@glasstrace/sdk 0.20.0 → 1.0.0

package/dist/node-subpath.d.cts

@@ -0,0 +1,132 @@
+import { f as SourceMapUploadResponse, g as SourceMapManifestResponse, I as ImportGraphPayload } from './index.d-CYYe3PxB.cjs';
+import './v4/classic/external.cjs';
+
+interface SourceMapEntry {
+    filePath: string;
+    content: string;
+}
+/**
+ * Metadata for a discovered source map file, without its content loaded.
+ * Used by the streaming upload flow to defer file reads until upload time.
+ */
+interface SourceMapFileInfo {
+    /** Relative path to the compiled JS file (`.map` extension stripped). */
+    filePath: string;
+    /** Absolute path on disk for reading the file content on demand. */
+    absolutePath: string;
+    /** File size in bytes. */
+    sizeBytes: number;
+}
+/**
+ * Recursively discovers all `.map` files in the given build directory.
+ * Returns metadata only — file content is NOT read into memory.
+ */
+declare function discoverSourceMapFiles(buildDir: string): Promise<SourceMapFileInfo[]>;
+/**
+ * Recursively finds all .map files in the given build directory.
+ * Returns relative paths and file contents.
+ *
+ * @deprecated Prefer {@link discoverSourceMapFiles} to avoid loading all
+ * source maps into memory simultaneously.
+ */
+declare function collectSourceMaps(buildDir: string): Promise<SourceMapEntry[]>;
+/**
+ * Computes a build hash for source map uploads.
+ *
+ * First tries `git rev-parse HEAD` to get the git commit SHA.
+ * On failure, falls back to a deterministic content hash:
+ * sort source map file paths alphabetically, concatenate each as
+ * `{relativePath}\n{fileLength}\n{fileContent}`, then SHA-256 the result.
+ *
+ * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
+ * `SourceMapFileInfo[]` (streaming, reads on demand).
+ */
+declare function computeBuildHash(maps?: SourceMapEntry[] | SourceMapFileInfo[]): Promise<string>;
+/**
+ * Uploads source maps to the ingestion API.
+ *
+ * POSTs to `{endpoint}/v1/source-maps` with the API key, build hash,
+ * and file entries. Validates the response against SourceMapUploadResponseSchema.
+ *
+ * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
+ * `SourceMapFileInfo[]` (deferred reads). With `SourceMapFileInfo[]`,
+ * file content is read at upload time rather than at discovery time.
+ * Note: the legacy endpoint sends all files in a single JSON body, so
+ * peak memory is similar — the benefit is deferring reads past discovery.
+ */
+declare function uploadSourceMaps(apiKey: string, endpoint: string, buildHash: string, maps: SourceMapEntry[] | SourceMapFileInfo[]): Promise<SourceMapUploadResponse>;
+/** Builds at or above this byte size route to the presigned upload flow. */
+declare const PRESIGNED_THRESHOLD_BYTES = 4500000;
+/** Signature for the blob upload function, injectable for testing. */
+type BlobUploader = (clientToken: string, pathname: string, content: string) => Promise<{
+    url: string;
+    size: number;
+}>;
+/**
+ * Orchestrates the 3-phase presigned upload flow.
+ *
+ * 1. Requests presigned tokens for all source map files
+ * 2. Uploads each file to blob storage with a concurrency limit of 5,
+ *    reading file content from disk just before each upload
+ * 3. Submits the manifest to finalize the upload
+ *
+ * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
+ * `SourceMapFileInfo[]` (streaming, reads on demand).
+ *
+ * Accepts an optional `blobUploader` for test injection; defaults to
+ * {@link uploadToBlob}.
+ */
+declare function uploadSourceMapsPresigned(apiKey: string, endpoint: string, buildHash: string, maps: SourceMapEntry[] | SourceMapFileInfo[], blobUploader?: BlobUploader): Promise<SourceMapManifestResponse>;
+/**
+ * Options for {@link uploadSourceMapsAuto}, primarily used for test injection.
+ */
+interface AutoUploadOptions {
+    /** Override blob availability check (for testing). */
+    checkBlobAvailable?: () => Promise<boolean>;
+    /** Override blob uploader (for testing). */
+    blobUploader?: BlobUploader;
+}
+/**
+ * Automatically routes source map uploads based on total build size.
+ *
+ * - Below {@link PRESIGNED_THRESHOLD_BYTES}: uses the legacy single-request
+ *   {@link uploadSourceMaps} endpoint.
+ * - At or above the threshold: checks if `@vercel/blob` is available and
+ *   uses the presigned 3-phase flow. Falls back to legacy with a warning
+ *   if the package is not installed.
+ *
+ * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
+ * `SourceMapFileInfo[]` (streaming, reads on demand).
+ */
+declare function uploadSourceMapsAuto(apiKey: string, endpoint: string, buildHash: string, maps: SourceMapEntry[] | SourceMapFileInfo[], options?: AutoUploadOptions): Promise<SourceMapUploadResponse | SourceMapManifestResponse>;
+
+/**
+ * Discovers test files by scanning the project directory for conventional
+ * test file patterns. Also reads vitest/jest config files for custom include
+ * patterns and merges them with the defaults. Excludes node_modules/ and .next/.
+ *
+ * @param projectRoot - Absolute path to the project root directory.
+ * @returns Relative POSIX paths from projectRoot, capped at {@link MAX_TEST_FILES}.
+ */
+declare function discoverTestFiles(projectRoot: string): Promise<string[]>;
+/**
+ * Extracts import paths from file content using regex.
+ * Handles ES module imports, CommonJS requires, and dynamic imports.
+ *
+ * @param fileContent - The full text content of a TypeScript/JavaScript file.
+ * @returns An array of import path strings as written in the source (e.g. "./foo", "react").
+ */
+declare function extractImports(fileContent: string): string[];
+/**
+ * Builds an import graph mapping test file paths to their imported module paths.
+ *
+ * Discovers test files, reads each, extracts imports, and builds a graph.
+ * Computes a deterministic buildHash from the serialized graph content.
+ * Individual file read failures are silently skipped.
+ *
+ * @param projectRoot - Absolute path to the project root directory.
+ * @returns An {@link ImportGraphPayload} containing the graph and a deterministic buildHash.
+ */
+declare function buildImportGraph(projectRoot: string): Promise<ImportGraphPayload>;
+
+export { type AutoUploadOptions, type BlobUploader, PRESIGNED_THRESHOLD_BYTES, type SourceMapEntry, type SourceMapFileInfo, buildImportGraph, collectSourceMaps, computeBuildHash, discoverSourceMapFiles, discoverTestFiles, extractImports, uploadSourceMaps, uploadSourceMapsAuto, uploadSourceMapsPresigned };

package/dist/node-subpath.d.ts

@@ -0,0 +1,132 @@
+import { f as SourceMapUploadResponse, g as SourceMapManifestResponse, I as ImportGraphPayload } from './index.d-CYYe3PxB.js';
+import './v4/classic/external.cjs';
+
+interface SourceMapEntry {
+    filePath: string;
+    content: string;
+}
+/**
+ * Metadata for a discovered source map file, without its content loaded.
+ * Used by the streaming upload flow to defer file reads until upload time.
+ */
+interface SourceMapFileInfo {
+    /** Relative path to the compiled JS file (`.map` extension stripped). */
+    filePath: string;
+    /** Absolute path on disk for reading the file content on demand. */
+    absolutePath: string;
+    /** File size in bytes. */
+    sizeBytes: number;
+}
+/**
+ * Recursively discovers all `.map` files in the given build directory.
+ * Returns metadata only — file content is NOT read into memory.
+ */
+declare function discoverSourceMapFiles(buildDir: string): Promise<SourceMapFileInfo[]>;
+/**
+ * Recursively finds all .map files in the given build directory.
+ * Returns relative paths and file contents.
+ *
+ * @deprecated Prefer {@link discoverSourceMapFiles} to avoid loading all
+ * source maps into memory simultaneously.
+ */
+declare function collectSourceMaps(buildDir: string): Promise<SourceMapEntry[]>;
+/**
+ * Computes a build hash for source map uploads.
+ *
+ * First tries `git rev-parse HEAD` to get the git commit SHA.
+ * On failure, falls back to a deterministic content hash:
+ * sort source map file paths alphabetically, concatenate each as
+ * `{relativePath}\n{fileLength}\n{fileContent}`, then SHA-256 the result.
+ *
+ * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
+ * `SourceMapFileInfo[]` (streaming, reads on demand).
+ */
+declare function computeBuildHash(maps?: SourceMapEntry[] | SourceMapFileInfo[]): Promise<string>;
+/**
+ * Uploads source maps to the ingestion API.
+ *
+ * POSTs to `{endpoint}/v1/source-maps` with the API key, build hash,
+ * and file entries. Validates the response against SourceMapUploadResponseSchema.
+ *
+ * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
+ * `SourceMapFileInfo[]` (deferred reads). With `SourceMapFileInfo[]`,
+ * file content is read at upload time rather than at discovery time.
+ * Note: the legacy endpoint sends all files in a single JSON body, so
+ * peak memory is similar — the benefit is deferring reads past discovery.
+ */
+declare function uploadSourceMaps(apiKey: string, endpoint: string, buildHash: string, maps: SourceMapEntry[] | SourceMapFileInfo[]): Promise<SourceMapUploadResponse>;
+/** Builds at or above this byte size route to the presigned upload flow. */
+declare const PRESIGNED_THRESHOLD_BYTES = 4500000;
+/** Signature for the blob upload function, injectable for testing. */
+type BlobUploader = (clientToken: string, pathname: string, content: string) => Promise<{
+    url: string;
+    size: number;
+}>;
+/**
+ * Orchestrates the 3-phase presigned upload flow.
+ *
+ * 1. Requests presigned tokens for all source map files
+ * 2. Uploads each file to blob storage with a concurrency limit of 5,
+ *    reading file content from disk just before each upload
+ * 3. Submits the manifest to finalize the upload
+ *
+ * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
+ * `SourceMapFileInfo[]` (streaming, reads on demand).
+ *
+ * Accepts an optional `blobUploader` for test injection; defaults to
+ * {@link uploadToBlob}.
+ */
+declare function uploadSourceMapsPresigned(apiKey: string, endpoint: string, buildHash: string, maps: SourceMapEntry[] | SourceMapFileInfo[], blobUploader?: BlobUploader): Promise<SourceMapManifestResponse>;
+/**
+ * Options for {@link uploadSourceMapsAuto}, primarily used for test injection.
+ */
+interface AutoUploadOptions {
+    /** Override blob availability check (for testing). */
+    checkBlobAvailable?: () => Promise<boolean>;
+    /** Override blob uploader (for testing). */
+    blobUploader?: BlobUploader;
+}
+/**
+ * Automatically routes source map uploads based on total build size.
+ *
+ * - Below {@link PRESIGNED_THRESHOLD_BYTES}: uses the legacy single-request
+ *   {@link uploadSourceMaps} endpoint.
+ * - At or above the threshold: checks if `@vercel/blob` is available and
+ *   uses the presigned 3-phase flow. Falls back to legacy with a warning
+ *   if the package is not installed.
+ *
+ * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
+ * `SourceMapFileInfo[]` (streaming, reads on demand).
+ */
+declare function uploadSourceMapsAuto(apiKey: string, endpoint: string, buildHash: string, maps: SourceMapEntry[] | SourceMapFileInfo[], options?: AutoUploadOptions): Promise<SourceMapUploadResponse | SourceMapManifestResponse>;
+
+/**
+ * Discovers test files by scanning the project directory for conventional
+ * test file patterns. Also reads vitest/jest config files for custom include
+ * patterns and merges them with the defaults. Excludes node_modules/ and .next/.
+ *
+ * @param projectRoot - Absolute path to the project root directory.
+ * @returns Relative POSIX paths from projectRoot, capped at {@link MAX_TEST_FILES}.
+ */
+declare function discoverTestFiles(projectRoot: string): Promise<string[]>;
+/**
+ * Extracts import paths from file content using regex.
+ * Handles ES module imports, CommonJS requires, and dynamic imports.
+ *
+ * @param fileContent - The full text content of a TypeScript/JavaScript file.
+ * @returns An array of import path strings as written in the source (e.g. "./foo", "react").
+ */
+declare function extractImports(fileContent: string): string[];
+/**
+ * Builds an import graph mapping test file paths to their imported module paths.
+ *
+ * Discovers test files, reads each, extracts imports, and builds a graph.
+ * Computes a deterministic buildHash from the serialized graph content.
+ * Individual file read failures are silently skipped.
+ *
+ * @param projectRoot - Absolute path to the project root directory.
+ * @returns An {@link ImportGraphPayload} containing the graph and a deterministic buildHash.
