@neurcode-ai/cli 0.10.1 → 0.14.0

package/dist/governance/intent/intent-graph.js

@@ -0,0 +1,67 @@
+"use strict";
+/**
+ * Intent Graph — typed model for architectural intent.
+ *
+ * The Intent Graph is the foundational data structure for Intent-Aware Governance
+ * Intelligence. It represents the *intended* architecture of a codebase as a
+ * declarative, machine-verifiable artifact, distinct from:
+ *
+ *   - Plan contracts (`expectedFiles`)        — per-change file expectations
+ *   - Change contracts                        — diff-vs-plan enforcement
+ *   - Intent engine (`runIntentEngine`)       — NL prompt → code coverage matcher
+ *   - Structural rules                        — code-pattern violations (SR001 ...)
+ *
+ * What the Intent Graph adds: a stable, declarative model of *which parts of the
+ * codebase are allowed to depend on which other parts*. Layers, modules, trust
+ * boundaries, and directional dependency rules are first-class nodes/edges.
+ *
+ * Phase 1 scope (this file):
+ *   - Typed primitives only.
+ *   - No runtime computation, no I/O, no validation.
+ *   - Used as the shared vocabulary across intent-contract.ts (loading),
+ *     drift-detector.ts (analysis), and verify.ts (reporting).
+ *
+ * Intelligence classification: DETERMINISTIC (pure types).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EMPTY_INTENT_GRAPH = exports.INTENT_GRAPH_SCHEMA_VERSION = void 0;
+exports.isEmptyIntentGraph = isEmptyIntentGraph;
+exports.intentGraphHasEnforcement = intentGraphHasEnforcement;
+// ── Schema version ───────────────────────────────────────────────────────────
+/** Current schema version. Bumped only with a breaking-change migration plan. */
+exports.INTENT_GRAPH_SCHEMA_VERSION = 1;
+// ── Empty graph ──────────────────────────────────────────────────────────────
+/**
+ * A canonical empty graph. Used when no intent contract is configured — drift
+ * detection short-circuits to "no violations" deterministically.
+ */
+exports.EMPTY_INTENT_GRAPH = Object.freeze({
+    schemaVersion: exports.INTENT_GRAPH_SCHEMA_VERSION,
+    layers: [],
+    modules: [],
+    trustBoundaries: [],
+    allowedEdges: [],
+    forbiddenEdges: [],
+    fingerprint: 'empty:0',
+});
+// ── Predicates ───────────────────────────────────────────────────────────────
+/**
+ * Return true when the graph defines *no* layers/modules/boundaries/edges.
+ * Drift detection skips entirely when this is true.
+ */
+function isEmptyIntentGraph(graph) {
+    return (graph.layers.length === 0 &&
+        graph.modules.length === 0 &&
+        graph.trustBoundaries.length === 0 &&
+        graph.allowedEdges.length === 0 &&
+        graph.forbiddenEdges.length === 0);
+}
+/**
+ * Returns true if the graph has at least one rule that can produce a drift
+ * finding. A graph with only layers but no edges is "in observation mode" —
+ * it can classify files but not flag violations.
+ */
+function intentGraphHasEnforcement(graph) {
+    return graph.allowedEdges.length > 0 || graph.forbiddenEdges.length > 0;
+}
+//# sourceMappingURL=intent-graph.js.map

package/dist/governance/intent/intent-graph.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"intent-graph.js","sourceRoot":"","sources":["../../../src/governance/intent/intent-graph.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;;AAwIH,gDAQC;AAOD,8DAEC;AAvJD,gFAAgF;AAEhF,iFAAiF;AACpE,QAAA,2BAA2B,GAAG,CAAU,CAAC;AA6GtD,gFAAgF;AAEhF;;;GAGG;AACU,QAAA,kBAAkB,GAAgB,MAAM,CAAC,MAAM,CAAC;IAC3D,aAAa,EAAE,mCAA2B;IAC1C,MAAM,EAAE,EAAE;IACV,OAAO,EAAE,EAAE;IACX,eAAe,EAAE,EAAE;IACnB,YAAY,EAAE,EAAE;IAChB,cAAc,EAAE,EAAE;IAClB,WAAW,EAAE,SAAS;CACvB,CAAgB,CAAC;AAElB,gFAAgF;AAEhF;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,KAAkB;IACnD,OAAO,CACL,KAAK,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;QACzB,KAAK,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;QAC1B,KAAK,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC;QAClC,KAAK,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC;QAC/B,KAAK,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,CAClC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAgB,yBAAyB,CAAC,KAAkB;IAC1D,OAAO,KAAK,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;AAC1E,CAAC"}

