occ-cloudflare 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.ts +12 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +110 -4
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
- package/src/index.ts +145 -4
package/dist/index.d.ts
CHANGED
|
@@ -21,6 +21,18 @@ export interface OCCCloudflareOptions {
|
|
|
21
21
|
measurement?: string;
|
|
22
22
|
/** Agent identifier for metadata. Default: "cloudflare-worker" */
|
|
23
23
|
agentId?: string;
|
|
24
|
+
/** Raw policy markdown content. Since Cloudflare Workers cannot use
|
|
25
|
+
* node:fs, pass the policy content directly (e.g. from KV, D1, or
|
|
26
|
+
* an environment variable). The policy is committed as slot 0 and
|
|
27
|
+
* tools not in the allowedTools list will be blocked. */
|
|
28
|
+
policyContent?: string;
|
|
29
|
+
/** Pre-built policy binding (alternative to policyContent). */
|
|
30
|
+
policyBinding?: {
|
|
31
|
+
digestB64: string;
|
|
32
|
+
authorProofDigestB64?: string;
|
|
33
|
+
name?: string;
|
|
34
|
+
version?: string;
|
|
35
|
+
};
|
|
24
36
|
}
|
|
25
37
|
export interface ProofLogEntry {
|
|
26
38
|
timestamp: string;
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAA6B,KAAK,QAAQ,EAAyB,MAAM,UAAU,CAAC;AAQ3F,MAAM,WAAW,oBAAoB;IACnC,4EAA4E;IAC5E,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAA6B,KAAK,QAAQ,EAAyB,MAAM,UAAU,CAAC;AAQ3F,MAAM,WAAW,oBAAoB;IACnC,4EAA4E;IAC5E,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;8DAG0D;IAC1D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,+DAA+D;IAC/D,aAAa,CAAC,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CACvG;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,eAAe,GAAG,gBAAgB,CAAC;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,OAAO,EAAE,QAAQ,CAAC;CACnB;AAED,MAAM,WAAW,aAAa,CAAC,CAAC,GAAG,OAAO;IACxC,+BAA+B;IAC/B,MAAM,EAAE,CAAC,CAAC;IACV,2CAA2C;IAC3C,MAAM,EAAE,aAAa,EAAE,CAAC;CACzB;AAuLD;;;;;;;;;;GAUG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS;IAAE,OAAO,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAA;CAAE,EACzE,IAAI,EAAE,CAAC,EACP,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,oBAAoB,GAC7B,CAAC,GAAG;IAAE,OAAO,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,aAAa,CAAC,CAAA;CAAE,CA8F7D;AAMD;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC1D,OAAO,EAAE,CAAC,EACV,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,oBAAoB,GAC7B,CAAC,CAqGH;AAED;;;GAGG;AACH,wBAAgB,WAAW,IAAI,IAAI,CAElC"}
|
package/dist/index.js
CHANGED
|
@@ -54,7 +54,7 @@ class InMemoryHost {
|
|
|
54
54
|
}
|
|
55
55
|
}
|
|
56
56
|
let signerPromise;
|
|
57
|
-
async function getSigner(measurement) {
|
|
57
|
+
async function getSigner(measurement, opts) {
|
|
58
58
|
if (signerPromise)
|
|
59
59
|
return signerPromise;
|
|
60
60
|
signerPromise = (async () => {
|
|
@@ -67,7 +67,49 @@ async function getSigner(measurement) {
|
|
|
67
67
|
policy: { requireCounter: true, requireTime: true },
|
|
68
68
|
});
|
|
69
69
|
const publicKeyB64 = uint8ToBase64(publicKey);
|
|
70
|
-
|
|
70
|
+
const state = { constructor, host, publicKeyB64, lastProofHash: undefined };
|
|
71
|
+
// ── Policy enforcement: commit policy as slot 0 ──
|
|
72
|
+
if (opts?.policyContent) {
|
|
73
|
+
const policyMd = opts.policyContent;
|
|
74
|
+
const policyBytes = new TextEncoder().encode(policyMd);
|
|
75
|
+
const policyDigestB64 = uint8ToBase64(sha256(policyBytes));
|
|
76
|
+
// Parse allowed tools for enforcement
|
|
77
|
+
const allowedTools = new Set();
|
|
78
|
+
const toolSection = policyMd.match(/##\s+Allowed\s+Tools[\s\S]*?(?=\n##|$)/i);
|
|
79
|
+
if (toolSection) {
|
|
80
|
+
const toolLines = toolSection[0].split("\n");
|
|
81
|
+
for (const line of toolLines) {
|
|
82
|
+
const match = line.match(/^[-*]\s+(.+)/);
|
|
83
|
+
if (match)
|
|
84
|
+
allowedTools.add(match[1].trim());
|
|
85
|
+
}
|
|
86
|
+
}
|
|
87
|
+
// Extract name
|
|
88
|
+
const nameMatch = policyMd.match(/^#\s+Policy:\s*(.+)/m);
|
|
89
|
+
const name = nameMatch ? nameMatch[1].trim() : undefined;
|
|
90
|
+
// Commit the policy as a proof (slot 0)
|
|
91
|
+
const commitInput = {
|
|
92
|
+
digestB64: policyDigestB64,
|
|
93
|
+
metadata: { kind: "policy-commitment", policyName: name, adapter: "occ-cloudflare" },
|
|
94
|
+
};
|
|
95
|
+
if (state.lastProofHash)
|
|
96
|
+
commitInput.prevProofHashB64 = state.lastProofHash;
|
|
97
|
+
