llm-trust-guard 4.0.0

package/dist/guards/output-filter.d.ts

@@ -0,0 +1,76 @@
+/**
+ * L7: Output Filter
+ *
+ * Prevents sensitive data leakage by:
+ * - Detecting and masking PII (emails, phone numbers, SSN, credit cards)
+ * - Filtering sensitive fields from responses
+ * - Blocking responses that contain secrets or credentials
+ * - Applying role-based output filtering
+ */
+export interface OutputFilterConfig {
+    detectPII?: boolean;
+    piiPatterns?: PIIPattern[];
+    sensitiveFields?: string[];
+    detectSecrets?: boolean;
+    secretPatterns?: SecretPattern[];
+    roleFilters?: Record<string, string[]>;
+    maskingChar?: string;
+    preserveLength?: boolean;
+}
+export interface PIIPattern {
+    name: string;
+    pattern: RegExp;
+    maskAs?: string;
+}
+export interface SecretPattern {
+    name: string;
+    pattern: RegExp;
+    severity: "low" | "medium" | "high" | "critical";
+}
+export interface OutputFilterResult {
+    allowed: boolean;
+    reason?: string;
+    violations: string[];
+    pii_detected: PIIDetection[];
+    secrets_detected: SecretDetection[];
+    filtered_fields: string[];
+    original_response?: any;
+    filtered_response?: any;
+    blocking_reason?: string;
+}
+export interface PIIDetection {
+    type: string;
+    count: number;
+    masked: boolean;
+    locations: string[];
+}
+export interface SecretDetection {
+    type: string;
+    severity: string;
+    blocked: boolean;
+    location: string;
+}
+export declare class OutputFilter {
+    private config;
+    private defaultPIIPatterns;
+    private defaultSecretPatterns;
+    private defaultSensitiveFields;
+    constructor(config?: OutputFilterConfig);
+    /**
+     * Filter output and detect sensitive data
+     */
+    filter(output: any, role?: string, requestId?: string): OutputFilterResult;
+    /**
+     * Quick check if output contains any sensitive data
+     */
+    containsSensitiveData(output: any): boolean;
+    /**
+     * Mask a specific value
+     */
+    mask(value: string, type?: string): string;
+    private filterObject;
+    private maskPIIInString;
+    private generateMask;
+    private findLocations;
+}
+//# sourceMappingURL=output-filter.d.ts.map

package/dist/guards/output-filter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-filter.d.ts","sourceRoot":"","sources":["../../src/guards/output-filter.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,WAAW,kBAAkB;IAEjC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAE3B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAE3B,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,cAAc,CAAC,EAAE,aAAa,EAAE,CAAC;IAEjC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAEvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;CAClD;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,YAAY,EAAE,YAAY,EAAE,CAAC;IAC7B,gBAAgB,EAAE,eAAe,EAAE,CAAC;IACpC,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,iBAAiB,CAAC,EAAE,GAAG,CAAC;IACxB,iBAAiB,CAAC,EAAE,GAAG,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,OAAO,CAAC;IAChB,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,kBAAkB,CAyCxB;IAEF,OAAO,CAAC,qBAAqB,CAyC3B;IAEF,OAAO,CAAC,sBAAsB,CAoB5B;gBAEU,MAAM,GAAE,kBAAuB;IAa3C;;OAEG;IACH,MAAM,CACJ,MAAM,EAAE,GAAG,EACX,IAAI,CAAC,EAAE,MAAM,EACb,SAAS,GAAE,MAAW,GACrB,kBAAkB;IA0FrB;;OAEG;IACH,qBAAqB,CAAC,MAAM,EAAE,GAAG,GAAG,OAAO;IAS3C;;OAEG;IACH,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM;IAQ1C,OAAO,CAAC,YAAY;IAuDpB,OAAO,CAAC,eAAe;IAiBvB,OAAO,CAAC,YAAY;IAOpB,OAAO,CAAC,aAAa;CAUtB"}

package/dist/guards/output-filter.js

@@ -0,0 +1,289 @@
+"use strict";
+/**
+ * L7: Output Filter
+ *
+ * Prevents sensitive data leakage by:
+ * - Detecting and masking PII (emails, phone numbers, SSN, credit cards)
+ * - Filtering sensitive fields from responses
+ * - Blocking responses that contain secrets or credentials
+ * - Applying role-based output filtering
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OutputFilter = void 0;
+class OutputFilter {
+    constructor(config = {}) {
+        this.defaultPIIPatterns = [
+            {
+                name: "email",
+                pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
+                maskAs: "[EMAIL]",
+            },
+            {
+                name: "phone_us",
+                pattern: /\b(?:\+1[-.\s]?)?(?:\(?\d{3}\)?[-.\s]?)?\d{3}[-.\s]?\d{4}\b/g,
+                maskAs: "[PHONE]",
+            },
+            {
+                name: "ssn",
+                pattern: /\b\d{3}[-.\s]?\d{2}[-.\s]?\d{4}\b/g,
+                maskAs: "[SSN]",
+            },
+            {
+                name: "credit_card",
+                pattern: /\b(?:\d{4}[-.\s]?){3}\d{4}\b/g,
+                maskAs: "[CREDIT_CARD]",
+            },
+            {
+                name: "ip_address",
+                pattern: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
