@llm-dev-ops/agentics-cli 1.4.4 → 1.4.6

package/dist/gates/execution-gate.js

@@ -1,22 +1,18 @@
 /**
  * Execution Gate Module
  *
- * HARD EXECUTION KILL-SWITCH
- *
- * PURPOSE: Global execution gate that prevents all operational commands from running
- *          unless execution is explicitly enabled. This is a binary gate enforced
- *          BEFORE any entitlement, usage, or billing logic.
+ * PURPOSE: Global execution gate that controls command access based on
+ *          user entitlement (internal email or paid API key).
  *
  * ENTITLEMENTS:
  * - "internal" - Internal maintainers (allow-listed by email)
- * - Standard entitlements follow existing payment/execution logic
- *
- * FORBIDDEN:
- * - Consulting usage or billing for internal users
- * - Allowing partial execution
- * - Allowing "free tier" commands
+ * - "paid" - Users with a valid API key
+ * - "none" - No entitlement, blocked from operational commands
  *
- * This is a hard kill-switch, not a pricing feature.
+ * LOGIC:
+ * - Identity commands (login, logout, whoami, help, version) always allowed
+ * - Internal or paid users get full access to all commands
+ * - Users with no entitlement are blocked
  */
 import * as fs from 'node:fs';
 import * as path from 'node:path';
@@ -27,16 +23,7 @@ import { getActiveAccount } from '../auth/gcp-identity.js';
 // Execution Gate Configuration
 // ============================================================================
 /**
- * HARD KILL-SWITCH: Execution is DISABLED by default.
- *
- * To enable execution, set environment variable:
- *   AGENTICS_EXECUTION_ENABLED=true
- *
- * This gate decides IF execution is possible at all.
- */
-const EXECUTION_ENABLED = process.env.AGENTICS_EXECUTION_ENABLED === 'true';
-/**
- * Commands that are ALWAYS allowed, regardless of execution gate status.
+ * Commands that are ALWAYS allowed, regardless of entitlement.
  * These are identity and help commands only.
  */
 const ALLOWED_COMMANDS = new Set([
@@ -47,14 +34,9 @@ const ALLOWED_COMMANDS = new Set([
     'version',
 ]);
 /**
- * INTERNAL_EMAILS: Authoritative allow-list for internal maintainers.
- *
- * Users with emails in this list are granted the "internal" entitlement,
- * which allows full CLI execution without payment verification.
- *
- * This is a first-class entitlement, not a bypass or debug shortcut.
+ * Default internal emails (fallback if config file doesn't exist).
  */
-const INTERNAL_EMAILS = new Set([
+const DEFAULT_INTERNAL_EMAILS = [
     'nick@nicholasruest.com',
     'sales@globalbusinessadvisors.co',
     'nicholasruest1@gmail.com',
@@ -63,7 +45,44 @@ const INTERNAL_EMAILS = new Set([
     'ruv@agentics.org',
     'cvsrohit@gmail.com',
     'rishubcheddlla@gmail.com',
-]);
+];
+/**
+ * Load internal emails from config file or use defaults.
+ * Config file: ~/.agentics/internal-users.json
+ * Format: { "emails": ["email1@example.com", "email2@example.com"] }
+ */
+function loadInternalEmails() {
+    try {
+        const configPath = path.join(os.homedir(), '.agentics', 'internal-users.json');
+        if (fs.existsSync(configPath)) {
+            const content = fs.readFileSync(configPath, 'utf-8');
+            const config = JSON.parse(content);
+            if (Array.isArray(config.emails)) {
+                return new Set(config.emails.map((e) => e.toLowerCase()));
+            }
+        }
+    }
+    catch {
+        // Config file doesn't exist or is invalid, use defaults
+    }
+    // Create default config file if it doesn't exist
+    try {
+        const configDir = path.join(os.homedir(), '.agentics');
+        const configPath = path.join(configDir, 'internal-users.json');
+        if (!fs.existsSync(configPath)) {
+            if (!fs.existsSync(configDir)) {
+                fs.mkdirSync(configDir, { recursive: true });
