dexe-mcp 0.8.2 → 0.9.0

package/CHANGELOG.md

@@ -1,5 +1,109 @@
 # Changelog
 
+## 0.9.0 — 2026-06-02
+
+### Security hardening (red-team audit remediation)
+
+Remediates the `dexe-mcp@0.7.2` red-team audit. The 1 CRITICAL (C-2) was guarded
+in 0.8.3; this release closes the MCP-fixable HIGH/MEDIUM/LOW findings. Each fix
+shipped as its own PR with a locking regression test, CI green throughout.
+
+#### Fixed — builders & numeric safety
+- **H-8 / H-9** — amount/id fields are validated (`^[0-9]+$`) before `BigInt()`
+  (`src/lib/amount.ts`), so empty/hex/negative values no longer silently
+  mis-encode; documented the on-chain `from18Safe` 18-decimal normalization on
+  the token-sale `buy` builders.
+- **H-4** — `apply_to_dao`'s short-treasury branch transfers what the treasury
+  holds (not the full amount) and mints the shortfall, so the proposal no longer
+  reverts on execution.
+- **H-10** — tier `vestingPercentage` is scaled by `PRECISION` (×1e25); raw
+  values no longer silently disable vesting, and out-of-`[0,100]` is rejected.
+- **W29** — OTC `buyer_buy` approves the exact amount, never `MAX_UINT256`.
+- **W39** — `read_staking_info` ABI matches the deployed `IStakingProposal`
+  (9-field `StakingInfoView`, 8-field `TierUserInfo`); a decode mismatch is
+  surfaced, not silently emptied.
+
+#### Fixed — disclosure, decode & data channels
+- **W36** — RPC provider API keys are redacted from tool output and errors
+  (`src/lib/redact.ts`); `get_config` masks the keyed RPC URL.
+- **H-13 / W24** — attacker-controlled on-chain/IPFS strings are sanitized
+  before rendering (`src/lib/sanitize.ts`): control chars escaped, NFKC
+  normalized, non-ASCII flagged — defeats prompt-injection / newline-forgery /
+  homoglyph spoofing.
+- **C-1 (decode-no-recursion)** — `decode_calldata` / `decode_proposal`
+  recursively unwrap nested `multicall` / `createProposal` / … and flag
+  privileged selectors.
+- **W20** — `ipfs_fetch` verifies fetched bytes against the requested CID
+  (raw/json codecs) and rejects a mismatch.
+- **W21 / L-6** — the Graph API key is only sent as a Bearer to trusted
+  `*.thegraph.com` hosts.
+
+#### Fixed — signer, flow & infra
+- **H-12** — broadcasts are serialized per chain (no nonce collision);
+  `tx_status` distinguishes `not_found` from `pending`.
+- **W10** — the composite flow verifies `govPool` against the canonical
+  `PoolRegistry` and approves the exact deposit amount, not `MAX_UINT256`.
+- **H-1 / H-2** — protocol bootstrap runs `npm install --ignore-scripts` and
+  supports pinning the clone via `DEXE_PROTOCOL_REF`.
+- **H-3** — `markdownToSlate` rejects input over a length cap
+  (`DEXE_MAX_DESCRIPTION_LEN`, default 16384) before the super-linear parse.
+- **L-1** — the Safe-TX propose path now applies the B6 (allowlist) + B7
+  (value-cap) guards.
+
+#### Added
+- `dexe_proposal_vote_and_execute` gains a `dryRun` flag (preview without
+  broadcasting), matching `dexe_proposal_create`.
+- Protocol-property advisories (`src/lib/protocolAdvisories.ts`) surfaced in the
+  `change_voting_settings`, `change_math_model`, and `custom_abi` previews.
+- New env vars: `DEXE_PROTOCOL_REF`, `DEXE_MAX_DESCRIPTION_LEN`.
+
+### Docs
+- **`docs/ESCALATION-DEXE.md`** — contract-level findings (C-2, H-11,
+  `executionDelay=0`, `changeVotePower`, PolynomialPower) for the DeXe protocol
+  team, with root cause, contract fix, and MCP mitigation.
+- **`docs/SECURITY.md`** — security posture and remediation summary.
+
+### Notes
+- `list_gov_contract_types` PoolRegistry source path corrected to
+  `contracts/factory/PoolRegistry.sol`.
+- Verified non-bugs (no change): H-5 (`cap=0` already guarded as uncapped),
+  H-7 (the `uniswap.json` timelock is the correct Uniswap Timelock).
+- Tool surface unchanged: still **153 tools across 19 groups**.
+
+## 0.8.3 — 2026-06-01
+
+### Security: guardrail against C-2 (DEFAULT-routing allowlist bypass)
+
+Red-team finding **C-2** (against 0.7.2): a DeXe proposal can drain an arbitrary
+depositor's *unlocked* balance by calling
+`GovUserKeeper.withdrawTokens(payer, receiver, amount)` from a DEFAULT-routed
+proposal that bypasses the `GovPoolCreate` INTERNAL allowlist. The root cause is
+in the **DeXe protocol contracts** (settings keyed on the last action only;
+`withdrawTokens` takes an unbound `payer`) and is **not fixable from the MCP** —
+only a contract upgrade closes it. dexe-mcp was an amplifier: the proposal
+builders encoded the malicious action with zero checks.
+
+### Added
+
+- **`src/lib/dangerousSelectors.ts`** — denylist of the 12 `GovUserKeeper`
+  `onlyOwner` accounting selectors (deposit / withdraw / delegate / undelegate,
+  token + NFT + treasury variants) that must never be a proposal-action target.
+
+### Changed
+
+- **`dexe_proposal_build_custom_abi` and `dexe_proposal_build_external` now
+  hard-refuse** (no override) any action whose calldata carries a denylisted
+  selector. Harm-reduction only — an attacker can still hand-craft calldata; the
+  protocol fix is the real remediation. See
+  `docs/security/C2-default-routing-bypass.md`.
+
+### Notes
+
+- Tool surface unchanged (no tools added/removed) — **153 tools / 19 groups**.
+  Corrected a stale README count: the badge said `149` and the catalog
+  header/group table said `152` (the table was missing `dexe_doctor`). All now
+  read `153`. `docs/TOOLS.md` was already correct at 153.
+
 ## 0.8.2 — 2026-06-01
 
 ### Modify DAO profile — partial-update preservation + isMeta guard

package/README.md

@@ -9,7 +9,7 @@
   <a href="https://nodejs.org"><img alt="node" src="https://img.shields.io/node/v/dexe-mcp.svg?style=flat-square&labelColor=0b0f1e&color=E07AFF"></a>
   <a href="https://github.com/edward-arinin-web-dev/dexe-mcp/blob/main/LICENSE"><img alt="license" src="https://img.shields.io/npm/l/dexe-mcp.svg?style=flat-square&labelColor=0b0f1e&color=FFC878"></a>
   <a href="https://modelcontextprotocol.io"><img alt="MCP-compatible" src="https://img.shields.io/badge/MCP-compatible-9BB4FF?style=flat-square&labelColor=0b0f1e"></a>
-  <a href="https://github.com/edward-arinin-web-dev/dexe-mcp"><img alt="tools" src="https://img.shields.io/badge/tools-149-7CF2D1?style=flat-square&labelColor=0b0f1e"></a>
+  <a href="https://github.com/edward-arinin-web-dev/dexe-mcp"><img alt="tools" src="https://img.shields.io/badge/tools-153-7CF2D1?style=flat-square&labelColor=0b0f1e"></a>
   <a href="https://github.com/edward-arinin-web-dev/dexe-mcp"><img alt="proposal types" src="https://img.shields.io/badge/proposal--types-33-E07AFF?style=flat-square&labelColor=0b0f1e"></a>
 </p>
 
@@ -194,7 +194,7 @@ All optional. Tools that need a missing variable fail with a clear, actionable m
 
 Full docs in [`docs/`](https://github.com/edward-arinin-web-dev/dexe-mcp/tree/main/docs):
 
-- [**`docs/TOOLS.md`**](https://github.com/edward-arinin-web-dev/dexe-mcp/blob/main/docs/TOOLS.md) — complete catalog of all 152 tools, grouped, with one-line descriptions and required envs.
+- [**`docs/TOOLS.md`**](https://github.com/edward-arinin-web-dev/dexe-mcp/blob/main/docs/TOOLS.md) — complete catalog of all 153 tools, grouped, with one-line descriptions and required envs.
 - [**`docs/GOVERNOR.md`**](https://github.com/edward-arinin-web-dev/dexe-mcp/blob/main/docs/GOVERNOR.md) — external OpenZeppelin / Bravo Governor surface (Uniswap, Compound, Optimism). Family branching, fixture map, paste-able JSON examples, Tally parity harness.
 - [**`docs/WALLETCONNECT.md`**](https://github.com/edward-arinin-web-dev/dexe-mcp/blob/main/docs/WALLETCONNECT.md) — `walletconnect` signer mode: phone-approved broadcast with no hot key. Phase A (config) + Phase B (live relay, `dexe_wc_connect` / `dexe_wc_disconnect`, per-tx phone approval) shipped in v0.7.0, validated end-to-end with a live MetaMask-mobile round-trip on BSC testnet.
 - [**`docs/USAGE.md`**](https://github.com/edward-arinin-web-dev/dexe-mcp/blob/main/docs/USAGE.md) — 10 worked examples (deploy DAO, create/vote/execute proposals, delegate, validator chamber, decode calldata, off-chain proposals, multicall batching). Copy-pasteable JSON.
@@ -207,7 +207,7 @@ Full docs in [`docs/`](https://github.com/edward-arinin-web-dev/dexe-mcp/tree/ma
 
