llm-trust-guard 4.0.0

package/dist/guards/code-execution-guard.js

@@ -0,0 +1,467 @@
+"use strict";
+/**
+ * CodeExecutionGuard (L11)
+ *
+ * Validates and sandboxes agent-generated code before execution.
+ * Prevents RCE (Remote Code Execution) attacks via malicious code generation.
+ *
+ * Threat Model:
+ * - ASI05: Unexpected Code Execution (RCE)
+ * - Code injection via LLM outputs
+ * - Sandbox escape attempts
+ *
+ * Protection Capabilities:
+ * - Static code analysis for dangerous patterns
+ * - Import/require blocklist enforcement
+ * - System call detection
+ * - Resource limit enforcement
+ * - Language-specific security rules
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CodeExecutionGuard = void 0;
+class CodeExecutionGuard {
+    constructor(config = {}) {
+        // Language-specific dangerous patterns
+        this.DANGEROUS_PATTERNS = {
+            javascript: [
+                { name: "eval", pattern: /\beval\s*\(/g, severity: 50 },
+                { name: "function_constructor", pattern: /new\s+Function\s*\(/g, severity: 50 },
+                { name: "child_process", pattern: /require\s*\(\s*['"]child_process['"]\s*\)/g, severity: 60 },
+                { name: "exec", pattern: /\b(exec|execSync|spawn|spawnSync)\s*\(/g, severity: 60 },
+                { name: "fs_write", pattern: /\b(writeFile|writeFileSync|appendFile|unlink|rmdir)\s*\(/g, severity: 45 },
+                { name: "process_env", pattern: /process\.env/g, severity: 30 },
+                { name: "require_dynamic", pattern: /require\s*\(\s*[^'"]/g, severity: 40 },
+                { name: "vm_module", pattern: /require\s*\(\s*['"]vm['"]\s*\)/g, severity: 55 },
+                { name: "fetch_external", pattern: /fetch\s*\(\s*['"]https?:\/\/(?!localhost)/g, severity: 35 },
+                { name: "websocket", pattern: /new\s+WebSocket\s*\(/g, severity: 35 },
+                { name: "prototype_pollution", pattern: /__proto__|constructor\s*\[|Object\.setPrototypeOf/g, severity: 50 },
+                { name: "global_access", pattern: /\bglobal\b|\bglobalThis\b/g, severity: 35 },
+            ],
+            python: [
+                { name: "eval", pattern: /\beval\s*\(/g, severity: 50 },
+                { name: "exec", pattern: /\bexec\s*\(/g, severity: 50 },
+                { name: "compile", pattern: /\bcompile\s*\(/g, severity: 45 },
+                { name: "subprocess", pattern: /import\s+subprocess|from\s+subprocess/g, severity: 60 },
+                { name: "os_system", pattern: /os\.(system|popen|exec)/g, severity: 60 },
+                { name: "os_module", pattern: /import\s+os|from\s+os\s+import/g, severity: 40 },
+                { name: "socket", pattern: /import\s+socket|from\s+socket/g, severity: 40 },
+                { name: "pickle", pattern: /import\s+pickle|pickle\.loads?/g, severity: 55 },
+                { name: "ctypes", pattern: /import\s+ctypes|from\s+ctypes/g, severity: 55 },
+                { name: "builtins", pattern: /__builtins__|__import__/g, severity: 50 },
+                { name: "file_write", pattern: /open\s*\([^)]*['"]w['"]/g, severity: 40 },
+                { name: "requests", pattern: /requests\.(get|post|put|delete)\s*\(/g, severity: 35 },
+                { name: "getattr_dynamic", pattern: /getattr\s*\(\s*\w+\s*,\s*[^'"]/g, severity: 40 },
+            ],
+            bash: [
+                { name: "rm_rf", pattern: /rm\s+(-rf?|--recursive)/gi, severity: 70 },
+                { name: "sudo", pattern: /\bsudo\b/gi, severity: 60 },
+                { name: "curl_pipe", pattern: /curl\s+.*\|\s*(ba)?sh/gi, severity: 70 },
+                { name: "wget_execute", pattern: /wget\s+.*&&\s*(ba)?sh/gi, severity: 70 },
+                { name: "eval", pattern: /\beval\b/gi, severity: 50 },
+                { name: "env_dump", pattern: /\benv\b|\bprintenv\b/gi, severity: 35 },
+                { name: "chmod", pattern: /chmod\s+(\+x|777|755)/gi, severity: 40 },
+                { name: "chown", pattern: /\bchown\b/gi, severity: 45 },
+                { name: "dd", pattern: /\bdd\s+if=/gi, severity: 55 },
+                { name: "nc_reverse", pattern: /\bnc\b.*-e/gi, severity: 70 },
+                { name: "base64_decode", pattern: /base64\s+(-d|--decode)/gi, severity: 40 },
+                { name: "cron", pattern: /crontab|\/etc\/cron/gi, severity: 50 },
+            ],
+            sql: [
+                { name: "drop_table", pattern: /DROP\s+(TABLE|DATABASE)/gi, severity: 70 },
+                { name: "delete_all", pattern: /DELETE\s+FROM\s+\w+\s*(;|$)/gi, severity: 60 },
+                { name: "truncate", pattern: /TRUNCATE\s+TABLE/gi, severity: 65 },
+                { name: "union_injection", pattern: /UNION\s+(ALL\s+)?SELECT/gi, severity: 55 },
+                { name: "comment_injection", pattern: /--\s*$/gm, severity: 30 },
+                { name: "xp_cmdshell", pattern: /xp_cmdshell/gi, severity: 70 },
+                { name: "into_outfile", pattern: /INTO\s+(OUT|DUMP)FILE/gi, severity: 60 },
+                { name: "load_file", pattern: /LOAD_FILE\s*\(/gi, severity: 55 },
+            ],
+        };
+        // Default blocked imports per language
+        this.DEFAULT_BLOCKED_IMPORTS = {
+            javascript: [
+                "child_process",
+                "cluster",
