@cotal-ai/core 0.3.2 → 0.5.0

package/dist/provision.d.ts

@@ -37,36 +37,74 @@ export declare function stripSpaceAuth(auth: SpaceAuth): SpaceAuth;
 export declare function createSpaceAuth(space: string): Promise<SpaceAuth>;
 /** Options shaping a minted user's permissions. */
 export interface MintOpts {
-    /** Channels an "agent" may publish to (the agent file's `publish:` allow-list, already
-     *  resolved by the caller). Each is run through the chat-subject builder so a wildcard
-     *  subtree like `team.>` becomes `chat.<id>.team.>`. Defaults to `["general"]`. */
-    channels?: string[];
+    /** Read ACL — channels an "agent" MAY read (the agent file's `allowSubscribe`, already resolved
+     *  by the caller). Minted as per-channel single-filter history-consumer create grants
+     *  (`CONSUMER.CREATE.<CHAT>.<chathist_id>.<chat.*.ch>`) — the broker boundary on chat **history**
+     *  reads (join-backfill / focus-recall). Each is run through the chat-subject builder so a
+     *  wildcard subtree `team.>` becomes `chat.*.team.>`. Defaults to `["general"]`. The live read is the
+     *  agent's own native `sub.allow` over `chat.*.<channel>` (also minted from this list, below). */
+    allowSubscribe?: string[];
+    /** Post ACL — channels an "agent" may publish to (the agent file's `allowPublish`, already
+     *  resolved by the caller). Each becomes a `chat.<id>.<ch>` publish grant. **Default-deny**:
+     *  omitted/empty ⇒ no chat publish grant at all — publishing must be declared. */
+    allowPublish?: string[];
     /** The agent's role — scopes its TASK-queue consumer to svc_<role>. */
     role?: string;
     /** Control service the agent may address. Defaults to `"manager"`. */
     manager?: string;
+    /** Capabilities declared in the agent file (e.g. `"spawn"`). A capability gates the
+     *  privileged control-subject grant in {@link permissionsFor}: `spawn` → the agent may
+     *  publish to the privileged control subject (start/purge/definePersona/named stop).
+     *  Default-deny when absent — nats-server rejects the publish, no handler involved. */
+    capabilities?: string[];
+}
+/** Options for {@link provisionAgent} — {@link MintOpts} plus the active read set. */
+export interface ProvisionOpts extends MintOpts {
+    /** The active read set: the channels the agent subscribes to (live core-sub) at boot, and whose
+     *  `durable`-class members get a boot Plane-3 membership. Must be ⊆ `allowSubscribe`. Defaults to
+     *  `["general"]`. */
+    subscribe?: string[];
+    /** Write a DURABLE boot membership for each `durable`-class channel (default true). A durable backstop
+     *  needs a long-lived manager that hosts Plane-3 AND knows this agent's ACL — true only for an agent
+     *  launched UNDER a manager (`cotal start` / `cotal up`), which registers it in its `agents` ledger.
+     *  Set FALSE for a launcher with no such manager — direct foreground `cotal spawn` — so the agent is
+     *  LIVE-ONLY (no manager would know it, so its durable copies couldn't be authorized by the trusted
+     *  reader nor its membership leaved via self-service; its runtime joins are live-only for that reason
+     *  too). Writing a record nobody can deliver/leave is worse than none. */
+    durableMembership?: boolean;
 }
 /** The privileged onboarding ops a launcher needs — implemented by a connected, permissive
  *  endpoint (the manager, or a short-lived provisioner that `cotal spawn` opens). */
 export interface DurableProvisioner {
     provisionDmInbox(id: string): Promise<void>;
+    /** Pre-create the agent's bind-only Plane-3 DELIVER durable (`dlv_<id>`, filtered to `dlv.<id>`) so
+     *  it can BIND its per-member durable handoff without holding CONSUMER.CREATE on the DLV stream. */
+    provisionDlvInbox(id: string): Promise<void>;
+    /** Write the agent's BOOT durable membership: each `durable`-class boot channel gets a Plane-3
+     *  durable-active record so it receives the durable backstop from boot. Replaces the legacy
+     *  bind-only chat live-tail pre-create — live delivery is now the agent's own core subscription. */
+    provisionMembership(id: string, channels: string[]): Promise<void>;
     provisionTaskQueue(role: string): Promise<void>;
 }
-/** Onboard an agent for launch (auth mode): pre-create its bind-only DM (+ role TASK) durables
- *  and mint its scoped creds. The single shared step so every launcher — the manager and
- *  `cotal spawn` alike — provisions identically (manager not special). */
-export declare function provisionAgent(provisioner: DurableProvisioner, auth: SpaceAuth, identity: Identity, opts?: MintOpts): Promise<string>;
+/** Onboard an agent for launch (auth mode): pre-create its bind-only DM (+ Plane-3 DELIVER + role
+ *  TASK) durables, write its boot durable membership (Plane-3, unless `durableMembership:false`), and
+ *  mint its scoped creds. Live delivery is the agent's own core subscription — there is no per-instance
+ *  chat durable. The single shared onboarding step; a launcher with no managing Plane-3 host (direct
+ *  `cotal spawn`) opts out of the durable membership and is live-only. */
+export declare function provisionAgent(provisioner: DurableProvisioner, auth: SpaceAuth, identity: Identity, opts?: ProvisionOpts): Promise<string>;
 /** Mint a user creds file for an agent {@link Identity} (its stable id+seed from
  *  {@link newIdentity}). The account signing key signs over ONLY the public key
  *  (`fromPublic`) — the agent seed is never part of the signature, it's only folded into
- *  the resulting creds file. The "agent" profile is scoped to publish only as itself and
- *  only to its declared channels (the channel-restriction enforcement); "manager" and
- *  "observer" stay permissive here and are scoped in steps 6–7. */
+ *  the resulting creds file. The "agent" profile is scoped to publish only as itself and only to
+ *  its declared `allowPublish` channels (post ACL, default-deny), and to read only within
+ *  `allowSubscribe` (live tail bind-only + per-channel history grants); "manager" and "observer"
+ *  stay permissive here and are scoped in steps 6–7. */
 export declare function mintCreds(auth: SpaceAuth, identity: Identity, profile: Profile, opts?: MintOpts): Promise<string>;
 /** Render the `nats-server` config that trusts this space's operator and serves its
  *  accounts via the in-config MEMORY resolver. */
 export declare function serverConfig(auth: SpaceAuth, opts: {
     port?: number;
+    host?: string;
     storeDir: string;
 }): string;
 export declare function authDir(root: string): string;

