@det-acp/core 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (114) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +492 -0
  3. package/dist/cli/index.d.ts +15 -0
  4. package/dist/cli/index.d.ts.map +1 -0
  5. package/dist/cli/index.js +308 -0
  6. package/dist/cli/index.js.map +1 -0
  7. package/dist/cli/init.d.ts +32 -0
  8. package/dist/cli/init.d.ts.map +1 -0
  9. package/dist/cli/init.js +234 -0
  10. package/dist/cli/init.js.map +1 -0
  11. package/dist/cli/templates.d.ts +27 -0
  12. package/dist/cli/templates.d.ts.map +1 -0
  13. package/dist/cli/templates.js +266 -0
  14. package/dist/cli/templates.js.map +1 -0
  15. package/dist/engine/action-registry.d.ts +49 -0
  16. package/dist/engine/action-registry.d.ts.map +1 -0
  17. package/dist/engine/action-registry.js +95 -0
  18. package/dist/engine/action-registry.js.map +1 -0
  19. package/dist/engine/gate.d.ts +57 -0
  20. package/dist/engine/gate.d.ts.map +1 -0
  21. package/dist/engine/gate.js +145 -0
  22. package/dist/engine/gate.js.map +1 -0
  23. package/dist/engine/runtime.d.ts +98 -0
  24. package/dist/engine/runtime.d.ts.map +1 -0
  25. package/dist/engine/runtime.js +138 -0
  26. package/dist/engine/runtime.js.map +1 -0
  27. package/dist/engine/session.d.ts +74 -0
  28. package/dist/engine/session.d.ts.map +1 -0
  29. package/dist/engine/session.js +343 -0
  30. package/dist/engine/session.js.map +1 -0
  31. package/dist/index.d.ts +48 -0
  32. package/dist/index.d.ts.map +1 -0
  33. package/dist/index.js +56 -0
  34. package/dist/index.js.map +1 -0
  35. package/dist/ledger/ledger.d.ts +58 -0
  36. package/dist/ledger/ledger.d.ts.map +1 -0
  37. package/dist/ledger/ledger.js +188 -0
  38. package/dist/ledger/ledger.js.map +1 -0
  39. package/dist/ledger/query.d.ts +29 -0
  40. package/dist/ledger/query.d.ts.map +1 -0
  41. package/dist/ledger/query.js +61 -0
  42. package/dist/ledger/query.js.map +1 -0
  43. package/dist/ledger/types.d.ts +27 -0
  44. package/dist/ledger/types.d.ts.map +1 -0
  45. package/dist/ledger/types.js +5 -0
  46. package/dist/ledger/types.js.map +1 -0
  47. package/dist/policy/evaluator.d.ts +21 -0
  48. package/dist/policy/evaluator.d.ts.map +1 -0
  49. package/dist/policy/evaluator.js +383 -0
  50. package/dist/policy/evaluator.js.map +1 -0
  51. package/dist/policy/loader.d.ts +27 -0
  52. package/dist/policy/loader.d.ts.map +1 -0
  53. package/dist/policy/loader.js +69 -0
  54. package/dist/policy/loader.js.map +1 -0
  55. package/dist/policy/schema.d.ts +168 -0
  56. package/dist/policy/schema.d.ts.map +1 -0
  57. package/dist/policy/schema.js +107 -0
  58. package/dist/policy/schema.js.map +1 -0
  59. package/dist/proxy/mcp-proxy.d.ts +43 -0
  60. package/dist/proxy/mcp-proxy.d.ts.map +1 -0
  61. package/dist/proxy/mcp-proxy.js +240 -0
  62. package/dist/proxy/mcp-proxy.js.map +1 -0
  63. package/dist/proxy/mcp-types.d.ts +79 -0
  64. package/dist/proxy/mcp-types.d.ts.map +1 -0
  65. package/dist/proxy/mcp-types.js +28 -0
  66. package/dist/proxy/mcp-types.js.map +1 -0
  67. package/dist/proxy/shell-proxy.d.ts +52 -0
  68. package/dist/proxy/shell-proxy.d.ts.map +1 -0
  69. package/dist/proxy/shell-proxy.js +92 -0
  70. package/dist/proxy/shell-proxy.js.map +1 -0
  71. package/dist/rollback/manager.d.ts +62 -0
  72. package/dist/rollback/manager.d.ts.map +1 -0
  73. package/dist/rollback/manager.js +151 -0
  74. package/dist/rollback/manager.js.map +1 -0
  75. package/dist/server/server.d.ts +24 -0
  76. package/dist/server/server.d.ts.map +1 -0
  77. package/dist/server/server.js +200 -0
  78. package/dist/server/server.js.map +1 -0
  79. package/dist/tools/base.d.ts +58 -0
  80. package/dist/tools/base.d.ts.map +1 -0
  81. package/dist/tools/base.js +48 -0
  82. package/dist/tools/base.js.map +1 -0
  83. package/dist/tools/command-run.d.ts +30 -0
  84. package/dist/tools/command-run.d.ts.map +1 -0
  85. package/dist/tools/command-run.js +87 -0
  86. package/dist/tools/command-run.js.map +1 -0
  87. package/dist/tools/file-read.d.ts +34 -0
  88. package/dist/tools/file-read.d.ts.map +1 -0
  89. package/dist/tools/file-read.js +67 -0
  90. package/dist/tools/file-read.js.map +1 -0
  91. package/dist/tools/file-write.d.ts +39 -0
  92. package/dist/tools/file-write.d.ts.map +1 -0
  93. package/dist/tools/file-write.js +158 -0
  94. package/dist/tools/file-write.js.map +1 -0
  95. package/dist/tools/git.d.ts +48 -0
  96. package/dist/tools/git.d.ts.map +1 -0
  97. package/dist/tools/git.js +193 -0
  98. package/dist/tools/git.js.map +1 -0
  99. package/dist/tools/http-request.d.ts +48 -0
  100. package/dist/tools/http-request.d.ts.map +1 -0
  101. package/dist/tools/http-request.js +91 -0
  102. package/dist/tools/http-request.js.map +1 -0
  103. package/dist/types.d.ts +257 -0
  104. package/dist/types.d.ts.map +1 -0
  105. package/dist/types.js +8 -0
  106. package/dist/types.js.map +1 -0
  107. package/examples/coding-agent.policy.yaml +80 -0
  108. package/examples/devops-deploy.policy.yaml +107 -0
  109. package/examples/mcp-proxy.config.yaml +34 -0
  110. package/examples/simple-session.ts +161 -0
  111. package/examples/video-upscaler.policy.yaml +86 -0
  112. package/package.json +92 -0
  113. package/schemas/generate.ts +18 -0
  114. package/schemas/policy.schema.json +7 -0
package/dist/cli/templates.js ADDED
@@ -0,0 +1,266 @@
1
+ /**
2
+ * Bundled templates for the `det-acp init` command.
