@intentius/chant-lexicon-temporal 0.7.0 → 0.8.1

package/dist/op/activities/index.d.ts

@@ -0,0 +1,29 @@
+export { chantBuild } from "./build.js";
+export type { ChantBuildArgs } from "./build.js";
+export { kubectlApply } from "./kubectl.js";
+export type { KubectlApplyArgs } from "./kubectl.js";
+export { helmInstall } from "./helm.js";
+export type { HelmInstallArgs } from "./helm.js";
+export { waitForStack } from "./wait.js";
+export type { WaitForStackArgs } from "./wait.js";
+export { gitlabPipeline } from "./gitlab.js";
+export type { GitlabPipelineArgs } from "./gitlab.js";
+export { shellCmd } from "./shell.js";
+export type { ShellCmdArgs } from "./shell.js";
+export { lifecycleSnapshot, lifecycleDiff } from "./lifecycle.js";
+export type { LifecycleSnapshotArgs, LifecycleDiffArgs, LifecycleDiffResult } from "./lifecycle.js";
+export { chantTeardown } from "./teardown.js";
+export type { ChantTeardownArgs } from "./teardown.js";
+export { reconcilePr } from "./reconcile.js";
+export type { ReconcilePrArgs, ReconcileResult, ReconcileMode, ReconcileEntry } from "./reconcile.js";
+export { nativeApply, compensateApply } from "./apply.js";
+export type { NativeApplyArgs, CompensateApplyArgs, ApplyTarget, DeleteMode } from "./apply.js";
+export { waitForArgoSync, defaultArgoStatusFetcher, ArgoSyncFailedError } from "./argo.js";
+export type { WaitForArgoSyncArgs, ArgoAppStatus, ArgoStatusFetcher } from "./argo.js";
+export { policyGate } from "./policy.js";
+export type { PolicyGateArgs } from "./policy.js";
+export { workflowSupplyChainAudit, collectAuditRefs, defaultActionRefResolver } from "./workflow-audit.js";
+export type { WorkflowAuditArgs, WorkflowAuditResult, WorkflowAuditMode, WorkflowAuditFinding, WorkflowAuditFindingKind, ActionRefResolver, ActionRefResolution, } from "./workflow-audit.js";
+export { pipelineSupplyChainAudit, collectPipelineRefs, defaultGitlabRefResolver } from "./pipeline-audit.js";
+export type { PipelineAuditArgs, PipelineAuditResult, PipelineAuditMode, PipelineAuditFinding, PipelineAuditFindingKind, PipelineRefKind, GitlabRefResolver, PipelineRefResolution, } from "./pipeline-audit.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/op/activities/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/op/activities/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAE9C,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,YAAY,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAElD,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,YAAY,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AACtC,YAAY,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAC;AAE/C,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,YAAY,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAEnD,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,YAAY,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC/D,YAAY,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAEjG,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,YAAY,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEpD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAEnG,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AACvD,YAAY,EAAE,eAAe,EAAE,mBAAmB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAE7F,OAAO,EAAE,eAAe,EAAE,wBAAwB,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AACxF,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAEpF,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACtC,YAAY,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAE/C,OAAO,EAAE,wBAAwB,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AACxG,YAAY,EACV,iBAAiB,EACjB,mBAAmB,EACnB,iBAAiB,EACjB,oBAAoB,EACpB,wBAAwB,EACxB,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,wBAAwB,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAC3G,YAAY,EACV,iBAAiB,EACjB,mBAAmB,EACnB,iBAAiB,EACjB,oBAAoB,EACpB,wBAAwB,EACxB,eAAe,EACf,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,kBAAkB,CAAC"}

package/dist/op/activities/kubectl.d.ts

@@ -0,0 +1,11 @@
+export interface KubectlApplyArgs {
+    manifest: string;
+    /** kubectl context name. Uses current context if omitted. */
+    context?: string;
+}
+/**
+ * Run `kubectl apply -f <manifest>`.
+ * Uses longInfra profile — 20m timeout, heartbeat every 15s.
+ */
+export declare function kubectlApply(args: KubectlApplyArgs, signal?: AbortSignal): Promise<void>;
+//# sourceMappingURL=kubectl.d.ts.map

package/dist/op/activities/kubectl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kubectl.d.ts","sourceRoot":"","sources":["../../../src/op/activities/kubectl.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,6DAA6D;IAC7D,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAAC,IAAI,EAAE,gBAAgB,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAgB9F"}

