npm - forge-sql-orm - Versions diffs - 2.1.12 → 2.1.14 - Mend

forge-sql-orm 2.1.12 → 2.1.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/README.md +922 -549
package/dist/core/ForgeSQLAnalyseOperations.d.ts.map +1 -1
package/dist/core/ForgeSQLAnalyseOperations.js +257 -0
package/dist/core/ForgeSQLAnalyseOperations.js.map +1 -0
package/dist/core/ForgeSQLCacheOperations.js +172 -0
package/dist/core/ForgeSQLCacheOperations.js.map +1 -0
package/dist/core/ForgeSQLCrudOperations.js +349 -0
package/dist/core/ForgeSQLCrudOperations.js.map +1 -0
package/dist/core/ForgeSQLORM.d.ts +29 -1
package/dist/core/ForgeSQLORM.d.ts.map +1 -1
package/dist/core/ForgeSQLORM.js +1252 -0
package/dist/core/ForgeSQLORM.js.map +1 -0
package/dist/core/ForgeSQLQueryBuilder.d.ts +179 -1
package/dist/core/ForgeSQLQueryBuilder.d.ts.map +1 -1
package/dist/core/ForgeSQLQueryBuilder.js +77 -0
package/dist/core/ForgeSQLQueryBuilder.js.map +1 -0
package/dist/core/ForgeSQLSelectOperations.js +81 -0
package/dist/core/ForgeSQLSelectOperations.js.map +1 -0
package/dist/core/Rovo.d.ts +116 -0
package/dist/core/Rovo.d.ts.map +1 -0
package/dist/core/Rovo.js +647 -0
package/dist/core/Rovo.js.map +1 -0
package/dist/core/SystemTables.js +258 -0
package/dist/core/SystemTables.js.map +1 -0
package/dist/index.js +30 -0
package/dist/index.js.map +1 -0
package/dist/lib/drizzle/extensions/additionalActions.d.ts.map +1 -1
package/dist/lib/drizzle/extensions/additionalActions.js +527 -0
package/dist/lib/drizzle/extensions/additionalActions.js.map +1 -0
package/dist/utils/cacheContextUtils.d.ts.map +1 -1
package/dist/utils/cacheContextUtils.js +198 -0
package/dist/utils/cacheContextUtils.js.map +1 -0
package/dist/utils/cacheUtils.d.ts.map +1 -1
package/dist/utils/cacheUtils.js +383 -0
package/dist/utils/cacheUtils.js.map +1 -0
package/dist/utils/forgeDriver.d.ts.map +1 -1
package/dist/utils/forgeDriver.js +139 -0
package/dist/utils/forgeDriver.js.map +1 -0
package/dist/utils/forgeDriverProxy.js +68 -0
package/dist/utils/forgeDriverProxy.js.map +1 -0
package/dist/utils/metadataContextUtils.d.ts.map +1 -1
package/dist/utils/metadataContextUtils.js +26 -0
package/dist/utils/metadataContextUtils.js.map +1 -0
package/dist/utils/requestTypeContextUtils.js +10 -0
package/dist/utils/requestTypeContextUtils.js.map +1 -0
package/dist/utils/sqlHints.js +52 -0
package/dist/utils/sqlHints.js.map +1 -0
package/dist/utils/sqlUtils.d.ts.map +1 -1
package/dist/utils/sqlUtils.js +590 -0
package/dist/utils/sqlUtils.js.map +1 -0
package/dist/webtriggers/applyMigrationsWebTrigger.js +77 -0
package/dist/webtriggers/applyMigrationsWebTrigger.js.map +1 -0
package/dist/webtriggers/clearCacheSchedulerTrigger.js +83 -0
package/dist/webtriggers/clearCacheSchedulerTrigger.js.map +1 -0
package/dist/webtriggers/dropMigrationWebTrigger.js +54 -0
package/dist/webtriggers/dropMigrationWebTrigger.js.map +1 -0
package/dist/webtriggers/dropTablesMigrationWebTrigger.js +54 -0
package/dist/webtriggers/dropTablesMigrationWebTrigger.js.map +1 -0
package/dist/webtriggers/fetchSchemaWebTrigger.js +82 -0
package/dist/webtriggers/fetchSchemaWebTrigger.js.map +1 -0
package/dist/webtriggers/index.js +40 -0
package/dist/webtriggers/index.js.map +1 -0
package/dist/webtriggers/slowQuerySchedulerTrigger.js +80 -0
package/dist/webtriggers/slowQuerySchedulerTrigger.js.map +1 -0
package/package.json +31 -25
package/src/core/ForgeSQLAnalyseOperations.ts +3 -2
package/src/core/ForgeSQLORM.ts +64 -0
package/src/core/ForgeSQLQueryBuilder.ts +200 -1
package/src/core/Rovo.ts +765 -0
package/src/lib/drizzle/extensions/additionalActions.ts +11 -0
package/src/utils/cacheContextUtils.ts +9 -6
package/src/utils/cacheUtils.ts +6 -4
package/src/utils/forgeDriver.ts +3 -7
package/src/utils/metadataContextUtils.ts +1 -3
package/src/utils/sqlUtils.ts +33 -34
package/dist/ForgeSQLORM.js +0 -3922
package/dist/ForgeSQLORM.js.map +0 -1
package/dist/ForgeSQLORM.mjs +0 -3905
package/dist/ForgeSQLORM.mjs.map +0 -1

package/dist/core/Rovo.js ADDED Viewed

@@ -0,0 +1,647 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Rovo = void 0;
+const sql_1 = require("@forge/sql");
+const node_sql_parser_1 = require("node-sql-parser");
+const table_1 = require("drizzle-orm/table");
+/**
+ * Implementation of RovoIntegrationSetting interface.