3
+ *
4
+ * Contains default policy, governance rules for each integration,
5
+ * and generator functions for integration-specific config files.
6
+ */
7
+ // ---------------------------------------------------------------------------
8
+ // Default governance policy (MCP proxy tool names)
9
+ // ---------------------------------------------------------------------------
10
+ export const DEFAULT_POLICY = `\
11
+ # Deterministic Agent Control Protocol — Governance Policy
12
+ # Governs what the MCP proxy allows AI agents to do.
13
+ # Customize this file for your project's needs.
14
+
15
+ version: "1.0"
16
+ name: "default-governance"
17
+ description: "Governance policy for AI agent file operations via MCP proxy"
18
+
19
+ capabilities:
20
+ # Read operations
21
+ - tool: "read_file"
22
+ scope: {}
23
+ - tool: "read_text_file"
24
+ scope: {}
25
+ - tool: "read_multiple_files"
26
+ scope: {}
27
+ - tool: "read_media_file"
28
+ scope: {}
29
+
30
+ # Write/edit operations
31
+ - tool: "write_file"
32
+ scope: {}
33
+ - tool: "edit_file"
34
+ scope: {}
35
+
36
+ # Directory listing
37
+ - tool: "list_directory"
38
+ scope: {}
39
+ - tool: "list_directory_with_sizes"
40
+ scope: {}
41
+ - tool: "list_allowed_directories"
42
+ scope: {}
43
+
44
+ # Search
45
+ - tool: "search_files"
46
+ scope: {}
47
+ - tool: "get_file_info"
48
+ scope: {}
49
+
50
+ # Intentionally NOT included (will be DENIED):
51
+ # - create_directory
52
+ # - move_file
53
+ # - directory_tree
54
+
55
+ limits:
56
+ max_runtime_ms: 3600000 # 1 hour
57
+
58
+ gates: []
59
+
60
+ evidence:
61
+ require: []
62
+ format: "jsonl"
63
+
64
+ forbidden:
65
+ - pattern: "**/.env"
66
+ - pattern: "**/.env.*"
67
+ - pattern: "**/secrets*"
68
+ - pattern: "**/credentials*"
69
+ - pattern: "**/.git/config"
70
+
71
+ session:
72
+ max_actions: 200
73
+ max_denials: 30
74
+ rate_limit:
75
+ max_per_minute: 60
76
+ `;
77
+ // ---------------------------------------------------------------------------
78
+ // Cursor — governance.mdc
79
+ // ---------------------------------------------------------------------------
80
+ export const GOVERNANCE_MDC = `\
81
+ ---
82
+ description: Enforce governance on all file and system operations
83
+ globs:
84
+ alwaysApply: true
85
+ ---
86
+
87
+ # Mandatory Governance Rule
88
+
89
+ You MUST use the \`governed-filesystem\` MCP server for ALL file and system operations. You are strictly forbidden from using your built-in tools to bypass governance.
90
+
91
+ ## Required Tool Mapping
92
+
93
+ Instead of your built-in tools, you MUST use these governed equivalents:
94
+
95
+ | Instead of (built-in) | Use (governed MCP) |
96
+ |---------------------------|----------------------------------------------------|
97
+ | \`Read\` tool | \`governed-filesystem\` → \`read_text_file\` |
98
+ | \`Write\` tool | \`governed-filesystem\` → \`write_file\` |
99
+ | \`StrReplace\` / \`Edit\` | \`governed-filesystem\` → \`edit_file\` |
100
+ | \`LS\` tool | \`governed-filesystem\` → \`list_directory\` |
101
+ | \`Glob\` / \`Search\` | \`governed-filesystem\` → \`search_files\` |
102
+ | Reading multiple files | \`governed-filesystem\` → \`read_multiple_files\` |
103
+ | \`Delete\` tool | Not available — you may not delete files |
104
+
105
+ ## Rules
106
+
107
+ 1. **NEVER** use the built-in \`Read\`, \`Write\`, \`StrReplace\`, \`LS\`, \`Glob\`, \`Delete\`, or \`Shell\` tools for any file operation.
