npm - @lannguyensi/harness - Versions diffs - 0.25.1 → 0.26.0 - Mend

@lannguyensi/harness 0.25.1 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

package/CHANGELOG.md +30 -0
package/dist/cli/apply/apply.d.ts +11 -0
package/dist/cli/apply/apply.js +11 -0
package/dist/cli/apply/apply.js.map +1 -1
package/dist/cli/event-input.d.ts +28 -0
package/dist/cli/event-input.js +72 -0
package/dist/cli/event-input.js.map +1 -0
package/dist/cli/explain-action.d.ts +20 -0
package/dist/cli/explain-action.js +27 -0
package/dist/cli/explain-action.js.map +1 -0
package/dist/cli/index.js +76 -10
package/dist/cli/index.js.map +1 -1
package/dist/cli/init/interactive.js +10 -3
package/dist/cli/init/interactive.js.map +1 -1
package/dist/cli/pack/hook-branch-protection.js +1 -1
package/dist/cli/pack/hook-branch-protection.js.map +1 -1
package/dist/cli/pack/hook-codex-pre-tool-use.js +1 -1
package/dist/cli/pack/hook-codex-pre-tool-use.js.map +1 -1
package/dist/cli/pack/hook-post-tool-use.js +1 -1
package/dist/cli/pack/hook-post-tool-use.js.map +1 -1
package/dist/cli/pack/hook-pre-tool-use.d.ts +8 -0
package/dist/cli/pack/hook-pre-tool-use.js +3 -1
package/dist/cli/pack/hook-pre-tool-use.js.map +1 -1
package/dist/cli/pack/hook-track-active-claim.js +1 -1
package/dist/cli/pack/hook-track-active-claim.js.map +1 -1
package/dist/cli/{pack/pause-check.d.ts → pause-check.d.ts} +1 -1
package/dist/cli/{pack/pause-check.js → pause-check.js} +14 -11
package/dist/cli/pause-check.js.map +1 -0
package/dist/cli/policy/intercept.d.ts +5 -0
package/dist/cli/policy/intercept.js +21 -0
package/dist/cli/policy/intercept.js.map +1 -1
package/dist/cli/resolve-env.d.ts +32 -0
package/dist/cli/resolve-env.js +47 -0
package/dist/cli/resolve-env.js.map +1 -0
package/dist/cli/test-risk.d.ts +26 -0
package/dist/cli/test-risk.js +34 -0
package/dist/cli/test-risk.js.map +1 -0
package/dist/runtime/action-envelope.d.ts +64 -0
package/dist/runtime/action-envelope.js +46 -0
package/dist/runtime/action-envelope.js.map +1 -0
package/dist/runtime/environment-resolver.d.ts +36 -0
package/dist/runtime/environment-resolver.js +138 -0
package/dist/runtime/environment-resolver.js.map +1 -0
package/dist/runtime/home-dir.js +1 -1
package/dist/runtime/home-dir.js.map +1 -1
package/dist/runtime/index.d.ts +4 -0
package/dist/runtime/index.js +4 -0
package/dist/runtime/index.js.map +1 -1
package/dist/runtime/kube-context.d.ts +16 -0
package/dist/runtime/kube-context.js +63 -0
package/dist/runtime/kube-context.js.map +1 -0
package/dist/runtime/risk-classifier.d.ts +38 -0
package/dist/runtime/risk-classifier.js +121 -0
package/dist/runtime/risk-classifier.js.map +1 -0
package/dist/schema/environments.d.ts +215 -0
package/dist/schema/environments.js +101 -0
package/dist/schema/environments.js.map +1 -0
package/dist/schema/index.d.ts +408 -0
package/dist/schema/index.js +8 -0
package/dist/schema/index.js.map +1 -1
package/dist/schema/policies.d.ts +139 -0
package/dist/schema/policies.js +39 -0
package/dist/schema/policies.js.map +1 -1
package/dist/schema/risk.d.ts +131 -0
package/dist/schema/risk.js +87 -0
package/dist/schema/risk.js.map +1 -0
package/package.json +1 -1
package/dist/cli/pack/pause-check.js.map +0 -1

