guardrail-compliance 1.0.0

package/dist/audit/events.js

@@ -0,0 +1,267 @@
+"use strict";
+/**
+ * Audit Trail Event Schema
+ *
+ * Comprehensive audit logging for Compliance+ tier.
+ * All events are hash-chained for tamper evidence.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditActions = exports.AuditEventSchema = exports.AuditEventMetadataSchema = void 0;
+exports.redactSensitive = redactSensitive;
+exports.redactMetadataForTier = redactMetadataForTier;
+exports.computeEventHash = computeEventHash;
+exports.verifyEventHash = verifyEventHash;
+exports.createAuditEvent = createAuditEvent;
+const zod_1 = require("zod");
+const crypto_1 = require("crypto");
+// Zod schemas for validation
+exports.AuditEventMetadataSchema = zod_1.z.object({
+    // Command/action specific data
+    command: zod_1.z.string().optional(),
+    args: zod_1.z.array(zod_1.z.string()).optional(),
+    flags: zod_1.z.record(zod_1.z.unknown()).optional(),
+    // Results
+    score: zod_1.z.number().optional(),
+    grade: zod_1.z.string().optional(),
+    issueCount: zod_1.z.number().optional(),
+    fixCount: zod_1.z.number().optional(),
+    // Context
+    projectPath: zod_1.z.string().optional(),
+    gitBranch: zod_1.z.string().optional(),
+    gitCommit: zod_1.z.string().optional(),
+    // Performance
+    durationMs: zod_1.z.number().optional(),
+    // Error info (if result is error)
+    errorCode: zod_1.z.string().optional(),
+    errorMessage: zod_1.z.string().optional(),
+    // Custom metadata
+    custom: zod_1.z.record(zod_1.z.unknown()).optional(),
+}).passthrough();
+exports.AuditEventSchema = zod_1.z.object({
+    // Core identity
+    id: zod_1.z.string().uuid(),
+    timestamp: zod_1.z.string().datetime(),
+    // Actor information
+    actor: zod_1.z.object({
+        id: zod_1.z.string(),
+        type: zod_1.z.enum(['user', 'system', 'ci', 'api']),
+        name: zod_1.z.string().optional(),
+        email: zod_1.z.string().email().optional(),
+        ip: zod_1.z.string().optional(),
+    }),
+    // Event classification
+    surface: zod_1.z.enum(['cli', 'vscode', 'mcp', 'web', 'api', 'ci']),
+    action: zod_1.z.string(),
+    category: zod_1.z.enum(['scan', 'ship', 'reality', 'autopilot', 'fix', 'gate', 'auth', 'config', 'export', 'ai', 'tool', 'system']),
+    // Target of the action
+    target: zod_1.z.object({
+        type: zod_1.z.string(),
+        id: zod_1.z.string().optional(),
+        path: zod_1.z.string().optional(),
+        name: zod_1.z.string().optional(),
+    }),
+    // Access control
+    tier: zod_1.z.enum(['free', 'starter', 'pro', 'compliance', 'enterprise', 'unlimited']),
+    // Outcome
+    result: zod_1.z.enum(['success', 'failure', 'partial', 'skipped', 'error']),
+    // Additional context (tier-gated)
+    metadata: exports.AuditEventMetadataSchema.optional(),
+    // Hash chain for tamper evidence
+    hash: zod_1.z.string(),
+    prevHash: zod_1.z.string(),
+    // Version for schema evolution
+    version: zod_1.z.literal(1),
+});
+// Redaction patterns for sensitive data
