@connexum/ai-governance 1.0.0-beta.21 → 1.0.0-beta.23

package/dist/cli/per-folder-identity.js

@@ -0,0 +1,321 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveGuardedAgentFolder = resolveGuardedAgentFolder;
+exports.buildPerFolderIdentityInputs = buildPerFolderIdentityInputs;
+exports.writePerFolderIdentities = writePerFolderIdentities;
+/**
+ * B1 — Per-folder agent identity writer (per-agent identity-file injection RFC §5).
+ *
+ * Writes each agent's server identity + signed passport into its OWN folder:
+ *   <agent>/.connexum/identity.json   secret (serviceToken); mode 0600; git-ignored
+ *   <agent>/.connexum/passport.json   public verifiable credential (Invariant 4)
+ *
+ * Standalone + side-effect-scoped so it is unit-testable with mocked inputs and does NOT
+ * touch the register-fleet handler in index.ts (held by another workstream). A thin wiring
+ * layer builds PerFolderIdentityInput[] from register-fleet's registered[] + the local scan
+ * and calls writePerFolderIdentities().
+ *
+ * Invariant 2 (advisory, never block): never throws on a write/guard failure — records a
+ * skip + advisory and continues. Malformed existing files are tolerated (Invariant 5 echo).
+ */
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const IDENTITY_SCHEMA_VERSION = '1.0';
+const GITIGNORE_RULE = '**/.connexum/identity.json';
+/** Secret-file fields persisted into <agent>/.connexum/identity.json. */
+const IDENTITY_FIELDS = [
+    'localId', 'agentId', 'passportId', 'installationId', 'orgId',
+    'signingKeyId', 'govServerUrl', 'serviceToken', 'serviceTokenJti',
+    'issuedAt', 'expiresAt',
+];
+/**
+ * SHARED traversal guard (Shield S-W2: the write-back F2 governance-projection
+ * writer must REUSE this guard, never re-implement it). Resolves the agent
+ * folder for a scanned filePath and confirms the REAL path (symlinks followed
+ * — Shield HIGH-1, PR #1707 review) is the project root or a child of it.
+ * realpathSync throws on a not-yet-existing path — there is no symlink to
+ * follow in that case, so falling back to the lexical path is safe.
+ */
+function resolveGuardedAgentFolder(projectDir, filePath) {
+    const projectRoot = path.resolve(projectDir);
+    const realProjectRoot = (() => {
+        try {
+            return fs.realpathSync(projectRoot);
+        }
+        catch {
+            return projectRoot;
+        }
+    })();
+    const folder = path.dirname(path.resolve(projectRoot, filePath));
+    const realFolder = (() => {
+        try {
+            return fs.realpathSync(folder);
+        }
+        catch {
+            return folder;
+        }
+    })();
+    const rel = path.relative(realProjectRoot, realFolder);
+    if (rel.startsWith('..') || path.isAbsolute(rel)) {
+        return { error: 'path-traversal: folder outside project root' };
+    }
+    return { folder };
+}
+/**
+ * Pure Pass-1 wiring helper (identity RFC §5 thin wiring layer): join the
+ * register-fleet `registered[]` entries to the local scan's filePaths and the
+ * A1 fleet-shared response metadata, producing the inputs
+ * writePerFolderIdentities() lands on disk. Entries whose localId has no
+ * local filePath (e.g. server-side adoptions of agents not in this scan) are
+ * dropped — there is no folder to write into.
+ */
+function buildPerFolderIdentityInputs(registered, localRefs, meta, issuedAt) {
+    const filePathByLocalId = new Map(localRefs.map((r) => [r.agentId, r.filePath]));
+    const inputs = [];
+    for (const r of registered) {
+        const localId = r.localId ?? r.agentId;
+        const filePath = filePathByLocalId.get(localId);
+        if (!filePath)
+            continue;
+        inputs.push({
+            localId,
+            agentId: r.agentId,
+            filePath,
+            passportId: r.passportId,
+            // Pass 1 (pre-activation): serviceToken is null by design — delivered at
+            // Pass 2 (sync after Confirm+pay). The field-merge in the writer means a
+            // later Pass-1 re-run can never clobber a delivered token.
