sandstream-kit 1.0.0

package/dist/secret-backends.js

@@ -0,0 +1,510 @@
+import { check1PasswordStatus } from "./onepassword.js";
+import { exec } from "./utils/exec.js";
+// ─── Infisical bulk-fetch cache (avoids repeated CLI calls per generate) ──────
+let infisicalCache = null;
+/** Reset the Infisical cache. Called once per `generateSecrets` run. */
+export function resetInfisicalCache() {
+    infisicalCache = null;
+}
+async function fetchInfisicalSecrets(infisicalConfig) {
+    if (infisicalCache)
+        return infisicalCache;
+    const env = infisicalConfig?.environment ?? "dev";
+    try {
+        const exportArgs = ["export", "--format=json", "--env", env];
+        if (infisicalConfig?.project_id) {
+            exportArgs.push("--projectId", infisicalConfig.project_id);
+        }
+        if (infisicalConfig?.path) {
+            exportArgs.push("--path", infisicalConfig.path);
+        }
+        const { stdout } = await exec("infisical", exportArgs, {
+            timeout: 15_000,
+            env: { ...process.env },
+        });
+        const secrets = JSON.parse(stdout);
+        const cache = new Map();
+        if (Array.isArray(secrets)) {
+            for (const s of secrets) {
+                cache.set(s.key, s.value);
+            }
+        }
+        else if (typeof secrets === "object" && secrets !== null) {
+            for (const [k, v] of Object.entries(secrets)) {
+                if (typeof v === "string")
+                    cache.set(k, v);
+            }
+        }
+        infisicalCache = cache;
+        return cache;
+    }
+    catch {
+        infisicalCache = new Map();
+        return infisicalCache;
+    }
+}
+// ─── Backend registry ─────────────────────────────────────────────────────────
+export const BACKENDS = {
+    env: {
+        async resolve(name) {
+            const val = process.env[name] ?? null;
+            return {
+                name,
+                resolved: val !== null,
+                value: val,
+                detail: val ? "From environment" : "Not set in environment",
+            };
+        },
+        // read-only: env vars are materialized, never written by kit
+    },
+    config: {
+        async resolve(name, config) {
+            const val = config.value ?? null;
+            return { name, resolved: val !== null, value: val, detail: "From config" };
+        },
+        // read-only: inline config values aren't a writable store
+    },
+    "1password": {
+        async resolve(name, config) {
+            if (!config.ref) {
+                return { name, resolved: false, value: null, detail: "No 1Password ref configured" };
+            }
+            const opStatus = await check1PasswordStatus();
+            if (!opStatus.installed) {
+                return {
+                    name,
+                    resolved: false,
+                    value: null,
+                    detail: `1Password CLI not installed: ${opStatus.error}`,
+                };
+            }
+            if (!opStatus.authenticated) {
+                return {
+                    name,
+                    resolved: false,
+                    value: null,
+                    detail: `Not signed into 1Password: ${opStatus.error}`,
+                };
+            }
+            try {
+                const { stdout } = await exec("op", ["read", config.ref, "--no-newline"], {
+                    timeout: 10_000,
+                });
+                return { name, resolved: !!stdout, value: stdout || null, detail: "From 1Password" };
+            }
+            catch {
+                return {
+                    name,
+                    resolved: false,
+                    value: null,
+                    detail: `1Password reference not found: ${config.ref}`,
+                };
+            }
+        },
+        async write(key, value, opts) {
+            // Pre-flight: skip the op command if no account is configured. Otherwise
+            // op interactively prompts ("Do you want to add an account manually now?
+            // [Y/n]") and blocks the whole rotate flow.