+                "dgram",
+                "dns",
+                "net",
+                "tls",
+                "vm",
+                "worker_threads",
+                "v8",
+                "perf_hooks",
+            ],
+            python: [
+                "subprocess",
+                "os",
+                "sys",
+                "socket",
+                "ctypes",
+                "pickle",
+                "marshal",
+                "multiprocessing",
+                "threading",
+                "_thread",
+            ],
+        };
+        // Default blocked functions
+        this.DEFAULT_BLOCKED_FUNCTIONS = [
+            "eval",
+            "exec",
+            "system",
+            "popen",
+            "spawn",
+            "fork",
+            "execv",
+            "execve",
+            "dlopen",
+            "compile",
+        ];
+        this.config = {
+            allowedLanguages: config.allowedLanguages ?? ["javascript", "python", "sql"],
+            blockedImports: config.blockedImports ?? [],
+            blockedFunctions: config.blockedFunctions ?? this.DEFAULT_BLOCKED_FUNCTIONS,
+            maxCodeLength: config.maxCodeLength ?? 10000,
+            maxExecutionTime: config.maxExecutionTime ?? 5000,
+            allowNetwork: config.allowNetwork ?? false,
+            allowFileSystem: config.allowFileSystem ?? false,
+            allowShell: config.allowShell ?? false,
+            allowEnvAccess: config.allowEnvAccess ?? false,
+            customPatterns: config.customPatterns ?? [],
+            riskThreshold: config.riskThreshold ?? 50,
+        };
+    }
+    /**
+     * Analyze code for dangerous patterns before execution
+     */
+    analyze(code, language, requestId) {
+        const reqId = requestId || `code-${Date.now()}`;
+        const normalizedLang = language.toLowerCase();
+        const violations = [];
+        let riskScore = 0;
+        // Check language allowlist
+        if (!this.config.allowedLanguages.includes(normalizedLang)) {
+            return {
+                allowed: false,
+                reason: `Language '${language}' is not allowed`,
+                violations: ["disallowed_language"],
+                request_id: reqId,
+                code_analysis: {
+                    language: normalizedLang,
+                    length: code.length,
+                    dangerous_imports: [],
+                    dangerous_functions: [],
+                    system_calls: [],
+                    network_access: false,
+                    file_access: false,
+                    shell_access: false,
+                    env_access: false,
+                    risk_score: 100,
+                    complexity_score: 0,
+                },
+                recommendations: [`Use one of: ${this.config.allowedLanguages.join(", ")}`],
+            };
+        }
+        // Check code length
+        if (code.length > this.config.maxCodeLength) {
+            violations.push("code_too_long");
+            riskScore += 20;
+        }
+        // Get language-specific patterns
+        const patterns = [
+            ...(this.DANGEROUS_PATTERNS[normalizedLang] || []),
+            ...this.config.customPatterns,
+        ];
+        // Analyze for dangerous patterns
+        const dangerousImports = [];
+        const dangerousFunctions = [];
+        const systemCalls = [];
+        let networkAccess = false;
+        let fileAccess = false;
+        let shellAccess = false;
+        let envAccess = false;
+        for (const { name, pattern, severity } of patterns) {
+            const matches = code.match(pattern);
+            if (matches) {
+                violations.push(`dangerous_pattern_${name}`);
+                riskScore += severity;
+                // Categorize the pattern
+                if (name.includes("exec") || name.includes("spawn") || name.includes("system") || name.includes("subprocess")) {
+                    shellAccess = true;
+                    systemCalls.push(name);
+                }
+                if (name.includes("fs") || name.includes("file") || name.includes("write")) {
+                    fileAccess = true;
+                }
+                if (name.includes("fetch") || name.includes("socket") || name.includes("request") || name.includes("websocket")) {
+                    networkAccess = true;
+                }
+                if (name.includes("env")) {
+                    envAccess = true;
+                }
+                if (name.includes("import") || name.includes("require")) {
+                    dangerousImports.push(name);
+                }
+                if (name.includes("eval") || name.includes("exec") || name.includes("compile")) {
+                    dangerousFunctions.push(name);
+                }
+            }
+        }
+        // Check blocked imports
+        const blockedImports = [
+            ...this.config.blockedImports,
+            ...(this.DEFAULT_BLOCKED_IMPORTS[normalizedLang] || []),
+        ];
+        for (const blockedImport of blockedImports) {
+            const importPatterns = [
+                new RegExp(`require\\s*\\(\\s*['"]${blockedImport}['"]\\s*\\)`, "g"),
+                new RegExp(`import\\s+.*from\\s+['"]${blockedImport}['"]`, "g"),
+                new RegExp(`import\\s+${blockedImport}`, "g"),