 ## Tool catalog
 
-**152 tools, 19 groups.** Run `dexe_proposal_catalog` at runtime for the live proposal-type map. Full per-tool reference → [`docs/TOOLS.md`](https://github.com/edward-arinin-web-dev/dexe-mcp/blob/main/docs/TOOLS.md).
+**153 tools, 19 groups.** Run `dexe_proposal_catalog` at runtime for the live proposal-type map. Full per-tool reference → [`docs/TOOLS.md`](https://github.com/edward-arinin-web-dev/dexe-mcp/blob/main/docs/TOOLS.md).
 
 | Group | # | What it gives you |
 |-------|---|------|
@@ -221,7 +221,7 @@ Full docs in [`docs/`](https://github.com/edward-arinin-web-dev/dexe-mcp/tree/ma
 | **Internal validator wrappers** | 4 | Validator-chamber proposals: `_change_validator_balances`, `_change_validator_settings`, `_monthly_withdraw`, `_offchain_internal_proposal`. |
 | **Off-chain backend** | 8 | Full DeXe-backend integration — nonce + SIWE login, off-chain proposal creation (single-option / multi-option / for-against / settings), off-chain vote + cancel. |
 | **Vote / stake / delegate / execute / claim** | 26 | Every direct EOA write on `GovPool` and `Validators` — deposit, vote, delegate, undelegate, execute, claim rewards, micropool rewards, staking flows, token-sale buy/claim/vesting, distribution claim, NFT multiplier lock/unlock, privacy policy signing, multicall. |
-| **Composite signing flows** | 5 | High-level flows for power users: `_proposal_create`, `_proposal_vote_and_execute`, `_tx_send`, `_tx_status`, `_get_config`. Signing tools opt-in via `DEXE_PRIVATE_KEY`. |
+| **Composite flows + diagnostics** | 6 | High-level flows for power users, plus server self-check: `_proposal_create`, `_proposal_vote_and_execute`, `_tx_send`, `_tx_status`, `_get_config`, `_doctor`. Signing tools opt-in via `DEXE_PRIVATE_KEY`. |
 | **Subgraph reads** | 7 | The Graph queries: DAO list, members, experts, validator list, user activity, delegation map, OTC sale tiers. Decentralized-network endpoints + RPC fallback. |
 | **Merkle utility** | 2 | `dexe_merkle_build`, `dexe_merkle_proof` — OZ `StandardMerkleTree`-compatible. For whitelisted sales and airdrops. |
 | **OTC composites** | 4 | Full project-owner + buyer flows over `TokenSaleProposal`: open multi-tier sale, check buyer status, buy native or with merkle proof, claim vested payouts. See [`docs/OTC.md`](https://github.com/edward-arinin-web-dev/dexe-mcp/blob/main/docs/OTC.md). |
@@ -296,6 +296,7 @@ Supply-chain hardening is enforced in CI. See [SECURITY.md](SECURITY.md) for the
 - **npm provenance.** Releases publish with `npm publish --provenance`; verify with `npm audit signatures` against an installed copy.
 - **Reproducible installs.** A `verify-lockfile` CI job installs strictly from the committed `package-lock.json` and fails on any drift.
 - **Continuous scanning.** CodeQL (SAST) runs on every PR and weekly; OSSF Scorecard runs weekly and on push to `main`; Dependency Review runs on every PR.
+- **Audit remediation (v0.9.0).** Closes the MCP-fixable findings from an independent red-team audit — numeric-input guards, RPC-key redaction, untrusted-data sanitization, recursive decode, exact-amount approvals, per-chain nonce serialization, IPFS content-hash verification, and an `--ignore-scripts` bootstrap. Contract-level findings are escalated in [`docs/ESCALATION-DEXE.md`](https://github.com/edward-arinin-web-dev/dexe-mcp/blob/main/docs/ESCALATION-DEXE.md); per-finding detail in [`CHANGELOG.md`](https://github.com/edward-arinin-web-dev/dexe-mcp/blob/main/CHANGELOG.md).
 
 ## License
 

package/dist/bootstrap.d.ts

@@ -1,3 +1,17 @@
+/**
+ * Build the `git clone` args. H-1/H-2: when `DEXE_PROTOCOL_REF` is set we pin
+ * the checkout to that branch/tag instead of cloning the floating default-branch
+ * HEAD, so the runtime sources are reproducible and an upstream HEAD move can't
+ * silently change what is compiled and executed via `hardhat.config.js`.
+ */
+export declare function buildCloneArgs(repoUrl: string, dir: string, ref?: string): string[];
+/**
+ * Build the `npm install` args. H-1/H-2: `--ignore-scripts` blocks any
+ * preinstall/postinstall/prepare lifecycle script in the cloned tree (or a
+ * transitive dependency) from executing arbitrary code as the MCP user on the
+ * first build.
+ */
+export declare function buildNpmInstallArgs(prefixArgs: readonly string[]): string[];
 /**
  * Cheap, synchronous resolution of where the DeXe-Protocol checkout *should*
  * live. **Does not** clone or install anything — safe to call at MCP startup.

package/dist/bootstrap.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap.d.ts","sourceRoot":"","sources":["../src/bootstrap.ts"],"names":[],"mappings":"AAqCA;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAI5C;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAO1D;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAiG1E"}
+{"version":3,"file":"bootstrap.d.ts","sourceRoot":"","sources":["../src/bootstrap.ts"],"names":[],"mappings":"AAaA;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAKnF;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,EAAE,CAE3E;AA0BD;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAI5C;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAO1D;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAiG1E"}

package/dist/bootstrap.js

@@ -8,6 +8,28 @@ const execFileAsync = promisify(execFile);
 const REPO_URL = "https://github.com/dexe-network/DeXe-Protocol.git";
 const CACHE_DIR_NAME = "dexe-mcp";
 const CHECKOUT_DIR = "DeXe-Protocol";
+/**
+ * Build the `git clone` args. H-1/H-2: when `DEXE_PROTOCOL_REF` is set we pin
+ * the checkout to that branch/tag instead of cloning the floating default-branch
+ * HEAD, so the runtime sources are reproducible and an upstream HEAD move can't
+ * silently change what is compiled and executed via `hardhat.config.js`.
+ */
+export function buildCloneArgs(repoUrl, dir, ref) {
+    const args = ["clone", "--depth", "1"];
+    if (ref && ref.trim())
+        args.push("--branch", ref.trim());
+    args.push(repoUrl, dir);
+    return args;
+}
+/**
+ * Build the `npm install` args. H-1/H-2: `--ignore-scripts` blocks any
+ * preinstall/postinstall/prepare lifecycle script in the cloned tree (or a
+ * transitive dependency) from executing arbitrary code as the MCP user on the
+ * first build.
+ */
+export function buildNpmInstallArgs(prefixArgs) {
+    return [...prefixArgs, "install", "--ignore-scripts", "--no-audit", "--no-fund"];
+}
 /**
  * Returns the platform-appropriate cache directory for dexe-mcp.
  *
@@ -106,7 +128,7 @@ export async function ensureBuildReady(protocolPath) {
                 log(`Cloning DeXe-Protocol (shallow, ~200 MB) into ${protocolPath} …`);
                 log("This only happens once. Subsequent calls will be instant.");
                 try {
-                    await execFileAsync("git", ["clone", "--depth", "1", REPO_URL, CHECKOUT_DIR], { cwd: cacheDir, windowsHide: true });
+                    await execFileAsync("git", buildCloneArgs(REPO_URL, CHECKOUT_DIR, process.env.DEXE_PROTOCOL_REF), { cwd: cacheDir, windowsHide: true });
                 }
                 catch (err) {
                     const msg = err instanceof Error ? err.message : String(err);
@@ -123,7 +145,7 @@ export async function ensureBuildReady(protocolPath) {
                 if (npm.binDir)
                     log(`Prepending ${npm.binDir} to child PATH for npx/npm resolution`);
                 try {
-                    await execFileAsync(npm.command, [...npm.prefixArgs, "install", "--no-audit", "--no-fund"], {
+                    await execFileAsync(npm.command, buildNpmInstallArgs(npm.prefixArgs), {
                         cwd: protocolPath,
                         windowsHide: true,
                         maxBuffer: 64 * 1024 * 1024,

