@groundnuty/macf 0.2.36 → 0.2.38

package/dist/cli/proc-scan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proc-scan.d.ts","sourceRoot":"","sources":["../../src/cli/proc-scan.ts"],"names":[],"mappings":"AAmBA,sDAAsD;AACtD,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,gBAAgB,CAAC;AAE1D,sEAAsE;AACtE,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,UAAU,GAAG,WAAW,CAAC;AAE/D;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IACzB,6DAA6D;IAC7D,QAAQ,CAAC,SAAS,EAAE,MAAM,OAAO,CAAC;IAClC,iDAAiD;IACjD,QAAQ,CAAC,QAAQ,EAAE,MAAM,SAAS,MAAM,EAAE,CAAC;IAC3C,2DAA2D;IAC3D,QAAQ,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;IACjD,wDAAwD;IACxD,QAAQ,CAAC,WAAW,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;IACrD,wDAAwD;IACxD,QAAQ,CAAC,WAAW,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;CACtD;AAED,oEAAoE;AACpE,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC;IAC/B,oEAAoE;IACpE,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,2CAA2C;IAC3C,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,4DAA4D;IAC5D,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,cAAc,EAAE,cAAc,GAAG,IAAI,CAAC;IAC/C,gDAAgD;IAChD,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,kEAAkE;IAClE,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CACtC;AAED,0EAA0E;AAC1E,wBAAgB,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAEvD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAQ1E;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAQ3F;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,GACpC;IAAE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAA;CAAE,GAAG,IAAI,CAWvE;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAMnE;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,UAAU,GAAG,SAAS,WAAW,EAAE,CA0B5E;AAWD;;;GAGG;AACH,eAAO,MAAM,iBAAiB,EAAE,UA8B/B,CAAC"}

package/dist/cli/proc-scan.js

@@ -0,0 +1,172 @@
+/**
+ * Identity-scoped `/proc` scanning for MACF process diagnostics (macf#556).
+ *
+ * Single-tenant instruments (`pgrep claude | head -1`) are WRONG on a
+ * multi-tenant host: `head -1` grabs an arbitrary one of several `claude`
+ * processes, producing a "no OTEL" false negative against a sibling agent.
+ * This module is correct-by-construction: it enumerates EVERY MACF process
+ * and keys each one by its own `readlink /proc/<pid>/cwd` + per-process
+ * environment, so the caller can disambiguate by workspace / agent identity
+ * instead of picking one at random.
+ *
+ * Linux `/proc` only. The `ProcReader` seam keeps the scan a PURE function of
+ * injectable inputs so tests feed synthetic `/proc` data (no real running
+ * processes), and the real reader degrades gracefully (every read returns
+ * `null` on EACCES / ESRCH races; `available()` is false off-Linux).
+ */
+import { readdirSync, readlinkSync, readFileSync, existsSync } from 'node:fs';
+import { basename } from 'node:path';
+/** Split a NUL-separated `/proc` blob (cmdline / environ) into tokens. */
+export function splitNul(raw) {
+    return raw.split('\0').filter((t) => t.length > 0);
+}
+/**
+ * Parse a NUL-separated `/proc/<pid>/environ` blob into a key→value map.
+ * Splits each entry on the FIRST `=` (values may contain `=`).
+ */
+export function parseEnviron(raw) {
+    const env = {};
+    for (const entry of splitNul(raw)) {
+        const eq = entry.indexOf('=');
+        if (eq <= 0)
+            continue;
+        env[entry.slice(0, eq)] = entry.slice(eq + 1);
+    }
+    return env;
+}
+/**
+ * Parse an `OTEL_RESOURCE_ATTRIBUTES` value (`k1=v1,k2=v2`) into a map.
+ * Used to recover `gen_ai.agent.name`, the OTEL-canonical agent identity.
+ */
+export function parseOtelResourceAttributes(value) {
+    const attrs = {};
+    for (const pair of value.split(',')) {
+        const eq = pair.indexOf('=');
+        if (eq <= 0)
+            continue;
+        attrs[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
+    }
+    return attrs;
+}
+/**
+ * Resolve an agent identity from a process environment, in precedence order:
+ *   1. `gen_ai.agent.name` inside `OTEL_RESOURCE_ATTRIBUTES` (telemetry-canonical)
+ *   2. `MACF_AGENT_NAME`
+ *   3. `MACF_ROUTING_LABEL`
+ * Returns null when none is present.
+ */
+export function agentIdentityFromEnv(env) {
+    const ra = env['OTEL_RESOURCE_ATTRIBUTES'];
+    if (ra) {
+        const name = parseOtelResourceAttributes(ra)['gen_ai.agent.name'];
+        if (name)
+            return { identity: name, source: 'otel' };
+    }
+    const envName = env['MACF_AGENT_NAME'];
+    if (envName)
+        return { identity: envName, source: 'env-name' };
+    const envLabel = env['MACF_ROUTING_LABEL'];
+    if (envLabel)
+        return { identity: envLabel, source: 'env-label' };
+    return null;
+}
+/**
+ * Classify a raw cmdline blob as a MACF process kind, or null if it's neither.
