@flowdot.ai/guardian-agent 0.1.0

package/dist/policy/evaluator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluator.js","sourceRoot":"","sources":["../../src/policy/evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAGxD,MAAM,IAAI,GAAgC;IACxC,MAAM,EAAE,CAAC;IACT,OAAO,EAAE,CAAC;IACV,OAAO,EAAE,CAAC;IACV,IAAI,EAAE,CAAC;CACR,CAAC;AAEF,MAAM,OAAO,eAAe;IACT,MAAM,CAAS;IAEhC,YAAY,MAAc;QACxB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,iFAAiF;IACjF,QAAQ,CAAC,QAAgB,EAAE,KAAwB;QACjD,uEAAuE;QACvE,yEAAyE;QACzE,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAC5B,QAAQ,EACR,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,QAAQ,IAAI,WAAW,CAAC,CAAC,EAAE,KAAK,CAAC,CACrD,CAAC;QACF,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,MAAM,CAAC,IAAI;gBACxB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,KAAK,EAAE,QAAQ;aAChB,CAAC;QACJ,CAAC;QAED,uDAAuD;QACvD,KAAK,MAAM,KAAK,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,MAAM,CAAU,EAAE,CAAC;YAC5D,MAAM,CAAC,GAAG,IAAI,CAAC,UAAU,CACvB,QAAQ,EACR,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,KAAK,KAAK,KAAK,IAAI,iBAAiB,CAAC,CAAC,CAAC,KAAK,OAAO,IAAI,WAAW,CAAC,CAAC,EAAE,KAAK,CAAC,CACjF,CAAC;YACF,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;gBACf,OAAO;oBACL,QAAQ,EAAE,OAAO;oBACjB,WAAW,EAAE,CAAC,CAAC,IAAI;oBACnB,SAAS,EAAE,CAAC,CAAC,SAAS;oBACtB,KAAK;iBACN,CAAC;YACJ,CAAC;YACD,+EAA+E;YAC/E,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAC5B,QAAQ,EACR,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,KAAK,KAAK,KAAK,IAAI,iBAAiB,CAAC,CAAC,CAAC,KAAK,MAAM,IAAI,WAAW,CAAC,CAAC,EAAE,KAAK,CAAC,CAChF,CAAC;YACF,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;gBACpB,OAAO;oBACL,QAAQ,EAAE,MAAM;oBAChB,WAAW,EAAE,MAAM,CAAC,IAAI;oBACxB,SAAS,EAAE,MAAM,CAAC,SAAS;oBAC3B,KAAK;iBACN,CAAC;YACJ,CAAC;QACH,CAAC;QAED,yBAAyB;QACzB,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QAC/B,IAAI,CAAC,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACzB,OAAO;gBACL,QAAQ,EAAE,QAAQ;gBAClB,WAAW,EAAE,SAAS;gBACtB,SAAS,EAAE,SAAS;gBACpB,KAAK,EAAE,QAAQ;aAChB,CAAC;QACJ,CAAC;QACD,MAAM,QAAQ,GAAG,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QACzE,OAAO;YACL,QAAQ;YACR,WAAW,EAAE,SAAS;YACtB,SAAS,EAAE,SAAS;YACpB,KAAK,EAAE,CAAC,CAAC,KAAoB;SAC9B,CAAC;IACJ,CAAC;IAED,oCAAoC;IACpC,OAAO,CAAC,KAAkB;QACxB,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;IAED,+EAA+E;IAEvE,UAAU,CAChB,QAAgB,EAChB,IAAmC;QAEnC,sEAAsE;QACtE,0EAA0E;QAC1E,sEAAsE;QACtE,mDAAmD;QACnD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACrC,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzC,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;YACtC,CAAC;QACH,CAAC;QACD,kEAAkE;QAClE,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACrC,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ;gBAAE,SAAS,CAAC,kBAAkB;YACxD,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACjF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC;YACzC,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,IAAgB;IACzC,qBAAqB;IACrB,IAAI,IAAI,CAAC,KAAK,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC;IAC3C,oBAAoB;IACpB,OAAO,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC;AAClC,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,WAAW,CAAC,IAAgB,EAAE,KAAmC;IACxE,IAAI,CAAC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAC5B,IAAI,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,SAAS,EAAE,CAAC;QAC9C,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,CAAC,QAAQ,CAAC;YAAE,OAAO,KAAK,CAAC;IAC5E,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,SAAS,EAAE,CAAC;QACxC,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;YAAE,OAAO,KAAK,CAAC;IAChE,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;QAC7C,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IAC7E,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,iBAAiB,CAAC,CAAS;IAClC,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAC/D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,OAAe,EAAE,IAAY;IACrD,MAAM,EAAE,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACjC,OAAO,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,YAAY,CAAC,OAAe;IACnC,IAAI,GAAG,GAAG,GAAG,CAAC;IACd,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QAC1B,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAW,CAAC;QAC/B,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACd,GAAG,IAAI,IAAI,CAAC;YACZ,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACrB,GAAG,IAAI,GAAG,CAAC;YACX,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACrB,kBAAkB;YAClB,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;YAChB,IAAI,MAAM,GAAG,KAAK,CAAC;YACnB,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC;gBACzB,MAAM,GAAG,IAAI,CAAC;gBACd,GAAG,EAAE,CAAC;YACR,CAAC;YACD,IAAI,IAAI,GAAG,EAAE,CAAC;YACd,OAAO,GAAG,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC;gBACpD,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC;gBACrB,GAAG,EAAE,CAAC;YACR,CAAC;YACD,IAAI,GAAG,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBAC1B,mCAAmC;gBACnC,GAAG,IAAI,KAAK,CAAC;gBACb,CAAC,EAAE,CAAC;YACN,CAAC;iBAAM,CAAC;gBACN,GAAG,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC;gBAClE,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC;aAAM,CAAC;YACN,GAAG,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC;YACtB,CAAC,EAAE,CAAC;QACN,CAAC;IACH,CAAC;IACD,GAAG,IAAI,GAAG,CAAC;IACX,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAY;IACtC,gDAAgD;IAChD,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;AAClD,CAAC"}