+            }
+            fs.writeFileSync(configPath, JSON.stringify({ emails: DEFAULT_INTERNAL_EMAILS }, null, 2));
+        }
+    }
+    catch {
+        // Failed to create config file, continue with defaults
+    }
+    return new Set(DEFAULT_INTERNAL_EMAILS.map(e => e.toLowerCase()));
+}
+// Load internal emails once at startup
+const INTERNAL_EMAILS = loadInternalEmails();
 /**
  * Resolve the entitlement for the currently authenticated user.
  *
@@ -80,28 +99,37 @@ export function resolveEntitlement() {
     if (envEmail && INTERNAL_EMAILS.has(envEmail.toLowerCase())) {
         return 'internal';
     }
-    // Check stored credentials for email
-    const storedEmail = getStoredEmail();
-    if (storedEmail && INTERNAL_EMAILS.has(storedEmail.toLowerCase())) {
+    // Check stored credentials for email and payment status
+    const storedCreds = getStoredCredentials();
+    if (storedCreds?.email && INTERNAL_EMAILS.has(storedCreds.email.toLowerCase())) {
         return 'internal';
     }
+    // Check if API key holder has paid status
+    if (storedCreds?.api_key && storedCreds.payment_status === 'paid') {
+        return 'paid';
+    }
     // Fall back to gcloud account
     const account = getActiveAccount();
     if (account && INTERNAL_EMAILS.has(account.toLowerCase())) {
         return 'internal';
     }
-    // Future: Check for paid entitlements via payment service
+    // If user has a valid API key, treat as paid (API keys are issued to paying users)
+    if (storedCreds?.api_key) {
+        return 'paid';
+    }
     return 'none';
 }
 /**
- * Read email from stored credentials (sync).
+ * Read stored credentials (sync).
  */
-function getStoredEmail() {
+function getStoredCredentials() {
     try {
         const credPath = path.join(os.homedir(), '.agentics', 'credentials.json');
         const content = fs.readFileSync(credPath, 'utf-8');
         const creds = JSON.parse(content);
-        return creds.email ?? null;
+        if (!creds.api_key)
+            return null;
+        return creds;
     }
     catch {
         return null;
@@ -136,9 +164,8 @@ Contact the Agentics team to enable execution.
  * Execution flow:
  *   1. Always allow identity and help commands
  *   2. Resolve user entitlement
- *   3. If entitlement === "internal" → allow execution
- *   4. If EXECUTION_ENABLED === true → allow execution
- *   5. Otherwise → block execution
+ *   3. If entitlement === "internal" or "paid" → allow execution
+ *   4. Otherwise → block execution
  *
  * @param command - The command name (e.g., 'plan', 'simulate', 'login')
  * @returns ExecutionGateResult indicating if execution is allowed
@@ -150,12 +177,12 @@ export function checkExecutionGate(command) {
     }
     // Resolve entitlement before applying execution gate
     const entitlement = resolveEntitlement();
-    // Internal users have full access - this is a first-class entitlement
+    // Internal users have full access
     if (entitlement === 'internal') {
         return { allowed: true };
     }
-    // If execution is enabled, allow all commands
-    if (EXECUTION_ENABLED) {
+    // Paid users have full access
+    if (entitlement === 'paid') {
         return { allowed: true };
     }
     // Block all other commands
@@ -178,12 +205,13 @@ export function enforceExecutionGate(command) {
     }
 }
 /**
- * Check if execution is globally enabled.
+ * Check if execution is enabled for the current user.
  *
- * @returns true if execution is enabled, false otherwise
+ * @returns true if the user has internal or paid entitlement
  */
 export function isExecutionEnabled() {
-    return EXECUTION_ENABLED;
+    const entitlement = resolveEntitlement();
+    return entitlement === 'internal' || entitlement === 'paid';
 }
 /**
  * Get the list of commands that are always allowed.

