@hesohq/sdk 0.1.2-dev.21

package/dist/capture.js

@@ -0,0 +1,591 @@
+"use strict";
+// The shared capture core every Node framework adapter is built on — the JS twin
+// of the Python SDK's `heso._capture`. A framework adapter's only job is to find
+// the tool/model/payment call at its native interception point and translate it
+// into a heso action; everything after (classify, policy, redact, SIGN, audit
+// chain) is the Rust engine's, reached through two entry points here:
+//
+//   • gate()     — capture + drive + ENFORCE. Throws BlockedError / SuspendedError
+//                  on a refusal (blocking mode), so the wrapped call never fires
+//                  ungated. Use where the framework treats a thrown tool error as
+//                  an abort (Vercel AI SDK, Mastra — a throwing `execute`).
+//   • evaluate() — capture + drive WITHOUT enforcing; returns { outcome, action }
+//                  so an adapter can map the decision onto its own verdict shape.
+//
+// recordResult() binds a finished call's result to a follow-up receipt.
+//
+// Zero crypto in TS: minting is delegated to the native @hesohq/node addon
+// (signing, native-only). In this Node SDK, verification likewise binds to the
+// native addon via @hesohq/core (whose main entry re-exports @hesohq/node). The
+// addon is loaded LAZILY here so importing the capture core does not pull in the
+// native binary until a gated action actually mints.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OperatorKeyMismatchError = exports.ApprovalRejectedError = exports.SuspendedError = exports.BlockedError = exports.BridgeError = void 0;
+exports.normalizeFields = normalizeFields;
+exports.buildAction = buildAction;
+exports.evaluate = evaluate;
+exports.gate = gate;
+exports.recordResult = recordResult;
+exports.isEnforcing = isEnforcing;
+exports.finalizeL1 = finalizeL1;
+exports.finalizeQuorum = finalizeQuorum;
+const runtime_js_1 = require("./runtime.js");
+const cloud_js_1 = require("./cloud.js");
+let _native = null;
+function native() {
+    if (_native !== null)
+        return _native;
+    let mod;
+    try {
+        // Lazy require defers loading the native, Node-only addon until minting is
+        // actually used (it is an optional dependency of this package).
+        // eslint-disable-next-line @typescript-eslint/no-var-requires
+        mod = require('@hesohq/node');
+    }
+    catch (err) {
+        throw new BridgeError('@hesohq/sdk: minting requires the native @hesohq/node addon (a Node-only optional dependency). ' +
+            `Install it to use the gating adapters. Underlying error: ${err.message}`);
+    }
+    if (typeof mod.processAction !== 'function') {
+        throw new BridgeError('@hesohq/sdk: @hesohq/node was built without the `process` feature (no processAction export); ' +
+            'rebuild it with `napi build --features process`');
+    }
+    _native = mod;
+    return _native;
+}
+// ── errors ──────────────────────────────────────────────────────────────────
+/** The native engine could not run or its output could not be parsed (fail closed). */
+class BridgeError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'BridgeError';
+    }
+}
+exports.BridgeError = BridgeError;
+/** A captured action was refused by policy. Thrown so the wrapped call never fires. */
+class BlockedError extends Error {
+    constructor(toolName, ruleId, reason) {
+        super(`heso blocked \`${toolName}\` (rule ${ruleId ?? '?'}): ${reason ?? 'refused by policy'}`);
+        this.toolName = toolName;
+        this.ruleId = ruleId;
+        this.reason = reason;
+        this.name = 'BlockedError';
+    }
+}
+exports.BlockedError = BlockedError;
+/** A captured action was gated to a human and awaits approval. Thrown so it never fires. */
+class SuspendedError extends Error {
+    constructor(toolName, actionHash) {
+        super(`heso suspended \`${toolName}\` pending approval (action_hash ${actionHash ?? '?'})`);
+        this.toolName = toolName;
+        this.actionHash = actionHash;
+        this.name = 'SuspendedError';
+    }
+}
+exports.SuspendedError = SuspendedError;
+/**
+ * A human resolved an approval as anything other than ``approved``
+ * (``rejected``/``escalated``). Thrown by {@link finalizeL1} BEFORE any assemble —
+ * a non-approval NEVER mints an L1 (M3). Carries the resolved decision so a caller
+ * can branch (e.g. surface the rejection reason).
+ */
+class ApprovalRejectedError extends Error {
+    constructor(actionHash, decision) {
+        super(`heso approval ${actionHash} resolved \`${decision}\` (not approved) — no L1 minted`);
+        this.actionHash = actionHash;
+        this.decision = decision;
+        this.name = 'ApprovalRejectedError';
+    }
+}
+exports.ApprovalRejectedError = ApprovalRejectedError;
+/**
+ * Read the ``decision`` field off a relayed approver record WITHOUT mutating it.
+ *
+ * The cloud relays the record as the EXACT verbatim JSON TEXT the approver signed (M2);
+ * the byte-faithfulness moat means that string must reach the native assemble UNTOUCHED.
+ * This parses it READ-ONLY for the M3 decision gate (``finalizeL1``/``finalizeQuorum`` throw
+ * {@link ApprovalRejectedError} on a non-approval BEFORE any keystore touch); the
+ * verbatim string itself — never a reserialize of this parse — is what feeds the
+ * assemble. A record that is not parseable JSON / carries no string ``decision`` is a
+ * fail-closed {@link BridgeError} (a malformed relay never silently assembles).
+ */
+function decisionFromRecord(record) {
+    let parsed;
+    try {
+        parsed = JSON.parse(record);
+    }
+    catch (err) {
+        throw new BridgeError(`@hesohq/sdk: relayed approver record is not valid JSON: ${err.message}`);
+    }
+    if (typeof parsed !== 'object' ||
+        parsed === null ||
+        typeof parsed.decision !== 'string') {
+        throw new BridgeError('@hesohq/sdk: relayed approver record has no string `decision` field');
+    }
+    return parsed.decision;
+}
+/**
+ * The operator key loaded from the project keystore does NOT match the suspended
+ * body's ``agent_identity`` (MANDATORY-1). The action was suspended under a now-
+ * rotated key, so the in-core assemble fails closed rather than minting a receipt
+ * the verifier would reject. A DISTINCT typed signal so {@link finalizeL1} /
+ * {@link finalizeQuorum} can drive key-rotation auto-recovery (re-suspend under the new
+ * key) instead of surfacing an opaque {@link BridgeError}. Carries the
+ * ``agent_identity`` the suspended content expects so the caller can branch.