package/dist/policy/index.d.ts

@@ -0,0 +1,11 @@
+export type { Policy, PolicyRule, PolicyScope, PolicyDecision, PolicyEvaluation, PolicyWhen, } from './types.js';
+export { PolicyEvaluator, globMatch } from './evaluator.js';
+export { flatGlobMatch, matchAttributionPath, renderAttributionPath, ATTRIBUTION_MISSING_SEGMENT, } from './attribution.js';
+export { PolicyStore } from './store.js';
+export type { PolicyStoreOptions } from './store.js';
+export { parsePolicy, validatePolicy } from './loader.js';
+export { signPayload, verifyPayload } from './integrity.js';
+export type { SignedPolicyFile } from './integrity.js';
+export { loadOrCreateSiteKey, siteKeyFromBytes, SITE_KEY_BYTES } from './site-key.js';
+export type { SiteKey } from './site-key.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/policy/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,MAAM,EACN,UAAU,EACV,WAAW,EACX,cAAc,EACd,gBAAgB,EAChB,UAAU,GACX,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC5D,OAAO,EACL,aAAa,EACb,oBAAoB,EACpB,qBAAqB,EACrB,2BAA2B,GAC5B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,YAAY,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC5D,YAAY,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AACtF,YAAY,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC"}

package/dist/policy/index.js

@@ -0,0 +1,7 @@
+export { PolicyEvaluator, globMatch } from './evaluator.js';
+export { flatGlobMatch, matchAttributionPath, renderAttributionPath, ATTRIBUTION_MISSING_SEGMENT, } from './attribution.js';
+export { PolicyStore } from './store.js';
+export { parsePolicy, validatePolicy } from './loader.js';
+export { signPayload, verifyPayload } from './integrity.js';
+export { loadOrCreateSiteKey, siteKeyFromBytes, SITE_KEY_BYTES } from './site-key.js';
+//# sourceMappingURL=index.js.map

package/dist/policy/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC5D,OAAO,EACL,aAAa,EACb,oBAAoB,EACpB,qBAAqB,EACrB,2BAA2B,GAC5B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzC,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE5D,OAAO,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC"}

package/dist/policy/integrity.d.ts

@@ -0,0 +1,17 @@
+/**
+ * HMAC-SHA256 integrity for policy files. SPEC §3.5.
+ *
+ * Signatures are produced over the canonical UTF-8 bytes of the policy data,
+ * using a 32-byte site key.
+ */
+export interface SignedPolicyFile {
+    version: 1;
+    signed_at: string;
+    signature: string;
+    data: string;
+}
+/** Compute HMAC-SHA256 over `data` using `key`. Returns base64. */
+export declare function signPayload(data: string | Buffer, key: Buffer): string;
+/** Constant-time HMAC verification. Returns true iff the signature matches. */
+export declare function verifyPayload(data: string | Buffer, signature: string, key: Buffer): boolean;
+//# sourceMappingURL=integrity.d.ts.map

package/dist/policy/integrity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"integrity.d.ts","sourceRoot":"","sources":["../../src/policy/integrity.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,CAAC,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,mEAAmE;AACnE,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAItE;AAED,+EAA+E;AAC/E,wBAAgB,aAAa,CAC3B,IAAI,EAAE,MAAM,GAAG,MAAM,EACrB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV,OAAO,CAaT"}

package/dist/policy/integrity.js

@@ -0,0 +1,31 @@
+/**
+ * HMAC-SHA256 integrity for policy files. SPEC §3.5.
+ *
+ * Signatures are produced over the canonical UTF-8 bytes of the policy data,
+ * using a 32-byte site key.
+ */
+import { createHmac, timingSafeEqual } from 'node:crypto';
+/** Compute HMAC-SHA256 over `data` using `key`. Returns base64. */
+export function signPayload(data, key) {
+    const hmac = createHmac('sha256', key);
+    hmac.update(typeof data === 'string' ? Buffer.from(data, 'utf-8') : data);
+    return hmac.digest('base64');
+}
+/** Constant-time HMAC verification. Returns true iff the signature matches. */
+export function verifyPayload(data, signature, key) {
+    const expected = signPayload(data, key);
+    const expectedBuf = Buffer.from(expected, 'base64');
+    let providedBuf;
+    /* c8 ignore start */
+    try {
+        providedBuf = Buffer.from(signature, 'base64');
+    }
+    catch {
+        return false;
+    }
+    /* c8 ignore stop */
+    if (providedBuf.length !== expectedBuf.length)
+        return false;
+    return timingSafeEqual(providedBuf, expectedBuf);
+}
+//# sourceMappingURL=integrity.js.map

