@groundnuty/macf-core 0.2.0-rc.0

package/dist/certs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/certs/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAEjI,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAEhI,OAAO,EAAE,eAAe,EAAE,yBAAyB,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC5F,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,yBAAyB,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,3 @@
+import type { AgentConfig } from './types.js';
+export declare function loadConfig(): AgentConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAmB9C,wBAAgB,UAAU,IAAI,WAAW,CA+DxC"}

package/dist/config.js

@@ -0,0 +1,131 @@
+import { existsSync } from 'node:fs';
+import { randomBytes } from 'node:crypto';
+import { ConfigError } from './errors.js';
+function requireEnv(name) {
+    const value = process.env[name];
+    if (value === undefined || value === '') {
+        throw new ConfigError(`Required environment variable ${name} is not set`);
+    }
+    return value;
+}
+function requireFilePath(name) {
+    const path = requireEnv(name);
+    if (!existsSync(path)) {
+        throw new ConfigError(`File not found for ${name}: ${path}`);
+    }
+    return path;
+}
+export function loadConfig() {
+    const agentName = requireEnv('MACF_AGENT_NAME');
+    const caCertPath = requireFilePath('MACF_CA_CERT');
+    const caKeyPath = resolveCaKeyPath(caCertPath);
+    const agentCertPath = requireFilePath('MACF_AGENT_CERT');
+    const agentKeyPath = requireFilePath('MACF_AGENT_KEY');
+    const agentType = process.env['MACF_AGENT_TYPE'] ?? 'permanent';
+    if (agentType !== 'permanent' && agentType !== 'worker') {
+        throw new ConfigError(`MACF_AGENT_TYPE must be "permanent" or "worker", got "${agentType}"`);
+    }
+    const portStr = process.env['MACF_PORT'] ?? '0';
+    const port = Number.parseInt(portStr, 10);
+    if (Number.isNaN(port) || port < 0 || port > 65535) {
+        throw new ConfigError(`MACF_PORT must be 0-65535, got "${portStr}"`);
+    }
+    const host = process.env['MACF_HOST'] ?? '0.0.0.0';
+    const advertiseHost = process.env['MACF_ADVERTISE_HOST'] ?? (host === '0.0.0.0' ? '127.0.0.1' : host);
+    const debugStr = process.env['MACF_DEBUG'] ?? 'false';
+    const debug = debugStr === 'true' || debugStr === '1';
+    const logPath = process.env['MACF_LOG_PATH'] || undefined;
+    // P2: Registry config
+    const project = process.env['MACF_PROJECT'] ?? 'MACF';
+    const agentRole = process.env['MACF_AGENT_ROLE'] ?? agentName;
+    const instanceId = randomBytes(3).toString('hex');
+    const registryType = process.env['MACF_REGISTRY_TYPE'] ?? 'repo';
+    const registryConfig = parseRegistryConfig(registryType);
+    // macf#185: workspace dir + tmux target for the on-notify wake path.
+    // All three are optional from the plugin's runtime perspective:
+    // - Missing workspaceDir → wake path no-ops (helper script can't be located).
+    // - Missing tmuxSession/Window + no $TMUX → wake path no-ops silently.
+    // - Any present → wake path uses explicit target, falls back to auto-detect.
+    const workspaceDir = process.env['MACF_WORKSPACE_DIR'] || undefined;
+    const tmuxSession = process.env['MACF_TMUX_SESSION'] || undefined;
+    const tmuxWindow = process.env['MACF_TMUX_WINDOW'] || undefined;
+    return {
+        agentName,
+        agentType,
+        agentRole,
+        host,
+        advertiseHost,
+        port,
+        caCertPath,
+        caKeyPath,
+        agentCertPath,
+        agentKeyPath,
+        debug,
+        logPath,
+        project,
+        instanceId,
+        registry: registryConfig,
+        workspaceDir,
+        tmuxSession,
+        tmuxWindow,
+    };
+}
+let warnedFallback = false;
+/**
+ * Resolve the CA private-key path. Preferred source is the explicit
+ * MACF_CA_KEY env var (#103 R3); falls back to the historical
+ * `-cert.pem` → `-key.pem` swap on MACF_CA_CERT for workspaces that
+ * haven't re-run `macf update` yet (claude.sh now emits MACF_CA_KEY).
+ *
+ * Edge case: if caCertPath doesn't literally contain `-cert.pem`,
+ * `.replace()` silently returns the same string. That's the exact
+ * failure mode this issue fixes — the fallback preserves the old
+ * behavior for compat, but the explicit env is the only reliable
+ * path going forward.
+ */
+function resolveCaKeyPath(caCertPath) {
+    const explicit = process.env['MACF_CA_KEY'];
+    if (explicit !== undefined && explicit !== '') {
+        if (!existsSync(explicit)) {
+            throw new ConfigError(`File not found for MACF_CA_KEY: ${explicit}`);
+        }
+        return explicit;
+    }
+    // Warn once per process so operators see their workspace is in legacy
+    // mode. The structured logger isn't available this early in startup
+    // (loadConfig runs before createLogger), so write directly to stderr.
+    if (!warnedFallback) {
+        warnedFallback = true;
+        process.stderr.write('Warning: MACF_CA_KEY not set; deriving from MACF_CA_CERT. ' +
+            'This fallback is for legacy workspaces only — run `macf update` ' +
