ummaya 0.2.4 → 0.2.5

package/tui/src/tools/WebFetchTool/resolvedAddressSafety.ts

@@ -0,0 +1,78 @@
+import { lookup } from 'node:dns/promises'
+import { isIP } from 'node:net'
+import {
+  validatePublicWebFetchUrl,
+  type WebFetchUrlSafetyResult,
+} from './urlSafety.js'
+
+type ResolvedAddress = {
+  readonly address: string
+  readonly family: 4 | 6
+}
+
+type LookupHost = (hostname: string) => Promise<readonly ResolvedAddress[]>
+
+const lookupHost: LookupHost = async hostname => {
+  const addresses = await lookup(hostname, { all: true, verbatim: true })
+  return addresses.flatMap(({ address, family }) =>
+    family === 4 || family === 6 ? [{ address, family }] : [],
+  )
+}
+
+export async function validateResolvedPublicWebFetchUrl(
+  value: string,
+  resolveHost: LookupHost = lookupHost,
+): Promise<WebFetchUrlSafetyResult> {
+  const validation = validatePublicWebFetchUrl(value)
+  if (!validation.ok || isIP(validation.hostname) !== 0) {
+    return validation
+  }
+
+  let addresses: readonly ResolvedAddress[]
+  try {
+    addresses = await resolveHost(validation.hostname)
+  } catch (error) {
+    if (error instanceof Error) {
+      return unsafeResolvedUrl(
+        `WebFetch could not resolve ${validation.hostname} to a public address.`,
+      )
+    }
+    return unsafeResolvedUrl(
+      `WebFetch could not safely classify ${validation.hostname}.`,
+    )
+  }
+
+  if (addresses.length === 0) {
+    return unsafeResolvedUrl(
+      `WebFetch could not safely classify ${validation.hostname}.`,
+    )
+  }
+
+  for (const resolved of addresses) {
+    const resolvedValidation = validatePublicWebFetchUrl(
+      addressUrlForSafetyCheck(resolved),
+    )
+    if (!resolvedValidation.ok) {
+      return unsafeResolvedUrl(
+        `WebFetch cannot access ${validation.hostname} because it resolved to a private, loopback, metadata, or link-local address (${resolved.address}).`,
+      )
+    }
+  }
+
+  return validation
+}
+
+function addressUrlForSafetyCheck({
+  address,
+  family,
+}: ResolvedAddress): string {
+  return family === 6 ? `http://[${address}]/` : `http://${address}/`
+}
+
+function unsafeResolvedUrl(message: string): WebFetchUrlSafetyResult {
+  return {
+    ok: false,
+    reason: 'unsafe_url',
+    message,
+  }
+}

package/tui/src/tools/WebFetchTool/sourceVerification.ts

@@ -0,0 +1,204 @@
+import { z } from 'zod/v4'
+import { validatePublicWebFetchUrl } from './urlSafety.js'
+
+export const SOURCE_VERIFICATION_POLICY =
+  'source_results_untrusted_until_user_approval' as const
+
+export const sourceVerificationEvidenceSchema = z.object({
+  toolId: z.string(),
+  sourceUrl: z.string().nullable(),
+  title: z.string().nullable(),
+  observedAt: z.string(),
+  citationHandle: z.string(),
+  blockedOrUsed: z.enum(['blocked', 'needs_input']),
+  trust: z.literal('untrusted_source'),
+  promptInjection: z.enum(['detected', 'not_detected']),
+  redacted: z.boolean(),
+})
+
+export const sourceVerificationSchema = z.object({
+  mutationAllowed: z.literal(false),
+  userApprovalRequired: z.literal(true),
+  secretEgress: z.literal(false),
+  policy: z.literal(SOURCE_VERIFICATION_POLICY).default(SOURCE_VERIFICATION_POLICY),
+  evidence: z.array(sourceVerificationEvidenceSchema),
+})
+
+export type SourceVerificationEvidence = z.infer<
+  typeof sourceVerificationEvidenceSchema
+>
+export type SourceVerification = z.infer<typeof sourceVerificationSchema>
+
+const SECRET_TEXT_PATTERNS: readonly RegExp[] = [
+  /Authorization\s*:\s*[^\n\r]+/gi,
+  /Bearer\s+[A-Za-z0-9._~+/=-]+/gi,
+  /Cookie\s*:\s*[^\n\r]+/gi,
+  /\b[A-Z0-9_]*(?:API|AUTH|ACCESS|REFRESH|SESSION)[_-]?KEY\s*=\s*[^\s&]+/gi,
+  /\b(?:session|access|refresh|id)[_-]?token\s*=\s*[^\s&]+/gi,
+  /\bsk-[A-Za-z0-9_-]{8,}\b/g,
+]
+
+const SECRET_QUERY_KEYS = new Set([
+  'access_token',
+  'api_key',
+  'apikey',
+  'auth',
+  'authorization',
+  'cookie',
