@lcv-ideas-software/cross-review 4.0.0

package/dist/src/core/cache-manifest.js

@@ -0,0 +1,133 @@
+// v2.21.0 (caching): per-session cache manifest persistence.
+//
+// Path: ${data_dir}/sessions/${session_id}/cache_manifest.json
+//
+// Atomic write pattern mirrors session-store.ts writeJson: tmp file via
+// `flag: "wx"` + crypto-random nonce + retry-on-Windows-EPERM. The
+// manifest is APPEND-ONLY at the entry level — every peer call adds one
+// row. Readers (dashboard, reports, FinOps) snapshot the file; the
+// runtime never deletes rows from it.
+//
+// Concurrency: appends within the same process are serialized via a
+// short re-read + write cycle. Cross-process appends on the same
+// session are NOT supported (same as the rest of session-store.ts —
+// SECURITY.md documents single-process-per-data-dir).
+import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+export const CACHE_SCHEMA_VERSION_DEFAULT = "v1";
+const MANIFEST_FILENAME = "cache_manifest.json";
+const ATOMIC_WRITE_RETRY_CODES = new Set(["EPERM", "EACCES", "EBUSY", "EEXIST"]);
+const ATOMIC_WRITE_MAX_ATTEMPTS = 5;
+const TMP_NONCE_BYTES = 2;
+function manifestPath(dataDir, sessionId) {
+    return path.resolve(dataDir, "sessions", sessionId, MANIFEST_FILENAME);
+}
+function writeJsonAtomic(file, data) {
+    fs.mkdirSync(path.dirname(file), { recursive: true });
+    const nonce = crypto.randomBytes(TMP_NONCE_BYTES).toString("hex");
+    const tmp = `${file}.${process.pid}.${Date.now()}.${nonce}.tmp`;
+    fs.writeFileSync(tmp, `${JSON.stringify(data, null, 2)}\n`, "utf8");
+    let lastErr = null;
+    for (let attempt = 0; attempt < ATOMIC_WRITE_MAX_ATTEMPTS; attempt += 1) {
+        try {
+            fs.renameSync(tmp, file);
+            return;
+        }
+        catch (err) {
+            lastErr = err;
+            const code = err.code;
+            if (!code || !ATOMIC_WRITE_RETRY_CODES.has(code))
+                break;
+            const wait = 10 * 2 ** attempt;
+            const start = Date.now();
+            while (Date.now() - start < wait) {
+                /* spin */
+            }
+        }
+    }
+    try {
+        fs.unlinkSync(tmp);
+    }
+    catch {
+        /* ignore */
+    }
+    throw lastErr;
+}
+/**
+ * Read the manifest from disk. Returns null when the file is absent
+ * (most sessions never emit cache telemetry, so the manifest is
+ * lazily created on first append).
+ */
+export function readCacheManifest(dataDir, sessionId) {
+    const file = manifestPath(dataDir, sessionId);
+    if (!fs.existsSync(file))
+        return null;
+    try {
+        const raw = fs.readFileSync(file, "utf8");
+        const parsed = JSON.parse(raw);
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Write a complete manifest, replacing any existing file. Mostly used
+ * by tests; production callers should append entries via
+ * appendCacheManifestEntry.
+ */
+export function writeCacheManifest(dataDir, sessionId, manifest) {
+    writeJsonAtomic(manifestPath(dataDir, sessionId), manifest);
+}
+/**
+ * Append a single entry to the session manifest. Lazily creates the
+ * manifest if it does not exist. Each call performs (a) read-current,
+ * (b) push entry, (c) atomic-write. This is sequential within a
+ * process; concurrent calls in the same process must be awaited in
+ * order by the caller.
+ */
+export function appendCacheManifestEntry(dataDir, sessionId, entry, cacheSchemaVersion = CACHE_SCHEMA_VERSION_DEFAULT) {
+    const file = manifestPath(dataDir, sessionId);
+    const nowIso = new Date().toISOString();
+    let current;
+    if (fs.existsSync(file)) {
+        try {
+            const raw = fs.readFileSync(file, "utf8");
+            current = JSON.parse(raw);
+        }
+        catch {
+            // Corrupted manifest: rebuild from scratch with this entry as
+            // the sole row. Old contents are best-effort backed up next to
+            // the file with a `.corrupt-<ts>` suffix so an operator can
+            // forensically inspect.