+            serviceToken: r.serviceToken,
+            installationId: meta.installationId ?? null,
+            signingKeyId: meta.signingKeyId ?? null,
+            govServerUrl: meta.govServerUrl ?? null,
+            orgId: meta.orgId ?? null,
+            issuedAt,
+        });
+    }
+    return inputs;
+}
+function writePerFolderIdentities(projectDir, inputs, opts = {}) {
+    const warn = opts.warn ?? ((m) => console.warn(m));
+    const result = { written: [], skipped: [] };
+    if (inputs.length === 0)
+        return result;
+    const projectRoot = path.resolve(projectDir);
+    // Pass-2 wiring fix: the writer root is the SCAN root (--agent-dir), which
+    // is usually a SUBDIRECTORY of the repo — `.git` lives at an ancestor. Walk
+    // up so a token write inside a real repo isn't wrongly refused; the
+    // .gitignore rule itself is still written at projectRoot (a nested
+    // .gitignore covers everything beneath it).
+    // Shield #1720 F2: a `.git` directly at the system temp dir or the
+    // filesystem root is a stray (shared-host artifact), not a repo that governs
+    // this project — never let it satisfy the secret-write precondition.
+    const STRAY_GIT_HOLDERS = new Set([os.tmpdir(), path.parse(projectRoot).root]);
+    const isGitRepo = (() => {
+        let dir = projectRoot;
+        for (;;) {
+            if (!STRAY_GIT_HOLDERS.has(dir) && fs.existsSync(path.join(dir, '.git')))
+                return true;
+            const parent = path.dirname(dir);
+            if (parent === dir)
+                return false;
+            dir = parent;
+        }
+    })();
+    for (const input of inputs) {
+        // 1. Traversal guard — the resolved REAL folder must be the project root or a child of it.
+        const guarded = resolveGuardedAgentFolder(projectRoot, input.filePath);
+        if (!guarded.folder) {
+            result.skipped.push({ localId: input.localId, reason: guarded.error ?? 'path-traversal: folder outside project root' });
+            warn(`[connexum] identity skipped for ${input.localId}: resolved folder escapes project root (${input.filePath})`);
+            continue;
+        }
+        const folder = guarded.folder;
+        const hasSecret = input.serviceToken != null && input.serviceToken !== '';
+        // 2. gitignore-first HARD precondition when a bearer token will be written.
+        if (hasSecret) {
+            if (!isGitRepo && !opts.allowNoGit) {
+                result.skipped.push({ localId: input.localId, reason: 'no-git-repo: secret write needs allowNoGit opt-in' });
+                warn(`[connexum] identity skipped for ${input.localId}: project is not a git repo; refusing to write a bearer token without allowNoGit (it would not be git-ignored).`);
+                continue;
+            }
+            if (!ensureGitignoreRule(projectRoot, warn)) {
+                result.skipped.push({ localId: input.localId, reason: 'gitignore-write-failed: aborted before writing secret' });
+                warn(`[connexum] identity skipped for ${input.localId}: could not write .gitignore rule; refusing to write the bearer token (a committed token is worse than none).`);
+                continue;
+            }
+        }
+        else {
+            // Best-effort gitignore on metadata-only (Pass 1) — does not gate the write.
+            ensureGitignoreRule(projectRoot, () => { });
+        }
+        // 3. Write the .connexum/ files (field-merged identity, atomic; public passport).
+        try {
+            const dir = path.join(folder, '.connexum');
+            fs.mkdirSync(dir, { recursive: true });
+            writeIdentityMerged(dir, input);
+            if (input.passport != null && input.passport !== '') {
+                // Shield MED-2 (PR #1707 review): passport.json is PUBLIC (deliberately not
+                // git-ignored), so structurally validate the caller-supplied string before it
+                // touches disk — a caller that accidentally passes identity material here must
+                // not publish a bearer token. Validation is local (no trust-api import: the CLI
+                // ships standalone): parsed JSON must be a plain object carrying a signature and
+                // must not contain a serviceToken field at any depth.
+                if (isPlausiblePublicPassport(input.passport)) {
+                    // Plain write (not tmp→rename): public data, no mode requirement; a crash
+                    // mid-write yields a malformed file the next sync overwrites. Deliberate
+                    // asymmetry vs identity.json (Stern OBS-3).