+                maskAs: "[IP_ADDRESS]",
+            },
+            {
+                name: "date_of_birth",
+                pattern: /\b(?:0?[1-9]|1[0-2])[\/\-](?:0?[1-9]|[12]\d|3[01])[\/\-](?:19|20)\d{2}\b/g,
+                maskAs: "[DOB]",
+            },
+            {
+                name: "passport",
+                pattern: /\b[A-Z]{1,2}\d{6,9}\b/g,
+                maskAs: "[PASSPORT]",
+            },
+            {
+                name: "bank_account",
+                pattern: /\b\d{8,17}\b/g,
+                maskAs: "[BANK_ACCOUNT]",
+            },
+        ];
+        this.defaultSecretPatterns = [
+            {
+                name: "api_key",
+                pattern: /(?:api[_-]?key|apikey)[=:\s]["']?[A-Za-z0-9_\-]{20,}["']?/gi,
+                severity: "critical",
+            },
+            {
+                name: "aws_secret",
+                pattern: /(?:aws[_-]?secret|secret[_-]?key)[=:\s]["']?[A-Za-z0-9\/+=]{40}["']?/gi,
+                severity: "critical",
+            },
+            {
+                name: "password",
+                pattern: /(?:password|passwd|pwd)[=:\s]["']?[^\s"']{8,}["']?/gi,
+                severity: "critical",
+            },
+            {
+                name: "private_key",
+                pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/g,
+                severity: "critical",
+            },
+            {
+                name: "jwt_token",
+                pattern: /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,
+                severity: "high",
+            },
+            {
+                name: "bearer_token",
+                pattern: /Bearer\s+[A-Za-z0-9_\-\.]+/gi,
+                severity: "high",
+            },
+            {
+                name: "database_url",
+                pattern: /(?:mongodb|mysql|postgres|redis):\/\/[^\s]+/gi,
+                severity: "critical",
+            },
+            {
+                name: "github_token",
+                pattern: /gh[pousr]_[A-Za-z0-9_]{36,}/g,
+                severity: "critical",
+            },
+        ];
+        this.defaultSensitiveFields = [
+            "password",
+            "secret",
+            "token",
+            "api_key",
+            "apiKey",
+            "private_key",
+            "privateKey",
+            "ssn",
+            "social_security",
+            "credit_card",
+            "creditCard",
+            "card_number",
+            "cardNumber",
+            "cvv",
+            "pin",
+            "account_number",
+            "accountNumber",
+            "routing_number",
+            "routingNumber",
+        ];
+        this.config = {
+            detectPII: config.detectPII ?? true,
+            piiPatterns: config.piiPatterns ?? this.defaultPIIPatterns,
+            sensitiveFields: config.sensitiveFields ?? this.defaultSensitiveFields,
+            detectSecrets: config.detectSecrets ?? true,
+            secretPatterns: config.secretPatterns ?? this.defaultSecretPatterns,
+            roleFilters: config.roleFilters ?? {},
+            maskingChar: config.maskingChar ?? "*",
+            preserveLength: config.preserveLength ?? false,
+        };
+    }
+    /**
+     * Filter output and detect sensitive data
+     */
+    filter(output, role, requestId = "") {
+        const violations = [];
+        const piiDetections = [];
+        const secretDetections = [];
+        const filteredFields = [];
+        let blockingReason;
+        // Convert to string for pattern matching
+        const outputStr = typeof output === "string" ? output : JSON.stringify(output);
+        // Detect PII
+        if (this.config.detectPII) {
+            for (const pattern of this.config.piiPatterns) {
+                const matches = outputStr.match(pattern.pattern);
+                if (matches && matches.length > 0) {
+                    piiDetections.push({
+                        type: pattern.name,
+                        count: matches.length,
+                        masked: true,
+                        locations: this.findLocations(outputStr, pattern.pattern),
+                    });
+                    violations.push(`PII_DETECTED_${pattern.name.toUpperCase()}`);
+                }
+            }
+        }
+        // Detect secrets
+        if (this.config.detectSecrets) {
+            for (const pattern of this.config.secretPatterns) {
+                const matches = outputStr.match(pattern.pattern);
+                if (matches && matches.length > 0) {
+                    secretDetections.push({
+                        type: pattern.name,
+                        severity: pattern.severity,
+                        blocked: pattern.severity === "critical",
+                        location: "response",
+                    });
