@cdoing/core 0.1.0

package/dist/oauth.js

@@ -0,0 +1,312 @@
+"use strict";
+/**
+ * OAuth 2.0 (PKCE) for Claude — Shared Core Module
+ *
+ * All credential storage, token management, and OAuth flow logic lives here.
+ * Both CLI and VS Code extension import from this module.
+ *
+ * Credential storage:
+ *  - macOS: encrypted Keychain via `security` CLI
+ *  - Linux: libsecret via `secret-tool` if available, else file fallback
+ *  - Windows: Windows Credential Manager via `cmdkey`, else file fallback
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.saveOAuthTokens = saveOAuthTokens;
+exports.loadOAuthTokens = loadOAuthTokens;
+exports.clearOAuthTokens = clearOAuthTokens;
+exports.isOAuthExpired = isOAuthExpired;
+exports.refreshAccessToken = refreshAccessToken;
+exports.resolveOAuthToken = resolveOAuthToken;
+exports.generateOAuthUrl = generateOAuthUrl;
+exports.exchangeOAuthCode = exchangeOAuthCode;
+exports.getOAuthStatus = getOAuthStatus;
+const crypto = __importStar(require("crypto"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const child_process_1 = require("child_process");
+const CONFIG_DIR = path.join(os.homedir(), ".cdoing");
+const KEYCHAIN_SERVICE = "cdoing-agent";
+const KEYCHAIN_ACCOUNT = "oauth-tokens";
+// Claude OAuth endpoints (matching Claude Code CLI)
+const CLAUDE_AUTH_URL = "https://claude.ai/oauth/authorize";
+const CLAUDE_TOKEN_URL = "https://console.anthropic.com/v1/oauth/token";
+const CLAUDE_REDIRECT_URI = "https://console.anthropic.com/oauth/code/callback";
+const CLAUDE_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+const SCOPES = "org:create_api_key user:profile user:inference";
+// ── PKCE helpers ─────────────────────────────────────────
+function generateCodeVerifier() {
+    return crypto.randomBytes(32).toString("base64url");
+}
+function generateCodeChallenge(verifier) {
+    return crypto.createHash("sha256").update(verifier).digest("base64url");
+}
+// ── Secure credential storage ────────────────────────────
+function storeSecret(value) {
+    const platform = process.platform;
+    try {
+        if (platform === "darwin") {
+            try {
+                (0, child_process_1.execSync)(`security delete-generic-password -s "${KEYCHAIN_SERVICE}" -a "${KEYCHAIN_ACCOUNT}" 2>/dev/null`, { stdio: "ignore" });
+            }
+            catch { }
+            (0, child_process_1.execSync)(`security add-generic-password -s "${KEYCHAIN_SERVICE}" -a "${KEYCHAIN_ACCOUNT}" -w "${value.replace(/"/g, '\\"')}" -U`, { stdio: "ignore" });
+            return;
+        }
+        if (platform === "linux") {
+            try {
+                (0, child_process_1.execSync)(`echo -n "${value.replace(/"/g, '\\"')}" | secret-tool store --label="Cdoing Agent OAuth" service "${KEYCHAIN_SERVICE}" account "${KEYCHAIN_ACCOUNT}"`, { stdio: "ignore" });
+                return;
+            }
+            catch { }
+        }
+        if (platform === "win32") {
+            try {
+                (0, child_process_1.execSync)(`cmdkey /generic:"${KEYCHAIN_SERVICE}" /user:"${KEYCHAIN_ACCOUNT}" /pass:"${value.replace(/"/g, '""')}"`, { stdio: "ignore" });
+                return;
+            }
+            catch { }
+        }
+    }
+    catch { }
+    storeSecretToFile(value);
+}
+function loadSecret() {
+    const platform = process.platform;
+    try {
+        if (platform === "darwin") {
+            const result = (0, child_process_1.execSync)(`security find-generic-password -s "${KEYCHAIN_SERVICE}" -a "${KEYCHAIN_ACCOUNT}" -w 2>/dev/null`, { encoding: "utf-8" });
+            return result.trim();
+        }
+        if (platform === "linux") {
+            try {
+                const result = (0, child_process_1.execSync)(`secret-tool lookup service "${KEYCHAIN_SERVICE}" account "${KEYCHAIN_ACCOUNT}" 2>/dev/null`, { encoding: "utf-8" });
+                return result.trim() || null;
+            }
+            catch { }
+        }
+        if (platform === "win32") {
+            try {
