llm-trust-guard 4.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +318 -0
- package/dist/guards/agent-communication-guard.d.ts +169 -0
- package/dist/guards/agent-communication-guard.d.ts.map +1 -0
- package/dist/guards/agent-communication-guard.js +468 -0
- package/dist/guards/agent-communication-guard.js.map +1 -0
- package/dist/guards/autonomy-escalation-guard.d.ts +137 -0
- package/dist/guards/autonomy-escalation-guard.d.ts.map +1 -0
- package/dist/guards/autonomy-escalation-guard.js +470 -0
- package/dist/guards/autonomy-escalation-guard.js.map +1 -0
- package/dist/guards/circuit-breaker.d.ts +142 -0
- package/dist/guards/circuit-breaker.d.ts.map +1 -0
- package/dist/guards/circuit-breaker.js +347 -0
- package/dist/guards/circuit-breaker.js.map +1 -0
- package/dist/guards/code-execution-guard.d.ts +114 -0
- package/dist/guards/code-execution-guard.d.ts.map +1 -0
- package/dist/guards/code-execution-guard.js +467 -0
- package/dist/guards/code-execution-guard.js.map +1 -0
- package/dist/guards/conversation-guard.d.ts +73 -0
- package/dist/guards/conversation-guard.d.ts.map +1 -0
- package/dist/guards/conversation-guard.js +281 -0
- package/dist/guards/conversation-guard.js.map +1 -0
- package/dist/guards/drift-detector.d.ts +182 -0
- package/dist/guards/drift-detector.d.ts.map +1 -0
- package/dist/guards/drift-detector.js +480 -0
- package/dist/guards/drift-detector.js.map +1 -0
- package/dist/guards/encoding-detector.d.ts +76 -0
- package/dist/guards/encoding-detector.d.ts.map +1 -0
- package/dist/guards/encoding-detector.js +698 -0
- package/dist/guards/encoding-detector.js.map +1 -0
- package/dist/guards/execution-monitor.d.ts +73 -0
- package/dist/guards/execution-monitor.d.ts.map +1 -0
- package/dist/guards/execution-monitor.js +205 -0
- package/dist/guards/execution-monitor.js.map +1 -0
- package/dist/guards/input-sanitizer.d.ts +87 -0
- package/dist/guards/input-sanitizer.d.ts.map +1 -0
- package/dist/guards/input-sanitizer.js +301 -0
- package/dist/guards/input-sanitizer.js.map +1 -0
- package/dist/guards/mcp-security-guard.d.ts +204 -0
- package/dist/guards/mcp-security-guard.d.ts.map +1 -0
- package/dist/guards/mcp-security-guard.js +618 -0
- package/dist/guards/mcp-security-guard.js.map +1 -0
- package/dist/guards/memory-guard.d.ts +124 -0
- package/dist/guards/memory-guard.d.ts.map +1 -0
- package/dist/guards/memory-guard.js +476 -0
- package/dist/guards/memory-guard.js.map +1 -0
- package/dist/guards/multimodal-guard.d.ts +93 -0
- package/dist/guards/multimodal-guard.d.ts.map +1 -0
- package/dist/guards/multimodal-guard.js +507 -0
- package/dist/guards/multimodal-guard.js.map +1 -0
- package/dist/guards/output-filter.d.ts +76 -0
- package/dist/guards/output-filter.d.ts.map +1 -0
- package/dist/guards/output-filter.js +289 -0
- package/dist/guards/output-filter.js.map +1 -0
- package/dist/guards/policy-gate.d.ts +57 -0
- package/dist/guards/policy-gate.d.ts.map +1 -0
- package/dist/guards/policy-gate.js +182 -0
- package/dist/guards/policy-gate.js.map +1 -0
- package/dist/guards/prompt-leakage-guard.d.ts +110 -0
- package/dist/guards/prompt-leakage-guard.d.ts.map +1 -0
- package/dist/guards/prompt-leakage-guard.js +529 -0
- package/dist/guards/prompt-leakage-guard.js.map +1 -0
- package/dist/guards/rag-guard.d.ts +188 -0
- package/dist/guards/rag-guard.d.ts.map +1 -0
- package/dist/guards/rag-guard.js +769 -0
- package/dist/guards/rag-guard.js.map +1 -0
- package/dist/guards/schema-validator.d.ts +35 -0
- package/dist/guards/schema-validator.d.ts.map +1 -0
- package/dist/guards/schema-validator.js +316 -0
- package/dist/guards/schema-validator.js.map +1 -0
- package/dist/guards/state-persistence-guard.d.ts +153 -0
- package/dist/guards/state-persistence-guard.d.ts.map +1 -0
- package/dist/guards/state-persistence-guard.js +484 -0
- package/dist/guards/state-persistence-guard.js.map +1 -0
- package/dist/guards/tenant-boundary.d.ts +67 -0
- package/dist/guards/tenant-boundary.d.ts.map +1 -0
- package/dist/guards/tenant-boundary.js +187 -0
- package/dist/guards/tenant-boundary.js.map +1 -0
- package/dist/guards/tool-chain-validator.d.ts +102 -0
- package/dist/guards/tool-chain-validator.d.ts.map +1 -0
- package/dist/guards/tool-chain-validator.js +480 -0
- package/dist/guards/tool-chain-validator.js.map +1 -0
- package/dist/guards/tool-registry.d.ts +45 -0
- package/dist/guards/tool-registry.d.ts.map +1 -0
- package/dist/guards/tool-registry.js +155 -0
- package/dist/guards/tool-registry.js.map +1 -0
- package/dist/guards/trust-exploitation-guard.d.ts +134 -0
- package/dist/guards/trust-exploitation-guard.d.ts.map +1 -0
- package/dist/guards/trust-exploitation-guard.js +354 -0
- package/dist/guards/trust-exploitation-guard.js.map +1 -0
- package/dist/index.d.ts +133 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +430 -0
- package/dist/index.js.map +1 -0
- package/dist/integrations/express.d.ts +119 -0
- package/dist/integrations/express.d.ts.map +1 -0
- package/dist/integrations/express.js +244 -0
- package/dist/integrations/express.js.map +1 -0
- package/dist/integrations/index.d.ts +9 -0
- package/dist/integrations/index.d.ts.map +1 -0
- package/dist/integrations/index.js +26 -0
- package/dist/integrations/index.js.map +1 -0
- package/dist/integrations/langchain.d.ts +165 -0
- package/dist/integrations/langchain.d.ts.map +1 -0
- package/dist/integrations/langchain.js +308 -0
- package/dist/integrations/langchain.js.map +1 -0
- package/dist/integrations/openai.d.ts +205 -0
- package/dist/integrations/openai.d.ts.map +1 -0
- package/dist/integrations/openai.js +380 -0
- package/dist/integrations/openai.js.map +1 -0
- package/dist/types/index.d.ts +245 -0
- package/dist/types/index.d.ts.map +1 -0
- package/dist/types/index.js +6 -0
- package/dist/types/index.js.map +1 -0
- package/package.json +64 -0
|
@@ -0,0 +1,618 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* MCPSecurityGuard (L16)
|
|
4
|
+
*
|
|
5
|
+
* Secures Model Context Protocol (MCP) tool integrations.
|
|
6
|
+
* Prevents tool shadowing, server impersonation, and supply chain attacks.