+ * channel-server wins over claude (a server is a node process that never
+ * carries a `claude` argv0). claude matches when any argv token's basename is
+ * exactly `claude` (covers `claude`, `/usr/local/bin/claude`, `.../bin/claude`).
+ */
+export function classifyCmdline(raw) {
+    const tokens = splitNul(raw);
+    if (tokens.length === 0)
+        return null;
+    if (tokens.some((t) => t.includes('macf-channel-server')))
+        return 'channel-server';
+    if (tokens.some((t) => basename(t) === 'claude'))
+        return 'claude';
+    return null;
+}
+/**
+ * Enumerate every MACF claude / channel-server process via the reader.
+ * PURE w.r.t. the reader: no real-process dependency. Each process is keyed by
+ * its OWN cwd + environment — never `head -1`. Returns a stable ordering
+ * (by cwd, then kind, then numeric pid) for readable, diffable output.
+ */
+export function scanMacfProcesses(reader) {
+    if (!reader.available())
+        return [];
+    const out = [];
+    for (const pid of reader.listPids()) {
+        const cmdline = reader.readCmdline(pid);
+        if (cmdline === null)
+            continue;
+        const kind = classifyCmdline(cmdline);
+        if (!kind)
+            continue;
+        const cwd = reader.readCwd(pid);
+        const environRaw = reader.readEnviron(pid);
+        const env = environRaw ? parseEnviron(environRaw) : {};
+        const id = agentIdentityFromEnv(env);
+        out.push({
+            pid,
+            kind,
+            cwd,
+            cwdBasename: cwd ? basename(cwd) : null,
+            agentIdentity: id?.identity ?? null,
+            identitySource: id?.source ?? null,
+            port: env['MACF_PORT'] ?? null,
+            otelEndpoint: env['OTEL_EXPORTER_OTLP_ENDPOINT'] ?? null,
+        });
+    }
+    return [...out].sort(compareProcesses);
+}
+/** Stable ordering: cwd (nulls last) → kind → numeric pid. */
+function compareProcesses(a, b) {
+    const ca = a.cwd ?? '￿';
+    const cb = b.cwd ?? '￿';
+    if (ca !== cb)
+        return ca < cb ? -1 : 1;
+    if (a.kind !== b.kind)
+        return a.kind < b.kind ? -1 : 1;
+    return Number(a.pid) - Number(b.pid);
+}
+/**
+ * Real `/proc` reader. Each accessor swallows errors → null so a PID racing
+ * away mid-scan or an unreadable (other-user) process degrades gracefully.
+ */
+export const defaultProcReader = {
+    available: () => process.platform === 'linux' && existsSync('/proc'),
+    listPids: () => {
+        try {
+            return readdirSync('/proc').filter((n) => /^\d+$/.test(n));
+        }
+        catch {
+            return [];
+        }
+    },
+    readCwd: (pid) => {
+        try {
+            return readlinkSync(`/proc/${pid}/cwd`);
+        }
+        catch {
+            return null;
+        }
+    },
+    readCmdline: (pid) => {
+        try {
+            return readFileSync(`/proc/${pid}/cmdline`, 'utf-8');
+        }
+        catch {
+            return null;
+        }
+    },
+    readEnviron: (pid) => {
+        try {
+            return readFileSync(`/proc/${pid}/environ`, 'utf-8');
+        }
+        catch {
+            return null;
+        }
+    },
+};
+//# sourceMappingURL=proc-scan.js.map

package/dist/cli/proc-scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proc-scan.js","sourceRoot":"","sources":["../../src/cli/proc-scan.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC9E,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AA4CrC,0EAA0E;AAC1E,MAAM,UAAU,QAAQ,CAAC,GAAW;IAClC,OAAO,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACrD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,GAAW;IACtC,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAClC,MAAM,EAAE,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,EAAE,IAAI,CAAC;YAAE,SAAS;QACtB,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CAAC,KAAa;IACvD,MAAM,KAAK,GAA2B,EAAE,CAAC;IACzC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACpC,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,EAAE,IAAI,CAAC;YAAE,SAAS;QACtB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9D,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAAqC;IAErC,MAAM,EAAE,GAAG,GAAG,CAAC,0BAA0B,CAAC,CAAC;IAC3C,IAAI,EAAE,EAAE,CAAC;QACP,MAAM,IAAI,GAAG,2BAA2B,CAAC,EAAE,CAAC,CAAC,mBAAmB,CAAC,CAAC;QAClE,IAAI,IAAI;YAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IACtD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACvC,IAAI,OAAO;QAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IAC9D,MAAM,QAAQ,GAAG,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAC3C,IAAI,QAAQ;QAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IACjE,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACrC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;QAAE,OAAO,gBAAgB,CAAC;IACnF,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAClE,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAkB;IAClD,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;QAAE,OAAO,EAAE,CAAC;IACnC,MAAM,GAAG,GAAkB,EAAE,CAAC;IAC9B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,OAAO,KAAK,IAAI;YAAE,SAAS;QAC/B,MAAM,IAAI,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAChC,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAC3C,MAAM,GAAG,GAAG,UAAU,CAAC,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACvD,MAAM,EAAE,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAErC,GAAG,CAAC,IAAI,CAAC;YACP,GAAG;YACH,IAAI;YACJ,GAAG;YACH,WAAW,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;YACvC,aAAa,EAAE,EAAE,EAAE,QAAQ,IAAI,IAAI;YACnC,cAAc,EAAE,EAAE,EAAE,MAAM,IAAI,IAAI;YAClC,IAAI,EAAE,GAAG,CAAC,WAAW,CAAC,IAAI,IAAI;YAC9B,YAAY,EAAE,GAAG,CAAC,6BAA6B,CAAC,IAAI,IAAI;SACzD,CAAC,CAAC;IACL,CAAC;IACD,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;AACzC,CAAC;AAED,8DAA8D;AAC9D,SAAS,gBAAgB,CAAC,CAAc,EAAE,CAAc;IACtD,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC;IACxB,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC;IACxB,IAAI,EAAE,KAAK,EAAE;QAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvC,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI;QAAE,OAAO,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvD,OAAO,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAe;IAC3C,SAAS,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,QAAQ,KAAK,OAAO,IAAI,UAAU,CAAC,OAAO,CAAC;IACpE,QAAQ,EAAE,GAAG,EAAE;QACb,IAAI,CAAC;YACH,OAAO,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAC7D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;QACf,IAAI,CAAC;YACH,OAAO,YAAY,CAAC,SAAS,GAAG,MAAM,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,WAAW,EAAE,CAAC,GAAG,EAAE,EAAE;QACnB,IAAI,CAAC;YACH,OAAO,YAAY,CAAC,SAAS,GAAG,UAAU,EAAE,OAAO,CAAC,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,WAAW,EAAE,CAAC,GAAG,EAAE,EAAE;QACnB,IAAI,CAAC;YACH,OAAO,YAAY,CAAC,SAAS,GAAG,UAAU,EAAE,OAAO,CAAC,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/cli/project-rules.d.ts

@@ -0,0 +1,105 @@
+/** Env var carrying the project-rules source (operator-managed config). */
+export declare const PROJECT_RULES_SOURCE_ENV = "MACF_PROJECT_RULES_SOURCE";
+/**
+ * Destination directory for project-tier rules within a workspace:
+ * `<workspace>/.claude/rules/project/`. A SUBDIR of the universal-rule dir so
+ * the two tiers are distinguishable on disk.
+ */
+export declare function workspaceProjectRulesDir(workspaceDir: string): string;
+/**
+ * Parsed shape of a `MACF_PROJECT_RULES_SOURCE` value.
+ *
+ *   - `kind: 'github'` — `<owner>/<repo>//<path>` form: fetched via git clone.
+ *   - `kind: 'local'`  — a local directory path: copied directly.
+ */
+export type ProjectRulesSource = {
+    readonly kind: 'github';
+    readonly owner: string;
+    readonly repo: string;
+    readonly subpath: string;
+} | {
+    readonly kind: 'local';
+    readonly dir: string;
+};
+/**
+ * Parse a `MACF_PROJECT_RULES_SOURCE` value into a discriminated source.
+ *
+ * The `//` separator disambiguates the two forms unambiguously: a GitHub
+ * `<owner>/<repo>//<path>` always contains `//`, a local filesystem path
+ * never does (`//` collapses to `/` on POSIX and isn't a meaningful path
+ * token). So presence of `//` selects the github form; absence selects local.
+ *
+ * Returns `undefined` for an empty/whitespace-only value (caller treats as
+ * no-op) or a malformed github form (missing owner/repo/path segment) —
+ * malformed is surfaced by the caller as a warning, not a parse crash.
+ */
+export declare function parseProjectRulesSource(raw: string | undefined): ProjectRulesSource | undefined;
+export interface FetchProjectRulesOptions {
+    /** Override the env value (defaults to process.env[MACF_PROJECT_RULES_SOURCE]). */
+    readonly source?: string;
+    /**
+     * Override the GitHub base URL for the github-source form (tests point this
+     * at a local bare repo). Defaults to `https://github.com`.
+     */
+    readonly githubBaseUrl?: string;
+}
+/**
+ * Distribute project-tier rules into `<workspace>/.claude/rules/project/`.
+ *
+ * Resolves the source from `MACF_PROJECT_RULES_SOURCE` (or `options.source`):
+ *   - Unset/empty/whitespace → NO-OP, returns `[]`. The tier is optional.
+ *   - `<owner>/<repo>//<path>` → shallow git clone the default branch (mirrors
+ *     plugin-fetcher.ts), copy `<clone>/<path>/*.md` to the dest subdir.
+ *   - a local directory path → copy `<dir>/*.md` directly.