const policyProof = await constructor.commitDigest(commitInput);
|
|
98
|
+
const proofHash = uint8ToBase64(sha256(canonicalize(policyProof)));
|
|
99
|
+
state.lastProofHash = proofHash;
|
|
100
|
+
state.policy = {
|
|
101
|
+
binding: {
|
|
102
|
+
digestB64: policyDigestB64,
|
|
103
|
+
authorProofDigestB64: proofHash,
|
|
104
|
+
name,
|
|
105
|
+
},
|
|
106
|
+
allowedTools: allowedTools.size > 0 ? allowedTools : undefined,
|
|
107
|
+
};
|
|
108
|
+
}
|
|
109
|
+
else if (opts?.policyBinding) {
|
|
110
|
+
state.policy = { binding: opts.policyBinding };
|
|
111
|
+
}
|
|
112
|
+
return state;
|
|
71
113
|
})();
|
|
72
114
|
return signerPromise;
|
|
73
115
|
}
|
|
@@ -89,6 +131,8 @@ async function signDigest(digestB64, metadata, signer) {
|
|
|
89
131
|
const commitInput = { digestB64, metadata };
|
|
90
132
|
if (signer.lastProofHash)
|
|
91
133
|
commitInput.prevProofHashB64 = signer.lastProofHash;
|
|
134
|
+
if (signer.policy?.binding)
|
|
135
|
+
commitInput.policy = signer.policy.binding;
|
|
92
136
|
const proof = await signer.constructor.commitDigest(commitInput);
|
|
93
137
|
// Chain: store this proof's hash for the next commit
|
|
94
138
|
const proofHash = uint8ToBase64(sha256(canonicalize(proof)));
|
|
@@ -116,10 +160,41 @@ export function occWrapTool(tool, name, options) {
|
|
|
116
160
|
if (!originalExecute) {
|
|
117
161
|
return { ...tool, execute: async () => ({ result: undefined, proofs: [] }) };
|
|
118
162
|
}
|
|
163
|
+
const policyContent = options?.policyContent;
|
|
164
|
+
const policyBinding = options?.policyBinding;
|
|
119
165
|
const wrappedExecute = async (...args) => {
|
|
120
166
|
const toolArgs = args[0] ?? {};
|
|
121
|
-
const signer = await getSigner(measurement);
|
|
167
|
+
const signer = await getSigner(measurement, { policyContent, policyBinding });
|
|
122
168
|
const proofs = [];
|
|
169
|
+
// ── Policy enforcement: block tools not in the allowlist ──
|
|
170
|
+
if (signer.policy?.allowedTools && !signer.policy.allowedTools.has(name)) {
|
|
171
|
+
const denialDigest = hashPayload({
|
|
172
|
+
tool: name,
|
|
173
|
+
args: toolArgs,
|
|
174
|
+
denied: true,
|
|
175
|
+
reason: `Tool "${name}" not in policy allowedTools`,
|
|
176
|
+
});
|
|
177
|
+
const denialProof = await signDigest(denialDigest, {
|
|
178
|
+
phase: "pre-execution",
|
|
179
|
+
tool: name,
|
|
180
|
+
agentId,
|
|
181
|
+
denied: true,
|
|
182
|
+
reason: `Tool "${name}" not in policy allowedTools`,
|
|
183
|
+
}, signer);
|
|
184
|
+
proofs.push({
|
|
185
|
+
timestamp: new Date().toISOString(),
|
|
186
|
+
phase: "pre-execution",
|
|
187
|
+
tool: name,
|
|
188
|
+
agentId,
|
|
189
|
+
args: toolArgs,
|
|
190
|
+
proofDigestB64: denialDigest,
|
|
191
|
+
receipt: denialProof,
|
|
192
|
+
});
|
|
193
|
+
return {
|
|
194
|
+
result: `[OCC] Tool "${name}" blocked by policy. Not in allowed tools list.`,
|
|
195
|
+
proofs,
|
|
196
|
+
};
|
|
197
|
+
}
|
|
123
198
|
// Pre-execution proof
|
|
124
199
|
const preDigest = hashPayload({ tool: name, args: toolArgs });
|
|
125
200
|
const preProof = await signDigest(preDigest, {
|
|
@@ -177,6 +252,8 @@ export function occWrapTool(tool, name, options) {
|
|
|
177
252
|
export function occWrapBinding(binding, name, options) {
|
|
178
253
|
const measurement = options?.measurement ?? "occ-cloudflare:stub";
|
|
179
254
|
const agentId = options?.agentId ?? "cloudflare-worker";
|
|
255
|
+
const policyContent = options?.policyContent;
|
|
256
|
+
const policyBinding = options?.policyBinding;
|
|
180
257
|
return new Proxy(binding, {
|
|
181
258
|
get(target, prop) {
|
|
182
259
|
const original = target[prop];
|
|
@@ -184,8 +261,37 @@ export function occWrapBinding(binding, name, options) {
|
|
|
184
261
|
return original;
|
|
185
262
|
return async (...args) => {
|
|
186
263
|
const methodName = `${name}.${String(prop)}`;
|
|
187
|
-
const signer = await getSigner(measurement);
|
|
264
|
+
const signer = await getSigner(measurement, { policyContent, policyBinding });
|
|
188
265
|
const proofs = [];
|
|
266
|
+
// ── Policy enforcement: block tools not in the allowlist ──
|
|
267
|
+
if (signer.policy?.allowedTools && !signer.policy.allowedTools.has(methodName)) {
|
|
268
|
+
const denialDigest = hashPayload({
|
|
269
|
+
tool: methodName,
|
|
270
|
+
args: args.length === 1 ? args[0] : args,
|
|
271
|
+
denied: true,