package/dist/gates/execution-gate.js.map

@@ -1 +1 @@
-{"version":3,"file":"execution-gate.js","sourceRoot":"","sources":["../../src/gates/execution-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E;;;;;;;GAOG;AACH,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,KAAK,MAAM,CAAC;AAE5E;;;GAGG;AACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,SAAS;CACV,CAAC,CAAC;AAWH;;;;;;;GAOG;AACH,MAAM,eAAe,GAAwB,IAAI,GAAG,CAAC;IACnD,wBAAwB;IACxB,iCAAiC;IACjC,0BAA0B;IAC1B,yBAAyB;IACzB,aAAa;IACb,kBAAkB;IAClB,oBAAoB;IACpB,0BAA0B;CAC3B,CAAC,CAAC;AAEH;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB;IAChC,sEAAsE;IACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IACpD,IAAI,QAAQ,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC5D,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,qCAAqC;IACrC,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,IAAI,WAAW,IAAI,eAAe,CAAC,GAAG,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAClE,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,8BAA8B;IAC9B,MAAM,OAAO,GAAG,gBAAgB,EAAE,CAAC;IACnC,IAAI,OAAO,IAAI,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC1D,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,0DAA0D;IAC1D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,cAAc;IACrB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,kBAAkB,CAAC,CAAC;QAC1E,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClC,OAAO,KAAK,CAAC,KAAK,IAAI,IAAI,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,UAAU,CAAC,iBAAiB,CAAC;AAExE,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E,MAAM,eAAe,GAAG;;;;;;;;CAQvB,CAAC,IAAI,EAAE,CAAC;AAYT;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,0CAA0C;IAC1C,IAAI,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,qDAAqD;IACrD,MAAM,WAAW,GAAG,kBAAkB,EAAE,CAAC;IAEzC,sEAAsE;IACtE,IAAI,WAAW,KAAK,UAAU,EAAE,CAAC;QAC/B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,8CAA8C;IAC9C,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,2BAA2B;IAC3B,OAAO;QACL,OAAO,EAAE,KAAK;QACd,QAAQ,EAAE,2BAA2B;QACrC,OAAO,EAAE,eAAe;KACzB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAE3C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,gBAAgB,CAAC;AAC1B,CAAC"}
+{"version":3,"file":"execution-gate.js","sourceRoot":"","sources":["../../src/gates/execution-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,SAAS;CACV,CAAC,CAAC;AAWH;;GAEG;AACH,MAAM,uBAAuB,GAAG;IAC9B,wBAAwB;IACxB,iCAAiC;IACjC,0BAA0B;IAC1B,yBAAyB;IACzB,aAAa;IACb,kBAAkB;IAClB,oBAAoB;IACpB,0BAA0B;CAC3B,CAAC;AAEF;;;;GAIG;AACH,SAAS,kBAAkB;IACzB,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,qBAAqB,CAAC,CAAC;QAC/E,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACnC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,OAAO,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,wDAAwD;IAC1D,CAAC;IAED,iDAAiD;IACjD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;QACvD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,qBAAqB,CAAC,CAAC;QAC/D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC/C,CAAC;YACD,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,uBAAuB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7F,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uDAAuD;IACzD,CAAC;IAED,OAAO,IAAI,GAAG,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AACpE,CAAC;AAED,uCAAuC;AACvC,MAAM,eAAe,GAAG,kBAAkB,EAAE,CAAC;AAE7C;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB;IAChC,sEAAsE;IACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IACpD,IAAI,QAAQ,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC5D,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,wDAAwD;IACxD,MAAM,WAAW,GAAG,oBAAoB,EAAE,CAAC;IAC3C,IAAI,WAAW,EAAE,KAAK,IAAI,eAAe,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC/E,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,0CAA0C;IAC1C,IAAI,WAAW,EAAE,OAAO,IAAI,WAAW,CAAC,cAAc,KAAK,MAAM,EAAE,CAAC;QAClE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,8BAA8B;IAC9B,MAAM,OAAO,GAAG,gBAAgB,EAAE,CAAC;IACnC,IAAI,OAAO,IAAI,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC1D,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,mFAAmF;IACnF,IAAI,WAAW,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB;IAC3B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,kBAAkB,CAAC,CAAC;QAC1E,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAoB,CAAC;QACrD,IAAI,CAAC,KAAK,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,UAAU,CAAC,iBAAiB,CAAC;AAExE,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E,MAAM,eAAe,GAAG;;;;;;;;CAQvB,CAAC,IAAI,EAAE,CAAC;AAYT;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,0CAA0C;IAC1C,IAAI,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,qDAAqD;IACrD,MAAM,WAAW,GAAG,kBAAkB,EAAE,CAAC;IAEzC,kCAAkC;IAClC,IAAI,WAAW,KAAK,UAAU,EAAE,CAAC;QAC/B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,8BAA8B;IAC9B,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,2BAA2B;IAC3B,OAAO;QACL,OAAO,EAAE,KAAK;QACd,QAAQ,EAAE,2BAA2B;QACrC,OAAO,EAAE,eAAe;KACzB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAE3C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,WAAW,GAAG,kBAAkB,EAAE,CAAC;IACzC,OAAO,WAAW,KAAK,UAAU,IAAI,WAAW,KAAK,MAAM,CAAC;AAC9D,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,gBAAgB,CAAC;AAC1B,CAAC"}