+ */
+declare function buildImportGraph(projectRoot: string): Promise<ImportGraphPayload>;
+
+export { type AutoUploadOptions, type BlobUploader, PRESIGNED_THRESHOLD_BYTES, type SourceMapEntry, type SourceMapFileInfo, buildImportGraph, collectSourceMaps, computeBuildHash, discoverSourceMapFiles, discoverTestFiles, extractImports, uploadSourceMaps, uploadSourceMapsAuto, uploadSourceMapsPresigned };

package/dist/node-subpath.js

@@ -0,0 +1,31 @@
+import {
+  PRESIGNED_THRESHOLD_BYTES,
+  collectSourceMaps,
+  computeBuildHash,
+  discoverSourceMapFiles,
+  uploadSourceMaps,
+  uploadSourceMapsAuto,
+  uploadSourceMapsPresigned
+} from "./chunk-7PDDBLST.js";
+import "./chunk-3TU62WD6.js";
+import {
+  buildImportGraph,
+  discoverTestFiles,
+  extractImports
+} from "./chunk-BT2OCXCG.js";
+import "./chunk-VUZCLMIX.js";
+import "./chunk-TQ54WLCZ.js";
+import "./chunk-NSBPE2FW.js";
+export {
+  PRESIGNED_THRESHOLD_BYTES,
+  buildImportGraph,
+  collectSourceMaps,
+  computeBuildHash,
+  discoverSourceMapFiles,
+  discoverTestFiles,
+  extractImports,
+  uploadSourceMaps,
+  uploadSourceMapsAuto,
+  uploadSourceMapsPresigned
+};
+//# sourceMappingURL=node-subpath.js.map

package/dist/node-subpath.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/{source-map-uploader-VPDZWWM2.js → source-map-uploader-ZHA3B4GE.js}

@@ -11,9 +11,10 @@ import {
   uploadSourceMapsAuto,
   uploadSourceMapsPresigned,
   uploadToBlob
-} from "./chunk-VN3GZDV6.js";
+} from "./chunk-7PDDBLST.js";
+import "./chunk-3TU62WD6.js";
 import "./chunk-VUZCLMIX.js";
-import "./chunk-5N2IR4EO.js";
+import "./chunk-TQ54WLCZ.js";
 import "./chunk-NSBPE2FW.js";
 export {
   PRESIGNED_THRESHOLD_BYTES,
@@ -29,4 +30,4 @@ export {
   uploadSourceMapsPresigned,
   uploadToBlob
 };
-//# sourceMappingURL=source-map-uploader-VPDZWWM2.js.map
+//# sourceMappingURL=source-map-uploader-ZHA3B4GE.js.map

package/dist/source-map-uploader-ZHA3B4GE.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@glasstrace/sdk",
-  "version": "0.20.0",
+  "version": "1.0.0",
   "description": "Glasstrace server-side debugging SDK for AI coding agents",
   "type": "module",
   "sideEffects": false,
@@ -17,6 +17,14 @@
       "require": "./dist/adapters/drizzle.cjs",
       "default": "./dist/adapters/drizzle.js"
     },
+    "./node": {
+      "types": "./dist/node-subpath.d.ts",
+      "node": {
+        "import": "./dist/node-subpath.js",
+        "require": "./dist/node-subpath.cjs"
+      },
+      "default": null
+    },
     "./package.json": "./package.json"
   },
   "bin": {
@@ -35,6 +43,9 @@
   },
   "scripts": {
     "build": "tsup",
+    "postbuild": "npm run check:edge-bundle && npm run verify:subpath",
+    "check:edge-bundle": "node scripts/check-edge-bundle.mjs",
+    "verify:subpath": "bash scripts/verify-subpath-resolution.sh",
     "preuninstall": "node -e \"process.stderr.write('\\n[@glasstrace/sdk] Package removal warning:\\n  Before \\'npm uninstall @glasstrace/sdk\\' runs, Glasstrace recommends running \\'npx @glasstrace/sdk uninit\\' first to cleanly remove instrumentation files, MCP configuration, and the .glasstrace/ state directory. Without uninit, your next build may fail because instrumentation.ts and next.config still reference the removed package.\\n  See: https://glasstrace.dev/docs/cli#uninit\\n\\n')\""
   },
   "peerDependencies": {
@@ -65,6 +76,7 @@
     "@opentelemetry/sdk-trace-base": "^2.6.1",
     "@vercel/blob": "^2.3.3",
     "@vercel/otel": "^2.1.2",
+    "esbuild": "^0.27.7",
     "tsup": "^8.5.0"
   },
   "publishConfig": {

package/dist/chunk-F2TZRBEH.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/health-collector.ts","../src/https-transport.ts","../src/init-client.ts","../src/import-graph.ts"],"sourcesContent":["import type { SdkHealthReport } from \"@glasstrace/protocol\";\n\n// --- Module-level state (singleton pattern matching init-client.ts) ---\n\n/** Spans successfully forwarded to the delegate exporter since last collect. */\nlet tracesExported = 0;\n\n/** Spans dropped: buffer overflow evictions + spans lost on shutdown. */\nlet tracesDropped = 0;\n\n/** Failed performInit attempts since last collect. */\nlet initFailures = 0;\n\n/** Timestamp (ms) of the last successful config sync (performInit success or cached config load). */\nlet lastConfigSyncAt: number | null = null;\n\n// --- Recording functions (called by other modules) ---\n\n/**\n * Records that spans were submitted to the delegate exporter.\n * Counts submission, not confirmed delivery (DISC-1118).\n * Called by GlasstraceExporter after delegate.export() is invoked.\n */\nexport function recordSpansExported(count: number): void {\n  if (!Number.isFinite(count) || count < 0 || !Number.isInteger(count)) return;\n  tracesExported += count;\n}\n\n/**\n * Records that spans were dropped (buffer overflow eviction or shutdown loss).\n * Called by GlasstraceExporter on buffer eviction and unresolved-key shutdown.\n */\nexport function recordSpansDropped(count: number): void {\n  if (!Number.isFinite(count) || count < 0 || !Number.isInteger(count)) return;\n  tracesDropped += count;\n}\n\n/**\n * Records a failed performInit attempt.\n * Called by performInit when the init request fails for any reason.\n */\nexport function recordInitFailure(): void {\n  try { initFailures += 1; } catch { /* best-effort */ }\n}\n\n/**\n * Records the timestamp of a successful config sync.\n * Called by performInit on success and by loadCachedConfig when loading a valid cache.\n */\nexport function recordConfigSync(timestamp: number): void {\n  try { lastConfigSyncAt = timestamp; } catch { /* best-effort */ }\n}\n\n// --- Collection ---\n\n/**\n * Snapshots the current health metrics into an SdkHealthReport without\n * resetting counters. Counters are only reset when {@link acknowledgeHealthReport}\n * is called after the init request succeeds. This two-phase approach prevents\n * metric loss when `performInit` fails — the counters persist for the next\n * init attempt.\n *\n * On the first init call, all counters will be zero, which is correct.\n *\n * @param sdkVersion - The SDK version string to include in the report.\n * @returns The health report, or null if collection fails unexpectedly.\n */\nexport function collectHealthReport(sdkVersion: string): SdkHealthReport | null {\n  try {\n    const now = Date.now();\n    const configAge = lastConfigSyncAt !== null ? Math.max(0, now - lastConfigSyncAt) : 0;\n\n    return {\n      tracesExportedSinceLastInit: tracesExported,\n      tracesDropped,\n      initFailures,\n      configAge: Math.round(configAge),\n      sdkVersion,\n    };\n  } catch {\n    return null;\n  }\n}\n\n/**\n * Subtracts the reported values from the running counters after a health\n * report has been successfully delivered to the backend. Called by\n * `performInit` on the success path. If init fails, counters persist\n * for the next attempt.\n *\n * Uses subtraction instead of zeroing to preserve any increments that\n * occurred between the snapshot (`collectHealthReport`) and delivery\n * (e.g., spans exported during the init HTTP call). Values are clamped\n * to 0 to guard against edge cases.\n *\n * Core invariant (DISC-1123): for any finite counter C and finite reported\n * value, after acknowledge:\n *   C_new = max(0, C_before_ack - reported_value)\n * This guarantees:\n *   1. Reported finite, non-negative values are removed exactly once\n *      (no double-counting).\n *   2. Activity between snapshot and acknowledge is preserved (not lost).\n *   3. The counter never goes negative (clamp prevents underflow).\n * Corruption vectors guarded: non-finite report fields (NaN/±Infinity)\n * preserve the counter; negative finite report fields are clamped to 0\n * before subtraction.\n *\n * `lastConfigSyncAt` is NOT affected — config age measures time since\n * the last successful sync, not the last acknowledgment.\n */\nexport function acknowledgeHealthReport(report: SdkHealthReport): void {\n  const exp = Math.max(0, report.tracesExportedSinceLastInit);\n  const expVal = tracesExported - exp;\n  tracesExported = Number.isFinite(expVal) ? Math.max(0, expVal) : tracesExported;\n\n  const drop = Math.max(0, report.tracesDropped);\n  const dropVal = tracesDropped - drop;\n  tracesDropped = Number.isFinite(dropVal) ? Math.max(0, dropVal) : tracesDropped;\n\n  const fail = Math.max(0, report.initFailures);\n  const failVal = initFailures - fail;\n  initFailures = Number.isFinite(failVal) ? Math.max(0, failVal) : initFailures;\n}\n\n// --- Test support ---\n\n/**\n * Resets all health metrics to initial state. For testing only.\n */\nexport function _resetHealthForTesting(): void {\n  tracesExported = 0;\n  tracesDropped = 0;\n  initFailures = 0;\n  lastConfigSyncAt = null;\n}\n","/**\n * Minimal Node-native HTTPS transport used by the SDK init call.\n *\n * ## Why this exists\n *\n * Next.js 16 patches the global `fetch` to add caching, revalidation,\n * and request deduplication. When the SDK is bundled into a Next.js\n * process (instrumentation.ts path), outbound calls to\n * `api.glasstrace.dev` get intercepted by the patched fetch and can\n * silently hang — the fetch promise never resolves (DISC-493 Issue 3).\n *\n * A silent init hang is catastrophic: the SDK stays in \"pending key\"\n * state forever, enriched spans are buffered without ever being\n * exported, and anonymous keys are never registered server-side\n * (DISC-494).\n *\n * ## Why `node:https`\n *\n * `node:https` is a Node.js core module. It has zero bundle weight\n * (important because the SDK is tsup-inlined into every consumer's\n * bundle) and is always available on Node.js >= 20. Using it directly\n * bypasses the global `fetch` patching entirely — Next.js never sees\n * the request.\n *\n * Alternatives considered and rejected:\n *\n * - **`undici` as a runtime dep** — adds ~400KB inlined into every\n *   consumer bundle.\n * - **`fetch(..., { cache: \"no-store\", next: { revalidate: 0 } })`** —\n *   bandaid. Couples the SDK to Next.js's fetch-extension API and still\n *   relies on Next's patched fetch behaving correctly. Explicitly\n *   forbidden by the task brief for this reason.\n * - **Monkey-patch `globalThis.fetch`** — forbidden in the public SDK\n *   (`glasstrace-sdk/CLAUDE.md`). Bypassing the patched fetch by\n *   calling a different API is avoidance, not patching.