@aegis-scan/core 0.16.6 → 0.18.0

package/dist/runtime/signals.js

@@ -0,0 +1,72 @@
+import { writeEngagementState } from './state.js';
+import { emitEvent, makeEvent } from './events.js';
+export function installSignalHandlers(opts) {
+    const exit = opts.exit ?? ((code) => process.exit(code));
+    const on = opts.on ?? ((sig, h) => process.on(sig, h));
+    const handlers = [];
+    const dumpAndEvent = (reason, exitCode, kind) => {
+        let dumpPath;
+        try {
+            const state = opts.getState();
+            // Update the snapshot's pause-reason and timestamp before flushing.
+            const stamped = {
+                ...state,
+                paused_at: new Date().toISOString(),
+                reason: `signal-${reason}`,
+            };
+            if (opts.stateFilePath) {
+                writeEngagementState(opts.stateFilePath, stamped);
+                dumpPath = opts.stateFilePath;
+            }
+        }
+        catch {
+            // Dump is best-effort; never let a state-write failure mask the exit.
+        }
+        const ev = kind === 'kill'
+            ? makeEvent(opts.engagementId, 'kill', { signal: reason, ...(dumpPath ? { state_dump_path: dumpPath } : {}) })
+            : makeEvent(opts.engagementId, 'intervention', {
+                kind: 'pause',
+                trigger: `signal-${reason}`,
+                reason: 'operator-paused',
+            });
+        try {
+            // Chain the event into the same hash-chain as regular siege events
+            // when a ChainedEmitter is provided. This keeps audit-verify happy
+            // when the engagement is killed mid-flight (otherwise the kill
+            // event would be a chain break).
+            if (opts.chainEmitter) {
+                opts.chainEmitter.emit(ev);
+            }
+            else {
+                emitEvent(ev, opts.eventSink);
+            }
+        }
+        catch {
+            // best-effort
+        }
+        exit(exitCode);
+    };
+    const sigint = () => dumpAndEvent('SIGINT', 130, 'kill');
+    const sigterm = () => dumpAndEvent('SIGTERM', 143, 'kill');
+    const sigusr1 = () => dumpAndEvent('SIGUSR1', 0, 'pause');
+    on('SIGINT', sigint);
+    handlers.push({ sig: 'SIGINT', handler: sigint });
+    on('SIGTERM', sigterm);
+    handlers.push({ sig: 'SIGTERM', handler: sigterm });
+    on('SIGUSR1', sigusr1);
+    handlers.push({ sig: 'SIGUSR1', handler: sigusr1 });
+    return {
+        uninstall() {
+            for (const { sig, handler } of handlers) {
+                try {
+                    process.removeListener(sig, handler);
+                }
+                catch {
+                    // Tests may inject a stub on() that never registers in the real
+                    // process — removeListener is a no-op then.
+                }
+            }
+        },
+    };
+}
+//# sourceMappingURL=signals.js.map

package/dist/runtime/signals.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signals.js","sourceRoot":"","sources":["../../src/runtime/signals.ts"],"names":[],"mappings":"AAkBA,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAElD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAuCnD,MAAM,UAAU,qBAAqB,CAAC,IAA0B;IAC9D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACjE,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC,GAAW,EAAE,CAAa,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,GAAqB,EAAE,CAAC,CAAC,CAAC,CAAC;IAE7F,MAAM,QAAQ,GAAgD,EAAE,CAAC;IAEjE,MAAM,YAAY,GAAG,CAAC,MAAkB,EAAE,QAAgB,EAAE,IAAsB,EAAQ,EAAE;QAC1F,IAAI,QAA4B,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC9B,oEAAoE;YACpE,MAAM,OAAO,GAAoB;gBAC/B,GAAG,KAAK;gBACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,MAAM,EAAE,UAAU,MAAM,EAAE;aAC3B,CAAC;YACF,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;gBACvB,oBAAoB,CAAC,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;gBAClD,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC;YAChC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sEAAsE;QACxE,CAAC;QAED,MAAM,EAAE,GACN,IAAI,KAAK,MAAM;YACb,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,MAA0C,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;YAClJ,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,cAAc,EAAE;gBAC3C,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,UAAU,MAAM,EAA2D;gBACpF,MAAM,EAAE,iBAAiB;aAC1B,CAAC,CAAC;QACT,IAAI,CAAC;YACH,mEAAmE;YACnE,mEAAmE;YACnE,+DAA+D;YAC/D,iCAAiC;YACjC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBACtB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC7B,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,cAAc;QAChB,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjB,CAAC,CAAC;IAEF,MAAM,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;IACzD,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;IAE1D,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACrB,QAAQ,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAClD,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IACpD,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAEpD,OAAO;QACL,SAAS;YACP,KAAK,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACxC,IAAI,CAAC;oBACH,OAAO,CAAC,cAAc,CAAC,GAAqB,EAAE,OAAO,CAAC,CAAC;gBACzD,CAAC;gBAAC,MAAM,CAAC;oBACP,gEAAgE;oBAChE,4CAA4C;gBAC9C,CAAC;YACH,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/runtime/state.d.ts