package/dist/bootstrap.js.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../src/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAChD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAErE,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,QAAQ,GAAG,mDAAmD,CAAC;AACrE,MAAM,cAAc,GAAG,UAAU,CAAC;AAClC,MAAM,YAAY,GAAG,eAAe,CAAC;AAErC;;;;;;GAMG;AACH,SAAS,WAAW;IAClB,MAAM,EAAE,GAAG,QAAQ,EAAE,CAAC;IACtB,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;QACnB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;QAC7E,OAAO,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACpC,CAAC;IACD,IAAI,EAAE,KAAK,QAAQ,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;IAC9D,CAAC;IACD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IACrE,OAAO,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,GAAG,CAAC,GAAW;IACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC;IACxD,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC9B,OAAO,IAAI,CAAC,WAAW,EAAE,EAAE,YAAY,CAAC,CAAC;AAC3C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,YAAoB;IAC/C,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,MAAM,SAAS,GACb,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC;QACnD,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACtD,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC,CAAC;IACtE,OAAO,SAAS,IAAI,cAAc,CAAC;AACrC,CAAC;AAED,yEAAyE;AACzE,sDAAsD;AACtD,IAAI,cAAc,GAAyB,IAAI,CAAC;AAEhD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,YAAoB;IACzD,IAAI,YAAY,CAAC,YAAY,CAAC;QAAE,OAAO;IACvC,IAAI,cAAc;QAAE,OAAO,cAAc,CAAC;IAE1C,cAAc,GAAG,CAAC,KAAK,IAAI,EAAE;QAC3B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC;YAExD,IAAI,QAAQ,EAAE,CAAC;gBACb,iEAAiE;gBACjE,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;oBAC9B,MAAM,IAAI,KAAK,CACb,gCAAgC,YAAY,sCAAsC,CACnF,CAAC;gBACJ,CAAC;gBACD,IACE,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC;oBACpD,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC,EACpD,CAAC;oBACD,MAAM,IAAI,KAAK,CACb,sBAAsB,YAAY,wDAAwD,CAC3F,CAAC;gBACJ,CAAC;gBACD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC,EAAE,CAAC;oBACpD,MAAM,IAAI,KAAK,CACb,sBAAsB,YAAY,qEAAqE,CACxG,CAAC;gBACJ,CAAC;gBACD,OAAO;YACT,CAAC;YAED,sEAAsE;YACtE,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;YAC/B,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;gBAAE,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAEpE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;gBAC5C,IAAI,CAAC,CAAC,MAAM,MAAM,EAAE,CAAC,EAAE,CAAC;oBACtB,MAAM,IAAI,KAAK,CACb,kJAAkJ,CACnJ,CAAC;gBACJ,CAAC;gBACD,GAAG,CAAC,iDAAiD,YAAY,IAAI,CAAC,CAAC;gBACvE,GAAG,CAAC,2DAA2D,CAAC,CAAC;gBACjE,IAAI,CAAC;oBACH,MAAM,aAAa,CACjB,KAAK,EACL,CAAC,OAAO,EAAE,SAAS,EAAE,GAAG,EAAE,QAAQ,EAAE,YAAY,CAAC,EACjD,EAAE,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,CACrC,CAAC;gBACJ,CAAC;gBAAC,OAAO,GAAY,EAAE,CAAC;oBACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;oBAC7D,MAAM,IAAI,KAAK,CACb,8EAA8E,GAAG,EAAE,CACpF,CAAC;gBACJ,CAAC;gBACD,GAAG,CAAC,iBAAiB,CAAC,CAAC;YACzB,CAAC;YAED,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC,EAAE,CAAC;gBACpD,GAAG,CAAC,yFAAyF,CAAC,CAAC;gBAC/F,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;gBACzB,GAAG,CACD,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;oBACvB,CAAC,CAAC,uBAAuB,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;oBAC5C,CAAC,CAAC,SAAS,GAAG,CAAC,OAAO,6BAA6B,CACtD,CAAC;gBACF,IAAI,GAAG,CAAC,MAAM;oBAAE,GAAG,CAAC,cAAc,GAAG,CAAC,MAAM,uCAAuC,CAAC,CAAC;gBACrF,IAAI,CAAC;oBACH,MAAM,aAAa,CACjB,GAAG,CAAC,OAAO,EACX,CAAC,GAAG,GAAG,CAAC,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,WAAW,CAAC,EACzD;wBACE,GAAG,EAAE,YAAY;wBACjB,WAAW,EAAE,IAAI;wBACjB,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;wBAC3B,8DAA8D;wBAC9D,qDAAqD;wBACrD,KAAK,EAAE,GAAG,CAAC,UAAU;wBACrB,GAAG,EAAE,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC;qBACnC,CACF,CAAC;gBACJ,CAAC;gBAAC,OAAO,GAAY,EAAE,CAAC;oBACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;oBAC7D,MAAM,IAAI,KAAK,CACb,iCAAiC,YAAY,KAAK;wBAChD,uEAAuE;wBACvE,+DAA+D,GAAG,EAAE,CACvE,CAAC;gBACJ,CAAC;gBACD,GAAG,CAAC,yBAAyB,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;gBAAS,CAAC;YACT,cAAc,GAAG,IAAI,CAAC;QACxB,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,OAAO,cAAc,CAAC;AACxB,CAAC"}
+{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../src/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAChD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAErE,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,QAAQ,GAAG,mDAAmD,CAAC;AACrE,MAAM,cAAc,GAAG,UAAU,CAAC;AAClC,MAAM,YAAY,GAAG,eAAe,CAAC;AAErC;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe,EAAE,GAAW,EAAE,GAAY;IACvE,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;IACvC,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE;QAAE,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACzD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACxB,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,UAA6B;IAC/D,OAAO,CAAC,GAAG,UAAU,EAAE,SAAS,EAAE,kBAAkB,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;AACnF,CAAC;AAED;;;;;;GAMG;AACH,SAAS,WAAW;IAClB,MAAM,EAAE,GAAG,QAAQ,EAAE,CAAC;IACtB,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;QACnB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;QAC7E,OAAO,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACpC,CAAC;IACD,IAAI,EAAE,KAAK,QAAQ,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;IAC9D,CAAC;IACD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IACrE,OAAO,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,GAAG,CAAC,GAAW;IACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC;IACxD,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC9B,OAAO,IAAI,CAAC,WAAW,EAAE,EAAE,YAAY,CAAC,CAAC;AAC3C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,YAAoB;IAC/C,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,MAAM,SAAS,GACb,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC;QACnD,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACtD,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC,CAAC;IACtE,OAAO,SAAS,IAAI,cAAc,CAAC;AACrC,CAAC;AAED,yEAAyE;AACzE,sDAAsD;AACtD,IAAI,cAAc,GAAyB,IAAI,CAAC;AAEhD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,YAAoB;IACzD,IAAI,YAAY,CAAC,YAAY,CAAC;QAAE,OAAO;IACvC,IAAI,cAAc;QAAE,OAAO,cAAc,CAAC;IAE1C,cAAc,GAAG,CAAC,KAAK,IAAI,EAAE;QAC3B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC;YAExD,IAAI,QAAQ,EAAE,CAAC;gBACb,iEAAiE;gBACjE,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;oBAC9B,MAAM,IAAI,KAAK,CACb,gCAAgC,YAAY,sCAAsC,CACnF,CAAC;gBACJ,CAAC;gBACD,IACE,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC;oBACpD,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC,EACpD,CAAC;oBACD,MAAM,IAAI,KAAK,CACb,sBAAsB,YAAY,wDAAwD,CAC3F,CAAC;gBACJ,CAAC;gBACD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC,EAAE,CAAC;oBACpD,MAAM,IAAI,KAAK,CACb,sBAAsB,YAAY,qEAAqE,CACxG,CAAC;gBACJ,CAAC;gBACD,OAAO;YACT,CAAC;YAED,sEAAsE;YACtE,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;YAC/B,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;gBAAE,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAEpE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;gBAC5C,IAAI,CAAC,CAAC,MAAM,MAAM,EAAE,CAAC,EAAE,CAAC;oBACtB,MAAM,IAAI,KAAK,CACb,kJAAkJ,CACnJ,CAAC;gBACJ,CAAC;gBACD,GAAG,CAAC,iDAAiD,YAAY,IAAI,CAAC,CAAC;gBACvE,GAAG,CAAC,2DAA2D,CAAC,CAAC;gBACjE,IAAI,CAAC;oBACH,MAAM,aAAa,CACjB,KAAK,EACL,cAAc,CAAC,QAAQ,EAAE,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,EACrE,EAAE,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,CACrC,CAAC;gBACJ,CAAC;gBAAC,OAAO,GAAY,EAAE,CAAC;oBACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;oBAC7D,MAAM,IAAI,KAAK,CACb,8EAA8E,GAAG,EAAE,CACpF,CAAC;gBACJ,CAAC;gBACD,GAAG,CAAC,iBAAiB,CAAC,CAAC;YACzB,CAAC;YAED,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC,EAAE,CAAC;gBACpD,GAAG,CAAC,yFAAyF,CAAC,CAAC;gBAC/F,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;gBACzB,GAAG,CACD,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;oBACvB,CAAC,CAAC,uBAAuB,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE;oBAC5C,CAAC,CAAC,SAAS,GAAG,CAAC,OAAO,6BAA6B,CACtD,CAAC;gBACF,IAAI,GAAG,CAAC,MAAM;oBAAE,GAAG,CAAC,cAAc,GAAG,CAAC,MAAM,uCAAuC,CAAC,CAAC;gBACrF,IAAI,CAAC;oBACH,MAAM,aAAa,CACjB,GAAG,CAAC,OAAO,EACX,mBAAmB,CAAC,GAAG,CAAC,UAAU,CAAC,EACnC;wBACE,GAAG,EAAE,YAAY;wBACjB,WAAW,EAAE,IAAI;wBACjB,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;wBAC3B,8DAA8D;wBAC9D,qDAAqD;wBACrD,KAAK,EAAE,GAAG,CAAC,UAAU;wBACrB,GAAG,EAAE,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC;qBACnC,CACF,CAAC;gBACJ,CAAC;gBAAC,OAAO,GAAY,EAAE,CAAC;oBACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;oBAC7D,MAAM,IAAI,KAAK,CACb,iCAAiC,YAAY,KAAK;wBAChD,uEAAuE;wBACvE,+DAA+D,GAAG,EAAE,CACvE,CAAC;gBACJ,CAAC;gBACD,GAAG,CAAC,yBAAyB,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;gBAAS,CAAC;YACT,cAAc,GAAG,IAAI,CAAC;QACxB,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,OAAO,cAAc,CAAC;AACxB,CAAC"}

package/dist/diag/checks.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"checks.d.ts","sourceRoot":"","sources":["../../src/diag/checks.ts"],"names":[],"mappings":"AACA,OAAO,EAA4C,KAAK,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAE9F,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE/C,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AACnD,MAAM,MAAM,aAAa,GAAG,WAAW,GAAG,SAAS,GAAG,SAAS,CAAC;AAEhE,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,aAAa,CAAC;IACxB,MAAM,EAAE,WAAW,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,uEAAuE;IACvE,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,qDAAqD;IACrD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAqBlF"}
+{"version":3,"file":"checks.d.ts","sourceRoot":"","sources":["../../src/diag/checks.ts"],"names":[],"mappings":"AACA,OAAO,EAA4C,KAAK,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAE9F,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG/C,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AACnD,MAAM,MAAM,aAAa,GAAG,WAAW,GAAG,SAAS,GAAG,SAAS,CAAC;AAEhE,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,aAAa,CAAC;IACxB,MAAM,EAAE,WAAW,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,uEAAuE;IACvE,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,qDAAqD;IACrD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAqBlF"}