+                    fs.writeFileSync(path.join(dir, 'passport.json'), input.passport);
+                }
+                else {
+                    warn(`[connexum] passport for ${input.localId} failed the public-credential structural check; skipping passport.json write`);
+                }
+            }
+            result.written.push(input.localId);
+        }
+        catch (err) {
+            result.skipped.push({ localId: input.localId, reason: `write-failed: ${err.message}` });
+            warn(`[connexum] identity write failed for ${input.localId}: ${err.message}`);
+        }
+    }
+    return result;
+}
+/**
+ * Write identity.json with field-level merge + atomic replace.
+ *   - Merge: an incoming null/undefined field NEVER clobbers a present stored value
+ *     (so a Pass-1 re-register with serviceToken:null cannot wipe a delivered token).
+ *   - Atomic: tmp → chmod 0600 → rename. Closes the write-then-chmod window where a kill
+ *     between writeFileSync and chmodSync would leave the token at 0644 (Stern BLOCK-3).
+ */
+function writeIdentityMerged(dir, input) {
+    const file = path.join(dir, 'identity.json');
+    let existing = {};
+    if (fs.existsSync(file)) {
+        try {
+            // Stern CONDITION-1 (PR #1707 review): valid JSON that is not a plain object
+            // (string/number/array) would spread index keys ("0","1",...) into the merge.
+            // Tolerate-and-start-clean, same as the parse-failure path.
+            const parsed = JSON.parse(fs.readFileSync(file, 'utf-8'));
+            if (typeof parsed === 'object' && parsed !== null && !Array.isArray(parsed)) {
+                existing = parsed;
+            }
+        }
+        catch {
+            existing = {}; // tolerate a corrupt prior file
+        }
+    }
+    const merged = { ...existing };
+    merged.schemaVersion = IDENTITY_SCHEMA_VERSION;
+    merged.passportRef = 'passport.json';
+    for (const f of IDENTITY_FIELDS) {
+        const v = input[f];
+        if (v != null)
+            merged[f] = v; // present incoming value wins
+        else if (!(f in merged))
+            merged[f] = null; // record absence on first write only
+    }
+    const tmp = `${file}.tmp`;
+    fs.writeFileSync(tmp, `${JSON.stringify(merged, null, 2)}\n`, { mode: 0o600 });
+    try {
+        fs.chmodSync(tmp, 0o600);
+    }
+    catch (err) {
+        if (process.platform !== 'win32') {
+            try {
+                fs.unlinkSync(tmp);
+            }
+            catch { /* ignore */ }
+            throw new Error(`chmod 0600 failed on identity file: ${err.message}`);
+        }
+        // Windows: 0600 semantics differ; proceed best-effort.
+    }
+    fs.renameSync(tmp, file); // atomic replace; preserves the tmp inode's 0600 mode
+}
+/**
+ * Structural gate for the PUBLIC passport.json write (Shield MED-2): the string must
+ * parse to a plain JSON object that looks like a signed passport (has a `signature`)
+ * and must NOT carry a `serviceToken` key at any depth — the one secret that could
+ * plausibly be mis-routed here, and the file is deliberately not git-ignored.
+ * Local check only; the CLI cannot import trust-api's deserializePassport (standalone
+ * packaging). False ⇒ the caller skips the write with an advisory, never throws.
+ */
+function isPlausiblePublicPassport(serialized) {
+    try {
+        const parsed = JSON.parse(serialized);
+        if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed))
+            return false;
+        if (typeof parsed['signature'] !== 'string')
+            return false;
+        const containsServiceToken = (v) => {
+            if (v === null || typeof v !== 'object')
+                return false;
+            for (const [k, child] of Object.entries(v)) {
+                if (k === 'serviceToken')
+                    return true;
+                if (containsServiceToken(child))
+                    return true;
+            }
+            return false;
+        };
+        return !containsServiceToken(parsed);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Ensure the project .gitignore ignores the secret identity file (and NOT the public
+ * passport). Returns false if the rule could not be persisted — the caller then refuses
+ * to write the bearer token.