|
|
7
|
+
*
|
|
8
|
+
* Threat Model:
|
|
9
|
+
* - ASI04: Agentic Supply Chain Vulnerabilities
|
|
10
|
+
* - CVE-2025-68145, CVE-2025-68143, CVE-2025-68144: MCP RCE vulnerabilities
|
|
11
|
+
* - CVE-2025-6514: mcp-remote command injection
|
|
12
|
+
* - CVE-2025-32711: EchoLeak - silent data exfiltration
|
|
13
|
+
* - Tool Shadowing: Malicious MCP servers impersonating legitimate tools
|
|
14
|
+
*
|
|
15
|
+
* Protection Capabilities:
|
|
16
|
+
* - MCP server identity verification (signature-based)
|
|
17
|
+
* - Tool registration allowlist enforcement
|
|
18
|
+
* - Dynamic tool registration monitoring
|
|
19
|
+
* - OAuth endpoint validation
|
|
20
|
+
* - Tool shadowing detection
|
|
21
|
+
* - Server reputation scoring
|
|
22
|
+
* - Command injection prevention
|
|
23
|
+
*/
|
|
24
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
25
|
+
if (k2 === undefined) k2 = k;
|
|
26
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
27
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
28
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
29
|
+
}
|
|
30
|
+
Object.defineProperty(o, k2, desc);
|
|
31
|
+
}) : (function(o, m, k, k2) {
|
|
32
|
+
if (k2 === undefined) k2 = k;
|
|
33
|
+
o[k2] = m[k];
|
|
34
|
+
}));
|
|
35
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
36
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
37
|
+
}) : function(o, v) {
|
|
38
|
+
o["default"] = v;
|
|
39
|
+
});
|
|
40
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
41
|
+
var ownKeys = function(o) {
|
|
42
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
43
|
+
var ar = [];
|
|
44
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
45
|
+
return ar;
|
|
46
|
+
};
|
|
47
|
+
return ownKeys(o);
|
|
48
|
+
};
|
|
49
|
+
return function (mod) {
|
|
50
|
+
if (mod && mod.__esModule) return mod;
|
|
51
|
+
var result = {};
|
|
52
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
53
|
+
__setModuleDefault(result, mod);
|
|
54
|
+
return result;
|
|
55
|
+
};
|
|
56
|
+
})();
|
|
57
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
58
|
+
exports.MCPSecurityGuard = void 0;
|
|
59
|
+
const crypto = __importStar(require("crypto"));
|
|
60
|
+
class MCPSecurityGuard {
|
|
61
|
+
constructor(config = {}) {
|
|
62
|
+
this.registeredServers = new Map();
|
|
63
|
+
this.registeredTools = new Map();
|
|
64
|
+
this.serverReputation = new Map();
|
|
65
|
+
this.toolToServer = new Map(); // tool name -> server ID
|
|
66
|
+
this.serverViolations = new Map();
|
|
67
|
+
// Command injection patterns (based on CVE-2025-6514 and similar)
|
|
68
|
+
this.COMMAND_INJECTION_PATTERNS = [
|
|
69
|
+
// Shell command injection
|
|
70
|
+
{ name: "shell_injection", pattern: /[;&|`$]|\$\(|\)\s*[;&|]|`[^`]+`/g, severity: 50 },
|
|
71
|
+
{ name: "command_substitution", pattern: /\$\{[^}]+\}|\$\([^)]+\)/g, severity: 50 },
|
|
72
|
+
{ name: "pipe_injection", pattern: /\|\s*(cat|rm|curl|wget|nc|bash|sh|exec)/i, severity: 55 },
|
|
73
|
+
// Path traversal
|
|
74
|
+
{ name: "path_traversal", pattern: /\.\.[\/\\]|\.\.%2[fF]/g, severity: 45 },
|
|
75
|
+
{ name: "absolute_path", pattern: /^\/(?:etc|usr|var|tmp|bin|root)/i, severity: 40 },
|
|
76
|
+
// URL-based injection (for OAuth endpoints)
|
|
77
|
+
{ name: "oauth_injection", pattern: /authorization_endpoint.*[;&|`$]/i, severity: 55 },
|
|
78
|
+
{ name: "redirect_manipulation", pattern: /redirect_uri.*[^\w\-_.~:/?#[\]@!$&'()*+,;=%]/i, severity: 45 },
|
|
79
|
+
// AppleScript injection (CVE-2025-68145 style)
|
|
80
|
+
{ name: "applescript_injection", pattern: /osascript|do\s+shell\s+script|tell\s+application/i, severity: 55 },
|
|
81
|
+
// Git-specific injection patterns
|
|
82
|
+
{ name: "git_injection", pattern: /--upload-pack|--receive-pack|-c\s+core\./i, severity: 50 },
|
|
83
|
+
{ name: "git_url_injection", pattern: /ext::|file:\/\/|ssh:\/\/.*@/i, severity: 45 },
|
|
84
|
+
// Argument injection
|
|
85
|
+
{ name: "argument_injection", pattern: /\s--[a-z]+=.*[;&|`$]/i, severity: 45 },
|
|
86
|
+
// Environment variable injection
|
|
87
|
+
{ name: "env_injection", pattern: /\bLD_PRELOAD\b|\bPATH\s*=/i, severity: 50 },
|
|
88
|
+
];
|
|
89
|
+
// Tool shadowing indicators
|
|
90
|
+
this.SHADOWING_INDICATORS = [
|
|
91
|
+
// Similar names to common legitimate tools
|
|
92
|
+
{ legitimate: "file_reader", suspicious: /file[-_]?read(er)?s?|read[-_]?files?/i },
|
|
93
|
+
{ legitimate: "database_query", suspicious: /db[-_]?query|sql[-_]?query|query[-_]?db/i },
|
|
94
|
+
{ legitimate: "email_sender", suspicious: /send[-_]?emails?|email[-_]?send(er)?/i },
|
|
95
|
+
{ legitimate: "api_caller", suspicious: /call[-_]?api|api[-_]?call(er)?/i },
|
|
96
|
+
{ legitimate: "code_executor", suspicious: /exec[-_]?code|run[-_]?code|code[-_]?run/i },
|
|
97
|
+
];
|
|
98
|
+
// Malicious server patterns
|
|
99
|
+
this.MALICIOUS_SERVER_PATTERNS = [
|
|
100
|
+
/postmark-mcp.*fake/i, // Known npm impersonation attack
|
|
101
|
+
/unofficial/i,
|
|
102
|
+
/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/, // IP-based servers
|
|
103
|
+
/pastebin|gist\.github/i,
|
|
104
|
+
/temp|tmp|test.*mcp/i,
|
|
105
|
+
];
|
|
106
|
+
this.config = {
|
|
107
|
+
requireServerSignature: config.requireServerSignature ?? false,
|
|
108
|
+
trustedServers: config.trustedServers ?? [],
|
|
109
|
+
blockedServers: config.blockedServers ?? [],
|
|
110
|
+
allowDynamicRegistration: config.allowDynamicRegistration ?? true,
|
|
111
|
+
toolAllowlist: config.toolAllowlist ?? [],
|
|
112
|
+
toolBlocklist: config.toolBlocklist ?? [],
|
|
113
|
+
validateOAuthEndpoints: config.validateOAuthEndpoints ?? true,
|
|
114
|
+
allowedOAuthDomains: config.allowedOAuthDomains ?? [],
|
|
115
|
+
detectToolShadowing: config.detectToolShadowing ?? true,
|
|
116
|
+
minServerReputation: config.minServerReputation ?? 30,
|
|
117
|
+
strictMode: config.strictMode ?? false,
|
|
118
|
+
customInjectionPatterns: config.customInjectionPatterns ?? [],
|
|
119
|
+
};
|
|
120
|
+
// Pre-register trusted servers
|
|
121
|
+
for (const server of this.config.trustedServers) {
|
|
122
|
+
this.registeredServers.set(server.serverId, {
|
|
123
|
+
...server,
|
|
124
|
+
registeredAt: Date.now(),
|
|
125
|
+
reputationScore: server.reputationScore ?? 90,
|
|
126
|
+
});
|
|
127
|
+
this.serverReputation.set(server.serverId, server.reputationScore ?? 90);
|
|
