@groundnuty/macf 0.2.35 → 0.2.37

package/dist/cli/monitor/run.js

@@ -0,0 +1,67 @@
+/**
+ * Read-only Monitor orchestrator for the auditor (groundnuty/macf#502, DR-026 F4).
+ *
+ * Aggregates a project's coordination substrate — GitHub (open issues + open
+ * PRs, via an injectable read-only seam), F2 reflection ledgers, and a defensive
+ * project-tier rule count — and renders a protocol-health digest via the pure
+ * `buildDigest`.
+ *
+ * Everything here is a READ. The GitHub seam is `GitHubReader` (list-only by
+ * type); reflections + project-rule counts are filesystem reads. The clock is
+ * injected so output is deterministic under test.
+ */
+import { readdirSync, existsSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+import { buildDigest } from './digest.js';
+import { readReflections } from './reflections.js';
+/**
+ * Count `.claude/rules/project/*.md` files. Defensive: returns 0 (never throws)
+ * when the directory is absent — F3 isn't merged, so its absence is normal.
+ */
+export function countProjectRules(workspaceDir) {
+    const dir = join(workspaceDir, '.claude', 'rules', 'project');
+    if (!existsSync(dir))
+        return 0;
+    try {
+        return readdirSync(dir).filter((f) => {
+            if (!f.endsWith('.md'))
+                return false;
+            try {
+                return statSync(join(dir, f)).isFile();
+            }
+            catch {
+                return false;
+            }
+        }).length;
+    }
+    catch {
+        return 0;
+    }
+}
+/**
+ * Run the Monitor: read everything, build the digest, return the Markdown.
+ *
+ * Only READS are performed. Any GitHub read failure is surfaced as a thrown
+ * error to the caller (the CLI command), which decides how to report it.
+ */
+export async function runMonitor(opts) {
+    const [issues, prs] = await Promise.all([
+        opts.reader.listOpenIssues(opts.repo),
+        opts.reader.listOpenPRs(opts.repo),
+    ]);
+    const reflections = readReflections(opts.reflectionsDir);
+    const projectRulesCount = countProjectRules(opts.workspaceDir);
+    return buildDigest({
+        project: opts.project,
+        repo: opts.repo,
+        sinceDays: opts.sinceDays,
+        issues,
+        prs,
+        reflections: reflections.records,
+        reflectionsSkipped: reflections.skipped,
+        reflectionFiles: reflections.files,
+        projectRulesCount,
+        now: opts.now,
+    });
+}
+//# sourceMappingURL=run.js.map

package/dist/cli/monitor/run.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.js","sourceRoot":"","sources":["../../../src/cli/monitor/run.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC5D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,WAAW,EAAc,MAAM,aAAa,CAAC;AAEtD,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAkBnD;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,YAAoB;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IAC9D,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,CAAC,CAAC;IAC/B,IAAI,CAAC;QACH,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YACnC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YACrC,IAAI,CAAC;gBACH,OAAO,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;YACzC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC,CAAC,CAAC,MAAM,CAAC;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAuB;IACtD,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;QACrC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;KACnC,CAAC,CAAC;IAEH,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACzD,MAAM,iBAAiB,GAAG,iBAAiB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAE/D,OAAO,WAAW,CAAC;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,MAAM;QACN,GAAG;QACH,WAAW,EAAE,WAAW,CAAC,OAAO;QAChC,kBAAkB,EAAE,WAAW,CAAC,OAAO;QACvC,eAAe,EAAE,WAAW,CAAC,KAAK;QAClC,iBAAiB;QACjB,GAAG,EAAE,IAAI,CAAC,GAAG;KACd,CAAC,CAAC;AACL,CAAC"}

package/dist/cli/project-rules.d.ts

@@ -0,0 +1,105 @@
+/** Env var carrying the project-rules source (operator-managed config). */
+export declare const PROJECT_RULES_SOURCE_ENV = "MACF_PROJECT_RULES_SOURCE";
+/**
+ * Destination directory for project-tier rules within a workspace:
+ * `<workspace>/.claude/rules/project/`. A SUBDIR of the universal-rule dir so
+ * the two tiers are distinguishable on disk.
+ */
+export declare function workspaceProjectRulesDir(workspaceDir: string): string;
+/**
+ * Parsed shape of a `MACF_PROJECT_RULES_SOURCE` value.
+ *
+ *   - `kind: 'github'` — `<owner>/<repo>//<path>` form: fetched via git clone.
+ *   - `kind: 'local'`  — a local directory path: copied directly.
+ */
+export type ProjectRulesSource = {
+    readonly kind: 'github';
+    readonly owner: string;
+    readonly repo: string;
+    readonly subpath: string;
+} | {
+    readonly kind: 'local';
+    readonly dir: string;
+};
+/**
+ * Parse a `MACF_PROJECT_RULES_SOURCE` value into a discriminated source.