+  'id_token',
+  'key',
+  'refresh_token',
+  'servicekey',
+  'session',
+  'session_token',
+  'token',
+])
+
+const PROMPT_INJECTION_PATTERNS: readonly RegExp[] = [
+  /ignore\s+(?:all\s+)?previous\s+instructions/i,
+  /change\s+(?:the\s+)?permission\s+policy/i,
+  /bypass\s+(?:permissions?|approval|policy)/i,
+  /system\s+prompt/i,
+  /treat\s+this\s+as\s+(?:a\s+)?system\s+instruction/i,
+]
+
+function stableHandlePart(value: string): string {
+  const lowered = value.toLowerCase().replace(/[^a-z0-9]+/g, '-')
+  const trimmed = lowered.replace(/^-+|-+$/g, '')
+  return trimmed.length > 0 ? trimmed.slice(0, 48) : 'source'
+}
+
+function hasRedactionCandidate(value: string): boolean {
+  return SECRET_TEXT_PATTERNS.some(pattern => {
+    pattern.lastIndex = 0
+    return pattern.test(value)
+  })
+}
+
+export function redactSourceVerificationText(value: string): string {
+  const redacted = SECRET_TEXT_PATTERNS.reduce(
+    (current, pattern) => current.replace(pattern, '[REDACTED]'),
+    value,
+  )
+  return redacted
+    .replaceAll('<source_verification>', '[source_verification]')
+    .replaceAll('</source_verification>', '[/source_verification]')
+}
+
+export function redactSourceVerificationUrl(value: string | null): string | null {
+  if (value === null) return null
+  const validation = validatePublicWebFetchUrl(value)
+  if (!validation.ok) return null
+  const { parsedUrl } = validation
+  for (const key of [...parsedUrl.searchParams.keys()]) {
+    if (SECRET_QUERY_KEYS.has(key.toLowerCase())) {
+      parsedUrl.searchParams.set(key, '[REDACTED]')
+    }
+  }
+  return redactSourceVerificationText(parsedUrl.toString())
+}
+
+export function detectPromptInjection(value: string): 'detected' | 'not_detected' {
+  return PROMPT_INJECTION_PATTERNS.some(pattern => pattern.test(value))
+    ? 'detected'
+    : 'not_detected'
+}
+
+export function buildSourceEvidence({
+  toolId,
+  sourceUrl,
+  title,
+  observedAt = new Date().toISOString(),
+  blockedOrUsed,
+  rawText,
+}: {
+  toolId: string
+  sourceUrl: string | null
+  title: string | null
+  observedAt?: string
+  blockedOrUsed: SourceVerificationEvidence['blockedOrUsed']
+  rawText: string
+}): SourceVerificationEvidence {
+  const redactedUrl = redactSourceVerificationUrl(sourceUrl)
+  const redactedTitle = title === null ? null : redactSourceVerificationText(title)
+  const combined = `${rawText}\n${redactedTitle ?? ''}\n${redactedUrl ?? ''}`
+  return {
+    toolId,
+    sourceUrl: redactedUrl,
+    title: redactedTitle,
+    observedAt,
+    citationHandle: `src-${stableHandlePart(toolId)}-${stableHandlePart(
+      redactedUrl ?? redactedTitle ?? rawText,
+    )}`,
+    blockedOrUsed,
+    trust: 'untrusted_source',
+    promptInjection: detectPromptInjection(combined),
+    redacted:
+      hasRedactionCandidate(rawText) ||
+      (sourceUrl !== null && redactSourceVerificationUrl(sourceUrl) !== sourceUrl) ||
+      (title !== null && redactSourceVerificationText(title) !== title),
+  }
+}
+
+export function buildSourceVerification(
+  evidence: readonly SourceVerificationEvidence[],
+): SourceVerification {
+  return {
+    mutationAllowed: false,
+    userApprovalRequired: true,
+    secretEgress: false,
+    policy: SOURCE_VERIFICATION_POLICY,
+    evidence: [...evidence],
+  }
+}
+
+export function formatSourceVerificationForModel(
+  sourceVerification: SourceVerification | undefined,
+): string {
+  if (sourceVerification === undefined) return ''
+  const parsed = sourceVerificationSchema.safeParse(sourceVerification)
+  if (!parsed.success) return ''
+
+  const lines = [
+    '<source_verification>',
+    `policy: ${parsed.data.policy}`,
+    `document_mutation_allowed: ${parsed.data.mutationAllowed}`,
+    `user_approval_required: ${parsed.data.userApprovalRequired}`,
+    `permission_policy_mutation_allowed: false`,
+    `no_secret_egress: ${!parsed.data.secretEgress}`,