128
|
+
}
|
|
129
|
+
}
|
|
130
|
+
/**
|
|
131
|
+
* Validate MCP server registration
|
|
132
|
+
*/
|
|
133
|
+
validateServerRegistration(registration, requestId) {
|
|
134
|
+
const reqId = requestId || `mcp-reg-${Date.now()}`;
|
|
135
|
+
const violations = [];
|
|
136
|
+
let serverVerified = false;
|
|
137
|
+
let signatureValid = false;
|
|
138
|
+
let isShadowing = false;
|
|
139
|
+
let toolsAllowed = true;
|
|
140
|
+
let reputationScore = 50; // Neutral starting point
|
|
141
|
+
const { server, tools, oauth, signature, timestamp } = registration;
|
|
142
|
+
// Check if server is blocked
|
|
143
|
+
if (this.isServerBlocked(server.serverId, server.name)) {
|
|
144
|
+
violations.push("server_blocked");
|
|
145
|
+
reputationScore = 0;
|
|
146
|
+
}
|
|
147
|
+
// Check for malicious server patterns
|
|
148
|
+
const maliciousCheck = this.checkMaliciousPatterns(server);
|
|
149
|
+
if (maliciousCheck.suspicious) {
|
|
150
|
+
violations.push(...maliciousCheck.violations);
|
|
151
|
+
reputationScore -= 30;
|
|
152
|
+
}
|
|
153
|
+
// Verify server signature if required
|
|
154
|
+
if (this.config.requireServerSignature) {
|
|
155
|
+
if (!signature || !server.publicKey) {
|
|
156
|
+
violations.push("missing_server_signature");
|
|
157
|
+
}
|
|
158
|
+
else {
|
|
159
|
+
signatureValid = this.verifyServerSignature(server, signature);
|
|
160
|
+
if (!signatureValid) {
|
|
161
|
+
violations.push("invalid_server_signature");
|
|
162
|
+
reputationScore -= 40;
|
|
163
|
+
}
|
|
164
|
+
else {
|
|
165
|
+
serverVerified = true;
|
|
166
|
+
reputationScore += 20;
|
|
167
|
+
}
|
|
168
|
+
}
|
|
169
|
+
}
|
|
170
|
+
else {
|
|
171
|
+
// No signature required, basic verification
|
|
172
|
+
serverVerified = true;
|
|
173
|
+
}
|
|
174
|
+
// Check for tool shadowing
|
|
175
|
+
if (this.config.detectToolShadowing) {
|
|
176
|
+
const shadowingCheck = this.detectToolShadowing(tools, server.serverId);
|
|
177
|
+
if (shadowingCheck.detected) {
|
|
178
|
+
isShadowing = true;
|
|
179
|
+
violations.push(...shadowingCheck.violations);
|
|
180
|
+
reputationScore -= 50;
|
|
181
|
+
}
|
|
182
|
+
}
|
|
183
|
+
// Validate tools
|
|
184
|
+
for (const tool of tools) {
|
|
185
|
+
// Check tool allowlist/blocklist
|
|
186
|
+
if (this.config.toolAllowlist.length > 0 && !this.config.toolAllowlist.includes(tool.name)) {
|
|
187
|
+
violations.push(`tool_not_in_allowlist: ${tool.name}`);
|
|
188
|
+
toolsAllowed = false;
|
|
189
|
+
}
|
|
190
|
+
if (this.config.toolBlocklist.includes(tool.name)) {
|
|
191
|
+
violations.push(`tool_blocked: ${tool.name}`);
|
|
192
|
+
toolsAllowed = false;
|
|
193
|
+
}
|
|
194
|
+
// Check for injection in tool description
|
|
195
|
+
const descInjection = this.detectInjection(tool.description);
|
|
196
|
+
if (descInjection.detected) {
|
|
197
|
+
violations.push(`injection_in_tool_description: ${tool.name}`);
|
|
198
|
+
reputationScore -= 20;
|
|
199
|
+
}
|
|
200
|
+
}
|
|
201
|
+
// Validate OAuth endpoints if present
|
|
202
|
+
if (oauth && this.config.validateOAuthEndpoints) {
|
|
203
|
+
const oauthCheck = this.validateOAuthConfig(oauth);
|
|
204
|
+
if (!oauthCheck.valid) {
|
|
205
|
+
violations.push(...oauthCheck.violations);
|
|
206
|
+
reputationScore -= 30;
|
|
207
|
+
}
|
|
208
|
+
}
|
|
209
|
+
// Check timestamp (prevent replay attacks)
|
|
210
|
+
const age = Date.now() - timestamp;
|
|
211
|
+
if (age < 0) {
|
|
212
|
+
violations.push("future_timestamp");
|
|
213
|
+
}
|
|
214
|
+
else if (age > 5 * 60 * 1000) { // 5 minutes
|
|
215
|
+
violations.push("stale_registration");
|
|
216
|
+
}
|
|
217
|
+
// Check dynamic registration policy
|
|
218
|
+
if (!this.config.allowDynamicRegistration && !this.isTrustedServer(server.serverId)) {
|
|
219
|
+
violations.push("dynamic_registration_disabled");
|
|
220
|
+
}
|
|
221
|
+
// Final reputation score
|
|
222
|
+
reputationScore = Math.max(0, Math.min(100, reputationScore));
|
|
223
|
+
const blocked = reputationScore < this.config.minServerReputation ||
|
|
224
|
+
(this.config.strictMode && violations.length > 0) ||
|
|
225
|
+
isShadowing;
|
|
226
|
+
// Register server if allowed
|
|
227
|
+
if (!blocked) {
|
|
228
|
+
this.registerServer(server, tools, reputationScore);
|
|
229
|
+
}
|
|
230
|
+
return {
|
|
231
|
+
allowed: !blocked,
|
|
232
|
+
reason: blocked
|
|
233
|
+
? `Server registration blocked: ${violations.slice(0, 3).join(", ")}`
|
|
234
|
+
: "Server registration validated",
|
|
235
|
+
violations,
|
|
236
|
+
request_id: reqId,
|
|
237
|
+
server_analysis: {
|
|
238
|
+
server_verified: serverVerified,
|
|
239
|
+
signature_valid: signatureValid,
|
|
240
|
+
reputation_score: reputationScore,
|
|
241
|
+
is_shadowing: isShadowing,
|
|
242
|
+
tools_allowed: toolsAllowed,
|
|
243
|
+
},
|
|
244
|
+
recommendations: this.generateRecommendations(violations, "registration"),
|
|
245
|
+
};
|
|
246
|
+
}
|
|
247
|
+
/**
|
|
248
|
+
* Validate MCP tool call
|
|
249
|
+
*/
|
|
250
|
+
validateToolCall(toolCall, requestId) {
|
|
251
|
+
const reqId = requestId || `mcp-call-${Date.now()}`;
|
|
252
|
+
const violations = [];
|
|
253
|
+
let toolRegistered = false;
|
|
254
|
+
let toolAllowed = true;
|
|
255
|
+
let parametersSafe = true;
|
|
256
|
+
let injectionDetected = false;
|
|
257
|
+
let riskLevel = "low";
|
|
258
|
+
const { toolName, serverId, parameters } = toolCall;
|
|
259
|
+
// Check if tool is registered
|
|
260
|
+
const tool = this.registeredTools.get(toolName);
|
|
261
|
+
if (tool) {
|
|
262
|
+
toolRegistered = true;
|
|
263
|
+
riskLevel = tool.riskLevel || "low";
|
|
264
|
+
// Verify tool belongs to the claimed server
|
|
265
|
+
const expectedServer = this.toolToServer.get(toolName);
|
|
266
|
+
if (expectedServer && expectedServer !== serverId) {
|
|
267
|
+
violations.push("server_tool_mismatch");
|
|
268
|
+
injectionDetected = true; // Possible tool shadowing attack
|
|
269
|
+
}
|
|
270
|
+
}
|
|
271
|
+
else {
|
|
272
|
+
violations.push("tool_not_registered");
|
|
273
|
+
}
|
|
274
|
+
// Check server reputation
|
|
275
|
+
const serverRep = this.serverReputation.get(serverId) ?? 0;
|
|
276
|
+
if (serverRep < this.config.minServerReputation) {
|
|
277
|
+
violations.push("low_server_reputation");
|
|
278
|
+
}
|
|
279
|
+
// Check tool allowlist/blocklist
|
|
280
|
+
if (this.config.toolAllowlist.length > 0 && !this.config.toolAllowlist.includes(toolName)) {