+ * Stores configuration for Rovo query execution including user context, table name, and RLS settings.
+ *
+ * @class RovoIntegrationSettingImpl
+ * @implements {RovoIntegrationSetting}
+ */
+class RovoIntegrationSettingImpl {
+    accountId;
+    tableName;
+    contextParam;
+    rls;
+    rlsFields;
+    rlsWherePart;
+    /**
+     * Creates a new RovoIntegrationSettingImpl instance.
+     *
+     * @param {string} accountId - The account ID of the active user
+     * @param {string} tableName - The name of the table to query
+     * @param {Record<string, string>} contextParam - Context parameters for query substitution
+     * @param {boolean} rls - Whether Row-Level Security is enabled
+     * @param {string[]} rlsFields - Array of field names required for RLS validation
+     * @param {(alias: string) => string} rlsWherePart - Function that generates WHERE clause for RLS
+     */
+    constructor(accountId, tableName, contextParam, rls, rlsFields, rlsWherePart) {
+        this.accountId = accountId;
+        this.tableName = tableName;
+        this.contextParam = contextParam;
+        this.rls = rls;
+        this.rlsFields = rlsFields;
+        this.rlsWherePart = rlsWherePart;
+    }
+    /**
+     * Gets the account ID of the active user.
+     *
+     * @returns {string} The account ID of the active user
+     */
+    getActiveUser() {
+        return this.accountId;
+    }
+    /**
+     * Gets the context parameters for query substitution.
+     *
+     * @returns {Record<string, string>} Map of parameter names to their values
+     */
+    getParameters() {
+        return this.contextParam;
+    }
+    /**
+     * Gets the name of the table to query.
+     *
+     * @returns {string} The table name
+     */
+    getTableName() {
+        return this.tableName;
+    }
+    /**
+     * Checks if Row-Level Security is enabled.
+     *
+     * @returns {boolean} True if RLS is enabled, false otherwise
+     */
+    isUseRLS() {
+        return this.rls;
+    }
+    /**
+     * Gets the list of field names required for RLS validation.
+     *
+     * @returns {string[]} Array of field names that must be present in SELECT clause for RLS
+     */
+    userScopeFields() {
+        return this.rlsFields;
+    }
+    /**
+     * Generates the WHERE clause for Row-Level Security filtering.
+     *
+     * @param {string} alias - The table alias to use in the WHERE clause
+     * @returns {string} SQL WHERE clause condition for RLS filtering
+     */
+    userScopeWhere(alias) {
+        return this.rlsWherePart(alias);
+    }
+}
+/**
+ * Builder class for creating RovoIntegrationSetting instances.
+ * Provides a fluent API for configuring Rovo query settings including context parameters and RLS.
+ *
+ * @class RovoIntegrationSettingCreatorImpl
+ * @implements {RovoIntegrationSettingCreator}
+ */
+class RovoIntegrationSettingCreatorImpl {
+    tableName;
+    accountId;
+    contextParam = {};
+    rlsFields = [];
+    isUseRls = false;
+    isUseRlsConditional = async () => true;
+    wherePart = () => "";
+    /**
+     * Creates a new RovoIntegrationSettingCreatorImpl instance.
+     *
+     * @param {string} tableName - The name of the table to query
+     * @param {string} accountId - The account ID of the active user
+     */
+    constructor(tableName, accountId) {
+        this.tableName = tableName;
+        this.accountId = accountId;
+    }
+    /**
+     * Adds a context parameter for query substitution.
+     * Context parameters are replaced in the SQL query before execution.
+     *
+     * @param {string} parameterName - The parameter name to replace in the query
+     * @param {string} value - The value to substitute for the parameter
+     * @returns {RovoIntegrationSettingCreator} This builder instance for method chaining
+     *
+     * @example
+     * ```typescript
+     * builder.addContextParameter('{{projectKey}}', 'PROJ-123');
+     * ```
+     */
+    addContextParameter(parameterName, value) {
+        this.contextParam[parameterName] = value;
+        return this;
+    }
+    /**
+     * Enables Row-Level Security (RLS) for the query.
+     * Returns a RlsSettings builder for configuring RLS options.
+     *
+     * @returns {RlsSettings} RLS settings builder for configuring security options
+     *
+     * @example
+     * ```typescript
+     * builder.useRLS()
+     *   .addRlsColumn(usersTable.id)
+     *   .addRlsWherePart((alias) => `${alias}.id = '${accountId}'`)
+     *   .finish();
+     * ```
+     */
+    useRLS() {
+        const _this = this;
+        /**
+         * Internal implementation of RlsSettings interface.
+         * Provides fluent API for configuring Row-Level Security settings.
+         *
+         * @class RlsSettingsImpl
+         * @implements {RlsSettings}
+         */
+        return new (class RlsSettingsImpl {
+            isUseRlsConditionalSettings = async () => true;
+            rlsFieldsSettings = [];
+            wherePartSettings = () => "";
+            /**
+             * Sets a conditional function to determine if RLS should be applied.
+             *
+             * @param {() => Promise<boolean>} condition - Async function that returns true if RLS should be enabled
+             * @returns {RlsSettings} This builder instance for method chaining
+             *
+             * @example
+             * ```typescript
+             * .addRlsCondition(async () => {
+             *   const user = await getUser();
+             *   return !user.isAdmin;
+             * })
+             * ```
+             */
+            addRlsCondition(condition) {
+                this.isUseRlsConditionalSettings = condition;
+                return this;
+            }
+            /**
+             * Adds a column name that must be present in the SELECT clause for RLS validation.