package/dist/policy/integrity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"integrity.js","sourceRoot":"","sources":["../../src/policy/integrity.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAS1D,mEAAmE;AACnE,MAAM,UAAU,WAAW,CAAC,IAAqB,EAAE,GAAW;IAC5D,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC1E,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED,+EAA+E;AAC/E,MAAM,UAAU,aAAa,CAC3B,IAAqB,EACrB,SAAiB,EACjB,GAAW;IAEX,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACxC,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACpD,IAAI,WAAmB,CAAC;IACxB,qBAAqB;IACrB,IAAI,CAAC;QACH,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,oBAAoB;IACpB,IAAI,WAAW,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC5D,OAAO,eAAe,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;AACnD,CAAC"}

package/dist/policy/loader.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Parse + validate a Policy. SPEC §3.1.
+ */
+import type { Policy } from './types.js';
+/** Parse a YAML string into a validated Policy. */
+export declare function parsePolicy(yaml: string): Policy;
+/** Validate a parsed object as a Policy. Throws GuardianConfigError on issues. */
+export declare function validatePolicy(raw: unknown): Policy;
+//# sourceMappingURL=loader.d.ts.map

package/dist/policy/loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/policy/loader.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,KAAK,EAAE,MAAM,EAA2B,MAAM,YAAY,CAAC;AAKlE,mDAAmD;AACnD,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAGhD;AAED,kFAAkF;AAClF,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAoDnD"}

package/dist/policy/loader.js

@@ -0,0 +1,124 @@
+/**
+ * Parse + validate a Policy. SPEC §3.1.
+ */
+import { parse as parseYaml } from 'yaml';
+import { GuardianConfigError } from '../errors.js';
+const VALID_SCOPES = ['once', 'session', 'forever', 'banned'];
+const VALID_DEFAULT_SCOPES = ['prompt', ...VALID_SCOPES];
+/** Parse a YAML string into a validated Policy. */
+export function parsePolicy(yaml) {
+    const raw = parseYaml(yaml);
+    return validatePolicy(raw);
+}
+/** Validate a parsed object as a Policy. Throws GuardianConfigError on issues. */
+export function validatePolicy(raw) {
+    if (!isObject(raw)) {
+        throw new GuardianConfigError('policy must be an object');
+    }
+    const version = raw.version;
+    if (typeof version !== 'string' || version.length === 0) {
+        throw new GuardianConfigError('policy.version must be a non-empty string');
+    }
+    const agent_id = raw.agent_id;
+    if (typeof agent_id !== 'string' || agent_id.length === 0) {
+        throw new GuardianConfigError('policy.agent_id must be a non-empty string');
+    }
+    const defaultsRaw = raw.defaults;
+    if (!isObject(defaultsRaw)) {
+        throw new GuardianConfigError('policy.defaults must be an object');
+    }
+    const defaultsScope = defaultsRaw.scope;
+    if (typeof defaultsScope !== 'string' || !VALID_DEFAULT_SCOPES.includes(defaultsScope)) {
+        throw new GuardianConfigError(`policy.defaults.scope must be one of ${VALID_DEFAULT_SCOPES.join(', ')}`);
+    }
+    const defaultsDecision = defaultsRaw.decision;
+    if (defaultsDecision !== undefined && defaultsDecision !== 'allow' && defaultsDecision !== 'deny') {
+        throw new GuardianConfigError('policy.defaults.decision must be "allow" or "deny" if set');
+    }
+    const rulesRaw = raw.rules;
+    if (rulesRaw !== undefined && !Array.isArray(rulesRaw)) {
+        throw new GuardianConfigError('policy.rules must be an array if present');
+    }
+    const rules = [];
+    if (Array.isArray(rulesRaw)) {
+        for (let i = 0; i < rulesRaw.length; i++) {
+            rules.push(validateRule(rulesRaw[i], i));
+        }
+    }
+    const defaults = {
+        scope: defaultsScope,
+    };
+    if (defaultsDecision !== undefined) {
+        defaults.decision = defaultsDecision;
+    }
+    return {
+        version,
+        agent_id,
+        defaults,
+        rules,
+    };
+}
+function validateRule(raw, index) {
+    if (!isObject(raw)) {
+        throw new GuardianConfigError(`rule[${index}] must be an object`);
+    }
+    const tool = raw.tool;
+    if (typeof tool !== 'string' || tool.length === 0) {
+        throw new GuardianConfigError(`rule[${index}].tool must be a non-empty string`);
+    }
+    if (tool.startsWith('guardian.') ||
+        tool.startsWith('runtime.') ||
+        tool.startsWith('internal.')) {
+        throw new GuardianConfigError(`rule[${index}].tool uses a reserved prefix`);
+    }
+    const scope = raw.scope;
+    if (typeof scope !== 'string' || !VALID_SCOPES.includes(scope)) {
+        throw new GuardianConfigError(`rule[${index}].scope must be one of ${VALID_SCOPES.join(', ')}`);
+    }
+    const decision = raw.decision;
+    if (decision !== undefined && decision !== 'allow' && decision !== 'deny') {
+        throw new GuardianConfigError(`rule[${index}].decision must be "allow" or "deny" if set`);
+    }
+    const notes = raw.notes;
+    if (notes !== undefined && typeof notes !== 'string') {
+        throw new GuardianConfigError(`rule[${index}].notes must be a string if set`);
+    }
+    const when = raw.when;
+    let validatedWhen;
+    if (when !== undefined) {
+        if (!isObject(when)) {
+            throw new GuardianConfigError(`rule[${index}].when must be an object if set`);
+        }
+        validatedWhen = {};
+        if (when['model.provider'] !== undefined) {
+            if (typeof when['model.provider'] !== 'string') {
+                throw new GuardianConfigError(`rule[${index}].when['model.provider'] must be a string`);
+            }
+            validatedWhen['model.provider'] = when['model.provider'];
+        }
+        if (when['model.id'] !== undefined) {
+            if (typeof when['model.id'] !== 'string') {
+                throw new GuardianConfigError(`rule[${index}].when['model.id'] must be a string`);
+            }
+            validatedWhen['model.id'] = when['model.id'];
+        }
+    }
+    const out = {
+        tool,
+        scope: scope,
+    };
+    if (decision !== undefined) {
+        out.decision = decision;
+    }
+    if (notes !== undefined) {
+        out.notes = notes;
+    }
+    if (validatedWhen !== undefined) {
+        out.when = validatedWhen;
+    }
+    return out;
+}
+function isObject(v) {
+    return typeof v === 'object' && v !== null && !Array.isArray(v);
+}
+//# sourceMappingURL=loader.js.map

