observability-toolkit 1.8.2 → 1.8.5

package/dist/backends/signoz-api-rate-limiter.test.js

@@ -0,0 +1,389 @@
+/**
+ * Rate limiter tests for SigNoz API backend
+ * L-STYLE-2: Extracted from signoz-api.test.ts for maintainability
+ */
+import { describe, it } from 'node:test';
+import assert from 'node:assert';
+import { SigNozApiBackend, TokenBucketRateLimiter } from './signoz-api.js';
+import { setupMock, createV5TraceResponse } from './signoz-api-test-helpers.js';
+describe('SigNozApiBackend rate limiter', () => {
+    it('should allow requests up to max tokens', async () => {
+        let callCount = 0;
+        globalThis.fetch = setupMock(async () => {
+            callCount++;
+            return {
+                ok: true,
+                json: async () => createV5TraceResponse([]),
+                text: async () => '',
+            };
+        });
+        // Create backend - default is 60 tokens
+        const backend = new SigNozApiBackend('https://signoz.example.com', 'test-key');
+        // Make multiple rapid requests - should all succeed within token limit
+        for (let i = 0; i < 10; i++) {
+            await backend.queryTraces({});
+        }
+        assert.strictEqual(callCount, 10, 'All requests within limit should succeed');
+    });
+    it('should block requests when rate limit exceeded', async () => {
+        const originalDateNow = Date.now;
+        let currentTime = 1000000;
+        Date.now = () => currentTime;
+        // Create limiter with very low rate limit (3 tokens) for testing
+        const limiter = new TokenBucketRateLimiter(3, 1); // 3 tokens, 1/sec refill
+        // Use all tokens
+        assert.strictEqual(limiter.tryConsume(), true, '1st token should be available');
+        assert.strictEqual(limiter.tryConsume(), true, '2nd token should be available');
+        assert.strictEqual(limiter.tryConsume(), true, '3rd token should be available');
+        assert.strictEqual(limiter.tryConsume(), false, '4th token should be blocked');
+        Date.now = originalDateNow;
+    });
+    it('should refill tokens over time', async () => {
+        const originalDateNow = Date.now;
+        let currentTime = 1000000;
+        Date.now = () => currentTime;
+        const limiter = new TokenBucketRateLimiter(3, 1); // 3 tokens, 1/sec refill
+        // Use all tokens
+        limiter.tryConsume();
+        limiter.tryConsume();
+        limiter.tryConsume();
+        assert.strictEqual(limiter.getAvailableTokens(), 0, 'All tokens should be used');
+        // Advance time by 2 seconds
+        currentTime += 2000;
+        // Should have refilled 2 tokens
+        assert.strictEqual(limiter.getAvailableTokens(), 2, 'Should have refilled 2 tokens');
+        // Advance time by 5 more seconds (past max)
+        currentTime += 5000;
+        // Should cap at max tokens
+        assert.strictEqual(limiter.getAvailableTokens(), 3, 'Should cap at max tokens');
+        Date.now = originalDateNow;
+    });
+    it('should return empty array when rate limited', async () => {
+        const originalDateNow = Date.now;
+        let currentTime = 1000000;
+        Date.now = () => currentTime;
+        let callCount = 0;
+        globalThis.fetch = setupMock(async () => {
+            callCount++;
+            return {
+                ok: true,
+                json: async () => createV5TraceResponse([]),
+                text: async () => '',
+            };
+        });
+        // We can't easily set custom rate limits on the backend, so we'll test
+        // the behavior by making 60+ requests (default limit)
+        const backend = new SigNozApiBackend('https://signoz.example.com', 'test-key');
+        // Make 60 requests (default token limit)
+        for (let i = 0; i < 60; i++) {
+            await backend.queryTraces({});
+        }
+        assert.strictEqual(callCount, 60);
+        // 61st request should be rate limited
+        const result = await backend.queryTraces({});
+        assert.deepStrictEqual(result, [], 'Should return empty array when rate limited');
+        assert.strictEqual(callCount, 60, 'Should not have made fetch call when rate limited');
+        Date.now = originalDateNow;
+    });
+    it('should log warning when rate limit exceeded', async () => {
+        const originalDateNow = Date.now;
+        let currentTime = 1000000;
+        Date.now = () => currentTime;
+        const warnLogs = [];
+        const originalWarn = console.warn;
+        console.warn = (msg) => { warnLogs.push(msg); };
+        const limiter = new TokenBucketRateLimiter(2, 1);
+        // Use all tokens
+        limiter.tryConsume();
+        limiter.tryConsume();
+        // This should trigger the warning
+        limiter.tryConsume();
+        console.warn = originalWarn;
+        Date.now = originalDateNow;
+        assert(warnLogs.some(log => log.includes('[obs-toolkit] Rate limit exceeded')));
+    });
+    it('should report rate limit status in health check', async () => {
+        const originalDateNow = Date.now;
+        let currentTime = 1000000;
+        Date.now = () => currentTime;
+        globalThis.fetch = setupMock(async () => {
+            return {
+                ok: true,
+                json: async () => ({ status: 'success' }),
+                text: async () => '',