package/dist/op/activities/lifecycle.d.ts

@@ -0,0 +1,42 @@
+export interface LifecycleSnapshotArgs {
+    /** Environment name (e.g. "dev", "staging", "prod"). */
+    env: string;
+}
+/**
+ * Take a chant lifecycle snapshot for the given environment.
+ * Uses fastIdempotent profile — 5m timeout, 3 retries.
+ */
+export declare function lifecycleSnapshot(args: LifecycleSnapshotArgs, signal?: AbortSignal): Promise<void>;
+export interface LifecycleDiffArgs {
+    /** Environment name (e.g. "dev", "staging", "prod"). */
+    env: string;
+    /**
+     * When true, run `chant lifecycle diff <env> --live` (queries cloud APIs).
+     * When false (default), run digest-only diff against the last snapshot.
+     */
+    live?: boolean;
+}
+export interface LifecycleDiffResult {
+    /** Combined stdout + stderr from the chant command. */
+    output: string;
+    /** Process exit code (0 = success). */
+    exitCode: number;
+    /**
+     * True when the diff output contains any drift indicators
+     * (MISSING / ORPHAN / DRIFTED / DISAPPEARED section headers from
+     * `chant lifecycle diff --live`).
+     */
+    drifted: boolean;
+}
+/**
+ * Run `chant lifecycle diff <env>` and return the output + structured drift
+ * flag. Read-only; intended for use inside watch/observation workflows.
+ * Uses fastIdempotent profile.
+ *
+ * The `drifted` field is computed by scanning the output for any of the
+ * MISSING / ORPHAN / DRIFTED / DISAPPEARED section headers documented in
+ * cli/state.mdx. Pair with `outcomeAttribute: { name: "Drift", from: "drifted" }`
+ * on a WatchOp activity step to surface drift as a workflow search attribute.
+ */
+export declare function lifecycleDiff(args: LifecycleDiffArgs, signal?: AbortSignal): Promise<LifecycleDiffResult>;
+//# sourceMappingURL=lifecycle.d.ts.map

package/dist/op/activities/lifecycle.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lifecycle.d.ts","sourceRoot":"","sources":["../../../src/op/activities/lifecycle.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,qBAAqB;IACpC,wDAAwD;IACxD,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,qBAAqB,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAIxG;AAED,MAAM,WAAW,iBAAiB;IAChC,wDAAwD;IACxD,GAAG,EAAE,MAAM,CAAC;IACZ;;;OAGG;IACH,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,mBAAmB;IAClC,uDAAuD;IACvD,MAAM,EAAE,MAAM,CAAC;IACf,uCAAuC;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,OAAO,EAAE,OAAO,CAAC;CAClB;AAoBD;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,iBAAiB,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAa/G"}

package/dist/op/activities/pipeline-audit.d.ts

@@ -0,0 +1,84 @@
+/**
+ * pipelineSupplyChainAudit — the live counterpart to the gitlab post-synth
+ * include/component/image checks (#297).
+ *
+ * Some include/component checks can only be answered against a moving external
+ * truth: whether a pinned component/include ref still resolves upstream, whether
+ * the upstream project was archived or moved, or whether a new advisory now
+ * covers a component/image already in use. These change independent of the
+ * source, so they cannot live in the deterministic build — this activity owns
+ * *only* the checks that require live resolution.
+ *
+ * Dependency-free and primitives-only: it reads the emitted `.gitlab-ci.yml`
+ * (passed as a string) and resolves references through an injectable
+ * `GitlabRefResolver`, so Temporal/`chant run` can schedule it and tests can run
+ * it against recorded responses with no live network.
+ */
+/** What the audit produces on findings. For GitLab the PR mode is a merge request. */
+export type PipelineAuditMode = "report" | "issue" | "merge-request";
+/** The kind of reference being resolved. */
+export type PipelineRefKind = "include" | "component" | "image";
+/** Live resolution of a single pipeline reference against its upstream. */
+export interface PipelineRefResolution {
+    /** Does the project/component/image (at this ref/version) still resolve? */
+    exists: boolean;
+    /** Has the upstream project been archived? */
+    archived: boolean;
+    /** Has the upstream project moved (new path), if known. */
+    movedTo?: string;
+    /** Disclosed advisory identifiers affecting this reference. */
+    advisories: string[];
+}
+/** Pluggable upstream resolver — overridden in tests with recorded responses. */
+export type GitlabRefResolver = (kind: PipelineRefKind, identifier: string, ref: string) => Promise<PipelineRefResolution>;
+export type PipelineAuditFindingKind = "unresolved" | "archived" | "moved" | "advisory";
+export interface PipelineAuditFinding {
+    kind: PipelineAuditFindingKind;
+    refKind: PipelineRefKind;
+    /** project path / component address / image. */
+    identifier: string;
+    /** ref / version / tag. */
+    ref: string;
+    detail: string;
+}
+export interface PipelineAuditArgs {
+    /** One emitted `.gitlab-ci.yml` document. */
+    yaml?: string;
+    /** Several emitted documents. */
+    yamls?: string[];
+    /** Path to an emitted `.gitlab-ci.yml` to read at run time (default `.gitlab-ci.yml`). */
+    pipelineFile?: string;
+    /** What to produce. Default: report. */
+    mode?: PipelineAuditMode;
+    /** Injectable upstream resolver. Defaults to the live GitLab REST resolver. */
+    resolver?: GitlabRefResolver;
+}
+export interface PipelineAuditResult {
+    mode: PipelineAuditMode;
+    findings: PipelineAuditFinding[];
+    summary: string;
+}
+interface CollectedRef {
+    refKind: PipelineRefKind;
+    identifier: string;
+    ref: string;
+}
+/**
+ * Collect `include:project` (+ ref), `component:` (with @version), and `image:`
+ * references from a `.gitlab-ci.yml`.
+ */
+export declare function collectPipelineRefs(yaml: string): CollectedRef[];
+/**
+ * Default resolver: query the GitLab REST API for project existence / archive /
+ * move status. Best-effort and resilient — errors yield an "unknown" resolution
+ * (exists=true, no findings) rather than a false positive. Component/image
+ * advisory lookups are left to a configured resolver.
+ */
+export declare const defaultGitlabRefResolver: GitlabRefResolver;
+/**
+ * Resolve each include/component/image reference in the emitted pipeline against
+ * live upstreams and report drift.
+ */
+export declare function pipelineSupplyChainAudit(args: PipelineAuditArgs): Promise<PipelineAuditResult>;
+export {};
+//# sourceMappingURL=pipeline-audit.d.ts.map