+                const result = (0, child_process_1.execSync)(`cmdkey /list:"${KEYCHAIN_SERVICE}"`, { encoding: "utf-8" });
+                if (result.includes(KEYCHAIN_SERVICE)) {
+                    return loadSecretFromFile();
+                }
+            }
+            catch { }
+        }
+    }
+    catch { }
+    return loadSecretFromFile();
+}
+function deleteSecret() {
+    const platform = process.platform;
+    try {
+        if (platform === "darwin") {
+            (0, child_process_1.execSync)(`security delete-generic-password -s "${KEYCHAIN_SERVICE}" -a "${KEYCHAIN_ACCOUNT}" 2>/dev/null`, { stdio: "ignore" });
+        }
+        else if (platform === "linux") {
+            (0, child_process_1.execSync)(`secret-tool clear service "${KEYCHAIN_SERVICE}" account "${KEYCHAIN_ACCOUNT}" 2>/dev/null`, { stdio: "ignore" });
+        }
+        else if (platform === "win32") {
+            (0, child_process_1.execSync)(`cmdkey /delete:"${KEYCHAIN_SERVICE}" 2>nul`, { stdio: "ignore" });
+        }
+    }
+    catch { }
+    deleteSecretFile();
+}
+// ── File-based fallback (AES-256-CBC) ────────────────────
+function deriveFileKey() {
+    const machineId = os.hostname() + os.userInfo().username;
+    return crypto.createHash("sha256").update(machineId).digest();
+}
+function getSecretFilePath() {
+    return path.join(CONFIG_DIR, ".oauth-tokens.enc");
+}
+function storeSecretToFile(value) {
+    if (!fs.existsSync(CONFIG_DIR))
+        fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    const key = deriveFileKey();
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
+    let encrypted = cipher.update(value, "utf-8", "hex");
+    encrypted += cipher.final("hex");
+    fs.writeFileSync(getSecretFilePath(), iv.toString("hex") + ":" + encrypted, { mode: 0o600 });
+}
+function loadSecretFromFile() {
+    try {
+        const filePath = getSecretFilePath();
+        if (!fs.existsSync(filePath))
+            return null;
+        const raw = fs.readFileSync(filePath, "utf-8");
+        const [ivHex, encrypted] = raw.split(":");
+        if (!ivHex || !encrypted)
+            return null;
+        const key = deriveFileKey();
+        const decipher = crypto.createDecipheriv("aes-256-cbc", key, Buffer.from(ivHex, "hex"));
+        let decrypted = decipher.update(encrypted, "hex", "utf-8");
+        decrypted += decipher.final("utf-8");
+        return decrypted;
+    }
+    catch {
+        return null;
+    }
+}
+function deleteSecretFile() {
+    try {
+        const filePath = getSecretFilePath();
+        if (fs.existsSync(filePath))
+            fs.unlinkSync(filePath);
+    }
+    catch { }
+}
+// ── Token storage ────────────────────────────────────────
+function saveOAuthTokens(tokens) {
+    storeSecret(JSON.stringify({ ...tokens, saved_at: Date.now() }));
+}
+function loadOAuthTokens() {
+    const raw = loadSecret();
+    if (!raw)
+        return null;
+    try {
+        const parsed = JSON.parse(raw);
+        return parsed.access_token ? parsed : null;
+    }
+    catch {
+        return null;
+    }
+}
+function clearOAuthTokens() {
+    deleteSecret();
+}
+function isOAuthExpired(tokens) {
+    if (!tokens.expires_at)
+        return false;
+    return Date.now() >= tokens.expires_at;
+}
+// ── Token refresh ────────────────────────────────────────
+async function refreshAccessToken(refreshToken) {
+    try {
+        const response = await fetch(CLAUDE_TOKEN_URL, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({
+                grant_type: "refresh_token",
+                refresh_token: refreshToken,
+                client_id: CLAUDE_CLIENT_ID,
+            }).toString(),
+        });
+        if (!response.ok)
+            return null;
+        const data = (await response.json());
+        const tokens = {
+            access_token: data.access_token,
+            refresh_token: data.refresh_token || refreshToken,
+            expires_at: data.expires_in ? Date.now() + data.expires_in * 1000 : undefined,
