opencode-varlock 0.0.8 → 0.0.10

package/README.md

@@ -1,364 +1,106 @@
 # opencode-varlock
 
-OpenCode plugin that gives agents access to environment variables **without revealing secret values**.
+[![npm version](https://img.shields.io/npm/v/opencode-varlock)](https://www.npmjs.com/package/opencode-varlock)
+[![CI](https://github.com/itlackey/opencode-varlock/actions/workflows/test.yml/badge.svg)](https://github.com/itlackey/opencode-varlock/actions/workflows/test.yml)
 
-## The Problem
+OpenCode plugin that gives agents access to secrets without revealing the values. The plugin leverages [varlock](https://varlock.dev) and [opencode](https://opencode.ai) features to provide a multi-layered defense against intentional and accidental secret leakage by OpenCode agents.
 
-When an AI agent needs secrets (database URLs, API keys, tokens) to run your code, the obvious approach — letting it read `.env` — puts every secret directly into its context window. It can then echo them, log them, or hallucinate them into committed code.
+> [!Important]
+> This plugin is still early in development, and there is active work underway to improve its security model and edge-case protections. PRs, issue reports, and security feedback are very welcome.
 
-## How It Works
+## What it does
 
-Three layers enforce the boundary:
-
-```
-┌──────────────────────────────────────────────────┐
-│  Agent context window                            │
-│                                                  │
-│  "Loaded 3 vars: DB_URL, API_KEY, REDIS_HOST"   │
-│   ↑ names only, never values                     │
-│                                                  │
-├──────────────────────────────────────────────────┤
-│  Layer 1 — Custom tools (load_env / load_secrets)│
-│  Reads files or calls Varlock CLI, injects into  │
-│  process.env, returns only key names.            │
-├──────────────────────────────────────────────────┤
-│  Layer 2 — Permission rules                      │
-│  Glob-based deny rules block `cat .env`,         │
-│  `printenv`, `echo $SECRET`, etc.                │
-├──────────────────────────────────────────────────┤
-│  Layer 3 — EnvGuard hook                         │
-│  tool.execute.before intercept catches anything  │
-│  the glob rules miss (python -c, scripting       │
-│  escapes, indirect reads).                       │
-└──────────────────────────────────────────────────┘
-```
+- provides `load_env` so agents can use `.env` values without seeing them directly
+- provides `load_secrets` and `secret_status` when the [Varlock CLI](https://varlock.dev) is available
+- uses `varlock load --format json` and `varlock printenv` to integrate with the varlock.dev CLI
+- blocks direct secret reads with a `tool.execute.before` guard covering:
+  - 50+ bash deny patterns and 9 interpreter-based env read detectors
+  - 30+ file processor commands (`sed`, `awk`, `dd`, `tee`, `xxd`, etc.)
+  - shell redirects, encoding/eval bypasses, and variable listing commands
+  - varlock CLI self-exfiltration (`varlock printenv`, `varlock load --format env`)
+- scrubs loaded secret values from tool output via a `tool.execute.after` hook
+- whitelists `.env.schema` and `.env.example` (safe for AI consumption per varlock.dev design)
+- validates config files and prevents agents from tampering with plugin configuration
+- prevents symlink traversal and command injection in tool arguments
 
 ## Install
 
-### As an npm plugin
-
-```bash
-npm install opencode-varlock
-```
-
-```json
-// opencode.json
-{
-  "plugin": ["opencode-varlock"]
-}
-```
-
-The published package ships compiled ESM in `dist/`, and the root entry exports only the plugin itself so OpenCode can load it cleanly through the normal npm plugin resolution flow.
-
-### As a local plugin
-
-Reference the package directory locally after building it:
+Add the package to your `opencode.json` file:
 
 ```json
 {
-  "plugin": ["./path/to/opencode-varlock"]
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": ["opencode-varlock@latest"]
 }
 ```
 
 ## Configuration
 
-All configuration lives in a single `varlock.config.json` file. The plugin searches for it in two locations (merged in order):
-
-1. `./varlock.config.json` (project root)
-2. `.opencode/varlock.config.json`
+### Permissions
 