package/dist/runtime/environment-resolver.js ADDED Viewed

@@ -0,0 +1,138 @@
+// Phase 7 #4 — Context Resolver.
+//
+// Classifies an Action Envelope's target environment by matching the
+// manifest's `environments.resolvers[]` signals. The Risk Gate stage
+// that reads the `environments:` schema vocabulary shipped in
+// Phase 7 #1.
+//
+// STATUS: invoked by `harness resolve-env` (Phase 7 #4). NOT yet
+// consumed by `harness policy intercept` — wiring the runtime through
+// the resolver is Phase 7 #5. See docs/risk-gate.md and docs/ROADMAP.md.
+//
+// "Unknown is not safe": when no resolver matches, the environment is
+// `unknown` — not a safe default. The Phase 7 #5 policy evaluator must
+// treat `unknown` as risk-bearing. `MatchableEnvironmentSchema` already
+// admits `unknown` so a `policy.when.environment.name` clause can gate
+// on it.
+//
+// Design source: lava-ice-logs/2026-04-30/harness-risk-gate-extension.md
+// (design phase C).
+// Most-dangerous-wins precedence: when resolvers disagree, the earlier
+// entry here is the resolved environment. `unknown` is the implicit
+// fallback and is not a resolver-assertable value.
+const ENV_PRECEDENCE = [
+    "production",
+    "staging",
+    "dev",
+    "local",
+];
+/**
+ * Convert a `*`-glob to an anchored RegExp. Only `*` is special (the
+ * Phase 7 #1 signal patterns are simple, e.g. `main`, `release/*`); all
+ * other regex metacharacters are escaped literally.
+ */
+function globToRegExp(glob) {
+    const escaped = glob
+        .replace(/[.+^${}()|[\]\\?]/g, "\\$&")
+        .replace(/\*/g, ".*");
+    return new RegExp(`^${escaped}$`);
+}
+/**
+ * Match one resolver's signals against the envelope + ambient inputs.
+ * Signals are OR-ed: a resolver fires when ANY signal matches. Returns
+ * the matched signal descriptors (empty when the resolver did not fire).
+ *
+ * Per-signal-kind semantics: `branch_patterns` and
+ * `kube_namespace_patterns` are globs, `kube_context_patterns` are
+ * regexes, `env_var_patterns` are substrings of the variable's value.
+ */
+function matchResolver(resolver, envelope, inputs) {
+    const matched = [];
+    const sig = resolver.signals;
+    const branch = envelope.session.branch;
+    if (sig.branch_patterns !== undefined && branch !== "") {
+        for (const p of sig.branch_patterns) {
+            if (globToRegExp(p).test(branch)) {
+                matched.push(`branch:${branch} ~ ${p}`);
+            }
+        }
+    }
+    if (sig.env_var_patterns !== undefined) {
+        for (const evp of sig.env_var_patterns) {
+            const value = inputs.env[evp.var];
+            if (typeof value !== "string")
+                continue;
+            for (const p of evp.patterns) {
+                if (value.includes(p)) {
+                    matched.push(`env:${evp.var} contains "${p}"`);
+                }
+            }
+        }
+    }
+    if (sig.kube_context_patterns !== undefined && inputs.kubeContext !== "") {
+        for (const p of sig.kube_context_patterns) {
+            let re;
+            try {
+                re = new RegExp(p);
+            }
+            catch {
+                continue;
+            }
+            if (re.test(inputs.kubeContext)) {
+                matched.push(`kube-context:${inputs.kubeContext} ~ /${p}/`);
+            }
+        }
+    }
+    if (sig.kube_namespace_patterns !== undefined &&
+        inputs.kubeNamespace !== "") {
+        for (const p of sig.kube_namespace_patterns) {
+            if (globToRegExp(p).test(inputs.kubeNamespace)) {
+                matched.push(`kube-namespace:${inputs.kubeNamespace} ~ ${p}`);
+            }
+        }
+    }
+    return matched;
+}
+/**
+ * Resolve the target environment of an Action Envelope.
+ *
+ * Pure: envelope + resolvers + ambient inputs in, resolution out, no
+ * I/O. When resolvers disagree, the most-dangerous environment wins
+ * (`ENV_PRECEDENCE`). Signals from every fired resolver that asserts the
+ * winning environment are unioned for explainability. When nothing
+ * matches, the result is `unknown` — deliberately not a safe default.
+ */
+export function resolveEnvironment(envelope, resolvers, inputs) {
+    const fired = [];
+    for (const resolver of resolvers) {
+        const signals = matchResolver(resolver, envelope, inputs);
+        if (signals.length > 0)
+            fired.push({ resolver, signals });
+    }
+    if (fired.length === 0) {
+        return { name: "unknown", confidence: "low", signals: [], resolver: null };
+    }
+    let best = fired[0];
+    for (const f of fired) {
+        if (ENV_PRECEDENCE.indexOf(f.resolver.environment) <
+            ENV_PRECEDENCE.indexOf(best.resolver.environment)) {
+            best = f;
+        }
+    }
+    // Union the signals of every fired resolver that asserts the winning
+    // environment, so the explanation is complete when several resolvers
+    // agree. `resolver` names the highest-precedence (first-found) one.
+    const winningEnv = best.resolver.environment;
+    const signals = [
+        ...new Set(fired
+            .filter((f) => f.resolver.environment === winningEnv)
+            .flatMap((f) => f.signals)),
+    ].sort();
+    return {
+        name: winningEnv,
+        confidence: signals.length >= 2 ? "high" : "medium",
+        signals,
+        resolver: best.resolver.name,
+    };
+}
+//# sourceMappingURL=environment-resolver.js.map

