:
- * 1. Every PamRule has a valid pamType, non-empty control, and module ending in .so
- * 2. At least one pam_unix.so rule exists (sanity check — PAM needs it)
- * 3. No lines have concatenated fields (the bug that caused the lockout)
- *
- * Does NOT check:
- * - Whether .so files exist on disk
- * - Semantic correctness of control flags
- *
- * @param lines - Parsed PamLine array
- * @returns Validation result with error details
- */
-export declare function validatePamConfig(lines: PamLine[]): {
-    valid: boolean;
-    errors: string[];
-};
-/**
- * Validate raw PAM config content string.
- *
- * Convenience wrapper that parses then validates.
- *
- * @param content - Raw PAM config file text
- * @returns Validation result
- */
-export declare function validatePamConfigContent(content: string): {
-    valid: boolean;
-    errors: string[];
-};
-/**
- * Create a new PamRule record.
- *
- * @param pamType - PAM type (auth, account, password, session)
- * @param control - Control flag (required, requisite, [success=1 default=ignore], etc.)
- * @param module - Module name (pam_faillock.so, pam_unix.so, etc.)
- * @param args - Module arguments
- * @returns New PamRule with generated rawLine
- */
-export declare function createPamRule(pamType: string, control: string, module: string, args: string[]): PamRule;
-/**
- * Remove all rules referencing a specific module.
- *
- * @param lines - Current PamLine array
- * @param moduleName - Module to remove (e.g., "pam_faillock.so")
- * @returns New array with matching rules removed
- */
-export declare function removeModuleRules(lines: PamLine[], moduleName: string): PamLine[];
-/**
- * Insert a new rule BEFORE the first rule matching targetModule.
- * If targetModule is not found, appends at the end.
- *
- * @param lines - Current PamLine array
- * @param targetModule - Module to insert before (e.g., "pam_unix.so")
- * @param newRule - The rule to insert
- * @param options - Optional filters: pamType restricts match to specific PAM type
- * @returns New array with the rule inserted
- */
-export declare function insertBeforeModule(lines: PamLine[], targetModule: string, newRule: PamRule, options?: {
-    pamType?: string;
-}): PamLine[];
-/**
- * Insert a new rule AFTER the first rule matching targetModule.
- * If targetModule is not found, appends at the end.
- *
- * @param lines - Current PamLine array
- * @param targetModule - Module to insert after (e.g., "pam_unix.so")
- * @param newRule - The rule to insert
- * @param options - Optional filters: pamType restricts match to specific PAM type
- * @returns New array with the rule inserted
- */
-export declare function insertAfterModule(lines: PamLine[], targetModule: string, newRule: PamRule, options?: {
-    pamType?: string;
-}): PamLine[];
-/**
- * Find all rules referencing a specific module.
- *
- * @param lines - PamLine array to search
- * @param moduleName - Module to find (e.g., "pam_faillock.so")
- * @returns Array of matching PamRule records
- */
-export declare function findModuleRules(lines: PamLine[], moduleName: string): PamRule[];
-/**
- * After inserting rules, adjust [success=N] jump counts on any rule
- * that uses bracket-style controls with a success=N pattern.
- *
- * For each rule with [success=N ...], count how many rules now exist
- * between that rule and pam_deny.so (requisite), and update N so that
- * success still jumps PAST pam_deny.so.
- *
- * @param lines - PamLine array (typically after insertions)
- * @returns New array with corrected jump counts
- */
-export declare function adjustJumpCounts(lines: PamLine[]): PamLine[];
-/**
- * Read a PAM config file via sudo.
- *
- * @param filePath - Absolute path (e.g., /etc/pam.d/common-auth)
- * @returns File content string
- * @throws If sudo cat fails
- */
-export declare function readPamFile(filePath: string): Promise<string>;
-/**
- * Write a PAM config file via sudo, with mandatory pre-write validation.
- *
- * Steps:
- * 1. Parse the content with parsePamConfig()
- * 2. Validate with validatePamConfig() — if invalid, throw (never write bad content)
- * 3. Write to a secure temp directory (mkdtempSync — eliminates symlink race)
- * 4. Use `sudo install -m 644 -o root -g root` for atomic write (eliminates partial-write state)
- * 5. Post-write verification
- *
- * @param filePath - Absolute path
- * @param content - PAM config content to write
- * @throws PamValidationError if pre-write validation fails
- * @throws PamWriteError if write or permission setting fails
- */
-export declare function writePamFile(filePath: string, content: string): Promise<void>;
-/**
- * Backup a PAM file using the project BackupManager.
- *
- * Since PAM files are root-owned, this:
- * 1. Reads content via sudo cat
- * 2. Writes to a secure temp directory (eliminates symlink race)
- * 3. Uses BackupManager.backupSync() to create a tracked backup
- * 4. Returns a new object (does NOT mutate BackupManager's internal entry)
- * 5. Cleans up the temp file/directory
- *
- * @param filePath - PAM file to backup
- * @returns BackupEntry for later restore (with corrected originalPath)
- */
-export declare function backupPamFile(filePath: string): Promise<BackupEntry>;
-/**
- * Restore a PAM file from backup.
