@llm-dev-ops/agentics-cli 1.4.4 → 1.4.7

package/dist/enterprise/lineage.js

@@ -0,0 +1,218 @@
+/**
+ * Lineage Tracking Module (ADR-004, Domain 2)
+ *
+ * PURPOSE: Track parent-child relationships between simulation artifacts.
+ * Ruvector stores lineage as first-class data, not inferred from timestamps.
+ *
+ * INVARIANTS ENFORCED:
+ * - Invariant 1: Every simulation has a memory footprint
+ * - Invariant 2: Every integration/ERP mapping derives from a simulation
+ * - Invariant 3: No integration proposal without traceability
+ * - Invariant 7: CLI is only path for artifact creation
+ *
+ * FORBIDDEN:
+ * - Creating lineage without a simulation parent
+ * - Querying live enterprise systems
+ * - Storing credentials or tokens
+ * - Business logic (lineage is structural, not behavioral)
+ */
+import * as crypto from 'node:crypto';
+// ============================================================================
+// Lineage Record Construction
+// ============================================================================
+/**
+ * Create a lineage record for an artifact.
+ * Every artifact persisted in Ruvector must have a corresponding lineage record.
+ *
+ * @param artifactId - The artifact this lineage entry describes
+ * @param category - The type of artifact
+ * @param simulationId - The parent simulation (Invariant 2)
+ * @param decisionContext - The natural language input that seeded synthesis
+ * @param attribution - Identity attribution (user_id, org_id)
+ * @param planId - The plan this artifact belongs to (optional)
+ */
+export function createLineageRecord(artifactId, category, simulationId, decisionContext, attribution, planId) {
+    return {
+        id: `lin-${crypto.randomUUID()}`,
+        artifact_id: artifactId,
+        artifact_category: category,
+        simulation_id: simulationId,
+        plan_id: planId,
+        decision_context: decisionContext,
+        attribution,
+        governance: {
+            gate_pipeline_version: '1.0.0',
+            synthesis_classification: classifySynthesis(category),
+        },
+        created_at: new Date().toISOString(),
+    };
+}
+/**
+ * Determine the synthesis classification for an artifact category.
+ * Mirrors ADR-001 classifications.
+ */
+function classifySynthesis(category) {
+    switch (category) {
+        case 'simulation':
+        case 'plan':
+        case 'integration_mapping':
+        case 'erp_proposal':
+        case 'cost_projection':
+        case 'risk_assessment':
+            return 'SYNTHESIS_REQUIRED';
+        case 'deployment':
+        case 'decision':
+            return 'COMMITMENT_GRADE';
+        default:
+            return 'SYNTHESIS_REQUIRED';
+    }
+}
+// ============================================================================
+// Simulation Memory Record Construction
+// ============================================================================
+/**
+ * Create a simulation memory record for Ruvector persistence (Invariant 1).
+ * Called when a simulation is initiated through the CLI.
+ */
+export function createSimulationMemoryRecord(id, intent, attribution) {
+    const now = new Date().toISOString();
+    return {
+        id,
+        type: 'simulation',
+        intent,
+        status: 'created',
+        attribution,
+        artifact_ids: [],
+        created_at: now,
+        updated_at: now,
+        checksum: computeChecksum({ id, intent, created_at: now }),
+    };
+}
+/**
+ * Update a simulation memory record with completion data.
+ */
+export function completeSimulationMemoryRecord(record, result, artifactIds) {
+    const now = new Date().toISOString();
+    return {
+        ...record,
+        status: 'completed',
+        result,
+        artifact_ids: [...record.artifact_ids, ...artifactIds],
+        updated_at: now,
+        checksum: computeChecksum({ ...record, result, updated_at: now }),
+    };
+}
+/**
+ * Mark a simulation memory record as failed.
+ */
+export function failSimulationMemoryRecord(record, error) {
+    const now = new Date().toISOString();
+    return {
+        ...record,
+        status: 'failed',
+        result: { error },
+        updated_at: now,
+        checksum: computeChecksum({ ...record, error, updated_at: now }),
+    };
+}
+// ============================================================================
+// Integration Proposal Construction
+// ============================================================================
+/**
+ * Create an integration proposal derived from a simulation (Invariant 2).
+ * Proposals describe what would change, not what has changed.
+ */
+export function createIntegrationProposal(integrationName, proposedChanges, risks, dependencies, simulationId, attribution, planId) {
+    return {
+        id: `intprop-${crypto.randomUUID()}`,
+        type: 'integration_proposal',
+        integration_name: integrationName,
+        proposed_changes: proposedChanges,
+        risks,
+        dependencies,
+        simulation_id: simulationId,
+        plan_id: planId,
+        attribution,
+        created_at: new Date().toISOString(),
+    };
+}
+// ============================================================================
+// ERP Surface Mapping Construction
+// ============================================================================
+/**
+ * Create an ERP Surface mapping derived from a simulation (Invariant 6).