package/dist/runtime/environment-resolver.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"environment-resolver.js","sourceRoot":"","sources":["../../src/runtime/environment-resolver.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,EAAE;AACF,qEAAqE;AACrE,qEAAqE;AACrE,8DAA8D;AAC9D,cAAc;AACd,EAAE;AACF,iEAAiE;AACjE,sEAAsE;AACtE,yEAAyE;AACzE,EAAE;AACF,sEAAsE;AACtE,uEAAuE;AACvE,wEAAwE;AACxE,uEAAuE;AACvE,SAAS;AACT,EAAE;AACF,yEAAyE;AACzE,oBAAoB;AAmCpB,uEAAuE;AACvE,oEAAoE;AACpE,mDAAmD;AACnD,MAAM,cAAc,GAAoC;IACtD,YAAY;IACZ,SAAS;IACT,KAAK;IACL,OAAO;CACR,CAAC;AAEF;;;;GAIG;AACH,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,OAAO,GAAG,IAAI;SACjB,OAAO,CAAC,oBAAoB,EAAE,MAAM,CAAC;SACrC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACxB,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC;AACpC,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,aAAa,CACpB,QAA6B,EAC7B,QAAwB,EACxB,MAAoB;IAEpB,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC;IAE7B,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC;IACvC,IAAI,GAAG,CAAC,eAAe,KAAK,SAAS,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,eAAe,EAAE,CAAC;YACpC,IAAI,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,OAAO,CAAC,IAAI,CAAC,UAAU,MAAM,MAAM,CAAC,EAAE,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACvC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,gBAAgB,EAAE,CAAC;YACvC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,OAAO,KAAK,KAAK,QAAQ;gBAAE,SAAS;YACxC,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;gBAC7B,IAAI,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;oBACtB,OAAO,CAAC,IAAI,CAAC,OAAO,GAAG,CAAC,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,qBAAqB,KAAK,SAAS,IAAI,MAAM,CAAC,WAAW,KAAK,EAAE,EAAE,CAAC;QACzE,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,qBAAqB,EAAE,CAAC;YAC1C,IAAI,EAAU,CAAC;YACf,IAAI,CAAC;gBACH,EAAE,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC;YACrB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,IAAI,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;gBAChC,OAAO,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,WAAW,OAAO,CAAC,GAAG,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IACE,GAAG,CAAC,uBAAuB,KAAK,SAAS;QACzC,MAAM,CAAC,aAAa,KAAK,EAAE,EAC3B,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,uBAAuB,EAAE,CAAC;YAC5C,IAAI,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC/C,OAAO,CAAC,IAAI,CAAC,kBAAkB,MAAM,CAAC,aAAa,MAAM,CAAC,EAAE,CAAC,CAAC;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAwB,EACxB,SAAyC,EACzC,MAAoB;IAEpB,MAAM,KAAK,GAAgE,EAAE,CAAC;IAC9E,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,aAAa,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC7E,CAAC;IAED,IAAI,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;IACrB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IACE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC9C,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EACjD,CAAC;YACD,IAAI,GAAG,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,qEAAqE;IACrE,oEAAoE;IACpE,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;IAC7C,MAAM,OAAO,GAAG;QACd,GAAG,IAAI,GAAG,CACR,KAAK;aACF,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,KAAK,UAAU,CAAC;aACpD,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAC7B;KACF,CAAC,IAAI,EAAE,CAAC;IAET,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;QACnD,OAAO;QACP,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;KAC7B,CAAC;AACJ,CAAC"}

package/dist/runtime/home-dir.js CHANGED Viewed

@@ -63,7 +63,7 @@ export function resolveHomeDir(opts = {}) {
     if (legacyHasHarnessState(legacyPath)) {
         if (!warnedLegacy) {
             const stderr = opts.stderr ?? process.stderr;
-            stderr.write(`harness: state still under legacy ${legacyPath}/; run \`harness migrate-home\` to move it to ${newPath}/. The legacy fallback is removed in v0.25.0.\n`);
+            stderr.write(`harness: state still under legacy ${legacyPath}/; run \`harness migrate-home\` to move it to ${newPath}/. The legacy fallback will be removed in a future release.\n`);
             warnedLegacy = true;
         }
         return { path: legacyPath, source: "legacy" };