package/dist/policy/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../src/policy/loader.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAE1C,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAGnD,MAAM,YAAY,GAA2B,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;AACtF,MAAM,oBAAoB,GAAsB,CAAC,QAAQ,EAAE,GAAG,YAAY,CAAC,CAAC;AAE5E,mDAAmD;AACnD,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAAY,CAAC;IACvC,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,kFAAkF;AAClF,MAAM,UAAU,cAAc,CAAC,GAAY;IACzC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACnB,MAAM,IAAI,mBAAmB,CAAC,0BAA0B,CAAC,CAAC;IAC5D,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;IAC5B,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,mBAAmB,CAAC,2CAA2C,CAAC,CAAC;IAC7E,CAAC;IACD,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAC9B,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,mBAAmB,CAAC,4CAA4C,CAAC,CAAC;IAC9E,CAAC;IAED,MAAM,WAAW,GAAG,GAAG,CAAC,QAAQ,CAAC;IACjC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,mBAAmB,CAAC,mCAAmC,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,aAAa,GAAG,WAAW,CAAC,KAAK,CAAC;IACxC,IAAI,OAAO,aAAa,KAAK,QAAQ,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACvF,MAAM,IAAI,mBAAmB,CAC3B,wCAAwC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC1E,CAAC;IACJ,CAAC;IACD,MAAM,gBAAgB,GAAG,WAAW,CAAC,QAAQ,CAAC;IAC9C,IAAI,gBAAgB,KAAK,SAAS,IAAI,gBAAgB,KAAK,OAAO,IAAI,gBAAgB,KAAK,MAAM,EAAE,CAAC;QAClG,MAAM,IAAI,mBAAmB,CAAC,2DAA2D,CAAC,CAAC;IAC7F,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC;IAC3B,IAAI,QAAQ,KAAK,SAAS,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,mBAAmB,CAAC,0CAA0C,CAAC,CAAC;IAC5E,CAAC;IACD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACzC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAuB;QACnC,KAAK,EAAE,aAA4C;KACpD,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,QAAQ,CAAC,QAAQ,GAAG,gBAAsE,CAAC;IAC7F,CAAC;IAED,OAAO;QACL,OAAO;QACP,QAAQ;QACR,QAAQ;QACR,KAAK;KACN,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,GAAY,EAAE,KAAa;IAC/C,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACnB,MAAM,IAAI,mBAAmB,CAAC,QAAQ,KAAK,qBAAqB,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;IACtB,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,mBAAmB,CAAC,QAAQ,KAAK,mCAAmC,CAAC,CAAC;IAClF,CAAC;IACD,IACE,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;QAC5B,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;QAC3B,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAC5B,CAAC;QACD,MAAM,IAAI,mBAAmB,CAAC,QAAQ,KAAK,+BAA+B,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;IACxB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,KAAoB,CAAC,EAAE,CAAC;QAC9E,MAAM,IAAI,mBAAmB,CAC3B,QAAQ,KAAK,0BAA0B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACjE,CAAC;IACJ,CAAC;IACD,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAC9B,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,OAAO,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QAC1E,MAAM,IAAI,mBAAmB,CAC3B,QAAQ,KAAK,6CAA6C,CAC3D,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;IACxB,IAAI,KAAK,KAAK,SAAS,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACrD,MAAM,IAAI,mBAAmB,CAAC,QAAQ,KAAK,iCAAiC,CAAC,CAAC;IAChF,CAAC;IACD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;IACtB,IAAI,aAAiC,CAAC;IACtC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACpB,MAAM,IAAI,mBAAmB,CAAC,QAAQ,KAAK,iCAAiC,CAAC,CAAC;QAChF,CAAC;QACD,aAAa,GAAG,EAAE,CAAC;QACnB,IAAI,IAAI,CAAC,gBAAgB,CAAC,KAAK,SAAS,EAAE,CAAC;YACzC,IAAI,OAAO,IAAI,CAAC,gBAAgB,CAAC,KAAK,QAAQ,EAAE,CAAC;gBAC/C,MAAM,IAAI,mBAAmB,CAAC,QAAQ,KAAK,2CAA2C,CAAC,CAAC;YAC1F,CAAC;YACD,aAAa,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,SAAS,EAAE,CAAC;YACnC,IAAI,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACzC,MAAM,IAAI,mBAAmB,CAAC,QAAQ,KAAK,qCAAqC,CAAC,CAAC;YACpF,CAAC;YACD,aAAa,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,MAAM,GAAG,GAAe;QACtB,IAAI;QACJ,KAAK,EAAE,KAAoB;KAC5B,CAAC;IACF,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,GAAG,CAAC,QAAQ,GAAG,QAAsD,CAAC;IACxE,CAAC;IACD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,GAAG,CAAC,KAAK,GAAG,KAAK,CAAC;IACpB,CAAC;IACD,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,GAAG,CAAC,IAAI,GAAG,aAAa,CAAC;IAC3B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,QAAQ,CAAC,CAAU;IAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAClE,CAAC"}