+            token_type: data.token_type || "Bearer",
+        };
+        saveOAuthTokens(tokens);
+        return tokens;
+    }
+    catch {
+        return null;
+    }
+}
+// ── Resolve token (with auto-refresh) ────────────────────
+async function resolveOAuthToken() {
+    const tokens = loadOAuthTokens();
+    if (!tokens)
+        return null;
+    if (isOAuthExpired(tokens) && tokens.refresh_token) {
+        const refreshed = await refreshAccessToken(tokens.refresh_token);
+        return refreshed ? refreshed.access_token : null;
+    }
+    return tokens.access_token;
+}
+// ── OAuth URL generation ─────────────────────────────────
+function generateOAuthUrl() {
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = generateCodeChallenge(codeVerifier);
+    const params = new URLSearchParams({
+        code: "true",
+        client_id: CLAUDE_CLIENT_ID,
+        response_type: "code",
+        redirect_uri: CLAUDE_REDIRECT_URI,
+        scope: SCOPES,
+        code_challenge: codeChallenge,
+        code_challenge_method: "S256",
+        state: codeVerifier,
+    });
+    return { url: `${CLAUDE_AUTH_URL}?${params.toString()}`, codeVerifier };
+}
+// ── Code exchange ────────────────────────────────────────
+async function exchangeOAuthCode(code, codeVerifier) {
+    const splits = code.split("#");
+    const response = await fetch(CLAUDE_TOKEN_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+            code: splits[0],
+            state: splits[1] || codeVerifier,
+            grant_type: "authorization_code",
+            client_id: CLAUDE_CLIENT_ID,
+            redirect_uri: CLAUDE_REDIRECT_URI,
+            code_verifier: codeVerifier,
+        }),
+    });
+    if (!response.ok) {
+        const errText = await response.text();
+        throw new Error(`Token exchange failed (${response.status}): ${errText.substring(0, 200)}`);
+    }
+    const data = (await response.json());
+    const tokens = {
+        access_token: data.access_token,
+        refresh_token: data.refresh_token,
+        expires_at: data.expires_in ? Date.now() + data.expires_in * 1000 : undefined,
+        token_type: data.token_type || "Bearer",
+    };
+    saveOAuthTokens(tokens);
+    return tokens;
+}
+// ── Status helper ────────────────────────────────────────
+function getOAuthStatus() {
+    const tokens = loadOAuthTokens();
+    if (!tokens)
+        return { status: "none" };
+    if (isOAuthExpired(tokens))
+        return { status: "expired", expiresAt: tokens.expires_at };
+    return { status: "active", expiresAt: tokens.expires_at };
+}
+//# sourceMappingURL=oauth.js.map

package/dist/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6LH,0CAEC;AAED,0CASC;AAED,4CAEC;AAED,wCAGC;AAID,gDA2BC;AAID,8CAUC;AAID,4CAgBC;AAID,8CA8BC;AAID,wCAKC;AA7TD,+CAAiC;AACjC,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AACzB,iDAAyC;AAEzC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;AACtD,MAAM,gBAAgB,GAAG,cAAc,CAAC;AACxC,MAAM,gBAAgB,GAAG,cAAc,CAAC;AAExC,oDAAoD;AACpD,MAAM,eAAe,GAAG,mCAAmC,CAAC;AAC5D,MAAM,gBAAgB,GAAG,8CAA8C,CAAC;AACxE,MAAM,mBAAmB,GAAG,mDAAmD,CAAC;AAChF,MAAM,gBAAgB,GAAG,sCAAsC,CAAC;AAChE,MAAM,MAAM,GAAG,gDAAgD,CAAC;AAWhE,4DAA4D;AAE5D,SAAS,oBAAoB;IAC3B,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAgB;IAC7C,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AAC1E,CAAC;AAED,4DAA4D;AAE5D,SAAS,WAAW,CAAC,KAAa;IAChC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAElC,IAAI,CAAC;QACH,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACH,IAAA,wBAAQ,EACN,wCAAwC,gBAAgB,SAAS,gBAAgB,eAAe,EAChG,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;YACV,IAAA,wBAAQ,EACN,qCAAqC,gBAAgB,SAAS,gBAAgB,SAAS,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,EACvH,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,IAAA,wBAAQ,EACN,YAAY,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,+DAA+D,gBAAgB,cAAc,gBAAgB,GAAG,EACtJ,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;gBACF,