+            const opStatus = await check1PasswordStatus();
+            if (!opStatus.installed) {
+                return {
+                    ok: false,
+                    detail: "1Password CLI not installed — install op or pick a different store",
+                };
+            }
+            if (!opStatus.authenticated) {
+                return {
+                    ok: false,
+                    detail: "1Password CLI present but no account configured. Run 'op account add' first (or set OP_SERVICE_ACCOUNT_TOKEN). Skipping vault-write; value will be printed for manual capture.",
+                };
+            }
+            const vault = opts.vault || "Dev";
+            const project = opts.project || "Project";
+            // Try edit first (existing item), fall back to create. Both paths run with
+            // PIPE stdin so the parent doesn't inherit op's interactive prompts even if
+            // auth lapses mid-flight.
+            try {
+                await exec("op", ["item", "edit", project, `${key}=${value}`, "--vault", vault], {
+                    timeout: 15_000,
+                });
+            }
+            catch {
+                await exec("op", [
+                    "item",
+                    "create",
+                    `--category=Login`,
+                    `--title=${project}`,
+                    `--vault=${vault}`,
+                    `${key}=${value}`,
+                ], { timeout: 15_000 });
+            }
+            return { ok: true, ref: `op://${vault}/${project}/${key}`, detail: "wrote to 1Password" };
+        },
+    },
+    eas: {
+        async resolve(name, config) {
+            try {
+                const { stdout } = await exec("eas", ["secret:list", "--json"], { timeout: 10_000 });
+                const secrets = JSON.parse(stdout);
+                const found = Array.isArray(secrets) &&
+                    secrets.some((s) => s.name === (config.name || name));
+                return {
+                    name,
+                    resolved: found,
+                    value: found ? "(managed by EAS)" : null,
+                    detail: found ? "Found in EAS" : "Not found in EAS",
+                    managed: true, // EAS holds the value; the string above is a display placeholder
+                };
+            }
+            catch {
+                return { name, resolved: false, value: null, detail: "EAS CLI not available" };
+            }
+        },
+        // read-only: EAS secrets are managed by `eas secret:*`, not migrated into
+    },
+    infisical: {
+        async resolve(name, config, infisicalConfig) {
+            try {
+                const cache = await fetchInfisicalSecrets(infisicalConfig);
+                const key = config.name || name;
+                const val = cache.get(key) ?? null;
+                return {
+                    name,
+                    resolved: val !== null,
+                    value: val,
+                    detail: val !== null ? "From Infisical" : "Not found in Infisical",
+                };
+            }
+            catch {
+                return { name, resolved: false, value: null, detail: "Infisical CLI not available" };
+            }
+        },
+        async write(key, value) {
+            await exec("infisical", ["secrets", "set", `${key}=${value}`], { timeout: 15_000 });
+            return { ok: true, detail: "wrote to Infisical" };
+        },
+    },
+    bitwarden: {
+        async resolve(name, config) {
+            if (!config.name && !config.ref) {
+                return { name, resolved: false, value: null, detail: "No Bitwarden field name configured" };
+            }
+            try {
+                const fieldName = config.name || config.ref || name;
+                const { stdout } = await exec("bw", ["get", fieldName], { timeout: 10_000 });
+                return { name, resolved: !!stdout, value: stdout || null, detail: "From Bitwarden" };
+            }
+            catch {
+                return {
+                    name,
+                    resolved: false,
+                    value: null,
+                    detail: "Bitwarden CLI not available or secret not found",
+                };
+            }
+        },
+        // read-only: `bw` write semantics (folders/collections) aren't modeled yet
+    },
+    doppler: {
+        async resolve(name, config) {
+            if (!config.name) {
+                return { name, resolved: false, value: null, detail: "No Doppler secret name configured" };
+            }
+            try {
+                const { stdout } = await exec("doppler", ["secrets", "get", config.name, "--plain"], {
+                    timeout: 10_000,
+                });
+                return { name, resolved: !!stdout, value: stdout || null, detail: "From Doppler" };
+            }
+            catch {
+                return {
+                    name,
+                    resolved: false,
+                    value: null,
+                    detail: "Doppler CLI not available or secret not found",
+                };
+            }
+        },
+        async write(key, value) {
+            await exec("doppler", ["secrets", "set", `${key}=${value}`], { timeout: 15_000 });
+            return { ok: true, detail: "wrote to Doppler" };
+        },
+    },
+    dotenvx: {
+        async resolve(name, config) {
+            // `dotenvx get <KEY>` prints the decrypted value to stdout, using
+            // DOTENV_PRIVATE_KEY (from .env.keys or the environment). `config.name`
+            // overrides the lookup key; the file defaults to ./.env.