+ * ERP Surface never initiates — it receives proposed implementations.
+ */
+export function createErpSurfaceMapping(erpType, entityType, proposedImplementation, simulationId, integrationProposalIds, attribution) {
+    return {
+        id: `erpmap-${crypto.randomUUID()}`,
+        type: 'erp_mapping',
+        erp_type: erpType,
+        entity_type: entityType,
+        proposed_implementation: proposedImplementation,
+        simulation_id: simulationId,
+        integration_proposal_ids: integrationProposalIds,
+        attribution,
+        created_at: new Date().toISOString(),
+    };
+}
+// ============================================================================
+// Traceability Validation
+// ============================================================================
+/**
+ * Validate that an artifact has a valid simulation parent.
+ * Returns a validation result with specific error messaging.
+ *
+ * ADR-004, Invariant 3: No integration proposal exists without traceability.
+ */
+export function validateTraceability(simulationId, artifactType) {
+    if (!simulationId) {
+        return {
+            valid: false,
+            message: `${artifactType} requires a simulation_id. ` +
+                `All enterprise artifacts must trace to a governed simulation ` +
+                `(ADR-004, Invariant 2).`,
+        };
+    }
+    if (typeof simulationId !== 'string' || simulationId.trim() === '') {
+        return {
+            valid: false,
+            message: `${artifactType} simulation_id must be a non-empty string. ` +
+                `Received: ${String(simulationId)}`,
+        };
+    }
+    return { valid: true, message: '' };
+}
+/**
+ * Validate that a lineage chain is complete.
+ * Checks that simulation → plan → artifact chain is traceable.
+ */
+export function validateLineageChain(records) {
+    const missing = [];
+    for (const record of records) {
+        if (!record.simulation_id) {
+            missing.push(`Lineage ${record.id}: missing simulation_id`);
+        }
+        if (!record.attribution.created_by) {
+            missing.push(`Lineage ${record.id}: missing attribution.created_by`);
+        }
+        if (!record.attribution.org_id) {
+            missing.push(`Lineage ${record.id}: missing attribution.org_id`);
+        }
+        if (!record.decision_context) {
+            missing.push(`Lineage ${record.id}: missing decision_context`);
+        }
+    }
+    return {
+        complete: missing.length === 0,
+        missing,
+    };
+}
+// ============================================================================
+// Internal Helpers
+// ============================================================================
+function computeChecksum(data) {
+    const canonical = JSON.stringify(data);
+    return crypto.createHash('sha256').update(canonical).digest('hex');
+}
+//# sourceMappingURL=lineage.js.map

package/dist/enterprise/lineage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"lineage.js","sourceRoot":"","sources":["../../src/enterprise/lineage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAUtC,+EAA+E;AAC/E,8BAA8B;AAC9B,+EAA+E;AAE/E;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB,CACjC,UAAkB,EAClB,QAA0B,EAC1B,YAAoB,EACpB,eAAuB,EACvB,WAAwB,EACxB,MAAe;IAEf,OAAO;QACL,EAAE,EAAE,OAAO,MAAM,CAAC,UAAU,EAAE,EAAE;QAChC,WAAW,EAAE,UAAU;QACvB,iBAAiB,EAAE,QAAQ;QAC3B,aAAa,EAAE,YAAY;QAC3B,OAAO,EAAE,MAAM;QACf,gBAAgB,EAAE,eAAe;QACjC,WAAW;QACX,UAAU,EAAE;YACV,qBAAqB,EAAE,OAAO;YAC9B,wBAAwB,EAAE,iBAAiB,CAAC,QAAQ,CAAC;SACtD;QACD,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB,CAAC,QAA0B;IACnD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,YAAY,CAAC;QAClB,KAAK,MAAM,CAAC;QACZ,KAAK,qBAAqB,CAAC;QAC3B,KAAK,cAAc,CAAC;QACpB,KAAK,iBAAiB,CAAC;QACvB,KAAK,iBAAiB;YACpB,OAAO,oBAAoB,CAAC;QAC9B,KAAK,YAAY,CAAC;QAClB,KAAK,UAAU;YACb,OAAO,kBAAkB,CAAC;QAC5B;YACE,OAAO,oBAAoB,CAAC;IAChC,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,wCAAwC;AACxC,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,4BAA4B,CAC1C,EAAU,EACV,MAAc,EACd,WAAwB;IAExB