diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock
index e9322b05581d..3ebcb8b8cb00 100644
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
@@ -1715,6 +1715,7 @@ dependencies = [
  "serde",
  "serde_derive",
  "serde_json",
+ "shell-words",
 ]
 
 [[package]]
@@ -2605,6 +2606,12 @@ dependencies = [
  "lazy_static",
 ]
 
+[[package]]
+name = "shell-words"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24188a676b6ae68c3b2cb3a01be17fbf7240ce009799bb56d5b1409051e78fde"
+
 [[package]]
 name = "shlex"
 version = "1.2.0"
diff --git a/src/agent/samples/policy/yaml/pod/pod-exec.yaml b/src/agent/samples/policy/yaml/pod/pod-exec.yaml
index 09f1a89ff278..9abf905bc192 100644
--- a/src/agent/samples/policy/yaml/pod/pod-exec.yaml
+++ b/src/agent/samples/policy/yaml/pod/pod-exec.yaml
@@ -6,7 +6,7 @@ metadata:
   labels:
     run: busybox
   annotations:
-    io.katacontainers.config.agent.policy: IyBDb3B5cmlnaHQgKGMpIDIwMjMgTWljcm9zb2Z0IENvcnBvcmF0aW9uCiMKIyBTUERYLUxpY2Vuc2UtSWRlbnRpZmllcjogQXBhY2hlLTIuMAojCnBhY2thZ2UgYWdlbnRfcG9saWN5CgppbXBvcnQgZnV0dXJlLmtleXdvcmRzLmluCmltcG9ydCBmdXR1cmUua2V5d29yZHMuZXZlcnkKCmltcG9ydCBpbnB1dAoKIyBEZWZhdWx0IHZhbHVlcywgcmV0dXJuZWQgYnkgT1BBIHdoZW4gcnVsZXMgY2Fubm90IGJlIGV2YWx1YXRlZCB0byB0cnVlLgpkZWZhdWx0IEFkZEFSUE5laWdoYm9yc1JlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBBZGRTd2FwUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IENsb3NlU3RkaW5SZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgQ29weUZpbGVSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgQ3JlYXRlQ29udGFpbmVyUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IENyZWF0ZVNhbmRib3hSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgRGVzdHJveVNhbmRib3hSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBFeGVjUHJvY2Vzc1JlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBHZXRPT01FdmVudFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IEd1ZXN0RGV0YWlsc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IExpc3RJbnRlcmZhY2VzUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IExpc3RSb3V0ZXNSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgTWVtSG90cGx1Z0J5UHJvYmVSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgT25saW5lQ1BVTWVtUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUGF1c2VDb250YWluZXJSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgUmVhZFN0cmVhbVJlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBSZW1vdmVDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBSZW1vdmVTdGFsZVZpcnRpb2ZzU2hhcmVNb3VudHNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBSZXNlZWRSYW5kb21EZXZSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgUmVzdW1lQ29udGFpbmVyUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IFNldEd1ZXN0RGF0ZVRpbWVSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgU2V0UG9saWN5UmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IFNpZ25hbFByb2Nlc3NSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBTdGFydENvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFN0YXJ0VHJhY2luZ1JlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBTdGF0c0NvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFN0b3BUcmFjaW5nUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IFR0eVdpblJlc2l6ZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFVwZGF0ZUNvbnRhaW5lclJlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBVcGRhdGVFcGhlbWVyYWxNb3VudHNSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgVXBkYXRlSW50ZXJmYWNlUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgVXBkYXRlUm91dGVzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgV2FpdFByb2Nlc3NSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBXcml0ZVN0cmVhbVJlcXVlc3QgOj0gZmFsc2UKCiMgQWxsb3dSZXF1ZXN0c0ZhaWxpbmdQb2xpY3kgOj0gdHJ1ZSBjb25maWd1cmVzIHRoZSBBZ2VudCB0byAqYWxsb3cgYW55CiMgcmVxdWVzdHMgY2F1c2luZyBhIHBvbGljeSBmYWlsdXJlKi4gVGhpcyBpcyBhbiB1bnNlY3VyZSBjb25maWd1cmF0aW9uCiMgYnV0IGlzIHVzZWZ1bCBmb3IgYWxsb3dpbmcgdW5zZWN1cmUgcG9kcyB0byBzdGFydCwgdGhlbiBjb25uZWN0IHRvCiMgdGhlbSBhbmQgaW5zcGVjdCBPUEEgbG9ncyBmb3IgdGhlIHJvb3QgY2F1c2Ugb2YgYSBmYWlsdXJlLgpkZWZhdWx0IEFsbG93UmVxdWVzdHNGYWlsaW5nUG9saWN5IDo9IGZhbHNlCgojIENvbnN0YW50cwpTX05BTUVfS0VZID0gImlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtbmFtZSIKU19OQU1FU1BBQ0VfS0VZID0gImlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtbmFtZXNwYWNlIgpCVU5ETEVfSUQgPSAiW2EtejAtOV17NjR9IgoKQ3JlYXRlQ29udGFpbmVyUmVxdWVzdDo9IHsib3BzIjogb3BzLCAiYWxsb3dlZCI6IHRydWV9IHsKICAgICMgQ2hlY2sgaWYgdGhlIGlucHV0IHJlcXVlc3Qgc2hvdWxkIGJlIHJlamVjdGVkIGV2ZW4gYmVmb3JlIGNoZWNraW5nIHRoZQogICAgIyBwb2xpY3lfZGF0YS5jb250YWluZXJzIGluZm9ybWF0aW9uLgogICAgYWxsb3dfY3JlYXRlX2NvbnRhaW5lcl9pbnB1dAoKICAgIGlfb2NpIDo9IGlucHV0Lk9DSQogICAgaV9zdG9yYWdlcyA6PSBpbnB1dC5zdG9yYWdlcwoKICAgICMgYXJyYXkgb2YgcG9zc2libGUgc3RhdGUgb3BlcmF0aW9ucwogICAgb3BzX2J1aWxkZXIgOj0gW10KCiAgICAjIGNoZWNrIHNhbmRib3ggbmFtZQogICAgc2FuZGJveF9uYW1lID0gaV9vY2kuQW5ub3RhdGlvbnNbU19OQU1FX0tFWV0KICAgIGFkZF9zYW5kYm94X25hbWVfdG9fc3RhdGUgOj0gc3RhdGVfYWxsb3dzKCJzYW5kYm94X25hbWUiLCBzYW5kYm94X25hbWUpCiAgICBvcHNfYnVpbGRlcjEgOj0gY29uY2F0X29wX2lmX25vdF9udWxsKG9wc19idWlsZGVyLCBhZGRfc2FuZGJveF9uYW1lX3RvX3N0YXRlKQoKICAgICMgQ2hlY2sgaWYgYW55IGVsZW1lbnQgZnJvbSB0aGUgcG9saWN5X2RhdGEuY29udGFpbmVycyBhcnJheSBhbGxvd3MgdGhlIGlucHV0IHJlcXVlc3QuCiAgICBzb21lIHBfY29udGFpbmVyIGluIHBvbGljeV9kYXRhLmNvbnRhaW5lcnMKICAgIHByaW50KCI9PT09PT09PSBDcmVhdGVDb250YWluZXJSZXF1ZXN0OiB0cnlpbmcgbmV4dCBwb2xpY3kgY29udGFpbmVyIikKCiAgICBwX3BpZG5zIDo9IHBfY29udGFpbmVyLnNhbmRib3hfcGlkbnMKICAgIGlfcGlkbnMgOj0gaW5wdXQuc2FuZGJveF9waWRucwogICAgcHJpbnQoIkNyZWF0ZUNvbnRhaW5lclJlcXVlc3Q6IHBfcGlkbnMgPSIsIHBfcGlkbnMsICJpX3BpZG5zID0iLCBpX3BpZG5zKQogICAgcF9waWRucyA9PSBpX3BpZG5zCgogICAgcF9vY2kgOj0gcF9jb250YWluZXIuT0NJCgogICAgIyBjaGVjayBuYW1lc3BhY2UKICAgIHBfbmFtZXNwYWNlIDo9IHBfb2NpLkFubm90YXRpb25zW1NfTkFNRVNQQUNFX0tFWV0KICAgIGlfbmFtZXNwYWNlIDo9IGlfb2NpLkFubm90YXRpb25zW1NfTkFNRVNQQUNFX0tFWV0KICAgIHByaW50ICgiQ3JlYXRlQ29udGFpbmVyUmVxdWVzdDogcF9uYW1lc3BhY2UgPSIsIHBfbmFtZXNwYWNlLCAiaV9uYW1lc3BhY2UgPSIsIGlfbmFtZXNwYWNlKQogICAgYWRkX25hbWVzcGFjZV90b19zdGF0ZSA6PSBhbGxvd19uYW1lc3BhY2UocF9uYW1lc3BhY2UsIGlfbmFtZXNwYWNlKQogICAgb3BzIDo9IGNvbmNhdF9vcF9pZl9ub3RfbnVsbChvcHNfYnVpbGRlcjEsIGFkZF9uYW1lc3BhY2VfdG9fc3RhdGUpCgogICAgcHJpbnQoIkNyZWF0ZUNvbnRhaW5lclJlcXVlc3Q6IHAgVmVyc2lvbiA9IiwgcF9vY2kuVmVyc2lvbiwgImkgVmVyc2lvbiA9IiwgaV9vY2kuVmVyc2lvbikKICAgIHBfb2NpLlZlcnNpb24gPT0gaV9vY2kuVmVyc2lvbgoKICAgIHByaW50KCJDcmVhdGVDb250YWluZXJSZXF1ZXN0OiBwIFJlYWRvbmx5ID0iLCBwX29jaS5Sb290LlJlYWRvbmx5LCAiaSBSZWFkb25seSA9IiwgaV9vY2kuUm9vdC5SZWFkb25seSkKICAgIHBfb2NpLlJvb3QuUmVhZG9ubHkgPT0gaV9vY2kuUm9vdC5SZWFkb25seQoKICAgIGFsbG93X2Fubm8ocF9vY2ksIGlfb2NpKQoKICAgIHBfc3RvcmFnZXMgOj0gcF9jb250YWluZXIuc3RvcmFnZXMKICAgIGFsbG93X2J5X2Fubm8ocF9vY2ksIGlfb2NpLCBwX3N0b3JhZ2VzLCBpX3N0b3JhZ2VzKQoKICAgIGFsbG93X2xpbnV4KHBfb2NpLCBpX29jaSkKCiAgICBwcmludCgiQ3JlYXRlQ29udGFpbmVyUmVxdWVzdDogdHJ1ZSIpCn0KCmFsbG93X2NyZWF0ZV9jb250YWluZXJfaW5wdXQgewogICAgcHJpbnQoImFsbG93X2NyZWF0ZV9jb250YWluZXJfaW5wdXQ6IGlucHV0ID0iLCBpbnB1dCkKCiAgICBjb3VudChpbnB1dC5zaGFyZWRfbW91bnRzKSA9PSAwCiAgICBpc19udWxsKGlucHV0LnN0cmluZ191c2VyKQoKICAgIGlfb2NpIDo9IGlucHV0Lk9DSQogICAgaXNfbnVsbChpX29jaS5Ib29rcykKICAgIGlzX251bGwoaV9vY2kuU29sYXJpcykKICAgIGlzX251bGwoaV9vY2kuV2luZG93cykKCiAgICBpX2xpbnV4IDo9IGlfb2NpLkxpbnV4CiAgICBjb3VudChpX2xpbnV4LkdJRE1hcHBpbmdzKSA9PSAwCiAgICBjb3VudChpX2xpbnV4Lk1vdW50TGFiZWwpID09IDAKICAgIGNvdW50KGlfbGludXguUmVzb3VyY2VzLkRldmljZXMpID09IDAKICAgIGNvdW50KGlfbGludXguUm9vdGZzUHJvcGFnYXRpb24pID09IDAKICAgIGNvdW50KGlfbGludXguVUlETWFwcGluZ3MpID09IDAKICAgIGlzX251bGwoaV9saW51eC5JbnRlbFJkdCkKICAgIGlzX251bGwoaV9saW51eC5SZXNvdXJjZXMuQmxvY2tJTykKICAgIGlzX251bGwoaV9saW51eC5SZXNvdXJjZXMuTmV0d29yaykKICAgIGlzX251bGwoaV9saW51eC5SZXNvdXJjZXMuUGlkcykKICAgIGlzX251bGwoaV9saW51eC5TZWNjb21wKQogICAgaV9saW51eC5TeXNjdGwgPT0ge30KCiAgICBpX3Byb2Nlc3MgOj0gaV9vY2kuUHJvY2VzcwogICAgY291bnQoaV9wcm9jZXNzLlNlbGludXhMYWJlbCkgPT0gMAogICAgY291bnQoaV9wcm9jZXNzLlVzZXIuVXNlcm5hbWUpID09IDAKCiAgICBwcmludCgiYWxsb3dfY3JlYXRlX2NvbnRhaW5lcl9pbnB1dDogdHJ1ZSIpCn0KCmFsbG93X25hbWVzcGFjZShwX25hbWVzcGFjZSwgaV9uYW1lc3BhY2UpID0gYWRkX25hbWVzcGFjZSB7CiAgICBwX25hbWVzcGFjZSA9PSBpX25hbWVzcGFjZQogICAgYWRkX25hbWVzcGFjZSA6PSBudWxsCiAgICBwcmludCgiYWxsb3dfbmFtZXNwYWNlIDE6IGlucHV0IG5hbWVzcGFjZSBtYXRjaGVzIHBvbGljeSBkYXRhIikKfQoKYWxsb3dfbmFtZXNwYWNlKHBfbmFtZXNwYWNlLCBpX25hbWVzcGFjZSkgPSBhZGRfbmFtZXNwYWNlIHsKICAgIHBfbmFtZXNwYWNlID09ICIiCiAgICBwcmludCgiYWxsb3dfbmFtZXNwYWNlIDI6IG5vIG5hbWVzcGFjZSBmb3VuZCBvbiBwb2xpY3kgZGF0YSIpCiAgICBhZGRfbmFtZXNwYWNlIDo9IHN0YXRlX2FsbG93cygibmFtZXNwYWNlIiwgaV9uYW1lc3BhY2UpCn0KCiMgdmFsdWUgaGFzbid0IGJlZW4gc2VlbiBiZWZvcmUsIHNhdmUgaXQgdG8gc3RhdGUKc3RhdGVfYWxsb3dzKGtleSwgdmFsdWUpID0gYWN0aW9uIHsKICBzdGF0ZSA6PSBnZXRfc3RhdGUoKQogIG5vdCBzdGF0ZVtrZXldCiAgcHJpbnQoInN0YXRlX2FsbG93czogc2F2aW5nIHRvIHN0YXRlIGtleSA9Iiwga2V5LCAidmFsdWUgPSIsIHZhbHVlKQogIHBhdGggOj0gZ2V0X3N0YXRlX3BhdGgoa2V5KSAKICBhY3Rpb24gOj0gewogICAgIm9wIjogImFkZCIsCiAgICAicGF0aCI6IHBhdGgsIAogICAgInZhbHVlIjogdmFsdWUsCiAgfQp9CgojIHZhbHVlIG1hdGNoZXMgd2hhdCdzIGluIHN0YXRlLCBhbGxvdyBpdApzdGF0ZV9hbGxvd3Moa2V5LCB2YWx1ZSkgPSBhY3Rpb24gewogIHN0YXRlIDo9IGdldF9zdGF0ZSgpCiAgdmFsdWUgPT0gc3RhdGVba2V5XQogIHByaW50KCJzdGF0ZV9hbGxvd3M6IGZvdW5kIGtleSA9Iiwga2V5LCAidmFsdWUgPSIsIHZhbHVlLCAiIGluIHN0YXRlIikKICBhY3Rpb24gOj0gbnVsbAp9CgojIGhlbHBlciBmdW5jdGlvbnMgdG8gaW50ZXJhY3Qgd2l0aCB0aGUgc3RhdGUKZ2V0X3N0YXRlKCkgPSBzdGF0ZSB7CiAgc3RhdGUgOj0gZGF0YVsicHN0YXRlIl0KfQoKZ2V0X3N0YXRlX3ZhbChrZXkpID0gdmFsdWUgewogICAgc3RhdGUgOj0gZ2V0X3N0YXRlKCkKICAgIHZhbHVlIDo9IHN0YXRlW2tleV0KfQoKZ2V0X3N0YXRlX3BhdGgoa2V5KSA9IHBhdGggewogICAgIyBwcmVwZW5kICIvcHN0YXRlLyIgdG8ga2V5CiAgICBwYXRoIDo9IGNvbmNhdCgiLyIsIFsiL3BzdGF0ZSIsIGtleV0pCn0KCiMgSGVscGVyIGZ1bmN0aW9ucyB0byBjb25kaXRpb25hbGx5IGNvbmNhdGVuYXRlIGlmIG9wIGlzIG5vdCBudWxsCmNvbmNhdF9vcF9pZl9ub3RfbnVsbChvcHMsIG9wKSA9IHJlc3VsdCB7CiAgICBvcCA9PSBudWxsCiAgICByZXN1bHQgOj0gb3BzCn0KCmNvbmNhdF9vcF9pZl9ub3RfbnVsbChvcHMsIG9wKSA9IHJlc3VsdCB7CiAgICBvcCAhPSBudWxsCiAgICByZXN1bHQgOj0gYXJyYXkuY29uY2F0KG9wcywgW29wXSkKfQoKIyBSZWplY3QgdW5leHBlY3RlZCBhbm5vdGF0aW9ucy4KYWxsb3dfYW5ubyhwX29jaSwgaV9vY2kpIHsKICAgIHByaW50KCJhbGxvd19hbm5vIDE6IHN0YXJ0IikKCiAgICBub3QgaV9vY2kuQW5ub3RhdGlvbnMKCiAgICBwcmludCgiYWxsb3dfYW5ubyAxOiB0cnVlIikKfQphbGxvd19hbm5vKHBfb2NpLCBpX29jaSkgewogICAgcHJpbnQoImFsbG93X2Fubm8gMjogcCBBbm5vdGF0aW9ucyA9IiwgcF9vY2kuQW5ub3RhdGlvbnMpCiAgICBwcmludCgiYWxsb3dfYW5ubyAyOiBpIEFubm90YXRpb25zID0iLCBpX29jaS5Bbm5vdGF0aW9ucykKCiAgICBpX2tleXMgOj0gb2JqZWN0LmtleXMoaV9vY2kuQW5ub3RhdGlvbnMpCiAgICBwcmludCgiYWxsb3dfYW5ubyAyOiBpIGtleXMgPSIsIGlfa2V5cykKCiAgICBldmVyeSBpX2tleSBpbiBpX2tleXMgewogICAgICAgIGFsbG93X2Fubm9fa2V5KGlfa2V5LCBwX29jaSkKICAgIH0KCiAgICBwcmludCgiYWxsb3dfYW5ubyAyOiB0cnVlIikKfQoKYWxsb3dfYW5ub19rZXkoaV9rZXksIHBfb2NpKSB7CiAgICBwcmludCgiYWxsb3dfYW5ub19rZXkgMTogaSBrZXkgPSIsIGlfa2V5KQoKICAgIHN0YXJ0c3dpdGgoaV9rZXksICJpby5rdWJlcm5ldGVzLmNyaS4iKQoKICAgIHByaW50KCJhbGxvd19hbm5vX2tleSAxOiB0cnVlIikKfQphbGxvd19hbm5vX2tleShpX2tleSwgcF9vY2kpIHsKICAgIHByaW50KCJhbGxvd19hbm5vX2tleSAyOiBpIGtleSA9IiwgaV9rZXkpCgogICAgc29tZSBwX2tleSwgXyBpbiBwX29jaS5Bbm5vdGF0aW9ucwogICAgcF9rZXkgPT0gaV9rZXkKCiAgICBwcmludCgiYWxsb3dfYW5ub19rZXkgMjogdHJ1ZSIpCn0KCiMgR2V0IHRoZSB2YWx1ZSBvZiB0aGUgU19OQU1FX0tFWSBhbm5vdGF0aW9uIGFuZAojIGNvcnJlbGF0ZSBpdCB3aXRoIG90aGVyIGFubm90YXRpb25zIGFuZCBwcm9jZXNzIGZpZWxkcy4KYWxsb3dfYnlfYW5ubyhwX29jaSwgaV9vY2ksIHBfc3RvcmFnZXMsIGlfc3RvcmFnZXMpIHsKICAgIHByaW50KCJhbGxvd19ieV9hbm5vIDE6IHN0YXJ0IikKCiAgICBub3QgcF9vY2kuQW5ub3RhdGlvbnNbU19OQU1FX0tFWV0KCiAgICBpX3NfbmFtZSA6PSBpX29jaS5Bbm5vdGF0aW9uc1tTX05BTUVfS0VZXQogICAgcHJpbnQoImFsbG93X2J5X2Fubm8gMTogaV9zX25hbWUgPSIsIGlfc19uYW1lKQoKICAgIGlfc19uYW1lc3BhY2UgOj0gaV9vY2kuQW5ub3RhdGlvbnNbU19OQU1FU1BBQ0VfS0VZXQogICAgcHJpbnQoImFsbG93X2J5X2Fubm8gMTogaV9zX25hbWVzcGFjZSA9IiwgaV9zX25hbWVzcGFjZSkKCiAgICBhbGxvd19ieV9zYW5kYm94X25hbWUocF9vY2ksIGlfb2NpLCBwX3N0b3JhZ2VzLCBpX3N0b3JhZ2VzLCBpX3NfbmFtZSwgaV9zX25hbWVzcGFjZSkKCiAgICBwcmludCgiYWxsb3dfYnlfYW5ubyAxOiB0cnVlIikKfQphbGxvd19ieV9hbm5vKHBfb2NpLCBpX29jaSwgcF9zdG9yYWdlcywgaV9zdG9yYWdlcykgewogICAgcHJpbnQoImFsbG93X2J5X2Fubm8gMjogc3RhcnQiKQoKICAgIHBfc19uYW1lIDo9IHBfb2NpLkFubm90YXRpb25zW1NfTkFNRV9LRVldCiAgICBpX3NfbmFtZSA6PSBpX29jaS5Bbm5vdGF0aW9uc1tTX05BTUVfS0VZXQogICAgcHJpbnQoImFsbG93X2J5X2Fubm8gMjogaV9zX25hbWUgPSIsIGlfc19uYW1lLCAicF9zX25hbWUgPSIsIHBfc19uYW1lKQoKICAgIGFsbG93X3NhbmRib3hfbmFtZShwX3NfbmFtZSwgaV9zX25hbWUpCgogICAgaV9zX25hbWVzcGFjZSA6PSBpX29jaS5Bbm5vdGF0aW9uc1tTX05BTUVTUEFDRV9LRVldCiAgICBwcmludCgiYWxsb3dfYnlfYW5ubyAyOiBpX3NfbmFtZXNwYWNlID0iLCBpX3NfbmFtZXNwYWNlKQoKICAgIGFsbG93X2J5X3NhbmRib3hfbmFtZShwX29jaSwgaV9vY2ksIHBfc3RvcmFnZXMsIGlfc3RvcmFnZXMsIGlfc19uYW1lLCBpX3NfbmFtZXNwYWNlKQoKICAgIHByaW50KCJhbGxvd19ieV9hbm5vIDI6IHRydWUiKQp9CgphbGxvd19ieV9zYW5kYm94X25hbWUocF9vY2ksIGlfb2NpLCBwX3N0b3JhZ2VzLCBpX3N0b3JhZ2VzLCBzX25hbWUsIHNfbmFtZXNwYWNlKSB7CiAgICBwcmludCgiYWxsb3dfYnlfc2FuZGJveF9uYW1lOiBzdGFydCIpCgogICAgaV9uYW1lc3BhY2UgOj0gaV9vY2kuQW5ub3RhdGlvbnNbU19OQU1FU1BBQ0VfS0VZXQoKICAgIGFsbG93X2J5X2NvbnRhaW5lcl90eXBlcyhwX29jaSwgaV9vY2ksIHNfbmFtZSwgaV9uYW1lc3BhY2UpCiAgICBhbGxvd19ieV9idW5kbGVfb3Jfc2FuZGJveF9pZChwX29jaSwgaV9vY2ksIHBfc3RvcmFnZXMsIGlfc3RvcmFnZXMpCiAgICBhbGxvd19wcm9jZXNzKHBfb2NpLlByb2Nlc3MsIGlfb2NpLlByb2Nlc3MsIHNfbmFtZSwgc19uYW1lc3BhY2UpCgogICAgcHJpbnQoImFsbG93X2J5X3NhbmRib3hfbmFtZTogdHJ1ZSIpCn0KCmFsbG93X3NhbmRib3hfbmFtZShwX3NfbmFtZSwgaV9zX25hbWUpIHsKICAgIHByaW50KCJhbGxvd19zYW5kYm94X25hbWUgMTogc3RhcnQiKQoKICAgIHBfc19uYW1lID09IGlfc19uYW1lCgogICAgcHJpbnQoImFsbG93X3NhbmRib3hfbmFtZSAxOiB0cnVlIikKfQphbGxvd19zYW5kYm94X25hbWUocF9zX25hbWUsIGlfc19uYW1lKSB7CiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9uYW1lIDI6IHN0YXJ0IikKCiAgICAjIFRPRE86IHNob3VsZCBnZW5lcmF0ZWQgbmFtZXMgYmUgaGFuZGxlZCBkaWZmZXJlbnRseT8KICAgIGNvbnRhaW5zKHBfc19uYW1lLCAiJChnZW5lcmF0ZWQtbmFtZSkiKQoKICAgIHByaW50KCJhbGxvd19zYW5kYm94X25hbWUgMjogdHJ1ZSIpCn0KCiMgQ2hlY2sgdGhhdCB0aGUgImlvLmt1YmVybmV0ZXMuY3JpLmNvbnRhaW5lci10eXBlIiBhbmQKIyAiaW8ua2F0YWNvbnRhaW5lcnMucGtnLm9jaS5jb250YWluZXJfdHlwZSIgYW5ub3RhdGlvbnMgZGVzaWduYXRlIHRoZQojIGV4cGVjdGVkIHR5cGUgLSBlaXRoZXIgYSAic2FuZGJveCIgb3IgYSAiY29udGFpbmVyIi4gVGhlbiwgdmFsaWRhdGUKIyBvdGhlciBhbm5vdGF0aW9ucyBiYXNlZCBvbiB0aGUgYWN0dWFsICJzYW5kYm94IiBvciAiY29udGFpbmVyIiB2YWx1ZQojIGZyb20gdGhlIGlucHV0IGNvbnRhaW5lci4KYWxsb3dfYnlfY29udGFpbmVyX3R5cGVzKHBfb2NpLCBpX29jaSwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgcHJpbnQoImFsbG93X2J5X2NvbnRhaW5lcl90eXBlczogY2hlY2tpbmcgaW8ua3ViZXJuZXRlcy5jcmkuY29udGFpbmVyLXR5cGUiKQoKICAgIGNfdHlwZSA6PSAiaW8ua3ViZXJuZXRlcy5jcmkuY29udGFpbmVyLXR5cGUiCiAgICAKICAgIHBfY3JpX3R5cGUgOj0gcF9vY2kuQW5ub3RhdGlvbnNbY190eXBlXQogICAgaV9jcmlfdHlwZSA6PSBpX29jaS5Bbm5vdGF0aW9uc1tjX3R5cGVdCiAgICBwcmludCgiYWxsb3dfYnlfY29udGFpbmVyX3R5cGVzOiBwX2NyaV90eXBlID0iLCBwX2NyaV90eXBlLCAiaV9jcmlfdHlwZSA9IiwgaV9jcmlfdHlwZSkKICAgIHBfY3JpX3R5cGUgPT0gaV9jcmlfdHlwZQoKICAgIGFsbG93X2J5X2NvbnRhaW5lcl90eXBlKGlfY3JpX3R5cGUsIHBfb2NpLCBpX29jaSwgc19uYW1lLCBzX25hbWVzcGFjZSkKCiAgICBwcmludCgiYWxsb3dfYnlfY29udGFpbmVyX3R5cGVzOiB0cnVlIikKfQoKYWxsb3dfYnlfY29udGFpbmVyX3R5cGUoaV9jcmlfdHlwZSwgcF9vY2ksIGlfb2NpLCBzX25hbWUsIHNfbmFtZXNwYWNlKSB7CiAgICBwcmludCgiYWxsb3dfYnlfY29udGFpbmVyX3R5cGUgMTogaV9jcmlfdHlwZSA9IiwgaV9jcmlfdHlwZSkKICAgIGlfY3JpX3R5cGUgPT0gInNhbmRib3giCgogICAgaV9rYXRhX3R5cGUgOj0gaV9vY2kuQW5ub3RhdGlvbnNbImlvLmthdGFjb250YWluZXJzLnBrZy5vY2kuY29udGFpbmVyX3R5cGUiXQogICAgcHJpbnQoImFsbG93X2J5X2NvbnRhaW5lcl90eXBlIDE6IGlfa2F0YV90eXBlID0iLCBpX2thdGFfdHlwZSkKICAgIGlfa2F0YV90eXBlID09ICJwb2Rfc2FuZGJveCIKCiAgICBhbGxvd19zYW5kYm94X2NvbnRhaW5lcl9uYW1lKHBfb2NpLCBpX29jaSkKICAgIGFsbG93X3NhbmRib3hfbmV0X25hbWVzcGFjZShwX29jaSwgaV9vY2kpCiAgICBhbGxvd19zYW5kYm94X2xvZ19kaXJlY3RvcnkocF9vY2ksIGlfb2NpLCBzX25hbWUsIHNfbmFtZXNwYWNlKQoKICAgIHByaW50KCJhbGxvd19ieV9jb250YWluZXJfdHlwZSAxOiB0cnVlIikKfQoKYWxsb3dfYnlfY29udGFpbmVyX3R5cGUoaV9jcmlfdHlwZSwgcF9vY2ksIGlfb2NpLCBzX25hbWUsIHNfbmFtZXNwYWNlKSB7CiAgICBwcmludCgiYWxsb3dfYnlfY29udGFpbmVyX3R5cGUgMjogaV9jcmlfdHlwZSA9IiwgaV9jcmlfdHlwZSkKICAgIGlfY3JpX3R5cGUgPT0gImNvbnRhaW5lciIKCiAgICBpX2thdGFfdHlwZSA6PSBpX29jaS5Bbm5vdGF0aW9uc1siaW8ua2F0YWNvbnRhaW5lcnMucGtnLm9jaS5jb250YWluZXJfdHlwZSJdCiAgICBwcmludCgiYWxsb3dfYnlfY29udGFpbmVyX3R5cGUgMjogaV9rYXRhX3R5cGUgPSIsIGlfa2F0YV90eXBlKQogICAgaV9rYXRhX3R5cGUgPT0gInBvZF9jb250YWluZXIiCgogICAgYWxsb3dfY29udGFpbmVyX25hbWUocF9vY2ksIGlfb2NpKQogICAgYWxsb3dfbmV0X25hbWVzcGFjZShwX29jaSwgaV9vY2kpCiAgICBhbGxvd19sb2dfZGlyZWN0b3J5KHBfb2NpLCBpX29jaSkKCiAgICBwcmludCgiYWxsb3dfYnlfY29udGFpbmVyX3R5cGUgMjogdHJ1ZSIpCn0KCiMgImlvLmt1YmVybmV0ZXMuY3JpLmNvbnRhaW5lci1uYW1lIiBhbm5vdGF0aW9uCmFsbG93X3NhbmRib3hfY29udGFpbmVyX25hbWUocF9vY2ksIGlfb2NpKSB7CiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9jb250YWluZXJfbmFtZTogc3RhcnQiKQoKICAgIGNvbnRhaW5lcl9hbm5vdGF0aW9uX21pc3NpbmcocF9vY2ksIGlfb2NpLCAiaW8ua3ViZXJuZXRlcy5jcmkuY29udGFpbmVyLW5hbWUiKQoKICAgIHByaW50KCJhbGxvd19zYW5kYm94X2NvbnRhaW5lcl9uYW1lOiB0cnVlIikKfQoKYWxsb3dfY29udGFpbmVyX25hbWUocF9vY2ksIGlfb2NpKSB7CiAgICBwcmludCgiYWxsb3dfY29udGFpbmVyX25hbWU6IHN0YXJ0IikKCiAgICBhbGxvd19jb250YWluZXJfYW5ub3RhdGlvbihwX29jaSwgaV9vY2ksICJpby5rdWJlcm5ldGVzLmNyaS5jb250YWluZXItbmFtZSIpCgogICAgcHJpbnQoImFsbG93X2NvbnRhaW5lcl9uYW1lOiB0cnVlIikKfQoKY29udGFpbmVyX2Fubm90YXRpb25fbWlzc2luZyhwX29jaSwgaV9vY2ksIGtleSkgewogICAgcHJpbnQoImNvbnRhaW5lcl9hbm5vdGF0aW9uX21pc3Npbmc6Iiwga2V5KQoKICAgIG5vdCBwX29jaS5Bbm5vdGF0aW9uc1trZXldCiAgICBub3QgaV9vY2kuQW5ub3RhdGlvbnNba2V5XQoKICAgIHByaW50KCJjb250YWluZXJfYW5ub3RhdGlvbl9taXNzaW5nOiB0cnVlIikKfQoKYWxsb3dfY29udGFpbmVyX2Fubm90YXRpb24ocF9vY2ksIGlfb2NpLCBrZXkpIHsKICAgIHByaW50KCJhbGxvd19jb250YWluZXJfYW5ub3RhdGlvbjoga2V5ID0iLCBrZXkpCgogICAgcF92YWx1ZSA6PSBwX29jaS5Bbm5vdGF0aW9uc1trZXldCiAgICBpX3ZhbHVlIDo9IGlfb2NpLkFubm90YXRpb25zW2tleV0KICAgIHByaW50KCJhbGxvd19jb250YWluZXJfYW5ub3RhdGlvbjogcF92YWx1ZSA9IiwgcF92YWx1ZSwgImlfdmFsdWUgPSIsIGlfdmFsdWUpCgogICAgcF92YWx1ZSA9PSBpX3ZhbHVlCgogICAgcHJpbnQoImFsbG93X2NvbnRhaW5lcl9hbm5vdGF0aW9uOiB0cnVlIikKfQoKIyAibmVyZGN0bC9uZXR3b3JrLW5hbWVzcGFjZSIgYW5ub3RhdGlvbgphbGxvd19zYW5kYm94X25ldF9uYW1lc3BhY2UocF9vY2ksIGlfb2NpKSB7CiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9uZXRfbmFtZXNwYWNlOiBzdGFydCIpCgogICAga2V5IDo9ICJuZXJkY3RsL25ldHdvcmstbmFtZXNwYWNlIgoKICAgIHBfbmFtZXNwYWNlIDo9IHBfb2NpLkFubm90YXRpb25zW2tleV0KICAgIGlfbmFtZXNwYWNlIDo9IGlfb2NpLkFubm90YXRpb25zW2tleV0KICAgIHByaW50KCJhbGxvd19zYW5kYm94X25ldF9uYW1lc3BhY2U6IHBfbmFtZXNwYWNlID0iLCBwX25hbWVzcGFjZSwgImlfbmFtZXNwYWNlID0iLCBpX25hbWVzcGFjZSkKCiAgICByZWdleC5tYXRjaChwX25hbWVzcGFjZSwgaV9uYW1lc3BhY2UpCgogICAgcHJpbnQoImFsbG93X3NhbmRib3hfbmV0X25hbWVzcGFjZTogdHJ1ZSIpCn0KCmFsbG93X25ldF9uYW1lc3BhY2UocF9vY2ksIGlfb2NpKSB7CiAgICBwcmludCgiYWxsb3dfbmV0X25hbWVzcGFjZTogc3RhcnQiKQoKICAgIGtleSA6PSAibmVyZGN0bC9uZXR3b3JrLW5hbWVzcGFjZSIKCiAgICBub3QgcF9vY2kuQW5ub3RhdGlvbnNba2V5XQogICAgbm90IGlfb2NpLkFubm90YXRpb25zW2tleV0KCiAgICBwcmludCgiYWxsb3dfbmV0X25hbWVzcGFjZTogdHJ1ZSIpCn0KCiMgImlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtbG9nLWRpcmVjdG9yeSIgYW5ub3RhdGlvbgphbGxvd19zYW5kYm94X2xvZ19kaXJlY3RvcnkocF9vY2ksIGlfb2NpLCBzX25hbWUsIHNfbmFtZXNwYWNlKSB7CiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9sb2dfZGlyZWN0b3J5OiBzdGFydCIpCgogICAga2V5IDo9ICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LWxvZy1kaXJlY3RvcnkiCgogICAgcF9kaXIgOj0gcF9vY2kuQW5ub3RhdGlvbnNba2V5XQogICAgcmVnZXgxIDo9IHJlcGxhY2UocF9kaXIsICIkKHNhbmRib3gtbmFtZSkiLCBzX25hbWUpCiAgICByZWdleDIgOj0gcmVwbGFjZShyZWdleDEsICIkKHNhbmRib3gtbmFtZXNwYWNlKSIsIHNfbmFtZXNwYWNlKQogICAgcHJpbnQoImFsbG93X3NhbmRib3hfbG9nX2RpcmVjdG9yeTogcmVnZXgyID0iLCByZWdleDIpCgogICAgaV9kaXIgOj0gaV9vY2kuQW5ub3RhdGlvbnNba2V5XQogICAgcHJpbnQoImFsbG93X3NhbmRib3hfbG9nX2RpcmVjdG9yeTogaV9kaXIgPSIsIGlfZGlyKQoKICAgIHJlZ2V4Lm1hdGNoKHJlZ2V4MiwgaV9kaXIpCgogICAgcHJpbnQoImFsbG93X3NhbmRib3hfbG9nX2RpcmVjdG9yeTogdHJ1ZSIpCn0KCmFsbG93X2xvZ19kaXJlY3RvcnkocF9vY2ksIGlfb2NpKSB7CiAgICBwcmludCgiYWxsb3dfbG9nX2RpcmVjdG9yeTogc3RhcnQiKQoKICAgIGtleSA6PSAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1sb2ctZGlyZWN0b3J5IgoKICAgIG5vdCBwX29jaS5Bbm5vdGF0aW9uc1trZXldCiAgICBub3QgaV9vY2kuQW5ub3RhdGlvbnNba2V5XQoKICAgIHByaW50KCJhbGxvd19sb2dfZGlyZWN0b3J5OiB0cnVlIikKfQoKYWxsb3dfbGludXgocF9vY2ksIGlfb2NpKSB7CiAgICBwX25hbWVzcGFjZXMgOj0gcF9vY2kuTGludXguTmFtZXNwYWNlcwogICAgcHJpbnQoImFsbG93X2xpbnV4OiBwIG5hbWVzcGFjZXMgPSIsIHBfbmFtZXNwYWNlcykKCiAgICBpX25hbWVzcGFjZXMgOj0gaV9vY2kuTGludXguTmFtZXNwYWNlcwogICAgcHJpbnQoImFsbG93X2xpbnV4OiBpIG5hbWVzcGFjZXMgPSIsIGlfbmFtZXNwYWNlcykKCiAgICBwX25hbWVzcGFjZXMgPT0gaV9uYW1lc3BhY2VzCgogICAgYWxsb3dfbWFza2VkX3BhdGhzKHBfb2NpLCBpX29jaSkKICAgIGFsbG93X3JlYWRvbmx5X3BhdGhzKHBfb2NpLCBpX29jaSkKCiAgICBwcmludCgiYWxsb3dfbGludXg6IHRydWUiKQp9CgphbGxvd19tYXNrZWRfcGF0aHMocF9vY2ksIGlfb2NpKSB7CiAgICBwX3BhdGhzIDo9IHBfb2NpLkxpbnV4Lk1hc2tlZFBhdGhzCiAgICBwcmludCgiYWxsb3dfbWFza2VkX3BhdGhzIDE6IHBfcGF0aHMgPSIsIHBfcGF0aHMpCgogICAgaV9wYXRocyA6PSBpX29jaS5MaW51eC5NYXNrZWRQYXRocwogICAgcHJpbnQoImFsbG93X21hc2tlZF9wYXRocyAxOiBpX3BhdGhzID0iLCBpX3BhdGhzKQoKICAgIGFsbG93X21hc2tlZF9wYXRoc19hcnJheShwX3BhdGhzLCBpX3BhdGhzKQoKICAgIHByaW50KCJhbGxvd19tYXNrZWRfcGF0aHMgMTogdHJ1ZSIpCn0KYWxsb3dfbWFza2VkX3BhdGhzKHBfb2NpLCBpX29jaSkgewogICAgcHJpbnQoImFsbG93X21hc2tlZF9wYXRocyAyOiBzdGFydCIpCgogICAgbm90IHBfb2NpLkxpbnV4Lk1hc2tlZFBhdGhzCiAgICBub3QgaV9vY2kuTGludXguTWFza2VkUGF0aHMKCiAgICBwcmludCgiYWxsb3dfbWFza2VkX3BhdGhzIDI6IHRydWUiKQp9CgojIEFsbCB0aGUgcG9saWN5IG1hc2tlZCBwYXRocyBtdXN0IGJlIG1hc2tlZCBpbiB0aGUgaW5wdXQgZGF0YSB0b28uCiMgSW5wdXQgaXMgYWxsb3dlZCB0byBoYXZlIG1vcmUgbWFza2VkIHBhdGhzIHRoYW4gdGhlIHBvbGljeS4KYWxsb3dfbWFza2VkX3BhdGhzX2FycmF5KHBfYXJyYXksIGlfYXJyYXkpIHsKICAgIGV2ZXJ5IHBfZWxlbSBpbiBwX2FycmF5IHsKICAgICAgICBhbGxvd19tYXNrZWRfcGF0aChwX2VsZW0sIGlfYXJyYXkpCiAgICB9Cn0KCmFsbG93X21hc2tlZF9wYXRoKHBfZWxlbSwgaV9hcnJheSkgewogICAgcHJpbnQoImFsbG93X21hc2tlZF9wYXRoOiBwX2VsZW0gPSIsIHBfZWxlbSkKCiAgICBzb21lIGlfZWxlbSBpbiBpX2FycmF5CiAgICBwX2VsZW0gPT0gaV9lbGVtCgogICAgcHJpbnQoImFsbG93X21hc2tlZF9wYXRoOiB0cnVlIikKfQoKYWxsb3dfcmVhZG9ubHlfcGF0aHMocF9vY2ksIGlfb2NpKSB7CiAgICBwX3BhdGhzIDo9IHBfb2NpLkxpbnV4LlJlYWRvbmx5UGF0aHMKICAgIHByaW50KCJhbGxvd19yZWFkb25seV9wYXRocyAxOiBwX3BhdGhzID0iLCBwX3BhdGhzKQoKICAgIGlfcGF0aHMgOj0gaV9vY2kuTGludXguUmVhZG9ubHlQYXRocwogICAgcHJpbnQoImFsbG93X3JlYWRvbmx5X3BhdGhzIDE6IGlfcGF0aHMgPSIsIGlfcGF0aHMpCgogICAgYWxsb3dfcmVhZG9ubHlfcGF0aHNfYXJyYXkocF9wYXRocywgaV9wYXRocywgaV9vY2kuTGludXguTWFza2VkUGF0aHMpCgogICAgcHJpbnQoImFsbG93X3JlYWRvbmx5X3BhdGhzIDE6IHRydWUiKQp9CmFsbG93X3JlYWRvbmx5X3BhdGhzKHBfb2NpLCBpX29jaSkgewogICAgcHJpbnQoImFsbG93X3JlYWRvbmx5X3BhdGhzIDI6IHN0YXJ0IikKCiAgICBub3QgcF9vY2kuTGludXguUmVhZG9ubHlQYXRocwogICAgbm90IGlfb2NpLkxpbnV4LlJlYWRvbmx5UGF0aHMKCiAgICBwcmludCgiYWxsb3dfcmVhZG9ubHlfcGF0aHMgMjogdHJ1ZSIpCn0KCiMgQWxsIHRoZSBwb2xpY3kgcmVhZG9ubHkgcGF0aHMgbXVzdCBiZSBlaXRoZXI6CiMgLSBQcmVzZW50IGluIHRoZSBpbnB1dCByZWFkb25seSBwYXRocywgb3IKIyAtIFByZXNlbnQgaW4gdGhlIGlucHV0IG1hc2tlZCBwYXRocy4KIyBJbnB1dCBpcyBhbGxvd2VkIHRvIGhhdmUgbW9yZSByZWFkb25seSBwYXRocyB0aGFuIHRoZSBwb2xpY3kuCmFsbG93X3JlYWRvbmx5X3BhdGhzX2FycmF5KHBfYXJyYXksIGlfYXJyYXksIG1hc2tlZF9wYXRocykgewogICAgZXZlcnkgcF9lbGVtIGluIHBfYXJyYXkgewogICAgICAgIGFsbG93X3JlYWRvbmx5X3BhdGgocF9lbGVtLCBpX2FycmF5LCBtYXNrZWRfcGF0aHMpCiAgICB9Cn0KCmFsbG93X3JlYWRvbmx5X3BhdGgocF9lbGVtLCBpX2FycmF5LCBtYXNrZWRfcGF0aHMpIHsKICAgIHByaW50KCJhbGxvd19yZWFkb25seV9wYXRoIDE6IHBfZWxlbSA9IiwgcF9lbGVtKQoKICAgIHNvbWUgaV9lbGVtIGluIGlfYXJyYXkKICAgIHBfZWxlbSA9PSBpX2VsZW0KCiAgICBwcmludCgiYWxsb3dfcmVhZG9ubHlfcGF0aCAxOiB0cnVlIikKfQphbGxvd19yZWFkb25seV9wYXRoKHBfZWxlbSwgaV9hcnJheSwgbWFza2VkX3BhdGhzKSB7CiAgICBwcmludCgiYWxsb3dfcmVhZG9ubHlfcGF0aCAyOiBwX2VsZW0gPSIsIHBfZWxlbSkKCiAgICBzb21lIGlfbWFza2VkIGluIG1hc2tlZF9wYXRocwogICAgcF9lbGVtID09IGlfbWFza2VkCgogICAgcHJpbnQoImFsbG93X3JlYWRvbmx5X3BhdGggMjogdHJ1ZSIpCn0KCiMgQ2hlY2sgdGhlIGNvbnNpc3RlbmN5IG9mIHRoZSBpbnB1dCAiaW8ua2F0YWNvbnRhaW5lcnMucGtnLm9jaS5idW5kbGVfcGF0aCIKIyBhbmQgaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1pZCIgdmFsdWVzIHdpdGggb3RoZXIgZmllbGRzLgphbGxvd19ieV9idW5kbGVfb3Jfc2FuZGJveF9pZChwX29jaSwgaV9vY2ksIHBfc3RvcmFnZXMsIGlfc3RvcmFnZXMpIHsKICAgIHByaW50KCJhbGxvd19ieV9idW5kbGVfb3Jfc2FuZGJveF9pZDogc3RhcnQiKQoKICAgIGJ1bmRsZV9wYXRoIDo9IGlfb2NpLkFubm90YXRpb25zWyJpby5rYXRhY29udGFpbmVycy5wa2cub2NpLmJ1bmRsZV9wYXRoIl0KICAgIGJ1bmRsZV9pZCA6PSByZXBsYWNlKGJ1bmRsZV9wYXRoLCAiL3J1bi9jb250YWluZXJkL2lvLmNvbnRhaW5lcmQucnVudGltZS52Mi50YXNrL2s4cy5pby8iLCAiIikKCiAgICBidW5kbGVfaWRfZm9ybWF0IDo9IGNvbmNhdCgiIiwgWyJeIiwgQlVORExFX0lELCAiJCJdKQogICAgcmVnZXgubWF0Y2goYnVuZGxlX2lkX2Zvcm1hdCwgYnVuZGxlX2lkKQoKICAgIGtleSA6PSAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1pZCIKCiAgICBwX3JlZ2V4IDo9IHBfb2NpLkFubm90YXRpb25zW2tleV0KICAgIHNhbmRib3hfaWQgOj0gaV9vY2kuQW5ub3RhdGlvbnNba2V5XQoKICAgIHByaW50KCJhbGxvd19ieV9idW5kbGVfb3Jfc2FuZGJveF9pZDogc2FuZGJveF9pZCA9Iiwgc2FuZGJveF9pZCwgInJlZ2V4ID0iLCBwX3JlZ2V4KQogICAgcmVnZXgubWF0Y2gocF9yZWdleCwgc2FuZGJveF9pZCkKCiAgICBhbGxvd19yb290X3BhdGgocF9vY2ksIGlfb2NpLCBidW5kbGVfaWQpCgogICAgZXZlcnkgaV9tb3VudCBpbiBpbnB1dC5PQ0kuTW91bnRzIHsKICAgICAgICBhbGxvd19tb3VudChwX29jaSwgaV9tb3VudCwgYnVuZGxlX2lkLCBzYW5kYm94X2lkKQogICAgfQoKICAgIGFsbG93X3N0b3JhZ2VzKHBfc3RvcmFnZXMsIGlfc3RvcmFnZXMsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCkKCiAgICBwcmludCgiYWxsb3dfYnlfYnVuZGxlX29yX3NhbmRib3hfaWQ6IHRydWUiKQp9CgphbGxvd19wcm9jZXNzX2NvbW1vbihwX3Byb2Nlc3MsIGlfcHJvY2Vzcywgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgcHJpbnQoImFsbG93X3Byb2Nlc3NfY29tbW9uOiBwX3Byb2Nlc3MgPSIsIHBfcHJvY2VzcykKICAgIHByaW50KCJhbGxvd19wcm9jZXNzX2NvbW1vbjogaV9wcm9jZXNzID0gIiwgaV9wcm9jZXNzKQogICAgcHJpbnQoImFsbG93X3Byb2Nlc3NfY29tbW9uOiBzX25hbWUgPSIsIHNfbmFtZSkKCiAgICBwX3Byb2Nlc3MuQ3dkID09IGlfcHJvY2Vzcy5Dd2QKICAgIHBfcHJvY2Vzcy5Ob05ld1ByaXZpbGVnZXMgPT0gaV9wcm9jZXNzLk5vTmV3UHJpdmlsZWdlcwoKICAgIGFsbG93X3VzZXIocF9wcm9jZXNzLCBpX3Byb2Nlc3MpCiAgICBhbGxvd19lbnYocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIHNfbmFtZSwgc19uYW1lc3BhY2UpCgogICAgcHJpbnQoImFsbG93X3Byb2Nlc3NfY29tbW9uOiB0cnVlIikKfQoKIyBDb21wYXJlIHRoZSBPQ0kgUHJvY2VzcyBmaWVsZCBvZiBhIHBvbGljeSBjb250YWluZXIgd2l0aCB0aGUgaW5wdXQgT0NJIFByb2Nlc3MgZnJvbSBhIENyZWF0ZUNvbnRhaW5lclJlcXVlc3QKYWxsb3dfcHJvY2VzcyhwX3Byb2Nlc3MsIGlfcHJvY2Vzcywgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgcHJpbnQoImFsbG93X3Byb2Nlc3M6IHN0YXJ0IikKCiAgICBhbGxvd19hcmdzKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBzX25hbWUpCiAgICBhbGxvd19wcm9jZXNzX2NvbW1vbihwX3Byb2Nlc3MsIGlfcHJvY2Vzcywgc19uYW1lLCBzX25hbWVzcGFjZSkKICAgIGFsbG93X2NhcHMocF9wcm9jZXNzLkNhcGFiaWxpdGllcywgaV9wcm9jZXNzLkNhcGFiaWxpdGllcykKICAgIHBfcHJvY2Vzcy5UZXJtaW5hbCA9PSBpX3Byb2Nlc3MuVGVybWluYWwKCiAgICBwcmludCgiYWxsb3dfcHJvY2VzczogdHJ1ZSIpCn0KCiMgQ29tcGFyZSB0aGUgT0NJIFByb2Nlc3MgZmllbGQgb2YgYSBwb2xpY3kgY29udGFpbmVyIHdpdGggdGhlIGlucHV0IHByb2Nlc3MgZmllbGQgZnJvbSBFeGVjUHJvY2Vzc1JlcXVlc3QKYWxsb3dfaW50ZXJhY3RpdmVfcHJvY2VzcyhwX3Byb2Nlc3MsIGlfcHJvY2Vzcywgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgcHJpbnQoImFsbG93X2ludGVyYWN0aXZlX3Byb2Nlc3M6IHN0YXJ0IikKCiAgICBhbGxvd19wcm9jZXNzX2NvbW1vbihwX3Byb2Nlc3MsIGlfcHJvY2Vzcywgc19uYW1lLCBzX25hbWVzcGFjZSkKICAgIGFsbG93X2V4ZWNfY2FwcyhpX3Byb2Nlc3MuQ2FwYWJpbGl0aWVzKQoKICAgICMgVGhlc2UgYXJlIGNvbW1hbmRzIGVuYWJsZWQgdXNpbmcgRXhlY1Byb2Nlc3NSZXF1ZXN0IGNvbW1hbmRzIGFuZC9vciByZWdleCBmcm9tIHRoZSBzZXR0aW5ncyBmaWxlLgogICAgIyBUaGV5IGNhbiBiZSBleGVjdXRlZCBpbnRlcmFjdGl2ZWx5IHNvIGFsbG93IHRoZW0gdG8gdXNlIGFueSB2YWx1ZSBmb3IgaV9wcm9jZXNzLlRlcm1pbmFsLgoKICAgIHByaW50KCJhbGxvd19pbnRlcmFjdGl2ZV9wcm9jZXNzOiB0cnVlIikKfQoKIyBDb21wYXJlIHRoZSBPQ0kgUHJvY2VzcyBmaWVsZCBvZiBhIHBvbGljeSBjb250YWluZXIgd2l0aCB0aGUgaW5wdXQgcHJvY2VzcyBmaWVsZCBmcm9tIEV4ZWNQcm9jZXNzUmVxdWVzdAphbGxvd19wcm9iZV9wcm9jZXNzKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBzX25hbWUsIHNfbmFtZXNwYWNlKSB7CiAgICBwcmludCgiYWxsb3dfcHJvYmVfcHJvY2Vzczogc3RhcnQiKQoKICAgIGFsbG93X3Byb2Nlc3NfY29tbW9uKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBzX25hbWUsIHNfbmFtZXNwYWNlKQogICAgYWxsb3dfZXhlY19jYXBzKGlfcHJvY2Vzcy5DYXBhYmlsaXRpZXMpCiAgICBwX3Byb2Nlc3MuVGVybWluYWwgPT0gaV9wcm9jZXNzLlRlcm1pbmFsCgogICAgcHJpbnQoImFsbG93X3Byb2JlX3Byb2Nlc3M6IHRydWUiKQp9CgphbGxvd191c2VyKHBfcHJvY2VzcywgaV9wcm9jZXNzKSB7CiAgICBwX3VzZXIgOj0gcF9wcm9jZXNzLlVzZXIKICAgIGlfdXNlciA6PSBpX3Byb2Nlc3MuVXNlcgoKICAgIHByaW50KCJhbGxvd191c2VyOiBpbnB1dCB1aWQgPSIsIGlfdXNlci5VSUQsICJwb2xpY3kgdWlkID0iLCBwX3VzZXIuVUlEKQogICAgcF91c2VyLlVJRCA9PSBpX3VzZXIuVUlECgogICAgIyBUT0RPOiB0cmFjayBkb3duIHRoZSByZWFzb24gZm9yIHJlZ2lzdHJ5Lms4cy5pby9wYXVzZTozLjkgYmVpbmcKICAgICMgICAgICAgZXhlY3V0ZWQgd2l0aCBnaWQgPSAwIGRlc3BpdGUgaGF2aW5nICI2NTUzNTo2NTUzNSIgaW4gaXRzIGNvbnRhaW5lciBpbWFnZQogICAgIyAgICAgICBjb25maWcuCiAgICAjcHJpbnQoImFsbG93X3VzZXI6IGlucHV0IGdpZCA9IiwgaV91c2VyLkdJRCwgInBvbGljeSBnaWQgPSIsIHBfdXNlci5HSUQpCiAgICAjcF91c2VyLkdJRCA9PSBpX3VzZXIuR0lECgogICAgIyBUT0RPOiBjb21wYXJlIHRoZSBhZGRpdGlvbmFsR2lkcyBmaWVsZCB0b28gYWZ0ZXIgY29tcHV0aW5nIGl0cyB2YWx1ZQogICAgIyBiYXNlZCBvbiAvZXRjL3Bhc3N3ZCBhbmQgL2V0Yy9ncm91cCBmcm9tIHRoZSBjb250YWluZXIgaW1hZ2UuCn0KCmFsbG93X2FyZ3MocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIHNfbmFtZSkgewogICAgcHJpbnQoImFsbG93X2FyZ3MgMTogbm8gYXJncyIpCgogICAgbm90IHBfcHJvY2Vzcy5BcmdzCiAgICBub3QgaV9wcm9jZXNzLkFyZ3MKCiAgICBwcmludCgiYWxsb3dfYXJncyAxOiB0cnVlIikKfQphbGxvd19hcmdzKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBzX25hbWUpIHsKICAgIHByaW50KCJhbGxvd19hcmdzIDI6IHBvbGljeSBhcmdzID0iLCBwX3Byb2Nlc3MuQXJncykKICAgIHByaW50KCJhbGxvd19hcmdzIDI6IGlucHV0IGFyZ3MgPSIsIGlfcHJvY2Vzcy5BcmdzKQoKICAgIGNvdW50KHBfcHJvY2Vzcy5BcmdzKSA9PSBjb3VudChpX3Byb2Nlc3MuQXJncykKCiAgICBldmVyeSBpLCBpX2FyZyBpbiBpX3Byb2Nlc3MuQXJncyB7CiAgICAgICAgYWxsb3dfYXJnKGksIGlfYXJnLCBwX3Byb2Nlc3MsIHNfbmFtZSkKICAgIH0KCiAgICBwcmludCgiYWxsb3dfYXJncyAyOiB0cnVlIikKfQphbGxvd19hcmcoaSwgaV9hcmcsIHBfcHJvY2Vzcywgc19uYW1lKSB7CiAgICBwX2FyZyA6PSBwX3Byb2Nlc3MuQXJnc1tpXQogICAgcHJpbnQoImFsbG93X2FyZyAxOiBpID0iLCBpLCAiaV9hcmcgPSIsIGlfYXJnLCAicF9hcmcgPSIsIHBfYXJnKQoKICAgIHBfYXJnMiA6PSByZXBsYWNlKHBfYXJnLCAiJCQiLCAiJCIpCiAgICBwX2FyZzIgPT0gaV9hcmcKCiAgICBwcmludCgiYWxsb3dfYXJnIDE6IHRydWUiKQp9CmFsbG93X2FyZyhpLCBpX2FyZywgcF9wcm9jZXNzLCBzX25hbWUpIHsKICAgIHBfYXJnIDo9IHBfcHJvY2Vzcy5BcmdzW2ldCiAgICBwcmludCgiYWxsb3dfYXJnIDI6IGkgPSIsIGksICJpX2FyZyA9IiwgaV9hcmcsICJwX2FyZyA9IiwgcF9hcmcpCgogICAgIyBUT0RPOiBjYW4gJChub2RlLW5hbWUpIGJlIGhhbmRsZWQgYmV0dGVyPwogICAgY29udGFpbnMocF9hcmcsICIkKG5vZGUtbmFtZSkiKQoKICAgIHByaW50KCJhbGxvd19hcmcgMjogdHJ1ZSIpCn0KYWxsb3dfYXJnKGksIGlfYXJnLCBwX3Byb2Nlc3MsIHNfbmFtZSkgewogICAgcF9hcmcgOj0gcF9wcm9jZXNzLkFyZ3NbaV0KICAgIHByaW50KCJhbGxvd19hcmcgMzogaSA9IiwgaSwgImlfYXJnID0iLCBpX2FyZywgInBfYXJnID0iLCBwX2FyZykKCiAgICBwX2FyZzIgOj0gcmVwbGFjZShwX2FyZywgIiQkIiwgIiQiKQogICAgcF9hcmczIDo9IHJlcGxhY2UocF9hcmcyLCAiJChzYW5kYm94LW5hbWUpIiwgc19uYW1lKQogICAgcHJpbnQoImFsbG93X2FyZyAzOiBwX2FyZzMgPSIsIHBfYXJnMykKICAgIHBfYXJnMyA9PSBpX2FyZwoKICAgIHByaW50KCJhbGxvd19hcmcgMzogdHJ1ZSIpCn0KCiMgT0NJIHByb2Nlc3MuRW52IGZpZWxkCmFsbG93X2VudihwX3Byb2Nlc3MsIGlfcHJvY2Vzcywgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgcHJpbnQoImFsbG93X2VudjogcCBlbnYgPSIsIHBfcHJvY2Vzcy5FbnYpCiAgICBwcmludCgiYWxsb3dfZW52OiBpIGVudiA9IiwgaV9wcm9jZXNzLkVudikKCiAgICBldmVyeSBpX3ZhciBpbiBpX3Byb2Nlc3MuRW52IHsKICAgICAgICBwcmludCgiYWxsb3dfZW52OiBpX3ZhciA9IiwgaV92YXIpCiAgICAgICAgYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lLCBzX25hbWVzcGFjZSkKICAgIH0KCiAgICBwcmludCgiYWxsb3dfZW52OiB0cnVlIikKfQoKIyBBbGxvdyBpbnB1dCBlbnYgdmFyaWFibGVzIHRoYXQgYXJlIHByZXNlbnQgaW4gdGhlIHBvbGljeSBkYXRhIHRvby4KYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgc29tZSBwX3ZhciBpbiBwX3Byb2Nlc3MuRW52CiAgICBwX3ZhciA9PSBpX3ZhcgogICAgcHJpbnQoImFsbG93X3ZhciAxOiB0cnVlIikKfQoKIyBNYXRjaCBpbnB1dCB3aXRoIG9uZSBvZiB0aGUgcG9saWN5IHZhcmlhYmxlcywgYWZ0ZXIgc3Vic3RpdHV0aW5nICQoc2FuZGJveC1uYW1lKS4KYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgc29tZSBwX3ZhciBpbiBwX3Byb2Nlc3MuRW52CiAgICBwX3ZhcjIgOj0gcmVwbGFjZShwX3ZhciwgIiQoc2FuZGJveC1uYW1lKSIsIHNfbmFtZSkKCiAgICBwcmludCgiYWxsb3dfdmFyIDI6IHBfdmFyMiA9IiwgcF92YXIyKQogICAgcF92YXIyID09IGlfdmFyCgogICAgcHJpbnQoImFsbG93X3ZhciAyOiB0cnVlIikKfQoKIyBBbGxvdyBpbnB1dCBlbnYgdmFyaWFibGVzIHRoYXQgbWF0Y2ggd2l0aCBhIHJlcXVlc3RfZGVmYXVsdHMgcmVnZXguCmFsbG93X3ZhcihwX3Byb2Nlc3MsIGlfcHJvY2VzcywgaV92YXIsIHNfbmFtZSwgc19uYW1lc3BhY2UpIHsKICAgIHNvbWUgcF9yZWdleDEgaW4gcG9saWN5X2RhdGEucmVxdWVzdF9kZWZhdWx0cy5DcmVhdGVDb250YWluZXJSZXF1ZXN0LmFsbG93X2Vudl9yZWdleAogICAgcF9yZWdleDIgOj0gcmVwbGFjZShwX3JlZ2V4MSwgIiQoaXB2NF9hKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5pcHY0X2EpCiAgICBwX3JlZ2V4MyA6PSByZXBsYWNlKHBfcmVnZXgyLCAiJChpcF9wKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5pcF9wKQogICAgcF9yZWdleDQgOj0gcmVwbGFjZShwX3JlZ2V4MywgIiQoc3ZjX25hbWUpIiwgcG9saWN5X2RhdGEuY29tbW9uLnN2Y19uYW1lKQogICAgcF9yZWdleDUgOj0gcmVwbGFjZShwX3JlZ2V4NCwgIiQoZG5zX2xhYmVsKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5kbnNfbGFiZWwpCgogICAgcHJpbnQoImFsbG93X3ZhciAzOiBwX3JlZ2V4NSA9IiwgcF9yZWdleDUpCiAgICByZWdleC5tYXRjaChwX3JlZ2V4NSwgaV92YXIpCgogICAgcHJpbnQoImFsbG93X3ZhciAzOiB0cnVlIikKfQoKIyBBbGxvdyBmaWVsZFJlZiAiZmllbGRQYXRoOiBzdGF0dXMucG9kSVAiIHZhbHVlcy4KYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgbmFtZV92YWx1ZSA6PSBzcGxpdChpX3ZhciwgIj0iKQogICAgY291bnQobmFtZV92YWx1ZSkgPT0gMgogICAgaXNfaXAobmFtZV92YWx1ZVsxXSkKCiAgICBzb21lIHBfdmFyIGluIHBfcHJvY2Vzcy5FbnYKICAgIGFsbG93X3BvZF9pcF92YXIobmFtZV92YWx1ZVswXSwgcF92YXIpCgogICAgcHJpbnQoImFsbG93X3ZhciA0OiB0cnVlIikKfQoKIyBBbGxvdyBjb21tb24gZmllbGRSZWYgdmFyaWFibGVzLgphbGxvd192YXIocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIGlfdmFyLCBzX25hbWUsIHNfbmFtZXNwYWNlKSB7CiAgICBuYW1lX3ZhbHVlIDo9IHNwbGl0KGlfdmFyLCAiPSIpCiAgICBjb3VudChuYW1lX3ZhbHVlKSA9PSAyCgogICAgc29tZSBwX3ZhciBpbiBwX3Byb2Nlc3MuRW52CiAgICBwX25hbWVfdmFsdWUgOj0gc3BsaXQocF92YXIsICI9IikKICAgIGNvdW50KHBfbmFtZV92YWx1ZSkgPT0gMgoKICAgIHBfbmFtZV92YWx1ZVswXSA9PSBuYW1lX3ZhbHVlWzBdCgogICAgIyBUT0RPOiBzaG91bGQgdGhlc2UgYmUgaGFuZGxlZCBpbiBhIGRpZmZlcmVudCB3YXk/CiAgICBhbHdheXNfYWxsb3dlZCA6PSBbIiQoaG9zdC1uYW1lKSIsICIkKG5vZGUtbmFtZSkiLCAiJChwb2QtdWlkKSJdCiAgICBzb21lIGFsbG93ZWQgaW4gYWx3YXlzX2FsbG93ZWQKICAgIGNvbnRhaW5zKHBfbmFtZV92YWx1ZVsxXSwgYWxsb3dlZCkKCiAgICBwcmludCgiYWxsb3dfdmFyIDU6IHRydWUiKQp9CgojIEFsbG93IGZpZWxkUmVmICJmaWVsZFBhdGg6IHN0YXR1cy5ob3N0SVAiIHZhbHVlcy4KYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgbmFtZV92YWx1ZSA6PSBzcGxpdChpX3ZhciwgIj0iKQogICAgY291bnQobmFtZV92YWx1ZSkgPT0gMgogICAgaXNfaXAobmFtZV92YWx1ZVsxXSkKCiAgICBzb21lIHBfdmFyIGluIHBfcHJvY2Vzcy5FbnYKICAgIGFsbG93X2hvc3RfaXBfdmFyKG5hbWVfdmFsdWVbMF0sIHBfdmFyKQoKICAgIHByaW50KCJhbGxvd192YXIgNjogdHJ1ZSIpCn0KCiMgQWxsb3cgcmVzb3VyY2VGaWVsZFJlZiB2YWx1ZXMgKGUuZy4sICJsaW1pdHMuY3B1IikuCmFsbG93X3ZhcihwX3Byb2Nlc3MsIGlfcHJvY2VzcywgaV92YXIsIHNfbmFtZSwgc19uYW1lc3BhY2UpIHsKICAgIG5hbWVfdmFsdWUgOj0gc3BsaXQoaV92YXIsICI9IikKICAgIGNvdW50KG5hbWVfdmFsdWUpID09IDIKCiAgICBzb21lIHBfdmFyIGluIHBfcHJvY2Vzcy5FbnYKICAgIHBfbmFtZV92YWx1ZSA6PSBzcGxpdChwX3ZhciwgIj0iKQogICAgY291bnQocF9uYW1lX3ZhbHVlKSA9PSAyCgogICAgcF9uYW1lX3ZhbHVlWzBdID09IG5hbWVfdmFsdWVbMF0KCiAgICAjIFRPRE86IHNob3VsZCB0aGVzZSBiZSBoYW5kbGVkIGluIGEgZGlmZmVyZW50IHdheT8KICAgIGFsd2F5c19hbGxvd2VkID0gWyIkKHJlc291cmNlLWZpZWxkKSIsICIkKHRvZG8tYW5ub3RhdGlvbikiXQogICAgc29tZSBhbGxvd2VkIGluIGFsd2F5c19hbGxvd2VkCiAgICBjb250YWlucyhwX25hbWVfdmFsdWVbMV0sIGFsbG93ZWQpCgogICAgcHJpbnQoImFsbG93X3ZhciA3OiB0cnVlIikKfQoKYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgc29tZSBwX3ZhciBpbiBwX3Byb2Nlc3MuRW52CiAgICBwX3ZhcjIgOj0gcmVwbGFjZShwX3ZhciwgIiQoc2FuZGJveC1uYW1lc3BhY2UpIiwgc19uYW1lc3BhY2UpCgogICAgcHJpbnQoImFsbG93X3ZhciA4OiBwX3ZhcjIgPSIsIHBfdmFyMikKICAgIHBfdmFyMiA9PSBpX3ZhcgoKICAgIHByaW50KCJhbGxvd192YXIgODogdHJ1ZSIpCn0KCmFsbG93X3BvZF9pcF92YXIodmFyX25hbWUsIHBfdmFyKSB7CiAgICBwcmludCgiYWxsb3dfcG9kX2lwX3ZhcjogdmFyX25hbWUgPSIsIHZhcl9uYW1lLCAicF92YXIgPSIsIHBfdmFyKQoKICAgIHBfbmFtZV92YWx1ZSA6PSBzcGxpdChwX3ZhciwgIj0iKQogICAgY291bnQocF9uYW1lX3ZhbHVlKSA9PSAyCgogICAgcF9uYW1lX3ZhbHVlWzBdID09IHZhcl9uYW1lCiAgICBwX25hbWVfdmFsdWVbMV0gPT0gIiQocG9kLWlwKSIKCiAgICBwcmludCgiYWxsb3dfcG9kX2lwX3ZhcjogdHJ1ZSIpCn0KCmFsbG93X2hvc3RfaXBfdmFyKHZhcl9uYW1lLCBwX3ZhcikgewogICAgcHJpbnQoImFsbG93X2hvc3RfaXBfdmFyOiB2YXJfbmFtZSA9IiwgdmFyX25hbWUsICJwX3ZhciA9IiwgcF92YXIpCgogICAgcF9uYW1lX3ZhbHVlIDo9IHNwbGl0KHBfdmFyLCAiPSIpCiAgICBjb3VudChwX25hbWVfdmFsdWUpID09IDIKCiAgICBwX25hbWVfdmFsdWVbMF0gPT0gdmFyX25hbWUKICAgIHBfbmFtZV92YWx1ZVsxXSA9PSAiJChob3N0LWlwKSIKCiAgICBwcmludCgiYWxsb3dfaG9zdF9pcF92YXI6IHRydWUiKQp9Cgppc19pcCh2YWx1ZSkgewogICAgYnl0ZXMgPSBzcGxpdCh2YWx1ZSwgIi4iKQogICAgY291bnQoYnl0ZXMpID09IDQKCiAgICBpc19pcF9maXJzdF9ieXRlKGJ5dGVzWzBdKQogICAgaXNfaXBfb3RoZXJfYnl0ZShieXRlc1sxXSkKICAgIGlzX2lwX290aGVyX2J5dGUoYnl0ZXNbMl0pCiAgICBpc19pcF9vdGhlcl9ieXRlKGJ5dGVzWzNdKQp9CmlzX2lwX2ZpcnN0X2J5dGUoY29tcG9uZW50KSB7CiAgICBudW1iZXIgPSB0b19udW1iZXIoY29tcG9uZW50KQogICAgbnVtYmVyID49IDEKICAgIG51bWJlciA8PSAyNTUKfQppc19pcF9vdGhlcl9ieXRlKGNvbXBvbmVudCkgewogICAgbnVtYmVyID0gdG9fbnVtYmVyKGNvbXBvbmVudCkKICAgIG51bWJlciA+PSAwCiAgICBudW1iZXIgPD0gMjU1Cn0KCiMgT0NJIHJvb3QuUGF0aAphbGxvd19yb290X3BhdGgocF9vY2ksIGlfb2NpLCBidW5kbGVfaWQpIHsKICAgIGlfcGF0aCA6PSBpX29jaS5Sb290LlBhdGgKICAgIHBfcGF0aDEgOj0gcF9vY2kuUm9vdC5QYXRoCiAgICBwcmludCgiYWxsb3dfcm9vdF9wYXRoOiBpX3BhdGggPSIsIGlfcGF0aCwgInBfcGF0aDEgPSIsIHBfcGF0aDEpCgogICAgcF9wYXRoMiA6PSByZXBsYWNlKHBfcGF0aDEsICIkKGNwYXRoKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5jcGF0aCkKICAgIHByaW50KCJhbGxvd19yb290X3BhdGg6IHBfcGF0aDIgPSIsIHBfcGF0aDIpCgogICAgcF9wYXRoMyA6PSByZXBsYWNlKHBfcGF0aDIsICIkKGJ1bmRsZS1pZCkiLCBidW5kbGVfaWQpCiAgICBwcmludCgiYWxsb3dfcm9vdF9wYXRoOiBwX3BhdGgzID0iLCBwX3BhdGgzKQoKICAgIHBfcGF0aDMgPT0gaV9wYXRoCgogICAgcHJpbnQoImFsbG93X3Jvb3RfcGF0aDogdHJ1ZSIpCn0KCiMgZGV2aWNlIG1vdW50cwphbGxvd19tb3VudChwX29jaSwgaV9tb3VudCwgYnVuZGxlX2lkLCBzYW5kYm94X2lkKSB7CiAgICBwcmludCgiYWxsb3dfbW91bnQ6IGlfbW91bnQgPSIsIGlfbW91bnQpCgogICAgc29tZSBwX21vdW50IGluIHBfb2NpLk1vdW50cwogICAgcHJpbnQoImFsbG93X21vdW50OiBwX21vdW50ID0iLCBwX21vdW50KQogICAgY2hlY2tfbW91bnQocF9tb3VudCwgaV9tb3VudCwgYnVuZGxlX2lkLCBzYW5kYm94X2lkKQoKICAgICMgVE9ETzogYXJlIHRoZXJlIGFueSBvdGhlciByZXF1aXJlZCBwb2xpY3kgY2hlY2tzIGZvciBtb3VudHMgLSBlLmcuLAogICAgIyAgICAgICBtdWx0aXBsZSBtb3VudHMgd2l0aCBzYW1lIHNvdXJjZSBvciBkZXN0aW5hdGlvbj8KCiAgICBwcmludCgiYWxsb3dfbW91bnQ6IHRydWUiKQp9CgpjaGVja19tb3VudChwX21vdW50LCBpX21vdW50LCBidW5kbGVfaWQsIHNhbmRib3hfaWQpIHsKICAgIHBfbW91bnQgPT0gaV9tb3VudAogICAgcHJpbnQoImNoZWNrX21vdW50IDE6IHRydWUiKQp9CmNoZWNrX21vdW50KHBfbW91bnQsIGlfbW91bnQsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCkgewogICAgcF9tb3VudC5kZXN0aW5hdGlvbiA9PSBpX21vdW50LmRlc3RpbmF0aW9uCiAgICBwX21vdW50LnR5cGVfID09IGlfbW91bnQudHlwZV8KICAgIHBfbW91bnQub3B0aW9ucyA9PSBpX21vdW50Lm9wdGlvbnMKCiAgICBtb3VudF9zb3VyY2VfYWxsb3dzKHBfbW91bnQsIGlfbW91bnQsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCkKCiAgICBwcmludCgiY2hlY2tfbW91bnQgMjogdHJ1ZSIpCn0KCm1vdW50X3NvdXJjZV9hbGxvd3MocF9tb3VudCwgaV9tb3VudCwgYnVuZGxlX2lkLCBzYW5kYm94X2lkKSB7CiAgICByZWdleDEgOj0gcF9tb3VudC5zb3VyY2UKICAgIHJlZ2V4MiA6PSByZXBsYWNlKHJlZ2V4MSwgIiQoc2ZwcmVmaXgpIiwgcG9saWN5X2RhdGEuY29tbW9uLnNmcHJlZml4KQogICAgcmVnZXgzIDo9IHJlcGxhY2UocmVnZXgyLCAiJChjcGF0aCkiLCBwb2xpY3lfZGF0YS5jb21tb24uY3BhdGgpCiAgICByZWdleDQgOj0gcmVwbGFjZShyZWdleDMsICIkKGJ1bmRsZS1pZCkiLCBidW5kbGVfaWQpCgogICAgcHJpbnQoIm1vdW50X3NvdXJjZV9hbGxvd3MgMTogcmVnZXg0ID0iLCByZWdleDQpCiAgICByZWdleC5tYXRjaChyZWdleDQsIGlfbW91bnQuc291cmNlKQoKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDE6IHRydWUiKQp9Cm1vdW50X3NvdXJjZV9hbGxvd3MocF9tb3VudCwgaV9tb3VudCwgYnVuZGxlX2lkLCBzYW5kYm94X2lkKSB7CiAgICByZWdleDEgOj0gcF9tb3VudC5zb3VyY2UKICAgIHJlZ2V4MiA6PSByZXBsYWNlKHJlZ2V4MSwgIiQoc2ZwcmVmaXgpIiwgcG9saWN5X2RhdGEuY29tbW9uLnNmcHJlZml4KQogICAgcmVnZXgzIDo9IHJlcGxhY2UocmVnZXgyLCAiJChjcGF0aCkiLCBwb2xpY3lfZGF0YS5jb21tb24uY3BhdGgpCiAgICByZWdleDQgOj0gcmVwbGFjZShyZWdleDMsICIkKHNhbmRib3gtaWQpIiwgc2FuZGJveF9pZCkKCiAgICBwcmludCgibW91bnRfc291cmNlX2FsbG93cyAyOiByZWdleDQgPSIsIHJlZ2V4NCkKICAgIHJlZ2V4Lm1hdGNoKHJlZ2V4NCwgaV9tb3VudC5zb3VyY2UpCgogICAgcHJpbnQoIm1vdW50X3NvdXJjZV9hbGxvd3MgMjogdHJ1ZSIpCn0KbW91bnRfc291cmNlX2FsbG93cyhwX21vdW50LCBpX21vdW50LCBidW5kbGVfaWQsIHNhbmRib3hfaWQpIHsKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDM6IGlfbW91bnQuc291cmNlPSIsIGlfbW91bnQuc291cmNlKQoKICAgIGlfc291cmNlX3BhcnRzID0gc3BsaXQoaV9tb3VudC5zb3VyY2UsICIvIikKICAgIGI2NF9kaXJlY3Rfdm9sX3BhdGggPSBpX3NvdXJjZV9wYXJ0c1tjb3VudChpX3NvdXJjZV9wYXJ0cykgLSAxXQoKICAgIGJhc2U2NC5pc192YWxpZChiNjRfZGlyZWN0X3ZvbF9wYXRoKQoKICAgIHNvdXJjZTEgOj0gcF9tb3VudC5zb3VyY2UKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDM6IHNvdXJjZTEgPSIsIHNvdXJjZTEpCgogICAgc291cmNlMiA6PSByZXBsYWNlKHNvdXJjZTEsICIkKHNwYXRoKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5zcGF0aCkKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDM6IHNvdXJjZTIgPSIsIHNvdXJjZTIpCgogICAgc291cmNlMyA6PSByZXBsYWNlKHNvdXJjZTIsICIkKGI2NC1kaXJlY3Qtdm9sLXBhdGgpIiwgYjY0X2RpcmVjdF92b2xfcGF0aCkKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDM6IHNvdXJjZTMgPSIsIHNvdXJjZTMpCgogICAgc291cmNlMyA9PSBpX21vdW50LnNvdXJjZQoKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDM6IHRydWUiKQp9CgojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjCiMgQ3JlYXRlIGNvbnRhaW5lciBTdG9yYWdlcwoKYWxsb3dfc3RvcmFnZXMocF9zdG9yYWdlcywgaV9zdG9yYWdlcywgYnVuZGxlX2lkLCBzYW5kYm94X2lkKSB7CiAgICBwX2NvdW50IDo9IGNvdW50KHBfc3RvcmFnZXMpCiAgICBpX2NvdW50IDo9IGNvdW50KGlfc3RvcmFnZXMpCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZXM6IHBfY291bnQgPSIsIHBfY291bnQsICJpX2NvdW50ID0iLCBpX2NvdW50KQoKICAgIHBfY291bnQgPT0gaV9jb3VudAoKICAgICMgR2V0IHRoZSBjb250YWluZXIgaW1hZ2UgbGF5ZXIgSURzIGFuZCB2ZXJpdHkgcm9vdCBoYXNoZXMsIGZyb20gdGhlICJvdmVybGF5ZnMiIHN0b3JhZ2UuCiAgICBzb21lIG92ZXJsYXlfc3RvcmFnZSBpbiBwX3N0b3JhZ2VzCiAgICBvdmVybGF5X3N0b3JhZ2UuZHJpdmVyID09ICJvdmVybGF5ZnMiCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZXM6IG92ZXJsYXlfc3RvcmFnZSA9Iiwgb3ZlcmxheV9zdG9yYWdlKQogICAgY291bnQob3ZlcmxheV9zdG9yYWdlLm9wdGlvbnMpID09IDIKCiAgICBsYXllcl9pZHMgOj0gc3BsaXQob3ZlcmxheV9zdG9yYWdlLm9wdGlvbnNbMF0sICI6IikKICAgIHByaW50KCJhbGxvd19zdG9yYWdlczogbGF5ZXJfaWRzID0iLCBsYXllcl9pZHMpCgogICAgcm9vdF9oYXNoZXMgOj0gc3BsaXQob3ZlcmxheV9zdG9yYWdlLm9wdGlvbnNbMV0sICI6IikKICAgIHByaW50KCJhbGxvd19zdG9yYWdlczogcm9vdF9oYXNoZXMgPSIsIHJvb3RfaGFzaGVzKQoKICAgIGV2ZXJ5IGlfc3RvcmFnZSBpbiBpX3N0b3JhZ2VzIHsKICAgICAgICBhbGxvd19zdG9yYWdlKHBfc3RvcmFnZXMsIGlfc3RvcmFnZSwgYnVuZGxlX2lkLCBzYW5kYm94X2lkLCBsYXllcl9pZHMsIHJvb3RfaGFzaGVzKQogICAgfQoKICAgIHByaW50KCJhbGxvd19zdG9yYWdlczogdHJ1ZSIpCn0KCmFsbG93X3N0b3JhZ2UocF9zdG9yYWdlcywgaV9zdG9yYWdlLCBidW5kbGVfaWQsIHNhbmRib3hfaWQsIGxheWVyX2lkcywgcm9vdF9oYXNoZXMpIHsKICAgIHNvbWUgcF9zdG9yYWdlIGluIHBfc3RvcmFnZXMKCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZTogcF9zdG9yYWdlID0iLCBwX3N0b3JhZ2UpCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZTogaV9zdG9yYWdlID0iLCBpX3N0b3JhZ2UpCgogICAgcF9zdG9yYWdlLmRyaXZlciAgICAgICAgICAgPT0gaV9zdG9yYWdlLmRyaXZlcgogICAgcF9zdG9yYWdlLmRyaXZlcl9vcHRpb25zICAgPT0gaV9zdG9yYWdlLmRyaXZlcl9vcHRpb25zCiAgICBwX3N0b3JhZ2UuZnNfZ3JvdXAgICAgICAgICA9PSBpX3N0b3JhZ2UuZnNfZ3JvdXAKCiAgICBhbGxvd19zdG9yYWdlX29wdGlvbnMocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGxheWVyX2lkcywgcm9vdF9oYXNoZXMpCiAgICBhbGxvd19tb3VudF9wb2ludChwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgYnVuZGxlX2lkLCBzYW5kYm94X2lkLCBsYXllcl9pZHMpCgogICAgIyBUT0RPOiB2YWxpZGF0ZSB0aGUgc291cmNlIGZpZWxkIHRvby4KCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZTogdHJ1ZSIpCn0KCmFsbG93X3N0b3JhZ2Vfb3B0aW9ucyhwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgbGF5ZXJfaWRzLCByb290X2hhc2hlcykgewogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAxOiBzdGFydCIpCgogICAgcF9zdG9yYWdlLmRyaXZlciAhPSAib3ZlcmxheWZzIgogICAgcF9zdG9yYWdlLm9wdGlvbnMgPT0gaV9zdG9yYWdlLm9wdGlvbnMKCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDE6IHRydWUiKQp9CmFsbG93X3N0b3JhZ2Vfb3B0aW9ucyhwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgbGF5ZXJfaWRzLCByb290X2hhc2hlcykgewogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAyOiBzdGFydCIpCgogICAgcF9zdG9yYWdlLmRyaXZlciA9PSAib3ZlcmxheWZzIgogICAgY291bnQocF9zdG9yYWdlLm9wdGlvbnMpID09IDIKCiAgICBwb2xpY3lfaWRzIDo9IHNwbGl0KHBfc3RvcmFnZS5vcHRpb25zWzBdLCAiOiIpCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDI6IHBvbGljeV9pZHMgPSIsIHBvbGljeV9pZHMpCiAgICBwb2xpY3lfaWRzID09IGxheWVyX2lkcwoKICAgIHBvbGljeV9oYXNoZXMgOj0gc3BsaXQocF9zdG9yYWdlLm9wdGlvbnNbMV0sICI6IikKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgMjogcG9saWN5X2hhc2hlcyA9IiwgcG9saWN5X2hhc2hlcykKCiAgICBwX2NvdW50IDo9IGNvdW50KHBvbGljeV9pZHMpCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDI6IHBfY291bnQgPSIsIHBfY291bnQpCiAgICBwX2NvdW50ID49IDEKICAgIHBfY291bnQgPT0gY291bnQocG9saWN5X2hhc2hlcykKCiAgICBpX2NvdW50IDo9IGNvdW50KGlfc3RvcmFnZS5vcHRpb25zKQogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAyOiBpX2NvdW50ID0iLCBpX2NvdW50KQogICAgaV9jb3VudCA9PSBwX2NvdW50ICsgMwoKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgMjogaV9zdG9yYWdlLm9wdGlvbnNbMF0gPSIsIGlfc3RvcmFnZS5vcHRpb25zWzBdKQogICAgaV9zdG9yYWdlLm9wdGlvbnNbMF0gPT0gImlvLmthdGFjb250YWluZXJzLmZzLW9wdC5sYXllci1zcmMtcHJlZml4PS92YXIvbGliL2NvbnRhaW5lcmQvaW8uY29udGFpbmVyZC5zbmFwc2hvdHRlci52MS50YXJkZXYvbGF5ZXJzIgoKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgMjogaV9zdG9yYWdlLm9wdGlvbnNbaV9jb3VudCAtIDJdID0iLCBpX3N0b3JhZ2Uub3B0aW9uc1tpX2NvdW50IC0gMl0pCiAgICBpX3N0b3JhZ2Uub3B0aW9uc1tpX2NvdW50IC0gMl0gPT0gImlvLmthdGFjb250YWluZXJzLmZzLW9wdC5vdmVybGF5LXJ3IgoKICAgIGxvd2VyZGlyIDo9IGNvbmNhdCgiPSIsIFsibG93ZXJkaXIiLCBwX3N0b3JhZ2Uub3B0aW9uc1swXV0pCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDI6IGxvd2VyZGlyID0iLCBsb3dlcmRpcikKCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDI6IGlfc3RvcmFnZS5vcHRpb25zW2lfY291bnQgLSAxXSA9IiwgaV9zdG9yYWdlLm9wdGlvbnNbaV9jb3VudCAtIDFdKQogICAgaV9zdG9yYWdlLm9wdGlvbnNbaV9jb3VudCAtIDFdID09IGxvd2VyZGlyCgogICAgZXZlcnkgaSwgcG9saWN5X2lkIGluIHBvbGljeV9pZHMgewogICAgICAgIGFsbG93X292ZXJsYXlfbGF5ZXIocG9saWN5X2lkLCBwb2xpY3lfaGFzaGVzW2ldLCBpX3N0b3JhZ2Uub3B0aW9uc1tpICsgMV0pCiAgICB9CgogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAyOiB0cnVlIikKfQphbGxvd19zdG9yYWdlX29wdGlvbnMocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGxheWVyX2lkcywgcm9vdF9oYXNoZXMpIHsKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgMzogc3RhcnQiKQoKICAgIHBfc3RvcmFnZS5kcml2ZXIgPT0gImJsayIKICAgIGNvdW50KHBfc3RvcmFnZS5vcHRpb25zKSA9PSAxCgogICAgc3RhcnRzd2l0aChwX3N0b3JhZ2Uub3B0aW9uc1swXSwgIiQoaGFzaCIpCiAgICBoYXNoX3N1ZmZpeCA6PSB0cmltX2xlZnQocF9zdG9yYWdlLm9wdGlvbnNbMF0sICIkKGhhc2giKQoKICAgIGVuZHN3aXRoKGhhc2hfc3VmZml4LCAiKSIpCiAgICBoYXNoX2luZGV4IDo9IHRyaW1fcmlnaHQoaGFzaF9zdWZmaXgsICIpIikKICAgIGkgOj0gdG9fbnVtYmVyKGhhc2hfaW5kZXgpCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDM6IGkgPSIsIGkpCgogICAgaGFzaF9vcHRpb24gOj0gY29uY2F0KCI9IiwgWyJpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoIiwgcm9vdF9oYXNoZXNbaV1dKQogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAzOiBoYXNoX29wdGlvbiA9IiwgaGFzaF9vcHRpb24pCgogICAgY291bnQoaV9zdG9yYWdlLm9wdGlvbnMpID09IDQKICAgIGlfc3RvcmFnZS5vcHRpb25zWzBdID09ICJybyIKICAgIGlfc3RvcmFnZS5vcHRpb25zWzFdID09ICJpby5rYXRhY29udGFpbmVycy5mcy1vcHQuYmxvY2tfZGV2aWNlPWZpbGUiCiAgICBpX3N0b3JhZ2Uub3B0aW9uc1syXSA9PSAiaW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmlzLWxheWVyIgogICAgaV9zdG9yYWdlLm9wdGlvbnNbM10gPT0gaGFzaF9vcHRpb24KCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDM6IHRydWUiKQp9CmFsbG93X3N0b3JhZ2Vfb3B0aW9ucyhwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgbGF5ZXJfaWRzLCByb290X2hhc2hlcykgewogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyA0OiBzdGFydCIpCgogICAgcF9zdG9yYWdlLmRyaXZlciA9PSAic21iIgogICAgcF9vcHRzX2NvdW50IDo9IGNvdW50KHBfc3RvcmFnZS5vcHRpb25zKQogICAgaV9vcHRzX2NvdW50IDo9IGNvdW50KGlfc3RvcmFnZS5vcHRpb25zKQogICAgaV9vcHRzX2NvdW50ID09IHBfb3B0c19jb3VudCArIDIKCiAgICBpX29wdF9tYXRjaGVzIDo9IFtpIHwgaSA6PSBpZHg7IGlkeCA8IHBfb3B0c19jb3VudDsgcF9zdG9yYWdlLm9wdGlvbnNbaWR4XSA9PSBpX3N0b3JhZ2Uub3B0aW9uc1tpZHhdXQogICAgY291bnQoaV9vcHRfbWF0Y2hlcykgPT0gcF9vcHRzX2NvdW50CgogICAgc3RhcnRzd2l0aChpX3N0b3JhZ2Uub3B0aW9uc1tpX29wdHNfY291bnQtMl0sICJhZGRyPSIpCiAgICBjcmVkcyA9IHNwbGl0KGlfc3RvcmFnZS5vcHRpb25zW2lfb3B0c19jb3VudC0xXSwgIiwiKQogICAgY291bnQoY3JlZHMpID09IDIKICAgIHN0YXJ0c3dpdGgoY3JlZHNbMF0sICJ1c2VybmFtZT0iKQogICAgc3RhcnRzd2l0aChjcmVkc1sxXSwgInBhc3N3b3JkPSIpCiAgICAKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgNDogdHJ1ZSIpCn0KCmFsbG93X292ZXJsYXlfbGF5ZXIocG9saWN5X2lkLCBwb2xpY3lfaGFzaCwgaV9vcHRpb24pIHsKICAgIHByaW50KCJhbGxvd19vdmVybGF5X2xheWVyOiBwb2xpY3lfaWQgPSIsIHBvbGljeV9pZCwgInBvbGljeV9oYXNoID0iLCBwb2xpY3lfaGFzaCkKICAgIHByaW50KCJhbGxvd19vdmVybGF5X2xheWVyOiBpX29wdGlvbiA9IiwgaV9vcHRpb24pCgogICAgc3RhcnRzd2l0aChpX29wdGlvbiwgImlvLmthdGFjb250YWluZXJzLmZzLW9wdC5sYXllcj0iKQogICAgaV92YWx1ZSA6PSByZXBsYWNlKGlfb3B0aW9uLCAiaW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmxheWVyPSIsICIiKQogICAgaV92YWx1ZV9kZWNvZGVkIDo9IGJhc2U2NC5kZWNvZGUoaV92YWx1ZSkKICAgIHByaW50KCJhbGxvd19vdmVybGF5X2xheWVyOiBpX3ZhbHVlX2RlY29kZWQgPSIsIGlfdmFsdWVfZGVjb2RlZCkKCiAgICBwb2xpY3lfc3VmZml4IDo9IGNvbmNhdCgiPSIsIFsidGFyLHJvLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5ibG9ja19kZXZpY2U9ZmlsZSxpby5rYXRhY29udGFpbmVycy5mcy1vcHQuaXMtbGF5ZXIsaW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LnJvb3QtaGFzaCIsIHBvbGljeV9oYXNoXSkKICAgIHBfdmFsdWUgOj0gY29uY2F0KCIsIiwgW3BvbGljeV9pZCwgcG9saWN5X3N1ZmZpeF0pCiAgICBwcmludCgiYWxsb3dfb3ZlcmxheV9sYXllcjogcF92YWx1ZSA9IiwgcF92YWx1ZSkKCiAgICBwX3ZhbHVlID09IGlfdmFsdWVfZGVjb2RlZAoKICAgIHByaW50KCJhbGxvd19vdmVybGF5X2xheWVyOiB0cnVlIikKfQoKYWxsb3dfbW91bnRfcG9pbnQocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCwgbGF5ZXJfaWRzKSB7CiAgICBwX3N0b3JhZ2UuZnN0eXBlID09ICJ0YXIiCgogICAgc3RhcnRzd2l0aChwX3N0b3JhZ2UubW91bnRfcG9pbnQsICIkKGxheWVyIikKICAgIG1vdW50X3N1ZmZpeCA6PSB0cmltX2xlZnQocF9zdG9yYWdlLm1vdW50X3BvaW50LCAiJChsYXllciIpCgogICAgZW5kc3dpdGgobW91bnRfc3VmZml4LCAiKSIpCiAgICBsYXllcl9pbmRleCA6PSB0cmltX3JpZ2h0KG1vdW50X3N1ZmZpeCwgIikiKQogICAgaSA6PSB0b19udW1iZXIobGF5ZXJfaW5kZXgpCiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgMTogaSA9IiwgaSkKCiAgICBsYXllcl9pZCA6PSBsYXllcl9pZHNbaV0KICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAxOiBsYXllcl9pZCA9IiwgbGF5ZXJfaWQpCgogICAgcF9tb3VudCA6PSBjb25jYXQoIi8iLCBbIi9ydW4va2F0YS1jb250YWluZXJzL3NhbmRib3gvbGF5ZXJzIiwgbGF5ZXJfaWRdKQogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDE6IHBfbW91bnQgPSIsIHBfbW91bnQpCgogICAgcF9tb3VudCA9PSBpX3N0b3JhZ2UubW91bnRfcG9pbnQKCiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgMTogdHJ1ZSIpCn0KYWxsb3dfbW91bnRfcG9pbnQocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCwgbGF5ZXJfaWRzKSB7CiAgICBwX3N0b3JhZ2UuZnN0eXBlID09ICJmdXNlMy5rYXRhLW92ZXJsYXkiCgogICAgbW91bnQxIDo9IHJlcGxhY2UocF9zdG9yYWdlLm1vdW50X3BvaW50LCAiJChjcGF0aCkiLCBwb2xpY3lfZGF0YS5jb21tb24uY3BhdGgpCiAgICBtb3VudDIgOj0gcmVwbGFjZShtb3VudDEsICIkKGJ1bmRsZS1pZCkiLCBidW5kbGVfaWQpCiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgMjogbW91bnQyID0iLCBtb3VudDIpCgogICAgbW91bnQyID09IGlfc3RvcmFnZS5tb3VudF9wb2ludAoKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAyOiB0cnVlIikKfQphbGxvd19tb3VudF9wb2ludChwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgYnVuZGxlX2lkLCBzYW5kYm94X2lkLCBsYXllcl9pZHMpIHsKICAgIHBfc3RvcmFnZS5mc3R5cGUgPT0gImxvY2FsIgoKICAgIG1vdW50MSA6PSBwX3N0b3JhZ2UubW91bnRfcG9pbnQKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAzOiBtb3VudDEgPSIsIG1vdW50MSkKCiAgICBtb3VudDIgOj0gcmVwbGFjZShtb3VudDEsICIkKGNwYXRoKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5jcGF0aCkKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAzOiBtb3VudDIgPSIsIG1vdW50MikKCiAgICBtb3VudDMgOj0gcmVwbGFjZShtb3VudDIsICIkKHNhbmRib3gtaWQpIiwgc2FuZGJveF9pZCkKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAzOiBtb3VudDMgPSIsIG1vdW50MykKCiAgICByZWdleC5tYXRjaChtb3VudDMsIGlfc3RvcmFnZS5tb3VudF9wb2ludCkKCiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgMzogdHJ1ZSIpCn0KYWxsb3dfbW91bnRfcG9pbnQocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCwgbGF5ZXJfaWRzKSB7CiAgICBwX3N0b3JhZ2UuZnN0eXBlID09ICJiaW5kIgoKICAgIG1vdW50MSA6PSBwX3N0b3JhZ2UubW91bnRfcG9pbnQKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA0OiBtb3VudDEgPSIsIG1vdW50MSkKCiAgICBtb3VudDIgOj0gcmVwbGFjZShtb3VudDEsICIkKGNwYXRoKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5jcGF0aCkKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA0OiBtb3VudDIgPSIsIG1vdW50MikKCiAgICBtb3VudDMgOj0gcmVwbGFjZShtb3VudDIsICIkKGJ1bmRsZS1pZCkiLCBidW5kbGVfaWQpCiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgNDogbW91bnQzID0iLCBtb3VudDMpCgogICAgcmVnZXgubWF0Y2gobW91bnQzLCBpX3N0b3JhZ2UubW91bnRfcG9pbnQpCgogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDQ6IHRydWUiKQp9CmFsbG93X21vdW50X3BvaW50KHBfc3RvcmFnZSwgaV9zdG9yYWdlLCBidW5kbGVfaWQsIHNhbmRib3hfaWQsIGxheWVyX2lkcykgewogICAgcF9zdG9yYWdlLmZzdHlwZSA9PSAidG1wZnMiCgogICAgbW91bnQxIDo9IHBfc3RvcmFnZS5tb3VudF9wb2ludAogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDU6IG1vdW50MSA9IiwgbW91bnQxKQoKICAgIHJlZ2V4Lm1hdGNoKG1vdW50MSwgaV9zdG9yYWdlLm1vdW50X3BvaW50KQoKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA1OiB0cnVlIikKfQphbGxvd19tb3VudF9wb2ludChwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgYnVuZGxlX2lkLCBzYW5kYm94X2lkLCBsYXllcl9pZHMpIHsKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA2OiBpX3N0b3JhZ2UubW91bnRfcG9pbnQgPSIsIGlfc3RvcmFnZS5tb3VudF9wb2ludCkKICAgIGFsbG93X2RpcmVjdF92b2xfZHJpdmVyKHBfc3RvcmFnZSwgaV9zdG9yYWdlKQoKICAgIG1vdW50MSA6PSBwX3N0b3JhZ2UubW91bnRfcG9pbnQKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA2OiBtb3VudDEgPSIsIG1vdW50MSkKCiAgICBtb3VudDIgOj0gcmVwbGFjZShtb3VudDEsICIkKHNwYXRoKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5zcGF0aCkKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA2OiBtb3VudDIgPSIsIG1vdW50MikKCiAgICBkaXJlY3Rfdm9sX3BhdGggOj0gaV9zdG9yYWdlLnNvdXJjZQogICAgbW91bnQzIDo9IHJlcGxhY2UobW91bnQyLCAiJChiNjQtZGlyZWN0LXZvbC1wYXRoKSIsIGJhc2U2NHVybC5lbmNvZGUoZGlyZWN0X3ZvbF9wYXRoKSkKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA2OiBtb3VudDMgPSIsIG1vdW50MykKCiAgICBtb3VudDMgPT0gaV9zdG9yYWdlLm1vdW50X3BvaW50CgogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDY6IHRydWUiKQp9CgphbGxvd19kaXJlY3Rfdm9sX2RyaXZlcihwX3N0b3JhZ2UsIGlfc3RvcmFnZSkgewogICAgcHJpbnQoImFsbG93X2RpcmVjdF92b2xfZHJpdmVyIDE6IHN0YXJ0IikKICAgIHBfc3RvcmFnZS5kcml2ZXIgPT0gImJsayIKICAgIHByaW50KCJhbGxvd19kaXJlY3Rfdm9sX2RyaXZlciAxOiB0cnVlIikKfQphbGxvd19kaXJlY3Rfdm9sX2RyaXZlcihwX3N0b3JhZ2UsIGlfc3RvcmFnZSkgewogICAgcHJpbnQoImFsbG93X2RpcmVjdF92b2xfZHJpdmVyIDI6IHN0YXJ0IikKICAgIHBfc3RvcmFnZS5kcml2ZXIgPT0gInNtYiIKICAgIHByaW50KCJhbGxvd19kaXJlY3Rfdm9sX2RyaXZlciAyOiB0cnVlIikKfQoKIyBFeGVjUHJvY2Vzc1JlcXVlc3QucHJvY2Vzcy5DYXBhYmlsaXRpZXMKYWxsb3dfZXhlY19jYXBzKGlfY2FwcykgewogICAgbm90IGlfY2Fwcy5BbWJpZW50CiAgICBub3QgaV9jYXBzLkJvdW5kaW5nCiAgICBub3QgaV9jYXBzLkVmZmVjdGl2ZQogICAgbm90IGlfY2Fwcy5Jbmhlcml0YWJsZQogICAgbm90IGlfY2Fwcy5QZXJtaXR0ZWQKfQoKIyBPQ0kuUHJvY2Vzcy5DYXBhYmlsaXRpZXMKYWxsb3dfY2FwcyhwX2NhcHMsIGlfY2FwcykgewogICAgcHJpbnQoImFsbG93X2NhcHM6IHBvbGljeSBBbWJpZW50ID0iLCBwX2NhcHMuQW1iaWVudCkKICAgIHByaW50KCJhbGxvd19jYXBzOiBpbnB1dCBBbWJpZW50ID0iLCBpX2NhcHMuQW1iaWVudCkKICAgIG1hdGNoX2NhcHMocF9jYXBzLkFtYmllbnQsIGlfY2Fwcy5BbWJpZW50KQoKICAgIHByaW50KCJhbGxvd19jYXBzOiBwb2xpY3kgQm91bmRpbmcgPSIsIHBfY2Fwcy5Cb3VuZGluZykKICAgIHByaW50KCJhbGxvd19jYXBzOiBpbnB1dCBCb3VuZGluZyA9IiwgaV9jYXBzLkJvdW5kaW5nKQogICAgbWF0Y2hfY2FwcyhwX2NhcHMuQm91bmRpbmcsIGlfY2Fwcy5Cb3VuZGluZykKCiAgICBwcmludCgiYWxsb3dfY2FwczogcG9saWN5IEVmZmVjdGl2ZSA9IiwgcF9jYXBzLkVmZmVjdGl2ZSkKICAgIHByaW50KCJhbGxvd19jYXBzOiBpbnB1dCBFZmZlY3RpdmUgPSIsIGlfY2Fwcy5FZmZlY3RpdmUpCiAgICBtYXRjaF9jYXBzKHBfY2Fwcy5FZmZlY3RpdmUsIGlfY2Fwcy5FZmZlY3RpdmUpCgogICAgcHJpbnQoImFsbG93X2NhcHM6IHBvbGljeSBJbmhlcml0YWJsZSA9IiwgcF9jYXBzLkluaGVyaXRhYmxlKQogICAgcHJpbnQoImFsbG93X2NhcHM6IGlucHV0IEluaGVyaXRhYmxlID0iLCBpX2NhcHMuSW5oZXJpdGFibGUpCiAgICBtYXRjaF9jYXBzKHBfY2Fwcy5Jbmhlcml0YWJsZSwgaV9jYXBzLkluaGVyaXRhYmxlKQoKICAgIHByaW50KCJhbGxvd19jYXBzOiBwb2xpY3kgUGVybWl0dGVkID0iLCBwX2NhcHMuUGVybWl0dGVkKQogICAgcHJpbnQoImFsbG93X2NhcHM6IGlucHV0IFBlcm1pdHRlZCA9IiwgaV9jYXBzLlBlcm1pdHRlZCkKICAgIG1hdGNoX2NhcHMocF9jYXBzLlBlcm1pdHRlZCwgaV9jYXBzLlBlcm1pdHRlZCkKfQoKbWF0Y2hfY2FwcyhwX2NhcHMsIGlfY2FwcykgewogICAgcHJpbnQoIm1hdGNoX2NhcHMgMTogc3RhcnQiKQoKICAgIHBfY2FwcyA9PSBpX2NhcHMKCiAgICBwcmludCgibWF0Y2hfY2FwcyAxOiB0cnVlIikKfQptYXRjaF9jYXBzKHBfY2FwcywgaV9jYXBzKSB7CiAgICBwcmludCgibWF0Y2hfY2FwcyAyOiBzdGFydCIpCgogICAgY291bnQocF9jYXBzKSA9PSAxCiAgICBwX2NhcHNbMF0gPT0gIiQoZGVmYXVsdF9jYXBzKSIKCiAgICBwcmludCgibWF0Y2hfY2FwcyAyOiBkZWZhdWx0X2NhcHMgPSIsIHBvbGljeV9kYXRhLmNvbW1vbi5kZWZhdWx0X2NhcHMpCiAgICBwb2xpY3lfZGF0YS5jb21tb24uZGVmYXVsdF9jYXBzID09IGlfY2FwcwoKICAgIHByaW50KCJtYXRjaF9jYXBzIDI6IHRydWUiKQp9Cm1hdGNoX2NhcHMocF9jYXBzLCBpX2NhcHMpIHsKICAgIHByaW50KCJtYXRjaF9jYXBzIDM6IHN0YXJ0IikKCiAgICBjb3VudChwX2NhcHMpID09IDEKICAgIHBfY2Fwc1swXSA9PSAiJChwcml2aWxlZ2VkX2NhcHMpIgoKICAgIHByaW50KCJtYXRjaF9jYXBzIDM6IHByaXZpbGVnZWRfY2FwcyA9IiwgcG9saWN5X2RhdGEuY29tbW9uLnByaXZpbGVnZWRfY2FwcykKICAgIHBvbGljeV9kYXRhLmNvbW1vbi5wcml2aWxlZ2VkX2NhcHMgPT0gaV9jYXBzCgogICAgcHJpbnQoIm1hdGNoX2NhcHMgMzogdHJ1ZSIpCn0KCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMKY2hlY2tfZGlyZWN0b3J5X3RyYXZlcnNhbChpX3BhdGgpIHsKICAgIGNvbnRhaW5zKGlfcGF0aCwgIi4uLyIpID09IGZhbHNlCiAgICBlbmRzd2l0aChpX3BhdGgsICIvLi4iKSA9PSBmYWxzZQp9CgpjaGVja19zeW1saW5rX3NvdXJjZShpX3NyYykgewogICAgaV9zcmMgPT0gIiIKICAgIHByaW50KCJjaGVja19zeW1saW5rX3NvdXJjZSAxOiB0cnVlIikKfQpjaGVja19zeW1saW5rX3NvdXJjZShpX3NyYykgewogICAgaV9zcmMgIT0gIiIKICAgIHByaW50KCJjaGVja19zeW1saW5rX3NvdXJjZSAyOiBpX3NyYyA9IiwgaV9zcmMpCgogICAgcmVnZXgubWF0Y2gocG9saWN5X2RhdGEuY29tbW9uLnNfc291cmNlMSwgaV9zcmMpCgogICAgcHJpbnQoImNoZWNrX3N5bWxpbmtfc291cmNlIDI6IHRydWUiKQp9CmNoZWNrX3N5bWxpbmtfc291cmNlKGlfc3JjKSB7CiAgICBpX3NyYyAhPSAiIgogICAgcHJpbnQoImNoZWNrX3N5bWxpbmtfc291cmNlIDM6IGlfc3JjID0iLCBpX3NyYykKCiAgICByZWdleC5tYXRjaChwb2xpY3lfZGF0YS5jb21tb24uc19zb3VyY2UyLCBpX3NyYykKICAgIGNoZWNrX2RpcmVjdG9yeV90cmF2ZXJzYWwoaV9zcmMpCgogICAgcHJpbnQoImNoZWNrX3N5bWxpbmtfc291cmNlIDM6IHRydWUiKQp9CgphbGxvd19zYW5kYm94X3N0b3JhZ2VzKGlfc3RvcmFnZXMpIHsKICAgIHByaW50KCJhbGxvd19zYW5kYm94X3N0b3JhZ2VzOiBpX3N0b3JhZ2VzID0iLCBpX3N0b3JhZ2VzKQoKICAgIHBfc3RvcmFnZXMgOj0gcG9saWN5X2RhdGEuc2FuZGJveC5zdG9yYWdlcwogICAgZXZlcnkgaV9zdG9yYWdlIGluIGlfc3RvcmFnZXMgewogICAgICAgIGFsbG93X3NhbmRib3hfc3RvcmFnZShwX3N0b3JhZ2VzLCBpX3N0b3JhZ2UpCiAgICB9CgogICAgcHJpbnQoImFsbG93X3NhbmRib3hfc3RvcmFnZXM6IHRydWUiKQp9CgphbGxvd19zYW5kYm94X3N0b3JhZ2UocF9zdG9yYWdlcywgaV9zdG9yYWdlKSB7CiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9zdG9yYWdlOiBpX3N0b3JhZ2UgPSIsIGlfc3RvcmFnZSkKCiAgICBzb21lIHBfc3RvcmFnZSBpbiBwX3N0b3JhZ2VzCiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9zdG9yYWdlOiBwX3N0b3JhZ2UgPSIsIHBfc3RvcmFnZSkKICAgIGlfc3RvcmFnZSA9PSBwX3N0b3JhZ2UKCiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9zdG9yYWdlOiB0cnVlIikKfQoKQ29weUZpbGVSZXF1ZXN0IHsKICAgIHByaW50KCJDb3B5RmlsZVJlcXVlc3Q6IGlucHV0LnBhdGggPSIsIGlucHV0LnBhdGgpCgogICAgY2hlY2tfc3ltbGlua19zb3VyY2UoaW5wdXQuc3ltbGlua19zcmMpCiAgICBjaGVja19kaXJlY3RvcnlfdHJhdmVyc2FsKGlucHV0LnBhdGgpCgogICAgc29tZSByZWdleDEgaW4gcG9saWN5X2RhdGEucmVxdWVzdF9kZWZhdWx0cy5Db3B5RmlsZVJlcXVlc3QKICAgIHJlZ2V4MiA6PSByZXBsYWNlKHJlZ2V4MSwgIiQoc2ZwcmVmaXgpIiwgcG9saWN5X2RhdGEuY29tbW9uLnNmcHJlZml4KQogICAgcmVnZXgzIDo9IHJlcGxhY2UocmVnZXgyLCAiJChjcGF0aCkiLCBwb2xpY3lfZGF0YS5jb21tb24uY3BhdGgpCiAgICByZWdleDQgOj0gcmVwbGFjZShyZWdleDMsICIkKGJ1bmRsZS1pZCkiLCBCVU5ETEVfSUQpCiAgICBwcmludCgiQ29weUZpbGVSZXF1ZXN0OiByZWdleDQgPSIsIHJlZ2V4NCkKCiAgICByZWdleC5tYXRjaChyZWdleDQsIGlucHV0LnBhdGgpCgogICAgcHJpbnQoIkNvcHlGaWxlUmVxdWVzdDogdHJ1ZSIpCn0KCkNyZWF0ZVNhbmRib3hSZXF1ZXN0IHsKICAgIHByaW50KCJDcmVhdGVTYW5kYm94UmVxdWVzdDogaW5wdXQuZ3Vlc3RfaG9va19wYXRoID0iLCBpbnB1dC5ndWVzdF9ob29rX3BhdGgpCiAgICBjb3VudChpbnB1dC5ndWVzdF9ob29rX3BhdGgpID09IDAKCiAgICBwcmludCgiQ3JlYXRlU2FuZGJveFJlcXVlc3Q6IGlucHV0Lmtlcm5lbF9tb2R1bGVzID0iLCBpbnB1dC5rZXJuZWxfbW9kdWxlcykKICAgIGNvdW50KGlucHV0Lmtlcm5lbF9tb2R1bGVzKSA9PSAwCgogICAgaV9waWRucyA6PSBpbnB1dC5zYW5kYm94X3BpZG5zCiAgICBwcmludCgiQ3JlYXRlU2FuZGJveFJlcXVlc3Q6IGlfcGlkbnMgPSIsIGlfcGlkbnMpCiAgICBpX3BpZG5zID09IGZhbHNlCgogICAgYWxsb3dfc2FuZGJveF9zdG9yYWdlcyhpbnB1dC5zdG9yYWdlcykKfQoKYWxsb3dfZXhlYyhwX2NvbnRhaW5lciwgaV9wcm9jZXNzKSB7CiAgICBwcmludCgiYWxsb3dfZXhlYzogc3RhcnQiKQoKICAgIHBfb2NpID0gcF9jb250YWluZXIuT0NJCiAgICBwX3NfbmFtZSA9IHBfb2NpLkFubm90YXRpb25zW1NfTkFNRV9LRVldCiAgICBzX25hbWVzcGFjZSA9IGdldF9zdGF0ZV92YWwoIm5hbWVzcGFjZSIpCiAgICBhbGxvd19wcm9iZV9wcm9jZXNzKHBfb2NpLlByb2Nlc3MsIGlfcHJvY2VzcywgcF9zX25hbWUsIHNfbmFtZXNwYWNlKQoKICAgIHByaW50KCJhbGxvd19leGVjOiB0cnVlIikKfQoKYWxsb3dfaW50ZXJhY3RpdmVfZXhlYyhwX2NvbnRhaW5lciwgaV9wcm9jZXNzKSB7CiAgICBwcmludCgiYWxsb3dfaW50ZXJhY3RpdmVfZXhlYzogc3RhcnQiKQoKICAgIHBfb2NpID0gcF9jb250YWluZXIuT0NJCiAgICBwX3NfbmFtZSA9IHBfb2NpLkFubm90YXRpb25zW1NfTkFNRV9LRVldCiAgICBzX25hbWVzcGFjZSA9IGdldF9zdGF0ZV92YWwoIm5hbWVzcGFjZSIpCiAgICBhbGxvd19pbnRlcmFjdGl2ZV9wcm9jZXNzKHBfb2NpLlByb2Nlc3MsIGlfcHJvY2VzcywgcF9zX25hbWUsIHNfbmFtZXNwYWNlKQoKICAgIHByaW50KCJhbGxvd19pbnRlcmFjdGl2ZV9leGVjOiB0cnVlIikKfQoKIyBUT0RPOiBzaG91bGQgb3RoZXIgRXhlY1Byb2Nlc3NSZXF1ZXN0IGlucHV0IGRhdGEgZmllbGRzIGJlIHZhbGlkYXRlZCBhcyB3ZWxsPwpFeGVjUHJvY2Vzc1JlcXVlc3QgewogICAgcHJpbnQoIkV4ZWNQcm9jZXNzUmVxdWVzdCAxOiBpbnB1dCA9IiwgaW5wdXQpCgogICAgaV9jb21tYW5kID0gY29uY2F0KCIgIiwgaW5wdXQucHJvY2Vzcy5BcmdzKQogICAgcHJpbnQoIkV4ZWNQcm9jZXNzUmVxdWVzdCAxOiBpX2NvbW1hbmQgPSIsIGlfY29tbWFuZCkKCiAgICBzb21lIHBfY29tbWFuZCBpbiBwb2xpY3lfZGF0YS5yZXF1ZXN0X2RlZmF1bHRzLkV4ZWNQcm9jZXNzUmVxdWVzdC5jb21tYW5kcwogICAgcHJpbnQoIkV4ZWNQcm9jZXNzUmVxdWVzdCAxOiBwX2NvbW1hbmQgPSIsIHBfY29tbWFuZCkKICAgIHBfY29tbWFuZCA9PSBpX2NvbW1hbmQKCiAgICAjIFRPRE86IG1hdGNoIHBfY29udGFpbmVyJ3MgSUQgd2l0aCB0aGUgaW5wdXQgY29udGFpbmVyX2lkLgogICAgc29tZSBwX2NvbnRhaW5lciBpbiBwb2xpY3lfZGF0YS5jb250YWluZXJzCiAgICBhbGxvd19pbnRlcmFjdGl2ZV9leGVjKHBfY29udGFpbmVyLCBpbnB1dC5wcm9jZXNzKQoKICAgIHByaW50KCJFeGVjUHJvY2Vzc1JlcXVlc3QgMTogdHJ1ZSIpCn0KRXhlY1Byb2Nlc3NSZXF1ZXN0IHsKICAgIHByaW50KCJFeGVjUHJvY2Vzc1JlcXVlc3QgMjogaW5wdXQgPSIsIGlucHV0KQoKICAgICMgVE9ETzogbWF0Y2ggaW5wdXQgY29udGFpbmVyIElEIHdpdGggaXRzIGNvcnJlc3BvbmRpbmcgY29udGFpbmVyLmV4ZWNfY29tbWFuZHMuCiAgICBpX2NvbW1hbmQgPSBjb25jYXQoIiAiLCBpbnB1dC5wcm9jZXNzLkFyZ3MpCiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDI6IGlfY29tbWFuZCA9IiwgaV9jb21tYW5kKQoKICAgICMgVE9ETzogbWF0Y2ggcF9jb250YWluZXIncyBJRCB3aXRoIHRoZSBpbnB1dCBjb250YWluZXJfaWQuCiAgICBzb21lIHBfY29udGFpbmVyIGluIHBvbGljeV9kYXRhLmNvbnRhaW5lcnMKICAgIHNvbWUgcF9jb21tYW5kIGluIHBfY29udGFpbmVyLmV4ZWNfY29tbWFuZHMKICAgIHByaW50KCJFeGVjUHJvY2Vzc1JlcXVlc3QgMjogcF9jb21tYW5kID0iLCBwX2NvbW1hbmQpCiAgICBwX2NvbW1hbmQgPT0gaV9jb21tYW5kCgogICAgYWxsb3dfZXhlYyhwX2NvbnRhaW5lciwgaW5wdXQucHJvY2VzcykKCiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDI6IHRydWUiKQp9CkV4ZWNQcm9jZXNzUmVxdWVzdCB7CiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDM6IGlucHV0ID0iLCBpbnB1dCkKCiAgICBpX2NvbW1hbmQgPSBjb25jYXQoIiAiLCBpbnB1dC5wcm9jZXNzLkFyZ3MpCiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDM6IGlfY29tbWFuZCA9IiwgaV9jb21tYW5kKQoKICAgIHNvbWUgcF9yZWdleCBpbiBwb2xpY3lfZGF0YS5yZXF1ZXN0X2RlZmF1bHRzLkV4ZWNQcm9jZXNzUmVxdWVzdC5yZWdleAogICAgcHJpbnQoIkV4ZWNQcm9jZXNzUmVxdWVzdCAzOiBwX3JlZ2V4ID0iLCBwX3JlZ2V4KQoKICAgIHJlZ2V4Lm1hdGNoKHBfcmVnZXgsIGlfY29tbWFuZCkKCiAgICAjIFRPRE86IG1hdGNoIHBfY29udGFpbmVyJ3MgSUQgd2l0aCB0aGUgaW5wdXQgY29udGFpbmVyX2lkLgogICAgc29tZSBwX2NvbnRhaW5lciBpbiBwb2xpY3lfZGF0YS5jb250YWluZXJzCiAgICBhbGxvd19pbnRlcmFjdGl2ZV9leGVjKHBfY29udGFpbmVyLCBpbnB1dC5wcm9jZXNzKQoKICAgIHByaW50KCJFeGVjUHJvY2Vzc1JlcXVlc3QgMzogdHJ1ZSIpCn0KCkNsb3NlU3RkaW5SZXF1ZXN0IHsKICAgIHBvbGljeV9kYXRhLnJlcXVlc3RfZGVmYXVsdHMuQ2xvc2VTdGRpblJlcXVlc3QgPT0gdHJ1ZQp9CgpSZWFkU3RyZWFtUmVxdWVzdCB7CiAgICBwb2xpY3lfZGF0YS5yZXF1ZXN0X2RlZmF1bHRzLlJlYWRTdHJlYW1SZXF1ZXN0ID09IHRydWUKfQoKVXBkYXRlRXBoZW1lcmFsTW91bnRzUmVxdWVzdCB7CiAgICBwb2xpY3lfZGF0YS5yZXF1ZXN0X2RlZmF1bHRzLlVwZGF0ZUVwaGVtZXJhbE1vdW50c1JlcXVlc3QgPT0gdHJ1ZQp9CgpXcml0ZVN0cmVhbVJlcXVlc3QgewogICAgcG9saWN5X2RhdGEucmVxdWVzdF9kZWZhdWx0cy5Xcml0ZVN0cmVhbVJlcXVlc3QgPT0gdHJ1ZQp9Cgpwb2xpY3lfZGF0YSA6PSB7CiAgImNvbnRhaW5lcnMiOiBbCiAgICB7CiAgICAgICJPQ0kiOiB7CiAgICAgICAgIlZlcnNpb24iOiAiMS4xLjAtcmMuMSIsCiAgICAgICAgIlByb2Nlc3MiOiB7CiAgICAgICAgICAiVGVybWluYWwiOiBmYWxzZSwKICAgICAgICAgICJVc2VyIjogewogICAgICAgICAgICAiVUlEIjogNjU1MzUsCiAgICAgICAgICAgICJHSUQiOiA2NTUzNSwKICAgICAgICAgICAgIkFkZGl0aW9uYWxHaWRzIjogW10sCiAgICAgICAgICAgICJVc2VybmFtZSI6ICIiCiAgICAgICAgICB9LAogICAgICAgICAgIkFyZ3MiOiBbCiAgICAgICAgICAgICIvcGF1c2UiCiAgICAgICAgICBdLAogICAgICAgICAgIkVudiI6IFsKICAgICAgICAgICAgIlBBVEg9L3Vzci9sb2NhbC9zYmluOi91c3IvbG9jYWwvYmluOi91c3Ivc2JpbjovdXNyL2Jpbjovc2JpbjovYmluIgogICAgICAgICAgXSwKICAgICAgICAgICJDd2QiOiAiLyIsCiAgICAgICAgICAiQ2FwYWJpbGl0aWVzIjogewogICAgICAgICAgICAiQW1iaWVudCI6IFtdLAogICAgICAgICAgICAiQm91bmRpbmciOiBbCiAgICAgICAgICAgICAgIiQoZGVmYXVsdF9jYXBzKSIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgIkVmZmVjdGl2ZSI6IFsKICAgICAgICAgICAgICAiJChkZWZhdWx0X2NhcHMpIgogICAgICAgICAgICBdLAogICAgICAgICAgICAiSW5oZXJpdGFibGUiOiBbXSwKICAgICAgICAgICAgIlBlcm1pdHRlZCI6IFsKICAgICAgICAgICAgICAiJChkZWZhdWx0X2NhcHMpIgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgIk5vTmV3UHJpdmlsZWdlcyI6IHRydWUKICAgICAgICB9LAogICAgICAgICJSb290IjogewogICAgICAgICAgIlBhdGgiOiAiJChjcGF0aCkvJChidW5kbGUtaWQpIiwKICAgICAgICAgICJSZWFkb25seSI6IHRydWUKICAgICAgICB9LAogICAgICAgICJNb3VudHMiOiBbCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvcHJvYyIsCiAgICAgICAgICAgICJzb3VyY2UiOiAicHJvYyIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJwcm9jIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgIm5vc3VpZCIsCiAgICAgICAgICAgICAgIm5vZXhlYyIsCiAgICAgICAgICAgICAgIm5vZGV2IgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL2RldiIsCiAgICAgICAgICAgICJzb3VyY2UiOiAidG1wZnMiLAogICAgICAgICAgICAidHlwZV8iOiAidG1wZnMiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICAgICAic3RyaWN0YXRpbWUiLAogICAgICAgICAgICAgICJtb2RlPTc1NSIsCiAgICAgICAgICAgICAgInNpemU9NjU1MzZrIgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL2Rldi9wdHMiLAogICAgICAgICAgICAic291cmNlIjogImRldnB0cyIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJkZXZwdHMiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICAgICAibm9leGVjIiwKICAgICAgICAgICAgICAibmV3aW5zdGFuY2UiLAogICAgICAgICAgICAgICJwdG14bW9kZT0wNjY2IiwKICAgICAgICAgICAgICAibW9kZT0wNjIwIiwKICAgICAgICAgICAgICAiZ2lkPTUiCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvZGV2L3NobSIsCiAgICAgICAgICAgICJzb3VyY2UiOiAiL3J1bi9rYXRhLWNvbnRhaW5lcnMvc2FuZGJveC9zaG0iLAogICAgICAgICAgICAidHlwZV8iOiAiYmluZCIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJyYmluZCIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9kZXYvbXF1ZXVlIiwKICAgICAgICAgICAgInNvdXJjZSI6ICJtcXVldWUiLAogICAgICAgICAgICAidHlwZV8iOiAibXF1ZXVlIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgIm5vc3VpZCIsCiAgICAgICAgICAgICAgIm5vZXhlYyIsCiAgICAgICAgICAgICAgIm5vZGV2IgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL3N5cyIsCiAgICAgICAgICAgICJzb3VyY2UiOiAic3lzZnMiLAogICAgICAgICAgICAidHlwZV8iOiAic3lzZnMiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICAgICAibm9leGVjIiwKICAgICAgICAgICAgICAibm9kZXYiLAogICAgICAgICAgICAgICJybyIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9ldGMvcmVzb2x2LmNvbmYiLAogICAgICAgICAgICAic291cmNlIjogIiQoc2ZwcmVmaXgpcmVzb2x2LmNvbmYkIiwKICAgICAgICAgICAgInR5cGVfIjogImJpbmQiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAicmJpbmQiLAogICAgICAgICAgICAgICJybyIsCiAgICAgICAgICAgICAgIm5vc3VpZCIsCiAgICAgICAgICAgICAgIm5vZGV2IiwKICAgICAgICAgICAgICAibm9leGVjIgogICAgICAgICAgICBdCiAgICAgICAgICB9CiAgICAgICAgXSwKICAgICAgICAiQW5ub3RhdGlvbnMiOiB7CiAgICAgICAgICAiaW8ua2F0YWNvbnRhaW5lcnMucGtnLm9jaS5idW5kbGVfcGF0aCI6ICIvcnVuL2NvbnRhaW5lcmQvaW8uY29udGFpbmVyZC5ydW50aW1lLnYyLnRhc2svazhzLmlvLyQoYnVuZGxlLWlkKSIsCiAgICAgICAgICAiaW8ua2F0YWNvbnRhaW5lcnMucGtnLm9jaS5jb250YWluZXJfdHlwZSI6ICJwb2Rfc2FuZGJveCIsCiAgICAgICAgICAiaW8ua3ViZXJuZXRlcy5jcmkuY29udGFpbmVyLXR5cGUiOiAic2FuZGJveCIsCiAgICAgICAgICAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1pZCI6ICJeW2EtejAtOV17NjR9JCIsCiAgICAgICAgICAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1sb2ctZGlyZWN0b3J5IjogIl4vdmFyL2xvZy9wb2RzLyQoc2FuZGJveC1uYW1lc3BhY2UpXyQoc2FuZGJveC1uYW1lKV9bMC05YS1mXXs4fS1bMC05YS1mXXs0fS1bMC05YS1mXXs0fS1bMC05YS1mXXs0fS1bMC05YS1mXXsxMn0kIiwKICAgICAgICAgICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LW5hbWUiOiAiZXhlYy10ZXN0IiwKICAgICAgICAgICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LW5hbWVzcGFjZSI6ICIiLAogICAgICAgICAgIm5lcmRjdGwvbmV0d29yay1uYW1lc3BhY2UiOiAiXi92YXIvcnVuL25ldG5zL2NuaS1bMC05YS1mXXs4fS1bMC05YS1mXXs0fS1bMC05YS1mXXs0fS1bMC05YS1mXXs0fS1bMC05YS1mXXsxMn0kIgogICAgICAgIH0sCiAgICAgICAgIkxpbnV4IjogewogICAgICAgICAgIk5hbWVzcGFjZXMiOiBbCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICAiVHlwZSI6ICJpcGMiLAogICAgICAgICAgICAgICJQYXRoIjogIiIKICAgICAgICAgICAgfSwKICAgICAgICAgICAgewogICAgICAgICAgICAgICJUeXBlIjogInV0cyIsCiAgICAgICAgICAgICAgIlBhdGgiOiAiIgogICAgICAgICAgICB9LAogICAgICAgICAgICB7CiAgICAgICAgICAgICAgIlR5cGUiOiAibW91bnQiLAogICAgICAgICAgICAgICJQYXRoIjogIiIKICAgICAgICAgICAgfQogICAgICAgICAgXSwKICAgICAgICAgICJNYXNrZWRQYXRocyI6IFsKICAgICAgICAgICAgIi9wcm9jL2FjcGkiLAogICAgICAgICAgICAiL3Byb2MvYXNvdW5kIiwKICAgICAgICAgICAgIi9wcm9jL2tjb3JlIiwKICAgICAgICAgICAgIi9wcm9jL2tleXMiLAogICAgICAgICAgICAiL3Byb2MvbGF0ZW5jeV9zdGF0cyIsCiAgICAgICAgICAgICIvcHJvYy90aW1lcl9saXN0IiwKICAgICAgICAgICAgIi9wcm9jL3RpbWVyX3N0YXRzIiwKICAgICAgICAgICAgIi9wcm9jL3NjaGVkX2RlYnVnIiwKICAgICAgICAgICAgIi9zeXMvZmlybXdhcmUiLAogICAgICAgICAgICAiL3Byb2Mvc2NzaSIKICAgICAgICAgIF0sCiAgICAgICAgICAiUmVhZG9ubHlQYXRocyI6IFsKICAgICAgICAgICAgIi9wcm9jL2J1cyIsCiAgICAgICAgICAgICIvcHJvYy9mcyIsCiAgICAgICAgICAgICIvcHJvYy9pcnEiLAogICAgICAgICAgICAiL3Byb2Mvc3lzIiwKICAgICAgICAgICAgIi9wcm9jL3N5c3JxLXRyaWdnZXIiCiAgICAgICAgICBdCiAgICAgICAgfQogICAgICB9LAogICAgICAic3RvcmFnZXMiOiBbCiAgICAgICAgewogICAgICAgICAgImRyaXZlciI6ICJibGsiLAogICAgICAgICAgImRyaXZlcl9vcHRpb25zIjogW10sCiAgICAgICAgICAic291cmNlIjogIiIsCiAgICAgICAgICAiZnN0eXBlIjogInRhciIsCiAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgIiQoaGFzaDApIgogICAgICAgICAgXSwKICAgICAgICAgICJtb3VudF9wb2ludCI6ICIkKGxheWVyMCkiLAogICAgICAgICAgImZzX2dyb3VwIjogbnVsbAogICAgICAgIH0sCiAgICAgICAgewogICAgICAgICAgImRyaXZlciI6ICJvdmVybGF5ZnMiLAogICAgICAgICAgImRyaXZlcl9vcHRpb25zIjogW10sCiAgICAgICAgICAic291cmNlIjogIiIsCiAgICAgICAgICAiZnN0eXBlIjogImZ1c2UzLmthdGEtb3ZlcmxheSIsCiAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgIjVhNWFhZDgwMDU1ZmYyMDAxMmE1MGRjMjVmOGRmN2EyOTkyNDQ3NDMyNGQ2NWY3ZDUzMDZlZThlZTI3ZmY3MWQiLAogICAgICAgICAgICAiODE3MjUwZjFhM2UzMzZkYTc2ZjViZDNmYTc4NGUxYjI2ZDk1OWI5YzEzMTg3NjgxNWJhMjYwNDA0OGI3MGMxOCIKICAgICAgICAgIF0sCiAgICAgICAgICAibW91bnRfcG9pbnQiOiAiJChjcGF0aCkvJChidW5kbGUtaWQpIiwKICAgICAgICAgICJmc19ncm91cCI6IG51bGwKICAgICAgICB9CiAgICAgIF0sCiAgICAgICJzYW5kYm94X3BpZG5zIjogZmFsc2UsCiAgICAgICJleGVjX2NvbW1hbmRzIjogW10KICAgIH0sCiAgICB7CiAgICAgICJPQ0kiOiB7CiAgICAgICAgIlZlcnNpb24iOiAiMS4xLjAtcmMuMSIsCiAgICAgICAgIlByb2Nlc3MiOiB7CiAgICAgICAgICAiVGVybWluYWwiOiBmYWxzZSwKICAgICAgICAgICJVc2VyIjogewogICAgICAgICAgICAiVUlEIjogMCwKICAgICAgICAgICAgIkdJRCI6IDAsCiAgICAgICAgICAgICJBZGRpdGlvbmFsR2lkcyI6IFtdLAogICAgICAgICAgICAiVXNlcm5hbWUiOiAiIgogICAgICAgICAgfSwKICAgICAgICAgICJBcmdzIjogWwogICAgICAgICAgICAiL2Jpbi9zaCIsCiAgICAgICAgICAgICItYyIsCiAgICAgICAgICAgICJ3aGlsZSB0cnVlOyBkbyBlY2hvIEt1YmVybmV0ZXM7IHNsZWVwIDEwOyBkb25lIgogICAgICAgICAgXSwKICAgICAgICAgICJFbnYiOiBbCiAgICAgICAgICAgICJQQVRIPS91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL3NiaW46L3Vzci9iaW46L3NiaW46L2JpbiIsCiAgICAgICAgICAgICJIT1NUTkFNRT0kKGhvc3QtbmFtZSkiLAogICAgICAgICAgICAiUE9EX05BTUU9JChzYW5kYm94LW5hbWUpIiwKICAgICAgICAgICAgIlBPRF9OQU1FU1BBQ0U9JChzYW5kYm94LW5hbWVzcGFjZSkiLAogICAgICAgICAgICAiUE9EX0lQPSQocG9kLWlwKSIsCiAgICAgICAgICAgICJTRVJWSUNFX0FDQ09VTlQ9ZGVmYXVsdCIsCiAgICAgICAgICAgICJQUk9YWV9DT05GSUc9e31cbiIsCiAgICAgICAgICAgICJJU1RJT19NRVRBX1BPRF9QT1JUUz1bXG5dIiwKICAgICAgICAgICAgIklTVElPX01FVEFfQVBQX0NPTlRBSU5FUlM9c2VydmljZWFjbGllbnQiLAogICAgICAgICAgICAiSVNUSU9fTUVUQV9DTFVTVEVSX0lEPUt1YmVybmV0ZXMiLAogICAgICAgICAgICAiSVNUSU9fTUVUQV9OT0RFX05BTUU9JChub2RlLW5hbWUpIgogICAgICAgICAgXSwKICAgICAgICAgICJDd2QiOiAiLyIsCiAgICAgICAgICAiQ2FwYWJpbGl0aWVzIjogewogICAgICAgICAgICAiQW1iaWVudCI6IFtdLAogICAgICAgICAgICAiQm91bmRpbmciOiBbCiAgICAgICAgICAgICAgIiQocHJpdmlsZWdlZF9jYXBzKSIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgIkVmZmVjdGl2ZSI6IFsKICAgICAgICAgICAgICAiJChwcml2aWxlZ2VkX2NhcHMpIgogICAgICAgICAgICBdLAogICAgICAgICAgICAiSW5oZXJpdGFibGUiOiBbXSwKICAgICAgICAgICAgIlBlcm1pdHRlZCI6IFsKICAgICAgICAgICAgICAiJChwcml2aWxlZ2VkX2NhcHMpIgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgIk5vTmV3UHJpdmlsZWdlcyI6IGZhbHNlCiAgICAgICAgfSwKICAgICAgICAiUm9vdCI6IHsKICAgICAgICAgICJQYXRoIjogIiQoY3BhdGgpLyQoYnVuZGxlLWlkKSIsCiAgICAgICAgICAiUmVhZG9ubHkiOiBmYWxzZQogICAgICAgIH0sCiAgICAgICAgIk1vdW50cyI6IFsKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9wcm9jIiwKICAgICAgICAgICAgInNvdXJjZSI6ICJwcm9jIiwKICAgICAgICAgICAgInR5cGVfIjogInByb2MiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICAgICAibm9leGVjIiwKICAgICAgICAgICAgICAibm9kZXYiCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvZGV2IiwKICAgICAgICAgICAgInNvdXJjZSI6ICJ0bXBmcyIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJ0bXBmcyIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJub3N1aWQiLAogICAgICAgICAgICAgICJzdHJpY3RhdGltZSIsCiAgICAgICAgICAgICAgIm1vZGU9NzU1IiwKICAgICAgICAgICAgICAic2l6ZT02NTUzNmsiCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvZGV2L3B0cyIsCiAgICAgICAgICAgICJzb3VyY2UiOiAiZGV2cHRzIiwKICAgICAgICAgICAgInR5cGVfIjogImRldnB0cyIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJub3N1aWQiLAogICAgICAgICAgICAgICJub2V4ZWMiLAogICAgICAgICAgICAgICJuZXdpbnN0YW5jZSIsCiAgICAgICAgICAgICAgInB0bXhtb2RlPTA2NjYiLAogICAgICAgICAgICAgICJtb2RlPTA2MjAiLAogICAgICAgICAgICAgICJnaWQ9NSIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9kZXYvc2htIiwKICAgICAgICAgICAgInNvdXJjZSI6ICIvcnVuL2thdGEtY29udGFpbmVycy9zYW5kYm94L3NobSIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJiaW5kIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgInJiaW5kIgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL2Rldi9tcXVldWUiLAogICAgICAgICAgICAic291cmNlIjogIm1xdWV1ZSIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJtcXVldWUiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICAgICAibm9leGVjIiwKICAgICAgICAgICAgICAibm9kZXYiCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvc3lzIiwKICAgICAgICAgICAgInNvdXJjZSI6ICJzeXNmcyIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJzeXNmcyIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJub3N1aWQiLAogICAgICAgICAgICAgICJub2V4ZWMiLAogICAgICAgICAgICAgICJub2RldiIsCiAgICAgICAgICAgICAgInJ3IgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL3N5cy9mcy9jZ3JvdXAiLAogICAgICAgICAgICAic291cmNlIjogImNncm91cCIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJjZ3JvdXAiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICAgICAibm9leGVjIiwKICAgICAgICAgICAgICAibm9kZXYiLAogICAgICAgICAgICAgICJyZWxhdGltZSIsCiAgICAgICAgICAgICAgInJ3IgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL2V0Yy9ob3N0cyIsCiAgICAgICAgICAgICJzb3VyY2UiOiAiJChzZnByZWZpeClob3N0cyQiLAogICAgICAgICAgICAidHlwZV8iOiAiYmluZCIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJyYmluZCIsCiAgICAgICAgICAgICAgInJwcml2YXRlIiwKICAgICAgICAgICAgICAicnciCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvZGV2L3Rlcm1pbmF0aW9uLWxvZyIsCiAgICAgICAgICAgICJzb3VyY2UiOiAiJChzZnByZWZpeCl0ZXJtaW5hdGlvbi1sb2ckIiwKICAgICAgICAgICAgInR5cGVfIjogImJpbmQiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAicmJpbmQiLAogICAgICAgICAgICAgICJycHJpdmF0ZSIsCiAgICAgICAgICAgICAgInJ3IgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL2V0Yy9ob3N0bmFtZSIsCiAgICAgICAgICAgICJzb3VyY2UiOiAiJChzZnByZWZpeClob3N0bmFtZSQiLAogICAgICAgICAgICAidHlwZV8iOiAiYmluZCIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJyYmluZCIsCiAgICAgICAgICAgICAgInJwcml2YXRlIiwKICAgICAgICAgICAgICAicnciCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvZXRjL3Jlc29sdi5jb25mIiwKICAgICAgICAgICAgInNvdXJjZSI6ICIkKHNmcHJlZml4KXJlc29sdi5jb25mJCIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJiaW5kIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgInJiaW5kIiwKICAgICAgICAgICAgICAicnByaXZhdGUiLAogICAgICAgICAgICAgICJydyIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi92YXIvcnVuL3NlY3JldHMva3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudCIsCiAgICAgICAgICAgICJzb3VyY2UiOiAiJChzZnByZWZpeClzZXJ2aWNlYWNjb3VudCQiLAogICAgICAgICAgICAidHlwZV8iOiAiYmluZCIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJyYmluZCIsCiAgICAgICAgICAgICAgInJwcml2YXRlIiwKICAgICAgICAgICAgICAicm8iCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvdmFyL3J1bi9zZWNyZXRzL2F6dXJlL3Rva2VucyIsCiAgICAgICAgICAgICJzb3VyY2UiOiAiJChzZnByZWZpeCl0b2tlbnMkIiwKICAgICAgICAgICAgInR5cGVfIjogImJpbmQiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAicmJpbmQiLAogICAgICAgICAgICAgICJycHJpdmF0ZSIsCiAgICAgICAgICAgICAgInJvIgogICAgICAgICAgICBdCiAgICAgICAgICB9CiAgICAgICAgXSwKICAgICAgICAiQW5ub3RhdGlvbnMiOiB7CiAgICAgICAgICAiaW8ua2F0YWNvbnRhaW5lcnMucGtnLm9jaS5idW5kbGVfcGF0aCI6ICIvcnVuL2NvbnRhaW5lcmQvaW8uY29udGFpbmVyZC5ydW50aW1lLnYyLnRhc2svazhzLmlvLyQoYnVuZGxlLWlkKSIsCiAgICAgICAgICAiaW8ua2F0YWNvbnRhaW5lcnMucGtnLm9jaS5jb250YWluZXJfdHlwZSI6ICJwb2RfY29udGFpbmVyIiwKICAgICAgICAgICJpby5rdWJlcm5ldGVzLmNyaS5jb250YWluZXItbmFtZSI6ICJidXN5Ym94IiwKICAgICAgICAgICJpby5rdWJlcm5ldGVzLmNyaS5jb250YWluZXItdHlwZSI6ICJjb250YWluZXIiLAogICAgICAgICAgImlvLmt1YmVybmV0ZXMuY3JpLmltYWdlLW5hbWUiOiAibWNyLm1pY3Jvc29mdC5jb20vYWtzL2UyZS9saWJyYXJ5LWJ1c3lib3g6bWFzdGVyLjIyMDMxNC4xLWxpbnV4LWFtZDY0IiwKICAgICAgICAgICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LWlkIjogIl5bYS16MC05XXs2NH0kIiwKICAgICAgICAgICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LW5hbWUiOiAiZXhlYy10ZXN0IiwKICAgICAgICAgICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LW5hbWVzcGFjZSI6ICIiCiAgICAgICAgfSwKICAgICAgICAiTGludXgiOiB7CiAgICAgICAgICAiTmFtZXNwYWNlcyI6IFsKICAgICAgICAgICAgewogICAgICAgICAgICAgICJUeXBlIjogImlwYyIsCiAgICAgICAgICAgICAgIlBhdGgiOiAiIgogICAgICAgICAgICB9LAogICAgICAgICAgICB7CiAgICAgICAgICAgICAgIlR5cGUiOiAidXRzIiwKICAgICAgICAgICAgICAiUGF0aCI6ICIiCiAgICAgICAgICAgIH0sCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICAiVHlwZSI6ICJtb3VudCIsCiAgICAgICAgICAgICAgIlBhdGgiOiAiIgogICAgICAgICAgICB9CiAgICAgICAgICBdLAogICAgICAgICAgIk1hc2tlZFBhdGhzIjogW10sCiAgICAgICAgICAiUmVhZG9ubHlQYXRocyI6IFtdCiAgICAgICAgfQogICAgICB9LAogICAgICAic3RvcmFnZXMiOiBbCiAgICAgICAgewogICAgICAgICAgImRyaXZlciI6ICJibGsiLAogICAgICAgICAgImRyaXZlcl9vcHRpb25zIjogW10sCiAgICAgICAgICAic291cmNlIjogIiIsCiAgICAgICAgICAiZnN0eXBlIjogInRhciIsCiAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgIiQoaGFzaDApIgogICAgICAgICAgXSwKICAgICAgICAgICJtb3VudF9wb2ludCI6ICIkKGxheWVyMCkiLAogICAgICAgICAgImZzX2dyb3VwIjogbnVsbAogICAgICAgIH0sCiAgICAgICAgewogICAgICAgICAgImRyaXZlciI6ICJibGsiLAogICAgICAgICAgImRyaXZlcl9vcHRpb25zIjogW10sCiAgICAgICAgICAic291cmNlIjogIiIsCiAgICAgICAgICAiZnN0eXBlIjogInRhciIsCiAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgIiQoaGFzaDEpIgogICAgICAgICAgXSwKICAgICAgICAgICJtb3VudF9wb2ludCI6ICIkKGxheWVyMSkiLAogICAgICAgICAgImZzX2dyb3VwIjogbnVsbAogICAgICAgIH0sCiAgICAgICAgewogICAgICAgICAgImRyaXZlciI6ICJvdmVybGF5ZnMiLAogICAgICAgICAgImRyaXZlcl9vcHRpb25zIjogW10sCiAgICAgICAgICAic291cmNlIjogIiIsCiAgICAgICAgICAiZnN0eXBlIjogImZ1c2UzLmthdGEtb3ZlcmxheSIsCiAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgIjJjMzQyYTEzN2U2OTNjNzg5OGFlYzM2ZGExMDQ3ZjE5MWRjN2MxNjg3ZTY2MTk4YWRhY2M0MzljZjRhZGYzNzk6MjU3MGUzYTE5ZTFiZjIwZGRkYTQ1NDk4YTk2MjdmNjE1NTVkMmQ2YzAxNDc5YjliNzY0NjBiNjc5YjI3ZDU1MiIsCiAgICAgICAgICAgICI4NTY4YzcwYzBjY2ZlMDA1MTA5MmU4MThkYTc2OTExMWE1OTg4MmNkMTlkZDc5OWQzYmNhNWZmYTgyNzkxMDgwOmI2NDNiNjIxNzc0ODk4MzgzMGIyNmFjMTRhMzVhMzMyMmRkNTI4YzAwOTYzZWFhZGQ5MWVmNTVmNTEzZGM3M2YiCiAgICAgICAgICBdLAogICAgICAgICAgIm1vdW50X3BvaW50IjogIiQoY3BhdGgpLyQoYnVuZGxlLWlkKSIsCiAgICAgICAgICAiZnNfZ3JvdXAiOiBudWxsCiAgICAgICAgfQogICAgICBdLAogICAgICAic2FuZGJveF9waWRucyI6IGZhbHNlLAogICAgICAiZXhlY19jb21tYW5kcyI6IFsKICAgICAgICAiZWNobyAke0lTVElPX01FVEFfQVBQX0NPTlRBSU5FUlN9IiwKICAgICAgICAiZWNobyBSZWFkeSAke1BPRF9JUH0hIiwKICAgICAgICAiZWNobyAke0lTVElPX01FVEFfTk9ERV9OQU1FfSBzdGFydHVwIgogICAgICBdCiAgICB9CiAgXSwKICAiY29tbW9uIjogewogICAgImNwYXRoIjogIi9ydW4va2F0YS1jb250YWluZXJzL3NoYXJlZC9jb250YWluZXJzIiwKICAgICJzZnByZWZpeCI6ICJeJChjcGF0aCkvJChidW5kbGUtaWQpLVthLXowLTldezE2fS0iLAogICAgInNwYXRoIjogIi9ydW4va2F0YS1jb250YWluZXJzL3NhbmRib3gvc3RvcmFnZSIsCiAgICAiaXB2NF9hIjogIigoMjVbMC01XXwoMlswLTRdfDFcXGR8WzEtOV18KVxcZClcXC4/XFxiKXs0fSIsCiAgICAiaXBfcCI6ICJbMC05XXsxLDV9IiwKICAgICJzdmNfbmFtZSI6ICJbQS1aMC05X1xcLlxcLV0rIiwKICAgICJkbnNfbGFiZWwiOiAiW2EtekEtWjAtOV9cXC5cXC1dKyIsCiAgICAic19zb3VyY2UxIjogIl4uLjJbMC05XXszfV9bMC0xXVswLTldX1swLTNdWzAtOV1fWzAtMl1bMC05XV9bMC01XVswLTldX1swLTVdWzAtOV1cXC5bMC05XXsxLDEwfSQiLAogICAgInNfc291cmNlMiI6ICJeLi5kYXRhLyIsCiAgICAiZGVmYXVsdF9jYXBzIjogWwogICAgICAiQ0FQX0NIT1dOIiwKICAgICAgIkNBUF9EQUNfT1ZFUlJJREUiLAogICAgICAiQ0FQX0ZTRVRJRCIsCiAgICAgICJDQVBfRk9XTkVSIiwKICAgICAgIkNBUF9NS05PRCIsCiAgICAgICJDQVBfTkVUX1JBVyIsCiAgICAgICJDQVBfU0VUR0lEIiwKICAgICAgIkNBUF9TRVRVSUQiLAogICAgICAiQ0FQX1NFVEZDQVAiLAogICAgICAiQ0FQX1NFVFBDQVAiLAogICAgICAiQ0FQX05FVF9CSU5EX1NFUlZJQ0UiLAogICAgICAiQ0FQX1NZU19DSFJPT1QiLAogICAgICAiQ0FQX0tJTEwiLAogICAgICAiQ0FQX0FVRElUX1dSSVRFIgogICAgXSwKICAgICJwcml2aWxlZ2VkX2NhcHMiOiBbCiAgICAgICJDQVBfQ0hPV04iLAogICAgICAiQ0FQX0RBQ19PVkVSUklERSIsCiAgICAgICJDQVBfREFDX1JFQURfU0VBUkNIIiwKICAgICAgIkNBUF9GT1dORVIiLAogICAgICAiQ0FQX0ZTRVRJRCIsCiAgICAgICJDQVBfS0lMTCIsCiAgICAgICJDQVBfU0VUR0lEIiwKICAgICAgIkNBUF9TRVRVSUQiLAogICAgICAiQ0FQX1NFVFBDQVAiLAogICAgICAiQ0FQX0xJTlVYX0lNTVVUQUJMRSIsCiAgICAgICJDQVBfTkVUX0JJTkRfU0VSVklDRSIsCiAgICAgICJDQVBfTkVUX0JST0FEQ0FTVCIsCiAgICAgICJDQVBfTkVUX0FETUlOIiwKICAgICAgIkNBUF9ORVRfUkFXIiwKICAgICAgIkNBUF9JUENfTE9DSyIsCiAgICAgICJDQVBfSVBDX09XTkVSIiwKICAgICAgIkNBUF9TWVNfTU9EVUxFIiwKICAgICAgIkNBUF9TWVNfUkFXSU8iLAogICAgICAiQ0FQX1NZU19DSFJPT1QiLAogICAgICAiQ0FQX1NZU19QVFJBQ0UiLAogICAgICAiQ0FQX1NZU19QQUNDVCIsCiAgICAgICJDQVBfU1lTX0FETUlOIiwKICAgICAgIkNBUF9TWVNfQk9PVCIsCiAgICAgICJDQVBfU1lTX05JQ0UiLAogICAgICAiQ0FQX1NZU19SRVNPVVJDRSIsCiAgICAgICJDQVBfU1lTX1RJTUUiLAogICAgICAiQ0FQX1NZU19UVFlfQ09ORklHIiwKICAgICAgIkNBUF9NS05PRCIsCiAgICAgICJDQVBfTEVBU0UiLAogICAgICAiQ0FQX0FVRElUX1dSSVRFIiwKICAgICAgIkNBUF9BVURJVF9DT05UUk9MIiwKICAgICAgIkNBUF9TRVRGQ0FQIiwKICAgICAgIkNBUF9NQUNfT1ZFUlJJREUiLAogICAgICAiQ0FQX01BQ19BRE1JTiIsCiAgICAgICJDQVBfU1lTTE9HIiwKICAgICAgIkNBUF9XQUtFX0FMQVJNIiwKICAgICAgIkNBUF9CTE9DS19TVVNQRU5EIiwKICAgICAgIkNBUF9BVURJVF9SRUFEIiwKICAgICAgIkNBUF9QRVJGTU9OIiwKICAgICAgIkNBUF9CUEYiLAogICAgICAiQ0FQX0NIRUNLUE9JTlRfUkVTVE9SRSIKICAgIF0sCiAgICAidmlydGlvX2Jsa19zdG9yYWdlX2NsYXNzZXMiOiBbCiAgICAgICJjYy1sb2NhbC1jc2kiLAogICAgICAiY2MtbWFuYWdlZC1jc2kiLAogICAgICAiY2MtbWFuYWdlZC1wcmVtaXVtLWNzaSIKICAgIF0sCiAgICAic21iX3N0b3JhZ2VfY2xhc3NlcyI6IFsKICAgICAgewogICAgICAgICJuYW1lIjogImF6dXJlZmlsZS1jc2kta2F0YS1jYyIsCiAgICAgICAgIm1vdW50X29wdGlvbnMiOiBbCiAgICAgICAgICAiZGlyX21vZGU9MDc3NyIsCiAgICAgICAgICAiZmlsZV9tb2RlPTA3NzciLAogICAgICAgICAgIm1mc3ltbGlua3MiLAogICAgICAgICAgImNhY2hlPXN0cmljdCIsCiAgICAgICAgICAibm9zaGFyZXNvY2siLAogICAgICAgICAgImFjdGltZW89MzAiLAogICAgICAgICAgIm5vYnJsIgogICAgICAgIF0KICAgICAgfQogICAgXQogIH0sCiAgInNhbmRib3giOiB7CiAgICAic3RvcmFnZXMiOiBbCiAgICAgIHsKICAgICAgICAiZHJpdmVyIjogImVwaGVtZXJhbCIsCiAgICAgICAgImRyaXZlcl9vcHRpb25zIjogW10sCiAgICAgICAgInNvdXJjZSI6ICJzaG0iLAogICAgICAgICJmc3R5cGUiOiAidG1wZnMiLAogICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgIm5vZXhlYyIsCiAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICJub2RldiIsCiAgICAgICAgICAibW9kZT0xNzc3IiwKICAgICAgICAgICJzaXplPTY3MTA4ODY0IgogICAgICAgIF0sCiAgICAgICAgIm1vdW50X3BvaW50IjogIi9ydW4va2F0YS1jb250YWluZXJzL3NhbmRib3gvc2htIiwKICAgICAgICAiZnNfZ3JvdXAiOiBudWxsCiAgICAgIH0KICAgIF0KICB9LAogICJyZXF1ZXN0X2RlZmF1bHRzIjogewogICAgIkNyZWF0ZUNvbnRhaW5lclJlcXVlc3QiOiB7CiAgICAgICJhbGxvd19lbnZfcmVnZXgiOiBbCiAgICAgICAgIl5IT1NUTkFNRT0kKGRuc19sYWJlbCkkIiwKICAgICAgICAiXiQoc3ZjX25hbWUpX1BPUlRfJChpcF9wKV9UQ1A9dGNwOi8vJChpcHY0X2EpOiQoaXBfcCkkIiwKICAgICAgICAiXiQoc3ZjX25hbWUpX1BPUlRfJChpcF9wKV9UQ1BfUFJPVE89dGNwJCIsCiAgICAgICAgIl4kKHN2Y19uYW1lKV9QT1JUXyQoaXBfcClfVENQX1BPUlQ9JChpcF9wKSQiLAogICAgICAgICJeJChzdmNfbmFtZSlfUE9SVF8kKGlwX3ApX1RDUF9BRERSPSQoaXB2NF9hKSQiLAogICAgICAgICJeJChzdmNfbmFtZSlfU0VSVklDRV9IT1NUPSQoaXB2NF9hKSQiLAogICAgICAgICJeJChzdmNfbmFtZSlfU0VSVklDRV9QT1JUPSQoaXBfcCkkIiwKICAgICAgICAiXiQoc3ZjX25hbWUpX1NFUlZJQ0VfUE9SVF8kKGRuc19sYWJlbCk9JChpcF9wKSQiLAogICAgICAgICJeJChzdmNfbmFtZSlfUE9SVD10Y3A6Ly8kKGlwdjRfYSk6JChpcF9wKSQiLAogICAgICAgICJeQVpVUkVfQ0xJRU5UX0lEPVtBLUZhLWYwLTktXSokIiwKICAgICAgICAiXkFaVVJFX1RFTkFOVF9JRD1bQS1GYS1mMC05LV0qJCIsCiAgICAgICAgIl5BWlVSRV9GRURFUkFURURfVE9LRU5fRklMRT0vdmFyL3J1bi9zZWNyZXRzL2F6dXJlL3Rva2Vucy9henVyZS1pZGVudGl0eS10b2tlbiQiLAogICAgICAgICJeQVpVUkVfQVVUSE9SSVRZX0hPU1Q9aHR0cHM6Ly9sb2dpblxcLm1pY3Jvc29mdG9ubGluZVxcLmNvbS8kIiwKICAgICAgICAiXlRFUk09eHRlcm0kIgogICAgICBdCiAgICB9LAogICAgIkNvcHlGaWxlUmVxdWVzdCI6IFsKICAgICAgIiQoc2ZwcmVmaXgpIgogICAgXSwKICAgICJFeGVjUHJvY2Vzc1JlcXVlc3QiOiB7CiAgICAgICJjb21tYW5kcyI6IFtdLAogICAgICAicmVnZXgiOiBbXQogICAgfSwKICAgICJDbG9zZVN0ZGluUmVxdWVzdCI6IGZhbHNlLAogICAgIlJlYWRTdHJlYW1SZXF1ZXN0IjogdHJ1ZSwKICAgICJVcGRhdGVFcGhlbWVyYWxNb3VudHNSZXF1ZXN0IjogZmFsc2UsCiAgICAiV3JpdGVTdHJlYW1SZXF1ZXN0IjogZmFsc2UKICB9Cn0=