+const REDACTION_PATTERNS = [
+    // API keys
+    /(?:api[_-]?key|apikey|token|secret|password|pwd|auth)[=:]\s*['"]?([a-zA-Z0-9_\-]{16,})['"]?/gi,
+    // JWT tokens
+    /eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g,
+    // AWS keys
+    /(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}/g,
+    // Generic secrets
+    /(?:sk_live_|sk_test_|pk_live_|pk_test_)[a-zA-Z0-9]+/g,
+    // Email addresses (partial redaction)
+    /([a-zA-Z0-9._%+-]+)@([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})/g,
+];
+/**
+ * Redact sensitive information from a string
+ */
+function redactSensitive(input) {
+    let result = input;
+    for (const pattern of REDACTION_PATTERNS) {
+        result = result.replace(pattern, (match, ...groups) => {
+            // For email, keep domain
+            if (match.includes('@')) {
+                return `[REDACTED]@${groups[1]}`;
+            }
+            // For other patterns, show type hint
+            const typeHint = match.slice(0, 4).toLowerCase();
+            return `[REDACTED:${typeHint}...]`;
+        });
+    }
+    return result;
+}
+/**
+ * Redact metadata based on tier
+ * - Compliance+: Full metadata
+ * - Pro: Limited metadata (no prompt bodies)
+ * - Free/Starter: Minimal (action + result only)
+ */
+function redactMetadataForTier(metadata, tier) {
+    if (!metadata)
+        return undefined;
+    // Compliance+ and Enterprise get full metadata (still redact secrets)
+    if (tier === 'compliance' || tier === 'enterprise' || tier === 'unlimited') {
+        return redactMetadataSecrets(metadata);
+    }
+    // Pro gets limited metadata
+    if (tier === 'pro') {
+        const limited = {
+            command: metadata.command,
+            score: metadata.score,
+            grade: metadata.grade,
+            issueCount: metadata.issueCount,
+            fixCount: metadata.fixCount,
+            durationMs: metadata.durationMs,
+            errorCode: metadata.errorCode,
+        };
+        return redactMetadataSecrets(limited);
+    }
+    // Free/Starter get minimal
+    return {
+        score: metadata.score,
+        grade: metadata.grade,
+    };
+}
+/**
+ * Recursively redact secrets from metadata
+ */
+function redactMetadataSecrets(metadata) {
+    const result = {};
+    for (const [key, value] of Object.entries(metadata)) {
+        if (value === undefined)
+            continue;
+        if (typeof value === 'string') {
+            result[key] = redactSensitive(value);
+        }
+        else if (Array.isArray(value)) {
+            result[key] = value.map(v => typeof v === 'string' ? redactSensitive(v) : v);
+        }
+        else if (typeof value === 'object' && value !== null) {
+            result[key] = redactMetadataSecrets(value);
+        }
+        else {
+            result[key] = value;
+        }
+    }
+    return result;
+}
+/**
+ * Compute SHA-256 hash of event for chain integrity
+ */
+function computeEventHash(event) {
+    const payload = JSON.stringify({
+        id: event.id,