- *
- * 1. Reads backup content from BackupManager's directory
- * 2. Validates the backup content (refuse to restore garbage)
- * 3. Writes to a secure temp file, then uses `sudo install` (eliminates tee stdout leak)
- *
- * @param backupEntry - The BackupEntry from backupPamFile()
- * @throws If backup file is missing, invalid, or restore fails
- */
-export declare function restorePamFile(backupEntry: BackupEntry): Promise<void>;
-/** A single finding from PAM policy sanity validation. */
-export interface PamSanityFinding {
-    /** warning = proceed with caution; critical = blocks operation unless forced */
-    severity: "warning" | "critical";
-    /** Which module the finding relates to */
-    module: "pam_faillock.so" | "pam_pwquality.so" | "general";
-    /** The specific parameter that triggered the finding, if applicable */
-    parameter?: string;
-    /** The problematic value */
-    value?: string | number;
-    /** Human-readable description of the problem */
-    message: string;
-    /** What the user should do instead */
-    recommendation: string;
-}
-/** Result of PAM policy sanity validation. */
-export interface PamSanityResult {
-    /** true if no critical findings exist */
-    safe: boolean;
-    /** All findings, ordered by severity then module */
-    findings: PamSanityFinding[];
-    /** Count of critical-severity findings */
-    criticalCount: number;
-    /** Count of warning-severity findings */
-    warningCount: number;
-}
-/**
- * Thresholds for PAM policy sanity checks.
- * These define what constitutes "sane" vs "dangerous" PAM policy values.
- * Tuned to prevent lockouts while allowing reasonable security hardening.
- */
-export declare const PAM_SANITY_THRESHOLDS: {
-    readonly faillock: {
-        /** deny below this triggers critical — too few attempts before lockout */
-        readonly minDeny: 3;
-        /** unlock_time above this triggers warning — extended lockout */
-        readonly maxUnlockTimeWarn: 1800;
-        /** unlock_time above this triggers critical — extreme lockout */
-        readonly maxUnlockTimeCritical: 86400;
-        /** fail_interval below this triggers warning — unusually short window */
-        readonly minFailInterval: 60;
-    };
-    readonly pwquality: {
-        /** minlen above this triggers warning — unusually long */
-        readonly maxMinlenWarn: 24;
-        /** minlen above this triggers critical — unreasonably long */
-        readonly maxMinlenCritical: 64;
-        /** retry below this triggers critical — no second chance */
-        readonly minRetry: 2;
-        /** Combined credit threshold: all credits at this or below with high minlen */
-        readonly restrictiveCreditThreshold: -2;
-    };
-};
-/**
- * Validate faillock parameters for policy sanity.
- *
- * Checks for overly restrictive settings that could cause lockouts:
- * - deny too low (typos cause lockout)
- * - unlock_time too high or zero (extended/permanent lockout)
- * - deny + unlock_time=0 combination (permanent lock on typos)
- * - fail_interval too short
- *
- * @param params - Faillock parameters to validate
- * @returns Array of sanity findings (empty = all sane)
- */
-export declare function validateFaillockParams(params: {
-    deny?: number;
-    unlock_time?: number;
-    fail_interval?: number;
-}): PamSanityFinding[];
-/**
- * Validate pwquality parameters for policy sanity.
- *
- * Checks for overly restrictive settings that prevent password creation:
- * - minlen too high
- * - retry too low (no second chance)
- * - All character class requirements simultaneously very strict
- *
- * @param params - Pwquality parameters to validate
- * @returns Array of sanity findings (empty = all sane)
- */
-export declare function validatePwqualityParams(params: {
-    minlen?: number;
-    dcredit?: number;
-    ucredit?: number;
-    lcredit?: number;
-    ocredit?: number;
-    minclass?: number;
-    maxrepeat?: number;
-    retry?: number;
-}): PamSanityFinding[];
-/**
- * Validate a PAM config structure for dangerous patterns.
- *
- * Checks the resulting PamLine[] after manipulation for patterns
- * that would break authentication:
- * - pam_deny.so as first auth rule (blocks all auth)
- * - Missing pam_unix.so in auth stack
- * - Incomplete faillock setup (preauth without authfail or vice versa)
- * - Missing pam_permit.so in session stack
- *
- * @param lines - Parsed PAM config lines (after manipulation)
- * @returns Array of sanity findings
- */
-export declare function validatePamConfigSanity(lines: PamLine[]): PamSanityFinding[];
-/**
- * Validate PAM policy sanity — combined parameter + config check.