+            };
+        });
+        const backend = new SigNozApiBackend('https://signoz.example.com', 'test-key');
+        // Use all 60 tokens
+        for (let i = 0; i < 60; i++) {
+            await backend.queryTraces({});
+        }
+        // Health check should report rate limit status
+        const health = await backend.healthCheck();
+        assert.strictEqual(health.status, 'error');
+        assert(health.message?.includes('Rate limit'));
+        Date.now = originalDateNow;
+    });
+    it('should reset tokens with reset method', async () => {
+        const limiter = new TokenBucketRateLimiter(3, 1);
+        // Use all tokens
+        limiter.tryConsume();
+        limiter.tryConsume();
+        limiter.tryConsume();
+        assert.strictEqual(limiter.getAvailableTokens(), 0);
+        // Reset
+        limiter.reset();
+        assert.strictEqual(limiter.getAvailableTokens(), 3, 'Should have all tokens after reset');
+    });
+    it('should handle logs query when rate limited', async () => {
+        const originalDateNow = Date.now;
+        let currentTime = 1000000;
+        Date.now = () => currentTime;
+        let callCount = 0;
+        globalThis.fetch = setupMock(async () => {
+            callCount++;
+            return {
+                ok: true,
+                json: async () => ({ data: { data: { results: [] } } }),
+                text: async () => '',
+            };
+        });
+        const backend = new SigNozApiBackend('https://signoz.example.com', 'test-key');
+        // Use all 60 tokens
+        for (let i = 0; i < 60; i++) {
+            await backend.queryTraces({});
+        }
+        assert.strictEqual(callCount, 60);
+        // Logs query should also be rate limited
+        const result = await backend.queryLogs({});
+        assert.deepStrictEqual(result, []);
+        assert.strictEqual(callCount, 60, 'Should not make fetch call for logs when rate limited');
+        Date.now = originalDateNow;
+    });
+    it('should handle metrics query when rate limited', async () => {
+        const originalDateNow = Date.now;
+        let currentTime = 1000000;
+        Date.now = () => currentTime;
+        let callCount = 0;
+        globalThis.fetch = setupMock(async () => {
+            callCount++;
+            return {
+                ok: true,
+                json: async () => ({ data: { data: { results: [] } } }),
+                text: async () => '',
+            };
+        });
+        const backend = new SigNozApiBackend('https://signoz.example.com', 'test-key');
+        // Use all 60 tokens
+        for (let i = 0; i < 60; i++) {
+            await backend.queryTraces({});
+        }
+        assert.strictEqual(callCount, 60);
+        // Metrics query should also be rate limited
+        const result = await backend.queryMetrics({ metricName: 'test' });
+        assert.deepStrictEqual(result, []);
+        assert.strictEqual(callCount, 60, 'Should not make fetch call for metrics when rate limited');
+        Date.now = originalDateNow;
+    });
+    it('should refund single token correctly', async () => {
+        const originalDateNow = Date.now;
+        let currentTime = 1000000;
+        Date.now = () => currentTime;
+        const limiter = new TokenBucketRateLimiter(3, 1); // 3 tokens, 1/sec refill
+        // Use all tokens
+        limiter.tryConsume();
+        limiter.tryConsume();
+        limiter.tryConsume();
+        assert.strictEqual(limiter.getAvailableTokens(), 0, 'All tokens should be used');
+        // Refund one token
+        limiter.refund();
+        assert.strictEqual(limiter.getAvailableTokens(), 1, 'Should have 1 token after refund');
+        // Refund again
+        limiter.refund();
+        assert.strictEqual(limiter.getAvailableTokens(), 2, 'Should have 2 tokens after second refund');
+        // Refund at max should not exceed max
+        limiter.refund();
+        limiter.refund(); // This should cap at max
+        assert.strictEqual(limiter.getAvailableTokens(), 3, 'Should cap at max tokens');
+        Date.now = originalDateNow;
+    });
+    it('should refund token when circuit breaker rejects request', async () => {
+        const originalDateNow = Date.now;
+        let currentTime = 1000000;
+        Date.now = () => currentTime;
+        let callCount = 0;
+        globalThis.fetch = setupMock(async () => {
+            callCount++;
+            // Simulate failures to open circuit breaker
+            const response = {
+                ok: false,
+                status: 500,
+                json: async () => ({}),
+                text: async () => 'Internal Server Error',
+            };
+            return response;
+        });
+        const backend = new SigNozApiBackend('https://signoz.example.com', 'test-key');
+        // Cause circuit breaker to open (default is 3 failures per constants.ts)
+        for (let i = 0; i < 3; i++) {
+            try {
+                await backend.queryTraces({});
+            }
+            catch {
+                // Expected to throw
+            }
+        }
+        assert.strictEqual(callCount, 3, 'Should have made 3 failing requests');
+        // Get initial token count - 60 tokens - 3 consumed = 57
+        // Now circuit breaker is open, subsequent requests should refund tokens