108
+ 2. **ALWAYS** route file reads through \`governed-filesystem\` → \`read_text_file\`.
109
+ 3. **ALWAYS** route file writes through \`governed-filesystem\` → \`write_file\`.
110
+ 4. **ALWAYS** route file edits through \`governed-filesystem\` → \`edit_file\`.
111
+ 5. **ALWAYS** route directory listings through \`governed-filesystem\` → \`list_directory\`.
112
+ 6. **ALWAYS** route file searches through \`governed-filesystem\` → \`search_files\`.
113
+ 7. If a governed tool call is **denied by policy**, you MUST respect the denial. Do NOT attempt to use a built-in tool as a fallback. Report the denial to the user instead.
114
+ 8. If you need a tool that is not available through the governed MCP server, ask the user for permission before proceeding.
115
+
116
+ ## Why
117
+
118
+ All file and system operations must go through the Deterministic Agent Control Protocol governance layer for policy enforcement and audit logging. Using built-in tools would bypass security policies, forbidden path protections, and the tamper-evident evidence ledger.
119
+ `;
120
+ // ---------------------------------------------------------------------------
121
+ // Claude Code — CLAUDE.md
122
+ // ---------------------------------------------------------------------------
123
+ export const CLAUDE_MD = `\
124
+ # Governance Instructions
125
+
126
+ You MUST use the \`governed-filesystem\` MCP server for ALL file and system operations. You are strictly forbidden from using your built-in tools to bypass governance.
127
+
128
+ ## Required Tool Mapping
129
+
130
+ Instead of your built-in file tools, you MUST use these governed equivalents:
131
+
132
+ | Instead of (built-in) | Use (governed MCP) |
133
+ |--------------------------|------------------------------------------------|
134
+ | \`Read\` tool | \`governed-filesystem\` → \`read_text_file\` |
135
+ | \`Write\` tool | \`governed-filesystem\` → \`write_file\` |
136
+ | \`Edit\` tool | \`governed-filesystem\` → \`edit_file\` |
137
+ | \`LS\` / \`Glob\` | \`governed-filesystem\` → \`list_directory\` |
138
+ | \`Grep\` / \`Search\` | \`governed-filesystem\` → \`search_files\` |
139
+ | Reading multiple files | \`governed-filesystem\` → \`read_multiple_files\` |
140
+ | Deleting files | Not available — you may not delete files |
141
+
142
+ ## Rules
143
+
144
+ 1. **NEVER** use the built-in \`Read\`, \`Write\`, \`Edit\`, \`Grep\`, \`Glob\`, or \`Bash\` (for file operations) tools when the governed MCP tools are available.
145
+ 2. **ALWAYS** route file reads through \`governed-filesystem\` → \`read_text_file\`.
146
+ 3. **ALWAYS** route file writes through \`governed-filesystem\` → \`write_file\`.
147
+ 4. **ALWAYS** route file edits through \`governed-filesystem\` → \`edit_file\`.
148
+ 5. **ALWAYS** route directory listings through \`governed-filesystem\` → \`list_directory\`.
149
+ 6. **ALWAYS** route file searches through \`governed-filesystem\` → \`search_files\`.
150
+ 7. If a governed tool call is **denied by policy**, you MUST respect the denial. Do NOT attempt to use a built-in tool as a fallback. Report the denial to the user instead.
151
+ 8. If you need a tool that is not available through the governed MCP server, ask the user for permission before proceeding.
152
+
153
+ ## Why
154
+
155
+ All file and system operations must go through the Deterministic Agent Control Protocol governance layer for policy enforcement and audit logging. Using built-in tools would bypass security policies, forbidden path protections, and the tamper-evident evidence ledger.
156
+ `;
157
+ // ---------------------------------------------------------------------------
158
+ // Codex — AGENTS.md
159
+ // ---------------------------------------------------------------------------
160
+ export const AGENTS_MD = `\
161
+ # Governance Instructions
162
+
163
+ You MUST use the \`governed-filesystem\` MCP server for ALL file and system operations. You are strictly forbidden from using your built-in tools to bypass governance.
164
+
165
+ ## Required Tool Mapping
166
+
167
+ Instead of your built-in file tools, you MUST use these governed equivalents:
168
+
169
+ | Instead of (built-in) | Use (governed MCP) |
170
+ |--------------------------|------------------------------------------------|
171
+ | Reading files | \`governed-filesystem\` → \`read_text_file\` |
172
+ | Writing files | \`governed-filesystem\` → \`write_file\` |
173
+ | Editing files | \`governed-filesystem\` → \`edit_file\` |
174
+ | Listing directories | \`governed-filesystem\` → \`list_directory\` |
175
+ | Searching files | \`governed-filesystem\` → \`search_files\` |
176
+ | Reading multiple files | \`governed-filesystem\` → \`read_multiple_files\` |
177
+ | Deleting files | Not available — you may not delete files |
178
+
179
+ ## Rules
180
+
181
+ 1. **NEVER** use built-in file read/write/edit tools for any file operation when the governed MCP tools are available.