+ */
+class OperatorKeyMismatchError extends Error {
+    constructor(actionHash, expectedAgentIdentity, 
+    /** The loaded operator pubkey when known (proactive path); ``null`` when the
+     * mismatch was only discovered reactively inside the native assemble. */
+    loadedPublicKey = null) {
+        super(`heso operator key mismatch finalizing ${actionHash}: the suspended content was ` +
+            `minted under agent_identity ${expectedAgentIdentity}` +
+            (loadedPublicKey !== null ? `, but the loaded operator key is ${loadedPublicKey}` : '') +
+            ' — the key rotated; re-suspend under the new key (no receipt minted)');
+        this.actionHash = actionHash;
+        this.expectedAgentIdentity = expectedAgentIdentity;
+        this.loadedPublicKey = loadedPublicKey;
+        this.name = 'OperatorKeyMismatchError';
+    }
+}
+exports.OperatorKeyMismatchError = OperatorKeyMismatchError;
+/** The napi/wheel surfaces an operator-key mismatch as a ``[OperatorKeyMismatch]``-
+ * prefixed error (the discriminable boundary signal). Detect it so the REACTIVE
+ * key-rotation catch can promote it to {@link OperatorKeyMismatchError}. */
+function isOperatorKeyMismatch(err) {
+    return err instanceof Error && err.message.includes('[OperatorKeyMismatch]');
+}
+// ── core ──────────────────────────────────────────────────────────────────────
+/**
+ * Build the action's `fields` from a framework's tool input: an object is used as
+ * the structured fields; a JSON-object string is parsed; anything else is recorded
+ * verbatim under `input`. Never throws — capture must not crash the agent.
+ */
+function normalizeFields(input) {
+    if (input === null || input === undefined)
+        return {};
+    if (typeof input === 'object' && !Array.isArray(input)) {
+        return coerceFields(input);
+    }
+    if (typeof input === 'string') {
+        let parsed;
+        try {
+            parsed = JSON.parse(input);
+        }
+        catch {
+            return { input };
+        }
+        if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            return coerceFields(parsed);
+        }
+        return { input: jsonable(parsed) };
+    }
+    return { input: jsonable(input) };
+}
+/**
+ * Coerce a value to a JSON-serializable form, falling back to its string form when
+ * it is not (capture must never throw, and a non-serializable arg — a BigInt, a
+ * function, a circular object — must not later make `JSON.stringify(fields)` fail
+ * closed and abort the call). The JS twin of `_bridge.jsonable` (which `repr`s the
+ * value); here `String(v)` plays repr's role (e.g. `5n` -> `"5"`).
+ */
+function jsonable(value) {
+    try {
+        // JSON.stringify THROWS for BigInt / circular, but returns `undefined` (no throw)
+        // for a function / symbol / undefined value — those would be silently dropped from
+        // the wire, so the gate never sees the field. Treat both as non-serializable and
+        // fall back to the string form (String() handles symbols, where templating throws).
+        return JSON.stringify(value) === undefined ? String(value) : value;
+    }
+    catch {
+        return String(value);
+    }
+}
+/** Apply {@link jsonable} to every value of a fields map. */
+function coerceFields(obj) {
+    const out = {};
+    for (const [k, v] of Object.entries(obj))
+        out[k] = jsonable(v);
+    return out;
+}
+function buildProcessInput(toolName, fields, verb, surface, targetHost, extraSignal, redactFields, redactStrategy, config) {
+    const signal = { surface };
+    if (extraSignal) {
+        for (const [k, v] of Object.entries(extraSignal)) {
+            if (v !== undefined && v !== null)
+                signal[k] = v;
+        }
+    }
+    const input = {
+        verb,
+        tool_name: toolName,
+        workflow: config.workflow,
+        account: config.account,
+        fields,
+        redact_fields: redactFields,
+        redact_strategy: redactStrategy,
+        signal,
+    };
+    if (targetHost !== undefined)
+        input.target_host = targetHost;
+    if (config.clockOverride !== null)
+        input.clock_override = config.clockOverride;
+    return input;
+}
+/**
+ * Translate a captured call into an {@link Action}, stamping the active config's
+ * workflow/account/clock. The `verb` is an escalate-only hint — the engine
+ * classifies the `surface`/`signal` structurally and takes the stricter lane.
+ */
+function buildAction(toolName, fields, opts = {}) {
+    const config = (0, runtime_js_1.requireConfig)();
+    // Coerce values to JSON-safe forms (mirrors Python build_action) so a direct
+    // caller passing raw fields gets the same fail-safe capture as the gate path.
+    const coerced = coerceFields(fields);
+    const input = buildProcessInput(toolName, coerced, opts.verb ?? 'tool_call', opts.surface ?? 'decorator', opts.targetHost, opts.signal, opts.redact ?? [], opts.redactStrategy ?? 'destructive', config);
+    return { verb: input.verb, toolName, fields: coerced, input };
+}
+function drive(input, config) {
+    let raw;
+    try {
+        raw = native().processAction(JSON.stringify(input), config.projectRoot);
+    }
+    catch (err) {
+        throw new BridgeError(`@hesohq/sdk: native processAction failed: ${err.message}`);
+    }
+    let data;
+    try {
+        data = JSON.parse(raw.toString('utf-8'));
+    }
+    catch (err) {
+        throw new BridgeError(`@hesohq/sdk: could not parse engine output: ${err.message}`);
+    }
+    return parseOutcome(data);
+}
+function parseOutcome(data) {
+    if (data.status === 'allowed') {
+        return {
+            kind: 'allowed',
+            allowed: true,
+            receipt: data.receipt,
+            ruleId: null,
+            reason: null,
+            actionHash: data.receipt.content?.action_hash ?? null,
+        };
+    }
+    if (data.status === 'blocked') {
+        return {
+            kind: 'blocked',
+            allowed: false,
+            receipt: null,
+            ruleId: data.rule_id ?? null,
+            reason: data.reason ?? null,
+            actionHash: null,
+        };
+    }
+    return {
+        kind: 'suspended',
+        allowed: false,
+        receipt: data.receipt ?? null,
+        ruleId: null,
+        reason: null,
+        actionHash: data.ticket?.action_hash ?? null,
+    };
+}
+function enforce(toolName, outcome, config) {
+    if (outcome.allowed)
+        return;
+    if (!config.blocking)
+        return; // observe-only: recorded, not enforced
+    if (outcome.kind === 'blocked')
+        throw new BlockedError(toolName, outcome.ruleId, outcome.reason);
+    throw new SuspendedError(toolName, outcome.actionHash);
+}
+/**
+ * Capture + drive an action WITHOUT enforcing. Returns `{ outcome, action }` so an
+ * adapter can map the decision onto a framework verdict (allow/deny) instead of
+ * throwing. The returned `action` is what {@link recordResult} binds the result to.