package/dist/governance/pipeline/computation-trace.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Governance computation trace surface.
+ *
+ * Produces a compact, human-readable summary of HOW a verify run computed
+ * its governance verdict. The trace is derived entirely from the pipeline
+ * ledger — no re-computation, no re-inspection. Pure observability.
+ *
+ * Audience:
+ *   - dashboards rendering an explainability column
+ *   - audit / replay reviewers who want a one-screen narrative
+ *   - operators triaging degraded or failed governance runs
+ *
+ * Constraints:
+ *   - Deterministic given the same ledger.
+ *   - No PII or excerpts — only stage IDs, statuses, fingerprints.
+ *   - Bounded length: at most one line per stage plus a header.
+ */
+import type { GovernanceStageId, GovernanceStageResult, GovernanceStageStatus } from '@neurcode-ai/contracts';
+export interface GovernanceComputationTrace {
+    /** One-line summary suitable for a dashboard header. */
+    headline: string;
+    /** Detail rows; one per stage, in canonical execution order. */
+    rows: GovernanceComputationTraceRow[];
+    /** Stage IDs of stages that did not reach 'succeeded'. */
+    notableStages: GovernanceStageId[];
+}
+export interface GovernanceComputationTraceRow {
+    stageId: GovernanceStageId;
+    status: GovernanceStageStatus;
+    determinism: string;
+    durationMs: number;
+    outputFingerprintShort: string | null;
+    dependsOn: GovernanceStageId[];
+    failureCategory?: string;
+}
+/**
+ * Build a deterministic computation trace from a pipeline ledger.
+ *
+ * The trace renders the same way for the same ledger across runs and
+ * machines. Wall-clock durations are reported but never used in headlines
+ * (they would non-determinize the trace).
+ */
+export declare function buildComputationTrace(ledger: readonly GovernanceStageResult[]): GovernanceComputationTrace;
+/**
+ * Render a computation trace as a deterministic multi-line text block.
+ *
+ * Output format is stable across runs given the same ledger (durations are
+ * truncated to integer milliseconds; nothing else is wall-clock-dependent).
+ * Suitable for embedding in --explain output or in CI logs.
+ */
+export declare function renderComputationTrace(trace: GovernanceComputationTrace): string;
+//# sourceMappingURL=computation-trace.d.ts.map

package/dist/governance/pipeline/computation-trace.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"computation-trace.d.ts","sourceRoot":"","sources":["../../../src/governance/pipeline/computation-trace.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EACV,iBAAiB,EACjB,qBAAqB,EACrB,qBAAqB,EACtB,MAAM,wBAAwB,CAAC;AAEhC,MAAM,WAAW,0BAA0B;IACzC,wDAAwD;IACxD,QAAQ,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,IAAI,EAAE,6BAA6B,EAAE,CAAC;IACtC,0DAA0D;IAC1D,aAAa,EAAE,iBAAiB,EAAE,CAAC;CACpC;AAED,MAAM,WAAW,6BAA6B;IAC5C,OAAO,EAAE,iBAAiB,CAAC;IAC3B,MAAM,EAAE,qBAAqB,CAAC;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,sBAAsB,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,SAAS,EAAE,iBAAiB,EAAE,CAAC;IAC/B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,SAAS,qBAAqB,EAAE,GACvC,0BAA0B,CAgC5B;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,0BAA0B,GAChC,MAAM,CAaR"}

