@cybedefend/vibedefend 1.1.1

package/dist/hooks/install.js

@@ -0,0 +1,169 @@
+/**
+ * Install-side helpers for the Node-based hook runtime.
+ *
+ * Replaces the previous `writeHookFiles` (which rendered four bash
+ * scripts) with a simpler "copy + write config" pair:
+ *
+ *   1. Copy the bundled `dist/hook-runner.js` (built by esbuild) to
+ *      `~/.cybedefend/hook-runner.js`. ONE script for all 5 agents.
+ *   2. Write `~/.cybedefend/runtime-config.json` with the user's region
+ *      + hook tunables — the runner reads it on every invocation.
+ *
+ * Adapters then reference `node <path>/hook-runner.js <subcommand>` from
+ * their respective settings files. No bash, no jq, no curl — runs
+ * natively on Linux, macOS, AND Windows (the previous design needed
+ * Git Bash on Windows).
+ */
+import { copyFileSync, existsSync, rmSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { ensureDirFor, home, log, writeJson } from '../utils.js';
+/** Top-level directory we own. */
+export const VIBEDEFEND_DIR = home('.cybedefend');
+/** Where the bundled runner lives on the user's machine after install. */
+export const HOOK_RUNNER_PATH = home('.cybedefend', 'hook-runner.js');
+/** Persisted config the runner reads at hook-invocation time. */
+export const RUNTIME_CONFIG_PATH = home('.cybedefend', 'runtime-config.json');
+/** Legacy bash hooks dir from V1; deleted on install if found. */
+const LEGACY_HOOKS_DIR = home('.cybedefend', 'hooks');
+/**
+ * Resolve the path of the bundled `hook-runner.js` shipped in our npm
+ * package. Works for:
+ *   - production: <pkg>/dist/install.js → <pkg>/dist/hook-runner.js
+ *   - dev (tsx):  <pkg>/src/hooks/install.ts → <pkg>/dist/hook-runner.js
+ *
+ * Returns null if the bundled file isn't found (build hasn't run yet).
+ */
+function locateBundledRunner() {
+    const here = dirname(fileURLToPath(import.meta.url));
+    // Production: hook-runner.js is in the same dist/ as install.js.
+    const candidates = [
+        join(here, 'hook-runner.js'),
+        join(here, '..', 'dist', 'hook-runner.js'),
+        join(here, '..', '..', 'dist', 'hook-runner.js'),
+    ];
+    for (const c of candidates) {
+        if (existsSync(c))
+            return c;
+    }
+    return null;
+}
+/**
+ * Drop any legacy `~/.cybedefend/hooks/` directory (V1 bash scripts).
+ * Idempotent — silent no-op if the directory doesn't exist.
+ */
+function removeLegacyHooks() {
+    if (existsSync(LEGACY_HOOKS_DIR)) {
+        try {
+            rmSync(LEGACY_HOOKS_DIR, { recursive: true, force: true });
+            log.hint(`Removed legacy bash hooks dir: ${LEGACY_HOOKS_DIR}`);
+        }
+        catch {
+            // Best-effort cleanup; not fatal.
+        }
+    }
+}
+/**
+ * Install the hook runtime on the user's machine.
+ *
+ * Steps:
+ *   1. Sweep legacy `~/.cybedefend/hooks/` if present.
+ *   2. Copy `dist/hook-runner.js` → `~/.cybedefend/hook-runner.js`.
+ *   3. Write `~/.cybedefend/runtime-config.json` with the user's
+ *      region + hook settings.
+ *
+ * Returns the destination paths so the caller can `log.hint(...)` them.
+ */
+export function installHookRuntime(opts) {
+    removeLegacyHooks();
+    const source = locateBundledRunner();
+    if (source === null) {
+        throw new Error('Could not locate the bundled hook-runner.js. Did `pnpm run build` finish? ' +
+            'Expected to find it under <package>/dist/.');
+    }
+    ensureDirFor(HOOK_RUNNER_PATH);
+    copyFileSync(source, HOOK_RUNNER_PATH);
+    const runtimeConfig = {
+        region: {
+            id: opts.region.id,
+            label: opts.region.label,
+            mcpName: opts.region.mcpName,
+            mcpUrl: opts.region.mcpUrl,
+            apiBase: opts.region.apiBase,
+        },
+        hooks: {
+            enableSessionReview: opts.hooks.enableSessionReview,
+            reviewThreshold: opts.hooks.reviewThreshold,
+            autoProposeMode: opts.hooks.autoProposeMode,
+        },
+        installedVersion: opts.installedVersion,
+    };
+    writeJson(RUNTIME_CONFIG_PATH, runtimeConfig);
+    return { runnerPath: HOOK_RUNNER_PATH, configPath: RUNTIME_CONFIG_PATH };
+}
+/**
+ * Compose the `command` field for a settings.json hook entry, targeting
+ * a specific subcommand of the runner. Pure — adapters call this without
+ * touching the filesystem.