+ */
+function ensureGitignoreRule(projectRoot, warn) {
+    const file = path.join(projectRoot, '.gitignore');
+    try {
+        let content = '';
+        if (fs.existsSync(file))
+            content = fs.readFileSync(file, 'utf-8');
+        if (content.split(/\r?\n/).some((l) => l.trim() === GITIGNORE_RULE))
+            return true;
+        const prefix = content.length > 0 && !content.endsWith('\n') ? '\n' : '';
+        fs.appendFileSync(file, `${prefix}# Connexum per-agent identity (bearer serviceToken) — never commit\n${GITIGNORE_RULE}\n`);
+        return true;
+    }
+    catch (err) {
+        warn(`[connexum] could not update .gitignore: ${err.message}`);
+        return false;
+    }
+}
+//# sourceMappingURL=per-folder-identity.js.map

package/dist/cli/per-folder-identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"per-folder-identity.js","sourceRoot":"","sources":["../../src/cli/per-folder-identity.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2EA,8DAiBC;AAkBD,oEA6BC;AAED,4DAuFC;AApOD;;;;;;;;;;;;;;GAcG;AACH,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAwCzB,MAAM,uBAAuB,GAAG,KAAK,CAAC;AACtC,MAAM,cAAc,GAAG,4BAA4B,CAAC;AAEpD,yEAAyE;AACzE,MAAM,eAAe,GAA8C;IACjE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,gBAAgB,EAAE,OAAO;IAC7D,cAAc,EAAE,cAAc,EAAE,cAAc,EAAE,iBAAiB;IACjE,UAAU,EAAE,WAAW;CACxB,CAAC;AAEF;;;;;;;GAOG;AACH,SAAgB,yBAAyB,CACvC,UAAkB,EAClB,QAAgB;IAEhB,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC7C,MAAM,eAAe,GAAG,CAAC,GAAG,EAAE;QAC5B,IAAI,CAAC;YAAC,OAAO,EAAE,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC;YAAC,OAAO,WAAW,CAAC;QAAC,CAAC;IAC5E,CAAC,CAAC,EAAE,CAAC;IACL,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjE,MAAM,UAAU,GAAG,CAAC,GAAG,EAAE;QACvB,IAAI,CAAC;YAAC,OAAO,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC;YAAC,OAAO,MAAM,CAAC;QAAC,CAAC;IAClE,CAAC,CAAC,EAAE,CAAC;IACL,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;IACvD,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACjD,OAAO,EAAE,KAAK,EAAE,6CAA6C,EAAE,CAAC;IAClE,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,CAAC;AACpB,CAAC;AAUD;;;;;;;GAOG;AACH,SAAgB,4BAA4B,CAC1C,UAAgH,EAChH,SAAuD,EACvD,IAAuB,EACvB,QAAgB;IAEhB,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IACjF,MAAM,MAAM,GAA6B,EAAE,CAAC;IAC5C,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,CAAC;QACvC,MAAM,QAAQ,GAAG,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAChD,IAAI,CAAC,QAAQ;YAAE,SAAS;QACxB,MAAM,CAAC,IAAI,CAAC;YACV,OAAO;YACP,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,QAAQ;YACR,UAAU,EAAE,CAAC,CAAC,UAAU;YACxB,yEAAyE;YACzE,yEAAyE;YACzE,2DAA2D;YAC3D,YAAY,EAAE,CAAC,CAAC,YAAY;YAC5B,cAAc,EAAE,IAAI,CAAC,cAAc,IAAI,IAAI;YAC3C,YAAY,EAAE,IAAI,CAAC,YAAY,IAAI,IAAI;YACvC,YAAY,EAAE,IAAI,CAAC,YAAY,IAAI,IAAI;YACvC,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI;YACzB,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAgB,wBAAwB,CACtC,UAAkB,EAClB,MAAgC,EAChC,OAA8B,EAAE;IAEhC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAyB,EAAE,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IAClE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAEvC,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC7C,2EAA2E;IAC3E,4EAA4E;IAC5E,oEAAoE;IACpE,mEAAmE;IACnE,4CAA4C;IAC5C,mEAAmE;IACnE,6EAA6E;IAC7E,qEAAqE;IACrE,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/E,MAAM,SAAS,GAAG,CAAC,GAAG,EAAE;QACtB,IAAI,GAAG,GAAG,WAAW,CAAC;QACtB,SAAS,CAAC;YACR,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;YACtF,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,MAAM,KAAK,GAAG;gBAAE,OAAO,KAAK,CAAC;YACjC,GAAG,GAAG,MAAM,CAAC;QACf,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,2FAA2F;QAC3F,MAAM,OAAO,GAAG,yBAAyB,CAAC,WAAW,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;QACvE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACpB,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,6CAA6C,EAAE,CAAC,CAAC;YACxH,IAAI,CAAC,mCAAmC,KAAK,CAAC,OAAO,2CAA2C,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC;YACnH,SAAS;QACX,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAE9B,MAAM,SAAS,GAAG,KAAK,CAAC,YAAY,IAAI,IAAI,IAAI,KAAK,CAAC,YAAY,KAAK,EAAE,CAAC;QAE1E,4EAA4E;QAC5E,