package/dist/diag/checks.js

@@ -1,6 +1,7 @@
 import { resolve as dnsResolve } from "node:dns/promises";
 import { ENV_REGISTRY } from "../env/schema.js";
 import { parseEnv } from "../env/parse.js";
+import { maskUrl, redactUrlCredentials } from "../lib/redact.js";
 /**
  * Run every diagnostic check in parallel, gather results.
  *
@@ -80,7 +81,7 @@ function rpcReachabilityChecks(config, timeoutMs) {
                     id: `rpc.reachable.${chain.chainId}`,
                     category: "network",
                     status: "warn",
-                    message: `RPC ${chain.rpcUrl} timed out after ${timeoutMs}ms`,
+                    message: `RPC ${maskUrl(chain.rpcUrl)} timed out after ${timeoutMs}ms`,
                     remediation: "Check connectivity. If intermittent, ignore. Otherwise pick a different RPC at https://chainlist.org.",
                 };
             }
@@ -89,7 +90,7 @@ function rpcReachabilityChecks(config, timeoutMs) {
                     id: `rpc.reachable.${chain.chainId}`,
                     category: "network",
                     status: "fail",
-                    message: `RPC ${chain.rpcUrl} unreachable: ${res.error}`,
+                    message: `RPC ${maskUrl(chain.rpcUrl)} unreachable: ${redactUrlCredentials(String(res.error))}`,
                     remediation: "Replace the RPC URL. Browse alternatives at https://chainlist.org and restart the MCP.",
                 };
             }
@@ -101,14 +102,14 @@ function rpcReachabilityChecks(config, timeoutMs) {
                     category: "network",
                     status: "fail",
                     message: `RPC returned chainId=${got ?? "?"} but configured chainId=${chain.chainId}`,
-                    remediation: `RPC at ${chain.rpcUrl} is for the wrong chain. Replace it.`,
+                    remediation: `RPC at ${maskUrl(chain.rpcUrl)} is for the wrong chain. Replace it.`,
                 };
             }
             return {
                 id: `rpc.reachable.${chain.chainId}`,
                 category: "network",
                 status: "pass",
-                message: `eth_chainId=${chain.chainId} (${chain.rpcUrl})`,
+                message: `eth_chainId=${chain.chainId} (${maskUrl(chain.rpcUrl)})`,
             };
         })());
     }