+ */
+export function hookCommand(subcommand) {
+    return `node ${HOOK_RUNNER_PATH} ${subcommand}`;
+}
+/**
+ * Marker used by every adapter's `dropOurs` to identify legacy AND new
+ * entries it owns. Matches any command referencing a path under our
+ * managed dir — covers the V1 bash hooks (`~/.cybedefend/hooks/*.sh`),
+ * the new runner (`~/.cybedefend/hook-runner.js`), and any future file
+ * we put under `~/.cybedefend/`.
+ *
+ * `inspect()` uses this CONSTANT directly because that detection is
+ * legitimately scoped to whether the CURRENT install wired its hooks;
+ * legacy V0 entries left over from a previous install must NOT report
+ * `hooksWired: true`.
+ *
+ * For idempotent cleanup on re-install (`dropOurs`), use
+ * `isVibedefendOwnedHookCommand()` below — it broadens the match to
+ * cover the V0 repo-embedded path so a fresh install scrubs them too.
+ */
+export const VIBEDEFEND_PATH_MARKER = VIBEDEFEND_DIR;
+/**
+ * Substrings identifying hook commands that an OLDER version of
+ * vibedefend (or its V0 manual-template predecessor) installed and
+ * that a fresh install must scrub on top of the V2 path.
+ *
+ * V0 lived inside the api-microservices repo at
+ * `tools/cybedefend-claude-hooks/hook-*.sh` — users wired absolute paths
+ * to those scripts into `~/.claude/settings.json` by hand, predating the
+ * vibedefend-cli installer. Today those entries still sit alongside the
+ * V2 Node runner unless we drop them: SessionStart, PreToolUse, Stop and
+ * PreCompact each fired twice on Claude Code, duplicating context
+ * injection and (observed in the wild) confusing the agent into ignoring
+ * the workflow doctrine.
+ *
+ * Matching by directory NAME (`cybedefend-claude-hooks/`) rather than
+ * absolute path makes it location-independent — the user's repo can
+ * live anywhere on disk.
+ */
+const LEGACY_HOOK_MARKERS = [
+    'cybedefend-claude-hooks',
+];
+/**
+ * Predicate every adapter's `dropOurs` uses to decide whether a hook
+ * entry belongs to vibedefend. Returns `true` for the current V2 path
+ * AND for any historical vibedefend-managed path (`LEGACY_HOOK_MARKERS`).
+ *
+ * Third-party hooks (different command, different path) MUST be left
+ * alone — only commands that match one of these markers get scrubbed.
+ */
+export function isVibedefendOwnedHookCommand(command) {
+    if (typeof command !== 'string' || command.length === 0)
+        return false;
+    if (command.includes(VIBEDEFEND_PATH_MARKER))
+        return true;
+    for (const marker of LEGACY_HOOK_MARKERS) {
+        if (command.includes(marker))
+            return true;
+    }
+    return false;
+}
+//# sourceMappingURL=install.js.map

package/dist/hooks/install.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"install.js","sourceRoot":"","sources":["../../src/hooks/install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC3D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAIzC,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAGjE,kCAAkC;AAClC,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC;AAElD,0EAA0E;AAC1E,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,CAAC,aAAa,EAAE,gBAAgB,CAAC,CAAC;AAEtE,iEAAiE;AACjE,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,CACrC,aAAa,EACb,qBAAqB,CACtB,CAAC;AAEF,kEAAkE;AAClE,MAAM,gBAAgB,GAAG,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;AAEtD;;;;;;;GAOG;AACH,SAAS,mBAAmB;IAC1B,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,iEAAiE;IACjE,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,IAAI,EAAE,gBAAgB,CAAC;QAC5B,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,gBAAgB,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,gBAAgB,CAAC;KACjD,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,UAAU,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB;IACxB,IAAI,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,CAAC,gBAAgB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,IAAI,CAAC,kCAAkC,gBAAgB,EAAE,CAAC,CAAC;QACjE,CAAC;QAAC,MAAM,CAAC;YACP,kCAAkC;QACpC,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAIlC;IACC,iBAAiB,EAAE,CAAC;IAEpB,MAAM,MAAM,GAAG,mBAAmB,EAAE,CAAC;IACrC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,4CAA4C,CAC/C,CAAC;IACJ,CAAC;IAED,YAAY,CAAC,gBAAgB,CAAC,CAAC;IAC/B,YAAY,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IAEvC,MAAM,aAAa,GAAkB;QACnC,MAAM,EAAE;YACN,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE;YAClB,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