+             *
+             * @param {string} columnName - The name of the column to require
+             * @returns {RlsSettings} This builder instance for method chaining
+             *
+             * @example
+             * ```typescript
+             * .addRlsColumnName('userId')
+             * ```
+             */
+            addRlsColumnName(columnName) {
+                this.rlsFieldsSettings.push(columnName);
+                return this;
+            }
+            /**
+             * Adds a Drizzle column that must be present in the SELECT clause for RLS validation.
+             *
+             * @param {MySqlColumn} column - The Drizzle column object
+             * @returns {RlsSettings} This builder instance for method chaining
+             *
+             * @example
+             * ```typescript
+             * .addRlsColumn(usersTable.userId)
+             * ```
+             */
+            addRlsColumn(column) {
+                this.rlsFieldsSettings.push(column.name);
+                return this;
+            }
+            /**
+             * Sets the WHERE clause function for RLS filtering.
+             * The function receives a table alias and should return a SQL WHERE condition.
+             *
+             * @param {(alias: string) => string} wherePart - Function that generates WHERE clause
+             * @returns {RlsSettings} This builder instance for method chaining
+             *
+             * @example
+             * ```typescript
+             * .addRlsWherePart((alias) => `${alias}.userId = '${accountId}'`)
+             * ```
+             */
+            addRlsWherePart(wherePart) {
+                this.wherePartSettings = wherePart;
+                return this;
+            }
+            /**
+             * Finishes RLS configuration and returns to the settings builder.
+             *
+             * @returns {RovoIntegrationSettingCreator} The parent settings builder
+             */
+            finish() {
+                _this.isUseRls = true;
+                this.rlsFieldsSettings.forEach((columnName) => _this.rlsFields.push(columnName));
+                _this.wherePart = this.wherePartSettings;
+                _this.isUseRlsConditional = this.isUseRlsConditionalSettings;
+                return _this;
+            }
+        })();
+    }
+    /**
+     * Builds and returns the RovoIntegrationSetting instance.
+     * Evaluates the RLS condition if RLS is enabled.
+     *
+     * @returns {Promise<RovoIntegrationSetting>} The configured RovoIntegrationSetting instance
+     *
+     * @example
+     * ```typescript
+     * const settings = await builder
+     *   .addContextParameter('{{projectKey}}', 'PROJ-123')
+     *   .useRLS()
+     *   .addRlsColumn(usersTable.id)
+     *   .addRlsWherePart((alias) => `${alias}.id = '${accountId}'`)
+     *   .finish()
+     *   .build();
+     * ```
+     */
+    async build() {
+        const useRls = this.isUseRls ? await this.isUseRlsConditional() : false;
+        return new RovoIntegrationSettingImpl(this.accountId, this.tableName, this.contextParam, useRls, this.rlsFields, this.wherePart);
+    }
+}
+/**
+ * Main class for Rovo integration - a secure pattern for natural-language analytics in Forge apps.
+ *
+ * Rovo provides a secure way to execute dynamic SQL queries with comprehensive security validations:
+ * - Only SELECT queries are allowed
+ * - Queries are restricted to a single table
+ * - JOINs, subqueries, and window functions are blocked
+ * - Row-Level Security (RLS) support for data isolation
+ * - Post-execution validation of query results
+ *
+ * @class Rovo
+ * @implements {RovoIntegration}
+ *
+ * @example
+ * ```typescript
+ * const rovo = forgeSQL.rovo();
+ * const settings = await rovo.rovoSettingBuilder(usersTable, accountId)
+ *   .useRLS()
+ *   .addRlsColumn(usersTable.id)
+ *   .addRlsWherePart((alias) => `${alias}.id = '${accountId}'`)
+ *   .finish()
+ *   .build();
+ *
+ * const result = await rovo.dynamicIsolatedQuery(
+ *   "SELECT id, name FROM users WHERE status = 'active'",
+ *   settings
+ * );
+ * ```
+ */
+class Rovo {
+    forgeOperations;
+    options;
+    /**
+     * Creates a new Rovo instance.