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;gBACnC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,mDAAmD,EAAE,CAAC,CAAC;gBAC7G,IAAI,CAAC,mCAAmC,KAAK,CAAC,OAAO,iHAAiH,CAAC,CAAC;gBACxK,SAAS;YACX,CAAC;YACD,IAAI,CAAC,mBAAmB,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,CAAC;gBAC5C,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,uDAAuD,EAAE,CAAC,CAAC;gBACjH,IAAI,CAAC,mCAAmC,KAAK,CAAC,OAAO,+GAA+G,CAAC,CAAC;gBACtK,SAAS;YACX,CAAC;QACH,CAAC;aAAM,CAAC;YACN,6EAA6E;YAC7E,mBAAmB,CAAC,WAAW,EAAE,GAAG,EAAE,GAA0B,CAAC,CAAC,CAAC;QACrE,CAAC;QAED,kFAAkF;QAClF,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;YAC3C,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACvC,mBAAmB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAChC,IAAI,KAAK,CAAC,QAAQ,IAAI,IAAI,IAAI,KAAK,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;gBACpD,4EAA4E;gBAC5E,8EAA8E;gBAC9E,+EAA+E;gBAC/E,gFAAgF;gBAChF,iFAAiF;gBACjF,sDAAsD;gBACtD,IAAI,yBAAyB,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC9C,0EAA0E;oBAC1E,yEAAyE;oBACzE,4CAA4C;oBAC5C,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;gBACpE,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,2BAA2B,KAAK,CAAC,OAAO,8EAA8E,CAAC,CAAC;gBAC/H,CAAC;YACH,CAAC;YACD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,iBAAkB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YACnG,IAAI,CAAC,wCAAwC,KAAK,CAAC,OAAO,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,GAAW,EAAE,KAA6B;IACrE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAE7C,IAAI,QAAQ,GAA4B,EAAE,CAAC;IAC3C,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,IAAI,CAAC;YACH,6EAA6E;YAC7E,8EAA8E;YAC9E,4DAA4D;YAC5D,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;YACnE,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC5E,QAAQ,GAAG,MAAiC,CAAC;YAC/C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,GAAG,EAAE,CAAC,CAAC,gCAAgC;QACjD,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAA4B,EAAE,GAAG,QAAQ,EAAE,CAAC;IACxD,MAAM,CAAC,aAAa,GAAG,uBAAuB,CAAC;IAC/C,MAAM,CAAC,WAAW,GAAG,eAAe,CAAC;IACrC,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;QAChC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACnB,IAAI,CAAC,IAAI,IAAI;YAAE,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAU,8BAA8B;aAChE,IAAI,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;YAAE,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,qCAAqC;IAClF,CAAC;IAED,MAAM,GAAG,GAAG,GAAG,IAAI,MAAM,CAAC;IAC1B,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/E,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,IAAI,CAAC;gBAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YAClD,MAAM,IAAI,KAAK,CAAC,uCAAwC,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACnF,CAAC;QACD,uDAAuD;IACzD,CAAC;IACD,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,sDAAsD;AAClF,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,yBAAyB,CAAC,UAAkB;IACnD,IAAI,CAAC;QACH,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;YAAE,OAAO,KAAK,CAAC;QACzF,IAAI,OAAQ,MAAkC,CAAC,WAAW,CAAC,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QACvF,MAAM,oBAAoB,GAAG,CAAC,CAAU,EAAW,EAAE;YACnD,IAAI,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ;gBAAE,OAAO,KAAK,CAAC;YACtD,KAAK,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAA4B,CAAC,EAAE,CAAC;gBACtE,IAAI,CAAC,KAAK,cAAc;oBAAE,OAAO,IAAI,CAAC;gBACtC,IAAI,oBAAoB,CAAC,KAAK,CAAC;oBAAE,OAAO,IAAI,CAAC;YAC/C,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC,CAAC;QACF,OAAO,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,WAAmB,EAAE,IAAyB;IACzE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IAClD,IAAI,CAAC;QACH,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAClE,IAAI,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,cAAc,CAAC;YAAE,OAAO,IAAI,CAAC;QACjF,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QACzE,EAAE,CAAC,cAAc,CACf,IAAI,EACJ,GAAG,MAAM,uEAAuE,cAAc,IAAI,CACnG,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,2CAA4C,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC1E,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/cli/sync.d.ts

@@ -0,0 +1,193 @@
+/**
+ * ai-governance sync — pull the server's signed governance bundle and
+ * re-materialize the local .governance.json to match.