package/dist/runtime/home-dir.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"home-dir.js","sourceRoot":"","sources":["../../src/runtime/home-dir.ts"],"names":[],"mappings":"AAAA,6CAA6C;AAC7C,EAAE;AACF,kEAAkE;AAClE,gEAAgE;AAChE,+DAA+D;AAC/D,gEAAgE;AAChE,+DAA+D;AAC/D,+DAA+D;AAC/D,oBAAoB;AACpB,EAAE;AACF,yBAAyB;AACzB,qEAAqE;AACrE,mDAAmD;AACnD,2CAA2C;AAC3C,oEAAoE;AACpE,kEAAkE;AAClE,yDAAyD;AACzD,wDAAwD;AACxD,EAAE;AACF,uEAAuE;AACvE,qEAAqE;AACrE,oEAAoE;AACpE,qEAAqE;AACrE,aAAa;AACb,EAAE;AACF,oEAAoE;AACpE,0DAA0D;AAC1D,+DAA+D;AAC/D,iEAAiE;AACjE,iEAAiE;AACjE,mCAAmC;AAEnC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,MAAM,CAAC,MAAM,oBAAoB,GAAG,UAAU,CAAC;AAC/C,MAAM,CAAC,MAAM,2BAA2B,GAAG,SAAS,CAAC;AACrD,MAAM,CAAC,MAAM,gBAAgB,GAAG,cAAc,CAAC;AAE/C;;;;;GAKG;AACH,IAAI,YAAY,GAAG,KAAK,CAAC;AAiCzB,MAAM,UAAU,cAAc,CAAC,OAA8B,EAAE;IAC7D,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC/C,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAC3C,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC;IAC/C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,2BAA2B,CAAC,CAAC;IAEpE,IAAI,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAC1C,CAAC;IAED,iEAAiE;IACjE,+DAA+D;IAC/D,mEAAmE;IACnE,iDAAiD;IACjD,IAAI,qBAAqB,CAAC,UAAU,CAAC,EAAE,CAAC;QACtC,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;YAC7C,MAAM,CAAC,KAAK,CACV,qCAAqC,UAAU,iDAAiD,OAAO,~~iDAAiD~~,~~CACzJ,~~CAAC;YACF,YAAY,GAAG,IAAI,CAAC;QACtB,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IAChD,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;AAClD,CAAC;AAED,SAAS,SAAS,CAAC,CAAS;IAC1B,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,UAAkB;IAC/C,kEAAkE;IAClE,gEAAgE;IAChE,mEAAmE;IACnE,6DAA6D;IAC7D,IAAI,CAAC;QACH,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACtE,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,mBAAmB,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7E,CAAC;IAAC,MAAM,CAAC;QACP,2BAA2B;IAC7B,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,2BAA2B;IACzC,YAAY,GAAG,KAAK,CAAC;AACvB,CAAC"}
1	+ {"version":3,"file":"home-dir.js","sourceRoot":"","sources":["../../src/runtime/home-dir.ts"],"names":[],"mappings":"AAAA,6CAA6C;AAC7C,EAAE;AACF,kEAAkE;AAClE,gEAAgE;AAChE,+DAA+D;AAC/D,gEAAgE;AAChE,+DAA+D;AAC/D,+DAA+D;AAC/D,oBAAoB;AACpB,EAAE;AACF,yBAAyB;AACzB,qEAAqE;AACrE,mDAAmD;AACnD,2CAA2C;AAC3C,oEAAoE;AACpE,kEAAkE;AAClE,yDAAyD;AACzD,wDAAwD;AACxD,EAAE;AACF,uEAAuE;AACvE,qEAAqE;AACrE,oEAAoE;AACpE,qEAAqE;AACrE,aAAa;AACb,EAAE;AACF,oEAAoE;AACpE,0DAA0D;AAC1D,+DAA+D;AAC/D,iEAAiE;AACjE,iEAAiE;AACjE,mCAAmC;AAEnC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,MAAM,CAAC,MAAM,oBAAoB,GAAG,UAAU,CAAC;AAC/C,MAAM,CAAC,MAAM,2BAA2B,GAAG,SAAS,CAAC;AACrD,MAAM,CAAC,MAAM,gBAAgB,GAAG,cAAc,CAAC;AAE/C;;;;;GAKG;AACH,IAAI,YAAY,GAAG,KAAK,CAAC;AAiCzB,MAAM,UAAU,cAAc,CAAC,OAA8B,EAAE;IAC7D,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC/C,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAC3C,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC;IAC/C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,2BAA2B,CAAC,CAAC;IAEpE,IAAI,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAC1C,CAAC;IAED,iEAAiE;IACjE,+DAA+D;IAC/D,mEAAmE;IACnE,iDAAiD;IACjD,IAAI,qBAAqB,CAAC,UAAU,CAAC,EAAE,CAAC;QACtC,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;YAC7C,MAAM,CAAC,KAAK,CACV,qCAAqC,UAAU,iDAAiD,OAAO,+DAA+D,CACvK,CAAC;YACF,YAAY,GAAG,IAAI,CAAC;QACtB,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IAChD,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;AAClD,CAAC;AAED,SAAS,SAAS,CAAC,CAAS;IAC1B,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,UAAkB;IAC/C,kEAAkE;IAClE,gEAAgE;IAChE,mEAAmE;IACnE,6DAA6D;IAC7D,IAAI,CAAC;QACH,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACtE,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,mBAAmB,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7E,CAAC;IAAC,MAAM,CAAC;QACP,2BAA2B;IAC7B,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,2BAA2B;IACzC,YAAY,GAAG,KAAK,CAAC;AACvB,CAAC"}