182
+ 2. **ALWAYS** route file operations through the \`governed-filesystem\` MCP server.
183
+ 3. If a governed tool call is **denied by policy**, you MUST respect the denial. Do NOT attempt to use a built-in tool as a fallback. Report the denial to the user instead.
184
+ 4. If you need a tool that is not available through the governed MCP server, ask the user for permission before proceeding.
185
+
186
+ ## Why
187
+
188
+ All file and system operations must go through the Deterministic Agent Control Protocol governance layer for policy enforcement and audit logging. Using built-in tools would bypass security policies, forbidden path protections, and the tamper-evident evidence ledger.
189
+ `;
190
+ // ---------------------------------------------------------------------------
191
+ // Claude Code — .claude/settings.json
192
+ // ---------------------------------------------------------------------------
193
+ export const CLAUDE_SETTINGS_JSON = `\
194
+ {
195
+ "permissions": {
196
+ "deny": [
197
+ "Read",
198
+ "Write",
199
+ "Edit"
200
+ ],
201
+ "allow": [
202
+ "Bash",
203
+ "Grep",
204
+ "Glob",
205
+ "governed-filesystem"
206
+ ]
207
+ }
208
+ }
209
+ `;
210
+ // ---------------------------------------------------------------------------
211
+ // Config generators
212
+ // ---------------------------------------------------------------------------
213
+ /**
214
+ * Generate .cursor/mcp.json content.
215
+ * Uses the simplified `proxy --policy` mode so no mcp-proxy.yaml is needed.
216
+ */
217
+ export function generateCursorMcpJson(cliPath, policyAbsPath) {
218
+ const config = {
219
+ mcpServers: {
220
+ 'governed-filesystem': {
221
+ command: 'node',
222
+ args: [cliPath, 'proxy', '--policy', policyAbsPath],
223
+ },
224
+ },
225
+ };
226
+ return JSON.stringify(config, null, 2) + '\n';
227
+ }
228
+ /**
229
+ * Generate .mcp.json content for Claude Code.
230
+ * Uses the simplified `proxy --policy` mode so no mcp-proxy.yaml is needed.
231
+ */
232
+ export function generateClaudeCodeMcpJson(cliPath, policyAbsPath) {
233
+ const config = {
234
+ mcpServers: {
235
+ 'governed-filesystem': {
236
+ command: 'node',
237
+ args: [cliPath, 'proxy', '--policy', policyAbsPath],
238
+ },
239
+ },
240
+ };
241
+ return JSON.stringify(config, null, 2) + '\n';
242
+ }
243
+ /**
244
+ * Generate .codex/config.toml content.
245
+ * Uses the simplified `proxy --policy` mode so no mcp-proxy.yaml is needed.
246
+ */
247
+ export function generateCodexConfigToml(cliPath, policyAbsPath) {
248
+ return `\
249
+ # Codex CLI config with Deterministic Agent Control Protocol governance
250
+ # Generated by: det-acp init codex
251
+
252
+ # Use workspace-write sandbox for OS-level filesystem restrictions
253
+ sandbox_mode = "workspace-write"
254
+
255
+ # Governed MCP proxy — routes file operations through policy enforcement
256
+ [mcp_servers.governed-filesystem]
257
+ command = "node"
258
+ args = [
259
+ ${JSON.stringify(cliPath)},
260
+ "proxy",
261
+ "--policy",
262
+ ${JSON.stringify(policyAbsPath)}
263
+ ]
264
+ `;
265
+ }
266
+ //# sourceMappingURL=templates.js.map
package/dist/cli/templates.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"templates.js","sourceRoot":"","sources":["../../src/cli/templates.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,8EAA8E;AAC9E,mDAAmD;AACnD,8EAA8E;AAE9E,MAAM,CAAC,MAAM,cAAc,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkE7B,CAAC;AAEF,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,MAAM,CAAC,MAAM,cAAc,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuC7B,CAAC;AAEF,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,MAAM,CAAC,MAAM,SAAS,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiCxB,CAAC;AAEF,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,MAAM,CAAC,MAAM,SAAS,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6BxB,CAAC;AAEF,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAE9E,MAAM,CAAC,MAAM,oBAAoB,GAAG;;;;;;;;;;;;;;;;CAgBnC,CAAC;AAEF,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAe,EAAE,aAAqB;IAC1E,MAAM,MAAM,GAAG;QACb,UAAU,EAAE;YACV,qBAAqB,EAAE;gBACrB,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC;aACpD;SACF;KACF,CAAC;IACF,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC;AAChD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,yBAAyB,CAAC,OAAe,EAAE,aAAqB;IAC9E,MAAM,MAAM,GAAG;QACb,UAAU,EAAE;YACV,qBAAqB,EAAE;gBACrB,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC;aACpD;SACF;KACF,CAAC;IACF,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC;AAChD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAe,EAAE,aAAqB;IAC5E,OAAO;;;;;;;;;;;IAWL,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;;;IAGvB,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC;;CAEhC,CAAC;AACF,CAAC"}
package/dist/engine/action-registry.d.ts ADDED
@@ -0,0 +1,49 @@
1
+ /**
2
+ * Action Registry — central registry of all available tool adapters.
3
+ *
4
+ * Tools must be registered before the runtime can dispatch actions to them.