|
|
281
|
+
violations.push("tool_not_in_allowlist");
|
|
282
|
+
toolAllowed = false;
|
|
283
|
+
}
|
|
284
|
+
if (this.config.toolBlocklist.includes(toolName)) {
|
|
285
|
+
violations.push("tool_blocked");
|
|
286
|
+
toolAllowed = false;
|
|
287
|
+
}
|
|
288
|
+
// Scan parameters for injection
|
|
289
|
+
const paramCheck = this.scanParameters(parameters);
|
|
290
|
+
if (paramCheck.injectionDetected) {
|
|
291
|
+
injectionDetected = true;
|
|
292
|
+
parametersSafe = false;
|
|
293
|
+
violations.push(...paramCheck.violations);
|
|
294
|
+
}
|
|
295
|
+
// Check for high-risk operations without verification
|
|
296
|
+
if (this.isHighRiskOperation(toolName, parameters)) {
|
|
297
|
+
riskLevel = "high";
|
|
298
|
+
if (serverRep < 70) {
|
|
299
|
+
violations.push("high_risk_low_reputation");
|
|
300
|
+
}
|
|
301
|
+
}
|
|
302
|
+
// Update server violation count
|
|
303
|
+
if (violations.length > 0) {
|
|
304
|
+
const currentViolations = this.serverViolations.get(serverId) || 0;
|
|
305
|
+
this.serverViolations.set(serverId, currentViolations + violations.length);
|
|
306
|
+
// Degrade reputation
|
|
307
|
+
const currentRep = this.serverReputation.get(serverId) || 50;
|
|
308
|
+
this.serverReputation.set(serverId, Math.max(0, currentRep - violations.length * 5));
|
|
309
|
+
}
|
|
310
|
+
const blocked = !toolRegistered ||
|
|
311
|
+
!toolAllowed ||
|
|
312
|
+
injectionDetected ||
|
|
313
|
+
(this.config.strictMode && violations.length > 0);
|
|
314
|
+
return {
|
|
315
|
+
allowed: !blocked,
|
|
316
|
+
reason: blocked
|
|
317
|
+
? `Tool call blocked: ${violations.slice(0, 3).join(", ")}`
|
|
318
|
+
: "Tool call validated",
|
|
319
|
+
violations,
|
|
320
|
+
request_id: reqId,
|
|
321
|
+
tool_analysis: {
|
|
322
|
+
tool_registered: toolRegistered,
|
|
323
|
+
tool_allowed: toolAllowed,
|
|
324
|
+
parameters_safe: parametersSafe,
|
|
325
|
+
injection_detected: injectionDetected,
|
|
326
|
+
risk_level: riskLevel,
|
|
327
|
+
},
|
|
328
|
+
server_analysis: {
|
|
329
|
+
server_verified: this.registeredServers.has(serverId),
|
|
330
|
+
signature_valid: true, // Already validated at registration
|
|
331
|
+
reputation_score: serverRep,
|
|
332
|
+
is_shadowing: false,
|
|
333
|
+
tools_allowed: toolAllowed,
|
|
334
|
+
},
|
|
335
|
+
recommendations: this.generateRecommendations(violations, "tool_call"),
|
|
336
|
+
};
|
|
337
|
+
}
|
|
338
|
+
/**
|
|
339
|
+
* Register a trusted MCP server
|
|
340
|
+
*/
|
|
341
|
+
registerTrustedServer(server, tools) {
|
|
342
|
+
this.registerServer(server, tools, 90);
|
|
343
|
+
}
|
|
344
|
+
/**
|
|
345
|
+
* Block an MCP server
|
|
346
|
+
*/
|
|
347
|
+
blockServer(serverIdOrPattern) {
|
|
348
|
+
if (!this.config.blockedServers.includes(serverIdOrPattern)) {
|
|
349
|
+
this.config.blockedServers.push(serverIdOrPattern);
|
|
350
|
+
}
|
|
351
|
+
// Remove from registered if exists
|
|
352
|
+
this.registeredServers.delete(serverIdOrPattern);
|
|
353
|
+
this.serverReputation.set(serverIdOrPattern, 0);
|
|
354
|
+
}
|
|
355
|
+
/**
|
|
356
|
+
* Get server reputation
|
|
357
|
+
*/
|
|
358
|
+
getServerReputation(serverId) {
|
|
359
|
+
return this.serverReputation.get(serverId) ?? 0;
|
|
360
|
+
}
|
|
361
|
+
/**
|
|
362
|
+
* Update server reputation
|
|
363
|
+
*/
|
|
364
|
+
updateServerReputation(serverId, delta) {
|
|
365
|
+
const current = this.serverReputation.get(serverId) ?? 50;
|
|
366
|
+
this.serverReputation.set(serverId, Math.max(0, Math.min(100, current + delta)));
|
|
367
|
+
}
|
|
368
|
+
/**
|
|
369
|
+
* Get all registered servers
|
|
370
|
+
*/
|
|
371
|
+
getRegisteredServers() {
|
|
372
|
+
return [...this.registeredServers.values()];
|
|
373
|
+
}
|
|
374
|
+
/**
|
|
375
|
+
* Get all registered tools
|
|
376
|
+
*/
|
|
377
|
+
getRegisteredTools() {
|
|
378
|
+
return [...this.registeredTools.values()];
|
|
379
|
+
}
|
|
380
|
+
/**
|
|
381
|
+
* Check if a tool name is potentially shadowing another
|
|
382
|
+
*/
|
|
383
|
+
isToolShadowing(toolName) {
|
|
384
|
+
for (const indicator of this.SHADOWING_INDICATORS) {
|
|
385
|
+
if (indicator.suspicious.test(toolName) && toolName !== indicator.legitimate) {
|
|
386
|
+
return { shadowing: true, legitimate: indicator.legitimate };
|
|
387
|
+
}
|
|
388
|
+
}
|
|
389
|
+
return { shadowing: false };
|
|
390
|
+
}
|
|
391
|
+
/**
|
|
392
|
+
* Get violation count for a server
|
|
393
|
+
*/
|
|
394
|
+
getServerViolations(serverId) {
|
|
395
|
+
return this.serverViolations.get(serverId) || 0;
|
|
396
|
+
}
|
|
397
|
+
/**
|
|
398
|
+
* Reset server violations
|
|
399
|
+
*/
|
|
400
|
+
resetServerViolations(serverId) {
|
|
401
|
+
this.serverViolations.delete(serverId);
|
|
402
|
+
}
|
|
403
|
+
// Private methods
|
|
404
|
+
registerServer(server, tools, reputation) {
|
|
405
|
+
this.registeredServers.set(server.serverId, {
|
|
406
|
+
...server,
|
|
407
|
+
registeredAt: Date.now(),
|
|
408
|
+
reputationScore: reputation,
|
|
409
|
+
});
|
|
410
|
+
this.serverReputation.set(server.serverId, reputation);
|
|
411
|
+
// Register tools
|
|
412
|
+
for (const tool of tools) {
|
|
413
|
+
this.registeredTools.set(tool.name, tool);
|
|
414
|
+
this.toolToServer.set(tool.name, server.serverId);
|
|
415
|
+
}
|
|
416
|
+
}
|
|
417
|
+
isServerBlocked(serverId, serverName) {
|
|
418
|
+
for (const blocked of this.config.blockedServers) {
|
|
419
|
+
if (serverId.includes(blocked) || (serverName && serverName.includes(blocked))) {
|
|
420
|
+
return true;
|
|
421
|
+
}
|
|
422
|
+
try {
|
|
423
|
+
const regex = new RegExp(blocked, "i");
|
|
424
|
+
if (regex.test(serverId) || (serverName && regex.test(serverName))) {
|
|
425
|
+
return true;
|
|
426
|
+
}
|
|
427
|
+
}
|
|
428
|
+
catch {
|
|
429
|
+
// Invalid regex, treat as string
|
|
430
|
+
}
|
|
431
|
+
}
|
|
432
|
+
return false;
|
|
433
|
+
}
|
|
434
|
+
isTrustedServer(serverId) {
|
|
435
|
+
return this.config.trustedServers.some((s) => s.serverId === serverId);
|
|
436
|
+
}
|
|
437
|
+
checkMaliciousPatterns(server) {
|
|
438
|
+
const violations = [];
|
|
439
|
+
const checkStr = `${server.serverId} ${server.name} ${JSON.stringify(server.metadata || {})}`;
|
|
440
|
+
for (const pattern of this.MALICIOUS_SERVER_PATTERNS) {
|
|
441
|
+
if (pattern.test(checkStr)) {
|
|
442
|
+