+ *
+ * Only `*.md` files are copied (a `.example` template, a README, etc. in the
+ * source are ignored — same filter as the universal-rule copy). Each copied
+ * file gets the PROJECT_RULE_HEADER prepended (unless it already opens with an
+ * HTML comment, to avoid double-stacking).
+ *
+ * **Idempotent + non-destructive to other tiers.** The dest is a fresh subdir;
+ * the universal `.claude/rules/*.md` files are never touched (different path).
+ * Re-running overwrites the project subdir's `*.md` files with the current
+ * source content. A `.example` seed (from `macf init`) is preserved — only
+ * `*.md` files are managed here.
+ *
+ * Throws only on a genuine fetch failure (git clone error, source path is a
+ * file not a directory, the github subpath is missing in the clone). A
+ * malformed source string is a no-op-with-warning, NOT a throw, so a typo'd
+ * config can't break `macf update`.
+ *
+ * @returns the list of copied basenames (empty when the source is unset or
+ *   the source dir has no `*.md` files).
+ */
+export declare function fetchProjectRules(workspaceDir: string, options?: FetchProjectRulesOptions): readonly string[];
+/**
+ * Basename of the seed template `macf init` drops into the project-rules
+ * subdir. The `.example` suffix keeps it OUT of the live-rule set (only `*.md`
+ * are loaded as rules + managed by `fetchProjectRules`), so it self-documents
+ * the tier + gives the DR-026 §4 auditor a format to match without becoming a
+ * rule itself.
+ */
+export declare const PROJECT_RULE_SEED_NAME = "EXAMPLE.project-rule.md.example";
+/**
+ * Generic, deployment-agnostic seed content for the project-rules tier.
+ *
+ * CRITICAL: this ships via `macf init` to EVERY deployment, so it must NOT be
+ * macf-specific. A genomics deployment must not receive a macf `dev.mk` rule.
+ * The body demonstrates the FORMAT + the precedence contract with neutral
+ * placeholders only — never a concrete macf rule.
+ */
+export declare function projectRuleSeedContent(): string;
+/**
+ * Seed the project-rules subdir with the generic `.example` template
+ * (`macf init`). Creates `.claude/rules/project/` (mkdir -p) and writes the
+ * `.example` file. Idempotent: overwrites the `.example` with the current
+ * canonical template — it's a managed example, not operator state. Returns the
+ * seeded basename.
+ *
+ * Deliberately does NOT fetch from `MACF_PROJECT_RULES_SOURCE` — `macf init`
+ * only lays down the tier + its self-documenting seed; `macf update` (and
+ * `macf rules refresh`) pull the actual rules from the source. This keeps init
+ * generic (it ships to every deployment) and offline-safe.
+ */
+export declare function seedProjectRulesDir(workspaceDir: string): string;
+//# sourceMappingURL=project-rules.d.ts.map

package/dist/cli/project-rules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"project-rules.d.ts","sourceRoot":"","sources":["../../src/cli/project-rules.ts"],"names":[],"mappings":"AAiDA,2EAA2E;AAC3E,eAAO,MAAM,wBAAwB,8BAA8B,CAAC;AAsBpE;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAErE;AAED;;;;;GAKG;AACH,MAAM,MAAM,kBAAkB,GAC1B;IAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpG;IAAE,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC;AAErD;;;;;;;;;;;GAWG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,kBAAkB,GAAG,SAAS,CAmB/F;AAED,MAAM,WAAW,wBAAwB;IACvC,mFAAmF;IACnF,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;;;OAGG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;CACjC;AAID;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,iBAAiB,CAC/B,YAAY,EAAE,MAAM,EACpB,OAAO,GAAE,wBAA6B,GACrC,SAAS,MAAM,EAAE,CA0DnB;AAwBD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,oCAAoC,CAAC;AAExE;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,CA8D/C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAKhE"}

package/dist/cli/project-rules.js

@@ -0,0 +1,305 @@
+/**
+ * Project-tier rule distribution (groundnuty/macf#501, DR-026 F3).
+ *
+ * The three-tier rule model (DR-026 §3) splits coordination knowledge into:
+ *   1. Universal / product rules — shipped IN the CLI at `plugin/rules/*.md`,
+ *      copied to `.claude/rules/*.md` (see rules.ts `copyCanonicalRules`).
+ *   2. **Project rules** — per-deployment, NOT shipped in the npm product. This
+ *      module. Sourced from an explicit config and copied to a SUBDIR
+ *      `.claude/rules/project/*.md` so the universal and project tiers are
+ *      distinguishable on disk (DR-026 §4's subordination check needs a clean
+ *      target to match against).
+ *   3. Agent-private rules — an agent's own `.claude/rules/` / memory; out of
+ *      scope here.
+ *
+ * **Why explicit config, not "the coordination repo".** A multi-repo deployment
+ * has no single repo to implicitly pull project rules from, so the source MUST
+ * be configured. `MACF_PROJECT_RULES_SOURCE` carries it, in one of two forms:
+ *
+ *   - `<owner>/<repo>//<path>`  — a GitHub repo + subdir (e.g.