+    io.katacontainers.config.agent.policy: IyBDb3B5cmlnaHQgKGMpIDIwMjMgTWljcm9zb2Z0IENvcnBvcmF0aW9uCiMKIyBTUERYLUxpY2Vuc2UtSWRlbnRpZmllcjogQXBhY2hlLTIuMAojCnBhY2thZ2UgYWdlbnRfcG9saWN5CgppbXBvcnQgZnV0dXJlLmtleXdvcmRzLmluCmltcG9ydCBmdXR1cmUua2V5d29yZHMuZXZlcnkKCiMgRGVmYXVsdCB2YWx1ZXMsIHJldHVybmVkIGJ5IE9QQSB3aGVuIHJ1bGVzIGNhbm5vdCBiZSBldmFsdWF0ZWQgdG8gdHJ1ZS4KZGVmYXVsdCBBZGRBUlBOZWlnaGJvcnNSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgQWRkU3dhcFJlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBDbG9zZVN0ZGluUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IENvcHlGaWxlUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IENyZWF0ZUNvbnRhaW5lclJlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBQb2xpY3lDcmVhdGVDb250YWluZXJSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgQ3JlYXRlU2FuZGJveFJlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBEZXN0cm95U2FuZGJveFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IEV4ZWNQcm9jZXNzUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IEdldE9PTUV2ZW50UmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgR3Vlc3REZXRhaWxzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgTGlzdEludGVyZmFjZXNSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgTGlzdFJvdXRlc1JlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBNZW1Ib3RwbHVnQnlQcm9iZVJlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBPbmxpbmVDUFVNZW1SZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBQYXVzZUNvbnRhaW5lclJlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBSZWFkU3RyZWFtUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IFJlbW92ZUNvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFJlbW92ZVN0YWxlVmlydGlvZnNTaGFyZU1vdW50c1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFJlc2VlZFJhbmRvbURldlJlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBSZXN1bWVDb250YWluZXJSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgU2V0R3Vlc3REYXRlVGltZVJlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBTZXRQb2xpY3lSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgU2lnbmFsUHJvY2Vzc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFN0YXJ0Q29udGFpbmVyUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU3RhcnRUcmFjaW5nUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IFN0YXRzQ29udGFpbmVyUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU3RvcFRyYWNpbmdSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgVHR5V2luUmVzaXplUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgVXBkYXRlQ29udGFpbmVyUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IFVwZGF0ZUVwaGVtZXJhbE1vdW50c1JlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBVcGRhdGVJbnRlcmZhY2VSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBVcGRhdGVSb3V0ZXNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBXYWl0UHJvY2Vzc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFdyaXRlU3RyZWFtUmVxdWVzdCA6PSBmYWxzZQoKIyBBbGxvd1JlcXVlc3RzRmFpbGluZ1BvbGljeSA6PSB0cnVlIGNvbmZpZ3VyZXMgdGhlIEFnZW50IHRvICphbGxvdyBhbnkKIyByZXF1ZXN0cyBjYXVzaW5nIGEgcG9saWN5IGZhaWx1cmUqLiBUaGlzIGlzIGFuIHVuc2VjdXJlIGNvbmZpZ3VyYXRpb24KIyBidXQgaXMgdXNlZnVsIGZvciBhbGxvd2luZyB1bnNlY3VyZSBwb2RzIHRvIHN0YXJ0LCB0aGVuIGNvbm5lY3QgdG8KIyB0aGVtIGFuZCBpbnNwZWN0IE9QQSBsb2dzIGZvciB0aGUgcm9vdCBjYXVzZSBvZiBhIGZhaWx1cmUuCmRlZmF1bHQgQWxsb3dSZXF1ZXN0c0ZhaWxpbmdQb2xpY3kgOj0gZmFsc2UKCiMgQ29uc3RhbnRzClNfTkFNRV9LRVkgPSAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1uYW1lIgpTX05BTUVTUEFDRV9LRVkgPSAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1uYW1lc3BhY2UiCkJVTkRMRV9JRCA9ICJbYS16MC05XXs2NH0iCiMgZnJvbSBodHRwczovL2t1YmVybmV0ZXMuaW8vZG9jcy9jb25jZXB0cy9vdmVydmlldy93b3JraW5nLXdpdGgtb2JqZWN0cy9uYW1lcy8jZG5zLXN1YmRvbWFpbi1uYW1lcwojIGFuZCBodHRwczovL2dpdGh1Yi5jb20va3ViZXJuZXRlcy9rdWJlcm5ldGVzL2Jsb2IvODI5NGFiYzU5OTY5NmUwZDFiNWFhNzM0YWZhN2FlMWU0ZjUwNTlhMC9zdGFnaW5nL3NyYy9rOHMuaW8vYXBpbWFjaGluZXJ5L3BrZy91dGlsL3ZhbGlkYXRpb24vdmFsaWRhdGlvbi5nbyNMMTc3ClNVQkRPTUFJTl9OQU1FID0gIl5bYS16MC05XShbLWEtejAtOV0qW2EtejAtOV0pPyQiCkFMTE9XRURfU1VCRE9NQUlOX05BTUVTIDo9IFsiJChob3N0LW5hbWUpIiwgIiQobm9kZS1uYW1lKSIsICIkKHBvZC11aWQpIl0KQUxXQVlTX0FMTE9XRUQgPSBbIiQocmVzb3VyY2UtZmllbGQpIiwgIiQodG9kby1hbm5vdGF0aW9uKSJdCgpQb2xpY3lDcmVhdGVDb250YWluZXJSZXF1ZXN0Oj0gcmVzcCB7CiAgcmVzcCA9IENyZWF0ZUNvbnRhaW5lclJlcXVlc3RDb21tb24oaW5wdXQuYmFzZSkKICAxPT0yCiAgaV9lbnZfbWFwIDo9IGlucHV0LmVudl9tYXAKICBpX3Rva2VuaXplZF9hcmdzIDo9IGlucHV0LnRva2VuaXplZF9hcmdzCiAgc29tZSBwX2NvbnRhaW5lciBpbiBwb2xpY3lfZGF0YS5jb250YWluZXJzCiAgcF9lbnZfbWFwIDo9IHBfY29udGFpbmVyLmVudl9tYXAgIAogIGFsbG93X2Vudl9tYXAocF9lbnZfbWFwLCBpX2Vudl9tYXApCiAgCiAgcF90b2tlbml6ZWRfYXJncyA6PSBwX2NvbnRhaW5lci50b2tlbml6ZWRfYXJncwogIGFsbG93X3Rva2VuaXplZF9hcmdzKHBfdG9rZW5pemVkX2FyZ3MsIGlfdG9rZW5pemVkX2FyZ3MpCgogIHByaW50KCJQb2xpY3lDcmVhdGVDb250YWluZXJSZXF1ZXN0OiB0cnVlIikKfQoKYWxsb3dfdG9rZW5pemVkX2FyZ3MocF90b2tlbml6ZWRfYXJncywgaV90b2tlbml6ZWRfYXJncykgewogICAgZXZlcnkgaSwgaV90b2tlbml6ZWRfYXJnIGluIGlfdG9rZW5pemVkX2FyZ3MgewogICAgICBhbGxvd190b2tlbml6ZWRfYXJnKHBfdG9rZW5pemVkX2FyZ3NbaV0sIGlfdG9rZW5pemVkX2FyZykKICAgIH0KICAgIHByaW50KCJhbGxvd190b2tlbml6ZWRfYXJnczogdHJ1ZSIpCn0KCmFsbG93X3Rva2VuaXplZF9hcmcocF90b2tlbml6ZWRfYXJnLCBpX3Rva2VuaXplZF9hcmcpIHsKICAgIHByaW50KCJhbGxvd190b2tlbml6ZWRfYXJnOiBwX3Rva2VuaXplZF9hcmcgPSIsIHBfdG9rZW5pemVkX2FyZywgImlfdG9rZW5pemVkX2FyZyA9IiwgaV90b2tlbml6ZWRfYXJnKQogICAgZXZlcnkgaSwgaV90b2tlbiBpbiBpX3Rva2VuaXplZF9hcmcgewogICAgICBhbGxvd190b2tlbihwX3Rva2VuaXplZF9hcmdbaV0sIGlfdG9rZW4pCiAgICB9CiAgICBwcmludCgiYWxsb3dfdG9rZW5pemVkX2FyZzogdHJ1ZSIpCn0KCiMgQWxsb3cgZXhhY3QgbWF0Y2gKYWxsb3dfdG9rZW4ocF90b2tlbiwgaV90b2tlbikgewogICAgcF90b2tlbiA9PSBpX3Rva2VuCiAgICBwcmludCgiYWxsb3dfdG9rZW46IHRydWUiKQp9CgojIEFsbG93IHZhcmlhYmxlcyB0aGF0IHNob3VsZCBsb29rIGxpa2UgYSBzdWJkb21haW4gbmFtZQphbGxvd190b2tlbihwX3Rva2VuLCBpX3Rva2VuKSB7CiAgICBzb21lIGFsbG93ZWQgaW4gQUxMT1dFRF9TVUJET01BSU5fTkFNRVMKICAgIHBfdG9rZW4gPT0gYWxsb3dlZAogICAgcmVnZXgubWF0Y2goU1VCRE9NQUlOX05BTUUsIGlfdG9rZW4pCiAgICBwcmludCgiYWxsb3dfdG9rZW4yOiB0cnVlIikKfQoKYWxsb3dfZW52X21hcChwX2Vudl9tYXAsIGlfZW52X21hcCkgewogICAgZXZlcnkgZW52X2tleSwgZW52X3ZhbCBpbiBpX2Vudl9tYXAgewogICAgICBwcmludCgiYWxsb3dfZW52OiBlbnZfa2V5ID0iLCBlbnZfa2V5LCAiZW52X3ZhbCA9IiwgZW52X3ZhbCkKICAgICAgYWxsb3dfZW52X21hcF9lbnRyeShlbnZfa2V5LCBlbnZfdmFsLCBwX2Vudl9tYXApCiAgICB9CiAgICBwcmludCgiYWxsb3dfZW52X21hcDogdHJ1ZSIpCn0KCiMgQWxsb3cgZXhhY3QgbWF0Y2gKYWxsb3dfZW52X21hcF9lbnRyeShrZXksIGlfdmFsLCBwX2Vudl9tYXApIHsKICAgIHBfdmFsIDo9IHBfZW52X21hcFtrZXldCiAgICBpX3ZhbCA9PSBwX3ZhbAogICAgcHJpbnQoImFsbG93X2Vudl9tYXBfZW50cnk6IHRydWUiKQp9CgojIEFsbG93IHZhcmlhYmxlcyB0aGF0IHNob3VsZCBsb29rIGxpa2UgYSBzdWJkb21haW4gbmFtZQphbGxvd19lbnZfbWFwX2VudHJ5KGtleSwgaV92YWwsIHBfZW52X21hcCkgewogIHBfdmFsIDo9IHBfZW52X21hcFtrZXldCiAgc29tZSBhbGxvd2VkIGluIEFMTE9XRURfU1VCRE9NQUlOX05BTUVTCiAgcF92YWwgPT0gYWxsb3dlZAogIHJlZ2V4Lm1hdGNoKFNVQkRPTUFJTl9OQU1FLCBpX3ZhbCkKICBwcmludCgiYWxsb3dfZW52X21hcF9lbnRyeTI6IHRydWUiKQp9CgojIEFsbG93IGlucHV0IGVudiB2YXJpYWJsZXMgdGhhdCBtYXRjaCB3aXRoIGEgcmVxdWVzdF9kZWZhdWx0cyByZWdleC4KYWxsb3dfZW52X21hcF9lbnRyeShrZXksIGlfdmFsLCBwX2Vudl9tYXApIHsKICAgIHNvbWUgcF9yZWdleDEgaW4gcG9saWN5X2RhdGEucmVxdWVzdF9kZWZhdWx0cy5DcmVhdGVDb250YWluZXJSZXF1ZXN0LmFsbG93X2Vudl9yZWdleAogICAgcF9yZWdleDIgOj0gcmVwbGFjZShwX3JlZ2V4MSwgIiQoaXB2NF9hKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5pcHY0X2EpCiAgICBwX3JlZ2V4MyA6PSByZXBsYWNlKHBfcmVnZXgyLCAiJChpcF9wKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5pcF9wKQogICAgcF9yZWdleDQgOj0gcmVwbGFjZShwX3JlZ2V4MywgIiQoc3ZjX25hbWUpIiwgcG9saWN5X2RhdGEuY29tbW9uLnN2Y19uYW1lKQogICAgcF9yZWdleDUgOj0gcmVwbGFjZShwX3JlZ2V4NCwgIiQoZG5zX2xhYmVsKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5kbnNfbGFiZWwpCgogICAgcmVzdWx0IDo9IGNvbmNhdCgiPSIsIFtrZXksIGlfdmFsXSkKICAgIHJlZ2V4Lm1hdGNoKHBfcmVnZXg1LCByZXN1bHQpCgogICAgcHJpbnQoImFsbG93X2Vudl9tYXBfZW50cnkgMzogdHJ1ZSIpCn0KCiMgQWxsb3cgZmllbGRSZWYgImZpZWxkUGF0aDogc3RhdHVzLnBvZElQIiB2YWx1ZXMuCmFsbG93X2Vudl9tYXBfZW50cnkoa2V5LCBpX3ZhbCwgcF9lbnZfbWFwKSB7CiAgICBpc19pcChpX3ZhbCkKCiAgICBwX3ZhbCA6PSBwX2Vudl9tYXBba2V5XQogICAgcF92YXIgOj0gY29uY2F0KCI9IiwgW2tleSwgcF92YWxdKQogICAgYWxsb3dfcG9kX2lwX3ZhcihrZXksIHBfdmFyKQogICAgcHJpbnQoImFsbG93X2Vudl9tYXBfZW50cnkgNDogdHJ1ZSIpCn0KCiMgTWF0Y2ggaW5wdXQgd2l0aCBvbmUgb2YgdGhlIHBvbGljeSB2YXJpYWJsZXMsIGFmdGVyIHN1YnN0aXR1dGluZyAkKHNhbmRib3gtbmFtZSkuCmFsbG93X2Vudl9tYXBfZW50cnkoa2V5LCBpX3ZhbCwgcF9lbnZfbWFwKSB7CiAgICBzX25hbWUgOj0gaW5wdXQuYmFzZS5PQ0kuQW5ub3RhdGlvbnNbU19OQU1FX0tFWV0KICAgIHBfdmFsIDo9IHBfZW52X21hcFtrZXldCiAgICBwX3ZhcjIgOj0gcmVwbGFjZShwX3ZhbCwgIiQoc2FuZGJveC1uYW1lKSIsIHNfbmFtZSkKICAgIHBfdmFyMiA9PSBpX3ZhbAogICAgcHJpbnQoImFsbG93X2Vudl9tYXBfZW50cnkgNTogdHJ1ZSIpCn0KCiMgTWF0Y2ggaW5wdXQgd2l0aCBvbmUgb2YgdGhlIHBvbGljeSB2YXJpYWJsZXMsIGFmdGVyIHN1YnN0aXR1dGluZyAkKHNhbmRib3gtbmFtZXNwYWNlKS4KYWxsb3dfZW52X21hcF9lbnRyeShrZXksIGlfdmFsLCBwX2Vudl9tYXApIHsKICAgIHNfbmFtZXNwYWNlIDo9IGlucHV0LmJhc2UuT0NJLkFubm90YXRpb25zW1NfTkFNRVNQQUNFX0tFWV0KICAgIHBfdmFsIDo9IHBfZW52X21hcFtrZXldCiAgICBwX3ZhcjIgOj0gcmVwbGFjZShwX3ZhbCwgIiQoc2FuZGJveC1uYW1lc3BhY2UpIiwgc19uYW1lc3BhY2UpCiAgICBwX3ZhcjIgPT0gaV92YWwKICAgIHByaW50KCJhbGxvd19lbnZfbWFwX2VudHJ5IDY6IHRydWUiKQp9CgojIEFsbG93IGZpZWxkUmVmICJmaWVsZFBhdGg6IHN0YXR1cy5ob3N0SVAiIHZhbHVlcy4KYWxsb3dfZW52X21hcF9lbnRyeShrZXksIGlfdmFsLCBwX2Vudl9tYXApIHsKICAgIGlzX2lwKGlfdmFsKQoKICAgIHBfdmFsIDo9IHBfZW52X21hcFtrZXldCiAgICBwX3ZhciA6PSBjb25jYXQoIj0iLCBba2V5LCBwX3ZhbF0pCiAgICBhbGxvd19ob3N0X2lwX3ZhcihrZXksIHBfdmFyKQogICAgcHJpbnQoImFsbG93X2Vudl9tYXBfZW50cnkgNzogdHJ1ZSIpCn0KCiMgQWxsb3cgcmVzb3VyY2VGaWVsZFJlZiB2YWx1ZXMgKGUuZy4sICJsaW1pdHMuY3B1IikuCmFsbG93X2Vudl9tYXBfZW50cnkoa2V5LCBpX3ZhbCwgcF9lbnZfbWFwKSB7CiAgICBwX3ZhbCA6PSBwX2Vudl9tYXBba2V5XQogICAgIyBUT0RPOiBzaG91bGQgdGhlc2UgYmUgaGFuZGxlZCBpbiBhIGRpZmZlcmVudCB3YXk/CiAgICBzb21lIGFsbG93ZWQgaW4gQUxXQVlTX0FMTE9XRUQKICAgIHBfdmFsID09IGFsbG93ZWQKICAgICNyZWdleC5tYXRjaChTVUJET01BSU5fTkFNRSwgaV92YWwpCiAgICBwcmludCgiYWxsb3dfZW52X21hcF9lbnRyeTg6IHRydWUiKQp9CgpDcmVhdGVDb250YWluZXJSZXF1ZXN0Oj0gcmVzcCB7CiAgcmVzcCA9IENyZWF0ZUNvbnRhaW5lclJlcXVlc3RDb21tb24oaW5wdXQpCiAgcHJpbnQoIkNyZWF0ZUNvbnRhaW5lclJlcXVlc3Q6IHRydWUiKQp9CgpDcmVhdGVDb250YWluZXJSZXF1ZXN0Q29tbW9uKHJlcSk6PSB7Im9wcyI6IG9wcywgImFsbG93ZWQiOiB0cnVlfSB7CiAgICAjIENoZWNrIGlmIHRoZSBpbnB1dCByZXF1ZXN0IHNob3VsZCBiZSByZWplY3RlZCBldmVuIGJlZm9yZSBjaGVja2luZyB0aGUKICAgICMgcG9saWN5X2RhdGEuY29udGFpbmVycyBpbmZvcm1hdGlvbi4KICAgIGFsbG93X2NyZWF0ZV9jb250YWluZXJfaW5wdXQocmVxKQoKICAgIGlfb2NpIDo9IHJlcS5PQ0kKICAgIGlfc3RvcmFnZXMgOj0gcmVxLnN0b3JhZ2VzCgogICAgIyBhcnJheSBvZiBwb3NzaWJsZSBzdGF0ZSBvcGVyYXRpb25zCiAgICBvcHNfYnVpbGRlciA6PSBbXQoKICAgICMgY2hlY2sgc2FuZGJveCBuYW1lCiAgICBzYW5kYm94X25hbWUgPSBpX29jaS5Bbm5vdGF0aW9uc1tTX05BTUVfS0VZXQogICAgYWRkX3NhbmRib3hfbmFtZV90b19zdGF0ZSA6PSBzdGF0ZV9hbGxvd3MoInNhbmRib3hfbmFtZSIsIHNhbmRib3hfbmFtZSkKICAgIG9wc19idWlsZGVyMSA6PSBjb25jYXRfb3BfaWZfbm90X251bGwob3BzX2J1aWxkZXIsIGFkZF9zYW5kYm94X25hbWVfdG9fc3RhdGUpCgogICAgIyBDaGVjayBpZiBhbnkgZWxlbWVudCBmcm9tIHRoZSBwb2xpY3lfZGF0YS5jb250YWluZXJzIGFycmF5IGFsbG93cyB0aGUgaW5wdXQgcmVxdWVzdC4KICAgIHNvbWUgcF9jb250YWluZXIgaW4gcG9saWN5X2RhdGEuY29udGFpbmVycwogICAgcHJpbnQoIj09PT09PT09IENyZWF0ZUNvbnRhaW5lclJlcXVlc3Q6IHRyeWluZyBuZXh0IHBvbGljeSBjb250YWluZXIiKQoKICAgIHBfcGlkbnMgOj0gcF9jb250YWluZXIuc2FuZGJveF9waWRucwogICAgaV9waWRucyA6PSByZXEuc2FuZGJveF9waWRucwogICAgcHJpbnQoIkNyZWF0ZUNvbnRhaW5lclJlcXVlc3Q6IHBfcGlkbnMgPSIsIHBfcGlkbnMsICJpX3BpZG5zID0iLCBpX3BpZG5zKQogICAgcF9waWRucyA9PSBpX3BpZG5zCgogICAgcF9vY2kgOj0gcF9jb250YWluZXIuT0NJCgogICAgIyBjaGVjayBuYW1lc3BhY2UKICAgIHBfbmFtZXNwYWNlIDo9IHBfb2NpLkFubm90YXRpb25zW1NfTkFNRVNQQUNFX0tFWV0KICAgIGlfbmFtZXNwYWNlIDo9IGlfb2NpLkFubm90YXRpb25zW1NfTkFNRVNQQUNFX0tFWV0KICAgIHByaW50ICgiQ3JlYXRlQ29udGFpbmVyUmVxdWVzdDogcF9uYW1lc3BhY2UgPSIsIHBfbmFtZXNwYWNlLCAiaV9uYW1lc3BhY2UgPSIsIGlfbmFtZXNwYWNlKQogICAgYWRkX25hbWVzcGFjZV90b19zdGF0ZSA6PSBhbGxvd19uYW1lc3BhY2UocF9uYW1lc3BhY2UsIGlfbmFtZXNwYWNlKQogICAgb3BzIDo9IGNvbmNhdF9vcF9pZl9ub3RfbnVsbChvcHNfYnVpbGRlcjEsIGFkZF9uYW1lc3BhY2VfdG9fc3RhdGUpCgogICAgcHJpbnQoIkNyZWF0ZUNvbnRhaW5lclJlcXVlc3Q6IHAgVmVyc2lvbiA9IiwgcF9vY2kuVmVyc2lvbiwgImkgVmVyc2lvbiA9IiwgaV9vY2kuVmVyc2lvbikKICAgIHBfb2NpLlZlcnNpb24gPT0gaV9vY2kuVmVyc2lvbgoKICAgIHByaW50KCJDcmVhdGVDb250YWluZXJSZXF1ZXN0OiBwIFJlYWRvbmx5ID0iLCBwX29jaS5Sb290LlJlYWRvbmx5LCAiaSBSZWFkb25seSA9IiwgaV9vY2kuUm9vdC5SZWFkb25seSkKICAgIHBfb2NpLlJvb3QuUmVhZG9ubHkgPT0gaV9vY2kuUm9vdC5SZWFkb25seQoKICAgIGFsbG93X2Fubm8ocF9vY2ksIGlfb2NpKQoKICAgIHBfc3RvcmFnZXMgOj0gcF9jb250YWluZXIuc3RvcmFnZXMKICAgIGFsbG93X2J5X2Fubm8ocF9vY2ksIGlfb2NpLCBwX3N0b3JhZ2VzLCBpX3N0b3JhZ2VzKQoKICAgIGFsbG93X2xpbnV4KHBfb2NpLCBpX29jaSkKCiAgICBwcmludCgiQ3JlYXRlQ29udGFpbmVyUmVxdWVzdENvbW1vbjogdHJ1ZSIpCn0KCmFsbG93X2NyZWF0ZV9jb250YWluZXJfaW5wdXQocmVxKSB7CiAgICBwcmludCgiYWxsb3dfY3JlYXRlX2NvbnRhaW5lcl9pbnB1dDogaW5wdXQgPSIsIHJlcSkKICAgIGNvdW50KHJlcS5zaGFyZWRfbW91bnRzKSA9PSAwCiAgICBpc19udWxsKHJlcS5zdHJpbmdfdXNlcikKCiAgICBpX29jaSA6PSByZXEuT0NJCiAgICBpc19udWxsKGlfb2NpLkhvb2tzKQogICAgaXNfbnVsbChpX29jaS5Tb2xhcmlzKQogICAgaXNfbnVsbChpX29jaS5XaW5kb3dzKQoKICAgIGlfbGludXggOj0gaV9vY2kuTGludXgKICAgIGNvdW50KGlfbGludXguR0lETWFwcGluZ3MpID09IDAKICAgIGNvdW50KGlfbGludXguTW91bnRMYWJlbCkgPT0gMAogICAgY291bnQoaV9saW51eC5SZXNvdXJjZXMuRGV2aWNlcykgPT0gMAogICAgY291bnQoaV9saW51eC5Sb290ZnNQcm9wYWdhdGlvbikgPT0gMAogICAgY291bnQoaV9saW51eC5VSURNYXBwaW5ncykgPT0gMAogICAgaXNfbnVsbChpX2xpbnV4LkludGVsUmR0KQogICAgaXNfbnVsbChpX2xpbnV4LlJlc291cmNlcy5CbG9ja0lPKQogICAgaXNfbnVsbChpX2xpbnV4LlJlc291cmNlcy5OZXR3b3JrKQogICAgaXNfbnVsbChpX2xpbnV4LlJlc291cmNlcy5QaWRzKQogICAgaXNfbnVsbChpX2xpbnV4LlNlY2NvbXApCiAgICBpX2xpbnV4LlN5c2N0bCA9PSB7fQoKICAgIGlfcHJvY2VzcyA6PSBpX29jaS5Qcm9jZXNzCiAgICBjb3VudChpX3Byb2Nlc3MuU2VsaW51eExhYmVsKSA9PSAwCiAgICBjb3VudChpX3Byb2Nlc3MuVXNlci5Vc2VybmFtZSkgPT0gMAoKICAgIHByaW50KCJhbGxvd19jcmVhdGVfY29udGFpbmVyX2lucHV0OiB0cnVlIikKfQoKYWxsb3dfbmFtZXNwYWNlKHBfbmFtZXNwYWNlLCBpX25hbWVzcGFjZSkgPSBhZGRfbmFtZXNwYWNlIHsKICAgIHBfbmFtZXNwYWNlID09IGlfbmFtZXNwYWNlCiAgICBhZGRfbmFtZXNwYWNlIDo9IG51bGwKICAgIHByaW50KCJhbGxvd19uYW1lc3BhY2UgMTogaW5wdXQgbmFtZXNwYWNlIG1hdGNoZXMgcG9saWN5IGRhdGEiKQp9CgphbGxvd19uYW1lc3BhY2UocF9uYW1lc3BhY2UsIGlfbmFtZXNwYWNlKSA9IGFkZF9uYW1lc3BhY2UgewogICAgcF9uYW1lc3BhY2UgPT0gIiIKICAgIHByaW50KCJhbGxvd19uYW1lc3BhY2UgMjogbm8gbmFtZXNwYWNlIGZvdW5kIG9uIHBvbGljeSBkYXRhIikKICAgIGFkZF9uYW1lc3BhY2UgOj0gc3RhdGVfYWxsb3dzKCJuYW1lc3BhY2UiLCBpX25hbWVzcGFjZSkKfQoKIyB2YWx1ZSBoYXNuJ3QgYmVlbiBzZWVuIGJlZm9yZSwgc2F2ZSBpdCB0byBzdGF0ZQpzdGF0ZV9hbGxvd3Moa2V5LCB2YWx1ZSkgPSBhY3Rpb24gewogIHN0YXRlIDo9IGdldF9zdGF0ZSgpCiAgbm90IHN0YXRlW2tleV0KICBwcmludCgic3RhdGVfYWxsb3dzOiBzYXZpbmcgdG8gc3RhdGUga2V5ID0iLCBrZXksICJ2YWx1ZSA9IiwgdmFsdWUpCiAgcGF0aCA6PSBnZXRfc3RhdGVfcGF0aChrZXkpIAogIGFjdGlvbiA6PSB7CiAgICAib3AiOiAiYWRkIiwKICAgICJwYXRoIjogcGF0aCwgCiAgICAidmFsdWUiOiB2YWx1ZSwKICB9Cn0KCiMgdmFsdWUgbWF0Y2hlcyB3aGF0J3MgaW4gc3RhdGUsIGFsbG93IGl0CnN0YXRlX2FsbG93cyhrZXksIHZhbHVlKSA9IGFjdGlvbiB7CiAgc3RhdGUgOj0gZ2V0X3N0YXRlKCkKICB2YWx1ZSA9PSBzdGF0ZVtrZXldCiAgcHJpbnQoInN0YXRlX2FsbG93czogZm91bmQga2V5ID0iLCBrZXksICJ2YWx1ZSA9IiwgdmFsdWUsICIgaW4gc3RhdGUiKQogIGFjdGlvbiA6PSBudWxsCn0KCiMgaGVscGVyIGZ1bmN0aW9ucyB0byBpbnRlcmFjdCB3aXRoIHRoZSBzdGF0ZQpnZXRfc3RhdGUoKSA9IHN0YXRlIHsKICBzdGF0ZSA6PSBkYXRhWyJwc3RhdGUiXQp9CgpnZXRfc3RhdGVfdmFsKGtleSkgPSB2YWx1ZSB7CiAgICBzdGF0ZSA6PSBnZXRfc3RhdGUoKQogICAgdmFsdWUgOj0gc3RhdGVba2V5XQp9CgpnZXRfc3RhdGVfcGF0aChrZXkpID0gcGF0aCB7CiAgICAjIHByZXBlbmQgIi9wc3RhdGUvIiB0byBrZXkKICAgIHBhdGggOj0gY29uY2F0KCIvIiwgWyIvcHN0YXRlIiwga2V5XSkKfQoKIyBIZWxwZXIgZnVuY3Rpb25zIHRvIGNvbmRpdGlvbmFsbHkgY29uY2F0ZW5hdGUgaWYgb3AgaXMgbm90IG51bGwKY29uY2F0X29wX2lmX25vdF9udWxsKG9wcywgb3ApID0gcmVzdWx0IHsKICAgIG9wID09IG51bGwKICAgIHJlc3VsdCA6PSBvcHMKfQoKY29uY2F0X29wX2lmX25vdF9udWxsKG9wcywgb3ApID0gcmVzdWx0IHsKICAgIG9wICE9IG51bGwKICAgIHJlc3VsdCA6PSBhcnJheS5jb25jYXQob3BzLCBbb3BdKQp9CgojIFJlamVjdCB1bmV4cGVjdGVkIGFubm90YXRpb25zLgphbGxvd19hbm5vKHBfb2NpLCBpX29jaSkgewogICAgcHJpbnQoImFsbG93X2Fubm8gMTogc3RhcnQiKQoKICAgIG5vdCBpX29jaS5Bbm5vdGF0aW9ucwoKICAgIHByaW50KCJhbGxvd19hbm5vIDE6IHRydWUiKQp9CmFsbG93X2Fubm8ocF9vY2ksIGlfb2NpKSB7CiAgICBwcmludCgiYWxsb3dfYW5ubyAyOiBwIEFubm90YXRpb25zID0iLCBwX29jaS5Bbm5vdGF0aW9ucykKICAgIHByaW50KCJhbGxvd19hbm5vIDI6IGkgQW5ub3RhdGlvbnMgPSIsIGlfb2NpLkFubm90YXRpb25zKQoKICAgIGlfa2V5cyA6PSBvYmplY3Qua2V5cyhpX29jaS5Bbm5vdGF0aW9ucykKICAgIHByaW50KCJhbGxvd19hbm5vIDI6IGkga2V5cyA9IiwgaV9rZXlzKQoKICAgIGV2ZXJ5IGlfa2V5IGluIGlfa2V5cyB7CiAgICAgICAgYWxsb3dfYW5ub19rZXkoaV9rZXksIHBfb2NpKQogICAgfQoKICAgIHByaW50KCJhbGxvd19hbm5vIDI6IHRydWUiKQp9CgphbGxvd19hbm5vX2tleShpX2tleSwgcF9vY2kpIHsKICAgIHByaW50KCJhbGxvd19hbm5vX2tleSAxOiBpIGtleSA9IiwgaV9rZXkpCgogICAgc3RhcnRzd2l0aChpX2tleSwgImlvLmt1YmVybmV0ZXMuY3JpLiIpCgogICAgcHJpbnQoImFsbG93X2Fubm9fa2V5IDE6IHRydWUiKQp9CmFsbG93X2Fubm9fa2V5KGlfa2V5LCBwX29jaSkgewogICAgcHJpbnQoImFsbG93X2Fubm9fa2V5IDI6IGkga2V5ID0iLCBpX2tleSkKCiAgICBzb21lIHBfa2V5LCBfIGluIHBfb2NpLkFubm90YXRpb25zCiAgICBwX2tleSA9PSBpX2tleQoKICAgIHByaW50KCJhbGxvd19hbm5vX2tleSAyOiB0cnVlIikKfQoKIyBHZXQgdGhlIHZhbHVlIG9mIHRoZSBTX05BTUVfS0VZIGFubm90YXRpb24gYW5kCiMgY29ycmVsYXRlIGl0IHdpdGggb3RoZXIgYW5ub3RhdGlvbnMgYW5kIHByb2Nlc3MgZmllbGRzLgphbGxvd19ieV9hbm5vKHBfb2NpLCBpX29jaSwgcF9zdG9yYWdlcywgaV9zdG9yYWdlcykgewogICAgcHJpbnQoImFsbG93X2J5X2Fubm8gMTogc3RhcnQiKQoKICAgIG5vdCBwX29jaS5Bbm5vdGF0aW9uc1tTX05BTUVfS0VZXQoKICAgIGlfc19uYW1lIDo9IGlfb2NpLkFubm90YXRpb25zW1NfTkFNRV9LRVldCiAgICBwcmludCgiYWxsb3dfYnlfYW5ubyAxOiBpX3NfbmFtZSA9IiwgaV9zX25hbWUpCgogICAgaV9zX25hbWVzcGFjZSA6PSBpX29jaS5Bbm5vdGF0aW9uc1tTX05BTUVTUEFDRV9LRVldCiAgICBwcmludCgiYWxsb3dfYnlfYW5ubyAxOiBpX3NfbmFtZXNwYWNlID0iLCBpX3NfbmFtZXNwYWNlKQoKICAgIGFsbG93X2J5X3NhbmRib3hfbmFtZShwX29jaSwgaV9vY2ksIHBfc3RvcmFnZXMsIGlfc3RvcmFnZXMsIGlfc19uYW1lLCBpX3NfbmFtZXNwYWNlKQoKICAgIHByaW50KCJhbGxvd19ieV9hbm5vIDE6IHRydWUiKQp9CmFsbG93X2J5X2Fubm8ocF9vY2ksIGlfb2NpLCBwX3N0b3JhZ2VzLCBpX3N0b3JhZ2VzKSB7CiAgICBwcmludCgiYWxsb3dfYnlfYW5ubyAyOiBzdGFydCIpCgogICAgcF9zX25hbWUgOj0gcF9vY2kuQW5ub3RhdGlvbnNbU19OQU1FX0tFWV0KICAgIGlfc19uYW1lIDo9IGlfb2NpLkFubm90YXRpb25zW1NfTkFNRV9LRVldCiAgICBwcmludCgiYWxsb3dfYnlfYW5ubyAyOiBpX3NfbmFtZSA9IiwgaV9zX25hbWUsICJwX3NfbmFtZSA9IiwgcF9zX25hbWUpCgogICAgYWxsb3dfc2FuZGJveF9uYW1lKHBfc19uYW1lLCBpX3NfbmFtZSkKCiAgICBpX3NfbmFtZXNwYWNlIDo9IGlfb2NpLkFubm90YXRpb25zW1NfTkFNRVNQQUNFX0tFWV0KICAgIHByaW50KCJhbGxvd19ieV9hbm5vIDI6IGlfc19uYW1lc3BhY2UgPSIsIGlfc19uYW1lc3BhY2UpCgogICAgYWxsb3dfYnlfc2FuZGJveF9uYW1lKHBfb2NpLCBpX29jaSwgcF9zdG9yYWdlcywgaV9zdG9yYWdlcywgaV9zX25hbWUsIGlfc19uYW1lc3BhY2UpCgogICAgcHJpbnQoImFsbG93X2J5X2Fubm8gMjogdHJ1ZSIpCn0KCmFsbG93X2J5X3NhbmRib3hfbmFtZShwX29jaSwgaV9vY2ksIHBfc3RvcmFnZXMsIGlfc3RvcmFnZXMsIHNfbmFtZSwgc19uYW1lc3BhY2UpIHsKICAgIHByaW50KCJhbGxvd19ieV9zYW5kYm94X25hbWU6IHN0YXJ0IikKCiAgICBpX25hbWVzcGFjZSA6PSBpX29jaS5Bbm5vdGF0aW9uc1tTX05BTUVTUEFDRV9LRVldCgogICAgYWxsb3dfYnlfY29udGFpbmVyX3R5cGVzKHBfb2NpLCBpX29jaSwgc19uYW1lLCBpX25hbWVzcGFjZSkKICAgIGFsbG93X2J5X2J1bmRsZV9vcl9zYW5kYm94X2lkKHBfb2NpLCBpX29jaSwgcF9zdG9yYWdlcywgaV9zdG9yYWdlcykKICAgIGFsbG93X3Byb2Nlc3MocF9vY2kuUHJvY2VzcywgaV9vY2kuUHJvY2Vzcywgc19uYW1lLCBzX25hbWVzcGFjZSkKCiAgICBwcmludCgiYWxsb3dfYnlfc2FuZGJveF9uYW1lOiB0cnVlIikKfQoKYWxsb3dfc2FuZGJveF9uYW1lKHBfc19uYW1lLCBpX3NfbmFtZSkgewogICAgcHJpbnQoImFsbG93X3NhbmRib3hfbmFtZSAxOiBzdGFydCIpCgogICAgcF9zX25hbWUgPT0gaV9zX25hbWUKCiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9uYW1lIDE6IHRydWUiKQp9CmFsbG93X3NhbmRib3hfbmFtZShwX3NfbmFtZSwgaV9zX25hbWUpIHsKICAgIHByaW50KCJhbGxvd19zYW5kYm94X25hbWUgMjogc3RhcnQiKQoKICAgICMgVE9ETzogc2hvdWxkIGdlbmVyYXRlZCBuYW1lcyBiZSBoYW5kbGVkIGRpZmZlcmVudGx5PwogICAgY29udGFpbnMocF9zX25hbWUsICIkKGdlbmVyYXRlZC1uYW1lKSIpCgogICAgcHJpbnQoImFsbG93X3NhbmRib3hfbmFtZSAyOiB0cnVlIikKfQoKIyBDaGVjayB0aGF0IHRoZSAiaW8ua3ViZXJuZXRlcy5jcmkuY29udGFpbmVyLXR5cGUiIGFuZAojICJpby5rYXRhY29udGFpbmVycy5wa2cub2NpLmNvbnRhaW5lcl90eXBlIiBhbm5vdGF0aW9ucyBkZXNpZ25hdGUgdGhlCiMgZXhwZWN0ZWQgdHlwZSAtIGVpdGhlciBhICJzYW5kYm94IiBvciBhICJjb250YWluZXIiLiBUaGVuLCB2YWxpZGF0ZQojIG90aGVyIGFubm90YXRpb25zIGJhc2VkIG9uIHRoZSBhY3R1YWwgInNhbmRib3giIG9yICJjb250YWluZXIiIHZhbHVlCiMgZnJvbSB0aGUgaW5wdXQgY29udGFpbmVyLgphbGxvd19ieV9jb250YWluZXJfdHlwZXMocF9vY2ksIGlfb2NpLCBzX25hbWUsIHNfbmFtZXNwYWNlKSB7CiAgICBwcmludCgiYWxsb3dfYnlfY29udGFpbmVyX3R5cGVzOiBjaGVja2luZyBpby5rdWJlcm5ldGVzLmNyaS5jb250YWluZXItdHlwZSIpCgogICAgY190eXBlIDo9ICJpby5rdWJlcm5ldGVzLmNyaS5jb250YWluZXItdHlwZSIKICAgIAogICAgcF9jcmlfdHlwZSA6PSBwX29jaS5Bbm5vdGF0aW9uc1tjX3R5cGVdCiAgICBpX2NyaV90eXBlIDo9IGlfb2NpLkFubm90YXRpb25zW2NfdHlwZV0KICAgIHByaW50KCJhbGxvd19ieV9jb250YWluZXJfdHlwZXM6IHBfY3JpX3R5cGUgPSIsIHBfY3JpX3R5cGUsICJpX2NyaV90eXBlID0iLCBpX2NyaV90eXBlKQogICAgcF9jcmlfdHlwZSA9PSBpX2NyaV90eXBlCgogICAgYWxsb3dfYnlfY29udGFpbmVyX3R5cGUoaV9jcmlfdHlwZSwgcF9vY2ksIGlfb2NpLCBzX25hbWUsIHNfbmFtZXNwYWNlKQoKICAgIHByaW50KCJhbGxvd19ieV9jb250YWluZXJfdHlwZXM6IHRydWUiKQp9CgphbGxvd19ieV9jb250YWluZXJfdHlwZShpX2NyaV90eXBlLCBwX29jaSwgaV9vY2ksIHNfbmFtZSwgc19uYW1lc3BhY2UpIHsKICAgIHByaW50KCJhbGxvd19ieV9jb250YWluZXJfdHlwZSAxOiBpX2NyaV90eXBlID0iLCBpX2NyaV90eXBlKQogICAgaV9jcmlfdHlwZSA9PSAic2FuZGJveCIKCiAgICBpX2thdGFfdHlwZSA6PSBpX29jaS5Bbm5vdGF0aW9uc1siaW8ua2F0YWNvbnRhaW5lcnMucGtnLm9jaS5jb250YWluZXJfdHlwZSJdCiAgICBwcmludCgiYWxsb3dfYnlfY29udGFpbmVyX3R5cGUgMTogaV9rYXRhX3R5cGUgPSIsIGlfa2F0YV90eXBlKQogICAgaV9rYXRhX3R5cGUgPT0gInBvZF9zYW5kYm94IgoKICAgIGFsbG93X3NhbmRib3hfY29udGFpbmVyX25hbWUocF9vY2ksIGlfb2NpKQogICAgYWxsb3dfc2FuZGJveF9uZXRfbmFtZXNwYWNlKHBfb2NpLCBpX29jaSkKICAgIGFsbG93X3NhbmRib3hfbG9nX2RpcmVjdG9yeShwX29jaSwgaV9vY2ksIHNfbmFtZSwgc19uYW1lc3BhY2UpCgogICAgcHJpbnQoImFsbG93X2J5X2NvbnRhaW5lcl90eXBlIDE6IHRydWUiKQp9CgphbGxvd19ieV9jb250YWluZXJfdHlwZShpX2NyaV90eXBlLCBwX29jaSwgaV9vY2ksIHNfbmFtZSwgc19uYW1lc3BhY2UpIHsKICAgIHByaW50KCJhbGxvd19ieV9jb250YWluZXJfdHlwZSAyOiBpX2NyaV90eXBlID0iLCBpX2NyaV90eXBlKQogICAgaV9jcmlfdHlwZSA9PSAiY29udGFpbmVyIgoKICAgIGlfa2F0YV90eXBlIDo9IGlfb2NpLkFubm90YXRpb25zWyJpby5rYXRhY29udGFpbmVycy5wa2cub2NpLmNvbnRhaW5lcl90eXBlIl0KICAgIHByaW50KCJhbGxvd19ieV9jb250YWluZXJfdHlwZSAyOiBpX2thdGFfdHlwZSA9IiwgaV9rYXRhX3R5cGUpCiAgICBpX2thdGFfdHlwZSA9PSAicG9kX2NvbnRhaW5lciIKCiAgICBhbGxvd19jb250YWluZXJfbmFtZShwX29jaSwgaV9vY2kpCiAgICBhbGxvd19uZXRfbmFtZXNwYWNlKHBfb2NpLCBpX29jaSkKICAgIGFsbG93X2xvZ19kaXJlY3RvcnkocF9vY2ksIGlfb2NpKQoKICAgIHByaW50KCJhbGxvd19ieV9jb250YWluZXJfdHlwZSAyOiB0cnVlIikKfQoKIyAiaW8ua3ViZXJuZXRlcy5jcmkuY29udGFpbmVyLW5hbWUiIGFubm90YXRpb24KYWxsb3dfc2FuZGJveF9jb250YWluZXJfbmFtZShwX29jaSwgaV9vY2kpIHsKICAgIHByaW50KCJhbGxvd19zYW5kYm94X2NvbnRhaW5lcl9uYW1lOiBzdGFydCIpCgogICAgY29udGFpbmVyX2Fubm90YXRpb25fbWlzc2luZyhwX29jaSwgaV9vY2ksICJpby5rdWJlcm5ldGVzLmNyaS5jb250YWluZXItbmFtZSIpCgogICAgcHJpbnQoImFsbG93X3NhbmRib3hfY29udGFpbmVyX25hbWU6IHRydWUiKQp9CgphbGxvd19jb250YWluZXJfbmFtZShwX29jaSwgaV9vY2kpIHsKICAgIHByaW50KCJhbGxvd19jb250YWluZXJfbmFtZTogc3RhcnQiKQoKICAgIGFsbG93X2NvbnRhaW5lcl9hbm5vdGF0aW9uKHBfb2NpLCBpX29jaSwgImlvLmt1YmVybmV0ZXMuY3JpLmNvbnRhaW5lci1uYW1lIikKCiAgICBwcmludCgiYWxsb3dfY29udGFpbmVyX25hbWU6IHRydWUiKQp9Cgpjb250YWluZXJfYW5ub3RhdGlvbl9taXNzaW5nKHBfb2NpLCBpX29jaSwga2V5KSB7CiAgICBwcmludCgiY29udGFpbmVyX2Fubm90YXRpb25fbWlzc2luZzoiLCBrZXkpCgogICAgbm90IHBfb2NpLkFubm90YXRpb25zW2tleV0KICAgIG5vdCBpX29jaS5Bbm5vdGF0aW9uc1trZXldCgogICAgcHJpbnQoImNvbnRhaW5lcl9hbm5vdGF0aW9uX21pc3Npbmc6IHRydWUiKQp9CgphbGxvd19jb250YWluZXJfYW5ub3RhdGlvbihwX29jaSwgaV9vY2ksIGtleSkgewogICAgcHJpbnQoImFsbG93X2NvbnRhaW5lcl9hbm5vdGF0aW9uOiBrZXkgPSIsIGtleSkKCiAgICBwX3ZhbHVlIDo9IHBfb2NpLkFubm90YXRpb25zW2tleV0KICAgIGlfdmFsdWUgOj0gaV9vY2kuQW5ub3RhdGlvbnNba2V5XQogICAgcHJpbnQoImFsbG93X2NvbnRhaW5lcl9hbm5vdGF0aW9uOiBwX3ZhbHVlID0iLCBwX3ZhbHVlLCAiaV92YWx1ZSA9IiwgaV92YWx1ZSkKCiAgICBwX3ZhbHVlID09IGlfdmFsdWUKCiAgICBwcmludCgiYWxsb3dfY29udGFpbmVyX2Fubm90YXRpb246IHRydWUiKQp9CgojICJuZXJkY3RsL25ldHdvcmstbmFtZXNwYWNlIiBhbm5vdGF0aW9uCmFsbG93X3NhbmRib3hfbmV0X25hbWVzcGFjZShwX29jaSwgaV9vY2kpIHsKICAgIHByaW50KCJhbGxvd19zYW5kYm94X25ldF9uYW1lc3BhY2U6IHN0YXJ0IikKCiAgICBrZXkgOj0gIm5lcmRjdGwvbmV0d29yay1uYW1lc3BhY2UiCgogICAgcF9uYW1lc3BhY2UgOj0gcF9vY2kuQW5ub3RhdGlvbnNba2V5XQogICAgaV9uYW1lc3BhY2UgOj0gaV9vY2kuQW5ub3RhdGlvbnNba2V5XQogICAgcHJpbnQoImFsbG93X3NhbmRib3hfbmV0X25hbWVzcGFjZTogcF9uYW1lc3BhY2UgPSIsIHBfbmFtZXNwYWNlLCAiaV9uYW1lc3BhY2UgPSIsIGlfbmFtZXNwYWNlKQoKICAgIHJlZ2V4Lm1hdGNoKHBfbmFtZXNwYWNlLCBpX25hbWVzcGFjZSkKCiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9uZXRfbmFtZXNwYWNlOiB0cnVlIikKfQoKYWxsb3dfbmV0X25hbWVzcGFjZShwX29jaSwgaV9vY2kpIHsKICAgIHByaW50KCJhbGxvd19uZXRfbmFtZXNwYWNlOiBzdGFydCIpCgogICAga2V5IDo9ICJuZXJkY3RsL25ldHdvcmstbmFtZXNwYWNlIgoKICAgIG5vdCBwX29jaS5Bbm5vdGF0aW9uc1trZXldCiAgICBub3QgaV9vY2kuQW5ub3RhdGlvbnNba2V5XQoKICAgIHByaW50KCJhbGxvd19uZXRfbmFtZXNwYWNlOiB0cnVlIikKfQoKIyAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1sb2ctZGlyZWN0b3J5IiBhbm5vdGF0aW9uCmFsbG93X3NhbmRib3hfbG9nX2RpcmVjdG9yeShwX29jaSwgaV9vY2ksIHNfbmFtZSwgc19uYW1lc3BhY2UpIHsKICAgIHByaW50KCJhbGxvd19zYW5kYm94X2xvZ19kaXJlY3Rvcnk6IHN0YXJ0IikKCiAgICBrZXkgOj0gImlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtbG9nLWRpcmVjdG9yeSIKCiAgICBwX2RpciA6PSBwX29jaS5Bbm5vdGF0aW9uc1trZXldCiAgICByZWdleDEgOj0gcmVwbGFjZShwX2RpciwgIiQoc2FuZGJveC1uYW1lKSIsIHNfbmFtZSkKICAgIHJlZ2V4MiA6PSByZXBsYWNlKHJlZ2V4MSwgIiQoc2FuZGJveC1uYW1lc3BhY2UpIiwgc19uYW1lc3BhY2UpCiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9sb2dfZGlyZWN0b3J5OiByZWdleDIgPSIsIHJlZ2V4MikKCiAgICBpX2RpciA6PSBpX29jaS5Bbm5vdGF0aW9uc1trZXldCiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9sb2dfZGlyZWN0b3J5OiBpX2RpciA9IiwgaV9kaXIpCgogICAgcmVnZXgubWF0Y2gocmVnZXgyLCBpX2RpcikKCiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9sb2dfZGlyZWN0b3J5OiB0cnVlIikKfQoKYWxsb3dfbG9nX2RpcmVjdG9yeShwX29jaSwgaV9vY2kpIHsKICAgIHByaW50KCJhbGxvd19sb2dfZGlyZWN0b3J5OiBzdGFydCIpCgogICAga2V5IDo9ICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LWxvZy1kaXJlY3RvcnkiCgogICAgbm90IHBfb2NpLkFubm90YXRpb25zW2tleV0KICAgIG5vdCBpX29jaS5Bbm5vdGF0aW9uc1trZXldCgogICAgcHJpbnQoImFsbG93X2xvZ19kaXJlY3Rvcnk6IHRydWUiKQp9CgphbGxvd19saW51eChwX29jaSwgaV9vY2kpIHsKICAgIHBfbmFtZXNwYWNlcyA6PSBwX29jaS5MaW51eC5OYW1lc3BhY2VzCiAgICBwcmludCgiYWxsb3dfbGludXg6IHAgbmFtZXNwYWNlcyA9IiwgcF9uYW1lc3BhY2VzKQoKICAgIGlfbmFtZXNwYWNlcyA6PSBpX29jaS5MaW51eC5OYW1lc3BhY2VzCiAgICBwcmludCgiYWxsb3dfbGludXg6IGkgbmFtZXNwYWNlcyA9IiwgaV9uYW1lc3BhY2VzKQoKICAgIHBfbmFtZXNwYWNlcyA9PSBpX25hbWVzcGFjZXMKCiAgICBhbGxvd19tYXNrZWRfcGF0aHMocF9vY2ksIGlfb2NpKQogICAgYWxsb3dfcmVhZG9ubHlfcGF0aHMocF9vY2ksIGlfb2NpKQoKICAgIHByaW50KCJhbGxvd19saW51eDogdHJ1ZSIpCn0KCmFsbG93X21hc2tlZF9wYXRocyhwX29jaSwgaV9vY2kpIHsKICAgIHBfcGF0aHMgOj0gcF9vY2kuTGludXguTWFza2VkUGF0aHMKICAgIHByaW50KCJhbGxvd19tYXNrZWRfcGF0aHMgMTogcF9wYXRocyA9IiwgcF9wYXRocykKCiAgICBpX3BhdGhzIDo9IGlfb2NpLkxpbnV4Lk1hc2tlZFBhdGhzCiAgICBwcmludCgiYWxsb3dfbWFza2VkX3BhdGhzIDE6IGlfcGF0aHMgPSIsIGlfcGF0aHMpCgogICAgYWxsb3dfbWFza2VkX3BhdGhzX2FycmF5KHBfcGF0aHMsIGlfcGF0aHMpCgogICAgcHJpbnQoImFsbG93X21hc2tlZF9wYXRocyAxOiB0cnVlIikKfQphbGxvd19tYXNrZWRfcGF0aHMocF9vY2ksIGlfb2NpKSB7CiAgICBwcmludCgiYWxsb3dfbWFza2VkX3BhdGhzIDI6IHN0YXJ0IikKCiAgICBub3QgcF9vY2kuTGludXguTWFza2VkUGF0aHMKICAgIG5vdCBpX29jaS5MaW51eC5NYXNrZWRQYXRocwoKICAgIHByaW50KCJhbGxvd19tYXNrZWRfcGF0aHMgMjogdHJ1ZSIpCn0KCiMgQWxsIHRoZSBwb2xpY3kgbWFza2VkIHBhdGhzIG11c3QgYmUgbWFza2VkIGluIHRoZSBpbnB1dCBkYXRhIHRvby4KIyBJbnB1dCBpcyBhbGxvd2VkIHRvIGhhdmUgbW9yZSBtYXNrZWQgcGF0aHMgdGhhbiB0aGUgcG9saWN5LgphbGxvd19tYXNrZWRfcGF0aHNfYXJyYXkocF9hcnJheSwgaV9hcnJheSkgewogICAgZXZlcnkgcF9lbGVtIGluIHBfYXJyYXkgewogICAgICAgIGFsbG93X21hc2tlZF9wYXRoKHBfZWxlbSwgaV9hcnJheSkKICAgIH0KfQoKYWxsb3dfbWFza2VkX3BhdGgocF9lbGVtLCBpX2FycmF5KSB7CiAgICBwcmludCgiYWxsb3dfbWFza2VkX3BhdGg6IHBfZWxlbSA9IiwgcF9lbGVtKQoKICAgIHNvbWUgaV9lbGVtIGluIGlfYXJyYXkKICAgIHBfZWxlbSA9PSBpX2VsZW0KCiAgICBwcmludCgiYWxsb3dfbWFza2VkX3BhdGg6IHRydWUiKQp9CgphbGxvd19yZWFkb25seV9wYXRocyhwX29jaSwgaV9vY2kpIHsKICAgIHBfcGF0aHMgOj0gcF9vY2kuTGludXguUmVhZG9ubHlQYXRocwogICAgcHJpbnQoImFsbG93X3JlYWRvbmx5X3BhdGhzIDE6IHBfcGF0aHMgPSIsIHBfcGF0aHMpCgogICAgaV9wYXRocyA6PSBpX29jaS5MaW51eC5SZWFkb25seVBhdGhzCiAgICBwcmludCgiYWxsb3dfcmVhZG9ubHlfcGF0aHMgMTogaV9wYXRocyA9IiwgaV9wYXRocykKCiAgICBhbGxvd19yZWFkb25seV9wYXRoc19hcnJheShwX3BhdGhzLCBpX3BhdGhzLCBpX29jaS5MaW51eC5NYXNrZWRQYXRocykKCiAgICBwcmludCgiYWxsb3dfcmVhZG9ubHlfcGF0aHMgMTogdHJ1ZSIpCn0KYWxsb3dfcmVhZG9ubHlfcGF0aHMocF9vY2ksIGlfb2NpKSB7CiAgICBwcmludCgiYWxsb3dfcmVhZG9ubHlfcGF0aHMgMjogc3RhcnQiKQoKICAgIG5vdCBwX29jaS5MaW51eC5SZWFkb25seVBhdGhzCiAgICBub3QgaV9vY2kuTGludXguUmVhZG9ubHlQYXRocwoKICAgIHByaW50KCJhbGxvd19yZWFkb25seV9wYXRocyAyOiB0cnVlIikKfQoKIyBBbGwgdGhlIHBvbGljeSByZWFkb25seSBwYXRocyBtdXN0IGJlIGVpdGhlcjoKIyAtIFByZXNlbnQgaW4gdGhlIGlucHV0IHJlYWRvbmx5IHBhdGhzLCBvcgojIC0gUHJlc2VudCBpbiB0aGUgaW5wdXQgbWFza2VkIHBhdGhzLgojIElucHV0IGlzIGFsbG93ZWQgdG8gaGF2ZSBtb3JlIHJlYWRvbmx5IHBhdGhzIHRoYW4gdGhlIHBvbGljeS4KYWxsb3dfcmVhZG9ubHlfcGF0aHNfYXJyYXkocF9hcnJheSwgaV9hcnJheSwgbWFza2VkX3BhdGhzKSB7CiAgICBldmVyeSBwX2VsZW0gaW4gcF9hcnJheSB7CiAgICAgICAgYWxsb3dfcmVhZG9ubHlfcGF0aChwX2VsZW0sIGlfYXJyYXksIG1hc2tlZF9wYXRocykKICAgIH0KfQoKYWxsb3dfcmVhZG9ubHlfcGF0aChwX2VsZW0sIGlfYXJyYXksIG1hc2tlZF9wYXRocykgewogICAgcHJpbnQoImFsbG93X3JlYWRvbmx5X3BhdGggMTogcF9lbGVtID0iLCBwX2VsZW0pCgogICAgc29tZSBpX2VsZW0gaW4gaV9hcnJheQogICAgcF9lbGVtID09IGlfZWxlbQoKICAgIHByaW50KCJhbGxvd19yZWFkb25seV9wYXRoIDE6IHRydWUiKQp9CmFsbG93X3JlYWRvbmx5X3BhdGgocF9lbGVtLCBpX2FycmF5LCBtYXNrZWRfcGF0aHMpIHsKICAgIHByaW50KCJhbGxvd19yZWFkb25seV9wYXRoIDI6IHBfZWxlbSA9IiwgcF9lbGVtKQoKICAgIHNvbWUgaV9tYXNrZWQgaW4gbWFza2VkX3BhdGhzCiAgICBwX2VsZW0gPT0gaV9tYXNrZWQKCiAgICBwcmludCgiYWxsb3dfcmVhZG9ubHlfcGF0aCAyOiB0cnVlIikKfQoKIyBDaGVjayB0aGUgY29uc2lzdGVuY3kgb2YgdGhlIGlucHV0ICJpby5rYXRhY29udGFpbmVycy5wa2cub2NpLmJ1bmRsZV9wYXRoIgojIGFuZCBpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LWlkIiB2YWx1ZXMgd2l0aCBvdGhlciBmaWVsZHMuCmFsbG93X2J5X2J1bmRsZV9vcl9zYW5kYm94X2lkKHBfb2NpLCBpX29jaSwgcF9zdG9yYWdlcywgaV9zdG9yYWdlcykgewogICAgcHJpbnQoImFsbG93X2J5X2J1bmRsZV9vcl9zYW5kYm94X2lkOiBzdGFydCIpCgogICAgYnVuZGxlX3BhdGggOj0gaV9vY2kuQW5ub3RhdGlvbnNbImlvLmthdGFjb250YWluZXJzLnBrZy5vY2kuYnVuZGxlX3BhdGgiXQogICAgYnVuZGxlX2lkIDo9IHJlcGxhY2UoYnVuZGxlX3BhdGgsICIvcnVuL2NvbnRhaW5lcmQvaW8uY29udGFpbmVyZC5ydW50aW1lLnYyLnRhc2svazhzLmlvLyIsICIiKQoKICAgIGJ1bmRsZV9pZF9mb3JtYXQgOj0gY29uY2F0KCIiLCBbIl4iLCBCVU5ETEVfSUQsICIkIl0pCiAgICByZWdleC5tYXRjaChidW5kbGVfaWRfZm9ybWF0LCBidW5kbGVfaWQpCgogICAga2V5IDo9ICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LWlkIgoKICAgIHBfcmVnZXggOj0gcF9vY2kuQW5ub3RhdGlvbnNba2V5XQogICAgc2FuZGJveF9pZCA6PSBpX29jaS5Bbm5vdGF0aW9uc1trZXldCgogICAgcHJpbnQoImFsbG93X2J5X2J1bmRsZV9vcl9zYW5kYm94X2lkOiBzYW5kYm94X2lkID0iLCBzYW5kYm94X2lkLCAicmVnZXggPSIsIHBfcmVnZXgpCiAgICByZWdleC5tYXRjaChwX3JlZ2V4LCBzYW5kYm94X2lkKQoKICAgIGFsbG93X3Jvb3RfcGF0aChwX29jaSwgaV9vY2ksIGJ1bmRsZV9pZCkKCiAgICBldmVyeSBpX21vdW50IGluIGlfb2NpLk1vdW50cyB7CiAgICAgICAgYWxsb3dfbW91bnQocF9vY2ksIGlfbW91bnQsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCkKICAgIH0KCiAgICBhbGxvd19zdG9yYWdlcyhwX3N0b3JhZ2VzLCBpX3N0b3JhZ2VzLCBidW5kbGVfaWQsIHNhbmRib3hfaWQpCgogICAgcHJpbnQoImFsbG93X2J5X2J1bmRsZV9vcl9zYW5kYm94X2lkOiB0cnVlIikKfQoKYWxsb3dfcHJvY2Vzc19jb21tb24ocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIHNfbmFtZSwgc19uYW1lc3BhY2UpIHsKICAgIHByaW50KCJhbGxvd19wcm9jZXNzX2NvbW1vbjogcF9wcm9jZXNzID0iLCBwX3Byb2Nlc3MpCiAgICBwcmludCgiYWxsb3dfcHJvY2Vzc19jb21tb246IGlfcHJvY2VzcyA9ICIsIGlfcHJvY2VzcykKICAgIHByaW50KCJhbGxvd19wcm9jZXNzX2NvbW1vbjogc19uYW1lID0iLCBzX25hbWUpCgogICAgcF9wcm9jZXNzLkN3ZCA9PSBpX3Byb2Nlc3MuQ3dkCiAgICBwX3Byb2Nlc3MuTm9OZXdQcml2aWxlZ2VzID09IGlfcHJvY2Vzcy5Ob05ld1ByaXZpbGVnZXMKCiAgICBhbGxvd191c2VyKHBfcHJvY2VzcywgaV9wcm9jZXNzKQogICAgYWxsb3dfZW52KHBfcHJvY2VzcywgaV9wcm9jZXNzLCBzX25hbWUsIHNfbmFtZXNwYWNlKQoKICAgIHByaW50KCJhbGxvd19wcm9jZXNzX2NvbW1vbjogdHJ1ZSIpCn0KCiMgQ29tcGFyZSB0aGUgT0NJIFByb2Nlc3MgZmllbGQgb2YgYSBwb2xpY3kgY29udGFpbmVyIHdpdGggdGhlIGlucHV0IE9DSSBQcm9jZXNzIGZyb20gYSBDcmVhdGVDb250YWluZXJSZXF1ZXN0CmFsbG93X3Byb2Nlc3MocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIHNfbmFtZSwgc19uYW1lc3BhY2UpIHsKICAgIHByaW50KCJhbGxvd19wcm9jZXNzOiBzdGFydCIpCgogICAgYWxsb3dfYXJncyhwX3Byb2Nlc3MsIGlfcHJvY2Vzcywgc19uYW1lKQogICAgYWxsb3dfcHJvY2Vzc19jb21tb24ocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIHNfbmFtZSwgc19uYW1lc3BhY2UpCiAgICBhbGxvd19jYXBzKHBfcHJvY2Vzcy5DYXBhYmlsaXRpZXMsIGlfcHJvY2Vzcy5DYXBhYmlsaXRpZXMpCiAgICBwX3Byb2Nlc3MuVGVybWluYWwgPT0gaV9wcm9jZXNzLlRlcm1pbmFsCgogICAgcHJpbnQoImFsbG93X3Byb2Nlc3M6IHRydWUiKQp9CgojIENvbXBhcmUgdGhlIE9DSSBQcm9jZXNzIGZpZWxkIG9mIGEgcG9saWN5IGNvbnRhaW5lciB3aXRoIHRoZSBpbnB1dCBwcm9jZXNzIGZpZWxkIGZyb20gRXhlY1Byb2Nlc3NSZXF1ZXN0CmFsbG93X2ludGVyYWN0aXZlX3Byb2Nlc3MocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIHNfbmFtZSwgc19uYW1lc3BhY2UpIHsKICAgIHByaW50KCJhbGxvd19pbnRlcmFjdGl2ZV9wcm9jZXNzOiBzdGFydCIpCgogICAgYWxsb3dfcHJvY2Vzc19jb21tb24ocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIHNfbmFtZSwgc19uYW1lc3BhY2UpCiAgICBhbGxvd19leGVjX2NhcHMoaV9wcm9jZXNzLkNhcGFiaWxpdGllcykKCiAgICAjIFRoZXNlIGFyZSBjb21tYW5kcyBlbmFibGVkIHVzaW5nIEV4ZWNQcm9jZXNzUmVxdWVzdCBjb21tYW5kcyBhbmQvb3IgcmVnZXggZnJvbSB0aGUgc2V0dGluZ3MgZmlsZS4KICAgICMgVGhleSBjYW4gYmUgZXhlY3V0ZWQgaW50ZXJhY3RpdmVseSBzbyBhbGxvdyB0aGVtIHRvIHVzZSBhbnkgdmFsdWUgZm9yIGlfcHJvY2Vzcy5UZXJtaW5hbC4KCiAgICBwcmludCgiYWxsb3dfaW50ZXJhY3RpdmVfcHJvY2VzczogdHJ1ZSIpCn0KCiMgQ29tcGFyZSB0aGUgT0NJIFByb2Nlc3MgZmllbGQgb2YgYSBwb2xpY3kgY29udGFpbmVyIHdpdGggdGhlIGlucHV0IHByb2Nlc3MgZmllbGQgZnJvbSBFeGVjUHJvY2Vzc1JlcXVlc3QKYWxsb3dfcHJvYmVfcHJvY2VzcyhwX3Byb2Nlc3MsIGlfcHJvY2Vzcywgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgcHJpbnQoImFsbG93X3Byb2JlX3Byb2Nlc3M6IHN0YXJ0IikKCiAgICBhbGxvd19wcm9jZXNzX2NvbW1vbihwX3Byb2Nlc3MsIGlfcHJvY2Vzcywgc19uYW1lLCBzX25hbWVzcGFjZSkKICAgIGFsbG93X2V4ZWNfY2FwcyhpX3Byb2Nlc3MuQ2FwYWJpbGl0aWVzKQogICAgcF9wcm9jZXNzLlRlcm1pbmFsID09IGlfcHJvY2Vzcy5UZXJtaW5hbAoKICAgIHByaW50KCJhbGxvd19wcm9iZV9wcm9jZXNzOiB0cnVlIikKfQoKYWxsb3dfdXNlcihwX3Byb2Nlc3MsIGlfcHJvY2VzcykgewogICAgcF91c2VyIDo9IHBfcHJvY2Vzcy5Vc2VyCiAgICBpX3VzZXIgOj0gaV9wcm9jZXNzLlVzZXIKCiAgICBwcmludCgiYWxsb3dfdXNlcjogaW5wdXQgdWlkID0iLCBpX3VzZXIuVUlELCAicG9saWN5IHVpZCA9IiwgcF91c2VyLlVJRCkKICAgIHBfdXNlci5VSUQgPT0gaV91c2VyLlVJRAoKICAgICMgVE9ETzogdHJhY2sgZG93biB0aGUgcmVhc29uIGZvciByZWdpc3RyeS5rOHMuaW8vcGF1c2U6My45IGJlaW5nCiAgICAjICAgICAgIGV4ZWN1dGVkIHdpdGggZ2lkID0gMCBkZXNwaXRlIGhhdmluZyAiNjU1MzU6NjU1MzUiIGluIGl0cyBjb250YWluZXIgaW1hZ2UKICAgICMgICAgICAgY29uZmlnLgogICAgI3ByaW50KCJhbGxvd191c2VyOiBpbnB1dCBnaWQgPSIsIGlfdXNlci5HSUQsICJwb2xpY3kgZ2lkID0iLCBwX3VzZXIuR0lEKQogICAgI3BfdXNlci5HSUQgPT0gaV91c2VyLkdJRAoKICAgICMgVE9ETzogY29tcGFyZSB0aGUgYWRkaXRpb25hbEdpZHMgZmllbGQgdG9vIGFmdGVyIGNvbXB1dGluZyBpdHMgdmFsdWUKICAgICMgYmFzZWQgb24gL2V0Yy9wYXNzd2QgYW5kIC9ldGMvZ3JvdXAgZnJvbSB0aGUgY29udGFpbmVyIGltYWdlLgp9CgphbGxvd19hcmdzKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBzX25hbWUpIHsKICAgIHByaW50KCJhbGxvd19hcmdzIDE6IG5vIGFyZ3MiKQoKICAgIG5vdCBwX3Byb2Nlc3MuQXJncwogICAgbm90IGlfcHJvY2Vzcy5BcmdzCgogICAgcHJpbnQoImFsbG93X2FyZ3MgMTogdHJ1ZSIpCn0KYWxsb3dfYXJncyhwX3Byb2Nlc3MsIGlfcHJvY2Vzcywgc19uYW1lKSB7CiAgICBwcmludCgiYWxsb3dfYXJncyAyOiBwb2xpY3kgYXJncyA9IiwgcF9wcm9jZXNzLkFyZ3MpCiAgICBwcmludCgiYWxsb3dfYXJncyAyOiBpbnB1dCBhcmdzID0iLCBpX3Byb2Nlc3MuQXJncykKCiAgICBjb3VudChwX3Byb2Nlc3MuQXJncykgPT0gY291bnQoaV9wcm9jZXNzLkFyZ3MpCgogICAgZXZlcnkgaSwgaV9hcmcgaW4gaV9wcm9jZXNzLkFyZ3MgewogICAgICAgIGFsbG93X2FyZyhpLCBpX2FyZywgcF9wcm9jZXNzLCBzX25hbWUpCiAgICB9CiAgICBwcmludCgiYWxsb3dfYXJncyAyOiB0cnVlIikKfQphbGxvd19hcmcoaSwgaV9hcmcsIHBfcHJvY2Vzcywgc19uYW1lKSB7CiAgICBwX2FyZyA6PSBwX3Byb2Nlc3MuQXJnc1tpXQogICAgcHJpbnQoImFsbG93X2FyZyAxOiBpID0iLCBpLCAiaV9hcmcgPSIsIGlfYXJnLCAicF9hcmcgPSIsIHBfYXJnKQoKICAgIHBfYXJnMiA6PSByZXBsYWNlKHBfYXJnLCAiJCQiLCAiJCIpCiAgICBwX2FyZzIgPT0gaV9hcmcKCiAgICBwcmludCgiYWxsb3dfYXJnIDE6IHRydWUiKQp9CmFsbG93X2FyZyhpLCBpX2FyZywgcF9wcm9jZXNzLCBzX25hbWUpIHsKICAgIHBfYXJnIDo9IHBfcHJvY2Vzcy5BcmdzW2ldCiAgICBwcmludCgiYWxsb3dfYXJnIDI6IGkgPSIsIGksICJpX2FyZyA9IiwgaV9hcmcsICJwX2FyZyA9IiwgcF9hcmcpCgogICAgIyBUT0RPOiBjYW4gJChub2RlLW5hbWUpIGJlIGhhbmRsZWQgYmV0dGVyPwogICAgY29udGFpbnMocF9hcmcsICIkKG5vZGUtbmFtZSkiKQoKICAgIHByaW50KCJhbGxvd19hcmcgMjogdHJ1ZSIpCn0KYWxsb3dfYXJnKGksIGlfYXJnLCBwX3Byb2Nlc3MsIHNfbmFtZSkgewogICAgcF9hcmcgOj0gcF9wcm9jZXNzLkFyZ3NbaV0KICAgIHByaW50KCJhbGxvd19hcmcgMzogaSA9IiwgaSwgImlfYXJnID0iLCBpX2FyZywgInBfYXJnID0iLCBwX2FyZykKCiAgICBwX2FyZzIgOj0gcmVwbGFjZShwX2FyZywgIiQkIiwgIiQiKQogICAgcF9hcmczIDo9IHJlcGxhY2UocF9hcmcyLCAiJChzYW5kYm94LW5hbWUpIiwgc19uYW1lKQogICAgcHJpbnQoImFsbG93X2FyZyAzOiBwX2FyZzMgPSIsIHBfYXJnMykKICAgIHBfYXJnMyA9PSBpX2FyZwoKICAgIHByaW50KCJhbGxvd19hcmcgMzogdHJ1ZSIpCn0KCiMgT0NJIHByb2Nlc3MuRW52IGZpZWxkCmFsbG93X2VudihwX3Byb2Nlc3MsIGlfcHJvY2Vzcywgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgcHJpbnQoImFsbG93X2VudjogcCBlbnYgPSIsIHBfcHJvY2Vzcy5FbnYpCiAgICBwcmludCgiYWxsb3dfZW52OiBpIGVudiA9IiwgaV9wcm9jZXNzLkVudikKCiAgICBldmVyeSBpX3ZhciBpbiBpX3Byb2Nlc3MuRW52IHsKICAgICAgICBwcmludCgiYWxsb3dfZW52OiBpX3ZhciA9IiwgaV92YXIpCiAgICAgICAgYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lLCBzX25hbWVzcGFjZSkKICAgIH0KCiAgICBwcmludCgiYWxsb3dfZW52OiB0cnVlIikKfQoKIyBBbGxvdyBpbnB1dCBlbnYgdmFyaWFibGVzIHRoYXQgYXJlIHByZXNlbnQgaW4gdGhlIHBvbGljeSBkYXRhIHRvby4KYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgc29tZSBwX3ZhciBpbiBwX3Byb2Nlc3MuRW52CiAgICBwX3ZhciA9PSBpX3ZhcgogICAgcHJpbnQoImFsbG93X3ZhciAxOiB0cnVlIikKfQoKIyBNYXRjaCBpbnB1dCB3aXRoIG9uZSBvZiB0aGUgcG9saWN5IHZhcmlhYmxlcywgYWZ0ZXIgc3Vic3RpdHV0aW5nICQoc2FuZGJveC1uYW1lKS4KYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgc29tZSBwX3ZhciBpbiBwX3Byb2Nlc3MuRW52CiAgICBwX3ZhcjIgOj0gcmVwbGFjZShwX3ZhciwgIiQoc2FuZGJveC1uYW1lKSIsIHNfbmFtZSkKCiAgICBwcmludCgiYWxsb3dfdmFyIDI6IHBfdmFyMiA9IiwgcF92YXIyKQogICAgcF92YXIyID09IGlfdmFyCgogICAgcHJpbnQoImFsbG93X3ZhciAyOiB0cnVlIikKfQoKIyBBbGxvdyBpbnB1dCBlbnYgdmFyaWFibGVzIHRoYXQgbWF0Y2ggd2l0aCBhIHJlcXVlc3RfZGVmYXVsdHMgcmVnZXguCmFsbG93X3ZhcihwX3Byb2Nlc3MsIGlfcHJvY2VzcywgaV92YXIsIHNfbmFtZSwgc19uYW1lc3BhY2UpIHsKICAgIHNvbWUgcF9yZWdleDEgaW4gcG9saWN5X2RhdGEucmVxdWVzdF9kZWZhdWx0cy5DcmVhdGVDb250YWluZXJSZXF1ZXN0LmFsbG93X2Vudl9yZWdleAogICAgcF9yZWdleDIgOj0gcmVwbGFjZShwX3JlZ2V4MSwgIiQoaXB2NF9hKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5pcHY0X2EpCiAgICBwX3JlZ2V4MyA6PSByZXBsYWNlKHBfcmVnZXgyLCAiJChpcF9wKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5pcF9wKQogICAgcF9yZWdleDQgOj0gcmVwbGFjZShwX3JlZ2V4MywgIiQoc3ZjX25hbWUpIiwgcG9saWN5X2RhdGEuY29tbW9uLnN2Y19uYW1lKQogICAgcF9yZWdleDUgOj0gcmVwbGFjZShwX3JlZ2V4NCwgIiQoZG5zX2xhYmVsKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5kbnNfbGFiZWwpCgogICAgcHJpbnQoImFsbG93X3ZhciAzOiBwX3JlZ2V4NSA9IiwgcF9yZWdleDUpCiAgICByZWdleC5tYXRjaChwX3JlZ2V4NSwgaV92YXIpCgogICAgcHJpbnQoImFsbG93X3ZhciAzOiB0cnVlIikKfQoKIyBBbGxvdyBmaWVsZFJlZiAiZmllbGRQYXRoOiBzdGF0dXMucG9kSVAiIHZhbHVlcy4KYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgbmFtZV92YWx1ZSA6PSBzcGxpdChpX3ZhciwgIj0iKQogICAgY291bnQobmFtZV92YWx1ZSkgPT0gMgogICAgaXNfaXAobmFtZV92YWx1ZVsxXSkKCiAgICBzb21lIHBfdmFyIGluIHBfcHJvY2Vzcy5FbnYKICAgIGFsbG93X3BvZF9pcF92YXIobmFtZV92YWx1ZVswXSwgcF92YXIpCgogICAgcHJpbnQoImFsbG93X3ZhciA0OiB0cnVlIikKfQoKIyBBbGxvdyBjb21tb24gZmllbGRSZWYgdmFyaWFibGVzLgphbGxvd192YXIocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIGlfdmFyLCBzX25hbWUsIHNfbmFtZXNwYWNlKSB7CiAgICBuYW1lX3ZhbHVlIDo9IHNwbGl0KGlfdmFyLCAiPSIpCiAgICBjb3VudChuYW1lX3ZhbHVlKSA9PSAyCgogICAgc29tZSBwX3ZhciBpbiBwX3Byb2Nlc3MuRW52CiAgICBwX25hbWVfdmFsdWUgOj0gc3BsaXQocF92YXIsICI9IikKICAgIGNvdW50KHBfbmFtZV92YWx1ZSkgPT0gMgoKICAgIHBfbmFtZV92YWx1ZVswXSA9PSBuYW1lX3ZhbHVlWzBdCgogICAgIyBUT0RPOiBzaG91bGQgdGhlc2UgYmUgaGFuZGxlZCBpbiBhIGRpZmZlcmVudCB3YXk/CiAgICBzb21lIGFsbG93ZWQgaW4gQUxMT1dFRF9TVUJET01BSU5fTkFNRVMKICAgIGNvbnRhaW5zKHBfbmFtZV92YWx1ZVsxXSwgYWxsb3dlZCkKCiAgICBwcmludCgiYWxsb3dfdmFyIDU6IHRydWUiKQp9CgojIEFsbG93IGZpZWxkUmVmICJmaWVsZFBhdGg6IHN0YXR1cy5ob3N0SVAiIHZhbHVlcy4KYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgbmFtZV92YWx1ZSA6PSBzcGxpdChpX3ZhciwgIj0iKQogICAgY291bnQobmFtZV92YWx1ZSkgPT0gMgogICAgaXNfaXAobmFtZV92YWx1ZVsxXSkKCiAgICBzb21lIHBfdmFyIGluIHBfcHJvY2Vzcy5FbnYKICAgIGFsbG93X2hvc3RfaXBfdmFyKG5hbWVfdmFsdWVbMF0sIHBfdmFyKQoKICAgIHByaW50KCJhbGxvd192YXIgNjogdHJ1ZSIpCn0KCiMgQWxsb3cgcmVzb3VyY2VGaWVsZFJlZiB2YWx1ZXMgKGUuZy4sICJsaW1pdHMuY3B1IikuCmFsbG93X3ZhcihwX3Byb2Nlc3MsIGlfcHJvY2VzcywgaV92YXIsIHNfbmFtZSwgc19uYW1lc3BhY2UpIHsKICAgIG5hbWVfdmFsdWUgOj0gc3BsaXQoaV92YXIsICI9IikKICAgIGNvdW50KG5hbWVfdmFsdWUpID09IDIKCiAgICBzb21lIHBfdmFyIGluIHBfcHJvY2Vzcy5FbnYKICAgIHBfbmFtZV92YWx1ZSA6PSBzcGxpdChwX3ZhciwgIj0iKQogICAgY291bnQocF9uYW1lX3ZhbHVlKSA9PSAyCgogICAgcF9uYW1lX3ZhbHVlWzBdID09IG5hbWVfdmFsdWVbMF0KCiAgICAjIFRPRE86IHNob3VsZCB0aGVzZSBiZSBoYW5kbGVkIGluIGEgZGlmZmVyZW50IHdheT8KICAgIHNvbWUgYWxsb3dlZCBpbiBBTFdBWVNfQUxMT1dFRAogICAgY29udGFpbnMocF9uYW1lX3ZhbHVlWzFdLCBhbGxvd2VkKQoKICAgIHByaW50KCJhbGxvd192YXIgNzogdHJ1ZSIpCn0KCiMgTWF0Y2ggaW5wdXQgd2l0aCBvbmUgb2YgdGhlIHBvbGljeSB2YXJpYWJsZXMsIGFmdGVyIHN1YnN0aXR1dGluZyAkKHNhbmRib3gtbmFtZXNwYWNlKS4KYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgc29tZSBwX3ZhciBpbiBwX3Byb2Nlc3MuRW52CiAgICBwX3ZhcjIgOj0gcmVwbGFjZShwX3ZhciwgIiQoc2FuZGJveC1uYW1lc3BhY2UpIiwgc19uYW1lc3BhY2UpCgogICAgcHJpbnQoImFsbG93X3ZhciA4OiBwX3ZhcjIgPSIsIHBfdmFyMikKICAgIHBfdmFyMiA9PSBpX3ZhcgoKICAgIHByaW50KCJhbGxvd192YXIgODogdHJ1ZSIpCn0KCmFsbG93X3BvZF9pcF92YXIodmFyX25hbWUsIHBfdmFyKSB7CiAgICBwcmludCgiYWxsb3dfcG9kX2lwX3ZhcjogdmFyX25hbWUgPSIsIHZhcl9uYW1lLCAicF92YXIgPSIsIHBfdmFyKQoKICAgIHBfbmFtZV92YWx1ZSA6PSBzcGxpdChwX3ZhciwgIj0iKQogICAgY291bnQocF9uYW1lX3ZhbHVlKSA9PSAyCgogICAgcF9uYW1lX3ZhbHVlWzBdID09IHZhcl9uYW1lCiAgICBwX25hbWVfdmFsdWVbMV0gPT0gIiQocG9kLWlwKSIKCiAgICBwcmludCgiYWxsb3dfcG9kX2lwX3ZhcjogdHJ1ZSIpCn0KCmFsbG93X2hvc3RfaXBfdmFyKHZhcl9uYW1lLCBwX3ZhcikgewogICAgcHJpbnQoImFsbG93X2hvc3RfaXBfdmFyOiB2YXJfbmFtZSA9IiwgdmFyX25hbWUsICJwX3ZhciA9IiwgcF92YXIpCgogICAgcF9uYW1lX3ZhbHVlIDo9IHNwbGl0KHBfdmFyLCAiPSIpCiAgICBjb3VudChwX25hbWVfdmFsdWUpID09IDIKCiAgICBwX25hbWVfdmFsdWVbMF0gPT0gdmFyX25hbWUKICAgIHBfbmFtZV92YWx1ZVsxXSA9PSAiJChob3N0LWlwKSIKCiAgICBwcmludCgiYWxsb3dfaG9zdF9pcF92YXI6IHRydWUiKQp9Cgppc19pcCh2YWx1ZSkgewogICAgYnl0ZXMgPSBzcGxpdCh2YWx1ZSwgIi4iKQogICAgY291bnQoYnl0ZXMpID09IDQKCiAgICBpc19pcF9maXJzdF9ieXRlKGJ5dGVzWzBdKQogICAgaXNfaXBfb3RoZXJfYnl0ZShieXRlc1sxXSkKICAgIGlzX2lwX290aGVyX2J5dGUoYnl0ZXNbMl0pCiAgICBpc19pcF9vdGhlcl9ieXRlKGJ5dGVzWzNdKQp9CmlzX2lwX2ZpcnN0X2J5dGUoY29tcG9uZW50KSB7CiAgICBudW1iZXIgPSB0b19udW1iZXIoY29tcG9uZW50KQogICAgbnVtYmVyID49IDEKICAgIG51bWJlciA8PSAyNTUKfQppc19pcF9vdGhlcl9ieXRlKGNvbXBvbmVudCkgewogICAgbnVtYmVyID0gdG9fbnVtYmVyKGNvbXBvbmVudCkKICAgIG51bWJlciA+PSAwCiAgICBudW1iZXIgPD0gMjU1Cn0KCiMgT0NJIHJvb3QuUGF0aAphbGxvd19yb290X3BhdGgocF9vY2ksIGlfb2NpLCBidW5kbGVfaWQpIHsKICAgIGlfcGF0aCA6PSBpX29jaS5Sb290LlBhdGgKICAgIHBfcGF0aDEgOj0gcF9vY2kuUm9vdC5QYXRoCiAgICBwcmludCgiYWxsb3dfcm9vdF9wYXRoOiBpX3BhdGggPSIsIGlfcGF0aCwgInBfcGF0aDEgPSIsIHBfcGF0aDEpCgogICAgcF9wYXRoMiA6PSByZXBsYWNlKHBfcGF0aDEsICIkKGNwYXRoKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5jcGF0aCkKICAgIHByaW50KCJhbGxvd19yb290X3BhdGg6IHBfcGF0aDIgPSIsIHBfcGF0aDIpCgogICAgcF9wYXRoMyA6PSByZXBsYWNlKHBfcGF0aDIsICIkKGJ1bmRsZS1pZCkiLCBidW5kbGVfaWQpCiAgICBwcmludCgiYWxsb3dfcm9vdF9wYXRoOiBwX3BhdGgzID0iLCBwX3BhdGgzKQoKICAgIHBfcGF0aDMgPT0gaV9wYXRoCgogICAgcHJpbnQoImFsbG93X3Jvb3RfcGF0aDogdHJ1ZSIpCn0KCiMgZGV2aWNlIG1vdW50cwphbGxvd19tb3VudChwX29jaSwgaV9tb3VudCwgYnVuZGxlX2lkLCBzYW5kYm94X2lkKSB7CiAgICBwcmludCgiYWxsb3dfbW91bnQ6IGlfbW91bnQgPSIsIGlfbW91bnQpCgogICAgc29tZSBwX21vdW50IGluIHBfb2NpLk1vdW50cwogICAgcHJpbnQoImFsbG93X21vdW50OiBwX21vdW50ID0iLCBwX21vdW50KQogICAgY2hlY2tfbW91bnQocF9tb3VudCwgaV9tb3VudCwgYnVuZGxlX2lkLCBzYW5kYm94X2lkKQoKICAgICMgVE9ETzogYXJlIHRoZXJlIGFueSBvdGhlciByZXF1aXJlZCBwb2xpY3kgY2hlY2tzIGZvciBtb3VudHMgLSBlLmcuLAogICAgIyAgICAgICBtdWx0aXBsZSBtb3VudHMgd2l0aCBzYW1lIHNvdXJjZSBvciBkZXN0aW5hdGlvbj8KCiAgICBwcmludCgiYWxsb3dfbW91bnQ6IHRydWUiKQp9CgpjaGVja19tb3VudChwX21vdW50LCBpX21vdW50LCBidW5kbGVfaWQsIHNhbmRib3hfaWQpIHsKICAgIHBfbW91bnQgPT0gaV9tb3VudAogICAgcHJpbnQoImNoZWNrX21vdW50IDE6IHRydWUiKQp9CmNoZWNrX21vdW50KHBfbW91bnQsIGlfbW91bnQsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCkgewogICAgcF9tb3VudC5kZXN0aW5hdGlvbiA9PSBpX21vdW50LmRlc3RpbmF0aW9uCiAgICBwX21vdW50LnR5cGVfID09IGlfbW91bnQudHlwZV8KICAgIHBfbW91bnQub3B0aW9ucyA9PSBpX21vdW50Lm9wdGlvbnMKCiAgICBtb3VudF9zb3VyY2VfYWxsb3dzKHBfbW91bnQsIGlfbW91bnQsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCkKCiAgICBwcmludCgiY2hlY2tfbW91bnQgMjogdHJ1ZSIpCn0KCm1vdW50X3NvdXJjZV9hbGxvd3MocF9tb3VudCwgaV9tb3VudCwgYnVuZGxlX2lkLCBzYW5kYm94X2lkKSB7CiAgICByZWdleDEgOj0gcF9tb3VudC5zb3VyY2UKICAgIHJlZ2V4MiA6PSByZXBsYWNlKHJlZ2V4MSwgIiQoc2ZwcmVmaXgpIiwgcG9saWN5X2RhdGEuY29tbW9uLnNmcHJlZml4KQogICAgcmVnZXgzIDo9IHJlcGxhY2UocmVnZXgyLCAiJChjcGF0aCkiLCBwb2xpY3lfZGF0YS5jb21tb24uY3BhdGgpCiAgICByZWdleDQgOj0gcmVwbGFjZShyZWdleDMsICIkKGJ1bmRsZS1pZCkiLCBidW5kbGVfaWQpCgogICAgcHJpbnQoIm1vdW50X3NvdXJjZV9hbGxvd3MgMTogcmVnZXg0ID0iLCByZWdleDQpCiAgICByZWdleC5tYXRjaChyZWdleDQsIGlfbW91bnQuc291cmNlKQoKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDE6IHRydWUiKQp9Cm1vdW50X3NvdXJjZV9hbGxvd3MocF9tb3VudCwgaV9tb3VudCwgYnVuZGxlX2lkLCBzYW5kYm94X2lkKSB7CiAgICByZWdleDEgOj0gcF9tb3VudC5zb3VyY2UKICAgIHJlZ2V4MiA6PSByZXBsYWNlKHJlZ2V4MSwgIiQoc2ZwcmVmaXgpIiwgcG9saWN5X2RhdGEuY29tbW9uLnNmcHJlZml4KQogICAgcmVnZXgzIDo9IHJlcGxhY2UocmVnZXgyLCAiJChjcGF0aCkiLCBwb2xpY3lfZGF0YS5jb21tb24uY3BhdGgpCiAgICByZWdleDQgOj0gcmVwbGFjZShyZWdleDMsICIkKHNhbmRib3gtaWQpIiwgc2FuZGJveF9pZCkKCiAgICBwcmludCgibW91bnRfc291cmNlX2FsbG93cyAyOiByZWdleDQgPSIsIHJlZ2V4NCkKICAgIHJlZ2V4Lm1hdGNoKHJlZ2V4NCwgaV9tb3VudC5zb3VyY2UpCgogICAgcHJpbnQoIm1vdW50X3NvdXJjZV9hbGxvd3MgMjogdHJ1ZSIpCn0KbW91bnRfc291cmNlX2FsbG93cyhwX21vdW50LCBpX21vdW50LCBidW5kbGVfaWQsIHNhbmRib3hfaWQpIHsKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDM6IGlfbW91bnQuc291cmNlPSIsIGlfbW91bnQuc291cmNlKQoKICAgIGlfc291cmNlX3BhcnRzID0gc3BsaXQoaV9tb3VudC5zb3VyY2UsICIvIikKICAgIGI2NF9kaXJlY3Rfdm9sX3BhdGggPSBpX3NvdXJjZV9wYXJ0c1tjb3VudChpX3NvdXJjZV9wYXJ0cykgLSAxXQoKICAgIGJhc2U2NC5pc192YWxpZChiNjRfZGlyZWN0X3ZvbF9wYXRoKQoKICAgIHNvdXJjZTEgOj0gcF9tb3VudC5zb3VyY2UKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDM6IHNvdXJjZTEgPSIsIHNvdXJjZTEpCgogICAgc291cmNlMiA6PSByZXBsYWNlKHNvdXJjZTEsICIkKHNwYXRoKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5zcGF0aCkKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDM6IHNvdXJjZTIgPSIsIHNvdXJjZTIpCgogICAgc291cmNlMyA6PSByZXBsYWNlKHNvdXJjZTIsICIkKGI2NC1kaXJlY3Qtdm9sLXBhdGgpIiwgYjY0X2RpcmVjdF92b2xfcGF0aCkKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDM6IHNvdXJjZTMgPSIsIHNvdXJjZTMpCgogICAgc291cmNlMyA9PSBpX21vdW50LnNvdXJjZQoKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDM6IHRydWUiKQp9CgojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjCiMgQ3JlYXRlIGNvbnRhaW5lciBTdG9yYWdlcwoKYWxsb3dfc3RvcmFnZXMocF9zdG9yYWdlcywgaV9zdG9yYWdlcywgYnVuZGxlX2lkLCBzYW5kYm94X2lkKSB7CiAgICBwX2NvdW50IDo9IGNvdW50KHBfc3RvcmFnZXMpCiAgICBpX2NvdW50IDo9IGNvdW50KGlfc3RvcmFnZXMpCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZXM6IHBfY291bnQgPSIsIHBfY291bnQsICJpX2NvdW50ID0iLCBpX2NvdW50KQoKICAgIHBfY291bnQgPT0gaV9jb3VudAoKICAgICMgR2V0IHRoZSBjb250YWluZXIgaW1hZ2UgbGF5ZXIgSURzIGFuZCB2ZXJpdHkgcm9vdCBoYXNoZXMsIGZyb20gdGhlICJvdmVybGF5ZnMiIHN0b3JhZ2UuCiAgICBzb21lIG92ZXJsYXlfc3RvcmFnZSBpbiBwX3N0b3JhZ2VzCiAgICBvdmVybGF5X3N0b3JhZ2UuZHJpdmVyID09ICJvdmVybGF5ZnMiCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZXM6IG92ZXJsYXlfc3RvcmFnZSA9Iiwgb3ZlcmxheV9zdG9yYWdlKQogICAgY291bnQob3ZlcmxheV9zdG9yYWdlLm9wdGlvbnMpID09IDIKCiAgICBsYXllcl9pZHMgOj0gc3BsaXQob3ZlcmxheV9zdG9yYWdlLm9wdGlvbnNbMF0sICI6IikKICAgIHByaW50KCJhbGxvd19zdG9yYWdlczogbGF5ZXJfaWRzID0iLCBsYXllcl9pZHMpCgogICAgcm9vdF9oYXNoZXMgOj0gc3BsaXQob3ZlcmxheV9zdG9yYWdlLm9wdGlvbnNbMV0sICI6IikKICAgIHByaW50KCJhbGxvd19zdG9yYWdlczogcm9vdF9oYXNoZXMgPSIsIHJvb3RfaGFzaGVzKQoKICAgIGV2ZXJ5IGlfc3RvcmFnZSBpbiBpX3N0b3JhZ2VzIHsKICAgICAgICBhbGxvd19zdG9yYWdlKHBfc3RvcmFnZXMsIGlfc3RvcmFnZSwgYnVuZGxlX2lkLCBzYW5kYm94X2lkLCBsYXllcl9pZHMsIHJvb3RfaGFzaGVzKQogICAgfQoKICAgIHByaW50KCJhbGxvd19zdG9yYWdlczogdHJ1ZSIpCn0KCmFsbG93X3N0b3JhZ2UocF9zdG9yYWdlcywgaV9zdG9yYWdlLCBidW5kbGVfaWQsIHNhbmRib3hfaWQsIGxheWVyX2lkcywgcm9vdF9oYXNoZXMpIHsKICAgIHNvbWUgcF9zdG9yYWdlIGluIHBfc3RvcmFnZXMKCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZTogcF9zdG9yYWdlID0iLCBwX3N0b3JhZ2UpCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZTogaV9zdG9yYWdlID0iLCBpX3N0b3JhZ2UpCgogICAgcF9zdG9yYWdlLmRyaXZlciAgICAgICAgICAgPT0gaV9zdG9yYWdlLmRyaXZlcgogICAgcF9zdG9yYWdlLmRyaXZlcl9vcHRpb25zICAgPT0gaV9zdG9yYWdlLmRyaXZlcl9vcHRpb25zCiAgICBwX3N0b3JhZ2UuZnNfZ3JvdXAgICAgICAgICA9PSBpX3N0b3JhZ2UuZnNfZ3JvdXAKCiAgICBhbGxvd19zdG9yYWdlX29wdGlvbnMocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGxheWVyX2lkcywgcm9vdF9oYXNoZXMpCiAgICBhbGxvd19tb3VudF9wb2ludChwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgYnVuZGxlX2lkLCBzYW5kYm94X2lkLCBsYXllcl9pZHMpCgogICAgIyBUT0RPOiB2YWxpZGF0ZSB0aGUgc291cmNlIGZpZWxkIHRvby4KCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZTogdHJ1ZSIpCn0KCmFsbG93X3N0b3JhZ2Vfb3B0aW9ucyhwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgbGF5ZXJfaWRzLCByb290X2hhc2hlcykgewogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAxOiBzdGFydCIpCgogICAgcF9zdG9yYWdlLmRyaXZlciAhPSAib3ZlcmxheWZzIgogICAgcF9zdG9yYWdlLm9wdGlvbnMgPT0gaV9zdG9yYWdlLm9wdGlvbnMKCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDE6IHRydWUiKQp9CmFsbG93X3N0b3JhZ2Vfb3B0aW9ucyhwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgbGF5ZXJfaWRzLCByb290X2hhc2hlcykgewogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAyOiBzdGFydCIpCgogICAgcF9zdG9yYWdlLmRyaXZlciA9PSAib3ZlcmxheWZzIgogICAgY291bnQocF9zdG9yYWdlLm9wdGlvbnMpID09IDIKCiAgICBwb2xpY3lfaWRzIDo9IHNwbGl0KHBfc3RvcmFnZS5vcHRpb25zWzBdLCAiOiIpCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDI6IHBvbGljeV9pZHMgPSIsIHBvbGljeV9pZHMpCiAgICBwb2xpY3lfaWRzID09IGxheWVyX2lkcwoKICAgIHBvbGljeV9oYXNoZXMgOj0gc3BsaXQocF9zdG9yYWdlLm9wdGlvbnNbMV0sICI6IikKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgMjogcG9saWN5X2hhc2hlcyA9IiwgcG9saWN5X2hhc2hlcykKCiAgICBwX2NvdW50IDo9IGNvdW50KHBvbGljeV9pZHMpCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDI6IHBfY291bnQgPSIsIHBfY291bnQpCiAgICBwX2NvdW50ID49IDEKICAgIHBfY291bnQgPT0gY291bnQocG9saWN5X2hhc2hlcykKCiAgICBpX2NvdW50IDo9IGNvdW50KGlfc3RvcmFnZS5vcHRpb25zKQogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAyOiBpX2NvdW50ID0iLCBpX2NvdW50KQogICAgaV9jb3VudCA9PSBwX2NvdW50ICsgMwoKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgMjogaV9zdG9yYWdlLm9wdGlvbnNbMF0gPSIsIGlfc3RvcmFnZS5vcHRpb25zWzBdKQogICAgaV9zdG9yYWdlLm9wdGlvbnNbMF0gPT0gImlvLmthdGFjb250YWluZXJzLmZzLW9wdC5sYXllci1zcmMtcHJlZml4PS92YXIvbGliL2NvbnRhaW5lcmQvaW8uY29udGFpbmVyZC5zbmFwc2hvdHRlci52MS50YXJkZXYvbGF5ZXJzIgoKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgMjogaV9zdG9yYWdlLm9wdGlvbnNbaV9jb3VudCAtIDJdID0iLCBpX3N0b3JhZ2Uub3B0aW9uc1tpX2NvdW50IC0gMl0pCiAgICBpX3N0b3JhZ2Uub3B0aW9uc1tpX2NvdW50IC0gMl0gPT0gImlvLmthdGFjb250YWluZXJzLmZzLW9wdC5vdmVybGF5LXJ3IgoKICAgIGxvd2VyZGlyIDo9IGNvbmNhdCgiPSIsIFsibG93ZXJkaXIiLCBwX3N0b3JhZ2Uub3B0aW9uc1swXV0pCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDI6IGxvd2VyZGlyID0iLCBsb3dlcmRpcikKCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDI6IGlfc3RvcmFnZS5vcHRpb25zW2lfY291bnQgLSAxXSA9IiwgaV9zdG9yYWdlLm9wdGlvbnNbaV9jb3VudCAtIDFdKQogICAgaV9zdG9yYWdlLm9wdGlvbnNbaV9jb3VudCAtIDFdID09IGxvd2VyZGlyCgogICAgZXZlcnkgaSwgcG9saWN5X2lkIGluIHBvbGljeV9pZHMgewogICAgICAgIGFsbG93X292ZXJsYXlfbGF5ZXIocG9saWN5X2lkLCBwb2xpY3lfaGFzaGVzW2ldLCBpX3N0b3JhZ2Uub3B0aW9uc1tpICsgMV0pCiAgICB9CgogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAyOiB0cnVlIikKfQphbGxvd19zdG9yYWdlX29wdGlvbnMocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGxheWVyX2lkcywgcm9vdF9oYXNoZXMpIHsKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgMzogc3RhcnQiKQoKICAgIHBfc3RvcmFnZS5kcml2ZXIgPT0gImJsayIKICAgIGNvdW50KHBfc3RvcmFnZS5vcHRpb25zKSA9PSAxCgogICAgc3RhcnRzd2l0aChwX3N0b3JhZ2Uub3B0aW9uc1swXSwgIiQoaGFzaCIpCiAgICBoYXNoX3N1ZmZpeCA6PSB0cmltX2xlZnQocF9zdG9yYWdlLm9wdGlvbnNbMF0sICIkKGhhc2giKQoKICAgIGVuZHN3aXRoKGhhc2hfc3VmZml4LCAiKSIpCiAgICBoYXNoX2luZGV4IDo9IHRyaW1fcmlnaHQoaGFzaF9zdWZmaXgsICIpIikKICAgIGkgOj0gdG9fbnVtYmVyKGhhc2hfaW5kZXgpCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDM6IGkgPSIsIGkpCgogICAgaGFzaF9vcHRpb24gOj0gY29uY2F0KCI9IiwgWyJpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoIiwgcm9vdF9oYXNoZXNbaV1dKQogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAzOiBoYXNoX29wdGlvbiA9IiwgaGFzaF9vcHRpb24pCgogICAgY291bnQoaV9zdG9yYWdlLm9wdGlvbnMpID09IDQKICAgIGlfc3RvcmFnZS5vcHRpb25zWzBdID09ICJybyIKICAgIGlfc3RvcmFnZS5vcHRpb25zWzFdID09ICJpby5rYXRhY29udGFpbmVycy5mcy1vcHQuYmxvY2tfZGV2aWNlPWZpbGUiCiAgICBpX3N0b3JhZ2Uub3B0aW9uc1syXSA9PSAiaW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmlzLWxheWVyIgogICAgaV9zdG9yYWdlLm9wdGlvbnNbM10gPT0gaGFzaF9vcHRpb24KCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDM6IHRydWUiKQp9CmFsbG93X3N0b3JhZ2Vfb3B0aW9ucyhwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgbGF5ZXJfaWRzLCByb290X2hhc2hlcykgewogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyA0OiBzdGFydCIpCgogICAgcF9zdG9yYWdlLmRyaXZlciA9PSAic21iIgogICAgcF9vcHRzX2NvdW50IDo9IGNvdW50KHBfc3RvcmFnZS5vcHRpb25zKQogICAgaV9vcHRzX2NvdW50IDo9IGNvdW50KGlfc3RvcmFnZS5vcHRpb25zKQogICAgaV9vcHRzX2NvdW50ID09IHBfb3B0c19jb3VudCArIDIKCiAgICBpX29wdF9tYXRjaGVzIDo9IFtpIHwgaSA6PSBpZHg7IGlkeCA8IHBfb3B0c19jb3VudDsgcF9zdG9yYWdlLm9wdGlvbnNbaWR4XSA9PSBpX3N0b3JhZ2Uub3B0aW9uc1tpZHhdXQogICAgY291bnQoaV9vcHRfbWF0Y2hlcykgPT0gcF9vcHRzX2NvdW50CgogICAgc3RhcnRzd2l0aChpX3N0b3JhZ2Uub3B0aW9uc1tpX29wdHNfY291bnQtMl0sICJhZGRyPSIpCiAgICBjcmVkcyA9IHNwbGl0KGlfc3RvcmFnZS5vcHRpb25zW2lfb3B0c19jb3VudC0xXSwgIiwiKQogICAgY291bnQoY3JlZHMpID09IDIKICAgIHN0YXJ0c3dpdGgoY3JlZHNbMF0sICJ1c2VybmFtZT0iKQogICAgc3RhcnRzd2l0aChjcmVkc1sxXSwgInBhc3N3b3JkPSIpCiAgICAKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgNDogdHJ1ZSIpCn0KCmFsbG93X292ZXJsYXlfbGF5ZXIocG9saWN5X2lkLCBwb2xpY3lfaGFzaCwgaV9vcHRpb24pIHsKICAgIHByaW50KCJhbGxvd19vdmVybGF5X2xheWVyOiBwb2xpY3lfaWQgPSIsIHBvbGljeV9pZCwgInBvbGljeV9oYXNoID0iLCBwb2xpY3lfaGFzaCkKICAgIHByaW50KCJhbGxvd19vdmVybGF5X2xheWVyOiBpX29wdGlvbiA9IiwgaV9vcHRpb24pCgogICAgc3RhcnRzd2l0aChpX29wdGlvbiwgImlvLmthdGFjb250YWluZXJzLmZzLW9wdC5sYXllcj0iKQogICAgaV92YWx1ZSA6PSByZXBsYWNlKGlfb3B0aW9uLCAiaW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmxheWVyPSIsICIiKQogICAgaV92YWx1ZV9kZWNvZGVkIDo9IGJhc2U2NC5kZWNvZGUoaV92YWx1ZSkKICAgIHByaW50KCJhbGxvd19vdmVybGF5X2xheWVyOiBpX3ZhbHVlX2RlY29kZWQgPSIsIGlfdmFsdWVfZGVjb2RlZCkKCiAgICBwb2xpY3lfc3VmZml4IDo9IGNvbmNhdCgiPSIsIFsidGFyLHJvLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5ibG9ja19kZXZpY2U9ZmlsZSxpby5rYXRhY29udGFpbmVycy5mcy1vcHQuaXMtbGF5ZXIsaW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LnJvb3QtaGFzaCIsIHBvbGljeV9oYXNoXSkKICAgIHBfdmFsdWUgOj0gY29uY2F0KCIsIiwgW3BvbGljeV9pZCwgcG9saWN5X3N1ZmZpeF0pCiAgICBwcmludCgiYWxsb3dfb3ZlcmxheV9sYXllcjogcF92YWx1ZSA9IiwgcF92YWx1ZSkKCiAgICBwX3ZhbHVlID09IGlfdmFsdWVfZGVjb2RlZAoKICAgIHByaW50KCJhbGxvd19vdmVybGF5X2xheWVyOiB0cnVlIikKfQoKYWxsb3dfbW91bnRfcG9pbnQocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCwgbGF5ZXJfaWRzKSB7CiAgICBwX3N0b3JhZ2UuZnN0eXBlID09ICJ0YXIiCgogICAgc3RhcnRzd2l0aChwX3N0b3JhZ2UubW91bnRfcG9pbnQsICIkKGxheWVyIikKICAgIG1vdW50X3N1ZmZpeCA6PSB0cmltX2xlZnQocF9zdG9yYWdlLm1vdW50X3BvaW50LCAiJChsYXllciIpCgogICAgZW5kc3dpdGgobW91bnRfc3VmZml4LCAiKSIpCiAgICBsYXllcl9pbmRleCA6PSB0cmltX3JpZ2h0KG1vdW50X3N1ZmZpeCwgIikiKQogICAgaSA6PSB0b19udW1iZXIobGF5ZXJfaW5kZXgpCiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgMTogaSA9IiwgaSkKCiAgICBsYXllcl9pZCA6PSBsYXllcl9pZHNbaV0KICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAxOiBsYXllcl9pZCA9IiwgbGF5ZXJfaWQpCgogICAgcF9tb3VudCA6PSBjb25jYXQoIi8iLCBbIi9ydW4va2F0YS1jb250YWluZXJzL3NhbmRib3gvbGF5ZXJzIiwgbGF5ZXJfaWRdKQogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDE6IHBfbW91bnQgPSIsIHBfbW91bnQpCgogICAgcF9tb3VudCA9PSBpX3N0b3JhZ2UubW91bnRfcG9pbnQKCiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgMTogdHJ1ZSIpCn0KYWxsb3dfbW91bnRfcG9pbnQocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCwgbGF5ZXJfaWRzKSB7CiAgICBwX3N0b3JhZ2UuZnN0eXBlID09ICJmdXNlMy5rYXRhLW92ZXJsYXkiCgogICAgbW91bnQxIDo9IHJlcGxhY2UocF9zdG9yYWdlLm1vdW50X3BvaW50LCAiJChjcGF0aCkiLCBwb2xpY3lfZGF0YS5jb21tb24uY3BhdGgpCiAgICBtb3VudDIgOj0gcmVwbGFjZShtb3VudDEsICIkKGJ1bmRsZS1pZCkiLCBidW5kbGVfaWQpCiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgMjogbW91bnQyID0iLCBtb3VudDIpCgogICAgbW91bnQyID09IGlfc3RvcmFnZS5tb3VudF9wb2ludAoKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAyOiB0cnVlIikKfQphbGxvd19tb3VudF9wb2ludChwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgYnVuZGxlX2lkLCBzYW5kYm94X2lkLCBsYXllcl9pZHMpIHsKICAgIHBfc3RvcmFnZS5mc3R5cGUgPT0gImxvY2FsIgoKICAgIG1vdW50MSA6PSBwX3N0b3JhZ2UubW91bnRfcG9pbnQKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAzOiBtb3VudDEgPSIsIG1vdW50MSkKCiAgICBtb3VudDIgOj0gcmVwbGFjZShtb3VudDEsICIkKGNwYXRoKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5jcGF0aCkKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAzOiBtb3VudDIgPSIsIG1vdW50MikKCiAgICBtb3VudDMgOj0gcmVwbGFjZShtb3VudDIsICIkKHNhbmRib3gtaWQpIiwgc2FuZGJveF9pZCkKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAzOiBtb3VudDMgPSIsIG1vdW50MykKCiAgICByZWdleC5tYXRjaChtb3VudDMsIGlfc3RvcmFnZS5tb3VudF9wb2ludCkKCiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgMzogdHJ1ZSIpCn0KYWxsb3dfbW91bnRfcG9pbnQocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCwgbGF5ZXJfaWRzKSB7CiAgICBwX3N0b3JhZ2UuZnN0eXBlID09ICJiaW5kIgoKICAgIG1vdW50MSA6PSBwX3N0b3JhZ2UubW91bnRfcG9pbnQKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA0OiBtb3VudDEgPSIsIG1vdW50MSkKCiAgICBtb3VudDIgOj0gcmVwbGFjZShtb3VudDEsICIkKGNwYXRoKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5jcGF0aCkKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA0OiBtb3VudDIgPSIsIG1vdW50MikKCiAgICBtb3VudDMgOj0gcmVwbGFjZShtb3VudDIsICIkKGJ1bmRsZS1pZCkiLCBidW5kbGVfaWQpCiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgNDogbW91bnQzID0iLCBtb3VudDMpCgogICAgcmVnZXgubWF0Y2gobW91bnQzLCBpX3N0b3JhZ2UubW91bnRfcG9pbnQpCgogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDQ6IHRydWUiKQp9CmFsbG93X21vdW50X3BvaW50KHBfc3RvcmFnZSwgaV9zdG9yYWdlLCBidW5kbGVfaWQsIHNhbmRib3hfaWQsIGxheWVyX2lkcykgewogICAgcF9zdG9yYWdlLmZzdHlwZSA9PSAidG1wZnMiCgogICAgbW91bnQxIDo9IHBfc3RvcmFnZS5tb3VudF9wb2ludAogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDU6IG1vdW50MSA9IiwgbW91bnQxKQoKICAgIHJlZ2V4Lm1hdGNoKG1vdW50MSwgaV9zdG9yYWdlLm1vdW50X3BvaW50KQoKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA1OiB0cnVlIikKfQphbGxvd19tb3VudF9wb2ludChwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgYnVuZGxlX2lkLCBzYW5kYm94X2lkLCBsYXllcl9pZHMpIHsKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA2OiBpX3N0b3JhZ2UubW91bnRfcG9pbnQgPSIsIGlfc3RvcmFnZS5tb3VudF9wb2ludCkKICAgIGFsbG93X2RpcmVjdF92b2xfZHJpdmVyKHBfc3RvcmFnZSwgaV9zdG9yYWdlKQoKICAgIG1vdW50MSA6PSBwX3N0b3JhZ2UubW91bnRfcG9pbnQKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA2OiBtb3VudDEgPSIsIG1vdW50MSkKCiAgICBtb3VudDIgOj0gcmVwbGFjZShtb3VudDEsICIkKHNwYXRoKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5zcGF0aCkKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA2OiBtb3VudDIgPSIsIG1vdW50MikKCiAgICBkaXJlY3Rfdm9sX3BhdGggOj0gaV9zdG9yYWdlLnNvdXJjZQogICAgbW91bnQzIDo9IHJlcGxhY2UobW91bnQyLCAiJChiNjQtZGlyZWN0LXZvbC1wYXRoKSIsIGJhc2U2NHVybC5lbmNvZGUoZGlyZWN0X3ZvbF9wYXRoKSkKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA2OiBtb3VudDMgPSIsIG1vdW50MykKCiAgICBtb3VudDMgPT0gaV9zdG9yYWdlLm1vdW50X3BvaW50CgogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDY6IHRydWUiKQp9CgphbGxvd19kaXJlY3Rfdm9sX2RyaXZlcihwX3N0b3JhZ2UsIGlfc3RvcmFnZSkgewogICAgcHJpbnQoImFsbG93X2RpcmVjdF92b2xfZHJpdmVyIDE6IHN0YXJ0IikKICAgIHBfc3RvcmFnZS5kcml2ZXIgPT0gImJsayIKICAgIHByaW50KCJhbGxvd19kaXJlY3Rfdm9sX2RyaXZlciAxOiB0cnVlIikKfQphbGxvd19kaXJlY3Rfdm9sX2RyaXZlcihwX3N0b3JhZ2UsIGlfc3RvcmFnZSkgewogICAgcHJpbnQoImFsbG93X2RpcmVjdF92b2xfZHJpdmVyIDI6IHN0YXJ0IikKICAgIHBfc3RvcmFnZS5kcml2ZXIgPT0gInNtYiIKICAgIHByaW50KCJhbGxvd19kaXJlY3Rfdm9sX2RyaXZlciAyOiB0cnVlIikKfQoKIyBFeGVjUHJvY2Vzc1JlcXVlc3QucHJvY2Vzcy5DYXBhYmlsaXRpZXMKYWxsb3dfZXhlY19jYXBzKGlfY2FwcykgewogICAgbm90IGlfY2Fwcy5BbWJpZW50CiAgICBub3QgaV9jYXBzLkJvdW5kaW5nCiAgICBub3QgaV9jYXBzLkVmZmVjdGl2ZQogICAgbm90IGlfY2Fwcy5Jbmhlcml0YWJsZQogICAgbm90IGlfY2Fwcy5QZXJtaXR0ZWQKfQoKIyBPQ0kuUHJvY2Vzcy5DYXBhYmlsaXRpZXMKYWxsb3dfY2FwcyhwX2NhcHMsIGlfY2FwcykgewogICAgcHJpbnQoImFsbG93X2NhcHM6IHBvbGljeSBBbWJpZW50ID0iLCBwX2NhcHMuQW1iaWVudCkKICAgIHByaW50KCJhbGxvd19jYXBzOiBpbnB1dCBBbWJpZW50ID0iLCBpX2NhcHMuQW1iaWVudCkKICAgIG1hdGNoX2NhcHMocF9jYXBzLkFtYmllbnQsIGlfY2Fwcy5BbWJpZW50KQoKICAgIHByaW50KCJhbGxvd19jYXBzOiBwb2xpY3kgQm91bmRpbmcgPSIsIHBfY2Fwcy5Cb3VuZGluZykKICAgIHByaW50KCJhbGxvd19jYXBzOiBpbnB1dCBCb3VuZGluZyA9IiwgaV9jYXBzLkJvdW5kaW5nKQogICAgbWF0Y2hfY2FwcyhwX2NhcHMuQm91bmRpbmcsIGlfY2Fwcy5Cb3VuZGluZykKCiAgICBwcmludCgiYWxsb3dfY2FwczogcG9saWN5IEVmZmVjdGl2ZSA9IiwgcF9jYXBzLkVmZmVjdGl2ZSkKICAgIHByaW50KCJhbGxvd19jYXBzOiBpbnB1dCBFZmZlY3RpdmUgPSIsIGlfY2Fwcy5FZmZlY3RpdmUpCiAgICBtYXRjaF9jYXBzKHBfY2Fwcy5FZmZlY3RpdmUsIGlfY2Fwcy5FZmZlY3RpdmUpCgogICAgcHJpbnQoImFsbG93X2NhcHM6IHBvbGljeSBJbmhlcml0YWJsZSA9IiwgcF9jYXBzLkluaGVyaXRhYmxlKQogICAgcHJpbnQoImFsbG93X2NhcHM6IGlucHV0IEluaGVyaXRhYmxlID0iLCBpX2NhcHMuSW5oZXJpdGFibGUpCiAgICBtYXRjaF9jYXBzKHBfY2Fwcy5Jbmhlcml0YWJsZSwgaV9jYXBzLkluaGVyaXRhYmxlKQoKICAgIHByaW50KCJhbGxvd19jYXBzOiBwb2xpY3kgUGVybWl0dGVkID0iLCBwX2NhcHMuUGVybWl0dGVkKQogICAgcHJpbnQoImFsbG93X2NhcHM6IGlucHV0IFBlcm1pdHRlZCA9IiwgaV9jYXBzLlBlcm1pdHRlZCkKICAgIG1hdGNoX2NhcHMocF9jYXBzLlBlcm1pdHRlZCwgaV9jYXBzLlBlcm1pdHRlZCkKfQoKbWF0Y2hfY2FwcyhwX2NhcHMsIGlfY2FwcykgewogICAgcHJpbnQoIm1hdGNoX2NhcHMgMTogc3RhcnQiKQoKICAgIHBfY2FwcyA9PSBpX2NhcHMKCiAgICBwcmludCgibWF0Y2hfY2FwcyAxOiB0cnVlIikKfQptYXRjaF9jYXBzKHBfY2FwcywgaV9jYXBzKSB7CiAgICBwcmludCgibWF0Y2hfY2FwcyAyOiBzdGFydCIpCgogICAgY291bnQocF9jYXBzKSA9PSAxCiAgICBwX2NhcHNbMF0gPT0gIiQoZGVmYXVsdF9jYXBzKSIKCiAgICBwcmludCgibWF0Y2hfY2FwcyAyOiBkZWZhdWx0X2NhcHMgPSIsIHBvbGljeV9kYXRhLmNvbW1vbi5kZWZhdWx0X2NhcHMpCiAgICBwb2xpY3lfZGF0YS5jb21tb24uZGVmYXVsdF9jYXBzID09IGlfY2FwcwoKICAgIHByaW50KCJtYXRjaF9jYXBzIDI6IHRydWUiKQp9Cm1hdGNoX2NhcHMocF9jYXBzLCBpX2NhcHMpIHsKICAgIHByaW50KCJtYXRjaF9jYXBzIDM6IHN0YXJ0IikKCiAgICBjb3VudChwX2NhcHMpID09IDEKICAgIHBfY2Fwc1swXSA9PSAiJChwcml2aWxlZ2VkX2NhcHMpIgoKICAgIHByaW50KCJtYXRjaF9jYXBzIDM6IHByaXZpbGVnZWRfY2FwcyA9IiwgcG9saWN5X2RhdGEuY29tbW9uLnByaXZpbGVnZWRfY2FwcykKICAgIHBvbGljeV9kYXRhLmNvbW1vbi5wcml2aWxlZ2VkX2NhcHMgPT0gaV9jYXBzCgogICAgcHJpbnQoIm1hdGNoX2NhcHMgMzogdHJ1ZSIpCn0KCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMKY2hlY2tfZGlyZWN0b3J5X3RyYXZlcnNhbChpX3BhdGgpIHsKICAgIGNvbnRhaW5zKGlfcGF0aCwgIi4uLyIpID09IGZhbHNlCiAgICBlbmRzd2l0aChpX3BhdGgsICIvLi4iKSA9PSBmYWxzZQp9CgpjaGVja19zeW1saW5rX3NvdXJjZShpX3NyYykgewogICAgaV9zcmMgPT0gIiIKICAgIHByaW50KCJjaGVja19zeW1saW5rX3NvdXJjZSAxOiB0cnVlIikKfQpjaGVja19zeW1saW5rX3NvdXJjZShpX3NyYykgewogICAgaV9zcmMgIT0gIiIKICAgIHByaW50KCJjaGVja19zeW1saW5rX3NvdXJjZSAyOiBpX3NyYyA9IiwgaV9zcmMpCgogICAgcmVnZXgubWF0Y2gocG9saWN5X2RhdGEuY29tbW9uLnNfc291cmNlMSwgaV9zcmMpCgogICAgcHJpbnQoImNoZWNrX3N5bWxpbmtfc291cmNlIDI6IHRydWUiKQp9CmNoZWNrX3N5bWxpbmtfc291cmNlKGlfc3JjKSB7CiAgICBpX3NyYyAhPSAiIgogICAgcHJpbnQoImNoZWNrX3N5bWxpbmtfc291cmNlIDM6IGlfc3JjID0iLCBpX3NyYykKCiAgICByZWdleC5tYXRjaChwb2xpY3lfZGF0YS5jb21tb24uc19zb3VyY2UyLCBpX3NyYykKICAgIGNoZWNrX2RpcmVjdG9yeV90cmF2ZXJzYWwoaV9zcmMpCgogICAgcHJpbnQoImNoZWNrX3N5bWxpbmtfc291cmNlIDM6IHRydWUiKQp9CgphbGxvd19zYW5kYm94X3N0b3JhZ2VzKGlfc3RvcmFnZXMpIHsKICAgIHByaW50KCJhbGxvd19zYW5kYm94X3N0b3JhZ2VzOiBpX3N0b3JhZ2VzID0iLCBpX3N0b3JhZ2VzKQoKICAgIHBfc3RvcmFnZXMgOj0gcG9saWN5X2RhdGEuc2FuZGJveC5zdG9yYWdlcwogICAgZXZlcnkgaV9zdG9yYWdlIGluIGlfc3RvcmFnZXMgewogICAgICAgIGFsbG93X3NhbmRib3hfc3RvcmFnZShwX3N0b3JhZ2VzLCBpX3N0b3JhZ2UpCiAgICB9CgogICAgcHJpbnQoImFsbG93X3NhbmRib3hfc3RvcmFnZXM6IHRydWUiKQp9CgphbGxvd19zYW5kYm94X3N0b3JhZ2UocF9zdG9yYWdlcywgaV9zdG9yYWdlKSB7CiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9zdG9yYWdlOiBpX3N0b3JhZ2UgPSIsIGlfc3RvcmFnZSkKCiAgICBzb21lIHBfc3RvcmFnZSBpbiBwX3N0b3JhZ2VzCiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9zdG9yYWdlOiBwX3N0b3JhZ2UgPSIsIHBfc3RvcmFnZSkKICAgIGlfc3RvcmFnZSA9PSBwX3N0b3JhZ2UKCiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9zdG9yYWdlOiB0cnVlIikKfQoKQ29weUZpbGVSZXF1ZXN0IHsKICAgIHByaW50KCJDb3B5RmlsZVJlcXVlc3Q6IGlucHV0LnBhdGggPSIsIGlucHV0LnBhdGgpCgogICAgY2hlY2tfc3ltbGlua19zb3VyY2UoaW5wdXQuc3ltbGlua19zcmMpCiAgICBjaGVja19kaXJlY3RvcnlfdHJhdmVyc2FsKGlucHV0LnBhdGgpCgogICAgc29tZSByZWdleDEgaW4gcG9saWN5X2RhdGEucmVxdWVzdF9kZWZhdWx0cy5Db3B5RmlsZVJlcXVlc3QKICAgIHJlZ2V4MiA6PSByZXBsYWNlKHJlZ2V4MSwgIiQoc2ZwcmVmaXgpIiwgcG9saWN5X2RhdGEuY29tbW9uLnNmcHJlZml4KQogICAgcmVnZXgzIDo9IHJlcGxhY2UocmVnZXgyLCAiJChjcGF0aCkiLCBwb2xpY3lfZGF0YS5jb21tb24uY3BhdGgpCiAgICByZWdleDQgOj0gcmVwbGFjZShyZWdleDMsICIkKGJ1bmRsZS1pZCkiLCBCVU5ETEVfSUQpCiAgICBwcmludCgiQ29weUZpbGVSZXF1ZXN0OiByZWdleDQgPSIsIHJlZ2V4NCkKCiAgICByZWdleC5tYXRjaChyZWdleDQsIGlucHV0LnBhdGgpCgogICAgcHJpbnQoIkNvcHlGaWxlUmVxdWVzdDogdHJ1ZSIpCn0KCkNyZWF0ZVNhbmRib3hSZXF1ZXN0IHsKICAgIHByaW50KCJDcmVhdGVTYW5kYm94UmVxdWVzdDogaW5wdXQuZ3Vlc3RfaG9va19wYXRoID0iLCBpbnB1dC5ndWVzdF9ob29rX3BhdGgpCiAgICBjb3VudChpbnB1dC5ndWVzdF9ob29rX3BhdGgpID09IDAKCiAgICBwcmludCgiQ3JlYXRlU2FuZGJveFJlcXVlc3Q6IGlucHV0Lmtlcm5lbF9tb2R1bGVzID0iLCBpbnB1dC5rZXJuZWxfbW9kdWxlcykKICAgIGNvdW50KGlucHV0Lmtlcm5lbF9tb2R1bGVzKSA9PSAwCgogICAgaV9waWRucyA6PSBpbnB1dC5zYW5kYm94X3BpZG5zCiAgICBwcmludCgiQ3JlYXRlU2FuZGJveFJlcXVlc3Q6IGlfcGlkbnMgPSIsIGlfcGlkbnMpCiAgICBpX3BpZG5zID09IGZhbHNlCgogICAgYWxsb3dfc2FuZGJveF9zdG9yYWdlcyhpbnB1dC5zdG9yYWdlcykKfQoKYWxsb3dfZXhlYyhwX2NvbnRhaW5lciwgaV9wcm9jZXNzKSB7CiAgICBwcmludCgiYWxsb3dfZXhlYzogc3RhcnQiKQoKICAgIHBfb2NpID0gcF9jb250YWluZXIuT0NJCiAgICBwX3NfbmFtZSA9IHBfb2NpLkFubm90YXRpb25zW1NfTkFNRV9LRVldCiAgICBzX25hbWVzcGFjZSA9IGdldF9zdGF0ZV92YWwoIm5hbWVzcGFjZSIpCiAgICBhbGxvd19wcm9iZV9wcm9jZXNzKHBfb2NpLlByb2Nlc3MsIGlfcHJvY2VzcywgcF9zX25hbWUsIHNfbmFtZXNwYWNlKQoKICAgIHByaW50KCJhbGxvd19leGVjOiB0cnVlIikKfQoKYWxsb3dfaW50ZXJhY3RpdmVfZXhlYyhwX2NvbnRhaW5lciwgaV9wcm9jZXNzKSB7CiAgICBwcmludCgiYWxsb3dfaW50ZXJhY3RpdmVfZXhlYzogc3RhcnQiKQoKICAgIHBfb2NpID0gcF9jb250YWluZXIuT0NJCiAgICBwX3NfbmFtZSA9IHBfb2NpLkFubm90YXRpb25zW1NfTkFNRV9LRVldCiAgICBzX25hbWVzcGFjZSA9IGdldF9zdGF0ZV92YWwoIm5hbWVzcGFjZSIpCiAgICBhbGxvd19pbnRlcmFjdGl2ZV9wcm9jZXNzKHBfb2NpLlByb2Nlc3MsIGlfcHJvY2VzcywgcF9zX25hbWUsIHNfbmFtZXNwYWNlKQoKICAgIHByaW50KCJhbGxvd19pbnRlcmFjdGl2ZV9leGVjOiB0cnVlIikKfQoKIyBUT0RPOiBzaG91bGQgb3RoZXIgRXhlY1Byb2Nlc3NSZXF1ZXN0IGlucHV0IGRhdGEgZmllbGRzIGJlIHZhbGlkYXRlZCBhcyB3ZWxsPwpFeGVjUHJvY2Vzc1JlcXVlc3QgewogICAgcHJpbnQoIkV4ZWNQcm9jZXNzUmVxdWVzdCAxOiBpbnB1dCA9IiwgaW5wdXQpCgogICAgaV9jb21tYW5kID0gY29uY2F0KCIgIiwgaW5wdXQucHJvY2Vzcy5BcmdzKQogICAgcHJpbnQoIkV4ZWNQcm9jZXNzUmVxdWVzdCAxOiBpX2NvbW1hbmQgPSIsIGlfY29tbWFuZCkKCiAgICBzb21lIHBfY29tbWFuZCBpbiBwb2xpY3lfZGF0YS5yZXF1ZXN0X2RlZmF1bHRzLkV4ZWNQcm9jZXNzUmVxdWVzdC5jb21tYW5kcwogICAgcHJpbnQoIkV4ZWNQcm9jZXNzUmVxdWVzdCAxOiBwX2NvbW1hbmQgPSIsIHBfY29tbWFuZCkKICAgIHBfY29tbWFuZCA9PSBpX2NvbW1hbmQKCiAgICAjIFRPRE86IG1hdGNoIHBfY29udGFpbmVyJ3MgSUQgd2l0aCB0aGUgaW5wdXQgY29udGFpbmVyX2lkLgogICAgc29tZSBwX2NvbnRhaW5lciBpbiBwb2xpY3lfZGF0YS5jb250YWluZXJzCiAgICBhbGxvd19pbnRlcmFjdGl2ZV9leGVjKHBfY29udGFpbmVyLCBpbnB1dC5wcm9jZXNzKQoKICAgIHByaW50KCJFeGVjUHJvY2Vzc1JlcXVlc3QgMTogdHJ1ZSIpCn0KRXhlY1Byb2Nlc3NSZXF1ZXN0IHsKICAgIHByaW50KCJFeGVjUHJvY2Vzc1JlcXVlc3QgMjogaW5wdXQgPSIsIGlucHV0KQoKICAgICMgVE9ETzogbWF0Y2ggaW5wdXQgY29udGFpbmVyIElEIHdpdGggaXRzIGNvcnJlc3BvbmRpbmcgY29udGFpbmVyLmV4ZWNfY29tbWFuZHMuCiAgICBpX2NvbW1hbmQgPSBjb25jYXQoIiAiLCBpbnB1dC5wcm9jZXNzLkFyZ3MpCiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDI6IGlfY29tbWFuZCA9IiwgaV9jb21tYW5kKQoKICAgICMgVE9ETzogbWF0Y2ggcF9jb250YWluZXIncyBJRCB3aXRoIHRoZSBpbnB1dCBjb250YWluZXJfaWQuCiAgICBzb21lIHBfY29udGFpbmVyIGluIHBvbGljeV9kYXRhLmNvbnRhaW5lcnMKICAgIHNvbWUgcF9jb21tYW5kIGluIHBfY29udGFpbmVyLmV4ZWNfY29tbWFuZHMKICAgIHByaW50KCJFeGVjUHJvY2Vzc1JlcXVlc3QgMjogcF9jb21tYW5kID0iLCBwX2NvbW1hbmQpCiAgICBwX2NvbW1hbmQgPT0gaV9jb21tYW5kCgogICAgYWxsb3dfZXhlYyhwX2NvbnRhaW5lciwgaW5wdXQucHJvY2VzcykKCiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDI6IHRydWUiKQp9CkV4ZWNQcm9jZXNzUmVxdWVzdCB7CiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDM6IGlucHV0ID0iLCBpbnB1dCkKCiAgICBpX2NvbW1hbmQgPSBjb25jYXQoIiAiLCBpbnB1dC5wcm9jZXNzLkFyZ3MpCiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDM6IGlfY29tbWFuZCA9IiwgaV9jb21tYW5kKQoKICAgIHNvbWUgcF9yZWdleCBpbiBwb2xpY3lfZGF0YS5yZXF1ZXN0X2RlZmF1bHRzLkV4ZWNQcm9jZXNzUmVxdWVzdC5yZWdleAogICAgcHJpbnQoIkV4ZWNQcm9jZXNzUmVxdWVzdCAzOiBwX3JlZ2V4ID0iLCBwX3JlZ2V4KQoKICAgIHJlZ2V4Lm1hdGNoKHBfcmVnZXgsIGlfY29tbWFuZCkKCiAgICAjIFRPRE86IG1hdGNoIHBfY29udGFpbmVyJ3MgSUQgd2l0aCB0aGUgaW5wdXQgY29udGFpbmVyX2lkLgogICAgc29tZSBwX2NvbnRhaW5lciBpbiBwb2xpY3lfZGF0YS5jb250YWluZXJzCiAgICBhbGxvd19pbnRlcmFjdGl2ZV9leGVjKHBfY29udGFpbmVyLCBpbnB1dC5wcm9jZXNzKQoKICAgIHByaW50KCJFeGVjUHJvY2Vzc1JlcXVlc3QgMzogdHJ1ZSIpCn0KCkNsb3NlU3RkaW5SZXF1ZXN0IHsKICAgIHBvbGljeV9kYXRhLnJlcXVlc3RfZGVmYXVsdHMuQ2xvc2VTdGRpblJlcXVlc3QgPT0gdHJ1ZQp9CgpSZWFkU3RyZWFtUmVxdWVzdCB7CiAgICBwb2xpY3lfZGF0YS5yZXF1ZXN0X2RlZmF1bHRzLlJlYWRTdHJlYW1SZXF1ZXN0ID09IHRydWUKfQoKVXBkYXRlRXBoZW1lcmFsTW91bnRzUmVxdWVzdCB7CiAgICBwb2xpY3lfZGF0YS5yZXF1ZXN0X2RlZmF1bHRzLlVwZGF0ZUVwaGVtZXJhbE1vdW50c1JlcXVlc3QgPT0gdHJ1ZQp9CgpXcml0ZVN0cmVhbVJlcXVlc3QgewogICAgcG9saWN5X2RhdGEucmVxdWVzdF9kZWZhdWx0cy5Xcml0ZVN0cmVhbVJlcXVlc3QgPT0gdHJ1ZQp9CnBvbGljeV9kYXRhIDo9IHsKICAiY29udGFpbmVycyI6IFsKICAgIHsKICAgICAgIk9DSSI6IHsKICAgICAgICAiVmVyc2lvbiI6ICIxLjEuMC1yYy4xIiwKICAgICAgICAiUHJvY2VzcyI6IHsKICAgICAgICAgICJUZXJtaW5hbCI6IGZhbHNlLAogICAgICAgICAgIlVzZXIiOiB7CiAgICAgICAgICAgICJVSUQiOiA2NTUzNSwKICAgICAgICAgICAgIkdJRCI6IDY1NTM1LAogICAgICAgICAgICAiQWRkaXRpb25hbEdpZHMiOiBbXSwKICAgICAgICAgICAgIlVzZXJuYW1lIjogIiIKICAgICAgICAgIH0sCiAgICAgICAgICAiQXJncyI6IFsKICAgICAgICAgICAgIi9wYXVzZSIKICAgICAgICAgIF0sCiAgICAgICAgICAiRW52IjogWwogICAgICAgICAgICAiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iCiAgICAgICAgICBdLAogICAgICAgICAgIkN3ZCI6ICIvIiwKICAgICAgICAgICJDYXBhYmlsaXRpZXMiOiB7CiAgICAgICAgICAgICJBbWJpZW50IjogW10sCiAgICAgICAgICAgICJCb3VuZGluZyI6IFsKICAgICAgICAgICAgICAiJChkZWZhdWx0X2NhcHMpIgogICAgICAgICAgICBdLAogICAgICAgICAgICAiRWZmZWN0aXZlIjogWwogICAgICAgICAgICAgICIkKGRlZmF1bHRfY2FwcykiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJJbmhlcml0YWJsZSI6IFtdLAogICAgICAgICAgICAiUGVybWl0dGVkIjogWwogICAgICAgICAgICAgICIkKGRlZmF1bHRfY2FwcykiCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICAiTm9OZXdQcml2aWxlZ2VzIjogdHJ1ZQogICAgICAgIH0sCiAgICAgICAgIlJvb3QiOiB7CiAgICAgICAgICAiUGF0aCI6ICIkKGNwYXRoKS8kKGJ1bmRsZS1pZCkiLAogICAgICAgICAgIlJlYWRvbmx5IjogdHJ1ZQogICAgICAgIH0sCiAgICAgICAgIk1vdW50cyI6IFsKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9wcm9jIiwKICAgICAgICAgICAgInNvdXJjZSI6ICJwcm9jIiwKICAgICAgICAgICAgInR5cGVfIjogInByb2MiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICAgICAibm9leGVjIiwKICAgICAgICAgICAgICAibm9kZXYiCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvZGV2IiwKICAgICAgICAgICAgInNvdXJjZSI6ICJ0bXBmcyIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJ0bXBmcyIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJub3N1aWQiLAogICAgICAgICAgICAgICJzdHJpY3RhdGltZSIsCiAgICAgICAgICAgICAgIm1vZGU9NzU1IiwKICAgICAgICAgICAgICAic2l6ZT02NTUzNmsiCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvZGV2L3B0cyIsCiAgICAgICAgICAgICJzb3VyY2UiOiAiZGV2cHRzIiwKICAgICAgICAgICAgInR5cGVfIjogImRldnB0cyIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJub3N1aWQiLAogICAgICAgICAgICAgICJub2V4ZWMiLAogICAgICAgICAgICAgICJuZXdpbnN0YW5jZSIsCiAgICAgICAgICAgICAgInB0bXhtb2RlPTA2NjYiLAogICAgICAgICAgICAgICJtb2RlPTA2MjAiLAogICAgICAgICAgICAgICJnaWQ9NSIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9kZXYvc2htIiwKICAgICAgICAgICAgInNvdXJjZSI6ICIvcnVuL2thdGEtY29udGFpbmVycy9zYW5kYm94L3NobSIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJiaW5kIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgInJiaW5kIgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL2Rldi9tcXVldWUiLAogICAgICAgICAgICAic291cmNlIjogIm1xdWV1ZSIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJtcXVldWUiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICAgICAibm9leGVjIiwKICAgICAgICAgICAgICAibm9kZXYiCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvc3lzIiwKICAgICAgICAgICAgInNvdXJjZSI6ICJzeXNmcyIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJzeXNmcyIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJub3N1aWQiLAogICAgICAgICAgICAgICJub2V4ZWMiLAogICAgICAgICAgICAgICJub2RldiIsCiAgICAgICAgICAgICAgInJvIgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL2V0Yy9yZXNvbHYuY29uZiIsCiAgICAgICAgICAgICJzb3VyY2UiOiAiJChzZnByZWZpeClyZXNvbHYuY29uZiQiLAogICAgICAgICAgICAidHlwZV8iOiAiYmluZCIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJyYmluZCIsCiAgICAgICAgICAgICAgInJvIiwKICAgICAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICAgICAibm9kZXYiLAogICAgICAgICAgICAgICJub2V4ZWMiCiAgICAgICAgICAgIF0KICAgICAgICAgIH0KICAgICAgICBdLAogICAgICAgICJBbm5vdGF0aW9ucyI6IHsKICAgICAgICAgICJpby5rYXRhY29udGFpbmVycy5wa2cub2NpLmJ1bmRsZV9wYXRoIjogIi9ydW4vY29udGFpbmVyZC9pby5jb250YWluZXJkLnJ1bnRpbWUudjIudGFzay9rOHMuaW8vJChidW5kbGUtaWQpIiwKICAgICAgICAgICJpby5rYXRhY29udGFpbmVycy5wa2cub2NpLmNvbnRhaW5lcl90eXBlIjogInBvZF9zYW5kYm94IiwKICAgICAgICAgICJpby5rdWJlcm5ldGVzLmNyaS5jb250YWluZXItdHlwZSI6ICJzYW5kYm94IiwKICAgICAgICAgICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LWlkIjogIl5bYS16MC05XXs2NH0kIiwKICAgICAgICAgICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LWxvZy1kaXJlY3RvcnkiOiAiXi92YXIvbG9nL3BvZHMvJChzYW5kYm94LW5hbWVzcGFjZSlfJChzYW5kYm94LW5hbWUpX1swLTlhLWZdezh9LVswLTlhLWZdezR9LVswLTlhLWZdezR9LVswLTlhLWZdezR9LVswLTlhLWZdezEyfSQiLAogICAgICAgICAgImlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtbmFtZSI6ICJleGVjLXRlc3QiLAogICAgICAgICAgImlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtbmFtZXNwYWNlIjogIiIsCiAgICAgICAgICAibmVyZGN0bC9uZXR3b3JrLW5hbWVzcGFjZSI6ICJeL3Zhci9ydW4vbmV0bnMvY25pLVswLTlhLWZdezh9LVswLTlhLWZdezR9LVswLTlhLWZdezR9LVswLTlhLWZdezR9LVswLTlhLWZdezEyfSQiCiAgICAgICAgfSwKICAgICAgICAiTGludXgiOiB7CiAgICAgICAgICAiTmFtZXNwYWNlcyI6IFsKICAgICAgICAgICAgewogICAgICAgICAgICAgICJUeXBlIjogImlwYyIsCiAgICAgICAgICAgICAgIlBhdGgiOiAiIgogICAgICAgICAgICB9LAogICAgICAgICAgICB7CiAgICAgICAgICAgICAgIlR5cGUiOiAidXRzIiwKICAgICAgICAgICAgICAiUGF0aCI6ICIiCiAgICAgICAgICAgIH0sCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICAiVHlwZSI6ICJtb3VudCIsCiAgICAgICAgICAgICAgIlBhdGgiOiAiIgogICAgICAgICAgICB9CiAgICAgICAgICBdLAogICAgICAgICAgIk1hc2tlZFBhdGhzIjogWwogICAgICAgICAgICAiL3Byb2MvYWNwaSIsCiAgICAgICAgICAgICIvcHJvYy9hc291bmQiLAogICAgICAgICAgICAiL3Byb2Mva2NvcmUiLAogICAgICAgICAgICAiL3Byb2Mva2V5cyIsCiAgICAgICAgICAgICIvcHJvYy9sYXRlbmN5X3N0YXRzIiwKICAgICAgICAgICAgIi9wcm9jL3RpbWVyX2xpc3QiLAogICAgICAgICAgICAiL3Byb2MvdGltZXJfc3RhdHMiLAogICAgICAgICAgICAiL3Byb2Mvc2NoZWRfZGVidWciLAogICAgICAgICAgICAiL3N5cy9maXJtd2FyZSIsCiAgICAgICAgICAgICIvcHJvYy9zY3NpIgogICAgICAgICAgXSwKICAgICAgICAgICJSZWFkb25seVBhdGhzIjogWwogICAgICAgICAgICAiL3Byb2MvYnVzIiwKICAgICAgICAgICAgIi9wcm9jL2ZzIiwKICAgICAgICAgICAgIi9wcm9jL2lycSIsCiAgICAgICAgICAgICIvcHJvYy9zeXMiLAogICAgICAgICAgICAiL3Byb2Mvc3lzcnEtdHJpZ2dlciIKICAgICAgICAgIF0KICAgICAgICB9CiAgICAgIH0sCiAgICAgICJzdG9yYWdlcyI6IFsKICAgICAgICB7CiAgICAgICAgICAiZHJpdmVyIjogImJsayIsCiAgICAgICAgICAiZHJpdmVyX29wdGlvbnMiOiBbXSwKICAgICAgICAgICJzb3VyY2UiOiAiIiwKICAgICAgICAgICJmc3R5cGUiOiAidGFyIiwKICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAiJChoYXNoMCkiCiAgICAgICAgICBdLAogICAgICAgICAgIm1vdW50X3BvaW50IjogIiQobGF5ZXIwKSIsCiAgICAgICAgICAiZnNfZ3JvdXAiOiBudWxsCiAgICAgICAgfSwKICAgICAgICB7CiAgICAgICAgICAiZHJpdmVyIjogIm92ZXJsYXlmcyIsCiAgICAgICAgICAiZHJpdmVyX29wdGlvbnMiOiBbXSwKICAgICAgICAgICJzb3VyY2UiOiAiIiwKICAgICAgICAgICJmc3R5cGUiOiAiZnVzZTMua2F0YS1vdmVybGF5IiwKICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAiNWE1YWFkODAwNTVmZjIwMDEyYTUwZGMyNWY4ZGY3YTI5OTI0NDc0MzI0ZDY1ZjdkNTMwNmVlOGVlMjdmZjcxZCIsCiAgICAgICAgICAgICI4MTcyNTBmMWEzZTMzNmRhNzZmNWJkM2ZhNzg0ZTFiMjZkOTU5YjljMTMxODc2ODE1YmEyNjA0MDQ4YjcwYzE4IgogICAgICAgICAgXSwKICAgICAgICAgICJtb3VudF9wb2ludCI6ICIkKGNwYXRoKS8kKGJ1bmRsZS1pZCkiLAogICAgICAgICAgImZzX2dyb3VwIjogbnVsbAogICAgICAgIH0KICAgICAgXSwKICAgICAgInNhbmRib3hfcGlkbnMiOiBmYWxzZSwKICAgICAgImV4ZWNfY29tbWFuZHMiOiBbXSwKICAgICAgInRva2VuaXplZF9hcmdzIjogWwogICAgICAgIFsKICAgICAgICAgICIvcGF1c2UiCiAgICAgICAgXQogICAgICBdLAogICAgICAiZW52X21hcCI6IHsKICAgICAgICAiUEFUSCI6ICIvdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iCiAgICAgIH0KICAgIH0sCiAgICB7CiAgICAgICJPQ0kiOiB7CiAgICAgICAgIlZlcnNpb24iOiAiMS4xLjAtcmMuMSIsCiAgICAgICAgIlByb2Nlc3MiOiB7CiAgICAgICAgICAiVGVybWluYWwiOiBmYWxzZSwKICAgICAgICAgICJVc2VyIjogewogICAgICAgICAgICAiVUlEIjogMCwKICAgICAgICAgICAgIkdJRCI6IDAsCiAgICAgICAgICAgICJBZGRpdGlvbmFsR2lkcyI6IFtdLAogICAgICAgICAgICAiVXNlcm5hbWUiOiAiIgogICAgICAgICAgfSwKICAgICAgICAgICJBcmdzIjogWwogICAgICAgICAgICAiL2Jpbi9zaCIsCiAgICAgICAgICAgICItYyIsCiAgICAgICAgICAgICJ3aGlsZSB0cnVlOyBkbyBlY2hvIEt1YmVybmV0ZXM7IGVjaG8gJChub2RlLW5hbWUpOyBzbGVlcCAxMDsgZG9uZSIKICAgICAgICAgIF0sCiAgICAgICAgICAiRW52IjogWwogICAgICAgICAgICAiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iLAogICAgICAgICAgICAiSE9TVE5BTUU9JChob3N0LW5hbWUpIiwKICAgICAgICAgICAgIlBPRF9OQU1FPSQoc2FuZGJveC1uYW1lKSIsCiAgICAgICAgICAgICJQT0RfTkFNRVNQQUNFPSQoc2FuZGJveC1uYW1lc3BhY2UpIiwKICAgICAgICAgICAgIlBPRF9JUD0kKHBvZC1pcCkiLAogICAgICAgICAgICAiU0VSVklDRV9BQ0NPVU5UPWRlZmF1bHQiLAogICAgICAgICAgICAiUFJPWFlfQ09ORklHPXt9XG4iLAogICAgICAgICAgICAiSVNUSU9fTUVUQV9QT0RfUE9SVFM9W1xuXSIsCiAgICAgICAgICAgICJJU1RJT19NRVRBX0FQUF9DT05UQUlORVJTPXNlcnZpY2VhY2xpZW50IiwKICAgICAgICAgICAgIklTVElPX01FVEFfQ0xVU1RFUl9JRD1LdWJlcm5ldGVzIiwKICAgICAgICAgICAgIklTVElPX01FVEFfTk9ERV9OQU1FPSQobm9kZS1uYW1lKSIKICAgICAgICAgIF0sCiAgICAgICAgICAiQ3dkIjogIi8iLAogICAgICAgICAgIkNhcGFiaWxpdGllcyI6IHsKICAgICAgICAgICAgIkFtYmllbnQiOiBbXSwKICAgICAgICAgICAgIkJvdW5kaW5nIjogWwogICAgICAgICAgICAgICIkKHByaXZpbGVnZWRfY2FwcykiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJFZmZlY3RpdmUiOiBbCiAgICAgICAgICAgICAgIiQocHJpdmlsZWdlZF9jYXBzKSIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgIkluaGVyaXRhYmxlIjogW10sCiAgICAgICAgICAgICJQZXJtaXR0ZWQiOiBbCiAgICAgICAgICAgICAgIiQocHJpdmlsZWdlZF9jYXBzKSIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgICJOb05ld1ByaXZpbGVnZXMiOiBmYWxzZQogICAgICAgIH0sCiAgICAgICAgIlJvb3QiOiB7CiAgICAgICAgICAiUGF0aCI6ICIkKGNwYXRoKS8kKGJ1bmRsZS1pZCkiLAogICAgICAgICAgIlJlYWRvbmx5IjogZmFsc2UKICAgICAgICB9LAogICAgICAgICJNb3VudHMiOiBbCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvcHJvYyIsCiAgICAgICAgICAgICJzb3VyY2UiOiAicHJvYyIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJwcm9jIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgIm5vc3VpZCIsCiAgICAgICAgICAgICAgIm5vZXhlYyIsCiAgICAgICAgICAgICAgIm5vZGV2IgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL2RldiIsCiAgICAgICAgICAgICJzb3VyY2UiOiAidG1wZnMiLAogICAgICAgICAgICAidHlwZV8iOiAidG1wZnMiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICAgICAic3RyaWN0YXRpbWUiLAogICAgICAgICAgICAgICJtb2RlPTc1NSIsCiAgICAgICAgICAgICAgInNpemU9NjU1MzZrIgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL2Rldi9wdHMiLAogICAgICAgICAgICAic291cmNlIjogImRldnB0cyIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJkZXZwdHMiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICAgICAibm9leGVjIiwKICAgICAgICAgICAgICAibmV3aW5zdGFuY2UiLAogICAgICAgICAgICAgICJwdG14bW9kZT0wNjY2IiwKICAgICAgICAgICAgICAibW9kZT0wNjIwIiwKICAgICAgICAgICAgICAiZ2lkPTUiCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvZGV2L3NobSIsCiAgICAgICAgICAgICJzb3VyY2UiOiAiL3J1bi9rYXRhLWNvbnRhaW5lcnMvc2FuZGJveC9zaG0iLAogICAgICAgICAgICAidHlwZV8iOiAiYmluZCIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJyYmluZCIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9kZXYvbXF1ZXVlIiwKICAgICAgICAgICAgInNvdXJjZSI6ICJtcXVldWUiLAogICAgICAgICAgICAidHlwZV8iOiAibXF1ZXVlIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgIm5vc3VpZCIsCiAgICAgICAgICAgICAgIm5vZXhlYyIsCiAgICAgICAgICAgICAgIm5vZGV2IgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL3N5cyIsCiAgICAgICAgICAgICJzb3VyY2UiOiAic3lzZnMiLAogICAgICAgICAgICAidHlwZV8iOiAic3lzZnMiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICAgICAibm9leGVjIiwKICAgICAgICAgICAgICAibm9kZXYiLAogICAgICAgICAgICAgICJydyIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9zeXMvZnMvY2dyb3VwIiwKICAgICAgICAgICAgInNvdXJjZSI6ICJjZ3JvdXAiLAogICAgICAgICAgICAidHlwZV8iOiAiY2dyb3VwIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgIm5vc3VpZCIsCiAgICAgICAgICAgICAgIm5vZXhlYyIsCiAgICAgICAgICAgICAgIm5vZGV2IiwKICAgICAgICAgICAgICAicmVsYXRpbWUiLAogICAgICAgICAgICAgICJydyIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9ldGMvaG9zdHMiLAogICAgICAgICAgICAic291cmNlIjogIiQoc2ZwcmVmaXgpaG9zdHMkIiwKICAgICAgICAgICAgInR5cGVfIjogImJpbmQiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAicmJpbmQiLAogICAgICAgICAgICAgICJycHJpdmF0ZSIsCiAgICAgICAgICAgICAgInJ3IgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL2Rldi90ZXJtaW5hdGlvbi1sb2ciLAogICAgICAgICAgICAic291cmNlIjogIiQoc2ZwcmVmaXgpdGVybWluYXRpb24tbG9nJCIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJiaW5kIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgInJiaW5kIiwKICAgICAgICAgICAgICAicnByaXZhdGUiLAogICAgICAgICAgICAgICJydyIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9ldGMvaG9zdG5hbWUiLAogICAgICAgICAgICAic291cmNlIjogIiQoc2ZwcmVmaXgpaG9zdG5hbWUkIiwKICAgICAgICAgICAgInR5cGVfIjogImJpbmQiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAicmJpbmQiLAogICAgICAgICAgICAgICJycHJpdmF0ZSIsCiAgICAgICAgICAgICAgInJ3IgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL2V0Yy9yZXNvbHYuY29uZiIsCiAgICAgICAgICAgICJzb3VyY2UiOiAiJChzZnByZWZpeClyZXNvbHYuY29uZiQiLAogICAgICAgICAgICAidHlwZV8iOiAiYmluZCIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJyYmluZCIsCiAgICAgICAgICAgICAgInJwcml2YXRlIiwKICAgICAgICAgICAgICAicnciCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvdmFyL3J1bi9zZWNyZXRzL2t1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQiLAogICAgICAgICAgICAic291cmNlIjogIiQoc2ZwcmVmaXgpc2VydmljZWFjY291bnQkIiwKICAgICAgICAgICAgInR5cGVfIjogImJpbmQiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAicmJpbmQiLAogICAgICAgICAgICAgICJycHJpdmF0ZSIsCiAgICAgICAgICAgICAgInJvIgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL3Zhci9ydW4vc2VjcmV0cy9henVyZS90b2tlbnMiLAogICAgICAgICAgICAic291cmNlIjogIiQoc2ZwcmVmaXgpdG9rZW5zJCIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJiaW5kIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgInJiaW5kIiwKICAgICAgICAgICAgICAicnByaXZhdGUiLAogICAgICAgICAgICAgICJybyIKICAgICAgICAgICAgXQogICAgICAgICAgfQogICAgICAgIF0sCiAgICAgICAgIkFubm90YXRpb25zIjogewogICAgICAgICAgImlvLmthdGFjb250YWluZXJzLnBrZy5vY2kuYnVuZGxlX3BhdGgiOiAiL3J1bi9jb250YWluZXJkL2lvLmNvbnRhaW5lcmQucnVudGltZS52Mi50YXNrL2s4cy5pby8kKGJ1bmRsZS1pZCkiLAogICAgICAgICAgImlvLmthdGFjb250YWluZXJzLnBrZy5vY2kuY29udGFpbmVyX3R5cGUiOiAicG9kX2NvbnRhaW5lciIsCiAgICAgICAgICAiaW8ua3ViZXJuZXRlcy5jcmkuY29udGFpbmVyLW5hbWUiOiAiYnVzeWJveCIsCiAgICAgICAgICAiaW8ua3ViZXJuZXRlcy5jcmkuY29udGFpbmVyLXR5cGUiOiAiY29udGFpbmVyIiwKICAgICAgICAgICJpby5rdWJlcm5ldGVzLmNyaS5pbWFnZS1uYW1lIjogIm1jci5taWNyb3NvZnQuY29tL2Frcy9lMmUvbGlicmFyeS1idXN5Ym94Om1hc3Rlci4yMjAzMTQuMS1saW51eC1hbWQ2NCIsCiAgICAgICAgICAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1pZCI6ICJeW2EtejAtOV17NjR9JCIsCiAgICAgICAgICAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1uYW1lIjogImV4ZWMtdGVzdCIsCiAgICAgICAgICAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1uYW1lc3BhY2UiOiAiIgogICAgICAgIH0sCiAgICAgICAgIkxpbnV4IjogewogICAgICAgICAgIk5hbWVzcGFjZXMiOiBbCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICAiVHlwZSI6ICJpcGMiLAogICAgICAgICAgICAgICJQYXRoIjogIiIKICAgICAgICAgICAgfSwKICAgICAgICAgICAgewogICAgICAgICAgICAgICJUeXBlIjogInV0cyIsCiAgICAgICAgICAgICAgIlBhdGgiOiAiIgogICAgICAgICAgICB9LAogICAgICAgICAgICB7CiAgICAgICAgICAgICAgIlR5cGUiOiAibW91bnQiLAogICAgICAgICAgICAgICJQYXRoIjogIiIKICAgICAgICAgICAgfQogICAgICAgICAgXSwKICAgICAgICAgICJNYXNrZWRQYXRocyI6IFtdLAogICAgICAgICAgIlJlYWRvbmx5UGF0aHMiOiBbXQogICAgICAgIH0KICAgICAgfSwKICAgICAgInN0b3JhZ2VzIjogWwogICAgICAgIHsKICAgICAgICAgICJkcml2ZXIiOiAiYmxrIiwKICAgICAgICAgICJkcml2ZXJfb3B0aW9ucyI6IFtdLAogICAgICAgICAgInNvdXJjZSI6ICIiLAogICAgICAgICAgImZzdHlwZSI6ICJ0YXIiLAogICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICIkKGhhc2gwKSIKICAgICAgICAgIF0sCiAgICAgICAgICAibW91bnRfcG9pbnQiOiAiJChsYXllcjApIiwKICAgICAgICAgICJmc19ncm91cCI6IG51bGwKICAgICAgICB9LAogICAgICAgIHsKICAgICAgICAgICJkcml2ZXIiOiAiYmxrIiwKICAgICAgICAgICJkcml2ZXJfb3B0aW9ucyI6IFtdLAogICAgICAgICAgInNvdXJjZSI6ICIiLAogICAgICAgICAgImZzdHlwZSI6ICJ0YXIiLAogICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICIkKGhhc2gxKSIKICAgICAgICAgIF0sCiAgICAgICAgICAibW91bnRfcG9pbnQiOiAiJChsYXllcjEpIiwKICAgICAgICAgICJmc19ncm91cCI6IG51bGwKICAgICAgICB9LAogICAgICAgIHsKICAgICAgICAgICJkcml2ZXIiOiAib3ZlcmxheWZzIiwKICAgICAgICAgICJkcml2ZXJfb3B0aW9ucyI6IFtdLAogICAgICAgICAgInNvdXJjZSI6ICIiLAogICAgICAgICAgImZzdHlwZSI6ICJmdXNlMy5rYXRhLW92ZXJsYXkiLAogICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICIyYzM0MmExMzdlNjkzYzc4OThhZWMzNmRhMTA0N2YxOTFkYzdjMTY4N2U2NjE5OGFkYWNjNDM5Y2Y0YWRmMzc5OjI1NzBlM2ExOWUxYmYyMGRkZGE0NTQ5OGE5NjI3ZjYxNTU1ZDJkNmMwMTQ3OWI5Yjc2NDYwYjY3OWIyN2Q1NTIiLAogICAgICAgICAgICAiODU2OGM3MGMwY2NmZTAwNTEwOTJlODE4ZGE3NjkxMTFhNTk4ODJjZDE5ZGQ3OTlkM2JjYTVmZmE4Mjc5MTA4MDpiNjQzYjYyMTc3NDg5ODM4MzBiMjZhYzE0YTM1YTMzMjJkZDUyOGMwMDk2M2VhYWRkOTFlZjU1ZjUxM2RjNzNmIgogICAgICAgICAgXSwKICAgICAgICAgICJtb3VudF9wb2ludCI6ICIkKGNwYXRoKS8kKGJ1bmRsZS1pZCkiLAogICAgICAgICAgImZzX2dyb3VwIjogbnVsbAogICAgICAgIH0KICAgICAgXSwKICAgICAgInNhbmRib3hfcGlkbnMiOiBmYWxzZSwKICAgICAgImV4ZWNfY29tbWFuZHMiOiBbCiAgICAgICAgImVjaG8gJHtJU1RJT19NRVRBX0FQUF9DT05UQUlORVJTfSIsCiAgICAgICAgImVjaG8gUmVhZHkgJHtQT0RfSVB9ISIsCiAgICAgICAgImVjaG8gJHtJU1RJT19NRVRBX05PREVfTkFNRX0gc3RhcnR1cCIKICAgICAgXSwKICAgICAgInRva2VuaXplZF9hcmdzIjogWwogICAgICAgIFsKICAgICAgICAgICIvYmluL3NoIgogICAgICAgIF0sCiAgICAgICAgWwogICAgICAgICAgIi1jIgogICAgICAgIF0sCiAgICAgICAgWwogICAgICAgICAgIndoaWxlIiwKICAgICAgICAgICJ0cnVlIiwKICAgICAgICAgICJkbyIsCiAgICAgICAgICAiZWNobyIsCiAgICAgICAgICAiS3ViZXJuZXRlcyIsCiAgICAgICAgICAiZWNobyIsCiAgICAgICAgICAiJChub2RlLW5hbWUpIiwKICAgICAgICAgICJzbGVlcCIsCiAgICAgICAgICAiMTAiLAogICAgICAgICAgImRvbmUiCiAgICAgICAgXQogICAgICBdLAogICAgICAiZW52X21hcCI6IHsKICAgICAgICAiUE9EX05BTUUiOiAiJChzYW5kYm94LW5hbWUpIiwKICAgICAgICAiSVNUSU9fTUVUQV9QT0RfUE9SVFMiOiAiW1xuXSIsCiAgICAgICAgIlBPRF9JUCI6ICIkKHBvZC1pcCkiLAogICAgICAgICJQUk9YWV9DT05GSUciOiAie31cbiIsCiAgICAgICAgIlBPRF9OQU1FU1BBQ0UiOiAiJChzYW5kYm94LW5hbWVzcGFjZSkiLAogICAgICAgICJJU1RJT19NRVRBX0NMVVNURVJfSUQiOiAiS3ViZXJuZXRlcyIsCiAgICAgICAgIklTVElPX01FVEFfTk9ERV9OQU1FIjogIiQobm9kZS1uYW1lKSIsCiAgICAgICAgIklTVElPX01FVEFfQVBQX0NPTlRBSU5FUlMiOiAic2VydmljZWFjbGllbnQiLAogICAgICAgICJIT1NUTkFNRSI6ICIkKGhvc3QtbmFtZSkiLAogICAgICAgICJQQVRIIjogIi91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL3NiaW46L3Vzci9iaW46L3NiaW46L2JpbiIsCiAgICAgICAgIlNFUlZJQ0VfQUNDT1VOVCI6ICJkZWZhdWx0IgogICAgICB9CiAgICB9CiAgXSwKICAiY29tbW9uIjogewogICAgImNwYXRoIjogIi9ydW4va2F0YS1jb250YWluZXJzL3NoYXJlZC9jb250YWluZXJzIiwKICAgICJzZnByZWZpeCI6ICJeJChjcGF0aCkvJChidW5kbGUtaWQpLVthLXowLTldezE2fS0iLAogICAgInNwYXRoIjogIi9ydW4va2F0YS1jb250YWluZXJzL3NhbmRib3gvc3RvcmFnZSIsCiAgICAiaXB2NF9hIjogIigoMjVbMC01XXwoMlswLTRdfDFcXGR8WzEtOV18KVxcZClcXC4/XFxiKXs0fSIsCiAgICAiaXBfcCI6ICJbMC05XXsxLDV9IiwKICAgICJzdmNfbmFtZSI6ICJbQS1aMC05X1xcLlxcLV0rIiwKICAgICJkbnNfbGFiZWwiOiAiW2EtekEtWjAtOV9cXC5cXC1dKyIsCiAgICAic19zb3VyY2UxIjogIl4uLjJbMC05XXszfV9bMC0xXVswLTldX1swLTNdWzAtOV1fWzAtMl1bMC05XV9bMC01XVswLTldX1swLTVdWzAtOV1cXC5bMC05XXsxLDEwfSQiLAogICAgInNfc291cmNlMiI6ICJeLi5kYXRhLyIsCiAgICAiZGVmYXVsdF9jYXBzIjogWwogICAgICAiQ0FQX0NIT1dOIiwKICAgICAgIkNBUF9EQUNfT1ZFUlJJREUiLAogICAgICAiQ0FQX0ZTRVRJRCIsCiAgICAgICJDQVBfRk9XTkVSIiwKICAgICAgIkNBUF9NS05PRCIsCiAgICAgICJDQVBfTkVUX1JBVyIsCiAgICAgICJDQVBfU0VUR0lEIiwKICAgICAgIkNBUF9TRVRVSUQiLAogICAgICAiQ0FQX1NFVEZDQVAiLAogICAgICAiQ0FQX1NFVFBDQVAiLAogICAgICAiQ0FQX05FVF9CSU5EX1NFUlZJQ0UiLAogICAgICAiQ0FQX1NZU19DSFJPT1QiLAogICAgICAiQ0FQX0tJTEwiLAogICAgICAiQ0FQX0FVRElUX1dSSVRFIgogICAgXSwKICAgICJwcml2aWxlZ2VkX2NhcHMiOiBbCiAgICAgICJDQVBfQ0hPV04iLAogICAgICAiQ0FQX0RBQ19PVkVSUklERSIsCiAgICAgICJDQVBfREFDX1JFQURfU0VBUkNIIiwKICAgICAgIkNBUF9GT1dORVIiLAogICAgICAiQ0FQX0ZTRVRJRCIsCiAgICAgICJDQVBfS0lMTCIsCiAgICAgICJDQVBfU0VUR0lEIiwKICAgICAgIkNBUF9TRVRVSUQiLAogICAgICAiQ0FQX1NFVFBDQVAiLAogICAgICAiQ0FQX0xJTlVYX0lNTVVUQUJMRSIsCiAgICAgICJDQVBfTkVUX0JJTkRfU0VSVklDRSIsCiAgICAgICJDQVBfTkVUX0JST0FEQ0FTVCIsCiAgICAgICJDQVBfTkVUX0FETUlOIiwKICAgICAgIkNBUF9ORVRfUkFXIiwKICAgICAgIkNBUF9JUENfTE9DSyIsCiAgICAgICJDQVBfSVBDX09XTkVSIiwKICAgICAgIkNBUF9TWVNfTU9EVUxFIiwKICAgICAgIkNBUF9TWVNfUkFXSU8iLAogICAgICAiQ0FQX1NZU19DSFJPT1QiLAogICAgICAiQ0FQX1NZU19QVFJBQ0UiLAogICAgICAiQ0FQX1NZU19QQUNDVCIsCiAgICAgICJDQVBfU1lTX0FETUlOIiwKICAgICAgIkNBUF9TWVNfQk9PVCIsCiAgICAgICJDQVBfU1lTX05JQ0UiLAogICAgICAiQ0FQX1NZU19SRVNPVVJDRSIsCiAgICAgICJDQVBfU1lTX1RJTUUiLAogICAgICAiQ0FQX1NZU19UVFlfQ09ORklHIiwKICAgICAgIkNBUF9NS05PRCIsCiAgICAgICJDQVBfTEVBU0UiLAogICAgICAiQ0FQX0FVRElUX1dSSVRFIiwKICAgICAgIkNBUF9BVURJVF9DT05UUk9MIiwKICAgICAgIkNBUF9TRVRGQ0FQIiwKICAgICAgIkNBUF9NQUNfT1ZFUlJJREUiLAogICAgICAiQ0FQX01BQ19BRE1JTiIsCiAgICAgICJDQVBfU1lTTE9HIiwKICAgICAgIkNBUF9XQUtFX0FMQVJNIiwKICAgICAgIkNBUF9CTE9DS19TVVNQRU5EIiwKICAgICAgIkNBUF9BVURJVF9SRUFEIiwKICAgICAgIkNBUF9QRVJGTU9OIiwKICAgICAgIkNBUF9CUEYiLAogICAgICAiQ0FQX0NIRUNLUE9JTlRfUkVTVE9SRSIKICAgIF0sCiAgICAidmlydGlvX2Jsa19zdG9yYWdlX2NsYXNzZXMiOiBbCiAgICAgICJjYy1sb2NhbC1jc2kiLAogICAgICAiY2MtbWFuYWdlZC1jc2kiLAogICAgICAiY2MtbWFuYWdlZC1wcmVtaXVtLWNzaSIKICAgIF0sCiAgICAic21iX3N0b3JhZ2VfY2xhc3NlcyI6IFsKICAgICAgewogICAgICAgICJuYW1lIjogImF6dXJlZmlsZS1jc2kta2F0YS1jYyIsCiAgICAgICAgIm1vdW50X29wdGlvbnMiOiBbCiAgICAgICAgICAiZGlyX21vZGU9MDc3NyIsCiAgICAgICAgICAiZmlsZV9tb2RlPTA3NzciLAogICAgICAgICAgIm1mc3ltbGlua3MiLAogICAgICAgICAgImNhY2hlPXN0cmljdCIsCiAgICAgICAgICAibm9zaGFyZXNvY2siLAogICAgICAgICAgImFjdGltZW89MzAiLAogICAgICAgICAgIm5vYnJsIgogICAgICAgIF0KICAgICAgfQogICAgXQogIH0sCiAgInNhbmRib3giOiB7CiAgICAic3RvcmFnZXMiOiBbCiAgICAgIHsKICAgICAgICAiZHJpdmVyIjogImVwaGVtZXJhbCIsCiAgICAgICAgImRyaXZlcl9vcHRpb25zIjogW10sCiAgICAgICAgInNvdXJjZSI6ICJzaG0iLAogICAgICAgICJmc3R5cGUiOiAidG1wZnMiLAogICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgIm5vZXhlYyIsCiAgICAgICAgICAibm9zdWlkIiwKICAgICAgICAgICJub2RldiIsCiAgICAgICAgICAibW9kZT0xNzc3IiwKICAgICAgICAgICJzaXplPTY3MTA4ODY0IgogICAgICAgIF0sCiAgICAgICAgIm1vdW50X3BvaW50IjogIi9ydW4va2F0YS1jb250YWluZXJzL3NhbmRib3gvc2htIiwKICAgICAgICAiZnNfZ3JvdXAiOiBudWxsCiAgICAgIH0KICAgIF0KICB9LAogICJyZXF1ZXN0X2RlZmF1bHRzIjogewogICAgIkNyZWF0ZUNvbnRhaW5lclJlcXVlc3QiOiB7CiAgICAgICJhbGxvd19lbnZfcmVnZXgiOiBbCiAgICAgICAgIl5IT1NUTkFNRT0kKGRuc19sYWJlbCkkIiwKICAgICAgICAiXiQoc3ZjX25hbWUpX1BPUlRfJChpcF9wKV9UQ1A9dGNwOi8vJChpcHY0X2EpOiQoaXBfcCkkIiwKICAgICAgICAiXiQoc3ZjX25hbWUpX1BPUlRfJChpcF9wKV9UQ1BfUFJPVE89dGNwJCIsCiAgICAgICAgIl4kKHN2Y19uYW1lKV9QT1JUXyQoaXBfcClfVENQX1BPUlQ9JChpcF9wKSQiLAogICAgICAgICJeJChzdmNfbmFtZSlfUE9SVF8kKGlwX3ApX1RDUF9BRERSPSQoaXB2NF9hKSQiLAogICAgICAgICJeJChzdmNfbmFtZSlfU0VSVklDRV9IT1NUPSQoaXB2NF9hKSQiLAogICAgICAgICJeJChzdmNfbmFtZSlfU0VSVklDRV9QT1JUPSQoaXBfcCkkIiwKICAgICAgICAiXiQoc3ZjX25hbWUpX1NFUlZJQ0VfUE9SVF8kKGRuc19sYWJlbCk9JChpcF9wKSQiLAogICAgICAgICJeJChzdmNfbmFtZSlfUE9SVD10Y3A6Ly8kKGlwdjRfYSk6JChpcF9wKSQiLAogICAgICAgICJeQVpVUkVfQ0xJRU5UX0lEPVtBLUZhLWYwLTktXSokIiwKICAgICAgICAiXkFaVVJFX1RFTkFOVF9JRD1bQS1GYS1mMC05LV0qJCIsCiAgICAgICAgIl5BWlVSRV9GRURFUkFURURfVE9LRU5fRklMRT0vdmFyL3J1bi9zZWNyZXRzL2F6dXJlL3Rva2Vucy9henVyZS1pZGVudGl0eS10b2tlbiQiLAogICAgICAgICJeQVpVUkVfQVVUSE9SSVRZX0hPU1Q9aHR0cHM6Ly9sb2dpblxcLm1pY3Jvc29mdG9ubGluZVxcLmNvbS8kIiwKICAgICAgICAiXlRFUk09eHRlcm0kIgogICAgICBdCiAgICB9LAogICAgIkNvcHlGaWxlUmVxdWVzdCI6IFsKICAgICAgIiQoc2ZwcmVmaXgpIgogICAgXSwKICAgICJFeGVjUHJvY2Vzc1JlcXVlc3QiOiB7CiAgICAgICJjb21tYW5kcyI6IFtdLAogICAgICAicmVnZXgiOiBbXQogICAgfSwKICAgICJDbG9zZVN0ZGluUmVxdWVzdCI6IGZhbHNlLAogICAgIlJlYWRTdHJlYW1SZXF1ZXN0IjogdHJ1ZSwKICAgICJVcGRhdGVFcGhlbWVyYWxNb3VudHNSZXF1ZXN0IjogZmFsc2UsCiAgICAiV3JpdGVTdHJlYW1SZXF1ZXN0IjogZmFsc2UKICB9Cn0=
 spec:
   restartPolicy: Never
   runtimeClassName: kata-cc
@@ -53,7 +53,7 @@ spec:
         - /bin/sh
       args:
         - "-c"
-        - while true; do echo $(ISTIO_META_CLUSTER_ID); sleep 10; done
+        - while true; do echo $(ISTIO_META_CLUSTER_ID); echo $(ISTIO_META_NODE_NAME); sleep 10; done
       livenessProbe:
         exec:
           command:
diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs
index a8c5101091cf..9065f6a96e10 100644
--- a/src/agent/src/main.rs
+++ b/src/agent/src/main.rs
@@ -75,7 +75,7 @@ use tokio::{
 mod rpc;
 mod tracer;
 