-Programmatic overrides passed to `createVarlockPlugin()` take highest priority.
-
-### Quick start
-
-Copy the default config into your project:
-
-```bash
-cp node_modules/opencode-varlock/assets/varlock.config.json ./varlock.config.json
-```
-
-Or create a minimal one — only the fields you want to change:
+In addition to adding the plugin to the array, we recommend adding some additional permission settings to your config. There are a few recommended "presets" in the [assets/permissions.json](assets/permissions.json) file, but here is a basic example:
 
 ```json
 {
-  "varlock": {
-    "enabled": true,
-    "namespace": "myapp"
+  "permission": {
+    "bash": {
+      "cat *.env*": "deny",
+      "less *.env*": "deny",
+      "more *.env*": "deny",
+      "head *.env*": "deny",
+      "tail *.env*": "deny",
+      "grep * .env*": "deny",
+      "echo $*": "deny",
+      "python*getenv*": "deny",
+      "python*os.environ*": "deny",
+      "python*open*env*": "deny",
+      "node*process.env*": "deny",
+      "printenv*": "deny",
+      "env": "deny",
+      "export -p": "deny",
+      "source .env*": "deny",
+      "varlock printenv*": "deny",
+      "varlock load --show*": "deny",
+      "varlock load --format*": "deny",
+      "varlock load -f*": "deny",
+      "sed * .env*": "deny",
+      "awk * .env*": "deny"
+    }
   }
 }
 ```
 
-Everything else inherits from the built-in defaults.
-
-The bundled template and permission presets now live in `assets/`:
-
-```text
-assets/varlock.config.json
-assets/varlock.schema.json
-assets/permissions.json
-```
-
-The copied config template points its `$schema` at `./node_modules/opencode-varlock/assets/varlock.schema.json`, so editors can validate and autocomplete it after install.
-
-## Repo layout
-
-```text
-src/   TypeScript source for the plugin entry, config, guard, and tools
-assets/ JSON assets shipped with the npm package
-docs/  Setup and integration guides
-```
-
-## Testing
+### Plugin Config
 
-```bash
-npm run test:unit
-npm run test:integration
-npm run test:coverage
-```
+`varlock.config.json` is optional.
 
-- `test:unit` covers config, guard, tools, and plugin registration
-- `test:integration` starts a real OpenCode server through `@opencode-ai/sdk` and verifies the plugin inside real sessions
-- `test:coverage` emits text, HTML, and LCOV coverage reports under `coverage/`
+If you do not provide one, the plugin uses its built-in defaults from [assets/varlock.config.json](assets/varlock.config.json). Create a local config and place it in your `.opencode` or `~/.config/opencode` directory when you want to override those defaults.
 
-### Full config reference
+Quick example:
 
 ```json
 {
-  "guard": {
-    "enabled": true,
-
-    "sensitivePatterns": [
-      ".env", ".secret", ".pem", ".key", "credentials", ".pgpass"
-    ],
-
-    "sensitiveGlobs": [
-      "**/.env",
-      "**/.env.*",
-      "**/.env.local",
-      "**/.env.production",
-      "**/*.pem",
-      "**/*.key",
-      "**/credentials",
-      "**/credentials.*",
-      "**/.pgpass",
-      "secrets/**"
-    ],
-
-    "bashDenyPatterns": [],
-
-    "blockedReadTools": ["read", "grep", "glob", "view"],
-    "blockedWriteTools": ["write", "edit"]
-  },
-
-  "env": {
-    "enabled": true,
-    "allowedRoot": "."
-  },
-
+  "$schema": "https://raw.githubusercontent.com/itlackey/opencode-varlock/main/assets/varlock.schema.json",
   "varlock": {
-    "enabled": false,
-    "autoDetect": true,
-    "command": "varlock",
-    "namespace": "app"
-  }
-}
-```
-
-### Config sections
-
-#### `guard` — EnvGuard hook
-
-| Field | Type | Default | Description |
-|---|---|---|---|
-| `enabled` | `boolean` | `true` | Master switch for the `tool.execute.before` hook |
-| `sensitivePatterns` | `string[]` | see above | Substring patterns — a path containing any of these is blocked |
-| `sensitiveGlobs` | `string[]` | see above | Glob patterns — matched against full paths using `*`, `**`, `?` |
-| `bashDenyPatterns` | `string[]` | `[]` | Extra bash substrings to deny (merged with ~30 built-ins) |
-| `blockedReadTools` | `string[]` | `["read","grep","glob","view"]` | Tool names that trigger the file-read check |
-| `blockedWriteTools` | `string[]` | `["write","edit"]` | Tool names that trigger the file-write check |
-
-#### `env` — .env file loader
-
-| Field | Type | Default | Description |
-|---|---|---|---|
-| `enabled` | `boolean` | `true` | Register the `load_env` tool |
-| `allowedRoot` | `string` | `"."` | Path containment boundary (resolved relative to cwd) |
-
-#### `varlock` — Varlock integration
-
-| Field | Type | Default | Description |
-|---|---|---|---|
-| `enabled` | `boolean` | `false` | Explicitly enable Varlock tools |
-| `autoDetect` | `boolean` | `true` | Probe for the CLI at startup and enable if found |
-| `command` | `string` | `"varlock"` | Path or name of the Varlock binary |
-| `namespace` | `string` | `"app"` | Default namespace for `load_secrets` / `secret_status` |
-
-**Varlock resolution logic:**
-
-- `enabled: true` → tools are registered (fails at runtime if CLI is missing)
-- `enabled: false, autoDetect: true` → probes `which <command>`, enables if found
-- `enabled: false, autoDetect: false` → Varlock is fully disabled
-
-### Config merge behavior
-
-Arrays are **replaced**, not concatenated. This means you can fully override the default glob list in your config file without inheriting the defaults:
-
-```json
-{
-  "guard": {
-    "sensitiveGlobs": ["secrets/**", "config/.env.*"]
+    "enabled": true,
+    "namespace": "myapp"
   }
 }
 ```
 