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,OAAO;QACL,EAAE;QACF,IAAI,EAAE,YAAY;QAClB,MAAM;QACN,MAAM,EAAE,SAAS;QACjB,WAAW;QACX,YAAY,EAAE,EAAE;QAChB,UAAU,EAAE,GAAG;QACf,UAAU,EAAE,GAAG;QACf,QAAQ,EAAE,eAAe,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;KAC3D,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,8BAA8B,CAC5C,MAA8B,EAC9B,MAAe,EACf,WAAqB;IAErB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,OAAO;QACL,GAAG,MAAM;QACT,MAAM,EAAE,WAAW;QACnB,MAAM;QACN,YAAY,EAAE,CAAC,GAAG,MAAM,CAAC,YAAY,EAAE,GAAG,WAAW,CAAC;QACtD,UAAU,EAAE,GAAG;QACf,QAAQ,EAAE,eAAe,CAAC,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;KAClE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,0BAA0B,CACxC,MAA8B,EAC9B,KAAa;IAEb,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,OAAO;QACL,GAAG,MAAM;QACT,MAAM,EAAE,QAAQ;QAChB,MAAM,EAAE,EAAE,KAAK,EAAE;QACjB,UAAU,EAAE,GAAG;QACf,QAAQ,EAAE,eAAe,CAAC,EAAE,GAAG,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;KACjE,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,oCAAoC;AACpC,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,yBAAyB,CACvC,eAAuB,EACvB,eAAuB,EACvB,KAAe,EACf,YAAsB,EACtB,YAAoB,EACpB,WAAwB,EACxB,MAAe;IAEf,OAAO;QACL,EAAE,EAAE,WAAW,MAAM,CAAC,UAAU,EAAE,EAAE;QACpC,IAAI,EAAE,sBAAsB;QAC5B,gBAAgB,EAAE,eAAe;QACjC,gBAAgB,EAAE,eAAe;QACjC,KAAK;QACL,YAAY;QACZ,aAAa,EAAE,YAAY;QAC3B,OAAO,EAAE,MAAM;QACf,WAAW;QACX,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,mCAAmC;AACnC,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CACrC,OAAe,EACf,UAAkB,EAClB,sBAA+B,EAC/B,YAAoB,EACpB,sBAAgC,EAChC,WAAwB;IAExB,OAAO;QACL,EAAE,EAAE,UAAU,MAAM,CAAC,UAAU,EAAE,EAAE;QACnC,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,OAAO;QACjB,WAAW,EAAE,UAAU;QACvB,uBAAuB,EAAE,sBAAsB;QAC/C,aAAa,EAAE,YAAY;QAC3B,wBAAwB,EAAE,sBAAsB;QAChD,WAAW;QACX,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAClC,YAAgC,EAChC,YAAoB;IAEpB,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,OAAO,EAAE,GAAG,YAAY,6BAA6B;gBACnD,+DAA+D;gBAC/D,yBAAyB;SAC5B,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,YAAY,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACnE,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,OAAO,EAAE,GAAG,YAAY,6CAA6C;gBACnE,aAAa,MAAM,CAAC,YAAY,CAAC,EAAE;SACtC,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAwB;IAI3D,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC1B,OAAO,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,EAAE,yBAAyB,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;YACnC,OAAO,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,EAAE,kCAAkC,CAAC,CAAC;QACvE,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC;YAC/B,OAAO,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,EAAE,8BAA8B,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;YAC7B,OAAO,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,EAAE,4BAA4B,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC;QAC9B,OAAO;KACR,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,SAAS,eAAe,CAAC,IAAa;IACpC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACvC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACrE,CAAC"}

package/dist/gates/argument-guard.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Argument Guard Gate (Gate 5)
+ *
+ * Runtime validation middleware derived from ADR-001 (Command Argument Semantics).
+ * This gate enforces:
+ *
+ * 1. ID vs Natural Language argument rules
+ * 2. Required argument presence
+ * 3. Synthesis allow/deny per command
+ * 4. Confirmation enforcement for irreversible commands
+ * 5. Deterministic, instructional error messages
+ *
+ * The ADR (adr-command-semantics.ts) is the authoritative policy.
+ * This gate is mechanically derived from it.
+ */
+import type { CommandObject } from '../types/index.js';
+import { type CommandSpec } from '../contracts/adr-command-semantics.js';
+export interface ArgumentGuardResult {
+    allowed: boolean;
+    exitCode?: number;
+    message?: string;
+    spec?: CommandSpec;
+}
+/**
+ * Check if the given command object passes argument validation.
+ * Returns a result indicating whether the command may proceed.
