@llm-dev-ops/agentics-cli 1.4.14 → 1.4.16

package/dist/gates/execution-gate.js

@@ -1,30 +1,28 @@
 /**
- * Execution Gate Module
+ * Execution Gate Module — Credential Pre-flight
  *
- * PURPOSE: Global execution gate that controls command access based on
- *          user entitlement (internal email or paid API key).
+ * ARCHITECTURE:
+ *   The CLI does NOT resolve entitlements, maintain email allowlists,
+ *   or enforce access policy locally. Authorization is a platform concern.
  *
- * ENTITLEMENTS:
- * - "internal" - Internal maintainers (allow-listed by email)
- * - "paid" - Users with a valid API key
- * - "none" - No entitlement, blocked from operational commands
+ *   This gate checks whether ANY credential source exists before sending
+ *   a request that would be guaranteed to 401. It checks:
+ *     1. Environment variables (AGENTICS_API_KEY, AGENTICS_AUTH_TOKEN, etc.)
+ *     2. Stored credentials from `agentics login`
  *
- * LOGIC:
- * - Identity commands (login, logout, whoami, help, version) always allowed
- * - Internal or paid users get full access to all commands
- * - Users with no entitlement are blocked
+ *   If any credential exists, the request proceeds and the platform
+ *   enforces actual policy.
  */
-import * as fs from 'node:fs';
-import * as path from 'node:path';
-import * as os from 'node:os';
 import { EXIT_CODES } from '../types/index.js';
-import { getActiveAccount } from '../auth/gcp-identity.js';
+import { createCredentialStore } from '../utils/credentials.js';
 // ============================================================================
-// Execution Gate Configuration
+// Constants
 // ============================================================================
 /**
- * Commands that are ALWAYS allowed, regardless of entitlement.
- * These are identity and help commands only.
+ * Commands that bypass the execution gate entirely.
+ * These are identity bootstrapping and help commands — the CLI must
+ * allow them so the user can authenticate in the first place.
+ * This is transport-level routing, not policy enforcement.
  */
 const ALLOWED_COMMANDS = new Set([
     'login',
@@ -32,160 +30,58 @@ const ALLOWED_COMMANDS = new Set([
     'whoami',
     'help',
     'version',
+    'demo',
 ]);
-/**
- * Default internal emails (fallback if config file doesn't exist).
- */
-const DEFAULT_INTERNAL_EMAILS = [
-    'nick@nicholasruest.com',
-    'sales@globalbusinessadvisors.co',
-    'nicholasruest1@gmail.com',
-    'nick.ruest@agentics.org',
-    'ruv@ruv.net',
-    'ruv@agentics.org',
-    'cvsrohit@gmail.com',
-    'rishubcheddlla@gmail.com',
-];
-/**
- * Load internal emails from config file or use defaults.
- * Config file: ~/.agentics/internal-users.json
- * Format: { "emails": ["email1@example.com", "email2@example.com"] }
- */
-function loadInternalEmails() {
-    try {
-        const configPath = path.join(os.homedir(), '.agentics', 'internal-users.json');
-        if (fs.existsSync(configPath)) {
-            const content = fs.readFileSync(configPath, 'utf-8');
-            const config = JSON.parse(content);
-            if (Array.isArray(config.emails)) {
-                return new Set(config.emails.map((e) => e.toLowerCase()));
-            }
-        }
-    }
-    catch {
-        // Config file doesn't exist or is invalid, use defaults
-    }
-    // Create default config file if it doesn't exist
-    try {
-        const configDir = path.join(os.homedir(), '.agentics');
-        const configPath = path.join(configDir, 'internal-users.json');
-        if (!fs.existsSync(configPath)) {
-            if (!fs.existsSync(configDir)) {
-                fs.mkdirSync(configDir, { recursive: true });
-            }
-            fs.writeFileSync(configPath, JSON.stringify({ emails: DEFAULT_INTERNAL_EMAILS }, null, 2));
-        }
-    }
-    catch {
-        // Failed to create config file, continue with defaults
-    }
-    return new Set(DEFAULT_INTERNAL_EMAILS.map(e => e.toLowerCase()));
-}
-// Load internal emails once at startup
-const INTERNAL_EMAILS = loadInternalEmails();
-/**
- * Resolve the entitlement for the currently authenticated user.
- *
- * Checks in order:
- * 1. AGENTICS_USER_EMAIL environment variable
- * 2. Email stored in credentials file (~/.agentics/credentials.json)
- * 3. gcloud authenticated account
- *
- * @returns The user's entitlement: 'internal' for allow-listed users, 'none' otherwise
- */
-export function resolveEntitlement() {
-    // Check environment variable first (simplest path for internal users)
-    const envEmail = process.env['AGENTICS_USER_EMAIL'];
-    if (envEmail && INTERNAL_EMAILS.has(envEmail.toLowerCase())) {
-        return 'internal';
-    }
-    // Check stored credentials for email and payment status
-    const storedCreds = getStoredCredentials();
-    if (storedCreds?.email && INTERNAL_EMAILS.has(storedCreds.email.toLowerCase())) {
-        return 'internal';
-    }
-    // Check if API key holder has paid status
-    if (storedCreds?.api_key && storedCreds.payment_status === 'paid') {
-        return 'paid';
-    }
-    // Fall back to gcloud account
-    const account = getActiveAccount();
-    if (account && INTERNAL_EMAILS.has(account.toLowerCase())) {
-        return 'internal';
-    }
-    // If user has a valid API key, treat as paid (API keys are issued to paying users)
-    if (storedCreds?.api_key) {
-        return 'paid';
-    }
-    return 'none';
-}
-/**
- * Read stored credentials (sync).
- */
-function getStoredCredentials() {
-    try {
-        const credPath = path.join(os.homedir(), '.agentics', 'credentials.json');
-        const content = fs.readFileSync(credPath, 'utf-8');
-        const creds = JSON.parse(content);
-        if (!creds.api_key)
-            return null;
-        return creds;
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Exit code for blocked execution.
- * Uses PERMISSION_DENIED (77) to indicate access is denied.
- */
 export const EXECUTION_BLOCKED_EXIT_CODE = EXIT_CODES.PERMISSION_DENIED;
-// ============================================================================
-// Execution Gate Error Message
-// ============================================================================
 const BLOCKED_MESSAGE = `
 ❌ Execution Disabled
 
