@brainst0rm/cli 0.14.1 → 0.14.3
- package/dist/{App-DSD2B5RV.js → App-4GFCMEPX.js} +10 -10
- package/dist/{App-6WBAUX35.js → App-KTUPXXQM.js} +10 -10
- package/dist/{agent-D5GTWGPD.js → agent-EYT6BPVT.js} +2 -2
- package/dist/{agent-DOR4KPUH.js → agent-KTWFCMY5.js} +2 -2
- package/dist/brainstorm.js +56 -56
- package/dist/{chunk-RV3CJQGC.js → chunk-2AXI2OPK.js} +43 -7
- package/dist/chunk-2AXI2OPK.js.map +1 -0
- package/dist/{chunk-6G2HA63H.js → chunk-3AYD5ONW.js} +43 -7
- package/dist/chunk-3AYD5ONW.js.map +1 -0
- package/dist/{chunk-UPP3TOCP.js → chunk-3RH5MKZF.js} +5 -5
- package/dist/{chunk-GLWCTGWG.js → chunk-4NNXZFPX.js} +2 -2
- package/dist/{chunk-Z5QQ5OGV.js → chunk-52Q6CE4Y.js} +19 -2
- package/dist/chunk-52Q6CE4Y.js.map +1 -0
- package/dist/{chunk-FGYEICUI.js → chunk-6UFDBLUX.js} +36 -4
- package/dist/chunk-6UFDBLUX.js.map +1 -0
- package/dist/{chunk-NVA62I52.js → chunk-6WGHIUWX.js} +2 -2
- package/dist/{chunk-4LR7LQPG.js → chunk-CZILJ33T.js} +2 -2
- package/dist/{chunk-TLQVDPEQ.js → chunk-DJ7WG6GZ.js} +19 -2
- package/dist/chunk-DJ7WG6GZ.js.map +1 -0
- package/dist/{chunk-N7JKT44Y.js → chunk-GUHXB5DX.js} +2 -2
- package/dist/{chunk-SCGV333Z.js → chunk-HKRUCBMI.js} +4 -4
- package/dist/{chunk-PIT7VD46.js → chunk-N5V2PGPN.js} +4 -4
- package/dist/{chunk-GF5TKYDA.js → chunk-RVQOLZR6.js} +14 -14
- package/dist/{chunk-AH5SFL5J.js → chunk-RVXUVX5W.js} +14 -14
- package/dist/{chunk-4PCWPRRN.js → chunk-WRO5TVID.js} +5 -5
- package/dist/{chunk-ZYGUHAHM.js → chunk-Z5RDHTWQ.js} +36 -4
- package/dist/chunk-Z5RDHTWQ.js.map +1 -0
- package/dist/{dist-QUYR4VH7.js → dist-5NJP3JHL.js} +23 -3
- package/dist/{dist-QUYR4VH7.js.map → dist-5NJP3JHL.js.map} +1 -1
- package/dist/{dist-P6IZYZBM.js → dist-7AIEUUFF.js} +2 -2
- package/dist/{dist-RVTIEEXC.js → dist-DCJYPRUZ.js} +3 -3
- package/dist/{dist-PGQ4UIM4.js → dist-DXQQF55Y.js} +3 -3
- package/dist/{dist-JQXY4E6A.js → dist-KSUHKNET.js} +88 -15
- package/dist/dist-KSUHKNET.js.map +1 -0
- package/dist/{dist-TS5U3BDK.js → dist-LCPM5BXN.js} +5 -5
- package/dist/{dist-VB7CXEYB.js → dist-MKAADC4H.js} +5 -5
- package/dist/{dist-MKWOTCNR.js → dist-NQQPQGZU.js} +6 -6
- package/dist/{dist-VECPW2NV.js → dist-NTQ7LFRW.js} +5 -5
- package/dist/{dist-ESUVKHL4.js → dist-QFVAD45U.js} +6 -6
- package/dist/{dist-7IRVYQYG.js → dist-RUBJT7FI.js} +2 -2
- package/dist/{dist-P2J4GXPC.js → dist-S7FLVLXS.js} +2 -2
- package/dist/{dist-4JONNOLT.js → dist-U3G5HT5D.js} +6 -6
- package/dist/{dist-IUVHFJV2.js → dist-UETKBS6A.js} +6 -6
- package/dist/{dist-ODBEXWTS.js → dist-WLMQD6I5.js} +5 -5
- package/dist/{dist-GNYSGXLR.js → dist-XFJ337R7.js} +23 -3
- package/dist/{dist-GNYSGXLR.js.map → dist-XFJ337R7.js.map} +1 -1
- package/dist/{dist-T6BIJZSD.js → dist-Y5FZXOVL.js} +2 -2
- package/dist/{dist-2DSARR2V.js → dist-ZPASHTYZ.js} +88 -15
- package/dist/dist-ZPASHTYZ.js.map +1 -0
- package/dist/{handler-VOVQRV5B.js → handler-CPXQZBSW.js} +6 -6
- package/dist/{handler-MHEFUP32.js → handler-FIBSROM4.js} +6 -6
- package/dist/index.js +56 -56
- package/dist/{mcp-server-C732TVIQ.js → mcp-server-56FVMXTC.js} +2 -2
- package/dist/{mcp-server-JUYR37EX.js → mcp-server-XXUZDYW6.js} +2 -2
- package/dist/{roles-QTZ54BOF.js → roles-CJTZSFFW.js} +6 -6
- package/dist/{roles-LDNPU3NI.js → roles-MVBHE5QW.js} +6 -6
- package/dist/{slash-VYIMEVPU.js → slash-WFDKT67A.js} +8 -8
- package/dist/{slash-VAUFJQBQ.js → slash-Y3E5KBOJ.js} +8 -8
- package/package.json +28 -28
- package/dist/chunk-6G2HA63H.js.map +0 -1
- package/dist/chunk-FGYEICUI.js.map +0 -1
- package/dist/chunk-RV3CJQGC.js.map +0 -1
- package/dist/chunk-TLQVDPEQ.js.map +0 -1
- package/dist/chunk-Z5QQ5OGV.js.map +0 -1
- package/dist/chunk-ZYGUHAHM.js.map +0 -1
- package/dist/dist-2DSARR2V.js.map +0 -1
- package/dist/dist-JQXY4E6A.js.map +0 -1
- /package/dist/{App-DSD2B5RV.js.map → App-4GFCMEPX.js.map} +0 -0
- /package/dist/{App-6WBAUX35.js.map → App-KTUPXXQM.js.map} +0 -0
- /package/dist/{agent-D5GTWGPD.js.map → agent-EYT6BPVT.js.map} +0 -0
- /package/dist/{agent-DOR4KPUH.js.map → agent-KTWFCMY5.js.map} +0 -0
- /package/dist/{chunk-UPP3TOCP.js.map → chunk-3RH5MKZF.js.map} +0 -0
- /package/dist/{chunk-GLWCTGWG.js.map → chunk-4NNXZFPX.js.map} +0 -0
- /package/dist/{chunk-NVA62I52.js.map → chunk-6WGHIUWX.js.map} +0 -0
- /package/dist/{chunk-4LR7LQPG.js.map → chunk-CZILJ33T.js.map} +0 -0
- /package/dist/{chunk-N7JKT44Y.js.map → chunk-GUHXB5DX.js.map} +0 -0
- /package/dist/{chunk-SCGV333Z.js.map → chunk-HKRUCBMI.js.map} +0 -0
- /package/dist/{chunk-PIT7VD46.js.map → chunk-N5V2PGPN.js.map} +0 -0
- /package/dist/{chunk-GF5TKYDA.js.map → chunk-RVQOLZR6.js.map} +0 -0
- /package/dist/{chunk-AH5SFL5J.js.map → chunk-RVXUVX5W.js.map} +0 -0
- /package/dist/{chunk-4PCWPRRN.js.map → chunk-WRO5TVID.js.map} +0 -0
- /package/dist/{dist-4JONNOLT.js.map → dist-7AIEUUFF.js.map} +0 -0
- /package/dist/{dist-7IRVYQYG.js.map → dist-DCJYPRUZ.js.map} +0 -0
- /package/dist/{dist-ESUVKHL4.js.map → dist-DXQQF55Y.js.map} +0 -0
- /package/dist/{dist-IUVHFJV2.js.map → dist-LCPM5BXN.js.map} +0 -0
- /package/dist/{dist-VB7CXEYB.js.map → dist-MKAADC4H.js.map} +0 -0
- /package/dist/{dist-MKWOTCNR.js.map → dist-NQQPQGZU.js.map} +0 -0
- /package/dist/{dist-P2J4GXPC.js.map → dist-NTQ7LFRW.js.map} +0 -0
- /package/dist/{dist-P6IZYZBM.js.map → dist-QFVAD45U.js.map} +0 -0
- /package/dist/{dist-PGQ4UIM4.js.map → dist-RUBJT7FI.js.map} +0 -0
- /package/dist/{dist-RVTIEEXC.js.map → dist-S7FLVLXS.js.map} +0 -0
- /package/dist/{dist-T6BIJZSD.js.map → dist-U3G5HT5D.js.map} +0 -0
- /package/dist/{dist-TS5U3BDK.js.map → dist-UETKBS6A.js.map} +0 -0
- /package/dist/{dist-ODBEXWTS.js.map → dist-WLMQD6I5.js.map} +0 -0
- /package/dist/{dist-VECPW2NV.js.map → dist-Y5FZXOVL.js.map} +0 -0
- /package/dist/{handler-VOVQRV5B.js.map → handler-CPXQZBSW.js.map} +0 -0
- /package/dist/{handler-MHEFUP32.js.map → handler-FIBSROM4.js.map} +0 -0
- /package/dist/{mcp-server-C732TVIQ.js.map → mcp-server-56FVMXTC.js.map} +0 -0
- /package/dist/{mcp-server-JUYR37EX.js.map → mcp-server-XXUZDYW6.js.map} +0 -0
- /package/dist/{roles-LDNPU3NI.js.map → roles-CJTZSFFW.js.map} +0 -0
- /package/dist/{roles-QTZ54BOF.js.map → roles-MVBHE5QW.js.map} +0 -0
- /package/dist/{slash-VAUFJQBQ.js.map → slash-WFDKT67A.js.map} +0 -0
- /package/dist/{slash-VYIMEVPU.js.map → slash-Y3E5KBOJ.js.map} +0 -0
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../godmode/src/prompt.ts","../../godmode/src/connector-registry.ts","../../godmode/src/blast-radius.ts","../../godmode/src/product-connector.ts","../../godmode/src/connectors/github/client.ts","../../godmode/src/connectors/github/tools/repo.ts","../../godmode/src/connectors/github/tools/webhook.ts","../../godmode/src/connectors/github/tools/pr-review.ts","../../godmode/src/connectors/github/prompt.ts","../../godmode/src/connectors/github/index.ts","../../godmode/src/product-factory.ts","../../godmode/src/signing.ts","../../godmode/src/jwt.ts","../../godmode/src/manifest.ts"],"sourcesContent":["/**\n * God Mode System Prompt — dynamically built from healthy connectors.\n *\n * The prompt describes capabilities (not products), so swapping\n * CrowdStrike for SentinelOne changes a connector file, not the UX.\n */\n\nimport type {\n GodModeConfig,\n GodModeConnectionResult,\n ConnectorCapability,\n} from \"./types.js\";\n\n/** Map capabilities to human-readable descriptions for the prompt. 
*/\nconst CAPABILITY_LABELS: Record<ConnectorCapability, string> = {\n \"endpoint-management\":\n \"device management (status, protection, isolation, scanning)\",\n \"endpoint-security\": \"endpoint security (EDR, antivirus, compliance)\",\n backup: \"backup management (coverage, status, retry, health assessment)\",\n \"service-discovery\": \"asset discovery (inventory, classification, merging)\",\n \"email-security\": \"email security (threat scanning, verdicts, feedback)\",\n communication: \"communication management\",\n \"trust-graph\": \"trust graph analysis (identity relationships, attack paths)\",\n quarantine: \"message quarantine (isolate, release, bulk actions)\",\n compute: \"VM management (create, destroy, status, migrate)\",\n storage: \"storage management (volumes, snapshots, restore)\",\n network: \"network management (VLANs, firewalls, IPs, WireGuard)\",\n migration: \"live migration (cross-platform VM migration)\",\n marketing: \"marketing automation\",\n \"lead-management\": \"lead qualification and enrichment\",\n campaigns: \"campaign management (launch, status, analytics)\",\n infrastructure: \"infrastructure as code (Terraform plan/apply)\",\n dns: \"DNS management (records, propagation)\",\n deployment: \"deployment management\",\n \"user-management\": \"user management (status, access control)\",\n \"access-control\": \"access control (enable, disable, password reset)\",\n compliance: \"compliance auditing (SOC 2, HIPAA, PCI-DSS, GDPR)\",\n audit: \"audit logging\",\n evidence: \"evidence chain (cryptographic, tamper-evident)\",\n};\n\nexport function buildGodModePrompt(\n connected: GodModeConnectionResult[\"connectedSystems\"],\n config: GodModeConfig,\n): { text: string; cacheable: boolean } {\n const deferred = config.deferToolSchemas === true;\n if (connected.length === 0) {\n return {\n text: \"## God Mode\\n\\nNo systems connected. 
Configure connectors in brainstorm.toml [godmode] section.\",\n cacheable: true,\n };\n }\n\n const sections: string[] = [];\n\n sections.push(`## God Mode — Infrastructure Control Plane\n\nYou have authority over ${connected.length} connected system(s). Translate natural language into actions.`);\n\n // Connected systems with capabilities\n sections.push(\"\\n### Connected Systems\\n\");\n for (const sys of connected) {\n const caps = sys.capabilities\n .map((c) => CAPABILITY_LABELS[c] ?? c)\n .join(\", \");\n sections.push(`- **${sys.displayName}** (${sys.latencyMs}ms): ${caps}`);\n }\n\n if (deferred) {\n sections.push(`\n### Tool Discovery\n\nConnector tool schemas are deferred — only their names and descriptions are\nloaded. To use a connector tool, first call \\`tool_search\\` with keywords\nthat match the capability you need (e.g. \"isolate endpoint\", \"quarantine\nmessage\", \"create vm\"). Matching tools become available in the next turn.\nChangeSet meta-tools (\\`gm_changeset_*\\`) are always available without\nsearch.`);\n }\n\n // Safety protocol\n sections.push(`\n### Safety Protocol\n\nEvery destructive action returns a **ChangeSet** — a simulation of what will happen. You MUST:\n1. Present the ChangeSet to the user: what changes, risk score, cascades, estimated duration\n2. Wait for explicit approval before calling \\`gm_changeset_approve\\`\n3. If risk score > 50, warn the user explicitly about each risk factor\n4. Never auto-approve ChangeSet execution — always present and wait\n5. If the user says \"no\" or \"cancel\", call \\`gm_changeset_reject\\`\n\n### Entity Resolution\n\nUsers refer to things by name (\"John's computer\", \"the QA server\"), not system IDs.\n1. Call the relevant status/search/list tool to resolve the entity\n2. If multiple matches, present options and ask the user to pick\n3. 
If no match, say so and suggest alternative search terms\n\n### Cross-System Actions\n\nWhen a request involves multiple systems (e.g., \"disable Todd everywhere\"):\n1. Identify all systems that need to act\n2. Call each system's tools in sequence\n3. Present a unified summary of ALL changesets before requesting approval\n4. One approval gates everything`);\n\n return {\n text: sections.join(\"\\n\"),\n cacheable: true,\n };\n}\n","/**\n * Connector Registry — auto-discovery and health monitoring.\n *\n * On startup, probes each configured connector's health endpoint.\n * Healthy connectors get their tools registered. Unhealthy ones are skipped\n * with an error message. The system prompt is dynamically built from\n * whatever is healthy.\n */\n\nimport type { BrainstormToolDef } from \"@brainst0rm/tools\";\nimport type {\n GodModeConnector,\n GodModeConfig,\n GodModeConnectionResult,\n} from \"./types.js\";\nimport { getChangeSetTools } from \"./changeset.js\";\nimport { buildGodModePrompt } from \"./prompt.js\";\n\n/**\n * Connect all configured God Mode connectors.\n *\n * 1. Probe each connector's health endpoint\n * 2. Register healthy connectors' tools into the ToolRegistry\n * 3. Register ChangeSet tools (always)\n * 4. Build dynamic system prompt from healthy connectors\n * 5. Return connection results\n */\n/** Duck-typed registry — accepts anything with a register(tool) method. 
*/\ninterface ToolRegistryLike {\n register(tool: BrainstormToolDef): void;\n}\n\nexport async function connectGodMode(\n registry: ToolRegistryLike,\n config: GodModeConfig,\n connectors: GodModeConnector[],\n): Promise<GodModeConnectionResult> {\n const connected: GodModeConnectionResult[\"connectedSystems\"] = [];\n const errors: GodModeConnectionResult[\"errors\"] = [];\n\n // Health check all connectors in parallel (15s timeout per connector).\n // Caller-owned timer + AbortController so the listener is cleaned up when\n // healthCheck() wins the race — otherwise the abort handler stays attached\n // to an AbortSignal.timeout() and fires on an already-resolved promise\n // 15s later, leaking the reject closure per connector per run.\n const HEALTH_CHECK_TIMEOUT_MS = 15_000;\n const results = await Promise.allSettled(\n connectors.map(async (connector) => {\n const timeoutController = new AbortController();\n const timeoutTimer = setTimeout(\n () => timeoutController.abort(),\n HEALTH_CHECK_TIMEOUT_MS,\n );\n try {\n const health = await Promise.race([\n connector.healthCheck(),\n new Promise<never>((_, reject) => {\n timeoutController.signal.addEventListener(\n \"abort\",\n () =>\n reject(\n new Error(\n `Health check timeout (${HEALTH_CHECK_TIMEOUT_MS}ms)`,\n ),\n ),\n { once: true },\n );\n }),\n ]);\n return { connector, health };\n } finally {\n clearTimeout(timeoutTimer);\n }\n }),\n );\n\n // Register healthy connectors' tools\n for (const result of results) {\n if (result.status === \"rejected\") {\n continue;\n }\n\n const { connector, health } = result.value;\n\n if (!health.ok) {\n errors.push({\n name: connector.name,\n error: health.message ?? `Health check failed (${health.latencyMs}ms)`,\n });\n continue;\n }\n\n // Register all tools from this connector. 
When Code Mode is enabled,\n // mark each as deferred so the schema stays out of the prompt until\n // the model resolves it via `tool_search`.\n const tools = connector.getTools();\n for (const tool of tools) {\n if (config.deferToolSchemas) {\n tool.deferred = true;\n }\n registry.register(tool);\n }\n\n connected.push({\n name: connector.name,\n displayName: connector.displayName,\n capabilities: connector.capabilities,\n latencyMs: health.latencyMs,\n toolCount: tools.length,\n });\n }\n\n // Always register ChangeSet tools\n const csTools = getChangeSetTools();\n for (const tool of csTools) {\n registry.register(tool);\n }\n\n // Build dynamic prompt — base + connector-specific intelligence\n const promptSegment = buildGodModePrompt(connected, config);\n\n // Append connector-specific prompt segments (e.g., agent OODA intelligence)\n for (const result of results) {\n if (result.status !== \"fulfilled\") continue;\n const { connector, health } = result.value;\n if (!health.ok) continue;\n if (typeof connector.getPrompt === \"function\") {\n promptSegment.text += \"\\n\" + connector.getPrompt();\n }\n }\n\n return {\n connectedSystems: connected,\n errors,\n promptSegment,\n totalTools:\n connected.reduce((sum, c) => sum + c.toolCount, 0) + csTools.length,\n };\n}\n","/**\n * Blast Radius Computation — maps code changes to affected symbols and sectors.\n *\n * When a ChangeSet simulation runs, this module queries the code knowledge graph\n * to compute the structural blast radius: what functions are transitively affected,\n * which community sectors are impacted, and what the risk multiplier is.\n *\n * Critical sectors (auth, crypto, parsing) multiply the risk score.\n */\n\nimport type { BlastRadius } from \"./types.js\";\nimport { createLogger } from \"@brainst0rm/shared\";\n\n/** Escape SQL LIKE wildcards to prevent unintended pattern matching. 
*/\nfunction escapeLike(s: string): string {\n return s.replace(/%/g, \"\\\\%\").replace(/_/g, \"\\\\_\");\n}\n\nconst log = createLogger(\"blast-radius\");\n\n/** Tier-based risk multipliers. */\nconst TIER_RISK: Record<string, number> = {\n critical: 3.0,\n complex: 1.5,\n standard: 1.0,\n simple: 0.5,\n};\n\n/**\n * Compute blast radius for a set of changed files using the code graph.\n *\n * The graph parameter is duck-typed to avoid a hard dependency on @brainst0rm/code-graph.\n * It needs: getDb(), impactAnalysis(), findDefinition()\n */\nexport function computeBlastRadius(\n changedFiles: string[],\n graph: {\n getDb: () => any;\n impactAnalysis: (\n name: string,\n maxDepth?: number,\n ) => Array<{ name: string; depth: number; file: string }>;\n findDefinition: (name: string) => any[];\n },\n maxDepth = 3,\n): BlastRadius {\n const db = graph.getDb();\n const allAffected = new Map<\n string,\n { name: string; file: string; depth: number }\n >();\n const affectedCommunityIds = new Set<string>();\n\n for (const file of changedFiles) {\n // Find all functions defined in this file\n const functions = db\n .prepare(\"SELECT name FROM functions WHERE file = ? OR file LIKE ?\")\n .all(file, `%${escapeLike(file)}`) as Array<{ name: string }>;\n\n for (const fn of functions) {\n // Run impact analysis (transitive callers)\n const impact = graph.impactAnalysis(fn.name, maxDepth);\n for (const item of impact) {\n if (!allAffected.has(item.name)) {\n allAffected.set(item.name, item);\n }\n }\n }\n\n // Find which communities contain nodes in this file\n const communities = db\n .prepare(\n \"SELECT DISTINCT community_id FROM nodes WHERE (file = ? OR file LIKE ?) 
AND community_id IS NOT NULL\",\n )\n .all(file, `%${escapeLike(file)}`) as Array<{ community_id: string }>;\n\n for (const c of communities) {\n affectedCommunityIds.add(c.community_id);\n }\n }\n\n // Also find communities of transitively affected symbols\n for (const [, item] of allAffected) {\n const nodes = db\n .prepare(\n \"SELECT community_id FROM nodes WHERE name = ? AND community_id IS NOT NULL\",\n )\n .all(item.name) as Array<{ community_id: string }>;\n for (const n of nodes) {\n affectedCommunityIds.add(n.community_id);\n }\n }\n\n // Build community details\n const affectedCommunities: BlastRadius[\"affectedCommunities\"] = [];\n for (const communityId of affectedCommunityIds) {\n const community = db\n .prepare(\"SELECT id, name, metadata_json FROM communities WHERE id = ?\")\n .get(communityId) as\n | { id: string; name: string; metadata_json: string }\n | undefined;\n\n if (community) {\n let tier = \"standard\";\n try {\n const meta = JSON.parse(community.metadata_json);\n tier = meta.tier ?? \"standard\";\n } catch {\n /* ignore */\n }\n\n affectedCommunities.push({\n id: community.id,\n name: community.name ?? communityId,\n tier,\n });\n }\n }\n\n // Compute risk multiplier — max tier risk across all affected communities\n let riskMultiplier = 1.0;\n for (const c of affectedCommunities) {\n const tierRisk = TIER_RISK[c.tier] ?? 
1.0;\n if (tierRisk > riskMultiplier) riskMultiplier = tierRisk;\n }\n\n const result: BlastRadius = {\n affectedSymbols: Array.from(allAffected.values()),\n affectedCommunities,\n riskMultiplier,\n totalAffected: allAffected.size,\n };\n\n log.debug(\n {\n changedFiles: changedFiles.length,\n totalAffected: result.totalAffected,\n communities: affectedCommunities.length,\n riskMultiplier,\n },\n \"Blast radius computed\",\n );\n\n return result;\n}\n","/**\n * Generic Product Connector — talks to ANY product implementing the platform contract.\n *\n * Replaces product-specific connectors (MSPConnector, EmailConnector, VMConnector).\n * Discovers tools at runtime by fetching GET /api/v1/god-mode/tools from the product.\n * Executes tools via POST /api/v1/god-mode/execute.\n *\n * Adding a new product to the platform = adding a config entry. Zero code changes.\n */\n\nimport { z } from \"zod\";\nimport { defineTool, type BrainstormToolDef } from \"@brainst0rm/tools\";\nimport type { ToolPermission } from \"@brainst0rm/shared\";\nimport type {\n GodModeConnector,\n ConnectorCapability,\n ConnectorConfig,\n HealthResult,\n} from \"./types.js\";\nimport { createChangeSet, registerExecutor } from \"./changeset.js\";\n\n// ── JSONSchema → Zod Converter ──────────────────────────────────\n\n/**\n * Convert a JSONSchema property to a Zod schema.\n * Handles the subset used by God Mode tool definitions.\n */\nfunction jsonSchemaPropertyToZod(prop: Record<string, unknown>): z.ZodTypeAny {\n const type = prop.type as string | undefined;\n const description = prop.description as string | undefined;\n\n let schema: z.ZodTypeAny;\n\n if (prop.enum && Array.isArray(prop.enum)) {\n const values = prop.enum as [string, ...string[]];\n schema = z.enum(values);\n } else {\n switch (type) {\n case \"string\":\n schema = z.string();\n break;\n case \"number\":\n case \"integer\":\n schema = z.number();\n break;\n case \"boolean\":\n schema = z.boolean();\n break;\n case \"array\": {\n 
const items = prop.items as Record<string, unknown> | undefined;\n schema = z.array(items ? jsonSchemaPropertyToZod(items) : z.any());\n break;\n }\n case \"object\": {\n const nested = prop.properties as\n | Record<string, Record<string, unknown>>\n | undefined;\n if (nested) {\n schema = jsonSchemaToZod(prop);\n } else {\n schema = z.record(z.any());\n }\n break;\n }\n default:\n schema = z.any();\n }\n }\n\n if (description) {\n schema = schema.describe(description);\n }\n\n if (prop.default !== undefined) {\n schema = schema.default(prop.default);\n }\n\n return schema;\n}\n\n/**\n * Convert a JSONSchema object definition to a Zod object schema.\n */\nfunction jsonSchemaToZod(schema: Record<string, unknown>): z.ZodObject<any> {\n const properties = (schema.properties ?? {}) as Record<\n string,\n Record<string, unknown>\n >;\n const required = new Set((schema.required ?? []) as string[]);\n\n const shape: Record<string, z.ZodTypeAny> = {};\n for (const [key, prop] of Object.entries(properties)) {\n let fieldSchema = jsonSchemaPropertyToZod(prop);\n if (!required.has(key)) {\n fieldSchema = fieldSchema.optional();\n }\n shape[key] = fieldSchema;\n }\n\n return z.object(shape);\n}\n\n// ── Permission Mapping ──────────────────────────────────────────\n\nfunction riskToPermission(\n riskLevel: string,\n requiresChangeset: boolean,\n): ToolPermission {\n if (riskLevel === \"read_only\") return \"auto\";\n if (riskLevel === \"low\" && !requiresChangeset) return \"auto\";\n return \"confirm\";\n}\n\n// ── Product Connector ───────────────────────────────────────────\n\n/**\n * Server tool shape from GET /api/v1/god-mode/tools.\n */\ninterface ServerTool {\n name: string;\n domain: string;\n product: string;\n description: string;\n parameters: Record<string, unknown>;\n risk_level: string;\n requires_changeset: boolean;\n evidence_type?: string;\n}\n\nexport class ProductConnector implements GodModeConnector {\n name: string;\n displayName: string;\n capabilities: 
ConnectorCapability[] = [];\n\n private config: ConnectorConfig & { displayName?: string };\n private tools: BrainstormToolDef[] = [];\n private initialized = false;\n\n constructor(id: string, config: ConnectorConfig & { displayName?: string }) {\n this.name = id;\n this.displayName =\n config.displayName ?? id.charAt(0).toUpperCase() + id.slice(1);\n this.config = config;\n }\n\n /**\n * Fetch tool definitions from the product server.\n * Must be called before getTools(). Failures are non-fatal.\n */\n async initialize(): Promise<void> {\n try {\n const res = await this.apiFetch(\"/api/v1/god-mode/tools\");\n\n if (res.error) {\n console.warn(\n `[godmode] ${this.displayName}: tools endpoint unavailable — ${res.error}`,\n );\n this.initialized = true;\n return;\n }\n\n // Server may return { tools: [...] } or { data: [...] } or just [...]\n const serverTools: ServerTool[] =\n res.tools ?? res.data ?? (Array.isArray(res) ? res : []);\n\n // Derive capabilities from tool domains\n const domains = new Set(serverTools.map((t) => t.domain));\n this.capabilities = [...domains] as ConnectorCapability[];\n\n // Update display name from server if available\n if (res.product) {\n this.displayName = `Brainstorm${res.product.charAt(0).toUpperCase() + res.product.slice(1)}`;\n }\n\n // Convert each server tool to a BrainstormToolDef\n this.tools = serverTools.map((st) => this.convertTool(st));\n this.initialized = true;\n } catch (err) {\n const msg = err instanceof Error ? 
err.message : String(err);\n console.warn(\n `[godmode] ${this.displayName}: initialization failed — ${msg}`,\n );\n this.initialized = true;\n }\n }\n\n async healthCheck(): Promise<HealthResult> {\n const start = Date.now();\n try {\n const res = await this.apiFetch(\"/health\");\n const latencyMs = Date.now() - start;\n\n if (res.error) {\n return { ok: false, latencyMs, message: res.error };\n }\n\n return {\n ok: res.status === \"healthy\" || res.status === \"ok\" || !!res.status,\n latencyMs,\n message: res.version ? `v${res.version}` : undefined,\n };\n } catch {\n return {\n ok: false,\n latencyMs: Date.now() - start,\n message: \"Unreachable\",\n };\n }\n }\n\n getTools(): BrainstormToolDef[] {\n return this.tools;\n }\n\n // ── Tool Conversion ─────────────────────────────────────────\n\n private convertTool(serverTool: ServerTool): BrainstormToolDef {\n // Convert dots to underscores for AI SDK compatibility\n const toolName = serverTool.name.replace(/\\./g, \"_\");\n const inputSchema = jsonSchemaToZod(serverTool.parameters);\n const permission = riskToPermission(\n serverTool.risk_level,\n serverTool.requires_changeset,\n );\n const readonly = serverTool.risk_level === \"read_only\";\n const connector = this;\n\n if (serverTool.requires_changeset) {\n return this.createChangeSetTool(\n toolName,\n serverTool,\n inputSchema,\n permission,\n );\n }\n\n return defineTool({\n name: toolName,\n description: serverTool.description,\n permission,\n readonly,\n inputSchema,\n async execute(params) {\n const result = await connector.apiFetch(\"/api/v1/god-mode/execute\", {\n method: \"POST\",\n body: JSON.stringify({\n tool: serverTool.name,\n params,\n }),\n });\n\n if (result.error) return { error: result.error };\n return result.data ?? 
result;\n },\n });\n }\n\n private createChangeSetTool(\n toolName: string,\n serverTool: ServerTool,\n inputSchema: z.ZodObject<any>,\n permission: ToolPermission,\n ): BrainstormToolDef {\n const connector = this;\n // Namespace executor key by connector to prevent cross-product collision\n const executorKey = `${this.name}:${toolName}`;\n\n // Register a generic executor for when changesets are approved\n registerExecutor(executorKey, async (cs) => {\n // Extract original params from the changeset's simulation statePreview\n const originalParams = (cs.simulation.statePreview as any)\n ?.originalParams;\n const result = await connector.apiFetch(\"/api/v1/god-mode/execute\", {\n method: \"POST\",\n body: JSON.stringify({\n tool: serverTool.name,\n params: originalParams ?? {},\n simulate: false,\n }),\n });\n\n if (result.error) return { success: false, message: result.error };\n return {\n success: true,\n message: result.message ?? `Executed ${serverTool.name}`,\n rollbackData: result.rollbackData,\n };\n });\n\n return defineTool({\n name: toolName,\n description: serverTool.description,\n permission,\n inputSchema,\n async execute(params) {\n // Step 1: Simulate\n const simResult = await connector.apiFetch(\"/api/v1/god-mode/execute\", {\n method: \"POST\",\n body: JSON.stringify({\n tool: serverTool.name,\n params,\n simulate: true,\n }),\n });\n\n if (simResult.error) return { error: simResult.error };\n\n // Step 2: Create ChangeSet from simulation\n const simulation = simResult.simulation ?? {\n success: true,\n statePreview: { ...simResult.data, originalParams: params },\n cascades: simResult.cascades ?? [],\n constraints: simResult.constraints ?? [],\n estimatedDuration: simResult.estimatedDuration ?? 
\"< 1 minute\",\n };\n\n // Preserve original params in simulation for the executor\n if (\n simulation.statePreview &&\n typeof simulation.statePreview === \"object\"\n ) {\n (simulation.statePreview as any).originalParams = params;\n }\n\n const changeset = createChangeSet({\n connector: connector.name,\n action: executorKey, // Namespaced to prevent cross-product collision\n description: simResult.description ?? `Execute ${serverTool.name}`,\n changes: simResult.changes ?? [\n {\n system: connector.name,\n entity: `${serverTool.domain}:${JSON.stringify(params).slice(0, 50)}`,\n operation: \"execute\",\n },\n ],\n simulation,\n });\n\n return {\n changeset_id: changeset.id,\n status: \"pending_approval\",\n risk_score: changeset.riskScore,\n risk_factors: changeset.riskFactors,\n description: changeset.description,\n message:\n \"ChangeSet created. Present the simulation to the user and wait for approval before calling gm_changeset_approve.\",\n };\n },\n });\n }\n\n // ── HTTP Client ─────────────────────────────────────────────\n\n private async apiFetch(\n path: string,\n options?: RequestInit & { timeout?: number },\n ): Promise<any> {\n const key = this.resolveApiKey();\n if (!key) {\n return {\n error: `No API key for ${this.displayName} (${this.config.apiKeyName})`,\n };\n }\n\n const url = `${this.config.baseUrl}${path}`;\n\n // Enforce HTTPS for non-local connections\n if (\n !url.startsWith(\"https://\") &&\n !url.startsWith(\"http://localhost\") &&\n !url.startsWith(\"http://127.0.0.1\")\n ) {\n return {\n error: `${this.displayName}: HTTPS required for non-local connections`,\n };\n }\n\n const timeout = options?.timeout ?? 10_000;\n\n try {\n const res = await fetch(url, {\n ...options,\n headers: {\n Authorization: `Bearer ${key}`,\n \"Content-Type\": \"application/json\",\n ...((options?.headers as Record<string, string>) ?? 