5
+ * The registry validates action requests against the policy before dispatching.
6
+ */
7
+ import type { ToolAdapter } from '../tools/base.js';
8
+ import type { ActionRequest, Policy, ValidationResult } from '../types.js';
9
+ export declare class ActionRegistry {
10
+ private adapters;
11
+ /**
12
+ * Register a tool adapter.
13
+ */
14
+ register(adapter: ToolAdapter): void;
15
+ /**
16
+ * Unregister a tool adapter by name.
17
+ */
18
+ unregister(name: string): boolean;
19
+ /**
20
+ * Get a registered tool adapter by name.
21
+ */
22
+ get(name: string): ToolAdapter | undefined;
23
+ /**
24
+ * Check if a tool adapter is registered.
25
+ */
26
+ has(name: string): boolean;
27
+ /**
28
+ * Get all registered tool adapter names.
29
+ */
30
+ listTools(): string[];
31
+ /**
32
+ * Validate an action request: check the tool exists, parse input, and
33
+ * evaluate against the policy.
34
+ */
35
+ validateAction(request: ActionRequest, policy: Policy): ValidationResult;
36
+ /**
37
+ * Get the adapter for an action, throwing if not found.
38
+ */
39
+ getRequired(name: string): ToolAdapter;
40
+ /**
41
+ * Create a registry pre-loaded with the standard tool adapters.
42
+ */
43
+ static createDefault(): ActionRegistry;
44
+ }
45
+ /**
46
+ * Create a registry with all built-in tool adapters.
47
+ */
48
+ export declare function createDefaultRegistry(): Promise<ActionRegistry>;
49
+ //# sourceMappingURL=action-registry.d.ts.map
package/dist/engine/action-registry.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"action-registry.d.ts","sourceRoot":"","sources":["../../src/engine/action-registry.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAG3E,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAkC;IAElD;;OAEG;IACH,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAOpC;;OAEG;IACH,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIjC;;OAEG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAI1C;;OAEG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI1B;;OAEG;IACH,SAAS,IAAI,MAAM,EAAE;IAIrB;;;OAGG;IACH,cAAc,CAAC,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,GAAG,gBAAgB;IAcxE;;OAEG;IACH,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,WAAW;IAQtC;;OAEG;IACH,MAAM,CAAC,aAAa,IAAI,cAAc;CAKvC;AAED;;GAEG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,cAAc,CAAC,CAgBrE"}
package/dist/engine/action-registry.js ADDED
@@ -0,0 +1,95 @@
1
+ /**
2
+ * Action Registry — central registry of all available tool adapters.
3
+ *
4
+ * Tools must be registered before the runtime can dispatch actions to them.
5
+ * The registry validates action requests against the policy before dispatching.
6
+ */
7
+ export class ActionRegistry {
8
+ adapters = new Map();
9
+ /**
10
+ * Register a tool adapter.
11
+ */
12
+ register(adapter) {
13
+ if (this.adapters.has(adapter.name)) {
14
+ throw new Error(`Tool adapter "${adapter.name}" is already registered`);
15
+ }
16
+ this.adapters.set(adapter.name, adapter);
17
+ }
18
+ /**
19
+ * Unregister a tool adapter by name.
20
+ */
21
+ unregister(name) {
22
+ return this.adapters.delete(name);
23
+ }
24
+ /**
25
+ * Get a registered tool adapter by name.
26
+ */
27
+ get(name) {
28
+ return this.adapters.get(name);
29
+ }
30
+ /**
31
+ * Check if a tool adapter is registered.
32
+ */
33
+ has(name) {
34
+ return this.adapters.has(name);
35
+ }
36
+ /**
37
+ * Get all registered tool adapter names.
38
+ */
39
+ listTools() {
40
+ return Array.from(this.adapters.keys());
41
+ }
42
+ /**
43
+ * Validate an action request: check the tool exists, parse input, and
44
+ * evaluate against the policy.
45
+ */
46
+ validateAction(request, policy) {
47
+ const adapter = this.adapters.get(request.tool);
48
+ if (!adapter) {
49
+ return {
50
+ verdict: 'deny',
51
+ tool: request.tool,
52
+ reasons: [`Unknown tool: "${request.tool}". Available: [${this.listTools().join(', ')}]`],
53
+ };
54
+ }
55
+ // Let the adapter validate its own input + policy
56
+ return adapter.validate(request.input, policy);
57
+ }
58
+ /**
59
+ * Get the adapter for an action, throwing if not found.
60
+ */
61
+ getRequired(name) {
62
+ const adapter = this.adapters.get(name);
63
+ if (!adapter) {
64
+ throw new Error(`Tool adapter "${name}" is not registered. Available: [${this.listTools().join(', ')}]`);
65
+ }
66
+ return adapter;
67
+ }
68
+ /**
69
+ * Create a registry pre-loaded with the standard tool adapters.
70
+ */
71
+ static createDefault() {
72
+ // Lazy imports to avoid circular deps
73
+ const registry = new ActionRegistry();
74
+ return registry;
75
+ }
76
+ }
77
+ /**
78
+ * Create a registry with all built-in tool adapters.