package/dist/provision.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"provision.d.ts","sourceRoot":"","sources":["../src/provision.ts"],"names":[],"mappings":"AAyCA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAE9C;;;mEAGmE;AACnE,MAAM,MAAM,OAAO,GAAG,OAAO,GAAG,UAAU,GAAG,OAAO,GAAG,SAAS,CAAC;AAEjE;+DAC+D;AAC/D,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC,OAAO,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7F,GAAG,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;CACnC;AAYD;;;;;;;yEAOyE;AACzE,wBAAgB,cAAc,CAAC,IAAI,EAAE,SAAS,GAAG,SAAS,CAazD;AAED,4FAA4F;AAC5F,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CA6BvE;AAED,mDAAmD;AACnD,MAAM,WAAW,QAAQ;IACvB;;uFAEmF;IACnF,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,uEAAuE;IACvE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,sEAAsE;IACtE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;qFACqF;AACrF,MAAM,WAAW,kBAAkB;IACjC,gBAAgB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACjD;AAED;;0EAE0E;AAC1E,wBAAsB,cAAc,CAClC,WAAW,EAAE,kBAAkB,EAC/B,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,QAAQ,EAClB,IAAI,GAAE,QAAa,GAClB,OAAO,CAAC,MAAM,CAAC,CAIjB;AAED;;;;;mEAKmE;AACnE,wBAAsB,SAAS,CAC7B,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,OAAO,EAChB,IAAI,GAAE,QAAa,GAClB,OAAO,CAAC,MAAM,CAAC,CAYjB;AA4ID;kDACkD;AAClD,wBAAgB,YAAY,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAqB/F;AAMD,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAE5C;AAED;;iGAEiG;AACjG,wBAAgB,aAAa,CAAC,KAAK,GAAE,MAAsB,GAAG,MAAM,CAQnE;AAED,6FAA6F;AAC7F,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,IAAI,CAGhE;AAED,iFAAiF;AACjF,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS,CAIhE"}
+{"version":3,"file":"provision.d.ts","sourceRoot":"","sources":["../src/provision.ts"],"names":[],"mappings":"AA+CA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAE9C;;;mEAGmE;AACnE,MAAM,MAAM,OAAO,GAAG,OAAO,GAAG,UAAU,GAAG,OAAO,GAAG,SAAS,CAAC;AAEjE;+DAC+D;AAC/D,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC,OAAO,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7F,GAAG,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;CACnC;AAYD;;;;;;;yEAOyE;AACzE,wBAAgB,cAAc,CAAC,IAAI,EAAE,SAAS,GAAG,SAAS,CAazD;AAED,4FAA4F;AAC5F,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CA6BvE;AAED,mDAAmD;AACnD,MAAM,WAAW,QAAQ;IACvB;;;;;sGAKkG;IAClG,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B;;sFAEkF;IAClF,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,uEAAuE;IACvE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,sEAAsE;IACtE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;2FAGuF;IACvF,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,sFAAsF;AACtF,MAAM,WAAW,aAAc,SAAQ,QAAQ;IAC7C;;yBAEqB;IACrB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB;;;;;;8EAM0E;IAC1E,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED;qFACqF;AACrF,MAAM,WAAW,kBAAkB;IACjC,gBAAgB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C;wGACoG;IACpG,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C;;wGAEoG;IACpG,mBAAmB,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnE,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACjD;AAED;;;;0EAI0E;AAC1E,wBAAsB,cAAc,CAClC,WAAW,EAAE,kBAAkB,EAC/B,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,QAAQ,EAClB,IAAI,GAAE,aAAkB,GACvB,OAAO,CAAC,MAAM,CAAC,CAsBjB;AAED;;;;;;wDAMwD;AACxD,wBAAsB,SAAS,CAC7B,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,OAAO,EAChB,IAAI,GAAE,QAAa,GAClB,OAAO,CAAC,MAAM,CAAC,CAYjB;AAiLD;kDACkD;AAClD,wBAAgB,YAAY,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAuB9G;AAMD,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAE5C;AAED;;iGAEiG;AACjG,wBAAgB,aAAa,CAAC,KAAK,GAAE,MAAsB,GAAG,MAAM,CAQnE;AAED,6FAA6F;AAC7F,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,IAAI,CAGhE;AAED,iFAAiF;AACjF,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS,CAIhE"}

