narai-primitives 2.0.0-rc.1

package/dist/connectors/db/lib/policy.js

@@ -0,0 +1,581 @@
+/**
+ * policy.ts — Guard-rail mechanism for SQL query authorization.
+ *
+ * Classifies SQL statements and enforces approval policies before execution.
+ *
+ * Parity notes vs. the Python reference (`policy.py`):
+ *  - `Decision` is a string-literal union (not an enum) so JSON output is the
+ *    lowercase wire value directly: `"allow" | "deny" | "escalate" |
+ *    "present_only"`. Python's `Enum` values serialize the same.
+ *  - `PolicyResult` is a discriminated union on `decision`; `formatted_sql`
+ *    exists ONLY on the `present_only` branch, matching Python's behaviour
+ *    where the field is populated just for write/delete/admin (was DML).
+ *  - Default-deny on unknown first-words: the classifier falls through to
+ *    `"admin"` (the most restrictive category) for anything not in the known
+ *    keyword sets. Python's reference fell through to `"ddl"`; the V2.0
+ *    rename moves DDL→ADMIN but the safety floor is unchanged.
+ *
+ * G-DB-1: the SQL keyword classifier is exported as a top-level
+ * `classifySqlKeywords` so non-relational drivers (MongoDB, DynamoDB) can
+ * provide their own override via the `DatabaseDriver.classifyOperation`
+ * method without going through the SQL keyword path. Policy.checkQuery
+ * accepts an optional driver and dispatches accordingly.
+ */
+import { performance } from "node:perf_hooks";
+import { logEvent, scrubSqlSecrets } from "./audit.js";
+import { DEFAULT_POLICY } from "./plugin_config.js";
+/** Namespace providing Python-style attribute access (`Decision.ALLOW`). */
+export const Decision = {
+    ALLOW: "allow",
+    DENY: "deny",
+    ESCALATE: "escalate",
+    PRESENT_ONLY: "present_only",
+};
+/** Namespace mirroring Python's `OperationType.READ` etc. */
+export const OperationType = {
+    READ: "read",
+    WRITE: "write",
+    DELETE: "delete",
+    ADMIN: "admin",
+    PRIVILEGE: "privilege",
+};
+/**
+ * Decision strictness rank. When a compound statement has multiple per-statement
+ * decisions, the combined result is the one with the highest rank (deny beats
+ * escalate beats present_only beats allow). Ties break by first occurrence so
+ * the reported reason points at the earliest offending statement.
+ */
+const _DECISION_RANK = {
+    allow: 0,
+    present_only: 1,
+    escalate: 2,
+    deny: 3,
+};
+// -----------------------------------------------------------------------
+// Keyword -> OperationType mapping (V2.0 vocab)
+// -----------------------------------------------------------------------
+const _READ_KEYWORDS = new Set([
+    "SELECT", "EXPLAIN", "SHOW", "DESCRIBE", "DESC", "WITH",
+]);
+const _WRITE_KEYWORDS = new Set([
+    "INSERT", "UPDATE", "REPLACE", "MERGE", "UPSERT",
+]);
+const _DELETE_KEYWORDS = new Set([
+    "DELETE", "TRUNCATE",
+]);
+const _ADMIN_KEYWORDS = new Set([
+    "CREATE", "DROP", "ALTER", "RENAME",
+]);
+const _PRIVILEGE_KEYWORDS = new Set([
+    "GRANT", "REVOKE",
+]);
+/**
+ * Classify a SQL string by its leading keyword.
+ *
+ * Exported so SQL drivers (sqlite, postgres, mysql, mssql) can implement
+ * `DatabaseDriver.classifyOperation` without instantiating a Policy. Throws
+ * `Error("Empty SQL statement")` for empty/whitespace-only input.
+ *
+ * Default-deny: any unknown first-word falls through to `ADMIN` (most
+ * restrictive), matching `policy.py`'s safety-floor intent.
+ */
+export function classifySqlKeywords(sql) {
+    const cleaned = Policy._stripComments(sql).trim();
+    if (!cleaned) {
+        throw new Error("Empty SQL statement");
+    }
+    const firstToken = cleaned.split(/\s+/)[0] ?? "";
+    const firstWord = firstToken.toUpperCase();
+    if (_PRIVILEGE_KEYWORDS.has(firstWord))
+        return OperationType.PRIVILEGE;
+    if (_ADMIN_KEYWORDS.has(firstWord))
+        return OperationType.ADMIN;
+    if (_DELETE_KEYWORDS.has(firstWord))
+        return OperationType.DELETE;
+    if (_WRITE_KEYWORDS.has(firstWord))
+        return OperationType.WRITE;
+    if (_READ_KEYWORDS.has(firstWord))
+        return OperationType.READ;
+    return OperationType.ADMIN;
+}
+/**
+ * Split SQL on statement-terminating semicolons, respecting single- and double-
+ * quoted string literals. Comments are stripped first, so line and block
+ * comments cannot hide a semicolon.