\n *\n * ## Structure\n *\n * `httpsPostJson` is the only exported function. It:\n *   - Sends a POST to a URL with a JSON body\n *   - Applies a per-request timeout (default 10s)\n *   - Retries transport-level failures (DNS, TCP, TLS) with backoff\n *   - Never retries HTTP status errors — those are surfaced immediately\n *   - Distinguishes transport failure, server error, and body-parse error\n *     so callers can render actionable messages\n */\nimport {\n  request as httpsRequest,\n  type RequestOptions as HttpsRequestOptions,\n} from \"node:https\";\nimport {\n  request as httpRequest,\n  type IncomingMessage,\n} from \"node:http\";\nimport { URL } from \"node:url\";\n\n/** Error thrown when the HTTP request never completed (DNS/TCP/TLS/timeout). */\nexport class HttpsTransportError extends Error {\n  readonly kind = \"transport\" as const;\n  readonly cause?: unknown;\n  constructor(message: string, cause?: unknown) {\n    super(message);\n    this.name = \"HttpsTransportError\";\n    this.cause = cause;\n  }\n}\n\n/** Error thrown when the server returned a non-2xx HTTP status. */\nexport class HttpsStatusError extends Error {\n  readonly kind = \"status\" as const;\n  readonly status: number;\n  /** Raw response body text (may be truncated by caller if large). */\n  readonly body: string;\n  constructor(status: number, body: string) {\n    super(`Server returned HTTP ${status}`);\n    this.name = \"HttpsStatusError\";\n    this.status = status;\n    this.body = body;\n  }\n}\n\n/** Error thrown when the response body was not parseable JSON. */\nexport class HttpsBodyParseError extends Error {\n  readonly kind = \"parse\" as const;\n  readonly status: number;\n  readonly cause?: unknown;\n  constructor(status: number, cause?: unknown) {\n    super(`Server returned malformed response (HTTP ${status})`);\n    this.name = \"HttpsBodyParseError\";\n    this.status = status;\n    this.cause = cause;\n  }\n}\n\n/** Options controlling timeout and retry behavior. */\nexport interface HttpsPostJsonOptions {\n  /** Parsed headers (including Content-Type, Authorization, etc). */\n  headers: Record<string, string>;\n  /** Per-attempt timeout, ms. Defaults to 10000. */\n  timeoutMs?: number;\n  /**\n   * Total number of attempts INCLUDING the first. Defaults to 3\n   * (initial + 2 retries). Only transport errors are retried.\n   */\n  maxAttempts?: number;\n  /**\n   * Backoff delays between retries, ms. The array length should be\n   * `maxAttempts - 1`. Defaults to [500, 1500].\n   */\n  retryDelaysMs?: readonly number[];\n  /**\n   * Total deadline across all attempts, ms. Defaults to 20000.\n   * If exceeded, no further retries are attempted and the last error\n   * is surfaced. Guards against CLI hang on flaky networks.\n   */\n  totalDeadlineMs?: number;\n  /**\n   * Abort signal. When aborted, the in-flight request is terminated and\n   * no further retries are attempted.\n   */\n  signal?: AbortSignal;\n  /**\n   * Scheduler injection point for tests. Defaults to `setTimeout`.\n   * Using fake timers in tests requires the injected scheduler to honor\n   * `vi.advanceTimersByTime()` — Node's real setTimeout is fine when no\n   * fake timers are installed.\n   */\n  scheduler?: (fn: () => void, ms: number) => { unref?: () => void };\n  /**\n   * Alternate HTTPS request function. Injected by tests to simulate\n   * Next.js-style fetch patching (assert call count stays zero) or to\n   * mock transport behavior without opening real sockets.\n   */\n  requestImpl?: typeof httpsRequest;\n  /**\n   * Alternate HTTP request function, used when the URL is `http://`.\n   * Splitting http/https lets tests use a local non-TLS mock server.\n   */\n  httpRequestImpl?: typeof httpRequest;\n}\n\n/** Shape of a successful response. */\nexport interface HttpsPostJsonResult {\n  /** HTTP status code. Always in [200, 299] for success. */\n  status: number;\n  /** Parsed JSON body. May be `undefined` for 204 No Content. */\n  body: unknown;\n  /** Raw body text for diagnostics. */\n  raw: string;\n}\n\n/** Delays so a failing test still completes before the suite's timeout. */\nconst DEFAULT_TIMEOUT_MS = 10_000;\nconst DEFAULT_RETRY_DELAYS_MS = [500, 1500] as const;\nconst DEFAULT_TOTAL_DEADLINE_MS = 20_000;\n\n/**\n * Sends a POST request with a JSON body using `node:https`. Bypasses\n * any `globalThis.fetch` patching (Next.js 16, MSW, etc).\n *\n * @throws {HttpsTransportError} DNS failure, TCP reset, TLS handshake\n * failure, request timeout, or abort.\n * @throws {HttpsStatusError} HTTP response with status >= 400.\n * @throws {HttpsBodyParseError} HTTP 2xx with non-JSON body (status not\n * equal to 204).\n */\nexport async function httpsPostJson(\n  url: string,\n  jsonBody: unknown,\n  options: HttpsPostJsonOptions,\n): Promise<HttpsPostJsonResult> {\n  const parsed = new URL(url);\n  const isHttps = parsed.protocol === \"https:\";\n  const isHttp = parsed.protocol === \"http:\";\n  if (!isHttps && !isHttp) {\n    throw new HttpsTransportError(\n      `Unsupported protocol: ${parsed.protocol} (expected http: or https:)`,\n    );\n  }\n  const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n  const maxAttempts = options.maxAttempts ?? 3;\n  const retryDelaysMs = options.retryDelaysMs ?? DEFAULT_RETRY_DELAYS_MS;\n  const totalDeadlineMs = options.totalDeadlineMs ?? DEFAULT_TOTAL_DEADLINE_MS;\n  const scheduler = options.scheduler ?? ((fn, ms) => setTimeout(fn, ms));\n  const requestImpl = isHttps\n    ? (options.requestImpl ?? httpsRequest)\n    : (options.httpRequestImpl ?? httpRequest);\n\n  // Serialize once so retries use the exact same bytes.\n  let payload: string;\n  try {\n    payload = JSON.stringify(jsonBody);\n  } catch (err) {\n    throw new HttpsTransportError(\n      `Failed to serialize request body: ${err instanceof Error ? err.message : String(err)}`,\n      err,\n    );\n  }\n  const payloadBuffer = Buffer.from(payload, \"utf-8\");\n\n  const startedAt = Date.now();\n  let lastError: unknown;\n\n  for (let attempt = 0; attempt < maxAttempts; attempt += 1) {\n    if (options.signal?.aborted) {\n      throw new HttpsTransportError(\"Request aborted\");\n    }\n    // Respect the total deadline — don't start another attempt if we'd\n    // blow past it even before issuing the request.\n    const elapsed = Date.now() - startedAt;\n    if (elapsed >= totalDeadlineMs) {\n      break;\n    }\n    const remainingBudget = totalDeadlineMs - elapsed;\n    const attemptTimeoutMs = Math.min(timeoutMs, remainingBudget);\n\n    try {\n      return await sendSingleRequest(\n        parsed,\n        payloadBuffer,\n        options.headers,\n        attemptTimeoutMs,\n        options.signal,\n        requestImpl,\n      );\n    } catch (err) {\n      lastError = err;\n      // Never retry status/parse errors — they're server responses, not\n      // transient network failures.\n      if (err instanceof HttpsStatusError || err instanceof HttpsBodyParseError) {\n        throw err;\n      }\n      const isLast = attempt === maxAttempts - 1;\n      if (isLast) break;\n\n      const delayMs = retryDelaysMs[attempt] ?? retryDelaysMs[retryDelaysMs.length - 1] ?? 0;\n      const elapsedBeforeSleep = Date.now() - startedAt;\n      const remaining = totalDeadlineMs - elapsedBeforeSleep;\n      if (remaining <= 0) break;\n      const actualDelayMs = Math.min(delayMs, remaining);\n      await sleep(actualDelayMs, scheduler, options.signal);\n    }\n  }\n\n  if (lastError instanceof HttpsTransportError) throw lastError;\n  throw new HttpsTransportError(\n    lastError instanceof Error ? lastError.message : \"Request failed\",\n    lastError,\n  );\n}\n\n/**\n * Fires a single HTTPS request. Resolves with the parsed result on 2xx,\n * throws the appropriate typed error otherwise. Caller handles retries.\n */\nfunction sendSingleRequest(\n  url: URL,\n  payload: Buffer,\n  headers: Record<string, string>,\n  timeoutMs: number,\n  signal: AbortSignal | undefined,\n  requestImpl: typeof httpsRequest,\n): Promise<HttpsPostJsonResult> {\n  return new Promise<HttpsPostJsonResult>((resolve, reject) => {\n    // Merge caller headers with Content-Length so Node doesn't chunk\n    // the body. Explicit content-length also prevents confusion from\n    // servers that reject chunked POSTs.\n    const finalHeaders: Record<string, string | number> = {\n      ...headers,\n      \"Content-Length\": payload.byteLength,\n    };\n\n    const reqOptions: HttpsRequestOptions = {\n      method: \"POST\",\n      hostname: url.hostname,\n      port: url.port === \"\" ? undefined : Number(url.port),\n      path: `${url.pathname}${url.search}`,\n      headers: finalHeaders,\n      // Explicit timeout at the socket level. Still complemented by a\n      // manual timer below because `timeout` only fires when the socket\n      // is idle — it does not cover \"TLS handshake hangs forever\".\n      timeout: timeoutMs,\n    };\n\n    let settled = false;\n    // Hoisted so every settle path can clear the manual timer and drop\n    // the optional abort listener. Assigned below once `req`, `timer`,\n    // and `onAbort` exist.\n    let cleanup = (): void => {};\n    const settle = (fn: () => void): void => {\n      if (settled) return;\n      settled = true;\n      cleanup();\n      fn();\n    };\n\n    const req = requestImpl(reqOptions, (res: IncomingMessage) => {\n      const chunks: Buffer[] = [];\n      res.on(\"data\", (chunk: Buffer | string) => {\n        chunks.push(typeof chunk === \"string\" ? Buffer.from(chunk, \"utf-8\") : chunk);\n      });\n      res.on(\"end\", () => {\n        const raw = Buffer.concat(chunks).toString(\"utf-8\");\n        const status = res.statusCode ?? 0;\n        if (status < 200 || status >= 300) {\n          settle(() => reject(new HttpsStatusError(status, raw)));\n          return;\n        }\n        // HTTP 204: no body is expected; resolve with undefined.\n        if (status === 204 || raw.length === 0) {\n          settle(() => resolve({ status, body: undefined, raw }));\n          return;\n        }\n        try {\n          const parsed = JSON.parse(raw);\n          settle(() => resolve({ status, body: parsed, raw }));\n        } catch (err) {\n          settle(() => reject(new HttpsBodyParseError(status, err)));\n        }\n      });\n      res.on(\"error\", (err) => {\n        settle(() => reject(new HttpsTransportError(`Response stream error: ${err.message}`, err)));\n      });\n    });\n\n    // A single manual timeout guards against handshake/DNS hangs that\n    // the `timeout` option in `request()` does not cover. We destroy the\n    // socket on timeout so the node:https layer doesn't keep it alive.\n    const timer = setTimeout(() => {\n      settle(() => {\n        req.destroy(new Error(\"Request timed out\"));\n        reject(new HttpsTransportError(`Request timed out after ${timeoutMs}ms`));\n      });\n    }, timeoutMs);\n    // Don't block process exit while the timer is running.\n    if (typeof timer.unref === \"function\") timer.unref();\n\n    // Hoisted so `cleanup` can remove it on settle. Only registered\n    // on the signal below when `signal !== undefined`.\n    const onAbort = (): void => {\n      settle(() => {\n        req.destroy(new Error(\"Aborted\"));\n        reject(new HttpsTransportError(\"Request aborted\"));\n      });\n    };\n\n    // Install cleanup now that `timer` and `onAbort` exist. Invoked by\n    // every settle path (success, status-error, parse-error, transport\n    // error, timeout, abort) to clear the manual timer and drop the\n    // abort listener so long-lived signals don't accumulate listeners.\n    cleanup = (): void => {\n      clearTimeout(timer);\n      if (signal !