+ *                                 `groundnuty/macf//project-rules`). Fetched via
+ *                                 a shallow `git clone` of the default branch,
+ *                                 mirroring plugin-fetcher.ts (reuse, don't
+ *                                 reinvent). The `//` separates repo from path.
+ *   - a local directory path     — anything WITHOUT the `//` separator that
+ *                                 resolves to a directory on disk. Copied
+ *                                 directly (no clone). Lets a single-host
+ *                                 deployment point at a checked-out repo or a
+ *                                 plain rules directory.
+ *
+ * **Optional tier — never errors on absence.** When the env var is unset/empty,
+ * `fetchProjectRules` is a no-op returning `[]`. The tier is optional, exactly
+ * like a workspace that has no universal rules: absence is normal, not a fault.
+ *
+ * **No shadow of the universal tier.** Project rules land under
+ * `.claude/rules/project/`, a different subdir from the universal
+ * `.claude/rules/*.md`. The universal-rule copy path (rules.ts) is untouched,
+ * so this can never overwrite a universal rule.
+ *
+ * **Precedence (documented, NOT enforced here).** Project rules *add to /
+ * specialize* the universal protocol; they never weaken it. The §4
+ * invariant-check that enforces "never contradict" is a separate (gated) slice
+ * of DR-026 — F3 only lays down the on-disk tiers. See
+ * `design/project-tier-rules.md`.
+ */
+import { execFileSync } from 'node:child_process';
+import { existsSync, mkdirSync, mkdtempSync, readFileSync, readdirSync, rmSync, statSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join, resolve } from 'node:path';
+/** Env var carrying the project-rules source (operator-managed config). */
+export const PROJECT_RULES_SOURCE_ENV = 'MACF_PROJECT_RULES_SOURCE';
+/**
+ * Header prepended to each copied project rule, marking the on-disk tier +
+ * the managed-from-source contract. Distinct wording from the universal-rule
+ * MANAGED_HEADER (rules.ts) so an operator inspecting a file knows which tier
+ * it belongs to + where it came from.
+ */
+const PROJECT_RULE_HEADER = [
+    '<!--',
+    '  PROJECT-TIER RULE (DR-026 §3 tier 2). Distributed by `macf` from this',
+    `  deployment's project-rules source (\`${PROJECT_RULES_SOURCE_ENV}\`). Do not`,
+    '  edit this workspace copy — edits are overwritten on the next `macf update`.',
+    '  Edit the rule at the source, then re-run `macf update` here.',
+    '',
+    '  Project rules ADD TO / SPECIALIZE the universal rules in',
+    '  .claude/rules/*.md; they must never contradict or weaken them',
+    '  (DR-026 §4). See design/project-tier-rules.md.',
+    '-->',
+    '',
+].join('\n');
+/**
+ * Destination directory for project-tier rules within a workspace:
+ * `<workspace>/.claude/rules/project/`. A SUBDIR of the universal-rule dir so
+ * the two tiers are distinguishable on disk.
+ */
+export function workspaceProjectRulesDir(workspaceDir) {
+    return join(resolve(workspaceDir), '.claude', 'rules', 'project');
+}
+/**
+ * Parse a `MACF_PROJECT_RULES_SOURCE` value into a discriminated source.
+ *
+ * The `//` separator disambiguates the two forms unambiguously: a GitHub
+ * `<owner>/<repo>//<path>` always contains `//`, a local filesystem path
+ * never does (`//` collapses to `/` on POSIX and isn't a meaningful path
+ * token). So presence of `//` selects the github form; absence selects local.
+ *
+ * Returns `undefined` for an empty/whitespace-only value (caller treats as
+ * no-op) or a malformed github form (missing owner/repo/path segment) —
+ * malformed is surfaced by the caller as a warning, not a parse crash.
+ */
+export function parseProjectRulesSource(raw) {
+    const value = (raw ?? '').trim();
+    if (value === '')
+        return undefined;
+    const sepIdx = value.indexOf('//');
+    if (sepIdx < 0) {
+        // No `//` → local directory path.
+        return { kind: 'local', dir: value };
+    }
+    const repoPart = value.slice(0, sepIdx);
+    const subpath = value.slice(sepIdx + 2).replace(/^\/+|\/+$/g, '');
+    const ownerRepo = repoPart.split('/');
+    if (ownerRepo.length !== 2 || !ownerRepo[0] || !ownerRepo[1] || subpath === '') {
+        // Malformed github form (e.g. "owner//path" with no repo, or trailing
+        // empty subpath). Don't throw — caller warns + skips.
+        return undefined;
+    }
+    return { kind: 'github', owner: ownerRepo[0], repo: ownerRepo[1], subpath };
+}
+const DEFAULT_GITHUB_BASE_URL = 'https://github.com';
+/**
+ * Distribute project-tier rules into `<workspace>/.claude/rules/project/`.
+ *
+ * Resolves the source from `MACF_PROJECT_RULES_SOURCE` (or `options.source`):
+ *   - Unset/empty/whitespace → NO-OP, returns `[]`. The tier is optional.
