specdo 1.0.2

package/dist/domains/security.js

@@ -0,0 +1,364 @@
+/**
+ * Security Domain Module
+ *
+ * 来源:
+ *   - content/skills/security-hardening/SKILL.md (51 行)
+ *     OWASP Top 10 审计、安全标头、CVE 扫描、密钥管理
+ *   - content/roles/04-quality-security/security-auditor.toml (42 行)
+ *     安全审计方法、攻击面分析、风险排序
+ *
+ * 压缩方法:
+ *   1. OWASP Top 10 表格 → design.checklist + implement.antiPatterns
+ *   2. 安全标头模板 → design.patterns["Security Headers"]
+ *   3. 审计工作流 → verify.checklist
+ *   4. security-auditor focus areas → implement.focusAreas
+ *   5. 原始代码示例/Python脚本 → 丢弃（用户有自己的代码库）
+ */
+export const securityDomain = {
+    name: 'security',
+    description: 'Security audit, OWASP Top 10, vulnerability hardening, secrets management, auth flow validation',
+    // ── Explore: 需求澄清 ─────────────────────────────────────
+    explore: {
+        signals: [
+            // 认证/授权
+            'auth', 'authentication', 'oauth', 'jwt', 'sso', 'mfa', 'rbac',
+            'login', 'logout', 'session', 'token', 'credential', 'password',
+            'permission', 'role', 'access control', 'authorization',
+            // 数据安全
+            'pii', 'personal data', 'privacy', 'gdpr', 'hipaa', 'pci', 'compliance',
+            'encryption', 'encrypt', 'hash', 'salt', 'secret', 'key management',
+            // 攻击面
+            'security', 'vulnerability', 'cve', 'injection', 'xss', 'csrf',
+            'attack', 'threat', 'penetration', 'audit', 'harden',
+            // 业务场景
+            'payment', 'billing', 'transaction', 'financial', 'user data',
+            'admin', 'sensitive',
+        ],
+        questions: {
+            defaultCount: 8,
+            items: [
+                // ── Tier 1: 认证基础 (priority 9-10) ──────────────────
+                {
+                    text: 'What authentication method will be used? (OAuth 2.0, JWT, SAML, session-based, API key, mTLS)',
+                    id: 'auth-method',
+                    signals: ['auth', 'authentication', 'oauth', 'jwt', 'sso', 'login', 'token', 'saml', 'api key', 'mtls', 'session'],
+                    priority: 10,
+                },
+                {
+                    text: 'Is multi-factor authentication (MFA) needed? For all users or only admins? What MFA method (TOTP, WebAuthn, SMS)?',
+                    signals: ['auth', 'authentication', 'mfa', 'login', 'admin', 'sensitive', 'webauthn', 'totp'],
+                    priority: 9,
+                    requiresAnswer: ['security:auth-method'],
+                },
+                {
+                    text: 'What is the session/token lifecycle? (access token TTL, refresh token TTL, revocation strategy, token rotation policy)',
+                    id: 'session-lifecycle',
+                    signals: ['session', 'token', 'jwt', 'expiry', 'refresh', 'revocation', 'credential', 'ttl'],
+                    priority: 9,
+                    requiresAnswer: ['security:auth-method'],
+                },
+                {
+                    text: 'Should refresh tokens use single-use rotation? How is token reuse detected and revoked?',
+                    signals: ['jwt', 'token', 'refresh', 'rotation', 'reuse', 'revocation'],
+                    priority: 7,
+                    requiresAnswer: ['security:session-lifecycle'],
+                    conditional: { 'security:auth-method': 'jwt' },
+                },
+                {
+                    text: 'What user roles and permission levels exist? (admin, user, viewer, editor, superadmin) — is RBAC or ABAC more appropriate?',
+                    signals: ['rbac', 'abac', 'permission', 'role', 'access control', 'authorization', 'admin', 'role-based'],
+                    priority: 9,
+                },
+                // ── Tier 2: 数据安全与合规 (priority 8-9) ──────────────
+                {
+                    text: 'Does this handle PII, financial data, or health data? If yes, what compliance applies (GDPR, HIPAA, PCI-DSS, SOC2, CCPA)?',
+                    id: 'compliance-data',
+                    signals: ['pii', 'personal data', 'privacy', 'gdpr', 'hipaa', 'pci', 'compliance', 'user data', 'sensitive', 'financial', 'soc2', 'ccpa'],
+                    priority: 9,
+                },
+                {
+                    text: 'What encryption standards are required? (at rest: AES-256-GCM; in transit: TLS 1.3; key rotation frequency)',
+                    signals: ['encryption', 'encrypt', 'tls', 'aes', 'key management', 'at rest', 'in transit'],
+                    priority: 8,
+                    requiresAnswer: ['security:compliance-data'],
+                },
+                {
+                    text: 'What is the data retention and deletion policy? (regulatory minimum retention, user right-to-delete, archival/backup considerations)',
+                    signals: ['gdpr', 'pii', 'privacy', 'compliance', 'data', 'retention', 'deletion', 'archive', 'backup', 'right-to-delete'],
+                    priority: 7,
+                    requiresAnswer: ['security:compliance-data'],