package/dist/op/activities/pipeline-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pipeline-audit.d.ts","sourceRoot":"","sources":["../../../src/op/activities/pipeline-audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,sFAAsF;AACtF,MAAM,MAAM,iBAAiB,GAAG,QAAQ,GAAG,OAAO,GAAG,eAAe,CAAC;AAErE,4CAA4C;AAC5C,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,WAAW,GAAG,OAAO,CAAC;AAEhE,2EAA2E;AAC3E,MAAM,WAAW,qBAAqB;IACpC,4EAA4E;IAC5E,MAAM,EAAE,OAAO,CAAC;IAChB,8CAA8C;IAC9C,QAAQ,EAAE,OAAO,CAAC;IAClB,2DAA2D;IAC3D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,iFAAiF;AACjF,MAAM,MAAM,iBAAiB,GAAG,CAAC,IAAI,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,qBAAqB,CAAC,CAAC;AAE3H,MAAM,MAAM,wBAAwB,GAAG,YAAY,GAAG,UAAU,GAAG,OAAO,GAAG,UAAU,CAAC;AAExF,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,wBAAwB,CAAC;IAC/B,OAAO,EAAE,eAAe,CAAC;IACzB,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB;IAChC,6CAA6C;IAC7C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,iCAAiC;IACjC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,0FAA0F;IAC1F,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,IAAI,CAAC,EAAE,iBAAiB,CAAC;IACzB,+EAA+E;IAC/E,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,iBAAiB,CAAC;IACxB,QAAQ,EAAE,oBAAoB,EAAE,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,UAAU,YAAY;IACpB,OAAO,EAAE,eAAe,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,YAAY,EAAE,CAwChE;AAED;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,EAAE,iBAgBtC,CAAC;AAmBF;;;GAGG;AACH,wBAAsB,wBAAwB,CAAC,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAkCpG"}

package/dist/op/activities/policy.d.ts

@@ -0,0 +1,17 @@
+export interface PolicyGateArgs {
+    /** Project/source directory to build and evaluate. Default ".". */
+    path?: string;
+    /** Environment for policy evaluation (falls back to `ownership.env`). */
+    env?: string;
+}
+/**
+ * Gate an apply on organizational policy: build the project, run its
+ * `lint.policies` over the resolved resources, and **block** on any violation.
+ * Place it as a step before the apply phase — a violation fails the workflow
+ * (non-retryable; the `policyCheck` profile is single-attempt) so nothing is
+ * applied. A clean evaluation passes through.
+ *
+ * Runs in both executors — it is a plain activity, not a Temporal gate.
+ */
+export declare function policyGate(args: PolicyGateArgs, _signal?: AbortSignal): Promise<void>;
+//# sourceMappingURL=policy.d.ts.map

package/dist/op/activities/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/op/activities/policy.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,cAAc;IAC7B,mEAAmE;IACnE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,yEAAyE;IACzE,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;;;;;;GAQG;AACH,wBAAsB,UAAU,CAAC,IAAI,EAAE,cAAc,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAY3F"}

