npm - limen-ai - Versions diffs - 1.0.0 - Mend

limen-ai 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (704) hide show

package/dist/kernel/events/webhook_delivery.js ADDED Viewed

@@ -0,0 +1,324 @@
+/**
+ * Webhook delivery module — async HTTP delivery with HMAC-SHA256 signing.
+ * S ref: IP-6 (Webhook delivery with at-least-once semantics, max 3 retries)
+ *
+ * Phase: Sprint 5 (Performance & Events)
+ * Implements: Real HTTP delivery for webhook subscriptions, replacing the
+ * placeholder in event_bus.ts processWebhooks().
+ *
+ * This module is STANDALONE — it does not modify the EventBus interface (frozen zone).
+ * It queries pending deliveries from obs_webhook_deliveries, makes HTTP calls with
+ * HMAC-SHA256 signatures, and updates delivery status in the database.
+ *
+ * Security requirements:
+ *   - HMAC-SHA256 via createHmac('sha256', secret).update(body).digest('hex')
+ *   - X-Limen-Signature header on every delivery
+ *   - AbortSignal.timeout(5000) for 5-second deadline per delivery
+ *   - Exponential backoff: Math.pow(2, attempt) * 10 seconds
+ *   - Max 3 retries (schema default: max_attempts = 3)
+ *   - Response status captured in obs_webhook_deliveries.response_status
+ *   - Error message captured (webhook secrets NEVER in error messages)
+ *   - URL validation: must start with 'https://' (no http, no localhost)
+ *
+ * Invariants enforced: IP-6 (at-least-once delivery)
+ * Failure modes defended: FM-06 (external endpoint unavailability)
+ */
+import { createHmac } from 'node:crypto';
+// ============================================================================
+// URL Validation
+// ============================================================================
+/**
+ * IP-6: Validate webhook URL. Must use HTTPS in production.
+ * Rejects http://, localhost, and non-URL strings.
+ *
+ * @param url - URL to validate
+ * @returns true if URL is safe for webhook delivery
+ */
+export function isValidWebhookUrl(url) {
+    if (!url.startsWith('https://'))
+        return false;
+    try {
+        const parsed = new URL(url);
+        // Strip brackets from IPv6 hostnames (Node URL parser includes them)
+        const hostname = parsed.hostname.toLowerCase().replace(/^\[|\]$/g, '');
+        // F-S5-001 FIX: Reject localhost, loopback (IPv4 + IPv6), and 0.0.0.0
+        if (hostname === 'localhost' ||
+            hostname === '127.0.0.1' ||
+            hostname === '::1' ||
+            hostname === '0.0.0.0') {
+            return false;
+        }
+        // F-S5-002 FIX: Reject RFC 1918 private ranges + link-local + AWS metadata
+        // 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16
+        if (hostname.startsWith('10.') ||
+            hostname.startsWith('192.168.') ||
+            hostname.startsWith('169.254.') ||
+            isInRange172(hostname)) {
+            return false;
+        }
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Check if an IPv4 hostname falls in 172.16.0.0/12 (172.16.x.x - 172.31.x.x).
+ * @internal
+ */
+function isInRange172(hostname) {
+    if (!hostname.startsWith('172.'))
+        return false;
+    const parts = hostname.split('.');
+    if (parts.length !== 4)
+        return false;
+    const second = parseInt(parts[1], 10);
+    return second >= 16 && second <= 31;
+}
+// ============================================================================
+// HMAC Signature
+// ============================================================================
+/**
+ * IP-6: Compute HMAC-SHA256 signature for a webhook payload.
+ *
+ * @param secret - Webhook secret (plaintext)
+ * @param body - JSON payload body
+ * @returns Hex-encoded HMAC-SHA256 signature
+ */
+export function computeWebhookSignature(secret, body) {
+    return createHmac('sha256', secret).update(body).digest('hex');
+}
+// ============================================================================
+// Delivery Engine
+// ============================================================================
+/**
+ * IP-6: Deliver pending webhooks via HTTP POST.
+ *
+ * Queries obs_webhook_deliveries for pending/failed deliveries, makes HTTP calls
+ * with HMAC-SHA256 signed payloads, and updates delivery status.
+ *
+ * This function is ASYNC and is called separately from the synchronous
+ * EventBus.processWebhooks(). It handles the actual HTTP transport.
+ *
+ * @param conn - Database connection
+ * @param encryption - Optional encryption for decrypting webhook secrets
+ * @param time - TimeProvider for timestamps (Hard Stop #7)
+ * @param batchSize - Maximum deliveries to process per call (default: 100)
+ * @returns WebhookDeliveryResult with delivery statistics
+ */
+export async function deliverWebhooks(conn, encryption, time, batchSize = 100) {
+    const clock = time ?? { nowISO: () => new Date().toISOString(), nowMs: () => Date.now() }; // clock-exempt: fallback only
+    let delivered = 0;
+    let failed = 0;
+    let exhausted = 0;
+    let skipped = 0;
+    const attempts = [];
+    // Query pending deliveries
+    const pendingDeliveries = conn.query(`SELECT id, subscription_id, event_id, attempts, max_attempts
+     FROM obs_webhook_deliveries
+     WHERE status IN ('pending', 'failed')
+     AND (next_retry_at IS NULL OR next_retry_at <= ?)