package/dist/diag/checks.js.map

@@ -1 +1 @@
-{"version":3,"file":"checks.js","sourceRoot":"","sources":["../../src/diag/checks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,IAAI,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAgD,MAAM,kBAAkB,CAAC;AAC9F,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAqB3C;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAAqB,EAAE;IACxD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC;IACzC,MAAM,OAAO,GAAkB,EAAE,CAAC;IAElC,OAAO,CAAC,IAAI,CAAC,GAAG,iBAAiB,EAAE,CAAC,CAAC;IAErC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAChC,GAAG,qBAAqB,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;QAChD,cAAc,CAAC,SAAS,CAAC;QACzB,mBAAmB,CAAC,SAAS,CAAC;QAC9B,GAAG,cAAc,CAAC,SAAS,CAAC;QAC5B,YAAY,CAAC,SAAS,CAAC;KACxB,CAAC,CAAC;IACH,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IAED,OAAO,CAAC,IAAI,CAAC,GAAG,sBAAsB,EAAE,CAAC,CAAC;IAC1C,OAAO,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAEpD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,+EAA+E;AAE/E,SAAS,iBAAiB;IACxB,MAAM,GAAG,GAAkB,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,QAAQ,EAAE,CAAC;IAC1B,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAyB,EAAE,CAAC;QAC1E,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;QACrC,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC;QACnD,IAAI,KAAK,EAAE,CAAC;YACV,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,WAAW,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC,GAAG,EAAE;aAC1C,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,GAAG,EAAE,CAAC;YACf,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,KAAK;aAC7C,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;YACtB,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,oBAAoB;gBAC7B,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,aAAa,CAAC,CAAC,GAAG,EAAE;aACvD,CAAC,CAAC;QACL,CAAC;QACD,+CAA+C;IACjD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,8EAA8E;AAE9E,SAAS,qBAAqB,CAC5B,MAA8B,EAC9B,SAAiB;IAEjB,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACnD,MAAM,GAAG,GAAkC,EAAE,CAAC;IAC9C,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC;QAC3C,GAAG,CAAC,IAAI,CACN,CAAC,KAAK,IAAiC,EAAE;YACvC,MAAM,GAAG,GAAG,MAAM,oBAAoB,CACpC,KAAK,CAAC,MAAM,EACZ;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;aACnF,EACD,SAAS,CACV,CAAC;YACF,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC3B,OAAO;oBACL,EAAE,EAAE,iBAAiB,KAAK,CAAC,OAAO,EAAE;oBACpC,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,OAAO,KAAK,CAAC,MAAM,oBAAoB,SAAS,IAAI;oBAC7D,WAAW,EACT,uGAAuG;iBAC1G,CAAC;YACJ,CAAC;YACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBACzB,OAAO;oBACL,EAAE,EAAE,iBAAiB,KAAK,CAAC,OAAO,EAAE;oBACpC,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,OAAO,KAAK,CAAC,MAAM,iBAAiB,GAAG,CAAC,KAAK,EAAE;oBACxD,WAAW,EACT,wFAAwF;iBAC3F,CAAC;YACJ,CAAC;YACD,MAAM,QAAQ,GAAG,KAAK,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;YACnD,MAAM,GAAG,GAAI,GAAG,CAAC,IAAwC,EAAE,MAAM,CAAC;YAClE,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACrB,OAAO;oBACL,EAAE,EAAE,iBAAiB,KAAK,CAAC,OAAO,EAAE;oBACpC,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,wBAAwB,GAAG,IAAI,GAAG,2BAA2B,KAAK,CAAC,OAAO,EAAE;oBACrF,WAAW,EAAE,UAAU,KAAK,CAAC,MAAM,sCAAsC;iBAC1E,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,EAAE,EAAE,iBAAiB,KAAK,CAAC,OAAO,EAAE;gBACpC,QAAQ,EAAE,SAAS;gBACnB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,eAAe,KAAK,CAAC,OAAO,KAAK,KAAK,CAAC,MAAM,GAAG;aAC1D,CAAC;QACJ,CAAC,CAAC,EAAE,CACL,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,4EAA4E;AAE5E,KAAK,UAAU,cAAc,CAAC,SAAiB;IAC7C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,EAAE,CAAC;IAChD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,GAAG,GAAG,MAAM,oBAAoB,CACpC,kDAAkD,EAClD,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,GAAG,EAAE,EAAE,EAAE,EAC9D,SAAS,CACV,CAAC;IACF,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC3B,OAAO;YACL,EAAE,EAAE,YAAY;YAChB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,gCAAgC,SAAS,KAAK;SACxD,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO;YACL,EAAE,EAAE,YAAY;YAChB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,wBAAwB,GAAG,CAAC,KAAK,EAAE;SAC7C,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;QACtB,OAAO;YACL,EAAE,EAAE,YAAY;YAChB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,2CAA2C,GAAG,CAAC,MAAM,EAAE;YAChE,WAAW,EACT,qHAAqH;SACxH,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;AAC1F,CAAC;AAED,8EAA8E;AAE9E,KAAK,UAAU,mBAAmB,CAAC,SAAiB;IAClD,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,IAAI,EAAE,CAAC;IACjD,IAAI,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IACrB,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,EAAE,EAAE,kBAAkB;YACtB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,sCAAsC;YAC/C,WAAW,EAAE,iDAAiD;SAC/D,CAAC;IACJ,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,CAAC,IAAI,CAAC;YACjB,UAAU,CAAC,IAAI,CAAC;YAChB,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;SACvF,CAAC,CAAC;QACH,OAAO;YACL,EAAE,EAAE,kBAAkB;YACtB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,YAAY,IAAI,EAAE;SAC5B,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,kBAAkB;YACtB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,kBAAkB,IAAI,YAAY,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YAC7F,WAAW,EACT,+GAA+G;SAClH,CAAC;IACJ,CAAC;AACH,CAAC;AAED,8EAA8E;AAE9E,SAAS,cAAc,CAAC,SAAiB;IACvC,MAAM,GAAG,GAAkC,EAAE,CAAC;IAC9C,MAAM,OAAO,GAA8H;QACzI,EAAE,GAAG,EAAE,yBAAyB,EAAE,EAAE,EAAE,gBAAgB,EAAE;QACxD,EAAE,GAAG,EAAE,8BAA8B,EAAE,EAAE,EAAE,qBAAqB,EAAE;QAClE,EAAE,GAAG,EAAE,gCAAgC,EAAE,EAAE,EAAE,uBAAuB,EAAE;KACvE,CAAC;IACF,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC;IACtD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC;QACvC,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,GAAG,CAAC,IAAI,CACN,CAAC,KAAK,IAAiC,EAAE;YACvC,MAAM,OAAO,GAA2B,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;YAC/E,IAAI,MAAM;gBAAE,OAAO,CAAC,aAAa,GAAG,UAAU,MAAM,EAAE,CAAC;YACvD,MAAM,GAAG,GAAG,MAAM,oBAAoB,CACpC,GAAG,EACH,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,EAAE,EAC9E,SAAS,CACV,CAAC;YACF,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC3B,OAAO;oBACL,EAAE,EAAE,GAAG,CAAC,CAAC,EAAE,YAAY;oBACvB,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,GAAG,CAAC,CAAC,GAAG,YAAY;iBAC9B,CAAC;YACJ,CAAC;YACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBACzB,OAAO;oBACL,EAAE,EAAE,GAAG,CAAC,CAAC,EAAE,YAAY;oBACvB,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,GAAG,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,KAAK,EAAE;iBAClC,CAAC;YACJ,CAAC;YACD,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBACtB,OAAO;oBACL,EAAE,EAAE,GAAG,CAAC,CAAC,EAAE,YAAY;oBACvB,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,GAAG,CAAC,CAAC,GAAG,kBAAkB,GAAG,CAAC,MAAM,EAAE;oBAC/C,WAAW,EACT,oFAAoF;iBACvF,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,EAAE,EAAE,GAAG,CAAC,CAAC,EAAE,YAAY;gBACvB,QAAQ,EAAE,SAAS;gBACnB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC,CAAC,EAAE,CACL,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,4EAA4E;AAE5E,KAAK,UAAU,YAAY,CAAC,SAAiB;IAC3C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,IAAI,EAAE,CAAC;IACrD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;IAC7E,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC3B,OAAO;YACL,EAAE,EAAE,mBAAmB;YACvB,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,GAAG,GAAG,YAAY;SAC5B,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO;YACL,EAAE,EAAE,mBAAmB;YACvB,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,GAAG,GAAG,KAAK,GAAG,CAAC,KAAK,EAAE;SAChC,CAAC;IACJ,CAAC;IACD,OAAO;QACL,EAAE,EAAE,mBAAmB;QACvB,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE;KAC9B,CAAC;AACJ,CAAC;AAED,4EAA4E;AAE5E,SAAS,sBAAsB;IAC7B,MAAM,GAAG,GAAkB,EAAE,CAAC;IAE9B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,IAAI,EAAE,CAAC;IACxD,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACpE,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAChE,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;YACf,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,kBAAkB;gBACtB,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,wBAAwB,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aAClD,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,kBAAkB;gBACtB,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,kBAAkB;aAC7C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,EAAE,IAAI,EAAE,CAAC;IAC3D,IAAI,IAAI,EAAE,CAAC;QACT,IAAI,CAAC;YACH,MAAM,CAAC,IAAI,CAAC,CAAC;YACb,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,iBAAiB;gBACrB,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,OAAO,IAAI,MAAM;aAC3B,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,iBAAiB;gBACrB,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,sBAAsB,IAAI,EAAE;aACtC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,kCAAkC,EAAE,IAAI,EAAE,CAAC;IACpE,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;QACvB,IAAI,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,aAAa;gBACjB,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,GAAG,CAAC,MAAM;aACpB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,aAAa;gBACjB,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,uBAAuB,IAAI,EAAE;aACvC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,4EAA4E;AAE5E,SAAS,qBAAqB,CAAC,MAA8B;IAC3D,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IACvB,MAAM,GAAG,GAAkB,EAAE,CAAC;IAC9B,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,IAAI,EAAE,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACrE,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,sBAAsB;YAC1B,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,0EAA0E;YACnF,WAAW,EAAE,2DAA2D;SACzE,CAAC,CAAC;IACL,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5D,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,mBAAmB;YACvB,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,kBAAkB,MAAM,CAAC,cAAc,mBAAmB,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;SACrF,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AASD,KAAK,UAAU,oBAAoB,CACjC,GAAW,EACX,IAAiB,EACjB,SAAiB;IAEjB,MAAM,IAAI,GAAG,IAAI,eAAe,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;IACxD,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7D,IAAI,IAAI,GAAY,SAAS,CAAC;QAC9B,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;IAChD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAAyB,CAAC,IAAI,KAAK,YAAY;YAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QACjF,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IACpF,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;AACH,CAAC"}
+{"version":3,"file":"checks.js","sourceRoot":"","sources":["../../src/diag/checks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,IAAI,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAgD,MAAM,kBAAkB,CAAC;AAC9F,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE3C,OAAO,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAoBjE;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAAqB,EAAE;IACxD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC;IACzC,MAAM,OAAO,GAAkB,EAAE,CAAC;IAElC,OAAO,CAAC,IAAI,CAAC,GAAG,iBAAiB,EAAE,CAAC,CAAC;IAErC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAChC,GAAG,qBAAqB,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;QAChD,cAAc,CAAC,SAAS,CAAC;QACzB,mBAAmB,CAAC,SAAS,CAAC;QAC9B,GAAG,cAAc,CAAC,SAAS,CAAC;QAC5B,YAAY,CAAC,SAAS,CAAC;KACxB,CAAC,CAAC;IACH,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IAED,OAAO,CAAC,IAAI,CAAC,GAAG,sBAAsB,EAAE,CAAC,CAAC;IAC1C,OAAO,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAEpD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,+EAA+E;AAE/E,SAAS,iBAAiB;IACxB,MAAM,GAAG,GAAkB,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,QAAQ,EAAE,CAAC;IAC1B,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAyB,EAAE,CAAC;QAC1E,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;QACrC,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC;QACnD,IAAI,KAAK,EAAE,CAAC;YACV,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,WAAW,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC,GAAG,EAAE;aAC1C,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,GAAG,EAAE,CAAC;YACf,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,KAAK;aAC7C,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;YACtB,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,oBAAoB;gBAC7B,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,aAAa,CAAC,CAAC,GAAG,EAAE;aACvD,CAAC,CAAC;QACL,CAAC;QACD,+CAA+C;IACjD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,8EAA8E;AAE9E,SAAS,qBAAqB,CAC5B,MAA8B,EAC9B,SAAiB;IAEjB,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACnD,MAAM,GAAG,GAAkC,EAAE,CAAC;IAC9C,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC;QAC3C,GAAG,CAAC,IAAI,CACN,CAAC,KAAK,IAAiC,EAAE;YACvC,MAAM,GAAG,GAAG,MAAM,oBAAoB,CACpC,KAAK,CAAC,MAAM,EACZ;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;aACnF,EACD,SAAS,CACV,CAAC;YACF,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC3B,OAAO;oBACL,EAAE,EAAE,iBAAiB,KAAK,CAAC,OAAO,EAAE;oBACpC,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,OAAO,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,oBAAoB,SAAS,IAAI;oBACtE,WAAW,EACT,uGAAuG;iBAC1G,CAAC;YACJ,CAAC;YACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBACzB,OAAO;oBACL,EAAE,EAAE,iBAAiB,KAAK,CAAC,OAAO,EAAE;oBACpC,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,OAAO,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,iBAAiB,oBAAoB,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE;oBAC/F,WAAW,EACT,wFAAwF;iBAC3F,CAAC;YACJ,CAAC;YACD,MAAM,QAAQ,GAAG,KAAK,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;YACnD,MAAM,GAAG,GAAI,GAAG,CAAC,IAAwC,EAAE,MAAM,CAAC;YAClE,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACrB,OAAO;oBACL,EAAE,EAAE,iBAAiB,KAAK,CAAC,OAAO,EAAE;oBACpC,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,wBAAwB,GAAG,IAAI,GAAG,2BAA2B,KAAK,CAAC,OAAO,EAAE;oBACrF,WAAW,EAAE,UAAU,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,sCAAsC;iBACnF,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,EAAE,EAAE,iBAAiB,KAAK,CAAC,OAAO,EAAE;gBACpC,QAAQ,EAAE,SAAS;gBACnB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,eAAe,KAAK,CAAC,OAAO,KAAK,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG;aACnE,CAAC;QACJ,CAAC,CAAC,EAAE,CACL,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,4EAA4E;AAE5E,KAAK,UAAU,cAAc,CAAC,SAAiB;IAC7C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,EAAE,CAAC;IAChD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,GAAG,GAAG,MAAM,oBAAoB,CACpC,kDAAkD,EAClD,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,GAAG,EAAE,EAAE,EAAE,EAC9D,SAAS,CACV,CAAC;IACF,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC3B,OAAO;YACL,EAAE,EAAE,YAAY;YAChB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,gCAAgC,SAAS,KAAK;SACxD,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO;YACL,EAAE,EAAE,YAAY;YAChB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,wBAAwB,GAAG,CAAC,KAAK,EAAE;SAC7C,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;QACtB,OAAO;YACL,EAAE,EAAE,YAAY;YAChB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,2CAA2C,GAAG,CAAC,MAAM,EAAE;YAChE,WAAW,EACT,qHAAqH;SACxH,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;AAC1F,CAAC;AAED,8EAA8E;AAE9E,KAAK,UAAU,mBAAmB,CAAC,SAAiB;IAClD,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,IAAI,EAAE,CAAC;IACjD,IAAI,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IACrB,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,EAAE,EAAE,kBAAkB;YACtB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,sCAAsC;YAC/C,WAAW,EAAE,iDAAiD;SAC/D,CAAC;IACJ,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,CAAC,IAAI,CAAC;YACjB,UAAU,CAAC,IAAI,CAAC;YAChB,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;SACvF,CAAC,CAAC;QACH,OAAO;YACL,EAAE,EAAE,kBAAkB;YACtB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,YAAY,IAAI,EAAE;SAC5B,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,kBAAkB;YACtB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,kBAAkB,IAAI,YAAY,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YAC7F,WAAW,EACT,+GAA+G;SAClH,CAAC;IACJ,CAAC;AACH,CAAC;AAED,8EAA8E;AAE9E,SAAS,cAAc,CAAC,SAAiB;IACvC,MAAM,GAAG,GAAkC,EAAE,CAAC;IAC9C,MAAM,OAAO,GAA8H;QACzI,EAAE,GAAG,EAAE,yBAAyB,EAAE,EAAE,EAAE,gBAAgB,EAAE;QACxD,EAAE,GAAG,EAAE,8BAA8B,EAAE,EAAE,EAAE,qBAAqB,EAAE;QAClE,EAAE,GAAG,EAAE,gCAAgC,EAAE,EAAE,EAAE,uBAAuB,EAAE;KACvE,CAAC;IACF,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC;IACtD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC;QACvC,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,GAAG,CAAC,IAAI,CACN,CAAC,KAAK,IAAiC,EAAE;YACvC,MAAM,OAAO,GAA2B,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;YAC/E,IAAI,MAAM;gBAAE,OAAO,CAAC,aAAa,GAAG,UAAU,MAAM,EAAE,CAAC;YACvD,MAAM,GAAG,GAAG,MAAM,oBAAoB,CACpC,GAAG,EACH,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,EAAE,EAC9E,SAAS,CACV,CAAC;YACF,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC3B,OAAO;oBACL,EAAE,EAAE,GAAG,CAAC,CAAC,EAAE,YAAY;oBACvB,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,GAAG,CAAC,CAAC,GAAG,YAAY;iBAC9B,CAAC;YACJ,CAAC;YACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBACzB,OAAO;oBACL,EAAE,EAAE,GAAG,CAAC,CAAC,EAAE,YAAY;oBACvB,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,GAAG,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,KAAK,EAAE;iBAClC,CAAC;YACJ,CAAC;YACD,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBACtB,OAAO;oBACL,EAAE,EAAE,GAAG,CAAC,CAAC,EAAE,YAAY;oBACvB,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,GAAG,CAAC,CAAC,GAAG,kBAAkB,GAAG,CAAC,MAAM,EAAE;oBAC/C,WAAW,EACT,oFAAoF;iBACvF,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,EAAE,EAAE,GAAG,CAAC,CAAC,EAAE,YAAY;gBACvB,QAAQ,EAAE,SAAS;gBACnB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC,CAAC,EAAE,CACL,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,4EAA4E;AAE5E,KAAK,UAAU,YAAY,CAAC,SAAiB;IAC3C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,IAAI,EAAE,CAAC;IACrD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;IAC7E,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC3B,OAAO;YACL,EAAE,EAAE,mBAAmB;YACvB,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,GAAG,GAAG,YAAY;SAC5B,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO;YACL,EAAE,EAAE,mBAAmB;YACvB,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,GAAG,GAAG,KAAK,GAAG,CAAC,KAAK,EAAE;SAChC,CAAC;IACJ,CAAC;IACD,OAAO;QACL,EAAE,EAAE,mBAAmB;QACvB,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE;KAC9B,CAAC;AACJ,CAAC;AAED,4EAA4E;AAE5E,SAAS,sBAAsB;IAC7B,MAAM,GAAG,GAAkB,EAAE,CAAC;IAE9B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,IAAI,EAAE,CAAC;IACxD,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACpE,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAChE,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;YACf,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,kBAAkB;gBACtB,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,wBAAwB,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aAClD,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,kBAAkB;gBACtB,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,kBAAkB;aAC7C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,EAAE,IAAI,EAAE,CAAC;IAC3D,IAAI,IAAI,EAAE,CAAC;QACT,IAAI,CAAC;YACH,MAAM,CAAC,IAAI,CAAC,CAAC;YACb,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,iBAAiB;gBACrB,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,OAAO,IAAI,MAAM;aAC3B,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,iBAAiB;gBACrB,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,sBAAsB,IAAI,EAAE;aACtC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,kCAAkC,EAAE,IAAI,EAAE,CAAC;IACpE,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;QACvB,IAAI,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,aAAa;gBACjB,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,GAAG,CAAC,MAAM;aACpB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,aAAa;gBACjB,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,uBAAuB,IAAI,EAAE;aACvC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,4EAA4E;AAE5E,SAAS,qBAAqB,CAAC,MAA8B;IAC3D,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IACvB,MAAM,GAAG,GAAkB,EAAE,CAAC;IAC9B,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,IAAI,EAAE,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACrE,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,sBAAsB;YAC1B,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,0EAA0E;YACnF,WAAW,EAAE,2DAA2D;SACzE,CAAC,CAAC;IACL,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5D,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,mBAAmB;YACvB,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,kBAAkB,MAAM,CAAC,cAAc,mBAAmB,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;SACrF,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AASD,KAAK,UAAU,oBAAoB,CACjC,GAAW,EACX,IAAiB,EACjB,SAAiB;IAEjB,MAAM,IAAI,GAAG,IAAI,eAAe,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;IACxD,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7D,IAAI,IAAI,GAAY,SAAS,CAAC;QAC9B,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;IAChD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAAyB,CAAC,IAAI,KAAK,YAAY;YAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QACjF,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IACpF,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;AACH,CAAC"}

