kastell 2.2.3 → 2.2.5

package/dist/core/lock.js

@@ -1,556 +0,0 @@
-import { sshExec, assertValidIp } from "../utils/ssh.js";
-import { buildHardeningCommand, buildFail2banCommand, buildKeyCheckCommand } from "./secure.js";
-import { buildFirewallSetupCommand } from "./firewall.js";
-import { runAudit } from "./audit/index.js";
-import { raw } from "../utils/sshCommand.js";
-import { LOCK_FIREWALL_TIMEOUT_MS, LOCK_UPGRADES_TIMEOUT_MS, LOCK_PACKAGES_TIMEOUT_MS, WEAK_CIPHERS, WEAK_MACS, WEAK_KEX } from "../constants.js";
-import { getErrorMessage } from "../utils/errorMapper.js";
-// ─── Command Builders ────────────────────────────────────────────────────────
-export function buildSysctlHardeningCommand() {
-    const settings = [
-        // Existing baseline settings
-        "net.ipv4.conf.all.accept_redirects=0",
-        "net.ipv4.conf.default.accept_redirects=0",
-        "net.ipv4.conf.all.accept_source_route=0",
-        "net.ipv4.conf.default.accept_source_route=0",
-        "net.ipv4.conf.all.log_martians=1",
-        "net.ipv4.tcp_syncookies=1",
-        "kernel.randomize_va_space=2",
-        "net.ipv4.icmp_echo_ignore_broadcasts=1",
-        // Deep kernel hardening (CIS L2)
-        "kernel.dmesg_restrict=1",
-        "kernel.kptr_restrict=1",
-        "fs.suid_dumpable=0",
-        "net.core.bpf_jit_harden=1",
-        "kernel.unprivileged_bpf_disabled=1",
-        // Reverse path filter — loose mode (2) to not break Docker bridge networking
-        "net.ipv4.conf.all.rp_filter=2",
-        "net.ipv4.conf.default.rp_filter=2",
-        // Disable ICMP redirect sending
-        "net.ipv4.conf.all.send_redirects=0",
-        "net.ipv4.conf.default.send_redirects=0",
-        // Disable secure redirects
-        "net.ipv4.conf.all.secure_redirects=0",
-        "net.ipv4.conf.default.secure_redirects=0",
-        // IPv6 redirect hardening
-        "net.ipv6.conf.all.accept_redirects=0",
-        "net.ipv6.conf.default.accept_redirects=0",
-    ].join("\\n");
-    return raw([
-        `printf '${settings}\\n' > /etc/sysctl.d/99-kastell.conf`,
-        "sysctl -p /etc/sysctl.d/99-kastell.conf 2>/dev/null || true",
-    ].join(" && "));
-}
-export function buildUnattendedUpgradesCommand() {
-    const periodicConfig = [
-        'APT::Periodic::Update-Package-Lists "1";',
-        'APT::Periodic::Unattended-Upgrade "1";',
-        'APT::Periodic::AutocleanInterval "7";',
-    ].join("\\n");
-    return raw([
-        "DEBIAN_FRONTEND=noninteractive apt-get install -y unattended-upgrades",
-        `printf '${periodicConfig}\\n' > /etc/apt/apt.conf.d/20auto-upgrades`,
-    ].join(" && "));
-}
-export function buildLoginBannersCommand() {
-    const bannerText = "Authorized access only. All activity is monitored and logged.";
-    return raw([
-        `printf '${bannerText}\\n' > /etc/issue`,
-        `printf '${bannerText}\\n' > /etc/issue.net`,
-        `printf '${bannerText}\\n' > /etc/motd`,
-        `grep -qE '^Banner' /etc/ssh/sshd_config || echo 'Banner /etc/issue.net' >> /etc/ssh/sshd_config`,
-        "systemctl restart ssh 2>/dev/null || systemctl restart sshd",
-    ].join(" && "));
-}
-export function buildAuditdCommand() {
-    // Deep rules go in 50-kastell-deep.rules (sorts BEFORE 99-kastell.rules -e 2 immutability)
-    const deepRules = [
-        "# Identity — file integrity",
-        "-w /etc/passwd -p wa -k identity",
-        "-w /etc/shadow -p wa -k identity",
-        "-w /etc/group -p wa -k identity",
-        "-w /etc/gshadow -p wa -k identity",
-        "# Privilege escalation",
-        "-w /etc/sudoers -p wa -k privilege",
-        "-w /etc/sudoers.d/ -p wa -k privilege",
-        "-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -k privilege",
-        "# Time change",
-        "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time-change",
-        "-w /etc/localtime -p wa -k time-change",
-        "# Login and session",
-        "-w /var/log/lastlog -p wa -k logins",
-        "-w /var/run/faillock/ -p wa -k logins",
-        "-w /var/run/utmp -p wa -k session",
-        "-w /var/log/wtmp -p wa -k session",
-        "-w /var/log/btmp -p wa -k session",
-        "# Network changes",
-        "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network-change",
-        "-w /etc/hostname -p wa -k network-change",
-        "-w /etc/hosts -p wa -k network-change",
-        "-w /etc/sysconfig/network -p wa -k network-change",
-        "# Kernel modules",
-        "-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k kernel-module",
-        "-w /sbin/insmod -p x -k kernel-module",
-        "-w /sbin/modprobe -p x -k kernel-module",
-        "-w /sbin/rmmod -p x -k kernel-module",
-    ].join("\\n");
-    // Immutability directive in 99 — sorts AFTER 50
-    const immutableRule = "-e 2";
-    return raw([
-        "DEBIAN_FRONTEND=noninteractive apt-get install -y auditd audispd-plugins",
-        "systemctl enable auditd && systemctl start auditd",
-        `printf '${deepRules}\\n' > /etc/audit/rules.d/50-kastell-deep.rules`,