OAAO;YACT,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACZ,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,IAAA,wBAAQ,EACN,oBAAoB,gBAAgB,YAAY,gBAAgB,YAAY,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,EACxG,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;gBACF,OAAO;YACT,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACZ,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IAEV,iBAAiB,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,UAAU;IACjB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAElC,IAAI,CAAC;QACH,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,IAAA,wBAAQ,EACrB,sCAAsC,gBAAgB,SAAS,gBAAgB,kBAAkB,EACjG,EAAE,QAAQ,EAAE,OAAO,EAAE,CACtB,CAAC;YACF,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;QACvB,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAA,wBAAQ,EACrB,+BAA+B,gBAAgB,cAAc,gBAAgB,eAAe,EAC5F,EAAE,QAAQ,EAAE,OAAO,EAAE,CACtB,CAAC;gBACF,OAAO,MAAM,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACZ,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAA,wBAAQ,EACrB,iBAAiB,gBAAgB,GAAG,EACpC,EAAE,QAAQ,EAAE,OAAO,EAAE,CACtB,CAAC;gBACF,IAAI,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;oBACtC,OAAO,kBAAkB,EAAE,CAAC;gBAC9B,CAAC;YACH,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACZ,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IAEV,OAAO,kBAAkB,EAAE,CAAC;AAC9B,CAAC;AAED,SAAS,YAAY;IACnB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAElC,IAAI,CAAC;QACH,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,IAAA,wBAAQ,EACN,wCAAwC,gBAAgB,SAAS,gBAAgB,eAAe,EAChG,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;QACJ,CAAC;aAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YAChC,IAAA,wBAAQ,EACN,8BAA8B,gBAAgB,cAAc,gBAAgB,eAAe,EAC3F,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;QACJ,CAAC;aAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YAChC,IAAA,wBAAQ,EAAC,mBAAmB,gBAAgB,SAAS,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IAEV,gBAAgB,EAAE,CAAC;AACrB,CAAC;AAED,4DAA4D;AAE5D,SAAS,aAAa;IACpB,MAAM,SAAS,GAAG,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC;IACzD,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;AAChE,CAAC;AAED,SAAS,iBAAiB;IACxB,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,mBAAmB,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAa;IACtC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9E,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;IAC5B,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IACrD,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACjC,EAAE,CAAC,aAAa,CAAC,iBAAiB,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,GAAG,GAAG,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AAC/F,CAAC;AAED,SAAS,kBAAkB;IACzB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,iBAAiB,EAAE,CAAC;QACrC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAC;QAC1C,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC/C,MAAM,CAAC,KAAK,EAAE,SAAS,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC1C,IAAI,CAAC,KAAK,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QACtC,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;QACxF,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;QAC3D,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB;IACvB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,iBAAiB,EAAE,CAAC;QACrC,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;AACZ,CAAC;AAED,4DAA4D;AAE5D,SAAgB,eAAe,CAAC,MAAmB;IACjD,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,SAAgB,eAAe;IAC7B,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;IACzB,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAgB,CAAC;QAC9C,OAAO,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAgB,gBAAgB;IAC9B,YAAY,EAAE,CAAC;AACjB,CAAC;AAED,SAAgB,cAAc,CAAC,MAAmB;IAChD,IAAI,CAAC,MAAM,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IACrC,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,UAAU,CAAC;AACzC,CAAC;AAED,4DAA4D;AAErD,KAAK,UAAU,kBAAkB,CAAC,YAAoB;IAC3D,