+            const key = config.name || name;
+            try {
+                const { stdout } = await exec("dotenvx", ["get", key], { timeout: 10_000 });
+                const val = stdout.trim();
+                return {
+                    name,
+                    resolved: !!val,
+                    value: val || null,
+                    detail: val ? "From dotenvx" : "Not found in dotenvx .env",
+                };
+            }
+            catch {
+                return {
+                    name,
+                    resolved: false,
+                    value: null,
+                    detail: "dotenvx CLI not available or key not found",
+                };
+            }
+        },
+        async write(key, value) {
+            // `dotenvx set <KEY> <value>` encrypts the value into .env (ECIES). The
+            // value is an argv token — see the SecretBackend.write note on exposure.
+            await exec("dotenvx", ["set", key, value], { timeout: 15_000 });
+            return { ok: true, detail: "encrypted into .env via dotenvx" };
+        },
+    },
+    vault: {
+        async resolve(name, config) {
+            const path = config.vault_path || config.ref;
+            const field = config.vault_field || config.name;
+            if (!path || !field) {
+                return {
+                    name,
+                    resolved: false,
+                    value: null,
+                    detail: "vault: vault_path and vault_field (or ref/name) required",
+                };
+            }
+            try {
+                const { stdout } = await exec("vault", ["kv", "get", "-field", field, path], {
+                    timeout: 10_000,
+                });
+                const val = stdout.trim();
+                return {
+                    name,
+                    resolved: !!val,
+                    value: val || null,
+                    detail: val ? "From Vault" : "Empty in Vault",
+                };
+            }
+            catch {
+                return {
+                    name,
+                    resolved: false,
+                    value: null,
+                    detail: "Vault CLI not available or not authenticated",
+                };
+            }
+        },
+        async write(key, value, opts) {
+            const path = opts.vaultPath || "secret/data/kit";
+            // `vault kv put - <path>` reads KEY=value pairs from stdin; keeps value out
+            // of argv (and out of any error message).
+            await exec("vault", ["kv", "put", "-", path], {
+                timeout: 15_000,
+                input: `${key}=${value}\n`,
+            });
+            return { ok: true, detail: `wrote to Vault path ${path}` };
+        },
+    },
+    "aws-sm": {
+        async resolve(name, config) {
+            const secretId = config.name || config.ref || name;
+            const args = [
+                "secretsmanager",
+                "get-secret-value",
+                "--secret-id",
+                secretId,
+                "--query",
+                "SecretString",
+                "--output",
+                "text",
+            ];
+            if (config.aws_region)
+                args.push("--region", config.aws_region);
+            try {
+                const { stdout } = await exec("aws", args, { timeout: 15_000 });
+                const val = stdout.trim();
+                if (!val || val === "None") {
+                    return { name, resolved: false, value: null, detail: "AWS: secret empty or not found" };
+                }
+                return { name, resolved: true, value: val, detail: "From AWS Secrets Manager" };
+            }
+            catch {
+                return {
+                    name,
+                    resolved: false,
+                    value: null,
+                    detail: "AWS CLI not available or not authenticated",
+                };
+            }
+        },
+        async write(key, value, opts) {
+            // `--secret-string file:///dev/stdin` reads the value from stdin instead of
+            // argv, so the credential never lands in ps / error messages.