+ */
+function evaluate(toolName, input, opts = {}) {
+    const config = (0, runtime_js_1.requireConfig)();
+    const action = buildAction(toolName, normalizeFields(input), opts);
+    return { outcome: drive(action.input, config), action };
+}
+/**
+ * Capture + drive + ENFORCE an action before its side effect runs. Throws
+ * {@link BlockedError} / {@link SuspendedError} on a refusal in blocking mode (so
+ * the wrapped call never fires ungated); returns the gated {@link Action} on allow
+ * (or in observe-only mode), which {@link recordResult} later binds the result to.
+ */
+function gate(toolName, input, opts = {}) {
+    const config = (0, runtime_js_1.requireConfig)();
+    const action = buildAction(toolName, normalizeFields(input), opts);
+    const outcome = drive(action.input, config);
+    mirrorSuspended(outcome);
+    enforce(toolName, outcome, config);
+    return action;
+}
+/**
+ * On a suspend, mirror-push the signed suspended L0 receipt the engine now returns
+ * so the byte-exact operator-stamped suspended content exists server-side for the
+ * later L1 relay (the browser co-signs THAT content; the SDK reassembles the L1 off
+ * the identical body). Fire-and-forget + best-effort: a mirror failure must not stop
+ * ``gate`` from throwing {@link SuspendedError} and aborting the call. The push is
+ * not load-bearing for the refusal — only for the relay that follows.
+ */
+function mirrorSuspended(outcome) {
+    if (outcome.kind !== 'suspended' || outcome.receipt === null)
+        return;
+    void (0, cloud_js_1.pushReceipt)(outcome.receipt).catch(() => {
+        // best-effort — the suspended receipt is relay evidence, not the refusal itself
+    });
+}
+/**
+ * Bind a finished call's result to a follow-up receipt (evidence of WHAT happened,
+ * not only what was allowed). Best-effort: a recording failure is swallowed — the
+ * load-bearing decision was the gate on the way in, and recording must never crash
+ * the agent.
+ */
+function recordResult(action, output) {
+    try {
+        const config = (0, runtime_js_1.requireConfig)();
+        const repr = typeof output === 'string' ? output : JSON.stringify(output ?? null);
+        const input = { ...action.input, result_hash: native().blake3Hex(repr) };
+        drive(input, config);
+    }
+    catch {
+        // best-effort — recording is evidence, not enforcement
+    }
+}
+/**
+ * True when the active config enforces refusals (blocking mode), false in
+ * observe-only mode. Decision-returning adapters consult this to mirror
+ * {@link gate}'s observe-only behavior: in observe-only the verdict is "allow".
+ */
+function isEnforcing() {
+    return (0, runtime_js_1.requireConfig)().blocking;
+}
+// ── L1 finalization (phase two of the gate) ─────────────────────────────────
+/**
+ * Finalize an approved gate into a signed L1 receipt — the out-of-band SECOND call
+ * of the two-phase pattern. Phase one is {@link gate}, which throws
+ * {@link SuspendedError} (carrying the ``action_hash``) and cannot block ``execute``
+ * waiting for a human. Once the cloud relays the approver parts (poll keyed on that
+ * ``action_hash``), this assembles and mirrors the L1.
+ *
+ * Order is load-bearing:
+ *  1. Assert the relayed record is ``approved`` BEFORE touching the keystore (M3) —
+ *     a ``rejected``/``escalated`` decision throws {@link ApprovalRejectedError} and
+ *     NEVER assembles an L1.
+ *  2. Assemble in-core: the native addon loads the OPERATOR key from the project
+ *     keystore, runs the MANDATORY-1 operator-key identity check against the
+ *     suspended content's ``agent_identity``, and verifies Valid(L1) internally —
+ *     throwing on any bad part. The record is passed as the SAME bytes the cloud
+ *     stored verbatim (M2): build the L1 over the operator-stamped ``suspendedContent``.
+ *  3. Re-verify the assembled receipt locally and REFUSE to push unless it is
+ *     Valid(L1) — a defense-in-depth gate independent of the addon's internal check.
+ *  4. Mirror-push, superseding the suspended L0 entry the L1 was built from (M5).
+ *
+ * @returns the signed L1 {@link ActionReceipt} that was pushed.
+ */
+async function finalizeL1(suspendedContent, relayedParts, keyPassphrase) {
+    const config = (0, runtime_js_1.requireConfig)();
+    const actionHash = suspendedContent.action_hash;
+    // M3 / REJECT-MINTS-NO-L1: a non-approval never reaches the keystore. The record is
+    // the cloud's VERBATIM JSON TEXT — parse it READ-ONLY for the decision gate only
+    // (the verbatim string itself is what feeds the native assemble, never a reserialize).
+    const decision = decisionFromRecord(relayedParts.record);
+    if (decision !== 'approved') {
+        throw new ApprovalRejectedError(actionHash, decision);
+    }
+    // The native addon assembles the L1 in-core off the operator-stamped suspended
+    // content and the verbatim approver record (M2 — the cloud's EXACT TEXT is passed
+    // straight through, never parse/reserialized here), running MANDATORY-1 and verifying
+    // Valid(L1) before it returns. A relayed anchor (opaque, never parsed here) is threaded
+    // straight in so the operator signature covers it; absent ⇒ the unchanged anchorless
+    // path (the L1 golden never moves).