-Object sections are deep-merged. Scalar values overwrite.
-
-### Programmatic overrides
-
-For project-specific customization beyond what JSON can express:
-
-```typescript
-// .opencode/plugin/secrets.ts
-import { createVarlockPlugin } from "opencode-varlock/plugin"
-
-export default createVarlockPlugin({
-  guard: {
-    sensitiveGlobs: [
-      "**/.env",
-      "**/.env.*",
-      "infra/secrets/**",
-      "deploy/*.key",
-    ],
-    bashDenyPatterns: ["vault read", "aws secretsmanager"],
-  },
-  varlock: {
-    enabled: true,
-    command: "/usr/local/bin/varlock",
-    namespace: "prod",
-  },
-})
-```
-
-## Glob patterns
-
-The guard supports glob patterns alongside the existing substring patterns. Both are checked — a match on either blocks the access.
-
-### Supported syntax
-
-| Pattern | Matches | Example |
-|---|---|---|
-| `*` | Any characters except `/` | `*.pem` matches `server.pem` |
-| `**` | Any characters including `/` | `secrets/**` matches `secrets/prod/db.key` |
-| `**/` | Zero or more directory levels | `**/.env` matches `.env` and `config/.env` |
-| `?` | Single character except `/` | `?.key` matches `a.key` |
-
-### When to use which
-
-**Substring patterns** are fast and filename-oriented. Use them for extensions and file names that should be blocked everywhere regardless of path:
-
-```json
-"sensitivePatterns": [".env", ".pem", "credentials"]
-```
-
-**Glob patterns** are structural and path-aware. Use them for directory-scoped rules and more precise matching:
-
-```json
-"sensitiveGlobs": [
-  "secrets/**",
-  "config/.env.*",
-  "deploy/**/*.key",
-  "**/node_modules/**/.env"
-]
-```
-
-### How globs are checked
-
-For file tool calls (`read`, `write`, `edit`, etc.), the glob is matched against the path argument directly.
-
-For bash commands, the guard extracts file-path-like tokens from the command string and checks each one against the compiled globs. This catches things like `jq . secrets/config.json` even when the substring patterns wouldn't flag it.
-
-## Tools
-
-### `load_env`
-
-Parses a `.env` file and sets `process.env`. Returns only variable **names**.
-
-```
-Agent → load_env(path: ".env")
-     ← { loaded: ["DATABASE_URL", "REDIS_HOST"], skipped: ["NODE_ENV"] }
-```
-
-### `load_secrets` (Varlock)
-
-Pulls secrets from Varlock and injects into `process.env`.
-
-```
-Agent → load_secrets(namespace: "prod", keys: ["db_url", "api_key"])
-     ← { loaded: ["DB_URL", "API_KEY"], source: "varlock/prod" }
-```
-
-### `secret_status` (Varlock)
-
-Read-only check of which secrets exist and which are loaded.
-
-```
-Agent → secret_status(namespace: "app")
-     ← { total: 5, loaded: 3, unloaded: 2, keys: [...] }
-```
-
-## Permission sets
-
-The `assets/permissions.json` file contains three tiers (standard, strict, lockdown) plus an example agent definition. Copy the tier that fits your threat model into `opencode.json`.
-
-These permission rules complement the EnvGuard hook — the rules handle fast-path blocking while the hook catches edge cases the glob-based rules miss.
-
-## Architecture
-
-### Why three layers?
-
-**Permissions alone aren't enough.** An agent can try `python3 -c "print(open('.env').read())"` or `python -c "import os; print(os.getenv('API_KEY'))"` - the obvious glob rules won't catch every runtime exfiltration path.
-
-**Prompt instructions alone aren't enough.** Telling an agent "never read .env" is a soft boundary the model can reason past.
-
-**The plugin hook is the hard boundary.** `tool.execute.before` runs before every built-in tool call, inspects actual arguments, and throws an error the agent cannot suppress. The error message redirects it to the approved tools.
-
-### What the agent sees
-
-```
-✓ "Loaded 5 variables: DATABASE_URL, API_KEY, REDIS_HOST, JWT_SECRET, SMTP_PASS"
-✓ Writes code: const db = new Client(process.env.DATABASE_URL)
-✗ cat .env              → Blocked: deny pattern
-✗ echo $API_KEY         → Blocked: deny pattern
-✗ python -c "os.getenv" → Blocked: runtime env read
-✗ python -c "open..."   → Blocked: sensitive file
-✗ jq . secrets/app.json → Blocked: matches glob "secrets/**"
-```
-
-## Advanced: composing individual pieces
-
-Every component is exported for use in custom plugins:
+## Docs
 