package/dist/op/activities/reconcile.d.ts

@@ -0,0 +1,69 @@
+/** What the reconcile activity does with the regenerated source. */
+export type ReconcileMode = "pull-request" | "issue" | "report";
+/** A change-set entry that triggered reconciliation. */
+export interface ReconcileEntry {
+    /** chant entity name. */
+    name: string;
+    /** create | update | delete | adopt | noop (from `chant lifecycle plan`). */
+    action: string;
+    /** Resource type, when known. */
+    type?: string;
+}
+export interface ReconcilePrArgs {
+    /** Environment to reconcile from (passed to `chant import --from`). */
+    env: string;
+    /**
+     * The change-set entries that triggered this reconcile. Omit to derive them
+     * from `chant lifecycle plan <env> --json` at run time — the form used inside a
+     * workflow, where the entries aren't known until the activity runs.
+     */
+    entries?: ReconcileEntry[];
+    /** What to produce. Default: pull-request. */
+    mode?: ReconcileMode;
+    /** Output directory for regenerated source. Default: ./infra. */
+    output?: string;
+    /** Branch to open the PR from. Default: chant/reconcile-<env>. */
+    branch?: string;
+    /** Restrict live import to chant-owned resources. */
+    owned?: boolean;
+    /** PR / issue title. Default derived from env. */
+    title?: string;
+}
+export interface ReconcileResult {
+    mode: ReconcileMode;
+    /** Branch created (pull-request mode). */
+    branch?: string;
+    /** Opened PR URL (pull-request mode). */
+    prUrl?: string;
+    /** Opened issue URL (issue mode). */
+    issueUrl?: string;
+    /** The markdown summary used as the PR/issue body. */
+    summary: string;
+    /** The entries that triggered the reconcile. */
+    entries: ReconcileEntry[];
+}
+/** Default branch name for a reconcile PR. Deterministic — no timestamp. */
+export declare function reconcileBranchName(env: string): string;
+/**
+ * Build the markdown body summarizing which change-set entries triggered the
+ * reconcile. Pure — used as the PR/issue body and returned in `report` mode.
+ */
+export declare function reconcileSummary(env: string, entries: ReconcileEntry[]): string;
+/**
+ * Map a `chant lifecycle plan --json` ChangeSet to reconcile entries, dropping
+ * `noop` entries (nothing to reconcile). Pure — exported for testing.
+ */
+export declare function entriesFromPlan(planJson: string): ReconcileEntry[];
+/**
+ * Reconcile activity: turn regenerated TypeScript into a reviewable artifact.
+ *
+ * - `report` — return the summary only; no git, no network.
+ * - `issue` — open a GitHub issue describing the drift (no code change).
+ * - `pull-request` — create a branch, regenerate source via
+ *   `chant import --from <env>`, commit, push, and open a PR whose diff is the
+ *   regenerated TypeScript. Never commits to the main branch.
+ *
+ * Requires `chant` and (for non-report modes) `gh`/`git` in the environment.
+ */
+export declare function reconcilePr(args: ReconcilePrArgs, signal?: AbortSignal): Promise<ReconcileResult>;
+//# sourceMappingURL=reconcile.d.ts.map

package/dist/op/activities/reconcile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reconcile.d.ts","sourceRoot":"","sources":["../../../src/op/activities/reconcile.ts"],"names":[],"mappings":"AAKA,oEAAoE;AACpE,MAAM,MAAM,aAAa,GAAG,cAAc,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEhE,wDAAwD;AACxD,MAAM,WAAW,cAAc;IAC7B,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,6EAA6E;IAC7E,MAAM,EAAE,MAAM,CAAC;IACf,iCAAiC;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,uEAAuE;IACvE,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,OAAO,CAAC,EAAE,cAAc,EAAE,CAAC;IAC3B,8CAA8C;IAC9C,IAAI,CAAC,EAAE,aAAa,CAAC;IACrB,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,kEAAkE;IAClE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qDAAqD;IACrD,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,kDAAkD;IAClD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,aAAa,CAAC;IACpB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,qCAAqC;IACrC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,sDAAsD;IACtD,OAAO,EAAE,MAAM,CAAC;IAChB,gDAAgD;IAChD,OAAO,EAAE,cAAc,EAAE,CAAC;CAC3B;AAED,4EAA4E;AAC5E,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGvD;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,MAAM,CAkB/E;AAMD;;;GAGG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,EAAE,CAOlE;AAgBD;;;;;;;;;;GAUG;AACH,wBAAsB,WAAW,CAAC,IAAI,EAAE,eAAe,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,eAAe,CAAC,CAuCvG"}