@@ -0,0 +1,88 @@
+import { z } from 'zod';
+import type { Finding } from '../types.js';
+export declare const EngagementStateSchema: z.ZodObject<{
+    state_version: z.ZodLiteral<"0.1.0">;
+    engagement_id: z.ZodString;
+    target: z.ZodString;
+    roe_id: z.ZodString;
+    completed_phases: z.ZodArray<z.ZodEnum<["recon", "discovery", "exploitation", "reporting"]>, "many">;
+    findings_so_far: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>, "many">;
+    paused_at: z.ZodString;
+    reason: z.ZodString;
+}, "strict", z.ZodTypeAny, {
+    reason: string;
+    target: string;
+    roe_id: string;
+    engagement_id: string;
+    completed_phases: ("recon" | "discovery" | "exploitation" | "reporting")[];
+    state_version: "0.1.0";
+    findings_so_far: Record<string, unknown>[];
+    paused_at: string;
+}, {
+    reason: string;
+    target: string;
+    roe_id: string;
+    engagement_id: string;
+    completed_phases: ("recon" | "discovery" | "exploitation" | "reporting")[];
+    state_version: "0.1.0";
+    findings_so_far: Record<string, unknown>[];
+    paused_at: string;
+}>;
+export interface EngagementState {
+    state_version: '0.1.0';
+    engagement_id: string;
+    target: string;
+    roe_id: string;
+    completed_phases: ('recon' | 'discovery' | 'exploitation' | 'reporting')[];
+    findings_so_far: Finding[];
+    paused_at: string;
+    reason: string;
+}
+/**
+ * Append the engagement-state snapshot as a single JSONL line.
+ *
+ * Was: `writeFileSync(path, JSON.stringify(state, null, 2))` which
+ * overwrote the entire state file — destroying every JSONL event that
+ * had been appended since the last snapshot. The audit on 2026-04-27
+ * flagged this as both a format inconsistency (mixed pretty-JSON +
+ * JSONL) AND a data-loss bug (events between persistStates were lost).
+ *
+ * Now: each call appends one JSONL line. Snapshots and events coexist
+ * in the same file. `loadEngagementState` reads the last snapshot.
+ */
+export declare function writeEngagementState(path: string, state: EngagementState): void;
+export interface LoadStateOk {
+    ok: true;
+    state: EngagementState;
+}
+export interface LoadStateFailure {
+    ok: false;
+    error: string;
+    phase: 'file-missing' | 'json-parse' | 'schema-validation';
+}
+export type LoadStateResult = LoadStateOk | LoadStateFailure;
+/**
+ * Load the latest engagement-state snapshot from a JSONL state-file.
+ *
+ * Reads line-by-line, identifies snapshot lines by the presence of a
+ * `state_version` field, schema-validates each, and returns the LAST
+ * (most recent) successful match. Event lines (with `ts`+`event`) are
+ * skipped. Malformed lines are skipped with a count tracked for the
+ * debug error path; only snapshots that pass the strict schema are
+ * candidates.
+ *
+ * Back-compat: also accepts a single-object pretty-JSON file (the
+ * pre-audit format). When the entire file parses as one EngagementState
+ * object, return that. This preserves resume-from-pre-audit-state
+ * functionality during the migration window.
+ */
+export declare function loadEngagementState(path: string): LoadStateResult;
+/**
+ * Build a fresh engagement state at engagement start.
+ */
+export declare function newEngagementState(args: {
+    engagement_id: string;
+    target: string;
+    roe_id: string;
+}): EngagementState;
+//# sourceMappingURL=state.d.ts.map