+            const args = [
+                "secretsmanager",
+                "create-secret",
+                "--name",
+                key,
+                "--secret-string",
+                "file:///dev/stdin",
+            ];
+            if (opts.region)
+                args.push("--region", opts.region);
+            try {
+                await exec("aws", args, { timeout: 15_000, input: value });
+            }
+            catch {
+                const update = [
+                    "secretsmanager",
+                    "put-secret-value",
+                    "--secret-id",
+                    key,
+                    "--secret-string",
+                    "file:///dev/stdin",
+                ];
+                if (opts.region)
+                    update.push("--region", opts.region);
+                await exec("aws", update, { timeout: 15_000, input: value });
+            }
+            return { ok: true, detail: "wrote to AWS Secrets Manager" };
+        },
+    },
+    "gcp-sm": {
+        async resolve(name, config) {
+            const secretName = config.name || config.ref || name;
+            const version = config.gcp_version || "latest";
+            const args = ["secrets", "versions", "access", version, "--secret", secretName];
+            const project = config.gcp_project || process.env.GCP_PROJECT || process.env.GOOGLE_CLOUD_PROJECT;
+            if (project)
+                args.push("--project", project);
+            try {
+                const { stdout } = await exec("gcloud", args, { timeout: 15_000 });
+                const val = stdout.trim();
+                return {
+                    name,
+                    resolved: !!val,
+                    value: val || null,
+                    detail: val ? "From GCP Secret Manager" : "Empty in GCP Secret Manager",
+                };
+            }
+            catch {
+                return {
+                    name,
+                    resolved: false,
+                    value: null,
+                    detail: "gcloud CLI not available or not authenticated",
+                };
+            }
+        },
+        async write(key, value, opts) {
+            // gcloud requires the secret to exist first; create then add version.
+            const createArgs = [
+                "secrets",
+                "create",
+                key,
+                "--data-file=-",
+                "--replication-policy=automatic",
+            ];
+            if (opts.project)
+                createArgs.push("--project", opts.project);
+            try {
+                await exec("gcloud", createArgs, {
+                    timeout: 15_000,
+                    input: value,
+                });
+            }
+            catch {
+                const addArgs = ["secrets", "versions", "add", key, "--data-file=-"];
+                if (opts.project)
+                    addArgs.push("--project", opts.project);
+                await exec("gcloud", addArgs, {
+                    timeout: 15_000,
+                    input: value,
+                });
+            }
+            return { ok: true, detail: "wrote to GCP Secret Manager" };
+        },
+    },
+    "azure-kv": {
+        async resolve(name, config) {
+            const secretName = config.name || config.ref || name;
+            const vault = config.azure_vault || process.env.AZURE_KEYVAULT_NAME;
+            if (!vault) {
+                return {
+                    name,
+                    resolved: false,
+                    value: null,
+                    detail: "Azure: azure_vault or AZURE_KEYVAULT_NAME required",
+                };
+            }
+            const args = [
+                "keyvault",
+                "secret",
+                "show",
+                "--vault-name",
+                vault,
+                "--name",
+                secretName,
+                "--query",
+                "value",
+                "-o",
+                "tsv",
+            ];
+            try {
+                const { stdout } = await exec("az", args, { timeout: 15_000 });
+                const val = stdout.trim();
+                return {
+                    name,
+                    resolved: !!val,
+                    value: val || null,
+                    detail: val ? "From Azure Key Vault" : "Empty in Azure Key Vault",
+                };
+            }
+            catch {