YACxB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;SAC7B;QACD,KAAK,EAAE;YACL,mBAAmB,EAAE,IAAI,CAAC,KAAK,CAAC,mBAAmB;YACnD,eAAe,EAAE,IAAI,CAAC,KAAK,CAAC,eAAe;YAC3C,eAAe,EAAE,IAAI,CAAC,KAAK,CAAC,eAAe;SAC5C;QACD,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;KACxC,CAAC;IACF,SAAS,CAAC,mBAAmB,EAAE,aAAa,CAAC,CAAC;IAE9C,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,UAAU,EAAE,mBAAmB,EAAE,CAAC;AAC3E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,WAAW,CACzB,UAMiB;IAEjB,OAAO,QAAQ,gBAAgB,IAAI,UAAU,EAAE,CAAC;AAClD,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,cAAc,CAAC;AAErD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,mBAAmB,GAAsB;IAC7C,yBAAyB;CAC1B,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,4BAA4B,CAAC,OAAe;IAC1D,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACtE,IAAI,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1D,KAAK,MAAM,MAAM,IAAI,mBAAmB,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;IAC5C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/hooks/runtime/api.js

@@ -0,0 +1,167 @@
+const DEFAULT_TIMEOUT_MS = 10_000;
+/**
+ * POST /project/<id>/business-rules/fetch
+ *
+ * Returns the rendered markdown body + total rule count, or `null` on
+ * any error (network, 4xx/5xx, malformed JSON). The hook treats `null`
+ * as "no rules to inject, proceed".
+ */
+export async function fetchBusinessRules(opts) {
+    const f = opts.fetchImpl ?? globalThis.fetch;
+    const url = `${opts.apiBase}/project/${encodeURIComponent(opts.projectId)}/business-rules/fetch`;
+    let res;
+    try {
+        res = await f(url, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${opts.token}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+                files: opts.files,
+                intent: opts.intent,
+                format: 'md',
+                topK: opts.topK ?? 5,
+            }),
+            signal: AbortSignal.timeout(opts.timeoutMs ?? DEFAULT_TIMEOUT_MS),
+        });
+    }
+    catch {
+        return null;
+    }
+    if (!res.ok)
+        return null;
+    let body;
+    try {
+        body = await res.json();
+    }
+    catch {
+        return null;
+    }
+    // Tolerate both `{data: {markdown, total}}` (gateway-wrapped) and the
+    // flat shape `{markdown, total}` (older ingestion-service replies).
+    const root = body;
+    const data = root.data ?? root;
+    const markdown = typeof data.markdown === 'string'
+        ? data.markdown
+        : typeof data.markdown_body === 'string'
+            ? (data.markdown_body)
+            : '';
+    const total = typeof data.total === 'number' ? data.total : 0;
+    return { markdown, total, raw: body };
+}
+/**
+ * POST /project/<id>/security-rules/fetch
+ *
+ * Identical contract to {@link fetchBusinessRules} — same input, same
+ * tolerant JSON unwrapping, same `null`-on-any-error guarantee. Only the
+ * URL path differs (`security-rules/fetch` instead of `business-rules/fetch`).
+ */
+export async function fetchSecurityRules(opts) {
+    const f = opts.fetchImpl ?? globalThis.fetch;
+    const url = `${opts.apiBase}/project/${encodeURIComponent(opts.projectId)}/security-rules/fetch`;
+    let res;
+    try {
+        res = await f(url, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${opts.token}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+                files: opts.files,
+                intent: opts.intent,
+                format: 'md',
+                topK: opts.topK ?? 5,
+            }),
+            signal: AbortSignal.timeout(opts.timeoutMs ?? DEFAULT_TIMEOUT_MS),
+        });
+    }
+    catch {
+        return null;
+    }
+    if (!res.ok)
+        return null;
+    let body;
+    try {
+        body = await res.json();
+    }
+    catch {
+        return null;
+    }
+    // Tolerate both `{data: {markdown, total}}` (gateway-wrapped) and the
+    // flat shape `{markdown, total}` (older ingestion-service replies).
+    const root = body;
+    const data = root.data ?? root;
+    const markdown = typeof data.markdown === 'string'
+        ? data.markdown
+        : typeof data.markdown_body === 'string'
+            ? (data.markdown_body)
+            : '';
+    const total = typeof data.total === 'number' ? data.total : 0;
+    return { markdown, total, raw: body };
+}
+/**
+ * GET /project/<id>/business-rules/proposals?status=proposed
+ * Used by the SessionStart hook to show the inbox count to the user.