{}),\n },\n signal: AbortSignal.timeout(timeout),\n });\n\n if (!res.ok) {\n const body = await res.text().catch(() => \"\");\n return {\n error: `${this.displayName} API ${res.status}: ${body.slice(0, 200)}`,\n };\n }\n\n return res.json();\n } catch (error) {\n const msg = error instanceof Error ? error.message : String(error);\n return { error: `${this.displayName} API error: ${msg}` };\n }\n }\n\n private resolveApiKey(): string | null {\n return (\n process.env[`_GM_${this.name.toUpperCase()}_KEY`] ??\n process.env[this.config.apiKeyName] ??\n null\n );\n }\n}\n","/**\n * GitHub REST API Client — handles PAT and GitHub App authentication.\n *\n * PAT mode: Bearer token in Authorization header.\n * App mode: Sign JWT with RS256 private key → exchange for installation token.\n *\n * Uses native fetch. No external HTTP libraries.\n */\n\nimport { createLogger } from \"@brainst0rm/shared\";\n\nconst log = createLogger(\"github-client\");\n\nconst GITHUB_API = \"https://api.github.com\";\n\nexport interface GitHubClientConfig {\n /** Personal access token (PAT mode). */\n token?: string;\n /** GitHub App private key PEM (App mode). */\n appPrivateKey?: string;\n /** GitHub App ID (App mode). */\n appId?: string;\n /** Installation ID for the org (App mode). */\n installationId?: string;\n}\n\nexport class GitHubClient {\n private token: string | null;\n private installationToken: string | null = null;\n private installationTokenExpiresAt = 0;\n private config: GitHubClientConfig;\n\n constructor(config: GitHubClientConfig) {\n this.config = config;\n this.token = config.token ?? null;\n }\n\n /**\n * Make an authenticated GitHub API request.\n */\n async request<T = any>(\n method: string,\n path: string,\n body?: unknown,\n ): Promise<T> {\n const token = await this.resolveToken();\n const url = path.startsWith(\"http\") ? 
path : `${GITHUB_API}${path}`;\n\n const res = await fetch(url, {\n method,\n headers: {\n Authorization: `Bearer ${token}`,\n Accept: \"application/vnd.github+json\",\n \"X-GitHub-Api-Version\": \"2022-11-28\",\n ...(body ? { \"Content-Type\": \"application/json\" } : {}),\n },\n body: body ? JSON.stringify(body) : undefined,\n });\n\n if (!res.ok) {\n const text = await res.text();\n throw new Error(\n `GitHub API ${method} ${path}: ${res.status} ${text.slice(0, 200)}`,\n );\n }\n\n if (res.status === 204) return {} as T;\n return res.json() as Promise<T>;\n }\n\n // ── Repo Operations ─────────────────────────────────────────────\n\n async getRepo(owner: string, repo: string) {\n return this.request(\"GET\", `/repos/${owner}/${repo}`);\n }\n\n async listBranches(owner: string, repo: string) {\n return this.request(\"GET\", `/repos/${owner}/${repo}/branches?per_page=30`);\n }\n\n async compareCommits(\n owner: string,\n repo: string,\n base: string,\n head: string,\n ) {\n return this.request(\n \"GET\",\n `/repos/${owner}/${repo}/compare/${base}...${head}`,\n );\n }\n\n async getContents(owner: string, repo: string, path: string, ref?: string) {\n const query = ref ? 
`?ref=${ref}` : \"\";\n return this.request(\n \"GET\",\n `/repos/${owner}/${repo}/contents/${path}${query}`,\n );\n }\n\n // ── Webhook Operations ──────────────────────────────────────────\n\n async createWebhook(\n owner: string,\n repo: string,\n url: string,\n secret: string,\n events = [\"push\", \"pull_request\"],\n ) {\n return this.request(\"POST\", `/repos/${owner}/${repo}/hooks`, {\n name: \"web\",\n active: true,\n events,\n config: { url, content_type: \"json\", secret, insecure_ssl: \"0\" },\n });\n }\n\n async listWebhooks(owner: string, repo: string) {\n return this.request(\"GET\", `/repos/${owner}/${repo}/hooks`);\n }\n\n async deleteWebhook(owner: string, repo: string, hookId: number) {\n return this.request(\"DELETE\", `/repos/${owner}/${repo}/hooks/${hookId}`);\n }\n\n // ── PR Operations ───────────────────────────────────────────────\n\n async getPR(owner: string, repo: string, number: number) {\n return this.request(\"GET\", `/repos/${owner}/${repo}/pulls/${number}`);\n }\n\n async getPRFiles(owner: string, repo: string, number: number) {\n return this.request(\n \"GET\",\n `/repos/${owner}/${repo}/pulls/${number}/files?per_page=100`,\n );\n }\n\n async createReview(\n owner: string,\n repo: string,\n number: number,\n body: string,\n event: \"APPROVE\" | \"REQUEST_CHANGES\" | \"COMMENT\" = \"COMMENT\",\n comments?: Array<{ path: string; line: number; body: string }>,\n ) {\n return this.request(\n \"POST\",\n `/repos/${owner}/${repo}/pulls/${number}/reviews`,\n {\n body,\n event,\n comments,\n },\n );\n }\n\n // ── Check Runs ──────────────────────────────────────────────────\n\n async createCheckRun(\n owner: string,\n repo: string,\n opts: {\n name: string;\n headSha: string;\n status: \"queued\" | \"in_progress\" | \"completed\";\n conclusion?: \"success\" | \"failure\" | \"action_required\" | \"neutral\";\n summary?: string;\n text?: string;\n },\n ) {\n return this.request(\"POST\", `/repos/${owner}/${repo}/check-runs`, {\n name: 
opts.name,\n head_sha: opts.headSha,\n status: opts.status,\n ...(opts.conclusion ? { conclusion: opts.conclusion } : {}),\n output: opts.summary\n ? {\n title: opts.name,\n summary: opts.summary,\n text: opts.text,\n }\n : undefined,\n });\n }\n\n // ── Health ──────────────────────────────────────────────────────\n\n async healthCheck(): Promise<{\n ok: boolean;\n latencyMs: number;\n user?: string;\n }> {\n const start = Date.now();\n try {\n const user = await this.request<{ login: string }>(\"GET\", \"/user\");\n return { ok: true, latencyMs: Date.now() - start, user: user.login };\n } catch (err: any) {\n return { ok: false, latencyMs: Date.now() - start };\n }\n }\n\n // ── Token Resolution ────────────────────────────────────────────\n\n private async resolveToken(): Promise<string> {\n if (this.token) return this.token;\n\n // GitHub App mode — exchange app JWT for installation token\n if (\n this.config.appPrivateKey &&\n this.config.appId &&\n this.config.installationId\n ) {\n if (\n this.installationToken &&\n Date.now() < this.installationTokenExpiresAt\n ) {\n return this.installationToken;\n }\n this.installationToken = await this.exchangeForInstallationToken();\n this.installationTokenExpiresAt = Date.now() + 55 * 60 * 1000; // 55 min (tokens last 60)\n return this.installationToken;\n }\n\n throw new Error(\n \"No GitHub authentication configured. 
Set GITHUB_TOKEN or configure GitHub App.\",\n );\n }\n\n private async exchangeForInstallationToken(): Promise<string> {\n // Sign JWT with the app's private key using node:crypto RS256\n const appJwt = await this.createAppJwt();\n\n const res = await fetch(\n `${GITHUB_API}/app/installations/${this.config.installationId}/access_tokens`,\n {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${appJwt}`,\n Accept: \"application/vnd.github+json\",\n },\n },\n );\n\n if (!res.ok) {\n throw new Error(`GitHub App token exchange failed: ${res.status}`);\n }\n\n const data = (await res.json()) as { token: string };\n log.info(\"GitHub App installation token acquired\");\n return data.token;\n }\n\n private async createAppJwt(): Promise<string> {\n // RS256 JWT for GitHub App authentication\n // Payload: iss=appId, iat=now-60, exp=now+600\n const { createPrivateKey, sign } = await import(\"node:crypto\");\n\n const now = Math.floor(Date.now() / 1000);\n const header = Buffer.from(\n JSON.stringify({ alg: \"RS256\", typ: \"JWT\" }),\n ).toString(\"base64url\");\n const payload = Buffer.from(\n JSON.stringify({\n iss: this.config.appId,\n iat: now - 60,\n exp: now + 600,\n }),\n ).toString(\"base64url\");\n\n const key = createPrivateKey(this.config.appPrivateKey!);\n const signature = sign(\n \"RSA-SHA256\",\n Buffer.from(`${header}.${payload}`),\n key,\n ).toString(\"base64url\");\n\n return `${header}.${payload}.${signature}`;\n }\n}\n","/**\n * GitHub Repository Tools — repo info, branches, compare commits.\n */\n\nimport { z } from \"zod\";\nimport { defineTool, type BrainstormToolDef } from \"@brainst0rm/tools\";\nimport type { GitHubClient } from \"../client.js\";\n\nexport function createRepoTools(\n client: GitHubClient,\n owner: string,\n repo: string,\n): BrainstormToolDef[] {\n return [\n defineTool({\n name: \"github_repo_info\",\n description: `Get repository metadata for ${owner}/${repo}: languages, topics, default branch, visibility, size.`,\n 
permission: \"auto\" as const,\n inputSchema: z.object({}),\n async execute() {\n const data = await client.getRepo(owner, repo);\n return {\n name: data.full_name,\n description: data.description,\n language: data.language,\n topics: data.topics,\n defaultBranch: data.default_branch,\n visibility: data.visibility,\n size: data.size,\n openIssues: data.open_issues_count,\n updatedAt: data.updated_at,\n };\n },\n }),\n\n defineTool({\n name: \"github_branches\",\n description: `List branches for ${owner}/${repo} with protection status.`,\n permission: \"auto\" as const,\n inputSchema: z.object({}),\n async execute() {\n const branches = await client.listBranches(owner, repo);\n return branches.map((b: any) => ({\n name: b.name,\n protected: b.protected,\n sha: b.commit.sha.slice(0, 8),\n }));\n },\n }),\n\n defineTool({\n name: \"github_compare\",\n description: `Compare two git refs in ${owner}/${repo}. Shows changed files, commits, and stats.`,\n permission: \"auto\" as const,\n inputSchema: z.object({\n base: z.string().describe(\"Base ref (branch, tag, or SHA)\"),\n head: z.string().describe(\"Head ref to compare against base\"),\n }),\n async execute({ base, head }) {\n const data = await client.compareCommits(owner, repo, base, head);\n return {\n status: data.status,\n aheadBy: data.ahead_by,\n behindBy: data.behind_by,\n totalCommits: data.total_commits,\n files: (data.files ?? 
[]).map((f: any) => ({\n filename: f.filename,\n status: f.status,\n additions: f.additions,\n deletions: f.deletions,\n changes: f.changes,\n })),\n };\n },\n }),\n ];\n}\n","/**\n * GitHub Webhook Tools — create and manage webhooks.\n */\n\nimport { z } from \"zod\";\nimport { defineTool, type BrainstormToolDef } from \"@brainst0rm/tools\";\nimport type { GitHubClient } from \"../client.js\";\n\nexport function createWebhookTools(\n client: GitHubClient,\n owner: string,\n repo: string,\n): BrainstormToolDef[] {\n return [\n defineTool({\n name: \"github_webhook_create\",\n description: `Register a webhook on ${owner}/${repo} to receive push and PR events.`,\n permission: \"confirm\" as const,\n inputSchema: z.object({\n url: z\n .string()\n .describe(\n \"Webhook delivery URL (e.g., https://your-server.com/api/v1/webhooks/github)\",\n ),\n secret: z\n .string()\n .describe(\"Shared secret for HMAC signature verification\"),\n events: z\n .array(z.string())\n .optional()\n .describe(\"Events to subscribe to (default: push, pull_request)\"),\n }),\n async execute({ url, secret, events }) {\n const result = await client.createWebhook(\n owner,\n repo,\n url,\n secret,\n events,\n );\n return {\n id: result.id,\n url: result.config.url,\n events: result.events,\n active: result.active,\n createdAt: result.created_at,\n };\n },\n }),\n\n defineTool({\n name: \"github_webhook_list\",\n description: `List all webhooks configured on ${owner}/${repo}.`,\n permission: \"auto\" as const,\n inputSchema: z.object({}),\n async execute() {\n const hooks = await client.listWebhooks(owner, repo);\n return hooks.map((h: any) => ({\n id: h.id,\n url: h.config.url,\n events: h.events,\n active: h.active,\n lastResponse: h.last_response?.code,\n }));\n },\n }),\n ];\n}\n","/**\n * PR Review Tool — intelligent code review using the knowledge graph.\n *\n * Flow:\n * 1. Fetch PR diff (changed files + patches)\n * 2. Compute blast radius from code graph for each changed file\n * 3. 
Classify sectors touched — determines model tier per file\n * 4. Build structured review with: risk score, affected sectors, line comments\n * 5. Post as GitHub review + create check run for merge gate\n *\n * Model routing: critical sectors (auth, crypto) get QualityTier 1.\n * Simple changes (docs, config) get QualityTier 5. The router decides\n * the actual model — no hardcoded names.\n */\n\nimport { z } from \"zod\";\nimport { defineTool, type BrainstormToolDef } from \"@brainst0rm/tools\";\nimport type { GitHubClient } from \"../client.js\";\nimport { createLogger } from \"@brainst0rm/shared\";\n\nconst log = createLogger(\"pr-review\");\n\nexport interface PRReviewResult {\n prNumber: number;\n filesReviewed: number;\n riskScore: number;\n sectorsAffected: string[];\n criticalSectorsAffected: string[];\n blastRadius: number;\n reviewBody: string;\n checkConclusion: \"success\" | \"action_required\" | \"neutral\";\n cost: number;\n}\n\nexport interface PRReviewOptions {\n client: GitHubClient;\n owner: string;\n repo: string;\n /** Code graph for blast radius computation. Duck-typed to avoid hard dep. */\n graph?: {\n getDb: () => any;\n impactAnalysis: (name: string, maxDepth?: number) => any[];\n findDefinition: (name: string) => any[];\n };\n}\n\nexport function createPRReviewTools(\n opts: PRReviewOptions,\n): BrainstormToolDef[] {\n const { client, owner, repo, graph } = opts;\n\n return [\n defineTool({\n name: \"github_pr_review\",\n description: `Review a pull request on ${owner}/${repo} using code intelligence. 
Computes blast radius, classifies risk by sector, and posts a structured review.`,\n permission: \"confirm\" as const,\n inputSchema: z.object({\n prNumber: z.number().describe(\"PR number to review\"),\n postReview: z\n .boolean()\n .optional()\n .describe(\"Post review to GitHub (default true)\"),\n createCheck: z\n .boolean()\n .optional()\n .describe(\"Create check run for merge gate (default true)\"),\n }),\n async execute({ prNumber, postReview, createCheck }) {\n const shouldPost = postReview !== false;\n const shouldCheck = createCheck !== false;\n\n // Fetch PR metadata + changed files\n const pr = await client.getPR(owner, repo, prNumber);\n const files = await client.getPRFiles(owner, repo, prNumber);\n\n const changedFiles = files.map((f: any) => ({\n filename: f.filename,\n status: f.status,\n additions: f.additions,\n deletions: f.deletions,\n changes: f.changes,\n patch: f.patch?.slice(0, 2000), // Limit patch size for context\n }));\n\n // Compute blast radius from code graph\n let blastRadius = 0;\n const affectedSymbols: Array<{\n name: string;\n file: string;\n depth: number;\n }> = [];\n const sectorsAffected = new Set<string>();\n const criticalSectors = new Set<string>();\n\n if (graph) {\n const db = graph.getDb();\n\n for (const file of changedFiles) {\n // Find functions defined in changed files\n const functions = db\n .prepare(\"SELECT name FROM functions WHERE file LIKE ?\")\n .all(`%${file.filename}`) as Array<{ name: string }>;\n\n for (const fn of functions) {\n const impact = graph.impactAnalysis(fn.name, 3);\n for (const item of impact) {\n affectedSymbols.push(item);\n blastRadius++;\n }\n }\n\n // Find which sectors are touched\n const communities = db\n .prepare(\n \"SELECT DISTINCT c.id, c.name, c.metadata_json FROM nodes n JOIN communities c ON c.id = n.community_id WHERE n.file LIKE ? 
AND n.community_id IS NOT NULL\",\n )\n .all(`%${file.filename}`) as any[];\n\n for (const comm of communities) {\n sectorsAffected.add(comm.name ?? comm.id);\n try {\n const meta = JSON.parse(comm.metadata_json ?? \"{}\");\n if (meta.tier === \"critical\")\n criticalSectors.add(comm.name ?? comm.id);\n } catch {}\n }\n }\n }\n\n // Calculate risk score (0-100)\n let riskScore = 0;\n riskScore += Math.min(30, changedFiles.length * 3); // Files changed\n riskScore += Math.min(20, blastRadius); // Blast radius\n riskScore += criticalSectors.size * 15; // Critical sectors\n riskScore +=\n changedFiles.filter((f: any) => f.deletions > 20).length * 5; // Large deletions\n riskScore = Math.min(100, riskScore);\n\n // Determine check conclusion\n let checkConclusion: \"success\" | \"action_required\" | \"neutral\" =\n \"success\";\n if (criticalSectors.size > 0) checkConclusion = \"action_required\";\n else if (riskScore > 60) checkConclusion = \"action_required\";\n else if (riskScore > 30) checkConclusion = \"neutral\";\n\n // Build review body\n const reviewBody = buildReviewBody({\n pr,\n changedFiles,\n riskScore,\n blastRadius,\n sectorsAffected: Array.from(sectorsAffected),\n criticalSectors: Array.from(criticalSectors),\n affectedSymbols: affectedSymbols.slice(0, 20),\n });\n\n // Post review to GitHub\n if (shouldPost) {\n const event =\n checkConclusion === \"action_required\"\n ? 
\"REQUEST_CHANGES\"\n : \"COMMENT\";\n await client.createReview(\n owner,\n repo,\n prNumber,\n reviewBody,\n event as any,\n );\n log.info(\n { pr: prNumber, riskScore, sectors: sectorsAffected.size },\n \"Review posted\",\n );\n }\n\n // Create check run\n if (shouldCheck) {\n await client.createCheckRun(owner, repo, {\n name: \"Brainstorm Code Intelligence\",\n headSha: pr.head.sha,\n status: \"completed\",\n conclusion: checkConclusion,\n summary: `Risk Score: ${riskScore}/100 | Blast Radius: ${blastRadius} symbols | Sectors: ${sectorsAffected.size} (${criticalSectors.size} critical)`,\n text: reviewBody,\n });\n log.info(\n { pr: prNumber, conclusion: checkConclusion },\n \"Check run created\",\n );\n }\n\n return {\n prNumber,\n filesReviewed: changedFiles.length,\n riskScore,\n sectorsAffected: Array.from(sectorsAffected),\n criticalSectorsAffected: Array.from(criticalSectors),\n blastRadius,\n reviewBody,\n checkConclusion,\n cost: 0, // Tracked by CostTracker in the agent loop\n };\n },\n }),\n ];\n}\n\n// ── Review Body Builder ───────────────────────────────────────────\n\nfunction buildReviewBody(data: {\n pr: any;\n changedFiles: any[];\n riskScore: number;\n blastRadius: number;\n sectorsAffected: string[];\n criticalSectors: string[];\n affectedSymbols: Array<{ name: string; file: string; depth: number }>;\n}): string {\n const {\n riskScore,\n blastRadius,\n sectorsAffected,\n criticalSectors,\n changedFiles,\n affectedSymbols,\n } = data;\n\n const riskEmoji = riskScore > 60 ? \"🔴\" : riskScore > 30 ? 
\"🟡\" : \"🟢\";\n const lines: string[] = [];\n\n lines.push(\n `## ${riskEmoji} Brainstorm Code Review`,\n \"\",\n `**Risk Score:** ${riskScore}/100 | **Blast Radius:** ${blastRadius} affected symbols | **Files Changed:** ${changedFiles.length}`,\n \"\",\n );\n\n if (criticalSectors.length > 0) {\n lines.push(\n \"### ⚠️ Critical Sectors Affected\",\n \"\",\n ...criticalSectors.map(\n (s) => `- **${s}** — requires careful review (QualityTier 1 analysis)`,\n ),\n \"\",\n );\n }\n\n if (sectorsAffected.length > 0) {\n lines.push(\n \"### Sectors Touched\",\n \"\",\n ...sectorsAffected.map((s) => {\n const isCritical = criticalSectors.includes(s);\n return `- ${isCritical ? \"🔴\" : \"🟡\"} ${s}`;\n }),\n \"\",\n );\n }\n\n if (affectedSymbols.length > 0) {\n lines.push(\n \"### Blast Radius — Transitively Affected Functions\",\n \"\",\n \"| Function | File | Depth |\",\n \"|----------|------|-------|\",\n ...affectedSymbols\n .slice(0, 15)\n .map(\n (s) =>\n `| \\`${s.name}\\` | \\`${s.file.split(\"/\").slice(-2).join(\"/\")}\\` | ${s.depth} |`,\n ),\n \"\",\n );\n if (affectedSymbols.length > 15) {\n lines.push(\n `*... 
and ${affectedSymbols.length - 15} more affected symbols*`,\n \"\",\n );\n }\n }\n\n // File summary\n lines.push(\n \"### Changed Files\",\n \"\",\n \"| File | Status | +/- |\",\n \"|------|--------|-----|\",\n ...changedFiles\n .slice(0, 20)\n .map(\n (f: any) =>\n `| \\`${f.filename.split(\"/\").slice(-2).join(\"/\")}\\` | ${f.status} | +${f.additions}/-${f.deletions} |`,\n ),\n \"\",\n );\n\n lines.push(\n \"---\",\n \"*Reviewed by [Brainstorm Code Intelligence Engine](https://github.com/brainstorm)*\",\n );\n\n return lines.join(\"\\n\");\n}\n","/**\n * GitHub system prompt segment — injected when GitHub connector is active.\n */\n\nexport function buildGitHubPrompt(owner: string, repo: string): string {\n return [\n \"## GitHub Integration\",\n \"\",\n `Connected to **${owner}/${repo}** via GitHub API.`,\n \"\",\n \"Available capabilities:\",\n \"- Repository metadata and branch management\",\n \"- Webhook configuration for push/PR events\",\n \"- PR review with blast radius analysis\",\n \"- Check runs for merge gates\",\n \"- Commit comparison for change detection\",\n \"\",\n \"Use `github_compare` to see what changed between branches.\",\n \"Use `github_repo_info` to understand the repository.\",\n \"The webhook auto-reindexes the code graph on every push.\",\n ].join(\"\\n\");\n}\n","/**\n * GitHub God Mode Connector — integrates private GitHub repos into Brainstorm.\n *\n * Follows the GodModeConnector pattern. Provides tools for repo management,\n * webhook configuration, PR review, and compliance. 
Auth via PAT or GitHub App.\n */\n\nimport type {\n GodModeConnector,\n ConnectorCapability,\n HealthResult,\n} from \"../../types.js\";\nimport type { BrainstormToolDef } from \"@brainst0rm/tools\";\nimport { GitHubClient, type GitHubClientConfig } from \"./client.js\";\nimport { createRepoTools } from \"./tools/repo.js\";\nimport { createWebhookTools } from \"./tools/webhook.js\";\nimport { createPRReviewTools } from \"./tools/pr-review.js\";\nimport { buildGitHubPrompt } from \"./prompt.js\";\nimport { createLogger } from \"@brainst0rm/shared\";\n\nconst log = createLogger(\"github-connector\");\n\nexport interface GitHubConnectorConfig {\n /** PAT or installation token. */\n token?: string;\n /** GitHub App private key (PEM). */\n appPrivateKey?: string;\n /** GitHub App ID. */\n appId?: string;\n /** Installation ID. */\n installationId?: string;\n /** Repository owner (org or user). */\n owner: string;\n /** Repository name. */\n repo: string;\n /** Optional code graph for blast radius in PR reviews. */\n graph?: any;\n}\n\nexport class GitHubConnector implements GodModeConnector {\n name = \"github\";\n displayName = \"GitHub\";\n capabilities: ConnectorCapability[] = [\n \"access-control\",\n \"compliance\",\n \"audit\",\n \"deployment\",\n ];\n\n private client: GitHubClient;\n private owner: string;\n private repo: string;\n private graph: any;\n private cachedTools: BrainstormToolDef[] | null = null;\n\n constructor(config: GitHubConnectorConfig) {\n this.owner = config.owner;\n this.repo = config.repo;\n this.graph = config.graph ?? 
null;\n this.client = new GitHubClient({\n token: config.token,\n appPrivateKey: config.appPrivateKey,\n appId: config.appId,\n installationId: config.installationId,\n });\n }\n\n getTools(): BrainstormToolDef[] {\n if (!this.cachedTools) {\n this.cachedTools = [\n ...createRepoTools(this.client, this.owner, this.repo),\n ...createWebhookTools(this.client, this.owner, this.repo),\n ...createPRReviewTools({\n client: this.client,\n owner: this.owner,\n repo: this.repo,\n graph: this.graph,\n }),\n ];\n }\n return this.cachedTools;\n }\n\n async healthCheck(): Promise<HealthResult> {\n const result = await this.client.healthCheck();\n return {\n ok: result.ok,\n latencyMs: result.latencyMs,\n message: result.ok\n ? `Authenticated as ${result.user} for ${this.owner}/${this.repo}`\n : \"GitHub API unreachable or authentication failed\",\n };\n }\n\n getPrompt(): string {\n return buildGitHubPrompt(this.owner, this.repo);\n }\n\n /** Get the underlying client for advanced operations (PR review, checks). */\n getClient(): GitHubClient {\n return this.client;\n }\n}\n\n/**\n * Create a GitHub connector from environment/vault credentials.\n */\nexport function createGitHubConnector(\n owner: string,\n repo: string,\n resolveKey?: (name: string) => string | null,\n): GitHubConnector | null {\n const token = resolveKey?.(\"GITHUB_TOKEN\") ?? process.env.GITHUB_TOKEN;\n const appKey =\n resolveKey?.(\"GITHUB_APP_PRIVATE_KEY\") ??\n process.env.GITHUB_APP_PRIVATE_KEY;\n const appId = resolveKey?.(\"GITHUB_APP_ID\") ?? process.env.GITHUB_APP_ID;\n const installId =\n resolveKey?.(\"GITHUB_INSTALLATION_ID\") ??\n process.env.GITHUB_INSTALLATION_ID;\n\n if (!token && !appKey) {\n log.debug(\"No GitHub credentials found — connector disabled\");\n return null;\n }\n\n return new GitHubConnector({\n token: token ?? undefined,\n appPrivateKey: appKey ?? undefined,\n appId: appId ?? undefined,\n installationId: installId ?? 
undefined,\n owner,\n repo,\n });\n}\n","/**\n * Product Factory — creates generic ProductConnectors from config.\n *\n * Replaces the hardcoded factory map { msp: createMSPConnector, ... }.\n * Adding a new product = adding a [godmode.connectors.X] config entry.\n */\n\nimport { ProductConnector } from \"./product-connector.js\";\nimport type { GodModeConnector, GodModeConfig } from \"./types.js\";\n\n/**\n * Create and initialize ProductConnectors for all enabled connectors in config.\n * Each connector fetches its tool definitions from the product server.\n * Initialization failures are non-fatal — the connector will have 0 tools.\n */\nexport async function createProductConnectors(\n config: GodModeConfig,\n): Promise<GodModeConnector[]> {\n const connectors: GodModeConnector[] = [];\n\n const entries = Object.entries(config.connectors ?? {});\n if (entries.length === 0) return connectors;\n\n // Initialize all connectors in parallel for faster boot\n const results = await Promise.allSettled(\n entries\n .filter(([, cfg]) => cfg.enabled !== false)\n .map(async ([id, cfg]) => {\n const connector = new ProductConnector(id, cfg as any);\n await connector.initialize();\n return connector;\n }),\n );\n\n for (const result of results) {\n if (result.status === \"fulfilled\") {\n connectors.push(result.value);\n }\n // Rejected connectors are already logged by ProductConnector.initialize()\n }\n\n return connectors;\n}\n","/**\n * Platform Event Signing — HMAC-SHA256 with per-tenant key derivation.\n *\n * Every cross-product event is signed so the receiver can verify authenticity\n * and detect tampering. Uses HKDF to derive a per-tenant HMAC key from the\n * platform master secret, so tenants can't forge events for each other.\n *\n * Canonical JSON: keys sorted, no whitespace. 
Deterministic across languages\n * so Python products produce the same signature as TypeScript ones.\n */\n\nimport { createHmac, hkdfSync, randomUUID, timingSafeEqual } from \"node:crypto\";\nimport type { PlatformEvent } from \"@brainst0rm/shared\";\n\nconst HKDF_SALT = Buffer.from(\"brainstorm-platform-events-v1\");\nconst HKDF_INFO = Buffer.from(\"hmac-signing\");\nconst KEY_LENGTH = 32; // 256-bit HMAC key\n\n/**\n * Derive a per-tenant HMAC key from the platform master secret.\n * Uses HKDF-SHA256 with the tenant_id baked into the info parameter,\n * ensuring each tenant gets a unique signing key.\n */\nexport function deriveTenantKey(\n masterSecret: string,\n tenantId: string,\n): Buffer {\n const info = Buffer.concat([HKDF_INFO, Buffer.from(`|${tenantId}`)]);\n return Buffer.from(\n hkdfSync(\"sha256\", masterSecret, HKDF_SALT, info, KEY_LENGTH),\n );\n}\n\n/**\n * Produce canonical JSON for signing.\n * Keys sorted recursively, no whitespace. Matches Python's\n * json.dumps(obj, sort_keys=True, separators=(',', ':'))\n */\nexport function canonicalize(obj: Record<string, unknown>): string {\n // Recursive key-sorted JSON with no whitespace.\n // Matches Python's json.dumps(obj, sort_keys=True, separators=(',', ':'))\n return JSON.stringify(obj, (_key, value) => {\n if (value && typeof value === \"object\" && !Array.isArray(value)) {\n return Object.keys(value)\n .sort()\n .reduce((sorted: Record<string, unknown>, k) => {\n sorted[k] = value[k];\n return sorted;\n }, {});\n }\n return value;\n });\n}\n\n/**\n * Sign a platform event payload.\n * Returns the HMAC-SHA256 hex signature.\n */\nexport function signEvent(\n event: Omit<PlatformEvent, \"signature\">,\n masterSecret: string,\n): string {\n const key = deriveTenantKey(masterSecret, event.tenant_id);\n const payload = canonicalize(event as Record<string, unknown>);\n return createHmac(\"sha256\", key).update(payload).digest(\"hex\");\n}\n\n/**\n * Verify a signed platform event.\n * Uses timing-safe 
comparison to prevent timing attacks.\n */\n/** Maximum age (in seconds) for a platform event to be accepted. */\nconst MAX_EVENT_AGE_SECONDS = 300; // 5 minutes\n\nexport function verifyEvent(\n event: PlatformEvent,\n masterSecret: string,\n): boolean {\n // Reject events without a signature\n if (!event.signature) return false;\n\n // Replay protection: require a parseable timestamp inside the freshness\n // window. A missing or malformed timestamp is treated as a failed check,\n // not skipped — otherwise a captured event could be replayed forever by\n // an attacker who strips or corrupts the timestamp field.\n if (!event.timestamp) return false;\n const eventTime = new Date(event.timestamp).getTime();\n if (Number.isNaN(eventTime)) return false;\n const ageMs = Math.abs(Date.now() - eventTime);\n if (ageMs > MAX_EVENT_AGE_SECONDS * 1000) return false;\n\n const { signature, ...rest } = event;\n const expected = signEvent(rest, masterSecret);\n\n // Timing-safe comparison\n const sigBuf = Buffer.from(signature, \"hex\");\n const expectedBuf = Buffer.from(expected, \"hex\");\n if (sigBuf.length !== expectedBuf.length) return false;\n return timingSafeEqual(sigBuf, expectedBuf);\n}\n\n/**\n * Create a signed PlatformEvent ready for transmission.\n */\nexport function createSignedEvent(\n type: string,\n tenantId: string,\n product: string,\n data: Record<string, unknown>,\n masterSecret: string,\n opts?: { correlationId?: string; schemaVersion?: number },\n): PlatformEvent {\n const unsigned = {\n id: randomUUID(),\n type,\n tenant_id: tenantId,\n product,\n timestamp: new Date().toISOString(),\n data,\n schema_version: opts?.schemaVersion ?? 1,\n ...(opts?.correlationId ? 