package/dist/provision.js

@@ -18,7 +18,7 @@ import { readFileSync, writeFileSync, mkdirSync, existsSync } from "node:fs";
 import { join, dirname, resolve } from "node:path";
 import { encodeOperator, encodeAccount, encodeUser, fmtCreds, } from "@nats-io/jwt";
 import { createOperator, createAccount, fromPublic, fromSeed } from "@nats-io/nkeys";
-import { token, spacePrefix, chatSubject, unicastSubject, anycastSubject, controlServiceSubject, chatStream, dmStream, taskStream, chatDurable, dmDurable, taskDurable, presenceBucket, channelBucket, } from "./subjects.js";
+import { token, spacePrefix, chatSubject, assertValidChannel, channelInAllow, unicastSubject, anycastSubject, controlServiceSubject, CONTROL_PRIVILEGED, CONTROL_SELF_SERVICE, chatStream, dmStream, taskStream, dlvStream, chatHistDurable, dmDurable, taskDurable, dlvDurable, presenceBucket, channelBucket, } from "./subjects.js";
 // Unlimited account limits — without explicit limits a JWT account defaults to 0 conns
 // (every connect denied). JetStream needs storage on the data account but MUST stay off
 // the system account (the server refuses to start otherwise).
@@ -74,21 +74,42 @@ export async function createSpaceAuth(space) {
         sys: { pub: sysPub, jwt: sysJwt },
     };
 }
-/** Onboard an agent for launch (auth mode): pre-create its bind-only DM (+ role TASK) durables
- *  and mint its scoped creds. The single shared step so every launcher — the manager and
- *  `cotal spawn` alike — provisions identically (manager not special). */
+/** Onboard an agent for launch (auth mode): pre-create its bind-only DM (+ Plane-3 DELIVER + role
+ *  TASK) durables, write its boot durable membership (Plane-3, unless `durableMembership:false`), and
+ *  mint its scoped creds. Live delivery is the agent's own core subscription — there is no per-instance
+ *  chat durable. The single shared onboarding step; a launcher with no managing Plane-3 host (direct
+ *  `cotal spawn`) opts out of the durable membership and is live-only. */
 export async function provisionAgent(provisioner, auth, identity, opts = {}) {
+    const subscribe = opts.subscribe?.length ? opts.subscribe : ["general"];
+    const allowSubscribe = opts.allowSubscribe?.length ? opts.allowSubscribe : subscribe;
+    // Reject channel names the wire layer would rewrite (the pre-created filter rides token() too).
+    for (const ch of [...subscribe, ...allowSubscribe])
+        assertValidChannel(ch);
+    // Re-assert the load-time invariant at the trust boundary (defense in depth): the pre-created
+    // live filter (subscribe) must sit within the read ACL (allowSubscribe), or the provisioner
+    // would hand the agent live delivery it isn't permitted to read.
+    for (const ch of subscribe)
+        if (!channelInAllow(allowSubscribe, ch))
+            throw new Error(`provisionAgent: subscribe "${ch}" is not within allowSubscribe [${allowSubscribe.join(", ")}]`);
     await provisioner.provisionDmInbox(identity.id);
+    await provisioner.provisionDlvInbox(identity.id);
+    // DELIVER durable exists before membership — the trusted reader transfers boot backstop copies onto it.
+    // Durable boot membership only for a launcher backed by a managing Plane-3 host (default). A live-only
+    // launcher (direct `cotal spawn`) opts out: no manager would know this agent, so a durable record could
+    // be neither authorized for reader delivery nor leaved via self-service — worse than none.
+    if (opts.durableMembership !== false)
+        await provisioner.provisionMembership(identity.id, subscribe);
     if (opts.role)
         await provisioner.provisionTaskQueue(opts.role);
-    return mintCreds(auth, identity, "agent", opts);
+    return mintCreds(auth, identity, "agent", { ...opts, allowSubscribe });
 }
 /** Mint a user creds file for an agent {@link Identity} (its stable id+seed from
  *  {@link newIdentity}). The account signing key signs over ONLY the public key
  *  (`fromPublic`) — the agent seed is never part of the signature, it's only folded into
- *  the resulting creds file. The "agent" profile is scoped to publish only as itself and
- *  only to its declared channels (the channel-restriction enforcement); "manager" and
- *  "observer" stay permissive here and are scoped in steps 6–7. */
+ *  the resulting creds file. The "agent" profile is scoped to publish only as itself and only to
+ *  its declared `allowPublish` channels (post ACL, default-deny), and to read only within
+ *  `allowSubscribe` (live tail bind-only + per-channel history grants); "manager" and "observer"
+ *  stay permissive here and are scoped in steps 6–7. */
 export async function mintCreds(auth, identity, profile, opts = {}) {
     const signer = fromSeed(new TextEncoder().encode(auth.account.signingSeed));
     const perms = permissionsFor(profile, auth.space, identity.id, opts);
@@ -151,38 +172,56 @@ function permissionsFor(profile, space, id, opts) {
         return { sub: { allow: sub }, pub: { allow } };
     }
     // ---- agent ----
-    const channels = opts.channels?.length ? opts.channels : ["general"];
-    const manager = opts.manager ?? "manager";
-    const chatD = chatDurable(id), dmD = dmDurable(id);
+    const allowPublish = opts.allowPublish ?? []; // post ACL — DEFAULT-DENY (publish must be declared)
+    const allowSubscribe = opts.allowSubscribe?.length ? opts.allowSubscribe : ["general"]; // read ACL
+    // Re-assert at the mint chokepoint (covers mint/spawn paths that bypass the file loader): a policy
+    // channel must equal its wire token, or the minted grant would alias the logical ACL.
+    for (const ch of [...allowSubscribe, ...allowPublish])
+        assertValidChannel(ch);
+    const manager = opts.manager ?? CONTROL_PRIVILEGED;
+    const chatHistD = chatHistDurable(id), dmD = dmDurable(id);
+    const DLV = dlvStream(space), dlvD = dlvDurable(id); // Plane-3 per-member delivery (bind-only)
     const svcD = opts.role ? taskDurable(opts.role) : undefined;
     const pubAllow = [
-        // peer subjects — identity + channel scope (step 5), built from the real builders.
-        ...channels.map((ch) => chatSubject(space, id, ch)),
+        // peer publish — identity + channel scope, built from the real builders. Default-deny: ONLY the
+        // declared allowPublish channels (none by default) get a chat-publish grant.
+        ...allowPublish.map((ch) => chatSubject(space, id, ch)),
         unicastSubject(space, "*", id), //  inst.*.<id>   — DM any instance, as me
         anycastSubject(space, "*", id), //  svc.*.<id>    — anycast any role, as me
-        controlServiceSubject(space, manager, id), // ctl.<mgr>.<id>
+        controlServiceSubject(space, CONTROL_SELF_SERVICE, id), // ctl.self.<id> — self stop/despawn + mediated join/leave, granted to all
         // JetStream control plane — scoped to this agent's own streams/durables.
         "$JS.API.INFO",
-        `$JS.API.STREAM.INFO.${CHAT}`, `$JS.API.STREAM.INFO.${DM}`, `$JS.API.STREAM.INFO.${TASK}`, `$JS.API.STREAM.INFO.${KV}`, `$JS.API.STREAM.INFO.${CHKV}`,
-        // CHAT consumer: self-create + self-update (join/leave mutate filter_subjects). Chat is
-        // world-readable, so name-scope is enough — but PIN to the own concrete chat_<id>, never a
-        // pattern: `update` clobbers, so a wildcard grant would let an agent repoint a peer's filter
-        // (silent channel-kick). Both API forms: old DURABLE.CREATE + new CONSUMER.CREATE.<name>
-        // (the multi-filter create/update subject), each scoped to this durable.
-        `$JS.API.CONSUMER.DURABLE.CREATE.${CHAT}.${chatD}`,
-        `$JS.API.CONSUMER.CREATE.${CHAT}.${chatD}`,
-        `$JS.API.CONSUMER.CREATE.${CHAT}.${chatD}.>`,
-        `$JS.API.CONSUMER.INFO.${CHAT}.${chatD}`,
-        `$JS.API.CONSUMER.MSG.NEXT.${CHAT}.${chatD}`,
-        `$JS.ACK.${CHAT}.${chatD}.>`,
-        // History backfill on join via Direct Get — a read verb (no consumer create/clobber surface).
-        // CHAT only, never DM/TASK (direct-get bypasses the consumer-create deny that is DM's
-        // confidentiality boundary). Requires allow_direct on the CHAT stream (set in streams.ts).
-        `$JS.API.DIRECT.GET.${CHAT}`,
+        // STREAM.INFO: CHAT (join watermark, recall drop-marker, channel-list counts — a documented
+        // metadata surface, see SPEC §9) + the world-readable presence/registry KVs. NOT DM/TASK: agents
+        // bind their dm_<id>/svc_<role> by name and never inspect those streams, so granting INFO there
+        // would only leak DM-inbox / task subject metadata across peers for no functional gain.
+        `$JS.API.STREAM.INFO.${CHAT}`, `$JS.API.STREAM.INFO.${KV}`, `$JS.API.STREAM.INFO.${CHKV}`,
+        // Live channel delivery is the agent's own native core subscription (sub.allow over chat.*.<ch>,
+        // below) — there is NO per-instance chat live-tail durable to bind. The durable backstop is
+        // Plane-3 (the bind-only dlv_<id> durable below). So no CHAT consumer bind/ack grants here.
+        // CHAT history reads (join-backfill, focus-recall, drop-marker) — single-filter EPHEMERAL
+        // consumers named chathist_<id>. The create rides the extended subject
+        // CONSUMER.CREATE.<CHAT>.<chathist_id>.<filter>, whose trailing filter token nats-server pins to
+        // the request body (JSConsumerCreateFilterSubjectMismatchErr, code 10131) — so one create grant
+        // per allowSubscribe channel makes history reads broker-bounded to the read ACL. Replaces the
+        // old unfiltered DIRECT.GET.<CHAT> (which could fetch ANY message regardless of channel). The
+        // name is the agent's own, so info/fetch/delete can't reach a peer's consumer. NO broad
+        // CONSUMER.CREATE.<CHAT> / .> deny here: NATS deny beats allow, which would also kill these.
+        ...allowSubscribe.map((ch) => `$JS.API.CONSUMER.CREATE.${CHAT}.${chatHistD}.${chatSubject(space, "*", ch)}`),
+        `$JS.API.CONSUMER.INFO.${CHAT}.${chatHistD}`,
+        `$JS.API.CONSUMER.MSG.NEXT.${CHAT}.${chatHistD}`,
+        `$JS.API.CONSUMER.DELETE.${CHAT}.${chatHistD}`,
         // DM consumer: BIND ONLY — info/fetch/ack its own pre-created durable, never create.
         `$JS.API.CONSUMER.INFO.${DM}.${dmD}`,
         `$JS.API.CONSUMER.MSG.NEXT.${DM}.${dmD}`,
         `$JS.ACK.${DM}.${dmD}.>`,
+        // Plane-3 DELIVER consumer (SPEC §8): BIND ONLY its own pre-created dlv_<id> — info/fetch/ack,
+        // never create (the provisioner pre-creates it filtered to dlv.<id>). The agent acks this via
+        // native JetStream — the re-authorized per-member handoff. It gets NO grant on the INBOX (mixed
+        // pre-auth) stream at all: default-deny keeps the fan-out target unreadable by the agent.
+        `$JS.API.CONSUMER.INFO.${DLV}.${dlvD}`,
+        `$JS.API.CONSUMER.MSG.NEXT.${DLV}.${dlvD}`,
+        `$JS.ACK.${DLV}.${dlvD}.>`,
         // Presence: watch (read, public roster) + flow control + PUT OWN KEY ONLY.
         `$JS.API.CONSUMER.CREATE.${KV}.>`,
         `$JS.API.CONSUMER.INFO.${KV}.>`,
@@ -200,6 +239,14 @@ function permissionsFor(profile, space, id, opts) {
         // allowed — the privileged provisioner pre-creates svc_<role> filtered to svc.<role>.*.
         pubAllow.push(`$JS.API.CONSUMER.INFO.${TASK}.${svcD}`, `$JS.API.CONSUMER.MSG.NEXT.${TASK}.${svcD}`, `$JS.ACK.${TASK}.${svcD}.>`);
     }
+    if (opts.capabilities?.includes("spawn")) {
+        // Spawn capability → grant the PRIVILEGED control subject (start / purge / definePersona /
+        // named stop-despawn). Default-deny otherwise: the subject is simply absent from this
+        // allow-list, so nats-server rejects the publish — no handler check, no deny-entry (a
+        // blanket `ctl.<mgr>.>` deny would override this grant too, since NATS deny beats allow).
+        // The self-service subject above is granted to all regardless of capability.
+        pubAllow.push(controlServiceSubject(space, manager, id));
+    }
     // Explicit create-deny (defense-in-depth over default-deny) on the two streams whose
     // create-time filter_subject is the attack surface — DM (private content) and TASK
     // (cross-role work-stealing). Covers the bare ephemeral form (no trailing token), the
@@ -211,13 +258,26 @@ function permissionsFor(profile, space, id, opts) {
         `$JS.API.CONSUMER.CREATE.${TASK}`,
         `$JS.API.CONSUMER.CREATE.${TASK}.>`,
         `$JS.API.CONSUMER.DURABLE.CREATE.${TASK}.>`,
+        // Plane-3 DELIVER: bind-only, like DM — the create-time filter_subject is the attack surface, so
+        // no create path (the provisioner pre-creates dlv_<id> filtered to dlv.<id>).
+        `$JS.API.CONSUMER.CREATE.${DLV}`,
+        `$JS.API.CONSUMER.CREATE.${DLV}.>`,
+        `$JS.API.CONSUMER.DURABLE.CREATE.${DLV}.>`,
     ];
-    return { pub: { allow: pubAllow, deny: pubDeny }, sub: { allow: [inbox] } };
+    // CHAT live read boundary (SPEC v0.3 §9 / Appendix B): mint the read ACL as a native `sub.allow`
+    // over cotal.<space>.chat.*.<channel> — one per allowSubscribe channel, wildcards passed through
+    // (e.g. chat.*.review.>, chat.*.>). This is what lets an agent self-serve a live channel subscribe
+    // with NO manager: join = nc.subscribe, broker-enforced per-subscribe, no consumer name to confine,
+    // so an open ACL needs no enumeration. This sub.allow grant IS the live read path — there is no
+    // per-instance chat durable; the durable backstop is Plane-3 (manager fan-out → per-member DELIVER).
+    const subChat = allowSubscribe.map((ch) => chatSubject(space, "*", ch));
+    return { pub: { allow: pubAllow, deny: pubDeny }, sub: { allow: [inbox, ...subChat] } };
 }
 /** Render the `nats-server` config that trusts this space's operator and serves its
  *  accounts via the in-config MEMORY resolver. */
 export function serverConfig(auth, opts) {
     const port = opts.port ?? 4222;
+    const host = opts.host ?? "127.0.0.1";
     // A minted "agent" carries its full permission allow-list inline in its user JWT, which the
     // client sends in the CONNECT protocol line. With per-channel + JetStream-API grants that JWT
     // exceeds the 4 KB default max_control_line at ~2 channels, and the server then silently drops
@@ -226,6 +286,7 @@ export function serverConfig(auth, opts) {
     // is a per-connection pre-auth allocation under connection flooding. 64 KB clears a many-channel
     // agent JWT (~4–8 KB) with wide margin while keeping the pre-auth surface ~16× tighter than 1 MB.
     return `# Generated by \`cotal up\` — do not edit by hand.
+host: ${host}
 port: ${port}
 max_control_line: 65536
 jetstream { store_dir: ${JSON.stringify(opts.storeDir)} }