package/dist/lib/amount.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Strict parsing of user-supplied unsigned-integer (wei / id) strings.
+ *
+ * `BigInt()` silently accepts inputs that are almost never what the caller
+ * intended, producing a structurally-valid but semantically-wrong calldata:
+ *
+ *   BigInt("")      === 0n     → a blank amount field becomes a 0-value tx
+ *   BigInt("   ")   === 0n     → whitespace likewise coerces to 0
+ *   BigInt("0x10")  === 16n    → a hex string is reinterpreted as a number
+ *   BigInt("-5")    === -5n    → a negative wraps to a huge uint256 on-chain
+ *
+ * and `BigInt("1.5")` throws an opaque `SyntaxError` with no field context.
+ *
+ * This guard accepts only a plain base-10, non-negative integer string and
+ * returns the parsed `bigint`; otherwise it throws a clear, field-named error.
+ * Builders run inside the MCP tool callback, so a throw surfaces to the caller
+ * as a normal error result rather than a silent mis-encode.
+ *
+ * Use this everywhere a user-provided amount / id / nftId string flows into
+ * `BigInt(...)` before being encoded into transaction calldata.
+ */
+export declare function parseUintString(value: string, field?: string): bigint;
+//# sourceMappingURL=amount.d.ts.map

package/dist/lib/amount.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"amount.d.ts","sourceRoot":"","sources":["../../src/lib/amount.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,SAAW,GAAG,MAAM,CASvE"}

package/dist/lib/amount.js

@@ -0,0 +1,30 @@
+/**
+ * Strict parsing of user-supplied unsigned-integer (wei / id) strings.
+ *
+ * `BigInt()` silently accepts inputs that are almost never what the caller
+ * intended, producing a structurally-valid but semantically-wrong calldata:
+ *
+ *   BigInt("")      === 0n     → a blank amount field becomes a 0-value tx
+ *   BigInt("   ")   === 0n     → whitespace likewise coerces to 0
+ *   BigInt("0x10")  === 16n    → a hex string is reinterpreted as a number
+ *   BigInt("-5")    === -5n    → a negative wraps to a huge uint256 on-chain
+ *
+ * and `BigInt("1.5")` throws an opaque `SyntaxError` with no field context.
+ *
+ * This guard accepts only a plain base-10, non-negative integer string and
+ * returns the parsed `bigint`; otherwise it throws a clear, field-named error.
+ * Builders run inside the MCP tool callback, so a throw surfaces to the caller
+ * as a normal error result rather than a silent mis-encode.
+ *
+ * Use this everywhere a user-provided amount / id / nftId string flows into
+ * `BigInt(...)` before being encoded into transaction calldata.
+ */
+export function parseUintString(value, field = "amount") {
+    if (typeof value !== "string" || !/^[0-9]+$/.test(value)) {
+        throw new Error(`Invalid ${field}: ${JSON.stringify(value)}. ` +
+            `Expected a base-10 wei/id integer string — digits only, ` +
+            `no decimals, hex (0x…), sign, whitespace, or empty value.`);
+    }
+    return BigInt(value);
+}
+//# sourceMappingURL=amount.js.map

package/dist/lib/amount.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"amount.js","sourceRoot":"","sources":["../../src/lib/amount.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,eAAe,CAAC,KAAa,EAAE,KAAK,GAAG,QAAQ;IAC7D,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CACb,WAAW,KAAK,KAAK,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI;YAC5C,0DAA0D;YAC1D,2DAA2D,CAC9D,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;AACvB,CAAC"}

package/dist/lib/broadcastGuards.d.ts

@@ -35,6 +35,16 @@ export declare class BroadcastGuardError extends Error {
 }
 /** Reset the B10 window. Test-only. */
 export declare function __resetBroadcastWindow(): void;
+/**
+ * B6 + B7: the stateless destination-allowlist and value-cap checks. Unlike B9
+ * (sim) and B10 (rate limit), these are safe to apply to ANY signed/queued tx —
+ * including a Safe-TX-Service propose (L-1), which previously signed and queued
+ * without any guard.
+ */
+export declare function assertAllowlistAndValueCap(tx: {
+    to: string;
+    value: string;
+}, cfg: DexeConfig): void;
 export declare function runBroadcastGuards(tx: BroadcastTx, cfg: DexeConfig, opts?: {
     skipSimulation?: boolean;
 }): Promise<void>;