-#[cfg(feature = "agent-policy")]
+// #[cfg(feature = "agent-policy")]
 mod policy;
 
 cfg_if! {
diff --git a/src/agent/src/policy.rs b/src/agent/src/policy.rs
index dd8e287cadce..b27c66befa57 100644
--- a/src/agent/src/policy.rs
+++ b/src/agent/src/policy.rs
@@ -25,6 +25,70 @@ macro_rules! sl {
     };
 }
 
+#[cfg(test)]
+mod tests {
+    use super::*; // Import the function and structs to be tested
+
+    #[tokio::test]
+    async fn test_allow_request() {
+        let mut policy = AgentPolicy::new();
+
+        // Mock endpoint and input
+        // let request = protocols::agent::CreateContainerRequest {
+        //     ..Default::default()
+        // };
+
+        // Deserialize the JSON content into the Config struct
+        // let data =
+        //     std::fs::read_to_string("../tools/genpolicy/create.json").expect("Unable to read file");
+        // let request: protocols::agent::CreateContainerRequest =
+        //     serde_json::from_str(&data).expect("JSON was not well-formatted");
+        // let request = serde_json::to_string(&request).unwrap();
+        // let ep = "CreateContainerRequest";
+
+        let data =
+            std::fs::read_to_string("../tools/genpolicy/create.json").expect("Unable to read file");
+        // println!("Data: {}", data);
+        let request: protocols::agent::CreateContainerRequest =
+            serde_json::from_str(&data).expect("JSON was not well-formatted");
+        // println!("Request: {}", request);
+        let request = serde_json::to_string(&request).unwrap();
+        let ep = "CreateContainerRequest";
+
+        // println!("Request: {}", request);
+
+        // let request = r#"{"key": "value"}"#;
+
+        // Mock policy initialization (if needed)
+        policy
+            .engine
+            .add_policy_from_file("../tools/genpolicy/exec2.rego")
+            .unwrap();
+
+        // Call the function
+        let result = policy.allow_request(ep, &request).await;
+
+        // let x = "while true; do echo Kubernetes; echo aks-nodepool1-40948945-vmss000000; sleep 10; done";
+
+        // let split = shlex::split(x).unwrap();
+        // println!("shlex split {:?}", split);
+
+        // let split = shell_words::split(x).unwrap();
+        // println!("shell_words split {:?}", split);
+
+        // let split = shellwords::split(x).unwrap();
+        // println!("shellwords split {:?}", split);
+
+        // Assert the expected result
+        match result {
+            Ok((allowed, _)) => assert!(allowed, "Expected the request to be allowed"),
+            Err(e) => panic!("Unexpected error: {:?}", e),
+        }
+
+        // assert!(false, "fail");
+    }
+}
+
 async fn allow_request(policy: &mut AgentPolicy, ep: &str, request: &str) -> ttrpc::Result<()> {
     match policy.allow_request(ep, request).await {
         Ok((allowed, prints)) => {
@@ -120,6 +184,43 @@ pub struct AgentPolicy {
     engine: regorus::Engine,
 }
 