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,EAAE;YAC7C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,UAAU,EAAE,eAAe;gBAC3B,aAAa,EAAE,YAAY;gBAC3B,SAAS,EAAE,gBAAgB;aAC5B,CAAC,CAAC,QAAQ,EAAE;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAE9B,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;QAChE,MAAM,MAAM,GAAgB;YAC1B,YAAY,EAAE,IAAI,CAAC,YAAsB;YACzC,aAAa,EAAG,IAAI,CAAC,aAAwB,IAAI,YAAY;YAC7D,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAI,IAAI,CAAC,UAAqB,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS;YACzF,UAAU,EAAG,IAAI,CAAC,UAAqB,IAAI,QAAQ;SACpD,CAAC;QAEF,eAAe,CAAC,MAAM,CAAC,CAAC;QACxB,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,4DAA4D;AAErD,KAAK,UAAU,iBAAiB;IACrC,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IACjC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,IAAI,cAAc,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACnD,MAAM,SAAS,GAAG,MAAM,kBAAkB,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QACjE,OAAO,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC;IACnD,CAAC;IAED,OAAO,MAAM,CAAC,YAAY,CAAC;AAC7B,CAAC;AAED,4DAA4D;AAE5D,SAAgB,gBAAgB;IAC9B,MAAM,YAAY,GAAG,oBAAoB,EAAE,CAAC;IAC5C,MAAM,aAAa,GAAG,qBAAqB,CAAC,YAAY,CAAC,CAAC;IAE1D,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,IAAI,EAAE,MAAM;QACZ,SAAS,EAAE,gBAAgB;QAC3B,aAAa,EAAE,MAAM;QACrB,YAAY,EAAE,mBAAmB;QACjC,KAAK,EAAE,MAAM;QACb,cAAc,EAAE,aAAa;QAC7B,qBAAqB,EAAE,MAAM;QAC7B,KAAK,EAAE,YAAY;KACpB,CAAC,CAAC;IAEH,OAAO,EAAE,GAAG,EAAE,GAAG,eAAe,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,EAAE,YAAY,EAAE,CAAC;AAC1E,CAAC;AAED,4DAA4D;AAErD,KAAK,UAAU,iBAAiB,CAAC,IAAY,EAAE,YAAoB;IACxE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,EAAE;QAC7C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;YACf,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,YAAY;YAChC,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,gBAAgB;YAC3B,YAAY,EAAE,mBAAmB;YACjC,aAAa,EAAE,YAAY;SAC5B,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,MAAM,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IAC9F,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;IAChE,MAAM,MAAM,GAAgB;QAC1B,YAAY,EAAE,IAAI,CAAC,YAAsB;QACzC,aAAa,EAAE,IAAI,CAAC,aAAmC;QACvD,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAI,IAAI,CAAC,UAAqB,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS;QACzF,UAAU,EAAG,IAAI,CAAC,UAAqB,IAAI,QAAQ;KACpD,CAAC;IAEF,eAAe,CAAC,MAAM,CAAC,CAAC;IACxB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,4DAA4D;AAE5D,SAAgB,cAAc;IAC5B,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IACjC,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IACvC,IAAI,cAAc,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC;IACvF,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC;AAC5D,CAAC"}

package/dist/permissions/index.d.ts

@@ -0,0 +1,216 @@
+/**
+ * Permission Manager
+ *
+ * Implements the Claude Code permission system:
+ *   - Settings-based allow/ask/deny rules loaded from .claude/settings.json files
+ *   - Permission modes: default, acceptEdits, plan, dontAsk, bypassPermissions
+ *   - Rule evaluation order: deny → ask → allow (deny always wins)
+ *   - Rule syntax: Tool, Tool(*), Bash(cmd *), Read(path), WebFetch(domain:x), Agent(name)
+ *   - Settings precedence: local project → shared project → user (~/.claude/settings.json)
+ *
+ * Also supports legacy runtime stored rules (allow once / always / project).
+ *
+ * Backward compatible: legacy ASK / AUTO_EDIT / AUTO modes still accepted.
+ */
+import type { ToolDefinition } from "../tools/types";
+import type { SandboxManager } from "../sandbox";
+/** A stored runtime permission rule (session / legacy format) */
+export interface PermissionRule {
+    tool: string;
+    /** Optional: match only when this input value matches */
+    inputMatch?: string;
+    createdAt: string;
+}
+export type PermissionScope = "global" | "project";
+/**
+ * Permission modes as defined in Claude Code docs.
+ * Legacy aliases (ask / auto-edit / auto) are kept for backward compatibility.