+     ORDER BY created_at ASC LIMIT ?`, [clock.nowISO(), batchSize]);
+    // Process each delivery
+    const deliveryPromises = pendingDeliveries.map(async (delivery) => {
+        return deliverSingle(conn, delivery, encryption, clock);
+    });
+    // Execute deliveries with Promise.allSettled for fault isolation
+    const results = await Promise.allSettled(deliveryPromises);
+    for (const result of results) {
+        if (result.status === 'fulfilled') {
+            const attempt = result.value;
+            attempts.push(attempt);
+            switch (attempt.status) {
+                case 'delivered':
+                    delivered++;
+                    break;
+                case 'failed':
+                    failed++;
+                    break;
+                case 'exhausted':
+                    exhausted++;
+                    break;
+                case 'skipped':
+                    skipped++;
+                    break;
+            }
+        }
+        else {
+            // Promise rejection — should not happen with our error handling,
+            // but count as skipped to avoid losing visibility
+            skipped++;
+        }
+    }
+    return { delivered, failed, exhausted, skipped, attempts };
+}
+// ============================================================================
+// Single Delivery
+// ============================================================================
+/**
+ * Attempt delivery of a single webhook.
+ *
+ * @internal
+ */
+async function deliverSingle(conn, delivery, encryption, clock) {
+    // 1. Get subscription config
+    const sub = conn.get(`SELECT handler_config FROM obs_event_subscriptions WHERE id = ?`, [delivery.subscription_id]);
+    if (!sub) {
+        // Subscription deleted — mark exhausted
+        conn.run(`UPDATE obs_webhook_deliveries SET status = 'exhausted', last_attempt_at = ?
+       WHERE id = ?`, [clock.nowISO(), delivery.id]);
+        return {
+            deliveryId: delivery.id,
+            subscriptionId: delivery.subscription_id,
+            eventId: delivery.event_id,
+            status: 'skipped',
+            errorMessage: 'Subscription not found',
+        };
+    }
+    const config = JSON.parse(sub.handler_config);
+    // 2. Validate URL
+    if (!isValidWebhookUrl(config.url)) {
+        conn.run(`UPDATE obs_webhook_deliveries SET status = 'exhausted', last_attempt_at = ?,
+       error_message = 'Invalid webhook URL: must use HTTPS'
+       WHERE id = ?`, [clock.nowISO(), delivery.id]);
+        return {
+            deliveryId: delivery.id,
+            subscriptionId: delivery.subscription_id,
+            eventId: delivery.event_id,
+            status: 'exhausted',
+            errorMessage: 'Invalid webhook URL: must use HTTPS',
+        };
+    }
+    // 3. Decrypt secret if encrypted
+    let webhookSecret;
+    try {
+        webhookSecret = config.encrypted && encryption
+            ? encryption.decrypt(config.secret)
+            : config.secret;
+    }
+    catch {
+        // Decryption failure — do NOT include secret in error
+        conn.run(`UPDATE obs_webhook_deliveries SET status = 'exhausted', last_attempt_at = ?,
+       error_message = 'Webhook secret decryption failed'
+       WHERE id = ?`, [clock.nowISO(), delivery.id]);
+        return {
+            deliveryId: delivery.id,
+            subscriptionId: delivery.subscription_id,
+            eventId: delivery.event_id,
+            status: 'exhausted',
+            errorMessage: 'Webhook secret decryption failed',
+        };
+    }
+    // 4. Get event payload
+    const event = conn.get(`SELECT id, type, scope, payload, timestamp FROM obs_events WHERE id = ?`, [delivery.event_id]);
+    if (!event) {
+        conn.run(`UPDATE obs_webhook_deliveries SET status = 'exhausted', last_attempt_at = ?
+       WHERE id = ?`, [clock.nowISO(), delivery.id]);
+        return {
+            deliveryId: delivery.id,
+            subscriptionId: delivery.subscription_id,
+            eventId: delivery.event_id,
+            status: 'skipped',
+            errorMessage: 'Event not found',
+        };
+    }
+    // 5. Build payload
+    const eventPayload = JSON.stringify({
+        id: event.id,
+        type: event.type,
+        scope: event.scope,
+        payload: JSON.parse(event.payload),
+        timestamp: event.timestamp,
+    });
+    // 6. Compute HMAC-SHA256 signature
+    const signature = computeWebhookSignature(webhookSecret, eventPayload);
+    // 7. Attempt HTTP delivery
+    const newAttempts = delivery.attempts + 1;
+    const nowISO = clock.nowISO();
+    try {
+        const response = await fetch(config.url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'X-Limen-Signature': signature,
+                'X-Limen-Event-Id': event.id,
+                'X-Limen-Event-Type': event.type,
+            },
+            body: eventPayload,
+            signal: AbortSignal.timeout(5000),
+        });
+        if (response.ok) {
+            // Successful delivery
+            conn.run(`UPDATE obs_webhook_deliveries SET
+         status = 'delivered', attempts = ?, last_attempt_at = ?,
+         response_status = ?
+         WHERE id = ?`, [newAttempts, nowISO, response.status, delivery.id]);
+            return {
+                deliveryId: delivery.id,
+                subscriptionId: delivery.subscription_id,
+                eventId: delivery.event_id,
+                status: 'delivered',
+                responseStatus: response.status,
+            };
+        }
+        // Non-2xx response — treat as failure
+        return handleDeliveryFailure(conn, delivery, newAttempts, nowISO, `HTTP ${response.status}`, response.status);
+    }
+    catch (err) {
+        // Network error, timeout, etc.