+ *   - `<owner>/<repo>//<path>` → shallow git clone the default branch (mirrors
+ *     plugin-fetcher.ts), copy `<clone>/<path>/*.md` to the dest subdir.
+ *   - a local directory path → copy `<dir>/*.md` directly.
+ *
+ * Only `*.md` files are copied (a `.example` template, a README, etc. in the
+ * source are ignored — same filter as the universal-rule copy). Each copied
+ * file gets the PROJECT_RULE_HEADER prepended (unless it already opens with an
+ * HTML comment, to avoid double-stacking).
+ *
+ * **Idempotent + non-destructive to other tiers.** The dest is a fresh subdir;
+ * the universal `.claude/rules/*.md` files are never touched (different path).
+ * Re-running overwrites the project subdir's `*.md` files with the current
+ * source content. A `.example` seed (from `macf init`) is preserved — only
+ * `*.md` files are managed here.
+ *
+ * Throws only on a genuine fetch failure (git clone error, source path is a
+ * file not a directory, the github subpath is missing in the clone). A
+ * malformed source string is a no-op-with-warning, NOT a throw, so a typo'd
+ * config can't break `macf update`.
+ *
+ * @returns the list of copied basenames (empty when the source is unset or
+ *   the source dir has no `*.md` files).
+ */
+export function fetchProjectRules(workspaceDir, options = {}) {
+    const raw = options.source ?? process.env[PROJECT_RULES_SOURCE_ENV];
+    const parsed = parseProjectRulesSource(raw);
+    if (parsed === undefined) {
+        if ((raw ?? '').trim() !== '') {
+            // Non-empty but unparseable — surface it; don't silently drop.
+            process.stderr.write(`Warning: ${PROJECT_RULES_SOURCE_ENV}="${raw}" is malformed.\n` +
+                `  Expected "<owner>/<repo>//<path>" (e.g. groundnuty/macf//project-rules)\n` +
+                `  or a local directory path. Skipping project-rule distribution.\n`);
+        }
+        return [];
+    }
+    if (parsed.kind === 'local') {
+        const srcDir = resolve(parsed.dir);
+        if (!existsSync(srcDir)) {
+            throw new Error(`${PROJECT_RULES_SOURCE_ENV} local source does not exist: ${srcDir}`);
+        }
+        if (!statSync(srcDir).isDirectory()) {
+            throw new Error(`${PROJECT_RULES_SOURCE_ENV} local source is not a directory: ${srcDir}`);
+        }
+        return copyMarkdownRules(srcDir, workspaceProjectRulesDir(workspaceDir));
+    }
+    // github form — shallow-clone the default branch (mirrors plugin-fetcher.ts),
+    // copy the subpath's *.md files, discard the clone.
+    const baseUrl = options.githubBaseUrl ?? DEFAULT_GITHUB_BASE_URL;
+    const repoUrl = `${baseUrl}/${parsed.owner}/${parsed.repo}`;
+    const tmpClone = mkdtempSync(join(tmpdir(), 'macf-project-rules-clone-'));
+    try {
+        execFileSync('git', ['clone', '--depth', '1', repoUrl, tmpClone], {
+            stdio: ['ignore', 'ignore', 'pipe'],
+        });
+        const srcDir = join(tmpClone, parsed.subpath);
+        if (!existsSync(srcDir) || !statSync(srcDir).isDirectory()) {
+            throw new Error(`Project-rules subpath "${parsed.subpath}" not found in ${repoUrl}. ` +
+                `Check ${PROJECT_RULES_SOURCE_ENV} and the repo layout.`);
+        }
+        return copyMarkdownRules(srcDir, workspaceProjectRulesDir(workspaceDir));
+    }
+    catch (err) {
+        if (err instanceof Error && err.message.includes('subpath'))
+            throw err;
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new Error(`Failed to fetch project rules from ${repoUrl}: ${msg}. ` +
+            `Check network access + that ${PROJECT_RULES_SOURCE_ENV} is correct.`, { cause: err });
+    }
+    finally {
+        rmSync(tmpClone, { recursive: true, force: true });
+    }
+}
+/**
+ * Copy every `*.md` file from `srcDir` to `destDir`, prepending the
+ * project-rule header. Creates `destDir` (mkdir -p). Returns copied basenames.
+ * Shared by both the local and github source paths.
+ */
+function copyMarkdownRules(srcDir, destDir) {
+    mkdirSync(destDir, { recursive: true });
+    const copied = [];
+    for (const entry of readdirSync(srcDir, { withFileTypes: true })) {
+        if (!entry.isFile() || !entry.name.endsWith('.md'))
+            continue;
+        const content = readFileSync(join(srcDir, entry.name), 'utf-8');
+        const out = content.startsWith('<!--') ? content : PROJECT_RULE_HEADER + content;
+        writeFileSync(join(destDir, entry.name), out);
+        copied.push(entry.name);
+    }
+    return copied;
+}
+// ---------------------------------------------------------------------------
+// Seed (.example) template — written by `macf init`
+// ---------------------------------------------------------------------------
+/**
+ * Basename of the seed template `macf init` drops into the project-rules
+ * subdir. The `.example` suffix keeps it OUT of the live-rule set (only `*.md`
+ * are loaded as rules + managed by `fetchProjectRules`), so it self-documents
+ * the tier + gives the DR-026 §4 auditor a format to match without becoming a
+ * rule itself.