+                    conditional: { 'security:compliance-data': 'gdpr' },
+                },
+                {
+                    text: 'Is data minimization enforced by design? Are collected fields strictly necessary for the feature to function?',
+                    signals: ['pii', 'privacy', 'gdpr', 'data', 'minimization', 'compliance'],
+                    priority: 7,
+                    requiresAnswer: ['security:compliance-data'],
+                },
+                // ── Tier 3: 威胁建模与攻击面 (priority 8) ──────────────
+                {
+                    text: 'What is the threat model? Who are the likely attackers (script kiddies, organized crime, nation-state) and what do they want?',
+                    id: 'threat-model',
+                    signals: ['threat', 'attack', 'security', 'vulnerability', 'penetration', 'audit', 'threat model'],
+                    priority: 8,
+                },
+                {
+                    text: 'What is the attack surface of this change? Which user inputs, API endpoints, and third-party interfaces are exposed?',
+                    signals: ['attack', 'threat', 'security', 'vulnerability', 'api', 'endpoint', 'surface', 'input'],
+                    priority: 8,
+                    requiresAnswer: ['security:threat-model'],
+                },
+                // ── Tier 4: 第三方集成安全 (priority 7-8) ──────────────
+                {
+                    text: 'Are there third-party integrations that receive or process sensitive data? What is the data-sharing agreement and scope?',
+                    id: 'third-party',
+                    signals: ['integration', 'third-party', 'api', 'payment', 'billing', 'sensitive', 'vendor', 'saas'],
+                    priority: 8,
+                },
+                {
+                    text: 'Does the integration surface handle webhooks, callbacks, or redirect URIs from untrusted sources? How are they validated?',
+                    signals: ['integration', 'webhook', 'callback', 'redirect', 'oauth', 'sso', 'uri', 'untrusted'],
+                    priority: 7,
+                    requiresAnswer: ['security:third-party'],
+                },
+                {
+                    text: 'What is the vendor/third-party security review process? Are SOC2 reports or penetration test results available?',
+                    signals: ['third-party', 'vendor', 'integration', 'security', 'soc2', 'audit', 'review'],
+                    priority: 6,
+                    requiresAnswer: ['security:third-party'],
+                },
+                // ── Tier 5: 密钥管理 (priority 8) ──────────────────────
+                {
+                    text: 'How will secrets (API keys, DB passwords, signing keys, certificates) be managed, stored, and rotated?',
+                    id: 'secrets-mgmt',
+                    signals: ['secret', 'key management', 'api key', 'password', 'credential', 'encryption', 'rotation', 'certificate', 'signing'],
+                    priority: 8,
+                },
+                {
+                    text: 'Is there a secret rotation plan with defined frequency? Is rotation tested in staging before production?',
+                    signals: ['secret', 'rotation', 'key management', 'credential', 'staging', 'production'],
+                    priority: 7,
+                    requiresAnswer: ['security:secrets-mgmt'],
+                },
+                {
+                    text: 'Where do secrets live at runtime? (env vars, vault, KMS, secrets manager) — are they ever logged or included in error messages?',
+                    signals: ['secret', 'key management', 'env', 'vault', 'kms', 'log', 'error', 'runtime'],
+                    priority: 7,
+                    requiresAnswer: ['security:secrets-mgmt'],
+                },
+                // ── Tier 6: 注入防护 (priority 8) ──────────────────────
+                {
+                    text: 'What SQL/NoSQL injection prevention is in place? Are all queries parameterized with no string concatenation?',
+                    signals: ['sql', 'injection', 'nosql', 'database', 'query', 'parameterized', 'orm', 'prepared statement'],
+                    priority: 8,
+                },
+                {
+                    text: 'How is XSS prevented? Is output encoding context-specific (HTML, JS, URL, CSS)? Is CSP configured with nonce-based script-src?',
+                    signals: ['xss', 'injection', 'output encoding', 'csp', 'sanitize', 'dompurify', 'nonce', 'script'],
+                    priority: 8,
+                },
+                {
+                    text: 'How are file uploads validated? (MIME type inspection, size limits, file extension allowlist, store outside web root)',
+                    signals: ['file upload', 'injection', 'validation', 'mime', 'size limit', 'extension'],
+                    priority: 7,
+                },
+                // ── Tier 7: CSRF / CORS / 安全标头 (priority 7) ────────