+        timestamp: event.timestamp,
+        actor: event.actor,
+        surface: event.surface,
+        action: event.action,
+        category: event.category,
+        target: event.target,
+        tier: event.tier,
+        result: event.result,
+        metadata: event.metadata,
+        prevHash: event.prevHash,
+        version: event.version,
+    });
+    return (0, crypto_1.createHash)('sha256').update(payload).digest('hex');
+}
+/**
+ * Verify hash chain integrity
+ */
+function verifyEventHash(event) {
+    const { hash, ...eventWithoutHash } = event;
+    const computedHash = computeEventHash(eventWithoutHash);
+    return computedHash === hash;
+}
+/**
+ * Create a new audit event with proper hash chaining
+ */
+function createAuditEvent(input, prevHash = '0'.repeat(64) // Genesis hash
+) {
+    const id = crypto.randomUUID();
+    const timestamp = new Date().toISOString();
+    // Redact metadata based on tier
+    const redactedMetadata = redactMetadataForTier(input.metadata, input.tier);
+    const eventWithoutHash = {
+        id,
+        timestamp,
+        actor: input.actor,
+        surface: input.surface,
+        action: input.action,
+        category: input.category,
+        target: input.target,
+        tier: input.tier,
+        result: input.result,
+        metadata: redactedMetadata,
+        prevHash,
+        version: 1,
+    };
+    const hash = computeEventHash(eventWithoutHash);
+    return {
+        ...eventWithoutHash,
+        hash,
+    };
+}
+// Pre-defined action types for consistency
+exports.AuditActions = {
+    // Scan actions
+    SCAN_START: 'scan.start',
+    SCAN_COMPLETE: 'scan.complete',
+    SCAN_ERROR: 'scan.error',
+    // Ship actions
+    SHIP_CHECK: 'ship.check',
+    SHIP_APPROVE: 'ship.approve',
+    SHIP_REJECT: 'ship.reject',
+    // Reality actions
+    REALITY_START: 'reality.start',
+    REALITY_COMPLETE: 'reality.complete',
+    REALITY_ERROR: 'reality.error',
+    // Autopilot actions
+    AUTOPILOT_ENABLE: 'autopilot.enable',
+    AUTOPILOT_DISABLE: 'autopilot.disable',
+    AUTOPILOT_RUN: 'autopilot.run',
+    AUTOPILOT_REPORT: 'autopilot.report',
+    // Fix actions
+    FIX_PLAN: 'fix.plan',
+    FIX_APPLY: 'fix.apply',
+    FIX_REVERT: 'fix.revert',
+    // Gate actions
+    GATE_CHECK: 'gate.check',
+    GATE_PASS: 'gate.pass',
+    GATE_FAIL: 'gate.fail',
+    // Auth actions
+    AUTH_LOGIN: 'auth.login',
+    AUTH_LOGOUT: 'auth.logout',
+    AUTH_TOKEN_REFRESH: 'auth.token_refresh',
+    // Config actions
+    CONFIG_UPDATE: 'config.update',
+    CONFIG_RESET: 'config.reset',
+    // Export actions
+    EXPORT_REPORT: 'export.report',
+    EXPORT_AUDIT: 'export.audit',
+    // AI actions
+    AI_VALIDATE: 'ai.validate',
+    AI_SUGGEST: 'ai.suggest',
+    AI_CHECKPOINT: 'ai.checkpoint',
+    // MCP Tool actions
+    TOOL_INVOKE: 'tool.invoke',
+    TOOL_COMPLETE: 'tool.complete',
+    TOOL_ERROR: 'tool.error',
+    // System actions
+    SYSTEM_INIT: 'system.init',
+    SYSTEM_UPGRADE: 'system.upgrade',
+    SYSTEM_ERROR: 'system.error',
+};