 This command requires an active Agentics execution environment.
 
-The Agentics CLI is currently in explore-only mode.
+No valid credentials found. To authenticate:
+
+  Option 1: Platform login (recommended)
+    agentics login
+
+  Option 2: API key via environment variable
+    export AGENTICS_API_KEY=agentics_sk_...
 
-Contact the Agentics team to enable execution.
 `.trim();
+// ============================================================================
+// Execution Gate — Credential Pre-flight
+// ============================================================================
 /**
  * Check if a command is allowed to execute.
  *
- * This is the SINGLE, CENTRALIZED execution gate.
- * It must be called BEFORE:
- *   - command parsing (post-parse)
- *   - network calls
- *   - domain service invocation
- *
- * Execution flow:
- *   1. Always allow identity and help commands
- *   2. Resolve user entitlement
- *   3. If entitlement === "internal" or "paid" → allow execution
- *   4. Otherwise → block execution
- *
- * @param command - The command name (e.g., 'plan', 'simulate', 'login')
- * @returns ExecutionGateResult indicating if execution is allowed
+ * For identity/help commands: always allowed (transport-level).
+ * For all other commands: checks whether any credential source exists.
+ * The platform decides actual authorization when the request arrives.
  */
-export function checkExecutionGate(command) {
-    // Always allow identity and help commands
+export async function checkExecutionGate(command) {
+    // Identity/help commands always allowed — transport-level bypass
     if (ALLOWED_COMMANDS.has(command)) {
         return { allowed: true };
     }
-    // Resolve entitlement before applying execution gate
-    const entitlement = resolveEntitlement();
-    // Internal users have full access
-    if (entitlement === 'internal') {
+    // 1. Check environment variables
+    const hasEnvCredentials = !!(process.env['AGENTICS_API_KEY'] ||
+        process.env['AGENTICS_AUTH_TOKEN'] ||
+        process.env['AGENTICS_USER_EMAIL'] ||
+        process.env['AGENTICS_INTERNAL_KEY']);
+    if (hasEnvCredentials) {
         return { allowed: true };
     }
-    // Paid users have full access
-    if (entitlement === 'paid') {
-        return { allowed: true };
+    // 2. Check stored credentials from `agentics login`
+    try {
+        const store = createCredentialStore();
+        const credentials = await store.load();
+        if (credentials && credentials.api_key) {
+            return { allowed: true };
+        }
     }
-    // Block all other commands
+    catch {
+        // Stored credential check failed — continue to next source
+    }
+    // No credentials found from any source
     return {
         allowed: false,
         exitCode: EXECUTION_BLOCKED_EXIT_CODE,
@@ -194,29 +90,33 @@ export function checkExecutionGate(command) {
 }
 /**
  * Enforce the execution gate. Exits the process if blocked.
- *
- * @param command - The command name to check
  */
-export function enforceExecutionGate(command) {
-    const result = checkExecutionGate(command);
+export async function enforceExecutionGate(command) {
+    const result = await checkExecutionGate(command);
     if (!result.allowed) {
         console.error(result.message);
         process.exit(result.exitCode);
     }
 }
 /**
- * Check if execution is enabled for the current user.
- *
- * @returns true if the user has internal or paid entitlement
+ * @deprecated Entitlement resolution is now platform-side.
+ * This stub checks for credential presence only — not entitlement type.
  */
-export function isExecutionEnabled() {
-    const entitlement = resolveEntitlement();
-    return entitlement === 'internal' || entitlement === 'paid';
+export function resolveEntitlement() {
+    const hasCredentials = !!(process.env['AGENTICS_API_KEY'] ||
+        process.env['AGENTICS_AUTH_TOKEN'] ||
+        process.env['AGENTICS_INTERNAL_KEY']);
+    return hasCredentials ? 'paid' : 'none';
 }
 /**
- * Get the list of commands that are always allowed.
- *
- * @returns Set of allowed command names
+ * @deprecated Use checkExecutionGate() instead.
+ */
+export async function isExecutionEnabled() {
+    const result = await checkExecutionGate('_check');
+    return result.allowed;
+}
+/**
+ * Get the list of commands that bypass the execution gate.
  */
 export function getAllowedCommands() {
     return ALLOWED_COMMANDS;