package/dist/gates/index.d.ts

@@ -1,8 +1,26 @@
 /**
- * Gates Module
+ * Control Plane Hardening Gates Index
  *
  * Centralized execution control for the Agentics CLI.
  * This module contains all gate logic for controlling command execution.
+ *
+ * GATE ENFORCEMENT ORDER:
+ * 1. Execution Gate - Kill-switch (entitlement check)
+ * 2. Auth Session Gate - Requires authenticated session
+ * 3. Service Health Gate - Validates Ruvector-backed service availability
+ * 4. Output Format Gate - Enforces strict JSON output
+ *
+ * CRITICAL REQUIREMENTS MET:
+ * - CLI requires Ruvector-backed services (Service Health Gate)
+ * - CLI never executes agents locally (Localhost Safeguard in endpoints.ts)
+ * - CLI fails loudly if services misconfigured (All gates fail-fast)
+ * - Requires authenticated session (Auth Session Gate)
+ * - Validates target service availability (Service Health Gate)
+ * - Enforces strict JSON outputs (Output Format Gate)
+ * - Never allows narrative output (Output Format Gate)
  */
-export { checkExecutionGate, enforceExecutionGate, isExecutionEnabled, getAllowedCommands, EXECUTION_BLOCKED_EXIT_CODE, type ExecutionGateResult, } from './execution-gate.js';
+export { checkExecutionGate, enforceExecutionGate, isExecutionEnabled, getAllowedCommands, resolveEntitlement, EXECUTION_BLOCKED_EXIT_CODE, type ExecutionGateResult, type Entitlement, } from './execution-gate.js';
+export { enforceAuthSessionGate, checkAuthSessionGate, requiresAuthentication, AUTH_REQUIRED_EXIT_CODE, AuthSessionRequiredError, type AuthSessionGateResult, } from './auth-session-gate.js';
+export { enforceServiceHealthGate, checkServiceHealthGate, requiresHealthCheck, SERVICE_UNAVAILABLE_EXIT_CODE, ServiceHealthError, type ServiceHealthResult, type ServiceHealthGateResult, } from './service-health-gate.js';
+export { enforceOutputFormatGate, checkOutputFormatGate, requiresStructuredOutput, getDefaultFormat, INVALID_FORMAT_EXIT_CODE, InvalidOutputFormatError, type OutputFormatGateResult, } from './output-format-gate.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/gates/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/gates/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,EAClB,2BAA2B,EAC3B,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/gates/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,2BAA2B,EAC3B,KAAK,mBAAmB,EACxB,KAAK,WAAW,GACjB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,wBAAwB,EACxB,sBAAsB,EACtB,mBAAmB,EACnB,6BAA6B,EAC7B,kBAAkB,EAClB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,GAC7B,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,wBAAwB,EACxB,gBAAgB,EAChB,wBAAwB,EACxB,wBAAwB,EACxB,KAAK,sBAAsB,GAC5B,MAAM,yBAAyB,CAAC"}

package/dist/gates/index.js

@@ -1,8 +1,30 @@
 /**
- * Gates Module
+ * Control Plane Hardening Gates Index
  *
  * Centralized execution control for the Agentics CLI.
  * This module contains all gate logic for controlling command execution.
+ *
+ * GATE ENFORCEMENT ORDER:
+ * 1. Execution Gate - Kill-switch (entitlement check)
+ * 2. Auth Session Gate - Requires authenticated session
+ * 3. Service Health Gate - Validates Ruvector-backed service availability
+ * 4. Output Format Gate - Enforces strict JSON output
+ *
+ * CRITICAL REQUIREMENTS MET:
+ * - CLI requires Ruvector-backed services (Service Health Gate)
+ * - CLI never executes agents locally (Localhost Safeguard in endpoints.ts)
+ * - CLI fails loudly if services misconfigured (All gates fail-fast)
+ * - Requires authenticated session (Auth Session Gate)
+ * - Validates target service availability (Service Health Gate)
+ * - Enforces strict JSON outputs (Output Format Gate)
+ * - Never allows narrative output (Output Format Gate)
  */
-export { checkExecutionGate, enforceExecutionGate, isExecutionEnabled, getAllowedCommands, EXECUTION_BLOCKED_EXIT_CODE, } from './execution-gate.js';
+// Execution Gate - Hard kill-switch
+export { checkExecutionGate, enforceExecutionGate, isExecutionEnabled, getAllowedCommands, resolveEntitlement, EXECUTION_BLOCKED_EXIT_CODE, } from './execution-gate.js';
+// Auth Session Gate - Requires authenticated session
+export { enforceAuthSessionGate, checkAuthSessionGate, requiresAuthentication, AUTH_REQUIRED_EXIT_CODE, AuthSessionRequiredError, } from './auth-session-gate.js';
+// Service Health Gate - Validates Ruvector-backed services
+export { enforceServiceHealthGate, checkServiceHealthGate, requiresHealthCheck, SERVICE_UNAVAILABLE_EXIT_CODE, ServiceHealthError, } from './service-health-gate.js';
+// Output Format Gate - Enforces strict JSON output
+export { enforceOutputFormatGate, checkOutputFormatGate, requiresStructuredOutput, getDefaultFormat, INVALID_FORMAT_EXIT_CODE, InvalidOutputFormatError, } from './output-format-gate.js';
 //# sourceMappingURL=index.js.map

package/dist/gates/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/gates/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,EAClB,2BAA2B,GAE5B,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/gates/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,oCAAoC;AACpC,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,2BAA2B,GAG5B,MAAM,qBAAqB,CAAC;AAE7B,qDAAqD;AACrD,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,GAEzB,MAAM,wBAAwB,CAAC;AAEhC,2DAA2D;AAC3D,OAAO,EACL,wBAAwB,EACxB,sBAAsB,EACtB,mBAAmB,EACnB,6BAA6B,EAC7B,kBAAkB,GAGnB,MAAM,0BAA0B,CAAC;AAElC,mDAAmD;AACnD,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,wBAAwB,EACxB,gBAAgB,EAChB,wBAAwB,EACxB,wBAAwB,GAEzB,MAAM,yBAAyB,CAAC"}