+ *
+ * Returns trimmed, non-empty statements. An input with a single trailing
+ * semicolon returns one statement. Edge cases: `''` escaped quotes inside a
+ * single-quoted literal work by accident of toggle semantics (exit + re-enter
+ * with nothing in between). NOT handled: PostgreSQL dollar-quoted strings
+ * (`$tag$...$tag$`) and backtick-quoted identifiers — tolerably over-split
+ * rather than under-split, which is the right bias for a safety gate.
+ */
+function _splitStatements(sql) {
+    const cleaned = Policy._stripComments(sql);
+    const out = [];
+    let start = 0;
+    let inSingle = false;
+    let inDouble = false;
+    for (let i = 0; i < cleaned.length; i++) {
+        const c = cleaned[i];
+        if (c === "'" && !inDouble)
+            inSingle = !inSingle;
+        else if (c === '"' && !inSingle)
+            inDouble = !inDouble;
+        else if (c === ";" && !inSingle && !inDouble) {
+            const s = cleaned.slice(start, i).trim();
+            if (s)
+                out.push(s);
+            start = i + 1;
+        }
+    }
+    const tail = cleaned.slice(start).trim();
+    if (tail)
+        out.push(tail);
+    return out;
+}
+/**
+ * Classify every statement in a compound SQL string. Comments are stripped,
+ * then the input is split on semicolons (outside quoted literals). Each
+ * non-empty statement is classified via `classifySqlKeywords`. Throws
+ * `"Empty SQL statement"` when the result would be zero statements — same
+ * contract as `classifySqlKeywords` on empty input.
+ *
+ * The CLI pre-check and `Policy.checkQuery` both use this so that a compound
+ * like `SELECT 1; DROP TABLE users;` is classified as [READ, ADMIN] and the
+ * strictest rule (under V2.0 default `admin: present` → present_only) wins.
+ * A compound of all reads classifies as [READ, READ, ...] and the aggregate
+ * decision is allow.
+ */
+export function classifyStatements(sql) {
+    const stmts = _splitStatements(sql);
+    if (stmts.length === 0) {
+        throw new Error("Empty SQL statement");
+    }
+    return stmts.map((s) => classifySqlKeywords(s));
+}
+// Regex to strip SQL line comments (-- ...) and block comments (/* ... */)
+const _LINE_COMMENT_RE = /--[^\n]*/g;
+// Python uses re.DOTALL so `.` matches newlines; in JS use the `s` flag.
+const _BLOCK_COMMENT_RE = /\/\*.*?\*\//gs;
+/**
+ * Heuristic: a SELECT is "unbounded" if it reads from a table but has
+ * no WHERE, LIMIT, JOIN, or specific id filter.
+ *
+ * Python uses `re.IGNORECASE | re.DOTALL`; in JS we emulate with `is` flags.
+ */
+const _UNBOUNDED_RE = /^\s*SELECT\s+.*\bFROM\s+\w+/is;
+// G-POLICY-CROSSJOIN: require JOIN ... ON so CROSS JOIN (which has no
+// join predicate and explodes rows) does not count as bounded. Bare
+// JOIN USING (…) also falls through to escalate — safe direction.
+const _BOUNDED_KEYWORDS_RE = /\b(WHERE|LIMIT|OFFSET|HAVING|GROUP\s+BY|JOIN\s+\S+\s+ON)\b/i;
+const _VALID_APPROVAL_MODES = new Set([
+    "auto", "confirm_once", "confirm_each", "grant_required",
+]);
+/**
+ * Stateful policy engine that gates SQL execution.
+ *
+ * Parameters
+ * ----------
+ * approvalMode : string
+ *     One of: auto, confirm_once, confirm_each, grant_required.
+ */
+export class Policy {
+    _approval_mode;
+    _rules;
+    _session_approved;
+    _grants; // grant_type -> expiry (ms, performance.now())
+    // G-DB-AUDIT: grant_types that have already had a `grant_expired` event
+    // emitted (de-dupes spam from repeated isGrantActive polling).
+    _expired_logged;
+    constructor(approvalMode = "auto", rules = DEFAULT_POLICY) {
+        if (!_VALID_APPROVAL_MODES.has(approvalMode)) {
+            // Match Python repr(): single-quoted string.
+            throw new Error(`Unknown approval_mode: '${approvalMode}'`);
+        }
+        this._approval_mode = approvalMode;
+        this._rules = rules;
+        this._session_approved = false;
+        this._grants = new Map();
+        this._expired_logged = new Set();
+    }
+    // ------------------------------------------------------------------
+    // SQL classification
+    // ------------------------------------------------------------------
+    /** Remove SQL comments from the statement. */
+    static _stripComments(sql) {
+        let s = sql.replace(_BLOCK_COMMENT_RE, "");
+        s = s.replace(_LINE_COMMENT_RE, "");
+        return s.trim();
+    }
+    /** Determine the OperationType of a raw SQL string. */
+    classifySql(sql) {
+        return classifySqlKeywords(sql);
+    }
+    // ------------------------------------------------------------------
+    // Unbounded query heuristic
+    // ------------------------------------------------------------------
+    /** Return true if the SELECT appears to lack a bounding clause. */
+    static _isUnboundedSelect(sql) {
+        if (!_UNBOUNDED_RE.test(sql))
+            return false;
+        return !_BOUNDED_KEYWORDS_RE.test(sql);
+    }
+    // ------------------------------------------------------------------
+    // Decision logic
+    // ------------------------------------------------------------------
+    /**
+     * Evaluate whether `sql` should be executed under current policy.