+#[derive(Debug, serde::Serialize)]
+struct PolicyCreateContainerRequest {
+    base: protocols::agent::CreateContainerRequest,
+    tokenized_args: Vec<Vec<String>>,
+    env_map: std::collections::HashMap<String, String>,
+}
+
+fn map_request(ep: &str, input: &str) -> (String, String) {
+    println!("Mapping request");
+    match ep {
+        "CreateContainerRequest" => {
+            println!("CreateContainerRequest detected");
+            let req: protocols::agent::CreateContainerRequest =
+                serde_json::from_str(input).expect("JSON was not well-formatted");
+            let tokenized_args = oci::get_tokenized_args(&req.OCI.Process.Args);
+
+            // println!("Tokenized args: {:?}", tokenized_args);
+
+            let env_map = oci::get_env_map(&req.OCI.Process.Env);
+            // println!("Env: {:?}", env_map);
+
+            let req_v2 = PolicyCreateContainerRequest {
+                base: req,
+                tokenized_args,
+                env_map,
+            };
+
+            (
+                "PolicyCreateContainerRequest".to_string(),
+                serde_json::to_string(&req_v2).expect("failed to serialize"),
+            )
+        }
+
+        _ => (ep.to_string(), input.to_string()),
+    }
+}
+
 #[derive(serde::Deserialize, Debug)]
 struct MetadataResponse {
     allowed: bool,
@@ -193,6 +294,9 @@ impl AgentPolicy {
     /// Ask regorus if an API call should be allowed or not.
     async fn allow_request(&mut self, ep: &str, ep_input: &str) -> Result<(bool, String)> {
         debug!(sl!(), "policy check: {ep}");
+
+        let (ep, ep_input) = &map_request(ep, ep_input);
+
         self.log_request(ep, ep_input).await;
 
         let query = format!("data.agent_policy.{ep}");
@@ -201,10 +305,13 @@ impl AgentPolicy {
         let results = self.engine.eval_query(query, false)?;
 
         let prints = match self.engine.take_prints() {
-            Ok(p) => p.join(" "),
+            Ok(p) => p.join("\n"),
             Err(e) => format!("Failed to get policy log: {e}"),
         };
 
+        println!("Policy prints: {}", prints);
+        // println!("allow_failures: {}", self.allow_failures);
+
         if results.result.len() != 1 {
             // Results are empty when AllowRequestsFailingPolicy is used to allow a Request that hasn't been defined in the policy
             if self.allow_failures {
diff --git a/src/libs/oci/Cargo.toml b/src/libs/oci/Cargo.toml
index 8c08705a3dbe..23dde384b02c 100644
--- a/src/libs/oci/Cargo.toml
+++ b/src/libs/oci/Cargo.toml
@@ -10,3 +10,4 @@ serde = "1.0.131"
 serde_derive = "1.0.131"
 serde_json = "1.0.73"
 libc = "0.2.112"
+shell-words = "1.1.0"
diff --git a/src/libs/oci/src/lib.rs b/src/libs/oci/src/lib.rs
index dbfab6c08d16..9a96aa013f63 100644
--- a/src/libs/oci/src/lib.rs
+++ b/src/libs/oci/src/lib.rs
@@ -81,6 +81,35 @@ impl Spec {
 
 pub type LinuxRlimit = PosixRlimit;
 
+pub fn get_tokenized_args(args: &Vec<String>) -> Vec<Vec<String>> {
+    let mut tokenized_args: Vec<Vec<String>> = Vec::new();
+    for arg in args {
+        let mut arg_split = shell_words::split(arg).expect("Failed to split");
+        for s in arg_split.iter_mut() {
+            if s.ends_with(';') {
+                s.pop(); // Remove the last character
+            }
+        }
+        tokenized_args.push(arg_split);
+    }
+    tokenized_args
+}
+
+pub fn get_env_map(env: &Vec<String>) -> std::collections::HashMap<String, String> {
+    let env_map: std::collections::HashMap<String, String> = env
+        .iter()
+        .filter_map(|v| {
+            let mut split = v.splitn(2, "=");
+            if let (Some(key), Some(value)) = (split.next(), split.next()) {
+                Some((key.to_string(), value.to_string()))
+            } else {
+                None
+            }
+        })
+        .collect();
+    env_map
+}
+
 #[derive(Serialize, Deserialize, Debug, Default, Clone, PartialEq)]
 pub struct Process {
     #[serde(default)]
diff --git a/src/tools/genpolicy/Cargo.lock b/src/tools/genpolicy/Cargo.lock
index 262894d37218..629f37d13020 100644
--- a/src/tools/genpolicy/Cargo.lock
+++ b/src/tools/genpolicy/Cargo.lock
@@ -1,6 +1,6 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
-version = 3
+version = 4
 
 [[package]]
 name = "addr2line"
@@ -1043,6 +1043,7 @@ dependencies = [
  "serde",
  "serde_derive",
  "serde_json",
+ "shell-words",
 ]
 
 [[package]]
@@ -1539,6 +1540,12 @@ dependencies = [
  "digest",
 ]
 