violations.push(`malicious_pattern: ${pattern.source.substring(0, 20)}`);
|
|
443
|
+
}
|
|
444
|
+
}
|
|
445
|
+
return {
|
|
446
|
+
suspicious: violations.length > 0,
|
|
447
|
+
violations,
|
|
448
|
+
};
|
|
449
|
+
}
|
|
450
|
+
verifyServerSignature(server, signature) {
|
|
451
|
+
if (!server.publicKey)
|
|
452
|
+
return false;
|
|
453
|
+
try {
|
|
454
|
+
const data = JSON.stringify({
|
|
455
|
+
serverId: server.serverId,
|
|
456
|
+
name: server.name,
|
|
457
|
+
version: server.version,
|
|
458
|
+
});
|
|
459
|
+
const verify = crypto.createVerify("SHA256");
|
|
460
|
+
verify.update(data);
|
|
461
|
+
return verify.verify(server.publicKey, signature, "hex");
|
|
462
|
+
}
|
|
463
|
+
catch {
|
|
464
|
+
return false;
|
|
465
|
+
}
|
|
466
|
+
}
|
|
467
|
+
detectToolShadowing(tools, serverId) {
|
|
468
|
+
const violations = [];
|
|
469
|
+
for (const tool of tools) {
|
|
470
|
+
// Check if this tool name is already registered by another server
|
|
471
|
+
const existingServer = this.toolToServer.get(tool.name);
|
|
472
|
+
if (existingServer && existingServer !== serverId) {
|
|
473
|
+
violations.push(`tool_shadowing: ${tool.name} (already registered by ${existingServer})`);
|
|
474
|
+
}
|
|
475
|
+
// Check for suspicious similar names
|
|
476
|
+
const shadowCheck = this.isToolShadowing(tool.name);
|
|
477
|
+
if (shadowCheck.shadowing) {
|
|
478
|
+
violations.push(`suspicious_tool_name: ${tool.name} (similar to ${shadowCheck.legitimate})`);
|
|
479
|
+
}
|
|
480
|
+
}
|
|
481
|
+
return {
|
|
482
|
+
detected: violations.length > 0,
|
|
483
|
+
violations,
|
|
484
|
+
};
|
|
485
|
+
}
|
|
486
|
+
validateOAuthConfig(oauth) {
|
|
487
|
+
const violations = [];
|
|
488
|
+
// Check authorization endpoint for injection (CVE-2025-6514)
|
|
489
|
+
if (oauth.authorizationEndpoint) {
|
|
490
|
+
const injection = this.detectInjection(oauth.authorizationEndpoint);
|
|
491
|
+
if (injection.detected) {
|
|
492
|
+
violations.push("oauth_authorization_endpoint_injection");
|
|
493
|
+
}
|
|
494
|
+
// Check domain allowlist
|
|
495
|
+
if (this.config.allowedOAuthDomains.length > 0) {
|
|
496
|
+
try {
|
|
497
|
+
const url = new URL(oauth.authorizationEndpoint);
|
|
498
|
+
const domainAllowed = this.config.allowedOAuthDomains.some((d) => url.hostname.endsWith(d));
|
|
499
|
+
if (!domainAllowed) {
|
|
500
|
+
violations.push(`oauth_domain_not_allowed: ${url.hostname}`);
|
|
501
|
+
}
|
|
502
|
+
}
|
|
503
|
+
catch {
|
|
504
|
+
violations.push("invalid_oauth_authorization_url");
|
|
505
|
+
}
|
|
506
|
+
}
|
|
507
|
+
}
|
|
508
|
+
// Check token endpoint
|
|
509
|
+
if (oauth.tokenEndpoint) {
|
|
510
|
+
const injection = this.detectInjection(oauth.tokenEndpoint);
|
|
511
|
+
if (injection.detected) {
|
|
512
|
+
violations.push("oauth_token_endpoint_injection");
|
|
513
|
+
}
|
|
514
|
+
}
|
|
515
|
+
return {
|
|
516
|
+
valid: violations.length === 0,
|
|
517
|
+
violations,
|
|
518
|
+
};
|
|
519
|
+
}
|
|
520
|
+
detectInjection(value) {
|
|
521
|
+
const patterns = [];
|
|
522
|
+
const allPatterns = [...this.COMMAND_INJECTION_PATTERNS, ...this.config.customInjectionPatterns.map((p, i) => ({
|
|
523
|
+
name: `custom_${i}`,
|
|
524
|
+
pattern: p,
|
|
525
|
+
severity: 50,
|
|
526
|
+
}))];
|
|
527
|
+
for (const { name, pattern } of allPatterns) {
|
|
528
|
+
if (pattern.test(value)) {
|
|
529
|
+
patterns.push(name);
|
|
530
|
+
}
|
|
531
|
+
}
|
|
532
|
+
return {
|
|
533
|
+
detected: patterns.length > 0,
|
|
534
|
+
patterns,
|
|
535
|
+
};
|
|
536
|
+
}
|
|
537
|
+
scanParameters(parameters) {
|
|
538
|
+
const violations = [];
|
|
539
|
+
const paramStr = JSON.stringify(parameters);
|
|
540
|
+
// Check for command injection in parameter values
|
|
541
|
+
const injection = this.detectInjection(paramStr);
|
|
542
|
+
if (injection.detected) {
|
|
543
|
+
violations.push(...injection.patterns.map((p) => `param_injection_${p}`));
|
|
544
|
+
}
|
|
545
|
+
// Check for excessively long values (potential DoS or buffer overflow)
|
|
546
|
+
for (const [key, value] of Object.entries(parameters)) {
|
|
547
|
+
if (typeof value === "string" && value.length > 10000) {
|
|
548
|
+
violations.push(`oversized_parameter: ${key}`);
|
|
549
|
+
}
|
|
550
|
+
}
|
|
551
|
+
// Check for suspicious keys
|
|
552
|
+
const suspiciousKeys = ["__proto__", "constructor", "prototype", "eval", "exec"];
|
|
553
|
+
for (const key of Object.keys(parameters)) {
|
|
554
|
+
if (suspiciousKeys.includes(key.toLowerCase())) {
|
|
555
|
+
violations.push(`suspicious_parameter_key: ${key}`);
|
|
556
|
+
}
|
|
557
|
+
}
|
|
558
|
+
return {
|
|
559
|
+
injectionDetected: violations.length > 0,
|
|
560
|
+
violations,
|
|
561
|
+
};
|
|
562
|
+
}
|
|
563
|
+
isHighRiskOperation(toolName, parameters) {
|
|
564
|
+
const highRiskTools = [
|
|
565
|
+
"execute_code", "run_command", "shell_exec", "eval",
|
|
566
|
+
"file_write", "file_delete", "database_write", "database_delete",
|
|
567
|
+
"send_email", "make_payment", "transfer_funds",
|
|
568
|
+
"modify_permissions", "create_user", "delete_user",
|
|
569
|
+
];
|
|
570
|
+
const toolLower = toolName.toLowerCase();
|
|
571
|
+
if (highRiskTools.some((t) => toolLower.includes(t))) {
|
|
572
|
+
return true;
|
|
573
|
+
}
|
|
574
|
+
// Check parameters for high-risk indicators
|
|
575
|
+
const paramStr = JSON.stringify(parameters).toLowerCase();
|
|
576
|
+
if (paramStr.includes("delete") || paramStr.includes("drop") ||
|
|
577
|
+
paramStr.includes("truncate") || paramStr.includes("exec")) {
|
|
578
|
+
return true;
|
|
579
|
+
}
|
|
580
|
+
return false;
|
|
581
|
+
}
|
|
582
|
+
generateRecommendations(violations, context) {
|
|
583
|
+
const recommendations = [];
|
|
584
|
+
if (context === "registration") {
|
|
585
|
+
if (violations.some((v) => v.includes("signature"))) {
|
|
586
|
+
recommendations.push("Enable server signature verification for production");
|
|
587
|
+
}
|
|
588
|
+
if (violations.some((v) => v.includes("shadowing"))) {
|
|
589
|
+
recommendations.push("Review tool names for potential shadowing attacks");
|
|
590
|
+
}
|
|
591
|
+
if (violations.some((v) => v.includes("oauth"))) {
|
|
592
|
+
recommendations.push("Configure OAuth domain allowlist");
|
|
593
|
+
}
|
|
594
|
+
if (violations.some((v) => v.includes("malicious"))) {
|
|
595
|
+
recommendations.push("Block suspicious servers and review server sources");