+                    violations.push(`SECRET_DETECTED_${pattern.name.toUpperCase()}`);
+                    // Block critical secrets
+                    if (pattern.severity === "critical") {
+                        blockingReason = `Critical secret detected: ${pattern.name}`;
+                    }
+                }
+            }
+        }
+        // Filter output
+        let filteredOutput = typeof output === "string" ? output : JSON.parse(JSON.stringify(output));
+        // Mask PII in output
+        if (this.config.detectPII && typeof filteredOutput === "string") {
+            for (const pattern of this.config.piiPatterns) {
+                filteredOutput = filteredOutput.replace(pattern.pattern, pattern.maskAs || this.generateMask(8));
+            }
+        }
+        else if (typeof filteredOutput === "object" && filteredOutput !== null) {
+            filteredOutput = this.filterObject(filteredOutput, role, filteredFields, piiDetections);
+        }
+        // Determine if blocked
+        const hasBlockingSecrets = secretDetections.some((s) => s.blocked);
+        const allowed = !hasBlockingSecrets;
+        if (!allowed) {
+            console.log(`[OutputFilter:${requestId}] BLOCKED: ${blockingReason}`);
+        }
+        return {
+            allowed,
+            reason: allowed ? undefined : blockingReason,
+            violations,
+            pii_detected: piiDetections,
+            secrets_detected: secretDetections,
+            filtered_fields: filteredFields,
+            original_response: output,
+            filtered_response: filteredOutput,
+            blocking_reason: blockingReason,
+        };
+    }
+    /**
+     * Quick check if output contains any sensitive data
+     */
+    containsSensitiveData(output) {
+        const result = this.filter(output);
+        return (result.pii_detected.length > 0 ||
+            result.secrets_detected.length > 0 ||
+            result.filtered_fields.length > 0);
+    }
+    /**
+     * Mask a specific value
+     */
+    mask(value, type) {
+        const piiPattern = this.config.piiPatterns?.find((p) => p.name === type);
+        if (piiPattern?.maskAs) {
+            return piiPattern.maskAs;
+        }
+        return this.generateMask(value.length);
+    }
+    filterObject(obj, role, filteredFields, piiDetections) {
+        if (Array.isArray(obj)) {
+            return obj.map((item) => this.filterObject(item, role, filteredFields, piiDetections));
+        }
+        if (typeof obj !== "object" || obj === null) {
+            // Check for PII in string values
+            if (typeof obj === "string") {
+                return this.maskPIIInString(obj, piiDetections);
+            }
+            return obj;
+        }
+        const result = {};
+        const roleSpecificFilter = role ? this.config.roleFilters?.[role] : undefined;
+        for (const [key, value] of Object.entries(obj)) {
+            // Check if field should be filtered
+            const lowerKey = key.toLowerCase();
+            const isSensitive = this.config.sensitiveFields?.some((f) => lowerKey.includes(f.toLowerCase()));
+            const isRoleFiltered = roleSpecificFilter?.includes(key);
+            if (isSensitive || isRoleFiltered) {
+                filteredFields.push(key);
+                result[key] = "[FILTERED]";
+                continue;
+            }
+            // Recursively filter nested objects
+            if (typeof value === "object" && value !== null) {
+                result[key] = this.filterObject(value, role, filteredFields, piiDetections);
+            }
+            else if (typeof value === "string") {
+                result[key] = this.maskPIIInString(value, piiDetections);
+            }
+            else {
+                result[key] = value;
+            }
+        }
+        return result;
+    }
+    maskPIIInString(str, piiDetections) {
+        let result = str;
+        for (const pattern of this.config.piiPatterns) {
+            const matches = result.match(pattern.pattern);
+            if (matches && matches.length > 0) {
+                result = result.replace(pattern.pattern, pattern.maskAs || this.generateMask(8));
+            }
+        }
+        return result;
+    }
+    generateMask(length) {
+        if (this.config.preserveLength) {
+            return this.config.maskingChar.repeat(length);
+        }
+        return this.config.maskingChar.repeat(8);
+    }
+    findLocations(text, pattern) {
+        const locations = [];
+        let match;
+        const regex = new RegExp(pattern.source, pattern.flags);
+        while ((match = regex.exec(text)) !== null) {
+            locations.push(`index:${match.index}`);
+            if (!pattern.flags.includes("g"))
+                break;
+        }
+        return locations;
+    }
+}
+exports.OutputFilter = OutputFilter;