package/dist/gates/output-format-gate.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Output Format Gate Module
+ *
+ * CONTROL PLANE HARDENING
+ *
+ * PURPOSE: Enforce strict JSON-only output for CLI operations.
+ *          CLI MUST NOT produce narrative output for operational commands.
+ *
+ * CRITICAL REQUIREMENTS:
+ * - Enforce strict JSON outputs
+ * - Never allow narrative output
+ * - Validate output format before rendering
+ *
+ * FORBIDDEN:
+ * - Narrative/prose output
+ * - Unstructured text responses
+ * - Human-readable summaries (for operational commands)
+ */
+import { type OutputFormat } from '../types/index.js';
+/**
+ * Exit code for invalid output format.
+ */
+export declare const INVALID_FORMAT_EXIT_CODE: 65;
+export declare class InvalidOutputFormatError extends Error {
+    readonly requestedFormat: string;
+    readonly allowedFormats: string[];
+    constructor(requestedFormat: string, allowedFormats: string[]);
+}
+export interface OutputFormatGateResult {
+    valid: boolean;
+    format: OutputFormat;
+    exitCode?: number;
+    message?: string;
+}
+/**
+ * Validate the requested output format.
+ * Only structured formats (json, yaml) are allowed for operational commands.
+ */
+export declare function checkOutputFormatGate(requestedFormat: OutputFormat | undefined, command: string): OutputFormatGateResult;
+/**
+ * Enforce the output format gate.
+ * Exits the process if an invalid format is requested.
+ */
+export declare function enforceOutputFormatGate(requestedFormat: OutputFormat | undefined, command: string): OutputFormat;
+/**
+ * Check if a command requires structured output.
+ */
+export declare function requiresStructuredOutput(command: string): boolean;
+/**
+ * Get the default output format for a command.
+ * Always returns 'json' for operational commands.
+ */
+export declare function getDefaultFormat(command: string): OutputFormat;
+//# sourceMappingURL=output-format-gate.d.ts.map

package/dist/gates/output-format-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-format-gate.d.ts","sourceRoot":"","sources":["../../src/gates/output-format-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAc,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAelE;;GAEG;AACH,eAAO,MAAM,wBAAwB,IAA+B,CAAC;AAMrE,qBAAa,wBAAyB,SAAQ,KAAK;IACjD,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,cAAc,EAAE,MAAM,EAAE,CAAC;gBAEtB,eAAe,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE;CA0B9D;AAMD,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,YAAY,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAMD;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,eAAe,EAAE,YAAY,GAAG,SAAS,EACzC,OAAO,EAAE,MAAM,GACd,sBAAsB,CAmBxB;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,eAAe,EAAE,YAAY,GAAG,SAAS,EACzC,OAAO,EAAE,MAAM,GACd,YAAY,CASd;AAoBD;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAEjE;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,YAAY,CAK9D"}