|
|
596
|
+
}
|
|
597
|
+
}
|
|
598
|
+
else {
|
|
599
|
+
if (violations.some((v) => v.includes("injection"))) {
|
|
600
|
+
recommendations.push("Sanitize tool parameters before execution");
|
|
601
|
+
}
|
|
602
|
+
if (violations.some((v) => v.includes("reputation"))) {
|
|
603
|
+
recommendations.push("Only use tools from high-reputation servers");
|
|
604
|
+
}
|
|
605
|
+
if (violations.some((v) => v.includes("not_registered"))) {
|
|
606
|
+
recommendations.push("Register tools before allowing execution");
|
|
607
|
+
}
|
|
608
|
+
}
|
|
609
|
+
if (recommendations.length === 0) {
|
|
610
|
+
recommendations.push(context === "registration"
|
|
611
|
+
? "Server registration validated successfully"
|
|
612
|
+
: "Tool call validated successfully");
|
|
613
|
+
}
|
|
614
|
+
return recommendations;
|
|
615
|
+
}
|
|
616
|
+
}
|
|
617
|
+
exports.MCPSecurityGuard = MCPSecurityGuard;
|
|
618
|
+
//# sourceMappingURL=mcp-security-guard.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"mcp-security-guard.js","sourceRoot":"","sources":["../../src/guards/mcp-security-guard.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,+CAAiC;AAuHjC,MAAa,gBAAgB;IAwD3B,YAAY,SAAiC,EAAE;QAtDvC,sBAAiB,GAAmC,IAAI,GAAG,EAAE,CAAC;QAC9D,oBAAe,GAAmC,IAAI,GAAG,EAAE,CAAC;QAC5D,qBAAgB,GAAwB,IAAI,GAAG,EAAE,CAAC;QAClD,iBAAY,GAAwB,IAAI,GAAG,EAAE,CAAC,CAAC,yBAAyB;QACxE,qBAAgB,GAAwB,IAAI,GAAG,EAAE,CAAC;QAE1D,kEAAkE;QACjD,+BAA0B,GAA+D;YACxG,0BAA0B;YAC1B,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,kCAAkC,EAAE,QAAQ,EAAE,EAAE,EAAE;YACtF,EAAE,IAAI,EAAE,sBAAsB,EAAE,OAAO,EAAE,0BAA0B,EAAE,QAAQ,EAAE,EAAE,EAAE;YACnF,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,0CAA0C,EAAE,QAAQ,EAAE,EAAE,EAAE;YAE7F,iBAAiB;YACjB,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,wBAAwB,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC3E,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,kCAAkC,EAAE,QAAQ,EAAE,EAAE,EAAE;YAEpF,4CAA4C;YAC5C,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,kCAAkC,EAAE,QAAQ,EAAE,EAAE,EAAE;YACtF,EAAE,IAAI,EAAE,uBAAuB,EAAE,OAAO,EAAE,+CAA+C,EAAE,QAAQ,EAAE,EAAE,EAAE;YAEzG,+CAA+C;YAC/C,EAAE,IAAI,EAAE,uBAAuB,EAAE,OAAO,EAAE,mDAAmD,EAAE,QAAQ,EAAE,EAAE,EAAE;YAE7G,kCAAkC;YAClC,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,2CAA2C,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC7F,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,8BAA8B,EAAE,QAAQ,EAAE,EAAE,EAAE;YAEpF,qBAAqB;YACrB,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,EAAE,EAAE;YAE9E,iCAAiC;YACjC,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,4BAA4B,EAAE,QAAQ,EAAE,EAAE,EAAE;SAC/E,CAAC;QAEF,4BAA4B;QACX,yBAAoB,GAAG;YACtC,2CAA2C;YAC3C,EAAE,UAAU,EAAE,aAAa,EAAE,UAAU,EAAE,uCAAuC,EAAE;YAClF,EAAE,UAAU,EAAE,gBAAgB,EAAE,UAAU,EAAE,0CAA0C,EAAE;YACxF,EAAE,UAAU,EAAE,cAAc,EAAE,UAAU,EAAE,uCAAuC,EAAE;YACnF,EAAE,UAAU,EAAE,YAAY,EAAE,UAAU,EAAE,iCAAiC,EAAE;YAC3E,EAAE,UAAU,EAAE,eAAe,EAAE,UAAU,EAAE,0CAA0C,EAAE;SACxF,CAAC;QAEF,4BAA4B;QACX,8BAAyB,GAAG;YAC3C,qBAAqB,EAAK,iCAAiC;YAC3D,aAAa;YACb,oCAAoC,EAAG,mBAAmB;YAC1D,wBAAwB;YACxB,qBAAqB;SACtB,CAAC;QAGA,IAAI,CAAC,MAAM,GAAG;YACZ,sBAAsB,EAAE,MAAM,CAAC,sBAAsB,IAAI,KAAK;YAC9D,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,EAAE;YAC3C,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,EAAE;YAC3C,wBAAwB,EAAE,MAAM,CAAC,wBAAwB,IAAI,IAAI;YACjE,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;YACzC,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;YACzC,sBAAsB,EAAE,MAAM,CAAC,sBAAsB,IAAI,IAAI;YAC7D,mBAAmB,EAAE,MAAM,CAAC,mBAAmB,IAAI,EAAE;YACrD,mBAAmB,EAAE,MAAM,CAAC,mBAAmB,IAAI,IAAI;YACvD,mBAAmB,EAAE,MAAM,CAAC,mBAAmB,IAAI,EAAE;YACrD,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,KAAK;YACtC,uBAAuB,EAAE,MAAM,CAAC,uBAAuB,IAAI,EAAE;SAC9D,CAAC;QAEF,+BAA+B;QAC/B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAChD,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE;gBAC1C,GAAG,MAAM;gBACT,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE;gBACxB,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,EAAE;aAC9C,CAAC,CAAC;YACH,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;QAC3E,CAAC;IACH,CAAC;IAED;;OAEG;IACH,0BAA0B,CACxB,YAAmC,EACnC,SAAkB;QAElB,MAAM,KAAK,GAAG,SAAS,IAAI,WAAW,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACnD,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,IAAI,cAAc,GAAG,KAAK,CAAC;QAC3B,IAAI,cAAc,GAAG,KAAK,CAAC;QAC3B,IAAI,WAAW,GAAG,KAAK,CAAC;QACxB,IAAI,YAAY,GAAG,IAAI,CAAC;QACxB,IAAI,eAAe,GAAG,EAAE,CAAC,CAAC,yBAAyB;QAEnD,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,YAAY,CAAC;QAEpE,6BAA6B;QAC7B,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACvD,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAClC,eAAe,GAAG,CAAC,CAAC;QACtB,CAAC;QAED,sCAAsC;QACtC,MAAM,cAAc,GAAG,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC;QAC3D,IAAI,cAAc,CAAC,UAAU,EAAE,CAAC;YAC9B,UAAU,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;YAC9C,eAAe,IAAI,EAAE,CAAC;QACxB,CAAC;QAED,sCAAsC;QACtC,IAAI,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,CAAC;YACvC,IAAI,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBACpC,UAAU,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YAC9C,CAAC;iBAAM,CAAC;gBACN,cAAc,GAAG,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;gBAC/D,IAAI,CAAC,cAAc,EAAE,CAAC;oBACpB,UAAU,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;oBAC5C,eAAe,IAAI,EAAE,CAAC;gBACxB,CAAC;qBAAM,CAAC;oBACN,cAAc,GAAG,IAAI,CAAC;oBACtB,eAAe,IAAI,EAAE,CAAC;gBACxB,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,4CAA4C;YAC5C,cAAc,GAAG,IAAI,CAAC;QACxB,CAAC;QAED,2BAA2B;QAC3B,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,CAAC;YACpC,MAAM,cAAc,GAAG,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YACxE,IAAI,cAAc,CAAC,QAAQ,EAAE,CAAC;gBAC5B,WAAW,GAAG,IAAI,CAAC;gBACnB,UAAU,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;gBAC9C,eAAe,IAAI,EAAE,CAAC;YACxB,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,iCAAiC;YACjC,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC3F,UAAU,CAAC,IAAI,CAAC,0BAA0B,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;gBACvD,YAAY,GAAG,KAAK,CAAC;YACvB,CAAC;YACD,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClD,UAAU,CAAC,IAAI,CAAC,iBAAiB,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC9C,YAAY,GAAG,KAAK,CAAC;YACvB,CAAC;YAED,0CAA0C;YAC1C,MAAM,aAAa,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC7D,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