package/dist/runtime/index.d.ts CHANGED Viewed

@@ -3,4 +3,8 @@ export { recordPolicyDecision, payloadFromDecision, encodeLedgerContent, decodeL
 export { resolveSessionId } from "./session-id.js";
 export { buildAgentFacingBlock, formatAgentFacingMessage, renderAgentFacing, type AgentFacingBlock, } from "./agent-facing.js";
 export { resolveGitContext, type GitRepoContext } from "./git-context.js";
+export { buildActionEnvelope, type ActionEnvelope, type ActionEnvelopeRuntime, type ActionEnvelopeSession, type EnvelopeContext, } from "./action-envelope.js";
+export { classifyRisk, type RiskConfidence, type RiskProfile, } from "./risk-classifier.js";
+export { resolveKubeContext, type KubeContext, type ResolveKubeContextOptions, } from "./kube-context.js";
+export { resolveEnvironment, type EnvironmentConfidence, type EnvironmentResolution, type SignalInputs, } from "./environment-resolver.js";
 export { addLedgerFact, type AddLedgerFactOptions, type AddLedgerFactResult, } from "./ledger-add.js";

package/dist/runtime/index.js CHANGED Viewed

@@ -3,5 +3,9 @@ export { recordPolicyDecision, payloadFromDecision, encodeLedgerContent, decodeL
 export { resolveSessionId } from "./session-id.js";
 export { buildAgentFacingBlock, formatAgentFacingMessage, renderAgentFacing, } from "./agent-facing.js";
 export { resolveGitContext } from "./git-context.js";
+export { buildActionEnvelope, } from "./action-envelope.js";
+export { classifyRisk, } from "./risk-classifier.js";
+export { resolveKubeContext, } from "./kube-context.js";
+export { resolveEnvironment, } from "./environment-resolver.js";
 export { addLedgerFact, } from "./ledger-add.js";
 //# sourceMappingURL=index.js.map

package/dist/runtime/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAQV,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,GAGhB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,GAElB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,iBAAiB,EAAuB,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EACL,aAAa,GAGd,MAAM,iBAAiB,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAQV,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,GAGhB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,GAElB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,iBAAiB,EAAuB,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EACL,mBAAmB,GAKpB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,YAAY,GAGb,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,kBAAkB,GAGnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,kBAAkB,GAInB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,aAAa,GAGd,MAAM,iBAAiB,CAAC"}

package/dist/runtime/kube-context.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+export interface KubeContext {
+    /** Current context name, or "" when unresolved. */
+    context: string;
+    /** Namespace of the current context, or "" when unresolved. */
+    namespace: string;
+}
+export interface ResolveKubeContextOptions {
+    /** Override the kubeconfig path (tests). Defaults to `~/.kube/config`. */
+    kubeconfigPath?: string;
+}
+/**
+ * Resolve `{ context, namespace }` from `~/.kube/config`. Returns empty
+ * strings when the file is absent, unparseable, or declares no
+ * `current-context`.
+ */
+export declare function resolveKubeContext(opts?: ResolveKubeContextOptions): KubeContext;