+                new RegExp(`from\\s+${blockedImport}\\s+import`, "g"),
+            ];
+            for (const pattern of importPatterns) {
+                if (pattern.test(code)) {
+                    violations.push(`blocked_import_${blockedImport}`);
+                    dangerousImports.push(blockedImport);
+                    riskScore += 40;
+                }
+            }
+        }
+        // Check blocked functions
+        for (const blockedFunc of this.config.blockedFunctions) {
+            const funcPattern = new RegExp(`\\b${blockedFunc}\\s*\\(`, "g");
+            if (funcPattern.test(code)) {
+                violations.push(`blocked_function_${blockedFunc}`);
+                dangerousFunctions.push(blockedFunc);
+                riskScore += 35;
+            }
+        }
+        // Policy checks
+        if (networkAccess && !this.config.allowNetwork) {
+            violations.push("network_access_denied");
+            riskScore += 30;
+        }
+        if (fileAccess && !this.config.allowFileSystem) {
+            violations.push("filesystem_access_denied");
+            riskScore += 30;
+        }
+        if (shellAccess && !this.config.allowShell) {
+            violations.push("shell_access_denied");
+            riskScore += 40;
+        }
+        if (envAccess && !this.config.allowEnvAccess) {
+            violations.push("env_access_denied");
+            riskScore += 25;
+        }
+        // Calculate complexity (simplified)
+        const complexityScore = this.calculateComplexity(code, normalizedLang);
+        // Cap risk score
+        riskScore = Math.min(100, riskScore);
+        // Decision
+        const blocked = riskScore >= this.config.riskThreshold;
+        const result = {
+            allowed: !blocked,
+            reason: blocked
+                ? `Code blocked: ${violations.slice(0, 3).join(", ")}`
+                : "Code analysis passed",
+            violations,
+            request_id: reqId,
+            code_analysis: {
+                language: normalizedLang,
+                length: code.length,
+                dangerous_imports: [...new Set(dangerousImports)],
+                dangerous_functions: [...new Set(dangerousFunctions)],
+                system_calls: [...new Set(systemCalls)],
+                network_access: networkAccess,
+                file_access: fileAccess,
+                shell_access: shellAccess,
+                env_access: envAccess,
+                risk_score: riskScore,
+                complexity_score: complexityScore,
+            },
+            recommendations: this.generateRecommendations(violations, riskScore),
+        };
+        // If allowed, provide sandbox configuration
+        if (!blocked) {
+            result.sandbox_config = this.generateSandboxConfig(networkAccess, fileAccess, shellAccess, envAccess);
+            // Optionally provide sanitized code
+            if (violations.length > 0) {
+                result.sanitized_code = this.sanitizeCode(code, normalizedLang);
+            }
+        }
+        return result;
+    }
+    /**
+     * Validate code structure (syntax check simulation)
+     */
+    validateSyntax(code, language) {
+        const errors = [];
+        const normalizedLang = language.toLowerCase();
+        // Basic syntax checks (simplified - real implementation would use parsers)
+        switch (normalizedLang) {
+            case "javascript":
+                // Check for unclosed brackets
+                const jsOpenBraces = (code.match(/{/g) || []).length;
+                const jsCloseBraces = (code.match(/}/g) || []).length;
+                if (jsOpenBraces !== jsCloseBraces) {
+                    errors.push("Unbalanced curly braces");
+                }
+                const jsOpenParens = (code.match(/\(/g) || []).length;
+                const jsCloseParens = (code.match(/\)/g) || []).length;
+                if (jsOpenParens !== jsCloseParens) {
+                    errors.push("Unbalanced parentheses");
+                }
+                break;
+            case "python":
+                // Check for unclosed quotes
+                const singleQuotes = (code.match(/'/g) || []).length;
+                const doubleQuotes = (code.match(/"/g) || []).length;
+                const tripleQuotes = (code.match(/'''|"""/g) || []).length;
+                if ((singleQuotes - tripleQuotes * 3) % 2 !== 0) {
+                    errors.push("Unclosed single quotes");
+                }
+                if ((doubleQuotes - tripleQuotes * 3) % 2 !== 0) {
+                    errors.push("Unclosed double quotes");
+                }
+                break;
+            case "sql":
+                // Check for unclosed quotes
+                const sqlSingleQuotes = (code.match(/'/g) || []).length;
+                if (sqlSingleQuotes % 2 !== 0) {
+                    errors.push("Unclosed single quotes in SQL");
+                }
+                break;
+        }
+        return { valid: errors.length === 0, errors };
+    }
+    /**
+     * Generate secure sandbox configuration
+     */
+    generateSandboxConfig(needsNetwork, needsFileSystem, needsShell, needsEnv) {
+        return {
+            timeout: this.config.maxExecutionTime,
+            memoryLimit: 128 * 1024 * 1024, // 128MB