+ */
+export declare enum PermissionMode {
+    DEFAULT = "default",// prompt on first use of each tool
+    ACCEPT_EDITS = "acceptEdits",// auto-approve file edits, ask for shell
+    PLAN = "plan",// read-only: block write + exec tools
+    DONT_ASK = "dontAsk",// deny all unless explicitly allowed
+    BYPASS = "bypassPermissions",// skip all permission checks
+    ASK = "ask",// → DEFAULT
+    AUTO_EDIT = "auto-edit",// → ACCEPT_EDITS
+    AUTO = "auto"
+}
+export type PermissionPromptFn = (toolName: string, message: string, hasProject: boolean) => Promise<"allow" | "always" | "project" | "deny" | "deny_always" | "deny_project">;
+/** Managed-only settings that cannot be overridden */
+interface ManagedOnlySettings {
+    disableBypassPermissionsMode?: "disable" | string;
+    allowManagedPermissionRulesOnly?: boolean;
+    allowManagedHooksOnly?: boolean;
+    allowManagedMcpServersOnly?: boolean;
+}
+export declare class PermissionManager {
+    private mode;
+    private projectDir;
+    private cwd;
+    private customPromptFn;
+    private sandboxManager;
+    private globalRules;
+    private projectRules;
+    /**
+     * Session-only approvals for file-modification tools (file_write, file_edit).
+     * Per the tiered permission table: "Until session end" — not written to disk.
+     * Key = toolName (no specifier needed; file edit approvals cover all paths).
+     */
+    private sessionApprovals;
+    private settingsAllow;
+    private settingsAsk;
+    private settingsDeny;
+    private managedSettings;
+    private managedAllow;
+    private managedAsk;
+    private managedDeny;
+    constructor(mode?: PermissionMode, projectDir?: string);
+    /**
+     * Load managed settings from system-level config.
+     * Managed settings have the highest priority and cannot be overridden.
+     *
+     * Paths:
+     *   macOS: /Library/Application Support/cdoing/managed-settings.json
+     *   Linux: /etc/cdoing/managed-settings.json
+     */
+    private loadManagedSettings;
+    /** Collapse legacy aliases into canonical mode values. */
+    private normalizeMode;
+    /**
+     * Read `defaultMode` from settings files (local → shared → user).
+     * Higher-precedence files win. Returns null if no file sets it.
+     */
+    private readDefaultModeFromSettings;
+    setPromptFn(fn: PermissionPromptFn): void;
+    setSandboxManager(sm: SandboxManager): void;
+    setMode(mode: PermissionMode): void;
+    getMode(): PermissionMode;
+    /**
+     * Check whether a specific file path is denied by settings rules for a given category.
+     * Used by shell_exec to check extracted paths against Read/Edit/Delete rules.
+     *
+     * Returns "deny" if a deny rule matches the path for the given category.
+     * Returns null otherwise (no deny found — the command can proceed through normal permission flow).
+     */
+    checkPathPermission(filePath: string, category: "Read" | "Edit" | "Delete"): "deny" | null;
+    /** Check whether a file path matches any ask rule for the given category. */
+    private pathMatchesAsk;
+    setProjectDir(dir: string): void;
+    /**
+     * Load and merge permission rules from settings files.
+     *
+     * Precedence (highest to lowest, docs order):
+     *   1. Local project  — <project>/.claude/settings.local.json  (highest)
+     *   2. Shared project — <project>/.claude/settings.json
+     *   3. User           — ~/.claude/settings.json                 (lowest)
+     *
+     * Rule evaluation uses "first match wins", so higher-precedence rules are
+     * stored at the front of the allow/ask arrays.
+     *
+     * Deny rules from ALL sources are merged — a deny at any level cannot be
+     * overridden by an allow at any other level.
+     */
+    loadSettingsRules(): void;
+    /** Return the currently loaded settings rules (for display / debugging). */
+    getSettingsRules(): {
+        allow: string[];
+        ask: string[];
+        deny: string[];
+    };
+    /**
+     * Test whether a settings rule string covers a specific tool invocation.
+     */
+    private matchesRule;
+    /**
+     * Evaluate all settings rules for a tool call.
+     *
+     * Evaluation order per docs: deny → ask → allow.
+     *   - deny wins over everything.
+     *   - ask overrides allow (lets you "ask for rm *" even when "allow Bash").
+     *   - allow auto-approves when no deny/ask rule matched.
+     * Returns null when no rule matches (fall back to mode behaviour).