package/dist/op/activities/shell.d.ts

@@ -0,0 +1,13 @@
+export interface ShellCmdArgs {
+    cmd: string;
+    /** Additional environment variables. */
+    env?: Record<string, string>;
+    /** Working directory. Default: process.cwd(). */
+    cwd?: string;
+}
+/**
+ * Run an arbitrary shell command.
+ * Uses fastIdempotent profile — 5m timeout, 3 retries.
+ */
+export declare function shellCmd(args: ShellCmdArgs, signal?: AbortSignal): Promise<string>;
+//# sourceMappingURL=shell.d.ts.map

package/dist/op/activities/shell.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shell.d.ts","sourceRoot":"","sources":["../../../src/op/activities/shell.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,iDAAiD;IACjD,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;GAGG;AACH,wBAAsB,QAAQ,CAAC,IAAI,EAAE,YAAY,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAQxF"}

package/dist/op/activities/teardown.d.ts

@@ -0,0 +1,10 @@
+export interface ChantTeardownArgs {
+    /** Path to the chant project to tear down. */
+    path: string;
+}
+/**
+ * Run `chant teardown` in the given project path.
+ * Uses longInfra profile — 20m timeout.
+ */
+export declare function chantTeardown(args: ChantTeardownArgs, signal?: AbortSignal): Promise<void>;
+//# sourceMappingURL=teardown.d.ts.map

package/dist/op/activities/teardown.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"teardown.d.ts","sourceRoot":"","sources":["../../../src/op/activities/teardown.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,iBAAiB;IAChC,8CAA8C;IAC9C,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;GAGG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,iBAAiB,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAOhG"}

package/dist/op/activities/util.d.ts

@@ -0,0 +1,8 @@
+/** Shared helpers for activity implementations. */
+/**
+ * Sleep for `ms`, rejecting early if `signal` aborts. Polling activities use
+ * this between attempts so a local-executor timeout or Ctrl-C interrupts the
+ * wait instead of running it to completion.
+ */
+export declare function sleep(ms: number, signal?: AbortSignal): Promise<void>;
+//# sourceMappingURL=util.d.ts.map

package/dist/op/activities/util.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../../../src/op/activities/util.ts"],"names":[],"mappings":"AAAA,mDAAmD;AAEnD;;;;GAIG;AACH,wBAAgB,KAAK,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAgBrE"}

package/dist/op/activities/wait.d.ts

@@ -0,0 +1,16 @@
+export interface WaitForStackArgs {
+    /** Stack name — used to locate the kubectl deployment/statefulset to poll. */
+    name: string;
+    /** Kubernetes namespace. */
+    namespace?: string;
+    /** kubectl context. */
+    context?: string;
+    /** Poll interval in ms. Default: 10000. */
+    intervalMs?: number;
+}
+/**
+ * Poll until a Kubernetes Deployment or StatefulSet named `name` is fully rolled out.
+ * Uses k8sWait profile — 15m timeout, heartbeat every poll.
+ */
+export declare function waitForStack(args: WaitForStackArgs, signal?: AbortSignal): Promise<void>;
+//# sourceMappingURL=wait.d.ts.map

package/dist/op/activities/wait.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wait.d.ts","sourceRoot":"","sources":["../../../src/op/activities/wait.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,gBAAgB;IAC/B,8EAA8E;IAC9E,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uBAAuB;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,2CAA2C;IAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAAC,IAAI,EAAE,gBAAgB,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAmC9F"}