+ *
+ * The `//` separator disambiguates the two forms unambiguously: a GitHub
+ * `<owner>/<repo>//<path>` always contains `//`, a local filesystem path
+ * never does (`//` collapses to `/` on POSIX and isn't a meaningful path
+ * token). So presence of `//` selects the github form; absence selects local.
+ *
+ * Returns `undefined` for an empty/whitespace-only value (caller treats as
+ * no-op) or a malformed github form (missing owner/repo/path segment) —
+ * malformed is surfaced by the caller as a warning, not a parse crash.
+ */
+export declare function parseProjectRulesSource(raw: string | undefined): ProjectRulesSource | undefined;
+export interface FetchProjectRulesOptions {
+    /** Override the env value (defaults to process.env[MACF_PROJECT_RULES_SOURCE]). */
+    readonly source?: string;
+    /**
+     * Override the GitHub base URL for the github-source form (tests point this
+     * at a local bare repo). Defaults to `https://github.com`.
+     */
+    readonly githubBaseUrl?: string;
+}
+/**
+ * Distribute project-tier rules into `<workspace>/.claude/rules/project/`.
+ *
+ * Resolves the source from `MACF_PROJECT_RULES_SOURCE` (or `options.source`):
+ *   - Unset/empty/whitespace → NO-OP, returns `[]`. The tier is optional.
+ *   - `<owner>/<repo>//<path>` → shallow git clone the default branch (mirrors
+ *     plugin-fetcher.ts), copy `<clone>/<path>/*.md` to the dest subdir.
+ *   - a local directory path → copy `<dir>/*.md` directly.
+ *
+ * Only `*.md` files are copied (a `.example` template, a README, etc. in the
+ * source are ignored — same filter as the universal-rule copy). Each copied
+ * file gets the PROJECT_RULE_HEADER prepended (unless it already opens with an
+ * HTML comment, to avoid double-stacking).
+ *
+ * **Idempotent + non-destructive to other tiers.** The dest is a fresh subdir;
+ * the universal `.claude/rules/*.md` files are never touched (different path).
+ * Re-running overwrites the project subdir's `*.md` files with the current
+ * source content. A `.example` seed (from `macf init`) is preserved — only
+ * `*.md` files are managed here.
+ *
+ * Throws only on a genuine fetch failure (git clone error, source path is a
+ * file not a directory, the github subpath is missing in the clone). A
+ * malformed source string is a no-op-with-warning, NOT a throw, so a typo'd
+ * config can't break `macf update`.
+ *
+ * @returns the list of copied basenames (empty when the source is unset or
+ *   the source dir has no `*.md` files).
+ */
+export declare function fetchProjectRules(workspaceDir: string, options?: FetchProjectRulesOptions): readonly string[];
+/**
+ * Basename of the seed template `macf init` drops into the project-rules
+ * subdir. The `.example` suffix keeps it OUT of the live-rule set (only `*.md`
+ * are loaded as rules + managed by `fetchProjectRules`), so it self-documents
+ * the tier + gives the DR-026 §4 auditor a format to match without becoming a
+ * rule itself.
+ */
+export declare const PROJECT_RULE_SEED_NAME = "EXAMPLE.project-rule.md.example";
+/**
+ * Generic, deployment-agnostic seed content for the project-rules tier.
+ *
+ * CRITICAL: this ships via `macf init` to EVERY deployment, so it must NOT be
+ * macf-specific. A genomics deployment must not receive a macf `dev.mk` rule.
+ * The body demonstrates the FORMAT + the precedence contract with neutral
+ * placeholders only — never a concrete macf rule.
+ */
+export declare function projectRuleSeedContent(): string;
+/**
+ * Seed the project-rules subdir with the generic `.example` template
+ * (`macf init`). Creates `.claude/rules/project/` (mkdir -p) and writes the
+ * `.example` file. Idempotent: overwrites the `.example` with the current
+ * canonical template — it's a managed example, not operator state. Returns the
+ * seeded basename.
+ *
+ * Deliberately does NOT fetch from `MACF_PROJECT_RULES_SOURCE` — `macf init`
+ * only lays down the tier + its self-documenting seed; `macf update` (and
+ * `macf rules refresh`) pull the actual rules from the source. This keeps init
+ * generic (it ships to every deployment) and offline-safe.