+     *
+     * G-DB-1: when `driver` is supplied, classification is delegated to
+     * `driver.classifyOperation()`. This lets non-relational drivers
+     * (MongoDB, DynamoDB) classify their JSON envelope queries instead of
+     * falling through SQL keyword matching (which would default to ADMIN).
+     *
+     * G-DB-AUDIT: every `deny` decision is emitted as a `policy_deny` event
+     * via `audit.logEvent`. The audit module no-ops when audit is disabled.
+     */
+    checkQuery(sql, driver) {
+        const stripped = sql.trim();
+        if (!stripped) {
+            const result = { decision: "deny", reason: "Empty SQL statement" };
+            _emitDeny(result.reason, null);
+            return result;
+        }
+        // Non-SQL drivers (MongoDB, DynamoDB) receive JSON envelopes — semicolon
+        // splitting would corrupt them. Stay on the single-statement path and
+        // trust the driver's own classifier for those.
+        if (driver !== undefined) {
+            return this._checkSingleStatement(stripped, driver);
+        }
+        // SQL path: split on statement terminators, classify each, combine via
+        // strictest-wins (deny > escalate > present_only > allow). A compound of
+        // all-allowed statements stays allowed.
+        let classifications;
+        try {
+            classifications = classifyStatements(stripped);
+        }
+        catch (exc) {
+            const reason = exc.message;
+            _emitDeny(reason, null);
+            return { decision: "deny", reason };
+        }
+        const statements = _splitStatements(stripped);
+        const perStmt = [];
+        for (let i = 0; i < statements.length; i++) {
+            const stmt = statements[i];
+            const op = classifications[i];
+            perStmt.push({ stmt, op, result: this._decideOne(stmt, op) });
+        }
+        // Pick the strictest decision; break ties by first occurrence so the
+        // reason and op reflect the earliest culprit (predictable messaging).
+        let winner = perStmt[0];
+        for (const entry of perStmt.slice(1)) {
+            if (_DECISION_RANK[entry.result.decision] > _DECISION_RANK[winner.result.decision]) {
+                winner = entry;
+            }
+        }
+        // For a present_only compound, substitute the formatted whole-compound so
+        // the human who runs it manually gets every statement, not just the
+        // write/delete/admin half.
+        let final = winner.result;
+        if (statements.length > 1 && final.decision === "present_only") {
+            const combined = perStmt.map((e) => _formatStatement(e.stmt)).join("; ") + ";";
+            final = { ...final, formatted_sql: combined };
+        }
+        // Emit one audit event for the combined decision. Tagging with the
+        // winner's op makes the event legible ("policy_deny op=admin because an
+        // ADMIN statement was present") without flooding the log with per-stmt
+        // entries for every compound query.
+        if (final.decision === "deny") {
+            _emitDeny(final.reason, winner.op);
+        }
+        else if (final.decision === "escalate") {
+            _emitEscalate(final.reason, winner.op);
+        }
+        else if (final.decision === "present_only") {
+            _emitPresentOnly(final.reason, winner.op, final.formatted_sql);
+        }
+        else if (winner.op !== OperationType.READ) {
+            // READ allow is deliberately not audited (matches prior behavior);
+            // write/delete allow is, so symmetry with present_only/deny holds.
+            _emitAllow(winner.op);
+        }
+        return final;
+    }
+    /**
+     * Single-statement decision path. Factored out so compound handling can
+     * call it per sub-statement without emitting audit events (those are
+     * consolidated into one emission after combining). Compatible with the
+     * driver-provided path: when a non-SQL driver supplies its own
+     * `classifyOperation`, the whole query string flows through here.
+     */
+    _decideOne(stmt, op) {
+        const rule = this._rules[op];
+        if (rule === "deny") {
+            return { decision: "deny", reason: _denyReason(op) };
+        }
+        if (rule === "escalate") {
+            return { decision: "escalate", reason: _escalateReason(op) };
+        }
+        if (rule === "present") {
+            const formatted = _formatStatement(stmt);
+            return { decision: "present_only", reason: _presentReason(op), formatted_sql: formatted };
+        }
+        // rule === "allow"
+        if (op === OperationType.READ) {
+            return this._checkRead(stmt);
+        }
+        // Config validation prevents "allow" from reaching ADMIN/PRIVILEGE; only
+        // WRITE/DELETE remain.
+        return { decision: "allow", reason: `${op.toUpperCase()} allowed by policy` };
+    }
+    /**
+     * Driver-provided path: the caller owns classification (possibly via a
+     * JSON envelope for MongoDB/DynamoDB). Emits the audit event itself since
+     * we're not aggregating across multiple sub-statements here.