+    let receiptBytes;
+    try {
+        receiptBytes = native().assembleL1FromParts(JSON.stringify(suspendedContent), relayedParts.record, relayedParts.approverPubkeyB64, relayedParts.coSigB64, config.projectRoot, keyPassphrase, relayedParts.timeAnchor !== undefined ? JSON.stringify(relayedParts.timeAnchor) : undefined);
+    }
+    catch (err) {
+        // MANDATORY-1: a rotated operator key fails closed in-core. Promote the typed
+        // boundary signal so a caller can drive key-rotation recovery (re-suspend).
+        if (isOperatorKeyMismatch(err)) {
+            throw new OperatorKeyMismatchError(actionHash, suspendedContent.agent_identity);
+        }
+        throw new BridgeError(`@hesohq/sdk: assembleL1FromParts failed: ${err.message}`);
+    }
+    // Defense in depth: refuse to push anything that is not locally Valid(L1).
+    const verdict = native().verify(receiptBytes);
+    if (verdict.verdict !== 'Valid' || verdict.trustLevel !== 'L1') {
+        throw new BridgeError(`@hesohq/sdk: assembled receipt is not Valid(L1) — verdict=${verdict.verdict} trustLevel=${verdict.trustLevel}; refusing to push`);
+    }
+    let receipt;
+    try {
+        receipt = JSON.parse(receiptBytes.toString('utf-8'));
+    }
+    catch (err) {
+        throw new BridgeError(`@hesohq/sdk: could not parse assembled L1 receipt: ${err.message}`);
+    }
+    // The L1 supersedes the suspended L0 entry it was built from (M5: suspended -> L1).
+    await (0, cloud_js_1.pushReceipt)(receipt, actionHash);
+    return receipt;
+}
+/**
+ * Re-drive a suspended action through the engine gate under the CURRENT operator
+ * key — the key-rotation auto-recovery path. The original suspended content was
+ * minted under a now-rotated key, so its co-signed base is dead; the only safe move
+ * is to re-suspend: rebuild the action verbatim from ``suspendedContent.action`` and
+ * run it through ``processAction`` again, yielding a FRESH Suspended L0 with a new
+ * ``agent_identity`` + ``action_hash``. We mirror-push it so the byte-exact new base
+ * exists server-side for the next relay, and hand the new hash back so the caller
+ * re-opens the approval against it (the cloud's S11 lifecycle invalidates the stale
+ * one). The old human co-sign cannot be replayed against the new base.
+ */
+function reSuspendUnderNewKey(suspendedContent, config) {
+    const detail = suspendedContent.action;
+    // Rebuild the wire input VERBATIM from the suspended action (the engine re-stamps
+    // the current operator identity + a fresh action_hash; the action itself is the
+    // same one the human reviewed).
+    const input = {
+        verb: detail.verb,
+        tool_name: detail.tool_name,
+        workflow: detail.workflow,
+        account: detail.account,
+        fields: detail.fields,
+        redact_fields: [],
+        redact_strategy: 'destructive',
+        signal: { surface: 'sdk_wrap' },
+    };
+    if (detail.target_host !== undefined)
+        input.target_host = detail.target_host;
+    if (config.clockOverride !== null)
+        input.clock_override = config.clockOverride;
+    const outcome = drive(input, config);
+    if (outcome.kind !== 'suspended' || outcome.receipt === null) {
+        throw new BridgeError(`@hesohq/sdk: key-rotation re-suspend expected a fresh Suspended L0 but the engine ` +
+            `returned \`${outcome.kind}\` — cannot recover this approval automatically`);
+    }
+    const freshHash = outcome.receipt.content.action_hash;
+    // Mirror the fresh suspended base so the relay that follows has the exact bytes.
+    void (0, cloud_js_1.pushReceipt)(outcome.receipt).catch(() => {
+        // best-effort — same contract as the gate-path mirror
+    });
+    return {
+        receipt: outcome.receipt,
+        actionHash: freshHash,
+        agentIdentity: outcome.receipt.content.agent_identity,
+    };
+}
+/**
+ * Finalize an approved k-of-n gate into a signed QUORUM receipt — the multi-approver
+ * sibling of {@link finalizeL1}. Every relayed leg must be ``approved``; the native
+ * addon assembles the quorum in-core off the operator-stamped suspended content and the
+ * verbatim per-approver records + co-signatures (canonicalization stays the Rust
+ * moat), verifying Valid(L1) WITH a ``multi_approval`` block before it returns. A
+ * quorum embeds ``trust_level: 'L1'`` WITH that block — it is NOT a higher level than
+ * single-approver L1.
+ *
+ * Order is load-bearing:
+ *  1. Assert EVERY leg's ``record.decision`` is ``approved`` BEFORE touching the
+ *     keystore (M3) — any non-approval throws {@link ApprovalRejectedError} and NEVER
+ *     assembles a quorum.
+ *  2. KEY-ROTATION (proactive): if ``loadedOperatorPubkeyB64`` is supplied and does
+ *     NOT equal the suspended content's ``agent_identity``, skip the wasted assemble
+ *     and drive recovery straight away.
+ *  3. Assemble in-core (the addon runs MANDATORY-1 + verifies Valid(L1) with a
+ *     ``multi_approval`` block); a reactive ``[OperatorKeyMismatch]`` is caught and
+ *     drives the SAME recovery.
+ *  4. Re-verify locally and REFUSE to push unless Valid(L1) WITH a ``multi_approval``
+ *     block (defense in depth).
+ *  5. Mirror-push, superseding the suspended L0 entry the quorum was built from (M5:
+ *     suspended/L0 -> L1; the server rejects an already-decided L1 target).
+ *
+ * On a key mismatch (proactive or reactive) and a supplied ``onKeyRotation``
+ * recovery, this re-suspends under the new key and throws an
+ * {@link OperatorKeyMismatchError} carrying the fresh hash via ``cause`` so the
+ * caller never mistakes recovery for a successful mint. With no recovery requested
+ * it throws the typed mismatch unhandled.
+ *
+ * @returns the signed QUORUM {@link ActionReceipt} that was pushed (L1 with a
+ * ``multi_approval`` block).
+ */
+async function finalizeQuorum(suspendedContent, relayedParts, options = {}) {
+    const config = (0, runtime_js_1.requireConfig)();
+    const actionHash = suspendedContent.action_hash;
+    const { keyPassphrase, loadedOperatorPubkeyB64, onKeyRotation } = options;
+    // M3 / REJECT-MINTS-NO-QUORUM: a single non-approval anywhere never reaches the keystore.