+            allowedSyscalls: this.getAllowedSyscalls(needsNetwork, needsFileSystem, needsShell),
+            networkPolicy: needsNetwork && this.config.allowNetwork ? "localhost" : "none",
+            filesystemPolicy: needsFileSystem && this.config.allowFileSystem ? "temponly" : "none",
+            envVars: needsEnv && this.config.allowEnvAccess
+                ? { NODE_ENV: "sandbox", SANDBOX: "true" }
+                : {},
+        };
+    }
+    /**
+     * Sanitize code by removing dangerous patterns
+     */
+    sanitizeCode(code, language) {
+        let sanitized = code;
+        // Get language patterns
+        const patterns = this.DANGEROUS_PATTERNS[language] || [];
+        // Remove high-severity patterns
+        for (const { pattern, severity } of patterns) {
+            if (severity >= 50) {
+                sanitized = sanitized.replace(pattern, "/* BLOCKED */");
+            }
+        }
+        // Remove blocked imports
+        const blockedImports = [
+            ...this.config.blockedImports,
+            ...(this.DEFAULT_BLOCKED_IMPORTS[language] || []),
+        ];
+        for (const blockedImport of blockedImports) {
+            const importPatterns = [
+                new RegExp(`require\\s*\\(\\s*['"]${blockedImport}['"]\\s*\\)`, "g"),
+                new RegExp(`import\\s+.*from\\s+['"]${blockedImport}['"].*`, "gm"),
+                new RegExp(`import\\s+${blockedImport}.*`, "gm"),
+                new RegExp(`from\\s+${blockedImport}\\s+import.*`, "gm"),
+            ];
+            for (const pattern of importPatterns) {
+                sanitized = sanitized.replace(pattern, "/* BLOCKED_IMPORT */");
+            }
+        }
+        return sanitized;
+    }
+    /**
+     * Get allowed languages
+     */
+    getAllowedLanguages() {
+        return [...this.config.allowedLanguages];
+    }
+    /**
+     * Add custom dangerous pattern
+     */
+    addDangerousPattern(language, name, pattern, severity) {
+        if (!this.DANGEROUS_PATTERNS[language]) {
+            this.DANGEROUS_PATTERNS[language] = [];
+        }
+        this.DANGEROUS_PATTERNS[language].push({ name, pattern, severity });
+    }
+    calculateComplexity(code, language) {
+        let complexity = 0;
+        // Count control structures
+        const controlPatterns = {
+            javascript: /\b(if|else|for|while|switch|try|catch)\b/g,
+            python: /\b(if|elif|else|for|while|try|except|with)\b/g,
+            sql: /\b(CASE|WHEN|IF|WHILE|LOOP)\b/gi,
+        };
+        const pattern = controlPatterns[language];
+        if (pattern) {
+            const matches = code.match(pattern) || [];
+            complexity += matches.length * 5;
+        }
+        // Count function definitions
+        const funcPatterns = {
+            javascript: /\b(function|=>|\basync\b)/g,
+            python: /\bdef\b|\blambda\b/g,
+            sql: /\bCREATE\s+(FUNCTION|PROCEDURE)\b/gi,
+        };
+        const funcPattern = funcPatterns[language];
+        if (funcPattern) {
+            const funcMatches = code.match(funcPattern) || [];
+            complexity += funcMatches.length * 10;
+        }
+        // Line count factor
+        const lines = code.split("\n").length;
+        complexity += Math.min(lines, 100);
+        return Math.min(100, complexity);
+    }
+    getAllowedSyscalls(needsNetwork, needsFileSystem, needsShell) {
+        const base = ["read", "write", "exit", "brk", "mmap", "munmap", "close"];
+        if (needsNetwork && this.config.allowNetwork) {
+            base.push("socket", "connect", "bind", "listen", "accept");
+        }
+        if (needsFileSystem && this.config.allowFileSystem) {
+            base.push("open", "stat", "fstat", "lstat", "access");
+        }
+        // Never allow shell-related syscalls even if configured
+        // This is a security-critical restriction
+        // Shell access should be handled differently (e.g., via approved commands only)
+        return base;
+    }
+    generateRecommendations(violations, riskScore) {
+        const recommendations = [];
+        if (violations.some((v) => v.includes("import"))) {
+            recommendations.push("Remove or replace blocked imports with safe alternatives");
+        }
+        if (violations.some((v) => v.includes("eval") || v.includes("exec"))) {
+            recommendations.push("Avoid dynamic code execution - use static alternatives");
+        }
+        if (violations.some((v) => v.includes("network"))) {
+            recommendations.push("Remove network access or use approved endpoints only");
+        }
+        if (violations.some((v) => v.includes("filesystem"))) {
+            recommendations.push("Use temporary directories or remove file operations");
+        }
+        if (violations.some((v) => v.includes("shell"))) {
+            recommendations.push("Shell access is not permitted - use language-native alternatives");
+        }
+        if (riskScore >= 70) {
+            recommendations.push("Code requires significant review before execution");
+        }
+        if (recommendations.length === 0) {
+            recommendations.push("Code passed security analysis");
+        }
+        return recommendations;
+    }
+}
+exports.CodeExecutionGuard = CodeExecutionGuard;