+            'to regenerate claude.sh with the explicit MACF_CA_KEY export.\n');
+    }
+    return caCertPath.replace('-cert.pem', '-key.pem');
+}
+function parseRegistryConfig(registryType) {
+    switch (registryType) {
+        case 'org': {
+            const org = process.env['MACF_REGISTRY_ORG'];
+            if (!org)
+                throw new ConfigError('MACF_REGISTRY_ORG is required when MACF_REGISTRY_TYPE=org');
+            return { type: 'org', org };
+        }
+        case 'profile': {
+            const user = process.env['MACF_REGISTRY_USER'];
+            if (!user)
+                throw new ConfigError('MACF_REGISTRY_USER is required when MACF_REGISTRY_TYPE=profile');
+            return { type: 'profile', user };
+        }
+        case 'repo': {
+            const scope = process.env['MACF_REGISTRY_REPO'] ?? 'groundnuty/macf';
+            const parts = scope.split('/');
+            if (parts.length !== 2 || !parts[0] || !parts[1]) {
+                throw new ConfigError(`MACF_REGISTRY_REPO must be "owner/repo", got "${scope}"`);
+            }
+            return { type: 'repo', owner: parts[0], repo: parts[1] };
+        }
+        default:
+            throw new ConfigError(`MACF_REGISTRY_TYPE must be "org", "profile", or "repo", got "${registryType}"`);
+    }
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAI1C,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;QACxC,MAAM,IAAI,WAAW,CAAC,iCAAiC,IAAI,aAAa,CAAC,CAAC;IAC5E,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,eAAe,CAAC,IAAY;IACnC,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IAC9B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,WAAW,CAAC,sBAAsB,IAAI,KAAK,IAAI,EAAE,CAAC,CAAC;IAC/D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,MAAM,SAAS,GAAG,UAAU,CAAC,iBAAiB,CAAC,CAAC;IAChD,MAAM,UAAU,GAAG,eAAe,CAAC,cAAc,CAAC,CAAC;IACnD,MAAM,SAAS,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,aAAa,GAAG,eAAe,CAAC,iBAAiB,CAAC,CAAC;IACzD,MAAM,YAAY,GAAG,eAAe,CAAC,gBAAgB,CAAC,CAAC;IAEvD,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,WAAW,CAAC;IAChE,IAAI,SAAS,KAAK,WAAW,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;QACxD,MAAM,IAAI,WAAW,CAAC,yDAAyD,SAAS,GAAG,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC;IAChD,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC1C,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,KAAK,EAAE,CAAC;QACnD,MAAM,IAAI,WAAW,CAAC,mCAAmC,OAAO,GAAG,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC;IACnD,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAEtG,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC;IACtD,MAAM,KAAK,GAAG,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,GAAG,CAAC;IAEtD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,SAAS,CAAC;IAE1D,sBAAsB;IACtB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC;IACtD,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,SAAS,CAAC;IAC9D,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAElD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,MAAM,CAAC;IACjE,MAAM,cAAc,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAC;IAEzD,qEAAqE;IACrE,gEAAgE;IAChE,8EAA8E;IAC9E,uEAAuE;IACvE,6EAA6E;IAC7E,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,SAAS,CAAC;IACpE,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,SAAS,CAAC;IAClE,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,SAAS,CAAC;IAEhE,OAAO;QACL,SAAS;QACT,SAAS;QACT,SAAS;QACT,IAAI;QACJ,aAAa;QACb,IAAI;QACJ,UAAU;QACV,SAAS;QACT,aAAa;QACb,YAAY;QACZ,KAAK;QACL,OAAO;QACP,OAAO;QACP,UAAU;QACV,QAAQ,EAAE,cAAc;QACxB,YAAY;QACZ,WAAW;QACX,UAAU;KACX,CAAC;AACJ,CAAC;AAED,IAAI,cAAc,GAAG,KAAK,CAAC;AAE3B;;;;;;;;;;;GAWG;AACH,SAAS,gBAAgB,CAAC,UAAkB;IAC1C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC5C,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,EAAE,EAAE,CAAC;QAC9C,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,WAAW,CAAC,mCAAmC,QAAQ,EAAE,CAAC,CAAC;QACvE,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,sEAAsE;IACtE,oEAAoE;IACpE,sEAAsE;IACtE,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,cAAc,GAAG,IAAI,CAAC;QACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,4DAA4D;YAC5D,kEAAkE;YAClE,iEAAiE,CAClE,CAAC;IACJ,CAAC;IACD,OAAO,UAAU,CAAC,OAAO,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,mBAAmB,CAAC,YAAoB;IAC/C,QAAQ,YAAY,EAAE,CAAC;QACrB,KAAK,KAAK,CAAC,CAAC,CAAC;YACX,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;YAC7C,IAAI,CAAC,GAAG;gBAAE,MAAM,IAAI,WAAW,CAAC,2DAA2D,CAAC,CAAC;YAC7F,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;QAC9B,CAAC;QACD,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YAC/C,IAAI,CAAC,IAAI;gBAAE,MAAM,IAAI,WAAW,CAAC,gEAAgE,CAAC,CAAC;YACnG,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QACnC,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,iBAAiB,CAAC;YACrE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjD,MAAM,IAAI,WAAW,CAAC,iDAAiD,KAAK,GAAG,CAAC,CAAC;YACnF,CAAC;YACD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,CAAC;QACD;YACE,MAAM,IAAI,WAAW,CACnB,gEAAgE,YAAY,GAAG,CAChF,CAAC;IACN,CAAC;AACH,CAAC"}