+     *
+     * @param {ForgeSqlOperation} forgeSqlOperations - The ForgeSQL operations instance for query analysis
+     * @param options - Configuration options for the ORM
+     */
+    constructor(forgeSqlOperations, options) {
+        this.forgeOperations = forgeSqlOperations;
+        this.options = options;
+    }
+    /**
+     * Parses SQL query into AST and validates it's a single SELECT statement
+     * @param sqlQuery - Normalized SQL query string
+     * @returns Parsed AST of the SELECT statement
+     * @throws Error if parsing fails or query is not a single SELECT statement
+     */
+    parseSqlQuery(sqlQuery) {
+        const parser = new node_sql_parser_1.Parser();
+        let ast;
+        try {
+            ast = parser.astify(sqlQuery);
+        }
+        catch (parseError) {
+            throw new Error(`SQL parsing error: ${parseError.message || "Invalid SQL syntax"}. Please check your query syntax.`);
+        }
+        // Validate that query is a SELECT statement
+        // Parser can return either an object (single statement) or an array (multiple statements)
+        if (Array.isArray(ast)) {
+            if (ast.length !== 1 || ast[0].type !== "select") {
+                throw new Error("Only a single SELECT query is allowed. Multiple statements or non-SELECT statements are not permitted.");
+            }
+            return ast[0];
+        }
+        else if (ast && ast.type === "select") {
+            return ast;
+        }
+        else {
+            throw new Error("Only SELECT queries are allowed.");
+        }
+    }
+    /**
+     * Recursively extracts all table names from SQL AST node
+     * @param node - AST node to extract tables from
+     * @returns Array of table names (uppercase)
+     */
+    extractTables(node) {
+        const tables = [];
+        if (node.type === "table" || node.type === "dual") {
+            if (node.table) {
+                const tableName = node.table === "dual" ? "dual" : node.table.name || node.table;
+                if (tableName && tableName !== "dual") {
+                    tables.push(tableName.toUpperCase());
+                }
+            }
+        }
+        if (node.from) {
+            if (Array.isArray(node.from)) {
+                node.from.forEach((fromItem) => {
+                    tables.push(...this.extractTables(fromItem));
+                });
+            }
+            else {
+                tables.push(...this.extractTables(node.from));
+            }
+        }
+        if (node.join) {
+            if (Array.isArray(node.join)) {
+                node.join.forEach((joinItem) => {
+                    tables.push(...this.extractTables(joinItem));
+                });
+            }
+            else {
+                tables.push(...this.extractTables(node.join));
+            }
+        }
+        return tables;
+    }
+    /**
+     * Recursively checks if AST node contains scalar subqueries
+     * @param node - AST node to check
+     * @returns true if node contains scalar subquery, false otherwise
+     */
+    hasScalarSubquery(node) {
+        if (!node)
+            return false;
+        if (node.type === "subquery" || (node.ast && node.ast.type === "select")) {
+            return true;
+        }
+        if (Array.isArray(node)) {
+            return node.some((item) => this.hasScalarSubquery(item));
+        }
+        if (typeof node === "object") {
+            return Object.values(node).some((value) => this.hasScalarSubquery(value));
+        }
+        return false;
+    }
+    /**
+     * Creates a settings builder for Rovo queries using a raw table name.
+     *
+     * @param {string} tableName - The name of the table to query
+     * @param {string} accountId - The account ID of the active user
+     * @returns {RovoIntegrationSettingCreator} Builder for configuring Rovo query settings
+     *
+     * @example
+     * ```typescript
+     * const builder = rovo.rovoRawSettingBuilder('users', accountId);
+     * ```
+     */
+    rovoRawSettingBuilder(tableName, accountId) {
+        return new RovoIntegrationSettingCreatorImpl(tableName, accountId);
+    }
+    /**
+     * Creates a settings builder for Rovo queries using a Drizzle table object.
+     *
+     * @param {AnyMySqlTable} table - The Drizzle table object
+     * @param {string} accountId - The account ID of the active user
+     * @returns {RovoIntegrationSettingCreator} Builder for configuring Rovo query settings
+     *
+     * @example
+     * ```typescript
+     * const builder = rovo.rovoSettingBuilder(usersTable, accountId);
+     * ```
+     */
+    rovoSettingBuilder(table, accountId) {
+        return this.rovoRawSettingBuilder((0, table_1.getTableName)(table), accountId);
+    }
+    /**
+     * Executes a dynamic SQL query with comprehensive security validations.
+     *
+     * This method performs multiple security checks:
+     * 1. Validates that the query is a SELECT statement
+     * 2. Ensures the query targets only the specified table
+     * 3. Blocks JOINs, subqueries, and window functions
+     * 4. Applies Row-Level Security filtering if enabled
+     * 5. Validates query results to ensure security fields are present
+     *
+     * @param {string} dynamicSql - The SQL query to execute (must be a SELECT statement)
+     * @param {RovoIntegrationSetting} settings - Configuration settings for the query
+     * @returns {Promise<Result<unknown>>} Query execution result with metadata
+     * @throws {Error} If the query violates security restrictions
+     *
+     * @example
+     * ```typescript
+     * const result = await rovo.dynamicIsolatedQuery(
+     *   "SELECT id, name, email FROM users WHERE status = 'active' ORDER BY name",
+     *   settings
+     * );
+     *
+     * console.log(result.rows); // Query results
+     * console.log(result.metadata); // Query metadata
+     * ```
+     */
+    async dynamicIsolatedQuery(dynamicSql, settings) {
+        const query = dynamicSql;
+        const tableName = settings.getTableName();
+        const accountId = settings.getActiveUser();
+        const parameters = settings.getParameters();
+        if (!query || !query.trim()) {
+            throw new Error("SQL query is required. Please provide a valid SELECT query.");
+        }
+        if (!tableName) {
+            throw new Error("Table Name is required. Please provide a valid Table Name.");
+        }
+        // Quick validation: check if query starts with SELECT (case-insensitive)
+        // This allows us to fail fast for non-SELECT queries before normalization
+        const trimmedQuery = query.trim();
+        const quickUpper = trimmedQuery.toUpperCase();
+        if (!quickUpper.startsWith("SELECT")) {
+            throw new Error("Only SELECT queries are allowed. Data modification operations (INSERT, UPDATE, DELETE, etc.) are not permitted.");
+        }
+        /**
+         * Normalizes SQL query using AST parsing and stringification.