+ *
+ * Design (Thomas, locked):
+ *   - SAFE BY DEFAULT: no arguments = dry-run. Shows diff, writes nothing.
+ *   - --apply (or interactive confirm) writes the new governance to disk.
+ *   - NOT at runtime, NOT at init — a deliberate standalone verb.
+ *   - Client PULLS from server. Server never calls out to the client (Invariant 10).
+ *   - Server unreachable → graceful message, local config unchanged (Invariant 2/3).
+ *   - Unsigned / tampered bundle → REJECTED, nothing written.
+ *
+ * Usage:
+ *   ai-governance sync                   Dry-run: show diff, no writes
+ *   ai-governance sync --apply           Apply the bundle to .governance.json
+ *   ai-governance sync --agent <id>      Sync a specific agent only
+ *   ai-governance sync --gov-server-url  Override gov server URL
+ *
+ * Source of per-agent identities: .governance.json agents[] written by TS-002
+ * (register-fleet + writePerAgentIdentities). Each entry has:
+ *   { localId, agentId, serviceToken, passportId, filePath }
+ * Plus top-level runtime block:
+ *   { govServerUrl, orgId, agentId, serviceToken }
+ *
+ * Follow-up slices (historic seams — see feat/effective-governance-projection-2026-06-08):
+ *   F1: serviceToken TTL reduced to 30d — DONE
+ *   F2: JTI added to minted tokens, persisted on metadata — DONE
+ *   F3: per-agent audit-logger.sh push rewiring (CXNI_AGENT_FILE resolver) — DONE
+ *   F4: serviceToken moved off curl argv via tmpfile — DONE (this file + audit-logger.sh)
+ *   F5: narrower AGENT_SELF role on server for tighter RBAC — DEFERRED (architectural)
+ *
+ * @connexum/ai-governance  TS-010 sync verb
+ */
+import { fetchAgentGovernance } from './governance-projection-writer.js';
+/** Governance section as materialised from the bundle into .governance.json. */
+export interface SyncedGovernance {
+    /** Compliance pack IDs bound by the server. */
+    packs: string[];
+    /** Raw rule overrides from the bundle. */
+    ruleOverrides: unknown[];
+    /** Declared approval gates. */
+    declaredApprovalGates: unknown[];
+    /** Declared forbidden capabilities. */
+    declaredForbiddenCapabilities: string[];
+    /** ISO timestamp the bundle was issued. */
+    bundleIssuedAt: string;
+    /** hex content hash of the bundle payload (for audit). */
+    contentHash: string;
+    /** Ed25519 public key of the org (base64url) that signed this bundle. */
+    signerPublicKeyB64: string;
+}
+/** The shape stored under .governance.json `lastSync` for one agent. */
+export interface AgentLastSync {
+    agentId: string;
+    syncedAt: string;
+    governance: SyncedGovernance;
+}
+/** Per-agent diff result. */
+export interface AgentSyncDiff {
+    agentId: string;
+    filePath?: string;
+    /** null = failed to fetch bundle */
+    bundle: Record<string, unknown> | null;
+    /** null = bundle fetch/verify failed */
+    newGovernance: SyncedGovernance | null;
+    /**
+     * null = no previous sync snapshot (treat as no previous state).
+     * Diff shows "+ <key>: <value>" for all fields on first sync.
+     */
+    previousGovernance: SyncedGovernance | null;
+    diffLines: string[];
+    /** Human-readable error when bundle could not be fetched or verified. */
+    error?: string;
+}
+/** Outcome of runSyncCommand. */
+export interface SyncResult {
+    dryRun: boolean;
+    diffs: AgentSyncDiff[];
+    applied: number;
+    errors: number;
+}
+/** One delivered per-agent token (POST /api/v1/cli/agent-tokens response item). */
+export interface FetchedAgentToken {
+    agentId: string;
+    serviceToken: string;
+    passportId: string | null;
+}
+/**
+ * Fetch the org's Ed25519 public key from the governance server and write it
+ * into .governance.json under `orgPublicKey`.