package/dist/audit/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Audit Trail Module
+ *
+ * Comprehensive audit logging for Compliance+ tier.
+ * Exports all audit functionality.
+ */
+export * from './events';
+export * from './storage';
+export { audit, configureAudit, emit, emitAction, emitScanStart, emitScanComplete, emitShipCheck, emitRealityStart, emitRealityComplete, emitAutopilotAction, emitFixPlan, emitFixApply, emitGateCheck, emitToolInvoke, emitAuth, hasFullAuditAccess, } from './emitter';
+export { default } from './emitter';
+//# sourceMappingURL=index.d.ts.map

package/dist/audit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,cAAc,UAAU,CAAC;AAGzB,cAAc,WAAW,CAAC;AAG1B,OAAO,EACL,KAAK,EACL,cAAc,EACd,IAAI,EACJ,UAAU,EACV,aAAa,EACb,gBAAgB,EAChB,aAAa,EACb,gBAAgB,EAChB,mBAAmB,EACnB,mBAAmB,EACnB,WAAW,EACX,YAAY,EACZ,aAAa,EACb,cAAc,EACd,QAAQ,EACR,kBAAkB,GACnB,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC"}

package/dist/audit/index.js

@@ -0,0 +1,51 @@
+"use strict";
+/**
+ * Audit Trail Module
+ *
+ * Comprehensive audit logging for Compliance+ tier.
+ * Exports all audit functionality.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = exports.hasFullAuditAccess = exports.emitAuth = exports.emitToolInvoke = exports.emitGateCheck = exports.emitFixApply = exports.emitFixPlan = exports.emitAutopilotAction = exports.emitRealityComplete = exports.emitRealityStart = exports.emitShipCheck = exports.emitScanComplete = exports.emitScanStart = exports.emitAction = exports.emit = exports.configureAudit = exports.audit = void 0;
+// Event types and schemas
+__exportStar(require("./events"), exports);
+// Storage adapters
+__exportStar(require("./storage"), exports);
+// Emitter (main API)
+var emitter_1 = require("./emitter");
+Object.defineProperty(exports, "audit", { enumerable: true, get: function () { return emitter_1.audit; } });
+Object.defineProperty(exports, "configureAudit", { enumerable: true, get: function () { return emitter_1.configureAudit; } });
+Object.defineProperty(exports, "emit", { enumerable: true, get: function () { return emitter_1.emit; } });
+Object.defineProperty(exports, "emitAction", { enumerable: true, get: function () { return emitter_1.emitAction; } });
+Object.defineProperty(exports, "emitScanStart", { enumerable: true, get: function () { return emitter_1.emitScanStart; } });
+Object.defineProperty(exports, "emitScanComplete", { enumerable: true, get: function () { return emitter_1.emitScanComplete; } });
+Object.defineProperty(exports, "emitShipCheck", { enumerable: true, get: function () { return emitter_1.emitShipCheck; } });
+Object.defineProperty(exports, "emitRealityStart", { enumerable: true, get: function () { return emitter_1.emitRealityStart; } });
+Object.defineProperty(exports, "emitRealityComplete", { enumerable: true, get: function () { return emitter_1.emitRealityComplete; } });
+Object.defineProperty(exports, "emitAutopilotAction", { enumerable: true, get: function () { return emitter_1.emitAutopilotAction; } });
+Object.defineProperty(exports, "emitFixPlan", { enumerable: true, get: function () { return emitter_1.emitFixPlan; } });
+Object.defineProperty(exports, "emitFixApply", { enumerable: true, get: function () { return emitter_1.emitFixApply; } });
+Object.defineProperty(exports, "emitGateCheck", { enumerable: true, get: function () { return emitter_1.emitGateCheck; } });
+Object.defineProperty(exports, "emitToolInvoke", { enumerable: true, get: function () { return emitter_1.emitToolInvoke; } });
+Object.defineProperty(exports, "emitAuth", { enumerable: true, get: function () { return emitter_1.emitAuth; } });
+Object.defineProperty(exports, "hasFullAuditAccess", { enumerable: true, get: function () { return emitter_1.hasFullAuditAccess; } });
+// Default export
+var emitter_2 = require("./emitter");
+Object.defineProperty(exports, "default", { enumerable: true, get: function () { return __importDefault(emitter_2).default; } });