package/dist/runtime/state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.d.ts","sourceRoot":"","sources":["../../src/runtime/state.ts"],"names":[],"mappings":"AA+BA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAI3C,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWvB,CAAC;AAEZ,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,OAAO,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,CAAC,OAAO,GAAG,WAAW,GAAG,cAAc,GAAG,WAAW,CAAC,EAAE,CAAC;IAC3E,eAAe,EAAE,OAAO,EAAE,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,IAAI,CAE/E;AAED,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,IAAI,CAAC;IACT,KAAK,EAAE,eAAe,CAAC;CACxB;AACD,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,KAAK,CAAC;IACV,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,cAAc,GAAG,YAAY,GAAG,mBAAmB,CAAC;CAC5D;AACD,MAAM,MAAM,eAAe,GAAG,WAAW,GAAG,gBAAgB,CAAC;AAE7D;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CA8EjE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE;IACvC,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB,GAAG,eAAe,CAWlB"}

package/dist/runtime/state.js

@@ -0,0 +1,172 @@
+/**
+ * Engagement state snapshot — the durable artifact that supports
+ * pause-and-resume.
+ *
+ * Closes APTS-HO-006 (Graceful Pause Mechanism with State Preservation) +
+ * APTS-HO-008 (Immediate Kill Switch with State Dump) jointly with
+ * runtime/signals.ts.
+ *
+ * Snapshot scope (Cluster-2 v1):
+ *   - engagement_id (matches the JSONL event stream)
+ *   - target + roe_id
+ *   - completed_phases — engagement is phase-grained; resume restarts the
+ *     next phase, not mid-phase. Simpler than the full mid-phase resume
+ *     and sufficient for siege's 4-phase shape.
+ *   - findings_so_far — the in-flight findings array
+ *   - paused_at — ISO-8601 timestamp
+ *   - reason — short rationale (e.g. "operator-SIGUSR1", "temporal-expiry")
+ *
+ * State-file format (audit-fix 2026-04-27):
+ *   - PURE JSONL. Every line is a single-line JSON object.
+ *   - Snapshots have a `state_version` field; events have `ts` + `event`.
+ *   - Snapshots are APPENDED, not overwritten. `loadEngagementState`
+ *     reads the file line-by-line and returns the LAST snapshot.
+ *   - Previous behavior (overwriting with pretty-printed JSON) was
+ *     destroying events between persistStates and breaking line-oriented
+ *     tools like `jq -c`.
+ *
+ * Mid-phase resume is deferred to a future cluster — it requires
+ * scanner-level checkpointing which the orchestrator doesn't expose today.
+ */
+import { readFileSync, appendFileSync, existsSync } from 'node:fs';
+import { z } from 'zod';
+const FindingPassthroughSchema = z.record(z.unknown());
+export const EngagementStateSchema = z
+    .object({
+    state_version: z.literal('0.1.0'),
+    engagement_id: z.string().min(1),
+    target: z.string().min(1),
+    roe_id: z.string().min(1),
+    completed_phases: z.array(z.enum(['recon', 'discovery', 'exploitation', 'reporting'])),
+    findings_so_far: z.array(FindingPassthroughSchema),
+    paused_at: z.string().datetime({ offset: true }),
+    reason: z.string().min(1),
+})
+    .strict();
+/**
+ * Append the engagement-state snapshot as a single JSONL line.
+ *
+ * Was: `writeFileSync(path, JSON.stringify(state, null, 2))` which
+ * overwrote the entire state file — destroying every JSONL event that
+ * had been appended since the last snapshot. The audit on 2026-04-27
+ * flagged this as both a format inconsistency (mixed pretty-JSON +
+ * JSONL) AND a data-loss bug (events between persistStates were lost).
+ *
+ * Now: each call appends one JSONL line. Snapshots and events coexist
+ * in the same file. `loadEngagementState` reads the last snapshot.
+ */
+export function writeEngagementState(path, state) {
+    appendFileSync(path, JSON.stringify(state) + '\n');
+}
+/**
+ * Load the latest engagement-state snapshot from a JSONL state-file.