+ */
+export declare function seedProjectRulesDir(workspaceDir: string): string;
+//# sourceMappingURL=project-rules.d.ts.map

package/dist/cli/project-rules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"project-rules.d.ts","sourceRoot":"","sources":["../../src/cli/project-rules.ts"],"names":[],"mappings":"AAiDA,2EAA2E;AAC3E,eAAO,MAAM,wBAAwB,8BAA8B,CAAC;AAsBpE;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAErE;AAED;;;;;GAKG;AACH,MAAM,MAAM,kBAAkB,GAC1B;IAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpG;IAAE,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC;AAErD;;;;;;;;;;;GAWG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,kBAAkB,GAAG,SAAS,CAmB/F;AAED,MAAM,WAAW,wBAAwB;IACvC,mFAAmF;IACnF,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;;;OAGG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;CACjC;AAID;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,iBAAiB,CAC/B,YAAY,EAAE,MAAM,EACpB,OAAO,GAAE,wBAA6B,GACrC,SAAS,MAAM,EAAE,CA0DnB;AAwBD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,oCAAoC,CAAC;AAExE;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,CA8D/C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAKhE"}

package/dist/cli/project-rules.js

@@ -0,0 +1,305 @@
+/**
+ * Project-tier rule distribution (groundnuty/macf#501, DR-026 F3).
+ *
+ * The three-tier rule model (DR-026 §3) splits coordination knowledge into:
+ *   1. Universal / product rules — shipped IN the CLI at `plugin/rules/*.md`,
+ *      copied to `.claude/rules/*.md` (see rules.ts `copyCanonicalRules`).
+ *   2. **Project rules** — per-deployment, NOT shipped in the npm product. This
+ *      module. Sourced from an explicit config and copied to a SUBDIR
+ *      `.claude/rules/project/*.md` so the universal and project tiers are
+ *      distinguishable on disk (DR-026 §4's subordination check needs a clean
+ *      target to match against).
+ *   3. Agent-private rules — an agent's own `.claude/rules/` / memory; out of
+ *      scope here.
+ *
+ * **Why explicit config, not "the coordination repo".** A multi-repo deployment
+ * has no single repo to implicitly pull project rules from, so the source MUST
+ * be configured. `MACF_PROJECT_RULES_SOURCE` carries it, in one of two forms:
+ *
+ *   - `<owner>/<repo>//<path>`  — a GitHub repo + subdir (e.g.
+ *                                 `groundnuty/macf//project-rules`). Fetched via
+ *                                 a shallow `git clone` of the default branch,
+ *                                 mirroring plugin-fetcher.ts (reuse, don't
+ *                                 reinvent). The `//` separates repo from path.
+ *   - a local directory path     — anything WITHOUT the `//` separator that
+ *                                 resolves to a directory on disk. Copied
+ *                                 directly (no clone). Lets a single-host
+ *                                 deployment point at a checked-out repo or a
+ *                                 plain rules directory.
+ *
+ * **Optional tier — never errors on absence.** When the env var is unset/empty,
+ * `fetchProjectRules` is a no-op returning `[]`. The tier is optional, exactly
+ * like a workspace that has no universal rules: absence is normal, not a fault.
+ *
+ * **No shadow of the universal tier.** Project rules land under
+ * `.claude/rules/project/`, a different subdir from the universal
+ * `.claude/rules/*.md`. The universal-rule copy path (rules.ts) is untouched,
+ * so this can never overwrite a universal rule.
+ *
+ * **Precedence (documented, NOT enforced here).** Project rules *add to /
+ * specialize* the universal protocol; they never weaken it. The §4
+ * invariant-check that enforces "never contradict" is a separate (gated) slice
+ * of DR-026 — F3 only lays down the on-disk tiers. See
+ * `design/project-tier-rules.md`.
+ */
+import { execFileSync } from 'node:child_process';
+import { existsSync, mkdirSync, mkdtempSync, readFileSync, readdirSync, rmSync, statSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join, resolve } from 'node:path';
+/** Env var carrying the project-rules source (operator-managed config). */
+export const PROJECT_RULES_SOURCE_ENV = 'MACF_PROJECT_RULES_SOURCE';
+/**
+ * Header prepended to each copied project rule, marking the on-disk tier +
+ * the managed-from-source contract. Distinct wording from the universal-rule
+ * MANAGED_HEADER (rules.ts) so an operator inspecting a file knows which tier
+ * it belongs to + where it came from.
+ */
+const PROJECT_RULE_HEADER = [
+    '<!--',
+    '  PROJECT-TIER RULE (DR-026 §3 tier 2). Distributed by `macf` from this',
+    `  deployment's project-rules source (\`${PROJECT_RULES_SOURCE_ENV}\`). Do not`,
+    '  edit this workspace copy — edits are overwritten on the next `macf update`.',
+    '  Edit the rule at the source, then re-run `macf update` here.',
+    '',
+    '  Project rules ADD TO / SPECIALIZE the universal rules in',
+    '  .claude/rules/*.md; they must never contradict or weaken them',
+    '  (DR-026 §4). See design/project-tier-rules.md.',
+    '-->',
+    '',
+].join('\n');
+/**
+ * Destination directory for project-tier rules within a workspace:
+ * `<workspace>/.claude/rules/project/`. A SUBDIR of the universal-rule dir so
+ * the two tiers are distinguishable on disk.
+ */
+export function workspaceProjectRulesDir(workspaceDir) {
+    return join(resolve(workspaceDir), '.claude', 'rules', 'project');
+}
+/**
+ * Parse a `MACF_PROJECT_RULES_SOURCE` value into a discriminated source.