-```typescript
-import { loadConfig, DEFAULT_CONFIG } from "opencode-varlock/config"
-import { createVarlockPlugin } from "opencode-varlock/plugin"
-import { createEnvGuard, globToRegex } from "opencode-varlock/guard"
-import { createLoadEnvTool } from "opencode-varlock/tools"
+- setup and overrides: `docs/configuration.md`
+- security model and limitations: `docs/security.md`
+- tests and validation: `docs/testing.md`
+- exported APIs and tools: `docs/api.md`
+- Docker + pass guide: `docs/docker-pass-guide.md`
 
-// Load config with custom overrides
-const config = loadConfig(process.cwd(), {
-  guard: { sensitiveGlobs: ["my-secrets/**"] },
-})
+## Useful files
 
-// Use just the guard
-const guard = createEnvGuard(config.guard)
-
-// Use just the tool
-const loadEnv = createLoadEnvTool(config.env)
-
-// Test a glob pattern
-const regex = globToRegex("**/.env.*")
-regex.test("config/.env.production") // true
-```
+- default config: `assets/varlock.config.json`
+- JSON schema: `assets/varlock.schema.json`
+- recommended permission configurations: `assets/permissions.json`
 
 ## License
 

package/assets/permissions.json

@@ -18,14 +18,22 @@
         "head *.env*": "deny",
         "tail *.env*": "deny",
         "grep * .env*": "deny",
+        "sed * .env*": "deny",
+        "awk * .env*": "deny",
         "echo $*": "deny",
         "python*getenv*": "deny",
         "python*os.environ*": "deny",
+        "python*open*env*": "deny",
         "node*process.env*": "deny",
+        "node*readFileSync*env*": "deny",
         "printenv*": "deny",
         "env": "deny",
         "export -p": "deny",
         "source .env*": "deny",
+        "varlock printenv*": "deny",
+        "varlock load --show*": "deny",
+        "varlock load --format*": "deny",
+        "varlock load -f*": "deny",
         "npm test": "allow",
         "npm run *": "allow",
         "bun test": "allow",
@@ -42,22 +50,27 @@
     "permission": {
       "read": {
         "*.env*": "deny",
+        "*.env.schema": "allow",
+        "*.env.example": "allow",
         "*.pem": "deny",
         "*.key": "deny",
         "*credentials*": "deny",
         "*.pgpass": "deny",
+        "*varlock.config*": "deny",
         "*": "ask"
       },
       "write": {
         "*.env*": "deny",
         "*.pem": "deny",
         "*.key": "deny",
+        "*varlock.config*": "deny",
         "*": "ask"
       },
       "edit": {
         "*.env*": "deny",
         "*.pem": "deny",
         "*.key": "deny",
+        "*varlock.config*": "deny",
         "*": "ask"
       },
       "bash": {
@@ -67,20 +80,39 @@
         "head *.env*": "deny",
         "tail *.env*": "deny",
         "grep * .env*": "deny",
+        "sed * .env*": "deny",
+        "awk * .env*": "deny",
+        "cut * .env*": "deny",
+        "sort .env*": "deny",
+        "dd if=.env*": "deny",
+        "tee * .env*": "deny",
+        "xxd .env*": "deny",
         "echo $*": "deny",
         "python*getenv*": "deny",
         "python*os.environ*": "deny",
+        "python*open*env*": "deny",
         "node*process.env*": "deny",