+//# sourceMappingURL=output-filter.js.map

package/dist/guards/output-filter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-filter.js","sourceRoot":"","sources":["../../src/guards/output-filter.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAwDH,MAAa,YAAY;IA8GvB,YAAY,SAA6B,EAAE;QA5GnC,uBAAkB,GAAiB;YACzC;gBACE,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,qDAAqD;gBAC9D,MAAM,EAAE,SAAS;aAClB;YACD;gBACE,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,8DAA8D;gBACvE,MAAM,EAAE,SAAS;aAClB;YACD;gBACE,IAAI,EAAE,KAAK;gBACX,OAAO,EAAE,oCAAoC;gBAC7C,MAAM,EAAE,OAAO;aAChB;YACD;gBACE,IAAI,EAAE,aAAa;gBACnB,OAAO,EAAE,+BAA+B;gBACxC,MAAM,EAAE,eAAe;aACxB;YACD;gBACE,IAAI,EAAE,YAAY;gBAClB,OAAO,EAAE,8BAA8B;gBACvC,MAAM,EAAE,cAAc;aACvB;YACD;gBACE,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,2EAA2E;gBACpF,MAAM,EAAE,OAAO;aAChB;YACD;gBACE,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,wBAAwB;gBACjC,MAAM,EAAE,YAAY;aACrB;YACD;gBACE,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,eAAe;gBACxB,MAAM,EAAE,gBAAgB;aACzB;SACF,CAAC;QAEM,0BAAqB,GAAoB;YAC/C;gBACE,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,6DAA6D;gBACtE,QAAQ,EAAE,UAAU;aACrB;YACD;gBACE,IAAI,EAAE,YAAY;gBAClB,OAAO,EAAE,wEAAwE;gBACjF,QAAQ,EAAE,UAAU;aACrB;YACD;gBACE,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,sDAAsD;gBAC/D,QAAQ,EAAE,UAAU;aACrB;YACD;gBACE,IAAI,EAAE,aAAa;gBACnB,OAAO,EAAE,gDAAgD;gBACzD,QAAQ,EAAE,UAAU;aACrB;YACD;gBACE,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,uDAAuD;gBAChE,QAAQ,EAAE,MAAM;aACjB;YACD;gBACE,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,8BAA8B;gBACvC,QAAQ,EAAE,MAAM;aACjB;YACD;gBACE,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,+CAA+C;gBACxD,QAAQ,EAAE,UAAU;aACrB;YACD;gBACE,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,8BAA8B;gBACvC,QAAQ,EAAE,UAAU;aACrB;SACF,CAAC;QAEM,2BAAsB,GAAa;YACzC,UAAU;YACV,QAAQ;YACR,OAAO;YACP,SAAS;YACT,QAAQ;YACR,aAAa;YACb,YAAY;YACZ,KAAK;YACL,iBAAiB;YACjB,aAAa;YACb,YAAY;YACZ,aAAa;YACb,YAAY;YACZ,KAAK;YACL,KAAK;YACL,gBAAgB;YAChB,eAAe;YACf,gBAAgB;YAChB,eAAe;SAChB,CAAC;QAGA,IAAI,CAAC,MAAM,GAAG;YACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI;YACnC,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,kBAAkB;YAC1D,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,IAAI,CAAC,sBAAsB;YACtE,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,IAAI;YAC3C,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,IAAI,CAAC,qBAAqB;YACnE,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,EAAE;YACrC,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,GAAG;YACtC,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,KAAK;SAC/C,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,MAAM,CACJ,MAAW,EACX,IAAa,EACb,YAAoB,EAAE;QAEtB,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,MAAM,aAAa,GAAmB,EAAE,CAAC;QACzC,MAAM,gBAAgB,GAAsB,EAAE,CAAC;QAC/C,MAAM,cAAc,GAAa,EAAE,CAAC;QACpC,IAAI,cAAkC,CAAC;QAEvC,yCAAyC;QACzC,MAAM,SAAS,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAE/E,aAAa;QACb,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC1B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,WAAY,EAAE,CAAC;gBAC/C,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;gBACjD,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAClC,aAAa,CAAC,IAAI,CAAC;wBACjB,IAAI,EAAE,OAAO,CAAC,IAAI;wBAClB,KAAK,EAAE,OAAO,CAAC,MAAM;wBACrB,MAAM,EAAE,IAAI;wBACZ,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC;qBAC1D,CAAC,CAAC;oBACH,UAAU,CAAC,IAAI,CAAC,gBAAgB,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;gBAChE,CAAC;YACH,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC9B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,cAAe,EAAE,CAAC;gBAClD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;gBACjD,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAClC,gBAAgB,CAAC,IAAI,CAAC;wBACpB,IAAI,EAAE,OAAO,CAAC,IAAI;wBAClB,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,OAAO,EAAE,OAAO,CAAC,QAAQ,KAAK,UAAU;wBACxC,QAAQ,EAAE,UAAU;qBACrB,CAAC,CAAC;oBACH,UAAU,CAAC,IAAI,CAAC,mBAAmB,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;oBAEjE,yBAAyB;oBACzB,IAAI,OAAO,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;wBACpC,cAAc,GAAG,6BAA6B,OAAO,CAAC,IAAI,EAAE,CAAC;oBAC/D,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,gBAAgB;QAChB,IAAI,cAAc,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAE9F,qBAAqB;QACrB,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,cAAc,KAAK,QAAQ,EAAE,CAAC;YAChE,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,WAAY,EAAE,CAAC;gBAC/C,cAAc,GAAG,cAAc,CAAC,OAAO,CACrC,OAAO,CAAC,OAAO,EACf,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CACvC,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,IAAI,OAAO,cAAc,KAAK,QAAQ,IAAI,cAAc,KAAK,IAAI,EAAE,CAAC;YACzE,cAAc,GAAG,IAAI,CAAC,YAAY,CAChC,cAAc,EACd,IAAI,EACJ,cAAc,EACd,aAAa,CACd,CAAC;QACJ,CAAC;QAED,uBAAuB;QACvB,MAAM,kBAAkB,