package/dist/gates/execution-gate.js.map

@@ -1 +1 @@
-{"version":3,"file":"execution-gate.js","sourceRoot":"","sources":["../../src/gates/execution-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,SAAS;CACV,CAAC,CAAC;AAWH;;GAEG;AACH,MAAM,uBAAuB,GAAG;IAC9B,wBAAwB;IACxB,iCAAiC;IACjC,0BAA0B;IAC1B,yBAAyB;IACzB,aAAa;IACb,kBAAkB;IAClB,oBAAoB;IACpB,0BAA0B;CAC3B,CAAC;AAEF;;;;GAIG;AACH,SAAS,kBAAkB;IACzB,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,qBAAqB,CAAC,CAAC;QAC/E,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACnC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,OAAO,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,wDAAwD;IAC1D,CAAC;IAED,iDAAiD;IACjD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;QACvD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,qBAAqB,CAAC,CAAC;QAC/D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC/C,CAAC;YACD,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,uBAAuB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7F,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uDAAuD;IACzD,CAAC;IAED,OAAO,IAAI,GAAG,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AACpE,CAAC;AAED,uCAAuC;AACvC,MAAM,eAAe,GAAG,kBAAkB,EAAE,CAAC;AAE7C;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB;IAChC,sEAAsE;IACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IACpD,IAAI,QAAQ,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC5D,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,wDAAwD;IACxD,MAAM,WAAW,GAAG,oBAAoB,EAAE,CAAC;IAC3C,IAAI,WAAW,EAAE,KAAK,IAAI,eAAe,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC/E,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,0CAA0C;IAC1C,IAAI,WAAW,EAAE,OAAO,IAAI,WAAW,CAAC,cAAc,KAAK,MAAM,EAAE,CAAC;QAClE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,8BAA8B;IAC9B,MAAM,OAAO,GAAG,gBAAgB,EAAE,CAAC;IACnC,IAAI,OAAO,IAAI,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC1D,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,mFAAmF;IACnF,IAAI,WAAW,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB;IAC3B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,kBAAkB,CAAC,CAAC;QAC1E,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAoB,CAAC;QACrD,IAAI,CAAC,KAAK,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,UAAU,CAAC,iBAAiB,CAAC;AAExE,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E,MAAM,eAAe,GAAG;;;;;;;;CAQvB,CAAC,IAAI,EAAE,CAAC;AAYT;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,0CAA0C;IAC1C,IAAI,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,qDAAqD;IACrD,MAAM,WAAW,GAAG,kBAAkB,EAAE,CAAC;IAEzC,kCAAkC;IAClC,IAAI,WAAW,KAAK,UAAU,EAAE,CAAC;QAC/B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,8BAA8B;IAC9B,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,2BAA2B;IAC3B,OAAO;QACL,OAAO,EAAE,KAAK;QACd,QAAQ,EAAE,2BAA2B;QACrC,OAAO,EAAE,eAAe;KACzB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAE3C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,WAAW,GAAG,kBAAkB,EAAE,CAAC;IACzC,OAAO,WAAW,KAAK,UAAU,IAAI,WAAW,KAAK,MAAM,CAAC;AAC9D,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,gBAAgB,CAAC;AAC1B,CAAC"}
+{"version":3,"file":"execution-gate.js","sourceRoot":"","sources":["../../src/gates/execution-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAEhE,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E;;;;;GAKG;AACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,SAAS;IACT,MAAM;CACP,CAAC,CAAC;AAIH,MAAM,CAAC,MAAM,2BAA2B,GAAG,UAAU,CAAC,iBAAiB,CAAC;AAYxE,MAAM,eAAe,GAAG;;;;;;;;;;;;;CAavB,CAAC,IAAI,EAAE,CAAC;AAET,+EAA+E;AAC/E,yCAAyC;AACzC,+EAA+E;AAE/E;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,OAAe;IACtD,iEAAiE;IACjE,IAAI,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,iCAAiC;IACjC,MAAM,iBAAiB,GAAG,CAAC,CAAC,CAC1B,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;QAClC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;QAClC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CACrC,CAAC;IAEF,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,qBAAqB,EAAE,CAAC;QACtC,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;QACvC,IAAI,WAAW,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,2DAA2D;IAC7D,CAAC;IAED,uCAAuC;IACvC,OAAO;QACL,OAAO,EAAE,KAAK;QACd,QAAQ,EAAE,2BAA2B;QACrC,OAAO,EAAE,eAAe;KACzB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,OAAe;IACxD,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACjD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,cAAc,GAAG,CAAC,CAAC,CACvB,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;QAClC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CACrC,CAAC;IACF,OAAO,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAClD,OAAO,MAAM,CAAC,OAAO,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,gBAAgB,CAAC;AAC1B,CAAC"}