|
|
272
|
+
reason: `Tool "${methodName}" not in policy allowedTools`,
|
|
273
|
+
});
|
|
274
|
+
const denialProof = await signDigest(denialDigest, {
|
|
275
|
+
phase: "pre-execution",
|
|
276
|
+
tool: methodName,
|
|
277
|
+
agentId,
|
|
278
|
+
denied: true,
|
|
279
|
+
reason: `Tool "${methodName}" not in policy allowedTools`,
|
|
280
|
+
}, signer);
|
|
281
|
+
proofs.push({
|
|
282
|
+
timestamp: new Date().toISOString(),
|
|
283
|
+
phase: "pre-execution",
|
|
284
|
+
tool: methodName,
|
|
285
|
+
agentId,
|
|
286
|
+
args: args.length === 1 ? args[0] : { _args: args },
|
|
287
|
+
proofDigestB64: denialDigest,
|
|
288
|
+
receipt: denialProof,
|
|
289
|
+
});
|
|
290
|
+
return {
|
|
291
|
+
result: `[OCC] Tool "${methodName}" blocked by policy. Not in allowed tools list.`,
|
|
292
|
+
proofs,
|
|
293
|
+
};
|
|
294
|
+
}
|
|
189
295
|
// Pre-execution proof
|
|
190
296
|
const preDigest = hashPayload({
|
|
191
297
|
tool: methodName,
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,sCAAsC;AACtC,mCAAmC;AAEnC;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAwC,MAAM,UAAU,CAAC;AAC3F,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAC;AA0CrC,MAAM,YAAY;IACP,eAAe,GAAG,MAAe,CAAC;IAClC,WAAW,CAAa;IACxB,UAAU,CAAa;IACvB,YAAY,CAAS;IAC9B,QAAQ,GAAG,EAAE,CAAC;IAEd,YAAY,UAAsB,EAAE,SAAqB,EAAE,WAAmB;QAC5E,IAAI,CAAC,WAAW,GAAG,UAAU,CAAC;QAC9B,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;QAC5B,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,aAAa;QACjB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,IAAgB;QACzB,OAAO,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IAC9C,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,WAAW;QACf,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,UAAU;QACd,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC;IACpB,CAAC;CACF;AAED,IAAI,aAA+C,CAAC;AAEpD,KAAK,UAAU,SAAS,CAAC,WAAmB;IAC1C,IAAI,aAAa;QAAE,OAAO,aAAa,CAAC;IAExC,aAAa,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,gDAAgD;QAChD,MAAM,UAAU,GAAG,EAAE,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QAEzD,MAAM,IAAI,GAAG,IAAI,YAAY,CAAC,UAAU,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;QAElE,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,UAAU,CAAC;YAC/C,IAAI;YACJ,MAAM,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;SACpD,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;QAC9C,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,CAAC;IACvE,CAAC,CAAC,EAAE,CAAC;IAEL,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,8EAA8E;AAC9E,8DAA8D;AAC9D,8EAA8E;AAE9E,SAAS,aAAa,CAAC,KAAiB;IACtC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC;AAED,SAAS,WAAW,CAAC,IAAa;IAChC,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IAC7D,OAAO,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;AACtC,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,SAAiB,EACjB,QAAiC,EACjC,MAAmB;IAEnB,MAAM,WAAW,GAIb,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;IAE5B,IAAI,MAAM,CAAC,aAAa;QAAE,WAAW,CAAC,gBAAgB,GAAG,MAAM,CAAC,aAAa,CAAC;IAE9E,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;IAEjE,qDAAqD;IACrD,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC7D,MAAM,CAAC,aAAa,GAAG,SAAS,CAAC;IAEjC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAM,UAAU,WAAW,CACzB,IAAO,EACP,IAAY,EACZ,OAA8B;IAE9B,MAAM,WAAW,GAAG,OAAO,EAAE,WAAW,IAAI,qBAAqB,CAAC;IAClE,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,mBAAmB,CAAC;IAExD,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC;IACrC,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,EAAS,CAAC;IACtF,CAAC;IAED,MAAM,cAAc,GAAG,KAAK,EAAE,GAAG,IAAW,EAA0B,EAAE;QACtE,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,WAAW,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAoB,EAAE,CAAC;QAEnC,sBAAsB;QACtB,MAAM,SAAS,GAAG,WAAW,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,SAAS,EAAE;YAC3C,KAAK,EAAE,eAAe;YACtB,IAAI,EAAE,IAAI;YACV,OAAO;SACR,EAAE,MAAM,CAAC,CAAC;QAEX,MAAM,CAAC,IAAI,CAAC;YACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,eAAe;YACtB,IAAI,EAAE,IAAI;YACV,OAAO;YACP,IAAI,EAAE,QAAQ;YACd,cAAc,EAAE,SAAS;YACzB,OAAO,EAAE,QAAQ;SAClB,CAAC,CAAC;QAEH,wBAAwB;QACxB,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAEvD,uBAAuB;QACvB,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;QACvE,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE;YAC7C,KAAK,EAAE,gBAAgB;YACvB,