+     */
+    private evaluateRules;
+    /**
+     * Determine whether a tool call is allowed.
+     *
+     * Decision flow:
+     *   1. bypassPermissions mode → allow all.
+     *   2. Tools that never require permission → allow.
+     *   3. Settings deny rule matches → deny.
+     *   4. Settings ask rule matches → prompt user (overrides stored/allow).
+     *   5. Settings allow rule matches → allow.
+     *   6. Session-only approval exists (file-edit tools) → allow.
+     *   7. Runtime stored rule matches (Bash tools, persisted) → allow.
+     *   8. Fall back to mode:
+     *      - plan        → deny write/exec tools.
+     *      - dontAsk     → deny anything not explicitly allowed.
+     *      - acceptEdits → allow file edits; prompt for others.
+     *      - default     → prompt user.
+     */
+    requestPermission(toolDef: ToolDefinition, input: Record<string, unknown>): Promise<boolean>;
+    private getProjectPermissionsFile;
+    private loadRuntimeRules;
+    private loadGlobalRules;
+    private loadProjectRules;
+    private saveGlobalRules;
+    private saveProjectRules;
+    private hasStoredPermission;
+    private addRule;
+    /**
+     * Save a deny rule to settings.json so it persists across sessions.
+     * Creates the .cdoing/ folder and settings.json file if they don't exist.
+     */
+    private addDenyRule;
+    /**
+     * Persist a permission rule to settings.json.
+     *
+     * Writes to:
+     *   - Project scope → <project>/.cdoing/settings.json
+     *   - Global scope  → ~/.cdoing/settings.json
+     */
+    private addToSettingsAllow;
+    /**
+     * Persist a deny rule to settings.json.
+     *
+     * Writes to:
+     *   - Project scope → <project>/.cdoing/settings.json
+     *   - Global scope  → ~/.cdoing/settings.json
+     */
+    private addToSettingsDeny;
+    /**
+     * Persist a permission rule to a specific field (allow/deny/ask) in settings.json.
+     * Creates the directory and file if they don't exist.
+     */
+    private addToSettingsField;
+    /** Check whether bypass mode is disabled by managed settings. */
+    isBypassDisabled(): boolean;
+    /** Return managed-only settings for external inspection. */
+    getManagedSettings(): Readonly<ManagedOnlySettings>;
+    /**
+     * Remove a permission rule from settings.json.
+     * Removes from the specified field (allow/deny/ask) in the given scope.
+     */
+    removeSettingsRule(rule: string, field: "allow" | "deny" | "ask", scope: PermissionScope): void;
+    removeRule(toolName?: string, scope?: PermissionScope): void;
+    getStoredRules(): {
+        global: ReadonlyArray<PermissionRule>;
+        project: ReadonlyArray<PermissionRule>;
+    };
+    private describeAction;
+    /**
+     * Ask the user whether to allow a tool call.
+     *
+     * Options:
+     *   y / Enter → Allow once
+     *   a         → Always allow globally (~/.cdoing/permissions.json)
+     *   p         → Allow for this project (.cdoing/permissions.json)
+     *   n         → Deny
+     *
+     * Uses customPromptFn if set (e.g. VS Code UI), otherwise falls back to CLI readline.