+         * This approach is safer than regex-based normalization as it:
+         * - Avoids regex backtracking vulnerabilities
+         * - Preserves SQL semantics correctly
+         * - Handles complex SQL structures properly
+         *
+         * @param sql - SQL query string to normalize (must be a valid SELECT query)
+         * @returns Normalized SQL string
+         * @throws Error if parsing fails or query is invalid
+         */
+        const normalizeSqlString = (sql) => {
+            try {
+                const parser = new node_sql_parser_1.Parser();
+                // Parse SQL to AST
+                const ast = parser.astify(sql.trim());
+                // Validate it's a SELECT query before normalizing
+                if (Array.isArray(ast)) {
+                    if (ast.length !== 1 || ast[0].type !== "select") {
+                        throw new Error("Only a single SELECT query is allowed. Multiple statements or non-SELECT statements are not permitted.");
+                    }
+                }
+                else if (ast && ast.type !== "select") {
+                    throw new Error("Only SELECT queries are allowed.");
+                }
+                // Convert AST back to SQL (this normalizes formatting)
+                const normalized = parser.sqlify(Array.isArray(ast) ? ast[0] : ast);
+                // trim
+                return normalized.trim();
+            }
+            catch (error) {
+                // If it's a validation error we threw, re-throw it
+                if (error.message &&
+                    (error.message.includes("Only") || error.message.includes("single SELECT"))) {
+                    throw error;
+                }
+                // For parsing errors, wrap them in a more user-friendly message
+                // Check if error is already wrapped to avoid double wrapping
+                if (error.message && error.message.includes("SQL parsing error")) {
+                    throw error;
+                }
+                throw new Error(`SQL parsing error: ${error.message || "Invalid SQL syntax"}. Please check your query syntax.`);
+            }
+        };
+        let normalized;
+        try {
+            normalized = normalizeSqlString(trimmedQuery);
+        }
+        catch (error) {
+            // Re-throw validation errors as-is
+            if (error.message &&
+                (error.message.includes("Only") || error.message.includes("single SELECT"))) {
+                throw error;
+            }
+            // Check if error is already wrapped to avoid double wrapping
+            if (error.message && error.message.includes("SQL parsing error")) {
+                throw error;
+            }
+            // For other errors, wrap them
+            throw new Error(`SQL parsing error: ${error.message || "Invalid SQL syntax"}. Please check your query syntax.`);
+        }
+        const upperTableName = tableName.toUpperCase();
+        // Validate table name
+        // sqlify may add backticks, so we check for both formats: FROM table_name and FROM `table_name`
+        const tableNamePattern = new RegExp(`FROM\\s+[\`]?${upperTableName}[\`]?`, "i");
+        if (!tableNamePattern.test(normalized)) {
+            throw new Error("Queries must target the '" +
+                upperTableName +
+                "' table only. Other tables are not accessible.");
+        }
+        if (!accountId) {
+            throw new Error("Authentication error: User account ID is missing. Please ensure you are logged in.");
+        }
+        normalized = normalized.replaceAll("ari:cloud:identity::user/", "");
+        Object.entries(parameters).forEach(([key, value]) => {
+            normalized = normalized.replaceAll(key, value);
+        });
+        // Parse SQL query to validate structure before execution
+        const selectAst = this.parseSqlQuery(normalized);
+        // Extract all tables from the query
+        const tablesInQuery = this.extractTables(selectAst);
+        const uniqueTables = [...new Set(tablesInQuery)];
+        // Check that only table is used
+        const invalidTables = uniqueTables.filter((table) => table !== upperTableName);
+        if (invalidTables.length > 0) {
+            throw new Error(`Security violation: Query references table(s) other than '${tableName}': ${invalidTables.join(", ")}. ` +
+                `Only queries against the ${tableName} table are allowed. ` +
+                "JOINs, subqueries, or references to other tables are not permitted for security reasons.");
+        }
+        // Check for scalar subqueries in SELECT columns
+        if (selectAst.columns && Array.isArray(selectAst.columns)) {
+            const hasSubqueryInColumns = selectAst.columns.some((col) => {
+                if (col.expr) {
+                    return this.hasScalarSubquery(col.expr);
+                }
+                return this.hasScalarSubquery(col);
+            });
+            if (hasSubqueryInColumns) {
+                throw new Error("Security violation: Scalar subqueries in SELECT columns are not allowed. " +
+                    "Subqueries can be used to access data from other tables or bypass security restrictions. " +
+                    "Please rewrite your query without using subqueries in the SELECT clause.");
+            }
+        }
+        // Check for JOIN operations using EXPLAIN
+        const explainRows = await this.forgeOperations.analyze().explainRaw(normalized, []);
+        const hasJoin = explainRows.some((row) => {
+            const info = (row.operatorInfo ?? "").toUpperCase();
+            return (info.includes("JOIN") ||
+                info.includes("CARTESIAN") ||
+                info.includes("NESTED LOOP") ||
+                info.includes("HASH JOIN"));
+        });
+        if (hasJoin) {
+            throw new Error("Security violation: JOIN operations are not allowed. " +
+                `For security reasons, Rovo analytics only supports queries over the ${tableName} table without joins, subqueries, or references to other tables. ` +
+                `Please rewrite your query to use only the ${tableName} table.`);
+        }
+        // Detect window functions (e.g., COUNT(*) OVER(...), ROW_NUMBER() OVER(...))