- *
- * This is the main entry point for sanity validation. It runs:
- * 1. Module-specific parameter checks (if module + params provided)
- * 2. Config structure checks (if lines provided)
- *
- * @param options - What to validate
- * @returns Combined sanity result with safe flag and all findings
- */
-export declare function validatePamPolicySanity(options: {
-    /** Which PAM module is being configured */
-    module?: "faillock" | "pwquality";
-    /** Module parameters being applied */
-    params?: Record<string, unknown>;
-    /** Resulting PAM config lines (after manipulation) */
-    lines?: PamLine[];
-}): PamSanityResult;
-//# sourceMappingURL=pam-utils.d.ts.map

package/build/core/pam-utils.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"pam-utils.d.ts","sourceRoot":"","sources":["../../src/core/pam-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH,OAAO,EAAiB,KAAK,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAKtE,qDAAqD;AACrD,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,8EAA8E;IAC9E,OAAO,EAAE,MAAM,CAAC;IAChB,qFAAqF;IACrF,OAAO,EAAE,MAAM,CAAC;IAChB,2DAA2D;IAC3D,MAAM,EAAE,MAAM,CAAC;IACf,qDAAqD;IACrD,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,6DAA6D;IAC7D,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,sCAAsC;AACtC,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,0BAA0B;AAC1B,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,OAAO,CAAC;CACf;AAED,6BAA6B;AAC7B,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,mCAAmC;AACnC,MAAM,MAAM,OAAO,GAAG,OAAO,GAAG,UAAU,GAAG,QAAQ,GAAG,UAAU,CAAC;AAInE,+CAA+C;AAC/C,qBAAa,kBAAmB,SAAQ,KAAK;aAEzB,MAAM,EAAE,MAAM,EAAE;aAChB,QAAQ,CAAC,EAAE,MAAM;gBADjB,MAAM,EAAE,MAAM,EAAE,EAChB,QAAQ,CAAC,EAAE,MAAM,YAAA;CAOpC;AAED,uEAAuE;AACvE,qBAAa,aAAc,SAAQ,KAAK;aAGpB,QAAQ,EAAE,MAAM;aAChB,QAAQ,CAAC,EAAE,MAAM;gBAFjC,OAAO,EAAE,MAAM,EACC,QAAQ,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,MAAM,YAAA;CAKpC;AA+BD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,EAAE,CA2CzD;AAqDD;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,MAAM,CAyB3D;AAID;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,OAAO,EAAE,GACf;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CA0FtC;AAED;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,GACd;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAGtC;AAID;;;;;;;;GAQG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EAAE,GACb,OAAO,CAWT;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,OAAO,EAAE,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,EAAE,CAIX;AAED;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,OAAO,EAAE,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7B,OAAO,EAAE,CAgBX;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,OAAO,EAAE,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7B,OAAO,EAAE,CAgBX;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,OAAO,EAAE,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,EAAE,CAKX;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,OAAO,EAAE,CA2D5D;AAID;;;;;;GAMG;AACH,wBAAsB,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAcnE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC,CAqDf;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,WAAW,CAAC,CAyCtB;AAED;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,WAAW,EAAE,WAAW,GACvB,OAAO,CAAC,IAAI,CAAC,CAqDf;AAID,0DAA0D;AAC1D,MAAM,WAAW,gBAAgB;IAC/B,gFAAgF;IAChF,QAAQ,EAAE,SAAS,GAAG,UAAU,CAAC;IACjC,0CAA0C;IAC1C,MAAM,EAAE,iBAAiB,GAAG,kBAAkB,GAAG,SAAS,CAAC;IAC3D,uEAAuE;IACvE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4BAA4B;IAC5B,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,gDAAgD;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,sCAAsC;IACtC,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,8CAA8C;AAC9C,MAAM,WAAW,eAAe;IAC9B,yCAAyC;IACzC,IAAI,EAAE,OAAO,CAAC;IACd,oDAAoD;IACpD,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC7B,0CAA0C;IAC1C,aAAa,EAAE,MAAM,CAAC;IACtB,yCAAyC;IACzC,YAAY,EAAE,MAAM,CAAC;CACtB;AAID;;;;GAIG;AACH,eAAO,MAAM,qBAAqB;;QAE9B,0EAA0E;;QAE1E,iEAAiE;;QAEjE,iEAAiE;;QAEjE,yEAAyE;;;;QAIzE,0DAA0D;;QAE1D,8DAA8D;;QAE9D,4DAA4D;;QAE5D,+EAA+E;;;CAGzE,CAAC;AAIX;;;;;;;;;;;GAWG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE;IAC7C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,GAAG,gBAAgB,EAAE,CAgErB;AAID;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE;IAC9C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,gBAAgB,EAAE,CA2ErB;AAID;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,gBAAgB,EAAE,CAoE5E;AAID;;;;;;;;;GASG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE;IAC/C,2CAA2C;IAC3C,MAAM,CAAC,EAAE,UAAU,GAAG,WAAW,CAAC;IAClC,sCAAsC;IACtC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,sDAAsD;IACtD,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC;CACnB,GAAG,eAAe,CAmDlB"}