IAAI,EAAE,IAAI;YACV,OAAO;SACR,EAAE,MAAM,CAAC,CAAC;QAEX,MAAM,CAAC,IAAI,CAAC;YACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,gBAAgB;YACvB,IAAI,EAAE,IAAI;YACV,OAAO;YACP,IAAI,EAAE,QAAQ;YACd,MAAM,EAAE,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM;YACnE,cAAc,EAAE,UAAU;YAC1B,OAAO,EAAE,SAAS;SACnB,CAAC,CAAC;QAEH,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IAC5B,CAAC,CAAC;IAEF,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,cAAc,EAAS,CAAC;AACrD,CAAC;AAED,8EAA8E;AAC9E,mDAAmD;AACnD,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAC5B,OAAU,EACV,IAAY,EACZ,OAA8B;IAE9B,MAAM,WAAW,GAAG,OAAO,EAAE,WAAW,IAAI,qBAAqB,CAAC;IAClE,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,mBAAmB,CAAC;IAExD,OAAO,IAAI,KAAK,CAAC,OAAO,EAAE;QACxB,GAAG,CAAC,MAAM,EAAE,IAAqB;YAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAe,CAAC,CAAC;YACzC,IAAI,OAAO,QAAQ,KAAK,UAAU;gBAAE,OAAO,QAAQ,CAAC;YAEpD,OAAO,KAAK,EAAE,GAAG,IAAW,EAA0B,EAAE;gBACtD,MAAM,UAAU,GAAG,GAAG,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,WAAW,CAAC,CAAC;gBAC5C,MAAM,MAAM,GAAoB,EAAE,CAAC;gBAEnC,sBAAsB;gBACtB,MAAM,SAAS,GAAG,WAAW,CAAC;oBAC5B,IAAI,EAAE,UAAU;oBAChB,IAAI,EAAE,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI;iBACzC,CAAC,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,SAAS,EAAE;oBAC3C,KAAK,EAAE,eAAe;oBACtB,IAAI,EAAE,UAAU;oBAChB,OAAO;iBACR,EAAE,MAAM,CAAC,CAAC;gBAEX,MAAM,CAAC,IAAI,CAAC;oBACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACnC,KAAK,EAAE,eAAe;oBACtB,IAAI,EAAE,UAAU;oBAChB,OAAO;oBACP,IAAI,EAAE,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE;oBACnD,cAAc,EAAE,SAAS;oBACzB,OAAO,EAAE,QAAQ;iBAClB,CAAC,CAAC;gBAEH,0BAA0B;gBAC1B,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;gBAElD,uBAAuB;gBACvB,MAAM,UAAU,GAAG,WAAW,CAAC;oBAC7B,IAAI,EAAE,UAAU;oBAChB,IAAI,EAAE,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI;oBACxC,MAAM;iBACP,CAAC,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE;oBAC7C,KAAK,EAAE,gBAAgB;oBACvB,IAAI,EAAE,UAAU;oBAChB,OAAO;iBACR,EAAE,MAAM,CAAC,CAAC;gBAEX,MAAM,CAAC,IAAI,CAAC;oBACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACnC,KAAK,EAAE,gBAAgB;oBACvB,IAAI,EAAE,UAAU;oBAChB,OAAO;oBACP,IAAI,EAAE,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE;oBACnD,MAAM,EAAE,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM;oBACnE,cAAc,EAAE,UAAU;oBAC1B,OAAO,EAAE,SAAS;iBACnB,CAAC,CAAC;gBAEH,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;YAC5B,CAAC,CAAC;QACJ,CAAC;KACF,CAAM,CAAC;AACV,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW;IACzB,aAAa,GAAG,SAAS,CAAC;AAC5B,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,sCAAsC;AACtC,mCAAmC;AAEnC;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAwC,MAAM,UAAU,CAAC;AAC3F,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAC;AAwDrC,MAAM,YAAY;IACP,eAAe,GAAG,MAAe,CAAC;IAClC,WAAW,CAAa;IACxB,UAAU,CAAa;IACvB,YAAY,CAAS;IAC9B,QAAQ,GAAG,EAAE,CAAC;IAEd,YAAY,UAAsB,EAAE,SAAqB,EAAE,WAAmB;QAC5E,IAAI,CAAC,WAAW,GAAG,UAAU,CAAC;QAC9B,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;QAC5B,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,aAAa;QACjB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,IAAgB;QACzB,OAAO,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IAC9C,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,WAAW;QACf,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,UAAU;QACd,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC;IACpB,CAAC;CACF;AAED,IAAI,aAA+C,CAAC;AAEpD,KAAK,UAAU,SAAS,CAAC,WAAmB,EAAE,IAG7C;IACC,IAAI,aAAa;QAAE,OAAO,aAAa,CAAC;IAExC,aAAa,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,gDAAgD;QAChD,MAAM,UAAU,GAAG,EAAE,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QAEzD,MAAM,IAAI,GAAG,IAAI,YAAY,CAAC,UAAU,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;QAElE,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,UAAU,CAAC;YAC/C,IAAI;YACJ,MAAM,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;SACpD,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAgB,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,CAAC;QAEzF,oDAAoD;QACpD,IAAI,IAAI,EAAE,aAAa,EAAE,CAAC;YACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC;YACpC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACvD,MAAM,eAAe,GAAG,aAAa,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;YAE3D,sCAAsC;YACtC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;YACvC,MAAM,WAAW,GAAG,QAAQ,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;YAC9E,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,SAAS,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC7C,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;oBAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;oBACzC,IAAI,KAAK;wBAAE,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC/C,CAAC;YACH,CAAC;YAED,eAAe;YACf,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;YACzD,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;YAEzD,wCAAwC;YACxC,MAAM,WAAW,GAIb;gBACF,SAAS,EAAE,eAAe;gBAC1B,QAAQ,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,gBAAgB,EAAE;aACrF,CAAC;YACF,IAAI,KAAK,CAAC,aAAa;gBAAE,WAAW,CAAC,gBAAgB,GAAG,KAAK,CAAC,aAAa,CAAC;YAE5E,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;YAChE,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;YACnE,KAAK,CAAC,aAAa,GAAG,SAAS,CAAC;YAEhC,KAAK,CAAC,MAAM,GAAG;gBACb,OAAO,EAAE;oBACP,SAAS,EAAE,eAAe;oBAC1B,oBAAoB,EAAE,SAAS;oBAC/B,IAAI;iBACL;gBACD,YAAY,EAAE,YAAY,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAC/D,CAAC;QACJ,CAAC;aAAM,IAAI,IAAI,EAAE,aAAa,EAAE,CAAC;YAC/B,KAAK,CAAC,MAAM,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC;QACjD,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,EAAE,CAAC;IAEL,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,8EAA8E;AAC9E,8DAA8D;AAC9D,8EAA8E;AAE9E,SAAS,aAAa,CAAC,KAAiB;IACtC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC;AAED,SAAS,WAAW,CAAC,IAAa;IAChC,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IAC7D,OAAO,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;AACtC,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,SAAiB,EACjB,QAAiC,EACjC,MAAmB;IAEnB,MAAM,WAAW,GAKb,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;IAE5B,IAAI,MAAM,CAAC,aAAa;QAAE,WAAW,CAAC,gBAAgB,GAAG,MAAM,CAAC,aAAa,CAAC;IAC9E,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO;QAAE,WAAW,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;IAEvE,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;IAEjE,qDAAqD;IACrD,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC7D,MAAM,CAAC,aAAa,GAAG,SAAS,CAAC;IAEjC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAM,UAAU,WAAW,CACzB,IAAO,EACP,IAAY,EACZ,OAA8B;IAE9B,MAAM,WAAW,GAAG,OAAO,EAAE,WAAW,IAAI,qBAAqB,CAAC;IAClE,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,mBAAmB,CAAC;IAExD,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC;IACrC,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,EAAS,CAAC;IACtF,CAAC;IAED,MAAM,aAAa,GAAG,OAAO,EAAE,aAAa,CAAC;IAC7C,MAAM,aAAa,GAAG,OAAO,EAAE,aAAa,CAAC;IAE7C,MAAM,cAAc,GAAG,KAAK,EAAE,GAAG,IAAW,EAA0B,EAAE;QACtE,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,WAAW,EAAE,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC,CAAC;QAC9E,MAAM,MAAM,GAAoB,EAAE,CAAC;QAEnC,6DAA6D;QAC7D,IAAI,MAAM,CAAC,MAAM,EAAE,YAAY,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACzE,MAAM,YAAY,GAAG,WAAW,CAAC;gBAC/B,IAAI,EAAE,IAAI;gBACV,IAAI,EAAE,QAAQ;gBACd,MAAM,EAAE,IAAI;gBACZ,MAAM,EAAE,SAAS,IAAI,8BAA8B;aACpD,CAAC,CAAC;YAEH,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,YAAY,EAAE;gBACjD,KAAK,EAAE,eAAe;gBACtB,IAAI,EAAE,IAAI;gBACV,OAAO;gBACP,MAAM,EAAE,IAAI;gBACZ,MAAM,EAAE,SAAS,IAAI,8BAA8B;aACpD,EAAE,MAAM,CAAC,CAAC;YAEX,MAAM,CAAC,IAAI,CAAC;gBACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,KAAK,EAAE,eAAe;gBACtB,IAAI,EAAE,IAAI;gBACV,OAAO;gBACP,IAAI,EAAE,QAAQ;gBACd,cAAc,EAAE,YAAY;gBAC5B,OAAO,EAAE,WAAW;aACrB,CAAC,CAAC;YAEH,OAAO;gBACL,MAAM,EAAE,eAAe,IAAI,iDAAmE;gBAC9F,MAAM;aACP,CAAC;QACJ,CAAC;QAED,sBAAsB;QACtB,MAAM,SAAS,GAAG,WAAW,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,SAAS,EAAE;YAC3C,KAAK,EAAE,eAAe;YACtB,IAAI,EAAE,IAAI;YACV,OAAO;SACR,EAAE,MAAM,CAAC,CAAC;QAEX,MAAM,CAAC,IAAI,CAAC;YACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,eAAe;YACtB,IAAI,EAAE,IAAI;YACV,OAAO;YACP,IAAI,EAAE,QAAQ;YACd,cAAc,EAAE,SAAS;YACzB,OAAO,EAAE,QAAQ;SAClB,CAAC,CAAC;QAEH,wBAAwB;QACxB,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAEvD,uBAAuB;QACvB,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;QACvE,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE;YAC7C,KAAK,EAAE,gBAAgB;YACvB,IAAI,EAAE,IAAI;YACV,OAAO;SACR,EAAE,MAAM,CAAC,CAAC;QAEX,MAAM,CAAC,IAAI,CAAC;YACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,gBAAgB;YACvB,IAAI,EAAE,IAAI;YACV,OAAO;YACP,IAAI,EAAE,QAAQ;YACd,MAAM