+ */
+export const PROJECT_RULE_SEED_NAME = 'EXAMPLE.project-rule.md.example';
+/**
+ * Generic, deployment-agnostic seed content for the project-rules tier.
+ *
+ * CRITICAL: this ships via `macf init` to EVERY deployment, so it must NOT be
+ * macf-specific. A genomics deployment must not receive a macf `dev.mk` rule.
+ * The body demonstrates the FORMAT + the precedence contract with neutral
+ * placeholders only — never a concrete macf rule.
+ */
+export function projectRuleSeedContent() {
+    return [
+        '<!--',
+        '  EXAMPLE project-tier rule (template, not active).',
+        '',
+        '  This file ends in `.example`, so `macf` does NOT load it as a live rule',
+        '  and does NOT overwrite it on `macf update` (only `*.md` files in this',
+        '  directory are managed). It self-documents the project-rules tier and',
+        '  gives the DR-026 §4 auditor a format to match.',
+        '-->',
+        '',
+        '# Project-tier rules (`.claude/rules/project/`)',
+        '',
+        'This directory holds **project-tier** coordination rules (DR-026 §3, tier 2):',
+        'per-deployment rules that ADD TO or SPECIALIZE the universal rules in the',
+        'parent `.claude/rules/*.md` directory.',
+        '',
+        '## Where these come from',
+        '',
+        'Project rules are distributed by `macf` from this deployment\'s configured',
+        'source, set via the `MACF_PROJECT_RULES_SOURCE` operator config in',
+        '`.claude/.macf/env.project-rules`. The source is one of:',
+        '',
+        '- `<owner>/<repo>//<path>` — a GitHub repo + subdir',
+        '  (e.g. `your-org/your-coordination-repo//project-rules`)',
+        '- a local directory path — for single-host deployments',
+        '',
+        'When `MACF_PROJECT_RULES_SOURCE` is unset, this tier is empty (it is',
+        'optional). Authored rules live at the SOURCE, not in this workspace copy —',
+        'edit them there, then run `macf update` here.',
+        '',
+        '## Precedence (the one hard contract)',
+        '',
+        'Project rules may **add to / specialize** the universal protocol but must',
+        '**never contradict or weaken** its protected invariants (e.g. reporter-owns',
+        'closure, the identity↔attribution guarantee, the no-self-merge / LGTM gate).',
+        'See `design/project-tier-rules.md` for the full precedence model.',
+        '',
+        '## Format to follow (replace this example)',
+        '',
+        'A project rule is a Markdown file. Name it `*.md` (this `.example` is a',
+        'template, not a rule). Suggested shape — adapt to your deployment:',
+        '',
+        '```markdown',
+        '# <Short rule title>',
+        '',
+        '## Applies to',
+        '',
+        '<Which agents / repos / situations this project rule governs.>',
+        '',
+        '## Rule',
+        '',
+        '<The specialization. State what it ADDS to the universal protocol — never',
+        'what it weakens. If it looks like it relaxes a universal invariant, it is',
+        'wrong by construction (DR-026 §4).>',
+        '',
+        '## Rationale',
+        '',
+        '<Why this deployment needs it. Link the incident / pattern it codifies.>',
+        '```',
+        '',
+    ].join('\n');
+}
+/**
+ * Seed the project-rules subdir with the generic `.example` template
+ * (`macf init`). Creates `.claude/rules/project/` (mkdir -p) and writes the
+ * `.example` file. Idempotent: overwrites the `.example` with the current
+ * canonical template — it's a managed example, not operator state. Returns the
+ * seeded basename.
+ *
+ * Deliberately does NOT fetch from `MACF_PROJECT_RULES_SOURCE` — `macf init`
+ * only lays down the tier + its self-documenting seed; `macf update` (and
+ * `macf rules refresh`) pull the actual rules from the source. This keeps init
+ * generic (it ships to every deployment) and offline-safe.