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QACnE,MAAM,OAAO,GAAG,CAAC,kBAAkB,CAAC;QAEpC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CACT,iBAAiB,SAAS,cAAc,cAAc,EAAE,CACzD,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO;YACP,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,cAAc;YAC5C,UAAU;YACV,YAAY,EAAE,aAAa;YAC3B,gBAAgB,EAAE,gBAAgB;YAClC,eAAe,EAAE,cAAc;YAC/B,iBAAiB,EAAE,MAAM;YACzB,iBAAiB,EAAE,cAAc;YACjC,eAAe,EAAE,cAAc;SAChC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,qBAAqB,CAAC,MAAW;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACnC,OAAO,CACL,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC;YAC9B,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC;YAClC,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,CAClC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,IAAI,CAAC,KAAa,EAAE,IAAa;QAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;QACzE,IAAI,UAAU,EAAE,MAAM,EAAE,CAAC;YACvB,OAAO,UAAU,CAAC,MAAM,CAAC;QAC3B,CAAC;QACD,OAAO,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAEO,YAAY,CAClB,GAAQ,EACR,IAAwB,EACxB,cAAwB,EACxB,aAA6B;QAE7B,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CACtB,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,EAAE,aAAa,CAAC,CAC7D,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YAC5C,iCAAiC;YACjC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,OAAO,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;YAClD,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,MAAM,MAAM,GAAwB,EAAE,CAAC;QACvC,MAAM,kBAAkB,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAE9E,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/C,oCAAoC;YACpC,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YACnC,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,IAAI,CACnD,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAC1C,CAAC;YACF,MAAM,cAAc,GAAG,kBAAkB,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC;YAEzD,IAAI,WAAW,IAAI,cAAc,EAAE,CAAC;gBAClC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACzB,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;gBAC3B,SAAS;YACX,CAAC;YAED,oCAAoC;YACpC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;gBAChD,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,YAAY,CAC7B,KAAK,EACL,IAAI,EACJ,cAAc,EACd,aAAa,CACd,CAAC;YACJ,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACrC,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;YAC3D,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACtB,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,eAAe,CACrB,GAAW,EACX,aAA6B;QAE7B,IAAI,MAAM,GAAG,GAAG,CAAC;QACjB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,WAAY,EAAE,CAAC;YAC/C,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAC9C,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClC,MAAM,GAAG,MAAM,CAAC,OAAO,CACrB,OAAO,CAAC,OAAO,EACf,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CACvC,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,YAAY,CAAC,MAAc;QACjC,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,MAAM,CAAC,WAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,WAAY,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC;IAEO,aAAa,CAAC,IAAY,EAAE,OAAe;QACjD,MAAM,SAAS,GAAa,EAAE,CAAC;QAC/B,IAAI,KAAK,CAAC;QACV,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC3C,SAAS,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACvC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,MAAM;QAC1C,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;CACF;AA5UD,oCA4UC"}

package/dist/guards/policy-gate.d.ts

@@ -0,0 +1,57 @@
+/**
+ * L3 Policy Gate
+ *
+ * Enforces role-based access control with constraint validation.
+ * The definitive layer for authorization decisions.
+ */
+import { SessionContext, ToolDefinition, PolicyGateResult, Role } from "../types";
+export interface PolicyGateConfig {
+    roleHierarchy?: Record<Role, number>;
+    toolPermissions?: Map<string, {
+        roles: Role[];
+        constraints?: Record<Role, any>;
+    }>;
+}
+export declare class PolicyGate {
+    private roleHierarchy;
+    private toolPermissions;
+    constructor(config?: PolicyGateConfig);
+    /**
+     * Validate session is authentic
+     */
+    validateSession(session: SessionContext | undefined, requestId?: string): {
+        valid: boolean;
+        error?: string;
+    };
+    /**
+     * Detect role tampering (claimed vs session role)
+     */
+    detectRoleTampering(session: SessionContext, claimedRole: Role | undefined): {
+        tampered: boolean;
+        actual: Role;
+        claimed?: Role;
+    };
+    /**
+     * Check tool access for a session
+     */
+    checkToolAccess(tool: ToolDefinition, session: SessionContext, requestId?: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /**
+     * Check constraints for a tool call
+     */
+    checkConstraints(tool: ToolDefinition, params: Record<string, any>, session: SessionContext, requestId?: string): {