,EAAE,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM;YACnE,cAAc,EAAE,UAAU;YAC1B,OAAO,EAAE,SAAS;SACnB,CAAC,CAAC;QAEH,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IAC5B,CAAC,CAAC;IAEF,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,cAAc,EAAS,CAAC;AACrD,CAAC;AAED,8EAA8E;AAC9E,mDAAmD;AACnD,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAC5B,OAAU,EACV,IAAY,EACZ,OAA8B;IAE9B,MAAM,WAAW,GAAG,OAAO,EAAE,WAAW,IAAI,qBAAqB,CAAC;IAClE,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,mBAAmB,CAAC;IAExD,MAAM,aAAa,GAAG,OAAO,EAAE,aAAa,CAAC;IAC7C,MAAM,aAAa,GAAG,OAAO,EAAE,aAAa,CAAC;IAE7C,OAAO,IAAI,KAAK,CAAC,OAAO,EAAE;QACxB,GAAG,CAAC,MAAM,EAAE,IAAqB;YAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAe,CAAC,CAAC;YACzC,IAAI,OAAO,QAAQ,KAAK,UAAU;gBAAE,OAAO,QAAQ,CAAC;YAEpD,OAAO,KAAK,EAAE,GAAG,IAAW,EAA0B,EAAE;gBACtD,MAAM,UAAU,GAAG,GAAG,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,WAAW,EAAE,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC,CAAC;gBAC9E,MAAM,MAAM,GAAoB,EAAE,CAAC;gBAEnC,6DAA6D;gBAC7D,IAAI,MAAM,CAAC,MAAM,EAAE,YAAY,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC/E,MAAM,YAAY,GAAG,WAAW,CAAC;wBAC/B,IAAI,EAAE,UAAU;wBAChB,IAAI,EAAE,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI;wBACxC,MAAM,EAAE,IAAI;wBACZ,MAAM,EAAE,SAAS,UAAU,8BAA8B;qBAC1D,CAAC,CAAC;oBAEH,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,YAAY,EAAE;wBACjD,KAAK,EAAE,eAAe;wBACtB,IAAI,EAAE,UAAU;wBAChB,OAAO;wBACP,MAAM,EAAE,IAAI;wBACZ,MAAM,EAAE,SAAS,UAAU,8BAA8B;qBAC1D,EAAE,MAAM,CAAC,CAAC;oBAEX,MAAM,CAAC,IAAI,CAAC;wBACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,KAAK,EAAE,eAAe;wBACtB,IAAI,EAAE,UAAU;wBAChB,OAAO;wBACP,IAAI,EAAE,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE;wBACnD,cAAc,EAAE,YAAY;wBAC5B,OAAO,EAAE,WAAW;qBACrB,CAAC,CAAC;oBAEH,OAAO;wBACL,MAAM,EAAE,eAAe,UAAU,iDAAmE;wBACpG,MAAM;qBACP,CAAC;gBACJ,CAAC;gBAED,sBAAsB;gBACtB,MAAM,SAAS,GAAG,WAAW,CAAC;oBAC5B,IAAI,EAAE,UAAU;oBAChB,IAAI,EAAE,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI;iBACzC,CAAC,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,SAAS,EAAE;oBAC3C,KAAK,EAAE,eAAe;oBACtB,IAAI,EAAE,UAAU;oBAChB,OAAO;iBACR,EAAE,MAAM,CAAC,CAAC;gBAEX,MAAM,CAAC,IAAI,CAAC;oBACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACnC,KAAK,EAAE,eAAe;oBACtB,IAAI,EAAE,UAAU;oBAChB,OAAO;oBACP,IAAI,EAAE,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE;oBACnD,cAAc,EAAE,SAAS;oBACzB,OAAO,EAAE,QAAQ;iBAClB,CAAC,CAAC;gBAEH,0BAA0B;gBAC1B,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;gBAElD,uBAAuB;gBACvB,MAAM,UAAU,GAAG,WAAW,CAAC;oBAC7B,IAAI,EAAE,UAAU;oBAChB,IAAI,EAAE,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI;oBACxC,MAAM;iBACP,CAAC,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE;oBAC7C,KAAK,EAAE,gBAAgB;oBACvB,IAAI,EAAE,UAAU;oBAChB,OAAO;iBACR,EAAE,MAAM,CAAC,CAAC;gBAEX,MAAM,CAAC,IAAI,CAAC;oBACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACnC,KAAK,EAAE,gBAAgB;oBACvB,IAAI,EAAE,UAAU;oBAChB,OAAO;oBACP,IAAI,EAAE,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE;oBACnD,MAAM,EAAE,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM;oBACnE,cAAc,EAAE,UAAU;oBAC1B,OAAO,EAAE,SAAS;iBACnB,CAAC,CAAC;gBAEH,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;YAC5B,CAAC,CAAC;QACJ,CAAC;KACF,CAAM,CAAC;AACV,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW;IACzB,aAAa,GAAG,SAAS,CAAC;AAC5B,CAAC"}
|
package/package.json
CHANGED
package/src/index.ts
CHANGED
|
@@ -32,6 +32,13 @@ export interface OCCCloudflareOptions {
|
|
|
32
32
|
measurement?: string;
|
|
33
33
|
/** Agent identifier for metadata. Default: "cloudflare-worker" */
|
|
34
34
|
agentId?: string;
|
|
35
|
+
/** Raw policy markdown content. Since Cloudflare Workers cannot use
|
|
36
|
+
* node:fs, pass the policy content directly (e.g. from KV, D1, or
|
|
37
|
+
* an environment variable). The policy is committed as slot 0 and
|
|
38
|
+
* tools not in the allowedTools list will be blocked. */
|
|
39
|
+
policyContent?: string;
|
|
40
|
+
/** Pre-built policy binding (alternative to policyContent). */
|
|
41
|
+
policyBinding?: { digestB64: string; authorProofDigestB64?: string; name?: string; version?: string };
|
|
35
42
|
}
|
|
36
43
|
|
|
37
44
|
export interface ProofLogEntry {
|
|
@@ -56,11 +63,18 @@ export interface WrappedResult<T = unknown> {
|
|
|
56
63
|
// In-memory signer (no filesystem, no occ-stub)
|
|
57