package/dist/policy/site-key.d.ts

@@ -0,0 +1,22 @@
+/**
+ * SiteKey — 32 random bytes used as the HMAC key for policy file integrity.
+ *
+ * Generated on first run; persisted under `.guardian/site.key` (or whatever
+ * directory the consumer points us at). Mode 0o600. Never logged.
+ *
+ * SPEC §3.5.
+ */
+declare const SITE_KEY_BYTES = 32;
+export interface SiteKey {
+    bytes: Buffer;
+    path: string;
+}
+/**
+ * Load the site key from `path`, or generate and persist a new one if absent.
+ * Throws if the file exists but has the wrong length.
+ */
+export declare function loadOrCreateSiteKey(path: string): SiteKey;
+/** Build a SiteKey from raw bytes (for testing). */
+export declare function siteKeyFromBytes(bytes: Buffer): SiteKey;
+export { SITE_KEY_BYTES };
+//# sourceMappingURL=site-key.d.ts.map

package/dist/policy/site-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"site-key.d.ts","sourceRoot":"","sources":["../../src/policy/site-key.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAQH,QAAA,MAAM,cAAc,KAAK,CAAC;AAE1B,MAAM,WAAW,OAAO;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAuBzD;AAED,oDAAoD;AACpD,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAOvD;AAED,OAAO,EAAE,cAAc,EAAE,CAAC"}

package/dist/policy/site-key.js

@@ -0,0 +1,48 @@
+/**
+ * SiteKey — 32 random bytes used as the HMAC key for policy file integrity.
+ *
+ * Generated on first run; persisted under `.guardian/site.key` (or whatever
+ * directory the consumer points us at). Mode 0o600. Never logged.
+ *
+ * SPEC §3.5.
+ */
+import { existsSync, readFileSync, writeFileSync, chmodSync, mkdirSync } from 'node:fs';
+import { randomBytes } from 'node:crypto';
+import { dirname } from 'node:path';
+import { GuardianConfigError } from '../errors.js';
+const SITE_KEY_BYTES = 32;
+/**
+ * Load the site key from `path`, or generate and persist a new one if absent.
+ * Throws if the file exists but has the wrong length.
+ */
+export function loadOrCreateSiteKey(path) {
+    if (existsSync(path)) {
+        const bytes = readFileSync(path);
+        if (bytes.length !== SITE_KEY_BYTES) {
+            throw new GuardianConfigError(`site key at ${path} is ${bytes.length} bytes, expected ${SITE_KEY_BYTES}`);
+        }
+        return { bytes, path };
+    }
+    mkdirSync(dirname(path), { recursive: true, mode: 0o700 });
+    const bytes = randomBytes(SITE_KEY_BYTES);
+    writeFileSync(path, bytes, { mode: 0o600 });
+    // Re-chmod in case umask suppressed it.
+    /* c8 ignore start */
+    try {
+        chmodSync(path, 0o600);
+    }
+    catch {
+        // Windows: mode bits may not be enforceable. Best-effort.
+    }
+    /* c8 ignore stop */
+    return { bytes, path };
+}
+/** Build a SiteKey from raw bytes (for testing). */
+export function siteKeyFromBytes(bytes) {
+    if (bytes.length !== SITE_KEY_BYTES) {
+        throw new GuardianConfigError(`site key bytes are ${bytes.length}, expected ${SITE_KEY_BYTES}`);
+    }
+    return { bytes, path: '<in-memory>' };
+}
+export { SITE_KEY_BYTES };
+//# sourceMappingURL=site-key.js.map

package/dist/policy/site-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"site-key.js","sourceRoot":"","sources":["../../src/policy/site-key.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACxF,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAEnD,MAAM,cAAc,GAAG,EAAE,CAAC;AAO1B;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAY;IAC9C,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;YACpC,MAAM,IAAI,mBAAmB,CAC3B,eAAe,IAAI,OAAO,KAAK,CAAC,MAAM,oBAAoB,cAAc,EAAE,CAC3E,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3D,MAAM,KAAK,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC;IAC1C,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC5C,wCAAwC;IACxC,qBAAqB;IACrB,IAAI,CAAC;QACH,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;IACD,oBAAoB;IACpB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,oDAAoD;AACpD,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,IAAI,KAAK,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;QACpC,MAAM,IAAI,mBAAmB,CAC3B,sBAAsB,KAAK,CAAC,MAAM,cAAc,cAAc,EAAE,CACjE,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;AACxC,CAAC;AAED,OAAO,EAAE,cAAc,EAAE,CAAC"}