-        `printf '${immutableRule}\\n' > /etc/audit/rules.d/99-kastell.rules`,
-        "augenrules --load 2>/dev/null || true",
-        "service auditd restart 2>/dev/null || systemctl restart auditd 2>/dev/null || true",
-    ].join(" && "));
-}
-export function buildResourceLimitsCommand() {
-    const limitsContent = [
-        "* soft nproc 1024",
-        "* hard nproc 2048",
-        "* soft nofile 65536",
-        "* hard nofile 65536",
-        "root soft nproc unlimited",
-        "root hard nproc unlimited",
-    ].join("\\n");
-    return raw(`printf '${limitsContent}\\n' > /etc/security/limits.d/99-kastell.conf`);
-}
-export function buildServiceDisableCommand() {
-    const services = ["bluetooth", "avahi-daemon", "cups", "rpcbind"];
-    const disableScript = services
-        .map((s) => `systemctl list-unit-files '${s}.service' 2>/dev/null | grep -q '${s}' && systemctl stop ${s} && systemctl disable ${s} 2>/dev/null || true`)
-        .join("; ");
-    return raw(disableScript);
-}
-export function buildAptValidationCommand() {
-    const aptConf = [
-        'APT::Get::AllowUnauthenticated "false";',
-        'Acquire::AllowInsecureRepositories "false";',
-        'Acquire::AllowDowngradeToInsecureRepositories "false";',
-    ].join("\\n");
-    return raw(`printf '${aptConf}\\n' > /etc/apt/apt.conf.d/99-kastell-apt.conf`);
-}
-export function buildLogRetentionCommand() {
-    const logrotateConf = [
-        "/var/log/syslog",
-        "{",
-        "    daily",
-        "    missingok",
-        "    rotate 90",
-        "    compress",
-        "    delaycompress",
-        "    notifempty",
-        "    postrotate",
-        "        /usr/lib/rsyslog/rsyslog-rotate",
-        "    endscript",
-        "}",
-    ].join("\\n");
-    return raw([
-        "DEBIAN_FRONTEND=noninteractive apt-get install -y logrotate",
-        "systemctl enable rsyslog 2>/dev/null || true",
-        "systemctl start rsyslog 2>/dev/null || true",
-        `printf '${logrotateConf}\\n' > /etc/logrotate.d/99-kastell-syslog`,
-        "systemctl enable logrotate.timer 2>/dev/null || true",
-    ].join(" && "));
-}
-export function buildCloudMetaBlockCommand() {
-    return raw([
-        "ufw deny out to 169.254.169.254",
-        "ufw deny in from 169.254.169.254",
-    ].join(" && "));
-}
-export function buildAccountLockCommand() {
-    return raw([
-        "for user in $(awk -F: '($3 >= 1000 && $3 < 65534 && ($7 == \"/bin/bash\" || $7 == \"/bin/sh\")) {print $1}' /etc/passwd); do",
-        "  if ! who | grep -q \"^$user \"; then",
-        "    passwd -l $user 2>/dev/null || true",
-        "  fi",
-        "done",
-    ].join(" "));
-}
-export function buildAideInitCommand() {
-    const cronScript = "#!/bin/bash\\n/usr/sbin/aide --check 2>/dev/null || true";
-    return raw([
-        "DEBIAN_FRONTEND=noninteractive apt-get install -y aide",
-        "rm -f /etc/cron.d/kastell-aide",
-        `printf '${cronScript}\\n' > /etc/cron.daily/aide-check`,
-        "chmod 755 /etc/cron.daily/aide-check",
-        "nohup aide --init > /var/log/aide-init.log 2>&1 &",
-    ].join(" && "));
-}
-export function buildCronAccessCommand() {
-    return raw([
-        "echo root > /etc/cron.allow",
-        "chmod 600 /etc/cron.allow",
-        "echo root > /etc/at.allow",
-        "chmod 600 /etc/at.allow",
-        "touch /etc/at.deny",
-        "chmod 600 /etc/at.deny",
-    ].join(" && "));
-}
-export function buildBackupPermissionsCommand() {
-    return raw([
-        "DEBIAN_FRONTEND=noninteractive apt-get install -y rsync",
-        "mkdir -p /var/backups",
-        "chmod 700 /var/backups",
-        "chown root:root /var/backups",
-    ].join(" && "));
-}
-export function buildDnsSecurityCommand() {
-    const dropinContent = ["[Resolve]", "DNSSEC=yes", "DNSOverTLS=opportunistic"].join("\\n");
-    return raw([
-        "cp /etc/systemd/resolved.conf /etc/systemd/resolved.conf.kastell.bak 2>/dev/null || true",
-        "mkdir -p /etc/systemd/resolved.conf.d",
-        `printf '${dropinContent}\\n' > /etc/systemd/resolved.conf.d/99-kastell-dns.conf`,
-        "systemctl restart systemd-resolved",
-        "dig google.com +timeout=5 +tries=1 @127.0.0.53 >/dev/null 2>&1",
-    ].join(" && "));
-}
-export function buildDnsRollbackCommand() {
-    return raw([
-        "rm -f /etc/systemd/resolved.conf.d/99-kastell-dns.conf",
-        "systemctl restart systemd-resolved",
-    ].join(" && "));
-}
-export function buildPwqualityCommand() {
-    const conf = [
-        "minlen = 14",
-        "dcredit = -1",
-        "ucredit = -1",
-        "lcredit = -1",
-        "ocredit = -1",
-        "maxrepeat = 3",
-    ].join("\\n");
-    return raw([
-        "apt-cache show libpam-pwquality >/dev/null 2>&1 || { echo 'WARN: libpam-pwquality not available, skipping'; exit 0; }",
-        "DEBIAN_FRONTEND=noninteractive apt-get install -y libpam-pwquality",
-        `printf '${conf}\\n' > /etc/security/pwquality.conf`,
-    ].join(" && "));
-}
-export function buildDockerHardeningCommand(platform) {
-    const isCoolify = platform === "coolify";