+                return {
+                    name,
+                    resolved: false,
+                    value: null,
+                    detail: "Azure CLI not available or not authenticated",
+                };
+            }
+        },
+        async write(key, value, opts) {
+            if (!opts.vault) {
+                return { ok: false, detail: "Azure: --vault required (azure_vault or AZURE_KEYVAULT_NAME)" };
+            }
+            await exec("az", [
+                "keyvault",
+                "secret",
+                "set",
+                "--vault-name",
+                opts.vault,
+                "--name",
+                key,
+                "--value",
+                value,
+            ], { timeout: 15_000 });
+            return { ok: true, detail: `wrote to Azure Key Vault ${opts.vault}` };
+        },
+    },
+};
+/** Resolve (read) a secret via the registry. Mirrors the old `resolveSecret`
+ *  switch — unknown sources return a uniform `Unknown source` result. */
+export async function resolveViaBackend(name, config, infisicalConfig) {
+    const backend = BACKENDS[config.source];
+    if (!backend) {
+        return { name, resolved: false, value: null, detail: `Unknown source: ${config.source}` };
+    }
+    return backend.resolve(name, config, infisicalConfig);
+}
+/** Write a secret via the registry. Backends without a `write` are read-only;
+ *  the "not yet supported" message matches the old switch default verbatim. */
+export async function writeViaBackend(store, key, value, opts) {
+    const backend = BACKENDS[store];
+    if (!backend?.write) {
+        return { ok: false, detail: `migration to '${store}' not yet supported — write manually` };
+    }
+    return backend.write(key, value, opts);
+}
+//# sourceMappingURL=secret-backends.js.map

package/dist/secret-backends.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-backends.js","sourceRoot":"","sources":["../src/secret-backends.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAmDvC,iFAAiF;AAEjF,IAAI,cAAc,GAA+B,IAAI,CAAC;AAEtD,wEAAwE;AACxE,MAAM,UAAU,mBAAmB;IACjC,cAAc,GAAG,IAAI,CAAC;AACxB,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,eAAiC;IAEjC,IAAI,cAAc;QAAE,OAAO,cAAc,CAAC;IAE1C,MAAM,GAAG,GAAG,eAAe,EAAE,WAAW,IAAI,KAAK,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,CAAC,QAAQ,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC7D,IAAI,eAAe,EAAE,UAAU,EAAE,CAAC;YAChC,UAAU,CAAC,IAAI,CAAC,aAAa,EAAE,eAAe,CAAC,UAAU,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,eAAe,EAAE,IAAI,EAAE,CAAC;YAC1B,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,UAAU,EAAE;YACrD,OAAO,EAAE,MAAM;YACf,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE;SACxB,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;QACxC,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,KAAK,MAAM,CAAC,IAAI,OAA2C,EAAE,CAAC;gBAC5D,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;aAAM,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YAC3D,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC7C,IAAI,OAAO,CAAC,KAAK,QAAQ;oBAAE,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QACD,cAAc,GAAG,KAAK,CAAC;QACvB,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,cAAc,GAAG,IAAI,GAAG,EAAE,CAAC;QAC3B,OAAO,cAAc,CAAC;IACxB,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF,MAAM,CAAC,MAAM,QAAQ,GAAkC;IACrD,GAAG,EAAE;QACH,KAAK,CAAC,OAAO,CAAC,IAAI;YAChB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;YACtC,OAAO;gBACL,IAAI;gBACJ,QAAQ,EAAE,GAAG,KAAK,IAAI;gBACtB,KAAK,EAAE,GAAG;gBACV,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,wBAAwB;aAC5D,CAAC;QACJ,CAAC;QACD,6DAA6D;KAC9D;IAED,MAAM,EAAE;QACN,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM;YACxB,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC;YACjC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,KAAK,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;QAC7E,CAAC;QACD,0DAA0D;KAC3D;IAED,WAAW,EAAE;QACX,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM;YACxB,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAChB,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;YACvF,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,oBAAoB,EAAE,CAAC;YAC9C,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;gBACxB,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,gCAAgC,QAAQ,CAAC,KAAK,EAAE;iBACzD,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;gBAC5B,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,8BAA8B,QAAQ,CAAC,KAAK,EAAE;iBACvD,CAAC;YACJ,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE;oBACxE,OAAO,EAAE,MAAM;iBAChB,CAAC,CAAC;gBACH,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,IAAI,IAAI,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;YACvF,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,kCAAkC,MAAM,CAAC,GAAG,EAAE;iBACvD,CAAC;YACJ,CAAC;QACH,CAAC;QACD,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI;YAC1B,yEAAyE;YACzE,yEAAyE;YACzE,4CAA4C;YAC5C,MAAM,QAAQ,GAAG,MAAM,oBAAoB,EAAE,CAAC;YAC9C,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;gBACxB,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,oEAAoE;iBAC7E,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;gBAC5B,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,MAAM,EACJ,gLAAgL;iBACnL,CAAC;YACJ,CAAC;YACD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC;YAClC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,SAAS,CAAC;YAC1C,2EAA2E;YAC3E,4EAA4E;YAC5E,0BAA0B;YAC1B,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,IAAI,KAAK,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,EAAE;oBAC/E,OAAO,EAAE,MAAM;iBAChB,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,IAAI,CAAC,IAAI,EAAE;oBACf,MAAM;oBACN,QAAQ;oBACR,kBAAkB;oBAClB,WAAW,OAAO,EAAE;oBACpB,WAAW,KAAK,EAAE;oBAClB,GAAG,GAAG,IAAI,KAAK,EAAE;iBAClB,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;YAC1B,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,KAAK,IAAI,OAAO,IAAI,GAAG,EAAE,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;QAC5F,CAAC;KACF;IAED,GAAG,EAAE;QACH,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM;YACxB,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,aAAa,EAAE,QAAQ,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;gBACrF,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;gBACnC,MAAM,KAAK,GACT,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;oBACtB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAmB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC;gBAC1E,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI;oBACxC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,kBAAkB;oBACnD,OAAO,EAAE,IAAI,EAAE,iEAAiE;iBACjF,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC;YACjF,CAAC;QACH,CAAC;QACD,0EAA0E;KAC3E;IAED,SAAS,EAAE;QACT,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,eAAe;YACzC,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,qBAAqB,CAAC,eAAe,CAAC,CAAC;gBAC3D,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC;gBAChC,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;gBACnC,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,GAAG,KAAK,IAAI;oBACtB,KAAK,EAAE,GAAG;oBACV,MAAM,EAAE,GAAG,KAAK,IAAI,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,wBAAwB;iBACnE,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;YACvF,CAAC;QACH,CAAC;QACD,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK;YACpB,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;YACpF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;QACpD,CAAC;KACF;IAED,SAAS,EAAE;QACT,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM;YACxB,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAChC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC;YAC9F,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC;gBACpD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC7E,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,IAAI,IAAI,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;YACvF,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,iDAAiD;iBAC1D,CAAC;YACJ,CAAC;QACH,CAAC;QACD,2EAA2E;KAC5E;IAED,OAAO,EAAE;QACP,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM;YACxB,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;gBACjB,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;YAC7F,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,EAAE;oBACnF,OAAO,EAAE,MAAM;iBAChB,CAAC,CAAC;gBACH,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,IAAI,IAAI,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;YACrF,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,+CAA+C;iBACxD,CAAC;YACJ,CAAC;QACH,CAAC;QACD,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK;YACpB,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;YAClF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;QAClD,CAAC;KACF;IAED,OAAO,EAAE;QACP,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM;YACxB,kEAAkE;YAClE,wEAAwE;YACxE,yDAAyD;YACzD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC;YAChC,