package/dist/policy/store.d.ts

@@ -0,0 +1,45 @@
+/**
+ * PolicyStore — HMAC-signed permissions.yaml + unsigned session.yaml.
+ * SPEC §3.1 / §3.5 / §3.6.
+ *
+ * Pre-alpha: simple sync I/O strategy + per-store async queue to serialize
+ * writes. Cross-process locking via `proper-lockfile` is planned for v0.4+;
+ * for now, the library assumes a single process per `.guardian/` directory.
+ */
+import type { Policy, PolicyRule, PolicyScope } from './types.js';
+import { type SiteKey } from './site-key.js';
+export interface PolicyStoreOptions {
+    /** Directory holding permissions.yaml, session.yaml, site.key. */
+    dir: string;
+    /** Agent id this store is for. */
+    agentId: string;
+    /** Default behavior when no rule matches. Used to seed an empty store. */
+    defaultScope?: 'prompt' | PolicyScope;
+    /** Pre-supplied site key (testing). If absent, loaded or created at `dir/site.key`. */
+    siteKey?: SiteKey;
+}
+export declare class PolicyStore {
+    readonly dir: string;
+    readonly agentId: string;
+    private readonly siteKey;
+    private readonly defaultScope;
+    private writeQueue;
+    constructor(options: PolicyStoreOptions);
+    /** Read merged policy: persistent rules + session rules. */
+    getPolicy(): Policy;
+    /** Add a rule. session/once go to session.yaml; forever/banned go to permissions.yaml. */
+    addRule(rule: PolicyRule): Promise<void>;
+    /** Remove a rule by tool + scope. No-op if absent. */
+    removeRule(tool: string, scope: PolicyScope): Promise<void>;
+    /** Drop session rules. */
+    clearSession(): Promise<void>;
+    /** Idempotent close. */
+    close(): Promise<void>;
+    private enqueue;
+    private emptyPolicy;
+    private readPersistent;
+    private writePersistent;
+    private readSession;
+    private writeSession;
+}
+//# sourceMappingURL=store.d.ts.map

package/dist/policy/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/policy/store.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAiBH,OAAO,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAGlE,OAAO,EAAuB,KAAK,OAAO,EAAE,MAAM,eAAe,CAAC;AAElE,MAAM,WAAW,kBAAkB;IACjC,kEAAkE;IAClE,GAAG,EAAE,MAAM,CAAC;IACZ,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,0EAA0E;IAC1E,YAAY,CAAC,EAAE,QAAQ,GAAG,WAAW,CAAC;IACtC,uFAAuF;IACvF,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAOD,qBAAa,WAAW;IACtB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAClC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAyB;IAEtD,OAAO,CAAC,UAAU,CAAuC;gBAE7C,OAAO,EAAE,kBAAkB;IAQvC,4DAA4D;IAC5D,SAAS,IAAI,MAAM;IAWnB,0FAA0F;IAC1F,OAAO,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAoBxC,sDAAsD;IACtD,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAc3D,0BAA0B;IAC1B,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAS7B,wBAAwB;IAClB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAa5B,OAAO,CAAC,OAAO;IAMf,OAAO,CAAC,WAAW;IASnB,OAAO,CAAC,cAAc;IAqBtB,OAAO,CAAC,eAAe;IA0BvB,OAAO,CAAC,WAAW;IAWnB,OAAO,CAAC,YAAY;CAiBrB"}