-    const isDokploy = platform === "dokploy";
-    const settings = {
-        "log-driver": "json-file",
-        "log-opts": { "max-size": "10m", "max-file": "3" },
-        "no-new-privileges": true,
-    };
-    if (!isDokploy) {
-        settings["live-restore"] = true;
-    }
-    if (!isCoolify && !isDokploy) {
-        settings["icc"] = false;
-    }
-    const hardeningJson = JSON.stringify(settings);
-    return raw([
-        "command -v jq >/dev/null 2>&1 || { echo 'WARN: jq not found, skipping Docker hardening'; exit 0; }",
-        "command -v docker >/dev/null 2>&1 || { echo 'WARN: Docker not installed, skipping Docker hardening'; exit 0; }",
-        "mkdir -p /etc/docker && ([ -f /etc/docker/daemon.json ] || echo '{}' > /etc/docker/daemon.json)",
-        "cp /etc/docker/daemon.json /etc/docker/daemon.json.bak-docker",
-        `printf '%s' '${hardeningJson}' | jq -s '.[0] * .[1]' /etc/docker/daemon.json - > /tmp/daemon-kastell.json`,
-        "jq -e . /tmp/daemon-kastell.json >/dev/null 2>&1 || { cp /etc/docker/daemon.json.bak-docker /etc/docker/daemon.json && echo 'daemon.json merge failed: rolled back' >&2 && exit 1; }",
-        "mv /tmp/daemon-kastell.json /etc/docker/daemon.json",
-        "systemctl reload docker 2>/dev/null || systemctl restart docker",
-    ].join(" && "));
-}
-export function buildSshCipherCommand() {
-    const cipherBlacklist = WEAK_CIPHERS.map((c) => `-${c}`).join(",");
-    const macBlacklist = WEAK_MACS.map((m) => `-${m}`).join(",");
-    const kexBlacklist = WEAK_KEX.map((k) => `-${k}`).join(",");
-    return raw([
-        "cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak-cipher",
-        "sed -i '/^Ciphers[ \\t]/d; /^MACs[ \\t]/d; /^KexAlgorithms[ \\t]/d' /etc/ssh/sshd_config",
-        `printf '\\nCiphers ${cipherBlacklist}\\nMACs ${macBlacklist}\\nKexAlgorithms ${kexBlacklist}\\n' >> /etc/ssh/sshd_config`,
-        "if sshd -t; then systemctl restart sshd; else cp /etc/ssh/sshd_config.bak-cipher /etc/ssh/sshd_config && echo 'SSH cipher hardening rolled back: sshd -t failed' >&2 && exit 1; fi",
-    ].join(" && "));
-}
-export function buildSshFineTuningCommand() {
-    const directives = [
-        ["ClientAliveInterval", "300"],
-        ["ClientAliveCountMax", "3"],
-        ["LoginGraceTime", "60"],
-        ["AllowAgentForwarding", "no"],
-        ["X11Forwarding", "no"],
-        ["MaxStartups", "10:30:60"],
-        ["StrictModes", "yes"],
-        ["PermitUserEnvironment", "no"],
-        ["LogLevel", "VERBOSE"],
-        ["UseDNS", "no"],
-        ["PrintMotd", "no"],
-        ["IgnoreRhosts", "yes"],
-        ["HostbasedAuthentication", "no"],
-        ["MaxSessions", "10"],
-        ["PermitEmptyPasswords", "no"],
-    ];
-    const sedLines = directives.map(([key, val]) => `grep -qE '^#?${key}' /etc/ssh/sshd_config && sed -i 's/^#\\?${key}.*/${key} ${val}/' /etc/ssh/sshd_config || echo '${key} ${val}' >> /etc/ssh/sshd_config`);
-    return raw([
-        "cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak-finetune",
-        ...sedLines,
-        "if sshd -t; then systemctl restart sshd 2>/dev/null || systemctl restart ssh; else cp /etc/ssh/sshd_config.bak-finetune /etc/ssh/sshd_config && echo 'SSH fine-tuning rolled back' >&2 && exit 1; fi",
-    ].join(" && "));
-}
-export function buildLoginDefsCommand() {
-    const entries = [
-        ["PASS_MIN_DAYS", "1", "/etc/login.defs"],
-        ["PASS_WARN_AGE", "7", "/etc/login.defs"],
-        ["ENCRYPT_METHOD", "SHA512", "/etc/login.defs"],
-        ["UMASK", "027", "/etc/login.defs"],
-    ];
-    const lines = entries.map(([key, val, file]) => `grep -qE '^${key}' ${file} && sed -i 's/^${key}.*/${key} ${val}/' ${file} || echo '${key} ${val}' >> ${file}`);
-    const useradd = `grep -qE '^INACTIVE' /etc/default/useradd && sed -i 's/^INACTIVE.*/INACTIVE=30/' /etc/default/useradd || echo 'INACTIVE=30' >> /etc/default/useradd`;
-    return raw([...lines, useradd].join(" && "));
-}
-export function buildFaillockCommand() {
-    const directives = [
-        ["deny", "5"],
-        ["unlock_time", "900"],
-        ["fail_interval", "900"],
-    ];
-    const lines = directives.map(([key, val]) => `grep -qE '^${key}' /etc/security/faillock.conf 2>/dev/null && sed -i 's/^${key}.*/${key} = ${val}/' /etc/security/faillock.conf || echo '${key} = ${val}' >> /etc/security/faillock.conf`);
-    return raw([
-        "mkdir -p /etc/security",
-        ...lines,
-        "pam-auth-update --enable faillock 2>/dev/null || true",
-    ].join(" && "));
-}
-export function buildSudoHardeningCommand() {
-    return raw([
-        "mkdir -p /etc/sudoers.d",
-        `grep -qr 'log_output\\|syslog' /etc/sudoers /etc/sudoers.d/ 2>/dev/null || echo 'Defaults log_output' > /etc/sudoers.d/kastell-logging`,
-        "chmod 440 /etc/sudoers.d/kastell-logging 2>/dev/null || true",
-        `grep -qr 'requiretty' /etc/sudoers /etc/sudoers.d/ 2>/dev/null || echo 'Defaults requiretty' > /etc/sudoers.d/kastell-requiretty`,
-        "chmod 440 /etc/sudoers.d/kastell-requiretty 2>/dev/null || true",
-    ].join(" && "));
-}