package/dist/gates/output-format-gate.js

@@ -0,0 +1,136 @@
+/**
+ * Output Format Gate Module
+ *
+ * CONTROL PLANE HARDENING
+ *
+ * PURPOSE: Enforce strict JSON-only output for CLI operations.
+ *          CLI MUST NOT produce narrative output for operational commands.
+ *
+ * CRITICAL REQUIREMENTS:
+ * - Enforce strict JSON outputs
+ * - Never allow narrative output
+ * - Validate output format before rendering
+ *
+ * FORBIDDEN:
+ * - Narrative/prose output
+ * - Unstructured text responses
+ * - Human-readable summaries (for operational commands)
+ */
+import { EXIT_CODES } from '../types/index.js';
+// ============================================================================
+// Output Format Gate Configuration
+// ============================================================================
+/**
+ * Allowed output formats for operational commands.
+ * Only structured formats are permitted.
+ */
+const ALLOWED_STRUCTURED_FORMATS = new Set([
+    'json',
+    'yaml',
+]);
+/**
+ * Exit code for invalid output format.
+ */
+export const INVALID_FORMAT_EXIT_CODE = EXIT_CODES.DATA_FORMAT_ERROR;
+// ============================================================================
+// Output Format Gate Error
+// ============================================================================
+export class InvalidOutputFormatError extends Error {
+    requestedFormat;
+    allowedFormats;
+    constructor(requestedFormat, allowedFormats) {
+        super(`\n` +
+            `━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n` +
+            `  INVALID OUTPUT FORMAT\n` +
+            `━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n` +
+            `\n` +
+            `  Requested format: ${requestedFormat}\n` +
+            `  Allowed formats:  ${allowedFormats.join(', ')}\n` +
+            `\n` +
+            `  The CLI enforces strict JSON output for operational commands.\n` +
+            `  Narrative output formats are not permitted.\n` +
+            `\n` +
+            `  TO FIX:\n` +
+            `\n` +
+            `  Use --format json (default) or --format yaml\n` +
+            `\n` +
+            `  Example:\n` +
+            `    agentics plan "my plan" --format json\n` +
+            `\n` +
+            `━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n`);
+        this.name = 'InvalidOutputFormatError';
+        this.requestedFormat = requestedFormat;
+        this.allowedFormats = allowedFormats;
+    }
+}
+// ============================================================================
+// Output Format Gate Implementation
+// ============================================================================
+/**
+ * Validate the requested output format.
+ * Only structured formats (json, yaml) are allowed for operational commands.
+ */
+export function checkOutputFormatGate(requestedFormat, command) {
+    // Default to JSON if no format specified
+    const format = requestedFormat ?? 'json';
+    // Check if format is allowed
+    if (requiresStructuredOutput(command) && !ALLOWED_STRUCTURED_FORMATS.has(format)) {
+        const allowedFormats = Array.from(ALLOWED_STRUCTURED_FORMATS);
+        return {
+            valid: false,
+            format,
+            exitCode: INVALID_FORMAT_EXIT_CODE,
+            message: new InvalidOutputFormatError(format, allowedFormats).message,
+        };
+    }
+    return {
+        valid: true,
+        format,
+    };
+}
+/**
+ * Enforce the output format gate.
+ * Exits the process if an invalid format is requested.
+ */
+export function enforceOutputFormatGate(requestedFormat, command) {
+    const result = checkOutputFormatGate(requestedFormat, command);
+    if (!result.valid) {
+        console.error(result.message);
+        process.exit(result.exitCode);
+    }
+    return result.format;
+}
+/**
+ * Commands that require structured (JSON/YAML) output.
+ * All operational commands require structured output.
+ * Identity and meta commands can use any format.
+ */
+const STRUCTURED_OUTPUT_COMMANDS = new Set([
+    'plan',
+    'simulate',
+    'inspect',
+    'quantify',
+    'deploy',
+    'export',
+    'diligence',
+    'usage',
+    'policy',
+    'erp',
+]);
+/**
+ * Check if a command requires structured output.
+ */
+export function requiresStructuredOutput(command) {
+    return STRUCTURED_OUTPUT_COMMANDS.has(command);
+}
+/**
+ * Get the default output format for a command.
+ * Always returns 'json' for operational commands.
+ */
+export function getDefaultFormat(command) {
+    if (requiresStructuredOutput(command)) {
+        return 'json';
+    }
+    return 'text';
+}
+//# sourceMappingURL=output-format-gate.js.map