+ *
+ * The `//` separator disambiguates the two forms unambiguously: a GitHub
+ * `<owner>/<repo>//<path>` always contains `//`, a local filesystem path
+ * never does (`//` collapses to `/` on POSIX and isn't a meaningful path
+ * token). So presence of `//` selects the github form; absence selects local.
+ *
+ * Returns `undefined` for an empty/whitespace-only value (caller treats as
+ * no-op) or a malformed github form (missing owner/repo/path segment) —
+ * malformed is surfaced by the caller as a warning, not a parse crash.
+ */
+export function parseProjectRulesSource(raw) {
+    const value = (raw ?? '').trim();
+    if (value === '')
+        return undefined;
+    const sepIdx = value.indexOf('//');
+    if (sepIdx < 0) {
+        // No `//` → local directory path.
+        return { kind: 'local', dir: value };
+    }
+    const repoPart = value.slice(0, sepIdx);
+    const subpath = value.slice(sepIdx + 2).replace(/^\/+|\/+$/g, '');
+    const ownerRepo = repoPart.split('/');
+    if (ownerRepo.length !== 2 || !ownerRepo[0] || !ownerRepo[1] || subpath === '') {
+        // Malformed github form (e.g. "owner//path" with no repo, or trailing
+        // empty subpath). Don't throw — caller warns + skips.
+        return undefined;
+    }
+    return { kind: 'github', owner: ownerRepo[0], repo: ownerRepo[1], subpath };
+}
+const DEFAULT_GITHUB_BASE_URL = 'https://github.com';
+/**
+ * Distribute project-tier rules into `<workspace>/.claude/rules/project/`.
+ *
+ * Resolves the source from `MACF_PROJECT_RULES_SOURCE` (or `options.source`):
+ *   - Unset/empty/whitespace → NO-OP, returns `[]`. The tier is optional.
+ *   - `<owner>/<repo>//<path>` → shallow git clone the default branch (mirrors
+ *     plugin-fetcher.ts), copy `<clone>/<path>/*.md` to the dest subdir.
+ *   - a local directory path → copy `<dir>/*.md` directly.
+ *
+ * Only `*.md` files are copied (a `.example` template, a README, etc. in the
+ * source are ignored — same filter as the universal-rule copy). Each copied
+ * file gets the PROJECT_RULE_HEADER prepended (unless it already opens with an
+ * HTML comment, to avoid double-stacking).
+ *
+ * **Idempotent + non-destructive to other tiers.** The dest is a fresh subdir;
+ * the universal `.claude/rules/*.md` files are never touched (different path).
+ * Re-running overwrites the project subdir's `*.md` files with the current
+ * source content. A `.example` seed (from `macf init`) is preserved — only
+ * `*.md` files are managed here.
+ *
+ * Throws only on a genuine fetch failure (git clone error, source path is a
+ * file not a directory, the github subpath is missing in the clone). A
+ * malformed source string is a no-op-with-warning, NOT a throw, so a typo'd
+ * config can't break `macf update`.
+ *
+ * @returns the list of copied basenames (empty when the source is unset or
+ *   the source dir has no `*.md` files).
+ */
+export function fetchProjectRules(workspaceDir, options = {}) {
+    const raw = options.source ?? process.env[PROJECT_RULES_SOURCE_ENV];
+    const parsed = parseProjectRulesSource(raw);
+    if (parsed === undefined) {
+        if ((raw ?? '').trim() !== '') {
+            // Non-empty but unparseable — surface it; don't silently drop.
+            process.stderr.write(`Warning: ${PROJECT_RULES_SOURCE_ENV}="${raw}" is malformed.\n` +
+                `  Expected "<owner>/<repo>//<path>" (e.g. groundnuty/macf//project-rules)\n` +
+                `  or a local directory path. Skipping project-rule distribution.\n`);
+        }
+        return [];
+    }
+    if (parsed.kind === 'local') {
+        const srcDir = resolve(parsed.dir);
+        if (!existsSync(srcDir)) {
+            throw new Error(`${PROJECT_RULES_SOURCE_ENV} local source does not exist: ${srcDir}`);
+        }
+        if (!statSync(srcDir).isDirectory()) {
+            throw new Error(`${PROJECT_RULES_SOURCE_ENV} local source is not a directory: ${srcDir}`);
+        }
+        return copyMarkdownRules(srcDir, workspaceProjectRulesDir(workspaceDir));
+    }
+    // github form — shallow-clone the default branch (mirrors plugin-fetcher.ts),
+    // copy the subpath's *.md files, discard the clone.
