llm-trust-guard 4.0.0

package/dist/guards/state-persistence-guard.js

@@ -0,0 +1,484 @@
+"use strict";
+/**
+ * StatePersistenceGuard (L22)
+ *
+ * Detects and prevents unauthorized state persistence and corruption.
+ * Implements ASI08 from OWASP Agentic Applications 2026.
+ *
+ * Threat Model:
+ * - ASI08: State Corruption
+ * - Unauthorized state persistence
+ * - Cross-session state leakage
+ * - Malicious state injection
+ * - State tampering and replay attacks
+ *
+ * Protection Capabilities:
+ * - State integrity verification
+ * - Persistence authorization
+ * - Cross-session isolation
+ * - State encryption validation
+ * - Tampering detection
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StatePersistenceGuard = void 0;
+const crypto = __importStar(require("crypto"));
+class StatePersistenceGuard {
+    constructor(config = {}) {
+        this.stateStore = new Map();
+        this.sessionStates = new Map();
+        // State injection patterns
+        this.INJECTION_PATTERNS = [
+            // Code injection
+            { name: "code_injection", pattern: /(?:eval|exec|Function|setTimeout|setInterval)\s*\(/i, severity: 90 },
+            { name: "script_injection", pattern: /<script[\s>]|javascript:/i, severity: 85 },
+            { name: "prototype_pollution", pattern: /__proto__|constructor\s*\[|prototype\s*\[/i, severity: 90 },
+            // Serialization attacks
+            { name: "json_injection", pattern: /\{\s*["']?(__proto__|constructor|prototype)["']?\s*:/i, severity: 85 },
+            { name: "yaml_injection", pattern: /!!python\/|!!ruby\/|!!php\//i, severity: 80 },
+            { name: "pickle_attack", pattern: /cos\n|cposix\n|csubprocess/i, severity: 95 },
+            // Path traversal
+            { name: "path_traversal", pattern: /\.\.\/|\.\.\\|%2e%2e/i, severity: 75 },
+            { name: "null_byte", pattern: /\x00|%00/i, severity: 80 },
+            // State corruption
+            { name: "state_hijack", pattern: /session_id\s*[:=]|tenant_id\s*[:=]/i, severity: 70 },
+            { name: "privilege_inject", pattern: /(?:role|permission|admin|is_admin)\s*[:=]\s*(?:true|admin|1)/i, severity: 85 },
+            { name: "trust_inject", pattern: /trust_level\s*[:=]|autonomy_level\s*[:=]/i, severity: 80 },
+            // Replay attacks
+            { name: "timestamp_manipulation", pattern: /created_at\s*[:=]\s*\d+|modified_at\s*[:=]\s*\d+/i, severity: 60 },
+            { name: "version_manipulation", pattern: /version\s*[:=]\s*\d+/i, severity: 55 },
+        ];
+        // Sensitive state keys
+        this.DEFAULT_SENSITIVE_KEYS = [
+            "credentials",
+            "password",
+            "token",
+            "secret",
+            "api_key",
+            "session_token",
+            "auth_token",
+            "private_key",
+            "encryption_key",
+            "signing_key",
+        ];
+        this.config = {
+            enableIntegrityCheck: config.enableIntegrityCheck ?? true,
+            requireEncryption: config.requireEncryption ?? false,
+            maxStateSize: config.maxStateSize ?? 1024 * 1024, // 1MB
+            maxStateAge: config.maxStateAge ?? 24 * 60 * 60 * 1000, // 24 hours
+            enforceSessionIsolation: config.enforceSessionIsolation ?? true,
+            allowedTargets: config.allowedTargets ?? ["memory", "session", "cache"],
+            sensitiveKeys: config.sensitiveKeys ?? this.DEFAULT_SENSITIVE_KEYS,
+            detectTampering: config.detectTampering ?? true,
+            signingSecret: config.signingSecret ?? crypto.randomBytes(32).toString("hex"),
+        };
+    }
+    /**
+     * Validate a state operation
+     */
+    validateOperation(operation, requestId) {
+        const reqId = requestId || `state-${Date.now()}`;
+        const violations = [];
+        let integrityValid = true;
+        let encryptionValid = true;
+        let sessionAuthorized = true;
+        let sizeValid = true;
+        let ageValid = true;
+        let tamperingDetected = false;
+        // 1. Check session authorization for cross-session operations
+        if (this.config.enforceSessionIsolation && operation.target_session_id) {
+            if (operation.target_session_id !== operation.session_id) {
+                violations.push("cross_session_access_attempt");
+                sessionAuthorized = false;
+            }
+        }
+        // 2. Check persistence target authorization
+        if (operation.target && !this.config.allowedTargets.includes(operation.target)) {
+            violations.push(`unauthorized_target: ${operation.target}`);
+        }