;gBAC3B,UAAU,CAAC,IAAI,CAAC,kCAAkC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC/D,eAAe,IAAI,EAAE,CAAC;YACxB,CAAC;QACH,CAAC;QAED,sCAAsC;QACtC,IAAI,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,CAAC;YAChD,MAAM,UAAU,GAAG,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACnD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;gBACtB,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;gBAC1C,eAAe,IAAI,EAAE,CAAC;YACxB,CAAC;QACH,CAAC;QAED,2CAA2C;QAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QACnC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;YACZ,UAAU,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACtC,CAAC;aAAM,IAAI,GAAG,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,YAAY;YAC5C,UAAU,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACxC,CAAC;QAED,oCAAoC;QACpC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,wBAAwB,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpF,UAAU,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QAED,yBAAyB;QACzB,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC,CAAC;QAC9D,MAAM,OAAO,GAAG,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC,mBAAmB;YAC/D,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC;YACjD,WAAW,CAAC;QAEd,6BAA6B;QAC7B,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;QACtD,CAAC;QAED,OAAO;YACL,OAAO,EAAE,CAAC,OAAO;YACjB,MAAM,EAAE,OAAO;gBACb,CAAC,CAAC,gCAAgC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBACrE,CAAC,CAAC,+BAA+B;YACnC,UAAU;YACV,UAAU,EAAE,KAAK;YACjB,eAAe,EAAE;gBACf,eAAe,EAAE,cAAc;gBAC/B,eAAe,EAAE,cAAc;gBAC/B,gBAAgB,EAAE,eAAe;gBACjC,YAAY,EAAE,WAAW;gBACzB,aAAa,EAAE,YAAY;aAC5B;YACD,eAAe,EAAE,IAAI,CAAC,uBAAuB,CAAC,UAAU,EAAE,cAAc,CAAC;SAC1E,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,gBAAgB,CACd,QAAqB,EACrB,SAAkB;QAElB,MAAM,KAAK,GAAG,SAAS,IAAI,YAAY,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACpD,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,IAAI,cAAc,GAAG,KAAK,CAAC;QAC3B,IAAI,WAAW,GAAG,IAAI,CAAC;QACvB,IAAI,cAAc,GAAG,IAAI,CAAC;QAC1B,IAAI,iBAAiB,GAAG,KAAK,CAAC;QAC9B,IAAI,SAAS,GAAG,KAAK,CAAC;QAEtB,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,QAAQ,CAAC;QAEpD,8BAA8B;QAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,IAAI,EAAE,CAAC;YACT,cAAc,GAAG,IAAI,CAAC;YACtB,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;YAEpC,4CAA4C;YAC5C,MAAM,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACvD,IAAI,cAAc,IAAI,cAAc,KAAK,QAAQ,EAAE,CAAC;gBAClD,UAAU,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;gBACxC,iBAAiB,GAAG,IAAI,CAAC,CAAC,iCAAiC;YAC7D,CAAC;QACH,CAAC;aAAM,CAAC;YACN,UAAU,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QACzC,CAAC;QAED,0BAA0B;QAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,IAAI,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,CAAC;YAChD,UAAU,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QAED,iCAAiC;QACjC,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1F,UAAU,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACzC,WAAW,GAAG,KAAK,CAAC;QACtB,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjD,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAChC,WAAW,GAAG,KAAK,CAAC;QACtB,CAAC;QAED,gCAAgC;QAChC,MAAM,UAAU,GAAG,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QACnD,IAAI,UAAU,CAAC,iBAAiB,EAAE,CAAC;YACjC,iBAAiB,GAAG,IAAI,CAAC;YACzB,cAAc,GAAG,KAAK,CAAC;YACvB,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;QAC5C,CAAC;QAED,sDAAsD;QACtD,IAAI,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,CAAC;YACnD,SAAS,GAAG,MAAM,CAAC;YACnB,IAAI,SAAS,GAAG,EAAE,EAAE,CAAC;gBACnB,UAAU,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,gCAAgC;QAChC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,iBAAiB,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,iBAAiB,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;YAE3E,qBAAqB;YACrB,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YAC7D,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;QACvF,CAAC;QAED,MAAM,OAAO,GAAG,CAAC,cAAc;YAC7B,CAAC,WAAW;YACZ,iBAAiB;YACjB,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAEpD,OAAO;YACL,OAAO,EAAE,CAAC,OAAO;YACjB,MAAM,EAAE,OAAO;gBACb,CAAC,CAAC,sBAAsB,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC3D,CAAC,CAAC,qBAAqB;YACzB,UAAU;YACV,UAAU,EAAE,KAAK;YACjB,aAAa,EAAE;gBACb,eAAe,EAAE,cAAc;gBAC/B,YAAY,EAAE,WAAW;gBACzB,eAAe,EAAE,cAAc;gBAC/B,kBAAkB,EAAE,iBAAiB;gBACrC,UAAU,EAAE,SAAS;aACtB;YACD,eAAe,EAAE;gBACf,eAAe,EAAE,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC;gBACrD,eAAe,EAAE,IAAI,EAAE,oCAAoC;gBAC3D,gBAAgB,EAAE,SAAS;gBAC3B,YAAY,EAAE,KAAK;gBACnB,aAAa,EAAE,WAAW;aAC3B;YACD,eAAe,EAAE,IAAI,CAAC,uBAAuB,CAAC,UAAU,EAAE,WAAW,CAAC;SACvE,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,qBAAqB,CAAC,MAAyB,EAAE,KAA0B;QACzE,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;IACzC,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,iBAAyB;QACnC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC5D,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACrD,CAAC;QACD,mCAAmC;QACnC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;QACjD,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,mBAAmB,CAAC,QAAgB;QAClC,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,sBAAsB,CAAC,QAAgB,EAAE,KAAa;QACpD,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC1D,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACnF,CAAC;IAED;;OAEG;IACH,oBAAoB;QAClB,OAAO,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,kBAAkB;QAChB,OAAO,CAAC,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,QAAgB;QAC9B,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAClD,IAAI,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,QAAQ,KAAK,SAAS,CAAC,UAAU,EAAE,CAAC;gBAC7E,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC;YAC/D,CAAC;QACH,CAAC;QACD,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IAC9B,CAAC;IAED;;OAEG;IACH,mBAAmB,CAAC,QAAgB;QAClC,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,qBAAqB,CAAC,QAAgB;QACpC,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;IAED,kBAAkB;IAEV,cAAc,CAAC,MAAyB,EAAE,KAA0B,EAAE,UAAkB;QAC9F,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE;YAC1C,GAAG,MAAM;YACT,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE;YACxB,eAAe,EAAE,UAAU;SAC5B,CAAC,CAAC;QACH,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QAEvD,iBAAiB;QACjB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YAC