package/dist/errors.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Base error class for all MACF errors.
+ * Each subclass provides a unique `code` string for programmatic handling.
+ */
+export declare class MacfError extends Error {
+    readonly code: string;
+    constructor(code: string, message: string);
+}
+export declare class ConfigError extends MacfError {
+    constructor(message: string);
+}
+export declare class McpChannelError extends MacfError {
+    constructor(message: string);
+}
+export declare class HttpsServerError extends MacfError {
+    constructor(message: string);
+}
+export declare class PortUnavailableError extends MacfError {
+    readonly port: number;
+    constructor(port: number);
+}
+export declare class PortExhaustedError extends MacfError {
+    constructor();
+}
+export declare class ValidationError extends MacfError {
+    constructor(message: string);
+}
+/**
+ * Thrown by server-side handlers to request a specific HTTP status
+ * code on the response. The HTTPS request-handler catches instances
+ * of this error and maps `httpStatus` to the response code. Replaces
+ * the pre-ultrareview pattern:
+ *
+ *   const err = new Error('message');
+ *   (err as { status?: number }).status = 503;
+ *   throw err;
+ *
+ * which relied on ad-hoc `as { status?: number }` casts at both throw
+ * and catch sites. With `HttpError`, the contract is type-level: the
+ * catch site narrows via `instanceof HttpError` and reads the typed
+ * `httpStatus` field.
+ *
+ * Use for intentional, operator-visible failures (e.g. "signing not
+ * available on this agent" → 503). Don't use for unexpected errors —
+ * those should bubble up to the generic 500 path.
+ */
+export declare class HttpError extends MacfError {
+    readonly httpStatus: number;
+    constructor(httpStatus: number, message: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,qBAAa,SAAU,SAAQ,KAAK;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAEV,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAK1C;AAED,qBAAa,WAAY,SAAQ,SAAS;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,eAAgB,SAAQ,SAAS;gBAChC,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,gBAAiB,SAAQ,SAAS;gBACjC,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,oBAAqB,SAAQ,SAAS;IACjD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAEV,IAAI,EAAE,MAAM;CAKzB;AAED,qBAAa,kBAAmB,SAAQ,SAAS;;CAKhD;AAED,qBAAa,eAAgB,SAAQ,SAAS;gBAChC,OAAO,EAAE,MAAM;CAI5B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,SAAU,SAAQ,SAAS;IACtC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;gBAEhB,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAKhD"}