{ correlation_id: opts.correlationId } : {}),\n };\n\n const signature = signEvent(unsigned, masterSecret);\n return { ...unsigned, signature };\n}\n","/**\n * JWT verification for the Brainstorm control plane.\n *\n * Verifies Supabase-issued JWTs using the project's JWT secret (HS256).\n * Extracts platform_tenant_id and product roles from claims.\n *\n * Supabase uses HS256 with the project's JWT secret (not RS256/JWKS),\n * so verification is a simple HMAC check — no key rotation complexity.\n */\n\nimport { createHmac, timingSafeEqual } from \"node:crypto\";\n\nexport interface JWTPayload {\n sub: string;\n email?: string;\n role?: string;\n platform_tenant_id?: string;\n platform_role?: string;\n products?: Record<string, { enabled: boolean; role: string }>;\n iat?: number;\n exp?: number;\n aud?: string;\n}\n\nexport interface AuthResult {\n authenticated: boolean;\n payload?: JWTPayload;\n error?: string;\n}\n\n/**\n * Verify a Supabase JWT using the project's JWT secret (HS256).\n * Returns the decoded payload if valid, or an error message.\n */\nexport function verifyJWT(token: string, jwtSecret: string): AuthResult {\n const parts = token.split(\".\");\n if (parts.length !== 3) {\n return { authenticated: false, error: \"Malformed JWT\" };\n }\n\n const [headerB64, payloadB64, signatureB64] = parts;\n\n // Verify HS256 signature\n const signingInput = `${headerB64}.${payloadB64}`;\n const expectedSig = createHmac(\"sha256\", jwtSecret)\n .update(signingInput)\n .digest();\n const actualSig = Buffer.from(signatureB64, \"base64url\");\n\n if (\n expectedSig.length !== actualSig.length ||\n !timingSafeEqual(expectedSig, actualSig)\n ) {\n return { authenticated: false, error: \"Invalid signature\" };\n }\n\n // Decode payload\n let payload: JWTPayload;\n try {\n payload = JSON.parse(\n Buffer.from(payloadB64, \"base64url\").toString(\"utf-8\"),\n );\n } catch {\n return { authenticated: false, error: \"Invalid payload encoding\" };\n }\n\n // Check header 
algorithm\n try {\n const header = JSON.parse(\n Buffer.from(headerB64, \"base64url\").toString(\"utf-8\"),\n );\n if (header.alg !== \"HS256\") {\n return {\n authenticated: false,\n error: `Unsupported algorithm: ${header.alg}`,\n };\n }\n } catch {\n return { authenticated: false, error: \"Invalid header encoding\" };\n }\n\n // Check expiration — require exp claim to prevent indefinite tokens\n if (!payload.exp) {\n return { authenticated: false, error: \"Token missing expiration claim\" };\n }\n if (payload.exp < Math.floor(Date.now() / 1000)) {\n return { authenticated: false, error: \"Token expired\" };\n }\n\n // Require platform_tenant_id — every God Mode call must be tenant-scoped\n if (!payload.platform_tenant_id && !payload.sub) {\n return {\n authenticated: false,\n error: \"Missing subject or platform_tenant_id claim\",\n };\n }\n\n return { authenticated: true, payload };\n}\n\n/**\n * Extract Bearer token from Authorization header.\n */\nexport function extractBearerToken(\n authHeader: string | undefined,\n): string | null {\n if (!authHeader?.startsWith(\"Bearer \")) return null;\n return authHeader.slice(7);\n}\n","/**\n * Product Manifest — schema, loader, and validator.\n *\n * Every product in the Brainstorm platform declares itself via a\n * product-manifest.yaml at its repo root. 
This module defines the\n * schema (Zod), loads/validates manifests, and provides a template\n * generator for bootstrapping new products.\n */\n\nimport { z } from \"zod\";\n\n// ── Schema ──────────────────────────────────────────────────────\n\nconst securityAuthSchema = z.object({\n human: z.enum([\"supabase-jwt\", \"none\"]).default(\"supabase-jwt\"),\n machine: z.enum([\"mtls-spiffe\", \"api-key\", \"none\"]).default(\"api-key\"),\n tenant_claim: z.string().default(\"platform_tenant_id\"),\n});\n\nconst securityEncryptionSchema = z.object({\n credentials: z.enum([\"aes-256-gcm\", \"fernet\", \"none\"]).default(\"aes-256-gcm\"),\n evidence: z.enum([\"hybrid-pqc\", \"ed25519\", \"none\"]).default(\"none\"),\n});\n\nconst securityAuditSchema = z.object({\n signing: z.enum([\"hmac-sha256\", \"none\"]).default(\"hmac-sha256\"),\n retention: z.string().default(\"7y\"),\n});\n\nconst securitySchema = z.object({\n api_base: z.string().url(),\n health: z.string().default(\"/health\"),\n auth: securityAuthSchema.default({}),\n encryption: securityEncryptionSchema.default({}),\n audit: securityAuditSchema.default({}),\n});\n\nconst edgeSchema = z.object({\n plugins: z.array(z.string()).default([]),\n});\n\nconst eventSchema = z.object({\n publishes: z.array(z.string()).default([]),\n subscribes: z.array(z.string()).default([]),\n});\n\nconst capabilitySchema = z.object({\n domain: z.string(),\n});\n\nexport const productManifestSchema = z.object({\n product: z.object({\n id: z\n .string()\n .regex(\n /^[a-z0-9-]+$/,\n \"Product ID must be lowercase alphanumeric + hyphens\",\n ),\n name: z.string(),\n version: z.string(),\n }),\n security: securitySchema,\n capabilities: z.array(capabilitySchema).default([]),\n events: eventSchema.default({}),\n edge: edgeSchema.default({}),\n});\n\nexport type ProductManifest = z.infer<typeof productManifestSchema>;\n\n// ── Loader ──────────────────────────────────────────────────────\n\n/**\n * Parse and validate a product manifest 
from a YAML string.\n */\nexport function parseManifest(yamlContent: string): {\n ok: boolean;\n manifest?: ProductManifest;\n errors?: string[];\n} {\n // Dynamic import of yaml would be needed, but for CLI context we parse JSON-compatible YAML\n // The CLI command handles the YAML parsing; this validates the parsed object.\n try {\n // Try JSON first (manifests can be JSON too)\n const data = JSON.parse(yamlContent);\n return validateManifestData(data);\n } catch {\n return {\n ok: false,\n errors: [\n \"Invalid JSON/YAML. Use `brainstorm platform init` to generate a template.\",\n ],\n };\n }\n}\n\n/**\n * Validate a parsed manifest object against the schema.\n */\nexport function validateManifestData(data: unknown): {\n ok: boolean;\n manifest?: ProductManifest;\n errors?: string[];\n} {\n const result = productManifestSchema.safeParse(data);\n if (result.success) {\n return { ok: true, manifest: result.data };\n }\n const errors = result.error.issues.map(\n (i) => `${i.path.join(\".\")}: ${i.message}`,\n );\n return { ok: false, errors };\n}\n\n// ── Template ────────────────────────────────────────────────────\n\n/**\n * Generate a product-manifest.yaml template for a new product.\n */\nexport function generateManifestTemplate(\n productId: string,\n productName: string,\n apiBase: string,\n): string {\n return `# product-manifest.yaml — Brainstorm Platform Contract\n# Docs: https://brainstorm.co/docs/platform-contract\n\nproduct:\n id: \"${productId}\"\n name: \"${productName}\"\n version: \"0.1.0\"\n\n# ── Security ──────────────────────────────────────────\nsecurity:\n api_base: \"${apiBase}\"\n health: \"/health\"\n auth:\n human: \"supabase-jwt\"\n machine: \"api-key\" # Upgrade to mtls-spiffe when ready\n tenant_claim: \"platform_tenant_id\"\n encryption:\n credentials: \"aes-256-gcm\"\n evidence: \"none\" # Set to hybrid-pqc when evidence chains are implemented\n audit:\n signing: \"hmac-sha256\"\n retention: \"7y\"\n\n# ── Capabilities (God Mode) 
───────────────────────────\ncapabilities: []\n # - domain: \"endpoint-management\"\n # - domain: \"compliance\"\n\n# ── Events ────────────────────────────────────────────\nevents:\n publishes: []\n # - \"${productId}.alert.created\"\n subscribes: []\n # - \"platform.tenant.created\"\n\n# ── Edge Agent Plugins ────────────────────────────────\nedge:\n plugins: []\n`;\n}\n\n// ── Contract Verification ───────────────────────────────────────\n\nexport interface VerifyResult {\n endpoint: string;\n status: \"pass\" | \"fail\" | \"skip\";\n message: string;\n latencyMs?: number;\n}\n\n/**\n * Verify that a product implements the required platform endpoints.\n * Hits each endpoint and checks the response shape.\n */\nexport async function verifyProductContract(\n apiBase: string,\n opts?: { timeout?: number; token?: string },\n): Promise<VerifyResult[]> {\n const timeout = opts?.timeout ?? 10_000;\n const results: VerifyResult[] = [];\n\n const headers: Record<string, string> = {\n \"Content-Type\": \"application/json\",\n };\n if (opts?.token) {\n headers[\"Authorization\"] = `Bearer ${opts.token}`;\n }\n\n // 1. Health check (no auth)\n results.push(\n await checkEndpoint(\"GET\", `${apiBase}/health`, {\n timeout,\n validate: (body) => {\n if (!body.status) return \"Missing 'status' field\";\n if (!body.version) return \"Missing 'version' field\";\n return null;\n },\n }),\n );\n\n // 2. God Mode tools\n results.push(\n await checkEndpoint(\"GET\", `${apiBase}/api/v1/god-mode/tools`, {\n timeout,\n headers,\n validate: (body) => {\n const data = body.data ?? body;\n if (!Array.isArray(data)) return \"Expected array of tools\";\n return null;\n },\n }),\n );\n\n // 3. 
Platform events receiver\n results.push(\n await checkEndpoint(\"POST\", `${apiBase}/api/v1/platform/events`, {\n timeout,\n headers,\n body: JSON.stringify({\n id: \"test-verify\",\n type: \"platform.verify\",\n tenant_id: \"verify\",\n product: \"verify\",\n timestamp: new Date().toISOString(),\n data: {},\n schema_version: 1,\n signature: \"test\",\n }),\n // 401/403 is acceptable — means the endpoint exists but our test signature fails\n acceptStatuses: [200, 401, 403],\n validate: () => null,\n }),\n );\n\n // 4. Tenant provisioning\n results.push(\n await checkEndpoint(\"POST\", `${apiBase}/api/v1/platform/tenants`, {\n timeout,\n headers,\n body: JSON.stringify({\n id: \"verify-test\",\n name: \"Verify Test\",\n slug: \"verify\",\n }),\n acceptStatuses: [200, 201, 400, 401, 403, 409],\n validate: () => null,\n }),\n );\n\n return results;\n}\n\nasync function checkEndpoint(\n method: string,\n url: string,\n opts: {\n timeout: number;\n headers?: Record<string, string>;\n body?: string;\n acceptStatuses?: number[];\n validate: (body: any) => string | null;\n },\n): Promise<VerifyResult> {\n const start = Date.now();\n const endpointPath = new URL(url).pathname;\n\n try {\n const res = await fetch(url, {\n method,\n headers: opts.headers,\n body: opts.body,\n signal: AbortSignal.timeout(opts.timeout),\n });\n\n const latencyMs = Date.now() - start;\n const acceptable = opts.acceptStatuses ?? 
[200];\n\n if (!acceptable.includes(res.status)) {\n // 404 means the endpoint doesn't exist\n if (res.status === 404) {\n return {\n endpoint: `${method} ${endpointPath}`,\n status: \"fail\",\n message: \"Not found (404)\",\n latencyMs,\n };\n }\n return {\n endpoint: `${method} ${endpointPath}`,\n status: \"fail\",\n message: `HTTP ${res.status}`,\n latencyMs,\n };\n }\n\n let body: any = {};\n try {\n body = await res.json();\n } catch {\n // Some endpoints may return empty or non-JSON\n }\n\n const error = opts.validate(body);\n if (error) {\n return {\n endpoint: `${method} ${endpointPath}`,\n status: \"fail\",\n message: error,\n latencyMs,\n };\n }\n\n return {\n endpoint: `${method} ${endpointPath}`,\n status: \"pass\",\n message: `${res.status} OK`,\n latencyMs,\n };\n } catch (err) {\n const latencyMs = Date.now() - start;\n const msg = err instanceof Error ? err.message : String(err);\n if (msg.includes(\"timeout\") || msg.includes(\"abort\")) {\n return {\n endpoint: `${method} ${endpointPath}`,\n status: \"fail\",\n message: `Timeout (${opts.timeout}ms)`,\n latencyMs,\n };\n }\n return {\n endpoint: `${method} ${endpointPath}`,\n status: \"fail\",\n message: msg,\n latencyMs,\n };\n 
}\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AWWA,SAAS,YAAY,UAAU,YAAY,uBAAuB;ACDlE,SAAS,cAAAA,aAAY,mBAAAC,wBAAuB;AZI5C,IAAM,oBAAyD;EAC7D,uBACE;EACF,qBAAqB;EACrB,QAAQ;EACR,qBAAqB;EACrB,kBAAkB;EAClB,eAAe;EACf,eAAe;EACf,YAAY;EACZ,SAAS;EACT,SAAS;EACT,SAAS;EACT,WAAW;EACX,WAAW;EACX,mBAAmB;EACnB,WAAW;EACX,gBAAgB;EAChB,KAAK;EACL,YAAY;EACZ,mBAAmB;EACnB,kBAAkB;EAClB,YAAY;EACZ,OAAO;EACP,UAAU;AACZ;AAEO,SAAS,mBACd,WACA,QACsC;AACtC,QAAM,WAAW,OAAO,qBAAqB;AAC7C,MAAI,UAAU,WAAW,GAAG;AAC1B,WAAO;MACL,MAAM;MACN,WAAW;IACb;EACF;AAEA,QAAM,WAAqB,CAAC;AAE5B,WAAS,KAAK;;0BAEU,UAAU,MAAM,gEAAgE;AAGxG,WAAS,KAAK,2BAA2B;AACzC,aAAW,OAAO,WAAW;AAC3B,UAAM,OAAO,IAAI,aACd,IAAI,CAAC,MAAM,kBAAkB,CAAC,KAAK,CAAC,EACpC,KAAK,IAAI;AACZ,aAAS,KAAK,OAAO,IAAI,WAAW,OAAO,IAAI,SAAS,QAAQ,IAAI,EAAE;EACxE;AAEA,MAAI,UAAU;AACZ,aAAS,KAAK;;;;;;;;QAQV;EACN;AAGA,WAAS,KAAK;;;;;;;;;;;;;;;;;;;;;;;iCAuBiB;AAE/B,SAAO;IACL,MAAM,SAAS,KAAK,IAAI;IACxB,WAAW;EACb;AACF;AC9EA,eAAsB,eACpB,UACA,QACA,YACkC;AAClC,QAAM,YAAyD,CAAC;AAChE,QAAM,SAA4C,CAAC;AAOnD,QAAM,0BAA0B;AAChC,QAAM,UAAU,MAAM,QAAQ;IAC5B,WAAW,IAAI,OAAO,cAAc;AAClC,YAAM,oBAAoB,IAAI,gBAAgB;AAC9C,YAAM,eAAe;QACnB,MAAM,kBAAkB,MAAM;QAC9B;MACF;AACA,UAAI;AACF,cAAM,SAAS,MAAM,QAAQ,KAAK;UAChC,UAAU,YAAY;UACtB,IAAI,QAAe,CAAC,GAAG,WAAW;AAChC,8BAAkB,OAAO;cACvB;cACA,MACE;gBACE,IAAI;kBACF,yBAAyB,uBAAuB;gBAClD;cACF;cACF,EAAE,MAAM,KAAK;YACf;UACF,CAAC;QACH,CAAC;AACD,eAAO,EAAE,WAAW,OAAO;MAC7B,UAAA;AACE,qBAAa,YAAY;MAC3B;IACF,CAAC;EACH;AAGA,aAAW,UAAU,SAAS;AAC5B,QAAI,OAAO,WAAW,YAAY;AAChC;IACF;AAEA,UAAM,EAAE,WAAW,OAAO,IAAI,OAAO;AAErC,QAAI,CAAC,OAAO,IAAI;AACd,aAAO,KAAK;QACV,MAAM,UAAU;QAChB,OAAO,OAAO,WAAW,wBAAwB,OAAO,SAAS;MACnE,CAAC;AACD;IACF;AAKA,UAAM,QAAQ,UAAU,SAAS;AACjC,eAAW,QAAQ,OAAO;AACxB,UAAI,OAAO,kBAAkB;AAC3B,aAAK,WAAW;MAClB;AACA,eAAS,SAAS,IAAI;IACxB;AAEA,cAAU,KAAK;MACb,MAAM,UAAU;MAChB,aAAa,UAAU;MACvB,cAAc,UAAU;MACxB,WAAW,OAAO;MAClB,WAAW,MAAM;IACnB,CAAC;EACH;AAGA,QAAM,UAAU,kBAAkB;AAClC,aAAW,QAAQ,SAAS;AAC1B,aAAS,SAAS,IAAI;EACxB;AAGA,QAAM,gBAAgB,mBAAmB,WAAW,MAAM;AAG1D,aAAW,UAAU,SAAS;AAC5B,Q
AAI,OAAO,WAAW,YAAa;AACnC,UAAM,EAAE,WAAW,OAAO,IAAI,OAAO;AACrC,QAAI,CAAC,OAAO,GAAI;AAChB,QAAI,OAAO,UAAU,cAAc,YAAY;AAC7C,oBAAc,QAAQ,OAAO,UAAU,UAAU;IACnD;EACF;AAEA,SAAO;IACL,kBAAkB;IAClB;IACA;IACA,YACE,UAAU,OAAO,CAAC,KAAK,MAAM,MAAM,EAAE,WAAW,CAAC,IAAI,QAAQ;EACjE;AACF;AC5HA,SAAS,WAAW,GAAmB;AACrC,SAAO,EAAE,QAAQ,MAAM,KAAK,EAAE,QAAQ,MAAM,KAAK;AACnD;AAEA,IAAM,MAAM,aAAa,cAAc;AAGvC,IAAM,YAAoC;EACxC,UAAU;EACV,SAAS;EACT,UAAU;EACV,QAAQ;AACV;AAQO,SAAS,mBACd,cACA,OAQA,WAAW,GACE;AACb,QAAM,KAAK,MAAM,MAAM;AACvB,QAAM,cAAc,oBAAI,IAGtB;AACF,QAAM,uBAAuB,oBAAI,IAAY;AAE7C,aAAW,QAAQ,cAAc;AAE/B,UAAM,YAAY,GACf,QAAQ,0DAA0D,EAClE,IAAI,MAAM,IAAI,WAAW,IAAI,CAAC,EAAE;AAEnC,eAAW,MAAM,WAAW;AAE1B,YAAM,SAAS,MAAM,eAAe,GAAG,MAAM,QAAQ;AACrD,iBAAW,QAAQ,QAAQ;AACzB,YAAI,CAAC,YAAY,IAAI,KAAK,IAAI,GAAG;AAC/B,sBAAY,IAAI,KAAK,MAAM,IAAI;QACjC;MACF;IACF;AAGA,UAAM,cAAc,GACjB;MACC;IACF,EACC,IAAI,MAAM,IAAI,WAAW,IAAI,CAAC,EAAE;AAEnC,eAAW,KAAK,aAAa;AAC3B,2BAAqB,IAAI,EAAE,YAAY;IACzC;EACF;AAGA,aAAW,CAAC,EAAE,IAAI,KAAK,aAAa;AAClC,UAAM,QAAQ,GACX;MACC;IACF,EACC,IAAI,KAAK,IAAI;AAChB,eAAW,KAAK,OAAO;AACrB,2BAAqB,IAAI,EAAE,YAAY;IACzC;EACF;AAGA,QAAM,sBAA0D,CAAC;AACjE,aAAW,eAAe,sBAAsB;AAC9C,UAAM,YAAY,GACf,QAAQ,8DAA8D,EACtE,IAAI,WAAW;AAIlB,QAAI,WAAW;AACb,UAAI,OAAO;AACX,UAAI;AACF,cAAM,OAAO,KAAK,MAAM,UAAU,aAAa;AAC/C,eAAO,KAAK,QAAQ;MACtB,QAAQ;MAER;AAEA,0BAAoB,KAAK;QACvB,IAAI,UAAU;QACd,MAAM,UAAU,QAAQ;QACxB;MACF,CAAC;IACH;EACF;AAGA,MAAI,iBAAiB;AACrB,aAAW,KAAK,qBAAqB;AACnC,UAAM,WAAW,UAAU,EAAE,IAAI,KAAK;AACtC,QAAI,WAAW,eAAgB,kBAAiB;EAClD;AAEA,QAAM,SAAsB;IAC1B,iBAAiB,MAAM,KAAK,YAAY,OAAO,CAAC;IAChD;IACA;IACA,eAAe,YAAY;EAC7B;AAEA,MAAI;IACF;MACE,cAAc,aAAa;MAC3B,eAAe,OAAO;MACtB,aAAa,oBAAoB;MACjC;IACF;IACA;EACF;AAEA,SAAO;AACT;ACrHA,SAAS,wBAAwB,MAA6C;AAC5E,QAAM,OAAO,KAAK;AAClB,QAAM,cAAc,KAAK;AAEzB,MAAI;AAEJ,MAAI,KAAK,QAAQ,MAAM,QAAQ,KAAK,IAAI,GAAG;AACzC,UAAM,SAAS,KAAK;AACpB,aAAS,iBAAE,KAAK,MAAM;EACxB,OAAO;AACL,YAAQ,MAAM;MACZ,KAAK;AACH,iBAAS,iBAAE,OAAO;AAClB;MACF,KAAK;MACL,KAAK;AACH,iBAAS,iBAAE,OAAO;AAClB;MACF,KAAK;AACH,iBAAS,iBAAE,QAAQ;AACnB;MACF
,KAAK,SAAS;AACZ,cAAM,QAAQ,KAAK;AACnB,iBAAS,iBAAE,MAAM,QAAQ,wBAAwB,KAAK,IAAI,iBAAE,IAAI,CAAC;AACjE;MACF;MACA,KAAK,UAAU;AACb,cAAM,SAAS,KAAK;AAGpB,YAAI,QAAQ;AACV,mBAAS,gBAAgB,IAAI;QAC/B,OAAO;AACL,mBAAS,iBAAE,OAAO,iBAAE,IAAI,CAAC;QAC3B;AACA;MACF;MACA;AACE,iBAAS,iBAAE,IAAI;IACnB;EACF;AAEA,MAAI,aAAa;AACf,aAAS,OAAO,SAAS,WAAW;EACtC;AAEA,MAAI,KAAK,YAAY,QAAW;AAC9B,aAAS,OAAO,QAAQ,KAAK,OAAO;EACtC;AAEA,SAAO;AACT;AAKA,SAAS,gBAAgB,QAAmD;AAC1E,QAAM,aAAc,OAAO,cAAc,CAAC;AAI1C,QAAM,WAAW,IAAI,IAAK,OAAO,YAAY,CAAC,CAAc;AAE5D,QAAM,QAAsC,CAAC;AAC7C,aAAW,CAAC,KAAK,IAAI,KAAK,OAAO,QAAQ,UAAU,GAAG;AACpD,QAAI,cAAc,wBAAwB,IAAI;AAC9C,QAAI,CAAC,SAAS,IAAI,GAAG,GAAG;AACtB,oBAAc,YAAY,SAAS;IACrC;AACA,UAAM,GAAG,IAAI;EACf;AAEA,SAAO,iBAAE,OAAO,KAAK;AACvB;AAIA,SAAS,iBACP,WACA,mBACgB;AAChB,MAAI,cAAc,YAAa,QAAO;AACtC,MAAI,cAAc,SAAS,CAAC,kBAAmB,QAAO;AACtD,SAAO;AACT;AAkBO,IAAM,mBAAN,MAAmD;EACxD;EACA;EACA,eAAsC,CAAC;EAE/B;EACA,QAA6B,CAAC;EAC9B,cAAc;EAEtB,YAAY,IAAY,QAAoD;AAC1E,SAAK,OAAO;AACZ,SAAK,cACH,OAAO,eAAe,GAAG,OAAO,CAAC,EAAE,YAAY,IAAI,GAAG,MAAM,CAAC;AAC/D,SAAK,SAAS;EAChB;;;;;EAMA,MAAM,aAA4B;AAChC,QAAI;AACF,YAAM,MAAM,MAAM,KAAK,SAAS,wBAAwB;AAExD,UAAI,IAAI,OAAO;AACb,gBAAQ;UACN,aAAa,KAAK,WAAW,uCAAkC,IAAI,KAAK;QAC1E;AACA,aAAK,cAAc;AACnB;MACF;AAGA,YAAM,cACJ,IAAI,SAAS,IAAI,SAAS,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC;AAGxD,YAAM,UAAU,IAAI,IAAI,YAAY,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;AACxD,WAAK,eAAe,CAAC,GAAG,OAAO;AAG/B,UAAI,IAAI,SAAS;AACf,aAAK,cAAc,aAAa,IAAI,QAAQ,OAAO,CAAC,EAAE,YAAY,IAAI,IAAI,QAAQ,MAAM,CAAC,CAAC;MAC5F;AAGA,WAAK,QAAQ,YAAY,IAAI,CAAC,OAAO,KAAK,YAAY,EAAE,CAAC;AACzD,WAAK,cAAc;IACrB,SAAS,KAAK;AACZ,YAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,cAAQ;QACN,aAAa,KAAK,WAAW,kCAA6B,GAAG;MAC/D;AACA,WAAK,cAAc;IACrB;EACF;EAEA,MAAM,cAAqC;AACzC,UAAM,QAAQ,KAAK,IAAI;AACvB,QAAI;AACF,YAAM,MAAM,MAAM,KAAK,SAAS,SAAS;AACzC,YAAM,YAAY,KAAK,IAAI,IAAI;AAE/B,UAAI,IAAI,OAAO;AACb,eAAO,EAAE,IAAI,OAAO,WAAW,SAAS,IAAI,MAAM;MACpD;AAEA,aAAO;QACL,IAAI,IAAI,WAAW,aAAa,IAAI,WAAW,QAAQ,CAAC,CAAC,IAAI;QAC7D;QACA,SAAS,IAAI,UAAU,IAAI,IAAI,OAAO,KAAK;MAC7C;IACF,Q
AAQ;AACN,aAAO;QACL,IAAI;QACJ,WAAW,KAAK,IAAI,IAAI;QACxB,SAAS;MACX;IACF;EACF;EAEA,WAAgC;AAC9B,WAAO,KAAK;EACd;;EAIQ,YAAY,YAA2C;AAE7D,UAAM,WAAW,WAAW,KAAK,QAAQ,OAAO,GAAG;AACnD,UAAM,cAAc,gBAAgB,WAAW,UAAU;AACzD,UAAM,aAAa;MACjB,WAAW;MACX,WAAW;IACb;AACA,UAAM,WAAW,WAAW,eAAe;AAC3C,UAAM,YAAY;AAElB,QAAI,WAAW,oBAAoB;AACjC,aAAO,KAAK;QACV;QACA;QACA;QACA;MACF;IACF;AAEA,WAAO,WAAW;MAChB,MAAM;MACN,aAAa,WAAW;MACxB;MACA;MACA;MACA,MAAM,QAAQ,QAAQ;AACpB,cAAM,SAAS,MAAM,UAAU,SAAS,4BAA4B;UAClE,QAAQ;UACR,MAAM,KAAK,UAAU;YACnB,MAAM,WAAW;YACjB;UACF,CAAC;QACH,CAAC;AAED,YAAI,OAAO,MAAO,QAAO,EAAE,OAAO,OAAO,MAAM;AAC/C,eAAO,OAAO,QAAQ;MACxB;IACF,CAAC;EACH;EAEQ,oBACN,UACA,YACA,aACA,YACmB;AACnB,UAAM,YAAY;AAElB,UAAM,cAAc,GAAG,KAAK,IAAI,IAAI,QAAQ;AAG5C,qBAAiB,aAAa,OAAO,OAAO;AAE1C,YAAM,iBAAkB,GAAG,WAAW,cAClC;AACJ,YAAM,SAAS,MAAM,UAAU,SAAS,4BAA4B;QAClE,QAAQ;QACR,MAAM,KAAK,UAAU;UACnB,MAAM,WAAW;UACjB,QAAQ,kBAAkB,CAAC;UAC3B,UAAU;QACZ,CAAC;MACH,CAAC;AAED,UAAI,OAAO,MAAO,QAAO,EAAE,SAAS,OAAO,SAAS,OAAO,MAAM;AACjE,aAAO;QACL,SAAS;QACT,SAAS,OAAO,WAAW,YAAY,WAAW,IAAI;QACtD,cAAc,OAAO;MACvB;IACF,CAAC;AAED,WAAO,WAAW;MAChB,MAAM;MACN,aAAa,WAAW;MACxB;MACA;MACA,MAAM,QAAQ,QAAQ;AAEpB,cAAM,YAAY,MAAM,UAAU,SAAS,4BAA4B;UACrE,QAAQ;UACR,MAAM,KAAK,UAAU;YACnB,MAAM,WAAW;YACjB;YACA,UAAU;UACZ,CAAC;QACH,CAAC;AAED,YAAI,UAAU,MAAO,QAAO,EAAE,OAAO,UAAU,MAAM;AAGrD,cAAM,aAAa,UAAU,cAAc;UACzC,SAAS;UACT,cAAc,EAAE,GAAG,UAAU,MAAM,gBAAgB,OAAO;UAC1D,UAAU,UAAU,YAAY,CAAC;UACjC,aAAa,UAAU,eAAe,CAAC;UACvC,mBAAmB,UAAU,qBAAqB;QACpD;AAGA,YACE,WAAW,gBACX,OAAO,WAAW,iBAAiB,UACnC;AACC,qBAAW,aAAqB,iBAAiB;QACpD;AAEA,cAAM,YAAY,gBAAgB;UAChC,WAAW,UAAU;UACrB,QAAQ;;UACR,aAAa,UAAU,eAAe,WAAW,WAAW,IAAI;UAChE,SAAS,UAAU,WAAW;YAC5B;cACE,QAAQ,UAAU;cAClB,QAAQ,GAAG,WAAW,MAAM,IAAI,KAAK,UAAU,MAAM,EAAE,MAAM,GAAG,EAAE,CAAC;cACnE,WAAW;YACb;UACF;UACA;QACF,CAAC;AAED,eAAO;UACL,cAAc,UAAU;UACxB,QAAQ;UACR,YAAY,UAAU;UACtB,cAAc,UAAU;UACxB,aAAa,UAAU;UACvB,SACE;QACJ;MACF;IACF,CAAC;EACH;;EAIA,MAAc,SACZ,MACA,SACc;AACd,UAAM,MAAM,KAAK,cAAc;AAC/B,QAAI,CAAC,KAAK;AACR,aAAO;QACL,OAAO,kBAAkB,KAAK,WAAW,KAAK,KA