+        const result1 = await backend.queryTraces({});
+        assert.deepStrictEqual(result1, [], 'Should return empty when circuit breaker open');
+        // This should not consume more tokens because the token was refunded
+        const result2 = await backend.queryTraces({});
+        assert.deepStrictEqual(result2, [], 'Should return empty when circuit breaker open');
+        // No additional fetch calls should have been made
+        assert.strictEqual(callCount, 3, 'Should not make more fetch calls when circuit breaker open');
+        Date.now = originalDateNow;
+    });
+    // A2 Category 1: Rate Limiter Boundary Tests
+    describe('rate limiter boundary tests (A2)', () => {
+        it('should allow exactly MAX_TOKENS requests', async () => {
+            const MAX_TOKENS = 60;
+            const limiter = new TokenBucketRateLimiter(MAX_TOKENS, 1);
+            // Consume exactly MAX_TOKENS
+            for (let i = 0; i < MAX_TOKENS; i++) {
+                const allowed = limiter.tryConsume();
+                assert.strictEqual(allowed, true, `Request ${i + 1} should be allowed`);
+            }
+            assert.strictEqual(limiter.getAvailableTokens(), 0, '60th request should leave 0 tokens');
+        });
+        it('should block the 61st request', async () => {
+            const MAX_TOKENS = 60;
+            const limiter = new TokenBucketRateLimiter(MAX_TOKENS, 1);
+            // Consume all tokens
+            for (let i = 0; i < MAX_TOKENS; i++) {
+                limiter.tryConsume();
+            }
+            // 61st request should fail
+            const allowed = limiter.tryConsume();
+            assert.strictEqual(allowed, false, '61st request should be blocked');
+        });
+        it('should refill tokens after elapsed time', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            try {
+                const limiter = new TokenBucketRateLimiter(60, 1); // 1 token per second
+                // Use all tokens
+                for (let i = 0; i < 60; i++) {
+                    limiter.tryConsume();
+                }
+                assert.strictEqual(limiter.getAvailableTokens(), 0);
+                // Advance time by 1 second - should get 1 token back
+                currentTime += 1000;
+                assert.strictEqual(limiter.getAvailableTokens(), 1, 'Should have 1 token after 1 second');
+                // Advance time by 5 more seconds - should have 6 tokens
+                currentTime += 5000;
+                assert.strictEqual(limiter.getAvailableTokens(), 6, 'Should have 6 tokens after 6 seconds');
+            }
+            finally {
+                Date.now = originalDateNow;
+            }
+        });
+        it('should not add partial tokens for fractional seconds', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            try {
+                const limiter = new TokenBucketRateLimiter(60, 1);
+                // Use all tokens
+                for (let i = 0; i < 60; i++) {
+                    limiter.tryConsume();
+                }
+                // Advance by 500ms - should NOT add a partial token
+                currentTime += 500;
+                assert.strictEqual(limiter.getAvailableTokens(), 0, 'Should not have partial tokens at 500ms');
+                // Advance to 999ms - still no token
+                currentTime += 499;
+                assert.strictEqual(limiter.getAvailableTokens(), 0, 'Should not have token at 999ms');
+                // Advance to 1000ms - now should have 1 token
+                currentTime += 1;
+                assert.strictEqual(limiter.getAvailableTokens(), 1, 'Should have 1 token at 1000ms');
+            }
+            finally {
+                Date.now = originalDateNow;
+            }
+        });
+        it('should cap refilled tokens at MAX_TOKENS', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            try {
+                const limiter = new TokenBucketRateLimiter(60, 1);
+                // Use 30 tokens (leave 30)
+                for (let i = 0; i < 30; i++) {
+                    limiter.tryConsume();
+                }
+                assert.strictEqual(limiter.getAvailableTokens(), 30);
+                // Advance by 60 seconds - should cap at 60, not 90
+                currentTime += 60000;
+                assert.strictEqual(limiter.getAvailableTokens(), 60, 'Should cap at MAX_TOKENS');
+            }
+            finally {
+                Date.now = originalDateNow;
+            }
+        });
+        it('should handle exact exhaustion correctly', async () => {
+            const limiter = new TokenBucketRateLimiter(3, 1);
+            limiter.tryConsume();
+            limiter.tryConsume();
+            assert.strictEqual(limiter.getAvailableTokens(), 1, 'Should have 1 token left');
+            limiter.tryConsume();
+            assert.strictEqual(limiter.getAvailableTokens(), 0, 'Should have exactly 0 tokens');
+            const allowed = limiter.tryConsume();
+            assert.strictEqual(allowed, false, 'Next request should fail');
+        });
+        it('should not overflow on large refill periods', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            try {
+                const limiter = new TokenBucketRateLimiter(60, 1);