== undefined) {\n        signal.removeEventListener(\"abort\", onAbort);\n      }\n    };\n\n    req.on(\"error\", (err) => {\n      settle(() => reject(new HttpsTransportError(`fetch failed: ${err.message}`, err)));\n    });\n\n    req.on(\"timeout\", () => {\n      settle(() => {\n        req.destroy(new Error(\"Request timed out\"));\n        reject(new HttpsTransportError(`Request timed out after ${timeoutMs}ms`));\n      });\n    });\n\n    if (signal !== undefined) {\n      if (signal.aborted) {\n        req.destroy(new Error(\"Aborted\"));\n        settle(() => reject(new HttpsTransportError(\"Request aborted\")));\n        return;\n      }\n      signal.addEventListener(\"abort\", onAbort, { once: true });\n    }\n\n    req.end(payload);\n  });\n}\n\n/**\n * Delay helper that honors an AbortSignal. We cannot use `setTimeout`'s\n * built-in `signal` option because it is not available in older Node 20\n * patch releases (added in 20.6).\n *\n * Both settle paths (timer fires, signal aborts) clear the pending\n * timer and remove the abort listener so this helper remains leak-free\n * under heavy retry/abort usage.\n */\nfunction sleep(\n  ms: number,\n  scheduler: (fn: () => void, ms: number) => { unref?: () => void },\n  signal: AbortSignal | undefined,\n): Promise<void> {\n  return new Promise<void>((resolve, reject) => {\n    let settled = false;\n    // Forward-declared so `settle` below can reference it. Assigned\n    // once `timer` exists.\n    let cleanup = (): void => {};\n    const settle = (fn: () => void): void => {\n      if (settled) return;\n      settled = true;\n      cleanup();\n      fn();\n    };\n    const onAbort = (): void => {\n      settle(() => reject(new HttpsTransportError(\"Request aborted\")));\n    };\n    const timer = scheduler(() => {\n      settle(resolve);\n    }, ms);\n    if (typeof timer.unref === \"function\") timer.unref();\n    cleanup = (): void => {\n      // `scheduler` returns whatever `setTimeout` returns (NodeJS.Timeout\n      // in Node, number in jsdom). Both are accepted by `clearTimeout`.\n      clearTimeout(timer as unknown as NodeJS.Timeout);\n      if (signal !== undefined) {\n        signal.removeEventListener(\"abort\", onAbort);\n      }\n    };\n    if (signal !== undefined) {\n      if (signal.aborted) {\n        onAbort();\n        return;\n      }\n      signal.addEventListener(\"abort\", onAbort, { once: true });\n    }\n  });\n}\n","import {\n  SdkInitResponseSchema,\n  SdkCachedConfigSchema,\n  DEFAULT_CAPTURE_CONFIG,\n} from \"@glasstrace/protocol\";\nimport type {\n  SdkInitResponse,\n  CaptureConfig,\n  AnonApiKey,\n  ImportGraphPayload,\n  SdkHealthReport,\n  SdkDiagnosticCode,\n} from \"@glasstrace/protocol\";\nimport type { ResolvedConfig } from \"./env-detection.js\";\nimport { recordInitFailure, recordConfigSync, acknowledgeHealthReport } from \"./health-collector.js\";\nimport {\n  httpsPostJson,\n  HttpsStatusError,\n  HttpsTransportError,\n  HttpsBodyParseError,\n} from \"./https-transport.js\";\n\nconst GLASSTRACE_DIR = \".glasstrace\";\nconst CONFIG_FILE = \"config\";\nconst TWENTY_FOUR_HOURS_MS = 24 * 60 * 60 * 1000;\nconst INIT_TIMEOUT_MS = 10_000;\n\n/**\n * Lazily imports `node:fs/promises` and `node:path`. Returns `null` if\n * the modules are unavailable (non-Node environments). Cached after first call.\n */\nlet fsPathAsyncCache: { fs: typeof import(\"node:fs/promises\"); path: typeof import(\"node:path\") } | null | undefined;\n\nasync function loadFsPathAsync(): Promise<{ fs: typeof import(\"node:fs/promises\"); path: typeof import(\"node:path\") } | null> {\n  if (fsPathAsyncCache !== undefined) return fsPathAsyncCache;\n  try {\n    const [fs, path] = await Promise.all([\n      import(\"node:fs/promises\"),\n      import(\"node:path\"),\n    ]);\n    fsPathAsyncCache = { fs, path };\n    return fsPathAsyncCache;\n  } catch {\n    fsPathAsyncCache = null;\n    return null;\n  }\n}\n\n/**\n * Lazily imports synchronous `node:fs` and `node:path` via `require()`.\n * Returns `null` when unavailable. Used by `loadCachedConfig` which is\n * synchronous for startup performance.\n */\nfunction loadFsSyncOrNull(): { readFileSync: typeof import(\"node:fs\").readFileSync; join: typeof import(\"node:path\").join } | null {\n  try {\n    // eslint-disable-next-line @typescript-eslint/no-require-imports\n    const fs = require(\"node:fs\") as typeof import(\"node:fs\");\n    // eslint-disable-next-line @typescript-eslint/no-require-imports\n    const path = require(\"node:path\") as typeof import(\"node:path\");\n    return { readFileSync: fs.readFileSync, join: path.join };\n  } catch {\n    return null;\n  }\n}\n\n/**\n * Test-only transport hook. When set, `sendInitRequest` calls this\n * instead of `httpsPostJson`. Enables unit tests to assert that the\n * SDK never routes through `globalThis.fetch` (Next.js patching) by\n * injecting a pure-function transport that never touches the network.\n *\n * Production code never sets this. Reset via `_resetConfigForTesting()`.\n */\ntype HttpsPostJsonFn = typeof httpsPostJson;\nlet transportOverride: HttpsPostJsonFn | null = null;\n\n/** In-memory config from the latest successful init response. */\nlet currentConfig: SdkInitResponse | null = null;\n\n/** Whether the disk cache has already been checked by getActiveConfig(). */\nlet configCacheChecked = false;\n\n/** Whether the next init call should be skipped (rate-limit backoff). */\nlet rateLimitBackoff = false;\n\n/** Whether the most recent performInit call completed the success path. */\nlet lastInitSucceeded = false;\n\n/**\n * Reads and validates a cached config file from `.glasstrace/config`.\n * Returns the parsed `SdkInitResponse` or `null` on any failure,\n * including when `node:fs` is unavailable (non-Node environments).\n */\nexport function loadCachedConfig(projectRoot?: string): SdkInitResponse | null {\n  const modules = loadFsSyncOrNull();\n  if (!modules) return null;\n\n  const root = projectRoot ?? process.cwd();\n  const configPath = modules.join(root, GLASSTRACE_DIR, CONFIG_FILE);\n\n  try {\n    // Use synchronous read for startup performance (this is called during init)\n    const content = modules.readFileSync(configPath, \"utf-8\");\n    const parsed = JSON.parse(content);\n    const cached = SdkCachedConfigSchema.parse(parsed);\n\n    // Warn if cache is stale\n    const age = Date.now() - cached.cachedAt;\n    if (age > TWENTY_FOUR_HOURS_MS) {\n      console.warn(\n        `[glasstrace] Cached config is ${Math.round(age / 3600000)}h old. Will refresh on next init.`,\n      );\n    }\n\n    // Parse the response through the schema\n    const result = SdkInitResponseSchema.safeParse(cached.response);\n    if (result.success) {\n      recordConfigSync(cached.cachedAt);\n      return result.data;\n    }\n\n    console.warn(\"[glasstrace] Cached config failed validation. Using defaults.\");\n    return null;\n  } catch {\n    return null;\n  }\n}\n\n/**\n * Persists the init response to `.glasstrace/config` using atomic\n * write-temp + rename semantics. Silently skipped when `node:fs` is\n * unavailable (non-Node environments). On I/O failure, logs a warning.\n *\n * Atomicity: the payload is written to `.glasstrace/config.tmp` and then\n * renamed into place. `rename` is atomic on POSIX filesystems, so readers\n * either see the previous valid config or the new valid config — never a\n * truncated or partially-written file (DISC-1247 Scenario 5). If the\n * rename fails, the temp file is cleaned up on a best-effort basis.\n */\nexport async function saveCachedConfig(\n  response: SdkInitResponse,\n  projectRoot?: string,\n): Promise<void> {\n  const modules = await loadFsPathAsync();\n  if (!modules) return;\n\n  const root = projectRoot ?? process.cwd();\n  const dirPath = modules.path.join(root, GLASSTRACE_DIR);\n  const configPath = modules.path.join(dirPath, CONFIG_FILE);\n  const tmpPath = `${configPath}.tmp`;\n\n  try {\n    await modules.fs.mkdir(dirPath, { recursive: true, mode: 0o700 });\n    await modules.fs.chmod(dirPath, 0o700);\n    const cached = {\n      response,\n      cachedAt: Date.now(),\n    };\n    // Write to a sibling temp file first, then atomically rename.\n    // Using a sibling (same directory) guarantees the rename stays on\n    // the same filesystem, which is required for atomicity.\n    await modules.fs.writeFile(tmpPath, JSON.stringify(cached), {\n      encoding: \"utf-8\",\n      mode: 0o600,\n    });\n    try {\n      await modules.fs.chmod(tmpPath, 0o600);\n      await modules.fs.rename(tmpPath, configPath);\n    } catch (renameErr) {\n      // Rename failed — remove the temp file so it doesn't linger.\n      try {\n        await modules.fs.unlink(tmpPath);\n      } catch {\n        // Best-effort cleanup; ignore unlink failures.\n      }\n      throw renameErr;\n    }\n    // chmod the final path to defend against platforms that don't honor\n    // the mode passed to writeFile/rename on first creation.\n    await modules.fs.chmod(configPath, 0o600);\n  } catch (err) {\n    console.warn(\n      `[glasstrace] Failed to cache config to ${configPath}: ${err instanceof Error ? err.message : String(err)}`,\n    );\n  }\n}\n\n/**\n * Sends a POST request to `/v1/sdk/init`.\n * Validates the response against `SdkInitResponseSchema`.\n *\n * Uses `node:https` via {@link httpsPostJson} rather than the global\n * `fetch` because Next.js 16 patches `fetch` for caching/revalidation\n * and can cause the init request to silently hang (DISC-493 Issue 3).\n * Retries transport-level failures (DNS, TCP, TLS) twice with 500ms +\n * 1500ms backoff, capped at a 20-second total deadline. Server responses\n * (HTTP 4xx/5xx) are never retried and are surfaced immediately.\n */\nexport async function sendInitRequest(\n  config: ResolvedConfig,\n  anonKey: AnonApiKey | null,\n  sdkVersion: string,\n  importGraph?: ImportGraphPayload,\n  healthReport?: SdkHealthReport,\n  diagnostics?: Array<{ code: SdkDiagnosticCode; message: string; timestamp: number }>,\n  signal?: AbortSignal,\n): Promise<SdkInitResponse> {\n  // Determine the API key for auth. Use || (not ??) so empty strings\n  // fall through to the anonymous key — defense in depth for DISC-467.\n  const effectiveKey = config.apiKey || anonKey;\n  if (!effectiveKey) {\n    throw new Error(\"No API key available for init request\");\n  }\n\n  // Build the request payload\n  const payload: Record<string, unknown> = {\n    sdkVersion,\n  };\n\n  // Straggler linking: if dev key is set AND anonKey is provided\n  if (config.apiKey && anonKey) {\n    payload.anonKey = anonKey;\n  }\n\n  if (config.environment) {\n    payload.environment = config.environment;\n  }\n  if (importGraph) {\n    payload.importGraph = importGraph;\n  }\n  if (healthReport) {\n    payload.healthReport = healthReport;\n  }\n  if (diagnostics) {\n    payload.diagnostics = diagnostics;\n  }\n\n  const url = `${config.endpoint}/v1/sdk/init`;\n\n  const transport = transportOverride ?? httpsPostJson;\n  let result;\n  try {\n    result = await transport(url, payload, {\n      headers: {\n        \"Content-Type\": \"application/json\",\n        Authorization: `Bearer ${effectiveKey}`,\n      },\n      timeoutMs: INIT_TIMEOUT_MS,\n      signal,\n    });\n  } catch (err) {\n    if (err instanceof HttpsStatusError) {\n      const error = new Error(`Init request failed with status ${err.status}`);\n      (error as unknown as Record<string, unknown>).status = err.status;\n      throw error;\n    }\n    if (err instanceof HttpsBodyParseError) {\n      // Preserve SyntaxError name so callers can distinguish parse failures\n      // (existing test contract uses `name === \"SyntaxError\"`).