+ */
+export declare function checkArgumentGuard(cmd: CommandObject): ArgumentGuardResult;
+/**
+ * Enforce the argument guard. Exits the process on failure.
+ * Follows the same pattern as other gates (execution-gate, auth-session-gate).
+ */
+export declare function enforceArgumentGuard(cmd: CommandObject): void;
+/**
+ * Check if a command requires argument validation.
+ * Built-in commands (help, version) are exempt.
+ */
+export declare function requiresArgumentValidation(command: string): boolean;
+//# sourceMappingURL=argument-guard.d.ts.map

package/dist/gates/argument-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"argument-guard.d.ts","sourceRoot":"","sources":["../../src/gates/argument-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAIL,KAAK,WAAW,EAEjB,MAAM,uCAAuC,CAAC;AAO/C,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,WAAW,CAAC;CACpB;AAMD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,aAAa,GAAG,mBAAmB,CA6B1E;AA6HD;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,aAAa,GAAG,IAAI,CAO7D;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAGnE"}

package/dist/gates/argument-guard.js

@@ -0,0 +1,180 @@
+/**
+ * Argument Guard Gate (Gate 5)
+ *
+ * Runtime validation middleware derived from ADR-001 (Command Argument Semantics).
+ * This gate enforces:
+ *
+ * 1. ID vs Natural Language argument rules
+ * 2. Required argument presence
+ * 3. Synthesis allow/deny per command
+ * 4. Confirmation enforcement for irreversible commands
+ * 5. Deterministic, instructional error messages
+ *
+ * The ADR (adr-command-semantics.ts) is the authoritative policy.
+ * This gate is mechanically derived from it.
+ */
+import { lookupCommand, classifyArgument, validateArgument, } from '../contracts/adr-command-semantics.js';
+import { EXIT_CODES } from '../types/index.js';
+// ============================================================================
+// Guard Implementation
+// ============================================================================
+/**
+ * Check if the given command object passes argument validation.
+ * Returns a result indicating whether the command may proceed.
+ */
+export function checkArgumentGuard(cmd) {
+    const { command, subcommand, positionalArgs } = cmd;
+    // Step 1: Look up command spec in ADR registry
+    const spec = lookupCommand(command, subcommand);
+    if (!spec) {
+        // Command not in registry. Commands like 'help', 'version' may have
+        // no subcommand spec. Allow unregistered commands to pass through
+        // (other gates handle unknown commands).
+        const primarySpec = lookupCommand(command);
+        if (!primarySpec && subcommand) {
+            // Try: maybe the subcommand is actually a positional arg
+            // for the primary command (e.g., "plan <manifestQuery>")
+            const parentSpec = lookupCommand(command);
+            if (parentSpec) {
+                const modifiedCmd = {
+                    ...cmd,
+                    positionalArgs: [subcommand, ...positionalArgs],
+                };
+                return validateArgs(parentSpec, modifiedCmd);
+            }
+        }
+        // No spec found — allow through (other gates will catch truly invalid commands)
+        return { allowed: true };
+    }
+    // Step 2: Validate argument count, types, and confirmation requirements
+    return validateArgs(spec, cmd);
+}
+/**
+ * Validate positional arguments against the command spec.
+ * Accepts the full CommandObject to access flags for confirmation checks.
+ */
+function validateArgs(spec, cmd) {
+    const positionalArgs = cmd.positionalArgs;
+    const requiredArgs = spec.args.filter(a => a.required);
+    // Case A: Missing required arguments
+    if (requiredArgs.length > 0 && positionalArgs.length < requiredArgs.length) {
+        const missing = requiredArgs.slice(positionalArgs.length);
+        const missingNames = missing.map(a => `<${a.name}>`).join(' ');
+        const examples = missing.map(a => `  ${a.example}  — ${a.description}`).join('\n');
+        return {
+            allowed: false,
+            exitCode: EXIT_CODES.ARG_VALIDATION_ERROR,
+            message: `Error: Missing required argument${missing.length > 1 ? 's' : ''}: ${missingNames}\n` +
+                `\n` +
+                `Usage: agentics ${spec.command} ${spec.args.map(a => a.required ? `<${a.name}>` : `[${a.name}]`).join(' ')}\n` +
+                `\n` +
+                `Expected:\n` +
+                `${examples}\n` +
+                `\n` +