+ */
+export async function fetchProposalsCount(opts) {
+    const f = opts.fetchImpl ?? globalThis.fetch;
+    const url = `${opts.apiBase}/project/${encodeURIComponent(opts.projectId)}/business-rules/proposals?status=proposed`;
+    let res;
+    try {
+        res = await f(url, {
+            method: 'GET',
+            headers: { Authorization: `Bearer ${opts.token}` },
+            signal: AbortSignal.timeout(opts.timeoutMs ?? 5_000),
+        });
+    }
+    catch {
+        return null;
+    }
+    if (!res.ok)
+        return null;
+    let body;
+    try {
+        body = await res.json();
+    }
+    catch {
+        return null;
+    }
+    const root = body;
+    const data = root.data ?? root;
+    const total = typeof data.total === 'number'
+        ? data.total
+        : Array.isArray(data.proposals)
+            ? data.proposals.length
+            : 0;
+    return { total, raw: body };
+}
+/**
+ * Authenticated liveness probe for `vibedefend status` / `doctor`.
+ * Hits a cheap, auth-gated, project-scoped GET and classifies the result:
+ * reachable + authorized → `ok`, 401/403 → `token_invalid`, network failure
+ * → `unreachable`, any other non-2xx → `error`.
+ */
+export async function pingGateway(opts) {
+    const f = opts.fetchImpl ?? globalThis.fetch;
+    const url = `${opts.apiBase}/project/${encodeURIComponent(opts.projectId)}/business-rules/proposals?status=proposed`;
+    let res;
+    try {
+        res = await f(url, {
+            method: 'GET',
+            headers: { Authorization: `Bearer ${opts.token}` },
+            signal: AbortSignal.timeout(opts.timeoutMs ?? 5_000),
+        });
+    }
+    catch {
+        return { status: 'unreachable' };
+    }
+    if (res.status === 401 || res.status === 403) {
+        return { status: 'token_invalid' };
+    }
+    if (res.ok)
+        return { status: 'ok' };
+    return { status: 'error', detail: `HTTP ${res.status}` };
+}
+//# sourceMappingURL=api.js.map

package/dist/hooks/runtime/api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.js","sourceRoot":"","sources":["../../../src/hooks/runtime/api.ts"],"names":[],"mappings":"AAWA,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAclC;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,IAAoB;IAEpB,MAAM,CAAC,GAAG,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAC;IAC7C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,YAAY,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,uBAAuB,CAAC;IAEjG,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,CAAC,CAAC,GAAG,EAAE;YACjB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE;gBACrC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC;aACrB,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;SAClE,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAEzB,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,IAAI,GAAG,IAA+B,CAAC;IAC7C,MAAM,IAAI,GAAI,IAAI,CAAC,IAAgC,IAAI,IAAI,CAAC;IAC5D,MAAM,QAAQ,GACZ,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAC/B,CAAC,CAAC,IAAI,CAAC,QAAQ;QACf,CAAC,CAAC,OAAQ,IAAmC,CAAC,aAAa,KAAK,QAAQ;YACtE,CAAC,CAAC,CAAE,IAAkC,CAAC,aAAa,CAAC;YACrD,CAAC,CAAC,EAAE,CAAC;IACX,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAE9D,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AACxC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,IAAoB;IAEpB,MAAM,CAAC,GAAG,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAC;IAC7C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,YAAY,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,uBAAuB,CAAC;IAEjG,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,CAAC,CAAC,GAAG,EAAE;YACjB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE;gBACrC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC;aACrB,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;SAClE,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAEzB,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,IAAI,GAAG,IAA+B,CAAC;IAC7C,MAAM,IAAI,GAAI,IAAI,CAAC,IAAgC,IAAI,IAAI,CAAC;IAC5D,MAAM,QAAQ,GACZ,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAC/B,CAAC,CAAC,IAAI,CAAC,QAAQ;QACf,CAAC,CAAC,OAAQ,IAAmC,CAAC,aAAa,KAAK,QAAQ;YACtE,CAAC,CAAC,CAAE,IAAkC,CAAC,aAAa,CAAC;YACrD,CAAC,CAAC,EAAE,CAAC;IACX,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAE9D,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AACxC,CAAC;AAOD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAMzC;IACC,MAAM,CAAC,GAAG,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAC;IAC7C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,YAAY,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,2CAA2C,CAAC;IACrH,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,CAAC,CAAC,GAAG,EAAE;YACjB,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE,EAAE;YAClD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;SACrD,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAEzB,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,IAAI,GAAG,IAA+B,CAAC;IAC7C,MAAM,IAAI,GAAI,IAAI,CAAC,IAAgC,IAAI,IAAI,CAAC;IAC5D,MAAM,KAAK,GACT,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;QAC5B,CAAC,CAAC,IAAI,CAAC,KAAK;QACZ,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC;YAC7B,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM;YACvB,CAAC,CAAC,CAAC,CAAC;IACV,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AAC9B,CAAC;AAaD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAMjC;IACC,MAAM,CAAC,GAAG,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAC;IAC7C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,YAAY,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,2CAA2C,CAAC;IACrH,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,CAAC,CAAC,GAAG,EAAE;YACjB,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE,EAAE;YAClD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;SACrD,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC7C,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACrC,CAAC;IACD,IAAI,GAAG,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACpC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;AAC3D,CAAC"}

package/dist/hooks/runtime/config.js

@@ -0,0 +1,60 @@
+/**
+ * Load the runtime config written by the installer.