package/dist/provision.js.map

@@ -1 +1 @@
-{"version":3,"file":"provision.js","sourceRoot":"","sources":["../src/provision.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,EACL,cAAc,EACd,aAAa,EACb,UAAU,EACV,QAAQ,GACT,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AACrF,OAAO,EACL,KAAK,EACL,WAAW,EACX,WAAW,EACX,cAAc,EACd,cAAc,EACd,qBAAqB,EACrB,UAAU,EACV,QAAQ,EACR,UAAU,EACV,WAAW,EACX,SAAS,EACT,WAAW,EACX,cAAc,EACd,aAAa,GACd,MAAM,eAAe,CAAC;AAkBvB,uFAAuF;AACvF,wFAAwF;AACxF,8DAA8D;AAC9D,MAAM,WAAW,GAAG;IAClB,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;IACtD,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI;CAC9B,CAAC;AACX,MAAM,WAAW,GAAG,EAAE,GAAG,WAAW,EAAE,WAAW,EAAE,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,EAAE,CAAC;AAC1E,MAAM,UAAU,GAAG,EAAE,GAAG,WAAW,EAAE,WAAW,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;AAEvE;;;;;;;yEAOyE;AACzE,MAAM,UAAU,cAAc,CAAC,IAAe;IAC5C,OAAO;QACL,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,QAAQ,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE;QAC/B,OAAO,EAAE;YACP,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;YACrB,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,EAAE;YACP,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW;YACrC,UAAU,EAAE,EAAE;SACf;QACD,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE;KAC1B,CAAC;AACJ,CAAC;AAED,4FAA4F;AAC5F,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAa;IACjD,MAAM,GAAG,GAAG,cAAc,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,aAAa,EAAE,CAAC,CAAC,yCAAyC;IACvE,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,KAAK,CAAC,YAAY,EAAE,CAAC;IAEpC,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,SAAS,KAAK,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,CAAC;IACnG,MAAM,UAAU,GAAG,MAAM,aAAa,CACpC,KAAK,CAAC,KAAK,CAAC,EACZ,GAAG,EACH,EAAE,YAAY,EAAE,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,EAC5D,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IAE1F,MAAM,GAAG,GAAG,CAAC,CAAa,EAAE,EAAE,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC3D,OAAO;QACL,KAAK;QACL,QAAQ,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE;QACxD,OAAO,EAAE;YACP,GAAG,EAAE,GAAG,CAAC,YAAY,EAAE;YACvB,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YACxB,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAChC,UAAU,EAAE,IAAI,CAAC,YAAY,EAAE;SAChC;QACD,GAAG,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE;KAClC,CAAC;AACJ,CAAC;AAqBD;;0EAE0E;AAC1E,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,WAA+B,EAC/B,IAAe,EACf,QAAkB,EAClB,OAAiB,EAAE;IAEnB,MAAM,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAChD,IAAI,IAAI,CAAC,IAAI;QAAE,MAAM,WAAW,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/D,OAAO,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;AAClD,CAAC;AAED;;;;;mEAKmE;AACnE,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAAe,EACf,QAAkB,EAClB,OAAgB,EAChB,OAAiB,EAAE;IAEnB,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;IAC5E,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IACrE,MAAM,OAAO,GAAG,MAAM,UAAU,CAC9B,OAAO,EACP,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC,EACvB,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAC5B,KAAK,EACL,EAAE,MAAM,EAAE,CACX,CAAC;IACF,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACnF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED;;;4BAG4B;AAC5B,SAAS,cAAc,CACrB,OAAgB,EAChB,KAAa,EACb,EAAU,EACV,IAAc;IAEd,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC,CAAC,iCAAiC;IACvE,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IAC/E,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;IACzC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,4CAA4C;IACvF,MAAM,KAAK,GAAG,UAAU,EAAE,IAAI,CAAC;IAE/B,IAAI,OAAO,KAAK,UAAU,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QAClD,sFAAsF;QACtF,gFAAgF;QAChF,wFAAwF;QACxF,+EAA+E;QAC/E,yFAAyF;QACzF,yFAAyF;QACzF,4FAA4F;QAC5F,yFAAyF;QACzF,8EAA8E;QAC9E,MAAM,GAAG,GACP,OAAO,KAAK,OAAO;YACjB,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC;YACpC,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG;YACZ,cAAc;YACd,uBAAuB,IAAI,EAAE;YAC7B,uBAAuB,EAAE,EAAE;YAC3B,sFAAsF;YACtF,yEAAyE;YACzE,2BAA2B,IAAI,EAAE;YACjC,2BAA2B,IAAI,IAAI;YACnC,yBAAyB,IAAI,IAAI;YACjC,6BAA6B,IAAI,IAAI;YACrC,2BAA2B,IAAI,IAAI;YACnC,WAAW,IAAI,IAAI;YACnB,2BAA2B,EAAE,IAAI,EAAE,+CAA+C;YAClF,yBAAyB,EAAE,IAAI;YAC/B,oFAAoF;YACpF,8FAA8F;YAC9F,uBAAuB,IAAI,EAAE;YAC7B,0BAA0B,IAAI,EAAE;YAChC,2BAA2B,IAAI,IAAI;YACnC,yBAAyB,IAAI,IAAI;YACjC,2BAA2B,IAAI,IAAI,EAAG,6BAA6B;YACnE,UAAU,EAAE,gCAAgC;SAC7C,CAAC;QACF,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;YACxB,sFAAsF;YACtF,sFAAsF;YACtF,KAAK,CAAC,IAAI,CACR,uBAAuB,EAAE,EAAE,EAC3B,2BAA2B,EAAE,EAAE,EAC/B,2BAA2B,EAAE,IAAI,EACjC,yBAAyB,EAAE,IAAI,EAC/B,6BAA6B,EAAE,IAAI,EACnC,2BAA2B,EAAE,IAAI,EACjC,WAAW,EAAE,IAAI,CAClB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC;IACjD,CAAC;IAED,kBAAkB;IAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IACrE,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,SAAS,CAAC;IAC1C,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,EAAE,GAAG,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACnD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5D,MAAM,QAAQ,GAAG;QACf,mFAAmF;QACnF,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;QACnD,cAAc,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,0CAA0C;QAC1E,cAAc,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,2CAA2C;QAC3E,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC,EAAE,iBAAiB;QAC5D,yEAAyE;QACzE,cAAc;QACd,uBAAuB,IAAI,EAAE,EAAE,uBAAuB,EAAE,EAAE,EAAE,uBAAuB,IAAI,EAAE,EAAE,uBAAuB,EAAE,EAAE,EAAE,uBAAuB,IAAI,EAAE;QACrJ,wFAAwF;QACxF,2FAA2F;QAC3F,6FAA6F;QAC7F,yFAAyF;QACzF,yEAAyE;QACzE,mCAAmC,IAAI,IAAI,KAAK,EAAE;QAClD,2BAA2B,IAAI,IAAI,KAAK,EAAE;QAC1C,2BAA2B,IAAI,IAAI,KAAK,IAAI;QAC5C,yBAAyB,IAAI,IAAI,KAAK,EAAE;QACxC,6BAA6B,IAAI,IAAI,KAAK,EAAE;QAC5C,WAAW,IAAI,IAAI,KAAK,IAAI;QAC5B,8FAA8F;QAC9F,sFAAsF;QACtF,2FAA2F;QAC3F,sBAAsB,IAAI,EAAE;QAC5B,qFAAqF;QACrF,yBAAyB,EAAE,IAAI,GAAG,EAAE;QACpC,6BAA6B,EAAE,IAAI,GAAG,EAAE;QACxC,WAAW,EAAE,IAAI,GAAG,IAAI;QACxB,2EAA2E;QAC3E,2BAA2B,EAAE,IAAI;QACjC,yBAAyB,EAAE,IAAI;QAC/B,UAAU;QACV,OAAO,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,EAAE,4CAA4C;QAClF,yFAAyF;QACzF,+FAA+F;QAC/F,0BAA0B,IAAI,EAAE;QAChC,2BAA2B,IAAI,IAAI;QACnC,yBAAyB,IAAI,IAAI;KAClC,CAAC;IACF,IAAI,IAAI,EAAE,CAAC;QACT,yFAAyF;QACzF,oFAAoF;QACpF,wFAAwF;QACxF,QAAQ,CAAC,IAAI,CACX,yBAAyB,IAAI,IAAI,IAAI,EAAE,EACvC,6BAA6B,IAAI,IAAI,IAAI,EAAE,EAC3C,WAAW,IAAI,IAAI,IAAI,IAAI,CAC5B,CAAC;IACJ,CAAC;IACD,qFAAqF;IACrF,mFAAmF;IACnF,sFAAsF;IACtF,iFAAiF;IACjF,MAAM,OAAO,GAAG;QACd,2BAA2B,EAAE,EAAE;QAC/B,2BAA2B,EAAE,IAAI;QACjC,mCAAmC,EAAE,IAAI;QACzC,2BAA2B,IAAI,EAAE;QACjC,2BAA2B,IAAI,IAAI;QACnC,mCAAmC,IAAI,IAAI;KAC5C,CAAC;IACF,OAAO,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;AAC9E,CAAC;AAED;kDACkD;AAClD,MAAM,UAAU,YAAY,CAAC,IAAe,EAAE,IAAyC;IACrF,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC;IAC/B,4FAA4F;IAC5F,8FAA8F;IAC9F,+FAA+F;IAC/F,+FAA+F;IAC/F,gGAAgG;IAChG,iGAAiG;IACjG,kGAAkG;IAClG,OAAO;QACD,IAAI;;yBAEa,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC;YAC1C,IAAI,CAAC,QAAQ,CAAC,GAAG;kBACX,IAAI,CAAC,GAAG,CAAC,GAAG;;;IAG1B,IAAI,CAAC,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG;IACrC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG;;CAEhC,CAAC;AACF,CAAC;AAED,kFAAkF;AAElF,MAAM,SAAS,GAAG,WAAW,CAAC;AAE9B,MAAM,UAAU,OAAO,CAAC,IAAY;IAClC,OAAO,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;AACtC,CAAC;AAED;;iGAEiG;AACjG,MAAM,UAAU,aAAa,CAAC,QAAgB,OAAO,CAAC,GAAG,EAAE;IACzD,IAAI,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;IACzB,SAAS,CAAC;QACR,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YAAE,OAAO,GAAG,CAAC;QAChD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,MAAM,KAAK,GAAG;YAAE,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC;QAC1C,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;AACH,CAAC;AAED,6FAA6F;AAC7F,MAAM,UAAU,aAAa,CAAC,GAAW,EAAE,IAAe;IACxD,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpC,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACtF,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC/B,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IACrC,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,CAAc,CAAC;AAC1D,CAAC"}