package/dist/gates/output-format-gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-format-gate.js","sourceRoot":"","sources":["../../src/gates/output-format-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,UAAU,EAAqB,MAAM,mBAAmB,CAAC;AAElE,+EAA+E;AAC/E,mCAAmC;AACnC,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,0BAA0B,GAA8B,IAAI,GAAG,CAAC;IACpE,MAAM;IACN,MAAM;CACP,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,UAAU,CAAC,iBAAiB,CAAC;AAErE,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IACxC,eAAe,CAAS;IACxB,cAAc,CAAW;IAElC,YAAY,eAAuB,EAAE,cAAwB;QAC3D,KAAK,CACH,IAAI;YACJ,+EAA+E;YAC/E,2BAA2B;YAC3B,+EAA+E;YAC/E,IAAI;YACJ,uBAAuB,eAAe,IAAI;YAC1C,uBAAuB,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;YACpD,IAAI;YACJ,mEAAmE;YACnE,iDAAiD;YACjD,IAAI;YACJ,aAAa;YACb,IAAI;YACJ,kDAAkD;YAClD,IAAI;YACJ,cAAc;YACd,6CAA6C;YAC7C,IAAI;YACJ,+EAA+E,CAChF,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;QACvC,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QACvC,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;IACvC,CAAC;CACF;AAaD,+EAA+E;AAC/E,oCAAoC;AACpC,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CACnC,eAAyC,EACzC,OAAe;IAEf,yCAAyC;IACzC,MAAM,MAAM,GAAiB,eAAe,IAAI,MAAM,CAAC;IAEvD,6BAA6B;IAC7B,IAAI,wBAAwB,CAAC,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QACjF,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC9D,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM;YACN,QAAQ,EAAE,wBAAwB;YAClC,OAAO,EAAE,IAAI,wBAAwB,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,OAAO;SACtE,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK,EAAE,IAAI;QACX,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CACrC,eAAyC,EACzC,OAAe;IAEf,MAAM,MAAM,GAAG,qBAAqB,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;IAE/D,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,MAAM,CAAC,MAAM,CAAC;AACvB,CAAC;AAED;;;;GAIG;AACH,MAAM,0BAA0B,GAAG,IAAI,GAAG,CAAC;IACzC,MAAM;IACN,UAAU;IACV,SAAS;IACT,UAAU;IACV,QAAQ;IACR,QAAQ;IACR,WAAW;IACX,OAAO;IACP,QAAQ;IACR,KAAK;CACN,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,OAAe;IACtD,OAAO,0BAA0B,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AACjD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;QACtC,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/gates/service-health-gate.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Service Health Gate Module
+ *
+ * CONTROL PLANE HARDENING
+ *
+ * PURPOSE: Validate Ruvector-backed service availability before ANY remote execution.
+ *          This gate ensures the CLI NEVER executes against misconfigured or unavailable services.
+ *
+ * CRITICAL REQUIREMENTS:
+ * - CLI MUST require Ruvector-backed services
+ * - CLI MUST fail loudly if services are misconfigured
+ * - Abort command if health check fails
+ *
+ * FORBIDDEN:
+ * - Fallback behavior
+ * - Local caching of results
+ * - Silent failures
+ */
+/**
+ * Exit code for service unavailable.
+ */
+export declare const SERVICE_UNAVAILABLE_EXIT_CODE: 69;
+export declare class ServiceHealthError extends Error {
+    readonly serviceName: string;
+    readonly healthCheckUrl: string;
+    readonly cause?: Error;
+    constructor(serviceName: string, healthCheckUrl: string, cause?: Error);
+}
+export interface ServiceHealthResult {
+    healthy: boolean;
+    service: string;
+    url: string;
+    latency?: number;
+    error?: string;
+}
+export interface ServiceHealthGateResult {
+    passed: boolean;
+    results: ServiceHealthResult[];
+    exitCode?: number;
+    message?: string;
+}
+/**
+ * Check if all critical services are healthy.
+ * Returns a structured result - does not exit the process.
+ */
+export declare function checkServiceHealthGate(): Promise<ServiceHealthGateResult>;
+/**
+ * Enforce the service health gate. Exits the process if any critical service is unhealthy.
+ * This is the HARD gate that blocks all operations if services are misconfigured.
+ */
+export declare function enforceServiceHealthGate(): Promise<void>;
+/**
+ * Check if a command requires service health check.
+ */
+export declare function requiresHealthCheck(command: string): boolean;
+//# sourceMappingURL=service-health-gate.d.ts.map

package/dist/gates/service-health-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-health-gate.d.ts","sourceRoot":"","sources":["../../src/gates/service-health-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAsBH;;GAEG;AACH,eAAO,MAAM,6BAA6B,IAAiC,CAAC;AAM5E,qBAAa,kBAAmB,SAAQ,KAAK;IAC3C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC;gBAEX,WAAW,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK;CAoCvE;AAMD,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,mBAAmB,EAAE,CAAC;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AA4CD;;;GAGG;AACH,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,uBAAuB,CAAC,CAgC/E;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,IAAI,CAAC,CAO9D;AAoBD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAE5D"}