79
+ */
80
+ export async function createDefaultRegistry() {
81
+ const { FileReadAdapter } = await import('../tools/file-read.js');
82
+ const { FileWriteAdapter } = await import('../tools/file-write.js');
83
+ const { CommandRunAdapter } = await import('../tools/command-run.js');
84
+ const { HttpRequestAdapter } = await import('../tools/http-request.js');
85
+ const { GitDiffAdapter, GitApplyAdapter } = await import('../tools/git.js');
86
+ const registry = new ActionRegistry();
87
+ registry.register(new FileReadAdapter());
88
+ registry.register(new FileWriteAdapter());
89
+ registry.register(new CommandRunAdapter());
90
+ registry.register(new HttpRequestAdapter());
91
+ registry.register(new GitDiffAdapter());
92
+ registry.register(new GitApplyAdapter());
93
+ return registry;
94
+ }
95
+ //# sourceMappingURL=action-registry.js.map
package/dist/engine/action-registry.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"action-registry.js","sourceRoot":"","sources":["../../src/engine/action-registry.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,MAAM,OAAO,cAAc;IACjB,QAAQ,GAAG,IAAI,GAAG,EAAuB,CAAC;IAElD;;OAEG;IACH,QAAQ,CAAC,OAAoB;QAC3B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,iBAAiB,OAAO,CAAC,IAAI,yBAAyB,CAAC,CAAC;QAC1E,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,IAAY;QACrB,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED;;;OAGG;IACH,cAAc,CAAC,OAAsB,EAAE,MAAc;QACnD,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAChD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;gBACL,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,OAAO,EAAE,CAAC,kBAAkB,OAAO,CAAC,IAAI,kBAAkB,IAAI,CAAC,SAAS,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;aAC1F,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,IAAY;QACtB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,iBAAiB,IAAI,oCAAoC,IAAI,CAAC,SAAS,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3G,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,aAAa;QAClB,sCAAsC;QACtC,MAAM,QAAQ,GAAG,IAAI,cAAc,EAAE,CAAC;QACtC,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACzC,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IAClE,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;IACpE,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;IACtE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IACxE,MAAM,EAAE,cAAc,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAE5E,MAAM,QAAQ,GAAG,IAAI,cAAc,EAAE,CAAC;IACtC,QAAQ,CAAC,QAAQ,CAAC,IAAI,eAAe,EAAE,CAAC,CAAC;IACzC,QAAQ,CAAC,QAAQ,CAAC,IAAI,gBAAgB,EAAE,CAAC,CAAC;IAC1C,QAAQ,CAAC,QAAQ,CAAC,IAAI,iBAAiB,EAAE,CAAC,CAAC;IAC3C,QAAQ,CAAC,QAAQ,CAAC,IAAI,kBAAkB,EAAE,CAAC,CAAC;IAC5C,QAAQ,CAAC,QAAQ,CAAC,IAAI,cAAc,EAAE,CAAC,CAAC;IACxC,QAAQ,CAAC,QAAQ,CAAC,IAAI,eAAe,EAAE,CAAC,CAAC;IAEzC,OAAO,QAAQ,CAAC;AAClB,CAAC"}
package/dist/engine/gate.d.ts ADDED
@@ -0,0 +1,57 @@
1
+ /**
2
+ * Gate Manager — handles approval gates for session actions.
3
+ *
4
+ * When a policy gate is triggered, the gate manager determines what kind
5
+ * of approval is needed and manages the approval lifecycle.
6
+ *
7
+ * Supports:
8
+ * - auto: automatically approve (for low-risk actions)
9
+ * - human: pause session and wait for human approval
10
+ * - webhook: call an external webhook for approval decision
11
+ */
12
+ import type { ActionRequest, Gate, GateDecision, GateRequest, GateResponse, RiskLevel } from '../types.js';
13
+ export type GateHandler = (request: GateRequest) => Promise<GateResponse>;
14
+ export declare class GateManager {
15
+ private pendingGates;
16
+ private responses;
17
+ private handlers;
18
+ /**
19
+ * Register a handler for a specific approval mode.
20
+ * The handler is called when a gate with that mode is triggered.
21
+ */
22
+ registerHandler(mode: string, handler: GateHandler): void;
23
+ /**
24
+ * Request approval for a gated action.
25
+ * Returns the gate decision.
26
+ */
27
+ requestApproval(sessionId: string, actionId: string, action: ActionRequest, gate: Gate): Promise<GateResponse>;
28
+ /**
29
+ * Manually resolve a pending gate (used by server/CLI for human approval).
30
+ */
31
+ resolve(sessionId: string, actionId: string, decision: GateDecision, respondedBy?: string, reason?: string): GateResponse;
32
+ /**
33
+ * Get all pending gate requests.
34
+ */
35
+ getPending(): GateRequest[];
36
+ /**
37
+ * Get pending gates for a specific session.
38
+ */
39
+ getPendingForSession(sessionId: string): GateRequest[];
40
+ /**
41
+ * Check if a gate is pending for a specific action.
42
+ */
43
+ isPending(sessionId: string, actionId: string): boolean;
44
+ /**
45
+ * Get the response for a gate (if resolved).
46
+ */
47
+ getResponse(sessionId: string, actionId: string): GateResponse | undefined;
48
+ /**
49
+ * Clear all gates for a session (e.g. on session termination).
50
+ */
51
+ clearSession(sessionId: string): void;
52
+ }
53
+ /**
54
+ * Default auto-approve handler for low-risk actions.