+            const corrupt = `${file}.corrupt-${Date.now()}`;
+            try {
+                fs.renameSync(file, corrupt);
+            }
+            catch {
+                /* ignore */
+            }
+            current = {
+                session_id: sessionId,
+                cache_schema_version: cacheSchemaVersion,
+                created_at: nowIso,
+                updated_at: nowIso,
+                entries: [],
+            };
+        }
+    }
+    else {
+        current = {
+            session_id: sessionId,
+            cache_schema_version: cacheSchemaVersion,
+            created_at: nowIso,
+            updated_at: nowIso,
+            entries: [],
+        };
+    }
+    current.entries.push(entry);
+    current.updated_at = nowIso;
+    writeJsonAtomic(file, current);
+}
+//# sourceMappingURL=cache-manifest.js.map

package/dist/src/core/cache-manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache-manifest.js","sourceRoot":"","sources":["../../../src/core/cache-manifest.ts"],"names":[],"mappings":"AAAA,6DAA6D;AAC7D,EAAE;AACF,+DAA+D;AAC/D,EAAE;AACF,wEAAwE;AACxE,mEAAmE;AACnE,wEAAwE;AACxE,mEAAmE;AACnE,sCAAsC;AACtC,EAAE;AACF,oEAAoE;AACpE,iEAAiE;AACjE,oEAAoE;AACpE,sDAAsD;AAEtD,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,MAAM,CAAC,MAAM,4BAA4B,GAAG,IAAI,CAAC;AACjD,MAAM,iBAAiB,GAAG,qBAAqB,CAAC;AAChD,MAAM,wBAAwB,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AACjF,MAAM,yBAAyB,GAAG,CAAC,CAAC;AACpC,MAAM,eAAe,GAAG,CAAC,CAAC;AAE1B,SAAS,YAAY,CAAC,OAAe,EAAE,SAAiB;IACtD,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,iBAAiB,CAAC,CAAC;AACzE,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,IAAa;IAClD,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtD,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAClE,MAAM,GAAG,GAAG,GAAG,IAAI,IAAI,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,MAAM,CAAC;IAChE,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACpE,IAAI,OAAO,GAAY,IAAI,CAAC;IAC5B,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,yBAAyB,EAAE,OAAO,IAAI,CAAC,EAAE,CAAC;QACxE,IAAI,CAAC;YACH,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACzB,OAAO;QACT,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,GAAG,GAAG,CAAC;YACd,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,CAAC;YACjD,IAAI,CAAC,IAAI,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,MAAM;YACxD,MAAM,IAAI,GAAG,EAAE,GAAG,CAAC,IAAI,OAAO,CAAC;YAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,IAAI,EAAE,CAAC;gBACjC,UAAU;YACZ,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;IACD,MAAM,OAAO,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAe,EAAE,SAAiB;IAClE,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAC9C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;QAChD,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,SAAiB,EACjB,QAAuB;IAEvB,eAAe,CAAC,YAAY,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC9D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CACtC,OAAe,EACf,SAAiB,EACjB,KAAyB,EACzB,qBAA6B,4BAA4B;IAEzD,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACxC,IAAI,OAAsB,CAAC;IAC3B,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC1C,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,8DAA8D;YAC9D,+DAA+D;YAC/D,4DAA4D;YAC5D,wBAAwB;YACxB,MAAM,OAAO,GAAG,GAAG,IAAI,YAAY,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAChD,IAAI,CAAC;gBACH,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC;gBACP,YAAY;YACd,CAAC;YACD,OAAO,GAAG;gBACR,UAAU,EAAE,SAAS;gBACrB,oBAAoB,EAAE,kBAAkB;gBACxC,UAAU,EAAE,MAAM;gBAClB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,EAAE;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,GAAG;YACR,UAAU,EAAE,SAAS;YACrB,oBAAoB,EAAE,kBAAkB;YACxC,UAAU,EAAE,MAAM;YAClB,UAAU,EAAE,MAAM;YAClB,OAAO,EAAE,EAAE;SACZ,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5B,OAAO,CAAC,UAAU,GAAG,MAAM,CAAC;IAC5B,eAAe,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AACjC,CAAC"}

package/dist/src/core/caller-tokens.d.ts

@@ -0,0 +1,32 @@
+import type { PeerId } from "./types.js";
+export declare const TOKEN_BYTES = 32;
+export declare const TOKEN_HEX_LENGTH: number;
+export type HostTokensMap = Record<PeerId, string>;
+export interface HostTokensRecord {
+    filePath: string;