+        // Window functions are not allowed for security
+        // Users should use regular aggregate functions with GROUP BY instead
+        const hasWindow = explainRows.some((row) => {
+            const id = row.id.toUpperCase();
+            const info = (row.operatorInfo ?? "").toUpperCase();
+            return id.includes("WINDOW") || info.includes(" OVER(") || info.includes(" OVER()");
+        });
+        if (hasWindow) {
+            throw new Error("Window functions (for example COUNT(*) OVER(...)) are not allowed in Rovo SQL for this app. " +
+                "Please rephrase your question so that it uses regular aggregates instead of window functions.");
+        }
+        // Check for references to other tables in the query execution plan
+        // This detects JOINs, subqueries, or any other references to tables other than expected
+        const tablesInPlan = explainRows.filter((row) => row.accessObject?.startsWith("table:") &&
+            row.accessObject?.toLowerCase() !== "table:" + tableName.toLowerCase());
+        if (tablesInPlan.length > 0) {
+            throw new Error(`Security violation: Query execution plan detected references to tables other than '${tableName.toLowerCase()}'. ` +
+                `Only queries against the ${tableName.toLowerCase()} table are allowed. ` +
+                "JOINs, subqueries, or references to other tables are not permitted for security reasons.");
+        }
+        // row-level security protection
+        const isUseRLSFiltering = settings.isUseRLS();
+        if (isUseRLSFiltering) {
+            if (normalized.endsWith(";")) {
+                normalized = normalized.slice(0, -1);
+            }
+            normalized = `
+            SELECT *
+            FROM (
+                     ${normalized}
+                     ) AS t
+            WHERE (${settings.userScopeWhere("t")})
+        `;
+        }
+        if (this.options.logRawSqlQuery) {
+            // eslint-disable-next-line no-console
+            console.debug("Rovo query: " + normalized);
+        }
+        const result = await sql_1.sql.executeRaw(normalized);
+        // Post-execution validation for non-admin users
+        // Verify that required security fields exist and come from table
+        // Also ensure all fields with orgTable come from (no JOINs or subqueries)
+        if (isUseRLSFiltering && result?.metadata?.fields) {
+            const fields = result.metadata.fields;
+            settings.userScopeFields().forEach((field) => {
+                const actualFields = fields.filter((f) => f.name.toLowerCase() === field?.toLowerCase());
+                if (actualFields.length === 0) {
+                    throw new Error(`Security validation failed: The query must include ${field} as a raw column in the SELECT statement. This field is required for row-level security enforcement.`);
+                }
+                const actualField = actualFields.find((f) => !f.orgTable || f.orgTable.toUpperCase() !== upperTableName);
+                if (actualField) {
+                    throw new Error(`Security validation failed: '${field}' must come directly from the ${upperTableName} table. Joins, subqueries, or table aliases that change the origin of this column are not allowed.`);
+                }
+            });
+            // Check that all fields with orgTable come from table
+            // (This prevents JOINs or subqueries that reference other tables)
+            // Note: Fields without orgTable (empty/undefined) are allowed - these are computed/calculated fields
+            // We only check fields that have orgTable set - if orgTable exists, it must be table
+            const fieldsFromOtherTables = fields.filter((f) => f.orgTable && f.orgTable.toUpperCase() !== upperTableName);
+            if (fieldsFromOtherTables.length > 0) {
+                throw new Error(`Security validation failed: All fields must come from the ${upperTableName} table. ` +
+                    "Fields from other tables detected, which indicates the use of JOINs, subqueries, or references to other tables. " +
+                    "This is not allowed for security reasons.");
+            }
+        }
+        return result;
+    }
+}
+exports.Rovo = Rovo;
+//# sourceMappingURL=Rovo.js.map

package/dist/core/Rovo.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"Rovo.js","sourceRoot":"","sources":["../../src/core/Rovo.ts"],"names":[],"mappings":";;;AAQA,oCAAyC;AACzC,qDAAiD;AAEjD,6CAAiD;AAEjD;;;;;;GAMG;AACH,MAAM,0BAA0B;IACb,SAAS,CAAS;IAClB,SAAS,CAAS;IAClB,YAAY,CAAyB;IACrC,GAAG,CAAU;IACb,SAAS,CAAW;IACpB,YAAY,CAA4B;IAEzD;;;;;;;;;OASG;IACH,YACE,SAAiB,EACjB,SAAiB,EACjB,YAAoC,EACpC,GAAY,EACZ,SAAmB,EACnB,YAAuC;QAEvC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACjC,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACnC,CAAC;IAED;;;;OAIG;IACH,aAAa;QACX,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;;;OAIG;IACH,aAAa;QACX,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED;;;;OAIG;IACH,YAAY;QACV,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;;;OAIG;IACH,QAAQ;QACN,OAAO,IAAI,CAAC,GAAG,CAAC;IAClB,CAAC;IAED;;;;OAIG;IACH,eAAe;QACb,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;;;;OAKG;IACH,cAAc,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