+     */
+    _checkSingleStatement(stmt, driver) {
+        let op;
+        try {
+            op = driver.classifyOperation(stmt);
+        }
+        catch (exc) {
+            const reason = exc.message;
+            _emitDeny(reason, null);
+            return { decision: "deny", reason };
+        }
+        const result = this._decideOne(stmt, op);
+        if (result.decision === "deny")
+            _emitDeny(result.reason, op);
+        else if (result.decision === "escalate")
+            _emitEscalate(result.reason, op);
+        else if (result.decision === "present_only")
+            _emitPresentOnly(result.reason, op, result.formatted_sql);
+        else if (op !== OperationType.READ)
+            _emitAllow(op);
+        return result;
+    }
+    /** Apply approval-mode logic for READ operations. */
+    _checkRead(sql) {
+        // Unbounded safety check — operator can opt out via
+        // policy.unbounded_select: 'allow' (default 'escalate').
+        if (this._rules.unbounded_select !== "allow" &&
+            Policy._isUnboundedSelect(sql)) {
+            return {
+                decision: "escalate",
+                reason: "Unbounded SELECT detected -- add WHERE or LIMIT",
+            };
+        }
+        const mode = this._approval_mode;
+        if (mode === "auto") {
+            return { decision: "allow", reason: "auto-approved" };
+        }
+        if (mode === "confirm_once") {
+            if (this._session_approved) {
+                return { decision: "allow", reason: "session approved" };
+            }
+            return {
+                decision: "escalate",
+                reason: "First read requires confirmation (confirm_once)",
+            };
+        }
+        if (mode === "confirm_each") {
+            return {
+                decision: "escalate",
+                reason: "Each read requires confirmation (confirm_each)",
+            };
+        }
+        if (mode === "grant_required") {
+            if (this.isGrantActive("read")) {
+                return { decision: "allow", reason: "active read grant" };
+            }
+            return { decision: "deny", reason: "No active read grant" };
+        }
+        // Unreachable given the constructor guard, but defensive:
+        return { decision: "deny", reason: `Unknown mode: ${mode}` };
+    }
+    // ------------------------------------------------------------------
+    // Session & grant management
+    // ------------------------------------------------------------------
+    /** Mark the current session as approved (for confirm_once mode). */
+    approveSession() {
+        this._session_approved = true;
+    }
+    /**
+     * Add a time-limited grant.
+     *
+     * G-DB-AUDIT: emits a `grant_added` event with the grant type and TTL.
+     *
+     * Lifetime scope: grants are in-process only. Expiry is measured with
+     * `performance.now()`, which is reset on every Node process start, so
+     * a new CLI invocation always begins with no active grants — even if
+     * a previous run added one seconds ago. Suitable for the CLI's
+     * single-invocation model; not suitable as a cross-process gate.
+     */
+    addGrant(grantType, ttlSeconds = 300) {
+        // performance.now() is process-relative; see JSDoc for lifetime scope.
+        this._grants.set(grantType, performance.now() + ttlSeconds * 1000);
+        logEvent({
+            event_type: "grant_added",
+            details: { grant_type: grantType, ttl_seconds: ttlSeconds },
+        });
+    }
+    /**
+     * Check whether a grant is currently active (not expired).
+     *
+     * G-DB-AUDIT: emits a single `grant_expired` event the first time an
+     * expired grant is observed (subsequent checks are silent so the audit
+     * log isn't spammed by repeated polling).
+     */
+    isGrantActive(grantType) {
+        const expiry = this._grants.get(grantType);
+        if (expiry === undefined)
+            return false;
+        if (performance.now() < expiry)
+            return true;
+        if (!this._expired_logged.has(grantType)) {
+            this._expired_logged.add(grantType);
+            logEvent({
+                event_type: "grant_expired",
+                details: { grant_type: grantType },
+            });
+        }
+        return false;
+    }
+}
+/**
+ * Issue a time-limited grant whose TTL derives from an environment's
+ * `grant_duration_hours` field (v2 design §4 default: 8 hours).
+ *
+ * This is the recommended API for prod callers — `addGrant` remains the
+ * low-level primitive (5-minute default, used for short-lived operations
+ * like test scaffolding and administrative confirmations).
+ *
+ * Lifetime scope: grants live in memory only. Because `addGrant` uses
+ * `performance.now()` — a process-relative monotonic clock — a grant
+ * written in one CLI invocation does NOT carry into the next one, even
+ * if `grant_duration_hours=8`. The "8 hour" default means "up to 8
+ * wall-clock hours within a single long-running session," not "8
+ * wall-clock hours across reboots." Persisting grants to disk is out
+ * of scope for v2.
+ */
+export function grantFromEnv(policy, env, grantType) {
+    const hours = env.grant_duration_hours ?? 8;
+    policy.addGrant(grantType, hours * 3600);
+}
+/**
+ * G-DB-AUDIT: emit a `policy_deny` event with the deny reason and the
+ * SQL operation type (when known). The audit module no-ops when audit
+ * has not been enabled, so this is safe to call unconditionally.
+ */
+function _emitDeny(reason, op) {
+    const details = { reason };
+    if (op !== null)
+        details["op"] = op;
+    logEvent({ event_type: "policy_deny", details });
+}
+/** Emit a `policy_allow` audit event tagged with the operation type. */
+function _emitAllow(op) {
+    logEvent({ event_type: "policy_allow", details: { op } });
+}
+/**
+ * Symmetric to `_emitDeny` / `_emitPresentOnly`: record a `policy_escalate`
+ * event when the policy returns `escalate`. Without this, a blocked-pending-
+ * approval path leaves an empty audit trail, making "no write happened" hard
+ * to prove positively — the viewer's absence-of-write check sees nothing to
+ * distinguish from "CLI never ran". The `op` tag lets consumers filter
+ * read-escalation (grant_required / unbounded SELECT) from write-escalation.