+{"version":3,"file":"provision.js","sourceRoot":"","sources":["../src/provision.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,EACL,cAAc,EACd,aAAa,EACb,UAAU,EACV,QAAQ,GACT,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AACrF,OAAO,EACL,KAAK,EACL,WAAW,EACX,WAAW,EACX,kBAAkB,EAClB,cAAc,EACd,cAAc,EACd,cAAc,EACd,qBAAqB,EACrB,kBAAkB,EAClB,oBAAoB,EACpB,UAAU,EACV,QAAQ,EACR,UAAU,EACV,SAAS,EACT,eAAe,EACf,SAAS,EACT,WAAW,EACX,UAAU,EACV,cAAc,EACd,aAAa,GACd,MAAM,eAAe,CAAC;AAkBvB,uFAAuF;AACvF,wFAAwF;AACxF,8DAA8D;AAC9D,MAAM,WAAW,GAAG;IAClB,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;IACtD,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI;CAC9B,CAAC;AACX,MAAM,WAAW,GAAG,EAAE,GAAG,WAAW,EAAE,WAAW,EAAE,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,EAAE,CAAC;AAC1E,MAAM,UAAU,GAAG,EAAE,GAAG,WAAW,EAAE,WAAW,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;AAEvE;;;;;;;yEAOyE;AACzE,MAAM,UAAU,cAAc,CAAC,IAAe;IAC5C,OAAO;QACL,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,QAAQ,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE;QAC/B,OAAO,EAAE;YACP,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;YACrB,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,EAAE;YACP,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW;YACrC,UAAU,EAAE,EAAE;SACf;QACD,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE;KAC1B,CAAC;AACJ,CAAC;AAED,4FAA4F;AAC5F,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAa;IACjD,MAAM,GAAG,GAAG,cAAc,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,aAAa,EAAE,CAAC,CAAC,yCAAyC;IACvE,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,KAAK,CAAC,YAAY,EAAE,CAAC;IAEpC,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,SAAS,KAAK,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,CAAC;IACnG,MAAM,UAAU,GAAG,MAAM,aAAa,CACpC,KAAK,CAAC,KAAK,CAAC,EACZ,GAAG,EACH,EAAE,YAAY,EAAE,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,EAC5D,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IAE1F,MAAM,GAAG,GAAG,CAAC,CAAa,EAAE,EAAE,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC3D,OAAO;QACL,KAAK;QACL,QAAQ,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE;QACxD,OAAO,EAAE;YACP,GAAG,EAAE,GAAG,CAAC,YAAY,EAAE;YACvB,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YACxB,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAChC,UAAU,EAAE,IAAI,CAAC,YAAY,EAAE;SAChC;QACD,GAAG,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE;KAClC,CAAC;AACJ,CAAC;AAwDD;;;;0EAI0E;AAC1E,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,WAA+B,EAC/B,IAAe,EACf,QAAkB,EAClB,OAAsB,EAAE;IAExB,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IACxE,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC;IACrF,gGAAgG;IAChG,KAAK,MAAM,EAAE,IAAI,CAAC,GAAG,SAAS,EAAE,GAAG,cAAc,CAAC;QAAE,kBAAkB,CAAC,EAAE,CAAC,CAAC;IAC3E,8FAA8F;IAC9F,4FAA4F;IAC5F,iEAAiE;IACjE,KAAK,MAAM,EAAE,IAAI,SAAS;QACxB,IAAI,CAAC,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CACb,8BAA8B,EAAE,mCAAmC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAChG,CAAC;IACN,MAAM,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAChD,MAAM,WAAW,CAAC,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACjD,wGAAwG;IACxG,uGAAuG;IACvG,wGAAwG;IACxG,2FAA2F;IAC3F,IAAI,IAAI,CAAC,iBAAiB,KAAK,KAAK;QAAE,MAAM,WAAW,CAAC,mBAAmB,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;IACpG,IAAI,IAAI,CAAC,IAAI;QAAE,MAAM,WAAW,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/D,OAAO,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,GAAG,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;AACzE,CAAC;AAED;;;;;;wDAMwD;AACxD,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAAe,EACf,QAAkB,EAClB,OAAgB,EAChB,OAAiB,EAAE;IAEnB,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;IAC5E,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IACrE,MAAM,OAAO,GAAG,MAAM,UAAU,CAC9B,OAAO,EACP,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC,EACvB,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAC5B,KAAK,EACL,EAAE,MAAM,EAAE,CACX,CAAC;IACF,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACnF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED;;;4BAG4B;AAC5B,SAAS,cAAc,CACrB,OAAgB,EAChB,KAAa,EACb,EAAU,EACV,IAAc;IAEd,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC,CAAC,iCAAiC;IACvE,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IAC/E,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;IACzC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,4CAA4C;IACvF,MAAM,KAAK,GAAG,UAAU,EAAE,IAAI,CAAC;IAE/B,IAAI,OAAO,KAAK,UAAU,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QAClD,sFAAsF;QACtF,gFAAgF;QAChF,wFAAwF;QACxF,+EAA+E;QAC/E,yFAAyF;QACzF,yFAAyF;QACzF,4FAA4F;QAC5F,yFAAyF;QACzF,8EAA8E;QAC9E,MAAM,GAAG,GACP,OAAO,KAAK,OAAO;YACjB,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC;YACpC,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG;YACZ,cAAc;YACd,uBAAuB,IAAI,EAAE;YAC7B,uBAAuB,EAAE,EAAE;YAC3B,sFAAsF;YACtF,yEAAyE;YACzE,2BAA2B,IAAI,EAAE;YACjC,2BAA2B,IAAI,IAAI;YACnC,yBAAyB,IAAI,IAAI;YACjC,6BAA6B,IAAI,IAAI;YACrC,2BAA2B,IAAI,IAAI;YACnC,WAAW,IAAI,IAAI;YACnB,2BAA2B,EAAE,IAAI,EAAE,+CAA+C;YAClF,yBAAyB,EAAE,IAAI;YAC/B,oFAAoF;YACpF,8FAA8F;YAC9F,uBAAuB,IAAI,EAAE;YAC7B,0BAA0B,IAAI,EAAE;YAChC,2BAA2B,IAAI,IAAI;YACnC,yBAAyB,IAAI,IAAI;YACjC,2BAA2B,IAAI,IAAI,EAAG,6BAA6B;YACnE,UAAU,EAAE,gCAAgC;SAC7C,CAAC;QACF,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;YACxB,sFAAsF;YACtF,sFAAsF;YACtF,KAAK,CAAC,IAAI,CACR,uBAAuB,EAAE,EAAE,EAC3B,2BAA2B,EAAE,EAAE,EAC/B,2BAA2B,EAAE,IAAI,EACjC,yBAAyB,EAAE,IAAI,EAC/B,6BAA6B,EAAE,IAAI,EACnC,2BAA2B,EAAE,IAAI,EACjC,WAAW,EAAE,IAAI,CAClB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC;IACjD,CAAC;IAED,kBAAkB;IAClB,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,qDAAqD;IACnG,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW;IACnG,mGAAmG;IACnG,sFAAsF;IACtF,KAAK,MAAM,EAAE,IAAI,CAAC,GAAG,cAAc,EAAE,GAAG,YAAY,CAAC;QAAE,kBAAkB,CAAC,EAAE,CAAC,CAAC;IAC9E,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,kBAAkB,CAAC;IACnD,MAAM,SAAS,GAAG,eAAe,CAAC,EAAE,CAAC,EAAE,GAAG,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,IAAI,GAAG,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,0CAA0C;IAC/F,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5D,MAAM,QAAQ,GAAG;QACf,gGAAgG;QAChG,6EAA6E;QAC7E,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;QACvD,cAAc,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,0CAA0C;QAC1E,cAAc,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,2CAA2C;QAC3E,qBAAqB,CAAC,KAAK,EAAE,oBAAoB,EAAE,EAAE,CAAC,EAAE,0EAA0E;QAClI,yEAAyE;QACzE,cAAc;QACd,4FAA4F;QAC5F,iGAAiG;QACjG,gGAAgG;QAChG,wFAAwF;QACxF,uBAAuB,IAAI,EAAE,EAAE,uBAAuB,EAAE,EAAE,EAAE,uBAAuB,IAAI,EAAE;QACzF,iGAAiG;QACjG,4FAA4F;QAC5F,4FAA4F;QAC5F,0FAA0F;QAC1F,uEAAuE;QACvE,iGAAiG;QACjG,gGAAgG;QAChG,8FAA8F;QAC9F,8FAA8F;QAC9F,wFAAwF;QACxF,6FAA6F;QAC7F,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,2BAA2B,IAAI,IAAI,SAAS,IAAI,WAAW,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,CAAC;QAC5G,yBAAyB,IAAI,IAAI,SAAS,EAAE;QAC5C,6BAA6B,IAAI,IAAI,SAAS,EAAE;QAChD,2BAA2B,IAAI,IAAI,SAAS,EAAE;QAC9C,qFAAqF;QACrF,yBAAyB,EAAE,IAAI,GAAG,EAAE;QACpC,6BAA6B,EAAE,IAAI,GAAG,EAAE;QACxC,WAAW,EAAE,IAAI,GAAG,IAAI;QACxB,+FAA+F;QAC/F,8FAA8F;QAC9F,gGAAgG;QAChG,0FAA0F;QAC1F,yBAAyB,GAAG,IAAI,IAAI,EAAE;QACtC,6BAA6B,GAAG,IAAI,IAAI,EAAE;QAC1C,WAAW,GAAG,IAAI,IAAI,IAAI;QAC1B,2EAA2E;QAC3E,2BAA2B,EAAE,IAAI;QACjC,yBAAyB,EAAE,IAAI;QAC/B,UAAU;QACV,OAAO,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,EAAE,4CAA4C;QAClF,yFAAyF;QACzF,+FAA+F;QAC/F,0BAA0B,IAAI,EAAE;QAChC,2BAA2B,IAAI,IAAI;QACnC,yBAAyB,IAAI,IAAI;KAClC,CAAC;IACF,IAAI,IAAI,EAAE,CAAC;QACT,yFAAyF;QACzF,oFAAoF;QACpF,wFAAwF;QACxF,QAAQ,CAAC,IAAI,CACX,yBAAyB,IAAI,IAAI,IAAI,EAAE,EACvC,6BAA6B,IAAI,IAAI,IAAI,EAAE,EAC3C,WAAW,IAAI,IAAI,IAAI,IAAI,CAC5B,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,2FAA2F;QAC3F,sFAAsF;QACtF,sFAAsF;QACtF,0FAA0F;QAC1F,6EAA6E;QAC7E,QAAQ,CAAC,IAAI,CAAC,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;IACD,qFAAqF;IACrF,mFAAmF;IACnF,sFAAsF;IACtF,iFAAiF;IACjF,MAAM,OAAO,GAAG;QACd,2BAA2B,EAAE,EAAE;QAC/B,2BAA2B,EAAE,IAAI;QACjC,mCAAmC,EAAE,IAAI;QACzC,2BAA2B,IAAI,EAAE;QACjC,2BAA2B,IAAI,IAAI;QACnC,mCAAmC,IAAI,IAAI;QAC3C,iGAAiG;QACjG,8EAA8E;QAC9E,2BAA2B,GAAG,EAAE;QAChC,2BAA2B,GAAG,IAAI;QAClC,mCAAmC,GAAG,IAAI;KAC3C,CAAC;IACF,iGAAiG;IACjG,iGAAiG;IACjG,mGAAmG;IACnG,oGAAoG;IACpG,gGAAgG;IAChG,qGAAqG;IACrG,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;IACxE,OAAO,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,KAAK,EAAE,GAAG,OAAO,CAAC,EAAE,EAAE,CAAC;AAC1F,CAAC;AAED;kDACkD;AAClD,MAAM,UAAU,YAAY,CAAC,IAAe,EAAE,IAAwD;IACpG,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC;IAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,WAAW,CAAC;IACtC,4FAA4F;IAC5F,8FAA8F;IAC9F,+FAA+F;IAC/F,+FAA+F;IAC/F,gGAAgG;IAChG,iGAAiG;IACjG,kGAAkG;IAClG,OAAO;QACD,IAAI;QACJ,IAAI;;yBAEa,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC;YAC1C,IAAI,CAAC,QAAQ,CAAC,GAAG;kBACX,IAAI,CAAC,GAAG,CAAC,GAAG;;;IAG1B,IAAI,CAAC,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG;IACrC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG;;CAEhC,CAAC;AACF,CAAC;AAED,kFAAkF;AAElF,MAAM,SAAS,GAAG,WAAW,CAAC;AAE9B,MAAM,UAAU,OAAO,CAAC,IAAY;IAClC,OAAO,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;AACtC,CAAC;AAED;;iGAEiG;AACjG,MAAM,UAAU,aAAa,CAAC,QAAgB,OAAO,CAAC,GAAG,EAAE;IACzD,IAAI,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;IACzB,SAAS,CAAC;QACR,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YAAE,OAAO,GAAG,CAAC;QAChD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,MAAM,KAAK,GAAG;YAAE,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC;QAC1C,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;AACH,CAAC;AAED,6FAA6F;AAC7F,MAAM,UAAU,aAAa,CAAC,GAAW,EAAE,IAAe;IACxD,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpC,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACtF,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC/B,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IACrC,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,CAAc,CAAC;AAC1D,CAAC"}