package/dist/policy/store.js

@@ -0,0 +1,223 @@
+/**
+ * PolicyStore — HMAC-signed permissions.yaml + unsigned session.yaml.
+ * SPEC §3.1 / §3.5 / §3.6.
+ *
+ * Pre-alpha: simple sync I/O strategy + per-store async queue to serialize
+ * writes. Cross-process locking via `proper-lockfile` is planned for v0.4+;
+ * for now, the library assumes a single process per `.guardian/` directory.
+ */
+import { existsSync, readFileSync, writeFileSync, chmodSync, mkdirSync, unlinkSync, statSync, } from 'node:fs';
+import { randomFillSync } from 'node:crypto';
+import { join } from 'node:path';
+import { parse as parseYaml, stringify as stringifyYaml } from 'yaml';
+import { GuardianIntegrityError } from '../errors.js';
+import { validatePolicy } from './loader.js';
+import { signPayload, verifyPayload } from './integrity.js';
+import { loadOrCreateSiteKey } from './site-key.js';
+const PERMISSIONS_FILE = 'permissions.yaml';
+const SESSION_FILE = 'session.yaml';
+const SITE_KEY_FILE = 'site.key';
+const POLICY_FILE_VERSION = 1;
+export class PolicyStore {
+    dir;
+    agentId;
+    siteKey;
+    defaultScope;
+    writeQueue = Promise.resolve();
+    constructor(options) {
+        this.dir = options.dir;
+        this.agentId = options.agentId;
+        this.defaultScope = options.defaultScope ?? 'prompt';
+        mkdirSync(this.dir, { recursive: true, mode: 0o700 });
+        this.siteKey = options.siteKey ?? loadOrCreateSiteKey(join(this.dir, SITE_KEY_FILE));
+    }
+    /** Read merged policy: persistent rules + session rules. */
+    getPolicy() {
+        const persistent = this.readPersistent();
+        const session = this.readSession();
+        return {
+            version: persistent.version,
+            agent_id: this.agentId,
+            defaults: persistent.defaults,
+            rules: [...persistent.rules, ...session.rules],
+        };
+    }
+    /** Add a rule. session/once go to session.yaml; forever/banned go to permissions.yaml. */
+    addRule(rule) {
+        return this.enqueue(() => {
+            if (rule.scope === 'session' || rule.scope === 'once') {
+                const cur = this.readSession();
+                cur.rules = [
+                    ...cur.rules.filter((r) => !(r.tool === rule.tool && r.scope === rule.scope)),
+                    rule,
+                ];
+                this.writeSession(cur);
+            }
+            else {
+                const cur = this.readPersistent();
+                cur.rules = [
+                    ...cur.rules.filter((r) => !(r.tool === rule.tool && r.scope === rule.scope)),
+                    rule,
+                ];
+                this.writePersistent(cur);
+            }
+        });
+    }
+    /** Remove a rule by tool + scope. No-op if absent. */
+    removeRule(tool, scope) {
+        return this.enqueue(() => {
+            if (scope === 'session' || scope === 'once') {
+                const cur = this.readSession();
+                cur.rules = cur.rules.filter((r) => !(r.tool === tool && r.scope === scope));
+                this.writeSession(cur);
+            }
+            else {
+                const cur = this.readPersistent();
+                cur.rules = cur.rules.filter((r) => !(r.tool === tool && r.scope === scope));
+                this.writePersistent(cur);
+            }
+        });
+    }
+    /** Drop session rules. */
+    clearSession() {
+        return this.enqueue(() => {
+            const sessionPath = join(this.dir, SESSION_FILE);
+            if (existsSync(sessionPath)) {
+                secureUnlink(sessionPath);
+            }
+        });
+    }
+    /** Idempotent close. */
+    async close() {
+        /* c8 ignore start */
+        try {
+            await this.writeQueue;
+        }
+        catch {
+            // Defensive: enqueue() re-wraps with .catch(() => undefined), so
+            // writeQueue never actually rejects. Belt-and-braces.
+        }
+        /* c8 ignore stop */
+    }
+    // ---- internal --------------------------------------------------------------
+    enqueue(fn) {
+        const result = this.writeQueue.then(() => fn());
+        this.writeQueue = result.catch(() => undefined);
+        return result;
+    }
+    emptyPolicy() {
+        return {
+            version: '0.2',
+            agent_id: this.agentId,
+            defaults: { scope: this.defaultScope },
+            rules: [],
+        };
+    }
+    readPersistent() {
+        const path = join(this.dir, PERMISSIONS_FILE);
+        if (!existsSync(path)) {
+            return this.emptyPolicy();
+        }
+        const raw = readFileSync(path, 'utf-8');
+        const signed = parseYaml(raw);
+        if (!isSignedFile(signed)) {
+            throw new GuardianIntegrityError(`permissions.yaml at ${path} is not in signed-file format`);
+        }
+        if (!verifyPayload(signed.data, signed.signature, this.siteKey.bytes)) {
+            throw new GuardianIntegrityError(`permissions.yaml at ${path} failed HMAC verification`);
+        }
+        const data = parseYaml(signed.data);
+        return validatePolicy(data);
+    }
+    writePersistent(policy) {
+        const path = join(this.dir, PERMISSIONS_FILE);
+        const payload = {
+            version: policy.version,
+            agent_id: this.agentId,
+            defaults: policy.defaults,
+            rules: policy.rules,
+        };
+        const dataStr = stringifyYaml(payload, { sortMapEntries: true });
+        const signature = signPayload(dataStr, this.siteKey.bytes);
+        const file = {
+            version: POLICY_FILE_VERSION,
+            signed_at: new Date().toISOString(),
+            signature,
+            data: dataStr,
+        };
+        writeFileSync(path, stringifyYaml(file), { mode: 0o600 });
+        /* c8 ignore start */
+        try {
+            chmodSync(path, 0o600);
+        }
+        catch {
+            // Windows / mode-bit unsupported FS — best effort.
+        }
+        /* c8 ignore stop */
+    }
+    readSession() {
+        const path = join(this.dir, SESSION_FILE);
+        if (!existsSync(path)) {
+            return this.emptyPolicy();
+        }
+        const raw = readFileSync(path, 'utf-8');
+        if (raw.length === 0)
+            return this.emptyPolicy();
+        const parsed = parseYaml(raw);
+        return validatePolicy(parsed);
+    }
+    writeSession(policy) {
+        const path = join(this.dir, SESSION_FILE);
+        const payload = {
+            version: policy.version,
+            agent_id: this.agentId,
+            defaults: policy.defaults,
+            rules: policy.rules,
+        };
+        writeFileSync(path, stringifyYaml(payload, { sortMapEntries: true }), { mode: 0o600 });
+        /* c8 ignore start */
+        try {
+            chmodSync(path, 0o600);
+        }
+        catch {
+            // ignore
+        }
+        /* c8 ignore stop */
+    }
+}
+function isSignedFile(v) {
+    if (typeof v !== 'object' || v === null)
+        return false;
+    const obj = v;
+    return (obj.version === POLICY_FILE_VERSION &&
+        typeof obj.signed_at === 'string' &&
+        typeof obj.signature === 'string' &&
+        typeof obj.data === 'string');
+}
+/* c8 ignore start — defensive secure-delete helper: stat / write / unlink
+   failure modes are platform-specific (Windows file locks, EACCES on read-only
+   mounts). Catches preserved as best-effort. */
+function secureUnlink(path) {
+    try {
+        const stat = statSync(path);
+        const len = stat.size;
+        if (len > 0) {
+            const buf = Buffer.alloc(len);
+            for (let i = 0; i < 3; i++) {
+                randomFillSync(buf);
+                writeFileSync(path, buf);
+            }
+        }
+    }
+    catch {
+        // ignore — best-effort
+    }
+    try {
+        unlinkSync(path);
+    }
+    catch {
+        // ignore
+    }
+}
+/* c8 ignore stop */
+//# sourceMappingURL=store.js.map