+                {
+                    text: 'Is CSRF protection needed? (SameSite=Strict cookies, CSRF tokens on state-changing requests, custom header requirement)',
+                    signals: ['csrf', 'cookie', 'samesite', 'token', 'state', 'form', 'cross-site'],
+                    priority: 7,
+                },
+                {
+                    text: 'What is the CORS policy? Are origins explicitly allowlisted (no * with credentials)? Are preflight requests handled?',
+                    signals: ['cors', 'cross-origin', 'origin', 'allowlist', 'preflight', 'credentials', 'api'],
+                    priority: 7,
+                },
+                {
+                    text: 'Which security headers will be enforced? (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy)',
+                    signals: ['security headers', 'hsts', 'csp', 'x-content-type-options', 'x-frame-options', 'referrer-policy', 'permissions-policy'],
+                    priority: 7,
+                },
+                // ── Tier 8: 日志与监控 (priority 7) ────────────────────
+                {
+                    text: 'What is the audit logging strategy for auth events, data mutations, and admin actions? Are logs immutable and tamper-proof?',
+                    id: 'audit-logging',
+                    signals: ['audit', 'logging', 'log', 'monitoring', 'auth', 'admin', 'mutation', 'immutable', 'tamper'],
+                    priority: 7,
+                },
+                {
+                    text: 'Are sensitive fields (passwords, tokens, full PII) redacted or excluded from logs? Is structured logging with sensitivity tags used?',
+                    signals: ['logging', 'log', 'pii', 'sensitive', 'redact', 'token', 'password', 'structured'],
+                    priority: 7,
+                    requiresAnswer: ['security:audit-logging'],
+                },
+                {
+                    text: 'How are security incidents detected and alerted? Is there an anomaly detection or rate-limit alerting pipeline?',
+                    signals: ['monitoring', 'alert', 'incident', 'anomaly', 'rate limit', 'detection', 'siem'],
+                    priority: 6,
+                },
+                // ── Tier 9: 依赖安全 (priority 6-7) ────────────────────
+                {
+                    text: 'How are dependencies scanned for known vulnerabilities? (npm audit, Snyk, Dependabot, OWASP Dependency-Check) — is CI gating on CRITICAL?',
+                    id: 'dep-scan',
+                    signals: ['dependency', 'cve', 'npm audit', 'snyk', 'dependabot', 'vulnerability', 'scan', 'ci', 'supply chain'],
+                    priority: 7,
+                },
+                {
+                    text: 'Are third-party libraries pinned to exact versions? Is there a process for reviewing new dependencies before adoption?',
+                    signals: ['dependency', 'version', 'pin', 'lock', 'library', 'third-party', 'supply chain'],
+                    priority: 6,
+                    requiresAnswer: ['security:dep-scan'],
+                },
+                // ── Tier 10: 安全配置与开发实践 (priority 5-6) ──────────
+                {
+                    text: 'Are default credentials and unnecessary features disabled in production configuration? Is there a production hardening checklist?',
+                    signals: ['configuration', 'default', 'production', 'harden', 'disable', 'misconfiguration'],
+                    priority: 6,
+                },
+                {
+                    text: 'How is the admin panel or privileged interface protected? (IP allowlisting, separate auth, access logging, session timeout)',
+                    signals: ['admin', 'privilege', 'panel', 'ip', 'allowlist', 'auth', 'session'],
+                    priority: 6,
+                },
+                {
+                    text: 'Is there a security review gate in the development workflow? When is a full penetration test or external audit required?',
+                    signals: ['security', 'review', 'audit', 'penetration', 'gate', 'workflow', 'sdlc'],
+                    priority: 5,
+                },
+                {
+                    text: 'What is the error handling strategy for security failures? (no stack traces in responses, generic messages, server-side logging)',
+                    signals: ['error', 'security', 'stack trace', 'response', 'logging', 'failure', 'exception'],
+                    priority: 6,
+                },
+                {
+                    text: 'How are rate limits configured for auth endpoints and public APIs? (per-IP, per-user, burst vs sustained; 429 response format)',
+                    signals: ['rate limit', 'throttle', 'brute force', 'auth', 'api', '429', 'ddos', 'dos'],
+                    priority: 6,
+                },
+            ],
+        },
+    },
+    // ── Design: 设计阶段 ─────────────────────────────────────
+    design: {
+        checklist: [