package/dist/resolve.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Peer name resolution + name validation — the client-side half of addressing.
+ *
+ * The wire routes on the unforgeable instance id (the nkey carried in the subject); a human
+ * **name** is only a convenience this resolves to an id. Resolution is deterministic and
+ * fail-loud: it returns exactly one peer or throws {@link AmbiguousPeerError} — it never
+ * silently picks among same-named peers. The id is authoritative; the name is best-effort.
+ *
+ * `owner/name` handles (per-owner namespaces) land with the accounts/auth feature; until then
+ * `/` is reserved in a name ({@link assertValidName}) so they slot in without a migration.
+ * See .internal/plans/peer-addressing.md.
+ */
+import type { Presence, PresenceStatus } from "./types.js";
+/** A peer that matched an ambiguous name — structural, so each surface renders it itself
+ *  (core never formats UI strings). The full `id` is the authoritative, routable address. */
+export interface PeerCandidate {
+    id: string;
+    name: string;
+    role?: string;
+    status: PresenceStatus;
+    /** Epoch ms of the peer's last heartbeat. */
+    ts: number;
+}
+/** Thrown when a name resolves to two or more peers that could each be the target. Carries the
+ *  candidates structurally so a caller can show them and re-address by the exact `id`. */
+export declare class AmbiguousPeerError extends Error {
+    readonly target: string;
+    readonly candidates: PeerCandidate[];
+    constructor(target: string, candidates: PeerCandidate[]);
+}
+/**
+ * Resolve a `target` (an exact instance id, or a display name) to one peer on `roster`.
+ *
+ * - an exact instance-id match wins (any status — an id is unambiguous);
+ * - otherwise a case-insensitive name match, preferring live peers over stale offline ghosts:
+ *   one live match resolves; **2+ live matches throw**; with no live match a unique offline peer
+ *   resolves (best-effort), but **2+ offline duplicates throw**;
+ * - no match → `undefined` (the caller renders "no such peer").
+ *
+ * `opts.selfId`, when given, is excluded (you don't DM yourself). Throws
+ * {@link AmbiguousPeerError} rather than ever silently picking.
+ */
+export declare function resolvePeer(roster: Presence[], target: string, opts?: {
+    selfId?: string;
+}): Presence | undefined;
+/**
+ * Validate a display name. A name must be non-empty, single-line, and free of surrounding
+ * whitespace; `/` is reserved as the future `owner/name` separator (and already means "a path"
+ * to the agent-file loader). Throws — no silent rewrite (per AGENTS.md, no fallbacks). Internal
+ * spaces are allowed (human display names like "Ada Lovelace").
+ */
+export declare function assertValidName(name: string): void;
+//# sourceMappingURL=resolve.d.ts.map