64
|
// ---------------------------------------------------------------------------
|
|
58
65
|
|
|
66
|
+
/** Policy binding state for the signer. */
|
|
67
|
+
interface PolicyState {
|
|
68
|
+
binding: { digestB64: string; authorProofDigestB64?: string; name?: string; version?: string };
|
|
69
|
+
allowedTools?: Set<string>;
|
|
70
|
+
}
|
|
71
|
+
|
|
59
72
|
interface SignerState {
|
|
60
73
|
constructor: Constructor;
|
|
61
74
|
host: InMemoryHost;
|
|
62
75
|
publicKeyB64: string;
|
|
63
76
|
lastProofHash: string | undefined;
|
|
77
|
+
policy?: PolicyState;
|
|
64
78
|
}
|
|
65
79
|
|
|
66
80
|
class InMemoryHost implements HostCapabilities {
|
|
@@ -106,7 +120,10 @@ class InMemoryHost implements HostCapabilities {
|
|
|
106
120
|
|
|
107
121
|
let signerPromise: Promise<SignerState> | undefined;
|
|
108
122
|
|
|
109
|
-
async function getSigner(measurement: string
|
|
123
|
+
async function getSigner(measurement: string, opts?: {
|
|
124
|
+
policyContent?: string;
|
|
125
|
+
policyBinding?: { digestB64: string; authorProofDigestB64?: string; name?: string; version?: string };
|
|
126
|
+
}): Promise<SignerState> {
|
|
110
127
|
if (signerPromise) return signerPromise;
|
|
111
128
|
|
|
112
129
|
signerPromise = (async () => {
|
|
@@ -122,7 +139,57 @@ async function getSigner(measurement: string): Promise<SignerState> {
|
|
|
122
139
|
});
|
|
123
140
|
|
|
124
141
|
const publicKeyB64 = uint8ToBase64(publicKey);
|
|
125
|
-
|
|
142
|
+
const state: SignerState = { constructor, host, publicKeyB64, lastProofHash: undefined };
|
|
143
|
+
|
|
144
|
+
// ── Policy enforcement: commit policy as slot 0 ──
|
|
145
|
+
if (opts?.policyContent) {
|
|
146
|
+
const policyMd = opts.policyContent;
|
|
147
|
+
const policyBytes = new TextEncoder().encode(policyMd);
|
|
148
|
+
const policyDigestB64 = uint8ToBase64(sha256(policyBytes));
|
|
149
|
+
|
|
150
|
+
// Parse allowed tools for enforcement
|
|
151
|
+
const allowedTools = new Set<string>();
|
|
152
|
+
const toolSection = policyMd.match(/##\s+Allowed\s+Tools[\s\S]*?(?=\n##|$)/i);
|
|
153
|
+
if (toolSection) {
|
|
154
|
+
const toolLines = toolSection[0].split("\n");
|
|
155
|
+
for (const line of toolLines) {
|
|
156
|
+
const match = line.match(/^[-*]\s+(.+)/);
|
|
157
|
+
if (match) allowedTools.add(match[1].trim());
|
|
158
|
+
}
|
|
159
|
+
}
|
|
160
|
+
|
|
161
|
+
// Extract name
|
|
162
|
+
const nameMatch = policyMd.match(/^#\s+Policy:\s*(.+)/m);
|
|
163
|
+
const name = nameMatch ? nameMatch[1].trim() : undefined;
|
|
164
|
+
|
|
165
|
+
// Commit the policy as a proof (slot 0)
|
|
166
|
+
const commitInput: {
|
|
167
|
+
digestB64: string;
|
|
168
|
+
metadata?: Record<string, unknown>;
|
|
169
|
+
prevProofHashB64?: string;
|
|
170
|
+
} = {
|
|
171
|
+
digestB64: policyDigestB64,
|
|
172
|
+
metadata: { kind: "policy-commitment", policyName: name, adapter: "occ-cloudflare" },
|
|
173
|
+
};
|
|
174
|
+
if (state.lastProofHash) commitInput.prevProofHashB64 = state.lastProofHash;
|
|
175
|
+
|
|
176
|
+
const policyProof = await constructor.commitDigest(commitInput);
|
|
177
|
+
const proofHash = uint8ToBase64(sha256(canonicalize(policyProof)));
|
|
178
|
+
state.lastProofHash = proofHash;
|
|
179
|
+
|
|
180
|
+
state.policy = {
|
|
181
|
+
binding: {
|
|
182
|
+
digestB64: policyDigestB64,
|
|
183
|
+
authorProofDigestB64: proofHash,
|
|
184
|
+
name,
|
|
185
|
+
},
|
|
186
|
+
allowedTools: allowedTools.size > 0 ? allowedTools : undefined,
|
|
187
|
+
};
|
|
188
|
+
} else if (opts?.policyBinding) {
|
|
189
|
+
state.policy = { binding: opts.policyBinding };
|
|
190
|
+
}
|
|
191
|
+
|
|
192
|
+
return state;
|
|
126
193
|
})();
|
|
127
194
|
|
|
128
195
|
return signerPromise;
|
|
@@ -154,9 +221,11 @@ async function signDigest(
|
|
|
154
221
|
digestB64: string;
|
|
155
222
|
metadata?: Record<string, unknown>;
|
|
156
223
|
prevProofHashB64?: string;
|
|
224
|
+
policy?: { digestB64: string; authorProofDigestB64?: string; name?: string; version?: string };
|
|
157
225
|
} = { digestB64, metadata };
|
|
158
226
|
|
|
159
227
|
if (signer.lastProofHash) commitInput.prevProofHashB64 = signer.lastProofHash;
|
|
228
|
+
if (signer.policy?.binding) commitInput.policy = signer.policy.binding;
|
|
160
229
|
|
|
161
230
|
const proof = await signer.constructor.commitDigest(commitInput);
|
|
162
231
|