+            // OWASP Top 10 — 从 security-hardening 表格提取
+            'Injection: All database queries use parameterized statements; no string concatenation',
+            'Broken Authentication: Session timeout defined; MFA for sensitive operations; password policy enforced',
+            'Sensitive Data Exposure: Encryption at rest (AES-256-GCM) and in transit (TLS 1.3); PII minimized',
+            'XXE: XML parsers configured with DTD/entity expansion disabled; prefer JSON where possible',
+            'Broken Access Control: Server-side authorization check on every endpoint; IDOR prevention via ownership validation',
+            'Security Misconfiguration: No default credentials; unnecessary features disabled; verbose errors suppressed in production',
+            'XSS: Output encoding for all user-generated content; CSP header with nonce-based script-src',
+            'Insecure Deserialization: Type constraints and integrity checks on deserialized data; allowlist for accepted types',
+            'Components with Known Vulnerabilities: Dependency scanning in CI; automated update policy for CVEs',
+            'Insufficient Logging & Monitoring: Audit trail for auth events, data mutations, admin actions; no sensitive data in logs',
+            // 安全标头 — 从 security-hardening 示例提取
+            'HSTS header set: max-age=31536000; includeSubDomains',
+            'CSP header: default-src self; script-src with nonce; no unsafe-inline',
+            'X-Content-Type-Options: nosniff',
+            'X-Frame-Options: DENY (or SAMEORIGIN if iframes needed)',
+            'Referrer-Policy: strict-origin-when-cross-origin',
+            'Permissions-Policy: restrict camera, microphone, geolocation to minimum',
+            // 基础架构安全
+            'CORS configured with explicit allowed origins (no * with credentials)',
+            'Rate limiting on all auth endpoints (login, signup, password reset)',
+            'API has request size limits and timeout configurations',
+            'CSRF tokens on all state-changing requests (or SameSite=Strict cookies)',
+            // 审计关注 — 从 security-auditor 提取
+            'Authentication/authorization boundaries clearly drawn and documented',
+            'Privilege escalation paths analyzed and blocked',
+            'Secret handling surfaces mapped (code, config, CI, logs, runtime env)',
+            'Supply-chain trust boundaries identified (npm/pip dependencies, build tools, base images)',
+        ],
+        patterns: {
+            'Defense in Depth': 'Layer multiple controls: network (firewall, WAF) → application (auth, input validation) → data (encryption, backups). No single control failure should compromise the system.',
+            'Principle of Least Privilege': 'Every component, service account, and user should have the minimum permissions needed. Use short-lived credentials where possible.',
+            'Secure by Default': 'Default-deny for all access; explicitly grant permissions per role. Default configurations should be the most secure option.',
+            'JWT with Refresh Token Rotation': 'Short-lived access tokens (15 min) + longer refresh tokens. Rotate refresh token on each use; detect and revoke stolen refresh tokens via reuse detection.',
+            'Security Headers Middleware': 'Apply HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy globally via middleware — not per-route. One audit point.',
+            'OWASP ASVS Level 2': 'For applications handling sensitive data, align with OWASP Application Security Verification Standard Level 2 as a design baseline.',
+        },
+        antiPatterns: [
+            'Rolling your own cryptographic algorithm or protocol — use well-audited libraries (libsodium, WebCrypto API, bcrypt for passwords)',
+            'Client-side only authorization checks — the server must independently verify permissions on every request',
+            'Storing secrets in source code, config files, or environment variables committed to git — use a secret manager (Vault, AWS Secrets Manager, Doppler)',
+            'Logging sensitive data (passwords, tokens, full PII) in application logs — redact or hash before logging; use structured logging with sensitivity tags',
+            'Overly permissive CORS (Access-Control-Allow-Origin: * with credentials) — restrict to explicit, validated origins',
+            'Trusting user-supplied URLs for redirects without validation — validate against an allowlist of safe destinations',
+            'Using deprecated hash algorithms (MD5, SHA-1) for security purposes — use bcrypt/scrypt/argon2 for passwords, SHA-256+ for integrity',
+        ],
+    },
+    // ── Implement: 实施阶段 ──────────────────────────────────
+    implement: {
+        focusAreas: [
+            // 从 security-hardening audit workflow + security-auditor focus areas 提取
+            'Input validation: every API endpoint validates type, format, length, and business rules before processing',
+            'Output encoding: all user-generated content encoded before rendering (context-specific: HTML, JS, URL, CSS)',