+                // Use all tokens
+                for (let i = 0; i < 60; i++) {
+                    limiter.tryConsume();
+                }
+                // Advance by a very long time (1 day)
+                currentTime += 86400000;
+                const tokens = limiter.getAvailableTokens();
+                assert.strictEqual(tokens, 60, 'Should cap at MAX_TOKENS, not overflow');
+            }
+            finally {
+                Date.now = originalDateNow;
+            }
+        });
+        it('should cap elapsed time to prevent precision loss (H1)', async () => {
+            const originalDateNow = Date.now;
+            let currentTime = 1000000;
+            Date.now = () => currentTime;
+            try {
+                // 10 tokens, 1/sec refill = max useful elapsed is 10 seconds
+                const limiter = new TokenBucketRateLimiter(10, 1);
+                // Use all tokens
+                for (let i = 0; i < 10; i++) {
+                    limiter.tryConsume();
+                }
+                assert.strictEqual(limiter.getAvailableTokens(), 0);
+                // Advance by 30 days (extreme case for long-running process)
+                currentTime += 30 * 24 * 60 * 60 * 1000;
+                // Should still correctly cap at maxTokens, not have precision issues
+                const tokens = limiter.getAvailableTokens();
+                assert.strictEqual(tokens, 10, 'Should handle extreme elapsed times without precision loss');
+            }
+            finally {
+                Date.now = originalDateNow;
+            }
+        });
+    });
+});
+//# sourceMappingURL=signoz-api-rate-limiter.test.js.map

package/dist/backends/signoz-api-rate-limiter.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signoz-api-rate-limiter.test.js","sourceRoot":"","sources":["../../src/backends/signoz-api-rate-limiter.test.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAC3E,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAEhF,QAAQ,CAAC,+BAA+B,EAAE,GAAG,EAAE;IAC7C,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QACtD,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,UAAU,CAAC,KAAK,GAAG,SAAS,CAAC,KAAK,IAAI,EAAE;YACtC,SAAS,EAAE,CAAC;YACZ,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,qBAAqB,CAAC,EAAE,CAAC;gBAC3C,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;aACrB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,wCAAwC;QACxC,MAAM,OAAO,GAAG,IAAI,gBAAgB,CAAC,4BAA4B,EAAE,UAAU,CAAC,CAAC;QAE/E,uEAAuE;QACvE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAChC,CAAC;QACD,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,EAAE,0CAA0C,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;QACjC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;QAE7B,iEAAiE;QACjE,MAAM,OAAO,GAAG,IAAI,sBAAsB,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,yBAAyB;QAE3E,iBAAiB;QACjB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,+BAA+B,CAAC,CAAC;QAChF,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,+BAA+B,CAAC,CAAC;QAChF,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,+BAA+B,CAAC,CAAC;QAChF,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,6BAA6B,CAAC,CAAC;QAE/E,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;QACjC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;QAE7B,MAAM,OAAO,GAAG,IAAI,sBAAsB,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,yBAAyB;QAE3E,iBAAiB;QACjB,OAAO,CAAC,UAAU,EAAE,CAAC;QACrB,OAAO,CAAC,UAAU,EAAE,CAAC;QACrB,OAAO,CAAC,UAAU,EAAE,CAAC;QACrB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,2BAA2B,CAAC,CAAC;QAEjF,4BAA4B;QAC5B,WAAW,IAAI,IAAI,CAAC;QAEpB,gCAAgC;QAChC,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,+BAA+B,CAAC,CAAC;QAErF,4CAA4C;QAC5C,WAAW,IAAI,IAAI,CAAC;QAEpB,2BAA2B;QAC3B,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,0BAA0B,CAAC,CAAC;QAEhF,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;QACjC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;QAE7B,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,UAAU,CAAC,KAAK,GAAG,SAAS,CAAC,KAAK,IAAI,EAAE;YACtC,SAAS,EAAE,CAAC;YACZ,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,qBAAqB,CAAC,EAAE,CAAC;gBAC3C,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;aACrB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,uEAAuE;QACvE,sDAAsD;QACtD,MAAM,OAAO,GAAG,IAAI,gBAAgB,CAAC,4BAA4B,EAAE,UAAU,CAAC,CAAC;QAE/E,yCAAyC;QACzC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAChC,CAAC;QACD,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAElC,sCAAsC;QACtC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAC7C,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,EAAE,6CAA6C,CAAC,CAAC;QAClF,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,EAAE,mDAAmD,CAAC,CAAC;QAEvF,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;QACjC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;QAE7B,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;QAClC,OAAO,CAAC,IAAI,GAAG,CAAC,GAAW,EAAE,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAExD,MAAM,OAAO,GAAG,IAAI,sBAAsB,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAEjD,iBAAiB;QACjB,OAAO,CAAC,UAAU,EAAE,CAAC;QACrB,OAAO,CAAC,UAAU,EAAE,CAAC;QAErB,kCAAkC;QAClC,OAAO,CAAC,UAAU,EAAE,CAAC;QAErB,OAAO,CAAC,IAAI,GAAG,YAAY,CAAC;QAC5B,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;QAE3B