-// ─── Helper ──────────────────────────────────────────────────────────────────
-async function runLockStep(ip, command, opts) {
-    try {
-        await sshExec(ip, command, opts);
-        return { ok: true };
-    }
-    catch (err) {
-        return { ok: false, error: getErrorMessage(err) };
-    }
-}
-// ─── Orchestrator ────────────────────────────────────────────────────────────
-export async function applyLock(ip, name, platform, options) {
-    assertValidIp(ip);
-    const steps = {
-        sshHardening: false,
-        fail2ban: false,
-        banners: false,
-        accountLock: false,
-        sshCipher: false,
-        ufw: false,
-        cloudMeta: false,
-        dns: false,
-        sysctl: false,
-        unattendedUpgrades: false,
-        aptValidation: false,
-        resourceLimits: false,
-        serviceDisable: false,
-        backupPermissions: false,
-        pwquality: false,
-        dockerHardening: false,
-        auditd: false,
-        logRetention: false,
-        aide: false,
-        cronAccess: false,
-        sshFineTuning: false,
-        loginDefs: false,
-        faillock: false,
-        sudoHardening: false,
-    };
-    const stepErrors = {};
-    // Dry run: preview only, no SSH
-    if (options.dryRun) {
-        return {
-            success: true,
-            steps,
-        };
-    }
-    const auditPlatform = platform ?? "bare";
-    // Pre-audit (non-fatal)
-    let scoreBefore;
-    try {
-        const preAudit = await runAudit(ip, name, auditPlatform);
-        if (preAudit.success && preAudit.data) {
-            scoreBefore = preAudit.data.overallScore;
-        }
-    }
-    catch {
-        // Non-fatal — continue without score
-    }
-    // Step 0: SSH key check — abort if no keys
-    try {
-        const keyResult = await sshExec(ip, buildKeyCheckCommand());
-        const keyCount = parseInt(keyResult.stdout.trim(), 10);
-        if (isNaN(keyCount) || keyCount === 0) {
-            return {
-                success: false,
-                steps,
-                error: "No SSH keys found in /root/.ssh/authorized_keys. Cannot disable password authentication without SSH keys — this would permanently lock you out.",
-                hint: `Add an SSH key first: ssh-copy-id root@${ip}`,
-            };
-        }
-    }
-    catch (err) {
-        return {
-            success: false,
-            steps,
-            error: `SSH key check failed: ${getErrorMessage(err)}`,
-        };
-    }
-    // ── Group 1: SSH & Auth ──────────────────────────────────────────────────
-    // Step 1: SSH hardening (critical — determines overall success)
-    const sshResult = await runLockStep(ip, buildHardeningCommand());
-    steps.sshHardening = sshResult.ok;
-    if (!sshResult.ok)
-        stepErrors.sshHardening = sshResult.error;
-    // Step 2: fail2ban
-    const fail2banResult = await runLockStep(ip, buildFail2banCommand());
-    steps.fail2ban = fail2banResult.ok;
-    if (!fail2banResult.ok)
-        stepErrors.fail2ban = fail2banResult.error;
-    // Step 3: Login banners
-    const bannersResult = await runLockStep(ip, buildLoginBannersCommand());
-    steps.banners = bannersResult.ok;
-    if (!bannersResult.ok)
-        stepErrors.banners = bannersResult.error;
-    // Step 4: Account locking
-    const accountLockResult = await runLockStep(ip, buildAccountLockCommand());
-    steps.accountLock = accountLockResult.ok;
-    if (!accountLockResult.ok)
-        stepErrors.accountLock = accountLockResult.error;
-    // Step 5: SSH cipher hardening — with sshd -t rollback
-    const sshCipherResult = await runLockStep(ip, buildSshCipherCommand());
-    steps.sshCipher = sshCipherResult.ok;
-    if (!sshCipherResult.ok)
-        stepErrors.sshCipher = sshCipherResult.error;
-    // ── Group 2: Firewall & Network ──────────────────────────────────────────
-    // Step 6: UFW firewall, 60s timeout for apt
-    const ufwResult = await runLockStep(ip, buildFirewallSetupCommand(platform), { timeoutMs: LOCK_FIREWALL_TIMEOUT_MS });
-    steps.ufw = ufwResult.ok;
-    if (!ufwResult.ok)
-        stepErrors.ufw = ufwResult.error;
-    // Step 7: Cloud metadata — conditional on UFW
-    if (steps.ufw) {
-        const cloudMetaResult = await runLockStep(ip, buildCloudMetaBlockCommand());
-        steps.cloudMeta = cloudMetaResult.ok;
-        if (!cloudMetaResult.ok)
-            stepErrors.cloudMeta = cloudMetaResult.error;
-    }
-    else {
-        stepErrors.cloudMeta = "UFW required";
-    }
-    // Step 8: DNS security — with rollback on failure
-    const dnsResult = await runLockStep(ip, buildDnsSecurityCommand(), { timeoutMs: 15_000 });
-    steps.dns = dnsResult.ok;
-    if (!dnsResult.ok) {
-        stepErrors.dns = dnsResult.error;
-        await runLockStep(ip, buildDnsRollbackCommand());
-    }
-    // ── Group 3: System ──────────────────────────────────────────────────────
-    // Step 9: sysctl hardening
-    const sysctlResult = await runLockStep(ip, buildSysctlHardeningCommand());
-    steps.sysctl = sysctlResult.ok;
-    if (!sysctlResult.ok)