+    // Each leg's record is the cloud's VERBATIM JSON TEXT — parse READ-ONLY for the
+    // decision gate (the verbatim string itself feeds the native assemble below).
+    for (const leg of relayedParts.legs) {
+        const decision = decisionFromRecord(leg.record);
+        if (decision !== 'approved') {
+            throw new ApprovalRejectedError(actionHash, decision);
+        }
+    }
+    // PROACTIVE key-rotation: a known-disagreeing operator pubkey skips the assemble.
+    if (loadedOperatorPubkeyB64 !== undefined &&
+        loadedOperatorPubkeyB64 !== suspendedContent.agent_identity) {
+        return recoverFromKeyRotation(suspendedContent, config, onKeyRotation, loadedOperatorPubkeyB64);
+    }
+    // The native addon assembles the quorum in-core. parts_json carries each leg as
+    // `{ record: <JSON STRING>, approverPubkeyB64, coSigB64 }` (the napi WireQuorumPart is
+    // camelCase; `record` stays a JSON STRING on every plane, matching the golden). The
+    // cloud already relayed `record` as the EXACT verbatim JSON TEXT, so it is passed
+    // STRAIGHT through here (never re-stringified — that would diverge the canonical bytes
+    // and fail the in-core per-leg co-sign verify closed).
+    const partsJson = JSON.stringify(relayedParts.legs.map((leg) => ({
+        record: leg.record,
+        approverPubkeyB64: leg.approverPubkeyB64,
+        coSigB64: leg.coSigB64,
+    })));
+    let receiptBytes;
+    try {
+        receiptBytes = native().assembleQuorumFromParts(JSON.stringify(suspendedContent), relayedParts.threshold, JSON.stringify(relayedParts.roster), partsJson, config.projectRoot, keyPassphrase);
+    }
+    catch (err) {
+        // REACTIVE key-rotation: the in-core MANDATORY-1 check fired.
+        if (isOperatorKeyMismatch(err)) {
+            return recoverFromKeyRotation(suspendedContent, config, onKeyRotation, null);
+        }
+        throw new BridgeError(`@hesohq/sdk: assembleQuorumFromParts failed: ${err.message}`);
+    }
+    let receipt;
+    try {
+        receipt = JSON.parse(receiptBytes.toString('utf-8'));
+    }
+    catch (err) {
+        throw new BridgeError(`@hesohq/sdk: could not parse assembled quorum receipt: ${err.message}`);
+    }
+    // Defense in depth: a quorum is L1 WITH a multi_approval block. Refuse to push
+    // anything that is not locally Valid(L1) carrying that block (distinguished by the
+    // block, never by the level — a plain single-approver L1 has no multi_approval).
+    const verdict = native().verify(receiptBytes);
+    if (verdict.verdict !== 'Valid' ||
+        verdict.trustLevel !== 'L1' ||
+        receipt.content.multi_approval === undefined) {
+        throw new BridgeError(`@hesohq/sdk: assembled receipt is not a Valid(L1) quorum — verdict=${verdict.verdict} ` +
+            `trustLevel=${verdict.trustLevel} multi_approval=${receipt.content.multi_approval !== undefined}; ` +
+            `refusing to push`);
+    }
+    // The quorum supersedes the suspended L0 entry it was built from (M5: suspended -> L1).
+    await (0, cloud_js_1.pushReceipt)(receipt, actionHash);
+    return receipt;
+}
+/**
+ * Drive the key-rotation recovery: re-suspend under the current key, hand the fresh
+ * result to ``onKeyRotation`` if supplied, then ALWAYS throw the typed
+ * {@link OperatorKeyMismatchError} (never return a receipt) so a key mismatch can
+ * never be mistaken for a successful mint. ``cause`` carries the fresh re-suspend
+ * result for callers that inspect it.
+ */
+function recoverFromKeyRotation(suspendedContent, config, onKeyRotation, loadedPublicKey) {
+    const fresh = reSuspendUnderNewKey(suspendedContent, config);
+    if (onKeyRotation !== undefined)
+        onKeyRotation(fresh);
+    const err = new OperatorKeyMismatchError(suspendedContent.action_hash, suspendedContent.agent_identity, loadedPublicKey);
+    err.cause = fresh;
+    throw err;
+}
+//# sourceMappingURL=capture.js.map