+ *
+ * One file per user: `~/.cybedefend/runtime-config.json`. Holds the
+ * region (so the hook knows which `apiBase` / `mcpName` to use) and
+ * tunables (threshold, auto-propose). Re-written every time the user
+ * runs `vibedefend install` or `vibedefend update`.
+ *
+ * Why a config file rather than env vars or CLI args?
+ *  - Settings.json `command` strings can't easily carry structured data
+ *    across the OS shell escape boundary (try threading a JSON object
+ *    through a Windows cmd.exe command line and you'll see).
+ *  - Env vars work but require listing every key in every adapter's
+ *    settings file. Brittle.
+ *  - One file = one source of truth, easy for users to inspect, easy
+ *    for the installer to atomically update.
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+export function runtimeConfigPath() {
+    return join(homedir(), '.cybedefend', 'runtime-config.json');
+}
+/**
+ * Returns the config or `null` if absent / corrupt. Hooks treat `null`
+ * as "not installed yet, silently no-op" rather than crashing the
+ * agent's edit.
+ */
+export function loadRuntimeConfig(path) {
+    const p = path ?? runtimeConfigPath();
+    if (!existsSync(p))
+        return null;
+    try {
+        const raw = readFileSync(p, 'utf8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+/** Read JSON from stdin (the hook event). Returns `{}` on parse failure. */
+export async function readStdinJson() {
+    const chunks = [];
+    for await (const chunk of process.stdin) {
+        chunks.push(typeof chunk === 'string' ? Buffer.from(chunk) : chunk);
+    }
+    const raw = Buffer.concat(chunks).toString('utf8');
+    if (!raw.trim())
+        return {};
+    try {
+        const parsed = JSON.parse(raw);
+        return typeof parsed === 'object' && parsed !== null
+            ? parsed
+            : {};
+    }
+    catch {
+        return {};
+    }
+}
+//# sourceMappingURL=config.js.map

package/dist/hooks/runtime/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/hooks/runtime/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAIjC,MAAM,UAAU,iBAAiB;IAC/B,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,qBAAqB,CAAC,CAAC;AAC/D,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAa;IAC7C,MAAM,CAAC,GAAG,IAAI,IAAI,iBAAiB,EAAE,CAAC;IACtC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAChC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,4EAA4E;AAC5E,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IACtE,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE;QAAE,OAAO,EAAE,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI;YAClD,CAAC,CAAE,MAAkC;YACrC,CAAC,CAAC,EAAE,CAAC;IACT,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC"}

package/dist/hooks/runtime/emit.js

@@ -0,0 +1,45 @@
+export function emit(body, client) {
+    if (!body)
+        return;
+    if (client === 'cursor') {
+        const payload = JSON.stringify({
+            permission: 'allow',
+            agent_message: body,
+        });
+        process.stdout.write(payload);
+        return;
+    }
+    // Default: plain markdown to stdout.
+    process.stdout.write(body);
+    if (!body.endsWith('\n'))
+        process.stdout.write('\n');
+}
+/**
+ * SessionStart-context emission.
+ *
+ * For Codex: wraps in the documented JSON envelope so the body lands in
+ * `additionalContext` and Codex injects it as developer context for the
+ * upcoming conversation. (The "plain text on stdout" fallback Codex's
+ * docs mention does not appear to be reliably honored in practice.)
+ *
+ * For every other client: delegates to `emit`, which preserves Cursor's
+ * permission-allow envelope and Claude Code / VS Code / Windsurf's
+ * plain-markdown shape — all of which already work for their respective
+ * SessionStart equivalents.