package/dist/op/activities/workflow-audit.d.ts

@@ -0,0 +1,92 @@
+/**
+ * workflowSupplyChainAudit — the live counterpart to the github post-synth
+ * supply-chain checks (#286-#291).
+ *
+ * Some workflow-reference checks can only be answered against a moving external
+ * truth: whether a pinned SHA still corresponds to a real tag/release upstream,
+ * whether a referenced commit exists in the repo it claims, whether a ref is
+ * confusable as both a tag and a branch, whether a pin matches its version
+ * comment, or whether a new advisory now covers an action already in use. These
+ * change over time independent of the source, so they cannot live in the
+ * deterministic build — this activity owns *only* the checks that require live
+ * resolution.
+ *
+ * It is dependency-free and primitives-only: it reads the emitted workflow YAML
+ * (passed as a string) and resolves references through an injectable
+ * `ActionRefResolver`, so Temporal/`chant run` can schedule it and tests can run
+ * it against recorded responses with no live network.
+ */
+/** What the audit produces on findings, mirroring ReconcileOp's modes. */
+export type WorkflowAuditMode = "report" | "issue" | "pull-request";
+/** Live resolution of a single action reference against its upstream. */
+export interface ActionRefResolution {
+    /** Does the ref/SHA exist in the claimed repo? */
+    exists: boolean;
+    /** Tag/release names that point at this commit (empty for a SHA ⇒ stale pin). */
+    tags: string[];
+    /** Is the upstream repository archived? */
+    archived: boolean;
+    /** Disclosed advisory identifiers affecting this action. */
+    advisories: string[];
+    /** Is the ref resolvable as BOTH a tag and a branch upstream? */
+    ambiguousRef?: boolean;
+}
+/** Pluggable upstream resolver — overridden in tests with recorded responses. */
+export type ActionRefResolver = (slug: string, ref: string) => Promise<ActionRefResolution>;
+export type WorkflowAuditFindingKind = "stale-pin" | "impostor" | "ambiguous-ref" | "pin-comment-mismatch" | "advisory" | "archived";
+export interface WorkflowAuditFinding {
+    /** owner/repo slug. */
+    slug: string;
+    /** The pinned ref/SHA. */
+    ref: string;
+    kind: WorkflowAuditFindingKind;
+    detail: string;
+}
+export interface WorkflowAuditArgs {
+    /** One emitted workflow YAML document. */
+    yaml?: string;
+    /** Several emitted workflow YAML documents. */
+    yamls?: string[];
+    /**
+     * Directory of emitted workflow files (`*.yml`/`*.yaml`) to read at run time
+     * when no `yaml`/`yamls` is given — the form used inside a scheduled Op.
+     * Default `.github/workflows`.
+     */
+    workflowsDir?: string;
+    /** What to produce. Default: report. */
+    mode?: WorkflowAuditMode;
+    /** Injectable upstream resolver. Defaults to the live GitHub REST resolver. */
+    resolver?: ActionRefResolver;
+}
+export interface WorkflowAuditResult {
+    mode: WorkflowAuditMode;
+    findings: WorkflowAuditFinding[];
+    /** Markdown summary used as the PR/issue body or printed in report mode. */
+    summary: string;
+}
+interface CollectedRef {
+    slug: string;
+    ref: string;
+    /** Adjacent `# vX.Y.Z` comment, when present. */
+    comment?: string;
+}
+/**
+ * Collect external action references (`uses: owner/repo@ref`, with an optional
+ * trailing version comment) from a workflow YAML. Local (`./`) and `docker://`
+ * references are excluded.
+ */
+export declare function collectAuditRefs(yaml: string): CollectedRef[];
+/**
+ * Default resolver: query the GitHub REST API for whether the ref exists, what
+ * tags point at it, archive status, and advisories. Best-effort and resilient —
+ * a network/HTTP error yields an "unknown" resolution (exists=true, no findings)
+ * rather than a false positive.
+ */
+export declare const defaultActionRefResolver: ActionRefResolver;
+/**
+ * Resolve each pinned external reference in the emitted workflows against live
+ * upstreams and report drift.
+ */
+export declare function workflowSupplyChainAudit(args: WorkflowAuditArgs): Promise<WorkflowAuditResult>;
+export {};
+//# sourceMappingURL=workflow-audit.d.ts.map

package/dist/op/activities/workflow-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workflow-audit.d.ts","sourceRoot":"","sources":["../../../src/op/activities/workflow-audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,0EAA0E;AAC1E,MAAM,MAAM,iBAAiB,GAAG,QAAQ,GAAG,OAAO,GAAG,cAAc,CAAC;AAEpE,yEAAyE;AACzE,MAAM,WAAW,mBAAmB;IAClC,kDAAkD;IAClD,MAAM,EAAE,OAAO,CAAC;IAChB,iFAAiF;IACjF,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,2CAA2C;IAC3C,QAAQ,EAAE,OAAO,CAAC;IAClB,4DAA4D;IAC5D,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,iEAAiE;IACjE,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED,iFAAiF;AACjF,MAAM,MAAM,iBAAiB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;AAE5F,MAAM,MAAM,wBAAwB,GAChC,WAAW,GACX,UAAU,GACV,eAAe,GACf,sBAAsB,GACtB,UAAU,GACV,UAAU,CAAC;AAEf,MAAM,WAAW,oBAAoB;IACnC,uBAAuB;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,wBAAwB,CAAC;IAC/B,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB;IAChC,0CAA0C;IAC1C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,+CAA+C;IAC/C,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,IAAI,CAAC,EAAE,iBAAiB,CAAC;IACzB,+EAA+E;IAC/E,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAcD,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,iBAAiB,CAAC;IACxB,QAAQ,EAAE,oBAAoB,EAAE,CAAC;IACjC,4EAA4E;IAC5E,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,UAAU,YAAY;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,iDAAiD;IACjD,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,YAAY,EAAE,CAQ7D;AAED;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,EAAE,iBA0BtC,CAAC;AAUF;;;GAGG;AACH,wBAAsB,wBAAwB,CAAC,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAwCpG"}