|
|
@@ -195,11 +264,47 @@ export function occWrapTool<T extends { execute?: (...args: any[]) => any }>(
|
|
|
195
264
|
return { ...tool, execute: async () => ({ result: undefined, proofs: [] }) } as any;
|
|
196
265
|
}
|
|
197
266
|
|
|
267
|
+
const policyContent = options?.policyContent;
|
|
268
|
+
const policyBinding = options?.policyBinding;
|
|
269
|
+
|
|
198
270
|
const wrappedExecute = async (...args: any[]): Promise<WrappedResult> => {
|
|
199
271
|
const toolArgs = args[0] ?? {};
|
|
200
|
-
const signer = await getSigner(measurement);
|
|
272
|
+
const signer = await getSigner(measurement, { policyContent, policyBinding });
|
|
201
273
|
const proofs: ProofLogEntry[] = [];
|
|
202
274
|
|
|
275
|
+
// ── Policy enforcement: block tools not in the allowlist ──
|
|
276
|
+
if (signer.policy?.allowedTools && !signer.policy.allowedTools.has(name)) {
|
|
277
|
+
const denialDigest = hashPayload({
|
|
278
|
+
tool: name,
|
|
279
|
+
args: toolArgs,
|
|
280
|
+
denied: true,
|
|
281
|
+
reason: `Tool "${name}" not in policy allowedTools`,
|
|
282
|
+
});
|
|
283
|
+
|
|
284
|
+
const denialProof = await signDigest(denialDigest, {
|
|
285
|
+
phase: "pre-execution",
|
|
286
|
+
tool: name,
|
|
287
|
+
agentId,
|
|
288
|
+
denied: true,
|
|
289
|
+
reason: `Tool "${name}" not in policy allowedTools`,
|
|
290
|
+
}, signer);
|
|
291
|
+
|
|
292
|
+
proofs.push({
|
|
293
|
+
timestamp: new Date().toISOString(),
|
|
294
|
+
phase: "pre-execution",
|
|
295
|
+
tool: name,
|
|
296
|
+
agentId,
|
|
297
|
+
args: toolArgs,
|
|
298
|
+
proofDigestB64: denialDigest,
|
|
299
|
+
receipt: denialProof,
|
|
300
|
+
});
|
|
301
|
+
|
|
302
|
+
return {
|
|
303
|
+
result: `[OCC] Tool "${name}" blocked by policy. Not in allowed tools list.` as unknown as any,
|
|
304
|
+
proofs,
|
|
305
|
+
};
|
|
306
|
+
}
|
|
307
|
+
|
|
203
308
|
// Pre-execution proof
|
|
204
309
|
const preDigest = hashPayload({ tool: name, args: toolArgs });
|
|
205
310
|
const preProof = await signDigest(preDigest, {
|
|
@@ -270,6 +375,9 @@ export function occWrapBinding<B extends Record<string, any>>(
|
|
|
270
375
|
const measurement = options?.measurement ?? "occ-cloudflare:stub";
|
|
271
376
|
const agentId = options?.agentId ?? "cloudflare-worker";
|
|
272
377
|
|
|
378
|
+
const policyContent = options?.policyContent;
|
|
379
|
+
const policyBinding = options?.policyBinding;
|
|
380
|
+
|
|
273
381
|
return new Proxy(binding, {
|
|
274
382
|
get(target, prop: string | symbol) {
|
|
275
383
|
const original = target[prop as keyof B];
|
|
@@ -277,9 +385,42 @@ export function occWrapBinding<B extends Record<string, any>>(
|
|
|
277
385
|
|
|
278
386
|
return async (...args: any[]): Promise<WrappedResult> => {
|
|
279
387
|
const methodName = `${name}.${String(prop)}`;
|
|
280
|
-
const signer = await getSigner(measurement);
|
|
388
|
+
const signer = await getSigner(measurement, { policyContent, policyBinding });
|
|
281
389
|
const proofs: ProofLogEntry[] = [];
|
|
282
390
|
|
|
391
|
+
// ── Policy enforcement: block tools not in the allowlist ──
|
|
392
|
+
if (signer.policy?.allowedTools && !signer.policy.allowedTools.has(methodName)) {
|
|
393
|
+
const denialDigest = hashPayload({
|
|
394
|
+
tool: methodName,
|
|
395
|
+
args: args.length === 1 ? args[0] : args,
|
|
396
|
+
denied: true,
|
|
397
|
+
reason: `Tool "${methodName}" not in policy allowedTools`,
|
|
398
|
+
});
|
|
399
|
+
|
|
400
|
+
const denialProof = await signDigest(denialDigest, {
|
|
401
|
+
phase: "pre-execution",
|
|
402
|
+
tool: methodName,
|
|
403
|
+
agentId,
|
|
404
|
+
denied: true,
|
|
405
|
+
reason: `Tool "${methodName}" not in policy allowedTools`,
|
|
406
|
+
}, signer);
|
|
407
|
+
|
|
408
|
+
proofs.push({
|
|
409
|
+
timestamp: new Date().toISOString(),
|
|
410
|
+
phase: "pre-execution",
|
|
411
|
+
tool: methodName,
|
|
412
|
+
agentId,
|
|
413
|
+
args: args.length === 1 ? args[0] : { _args: args },
|
|
414
|
+
proofDigestB64: denialDigest,
|
|
415
|
+
receipt: denialProof,
|
|
416
|
+
});
|
|
417
|
+
|
|
418
|
+
return {
|
|
419
|
+
result: `[OCC] Tool "${methodName}" blocked by policy. Not in allowed tools list.` as unknown as any,
|
|
420
|
+
proofs,
|
|
421
|
+
};
|
|
422
|
+
}
|
|
423
|
+
|
|
283
424
|
// Pre-execution proof
|
|
284
425
|
const preDigest = hashPayload({
|
|
285
426
|
tool: methodName,
|