AK,OAAO,UAAU;MACtE;IACF;AAEA,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO,GAAG,IAAI;AAGzC,QACE,CAAC,IAAI,WAAW,UAAU,KAC1B,CAAC,IAAI,WAAW,kBAAkB,KAClC,CAAC,IAAI,WAAW,kBAAkB,GAClC;AACA,aAAO;QACL,OAAO,GAAG,KAAK,WAAW;MAC5B;IACF;AAEA,UAAM,UAAU,SAAS,WAAW;AAEpC,QAAI;AACF,YAAM,MAAM,MAAM,MAAM,KAAK;QAC3B,GAAG;QACH,SAAS;UACP,eAAe,UAAU,GAAG;UAC5B,gBAAgB;UAChB,GAAK,SAAS,WAAsC,CAAC;QACvD;QACA,QAAQ,YAAY,QAAQ,OAAO;MACrC,CAAC;AAED,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC5C,eAAO;UACL,OAAO,GAAG,KAAK,WAAW,QAAQ,IAAI,MAAM,KAAK,KAAK,MAAM,GAAG,GAAG,CAAC;QACrE;MACF;AAEA,aAAO,IAAI,KAAK;IAClB,SAAS,OAAO;AACd,YAAM,MAAM,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACjE,aAAO,EAAE,OAAO,GAAG,KAAK,WAAW,eAAe,GAAG,GAAG;IAC1D;EACF;EAEQ,gBAA+B;AACrC,WACE,QAAQ,IAAI,OAAO,KAAK,KAAK,YAAY,CAAC,MAAM,KAChD,QAAQ,IAAI,KAAK,OAAO,UAAU,KAClC;EAEJ;AACF;AChZA,IAAMC,OAAMC,aAAa,eAAe;AAExC,IAAM,aAAa;AAaZ,IAAM,eAAN,MAAmB;EAChB;EACA,oBAAmC;EACnC,6BAA6B;EAC7B;EAER,YAAY,QAA4B;AACtC,SAAK,SAAS;AACd,SAAK,QAAQ,OAAO,SAAS;EAC/B;;;;EAKA,MAAM,QACJ,QACA,MACA,MACY;AACZ,UAAM,QAAQ,MAAM,KAAK,aAAa;AACtC,UAAM,MAAM,KAAK,WAAW,MAAM,IAAI,OAAO,GAAG,UAAU,GAAG,IAAI;AAEjE,UAAM,MAAM,MAAM,MAAM,KAAK;MAC3B;MACA,SAAS;QACP,eAAe,UAAU,KAAK;QAC9B,QAAQ;QACR,wBAAwB;QACxB,GAAI,OAAO,EAAE,gBAAgB,mBAAmB,IAAI,CAAC;MACvD;MACA,MAAM,OAAO,KAAK,UAAU,IAAI,IAAI;IACtC,CAAC;AAED,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,YAAM,IAAI;QACR,cAAc,MAAM,IAAI,IAAI,KAAK,IAAI,MAAM,IAAI,KAAK,MAAM,GAAG,GAAG,CAAC;MACnE;IACF;AAEA,QAAI,IAAI,WAAW,IAAK,QAAO,CAAC;AAChC,WAAO,IAAI,KAAK;EAClB;;EAIA,MAAM,QAAQ,OAAe,MAAc;AACzC,WAAO,KAAK,QAAQ,OAAO,UAAU,KAAK,IAAI,IAAI,EAAE;EACtD;EAEA,MAAM,aAAa,OAAe,MAAc;AAC9C,WAAO,KAAK,QAAQ,OAAO,UAAU,KAAK,IAAI,IAAI,uBAAuB;EAC3E;EAEA,MAAM,eACJ,OACA,MACA,MACA,MACA;AACA,WAAO,KAAK;MACV;MACA,UAAU,KAAK,IAAI,IAAI,YAAY,IAAI,MAAM,IAAI;IACnD;EACF;EAEA,MAAM,YAAY,OAAe,MAAc,MAAc,KAAc;AACzE,UAAM,QAAQ,MAAM,QAAQ,GAAG,KAAK;AACpC,WAAO,KAAK;MACV;MACA,UAAU,KAAK,IAAI,IAAI,aAAa,IAAI,GAAG,KAAK;IAClD;EACF;;EAIA,MAAM,cACJ,OACA,MACA,KACA,QACA,SAAS,CAAC,QAAQ,cAAc,GAChC;AAC
A,WAAO,KAAK,QAAQ,QAAQ,UAAU,KAAK,IAAI,IAAI,UAAU;MAC3D,MAAM;MACN,QAAQ;MACR;MACA,QAAQ,EAAE,KAAK,cAAc,QAAQ,QAAQ,cAAc,IAAI;IACjE,CAAC;EACH;EAEA,MAAM,aAAa,OAAe,MAAc;AAC9C,WAAO,KAAK,QAAQ,OAAO,UAAU,KAAK,IAAI,IAAI,QAAQ;EAC5D;EAEA,MAAM,cAAc,OAAe,MAAc,QAAgB;AAC/D,WAAO,KAAK,QAAQ,UAAU,UAAU,KAAK,IAAI,IAAI,UAAU,MAAM,EAAE;EACzE;;EAIA,MAAM,MAAM,OAAe,MAAc,QAAgB;AACvD,WAAO,KAAK,QAAQ,OAAO,UAAU,KAAK,IAAI,IAAI,UAAU,MAAM,EAAE;EACtE;EAEA,MAAM,WAAW,OAAe,MAAc,QAAgB;AAC5D,WAAO,KAAK;MACV;MACA,UAAU,KAAK,IAAI,IAAI,UAAU,MAAM;IACzC;EACF;EAEA,MAAM,aACJ,OACA,MACA,QACA,MACA,QAAmD,WACnD,UACA;AACA,WAAO,KAAK;MACV;MACA,UAAU,KAAK,IAAI,IAAI,UAAU,MAAM;MACvC;QACE;QACA;QACA;MACF;IACF;EACF;;EAIA,MAAM,eACJ,OACA,MACA,MAQA;AACA,WAAO,KAAK,QAAQ,QAAQ,UAAU,KAAK,IAAI,IAAI,eAAe;MAChE,MAAM,KAAK;MACX,UAAU,KAAK;MACf,QAAQ,KAAK;MACb,GAAI,KAAK,aAAa,EAAE,YAAY,KAAK,WAAW,IAAI,CAAC;MACzD,QAAQ,KAAK,UACT;QACE,OAAO,KAAK;QACZ,SAAS,KAAK;QACd,MAAM,KAAK;MACb,IACA;IACN,CAAC;EACH;;EAIA,MAAM,cAIH;AACD,UAAM,QAAQ,KAAK,IAAI;AACvB,QAAI;AACF,YAAM,OAAO,MAAM,KAAK,QAA2B,OAAO,OAAO;AACjE,aAAO,EAAE,IAAI,MAAM,WAAW,KAAK,IAAI,IAAI,OAAO,MAAM,KAAK,MAAM;IACrE,SAAS,KAAU;AACjB,aAAO,EAAE,IAAI,OAAO,WAAW,KAAK,IAAI,IAAI,MAAM;IACpD;EACF;;EAIA,MAAc,eAAgC;AAC5C,QAAI,KAAK,MAAO,QAAO,KAAK;AAG5B,QACE,KAAK,OAAO,iBACZ,KAAK,OAAO,SACZ,KAAK,OAAO,gBACZ;AACA,UACE,KAAK,qBACL,KAAK,IAAI,IAAI,KAAK,4BAClB;AACA,eAAO,KAAK;MACd;AACA,WAAK,oBAAoB,MAAM,KAAK,6BAA6B;AACjE,WAAK,6BAA6B,KAAK,IAAI,IAAI,KAAK,KAAK;AACzD,aAAO,KAAK;IACd;AAEA,UAAM,IAAI;MACR;IACF;EACF;EAEA,MAAc,+BAAgD;AAE5D,UAAM,SAAS,MAAM,KAAK,aAAa;AAEvC,UAAM,MAAM,MAAM;MAChB,GAAG,UAAU,sBAAsB,KAAK,OAAO,cAAc;MAC7D;QACE,QAAQ;QACR,SAAS;UACP,eAAe,UAAU,MAAM;UAC/B,QAAQ;QACV;MACF;IACF;AAEA,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,IAAI,MAAM,qCAAqC,IAAI,MAAM,EAAE;IACnE;AAEA,UAAM,OAAQ,MAAM,IAAI,KAAK;AAC7BD,SAAI,KAAK,wCAAwC;AACjD,WAAO,KAAK;EACd;EAEA,MAAc,eAAgC;AAG5C,UAAM,EAAE,kBAAkB,KAAK,IAAI,MAAM,OAAO,QAAa;AAE7D,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,UAAM,SAAS,OAAO;MACpB,KAAK,UAAU,EAAE,KAAK,SAAS,KAAK,MAAM,CAAC;IAC7C,EAAE,SAAS,WAAW;AACtB,UAAM,UAA
U,OAAO;MACrB,KAAK,UAAU;QACb,KAAK,KAAK,OAAO;QACjB,KAAK,MAAM;QACX,KAAK,MAAM;MACb,CAAC;IACH,EAAE,SAAS,WAAW;AAEtB,UAAM,MAAM,iBAAiB,KAAK,OAAO,aAAc;AACvD,UAAM,YAAY;MAChB;MACA,OAAO,KAAK,GAAG,MAAM,IAAI,OAAO,EAAE;MAClC;IACF,EAAE,SAAS,WAAW;AAEtB,WAAO,GAAG,MAAM,IAAI,OAAO,IAAI,SAAS;EAC1C;AACF;AC/QO,SAAS,gBACd,QACA,OACA,MACqB;AACrB,SAAO;IACLE,WAAW;MACT,MAAM;MACN,aAAa,+BAA+B,KAAK,IAAI,IAAI;MACzD,YAAY;MACZ,aAAaC,iBAAE,OAAO,CAAC,CAAC;MACxB,MAAM,UAAU;AACd,cAAM,OAAO,MAAM,OAAO,QAAQ,OAAO,IAAI;AAC7C,eAAO;UACL,MAAM,KAAK;UACX,aAAa,KAAK;UAClB,UAAU,KAAK;UACf,QAAQ,KAAK;UACb,eAAe,KAAK;UACpB,YAAY,KAAK;UACjB,MAAM,KAAK;UACX,YAAY,KAAK;UACjB,WAAW,KAAK;QAClB;MACF;IACF,CAAC;IAEDD,WAAW;MACT,MAAM;MACN,aAAa,qBAAqB,KAAK,IAAI,IAAI;MAC/C,YAAY;MACZ,aAAaC,iBAAE,OAAO,CAAC,CAAC;MACxB,MAAM,UAAU;AACd,cAAM,WAAW,MAAM,OAAO,aAAa,OAAO,IAAI;AACtD,eAAO,SAAS,IAAI,CAAC,OAAY;UAC/B,MAAM,EAAE;UACR,WAAW,EAAE;UACb,KAAK,EAAE,OAAO,IAAI,MAAM,GAAG,CAAC;QAC9B,EAAE;MACJ;IACF,CAAC;IAEDD,WAAW;MACT,MAAM;MACN,aAAa,2BAA2B,KAAK,IAAI,IAAI;MACrD,YAAY;MACZ,aAAaC,iBAAE,OAAO;QACpB,MAAMA,iBAAE,OAAO,EAAE,SAAS,gCAAgC;QAC1D,MAAMA,iBAAE,OAAO,EAAE,SAAS,kCAAkC;MAC9D,CAAC;MACD,MAAM,QAAQ,EAAE,MAAM,KAAK,GAAG;AAC5B,cAAM,OAAO,MAAM,OAAO,eAAe,OAAO,MAAM,MAAM,IAAI;AAChE,eAAO;UACL,QAAQ,KAAK;UACb,SAAS,KAAK;UACd,UAAU,KAAK;UACf,cAAc,KAAK;UACnB,QAAQ,KAAK,SAAS,CAAC,GAAG,IAAI,CAAC,OAAY;YACzC,UAAU,EAAE;YACZ,QAAQ,EAAE;YACV,WAAW,EAAE;YACb,WAAW,EAAE;YACb,SAAS,EAAE;UACb,EAAE;QACJ;MACF;IACF,CAAC;EACH;AACF;ACpEO,SAAS,mBACd,QACA,OACA,MACqB;AACrB,SAAO;IACLD,WAAW;MACT,MAAM;MACN,aAAa,yBAAyB,KAAK,IAAI,IAAI;MACnD,YAAY;MACZ,aAAaC,iBAAE,OAAO;QACpB,KAAKA,iBACF,OAAO,EACP;UACC;QACF;QACF,QAAQA,iBACL,OAAO,EACP,SAAS,+CAA+C;QAC3D,QAAQA,iBACL,MAAMA,iBAAE,OAAO,CAAC,EAChB,SAAS,EACT,SAAS,sDAAsD;MACpE,CAAC;MACD,MAAM,QAAQ,EAAE,KAAK,QAAQ,OAAO,GAAG;AACrC,cAAM,SAAS,MAAM,OAAO;UAC1B;UACA;UACA;UACA;UACA;QACF;AACA,eAAO;UACL,IAAI,OAAO;UACX,KAAK,OAAO,OAAO;UACnB,QAAQ,OAAO;UACf,QAAQ,OAAO;UACf,WAAW,OAAO;QACpB;MACF;IACF,CAAC;IAEDD,WAAW;MACT,MAAM;MACN,aAAa,mCAAmC,KAAK,IAAI,IAAI;MAC7D,YAAY;MACZ,aAAaC,iBAAE
,OAAO,CAAC,CAAC;MACxB,MAAM,UAAU;AACd,cAAM,QAAQ,MAAM,OAAO,aAAa,OAAO,IAAI;AACnD,eAAO,MAAM,IAAI,CAAC,OAAY;UAC5B,IAAI,EAAE;UACN,KAAK,EAAE,OAAO;UACd,QAAQ,EAAE;UACV,QAAQ,EAAE;UACV,cAAc,EAAE,eAAe;QACjC,EAAE;MACJ;IACF,CAAC;EACH;AACF;AC/CA,IAAMH,OAAMC,aAAa,WAAW;AA0B7B,SAAS,oBACd,MACqB;AACrB,QAAM,EAAE,QAAQ,OAAO,MAAM,MAAM,IAAI;AAEvC,SAAO;IACLC,WAAW;MACT,MAAM;MACN,aAAa,4BAA4B,KAAK,IAAI,IAAI;MACtD,YAAY;MACZ,aAAaC,iBAAE,OAAO;QACpB,UAAUA,iBAAE,OAAO,EAAE,SAAS,qBAAqB;QACnD,YAAYA,iBACT,QAAQ,EACR,SAAS,EACT,SAAS,sCAAsC;QAClD,aAAaA,iBACV,QAAQ,EACR,SAAS,EACT,SAAS,gDAAgD;MAC9D,CAAC;MACD,MAAM,QAAQ,EAAE,UAAU,YAAY,YAAY,GAAG;AACnD,cAAM,aAAa,eAAe;AAClC,cAAM,cAAc,gBAAgB;AAGpC,cAAM,KAAK,MAAM,OAAO,MAAM,OAAO,MAAM,QAAQ;AACnD,cAAM,QAAQ,MAAM,OAAO,WAAW,OAAO,MAAM,QAAQ;AAE3D,cAAM,eAAe,MAAM,IAAI,CAAC,OAAY;UAC1C,UAAU,EAAE;UACZ,QAAQ,EAAE;UACV,WAAW,EAAE;UACb,WAAW,EAAE;UACb,SAAS,EAAE;UACX,OAAO,EAAE,OAAO,MAAM,GAAG,GAAI;;QAC/B,EAAE;AAGF,YAAI,cAAc;AAClB,cAAM,kBAID,CAAC;AACN,cAAM,kBAAkB,oBAAI,IAAY;AACxC,cAAM,kBAAkB,oBAAI,IAAY;AAExC,YAAI,OAAO;AACT,gBAAM,KAAK,MAAM,MAAM;AAEvB,qBAAW,QAAQ,cAAc;AAE/B,kBAAM,YAAY,GACf,QAAQ,8CAA8C,EACtD,IAAI,IAAI,KAAK,QAAQ,EAAE;AAE1B,uBAAW,MAAM,WAAW;AAC1B,oBAAM,SAAS,MAAM,eAAe,GAAG,MAAM,CAAC;AAC9C,yBAAW,QAAQ,QAAQ;AACzB,gCAAgB,KAAK,IAAI;AACzB;cACF;YACF;AAGA,kBAAM,cAAc,GACjB;cACC;YACF,EACC,IAAI,IAAI,KAAK,QAAQ,EAAE;AAE1B,uBAAW,QAAQ,aAAa;AAC9B,8BAAgB,IAAI,KAAK,QAAQ,KAAK,EAAE;AACxC,kBAAI;AACF,sBAAM,OAAO,KAAK,MAAM,KAAK,iBAAiB,IAAI;AAClD,oBAAI,KAAK,SAAS;AAChB,kCAAgB,IAAI,KAAK,QAAQ,KAAK,EAAE;cAC5C,QAAQ;cAAC;YACX;UACF;QACF;AAGA,YAAI,YAAY;AAChB,qBAAa,KAAK,IAAI,IAAI,aAAa,SAAS,CAAC;AACjD,qBAAa,KAAK,IAAI,IAAI,WAAW;AACrC,qBAAa,gBAAgB,OAAO;AACpC,qBACE,aAAa,OAAO,CAAC,MAAW,EAAE,YAAY,EAAE,EAAE,SAAS;AAC7D,oBAAY,KAAK,IAAI,KAAK,SAAS;AAGnC,YAAI,kBACF;AACF,YAAI,gBAAgB,OAAO,EAAG,mBAAkB;iBACvC,YAAY,GAAI,mBAAkB;iBAClC,YAAY,GAAI,mBAAkB;AAG3C,cAAM,aAAa,gBAAgB;UACjC;UACA;UACA;UACA;UACA,iBAAiB,MAAM,KAAK,eAAe;UAC3C,iBAAiB,MAAM,KAAK,eAAe;UAC3C,iBAAiB,gBAAgB,MAAM,GAAG,EAAE;QAC9C,CAAC;AAGD,YAAI,YAAY;AACd,gBAAM,QACJ,oBAAoB
,oBAChB,oBACA;AACN,gBAAM,OAAO;YACX;YACA;YACA;YACA;YACA;UACF;AACAH,eAAI;YACF,EAAE,IAAI,UAAU,WAAW,SAAS,gBAAgB,KAAK;YACzD;UACF;QACF;AAGA,YAAI,aAAa;AACf,gBAAM,OAAO,eAAe,OAAO,MAAM;YACvC,MAAM;YACN,SAAS,GAAG,KAAK;YACjB,QAAQ;YACR,YAAY;YACZ,SAAS,eAAe,SAAS,wBAAwB,WAAW,uBAAuB,gBAAgB,IAAI,KAAK,gBAAgB,IAAI;YACxI,MAAM;UACR,CAAC;AACDA,eAAI;YACF,EAAE,IAAI,UAAU,YAAY,gBAAgB;YAC5C;UACF;QACF;AAEA,eAAO;UACL;UACA,eAAe,aAAa;UAC5B;UACA,iBAAiB,MAAM,KAAK,eAAe;UAC3C,yBAAyB,MAAM,KAAK,eAAe;UACnD;UACA;UACA;UACA,MAAM;;QACR;MACF;IACF,CAAC;EACH;AACF;AAIA,SAAS,gBAAgB,MAQd;AACT,QAAM;IACJ;IACA;IACA;IACA;IACA;IACA;EACF,IAAI;AAEJ,QAAM,YAAY,YAAY,KAAK,cAAO,YAAY,KAAK,cAAO;AAClE,QAAM,QAAkB,CAAC;AAEzB,QAAM;IACJ,MAAM,SAAS;IACf;IACA,mBAAmB,SAAS,4BAA4B,WAAW,0CAA0C,aAAa,MAAM;IAChI;EACF;AAEA,MAAI,gBAAgB,SAAS,GAAG;AAC9B,UAAM;MACJ;MACA;MACA,GAAG,gBAAgB;QACjB,CAAC,MAAM,OAAO,CAAC;MACjB;MACA;IACF;EACF;AAEA,MAAI,gBAAgB,SAAS,GAAG;AAC9B,UAAM;MACJ;MACA;MACA,GAAG,gBAAgB,IAAI,CAAC,MAAM;AAC5B,cAAM,aAAa,gBAAgB,SAAS,CAAC;AAC7C,eAAO,KAAK,aAAa,cAAO,WAAI,IAAI,CAAC;MAC3C,CAAC;MACD;IACF;EACF;AAEA,MAAI,gBAAgB,SAAS,GAAG;AAC9B,UAAM;MACJ;MACA;MACA;MACA;MACA,GAAG,gBACA,MAAM,GAAG,EAAE,EACX;QACC,CAAC,MACC,OAAO,EAAE,IAAI,UAAU,EAAE,KAAK,MAAM,GAAG,EAAE,MAAM,EAAE,EAAE,KAAK,GAAG,CAAC,QAAQ,EAAE,KAAK;MAC/E;MACF;IACF;AACA,QAAI,gBAAgB,SAAS,IAAI;AAC/B,YAAM;QACJ,YAAY,gBAAgB,SAAS,EAAE;QACvC;MACF;IACF;EACF;AAGA,QAAM;IACJ;IACA;IACA;IACA;IACA,GAAG,aACA,MAAM,GAAG,EAAE,EACX;MACC,CAAC,MACC,OAAO,EAAE,SAAS,MAAM,GAAG,EAAE,MAAM,EAAE,EAAE,KAAK,GAAG,CAAC,QAAQ,EAAE,MAAM,OAAO,EAAE,SAAS,KAAK,EAAE,SAAS;IACtG;IACF;EACF;AAEA,QAAM;IACJ;IACA;EACF;AAEA,SAAO,MAAM,KAAK,IAAI;AACxB;AC3SO,SAAS,kBAAkB,OAAe,MAAsB;AACrE,SAAO;IACL;IACA;IACA,kBAAkB,KAAK,IAAI,IAAI;IAC/B;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;EACF,EAAE,KAAK,IAAI;AACb;ACDA,IAAMA,OAAMC,aAAa,kBAAkB;AAmBpC,IAAM,kBAAN,MAAkD;EACvD,OAAO;EACP,cAAc;EACd,eAAsC;IACpC;IACA;IACA;IACA;EACF;EAEQ;EACA;EACA;EACA;EACA,cAA0C;EAElD,YAAY,QAA+B;AACzC,SAAK,QAAQ,OAAO;AACpB,SAAK,OAAO,OAAO;AACnB,SAAK,QAAQ,OAAO,SAAS;AAC7B,SAAK,SAAS
,IAAI,aAAa;MAC7B,OAAO,OAAO;MACd,eAAe,OAAO;MACtB,OAAO,OAAO;MACd,gBAAgB,OAAO;IACzB,CAAC;EACH;EAEA,WAAgC;AAC9B,QAAI,CAAC,KAAK,aAAa;AACrB,WAAK,cAAc;QACjB,GAAG,gBAAgB,KAAK,QAAQ,KAAK,OAAO,KAAK,IAAI;QACrD,GAAG,mBAAmB,KAAK,QAAQ,KAAK,OAAO,KAAK,IAAI;QACxD,GAAG,oBAAoB;UACrB,QAAQ,KAAK;UACb,OAAO,KAAK;UACZ,MAAM,KAAK;UACX,OAAO,KAAK;QACd,CAAC;MACH;IACF;AACA,WAAO,KAAK;EACd;EAEA,MAAM,cAAqC;AACzC,UAAM,SAAS,MAAM,KAAK,OAAO,YAAY;AAC7C,WAAO;MACL,IAAI,OAAO;MACX,WAAW,OAAO;MAClB,SAAS,OAAO,KACZ,oBAAoB,OAAO,IAAI,QAAQ,KAAK,KAAK,IAAI,KAAK,IAAI,KAC9D;IACN;EACF;EAEA,YAAoB;AAClB,WAAO,kBAAkB,KAAK,OAAO,KAAK,IAAI;EAChD;;EAGA,YAA0B;AACxB,WAAO,KAAK;EACd;AACF;AAKO,SAAS,sBACd,OACA,MACA,YACwB;AACxB,QAAM,QAAQ,aAAa,cAAc,KAAK,QAAQ,IAAI;AAC1D,QAAM,SACJ,aAAa,wBAAwB,KACrC,QAAQ,IAAI;AACd,QAAM,QAAQ,aAAa,eAAe,KAAK,QAAQ,IAAI;AAC3D,QAAM,YACJ,aAAa,wBAAwB,KACrC,QAAQ,IAAI;AAEd,MAAI,CAAC,SAAS,CAAC,QAAQ;AACrBD,SAAI,MAAM,uDAAkD;AAC5D,WAAO;EACT;AAEA,SAAO,IAAI,gBAAgB;IACzB,OAAO,SAAS;IAChB,eAAe,UAAU;IACzB,OAAO,SAAS;IAChB,gBAAgB,aAAa;IAC7B;IACA;EACF,CAAC;AACH;ACvHA,eAAsB,wBACpB,QAC6B;AAC7B,QAAM,aAAiC,CAAC;AAExC,QAAM,UAAU,OAAO,QAAQ,OAAO,cAAc,CAAC,CAAC;AACtD,MAAI,QAAQ,WAAW,EAAG,QAAO;AAGjC,QAAM,UAAU,MAAM,QAAQ;IAC5B,QACG,OAAO,CAAC,CAAC,EAAE,GAAG,MAAM,IAAI,YAAY,KAAK,EACzC,IAAI,OAAO,CAAC,IAAI,GAAG,MAAM;AACxB,YAAM,YAAY,IAAI,iBAAiB,IAAI,GAAU;AACrD,YAAM,UAAU,WAAW;AAC3B,aAAO;IACT,CAAC;EACL;AAEA,aAAW,UAAU,SAAS;AAC5B,QAAI,OAAO,WAAW,aAAa;AACjC,iBAAW,KAAK,OAAO,KAAK;IAC9B;EAEF;AAEA,SAAO;AACT;AC5BA,IAAM,YAAY,OAAO,KAAK,+BAA+B;AAC7D,IAAM,YAAY,OAAO,KAAK,cAAc;AAC5C,IAAM,aAAa;AAOZ,SAAS,gBACd,cACA,UACQ;AACR,QAAM,OAAO,OAAO,OAAO,CAAC,WAAW,OAAO,KAAK,IAAI,QAAQ,EAAE,CAAC,CAAC;AACnE,SAAO,OAAO;IACZ,SAAS,UAAU,cAAc,WAAW,MAAM,UAAU;EAC9D;AACF;AAOO,SAAS,aAAa,KAAsC;AAGjE,SAAO,KAAK,UAAU,KAAK,CAAC,MAAM,UAAU;AAC1C,QAAI,SAAS,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK,GAAG;AAC/D,aAAO,OAAO,KAAK,KAAK,EACrB,KAAK,EACL,OAAO,CAAC,QAAiC,MAAM;AAC9C,eAAO,CAAC,IAAI,MAAM,CAAC;AACnB,eAAO;MACT,GAAG,CAAC,CAAC;IACT;AACA,WAAO;EACT,CAAC;AACH;AAMO,SAAS,UACd,OACA,cACQ;AACR,QAAM,MAAM,gBAAgB,cA
Ac,MAAM,SAAS;AACzD,QAAM,UAAU,aAAa,KAAgC;AAC7D,SAAO,WAAW,UAAU,GAAG,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK;AAC/D;AAOA,IAAM,wBAAwB;AAEvB,SAAS,YACd,OACA,cACS;AAET,MAAI,CAAC,MAAM,UAAW,QAAO;AAM7B,MAAI,CAAC,MAAM,UAAW,QAAO;AAC7B,QAAM,YAAY,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ;AACpD,MAAI,OAAO,MAAM,SAAS,EAAG,QAAO;AACpC,QAAM,QAAQ,KAAK,IAAI,KAAK,IAAI,IAAI,SAAS;AAC7C,MAAI,QAAQ,wBAAwB,IAAM,QAAO;AAEjD,QAAM,EAAE,WAAW,GAAG,KAAK,IAAI;AAC/B,QAAM,WAAW,UAAU,MAAM,YAAY;AAG7C,QAAM,SAAS,OAAO,KAAK,WAAW,KAAK;AAC3C,QAAM,cAAc,OAAO,KAAK,UAAU,KAAK;AAC/C,MAAI,OAAO,WAAW,YAAY,OAAQ,QAAO;AACjD,SAAO,gBAAgB,QAAQ,WAAW;AAC5C;AAKO,SAAS,kBACd,MACA,UACA,SACA,MACA,cACA,MACe;AACf,QAAM,WAAW;IACf,IAAI,WAAW;IACf;IACA,WAAW;IACX;IACA,YAAW,oBAAI,KAAK,GAAE,YAAY;IAClC;IACA,gBAAgB,MAAM,iBAAiB;IACvC,GAAI,MAAM,gBAAgB,EAAE,gBAAgB,KAAK,cAAc,IAAI,CAAC;EACtE;AAEA,QAAM,YAAY,UAAU,UAAU,YAAY;AAClD,SAAO,EAAE,GAAG,UAAU,UAAU;AAClC;AC3FO,SAAS,UAAU,OAAe,WAA+B;AACtE,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,GAAG;AACtB,WAAO,EAAE,eAAe,OAAO,OAAO,gBAAgB;EACxD;AAEA,QAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAG9C,QAAM,eAAe,GAAG,SAAS,IAAI,UAAU;AAC/C,QAAM,cAAcI,YAAW,UAAU,SAAS,EAC/C,OAAO,YAAY,EACnB,OAAO;AACV,QAAM,YAAY,OAAO,KAAK,cAAc,WAAW;AAEvD,MACE,YAAY,WAAW,UAAU,UACjC,CAACC,iBAAgB,aAAa,SAAS,GACvC;AACA,WAAO,EAAE,eAAe,OAAO,OAAO,oBAAoB;EAC5D;AAGA,MAAI;AACJ,MAAI;AACF,cAAU,KAAK;MACb,OAAO,KAAK,YAAY,WAAW,EAAE,SAAS,OAAO;IACvD;EACF,QAAQ;AACN,WAAO,EAAE,eAAe,OAAO,OAAO,2BAA2B;EACnE;AAGA,MAAI;AACF,UAAM,SAAS,KAAK;MAClB,OAAO,KAAK,WAAW,WAAW,EAAE,SAAS,OAAO;IACtD;AACA,QAAI,OAAO,QAAQ,SAAS;AAC1B,aAAO;QACL,eAAe;QACf,OAAO,0BAA0B,OAAO,GAAG;MAC7C;IACF;EACF,QAAQ;AACN,WAAO,EAAE,eAAe,OAAO,OAAO,0BAA0B;EAClE;AAGA,MAAI,CAAC,QAAQ,KAAK;AAChB,WAAO,EAAE,eAAe,OAAO,OAAO,iCAAiC;EACzE;AACA,MAAI,QAAQ,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,GAAG;AAC/C,WAAO,EAAE,eAAe,OAAO,OAAO,gBAAgB;EACxD;AAGA,MAAI,CAAC,QAAQ,sBAAsB,CAAC,QAAQ,KAAK;AAC/C,WAAO;MACL,eAAe;MACf,OAAO;IACT;EACF;AAEA,SAAO,EAAE,eAAe,MAAM,QAAQ;AACxC;AAKO,SAAS,mBACd,YACe;AACf,MAAI,CAAC,YAAY,WAAW,SAAS,EAAG,QAAO;AAC/C,SAAO,WAAW,MAAM,CAAC;AAC3B;AC/FA,IAAM,qBA
AqBF,iBAAE,OAAO;EAClC,OAAOA,iBAAE,KAAK,CAAC,gBAAgB,MAAM,CAAC,EAAE,QAAQ,cAAc;EAC9D,SAASA,iBAAE,KAAK,CAAC,eAAe,WAAW,MAAM,CAAC,EAAE,QAAQ,SAAS;EACrE,cAAcA,iBAAE,OAAO,EAAE,QAAQ,oBAAoB;AACvD,CAAC;AAED,IAAM,2BAA2BA,iBAAE,OAAO;EACxC,aAAaA,iBAAE,KAAK,CAAC,eAAe,UAAU,MAAM,CAAC,EAAE,QAAQ,aAAa;EAC5E,UAAUA,iBAAE,KAAK,CAAC,cAAc,WAAW,MAAM,CAAC,EAAE,QAAQ,MAAM;AACpE,CAAC;AAED,IAAM,sBAAsBA,iBAAE,OAAO;EACnC,SAASA,iBAAE,KAAK,CAAC,eAAe,MAAM,CAAC,EAAE,QAAQ,aAAa;EAC9D,WAAWA,iBAAE,OAAO,EAAE,QAAQ,IAAI;AACpC,CAAC;AAED,IAAM,iBAAiBA,iBAAE,OAAO;EAC9B,UAAUA,iBAAE,OAAO,EAAE,IAAI;EACzB,QAAQA,iBAAE,OAAO,EAAE,QAAQ,SAAS;EACpC,MAAM,mBAAmB,QAAQ,CAAC,CAAC;EACnC,YAAY,yBAAyB,QAAQ,CAAC,CAAC;EAC/C,OAAO,oBAAoB,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,IAAM,aAAaA,iBAAE,OAAO;EAC1B,SAASA,iBAAE,MAAMA,iBAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AACzC,CAAC;AAED,IAAM,cAAcA,iBAAE,OAAO;EAC3B,WAAWA,iBAAE,MAAMA,iBAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;EACzC,YAAYA,iBAAE,MAAMA,iBAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC5C,CAAC;AAED,IAAM,mBAAmBA,iBAAE,OAAO;EAChC,QAAQA,iBAAE,OAAO;AACnB,CAAC;AAEM,IAAM,wBAAwBA,iBAAE,OAAO;EAC5C,SAASA,iBAAE,OAAO;IAChB,IAAIA,iBACD,OAAO,EACP;MACC;MACA;IACF;IACF,MAAMA,iBAAE,OAAO;IACf,SAASA,iBAAE,OAAO;EACpB,CAAC;EACD,UAAU;EACV,cAAcA,iBAAE,MAAM,gBAAgB,EAAE,QAAQ,CAAC,CAAC;EAClD,QAAQ,YAAY,QAAQ,CAAC,CAAC;EAC9B,MAAM,WAAW,QAAQ,CAAC,CAAC;AAC7B,CAAC;AASM,SAAS,cAAc,aAI5B;AAGA,MAAI;AAEF,UAAM,OAAO,KAAK,MAAM,WAAW;AACnC,WAAO,qBAAqB,IAAI;EAClC,QAAQ;AACN,WAAO;MACL,IAAI;MACJ,QAAQ;QACN;MACF;IACF;EACF;AACF;AAKO,SAAS,qBAAqB,MAInC;AACA,QAAM,SAAS,sBAAsB,UAAU,IAAI;AACnD,MAAI,OAAO,SAAS;AAClB,WAAO,EAAE,IAAI,MAAM,UAAU,OAAO,KAAK;EAC3C;AACA,QAAM,SAAS,OAAO,MAAM,OAAO;IACjC,CAAC,MAAM,GAAG,EAAE,KAAK,KAAK,GAAG,CAAC,KAAK,EAAE,OAAO;EAC1C;AACA,SAAO,EAAE,IAAI,OAAO,OAAO;AAC7B;AAOO,SAAS,yBACd,WACA,aACA,SACQ;AACR,SAAO;;;;SAIA,SAAS;WACP,WAAW;;;;;eAKP,OAAO;;;;;;;;;;;;;;;;;;;;;WAqBX,SAAS;;;;;;;;AAQpB;AAeA,eAAsB,sBACpB,SACA,MACyB;AACzB,QAAM,UAAU,MAAM,WAAW;AACjC,QAAM,UAA0B,CAAC;AAEjC,QAAM,UAAkC;IACtC,gBAAgB;EAClB;AACA,MAAI,MAAM,OAAO;AACf,YAAQ,eAAe,IAAI,UAAU,KAAK,KAAK;E
ACjD;AAGA,UAAQ;IACN,MAAM,cAAc,OAAO,GAAG,OAAO,WAAW;MAC9C;MACA,UAAU,CAAC,SAAS;AAClB,YAAI,CAAC,KAAK,OAAQ,QAAO;AACzB,YAAI,CAAC,KAAK,QAAS,QAAO;AAC1B,eAAO;MACT;IACF,CAAC;EACH;AAGA,UAAQ;IACN,MAAM,cAAc,OAAO,GAAG,OAAO,0BAA0B;MAC7D;MACA;MACA,UAAU,CAAC,SAAS;AAClB,cAAM,OAAO,KAAK,QAAQ;AAC1B,YAAI,CAAC,MAAM,QAAQ,IAAI,EAAG,QAAO;AACjC,eAAO;MACT;IACF,CAAC;EACH;AAGA,UAAQ;IACN,MAAM,cAAc,QAAQ,GAAG,OAAO,2BAA2B;MAC/D;MACA;MACA,MAAM,KAAK,UAAU;QACnB,IAAI;QACJ,MAAM;QACN,WAAW;QACX,SAAS;QACT,YAAW,oBAAI,KAAK,GAAE,YAAY;QAClC,MAAM,CAAC;QACP,gBAAgB;QAChB,WAAW;MACb,CAAC;;MAED,gBAAgB,CAAC,KAAK,KAAK,GAAG;MAC9B,UAAU,MAAM;IAClB,CAAC;EACH;AAGA,UAAQ;IACN,MAAM,cAAc,QAAQ,GAAG,OAAO,4BAA4B;MAChE;MACA;MACA,MAAM,KAAK,UAAU;QACnB,IAAI;QACJ,MAAM;QACN,MAAM;MACR,CAAC;MACD,gBAAgB,CAAC,KAAK,KAAK,KAAK,KAAK,KAAK,GAAG;MAC7C,UAAU,MAAM;IAClB,CAAC;EACH;AAEA,SAAO;AACT;AAEA,eAAe,cACb,QACA,KACA,MAOuB;AACvB,QAAM,QAAQ,KAAK,IAAI;AACvB,QAAM,eAAe,IAAI,IAAI,GAAG,EAAE;AAElC,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,KAAK;MAC3B;MACA,SAAS,KAAK;MACd,MAAM,KAAK;MACX,QAAQ,YAAY,QAAQ,KAAK,OAAO;IAC1C,CAAC;AAED,UAAM,YAAY,KAAK,IAAI,IAAI;AAC/B,UAAM,aAAa,KAAK,kBAAkB,CAAC,GAAG;AAE9C,QAAI,CAAC,WAAW,SAAS,IAAI,MAAM,GAAG;AAEpC,UAAI,IAAI,WAAW,KAAK;AACtB,eAAO;UACL,UAAU,GAAG,MAAM,IAAI,YAAY;UACnC,QAAQ;UACR,SAAS;UACT;QACF;MACF;AACA,aAAO;QACL,UAAU,GAAG,MAAM,IAAI,YAAY;QACnC,QAAQ;QACR,SAAS,QAAQ,IAAI,MAAM;QAC3B;MACF;IACF;AAEA,QAAI,OAAY,CAAC;AACjB,QAAI;AACF,aAAO,MAAM,IAAI,KAAK;IACxB,QAAQ;IAER;AAEA,UAAM,QAAQ,KAAK,SAAS,IAAI;AAChC,QAAI,OAAO;AACT,aAAO;QACL,UAAU,GAAG,MAAM,IAAI,YAAY;QACnC,QAAQ;QACR,SAAS;QACT;MACF;IACF;AAEA,WAAO;MACL,UAAU,GAAG,MAAM,IAAI,YAAY;MACnC,QAAQ;MACR,SAAS,GAAG,IAAI,MAAM;MACtB;IACF;EACF,SAAS,KAAK;AACZ,UAAM,YAAY,KAAK,IAAI,IAAI;AAC/B,UAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,QAAI,IAAI,SAAS,SAAS,KAAK,IAAI,SAAS,OAAO,GAAG;AACpD,aAAO;QACL,UAAU,GAAG,MAAM,IAAI,YAAY;QACnC,QAAQ;QACR,SAAS,YAAY,KAAK,OAAO;QACjC;MACF;IACF;AACA,WAAO;MACL,UAAU,GAAG,MAAM,IAAI,YAAY;MACnC,QAAQ;MACR,SAAS;MACT;IACF;EACF;AACF;","names":["createHmac","timingSafeEqual","log","createLogger","de
fineTool","z","createHmac","timingSafeEqual"]}
|
|
1
|
+
{"version":3,"sources":["../../godmode/src/prompt.ts","../../godmode/src/connector-registry.ts","../../godmode/src/blast-radius.ts","../../godmode/src/product-connector.ts","../../godmode/src/connectors/github/client.ts","../../godmode/src/connectors/github/tools/repo.ts","../../godmode/src/connectors/github/tools/webhook.ts","../../godmode/src/connectors/github/tools/pr-review.ts","../../godmode/src/connectors/github/prompt.ts","../../godmode/src/connectors/github/index.ts","../../godmode/src/product-factory.ts","../../godmode/src/signing.ts","../../godmode/src/jwt.ts","../../godmode/src/manifest.ts"],"sourcesContent":["/**\n * God Mode System Prompt — dynamically built from healthy connectors.\n *\n * The prompt describes capabilities (not products), so swapping\n * CrowdStrike for SentinelOne changes a connector file, not the UX.\n */\n\nimport type {\n GodModeConfig,\n GodModeConnectionResult,\n ConnectorCapability,\n} from \"./types.js\";\n\n/** Map capabilities to human-readable descriptions for the prompt. 