package/dist/capture.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capture.js","sourceRoot":"","sources":["../src/capture.ts"],"names":[],"mappings":";AAAA,iFAAiF;AACjF,iFAAiF;AACjF,gFAAgF;AAChF,8EAA8E;AAC9E,sEAAsE;AACtE,EAAE;AACF,mFAAmF;AACnF,iFAAiF;AACjF,kFAAkF;AAClF,4EAA4E;AAC5E,kFAAkF;AAClF,kFAAkF;AAClF,EAAE;AACF,wEAAwE;AACxE,EAAE;AACF,2EAA2E;AAC3E,+EAA+E;AAC/E,gFAAgF;AAChF,iFAAiF;AACjF,qDAAqD;;;AAoRrD,0CAkBC;AAiED,kCAiBC;AA6DD,4BAQC;AAQD,oBAOC;AAuBD,oCASC;AAOD,kCAEC;AA0BD,gCA4DC;AAqGD,wCAoGC;AAjxBD,6CAAoE;AACpE,yCAAwC;AAiDxC,IAAI,OAAO,GAAyB,IAAI,CAAA;AAExC,SAAS,MAAM;IACb,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,OAAO,CAAA;IACpC,IAAI,GAA2B,CAAA;IAC/B,IAAI,CAAC;QACH,2EAA2E;QAC3E,gEAAgE;QAChE,8DAA8D;QAC9D,GAAG,GAAG,OAAO,CAAC,cAAc,CAA2B,CAAA;IACzD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,WAAW,CACnB,iGAAiG;YAC/F,4DAA6D,GAAa,CAAC,OAAO,EAAE,CACvF,CAAA;IACH,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,aAAa,KAAK,UAAU,EAAE,CAAC;QAC5C,MAAM,IAAI,WAAW,CACnB,+FAA+F;YAC7F,iDAAiD,CACpD,CAAA;IACH,CAAC;IACD,OAAO,GAAG,GAAoB,CAAA;IAC9B,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,+EAA+E;AAE/E,uFAAuF;AACvF,MAAa,WAAY,SAAQ,KAAK;IACpC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAA;QACd,IAAI,CAAC,IAAI,GAAG,aAAa,CAAA;IAC3B,CAAC;CACF;AALD,kCAKC;AAED,uFAAuF;AACvF,MAAa,YAAa,SAAQ,KAAK;IACrC,YACW,QAAgB,EAChB,MAAqB,EACrB,MAAqB;QAE9B,KAAK,CAAC,kBAAkB,QAAQ,YAAY,MAAM,IAAI,GAAG,MAAM,MAAM,IAAI,mBAAmB,EAAE,CAAC,CAAA;QAJtF,aAAQ,GAAR,QAAQ,CAAQ;QAChB,WAAM,GAAN,MAAM,CAAe;QACrB,WAAM,GAAN,MAAM,CAAe;QAG9B,IAAI,CAAC,IAAI,GAAG,cAAc,CAAA;IAC5B,CAAC;CACF;AATD,oCASC;AAED,4FAA4F;AAC5F,MAAa,cAAe,SAAQ,KAAK;IACvC,YACW,QAAgB,EAChB,UAAyB;QAElC,KAAK,CAAC,oBAAoB,QAAQ,oCAAoC,UAAU,IAAI,GAAG,GAAG,CAAC,CAAA;QAHlF,aAAQ,GAAR,QAAQ,CAAQ;QAChB,eAAU,GAAV,UAAU,CAAe;QAGlC,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAA;IAC9B,CAAC;CACF;AARD,wCAQC;AAED;;;;;GAKG;AACH,MAAa,qBAAsB,SAAQ,KAAK;IAC9C,YACW,UAAkB,EAClB,QAAgB;QAEzB,KAAK,CAAC,iBAAiB,UAAU,eAAe,QAAQ,kCAAkC,CAAC,CAAA;QAHlF,eAAU,GAAV,UAAU,CAAQ;QAClB,aAAQ,GAAR,QAAQ,CAAQ;QAGzB,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAA;IACrC,CAAC;CACF;AARD,sDAQC;AAED;;;;;;;;;;GAUG;AACH,SAAS,kBAAkB,CAAC,MAAc;IACxC,IAAI,MAAe,CAAA;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;IAC7B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,WAAW,CAAC,2DAA4D,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;IAC5G,CAAC;IACD,IACE,OAAO,MAAM,KAAK,QAAQ;QAC1B,MAAM,KAAK,IAAI;QACf,OAAQ,MAAiC,CAAC,QAAQ,KAAK,QAAQ,EAC/D,CAAC;QACD,MAAM,IAAI,WAAW,CAAC,qEAAqE,CAAC,CAAA;IAC9F,CAAC;IACD,OAAQ,MAA+B,CAAC,QAAQ,CAAA;AAClD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAa,wBAAyB,SAAQ,KAAK;IACjD,YACW,UAAkB,EAClB,qBAA6B;IACtC;6EACyE;IAChE,kBAAiC,IAAI;QAE9C,KAAK,CACH,yCAAyC,UAAU,8BAA8B;YAC/E,+BAA+B,qBAAqB,EAAE;YACtD,CAAC,eAAe,KAAK,IAAI,CAAC,CAAC,CAAC,oCAAoC,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACvF,sEAAsE,CACzE,CAAA;QAXQ,eAAU,GAAV,UAAU,CAAQ;QAClB,0BAAqB,GAArB,qBAAqB,CAAQ;QAG7B,oBAAe,GAAf,eAAe,CAAsB;QAQ9C,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAA;IACxC,CAAC;CACF;AAhBD,4DAgBC;AAED;;4EAE4E;AAC5E,SAAS,qBAAqB,CAAC,GAAY;IACzC,OAAO,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,CAAA;AAC9E,CAAC;AAiFD,iFAAiF;AAEjF;;;;GAIG;AACH,SAAgB,eAAe,CAAC,KAAc;IAC5C,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,EAAE,CAAA;IACpD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACvD,OAAO,YAAY,CAAC,KAAgC,CAAC,CAAA;IACvD,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,MAAe,CAAA;QACnB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,KAAK,EAAE,CAAA;QAClB,CAAC;QACD,IAAI,MAAM,KAAK,IAAI,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5E,OAAO,YAAY,CAAC,MAAiC,CAAC,CAAA;QACxD,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAA;IACpC,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAA;AACnC,CAAC;AAED;;;;;;GAMG;AACH,SAAS,QAAQ,CAAC,KAAc;IAC9B,IAAI,CAAC;QACH,kFAAkF;QAClF,mFAAmF;QACnF,iFAAiF;QACjF,oFAAoF;QACpF,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IACpE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,MAAM,CAAC,KAAK,CAAC,CAAA;IACtB,CAAC;AACH,CAAC;AAED,6DAA6D;AAC7D,SAAS,YAAY,CAAC,GAA4B;IAChD,MAAM,GAAG,GAAW,EAAE,CAAA;IACtB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,GAAG,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAA;IAC9D,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,SAAS,iBAAiB,CACxB,QAAgB,EAChB,MAAc,EACd,IAAU,EACV,OAAgB,EAChB,UAA8B,EAC9B,WAAgD,EAChD,YAAsB,EACtB,cAA6B,EAC7B,MAAyB;IAEzB,MAAM,MAAM,GAA4B,EAAE,OAAO,EAAE,CAAA;IACnD,IAAI,WAAW,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;YACjD,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,IAAI;gBAAE,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;QAClD,CAAC;IACH,CAAC;IACD,MAAM,KAAK,GAAiB;QAC1B,IAAI;QACJ,SAAS,EAAE,QAAQ;QACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,MAAM;QACN,aAAa,EAAE,YAAY;QAC3B,eAAe,EAAE,cAAc;QAC/B,MAAM;KACP,CAAA;IACD,IAAI,UAAU,KAAK,SAAS;QAAE,KAAK,CAAC,WAAW,GAAG,UAAU,CAAA;IAC5D,IAAI,MAAM,CAAC,aAAa,KAAK,IAAI;QAAE,KAAK,CAAC,cAAc,GAAG,MAAM,CAAC,aAAa,CAAA;IAC9E,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;GAIG;AACH,SAAgB,WAAW,CAAC,QAAgB,EAAE,MAAc,EAAE,OAAoB,EAAE;IAClF,MAAM,MAAM,GAAG,IAAA,0BAAa,GAAE,CAAA;IAC9B,6EAA6E;IAC7E,8EAA8E;IAC9E,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,CAAA;IACpC,MAAM,KAAK,GAAG,iBAAiB,CAC7B,QAAQ,EACR,OAAO,EACP,IAAI,CAAC,IAAI,IAAI,WAAW,EACxB,IAAI,CAAC,OAAO,IAAI,WAAW,EAC3B,IAAI,CAAC,UAAU,EACf,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,MAAM,IAAI,EAAE,EACjB,IAAI,CAAC,cAAc,IAAI,aAAa,EACpC,MAAM,CACP,CAAA;IACD,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;AAC/D,CAAC;AAED,SAAS,KAAK,CAAC,KAAmB,EAAE,MAAyB;IAC3D,IAAI,GAAW,CAAA;IACf,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,WAAW,CAAC,CAAA;IACzE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,WAAW,CAAC,6CAA8C,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;IAC9F,CAAC;IACD,IAAI,IAAuB,CAAA;IAC3B,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAsB,CAAA;IAC/D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,WAAW,CAAC,+CAAgD,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;IAChG,CAAC;IACD,OAAO,YAAY,CAAC,IAAI,CAAC,CAAA;AAC3B,CAAC;AAED,SAAS,YAAY,CAAC,IAAuB;IAC3C,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC9B,OAAO;YACL,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,IAAI;YACZ,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,WAAW,IAAI,IAAI;SACtD,CAAA;IACH,CAAC;IACD,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC9B,OAAO;YACL,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,IAAI,CAAC,OAAO,IAAI,IAAI;YAC5B,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,IAAI;YAC3B,UAAU,EAAE,IAAI;SACjB,CAAA;IACH,CAAC;IACD,OAAO;QACL,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,KAAK;QACd,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,IAAI;QAC7B,MAAM,EAAE,IAAI;QACZ,MAAM,EAAE,IAAI;QACZ,UAAU,EAAE,IAAI,CAAC,MAAM,EAAE,WAAW,IAAI,IAAI;KAC7C,CAAA;AACH,CAAC;AAED,SAAS,OAAO,CAAC,QAAgB,EAAE,OAAgB,EAAE,MAAyB;IAC5E,IAAI,OAAO,CAAC,OAAO;QAAE,OAAM;IAC3B,IAAI,CAAC,MAAM,CAAC,QAAQ;QAAE,OAAM,CAAC,uCAAuC;IACpE,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS;QAAE,MAAM,IAAI,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAA;IAChG,MAAM,IAAI,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,CAAA;AACxD,CAAC;AAED;;;;GAIG;AACH,SAAgB,QAAQ,CACtB,QAAgB,EAChB,KAAc,EACd,OAAoB,EAAE;IAEtB,MAAM,MAAM,GAAG,IAAA,0BAAa,GAAE,CAAA;IAC9B,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,EAAE,eAAe,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,CAAA;IAClE,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;AACzD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,IAAI,CAAC,QAAgB,EAAE,KAAc,EAAE,OAAoB,EAAE;IAC3E,MAAM,MAAM,GAAG,IAAA,0BAAa,GAAE,CAAA;IAC9B,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,EAAE,eAAe,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,CAAA;IAClE,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IAC3C,eAAe,CAAC,OAAO,CAAC,CAAA;IACxB,OAAO,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;IAClC,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,eAAe,CAAC,OAAgB;IACvC,IAAI,OAAO,CAAC,IAAI,KAAK,WAAW,IAAI,OAAO,CAAC,OAAO,KAAK,IAAI;QAAE,OAAM;IACpE,KAAK,IAAA,sBAAW,EAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;QAC3C,gFAAgF;IAClF,CAAC,CAAC,CAAA;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,YAAY,CAAC,MAAc,EAAE,MAAe;IAC1D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,0BAAa,GAAE,CAAA;QAC9B,MAAM,IAAI,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,IAAI,IAAI,CAAC,CAAA;QACjF,MAAM,KAAK,GAAiB,EAAE,GAAG,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAA;QACtF,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,uDAAuD;IACzD,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,WAAW;IACzB,OAAO,IAAA,0BAAa,GAAE,CAAC,QAAQ,CAAA;AACjC,CAAC;AAED,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;GAqBG;AACI,KAAK,UAAU,UAAU,CAC9B,gBAA+B,EAC/B,YAAqB,EACrB,aAAsB;IAEtB,MAAM,MAAM,GAAG,IAAA,0BAAa,GAAE,CAAA;IAC9B,MAAM,UAAU,GAAG,gBAAgB,CAAC,WAAW,CAAA;IAE/C,oFAAoF;IACpF,iFAAiF;IACjF,uFAAuF;IACvF,MAAM,QAAQ,GAAG,kBAAkB,CAAC,YAAY,CAAC,MAAM,CAAC,CAAA;IACxD,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;QAC5B,MAAM,IAAI,qBAAqB,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;IACvD,CAAC;IAED,+EAA+E;IAC/E,kFAAkF;IAClF,sFAAsF;IACtF,wFAAwF;IACxF,qFAAqF;IACrF,oCAAoC;IACpC,IAAI,YAAoB,CAAA;IACxB,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,EAAE,CAAC,mBAAmB,CACzC,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,EAChC,YAAY,CAAC,MAAM,EACnB,YAAY,CAAC,iBAAiB,EAC9B,YAAY,CAAC,QAAQ,EACrB,MAAM,CAAC,WAAW,EAClB,aAAa,EACb,YAAY,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAC5F,CAAA;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,8EAA8E;QAC9E,4EAA4E;QAC5E,IAAI,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,wBAAwB,CAAC,UAAU,EAAE,gBAAgB,CAAC,cAAc,CAAC,CAAA;QACjF,CAAC;QACD,MAAM,IAAI,WAAW,CAAC,4CAA6C,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;IAC7F,CAAC;IAED,2EAA2E;IAC3E,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IAC7C,IAAI,OAAO,CAAC,OAAO,KAAK,OAAO,IAAI,OAAO,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;QAC/D,MAAM,IAAI,WAAW,CACnB,6DAA6D,OAAO,CAAC,OAAO,eAAe,OAAO,CAAC,UAAU,oBAAoB,CAClI,CAAA;IACH,CAAC;IAED,IAAI,OAAsB,CAAA;IAC1B,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAkB,CAAA;IACvE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,WAAW,CAAC,sDAAuD,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;IACvG,CAAC;IAED,oFAAoF;IACpF,MAAM,IAAA,sBAAW,EAAC,OAAO,EAAE,UAAU,CAAC,CAAA;IACtC,OAAO,OAAO,CAAA;AAChB,CAAC;AAiBD;;;;;;;;;;GAUG;AACH,SAAS,oBAAoB,CAC3B,gBAA+B,EAC/B,MAAyB;IAEzB,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAA;IACtC,kFAAkF;IAClF,gFAAgF;IAChF,gCAAgC;IAChC,MAAM,KAAK,GAAiB;QAC1B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,aAAa,EAAE,EAAE;QACjB,eAAe,EAAE,aAAa;QAC9B,MAAM,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE;KAChC,CAAA;IACD,IAAI,MAAM,CAAC,WAAW,KAAK,SAAS;QAAE,KAAK,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAA;IAC5E,IAAI,MAAM,CAAC,aAAa,KAAK,IAAI;QAAE,KAAK,CAAC,cAAc,GAAG,MAAM,CAAC,aAAa,CAAA;IAE9E,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IACpC,IAAI,OAAO,CAAC,IAAI,KAAK,WAAW,IAAI,OAAO,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;QAC7D,MAAM,IAAI,WAAW,CACnB,oFAAoF;YAClF,cAAc,OAAO,CAAC,IAAI,iDAAiD,CAC9E,CAAA;IACH,CAAC;IACD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAA;IACrD,iFAAiF;IACjF,KAAK,IAAA,sBAAW,EAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;QAC3C,sDAAsD;IACxD,CAAC,CAAC,CAAA;IACF,OAAO;QACL,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,UAAU,EAAE,SAAS;QACrB,aAAa,EAAE,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc;KACtD,CAAA;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACI,KAAK,UAAU,cAAc,CAClC,gBAA+B,EAC/B,YAAyB,EACzB,UAUI,EAAE;IAEN,MAAM,MAAM,GAAG,IAAA,0BAAa,GAAE,CAAA;IAC9B,MAAM,UAAU,GAAG,gBAAgB,CAAC,WAAW,CAAA;IAC/C,MAAM,EAAE,aAAa,EAAE,uBAAuB,EAAE,aAAa,EAAE,GAAG,OAAO,CAAA;IAEzE,0FAA0F;IAC1F,gFAAgF;IAChF,8EAA8E;IAC9E,KAAK,MAAM,GAAG,IAAI,YAAY,CAAC,IAAI,EAAE,CAAC;QACpC,MAAM,QAAQ,GAAG,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC/C,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;YAC5B,MAAM,IAAI,qBAAqB,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;QACvD,CAAC;IACH,CAAC;IAED,kFAAkF;IAClF,IACE,uBAAuB,KAAK,SAAS;QACrC,uBAAuB,KAAK,gBAAgB,CAAC,cAAc,EAC3D,CAAC;QACD,OAAO,sBAAsB,CAC3B,gBAAgB,EAChB,MAAM,EACN,aAAa,EACb,uBAAuB,CACxB,CAAA;IACH,CAAC;IAED,gFAAgF;IAChF,uFAAuF;IACvF,oFAAoF;IACpF,kFAAkF;IAClF,uFAAuF;IACvF,uDAAuD;IACvD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAC9B,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC9B,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;QACxC,QAAQ,EAAE,GAAG,CAAC,QAAQ;KACvB,CAAC,CAAC,CACJ,CAAA;IAED,IAAI,YAAoB,CAAA;IACxB,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,EAAE,CAAC,uBAAuB,CAC7C,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,EAChC,YAAY,CAAC,SAAS,EACtB,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,MAAM,CAAC,EACnC,SAAS,EACT,MAAM,CAAC,WAAW,EAClB,aAAa,CACd,CAAA;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,8DAA8D;QAC9D,IAAI,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO,sBAAsB,CAAC,gBAAgB,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,CAAC,CAAA;QAC9E,CAAC;QACD,MAAM,IAAI,WAAW,CAAC,gDAAiD,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;IACjG,CAAC;IAED,IAAI,OAAsB,CAAA;IAC1B,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAkB,CAAA;IACvE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,WAAW,CAAC,0DAA2D,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;IAC3G,CAAC;IAED,+EAA+E;IAC/E,mFAAmF;IACnF,iFAAiF;IACjF,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IAC7C,IACE,OAAO,CAAC,OAAO,KAAK,OAAO;QAC3B,OAAO,CAAC,UAAU,KAAK,IAAI;QAC3B,OAAO,CAAC,OAAO,CAAC,cAAc,KAAK,SAAS,EAC5C,CAAC;QACD,MAAM,IAAI,WAAW,CACnB,sEAAsE,OAAO,CAAC,OAAO,GAAG;YACtF,cAAc,OAAO,CAAC,UAAU,mBAAmB,OAAO,CAAC,OAAO,CAAC,cAAc,KAAK,SAAS,IAAI;YACnG,kBAAkB,CACrB,CAAA;IACH,CAAC;IAED,wFAAwF;IACxF,MAAM,IAAA,sBAAW,EAAC,OAAO,EAAE,UAAU,CAAC,CAAA;IACtC,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAC7B,gBAA+B,EAC/B,MAAyB,EACzB,aAA8D,EAC9D,eAA8B;IAE9B,MAAM,KAAK,GAAG,oBAAoB,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAA;IAC5D,IAAI,aAAa,KAAK,SAAS;QAAE,aAAa,CAAC,KAAK,CAAC,CAAA;IACrD,MAAM,GAAG,GAAG,IAAI,wBAAwB,CACtC,gBAAgB,CAAC,WAAW,EAC5B,gBAAgB,CAAC,cAAc,EAC/B,eAAe,CAChB,CACA;IAAC,GAAmC,CAAC,KAAK,GAAG,KAAK,CAAA;IACnD,MAAM,GAAG,CAAA;AACX,CAAC"}