+ *
+ * SECURITY: this must be called at `ai-governance init` time, BEFORE the first
+ * sync. The key is fetched over authenticated TLS from the same gov-server that
+ * issued the serviceToken. Subsequent syncs verify bundle signatures against
+ * this pinned key — they NEVER trust the key embedded in the bundle itself.
+ *
+ * The endpoint `GET /api/v1/orgs/:orgId/public-key` is unauthenticated (public
+ * keys are public, per Locked Invariant 4). We call it over the same
+ * govServerUrl + orgId that the exchange just returned, giving us a trusted
+ * source: the same TLS channel that authenticated the exchange.
+ *
+ * Returns the pinned key (base64url) on success, or null on failure.
+ * NEVER throws — on failure the caller logs the advisory and continues;
+ * the subsequent sync will fail closed (no pinned key = bundle rejected).
+ *
+ * DEPENDENCY NOTE (2026-06-08 prod incident): the org signing key is currently
+ * in-memory and regenerates on every gov-server deploy. With key-pinning, every
+ * post-deploy sync hits the rotation path until the key is made durable. That
+ * durability fix is the separate incident runbook — this function is still
+ * correct and required (rotation-as-explicit-event is the safe behavior).
+ */
+export declare function fetchAndPinOrgPublicKey(govServerUrl: string, orgId: string, configPath: string, timeoutSec?: number): string | null;
+/**
+ * Verify a governance bundle's Ed25519 signature.
+ *
+ * The signed payload is the JCS-canonical serialization of:
+ *   { agentId, bundleVersion, governance, issuedAt, orgId }
+ * The contentHash is SHA-256(canonical_bytes), hex-encoded.
+ * The signature is Ed25519(raw_sha256_digest_bytes) by the org signing key.
+ *
+ * KEY-TRUST SECURITY (Shield TS-010 remediation):
+ *   `pinnedPublicKeyB64` is the PINNED org public key read from the LOCAL
+ *   .governance.json (written at trusted init time). It is the SOLE key used
+ *   for signature verification. bundle['publicKeyB64'] is NEVER used as the
+ *   verification key — doing so would allow a MITM/rogue server to substitute
+ *   their own key alongside a tampered bundle and have it pass verification.
+ *
+ *   When `pinnedPublicKeyB64` is undefined (no pinned key on disk), the bundle
+ *   is REJECTED (fail closed). Re-running `ai-governance init` pins the key.
+ *
+ *   KEY ROTATION: if bundle['publicKeyB64'] differs from the pinned key, the
+ *   bundle is REJECTED with a rotation message. Key rotation is an EXPLICIT
+ *   operator event — re-run `ai-governance init` to accept the new key over an
+ *   authenticated TLS channel and re-pin it.
+ *
+ * Returns the verified SyncedGovernance on success, or an error string.
+ *
+ * SAFE BY DEFAULT: any failure (missing fields, bad sig, tampered, missing/
+ * mismatched pinned key) returns an error string; the caller MUST NOT apply.
+ */
+export declare function verifyBundle(bundle: Record<string, unknown>, pinnedPublicKeyB64?: string): {
+    ok: true;
+    governance: SyncedGovernance;
+} | {
+    ok: false;
+    error: string;
+};
+/** Produce a human-readable unified-style diff between two SyncedGovernance objects. */
+export declare function computeGovernanceDiff(previous: SyncedGovernance | null, next: SyncedGovernance): string[];
+/**
+ * Apply the synced governance to the local .governance.json.
+ *
+ * Rules:
+ *   1. NEVER silently clobber a hand-edited file. If the local `packs` field
+ *      diverges from what `lastSync[agentId].governance.packs` recorded (i.e.
+ *      the user hand-edited it since the last sync), surface that in the diff
+ *      output. The --apply write still proceeds but the divergence is logged.
+ *   2. Write mode 0o600 — serviceTokens are present in the same file.
+ *   3. The `packs` top-level field is updated only when it is the first sync
+ *      or when --apply is passed. It is the union of all agents' packs.
+ *   4. `lastSync[agentId]` is updated unconditionally on --apply.
+ *
+ * Returns a list of warnings (non-fatal) about hand-edit divergences.
+ */
+export declare function applyGovernanceToLocal(configPath: string, agentId: string, newGovernance: SyncedGovernance): {
+    warnings: string[];
+};
+/**
+ * Parse the args array and run the sync command.