package/dist/resolve.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve.d.ts","sourceRoot":"","sources":["../src/resolve.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,KAAK,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE3D;6FAC6F;AAC7F,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,cAAc,CAAC;IACvB,6CAA6C;IAC7C,EAAE,EAAE,MAAM,CAAC;CACZ;AAED;0FAC0F;AAC1F,qBAAa,kBAAmB,SAAQ,KAAK;IAEzC,QAAQ,CAAC,MAAM,EAAE,MAAM;IACvB,QAAQ,CAAC,UAAU,EAAE,aAAa,EAAE;gBAD3B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,aAAa,EAAE;CASvC;AAMD;;;;;;;;;;;GAWG;AACH,wBAAgB,WAAW,CACzB,MAAM,EAAE,QAAQ,EAAE,EAClB,MAAM,EAAE,MAAM,EACd,IAAI,GAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAO,GAC7B,QAAQ,GAAG,SAAS,CAetB;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAOlD"}

package/dist/resolve.js

@@ -0,0 +1,61 @@
+/** Thrown when a name resolves to two or more peers that could each be the target. Carries the
+ *  candidates structurally so a caller can show them and re-address by the exact `id`. */
+export class AmbiguousPeerError extends Error {
+    target;
+    candidates;
+    constructor(target, candidates) {
+        super(`"${target}" is ambiguous — ${candidates.length} peers share that name: ` +
+            candidates.map((c) => `${c.name} (${c.id}, ${c.status})`).join("; ") +
+            `. Re-send to the exact instance id.`);
+        this.target = target;
+        this.candidates = candidates;
+        this.name = "AmbiguousPeerError";
+    }
+}
+function candidate(p) {
+    return { id: p.card.id, name: p.card.name, role: p.card.role, status: p.status, ts: p.ts };
+}
+/**
+ * Resolve a `target` (an exact instance id, or a display name) to one peer on `roster`.
+ *
+ * - an exact instance-id match wins (any status — an id is unambiguous);
+ * - otherwise a case-insensitive name match, preferring live peers over stale offline ghosts:
+ *   one live match resolves; **2+ live matches throw**; with no live match a unique offline peer
+ *   resolves (best-effort), but **2+ offline duplicates throw**;
+ * - no match → `undefined` (the caller renders "no such peer").
+ *
+ * `opts.selfId`, when given, is excluded (you don't DM yourself). Throws
+ * {@link AmbiguousPeerError} rather than ever silently picking.
+ */
+export function resolvePeer(roster, target, opts = {}) {
+    const peers = opts.selfId ? roster.filter((p) => p.card.id !== opts.selfId) : roster;
+    const byId = peers.find((p) => p.card.id === target);
+    if (byId)
+        return byId;
+    const want = target.trim().toLowerCase();
+    if (!want)
+        return undefined;
+    const matches = peers.filter((p) => p.card.name.toLowerCase() === want);
+    if (matches.length === 0)
+        return undefined;
+    const live = matches.filter((p) => p.status !== "offline");
+    const pool = live.length > 0 ? live : matches;
+    if (pool.length === 1)
+        return pool[0];
+    throw new AmbiguousPeerError(target, pool.map(candidate));
+}
+/**
+ * Validate a display name. A name must be non-empty, single-line, and free of surrounding
+ * whitespace; `/` is reserved as the future `owner/name` separator (and already means "a path"
+ * to the agent-file loader). Throws — no silent rewrite (per AGENTS.md, no fallbacks). Internal
+ * spaces are allowed (human display names like "Ada Lovelace").
+ */
+export function assertValidName(name) {
+    if (name.length === 0 || name !== name.trim())
+        throw new Error(`invalid name ${JSON.stringify(name)}: must be non-empty with no surrounding whitespace`);
+    if (/[\r\n]/.test(name))
+        throw new Error(`invalid name ${JSON.stringify(name)}: must be a single line`);
+    if (name.includes("/"))
+        throw new Error(`invalid name ${JSON.stringify(name)}: "/" is reserved (the owner/name separator)`);
+}
+//# sourceMappingURL=resolve.js.map