+    `no_fabricated_fact: true`,
+  ]
+
+  for (const evidence of parsed.data.evidence) {
+    const safeSourceUrl = redactSourceVerificationUrl(evidence.sourceUrl)
+    const safeTitle =
+      evidence.title === null ? null : redactSourceVerificationText(evidence.title)
+    lines.push(
+      `tool_id: ${redactSourceVerificationText(evidence.toolId)}`,
+      `source_url: ${safeSourceUrl ?? 'none'}`,
+      `title: ${safeTitle ?? 'none'}`,
+      `timestamp: ${evidence.observedAt}`,
+      `citation_handle: ${redactSourceVerificationText(evidence.citationHandle)}`,
+      `blocked_or_used: ${evidence.blockedOrUsed}`,
+      `trust: ${evidence.trust}`,
+      `prompt_injection: ${evidence.promptInjection}`,
+      `redacted: ${evidence.redacted}`,
+    )
+  }
+
+  lines.push('</source_verification>')
+  return lines.join('\n')
+}
+
+export function formatSourceVerifiedToolResult({
+  result,
+  sourceVerification,
+}: {
+  result: string
+  sourceVerification?: SourceVerification
+}): string {
+  const safeResult = redactSourceVerificationText(result)
+  const verification = formatSourceVerificationForModel(sourceVerification)
+  if (!verification) return safeResult
+  return `${safeResult}\n\n${verification}`
+}

package/tui/src/tools/WebFetchTool/types.ts

@@ -0,0 +1,23 @@
+import type { SourceVerification } from './sourceVerification.js'
+
+export type WebFetchOutput = {
+  readonly bytes: number
+  readonly code: number
+  readonly codeText: string
+  readonly result: string
+  readonly durationMs: number
+  readonly url: string
+  readonly sourceVerification?: SourceVerification
+}
+
+export type WebFetchCallInput = {
+  readonly url: string
+  readonly prompt: string
+}
+
+export type WebFetchCallContext = {
+  readonly abortController: AbortController
+  readonly options: {
+    readonly isNonInteractiveSession: boolean
+  }
+}

package/tui/src/tools/WebFetchTool/urlSafety.ts

@@ -0,0 +1,181 @@
+import { isIP } from 'node:net'
+
+const MAX_WEB_FETCH_URL_LENGTH = 2000
+
+const INTERNAL_HOSTNAMES = new Set([
+  'localhost',
+  'localhost.localdomain',
+  'ip6-localhost',
+  'ip6-loopback',
+  'metadata',
+  'metadata.google.internal',
+])
+
+const INTERNAL_HOSTNAME_SUFFIXES = [
+  '.localhost',
+  '.local',
+  '.internal',
+  '.intranet',
+  '.lan',
+  '.home',
+  '.corp',
+] as const
+
+export type WebFetchUrlSafetyResult =
+  | {
+      readonly ok: true
+      readonly parsedUrl: URL
+      readonly hostname: string
+    }
+  | {
+      readonly ok: false
+      readonly reason: 'invalid_url' | 'unsafe_url'
+      readonly message: string
+    }
+
+export function validatePublicWebFetchUrl(
+  value: string,
+): WebFetchUrlSafetyResult {
+  if (value.length > MAX_WEB_FETCH_URL_LENGTH) {
+    return unsafeUrl('URL exceeds the WebFetch length limit.')
+  }
+
+  let parsedUrl: URL
+  try {
+    parsedUrl = new URL(value)
+  } catch (error) {
+    if (error instanceof TypeError) {
+      return {
+        ok: false,
+        reason: 'invalid_url',
+        message: `Invalid URL "${value}". The URL provided could not be parsed.`,
+      }
+    }
+    throw error
+  }
+
+  if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
+    return unsafeUrl('WebFetch only allows public http or https URLs.')
+  }
+
+  if (parsedUrl.username || parsedUrl.password) {
+    return unsafeUrl('WebFetch URLs must not contain credentials.')
+  }
+
+  const hostname = normalizeHostname(parsedUrl.hostname)
+  if (hostname.length === 0) {
+    return unsafeUrl('WebFetch URL host is empty.')
+  }
+
+  if (isIpAddress(hostname)) {
+    return isNonPublicIpAddress(hostname)
+      ? unsafeUrl('WebFetch cannot access private, loopback, metadata, or link-local IP ranges.')
+      : { ok: true, parsedUrl, hostname }
+  }
+
+  if (isInternalHostname(hostname)) {
+    return unsafeUrl('WebFetch cannot access private, loopback, metadata, or link-local hostnames.')