-        stepErrors.sysctl = sysctlResult.error;
-    // Step 10: unattended-upgrades, 120s timeout for apt
-    const upgradesResult = await runLockStep(ip, buildUnattendedUpgradesCommand(), { timeoutMs: LOCK_UPGRADES_TIMEOUT_MS });
-    steps.unattendedUpgrades = upgradesResult.ok;
-    if (!upgradesResult.ok)
-        stepErrors.unattendedUpgrades = upgradesResult.error;
-    // Step 11: APT validation
-    const aptResult = await runLockStep(ip, buildAptValidationCommand());
-    steps.aptValidation = aptResult.ok;
-    if (!aptResult.ok)
-        stepErrors.aptValidation = aptResult.error;
-    // Step 12: Resource limits
-    const limitsResult = await runLockStep(ip, buildResourceLimitsCommand());
-    steps.resourceLimits = limitsResult.ok;
-    if (!limitsResult.ok)
-        stepErrors.resourceLimits = limitsResult.error;
-    // Step 13: Service disabling
-    const serviceResult = await runLockStep(ip, buildServiceDisableCommand());
-    steps.serviceDisable = serviceResult.ok;
-    if (!serviceResult.ok)
-        stepErrors.serviceDisable = serviceResult.error;
-    // Step 14: Backup permissions
-    const backupResult = await runLockStep(ip, buildBackupPermissionsCommand(), { timeoutMs: LOCK_PACKAGES_TIMEOUT_MS });
-    steps.backupPermissions = backupResult.ok;
-    if (!backupResult.ok)
-        stepErrors.backupPermissions = backupResult.error;
-    // Step 15: Password quality policy
-    const pwqualityResult = await runLockStep(ip, buildPwqualityCommand(), { timeoutMs: LOCK_PACKAGES_TIMEOUT_MS });
-    steps.pwquality = pwqualityResult.ok;
-    if (!pwqualityResult.ok)
-        stepErrors.pwquality = pwqualityResult.error;
-    // Step 16: Docker runtime hardening
-    const dockerResult = await runLockStep(ip, buildDockerHardeningCommand(platform), { timeoutMs: LOCK_PACKAGES_TIMEOUT_MS });
-    steps.dockerHardening = dockerResult.ok;
-    if (!dockerResult.ok)
-        stepErrors.dockerHardening = dockerResult.error;
-    // ── Group 4: Monitoring ──────────────────────────────────────────────────
-    // Step 17: auditd
-    const auditdResult = await runLockStep(ip, buildAuditdCommand(), { timeoutMs: LOCK_PACKAGES_TIMEOUT_MS });
-    steps.auditd = auditdResult.ok;
-    if (!auditdResult.ok)
-        stepErrors.auditd = auditdResult.error;
-    // Step 18: Log retention
-    const logResult = await runLockStep(ip, buildLogRetentionCommand());
-    steps.logRetention = logResult.ok;
-    if (!logResult.ok)
-        stepErrors.logRetention = logResult.error;
-    // Step 19: AIDE (fire-and-forget)
-    const aideResult = await runLockStep(ip, buildAideInitCommand(), { timeoutMs: LOCK_PACKAGES_TIMEOUT_MS });
-    steps.aide = aideResult.ok;
-    if (!aideResult.ok)
-        stepErrors.aide = aideResult.error;
-    // Step 20: Cron access control
-    const cronAccessResult = await runLockStep(ip, buildCronAccessCommand());
-    steps.cronAccess = cronAccessResult.ok;
-    if (!cronAccessResult.ok)
-        stepErrors.cronAccess = cronAccessResult.error;
-    // ── Group 5: Score Boost (P87) ─────────────────────────────────────────────
-    // Step 21: SSH fine-tuning — with sshd -t rollback
-    const sshFineTuneResult = await runLockStep(ip, buildSshFineTuningCommand());
-    steps.sshFineTuning = sshFineTuneResult.ok;
-    if (!sshFineTuneResult.ok)
-        stepErrors.sshFineTuning = sshFineTuneResult.error;
-    // Step 22: Login definitions
-    const loginDefsResult = await runLockStep(ip, buildLoginDefsCommand());
-    steps.loginDefs = loginDefsResult.ok;
-    if (!loginDefsResult.ok)
-        stepErrors.loginDefs = loginDefsResult.error;
-    // Step 23: Faillock
-    const faillockResult = await runLockStep(ip, buildFaillockCommand());
-    steps.faillock = faillockResult.ok;
-    if (!faillockResult.ok)
-        stepErrors.faillock = faillockResult.error;
-    // Step 24: Sudo hardening
-    const sudoHardeningResult = await runLockStep(ip, buildSudoHardeningCommand());
-    steps.sudoHardening = sudoHardeningResult.ok;
-    if (!sudoHardeningResult.ok)
-        stepErrors.sudoHardening = sudoHardeningResult.error;
-    // Post-audit (non-fatal)
-    let scoreAfter;
-    try {
-        const postAudit = await runAudit(ip, name, auditPlatform);
-        if (postAudit.success && postAudit.data) {
-            scoreAfter = postAudit.data.overallScore;
-        }
-    }
-    catch {
-        // Non-fatal
-    }
-    return {
-        success: steps.sshHardening,
-        steps,
-        ...(Object.keys(stepErrors).length > 0 && { stepErrors }),
-        scoreBefore,
-        scoreAfter,
-    };
-}
-//# sourceMappingURL=lock.js.map