+    const baseUrl = options.githubBaseUrl ?? DEFAULT_GITHUB_BASE_URL;
+    const repoUrl = `${baseUrl}/${parsed.owner}/${parsed.repo}`;
+    const tmpClone = mkdtempSync(join(tmpdir(), 'macf-project-rules-clone-'));
+    try {
+        execFileSync('git', ['clone', '--depth', '1', repoUrl, tmpClone], {
+            stdio: ['ignore', 'ignore', 'pipe'],
+        });
+        const srcDir = join(tmpClone, parsed.subpath);
+        if (!existsSync(srcDir) || !statSync(srcDir).isDirectory()) {
+            throw new Error(`Project-rules subpath "${parsed.subpath}" not found in ${repoUrl}. ` +
+                `Check ${PROJECT_RULES_SOURCE_ENV} and the repo layout.`);
+        }
+        return copyMarkdownRules(srcDir, workspaceProjectRulesDir(workspaceDir));
+    }
+    catch (err) {
+        if (err instanceof Error && err.message.includes('subpath'))
+            throw err;
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new Error(`Failed to fetch project rules from ${repoUrl}: ${msg}. ` +
+            `Check network access + that ${PROJECT_RULES_SOURCE_ENV} is correct.`, { cause: err });
+    }
+    finally {
+        rmSync(tmpClone, { recursive: true, force: true });
+    }
+}
+/**
+ * Copy every `*.md` file from `srcDir` to `destDir`, prepending the
+ * project-rule header. Creates `destDir` (mkdir -p). Returns copied basenames.
+ * Shared by both the local and github source paths.
+ */
+function copyMarkdownRules(srcDir, destDir) {
+    mkdirSync(destDir, { recursive: true });
+    const copied = [];
+    for (const entry of readdirSync(srcDir, { withFileTypes: true })) {
+        if (!entry.isFile() || !entry.name.endsWith('.md'))
+            continue;
+        const content = readFileSync(join(srcDir, entry.name), 'utf-8');
+        const out = content.startsWith('<!--') ? content : PROJECT_RULE_HEADER + content;
+        writeFileSync(join(destDir, entry.name), out);
+        copied.push(entry.name);
+    }
+    return copied;
+}
+// ---------------------------------------------------------------------------
+// Seed (.example) template — written by `macf init`
+// ---------------------------------------------------------------------------
+/**
+ * Basename of the seed template `macf init` drops into the project-rules
+ * subdir. The `.example` suffix keeps it OUT of the live-rule set (only `*.md`
+ * are loaded as rules + managed by `fetchProjectRules`), so it self-documents
+ * the tier + gives the DR-026 §4 auditor a format to match without becoming a
+ * rule itself.
+ */
+export const PROJECT_RULE_SEED_NAME = 'EXAMPLE.project-rule.md.example';
+/**
+ * Generic, deployment-agnostic seed content for the project-rules tier.
+ *
+ * CRITICAL: this ships via `macf init` to EVERY deployment, so it must NOT be
+ * macf-specific. A genomics deployment must not receive a macf `dev.mk` rule.
+ * The body demonstrates the FORMAT + the precedence contract with neutral
+ * placeholders only — never a concrete macf rule.
+ */
+export function projectRuleSeedContent() {
+    return [
+        '<!--',
+        '  EXAMPLE project-tier rule (template, not active).',
+        '',
+        '  This file ends in `.example`, so `macf` does NOT load it as a live rule',
+        '  and does NOT overwrite it on `macf update` (only `*.md` files in this',
+        '  directory are managed). It self-documents the project-rules tier and',
+        '  gives the DR-026 §4 auditor a format to match.',
+        '-->',
+        '',
+        '# Project-tier rules (`.claude/rules/project/`)',
+        '',
+        'This directory holds **project-tier** coordination rules (DR-026 §3, tier 2):',
+        'per-deployment rules that ADD TO or SPECIALIZE the universal rules in the',
+        'parent `.claude/rules/*.md` directory.',
+        '',
+        '## Where these come from',
+        '',
+        'Project rules are distributed by `macf` from this deployment\'s configured',
+        'source, set via the `MACF_PROJECT_RULES_SOURCE` operator config in',
+        '`.claude/.macf/env.project-rules`. The source is one of:',
+        '',
+        '- `<owner>/<repo>//<path>` — a GitHub repo + subdir',
+        '  (e.g. `your-org/your-coordination-repo//project-rules`)',
+        '- a local directory path — for single-host deployments',
+        '',
+        'When `MACF_PROJECT_RULES_SOURCE` is unset, this tier is empty (it is',
+        'optional). Authored rules live at the SOURCE, not in this workspace copy —',
+        'edit them there, then run `macf update` here.',
+        '',
+        '## Precedence (the one hard contract)',
+        '',
+        'Project rules may **add to / specialize** the universal protocol but must',
+        '**never contradict or weaken** its protected invariants (e.g. reporter-owns',
+        'closure, the identity↔attribution guarantee, the no-self-merge / LGTM gate).',
+        'See `design/project-tier-rules.md` for the full precedence model.',
+        '',
+        '## Format to follow (replace this example)',
+        '',
+        'A project rule is a Markdown file. Name it `*.md` (this `.example` is a',
+        'template, not a rule). Suggested shape — adapt to your deployment:',
+        '',
+        '```markdown',
+        '# <Short rule title>',
+        '',
+        '## Applies to',
+        '',
+        '<Which agents / repos / situations this project rule governs.>',
+        '',
+        '## Rule',
+        '',
+        '<The specialization. State what it ADDS to the universal protocol — never',
+        'what it weakens. If it looks like it relaxes a universal invariant, it is',
+        'wrong by construction (DR-026 §4).>',
+        '',
+        '## Rationale',
+        '',
+        '<Why this deployment needs it. Link the incident / pattern it codifies.>',
+        '```',
+        '',
+    ].join('\n');
+}
+/**
+ * Seed the project-rules subdir with the generic `.example` template
+ * (`macf init`). Creates `.claude/rules/project/` (mkdir -p) and writes the
+ * `.example` file. Idempotent: overwrites the `.example` with the current
+ * canonical template — it's a managed example, not operator state. Returns the
+ * seeded basename.