package/dist/gates/index.d.ts

@@ -11,6 +11,8 @@
  * 4. Output Format Gate - Enforces strict JSON output
  * 5. Argument Guard Gate - Validates argument types per ADR-001
  * 6. Lineage Gate - Enforces simulation traceability per ADR-004
+ * 7. Readiness Gate - Enforces execution safety when execution-gated
+ * 8. Ruvector Acceptance Gate - Mandatory blocking persistence (ADR-004)
  *
  * CRITICAL REQUIREMENTS MET:
  * - CLI requires Ruvector-backed services (Service Health Gate)
@@ -21,6 +23,8 @@
  * - Enforces strict JSON outputs (Output Format Gate)
  * - Never allows narrative output (Output Format Gate)
  * - Enterprise artifacts trace to governed simulations (Lineage Gate)
+ * - Simulations block until ruvector accepts (Ruvector Acceptance Gate)
+ * - Meta-simulations route to Tier-1 simulator (Meta-Simulation Detector)
  */
 export { checkExecutionGate, enforceExecutionGate, isExecutionEnabled, getAllowedCommands, resolveEntitlement, EXECUTION_BLOCKED_EXIT_CODE, type ExecutionGateResult, type Entitlement, } from './execution-gate.js';
 export { enforceAuthSessionGate, checkAuthSessionGate, requiresAuthentication, AUTH_REQUIRED_EXIT_CODE, AuthSessionRequiredError, type AuthSessionGateResult, } from './auth-session-gate.js';
@@ -28,4 +32,6 @@ export { enforceServiceHealthGate, checkServiceHealthGate, requiresHealthCheck,
 export { enforceOutputFormatGate, checkOutputFormatGate, requiresStructuredOutput, getDefaultFormat, INVALID_FORMAT_EXIT_CODE, InvalidOutputFormatError, type OutputFormatGateResult, } from './output-format-gate.js';
 export { checkArgumentGuard, enforceArgumentGuard, requiresArgumentValidation, type ArgumentGuardResult, } from './argument-guard.js';
 export { checkLineageGate, enforceLineageGate, requiresLineageValidation, LINEAGE_VIOLATION_EXIT_CODE, type LineageGateResult, } from './lineage-gate.js';
+export { blockUntilRuvectorAccepts, blockUntilLineageAccepted, buildRuvectorRootedGraph, validateRuvectorRootedGraph, RUVECTOR_ACCEPTANCE_EXIT_CODE, } from './ruvector-acceptance-gate.js';
+export { isMetaSimulation, getMetaSimulationTier, buildTier1Route, META_SIMULATION_EXIT_CODE, type Tier1Route, } from './meta-simulation-detector.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/gates/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/gates/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAGH,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,2BAA2B,EAC3B,KAAK,mBAAmB,EACxB,KAAK,WAAW,GACjB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,wBAAwB,EACxB,sBAAsB,EACtB,mBAAmB,EACnB,6BAA6B,EAC7B,kBAAkB,EAClB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,GAC7B,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,wBAAwB,EACxB,gBAAgB,EAChB,wBAAwB,EACxB,wBAAwB,EACxB,KAAK,sBAAsB,GAC5B,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,0BAA0B,EAC1B,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,yBAAyB,EACzB,2BAA2B,EAC3B,KAAK,iBAAiB,GACvB,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/gates/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAGH,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,2BAA2B,EAC3B,KAAK,mBAAmB,EACxB,KAAK,WAAW,GACjB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,wBAAwB,EACxB,sBAAsB,EACtB,mBAAmB,EACnB,6BAA6B,EAC7B,kBAAkB,EAClB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,GAC7B,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,wBAAwB,EACxB,gBAAgB,EAChB,wBAAwB,EACxB,wBAAwB,EACxB,KAAK,sBAAsB,GAC5B,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,0BAA0B,EAC1B,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,yBAAyB,EACzB,2BAA2B,EAC3B,KAAK,iBAAiB,GACvB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,wBAAwB,EACxB,2BAA2B,EAC3B,6BAA6B,GAC9B,MAAM,+BAA+B,CAAC;AAGvC,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,eAAe,EACf,yBAAyB,EACzB,KAAK,UAAU,GAChB,MAAM,+BAA+B,CAAC"}