1C,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAEO,eAAe,CAAC,QAAgB,EAAE,UAAmB;QAC3D,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YACjD,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAC/E,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;gBACvC,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,UAAU,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;oBACnE,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,iCAAiC;YACnC,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,eAAe,CAAC,QAAgB;QACtC,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;IACzE,CAAC;IAEO,sBAAsB,CAAC,MAAyB;QAItD,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,GAAG,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC,EAAE,CAAC;QAE9F,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,yBAAyB,EAAE,CAAC;YACrD,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3B,UAAU,CAAC,IAAI,CAAC,sBAAsB,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;QAED,OAAO;YACL,UAAU,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC;YACjC,UAAU;SACX,CAAC;IACJ,CAAC;IAEO,qBAAqB,CAAC,MAAyB,EAAE,SAAiB;QACxE,IAAI,CAAC,MAAM,CAAC,SAAS;YAAE,OAAO,KAAK,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC1B,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,OAAO,EAAE,MAAM,CAAC,OAAO;aACxB,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAC7C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACpB,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAEO,mBAAmB,CAAC,KAA0B,EAAE,QAAgB;QAItE,MAAM,UAAU,GAAa,EAAE,CAAC;QAEhC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,kEAAkE;YAClE,MAAM,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACxD,IAAI,cAAc,IAAI,cAAc,KAAK,QAAQ,EAAE,CAAC;gBAClD,UAAU,CAAC,IAAI,CAAC,mBAAmB,IAAI,CAAC,IAAI,2BAA2B,cAAc,GAAG,CAAC,CAAC;YAC5F,CAAC;YAED,qCAAqC;YACrC,MAAM,WAAW,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpD,IAAI,WAAW,CAAC,SAAS,EAAE,CAAC;gBAC1B,UAAU,CAAC,IAAI,CAAC,yBAAyB,IAAI,CAAC,IAAI,gBAAgB,WAAW,CAAC,UAAU,GAAG,CAAC,CAAC;YAC/F,CAAC;QACH,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC;YAC/B,UAAU;SACX,CAAC;IACJ,CAAC;IAEO,mBAAmB,CAAC,KAI3B;QACC,MAAM,UAAU,GAAa,EAAE,CAAC;QAEhC,6DAA6D;QAC7D,IAAI,KAAK,CAAC,qBAAqB,EAAE,CAAC;YAChC,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;YACpE,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;gBACvB,UAAU,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;YAC5D,CAAC;YAED,yBAAyB;YACzB,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/C,IAAI,CAAC;oBACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;oBACjD,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,IAAI,CACxD,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAChC,CAAC;oBACF,IAAI,CAAC,aAAa,EAAE,CAAC;wBACnB,UAAU,CAAC,IAAI,CAAC,6BAA6B,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;oBAC/D,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,UAAU,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;gBACrD,CAAC;YACH,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,IAAI,KAAK,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;YAC5D,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;gBACvB,UAAU,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QAED,OAAO;YACL,KAAK,EAAE,UAAU,CAAC,MAAM,KAAK,CAAC;YAC9B,UAAU;SACX,CAAC;IACJ,CAAC;IAEO,eAAe,CAAC,KAAa;QACnC,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,MAAM,WAAW,GAAG,CAAC,GAAG,IAAI,CAAC,0BAA0B,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC7G,IAAI,EAAE,UAAU,CAAC,EAAE;gBACnB,OAAO,EAAE,CAAC;gBACV,QAAQ,EAAE,EAAE;aACb,CAAC,CAAC,CAAC,CAAC;QAEL,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,WAAW,EAAE,CAAC;YAC5C,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC;YAC7B,QAAQ;SACT,CAAC;IACJ,CAAC;IAEO,cAAc,CAAC,UAA+B;QAIpD,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAE5C,kDAAkD;QAClD,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QACjD,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;YACvB,UAAU,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5E,CAAC;QAED,uEAAuE;QACvE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YACtD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;gBACtD,UAAU,CAAC,IAAI,CAAC,wBAAwB,GAAG,EAAE,CAAC,CAAC;YACjD,CAAC;QACH,CAAC;QAED,4BAA4B;QAC5B,MAAM,cAAc,GAAG,CAAC,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QACjF,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YAC1C,IAAI,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBAC/C,UAAU,CAAC,IAAI,CAAC,6BAA6B,GAAG,EAAE,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;QAED,OAAO;YACL,iBAAiB,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC;YACxC,UAAU;SACX,CAAC;IACJ,CAAC;IAEO,mBAAmB,CAAC,QAAgB,EAAE,UAA+B;QAC3E,MAAM,aAAa,GAAG;YACpB,cAAc,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM;YACnD,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,iBAAiB;YAChE,YAAY,EAAE,cAAc,EAAE,gBAAgB;YAC9C,oBAAoB,EAAE,aAAa,EAAE,aAAa;SACnD,CAAC;QAEF,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;QACzC,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,4CAA4C;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;QAC1D,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;YACxD,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,uBAAuB,CAAC,UAAoB,EAAE,OAAqC;QACzF,MAAM,eAAe,GAAa,EAAE,CAAC;QAErC,IAAI,OAAO,KAAK,cAAc,EAAE,CAAC;YAC/B,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;gBACpD,eAAe,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YAC9E,CAAC;YACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;gBACpD,eAAe,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAChD,eAAe,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;YAC3D,CAAC;YACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;gBACpD,eAAe,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;YAC7E,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;gBACpD,eAAe,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;YACpE,CAAC;YACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;gBACrD,eAAe,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;YACtE,CAAC;YACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,EAAE,CAAC;gBACzD,eAAe,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;YACnE,CAAC;QACH,CAAC;QAED,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,eAAe,CAAC,IAAI,CAAC,OAAO,KAAK,cAAc;gBAC7C,CAAC,CAAC,4CAA4C;gBAC9C,CAAC,CAAC,kCAAkC,CACrC,CAAC;QACJ,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;CACF;AA3oBD,4CA2oBC"}
|