*/\nconst CAPABILITY_LABELS: Record<ConnectorCapability, string> = {\n \"endpoint-management\":\n \"device management (status, protection, isolation, scanning)\",\n \"endpoint-security\": \"endpoint security (EDR, antivirus, compliance)\",\n backup: \"backup management (coverage, status, retry, health assessment)\",\n \"service-discovery\": \"asset discovery (inventory, classification, merging)\",\n \"email-security\": \"email security (threat scanning, verdicts, feedback)\",\n communication: \"communication management\",\n \"trust-graph\": \"trust graph analysis (identity relationships, attack paths)\",\n quarantine: \"message quarantine (isolate, release, bulk actions)\",\n compute: \"VM management (create, destroy, status, migrate)\",\n storage: \"storage management (volumes, snapshots, restore)\",\n network: \"network management (VLANs, firewalls, IPs, WireGuard)\",\n migration: \"live migration (cross-platform VM migration)\",\n marketing: \"marketing automation\",\n \"lead-management\": \"lead qualification and enrichment\",\n campaigns: \"campaign management (launch, status, analytics)\",\n infrastructure: \"infrastructure as code (Terraform plan/apply)\",\n dns: \"DNS management (records, propagation)\",\n deployment: \"deployment management\",\n \"user-management\": \"user management (status, access control)\",\n \"access-control\": \"access control (enable, disable, password reset)\",\n compliance: \"compliance auditing (SOC 2, HIPAA, PCI-DSS, GDPR)\",\n audit: \"audit logging\",\n evidence: \"evidence chain (cryptographic, tamper-evident)\",\n};\n\nexport function buildGodModePrompt(\n connected: GodModeConnectionResult[\"connectedSystems\"],\n config: GodModeConfig,\n): { text: string; cacheable: boolean } {\n const deferred = config.deferToolSchemas === true;\n if (connected.length === 0) {\n return {\n text: \"## God Mode\\n\\nNo systems connected. 
Configure connectors in brainstorm.toml [godmode] section.\",\n cacheable: true,\n };\n }\n\n const sections: string[] = [];\n\n sections.push(`## God Mode — Infrastructure Control Plane\n\nYou have authority over ${connected.length} connected system(s). Translate natural language into actions.`);\n\n // Connected systems with capabilities\n sections.push(\"\\n### Connected Systems\\n\");\n for (const sys of connected) {\n const caps = sys.capabilities\n .map((c) => CAPABILITY_LABELS[c] ?? c)\n .join(\", \");\n sections.push(`- **${sys.displayName}** (${sys.latencyMs}ms): ${caps}`);\n }\n\n if (deferred) {\n sections.push(`\n### Tool Discovery\n\nConnector tool schemas are deferred — only their names and descriptions are\nloaded. To use a connector tool, first call \\`tool_search\\` with keywords\nthat match the capability you need (e.g. \"isolate endpoint\", \"quarantine\nmessage\", \"create vm\"). Matching tools become available in the next turn.\nChangeSet meta-tools (\\`gm_changeset_*\\`) are always available without\nsearch.`);\n }\n\n // Safety protocol\n sections.push(`\n### Safety Protocol\n\nEvery destructive action returns a **ChangeSet** — a simulation of what will happen. You MUST:\n1. Present the ChangeSet to the user: what changes, risk score, cascades, estimated duration\n2. Wait for explicit approval before calling \\`gm_changeset_approve\\`\n3. If risk score > 50, warn the user explicitly about each risk factor\n4. Never auto-approve ChangeSet execution — always present and wait\n5. If the user says \"no\" or \"cancel\", call \\`gm_changeset_reject\\`\n\n### Entity Resolution\n\nUsers refer to things by name (\"John's computer\", \"the QA server\"), not system IDs.\n1. Call the relevant status/search/list tool to resolve the entity\n2. If multiple matches, present options and ask the user to pick\n3. 
If no match, say so and suggest alternative search terms\n\n### Cross-System Actions\n\nWhen a request involves multiple systems (e.g., \"disable Todd everywhere\"):\n1. Identify all systems that need to act\n2. Call each system's tools in sequence\n3. Present a unified summary of ALL changesets before requesting approval\n4. One approval gates everything`);\n\n return {\n text: sections.join(\"\\n\"),\n cacheable: true,\n };\n}\n","/**\n * Connector Registry — auto-discovery and health monitoring.\n *\n * On startup, probes each configured connector's health endpoint.\n * Healthy connectors get their tools registered. Unhealthy ones are skipped\n * with an error message. The system prompt is dynamically built from\n * whatever is healthy.\n */\n\nimport type { BrainstormToolDef } from \"@brainst0rm/tools\";\nimport type {\n GodModeConnector,\n GodModeConfig,\n GodModeConnectionResult,\n} from \"./types.js\";\nimport { getChangeSetTools } from \"./changeset.js\";\nimport { buildGodModePrompt } from \"./prompt.js\";\n\n/**\n * Connect all configured God Mode connectors.\n *\n * 1. Probe each connector's health endpoint\n * 2. Register healthy connectors' tools into the ToolRegistry\n * 3. Register ChangeSet tools (always)\n * 4. Build dynamic system prompt from healthy connectors\n * 5. Return connection results\n */\n/** Duck-typed registry — accepts anything with a register(tool) method. 
*/\ninterface ToolRegistryLike {\n register(tool: BrainstormToolDef): void;\n}\n\nexport async function connectGodMode(\n registry: ToolRegistryLike,\n config: GodModeConfig,\n connectors: GodModeConnector[],\n): Promise<GodModeConnectionResult> {\n const connected: GodModeConnectionResult[\"connectedSystems\"] = [];\n const errors: GodModeConnectionResult[\"errors\"] = [];\n\n // Health check all connectors in parallel (15s timeout per connector).\n // Caller-owned timer + AbortController so the listener is cleaned up when\n // healthCheck() wins the race — otherwise the abort handler stays attached\n // to an AbortSignal.timeout() and fires on an already-resolved promise\n // 15s later, leaking the reject closure per connector per run.\n const HEALTH_CHECK_TIMEOUT_MS = 15_000;\n const results = await Promise.allSettled(\n connectors.map(async (connector) => {\n const timeoutController = new AbortController();\n const timeoutTimer = setTimeout(\n () => timeoutController.abort(),\n HEALTH_CHECK_TIMEOUT_MS,\n );\n try {\n const health = await Promise.race([\n connector.healthCheck(),\n new Promise<never>((_, reject) => {\n timeoutController.signal.addEventListener(\n \"abort\",\n () =>\n reject(\n new Error(\n `Health check timeout (${HEALTH_CHECK_TIMEOUT_MS}ms)`,\n ),\n ),\n { once: true },\n );\n }),\n ]);\n return { connector, health };\n } finally {\n clearTimeout(timeoutTimer);\n }\n }),\n );\n\n // Register healthy connectors' tools\n for (const result of results) {\n if (result.status === \"rejected\") {\n continue;\n }\n\n const { connector, health } = result.value;\n\n if (!health.ok) {\n errors.push({\n name: connector.name,\n error: health.message ?? `Health check failed (${health.latencyMs}ms)`,\n });\n continue;\n }\n\n // Register all tools from this connector. 
When Code Mode is enabled,\n // mark each as deferred so the schema stays out of the prompt until\n // the model resolves it via `tool_search`.\n const tools = connector.getTools();\n for (const tool of tools) {\n if (config.deferToolSchemas) {\n tool.deferred = true;\n }\n registry.register(tool);\n }\n\n connected.push({\n name: connector.name,\n displayName: connector.displayName,\n capabilities: connector.capabilities,\n latencyMs: health.latencyMs,\n toolCount: tools.length,\n });\n }\n\n // Always register ChangeSet tools\n const csTools = getChangeSetTools();\n for (const tool of csTools) {\n registry.register(tool);\n }\n\n // Build dynamic prompt — base + connector-specific intelligence\n const promptSegment = buildGodModePrompt(connected, config);\n\n // Append connector-specific prompt segments (e.g., agent OODA intelligence)\n for (const result of results) {\n if (result.status !== \"fulfilled\") continue;\n const { connector, health } = result.value;\n if (!health.ok) continue;\n if (typeof connector.getPrompt === \"function\") {\n promptSegment.text += \"\\n\" + connector.getPrompt();\n }\n }\n\n return {\n connectedSystems: connected,\n errors,\n promptSegment,\n totalTools:\n connected.reduce((sum, c) => sum + c.toolCount, 0) + csTools.length,\n };\n}\n","/**\n * Blast Radius Computation — maps code changes to affected symbols and sectors.\n *\n * When a ChangeSet simulation runs, this module queries the code knowledge graph\n * to compute the structural blast radius: what functions are transitively affected,\n * which community sectors are impacted, and what the risk multiplier is.\n *\n * Critical sectors (auth, crypto, parsing) multiply the risk score.\n */\n\nimport type { BlastRadius } from \"./types.js\";\nimport { createLogger } from \"@brainst0rm/shared\";\n\n/** Escape SQL LIKE wildcards to prevent unintended pattern matching. 
*/\nfunction escapeLike(s: string): string {\n return s.replace(/%/g, \"\\\\%\").replace(/_/g, \"\\\\_\");\n}\n\nconst log = createLogger(\"blast-radius\");\n\n/** Tier-based risk multipliers. */\nconst TIER_RISK: Record<string, number> = {\n critical: 3.0,\n complex: 1.5,\n standard: 1.0,\n simple: 0.5,\n};\n\n/**\n * Compute blast radius for a set of changed files using the code graph.\n *\n * The graph parameter is duck-typed to avoid a hard dependency on @brainst0rm/code-graph.\n * It needs: getDb(), impactAnalysis(), findDefinition()\n */\nexport function computeBlastRadius(\n changedFiles: string[],\n graph: {\n getDb: () => any;\n impactAnalysis: (\n name: string,\n maxDepth?: number,\n ) => Array<{ name: string; depth: number; file: string }>;\n findDefinition: (name: string) => any[];\n },\n maxDepth = 3,\n): BlastRadius {\n const db = graph.getDb();\n const allAffected = new Map<\n string,\n { name: string; file: string; depth: number }\n >();\n const affectedCommunityIds = new Set<string>();\n\n for (const file of changedFiles) {\n // Find all functions defined in this file\n const functions = db\n .prepare(\"SELECT name FROM functions WHERE file = ? OR file LIKE ?\")\n .all(file, `%${escapeLike(file)}`) as Array<{ name: string }>;\n\n for (const fn of functions) {\n // Run impact analysis (transitive callers)\n const impact = graph.impactAnalysis(fn.name, maxDepth);\n for (const item of impact) {\n if (!allAffected.has(item.name)) {\n allAffected.set(item.name, item);\n }\n }\n }\n\n // Find which communities contain nodes in this file\n const communities = db\n .prepare(\n \"SELECT DISTINCT community_id FROM nodes WHERE (file = ? OR file LIKE ?) 
AND community_id IS NOT NULL\",\n )\n .all(file, `%${escapeLike(file)}`) as Array<{ community_id: string }>;\n\n for (const c of communities) {\n affectedCommunityIds.add(c.community_id);\n }\n }\n\n // Also find communities of transitively affected symbols\n for (const [, item] of allAffected) {\n const nodes = db\n .prepare(\n \"SELECT community_id FROM nodes WHERE name = ? AND community_id IS NOT NULL\",\n )\n .all(item.name) as Array<{ community_id: string }>;\n for (const n of nodes) {\n affectedCommunityIds.add(n.community_id);\n }\n }\n\n // Build community details\n const affectedCommunities: BlastRadius[\"affectedCommunities\"] = [];\n for (const communityId of affectedCommunityIds) {\n const community = db\n .prepare(\"SELECT id, name, metadata_json FROM communities WHERE id = ?\")\n .get(communityId) as\n | { id: string; name: string; metadata_json: string }\n | undefined;\n\n if (community) {\n let tier = \"standard\";\n try {\n const meta = JSON.parse(community.metadata_json);\n tier = meta.tier ?? \"standard\";\n } catch {\n /* ignore */\n }\n\n affectedCommunities.push({\n id: community.id,\n name: community.name ?? communityId,\n tier,\n });\n }\n }\n\n // Compute risk multiplier — max tier risk across all affected communities\n let riskMultiplier = 1.0;\n for (const c of affectedCommunities) {\n const tierRisk = TIER_RISK[c.tier] ?? 
1.0;\n if (tierRisk > riskMultiplier) riskMultiplier = tierRisk;\n }\n\n const result: BlastRadius = {\n affectedSymbols: Array.from(allAffected.values()),\n affectedCommunities,\n riskMultiplier,\n totalAffected: allAffected.size,\n };\n\n log.debug(\n {\n changedFiles: changedFiles.length,\n totalAffected: result.totalAffected,\n communities: affectedCommunities.length,\n riskMultiplier,\n },\n \"Blast radius computed\",\n );\n\n return result;\n}\n","/**\n * Generic Product Connector — talks to ANY product implementing the platform contract.\n *\n * Replaces product-specific connectors (MSPConnector, EmailConnector, VMConnector).\n * Discovers tools at runtime by fetching GET /api/v1/god-mode/tools from the product.\n * Executes tools via POST /api/v1/god-mode/execute.\n *\n * Adding a new product to the platform = adding a config entry. Zero code changes.\n */\n\nimport { z } from \"zod\";\nimport { defineTool, type BrainstormToolDef } from \"@brainst0rm/tools\";\nimport type { ToolPermission } from \"@brainst0rm/shared\";\nimport type {\n GodModeConnector,\n ConnectorCapability,\n ConnectorConfig,\n HealthResult,\n} from \"./types.js\";\nimport { createChangeSet, registerExecutor } from \"./changeset.js\";\n\n// ── JSONSchema → Zod Converter ──────────────────────────────────\n\n/**\n * Convert a JSONSchema property to a Zod schema.\n * Handles the subset used by God Mode tool definitions.\n */\nfunction jsonSchemaPropertyToZod(prop: Record<string, unknown>): z.ZodTypeAny {\n const type = prop.type as string | undefined;\n const description = prop.description as string | undefined;\n\n let schema: z.ZodTypeAny;\n\n if (prop.enum && Array.isArray(prop.enum)) {\n const values = prop.enum as [string, ...string[]];\n schema = z.enum(values);\n } else {\n switch (type) {\n case \"string\":\n schema = z.string();\n break;\n case \"number\":\n case \"integer\":\n schema = z.number();\n break;\n case \"boolean\":\n schema = z.boolean();\n break;\n case \"array\": {\n 
const items = prop.items as Record<string, unknown> | undefined;\n schema = z.array(items ? jsonSchemaPropertyToZod(items) : z.any());\n break;\n }\n case \"object\": {\n const nested = prop.properties as\n | Record<string, Record<string, unknown>>\n | undefined;\n if (nested) {\n schema = jsonSchemaToZod(prop);\n } else {\n schema = z.record(z.any());\n }\n break;\n }\n default:\n schema = z.any();\n }\n }\n\n if (description) {\n schema = schema.describe(description);\n }\n\n if (prop.default !== undefined) {\n schema = schema.default(prop.default);\n }\n\n return schema;\n}\n\n/**\n * Convert a JSONSchema object definition to a Zod object schema.\n */\nfunction jsonSchemaToZod(schema: Record<string, unknown>): z.ZodObject<any> {\n const properties = (schema.properties ?? {}) as Record<\n string,\n Record<string, unknown>\n >;\n const required = new Set((schema.required ?? []) as string[]);\n\n const shape: Record<string, z.ZodTypeAny> = {};\n for (const [key, prop] of Object.entries(properties)) {\n let fieldSchema = jsonSchemaPropertyToZod(prop);\n if (!required.has(key)) {\n fieldSchema = fieldSchema.optional();\n }\n shape[key] = fieldSchema;\n }\n\n return z.object(shape);\n}\n\n// ── Permission Mapping ──────────────────────────────────────────\n\nfunction riskToPermission(\n riskLevel: string,\n requiresChangeset: boolean,\n): ToolPermission {\n if (riskLevel === \"read_only\") return \"auto\";\n if (riskLevel === \"low\" && !requiresChangeset) return \"auto\";\n return \"confirm\";\n}\n\n// ── Product Connector ───────────────────────────────────────────\n\n/**\n * Server tool shape from GET /api/v1/god-mode/tools.\n */\ninterface ServerTool {\n name: string;\n domain: string;\n product: string;\n description: string;\n parameters: Record<string, unknown>;\n risk_level: string;\n requires_changeset: boolean;\n evidence_type?: string;\n}\n\nexport class ProductConnector implements GodModeConnector {\n name: string;\n displayName: string;\n capabilities: 
ConnectorCapability[] = [];\n\n private config: ConnectorConfig & { displayName?: string };\n private tools: BrainstormToolDef[] = [];\n private initialized = false;\n\n constructor(id: string, config: ConnectorConfig & { displayName?: string }) {\n this.name = id;\n this.displayName =\n config.displayName ?? id.charAt(0).toUpperCase() + id.slice(1);\n this.config = config;\n }\n\n /**\n * Fetch tool definitions from the product server.\n * Must be called before getTools(). Failures are non-fatal.\n */\n async initialize(): Promise<void> {\n try {\n const res = await this.apiFetch(\"/api/v1/god-mode/tools\");\n\n if (res.error) {\n console.warn(\n `[godmode] ${this.displayName}: tools endpoint unavailable — ${res.error}`,\n );\n this.initialized = true;\n return;\n }\n\n // Server may return { tools: [...] } or { data: [...] } or just [...]\n const serverTools: ServerTool[] =\n res.tools ?? res.data ?? (Array.isArray(res) ? res : []);\n\n // Derive capabilities from tool domains\n const domains = new Set(serverTools.map((t) => t.domain));\n this.capabilities = [...domains] as ConnectorCapability[];\n\n // Update display name from server if available\n if (res.product) {\n this.displayName = `Brainstorm${res.product.charAt(0).toUpperCase() + res.product.slice(1)}`;\n }\n\n // Convert each server tool to a BrainstormToolDef\n this.tools = serverTools.map((st) => this.convertTool(st));\n this.initialized = true;\n } catch (err) {\n const msg = err instanceof Error ? 
err.message : String(err);\n console.warn(\n `[godmode] ${this.displayName}: initialization failed — ${msg}`,\n );\n this.initialized = true;\n }\n }\n\n async healthCheck(): Promise<HealthResult> {\n const start = Date.now();\n try {\n const res = await this.apiFetch(\"/health\");\n const latencyMs = Date.now() - start;\n\n if (res.error) {\n return { ok: false, latencyMs, message: res.error };\n }\n\n return {\n ok: res.status === \"healthy\" || res.status === \"ok\" || !!res.status,\n latencyMs,\n message: res.version ? `v${res.version}` : undefined,\n };\n } catch {\n return {\n ok: false,\n latencyMs: Date.now() - start,\n message: \"Unreachable\",\n };\n }\n }\n\n getTools(): BrainstormToolDef[] {\n return this.tools;\n }\n\n // ── Tool Conversion ─────────────────────────────────────────\n\n private convertTool(serverTool: ServerTool): BrainstormToolDef {\n // Convert dots to underscores for AI SDK compatibility\n const toolName = serverTool.name.replace(/\\./g, \"_\");\n const inputSchema = jsonSchemaToZod(serverTool.parameters);\n const permission = riskToPermission(\n serverTool.risk_level,\n serverTool.requires_changeset,\n );\n const readonly = serverTool.risk_level === \"read_only\";\n const connector = this;\n\n if (serverTool.requires_changeset) {\n return this.createChangeSetTool(\n toolName,\n serverTool,\n inputSchema,\n permission,\n );\n }\n\n return defineTool({\n name: toolName,\n description: serverTool.description,\n permission,\n readonly,\n inputSchema,\n async execute(params) {\n const result = await connector.apiFetch(\"/api/v1/god-mode/execute\", {\n method: \"POST\",\n body: JSON.stringify({\n tool: serverTool.name,\n params,\n }),\n });\n\n if (result.error) return { error: result.error };\n return result.data ?? 
result;\n },\n });\n }\n\n private createChangeSetTool(\n toolName: string,\n serverTool: ServerTool,\n inputSchema: z.ZodObject<any>,\n permission: ToolPermission,\n ): BrainstormToolDef {\n const connector = this;\n // Namespace executor key by connector to prevent cross-product collision\n const executorKey = `${this.name}:${toolName}`;\n\n // Register a generic executor for when changesets are approved\n registerExecutor(executorKey, async (cs) => {\n // Extract original params from the changeset's simulation statePreview\n const originalParams = (cs.simulation.statePreview as any)\n ?.originalParams;\n const result = await connector.apiFetch(\"/api/v1/god-mode/execute\", {\n method: \"POST\",\n body: JSON.stringify({\n tool: serverTool.name,\n params: originalParams ?? {},\n simulate: false,\n }),\n });\n\n if (result.error) return { success: false, message: result.error };\n return {\n success: true,\n message: result.message ?? `Executed ${serverTool.name}`,\n rollbackData: result.rollbackData,\n };\n });\n\n return defineTool({\n name: toolName,\n description: serverTool.description,\n permission,\n inputSchema,\n async execute(params) {\n // Step 1: Simulate\n const simResult = await connector.apiFetch(\"/api/v1/god-mode/execute\", {\n method: \"POST\",\n body: JSON.stringify({\n tool: serverTool.name,\n params,\n simulate: true,\n }),\n });\n\n if (simResult.error) return { error: simResult.error };\n\n // Step 2: Create ChangeSet from simulation\n const simulation = simResult.simulation ?? {\n success: true,\n statePreview: { ...simResult.data, originalParams: params },\n cascades: simResult.cascades ?? [],\n constraints: simResult.constraints ?? [],\n estimatedDuration: simResult.estimatedDuration ?? 
\"< 1 minute\",\n };\n\n // Preserve original params in simulation for the executor\n if (\n simulation.statePreview &&\n typeof simulation.statePreview === \"object\"\n ) {\n (simulation.statePreview as any).originalParams = params;\n }\n\n const changeset = createChangeSet({\n connector: connector.name,\n action: executorKey, // Namespaced to prevent cross-product collision\n description: simResult.description ?? `Execute ${serverTool.name}`,\n changes: simResult.changes ?? [\n {\n system: connector.name,\n entity: `${serverTool.domain}:${JSON.stringify(params).slice(0, 50)}`,\n operation: \"execute\",\n },\n ],\n simulation,\n });\n\n return {\n changeset_id: changeset.id,\n status: \"pending_approval\",\n risk_score: changeset.riskScore,\n risk_factors: changeset.riskFactors,\n description: changeset.description,\n message:\n \"ChangeSet created. Present the simulation to the user and wait for approval before calling gm_changeset_approve.\",\n };\n },\n });\n }\n\n // ── HTTP Client ─────────────────────────────────────────────\n\n private async apiFetch(\n path: string,\n options?: RequestInit & { timeout?: number },\n ): Promise<any> {\n const key = this.resolveApiKey();\n if (!key) {\n return {\n error: `No API key for ${this.displayName} (${this.config.apiKeyName})`,\n };\n }\n\n const url = `${this.config.baseUrl}${path}`;\n\n // Enforce HTTPS for non-local connections\n if (\n !url.startsWith(\"https://\") &&\n !url.startsWith(\"http://localhost\") &&\n !url.startsWith(\"http://127.0.0.1\")\n ) {\n return {\n error: `${this.displayName}: HTTPS required for non-local connections`,\n };\n }\n\n const timeout = options?.timeout ?? 10_000;\n\n try {\n const res = await fetch(url, {\n ...options,\n headers: {\n Authorization: `Bearer ${key}`,\n \"Content-Type\": \"application/json\",\n ...((options?.headers as Record<string, string>) ?? 
{}),\n },\n signal: AbortSignal.timeout(timeout),\n });\n\n if (!res.ok) {\n const body = await res.text().catch(() => \"\");\n return {\n error: `${this.displayName} API ${res.status}: ${body.slice(0, 200)}`,\n };\n }\n\n return res.json();\n } catch (error) {\n const msg = error instanceof Error ? error.message : String(error);\n return { error: `${this.displayName} API error: ${msg}` };\n }\n }\n\n private resolveApiKey(): string | null {\n return (\n process.env[`_GM_${this.name.toUpperCase()}_KEY`] ??\n process.env[this.config.apiKeyName] ??\n null\n );\n }\n}\n","/**\n * GitHub REST API Client — handles PAT and GitHub App authentication.\n *\n * PAT mode: Bearer token in Authorization header.\n * App mode: Sign JWT with RS256 private key → exchange for installation token.\n *\n * Uses native fetch. No external HTTP libraries.\n */\n\nimport { createLogger } from \"@brainst0rm/shared\";\n\nconst log = createLogger(\"github-client\");\n\nconst GITHUB_API = \"https://api.github.com\";\n\nexport interface GitHubClientConfig {\n /** Personal access token (PAT mode). */\n token?: string;\n /** GitHub App private key PEM (App mode). */\n appPrivateKey?: string;\n /** GitHub App ID (App mode). */\n appId?: string;\n /** Installation ID for the org (App mode). */\n installationId?: string;\n}\n\nexport class GitHubClient {\n private token: string | null;\n private installationToken: string | null = null;\n private installationTokenExpiresAt = 0;\n private config: GitHubClientConfig;\n\n constructor(config: GitHubClientConfig) {\n this.config = config;\n this.token = config.token ?? null;\n }\n\n /**\n * Make an authenticated GitHub API request.\n */\n async request<T = any>(\n method: string,\n path: string,\n body?: unknown,\n ): Promise<T> {\n const token = await this.resolveToken();\n const url = path.startsWith(\"http\") ? 
path : `${GITHUB_API}${path}`;\n\n const res = await fetch(url, {\n method,\n headers: {\n Authorization: `Bearer ${token}`,\n Accept: \"application/vnd.github+json\",\n \"X-GitHub-Api-Version\": \"2022-11-28\",\n ...(body ? { \"Content-Type\": \"application/json\" } : {}),\n },\n body: body ? JSON.stringify(body) : undefined,\n });\n\n if (!res.ok) {\n const text = await res.text();\n throw new Error(\n `GitHub API ${method} ${path}: ${res.status} ${text.slice(0, 200)}`,\n );\n }\n\n if (res.status === 204) return {} as T;\n return res.json() as Promise<T>;\n }\n\n // ── Repo Operations ─────────────────────────────────────────────\n\n async getRepo(owner: string, repo: string) {\n return this.request(\"GET\", `/repos/${owner}/${repo}`);\n }\n\n async listBranches(owner: string, repo: string) {\n return this.request(\"GET\", `/repos/${owner}/${repo}/branches?per_page=30`);\n }\n\n async compareCommits(\n owner: string,\n repo: string,\n base: string,\n head: string,\n ) {\n return this.request(\n \"GET\",\n `/repos/${owner}/${repo}/compare/${base}...${head}`,\n );\n }\n\n async getContents(owner: string, repo: string, path: string, ref?: string) {\n const query = ref ? 
`?ref=${ref}` : \"\";\n return this.request(\n \"GET\",\n `/repos/${owner}/${repo}/contents/${path}${query}`,\n );\n }\n\n // ── Webhook Operations ──────────────────────────────────────────\n\n async createWebhook(\n owner: string,\n repo: string,\n url: string,\n secret: string,\n events = [\"push\", \"pull_request\"],\n ) {\n return this.request(\"POST\", `/repos/${owner}/${repo}/hooks`, {\n name: \"web\",\n active: true,\n events,\n config: { url, content_type: \"json\", secret, insecure_ssl: \"0\" },\n });\n }\n\n async listWebhooks(owner: string, repo: string) {\n return this.request(\"GET\", `/repos/${owner}/${repo}/hooks`);\n }\n\n async deleteWebhook(owner: string, repo: string, hookId: number) {\n return this.request(\"DELETE\", `/repos/${owner}/${repo}/hooks/${hookId}`);\n }\n\n // ── PR Operations ───────────────────────────────────────────────\n\n async getPR(owner: string, repo: string, number: number) {\n return this.request(\"GET\", `/repos/${owner}/${repo}/pulls/${number}`);\n }\n\n async getPRFiles(owner: string, repo: string, number: number) {\n return this.request(\n \"GET\",\n `/repos/${owner}/${repo}/pulls/${number}/files?per_page=100`,\n );\n }\n\n async createReview(\n owner: string,\n repo: string,\n number: number,\n body: string,\n event: \"APPROVE\" | \"REQUEST_CHANGES\" | \"COMMENT\" = \"COMMENT\",\n comments?: Array<{ path: string; line: number; body: string }>,\n ) {\n return this.request(\n \"POST\",\n `/repos/${owner}/${repo}/pulls/${number}/reviews`,\n {\n body,\n event,\n comments,\n },\n );\n }\n\n // ── Check Runs ──────────────────────────────────────────────────\n\n async createCheckRun(\n owner: string,\n repo: string,\n opts: {\n name: string;\n headSha: string;\n status: \"queued\" | \"in_progress\" | \"completed\";\n conclusion?: \"success\" | \"failure\" | \"action_required\" | \"neutral\";\n summary?: string;\n text?: string;\n },\n ) {\n return this.request(\"POST\", `/repos/${owner}/${repo}/check-runs`, {\n name: 
opts.name,\n head_sha: opts.headSha,\n status: opts.status,\n ...(opts.conclusion ? { conclusion: opts.conclusion } : {}),\n output: opts.summary\n ? {\n title: opts.name,\n summary: opts.summary,\n text: opts.text,\n }\n : undefined,\n });\n }\n\n // ── Health ──────────────────────────────────────────────────────\n\n async healthCheck(): Promise<{\n ok: boolean;\n latencyMs: number;\n user?: string;\n }> {\n const start = Date.now();\n try {\n const user = await this.request<{ login: string }>(\"GET\", \"/user\");\n return { ok: true, latencyMs: Date.now() - start, user: user.login };\n } catch (err: any) {\n return { ok: false, latencyMs: Date.now() - start };\n }\n }\n\n // ── Token Resolution ────────────────────────────────────────────\n\n private async resolveToken(): Promise<string> {\n if (this.token) return this.token;\n\n // GitHub App mode — exchange app JWT for installation token\n if (\n this.config.appPrivateKey &&\n this.config.appId &&\n this.config.installationId\n ) {\n if (\n this.installationToken &&\n Date.now() < this.installationTokenExpiresAt\n ) {\n return this.installationToken;\n }\n this.installationToken = await this.exchangeForInstallationToken();\n this.installationTokenExpiresAt = Date.now() + 55 * 60 * 1000; // 55 min (tokens last 60)\n return this.installationToken;\n }\n\n throw new Error(\n \"No GitHub authentication configured. 