package/dist/gates/index.js

@@ -11,6 +11,8 @@
  * 4. Output Format Gate - Enforces strict JSON output
  * 5. Argument Guard Gate - Validates argument types per ADR-001
  * 6. Lineage Gate - Enforces simulation traceability per ADR-004
+ * 7. Readiness Gate - Enforces execution safety when execution-gated
+ * 8. Ruvector Acceptance Gate - Mandatory blocking persistence (ADR-004)
  *
  * CRITICAL REQUIREMENTS MET:
  * - CLI requires Ruvector-backed services (Service Health Gate)
@@ -21,6 +23,8 @@
  * - Enforces strict JSON outputs (Output Format Gate)
  * - Never allows narrative output (Output Format Gate)
  * - Enterprise artifacts trace to governed simulations (Lineage Gate)
+ * - Simulations block until ruvector accepts (Ruvector Acceptance Gate)
+ * - Meta-simulations route to Tier-1 simulator (Meta-Simulation Detector)
  */
 // Execution Gate - Hard kill-switch
 export { checkExecutionGate, enforceExecutionGate, isExecutionEnabled, getAllowedCommands, resolveEntitlement, EXECUTION_BLOCKED_EXIT_CODE, } from './execution-gate.js';
@@ -34,4 +38,8 @@ export { enforceOutputFormatGate, checkOutputFormatGate, requiresStructuredOutpu
 export { checkArgumentGuard, enforceArgumentGuard, requiresArgumentValidation, } from './argument-guard.js';
 // Lineage Gate - Enforces simulation traceability per ADR-004
 export { checkLineageGate, enforceLineageGate, requiresLineageValidation, LINEAGE_VIOLATION_EXIT_CODE, } from './lineage-gate.js';
+// Ruvector Acceptance Gate - Mandatory blocking persistence (Gate 8)
+export { blockUntilRuvectorAccepts, blockUntilLineageAccepted, buildRuvectorRootedGraph, validateRuvectorRootedGraph, RUVECTOR_ACCEPTANCE_EXIT_CODE, } from './ruvector-acceptance-gate.js';
+// Meta-Simulation Detector - Tier-1 routing for meta-simulation requests
+export { isMetaSimulation, getMetaSimulationTier, buildTier1Route, META_SIMULATION_EXIT_CODE, } from './meta-simulation-detector.js';
 //# sourceMappingURL=index.js.map