package/dist/runtime/kube-context.js ADDED Viewed

@@ -0,0 +1,63 @@
+// Resolves the current Kubernetes context + namespace from the
+// standard `~/.kube/config`, for the Phase 7 #4 Context Resolver's
+// `kube_context_patterns` / `kube_namespace_patterns` signals.
+//
+// Like `git-context.ts`, this is a deliberate filesystem approximation:
+// it reads `~/.kube/config` directly and does NOT consult `$KUBECONFIG`
+// file lists or in-cluster service-account state. For classifying a
+// target environment those exotic setups are out of the MVP's scope.
+// Every failure path returns empty strings, never throws — callers
+// treat "" as "unknown".
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { parse as parseYaml } from "yaml";
+const EMPTY = { context: "", namespace: "" };
+/**
+ * Resolve `{ context, namespace }` from `~/.kube/config`. Returns empty
+ * strings when the file is absent, unparseable, or declares no
+ * `current-context`.
+ */
+export function resolveKubeContext(opts = {}) {
+    const configPath = opts.kubeconfigPath ?? path.join(os.homedir(), ".kube", "config");
+    let raw;
+    try {
+        raw = fs.readFileSync(configPath, "utf8");
+    }
+    catch {
+        return EMPTY;
+    }
+    let doc;
+    try {
+        doc = parseYaml(raw);
+    }
+    catch {
+        return EMPTY;
+    }
+    if (typeof doc !== "object" || doc === null)
+        return EMPTY;
+    const config = doc;
+    const context = typeof config["current-context"] === "string"
+        ? config["current-context"]
+        : "";
+    if (context === "")
+        return EMPTY;
+    let namespace = "";
+    if (Array.isArray(config.contexts)) {
+        for (const entry of config.contexts) {
+            if (typeof entry !== "object" || entry === null)
+                continue;
+            const e = entry;
+            if (e.name !== context)
+                continue;
+            if (typeof e.context === "object" && e.context !== null) {
+                const ns = e.context.namespace;
+                if (typeof ns === "string")
+                    namespace = ns;
+            }
+            break;
+        }
+    }
+    return { context, namespace };
+}
+//# sourceMappingURL=kube-context.js.map

package/dist/runtime/kube-context.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"kube-context.js","sourceRoot":"","sources":["../../src/runtime/kube-context.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,mEAAmE;AACnE,+DAA+D;AAC/D,EAAE;AACF,wEAAwE;AACxE,wEAAwE;AACxE,oEAAoE;AACpE,qEAAqE;AACrE,mEAAmE;AACnE,yBAAyB;AAEzB,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAS1C,MAAM,KAAK,GAAgB,EAAE,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;AAO1D;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAkC,EAAE;IAEpC,MAAM,UAAU,GACd,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAEpE,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAE1D,MAAM,MAAM,GAAG,GAA0D,CAAC;IAC1E,MAAM,OAAO,GACX,OAAO,MAAM,CAAC,iBAAiB,CAAC,KAAK,QAAQ;QAC3C,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC;QAC3B,CAAC,CAAC,EAAE,CAAC;IACT,IAAI,OAAO,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAEjC,IAAI,SAAS,GAAG,EAAE,CAAC;IACnB,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;gBAAE,SAAS;YAC1D,MAAM,CAAC,GAAG,KAA8C,CAAC;YACzD,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO;gBAAE,SAAS;YACjC,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,IAAI,CAAC,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;gBACxD,MAAM,EAAE,GAAI,CAAC,CAAC,OAAmC,CAAC,SAAS,CAAC;gBAC5D,IAAI,OAAO,EAAE,KAAK,QAAQ;oBAAE,SAAS,GAAG,EAAE,CAAC;YAC7C,CAAC;YACD,MAAM;QACR,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAChC,CAAC"}

package/dist/runtime/risk-classifier.d.ts ADDED Viewed

@@ -0,0 +1,38 @@
+import type { RiskCategory, RiskClassifier, RiskSeverity } from "../schema/index.js";
+import type { ActionEnvelope } from "./action-envelope.js";
+export type RiskConfidence = "high" | "low";
+export interface RiskProfile {
+    /** Did any classifier pattern match the action? */
+    classified: boolean;
+    /**
+     * Highest matched severity, or `null` when unclassified. `null` is
+     * NOT "low" — see the module header on "unknown is not safe".
+     */
+    severity: RiskSeverity | null;
+    /** Union of every matched pattern's categories, sorted and deduplicated. */
+    categories: RiskCategory[];
+    /**
+     * `false` when a matched category marks the action irreversible,
+     * `true` when classified and nothing marks it irreversible, `null`
+     * when unclassified (reversibility is unknown, not assumed).
+     */
+    reversible: boolean | null;
+    /**
+     * `high` for any deterministic rule match, `low` when unclassified.
+     * A regex classifier has no real probability; the field is a
+     * placeholder for the v2 LLM-assisted classifier, where a graded
+     * confidence becomes meaningful.
+     */
+    confidence: RiskConfidence;
+    /** One human-readable line per matched pattern, or the no-match note. */
+    reasons: string[];
+}
+/**
+ * Classify an Action Envelope against the manifest's risk classifiers.
+ *
+ * Pure: envelope + classifiers in, profile out, no I/O. Multiple
+ * matching patterns compose — highest severity wins, categories union,
+ * one `reasons` line per hit. An envelope no pattern matches yields the
+ * honest unclassified profile (`classified: false`, `severity: null`).
+ */
+export declare function classifyRisk(envelope: ActionEnvelope, classifiers: readonly RiskClassifier[]): RiskProfile;