+//# sourceMappingURL=code-execution-guard.js.map

package/dist/guards/code-execution-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"code-execution-guard.js","sourceRoot":"","sources":["../../src/guards/code-execution-guard.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;GAiBG;;;AA2DH,MAAa,kBAAkB;IAsG7B,YAAY,SAAmC,EAAE;QAnGjD,uCAAuC;QACtB,uBAAkB,GAA+E;YAChH,UAAU,EAAE;gBACV,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACvD,EAAE,IAAI,EAAE,sBAAsB,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC/E,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,4CAA4C,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC9F,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,yCAAyC,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAClF,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,2DAA2D,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACxG,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC/D,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC3E,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,iCAAiC,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC/E,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,4CAA4C,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC/F,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACrE,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,oDAAoD,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC5G,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,4BAA4B,EAAE,QAAQ,EAAE,EAAE,EAAE;aAC/E;YACD,MAAM,EAAE;gBACN,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACvD,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACvD,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,iBAAiB,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC7D,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,wCAAwC,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACvF,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,0BAA0B,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACxE,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,iCAAiC,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC/E,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,gCAAgC,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC3E,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,iCAAiC,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC5E,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,gCAAgC,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC3E,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,0BAA0B,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACvE,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,0BAA0B,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACzE,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,uCAAuC,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACpF,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,iCAAiC,EAAE,QAAQ,EAAE,EAAE,EAAE;aACtF;YACD,IAAI,EAAE;gBACJ,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,2BAA2B,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACrE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACrD,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,yBAAyB,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACvE,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,yBAAyB,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC1E,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACrD,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,wBAAwB,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACrE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,yBAAyB,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACnE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACvD,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACrD,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC7D,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,0BAA0B,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC5E,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,EAAE,EAAE;aACjE;YACD,GAAG,EAAE;gBACH,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,2BAA2B,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC1E,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,+BAA+B,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC9E,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,oBAAoB,EAAE,QAAQ,EAAE,EAAE,EAAE;gBACjE,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,2BAA2B,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC/E,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAChE,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC/D,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,yBAAyB,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAC1E,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,EAAE,EAAE;aACjE;SACF,CAAC;QAEF,uCAAuC;QACtB,4BAAuB,GAA6B;YACnE,UAAU,EAAE;gBACV,eAAe;gBACf,SAAS;gBACT,OAAO;gBACP,KAAK;gBACL,KAAK;gBACL,KAAK;gBACL,IAAI;gBACJ,gBAAgB;gBAChB,IAAI;gBACJ,YAAY;aACb;YACD,MAAM,EAAE;gBACN,YAAY;gBACZ,IAAI;gBACJ,KAAK;gBACL,QAAQ;gBACR,QAAQ;gBACR,QAAQ;gBACR,SAAS;gBACT,iBAAiB;gBACjB,WAAW;gBACX,SAAS;aACV;SACF,CAAC;QAEF,4BAA4B;QACX,8BAAyB,GAAG;YAC3C,MAAM;YACN,MAAM;YACN,QAAQ;YACR,OAAO;YACP,OAAO;YACP,MAAM;YACN,OAAO;YACP,QAAQ;YACR,QAAQ;YACR,SAAS;SACV,CAAC;QAGA,IAAI,CAAC,MAAM,GAAG;YACZ,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,KAAK,CAAC;YAC5E,