package/dist/gates/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/gates/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,oCAAoC;AACpC,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,2BAA2B,GAG5B,MAAM,qBAAqB,CAAC;AAE7B,qDAAqD;AACrD,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,GAEzB,MAAM,wBAAwB,CAAC;AAEhC,2DAA2D;AAC3D,OAAO,EACL,wBAAwB,EACxB,sBAAsB,EACtB,mBAAmB,EACnB,6BAA6B,EAC7B,kBAAkB,GAGnB,MAAM,0BAA0B,CAAC;AAElC,mDAAmD;AACnD,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,wBAAwB,EACxB,gBAAgB,EAChB,wBAAwB,EACxB,wBAAwB,GAEzB,MAAM,yBAAyB,CAAC;AAEjC,6DAA6D;AAC7D,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,0BAA0B,GAE3B,MAAM,qBAAqB,CAAC;AAE7B,8DAA8D;AAC9D,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,yBAAyB,EACzB,2BAA2B,GAE5B,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/gates/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,oCAAoC;AACpC,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,2BAA2B,GAG5B,MAAM,qBAAqB,CAAC;AAE7B,qDAAqD;AACrD,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,GAEzB,MAAM,wBAAwB,CAAC;AAEhC,2DAA2D;AAC3D,OAAO,EACL,wBAAwB,EACxB,sBAAsB,EACtB,mBAAmB,EACnB,6BAA6B,EAC7B,kBAAkB,GAGnB,MAAM,0BAA0B,CAAC;AAElC,mDAAmD;AACnD,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,wBAAwB,EACxB,gBAAgB,EAChB,wBAAwB,EACxB,wBAAwB,GAEzB,MAAM,yBAAyB,CAAC;AAEjC,6DAA6D;AAC7D,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,0BAA0B,GAE3B,MAAM,qBAAqB,CAAC;AAE7B,8DAA8D;AAC9D,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,yBAAyB,EACzB,2BAA2B,GAE5B,MAAM,mBAAmB,CAAC;AAE3B,qEAAqE;AACrE,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,wBAAwB,EACxB,2BAA2B,EAC3B,6BAA6B,GAC9B,MAAM,+BAA+B,CAAC;AAEvC,yEAAyE;AACzE,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,eAAe,EACf,yBAAyB,GAE1B,MAAM,+BAA+B,CAAC"}

package/dist/gates/meta-simulation-detector.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Meta-Simulation Detector — Thin Passthrough
+ *
+ * ARCHITECTURE:
+ *   The CLI does NOT classify whether a request is a meta-simulation.
+ *   That is platform-side intent classification. The CLI sends the raw
+ *   description to the platform, which returns tier routing decisions.
+ *
+ * REMOVED (moved to platform):
+ *   - META_SIMULATION_PHRASES / phrase matching
+ *   - META_SIMULATION_KEYWORDS / keyword matching
+ *   - isMetaSimulation() / local classification logic
+ *   - buildTier1Route() / confidence scoring + tier routing
+ *   - getMetaSimulationTier() / local tier assignment
+ *
+ * WHAT REMAINS:
+ *   - Type definitions (for contract compatibility)
+ *   - Exit code constant
+ *   - Deprecated stubs for callers that haven't migrated
+ */
+export declare const META_SIMULATION_EXIT_CODE = 142;
+/** Tier-1 routing configuration returned by platform */
+export interface Tier1Route {
+    tier: 'tier-1';
+    endpoint: '/v1/simulate';
+    adapter: 'simulation-engine';
+    metaSimulation: true;
+    confidence: number;
+    detectedSignals: string[];
+    originalDescription: string;
+}
+/**
+ * @deprecated Meta-simulation detection is now platform-side.
+ * The CLI sends the raw description; the platform classifies it.
+ * Always returns false — the platform will route appropriately.
+ */
+export declare function isMetaSimulation(_description: string): boolean;
+/**
+ * @deprecated Tier routing is now platform-side.
+ * Always returns null — the platform determines the tier.
+ */
+export declare function getMetaSimulationTier(_description: string): 'tier-1' | null;
+/**
+ * @deprecated Tier-1 route construction is now platform-side.
+ * This stub should not be called — the platform returns routing info.
+ */
+export declare function buildTier1Route(_description: string, _correlationId: string): never;
+//# sourceMappingURL=meta-simulation-detector.d.ts.map

package/dist/gates/meta-simulation-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"meta-simulation-detector.d.ts","sourceRoot":"","sources":["../../src/gates/meta-simulation-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,eAAO,MAAM,yBAAyB,MAAM,CAAC;AAE7C,wDAAwD;AACxD,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,QAAQ,CAAC;IACf,QAAQ,EAAE,cAAc,CAAC;IACzB,OAAO,EAAE,mBAAmB,CAAC;IAC7B,cAAc,EAAE,IAAI,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,mBAAmB,EAAE,MAAM,CAAC;CAC7B;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAE9D;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,YAAY,EAAE,MAAM,GACnB,QAAQ,GAAG,IAAI,CAEjB;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,YAAY,EAAE,MAAM,EACpB,cAAc,EAAE,MAAM,GACrB,KAAK,CAKP"}