+        // SECURITY: Do not include webhook secret in error message
+        const errorMessage = err instanceof Error
+            ? err.name === 'TimeoutError'
+                ? 'Delivery timeout (5s exceeded)'
+                : `Network error: ${err.message}`
+            : 'Unknown delivery error';
+        return handleDeliveryFailure(conn, delivery, newAttempts, nowISO, errorMessage, undefined);
+    }
+}
+// ============================================================================
+// Failure Handling
+// ============================================================================
+/**
+ * Handle a failed delivery attempt. Either retry with exponential backoff
+ * or mark as exhausted if max attempts reached.
+ *
+ * @internal
+ */
+function handleDeliveryFailure(conn, delivery, newAttempts, nowISO, errorMessage, responseStatus) {
+    if (newAttempts >= delivery.max_attempts) {
+        // Max retries exhausted
+        conn.run(`UPDATE obs_webhook_deliveries SET
+       status = 'exhausted', attempts = ?, last_attempt_at = ?,
+       error_message = ?${responseStatus !== undefined ? ', response_status = ?' : ''}
+       WHERE id = ?`, responseStatus !== undefined
+            ? [newAttempts, nowISO, errorMessage, responseStatus, delivery.id]
+            : [newAttempts, nowISO, errorMessage, delivery.id]);
+        return {
+            deliveryId: delivery.id,
+            subscriptionId: delivery.subscription_id,
+            eventId: delivery.event_id,
+            status: 'exhausted',
+            ...(responseStatus !== undefined ? { responseStatus } : {}),
+            errorMessage,
+        };
+    }
+    // Schedule retry with exponential backoff: 2^attempt * 10 seconds
+    const backoffSeconds = Math.pow(2, newAttempts) * 10;
+    conn.run(`UPDATE obs_webhook_deliveries SET
+     status = 'failed', attempts = ?, last_attempt_at = ?,
+     error_message = ?,
+     next_retry_at = strftime('%Y-%m-%dT%H:%M:%fZ', ?, '+' || ? || ' seconds')
+     ${responseStatus !== undefined ? ', response_status = ?' : ''}
+     WHERE id = ?`, responseStatus !== undefined
+        ? [newAttempts, nowISO, errorMessage, nowISO, backoffSeconds, responseStatus, delivery.id]
+        : [newAttempts, nowISO, errorMessage, nowISO, backoffSeconds, delivery.id]);
+    return {
+        deliveryId: delivery.id,
+        subscriptionId: delivery.subscription_id,
+        eventId: delivery.event_id,
+        status: 'failed',
+        ...(responseStatus !== undefined ? { responseStatus } : {}),
+        errorMessage,
+    };
+}
+//# sourceMappingURL=webhook_delivery.js.map

package/dist/kernel/events/webhook_delivery.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"webhook_delivery.js","sourceRoot":"","sources":["../../../src/kernel/events/webhook_delivery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAwCzC,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAW;IAC3C,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAC;IAE9C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,qEAAqE;QACrE,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAEvE,sEAAsE;QACtE,IACE,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,KAAK;YAClB,QAAQ,KAAK,SAAS,EACtB,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,2EAA2E;QAC3E,4DAA4D;QAC5D,IACE,QAAQ,CAAC,UAAU,CAAC,KAAK,CAAC;YAC1B,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC;YAC/B,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC;YAC/B,YAAY,CAAC,QAAQ,CAAC,EACtB,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,YAAY,CAAC,QAAgB;IACpC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC;IACvC,OAAO,MAAM,IAAI,EAAE,IAAI,MAAM,IAAI,EAAE,CAAC;AACtC,CAAC;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAAc,EAAE,IAAY;IAClE,OAAO,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACjE,CAAC;AAED,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAwB,EACxB,UAA8B,EAC9B,IAAmB,EACnB,YAAoB,GAAG;IAEvB,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,8BAA8B;IAEzH,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,QAAQ,GAA6B,EAAE,CAAC;IAE9C,2BAA2B;IAC3B,MAAM,iBAAiB,GAAG,IAAI,CAAC,KAAK,CAOlC;;;;qCAIiC,EACjC,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,SAAS,CAAC,CAC5B,CAAC;IAEF,wBAAwB;IACxB,MAAM,gBAAgB,GAAG,iBAAiB,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE;QAChE,OAAO,aAAa,CAAC,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,iEAAiE;IACjE,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;IAE3D,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC;YAC7B,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACvB,QAAQ,OAAO,CAAC,MAAM,EAAE,CAAC;gBACvB,KAAK,WAAW;oBAAE,SAAS,EAAE,CAAC;oBAAC,MAAM;gBACrC,KAAK,QAAQ;oBAAE,MAAM,EAAE,CAAC;oBAAC,MAAM;gBAC/B,KAAK,WAAW;oBAAE,SAAS,EAAE,CAAC;oBAAC,MAAM;gBACrC,KAAK,SAAS;oBAAE,OAAO,EAAE,CAAC;oBAAC,MAAM;YACnC,CAAC;QACH,CAAC;aAAM,CAAC;YACN,iEAAiE;YACjE,kDAAkD;YAClD,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;AAC7D,CAAC;AAED,