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,EAAE;YAC3C,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,IAAI,CAAC,yBAAyB;YAC3E,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,KAAK;YAC5C,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,IAAI;YACjD,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,KAAK;YAC1C,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,KAAK;YAChD,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,KAAK;YACtC,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,KAAK;YAC9C,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,EAAE;YAC3C,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;SAC1C,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,OAAO,CACL,IAAY,EACZ,QAAgB,EAChB,SAAkB;QAElB,MAAM,KAAK,GAAG,SAAS,IAAI,QAAQ,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAChD,MAAM,cAAc,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC9C,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,IAAI,SAAS,GAAG,CAAC,CAAC;QAElB,2BAA2B;QAC3B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YAC3D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,aAAa,QAAQ,kBAAkB;gBAC/C,UAAU,EAAE,CAAC,qBAAqB,CAAC;gBACnC,UAAU,EAAE,KAAK;gBACjB,aAAa,EAAE;oBACb,QAAQ,EAAE,cAAc;oBACxB,MAAM,EAAE,IAAI,CAAC,MAAM;oBACnB,iBAAiB,EAAE,EAAE;oBACrB,mBAAmB,EAAE,EAAE;oBACvB,YAAY,EAAE,EAAE;oBAChB,cAAc,EAAE,KAAK;oBACrB,WAAW,EAAE,KAAK;oBAClB,YAAY,EAAE,KAAK;oBACnB,UAAU,EAAE,KAAK;oBACjB,UAAU,EAAE,GAAG;oBACf,gBAAgB,EAAE,CAAC;iBACpB;gBACD,eAAe,EAAE,CAAC,eAAe,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;aAC5E,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,IAAI,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC5C,UAAU,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACjC,SAAS,IAAI,EAAE,CAAC;QAClB,CAAC;QAED,iCAAiC;QACjC,MAAM,QAAQ,GAAG;YACf,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;YAClD,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc;SAC9B,CAAC;QAEF,iCAAiC;QACjC,MAAM,gBAAgB,GAAa,EAAE,CAAC;QACtC,MAAM,kBAAkB,GAAa,EAAE,CAAC;QACxC,MAAM,WAAW,GAAa,EAAE,CAAC;QACjC,IAAI,aAAa,GAAG,KAAK,CAAC;QAC1B,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,IAAI,WAAW,GAAG,KAAK,CAAC;QACxB,IAAI,SAAS,GAAG,KAAK,CAAC;QAEtB,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;YACnD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACpC,IAAI,OAAO,EAAE,CAAC;gBACZ,UAAU,CAAC,IAAI,CAAC,qBAAqB,IAAI,EAAE,CAAC,CAAC;gBAC7C,SAAS,IAAI,QAAQ,CAAC;gBAEtB,yBAAyB;gBACzB,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;oBAC9G,WAAW,GAAG,IAAI,CAAC;oBACnB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACzB,CAAC;gBACD,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC3E,UAAU,GAAG,IAAI,CAAC;gBACpB,CAAC;gBACD,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;oBAChH,aAAa,GAAG,IAAI,CAAC;gBACvB,CAAC;gBACD,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;oBACzB,SAAS,GAAG,IAAI,CAAC;gBACnB,CAAC;gBACD,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;oBACxD,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC9B,CAAC;gBACD,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;oBAC/E,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;QAED,wBAAwB;QACxB,MAAM,cAAc,GAAG;YACrB,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc;YAC7B,GAAG,CAAC,IAAI,CAAC,uBAAuB,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;SACxD,CAAC;QAEF,KAAK,MAAM,aAAa,IAAI,cAAc,EAAE,CAAC;YAC3C,MAAM,cAAc,GAAG;gBACrB,IAAI,MAAM,CAAC,yBAAyB,aAAa,aAAa,EAAE,GAAG,CAAC;gBACpE,IAAI,MAAM,CAAC,2BAA2B,aAAa,MAAM,EAAE,GAAG,CAAC;gBAC/D,IAAI,MAAM,CAAC,aAAa,aAAa,EAAE,EAAE,GAAG,CAAC;gBAC7C,IAAI,MAAM,CAAC,WAAW,aAAa,YAAY,EAAE,GAAG,CAAC;aACtD,CAAC;YAEF,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;gBACrC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,UAAU,CAAC,IAAI,CAAC,kBAAkB,aAAa,EAAE,CAAC,CAAC;oBACnD,gBAAgB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;oBACrC,SAAS,IAAI,EAAE,CAAC;gBAClB,CAAC;YACH,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,KAAK,MAAM,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;YACvD,MAAM,WAAW,GAAG,IAAI,MAAM,CAAC,MAAM,WAAW,SAAS,EAAE,GAAG,CAAC,CAAC;YAChE,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC3B,UAAU,CAAC,IAAI,CAAC,oBAAoB,WAAW,EAAE,CAAC,CAAC;gBACnD,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;gBACrC,SAAS,IAAI,EAAE,CAAC;YAClB,CAAC;QACH,CAAC;QAED,gBAAgB;QAChB,IAAI,aAAa,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YAC/C,UAAU,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACzC,SAAS,IAAI,EAAE,CAAC;QAClB,CAAC;QACD,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;YAC/C,UAAU,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YAC5C,SAAS,IAAI,EAAE,CAAC;QAClB,CAAC;QACD,IAAI,WAAW,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YAC3C,UAAU,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;YACvC,SAAS,IAAI,EAAE,CAAC;QAClB,CAAC;QACD,IAAI,SAAS,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAC7C,UAAU,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;YACrC,SAAS,IAAI,EAAE,CAAC;QAClB,CAAC;QAED,oCAAoC;QACpC,MAAM,eAAe,GAAG,IAAI,CAAC,mBAAmB,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;QAEvE,iBAAiB;QACjB,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAErC,WAAW;QACX,MAAM,OAAO,GAAG,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;QAEvD,MAAM,MAAM,GAAuB;YACjC,OAAO,EAAE,CAAC,OAAO;YACjB,MAAM,EAAE,OAAO;gBACb,CAAC,CAAC,iBAAiB,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBACtD,CAAC,CAAC,sBAAsB;YAC1B,UAAU;YACV,UAAU,EAAE,KAAK;YACjB,aAAa,EAAE;gBACb,QAAQ,EAAE,cAAc;gBACxB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,iBAAiB,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,gBAAgB,CAAC,CAAC;gBACjD,mBAAmB,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,kBAAkB,CAAC,CAAC;gBACrD,YAAY,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;gBACvC,cAAc,EAAE,aAAa;gBAC7B,WAAW,EAAE,UAAU;gBACvB,YAAY,EAAE,WAAW;gBACzB,UAAU,EAAE,SAAS;gBACrB,UAAU,EAAE,SAAS;gBACrB,gBAAgB,EAAE,eAAe;aAClC;YACD,eAAe,EAAE,IAAI,CAAC,uBAAuB,CAAC,UAAU,EAAE,SAAS,CAAC;SACrE,CAAC;QAEF,4CAA4C;QAC5C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,qBAAqB,CAChD,aAAa,EACb,UAAU,EACV,WAAW,EACX,SAAS,CACV,CAAC;YAEF,oCAAoC;YACpC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1B,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;YAClE,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,IAAY,EAAE,QAAgB;QAC3C,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,MAAM,cAAc,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;QAE9C,2EAA2E;QAC3E,QAAQ,cAAc,EAAE,CAAC;YACvB,KAAK,YAAY;gBACf,8BAA8B;gBAC9B,MAAM,YAAY,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACrD,MAAM,aAAa,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACtD,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;oBACnC,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;gBACzC,CAAC;gBAED,MAAM,YAAY,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACtD,MAAM,aAAa,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACvD,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;oBACnC,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;gBACxC,CAAC;gBACD,MAAM;YAER,KAAK,QAAQ;gBACX,4BAA4B;gBAC5B,MAAM,YAAY,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACrD,MAAM,YAAY,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACrD,MAAM,YAAY,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBAE3D,IAAI,CAAC,YAAY,GAAG,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;oBAChD,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;gBACxC,CAAC;gBACD,IAAI,CAAC,YAAY,GAAG,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;oBAChD,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;gBACxC,CAAC;gBACD,MAAM;YAER,KAAK,KAAK;gBACR,4BAA4B;gBAC5B,MAAM,eAAe,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACxD,IAAI,eAAe,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC9B,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;gBAC/C,CAAC;gBACD,MAAM;QACV,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IAChD,CAAC;IAED;;OAEG;IACH,qBAAqB,CACnB,YAAqB,EACrB,eAAwB,EACxB,UAAmB,EACnB,QAAiB;QAEjB,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,gBAAgB;YACrC,WAAW,EAAE,GAAG,GAAG,IAAI,GAAG,IAAI,EAAE,QAAQ;YACxC,eAAe,EAAE,IAAI,CAAC,kBAAkB,CAAC,YAAY,EAAE,eAAe,EAAE,UAAU,CAAC;YACnF,aAAa,EAAE,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM;YAC9E,gBAAgB,EAAE,eAAe,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM;YACtF,OAAO,EAAE,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc;gBAC7C,CAAC,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE;gBAC1C,CAAC,CAAC,EAAE;SACP,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,IAAY,EAAE,QAAgB;QACzC,IAAI,SAAS,GAAG,IAAI,CAAC;QAErB,wBAAwB;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEzD,gCAAgC;QAChC,KAAK,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;YAC7C,IAAI,QAAQ,IAAI,EAAE,EAAE,CAAC;gBACnB,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;QAED,yBAAyB;QACzB,MAAM,cAAc,GAAG;YACrB,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc;YAC7B,GAAG,CAAC,IAAI,CAAC,uBAAuB,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;SAClD,CAAC;QAEF,KAAK,MAAM,aAAa,IAAI,cAAc,EAAE,CAAC;YAC3C,MAAM,cAAc,GAAG;gBACrB,IAAI,MAAM,CAAC,yBAAyB,aAAa,aAAa,EAAE,GAAG,CAAC;gBACpE,IAAI,MAAM,CAAC,2BAA2B,aAAa,QAAQ,EAAE,IAAI,CAAC;gBAClE,IAAI,MAAM,CAAC,aAAa,aAAa,IAAI,EAAE,IAAI,CAAC;gBAChD,IAAI,MAAM,CAAC,WAAW,aAAa,cAAc,EAAE,IAAI,CAAC;aACzD,CAAC;YAEF,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;gBACrC,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,sBAAsB,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,mBAAmB;QACjB,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,mBAAmB,CACjB,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAgB;QAEhB,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvC,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;QACzC,CAAC;QACD,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAC;IACtE,CAAC;IAEO,mBAAmB,CAAC,IAAY,EAAE,QAAgB;QACxD,IAAI,UAAU,GAAG,CAAC,CAAC;QAEnB,2BAA2B;QAC3B,MAAM,eAAe,GAAG;YACtB,UAAU,EAAE,2CAA2C;YACvD,MAAM,EAAE,+CAA+C;YACvD,GAAG,EAAE,iCAAiC;SACvC,CAAC;QAEF,MAAM,OAAO,GAAG,eAAe,CAAC,QAAwC,CAAC,CAAC;QAC1E,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAC1C,UAAU,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;QACnC,CAAC;QAED,6BAA6B;QAC7B,MAAM,YAAY,GAAG;YACnB,UAAU,EAAE,4BAA4B;YACxC,MAAM,EAAE,qBAAqB;YAC7B,GAAG,EAAE,qCAAqC;SAC3C,CAAC;QAEF,MAAM,WAAW,GAAG,YAAY,CAAC,QAAqC,CAAC,CAAC;QACxE,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;YAClD,UAAU,IAAI,WAAW,CAAC,MAAM,GAAG,EAAE,CAAC;QACxC,CAAC;QAED,oBAAoB;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;QACtC,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAEnC,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACnC,CAAC;IAEO,kBAAkB,CACxB,YAAqB,EACrB,eAAwB,EACxB,UAAmB;QAEnB,MAAM,IAAI,