+        "node*readFileSync*env*": "deny",
+        "ruby*File.read*env*": "deny",
         "printenv*": "deny",
         "env": "deny",
         "env *": "deny",
         "export -p": "deny",
         "declare -x": "deny",
+        "compgen -v": "deny",
+        "compgen -A variable": "deny",
+        "typeset -x": "deny",
         "source .env*": "deny",
         ". .env*": "deny",
         "set -a*": "deny",
         "curl *env*": "deny",
         "wget *env*": "deny",
+        "varlock printenv*": "deny",
+        "varlock load --show*": "deny",
+        "varlock load --format*": "deny",
+        "varlock load -f*": "deny",
+        "*base64*|*bash*": "deny",
+        "*base64*|*sh*": "deny",
         "npm test": "allow",
         "npm run *": "allow",
         "bun test": "allow",
@@ -97,20 +129,25 @@
     "permission": {
       "read": {
         "*.env*": "deny",
+        "*.env.schema": "allow",
+        "*.env.example": "allow",
         "*.pem": "deny",
         "*.key": "deny",
         "*credentials*": "deny",
         "*secret*": "deny",
+        "*varlock.config*": "deny",
         "*": "allow"
       },
       "write": {
         "*.env*": "deny",
+        "*varlock.config*": "deny",
         "*.ts": "ask",
         "*.js": "ask",
         "*": "deny"
       },
       "edit": {
         "*.env*": "deny",
+        "*varlock.config*": "deny",
         "*.ts": "ask",
         "*.js": "ask",
         "*": "deny"
@@ -141,17 +178,27 @@
         "permission": {
           "read": {
             "*.env*": "deny",
+            "*.env.schema": "allow",
+            "*.env.example": "allow",
             "*.pem": "deny",
+            "*varlock.config*": "deny",
             "*": "allow"
           },
           "bash": {
             "cat *.env*": "deny",
+            "sed * .env*": "deny",
+            "awk * .env*": "deny",
             "printenv*": "deny",
             "echo $*": "deny",
             "python*getenv*": "deny",
             "python*os.environ*": "deny",
+            "python*open*env*": "deny",
             "node*process.env*": "deny",
             "env": "deny",
+            "compgen -v": "deny",
+            "varlock printenv*": "deny",
+            "varlock load --format*": "deny",
+            "varlock load --show*": "deny",
             "docker *": "allow",
             "npm *": "allow",
             "bun *": "allow",

package/assets/varlock.config.json

@@ -1,5 +1,5 @@
 {
-  "$schema": "./node_modules/opencode-varlock/assets/varlock.schema.json",
+  "$schema": "https://raw.githubusercontent.com/itlackey/opencode-varlock/main/assets/varlock.schema.json",
   "$comment": "opencode-varlock configuration. Place in project root or .opencode/",
 
   "guard": {
@@ -13,7 +13,8 @@
       ".pem",
       ".key",
       "credentials",
-      ".pgpass"
+      ".pgpass",
+      "varlock.config"
     ],
 
     "sensitiveGlobs": [
@@ -26,7 +27,9 @@
       "**/credentials",
       "**/credentials.*",
       "**/.pgpass",
-      "secrets/**"
+      "secrets/**",
+      "**/varlock.config.json",
+      "**/.opencode/varlock.config.json"
     ],
 