package/dist/audit/storage.d.ts

@@ -0,0 +1,93 @@
+/**
+ * Audit Trail Storage
+ *
+ * Hash-chained JSONL storage with adapter interface for future extensibility.
+ * Default: Local file storage at .guardrail/audit/audit.log.jsonl
+ */
+import { AuditEvent } from './events';
+export interface AuditStorageAdapter {
+    append(event: AuditEvent): Promise<void>;
+    getLastHash(): Promise<string>;
+    read(options?: AuditReadOptions): Promise<AuditEvent[]>;
+    tail(count: number): Promise<AuditEvent[]>;
+    validateChain(): Promise<AuditChainValidation>;
+    export(format: 'json' | 'csv', options?: AuditExportOptions): Promise<string>;
+    clear(): Promise<void>;
+}
+export interface AuditReadOptions {
+    limit?: number;
+    offset?: number;
+    startDate?: Date;
+    endDate?: Date;
+    surface?: string;
+    category?: string;
+    action?: string;
+    actorId?: string;
+    result?: string;
+}
+export interface AuditExportOptions {
+    startDate?: Date;
+    endDate?: Date;
+    includeMetadata?: boolean;
+}
+export interface AuditChainValidation {
+    valid: boolean;
+    totalEvents: number;
+    validEvents: number;
+    invalidEvents: number;
+    brokenLinks: Array<{
+        index: number;
+        eventId: string;
+        expectedPrevHash: string;
+        actualPrevHash: string;
+    }>;
+    tamperedEvents: Array<{
+        index: number;
+        eventId: string;
+        reason: string;
+    }>;
+}
+/**
+ * Local JSONL file storage adapter
+ */
+export declare class LocalJSONLStorage implements AuditStorageAdapter {
+    private filePath;
+    private lastHash;
+    private initialized;
+    constructor(basePath?: string);
+    private ensureDir;
+    private initialize;
+    append(event: AuditEvent): Promise<void>;
+    getLastHash(): Promise<string>;
+    read(options?: AuditReadOptions): Promise<AuditEvent[]>;
+    tail(count: number): Promise<AuditEvent[]>;
+    validateChain(): Promise<AuditChainValidation>;
+    export(format: 'json' | 'csv', options?: AuditExportOptions): Promise<string>;
+    clear(): Promise<void>;
+    getFilePath(): string;
+}
+/**
+ * Server storage adapter (placeholder for future implementation)
+ */
+export declare class ServerStorageAdapter implements AuditStorageAdapter {
+    private apiUrl;
+    private apiKey;
+    constructor(apiUrl: string, apiKey: string);
+    append(_event: AuditEvent): Promise<void>;
+    getLastHash(): Promise<string>;
+    read(_options?: AuditReadOptions): Promise<AuditEvent[]>;
+    tail(_count: number): Promise<AuditEvent[]>;
+    validateChain(): Promise<AuditChainValidation>;
+    export(_format: 'json' | 'csv', _options?: AuditExportOptions): Promise<string>;
+    clear(): Promise<void>;
+}
+/**
+ * Factory function to create storage adapter based on configuration
+ */
+export declare function createStorageAdapter(config?: {
+    type?: 'local' | 'server';
+    basePath?: string;
+    apiUrl?: string;
+    apiKey?: string;
+}): AuditStorageAdapter;
+//# sourceMappingURL=storage.d.ts.map

package/dist/audit/storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../src/audit/storage.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,EACL,UAAU,EAEX,MAAM,UAAU,CAAC;AAGlB,MAAM,WAAW,mBAAmB;IAClC,MAAM,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACzC,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/B,IAAI,CAAC,OAAO,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IACxD,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IAC3C,aAAa,IAAI,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC/C,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,EAAE,OAAO,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9E,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,OAAO,CAAC,EAAE,IAAI,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,OAAO,CAAC,EAAE,IAAI,CAAC;IACf,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,OAAO,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,KAAK,CAAC;QACjB,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,CAAC;QAChB,gBAAgB,EAAE,MAAM,CAAC;QACzB,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC,CAAC;IACH,cAAc,EAAE,KAAK,CAAC;QACpB,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;CACJ;AAKD;;GAEG;AACH,qBAAa,iBAAkB,YAAW,mBAAmB;IAC3D,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,QAAQ,CAAwB;IACxC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,QAAQ,GAAE,MAAsB;YAK9B,SAAS;YAOT,UAAU;IAgBlB,MAAM,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAQxC,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;IAK9B,IAAI,CAAC,OAAO,GAAE,gBAAqB,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAiD3D,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IA4B1C,aAAa,IAAI,OAAO,CAAC,oBAAoB,CAAC;IAwE9C,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,EAAE,OAAO,GAAE,kBAAuB,GAAG,OAAO,CAAC,MAAM,CAAC;IA0DjF,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAQ5B,WAAW,IAAI,MAAM;CAGtB;AAED;;GAEG;AACH,qBAAa,oBAAqB,YAAW,mBAAmB;IAC9D,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,MAAM,CAAS;gBAEX,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAKpC,MAAM,CAAC,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAMzC,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;IAI9B,IAAI,CAAC,QAAQ,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAIxD,IAAI,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAI3C,aAAa,IAAI,OAAO,CAAC,oBAAoB,CAAC;IAI9C,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,KAAK,EAAE,QAAQ,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC;IAI/E,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAG7B;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,CAAC,EAAE;IAC5C,IAAI,CAAC,EAAE,OAAO,GAAG,QAAQ,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GAAG,mBAAmB,CAQtB"}