package/dist/core/lock.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"lock.js","sourceRoot":"","sources":["../../src/core/lock.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAChG,OAAO,EAAE,yBAAyB,EAAE,MAAM,eAAe,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,GAAG,EAAmB,MAAM,wBAAwB,CAAC;AAE9D,OAAO,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,YAAY,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAClJ,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAoD1D,gFAAgF;AAEhF,MAAM,UAAU,2BAA2B;IACzC,MAAM,QAAQ,GAAG;QACf,6BAA6B;QAC7B,sCAAsC;QACtC,0CAA0C;QAC1C,yCAAyC;QACzC,6CAA6C;QAC7C,kCAAkC;QAClC,2BAA2B;QAC3B,6BAA6B;QAC7B,wCAAwC;QACxC,iCAAiC;QACjC,yBAAyB;QACzB,wBAAwB;QACxB,oBAAoB;QACpB,2BAA2B;QAC3B,oCAAoC;QACpC,6EAA6E;QAC7E,+BAA+B;QAC/B,mCAAmC;QACnC,gCAAgC;QAChC,oCAAoC;QACpC,wCAAwC;QACxC,2BAA2B;QAC3B,sCAAsC;QACtC,0CAA0C;QAC1C,0BAA0B;QAC1B,sCAAsC;QACtC,0CAA0C;KAC3C,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEd,OAAO,GAAG,CACR;QACE,WAAW,QAAQ,sCAAsC;QACzD,6DAA6D;KAC9D,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,8BAA8B;IAC5C,MAAM,cAAc,GAAG;QACrB,0CAA0C;QAC1C,wCAAwC;QACxC,uCAAuC;KACxC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEd,OAAO,GAAG,CACR;QACE,uEAAuE;QACvE,WAAW,cAAc,4CAA4C;KACtE,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,wBAAwB;IACtC,MAAM,UAAU,GAAG,+DAA+D,CAAC;IACnF,OAAO,GAAG,CACR;QACE,WAAW,UAAU,mBAAmB;QACxC,WAAW,UAAU,uBAAuB;QAC5C,WAAW,UAAU,kBAAkB;QACvC,iGAAiG;QACjG,6DAA6D;KAC9D,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,2FAA2F;IAC3F,MAAM,SAAS,GAAG;QAChB,6BAA6B;QAC7B,kCAAkC;QAClC,kCAAkC;QAClC,iCAAiC;QACjC,mCAAmC;QACnC,wBAAwB;QACxB,oCAAoC;QACpC,uCAAuC;QACvC,qFAAqF;QACrF,eAAe;QACf,wFAAwF;QACxF,wCAAwC;QACxC,qBAAqB;QACrB,qCAAqC;QACrC,uCAAuC;QACvC,mCAAmC;QACnC,mCAAmC;QACnC,mCAAmC;QACnC,mBAAmB;QACnB,8EAA8E;QAC9E,0CAA0C;QAC1C,uCAAuC;QACvC,mDAAmD;QACnD,kBAAkB;QAClB,6FAA6F;QAC7F,uCAAuC;QACvC,yCAAyC;QACzC,sCAAsC;KACvC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEd,gDAAgD;IAChD,MAAM,aAAa,GAAG,MAAM,CAAC;IAE7B,OAAO,GAAG,CACR;QACE,0EAA0E;QAC1E,mDAAmD;QACnD,WAAW,SAAS,iDAAiD;QACrE,WAAW,aAAa,4CAA4C;QACpE,uCAAuC;QACvC,oFAAoF;KACrF,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,0BAA0B;IACxC,MAAM,aAAa,GAAG;QACpB,mBAAmB;QACnB,mBAAmB;QACnB,qBAAqB;QACrB,qBAAqB;QACrB,2BAA2B;QAC3B,2BAA2B;KAC5B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEd,OAAO,GAAG,CAAC,WAAW,aAAa,+CAA+C,CAAC,CAAC;AACtF,CAAC;AAED,MAAM,UAAU,0BAA0B;IACxC,MAAM,QAAQ,GAAG,CAAC,WAAW,EAAE,cAAc,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,QAAQ;SAC3B,GAAG,CACF,CAAC,CAAC,EAAE,EAAE,CACJ,8BAA8B,CAAC,oCAAoC,CAAC,uBAAuB,CAAC,yBAAyB,CAAC,sBAAsB,CAC/I;SACA,IAAI,CAAC,IAAI,CAAC,CAAC;IACd,OAAO,GAAG,CAAC,aAAa,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,MAAM,OAAO,GAAG;QACd,yCAAyC;QACzC,6CAA6C;QAC7C,wDAAwD;KACzD,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEd,OAAO,GAAG,CAAC,WAAW,OAAO,gDAAgD,CAAC,CAAC;AACjF,CAAC;AAED,MAAM,UAAU,wBAAwB;IACtC,MAAM,aAAa,GAAG;QACpB,iBAAiB;QACjB,GAAG;QACH,WAAW;QACX,eAAe;QACf,eAAe;QACf,cAAc;QACd,mBAAmB;QACnB,gBAAgB;QAChB,gBAAgB;QAChB,yCAAyC;QACzC,eAAe;QACf,GAAG;KACJ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEd,OAAO,GAAG,CACR;QACE,6DAA6D;QAC7D,8CAA8C;QAC9C,6CAA6C;QAC7C,WAAW,aAAa,2CAA2C;QACnE,sDAAsD;KACvD,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,0BAA0B;IACxC,OAAO,GAAG,CACR;QACE,iCAAiC;QACjC,kCAAkC;KACnC,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,OAAO,GAAG,CACR;QACE,8HAA8H;QAC9H,wCAAwC;QACxC,yCAAyC;QACzC,MAAM;QACN,MAAM;KACP,CAAC,IAAI,CAAC,GAAG,CAAC,CACZ,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,MAAM,UAAU,GAAG,0DAA0D,CAAC;IAC9E,OAAO,GAAG,CACR;QACE,wDAAwD;QACxD,gCAAgC;QAChC,WAAW,UAAU,mCAAmC;QACxD,sCAAsC;QACtC,mDAAmD;KACpD,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB;IACpC,OAAO,GAAG,CACR;QACE,6BAA6B;QAC7B,2BAA2B;QAC3B,2BAA2B;QAC3B,yBAAyB;QACzB,oBAAoB;QACpB,wBAAwB;KACzB,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,6BAA6B;IAC3C,OAAO,GAAG,CACR;QACE,yDAAyD;QACzD,uBAAuB;QACvB,wBAAwB;QACxB,8BAA8B;KAC/B,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,MAAM,aAAa,GAAG,CAAC,WAAW,EAAE,YAAY,EAAE,0BAA0B,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAE1F,OAAO,GAAG,CACR;QACE,0FAA0F;QAC1F,uCAAuC;QACvC,WAAW,aAAa,yDAAyD;QACjF,oCAAoC;QACpC,gEAAgE;KACjE,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,OAAO,GAAG,CACR;QACE,wDAAwD;QACxD,oCAAoC;KACrC,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,MAAM,IAAI,GAAG;QACX,aAAa;QACb,cAAc;QACd,cAAc;QACd,cAAc;QACd,cAAc;QACd,eAAe;KAChB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEd,OAAO,GAAG,CACR;QACE,uHAAuH;QACvH,oEAAoE;QACpE,WAAW,IAAI,qCAAqC;KACrD,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,QAA8B;IACxE,MAAM,SAAS,GAAG,QAAQ,KAAK,SAAS,CAAC;IACzC,MAAM,SAAS,GAAG,QAAQ,KAAK,SAAS,CAAC;IAEzC,MAAM,QAAQ,GAA4B;QACxC,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE;QAClD,mBAAmB,EAAE,IAAI;KAC1B,CAAC;IAEF,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,QAAQ,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC;IAClC,CAAC;IAED,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,EAAE,CAAC;QAC7B,QAAQ,CAAC,KAAK,CAAC,GAAG,KAAK,CAAC;IAC1B,CAAC;IAED,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAE/C,OAAO,GAAG,CACR;QACE,oGAAoG;QACpG,gHAAgH;QAChH,iGAAiG;QACjG,+DAA+D;QAC/D,gBAAgB,aAAa,8EAA8E;QAC3G,sLAAsL;QACtL,qDAAqD;QACrD,iEAAiE;KAClE,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,MAAM,eAAe,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnE,MAAM,YAAY,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAE5D,OAAO,GAAG,CACR;QACE,yDAAyD;QACzD,0FAA0F;QAC1F,sBAAsB,eAAe,WAAW,YAAY,oBAAoB,YAAY,8BAA8B;QAC1H,oLAAoL;KACrL,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,MAAM,UAAU,GAAuB;QACrC,CAAC,qBAAqB,EAAE,KAAK,CAAC;QAC9B,CAAC,qBAAqB,EAAE,GAAG,CAAC;QAC5B,CAAC,gBAAgB,EAAE,IAAI,CAAC;QACxB,CAAC,sBAAsB,EAAE,IAAI,CAAC;QAC9B,CAAC,eAAe,EAAE,IAAI,CAAC;QACvB,CAAC,aAAa,EAAE,UAAU,CAAC;QAC3B,CAAC,aAAa,EAAE,KAAK,CAAC;QACtB,CAAC,uBAAuB,EAAE,IAAI,CAAC;QAC/B,CAAC,UAAU,EAAE,SAAS,CAAC;QACvB,CAAC,QAAQ,EAAE,IAAI,CAAC;QAChB,CAAC,WAAW,EAAE,IAAI,CAAC;QACnB,CAAC,cAAc,EAAE,KAAK,CAAC;QACvB,CAAC,yBAAyB,EAAE,IAAI,CAAC;QACjC,CAAC,aAAa,EAAE,IAAI,CAAC;QACrB,CAAC,sBAAsB,EAAE,IAAI,CAAC;KAC/B,CAAC;IACF,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,CAC7B,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,CACb,gBAAgB,GAAG,4CAA4C,GAAG,MAAM,GAAG,IAAI,GAAG,oCAAoC,GAAG,IAAI,GAAG,2BAA2B,CAC9J,CAAC;IACF,OAAO,GAAG,CACR;QACE,2DAA2D;QAC3D,GAAG,QAAQ;QACX,sMAAsM;KACvM,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,MAAM,OAAO,GAA+B;QAC1C,CAAC,eAAe,EAAE,GAAG,EAAE,iBAAiB,CAAC;QACzC,CAAC,eAAe,EAAE,GAAG,EAAE,iBAAiB,CAAC;QACzC,CAAC,gBAAgB,EAAE,QAAQ,EAAE,iBAAiB,CAAC;QAC/C,CAAC,OAAO,EAAE,KAAK,EAAE,iBAAiB,CAAC;KACpC,CAAC;IACF,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CACvB,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,EAAE,EAAE,CACnB,cAAc,GAAG,KAAK,IAAI,kBAAkB,GAAG,MAAM,GAAG,IAAI,GAAG,MAAM,IAAI,aAAa,GAAG,IAAI,GAAG,QAAQ,IAAI,EAAE,CACjH,CAAC;IACF,MAAM,OAAO,GAAG,qJAAqJ,CAAC;IACtK,OAAO,GAAG,CAAC,CAAC,GAAG,KAAK,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,MAAM,UAAU,GAAuB;QACrC,CAAC,MAAM,EAAE,GAAG,CAAC;QACb,CAAC,aAAa,EAAE,KAAK,CAAC;QACtB,CAAC,eAAe,EAAE,KAAK,CAAC;KACzB,CAAC;IACF,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAC1B,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,CACb,cAAc,GAAG,2DAA2D,GAAG,MAAM,GAAG,MAAM,GAAG,2CAA2C,GAAG,MAAM,GAAG,kCAAkC,CAC7L,CAAC;IACF,OAAO,GAAG,CACR;QACE,wBAAwB;QACxB,GAAG,KAAK;QACR,uDAAuD;KACxD,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,OAAO,GAAG,CACR;QACE,yBAAyB;QACzB,wIAAwI;QACxI,8DAA8D;QAC9D,kIAAkI;QAClI,iEAAiE;KAClE,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,gFAAgF;AAEhF,KAAK,UAAU,WAAW,CACxB,EAAU,EACV,OAAmB,EACnB,IAA6B;IAE7B,IAAI,CAAC;QACH,MAAM,OAAO,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QACjC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;IACpD,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,EAAU,EACV,IAAY,EACZ,QAA8B,EAC9B,OAAoB;IAEpB,aAAa,CAAC,EAAE,CAAC,CAAC;IAElB,MAAM,KAAK,GAAmB;QAC5B,YAAY,EAAE,KAAK;QACnB,QAAQ,EAAE,KAAK;QACf,OAAO,EAAE,KAAK;QACd,WAAW,EAAE,KAAK;QAClB,SAAS,EAAE,KAAK;QAChB,GAAG,EAAE,KAAK;QACV,SAAS,EAAE,KAAK;QAChB,GAAG,EAAE,KAAK;QACV,MAAM,EAAE,KAAK;QACb,kBAAkB,EAAE,KAAK;QACzB,aAAa,EAAE,KAAK;QACpB,cAAc,EAAE,KAAK;QACrB,cAAc,EAAE,KAAK;QACrB,iBAAiB,EAAE,KAAK;QACxB,SAAS,EAAE,KAAK;QAChB,eAAe,EAAE,KAAK;QACtB,MAAM,EAAE,KAAK;QACb,YAAY,EAAE,KAAK;QACnB,IAAI,EAAE,KAAK;QACX,UAAU,EAAE,KAAK;QACjB,aAAa,EAAE,KAAK;QACpB,SAAS,EAAE,KAAK;QAChB,QAAQ,EAAE,KAAK;QACf,aAAa,EAAE,KAAK;KACrB,CAAC;IAEF,MAAM,UAAU,GAAkD,EAAE,CAAC;IAErE,gCAAgC;IAChC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK;SACN,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GAAG,QAAQ,IAAI,MAAM,CAAC;IAEzC,wBAAwB;IACxB,IAAI,WAA+B,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,EAAE,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;QACzD,IAAI,QAAQ,CAAC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YACtC,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC;QAC3C,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,qCAAqC;IACvC,CAAC;IAED,2CAA2C;IAC3C,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,EAAE,EAAE,oBAAoB,EAAE,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QACvD,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;YACtC,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK;gBACL,KAAK,EAAE,iJAAiJ;gBACxJ,IAAI,EAAE,0CAA0C,EAAE,EAAE;aACrD,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK;YACL,KAAK,EAAE,yBAAyB,eAAe,CAAC,GAAG,CAAC,EAAE;SACvD,CAAC;IACJ,CAAC;IAED,4EAA4E;IAE5E,gEAAgE;IAChE,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,qBAAqB,EAAE,CAAC,CAAC;IACjE,KAAK,CAAC,YAAY,GAAG,SAAS,CAAC,EAAE,CAAC;IAClC,IAAI,CAAC,SAAS,CAAC,EAAE;QAAE,UAAU,CAAC,YAAY,GAAG,SAAS,CAAC,KAAM,CAAC;IAE9D,mBAAmB;IACnB,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,oBAAoB,EAAE,CAAC,CAAC;IACrE,KAAK,CAAC,QAAQ,GAAG,cAAc,CAAC,EAAE,CAAC;IACnC,IAAI,CAAC,cAAc,CAAC,EAAE;QAAE,UAAU,CAAC,QAAQ,GAAG,cAAc,CAAC,KAAM,CAAC;IAEpE,wBAAwB;IACxB,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,wBAAwB,EAAE,CAAC,CAAC;IACxE,KAAK,CAAC,OAAO,GAAG,aAAa,CAAC,EAAE,CAAC;IACjC,IAAI,CAAC,aAAa,CAAC,EAAE;QAAE,UAAU,CAAC,OAAO,GAAG,aAAa,CAAC,KAAM,CAAC;IAEjE,0BAA0B;IAC1B,MAAM,iBAAiB,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,uBAAuB,EAAE,CAAC,CAAC;IAC3E,KAAK,CAAC,WAAW,GAAG,iBAAiB,CAAC,EAAE,CAAC;IACzC,IAAI,CAAC,iBAAiB,CAAC,EAAE;QAAE,UAAU,CAAC,WAAW,GAAG,iBAAiB,CAAC,KAAM,CAAC;IAE7E,uDAAuD;IACvD,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,qBAAqB,EAAE,CAAC,CAAC;IACvE,KAAK,CAAC,SAAS,GAAG,eAAe,CAAC,EAAE,CAAC;IACrC,IAAI,CAAC,eAAe,CAAC,EAAE;QAAE,UAAU,CAAC,SAAS,GAAG,eAAe,CAAC,KAAM,CAAC;IAEvE,4EAA4E;IAE5E,4CAA4C;IAC5C,