+        // 3. For write operations, validate the value
+        if (operation.operation === "write" && operation.value !== undefined) {
+            // Check size
+            const valueSize = JSON.stringify(operation.value).length;
+            if (valueSize > this.config.maxStateSize) {
+                violations.push(`state_size_exceeded: ${valueSize} > ${this.config.maxStateSize}`);
+                sizeValid = false;
+            }
+            // Check for injection patterns
+            const valueStr = typeof operation.value === "string"
+                ? operation.value
+                : JSON.stringify(operation.value);
+            for (const { name, pattern, severity } of this.INJECTION_PATTERNS) {
+                if (pattern.test(valueStr)) {
+                    violations.push(`injection_pattern: ${name}`);
+                    if (severity >= 80) {
+                        tamperingDetected = true;
+                    }
+                }
+            }
+            // Check for sensitive key without encryption
+            if (this.isSensitiveKey(operation.key) && !operation.metadata?.encrypted) {
+                if (this.config.requireEncryption) {
+                    violations.push("sensitive_key_not_encrypted");
+                    encryptionValid = false;
+                }
+            }
+        }
+        // 4. For read/restore operations, validate existing state
+        if (operation.operation === "read" || operation.operation === "restore") {
+            const stateKey = this.getStateKey(operation.session_id, operation.key);
+            const existingState = this.stateStore.get(stateKey);
+            if (existingState) {
+                // Check ownership
+                if (this.config.enforceSessionIsolation &&
+                    existingState.session_id !== operation.session_id) {
+                    violations.push("state_ownership_violation");
+                    sessionAuthorized = false;
+                }
+                // Check age
+                const age = Date.now() - existingState.created_at;
+                if (age > this.config.maxStateAge) {
+                    violations.push(`state_expired: age ${Math.round(age / 1000)}s`);
+                    ageValid = false;
+                }
+                // Verify integrity
+                if (this.config.enableIntegrityCheck && existingState.integrity_hash) {
+                    const expectedHash = this.computeIntegrityHash(existingState);
+                    if (existingState.integrity_hash !== expectedHash) {
+                        violations.push("integrity_check_failed");
+                        integrityValid = false;
+                        tamperingDetected = true;
+                    }
+                }
+                // Verify provided hash matches
+                if (operation.integrity_hash && existingState.integrity_hash !== operation.integrity_hash) {
+                    violations.push("integrity_hash_mismatch");
+                    integrityValid = false;
+                }
+            }
+        }
+        // 5. For restore operations, additional checks
+        if (operation.operation === "restore") {
+            // Check for version mismatch (optimistic locking)
+            if (operation.expected_version !== undefined) {
+                const stateKey = this.getStateKey(operation.session_id, operation.key);
+                const existingState = this.stateStore.get(stateKey);
+                if (existingState && existingState.version !== operation.expected_version) {
+                    violations.push(`version_conflict: expected ${operation.expected_version}, got ${existingState.version}`);
+                }
+            }
+        }
+        // 6. For migrate operations, strict validation
+        if (operation.operation === "migrate") {
+            violations.push("migration_requires_admin_approval");
+        }
+        // Determine if operation should be blocked
+        const blocked = !sessionAuthorized ||
+            tamperingDetected ||
+            !integrityValid ||
+            !sizeValid ||
+            violations.length >= 3;
+        return {
+            allowed: !blocked,
+            reason: blocked
+                ? `State operation blocked: ${violations.slice(0, 3).join(", ")}`
+                : "State operation validated",
+            violations,
+            request_id: reqId,
+            analysis: {
+                operation: operation.operation,
+                state_key: operation.key,
+                integrity_valid: integrityValid,
+                encryption_valid: encryptionValid,