+    map: HostTokensMap;
+    generated_at: string | null;
+}
+export interface ParentProcessSnapshot {
+    parent_pid: number | null;
+    parent_exe_basename: string | null;
+}
+export type TokenVerification = {
+    method: "token";
+    verified: true;
+} | {
+    method: "absent";
+    verified: false;
+};
+export declare function getTokensFilePath(dataDir: string): string;
+export declare function generateHostTokens(dataDir: string, options?: {
+    overwrite?: boolean;
+}): HostTokensRecord | null;
+export declare function loadHostTokens(dataDir: string): HostTokensRecord | null;
+export declare function ensureHostTokens(dataDir: string): HostTokensRecord | null;
+export declare function tokensMatch(a: unknown, b: unknown): boolean;
+export declare function resolveAgentForToken(presented: string | null, tokensMap: HostTokensMap | undefined): PeerId | null;
+export declare function getEnvToken(): string | null;
+export declare function isHardEnforceMode(): boolean;
+export declare function verifyTokenForCaller(declaredCaller: PeerId, tokensRecord: HostTokensRecord | null): TokenVerification;
+export declare function getParentProcessSnapshot(): ParentProcessSnapshot;

package/dist/src/core/caller-tokens.js

@@ -0,0 +1,240 @@
+// Module: cross-review/src/core/caller-tokens.ts
+// Description: F1 caller capability tokens (v2.18.0). Generates and validates
+// per-host secret tokens that complement the v2.17.0 clientInfo identity gate.
+//
+// Threat model: pre-v2.18.0 the v2.17.0 cross-check between declared `caller`
+// and `clientInfo.name` only catches *inconsistent* self-reports — both
+// fields are declared by the caller. An attacker that lies consistently in
+// both fields passes the gate. F1 introduces a per-host secret bound to the
+// operator's MCP host config (env var CROSS_REVIEW_CALLER_TOKEN),
+// authoritative on match and rejected on mismatch.
+//
+// Operator decisions 2026-05-05:
+//   1. Option C (Hybrid): token enforcement + best-effort parent-process
+//      snapshot as forensics-only metadata.
+//   2. Tokens file path: default `<data_dir>/host-tokens.json` AND
+//      overridable via CROSS_REVIEW_TOKENS_FILE env var (note: same env
+//      name as v1 for operator simplicity, but the v2 default location is
+//      `<data_dir>/host-tokens.json` because v2 has its own data_dir
+//      separate from v1's STATE_DIR).
+//   3. regenerate_caller_tokens MCP tool ships in v2.18.0.
+//   4. Ship permissive: CROSS_REVIEW_REQUIRE_TOKEN remains opt-in.
+import { spawnSync } from "node:child_process";
+import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+import { PEERS } from "./types.js";
+export const TOKEN_BYTES = 32;
+export const TOKEN_HEX_LENGTH = TOKEN_BYTES * 2;
+export function getTokensFilePath(dataDir) {
+    const override = process.env.CROSS_REVIEW_TOKENS_FILE;
+    if (typeof override === "string" && override.trim().length > 0) {
+        return path.resolve(override.trim());
+    }
+    return path.join(dataDir, "host-tokens.json");
+}
+export function generateHostTokens(dataDir, options = {}) {
+    const filePath = getTokensFilePath(dataDir);
+    const map = {};
+    for (const agent of PEERS) {
+        map[agent] = crypto.randomBytes(TOKEN_BYTES).toString("hex");
+    }
+    const seen = new Set();
+    for (const tok of Object.values(map)) {
+        if (seen.has(tok)) {
+            throw new Error("caller-tokens: generated tokens collide; refusing to write file");
+        }
+        seen.add(tok);
+    }
+    const payload = {
+        version: 1,
+        generated_at: new Date().toISOString(),
+        tokens: map,
+    };
+    const dir = path.dirname(filePath);
+    try {
+        fs.mkdirSync(dir, { recursive: true });
+    }
+    catch {
+        /* best-effort */
+    }
+    try {
+        fs.writeFileSync(filePath, JSON.stringify(payload, null, 2), {
+            flag: options.overwrite ? "w" : "wx",
+            mode: 0o600,
+        });
+    }
+    catch (err) {
+        if (typeof err === "object" &&
+            err !== null &&
+            "code" in err &&
+            err.code === "EEXIST" &&
+            !options.overwrite) {
+            // Lost race to a concurrent boot; caller falls back to load.