+            'SQL injection prevention: parameterized queries 100% of the time; ORM raw queries audited',
+            'Authentication flow: token generation, storage (secure+httpOnly+SameSite), refresh, revocation all tested',
+            'Authorization: role checks at every endpoint, not just UI hiding; test with different role accounts',
+            'Secrets handling: no secrets in code; env vars validated at startup; secret rotation tested',
+            'Error handling: user-facing errors reveal nothing about internals; stack traces logged server-side only',
+            'File upload: validate MIME type (not just extension), size limits enforced server-side, store outside web root',
+            'Dependency audit: run npm audit / pip audit; block builds on HIGH or CRITICAL CVEs',
+            'Cryptographic usage: verify algorithm choice, key length, IV/nonce handling, and padding for every crypto call',
+            // 从 security-auditor working mode + quality checks 提取
+            'Map failure surface before implementing: which user inputs reach this code? what can go wrong?',
+            'Separate confirmed vulnerability from hypothesis: test each suspected issue before reporting',
+            'Verify one normal path, one failure path, and one privilege escalation attempt per auth change',
+            'For each finding, state: attack path → impact → exploitation prerequisites → remediation',
+        ],
+        patterns: {
+            'Input Validation Chain': 'Validation middleware: check type → validate format → enforce business rules → sanitize. Reject early at the boundary; never pass raw input to business logic.',
+            'Parametrized Query Audit': 'Grep for string concatenation near SQL keywords (SELECT, INSERT, UPDATE, DELETE, WHERE) before every commit. Add to pre-commit hook.',
+            'Secret Rotation Script': 'Every secret should have a documented rotation procedure. Implement a /health endpoint that reports secret age; alert if approaching expiry.',
+            'OWASP Dependency Check in CI': 'Run dependency scanning in CI pipeline. Fail build on CRITICAL. File ticket automatically on HIGH. Update within SLA per severity.',
+        },
+        antiPatterns: [
+            'Using innerHTML, dangerouslySetInnerHTML, or document.write with user-controlled data — use textContent or a sanitizer (DOMPurify)',
+            'Building SQL queries with string concatenation or template literals — use query builders or parameterized queries',
+            'Trusting client-side validation — always re-validate on the server',
+            'Hardcoding API keys, tokens, or database passwords — use environment variables validated at startup',
+            'Disabling security features for development ("temporarily") and forgetting to re-enable — security config should be environment-aware, not environment-specific',
+            'Catching all errors with a generic try/catch and returning 200 OK — use proper HTTP status codes (401, 403, 404, 422, 500)',
+            'Using default or weak secrets in production (admin/admin, default JWT secret) — generate unique secrets per environment',
+        ],
+    },
+    // ── Verify: 验证阶段 ─────────────────────────────────────
+    verify: {
+        checklist: [
+            // 认证/授权验证
+            'All auth endpoints have rate limiting (login, signup, password reset, MFA, token refresh)',
+            'Session tokens use secure + httpOnly + SameSite=Strict flags',
+            'JWT tokens use RS256 or HS256 with key length ≥ 256 bits; no "none" algorithm allowed',
+            'Password reset flow: time-limited tokens, email verification, no user enumeration in responses',
+            'MFA enrollment and recovery flows tested end-to-end',
+            // 注入防护验证
+            'All SQL queries use parameterized statements (grep for string concatenation near SQL keywords)',
+            'No user input rendered without encoding (grep for innerHTML, dangerouslySetInnerHTML, document.write)',
+            'File upload endpoints validate MIME type by content inspection, not just extension',
+            // 配置验证
+            'CSP header present and not using unsafe-inline or unsafe-eval',
+            'HSTS header set with max-age ≥ 1 year (31536000)',
+            'No hardcoded secrets in codebase (grep for common patterns: api_key, secret, password, token =)',
+            'CORS configuration restricts to explicit origins (no * with credentials)',
+            // 依赖验证
+            'Dependencies pass npm audit / pip audit with zero HIGH or CRITICAL',
+            'All production dependencies pinned to exact versions (no ^ or ~ ranges)',
+            // 运行时验证
+            'Error responses contain no stack traces, internal paths, or debug information',
+            'Security headers present on all responses (verify with curl -I or browser devtools)',
+            'TLS 1.2+ enforced; HTTP redirected to HTTPS; HSTS preload considered',
