ssh-mcp-pro 1.0.0
- package/AGENTS.md +127 -0
- package/ARCHITECTURE.md +145 -0
- package/LICENSE +21 -0
- package/LICENSES/MIT.txt +21 -0
- package/MIGRATION.md +14 -0
- package/README.md +175 -0
- package/REGISTRY_SUBMISSION.md +38 -0
- package/SECURITY.md +40 -0
- package/SECURITY_DECISIONS.md +59 -0
- package/dist/agent-bin.d.ts +3 -0
- package/dist/agent-bin.d.ts.map +1 -0
- package/dist/agent-bin.js +8 -0
- package/dist/agent-bin.js.map +1 -0
- package/dist/audit.d.ts +25 -0
- package/dist/audit.d.ts.map +1 -0
- package/dist/audit.js +50 -0
- package/dist/audit.js.map +1 -0
- package/dist/auth.d.ts +4 -0
- package/dist/auth.d.ts.map +1 -0
- package/dist/auth.js +33 -0
- package/dist/auth.js.map +1 -0
- package/dist/cli.d.ts +16 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +99 -0
- package/dist/cli.js.map +1 -0
- package/dist/config.d.ts +103 -0
- package/dist/config.d.ts.map +1 -0
- package/dist/config.js +490 -0
- package/dist/config.js.map +1 -0
- package/dist/connector-credentials.d.ts +8 -0
- package/dist/connector-credentials.d.ts.map +1 -0
- package/dist/connector-credentials.js +132 -0
- package/dist/connector-credentials.js.map +1 -0
- package/dist/connector-profile.d.ts +17 -0
- package/dist/connector-profile.d.ts.map +1 -0
- package/dist/connector-profile.js +81 -0
- package/dist/connector-profile.js.map +1 -0
- package/dist/container.d.ts +18 -0
- package/dist/container.d.ts.map +1 -0
- package/dist/container.js +52 -0
- package/dist/container.js.map +1 -0
- package/dist/detect.d.ts +7 -0
- package/dist/detect.d.ts.map +1 -0
- package/dist/detect.js +271 -0
- package/dist/detect.js.map +1 -0
- package/dist/ensure.d.ts +17 -0
- package/dist/ensure.d.ts.map +1 -0
- package/dist/ensure.js +531 -0
- package/dist/ensure.js.map +1 -0
- package/dist/errors.d.ts +54 -0
- package/dist/errors.d.ts.map +1 -0
- package/dist/errors.js +84 -0
- package/dist/errors.js.map +1 -0
- package/dist/fs-tools.d.ts +26 -0
- package/dist/fs-tools.d.ts.map +1 -0
- package/dist/fs-tools.js +599 -0
- package/dist/fs-tools.js.map +1 -0
- package/dist/http-rate-limit.d.ts +9 -0
- package/dist/http-rate-limit.d.ts.map +1 -0
- package/dist/http-rate-limit.js +41 -0
- package/dist/http-rate-limit.js.map +1 -0
- package/dist/http-security.d.ts +22 -0
- package/dist/http-security.d.ts.map +1 -0
- package/dist/http-security.js +88 -0
- package/dist/http-security.js.map +1 -0
- package/dist/index.d.ts +10 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +201 -0
- package/dist/index.js.map +1 -0
- package/dist/logging.d.ts +52 -0
- package/dist/logging.d.ts.map +1 -0
- package/dist/logging.js +180 -0
- package/dist/logging.js.map +1 -0
- package/dist/mcp.d.ts +16 -0
- package/dist/mcp.d.ts.map +1 -0
- package/dist/mcp.js +159 -0
- package/dist/mcp.js.map +1 -0
- package/dist/metrics.d.ts +95 -0
- package/dist/metrics.d.ts.map +1 -0
- package/dist/metrics.js +204 -0
- package/dist/metrics.js.map +1 -0
- package/dist/oauth.d.ts +14 -0
- package/dist/oauth.d.ts.map +1 -0
- package/dist/oauth.js +105 -0
- package/dist/oauth.js.map +1 -0
- package/dist/policy.d.ts +64 -0
- package/dist/policy.d.ts.map +1 -0
- package/dist/policy.js +368 -0
- package/dist/policy.js.map +1 -0
- package/dist/process.d.ts +24 -0
- package/dist/process.d.ts.map +1 -0
- package/dist/process.js +212 -0
- package/dist/process.js.map +1 -0
- package/dist/prompts.d.ts +49 -0
- package/dist/prompts.d.ts.map +1 -0
- package/dist/prompts.js +191 -0
- package/dist/prompts.js.map +1 -0
- package/dist/rate-limiter.d.ts +57 -0
- package/dist/rate-limiter.d.ts.map +1 -0
- package/dist/rate-limiter.js +141 -0
- package/dist/rate-limiter.js.map +1 -0
- package/dist/remote/agent-cli.d.ts +2 -0
- package/dist/remote/agent-cli.d.ts.map +1 -0
- package/dist/remote/agent-cli.js +270 -0
- package/dist/remote/agent-cli.js.map +1 -0
- package/dist/remote/agent-executor.d.ts +26 -0
- package/dist/remote/agent-executor.d.ts.map +1 -0
- package/dist/remote/agent-executor.js +400 -0
- package/dist/remote/agent-executor.js.map +1 -0
- package/dist/remote/config.d.ts +3 -0
- package/dist/remote/config.d.ts.map +1 -0
- package/dist/remote/config.js +52 -0
- package/dist/remote/config.js.map +1 -0
- package/dist/remote/control-plane.d.ts +57 -0
- package/dist/remote/control-plane.d.ts.map +1 -0
- package/dist/remote/control-plane.js +1248 -0
- package/dist/remote/control-plane.js.map +1 -0
- package/dist/remote/crypto.d.ts +38 -0
- package/dist/remote/crypto.d.ts.map +1 -0
- package/dist/remote/crypto.js +143 -0
- package/dist/remote/crypto.js.map +1 -0
- package/dist/remote/mcp-tools.d.ts +10 -0
- package/dist/remote/mcp-tools.d.ts.map +1 -0
- package/dist/remote/mcp-tools.js +201 -0
- package/dist/remote/mcp-tools.js.map +1 -0
- package/dist/remote/policy.d.ts +11 -0
- package/dist/remote/policy.d.ts.map +1 -0
- package/dist/remote/policy.js +94 -0
- package/dist/remote/policy.js.map +1 -0
- package/dist/remote/schemas.d.ts +298 -0
- package/dist/remote/schemas.d.ts.map +1 -0
- package/dist/remote/schemas.js +111 -0
- package/dist/remote/schemas.js.map +1 -0
- package/dist/remote/scopes.d.ts +6 -0
- package/dist/remote/scopes.d.ts.map +1 -0
- package/dist/remote/scopes.js +24 -0
- package/dist/remote/scopes.js.map +1 -0
- package/dist/remote/store.d.ts +45 -0
- package/dist/remote/store.d.ts.map +1 -0
- package/dist/remote/store.js +355 -0
- package/dist/remote/store.js.map +1 -0
- package/dist/remote/types.d.ts +183 -0
- package/dist/remote/types.d.ts.map +1 -0
- package/dist/remote/types.js +103 -0
- package/dist/remote/types.js.map +1 -0
- package/dist/remote/util.d.ts +6 -0
- package/dist/remote/util.d.ts.map +1 -0
- package/dist/remote/util.js +45 -0
- package/dist/remote/util.js.map +1 -0
- package/dist/remote/websocket.d.ts +26 -0
- package/dist/remote/websocket.d.ts.map +1 -0
- package/dist/remote/websocket.js +167 -0
- package/dist/remote/websocket.js.map +1 -0
- package/dist/render-http.d.ts +2 -0
- package/dist/render-http.d.ts.map +1 -0
- package/dist/render-http.js +14 -0
- package/dist/render-http.js.map +1 -0
- package/dist/resources.d.ts +19 -0
- package/dist/resources.d.ts.map +1 -0
- package/dist/resources.js +96 -0
- package/dist/resources.js.map +1 -0
- package/dist/retry.d.ts +45 -0
- package/dist/retry.d.ts.map +1 -0
- package/dist/retry.js +120 -0
- package/dist/retry.js.map +1 -0
- package/dist/safety.d.ts +31 -0
- package/dist/safety.d.ts.map +1 -0
- package/dist/safety.js +174 -0
- package/dist/safety.js.map +1 -0
- package/dist/server-http.d.ts +2 -0
- package/dist/server-http.d.ts.map +1 -0
- package/dist/server-http.js +432 -0
- package/dist/server-http.js.map +1 -0
- package/dist/session.d.ts +116 -0
- package/dist/session.d.ts.map +1 -0
- package/dist/session.js +666 -0
- package/dist/session.js.map +1 -0
- package/dist/shell.d.ts +10 -0
- package/dist/shell.d.ts.map +1 -0
- package/dist/shell.js +83 -0
- package/dist/shell.js.map +1 -0
- package/dist/ssh-config.d.ts +94 -0
- package/dist/ssh-config.d.ts.map +1 -0
- package/dist/ssh-config.js +234 -0
- package/dist/ssh-config.js.map +1 -0
- package/dist/streaming.d.ts +36 -0
- package/dist/streaming.d.ts.map +1 -0
- package/dist/streaming.js +140 -0
- package/dist/streaming.js.map +1 -0
- package/dist/telemetry.d.ts +17 -0
- package/dist/telemetry.d.ts.map +1 -0
- package/dist/telemetry.js +101 -0
- package/dist/telemetry.js.map +1 -0
- package/dist/tools/connector.provider.d.ts +28 -0
- package/dist/tools/connector.provider.d.ts.map +1 -0
- package/dist/tools/connector.provider.js +360 -0
- package/dist/tools/connector.provider.js.map +1 -0
- package/dist/tools/ensure.provider.d.ts +18 -0
- package/dist/tools/ensure.provider.d.ts.map +1 -0
- package/dist/tools/ensure.provider.js +173 -0
- package/dist/tools/ensure.provider.js.map +1 -0
- package/dist/tools/fs.provider.d.ts +21 -0
- package/dist/tools/fs.provider.d.ts.map +1 -0
- package/dist/tools/fs.provider.js +259 -0
- package/dist/tools/fs.provider.js.map +1 -0
- package/dist/tools/index.d.ts +4 -0
- package/dist/tools/index.d.ts.map +1 -0
- package/dist/tools/index.js +68 -0
- package/dist/tools/index.js.map +1 -0
- package/dist/tools/metadata.d.ts +11 -0
- package/dist/tools/metadata.d.ts.map +1 -0
- package/dist/tools/metadata.js +10 -0
- package/dist/tools/metadata.js.map +1 -0
- package/dist/tools/output-schemas.d.ts +217 -0
- package/dist/tools/output-schemas.d.ts.map +1 -0
- package/dist/tools/output-schemas.js +300 -0
- package/dist/tools/output-schemas.js.map +1 -0
- package/dist/tools/process.provider.d.ts +22 -0
- package/dist/tools/process.provider.d.ts.map +1 -0
- package/dist/tools/process.provider.js +146 -0
- package/dist/tools/process.provider.js.map +1 -0
- package/dist/tools/registry.d.ts +12 -0
- package/dist/tools/registry.d.ts.map +1 -0
- package/dist/tools/registry.js +163 -0
- package/dist/tools/registry.js.map +1 -0
- package/dist/tools/results.d.ts +4 -0
- package/dist/tools/results.d.ts.map +1 -0
- package/dist/tools/results.js +5 -0
- package/dist/tools/results.js.map +1 -0
- package/dist/tools/session.provider.d.ts +23 -0
- package/dist/tools/session.provider.d.ts.map +1 -0
- package/dist/tools/session.provider.js +299 -0
- package/dist/tools/session.provider.js.map +1 -0
- package/dist/tools/system.provider.d.ts +18 -0
- package/dist/tools/system.provider.d.ts.map +1 -0
- package/dist/tools/system.provider.js +81 -0
- package/dist/tools/system.provider.js.map +1 -0
- package/dist/tools/transfer.provider.d.ts +16 -0
- package/dist/tools/transfer.provider.d.ts.map +1 -0
- package/dist/tools/transfer.provider.js +85 -0
- package/dist/tools/transfer.provider.js.map +1 -0
- package/dist/tools/tunnel.provider.d.ts +18 -0
- package/dist/tools/tunnel.provider.d.ts.map +1 -0
- package/dist/tools/tunnel.provider.js +142 -0
- package/dist/tools/tunnel.provider.js.map +1 -0
- package/dist/tools/types.d.ts +16 -0
- package/dist/tools/types.d.ts.map +1 -0
- package/dist/tools/types.js +2 -0
- package/dist/tools/types.js.map +1 -0
- package/dist/transfer.d.ts +40 -0
- package/dist/transfer.d.ts.map +1 -0
- package/dist/transfer.js +363 -0
- package/dist/transfer.js.map +1 -0
- package/dist/tunnel.d.ts +37 -0
- package/dist/tunnel.d.ts.map +1 -0
- package/dist/tunnel.js +234 -0
- package/dist/tunnel.js.map +1 -0
- package/dist/types.d.ts +341 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +184 -0
- package/dist/types.js.map +1 -0
- package/docs/docker.md +22 -0
- package/examples/README.md +77 -0
- package/mcp.json +21 -0
- package/package.json +147 -0
- package/registry/ssh-mcp-pro/mcp.json +21 -0
- package/server.json +76 -0
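--- a/package/dist/policy.d.ts
+++ b/package/dist/policy.d.ts
@@ -0,0 +1,64 @@
+import type { PolicyMode } from "./types.js";
+export interface PolicyConfig {
+mode: PolicyMode;
+allowRootLogin: boolean;
+allowRawSudo: boolean;
+allowDestructiveCommands: boolean;
+allowDestructiveFs: boolean;
+allowedHosts: string[];
+commandAllow: string[];
+commandDeny: string[];
+pathAllowPrefixes: string[];
+pathDenyPrefixes: string[];
+localPathAllowPrefixes: string[];
+localPathDenyPrefixes: string[];
+tunnelAllowBindHosts: string[];
+tunnelDenyBindHosts: string[];
+tunnelAllowRemoteHosts: string[];
+tunnelDenyRemoteHosts: string[];
+tunnelAllowPorts: string[];
+tunnelDenyPorts: string[];
+}
+export type PolicyAction = "ssh.open" | "proc.exec" | "proc.sudo" | "fs.read" | "fs.stat" | "fs.list" | "fs.write" | "fs.remove" | "fs.mkdir" | "fs.rename" | "ensure.package" | "ensure.service" | "ensure.lines" | "patch.apply" | "transfer.upload" | "transfer.download" | "transfer.local.read" | "transfer.local.write" | "transfer.local.create" | "transfer.local.overwrite" | "tunnel.local" | "tunnel.remote";
+export interface PolicyContext {
+action: PolicyAction;
+host?: string;
+username?: string;
+command?: string;
+path?: string;
+secondaryPath?: string;
+localBindHost?: string;
+localPort?: number;
+remoteHost?: string;
+remotePort?: number;
+mode?: PolicyMode;
+rawSudo?: boolean;
+destructive?: boolean;
+}
+export interface PolicyDecision {
+allowed: boolean;
+mode: PolicyMode;
+action: PolicyAction;
+reason?: string;
+hint?: string;
+riskLevel?: string;
+}
+export type PolicyDecisionObserver = (decision: PolicyDecision, context: PolicyContext) => void;
+export declare function isSegmentBoundaryPathMatch(candidate: string, prefix: string, separator: string): boolean;
+export declare function normalizeRemotePosixPath(pathValue: string): string;
+export declare class PolicyEngine {
+private readonly config;
+private readonly observer?;
+private readonly pathAllowPrefixes;
+private readonly pathDenyPrefixes;
+private readonly defaultPathAllowPrefixes;
+private readonly localPathAllowPrefixes;
+private readonly localPathDenyPrefixes;
+constructor(config: PolicyConfig, observer?: PolicyDecisionObserver | undefined);
+getEffectivePolicy(): PolicyConfig;
+evaluate(context: PolicyContext): PolicyDecision;
+assertAllowed(context: PolicyContext): PolicyDecision;
+check(context: PolicyContext): PolicyDecision;
+explain(context: PolicyContext): PolicyDecision;
+}
+//# sourceMappingURL=policy.d.ts.map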
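Review bot: `PolicyContext.mode` (declaration line 34) is an optional per-call field with no documentation of who may set it, yet the compiled `evaluate()` on this page reads it as `context.mode ?? this.config.mode` and `assertAllowed()` throws only when `decision.mode === "enforce"`. A context carrying any other mode therefore turns a denial into a returned decision instead of an exception, so the field is safe only if callers never fill it from tool or client input; that cannot be confirmed from this page. I would document the contract in `src/policy.ts` with a TSDoc comment on the field, for example `/** Per-call override of the configured mode; set by server code only, never from request input. */`. It is also worth considering whether the field should be dropped from the public context type, so that only `explain()` can select a non-enforcing mode.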
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../src/policy.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,UAAU,CAAC;IACjB,cAAc,EAAE,OAAO,CAAC;IACxB,YAAY,EAAE,OAAO,CAAC;IACtB,wBAAwB,EAAE,OAAO,CAAC;IAClC,kBAAkB,EAAE,OAAO,CAAC;IAC5B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,sBAAsB,EAAE,MAAM,EAAE,CAAC;IACjC,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B,sBAAsB,EAAE,MAAM,EAAE,CAAC;IACjC,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,MAAM,YAAY,GACpB,UAAU,GACV,WAAW,GACX,WAAW,GACX,SAAS,GACT,SAAS,GACT,SAAS,GACT,UAAU,GACV,WAAW,GACX,UAAU,GACV,WAAW,GACX,gBAAgB,GAChB,gBAAgB,GAChB,cAAc,GACd,aAAa,GACb,iBAAiB,GACjB,mBAAmB,GACnB,qBAAqB,GACrB,sBAAsB,GACtB,uBAAuB,GACvB,0BAA0B,GAC1B,cAAc,GACd,eAAe,CAAC;AAEpB,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,YAAY,CAAC;IACrB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,UAAU,CAAC;IACjB,MAAM,EAAE,YAAY,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,MAAM,sBAAsB,GAAG,CAAC,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,aAAa,KAAK,IAAI,CAAC;AAuDhG,wBAAgB,0BAA0B,CACxC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB,OAAO,CAET;AA8BD,wBAAgB,wBAAwB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CASlE;AAmCD,qBAAa,YAAY;IAQrB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IAR5B,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAW;IAC7C,OAAO,CAAC,QAAQ,
CAAC,gBAAgB,CAAW;IAC5C,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAW;IACpD,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAW;IAClD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAW;gBAG9B,MAAM,EAAE,YAAY,EACpB,QAAQ,CAAC,EAAE,sBAAsB,YAAA;IAqBpD,kBAAkB,IAAI,YAAY;IAmBlC,QAAQ,CAAC,OAAO,EAAE,aAAa,GAAG,cAAc;IA4PhD,aAAa,CAAC,OAAO,EAAE,aAAa,GAAG,cAAc;IASrD,KAAK,CAAC,OAAO,EAAE,aAAa,GAAG,cAAc;IAM7C,OAAO,CAAC,OAAO,EAAE,aAAa,GAAG,cAAc;CAKhD"}
|
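--- a/package/dist/policy.js
+++ b/package/dist/policy.js
@@ -0,0 +1,368 @@
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { posix as posixPath } from "node:path";
+import { createPolicyError } from "./errors.js";
+import { checkCommandSafety } from "./safety.js";
+const DEFAULT_ALLOWED_MUTATION_PREFIXES = ["/tmp", "/var/tmp", "/home", "/Users"];
+const LOCAL_TRANSFER_ACTIONS = new Set([
+"transfer.local.read",
+"transfer.local.write",
+"transfer.local.create",
+"transfer.local.overwrite",
+]);
+function compile(pattern) {
+try {
+return new RegExp(pattern);
+}
+catch {
+return undefined;
+}
+}
+function matchesAny(value, patterns) {
+return patterns.some((pattern) => compile(pattern)?.test(value));
+}
+function matchesPolicyValue(value, policies) {
+return policies.some((policy) => policy === value || matchesAny(value, [policy]));
+}
+function parsePortRange(policy) {
+const trimmed = policy.trim();
+const range = /^(\d{1,5})(?:-(\d{1,5}))?$/u.exec(trimmed);
+if (!range) {
+return undefined;
+}
+const start = Number(range[1]);
+const end = range[2] === undefined ? start : Number(range[2]);
+if (!Number.isInteger(start) ||
+!Number.isInteger(end) ||
+start < 0 ||
+end > 65535 ||
+start > end) {
+return undefined;
+}
+return { start, end };
+}
+function matchesPortPolicy(port, policies) {
+return policies.some((policy) => {
+const range = parsePortRange(policy);
+return range ? port >= range.start && port <= range.end : false;
+});
+}
+export function isSegmentBoundaryPathMatch(candidate, prefix, separator) {
+return candidate === prefix || candidate.startsWith(`${prefix}${separator}`);
+}
+function stripTrailingSeparators(value, separator, root) {
+let stripped = value;
+while (stripped.length > root.length && stripped.endsWith(separator)) {
+stripped = stripped.slice(0, -separator.length);
+}
+return stripped;
+}
+function resolveLocalExistingPrefix(normalizedPath) {
+const pendingSegments = [];
+let candidate = normalizedPath;
+while (true) {
+try {
+const resolvedPrefix = fs.realpathSync.native(candidate);
+return path.join(resolvedPrefix, ...pendingSegments.reverse());
+}
+catch {
+const parent = path.dirname(candidate);
+if (parent === candidate) {
+return normalizedPath;
+}
+pendingSegments.push(path.basename(candidate));
+candidate = parent;
+}
+}
+}
+export function normalizeRemotePosixPath(pathValue) {
+if (pathValue.includes("\0")) {
+throw new Error("Path contains NUL byte");
+}
+const unixSeparators = pathValue.replace(/\\/g, "/");
+const absolutePath = unixSeparators.startsWith("/") ? unixSeparators : `/${unixSeparators}`;
+const normalized = posixPath.normalize(absolutePath);
+return stripTrailingSeparators(normalized, "/", "/");
+}
+function normalizeLocalPolicyPath(pathValue) {
+if (pathValue.includes("\0")) {
+throw new Error("Path contains NUL byte");
+}
+const absolutePath = path.resolve(pathValue);
+const normalized = resolveLocalExistingPrefix(path.normalize(absolutePath));
+return stripTrailingSeparators(normalized, path.sep, path.parse(normalized).root);
+}
+function normalizePolicyPaths(paths, normalizer) {
+return [...new Set((paths ?? []).map((pathValue) => normalizer(pathValue)))];
+}
+function isPathUnder(pathValue, prefix, separator) {
+if (prefix === "/" || prefix === path.parse(prefix).root) {
+return true;
+}
+return isSegmentBoundaryPathMatch(pathValue, prefix, separator);
+}
+function denied(decision) {
+return { ...decision, allowed: false };
+}
+function allowed(decision) {
+return { ...decision, allowed: true };
+}
+export class PolicyEngine {
+config;
+observer;
+pathAllowPrefixes;
+pathDenyPrefixes;
+defaultPathAllowPrefixes;
+localPathAllowPrefixes;
+localPathDenyPrefixes;
+constructor(config, observer) {
+this.config = config;
+this.observer = observer;
+this.pathAllowPrefixes = normalizePolicyPaths(config.pathAllowPrefixes, normalizeRemotePosixPath);
+this.pathDenyPrefixes = normalizePolicyPaths(config.pathDenyPrefixes, normalizeRemotePosixPath);
+this.defaultPathAllowPrefixes = normalizePolicyPaths(DEFAULT_ALLOWED_MUTATION_PREFIXES, normalizeRemotePosixPath);
+this.localPathAllowPrefixes = normalizePolicyPaths(config.localPathAllowPrefixes, normalizeLocalPolicyPath);
+this.localPathDenyPrefixes = normalizePolicyPaths(config.localPathDenyPrefixes, normalizeLocalPolicyPath);
+}
+getEffectivePolicy() {
+return {
+...this.config,
+allowedHosts: [...this.config.allowedHosts],
+commandAllow: [...this.config.commandAllow],
+commandDeny: [...this.config.commandDeny],
+pathAllowPrefixes: [...this.config.pathAllowPrefixes],
+pathDenyPrefixes: [...this.config.pathDenyPrefixes],
+localPathAllowPrefixes: [...(this.config.localPathAllowPrefixes ?? [])],
+localPathDenyPrefixes: [...(this.config.localPathDenyPrefixes ?? [])],
+tunnelAllowBindHosts: [...(this.config.tunnelAllowBindHosts ?? [])],
+tunnelDenyBindHosts: [...(this.config.tunnelDenyBindHosts ?? [])],
+tunnelAllowRemoteHosts: [...(this.config.tunnelAllowRemoteHosts ?? [])],
+tunnelDenyRemoteHosts: [...(this.config.tunnelDenyRemoteHosts ?? [])],
+tunnelAllowPorts: [...(this.config.tunnelAllowPorts ?? [])],
+tunnelDenyPorts: [...(this.config.tunnelDenyPorts ?? [])],
+};
+}
+evaluate(context) {
+const mode = context.mode ?? this.config.mode;
+if (context.host && this.config.allowedHosts.length > 0) {
+const hostAllowed = this.config.allowedHosts.some((host) => host === context.host || matchesAny(context.host ?? "", [host]));
+if (!hostAllowed) {
+return denied({
+mode,
+action: context.action,
+reason: `Host ${context.host} is not allowed by policy`,
+hint: "Add the host to allowedHosts or use an SSH config alias that is allowed.",
+});
+}
+}
+if (context.action === "tunnel.local" || context.action === "tunnel.remote") {
+const bindHost = context.localBindHost;
+if (bindHost &&
+(this.config.tunnelDenyBindHosts ?? []).length > 0 &&
+matchesPolicyValue(bindHost, this.config.tunnelDenyBindHosts)) {
+return denied({
+mode,
+action: context.action,
+reason: `Tunnel bind host ${bindHost} is denied by policy`,
+hint: "Choose an allowed bind host or adjust tunnelDenyBindHosts.",
+});
+}
+if (bindHost &&
+(this.config.tunnelAllowBindHosts ?? []).length > 0 &&
+!matchesPolicyValue(bindHost, this.config.tunnelAllowBindHosts)) {
+return denied({
+mode,
+action: context.action,
+reason: `Tunnel bind host ${bindHost} is outside allowed policy`,
+hint: "Choose an allowed bind host or adjust tunnelAllowBindHosts.",
+});
+}
+const remoteHost = context.remoteHost;
+if (remoteHost &&
+(this.config.tunnelDenyRemoteHosts ?? []).length > 0 &&
+matchesPolicyValue(remoteHost, this.config.tunnelDenyRemoteHosts)) {
+return denied({
+mode,
+action: context.action,
+reason: `Tunnel remote host ${remoteHost} is denied by policy`,
+hint: "Choose an allowed remote host or adjust tunnelDenyRemoteHosts.",
+});
+}
+if (remoteHost &&
+(this.config.tunnelAllowRemoteHosts ?? []).length > 0 &&
+!matchesPolicyValue(remoteHost, this.config.tunnelAllowRemoteHosts)) {
+return denied({
+mode,
+action: context.action,
+reason: `Tunnel remote host ${remoteHost} is outside allowed policy`,
+hint: "Choose an allowed remote host or adjust tunnelAllowRemoteHosts.",
+});
+}
+const ports = [context.localPort, context.remotePort].filter((port) => typeof port === "number");
+for (const port of ports) {
+if ((this.config.tunnelDenyPorts ?? []).length > 0 &&
+matchesPortPolicy(port, this.config.tunnelDenyPorts)) {
+return denied({
+mode,
+action: context.action,
+reason: `Tunnel port ${port} is denied by policy`,
+hint: "Choose a different port or adjust tunnelDenyPorts.",
+});
+}
+if ((this.config.tunnelAllowPorts ?? []).length > 0 &&
+!matchesPortPolicy(port, this.config.tunnelAllowPorts)) {
+return denied({
+mode,
+action: context.action,
+reason: `Tunnel port ${port} is outside allowed policy`,
+hint: "Choose an allowed port or adjust tunnelAllowPorts.",
+});
+}
+}
+}
+if (context.username === "root" && !this.config.allowRootLogin) {
+return denied({
+mode,
+action: context.action,
+reason: "Root SSH login is disabled by policy",
+hint: "Connect as an unprivileged user and use approved ensure tools where possible.",
+});
+}
+if (context.rawSudo && !this.config.allowRawSudo) {
+return denied({
+mode,
+action: context.action,
+reason: "Raw sudo command execution is disabled by policy",
+hint: "Use an idempotent ensure_* tool or enable allowRawSudo explicitly.",
+});
+}
+if (context.command) {
+if (this.config.commandDeny.length > 0 &&
+matchesAny(context.command, this.config.commandDeny)) {
+return denied({
+mode,
+action: context.action,
+reason: "Command matched commandDeny policy",
+hint: "Review the command or adjust the policy.",
+});
+}
+if (this.config.commandAllow.length > 0 &&
+!matchesAny(context.command, this.config.commandAllow)) {
+return denied({
+mode,
+action: context.action,
+reason: "Command does not match commandAllow policy",
+hint: "Use an allowed command or update commandAllow.",
+});
+}
+const safety = checkCommandSafety(context.command);
+if (!safety.safe && !this.config.allowDestructiveCommands) {
+return denied({
+mode,
+action: context.action,
+reason: safety.warning ?? "Command is considered unsafe",
+hint: safety.suggestion ?? "Review the command before enabling destructive command policy.",
+...(safety.riskLevel ? { riskLevel: safety.riskLevel } : {}),
+});
+}
+}
+const paths = [context.path, context.secondaryPath].filter((pathValue) => Boolean(pathValue));
+if (LOCAL_TRANSFER_ACTIONS.has(context.action)) {
+for (const pathValue of paths) {
+let normalizedPath;
+try {
+normalizedPath = normalizeLocalPolicyPath(pathValue);
+}
+catch {
+return denied({
+mode,
+action: context.action,
+reason: "Local path contains NUL byte",
+hint: "Choose a valid local path without NUL bytes.",
+});
+}
+if (this.localPathDenyPrefixes.some((prefix) => isPathUnder(normalizedPath, prefix, path.sep))) {
+return denied({
+mode,
+action: context.action,
+reason: `Local path ${pathValue} is denied by policy`,
+hint: "Choose a different local path or adjust localPathDenyPrefixes.",
+});
+}
+if (this.localPathAllowPrefixes.length === 0) {
+return denied({
+mode,
+action: context.action,
+reason: "Local transfer path policy has no allowed prefixes",
+hint: "Set localPathAllowPrefixes for MCP-server-host transfer paths.",
+});
+}
+const underAllowedPrefix = this.localPathAllowPrefixes.some((prefix) => isPathUnder(normalizedPath, prefix, path.sep));
+if (!underAllowedPrefix) {
+return denied({
+mode,
+action: context.action,
+reason: `Local path ${pathValue} is outside allowed prefixes`,
+hint: `Allowed local transfer prefixes: ${this.localPathAllowPrefixes.join(", ")}`,
+});
+}
+}
+return allowed({ mode, action: context.action });
+}
+for (const pathValue of paths) {
+let normalizedPath;
+try {
+normalizedPath = normalizeRemotePosixPath(pathValue);
+}
+catch {
+return denied({
+mode,
+action: context.action,
+reason: "Path contains NUL byte",
+hint: "Choose a valid remote path without NUL bytes.",
+});
+}
+if (this.pathDenyPrefixes.some((prefix) => isPathUnder(normalizedPath, prefix, "/"))) {
+return denied({
+mode,
+action: context.action,
+reason: `Path ${pathValue} is denied by policy`,
+hint: "Choose a different path or adjust pathDenyPrefixes.",
+});
+}
+const isDestructiveFs = (context.destructive ?? false) || context.action === "fs.remove";
+const allowPrefixes = this.pathAllowPrefixes.length > 0 ? this.pathAllowPrefixes : this.defaultPathAllowPrefixes;
+if (isDestructiveFs && !this.config.allowDestructiveFs) {
+const underAllowedPrefix = allowPrefixes.some((prefix) => isPathUnder(normalizedPath, prefix, "/"));
+if (!underAllowedPrefix) {
+return denied({
+mode,
+action: context.action,
+reason: `Destructive filesystem operation on ${pathValue} is outside allowed prefixes`,
+hint: `Allowed destructive prefixes: ${allowPrefixes.join(", ")}`,
+});
+}
+}
+}
+return allowed({ mode, action: context.action });
+}
+assertAllowed(context) {
+const decision = this.evaluate(context);
+this.observer?.(decision, context);
+if (!decision.allowed && decision.mode === "enforce") {
+throw createPolicyError(decision.reason ?? "Operation denied by policy", decision.hint);
+}
+return decision;
+}
+check(context) {
+const decision = this.evaluate(context);
+this.observer?.(decision, context);
+return decision;
+}
+explain(context) {
+const decision = this.evaluate({ ...context, mode: "explain" });
+this.observer?.(decision, { ...context, mode: "explain" });
+return decision;
+}
+}
+//# sourceMappingURL=policy.js.map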
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"policy.js","sourceRoot":"","sources":["../src/policy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,WAAW,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AA2EjD,MAAM,iCAAiC,GAAG,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;AAClF,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAe;IACnD,qBAAqB;IACrB,sBAAsB;IACtB,uBAAuB;IACvB,0BAA0B;CAC3B,CAAC,CAAC;AAEH,SAAS,OAAO,CAAC,OAAe;IAC9B,IAAI,CAAC;QACH,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,KAAa,EAAE,QAAkB;IACnD,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa,EAAE,QAAkB;IAC3D,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,KAAK,KAAK,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AACpF,CAAC;AAED,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9B,MAAM,KAAK,GAAG,6BAA6B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9D,IACE,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC;QACxB,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC;QACtB,KAAK,GAAG,CAAC;QACT,GAAG,GAAG,KAAK;QACX,KAAK,GAAG,GAAG,EACX,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY,EAAE,QAAkB;IACzD,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;QAC9B,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;QACrC,OAAO,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,KAAK,IAAI,IAAI,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,SAAiB,EACjB,MAAc,EACd,SAAiB;IAEjB,OAAO,SAAS,KAAK,MAAM,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,SAAS,EAAE,CAA
C,CAAC;AAC/E,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAa,EAAE,SAAiB,EAAE,IAAY;IAC7E,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,OAAO,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACrE,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,0BAA0B,CAAC,cAAsB;IACxD,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,IAAI,SAAS,GAAG,cAAc,CAAC;IAE/B,OAAO,IAAI,EAAE,CAAC;QACZ,IAAI,CAAC;YACH,MAAM,cAAc,GAAG,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACzD,OAAO,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,CAAC,CAAC;QACjE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACvC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,OAAO,cAAc,CAAC;YACxB,CAAC;YAED,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;YAC/C,SAAS,GAAG,MAAM,CAAC;QACrB,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,SAAiB;IACxD,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,cAAc,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACrD,MAAM,YAAY,GAAG,cAAc,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,cAAc,EAAE,CAAC;IAC5F,MAAM,UAAU,GAAG,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IACrD,OAAO,uBAAuB,CAAC,UAAU,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,wBAAwB,CAAC,SAAiB;IACjD,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,0BAA0B,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC;IAE5E,OAAO,uBAAuB,CAAC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC;AACpF,CAAC;AAED,SAAS,oBAAoB,CAC3B,KAA2B,EAC3B,UAAyC;IAEzC,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,WAAW,CAAC,SAAiB,EAAE,MAAc,EAAE,SAAiB;IACvE,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QACzD,OAAO
,IAAI,CAAC;IACd,CAAC;IACD,OAAO,0BAA0B,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,MAAM,CAAC,QAAyC;IACvD,OAAO,EAAE,GAAG,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AACzC,CAAC;AAED,SAAS,OAAO,CAAC,QAAyC;IACxD,OAAO,EAAE,GAAG,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AACxC,CAAC;AAED,MAAM,OAAO,YAAY;IAQJ;IACA;IARF,iBAAiB,CAAW;IAC5B,gBAAgB,CAAW;IAC3B,wBAAwB,CAAW;IACnC,sBAAsB,CAAW;IACjC,qBAAqB,CAAW;IAEjD,YACmB,MAAoB,EACpB,QAAiC;QADjC,WAAM,GAAN,MAAM,CAAc;QACpB,aAAQ,GAAR,QAAQ,CAAyB;QAElD,IAAI,CAAC,iBAAiB,GAAG,oBAAoB,CAC3C,MAAM,CAAC,iBAAiB,EACxB,wBAAwB,CACzB,CAAC;QACF,IAAI,CAAC,gBAAgB,GAAG,oBAAoB,CAAC,MAAM,CAAC,gBAAgB,EAAE,wBAAwB,CAAC,CAAC;QAChG,IAAI,CAAC,wBAAwB,GAAG,oBAAoB,CAClD,iCAAiC,EACjC,wBAAwB,CACzB,CAAC;QACF,IAAI,CAAC,sBAAsB,GAAG,oBAAoB,CAChD,MAAM,CAAC,sBAAsB,EAC7B,wBAAwB,CACzB,CAAC;QACF,IAAI,CAAC,qBAAqB,GAAG,oBAAoB,CAC/C,MAAM,CAAC,qBAAqB,EAC5B,wBAAwB,CACzB,CAAC;IACJ,CAAC;IAED,kBAAkB;QAChB,OAAO;YACL,GAAG,IAAI,CAAC,MAAM;YACd,YAAY,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;YAC3C,YAAY,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;YAC3C,WAAW,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YACzC,iBAAiB,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC;YACrD,gBAAgB,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC;YACnD,sBAAsB,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC;YACvE,qBAAqB,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,qBAAqB,IAAI,EAAE,CAAC,CAAC;YACrE,oBAAoB,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC;YACnE,mBAAmB,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,mBAAmB,IAAI,EAAE,CAAC,CAAC;YACjE,sBAAsB,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC;YACvE,qBAAqB,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,qBAAqB,IAAI,EAAE,CAAC,CAAC;YACrE,gBAAgB,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC;YAC3D,eAAe,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;SAC1D,CAAC;IACJ,CAAC;IAED,QAAQ,CAAC,OAAsB;QAC7B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;QAE9C,IAAI,OAAO,CAAC,IAAI,IAAI,IAAI
,CAAC,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxD,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,IAAI,CAC/C,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,IAAI,UAAU,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAC1E,CAAC;YACF,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,MAAM,CAAC;oBACZ,IAAI;oBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,MAAM,EAAE,QAAQ,OAAO,CAAC,IAAI,2BAA2B;oBACvD,IAAI,EAAE,0EAA0E;iBACjF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,cAAc,IAAI,OAAO,CAAC,MAAM,KAAK,eAAe,EAAE,CAAC;YAC5E,MAAM,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC;YACvC,IACE,QAAQ;gBACR,CAAC,IAAI,CAAC,MAAM,CAAC,mBAAmB,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC;gBAClD,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,EAC7D,CAAC;gBACD,OAAO,MAAM,CAAC;oBACZ,IAAI;oBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,MAAM,EAAE,oBAAoB,QAAQ,sBAAsB;oBAC1D,IAAI,EAAE,4DAA4D;iBACnE,CAAC,CAAC;YACL,CAAC;YACD,IACE,QAAQ;gBACR,CAAC,IAAI,CAAC,MAAM,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC;gBACnD,CAAC,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,EAC/D,CAAC;gBACD,OAAO,MAAM,CAAC;oBACZ,IAAI;oBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,MAAM,EAAE,oBAAoB,QAAQ,4BAA4B;oBAChE,IAAI,EAAE,6DAA6D;iBACpE,CAAC,CAAC;YACL,CAAC;YAED,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;YACtC,IACE,UAAU;gBACV,CAAC,IAAI,CAAC,MAAM,CAAC,qBAAqB,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC;gBACpD,kBAAkB,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC,EACjE,CAAC;gBACD,OAAO,MAAM,CAAC;oBACZ,IAAI;oBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,MAAM,EAAE,sBAAsB,UAAU,sBAAsB;oBAC9D,IAAI,EAAE,gEAAgE;iBACvE,CAAC,CAAC;YACL,CAAC;YACD,IACE,UAAU;gBACV,CAAC,IAAI,CAAC,MAAM,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC;gBACrD,CAAC,kBAAkB,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,sBAAsB,CAAC,EACnE,CAAC;gBACD,OAAO,MAAM,CAAC;oBACZ,IAAI;oBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,MAAM,EAAE,sBAAsB,UAAU,4BAA4B;oBACpE,IAAI,EAAE,iEAAiE;iBACxE,CAAC,CAAC;YACL,CAAC;YAED,MAAM,KAAK,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC,MAAM,CAC1D,CAAC,IAAI,EAAkB,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CACnD,CAAC;YACF,KAAK,MAAM,I
AAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IACE,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC;oBAC9C,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,EACpD,CAAC;oBACD,OAAO,MAAM,CAAC;wBACZ,IAAI;wBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,MAAM,EAAE,eAAe,IAAI,sBAAsB;wBACjD,IAAI,EAAE,oDAAoD;qBAC3D,CAAC,CAAC;gBACL,CAAC;gBACD,IACE,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC;oBAC/C,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,EACtD,CAAC;oBACD,OAAO,MAAM,CAAC;wBACZ,IAAI;wBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,MAAM,EAAE,eAAe,IAAI,4BAA4B;wBACvD,IAAI,EAAE,oDAAoD;qBAC3D,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAC/D,OAAO,MAAM,CAAC;gBACZ,IAAI;gBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,MAAM,EAAE,sCAAsC;gBAC9C,IAAI,EAAE,+EAA+E;aACtF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,OAAO,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YACjD,OAAO,MAAM,CAAC;gBACZ,IAAI;gBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,MAAM,EAAE,kDAAkD;gBAC1D,IAAI,EAAE,oEAAoE;aAC3E,CAAC,CAAC;QACL,CAAC;QAED,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACpB,IACE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC;gBAClC,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,EACpD,CAAC;gBACD,OAAO,MAAM,CAAC;oBACZ,IAAI;oBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,MAAM,EAAE,oCAAoC;oBAC5C,IAAI,EAAE,0CAA0C;iBACjD,CAAC,CAAC;YACL,CAAC;YAED,IACE,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC;gBACnC,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,EACtD,CAAC;gBACD,OAAO,MAAM,CAAC;oBACZ,IAAI;oBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,MAAM,EAAE,4CAA4C;oBACpD,IAAI,EAAE,gDAAgD;iBACvD,CAAC,CAAC;YACL,CAAC;YAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YACnD,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,wBAAwB,EAAE,CAAC;gBAC1D,OAAO,MAAM,CAAC;oBACZ,IAAI;oBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,MAAM,EAAE,MAAM,CAAC,OAAO,IAAI,8BAA8B;oBACxD,IAAI,EACF,MAAM,CAAC,UAAU,IAAI,gEAAgE;oBACvF,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,
MAAM,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC7D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,MAAM,KAAK,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC,CAAC,SAAS,EAAuB,EAAE,CAC5F,OAAO,CAAC,SAAS,CAAC,CACnB,CAAC;QACF,IAAI,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/C,KAAK,MAAM,SAAS,IAAI,KAAK,EAAE,CAAC;gBAC9B,IAAI,cAAsB,CAAC;gBAC3B,IAAI,CAAC;oBACH,cAAc,GAAG,wBAAwB,CAAC,SAAS,CAAC,CAAC;gBACvD,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,MAAM,CAAC;wBACZ,IAAI;wBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,MAAM,EAAE,8BAA8B;wBACtC,IAAI,EAAE,8CAA8C;qBACrD,CAAC,CAAC;gBACL,CAAC;gBAED,IACE,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,cAAc,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAC1F,CAAC;oBACD,OAAO,MAAM,CAAC;wBACZ,IAAI;wBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,MAAM,EAAE,cAAc,SAAS,sBAAsB;wBACrD,IAAI,EAAE,gEAAgE;qBACvE,CAAC,CAAC;gBACL,CAAC;gBAED,IAAI,IAAI,CAAC,sBAAsB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC7C,OAAO,MAAM,CAAC;wBACZ,IAAI;wBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,MAAM,EAAE,oDAAoD;wBAC5D,IAAI,EAAE,gEAAgE;qBACvE,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,kBAAkB,GAAG,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CACrE,WAAW,CAAC,cAAc,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,CAC9C,CAAC;gBACF,IAAI,CAAC,kBAAkB,EAAE,CAAC;oBACxB,OAAO,MAAM,CAAC;wBACZ,IAAI;wBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,MAAM,EAAE,cAAc,SAAS,8BAA8B;wBAC7D,IAAI,EAAE,oCAAoC,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;qBACnF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,OAAO,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QACnD,CAAC;QAED,KAAK,MAAM,SAAS,IAAI,KAAK,EAAE,CAAC;YAC9B,IAAI,cAAsB,CAAC;YAC3B,IAAI,CAAC;gBACH,cAAc,GAAG,wBAAwB,CAAC,SAAS,CAAC,CAAC;YACvD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,MAAM,CAAC;oBACZ,IAAI;oBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,MAAM,EAAE,wBAAwB;oBAChC,IAAI,EAAE,+CAA+C;iBACtD,CAAC,CAAC;YACL,CAAC;YAED,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,cAAc,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;gBACrF,OAAO,MAAM,CAAC;oBACZ,IAAI;oBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,
MAAM,EAAE,QAAQ,SAAS,sBAAsB;oBAC/C,IAAI,EAAE,qDAAqD;iBAC5D,CAAC,CAAC;YACL,CAAC;YAED,MAAM,eAAe,GAAG,CAAC,OAAO,CAAC,WAAW,IAAI,KAAK,CAAC,IAAI,OAAO,CAAC,MAAM,KAAK,WAAW,CAAC;YACzF,MAAM,aAAa,GACjB,IAAI,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC;YAE7F,IAAI,eAAe,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;gBACvD,MAAM,kBAAkB,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CACvD,WAAW,CAAC,cAAc,EAAE,MAAM,EAAE,GAAG,CAAC,CACzC,CAAC;gBACF,IAAI,CAAC,kBAAkB,EAAE,CAAC;oBACxB,OAAO,MAAM,CAAC;wBACZ,IAAI;wBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,MAAM,EAAE,uCAAuC,SAAS,8BAA8B;wBACtF,IAAI,EAAE,iCAAiC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;qBAClE,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,aAAa,CAAC,OAAsB;QAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACnC,IAAI,CAAC,QAAQ,CAAC,OAAO,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACrD,MAAM,iBAAiB,CAAC,QAAQ,CAAC,MAAM,IAAI,4BAA4B,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC1F,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,OAAsB;QAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACnC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,OAAsB;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;QAChE,IAAI,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;QAC3D,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
|
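--- a/process.d.ts
+++ b/process.d.ts
@@ -0,0 +1,24 @@
+import type { PolicyAction, PolicyEngine } from "./policy.js";
+import type { SessionManager } from "./session.js";
+import type { ServerConfig } from "./config.js";
+import type { ExecResult } from "./types.js";
+export interface ProcessService {
+execCommand(sessionId: string, command: string, cwd?: string, env?: Record<string, string>, timeoutMs?: number): Promise<ExecResult>;
+execSudo(sessionId: string, command: string, password?: string, cwd?: string, timeoutMs?: number, policyOptions?: SudoPolicyOptions): Promise<ExecResult>;
+commandExists(sessionId: string, command: string): Promise<boolean>;
+getAvailableShell(sessionId: string): Promise<string>;
+execWithShell(sessionId: string, command: string, cwd?: string, env?: Record<string, string>): Promise<ExecResult>;
+}
+export interface SudoPolicyOptions {
+policyAction?: PolicyAction;
+rawSudo?: boolean;
+path?: string;
+destructive?: boolean;
+}
+export interface ProcessServiceDeps {
+sessionManager: Pick<SessionManager, "getSession" | "getOSInfo">;
+config: Pick<ServerConfig, "commandTimeoutMs" | "maxCommandOutputBytes">;
+policy: Pick<PolicyEngine, "assertAllowed">;
+}
+export declare function createProcessService({ sessionManager, config, policy, }: ProcessServiceDeps): ProcessService;
+//# sourceMappingURL=process.d.ts.map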
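Review bot: `execSudo` declares `password?: string` and `cwd?: string` as adjacent optional positional strings, so a caller that is off by one argument passes a working directory as the password (or the password as `cwd`) and the compiler accepts it. The declaration also says nothing about how the password is handled. This file is emitted from `../src/process.ts`, so the TSDoc belongs there, for example `/** @param password Sudo password for this call; implementations must not write it to logs, audit records or error text. */`. `SudoPolicyOptions` has the same gap: `rawSudo` and `destructive` appear to feed the policy decision but are undocumented, and an omitted `destructive` is presumably treated as non-destructive, which should be confirmed and stated on the field.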
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"process.d.ts","sourceRoot":"","sources":["../src/process.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAG7C,MAAM,WAAW,cAAc;IAC7B,WAAW,CACT,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,GAAG,CAAC,EAAE,MAAM,EACZ,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,UAAU,CAAC,CAAC;IACvB,QAAQ,CACN,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,QAAQ,CAAC,EAAE,MAAM,EACjB,GAAG,CAAC,EAAE,MAAM,EACZ,SAAS,CAAC,EAAE,MAAM,EAClB,aAAa,CAAC,EAAE,iBAAiB,GAChC,OAAO,CAAC,UAAU,CAAC,CAAC;IACvB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACpE,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACtD,aAAa,CACX,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,GAAG,CAAC,EAAE,MAAM,EACZ,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC3B,OAAO,CAAC,UAAU,CAAC,CAAC;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,IAAI,CAAC,cAAc,EAAE,YAAY,GAAG,WAAW,CAAC,CAAC;IACjE,MAAM,EAAE,IAAI,CAAC,YAAY,EAAE,kBAAkB,GAAG,uBAAuB,CAAC,CAAC;IACzE,MAAM,EAAE,IAAI,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;CAC7C;AA+CD,wBAAgB,oBAAoB,CAAC,EACnC,cAAc,EACd,MAAM,EACN,MAAM,GACP,EAAE,kBAAkB,GAAG,cAAc,CAuPrC"}
|