\n      const cause = err.cause;\n      if (cause instanceof SyntaxError) throw cause;\n      throw err;\n    }\n    if (err instanceof HttpsTransportError) {\n      // Transport error — surface as-is; callers classify via message/name.\n      throw err;\n    }\n    throw err;\n  }\n\n  return SdkInitResponseSchema.parse(result.body);\n}\n\n/**\n * Result returned by {@link performInit} when the backend reports an\n * account claim transition. `null` means no claim was present.\n */\nexport interface InitClaimResult {\n  claimResult: NonNullable<SdkInitResponse[\"claimResult\"]>;\n}\n\n/**\n * Writes a claimed API key to disk using a fallback chain:\n *   1. `.env.local` — update or create with the new key\n *   2. `.glasstrace/claimed-key` — fallback if `.env.local` is not writable\n *   3. Dashboard message — if all file writes fail (key is never logged)\n *\n * The key value MUST NOT appear in any log output or stderr message.\n * In non-Node environments where `node:fs` is unavailable, falls through\n * directly to the dashboard message (step 3).\n */\nexport async function writeClaimedKey(\n  newApiKey: string,\n  projectRoot?: string,\n): Promise<void> {\n  const modules = await loadFsPathAsync();\n\n  if (modules) {\n    const root = projectRoot ?? process.cwd();\n    const envLocalPath = modules.path.join(root, \".env.local\");\n\n    // Step 1: Try writing to .env.local\n    let envLocalWritten = false;\n    try {\n      let content: string;\n      try {\n        content = await modules.fs.readFile(envLocalPath, \"utf-8\");\n        // Replace all existing GLASSTRACE_API_KEY lines or append\n        if (/^GLASSTRACE_API_KEY=.*/m.test(content)) {\n          content = content.replace(\n            /^GLASSTRACE_API_KEY=.*$/gm,\n            `GLASSTRACE_API_KEY=${newApiKey}`,\n          );\n        } else {\n          // Ensure trailing newline before appending\n          if (content.length > 0 && !content.endsWith(\"\\n\")) {\n            content += \"\\n\";\n          }\n          content += `GLASSTRACE_API_KEY=${newApiKey}\\n`;\n        }\n      } catch (readErr: unknown) {\n        // Only create a new file when the file genuinely does not exist.\n        // Other read errors (e.g., permission denied) should not silently\n        // overwrite an existing .env.local that we cannot read.\n        const code = readErr instanceof Error ? (readErr as NodeJS.ErrnoException).code : undefined;\n        if (code !== \"ENOENT\") {\n          throw readErr;\n        }\n        content = `GLASSTRACE_API_KEY=${newApiKey}\\n`;\n      }\n\n      await modules.fs.writeFile(envLocalPath, content, { encoding: \"utf-8\", mode: 0o600 });\n      await modules.fs.chmod(envLocalPath, 0o600);\n      envLocalWritten = true;\n    } catch {\n      // .env.local write failed — fall through to step 2\n    }\n\n    if (envLocalWritten) {\n      try {\n        process.stderr.write(\n          \"[glasstrace] Account claimed! API key written to .env.local. Restart your dev server to use it.\\n\",\n        );\n      } catch { /* stderr is best-effort */ }\n      return;\n    }\n\n    // Step 2: Try writing to .glasstrace/claimed-key\n    let claimedKeyWritten = false;\n    try {\n      const dirPath = modules.path.join(root, GLASSTRACE_DIR);\n      await modules.fs.mkdir(dirPath, { recursive: true, mode: 0o700 });\n      await modules.fs.chmod(dirPath, 0o700);\n      const claimedKeyPath = modules.path.join(dirPath, \"claimed-key\");\n      await modules.fs.writeFile(claimedKeyPath, newApiKey, {\n        encoding: \"utf-8\",\n        mode: 0o600,\n      });\n      await modules.fs.chmod(claimedKeyPath, 0o600);\n      claimedKeyWritten = true;\n    } catch {\n      // .glasstrace write also failed — fall through to step 3\n    }\n\n    if (claimedKeyWritten) {\n      try {\n        process.stderr.write(\n          \"[glasstrace] Account claimed! API key written to .glasstrace/claimed-key. Copy it to your .env.local file.\\n\",\n        );\n      } catch { /* stderr is best-effort */ }\n      return;\n    }\n  }\n\n  // Step 3: All file writes failed (or node:fs unavailable) — log a message WITHOUT the key\n  try {\n    process.stderr.write(\n      \"[glasstrace] Account claimed but could not write key to disk. Visit your dashboard settings to rotate and retrieve a new API key.\\n\",\n    );\n  } catch { /* stderr is best-effort */ }\n}\n\n/**\n * Orchestrates the full init flow: send request, update config, cache result.\n * This function MUST NOT throw.\n *\n * Returns the claim result when the backend reports an account claim\n * transition, or `null` when no claim result is available (including\n * when init is skipped due to rate-limit backoff, missing API key,\n * or request failure). Callers that do not need claim information\n * can safely ignore the return value.\n */\nexport async function performInit(\n  config: ResolvedConfig,\n  anonKey: AnonApiKey | null,\n  sdkVersion: string,\n  healthReport?: SdkHealthReport | null,\n): Promise<InitClaimResult | null> {\n  lastInitSucceeded = false;\n\n  // Skip if in rate-limit backoff\n  if (rateLimitBackoff) {\n    rateLimitBackoff = false; // Reset for next call\n    return null;\n  }\n\n  // Guard flag: prevents recordInitFailure() from being called twice if the\n  // inner catch body itself throws (e.g., an unexpected error in console.warn\n  // or the instanceof checks). Without this flag, the outer safety-net catch\n  // would call recordInitFailure() a second time, inflating initFailures in\n  // the health report. Fix for DISC-1121.\n  let failureRecorded = false;\n\n  try {\n    const effectiveKey = config.apiKey || anonKey;\n    if (!effectiveKey) {\n      console.warn(\"[glasstrace] No API key available for init request.\");\n      return null;\n    }\n\n    // No outer AbortController timeout: `httpsPostJson` enforces a\n    // per-attempt timeout (INIT_TIMEOUT_MS = 10s) AND a 20s total\n    // deadline across retries. An outer 10s abort would race the first\n    // attempt's own timeout and prevent the backoff-retry window from\n    // ever running, defeating the transport's retry behavior.\n    try {\n      // Delegate to sendInitRequest to avoid duplicating fetch logic\n      const result = await sendInitRequest(\n        config,\n        anonKey,\n        sdkVersion,\n        undefined,\n        healthReport ?? undefined,\n        undefined,\n      );\n\n      // Update in-memory config\n      currentConfig = result;\n      recordConfigSync(Date.now());\n      if (healthReport) {\n        acknowledgeHealthReport(healthReport);\n      }\n      lastInitSucceeded = true;\n\n      // Persist to disk\n      await saveCachedConfig(result);\n\n      // Handle account claim transition — write key to disk, never to stderr\n      if (result.claimResult) {\n        try {\n          await writeClaimedKey(result.claimResult.newApiKey);\n        } catch {\n          // writeClaimedKey handles its own errors internally, but guard\n          // against unexpected failures to ensure claimResult is never lost\n        }\n        return { claimResult: result.claimResult };\n      }\n\n      return null;\n    } catch (err) {\n      recordInitFailure();\n      failureRecorded = true;\n\n      // HttpsTransportError covers DNS/TCP/TLS/timeout from the\n      // node:https transport itself — `httpsPostJson` raises timeouts\n      // via this error class when its internal deadlines expire.\n      if (err instanceof HttpsTransportError) {\n        if (/timed out|aborted/i.test(err.message)) {\n          console.warn(\"[glasstrace] ingestion_unreachable: Init request timed out.\");\n        } else {\n          console.warn(`[glasstrace] ingestion_unreachable: ${err.message}`);\n        }\n        return null;\n      }\n\n      // Check for HTTP status errors attached by sendInitRequest\n      const status = (err as Record<string, unknown>).status;\n      if (status === 401) {\n        console.warn(\n          \"[glasstrace] ingestion_auth_failed: Check your GLASSTRACE_API_KEY.\",\n        );\n        return null;\n      }\n\n      if (status === 429) {\n        console.warn(\"[glasstrace] ingestion_rate_limited: Backing off.\");\n        rateLimitBackoff = true;\n        return null;\n      }\n\n      if (typeof status === \"number\" && status >= 400) {\n        console.warn(\n          `[glasstrace] Init request failed with status ${status}. Using cached config.`,\n        );\n        return null;\n      }\n\n      // Schema validation failure from sendInitRequest.parse\n      // NOTE: Health report was already sent to the backend (HTTP 200).\n      // Not acknowledging here means the next report will double-count\n      // these values. This is intentional — over-reporting is preferable\n      // to data loss when the response is unparseable (DISC-1120).\n      if (err instanceof Error && err.name === \"ZodError\") {\n        console.warn(\n          \"[glasstrace] Init response failed validation (schema version mismatch?). Using cached config.\",\n        );\n        return null;\n      }\n\n      // Network error or other fetch failure\n      console.warn(\n        `[glasstrace] ingestion_unreachable: ${err instanceof Error ? err.message : String(err)}`,\n      );\n      return null;\n    }\n  } catch (err) {\n    // Outermost catch — safety net for unexpected throws from the inner catch\n    // body itself (e.g., an error in console.warn or instanceof checks).\n    // Only record the failure if the inner catch did not already do so (DISC-1121).\n    if (!failureRecorded) {\n      recordInitFailure();\n    }\n    // Guard console.warn itself: performInit MUST NOT throw. If console.warn\n    // throws here (the same failure mode this catch was added to handle), swallow\n    // silently rather than violating the \"never throws\" contract.\n    try {\n      console.warn(\n        `[glasstrace] Unexpected init error: ${err instanceof Error ? err.message : String(err)}`,\n      );\n    } catch { /* best-effort logging; never propagate */ }\n  }\n\n  return null;\n}\n\n/**\n * Returns the current capture config from the three-tier fallback chain:\n * 1. In-memory config from latest init response\n * 2. File cache (read at most once per process lifetime)\n * 3. DEFAULT_CAPTURE_CONFIG\n *\n * The disk read is cached via `configCacheChecked` to avoid repeated\n * synchronous I/O on the hot path (called by GlasstraceExporter on\n * every span export batch).\n */\nexport function getActiveConfig(): CaptureConfig {\n  // Tier 1: in-memory\n  if (currentConfig) {\n    return currentConfig.config;\n  }\n\n  // Tier 2: file cache (only attempt once)\n  if (!configCacheChecked) {\n    configCacheChecked = true;\n    const cached = loadCachedConfig();\n    if (cached) {\n      currentConfig = cached;\n      return cached.config;\n    }\n  }\n\n  // Tier 3: defaults\n  return { ...DEFAULT_CAPTURE_CONFIG };\n}\n\n/**\n * Returns the `linkedAccountId` from the current in-memory init response,\n * or `undefined` if no init response is available or no account is linked.