+            return null;
+        }
+        throw err;
+    }
+    if (process.platform !== "win32") {
+        try {
+            fs.chmodSync(filePath, 0o600);
+        }
+        catch {
+            /* best-effort POSIX hardening */
+        }
+    }
+    return { filePath, map, generated_at: payload.generated_at };
+}
+export function loadHostTokens(dataDir) {
+    const filePath = getTokensFilePath(dataDir);
+    let raw;
+    try {
+        raw = fs.readFileSync(filePath, "utf8");
+    }
+    catch (err) {
+        if (typeof err === "object" &&
+            err !== null &&
+            "code" in err &&
+            err.code === "ENOENT") {
+            return null;
+        }
+        return null;
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+    if (typeof parsed !== "object" ||
+        parsed === null ||
+        parsed.version !== 1 ||
+        typeof parsed.tokens !== "object" ||
+        parsed.tokens === null) {
+        return null;
+    }
+    const tokensIn = parsed.tokens;
+    const map = {};
+    const seen = new Set();
+    for (const agent of PEERS) {
+        const tok = tokensIn[agent];
+        if (typeof tok !== "string" || tok.length !== TOKEN_HEX_LENGTH || !/^[0-9a-f]+$/i.test(tok)) {
+            return null;
+        }
+        if (seen.has(tok)) {
+            return null;
+        }
+        seen.add(tok);
+        map[agent] = tok.toLowerCase();
+    }
+    const generated_at = parsed.generated_at;
+    return {
+        filePath,
+        map,
+        generated_at: typeof generated_at === "string" ? generated_at : null,
+    };
+}
+export function ensureHostTokens(dataDir) {
+    const existing = loadHostTokens(dataDir);
+    if (existing)
+        return existing;
+    const generated = generateHostTokens(dataDir);
+    if (generated)
+        return generated;
+    return loadHostTokens(dataDir);
+}
+export function tokensMatch(a, b) {
+    if (typeof a !== "string" || typeof b !== "string")
+        return false;
+    if (a.length !== b.length || a.length === 0)
+        return false;
+    const ba = Buffer.from(a, "hex");
+    const bb = Buffer.from(b, "hex");
+    if (ba.length !== bb.length || ba.length === 0)
+        return false;
+    try {
+        return crypto.timingSafeEqual(ba, bb);
+    }
+    catch {
+        return false;
+    }
+}
+export function resolveAgentForToken(presented, tokensMap) {
+    if (!presented || !tokensMap)
+        return null;
+    let matched = null;
+    for (const agent of PEERS) {
+        const stored = tokensMap[agent];
+        if (tokensMatch(presented, stored) && matched === null) {
+            matched = agent;
+        }
+    }
+    return matched;
+}
+export function getEnvToken() {
+    const raw = process.env.CROSS_REVIEW_CALLER_TOKEN;
+    if (typeof raw !== "string")
+        return null;
+    const trimmed = raw.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+export function isHardEnforceMode() {
+    return process.env.CROSS_REVIEW_REQUIRE_TOKEN === "true";
+}
+export function verifyTokenForCaller(declaredCaller, tokensRecord) {
+    const presented = getEnvToken();
+    if (!presented)
+        return { method: "absent", verified: false };
+    if (!tokensRecord || !tokensRecord.map) {
+        throw new Error("identity_forgery_blocked: CROSS_REVIEW_CALLER_TOKEN is set but the host-tokens.json file could not be loaded; either remove the env var, regenerate the tokens file via the regenerate_caller_tokens tool, or repair the file (default path: <data_dir>/host-tokens.json; override via CROSS_REVIEW_TOKENS_FILE).");
+    }
+    const agent = resolveAgentForToken(presented, tokensRecord.map);
+    if (!agent) {
+        throw new Error("identity_forgery_blocked: CROSS_REVIEW_CALLER_TOKEN does not match any known agent's secret in host-tokens.json. Either the token is stale (regenerate via regenerate_caller_tokens) or the host-tokens.json file has been rotated without re-distributing the new value.");
+    }
+    if (agent !== declaredCaller) {