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E;;;;GAIG;AACH,KAAK,UAAU,aAAa,CAC1B,IAAwB,EACxB,QAMC,EACD,UAAyC,EACzC,KAAmB;IAEnB,6BAA6B;IAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAClB,iEAAiE,EACjE,CAAC,QAAQ,CAAC,eAAe,CAAC,CAC3B,CAAC;IAEF,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,wCAAwC;QACxC,IAAI,CAAC,GAAG,CACN;oBACc,EACd,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,CAC9B,CAAC;QACF,OAAO;YACL,UAAU,EAAE,QAAQ,CAAC,EAAE;YACvB,cAAc,EAAE,QAAQ,CAAC,eAAe;YACxC,OAAO,EAAE,QAAQ,CAAC,QAAQ;YAC1B,MAAM,EAAE,SAAS;YACjB,YAAY,EAAE,wBAAwB;SACvC,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAI3C,CAAC;IAEF,kBAAkB;IAClB,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,IAAI,CAAC,GAAG,CACN;;oBAEc,EACd,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,CAC9B,CAAC;QACF,OAAO;YACL,UAAU,EAAE,QAAQ,CAAC,EAAE;YACvB,cAAc,EAAE,QAAQ,CAAC,eAAe;YACxC,OAAO,EAAE,QAAQ,CAAC,QAAQ;YAC1B,MAAM,EAAE,WAAW;YACnB,YAAY,EAAE,qCAAqC;SACpD,CAAC;IACJ,CAAC;IAED,iCAAiC;IACjC,IAAI,aAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,aAAa,GAAG,MAAM,CAAC,SAAS,IAAI,UAAU;YAC5C,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC;YACnC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC;IACpB,CAAC;IAAC,MAAM,CAAC;QACP,sDAAsD;QACtD,IAAI,CAAC,GAAG,CACN;;oBAEc,EACd,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,CAC9B,CAAC;QACF,OAAO;YACL,UAAU,EAAE,QAAQ,CAAC,EAAE;YACvB,cAAc,EAAE,QAAQ,CAAC,eAAe;YACxC,OAAO,EAAE,QAAQ,CAAC,QAAQ;YAC1B,MAAM,EAAE,WAAW;YACnB,YAAY,EAAE,kCAAkC;SACjD,CAAC;IACJ,CAAC;IAED,uBAAuB;IACvB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAOpB,yEAAyE,EACzE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CACpB,CAAC;IAEF,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,IAAI,CAAC,GAAG,CACN;oBACc,EACd,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,CAC9B,CAAC;QACF,OAAO;YACL,UAAU,EAAE,QAAQ,CAAC,EAAE;YACvB,cAAc,EAAE,QAAQ,CAAC,eAAe;YACxC,OAAO,EAAE,QAAQ,CAAC,QAAQ;YAC1B,MAAM,EAAE,SAAS;YACjB,YAAY,EAAE,iBAAiB;SAChC,CAAC;IACJ,CAAC;IAED,mBAAmB;IACnB,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC;QAClC,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC;QAClC,SAAS,EAAE,KAAK,CAAC,SAAS;KAC3B,CAAC,CAAC;IAEH,mCAAmC;IACnC,MAAM,SAAS,GAAG,uBAAuB,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IAEvE,2BAA2B;IAC3B,MAAM,WAAW,GAAG,QAAQ,CAAC,QAAQ,GAAG,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;IAE9B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE;YACvC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,mBAAmB,EAAE,SAAS;gBAC9B,kBAAkB,EAAE,KAAK,CAAC,EAAE;gBAC5B,oBAAoB,EAAE,KAAK,CAAC,IAAI;aACjC;YACD,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YAChB,sBAAsB;YACtB,IAAI,CAAC,GAAG,CACN;;;sBAGc,EACd,CAAC,WAAW,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,CAAC,CACpD,CAAC;YACF,OAAO;gBACL,UAAU,EAAE,QAAQ,CAAC,EAAE;gBACvB,cAAc,EAAE,QAAQ,CAAC,eAAe;gBACxC,OAAO,EAAE,QAAQ,CAAC,QAAQ;gBAC1B,MAAM,EAAE,WAAW;gBACnB,cAAc,EAAE,QAAQ,CAAC,MAAM;aAChC,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,OAAO,qBAAqB,CAC1B,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,EACnC,QAAQ,QAAQ,CAAC,MAAM,EAAE,EAAE,QAAQ,CAAC,MAAM,CAC3C,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,+BAA+B;QAC/B,2DAA2D;QAC3D,MAAM,YAAY,GAAG,GAAG,YAAY,KAAK;YACvC,CAAC,CAAC,GAAG,CAAC,IAAI,KAAK,cAAc;gBAC3B,CAAC,CAAC,gCAAgC;gBAClC,CAAC,CAAC,kBAAkB,GAAG,CAAC,OAAO,EAAE;YACnC,CAAC,CAAC,wBAAwB,CAAC;QAE7B,OAAO,qBAAqB,CAC1B,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,EACnC,YAAY,EAAE,SAAS,CACxB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;;;;GAKG;AACH,SAAS,qBAAqB,CAC5B,IAAwB,EACxB,QAMC,EACD,WAAmB,EACnB,MAAc,EACd,YAAoB,EACpB,cAAkC;IAElC,IAAI,WAAW,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAC;QACzC,wBAAwB;QACxB,IAAI,CAAC,GAAG,CACN;;0BAEoB,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,EAAE;oBACjE,EACd,cAAc,KAAK,SAAS;YAC1B,CAAC,CAAC,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,cAAc,EAAE,QAAQ,CAAC,EAAE,CAAC;YAClE,CAAC,CAAC,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,QAAQ,CAAC,EAAE,CAAC,CACrD,CAAC;QACF,OAAO;YACL,UAAU,EAAE,QAAQ,CAAC,EAAE;YACvB,cAAc,EAAE,QAAQ,CAAC,eAAe;YACxC,OAAO,EAAE,QAAQ,CAAC,QAAQ;YAC1B,MAAM,EAAE,WAAoB;YAC5B,GAAG,CAAC,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3D,YAAY;SACb,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,CAAC,GAAG,EAAE,CAAC;IACrD,IAAI,CAAC,GAAG,CACN;;;;OAIG,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,EAAE;kBAChD,EACd,cAAc,KAAK,SAAS;QAC1B,CAAC,CAAC,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,cAAc,EAAE,cAAc,EAAE,QAAQ,CAAC,EAAE,CAAC;QAC1F,CAAC,CAAC,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,cAAc,EAAE,QAAQ,CAAC,EAAE,CAAC,CAC7E,CAAC;IAEF,OAAO;QACL,UAAU,EAAE,QAAQ,CAAC,EAAE;QACvB,cAAc,EAAE,QAAQ,CAAC,eAAe;QACxC,OAAO,EAAE,QAAQ,CAAC,QAAQ;QAC1B,MAAM,EAAE,QAAiB;QACzB,GAAG,CAAC,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,YAAY;KACb,CAAC;AACJ,CAAC"}

package/dist/kernel/index.d.ts ADDED Viewed

@@ -0,0 +1,39 @@
+/**
+ * Kernel factory: createKernel and destroyKernel.