+ */
+export function seedProjectRulesDir(workspaceDir) {
+    const destDir = workspaceProjectRulesDir(workspaceDir);
+    mkdirSync(destDir, { recursive: true });
+    writeFileSync(join(destDir, PROJECT_RULE_SEED_NAME), projectRuleSeedContent());
+    return PROJECT_RULE_SEED_NAME;
+}
+//# sourceMappingURL=project-rules.js.map

package/dist/cli/project-rules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"project-rules.js","sourceRoot":"","sources":["../../src/cli/project-rules.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACzH,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE1C,2EAA2E;AAC3E,MAAM,CAAC,MAAM,wBAAwB,GAAG,2BAA2B,CAAC;AAEpE;;;;;GAKG;AACH,MAAM,mBAAmB,GAAG;IAC1B,MAAM;IACN,yEAAyE;IACzE,0CAA0C,wBAAwB,aAAa;IAC/E,+EAA+E;IAC/E,gEAAgE;IAChE,EAAE;IACF,4DAA4D;IAC5D,iEAAiE;IACjE,kDAAkD;IAClD,KAAK;IACL,EAAE;CACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAEb;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,YAAoB;IAC3D,OAAO,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;AACpE,CAAC;AAYD;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAuB;IAC7D,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACjC,IAAI,KAAK,KAAK,EAAE;QAAE,OAAO,SAAS,CAAC;IAEnC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACnC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QACf,kCAAkC;QAClC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IACvC,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACxC,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;IAClE,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;QAC/E,sEAAsE;QACtE,sDAAsD;QACtD,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC;AAC9E,CAAC;AAYD,MAAM,uBAAuB,GAAG,oBAAoB,CAAC;AAErD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,iBAAiB,CAC/B,YAAoB,EACpB,UAAoC,EAAE;IAEtC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IACpE,MAAM,MAAM,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAC9B,+DAA+D;YAC/D,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,YAAY,wBAAwB,KAAK,GAAG,mBAAmB;gBAC7D,6EAA6E;gBAC7E,oEAAoE,CACvE,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CACb,GAAG,wBAAwB,iCAAiC,MAAM,EAAE,CACrE,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CACb,GAAG,wBAAwB,qCAAqC,MAAM,EAAE,CACzE,CAAC;QACJ,CAAC;QACD,OAAO,iBAAiB,CAAC,MAAM,EAAE,wBAAwB,CAAC,YAAY,CAAC,CAAC,CAAC;IAC3E,CAAC;IAED,8EAA8E;IAC9E,oDAAoD;IACpD,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,IAAI,uBAAuB,CAAC;IACjE,MAAM,OAAO,GAAG,GAAG,OAAO,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;IAC5D,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,2BAA2B,CAAC,CAAC,CAAC;IAC1E,IAAI,CAAC;QACH,YAAY,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE;YAChE,KAAK,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC;SACpC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9C,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CACb,0BAA0B,MAAM,CAAC,OAAO,kBAAkB,OAAO,IAAI;gBACnE,SAAS,wBAAwB,uBAAuB,CAC3D,CAAC;QACJ,CAAC;QACD,OAAO,iBAAiB,CAAC,MAAM,EAAE,wBAAwB,CAAC,YAAY,CAAC,CAAC,CAAC;IAC3E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAAE,MAAM,GAAG,CAAC;QACvE,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CACb,sCAAsC,OAAO,KAAK,GAAG,IAAI;YACvD,+BAA+B,wBAAwB,cAAc,EACvE,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,MAAc,EAAE,OAAe;IACxD,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACxC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACjE,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,SAAS;QAC7D,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;QAChE,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB,GAAG,OAAO,CAAC;QACjF,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,oDAAoD;AACpD,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,iCAAiC,CAAC;AAExE;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB;IACpC,OAAO;QACL,MAAM;QACN,qDAAqD;QACrD,EAAE;QACF,2EAA2E;QAC3E,yEAAyE;QACzE,wEAAwE;QACxE,kDAAkD;QAClD,KAAK;QACL,EAAE;QACF,iDAAiD;QACjD,EAAE;QACF,+EAA+E;QAC/E,2EAA2E;QAC3E,wCAAwC;QACxC,EAAE;QACF,0BAA0B;QAC1B,EAAE;QACF,4EAA4E;QAC5E,oEAAoE;QACpE,0DAA0D;QAC1D,EAAE;QACF,qDAAqD;QACrD,2DAA2D;QAC3D,wDAAwD;QACxD,EAAE;QACF,sEAAsE;QACtE,4EAA4E;QAC5E,+CAA+C;QAC/C,EAAE;QACF,uCAAuC;QACvC,EAAE;QACF,2EAA2E;QAC3E,6EAA6E;QAC7E,8EAA8E;QAC9E,mEAAmE;QACnE,EAAE;QACF,4CAA4C;QAC5C,EAAE;QACF,yEAAyE;QACzE,oEAAoE;QACpE,EAAE;QACF,aAAa;QACb,sBAAsB;QACtB,EAAE;QACF,eAAe;QACf,EAAE;QACF,gEAAgE;QAChE,EAAE;QACF,SAAS;QACT,EAAE;QACF,2EAA2E;QAC3E,2EAA2E;QAC3E,qCAAqC;QACrC,EAAE;QACF,cAAc;QACd,EAAE;QACF,0EAA0E;QAC1E,KAAK;QACL,EAAE;KACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,mBAAmB,CAAC,YAAoB;IACtD,MAAM,OAAO,GAAG,wBAAwB,CAAC,YAAY,CAAC,CAAC;IACvD,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACxC,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,sBAAsB,CAAC,EAAE,sBAAsB,EAAE,CAAC,CAAC;IAC/E,OAAO,sBAAsB,CAAC;AAChC,CAAC"}