+        valid: boolean;
+        violations: string[];
+    };
+    /**
+     * Complete policy check
+     */
+    check(tool: ToolDefinition, params: Record<string, any>, session: SessionContext | undefined, claimedRole: Role | undefined, requestId?: string): PolicyGateResult;
+    /**
+     * Set role hierarchy
+     */
+    setRoleHierarchy(hierarchy: Record<Role, number>): void;
+}
+//# sourceMappingURL=policy-gate.d.ts.map

package/dist/guards/policy-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-gate.d.ts","sourceRoot":"","sources":["../../src/guards/policy-gate.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAElF,MAAM,WAAW,gBAAgB;IAC/B,aAAa,CAAC,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACrC,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;KAAE,CAAC,CAAC;CACnF;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,eAAe,CAAkE;gBAE7E,MAAM,GAAE,gBAAqB;IAKzC;;OAEG;IACH,eAAe,CACb,OAAO,EAAE,cAAc,GAAG,SAAS,EACnC,SAAS,GAAE,MAAW,GACrB;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAmBrC;;OAEG;IACH,mBAAmB,CACjB,OAAO,EAAE,cAAc,EACvB,WAAW,EAAE,IAAI,GAAG,SAAS,GAC5B;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,IAAI,CAAC;QAAC,OAAO,CAAC,EAAE,IAAI,CAAA;KAAE;IAYtD;;OAEG;IACH,eAAe,CACb,IAAI,EAAE,cAAc,EACpB,OAAO,EAAE,cAAc,EACvB,SAAS,GAAE,MAAW,GACrB;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IA6BxC;;OAEG;IACH,gBAAgB,CACd,IAAI,EAAE,cAAc,EACpB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,OAAO,EAAE,cAAc,EACvB,SAAS,GAAE,MAAW,GACrB;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,UAAU,EAAE,MAAM,EAAE,CAAA;KAAE;IA6C3C;;OAEG;IACH,KAAK,CACH,IAAI,EAAE,cAAc,EACpB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,OAAO,EAAE,cAAc,GAAG,SAAS,EACnC,WAAW,EAAE,IAAI,GAAG,SAAS,EAC7B,SAAS,GAAE,MAAW,GACrB,gBAAgB;IAgEnB;;OAEG;IACH,gBAAgB,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,GAAG,IAAI;CAGxD"}

package/dist/guards/policy-gate.js

@@ -0,0 +1,182 @@
+"use strict";
+/**
+ * L3 Policy Gate
+ *
+ * Enforces role-based access control with constraint validation.
+ * The definitive layer for authorization decisions.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicyGate = void 0;
+class PolicyGate {
+    constructor(config = {}) {
+        this.roleHierarchy = config.roleHierarchy || {};
+        this.toolPermissions = config.toolPermissions || new Map();
+    }
+    /**
+     * Validate session is authentic
+     */
+    validateSession(session, requestId = "") {
+        if (!session) {
+            if (requestId)
+                console.log(`[L3:${requestId}] BLOCKED: No session`);
+            return { valid: false, error: "Missing session context" };
+        }
+        if (!session.authenticated) {
+            if (requestId)
+                console.log(`[L3:${requestId}] BLOCKED: Not authenticated`);
+            return { valid: false, error: "Session not authenticated" };
+        }
+        if (!session.role) {
+            if (requestId)
+                console.log(`[L3:${requestId}] BLOCKED: No role in session`);
+            return { valid: false, error: "Missing role in session" };
+        }
+        return { valid: true };
+    }
+    /**
+     * Detect role tampering (claimed vs session role)
+     */
+    detectRoleTampering(session, claimedRole) {
+        if (!claimedRole) {
+            return { tampered: false, actual: session.role };
+        }
+        if (claimedRole !== session.role) {
+            return { tampered: true, actual: session.role, claimed: claimedRole };
+        }
+        return { tampered: false, actual: session.role };
+    }
+    /**
+     * Check tool access for a session
+     */
+    checkToolAccess(tool, session, requestId = "") {
+        // If tool has no role restrictions, allow
+        if (!tool.roles || tool.roles.length === 0) {
+            return { allowed: true };
+        }
+        // Check if session role is in allowed roles
+        if (!tool.roles.includes(session.role)) {
+            // Check hierarchy if defined
+            const sessionRoleLevel = this.roleHierarchy[session.role] ?? -1;
+            const hasHigherRole = tool.roles.some((r) => {
+                const requiredLevel = this.roleHierarchy[r] ?? -1;
+                return sessionRoleLevel >= requiredLevel && requiredLevel >= 0;
+            });
+            if (!hasHigherRole) {
+                if (requestId) {
+                    console.log(`[L3:${requestId}] BLOCKED: Role '${session.role}' cannot use '${tool.name}'`);
+                }
+                return {
+                    allowed: false,
+                    reason: `Role '${session.role}' is not authorized for tool '${tool.name}'`,
+                };
+            }
+        }
+        return { allowed: true };
+    }
+    /**
+     * Check constraints for a tool call
+     */