package/dist/lib/broadcastGuards.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"broadcastGuards.d.ts","sourceRoot":"","sources":["../../src/lib/broadcastGuards.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI/C;;;;;;;;;;;;;;;;;;GAkBG;AAEH,yFAAyF;AACzF,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,mCAAmC;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,+DAA+D;IAC/D,IAAI,EAAE,MAAM,CAAC;CACd;AAED,yFAAyF;AACzF,qBAAa,mBAAoB,SAAQ,KAAK;IAE1C,QAAQ,CAAC,KAAK,EAAE,MAAM;gBAAb,KAAK,EAAE,MAAM,EACtB,OAAO,EAAE,MAAM;CAKlB;AASD,uCAAuC;AACvC,wBAAgB,sBAAsB,IAAI,IAAI,CAE7C;AAED,wBAAsB,kBAAkB,CACtC,EAAE,EAAE,WAAW,EACf,GAAG,EAAE,UAAU,EACf,IAAI,CAAC,EAAE;IAAE,cAAc,CAAC,EAAE,OAAO,CAAA;CAAE,GAClC,OAAO,CAAC,IAAI,CAAC,CA6Ef"}
+{"version":3,"file":"broadcastGuards.d.ts","sourceRoot":"","sources":["../../src/lib/broadcastGuards.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI/C;;;;;;;;;;;;;;;;;;GAkBG;AAEH,yFAAyF;AACzF,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,mCAAmC;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,+DAA+D;IAC/D,IAAI,EAAE,MAAM,CAAC;CACd;AAED,yFAAyF;AACzF,qBAAa,mBAAoB,SAAQ,KAAK;IAE1C,QAAQ,CAAC,KAAK,EAAE,MAAM;gBAAb,KAAK,EAAE,MAAM,EACtB,OAAO,EAAE,MAAM;CAKlB;AASD,uCAAuC;AACvC,wBAAgB,sBAAsB,IAAI,IAAI,CAE7C;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,EAAE,EAAE;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,EAAE,GAAG,EAAE,UAAU,GAAG,IAAI,CAwBnG;AAED,wBAAsB,kBAAkB,CACtC,EAAE,EAAE,WAAW,EACf,GAAG,EAAE,UAAU,EACf,IAAI,CAAC,EAAE;IAAE,cAAc,CAAC,EAAE,OAAO,CAAA;CAAE,GAClC,OAAO,CAAC,IAAI,CAAC,CAwDf"}

package/dist/lib/broadcastGuards.js

@@ -20,7 +20,13 @@ const broadcastTimestamps = [];
 export function __resetBroadcastWindow() {
     broadcastTimestamps.length = 0;
 }
-export async function runBroadcastGuards(tx, cfg, opts) {
+/**
+ * B6 + B7: the stateless destination-allowlist and value-cap checks. Unlike B9
+ * (sim) and B10 (rate limit), these are safe to apply to ANY signed/queued tx —
+ * including a Safe-TX-Service propose (L-1), which previously signed and queued
+ * without any guard.
+ */
+export function assertAllowlistAndValueCap(tx, cfg) {
     // ---- B6: destination allowlist ----------------------------------------
     if (cfg.signerAllowlist && cfg.signerAllowlist.length > 0) {
         const to = tx.to.toLowerCase();
@@ -37,6 +43,10 @@ export async function runBroadcastGuards(tx, cfg, opts) {
                 `Refusing to broadcast.`);
         }
     }
+}
+export async function runBroadcastGuards(tx, cfg, opts) {
+    // ---- B6 + B7: destination allowlist & value cap -----------------------
+    assertAllowlistAndValueCap(tx, cfg);
     // ---- B9: auto-simulation (eth_call preflight) -------------------------
     // Reuses the shared sim core; aborts before spending gas if the call would
     // revert. Must run against the SAME chain the broadcast targets — otherwise

package/dist/lib/broadcastGuards.js.map

@@ -1 +1 @@
-{"version":3,"file":"broadcastGuards.js","sourceRoot":"","sources":["../../src/lib/broadcastGuards.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,SAAS,CAAC;AAE7B,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAiCxD,yFAAyF;AACzF,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAEjC;IADX,YACW,KAAa,EACtB,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;QAHN,UAAK,GAAL,KAAK,CAAQ;QAItB,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED,4EAA4E;AAC5E,yEAAyE;AACzE,0EAA0E;AAC1E,gDAAgD;AAChD,MAAM,aAAa,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AAChC,MAAM,mBAAmB,GAAa,EAAE,CAAC;AAEzC,uCAAuC;AACvC,MAAM,UAAU,sBAAsB;IACpC,mBAAmB,CAAC,MAAM,GAAG,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,EAAe,EACf,GAAe,EACf,IAAmC;IAEnC,0EAA0E;IAC1E,IAAI,GAAG,CAAC,eAAe,IAAI,GAAG,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1D,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC;QAC/B,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,mBAAmB,CAC3B,IAAI,EACJ,eAAe,EAAE,CAAC,EAAE,qCAAqC,GAAG,CAAC,eAAe,CAAC,MAAM,aAAa;gBAC9F,wBAAwB,CAC3B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,IAAI,GAAG,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,CAAC,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;QAC3B,IAAI,CAAC,GAAG,GAAG,CAAC,iBAAiB,EAAE,CAAC;YAC9B,MAAM,IAAI,mBAAmB,CAC3B,IAAI,EACJ,SAAS,CAAC,CAAC,QAAQ,EAAE,iDAAiD,GAAG,CAAC,iBAAiB,CAAC,QAAQ,EAAE,QAAQ;gBAC5G,wBAAwB,CAC3B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,2EAA2E;IAC3E,4EAA4E;IAC5E,8EAA8E;IAC9E,8EAA8E;IAC9E,4EAA4E;IAC5E,iEAAiE;IACjE,IAAI,CAAC,IAAI,EAAE,cAAc,EAAE,CAAC;QAC1B,MAAM,MAAM,GACV,EAAE,CAAC,OAAO,KAAK,GAAG,CAAC,cAAc;YAC/B,CAAC,CAAC,GAAG;YACL,CAAC,CAAC,EAAE,GAAG,GAAG,EAAE,cAAc,EAAE,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,CAAC,OAAO,EAAE,CAAC;QAClE,MAAM,GAAG,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC;QACpC,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE;YACtC,EAAE,EAAE,EAAE,CAAC,EAAE;YACT,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,KAAK,EAAE,EAAE,CAAC,KAAK;YACf,IAAI,EAAE,EAAE,CAAC,IAAI;SACd,CAAC,CAAC;QACH,6EAA6E;QAC7E,2EAA2E;QAC3E,4CAA4C;QAC5C,IAAI,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;YACtC,MAAM,IAAI,mBAAmB,CAC3B,IAAI,EACJ,iDAAiD,GAAG,CAAC,YAAY,IAAI,SAAS,IAAI;gBAChF,+BAA+B,CAClC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,IAAI,GAAG,CAAC,yBAAyB,KAAK,SAAS,EAAE,CAAC;QAChD,MAAM,GAAG,GAAG,GAAG,CAAC,yBAAyB,CAAC;QAC1C,MAAM,aAAa,CAAC,GAAG,EAAE;YACvB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC;YAC5B,OAAO,mBAAmB,CAAC,MAAM,GAAG,CAAC,IAAI,mBAAmB,CAAC,CAAC,CAAE,GAAG,MAAM,EAAE,CAAC;gBAC1E,mBAAmB,CAAC,KAAK,EAAE,CAAC;YAC9B,CAAC;YACD,IAAI,mBAAmB,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBACtC,MAAM,MAAM,GAAG,mBAAmB,CAAC,CAAC,CAAE,CAAC;gBACvC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,MAAM,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;gBACxD,MAAM,IAAI,mBAAmB,CAC3B,KAAK,EACL,iCAAiC,GAAG,oDAAoD;oBACtF,aAAa,KAAK,IAAI,CACzB,CAAC;YACJ,CAAC;YACD,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}
+{"version":3,"file":"broadcastGuards.js","sourceRoot":"","sources":["../../src/lib/broadcastGuards.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,SAAS,CAAC;AAE7B,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAiCxD,yFAAyF;AACzF,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAEjC;IADX,YACW,KAAa,EACtB,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;QAHN,UAAK,GAAL,KAAK,CAAQ;QAItB,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED,4EAA4E;AAC5E,yEAAyE;AACzE,0EAA0E;AAC1E,gDAAgD;AAChD,MAAM,aAAa,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AAChC,MAAM,mBAAmB,GAAa,EAAE,CAAC;AAEzC,uCAAuC;AACvC,MAAM,UAAU,sBAAsB;IACpC,mBAAmB,CAAC,MAAM,GAAG,CAAC,CAAC;AACjC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,0BAA0B,CAAC,EAAiC,EAAE,GAAe;IAC3F,0EAA0E;IAC1E,IAAI,GAAG,CAAC,eAAe,IAAI,GAAG,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1D,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC;QAC/B,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,mBAAmB,CAC3B,IAAI,EACJ,eAAe,EAAE,CAAC,EAAE,qCAAqC,GAAG,CAAC,eAAe,CAAC,MAAM,aAAa;gBAC9F,wBAAwB,CAC3B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,IAAI,GAAG,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,CAAC,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;QAC3B,IAAI,CAAC,GAAG,GAAG,CAAC,iBAAiB,EAAE,CAAC;YAC9B,MAAM,IAAI,mBAAmB,CAC3B,IAAI,EACJ,SAAS,CAAC,CAAC,QAAQ,EAAE,iDAAiD,GAAG,CAAC,iBAAiB,CAAC,QAAQ,EAAE,QAAQ;gBAC5G,wBAAwB,CAC3B,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,EAAe,EACf,GAAe,EACf,IAAmC;IAEnC,0EAA0E;IAC1E,0BAA0B,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IAEpC,0EAA0E;IAC1E,2EAA2E;IAC3E,4EAA4E;IAC5E,8EAA8E;IAC9E,8EAA8E;IAC9E,4EAA4E;IAC5E,iEAAiE;IACjE,IAAI,CAAC,IAAI,EAAE,cAAc,EAAE,CAAC;QAC1B,MAAM,MAAM,GACV,EAAE,CAAC,OAAO,KAAK,GAAG,CAAC,cAAc;YAC/B,CAAC,CAAC,GAAG;YACL,CAAC,CAAC,EAAE,GAAG,GAAG,EAAE,cAAc,EAAE,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,CAAC,OAAO,EAAE,CAAC;QAClE,MAAM,GAAG,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC;QACpC,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE;YACtC,EAAE,EAAE,EAAE,CAAC,EAAE;YACT,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,KAAK,EAAE,EAAE,CAAC,KAAK;YACf,IAAI,EAAE,EAAE,CAAC,IAAI;SACd,CAAC,CAAC;QACH,6EAA6E;QAC7E,2EAA2E;QAC3E,4CAA4C;QAC5C,IAAI,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;YACtC,MAAM,IAAI,mBAAmB,CAC3B,IAAI,EACJ,iDAAiD,GAAG,CAAC,YAAY,IAAI,SAAS,IAAI;gBAChF,+BAA+B,CAClC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,IAAI,GAAG,CAAC,yBAAyB,KAAK,SAAS,EAAE,CAAC;QAChD,MAAM,GAAG,GAAG,GAAG,CAAC,yBAAyB,CAAC;QAC1C,MAAM,aAAa,CAAC,GAAG,EAAE;YACvB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC;YAC5B,OAAO,mBAAmB,CAAC,MAAM,GAAG,CAAC,IAAI,mBAAmB,CAAC,CAAC,CAAE,GAAG,MAAM,EAAE,CAAC;gBAC1E,mBAAmB,CAAC,KAAK,EAAE,CAAC;YAC9B,CAAC;YACD,IAAI,mBAAmB,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBACtC,MAAM,MAAM,GAAG,mBAAmB,CAAC,CAAC,CAAE,CAAC;gBACvC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,MAAM,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;gBACxD,MAAM,IAAI,mBAAmB,CAC3B,KAAK,EACL,iCAAiC,GAAG,oDAAoD;oBACtF,aAAa,KAAK,IAAI,CACzB,CAAC;YACJ,CAAC;YACD,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}