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAEzE,IAAI,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YAC7C,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,eAAe,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;YACnD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QACxD,CAAC;QAED,wDAAwD;QACxD,0CAA0C;QAC1C,gFAAgF;QAEhF,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,uBAAuB,CAAC,UAAoB,EAAE,SAAiB;QACrE,MAAM,eAAe,GAAa,EAAE,CAAC;QAErC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACjD,eAAe,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;QACnF,CAAC;QACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;YACrE,eAAe,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;QACjF,CAAC;QACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YAClD,eAAe,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAC/E,CAAC;QACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;YACrD,eAAe,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;QAC9E,CAAC;QACD,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YAChD,eAAe,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;QAC3F,CAAC;QACD,IAAI,SAAS,IAAI,EAAE,EAAE,CAAC;YACpB,eAAe,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;QAC5E,CAAC;QAED,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,eAAe,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACxD,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;CACF;AA3gBD,gDA2gBC"}

package/dist/guards/conversation-guard.d.ts

@@ -0,0 +1,73 @@
+/**
+ * ConversationGuard
+ *
+ * Detects and prevents multi-turn manipulation attacks by:
+ * - Tracking conversation history patterns
+ * - Detecting gradual privilege escalation attempts
+ * - Identifying context manipulation across turns
+ * - Blocking suspicious conversation trajectories
+ */
+export interface ConversationGuardConfig {
+    maxConversationLength?: number;
+    conversationTTLMinutes?: number;
+    escalationThreshold?: number;
+    manipulationPatterns?: ManipulationPattern[];
+    detectToneShifts?: boolean;
+    detectRoleConfusion?: boolean;
+    detectInstructionOverride?: boolean;
+}
+export interface ManipulationPattern {
+    name: string;
+    pattern: RegExp;
+    weight: number;
+    category: "escalation" | "confusion" | "override" | "extraction";
+}
+export interface ConversationGuardResult {
+    allowed: boolean;
+    reason?: string;
+    violations: string[];
+    risk_score: number;
+    risk_factors: RiskFactor[];
+    conversation_analysis: {
+        turn_count: number;
+        escalation_attempts: number;
+        manipulation_indicators: number;
+        suspicious_patterns: string[];
+    };
+}
+export interface RiskFactor {
+    factor: string;
+    weight: number;
+    details: string;
+}
+export declare class ConversationGuard {
+    private config;
+    private sessions;
+    private defaultManipulationPatterns;
+    constructor(config?: ConversationGuardConfig);
+    /**
+     * Analyze a new user message in context of the conversation
+     */
+    check(sessionId: string, userMessage: string, toolCalls?: string[], claimedRole?: string, requestId?: string): ConversationGuardResult;
+    /**
+     * Record assistant response (for complete conversation tracking)
+     */
+    recordResponse(sessionId: string, response: string, toolCalls?: string[]): void;
+    /**
+     * Get session analysis
+     */
+    getSessionAnalysis(sessionId: string): {
+        turn_count: number;
+        escalation_attempts: number;
+        manipulation_indicators: number;
+        claimed_roles: string[];
+        session_age_minutes: number;
+    } | null;
+    /**
+     * Reset a session
+     */
+    resetSession(sessionId: string): void;
+    private getOrCreateSession;
+    private cleanupSessions;
+}
+//# sourceMappingURL=conversation-guard.d.ts.map

package/dist/guards/conversation-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"conversation-guard.d.ts","sourceRoot":"","sources":["../../src/guards/conversation-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,WAAW,uBAAuB;IAEtC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,oBAAoB,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAE7C,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,yBAAyB,CAAC,EAAE,OAAO,CAAC;CACrC;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,YAAY,GAAG,WAAW,GAAG,UAAU,GAAG,YAAY,CAAC;CAClE;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,UAAU,EAAE,CAAC;IAC3B,qBAAqB,EAAE;QACrB,UAAU,EAAE,MAAM,CAAC;QACnB,mBAAmB,EAAE,MAAM,CAAC;QAC5B,uBAAuB,EAAE,MAAM,CAAC;QAChC,mBAAmB,EAAE,MAAM,EAAE,CAAC;KAC/B,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAoBD,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,QAAQ,CAA+C;IAE/D,OAAO,CAAC,2BAA2B,CAuEjC;gBAEU,MAAM,GAAE,uBAA4B;IAehD;;OAEG;IACH,KAAK,CACH,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,SAAS,CAAC,EAAE,MAAM,EAAE,EACpB,WAAW,CAAC,EAAE,MAAM,EACpB,SAAS,GAAE,MAAW,GACrB,uBAAuB;IA0I1B;;OAEG;IACH,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,EAAE,GAAG,IAAI;IAa/E;;OAEG;IACH,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG;QACrC,UAAU,EAAE,MAAM,CAAC;QACnB,mBAAmB,EAAE,MAAM,CAAC;QAC5B,uBAAuB,EAAE,MAAM,CAAC;QAChC,aAAa,EAAE,MAAM,EAAE,CAAC;QACxB,mBAAmB,EAAE,MAAM,CAAC;KAC7B,GAAG,IAAI;IAaR;;OAEG;IACH,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAIrC,OAAO,CAAC,kBAAkB;IAc1B,OAAO,CAAC,eAAe;CAUxB"}