,iCAAiC;IACpB,SAAS,CAAS;IAClB,SAAS,CAAS;IAClB,YAAY,GAA2B,EAAE,CAAC;IAC1C,SAAS,GAAa,EAAE,CAAC;IAClC,QAAQ,GAAY,KAAK,CAAC;IAC1B,mBAAmB,GAA2B,KAAK,IAAI,EAAE,CAAC,IAAI,CAAC;IAC/D,SAAS,GAA8B,GAAG,EAAE,CAAC,EAAE,CAAC;IAExD;;;;;OAKG;IACH,YAAY,SAAiB,EAAE,SAAiB;QAC9C,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,mBAAmB,CAAC,aAAqB,EAAE,KAAa;QACtD,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,MAAM;QACJ,MAAM,KAAK,GAAG,IAAI,CAAC;QACnB;;;;;;WAMG;QACH,OAAO,IAAI,CAAC,MAAM,eAAe;YACvB,2BAA2B,GAA2B,KAAK,IAAI,EAAE,CAAC,IAAI,CAAC;YACvE,iBAAiB,GAAa,EAAE,CAAC;YACjC,iBAAiB,GAA8B,GAAG,EAAE,CAAC,EAAE,CAAC;YAEhE;;;;;;;;;;;;;eAaG;YACH,eAAe,CAAC,SAAiC;gBAC/C,IAAI,CAAC,2BAA2B,GAAG,SAAS,CAAC;gBAC7C,OAAO,IAAI,CAAC;YACd,CAAC;YAED;;;;;;;;;;eAUG;YACH,gBAAgB,CAAC,UAAkB;gBACjC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBACxC,OAAO,IAAI,CAAC;YACd,CAAC;YAED;;;;;;;;;;eAUG;YACH,YAAY,CAAC,MAAmB;gBAC9B,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBACzC,OAAO,IAAI,CAAC;YACd,CAAC;YAED;;;;;;;;;;;eAWG;YACH,eAAe,CAAC,SAAoC;gBAClD,IAAI,CAAC,iBAAiB,GAAG,SAAS,CAAC;gBACnC,OAAO,IAAI,CAAC;YACd,CAAC;YAED;;;;eAIG;YACH,MAAM;gBACJ,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC;gBACtB,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;gBACjF,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC;gBACzC,KAAK,CAAC,mBAAmB,GAAG,IAAI,CAAC,2BAA2B,CAAC;gBAC7D,OAAO,KAAK,CAAC;YACf,CAAC;SACF,CAAC,EAAE,CAAC;IACP,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,KAAK;QACT,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,mBAAmB,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;QACxE,OAAO,IAAI,0BAA0B,CACnC,IAAI,CAAC,SAAS,EACd,IAAI,CAAC,SAAS,EACd,IAAI,CAAC,YAAY,EACjB,MAAM,EACN,IAAI,CAAC,SAAS,EACd,IAAI,CAAC,SAAS,CACf,CAAC;IACJ,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAa,IAAI;IACE,eAAe,CAAoB;IACnC,OAAO,CAAqB;IAC7C;;;;;OAKG;IACH,YAAY,kBAAqC,EAAE,OAA2B;QAC5E,IAAI,CAAC,eAAe,GAAG,kBAAkB,CAAC;QAC1C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;;;;OAKG;IACK,aAAa,CAAC,QAAgB;QACpC,MAAM,MAAM,GAAG,IAAI,wBAAM,EAAE,CAAC;QAC5B,IAAI,GAAG,CAAC;QACR,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;QAAC,OAAO,UAAe,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CACb,sBAAsB,UAAU,CAAC,OAAO,IAAI,oBAAoB,mCAAmC,CACpG,CAAC;QACJ,CAAC;QAED,4CAA4C;QAC5C,0FAA0F;QAC1F,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACjD,MAAM,IAAI,KAAK,CACb,wGAAwG,CACzG,CAAC;YACJ,CAAC;YACD,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;QAChB,CAAC;aAAM,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACxC,OAAO,GAAG,CAAC;QACb,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,aAAa,CAAC,IAAS;QAC7B,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAClD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACf,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC;gBACjF,IAAI,SAAS,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;oBACtC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC;gBACvC,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAa,EAAE,EAAE;oBAClC,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAC/C,CAAC,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAa,EAAE,EAAE;oBAClC,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAC/C,CAAC,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;OAIG;IACK,iBAAiB,CAAC,IAAS;QACjC,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QAExB,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;YACzE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;QAC3D,CAAC;QAED,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC;QAC5E,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;;;;;;;OAWG;IACH,qBAAqB,CAAC,SAAiB,EAAE,SAAiB;QACxD,OAAO,IAAI,iCAAiC,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IACrE,CAAC;IAED;;;;;;;;;;;OAWG;IACH,kBAAkB,CAAC,KAAoB,EAAE,SAAiB;QACxD,OAAO,IAAI,CAAC,qBAAqB,CAAC,IAAA,oBAAY,EAAC,KAAK,CAAC,EAAE,SAAS,CAAC,CAAC;IACpE,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;IACH,KAAK,CAAC,oBAAoB,CACxB,UAAkB,EAClB,QAAgC;QAEhC,MAAM,KAAK,GAAW,UAAU,CAAC;QACjC,MAAM,SAAS,GAAG,QAAQ,CAAC,YAAY,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,QAAQ,CAAC,aAAa,EAAE,CAAC;QAC3C,MAAM,UAAU,GAAG,QAAQ,CAAC,aAAa,EAAE,CAAC;QAC5C,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;QACjF,CAAC;QACD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QAED,yEAAyE;QACzE,0EAA0E;QAC1E,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAClC,MAAM,UAAU,GAAG,YAAY,CAAC,WAAW,EAAE,CAAC;QAC9C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CACb,iHAAiH,CAClH,CAAC;QACJ,CAAC;QAED;;;;;;;;;;WAUG;QACH,MAAM,kBAAkB,GAAG,CAAC,GAAW,EAAU,EAAE;YACjD,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,wBAAM,EAAE,CAAC;gBAC5B,mBAAmB;gBACnB,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;gBACtC,kDAAkD;gBAClD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;oBACvB,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;wBACjD,MAAM,IAAI,KAAK,CACb,wGAAwG,CACzG,CAAC;oBACJ,CAAC;gBACH,CAAC;qBAAM,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;gBACtD,CAAC;gBACD,uDAAuD;gBACvD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;gBACpE,OAAO;gBACP,OAAO,UAAU,CAAC,IAAI,EAAE,CAAC;YAC3B,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBACpB,mDAAmD;gBACnD,IACE,KAAK,CAAC,OAAO;oBACb,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