\n *\n * Used by the discovery endpoint to determine whether `claimed: true`\n * should be included in the response.\n */\nexport function getLinkedAccountId(): string | undefined {\n  return currentConfig?.linkedAccountId;\n}\n\n/**\n * Returns the `claimResult` from the current in-memory init response,\n * or `undefined` if no init response is available or no claim occurred.\n *\n * Used by the discovery endpoint to detect in-flight claims: a valid\n * init response can include `claimResult` (claim happening NOW) without\n * `linkedAccountId` being set yet.\n */\nexport function getClaimResult(): SdkInitResponse[\"claimResult\"] {\n  return currentConfig?.claimResult;\n}\n\n/**\n * Resets the in-memory config store. For testing only.\n */\nexport function _resetConfigForTesting(): void {\n  currentConfig = null;\n  configCacheChecked = false;\n  rateLimitBackoff = false;\n  lastInitSucceeded = false;\n  transportOverride = null;\n}\n\n/**\n * Installs a test-only transport that replaces the `node:https` path\n * used by `sendInitRequest` and `performInit`. Tests use this to avoid\n * opening real sockets and to assert the SDK never routes through\n * `globalThis.fetch`. Pass `null` to restore the default transport.\n *\n * @internal Test-only. Never called from production code paths.\n */\nexport function _setTransportForTesting(fn: HttpsPostJsonFn | null): void {\n  transportOverride = fn;\n}\n\n/**\n * Sets the in-memory config directly. Used by performInit and the orchestrator.\n */\nexport function _setCurrentConfig(config: SdkInitResponse): void {\n  currentConfig = config;\n}\n\n/**\n * Returns whether rate-limit backoff is active. For testing only.\n */\nexport function _isRateLimitBackoff(): boolean {\n  return rateLimitBackoff;\n}\n\n/**\n * Reads and clears the rate-limit backoff flag.\n * Called by the heartbeat after performInit returns null to detect 429 responses.\n * Returns true if a 429 occurred, false otherwise.\n */\nexport function consumeRateLimitFlag(): boolean {\n  if (rateLimitBackoff) {\n    rateLimitBackoff = false;\n    return true;\n  }\n  return false;\n}\n\n/**\n * Returns true if the most recent performInit call completed the success path\n * (recordConfigSync + acknowledgeHealthReport were called).\n * Used by backgroundInit to decide whether to start the heartbeat.\n */\nexport function didLastInitSucceed(): boolean {\n  return lastInitSucceeded;\n}\n\n/**\n * Result of {@link verifyInitReachable}.\n *\n * - `ok: true` — server acknowledged the init call with a valid, schema-\n *   compliant payload. The anon key (if any) is registered server-side.\n * - `ok: false` with `reason: \"transport\"` — DNS/TCP/TLS/timeout failure.\n *   No response reached the server (or couldn't be parsed off the wire).\n *   `detail` is the raw cause (e.g. \"ECONNREFUSED\") with any leading\n *   `fetch failed: ` prefix stripped; callers that render to the user\n *   should add the prefix themselves to avoid doubling it.\n * - `ok: false` with `reason: \"rejected\"` — HTTP 4xx/5xx status. The\n *   server received the call but declined it. `status` is set.\n * - `ok: false` with `reason: \"malformed\"` — HTTP 2xx but the body was\n *   not valid JSON or did not match the protocol schema.\n */\nexport type VerifyInitResult =\n  | { ok: true; response: SdkInitResponse }\n  | { ok: false; reason: \"transport\"; detail: string }\n  | { ok: false; reason: \"rejected\"; status: number; detail: string }\n  | { ok: false; reason: \"malformed\"; detail: string };\n\n/**\n * Synchronously verifies that `/v1/sdk/init` is reachable and that the\n * provided anon key (if any) is registered server-side. Unlike\n * {@link performInit}, this function does NOT swallow errors — it\n * classifies them into the three user-actionable categories and\n * returns them.\n *\n * Used by the CLI `init` command to fail loudly when the init request\n * fails (DISC-493 Issue 3, DISC-494), rather than relying on the\n * runtime fire-and-forget call which can silently fail inside a\n * Next.js 16 process.\n *\n * The anon key is NEVER logged by this function. Error `detail`\n * strings are sanitized to the failure class only — the key does not\n * appear in transport, rejection, or malformed messages.\n */\nexport async function verifyInitReachable(\n  config: ResolvedConfig,\n  anonKey: AnonApiKey | null,\n  sdkVersion: string,\n): Promise<VerifyInitResult> {\n  try {\n    const response = await sendInitRequest(config, anonKey, sdkVersion);\n    return { ok: true, response };\n  } catch (err) {\n    // HTTP status error — server rejected the key.\n    const status = (err as Record<string, unknown>).status;\n    if (typeof status === \"number\") {\n      return {\n        ok: false,\n        reason: \"rejected\",\n        status,\n        detail: `server returned HTTP ${status}`,\n      };\n    }\n\n    // Schema validation failure (ZodError) or JSON parse error\n    // (SyntaxError). Both mean the server responded but the body is\n    // not a shape we can use.\n    if (err instanceof Error && (err.name === \"ZodError\" || err.name === \"SyntaxError\")) {\n      return {\n        ok: false,\n        reason: \"malformed\",\n        detail: \"server returned malformed response\",\n      };\n    }\n\n    // Everything else (transport errors, timeouts, abort, unknown) is\n    // classified as transport. `detail` is the raw cause without a\n    // `fetch failed:` prefix so the CLI (the only caller that renders\n    // this) can format it as `fetch failed: <detail>` without risking\n    // the double-prefix that would occur when the underlying error\n    // already starts with `fetch failed:` (e.g., `HttpsTransportError`\n    // from `sendSingleRequest`).\n    const rawMessage = err instanceof Error ? err.message : String(err);\n    const detail = rawMessage.startsWith(\"fetch failed: \")\n      ? rawMessage.slice(\"fetch failed: \".length)\n      : rawMessage;\n    return { ok: false, reason: \"transport\", detail };\n  }\n}\n","import * as fs from \"node:fs/promises\";\nimport * as fsSync from \"node:fs\";\nimport * as path from \"node:path\";\nimport * as crypto from \"node:crypto\";\nimport { createBuildHash, type ImportGraphPayload } from \"@glasstrace/protocol\";\n\n/** Maximum number of test files to process to prevent runaway in large projects */\nconst MAX_TEST_FILES = 5000;\n\n/** Directories to exclude from test file discovery */\nconst EXCLUDED_DIRS = new Set([\"node_modules\", \".next\", \".git\", \"dist\", \".turbo\"]);\n\n/** Conventional test file patterns */\nconst DEFAULT_TEST_PATTERNS = [\n  /\\.test\\.tsx?$/,\n  /\\.spec\\.tsx?$/,\n];\n\n/**\n * Converts a glob pattern (e.g. \"e2e/**\\/*.ts\") to an anchored RegExp.\n * Uses a placeholder to avoid `*` replacement corrupting the `**\\/` output.\n *\n * @param glob - A file glob pattern such as \"src/**\\/*.test.ts\".\n * @returns A RegExp that matches paths against the glob from start to end.\n */\nfunction globToRegExp(glob: string): RegExp {\n  const DOUBLE_STAR_PLACEHOLDER = \"\\0DSTAR\\0\";\n  const regexStr = glob\n    .replace(/\\*\\*\\//g, DOUBLE_STAR_PLACEHOLDER) // protect **/ first\n    .replace(/[.+?^${}()|[\\]\\\\]/g, \"\\\\$&\") // escape all regex metacharacters (except *)\n    .replace(/\\*/g, \"[^/]+\")\n    .replace(new RegExp(DOUBLE_STAR_PLACEHOLDER.replace(/\\0/g, \"\\\\0\"), \"g\"), \"(?:.+/)?\");\n  return new RegExp(\"^\" + regexStr + \"$\");\n}\n\n/**\n * Attempts to read include patterns from vitest.config.*, vite.config.*,\n * or jest.config.* files. Returns additional RegExp patterns extracted\n * from the config, or an empty array if no config is found or parsing fails.\n * This is best-effort — it reads the config as text and extracts patterns\n * via regex, without evaluating the JS.\n *\n * For Vitest/Vite configs, looks for `test.include` arrays.\n * For Jest configs, looks for `testMatch` arrays.\n * Does not support `testRegex` (string-based Jest pattern) — that is\n * left as future work.\n */\nfunction loadCustomTestPatterns(projectRoot: string): RegExp[] {\n  const configNames = [\n    \"vitest.config.ts\",\n    \"vitest.config.js\",\n    \"vitest.config.mts\",\n    \"vitest.config.mjs\",\n    \"vite.config.ts\",\n    \"vite.config.js\",\n    \"vite.config.mts\",\n    \"vite.config.mjs\",\n    \"jest.config.ts\",\n    \"jest.config.js\",\n    \"jest.config.mts\",\n    \"jest.config.mjs\",\n  ];\n\n  for (const name of configNames) {\n    const configPath = path.join(projectRoot, name);\n    let content: string;\n    try {\n      content = fsSync.readFileSync(configPath, \"utf-8\");\n    } catch {\n      // Config file does not exist at this path — try next candidate\n      continue;\n    }\n\n    try {\n      const isJest = name.startsWith(\"jest.\");\n      let includeMatch: RegExpExecArray | null = null;\n\n      if (isJest) {\n        // Jest: look for testMatch: [...]\n        includeMatch = /testMatch\\s*:\\s*\\[([^\\]]*)\\]/s.exec(content);\n      } else {\n        // Vitest/Vite: look for `test` block's `include` to avoid\n        // matching `coverage.include` or other unrelated arrays.\n        // Strategy: find `test` property, then look for `include` within\n        // the next ~500 chars (heuristic to stay within the test block).\n        const testBlockMatch = /\\btest\\s*[:{]\\s*/s.exec(content);\n        if (testBlockMatch) {\n          const afterTest = content.slice(testBlockMatch.index, testBlockMatch.index + 500);\n          includeMatch = /include\\s*:\\s*\\[([^\\]]*)\\]/s.exec(afterTest);\n        }\n      }\n\n      if (!includeMatch) {\n        continue;\n      }\n\n      const arrayContent = includeMatch[1];\n      const stringRegex = /['\"]([^'\"]+)['\"]/g;\n      const patterns: RegExp[] = [];\n      let match: RegExpExecArray | null;\n      match = stringRegex.exec(arrayContent);\n      while (match !== null) {\n        patterns.push(globToRegExp(match[1]));\n        match = stringRegex.exec(arrayContent);\n      }\n\n      if (patterns.length > 0) {\n        return patterns;\n      }\n    } catch {\n      // Regex-based config parsing failed — fall through to next config file\n      continue;\n    }\n  }\n\n  return [];\n}\n\n/**\n * Discovers test files by scanning the project directory for conventional\n * test file patterns. Also reads vitest/jest config files for custom include\n * patterns and merges them with the defaults. Excludes node_modules/ and .next/.\n *\n * @param projectRoot - Absolute path to the project root directory.\n * @returns Relative POSIX paths from projectRoot, capped at {@link MAX_TEST_FILES}.