+ * S ref: C-07 (Object.freeze), C-06 (no shared mutable state), §3.3 (engine not framework)
+ *
+ * Phase: 1 (Kernel)
+ * The top-level entry point for the kernel module.
+ *
+ * C-07: Object.freeze on public API.
+ * C-06: Two createKernel() calls produce independent instances.
+ * §3.3: Engine, not framework -- consumer receives complete opaque object.
+ *
+ * Build order justification (SDD Section 7):
+ * 1. Database lifecycle (foundation)
+ * 2. Namespace enforcement (before tables)
+ * 3. Audit trail (before mutations)
+ * 4. Crypto (needed by audit + vault)
+ * 5. Event bus (needed by all modules)
+ * 6. RBAC + Rate limiter (needed by API)
+ * 7. Retention + Tenant + Config
+ */
+import type { Result, Kernel, KernelConfig } from './interfaces/index.js';
+/**
+ * Create an independent kernel instance.
+ * Returns a frozen object per C-07. Each call produces an independent instance per C-06.
+ *
+ * S ref: C-07 (Object.freeze), C-06 (no shared mutable state),
+ *        §3.3 (engine not framework), SDD FPD-7
+ */
+export declare function createKernel(config: KernelConfig): Result<Readonly<Kernel>>;
+/**
+ * Graceful shutdown: close kernel's internal database connection.
+ * CF-011: Properly closes the connection tracked during createKernel.
+ * Idempotent: calling destroyKernel twice is safe (second call is a no-op).
+ *
+ * S ref: I-05 (clean shutdown), §3.4 (WAL checkpoint)
+ */
+export declare function destroyKernel(kernel: Kernel): Result<void>;
+export type * from './interfaces/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/kernel/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/kernel/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EACV,MAAM,EAAE,MAAM,EAAE,YAAY,EAC7B,MAAM,uBAAuB,CAAC;AAqB/B;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CA2M3E;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,CA2B1D;AAGD,mBAAmB,uBAAuB,CAAC"}

package/dist/kernel/index.js ADDED Viewed

@@ -0,0 +1,263 @@
+/**
+ * Kernel factory: createKernel and destroyKernel.
+ * S ref: C-07 (Object.freeze), C-06 (no shared mutable state), §3.3 (engine not framework)
+ *
+ * Phase: 1 (Kernel)
+ * The top-level entry point for the kernel module.
+ *
+ * C-07: Object.freeze on public API.
+ * C-06: Two createKernel() calls produce independent instances.
+ * §3.3: Engine, not framework -- consumer receives complete opaque object.
+ *
+ * Build order justification (SDD Section 7):
+ * 1. Database lifecycle (foundation)
+ * 2. Namespace enforcement (before tables)
+ * 3. Audit trail (before mutations)
+ * 4. Crypto (needed by audit + vault)
+ * 5. Event bus (needed by all modules)
+ * 6. RBAC + Rate limiter (needed by API)
+ * 7. Retention + Tenant + Config
+ */
+import { createDatabaseLifecycle } from './database/database_lifecycle.js';
+// CF-011: Module-level connection tracker for destroyKernel.
+// WeakMap so that unreferenced kernels can be garbage-collected.
+// This avoids modifying the frozen Kernel interface while giving
+// destroyKernel access to the connection it needs to close.
+const kernelConnections = new WeakMap();
+import { getPhase1Migrations } from './database/migrations.js';
+import { createNamespaceEnforcer } from './namespace/namespace_enforcer.js';
+import { createAuditTrail } from './audit/audit_trail.js';
+import { createCryptoEngine, createVaultOperations, createStringEncryption } from './crypto/crypto_engine.js';
+import { createEventBus } from './events/event_bus.js';
+import { createRbacEngine } from './rbac/rbac_engine.js';
+import { createRateLimiter } from './rate_limiter/rate_limiter.js';
+import { createRetentionScheduler, DEFAULT_POLICIES } from './retention/retention_scheduler.js';
+import { createTenantContext } from './tenant/tenant_context.js';
+import { createSystemTimeProvider } from './time/time_provider.js';
+import { randomUUID } from 'node:crypto';
+/**
+ * Create an independent kernel instance.