+                session_authorized: sessionAuthorized,
+                size_valid: sizeValid,
+                age_valid: ageValid,
+                tampering_detected: tamperingDetected,
+            },
+            recommendations: this.generateRecommendations(violations, operation.operation),
+        };
+    }
+    /**
+     * Store state with integrity protection
+     */
+    storeState(sessionId, key, value, options) {
+        const reqId = `store-${Date.now()}`;
+        // Validate the operation first
+        const validation = this.validateOperation({
+            operation: "write",
+            key,
+            value,
+            session_id: sessionId,
+            target: options?.target,
+            metadata: options,
+        }, reqId);
+        if (!validation.allowed) {
+            return validation;
+        }
+        // Create or update state
+        const stateKey = this.getStateKey(sessionId, key);
+        const existingState = this.stateStore.get(stateKey);
+        const now = Date.now();
+        const stateItem = {
+            state_id: existingState?.state_id || `state-${now}-${Math.random().toString(36).substr(2, 9)}`,
+            session_id: sessionId,
+            key,
+            value,
+            created_at: existingState?.created_at || now,
+            modified_at: now,
+            version: (existingState?.version || 0) + 1,
+            encrypted: options?.encrypted,
+            target: options?.target,
+            metadata: options?.metadata,
+        };
+        // Compute integrity hash
+        stateItem.integrity_hash = this.computeIntegrityHash(stateItem);
+        // Store
+        this.stateStore.set(stateKey, stateItem);
+        // Track session states
+        let sessionStates = this.sessionStates.get(sessionId);
+        if (!sessionStates) {
+            sessionStates = new Set();
+            this.sessionStates.set(sessionId, sessionStates);
+        }
+        sessionStates.add(key);
+        return {
+            ...validation,
+            state_item: stateItem,
+        };
+    }
+    /**
+     * Retrieve state with integrity verification
+     */
+    retrieveState(sessionId, key, options) {
+        const reqId = `retrieve-${Date.now()}`;
+        // Validate the operation
+        const validation = this.validateOperation({
+            operation: "read",
+            key,
+            session_id: sessionId,
+            integrity_hash: options?.integrity_hash,
+        }, reqId);
+        if (!validation.allowed) {
+            return validation;
+        }
+        const stateKey = this.getStateKey(sessionId, key);
+        const stateItem = this.stateStore.get(stateKey);
+        return {
+            ...validation,
+            state_item: stateItem,
+        };
+    }
+    /**
+     * Delete state
+     */
+    deleteState(sessionId, key) {
+        const reqId = `delete-${Date.now()}`;
+        const stateKey = this.getStateKey(sessionId, key);
+        const existingState = this.stateStore.get(stateKey);
+        if (!existingState) {
+            return {
+                allowed: true,
+                reason: "State not found",
+                violations: [],
+                request_id: reqId,
+                analysis: {
+                    operation: "delete",
+                    state_key: key,
+                    integrity_valid: true,
+                    encryption_valid: true,
+                    session_authorized: true,
+                    size_valid: true,
+                    age_valid: true,
+                    tampering_detected: false,
+                },
+                recommendations: [],
+            };
+        }
+        // Verify ownership
+        if (this.config.enforceSessionIsolation && existingState.session_id !== sessionId) {
+            return {
+                allowed: false,
+                reason: "Cannot delete state owned by another session",
+                violations: ["session_ownership_violation"],
+                request_id: reqId,
+                analysis: {
+                    operation: "delete",
+                    state_key: key,
+                    integrity_valid: true,
+                    encryption_valid: true,
+                    session_authorized: false,
+                    size_valid: true,
+                    age_valid: true,
+                    tampering_detected: false,
+                },
+                recommendations: ["Use the correct session ID to delete state"],
+            };
+        }
+        // Delete
+        this.stateStore.delete(stateKey);