+  }
+
+  return { ok: true, parsedUrl, hostname }
+}
+
+export function isPublicWebFetchUrl(value: string): boolean {
+  return validatePublicWebFetchUrl(value).ok
+}
+
+function unsafeUrl(message: string): WebFetchUrlSafetyResult {
+  return {
+    ok: false,
+    reason: 'unsafe_url',
+    message,
+  }
+}
+
+function normalizeHostname(hostname: string): string {
+  const lower = hostname.toLowerCase()
+  const withoutBrackets =
+    lower.startsWith('[') && lower.endsWith(']')
+      ? lower.slice(1, lower.length - 1)
+      : lower
+  return withoutBrackets.replace(/\.$/u, '')
+}
+
+function isIpAddress(hostname: string): boolean {
+  return isIP(hostname) !== 0
+}
+
+function isNonPublicIpAddress(hostname: string): boolean {
+  switch (isIP(hostname)) {
+    case 4:
+      return isNonPublicIpv4(hostname)
+    case 6:
+      return isNonPublicIpv6(hostname)
+    default:
+      return true
+  }
+}
+
+function isNonPublicIpv4(hostname: string): boolean {
+  const octets = hostname.split('.').map(value => Number(value))
+  const [first, second] = octets
+  if (
+    octets.length !== 4 ||
+    first === undefined ||
+    second === undefined ||
+    octets.some(octet => !Number.isInteger(octet) || octet < 0 || octet > 255)
+  ) {
+    return true
+  }
+
+  return (
+    first === 0 ||
+    first === 10 ||
+    first === 127 ||
+    first >= 224 ||
+    (first === 100 && second >= 64 && second <= 127) ||
+    (first === 169 && second === 254) ||
+    (first === 172 && second >= 16 && second <= 31) ||
+    (first === 192 && second === 168) ||
+    (first === 198 && (second === 18 || second === 19))
+  )
+}
+
+function isNonPublicIpv6(hostname: string): boolean {
+  const lower = hostname.toLowerCase()
+  if (
+    lower === '::' ||
+    lower === '::1' ||
+    lower.startsWith('::ffff:') ||
+    lower.startsWith('2001:db8:')
+  ) {
+    return true
+  }
+
+  const firstSegment = lower.split(':').find(segment => segment.length > 0)
+  if (firstSegment === undefined) {
+    return true
+  }
+  const firstHextet = Number.parseInt(firstSegment, 16)
+  if (!Number.isInteger(firstHextet)) {
+    return true
+  }
+
+  return (
+    (firstHextet & 0xfe00) === 0xfc00 ||
+    (firstHextet & 0xffc0) === 0xfe80 ||
+    (firstHextet & 0xff00) === 0xff00
+  )
+}
+
+function isInternalHostname(hostname: string): boolean {
+  if (INTERNAL_HOSTNAMES.has(hostname)) {
+    return true
+  }
+
+  if (!hostname.includes('.')) {
+    return true
+  }
+