package/dist/errors.js

@@ -0,0 +1,78 @@
+/**
+ * Base error class for all MACF errors.
+ * Each subclass provides a unique `code` string for programmatic handling.
+ */
+export class MacfError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = 'MacfError';
+        this.code = code;
+    }
+}
+export class ConfigError extends MacfError {
+    constructor(message) {
+        super('CONFIG_ERROR', message);
+        this.name = 'ConfigError';
+    }
+}
+export class McpChannelError extends MacfError {
+    constructor(message) {
+        super('MCP_CHANNEL_ERROR', message);
+        this.name = 'McpChannelError';
+    }
+}
+export class HttpsServerError extends MacfError {
+    constructor(message) {
+        super('HTTPS_SERVER_ERROR', message);
+        this.name = 'HttpsServerError';
+    }
+}
+export class PortUnavailableError extends MacfError {
+    port;
+    constructor(port) {
+        super('PORT_UNAVAILABLE', `Port ${port} is already in use`);
+        this.name = 'PortUnavailableError';
+        this.port = port;
+    }
+}
+export class PortExhaustedError extends MacfError {
+    constructor() {
+        super('PORT_EXHAUSTED', 'Failed to find available port after 10 attempts');
+        this.name = 'PortExhaustedError';
+    }
+}
+export class ValidationError extends MacfError {
+    constructor(message) {
+        super('VALIDATION_ERROR', message);
+        this.name = 'ValidationError';
+    }
+}
+/**
+ * Thrown by server-side handlers to request a specific HTTP status
+ * code on the response. The HTTPS request-handler catches instances
+ * of this error and maps `httpStatus` to the response code. Replaces
+ * the pre-ultrareview pattern:
+ *
+ *   const err = new Error('message');
+ *   (err as { status?: number }).status = 503;
+ *   throw err;
+ *
+ * which relied on ad-hoc `as { status?: number }` casts at both throw
+ * and catch sites. With `HttpError`, the contract is type-level: the
+ * catch site narrows via `instanceof HttpError` and reads the typed
+ * `httpStatus` field.
+ *
+ * Use for intentional, operator-visible failures (e.g. "signing not
+ * available on this agent" → 503). Don't use for unexpected errors —
+ * those should bubble up to the generic 500 path.
+ */
+export class HttpError extends MacfError {
+    httpStatus;
+    constructor(httpStatus, message) {
+        super('HTTP_ERROR', message);
+        this.name = 'HttpError';
+        this.httpStatus = httpStatus;
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,OAAO,SAAU,SAAQ,KAAK;IACzB,IAAI,CAAS;IAEtB,YAAY,IAAY,EAAE,OAAe;QACvC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAED,MAAM,OAAO,WAAY,SAAQ,SAAS;IACxC,YAAY,OAAe;QACzB,KAAK,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QAC/B,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AAED,MAAM,OAAO,eAAgB,SAAQ,SAAS;IAC5C,YAAY,OAAe;QACzB,KAAK,CAAC,mBAAmB,EAAE,OAAO,CAAC,CAAC;QACpC,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED,MAAM,OAAO,gBAAiB,SAAQ,SAAS;IAC7C,YAAY,OAAe;QACzB,KAAK,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED,MAAM,OAAO,oBAAqB,SAAQ,SAAS;IACxC,IAAI,CAAS;IAEtB,YAAY,IAAY;QACtB,KAAK,CAAC,kBAAkB,EAAE,QAAQ,IAAI,oBAAoB,CAAC,CAAC;QAC5D,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;QACnC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAED,MAAM,OAAO,kBAAmB,SAAQ,SAAS;IAC/C;QACE,KAAK,CAAC,gBAAgB,EAAE,iDAAiD,CAAC,CAAC;QAC3E,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,MAAM,OAAO,eAAgB,SAAQ,SAAS;IAC5C,YAAY,OAAe;QACzB,KAAK,CAAC,kBAAkB,EAAE,OAAO,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,OAAO,SAAU,SAAQ,SAAS;IAC7B,UAAU,CAAS;IAE5B,YAAY,UAAkB,EAAE,OAAe;QAC7C,KAAK,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAC7B,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF"}