+            // 审计验证 — 从 security-auditor quality checks 提取
+            'For each security finding: attack path, impact, and exploitation prerequisites are documented',
+            'Mitigation guidance for each finding is specific and operationally feasible',
+            'High-severity items include immediate containment steps (WAF rule, feature flag, config change)',
+            'Verification steps that require runtime or environment access are explicitly called out',
+            'Residual risk after remediation is assessed and documented',
+            // 变更安全
+            'No new secrets introduced without rotation plan',
+            'Authorization rules tested with at least 2 role accounts (admin + regular user)',
+        ],
+    },
+};
+//# sourceMappingURL=security.js.map

package/dist/domains/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/domains/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,MAAM,CAAC,MAAM,cAAc,GAAiB;IAC1C,IAAI,EAAE,UAAU;IAChB,WAAW,EACT,iGAAiG;IAEnG,yDAAyD;IAEzD,OAAO,EAAE;QACP,OAAO,EAAE;YACP,QAAQ;YACR,MAAM,EAAE,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM;YAC9D,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,YAAY,EAAE,UAAU;YAC/D,YAAY,EAAE,MAAM,EAAE,gBAAgB,EAAE,eAAe;YACvD,OAAO;YACP,KAAK,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY;YACvE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,gBAAgB;YACnE,MAAM;YACN,UAAU,EAAE,eAAe,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM;YAC9D,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,OAAO,EAAE,QAAQ;YACpD,OAAO;YACP,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,WAAW,EAAE,WAAW;YAC7D,OAAO,EAAE,WAAW;SACrB;QAED,SAAS,EAAE;YACT,YAAY,EAAE,CAAC;YACf,KAAK,EAAE;gBACL,qDAAqD;gBACrD;oBACE,IAAI,EAAE,+FAA+F;oBACrG,EAAE,EAAE,aAAa;oBACjB,OAAO,EAAE,CAAC,MAAM,EAAE,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,CAAC;oBAClH,QAAQ,EAAE,EAAE;iBACb;gBACD;oBACE,IAAI,EAAE,mHAAmH;oBACzH,OAAO,EAAE,CAAC,MAAM,EAAE,gBAAgB,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC;oBAC7F,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,sBAAsB,CAAC;iBACzC;gBACD;oBACE,IAAI,EAAE,wHAAwH;oBAC9H,EAAE,EAAE,mBAAmB;oBACvB,OAAO,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;oBAC5F,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,sBAAsB,CAAC;iBACzC;gBACD;oBACE,IAAI,EAAE,yFAAyF;oBAC/F,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,CAAC;oBACvE,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,4BAA4B,CAAC;oBAC9C,WAAW,EAAE,EAAE,sBAAsB,EAAE,KAAK,EAAE;iBAC/C;gBACD;oBACE,IAAI,EAAE,4HAA4H;oBAClI,OAAO,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,gBAAgB,EAAE,eAAe,EAAE,OAAO,EAAE,YAAY,CAAC;oBACzG,QAAQ,EAAE,CAAC;iBACZ;gBAED,mDAAmD;gBACnD;oBACE,IAAI,EAAE,2HAA2H;oBACjI,EAAE,EAAE,iBAAiB;oBACrB,OAAO,EAAE,CAAC,KAAK,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC;oBACzI,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,6GAA6G;oBACnH,OAAO,EAAE,CAAC,YAAY,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,SAAS,EAAE,YAAY,CAAC;oBAC3F,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,0BAA0B,CAAC;iBAC7C;gBACD;oBACE,IAAI,EAAE,sIAAsI;oBAC5I,OAAO,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,CAAC;oBAC1H,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,0BAA0B,CAAC;oBAC5C,WAAW,EAAE,EAAE,0BAA0B,EAAE,MAAM,EAAE;iBACpD;gBACD;oBACE,IAAI,EAAE,+GAA+G;oBACrH,OAAO,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,YAAY,CAAC;oBACzE,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,0BAA0B,CAAC;iBAC7C;gBAED,kDAAkD;gBAClD;oBACE,IAAI,EAAE,+HAA+H;oBACrI,EAAE,EAAE,cAAc;oBAClB,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,eAAe,EAAE,aAAa,EAAE,OAAO,EAAE,cAAc,CAAC;oBAClG,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,sHAAsH;oBAC5H,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,eAAe,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,CAAC;oBACjG,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,uBAAuB,CAAC;iBAC1C;gBAED,mDAAmD;gBACnD;oBACE,IAAI,EAAE,0HAA0H;oBAChI,EAAE,EAAE,aAAa;oBACjB,OAAO,EAAE,CAAC,aAAa,EAAE,aAAa,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,CAAC;oBACnG,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,2HAA2H;oBACjI,OAAO,EAAE,CAAC,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,CAAC;oBAC/F,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,sBAAsB,CAAC;iBACzC;gBACD;oBACE,IAAI,EAAE,iHAAiH;oBACvH,OAAO,EAAE,CAAC,aAAa,EAAE,QAAQ,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC;oBACxF,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,sBAAsB,CAAC;iBACzC;gBAED,sDAAsD;gBACtD;oBACE,IAAI,EAAE,wGAAwG;oBAC9G,EAAE,EAAE,cAAc;oBAClB,OAAO,EAAE,CAAC,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,SAAS,CAAC;oBAC9H,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,0GAA0G;oBAChH,OAAO,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,gBAAgB,EAAE,YAAY,EAAE,SAAS,EAAE,YAAY,CAAC;oBACxF,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,uBAAuB,CAAC;iBAC1C;gBACD;oBACE,IAAI,EAAE,iIAAiI;oBACvI,OAAO,EAAE,CAAC,QAAQ,EAAE,gBAAgB,