+        throw new Error(`identity_forgery_blocked: CROSS_REVIEW_CALLER_TOKEN resolves to agent='${agent}' but caller declared='${declaredCaller}'. The token is bound to a specific agent's MCP host config; declaring a different caller from a host carrying another agent's token is identity forgery.`);
+    }
+    return { method: "token", verified: true };
+}
+export function getParentProcessSnapshot() {
+    const snapshot = {
+        parent_pid: typeof process.ppid === "number" ? process.ppid : null,
+        parent_exe_basename: null,
+    };
+    if (!snapshot.parent_pid)
+        return snapshot;
+    if (process.platform === "win32") {
+        // Windows path (added v2.18.2 / Tier 5): shell out to `tasklist` and
+        // parse the leading quoted CSV field. Best-effort, time-bounded 500ms,
+        // never throws. "PID not found" output starts with INFO/INFORMAÇÕES
+        // (no leading quote) so we use that as a discriminator.
+        try {
+            const r = spawnSync("tasklist", ["/FI", `PID eq ${snapshot.parent_pid}`, "/FO", "CSV", "/NH"], { encoding: "utf8", timeout: 500, windowsHide: true });
+            const stdout = String(r.stdout || "").trim();
+            if (stdout.startsWith('"')) {
+                const m = stdout.match(/^"([^"]+)"/);
+                if (m && m[1].length > 0 && m[1].length < 128) {
+                    snapshot.parent_exe_basename = m[1];
+                }
+            }
+        }
+        catch {
+            /* best-effort */
+        }
+    }
+    else {
+        try {
+            const comm = fs.readFileSync(`/proc/${snapshot.parent_pid}/comm`, "utf8").trim();
+            if (comm.length > 0 && comm.length < 128) {
+                snapshot.parent_exe_basename = comm;
+            }
+        }
+        catch {
+            /* best-effort */
+        }
+    }
+    return snapshot;
+}
+//# sourceMappingURL=caller-tokens.js.map

package/dist/src/core/caller-tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"caller-tokens.js","sourceRoot":"","sources":["../../../src/core/caller-tokens.ts"],"names":[],"mappings":"AAAA,iDAAiD;AACjD,8EAA8E;AAC9E,+EAA+E;AAC/E,EAAE;AACF,8EAA8E;AAC9E,wEAAwE;AACxE,2EAA2E;AAC3E,4EAA4E;AAC5E,kEAAkE;AAClE,mDAAmD;AACnD,EAAE;AACF,iCAAiC;AACjC,yEAAyE;AACzE,4CAA4C;AAC5C,mEAAmE;AACnE,wEAAwE;AACxE,0EAA0E;AAC1E,qEAAqE;AACrE,sCAAsC;AACtC,2DAA2D;AAC3D,mEAAmE;AAEnE,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAGnC,MAAM,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC;AAC9B,MAAM,CAAC,MAAM,gBAAgB,GAAG,WAAW,GAAG,CAAC,CAAC;AAmBhD,MAAM,UAAU,iBAAiB,CAAC,OAAe;IAC/C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IACtD,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/D,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IACvC,CAAC;IACD,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,UAAmC,EAAE;IAErC,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,EAAmB,CAAC;IAChC,KAAK,MAAM,KAAK,IAAI,KAAK,EAAE,CAAC;QAC1B,GAAG,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC/D,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;QACrF,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChB,CAAC;IACD,MAAM,OAAO,GAAG;QACd,OAAO,EAAE,CAAU;QACnB,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,MAAM,EAAE,GAAG;KACZ,CAAC;IACF,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,iBAAiB;IACnB,CAAC;IACD,IAAI,CAAC;QACH,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;YAC3D,IAAI,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI;YACpC,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IACE,OAAO,GAAG,KAAK,QAAQ;YACvB,GAAG,KAAK,IAAI;YACZ,MAAM,IAAI,GAAG;YACZ,GAAyB,CAAC,IAAI,KAAK,QAAQ;YAC5C,CAAC,OAAO,CAAC,SAAS,EAClB,CAAC;YACD,6DAA6D;YAC7D,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,iCAAiC;QACnC,CAAC;IACH,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAC5C,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IACE,OAAO,GAAG,KAAK,QAAQ;YACvB,GAAG,KAAK,IAAI;YACZ,MAAM,IAAI,GAAG;YACZ,GAAyB,CAAC,IAAI,KAAK,QAAQ,EAC5C,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IACE,OAAO,MAAM,KAAK,QAAQ;QAC1B,MAAM,KAAK,IAAI;QACd,MAAgC,CAAC,OAAO,KAAK,CAAC;QAC/C,OAAQ,MAA+B,CAAC,MAAM,KAAK,QAAQ;QAC1D,MAA+B,CAAC,MAAM,KAAK,IAAI,EAChD