55
+ */
56
+ export declare function createAutoApproveHandler(maxRisk?: RiskLevel): GateHandler;
57
+ //# sourceMappingURL=gate.d.ts.map
package/dist/engine/gate.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"gate.d.ts","sourceRoot":"","sources":["../../src/engine/gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EACV,aAAa,EACb,IAAI,EACJ,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,SAAS,EACV,MAAM,aAAa,CAAC;AAErB,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;AAE1E,qBAAa,WAAW;IACtB,OAAO,CAAC,YAAY,CAAkC;IACtD,OAAO,CAAC,SAAS,CAAmC;IACpD,OAAO,CAAC,QAAQ,CAAkC;IAElD;;;OAGG;IACH,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,GAAG,IAAI;IAIzD;;;OAGG;IACG,eAAe,CACnB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,aAAa,EACrB,IAAI,EAAE,IAAI,GACT,OAAO,CAAC,YAAY,CAAC;IA0CxB;;OAEG;IACH,OAAO,CACL,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,YAAY,EACtB,WAAW,CAAC,EAAE,MAAM,EACpB,MAAM,CAAC,EAAE,MAAM,GACd,YAAY;IAoBf;;OAEG;IACH,UAAU,IAAI,WAAW,EAAE;IAI3B;;OAEG;IACH,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,EAAE;IAItD;;OAEG;IACH,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO;IAIvD;;OAEG;IACH,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS;IAI1E;;OAEG;IACH,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;CAYtC;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,GAAE,SAAiB,GAAG,WAAW,CAsBhF"}
package/dist/engine/gate.js ADDED
@@ -0,0 +1,145 @@
1
+ /**
2
+ * Gate Manager — handles approval gates for session actions.
3
+ *
4
+ * When a policy gate is triggered, the gate manager determines what kind
5
+ * of approval is needed and manages the approval lifecycle.
6
+ *
7
+ * Supports:
8
+ * - auto: automatically approve (for low-risk actions)
9
+ * - human: pause session and wait for human approval
10
+ * - webhook: call an external webhook for approval decision
11
+ */
12
+ export class GateManager {
13
+ pendingGates = new Map();
14
+ responses = new Map();
15
+ handlers = new Map();
16
+ /**
17
+ * Register a handler for a specific approval mode.
18
+ * The handler is called when a gate with that mode is triggered.
19
+ */
20
+ registerHandler(mode, handler) {
21
+ this.handlers.set(mode, handler);
22
+ }
23
+ /**
24
+ * Request approval for a gated action.
25
+ * Returns the gate decision.
26
+ */
27
+ async requestApproval(sessionId, actionId, action, gate) {
28
+ const gateKey = `${sessionId}:${actionId}`;
29
+ const request = {
30
+ sessionId,
31
+ actionId,
32
+ action,
33
+ gate,
34
+ requestedAt: new Date().toISOString(),
35
+ };
36
+ this.pendingGates.set(gateKey, request);
37
+ // Auto-approve mode
38
+ if (gate.approval === 'auto') {
39
+ const response = {
40
+ decision: 'approved',
41
+ respondedBy: 'auto',
42
+ respondedAt: new Date().toISOString(),
43
+ reason: 'Auto-approved by policy',
44
+ };
45
+ this.responses.set(gateKey, response);
46
+ this.pendingGates.delete(gateKey);
47
+ return response;
48
+ }
49
+ // Check for registered handler
50
+ const handler = this.handlers.get(gate.approval);
51
+ if (handler) {
52
+ const response = await handler(request);
53
+ this.responses.set(gateKey, response);
54
+ this.pendingGates.delete(gateKey);
55
+ return response;
56
+ }
57
+ // No handler — gate stays pending
58
+ return {
59
+ decision: 'pending',
60
+ reason: `Awaiting ${gate.approval} approval`,
61
+ };
62
+ }
63
+ /**
64
+ * Manually resolve a pending gate (used by server/CLI for human approval).
65
+ */
66
+ resolve(sessionId, actionId, decision, respondedBy, reason) {
67
+ const gateKey = `${sessionId}:${actionId}`;
68
+ const pending = this.pendingGates.get(gateKey);
69
+ if (!pending) {
70
+ throw new Error(`No pending gate found for session ${sessionId} action ${actionId}`);
71
+ }
72
+ const response = {
73
+ decision,
74
+ respondedBy,
75
+ respondedAt: new Date().toISOString(),
76
+ reason,
77
+ };
78
+ this.responses.set(gateKey, response);
79
+ this.pendingGates.delete(gateKey);
80
+ return response;
81
+ }
82
+ /**
83
+ * Get all pending gate requests.
84
+ */
85
+ getPending() {
86
+ return Array.from(this.pendingGates.values());
87
+ }
88
+ /**
89
+ * Get pending gates for a specific session.
90
+ */
91
+ getPendingForSession(sessionId) {
92
+ return Array.from(this.pendingGates.values()).filter((g) => g.sessionId === sessionId);
93
+ }
94
+ /**
95
+ * Check if a gate is pending for a specific action.
96
+ */
97
+ isPending(sessionId, actionId) {
98
+ return this.pendingGates.has(`${sessionId}:${actionId}`);
99
+ }
100
+ /**
101
+ * Get the response for a gate (if resolved).