package/dist/index.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Barrel export for the macf-core package.
+ *
+ * Internal-shared-code package consumed by the MACF CLI and channel-
+ * server packages via npm workspaces. Not intended for direct
+ * external use (will be marked deprecated-internal on first npm
+ * publish per DR-022 Amendment A).
+ *
+ * Re-exports everything the consumers need so they can
+ * `import { X } from '@groundnuty/macf-core'` instead of reaching
+ * into subpaths. Subpath imports are still supported via normal
+ * node-resolution for consumers that need a specific module.
+ */
+export * from './errors.js';
+export * from './logger.js';
+export * from './config.js';
+export * from './token.js';
+export * from './types.js';
+export * from './mtls-health-ping.js';
+export * from './certs/index.js';
+export * from './registry/index.js';
+export { createChallengeStore, DEFAULT_CHALLENGE_TTL_MS } from './certs/challenge-store.js';
+export type { ChallengeRecord, ChallengeStore, Clock } from './certs/challenge-store.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC;AAC3B,cAAc,uBAAuB,CAAC;AACtC,cAAc,kBAAkB,CAAC;AACjC,cAAc,qBAAqB,CAAC;AAIpC,OAAO,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AAC5F,YAAY,EAAE,eAAe,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,4BAA4B,CAAC"}

package/dist/index.js

@@ -0,0 +1,25 @@
+/**
+ * Barrel export for the macf-core package.
+ *
+ * Internal-shared-code package consumed by the MACF CLI and channel-
+ * server packages via npm workspaces. Not intended for direct
+ * external use (will be marked deprecated-internal on first npm
+ * publish per DR-022 Amendment A).
+ *
+ * Re-exports everything the consumers need so they can
+ * `import { X } from '@groundnuty/macf-core'` instead of reaching
+ * into subpaths. Subpath imports are still supported via normal
+ * node-resolution for consumers that need a specific module.
+ */
+export * from './errors.js';
+export * from './logger.js';
+export * from './config.js';
+export * from './token.js';
+export * from './types.js';
+export * from './mtls-health-ping.js';
+export * from './certs/index.js';
+export * from './registry/index.js';
+// Subpath modules NOT re-exported from the subdir index.ts files;
+// surface them here so consumers can use the flat barrel uniformly.
+export { createChallengeStore, DEFAULT_CHALLENGE_TTL_MS } from './certs/challenge-store.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC;AAC3B,cAAc,uBAAuB,CAAC;AACtC,cAAc,kBAAkB,CAAC;AACjC,cAAc,qBAAqB,CAAC;AAEpC,kEAAkE;AAClE,oEAAoE;AACpE,OAAO,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC"}

package/dist/logger.d.ts

@@ -0,0 +1,6 @@
+import type { Logger } from './types.js';
+export declare function createLogger(config: {
+    readonly logPath?: string;
+    readonly debug?: boolean;
+}): Logger;
+//# sourceMappingURL=logger.d.ts.map

package/dist/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AAkBzC,wBAAgB,YAAY,CAAC,MAAM,EAAE;IACnC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;CAC1B,GAAG,MAAM,CA8BT"}

package/dist/logger.js

@@ -0,0 +1,39 @@
+import { appendFileSync, writeFileSync, existsSync } from 'node:fs';
+import { dirname } from 'node:path';
+import { mkdirSync } from 'node:fs';
+function formatEntry(level, event, data) {
+    const entry = {
+        ts: new Date().toISOString(),
+        level,
+        event,
+        ...data,
+    };
+    return JSON.stringify(entry);
+}
+export function createLogger(config) {
+    const { logPath, debug = false } = config;
+    if (logPath) {
+        const dir = dirname(logPath);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+        if (!existsSync(logPath)) {
+            writeFileSync(logPath, '');
+        }
+    }
+    function write(level, event, data) {
+        const line = formatEntry(level, event, data);
+        if (logPath) {
+            appendFileSync(logPath, line + '\n');
+        }
+        if (debug) {
+            process.stderr.write(line + '\n');
+        }
+    }
+    return {
+        info: (event, data) => write('info', event, data),
+        warn: (event, data) => write('warn', event, data),
+        error: (event, data) => write('error', event, data),
+    };
+}
+//# sourceMappingURL=logger.js.map