Set GITHUB_TOKEN or configure GitHub App.\",\n );\n }\n\n private async exchangeForInstallationToken(): Promise<string> {\n // Sign JWT with the app's private key using node:crypto RS256\n const appJwt = await this.createAppJwt();\n\n const res = await fetch(\n `${GITHUB_API}/app/installations/${this.config.installationId}/access_tokens`,\n {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${appJwt}`,\n Accept: \"application/vnd.github+json\",\n },\n },\n );\n\n if (!res.ok) {\n throw new Error(`GitHub App token exchange failed: ${res.status}`);\n }\n\n const data = (await res.json()) as { token: string };\n log.info(\"GitHub App installation token acquired\");\n return data.token;\n }\n\n private async createAppJwt(): Promise<string> {\n // RS256 JWT for GitHub App authentication\n // Payload: iss=appId, iat=now-60, exp=now+600\n const { createPrivateKey, sign } = await import(\"node:crypto\");\n\n const now = Math.floor(Date.now() / 1000);\n const header = Buffer.from(\n JSON.stringify({ alg: \"RS256\", typ: \"JWT\" }),\n ).toString(\"base64url\");\n const payload = Buffer.from(\n JSON.stringify({\n iss: this.config.appId,\n iat: now - 60,\n exp: now + 600,\n }),\n ).toString(\"base64url\");\n\n const key = createPrivateKey(this.config.appPrivateKey!);\n const signature = sign(\n \"RSA-SHA256\",\n Buffer.from(`${header}.${payload}`),\n key,\n ).toString(\"base64url\");\n\n return `${header}.${payload}.${signature}`;\n }\n}\n","/**\n * GitHub Repository Tools — repo info, branches, compare commits.\n */\n\nimport { z } from \"zod\";\nimport { defineTool, type BrainstormToolDef } from \"@brainst0rm/tools\";\nimport type { GitHubClient } from \"../client.js\";\n\nexport function createRepoTools(\n client: GitHubClient,\n owner: string,\n repo: string,\n): BrainstormToolDef[] {\n return [\n defineTool({\n name: \"github_repo_info\",\n description: `Get repository metadata for ${owner}/${repo}: languages, topics, default branch, visibility, size.`,\n 
permission: \"auto\" as const,\n inputSchema: z.object({}),\n async execute() {\n const data = await client.getRepo(owner, repo);\n return {\n name: data.full_name,\n description: data.description,\n language: data.language,\n topics: data.topics,\n defaultBranch: data.default_branch,\n visibility: data.visibility,\n size: data.size,\n openIssues: data.open_issues_count,\n updatedAt: data.updated_at,\n };\n },\n }),\n\n defineTool({\n name: \"github_branches\",\n description: `List branches for ${owner}/${repo} with protection status.`,\n permission: \"auto\" as const,\n inputSchema: z.object({}),\n async execute() {\n const branches = await client.listBranches(owner, repo);\n return branches.map((b: any) => ({\n name: b.name,\n protected: b.protected,\n sha: b.commit.sha.slice(0, 8),\n }));\n },\n }),\n\n defineTool({\n name: \"github_compare\",\n description: `Compare two git refs in ${owner}/${repo}. Shows changed files, commits, and stats.`,\n permission: \"auto\" as const,\n inputSchema: z.object({\n base: z.string().describe(\"Base ref (branch, tag, or SHA)\"),\n head: z.string().describe(\"Head ref to compare against base\"),\n }),\n async execute({ base, head }) {\n const data = await client.compareCommits(owner, repo, base, head);\n return {\n status: data.status,\n aheadBy: data.ahead_by,\n behindBy: data.behind_by,\n totalCommits: data.total_commits,\n files: (data.files ?? 
[]).map((f: any) => ({\n filename: f.filename,\n status: f.status,\n additions: f.additions,\n deletions: f.deletions,\n changes: f.changes,\n })),\n };\n },\n }),\n ];\n}\n","/**\n * GitHub Webhook Tools — create and manage webhooks.\n */\n\nimport { z } from \"zod\";\nimport { defineTool, type BrainstormToolDef } from \"@brainst0rm/tools\";\nimport type { GitHubClient } from \"../client.js\";\n\nexport function createWebhookTools(\n client: GitHubClient,\n owner: string,\n repo: string,\n): BrainstormToolDef[] {\n return [\n defineTool({\n name: \"github_webhook_create\",\n description: `Register a webhook on ${owner}/${repo} to receive push and PR events.`,\n permission: \"confirm\" as const,\n inputSchema: z.object({\n url: z\n .string()\n .describe(\n \"Webhook delivery URL (e.g., https://your-server.com/api/v1/webhooks/github)\",\n ),\n secret: z\n .string()\n .describe(\"Shared secret for HMAC signature verification\"),\n events: z\n .array(z.string())\n .optional()\n .describe(\"Events to subscribe to (default: push, pull_request)\"),\n }),\n async execute({ url, secret, events }) {\n const result = await client.createWebhook(\n owner,\n repo,\n url,\n secret,\n events,\n );\n return {\n id: result.id,\n url: result.config.url,\n events: result.events,\n active: result.active,\n createdAt: result.created_at,\n };\n },\n }),\n\n defineTool({\n name: \"github_webhook_list\",\n description: `List all webhooks configured on ${owner}/${repo}.`,\n permission: \"auto\" as const,\n inputSchema: z.object({}),\n async execute() {\n const hooks = await client.listWebhooks(owner, repo);\n return hooks.map((h: any) => ({\n id: h.id,\n url: h.config.url,\n events: h.events,\n active: h.active,\n lastResponse: h.last_response?.code,\n }));\n },\n }),\n ];\n}\n","/**\n * PR Review Tool — intelligent code review using the knowledge graph.\n *\n * Flow:\n * 1. Fetch PR diff (changed files + patches)\n * 2. Compute blast radius from code graph for each changed file\n * 3. 
Classify sectors touched — determines model tier per file\n * 4. Build structured review with: risk score, affected sectors, line comments\n * 5. Post as GitHub review + create check run for merge gate\n *\n * Model routing: critical sectors (auth, crypto) get QualityTier 1.\n * Simple changes (docs, config) get QualityTier 5. The router decides\n * the actual model — no hardcoded names.\n */\n\nimport { z } from \"zod\";\nimport { defineTool, type BrainstormToolDef } from \"@brainst0rm/tools\";\nimport type { GitHubClient } from \"../client.js\";\nimport { createLogger } from \"@brainst0rm/shared\";\n\nconst log = createLogger(\"pr-review\");\n\nexport interface PRReviewResult {\n prNumber: number;\n filesReviewed: number;\n riskScore: number;\n sectorsAffected: string[];\n criticalSectorsAffected: string[];\n blastRadius: number;\n reviewBody: string;\n checkConclusion: \"success\" | \"action_required\" | \"neutral\";\n cost: number;\n}\n\nexport interface PRReviewOptions {\n client: GitHubClient;\n owner: string;\n repo: string;\n /** Code graph for blast radius computation. Duck-typed to avoid hard dep. */\n graph?: {\n getDb: () => any;\n impactAnalysis: (name: string, maxDepth?: number) => any[];\n findDefinition: (name: string) => any[];\n };\n}\n\nexport function createPRReviewTools(\n opts: PRReviewOptions,\n): BrainstormToolDef[] {\n const { client, owner, repo, graph } = opts;\n\n return [\n defineTool({\n name: \"github_pr_review\",\n description: `Review a pull request on ${owner}/${repo} using code intelligence. 
Computes blast radius, classifies risk by sector, and posts a structured review.`,\n permission: \"confirm\" as const,\n inputSchema: z.object({\n prNumber: z.number().describe(\"PR number to review\"),\n postReview: z\n .boolean()\n .optional()\n .describe(\"Post review to GitHub (default true)\"),\n createCheck: z\n .boolean()\n .optional()\n .describe(\"Create check run for merge gate (default true)\"),\n }),\n async execute({ prNumber, postReview, createCheck }) {\n const shouldPost = postReview !== false;\n const shouldCheck = createCheck !== false;\n\n // Fetch PR metadata + changed files\n const pr = await client.getPR(owner, repo, prNumber);\n const files = await client.getPRFiles(owner, repo, prNumber);\n\n const changedFiles = files.map((f: any) => ({\n filename: f.filename,\n status: f.status,\n additions: f.additions,\n deletions: f.deletions,\n changes: f.changes,\n patch: f.patch?.slice(0, 2000), // Limit patch size for context\n }));\n\n // Compute blast radius from code graph\n let blastRadius = 0;\n const affectedSymbols: Array<{\n name: string;\n file: string;\n depth: number;\n }> = [];\n const sectorsAffected = new Set<string>();\n const criticalSectors = new Set<string>();\n\n if (graph) {\n const db = graph.getDb();\n\n for (const file of changedFiles) {\n // Find functions defined in changed files\n const functions = db\n .prepare(\"SELECT name FROM functions WHERE file LIKE ?\")\n .all(`%${file.filename}`) as Array<{ name: string }>;\n\n for (const fn of functions) {\n const impact = graph.impactAnalysis(fn.name, 3);\n for (const item of impact) {\n affectedSymbols.push(item);\n blastRadius++;\n }\n }\n\n // Find which sectors are touched\n const communities = db\n .prepare(\n \"SELECT DISTINCT c.id, c.name, c.metadata_json FROM nodes n JOIN communities c ON c.id = n.community_id WHERE n.file LIKE ? 
AND n.community_id IS NOT NULL\",\n )\n .all(`%${file.filename}`) as any[];\n\n for (const comm of communities) {\n sectorsAffected.add(comm.name ?? comm.id);\n try {\n const meta = JSON.parse(comm.metadata_json ?? \"{}\");\n if (meta.tier === \"critical\")\n criticalSectors.add(comm.name ?? comm.id);\n } catch {}\n }\n }\n }\n\n // Calculate risk score (0-100)\n let riskScore = 0;\n riskScore += Math.min(30, changedFiles.length * 3); // Files changed\n riskScore += Math.min(20, blastRadius); // Blast radius\n riskScore += criticalSectors.size * 15; // Critical sectors\n riskScore +=\n changedFiles.filter((f: any) => f.deletions > 20).length * 5; // Large deletions\n riskScore = Math.min(100, riskScore);\n\n // Determine check conclusion\n let checkConclusion: \"success\" | \"action_required\" | \"neutral\" =\n \"success\";\n if (criticalSectors.size > 0) checkConclusion = \"action_required\";\n else if (riskScore > 60) checkConclusion = \"action_required\";\n else if (riskScore > 30) checkConclusion = \"neutral\";\n\n // Build review body\n const reviewBody = buildReviewBody({\n pr,\n changedFiles,\n riskScore,\n blastRadius,\n sectorsAffected: Array.from(sectorsAffected),\n criticalSectors: Array.from(criticalSectors),\n affectedSymbols: affectedSymbols.slice(0, 20),\n });\n\n // Post review to GitHub\n if (shouldPost) {\n const event =\n checkConclusion === \"action_required\"\n ? 
\"REQUEST_CHANGES\"\n : \"COMMENT\";\n await client.createReview(\n owner,\n repo,\n prNumber,\n reviewBody,\n event as any,\n );\n log.info(\n { pr: prNumber, riskScore, sectors: sectorsAffected.size },\n \"Review posted\",\n );\n }\n\n // Create check run\n if (shouldCheck) {\n await client.createCheckRun(owner, repo, {\n name: \"Brainstorm Code Intelligence\",\n headSha: pr.head.sha,\n status: \"completed\",\n conclusion: checkConclusion,\n summary: `Risk Score: ${riskScore}/100 | Blast Radius: ${blastRadius} symbols | Sectors: ${sectorsAffected.size} (${criticalSectors.size} critical)`,\n text: reviewBody,\n });\n log.info(\n { pr: prNumber, conclusion: checkConclusion },\n \"Check run created\",\n );\n }\n\n return {\n prNumber,\n filesReviewed: changedFiles.length,\n riskScore,\n sectorsAffected: Array.from(sectorsAffected),\n criticalSectorsAffected: Array.from(criticalSectors),\n blastRadius,\n reviewBody,\n checkConclusion,\n cost: 0, // Tracked by CostTracker in the agent loop\n };\n },\n }),\n ];\n}\n\n// ── Review Body Builder ───────────────────────────────────────────\n\nfunction buildReviewBody(data: {\n pr: any;\n changedFiles: any[];\n riskScore: number;\n blastRadius: number;\n sectorsAffected: string[];\n criticalSectors: string[];\n affectedSymbols: Array<{ name: string; file: string; depth: number }>;\n}): string {\n const {\n riskScore,\n blastRadius,\n sectorsAffected,\n criticalSectors,\n changedFiles,\n affectedSymbols,\n } = data;\n\n const riskEmoji = riskScore > 60 ? \"🔴\" : riskScore > 30 ? 
\"🟡\" : \"🟢\";\n const lines: string[] = [];\n\n lines.push(\n `## ${riskEmoji} Brainstorm Code Review`,\n \"\",\n `**Risk Score:** ${riskScore}/100 | **Blast Radius:** ${blastRadius} affected symbols | **Files Changed:** ${changedFiles.length}`,\n \"\",\n );\n\n if (criticalSectors.length > 0) {\n lines.push(\n \"### ⚠️ Critical Sectors Affected\",\n \"\",\n ...criticalSectors.map(\n (s) => `- **${s}** — requires careful review (QualityTier 1 analysis)`,\n ),\n \"\",\n );\n }\n\n if (sectorsAffected.length > 0) {\n lines.push(\n \"### Sectors Touched\",\n \"\",\n ...sectorsAffected.map((s) => {\n const isCritical = criticalSectors.includes(s);\n return `- ${isCritical ? \"🔴\" : \"🟡\"} ${s}`;\n }),\n \"\",\n );\n }\n\n if (affectedSymbols.length > 0) {\n lines.push(\n \"### Blast Radius — Transitively Affected Functions\",\n \"\",\n \"| Function | File | Depth |\",\n \"|----------|------|-------|\",\n ...affectedSymbols\n .slice(0, 15)\n .map(\n (s) =>\n `| \\`${s.name}\\` | \\`${s.file.split(\"/\").slice(-2).join(\"/\")}\\` | ${s.depth} |`,\n ),\n \"\",\n );\n if (affectedSymbols.length > 15) {\n lines.push(\n `*... 
and ${affectedSymbols.length - 15} more affected symbols*`,\n \"\",\n );\n }\n }\n\n // File summary\n lines.push(\n \"### Changed Files\",\n \"\",\n \"| File | Status | +/- |\",\n \"|------|--------|-----|\",\n ...changedFiles\n .slice(0, 20)\n .map(\n (f: any) =>\n `| \\`${f.filename.split(\"/\").slice(-2).join(\"/\")}\\` | ${f.status} | +${f.additions}/-${f.deletions} |`,\n ),\n \"\",\n );\n\n lines.push(\n \"---\",\n \"*Reviewed by [Brainstorm Code Intelligence Engine](https://github.com/brainstorm)*\",\n );\n\n return lines.join(\"\\n\");\n}\n","/**\n * GitHub system prompt segment — injected when GitHub connector is active.\n */\n\nexport function buildGitHubPrompt(owner: string, repo: string): string {\n return [\n \"## GitHub Integration\",\n \"\",\n `Connected to **${owner}/${repo}** via GitHub API.`,\n \"\",\n \"Available capabilities:\",\n \"- Repository metadata and branch management\",\n \"- Webhook configuration for push/PR events\",\n \"- PR review with blast radius analysis\",\n \"- Check runs for merge gates\",\n \"- Commit comparison for change detection\",\n \"\",\n \"Use `github_compare` to see what changed between branches.\",\n \"Use `github_repo_info` to understand the repository.\",\n \"The webhook auto-reindexes the code graph on every push.\",\n ].join(\"\\n\");\n}\n","/**\n * GitHub God Mode Connector — integrates private GitHub repos into Brainstorm.\n *\n * Follows the GodModeConnector pattern. Provides tools for repo management,\n * webhook configuration, PR review, and compliance. 
Auth via PAT or GitHub App.\n */\n\nimport type {\n GodModeConnector,\n ConnectorCapability,\n HealthResult,\n} from \"../../types.js\";\nimport type { BrainstormToolDef } from \"@brainst0rm/tools\";\nimport { GitHubClient, type GitHubClientConfig } from \"./client.js\";\nimport { createRepoTools } from \"./tools/repo.js\";\nimport { createWebhookTools } from \"./tools/webhook.js\";\nimport { createPRReviewTools } from \"./tools/pr-review.js\";\nimport { buildGitHubPrompt } from \"./prompt.js\";\nimport { createLogger } from \"@brainst0rm/shared\";\n\nconst log = createLogger(\"github-connector\");\n\nexport interface GitHubConnectorConfig {\n /** PAT or installation token. */\n token?: string;\n /** GitHub App private key (PEM). */\n appPrivateKey?: string;\n /** GitHub App ID. */\n appId?: string;\n /** Installation ID. */\n installationId?: string;\n /** Repository owner (org or user). */\n owner: string;\n /** Repository name. */\n repo: string;\n /** Optional code graph for blast radius in PR reviews. */\n graph?: any;\n}\n\nexport class GitHubConnector implements GodModeConnector {\n name = \"github\";\n displayName = \"GitHub\";\n capabilities: ConnectorCapability[] = [\n \"access-control\",\n \"compliance\",\n \"audit\",\n \"deployment\",\n ];\n\n private client: GitHubClient;\n private owner: string;\n private repo: string;\n private graph: any;\n private cachedTools: BrainstormToolDef[] | null = null;\n\n constructor(config: GitHubConnectorConfig) {\n this.owner = config.owner;\n this.repo = config.repo;\n this.graph = config.graph ?? 
null;\n this.client = new GitHubClient({\n token: config.token,\n appPrivateKey: config.appPrivateKey,\n appId: config.appId,\n installationId: config.installationId,\n });\n }\n\n getTools(): BrainstormToolDef[] {\n if (!this.cachedTools) {\n this.cachedTools = [\n ...createRepoTools(this.client, this.owner, this.repo),\n ...createWebhookTools(this.client, this.owner, this.repo),\n ...createPRReviewTools({\n client: this.client,\n owner: this.owner,\n repo: this.repo,\n graph: this.graph,\n }),\n ];\n }\n return this.cachedTools;\n }\n\n async healthCheck(): Promise<HealthResult> {\n const result = await this.client.healthCheck();\n return {\n ok: result.ok,\n latencyMs: result.latencyMs,\n message: result.ok\n ? `Authenticated as ${result.user} for ${this.owner}/${this.repo}`\n : \"GitHub API unreachable or authentication failed\",\n };\n }\n\n getPrompt(): string {\n return buildGitHubPrompt(this.owner, this.repo);\n }\n\n /** Get the underlying client for advanced operations (PR review, checks). */\n getClient(): GitHubClient {\n return this.client;\n }\n}\n\n/**\n * Create a GitHub connector from environment/vault credentials.\n */\nexport function createGitHubConnector(\n owner: string,\n repo: string,\n resolveKey?: (name: string) => string | null,\n): GitHubConnector | null {\n const token = resolveKey?.(\"GITHUB_TOKEN\") ?? process.env.GITHUB_TOKEN;\n const appKey =\n resolveKey?.(\"GITHUB_APP_PRIVATE_KEY\") ??\n process.env.GITHUB_APP_PRIVATE_KEY;\n const appId = resolveKey?.(\"GITHUB_APP_ID\") ?? process.env.GITHUB_APP_ID;\n const installId =\n resolveKey?.(\"GITHUB_INSTALLATION_ID\") ??\n process.env.GITHUB_INSTALLATION_ID;\n\n if (!token && !appKey) {\n log.debug(\"No GitHub credentials found — connector disabled\");\n return null;\n }\n\n return new GitHubConnector({\n token: token ?? undefined,\n appPrivateKey: appKey ?? undefined,\n appId: appId ?? undefined,\n installationId: installId ?? 
undefined,\n owner,\n repo,\n });\n}\n","/**\n * Product Factory — creates generic ProductConnectors from config.\n *\n * Replaces the hardcoded factory map { msp: createMSPConnector, ... }.\n * Adding a new product = adding a [godmode.connectors.X] config entry.\n */\n\nimport { ProductConnector } from \"./product-connector.js\";\nimport type { GodModeConnector, GodModeConfig } from \"./types.js\";\n\n/**\n * Create and initialize ProductConnectors for all enabled connectors in config.\n * Each connector fetches its tool definitions from the product server.\n * Initialization failures are non-fatal — the connector will have 0 tools.\n */\nexport async function createProductConnectors(\n config: GodModeConfig,\n): Promise<GodModeConnector[]> {\n const connectors: GodModeConnector[] = [];\n\n const entries = Object.entries(config.connectors ?? {});\n if (entries.length === 0) return connectors;\n\n // Initialize all connectors in parallel for faster boot\n const results = await Promise.allSettled(\n entries\n .filter(([, cfg]) => cfg.enabled !== false)\n .map(async ([id, cfg]) => {\n const connector = new ProductConnector(id, cfg as any);\n await connector.initialize();\n return connector;\n }),\n );\n\n for (const result of results) {\n if (result.status === \"fulfilled\") {\n connectors.push(result.value);\n }\n // Rejected connectors are already logged by ProductConnector.initialize()\n }\n\n return connectors;\n}\n","/**\n * Platform Event Signing — HMAC-SHA256 with per-tenant key derivation.\n *\n * Every cross-product event is signed so the receiver can verify authenticity\n * and detect tampering. Uses HKDF to derive a per-tenant HMAC key from the\n * platform master secret, so tenants can't forge events for each other.\n *\n * Canonical JSON: keys sorted, no whitespace. 
Deterministic across languages\n * so Python products produce the same signature as TypeScript ones.\n */\n\nimport { createHmac, hkdfSync, randomUUID, timingSafeEqual } from \"node:crypto\";\nimport type { PlatformEvent } from \"@brainst0rm/shared\";\n\nconst HKDF_SALT = Buffer.from(\"brainstorm-platform-events-v1\");\nconst HKDF_INFO = Buffer.from(\"hmac-signing\");\nconst KEY_LENGTH = 32; // 256-bit HMAC key\n\n/**\n * Derive a per-tenant HMAC key from the platform master secret.\n * Uses HKDF-SHA256 with the tenant_id baked into the info parameter,\n * ensuring each tenant gets a unique signing key.\n */\nexport function deriveTenantKey(\n masterSecret: string,\n tenantId: string,\n): Buffer {\n const info = Buffer.concat([HKDF_INFO, Buffer.from(`|${tenantId}`)]);\n return Buffer.from(\n hkdfSync(\"sha256\", masterSecret, HKDF_SALT, info, KEY_LENGTH),\n );\n}\n\n/**\n * Produce canonical JSON for signing.\n * Keys sorted recursively, no whitespace. Matches Python's\n * json.dumps(obj, sort_keys=True, separators=(',', ':'))\n */\nexport function canonicalize(obj: Record<string, unknown>): string {\n // Recursive key-sorted JSON with no whitespace.\n // Matches Python's json.dumps(obj, sort_keys=True, separators=(',', ':'))\n return JSON.stringify(obj, (_key, value) => {\n if (value && typeof value === \"object\" && !Array.isArray(value)) {\n return Object.keys(value)\n .sort()\n .reduce((sorted: Record<string, unknown>, k) => {\n sorted[k] = value[k];\n return sorted;\n }, {});\n }\n return value;\n });\n}\n\n/**\n * Sign a platform event payload.\n * Returns the HMAC-SHA256 hex signature.\n */\nexport function signEvent(\n event: Omit<PlatformEvent, \"signature\">,\n masterSecret: string,\n): string {\n const key = deriveTenantKey(masterSecret, event.tenant_id);\n const payload = canonicalize(event as Record<string, unknown>);\n return createHmac(\"sha256\", key).update(payload).digest(\"hex\");\n}\n\n/**\n * Verify a signed platform event.\n * Uses timing-safe 
comparison to prevent timing attacks.\n */\n/** Maximum age (in seconds) for a platform event to be accepted. */\nconst MAX_EVENT_AGE_SECONDS = 300; // 5 minutes\n\n/**\n * Replay-dedupe cache for verified event ids.\n *\n * v16 Attacker finding: the freshness window alone is not sufficient. An\n * attacker who captures one signed event can replay it ~300×/sec for\n * 5 minutes — the signature is valid, the timestamp is within window, and\n * the server has no record that THIS event was already seen. Webhook\n * verification closed the same shape with an LRU nonce cache (PR #309);\n * platform events did not.\n *\n * Map keyed on event.id, value = wall-clock ms when first seen. Entries\n * expire passively at lookup (any entry older than the freshness window\n * is treated as evicted). The cache is also LRU-bounded so a flood of\n * fresh-but-bogus ids cannot blow memory.\n *\n * Exported for tests that need to reset state between cases.\n */\nconst seenEventIds = new Map<string, number>();\nconst MAX_SEEN_IDS = 100_000;\nconst FRESHNESS_MS = MAX_EVENT_AGE_SECONDS * 1000;\n\n/** Test helper — drop all dedupe state. Production code MUST NOT call this. */\nexport function _resetSeenEventIdsForTesting(): void {\n seenEventIds.clear();\n}\n\nfunction checkAndRecordEventId(eventId: string, now: number): boolean {\n // Passive expiry: drop entries older than the freshness window. Done\n // lazily on every check so we don't need a sweeper timer.\n const cutoff = now - FRESHNESS_MS;\n // First, opportunistically evict ALL entries older than cutoff. 
Cheap\n // when the cache is small; with the LRU cap above this stays cheap.\n for (const [id, ts] of seenEventIds) {\n if (ts < cutoff) seenEventIds.delete(id);\n }\n\n if (seenEventIds.has(eventId)) {\n // Already seen within the freshness window — REPLAY.\n return false;\n }\n\n // LRU eviction if full — drop oldest entry by insertion order.\n if (seenEventIds.size >= MAX_SEEN_IDS) {\n const oldestKey = seenEventIds.keys().next().value;\n if (oldestKey !== undefined) seenEventIds.delete(oldestKey);\n }\n\n seenEventIds.set(eventId, now);\n return true;\n}\n\nexport function verifyEvent(\n event: PlatformEvent,\n masterSecret: string,\n): boolean {\n // Reject events without a signature\n if (!event.signature) return false;\n\n // Reject events without an id — required for replay dedupe\n if (!event.id) return false;\n\n // Replay protection step 1: require a parseable timestamp inside the\n // freshness window. A missing or malformed timestamp is treated as a\n // failed check, not skipped — otherwise a captured event could be\n // replayed forever by an attacker who strips or corrupts the field.\n if (!event.timestamp) return false;\n const eventTime = new Date(event.timestamp).getTime();\n if (Number.isNaN(eventTime)) return false;\n const ageMs = Math.abs(Date.now() - eventTime);\n if (ageMs > MAX_EVENT_AGE_SECONDS * 1000) return false;\n\n // Verify signature BEFORE recording id in the dedupe cache — otherwise\n // an attacker can spam fake ids to fill the LRU and evict legitimate\n // entries.\n const { signature, ...rest } = event;\n const expected = signEvent(rest, masterSecret);\n const sigBuf = Buffer.from(signature, \"hex\");\n const expectedBuf = Buffer.from(expected, \"hex\");\n if (sigBuf.length !== expectedBuf.length) return false;\n if (!timingSafeEqual(sigBuf, expectedBuf)) return false;\n\n // Replay protection step 2: record event.id; reject if already seen\n // within the freshness window.\n return checkAndRecordEventId(event.id, 
Date.now());\n}\n\n/**\n * Create a signed PlatformEvent ready for transmission.\n */\nexport function createSignedEvent(\n type: string,\n tenantId: string,\n product: string,\n data: Record<string, unknown>,\n masterSecret: string,\n opts?: { correlationId?: string; schemaVersion?: number },\n): PlatformEvent {\n const unsigned = {\n id: randomUUID(),\n type,\n tenant_id: tenantId,\n product,\n timestamp: new Date().toISOString(),\n data,\n schema_version: opts?.schemaVersion ?? 1,\n ...(opts?.correlationId ? { correlation_id: opts.correlationId } : {}),\n };\n\n const signature = signEvent(unsigned, masterSecret);\n return { ...unsigned, signature };\n}\n","/**\n * JWT verification for the Brainstorm control plane.\n *\n * Verifies Supabase-issued JWTs using the project's JWT secret (HS256).\n * Extracts platform_tenant_id and product roles from claims.\n *\n * Supabase uses HS256 with the project's JWT secret (not RS256/JWKS),\n * so verification is a simple HMAC check — no key rotation complexity.\n */\n\nimport { createHmac, timingSafeEqual } from \"node:crypto\";\n\nexport interface JWTPayload {\n sub: string;\n email?: string;\n role?: string;\n platform_tenant_id?: string;\n platform_role?: string;\n products?: Record<string, { enabled: boolean; role: string }>;\n iat?: number;\n exp?: number;\n aud?: string;\n}\n\nexport interface AuthResult {\n authenticated: boolean;\n payload?: JWTPayload;\n error?: string;\n}\n\n/**\n * Verify a Supabase JWT using the project's JWT secret (HS256).\n * Returns the decoded payload if valid, or an error message.\n */\nexport function verifyJWT(token: string, jwtSecret: string): AuthResult {\n const parts = token.split(\".\");\n if (parts.length !== 3) {\n return { authenticated: false, error: \"Malformed JWT\" };\n }\n\n const [headerB64, payloadB64, signatureB64] = parts;\n\n // Verify HS256 signature\n const signingInput = `${headerB64}.${payloadB64}`;\n const expectedSig = createHmac(\"sha256\", jwtSecret)\n 
.update(signingInput)\n .digest();\n const actualSig = Buffer.from(signatureB64, \"base64url\");\n\n if (\n expectedSig.length !== actualSig.length ||\n !timingSafeEqual(expectedSig, actualSig)\n ) {\n return { authenticated: false, error: \"Invalid signature\" };\n }\n\n // Decode payload\n let payload: JWTPayload;\n try {\n payload = JSON.parse(\n Buffer.from(payloadB64, \"base64url\").toString(\"utf-8\"),\n );\n } catch {\n return { authenticated: false, error: \"Invalid payload encoding\" };\n }\n\n // Check header algorithm\n try {\n const header = JSON.parse(\n Buffer.from(headerB64, \"base64url\").toString(\"utf-8\"),\n );\n if (header.alg !== \"HS256\") {\n return {\n authenticated: false,\n error: `Unsupported algorithm: ${header.alg}`,\n };\n }\n } catch {\n return { authenticated: false, error: \"Invalid header encoding\" };\n }\n\n // Check expiration — require exp claim to prevent indefinite tokens\n if (!payload.exp) {\n return { authenticated: false, error: \"Token missing expiration claim\" };\n }\n if (payload.exp < Math.floor(Date.now() / 1000)) {\n return { authenticated: false, error: \"Token expired\" };\n }\n\n // Require platform_tenant_id — every God Mode call must be tenant-scoped\n if (!payload.platform_tenant_id && !payload.sub) {\n return {\n authenticated: false,\n error: \"Missing subject or platform_tenant_id claim\",\n };\n }\n\n return { authenticated: true, payload };\n}\n\n/**\n * Extract Bearer token from Authorization header.\n */\nexport function extractBearerToken(\n authHeader: string | undefined,\n): string | null {\n if (!authHeader?.startsWith(\"Bearer \")) return null;\n return authHeader.slice(7);\n}\n","/**\n * Product Manifest — schema, loader, and validator.\n *\n * Every product in the Brainstorm platform declares itself via a\n * product-manifest.yaml at its repo root. 
This module defines the\n * schema (Zod), loads/validates manifests, and provides a template\n * generator for bootstrapping new products.\n */\n\nimport { z } from \"zod\";\n\n// ── Schema ──────────────────────────────────────────────────────\n\nconst securityAuthSchema = z.object({\n human: z.enum([\"supabase-jwt\", \"none\"]).default(\"supabase-jwt\"),\n machine: z.enum([\"mtls-spiffe\", \"api-key\", \"none\"]).default(\"api-key\"),\n tenant_claim: z.string().default(\"platform_tenant_id\"),\n});\n\nconst securityEncryptionSchema = z.object({\n credentials: z.enum([\"aes-256-gcm\", \"fernet\", \"none\"]).default(\"aes-256-gcm\"),\n evidence: z.enum([\"hybrid-pqc\", \"ed25519\", \"none\"]).default(\"none\"),\n});\n\nconst securityAuditSchema = z.object({\n signing: z.enum([\"hmac-sha256\", \"none\"]).default(\"hmac-sha256\"),\n retention: z.string().default(\"7y\"),\n});\n\nconst securitySchema = z.object({\n api_base: z.string().url(),\n health: z.string().default(\"/health\"),\n auth: securityAuthSchema.default({}),\n encryption: securityEncryptionSchema.default({}),\n audit: securityAuditSchema.default({}),\n});\n\nconst edgeSchema = z.object({\n plugins: z.array(z.string()).default([]),\n});\n\nconst eventSchema = z.object({\n publishes: z.array(z.string()).default([]),\n subscribes: z.array(z.string()).default([]),\n});\n\nconst capabilitySchema = z.object({\n domain: z.string(),\n});\n\nexport const productManifestSchema = z.object({\n product: z.object({\n id: z\n .string()\n .regex(\n /^[a-z0-9-]+$/,\n \"Product ID must be lowercase alphanumeric + hyphens\",\n ),\n name: z.string(),\n version: z.string(),\n }),\n security: securitySchema,\n capabilities: z.array(capabilitySchema).default([]),\n events: eventSchema.default({}),\n edge: edgeSchema.default({}),\n});\n\nexport type ProductManifest = z.infer<typeof productManifestSchema>;\n\n// ── Loader ──────────────────────────────────────────────────────\n\n/**\n * Parse and validate a product manifest 
from a YAML string.\n */\nexport function parseManifest(yamlContent: string): {\n ok: boolean;\n manifest?: ProductManifest;\n errors?: string[];\n} {\n // Dynamic import of yaml would be needed, but for CLI context we parse JSON-compatible YAML\n // The CLI command handles the YAML parsing; this validates the parsed object.\n try {\n // Try JSON first (manifests can be JSON too)\n const data = JSON.parse(yamlContent);\n return validateManifestData(data);\n } catch {\n return {\n ok: false,\n errors: [\n \"Invalid JSON/YAML. Use `brainstorm platform init` to generate a template.\",\n ],\n };\n }\n}\n\n/**\n * Validate a parsed manifest object against the schema.\n */\nexport function validateManifestData(data: unknown): {\n ok: boolean;\n manifest?: ProductManifest;\n errors?: string[];\n} {\n const result = productManifestSchema.safeParse(data);\n if (result.success) {\n return { ok: true, manifest: result.data };\n }\n const errors = result.error.issues.map(\n (i) => `${i.path.join(\".\")}: ${i.message}`,\n );\n return { ok: false, errors };\n}\n\n// ── Template ────────────────────────────────────────────────────\n\n/**\n * Generate a product-manifest.yaml template for a new product.\n */\nexport function generateManifestTemplate(\n productId: string,\n productName: string,\n apiBase: string,\n): string {\n return `# product-manifest.yaml — Brainstorm Platform Contract\n# Docs: https://brainstorm.co/docs/platform-contract\n\nproduct:\n id: \"${productId}\"\n name: \"${productName}\"\n version: \"0.1.0\"\n\n# ── Security ──────────────────────────────────────────\nsecurity:\n api_base: \"${apiBase}\"\n health: \"/health\"\n auth:\n human: \"supabase-jwt\"\n machine: \"api-key\" # Upgrade to mtls-spiffe when ready\n tenant_claim: \"platform_tenant_id\"\n encryption:\n credentials: \"aes-256-gcm\"\n evidence: \"none\" # Set to hybrid-pqc when evidence chains are implemented\n audit:\n signing: \"hmac-sha256\"\n retention: \"7y\"\n\n# ── Capabilities (God Mode) 
───────────────────────────\ncapabilities: []\n # - domain: \"endpoint-management\"\n # - domain: \"compliance\"\n\n# ── Events ────────────────────────────────────────────\nevents:\n publishes: []\n # - \"${productId}.alert.created\"\n subscribes: []\n # - \"platform.tenant.created\"\n\n# ── Edge Agent Plugins ────────────────────────────────\nedge:\n plugins: []\n`;\n}\n\n// ── Contract Verification ───────────────────────────────────────\n\nexport interface VerifyResult {\n endpoint: string;\n status: \"pass\" | \"fail\" | \"skip\";\n message: string;\n latencyMs?: number;\n}\n\n/**\n * Verify that a product implements the required platform endpoints.\n * Hits each endpoint and checks the response shape.\n */\nexport async function verifyProductContract(\n apiBase: string,\n opts?: { timeout?: number; token?: string },\n): Promise<VerifyResult[]> {\n const timeout = opts?.timeout ?? 10_000;\n const results: VerifyResult[] = [];\n\n const headers: Record<string, string> = {\n \"Content-Type\": \"application/json\",\n };\n if (opts?.token) {\n headers[\"Authorization\"] = `Bearer ${opts.token}`;\n }\n\n // 1. Health check (no auth)\n results.push(\n await checkEndpoint(\"GET\", `${apiBase}/health`, {\n timeout,\n validate: (body) => {\n if (!body.status) return \"Missing 'status' field\";\n if (!body.version) return \"Missing 'version' field\";\n return null;\n },\n }),\n );\n\n // 2. God Mode tools\n results.push(\n await checkEndpoint(\"GET\", `${apiBase}/api/v1/god-mode/tools`, {\n timeout,\n headers,\n validate: (body) => {\n const data = body.data ?? body;\n if (!Array.isArray(data)) return \"Expected array of tools\";\n return null;\n },\n }),\n );\n\n // 3. 