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,CAAC;oBACvF,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,uBAAuB,CAAC;iBAC1C;gBAED,sDAAsD;gBACtD;oBACE,IAAI,EAAE,8GAA8G;oBACpH,OAAO,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,oBAAoB,CAAC;oBACzG,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,gIAAgI;oBACtI,OAAO,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,iBAAiB,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,CAAC;oBACnG,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,uHAAuH;oBAC7H,OAAO,EAAE,CAAC,aAAa,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,WAAW,CAAC;oBACtF,QAAQ,EAAE,CAAC;iBACZ;gBAED,sDAAsD;gBACtD;oBACE,IAAI,EAAE,yHAAyH;oBAC/H,OAAO,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,YAAY,CAAC;oBAC/E,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,sHAAsH;oBAC5H,OAAO,EAAE,CAAC,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,aAAa,EAAE,KAAK,CAAC;oBAC3F,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,oIAAoI;oBAC1I,OAAO,EAAE,CAAC,kBAAkB,EAAE,MAAM,EAAE,KAAK,EAAE,wBAAwB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,oBAAoB,CAAC;oBAClI,QAAQ,EAAE,CAAC;iBACZ;gBAED,qDAAqD;gBACrD;oBACE,IAAI,EAAE,6HAA6H;oBACnI,EAAE,EAAE,eAAe;oBACnB,OAAO,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,CAAC;oBACtG,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,sIAAsI;oBAC5I,OAAO,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,YAAY,CAAC;oBAC5F,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,wBAAwB,CAAC;iBAC3C;gBACD;oBACE,IAAI,EAAE,iHAAiH;oBACvH,OAAO,EAAE,CAAC,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,CAAC;oBAC1F,QAAQ,EAAE,CAAC;iBACZ;gBAED,sDAAsD;gBACtD;oBACE,IAAI,EAAE,2IAA2I;oBACjJ,EAAE,EAAE,UAAU;oBACd,OAAO,EAAE,CAAC,YAAY,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE,cAAc,CAAC;oBAChH,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,wHAAwH;oBAC9H,OAAO,EAAE,CAAC,YAAY,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,cAAc,CAAC;oBAC3F,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,mBAAmB,CAAC;iBACtC;gBAED,kDAAkD;gBAClD;oBACE,IAAI,EAAE,mIAAmI;oBACzI,OAAO,EAAE,CAAC,eAAe,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,SAAS,EAAE,kBAAkB,CAAC;oBAC5F,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,6HAA6H;oBACnI,OAAO,EAAE,CAAC,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,CAAC;oBAC9E,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,0HAA0H;oBAChI,OAAO,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;oBACnF,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,kIAAkI;oBACxI,OAAO,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,CAAC;oBAC5F,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,gIAAgI;oBACtI,OAAO,EAAE,CAAC,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC;oBACvF,QAAQ,EAAE,CAAC;iBACZ;aACF;SACF;KACF;IAED,wDAAwD;IAExD,MAAM,EAAE;QACN,SAAS,EAAE;YACT,2CAA2C;YAC3C,uFAAuF;YACvF,wGAAwG;YACxG,mGAAmG;YACnG,4FAA4F;YAC5F,oHAAoH;YACpH,2HAA2H;YAC3H,6FAA6F;YAC7F,oHAAoH;YACpH,oGAAoG;YACpG,0HAA0H;YAE1H,mCAAmC;YACnC,sDAAsD;YACtD,uEAAuE;YACvE,iCAAiC;YACjC,yDAAyD;YACzD,kDAAkD;YAClD,yEAAyE;YAEzE,SAAS;YACT,uEAAuE;YACvE,qEAAqE;YACrE,wDAAwD;YACxD,yEAAyE;YAEzE,+BAA+B;YAC/B,sEAAsE;YACtE,iDAAiD;YACjD,uEAAuE;YACvE,2FAA2F;SAC5F;QAED,QAAQ,EAAE;YACR,kBAAkB,EAChB,+KAA+K;YACjL,8BAA8B,EAC5B,oIAAoI;YACtI,mBAAmB,EACjB,8HAA8H;YAChI,iCAAiC,EAC/B,4JAA4J;YAC9J,6BAA6B,EAC3B,yJAAyJ;YAC3J,oBAAoB,EAClB,qIAAqI;SACxI;QAED,YAAY,EAAE;YACZ,oIAAoI;YACpI,2GAA2G;YAC3G,sJAAsJ;YACtJ,wJAAwJ;YACxJ,oHAAoH;YACpH,mHAAmH;YACnH,sIAAsI;SACvI;KACF;IAED,wDAAwD;IAExD,SAAS,EAAE;QACT,UAAU,EAAE;YACV,wEAAwE;YACxE,2GAA2G;YAC3G,6GAA6G;YAC7G,2FAA2F;YAC3F,2GAA2G;YAC3G,qGAAqG;YACrG,6FAA6F;YAC7F,yGAAyG;YACzG,gHAAgH;YAChH,oFAAoF;YACpF,gHAAgH;YAEhH,sDAAsD;YACtD,gGAAgG;YAChG,8FAA8F;YAC9F,gGAAgG;YAChG,0FAA0F;SAC3F;QAED,QAAQ,EAAE;YACR,wBAAwB,EACtB,gKAAgK;YAClK,0BAA0B,EACxB,sIAAsI;YACxI,wBAAwB,EACtB,8IAA8I;YAChJ,8BAA8B,EAC5B,oIAAoI;SACvI;QAED,YAAY,EAAE;YACZ,oIAAoI;YACpI,mHAAmH;YACnH,oEAAoE;YACpE,qGAAqG;YACrG,iKAAiK;YACjK,4HAA4H;YAC5H,yHAAyH;SAC1H;KACF;IAED,wDAAwD;IAExD,MAAM,EAAE;QACN,SAAS,EAAE;YACT,UAAU;YACV,2FAA2F;YAC3F,8DAA8D;YAC9D,uFAAuF;YACvF,gGAAgG;YAChG,qDAAqD;YAErD,SAAS;YACT,gGAAgG;YAChG,uGAAuG;YACvG,oFAAoF;YAEpF,OAAO;YACP,+DAA+D;YAC/D,kDAAkD;YAClD,iGAAiG;YACjG,0EAA0E;YAE1E,OAAO;YACP,oEAAoE;YACpE,yEAAyE;YAEzE,QAAQ;YACR,+EAA+E;YAC/E,qFAAqF;YACrF,sEAAsE;YAEtE,8CAA8C;YAC9C,+FAA+F;YAC/F,6EAA6E;YAC7E,iGAAiG;YACjG,yFAAyF;YACzF,4DAA4D;YAE5D,OAAO;YACP,iDAAiD;YACjD,iFAAiF;SAClF;KACF;CACF,CAAC"}

package/dist/domains/signal-match.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Signal Match Utility
+ *
+ * 提取自 domains/index.ts 的纯函数分词和信号匹配逻辑。
+ * 供 domains/index.ts 和 domains/pool-ranking.ts 共同引用，避免循环依赖。
+ */
+/** 分词的分割字符集 */
+export declare const TOKENIZE_SPLIT_CHARS: RegExp;
+/** 短信号最小长度：低于此值的信号仅做精确 token 匹配，不做子串匹配 */
+export declare const MIN_SIGNAL_LENGTH_FOR_SUBSTRING = 4;
+/**
+ * 分词：小写 → 按非字母数字边界拆分 → 过滤停用词和短词 → 去重
+ */
+export declare function tokenize(text: string): string[];
+/**
+ * 判断单个 signal 是否匹配当前输入。
+ *
+ * 匹配规则（按优先级）:
+ *   1. 含空格的信号 → 直接在原始输入中做子串匹配