+ * Returns a frozen object per C-07. Each call produces an independent instance per C-06.
+ *
+ * S ref: C-07 (Object.freeze), C-06 (no shared mutable state),
+ *        §3.3 (engine not framework), SDD FPD-7
+ */
+export function createKernel(config) {
+    try {
+        const time = createSystemTimeProvider();
+        const startTime = time.nowMs();
+        // ─── Build Order 1: Database lifecycle ───
+        const database = createDatabaseLifecycle();
+        const openResult = database.open({
+            dataDir: config.dataDir,
+            tenancy: config.tenancy,
+            ...(config.busyTimeoutMs !== undefined ? { busyTimeoutMs: config.busyTimeoutMs } : {}),
+        });
+        if (!openResult.ok)
+            return openResult;
+        const conn = openResult.value;
+        // ─── Build Order 2: Namespace enforcement ───
+        const namespace = createNamespaceEnforcer();
+        // Validate all migration SQL before applying
+        const migrations = getPhase1Migrations();
+        for (const migration of migrations) {
+            const validationResult = namespace.validateMigration(migration.sql);
+            if (!validationResult.ok) {
+                conn.close();
+                return validationResult;
+            }
+        }
+        // Run migrations
+        const migrateResult = database.migrate(conn, migrations);
+        if (!migrateResult.ok) {
+            conn.close();
+            return migrateResult;
+        }
+        // ─── Build Order 4: Crypto engine ───
+        // (Built before audit because audit needs sha256)
+        const crypto = createCryptoEngine();
+        const vault = createVaultOperations(crypto, config.masterKey);
+        // ─── Build Order 3: Audit trail ───
+        const audit = createAuditTrail(crypto.sha256);
+        // ─── Build Order 5: Event bus ───
+        // CF-010: Wire encryption adapter for webhook secret encryption at rest
+        const stringEncryption = createStringEncryption(crypto, config.masterKey);
+        const events = createEventBus(stringEncryption);
+        // ─── Build Order 6: RBAC + Rate limiter ───
+        // CF-006: Pass conn to restore RBAC active state from existing custom roles
+        const rbac = createRbacEngine(conn);
+        const rateLimiter = createRateLimiter();
+        // CF-005 / DEC-4D-001: Clean stale archive flag on startup.
+        // If kernel crashed mid-archive, the flag remains and the DELETE trigger is
+        // permanently disabled. Clean it unconditionally — archive() is transactional,
+        // so a stale flag means the archive didn't complete.
+        conn.run('DELETE FROM core_audit_archive_active');
+        // CF-035: Clean stale tombstone flag on startup (same rationale as archive flag).
+        // CF-011: Guard with try/catch — table is created by Phase 4D4 migration
+        // which may not have run yet on first startup.
+        try {
+            conn.run('DELETE FROM core_audit_tombstone_active');
+        }
+        catch {
+            // Table does not exist yet (first run before Phase 4D4 migrations).
+            // This is safe — no stale flag can exist if the table doesn't exist.
+        }
+        // Seed default roles in a transaction (I-03: mutation + audit in same txn)
+        conn.transaction(() => {
+            rbac.seedDefaultRoles(conn);
+            // Seed default retention policies
+            for (const policy of DEFAULT_POLICIES) {
+                const id = randomUUID();
+                conn.run(`INSERT INTO core_retention_policies (id, tenant_id, data_type, retention_days, action, enabled)
+           VALUES (?, NULL, ?, ?, ?, 1)
+           ON CONFLICT(tenant_id, data_type) DO NOTHING`, [id, policy.dataType, policy.retentionDays, policy.action]);
+            }
+            // Audit the kernel initialization
+            audit.append(conn, {
+                tenantId: null,
+                actorType: 'system',
+                actorId: 'kernel',
+                operation: 'kernel.initialized',
+                resourceType: 'kernel',
+                resourceId: 'kernel',
+                detail: {
+                    dataDir: config.dataDir,
+                    tenancyMode: config.tenancy.mode,
+                    schemaVersion: migrateResult.value.currentVersion,
+                    migrationsApplied: migrateResult.value.applied,
+                },
+            });
+        });
+        // ─── Build Order 7: Retention + Tenant ───
+        const retention = createRetentionScheduler(audit);
+        const tenant = createTenantContext(conn);
+        // ─── Assemble Kernel ───
+        const kernel = {
+            database,
+            audit,
+            crypto,
+            vault,
+            events,
+            rbac,
+            retention,
+            namespace,
+            tenant,
+            rateLimiter,
+            time,
+            /**
+             * Aggregated kernel health check.