+                formatArgumentTypeHint(missing[0].type),
+            spec,
+        };
+    }
+    // Case B/C: Wrong argument type
+    for (let i = 0; i < spec.args.length && i < positionalArgs.length; i++) {
+        const argSpec = spec.args[i];
+        const argValue = positionalArgs[i];
+        const error = validateArgument(argValue, argSpec);
+        if (error) {
+            return {
+                allowed: false,
+                exitCode: EXIT_CODES.ARG_VALIDATION_ERROR,
+                message: `Error: Invalid argument for '${spec.command}'\n` +
+                    `\n` +
+                    `${error}\n` +
+                    `\n` +
+                    `Usage: agentics ${spec.command} ${spec.args.map(a => a.required ? `<${a.name}>` : `[${a.name}]`).join(' ')}`,
+                spec,
+            };
+        }
+    }
+    // Case D: Synthesis attempted on forbidden command
+    // (Checked at the command level — if NL detected on SYNTHESIS_FORBIDDEN)
+    if (spec.synthesis === 'SYNTHESIS_FORBIDDEN') {
+        for (let i = 0; i < spec.args.length && i < positionalArgs.length; i++) {
+            const argSpec = spec.args[i];
+            if (argSpec.type === 'ID') {
+                const detected = classifyArgument(positionalArgs[i]);
+                if (detected === 'NATURAL_LANGUAGE') {
+                    return {
+                        allowed: false,
+                        exitCode: EXIT_CODES.ARG_VALIDATION_ERROR,
+                        message: `Error: Synthesis is not allowed on '${spec.command}'.\n` +
+                            `\n` +
+                            `This command requires an ID, not a description.\n` +
+                            `Natural language input triggers synthesis, which is forbidden for this command.\n` +
+                            `\n` +
+                            `Usage: agentics ${spec.command} <${argSpec.name}>\n` +
+                            `Example: agentics ${spec.command} ${argSpec.example}`,
+                        spec,
+                    };
+                }
+            }
+        }
+    }
+    // Case E: Irreversible command without explicit confirmation (ADR-002 Decision 2, Rule 4)
+    if (spec.requiresConfirmation) {
+        const hasForceFlag = cmd.flags['force'] === true;
+        if (!hasForceFlag) {
+            const argsUsage = spec.args.map(a => a.required ? `<${a.name}>` : `[${a.name}]`).join(' ');
+            return {
+                allowed: false,
+                exitCode: EXIT_CODES.ARG_VALIDATION_ERROR,
+                message: `Error: Command '${spec.command}' requires explicit confirmation.\n` +
+                    `\n` +
+                    (spec.irreversible
+                        ? `This command performs an irreversible operation and cannot be undone.\n`
+                        : `This command requires confirmation before proceeding.\n`) +
+                    `You must provide the --force flag to confirm.\n` +
+                    `\n` +
+                    `Usage: agentics ${spec.command} ${argsUsage} --force`,
+                spec,
+            };
+        }
+    }
+    return { allowed: true, spec };
+}
+/**
+ * Generate a hint string for the expected argument type.
+ */
+function formatArgumentTypeHint(type) {
+    switch (type) {
+        case 'ID':
+            return 'Hint: IDs are lowercase, hyphenated identifiers or UUIDs.\n' +
+                '      They resolve to persisted objects. Never use quoted text here.';
+        case 'NATURAL_LANGUAGE':
+            return 'Hint: Descriptions must be quoted natural language strings.\n' +
+                '      They seed synthesis to create new resources.';
+        case 'SELECTOR':
+            return 'Hint: Selectors are keywords like "latest" or UUIDs.\n' +
+                '      They select existing resources without triggering synthesis.';
+    }
+}
+// ============================================================================
+// Gate Enforcement
+// ============================================================================
+/**
+ * Enforce the argument guard. Exits the process on failure.
+ * Follows the same pattern as other gates (execution-gate, auth-session-gate).
+ */
+export function enforceArgumentGuard(cmd) {
+    const result = checkArgumentGuard(cmd);
+    if (!result.allowed) {
+        console.error(result.message);
+        process.exit(result.exitCode ?? EXIT_CODES.ARG_VALIDATION_ERROR);
+    }
+}
+/**
+ * Check if a command requires argument validation.
+ * Built-in commands (help, version) are exempt.