+[[package]]
+name = "shell-words"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24188a676b6ae68c3b2cb3a01be17fbf7240ce009799bb56d5b1409051e78fde"
+
 [[package]]
 name = "slab"
 version = "0.4.9"
diff --git a/src/tools/genpolicy/create.json b/src/tools/genpolicy/create.json
new file mode 100644
index 000000000000..305dd99d2077
--- /dev/null
+++ b/src/tools/genpolicy/create.json
@@ -0,0 +1,432 @@
+{
+    "OCI": {
+        "Annotations": {
+            "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/busybox",
+            "io.katacontainers.pkg.oci.container_type": "pod_container",
+            "io.kubernetes.cri.container-name": "busybox",
+            "io.kubernetes.cri.container-type": "container",
+            "io.kubernetes.cri.image-name": "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64",
+            "io.kubernetes.cri.sandbox-id": "7f2aceaac878f82b8b7d3a2ab4ce4df4069a241f7b896adf57c3dec47a2dd6e9",
+            "io.kubernetes.cri.sandbox-name": "exec-test",
+            "io.kubernetes.cri.sandbox-namespace": "default",
+            "io.kubernetes.cri.sandbox-uid": "2db86c40-86b1-48c4-9079-1d6cffed8f24"
+        },
+        "Hooks": null,
+        "Hostname": "",
+        "Linux": {
+            "CgroupsPath": "/kubepods/besteffort/pod2db86c40-86b1-48c4-9079-1d6cffed8f24/busybox",
+            "Devices": [],
+            "GIDMappings": [],
+            "IntelRdt": null,
+            "MaskedPaths": [],
+            "MountLabel": "",
+            "Namespaces": [
+                {
+                    "Path": "",
+                    "Type": "ipc"
+                },
+                {
+                    "Path": "",
+                    "Type": "uts"
+                },
+                {
+                    "Path": "",
+                    "Type": "mount"
+                }
+            ],
+            "ReadonlyPaths": [],
+            "Resources": {
+                "BlockIO": null,
+                "CPU": {
+                    "Cpus": "",
+                    "Mems": "",
+                    "Period": 100000,
+                    "Quota": 0,
+                    "RealtimePeriod": 0,
+                    "RealtimeRuntime": 0,
+                    "Shares": 2
+                },
+                "Devices": [],
+                "HugepageLimits": [],
+                "Memory": {
+                    "DisableOOMKiller": false,
+                    "Kernel": 0,
+                    "KernelTCP": 0,
+                    "Limit": 0,
+                    "Reservation": 0,
+                    "Swap": 0,
+                    "Swappiness": 0
+                },
+                "Network": null,
+                "Pids": null
+            },
+            "RootfsPropagation": "",
+            "Seccomp": null,
+            "Sysctl": {},
+            "UIDMappings": []
+        },
+        "Mounts": [
+            {
+                "destination": "/proc",
+                "options": [
+                    "nosuid",
+                    "noexec",
+                    "nodev"
+                ],
+                "source": "proc",
+                "type_": "proc"
+            },
+            {
+                "destination": "/dev",
+                "options": [
+                    "nosuid",
+                    "strictatime",
+                    "mode=755",
+                    "size=65536k"
+                ],
+                "source": "tmpfs",
+                "type_": "tmpfs"
+            },
+            {
+                "destination": "/dev/pts",
+                "options": [
+                    "nosuid",
+                    "noexec",
+                    "newinstance",
+                    "ptmxmode=0666",
+                    "mode=0620",
+                    "gid=5"
+                ],
+                "source": "devpts",
+                "type_": "devpts"
+            },
+            {
+                "destination": "/dev/mqueue",
+                "options": [
+                    "nosuid",
+                    "noexec",
+                    "nodev"
+                ],
+                "source": "mqueue",
+                "type_": "mqueue"
+            },
+            {
+                "destination": "/sys",
+                "options": [
+                    "nosuid",
+                    "noexec",
+                    "nodev",
+                    "rw"
+                ],
+                "source": "sysfs",
+                "type_": "sysfs"
+            },
+            {
+                "destination": "/sys/fs/cgroup",
+                "options": [
+                    "nosuid",
+                    "noexec",
+                    "nodev",
+                    "relatime",
+                    "rw"
+                ],
+                "source": "cgroup",
+                "type_": "cgroup"
+            },
+            {
+                "destination": "/etc/hosts",
+                "options": [
+                    "rbind",
+                    "rprivate",
+                    "rw"
+                ],
+                "source": "/run/kata-containers/shared/containers/busybox-cb28fade573ec3a0-hosts",
+                "type_": "bind"
+            },
+            {
+                "destination": "/dev/termination-log",
+                "options": [
+                    "rbind",
+                    "rprivate",
+                    "rw"
+                ],
+                "source": "/run/kata-containers/shared/containers/busybox-c83ba1879ef479d4-termination-log",
+                "type_": "bind"
+            },
+            {
+                "destination": "/etc/hostname",
+                "options": [
+                    "rbind",
+                    "rprivate",
+                    "rw"
+                ],
+                "source": "/run/kata-containers/shared/containers/busybox-6a0fca3eff31f646-hostname",
+                "type_": "bind"
+            },
+            {
+                "destination": "/etc/resolv.conf",
+                "options": [
+                    "rbind",
+                    "rprivate",
+                    "rw"
+                ],
+                "source": "/run/kata-containers/shared/containers/busybox-35127de2b7536709-resolv.conf",
+                "type_": "bind"
+            },
+            {
+                "destination": "/dev/shm",
+                "options": [
+                    "rbind"
+                ],
+                "source": "/run/kata-containers/sandbox/shm",
+                "type_": "bind"
+            },
+            {
+                "destination": "/var/run/secrets/kubernetes.io/serviceaccount",
+                "options": [
+                    "rbind",
+                    "rprivate",
+                    "ro"
+                ],
+                "source": "/run/kata-containers/shared/containers/busybox-5dbf4171c7e040cb-serviceaccount",
+                "type_": "bind"
+            }
+        ],
+        "Process": {
+            "ApparmorProfile": "",
+            "Args": [
+                "/bin/sh",
+                "-c",
+                "while true; do echo Kubernetes; echo aks-nodepool1-40948945-vmss000000; sleep 10; done"
+            ],
+            "Capabilities": {
+                "Ambient": [],
+                "Bounding": [
+                    "CAP_CHOWN",
+                    "CAP_DAC_OVERRIDE",
+                    "CAP_DAC_READ_SEARCH",
+                    "CAP_FOWNER",
+                    "CAP_FSETID",
+                    "CAP_KILL",
+                    "CAP_SETGID",
+                    "CAP_SETUID",
+                    "CAP_SETPCAP",
+                    "CAP_LINUX_IMMUTABLE",
+                    "CAP_NET_BIND_SERVICE",
+                    "CAP_NET_BROADCAST",
+                    "CAP_NET_ADMIN",
+                    "CAP_NET_RAW",
+                    "CAP_IPC_LOCK",
+                    "CAP_IPC_OWNER",
+                    "CAP_SYS_MODULE",
+                    "CAP_SYS_RAWIO",
+                    "CAP_SYS_CHROOT",
+                    "CAP_SYS_PTRACE",
+                    "CAP_SYS_PACCT",
+                    "CAP_SYS_ADMIN",
+                    "CAP_SYS_BOOT",
+                    "CAP_SYS_NICE",
+                    "CAP_SYS_RESOURCE",
+                    "CAP_SYS_TIME",
+                    "CAP_SYS_TTY_CONFIG",
+                    "CAP_MKNOD",
+                    "CAP_LEASE",
+                    "CAP_AUDIT_WRITE",
+                    "CAP_AUDIT_CONTROL",
+                    "CAP_SETFCAP",
+                    "CAP_MAC_OVERRIDE",
+                    "CAP_MAC_ADMIN",
+                    "CAP_SYSLOG",
+                    "CAP_WAKE_ALARM",
+                    "CAP_BLOCK_SUSPEND",
+                    "CAP_AUDIT_READ",
+                    "CAP_PERFMON",
+                    "CAP_BPF",
+                    "CAP_CHECKPOINT_RESTORE"
+                ],
+                "Effective": [
+                    "CAP_CHOWN",
+                    "CAP_DAC_OVERRIDE",
+                    "CAP_DAC_READ_SEARCH",
+                    "CAP_FOWNER",
+                    "CAP_FSETID",
+                    "CAP_KILL",
+                    "CAP_SETGID",
+                    "CAP_SETUID",
+                    "CAP_SETPCAP",
+                    "CAP_LINUX_IMMUTABLE",
+                    "CAP_NET_BIND_SERVICE",
+                    "CAP_NET_BROADCAST",
+                    "CAP_NET_ADMIN",
+                    "CAP_NET_RAW",
+                    "CAP_IPC_LOCK",
+                    "CAP_IPC_OWNER",
+                    "CAP_SYS_MODULE",
+                    "CAP_SYS_RAWIO",
+                    "CAP_SYS_CHROOT",
+                    "CAP_SYS_PTRACE",
+                    "CAP_SYS_PACCT",
+                    "CAP_SYS_ADMIN",
+                    "CAP_SYS_BOOT",
+                    "CAP_SYS_NICE",
+                    "CAP_SYS_RESOURCE",
+                    "CAP_SYS_TIME",
+                    "CAP_SYS_TTY_CONFIG",
+                    "CAP_MKNOD",
+                    "CAP_LEASE",
+                    "CAP_AUDIT_WRITE",
+                    "CAP_AUDIT_CONTROL",
+                    "CAP_SETFCAP",
+                    "CAP_MAC_OVERRIDE",
+                    "CAP_MAC_ADMIN",
+                    "CAP_SYSLOG",
+                    "CAP_WAKE_ALARM",
+                    "CAP_BLOCK_SUSPEND",
+                    "CAP_AUDIT_READ",
+                    "CAP_PERFMON",
+                    "CAP_BPF",
+                    "CAP_CHECKPOINT_RESTORE"
+                ],
+                "Inheritable": [],
+                "Permitted": [
+                    "CAP_CHOWN",
+                    "CAP_DAC_OVERRIDE",
+                    "CAP_DAC_READ_SEARCH",
+                    "CAP_FOWNER",
+                    "CAP_FSETID",
+                    "CAP_KILL",
+                    "CAP_SETGID",
+                    "CAP_SETUID",
+                    "CAP_SETPCAP",
+                    "CAP_LINUX_IMMUTABLE",
+                    "CAP_NET_BIND_SERVICE",
+                    "CAP_NET_BROADCAST",
+                    "CAP_NET_ADMIN",
+                    "CAP_NET_RAW",
+                    "CAP_IPC_LOCK",
+                    "CAP_IPC_OWNER",
+                    "CAP_SYS_MODULE",
+                    "CAP_SYS_RAWIO",
+                    "CAP_SYS_CHROOT",
+                    "CAP_SYS_PTRACE",
+                    "CAP_SYS_PACCT",
+                    "CAP_SYS_ADMIN",
+                    "CAP_SYS_BOOT",
+                    "CAP_SYS_NICE",
+                    "CAP_SYS_RESOURCE",
+                    "CAP_SYS_TIME",
+                    "CAP_SYS_TTY_CONFIG",
+                    "CAP_MKNOD",
+                    "CAP_LEASE",
+                    "CAP_AUDIT_WRITE",
+                    "CAP_AUDIT_CONTROL",
+                    "CAP_SETFCAP",
+                    "CAP_MAC_OVERRIDE",
+                    "CAP_MAC_ADMIN",
+                    "CAP_SYSLOG",
+                    "CAP_WAKE_ALARM",
+                    "CAP_BLOCK_SUSPEND",
+                    "CAP_AUDIT_READ",
+                    "CAP_PERFMON",
+                    "CAP_BPF",
+                    "CAP_CHECKPOINT_RESTORE"
+                ]
+            },
+            "ConsoleSize": null,
+            "Cwd": "/",
+            "Env": [
+                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+                "HOSTNAME=exec-test",
+                "POD_NAME=exec-test",
+                "POD_NAMESPACE=default",
+                "POD_IP=10.244.0.19",
+                "PROXY_CONFIG={}\n",
+                "ISTIO_META_CLUSTER_ID=Kubernetes",
+                "SERVICE_ACCOUNT=default",
+                "ISTIO_META_POD_PORTS=[\n]",
+                "ISTIO_META_APP_CONTAINERS=serviceaclient",
+                "ISTIO_META_NODE_NAME=aks-nodepool1-40948945-vmss000000",
+                "KUBERNETES_SERVICE_PORT=443",
+                "KUBERNETES_SERVICE_PORT_HTTPS=443",
+                "KUBERNETES_PORT=tcp://10.0.0.1:443",
+                "KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443",
+                "KUBERNETES_PORT_443_TCP_PROTO=tcp",
+                "KUBERNETES_PORT_443_TCP_PORT=443",
+                "KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1",
+                "KUBERNETES_SERVICE_HOST=10.0.0.1"
+            ],
+            "NoNewPrivileges": false,
+            "OOMScoreAdj": 1000,
+            "Rlimits": [],
+            "SelinuxLabel": "",
+            "Terminal": false,
+            "User": {
+                "AdditionalGids": [
+                    0,
+                    10
+                ],
+                "GID": 0,
+                "UID": 0,
+                "Username": ""
+            }
+        },
+        "Root": {
+            "Path": "/run/kata-containers/shared/containers/busybox",
+            "Readonly": false
+        },
+        "Solaris": null,
+        "Version": "1.1.0-rc.1",
+        "Windows": null
+    },
+    "container_id": "busybox",
+    "devices": [],
+    "exec_id": "busybox",
+    "sandbox_pidns": false,
+    "shared_mounts": [],
+    "storages": [
+        {
+            "driver": "blk",
+            "driver_options": [],
+            "fs_group": null,
+            "fstype": "tar",
+            "mount_point": "/run/kata-containers/sandbox/layers/2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379",
+            "options": [
+                "ro",
+                "io.katacontainers.fs-opt.block_device=file",
+                "io.katacontainers.fs-opt.is-layer",
+                "io.katacontainers.fs-opt.root-hash=8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080"
+            ],
+            "source": "0001:00:02.0"
+        },
+        {
+            "driver": "blk",
+            "driver_options": [],
+            "fs_group": null,
+            "fstype": "tar",
+            "mount_point": "/run/kata-containers/sandbox/layers/2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552",
+            "options": [
+                "ro",
+                "io.katacontainers.fs-opt.block_device=file",
+                "io.katacontainers.fs-opt.is-layer",
+                "io.katacontainers.fs-opt.root-hash=b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"
+            ],
+            "source": "0001:00:03.0"
+        },
+        {
+            "driver": "overlayfs",
+            "driver_options": [],
+            "fs_group": null,
+            "fstype": "fuse3.kata-overlay",
+            "mount_point": "/run/kata-containers/shared/containers/busybox",
+            "options": [
+                "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers",
+                "io.katacontainers.fs-opt.layer=MmMzNDJhMTM3ZTY5M2M3ODk4YWVjMzZkYTEwNDdmMTkxZGM3YzE2ODdlNjYxOThhZGFjYzQzOWNmNGFkZjM3OSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTg1NjhjNzBjMGNjZmUwMDUxMDkyZTgxOGRhNzY5MTExYTU5ODgyY2QxOWRkNzk5ZDNiY2E1ZmZhODI3OTEwODA=",
+                "io.katacontainers.fs-opt.layer=MjU3MGUzYTE5ZTFiZjIwZGRkYTQ1NDk4YTk2MjdmNjE1NTVkMmQ2YzAxNDc5YjliNzY0NjBiNjc5YjI3ZDU1Mix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWI2NDNiNjIxNzc0ODk4MzgzMGIyNmFjMTRhMzVhMzMyMmRkNTI4YzAwOTYzZWFhZGQ5MWVmNTVmNTEzZGM3M2Y=",
+                "io.katacontainers.fs-opt.overlay-rw",
+                "lowerdir=2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552"
+            ],
+            "source": "none"
+        }
+    ],
+    "string_user": null
+}
\ No newline at end of file
diff --git a/src/tools/genpolicy/exec.rego b/src/tools/genpolicy/exec.rego
new file mode 100644
index 000000000000..a3223cddd2b6
--- /dev/null
+++ b/src/tools/genpolicy/exec.rego
@@ -0,0 +1,2017 @@
+# Copyright (c) 2023 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+package agent_policy
+
+import future.keywords.in
+import future.keywords.every
+
+# Default values, returned by OPA when rules cannot be evaluated to true.
+default AddARPNeighborsRequest := false
+default AddSwapRequest := false
+default CloseStdinRequest := false
+default CopyFileRequest := false
+default CreateContainerRequest := false
+default CreateSandboxRequest := false
+default DestroySandboxRequest := true
+default ExecProcessRequest := false
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := false
+default ListRoutesRequest := false
+default MemHotplugByProbeRequest := false
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := false
+default ReadStreamRequest := false
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := false
+default ResumeContainerRequest := false
+default SetGuestDateTimeRequest := false
+default SetPolicyRequest := false
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := false
+default StatsContainerRequest := true
+default StopTracingRequest := false
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := false
+default UpdateEphemeralMountsRequest := false
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := false
+
+# AllowRequestsFailingPolicy := true configures the Agent to *allow any
+# requests causing a policy failure*. This is an unsecure configuration
+# but is useful for allowing unsecure pods to start, then connect to
+# them and inspect OPA logs for the root cause of a failure.
+default AllowRequestsFailingPolicy := false
+
+# Constants
+S_NAME_KEY = "io.kubernetes.cri.sandbox-name"
+S_NAMESPACE_KEY = "io.kubernetes.cri.sandbox-namespace"
+BUNDLE_ID = "[a-z0-9]{64}"
+
+CreateContainerRequest:= {"ops": ops, "allowed": true} {
+    # Check if the input request should be rejected even before checking the
+    # policy_data.containers information.
+    allow_create_container_input
+
+    i_oci := input.OCI
+    i_storages := input.storages
+
+    # array of possible state operations
+    ops_builder := []
+
+    # check sandbox name
+    sandbox_name = i_oci.Annotations[S_NAME_KEY]
+    add_sandbox_name_to_state := state_allows("sandbox_name", sandbox_name)
+    ops_builder1 := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state)
+
+    # Check if any element from the policy_data.containers array allows the input request.
+    some p_container in policy_data.containers
+    print("======== CreateContainerRequest: trying next policy container")
+
+    p_pidns := p_container.sandbox_pidns
+    i_pidns := input.sandbox_pidns
+    print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns)
+    p_pidns == i_pidns
+
+    p_oci := p_container.OCI
+
+    # check namespace
+    p_namespace := p_oci.Annotations[S_NAMESPACE_KEY]
+    i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+    print ("CreateContainerRequest: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+    add_namespace_to_state := allow_namespace(p_namespace, i_namespace)
+    ops := concat_op_if_not_null(ops_builder1, add_namespace_to_state)
+
+    print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
+    p_oci.Version == i_oci.Version
+
+    print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
+    p_oci.Root.Readonly == i_oci.Root.Readonly
+
+    allow_anno(p_oci, i_oci)
+
+    p_storages := p_container.storages
+    allow_by_anno(p_oci, i_oci, p_storages, i_storages)
+
+    allow_linux(p_oci, i_oci)
+
+    print("CreateContainerRequest: true")
+}
+
+allow_create_container_input {
+    print("allow_create_container_input: input =", input)
+    count(input.shared_mounts) == 0
+    is_null(input.string_user)
+
+    i_oci := input.OCI
+    is_null(i_oci.Hooks)
+    is_null(i_oci.Solaris)
+    is_null(i_oci.Windows)
+
+    i_linux := i_oci.Linux
+    count(i_linux.GIDMappings) == 0
+    count(i_linux.MountLabel) == 0
+    count(i_linux.Resources.Devices) == 0
+    count(i_linux.RootfsPropagation) == 0
+    count(i_linux.UIDMappings) == 0
+    is_null(i_linux.IntelRdt)
+    is_null(i_linux.Resources.BlockIO)
+    is_null(i_linux.Resources.Network)
+    is_null(i_linux.Resources.Pids)
+    is_null(i_linux.Seccomp)
+    i_linux.Sysctl == {}
+
+    i_process := i_oci.Process
+    count(i_process.SelinuxLabel) == 0
+    count(i_process.User.Username) == 0
+
+    print("allow_create_container_input: true")
+}
+
+allow_namespace(p_namespace, i_namespace) = add_namespace {
+    p_namespace == i_namespace
+    add_namespace := null
+    print("allow_namespace 1: input namespace matches policy data")
+}
+
+allow_namespace(p_namespace, i_namespace) = add_namespace {
+    p_namespace == ""
+    print("allow_namespace 2: no namespace found on policy data")
+    add_namespace := state_allows("namespace", i_namespace)
+}
+
+# value hasn't been seen before, save it to state
+state_allows(key, value) = action {
+  state := get_state()
+  not state[key]
+  print("state_allows: saving to state key =", key, "value =", value)
+  path := get_state_path(key) 
+  action := {
+    "op": "add",
+    "path": path, 
+    "value": value,
+  }
+}
+
+# value matches what's in state, allow it
+state_allows(key, value) = action {
+  state := get_state()
+  value == state[key]
+  print("state_allows: found key =", key, "value =", value, " in state")
+  action := null
+}
+
+# helper functions to interact with the state
+get_state() = state {
+  state := data["pstate"]
+}
+
+get_state_val(key) = value {
+    state := get_state()
+    value := state[key]
+}
+
+get_state_path(key) = path {
+    # prepend "/pstate/" to key
+    path := concat("/", ["/pstate", key])
+}
+
+# Helper functions to conditionally concatenate if op is not null
+concat_op_if_not_null(ops, op) = result {
+    op == null
+    result := ops
+}
+
+concat_op_if_not_null(ops, op) = result {
+    op != null
+    result := array.concat(ops, [op])
+}
+
+# Reject unexpected annotations.
+allow_anno(p_oci, i_oci) {
+    print("allow_anno 1: start")
+
+    not i_oci.Annotations
+
+    print("allow_anno 1: true")
+}
+allow_anno(p_oci, i_oci) {
+    print("allow_anno 2: p Annotations =", p_oci.Annotations)
+    print("allow_anno 2: i Annotations =", i_oci.Annotations)
+
+    i_keys := object.keys(i_oci.Annotations)
+    print("allow_anno 2: i keys =", i_keys)
+
+    every i_key in i_keys {
+        allow_anno_key(i_key, p_oci)
+    }
+
+    print("allow_anno 2: true")
+}
+
+allow_anno_key(i_key, p_oci) {
+    print("allow_anno_key 1: i key =", i_key)
+
+    startswith(i_key, "io.kubernetes.cri.")
+
+    print("allow_anno_key 1: true")
+}
+allow_anno_key(i_key, p_oci) {
+    print("allow_anno_key 2: i key =", i_key)
+
+    some p_key, _ in p_oci.Annotations
+    p_key == i_key
+
+    print("allow_anno_key 2: true")
+}
+
+# Get the value of the S_NAME_KEY annotation and
+# correlate it with other annotations and process fields.
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+    print("allow_by_anno 1: start")
+
+    not p_oci.Annotations[S_NAME_KEY]
+
+    i_s_name := i_oci.Annotations[S_NAME_KEY]
+    print("allow_by_anno 1: i_s_name =", i_s_name)
+
+    i_s_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+    print("allow_by_anno 1: i_s_namespace =", i_s_namespace)
+
+    allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name, i_s_namespace)
+
+    print("allow_by_anno 1: true")
+}
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+    print("allow_by_anno 2: start")
+
+    p_s_name := p_oci.Annotations[S_NAME_KEY]
+    i_s_name := i_oci.Annotations[S_NAME_KEY]
+    print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name)
+
+    allow_sandbox_name(p_s_name, i_s_name)
+
+    i_s_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+    print("allow_by_anno 2: i_s_namespace =", i_s_namespace)
+
+    allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name, i_s_namespace)
+
+    print("allow_by_anno 2: true")
+}
+
+allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name, s_namespace) {
+    print("allow_by_sandbox_name: start")
+
+    i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+
+    allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
+    allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
+    allow_process(p_oci.Process, i_oci.Process, s_name, s_namespace)
+
+    print("allow_by_sandbox_name: true")
+}
+
+allow_sandbox_name(p_s_name, i_s_name) {
+    print("allow_sandbox_name 1: start")
+
+    p_s_name == i_s_name
+
+    print("allow_sandbox_name 1: true")
+}
+allow_sandbox_name(p_s_name, i_s_name) {
+    print("allow_sandbox_name 2: start")
+
+    # TODO: should generated names be handled differently?
+    contains(p_s_name, "$(generated-name)")
+
+    print("allow_sandbox_name 2: true")
+}
+
+# Check that the "io.kubernetes.cri.container-type" and
+# "io.katacontainers.pkg.oci.container_type" annotations designate the
+# expected type - either a "sandbox" or a "container". Then, validate
+# other annotations based on the actual "sandbox" or "container" value
+# from the input container.
+allow_by_container_types(p_oci, i_oci, s_name, s_namespace) {
+    print("allow_by_container_types: checking io.kubernetes.cri.container-type")
+
+    c_type := "io.kubernetes.cri.container-type"
+    
+    p_cri_type := p_oci.Annotations[c_type]
+    i_cri_type := i_oci.Annotations[c_type]
+    print("allow_by_container_types: p_cri_type =", p_cri_type, "i_cri_type =", i_cri_type)
+    p_cri_type == i_cri_type
+
+    allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace)
+
+    print("allow_by_container_types: true")
+}
+
+allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) {
+    print("allow_by_container_type 1: i_cri_type =", i_cri_type)
+    i_cri_type == "sandbox"
+
+    i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"]
+    print("allow_by_container_type 1: i_kata_type =", i_kata_type)
+    i_kata_type == "pod_sandbox"
+
+    allow_sandbox_container_name(p_oci, i_oci)
+    allow_sandbox_net_namespace(p_oci, i_oci)
+    allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace)
+
+    print("allow_by_container_type 1: true")
+}
+
+allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) {
+    print("allow_by_container_type 2: i_cri_type =", i_cri_type)
+    i_cri_type == "container"
+
+    i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"]
+    print("allow_by_container_type 2: i_kata_type =", i_kata_type)
+    i_kata_type == "pod_container"
+
+    allow_container_name(p_oci, i_oci)
+    allow_net_namespace(p_oci, i_oci)
+    allow_log_directory(p_oci, i_oci)
+
+    print("allow_by_container_type 2: true")
+}
+
+# "io.kubernetes.cri.container-name" annotation
+allow_sandbox_container_name(p_oci, i_oci) {
+    print("allow_sandbox_container_name: start")
+
+    container_annotation_missing(p_oci, i_oci, "io.kubernetes.cri.container-name")
+
+    print("allow_sandbox_container_name: true")
+}
+
+allow_container_name(p_oci, i_oci) {
+    print("allow_container_name: start")
+
+    allow_container_annotation(p_oci, i_oci, "io.kubernetes.cri.container-name")
+
+    print("allow_container_name: true")
+}
+
+container_annotation_missing(p_oci, i_oci, key) {
+    print("container_annotation_missing:", key)
+
+    not p_oci.Annotations[key]
+    not i_oci.Annotations[key]
+
+    print("container_annotation_missing: true")
+}
+
+allow_container_annotation(p_oci, i_oci, key) {
+    print("allow_container_annotation: key =", key)
+
+    p_value := p_oci.Annotations[key]
+    i_value := i_oci.Annotations[key]
+    print("allow_container_annotation: p_value =", p_value, "i_value =", i_value)
+
+    p_value == i_value
+
+    print("allow_container_annotation: true")
+}
+
+# "nerdctl/network-namespace" annotation
+allow_sandbox_net_namespace(p_oci, i_oci) {
+    print("allow_sandbox_net_namespace: start")
+
+    key := "nerdctl/network-namespace"
+
+    p_namespace := p_oci.Annotations[key]
+    i_namespace := i_oci.Annotations[key]
+    print("allow_sandbox_net_namespace: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+
+    regex.match(p_namespace, i_namespace)
+
+    print("allow_sandbox_net_namespace: true")
+}
+
+allow_net_namespace(p_oci, i_oci) {
+    print("allow_net_namespace: start")
+
+    key := "nerdctl/network-namespace"
+
+    not p_oci.Annotations[key]
+    not i_oci.Annotations[key]
+
+    print("allow_net_namespace: true")
+}
+
+# "io.kubernetes.cri.sandbox-log-directory" annotation
+allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) {
+    print("allow_sandbox_log_directory: start")
+
+    key := "io.kubernetes.cri.sandbox-log-directory"
+
+    p_dir := p_oci.Annotations[key]
+    regex1 := replace(p_dir, "$(sandbox-name)", s_name)
+    regex2 := replace(regex1, "$(sandbox-namespace)", s_namespace)
+    print("allow_sandbox_log_directory: regex2 =", regex2)
+
+    i_dir := i_oci.Annotations[key]
+    print("allow_sandbox_log_directory: i_dir =", i_dir)
+
+    regex.match(regex2, i_dir)
+
+    print("allow_sandbox_log_directory: true")
+}
+
+allow_log_directory(p_oci, i_oci) {
+    print("allow_log_directory: start")
+
+    key := "io.kubernetes.cri.sandbox-log-directory"
+
+    not p_oci.Annotations[key]
+    not i_oci.Annotations[key]
+
+    print("allow_log_directory: true")
+}
+
+allow_linux(p_oci, i_oci) {
+    p_namespaces := p_oci.Linux.Namespaces
+    print("allow_linux: p namespaces =", p_namespaces)
+
+    i_namespaces := i_oci.Linux.Namespaces
+    print("allow_linux: i namespaces =", i_namespaces)
+
+    p_namespaces == i_namespaces
+
+    allow_masked_paths(p_oci, i_oci)
+    allow_readonly_paths(p_oci, i_oci)
+
+    print("allow_linux: true")
+}
+
+allow_masked_paths(p_oci, i_oci) {
+    p_paths := p_oci.Linux.MaskedPaths
+    print("allow_masked_paths 1: p_paths =", p_paths)
+
+    i_paths := i_oci.Linux.MaskedPaths
+    print("allow_masked_paths 1: i_paths =", i_paths)
+
+    allow_masked_paths_array(p_paths, i_paths)
+
+    print("allow_masked_paths 1: true")
+}
+allow_masked_paths(p_oci, i_oci) {
+    print("allow_masked_paths 2: start")
+
+    not p_oci.Linux.MaskedPaths
+    not i_oci.Linux.MaskedPaths
+
+    print("allow_masked_paths 2: true")
+}
+
+# All the policy masked paths must be masked in the input data too.
+# Input is allowed to have more masked paths than the policy.
+allow_masked_paths_array(p_array, i_array) {
+    every p_elem in p_array {
+        allow_masked_path(p_elem, i_array)
+    }
+}
+
+allow_masked_path(p_elem, i_array) {
+    print("allow_masked_path: p_elem =", p_elem)
+
+    some i_elem in i_array
+    p_elem == i_elem
+
+    print("allow_masked_path: true")
+}
+
+allow_readonly_paths(p_oci, i_oci) {
+    p_paths := p_oci.Linux.ReadonlyPaths
+    print("allow_readonly_paths 1: p_paths =", p_paths)
+
+    i_paths := i_oci.Linux.ReadonlyPaths
+    print("allow_readonly_paths 1: i_paths =", i_paths)
+
+    allow_readonly_paths_array(p_paths, i_paths, i_oci.Linux.MaskedPaths)
+
+    print("allow_readonly_paths 1: true")
+}
+allow_readonly_paths(p_oci, i_oci) {
+    print("allow_readonly_paths 2: start")
+
+    not p_oci.Linux.ReadonlyPaths
+    not i_oci.Linux.ReadonlyPaths
+
+    print("allow_readonly_paths 2: true")
+}
+
+# All the policy readonly paths must be either:
+# - Present in the input readonly paths, or
+# - Present in the input masked paths.
+# Input is allowed to have more readonly paths than the policy.
+allow_readonly_paths_array(p_array, i_array, masked_paths) {
+    every p_elem in p_array {
+        allow_readonly_path(p_elem, i_array, masked_paths)
+    }
+}
+
+allow_readonly_path(p_elem, i_array, masked_paths) {
+    print("allow_readonly_path 1: p_elem =", p_elem)
+
+    some i_elem in i_array
+    p_elem == i_elem
+
+    print("allow_readonly_path 1: true")
+}
+allow_readonly_path(p_elem, i_array, masked_paths) {
+    print("allow_readonly_path 2: p_elem =", p_elem)
+
+    some i_masked in masked_paths
+    p_elem == i_masked
+
+    print("allow_readonly_path 2: true")
+}
+
+# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path"
+# and io.kubernetes.cri.sandbox-id" values with other fields.
+allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
+    print("allow_by_bundle_or_sandbox_id: start")
+
+    bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
+    bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
+
+    bundle_id_format := concat("", ["^", BUNDLE_ID, "$"])
+    # regex.match(bundle_id_format, bundle_id)
+
+    key := "io.kubernetes.cri.sandbox-id"
+
+    p_regex := p_oci.Annotations[key]
+    sandbox_id := i_oci.Annotations[key]
+
+    print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex)
+    regex.match(p_regex, sandbox_id)
+
+    allow_root_path(p_oci, i_oci, bundle_id)
+
+    every i_mount in input.OCI.Mounts {
+        allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
+    }
+
+    allow_storages(p_storages, i_storages, bundle_id, sandbox_id)
+
+    print("allow_by_bundle_or_sandbox_id: true")
+}
+
+allow_process_common(p_process, i_process, s_name, s_namespace) {
+    print("allow_process_common: p_process =", p_process)
+    print("allow_process_common: i_process = ", i_process)
+    print("allow_process_common: s_name =", s_name)
+
+    p_process.Cwd == i_process.Cwd
+    p_process.NoNewPrivileges == i_process.NoNewPrivileges
+
+    allow_user(p_process, i_process)
+    allow_env(p_process, i_process, s_name, s_namespace)
+
+    print("allow_process_common: true")
+}
+
+# Compare the OCI Process field of a policy container with the input OCI Process from a CreateContainerRequest
+allow_process(p_process, i_process, s_name, s_namespace) {
+    print("allow_process: start")
+
+    allow_args(p_process, i_process, s_name)
+    allow_process_common(p_process, i_process, s_name, s_namespace)
+    allow_caps(p_process.Capabilities, i_process.Capabilities)
+    p_process.Terminal == i_process.Terminal
+
+    print("allow_process: true")
+}
+
+# Compare the OCI Process field of a policy container with the input process field from ExecProcessRequest
+allow_interactive_process(p_process, i_process, s_name, s_namespace) {
+    print("allow_interactive_process: start")
+
+    allow_process_common(p_process, i_process, s_name, s_namespace)
+    allow_exec_caps(i_process.Capabilities)
+
+    # These are commands enabled using ExecProcessRequest commands and/or regex from the settings file.
+    # They can be executed interactively so allow them to use any value for i_process.Terminal.
+
+    print("allow_interactive_process: true")
+}
+
+# Compare the OCI Process field of a policy container with the input process field from ExecProcessRequest
+allow_probe_process(p_process, i_process, s_name, s_namespace) {
+    print("allow_probe_process: start")
+
+    allow_process_common(p_process, i_process, s_name, s_namespace)
+    allow_exec_caps(i_process.Capabilities)
+    p_process.Terminal == i_process.Terminal
+
+    print("allow_probe_process: true")
+}
+
+allow_user(p_process, i_process) {
+    p_user := p_process.User
+    i_user := i_process.User
+
+    print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
+    p_user.UID == i_user.UID
+
+    # TODO: track down the reason for registry.k8s.io/pause:3.9 being
+    #       executed with gid = 0 despite having "65535:65535" in its container image
+    #       config.
+    #print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID)
+    #p_user.GID == i_user.GID
+
+    # TODO: compare the additionalGids field too after computing its value
+    # based on /etc/passwd and /etc/group from the container image.
+}
+
+allow_args(p_process, i_process, s_name) {
+    print("allow_args 1: no args")
+
+    not p_process.Args
+    not i_process.Args
+
+    print("allow_args 1: true")
+}
+allow_args(p_process, i_process, s_name) {
+    print("allow_args 2: policy args =", p_process.Args)
+    print("allow_args 2: input args =", i_process.Args)
+
+    count(p_process.Args) == count(i_process.Args)
+
+    every i, i_arg in i_process.Args {
+        allow_arg(i, i_arg, p_process, s_name)
+    }
+    print("allow_args 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+    p_arg := p_process.Args[i]
+    print("allow_arg 1: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+    p_arg2 := replace(p_arg, "$$", "$")
+    p_arg2 == i_arg
+
+    print("allow_arg 1: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+    p_arg := p_process.Args[i]
+    print("allow_arg 2: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+    # TODO: can $(node-name) be handled better?
+    contains(p_arg, "$(node-name)")
+
+    print("allow_arg 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+    p_arg := p_process.Args[i]
+    print("allow_arg 3: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+    p_arg2 := replace(p_arg, "$$", "$")
+    p_arg3 := replace(p_arg2, "$(sandbox-name)", s_name)
+    print("allow_arg 3: p_arg3 =", p_arg3)
+    p_arg3 == i_arg
+
+    print("allow_arg 3: true")
+}
+
+# OCI process.Env field
+allow_env(p_process, i_process, s_name, s_namespace) {
+    print("allow_env: p env =", p_process.Env)
+    print("allow_env: i env =", i_process.Env)
+
+    every i_var in i_process.Env {
+        print("allow_env: i_var =", i_var)
+        allow_var(p_process, i_process, i_var, s_name, s_namespace)
+    }
+
+    print("allow_env: true")
+}
+
+# Allow input env variables that are present in the policy data too.
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    some p_var in p_process.Env
+    p_var == i_var
+    print("allow_var 1: true")
+}
+
+# Match input with one of the policy variables, after substituting $(sandbox-name).
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    some p_var in p_process.Env
+    p_var2 := replace(p_var, "$(sandbox-name)", s_name)
+
+    print("allow_var 2: p_var2 =", p_var2)
+    p_var2 == i_var
+
+    print("allow_var 2: true")
+}
+
+# Allow input env variables that match with a request_defaults regex.
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex
+    p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a)
+    p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p)
+    p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name)
+    p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label)
+
+    print("allow_var 3: p_regex5 =", p_regex5)
+    regex.match(p_regex5, i_var)
+
+    print("allow_var 3: true")
+}
+
+# Allow fieldRef "fieldPath: status.podIP" values.
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    name_value := split(i_var, "=")
+    count(name_value) == 2
+    is_ip(name_value[1])
+
+    some p_var in p_process.Env
+    allow_pod_ip_var(name_value[0], p_var)
+
+    print("allow_var 4: true")
+}
+
+# Allow common fieldRef variables.
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    name_value := split(i_var, "=")
+    count(name_value) == 2
+
+    some p_var in p_process.Env
+    p_name_value := split(p_var, "=")
+    count(p_name_value) == 2
+
+    p_name_value[0] == name_value[0]
+
+    # TODO: should these be handled in a different way?
+    always_allowed := ["$(host-name)", "$(node-name)", "$(pod-uid)"]
+    some allowed in always_allowed
+    contains(p_name_value[1], allowed)
+
+    print("allow_var 5: true")
+}
+
+# Allow fieldRef "fieldPath: status.hostIP" values.
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    name_value := split(i_var, "=")
+    count(name_value) == 2
+    is_ip(name_value[1])
+
+    some p_var in p_process.Env
+    allow_host_ip_var(name_value[0], p_var)
+
+    print("allow_var 6: true")
+}
+
+# Allow resourceFieldRef values (e.g., "limits.cpu").
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    name_value := split(i_var, "=")
+    count(name_value) == 2
+
+    some p_var in p_process.Env
+    p_name_value := split(p_var, "=")
+    count(p_name_value) == 2
+
+    p_name_value[0] == name_value[0]
+
+    # TODO: should these be handled in a different way?
+    always_allowed = ["$(resource-field)", "$(todo-annotation)"]
+    some allowed in always_allowed
+    contains(p_name_value[1], allowed)
+
+    print("allow_var 7: true")
+}
+
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    some p_var in p_process.Env
+    p_var2 := replace(p_var, "$(sandbox-namespace)", s_namespace)
+
+    print("allow_var 8: p_var2 =", p_var2)
+    p_var2 == i_var
+
+    print("allow_var 8: true")
+}
+
+allow_pod_ip_var(var_name, p_var) {
+    print("allow_pod_ip_var: var_name =", var_name, "p_var =", p_var)
+
+    p_name_value := split(p_var, "=")
+    count(p_name_value) == 2
+
+    p_name_value[0] == var_name
+    p_name_value[1] == "$(pod-ip)"
+
+    print("allow_pod_ip_var: true")
+}
+
+allow_host_ip_var(var_name, p_var) {
+    print("allow_host_ip_var: var_name =", var_name, "p_var =", p_var)
+
+    p_name_value := split(p_var, "=")
+    count(p_name_value) == 2
+
+    p_name_value[0] == var_name
+    p_name_value[1] == "$(host-ip)"
+
+    print("allow_host_ip_var: true")
+}
+
+is_ip(value) {
+    bytes = split(value, ".")
+    count(bytes) == 4
+
+    is_ip_first_byte(bytes[0])
+    is_ip_other_byte(bytes[1])
+    is_ip_other_byte(bytes[2])
+    is_ip_other_byte(bytes[3])
+}
+is_ip_first_byte(component) {
+    number = to_number(component)
+    number >= 1
+    number <= 255
+}
+is_ip_other_byte(component) {
+    number = to_number(component)
+    number >= 0
+    number <= 255
+}
+
+# OCI root.Path
+allow_root_path(p_oci, i_oci, bundle_id) {
+    i_path := i_oci.Root.Path
+    p_path1 := p_oci.Root.Path
+    print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1)
+
+    p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath)
+    print("allow_root_path: p_path2 =", p_path2)
+
+    p_path3 := replace(p_path2, "$(bundle-id)", bundle_id)
+    print("allow_root_path: p_path3 =", p_path3)
+
+    p_path3 == i_path
+
+    print("allow_root_path: true")
+}
+
+# device mounts
+allow_mount(p_oci, i_mount, bundle_id, sandbox_id) {
+    print("allow_mount: i_mount =", i_mount)
+
+    some p_mount in p_oci.Mounts
+    print("allow_mount: p_mount =", p_mount)
+    check_mount(p_mount, i_mount, bundle_id, sandbox_id)
+
+    # TODO: are there any other required policy checks for mounts - e.g.,
+    #       multiple mounts with same source or destination?
+
+    print("allow_mount: true")
+}
+
+check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
+    p_mount == i_mount
+    print("check_mount 1: true")
+}
+check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
+    p_mount.destination == i_mount.destination
+    p_mount.type_ == i_mount.type_
+    p_mount.options == i_mount.options
+
+    mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id)
+
+    print("check_mount 2: true")
+}
+
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+    regex1 := p_mount.source
+    regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+    regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+    regex4 := replace(regex3, "$(bundle-id)", bundle_id)
+
+    print("mount_source_allows 1: regex4 =", regex4)
+    regex.match(regex4, i_mount.source)
+
+    print("mount_source_allows 1: true")
+}
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+    regex1 := p_mount.source
+    regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+    regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+    regex4 := replace(regex3, "$(sandbox-id)", sandbox_id)
+
+    print("mount_source_allows 2: regex4 =", regex4)
+    regex.match(regex4, i_mount.source)
+
+    print("mount_source_allows 2: true")
+}
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+    print("mount_source_allows 3: i_mount.source=", i_mount.source)
+
+    i_source_parts = split(i_mount.source, "/")
+    b64_direct_vol_path = i_source_parts[count(i_source_parts) - 1]
+
+    base64.is_valid(b64_direct_vol_path)
+
+    source1 := p_mount.source
+    print("mount_source_allows 3: source1 =", source1)
+
+    source2 := replace(source1, "$(spath)", policy_data.common.spath)
+    print("mount_source_allows 3: source2 =", source2)
+
+    source3 := replace(source2, "$(b64-direct-vol-path)", b64_direct_vol_path)
+    print("mount_source_allows 3: source3 =", source3)
+
+    source3 == i_mount.source
+
+    print("mount_source_allows 3: true")
+}
+
+######################################################################
+# Create container Storages
+
+allow_storages(p_storages, i_storages, bundle_id, sandbox_id) {
+    p_count := count(p_storages)
+    i_count := count(i_storages)
+    print("allow_storages: p_count =", p_count, "i_count =", i_count)
+
+    p_count == i_count
+
+    # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage.
+    some overlay_storage in p_storages
+    overlay_storage.driver == "overlayfs"
+    print("allow_storages: overlay_storage =", overlay_storage)
+    count(overlay_storage.options) == 2
+
+    layer_ids := split(overlay_storage.options[0], ":")
+    print("allow_storages: layer_ids =", layer_ids)
+
+    root_hashes := split(overlay_storage.options[1], ":")
+    print("allow_storages: root_hashes =", root_hashes)
+
+    every i_storage in i_storages {
+        allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes)
+    }
+
+    print("allow_storages: true")
+}
+
+allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) {
+    some p_storage in p_storages
+
+    print("allow_storage: p_storage =", p_storage)
+    print("allow_storage: i_storage =", i_storage)
+
+    p_storage.driver           == i_storage.driver
+    p_storage.driver_options   == i_storage.driver_options
+    p_storage.fs_group         == i_storage.fs_group
+
+    allow_storage_options(p_storage, i_storage, layer_ids, root_hashes)
+    allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids)
+
+    # TODO: validate the source field too.
+
+    print("allow_storage: true")
+}
+
+allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+    print("allow_storage_options 1: start")
+
+    p_storage.driver != "overlayfs"
+    p_storage.options == i_storage.options
+
+    print("allow_storage_options 1: true")
+}
+allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+    print("allow_storage_options 2: start")
+
+    p_storage.driver == "overlayfs"
+    count(p_storage.options) == 2
+
+    policy_ids := split(p_storage.options[0], ":")
+    print("allow_storage_options 2: policy_ids =", policy_ids)
+    policy_ids == layer_ids
+
+    policy_hashes := split(p_storage.options[1], ":")
+    print("allow_storage_options 2: policy_hashes =", policy_hashes)
+
+    p_count := count(policy_ids)
+    print("allow_storage_options 2: p_count =", p_count)
+    p_count >= 1
+    p_count == count(policy_hashes)
+
+    i_count := count(i_storage.options)
+    print("allow_storage_options 2: i_count =", i_count)
+    i_count == p_count + 3
+
+    print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0])
+    i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers"
+
+    print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2])
+    i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw"
+
+    lowerdir := concat("=", ["lowerdir", p_storage.options[0]])
+    print("allow_storage_options 2: lowerdir =", lowerdir)
+
+    print("allow_storage_options 2: i_storage.options[i_count - 1] =", i_storage.options[i_count - 1])
+    i_storage.options[i_count - 1] == lowerdir
+
+    every i, policy_id in policy_ids {
+        allow_overlay_layer(policy_id, policy_hashes[i], i_storage.options[i + 1])
+    }
+
+    print("allow_storage_options 2: true")
+}
+allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+    print("allow_storage_options 3: start")
+
+    p_storage.driver == "blk"
+    count(p_storage.options) == 1
+
+    startswith(p_storage.options[0], "$(hash")
+    hash_suffix := trim_left(p_storage.options[0], "$(hash")
+
+    endswith(hash_suffix, ")")
+    hash_index := trim_right(hash_suffix, ")")
+    i := to_number(hash_index)
+    print("allow_storage_options 3: i =", i)
+
+    hash_option := concat("=", ["io.katacontainers.fs-opt.root-hash", root_hashes[i]])
+    print("allow_storage_options 3: hash_option =", hash_option)
+
+    count(i_storage.options) == 4
+    i_storage.options[0] == "ro"
+    i_storage.options[1] == "io.katacontainers.fs-opt.block_device=file"
+    i_storage.options[2] == "io.katacontainers.fs-opt.is-layer"
+    i_storage.options[3] == hash_option
+
+    print("allow_storage_options 3: true")
+}
+allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+    print("allow_storage_options 4: start")
+
+    p_storage.driver == "smb"
+    p_opts_count := count(p_storage.options)
+    i_opts_count := count(i_storage.options)
+    i_opts_count == p_opts_count + 2
+
+    i_opt_matches := [i | i := idx; idx < p_opts_count; p_storage.options[idx] == i_storage.options[idx]]
+    count(i_opt_matches) == p_opts_count
+
+    startswith(i_storage.options[i_opts_count-2], "addr=")
+    creds = split(i_storage.options[i_opts_count-1], ",")
+    count(creds) == 2
+    startswith(creds[0], "username=")
+    startswith(creds[1], "password=")
+    
+    print("allow_storage_options 4: true")
+}
+
+allow_overlay_layer(policy_id, policy_hash, i_option) {
+    print("allow_overlay_layer: policy_id =", policy_id, "policy_hash =", policy_hash)
+    print("allow_overlay_layer: i_option =", i_option)
+
+    startswith(i_option, "io.katacontainers.fs-opt.layer=")
+    i_value := replace(i_option, "io.katacontainers.fs-opt.layer=", "")
+    i_value_decoded := base64.decode(i_value)
+    print("allow_overlay_layer: i_value_decoded =", i_value_decoded)
+
+    policy_suffix := concat("=", ["tar,ro,io.katacontainers.fs-opt.block_device=file,io.katacontainers.fs-opt.is-layer,io.katacontainers.fs-opt.root-hash", policy_hash])
+    p_value := concat(",", [policy_id, policy_suffix])
+    print("allow_overlay_layer: p_value =", p_value)
+
+    p_value == i_value_decoded
+
+    print("allow_overlay_layer: true")
+}
+
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+    p_storage.fstype == "tar"
+
+    startswith(p_storage.mount_point, "$(layer")
+    mount_suffix := trim_left(p_storage.mount_point, "$(layer")
+
+    endswith(mount_suffix, ")")
+    layer_index := trim_right(mount_suffix, ")")
+    i := to_number(layer_index)
+    print("allow_mount_point 1: i =", i)
+
+    layer_id := layer_ids[i]
+    print("allow_mount_point 1: layer_id =", layer_id)
+
+    p_mount := concat("/", ["/run/kata-containers/sandbox/layers", layer_id])
+    print("allow_mount_point 1: p_mount =", p_mount)
+
+    p_mount == i_storage.mount_point
+
+    print("allow_mount_point 1: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+    p_storage.fstype == "fuse3.kata-overlay"
+
+    mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath)
+    mount2 := replace(mount1, "$(bundle-id)", bundle_id)
+    print("allow_mount_point 2: mount2 =", mount2)
+
+    mount2 == i_storage.mount_point
+
+    print("allow_mount_point 2: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+    p_storage.fstype == "local"
+
+    mount1 := p_storage.mount_point
+    print("allow_mount_point 3: mount1 =", mount1)
+
+    mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath)
+    print("allow_mount_point 3: mount2 =", mount2)
+
+    mount3 := replace(mount2, "$(sandbox-id)", sandbox_id)
+    print("allow_mount_point 3: mount3 =", mount3)
+
+    regex.match(mount3, i_storage.mount_point)
+
+    print("allow_mount_point 3: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+    p_storage.fstype == "bind"
+
+    mount1 := p_storage.mount_point
+    print("allow_mount_point 4: mount1 =", mount1)
+
+    mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath)
+    print("allow_mount_point 4: mount2 =", mount2)
+
+    mount3 := replace(mount2, "$(bundle-id)", bundle_id)
+    print("allow_mount_point 4: mount3 =", mount3)
+
+    regex.match(mount3, i_storage.mount_point)
+
+    print("allow_mount_point 4: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+    p_storage.fstype == "tmpfs"
+
+    mount1 := p_storage.mount_point
+    print("allow_mount_point 5: mount1 =", mount1)
+
+    regex.match(mount1, i_storage.mount_point)
+
+    print("allow_mount_point 5: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+    print("allow_mount_point 6: i_storage.mount_point =", i_storage.mount_point)
+    allow_direct_vol_driver(p_storage, i_storage)
+
+    mount1 := p_storage.mount_point
+    print("allow_mount_point 6: mount1 =", mount1)
+
+    mount2 := replace(mount1, "$(spath)", policy_data.common.spath)
+    print("allow_mount_point 6: mount2 =", mount2)
+
+    direct_vol_path := i_storage.source
+    mount3 := replace(mount2, "$(b64-direct-vol-path)", base64url.encode(direct_vol_path))
+    print("allow_mount_point 6: mount3 =", mount3)
+
+    mount3 == i_storage.mount_point
+
+    print("allow_mount_point 6: true")
+}
+
+allow_direct_vol_driver(p_storage, i_storage) {
+    print("allow_direct_vol_driver 1: start")
+    p_storage.driver == "blk"
+    print("allow_direct_vol_driver 1: true")
+}
+allow_direct_vol_driver(p_storage, i_storage) {
+    print("allow_direct_vol_driver 2: start")
+    p_storage.driver == "smb"
+    print("allow_direct_vol_driver 2: true")
+}
+
+# ExecProcessRequest.process.Capabilities
+allow_exec_caps(i_caps) {
+    not i_caps.Ambient
+    not i_caps.Bounding
+    not i_caps.Effective
+    not i_caps.Inheritable
+    not i_caps.Permitted
+}
+
+# OCI.Process.Capabilities
+allow_caps(p_caps, i_caps) {
+    print("allow_caps: policy Ambient =", p_caps.Ambient)
+    print("allow_caps: input Ambient =", i_caps.Ambient)
+    match_caps(p_caps.Ambient, i_caps.Ambient)
+
+    print("allow_caps: policy Bounding =", p_caps.Bounding)
+    print("allow_caps: input Bounding =", i_caps.Bounding)
+    match_caps(p_caps.Bounding, i_caps.Bounding)
+
+    print("allow_caps: policy Effective =", p_caps.Effective)
+    print("allow_caps: input Effective =", i_caps.Effective)
+    match_caps(p_caps.Effective, i_caps.Effective)
+
+    print("allow_caps: policy Inheritable =", p_caps.Inheritable)
+    print("allow_caps: input Inheritable =", i_caps.Inheritable)
+    match_caps(p_caps.Inheritable, i_caps.Inheritable)
+
+    print("allow_caps: policy Permitted =", p_caps.Permitted)
+    print("allow_caps: input Permitted =", i_caps.Permitted)
+    match_caps(p_caps.Permitted, i_caps.Permitted)
+}
+
+match_caps(p_caps, i_caps) {
+    print("match_caps 1: start")
+
+    p_caps == i_caps
+
+    print("match_caps 1: true")
+}
+match_caps(p_caps, i_caps) {
+    print("match_caps 2: start")
+
+    count(p_caps) == 1
+    p_caps[0] == "$(default_caps)"
+
+    print("match_caps 2: default_caps =", policy_data.common.default_caps)
+    policy_data.common.default_caps == i_caps
+
+    print("match_caps 2: true")
+}
+match_caps(p_caps, i_caps) {
+    print("match_caps 3: start")
+
+    count(p_caps) == 1
+    p_caps[0] == "$(privileged_caps)"
+
+    print("match_caps 3: privileged_caps =", policy_data.common.privileged_caps)
+    policy_data.common.privileged_caps == i_caps
+
+    print("match_caps 3: true")
+}
+
+######################################################################
+check_directory_traversal(i_path) {
+    contains(i_path, "../") == false
+    endswith(i_path, "/..") == false
+}
+
+check_symlink_source(i_src) {
+    i_src == ""
+    print("check_symlink_source 1: true")
+}
+check_symlink_source(i_src) {
+    i_src != ""
+    print("check_symlink_source 2: i_src =", i_src)
+
+    regex.match(policy_data.common.s_source1, i_src)
+
+    print("check_symlink_source 2: true")
+}
+check_symlink_source(i_src) {
+    i_src != ""
+    print("check_symlink_source 3: i_src =", i_src)
+
+    regex.match(policy_data.common.s_source2, i_src)
+    check_directory_traversal(i_src)
+
+    print("check_symlink_source 3: true")
+}
+
+allow_sandbox_storages(i_storages) {
+    print("allow_sandbox_storages: i_storages =", i_storages)
+
+    p_storages := policy_data.sandbox.storages
+    every i_storage in i_storages {
+        allow_sandbox_storage(p_storages, i_storage)
+    }
+
+    print("allow_sandbox_storages: true")
+}
+
+allow_sandbox_storage(p_storages, i_storage) {
+    print("allow_sandbox_storage: i_storage =", i_storage)
+
+    some p_storage in p_storages
+    print("allow_sandbox_storage: p_storage =", p_storage)
+    i_storage == p_storage
+
+    print("allow_sandbox_storage: true")
+}
+
+CopyFileRequest {
+    print("CopyFileRequest: input.path =", input.path)
+
+    check_symlink_source(input.symlink_src)
+    check_directory_traversal(input.path)
+
+    some regex1 in policy_data.request_defaults.CopyFileRequest
+    regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+    regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+    regex4 := replace(regex3, "$(bundle-id)", BUNDLE_ID)
+    print("CopyFileRequest: regex4 =", regex4)
+
+    regex.match(regex4, input.path)
+
+    print("CopyFileRequest: true")
+}
+
+CreateSandboxRequest {
+    print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path)
+    count(input.guest_hook_path) == 0
+
+    print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules)
+    count(input.kernel_modules) == 0
+
+    i_pidns := input.sandbox_pidns
+    print("CreateSandboxRequest: i_pidns =", i_pidns)
+    i_pidns == false
+
+    allow_sandbox_storages(input.storages)
+}
+
+allow_exec(p_container, i_process) {
+    print("allow_exec: start")
+
+    p_oci = p_container.OCI
+    p_s_name = p_oci.Annotations[S_NAME_KEY]
+    s_namespace = get_state_val("namespace")
+    allow_probe_process(p_oci.Process, i_process, p_s_name, s_namespace)
+
+    print("allow_exec: true")
+}
+
+allow_interactive_exec(p_container, i_process) {
+    print("allow_interactive_exec: start")
+
+    p_oci = p_container.OCI
+    p_s_name = p_oci.Annotations[S_NAME_KEY]
+    s_namespace = get_state_val("namespace")
+    allow_interactive_process(p_oci.Process, i_process, p_s_name, s_namespace)
+
+    print("allow_interactive_exec: true")
+}
+
+# TODO: should other ExecProcessRequest input data fields be validated as well?
+ExecProcessRequest {
+    print("ExecProcessRequest 1: input =", input)
+
+    i_command = concat(" ", input.process.Args)
+    print("ExecProcessRequest 1: i_command =", i_command)
+
+    some p_command in policy_data.request_defaults.ExecProcessRequest.commands
+    print("ExecProcessRequest 1: p_command =", p_command)
+    p_command == i_command
+
+    # TODO: match p_container's ID with the input container_id.
+    some p_container in policy_data.containers
+    allow_interactive_exec(p_container, input.process)
+
+    print("ExecProcessRequest 1: true")
+}
+ExecProcessRequest {
+    print("ExecProcessRequest 2: input =", input)
+
+    # TODO: match input container ID with its corresponding container.exec_commands.
+    i_command = concat(" ", input.process.Args)
+    print("ExecProcessRequest 2: i_command =", i_command)
+
+    # TODO: match p_container's ID with the input container_id.
+    some p_container in policy_data.containers
+    some p_command in p_container.exec_commands
+    print("ExecProcessRequest 2: p_command =", p_command)
+    p_command == i_command
+
+    allow_exec(p_container, input.process)
+
+    print("ExecProcessRequest 2: true")
+}
+ExecProcessRequest {
+    print("ExecProcessRequest 3: input =", input)
+
+    i_command = concat(" ", input.process.Args)
+    print("ExecProcessRequest 3: i_command =", i_command)
+
+    some p_regex in policy_data.request_defaults.ExecProcessRequest.regex
+    print("ExecProcessRequest 3: p_regex =", p_regex)
+
+    regex.match(p_regex, i_command)
+
+    # TODO: match p_container's ID with the input container_id.
+    some p_container in policy_data.containers
+    allow_interactive_exec(p_container, input.process)
+
+    print("ExecProcessRequest 3: true")
+}
+
+CloseStdinRequest {
+    policy_data.request_defaults.CloseStdinRequest == true
+}
+
+ReadStreamRequest {
+    policy_data.request_defaults.ReadStreamRequest == true
+}
+
+UpdateEphemeralMountsRequest {
+    policy_data.request_defaults.UpdateEphemeralMountsRequest == true
+}
+
+WriteStreamRequest {
+    policy_data.request_defaults.WriteStreamRequest == true
+}
+
+policy_data := {
+  "containers": [
+    {
+      "OCI": {
+        "Version": "1.1.0-rc.1",
+        "Process": {
+          "Terminal": false,
+          "User": {
+            "UID": 65535,
+            "GID": 65535,
+            "AdditionalGids": [],
+            "Username": ""
+          },
+          "Args": [
+            "/pause"
+          ],
+          "Env": [
+            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          ],
+          "Cwd": "/",
+          "Capabilities": {
+            "Ambient": [],
+            "Bounding": [
+              "$(default_caps)"
+            ],
+            "Effective": [
+              "$(default_caps)"
+            ],
+            "Inheritable": [],
+            "Permitted": [
+              "$(default_caps)"
+            ]
+          },
+          "NoNewPrivileges": true
+        },
+        "Root": {
+          "Path": "$(cpath)/$(bundle-id)",
+          "Readonly": true
+        },
+        "Mounts": [
+          {
+            "destination": "/proc",
+            "source": "proc",
+            "type_": "proc",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev"
+            ]
+          },
+          {
+            "destination": "/dev",
+            "source": "tmpfs",
+            "type_": "tmpfs",
+            "options": [
+              "nosuid",
+              "strictatime",
+              "mode=755",
+              "size=65536k"
+            ]
+          },
+          {
+            "destination": "/dev/pts",
+            "source": "devpts",
+            "type_": "devpts",
+            "options": [
+              "nosuid",
+              "noexec",
+              "newinstance",
+              "ptmxmode=0666",
+              "mode=0620",
+              "gid=5"
+            ]
+          },
+          {
+            "destination": "/dev/shm",
+            "source": "/run/kata-containers/sandbox/shm",
+            "type_": "bind",
+            "options": [
+              "rbind"
+            ]
+          },
+          {
+            "destination": "/dev/mqueue",
+            "source": "mqueue",
+            "type_": "mqueue",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev"
+            ]
+          },
+          {
+            "destination": "/sys",
+            "source": "sysfs",
+            "type_": "sysfs",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev",
+              "ro"
+            ]
+          },
+          {
+            "destination": "/etc/resolv.conf",
+            "source": "$(sfprefix)resolv.conf$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "ro",
+              "nosuid",
+              "nodev",
+              "noexec"
+            ]
+          }
+        ],
+        "Annotations": {
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)",
+          "io.katacontainers.pkg.oci.container_type": "pod_sandbox",
+          "io.kubernetes.cri.container-type": "sandbox",
+          "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$",
+          "io.kubernetes.cri.sandbox-log-directory": "^/var/log/pods/$(sandbox-namespace)_$(sandbox-name)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
+          "io.kubernetes.cri.sandbox-name": "exec-test",
+          "io.kubernetes.cri.sandbox-namespace": "",
+          "nerdctl/network-namespace": "^/var/run/netns/cni-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
+        },
+        "Linux": {
+          "Namespaces": [
+            {
+              "Type": "ipc",
+              "Path": ""
+            },
+            {
+              "Type": "uts",
+              "Path": ""
+            },
+            {
+              "Type": "mount",
+              "Path": ""
+            }
+          ],
+          "MaskedPaths": [
+            "/proc/acpi",
+            "/proc/asound",
+            "/proc/kcore",
+            "/proc/keys",
+            "/proc/latency_stats",
+            "/proc/timer_list",
+            "/proc/timer_stats",
+            "/proc/sched_debug",
+            "/sys/firmware",
+            "/proc/scsi"
+          ],
+          "ReadonlyPaths": [
+            "/proc/bus",
+            "/proc/fs",
+            "/proc/irq",
+            "/proc/sys",
+            "/proc/sysrq-trigger"
+          ]
+        }
+      },
+      "storages": [
+        {
+          "driver": "blk",
+          "driver_options": [],
+          "source": "",
+          "fstype": "tar",
+          "options": [
+            "$(hash0)"
+          ],
+          "mount_point": "$(layer0)",
+          "fs_group": null
+        },
+        {
+          "driver": "overlayfs",
+          "driver_options": [],
+          "source": "",
+          "fstype": "fuse3.kata-overlay",
+          "options": [
+            "5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d",
+            "817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18"
+          ],
+          "mount_point": "$(cpath)/$(bundle-id)",
+          "fs_group": null
+        }
+      ],
+      "sandbox_pidns": false,
+      "exec_commands": []
+    },
+    {
+      "OCI": {
+        "Version": "1.1.0-rc.1",
+        "Process": {
+          "Terminal": false,
+          "User": {
+            "UID": 0,
+            "GID": 0,
+            "AdditionalGids": [],
+            "Username": ""
+          },
+          "Args": [
+            "/bin/sh",
+            "-c",
+            "while true; do echo Kubernetes; echo $(node-name); sleep 10; done"
+          ],
+          "Env": [
+            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+            "HOSTNAME=$(host-name)",
+            "POD_NAME=$(sandbox-name)",
+            "POD_NAMESPACE=$(sandbox-namespace)",
+            "POD_IP=$(pod-ip)",
+            "SERVICE_ACCOUNT=default",
+            "PROXY_CONFIG={}\n",
+            "ISTIO_META_POD_PORTS=[\n]",
+            "ISTIO_META_APP_CONTAINERS=serviceaclient",
+            "ISTIO_META_CLUSTER_ID=Kubernetes",
+            "ISTIO_META_NODE_NAME=$(node-name)"
+          ],
+          "Cwd": "/",
+          "Capabilities": {
+            "Ambient": [],
+            "Bounding": [
+              "$(privileged_caps)"
+            ],
+            "Effective": [
+              "$(privileged_caps)"
+            ],
+            "Inheritable": [],
+            "Permitted": [
+              "$(privileged_caps)"
+            ]
+          },
+          "NoNewPrivileges": false
+        },
+        "Root": {
+          "Path": "$(cpath)/$(bundle-id)",
+          "Readonly": false
+        },
+        "Mounts": [
+          {
+            "destination": "/proc",
+            "source": "proc",
+            "type_": "proc",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev"
+            ]
+          },
+          {
+            "destination": "/dev",
+            "source": "tmpfs",
+            "type_": "tmpfs",
+            "options": [
+              "nosuid",
+              "strictatime",
+              "mode=755",
+              "size=65536k"
+            ]
+          },
+          {
+            "destination": "/dev/pts",
+            "source": "devpts",
+            "type_": "devpts",
+            "options": [
+              "nosuid",
+              "noexec",
+              "newinstance",
+              "ptmxmode=0666",
+              "mode=0620",
+              "gid=5"
+            ]
+          },
+          {
+            "destination": "/dev/shm",
+            "source": "/run/kata-containers/sandbox/shm",
+            "type_": "bind",
+            "options": [
+              "rbind"
+            ]
+          },
+          {
+            "destination": "/dev/mqueue",
+            "source": "mqueue",
+            "type_": "mqueue",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev"
+            ]
+          },
+          {
+            "destination": "/sys",
+            "source": "sysfs",
+            "type_": "sysfs",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev",
+              "rw"
+            ]
+          },
+          {
+            "destination": "/sys/fs/cgroup",
+            "source": "cgroup",
+            "type_": "cgroup",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev",
+              "relatime",
+              "rw"
+            ]
+          },
+          {
+            "destination": "/etc/hosts",
+            "source": "$(sfprefix)hosts$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "rprivate",
+              "rw"
+            ]
+          },
+          {
+            "destination": "/dev/termination-log",
+            "source": "$(sfprefix)termination-log$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "rprivate",
+              "rw"
+            ]
+          },
+          {
+            "destination": "/etc/hostname",
+            "source": "$(sfprefix)hostname$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "rprivate",
+              "rw"
+            ]
+          },
+          {
+            "destination": "/etc/resolv.conf",
+            "source": "$(sfprefix)resolv.conf$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "rprivate",
+              "rw"
+            ]
+          },
+          {
+            "destination": "/var/run/secrets/kubernetes.io/serviceaccount",
+            "source": "$(sfprefix)serviceaccount$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "rprivate",
+              "ro"
+            ]
+          },
+          {
+            "destination": "/var/run/secrets/azure/tokens",
+            "source": "$(sfprefix)tokens$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "rprivate",
+              "ro"
+            ]
+          }
+        ],
+        "Annotations": {
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)",
+          "io.katacontainers.pkg.oci.container_type": "pod_container",
+          "io.kubernetes.cri.container-name": "busybox",
+          "io.kubernetes.cri.container-type": "container",
+          "io.kubernetes.cri.image-name": "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64",
+          "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$",
+          "io.kubernetes.cri.sandbox-name": "exec-test",
+          "io.kubernetes.cri.sandbox-namespace": ""
+        },
+        "Linux": {
+          "Namespaces": [
+            {
+              "Type": "ipc",
+              "Path": ""
+            },
+            {
+              "Type": "uts",
+              "Path": ""
+            },
+            {
+              "Type": "mount",
+              "Path": ""
+            }
+          ],
+          "MaskedPaths": [],
+          "ReadonlyPaths": []
+        }
+      },
+      "storages": [
+        {
+          "driver": "blk",
+          "driver_options": [],
+          "source": "",
+          "fstype": "tar",
+          "options": [
+            "$(hash0)"
+          ],
+          "mount_point": "$(layer0)",
+          "fs_group": null
+        },
+        {
+          "driver": "blk",
+          "driver_options": [],
+          "source": "",
+          "fstype": "tar",
+          "options": [
+            "$(hash1)"
+          ],
+          "mount_point": "$(layer1)",
+          "fs_group": null
+        },
+        {
+          "driver": "overlayfs",
+          "driver_options": [],
+          "source": "",
+          "fstype": "fuse3.kata-overlay",
+          "options": [
+            "2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552",
+            "8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080:b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"
+          ],
+          "mount_point": "$(cpath)/$(bundle-id)",
+          "fs_group": null
+        }
+      ],
+      "sandbox_pidns": false,
+      "exec_commands": [
+        "echo ${ISTIO_META_APP_CONTAINERS}",
+        "echo Ready ${POD_IP}!",
+        "echo ${ISTIO_META_NODE_NAME} startup"
+      ]
+    }
+  ],
+  "common": {
+    "cpath": "/run/kata-containers/shared/containers",
+    "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-",
+    "spath": "/run/kata-containers/sandbox/storage",
+    "ipv4_a": "((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}",
+    "ip_p": "[0-9]{1,5}",
+    "svc_name": "[A-Z0-9_\\.\\-]+",
+    "dns_label": "[a-zA-Z0-9_\\.\\-]+",
+    "s_source1": "^..2[0-9]{3}_[0-1][0-9]_[0-3][0-9]_[0-2][0-9]_[0-5][0-9]_[0-5][0-9]\\.[0-9]{1,10}$",
+    "s_source2": "^..data/",
+    "default_caps": [
+      "CAP_CHOWN",
+      "CAP_DAC_OVERRIDE",
+      "CAP_FSETID",
+      "CAP_FOWNER",
+      "CAP_MKNOD",
+      "CAP_NET_RAW",
+      "CAP_SETGID",
+      "CAP_SETUID",
+      "CAP_SETFCAP",
+      "CAP_SETPCAP",
+      "CAP_NET_BIND_SERVICE",
+      "CAP_SYS_CHROOT",
+      "CAP_KILL",
+      "CAP_AUDIT_WRITE"
+    ],
+    "privileged_caps": [
+      "CAP_CHOWN",
+      "CAP_DAC_OVERRIDE",
+      "CAP_DAC_READ_SEARCH",
+      "CAP_FOWNER",
+      "CAP_FSETID",
+      "CAP_KILL",
+      "CAP_SETGID",
+      "CAP_SETUID",
+      "CAP_SETPCAP",
+      "CAP_LINUX_IMMUTABLE",
+      "CAP_NET_BIND_SERVICE",
+      "CAP_NET_BROADCAST",
+      "CAP_NET_ADMIN",
+      "CAP_NET_RAW",
+      "CAP_IPC_LOCK",
+      "CAP_IPC_OWNER",
+      "CAP_SYS_MODULE",
+      "CAP_SYS_RAWIO",
+      "CAP_SYS_CHROOT",
+      "CAP_SYS_PTRACE",
+      "CAP_SYS_PACCT",
+      "CAP_SYS_ADMIN",
+      "CAP_SYS_BOOT",
+      "CAP_SYS_NICE",
+      "CAP_SYS_RESOURCE",
+      "CAP_SYS_TIME",
+      "CAP_SYS_TTY_CONFIG",
+      "CAP_MKNOD",
+      "CAP_LEASE",
+      "CAP_AUDIT_WRITE",
+      "CAP_AUDIT_CONTROL",
+      "CAP_SETFCAP",
+      "CAP_MAC_OVERRIDE",
+      "CAP_MAC_ADMIN",
+      "CAP_SYSLOG",
+      "CAP_WAKE_ALARM",
+      "CAP_BLOCK_SUSPEND",
+      "CAP_AUDIT_READ",
+      "CAP_PERFMON",
+      "CAP_BPF",
+      "CAP_CHECKPOINT_RESTORE"
+    ],
+    "virtio_blk_storage_classes": [
+      "cc-local-csi",
+      "cc-managed-csi",
+      "cc-managed-premium-csi"
+    ],
+    "smb_storage_classes": [
+      {
+        "name": "azurefile-csi-kata-cc",
+        "mount_options": [
+          "dir_mode=0777",
+          "file_mode=0777",
+          "mfsymlinks",
+          "cache=strict",
+          "nosharesock",
+          "actimeo=30",
+          "nobrl"
+        ]
+      }
+    ]
+  },
+  "sandbox": {
+    "storages": [
+      {
+        "driver": "ephemeral",
+        "driver_options": [],
+        "source": "shm",
+        "fstype": "tmpfs",
+        "options": [
+          "noexec",
+          "nosuid",
+          "nodev",
+          "mode=1777",
+          "size=67108864"
+        ],
+        "mount_point": "/run/kata-containers/sandbox/shm",
+        "fs_group": null
+      }
+    ]
+  },
+  "request_defaults": {
+    "CreateContainerRequest": {
+      "allow_env_regex": [
+        "^HOSTNAME=$(dns_label)$",
+        "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$",
+        "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$",
+        "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$",
+        "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$",
+        "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$",
+        "^$(svc_name)_SERVICE_PORT=$(ip_p)$",
+        "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$",
+        "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$",
+        "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+        "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
+        "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
+        "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
+        "^TERM=xterm$"
+      ]
+    },
+    "CopyFileRequest": [
+      "$(sfprefix)"
+    ],
+    "ExecProcessRequest": {
+      "commands": [],
+      "regex": []
+    },
+    "CloseStdinRequest": false,
+    "ReadStreamRequest": true,
+    "UpdateEphemeralMountsRequest": false,
+    "WriteStreamRequest": false
+  }
+}
\ No newline at end of file
diff --git a/src/tools/genpolicy/exec2.rego b/src/tools/genpolicy/exec2.rego
new file mode 100644
index 000000000000..24c4a3144730
--- /dev/null
+++ b/src/tools/genpolicy/exec2.rego
@@ -0,0 +1,2196 @@
+# Copyright (c) 2023 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+package agent_policy
+
+import future.keywords.in
+import future.keywords.every
+
+# Default values, returned by OPA when rules cannot be evaluated to true.
+default AddARPNeighborsRequest := false
+default AddSwapRequest := false
+default CloseStdinRequest := false
+default CopyFileRequest := false
+default CreateContainerRequest := false
+default PolicyCreateContainerRequest := false
+default CreateSandboxRequest := false
+default DestroySandboxRequest := true
+default ExecProcessRequest := false
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := false
+default ListRoutesRequest := false
+default MemHotplugByProbeRequest := false
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := false
+default ReadStreamRequest := false
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := false
+default ResumeContainerRequest := false
+default SetGuestDateTimeRequest := false
+default SetPolicyRequest := false
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := false
+default StatsContainerRequest := true
+default StopTracingRequest := false
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := false
+default UpdateEphemeralMountsRequest := false
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := false
+
+# AllowRequestsFailingPolicy := true configures the Agent to *allow any
+# requests causing a policy failure*. This is an unsecure configuration
+# but is useful for allowing unsecure pods to start, then connect to
+# them and inspect OPA logs for the root cause of a failure.
+default AllowRequestsFailingPolicy := false
+
+# Constants
+S_NAME_KEY = "io.kubernetes.cri.sandbox-name"
+S_NAMESPACE_KEY = "io.kubernetes.cri.sandbox-namespace"
+BUNDLE_ID = "[a-z0-9]{64}"
+# from https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
+# and https://github.com/kubernetes/kubernetes/blob/8294abc599696e0d1b5aa734afa7ae1e4f5059a0/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go#L177
+SUBDOMAIN_NAME = "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+ALLOWED_SUBDOMAIN_NAMES := ["$(host-name)", "$(node-name)", "$(pod-uid)"]
+ALWAYS_ALLOWED = ["$(resource-field)", "$(todo-annotation)"]
+
+PolicyCreateContainerRequest:= resp {
+  resp = CreateContainerRequestCommon(input.base)
+  i_env_map := input.env_map
+  i_tokenized_args := input.tokenized_args
+  some p_container in policy_data.containers
+  p_env_map := p_container.env_map  
+  allow_env_map(p_env_map, i_env_map)
+  
+  p_tokenized_args := p_container.tokenized_args
+  allow_tokenized_args(p_tokenized_args, i_tokenized_args)
+
+  print("PolicyCreateContainerRequest: true")
+}
+
+allow_tokenized_args(p_tokenized_args, i_tokenized_args) {
+    every i, i_tokenized_arg in i_tokenized_args {
+      allow_tokenized_arg(p_tokenized_args[i], i_tokenized_arg)
+    }
+    print("allow_tokenized_args: true")
+}
+
+allow_tokenized_arg(p_tokenized_arg, i_tokenized_arg) {
+    print("allow_tokenized_arg: p_tokenized_arg =", p_tokenized_arg, "i_tokenized_arg =", i_tokenized_arg)
+    every i, i_token in i_tokenized_arg {
+      allow_token(p_tokenized_arg[i], i_token)
+    }
+    print("allow_tokenized_arg: true")
+}
+
+# Allow exact match
+allow_token(p_token, i_token) {
+    p_token == i_token
+    print("allow_token: true")
+}
+
+# Allow variables that should look like a subdomain name
+allow_token(p_token, i_token) {
+    some allowed in ALLOWED_SUBDOMAIN_NAMES
+    p_token == allowed
+    regex.match(SUBDOMAIN_NAME, i_token)
+    print("allow_token2: true")
+}
+
+allow_env_map(p_env_map, i_env_map) {
+    every env_key, env_val in i_env_map {
+      print("allow_env: env_key =", env_key, "env_val =", env_val)
+      allow_env_map_entry(env_key, env_val, p_env_map)
+    }
+    print("allow_env_map: true")
+}
+
+# Allow exact match
+allow_env_map_entry(key, i_val, p_env_map) {
+    p_val := p_env_map[key]
+    i_val == p_val
+    print("allow_env_map_entry: true")
+}
+
+# Allow variables that should look like a subdomain name
+allow_env_map_entry(key, i_val, p_env_map) {
+  p_val := p_env_map[key]
+  some allowed in ALLOWED_SUBDOMAIN_NAMES
+  p_val == allowed
+  regex.match(SUBDOMAIN_NAME, i_val)
+  print("allow_env_map_entry2: true")
+}
+
+# Allow input env variables that match with a request_defaults regex.
+allow_env_map_entry(key, i_val, p_env_map) {
+    some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex
+    p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a)
+    p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p)
+    p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name)
+    p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label)
+
+    result := concat("=", [key, i_val])
+    regex.match(p_regex5, result)
+
+    print("allow_env_map_entry 3: true")
+}
+
+# Allow fieldRef "fieldPath: status.podIP" values.
+allow_env_map_entry(key, i_val, p_env_map) {
+    is_ip(i_val)
+
+    p_val := p_env_map[key]
+    p_var := concat("=", [key, p_val])
+    allow_pod_ip_var(key, p_var)
+    print("allow_env_map_entry 4: true")
+}
+
+# Match input with one of the policy variables, after substituting $(sandbox-name).
+allow_env_map_entry(key, i_val, p_env_map) {
+    s_name := input.base.OCI.Annotations[S_NAME_KEY]
+    p_val := p_env_map[key]
+    p_var2 := replace(p_val, "$(sandbox-name)", s_name)
+    p_var2 == i_val
+    print("allow_env_map_entry 5: true")
+}
+
+# Match input with one of the policy variables, after substituting $(sandbox-namespace).
+allow_env_map_entry(key, i_val, p_env_map) {
+    s_namespace := input.base.OCI.Annotations[S_NAMESPACE_KEY]
+    p_val := p_env_map[key]
+    p_var2 := replace(p_val, "$(sandbox-namespace)", s_namespace)
+    p_var2 == i_val
+    print("allow_env_map_entry 6: true")
+}
+
+# Allow fieldRef "fieldPath: status.hostIP" values.
+allow_env_map_entry(key, i_val, p_env_map) {
+    is_ip(i_val)
+
+    p_val := p_env_map[key]
+    p_var := concat("=", [key, p_val])
+    allow_host_ip_var(key, p_var)
+    print("allow_env_map_entry 7: true")
+}
+
+# Allow resourceFieldRef values (e.g., "limits.cpu").
+allow_env_map_entry(key, i_val, p_env_map) {
+    p_val := p_env_map[key]
+    # TODO: should these be handled in a different way?
+    some allowed in ALWAYS_ALLOWED
+    p_val == allowed
+    #regex.match(SUBDOMAIN_NAME, i_val)
+    print("allow_env_map_entry8: true")
+}
+
+CreateContainerRequest:= resp {
+  resp = CreateContainerRequestCommon(input)
+  print("CreateContainerRequest: true")
+}
+
+CreateContainerRequestCommon(req):= {"ops": ops, "allowed": true} {
+    # Check if the input request should be rejected even before checking the
+    # policy_data.containers information.
+    allow_create_container_input(req)
+
+    i_oci := req.OCI
+    i_storages := req.storages
+
+    # array of possible state operations
+    ops_builder := []
+
+    # check sandbox name
+    sandbox_name = i_oci.Annotations[S_NAME_KEY]
+    add_sandbox_name_to_state := state_allows("sandbox_name", sandbox_name)
+    ops_builder1 := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state)
+
+    # Check if any element from the policy_data.containers array allows the input request.
+    some p_container in policy_data.containers
+    print("======== CreateContainerRequest: trying next policy container")
+
+    p_pidns := p_container.sandbox_pidns
+    i_pidns := req.sandbox_pidns
+    print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns)
+    p_pidns == i_pidns
+
+    p_oci := p_container.OCI
+
+    # check namespace
+    p_namespace := p_oci.Annotations[S_NAMESPACE_KEY]
+    i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+    print ("CreateContainerRequest: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+    add_namespace_to_state := allow_namespace(p_namespace, i_namespace)
+    ops := concat_op_if_not_null(ops_builder1, add_namespace_to_state)
+
+    print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
+    p_oci.Version == i_oci.Version
+
+    print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
+    p_oci.Root.Readonly == i_oci.Root.Readonly
+
+    allow_anno(p_oci, i_oci)
+
+    p_storages := p_container.storages
+    allow_by_anno(p_oci, i_oci, p_storages, i_storages)
+
+    allow_linux(p_oci, i_oci)
+
+    print("CreateContainerRequestCommon: true")
+}
+
+allow_create_container_input(req) {
+    print("allow_create_container_input: input =", req)
+    count(req.shared_mounts) == 0
+    is_null(req.string_user)
+
+    i_oci := req.OCI
+    is_null(i_oci.Hooks)
+    is_null(i_oci.Solaris)
+    is_null(i_oci.Windows)
+
+    i_linux := i_oci.Linux
+    count(i_linux.GIDMappings) == 0
+    count(i_linux.MountLabel) == 0
+    count(i_linux.Resources.Devices) == 0
+    count(i_linux.RootfsPropagation) == 0
+    count(i_linux.UIDMappings) == 0
+    is_null(i_linux.IntelRdt)
+    is_null(i_linux.Resources.BlockIO)
+    is_null(i_linux.Resources.Network)
+    is_null(i_linux.Resources.Pids)
+    is_null(i_linux.Seccomp)
+    i_linux.Sysctl == {}
+
+    i_process := i_oci.Process
+    count(i_process.SelinuxLabel) == 0
+    count(i_process.User.Username) == 0
+
+    print("allow_create_container_input: true")
+}
+
+allow_namespace(p_namespace, i_namespace) = add_namespace {
+    p_namespace == i_namespace
+    add_namespace := null
+    print("allow_namespace 1: input namespace matches policy data")
+}
+
+allow_namespace(p_namespace, i_namespace) = add_namespace {
+    p_namespace == ""
+    print("allow_namespace 2: no namespace found on policy data")
+    add_namespace := state_allows("namespace", i_namespace)
+}
+
+# value hasn't been seen before, save it to state
+state_allows(key, value) = action {
+  state := get_state()
+  not state[key]
+  print("state_allows: saving to state key =", key, "value =", value)
+  path := get_state_path(key) 
+  action := {
+    "op": "add",
+    "path": path, 
+    "value": value,
+  }
+}
+
+# value matches what's in state, allow it
+state_allows(key, value) = action {
+  state := get_state()
+  value == state[key]
+  print("state_allows: found key =", key, "value =", value, " in state")
+  action := null
+}
+
+# helper functions to interact with the state
+get_state() = state {
+  state := data["pstate"]
+}
+
+get_state_val(key) = value {
+    state := get_state()
+    value := state[key]
+}
+
+get_state_path(key) = path {
+    # prepend "/pstate/" to key
+    path := concat("/", ["/pstate", key])
+}
+
+# Helper functions to conditionally concatenate if op is not null
+concat_op_if_not_null(ops, op) = result {
+    op == null
+    result := ops
+}
+
+concat_op_if_not_null(ops, op) = result {
+    op != null
+    result := array.concat(ops, [op])
+}
+
+# Reject unexpected annotations.
+allow_anno(p_oci, i_oci) {
+    print("allow_anno 1: start")
+
+    not i_oci.Annotations
+
+    print("allow_anno 1: true")
+}
+allow_anno(p_oci, i_oci) {
+    print("allow_anno 2: p Annotations =", p_oci.Annotations)
+    print("allow_anno 2: i Annotations =", i_oci.Annotations)
+
+    i_keys := object.keys(i_oci.Annotations)
+    print("allow_anno 2: i keys =", i_keys)
+
+    every i_key in i_keys {
+        allow_anno_key(i_key, p_oci)
+    }
+
+    print("allow_anno 2: true")
+}
+
+allow_anno_key(i_key, p_oci) {
+    print("allow_anno_key 1: i key =", i_key)
+
+    startswith(i_key, "io.kubernetes.cri.")
+
+    print("allow_anno_key 1: true")
+}
+allow_anno_key(i_key, p_oci) {
+    print("allow_anno_key 2: i key =", i_key)
+
+    some p_key, _ in p_oci.Annotations
+    p_key == i_key
+
+    print("allow_anno_key 2: true")
+}
+
+# Get the value of the S_NAME_KEY annotation and
+# correlate it with other annotations and process fields.
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+    print("allow_by_anno 1: start")
+
+    not p_oci.Annotations[S_NAME_KEY]
+
+    i_s_name := i_oci.Annotations[S_NAME_KEY]
+    print("allow_by_anno 1: i_s_name =", i_s_name)
+
+    i_s_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+    print("allow_by_anno 1: i_s_namespace =", i_s_namespace)
+
+    allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name, i_s_namespace)
+
+    print("allow_by_anno 1: true")
+}
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+    print("allow_by_anno 2: start")
+
+    p_s_name := p_oci.Annotations[S_NAME_KEY]
+    i_s_name := i_oci.Annotations[S_NAME_KEY]
+    print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name)
+
+    allow_sandbox_name(p_s_name, i_s_name)
+
+    i_s_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+    print("allow_by_anno 2: i_s_namespace =", i_s_namespace)
+
+    allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name, i_s_namespace)
+
+    print("allow_by_anno 2: true")
+}
+
+allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name, s_namespace) {
+    print("allow_by_sandbox_name: start")
+
+    i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+
+    allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
+    allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
+    allow_process(p_oci.Process, i_oci.Process, s_name, s_namespace)
+
+    print("allow_by_sandbox_name: true")
+}
+
+allow_sandbox_name(p_s_name, i_s_name) {
+    print("allow_sandbox_name 1: start")
+
+    p_s_name == i_s_name
+
+    print("allow_sandbox_name 1: true")
+}
+allow_sandbox_name(p_s_name, i_s_name) {
+    print("allow_sandbox_name 2: start")
+
+    # TODO: should generated names be handled differently?
+    contains(p_s_name, "$(generated-name)")
+
+    print("allow_sandbox_name 2: true")
+}
+
+# Check that the "io.kubernetes.cri.container-type" and
+# "io.katacontainers.pkg.oci.container_type" annotations designate the
+# expected type - either a "sandbox" or a "container". Then, validate
+# other annotations based on the actual "sandbox" or "container" value
+# from the input container.
+allow_by_container_types(p_oci, i_oci, s_name, s_namespace) {
+    print("allow_by_container_types: checking io.kubernetes.cri.container-type")
+
+    c_type := "io.kubernetes.cri.container-type"
+    
+    p_cri_type := p_oci.Annotations[c_type]
+    i_cri_type := i_oci.Annotations[c_type]
+    print("allow_by_container_types: p_cri_type =", p_cri_type, "i_cri_type =", i_cri_type)
+    p_cri_type == i_cri_type
+
+    allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace)
+
+    print("allow_by_container_types: true")
+}
+
+allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) {
+    print("allow_by_container_type 1: i_cri_type =", i_cri_type)
+    i_cri_type == "sandbox"
+
+    i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"]
+    print("allow_by_container_type 1: i_kata_type =", i_kata_type)
+    i_kata_type == "pod_sandbox"
+
+    allow_sandbox_container_name(p_oci, i_oci)
+    allow_sandbox_net_namespace(p_oci, i_oci)
+    allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace)
+
+    print("allow_by_container_type 1: true")
+}
+
+allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) {
+    print("allow_by_container_type 2: i_cri_type =", i_cri_type)
+    i_cri_type == "container"
+
+    i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"]
+    print("allow_by_container_type 2: i_kata_type =", i_kata_type)
+    i_kata_type == "pod_container"
+
+    allow_container_name(p_oci, i_oci)
+    allow_net_namespace(p_oci, i_oci)
+    allow_log_directory(p_oci, i_oci)
+
+    print("allow_by_container_type 2: true")
+}
+
+# "io.kubernetes.cri.container-name" annotation
+allow_sandbox_container_name(p_oci, i_oci) {
+    print("allow_sandbox_container_name: start")
+
+    container_annotation_missing(p_oci, i_oci, "io.kubernetes.cri.container-name")
+
+    print("allow_sandbox_container_name: true")
+}
+
+allow_container_name(p_oci, i_oci) {
+    print("allow_container_name: start")
+
+    allow_container_annotation(p_oci, i_oci, "io.kubernetes.cri.container-name")
+
+    print("allow_container_name: true")
+}
+
+container_annotation_missing(p_oci, i_oci, key) {
+    print("container_annotation_missing:", key)
+
+    not p_oci.Annotations[key]
+    not i_oci.Annotations[key]
+
+    print("container_annotation_missing: true")
+}
+
+allow_container_annotation(p_oci, i_oci, key) {
+    print("allow_container_annotation: key =", key)
+
+    p_value := p_oci.Annotations[key]
+    i_value := i_oci.Annotations[key]
+    print("allow_container_annotation: p_value =", p_value, "i_value =", i_value)
+
+    p_value == i_value
+
+    print("allow_container_annotation: true")
+}
+
+# "nerdctl/network-namespace" annotation
+allow_sandbox_net_namespace(p_oci, i_oci) {
+    print("allow_sandbox_net_namespace: start")
+
+    key := "nerdctl/network-namespace"
+
+    p_namespace := p_oci.Annotations[key]
+    i_namespace := i_oci.Annotations[key]
+    print("allow_sandbox_net_namespace: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+
+    regex.match(p_namespace, i_namespace)
+
+    print("allow_sandbox_net_namespace: true")
+}
+
+allow_net_namespace(p_oci, i_oci) {
+    print("allow_net_namespace: start")
+
+    key := "nerdctl/network-namespace"
+
+    not p_oci.Annotations[key]
+    not i_oci.Annotations[key]
+
+    print("allow_net_namespace: true")
+}
+
+# "io.kubernetes.cri.sandbox-log-directory" annotation
+allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) {
+    print("allow_sandbox_log_directory: start")
+
+    key := "io.kubernetes.cri.sandbox-log-directory"
+
+    p_dir := p_oci.Annotations[key]
+    regex1 := replace(p_dir, "$(sandbox-name)", s_name)
+    regex2 := replace(regex1, "$(sandbox-namespace)", s_namespace)
+    print("allow_sandbox_log_directory: regex2 =", regex2)
+
+    i_dir := i_oci.Annotations[key]
+    print("allow_sandbox_log_directory: i_dir =", i_dir)
+
+    regex.match(regex2, i_dir)
+
+    print("allow_sandbox_log_directory: true")
+}
+
+allow_log_directory(p_oci, i_oci) {
+    print("allow_log_directory: start")
+
+    key := "io.kubernetes.cri.sandbox-log-directory"
+
+    not p_oci.Annotations[key]
+    not i_oci.Annotations[key]
+
+    print("allow_log_directory: true")
+}
+
+allow_linux(p_oci, i_oci) {
+    p_namespaces := p_oci.Linux.Namespaces
+    print("allow_linux: p namespaces =", p_namespaces)
+
+    i_namespaces := i_oci.Linux.Namespaces
+    print("allow_linux: i namespaces =", i_namespaces)
+
+    p_namespaces == i_namespaces
+
+    allow_masked_paths(p_oci, i_oci)
+    allow_readonly_paths(p_oci, i_oci)
+
+    print("allow_linux: true")
+}
+
+allow_masked_paths(p_oci, i_oci) {
+    p_paths := p_oci.Linux.MaskedPaths
+    print("allow_masked_paths 1: p_paths =", p_paths)
+
+    i_paths := i_oci.Linux.MaskedPaths
+    print("allow_masked_paths 1: i_paths =", i_paths)
+
+    allow_masked_paths_array(p_paths, i_paths)
+
+    print("allow_masked_paths 1: true")
+}
+allow_masked_paths(p_oci, i_oci) {
+    print("allow_masked_paths 2: start")
+
+    not p_oci.Linux.MaskedPaths
+    not i_oci.Linux.MaskedPaths
+
+    print("allow_masked_paths 2: true")
+}
+
+# All the policy masked paths must be masked in the input data too.
+# Input is allowed to have more masked paths than the policy.
+allow_masked_paths_array(p_array, i_array) {
+    every p_elem in p_array {
+        allow_masked_path(p_elem, i_array)
+    }
+}
+
+allow_masked_path(p_elem, i_array) {
+    print("allow_masked_path: p_elem =", p_elem)
+
+    some i_elem in i_array
+    p_elem == i_elem
+
+    print("allow_masked_path: true")
+}
+
+allow_readonly_paths(p_oci, i_oci) {
+    p_paths := p_oci.Linux.ReadonlyPaths
+    print("allow_readonly_paths 1: p_paths =", p_paths)
+
+    i_paths := i_oci.Linux.ReadonlyPaths
+    print("allow_readonly_paths 1: i_paths =", i_paths)
+
+    allow_readonly_paths_array(p_paths, i_paths, i_oci.Linux.MaskedPaths)
+
+    print("allow_readonly_paths 1: true")
+}
+allow_readonly_paths(p_oci, i_oci) {
+    print("allow_readonly_paths 2: start")
+
+    not p_oci.Linux.ReadonlyPaths
+    not i_oci.Linux.ReadonlyPaths
+
+    print("allow_readonly_paths 2: true")
+}
+
+# All the policy readonly paths must be either:
+# - Present in the input readonly paths, or
+# - Present in the input masked paths.
+# Input is allowed to have more readonly paths than the policy.
+allow_readonly_paths_array(p_array, i_array, masked_paths) {
+    every p_elem in p_array {
+        allow_readonly_path(p_elem, i_array, masked_paths)
+    }
+}
+
+allow_readonly_path(p_elem, i_array, masked_paths) {
+    print("allow_readonly_path 1: p_elem =", p_elem)
+
+    some i_elem in i_array
+    p_elem == i_elem
+
+    print("allow_readonly_path 1: true")
+}
+allow_readonly_path(p_elem, i_array, masked_paths) {
+    print("allow_readonly_path 2: p_elem =", p_elem)
+
+    some i_masked in masked_paths
+    p_elem == i_masked
+
+    print("allow_readonly_path 2: true")
+}
+
+# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path"
+# and io.kubernetes.cri.sandbox-id" values with other fields.
+allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
+    print("allow_by_bundle_or_sandbox_id: start")
+
+    bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
+    bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
+
+    bundle_id_format := concat("", ["^", BUNDLE_ID, "$"])
+    # regex.match(bundle_id_format, bundle_id)
+
+    key := "io.kubernetes.cri.sandbox-id"
+
+    p_regex := p_oci.Annotations[key]
+    sandbox_id := i_oci.Annotations[key]
+
+    print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex)
+    regex.match(p_regex, sandbox_id)
+
+    allow_root_path(p_oci, i_oci, bundle_id)
+
+    every i_mount in i_oci.Mounts {
+        allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
+    }
+
+    allow_storages(p_storages, i_storages, bundle_id, sandbox_id)
+
+    print("allow_by_bundle_or_sandbox_id: true")
+}
+
+allow_process_common(p_process, i_process, s_name, s_namespace) {
+    print("allow_process_common: p_process =", p_process)
+    print("allow_process_common: i_process = ", i_process)
+    print("allow_process_common: s_name =", s_name)
+
+    p_process.Cwd == i_process.Cwd
+    p_process.NoNewPrivileges == i_process.NoNewPrivileges
+
+    allow_user(p_process, i_process)
+    allow_env(p_process, i_process, s_name, s_namespace)
+
+    print("allow_process_common: true")
+}
+
+# Compare the OCI Process field of a policy container with the input OCI Process from a CreateContainerRequest
+allow_process(p_process, i_process, s_name, s_namespace) {
+    print("allow_process: start")
+
+    allow_args(p_process, i_process, s_name)
+    allow_process_common(p_process, i_process, s_name, s_namespace)
+    allow_caps(p_process.Capabilities, i_process.Capabilities)
+    p_process.Terminal == i_process.Terminal
+
+    print("allow_process: true")
+}
+
+# Compare the OCI Process field of a policy container with the input process field from ExecProcessRequest
+allow_interactive_process(p_process, i_process, s_name, s_namespace) {
+    print("allow_interactive_process: start")
+
+    allow_process_common(p_process, i_process, s_name, s_namespace)
+    allow_exec_caps(i_process.Capabilities)
+
+    # These are commands enabled using ExecProcessRequest commands and/or regex from the settings file.
+    # They can be executed interactively so allow them to use any value for i_process.Terminal.
+
+    print("allow_interactive_process: true")
+}
+
+# Compare the OCI Process field of a policy container with the input process field from ExecProcessRequest
+allow_probe_process(p_process, i_process, s_name, s_namespace) {
+    print("allow_probe_process: start")
+
+    allow_process_common(p_process, i_process, s_name, s_namespace)
+    allow_exec_caps(i_process.Capabilities)
+    p_process.Terminal == i_process.Terminal
+
+    print("allow_probe_process: true")
+}
+
+allow_user(p_process, i_process) {
+    p_user := p_process.User
+    i_user := i_process.User
+
+    print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
+    p_user.UID == i_user.UID
+
+    # TODO: track down the reason for registry.k8s.io/pause:3.9 being
+    #       executed with gid = 0 despite having "65535:65535" in its container image
+    #       config.
+    #print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID)
+    #p_user.GID == i_user.GID
+
+    # TODO: compare the additionalGids field too after computing its value
+    # based on /etc/passwd and /etc/group from the container image.
+}
+
+allow_args(p_process, i_process, s_name) {
+    print("allow_args 1: no args")
+
+    not p_process.Args
+    not i_process.Args
+
+    print("allow_args 1: true")
+}
+allow_args(p_process, i_process, s_name) {
+    print("allow_args 2: policy args =", p_process.Args)
+    print("allow_args 2: input args =", i_process.Args)
+
+    count(p_process.Args) == count(i_process.Args)
+
+    every i, i_arg in i_process.Args {
+        allow_arg(i, i_arg, p_process, s_name)
+    }
+    print("allow_args 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+    p_arg := p_process.Args[i]
+    print("allow_arg 1: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+    p_arg2 := replace(p_arg, "$$", "$")
+    p_arg2 == i_arg
+
+    print("allow_arg 1: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+    p_arg := p_process.Args[i]
+    print("allow_arg 2: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+    # TODO: can $(node-name) be handled better?
+    contains(p_arg, "$(node-name)")
+
+    print("allow_arg 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+    p_arg := p_process.Args[i]
+    print("allow_arg 3: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+    p_arg2 := replace(p_arg, "$$", "$")
+    p_arg3 := replace(p_arg2, "$(sandbox-name)", s_name)
+    print("allow_arg 3: p_arg3 =", p_arg3)
+    p_arg3 == i_arg
+
+    print("allow_arg 3: true")
+}
+
+# OCI process.Env field
+allow_env(p_process, i_process, s_name, s_namespace) {
+    print("allow_env: p env =", p_process.Env)
+    print("allow_env: i env =", i_process.Env)
+
+    every i_var in i_process.Env {
+        print("allow_env: i_var =", i_var)
+        allow_var(p_process, i_process, i_var, s_name, s_namespace)
+    }
+
+    print("allow_env: true")
+}
+
+# Allow input env variables that are present in the policy data too.
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    some p_var in p_process.Env
+    p_var == i_var
+    print("allow_var 1: true")
+}
+
+# Match input with one of the policy variables, after substituting $(sandbox-name).
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    some p_var in p_process.Env
+    p_var2 := replace(p_var, "$(sandbox-name)", s_name)
+
+    print("allow_var 2: p_var2 =", p_var2)
+    p_var2 == i_var
+
+    print("allow_var 2: true")
+}
+
+# Allow input env variables that match with a request_defaults regex.
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex
+    p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a)
+    p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p)
+    p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name)
+    p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label)
+
+    print("allow_var 3: p_regex5 =", p_regex5)
+    regex.match(p_regex5, i_var)
+
+    print("allow_var 3: true")
+}
+
+# Allow fieldRef "fieldPath: status.podIP" values.
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    name_value := split(i_var, "=")
+    count(name_value) == 2
+    is_ip(name_value[1])
+
+    some p_var in p_process.Env
+    allow_pod_ip_var(name_value[0], p_var)
+
+    print("allow_var 4: true")
+}
+
+# Allow common fieldRef variables.
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    name_value := split(i_var, "=")
+    count(name_value) == 2
+
+    some p_var in p_process.Env
+    p_name_value := split(p_var, "=")
+    count(p_name_value) == 2
+
+    p_name_value[0] == name_value[0]
+
+    # TODO: should these be handled in a different way?
+    some allowed in ALLOWED_SUBDOMAIN_NAMES
+    contains(p_name_value[1], allowed)
+
+    print("allow_var 5: true")
+}
+
+# Allow fieldRef "fieldPath: status.hostIP" values.
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    name_value := split(i_var, "=")
+    count(name_value) == 2
+    is_ip(name_value[1])
+
+    some p_var in p_process.Env
+    allow_host_ip_var(name_value[0], p_var)
+
+    print("allow_var 6: true")
+}
+
+# Allow resourceFieldRef values (e.g., "limits.cpu").
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    name_value := split(i_var, "=")
+    count(name_value) == 2
+
+    some p_var in p_process.Env
+    p_name_value := split(p_var, "=")
+    count(p_name_value) == 2
+
+    p_name_value[0] == name_value[0]
+
+    # TODO: should these be handled in a different way?
+    some allowed in ALWAYS_ALLOWED
+    contains(p_name_value[1], allowed)
+
+    print("allow_var 7: true")
+}
+
+# Match input with one of the policy variables, after substituting $(sandbox-namespace).
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    some p_var in p_process.Env
+    p_var2 := replace(p_var, "$(sandbox-namespace)", s_namespace)
+
+    print("allow_var 8: p_var2 =", p_var2)
+    p_var2 == i_var
+
+    print("allow_var 8: true")
+}
+
+allow_pod_ip_var(var_name, p_var) {
+    print("allow_pod_ip_var: var_name =", var_name, "p_var =", p_var)
+
+    p_name_value := split(p_var, "=")
+    count(p_name_value) == 2
+
+    p_name_value[0] == var_name
+    p_name_value[1] == "$(pod-ip)"
+
+    print("allow_pod_ip_var: true")
+}
+
+allow_host_ip_var(var_name, p_var) {
+    print("allow_host_ip_var: var_name =", var_name, "p_var =", p_var)
+
+    p_name_value := split(p_var, "=")
+    count(p_name_value) == 2
+
+    p_name_value[0] == var_name
+    p_name_value[1] == "$(host-ip)"
+
+    print("allow_host_ip_var: true")
+}
+
+is_ip(value) {
+    bytes = split(value, ".")
+    count(bytes) == 4
+
+    is_ip_first_byte(bytes[0])
+    is_ip_other_byte(bytes[1])
+    is_ip_other_byte(bytes[2])
+    is_ip_other_byte(bytes[3])
+}
+is_ip_first_byte(component) {
+    number = to_number(component)
+    number >= 1
+    number <= 255
+}
+is_ip_other_byte(component) {
+    number = to_number(component)
+    number >= 0
+    number <= 255
+}
+
+# OCI root.Path
+allow_root_path(p_oci, i_oci, bundle_id) {
+    i_path := i_oci.Root.Path
+    p_path1 := p_oci.Root.Path
+    print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1)
+
+    p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath)
+    print("allow_root_path: p_path2 =", p_path2)
+
+    p_path3 := replace(p_path2, "$(bundle-id)", bundle_id)
+    print("allow_root_path: p_path3 =", p_path3)
+
+    p_path3 == i_path
+
+    print("allow_root_path: true")
+}
+
+# device mounts
+allow_mount(p_oci, i_mount, bundle_id, sandbox_id) {
+    print("allow_mount: i_mount =", i_mount)
+
+    some p_mount in p_oci.Mounts
+    print("allow_mount: p_mount =", p_mount)
+    check_mount(p_mount, i_mount, bundle_id, sandbox_id)
+
+    # TODO: are there any other required policy checks for mounts - e.g.,
+    #       multiple mounts with same source or destination?
+
+    print("allow_mount: true")
+}
+
+check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
+    p_mount == i_mount
+    print("check_mount 1: true")
+}
+check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
+    p_mount.destination == i_mount.destination
+    p_mount.type_ == i_mount.type_
+    p_mount.options == i_mount.options
+
+    mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id)
+
+    print("check_mount 2: true")
+}
+
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+    regex1 := p_mount.source
+    regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+    regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+    regex4 := replace(regex3, "$(bundle-id)", bundle_id)
+
+    print("mount_source_allows 1: regex4 =", regex4)
+    regex.match(regex4, i_mount.source)
+
+    print("mount_source_allows 1: true")
+}
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+    regex1 := p_mount.source
+    regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+    regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+    regex4 := replace(regex3, "$(sandbox-id)", sandbox_id)
+
+    print("mount_source_allows 2: regex4 =", regex4)
+    regex.match(regex4, i_mount.source)
+
+    print("mount_source_allows 2: true")
+}
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+    print("mount_source_allows 3: i_mount.source=", i_mount.source)
+
+    i_source_parts = split(i_mount.source, "/")
+    b64_direct_vol_path = i_source_parts[count(i_source_parts) - 1]
+
+    base64.is_valid(b64_direct_vol_path)
+
+    source1 := p_mount.source
+    print("mount_source_allows 3: source1 =", source1)
+
+    source2 := replace(source1, "$(spath)", policy_data.common.spath)
+    print("mount_source_allows 3: source2 =", source2)
+
+    source3 := replace(source2, "$(b64-direct-vol-path)", b64_direct_vol_path)
+    print("mount_source_allows 3: source3 =", source3)
+
+    source3 == i_mount.source
+
+    print("mount_source_allows 3: true")
+}
+
+######################################################################
+# Create container Storages
+
+allow_storages(p_storages, i_storages, bundle_id, sandbox_id) {
+    p_count := count(p_storages)
+    i_count := count(i_storages)
+    print("allow_storages: p_count =", p_count, "i_count =", i_count)
+
+    p_count == i_count
+
+    # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage.
+    some overlay_storage in p_storages
+    overlay_storage.driver == "overlayfs"
+    print("allow_storages: overlay_storage =", overlay_storage)
+    count(overlay_storage.options) == 2
+
+    layer_ids := split(overlay_storage.options[0], ":")
+    print("allow_storages: layer_ids =", layer_ids)
+
+    root_hashes := split(overlay_storage.options[1], ":")
+    print("allow_storages: root_hashes =", root_hashes)
+
+    every i_storage in i_storages {
+        allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes)
+    }
+
+    print("allow_storages: true")
+}
+
+allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) {
+    some p_storage in p_storages
+
+    print("allow_storage: p_storage =", p_storage)
+    print("allow_storage: i_storage =", i_storage)
+
+    p_storage.driver           == i_storage.driver
+    p_storage.driver_options   == i_storage.driver_options
+    p_storage.fs_group         == i_storage.fs_group
+
+    allow_storage_options(p_storage, i_storage, layer_ids, root_hashes)
+    allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids)
+
+    # TODO: validate the source field too.
+
+    print("allow_storage: true")
+}
+
+allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+    print("allow_storage_options 1: start")
+
+    p_storage.driver != "overlayfs"
+    p_storage.options == i_storage.options
+
+    print("allow_storage_options 1: true")
+}
+allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+    print("allow_storage_options 2: start")
+
+    p_storage.driver == "overlayfs"
+    count(p_storage.options) == 2
+
+    policy_ids := split(p_storage.options[0], ":")
+    print("allow_storage_options 2: policy_ids =", policy_ids)
+    policy_ids == layer_ids
+
+    policy_hashes := split(p_storage.options[1], ":")
+    print("allow_storage_options 2: policy_hashes =", policy_hashes)
+
+    p_count := count(policy_ids)
+    print("allow_storage_options 2: p_count =", p_count)
+    p_count >= 1
+    p_count == count(policy_hashes)
+
+    i_count := count(i_storage.options)
+    print("allow_storage_options 2: i_count =", i_count)
+    i_count == p_count + 3
+
+    print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0])
+    i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers"
+
+    print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2])
+    i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw"
+
+    lowerdir := concat("=", ["lowerdir", p_storage.options[0]])
+    print("allow_storage_options 2: lowerdir =", lowerdir)
+
+    print("allow_storage_options 2: i_storage.options[i_count - 1] =", i_storage.options[i_count - 1])
+    i_storage.options[i_count - 1] == lowerdir
+
+    every i, policy_id in policy_ids {
+        allow_overlay_layer(policy_id, policy_hashes[i], i_storage.options[i + 1])
+    }
+
+    print("allow_storage_options 2: true")
+}
+allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+    print("allow_storage_options 3: start")
+
+    p_storage.driver == "blk"
+    count(p_storage.options) == 1
+
+    startswith(p_storage.options[0], "$(hash")
+    hash_suffix := trim_left(p_storage.options[0], "$(hash")
+
+    endswith(hash_suffix, ")")
+    hash_index := trim_right(hash_suffix, ")")
+    i := to_number(hash_index)
+    print("allow_storage_options 3: i =", i)
+
+    hash_option := concat("=", ["io.katacontainers.fs-opt.root-hash", root_hashes[i]])
+    print("allow_storage_options 3: hash_option =", hash_option)
+
+    count(i_storage.options) == 4
+    i_storage.options[0] == "ro"
+    i_storage.options[1] == "io.katacontainers.fs-opt.block_device=file"
+    i_storage.options[2] == "io.katacontainers.fs-opt.is-layer"
+    i_storage.options[3] == hash_option
+
+    print("allow_storage_options 3: true")
+}
+allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+    print("allow_storage_options 4: start")
+
+    p_storage.driver == "smb"
+    p_opts_count := count(p_storage.options)
+    i_opts_count := count(i_storage.options)
+    i_opts_count == p_opts_count + 2
+
+    i_opt_matches := [i | i := idx; idx < p_opts_count; p_storage.options[idx] == i_storage.options[idx]]
+    count(i_opt_matches) == p_opts_count
+
+    startswith(i_storage.options[i_opts_count-2], "addr=")
+    creds = split(i_storage.options[i_opts_count-1], ",")
+    count(creds) == 2
+    startswith(creds[0], "username=")
+    startswith(creds[1], "password=")
+    
+    print("allow_storage_options 4: true")
+}
+
+allow_overlay_layer(policy_id, policy_hash, i_option) {
+    print("allow_overlay_layer: policy_id =", policy_id, "policy_hash =", policy_hash)
+    print("allow_overlay_layer: i_option =", i_option)
+
+    startswith(i_option, "io.katacontainers.fs-opt.layer=")
+    i_value := replace(i_option, "io.katacontainers.fs-opt.layer=", "")
+    i_value_decoded := base64.decode(i_value)
+    print("allow_overlay_layer: i_value_decoded =", i_value_decoded)
+
+    policy_suffix := concat("=", ["tar,ro,io.katacontainers.fs-opt.block_device=file,io.katacontainers.fs-opt.is-layer,io.katacontainers.fs-opt.root-hash", policy_hash])
+    p_value := concat(",", [policy_id, policy_suffix])
+    print("allow_overlay_layer: p_value =", p_value)
+
+    p_value == i_value_decoded
+
+    print("allow_overlay_layer: true")
+}
+
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+    p_storage.fstype == "tar"
+
+    startswith(p_storage.mount_point, "$(layer")
+    mount_suffix := trim_left(p_storage.mount_point, "$(layer")
+
+    endswith(mount_suffix, ")")
+    layer_index := trim_right(mount_suffix, ")")
+    i := to_number(layer_index)
+    print("allow_mount_point 1: i =", i)
+
+    layer_id := layer_ids[i]
+    print("allow_mount_point 1: layer_id =", layer_id)
+
+    p_mount := concat("/", ["/run/kata-containers/sandbox/layers", layer_id])
+    print("allow_mount_point 1: p_mount =", p_mount)
+
+    p_mount == i_storage.mount_point
+
+    print("allow_mount_point 1: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+    p_storage.fstype == "fuse3.kata-overlay"
+
+    mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath)
+    mount2 := replace(mount1, "$(bundle-id)", bundle_id)
+    print("allow_mount_point 2: mount2 =", mount2)
+
+    mount2 == i_storage.mount_point
+
+    print("allow_mount_point 2: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+    p_storage.fstype == "local"
+
+    mount1 := p_storage.mount_point
+    print("allow_mount_point 3: mount1 =", mount1)
+
+    mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath)
+    print("allow_mount_point 3: mount2 =", mount2)
+
+    mount3 := replace(mount2, "$(sandbox-id)", sandbox_id)
+    print("allow_mount_point 3: mount3 =", mount3)
+
+    regex.match(mount3, i_storage.mount_point)
+
+    print("allow_mount_point 3: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+    p_storage.fstype == "bind"
+
+    mount1 := p_storage.mount_point
+    print("allow_mount_point 4: mount1 =", mount1)
+
+    mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath)
+    print("allow_mount_point 4: mount2 =", mount2)
+
+    mount3 := replace(mount2, "$(bundle-id)", bundle_id)
+    print("allow_mount_point 4: mount3 =", mount3)
+
+    regex.match(mount3, i_storage.mount_point)
+
+    print("allow_mount_point 4: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+    p_storage.fstype == "tmpfs"
+
+    mount1 := p_storage.mount_point
+    print("allow_mount_point 5: mount1 =", mount1)
+
+    regex.match(mount1, i_storage.mount_point)
+
+    print("allow_mount_point 5: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+    print("allow_mount_point 6: i_storage.mount_point =", i_storage.mount_point)
+    allow_direct_vol_driver(p_storage, i_storage)
+
+    mount1 := p_storage.mount_point
+    print("allow_mount_point 6: mount1 =", mount1)
+
+    mount2 := replace(mount1, "$(spath)", policy_data.common.spath)
+    print("allow_mount_point 6: mount2 =", mount2)
+
+    direct_vol_path := i_storage.source
+    mount3 := replace(mount2, "$(b64-direct-vol-path)", base64url.encode(direct_vol_path))
+    print("allow_mount_point 6: mount3 =", mount3)
+
+    mount3 == i_storage.mount_point
+
+    print("allow_mount_point 6: true")
+}
+
+allow_direct_vol_driver(p_storage, i_storage) {
+    print("allow_direct_vol_driver 1: start")
+    p_storage.driver == "blk"
+    print("allow_direct_vol_driver 1: true")
+}
+allow_direct_vol_driver(p_storage, i_storage) {
+    print("allow_direct_vol_driver 2: start")
+    p_storage.driver == "smb"
+    print("allow_direct_vol_driver 2: true")
+}
+
+# ExecProcessRequest.process.Capabilities
+allow_exec_caps(i_caps) {
+    not i_caps.Ambient
+    not i_caps.Bounding
+    not i_caps.Effective
+    not i_caps.Inheritable
+    not i_caps.Permitted
+}
+
+# OCI.Process.Capabilities
+allow_caps(p_caps, i_caps) {
+    print("allow_caps: policy Ambient =", p_caps.Ambient)
+    print("allow_caps: input Ambient =", i_caps.Ambient)
+    match_caps(p_caps.Ambient, i_caps.Ambient)
+
+    print("allow_caps: policy Bounding =", p_caps.Bounding)
+    print("allow_caps: input Bounding =", i_caps.Bounding)
+    match_caps(p_caps.Bounding, i_caps.Bounding)
+
+    print("allow_caps: policy Effective =", p_caps.Effective)
+    print("allow_caps: input Effective =", i_caps.Effective)
+    match_caps(p_caps.Effective, i_caps.Effective)
+
+    print("allow_caps: policy Inheritable =", p_caps.Inheritable)
+    print("allow_caps: input Inheritable =", i_caps.Inheritable)
+    match_caps(p_caps.Inheritable, i_caps.Inheritable)
+
+    print("allow_caps: policy Permitted =", p_caps.Permitted)
+    print("allow_caps: input Permitted =", i_caps.Permitted)
+    match_caps(p_caps.Permitted, i_caps.Permitted)
+}
+
+match_caps(p_caps, i_caps) {
+    print("match_caps 1: start")
+
+    p_caps == i_caps
+
+    print("match_caps 1: true")
+}
+match_caps(p_caps, i_caps) {
+    print("match_caps 2: start")
+
+    count(p_caps) == 1
+    p_caps[0] == "$(default_caps)"
+
+    print("match_caps 2: default_caps =", policy_data.common.default_caps)
+    policy_data.common.default_caps == i_caps
+
+    print("match_caps 2: true")
+}
+match_caps(p_caps, i_caps) {
+    print("match_caps 3: start")
+
+    count(p_caps) == 1
+    p_caps[0] == "$(privileged_caps)"
+
+    print("match_caps 3: privileged_caps =", policy_data.common.privileged_caps)
+    policy_data.common.privileged_caps == i_caps
+
+    print("match_caps 3: true")
+}
+
+######################################################################
+check_directory_traversal(i_path) {
+    contains(i_path, "../") == false
+    endswith(i_path, "/..") == false
+}
+
+check_symlink_source(i_src) {
+    i_src == ""
+    print("check_symlink_source 1: true")
+}
+check_symlink_source(i_src) {
+    i_src != ""
+    print("check_symlink_source 2: i_src =", i_src)
+
+    regex.match(policy_data.common.s_source1, i_src)
+
+    print("check_symlink_source 2: true")
+}
+check_symlink_source(i_src) {
+    i_src != ""
+    print("check_symlink_source 3: i_src =", i_src)
+
+    regex.match(policy_data.common.s_source2, i_src)
+    check_directory_traversal(i_src)
+
+    print("check_symlink_source 3: true")
+}
+
+allow_sandbox_storages(i_storages) {
+    print("allow_sandbox_storages: i_storages =", i_storages)
+
+    p_storages := policy_data.sandbox.storages
+    every i_storage in i_storages {
+        allow_sandbox_storage(p_storages, i_storage)
+    }
+
+    print("allow_sandbox_storages: true")
+}
+
+allow_sandbox_storage(p_storages, i_storage) {
+    print("allow_sandbox_storage: i_storage =", i_storage)
+
+    some p_storage in p_storages
+    print("allow_sandbox_storage: p_storage =", p_storage)
+    i_storage == p_storage
+
+    print("allow_sandbox_storage: true")
+}
+
+CopyFileRequest {
+    print("CopyFileRequest: input.path =", input.path)
+
+    check_symlink_source(input.symlink_src)
+    check_directory_traversal(input.path)
+
+    some regex1 in policy_data.request_defaults.CopyFileRequest
+    regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+    regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+    regex4 := replace(regex3, "$(bundle-id)", BUNDLE_ID)
+    print("CopyFileRequest: regex4 =", regex4)
+
+    regex.match(regex4, input.path)
+
+    print("CopyFileRequest: true")
+}
+
+CreateSandboxRequest {
+    print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path)
+    count(input.guest_hook_path) == 0
+
+    print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules)
+    count(input.kernel_modules) == 0
+
+    i_pidns := input.sandbox_pidns
+    print("CreateSandboxRequest: i_pidns =", i_pidns)
+    i_pidns == false
+
+    allow_sandbox_storages(input.storages)
+}
+
+allow_exec(p_container, i_process) {
+    print("allow_exec: start")
+
+    p_oci = p_container.OCI
+    p_s_name = p_oci.Annotations[S_NAME_KEY]
+    s_namespace = get_state_val("namespace")
+    allow_probe_process(p_oci.Process, i_process, p_s_name, s_namespace)
+
+    print("allow_exec: true")
+}
+
+allow_interactive_exec(p_container, i_process) {
+    print("allow_interactive_exec: start")
+
+    p_oci = p_container.OCI
+    p_s_name = p_oci.Annotations[S_NAME_KEY]
+    s_namespace = get_state_val("namespace")
+    allow_interactive_process(p_oci.Process, i_process, p_s_name, s_namespace)
+
+    print("allow_interactive_exec: true")
+}
+
+# TODO: should other ExecProcessRequest input data fields be validated as well?
+ExecProcessRequest {
+    print("ExecProcessRequest 1: input =", input)
+
+    i_command = concat(" ", input.process.Args)
+    print("ExecProcessRequest 1: i_command =", i_command)
+
+    some p_command in policy_data.request_defaults.ExecProcessRequest.commands
+    print("ExecProcessRequest 1: p_command =", p_command)
+    p_command == i_command
+
+    # TODO: match p_container's ID with the input container_id.
+    some p_container in policy_data.containers
+    allow_interactive_exec(p_container, input.process)
+
+    print("ExecProcessRequest 1: true")
+}
+ExecProcessRequest {
+    print("ExecProcessRequest 2: input =", input)
+
+    # TODO: match input container ID with its corresponding container.exec_commands.
+    i_command = concat(" ", input.process.Args)
+    print("ExecProcessRequest 2: i_command =", i_command)
+
+    # TODO: match p_container's ID with the input container_id.
+    some p_container in policy_data.containers
+    some p_command in p_container.exec_commands
+    print("ExecProcessRequest 2: p_command =", p_command)
+    p_command == i_command
+
+    allow_exec(p_container, input.process)
+
+    print("ExecProcessRequest 2: true")
+}
+ExecProcessRequest {
+    print("ExecProcessRequest 3: input =", input)
+
+    i_command = concat(" ", input.process.Args)
+    print("ExecProcessRequest 3: i_command =", i_command)
+
+    some p_regex in policy_data.request_defaults.ExecProcessRequest.regex
+    print("ExecProcessRequest 3: p_regex =", p_regex)
+
+    regex.match(p_regex, i_command)
+
+    # TODO: match p_container's ID with the input container_id.
+    some p_container in policy_data.containers
+    allow_interactive_exec(p_container, input.process)
+
+    print("ExecProcessRequest 3: true")
+}
+
+CloseStdinRequest {
+    policy_data.request_defaults.CloseStdinRequest == true
+}
+
+ReadStreamRequest {
+    policy_data.request_defaults.ReadStreamRequest == true
+}
+
+UpdateEphemeralMountsRequest {
+    policy_data.request_defaults.UpdateEphemeralMountsRequest == true
+}
+
+WriteStreamRequest {
+    policy_data.request_defaults.WriteStreamRequest == true
+}
+policy_data := {
+  "containers": [
+    {
+      "OCI": {
+        "Version": "1.1.0-rc.1",
+        "Process": {
+          "Terminal": false,
+          "User": {
+            "UID": 65535,
+            "GID": 65535,
+            "AdditionalGids": [],
+            "Username": ""
+          },
+          "Args": [
+            "/pause"
+          ],
+          "Env": [
+            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          ],
+          "Cwd": "/",
+          "Capabilities": {
+            "Ambient": [],
+            "Bounding": [
+              "$(default_caps)"
+            ],
+            "Effective": [
+              "$(default_caps)"
+            ],
+            "Inheritable": [],
+            "Permitted": [
+              "$(default_caps)"
+            ]
+          },
+          "NoNewPrivileges": true
+        },
+        "Root": {
+          "Path": "$(cpath)/$(bundle-id)",
+          "Readonly": true
+        },
+        "Mounts": [
+          {
+            "destination": "/proc",
+            "source": "proc",
+            "type_": "proc",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev"
+            ]
+          },
+          {
+            "destination": "/dev",
+            "source": "tmpfs",
+            "type_": "tmpfs",
+            "options": [
+              "nosuid",
+              "strictatime",
+              "mode=755",
+              "size=65536k"
+            ]
+          },
+          {
+            "destination": "/dev/pts",
+            "source": "devpts",
+            "type_": "devpts",
+            "options": [
+              "nosuid",
+              "noexec",
+              "newinstance",
+              "ptmxmode=0666",
+              "mode=0620",
+              "gid=5"
+            ]
+          },
+          {
+            "destination": "/dev/shm",
+            "source": "/run/kata-containers/sandbox/shm",
+            "type_": "bind",
+            "options": [
+              "rbind"
+            ]
+          },
+          {
+            "destination": "/dev/mqueue",
+            "source": "mqueue",
+            "type_": "mqueue",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev"
+            ]
+          },
+          {
+            "destination": "/sys",
+            "source": "sysfs",
+            "type_": "sysfs",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev",
+              "ro"
+            ]
+          },
+          {
+            "destination": "/etc/resolv.conf",
+            "source": "$(sfprefix)resolv.conf$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "ro",
+              "nosuid",
+              "nodev",
+              "noexec"
+            ]
+          }
+        ],
+        "Annotations": {
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)",
+          "io.katacontainers.pkg.oci.container_type": "pod_sandbox",
+          "io.kubernetes.cri.container-type": "sandbox",
+          "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$",
+          "io.kubernetes.cri.sandbox-log-directory": "^/var/log/pods/$(sandbox-namespace)_$(sandbox-name)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
+          "io.kubernetes.cri.sandbox-name": "exec-test",
+          "io.kubernetes.cri.sandbox-namespace": "",
+          "nerdctl/network-namespace": "^/var/run/netns/cni-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
+        },
+        "Linux": {
+          "Namespaces": [
+            {
+              "Type": "ipc",
+              "Path": ""
+            },
+            {
+              "Type": "uts",
+              "Path": ""
+            },
+            {
+              "Type": "mount",
+              "Path": ""
+            }
+          ],
+          "MaskedPaths": [
+            "/proc/acpi",
+            "/proc/asound",
+            "/proc/kcore",
+            "/proc/keys",
+            "/proc/latency_stats",
+            "/proc/timer_list",
+            "/proc/timer_stats",
+            "/proc/sched_debug",
+            "/sys/firmware",
+            "/proc/scsi"
+          ],
+          "ReadonlyPaths": [
+            "/proc/bus",
+            "/proc/fs",
+            "/proc/irq",
+            "/proc/sys",
+            "/proc/sysrq-trigger"
+          ]
+        }
+      },
+      "storages": [
+        {
+          "driver": "blk",
+          "driver_options": [],
+          "source": "",
+          "fstype": "tar",
+          "options": [
+            "$(hash0)"
+          ],
+          "mount_point": "$(layer0)",
+          "fs_group": null
+        },
+        {
+          "driver": "overlayfs",
+          "driver_options": [],
+          "source": "",
+          "fstype": "fuse3.kata-overlay",
+          "options": [
+            "5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d",
+            "817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18"
+          ],
+          "mount_point": "$(cpath)/$(bundle-id)",
+          "fs_group": null
+        }
+      ],
+      "sandbox_pidns": false,
+      "exec_commands": [],
+      "tokenized_args": [
+        [
+          "/pause"
+        ]
+      ],
+      "env_map": {
+        "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+      }
+    },
+    {
+      "OCI": {
+        "Version": "1.1.0-rc.1",
+        "Process": {
+          "Terminal": false,
+          "User": {
+            "UID": 0,
+            "GID": 0,
+            "AdditionalGids": [],
+            "Username": ""
+          },
+          "Args": [
+            "/bin/sh",
+            "-c",
+            "while true; do echo Kubernetes; echo $(node-name); sleep 10; done"
+          ],
+          "Env": [
+            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+            "HOSTNAME=$(host-name)",
+            "POD_NAME=$(sandbox-name)",
+            "POD_NAMESPACE=$(sandbox-namespace)",
+            "POD_IP=$(pod-ip)",
+            "SERVICE_ACCOUNT=default",
+            "PROXY_CONFIG={}\n",
+            "ISTIO_META_POD_PORTS=[\n]",
+            "ISTIO_META_APP_CONTAINERS=serviceaclient",
+            "ISTIO_META_CLUSTER_ID=Kubernetes",
+            "ISTIO_META_NODE_NAME=$(node-name)"
+          ],
+          "Cwd": "/",
+          "Capabilities": {
+            "Ambient": [],
+            "Bounding": [
+              "$(privileged_caps)"
+            ],
+            "Effective": [
+              "$(privileged_caps)"
+            ],
+            "Inheritable": [],
+            "Permitted": [
+              "$(privileged_caps)"
+            ]
+          },
+          "NoNewPrivileges": false
+        },
+        "Root": {
+          "Path": "$(cpath)/$(bundle-id)",
+          "Readonly": false
+        },
+        "Mounts": [
+          {
+            "destination": "/proc",
+            "source": "proc",
+            "type_": "proc",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev"
+            ]
+          },
+          {
+            "destination": "/dev",
+            "source": "tmpfs",
+            "type_": "tmpfs",
+            "options": [
+              "nosuid",
+              "strictatime",
+              "mode=755",
+              "size=65536k"
+            ]
+          },
+          {
+            "destination": "/dev/pts",
+            "source": "devpts",
+            "type_": "devpts",
+            "options": [
+              "nosuid",
+              "noexec",
+              "newinstance",
+              "ptmxmode=0666",
+              "mode=0620",
+              "gid=5"
+            ]
+          },
+          {
+            "destination": "/dev/shm",
+            "source": "/run/kata-containers/sandbox/shm",
+            "type_": "bind",
+            "options": [
+              "rbind"
+            ]
+          },
+          {
+            "destination": "/dev/mqueue",
+            "source": "mqueue",
+            "type_": "mqueue",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev"
+            ]
+          },
+          {
+            "destination": "/sys",
+            "source": "sysfs",
+            "type_": "sysfs",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev",
+              "rw"
+            ]
+          },
+          {
+            "destination": "/sys/fs/cgroup",
+            "source": "cgroup",
+            "type_": "cgroup",
+            "options": [
+              "nosuid",
+              "noexec",
+              "nodev",
+              "relatime",
+              "rw"
+            ]
+          },
+          {
+            "destination": "/etc/hosts",
+            "source": "$(sfprefix)hosts$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "rprivate",
+              "rw"
+            ]
+          },
+          {
+            "destination": "/dev/termination-log",
+            "source": "$(sfprefix)termination-log$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "rprivate",
+              "rw"
+            ]
+          },
+          {
+            "destination": "/etc/hostname",
+            "source": "$(sfprefix)hostname$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "rprivate",
+              "rw"
+            ]
+          },
+          {
+            "destination": "/etc/resolv.conf",
+            "source": "$(sfprefix)resolv.conf$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "rprivate",
+              "rw"
+            ]
+          },
+          {
+            "destination": "/var/run/secrets/kubernetes.io/serviceaccount",
+            "source": "$(sfprefix)serviceaccount$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "rprivate",
+              "ro"
+            ]
+          },
+          {
+            "destination": "/var/run/secrets/azure/tokens",
+            "source": "$(sfprefix)tokens$",
+            "type_": "bind",
+            "options": [
+              "rbind",
+              "rprivate",
+              "ro"
+            ]
+          }
+        ],
+        "Annotations": {
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)",
+          "io.katacontainers.pkg.oci.container_type": "pod_container",
+          "io.kubernetes.cri.container-name": "busybox",
+          "io.kubernetes.cri.container-type": "container",
+          "io.kubernetes.cri.image-name": "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64",
+          "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$",
+          "io.kubernetes.cri.sandbox-name": "exec-test",
+          "io.kubernetes.cri.sandbox-namespace": ""
+        },
+        "Linux": {
+          "Namespaces": [
+            {
+              "Type": "ipc",
+              "Path": ""
+            },
+            {
+              "Type": "uts",
+              "Path": ""
+            },
+            {
+              "Type": "mount",
+              "Path": ""
+            }
+          ],
+          "MaskedPaths": [],
+          "ReadonlyPaths": []
+        }
+      },
+      "storages": [
+        {
+          "driver": "blk",
+          "driver_options": [],
+          "source": "",
+          "fstype": "tar",
+          "options": [
+            "$(hash0)"
+          ],
+          "mount_point": "$(layer0)",
+          "fs_group": null
+        },
+        {
+          "driver": "blk",
+          "driver_options": [],
+          "source": "",
+          "fstype": "tar",
+          "options": [
+            "$(hash1)"
+          ],
+          "mount_point": "$(layer1)",
+          "fs_group": null
+        },
+        {
+          "driver": "overlayfs",
+          "driver_options": [],
+          "source": "",
+          "fstype": "fuse3.kata-overlay",
+          "options": [
+            "2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552",
+            "8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080:b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"
+          ],
+          "mount_point": "$(cpath)/$(bundle-id)",
+          "fs_group": null
+        }
+      ],
+      "sandbox_pidns": false,
+      "exec_commands": [
+        "echo ${ISTIO_META_APP_CONTAINERS}",
+        "echo Ready ${POD_IP}!",
+        "echo ${ISTIO_META_NODE_NAME} startup"
+      ],
+      "tokenized_args": [
+        [
+          "/bin/sh"
+        ],
+        [
+          "-c"
+        ],
+        [
+          "while",
+          "true",
+          "do",
+          "echo",
+          "Kubernetes",
+          "echo",
+          "$(node-name)",
+          "sleep",
+          "10",
+          "done"
+        ]
+      ],
+      "env_map": {
+        "POD_NAME": "$(sandbox-name)",
+        "POD_IP": "$(pod-ip)",
+        "ISTIO_META_CLUSTER_ID": "Kubernetes",
+        "ISTIO_META_NODE_NAME": "$(node-name)",
+        "SERVICE_ACCOUNT": "default",
+        "PROXY_CONFIG": "{}\n",
+        "POD_NAMESPACE": "$(sandbox-namespace)",
+        "ISTIO_META_POD_PORTS": "[\n]",
+        "HOSTNAME": "$(host-name)",
+        "ISTIO_META_APP_CONTAINERS": "serviceaclient",
+        "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+      }
+    }
+  ],
+  "common": {
+    "cpath": "/run/kata-containers/shared/containers",
+    "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-",
+    "spath": "/run/kata-containers/sandbox/storage",
+    "ipv4_a": "((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}",
+    "ip_p": "[0-9]{1,5}",
+    "svc_name": "[A-Z0-9_\\.\\-]+",
+    "dns_label": "[a-zA-Z0-9_\\.\\-]+",
+    "s_source1": "^..2[0-9]{3}_[0-1][0-9]_[0-3][0-9]_[0-2][0-9]_[0-5][0-9]_[0-5][0-9]\\.[0-9]{1,10}$",
+    "s_source2": "^..data/",
+    "default_caps": [
+      "CAP_CHOWN",
+      "CAP_DAC_OVERRIDE",
+      "CAP_FSETID",
+      "CAP_FOWNER",
+      "CAP_MKNOD",
+      "CAP_NET_RAW",
+      "CAP_SETGID",
+      "CAP_SETUID",
+      "CAP_SETFCAP",
+      "CAP_SETPCAP",
+      "CAP_NET_BIND_SERVICE",
+      "CAP_SYS_CHROOT",
+      "CAP_KILL",
+      "CAP_AUDIT_WRITE"
+    ],
+    "privileged_caps": [
+      "CAP_CHOWN",
+      "CAP_DAC_OVERRIDE",
+      "CAP_DAC_READ_SEARCH",
+      "CAP_FOWNER",
+      "CAP_FSETID",
+      "CAP_KILL",
+      "CAP_SETGID",
+      "CAP_SETUID",
+      "CAP_SETPCAP",
+      "CAP_LINUX_IMMUTABLE",
+      "CAP_NET_BIND_SERVICE",
+      "CAP_NET_BROADCAST",
+      "CAP_NET_ADMIN",
+      "CAP_NET_RAW",
+      "CAP_IPC_LOCK",
+      "CAP_IPC_OWNER",
+      "CAP_SYS_MODULE",
+      "CAP_SYS_RAWIO",
+      "CAP_SYS_CHROOT",
+      "CAP_SYS_PTRACE",
+      "CAP_SYS_PACCT",
+      "CAP_SYS_ADMIN",
+      "CAP_SYS_BOOT",
+      "CAP_SYS_NICE",
+      "CAP_SYS_RESOURCE",
+      "CAP_SYS_TIME",
+      "CAP_SYS_TTY_CONFIG",
+      "CAP_MKNOD",
+      "CAP_LEASE",
+      "CAP_AUDIT_WRITE",
+      "CAP_AUDIT_CONTROL",
+      "CAP_SETFCAP",
+      "CAP_MAC_OVERRIDE",
+      "CAP_MAC_ADMIN",
+      "CAP_SYSLOG",
+      "CAP_WAKE_ALARM",
+      "CAP_BLOCK_SUSPEND",
+      "CAP_AUDIT_READ",
+      "CAP_PERFMON",
+      "CAP_BPF",
+      "CAP_CHECKPOINT_RESTORE"
+    ],
+    "virtio_blk_storage_classes": [
+      "cc-local-csi",
+      "cc-managed-csi",
+      "cc-managed-premium-csi"
+    ],
+    "smb_storage_classes": [
+      {
+        "name": "azurefile-csi-kata-cc",
+        "mount_options": [
+          "dir_mode=0777",
+          "file_mode=0777",
+          "mfsymlinks",
+          "cache=strict",
+          "nosharesock",
+          "actimeo=30",
+          "nobrl"
+        ]
+      }
+    ]
+  },
+  "sandbox": {
+    "storages": [
+      {
+        "driver": "ephemeral",
+        "driver_options": [],
+        "source": "shm",
+        "fstype": "tmpfs",
+        "options": [
+          "noexec",
+          "nosuid",
+          "nodev",
+          "mode=1777",
+          "size=67108864"
+        ],
+        "mount_point": "/run/kata-containers/sandbox/shm",
+        "fs_group": null
+      }
+    ]
+  },
+  "request_defaults": {
+    "CreateContainerRequest": {
+      "allow_env_regex": [
+        "^HOSTNAME=$(dns_label)$",
+        "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$",
+        "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$",
+        "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$",
+        "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$",
+        "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$",
+        "^$(svc_name)_SERVICE_PORT=$(ip_p)$",
+        "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$",
+        "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$",
+        "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+        "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
+        "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
+        "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
+        "^TERM=xterm$"
+      ]
+    },
+    "CopyFileRequest": [
+      "$(sfprefix)"
+    ],
+    "ExecProcessRequest": {
+      "commands": [],
+      "regex": []
+    },
+    "CloseStdinRequest": false,
+    "ReadStreamRequest": true,
+    "UpdateEphemeralMountsRequest": false,
+    "WriteStreamRequest": false
+  }
+}
\ No newline at end of file
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 943fad534d18..3173d9167b04 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -7,14 +7,13 @@ package agent_policy
 import future.keywords.in
 import future.keywords.every
 