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,mCAAmC,CAAC,CAAC,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;QACjC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;QAE7B,UAAU,CAAC,KAAK,GAAG,SAAS,CAAC,KAAK,IAAI,EAAE;YACtC,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;gBACzC,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;aACrB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,gBAAgB,CAAC,4BAA4B,EAAE,UAAU,CAAC,CAAC;QAE/E,oBAAoB;QACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAChC,CAAC;QAED,+CAA+C;QAC/C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,WAAW,EAAE,CAAC;QAC3C,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC3C,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC;QAE/C,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,OAAO,GAAG,IAAI,sBAAsB,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAEjD,iBAAiB;QACjB,OAAO,CAAC,UAAU,EAAE,CAAC;QACrB,OAAO,CAAC,UAAU,EAAE,CAAC;QACrB,OAAO,CAAC,UAAU,EAAE,CAAC;QACrB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC,CAAC;QAEpD,QAAQ;QACR,OAAO,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,oCAAoC,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;QACjC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;QAE7B,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,UAAU,CAAC,KAAK,GAAG,SAAS,CAAC,KAAK,IAAI,EAAE;YACtC,SAAS,EAAE,CAAC;YACZ,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;gBACvD,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;aACrB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,gBAAgB,CAAC,4BAA4B,EAAE,UAAU,CAAC,CAAC;QAE/E,oBAAoB;QACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAChC,CAAC;QACD,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAElC,yCAAyC;QACzC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAC3C,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACnC,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,EAAE,uDAAuD,CAAC,CAAC;QAE3F,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;QACjC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;QAE7B,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,UAAU,CAAC,KAAK,GAAG,SAAS,CAAC,KAAK,IAAI,EAAE;YACtC,SAAS,EAAE,CAAC;YACZ,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;gBACvD,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;aACrB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,gBAAgB,CAAC,4BAA4B,EAAE,UAAU,CAAC,CAAC;QAE/E,oBAAoB;QACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAChC,CAAC;QACD,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAElC,4CAA4C;QAC5C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,CAAC;QAClE,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACnC,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,EAAE,0DAA0D,CAAC,CAAC;QAE9F,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;QACjC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;QAE7B,MAAM,OAAO,GAAG,IAAI,sBAAsB,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,yBAAyB;QAE3E,iBAAiB;QACjB,OAAO,CAAC,UAAU,EAAE,CAAC;QACrB,OAAO,CAAC,UAAU,EAAE,CAAC;QACrB,OAAO,CAAC,UAAU,EAAE,CAAC;QACrB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,2BAA2B,CAAC,CAAC;QAEjF,mBAAmB;QACnB,OAAO,CAAC,MAAM,EAAE,CAAC;QACjB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,kCAAkC,CAAC,CAAC;QAExF,eAAe;QACf,OAAO,CAAC,MAAM,EAAE,CAAC;QACjB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,0CAA0C,CAAC,CAAC;QAEhG,sCAAsC;QACtC,OAAO,CAAC,MAAM,EAAE,CAAC;QACjB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,yBAAyB;QAC3C,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,0BAA0B,CAAC,CAAC;QAEhF,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;QACjC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;QAE7B,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,UAAU,CAAC,KAAK,GAAG,SAAS,CAAC,KAAK,IAAI,EAAE;YACtC,SAAS,EAAE,CAAC;YACZ,4CAA4C;YAC5C,MAAM,QAAQ,GAAG;gBACf,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;gBACtB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,uBAAuB;aAC1C,CAAC;YACF,OAAO,QAAQ,CAAC;QAClB,CAAC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,gBAAgB,CAAC,4BAA4B,EAAE,UAAU,CAAC,CAAC;QAE/E,yEAAyE;QACzE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,MAAM,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YAChC,CAAC;YAAC,MAAM,CAAC;gBACP,oBAAoB;YACtB,CAAC;QACH,CAAC;QACD,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC,EAAE,qCAAqC,CAAC,CAAC;QAExE,wDAAwD;QACxD,wEAAwE;QACxE,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,CAAC,eAAe,CAAC,OAAO,EAAE,EAAE,EAAE,+CAA+C,CAAC,CAAC;QAErF,qEAAqE;QACrE,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,CAAC,eAAe,CAAC,OAAO,EAAE,EAAE,EAAE,+CAA+C,CAAC,CAAC;QAErF,kDAAkD;QAClD,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC,EAAE,4DAA4D,CAAC,CAAC;QAE/F,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,6CAA6C;IAC7C,QAAQ,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAChD,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,UAAU,GAAG,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,IAAI,sBAAsB,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;YAE1D,6BAA6B;YAC7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;gBACpC,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;gBACrC,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,IAAI,EAAE,WAAW,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YAC1E,CAAC;YAED,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