+ *
+ * Reads line-by-line, identifies snapshot lines by the presence of a
+ * `state_version` field, schema-validates each, and returns the LAST
+ * (most recent) successful match. Event lines (with `ts`+`event`) are
+ * skipped. Malformed lines are skipped with a count tracked for the
+ * debug error path; only snapshots that pass the strict schema are
+ * candidates.
+ *
+ * Back-compat: also accepts a single-object pretty-JSON file (the
+ * pre-audit format). When the entire file parses as one EngagementState
+ * object, return that. This preserves resume-from-pre-audit-state
+ * functionality during the migration window.
+ */
+export function loadEngagementState(path) {
+    if (!existsSync(path)) {
+        return { ok: false, error: `state file not found at ${path}`, phase: 'file-missing' };
+    }
+    let raw;
+    try {
+        raw = readFileSync(path, 'utf-8');
+    }
+    catch (err) {
+        return {
+            ok: false,
+            error: `state file unreadable at ${path}: ${err instanceof Error ? err.message : String(err)}`,
+            phase: 'file-missing',
+        };
+    }
+    // Back-compat: try parsing the whole file as a single JSON snapshot first.
+    // The pre-audit format wrote pretty-printed JSON without JSONL structure.
+    const trimmed = raw.trim();
+    if (trimmed.startsWith('{') && trimmed.endsWith('}')) {
+        try {
+            const parsed = JSON.parse(trimmed);
+            const result = EngagementStateSchema.safeParse(parsed);
+            if (result.success) {
+                return { ok: true, state: result.data };
+            }
+            // Fall through to JSONL parse — the file might be JSONL where the
+            // first event is a single-line snapshot followed by event lines.
+        }
+        catch {
+            // Not a single-object file; fall through to JSONL.
+        }
+    }
+    // JSONL: parse line-by-line, return the last successful snapshot.
+    const lines = raw.split('\n').filter((l) => l.trim().length > 0);
+    let lastSnapshot = null;
+    let parseErrors = 0;
+    let schemaErrors = 0;
+    for (const line of lines) {
+        let parsed;
+        try {
+            parsed = JSON.parse(line);
+        }
+        catch {
+            parseErrors += 1;
+            continue;
+        }
+        if (typeof parsed !== 'object' || parsed === null)
+            continue;
+        if (!('state_version' in parsed))
+            continue; // event line, skip
+        const result = EngagementStateSchema.safeParse(parsed);
+        if (result.success) {
+            lastSnapshot = result.data;
+        }
+        else {
+            schemaErrors += 1;
+        }
+    }
+    if (lastSnapshot) {
+        return { ok: true, state: lastSnapshot };
+    }
+    if (parseErrors > 0 && lines.length === parseErrors) {
+        return {
+            ok: false,
+            error: `state file at ${path}: no parseable JSONL line found (${parseErrors} malformed)`,
+            phase: 'json-parse',
+        };
+    }
+    if (schemaErrors > 0) {
+        return {
+            ok: false,
+            error: `state file at ${path}: ${schemaErrors} snapshot-shaped lines failed schema validation`,
+            phase: 'schema-validation',
+        };
+    }
+    return {
+        ok: false,
+        error: `state file at ${path} contains no engagement-state snapshot`,
+        phase: 'schema-validation',
+    };
+}
+/**
+ * Build a fresh engagement state at engagement start.
+ */
+export function newEngagementState(args) {
+    return {
+        state_version: '0.1.0',
+        engagement_id: args.engagement_id,
+        target: args.target,
+        roe_id: args.roe_id,
+        completed_phases: [],
+        findings_so_far: [],
+        paused_at: new Date().toISOString(),
+        reason: 'engagement-start',
+    };
+}
+//# sourceMappingURL=state.js.map