package/dist/gates/meta-simulation-detector.js

@@ -0,0 +1,45 @@
+/**
+ * Meta-Simulation Detector — Thin Passthrough
+ *
+ * ARCHITECTURE:
+ *   The CLI does NOT classify whether a request is a meta-simulation.
+ *   That is platform-side intent classification. The CLI sends the raw
+ *   description to the platform, which returns tier routing decisions.
+ *
+ * REMOVED (moved to platform):
+ *   - META_SIMULATION_PHRASES / phrase matching
+ *   - META_SIMULATION_KEYWORDS / keyword matching
+ *   - isMetaSimulation() / local classification logic
+ *   - buildTier1Route() / confidence scoring + tier routing
+ *   - getMetaSimulationTier() / local tier assignment
+ *
+ * WHAT REMAINS:
+ *   - Type definitions (for contract compatibility)
+ *   - Exit code constant
+ *   - Deprecated stubs for callers that haven't migrated
+ */
+export const META_SIMULATION_EXIT_CODE = 142;
+/**
+ * @deprecated Meta-simulation detection is now platform-side.
+ * The CLI sends the raw description; the platform classifies it.
+ * Always returns false — the platform will route appropriately.
+ */
+export function isMetaSimulation(_description) {
+    return false;
+}
+/**
+ * @deprecated Tier routing is now platform-side.
+ * Always returns null — the platform determines the tier.
+ */
+export function getMetaSimulationTier(_description) {
+    return null;
+}
+/**
+ * @deprecated Tier-1 route construction is now platform-side.
+ * This stub should not be called — the platform returns routing info.
+ */
+export function buildTier1Route(_description, _correlationId) {
+    throw new Error('buildTier1Route() removed: meta-simulation routing is now platform-side. ' +
+        'Send the description to the platform and use its routing response.');
+}
+//# sourceMappingURL=meta-simulation-detector.js.map

package/dist/gates/meta-simulation-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"meta-simulation-detector.js","sourceRoot":"","sources":["../../src/gates/meta-simulation-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,MAAM,CAAC,MAAM,yBAAyB,GAAG,GAAG,CAAC;AAa7C;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,YAAoB;IACnD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CACnC,YAAoB;IAEpB,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAC7B,YAAoB,EACpB,cAAsB;IAEtB,MAAM,IAAI,KAAK,CACb,2EAA2E;QAC3E,oEAAoE,CACrE,CAAC;AACJ,CAAC"}

package/dist/gates/readiness-gate.d.ts

@@ -0,0 +1,108 @@
+/**
+ * Readiness Gate — Gate 7 (Execution Safety Enforcement)
+ *
+ * PURPOSE: Enforce that write-path commands (deploy run, erp export in
+ * execute mode, rollback, live sync) are blocked when the platform state
+ * is INTEGRATION_READY_EXECUTION_GATED. This gate ensures no ERP writes
+ * or production deployments occur until all prerequisites are met.
+ *
+ * INVARIANTS ENFORCED:
+ * - No production writes when execution_gate is LOCKED
+ * - No deploy run / deploy rollback when connectors are missing
+ * - No erp export --mode=execute when systems are BLOCKED
+ * - Read-only and integration-mode commands always allowed
+ *
+ * EXIT CODE: 111 (READINESS_GATE_VIOLATION)
+ *
+ * BEHAVIOR:
+ * - Commands that perform external writes (deploy run, deploy rollback)
+ *   are blocked when the readiness state has execution_gate.locked = true.
+ * - Commands that are read-only (readiness show, inspect, erp list) are
+ *   always permitted regardless of readiness state.
+ * - The gate reads state from ~/.agentics/exports/decision-readiness/readiness-state.json.
+ *   If the file does not exist, the gate assumes INSPECTION_ONLY (most restrictive).
+ */
+import type { CommandObject } from '../types/index.js';
+export declare const READINESS_GATE_EXIT_CODE = 111;
+/**
+ * Canonical readiness states.
+ * Transitions: INSPECTION_ONLY -> INTEGRATION_READY_EXECUTION_GATED -> EXECUTION_READY
+ */
+export type ReadinessState = 'INSPECTION_ONLY' | 'INTEGRATION_READY_EXECUTION_GATED' | 'EXECUTION_READY';
+export interface ReadinessGateResult {
+    /** Whether the command passed readiness validation */
+    allowed: boolean;
+    /** Error message if validation failed */
+    message: string;
+    /** Exit code if validation failed */
+    exitCode: number;
+    /** Whether this command requires readiness validation */
+    readinessRequired: boolean;
+    /** Current readiness state (if loaded) */
+    state?: ReadinessState;
+}
+export interface ReadinessStateFile {
+    schema: string;
+    state: ReadinessState;
+    simulation_id: string;
+    plan_ref: string;
+    determined_at: string;
+    execution_gate: {
+        locked: boolean;
+        reason: string;
+        prerequisites_total: number;
+        prerequisites_completed: number;
+        critical_blockers: Array<{
+            id: number;
+            system: string;
+            severity: string;
+            effort: string;
+        }>;
+    };
+    integration_readiness: {
+        entities_ready: number;
+        entities_blocked: number;
+        entities_total: number;
+        readiness_pct: number;
+        systems_ready: string[];
+        systems_blocked: string[];
+    };
+    financial_posture: {
+        annual_api_spend_usd: number;
+        year1_investment_usd: number;
+        annual_savings_usd: number;
+        roi_payback_months: number;
+        npv_5yr_usd: number;
+    };
+    audit_matrix: {
+        result: string;
+        checks_passed: number;
+        checks_total: number;
+        last_audit: string;
+    };
+}
+/**
+ * Load readiness state from the canonical artifact path.
+ * Returns null if the file does not exist or is invalid.
+ */
+export declare function loadReadinessState(): ReadinessStateFile | null;
+/**
+ * Check whether a command passes readiness validation.
+ * Returns a result indicating whether the command is allowed.
+ *
+ * Write-path commands are blocked when:
+ * 1. The readiness state file exists AND execution_gate.locked === true
+ * 2. The readiness state file does not exist (defaults to most restrictive)
+ *
+ * Read-only commands always pass.
+ */
+export declare function checkReadinessGate(cmd: CommandObject): ReadinessGateResult;
+/**
+ * Enforce readiness gate — exits the process if validation fails.
+ */
+export declare function enforceReadinessGate(cmd: CommandObject): void;
+/**
+ * Check if a command requires readiness validation.
+ */
+export declare function requiresReadinessValidation(primary: string, sub?: string): boolean;
+//# sourceMappingURL=readiness-gate.d.ts.map