+  return INTERNAL_HOSTNAME_SUFFIXES.some(suffix => hostname.endsWith(suffix))
+}

package/tui/src/tools/WebFetchTool/utils.ts

@@ -4,7 +4,7 @@ import {
   type AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS,
   logEvent,
 } from '../../services/analytics/index.js'
-import { queryHaiku } from '../../services/api/claude.js'
+import { queryHaiku } from '../../services/api/ummaya.js'
 import { AbortError } from '../../utils/errors.js'
 import { getWebFetchUserAgent } from '../../utils/http.js'
 import { logError } from '../../utils/log.js'

package/tui/src/tools/WebSearchTool/UI.tsx

@@ -98,4 +98,3 @@ export function getToolUseSummary(input: Partial<{
   }
   return truncate(input.query, TOOL_SUMMARY_MAX_LENGTH);
 }
-//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJuYW1lcyI6WyJSZWFjdCIsIk1lc3NhZ2VSZXNwb25zZSIsIlRPT0xfU1VNTUFSWV9NQVhfTEVOR1RIIiwiQm94IiwiVGV4dCIsIlByb2dyZXNzTWVzc2FnZSIsInRydW5jYXRlIiwiT3V0cHV0IiwiU2VhcmNoUmVzdWx0IiwiV2ViU2VhcmNoUHJvZ3Jlc3MiLCJnZXRTZWFyY2hTdW1tYXJ5IiwicmVzdWx0cyIsInNlYXJjaENvdW50IiwidG90YWxSZXN1bHRDb3VudCIsInJlc3VsdCIsImNvbnRlbnQiLCJsZW5ndGgiLCJyZW5kZXJUb29sVXNlTWVzc2FnZSIsInF1ZXJ5IiwiYWxsb3dlZF9kb21haW5zIiwiYmxvY2tlZF9kb21haW5zIiwiUGFydGlhbCIsInZlcmJvc2UiLCJSZWFjdE5vZGUiLCJtZXNzYWdlIiwiam9pbiIsInJlbmRlclRvb2xVc2VQcm9ncmVzc01lc3NhZ2UiLCJwcm9ncmVzc01lc3NhZ2VzIiwibGFzdFByb2dyZXNzIiwiZGF0YSIsInR5cGUiLCJyZXN1bHRDb3VudCIsInJlbmRlclRvb2xSZXN1bHRNZXNzYWdlIiwib3V0cHV0IiwidGltZURpc3BsYXkiLCJkdXJhdGlvblNlY29uZHMiLCJNYXRoIiwicm91bmQiLCJnZXRUb29sVXNlU3VtbWFyeSIsImlucHV0Il0sInNvdXJjZXMiOlsiVUkudHN4Il0sInNvdXJjZXNDb250ZW50IjpbImltcG9ydCBSZWFjdCBmcm9tICdyZWFjdCdcbmltcG9ydCB7IE1lc3NhZ2VSZXNwb25zZSB9IGZyb20gJy4uLy4uL2NvbXBvbmVudHMvTWVzc2FnZVJlc3BvbnNlLmpzJ1xuaW1wb3J0IHsgVE9PTF9TVU1NQVJZX01BWF9MRU5HVEggfSBmcm9tICcuLi8uLi9jb25zdGFudHMvdG9vbExpbWl0cy5qcydcbmltcG9ydCB7IEJveCwgVGV4dCB9IGZyb20gJy4uLy4uL2luay5qcydcbmltcG9ydCB0eXBlIHsgUHJvZ3Jlc3NNZXNzYWdlIH0gZnJvbSAnLi4vLi4vdHlwZXMvbWVzc2FnZS5qcydcbmltcG9ydCB7IHRydW5jYXRlIH0gZnJvbSAnLi4vLi4vdXRpbHMvZm9ybWF0LmpzJ1xuaW1wb3J0IHR5cGUge1xuICBPdXRwdXQsXG4gIFNlYXJjaFJlc3VsdCxcbiAgV2ViU2VhcmNoUHJvZ3Jlc3MsXG59IGZyb20gJy4vV2ViU2VhcmNoVG9vbC5qcydcblxuZnVuY3Rpb24gZ2V0U2VhcmNoU3VtbWFyeShcbiAgcmVzdWx0czogKFNlYXJjaFJlc3VsdCB8IHN0cmluZyB8IG51bGwgfCB1bmRlZmluZWQpW10sXG4pOiB7XG4gIHNlYXJjaENvdW50OiBudW1iZXJcbiAgdG90YWxSZXN1bHRDb3VudDogbnVtYmVyXG59IHtcbiAgbGV0IHNlYXJjaENvdW50ID0gMFxuICBsZXQgdG90YWxSZXN1bHRDb3VudCA9IDBcblxuICBmb3IgKGNvbnN0IHJlc3VsdCBvZiByZXN1bHRzKSB7XG4gICAgaWYgKHJlc3VsdCAhPSBudWxsICYmIHR5cGVvZiByZXN1bHQgIT09ICdzdHJpbmcnKSB7XG4gICAgICBzZWFyY2hDb3VudCsrXG4gICAgICB0b3RhbFJlc3VsdENvdW50ICs9IHJlc3VsdC5jb250ZW50Py5sZW5ndGggPz8gMFxuICAgIH1cbiAgfVxuXG4gIHJldHVybiB7IHNlYXJjaENvdW50LCB0b3RhbFJlc3VsdENvdW50IH1cbn1cblxuZXhwb3J0IGZ1bmN0aW9uIHJlbmRlclRvb2xVc2VNZXNzYWdlKFxuICB7XG4gICAgcXVlcnksXG4gICAgYWxsb3dlZF9kb21haW5zLFxuICAgIGJsb2NrZWRfZG9tYWlucyxcbiAgfTogUGFydGlhbDx7XG4gICAgcXVlcnk6IHN0cmluZ1xuICAgIGFsbG93ZWRfZG9tYWlucz86IHN0cmluZ1tdXG4gICAgYmxvY2tlZF9kb21haW5zPzogc3RyaW5nW11cbiAgfT4sXG4gIHsgdmVyYm9zZSB9OiB7IHZlcmJvc2U6IGJvb2xlYW4gfSxcbik6IFJlYWN0LlJlYWN0Tm9kZSB7XG4gIGlmICghcXVlcnkpIHtcbiAgICByZXR1cm4gbnVsbFxuICB9XG5cbiAgbGV0IG1lc3NhZ2UgPSAnJ1xuXG4gIGlmIChxdWVyeSkge1xuICAgIG1lc3NhZ2UgKz0gYFwiJHtxdWVyeX1cImBcbiAgfVxuXG4gIGlmICh2ZXJib3NlKSB7XG4gICAgaWYgKGFsbG93ZWRfZG9tYWlucyAmJiBhbGxvd2VkX2RvbWFpbnMubGVuZ3RoID4gMCkge1xuICAgICAgbWVzc2FnZSArPSBgLCBvbmx5IGFsbG93aW5nIGRvbWFpbnM6ICR7YWxsb3dlZF9kb21haW5zLmpvaW4oJywgJyl9YFxuICAgIH1cblxuICAgIGlmIChibG9ja2VkX2RvbWFpbnMgJiYgYmxvY2tlZF9kb21haW5zLmxlbmd0aCA+IDApIHtcbiAgICAgIG1lc3NhZ2UgKz0gYCwgYmxvY2tpbmcgZG9tYWluczogJHtibG9ja2VkX2RvbWFpbnMuam9pbignLCAnKX1gXG4gICAgfVxuICB9XG5cbiAgcmV0dXJuIG1lc3NhZ2Vcbn1cblxuZXhwb3J0IGZ1bmN0aW9uIHJlbmRlclRvb2xVc2VQcm9ncmVzc01lc3NhZ2UoXG4gIHByb2dyZXNzTWVzc2FnZXM6IFByb2dyZXNzTWVzc2FnZTxXZWJTZWFyY2hQcm9ncmVzcz5bXSxcbik6IFJlYWN0LlJlYWN0Tm9kZSB7XG4gIGlmIChwcm9ncmVzc01lc3NhZ2VzLmxlbmd0aCA9PT0gMCkge1xuICAgIHJldHVybiBudWxsXG4gIH1cblxuICBjb25zdCBsYXN0UHJvZ3Jlc3MgPSBwcm9ncmVzc01lc3NhZ2VzW3Byb2dyZXNzTWVzc2FnZXMubGVuZ3RoIC0gMV1cbiAgaWYgKCFsYXN0UHJvZ3Jlc3M/LmRhdGEpIHtcbiAgICByZXR1cm4gbnVsbFxuICB9XG5cbiAgY29uc3QgZGF0YSA9IGxhc3RQcm9ncmVzcy5kYXRhXG5cbiAgc3dpdGNoIChkYXRhLnR5cGUpIHtcbiAgICBjYXNlICdxdWVyeV91cGRhdGUnOlxuICAgICAgcmV0dXJuIChcbiAgICAgICAgPE1lc3NhZ2VSZXNwb25zZT5cbiAgICAgICAgICA8VGV4dCBkaW1Db2xvcj5TZWFyY2hpbmc6IHtkYXRhLnF1ZXJ5fTwvVGV4dD5cbiAgICAgICAgPC9NZXNzYWdlUmVzcG9uc2U+XG4gICAgICApXG4gICAgY2FzZSAnc2VhcmNoX3Jlc3VsdHNfcmVjZWl2ZWQnOlxuICAgICAgcmV0dXJuIChcbiAgICAgICAgPE1lc3NhZ2VSZXNwb25zZT5cbiAgICAgICAgICA8VGV4dCBkaW1Db2xvcj5cbiAgICAgICAgICAgIEZvdW5kIHtkYXRhLnJlc3VsdENvdW50fSByZXN1bHRzIGZvciAmcXVvdDt7ZGF0YS5xdWVyeX0mcXVvdDtcbiAgICAgICAgICA8L1RleHQ+XG4gICAgICAgIDwvTWVzc2FnZVJlc3BvbnNlPlxuICAgICAgKVxuICAgIGRlZmF1bHQ6XG4gICAgICByZXR1cm4gbnVsbFxuICB9XG59XG5cbmV4cG9ydCBmdW5jdGlvbiByZW5kZXJUb29sUmVzdWx0TWVzc2FnZShvdXRwdXQ6IE91dHB1dCk6IFJlYWN0LlJlYWN0Tm9kZSB7XG4gIGNvbnN0IHsgc2VhcmNoQ291bnQgfSA9IGdldFNlYXJjaFN1bW1hcnkob3V0cHV0LnJlc3VsdHMgPz8gW10pXG4gIGNvbnN0IHRpbWVEaXNwbGF5ID1cbiAgICBvdXRwdXQuZHVyYXRpb25TZWNvbmRzID49IDFcbiAgICAgID8gYCR7TWF0aC5yb3VuZChvdXRwdXQuZHVyYXRpb25TZWNvbmRzKX1zYFxuICAgICAgOiBgJHtNYXRoLnJvdW5kKG91dHB1dC5kdXJhdGlvblNlY29uZHMgKiAxMDAwKX1tc2BcblxuICByZXR1cm4gKFxuICAgIDxCb3gganVzdGlmeUNvbnRlbnQ9XCJzcGFjZS1iZXR3ZWVuXCIgd2lkdGg9XCIxMDAlXCI+XG4gICAgICA8TWVzc2FnZVJlc3BvbnNlIGhlaWdodD17MX0+XG4gICAgICAgIDxUZXh0PlxuICAgICAgICAgIERpZCB7c2VhcmNoQ291bnR9IHNlYXJjaFxuICAgICAgICAgIHtzZWFyY2hDb3VudCAhPT0gMSA/ICdlcycgOiAnJ30gaW4ge3RpbWVEaXNwbGF5fVxuICAgICAgICA8L1RleHQ+XG4gICAgICA8L01lc3NhZ2VSZXNwb25zZT5cbiAgICA8L0JveD5cbiAgKVxufVxuXG5leHBvcnQgZnVuY3Rpb24gZ2V0VG9vbFVzZVN1bW1hcnkoXG4gIGlucHV0OiBQYXJ0aWFsPHsgcXVlcnk6IHN0cmluZyB9PiB8IHVuZGVmaW5lZCxcbik6IHN0cmluZyB8IG51bGwge1xuICBpZiAoIWlucHV0Py5xdWVyeSkge1xuICAgIHJldHVybiBudWxsXG4gIH1cbiAgcmV0dXJuIHRydW5jYXRlKGlucHV0LnF1ZXJ5LCBUT09MX1NVTU1BUllfTUFYX0xFTkdUSClcbn1cbiJdLCJtYXBwaW5ncyI6IkFBQUEsT0FBT0EsS0FBSyxNQUFNLE9BQU87QUFDekIsU0FBU0MsZUFBZSxRQUFRLHFDQUFxQztBQUNyRSxTQUFTQyx1QkFBdUIsUUFBUSwrQkFBK0I7QUFDdkUsU0FBU0MsR0FBRyxFQUFFQyxJQUFJLFFBQVEsY0FBYztBQUN4QyxjQUFjQyxlQUFlLFFBQVEsd0JBQXdCO0FBQzdELFNBQVNDLFFBQVEsUUFBUSx1QkFBdUI7QUFDaEQsY0FDRUMsTUFBTSxFQUNOQyxZQUFZLEVBQ1pDLGlCQUFpQixRQUNaLG9CQUFvQjtBQUUzQixTQUFTQyxnQkFBZ0JBLENBQ3ZCQyxPQUFPLEVBQUUsQ0FBQ0gsWUFBWSxHQUFHLE1BQU0sR0FBRyxJQUFJLEdBQUcsU0FBUyxDQUFDLEVBQUUsQ0FDdEQsRUFBRTtFQUNESSxXQUFXLEVBQUUsTUFBTTtFQUNuQkMsZ0JBQWdCLEVBQUUsTUFBTTtBQUMxQixDQUFDLENBQUM7RUFDQSxJQUFJRCxXQUFXLEdBQUcsQ0FBQztFQUNuQixJQUFJQyxnQkFBZ0IsR0FBRyxDQUFDO0VBRXhCLEtBQUssTUFBTUMsTUFBTSxJQUFJSCxPQUFPLEVBQUU7SUFDNUIsSUFBSUcsTUFBTSxJQUFJLElBQUksSUFBSSxPQUFPQSxNQUFNLEtBQUssUUFBUSxFQUFFO01BQ2hERixXQUFXLEVBQUU7TUFDYkMsZ0JBQWdCLElBQUlDLE1BQU0sQ0FBQ0MsT0FBTyxFQUFFQyxNQUFNLElBQUksQ0FBQztJQUNqRDtFQUNGO0VBRUEsT0FBTztJQUFFSixXQUFXO0lBQUVDO0VBQWlCLENBQUM7QUFDMUM7QUFFQSxPQUFPLFNBQVNJLG9CQUFvQkEsQ0FDbEM7RUFDRUMsS0FBSztFQUNMQyxlQUFlO0VBQ2ZDO0FBS0QsQ0FKQSxFQUFFQyxPQUFPLENBQUM7RUFDVEgsS0FBSyxFQUFFLE1BQU07RUFDYkMsZUFBZSxDQUFDLEVBQUUsTUFBTSxFQUFFO0VBQzFCQyxlQUFlLENBQUMsRUFBRSxNQUFNLEVBQUU7QUFDNUIsQ0FBQyxDQUFDLEVBQ0Y7RUFBRUU7QUFBOEIsQ0FBckIsRUFBRTtFQUFFQSxPQUFPLEVBQUUsT0FBTztBQUFDLENBQUMsQ0FDbEMsRUFBRXRCLEtBQUssQ0FBQ3VCLFNBQVMsQ0FBQztFQUNqQixJQUFJLENBQUNMLEtBQUssRUFBRTtJQUNWLE9BQU8sSUFBSTtFQUNiO0VBRUEsSUFBSU0sT0FBTyxHQUFHLEVBQUU7RUFFaEIsSUFBSU4sS0FBSyxFQUFFO0lBQ1RNLE9BQU8sSUFBSSxJQUFJTixLQUFLLEdBQUc7RUFDekI7RUFFQSxJQUFJSSxPQUFPLEVBQUU7SUFDWCxJQUFJSCxlQUFlLElBQUlBLGVBQWUsQ0FBQ0gsTUFBTSxHQUFHLENBQUMsRUFBRTtNQUNqRFEsT0FBTyxJQUFJLDRCQUE0QkwsZUFBZSxDQUFDTSxJQUFJLENBQUMsSUFBSSxDQUFDLEVBQUU7SUFDckU7SUFFQSxJQUFJTCxlQUFlLElBQUlBLGVBQWUsQ0FBQ0osTUFBTSxHQUFHLENBQUMsRUFBRTtNQUNqRFEsT0FBTyxJQUFJLHVCQUF1QkosZUFBZSxDQUFDSyxJQUFJLENBQUMsSUFBSSxDQUFDLEVBQUU7SUFDaEU7RUFDRjtFQUVBLE9BQU9ELE9BQU87QUFDaEI7QUFFQSxPQUFPLFNBQVNFLDRCQUE0QkEsQ0FDMUNDLGdCQUFnQixFQUFFdEIsZUFBZSxDQUFDSSxpQkFBaUIsQ0FBQyxFQUFFLENBQ3ZELEVBQUVULEtBQUssQ0FBQ3VCLFNBQVMsQ0FBQztFQUNqQixJQUFJSSxnQkFBZ0IsQ0FBQ1gsTUFBTSxLQUFLLENBQUMsRUFBRTtJQUNqQyxPQUFPLElBQUk7RUFDYjtFQUVBLE1BQU1ZLFlBQVksR0FBR0QsZ0JBQWdCLENBQUNBLGdCQUFnQixDQUFDWCxNQUFNLEdBQUcsQ0FBQyxDQUFDO0VBQ2xFLElBQUksQ0FBQ1ksWUFBWSxFQUFFQyxJQUFJLEVBQUU7SUFDdkIsT0FBTyxJQUFJO0VBQ2I7RUFFQSxNQUFNQSxJQUFJLEdBQUdELFlBQVksQ0FBQ0MsSUFBSTtFQUU5QixRQUFRQSxJQUFJLENBQUNDLElBQUk7SUFDZixLQUFLLGNBQWM7TUFDakIsT0FDRSxDQUFDLGVBQWU7QUFDeEIsVUFBVSxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsV0FBVyxDQUFDRCxJQUFJLENBQUNYLEtBQUssQ0FBQyxFQUFFLElBQUk7QUFDdEQsUUFBUSxFQUFFLGVBQWUsQ0FBQztJQUV0QixLQUFLLHlCQUF5QjtNQUM1QixPQUNFLENBQUMsZUFBZTtBQUN4QixVQUFVLENBQUMsSUFBSSxDQUFDLFFBQVE7QUFDeEIsa0JBQWtCLENBQUNXLElBQUksQ0FBQ0UsV0FBVyxDQUFDLG1CQUFtQixDQUFDRixJQUFJLENBQUNYLEtBQUssQ0FBQztBQUNuRSxVQUFVLEVBQUUsSUFBSTtBQUNoQixRQUFRLEVBQUUsZUFBZSxDQUFDO0lBRXRCO01BQ0UsT0FBTyxJQUFJO0VBQ2Y7QUFDRjtBQUVBLE9BQU8sU0FBU2MsdUJBQXVCQSxDQUFDQyxNQUFNLEVBQUUxQixNQUFNLENBQUMsRUFBRVAsS0FBSyxDQUFDdUIsU0FBUyxDQUFDO0VBQ3ZFLE1BQU07SUFBRVg7RUFBWSxDQUFDLEdBQUdGLGdCQUFnQixDQUFDdUIsTUFBTSxDQUFDdEIsT0FBTyxJQUFJLEVBQUUsQ0FBQztFQUM5RCxNQUFNdUIsV0FBVyxHQUNmRCxNQUFNLENBQUNFLGVBQWUsSUFBSSxDQUFDLEdBQ3ZCLEdBQUdDLElBQUksQ0FBQ0MsS0FBSyxDQUFDSixNQUFNLENBQUNFLGVBQWUsQ0FBQyxHQUFHLEdBQ3hDLEdBQUdDLElBQUksQ0FBQ0MsS0FBSyxDQUFDSixNQUFNLENBQUNFLGVBQWUsR0FBRyxJQUFJLENBQUMsSUFBSTtFQUV0RCxPQUNFLENBQUMsR0FBRyxDQUFDLGNBQWMsQ0FBQyxlQUFlLENBQUMsS0FBSyxDQUFDLE1BQU07QUFDcEQsTUFBTSxDQUFDLGVBQWUsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUM7QUFDakMsUUFBUSxDQUFDLElBQUk7QUFDYixjQUFjLENBQUN2QixXQUFXLENBQUM7QUFDM0IsVUFBVSxDQUFDQSxXQUFXLEtBQUssQ0FBQyxHQUFHLElBQUksR0FBRyxFQUFFLENBQUMsSUFBSSxDQUFDc0IsV0FBVztBQUN6RCxRQUFRLEVBQUUsSUFBSTtBQUNkLE1BQU0sRUFBRSxlQUFlO0FBQ3ZCLElBQUksRUFBRSxHQUFHLENBQUM7QUFFVjtBQUVBLE9BQU8sU0FBU0ksaUJBQWlCQSxDQUMvQkMsS0FBSyxFQUFFbEIsT0FBTyxDQUFDO0VBQUVILEtBQUssRUFBRSxNQUFNO0FBQUMsQ0FBQyxDQUFDLEdBQUcsU0FBUyxDQUM5QyxFQUFFLE1BQU0sR0FBRyxJQUFJLENBQUM7RUFDZixJQUFJLENBQUNxQixLQUFLLEVBQUVyQixLQUFLLEVBQUU7SUFDakIsT0FBTyxJQUFJO0VBQ2I7RUFDQSxPQUFPWixRQUFRLENBQUNpQyxLQUFLLENBQUNyQixLQUFLLEVBQUVoQix1QkFBdUIsQ0FBQztBQUN2RCIsImlnbm9yZUxpc3QiOltdfQ==