+ */
+export function emitContext(body, client) {
+    if (!body)
+        return;
+    if (client === 'codex') {
+        const payload = JSON.stringify({
+            hookSpecificOutput: {
+                hookEventName: 'SessionStart',
+                additionalContext: body,
+            },
+        });
+        process.stdout.write(payload);
+        return;
+    }
+    emit(body, client);
+}
+//# sourceMappingURL=emit.js.map

package/dist/hooks/runtime/emit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"emit.js","sourceRoot":"","sources":["../../../src/hooks/runtime/emit.ts"],"names":[],"mappings":"AAgCA,MAAM,UAAU,IAAI,CAAC,IAAY,EAAE,MAAgB;IACjD,IAAI,CAAC,IAAI;QAAE,OAAO;IAElB,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;YAC7B,UAAU,EAAE,OAAO;YACnB,aAAa,EAAE,IAAI;SACpB,CAAC,CAAC;QACH,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO;IACT,CAAC;IAED,qCAAqC;IACrC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC3B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AACvD,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,WAAW,CAAC,IAAY,EAAE,MAAgB;IACxD,IAAI,CAAC,IAAI;QAAE,OAAO;IAElB,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;YAC7B,kBAAkB,EAAE;gBAClB,aAAa,EAAE,cAAc;gBAC7B,iBAAiB,EAAE,IAAI;aACxB;SACF,CAAC,CAAC;QACH,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO;IACT,CAAC;IAED,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AACrB,CAAC"}

package/dist/hooks/runtime/fetch-rules.js

@@ -0,0 +1,154 @@
+/**
+ * PreToolUse hook — fetch business rules before an Edit/Write.
+ *
+ * Triggered by every agent on every tool call (Cursor and Claude Code
+ * honour matchers and only fire for Edit/Write/MultiEdit; VS Code
+ * ignores matchers, so we self-filter; Windsurf has its own
+ * pre_write_code event; Codex uses apply_patch). We early-exit unless
+ * the tool name is in our interested set.
+ */
+import { sniff } from './sniff.js';
+import { resolveProjectId, resolveToken } from './resolve.js';
+import { fetchBusinessRules, fetchSecurityRules } from './api.js';
+import { emit } from './emit.js';
+import { loadRuntimeConfig, readStdinJson } from './config.js';
+const INTERESTED_TOOLS = new Set([
+    'Edit',
+    'Write',
+    'MultiEdit',
+    'apply_patch',
+]);
+export async function fetchRulesHook(deps = {}) {
+    const readStdin = deps.readStdin ?? readStdinJson;
+    const loadConfig = deps.loadConfig ?? loadRuntimeConfig;
+    const resolveProject = deps.resolveProject ?? resolveProjectId;
+    const resolveTok = deps.resolveTokenFn ?? resolveToken;
+    const fetchRules = deps.fetchRulesFn ?? fetchBusinessRules;
+    const fetchSecRules = deps.fetchSecurityRulesFn ?? fetchSecurityRules;
+    const emitFn = deps.emitFn ?? emit;
+    const stdin = await readStdin();
+    const event = sniff(stdin);
+    // Self-filter: ignore tool calls we don't care about. Crucial for
+    // VS Code Copilot which ignores matchers and fires PreToolUse on
+    // every tool call.
+    if (!INTERESTED_TOOLS.has(event.toolName))
+        return;
+    if (!event.filePath)
+        return;
+    const config = loadConfig();
+    if (!config)
+        return;
+    const { projectId, apiBase: configApiBase } = resolveProject();
+    if (!projectId)
+        return;
+    const apiBase = process.env.CYBEDEFEND_API_BASE ?? configApiBase ?? config.region.apiBase;
+    const token = resolveTok(config.region.mcpName);
+    if (!token)
+        return;
+    const intent = buildIntent(event);
+    const fetchOpts = {
+        apiBase,
+        projectId,
+        token,
+        files: [event.filePath],
+        intent,
+        topK: 5,
+    };
+    // Fetch both corpora in parallel. They are independent — either one
+    // failing (returning null) must NEVER suppress the other's block.
+    const [businessResult, securityResult] = await Promise.all([
+        fetchRules(fetchOpts),
+        fetchSecRules(fetchOpts),
+    ]);
+    if (businessResult) {
+        const body = composeBody(businessResult.markdown, businessResult.total, event.filePath);
+        if (body)
+            emitFn(body, event.client);
+    }
+    if (securityResult &&
+        securityResult.total > 0 &&
+        securityResult.markdown &&
+        securityResult.markdown.length > 0) {
+        emitFn(composeSecurityBody(securityResult.markdown, securityResult.total, event.filePath), event.client);
+    }
+}
+/** Build the retrieval `intent` string from the event content. */
+function buildIntent(event) {
+    const limit = parseInt(process.env.CYBEDEFEND_INTENT_BYTES ?? '800', 10);
+    const snippet = event.newContent
+        .slice(0, Number.isFinite(limit) ? limit : 800)
+        .replace(/\s+/g, ' ')
+        .trim();
+    return `Working on ${event.filePath} (tool=${event.toolName}, client=${event.client}). Code being written: ${snippet}`;
+}
+/**
+ * Imperative + ready-to-paste template that the agent prepends to its reply.