package/dist/resolve.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve.js","sourceRoot":"","sources":["../src/resolve.ts"],"names":[],"mappings":"AAyBA;0FAC0F;AAC1F,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAEhC;IACA;IAFX,YACW,MAAc,EACd,UAA2B;QAEpC,KAAK,CACH,IAAI,MAAM,oBAAoB,UAAU,CAAC,MAAM,0BAA0B;YACvE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;YACpE,qCAAqC,CACxC,CAAC;QAPO,WAAM,GAAN,MAAM,CAAQ;QACd,eAAU,GAAV,UAAU,CAAiB;QAOpC,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,SAAS,SAAS,CAAC,CAAW;IAC5B,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC;AAC7F,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,WAAW,CACzB,MAAkB,EAClB,MAAc,EACd,OAA4B,EAAE;IAE9B,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAErF,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,MAAM,CAAC,CAAC;IACrD,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAEtB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACzC,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,CAAC;IACxE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAE3C,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;IAC3D,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;IAC9C,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;IACtC,MAAM,IAAI,kBAAkB,CAAC,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,KAAK,IAAI,CAAC,IAAI,EAAE;QAC3C,MAAM,IAAI,KAAK,CAAC,gBAAgB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;IAC5G,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,gBAAgB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACjF,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,gBAAgB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;AACxG,CAAC"}

package/dist/streams.d.ts

@@ -3,6 +3,20 @@ import { type ConsumerConfig, type JetStreamManager } from "@nats-io/jetstream";
  *  oldest message on a subject is discarded (`DiscardPolicy.Old`). Also the horizon of focus
  *  recall: only the last {@link MAX_MSGS_PER_SUBJECT} per sender-subject are recallable. */
 export declare const MAX_MSGS_PER_SUBJECT = 1000;
+/** JetStream message-dedup window on the Plane-3 streams: a `Nats-Msg-Id`
+ *  (`<msgId>:<owner>:<generation>`) repeated within this window is collapsed. Sized generous (2h) so
+ *  an activation-catch-up copy and a racing fan-out copy of the same message dedup even for a slow/
+ *  backlogged owner. **This window IS the cross-path exactly-once correctness horizon** — two writes
+ *  of the same logical copy separated by more than it (e.g. a manager crash after a DLV publish, the
+ *  dinbox ack lost, the window expiring, then a re-transfer after restart) are NOT collapsed at the
+ *  stream. The connector's commit-aware id-cache (`MeshAgent.ingest`) coalesces live↔durable and
+ *  redelivery duplicates within a SESSION, but it is in-memory and reset on agent restart, so it is
+ *  NOT a cross-restart guarantee. A persistent per-owner delivery ledger would lift the bound; not
+ *  built (the 2h horizon covers the realistic crash/redelivery lag). Keep the window ≥ worst-case lag. */
+export declare const PLANE3_DEDUP_WINDOW_MS: number;
+/** Bound on the trusted reader's in-flight (un-acked) entries per owner — an offline owner with a large
+ *  backlog can't stall the reader's own redelivery by pinning unbounded pending. */
+export declare const DINBOX_MAX_ACK_PENDING = 1000;
 export interface ClearSpaceHistoryResult {
     chat: number;
     dm?: number;
@@ -45,6 +59,29 @@ export declare function dmDurableConfig(space: string, id: string, opts?: {
 export declare function taskDurableConfig(space: string, role: string, opts?: {
     ackWaitMs?: number;
 }): Partial<ConsumerConfig>;
+/** The single privileged trusted-reader consumer over the WHOLE INBOX (mixed pre-auth) store
+ *  (`dinbox.>`, all owners) — created + bound only by the manager. Explicit ack: the reader holds an
+ *  entry un-acked until it has transferred the re-authorized copy to DLV (a crash before transfer
+ *  redelivers). `max_ack_pending` bounds the reader's in-flight set. The per-message owner is
+ *  recovered from the subject (`parseDinboxOwner`). */
+export declare function inboxReaderConfig(space: string, opts?: {
+    ackWaitMs?: number;
+}): Partial<ConsumerConfig>;
+/** An agent's bind-only per-member DELIVER consumer (mirrors {@link dmDurableConfig}): the provisioner
+ *  pre-creates it filtered to `dlv.<owner>`; the agent BINDS it (denied CREATE on DLV) and acks via
+ *  native JetStream — the §8 "equivalent per-member at-least-once mechanism with the same ack
+ *  semantics". `inactive_threshold` only for an open-mode self-create (none today; Plane-3 is
+ *  auth-only). */
+export declare function dlvDurableConfig(space: string, owner: string, opts?: {
+    ackWaitMs?: number;
+    inactiveThresholdMs?: number;
+}): Partial<ConsumerConfig>;
+/** The single privileged fan-out consumer on CHAT (manager-pumped; routing, not auth).
+ *  `DeliverPolicy.New` at creation (pre-existing backlog is pre-membership); a DURABLE, so on a
+ *  manager restart it resumes from its ack cursor and fans out the gap, idempotent via `Nats-Msg-Id`. */
+export declare function fanoutDurableConfig(space: string, opts?: {
+    ackWaitMs?: number;
+}): Partial<ConsumerConfig>;
 /** Connect with the given (privileged) creds, create the space's streams, and disconnect.
  *  Used by `cotal up` to pre-create streams once at setup. */
 export declare function setupSpaceStreams(opts: {

package/dist/streams.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"streams.d.ts","sourceRoot":"","sources":["../src/streams.ts"],"names":[],"mappings":"AAAA,OAAO,EAOL,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACtB,MAAM,oBAAoB,CAAC;AAqB5B;;4FAE4F;AAC5F,eAAO,MAAM,oBAAoB,OAAO,CAAC;AAEzC,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,CAAC,EAAE,MAAM,CAAC;CACb;AAED;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,gBAAgB,EACrB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,IAAI,CAAC,CA0Bf;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,MAAM,EACb,EAAE,EAAE,MAAM,EACV,IAAI,GAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAAO,GAC9D,OAAO,CAAC,cAAc,CAAC,CAUzB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAA;CAAO,GAChC,OAAO,CAAC,cAAc,CAAC,CAOzB;AAED;8DAC8D;AAC9D,wBAAsB,iBAAiB,CAAC,IAAI,EAAE;IAC5C,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,oGAAoG;IACpG,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,OAAO,CAAC,IAAI,CAAC,CAgBhB;AAED;kDACkD;AAClD,wBAAsB,iBAAiB,CAAC,IAAI,EAAE;IAC5C,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAcnC;AAED;;;;;oFAKoF;AACpF,wBAAsB,YAAY,CAAC,IAAI,EAAE;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAsB/C"}
+{"version":3,"file":"streams.d.ts","sourceRoot":"","sources":["../src/streams.ts"],"names":[],"mappings":"AAAA,OAAO,EAOL,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACtB,MAAM,oBAAoB,CAAC;AA6B5B;;4FAE4F;AAC5F,eAAO,MAAM,oBAAoB,OAAO,CAAC;AAEzC;;;;;;;;;0GAS0G;AAC1G,eAAO,MAAM,sBAAsB,QAAqB,CAAC;AAEzD;oFACoF;AACpF,eAAO,MAAM,sBAAsB,OAAO,CAAC;AAE3C,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,CAAC,EAAE,MAAM,CAAC;CACb;AAED;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,gBAAgB,EACrB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,IAAI,CAAC,CAkDf;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,MAAM,EACb,EAAE,EAAE,MAAM,EACV,IAAI,GAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAAO,GAC9D,OAAO,CAAC,cAAc,CAAC,CAUzB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAA;CAAO,GAChC,OAAO,CAAC,cAAc,CAAC,CAOzB;AAID;;;;uDAIuD;AACvD,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,MAAM,EACb,IAAI,GAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAA;CAAO,GAChC,OAAO,CAAC,cAAc,CAAC,CASzB;AAED;;;;kBAIkB;AAClB,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,EACb,IAAI,GAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAAO,GAC9D,OAAO,CAAC,cAAc,CAAC,CAUzB;AAED;;yGAEyG;AACzG,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EACb,IAAI,GAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAA;CAAO,GAChC,OAAO,CAAC,cAAc,CAAC,CAQzB;AAED;8DAC8D;AAC9D,wBAAsB,iBAAiB,CAAC,IAAI,EAAE;IAC5C,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,oGAAoG;IACpG,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,OAAO,CAAC,IAAI,CAAC,CAoBhB;AAED;kDACkD;AAClD,wBAAsB,iBAAiB,CAAC,IAAI,EAAE;IAC5C,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAcnC;AAED;;;;;oFAKoF;AACpF,wBAAsB,YAAY,CAAC,IAAI,EAAE;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAsB/C"}