+     */
+    private askUser;
+}
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/permissions/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/permissions/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAMH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAGrD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAwBjD,iEAAiE;AACjE,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,SAAS,CAAC;AAEnD;;;GAGG;AACH,oBAAY,cAAc;IAExB,OAAO,YAAiB,CAAa,mCAAmC;IACxE,YAAY,gBAAgB,CAAS,yCAAyC;IAC9E,IAAI,SAAiB,CAAgB,sCAAsC;IAC3E,QAAQ,YAAgB,CAAa,qCAAqC;IAC1E,MAAM,sBAA4B,CAAG,6BAA6B;IAGlE,GAAG,QAAc,CAAS,YAAY;IACtC,SAAS,cAAc,CAAG,iBAAiB;IAC3C,IAAI,SAAc;CACnB;AAED,MAAM,MAAM,kBAAkB,GAAG,CAC/B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,OAAO,KAChB,OAAO,CAAC,OAAO,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,GAAG,aAAa,GAAG,cAAc,CAAC,CAAC;AAUvF,sDAAsD;AACtD,UAAU,mBAAmB;IAC3B,4BAA4B,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;IAClD,+BAA+B,CAAC,EAAE,OAAO,CAAC;IAC1C,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,0BAA0B,CAAC,EAAE,OAAO,CAAC;CACtC;AA8KD,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,IAAI,CAA2B;IACvC,OAAO,CAAC,UAAU,CAA2B;IAC7C,OAAO,CAAC,GAAG,CAAoB;IAC/B,OAAO,CAAC,cAAc,CAAmC;IACzD,OAAO,CAAC,cAAc,CAA+B;IAGrD,OAAO,CAAC,WAAW,CAAyB;IAC5C,OAAO,CAAC,YAAY,CAAwB;IAE5C;;;;OAIG;IACH,OAAO,CAAC,gBAAgB,CAA0B;IAGlD,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,WAAW,CAAkB;IACrC,OAAO,CAAC,YAAY,CAAiB;IAGrC,OAAO,CAAC,eAAe,CAA2B;IAClD,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,UAAU,CAAkB;IACpC,OAAO,CAAC,WAAW,CAAiB;gBAExB,IAAI,GAAE,cAAuC,EAAE,UAAU,CAAC,EAAE,MAAM;IAmB9E;;;;;;;OAOG;IACH,OAAO,CAAC,mBAAmB;IA4B3B,0DAA0D;IAC1D,OAAO,CAAC,aAAa;IASrB;;;OAGG;IACH,OAAO,CAAC,2BAA2B;IAyBnC,WAAW,CAAC,EAAE,EAAE,kBAAkB,GAAG,IAAI;IAIzC,iBAAiB,CAAC,EAAE,EAAE,cAAc,GAAG,IAAI;IAI3C,OAAO,CAAC,IAAI,EAAE,cAAc,GAAG,IAAI;IAUnC,OAAO,IAAI,cAAc;IAIzB;;;;;;OAMG;IACH,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,QAAQ,GAAG,MAAM,GAAG,IAAI;IAe1F,6EAA6E;IAC7E,OAAO,CAAC,cAAc;IAatB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAYhC;;;;;;;;;;;;;OAaG;IACH,iBAAiB,IAAI,IAAI;IAuCzB,4EAA4E;IAC5E,gBAAgB,IAAI;QAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAAC,GAAG,EAAE,MAAM,EAAE,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE;IAUtE;;OAEG;IACH,OAAO,CAAC,WAAW;IAoDnB;;;;;;;;OAQG;IACH,OAAO,CAAC,aAAa;IAqBrB;;;;;;;;;;;;;;;;OAgBG;IACG,iBAAiB,CACrB,OAAO,EAAE,cAAc,EACvB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B,OAAO,CAAC,OAAO,CAAC;IAiEnB,OAAO,CAAC,yBAAyB;IAKjC,OAAO,CAAC,gBAAgB;IAKxB,OAAO,CAAC,eAAe;IAWvB,OAAO,CAAC,gBAAgB;IAcxB,OAAO,CAAC,eAAe;IAWvB,OAAO,CAAC,gBAAgB;IAQxB,OAAO,CAAC,mBAAmB;IAY3B,OAAO,CAAC,OAAO;IAsBf;;;OAGG;IACH,OAAO,CAAC,WAAW;IAQnB;;;;;;OAMG;IACH,OAAO,CAAC,kBAAkB;IAI1B;;;;;;OAMG;IACH,OAAO,CAAC,iBAAiB;IAIzB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IA+B1B,iEAAiE;IACjE,gBAAgB,IAAI,OAAO;IAI3B,4DAA4D;IAC5D,kBAAkB,IAAI,QAAQ,CAAC,mBAAmB,CAAC;IAInD;;;OAGG;IACH,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,KAAK,EAAE,KAAK,EAAE,eAAe,GAAG,IAAI;IAqB/F,UAAU,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,eAAe,GAAG,IAAI;IAe5D,cAAc,IAAI;QAChB,MAAM,EAAG,aAAa,CAAC,cAAc,CAAC,CAAC;QACvC,OAAO,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;KACxC;IAMD,OAAO,CAAC,cAAc;IAUtB;;;;;;;;;;OAUG;YACW,OAAO;CA8EtB"}