+ *
+ * Why a concrete template instead of "consider emitting": Claude Code's TUI
+ * collapses MCP tool calls into a one-liner ("utilisé 2 outils"), so the
+ * user has no visibility into WHICH rules were fetched or HOW the agent
+ * applied them. The previous "MANDATORY — emit a status block" language
+ * read as guidance and the agent silently applied rules without surfacing
+ * them. Concrete templates the agent paste-and-fills are followed far
+ * more reliably than abstract instructions; this block is what the user
+ * sees in chat as proof CybeDefend is influencing the change.
+ *
+ * Format chosen: compact blockquote (3-4 lines per file edit), one line
+ * per rule, with [severity · category] for skimmability and a one-sentence
+ * applies/N-A reason.
+ */
+function visibleCalloutTemplate(kind, total, filePath) {
+    const subject = kind === 'Business' ? 'rules' : 'security rules';
+    return [
+        '---',
+        '',
+        `**🛡️ REQUIRED USER-VISIBLE MARKER** — you MUST include this exact block as the FIRST paragraph of your next assistant reply, BEFORE the Edit/Write tool call. Do not paraphrase, do not skip — without it, the user cannot see CybeDefend is influencing the change.`,
+        '',
+        `> 🛡️ **CybeDefend ${kind} Rules** — ${total} rule${total === 1 ? '' : 's'} for \`${filePath}\``,
+        `> - **<rule-title>** [<severity> · <category>] — applies because <one-sentence reason>`,
+        `> - **<rule-title>** [<severity> · <category>] — N/A because <one-sentence reason>`,
+        '',
+        `(Fill the bracketed values from the ${subject} listed above. Keep one line per rule. If a rule does not apply to this change, still emit the line with an N/A reason — the user needs to see CybeDefend was consulted.)`,
+        '',
+    ].join('\n');
+}
+/** Compose the markdown body the agent will see. */
+function composeBody(markdown, total, filePath) {
+    if (markdown && markdown.length > 0) {
+        return [
+            `## CybeDefend Business Rules (${total} — fetched for ${filePath})`,
+            markdown,
+            '',
+            visibleCalloutTemplate('Business', total, filePath),
+        ].join('\n');
+    }
+    if (total === 0) {
+        // Even with 0 matches, the agent must still surface a visible line so
+        // the user can see CybeDefend ran on this file rather than being
+        // silent (silence is indistinguishable from "CybeDefend wasn't
+        // consulted at all").
+        return [
+            `## CybeDefend Business Rules (0 — fetched for ${filePath})`,
+            '',
+            '(no matching business rules for this change)',
+            '',
+            '---',
+            '',
+            `**🛡️ REQUIRED USER-VISIBLE MARKER** — include this exact line as the FIRST paragraph of your next assistant reply, BEFORE the Edit/Write tool call:`,
+            '',
+            `> 🛡️ **CybeDefend** — no matching business rules for \`${filePath}\`. Proceeding.`,
+            '',
+        ].join('\n');
+    }
+    return '';
+}
+/** Compose the security-rules markdown block. Caller omits it when empty. */
+function composeSecurityBody(markdown, total, filePath) {
+    return [
+        `## CybeDefend Security Rules (${total} — fetched for ${filePath})`,
+        markdown,
+        '',
+        visibleCalloutTemplate('Security', total, filePath),
+    ].join('\n');
+}
+//# sourceMappingURL=fetch-rules.js.map