package/dist/op/serializer.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Op serializer — generates Temporal workflow, worker, and activities files
+ * for each Temporal::Op entity.
+ *
+ * For an Op named "alb-deploy" it emits three files under dist/ops/alb-deploy/:
+ *   workflow.ts   — the Temporal workflow function
+ *   activities.ts — re-exports from the pre-built activity library
+ *   worker.ts     — bootstrap worker that reads chant.config.ts
+ */
+import type { Declarable } from "@intentius/chant/declarable";
+/**
+ * Serialize a map of Temporal::Op entities into generated file content.
+ *
+ * Returns a map of relative output paths → file content.
+ * e.g. `{ "ops/alb-deploy/workflow.ts": "...", ... }`
+ *
+ * Throws if a `depends` reference names an Op that is not in the entity map.
+ */
+export declare function serializeOps(ops: Map<string, Declarable>): Record<string, string>;
+//# sourceMappingURL=serializer.d.ts.map

package/dist/op/serializer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"serializer.d.ts","sourceRoot":"","sources":["../../src/op/serializer.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAuT9D;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAkCjF"}

package/dist/plugin.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Temporal lexicon plugin — implements the LexiconPlugin lifecycle.
+ *
+ * All resources are hand-written; there is no remote spec to generate from.
+ * The generate step is a no-op. The package step builds dist/manifest.json
+ * and copies skill markdown files.
+ */
+import type { LexiconPlugin } from "@intentius/chant/lexicon";
+export declare const temporalPlugin: LexiconPlugin;
+//# sourceMappingURL=plugin.d.ts.map

package/dist/plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAK9D,eAAO,MAAM,cAAc,EAAE,aA6Q5B,CAAC"}

package/dist/resources.d.ts

@@ -0,0 +1,101 @@
+/**
+ * Temporal lexicon resources — hand-written Declarable constructors.
+ *
+ * These model the Temporal.io infrastructure concerns that chant serializes:
+ * server deployment configs, namespace provisioning scripts, search attribute
+ * registration, and SDK schedule creation code.
+ *
+ * All 4 resources are hand-written (no upstream spec to generate from).
+ *
+ * Reference: https://docs.temporal.io
+ */
+export declare const TemporalServer: new (props: Record<string, unknown>, attributes?: Record<string, unknown>) => import("packages/core/src").Declarable & Record<string, string>;
+export interface TemporalServerProps {
+    /** Temporal server version tag. Default: "1.26.2" */
+    version?: string;
+    /** Deployment mode. Default: "dev" */
+    mode?: "dev" | "full";
+    /** gRPC port. Default: 7233 */
+    port?: number;
+    /** Web UI port. Default: 8080 */
+    uiPort?: number;
+    /** PostgreSQL image tag for "full" mode. Default: "16-alpine" */
+    postgresVersion?: string;
+    /** Helm chart version hint — written as a comment in helm-values.yaml */
+    helmChartVersion?: string;
+}
+export declare const TemporalNamespace: new (props: Record<string, unknown>, attributes?: Record<string, unknown>) => import("packages/core/src").Declarable & Record<string, string>;
+export interface TemporalNamespaceProps {
+    /** Namespace name */
+    name: string;
+    /** Workflow execution retention period. Default: "7d" */
+    retention?: string;
+    /** Human-readable description */
+    description?: string;
+    /** Whether this is a global (multi-cluster) namespace */
+    isGlobalNamespace?: boolean;
+}
+export declare const SearchAttribute: new (props: Record<string, unknown>, attributes?: Record<string, unknown>) => import("packages/core/src").Declarable & Record<string, string>;
+export interface SearchAttributeProps {
+    /** Attribute name (PascalCase recommended by Temporal) */
+    name: string;
+    /** Attribute value type */
+    type: "Text" | "Keyword" | "Int" | "Double" | "Bool" | "Datetime" | "KeywordList";
+    /** Namespace to register in. If omitted, --namespace flag is not emitted */
+    namespace?: string;
+}
+export declare const TemporalSchedule: new (props: Record<string, unknown>, attributes?: Record<string, unknown>) => import("packages/core/src").Declarable & Record<string, string>;
+export interface TemporalScheduleProps {
+    /** Unique schedule identifier */
+    scheduleId: string;
+    /** Schedule timing specification */
+    spec: {
+        /** Cron expressions (e.g. "0 9 * * MON-FRI") */
+        cronExpressions?: string[];
+        /** Fixed intervals (e.g. { every: "1d" }) */
+        intervals?: Array<{
+            every: string;
+            offset?: string;
+        }>;
+    };
+    /** What workflow to start */
+    action: {
+        workflowType: string;
+        taskQueue: string;
+        args?: unknown[];
+        workflowExecutionTimeout?: string;
+        workflowRunTimeout?: string;
+        memo?: Record<string, unknown>;
+        searchAttributes?: Record<string, unknown>;
+        /**
+         * Retry policy for the triggered workflow execution.
+         * When set, the generated schedule script emits it as the schedule
+         * action's `retry` (Temporal `ScheduleOptions` action.retry).
+         */
+        workflowRetryPolicy?: {
+            /** Initial retry interval (e.g. "10s"). Default: Temporal server default (~1s). */
+            initialInterval?: string;
+            /** Backoff multiplier for each subsequent retry (e.g. 2). */
+            backoffCoefficient?: number;
+            /** 0 = unlimited retries; defaults to Temporal server default (unlimited). */
+            maximumAttempts?: number;
+            /** Cap on retry intervals (e.g. "5m"). */
+            maximumInterval?: string;
+            /** Error types that should NOT trigger a retry. */
+            nonRetryableErrorTypes?: string[];
+        };
+    };
+    policies?: {
+        overlap?: "Skip" | "BufferOne" | "BufferAll" | "CancelOther" | "TerminateOther" | "AllowAll";
+        catchupWindow?: string;
+        pauseOnFailure?: boolean;
+    };
+    /** Initial paused state */
+    state?: {
+        paused?: boolean;
+        note?: string;
+    };
+    /** Namespace to create schedule in. Default: process.env.TEMPORAL_NAMESPACE ?? "default" */
+    namespace?: string;
+}
+//# sourceMappingURL=resources.d.ts.map