package/dist/runtime/state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.js","sourceRoot":"","sources":["../../src/runtime/state.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;AAEvD,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC;KACnC,MAAM,CAAC;IACN,aAAa,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IACjC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,gBAAgB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,WAAW,CAAC,CAAC,CAAC;IACtF,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,wBAAwB,CAAC;IAClD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAChD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC1B,CAAC;KACD,MAAM,EAAE,CAAC;AAaZ;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAY,EAAE,KAAsB;IACvE,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;AACrD,CAAC;AAaD;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAY;IAC9C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,IAAI,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;IACxF,CAAC;IACD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACpC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,4BAA4B,IAAI,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YAC9F,KAAK,EAAE,cAAc;SACtB,CAAC;IACJ,CAAC;IAED,2EAA2E;IAC3E,0EAA0E;IAC1E,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACnC,MAAM,MAAM,GAAG,qBAAqB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YACvD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,IAAkC,EAAE,CAAC;YACxE,CAAC;YACD,kEAAkE;YAClE,iEAAiE;QACnE,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjE,IAAI,YAAY,GAA2B,IAAI,CAAC;IAChD,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,MAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,WAAW,IAAI,CAAC,CAAC;YACjB,SAAS;QACX,CAAC;QACD,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI;YAAE,SAAS;QAC5D,IAAI,CAAC,CAAC,eAAe,IAAI,MAAM,CAAC;YAAE,SAAS,CAAC,mBAAmB;QAC/D,MAAM,MAAM,GAAG,qBAAqB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACvD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,YAAY,GAAG,MAAM,CAAC,IAAkC,CAAC;QAC3D,CAAC;aAAM,CAAC;YACN,YAAY,IAAI,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;IAC3C,CAAC;IAED,IAAI,WAAW,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;QACpD,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,iBAAiB,IAAI,oCAAoC,WAAW,aAAa;YACxF,KAAK,EAAE,YAAY;SACpB,CAAC;IACJ,CAAC;IACD,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,iBAAiB,IAAI,KAAK,YAAY,iDAAiD;YAC9F,KAAK,EAAE,mBAAmB;SAC3B,CAAC;IACJ,CAAC;IACD,OAAO;QACL,EAAE,EAAE,KAAK;QACT,KAAK,EAAE,iBAAiB,IAAI,wCAAwC;QACpE,KAAK,EAAE,mBAAmB;KAC3B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAIlC;IACC,OAAO;QACL,aAAa,EAAE,OAAO;QACtB,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,gBAAgB,EAAE,EAAE;QACpB,eAAe,EAAE,EAAE;QACnB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,MAAM,EAAE,kBAAkB;KAC3B,CAAC;AACJ,CAAC"}

package/dist/safety-controls/boundary-monitor.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Continuous boundary monitoring + breach detection.
+ *
+ * Closes APTS-AL-016 (Continuous Boundary Monitoring and Breach
+ * Detection).
+ *
+ * Design notes:
+ *   - Cluster-3 emits a single scope-validation event at engagement
+ *     start. AL-016 requires *continuous* monitoring — every scanner
+ *     emission re-validates the finding's target against the loaded
+ *     RoE.
+ *   - Strategy: per finding, validate the finding's location URL (or
+ *     its `file` path for SAST). On out-of-scope detection, emit a
+ *     scope-validation breach event and return a halt-decision. The
+ *     orchestrator caller is responsible for actually halting; this
+ *     module is pure-function so it remains test-friendly.
+ */
+import { type RoE, type ValidationDecision } from '../roe/types.js';
+export interface BreachDetectionResult {
+    /** True iff the finding's target/location is in-scope. */
+    in_scope: boolean;
+    decision: ValidationDecision;
+    /** The URL or file the finding referred to. */
+    inspected: string;
+    apts_refs: string[];
+}
+export interface FindingLike {
+    /** Optional finding-emitted target URL (DAST findings). */
+    target?: string;
+    /** Optional finding-emitted source file (SAST findings). */
+    file?: string;
+    /** Optional explicit location URL. */
+    location?: string;
+}
+/**
+ * Inspect a finding's location/target/file and validate against the RoE.
+ * Returns in_scope=true with the underlying decision when allowed, or
+ * in_scope=false with the rejection reason.
+ *
+ * Findings without any URL/path field (purely advisory) skip validation
+ * and return in_scope=true so the orchestrator does not halt on
+ * intentionally-unsourced findings.
+ */
+export declare function detectScopeBreach(f: FindingLike, roe: RoE): BreachDetectionResult;
+//# sourceMappingURL=boundary-monitor.d.ts.map

package/dist/safety-controls/boundary-monitor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"boundary-monitor.d.ts","sourceRoot":"","sources":["../../src/safety-controls/boundary-monitor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAyB,KAAK,GAAG,EAAE,KAAK,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAE3F,MAAM,WAAW,qBAAqB;IACpC,0DAA0D;IAC1D,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,kBAAkB,CAAC;IAC7B,+CAA+C;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4DAA4D;IAC5D,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAC/B,CAAC,EAAE,WAAW,EACd,GAAG,EAAE,GAAG,GACP,qBAAqB,CAoCvB"}