102
+ */
103
+ getResponse(sessionId, actionId) {
104
+ return this.responses.get(`${sessionId}:${actionId}`);
105
+ }
106
+ /**
107
+ * Clear all gates for a session (e.g. on session termination).
108
+ */
109
+ clearSession(sessionId) {
110
+ for (const key of this.pendingGates.keys()) {
111
+ if (key.startsWith(`${sessionId}:`)) {
112
+ this.pendingGates.delete(key);
113
+ }
114
+ }
115
+ for (const key of this.responses.keys()) {
116
+ if (key.startsWith(`${sessionId}:`)) {
117
+ this.responses.delete(key);
118
+ }
119
+ }
120
+ }
121
+ }
122
+ /**
123
+ * Default auto-approve handler for low-risk actions.
124
+ */
125
+ export function createAutoApproveHandler(maxRisk = 'low') {
126
+ const riskOrder = ['low', 'medium', 'high', 'critical'];
127
+ const maxRiskIndex = riskOrder.indexOf(maxRisk);
128
+ return async (request) => {
129
+ const riskLevel = request.gate.risk_level ?? 'medium';
130
+ const riskIndex = riskOrder.indexOf(riskLevel);
131
+ if (riskIndex <= maxRiskIndex) {
132
+ return {
133
+ decision: 'approved',
134
+ respondedBy: 'auto-approve-handler',
135
+ respondedAt: new Date().toISOString(),
136
+ reason: `Risk level "${riskLevel}" is within auto-approve threshold "${maxRisk}"`,
137
+ };
138
+ }
139
+ return {
140
+ decision: 'pending',
141
+ reason: `Risk level "${riskLevel}" exceeds auto-approve threshold "${maxRisk}" — requires manual approval`,
142
+ };
143
+ };
144
+ }
145
+ //# sourceMappingURL=gate.js.map
package/dist/engine/gate.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"gate.js","sourceRoot":"","sources":["../../src/engine/gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAaH,MAAM,OAAO,WAAW;IACd,YAAY,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC9C,SAAS,GAAG,IAAI,GAAG,EAAwB,CAAC;IAC5C,QAAQ,GAAG,IAAI,GAAG,EAAuB,CAAC;IAElD;;;OAGG;IACH,eAAe,CAAC,IAAY,EAAE,OAAoB;QAChD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACnC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,eAAe,CACnB,SAAiB,EACjB,QAAgB,EAChB,MAAqB,EACrB,IAAU;QAEV,MAAM,OAAO,GAAG,GAAG,SAAS,IAAI,QAAQ,EAAE,CAAC;QAE3C,MAAM,OAAO,GAAgB;YAC3B,SAAS;YACT,QAAQ;YACR,MAAM;YACN,IAAI;YACJ,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACtC,CAAC;QAEF,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAExC,oBAAoB;QACpB,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC7B,MAAM,QAAQ,GAAiB;gBAC7B,QAAQ,EAAE,UAAU;gBACpB,WAAW,EAAE,MAAM;gBACnB,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACrC,MAAM,EAAE,yBAAyB;aAClC,CAAC;YACF,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACtC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAClC,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,+BAA+B;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjD,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;YACxC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACtC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAClC,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,kCAAkC;QAClC,OAAO;YACL,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,YAAY,IAAI,CAAC,QAAQ,WAAW;SAC7C,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,OAAO,CACL,SAAiB,EACjB,QAAgB,EAChB,QAAsB,EACtB,WAAoB,EACpB,MAAe;QAEf,MAAM,OAAO,GAAG,GAAG,SAAS,IAAI,QAAQ,EAAE,CAAC;QAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAE/C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,qCAAqC,SAAS,WAAW,QAAQ,EAAE,CAAC,CAAC;QACvF,CAAC;QAED,MAAM,QAAQ,GAAiB;YAC7B,QAAQ;YACR,WAAW;YACX,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,MAAM;SACP,CAAC;QAEF,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACtC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAClC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;IAChD,CAAC;IAED;;OAEG;IACH,oBAAoB,CAAC,SAAiB;QACpC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC;IACzF,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,SAAiB,EAAE,QAAgB;QAC3C,OAAO,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,SAAS,IAAI,QAAQ,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,SAAiB,EAAE,QAAgB;QAC7C,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,SAAS,IAAI,QAAQ,EAAE,CAAC,CAAC;IACxD,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,SAAiB;QAC5B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,EAAE,CAAC;YAC3C,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,SAAS,GAAG,CAAC,EAAE,CAAC;gBACpC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;QACD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,CAAC;YACxC,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,SAAS,GAAG,CAAC,EAAE,CAAC;gBACpC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,UAAqB,KAAK;IACjE,MAAM,SAAS,GAAgB,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IACrE,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhD,OAAO,KAAK,EAAE,OAAoB,EAAyB,EAAE;QAC3D,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,UAAU,IAAI,QAAQ,CAAC;QACtD,MAAM,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAE/C,IAAI,SAAS,IAAI,YAAY,EAAE,CAAC;YAC9B,OAAO;gBACL,QAAQ,EAAE,UAAU;gBACpB,WAAW,EAAE,sBAAsB;gBACnC,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACrC,MAAM,EAAE,eAAe,SAAS,uCAAuC,OAAO,GAAG;aAClF,CAAC;QACJ,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,eAAe,SAAS,qCAAqC,OAAO,8BAA8B;SAC3G,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC"}