+ */
+function _emitEscalate(reason, op) {
+    const details = { reason };
+    if (op !== null)
+        details["op"] = op;
+    logEvent({ event_type: "policy_escalate", details });
+}
+/** Default deny reason per operation type (stable strings used by evals). */
+function _denyReason(op) {
+    if (op === OperationType.ADMIN)
+        return "ADMIN statements are never allowed";
+    if (op === OperationType.PRIVILEGE)
+        return "PRIVILEGE statements are never allowed";
+    if (op === OperationType.WRITE)
+        return "WRITE statements are not allowed";
+    if (op === OperationType.DELETE)
+        return "DELETE statements are not allowed";
+    return "READ statements are not allowed";
+}
+function _escalateReason(op) {
+    return `${op.toUpperCase()} statements require approval`;
+}
+function _presentReason(op) {
+    return `${op.toUpperCase()} statements are displayed but not executed`;
+}
+/**
+ * Strip comments and uppercase the leading keyword for readability when
+ * echoing a statement back to the caller in a `present_only` response.
+ */
+function _formatStatement(sql) {
+    let formatted = Policy._stripComments(sql.trim());
+    const parts = formatted.split(/\s+/);
+    const first = parts[0];
+    if (first !== undefined) {
+        if (parts.length > 1) {
+            const rest = parts.slice(1).join(" ");
+            formatted = first.toUpperCase() + " " + rest;
+        }
+        else {
+            formatted = first.toUpperCase();
+        }
+    }
+    return formatted;
+}
+/**
+ * Symmetric to `_emitDeny`: emit a `policy_present_only` event when a
+ * write/delete/admin statement is intercepted and returned as formatted
+ * SQL rather than executed. Without this, the "no write event occurred"
+ * audit assertion on PRESENT_ONLY paths passes vacuously — an empty
+ * audit log also has no writes. Recording the policy decision gives
+ * downstream consumers (and eval graders) a positive signal that the
+ * decision actually fired.
+ *
+ * The `formatted_sql` is truncated to a reasonable length so the audit
+ * file doesn't bloat on long INSERTs; the full SQL is already in the
+ * API response.
+ */
+function _emitPresentOnly(reason, op, formattedSql) {
+    // Scrub credentials before truncation so a literal split by truncation
+    // can't leak. Same helper used by audit.logQuery.
+    const scrubbed = scrubSqlSecrets(formattedSql);
+    const truncated = scrubbed.length > 500
+        ? scrubbed.slice(0, 500) + "\u2026"
+        : scrubbed;
+    const details = {
+        reason,
+        formatted_sql: truncated,
+    };
+    if (op !== null)
+        details["op"] = op;
+    logEvent({ event_type: "policy_present_only", details });
+}
+/**
+ * Serialize a PolicyResult to JSON.
+ *
+ * Key order: decision, reason, (formatted_sql only when decision ===
+ * "present_only"). V8 preserves string-key insertion order so explicit
+ * construction is sufficient.
+ */
+export function policyResultJson(result) {
+    if (result.decision === "present_only") {
+        return JSON.stringify({
+            decision: result.decision,
+            reason: result.reason,
+            formatted_sql: result.formatted_sql,
+        });
+    }
+    return JSON.stringify({
+        decision: result.decision,
+        reason: result.reason,
+    });
+}
+//# sourceMappingURL=policy.js.map

package/dist/connectors/db/lib/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../../src/connectors/db/lib/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAE9C,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AACvD,OAAO,EAAE,cAAc,EAAoB,MAAM,oBAAoB,CAAC;AAKtE,4EAA4E;AAC5E,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB,KAAK,EAAE,OAAgB;IACvB,IAAI,EAAE,MAAe;IACrB,QAAQ,EAAE,UAAmB;IAC7B,YAAY,EAAE,cAAuB;CACH,CAAC;AAKrC,6DAA6D;AAC7D,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,IAAI,EAAE,MAAe;IACrB,KAAK,EAAE,OAAgB;IACvB,MAAM,EAAE,QAAiB;IACzB,KAAK,EAAE,OAAgB;IACvB,SAAS,EAAE,WAAoB;CACQ,CAAC;AAS1C;;;;;GAKG;AACH,MAAM,cAAc,GAA6B;IAC/C,KAAK,EAAE,CAAC;IACR,YAAY,EAAE,CAAC;IACf,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;CACR,CAAC;AAEF,0EAA0E;AAC1E,gDAAgD;AAChD,0EAA0E;AAE1E,MAAM,cAAc,GAAwB,IAAI,GAAG,CAAC;IAClD,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM;CACxD,CAAC,CAAC;AACH,MAAM,eAAe,GAAwB,IAAI,GAAG,CAAC;IACnD,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ;CACjD,CAAC,CAAC;AACH,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC;IACpD,QAAQ,EAAE,UAAU;CACrB,CAAC,CAAC;AACH,MAAM,