+        const sessionStates = this.sessionStates.get(sessionId);
+        if (sessionStates) {
+            sessionStates.delete(key);
+        }
+        return {
+            allowed: true,
+            reason: "State deleted",
+            violations: [],
+            request_id: reqId,
+            analysis: {
+                operation: "delete",
+                state_key: key,
+                integrity_valid: true,
+                encryption_valid: true,
+                session_authorized: true,
+                size_valid: true,
+                age_valid: true,
+                tampering_detected: false,
+            },
+            state_item: existingState,
+            recommendations: [],
+        };
+    }
+    /**
+     * Verify state integrity
+     */
+    verifyIntegrity(sessionId, key) {
+        const stateKey = this.getStateKey(sessionId, key);
+        const stateItem = this.stateStore.get(stateKey);
+        if (!stateItem || !stateItem.integrity_hash) {
+            return false;
+        }
+        const expectedHash = this.computeIntegrityHash(stateItem);
+        return stateItem.integrity_hash === expectedHash;
+    }
+    /**
+     * Get all states for a session
+     */
+    getSessionStates(sessionId) {
+        const stateKeys = this.sessionStates.get(sessionId);
+        if (!stateKeys)
+            return [];
+        const states = [];
+        for (const key of stateKeys) {
+            const stateKey = this.getStateKey(sessionId, key);
+            const state = this.stateStore.get(stateKey);
+            if (state) {
+                states.push(state);
+            }
+        }
+        return states;
+    }
+    /**
+     * Clean up expired states
+     */
+    cleanupExpiredStates() {
+        const now = Date.now();
+        let cleaned = 0;
+        for (const [stateKey, state] of this.stateStore.entries()) {
+            if (now - state.created_at > this.config.maxStateAge) {
+                this.stateStore.delete(stateKey);
+                const sessionStates = this.sessionStates.get(state.session_id);
+                if (sessionStates) {
+                    sessionStates.delete(state.key);
+                }
+                cleaned++;
+            }
+        }
+        return cleaned;
+    }
+    /**
+     * Reset all states for a session
+     */
+    resetSession(sessionId) {
+        const stateKeys = this.sessionStates.get(sessionId);
+        if (stateKeys) {
+            for (const key of stateKeys) {
+                this.stateStore.delete(this.getStateKey(sessionId, key));
+            }
+        }
+        this.sessionStates.delete(sessionId);
+    }
+    // Private methods
+    getStateKey(sessionId, key) {
+        return `${sessionId}:${key}`;
+    }
+    computeIntegrityHash(state) {
+        const data = JSON.stringify({
+            session_id: state.session_id,
+            key: state.key,
+            value: state.value,
+            version: state.version,
+        });
+        return crypto
+            .createHmac("sha256", this.config.signingSecret)
+            .update(data)
+            .digest("hex");
+    }
+    isSensitiveKey(key) {
+        const keyLower = key.toLowerCase();
+        return this.config.sensitiveKeys.some(sk => keyLower.includes(sk.toLowerCase()));
+    }
+    generateRecommendations(violations, operation) {
+        const recommendations = [];
+        if (violations.some(v => v.includes("cross_session"))) {
+            recommendations.push("Access only states owned by the current session");
+        }
+        if (violations.some(v => v.includes("injection"))) {
+            recommendations.push("Sanitize state values before persistence");
+        }
+        if (violations.some(v => v.includes("integrity"))) {
+            recommendations.push("Ensure state has not been tampered with");
+        }
+        if (violations.some(v => v.includes("encryption"))) {
+            recommendations.push("Encrypt sensitive state before storage");
+        }
+        if (violations.some(v => v.includes("size"))) {
+            recommendations.push("Reduce state size or split into smaller chunks");
+        }
+        if (violations.some(v => v.includes("expired"))) {
+            recommendations.push("Refresh or recreate expired state");
+        }
+        if (violations.some(v => v.includes("version"))) {
+            recommendations.push("Fetch latest state version before updating");
+        }
+        if (recommendations.length === 0) {
+            recommendations.push(`Continue with ${operation} operation`);
+        }
+        return recommendations;
+    }