+             * S ref: I-05 (database consistency), I-06 (audit chain valid)
+             */
+            health() {
+                try {
+                    // Database health
+                    const dbHealthResult = database.health(conn);
+                    if (!dbHealthResult.ok) {
+                        return {
+                            ok: true,
+                            value: {
+                                status: 'unhealthy',
+                                database: {
+                                    status: 'unhealthy',
+                                    walSize: 0,
+                                    pageCount: 0,
+                                    freePages: 0,
+                                    schemaVersion: 0,
+                                    integrityOk: false,
+                                },
+                                auditChainValid: false,
+                                migrationsCurrent: false,
+                                rbacActive: rbac.isActive(),
+                                uptimeMs: time.nowMs() - startTime,
+                            },
+                        };
+                    }
+                    // Audit chain verification
+                    const chainResult = audit.verifyChain(conn);
+                    const auditChainValid = chainResult.ok && chainResult.value.valid;
+                    // Schema verification
+                    const schemaResult = database.verifySchema(conn);
+                    const migrationsCurrent = schemaResult.ok && schemaResult.value.valid;
+                    const dbHealth = dbHealthResult.value;
+                    const status = dbHealth.integrityOk && auditChainValid && migrationsCurrent
+                        ? 'healthy'
+                        : dbHealth.integrityOk
+                            ? 'degraded'
+                            : 'unhealthy';
+                    return {
+                        ok: true,
+                        value: {
+                            status,
+                            database: dbHealth,
+                            auditChainValid,
+                            migrationsCurrent,
+                            rbacActive: rbac.isActive(),
+                            uptimeMs: time.nowMs() - startTime,
+                        },
+                    };
+                }
+                catch (err) {
+                    return {
+                        ok: false,
+                        error: {
+                            code: 'HEALTH_CHECK_FAILED',
+                            message: err instanceof Error ? err.message : String(err),
+                            spec: 'I-05',
+                        },
+                    };
+                }
+            },
+        };
+        // CF-011: Track connection for destroyKernel cleanup
+        kernelConnections.set(kernel, conn);
+        // C-07: Freeze the kernel object to prevent mutation
+        return { ok: true, value: Object.freeze(kernel) };
+    }
+    catch (err) {
+        return {
+            ok: false,
+            error: {
+                code: 'KERNEL_CREATE_FAILED',
+                message: err instanceof Error ? err.message : String(err),
+                spec: 'C-07, C-06, §3.3',
+            },
+        };
+    }
+}
+/**
+ * Graceful shutdown: close kernel's internal database connection.
+ * CF-011: Properly closes the connection tracked during createKernel.
+ * Idempotent: calling destroyKernel twice is safe (second call is a no-op).
+ *
+ * S ref: I-05 (clean shutdown), §3.4 (WAL checkpoint)
+ */
+export function destroyKernel(kernel) {
+    try {
+        const conn = kernelConnections.get(kernel);
+        if (conn) {
+            // WAL checkpoint before close: ensures all pending writes are flushed
+            // to the main database file. PASSIVE mode doesn't block readers.
+            try {
+                conn.run('PRAGMA wal_checkpoint(PASSIVE)');
+            }
+            catch {
+                // Checkpoint failure is non-fatal — SQLite will replay WAL on next open
+            }
+            conn.close();
+            kernelConnections.delete(kernel);
+        }
+        // If no connection found, kernel was already destroyed (idempotent).
+        return { ok: true, value: undefined };
+    }
+    catch (err) {
+        return {
+            ok: false,
+            error: {
+                code: 'KERNEL_DESTROY_FAILED',
+                message: err instanceof Error ? err.message : String(err),
+                spec: 'I-05',
+            },
+        };