     "bashDenyPatterns": [],
@@ -43,7 +46,7 @@
   },
 
   "varlock": {
-    "$comment": "Varlock integration - pull secrets from pass, Azure KV, AWS, 1Password, etc.",
+    "$comment": "Varlock integration - uses varlock load/printenv to pull secrets from configured backends",
 
     "enabled": false,
     "autoDetect": true,

package/dist/config.d.ts

@@ -36,6 +36,11 @@ export type PluginConfig = {
     varlock: VarlockConfig;
 };
 export declare const DEFAULT_CONFIG: PluginConfig;
+/**
+ * Validates a parsed config object against the expected schema.
+ * Returns an array of human-readable error strings (empty = valid).
+ */
+export declare function validateConfig(config: unknown, logger?: ConfigLogger): string[];
 export declare function loadConfig(cwd: string, overrides?: DeepPartial<PluginConfig>, logger?: ConfigLogger): PluginConfig;
 type DeepPartial<T> = {
     [K in keyof T]?: T[K] extends object ? DeepPartial<T[K]> : T[K];

package/dist/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE;IACjC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAA;IAC1C,OAAO,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAChC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;AAE1B,MAAM,MAAM,WAAW,GAAG;IACxB,OAAO,EAAE,OAAO,CAAA;IAChB,iBAAiB,EAAE,MAAM,EAAE,CAAA;IAC3B,cAAc,EAAE,MAAM,EAAE,CAAA;IACxB,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,iBAAiB,EAAE,MAAM,EAAE,CAAA;CAC5B,CAAA;AAED,MAAM,MAAM,SAAS,GAAG;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;CACpB,CAAA;AAED,MAAM,MAAM,aAAa,GAAG;IAC1B,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,OAAO,CAAA;IACnB,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,KAAK,EAAE,WAAW,CAAA;IAClB,GAAG,EAAE,SAAS,CAAA;IACd,OAAO,EAAE,aAAa,CAAA;CACvB,CAAA;AAED,eAAO,MAAM,cAAc,EAAE,YAqC5B,CAAA;AAOD,wBAAgB,UAAU,CACxB,GAAG,EAAE,MAAM,EACX,SAAS,GAAE,WAAW,CAAC,YAAY,CAAM,EACzC,MAAM,CAAC,EAAE,YAAY,GACpB,YAAY,CAyCd;AAED,KAAK,WAAW,CAAC,CAAC,IAAI;KACnB,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAChE,CAAA;AAED,wBAAgB,SAAS,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACrD,MAAM,EAAE,CAAC,EACT,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,GACrB,CAAC,CAyBH;AAED,YAAY,EAAE,WAAW,EAAE,CAAA"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE;IACjC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAA;IAC1C,OAAO,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAChC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;AAE1B,MAAM,MAAM,WAAW,GAAG;IACxB,OAAO,EAAE,OAAO,CAAA;IAChB,iBAAiB,EAAE,MAAM,EAAE,CAAA;IAC3B,cAAc,EAAE,MAAM,EAAE,CAAA;IACxB,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,iBAAiB,EAAE,MAAM,EAAE,CAAA;CAC5B,CAAA;AAED,MAAM,MAAM,SAAS,GAAG;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;CACpB,CAAA;AAED,MAAM,MAAM,aAAa,GAAG;IAC1B,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,OAAO,CAAA;IACnB,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,KAAK,EAAE,WAAW,CAAA;IAClB,GAAG,EAAE,SAAS,CAAA;IACd,OAAO,EAAE,aAAa,CAAA;CACvB,CAAA;AAED,eAAO,MAAM,cAAc,EAAE,YAwC5B,CAAA;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,OAAO,EACf,MAAM,CAAC,EAAE,YAAY,GACpB,MAAM,EAAE,CA8HV;AAwFD,wBAAgB,UAAU,CACxB,GAAG,EAAE,MAAM,EACX,SAAS,GAAE,WAAW,CAAC,YAAY,CAAM,EACzC,MAAM,CAAC,EAAE,YAAY,GACpB,YAAY,CAkFd;AAED,KAAK,WAAW,CAAC,CAAC,IAAI;KACnB,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAChE,CAAA;AAED,wBAAgB,SAAS,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACrD,MAAM,EAAE,CAAC,EACT,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,GACrB,CAAC,CAyBH;AAED,YAAY,EAAE,WAAW,EAAE,CAAA"}