package/dist/resources.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resources.d.ts","sourceRoot":"","sources":["../src/resources.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AASH,eAAO,MAAM,cAAc,+IAAqD,CAAC;AAEjF,MAAM,WAAW,mBAAmB;IAClC,qDAAqD;IACrD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,sCAAsC;IACtC,IAAI,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;IACtB,+BAA+B;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,iCAAiC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iEAAiE;IACjE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,yEAAyE;IACzE,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAKD,eAAO,MAAM,iBAAiB,+IAAwD,CAAC;AAEvF,MAAM,WAAW,sBAAsB;IACrC,qBAAqB;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iCAAiC;IACjC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yDAAyD;IACzD,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAKD,eAAO,MAAM,eAAe,+IAA8D,CAAC;AAE3F,MAAM,WAAW,oBAAoB;IACnC,0DAA0D;IAC1D,IAAI,EAAE,MAAM,CAAC;IACb,2BAA2B;IAC3B,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,GAAG,aAAa,CAAC;IAClF,4EAA4E;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAMD,eAAO,MAAM,gBAAgB,+IAAuD,CAAC;AAErF,MAAM,WAAW,qBAAqB;IACpC,iCAAiC;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,oCAAoC;IACpC,IAAI,EAAE;QACJ,gDAAgD;QAChD,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,6CAA6C;QAC7C,SAAS,CAAC,EAAE,KAAK,CAAC;YAAE,KAAK,EAAE,MAAM,CAAC;YAAC,MAAM,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KACvD,CAAC;IACF,6BAA6B;IAC7B,MAAM,EAAE;QACN,YAAY,EAAE,MAAM,CAAC;QACrB,SAAS,EAAE,MAAM,CAAC;QAClB,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC;QACjB,wBAAwB,CAAC,EAAE,MAAM,CAAC;QAClC,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC/B,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC3C;;;;WAIG;QACH,mBAAmB,CAAC,EAAE;YACpB,mFAAmF;YACnF,eAAe,CAAC,EAAE,MAAM,CAAC;YACzB,6DAA6D;YAC7D,kBAAkB,CAAC,EAAE,MAAM,CAAC;YAC5B,8EAA8E;YAC9E,eAAe,CAAC,EAAE,MAAM,CAAC;YACzB,0CAA0C;YAC1C,eAAe,CAAC,EAAE,MAAM,CAAC;YACzB,mDAAmD;YACnD,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;SACnC,CAAC;KACH,CAAC;IACF,QAAQ,CAAC,EAAE;QACT,OAAO,CAAC,EAAE,MAAM,GAAG,WAAW,GAAG,WAAW,GAAG,aAAa,GAAG,gBAAgB,GAAG,UAAU,CAAC;QAC7F,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,cAAc,CAAC,EAAE,OAAO,CAAC;KAC1B,CAAC;IACF,2BAA2B;IAC3B,KAAK,CAAC,EAAE;QACN,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC;IACF,4FAA4F;IAC5F,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB"}