eAAe,GAAwB,IAAI,GAAG,CAAC;IACnD,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ;CACpC,CAAC,CAAC;AACH,MAAM,mBAAmB,GAAwB,IAAI,GAAG,CAAC;IACvD,OAAO,EAAE,QAAQ;CAClB,CAAC,CAAC;AAEH;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAW;IAC7C,MAAM,OAAO,GAAG,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAClD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACjD,MAAM,SAAS,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;IAE3C,IAAI,mBAAmB,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO,aAAa,CAAC,SAAS,CAAC;IACvE,IAAI,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO,aAAa,CAAC,KAAK,CAAC;IAC/D,IAAI,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO,aAAa,CAAC,MAAM,CAAC;IACjE,IAAI,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO,aAAa,CAAC,KAAK,CAAC;IAC/D,IAAI,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO,aAAa,CAAC,IAAI,CAAC;IAE7D,OAAO,aAAa,CAAC,KAAK,CAAC;AAC7B,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,MAAM,OAAO,GAAG,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACrB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,QAAQ;YAAE,QAAQ,GAAG,CAAC,QAAQ,CAAC;aAC5C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,QAAQ;YAAE,QAAQ,GAAG,CAAC,QAAQ,CAAC;aACjD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC7C,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACzC,IAAI,CAAC;gBAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACnB,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC;QAChB,CAAC;IACH,CAAC;IACD,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;IACzC,IAAI,IAAI;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzB,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,MAAM,KAAK,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,2EAA2E;AAC3E,MAAM,gBAAgB,GAAG,WAAW,CAAC;AACrC,yEAAyE;AACzE,MAAM,iBAAiB,GAAG,eAAe,CAAC;AAG1C;;;;;GAKG;AACH,MAAM,aAAa,GAAG,+BAA+B,CAAC;AACtD,sEAAsE;AACtE,oEAAoE;AACpE,kEAAkE;AAClE,MAAM,oBAAoB,GACxB,6DAA6D,CAAC;AAQhE,MAAM,qBAAqB,GAA8B,IAAI,GAAG,CAAC;IAC/D,MAAM,EAAE,cAAc,EAAE,cAAc,EAAE,gBAAgB;CACzD,CAAC,CAAC;AAEH;;;;;;;GAOG;AACH,MAAM,OAAO,MAAM;IACA,cAAc,CAAe;IAC7B,MAAM,CAAc;IAC7B,iBAAiB,CAAU;IAClB,OAAO,CAAsB,CAAC,+CAA+C;IAC9F,wEAAwE;IACxE,+DAA+D;IAC9C,eAAe,CAAc;IAE9C,YACE,eAAuB,MAAM,EAC7B,QAAqB,cAAc;QAEnC,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,YAA4B,CAAC,EAAE,CAAC;YAC7D,6CAA6C;YAC7C,MAAM,IAAI,KAAK,CAAC,2BAA2B,YAAY,GAAG,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,CAAC,cAAc,GAAG,YAA4B,CAAC;QACnD,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,iBAAiB,GAAG,KAAK,CAAC;QAC/B,IAAI,CAAC,OAAO,GAAG,IAAI,GAAG,EAAE,CAAC;QACzB,IAAI,CAAC,eAAe,GAAG,IAAI,GAAG,EAAE,CAAC;IACnC,CAAC;IAED,qEAAqE;IACrE,qBAAqB;IACrB,qEAAqE;IAErE,8CAA8C;IAC9C,MAAM,CAAC,cAAc,CAAC,GAAW;QAC/B,IAAI,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC;QAC3C,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;QACpC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;IAClB,CAAC;IAED,uDAAuD;IACvD,WAAW,CAAC,GAAW;QACrB,OAAO,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC;IAED,qEAAqE;IACrE,4BAA4B;IAC5B,qEAAqE;IAErE,mEAAmE;IACnE,MAAM,CAAC,kBAAkB,CAAC,GAAW;QACnC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAC3C,OAAO,CAAC,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,qEAAqE;IACrE,iBAAiB;IACjB,qEAAqE;IAErE;;;;;;;;;;OAUG;IACH,UAAU,CAAC,GAAW,EAAE,MAAuB;QAC7C,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,MAAM,GAAiB,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;YACjF,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YAC/B,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,yEAAyE;QACzE,sEAAsE;QACtE,+CAA+C;QAC/C,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,qBAAqB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACtD,CAAC;QAED,uEAAuE;QACvE,yEAAyE;QACzE,wCAAwC;QACxC,IAAI,eAAgC,CAAC;QACrC,IAAI,CAAC;YACH,eAAe,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAI,GAAa,CAAC,OAAO,CAAC;YACtC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YACxB,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACtC,CAAC;QAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAqE,EAAE,CAAC;QACrF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3C,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAE,CAAC;YAC5B,MAAM,EAAE,GAAG,eAAe,CAAC,CAAC,CAAE,CAAC;YAC/B,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;QAChE,CAAC;QAED,qEAAqE;QACrE,sEAAsE;QACtE,IAAI,MAAM,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;QACzB,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YACrC,IAAI,cAAc,