package/dist/safety-controls/boundary-monitor.js

@@ -0,0 +1,77 @@
+/**
+ * Continuous boundary monitoring + breach detection.
+ *
+ * Closes APTS-AL-016 (Continuous Boundary Monitoring and Breach
+ * Detection).
+ *
+ * Design notes:
+ *   - Cluster-3 emits a single scope-validation event at engagement
+ *     start. AL-016 requires *continuous* monitoring — every scanner
+ *     emission re-validates the finding's target against the loaded
+ *     RoE.
+ *   - Strategy: per finding, validate the finding's location URL (or
+ *     its `file` path for SAST). On out-of-scope detection, emit a
+ *     scope-validation breach event and return a halt-decision. The
+ *     orchestrator caller is responsible for actually halting; this
+ *     module is pure-function so it remains test-friendly.
+ */
+import { validateTargetInScope } from '../roe/types.js';
+/**
+ * Inspect a finding's location/target/file and validate against the RoE.
+ * Returns in_scope=true with the underlying decision when allowed, or
+ * in_scope=false with the rejection reason.
+ *
+ * Findings without any URL/path field (purely advisory) skip validation
+ * and return in_scope=true so the orchestrator does not halt on
+ * intentionally-unsourced findings.
+ */
+export function detectScopeBreach(f, roe) {
+    const inspect = pickTarget(f);
+    if (!inspect) {
+        return {
+            in_scope: true,
+            decision: {
+                allowed: true,
+                reason: 'finding has no inspectable URL/path; boundary check skipped',
+                apts_refs: ['APTS-AL-016'],
+            },
+            inspected: '',
+            apts_refs: ['APTS-AL-016'],
+        };
+    }
+    // For file paths (SAST), we do not URL-parse — boundary check is
+    // currently URL-shaped only. Future work: extend RoE.in_scope.repository_paths
+    // to gate file-path findings continuously.
+    if (!isUrlLike(inspect)) {
+        return {
+            in_scope: true,
+            decision: {
+                allowed: true,
+                reason: `finding location is a file path ("${inspect}"); URL boundary check not applicable`,
+                apts_refs: ['APTS-AL-016'],
+            },
+            inspected: inspect,
+            apts_refs: ['APTS-AL-016'],
+        };
+    }
+    const decision = validateTargetInScope(inspect, roe);
+    return {
+        in_scope: decision.allowed,
+        decision,
+        inspected: inspect,
+        apts_refs: ['APTS-AL-016', ...(decision.apts_refs ?? [])],
+    };
+}
+function pickTarget(f) {
+    if (f.location && f.location.length > 0)
+        return f.location;
+    if (f.target && f.target.length > 0)
+        return f.target;
+    if (f.file && f.file.length > 0)
+        return f.file;
+    return '';
+}
+function isUrlLike(s) {
+    return /^https?:\/\//i.test(s);
+}
+//# sourceMappingURL=boundary-monitor.js.map

package/dist/safety-controls/boundary-monitor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"boundary-monitor.js","sourceRoot":"","sources":["../../src/safety-controls/boundary-monitor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,qBAAqB,EAAqC,MAAM,iBAAiB,CAAC;AAoB3F;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAC/B,CAAc,EACd,GAAQ;IAER,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE;gBACR,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,6DAA6D;gBACrE,SAAS,EAAE,CAAC,aAAa,CAAC;aAC3B;YACD,SAAS,EAAE,EAAE;YACb,SAAS,EAAE,CAAC,aAAa,CAAC;SAC3B,CAAC;IACJ,CAAC;IACD,iEAAiE;IACjE,+EAA+E;IAC/E,2CAA2C;IAC3C,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE;gBACR,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,qCAAqC,OAAO,uCAAuC;gBAC3F,SAAS,EAAE,CAAC,aAAa,CAAC;aAC3B;YACD,SAAS,EAAE,OAAO;YAClB,SAAS,EAAE,CAAC,aAAa,CAAC;SAC3B,CAAC;IACJ,CAAC;IACD,MAAM,QAAQ,GAAG,qBAAqB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACrD,OAAO;QACL,QAAQ,EAAE,QAAQ,CAAC,OAAO;QAC1B,QAAQ;QACR,SAAS,EAAE,OAAO;QAClB,SAAS,EAAE,CAAC,aAAa,EAAE,GAAG,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;KAC1D,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,CAAc;IAChC,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,CAAC,CAAC,QAAQ,CAAC;IAC3D,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,CAAC,CAAC,MAAM,CAAC;IACrD,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,CAAC,CAAC,IAAI,CAAC;IAC/C,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,SAAS,CAAC,CAAS;IAC1B,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACjC,CAAC"}