\n */\nexport async function discoverTestFiles(\n  projectRoot: string,\n): Promise<string[]> {\n  const customPatterns = loadCustomTestPatterns(projectRoot);\n  const testPatterns = [...DEFAULT_TEST_PATTERNS, ...customPatterns];\n  const results: string[] = [];\n\n  try {\n    await walkForTests(projectRoot, projectRoot, results, testPatterns);\n  } catch {\n    // Project root directory does not exist or is unreadable — return empty\n    return [];\n  }\n\n  return results.slice(0, MAX_TEST_FILES);\n}\n\n/** Recursively walks directories, collecting test file paths into `results`. */\nasync function walkForTests(\n  baseDir: string,\n  currentDir: string,\n  results: string[],\n  testPatterns: RegExp[],\n): Promise<void> {\n  if (results.length >= MAX_TEST_FILES) {\n    return;\n  }\n\n  let entries: import(\"node:fs\").Dirent[];\n  try {\n    entries = await fs.readdir(currentDir, { withFileTypes: true });\n  } catch {\n    // Directory is unreadable (permissions, broken symlink) — skip subtree\n    return;\n  }\n\n  for (const entry of entries) {\n    if (results.length >= MAX_TEST_FILES) {\n      return;\n    }\n\n    const fullPath = path.join(currentDir, entry.name);\n\n    if (entry.isDirectory()) {\n      if (EXCLUDED_DIRS.has(entry.name)) {\n        continue;\n      }\n      await walkForTests(baseDir, fullPath, results, testPatterns);\n    } else if (entry.isFile()) {\n      const relativePath = path.relative(baseDir, fullPath).replace(/\\\\/g, \"/\");\n\n      // Check if it matches test patterns or is in __tests__\n      const isTestFile =\n        testPatterns.some((p) => p.test(entry.name) || p.test(relativePath)) ||\n        relativePath.includes(\"__tests__\");\n\n      if (isTestFile && (entry.name.endsWith(\".ts\") || entry.name.endsWith(\".tsx\"))) {\n        results.push(relativePath);\n      }\n    }\n  }\n}\n\n/**\n * Extracts import paths from file content using regex.\n * Handles ES module imports, CommonJS requires, and dynamic imports.\n *\n * @param fileContent - The full text content of a TypeScript/JavaScript file.\n * @returns An array of import path strings as written in the source (e.g. \"./foo\", \"react\").\n */\nexport function extractImports(fileContent: string): string[] {\n  const seen = new Set<string>();\n  const imports: string[] = [];\n\n  /** Adds a path to the result if not already present. */\n  const addUnique = (importPath: string): void => {\n    if (!seen.has(importPath)) {\n      seen.add(importPath);\n      imports.push(importPath);\n    }\n  };\n\n  // ES module imports — split into two simple patterns to avoid\n  // catastrophic backtracking (CodeQL ReDoS). The original single regex\n  // used [\\w*{}\\s,]+ which overlapped with the surrounding \\s+, causing\n  // polynomial backtracking. These replacements use [^'\"]+ which has\n  // only one quantifier before the anchor, ensuring linear-time matching.\n  // The [^'\"]+ class supports multiline destructured imports (e.g.,\n  // import {\\n  foo,\\n  bar\\n} from 'path') since it does not exclude \\n.\n  //\n  // 1. Named/default/namespace: import { x } from 'path'\n  const esFromImportRegex = /\\bimport\\b[^'\"]+\\bfrom\\s+['\"]([^'\"]+)['\"]/g;\n  // 2. Side-effect: import 'path'\n  const esSideEffectRegex = /\\bimport\\s+['\"]([^'\"]+)['\"]/g;\n\n  let match: RegExpExecArray | null;\n\n  match = esFromImportRegex.exec(fileContent);\n  while (match !== null) {\n    addUnique(match[1]);\n    match = esFromImportRegex.exec(fileContent);\n  }\n\n  match = esSideEffectRegex.exec(fileContent);\n  while (match !== null) {\n    addUnique(match[1]);\n    match = esSideEffectRegex.exec(fileContent);\n  }\n\n  // CommonJS: require('path')\n  const requireRegex = /require\\s*\\(\\s*['\"]([^'\"]+)['\"]\\s*\\)/g;\n  match = requireRegex.exec(fileContent);\n  while (match !== null) {\n    addUnique(match[1]);\n    match = requireRegex.exec(fileContent);\n  }\n\n  // Dynamic import: import('path')\n  const dynamicImportRegex = /import\\s*\\(\\s*['\"]([^'\"]+)['\"]\\s*\\)/g;\n  match = dynamicImportRegex.exec(fileContent);\n  while (match !== null) {\n    addUnique(match[1]);\n    match = dynamicImportRegex.exec(fileContent);\n  }\n\n  return imports;\n}\n\n/**\n * Builds an import graph mapping test file paths to their imported module paths.\n *\n * Discovers test files, reads each, extracts imports, and builds a graph.\n * Computes a deterministic buildHash from the serialized graph content.\n * Individual file read failures are silently skipped.\n *\n * @param projectRoot - Absolute path to the project root directory.\n * @returns An {@link ImportGraphPayload} containing the graph and a deterministic buildHash.\n */\nexport async function buildImportGraph(\n  projectRoot: string,\n): Promise<ImportGraphPayload> {\n  const testFiles = await discoverTestFiles(projectRoot);\n  const graph: Record<string, string[]> = {};\n\n  for (const testFile of testFiles) {\n    const fullPath = path.join(projectRoot, testFile);\n    try {\n      const content = await fs.readFile(fullPath, \"utf-8\");\n      const imports = extractImports(content);\n      graph[testFile] = imports;\n    } catch {\n      // File is unreadable (permissions, deleted between discovery and read) — skip\n      continue;\n    }\n  }\n\n  // Compute deterministic build hash from graph content\n  const sortedKeys = Object.keys(graph).sort();\n  const serialized = sortedKeys\n    .map((key) => `${key}:${JSON.stringify(graph[key])}`)\n    .join(\"\\n\");\n  const hashHex = crypto\n    .createHash(\"sha256\")\n    .update(serialized)\n    .digest(\"hex\");\n  const buildHash = createBuildHash(hashHex);\n\n  return { buildHash, graph };\n}\n"],"mappings":";;;;;;;;;;;AAKA,IAAI,iBAAiB;AAGrB,IAAI,gBAAgB;AAGpB,IAAI,eAAe;AAGnB,IAAI,mBAAkC;AAS/B,SAAS,oBAAoB,OAAqB;AACvD,MAAI,CAAC,OAAO,SAAS,KAAK,KAAK,QAAQ,KAAK,CAAC,OAAO,UAAU,KAAK,EAAG;AACtE,oBAAkB;AACpB;AAMO,SAAS,mBAAmB,OAAqB;AACtD,MAAI,CAAC,OAAO,SAAS,KAAK,KAAK,QAAQ,KAAK,CAAC,OAAO,UAAU,KAAK,EAAG;AACtE,mBAAiB;AACnB;AAMO,SAAS,oBAA0B;AACxC,MAAI;AAAE,oBAAgB;AAAA,EAAG,QAAQ;AAAA,EAAoB;AACvD;AAMO,SAAS,iBAAiB,WAAyB;AACxD,MAAI;AAAE,uBAAmB;AAAA,EAAW,QAAQ;AAAA,EAAoB;AAClE;AAgBO,SAAS,oBAAoB,YAA4C;AAC9E,MAAI;AACF,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,YAAY,qBAAqB,OAAO,KAAK,IAAI,GAAG,MAAM,gBAAgB,IAAI;AAEpF,WAAO;AAAA,MACL,6BAA6B;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,WAAW,KAAK,MAAM,SAAS;AAAA,MAC/B;AAAA,IACF;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AA4BO,SAAS,wBAAwB,QAA+B;AACrE,QAAM,MAAM,KAAK,IAAI,GAAG,OAAO,2BAA2B;AAC1D,QAAM,SAAS,iBAAiB;AAChC,mBAAiB,OAAO,SAAS,MAAM,IAAI,KAAK,IAAI,GAAG,MAAM,IAAI;AAEjE,QAAM,OAAO,KAAK,IAAI,GAAG,OAAO,aAAa;AAC7C,QAAM,UAAU,gBAAgB;AAChC,kBAAgB,OAAO,SAAS,OAAO,IAAI,KAAK,IAAI,GAAG,OAAO,IAAI;AAElE,QAAM,OAAO,KAAK,IAAI,GAAG,OAAO,YAAY;AAC5C,QAAM,UAAU,eAAe;AAC/B,iBAAe,OAAO,SAAS,OAAO,IAAI,KAAK,IAAI,GAAG,OAAO,IAAI;AACnE;;;AC5EA;AAAA,EACE,WAAW;AAAA,OAEN;AACP;AAAA,EACE,WAAW;AAAA,OAEN;AACP,SAAS,WAAW;AAGb,IAAM,sBAAN,cAAkC,MAAM;AAAA,EACpC,OAAO;AAAA,EACP;AAAA,EACT,YAAY,SAAiB,OAAiB;AAC5C,UAAM,OAAO;AACb,SAAK,OAAO;AACZ,SAAK,QAAQ;AAAA,EACf;AACF;AAGO,IAAM,mBAAN,cAA+B,MAAM;AAAA,EACjC,OAAO;AAAA,EACP;AAAA;AAAA,EAEA;AAAA,EACT,YAAY,QAAgB,MAAc;AACxC,UAAM,wBAAwB,MAAM,EAAE;AACtC,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,sBAAN,cAAkC,MAAM;AAAA,EACpC,OAAO;AAAA,EACP;AAAA,EACA;AAAA,EACT,YAAY,QAAgB,OAAiB;AAC3C,UAAM,4CAA4C,MAAM,GAAG;AAC3D,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,QAAQ;AAAA,EACf;AACF;AA4DA,IAAM,qBAAqB;AAC3B,IAAM,0BAA0B,CAAC,KAAK,IAAI;AAC1C,IAAM,4BAA4B;AAYlC,eAAsB,cACpB,KACA,UACA,SAC8B;AAC9B,QAAM,SAAS,IAAI,IAAI,GAAG;AAC1B,QAAM,UAAU,OAAO,aAAa;AACpC,QAAM,SAAS,OAAO,aAAa;AACnC,MAAI,CAAC,WAAW,CAAC,QAAQ;AACvB,UAAM,IAAI;AAAA,MACR,yBAAyB,OAAO,QAAQ;AAAA,IAC1C;AAAA,EACF;AACA,QAAM,YAAY,QAAQ,aAAa;AACvC,QAAM,cAAc,QAAQ,eAAe;AAC3C,QAAM,gBAAgB,QAAQ,iBAAiB;AAC/C,QAAM,kBAAkB,QAAQ,mBAAmB;AACnD,QAAM,YAAY,QAAQ,cAAc,CAAC,IAAI,OAAO,WAAW,IAAI,EAAE;AACrE,QAAM,cAAc,UACf,QAAQ,eAAe,eACvB,QAAQ,mBAAmB;AAGhC,MAAI;AACJ,MAAI;AACF,cAAU,KAAK,UAAU,QAAQ;AAAA,EACnC,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,qCAAqC,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,MACrF;AAAA,IACF;AAAA,EACF;AACA,QAAM,gBAAgB,OAAO,KAAK,SAAS,OAAO;AAElD,QAAM,YAAY,KAAK,IAAI;AAC3B,MAAI;AAEJ,WAAS,UAAU,GAAG,UAAU,aAAa,WAAW,GAAG;AACzD,QAAI,QAAQ,QAAQ,SAAS;AAC3B,YAAM,IAAI,oBAAoB,iBAAiB;AAAA,IACjD;AAGA,UAAM,UAAU,KAAK,IAAI,IAAI;AAC7B,QAAI,WAAW,iBAAiB;AAC9B;AAAA,IACF;AACA,UAAM,kBAAkB,kBAAkB;AAC1C,UAAM,mBAAmB,KAAK,IAAI,WAAW,eAAe;AAE5D,QAAI;AACF,aAAO,MAAM;AAAA,QACX;AAAA,QACA;AAAA,QACA,QAAQ;AAAA,QACR;AAAA,QACA,QAAQ;AAAA,QACR;AAAA,MACF;AAAA,IACF,SAAS,KAAK;AACZ,kBAAY;AAGZ,UAAI,eAAe,oBAAoB,eAAe,qBAAqB;AACzE,cAAM;AAAA,MACR;AACA,YAAM,SAAS,YAAY,cAAc;AACzC,UAAI,OAAQ;AAEZ,YAAM,UAAU,cAAc,OAAO,KAAK,cAAc,cAAc,SAAS,CAAC,KAAK;AACrF,YAAM,qBAAqB,KAAK,IAAI,IAAI;AACxC,YAAM,YAAY,kBAAkB;AACpC,UAAI,aAAa,EAAG;AACpB,YAAM,gBAAgB,KAAK,IAAI,SAAS,SAAS;AACjD,YAAM,MAAM,eAAe,WAAW,QAAQ,MAAM;AAAA,IACtD;AAAA,EACF;AAEA,MAAI,qBAAqB,oBAAqB,OAAM;AACpD,QAAM,IAAI;AAAA,IACR,qBAAqB,QAAQ,UAAU,UAAU;AAAA,IACjD;AAAA,EACF;AACF;AAMA,SAAS,kBACP,KACA,SACA,SACA,WACA,QACA,aAC8B;AAC9B,SAAO,IAAI,QAA6B,CAAC,SAAS,WAAW;AAI3D,UAAM,eAAgD;AAAA,MACpD,GAAG;AAAA,MACH,kBAAkB,QAAQ;AAAA,IAC5B;AAEA,UAAM,aAAkC;AAAA,MACtC,QAAQ;AAAA,MACR,UAAU,IAAI;AAAA,MACd,MAAM,IAAI,SAAS,KAAK,SAAY,OAAO,IAAI,IAAI;AAAA,MACnD,MAAM,GAAG,IAAI,QAAQ,GAAG,IAAI,MAAM;AAAA,MAClC,SAAS;AAAA;AAAA;AAAA;AAAA,MAIT,SAAS;AAAA,IACX;AAEA,QAAI,UAAU;AAId,QAAI,UAAU,MAAY;AAAA,IAAC;AAC3B,UAAM,SAAS,CAAC,OAAyB;AACvC,UAAI,QAAS;AACb,gBAAU;AACV,cAAQ;AACR,SAAG;AAAA,IACL;AAEA,UAAM,MAAM,YAAY,YAAY,CAAC,QAAyB;AAC5D,YAAM,SAAmB,CAAC;AAC1B,UAAI,GAAG,QAAQ,CAAC,UAA2B;AACzC,eAAO,KAAK,OAAO,UAAU,WAAW,OAAO,KAAK,OAAO,OAAO,IAAI,KAAK;AAAA,MAC7E,CAAC;AACD,UAAI,GAAG,OAAO,MAAM;AAClB,cAAM,MAAM,OAAO,OAAO,MAAM,EAAE,SAAS,OAAO;AAClD,cAAM,SAAS,IAAI,cAAc;AACjC,YAAI,SAAS,OAAO,UAAU,KAAK;AACjC,iBAAO,MAAM,OAAO,IAAI,iBAAiB,QAAQ,GAAG,CAAC,CAAC;AACtD;AAAA,QACF;AAEA,YAAI,WAAW,OAAO,IAAI,WAAW,GAAG;AACtC,iBAAO,MAAM,QAAQ,EAAE,QAAQ,MAAM,QAAW,IAAI,CAAC,CAAC;AACtD;AAAA,QACF;AACA,YAAI;AACF,gBAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,iBAAO,MAAM,QAAQ,EAAE,QAAQ,MAAM,QAAQ,IAAI,CAAC,CAAC;AAAA,QACrD,SAAS,KAAK;AACZ,iBAAO,MAAM,OAAO,IAAI,oBAAoB,QAAQ,GAAG,CAAC,CAAC;AAAA,QAC3D;AAAA,MACF,CAAC;AACD,UAAI,GAAG,SAAS,CAAC,QAAQ;AACvB,eAAO,MAAM,OAAO,IAAI,oBAAoB,0BAA0B,IAAI,OAAO,IAAI,GAAG,CAAC,CAAC;AAAA,MAC5F,CAAC;AAAA,IACH,CAAC;AAKD,UAAM,QAAQ,WAAW,MAAM;AAC7B,aAAO,MAAM;AACX,YAAI,QAAQ,IAAI,MAAM,mBAAmB,CAAC;AAC1C,eAAO,IAAI,oBAAoB,2BAA2B,SAAS,IAAI,CAAC;AAAA,MAC1E,CAAC;AAAA,IACH,GAAG,SAAS;AAEZ,QAAI,OAAO,MAAM,UAAU,WAAY,OAAM,MAAM;AAInD,UAAM,UAAU,MAAY;AAC1B,aAAO,MAAM;AACX,YAAI,QAAQ,IAAI,MAAM,SAAS,CAAC;AAChC,eAAO,IAAI,oBAAoB,iBAAiB,CAAC;AAAA,MACnD,CAAC;AAAA,IACH;AAMA,cAAU,MAAY;AACpB,mBAAa,KAAK;AAClB,UAAI,WAAW,QAAW;AACxB,eAAO,oBAAoB,SAAS,OAAO;AAAA,MAC7C;AAAA,IACF;AAEA,QAAI,GAAG,SAAS,CAAC,QAAQ;AACvB,aAAO,MAAM,OAAO,IAAI,oBAAoB,iBAAiB,IAAI,OAAO,IAAI,GAAG,CAAC,CAAC;AAAA,IACnF,CAAC;AAED,QAAI,GAAG,WAAW,MAAM;AACtB,aAAO,MAAM;AACX,YAAI,QAAQ,IAAI,MAAM,mBAAmB,CAAC;AAC1C,eAAO,IAAI,oBAAoB,2BAA2B,SAAS,IAAI,CAAC;AAAA,MAC1E,CAAC;AAAA,IACH,CAAC;AAED,QAAI,WAAW,QAAW;AACxB,UAAI,OAAO,SAAS;AAClB,YAAI,QAAQ,IAAI,MAAM,SAAS,CAAC;AAChC,eAAO,MAAM,OAAO,IAAI,oBAAoB,iBAAiB,CAAC,CAAC;AAC/D;AAAA,MACF;AACA,aAAO,iBAAiB,SAAS,SAAS,EAAE,MAAM,KAAK,CAAC;AAAA,IAC1D;AAEA,QAAI,IAAI,OAAO;AAAA,EACjB,CAAC;AACH;AAWA,SAAS,MACP,IACA,WACA,QACe;AACf,SAAO,IAAI,QAAc,CAAC,SAAS,WAAW;AAC5C,QAAI,UAAU;AAGd,QAAI,UAAU,MAAY;AAAA,IAAC;AAC3B,UAAM,SAAS,CAAC,OAAyB;AACvC,UAAI,QAAS;AACb,gBAAU;AACV,cAAQ;AACR,SAAG;AAAA,IACL;AACA,UAAM,UAAU,MAAY;AAC1B,aAAO,MAAM,OAAO,IAAI,oBAAoB,iBAAiB,CAAC,CAAC;AAAA,IACjE;AACA,UAAM,QAAQ,UAAU,MAAM;AAC5B,aAAO,OAAO;AAAA,IAChB,GAAG,EAAE;AACL,QAAI,OAAO,MAAM,UAAU,WAAY,OAAM,MAAM;AACnD,cAAU,MAAY;AAGpB,mBAAa,KAAkC;AAC/C,UAAI,WAAW,QAAW;AACxB,eAAO,oBAAoB,SAAS,OAAO;AAAA,MAC7C;AAAA,IACF;AACA,QAAI,WAAW,QAAW;AACxB,UAAI,OAAO,SAAS;AAClB,gBAAQ;AACR;AAAA,MACF;AACA,aAAO,iBAAiB,SAAS,SAAS,EAAE,MAAM,KAAK,CAAC;AAAA,IAC1D;AAAA,EACF,CAAC;AACH;;;ACvZA,IAAM,iBAAiB;AACvB,IAAM,cAAc;AACpB,IAAM,uBAAuB,KAAK,KAAK,KAAK;AAC5C,IAAM,kBAAkB;AAMxB,IAAI;AAEJ,eAAe,kBAA+G;AAC5H,MAAI,qBAAqB,OAAW,QAAO;AAC3C,MAAI;AACF,UAAM,CAACA,KAAIC,KAAI,IAAI,MAAM,QAAQ,IAAI;AAAA,MACnC,OAAO,kBAAkB;AAAA,MACzB,OAAO,WAAW;AAAA,IACpB,CAAC;AACD,uBAAmB,EAAE,IAAAD,KAAI,MAAAC,MAAK;AAC9B,WAAO;AAAA,EACT,QAAQ;AACN,uBAAmB;AACnB,WAAO;AAAA,EACT;AACF;AAOA,SAAS,mBAA0H;AACjI,MAAI;AAEF,UAAMD,MAAK,UAAQ,SAAS;AAE5B,UAAMC,QAAO,UAAQ,WAAW;AAChC,WAAO,EAAE,cAAcD,IAAG,cAAc,MAAMC,MAAK,KAAK;AAAA,EAC1D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAWA,IAAI,oBAA4C;AAGhD,IAAI,gBAAwC;AAG5C,IAAI,qBAAqB;AAGzB,IAAI,mBAAmB;AAGvB,IAAI,oBAAoB;AAOjB,SAAS,iBAAiB,aAA8C;AAC7E,QAAM,UAAU,iBAAiB;AACjC,MAAI,CAAC,QAAS,QAAO;AAErB,QAAM,OAAO,eAAe,QAAQ,IAAI;AACxC,QAAM,aAAa,QAAQ,KAAK,MAAM,gBAAgB,WAAW;AAEjE,MAAI;AAEF,UAAM,UAAU,QAAQ,aAAa,YAAY,OAAO;AACxD,UAAM,SAAS,KAAK,MAAM,OAAO;AACjC,UAAM,SAAS,sBAAsB,MAAM,MAAM;AAGjD,UAAM,MAAM,KAAK,IAAI,IAAI,OAAO;AAChC,QAAI,MAAM,sBAAsB;AAC9B,cAAQ;AAAA,QACN,iCAAiC,KAAK,MAAM,MAAM,IAAO,CAAC;AAAA,MAC5D;AAAA,IACF;AAGA,UAAM,SAAS,sBAAsB,UAAU,OAAO,QAAQ;AAC9D,QAAI,OAAO,SAAS;AAClB,uBAAiB,OAAO,QAAQ;AAChC,aAAO,OAAO;AAAA,IAChB;AAEA,YAAQ,KAAK,+DAA+D;AAC5E,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAaA,eAAsB,iBACpB,UACA,aACe;AACf,QAAM,UAAU,MAAM,gBAAgB;AACtC,MAAI,CAAC,QAAS;AAEd,QAAM,OAAO,eAAe,QAAQ,IAAI;AACxC,QAAM,UAAU,QAAQ,KAAK,KAAK,MAAM,cAAc;AACtD,QAAM,aAAa,QAAQ,KAAK,KAAK,SAAS,WAAW;AACzD,QAAM,UAAU,GAAG,UAAU;AAE7B,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,SAAS,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AAChE,UAAM,QAAQ,GAAG,MAAM,SAAS,GAAK;AACrC,UAAM,SAAS;AAAA,MACb;AAAA,MACA,UAAU,KAAK,IAAI;AAAA,IACrB;AAIA,UAAM,QAAQ,GAAG,UAAU,SAAS,KAAK,UAAU,MAAM,GAAG;AAAA,MAC1D,UAAU;AAAA,MACV,MAAM;AAAA,IACR,CAAC;AACD,QAAI;AACF,YAAM,QAAQ,GAAG,MAAM,SAAS,GAAK;AACrC,YAAM,QAAQ,GAAG,OAAO,SAAS,UAAU;AAAA,IAC7C,SAAS,WAAW;AAElB,UAAI;AACF,cAAM,QAAQ,GAAG,OAAO,OAAO;AAAA,MACjC,QAAQ;AAAA,MAER;AACA,YAAM;AAAA,IACR;AAGA,UAAM,QAAQ,GAAG,MAAM,YAAY,GAAK;AAAA,EAC1C,SAAS,KAAK;AACZ,YAAQ;AAAA,MACN,0CAA0C,UAAU,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IAC3G;AAAA,EACF;AACF;AAaA,eAAsB,gBACpB,QACA,SACA,YACA,aACA,cACA,aACA,QAC0B;AAG1B,QAAM,eAAe,OAAO,UAAU;AACtC,MAAI,CAAC,cAAc;AACjB,UAAM,IAAI,MAAM,uCAAuC;AAAA,EACzD;AAGA,QAAM,UAAmC;AAAA,IACvC;AAAA,EACF;AAGA,MAAI,OAAO,UAAU,SAAS;AAC5B,YAAQ,UAAU;AAAA,EACpB;AAEA,MAAI,OAAO,aAAa;AACtB,YAAQ,cAAc,OAAO;AAAA,EAC/B;AACA,MAAI,aAAa;AACf,YAAQ,cAAc;AAAA,EACxB;AACA,MAAI,cAAc;AAChB,YAAQ,eAAe;AAAA,EACzB;AACA,MAAI,aAAa;AACf,YAAQ,cAAc;AAAA,EACxB;AAEA,QAAM,MAAM,GAAG,OAAO,QAAQ;AAE9B,QAAM,YAAY,qBAAqB;AACvC,MAAI;AACJ,MAAI;AACF,aAAS,MAAM,UAAU,KAAK,SAAS;AAAA,MACrC,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,eAAe,UAAU,YAAY;AAAA,MACvC;AAAA,MACA,WAAW;AAAA,MACX;AAAA,IACF,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,QAAI,eAAe,kBAAkB;AACnC,YAAM,QAAQ,IAAI,MAAM,mCAAmC,IAAI,MAAM,EAAE;AACvE,MAAC,MAA6C,SAAS,IAAI;AAC3D,YAAM;AAAA,IACR;AACA,QAAI,eAAe,qBAAqB;AAGtC,YAAM,QAAQ,IAAI;AAClB,UAAI,iBAAiB,YAAa,OAAM;AACxC,YAAM;AAAA,IACR;AACA,QAAI,eAAe,qBAAqB;AAEtC,YAAM;AAAA,IACR;AACA,UAAM;AAAA,EACR;AAEA,SAAO,sBAAsB,MAAM,OAAO,IAAI;AAChD;AAoBA,eAAsB,gBACpB,WACA,aACe;AACf,QAAM,UAAU,MAAM,gBAAgB;AAEtC,MAAI,SAAS;AACX,UAAM,OAAO,eAAe,QAAQ,IAAI;AACxC,UAAM,eAAe,QAAQ,KAAK,KAAK,MAAM,YAAY;AAGzD,QAAI,kBAAkB;AACtB,QAAI;AACF,UAAI;AACJ,UAAI;AACF,kBAAU,MAAM,QAAQ,GAAG,SAAS,cAAc,OAAO;AAEzD,YAAI,0BAA0B,KAAK,OAAO,GAAG;AAC3C,oBAAU,QAAQ;AAAA,YAChB;AAAA,YACA,sBAAsB,SAAS;AAAA,UACjC;AAAA,QACF,OAAO;AAEL,cAAI,QAAQ,SAAS,KAAK,CAAC,QAAQ,SAAS,IAAI,GAAG;AACjD,uBAAW;AAAA,UACb;AACA,qBAAW,sBAAsB,SAAS;AAAA;AAAA,QAC5C;AAAA,MACF,SAAS,SAAkB;AAIzB,cAAM,OAAO,mBAAmB,QAAS,QAAkC,OAAO;AAClF,YAAI,SAAS,UAAU;AACrB,gBAAM;AAAA,QACR;AACA,kBAAU,sBAAsB,SAAS;AAAA;AAAA,MAC3C;AAEA,YAAM,QAAQ,GAAG,UAAU,cAAc,SAAS,EAAE,UAAU,SAAS,MAAM,IAAM,CAAC;AACpF,YAAM,QAAQ,GAAG,MAAM,cAAc,GAAK;AAC1C,wBAAkB;AAAA,IACpB,QAAQ;AAAA,IAER;AAEA,QAAI,iBAAiB;AACnB,UAAI;AACF,gBAAQ,OAAO;AAAA,UACb;AAAA,QACF;AAAA,MACF,QAAQ;AAAA,MAA8B;AACtC;AAAA,IACF;AAGA,QAAI,oBAAoB;AACxB,QAAI;AACF,YAAM,UAAU,QAAQ,KAAK,KAAK,MAAM,cAAc;AACtD,YAAM,QAAQ,GAAG,MAAM,SAAS,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AAChE,YAAM,QAAQ,GAAG,MAAM,SAAS,GAAK;AACrC,YAAM,iBAAiB,QAAQ,KAAK,KAAK,SAAS,aAAa;AAC/D,YAAM,QAAQ,GAAG,UAAU,gBAAgB,WAAW;AAAA,QACpD,UAAU;AAAA,QACV,MAAM;AAAA,MACR,CAAC;AACD,YAAM,QAAQ,GAAG,MAAM,gBAAgB,GAAK;AAC5C,0BAAoB;AAAA,IACtB,QAAQ;AAAA,IAER;AAEA,QAAI,mBAAmB;AACrB,UAAI;AACF,gBAAQ,OAAO;AAAA,UACb;AAAA,QACF;AAAA,MACF,QAAQ;AAAA,MAA8B;AACtC;AAAA,IACF;AAAA,EACF;AAGA,MAAI;AACF,YAAQ,OAAO;AAAA,MACb;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAA8B;AACxC;AAYA,eAAsB,YACpB,QACA,SACA,YACA,cACiC;AACjC,sBAAoB;AAGpB,MAAI,kBAAkB;AACpB,uBAAmB;AACnB,WAAO;AAAA,EACT;AAOA,MAAI,kBAAkB;AAEtB,MAAI;AACF,UAAM,eAAe,OAAO,UAAU;AACtC,QAAI,CAAC,cAAc;AACjB,cAAQ,KAAK,qDAAqD;AAClE,aAAO;AAAA,IACT;AAOA,QAAI;AAEF,YAAM,SAAS,MAAM;AAAA,QACnB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,gBAAgB;AAAA,QAChB;AAAA,MACF;AAGA,sBAAgB;AAChB,uBAAiB,KAAK,IAAI,CAAC;AAC3B,UAAI,cAAc;AAChB,gCAAwB,YAAY;AAAA,MACtC;AACA,0BAAoB;AAGpB,YAAM,iBAAiB,MAAM;AAG7B,UAAI,OAAO,aAAa;AACtB,YAAI;AACF,gBAAM,gBAAgB,OAAO,YAAY,SAAS;AAAA,QACpD,QAAQ;AAAA,QAGR;AACA,eAAO,EAAE,aAAa,OAAO,YAAY;AAAA,MAC3C;AAEA,aAAO;AAAA,IACT,SAAS,KAAK;AACZ,wBAAkB;AAClB,wBAAkB;AAKlB,UAAI,eAAe,qBAAqB;AACtC,YAAI,qBAAqB,KAAK,IAAI,OAAO,GAAG;AAC1C,kBAAQ,KAAK,6DAA6D;AAAA,QAC5E,OAAO;AACL,kBAAQ,KAAK,uCAAuC,IAAI,OAAO,EAAE;AAAA,QACnE;AACA,eAAO;AAAA,MACT;AAGA,YAAM,SAAU,IAAgC;AAChD,UAAI,WAAW,KAAK;AAClB,gBAAQ;AAAA,UACN;AAAA,QACF;AACA,eAAO;AAAA,MACT;AAEA,UAAI,WAAW,KAAK;AAClB,gBAAQ,KAAK,mDAAmD;AAChE,2BAAmB;AACnB,eAAO;AAAA,MACT;AAEA,UAAI,OAAO,WAAW,YAAY,UAAU,KAAK;AAC/C,gBAAQ;AAAA,UACN,gDAAgD,MAAM;AAAA,QACxD;AACA,eAAO;AAAA,MACT;AAOA,UAAI,eAAe,SAAS,IAAI,SAAS,YAAY;AACnD,gBAAQ;AAAA,UACN;AAAA,QACF;AACA,eAAO;AAAA,MACT;AAGA,cAAQ;AAAA,QACN,uCAAuC,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,MACzF;AACA,aAAO;AAAA,IACT;AAAA,EACF,SAAS,KAAK;AAIZ,QAAI,CAAC,iBAAiB;AACpB,wBAAkB;AAAA,IACpB;AAIA,QAAI;AACF,cAAQ;AAAA,QACN,uCAAuC,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,MACzF;AAAA,IACF,QAAQ;AAAA,IAA6C;AAAA,EACvD;AAEA,SAAO;AACT;AAYO,SAAS,kBAAiC;AAE/C,MAAI,eAAe;AACjB,WAAO,cAAc;AAAA,EACvB;AAGA,MAAI,CAAC,oBAAoB;AACvB,yBAAqB;AACrB,UAAM,SAAS,iBAAiB;AAChC,QAAI,QAAQ;AACV,sBAAgB;AAChB,aAAO,OAAO;AAAA,IAChB;AAAA,EACF;AAGA,SAAO,EAAE,GAAG,uBAAuB;AACrC;AASO,SAAS,qBAAyC;AACvD,SAAO,eAAe;AACxB;AAUO,SAAS,iBAAiD;AAC/D,SAAO,eAAe;AACxB;AA4BO,SAAS,kBAAkB,QAA+B;AAC/D,kBAAgB;AAClB;AAcO,SAAS,uBAAgC;AAC9C,MAAI,kBAAkB;AACpB,uBAAmB;AACnB,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAOO,SAAS,qBAA8B;AAC5C,SAAO;AACT;AAuCA,eAAsB,oBACpB,QACA,SACA,YAC2B;AAC3B,MAAI;AACF,UAAM,WAAW,MAAM,gBAAgB,QAAQ,SAAS,UAAU;AAClE,WAAO,EAAE,IAAI,MAAM,SAAS;AAAA,EAC9B,SAAS,KAAK;AAEZ,UAAM,SAAU,IAAgC;AAChD,QAAI,OAAO,WAAW,UAAU;AAC9B,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,QAAQ;AAAA,QACR;AAAA,QACA,QAAQ,wBAAwB,MAAM;AAAA,MACxC;AAAA,IACF;AAKA,QAAI,eAAe,UAAU,IAAI,SAAS,cAAc,IAAI,SAAS,gBAAgB;AACnF,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV;AAAA,IACF;AASA,UAAM,aAAa,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAClE,UAAM,SAAS,WAAW,WAAW,gBAAgB,IACjD,WAAW,MAAM,iBAAiB,MAAM,IACxC;AACJ,WAAO,EAAE,IAAI,OAAO,QAAQ,aAAa,OAAO;AAAA,EAClD;AACF;;;ACxtBA,YAAY,QAAQ;AACpB,YAAY,YAAY;AACxB,YAAY,UAAU;AACtB,YAAY,YAAY;AAIxB,IAAM,iBAAiB;AAGvB,IAAM,gBAAgB,oBAAI,IAAI,CAAC,gBAAgB,SAAS,QAAQ,QAAQ,QAAQ,CAAC;AAGjF,IAAM,wBAAwB;AAAA,EAC5B;AAAA,EACA;AACF;AASA,SAAS,aAAa,MAAsB;AAC1C,QAAM,0BAA0B;AAChC,QAAM,WAAW,KACd,QAAQ,WAAW,uBAAuB,EAC1C,QAAQ,sBAAsB,MAAM,EACpC,QAAQ,OAAO,OAAO,EACtB,QAAQ,IAAI,OAAO,wBAAwB,QAAQ,OAAO,KAAK,GAAG,GAAG,GAAG,UAAU;AACrF,SAAO,IAAI,OAAO,MAAM,WAAW,GAAG;AACxC;AAcA,SAAS,uBAAuB,aAA+B;AAC7D,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,aAAW,QAAQ,aAAa;AAC9B,UAAM,aAAkB,UAAK,aAAa,IAAI;AAC9C,QAAI;AACJ,QAAI;AACF,gBAAiB,oBAAa,YAAY,OAAO;AAAA,IACnD,QAAQ;AAEN;AAAA,IACF;AAEA,QAAI;AACF,YAAM,SAAS,KAAK,WAAW,OAAO;AACtC,UAAI,eAAuC;AAE3C,UAAI,QAAQ;AAEV,uBAAe,gCAAgC,KAAK,OAAO;AAAA,MAC7D,OAAO;AAKL,cAAM,iBAAiB,oBAAoB,KAAK,OAAO;AACvD,YAAI,gBAAgB;AAClB,gBAAM,YAAY,QAAQ,MAAM,eAAe,OAAO,eAAe,QAAQ,GAAG;AAChF,yBAAe,8BAA8B,KAAK,SAAS;AAAA,QAC7D;AAAA,MACF;AAEA,UAAI,CAAC,cAAc;AACjB;AAAA,MACF;AAEA,YAAM,eAAe,aAAa,CAAC;AACnC,YAAM,cAAc;AACpB,YAAM,WAAqB,CAAC;AAC5B,UAAI;AACJ,cAAQ,YAAY,KAAK,YAAY;AACrC,aAAO,UAAU,MAAM;AACrB,iBAAS,KAAK,aAAa,MAAM,CAAC,CAAC,CAAC;AACpC,gBAAQ,YAAY,KAAK,YAAY;AAAA,MACvC;AAEA,UAAI,SAAS,SAAS,GAAG;AACvB,eAAO;AAAA,MACT;AAAA,IACF,QAAQ;AAEN;AAAA,IACF;AAAA,EACF;AAEA,SAAO,CAAC;AACV;AAUA,eAAsB,kBACpB,aACmB;AACnB,QAAM,iBAAiB,uBAAuB,WAAW;AACzD,QAAM,eAAe,CAAC,GAAG,uBAAuB,GAAG,cAAc;AACjE,QAAM,UAAoB,CAAC;AAE3B,MAAI;AACF,UAAM,aAAa,aAAa,aAAa,SAAS,YAAY;AAAA,EACpE,QAAQ;AAEN,WAAO,CAAC;AAAA,EACV;AAEA,SAAO,QAAQ,MAAM,GAAG,cAAc;AACxC;AAGA,eAAe,aACb,SACA,YACA,SACA,cACe;AACf,MAAI,QAAQ,UAAU,gBAAgB;AACpC;AAAA,EACF;AAEA,MAAI;AACJ,MAAI;AACF,cAAU,MAAS,WAAQ,YAAY,EAAE,eAAe,KAAK,CAAC;AAAA,EAChE,QAAQ;AAEN;AAAA,EACF;AAEA,aAAW,SAAS,SAAS;AAC3B,QAAI,QAAQ,UAAU,gBAAgB;AACpC;AAAA,IACF;AAEA,UAAM,WAAgB,UAAK,YAAY,MAAM,IAAI;AAEjD,QAAI,MAAM,YAAY,GAAG;AACvB,UAAI,cAAc,IAAI,MAAM,IAAI,GAAG;AACjC;AAAA,MACF;AACA,YAAM,aAAa,SAAS,UAAU,SAAS,YAAY;AAAA,IAC7D,WAAW,MAAM,OAAO,GAAG;AACzB,YAAM,eAAoB,cAAS,SAAS,QAAQ,EAAE,QAAQ,OAAO,GAAG;AAGxE,YAAM,aACJ,aAAa,KAAK,CAAC,MAAM,EAAE,KAAK,MAAM,IAAI,KAAK,EAAE,KAAK,YAAY,CAAC,KACnE,aAAa,SAAS,WAAW;AAEnC,UAAI,eAAe,MAAM,KAAK,SAAS,KAAK,KAAK,MAAM,KAAK,SAAS,MAAM,IAAI;AAC7E,gBAAQ,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF;AAAA,EACF;AACF;AASO,SAAS,eAAe,aAA+B;AAC5D,QAAM,OAAO,oBAAI,IAAY;AAC7B,QAAM,UAAoB,CAAC;AAG3B,QAAM,YAAY,CAAC,eAA6B;AAC9C,QAAI,CAAC,KAAK,IAAI,UAAU,GAAG;AACzB,WAAK,IAAI,UAAU;AACnB,cAAQ,KAAK,UAAU;AAAA,IACzB;AAAA,EACF;AAWA,QAAM,oBAAoB;AAE1B,QAAM,oBAAoB;AAE1B,MAAI;AAEJ,UAAQ,kBAAkB,KAAK,WAAW;AAC1C,SAAO,UAAU,MAAM;AACrB,cAAU,MAAM,CAAC,CAAC;AAClB,YAAQ,kBAAkB,KAAK,WAAW;AAAA,EAC5C;AAEA,UAAQ,kBAAkB,KAAK,WAAW;AAC1C,SAAO,UAAU,MAAM;AACrB,cAAU,MAAM,CAAC,CAAC;AAClB,YAAQ,kBAAkB,KAAK,WAAW;AAAA,EAC5C;AAGA,QAAM,eAAe;AACrB,UAAQ,aAAa,KAAK,WAAW;AACrC,SAAO,UAAU,MAAM;AACrB,cAAU,MAAM,CAAC,CAAC;AAClB,YAAQ,aAAa,KAAK,WAAW;AAAA,EACvC;AAGA,QAAM,qBAAqB;AAC3B,UAAQ,mBAAmB,KAAK,WAAW;AAC3C,SAAO,UAAU,MAAM;AACrB,cAAU,MAAM,CAAC,CAAC;AAClB,YAAQ,mBAAmB,KAAK,WAAW;AAAA,EAC7C;AAEA,SAAO;AACT;AAYA,eAAsB,iBACpB,aAC6B;AAC7B,QAAM,YAAY,MAAM,kBAAkB,WAAW;AACrD,QAAM,QAAkC,CAAC;AAEzC,aAAW,YAAY,WAAW;AAChC,UAAM,WAAgB,UAAK,aAAa,QAAQ;AAChD,QAAI;AACF,YAAM,UAAU,MAAS,YAAS,UAAU,OAAO;AACnD,YAAM,UAAU,eAAe,OAAO;AACtC,YAAM,QAAQ,IAAI;AAAA,IACpB,QAAQ;AAEN;AAAA,IACF;AAAA,EACF;AAGA,QAAM,aAAa,OAAO,KAAK,KAAK,EAAE,KAAK;AAC3C,QAAM,aAAa,WAChB,IAAI,CAAC,QAAQ,GAAG,GAAG,IAAI,KAAK,UAAU,MAAM,GAAG,CAAC,CAAC,EAAE,EACnD,KAAK,IAAI;AACZ,QAAM,UACH,kBAAW,QAAQ,EACnB,OAAO,UAAU,EACjB,OAAO,KAAK;AACf,QAAM,YAAY,gBAAgB,OAAO;AAEzC,SAAO,EAAE,WAAW,MAAM;AAC5B;","names":["fs","path"]}