+ */
+export function requiresArgumentValidation(command) {
+    const exempt = ['help', 'version'];
+    return !exempt.includes(command);
+}
+//# sourceMappingURL=argument-guard.js.map

package/dist/gates/argument-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"argument-guard.js","sourceRoot":"","sources":["../../src/gates/argument-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAGH,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,gBAAgB,GAGjB,MAAM,uCAAuC,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAa/C,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAkB;IACnD,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,GAAG,GAAG,CAAC;IAEpD,+CAA+C;IAC/C,MAAM,IAAI,GAAG,aAAa,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAEhD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,oEAAoE;QACpE,kEAAkE;QAClE,yCAAyC;QACzC,MAAM,WAAW,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QAC3C,IAAI,CAAC,WAAW,IAAI,UAAU,EAAE,CAAC;YAC/B,yDAAyD;YACzD,yDAAyD;YACzD,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;YAC1C,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,WAAW,GAAkB;oBACjC,GAAG,GAAG;oBACN,cAAc,EAAE,CAAC,UAAU,EAAE,GAAG,cAAc,CAAC;iBAChD,CAAC;gBACF,OAAO,YAAY,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QACD,gFAAgF;QAChF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,wEAAwE;IACxE,OAAO,YAAY,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,SAAS,YAAY,CAAC,IAAiB,EAAE,GAAkB;IACzD,MAAM,cAAc,GAAG,GAAG,CAAC,cAAc,CAAC;IAC1C,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAEvD,qCAAqC;IACrC,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,cAAc,CAAC,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC;QAC3E,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QAC1D,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC/D,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,OAAO,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEnF,OAAO;YACL,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,UAAU,CAAC,oBAAoB;YACzC,OAAO,EACL,mCAAmC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,IAAI;gBACrF,IAAI;gBACJ,mBAAmB,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI;gBAC/G,IAAI;gBACJ,aAAa;gBACb,GAAG,QAAQ,IAAI;gBACf,IAAI;gBACJ,sBAAsB,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC,IAAI,CAAC;YAC1C,IAAI;SACL,CAAC;IACJ,CAAC;IAED,gCAAgC;IAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,GAAG,cAAc,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,cAAc,CAAC,CAAC,CAAE,CAAC;QACpC,MAAM,KAAK,GAAG,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAElD,IAAI,KAAK,EAAE,CAAC;YACV,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,QAAQ,EAAE,UAAU,CAAC,oBAAoB;gBACzC,OAAO,EACL,gCAAgC,IAAI,CAAC,OAAO,KAAK;oBACjD,IAAI;oBACJ,GAAG,KAAK,IAAI;oBACZ,IAAI;oBACJ,mBAAmB,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;gBAC/G,IAAI;aACL,CAAC;QACJ,CAAC;IACH,CAAC;IAED,mDAAmD;IACnD,yEAAyE;IACzE,IAAI,IAAI,CAAC,SAAS,KAAK,qBAAqB,EAAE,CAAC;QAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,GAAG,cAAc,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC;YAC9B,IAAI,OAAO,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;gBAC1B,MAAM,QAAQ,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAAC,CAAE,CAAC,CAAC;gBACtD,IAAI,QAAQ,KAAK,kBAAkB,EAAE,CAAC;oBACpC,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,QAAQ,EAAE,UAAU,CAAC,oBAAoB;wBACzC,OAAO,EACL,uCAAuC,IAAI,CAAC,OAAO,MAAM;4BACzD,IAAI;4BACJ,mDAAmD;4BACnD,mFAAmF;4BACnF,IAAI;4BACJ,mBAAmB,IAAI,CAAC,OAAO,KAAK,OAAO,CAAC,IAAI,KAAK;4BACrD,qBAAqB,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE;wBACxD,IAAI;qBACL,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,0FAA0F;IAC1F,IAAI,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC9B,MAAM,YAAY,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC;QACjD,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC3F,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,QAAQ,EAAE,UAAU,CAAC,oBAAoB;gBACzC,OAAO,EACL,mBAAmB,IAAI,CAAC,OAAO,qCAAqC;oBACpE,IAAI;oBACJ,CAAC,IAAI,CAAC,YAAY;wBAChB,CAAC,CAAC,yEAAyE;wBAC3E,CAAC,CAAC,yDAAyD,CAAC;oBAC9D,iDAAiD;oBACjD,IAAI;oBACJ,mBAAmB,IAAI,CAAC,OAAO,IAAI,SAAS,UAAU;gBACxD,IAAI;aACL,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,IAAkB;IAChD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,IAAI;YACP,OAAO,6DAA6D;gBAC7D,sEAAsE,CAAC;QAChF,KAAK,kBAAkB;YACrB,OAAO,+DAA+D;gBAC/D,oDAAoD,CAAC;QAC9D,KAAK,UAAU;YACb,OAAO,wDAAwD;gBACxD,oEAAoE,CAAC;IAChF,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAkB;IACrD,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IAEvC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACnE,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAe;IACxD,MAAM,MAAM,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACnC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACnC,CAAC"}

package/dist/gates/auth-session-gate.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Authentication Session Gate Module
+ *
+ * CONTROL PLANE HARDENING
+ *
+ * PURPOSE: Enforce authenticated session requirement for ALL operational commands.
+ *          CLI MUST require valid authentication before invoking remote services.