package/dist/safety-controls/decision-timeout.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Per-phase decision timeout with default-safe halt.
+ *
+ * Closes APTS-HO-003 (Decision Timeout and Default-Safe Behavior).
+ *
+ * Design notes:
+ *   - HO-003 mandates that an indefinitely-running phase eventually
+ *     hits a decision boundary; the default behavior on timeout is
+ *     halt (the safe choice for an offensive engagement) rather than
+ *     continue.
+ *   - `withPhaseTimeout` wraps a phase promise. If the phase resolves
+ *     before the deadline it returns its value; otherwise it returns
+ *     a structured TimeoutResult so the caller can record the halt
+ *     in the audit channel.
+ *   - The wrapped promise is signaled via AbortController; whether it
+ *     actually terminates is the wrapped function's responsibility.
+ *     We always race so the orchestrator is never stuck.
+ */
+export interface TimeoutOk<T> {
+    timed_out: false;
+    value: T;
+}
+export interface TimeoutFailure {
+    timed_out: true;
+    /** Phase name supplied by caller. */
+    phase: string;
+    /** Configured timeout in ms. */
+    timeout_ms: number;
+    /** Default-safe action that fired. Always 'halt' for offensive engagements. */
+    default_action: 'halt';
+    reason: string;
+    apts_refs: string[];
+}
+export type TimeoutResult<T> = TimeoutOk<T> | TimeoutFailure;
+export interface PhaseTimeoutOptions {
+    phase: string;
+    timeout_ms: number;
+    /** AbortController to signal the wrapped phase. Caller wires it through. */
+    controller?: AbortController;
+}
+/**
+ * Wrap a phase promise with a default-safe timeout. On timeout, returns
+ * { timed_out: true, ... }; the caller emits a halt event and stops.
+ */
+export declare function withPhaseTimeout<T>(phasePromise: Promise<T>, opts: PhaseTimeoutOptions): Promise<TimeoutResult<T>>;
+/**
+ * Compute the per-phase timeout from RoE.stop_conditions when the
+ * operator supplies an explicit phase_timeout_minutes. Otherwise
+ * derive 1/4 of max_duration_minutes (4 phases) when present, else
+ * fall back to the supplied default.
+ */
+export declare function derivePhaseTimeoutMs(stopConditions: {
+    max_duration_minutes?: number;
+    phase_timeout_minutes?: number;
+}, defaultMs: number): number;
+//# sourceMappingURL=decision-timeout.d.ts.map

package/dist/safety-controls/decision-timeout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decision-timeout.d.ts","sourceRoot":"","sources":["../../src/safety-controls/decision-timeout.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,MAAM,WAAW,SAAS,CAAC,CAAC;IAC1B,SAAS,EAAE,KAAK,CAAC;IACjB,KAAK,EAAE,CAAC,CAAC;CACV;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,IAAI,CAAC;IAChB,qCAAqC;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,+EAA+E;IAC/E,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,MAAM,aAAa,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC,GAAG,cAAc,CAAC;AAE7D,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,4EAA4E;IAC5E,UAAU,CAAC,EAAE,eAAe,CAAC;CAC9B;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,CAAC,EACtC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC,EACxB,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CA6B3B;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,cAAc,EAAE;IAAE,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAAC,qBAAqB,CAAC,EAAE,MAAM,CAAA;CAAE,EACjF,SAAS,EAAE,MAAM,GAChB,MAAM,CAQR"}