+    checkConstraints(tool, params, session, requestId = "") {
+        const violations = [];
+        if (!tool.constraints) {
+            return { valid: true, violations: [] };
+        }
+        const roleConstraints = tool.constraints[session.role];
+        if (!roleConstraints) {
+            return { valid: true, violations: [] };
+        }
+        // Check max_amount
+        if (roleConstraints.max_amount !== undefined) {
+            const amount = params.amount || params.total_amount;
+            if (amount && amount > roleConstraints.max_amount) {
+                violations.push(`Amount ${amount} exceeds limit of ${roleConstraints.max_amount} for role '${session.role}'`);
+                if (requestId) {
+                    console.log(`[L3:${requestId}] CONSTRAINT: Amount exceeds limit`);
+                }
+            }
+        }
+        // Check require_approval
+        if (roleConstraints.require_approval && !params.approval_id) {
+            violations.push(`Tool '${tool.name}' requires approval for role '${session.role}'`);
+            if (requestId) {
+                console.log(`[L3:${requestId}] CONSTRAINT: Requires approval`);
+            }
+        }
+        // Check allowed_values
+        if (roleConstraints.allowed_values) {
+            for (const [field, allowedVals] of Object.entries(roleConstraints.allowed_values)) {
+                if (params[field] && !allowedVals.includes(params[field])) {
+                    violations.push(`Value '${params[field]}' not allowed for field '${field}'`);
+                }
+            }
+        }
+        return { valid: violations.length === 0, violations };
+    }
+    /**
+     * Complete policy check
+     */
+    check(tool, params, session, claimedRole, requestId = "") {
+        // Validate session
+        const sessionCheck = this.validateSession(session, requestId);
+        if (!sessionCheck.valid) {
+            return {
+                allowed: false,
+                reason: sessionCheck.error,
+                violations: ["INVALID_SESSION"],
+                session_role: "",
+                required_roles: tool.roles || [],
+            };
+        }
+        const validSession = session;
+        // Detect tampering
+        const tamperCheck = this.detectRoleTampering(validSession, claimedRole);
+        const violations = [];
+        if (tamperCheck.tampered) {
+            violations.push("ROLE_TAMPERING");
+            if (requestId) {
+                console.log(`[L3:${requestId}] ALERT: Role tampering detected`);
+                console.log(`[L3:${requestId}]   Claimed: ${tamperCheck.claimed}, Actual: ${tamperCheck.actual}`);
+            }
+        }
+        // Check tool access (using SESSION role)
+        const accessCheck = this.checkToolAccess(tool, validSession, requestId);
+        if (!accessCheck.allowed) {
+            return {
+                allowed: false,
+                reason: accessCheck.reason,
+                violations: [...violations, "UNAUTHORIZED_TOOL"],
+                session_role: validSession.role,
+                required_roles: tool.roles || [],
+            };
+        }
+        // Check constraints
+        const constraintCheck = this.checkConstraints(tool, params, validSession, requestId);
+        if (!constraintCheck.valid) {
+            return {
+                allowed: false,
+                reason: "Constraint violation",
+                violations: [...violations, ...constraintCheck.violations],
+                session_role: validSession.role,
+                required_roles: tool.roles || [],
+                constraint_violations: constraintCheck.violations,
+            };
+        }
+        if (requestId) {
+            console.log(`[L3:${requestId}] Policy check PASSED`);
+        }
+        return {
+            allowed: true,
+            violations: tamperCheck.tampered ? ["ROLE_TAMPERING_HANDLED"] : [],
+            session_role: validSession.role,
+            required_roles: tool.roles || [],
+        };
+    }
+    /**
+     * Set role hierarchy
+     */
+    setRoleHierarchy(hierarchy) {
+        this.roleHierarchy = hierarchy;
+    }
+}
+exports.PolicyGate = PolicyGate;
+//# sourceMappingURL=policy-gate.js.map