package/dist/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACpE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAKpC,SAAS,WAAW,CAClB,KAAe,EACf,KAAa,EACb,IAA8B;IAE9B,MAAM,KAAK,GAA4B;QACrC,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,KAAK;QACL,KAAK;QACL,GAAG,IAAI;KACR,CAAC;IACF,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,MAG5B;IACC,MAAM,EAAE,OAAO,EAAE,KAAK,GAAG,KAAK,EAAE,GAAG,MAAM,CAAC;IAE1C,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAC7B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACzB,aAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,SAAS,KAAK,CAAC,KAAe,EAAE,KAAa,EAAE,IAA8B;QAC3E,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;QAE7C,IAAI,OAAO,EAAE,CAAC;YACZ,cAAc,CAAC,OAAO,EAAE,IAAI,GAAG,IAAI,CAAC,CAAC;QACvC,CAAC;QAED,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,OAAO;QACL,IAAI,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC;QACjD,IAAI,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC;QACjD,KAAK,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC;KACpD,CAAC;AACJ,CAAC"}

package/dist/mtls-health-ping.d.ts

@@ -0,0 +1,26 @@
+import type { HealthResponse } from './types.js';
+/**
+ * Shared mTLS /health ping. Used by:
+ *
+ *   - `src/cli/commands/status.ts` → `macf status` display
+ *   - `src/plugin/lib/health.ts`    → `/macf-ping` skill
+ *
+ * Returns the parsed HealthResponse on 2xx JSON, or `null` on any
+ * failure (missing cert files, network error, timeout, bad JSON).
+ * Null-on-failure matches both callers' expectations — they render
+ * "agent offline" at the UI layer.
+ *
+ * `src/collision.ts` has its own boolean-returning variant with
+ * different failure semantics (an in-process collision check, not a
+ * user-facing status fetch) — intentionally not folded into this
+ * shared helper. See ultrareview finding A3 for the dedup rationale.
+ */
+export declare function pingAgentHealth(config: {
+    readonly host: string;
+    readonly port: number;
+    readonly caCertPem: string;
+    readonly certPath: string;
+    readonly keyPath: string;
+    readonly timeoutMs?: number;
+}): Promise<HealthResponse | null>;
+//# sourceMappingURL=mtls-health-ping.d.ts.map

package/dist/mtls-health-ping.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mtls-health-ping.d.ts","sourceRoot":"","sources":["../src/mtls-health-ping.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,eAAe,CAAC,MAAM,EAAE;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAmCjC"}

package/dist/mtls-health-ping.js

@@ -0,0 +1,53 @@
+import { request } from 'node:https';
+import { readFileSync, existsSync } from 'node:fs';
+/**
+ * Shared mTLS /health ping. Used by:
+ *
+ *   - `src/cli/commands/status.ts` → `macf status` display
+ *   - `src/plugin/lib/health.ts`    → `/macf-ping` skill
+ *
+ * Returns the parsed HealthResponse on 2xx JSON, or `null` on any
+ * failure (missing cert files, network error, timeout, bad JSON).
+ * Null-on-failure matches both callers' expectations — they render
+ * "agent offline" at the UI layer.
+ *
+ * `src/collision.ts` has its own boolean-returning variant with
+ * different failure semantics (an in-process collision check, not a
+ * user-facing status fetch) — intentionally not folded into this
+ * shared helper. See ultrareview finding A3 for the dedup rationale.
+ */
+export async function pingAgentHealth(config) {
+    const { host, port, caCertPem, certPath, keyPath, timeoutMs = DEFAULT_TIMEOUT_MS } = config;
+    if (!existsSync(certPath) || !existsSync(keyPath))
+        return null;
+    return new Promise((resolve) => {
+        const req = request({
+            hostname: host,
+            port,
+            method: 'GET',
+            path: '/health',
+            ca: Buffer.from(caCertPem),
+            cert: readFileSync(certPath),
+            key: readFileSync(keyPath),
+            rejectUnauthorized: true,
+            timeout: timeoutMs,
+        }, (res) => {
+            const chunks = [];
+            res.on('data', (chunk) => chunks.push(chunk));
+            res.on('end', () => {
+                try {
+                    const body = JSON.parse(Buffer.concat(chunks).toString('utf-8'));
+                    resolve(body);
+                }
+                catch {
+                    resolve(null);
+                }
+            });
+        });
+        req.on('error', () => resolve(null));
+        req.on('timeout', () => { req.destroy(); resolve(null); });
+        req.end();
+    });
+}
+const DEFAULT_TIMEOUT_MS = 5000;
+//# sourceMappingURL=mtls-health-ping.js.map