+}
+exports.StatePersistenceGuard = StatePersistenceGuard;
+//# sourceMappingURL=state-persistence-guard.js.map

package/dist/guards/state-persistence-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"state-persistence-guard.js","sourceRoot":"","sources":["../../src/guards/state-persistence-guard.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;GAmBG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,+CAAiC;AAwFjC,MAAa,qBAAqB;IA6ChC,YAAY,SAAsC,EAAE;QA3C5C,eAAU,GAA2B,IAAI,GAAG,EAAE,CAAC;QAC/C,kBAAa,GAA6B,IAAI,GAAG,EAAE,CAAC;QAE5D,2BAA2B;QACV,uBAAkB,GAA+D;YAChG,iBAAiB;YACjB,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,qDAAqD,EAAE,QAAQ,EAAE,EAAE,EAAE;YACxG,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,2BAA2B,EAAE,QAAQ,EAAE,EAAE,EAAE;YAChF,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,4CAA4C,EAAE,QAAQ,EAAE,EAAE,EAAE;YAEpG,wBAAwB;YACxB,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,uDAAuD,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC1G,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,8BAA8B,EAAE,QAAQ,EAAE,EAAE,EAAE;YACjF,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,6BAA6B,EAAE,QAAQ,EAAE,EAAE,EAAE;YAE/E,iBAAiB;YACjB,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC1E,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,EAAE,EAAE;YAEzD,mBAAmB;YACnB,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,qCAAqC,EAAE,QAAQ,EAAE,EAAE,EAAE;YACtF,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,+DAA+D,EAAE,QAAQ,EAAE,EAAE,EAAE;YACpH,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,2CAA2C,EAAE,QAAQ,EAAE,EAAE,EAAE;YAE5F,iBAAiB;YACjB,EAAE,IAAI,EAAE,wBAAwB,EAAE,OAAO,EAAE,mDAAmD,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC9G,EAAE,IAAI,EAAE,sBAAsB,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,EAAE,EAAE;SACjF,CAAC;QAEF,uBAAuB;QACN,2BAAsB,GAAG;YACxC,aAAa;YACb,UAAU;YACV,OAAO;YACP,QAAQ;YACR,SAAS;YACT,eAAe;YACf,YAAY;YACZ,aAAa;YACb,gBAAgB;YAChB,aAAa;SACd,CAAC;QAGA,IAAI,CAAC,MAAM,GAAG;YACZ,oBAAoB,EAAE,MAAM,CAAC,oBAAoB,IAAI,IAAI;YACzD,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,IAAI,KAAK;YACpD,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,IAAI,GAAG,IAAI,EAAE,MAAM;YACxD,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,WAAW;YACnE,uBAAuB,EAAE,MAAM,CAAC,uBAAuB,IAAI,IAAI;YAC/D,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YACvE,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,IAAI,CAAC,sBAAsB;YAClE,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,IAAI;YAC/C,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;SAC9E,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,iBAAiB,CACf,SAAyB,EACzB,SAAkB;QAElB,MAAM,KAAK,GAAG,SAAS,IAAI,SAAS,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACjD,MAAM,UAAU,GAAa,EAAE,CAAC;QAEhC,IAAI,cAAc,GAAG,IAAI,CAAC;QAC1B,IAAI,eAAe,GAAG,IAAI,CAAC;QAC3B,IAAI,iBAAiB,GAAG,IAAI,CAAC;QAC7B,IAAI,SAAS,GAAG,IAAI,CAAC;QACrB,IAAI,QAAQ,GAAG,IAAI,CAAC;QACpB,IAAI,iBAAiB,GAAG,KAAK,CAAC;QAE9B,8DAA8D;QAC9D,IAAI,IAAI,CAAC,MAAM,CAAC,uBAAuB,IAAI,SAAS,CAAC,iBAAiB,EAAE,CAAC;YACvE,IAAI,SAAS,CAAC,iBAAiB,KAAK,SAAS,CAAC,UAAU,EAAE,CAAC;gBACzD,UAAU,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;gBAChD,iBAAiB,GAAG,KAAK,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,IAAI,SAAS,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/E,UAAU,CAAC,IAAI,CAAC,wBAAwB,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9D,CAAC;QAED,8CAA8C;QAC9C,IAAI,SAAS,CAAC,SAAS,KAAK,OAAO,IAAI,SAAS,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YACrE,aAAa;YACb,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;YACzD,IAAI,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;gBACzC,UAAU,CAAC,IAAI,CAAC,wBAAwB,SAAS,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC,CAAC;gBACnF,SAAS,GAAG,KAAK,CAAC;YACpB,CAAC;YAED,+BAA+B;YAC/B,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ;gBAClD,CAAC,CAAC,SAAS,CAAC,KAAK;gBACjB,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YAEpC,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAClE,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC3B,UAAU,CAAC,IAAI,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC;oBAC9C,IAAI,QAAQ,IAAI,EAAE,EAAE,CAAC;wBACnB,iBAAiB,GAAG,IAAI,CAAC;oBAC3B,CAAC;gBACH,CAAC;YACH,CAAC;YAED,6CAA6C;YAC7C,IAAI,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC;gBACzE,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;oBAClC,UAAU,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;oBAC/C,eAAe,GAAG,KAAK,CAAC;gBAC1B,CAAC;YACH,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,IAAI,SAAS,CAAC,SAAS,KAAK,MAAM,IAAI,SAAS,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACxE,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC;YACvE,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAEpD,IAAI,aAAa,EAAE,CAAC;gBAClB,kBAAkB;gBAClB,IAAI,IAAI,CAAC,MAAM,CAAC,uBAAuB;oBACnC,aAAa,CAAC,UAAU,KAAK,SAAS,CAAC,UAAU,EAAE,CAAC;oBACtD,UAAU,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;oBAC7C,iBAAiB,GAAG,KAAK,CAAC;gBAC5B,CAAC;gBAED,YAAY;gBACZ,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,CAAC,UAAU,CAAC;gBAClD,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;oBAClC,UAAU,CAAC,IAAI,CAAC,sBAAsB,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;oBACjE,QAAQ,GAAG,KAAK,CAAC;gBACnB,CAAC;gBAED,mBAAmB;gBACnB,IAAI,IAAI,CAAC,MAAM,CAAC,oBAAoB,IAAI,aAAa,CAAC,cAAc,EAAE,CAAC;oBACrE,MAAM,YAAY,GAAG,IAAI,CAAC,oBAAoB,CAAC,aAAa,CAAC,CAAC;oBAC9D,IAAI,aAAa,CAAC,cAAc,KAAK,YAAY,EAAE,CAAC;wBAClD,UAAU,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;wBAC1C,cAAc,GAAG,KAAK,CAAC;wBACvB,iBAAiB,GAAG,IAAI,CAAC;oBAC3B,CAAC;gBACH,CAAC;gBAED,+BAA+B;gBAC/B,IAAI,SAAS,CAAC,cAAc,IAAI,aAAa,CAAC,cAAc,KAAK,SAAS,CAAC,cAAc,EAAE,CAAC;oBAC1F,UAAU,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;oBAC3C,cAAc,GAAG,KAAK,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;QAED,+CAA+C;QAC/C,IAAI,SAAS,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACtC,kDAAkD;YAClD,IAAI,SAAS,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;gBAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC;gBACvE,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACpD,IAAI,aAAa,IAAI,aAAa,CAAC,OAAO,KAAK,SAAS,CAAC,gBAAgB,EAAE,CAAC;oBAC1E,UAAU,CAAC,IAAI,CAAC,8BAA8B,SAAS,CAAC,gBAAgB,SAAS,aAAa,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC5G,CAAC;YACH,CAAC;QACH,CAAC;QAED,+CAA+C;QAC/C,IAAI,SAAS,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACtC,UAAU,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QAED,2CAA2C;QAC3C,MAAM,OAAO,GACX,CAAC,iBAAiB;YAClB,iBAAiB;YACjB,CAAC,cAAc;YACf,CAAC,SAAS;YACV,UAAU,CAAC,MAAM,IAAI,CAAC,CAAC;QAEzB,OAAO;YACL,OAAO,EAAE,CAAC,OAAO;YACjB,MAAM,EAAE,OAAO;gBACb,CAAC,CAAC,4BAA4B,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBACjE,CAAC,CAAC,2BAA2B;YAC/B,UAAU;YACV,UAAU,EAAE,KAAK;YACjB,QAAQ,EAAE;gBACR,SAAS,EAAE,SAAS,CAAC,SAAS;gBAC9B,SAAS,EAAE,SAAS,CAAC,GAAG;gBACxB,eAAe,EAAE,cAAc;gBAC/B,gBAAgB,EAAE,eAAe;gBACjC,kBAAkB,EAAE,iBAAiB;gBACrC,UAAU,EAAE,SAAS;gBACrB,SAAS,EAAE,QAAQ;gBACnB,kBAAkB,EAAE,iBAAiB;aACtC;YACD,eAAe,EAAE,IAAI,CAAC,uBAAuB,CAAC,UAAU,EAAE,SAAS,CAAC,SAAS,CAAC;SAC/E,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,UAAU,CACR,SAAiB,EACjB,GAAW,EACX,KAAU,EACV,OAIC;QAED,MAAM,KAAK,GAAG,SAAS,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAEpC,+BAA+B;QAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,iBAAiB,CAAC;YACxC,SAAS,EAAE,OAAO;YAClB,GAAG;YACH,KAAK;YACL,UAAU,EAAE,SAAS;YACrB,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,QAAQ,EAAE,OAAO;SAClB,EAAE,KAAK,CAAC,CAAC;QAEV,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,yBAAyB;QACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAClD,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,MAAM,SAAS,GAAc;YAC3B,QAAQ,EAAE,aAAa,EAAE,QAAQ,IAAI,SAAS,GAAG,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;YAC9F,UAAU,EAAE,SAAS;YACrB,GAAG;YACH,KAAK;YACL,UAAU,EAAE,aAAa,EAAE,UAAU,IAAI,GAAG;YAC5C,WAAW,EAAE,GAAG;YAChB,OAAO,EAAE,CAAC,aAAa,EAAE,OAAO,IAAI,CAAC,CAAC,GAAG,CAAC;YAC1C,SAAS,EAAE,OAAO,EAAE,SAAS;YAC7B,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,QAAQ,EAAE,OAAO,EAAE,QAAQ;SAC5B,CAAC;QAEF,yBAAyB;QACzB,SAAS,CAAC,cAAc,GAAG,IAAI,CAAC,oBAAoB,CAAC,SAAS,CAAC,CAAC;QAEhE,QAAQ;QACR,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAEzC,uBAAuB;QACvB,IAAI,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACtD,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,aAAa,GAAG,IAAI,GAAG,EAAE,CAAC;YAC1B,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;QACnD,CAAC;QACD,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEvB,OAAO;YACL,GAAG,UAAU;YACb,UAAU,EAAE,SAAS;SACtB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,aAAa,CACX,SAAiB,EACjB,GAAW,EACX,OAEC;QAED,MAAM,KAAK,GAAG,YAAY,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAEvC,yBAAyB;QACzB,MAAM,UAAU,GAAG,IAAI,CAAC,iBAAiB,CAAC;YACxC,SAAS,EAAE,MAAM;YACjB,GAAG;YACH,UAAU,EAAE,SAAS;YACrB,cAAc,EAAE,OAAO,EAAE,cAAc;SACxC,EAAE,KAAK,CAAC,CAAC;QAEV,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAClD,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEhD,OAAO;YACL,GAAG,UAAU;YACb,UAAU,EAAE,SAAS;SACtB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,SAAiB,EAAE,GAAW;QACxC,MAAM,KAAK,GAAG,UAAU,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAErC,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAClD,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEpD,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,iBAAiB;gBACzB,UAAU,EAAE,EAAE;gBACd,UAAU,EAAE,KAAK;gBACjB,QAAQ,EAAE;oBACR,SAAS,EAAE,QAAQ;oBACnB,SAAS,EAAE,GAAG;oBACd,eAAe,EAAE,IAAI;oBACrB,gBAAgB,EAAE,IAAI;oBACtB,kBAAkB,EAAE,IAAI;oBACxB,UAAU,EAAE,IAAI;oBAChB,SAAS,EAAE,IAAI;oBACf,kBAAkB,EAAE,KAAK;iBAC1B;gBACD,eAAe,EAAE,EAAE;aACpB,CAAC;QACJ,CAAC;QAED,mBAAmB;QACnB,IAAI,IAAI,CAAC,MAAM,CAAC,uBAAuB,IAAI,aAAa,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YAClF,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,8CAA8C;gBACtD,UAAU,EAAE,CAAC,6BAA6B,CAAC;gBAC3C,UAAU,EAAE,KAAK;gBACjB,QAAQ,EAAE;oBACR,SAAS,EAAE,QAAQ;oBACnB,SAAS,EAAE,GAAG;oBACd,eAAe,EAAE,IAAI;oBACrB,gBAAgB,EAAE,IAAI;oBACtB,kBAAkB,EAAE,KAAK;oBACzB,UAAU,EAAE,IAAI;oBAChB,SAAS,EAAE,IAAI;oBACf,kBAAkB,EAAE,KAAK;iBAC1B;gBACD,eAAe,EAAE,CAAC,4CAA4C,CAAC;aAChE,CAAC;QACJ,CAAC;QAED,SAAS;QACT,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEjC,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACxD,IAAI,aAAa,EAAE,CAAC;YAClB,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5B,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,eAAe;YACvB,UAAU,EAAE,EAAE;YACd,UAAU,EAAE,KAAK;YACjB,QAAQ,EAAE;gBACR,SAAS,EAAE,QAAQ;gBACnB,SAAS,EAAE,GAAG;gBACd,eAAe,EAAE,IAAI;gBACrB,gBAAgB,EAAE,IAAI;gBACtB,kBAAkB,EAAE,IAAI;gBACxB,UAAU,EAAE,IAAI;gBAChB,SAAS,EAAE,IAAI;gBACf,kBAAkB,EAAE,KAAK;aAC1B;YACD,UAAU,EAAE,aAAa;YACzB,eAAe,EAAE,EAAE;SACpB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,SAAiB,EAAE,GAAW;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAClD,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEhD,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC;YAC5C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,YAAY,GAAG,IAAI,CAAC,oBAAoB,CAAC,SAAS,CAAC,CAAC;QAC1D,OAAO,SAAS,CAAC,cAAc,KAAK,YAAY,CAAC;IACnD,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,SAAiB;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACpD,IAAI,CAAC,SAAS;YAAE,OAAO,EAAE,CAAC;QAE1B,MAAM,MAAM,GAAgB,EAAE,CAAC;QAC/B,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;YAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;YAClD,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC5C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,oBAAoB;QAClB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;YAC1D,IAAI,GAAG,GAAG,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;gBACrD,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACjC,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;gBAC/D,IAAI,aAAa,EAAE,CAAC;oBAClB,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAClC,CAAC;gBACD,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,SAAiB;QAC5B,MAAM,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACpD,IAAI,SAAS,EAAE,CAAC;YACd,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;gBAC5B,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC;QACD,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACvC,CAAC;IAED,kBAAkB;IAEV,WAAW,CAAC,SAAiB,EAAE,GAAW;QAChD,OAAO,GAAG,SAAS,IAAI,GAAG,EAAE,CAAC;IAC/B,CAAC;IAEO,oBAAoB,CAAC,KAAgB;QAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;YAC1B,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC,CAAC;QAEH,OAAO,MAAM;aACV,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;aAC/C,MAAM,CAAC,IAAI,CAAC;aACZ,MAAM,CAAC,KAAK,CAAC,CAAC;IACnB,CAAC;IAEO,cAAc,CAAC,GAAW;QAChC,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACnF,CAAC;IAEO,uBAAuB,CAAC,UAAoB,EAAE,SAAiB;QACrE,MAAM,eAAe,GAAa,EAAE,CAAC;QAErC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC;YACtD,eAAe,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAC1E,CAAC;QACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YAClD,eAAe,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YAClD,eAAe,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;QAClE,CAAC;QACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;YACnD,eAAe,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;QACjE,CAAC;QACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;YAC7C,eAAe,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;QACzE,CAAC;QACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YAChD,eAAe,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YAChD,eAAe,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QACrE,CAAC;QAED,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,eAAe,CAAC,IAAI,CAAC,iBAAiB,SAAS,YAAY,CAAC,CAAC;QAC/D,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;CACF;AA1fD,sDA0fC"}

package/dist/guards/tenant-boundary.d.ts

@@ -0,0 +1,67 @@
+/**
+ * L4 Tenant Boundary Guard
+ *
+ * Enforces strict multi-tenant isolation.