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACnF,MAAM,GAAG,KAAK,CAAC;YACjB,CAAC;QACH,CAAC;QAED,0EAA0E;QAC1E,oEAAoE;QACpE,2BAA2B;QAC3B,IAAI,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC;QAC1B,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,KAAK,cAAc,EAAE,CAAC;YAC/D,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC;YAC/E,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC;QAChD,CAAC;QAED,mEAAmE;QACnE,wEAAwE;QACxE,uEAAuE;QACvE,oCAAoC;QACpC,IAAI,KAAK,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC9B,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QACrC,CAAC;aAAM,IAAI,KAAK,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;YACzC,aAAa,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QACzC,CAAC;aAAM,IAAI,KAAK,CAAC,QAAQ,KAAK,cAAc,EAAE,CAAC;YAC7C,gBAAgB,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;QACjE,CAAC;aAAM,IAAI,MAAM,CAAC,EAAE,KAAK,aAAa,CAAC,IAAI,EAAE,CAAC;YAC5C,mEAAmE;YACnE,mEAAmE;YACnE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACxB,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;;OAMG;IACK,UAAU,CAAC,IAAY,EAAE,EAAiB;QAChD,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAC7B,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;YACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,CAAC,EAAE,CAAC;QACvD,CAAC;QACD,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;YACxB,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,CAAC,EAAE,CAAC;QAC/D,CAAC;QACD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;YACzC,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,CAAC,EAAE,aAAa,EAAE,SAAS,EAAE,CAAC;QAC5F,CAAC;QACD,mBAAmB;QACnB,IAAI,EAAE,KAAK,aAAa,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC/B,CAAC;QACD,yEAAyE;QACzE,uBAAuB;QACvB,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,WAAW,EAAE,oBAAoB,EAAE,CAAC;IAChF,CAAC;IAED;;;;OAIG;IACK,qBAAqB,CAC3B,IAAY,EACZ,MAAsB;QAEtB,IAAI,EAAiB,CAAC;QACtB,IAAI,CAAC;YACH,EAAE,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;QACtC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAI,GAAa,CAAC,OAAO,CAAC;YACtC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YACxB,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACtC,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACzC,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM;YAAE,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;aACxD,IAAI,MAAM,CAAC,QAAQ,KAAK,UAAU;YAAE,aAAa,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;aACrE,IAAI,MAAM,CAAC,QAAQ,KAAK,cAAc;YAAE,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;aAClG,IAAI,EAAE,KAAK,aAAa,CAAC,IAAI;YAAE,UAAU,CAAC,EAAE,CAAC,CAAC;QACnD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,qDAAqD;IAC7C,UAAU,CAAC,GAAW;QAC5B,oDAAoD;QACpD,yDAAyD;QACzD,IACE,IAAI,CAAC,MAAM,CAAC,gBAAgB,KAAK,OAAO;YACxC,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,EAC9B,CAAC;YACD,OAAO;gBACL,QAAQ,EAAE,UAAU;gBACpB,MAAM,EAAE,iDAAiD;aAC1D,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC;QAEjC,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;YACpB,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;QACxD,CAAC;QAED,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;YAC5B,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC3B,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;YAC3D,CAAC;YACD,OAAO;gBACL,QAAQ,EAAE,UAAU;gBACpB,MAAM,EAAE,iDAAiD;aAC1D,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;YAC5B,OAAO;gBACL,QAAQ,EAAE,UAAU;gBACpB,MAAM,EAAE,gDAAgD;aACzD,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,KAAK,gBAAgB,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC/B,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;YAC5D,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;QAC9D,CAAC;QAED,0DAA0D;QAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC;IAC/D,CAAC;IAED,qEAAqE;IACrE,6BAA6B;IAC7B,qEAAqE;IAErE,oEAAoE;IACpE,cAAc;QACZ,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAChC,CAAC;IAED;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,SAAiB,EAAE,aAAqB,GAAG;QAClD,uEAAuE;QACvE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,UAAU,GAAG,IAAI,CAAC,CAAC;QACnE,QAAQ,CAAC;YACP,UAAU,EAAE,aAAa;YACzB,OAAO,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE;SAC5D,CAAC,CAAC;IACL,CAAC;IAED;;;;;;OAMG;IACH,aAAa,CAAC,SAAiB;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC3C,IAAI,MAAM,KAAK,SAAS;YAAE,OAAO,KAAK,CAAC;QACvC,IAAI,WAAW,CAAC,GAAG,EAAE,GAAG,MAAM;YAAE,OAAO,IAAI,CAAC;QAC5C,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACpC,QAAQ,CAAC;gBACP,UAAU,EAAE,eAAe;gBAC3B,OAAO,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE;aACnC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,YAAY,CAC1B,MAAc,EACd,GAAsC,EACtC,SAAiB;IAEjB,MAAM,KAAK,GAAG,GAAG,CAAC,oBAAoB,IAAI,CAAC,CAAC;IAC5C,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,KAAK,GAAG,IAAI,CAAC,CAAC;AAC3C,CAAC;AAED;;;;GAIG;AACH,SAAS,SAAS,CAAC,MAAc,EAAE,EAAwB;IACzD,MAAM,OAAO,GAA4B,EAAE,MAAM,EAAE,CAAC;IACpD,IAAI,EAAE,KAAK,IAAI;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;IACpC,QAAQ,CAAC,EAAE,UAAU,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC,CAAC;AACnD,CAAC;AAED,wEAAwE;AACxE,SAAS,UAAU,CAAC,EAAiB;IACnC,QAAQ,CAAC,EAAE,UAAU,EAAE,cAAc,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;AAC5D,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,aAAa,CAAC,MAAc,EAAE,EAAwB;IAC7D,MAAM,OAAO,GAA4B,EAAE,MAAM,EAAE,CAAC;IACpD,IAAI,EAAE,KAAK,IAAI;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;IACpC,QAAQ,CAAC,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,EAAE,CAAC,CAAC;AACvD,CAAC;AAED,6EAA6E;AAC7E,SAAS,WAAW,CAAC,EAAiB;IACpC,IAAI,EAAE,KAAK,aAAa,CAAC,KAAK;QAAE,OAAO,oCAAoC,CAAC;IAC5E,IAAI,EAAE,KAAK,aAAa,CAAC,SAAS;QAAE,OAAO,wCAAwC,CAAC;IACpF,IAAI,EAAE,KAAK,aAAa,CAAC,KAAK;QAAE,OAAO,kCAAkC,CAAC;IAC1E,IAAI,EAAE,KAAK,aAAa,CAAC,MAAM;QAAE,OAAO,mCAAmC,CAAC;IAC5E,OAAO,iCAAiC,CAAC;AAC3C,CAAC;AAED,SAAS,eAAe,CAAC,EAAiB;IACxC,OAAO,GAAG,EAAE,CAAC,WAAW,EAAE,8BAA8B,CAAC;AAC3D,CAAC;AAED,SAAS,cAAc,CAAC,EAAiB;IACvC,OAAO,GAAG,EAAE,CAAC,WAAW,EAAE,4CAA4C,CAAC;AACzE,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,IAAI,SAAS,GAAG,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAClD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACrC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACvB,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtC,SAAS,GAAG,KAAK,CAAC,WAAW,EAAE,GAAG,GAAG,GAAG,IAAI,CAAC;QAC/C,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QAClC,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,gBAAgB,CACvB,MAAc,EACd,EAAwB,EACxB,YAAoB;IAEpB,uEAAuE;IACvE,kDAAkD;IAClD,MAAM,QAAQ,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;IAC/C,MAAM,SAAS,GACb,QAAQ,CAAC,MAAM,GAAG,GAAG;QACnB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,QAAQ;QACnC,CAAC,CAAC,QAAQ,CAAC;IACf,MAAM,OAAO,GAA4B;QACvC,MAAM;QACN,aAAa,EAAE,SAAS;KACzB,CAAC;IACF,IAAI,EAAE,KAAK,IAAI;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;IACpC,QAAQ,CAAC,EAAE,UAAU,EAAE,qBAAqB,EAAE,OAAO,EAAE,CAAC,CAAC;AAC3D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAoB;IACnD,IAAI,MAAM,CAAC,QAAQ,KAAK,cAAc,EAAE,CAAC;QACvC,OAAO,IAAI,CAAC,SAAS,CAAC;YACpB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,aAAa,EAAE,MAAM,CAAC,aAAa;SACpC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;AACL,CAAC"}

package/dist/connectors/db/lib/query.d.ts

@@ -0,0 +1,22 @@
+import { type Policy } from "./policy.js";
+import type { ExecuteReadResult } from "./drivers/base.js";
+/**
+ * Minimal driver shape `executeQuery` needs. The test suite constructs
+ * one of these directly (sync drivers wrap via `Promise.resolve(...)`).
+ */
+export interface QueryableDriver {
+    executeReadAsync(conn: unknown, query: string, params?: unknown[] | null, maxRows?: number, timeoutMs?: number): Promise<ExecuteReadResult>;
+}
+export interface ExecuteQueryOptions {
+    /** Connection passed straight through to `executeReadAsync`. */
+    conn?: unknown;
+    params?: unknown[] | null;
+    max_rows?: number;
+    timeout_ms?: number;
+}
+/** Execute a SQL query through policy checks and the database driver.
+ *
+ * Returns a structured dict — never raises.
+ */
+export declare function executeQuery(driver: QueryableDriver, sql: string, policy: Policy, options?: ExecuteQueryOptions): Promise<Record<string, unknown>>;
+//# sourceMappingURL=query.d.ts.map

package/dist/connectors/db/lib/query.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"query.d.ts","sourceRoot":"","sources":["../../../../src/connectors/db/lib/query.ts"],"names":[],"mappings":"AAqBA,OAAO,EAAY,KAAK,MAAM,EAAqB,MAAM,aAAa,CAAC;AACvE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE3D;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,gBAAgB,CACd,IAAI,EAAE,OAAO,EACb,KAAK,EAAE,MAAM,EACb,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,IAAI,EACzB,OAAO,CAAC,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,iBAAiB,CAAC,CAAC;CAC/B;AAED,MAAM,WAAW,mBAAmB;IAClC,gEAAgE;IAChE,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,eAAe,EACvB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CA8ElC"}