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC5E,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;gBAC1B,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,CAAC,CAAC,GAAG;oBACf,KAAK,EAAE,GAAG,IAAI,IAAI;oBAClB,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,2BAA2B;iBAC3D,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,4CAA4C;iBACrD,CAAC;YACJ,CAAC;QACH,CAAC;QACD,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK;YACpB,wEAAwE;YACxE,yEAAyE;YACzE,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;YAChE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;QACjE,CAAC;KACF;IAED,KAAK,EAAE;QACL,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM;YACxB,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,GAAG,CAAC;YAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,IAAI,CAAC;YAChD,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACpB,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,0DAA0D;iBACnE,CAAC;YACJ,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,EAAE;oBAC3E,OAAO,EAAE,MAAM;iBAChB,CAAC,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;gBAC1B,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,CAAC,CAAC,GAAG;oBACf,KAAK,EAAE,GAAG,IAAI,IAAI;oBAClB,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,gBAAgB;iBAC9C,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,8CAA8C;iBACvD,CAAC;YACJ,CAAC;QACH,CAAC;QACD,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI;YAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,IAAI,iBAAiB,CAAC;YACjD,4EAA4E;YAC5E,0CAA0C;YAC1C,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,EAAE;gBAC5C,OAAO,EAAE,MAAM;gBACf,KAAK,EAAE,GAAG,GAAG,IAAI,KAAK,IAAI;aACG,CAAC,CAAC;YACjC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,uBAAuB,IAAI,EAAE,EAAE,CAAC;QAC7D,CAAC;KACF;IAED,QAAQ,EAAE;QACR,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM;YACxB,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC;YACnD,MAAM,IAAI,GAAG;gBACX,gBAAgB;gBAChB,kBAAkB;gBAClB,aAAa;gBACb,QAAQ;gBACR,SAAS;gBACT,cAAc;gBACd,UAAU;gBACV,MAAM;aACP,CAAC;YACF,IAAI,MAAM,CAAC,UAAU;gBAAE,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;YAChE,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;gBAChE,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;gBAC1B,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;oBAC3B,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;gBAC1F,CAAC;gBACD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC;YAClF,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,4CAA4C;iBACrD,CAAC;YACJ,CAAC;QACH,CAAC;QACD,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI;YAC1B,4EAA4E;YAC5E,8DAA8D;YAC9D,MAAM,IAAI,GAAG;gBACX,gBAAgB;gBAChB,eAAe;gBACf,QAAQ;gBACR,GAAG;gBACH,iBAAiB;gBACjB,mBAAmB;aACpB,CAAC;YACF,IAAI,IAAI,CAAC,MAAM;gBAAE,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YACpD,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAgC,CAAC,CAAC;YAC3F,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,MAAM,GAAG;oBACb,gBAAgB;oBAChB,kBAAkB;oBAClB,aAAa;oBACb,GAAG;oBACH,iBAAiB;oBACjB,mBAAmB;iBACpB,CAAC;gBACF,IAAI,IAAI,CAAC,MAAM;oBAAE,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;gBACtD,MAAM,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAgC,CAAC,CAAC;YAC7F,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;QAC9D,CAAC;KACF;IAED,QAAQ,EAAE;QACR,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM;YACxB,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC;YACrD,MAAM,OAAO,GAAG,MAAM,CAAC,WAAW,IAAI,QAAQ,CAAC;YAC/C,MAAM,IAAI,GAAG,CAAC,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;YAChF,MAAM,OAAO,GACX,MAAM,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;YACpF,IAAI,OAAO;gBAAE,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;YAC7C,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;gBACnE,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;gBAC1B,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,CAAC,CAAC,GAAG;oBACf,KAAK,EAAE,GAAG,IAAI,IAAI;oBAClB,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,6BAA6B;iBACxE,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,+CAA+C;iBACxD,CAAC;YACJ,CAAC;QACH,CAAC;QACD,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI;YAC1B,sEAAsE;YACtE,MAAM,UAAU,GAAG;gBACjB,SAAS;gBACT,QAAQ;gBACR,GAAG;gBACH,eAAe;gBACf,gCAAgC;aACjC,CAAC;YACF,IAAI,IAAI,CAAC,OAAO;gBAAE,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;YAC7D,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE;oBAC/B,OAAO,EAAE,MAAM;oBACf,KAAK,EAAE,KAAK;iBACiB