+ * Prevents cross-tenant data access.
+ */
+import { SessionContext, TenantBoundaryResult } from "../types";
+export interface ResourceOwnership {
+    resource_id: string;
+    tenant_id: string;
+    resource_type?: string;
+}
+export interface TenantBoundaryConfig {
+    validTenants?: Set<string>;
+    resourceOwnership?: Map<string, ResourceOwnership>;
+    resourceIdFields?: string[];
+    listOperations?: string[];
+}
+export declare class TenantBoundary {
+    private validTenants;
+    private resourceOwnership;
+    private resourceIdFields;
+    private listOperations;
+    constructor(config?: TenantBoundaryConfig);
+    /**
+     * Validate session has valid tenant
+     */
+    validateSession(session: SessionContext | undefined, requestId?: string): {
+        valid: boolean;
+        error?: string;
+    };
+    /**
+     * Check resource ownership
+     */
+    checkResourceOwnership(resourceId: string, session: SessionContext, requestId?: string): {
+        allowed: boolean;
+        resource_tenant?: string;
+    };
+    /**
+     * Check if tenant_id parameter matches session
+     */
+    checkTenantParameter(params: Record<string, any>, session: SessionContext, requestId?: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /**
+     * Enforce tenant filtering for list operations
+     */
+    enforceTenantFilter(toolName: string, params: Record<string, any>, session: SessionContext, requestId?: string): {
+        allowed: boolean;
+        enforced_params: Record<string, any>;
+        reason?: string;
+    };
+    /**
+     * Complete tenant boundary check
+     */
+    check(toolName: string, params: Record<string, any>, session: SessionContext | undefined, requestId?: string): TenantBoundaryResult;
+    /**
+     * Register resource ownership
+     */
+    registerResource(resourceId: string, tenantId: string, resourceType?: string): void;
+    /**
+     * Add valid tenant
+     */
+    addValidTenant(tenantId: string): void;
+}
+//# sourceMappingURL=tenant-boundary.d.ts.map

package/dist/guards/tenant-boundary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant-boundary.d.ts","sourceRoot":"","sources":["../../src/guards/tenant-boundary.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,UAAU,CAAC;AAEhE,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,oBAAoB;IACnC,YAAY,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC3B,iBAAiB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IACnD,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,YAAY,CAAc;IAClC,OAAO,CAAC,iBAAiB,CAAiC;IAC1D,OAAO,CAAC,gBAAgB,CAAW;IACnC,OAAO,CAAC,cAAc,CAAW;gBAErB,MAAM,GAAE,oBAAyB;IAoB7C;;OAEG;IACH,eAAe,CACb,OAAO,EAAE,cAAc,GAAG,SAAS,EACnC,SAAS,GAAE,MAAW,GACrB;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAwBrC;;OAEG;IACH,sBAAsB,CACpB,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,cAAc,EACvB,SAAS,GAAE,MAAW,GACrB;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,eAAe,CAAC,EAAE,MAAM,CAAA;KAAE;IAmBjD;;OAEG;IACH,oBAAoB,CAClB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,OAAO,EAAE,cAAc,EACvB,SAAS,GAAE,MAAW,GACrB;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAcxC;;OAEG;IACH,mBAAmB,CACjB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,OAAO,EAAE,cAAc,EACvB,SAAS,GAAE,MAAW,GACrB;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IA6B9E;;OAEG;IACH,KAAK,CACH,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,OAAO,EAAE,cAAc,GAAG,SAAS,EACnC,SAAS,GAAE,MAAW,GACrB,oBAAoB;IAoEvB;;OAEG;IACH,gBAAgB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI;IAQnF;;OAEG;IACH,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;CAGvC"}