package/dist/mtls-health-ping.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mtls-health-ping.js","sourceRoot":"","sources":["../src/mtls-health-ping.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AACrC,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAGnD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAOrC;IACC,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,GAAG,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAE5F,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/D,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,GAAG,GAAG,OAAO,CACjB;YACE,QAAQ,EAAE,IAAI;YACd,IAAI;YACJ,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,SAAS;YACf,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC;YAC1B,IAAI,EAAE,YAAY,CAAC,QAAQ,CAAC;YAC5B,GAAG,EAAE,YAAY,CAAC,OAAO,CAAC;YAC1B,kBAAkB,EAAE,IAAI;YACxB,OAAO,EAAE,SAAS;SACnB,EACD,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YACtD,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACjB,IAAI,CAAC;oBACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;oBACjE,OAAO,CAAC,IAAsB,CAAC,CAAC;gBAClC,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,CAAC,IAAI,CAAC,CAAC;gBAChB,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CACF,CAAC;QACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACrC,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,kBAAkB,GAAG,IAAI,CAAC"}

package/dist/registry/factory.d.ts

@@ -0,0 +1,10 @@
+import type { Registry, RegistryConfig } from './types.js';
+/**
+ * Creates a Registry from config. The registry type determines
+ * the GitHub API path prefix:
+ *   - org:     /orgs/{org}
+ *   - profile: /repos/{user}/{user}  (user's profile repo)
+ *   - repo:    /repos/{owner}/{repo}
+ */
+export declare function createRegistryFromConfig(config: RegistryConfig, project: string, token: string): Registry;
+//# sourceMappingURL=factory.d.ts.map

package/dist/registry/factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../src/registry/factory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAI3D;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,GACZ,QAAQ,CAiBV"}

package/dist/registry/factory.js

@@ -0,0 +1,26 @@
+import { createGitHubClient } from './github-client.js';
+import { createRegistry } from './registry.js';
+/**
+ * Creates a Registry from config. The registry type determines
+ * the GitHub API path prefix:
+ *   - org:     /orgs/{org}
+ *   - profile: /repos/{user}/{user}  (user's profile repo)
+ *   - repo:    /repos/{owner}/{repo}
+ */
+export function createRegistryFromConfig(config, project, token) {
+    let pathPrefix;
+    switch (config.type) {
+        case 'org':
+            pathPrefix = `/orgs/${config.org}`;
+            break;
+        case 'profile':
+            pathPrefix = `/repos/${config.user}/${config.user}`;
+            break;
+        case 'repo':
+            pathPrefix = `/repos/${config.owner}/${config.repo}`;
+            break;
+    }
+    const client = createGitHubClient(pathPrefix, token);
+    return createRegistry(client, project);
+}
+//# sourceMappingURL=factory.js.map

package/dist/registry/factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.js","sourceRoot":"","sources":["../../src/registry/factory.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAE/C;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CACtC,MAAsB,EACtB,OAAe,EACf,KAAa;IAEb,IAAI,UAAkB,CAAC;IAEvB,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,KAAK,KAAK;YACR,UAAU,GAAG,SAAS,MAAM,CAAC,GAAG,EAAE,CAAC;YACnC,MAAM;QACR,KAAK,SAAS;YACZ,UAAU,GAAG,UAAU,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YACpD,MAAM;QACR,KAAK,MAAM;YACT,UAAU,GAAG,UAAU,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YACrD,MAAM;IACV,CAAC;IAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IACrD,OAAO,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AACzC,CAAC"}

package/dist/registry/github-client.d.ts

@@ -0,0 +1,14 @@
+import type { GitHubVariablesClient } from './types.js';
+import { MacfError } from '../errors.js';
+export declare class GitHubApiError extends MacfError {
+    readonly status: number;
+    constructor(status: number, message: string);
+}
+/**
+ * Creates a GitHub Variables API client for a given URL path prefix.
+ *
+ * @param pathPrefix - e.g. "/orgs/my-org" or "/repos/owner/repo"
+ * @param token - GitHub API token
+ */
+export declare function createGitHubClient(pathPrefix: string, token: string): GitHubVariablesClient;
+//# sourceMappingURL=github-client.d.ts.map

package/dist/registry/github-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github-client.d.ts","sourceRoot":"","sources":["../../src/registry/github-client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AACxD,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,qBAAa,cAAe,SAAQ,SAAS;IAC3C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;gBAEZ,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAK5C;AAwBD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,GACZ,qBAAqB,CA8GvB"}