package/dist/gates/readiness-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"readiness-gate.d.ts","sourceRoot":"","sources":["../../src/gates/readiness-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAKH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAMvD,eAAO,MAAM,wBAAwB,MAAM,CAAC;AAE5C;;;GAGG;AACH,MAAM,MAAM,cAAc,GACtB,iBAAiB,GACjB,mCAAmC,GACnC,iBAAiB,CAAC;AAiCtB,MAAM,WAAW,mBAAmB;IAClC,sDAAsD;IACtD,OAAO,EAAE,OAAO,CAAC;IACjB,yCAAyC;IACzC,OAAO,EAAE,MAAM,CAAC;IAChB,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,iBAAiB,EAAE,OAAO,CAAC;IAC3B,0CAA0C;IAC1C,KAAK,CAAC,EAAE,cAAc,CAAC;CACxB;AAMD,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,cAAc,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE;QACd,MAAM,EAAE,OAAO,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;QACf,mBAAmB,EAAE,MAAM,CAAC;QAC5B,uBAAuB,EAAE,MAAM,CAAC;QAChC,iBAAiB,EAAE,KAAK,CAAC;YACvB,EAAE,EAAE,MAAM,CAAC;YACX,MAAM,EAAE,MAAM,CAAC;YACf,QAAQ,EAAE,MAAM,CAAC;YACjB,MAAM,EAAE,MAAM,CAAC;SAChB,CAAC,CAAC;KACJ,CAAC;IACF,qBAAqB,EAAE;QACrB,cAAc,EAAE,MAAM,CAAC;QACvB,gBAAgB,EAAE,MAAM,CAAC;QACzB,cAAc,EAAE,MAAM,CAAC;QACvB,aAAa,EAAE,MAAM,CAAC;QACtB,aAAa,EAAE,MAAM,EAAE,CAAC;QACxB,eAAe,EAAE,MAAM,EAAE,CAAC;KAC3B,CAAC;IACF,iBAAiB,EAAE;QACjB,oBAAoB,EAAE,MAAM,CAAC;QAC7B,oBAAoB,EAAE,MAAM,CAAC;QAC7B,kBAAkB,EAAE,MAAM,CAAC;QAC3B,kBAAkB,EAAE,MAAM,CAAC;QAC3B,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,YAAY,EAAE;QACZ,MAAM,EAAE,MAAM,CAAC;QACf,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AAcD;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,kBAAkB,GAAG,IAAI,CAc9D;AAMD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,aAAa,GAAG,mBAAmB,CA8E1E;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,aAAa,GAAG,IAAI,CAc7D;AAED;;GAEG;AACH,wBAAgB,2BAA2B,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAMlF"}