+ *
+ * @param args   Slice of process.argv after 'sync'
+ * @param projectDir  Absolute path to the project directory (default: cwd)
+ * @param options.fetchBundleFn  Override the fetch function for testing
+ * @returns exit code: 0 = success (or dry-run with no errors), 1 = some errors
+ */
+export declare function runSyncCommand(args: string[], projectDir?: string, options?: {
+    /** Injectable fetch function for testing (default: fetchBundle via curl). */
+    fetchBundleFn?: (govServerUrl: string, agentId: string, serviceToken: string) => {
+        bundle: Record<string, unknown> | null;
+        error?: string;
+    };
+    /** Injectable per-agent token fetch for testing (default: fetchAgentTokens via curl). */
+    fetchAgentTokensFn?: (govServerUrl: string, installToken: string) => {
+        tokens: FetchedAgentToken[] | null;
+        installationId?: string | null;
+        error?: string;
+    };
+    /** Injectable governance-projection fetch for testing (write-back F2). */
+    fetchAgentGovernanceFn?: typeof fetchAgentGovernance;
+    /** Suppress all stdout/stderr for testing. */
+    silent?: boolean;
+}): Promise<SyncResult>;
+//# sourceMappingURL=sync.d.ts.map

package/dist/cli/sync.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sync.d.ts","sourceRoot":"","sources":["../../src/cli/sync.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAQH,OAAO,EAAE,oBAAoB,EAA8B,MAAM,mCAAmC,CAAC;AA2BrG,gFAAgF;AAChF,MAAM,WAAW,gBAAgB;IAC/B,+CAA+C;IAC/C,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,0CAA0C;IAC1C,aAAa,EAAE,OAAO,EAAE,CAAC;IACzB,+BAA+B;IAC/B,qBAAqB,EAAE,OAAO,EAAE,CAAC;IACjC,uCAAuC;IACvC,6BAA6B,EAAE,MAAM,EAAE,CAAC;IACxC,2CAA2C;IAC3C,cAAc,EAAE,MAAM,CAAC;IACvB,0DAA0D;IAC1D,WAAW,EAAE,MAAM,CAAC;IACpB,yEAAyE;IACzE,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED,wEAAwE;AACxE,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,gBAAgB,CAAC;CAC9B;AAED,6BAA6B;AAC7B,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IACvC,wCAAwC;IACxC,aAAa,EAAE,gBAAgB,GAAG,IAAI,CAAC;IACvC;;;OAGG;IACH,kBAAkB,EAAE,gBAAgB,GAAG,IAAI,CAAC;IAC5C,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,yEAAyE;IACzE,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,iCAAiC;AACjC,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,OAAO,CAAC;IAChB,KAAK,EAAE,aAAa,EAAE,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;CAChB;AA6MD,mFAAmF;AACnF,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAoGD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,uBAAuB,CACrC,YAAY,EAAE,MAAM,EACpB,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,UAAU,SAAK,GACd,MAAM,GAAG,IAAI,CA4Df;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,YAAY,CAC1B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,kBAAkB,CAAC,EAAE,MAAM,GAC1B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,UAAU,EAAE,gBAAgB,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAiH3E;AAMD,wFAAwF;AACxF,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,gBAAgB,GAAG,IAAI,EACjC,IAAI,EAAE,gBAAgB,GACrB,MAAM,EAAE,CAkDV;AAMD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,sBAAsB,CACpC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,gBAAgB,GAC9B;IAAE,QAAQ,EAAE,MAAM,EAAE,CAAA;CAAE,CAkExB;AAMD;;;;;;;GAOG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,EAAE,EACd,UAAU,GAAE,MAAsB,EAClC,OAAO,GAAE;IACP,6EAA6E;IAC7E,aAAa,CAAC,EAAE,CACd,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,KACjB;QAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAChE,yFAAyF;IACzF,kBAAkB,CAAC,EAAE,CACnB,YAAY,EAAE,MAAM,EACpB,YAAY,EAAE,MAAM,KACjB;QAAE,MAAM,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAAC;QAAC,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5F,0EAA0E;IAC1E,sBAAsB,CAAC,EAAE,OAAO,oBAAoB,CAAC;IACrD,8CAA8C;IAC9C,MAAM,CAAC,EAAE,OAAO,CAAC;CACb,GACL,OAAO,CAAC,UAAU,CAAC,CA8VrB"}