package/dist/lib/dangerousSelectors.d.ts

@@ -0,0 +1,18 @@
+export interface ForbiddenSelector {
+    /** 0x-prefixed 4-byte selector, lowercase. */
+    selector: string;
+    /** Canonical function signature, e.g. "withdrawTokens(address,address,uint256)". */
+    signature: string;
+}
+/** Extract the 4-byte selector (lowercase, 0x-prefixed) from calldata, or null. */
+export declare function selectorOf(data: string): string | null;
+/**
+ * Returns the matched forbidden entry if `data`'s leading selector is
+ * denylisted, else null. `data` is raw calldata (0x-hex).
+ */
+export declare function findForbiddenSelector(data: string): ForbiddenSelector | null;
+/** Human-readable hard-refusal explaining why the selector is blocked (C-2). */
+export declare function dangerousSelectorError(match: ForbiddenSelector, target?: string): string;
+/** The full denylist — for docs, tests, and introspection. */
+export declare function forbiddenSelectors(): ForbiddenSelector[];
+//# sourceMappingURL=dangerousSelectors.d.ts.map

package/dist/lib/dangerousSelectors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dangerousSelectors.d.ts","sourceRoot":"","sources":["../../src/lib/dangerousSelectors.ts"],"names":[],"mappings":"AAyCA,MAAM,WAAW,iBAAiB;IAChC,8CAA8C;IAC9C,QAAQ,EAAE,MAAM,CAAC;IACjB,oFAAoF;IACpF,SAAS,EAAE,MAAM,CAAC;CACnB;AAaD,mFAAmF;AACnF,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAGtD;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAI5E;AAED,gFAAgF;AAChF,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,iBAAiB,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAYxF;AAED,8DAA8D;AAC9D,wBAAgB,kBAAkB,IAAI,iBAAiB,EAAE,CAExD"}

package/dist/lib/dangerousSelectors.js

@@ -0,0 +1,80 @@
+import { id } from "ethers";
+/**
+ * C-2 guardrail — forbidden proposal-action selectors.
+ *
+ * Every function below lives on `GovUserKeeper` and is `onlyOwner` (the owner is
+ * the GovPool). GovPool invokes them internally on behalf of users through its
+ * own deposit/withdraw/delegate entrypoints — they are NOT meant to be the
+ * `executor` + `data` of a raw governance proposal action.
+ *
+ * They are dangerous as proposal targets because the `payer` / `delegator`
+ * argument is decoupled from the funds' owner: e.g.
+ * `withdrawTokens(payer, receiver, amount)` debits `_usersInfo[payer]` and pays
+ * `receiver`. A proposal can therefore name an arbitrary victim as `payer` and
+ * the attacker as `receiver`.
+ *
+ * The DeXe protocol's INTERNAL allowlist
+ * (`GovPoolCreate._handleDataForInternalProposal`) is supposed to make these
+ * unreachable-by-proposal, but it only runs when the *last* action's executor is
+ * a registered INTERNAL executor. A proposal whose trailing action routes to
+ * DEFAULT skips the allowlist entirely, so these selectors slip through —
+ * finding C-2. This guard refuses to build any proposal action carrying one of
+ * them, regardless of routing. It is harm-reduction at the MCP layer ONLY: the
+ * root cause is in the protocol contracts, and an attacker can still hand-craft
+ * the calldata. See docs/security/C2-default-routing-bypass.md.
+ */
+const FORBIDDEN_SIGNATURES = [
+    "withdrawTokens(address,address,uint256)",
+    "depositTokens(address,address,uint256)",
+    "delegateTokens(address,address,uint256)",
+    "undelegateTokens(address,address,uint256)",
+    "delegateTokensTreasury(address,uint256)",
+    "undelegateTokensTreasury(address,uint256)",
+    "withdrawNfts(address,address,uint256[])",
+    "depositNfts(address,address,uint256[])",
+    "delegateNfts(address,address,uint256[])",
+    "undelegateNfts(address,address,uint256[])",
+    "delegateNftsTreasury(address,uint256[])",
+    "undelegateNftsTreasury(address,uint256[])",
+];
+/**
+ * selector -> entry, derived from the signatures at module load so the table can
+ * never drift from the canonical names.
+ */
+const FORBIDDEN_BY_SELECTOR = new Map(FORBIDDEN_SIGNATURES.map((signature) => {
+    const selector = id(signature).slice(0, 10).toLowerCase();
+    return [selector, { selector, signature }];
+}));
+/** Extract the 4-byte selector (lowercase, 0x-prefixed) from calldata, or null. */
+export function selectorOf(data) {
+    if (typeof data !== "string" || !data.startsWith("0x") || data.length < 10)
+        return null;
+    return data.slice(0, 10).toLowerCase();
+}
+/**
+ * Returns the matched forbidden entry if `data`'s leading selector is
+ * denylisted, else null. `data` is raw calldata (0x-hex).
+ */
+export function findForbiddenSelector(data) {
+    const sel = selectorOf(data);
+    if (sel === null)
+        return null;
+    return FORBIDDEN_BY_SELECTOR.get(sel) ?? null;
+}
+/** Human-readable hard-refusal explaining why the selector is blocked (C-2). */
+export function dangerousSelectorError(match, target) {
+    return (`Refusing to build: calldata selector ${match.selector} is ` +
+        `GovUserKeeper.${match.signature}, a privileged onlyOwner accounting function ` +
+        `that must never be a governance proposal action` +
+        (target ? ` (target ${target})` : "") +
+        `. Encoding it enables finding C-2: a DEFAULT-routed proposal bypasses the ` +
+        `GovPoolCreate INTERNAL allowlist and can drain an arbitrary depositor's ` +
+        `unlocked balance — the function takes a free 'payer'/'delegator' decoupled ` +
+        `from the caller. Users deposit/withdraw/delegate their OWN funds through the ` +
+        `GovPool entrypoints, never via a proposal. Hard block, no override.`);
+}
+/** The full denylist — for docs, tests, and introspection. */
+export function forbiddenSelectors() {
+    return [...FORBIDDEN_BY_SELECTOR.values()];
+}
+//# sourceMappingURL=dangerousSelectors.js.map

package/dist/lib/dangerousSelectors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dangerousSelectors.js","sourceRoot":"","sources":["../../src/lib/dangerousSelectors.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE5B;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,oBAAoB,GAAG;IAC3B,yCAAyC;IACzC,wCAAwC;IACxC,yCAAyC;IACzC,2CAA2C;IAC3C,yCAAyC;IACzC,2CAA2C;IAC3C,yCAAyC;IACzC,wCAAwC;IACxC,yCAAyC;IACzC,2CAA2C;IAC3C,yCAAyC;IACzC,2CAA2C;CACnC,CAAC;AASX;;;GAGG;AACH,MAAM,qBAAqB,GAA2C,IAAI,GAAG,CAC3E,oBAAoB,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE;IACrC,MAAM,QAAQ,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1D,OAAO,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAU,CAAC;AACtD,CAAC,CAAC,CACH,CAAC;AAEF,mFAAmF;AACnF,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IACxF,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;AACzC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAY;IAChD,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IAC7B,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC9B,OAAO,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;AAChD,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,sBAAsB,CAAC,KAAwB,EAAE,MAAe;IAC9E,OAAO,CACL,wCAAwC,KAAK,CAAC,QAAQ,MAAM;QAC5D,iBAAiB,KAAK,CAAC,SAAS,+CAA+C;QAC/E,iDAAiD;QACjD,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QACrC,4EAA4E;QAC5E,0EAA0E;QAC1E,6EAA6E;QAC7E,+EAA+E;QAC/E,qEAAqE,CACtE,CAAC;AACJ,CAAC;AAED,8DAA8D;AAC9D,MAAM,UAAU,kBAAkB;IAChC,OAAO,CAAC,GAAG,qBAAqB,CAAC,MAAM,EAAE,CAAC,CAAC;AAC7C,CAAC"}