-import input
-
 # Default values, returned by OPA when rules cannot be evaluated to true.
 default AddARPNeighborsRequest := false
 default AddSwapRequest := false
 default CloseStdinRequest := false
 default CopyFileRequest := false
 default CreateContainerRequest := false
+default PolicyCreateContainerRequest := false
 default CreateSandboxRequest := false
 default DestroySandboxRequest := true
 default ExecProcessRequest := false
@@ -55,14 +54,172 @@ default AllowRequestsFailingPolicy := false
 S_NAME_KEY = "io.kubernetes.cri.sandbox-name"
 S_NAMESPACE_KEY = "io.kubernetes.cri.sandbox-namespace"
 BUNDLE_ID = "[a-z0-9]{64}"
+# from https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
+# and https://github.com/kubernetes/kubernetes/blob/8294abc599696e0d1b5aa734afa7ae1e4f5059a0/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go#L177
+SUBDOMAIN_NAME = "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+ALLOWED_SUBDOMAIN_NAMES := ["$(host-name)", "$(node-name)", "$(pod-uid)"]
+ALWAYS_ALLOWED = ["$(resource-field)", "$(todo-annotation)"]
+
+PolicyCreateContainerRequest:= resp {
+  resp = CreateContainerRequestCommon(input.base)
+#   resp :=  {"ops": [], "allowed": true}
+  i_env_map := input.env_map
+  i_tokenized_args := input.tokenized_args
+  some p_container in policy_data.containers
+  p_env_map := p_container.env_map  
+  allow_env_map(p_env_map, i_env_map)
+  
+  p_tokenized_args := p_container.tokenized_args
+  allow_tokenized_args(p_tokenized_args, i_tokenized_args)
+
+  print("PolicyCreateContainerRequest: true")
+}
+
+allow_tokenized_args(p_tokenized_args, i_tokenized_args) {
+    every i, i_tokenized_arg in i_tokenized_args {
+      allow_tokenized_arg(p_tokenized_args[i], i_tokenized_arg)
+    }
+    print("allow_tokenized_args: true")
+}
+
+allow_tokenized_arg(p_tokenized_arg, i_tokenized_arg) {
+    print("allow_tokenized_arg: p_tokenized_arg =", p_tokenized_arg, "i_tokenized_arg =", i_tokenized_arg)
+    every i, i_token in i_tokenized_arg {
+      # todo: why do we need to do this
+      p_token := replace(p_tokenized_arg[i], "$$", "$")
+      allow_token(p_token, i_token)
+    }
+    print("allow_tokenized_arg: true")
+}
+
+# Allow exact match
+allow_token(p_token, i_token) {
+    p_token == i_token
+    print("allow_token: true")
+}
+
+# Allow variables that should look like a subdomain name
+allow_token(p_token, i_token) {
+    some allowed in ALLOWED_SUBDOMAIN_NAMES
+    p_token == allowed
+    regex.match(SUBDOMAIN_NAME, i_token)
+    print("allow_token2: true")
+}
+
+# sandbox-name
+allow_token(p_token, i_token) {
+    s_name := input.base.OCI.Annotations[S_NAME_KEY]
+    p_var2 := replace(p_token, "$(sandbox-name)", s_name)
+    p_var2 == i_token
+    print("allow_token3: true")
+}
+
+# sandbox-namespace
+allow_token(p_token, i_token) {
+    s_namespace := input.base.OCI.Annotations[S_NAMESPACE_KEY]
+    p_var2 := replace(p_token, "$(sandbox-namespace)", s_namespace)
+    p_var2 == i_token
+    print("allow_token4: true")
+}
+
+allow_env_map(p_env_map, i_env_map) {
+    every env_key, env_val in i_env_map {
+      print("allow_env: env_key =", env_key, "env_val =", env_val)
+      allow_env_map_entry(env_key, env_val, p_env_map)
+    }
+    print("allow_env_map: true")
+}
+
+# Allow exact match
+allow_env_map_entry(key, i_val, p_env_map) {
+    p_val := p_env_map[key]
+    i_val == p_val
+    print("allow_env_map_entry: true")
+}
+
+# Allow variables that should look like a subdomain name
+allow_env_map_entry(key, i_val, p_env_map) {
+  p_val := p_env_map[key]
+  some allowed in ALLOWED_SUBDOMAIN_NAMES
+  p_val == allowed
+  regex.match(SUBDOMAIN_NAME, i_val)
+  print("allow_env_map_entry2: true")
+}
+
+# Allow input env variables that match with a request_defaults regex.
+allow_env_map_entry(key, i_val, p_env_map) {
+    some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex
+    p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a)
+    p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p)
+    p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name)
+    p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label)
+
+    result := concat("=", [key, i_val])
+    regex.match(p_regex5, result)
+
+    print("allow_env_map_entry 3: true")
+}
+
+# Allow fieldRef "fieldPath: status.podIP" values.
+allow_env_map_entry(key, i_val, p_env_map) {
+    is_ip(i_val)
+
+    p_val := p_env_map[key]
+    p_var := concat("=", [key, p_val])
+    allow_pod_ip_var(key, p_var)
+    print("allow_env_map_entry 4: true")
+}
+
+# Match input with one of the policy variables, after substituting $(sandbox-name).
+allow_env_map_entry(key, i_val, p_env_map) {
+    s_name := input.base.OCI.Annotations[S_NAME_KEY]
+    p_val := p_env_map[key]
+    p_var2 := replace(p_val, "$(sandbox-name)", s_name)
+    p_var2 == i_val
+    print("allow_env_map_entry 5: true")
+}
 
-CreateContainerRequest:= {"ops": ops, "allowed": true} {
+# Match input with one of the policy variables, after substituting $(sandbox-namespace).
+allow_env_map_entry(key, i_val, p_env_map) {
+    s_namespace := input.base.OCI.Annotations[S_NAMESPACE_KEY]
+    p_val := p_env_map[key]
+    p_var2 := replace(p_val, "$(sandbox-namespace)", s_namespace)
+    p_var2 == i_val
+    print("allow_env_map_entry 6: true")
+}
+
+# Allow fieldRef "fieldPath: status.hostIP" values.
+allow_env_map_entry(key, i_val, p_env_map) {
+    is_ip(i_val)
+
+    p_val := p_env_map[key]
+    p_var := concat("=", [key, p_val])
+    allow_host_ip_var(key, p_var)
+    print("allow_env_map_entry 7: true")
+}
+
+# Allow resourceFieldRef values (e.g., "limits.cpu").
+allow_env_map_entry(key, i_val, p_env_map) {
+    p_val := p_env_map[key]
+    # TODO: should these be handled in a different way?
+    some allowed in ALWAYS_ALLOWED
+    p_val == allowed
+    #regex.match(SUBDOMAIN_NAME, i_val)
+    print("allow_env_map_entry8: true")
+}
+
+CreateContainerRequest:= resp {
+  resp = CreateContainerRequestCommon(input)
+  print("CreateContainerRequest: true")
+}
+
+CreateContainerRequestCommon(req):= {"ops": ops, "allowed": true} {
     # Check if the input request should be rejected even before checking the
     # policy_data.containers information.
-    allow_create_container_input
+    allow_create_container_input(req)
 
-    i_oci := input.OCI
-    i_storages := input.storages
+    i_oci := req.OCI
+    i_storages := req.storages
 
     # array of possible state operations
     ops_builder := []
@@ -77,7 +234,7 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
     print("======== CreateContainerRequest: trying next policy container")
 
     p_pidns := p_container.sandbox_pidns
-    i_pidns := input.sandbox_pidns
+    i_pidns := req.sandbox_pidns
     print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns)
     p_pidns == i_pidns
 
@@ -103,16 +260,15 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
 
     allow_linux(p_oci, i_oci)
 
-    print("CreateContainerRequest: true")
+    print("CreateContainerRequestCommon: true")
 }
 
-allow_create_container_input {
-    print("allow_create_container_input: input =", input)
+allow_create_container_input(req) {
+    print("allow_create_container_input: input =", req)
+    count(req.shared_mounts) == 0
+    is_null(req.string_user)
 
-    count(input.shared_mounts) == 0
-    is_null(input.string_user)
-
-    i_oci := input.OCI
+    i_oci := req.OCI
     is_null(i_oci.Hooks)
     is_null(i_oci.Solaris)
     is_null(i_oci.Windows)
@@ -560,7 +716,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
 
     allow_root_path(p_oci, i_oci, bundle_id)
 
-    every i_mount in input.OCI.Mounts {
+    every i_mount in i_oci.Mounts {
         allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
     }
 
@@ -653,7 +809,6 @@ allow_args(p_process, i_process, s_name) {
     every i, i_arg in i_process.Args {
         allow_arg(i, i_arg, p_process, s_name)
     }
-
     print("allow_args 2: true")
 }
 allow_arg(i, i_arg, p_process, s_name) {
@@ -755,8 +910,7 @@ allow_var(p_process, i_process, i_var, s_name, s_namespace) {
     p_name_value[0] == name_value[0]
 
     # TODO: should these be handled in a different way?
-    always_allowed := ["$(host-name)", "$(node-name)", "$(pod-uid)"]
-    some allowed in always_allowed
+    some allowed in ALLOWED_SUBDOMAIN_NAMES
     contains(p_name_value[1], allowed)
 
     print("allow_var 5: true")
@@ -786,13 +940,13 @@ allow_var(p_process, i_process, i_var, s_name, s_namespace) {
     p_name_value[0] == name_value[0]
 
     # TODO: should these be handled in a different way?
-    always_allowed = ["$(resource-field)", "$(todo-annotation)"]
-    some allowed in always_allowed
+    some allowed in ALWAYS_ALLOWED
     contains(p_name_value[1], allowed)
 
     print("allow_var 7: true")
 }
 
+# Match input with one of the policy variables, after substituting $(sandbox-namespace).
 allow_var(p_process, i_process, i_var, s_name, s_namespace) {
     some p_var in p_process.Env
     p_var2 := replace(p_var, "$(sandbox-namespace)", s_namespace)
@@ -1428,4 +1582,4 @@ UpdateEphemeralMountsRequest {
 
 WriteStreamRequest {
     policy_data.request_defaults.WriteStreamRequest == true
-}
+}
\ No newline at end of file
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index 4c0332f7a9b2..81e02f37126c 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -271,6 +271,9 @@ pub struct ContainerPolicy {
     /// ExecProcessRequest. By default, all ExecProcessRequest calls are blocked
     /// by the policy.
     exec_commands: Vec<String>,
+
+    tokenized_args: Vec<Vec<String>>,
+    env_map: std::collections::HashMap<String, String>,
 }
 
 /// See Reference / Kubernetes API / Config and Storage Resources / Volume.
@@ -595,6 +598,9 @@ impl AgentPolicy {
         };
         let exec_commands = yaml_container.get_exec_commands();
 
+        let env_map = oci::get_env_map(&process.Env);
+
+        let tokenized_args = oci::get_tokenized_args(&process.Args);
         ContainerPolicy {
             OCI: KataSpec {
                 Version: version_default(),
@@ -608,6 +614,8 @@ impl AgentPolicy {
             storages,
             sandbox_pidns,
             exec_commands,
+            tokenized_args,
+            env_map,
         }
     }