package/dist/hooks/runtime/fetch-rules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch-rules.js","sourceRoot":"","sources":["../../../src/hooks/runtime/fetch-rules.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC9D,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAG/D,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,MAAM;IACN,OAAO;IACP,WAAW;IACX,aAAa;CACd,CAAC,CAAC;AAaH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAAuB,EAAE;IAC5D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,aAAa,CAAC;IAClD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,iBAAiB,CAAC;IACxD,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,IAAI,gBAAgB,CAAC;IAC/D,MAAM,UAAU,GAAG,IAAI,CAAC,cAAc,IAAI,YAAY,CAAC;IACvD,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY,IAAI,kBAAkB,CAAC;IAC3D,MAAM,aAAa,GAAG,IAAI,CAAC,oBAAoB,IAAI,kBAAkB,CAAC;IACtE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC;IAEnC,MAAM,KAAK,GAAG,MAAM,SAAS,EAAE,CAAC;IAChC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IAE3B,kEAAkE;IAClE,iEAAiE;IACjE,mBAAmB;IACnB,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC;QAAE,OAAO;IAClD,IAAI,CAAC,KAAK,CAAC,QAAQ;QAAE,OAAO;IAE5B,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,IAAI,CAAC,MAAM;QAAE,OAAO;IAEpB,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,cAAc,EAAE,CAAC;IAC/D,IAAI,CAAC,SAAS;QAAE,OAAO;IAEvB,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,aAAa,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;IAE5E,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAChD,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,SAAS,GAAG;QAChB,OAAO;QACP,SAAS;QACT,KAAK;QACL,KAAK,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC;QACvB,MAAM;QACN,IAAI,EAAE,CAAC;KACR,CAAC;IAEF,oEAAoE;IACpE,kEAAkE;IAClE,MAAM,CAAC,cAAc,EAAE,cAAc,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACzD,UAAU,CAAC,SAAS,CAAC;QACrB,aAAa,CAAC,SAAS,CAAC;KACzB,CAAC,CAAC;IAEH,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,IAAI,GAAG,WAAW,CACtB,cAAc,CAAC,QAAQ,EACvB,cAAc,CAAC,KAAK,EACpB,KAAK,CAAC,QAAQ,CACf,CAAC;QACF,IAAI,IAAI;YAAE,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,IACE,cAAc;QACd,cAAc,CAAC,KAAK,GAAG,CAAC;QACxB,cAAc,CAAC,QAAQ;QACvB,cAAc,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAClC,CAAC;QACD,MAAM,CACJ,mBAAmB,CACjB,cAAc,CAAC,QAAQ,EACvB,cAAc,CAAC,KAAK,EACpB,KAAK,CAAC,QAAQ,CACf,EACD,KAAK,CAAC,MAAM,CACb,CAAC;IACJ,CAAC;AACH,CAAC;AAED,kEAAkE;AAClE,SAAS,WAAW,CAAC,KAAsB;IACzC,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,KAAK,EAAE,EAAE,CAAC,CAAC;IACzE,MAAM,OAAO,GAAG,KAAK,CAAC,UAAU;SAC7B,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC;SAC9C,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;SACpB,IAAI,EAAE,CAAC;IACV,OAAO,cAAc,KAAK,CAAC,QAAQ,UAAU,KAAK,CAAC,QAAQ,YAAY,KAAK,CAAC,MAAM,0BAA0B,OAAO,EAAE,CAAC;AACzH,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAS,sBAAsB,CAC7B,IAA6B,EAC7B,KAAa,EACb,QAAgB;IAEhB,MAAM,OAAO,GAAG,IAAI,KAAK,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAC;IACjE,OAAO;QACL,KAAK;QACL,EAAE;QACF,uQAAuQ;QACvQ,EAAE;QACF,sBAAsB,IAAI,cAAc,KAAK,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,UAAU,QAAQ,IAAI;QACjG,wFAAwF;QACxF,oFAAoF;QACpF,EAAE;QACF,uCAAuC,OAAO,2KAA2K;QACzN,EAAE;KACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,oDAAoD;AACpD,SAAS,WAAW,CAClB,QAAgB,EAChB,KAAa,EACb,QAAgB;IAEhB,IAAI,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,OAAO;YACL,iCAAiC,KAAK,kBAAkB,QAAQ,GAAG;YACnE,QAAQ;YACR,EAAE;YACF,sBAAsB,CAAC,UAAU,EAAE,KAAK,EAAE,QAAQ,CAAC;SACpD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC;IACD,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,sEAAsE;QACtE,iEAAiE;QACjE,+DAA+D;QAC/D,sBAAsB;QACtB,OAAO;YACL,iDAAiD,QAAQ,GAAG;YAC5D,EAAE;YACF,8CAA8C;YAC9C,EAAE;YACF,KAAK;YACL,EAAE;YACF,sJAAsJ;YACtJ,EAAE;YACF,2DAA2D,QAAQ,iBAAiB;YACpF,EAAE;SACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,6EAA6E;AAC7E,SAAS,mBAAmB,CAC1B,QAAgB,EAChB,KAAa,EACb,QAAgB;IAEhB,OAAO;QACL,iCAAiC,KAAK,kBAAkB,QAAQ,GAAG;QACnE,QAAQ;QACR,EAAE;QACF,sBAAsB,CAAC,UAAU,EAAE,KAAK,EAAE,QAAQ,CAAC;KACpD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC"}