Platform events receiver\n results.push(\n await checkEndpoint(\"POST\", `${apiBase}/api/v1/platform/events`, {\n timeout,\n headers,\n body: JSON.stringify({\n id: \"test-verify\",\n type: \"platform.verify\",\n tenant_id: \"verify\",\n product: \"verify\",\n timestamp: new Date().toISOString(),\n data: {},\n schema_version: 1,\n signature: \"test\",\n }),\n // 401/403 is acceptable — means the endpoint exists but our test signature fails\n acceptStatuses: [200, 401, 403],\n validate: () => null,\n }),\n );\n\n // 4. Tenant provisioning\n results.push(\n await checkEndpoint(\"POST\", `${apiBase}/api/v1/platform/tenants`, {\n timeout,\n headers,\n body: JSON.stringify({\n id: \"verify-test\",\n name: \"Verify Test\",\n slug: \"verify\",\n }),\n acceptStatuses: [200, 201, 400, 401, 403, 409],\n validate: () => null,\n }),\n );\n\n return results;\n}\n\nasync function checkEndpoint(\n method: string,\n url: string,\n opts: {\n timeout: number;\n headers?: Record<string, string>;\n body?: string;\n acceptStatuses?: number[];\n validate: (body: any) => string | null;\n },\n): Promise<VerifyResult> {\n const start = Date.now();\n const endpointPath = new URL(url).pathname;\n\n try {\n const res = await fetch(url, {\n method,\n headers: opts.headers,\n body: opts.body,\n signal: AbortSignal.timeout(opts.timeout),\n });\n\n const latencyMs = Date.now() - start;\n const acceptable = opts.acceptStatuses ?? 
[200];\n\n if (!acceptable.includes(res.status)) {\n // 404 means the endpoint doesn't exist\n if (res.status === 404) {\n return {\n endpoint: `${method} ${endpointPath}`,\n status: \"fail\",\n message: \"Not found (404)\",\n latencyMs,\n };\n }\n return {\n endpoint: `${method} ${endpointPath}`,\n status: \"fail\",\n message: `HTTP ${res.status}`,\n latencyMs,\n };\n }\n\n let body: any = {};\n try {\n body = await res.json();\n } catch {\n // Some endpoints may return empty or non-JSON\n }\n\n const error = opts.validate(body);\n if (error) {\n return {\n endpoint: `${method} ${endpointPath}`,\n status: \"fail\",\n message: error,\n latencyMs,\n };\n }\n\n return {\n endpoint: `${method} ${endpointPath}`,\n status: \"pass\",\n message: `${res.status} OK`,\n latencyMs,\n };\n } catch (err) {\n const latencyMs = Date.now() - start;\n const msg = err instanceof Error ? err.message : String(err);\n if (msg.includes(\"timeout\") || msg.includes(\"abort\")) {\n return {\n endpoint: `${method} ${endpointPath}`,\n status: \"fail\",\n message: `Timeout (${opts.timeout}ms)`,\n latencyMs,\n };\n }\n return {\n endpoint: `${method} ${endpointPath}`,\n status: \"fail\",\n message: msg,\n latencyMs,\n };\n 
}\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AWWA,SAAS,YAAY,UAAU,YAAY,uBAAuB;ACDlE,SAAS,cAAAA,aAAY,mBAAAC,wBAAuB;AZI5C,IAAM,oBAAyD;EAC7D,uBACE;EACF,qBAAqB;EACrB,QAAQ;EACR,qBAAqB;EACrB,kBAAkB;EAClB,eAAe;EACf,eAAe;EACf,YAAY;EACZ,SAAS;EACT,SAAS;EACT,SAAS;EACT,WAAW;EACX,WAAW;EACX,mBAAmB;EACnB,WAAW;EACX,gBAAgB;EAChB,KAAK;EACL,YAAY;EACZ,mBAAmB;EACnB,kBAAkB;EAClB,YAAY;EACZ,OAAO;EACP,UAAU;AACZ;AAEO,SAAS,mBACd,WACA,QACsC;AACtC,QAAM,WAAW,OAAO,qBAAqB;AAC7C,MAAI,UAAU,WAAW,GAAG;AAC1B,WAAO;MACL,MAAM;MACN,WAAW;IACb;EACF;AAEA,QAAM,WAAqB,CAAC;AAE5B,WAAS,KAAK;;0BAEU,UAAU,MAAM,gEAAgE;AAGxG,WAAS,KAAK,2BAA2B;AACzC,aAAW,OAAO,WAAW;AAC3B,UAAM,OAAO,IAAI,aACd,IAAI,CAAC,MAAM,kBAAkB,CAAC,KAAK,CAAC,EACpC,KAAK,IAAI;AACZ,aAAS,KAAK,OAAO,IAAI,WAAW,OAAO,IAAI,SAAS,QAAQ,IAAI,EAAE;EACxE;AAEA,MAAI,UAAU;AACZ,aAAS,KAAK;;;;;;;;QAQV;EACN;AAGA,WAAS,KAAK;;;;;;;;;;;;;;;;;;;;;;;iCAuBiB;AAE/B,SAAO;IACL,MAAM,SAAS,KAAK,IAAI;IACxB,WAAW;EACb;AACF;AC9EA,eAAsB,eACpB,UACA,QACA,YACkC;AAClC,QAAM,YAAyD,CAAC;AAChE,QAAM,SAA4C,CAAC;AAOnD,QAAM,0BAA0B;AAChC,QAAM,UAAU,MAAM,QAAQ;IAC5B,WAAW,IAAI,OAAO,cAAc;AAClC,YAAM,oBAAoB,IAAI,gBAAgB;AAC9C,YAAM,eAAe;QACnB,MAAM,kBAAkB,MAAM;QAC9B;MACF;AACA,UAAI;AACF,cAAM,SAAS,MAAM,QAAQ,KAAK;UAChC,UAAU,YAAY;UACtB,IAAI,QAAe,CAAC,GAAG,WAAW;AAChC,8BAAkB,OAAO;cACvB;cACA,MACE;gBACE,IAAI;kBACF,yBAAyB,uBAAuB;gBAClD;cACF;cACF,EAAE,MAAM,KAAK;YACf;UACF,CAAC;QACH,CAAC;AACD,eAAO,EAAE,WAAW,OAAO;MAC7B,UAAA;AACE,qBAAa,YAAY;MAC3B;IACF,CAAC;EACH;AAGA,aAAW,UAAU,SAAS;AAC5B,QAAI,OAAO,WAAW,YAAY;AAChC;IACF;AAEA,UAAM,EAAE,WAAW,OAAO,IAAI,OAAO;AAErC,QAAI,CAAC,OAAO,IAAI;AACd,aAAO,KAAK;QACV,MAAM,UAAU;QAChB,OAAO,OAAO,WAAW,wBAAwB,OAAO,SAAS;MACnE,CAAC;AACD;IACF;AAKA,UAAM,QAAQ,UAAU,SAAS;AACjC,eAAW,QAAQ,OAAO;AACxB,UAAI,OAAO,kBAAkB;AAC3B,aAAK,WAAW;MAClB;AACA,eAAS,SAAS,IAAI;IACxB;AAEA,cAAU,KAAK;MACb,MAAM,UAAU;MAChB,aAAa,UAAU;MACvB,cAAc,UAAU;MACxB,WAAW,OAAO;MAClB,WAAW,MAAM;IACnB,CAAC;EACH;AAGA,QAAM,UAAU,kBAAkB;AAClC,aAAW,QAAQ,SAAS;AAC1B,aAAS,SAAS,IAAI;EACxB;AAGA,QAAM,gBAAgB,mBAAmB,WAAW,MAAM;AAG1D,aAAW,UAAU,SAAS;AAC5B,Q
AAI,OAAO,WAAW,YAAa;AACnC,UAAM,EAAE,WAAW,OAAO,IAAI,OAAO;AACrC,QAAI,CAAC,OAAO,GAAI;AAChB,QAAI,OAAO,UAAU,cAAc,YAAY;AAC7C,oBAAc,QAAQ,OAAO,UAAU,UAAU;IACnD;EACF;AAEA,SAAO;IACL,kBAAkB;IAClB;IACA;IACA,YACE,UAAU,OAAO,CAAC,KAAK,MAAM,MAAM,EAAE,WAAW,CAAC,IAAI,QAAQ;EACjE;AACF;AC5HA,SAAS,WAAW,GAAmB;AACrC,SAAO,EAAE,QAAQ,MAAM,KAAK,EAAE,QAAQ,MAAM,KAAK;AACnD;AAEA,IAAM,MAAM,aAAa,cAAc;AAGvC,IAAM,YAAoC;EACxC,UAAU;EACV,SAAS;EACT,UAAU;EACV,QAAQ;AACV;AAQO,SAAS,mBACd,cACA,OAQA,WAAW,GACE;AACb,QAAM,KAAK,MAAM,MAAM;AACvB,QAAM,cAAc,oBAAI,IAGtB;AACF,QAAM,uBAAuB,oBAAI,IAAY;AAE7C,aAAW,QAAQ,cAAc;AAE/B,UAAM,YAAY,GACf,QAAQ,0DAA0D,EAClE,IAAI,MAAM,IAAI,WAAW,IAAI,CAAC,EAAE;AAEnC,eAAW,MAAM,WAAW;AAE1B,YAAM,SAAS,MAAM,eAAe,GAAG,MAAM,QAAQ;AACrD,iBAAW,QAAQ,QAAQ;AACzB,YAAI,CAAC,YAAY,IAAI,KAAK,IAAI,GAAG;AAC/B,sBAAY,IAAI,KAAK,MAAM,IAAI;QACjC;MACF;IACF;AAGA,UAAM,cAAc,GACjB;MACC;IACF,EACC,IAAI,MAAM,IAAI,WAAW,IAAI,CAAC,EAAE;AAEnC,eAAW,KAAK,aAAa;AAC3B,2BAAqB,IAAI,EAAE,YAAY;IACzC;EACF;AAGA,aAAW,CAAC,EAAE,IAAI,KAAK,aAAa;AAClC,UAAM,QAAQ,GACX;MACC;IACF,EACC,IAAI,KAAK,IAAI;AAChB,eAAW,KAAK,OAAO;AACrB,2BAAqB,IAAI,EAAE,YAAY;IACzC;EACF;AAGA,QAAM,sBAA0D,CAAC;AACjE,aAAW,eAAe,sBAAsB;AAC9C,UAAM,YAAY,GACf,QAAQ,8DAA8D,EACtE,IAAI,WAAW;AAIlB,QAAI,WAAW;AACb,UAAI,OAAO;AACX,UAAI;AACF,cAAM,OAAO,KAAK,MAAM,UAAU,aAAa;AAC/C,eAAO,KAAK,QAAQ;MACtB,QAAQ;MAER;AAEA,0BAAoB,KAAK;QACvB,IAAI,UAAU;QACd,MAAM,UAAU,QAAQ;QACxB;MACF,CAAC;IACH;EACF;AAGA,MAAI,iBAAiB;AACrB,aAAW,KAAK,qBAAqB;AACnC,UAAM,WAAW,UAAU,EAAE,IAAI,KAAK;AACtC,QAAI,WAAW,eAAgB,kBAAiB;EAClD;AAEA,QAAM,SAAsB;IAC1B,iBAAiB,MAAM,KAAK,YAAY,OAAO,CAAC;IAChD;IACA;IACA,eAAe,YAAY;EAC7B;AAEA,MAAI;IACF;MACE,cAAc,aAAa;MAC3B,eAAe,OAAO;MACtB,aAAa,oBAAoB;MACjC;IACF;IACA;EACF;AAEA,SAAO;AACT;ACrHA,SAAS,wBAAwB,MAA6C;AAC5E,QAAM,OAAO,KAAK;AAClB,QAAM,cAAc,KAAK;AAEzB,MAAI;AAEJ,MAAI,KAAK,QAAQ,MAAM,QAAQ,KAAK,IAAI,GAAG;AACzC,UAAM,SAAS,KAAK;AACpB,aAAS,iBAAE,KAAK,MAAM;EACxB,OAAO;AACL,YAAQ,MAAM;MACZ,KAAK;AACH,iBAAS,iBAAE,OAAO;AAClB;MACF,KAAK;MACL,KAAK;AACH,iBAAS,iBAAE,OAAO;AAClB;MACF,KAAK;AACH,iBAAS,iBAAE,QAAQ;AACnB;MACF
,KAAK,SAAS;AACZ,cAAM,QAAQ,KAAK;AACnB,iBAAS,iBAAE,MAAM,QAAQ,wBAAwB,KAAK,IAAI,iBAAE,IAAI,CAAC;AACjE;MACF;MACA,KAAK,UAAU;AACb,cAAM,SAAS,KAAK;AAGpB,YAAI,QAAQ;AACV,mBAAS,gBAAgB,IAAI;QAC/B,OAAO;AACL,mBAAS,iBAAE,OAAO,iBAAE,IAAI,CAAC;QAC3B;AACA;MACF;MACA;AACE,iBAAS,iBAAE,IAAI;IACnB;EACF;AAEA,MAAI,aAAa;AACf,aAAS,OAAO,SAAS,WAAW;EACtC;AAEA,MAAI,KAAK,YAAY,QAAW;AAC9B,aAAS,OAAO,QAAQ,KAAK,OAAO;EACtC;AAEA,SAAO;AACT;AAKA,SAAS,gBAAgB,QAAmD;AAC1E,QAAM,aAAc,OAAO,cAAc,CAAC;AAI1C,QAAM,WAAW,IAAI,IAAK,OAAO,YAAY,CAAC,CAAc;AAE5D,QAAM,QAAsC,CAAC;AAC7C,aAAW,CAAC,KAAK,IAAI,KAAK,OAAO,QAAQ,UAAU,GAAG;AACpD,QAAI,cAAc,wBAAwB,IAAI;AAC9C,QAAI,CAAC,SAAS,IAAI,GAAG,GAAG;AACtB,oBAAc,YAAY,SAAS;IACrC;AACA,UAAM,GAAG,IAAI;EACf;AAEA,SAAO,iBAAE,OAAO,KAAK;AACvB;AAIA,SAAS,iBACP,WACA,mBACgB;AAChB,MAAI,cAAc,YAAa,QAAO;AACtC,MAAI,cAAc,SAAS,CAAC,kBAAmB,QAAO;AACtD,SAAO;AACT;AAkBO,IAAM,mBAAN,MAAmD;EACxD;EACA;EACA,eAAsC,CAAC;EAE/B;EACA,QAA6B,CAAC;EAC9B,cAAc;EAEtB,YAAY,IAAY,QAAoD;AAC1E,SAAK,OAAO;AACZ,SAAK,cACH,OAAO,eAAe,GAAG,OAAO,CAAC,EAAE,YAAY,IAAI,GAAG,MAAM,CAAC;AAC/D,SAAK,SAAS;EAChB;;;;;EAMA,MAAM,aAA4B;AAChC,QAAI;AACF,YAAM,MAAM,MAAM,KAAK,SAAS,wBAAwB;AAExD,UAAI,IAAI,OAAO;AACb,gBAAQ;UACN,aAAa,KAAK,WAAW,uCAAkC,IAAI,KAAK;QAC1E;AACA,aAAK,cAAc;AACnB;MACF;AAGA,YAAM,cACJ,IAAI,SAAS,IAAI,SAAS,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC;AAGxD,YAAM,UAAU,IAAI,IAAI,YAAY,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;AACxD,WAAK,eAAe,CAAC,GAAG,OAAO;AAG/B,UAAI,IAAI,SAAS;AACf,aAAK,cAAc,aAAa,IAAI,QAAQ,OAAO,CAAC,EAAE,YAAY,IAAI,IAAI,QAAQ,MAAM,CAAC,CAAC;MAC5F;AAGA,WAAK,QAAQ,YAAY,IAAI,CAAC,OAAO,KAAK,YAAY,EAAE,CAAC;AACzD,WAAK,cAAc;IACrB,SAAS,KAAK;AACZ,YAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,cAAQ;QACN,aAAa,KAAK,WAAW,kCAA6B,GAAG;MAC/D;AACA,WAAK,cAAc;IACrB;EACF;EAEA,MAAM,cAAqC;AACzC,UAAM,QAAQ,KAAK,IAAI;AACvB,QAAI;AACF,YAAM,MAAM,MAAM,KAAK,SAAS,SAAS;AACzC,YAAM,YAAY,KAAK,IAAI,IAAI;AAE/B,UAAI,IAAI,OAAO;AACb,eAAO,EAAE,IAAI,OAAO,WAAW,SAAS,IAAI,MAAM;MACpD;AAEA,aAAO;QACL,IAAI,IAAI,WAAW,aAAa,IAAI,WAAW,QAAQ,CAAC,CAAC,IAAI;QAC7D;QACA,SAAS,IAAI,UAAU,IAAI,IAAI,OAAO,KAAK;MAC7C;IACF,Q
AAQ;AACN,aAAO;QACL,IAAI;QACJ,WAAW,KAAK,IAAI,IAAI;QACxB,SAAS;MACX;IACF;EACF;EAEA,WAAgC;AAC9B,WAAO,KAAK;EACd;;EAIQ,YAAY,YAA2C;AAE7D,UAAM,WAAW,WAAW,KAAK,QAAQ,OAAO,GAAG;AACnD,UAAM,cAAc,gBAAgB,WAAW,UAAU;AACzD,UAAM,aAAa;MACjB,WAAW;MACX,WAAW;IACb;AACA,UAAM,WAAW,WAAW,eAAe;AAC3C,UAAM,YAAY;AAElB,QAAI,WAAW,oBAAoB;AACjC,aAAO,KAAK;QACV;QACA;QACA;QACA;MACF;IACF;AAEA,WAAO,WAAW;MAChB,MAAM;MACN,aAAa,WAAW;MACxB;MACA;MACA;MACA,MAAM,QAAQ,QAAQ;AACpB,cAAM,SAAS,MAAM,UAAU,SAAS,4BAA4B;UAClE,QAAQ;UACR,MAAM,KAAK,UAAU;YACnB,MAAM,WAAW;YACjB;UACF,CAAC;QACH,CAAC;AAED,YAAI,OAAO,MAAO,QAAO,EAAE,OAAO,OAAO,MAAM;AAC/C,eAAO,OAAO,QAAQ;MACxB;IACF,CAAC;EACH;EAEQ,oBACN,UACA,YACA,aACA,YACmB;AACnB,UAAM,YAAY;AAElB,UAAM,cAAc,GAAG,KAAK,IAAI,IAAI,QAAQ;AAG5C,qBAAiB,aAAa,OAAO,OAAO;AAE1C,YAAM,iBAAkB,GAAG,WAAW,cAClC;AACJ,YAAM,SAAS,MAAM,UAAU,SAAS,4BAA4B;QAClE,QAAQ;QACR,MAAM,KAAK,UAAU;UACnB,MAAM,WAAW;UACjB,QAAQ,kBAAkB,CAAC;UAC3B,UAAU;QACZ,CAAC;MACH,CAAC;AAED,UAAI,OAAO,MAAO,QAAO,EAAE,SAAS,OAAO,SAAS,OAAO,MAAM;AACjE,aAAO;QACL,SAAS;QACT,SAAS,OAAO,WAAW,YAAY,WAAW,IAAI;QACtD,cAAc,OAAO;MACvB;IACF,CAAC;AAED,WAAO,WAAW;MAChB,MAAM;MACN,aAAa,WAAW;MACxB;MACA;MACA,MAAM,QAAQ,QAAQ;AAEpB,cAAM,YAAY,MAAM,UAAU,SAAS,4BAA4B;UACrE,QAAQ;UACR,MAAM,KAAK,UAAU;YACnB,MAAM,WAAW;YACjB;YACA,UAAU;UACZ,CAAC;QACH,CAAC;AAED,YAAI,UAAU,MAAO,QAAO,EAAE,OAAO,UAAU,MAAM;AAGrD,cAAM,aAAa,UAAU,cAAc;UACzC,SAAS;UACT,cAAc,EAAE,GAAG,UAAU,MAAM,gBAAgB,OAAO;UAC1D,UAAU,UAAU,YAAY,CAAC;UACjC,aAAa,UAAU,eAAe,CAAC;UACvC,mBAAmB,UAAU,qBAAqB;QACpD;AAGA,YACE,WAAW,gBACX,OAAO,WAAW,iBAAiB,UACnC;AACC,qBAAW,aAAqB,iBAAiB;QACpD;AAEA,cAAM,YAAY,gBAAgB;UAChC,WAAW,UAAU;UACrB,QAAQ;;UACR,aAAa,UAAU,eAAe,WAAW,WAAW,IAAI;UAChE,SAAS,UAAU,WAAW;YAC5B;cACE,QAAQ,UAAU;cAClB,QAAQ,GAAG,WAAW,MAAM,IAAI,KAAK,UAAU,MAAM,EAAE,MAAM,GAAG,EAAE,CAAC;cACnE,WAAW;YACb;UACF;UACA;QACF,CAAC;AAED,eAAO;UACL,cAAc,UAAU;UACxB,QAAQ;UACR,YAAY,UAAU;UACtB,cAAc,UAAU;UACxB,aAAa,UAAU;UACvB,SACE;QACJ;MACF;IACF,CAAC;EACH;;EAIA,MAAc,SACZ,MACA,SACc;AACd,UAAM,MAAM,KAAK,cAAc;AAC/B,QAAI,CAAC,KAAK;AACR,aAAO;QACL,OAAO,kBAAkB,KAAK,WAAW,KAAK,KA
AK,OAAO,UAAU;MACtE;IACF;AAEA,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO,GAAG,IAAI;AAGzC,QACE,CAAC,IAAI,WAAW,UAAU,KAC1B,CAAC,IAAI,WAAW,kBAAkB,KAClC,CAAC,IAAI,WAAW,kBAAkB,GAClC;AACA,aAAO;QACL,OAAO,GAAG,KAAK,WAAW;MAC5B;IACF;AAEA,UAAM,UAAU,SAAS,WAAW;AAEpC,QAAI;AACF,YAAM,MAAM,MAAM,MAAM,KAAK;QAC3B,GAAG;QACH,SAAS;UACP,eAAe,UAAU,GAAG;UAC5B,gBAAgB;UAChB,GAAK,SAAS,WAAsC,CAAC;QACvD;QACA,QAAQ,YAAY,QAAQ,OAAO;MACrC,CAAC;AAED,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC5C,eAAO;UACL,OAAO,GAAG,KAAK,WAAW,QAAQ,IAAI,MAAM,KAAK,KAAK,MAAM,GAAG,GAAG,CAAC;QACrE;MACF;AAEA,aAAO,IAAI,KAAK;IAClB,SAAS,OAAO;AACd,YAAM,MAAM,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACjE,aAAO,EAAE,OAAO,GAAG,KAAK,WAAW,eAAe,GAAG,GAAG;IAC1D;EACF;EAEQ,gBAA+B;AACrC,WACE,QAAQ,IAAI,OAAO,KAAK,KAAK,YAAY,CAAC,MAAM,KAChD,QAAQ,IAAI,KAAK,OAAO,UAAU,KAClC;EAEJ;AACF;AChZA,IAAMC,OAAMC,aAAa,eAAe;AAExC,IAAM,aAAa;AAaZ,IAAM,eAAN,MAAmB;EAChB;EACA,oBAAmC;EACnC,6BAA6B;EAC7B;EAER,YAAY,QAA4B;AACtC,SAAK,SAAS;AACd,SAAK,QAAQ,OAAO,SAAS;EAC/B;;;;EAKA,MAAM,QACJ,QACA,MACA,MACY;AACZ,UAAM,QAAQ,MAAM,KAAK,aAAa;AACtC,UAAM,MAAM,KAAK,WAAW,MAAM,IAAI,OAAO,GAAG,UAAU,GAAG,IAAI;AAEjE,UAAM,MAAM,MAAM,MAAM,KAAK;MAC3B;MACA,SAAS;QACP,eAAe,UAAU,KAAK;QAC9B,QAAQ;QACR,wBAAwB;QACxB,GAAI,OAAO,EAAE,gBAAgB,mBAAmB,IAAI,CAAC;MACvD;MACA,MAAM,OAAO,KAAK,UAAU,IAAI,IAAI;IACtC,CAAC;AAED,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,YAAM,IAAI;QACR,cAAc,MAAM,IAAI,IAAI,KAAK,IAAI,MAAM,IAAI,KAAK,MAAM,GAAG,GAAG,CAAC;MACnE;IACF;AAEA,QAAI,IAAI,WAAW,IAAK,QAAO,CAAC;AAChC,WAAO,IAAI,KAAK;EAClB;;EAIA,MAAM,QAAQ,OAAe,MAAc;AACzC,WAAO,KAAK,QAAQ,OAAO,UAAU,KAAK,IAAI,IAAI,EAAE;EACtD;EAEA,MAAM,aAAa,OAAe,MAAc;AAC9C,WAAO,KAAK,QAAQ,OAAO,UAAU,KAAK,IAAI,IAAI,uBAAuB;EAC3E;EAEA,MAAM,eACJ,OACA,MACA,MACA,MACA;AACA,WAAO,KAAK;MACV;MACA,UAAU,KAAK,IAAI,IAAI,YAAY,IAAI,MAAM,IAAI;IACnD;EACF;EAEA,MAAM,YAAY,OAAe,MAAc,MAAc,KAAc;AACzE,UAAM,QAAQ,MAAM,QAAQ,GAAG,KAAK;AACpC,WAAO,KAAK;MACV;MACA,UAAU,KAAK,IAAI,IAAI,aAAa,IAAI,GAAG,KAAK;IAClD;EACF;;EAIA,MAAM,cACJ,OACA,MACA,KACA,QACA,SAAS,CAAC,QAAQ,cAAc,GAChC;AAC
A,WAAO,KAAK,QAAQ,QAAQ,UAAU,KAAK,IAAI,IAAI,UAAU;MAC3D,MAAM;MACN,QAAQ;MACR;MACA,QAAQ,EAAE,KAAK,cAAc,QAAQ,QAAQ,cAAc,IAAI;IACjE,CAAC;EACH;EAEA,MAAM,aAAa,OAAe,MAAc;AAC9C,WAAO,KAAK,QAAQ,OAAO,UAAU,KAAK,IAAI,IAAI,QAAQ;EAC5D;EAEA,MAAM,cAAc,OAAe,MAAc,QAAgB;AAC/D,WAAO,KAAK,QAAQ,UAAU,UAAU,KAAK,IAAI,IAAI,UAAU,MAAM,EAAE;EACzE;;EAIA,MAAM,MAAM,OAAe,MAAc,QAAgB;AACvD,WAAO,KAAK,QAAQ,OAAO,UAAU,KAAK,IAAI,IAAI,UAAU,MAAM,EAAE;EACtE;EAEA,MAAM,WAAW,OAAe,MAAc,QAAgB;AAC5D,WAAO,KAAK;MACV;MACA,UAAU,KAAK,IAAI,IAAI,UAAU,MAAM;IACzC;EACF;EAEA,MAAM,aACJ,OACA,MACA,QACA,MACA,QAAmD,WACnD,UACA;AACA,WAAO,KAAK;MACV;MACA,UAAU,KAAK,IAAI,IAAI,UAAU,MAAM;MACvC;QACE;QACA;QACA;MACF;IACF;EACF;;EAIA,MAAM,eACJ,OACA,MACA,MAQA;AACA,WAAO,KAAK,QAAQ,QAAQ,UAAU,KAAK,IAAI,IAAI,eAAe;MAChE,MAAM,KAAK;MACX,UAAU,KAAK;MACf,QAAQ,KAAK;MACb,GAAI,KAAK,aAAa,EAAE,YAAY,KAAK,WAAW,IAAI,CAAC;MACzD,QAAQ,KAAK,UACT;QACE,OAAO,KAAK;QACZ,SAAS,KAAK;QACd,MAAM,KAAK;MACb,IACA;IACN,CAAC;EACH;;EAIA,MAAM,cAIH;AACD,UAAM,QAAQ,KAAK,IAAI;AACvB,QAAI;AACF,YAAM,OAAO,MAAM,KAAK,QAA2B,OAAO,OAAO;AACjE,aAAO,EAAE,IAAI,MAAM,WAAW,KAAK,IAAI,IAAI,OAAO,MAAM,KAAK,MAAM;IACrE,SAAS,KAAU;AACjB,aAAO,EAAE,IAAI,OAAO,WAAW,KAAK,IAAI,IAAI,MAAM;IACpD;EACF;;EAIA,MAAc,eAAgC;AAC5C,QAAI,KAAK,MAAO,QAAO,KAAK;AAG5B,QACE,KAAK,OAAO,iBACZ,KAAK,OAAO,SACZ,KAAK,OAAO,gBACZ;AACA,UACE,KAAK,qBACL,KAAK,IAAI,IAAI,KAAK,4BAClB;AACA,eAAO,KAAK;MACd;AACA,WAAK,oBAAoB,MAAM,KAAK,6BAA6B;AACjE,WAAK,6BAA6B,KAAK,IAAI,IAAI,KAAK,KAAK;AACzD,aAAO,KAAK;IACd;AAEA,UAAM,IAAI;MACR;IACF;EACF;EAEA,MAAc,+BAAgD;AAE5D,UAAM,SAAS,MAAM,KAAK,aAAa;AAEvC,UAAM,MAAM,MAAM;MAChB,GAAG,UAAU,sBAAsB,KAAK,OAAO,cAAc;MAC7D;QACE,QAAQ;QACR,SAAS;UACP,eAAe,UAAU,MAAM;UAC/B,QAAQ;QACV;MACF;IACF;AAEA,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,IAAI,MAAM,qCAAqC,IAAI,MAAM,EAAE;IACnE;AAEA,UAAM,OAAQ,MAAM,IAAI,KAAK;AAC7BD,SAAI,KAAK,wCAAwC;AACjD,WAAO,KAAK;EACd;EAEA,MAAc,eAAgC;AAG5C,UAAM,EAAE,kBAAkB,KAAK,IAAI,MAAM,OAAO,QAAa;AAE7D,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,UAAM,SAAS,OAAO;MACpB,KAAK,UAAU,EAAE,KAAK,SAAS,KAAK,MAAM,CAAC;IAC7C,EAAE,SAAS,WAAW;AACtB,UAAM,UAA