+ *
+ * CRITICAL REQUIREMENTS:
+ * - CLI requires authenticated session
+ * - No anonymous operations allowed
+ * - Clear error messaging for auth failures
+ *
+ * FORBIDDEN:
+ * - Fallback to anonymous access
+ * - Silent auth bypass
+ * - Local execution fallback
+ */
+/**
+ * Exit code for authentication required.
+ */
+export declare const AUTH_REQUIRED_EXIT_CODE: 130;
+export declare class AuthSessionRequiredError extends Error {
+    constructor();
+}
+export interface AuthSessionGateResult {
+    authenticated: boolean;
+    method?: 'platform' | 'gcp';
+    account?: string;
+    exitCode?: number;
+    message?: string;
+}
+/**
+ * Check if user has valid authentication.
+ * Checks both platform credentials and GCP credentials.
+ */
+export declare function checkAuthSessionGate(): Promise<AuthSessionGateResult>;
+/**
+ * Enforce the authentication session gate.
+ * Exits the process if no valid authentication is found.
+ */
+export declare function enforceAuthSessionGate(): Promise<void>;
+/**
+ * Check if a command requires authentication.
+ */
+export declare function requiresAuthentication(command: string): boolean;
+//# sourceMappingURL=auth-session-gate.d.ts.map

package/dist/gates/auth-session-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-session-gate.d.ts","sourceRoot":"","sources":["../../src/gates/auth-session-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAUH;;GAEG;AACH,eAAO,MAAM,uBAAuB,KAAwB,CAAC;AAM7D,qBAAa,wBAAyB,SAAQ,KAAK;;CAyBlD;AAMD,MAAM,WAAW,qBAAqB;IACpC,aAAa,EAAE,OAAO,CAAC;IACvB,MAAM,CAAC,EAAE,UAAU,GAAG,KAAK,CAAC;IAC5B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAoCD;;;GAGG;AACH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,qBAAqB,CAAC,CA2B3E;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,IAAI,CAAC,CAO5D;AAqBD;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAE/D"}

package/dist/gates/auth-session-gate.js

@@ -0,0 +1,151 @@
+/**
+ * Authentication Session Gate Module
+ *
+ * CONTROL PLANE HARDENING
+ *
+ * PURPOSE: Enforce authenticated session requirement for ALL operational commands.
+ *          CLI MUST require valid authentication before invoking remote services.
+ *
+ * CRITICAL REQUIREMENTS:
+ * - CLI requires authenticated session
+ * - No anonymous operations allowed
+ * - Clear error messaging for auth failures
+ *
+ * FORBIDDEN:
+ * - Fallback to anonymous access
+ * - Silent auth bypass
+ * - Local execution fallback
+ */
+import { hasValidCredentials, getActiveAccount } from '../auth/gcp-identity.js';
+import { createCredentialStore } from '../utils/credentials.js';
+import { EXIT_CODES } from '../types/index.js';
+// ============================================================================
+// Authentication Gate Configuration
+// ============================================================================
+/**
+ * Exit code for authentication required.
+ */
+export const AUTH_REQUIRED_EXIT_CODE = EXIT_CODES.AUTH_ERROR;
+// ============================================================================
+// Authentication Gate Error
+// ============================================================================
+export class AuthSessionRequiredError extends Error {
+    constructor() {
+        super(`\n` +
+            `━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n` +
+            `  AUTHENTICATION REQUIRED\n` +
+            `━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n` +
+            `\n` +
+            `  The CLI requires an authenticated session to execute this command.\n` +
+            `  No valid credentials were found.\n` +
+            `\n` +
+            `  TO AUTHENTICATE:\n` +
+            `\n` +
+            `  Option 1: Platform login (recommended)\n` +
+            `    agentics login\n` +
+            `\n` +
+            `  Option 2: GCP authentication\n` +
+            `    gcloud auth login\n` +
+            `\n` +
+            `  After authenticating, re-run your command.\n` +
+            `\n` +
+            `━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n`);
+        this.name = 'AuthSessionRequiredError';
+    }
+}
+// ============================================================================
+// Authentication Gate Implementation
+// ============================================================================
+/**
+ * Check if user has valid platform credentials.
+ */
+async function hasPlatformCredentials() {
+    try {
+        const store = createCredentialStore();
+        const credentials = await store.load();
+        if (credentials && credentials.api_key) {
+            return { valid: true, email: credentials.email };
+        }
+        return { valid: false };
+    }
+    catch {
+        return { valid: false };
+    }
+}
+/**
+ * Check if user has valid GCP credentials.