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/kernel/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/kernel/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAMH,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAE3E,6DAA6D;AAC7D,iEAAiE;AACjE,iEAAiE;AACjE,4DAA4D;AAC5D,MAAM,iBAAiB,GAAG,IAAI,OAAO,EAA8B,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,uBAAuB,EAAE,MAAM,mCAAmC,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAC9G,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACnE,OAAO,EAAE,wBAAwB,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AAChG,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,MAAoB;IAC/C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,wBAAwB,EAAE,CAAC;QACxC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QAE/B,4CAA4C;QAC5C,MAAM,QAAQ,GAAG,uBAAuB,EAAE,CAAC;QAC3C,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC;YAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,GAAG,CAAC,MAAM,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACvF,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,CAAC,EAAE;YAAE,OAAO,UAAU,CAAC;QACtC,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC;QAE9B,+CAA+C;QAC/C,MAAM,SAAS,GAAG,uBAAuB,EAAE,CAAC;QAE5C,6CAA6C;QAC7C,MAAM,UAAU,GAAG,mBAAmB,EAAE,CAAC;QACzC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,MAAM,gBAAgB,GAAG,SAAS,CAAC,iBAAiB,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACpE,IAAI,CAAC,gBAAgB,CAAC,EAAE,EAAE,CAAC;gBACzB,IAAI,CAAC,KAAK,EAAE,CAAC;gBACb,OAAO,gBAAgB,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QACzD,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;YACtB,IAAI,CAAC,KAAK,EAAE,CAAC;YACb,OAAO,aAAa,CAAC;QACvB,CAAC;QAED,uCAAuC;QACvC,kDAAkD;QAClD,MAAM,MAAM,GAAG,kBAAkB,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,qBAAqB,CAAC,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QAE9D,qCAAqC;QACrC,MAAM,KAAK,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAE9C,mCAAmC;QACnC,wEAAwE;QACxE,MAAM,gBAAgB,GAAG,sBAAsB,CAAC,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QAC1E,MAAM,MAAM,GAAG,cAAc,CAAC,gBAAgB,CAAC,CAAC;QAEhD,6CAA6C;QAC7C,4EAA4E;QAC5E,MAAM,IAAI,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;QACpC,MAAM,WAAW,GAAG,iBAAiB,EAAE,CAAC;QAExC,4DAA4D;QAC5D,4EAA4E;QAC5E,+EAA+E;QAC/E,qDAAqD;QACrD,IAAI,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;QAElD,kFAAkF;QAClF,yEAAyE;QACzE,+CAA+C;QAC/C,IAAI,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,oEAAoE;YACpE,qEAAqE;QACvE,CAAC;QAED,2EAA2E;QAC3E,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE;YACpB,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;YAE5B,kCAAkC;YAClC,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;gBACtC,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;gBACxB,IAAI,CAAC,GAAG,CACN;;wDAE8C,EAC9C,CAAC,EAAE,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,CAC3D,CAAC;YACJ,CAAC;YAED,kCAAkC;YAClC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE;gBACjB,QAAQ,EAAE,IAAI;gBACd,SAAS,EAAE,QAAQ;gBACnB,OAAO,EAAE,QAAQ;gBACjB,SAAS,EAAE,oBAAoB;gBAC/B,YAAY,EAAE,QAAQ;gBACtB,UAAU,EAAE,QAAQ;gBACpB,MAAM,EAAE;oBACN,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI;oBAChC,aAAa,EAAE,aAAa,CAAC,KAAK,CAAC,cAAc;oBACjD,iBAAiB,EAAE,aAAa,CAAC,KAAK,CAAC,OAAO;iBAC/C;aACF,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,4CAA4C;QAC5C,MAAM,SAAS,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAC;QAClD,MAAM,MAAM,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAEzC,0BAA0B;QAC1B,MAAM,MAAM,GAAW;YACrB,QAAQ;YACR,KAAK;YACL,MAAM;YACN,KAAK;YACL,MAAM;YACN,IAAI;YACJ,SAAS;YACT,SAAS;YACT,MAAM;YACN,WAAW;YACX,IAAI;YAEJ;;;eAGG;YACH,MAAM;gBACJ,IAAI,CAAC;oBACH,kBAAkB;oBAClB,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;oBAC7C,IAAI,CAAC,cAAc,CAAC,EAAE,EAAE,CAAC;wBACvB,OAAO;4BACL,EAAE,EAAE,IAAI;4BACR,KAAK,EAAE;gCACL,MAAM,EAAE,WAAW;gCACnB,QAAQ,EAAE;oCACR,MAAM,EAAE,WAAW;oCACnB,OAAO,EAAE,CAAC;oCACV,SAAS,EAAE,CAAC;oCACZ,SAAS,EAAE,CAAC;oCACZ,aAAa,EAAE,CAAC;oCAChB,WAAW,EAAE,KAAK;iCACnB;gCACD,eAAe,EAAE,KAAK;gCACtB,iBAAiB,EAAE,KAAK;gCACxB,UAAU,EAAE,IAAI,CAAC,QAAQ,EAAE;gCAC3B,QAAQ,EAAE,IAAI,CAAC,KAAK,EAAE,GAAG,SAAS;6BACnC;yBACF,CAAC;oBACJ,CAAC;oBAED,2BAA2B;oBAC3B,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;oBAC5C,MAAM,eAAe,GAAG,WAAW,CAAC,EAAE,IAAI,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC;oBAElE,sBAAsB;oBACtB,MAAM,YAAY,GAAG,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;oBACjD,MAAM,iBAAiB,GAAG,YAAY,CAAC,EAAE,IAAI,YAAY,CAAC,KAAK,CAAC,KAAK,CAAC;oBAEtE,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC;oBACtC,MAAM,MAAM,GAAG,QAAQ,CAAC,WAAW,IAAI,eAAe,IAAI,iBAAiB;wBACzE,CAAC,CAAC,SAAS;wBACX,CAAC,CAAC,QAAQ,CAAC,WAAW;4BACpB,CAAC,CAAC,UAAU;4BACZ,CAAC,CAAC,WAAW,CAAC;oBAElB,OAAO;wBACL,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE;4BACL,MAAM;4BACN,QAAQ,EAAE,QAAQ;4BAClB,eAAe;4BACf,iBAAiB;4BACjB,UAAU,EAAE,IAAI,CAAC,QAAQ,EAAE;4BAC3B,QAAQ,EAAE,IAAI,CAAC,KAAK,EAAE,GAAG,SAAS;yBACnC;qBACF,CAAC;gBACJ,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,OAAO;wBACL,EAAE,EAAE,KAAK;wBACT,KAAK,EAAE;4BACL,IAAI,EAAE,qBAAqB;4BAC3B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;4BACzD,IAAI,EAAE,MAAM;yBACb;qBACF,CAAC;gBACJ,CAAC;YACH,CAAC;SACF,CAAC;QAEF,qDAAqD;QACrD,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAEpC,qDAAqD;QACrD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;IACpD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,sBAAsB;gBAC5B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;gBACzD,IAAI,EAAE,kBAAkB;aACzB;SACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,MAAc;IAC1C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,IAAI,EAAE,CAAC;YACT,sEAAsE;YACtE,iEAAiE;YACjE,IAAI,CAAC;gBACH,IAAI,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;YAC7C,CAAC;YAAC,MAAM,CAAC;gBACP,wEAAwE;YAC1E,CAAC;YAED,IAAI,CAAC,KAAK,EAAE,CAAC;YACb,iBAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACnC,CAAC;QACD,qEAAqE;QACrE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IACxC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,uBAAuB;gBAC7B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;gBACzD,IAAI,EAAE,MAAM;aACb;SACF,CAAC;IACJ,CAAC;AACH,CAAC"}