+ *
+ * Deliberately does NOT fetch from `MACF_PROJECT_RULES_SOURCE` — `macf init`
+ * only lays down the tier + its self-documenting seed; `macf update` (and
+ * `macf rules refresh`) pull the actual rules from the source. This keeps init
+ * generic (it ships to every deployment) and offline-safe.
+ */
+export function seedProjectRulesDir(workspaceDir) {
+    const destDir = workspaceProjectRulesDir(workspaceDir);
+    mkdirSync(destDir, { recursive: true });
+    writeFileSync(join(destDir, PROJECT_RULE_SEED_NAME), projectRuleSeedContent());
+    return PROJECT_RULE_SEED_NAME;
+}
+//# sourceMappingURL=project-rules.js.map

package/dist/cli/project-rules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"project-rules.js","sourceRoot":"","sources":["../../src/cli/project-rules.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACzH,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE1C,2EAA2E;AAC3E,MAAM,CAAC,MAAM,wBAAwB,GAAG,2BAA2B,CAAC;AAEpE;;;;;GAKG;AACH,MAAM,mBAAmB,GAAG;IAC1B,MAAM;IACN,yEAAyE;IACzE,0CAA0C,wBAAwB,aAAa;IAC/E,+EAA+E;IAC/E,gEAAgE;IAChE,EAAE;IACF,4DAA4D;IAC5D,iEAAiE;IACjE,kDAAkD;IAClD,KAAK;IACL,EAAE;CACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAEb;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,YAAoB;IAC3D,OAAO,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;AACpE,CAAC;AAYD;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAuB;IAC7D,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACjC,IAAI,KAAK,KAAK,EAAE;QAAE,OAAO,SAAS,CAAC;IAEnC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACnC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QACf,kCAAkC;QAClC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IACvC,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACxC,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;IAClE,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;QAC/E,sEAAsE;QACtE,sDAAsD;QACtD,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC;AAC9E,CAAC;AAYD,MAAM,uBAAuB,GAAG,oBAAoB,CAAC;AAErD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,iBAAiB,CAC/B,YAAoB,EACpB,UAAoC,EAAE;IAEtC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IACpE,MAAM,MAAM,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAC9B,+DAA+D;YAC/D,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,YAAY,wBAAwB,KAAK,GAAG,mBAAmB;gBAC7D,6EAA6E;gBAC7E,oEAAoE,CACvE,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CACb,GAAG,wBAAwB,iCAAiC,MAAM,EAAE,CACrE,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CACb,GAAG,wBAAwB,qCAAqC,MAAM,EAAE,CACzE,CAAC;QACJ,CAAC;QACD,OAAO,iBAAiB,CAAC,MAAM,EAAE,wBAAwB,CAAC,YAAY,CAAC,CAAC,CAAC;IAC3E,CAAC;IAED,8EAA8E;IAC9E,oDAAoD;IACpD,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,IAAI,uBAAuB,CAAC;IACjE,MAAM,OAAO,GAAG,GAAG,OAAO,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;IAC5D,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,2BAA2B,CAAC,CAAC,CAAC;IAC1E,IAAI,CAAC;QACH,YAAY,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE;YAChE,KAAK,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC;SACpC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9C,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CACb,0BAA0B,MAAM,CAAC,OAAO,kBAAkB,OAAO,IAAI;gBACnE,SAAS,wBAAwB,uBAAuB,CAC3D,CAAC;QACJ,CAAC;QACD,OAAO,iBAAiB,CAAC,MAAM,EAAE,wBAAwB,CAAC,YAAY,CAAC,CAAC,CAAC;IAC3E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAAE,MAAM,GAAG,CAAC;QACvE,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CACb,sCAAsC,OAAO,KAAK,GAAG,IAAI;YACvD,+BAA+B,wBAAwB,cAAc,EACvE,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,MAAc,EAAE,OAAe;IACxD,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACxC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACjE,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,SAAS;QAC7D,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;QAChE,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB,GAAG,OAAO,CAAC;QACjF,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,oDAAoD;AACpD,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,iCAAiC,CAAC;AAExE;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB;IACpC,OAAO;QACL,MAAM;QACN,qDAAqD;QACrD,EAAE;QACF,2EAA2E;QAC3E,yEAAyE;QACzE,wEAAwE;QACxE,kDAAkD;QAClD,KAAK;QACL,EAAE;QACF,iDAAiD;QACjD,EAAE;QACF,+EAA+E;QAC/E,2EAA2E;QAC3E,wCAAwC;QACxC,EAAE;QACF,0BAA0B;QAC1B,EAAE;QACF,4EAA4E;QAC5E,oEAAoE;QACpE,0DAA0D;QAC1D,EAAE;QACF,qDAAqD;QACrD,2DAA2D;QAC3D,wDAAwD;QACxD,EAAE;QACF,sEAAsE;QACtE,4EAA4E;QAC5E,+CAA+C;QAC/C,EAAE;QACF,uCAAuC;QACvC,EAAE;QACF,2EAA2E;QAC3E,6EAA6E;QAC7E,8EAA8E;QAC9E,mEAAmE;QACnE,EAAE;QACF,4CAA4C;QAC5C,EAAE;QACF,yEAAyE;QACzE,oEAAoE;QACpE,EAAE;QACF,aAAa;QACb,sBAAsB;QACtB,EAAE;QACF,eAAe;QACf,EAAE;QACF,gEAAgE;QAChE,EAAE;QACF,SAAS;QACT,EAAE;QACF,2EAA2E;QAC3E,2EAA2E;QAC3E,qCAAqC;QACrC,EAAE;QACF,cAAc;QACd,EAAE;QACF,0EAA0E;QAC1E,KAAK;QACL,EAAE;KACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,mBAAmB,CAAC,YAAoB;IACtD,MAAM,OAAO,GAAG,wBAAwB,CAAC,YAAY,CAAC,CAAC;IACvD,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACxC,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,sBAAsB,CAAC,EAAE,sBAAsB,EAAE,CAAC,CAAC;IAC/E,OAAO,sBAAsB,CAAC;AAChC,CAAC"}

package/dist/cli/propose/candidates.d.ts

@@ -0,0 +1,95 @@
+/**
+ * Pure candidate-proposal pipeline for the auditor Plan membrane
+ * (groundnuty/macf#503, DR-026 G1). This is the Analyze→Plan half of the
+ * MAPE-K loop: turn F4's reflection signals into RATIFIABLE proposals.
+ *
+ * Everything here is deterministic CODE scaffolding. The LLM judgment (is this a
+ * real rule? is the text precise? is the tier right?) is NOT encoded — the code
+ * assembles the AGENT-AUTHORED signal content (`signal`/`proposed_tier`/
+ * `rationale` from `rule_evolution_signals`) into structured proposals and
+ * applies three LOAD-BEARING, mechanical safety gates:
+ *
+ *   GATE 1 — N>1 = distinct AGENTS, not occurrences. A candidate is promotable
+ *     only if it recurs across ≥ threshold DISTINCT `agent.name`s. Five hits from
+ *     ONE agent is N=1 → HELD (reflection ≠ verification). We count the set of
+ *     distinct agent names, never raw occurrences.
+ *
+ *   GATE 3 — no-auto-drop on invariant-touch. Step 4 SURFACES which protected
+ *     invariants a candidate touches + flags apparent-relaxations HIGH-RISK, but
+ *     NEVER drops/rejects in code. The amendment clause lets the auditor PROPOSE
+ *     an operator-ratified amendment, so auto-dropping would foreclose that path.
+ *     (GATE 2 — dry-run-by-default — lives in the orchestrator/command + writer
+ *     seam, not here.)
+ *
+ * The tier-router (step 3) groups by the `proposed_tier` HINT and marks
+ * `universal` candidates NEEDS-CONFIRMATION (never auto-route a universal
+ * promotion — it affects every deployment). The hint is a hint, not a decision.
+ */
+import type { ReflectionRecord } from '@groundnuty/macf-core';
+import { type InvariantTouch, type ProtectedInvariant } from './invariants.js';
+/** Default distinct-agent threshold for promotion (configurable). */
+export declare const DEFAULT_MIN_AGENTS = 2;
+/**
+ * The router routing decision for a candidate, derived from its `proposed_tier`
+ * HINT. `needs-confirmation` is the universal/canonical case (never auto-route);
+ * `project-draft` is the local-project-rule case; `review` is anything else (an
+ * unrecognised tier hint still surfaces, routed for plain operator review).