,oCAAoC,CAAC,CAAC;QAC5F,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;YAC7C,MAAM,UAAU,GAAG,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,IAAI,sBAAsB,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;YAE1D,qBAAqB;YACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;gBACpC,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,CAAC;YAED,2BAA2B;YAC3B,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;YACrC,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,KAAK,EAAE,gCAAgC,CAAC,CAAC;QACvE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;YACjC,IAAI,WAAW,GAAG,OAAO,CAAC;YAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;YAE7B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,IAAI,sBAAsB,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,qBAAqB;gBAExE,iBAAiB;gBACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC5B,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,CAAC;gBACD,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC,CAAC;gBAEpD,qDAAqD;gBACrD,WAAW,IAAI,IAAI,CAAC;gBACpB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,oCAAoC,CAAC,CAAC;gBAE1F,wDAAwD;gBACxD,WAAW,IAAI,IAAI,CAAC;gBACpB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,sCAAsC,CAAC,CAAC;YAC9F,CAAC;oBAAS,CAAC;gBACT,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;YAC7B,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;YACpE,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;YACjC,IAAI,WAAW,GAAG,OAAO,CAAC;YAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;YAE7B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,IAAI,sBAAsB,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;gBAElD,iBAAiB;gBACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC5B,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,CAAC;gBAED,oDAAoD;gBACpD,WAAW,IAAI,GAAG,CAAC;gBACnB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,yCAAyC,CAAC,CAAC;gBAE/F,oCAAoC;gBACpC,WAAW,IAAI,GAAG,CAAC;gBACnB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,gCAAgC,CAAC,CAAC;gBAEtF,8CAA8C;gBAC9C,WAAW,IAAI,CAAC,CAAC;gBACjB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,+BAA+B,CAAC,CAAC;YACvF,CAAC;oBAAS,CAAC;gBACT,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;YAC7B,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;YACjC,IAAI,WAAW,GAAG,OAAO,CAAC;YAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;YAE7B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,IAAI,sBAAsB,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;gBAElD,2BAA2B;gBAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC5B,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,CAAC;gBACD,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,EAAE,CAAC,CAAC;gBAErD,mDAAmD;gBACnD,WAAW,IAAI,KAAK,CAAC;gBACrB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,EAAE,EAAE,0BAA0B,CAAC,CAAC;YACnF,CAAC;oBAAS,CAAC;gBACT,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;YAC7B,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,OAAO,GAAG,IAAI,sBAAsB,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAEjD,OAAO,CAAC,UAAU,EAAE,CAAC;YACrB,OAAO,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,0BAA0B,CAAC,CAAC;YAEhF,OAAO,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,8BAA8B,CAAC,CAAC;YAEpF,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;YACrC,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,KAAK,EAAE,0BAA0B,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;YACjC,IAAI,WAAW,GAAG,OAAO,CAAC;YAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;YAE7B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,IAAI,sBAAsB,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;gBAElD,iBAAiB;gBACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC5B,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,CAAC;gBAED,sCAAsC;gBACtC,WAAW,IAAI,QAAQ,CAAC;gBACxB,MAAM,MAAM,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;gBAC5C,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,EAAE,EAAE,wCAAwC,CAAC,CAAC;YAC3E,CAAC;oBAAS,CAAC;gBACT,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;YAC7B,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;YACtE,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC;YACjC,IAAI,WAAW,GAAG,OAAO,CAAC;YAC1B,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC;YAE7B,IAAI,CAAC;gBACH,6DAA6D;gBAC7D,MAAM,OAAO,GAAG,IAAI,sBAAsB,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;gBAElD,iBAAiB;gBACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC5B,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,CAAC;gBACD,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC,CAAC;gBAEpD,6DAA6D;gBAC7D,WAAW,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;gBAExC,qEAAqE;gBACrE,MAAM,MAAM,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;gBAC5C,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,EAAE,EAAE,4DAA4D,CAAC,CAAC;YAC/F,CAAC;oBAAS,CAAC;gBACT,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC;YAC7B,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/backends/signoz-api-ssrf.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * SSRF protection tests for SigNoz API backend
+ * L-STYLE-2: Extracted from signoz-api.test.ts for maintainability
+ */
+export {};
+//# sourceMappingURL=signoz-api-ssrf.test.d.ts.map