+ *   2. 含 tokenize 分割符但不含空格的信号 (e.g. "n+1") → 原始输入子串匹配
+ *   3. 短信号 (< MIN_SIGNAL_LENGTH_FOR_SUBSTRING 字符) → 仅精确 token 匹配
+ *   4. 普通信号 → token 包含 signal，或较长 token 作为 signal 前缀
+ */
+export declare function signalMatchesToken(signal: string, lowerInput: string, tokens: string[]): boolean;
+//# sourceMappingURL=signal-match.d.ts.map

package/dist/domains/signal-match.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signal-match.d.ts","sourceRoot":"","sources":["../../src/domains/signal-match.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAe;AACf,eAAO,MAAM,oBAAoB,QAA4C,CAAC;AAE9E,0CAA0C;AAC1C,eAAO,MAAM,+BAA+B,IAAI,CAAC;AAajD;;GAEG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAmB/C;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,EAAE,GACf,OAAO,CAwBT"}

package/dist/domains/signal-match.js

@@ -0,0 +1,67 @@
+/**
+ * Signal Match Utility
+ *
+ * 提取自 domains/index.ts 的纯函数分词和信号匹配逻辑。
+ * 供 domains/index.ts 和 domains/pool-ranking.ts 共同引用，避免循环依赖。
+ */
+/** 分词的分割字符集 */
+export const TOKENIZE_SPLIT_CHARS = /[\s,.;:!?()\[\]{}<>/\\|`'"@#$%^&*+=~_-]/;
+/** 短信号最小长度：低于此值的信号仅做精确 token 匹配，不做子串匹配 */
+export const MIN_SIGNAL_LENGTH_FOR_SUBSTRING = 4;
+/** 英文停用词 — 不参与匹配的常见功能词 */
+const STOP_WORDS = new Set([
+    'a', 'an', 'the', 'is', 'are', 'be', 'to', 'of', 'in', 'for',
+    'on', 'with', 'and', 'or', 'but', 'not', 'this', 'that', 'it',
+    'we', 'you', 'i', 'my', 'our', 'your', 'me', 'us',
+    'need', 'want', 'should', 'would', 'could', 'can', 'will',
+    'add', 'create', 'make', 'build', 'implement', 'fix', 'change',
+    'do', 'does', 'get', 'set', 'use', 'using', 'have', 'has',
+    'new', 'like', 'just', 'also', 'now', 'then', 'than',
+]);
+/**
+ * 分词：小写 → 按非字母数字边界拆分 → 过滤停用词和短词 → 去重
+ */
+export function tokenize(text) {
+    const seen = new Set();
+    const tokens = [];
+    for (const raw of text.split(TOKENIZE_SPLIT_CHARS)) {
+        const token = raw.toLowerCase();
+        if (token.length < 2 ||
+            STOP_WORDS.has(token) ||
+            /^\d+$/.test(token) || // 纯数字
+            seen.has(token)) {
+            continue;
+        }
+        seen.add(token);
+        tokens.push(token);
+    }
+    return tokens;
+}
+/**
+ * 判断单个 signal 是否匹配当前输入。
+ *
+ * 匹配规则（按优先级）:
+ *   1. 含空格的信号 → 直接在原始输入中做子串匹配
+ *   2. 含 tokenize 分割符但不含空格的信号 (e.g. "n+1") → 原始输入子串匹配
+ *   3. 短信号 (< MIN_SIGNAL_LENGTH_FOR_SUBSTRING 字符) → 仅精确 token 匹配
+ *   4. 普通信号 → token 包含 signal，或较长 token 作为 signal 前缀
+ */
+export function signalMatchesToken(signal, lowerInput, tokens) {
+    const s = signal.toLowerCase();
+    // 含空格的多词信号: 直接在原始输入中做子串匹配
+    if (s.includes(' ')) {
+        return lowerInput.includes(s);
+    }
+    // 含 tokenize 分割符的信号: 直接在原始输入中做子串匹配
+    if (TOKENIZE_SPLIT_CHARS.test(s)) {
+        return lowerInput.includes(s);
+    }
+    // 短信号: 仅精确 token 匹配，防止缩写误匹配
+    if (s.length < MIN_SIGNAL_LENGTH_FOR_SUBSTRING) {
+        return tokens.some((token) => token === s);
+    }
+    // 单词信号
+    return tokens.some((token) => token.includes(s) ||
+        (token.length >= 4 && s.startsWith(token)));
+}
+//# sourceMappingURL=signal-match.js.map

package/dist/domains/signal-match.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signal-match.js","sourceRoot":"","sources":["../../src/domains/signal-match.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAe;AACf,MAAM,CAAC,MAAM,oBAAoB,GAAG,yCAAyC,CAAC;AAE9E,0CAA0C;AAC1C,MAAM,CAAC,MAAM,+BAA+B,GAAG,CAAC,CAAC;AAEjD,0BAA0B;AAC1B,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK;IAC5D,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI;IAC7D,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI;IACjD,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM;IACzD,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,QAAQ;IAC9D,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK;IACzD,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM;CACrD,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAY;IACnC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACnD,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAChC,IACE,KAAK,CAAC,MAAM,GAAG,CAAC;YAChB,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC;YACrB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,MAAM;YAC7B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,EACf,CAAC;YACD,SAAS;QACX,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAAc,EACd,UAAkB,EAClB,MAAgB;IAEhB,MAAM,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IAE/B,0BAA0B;IAC1B,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACpB,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IAChC,CAAC;IAED,mCAAmC;IACnC,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QACjC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IAChC,CAAC;IAED,4BAA4B;IAC5B,IAAI,CAAC,CAAC,MAAM,GAAG,+BAA+B,EAAE,CAAC;QAC/C,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC;IAC7C,CAAC;IAED,OAAO;IACP,OAAO,MAAM,CAAC,IAAI,CAChB,CAAC,KAAK,EAAE,EAAE,CACR,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;QACjB,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAC7C,CAAC;AACJ,CAAC"}