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,QAAQ,GAAI,MAA8C,CAAC,MAAM,CAAC;IACxE,MAAM,GAAG,GAAG,EAAmB,CAAC;IAChC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,KAAK,IAAI,KAAK,EAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC5B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,gBAAgB,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5F,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACd,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IACjC,CAAC;IACD,MAAM,YAAY,GAAI,MAAqC,CAAC,YAAY,CAAC;IACzE,OAAO;QACL,QAAQ;QACR,GAAG;QACH,YAAY,EAAE,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI;KACrE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC9B,MAAM,SAAS,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC9C,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAChC,OAAO,cAAc,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,CAAU,EAAE,CAAU;IAChD,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACjE,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACjC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACjC,IAAI,EAAE,CAAC,MAAM,KAAK,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7D,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,SAAwB,EACxB,SAAoC;IAEpC,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,OAAO,GAAkB,IAAI,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,KAAK,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,WAAW,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACvD,OAAO,GAAG,KAAK,CAAC;QAClB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,WAAW;IACzB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;IAClD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACzC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,OAAO,CAAC,GAAG,CAAC,0BAA0B,KAAK,MAAM,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,cAAsB,EACtB,YAAqC;IAErC,MAAM,SAAS,GAAG,WAAW,EAAE,CAAC;IAChC,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7D,IAAI,CAAC,YAAY,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CACb,mTAAmT,CACpT,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAG,oBAAoB,CAAC,SAAS,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC;IAChE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,2QAA2Q,CAC5Q,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,KAAK,cAAc,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,0EAA0E,KAAK,0BAA0B,cAAc,2JAA2J,CACnR,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,wBAAwB;IACtC,MAAM,QAAQ,GAA0B;QACtC,UAAU,EAAE,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;QAClE,mBAAmB,EAAE,IAAI;KAC1B,CAAC;IACF,IAAI,CAAC,QAAQ,CAAC,UAAU;QAAE,OAAO,QAAQ,CAAC;IAC1C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,qEAAqE;QACrE,uEAAuE;QACvE,oEAAoE;QACpE,wDAAwD;QACxD,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,SAAS,CACjB,UAAU,EACV,CAAC,KAAK,EAAE,UAAU,QAAQ,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,EAC7D,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,CACtD,CAAC;YACF,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAC7C,IAAI,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;gBACrC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;oBAC9C,QAAQ,CAAC,mBAAmB,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;QACnB,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,QAAQ,CAAC,UAAU,OAAO,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;YACjF,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBACzC,QAAQ,CAAC,mBAAmB,GAAG,IAAI,CAAC;YACtC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;QACnB,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/src/core/config.d.ts

@@ -0,0 +1,9 @@
+import type { AppConfig, PeerId } from "./types.js";
+export declare const VERSION = "4.0.0";
+export declare const RELEASE_DATE = "2026-05-15";
+export declare const DEFAULT_MAX_OUTPUT_TOKENS = 20000;
+export declare function getLastFileConfigResult(): import("./file-config.js").ApplyFileConfigResult | undefined;
+export declare function loadConfig(): AppConfig;
+export declare function missingFinancialControlVars(config: AppConfig, peers: PeerId[], options?: {
+    untilStopped?: boolean;
+}): string[];