package/dist/runtime/risk-classifier.js ADDED Viewed

@@ -0,0 +1,121 @@
+// Phase 7 #3 — Risk Classifier.
+//
+// Assigns an Action Envelope a risk profile by regex-matching the
+// manifest's `risk.classifiers[]` against the action. The first Risk
+// Gate stage that reads the `risk:` schema vocabulary shipped in
+// Phase 7 #1.
+//
+// STATUS: invoked by `harness test-risk` (Phase 7 #3). NOT yet consumed
+// by `harness policy intercept` — wiring the runtime through the
+// classifier is Phase 7 #5. See docs/risk-gate.md and docs/ROADMAP.md.
+//
+// "Unknown is not safe": an envelope no pattern matches yields a
+// profile with `classified: false` and `severity: null`, deliberately
+// NOT a low/zero-risk profile. The Phase 7 #5 policy evaluator must
+// treat an unclassified action as risk-bearing rather than allow it by
+// default; this module's job is only to report the unclassified state
+// honestly.
+//
+// Design source: lava-ice-logs/2026-04-30/harness-risk-gate-extension.md
+// (design phase B).
+import { RiskSeveritySchema } from "../schema/index.js";
+import { expandToolNameAliases, extractShellCommand } from "./tool-name-aliases.js";
+// Ordered severity scale: a value's index here is the comparison key
+// for "highest matched severity wins". Sourced from the schema enum so
+// a future reordering there flows through unchanged.
+const SEVERITY_ORDER = RiskSeveritySchema.options;
+// Categories that mean the action does not cleanly undo itself. When a
+// matched pattern carries any of these the profile is `reversible:
+// false`. `destructive` and `data_loss` are included alongside the
+// explicit `irreversible_action`: a regex classifier cannot prove an
+// action is safely undoable, and the Risk Gate exists to err toward
+// caution. A genuinely destructive-but-reversible action simply should
+// not be tagged `destructive` by its classifier author.
+const IRREVERSIBLE_CATEGORIES = new Set(["irreversible_action", "data_loss", "destructive"]);
+/**
+ * The string a classifier's patterns are regex-matched against. For a
+ * shell-class tool (or any tool whose input carries a `command` / `cmd`
+ * field) it is that command. For other tools it is the serialized raw
+ * input — blunt, but it keeps non-shell classifiers usable in the MVP.
+ */
+function subjectFor(envelope) {
+    const command = extractShellCommand({ raw_input: envelope.raw_input });
+    if (command !== null)
+        return command;
+    const raw = envelope.raw_input;
+    if (raw === null || raw === undefined)
+        return "";
+    if (typeof raw === "string")
+        return raw;
+    try {
+        return JSON.stringify(raw);
+    }
+    catch {
+        return "";
+    }
+}
+/** A classifier applies when its `tool` is an alias of the envelope's tool. */
+function classifierApplies(classifier, envelope) {
+    return expandToolNameAliases(envelope.tool).includes(classifier.tool);
+}
+/**
+ * Classify an Action Envelope against the manifest's risk classifiers.
+ *
+ * Pure: envelope + classifiers in, profile out, no I/O. Multiple
+ * matching patterns compose — highest severity wins, categories union,
+ * one `reasons` line per hit. An envelope no pattern matches yields the
+ * honest unclassified profile (`classified: false`, `severity: null`).
+ */
+export function classifyRisk(envelope, classifiers) {
+    const applicable = classifiers.filter((c) => classifierApplies(c, envelope));
+    const subject = subjectFor(envelope);
+    const categories = new Set();
+    const reasons = [];
+    let severityIdx = -1;
+    for (const classifier of applicable) {
+        for (const pat of classifier.patterns) {
+            let re;
+            try {
+                re = new RegExp(pat.pattern);
+            }
+            catch {
+                // The schema regex-validates patterns at parse time; this guard
+                // only covers a manifest that bypassed `harness validate`.
+                continue;
+            }
+            if (!re.test(subject))
+                continue;
+            for (const cat of pat.categories)
+                categories.add(cat);
+            const idx = SEVERITY_ORDER.indexOf(pat.severity);
+            if (idx > severityIdx)
+                severityIdx = idx;
+            reasons.push(`classifier "${classifier.name}" pattern /${pat.pattern}/ matched: ` +
+                `severity ${pat.severity}, categories [${pat.categories.join(", ")}]`);
+        }
+    }
+    if (severityIdx === -1) {
+        return {
+            classified: false,
+            severity: null,
+            categories: [],
+            reversible: null,
+            confidence: "low",
+            reasons: [
+                applicable.length === 0
+                    ? `no risk classifier is declared for tool "${envelope.tool}"`
+                    : `no classifier pattern matched the action for tool "${envelope.tool}"`,
+            ],
+        };
+    }
+    const sortedCategories = [...categories].sort();
+    return {
+        classified: true,
+        severity: SEVERITY_ORDER[severityIdx],
+        categories: sortedCategories,
+        reversible: !sortedCategories.some((c) => IRREVERSIBLE_CATEGORIES.has(c)),
+        confidence: "high",
+        reasons,
+    };
+}
+//# sourceMappingURL=risk-classifier.js.map