,EAC3E,CAAC;oBACD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,gEAAgE;gBAChE,6DAA6D;gBAC7D,IAAI,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;oBACjE,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,MAAM,IAAI,KAAK,CACb,sBAAsB,KAAK,CAAC,OAAO,IAAI,oBAAoB,mCAAmC,CAC/F,CAAC;YACJ,CAAC;QACH,CAAC,CAAC;QACF,IAAI,UAAkB,CAAC;QACvB,IAAI,CAAC;YACH,UAAU,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,mCAAmC;YACnC,IACE,KAAK,CAAC,OAAO;gBACb,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,EAC3E,CAAC;gBACD,MAAM,KAAK,CAAC;YACd,CAAC;YACD,6DAA6D;YAC7D,IAAI,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;gBACjE,MAAM,KAAK,CAAC;YACd,CAAC;YACD,8BAA8B;YAC9B,MAAM,IAAI,KAAK,CACb,sBAAsB,KAAK,CAAC,OAAO,IAAI,oBAAoB,mCAAmC,CAC/F,CAAC;QACJ,CAAC;QAED,MAAM,cAAc,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;QAC/C,sBAAsB;QACtB,gGAAgG;QAChG,MAAM,gBAAgB,GAAG,IAAI,MAAM,CAAC,gBAAgB,cAAc,OAAO,EAAE,GAAG,CAAC,CAAC;QAChF,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CACb,2BAA2B;gBACzB,cAAc;gBACd,gDAAgD,CACnD,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,oFAAoF,CACrF,CAAC;QACJ,CAAC;QACD,UAAU,GAAG,UAAU,CAAC,UAAU,CAAC,2BAA2B,EAAE,EAAE,CAAC,CAAC;QACpE,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;YAClD,UAAU,GAAG,UAAU,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,yDAAyD;QACzD,MAAM,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;QAEjD,oCAAoC;QACpC,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;QACpD,MAAM,YAAY,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC;QAEjD,gCAAgC;QAChC,MAAM,aAAa,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,cAAc,CAAC,CAAC;QAE/E,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CACb,6DAA6D,SAAS,MAAM,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;gBACtG,4BAA4B,SAAS,sBAAsB;gBAC3D,0FAA0F,CAC7F,CAAC;QACJ,CAAC;QAED,gDAAgD;QAChD,IAAI,SAAS,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1D,MAAM,oBAAoB,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,GAAQ,EAAE,EAAE;gBAC/D,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;oBACb,OAAO,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBAC1C,CAAC;gBACD,OAAO,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;YACrC,CAAC,CAAC,CAAC;YAEH,IAAI,oBAAoB,EAAE,CAAC;gBACzB,MAAM,IAAI,KAAK,CACb,2EAA2E;oBACzE,2FAA2F;oBAC3F,0EAA0E,CAC7E,CAAC;YACJ,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAEpF,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE;YACvC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YACpD,OAAO,CACL,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACrB,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC1B,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAC5B,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAC3B,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,uDAAuD;gBACrD,uEAAuE,SAAS,mEAAmE;gBACnJ,6CAA6C,SAAS,SAAS,CAClE,CAAC;QACJ,CAAC;QAED,6EAA6E;QAC7E,gDAAgD;QAChD,qEAAqE;QACrE,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE;YACzC,MAAM,EAAE,GAAG,GAAG,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YACpD,OAAO,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACtF,CAAC,CAAC,CAAC;QAEH,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CACb,8FAA8F;gBAC5F,+FAA+F,CAClG,CAAC;QACJ,CAAC;QAED,mEAAmE;QACnE,wFAAwF;QACxF,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,CACrC,CAAC,GAAG,EAAE,EAAE,CACN,GAAG,CAAC,YAAY,EAAE,UAAU,CAAC,QAAQ,CAAC;YACtC,GAAG,CAAC,YAAY,EAAE,WAAW,EAAE,KAAK,QAAQ,GAAG,SAAS,CAAC,WAAW,EAAE,CACzE,CAAC;QACF,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CACb,sFAAsF,SAAS,CAAC,WAAW,EAAE,KAAK;gBAChH,4BAA4B,SAAS,CAAC,WAAW,EAAE,sBAAsB;gBACzE,0FAA0F,CAC7F,CAAC;QACJ,CAAC;QAED,gCAAgC;QAChC,MAAM,iBAAiB,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAC9C,IAAI,iBAAiB,EAAE,CAAC;YACtB,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC7B,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACvC,CAAC;YAED,UAAU,GAAG;;;uBAGI,UAAU;;qBAEZ,QAAQ,CAAC,cAAc,CAAC,GAAG,CAAC;SACxC,CAAC;QACN,CAAC;QACD,IAAI,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;YAChC,sCAAsC;YACtC,OAAO,CAAC,KAAK,CAAC,cAAc,GAAG,UAAU,CAAC,CAAC;QAC7C,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,SAAG,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAEhD,gDAAgD;QAChD,iEAAiE;QACjE,0EAA0E;QAC1E,IAAI,iBAAiB,IAAI,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;YAClD,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,MAK7B,CAAC;YAEH,QAAQ,CAAC,eAAe,EAAE,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;gBAC3C,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;gBACzF,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC9B,MAAM,IAAI,KAAK,CACb,sDAAsD,KAAK,sGAAsG,CAClK,CAAC;gBACJ,CAAC;gBACD,MAAM,WAAW,GAAG,YAAY,CAAC,IAAI,CACnC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,cAAc,CAClE,CAAC;gBACF,IAAI,WAAW,EAAE,CAAC;oBAChB,MAAM,IAAI,KAAK,CACb,gCAAgC,KAAK,iCAAiC,cAAc,oGAAoG,CACzL,CAAC;gBACJ,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,sDAAsD;YACtD,kEAAkE;YAClE,qGAAqG;YACrG,qFAAqF;YACrF,MAAM,qBAAqB,GAAG,MAAM,CAAC,MAAM,CACzC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,cAAc,CACjE,CAAC;YACF,IAAI,qBAAqB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,KAAK,CACb,6DAA6D,cAAc,UAAU;oBACnF,kHAAkH;oBAClH,2CAA2C,CAC9C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAvbD,oBAubC"}