package/dist/safety-controls/decision-timeout.js

@@ -0,0 +1,67 @@
+/**
+ * Per-phase decision timeout with default-safe halt.
+ *
+ * Closes APTS-HO-003 (Decision Timeout and Default-Safe Behavior).
+ *
+ * Design notes:
+ *   - HO-003 mandates that an indefinitely-running phase eventually
+ *     hits a decision boundary; the default behavior on timeout is
+ *     halt (the safe choice for an offensive engagement) rather than
+ *     continue.
+ *   - `withPhaseTimeout` wraps a phase promise. If the phase resolves
+ *     before the deadline it returns its value; otherwise it returns
+ *     a structured TimeoutResult so the caller can record the halt
+ *     in the audit channel.
+ *   - The wrapped promise is signaled via AbortController; whether it
+ *     actually terminates is the wrapped function's responsibility.
+ *     We always race so the orchestrator is never stuck.
+ */
+/**
+ * Wrap a phase promise with a default-safe timeout. On timeout, returns
+ * { timed_out: true, ... }; the caller emits a halt event and stops.
+ */
+export async function withPhaseTimeout(phasePromise, opts) {
+    let timer = null;
+    const timeoutPromise = new Promise((resolve) => {
+        timer = setTimeout(() => {
+            if (opts.controller)
+                opts.controller.abort();
+            resolve({
+                timed_out: true,
+                phase: opts.phase,
+                timeout_ms: opts.timeout_ms,
+                default_action: 'halt',
+                reason: `phase "${opts.phase}" exceeded ${opts.timeout_ms} ms decision timeout — default-safe halt`,
+                apts_refs: ['APTS-HO-003'],
+            });
+        }, opts.timeout_ms);
+        if (timer && typeof timer.unref === 'function')
+            timer.unref();
+    });
+    const value = await Promise.race([
+        phasePromise.then((v) => ({ timed_out: false, value: v }), (err) => {
+            // Propagate errors so the caller's existing catch handles them.
+            throw err;
+        }),
+        timeoutPromise,
+    ]);
+    if (timer)
+        clearTimeout(timer);
+    return value;
+}
+/**
+ * Compute the per-phase timeout from RoE.stop_conditions when the
+ * operator supplies an explicit phase_timeout_minutes. Otherwise
+ * derive 1/4 of max_duration_minutes (4 phases) when present, else
+ * fall back to the supplied default.
+ */
+export function derivePhaseTimeoutMs(stopConditions, defaultMs) {
+    if (stopConditions.phase_timeout_minutes !== undefined) {
+        return stopConditions.phase_timeout_minutes * 60_000;
+    }
+    if (stopConditions.max_duration_minutes !== undefined) {
+        return Math.round((stopConditions.max_duration_minutes * 60_000) / 4);
+    }
+    return defaultMs;
+}
+//# sourceMappingURL=decision-timeout.js.map

package/dist/safety-controls/decision-timeout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decision-timeout.js","sourceRoot":"","sources":["../../src/safety-controls/decision-timeout.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AA4BH;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,YAAwB,EACxB,IAAyB;IAEzB,IAAI,KAAK,GAA0B,IAAI,CAAC;IACxC,MAAM,cAAc,GAAG,IAAI,OAAO,CAAiB,CAAC,OAAO,EAAE,EAAE;QAC7D,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YACtB,IAAI,IAAI,CAAC,UAAU;gBAAE,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YAC7C,OAAO,CAAC;gBACN,SAAS,EAAE,IAAI;gBACf,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,cAAc,EAAE,MAAM;gBACtB,MAAM,EAAE,UAAU,IAAI,CAAC,KAAK,cAAc,IAAI,CAAC,UAAU,0CAA0C;gBACnG,SAAS,EAAE,CAAC,aAAa,CAAC;aAC3B,CAAC,CAAC;QACL,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACpB,IAAI,KAAK,IAAI,OAAO,KAAK,CAAC,KAAK,KAAK,UAAU;YAAE,KAAK,CAAC,KAAK,EAAE,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;QAC/B,YAAY,CAAC,IAAI,CACf,CAAC,CAAC,EAAgB,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,EACrD,CAAC,GAAG,EAAS,EAAE;YACb,gEAAgE;YAChE,MAAM,GAAG,CAAC;QACZ,CAAC,CACF;QACD,cAAc;KACf,CAAC,CAAC;IACH,IAAI,KAAK;QAAE,YAAY,CAAC,KAAK,CAAC,CAAC;IAC/B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAClC,cAAiF,EACjF,SAAiB;IAEjB,IAAI,cAAc,CAAC,qBAAqB,KAAK,SAAS,EAAE,CAAC;QACvD,OAAO,cAAc,CAAC,qBAAqB,GAAG,MAAM,CAAC;IACvD,CAAC;IACD,IAAI,cAAc,CAAC,oBAAoB,KAAK,SAAS,EAAE,CAAC;QACtD,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,cAAc,CAAC,oBAAoB,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}