package/dist/runtime/risk-classifier.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"risk-classifier.js","sourceRoot":"","sources":["../../src/runtime/risk-classifier.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,EAAE;AACF,kEAAkE;AAClE,qEAAqE;AACrE,iEAAiE;AACjE,cAAc;AACd,EAAE;AACF,wEAAwE;AACxE,iEAAiE;AACjE,uEAAuE;AACvE,EAAE;AACF,iEAAiE;AACjE,sEAAsE;AACtE,oEAAoE;AACpE,uEAAuE;AACvE,sEAAsE;AACtE,YAAY;AACZ,EAAE;AACF,yEAAyE;AACzE,oBAAoB;AAOpB,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAEpF,qEAAqE;AACrE,uEAAuE;AACvE,qDAAqD;AACrD,MAAM,cAAc,GAA4B,kBAAkB,CAAC,OAAO,CAAC;AAE3E,uEAAuE;AACvE,mEAAmE;AACnE,mEAAmE;AACnE,qEAAqE;AACrE,oEAAoE;AACpE,uEAAuE;AACvE,wDAAwD;AACxD,MAAM,uBAAuB,GAA8B,IAAI,GAAG,CAChE,CAAC,qBAAqB,EAAE,WAAW,EAAE,aAAa,CAAC,CACpD,CAAC;AA+BF;;;;;GAKG;AACH,SAAS,UAAU,CAAC,QAAwB;IAC1C,MAAM,OAAO,GAAG,mBAAmB,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;IACvE,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,OAAO,CAAC;IACrC,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC;IAC/B,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACjD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACxC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,SAAS,iBAAiB,CACxB,UAA0B,EAC1B,QAAwB;IAExB,OAAO,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;AACxE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,QAAwB,EACxB,WAAsC;IAEtC,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAErC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAgB,CAAC;IAC3C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,WAAW,GAAG,CAAC,CAAC,CAAC;IAErB,KAAK,MAAM,UAAU,IAAI,UAAU,EAAE,CAAC;QACpC,KAAK,MAAM,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YACtC,IAAI,EAAU,CAAC;YACf,IAAI,CAAC;gBACH,EAAE,GAAG,IAAI,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,2DAA2D;gBAC3D,SAAS;YACX,CAAC;YACD,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,SAAS;YAChC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU;gBAAE,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACjD,IAAI,GAAG,GAAG,WAAW;gBAAE,WAAW,GAAG,GAAG,CAAC;YACzC,OAAO,CAAC,IAAI,CACV,eAAe,UAAU,CAAC,IAAI,cAAc,GAAG,CAAC,OAAO,aAAa;gBAClE,YAAY,GAAG,CAAC,QAAQ,iBAAiB,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACxE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,EAAE;YACd,UAAU,EAAE,IAAI;YAChB,UAAU,EAAE,KAAK;YACjB,OAAO,EAAE;gBACP,UAAU,CAAC,MAAM,KAAK,CAAC;oBACrB,CAAC,CAAC,4CAA4C,QAAQ,CAAC,IAAI,GAAG;oBAC9D,CAAC,CAAC,sDAAsD,QAAQ,CAAC,IAAI,GAAG;aAC3E;SACF,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;IAChD,OAAO;QACL,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,cAAc,CAAC,WAAW,CAAE;QACtC,UAAU,EAAE,gBAAgB;QAC5B,UAAU,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACzE,UAAU,EAAE,MAAM;QAClB,OAAO;KACR,CAAC;AACJ,CAAC"}