U,OAAO;MACrB,KAAK,UAAU;QACb,KAAK,KAAK,OAAO;QACjB,KAAK,MAAM;QACX,KAAK,MAAM;MACb,CAAC;IACH,EAAE,SAAS,WAAW;AAEtB,UAAM,MAAM,iBAAiB,KAAK,OAAO,aAAc;AACvD,UAAM,YAAY;MAChB;MACA,OAAO,KAAK,GAAG,MAAM,IAAI,OAAO,EAAE;MAClC;IACF,EAAE,SAAS,WAAW;AAEtB,WAAO,GAAG,MAAM,IAAI,OAAO,IAAI,SAAS;EAC1C;AACF;AC/QO,SAAS,gBACd,QACA,OACA,MACqB;AACrB,SAAO;IACLE,WAAW;MACT,MAAM;MACN,aAAa,+BAA+B,KAAK,IAAI,IAAI;MACzD,YAAY;MACZ,aAAaC,iBAAE,OAAO,CAAC,CAAC;MACxB,MAAM,UAAU;AACd,cAAM,OAAO,MAAM,OAAO,QAAQ,OAAO,IAAI;AAC7C,eAAO;UACL,MAAM,KAAK;UACX,aAAa,KAAK;UAClB,UAAU,KAAK;UACf,QAAQ,KAAK;UACb,eAAe,KAAK;UACpB,YAAY,KAAK;UACjB,MAAM,KAAK;UACX,YAAY,KAAK;UACjB,WAAW,KAAK;QAClB;MACF;IACF,CAAC;IAEDD,WAAW;MACT,MAAM;MACN,aAAa,qBAAqB,KAAK,IAAI,IAAI;MAC/C,YAAY;MACZ,aAAaC,iBAAE,OAAO,CAAC,CAAC;MACxB,MAAM,UAAU;AACd,cAAM,WAAW,MAAM,OAAO,aAAa,OAAO,IAAI;AACtD,eAAO,SAAS,IAAI,CAAC,OAAY;UAC/B,MAAM,EAAE;UACR,WAAW,EAAE;UACb,KAAK,EAAE,OAAO,IAAI,MAAM,GAAG,CAAC;QAC9B,EAAE;MACJ;IACF,CAAC;IAEDD,WAAW;MACT,MAAM;MACN,aAAa,2BAA2B,KAAK,IAAI,IAAI;MACrD,YAAY;MACZ,aAAaC,iBAAE,OAAO;QACpB,MAAMA,iBAAE,OAAO,EAAE,SAAS,gCAAgC;QAC1D,MAAMA,iBAAE,OAAO,EAAE,SAAS,kCAAkC;MAC9D,CAAC;MACD,MAAM,QAAQ,EAAE,MAAM,KAAK,GAAG;AAC5B,cAAM,OAAO,MAAM,OAAO,eAAe,OAAO,MAAM,MAAM,IAAI;AAChE,eAAO;UACL,QAAQ,KAAK;UACb,SAAS,KAAK;UACd,UAAU,KAAK;UACf,cAAc,KAAK;UACnB,QAAQ,KAAK,SAAS,CAAC,GAAG,IAAI,CAAC,OAAY;YACzC,UAAU,EAAE;YACZ,QAAQ,EAAE;YACV,WAAW,EAAE;YACb,WAAW,EAAE;YACb,SAAS,EAAE;UACb,EAAE;QACJ;MACF;IACF,CAAC;EACH;AACF;ACpEO,SAAS,mBACd,QACA,OACA,MACqB;AACrB,SAAO;IACLD,WAAW;MACT,MAAM;MACN,aAAa,yBAAyB,KAAK,IAAI,IAAI;MACnD,YAAY;MACZ,aAAaC,iBAAE,OAAO;QACpB,KAAKA,iBACF,OAAO,EACP;UACC;QACF;QACF,QAAQA,iBACL,OAAO,EACP,SAAS,+CAA+C;QAC3D,QAAQA,iBACL,MAAMA,iBAAE,OAAO,CAAC,EAChB,SAAS,EACT,SAAS,sDAAsD;MACpE,CAAC;MACD,MAAM,QAAQ,EAAE,KAAK,QAAQ,OAAO,GAAG;AACrC,cAAM,SAAS,MAAM,OAAO;UAC1B;UACA;UACA;UACA;UACA;QACF;AACA,eAAO;UACL,IAAI,OAAO;UACX,KAAK,OAAO,OAAO;UACnB,QAAQ,OAAO;UACf,QAAQ,OAAO;UACf,WAAW,OAAO;QACpB;MACF;IACF,CAAC;IAEDD,WAAW;MACT,MAAM;MACN,aAAa,mCAAmC,KAAK,IAAI,IAAI;MAC7D,YAAY;MACZ,aAAaC,iBAAE
,OAAO,CAAC,CAAC;MACxB,MAAM,UAAU;AACd,cAAM,QAAQ,MAAM,OAAO,aAAa,OAAO,IAAI;AACnD,eAAO,MAAM,IAAI,CAAC,OAAY;UAC5B,IAAI,EAAE;UACN,KAAK,EAAE,OAAO;UACd,QAAQ,EAAE;UACV,QAAQ,EAAE;UACV,cAAc,EAAE,eAAe;QACjC,EAAE;MACJ;IACF,CAAC;EACH;AACF;AC/CA,IAAMH,OAAMC,aAAa,WAAW;AA0B7B,SAAS,oBACd,MACqB;AACrB,QAAM,EAAE,QAAQ,OAAO,MAAM,MAAM,IAAI;AAEvC,SAAO;IACLC,WAAW;MACT,MAAM;MACN,aAAa,4BAA4B,KAAK,IAAI,IAAI;MACtD,YAAY;MACZ,aAAaC,iBAAE,OAAO;QACpB,UAAUA,iBAAE,OAAO,EAAE,SAAS,qBAAqB;QACnD,YAAYA,iBACT,QAAQ,EACR,SAAS,EACT,SAAS,sCAAsC;QAClD,aAAaA,iBACV,QAAQ,EACR,SAAS,EACT,SAAS,gDAAgD;MAC9D,CAAC;MACD,MAAM,QAAQ,EAAE,UAAU,YAAY,YAAY,GAAG;AACnD,cAAM,aAAa,eAAe;AAClC,cAAM,cAAc,gBAAgB;AAGpC,cAAM,KAAK,MAAM,OAAO,MAAM,OAAO,MAAM,QAAQ;AACnD,cAAM,QAAQ,MAAM,OAAO,WAAW,OAAO,MAAM,QAAQ;AAE3D,cAAM,eAAe,MAAM,IAAI,CAAC,OAAY;UAC1C,UAAU,EAAE;UACZ,QAAQ,EAAE;UACV,WAAW,EAAE;UACb,WAAW,EAAE;UACb,SAAS,EAAE;UACX,OAAO,EAAE,OAAO,MAAM,GAAG,GAAI;;QAC/B,EAAE;AAGF,YAAI,cAAc;AAClB,cAAM,kBAID,CAAC;AACN,cAAM,kBAAkB,oBAAI,IAAY;AACxC,cAAM,kBAAkB,oBAAI,IAAY;AAExC,YAAI,OAAO;AACT,gBAAM,KAAK,MAAM,MAAM;AAEvB,qBAAW,QAAQ,cAAc;AAE/B,kBAAM,YAAY,GACf,QAAQ,8CAA8C,EACtD,IAAI,IAAI,KAAK,QAAQ,EAAE;AAE1B,uBAAW,MAAM,WAAW;AAC1B,oBAAM,SAAS,MAAM,eAAe,GAAG,MAAM,CAAC;AAC9C,yBAAW,QAAQ,QAAQ;AACzB,gCAAgB,KAAK,IAAI;AACzB;cACF;YACF;AAGA,kBAAM,cAAc,GACjB;cACC;YACF,EACC,IAAI,IAAI,KAAK,QAAQ,EAAE;AAE1B,uBAAW,QAAQ,aAAa;AAC9B,8BAAgB,IAAI,KAAK,QAAQ,KAAK,EAAE;AACxC,kBAAI;AACF,sBAAM,OAAO,KAAK,MAAM,KAAK,iBAAiB,IAAI;AAClD,oBAAI,KAAK,SAAS;AAChB,kCAAgB,IAAI,KAAK,QAAQ,KAAK,EAAE;cAC5C,QAAQ;cAAC;YACX;UACF;QACF;AAGA,YAAI,YAAY;AAChB,qBAAa,KAAK,IAAI,IAAI,aAAa,SAAS,CAAC;AACjD,qBAAa,KAAK,IAAI,IAAI,WAAW;AACrC,qBAAa,gBAAgB,OAAO;AACpC,qBACE,aAAa,OAAO,CAAC,MAAW,EAAE,YAAY,EAAE,EAAE,SAAS;AAC7D,oBAAY,KAAK,IAAI,KAAK,SAAS;AAGnC,YAAI,kBACF;AACF,YAAI,gBAAgB,OAAO,EAAG,mBAAkB;iBACvC,YAAY,GAAI,mBAAkB;iBAClC,YAAY,GAAI,mBAAkB;AAG3C,cAAM,aAAa,gBAAgB;UACjC;UACA;UACA;UACA;UACA,iBAAiB,MAAM,KAAK,eAAe;UAC3C,iBAAiB,MAAM,KAAK,eAAe;UAC3C,iBAAiB,gBAAgB,MAAM,GAAG,EAAE;QAC9C,CAAC;AAGD,YAAI,YAAY;AACd,gBAAM,QACJ,oBAAoB
,oBAChB,oBACA;AACN,gBAAM,OAAO;YACX;YACA;YACA;YACA;YACA;UACF;AACAH,eAAI;YACF,EAAE,IAAI,UAAU,WAAW,SAAS,gBAAgB,KAAK;YACzD;UACF;QACF;AAGA,YAAI,aAAa;AACf,gBAAM,OAAO,eAAe,OAAO,MAAM;YACvC,MAAM;YACN,SAAS,GAAG,KAAK;YACjB,QAAQ;YACR,YAAY;YACZ,SAAS,eAAe,SAAS,wBAAwB,WAAW,uBAAuB,gBAAgB,IAAI,KAAK,gBAAgB,IAAI;YACxI,MAAM;UACR,CAAC;AACDA,eAAI;YACF,EAAE,IAAI,UAAU,YAAY,gBAAgB;YAC5C;UACF;QACF;AAEA,eAAO;UACL;UACA,eAAe,aAAa;UAC5B;UACA,iBAAiB,MAAM,KAAK,eAAe;UAC3C,yBAAyB,MAAM,KAAK,eAAe;UACnD;UACA;UACA;UACA,MAAM;;QACR;MACF;IACF,CAAC;EACH;AACF;AAIA,SAAS,gBAAgB,MAQd;AACT,QAAM;IACJ;IACA;IACA;IACA;IACA;IACA;EACF,IAAI;AAEJ,QAAM,YAAY,YAAY,KAAK,cAAO,YAAY,KAAK,cAAO;AAClE,QAAM,QAAkB,CAAC;AAEzB,QAAM;IACJ,MAAM,SAAS;IACf;IACA,mBAAmB,SAAS,4BAA4B,WAAW,0CAA0C,aAAa,MAAM;IAChI;EACF;AAEA,MAAI,gBAAgB,SAAS,GAAG;AAC9B,UAAM;MACJ;MACA;MACA,GAAG,gBAAgB;QACjB,CAAC,MAAM,OAAO,CAAC;MACjB;MACA;IACF;EACF;AAEA,MAAI,gBAAgB,SAAS,GAAG;AAC9B,UAAM;MACJ;MACA;MACA,GAAG,gBAAgB,IAAI,CAAC,MAAM;AAC5B,cAAM,aAAa,gBAAgB,SAAS,CAAC;AAC7C,eAAO,KAAK,aAAa,cAAO,WAAI,IAAI,CAAC;MAC3C,CAAC;MACD;IACF;EACF;AAEA,MAAI,gBAAgB,SAAS,GAAG;AAC9B,UAAM;MACJ;MACA;MACA;MACA;MACA,GAAG,gBACA,MAAM,GAAG,EAAE,EACX;QACC,CAAC,MACC,OAAO,EAAE,IAAI,UAAU,EAAE,KAAK,MAAM,GAAG,EAAE,MAAM,EAAE,EAAE,KAAK,GAAG,CAAC,QAAQ,EAAE,KAAK;MAC/E;MACF;IACF;AACA,QAAI,gBAAgB,SAAS,IAAI;AAC/B,YAAM;QACJ,YAAY,gBAAgB,SAAS,EAAE;QACvC;MACF;IACF;EACF;AAGA,QAAM;IACJ;IACA;IACA;IACA;IACA,GAAG,aACA,MAAM,GAAG,EAAE,EACX;MACC,CAAC,MACC,OAAO,EAAE,SAAS,MAAM,GAAG,EAAE,MAAM,EAAE,EAAE,KAAK,GAAG,CAAC,QAAQ,EAAE,MAAM,OAAO,EAAE,SAAS,KAAK,EAAE,SAAS;IACtG;IACF;EACF;AAEA,QAAM;IACJ;IACA;EACF;AAEA,SAAO,MAAM,KAAK,IAAI;AACxB;AC3SO,SAAS,kBAAkB,OAAe,MAAsB;AACrE,SAAO;IACL;IACA;IACA,kBAAkB,KAAK,IAAI,IAAI;IAC/B;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;EACF,EAAE,KAAK,IAAI;AACb;ACDA,IAAMA,OAAMC,aAAa,kBAAkB;AAmBpC,IAAM,kBAAN,MAAkD;EACvD,OAAO;EACP,cAAc;EACd,eAAsC;IACpC;IACA;IACA;IACA;EACF;EAEQ;EACA;EACA;EACA;EACA,cAA0C;EAElD,YAAY,QAA+B;AACzC,SAAK,QAAQ,OAAO;AACpB,SAAK,OAAO,OAAO;AACnB,SAAK,QAAQ,OAAO,SAAS;AAC7B,SAAK,SAAS
,IAAI,aAAa;MAC7B,OAAO,OAAO;MACd,eAAe,OAAO;MACtB,OAAO,OAAO;MACd,gBAAgB,OAAO;IACzB,CAAC;EACH;EAEA,WAAgC;AAC9B,QAAI,CAAC,KAAK,aAAa;AACrB,WAAK,cAAc;QACjB,GAAG,gBAAgB,KAAK,QAAQ,KAAK,OAAO,KAAK,IAAI;QACrD,GAAG,mBAAmB,KAAK,QAAQ,KAAK,OAAO,KAAK,IAAI;QACxD,GAAG,oBAAoB;UACrB,QAAQ,KAAK;UACb,OAAO,KAAK;UACZ,MAAM,KAAK;UACX,OAAO,KAAK;QACd,CAAC;MACH;IACF;AACA,WAAO,KAAK;EACd;EAEA,MAAM,cAAqC;AACzC,UAAM,SAAS,MAAM,KAAK,OAAO,YAAY;AAC7C,WAAO;MACL,IAAI,OAAO;MACX,WAAW,OAAO;MAClB,SAAS,OAAO,KACZ,oBAAoB,OAAO,IAAI,QAAQ,KAAK,KAAK,IAAI,KAAK,IAAI,KAC9D;IACN;EACF;EAEA,YAAoB;AAClB,WAAO,kBAAkB,KAAK,OAAO,KAAK,IAAI;EAChD;;EAGA,YAA0B;AACxB,WAAO,KAAK;EACd;AACF;AAKO,SAAS,sBACd,OACA,MACA,YACwB;AACxB,QAAM,QAAQ,aAAa,cAAc,KAAK,QAAQ,IAAI;AAC1D,QAAM,SACJ,aAAa,wBAAwB,KACrC,QAAQ,IAAI;AACd,QAAM,QAAQ,aAAa,eAAe,KAAK,QAAQ,IAAI;AAC3D,QAAM,YACJ,aAAa,wBAAwB,KACrC,QAAQ,IAAI;AAEd,MAAI,CAAC,SAAS,CAAC,QAAQ;AACrBD,SAAI,MAAM,uDAAkD;AAC5D,WAAO;EACT;AAEA,SAAO,IAAI,gBAAgB;IACzB,OAAO,SAAS;IAChB,eAAe,UAAU;IACzB,OAAO,SAAS;IAChB,gBAAgB,aAAa;IAC7B;IACA;EACF,CAAC;AACH;ACvHA,eAAsB,wBACpB,QAC6B;AAC7B,QAAM,aAAiC,CAAC;AAExC,QAAM,UAAU,OAAO,QAAQ,OAAO,cAAc,CAAC,CAAC;AACtD,MAAI,QAAQ,WAAW,EAAG,QAAO;AAGjC,QAAM,UAAU,MAAM,QAAQ;IAC5B,QACG,OAAO,CAAC,CAAC,EAAE,GAAG,MAAM,IAAI,YAAY,KAAK,EACzC,IAAI,OAAO,CAAC,IAAI,GAAG,MAAM;AACxB,YAAM,YAAY,IAAI,iBAAiB,IAAI,GAAU;AACrD,YAAM,UAAU,WAAW;AAC3B,aAAO;IACT,CAAC;EACL;AAEA,aAAW,UAAU,SAAS;AAC5B,QAAI,OAAO,WAAW,aAAa;AACjC,iBAAW,KAAK,OAAO,KAAK;IAC9B;EAEF;AAEA,SAAO;AACT;AC5BA,IAAM,YAAY,OAAO,KAAK,+BAA+B;AAC7D,IAAM,YAAY,OAAO,KAAK,cAAc;AAC5C,IAAM,aAAa;AAOZ,SAAS,gBACd,cACA,UACQ;AACR,QAAM,OAAO,OAAO,OAAO,CAAC,WAAW,OAAO,KAAK,IAAI,QAAQ,EAAE,CAAC,CAAC;AACnE,SAAO,OAAO;IACZ,SAAS,UAAU,cAAc,WAAW,MAAM,UAAU;EAC9D;AACF;AAOO,SAAS,aAAa,KAAsC;AAGjE,SAAO,KAAK,UAAU,KAAK,CAAC,MAAM,UAAU;AAC1C,QAAI,SAAS,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK,GAAG;AAC/D,aAAO,OAAO,KAAK,KAAK,EACrB,KAAK,EACL,OAAO,CAAC,QAAiC,MAAM;AAC9C,eAAO,CAAC,IAAI,MAAM,CAAC;AACnB,eAAO;MACT,GAAG,CAAC,CAAC;IACT;AACA,WAAO;EACT,CAAC;AACH;AAMO,SAAS,UACd,OACA,cACQ;AACR,QAAM,MAAM,gBAAgB,cA
Ac,MAAM,SAAS;AACzD,QAAM,UAAU,aAAa,KAAgC;AAC7D,SAAO,WAAW,UAAU,GAAG,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK;AAC/D;AAOA,IAAM,wBAAwB;AAmB9B,IAAM,eAAe,oBAAI,IAAoB;AAC7C,IAAM,eAAe;AACrB,IAAM,eAAe,wBAAwB;AAO7C,SAAS,sBAAsB,SAAiB,KAAsB;AAGpE,QAAM,SAAS,MAAM;AAGrB,aAAW,CAAC,IAAI,EAAE,KAAK,cAAc;AACnC,QAAI,KAAK,OAAQ,cAAa,OAAO,EAAE;EACzC;AAEA,MAAI,aAAa,IAAI,OAAO,GAAG;AAE7B,WAAO;EACT;AAGA,MAAI,aAAa,QAAQ,cAAc;AACrC,UAAM,YAAY,aAAa,KAAK,EAAE,KAAK,EAAE;AAC7C,QAAI,cAAc,OAAW,cAAa,OAAO,SAAS;EAC5D;AAEA,eAAa,IAAI,SAAS,GAAG;AAC7B,SAAO;AACT;AAEO,SAAS,YACd,OACA,cACS;AAET,MAAI,CAAC,MAAM,UAAW,QAAO;AAG7B,MAAI,CAAC,MAAM,GAAI,QAAO;AAMtB,MAAI,CAAC,MAAM,UAAW,QAAO;AAC7B,QAAM,YAAY,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ;AACpD,MAAI,OAAO,MAAM,SAAS,EAAG,QAAO;AACpC,QAAM,QAAQ,KAAK,IAAI,KAAK,IAAI,IAAI,SAAS;AAC7C,MAAI,QAAQ,wBAAwB,IAAM,QAAO;AAKjD,QAAM,EAAE,WAAW,GAAG,KAAK,IAAI;AAC/B,QAAM,WAAW,UAAU,MAAM,YAAY;AAC7C,QAAM,SAAS,OAAO,KAAK,WAAW,KAAK;AAC3C,QAAM,cAAc,OAAO,KAAK,UAAU,KAAK;AAC/C,MAAI,OAAO,WAAW,YAAY,OAAQ,QAAO;AACjD,MAAI,CAAC,gBAAgB,QAAQ,WAAW,EAAG,QAAO;AAIlD,SAAO,sBAAsB,MAAM,IAAI,KAAK,IAAI,CAAC;AACnD;AAKO,SAAS,kBACd,MACA,UACA,SACA,MACA,cACA,MACe;AACf,QAAM,WAAW;IACf,IAAI,WAAW;IACf;IACA,WAAW;IACX;IACA,YAAW,oBAAI,KAAK,GAAE,YAAY;IAClC;IACA,gBAAgB,MAAM,iBAAiB;IACvC,GAAI,MAAM,gBAAgB,EAAE,gBAAgB,KAAK,cAAc,IAAI,CAAC;EACtE;AAEA,QAAM,YAAY,UAAU,UAAU,YAAY;AAClD,SAAO,EAAE,GAAG,UAAU,UAAU;AAClC;ACtJO,SAAS,UAAU,OAAe,WAA+B;AACtE,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,GAAG;AACtB,WAAO,EAAE,eAAe,OAAO,OAAO,gBAAgB;EACxD;AAEA,QAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAG9C,QAAM,eAAe,GAAG,SAAS,IAAI,UAAU;AAC/C,QAAM,cAAcI,YAAW,UAAU,SAAS,EAC/C,OAAO,YAAY,EACnB,OAAO;AACV,QAAM,YAAY,OAAO,KAAK,cAAc,WAAW;AAEvD,MACE,YAAY,WAAW,UAAU,UACjC,CAACC,iBAAgB,aAAa,SAAS,GACvC;AACA,WAAO,EAAE,eAAe,OAAO,OAAO,oBAAoB;EAC5D;AAGA,MAAI;AACJ,MAAI;AACF,cAAU,KAAK;MACb,OAAO,KAAK,YAAY,WAAW,EAAE,SAAS,OAAO;IACvD;EACF,QAAQ;AACN,WAAO,EAAE,eAAe,OAAO,OAAO,2BAA2B;EACnE;AAGA,MAAI;AACF,UAAM,SAAS,KAAK;MAClB,OAAO,KAAK,WAAW,WAAW,EAAE,SAAS,OAAO;IACtD;AACA,QAAI,OAAO,QAAQ,SAAS;AAC1B,aAAO;QACL,eAAe;QACf,
OAAO,0BAA0B,OAAO,GAAG;MAC7C;IACF;EACF,QAAQ;AACN,WAAO,EAAE,eAAe,OAAO,OAAO,0BAA0B;EAClE;AAGA,MAAI,CAAC,QAAQ,KAAK;AAChB,WAAO,EAAE,eAAe,OAAO,OAAO,iCAAiC;EACzE;AACA,MAAI,QAAQ,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,GAAG;AAC/C,WAAO,EAAE,eAAe,OAAO,OAAO,gBAAgB;EACxD;AAGA,MAAI,CAAC,QAAQ,sBAAsB,CAAC,QAAQ,KAAK;AAC/C,WAAO;MACL,eAAe;MACf,OAAO;IACT;EACF;AAEA,SAAO,EAAE,eAAe,MAAM,QAAQ;AACxC;AAKO,SAAS,mBACd,YACe;AACf,MAAI,CAAC,YAAY,WAAW,SAAS,EAAG,QAAO;AAC/C,SAAO,WAAW,MAAM,CAAC;AAC3B;AC/FA,IAAM,qBAAqBF,iBAAE,OAAO;EAClC,OAAOA,iBAAE,KAAK,CAAC,gBAAgB,MAAM,CAAC,EAAE,QAAQ,cAAc;EAC9D,SAASA,iBAAE,KAAK,CAAC,eAAe,WAAW,MAAM,CAAC,EAAE,QAAQ,SAAS;EACrE,cAAcA,iBAAE,OAAO,EAAE,QAAQ,oBAAoB;AACvD,CAAC;AAED,IAAM,2BAA2BA,iBAAE,OAAO;EACxC,aAAaA,iBAAE,KAAK,CAAC,eAAe,UAAU,MAAM,CAAC,EAAE,QAAQ,aAAa;EAC5E,UAAUA,iBAAE,KAAK,CAAC,cAAc,WAAW,MAAM,CAAC,EAAE,QAAQ,MAAM;AACpE,CAAC;AAED,IAAM,sBAAsBA,iBAAE,OAAO;EACnC,SAASA,iBAAE,KAAK,CAAC,eAAe,MAAM,CAAC,EAAE,QAAQ,aAAa;EAC9D,WAAWA,iBAAE,OAAO,EAAE,QAAQ,IAAI;AACpC,CAAC;AAED,IAAM,iBAAiBA,iBAAE,OAAO;EAC9B,UAAUA,iBAAE,OAAO,EAAE,IAAI;EACzB,QAAQA,iBAAE,OAAO,EAAE,QAAQ,SAAS;EACpC,MAAM,mBAAmB,QAAQ,CAAC,CAAC;EACnC,YAAY,yBAAyB,QAAQ,CAAC,CAAC;EAC/C,OAAO,oBAAoB,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,IAAM,aAAaA,iBAAE,OAAO;EAC1B,SAASA,iBAAE,MAAMA,iBAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AACzC,CAAC;AAED,IAAM,cAAcA,iBAAE,OAAO;EAC3B,WAAWA,iBAAE,MAAMA,iBAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;EACzC,YAAYA,iBAAE,MAAMA,iBAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC5C,CAAC;AAED,IAAM,mBAAmBA,iBAAE,OAAO;EAChC,QAAQA,iBAAE,OAAO;AACnB,CAAC;AAEM,IAAM,wBAAwBA,iBAAE,OAAO;EAC5C,SAASA,iBAAE,OAAO;IAChB,IAAIA,iBACD,OAAO,EACP;MACC;MACA;IACF;IACF,MAAMA,iBAAE,OAAO;IACf,SAASA,iBAAE,OAAO;EACpB,CAAC;EACD,UAAU;EACV,cAAcA,iBAAE,MAAM,gBAAgB,EAAE,QAAQ,CAAC,CAAC;EAClD,QAAQ,YAAY,QAAQ,CAAC,CAAC;EAC9B,MAAM,WAAW,QAAQ,CAAC,CAAC;AAC7B,CAAC;AASM,SAAS,cAAc,aAI5B;AAGA,MAAI;AAEF,UAAM,OAAO,KAAK,MAAM,WAAW;AACnC,WAAO,qBAAqB,IAAI;EAClC,QAAQ;AACN,WAAO;MACL,IAAI;MACJ,QAAQ;QACN;MACF;IACF;EACF;AACF;AAKO,SAAS,qBAAqB,MAInC;AACA,QAAM,SAAS,sBAAsB,UAAU,IAAI;AACnD,MAAI,O
AAO,SAAS;AAClB,WAAO,EAAE,IAAI,MAAM,UAAU,OAAO,KAAK;EAC3C;AACA,QAAM,SAAS,OAAO,MAAM,OAAO;IACjC,CAAC,MAAM,GAAG,EAAE,KAAK,KAAK,GAAG,CAAC,KAAK,EAAE,OAAO;EAC1C;AACA,SAAO,EAAE,IAAI,OAAO,OAAO;AAC7B;AAOO,SAAS,yBACd,WACA,aACA,SACQ;AACR,SAAO;;;;SAIA,SAAS;WACP,WAAW;;;;;eAKP,OAAO;;;;;;;;;;;;;;;;;;;;;WAqBX,SAAS;;;;;;;;AAQpB;AAeA,eAAsB,sBACpB,SACA,MACyB;AACzB,QAAM,UAAU,MAAM,WAAW;AACjC,QAAM,UAA0B,CAAC;AAEjC,QAAM,UAAkC;IACtC,gBAAgB;EAClB;AACA,MAAI,MAAM,OAAO;AACf,YAAQ,eAAe,IAAI,UAAU,KAAK,KAAK;EACjD;AAGA,UAAQ;IACN,MAAM,cAAc,OAAO,GAAG,OAAO,WAAW;MAC9C;MACA,UAAU,CAAC,SAAS;AAClB,YAAI,CAAC,KAAK,OAAQ,QAAO;AACzB,YAAI,CAAC,KAAK,QAAS,QAAO;AAC1B,eAAO;MACT;IACF,CAAC;EACH;AAGA,UAAQ;IACN,MAAM,cAAc,OAAO,GAAG,OAAO,0BAA0B;MAC7D;MACA;MACA,UAAU,CAAC,SAAS;AAClB,cAAM,OAAO,KAAK,QAAQ;AAC1B,YAAI,CAAC,MAAM,QAAQ,IAAI,EAAG,QAAO;AACjC,eAAO;MACT;IACF,CAAC;EACH;AAGA,UAAQ;IACN,MAAM,cAAc,QAAQ,GAAG,OAAO,2BAA2B;MAC/D;MACA;MACA,MAAM,KAAK,UAAU;QACnB,IAAI;QACJ,MAAM;QACN,WAAW;QACX,SAAS;QACT,YAAW,oBAAI,KAAK,GAAE,YAAY;QAClC,MAAM,CAAC;QACP,gBAAgB;QAChB,WAAW;MACb,CAAC;;MAED,gBAAgB,CAAC,KAAK,KAAK,GAAG;MAC9B,UAAU,MAAM;IAClB,CAAC;EACH;AAGA,UAAQ;IACN,MAAM,cAAc,QAAQ,GAAG,OAAO,4BAA4B;MAChE;MACA;MACA,MAAM,KAAK,UAAU;QACnB,IAAI;QACJ,MAAM;QACN,MAAM;MACR,CAAC;MACD,gBAAgB,CAAC,KAAK,KAAK,KAAK,KAAK,KAAK,GAAG;MAC7C,UAAU,MAAM;IAClB,CAAC;EACH;AAEA,SAAO;AACT;AAEA,eAAe,cACb,QACA,KACA,MAOuB;AACvB,QAAM,QAAQ,KAAK,IAAI;AACvB,QAAM,eAAe,IAAI,IAAI,GAAG,EAAE;AAElC,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,KAAK;MAC3B;MACA,SAAS,KAAK;MACd,MAAM,KAAK;MACX,QAAQ,YAAY,QAAQ,KAAK,OAAO;IAC1C,CAAC;AAED,UAAM,YAAY,KAAK,IAAI,IAAI;AAC/B,UAAM,aAAa,KAAK,kBAAkB,CAAC,GAAG;AAE9C,QAAI,CAAC,WAAW,SAAS,IAAI,MAAM,GAAG;AAEpC,UAAI,IAAI,WAAW,KAAK;AACtB,eAAO;UACL,UAAU,GAAG,MAAM,IAAI,YAAY;UACnC,QAAQ;UACR,SAAS;UACT;QACF;MACF;AACA,aAAO;QACL,UAAU,GAAG,MAAM,IAAI,YAAY;QACnC,QAAQ;QACR,SAAS,QAAQ,IAAI,MAAM;QAC3B;MACF;IACF;AAEA,QAAI,OAAY,CAAC;AACjB,QAAI;AACF,aAAO,MAAM,IAAI,KAAK;IACxB,QAAQ;IAER;AAEA,UAAM,QAAQ,KAAK,SAAS,IAAI;AAChC,QAAI,OAAO;AACT,aAAO;QACL,UAAU,GAAG,MAAM,IAAI,YAAY;QACnC,QAAQ;QACR,SAAS;QACT
;MACF;IACF;AAEA,WAAO;MACL,UAAU,GAAG,MAAM,IAAI,YAAY;MACnC,QAAQ;MACR,SAAS,GAAG,IAAI,MAAM;MACtB;IACF;EACF,SAAS,KAAK;AACZ,UAAM,YAAY,KAAK,IAAI,IAAI;AAC/B,UAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,QAAI,IAAI,SAAS,SAAS,KAAK,IAAI,SAAS,OAAO,GAAG;AACpD,aAAO;QACL,UAAU,GAAG,MAAM,IAAI,YAAY;QACnC,QAAQ;QACR,SAAS,YAAY,KAAK,OAAO;QACjC;MACF;IACF;AACA,WAAO;MACL,UAAU,GAAG,MAAM,IAAI,YAAY;MACnC,QAAQ;MACR,SAAS;MACT;IACF;EACF;AACF;","names":["createHmac","timingSafeEqual","log","createLogger","defineTool","z","createHmac","timingSafeEqual"]}
|
|
@@ -97,7 +97,7 @@ import {
|
|
|
97
97
|
webFetchTool,
|
|
98
98
|
webSearchTool,
|
|
99
99
|
withWorkspace
|
|
100
|
-
} from "./chunk-
|
|
100
|
+
} from "./chunk-3AYD5ONW.js";
|
|
101
101
|
import {
|
|
102
102
|
beginTransactionTool,
|
|
103
103
|
commitTransactionTool,
|
|
@@ -243,4 +243,4 @@ export {
|
|
|
243
243
|
webSearchTool,
|
|
244
244
|
withWorkspace
|
|
245
245
|
};
|
|
246
|
-
//# sourceMappingURL=dist-
|
|
246
|
+
//# sourceMappingURL=dist-7AIEUUFF.js.map
|
|
@@ -19,8 +19,8 @@ import {
|
|
|
19
19
|
optimizeTeamComposition,
|
|
20
20
|
recordOutcome,
|
|
21
21
|
resolveCanonicalName
|
|
22
|
-
} from "./chunk-
|
|
23
|
-
import "./chunk-
|
|
22
|
+
} from "./chunk-CZILJ33T.js";
|
|
23
|
+
import "./chunk-52Q6CE4Y.js";
|
|
24
24
|
import "./chunk-E7XO6BH5.js";
|
|
25
25
|
import "./chunk-SQAR52C3.js";
|
|
26
26
|
import "./chunk-RBN7ACDW.js";
|
|
@@ -43,4 +43,4 @@ export {
|
|
|
43
43
|
recordOutcome,
|
|
44
44
|
resolveCanonicalName
|
|
45
45
|
};
|
|
46
|
-
//# sourceMappingURL=dist-
|
|
46
|
+
//# sourceMappingURL=dist-DCJYPRUZ.js.map
|
|
@@ -16,8 +16,8 @@ import {
|
|
|
16
16
|
optimizeTeamComposition,
|
|
17
17
|
recordOutcome,
|
|
18
18
|
resolveCanonicalName
|
|
19
|
-
} from "./chunk-
|
|
20
|
-
import "./chunk-
|
|
19
|
+
} from "./chunk-6WGHIUWX.js";
|
|
20
|
+
import "./chunk-DJ7WG6GZ.js";
|
|
21
21
|
import "./chunk-KE4QKEOM.js";
|
|
22
22
|
import "./chunk-FYJECSUZ.js";
|
|
23
23
|
import "./chunk-PLDDJCW6.js";
|
|
@@ -40,4 +40,4 @@ export {
|
|
|
40
40
|
recordOutcome,
|
|
41
41
|
resolveCanonicalName
|
|
42
42
|
};
|
|
43
|
-
//# sourceMappingURL=dist-
|
|
43
|
+
//# sourceMappingURL=dist-DXQQF55Y.js.map
|