package/dist/backends/signoz-api-ssrf.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signoz-api-ssrf.test.d.ts","sourceRoot":"","sources":["../../src/backends/signoz-api-ssrf.test.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/backends/signoz-api-ssrf.test.js

@@ -0,0 +1,216 @@
+/**
+ * SSRF protection tests for SigNoz API backend
+ * L-STYLE-2: Extracted from signoz-api.test.ts for maintainability
+ */
+import { describe, it } from 'node:test';
+import assert from 'node:assert';
+import { SigNozApiBackend } from './signoz-api.js';
+describe('SigNozApiBackend SSRF protection', () => {
+    it('should block localhost URL', () => {
+        const backend = new SigNozApiBackend('https://localhost/api', 'test-key');
+        // Backend with blocked URL will have empty baseUrl
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should have empty base for blocked localhost');
+    });
+    it('should block 127.0.0.1', () => {
+        const backend = new SigNozApiBackend('https://127.0.0.1/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should have empty base for blocked 127.0.0.1');
+    });
+    it('should block IPv6 localhost ::1', () => {
+        const backend = new SigNozApiBackend('https://[::1]/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should block IPv6 localhost');
+    });
+    it('should block long-form IPv6 localhost', () => {
+        const backend = new SigNozApiBackend('https://[0:0:0:0:0:0:0:1]/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should block long-form IPv6 localhost');
+    });
+    it('should block IPv4-mapped IPv6 localhost', () => {
+        const backend = new SigNozApiBackend('https://[::ffff:127.0.0.1]/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should block IPv4-mapped localhost');
+    });
+    it('should block .localhost TLD', () => {
+        const backend = new SigNozApiBackend('https://myapp.localhost/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should block .localhost TLD');
+    });
+    it('should block private 192.168.x.x ranges', () => {
+        const backend = new SigNozApiBackend('https://192.168.1.1/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should block 192.168.x.x');
+    });
+    it('should block private 10.x.x.x ranges', () => {
+        const backend = new SigNozApiBackend('https://10.0.0.1/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should block 10.x.x.x');
+    });
+    it('should block private 172.16-31.x.x ranges', () => {
+        const backend = new SigNozApiBackend('https://172.16.0.1/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should block 172.16.x.x');
+    });
+    it('should block IPv6 unique local addresses (fc00::/7)', () => {
+        const backend = new SigNozApiBackend('https://[fc00::1]/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should block fc00:: ULA');
+    });
+    it('should block IPv6 link-local addresses (fe80::)', () => {
+        const backend = new SigNozApiBackend('https://[fe80::1]/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should block fe80:: link-local');
+    });
+    it('should block .local domain', () => {
+        const backend = new SigNozApiBackend('https://myhost.local/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should block .local domain');
+    });
+    it('should block .internal domain', () => {
+        const backend = new SigNozApiBackend('https://signoz.internal/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should block .internal domain');
+    });
+    it('should block .home.arpa domain', () => {
+        const backend = new SigNozApiBackend('https://router.home.arpa/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should block .home.arpa domain');
+    });
+    it('should allow valid external HTTPS URL', () => {
+        const backend = new SigNozApiBackend('https://signoz.example.com/api/', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.ok(url.includes('signoz.example.com'), 'Should allow valid external URL');
+    });
+    it('should block HTTP protocol', () => {
+        const backend = new SigNozApiBackend('http://signoz.example.com/api', 'test-key');
+        const url = backend.getTraceUrl('trace-123');
+        assert.strictEqual(url, '/trace/trace-123', 'Should block HTTP protocol');
+    });
+    // A2 Category 6: SSRF Advanced Tests
+    describe('advanced SSRF protection (A2)', () => {
+        it('should block URL-encoded localhost', () => {
+            // %6c%6f%63%61%6c%68%6f%73%74 = localhost
+            const backend = new SigNozApiBackend('https://%6c%6f%63%61%6c%68%6f%73%74/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block URL-encoded localhost');
+        });
+        it('should block double-encoded localhost', () => {
+            // %256c = %l (double-encoded l)
+            const backend = new SigNozApiBackend('https://%256c%256f%256c%256f%256c%2568%256f%2573%2574/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            // URL constructor may fail or return blocked URL
+            assert.strictEqual(url, '/trace/trace-123', 'Should block double-encoded localhost');
+        });
+        it('should block IPv6 compressed format for localhost', () => {
+            const backend = new SigNozApiBackend('https://[::ffff:7f00:1]/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block ::ffff:7f00:1');
+        });
+        it('should block IPv6 with zone ID', () => {