package/dist/policy/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/policy/store.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,UAAU,EACV,YAAY,EACZ,aAAa,EACb,SAAS,EACT,SAAS,EACT,UAAU,EACV,QAAQ,GACT,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AAEtE,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AAEtD,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,aAAa,EAAyB,MAAM,gBAAgB,CAAC;AACnF,OAAO,EAAE,mBAAmB,EAAgB,MAAM,eAAe,CAAC;AAalE,MAAM,gBAAgB,GAAG,kBAAkB,CAAC;AAC5C,MAAM,YAAY,GAAG,cAAc,CAAC;AACpC,MAAM,aAAa,GAAG,UAAU,CAAC;AACjC,MAAM,mBAAmB,GAAG,CAAU,CAAC;AAEvC,MAAM,OAAO,WAAW;IACb,GAAG,CAAS;IACZ,OAAO,CAAS;IACR,OAAO,CAAU;IACjB,YAAY,CAAyB;IAE9C,UAAU,GAAqB,OAAO,CAAC,OAAO,EAAE,CAAC;IAEzD,YAAY,OAA2B;QACrC,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;QACvB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,QAAQ,CAAC;QACrD,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACtD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC,CAAC;IACvF,CAAC;IAED,4DAA4D;IAC5D,SAAS;QACP,MAAM,UAAU,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACnC,OAAO;YACL,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,QAAQ,EAAE,IAAI,CAAC,OAAO;YACtB,QAAQ,EAAE,UAAU,CAAC,QAAQ;YAC7B,KAAK,EAAE,CAAC,GAAG,UAAU,CAAC,KAAK,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,0FAA0F;IAC1F,OAAO,CAAC,IAAgB;QACtB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE;YACvB,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,KAAK,MAAM,EAAE,CAAC;gBACtD,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC/B,GAAG,CAAC,KAAK,GAAG;oBACV,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC;oBAC7E,IAAI;iBACL,CAAC;gBACF,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YACzB,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;gBAClC,GAAG,CAAC,KAAK,GAAG;oBACV,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC;oBAC7E,IAAI;iBACL,CAAC;gBACF,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,sDAAsD;IACtD,UAAU,CAAC,IAAY,EAAE,KAAkB;QACzC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE;YACvB,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;gBAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC/B,GAAG,CAAC,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC,CAAC;gBAC7E,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YACzB,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;gBAClC,GAAG,CAAC,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC,CAAC;gBAC7E,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,0BAA0B;IAC1B,YAAY;QACV,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE;YACvB,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YACjD,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC5B,YAAY,CAAC,WAAW,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,wBAAwB;IACxB,KAAK,CAAC,KAAK;QACT,qBAAqB;QACrB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,UAAU,CAAC;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;YACjE,sDAAsD;QACxD,CAAC;QACD,oBAAoB;IACtB,CAAC;IAED,+EAA+E;IAEvE,OAAO,CAAI,EAAW;QAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QAChD,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAChD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,WAAW;QACjB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,IAAI,CAAC,OAAO;YACtB,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,YAAY,EAAE;YACtC,KAAK,EAAE,EAAE;SACV,CAAC;IACJ,CAAC;IAEO,cAAc;QACpB,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;QAC9C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;QAC5B,CAAC;QACD,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAY,CAAC;QACzC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,sBAAsB,CAC9B,uBAAuB,IAAI,+BAA+B,CAC3D,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACtE,MAAM,IAAI,sBAAsB,CAC9B,uBAAuB,IAAI,2BAA2B,CACvD,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAY,CAAC;QAC/C,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAEO,eAAe,CAAC,MAAc;QACpC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;QAC9C,MAAM,OAAO,GAA4B;YACvC,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,QAAQ,EAAE,IAAI,CAAC,OAAO;YACtB,QAAQ,EAAE,MAAM,CAAC,QAA8C;YAC/D,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC;QACF,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;QACjE,MAAM,SAAS,GAAG,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC3D,MAAM,IAAI,GAAqB;YAC7B,OAAO,EAAE,mBAAmB;YAC5B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS;YACT,IAAI,EAAE,OAAO;SACd,CAAC;QACF,aAAa,CAAC,IAAI,EAAE,aAAa,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC1D,qBAAqB;QACrB,IAAI,CAAC;YACH,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;QACD,oBAAoB;IACtB,CAAC;IAEO,WAAW;QACjB,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QAC1C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;QAC5B,CAAC;QACD,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACxC,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;QAChD,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAY,CAAC;QACzC,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAEO,YAAY,CAAC,MAAc;QACjC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QAC1C,MAAM,OAAO,GAAG;YACd,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,QAAQ,EAAE,IAAI,CAAC,OAAO;YACtB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC;QACF,aAAa,CAAC,IAAI,EAAE,aAAa,CAAC,OAAO,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACvF,qBAAqB;QACrB,IAAI,CAAC;YACH,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,oBAAoB;IACtB,CAAC;CACF;AAED,SAAS,YAAY,CAAC,CAAU;IAC9B,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACtD,MAAM,GAAG,GAAG,CAA4B,CAAC;IACzC,OAAO,CACL,GAAG,CAAC,OAAO,KAAK,mBAAmB;QACnC,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ;QACjC,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ;QACjC,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAC7B,CAAC;AACJ,CAAC;AAED;;gDAEgD;AAChD,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC;QACtB,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;YACZ,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC3B,cAAc,CAAC,GAAG,CAAC,CAAC;gBACpB,aAAa,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uBAAuB;IACzB,CAAC;IACD,IAAI,CAAC;QACH,UAAU,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;AACH,CAAC;AACD,oBAAoB"}