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,yBAAyB,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IACtH,KAAK,CAAC,GAAG,GAAG,SAAS,CAAC,EAAE,CAAC;IACzB,IAAI,CAAC,SAAS,CAAC,EAAE;QAAE,UAAU,CAAC,GAAG,GAAG,SAAS,CAAC,KAAM,CAAC;IAErD,8CAA8C;IAC9C,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;QACd,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,0BAA0B,EAAE,CAAC,CAAC;QAC5E,KAAK,CAAC,SAAS,GAAG,eAAe,CAAC,EAAE,CAAC;QACrC,IAAI,CAAC,eAAe,CAAC,EAAE;YAAE,UAAU,CAAC,SAAS,GAAG,eAAe,CAAC,KAAM,CAAC;IACzE,CAAC;SAAM,CAAC;QACN,UAAU,CAAC,SAAS,GAAG,cAAc,CAAC;IACxC,CAAC;IAED,kDAAkD;IAClD,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,uBAAuB,EAAE,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;IAC1F,KAAK,CAAC,GAAG,GAAG,SAAS,CAAC,EAAE,CAAC;IACzB,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC;QAClB,UAAU,CAAC,GAAG,GAAG,SAAS,CAAC,KAAM,CAAC;QAClC,MAAM,WAAW,CAAC,EAAE,EAAE,uBAAuB,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,4EAA4E;IAE5E,2BAA2B;IAC3B,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,2BAA2B,EAAE,CAAC,CAAC;IAC1E,KAAK,CAAC,MAAM,GAAG,YAAY,CAAC,EAAE,CAAC;IAC/B,IAAI,CAAC,YAAY,CAAC,EAAE;QAAE,UAAU,CAAC,MAAM,GAAG,YAAY,CAAC,KAAM,CAAC;IAE9D,qDAAqD;IACrD,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,8BAA8B,EAAE,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IACxH,KAAK,CAAC,kBAAkB,GAAG,cAAc,CAAC,EAAE,CAAC;IAC7C,IAAI,CAAC,cAAc,CAAC,EAAE;QAAE,UAAU,CAAC,kBAAkB,GAAG,cAAc,CAAC,KAAM,CAAC;IAE9E,0BAA0B;IAC1B,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,yBAAyB,EAAE,CAAC,CAAC;IACrE,KAAK,CAAC,aAAa,GAAG,SAAS,CAAC,EAAE,CAAC;IACnC,IAAI,CAAC,SAAS,CAAC,EAAE;QAAE,UAAU,CAAC,aAAa,GAAG,SAAS,CAAC,KAAM,CAAC;IAE/D,2BAA2B;IAC3B,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,0BAA0B,EAAE,CAAC,CAAC;IACzE,KAAK,CAAC,cAAc,GAAG,YAAY,CAAC,EAAE,CAAC;IACvC,IAAI,CAAC,YAAY,CAAC,EAAE;QAAE,UAAU,CAAC,cAAc,GAAG,YAAY,CAAC,KAAM,CAAC;IAEtE,6BAA6B;IAC7B,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,0BAA0B,EAAE,CAAC,CAAC;IAC1E,KAAK,CAAC,cAAc,GAAG,aAAa,CAAC,EAAE,CAAC;IACxC,IAAI,CAAC,aAAa,CAAC,EAAE;QAAE,UAAU,CAAC,cAAc,GAAG,aAAa,CAAC,KAAM,CAAC;IAExE,8BAA8B;IAC9B,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,6BAA6B,EAAE,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IACrH,KAAK,CAAC,iBAAiB,GAAG,YAAY,CAAC,EAAE,CAAC;IAC1C,IAAI,CAAC,YAAY,CAAC,EAAE;QAAE,UAAU,CAAC,iBAAiB,GAAG,YAAY,CAAC,KAAM,CAAC;IAEzE,mCAAmC;IACnC,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,qBAAqB,EAAE,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IAChH,KAAK,CAAC,SAAS,GAAG,eAAe,CAAC,EAAE,CAAC;IACrC,IAAI,CAAC,eAAe,CAAC,EAAE;QAAE,UAAU,CAAC,SAAS,GAAG,eAAe,CAAC,KAAM,CAAC;IAEvE,oCAAoC;IACpC,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,2BAA2B,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IAC3H,KAAK,CAAC,eAAe,GAAG,YAAY,CAAC,EAAE,CAAC;IACxC,IAAI,CAAC,YAAY,CAAC,EAAE;QAAE,UAAU,CAAC,eAAe,GAAG,YAAY,CAAC,KAAM,CAAC;IAEvE,4EAA4E;IAE5E,kBAAkB;IAClB,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IAC1G,KAAK,CAAC,MAAM,GAAG,YAAY,CAAC,EAAE,CAAC;IAC/B,IAAI,CAAC,YAAY,CAAC,EAAE;QAAE,UAAU,CAAC,MAAM,GAAG,YAAY,CAAC,KAAM,CAAC;IAE9D,yBAAyB;IACzB,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,wBAAwB,EAAE,CAAC,CAAC;IACpE,KAAK,CAAC,YAAY,GAAG,SAAS,CAAC,EAAE,CAAC;IAClC,IAAI,CAAC,SAAS,CAAC,EAAE;QAAE,UAAU,CAAC,YAAY,GAAG,SAAS,CAAC,KAAM,CAAC;IAE9D,kCAAkC;IAClC,MAAM,UAAU,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IAC1G,KAAK,CAAC,IAAI,GAAG,UAAU,CAAC,EAAE,CAAC;IAC3B,IAAI,CAAC,UAAU,CAAC,EAAE;QAAE,UAAU,CAAC,IAAI,GAAG,UAAU,CAAC,KAAM,CAAC;IAExD,+BAA+B;IAC/B,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,sBAAsB,EAAE,CAAC,CAAC;IACzE,KAAK,CAAC,UAAU,GAAG,gBAAgB,CAAC,EAAE,CAAC;IACvC,IAAI,CAAC,gBAAgB,CAAC,EAAE;QAAE,UAAU,CAAC,UAAU,GAAG,gBAAgB,CAAC,KAAM,CAAC;IAE1E,8EAA8E;IAE9E,mDAAmD;IACnD,MAAM,iBAAiB,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,yBAAyB,EAAE,CAAC,CAAC;IAC7E,KAAK,CAAC,aAAa,GAAG,iBAAiB,CAAC,EAAE,CAAC;IAC3C,IAAI,CAAC,iBAAiB,CAAC,EAAE;QAAE,UAAU,CAAC,aAAa,GAAG,iBAAiB,CAAC,KAAM,CAAC;IAE/E,6BAA6B;IAC7B,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,qBAAqB,EAAE,CAAC,CAAC;IACvE,KAAK,CAAC,SAAS,GAAG,eAAe,CAAC,EAAE,CAAC;IACrC,IAAI,CAAC,eAAe,CAAC,EAAE;QAAE,UAAU,CAAC,SAAS,GAAG,eAAe,CAAC,KAAM,CAAC;IAEvE,oBAAoB;IACpB,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,oBAAoB,EAAE,CAAC,CAAC;IACrE,KAAK,CAAC,QAAQ,GAAG,cAAc,CAAC,EAAE,CAAC;IACnC,IAAI,CAAC,cAAc,CAAC,EAAE;QAAE,UAAU,CAAC,QAAQ,GAAG,cAAc,CAAC,KAAM,CAAC;IAEpE,0BAA0B;IAC1B,MAAM,mBAAmB,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,yBAAyB,EAAE,CAAC,CAAC;IAC/E,KAAK,CAAC,aAAa,GAAG,mBAAmB,CAAC,EAAE,CAAC;IAC7C,IAAI,CAAC,mBAAmB,CAAC,EAAE;QAAE,UAAU,CAAC,aAAa,GAAG,mBAAmB,CAAC,KAAM,CAAC;IAEnF,yBAAyB;IACzB,IAAI,UAA8B,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,EAAE,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;QAC1D,IAAI,SAAS,CAAC,OAAO,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YACxC,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC;QAC3C,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,YAAY;QAC3B,KAAK;QACL,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,CAAC;QACzD,WAAW;QACX,UAAU;KACX,CAAC;AACJ,CAAC"}