+ */
+function hasGcpCredentials() {
+    const hasCredentials = hasValidCredentials();
+    if (hasCredentials) {
+        const account = getActiveAccount();
+        return { valid: true, account: account ?? undefined };
+    }
+    return { valid: false };
+}
+/**
+ * Check if user has valid authentication.
+ * Checks both platform credentials and GCP credentials.
+ */
+export async function checkAuthSessionGate() {
+    // Check platform credentials first
+    const platformAuth = await hasPlatformCredentials();
+    if (platformAuth.valid) {
+        return {
+            authenticated: true,
+            method: 'platform',
+            account: platformAuth.email,
+        };
+    }
+    // Fall back to GCP credentials
+    const gcpAuth = hasGcpCredentials();
+    if (gcpAuth.valid) {
+        return {
+            authenticated: true,
+            method: 'gcp',
+            account: gcpAuth.account,
+        };
+    }
+    // No valid credentials found
+    return {
+        authenticated: false,
+        exitCode: AUTH_REQUIRED_EXIT_CODE,
+        message: new AuthSessionRequiredError().message,
+    };
+}
+/**
+ * Enforce the authentication session gate.
+ * Exits the process if no valid authentication is found.
+ */
+export async function enforceAuthSessionGate() {
+    const result = await checkAuthSessionGate();
+    if (!result.authenticated) {
+        console.error(result.message);
+        process.exit(result.exitCode);
+    }
+}
+/**
+ * Commands that require authentication.
+ * All operational commands require authentication.
+ * Only login, whoami, help, and version are allowed without authentication.
+ */
+const AUTH_REQUIRED_COMMANDS = new Set([
+    'plan',
+    'simulate',
+    'inspect',
+    'quantify',
+    'deploy',
+    'export',
+    'diligence',
+    'usage',
+    'policy',
+    'erp',
+    'logout',
+]);
+/**
+ * Check if a command requires authentication.
+ */
+export function requiresAuthentication(command) {
+    return AUTH_REQUIRED_COMMANDS.has(command);
+}
+//# sourceMappingURL=auth-session-gate.js.map

package/dist/gates/auth-session-gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-session-gate.js","sourceRoot":"","sources":["../../src/gates/auth-session-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChF,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/C,+EAA+E;AAC/E,oCAAoC;AACpC,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,UAAU,CAAC,UAAU,CAAC;AAE7D,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IACjD;QACE,KAAK,CACH,IAAI;YACJ,+EAA+E;YAC/E,6BAA6B;YAC7B,+EAA+E;YAC/E,IAAI;YACJ,wEAAwE;YACxE,sCAAsC;YACtC,IAAI;YACJ,sBAAsB;YACtB,IAAI;YACJ,4CAA4C;YAC5C,sBAAsB;YACtB,IAAI;YACJ,kCAAkC;YAClC,yBAAyB;YACzB,IAAI;YACJ,gDAAgD;YAChD,IAAI;YACJ,+EAA+E,CAChF,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;IACzC,CAAC;CACF;AAcD,+EAA+E;AAC/E,qCAAqC;AACrC,+EAA+E;AAE/E;;GAEG;AACH,KAAK,UAAU,sBAAsB;IACnC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,qBAAqB,EAAE,CAAC;QACtC,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;QAEvC,IAAI,WAAW,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACvC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,EAAE,CAAC;QACnD,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAC1B,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB;IACxB,MAAM,cAAc,GAAG,mBAAmB,EAAE,CAAC;IAC7C,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,OAAO,GAAG,gBAAgB,EAAE,CAAC;QACnC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,CAAC;IACxD,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;AAC1B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB;IACxC,mCAAmC;IACnC,MAAM,YAAY,GAAG,MAAM,sBAAsB,EAAE,CAAC;IACpD,IAAI,YAAY,CAAC,KAAK,EAAE,CAAC;QACvB,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE,YAAY,CAAC,KAAK;SAC5B,CAAC;IACJ,CAAC;IAED,+BAA+B;IAC/B,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;IACpC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,OAAO,CAAC,OAAO;SACzB,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,OAAO;QACL,aAAa,EAAE,KAAK;QACpB,QAAQ,EAAE,uBAAuB;QACjC,OAAO,EAAE,IAAI,wBAAwB,EAAE,CAAC,OAAO;KAChD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB;IAC1C,MAAM,MAAM,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAE5C,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QAC1B,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IACrC,MAAM;IACN,UAAU;IACV,SAAS;IACT,UAAU;IACV,QAAQ;IACR,QAAQ;IACR,WAAW;IACX,OAAO;IACP,QAAQ;IACR,KAAK;IACL,QAAQ;CACT,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,OAAO,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAC7C,CAAC"}