package/dist/guards/policy-gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-gate.js","sourceRoot":"","sources":["../../src/guards/policy-gate.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AASH,MAAa,UAAU;IAIrB,YAAY,SAA2B,EAAE;QACvC,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC;QAChD,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,IAAI,IAAI,GAAG,EAAE,CAAC;IAC7D,CAAC;IAED;;OAEG;IACH,eAAe,CACb,OAAmC,EACnC,YAAoB,EAAE;QAEtB,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,IAAI,SAAS;gBAAE,OAAO,CAAC,GAAG,CAAC,OAAO,SAAS,uBAAuB,CAAC,CAAC;YACpE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC5D,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;YAC3B,IAAI,SAAS;gBAAE,OAAO,CAAC,GAAG,CAAC,OAAO,SAAS,8BAA8B,CAAC,CAAC;YAC3E,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC;QAC9D,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,IAAI,SAAS;gBAAE,OAAO,CAAC,GAAG,CAAC,OAAO,SAAS,+BAA+B,CAAC,CAAC;YAC5E,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC5D,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,mBAAmB,CACjB,OAAuB,EACvB,WAA6B;QAE7B,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC;QACnD,CAAC;QAED,IAAI,WAAW,KAAK,OAAO,CAAC,IAAI,EAAE,CAAC;YACjC,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;QACxE,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC;IACnD,CAAC;IAED;;OAEG;IACH,eAAe,CACb,IAAoB,EACpB,OAAuB,EACvB,YAAoB,EAAE;QAEtB,0CAA0C;QAC1C,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,6BAA6B;YAC7B,MAAM,gBAAgB,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAChE,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;gBAC1C,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;gBAClD,OAAO,gBAAgB,IAAI,aAAa,IAAI,aAAa,IAAI,CAAC,CAAC;YACjE,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,IAAI,SAAS,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,OAAO,SAAS,oBAAoB,OAAO,CAAC,IAAI,iBAAiB,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC;gBAC7F,CAAC;gBACD,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,SAAS,OAAO,CAAC,IAAI,iCAAiC,IAAI,CAAC,IAAI,GAAG;iBAC3E,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,gBAAgB,CACd,IAAoB,EACpB,MAA2B,EAC3B,OAAuB,EACvB,YAAoB,EAAE;QAEtB,MAAM,UAAU,GAAa,EAAE,CAAC;QAEhC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACvD,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QACzC,CAAC;QAED,mBAAmB;QACnB,IAAI,eAAe,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7C,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC;YACpD,IAAI,MAAM,IAAI,MAAM,GAAG,eAAe,CAAC,UAAU,EAAE,CAAC;gBAClD,UAAU,CAAC,IAAI,CACb,UAAU,MAAM,qBAAqB,eAAe,CAAC,UAAU,cAAc,OAAO,CAAC,IAAI,GAAG,CAC7F,CAAC;gBACF,IAAI,SAAS,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,OAAO,SAAS,oCAAoC,CAAC,CAAC;gBACpE,CAAC;YACH,CAAC;QACH,CAAC;QAED,yBAAyB;QACzB,IAAI,eAAe,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YAC5D,UAAU,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,iCAAiC,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC;YACpF,IAAI,SAAS,EAAE,CAAC;gBACd,OAAO,CAAC,GAAG,CAAC,OAAO,SAAS,iCAAiC,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,IAAI,eAAe,CAAC,cAAc,EAAE,CAAC;YACnC,KAAK,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,cAAc,CAAC,EAAE,CAAC;gBAClF,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;oBAC1D,UAAU,CAAC,IAAI,CAAC,UAAU,MAAM,CAAC,KAAK,CAAC,4BAA4B,KAAK,GAAG,CAAC,CAAC;gBAC/E,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,UAAU,EAAE,CAAC;IACxD,CAAC;IAED;;OAEG;IACH,KAAK,CACH,IAAoB,EACpB,MAA2B,EAC3B,OAAmC,EACnC,WAA6B,EAC7B,YAAoB,EAAE;QAEtB,mBAAmB;QACnB,MAAM,YAAY,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAC9D,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;YACxB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,YAAY,CAAC,KAAK;gBAC1B,UAAU,EAAE,CAAC,iBAAiB,CAAC;gBAC/B,YAAY,EAAE,EAAU;gBACxB,cAAc,EAAE,IAAI,CAAC,KAAK,IAAI,EAAE;aACjC,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAAG,OAAQ,CAAC;QAE9B,mBAAmB;QACnB,MAAM,WAAW,GAAG,IAAI,CAAC,mBAAmB,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QACxE,MAAM,UAAU,GAAa,EAAE,CAAC;QAEhC,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;YACzB,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAClC,IAAI,SAAS,EAAE,CAAC;gBACd,OAAO,CAAC,GAAG,CAAC,OAAO,SAAS,kCAAkC,CAAC,CAAC;gBAChE,OAAO,CAAC,GAAG,CAAC,OAAO,SAAS,gBAAgB,WAAW,CAAC,OAAO,aAAa,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;YACpG,CAAC;QACH,CAAC;QAED,yCAAyC;QACzC,MAAM,WAAW,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;QACxE,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,WAAW,CAAC,MAAM;gBAC1B,UAAU,EAAE,CAAC,GAAG,UAAU,EAAE,mBAAmB,CAAC;gBAChD,YAAY,EAAE,YAAY,CAAC,IAAI;gBAC/B,cAAc,EAAE,IAAI,CAAC,KAAK,IAAI,EAAE;aACjC,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,MAAM,eAAe,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;QACrF,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;YAC3B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,sBAAsB;gBAC9B,UAAU,EAAE,CAAC,GAAG,UAAU,EAAE,GAAG,eAAe,CAAC,UAAU,CAAC;gBAC1D,YAAY,EAAE,YAAY,CAAC,IAAI;gBAC/B,cAAc,EAAE,IAAI,CAAC,KAAK,IAAI,EAAE;gBAChC,qBAAqB,EAAE,eAAe,CAAC,UAAU;aAClD,CAAC;QACJ,CAAC;QAED,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,OAAO,SAAS,uBAAuB,CAAC,CAAC;QACvD,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,UAAU,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,CAAC,EAAE;YAClE,YAAY,EAAE,YAAY,CAAC,IAAI;YAC/B,cAAc,EAAE,IAAI,CAAC,KAAK,IAAI,EAAE;SACjC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,SAA+B;QAC9C,IAAI,CAAC,aAAa,GAAG,SAAS,CAAC;IACjC,CAAC;CACF;AA5ND,gCA4NC"}