+ */
+export type RouteDecision = 'needs-confirmation' | 'project-draft' | 'review';
+/** A fully-assembled, ratifiable candidate proposal (a survivor of GATE 1). */
+export interface ProposalCandidate {
+    /** Dedup handle: the signal `key` when present, else the signal text. */
+    readonly handle: string;
+    /** Whether the grouping used an explicit `key` (vs falling back to text). */
+    readonly hasKey: boolean;
+    /** The agent-authored proposed tier HINT (verbatim). */
+    readonly proposedTier: string;
+    /** Representative agent-authored signal text. */
+    readonly signal: string;
+    /** All distinct agent-authored rationales contributing this candidate. */
+    readonly rationales: readonly string[];
+    /** Distinct agent names that corroborated this candidate (GATE 1 unit). */
+    readonly corroboratingAgents: readonly string[];
+    /** Distinct-agent count == corroboratingAgents.length (the GATE-1 number). */
+    readonly distinctAgents: number;
+    /** Raw occurrence count (records carrying this signal) — informational only. */
+    readonly occurrences: number;
+    /** Router decision from the tier hint. */
+    readonly route: RouteDecision;
+    /** Protected invariants this candidate plausibly touches (SURFACED, GATE 3). */
+    readonly invariantTouches: readonly InvariantTouch[];
+    /** True when the text reads like a relaxation → HIGH-RISK flag (GATE 3). */
+    readonly highRisk: boolean;
+}
+/** A candidate HELD below the distinct-agent threshold (reported, not dropped). */
+export interface HeldCandidate {
+    readonly handle: string;
+    readonly hasKey: boolean;
+    readonly proposedTier: string;
+    readonly signal: string;
+    readonly distinctAgents: number;
+    readonly occurrences: number;
+    /** Why it was held — always the N<threshold reason for v1. */
+    readonly reason: string;
+}
+/** The full pipeline output: survivors + held + the threshold used. */
+export interface CandidateSet {
+    readonly minAgents: number;
+    readonly promoted: readonly ProposalCandidate[];
+    readonly held: readonly HeldCandidate[];
+}
+/** Route a candidate from its tier hint (universal/canonical never auto-route). */
+export declare function routeForTier(proposedTier: string): RouteDecision;
+/**
+ * Run the full candidate pipeline over the reflection records.
+ *
+ * Steps (DR-026 G1 §The command):
+ *   1. Aggregate signals (distinct-agent grouping).
+ *   2. GATE 1 — keep candidates with distinctAgents ≥ minAgents; the rest go to
+ *      `held` (visible, never silently dropped).
+ *   3. Tier-router — universal/canonical → needs-confirmation; project → draft.
+ *   4. Subordination-check — surface touched invariants + HIGH-RISK relaxation
+ *      flag. NEVER drops (GATE 3).
+ */
+export declare function buildCandidates(records: readonly ReflectionRecord[], invariants: readonly ProtectedInvariant[], minAgents?: number): CandidateSet;
+//# sourceMappingURL=candidates.d.ts.map

package/dist/cli/propose/candidates.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"candidates.d.ts","sourceRoot":"","sources":["../../../src/cli/propose/candidates.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,OAAO,KAAK,EAAE,gBAAgB,EAAuB,MAAM,uBAAuB,CAAC;AACnF,OAAO,EAGL,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACxB,MAAM,iBAAiB,CAAC;AAEzB,qEAAqE;AACrE,eAAO,MAAM,kBAAkB,IAAI,CAAC;AAKpC;;;;;GAKG;AACH,MAAM,MAAM,aAAa,GAAG,oBAAoB,GAAG,eAAe,GAAG,QAAQ,CAAC;AAE9E,+EAA+E;AAC/E,MAAM,WAAW,iBAAiB;IAChC,yEAAyE;IACzE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,6EAA6E;IAC7E,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IACzB,wDAAwD;IACxD,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,iDAAiD;IACjD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,0EAA0E;IAC1E,QAAQ,CAAC,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,2EAA2E;IAC3E,QAAQ,CAAC,mBAAmB,EAAE,SAAS,MAAM,EAAE,CAAC;IAChD,8EAA8E;IAC9E,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,gFAAgF;IAChF,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,0CAA0C;IAC1C,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;IAC9B,gFAAgF;IAChF,QAAQ,CAAC,gBAAgB,EAAE,SAAS,cAAc,EAAE,CAAC;IACrD,4EAA4E;IAC5E,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;CAC5B;AAED,mFAAmF;AACnF,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,8DAA8D;IAC9D,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,uEAAuE;AACvE,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,SAAS,iBAAiB,EAAE,CAAC;IAChD,QAAQ,CAAC,IAAI,EAAE,SAAS,aAAa,EAAE,CAAC;CACzC;AA6DD,mFAAmF;AACnF,wBAAgB,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,aAAa,CAKhE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,SAAS,gBAAgB,EAAE,EACpC,UAAU,EAAE,SAAS,kBAAkB,EAAE,EACzC,SAAS,GAAE,MAA2B,GACrC,YAAY,CA2Dd"}