,CAAC,CAAC;YACnC,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,OAAO,GAAG,CAAC,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;gBACrE,IAAI,IAAI,CAAC,OAAO;oBAAE,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC1D,MAAM,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE;oBAC5B,OAAO,EAAE,MAAM;oBACf,KAAK,EAAE,KAAK;iBACiB,CAAC,CAAC;YACnC,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;QAC7D,CAAC;KACF;IAED,UAAU,EAAE;QACV,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM;YACxB,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC;YACrD,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;YACpE,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,oDAAoD;iBAC7D,CAAC;YACJ,CAAC;YACD,MAAM,IAAI,GAAG;gBACX,UAAU;gBACV,QAAQ;gBACR,MAAM;gBACN,cAAc;gBACd,KAAK;gBACL,QAAQ;gBACR,UAAU;gBACV,SAAS;gBACT,OAAO;gBACP,IAAI;gBACJ,KAAK;aACN,CAAC;YACF,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC/D,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;gBAC1B,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,CAAC,CAAC,GAAG;oBACf,KAAK,EAAE,GAAG,IAAI,IAAI;oBAClB,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,0BAA0B;iBAClE,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;oBACL,IAAI;oBACJ,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,8CAA8C;iBACvD,CAAC;YACJ,CAAC;QACH,CAAC;QACD,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI;YAC1B,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;gBAChB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,8DAA8D,EAAE,CAAC;YAC/F,CAAC;YACD,MAAM,IAAI,CAAC,IAAI,EAAE;gBACf,UAAU;gBACV,QAAQ;gBACR,KAAK;gBACL,cAAc;gBACd,IAAI,CAAC,KAAK;gBACV,QAAQ;gBACR,GAAG;gBACH,SAAS;gBACT,KAAK;aACN,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;YACxB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,4BAA4B,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC;QACxE,CAAC;KACF;CACF,CAAC;AAEF;yEACyE;AACzE,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,IAAY,EACZ,MAAuB,EACvB,eAAiC;IAEjC,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,mBAAmB,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC;IAC5F,CAAC;IACD,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;AACxD,CAAC;AAED;+EAC+E;AAC/E,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAa,EACb,GAAW,EACX,KAAa,EACb,IAAe;IAEf,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAChC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;QACpB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,KAAK,sCAAsC,EAAE,CAAC;IAC7F,CAAC;IACD,OAAO,OAAO,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;AACzC,CAAC"}

package/dist/secret-expiration.d.ts

@@ -0,0 +1,46 @@
+import type { GovernanceConfig, SecretsConfig } from "./config.js";
+export interface SecretExpiration {
+    key: string;
+    expiry_date?: string;
+    days_until_expiry?: number;
+    expired: boolean;
+    warning: boolean;
+}
+/**
+ * Check if secrets are expiring or expired.
+ * Queries expiration metadata from secret stores and config-based hints.
+ */
+export declare function checkSecretExpiration(config: GovernanceConfig | undefined, secretKeys: string[], secretsConfig?: SecretsConfig): Promise<SecretExpiration[]>;
+/**
+ * Read a config-based expiration hint from environment variable.
+ *
+ * Convention: set `<KEY>_EXPIRES_AT=<ISO-date>` to declare expiration
+ * for any secret, regardless of which store it lives in. This is the
+ * universal fallback for stores that do not expose expiration metadata.
+ *
+ * Example: API_KEY_EXPIRES_AT=2026-12-31T00:00:00Z
+ */
+export declare function getEnvExpirationHint(key: string): string | null;
+/**
+ * Fetch expiration date from a 1Password item.
+ *
+ * Parses refs in the format `op://vault/item/field` or `vault/item`.
+ * Calls `op item get <item> --vault <vault> --format json` and returns
+ * the `expires` field if present.
+ *
+ * Returns null if the item has no expiry, if op is unavailable, or if
+ * the ref cannot be parsed.
+ */
+export declare function get1PasswordExpiration(ref: string): Promise<string | null>;
+/**
+ * Format secret expiration warnings for display
+ */
+export declare function formatSecretExpirationWarnings(expirations: SecretExpiration[]): string;
+/**
+ * Check if any secrets are expired (blocking check)
+ */
+export declare function hasExpiredSecrets(expirations: SecretExpiration[]): boolean;
+/**
+ * Check if any secrets have warnings
+ */
+export declare function hasSecretWarnings(expirations: SecretExpiration[]): boolean;