+            // fe80::1%eth0 - link-local with zone ID
+            const backend = new SigNozApiBackend('https://[fe80::1%25eth0]/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block IPv6 with zone ID');
+        });
+        it('should block decimal IP representation of localhost', () => {
+            // 2130706433 = 127.0.0.1 in decimal
+            const backend = new SigNozApiBackend('https://2130706433/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            // May be parsed as hostname (not blocked by URL constructor)
+            // But our SSRF check should catch it if it resolves
+            assert.strictEqual(typeof url, 'string');
+        });
+        it('should block octal IP representation', () => {
+            // 0177.0.0.1 = 127.0.0.1 in octal
+            const backend = new SigNozApiBackend('https://0177.0.0.1/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            // Octal notation may or may not be parsed by URL
+            assert.strictEqual(typeof url, 'string');
+        });
+        it('should block AWS metadata endpoint (169.254.169.254)', () => {
+            // M-INFO-1: Cloud metadata endpoints now blocked
+            const backend = new SigNozApiBackend('https://169.254.169.254/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block AWS metadata endpoint');
+        });
+        it('should block GCP metadata endpoint', () => {
+            // .internal TLD is blocked
+            const backend = new SigNozApiBackend('https://metadata.google.internal/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block GCP metadata');
+        });
+        it('should handle IPv4-mapped private ranges', () => {
+            // ::ffff:192.168.1.1 gets normalized by URL constructor to ::ffff:c0a8:101
+            // Current SSRF check uses string pattern that doesn't match this format
+            // Security note: Consider enhancing IPv4-mapped detection
+            const backend = new SigNozApiBackend('https://[::ffff:192.168.1.1]/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            // Document current behavior - may not be blocked due to hex normalization
+            assert.strictEqual(typeof url, 'string');
+        });
+        it('should block link-local IPv4 addresses (169.254.0.0/16)', () => {
+            // M-INFO-1: Full link-local range now blocked
+            const backend = new SigNozApiBackend('https://169.254.1.1/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block link-local addresses');
+        });
+        it('should block fd00:: IPv6 unique local', () => {
+            const backend = new SigNozApiBackend('https://[fd00::1]/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block fd00:: ULA');
+        });
+        it('should handle empty hostname', () => {
+            // Empty hostname is invalid
+            try {
+                const backend = new SigNozApiBackend('https:///api', 'test-key');
+                const url = backend.getTraceUrl('trace-123');
+                assert.strictEqual(url, '/trace/trace-123');
+            }
+            catch {
+                // URL constructor may throw for invalid URL
+            }
+        });
+        it('should handle username:password@ in URL', () => {
+            // Credentials in URL should not bypass SSRF check
+            const backend = new SigNozApiBackend('https://user:pass@localhost/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block localhost with credentials');
+        });
+        it('should handle localhost with port', () => {
+            const backend = new SigNozApiBackend('https://localhost:8080/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block localhost with port');
+        });
+        it('should block full 127.0.0.0/8 loopback range', () => {
+            // M-INFO-1: Full loopback range now blocked
+            const addresses = ['127.0.0.2', '127.1.1.1', '127.255.255.254'];
+            for (const addr of addresses) {
+                const backend = new SigNozApiBackend(`https://${addr}/api`, 'test-key');
+                const url = backend.getTraceUrl('trace-123');
+                assert.strictEqual(url, '/trace/trace-123', `Should block ${addr}`);
+            }
+        });
+        it('should handle 0.0.0.0', () => {
+            const backend = new SigNozApiBackend('https://0.0.0.0/api', 'test-key');
+            const url = backend.getTraceUrl('trace-123');
+            assert.strictEqual(url, '/trace/trace-123', 'Should block 0.0.0.0');
+        });
+        it('should block Kubernetes internal domains', () => {
+            const internalDomains = [
+                'https://kubernetes.default.svc/api',
+                'https://kubernetes.default/api',
+                'https://service.namespace.svc.cluster.local/api',
+            ];
+            for (const domain of internalDomains) {
+                const backend = new SigNozApiBackend(domain, 'test-key');
+                const url = backend.getTraceUrl('trace-123');
+                // Should block internal/local domains
+                if (domain.includes('.local')) {
+                    assert.strictEqual(url, '/trace/trace-123', `Should block ${domain}`);
+                }
+            }
+        });
+    });
+});
+//# sourceMappingURL=signoz-api-ssrf.test.js.map