package/dist/governance/pipeline/computation-trace.js

@@ -0,0 +1,79 @@
+"use strict";
+/**
+ * Governance computation trace surface.
+ *
+ * Produces a compact, human-readable summary of HOW a verify run computed
+ * its governance verdict. The trace is derived entirely from the pipeline
+ * ledger — no re-computation, no re-inspection. Pure observability.
+ *
+ * Audience:
+ *   - dashboards rendering an explainability column
+ *   - audit / replay reviewers who want a one-screen narrative
+ *   - operators triaging degraded or failed governance runs
+ *
+ * Constraints:
+ *   - Deterministic given the same ledger.
+ *   - No PII or excerpts — only stage IDs, statuses, fingerprints.
+ *   - Bounded length: at most one line per stage plus a header.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildComputationTrace = buildComputationTrace;
+exports.renderComputationTrace = renderComputationTrace;
+/**
+ * Build a deterministic computation trace from a pipeline ledger.
+ *
+ * The trace renders the same way for the same ledger across runs and
+ * machines. Wall-clock durations are reported but never used in headlines
+ * (they would non-determinize the trace).
+ */
+function buildComputationTrace(ledger) {
+    const rows = ledger.map((entry) => ({
+        stageId: entry.stageId,
+        status: entry.status,
+        determinism: entry.replay.determinism,
+        durationMs: entry.metrics.durationMs,
+        outputFingerprintShort: entry.replay.outputFingerprint
+            ? entry.replay.outputFingerprint.slice(0, 12)
+            : null,
+        dependsOn: [...entry.replay.dependsOn],
+        failureCategory: entry.failure?.category,
+    }));
+    const notableStages = ledger
+        .filter((e) => e.status !== 'succeeded')
+        .map((e) => e.stageId);
+    const succeededCount = ledger.filter((e) => e.status === 'succeeded').length;
+    const totalCount = ledger.length;
+    let headline;
+    if (totalCount === 0) {
+        headline = 'governance pipeline: no stages executed';
+    }
+    else if (notableStages.length === 0) {
+        headline = `governance pipeline: ${totalCount} stage(s) succeeded`;
+    }
+    else {
+        headline =
+            `governance pipeline: ${succeededCount}/${totalCount} succeeded; ` +
+                `${notableStages.length} stage(s) did not succeed`;
+    }
+    return { headline, rows, notableStages };
+}
+/**
+ * Render a computation trace as a deterministic multi-line text block.
+ *
+ * Output format is stable across runs given the same ledger (durations are
+ * truncated to integer milliseconds; nothing else is wall-clock-dependent).
+ * Suitable for embedding in --explain output or in CI logs.
+ */
+function renderComputationTrace(trace) {
+    const lines = [];
+    lines.push(trace.headline);
+    for (const row of trace.rows) {
+        const fp = row.outputFingerprintShort ?? '-';
+        const deps = row.dependsOn.length > 0 ? ` ← [${row.dependsOn.join(', ')}]` : '';
+        const failure = row.failureCategory ? ` (failure: ${row.failureCategory})` : '';
+        lines.push(`  • ${row.stageId.padEnd(28)} ${row.status.padEnd(10)} ` +
+            `${row.determinism.padEnd(28)} fp=${fp}${deps}${failure}`);
+    }
+    return lines.join('\n');
+}
+//# sourceMappingURL=computation-trace.js.map

package/dist/governance/pipeline/computation-trace.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"computation-trace.js","sourceRoot":"","sources":["../../../src/governance/pipeline/computation-trace.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;GAgBG;;AAkCH,sDAkCC;AASD,wDAeC;AAjED;;;;;;GAMG;AACH,SAAgB,qBAAqB,CACnC,MAAwC;IAExC,MAAM,IAAI,GAAoC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACnE,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,WAAW;QACrC,UAAU,EAAE,KAAK,CAAC,OAAO,CAAC,UAAU;QACpC,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC,iBAAiB;YACpD,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAC7C,CAAC,CAAC,IAAI;QACR,SAAS,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC;QACtC,eAAe,EAAE,KAAK,CAAC,OAAO,EAAE,QAAQ;KACzC,CAAC,CAAC,CAAC;IAEJ,MAAM,aAAa,GAAwB,MAAM;SAC9C,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC;SACvC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAEzB,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC,CAAC,MAAM,CAAC;IAC7E,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC;IAEjC,IAAI,QAAgB,CAAC;IACrB,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;QACrB,QAAQ,GAAG,yCAAyC,CAAC;IACvD,CAAC;SAAM,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,QAAQ,GAAG,wBAAwB,UAAU,qBAAqB,CAAC;IACrE,CAAC;SAAM,CAAC;QACN,QAAQ;YACN,wBAAwB,cAAc,IAAI,UAAU,cAAc;gBAClE,GAAG,aAAa,CAAC,MAAM,2BAA2B,CAAC;IACvD,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,sBAAsB,CACpC,KAAiC;IAEjC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC3B,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,GAAG,CAAC,sBAAsB,IAAI,GAAG,CAAC;QAC7C,MAAM,IAAI,GAAG,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,MAAM,OAAO,GAAG,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,cAAc,GAAG,CAAC,eAAe,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,KAAK,CAAC,IAAI,CACR,OAAO,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG;YACzD,GAAG,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,IAAI,GAAG,OAAO,EAAE,CAC1D,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/governance/pipeline/envelope-assembly.d.ts

@@ -0,0 +1,132 @@
+/**
+ * Shared canonical-payload assembly.
+ *
+ * Both `verifyCommand` and `executePolicyOnlyMode` build a "canonical payload"
+ * — the dict that becomes the verify JSON output (and, via
+ * `synthesizeGovernance`, the canonical governance envelope).
+ *
+ * The two orchestrators previously inlined this assembly with mostly-identical
+ * fields and small mode-specific differences. This module extracts the
+ * shared core into a single helper that takes a typed input describing the
+ * mode-specific extras.
+ *
+ * Replay invariant:
+ *   The resulting payload, after `synthesizeGovernance`, MUST produce the same
+ *   `replayChecksum` it did under the prior inline implementation, for any
+ *   given input. The fields that contribute to the checksum (canonical sorted
+ *   findings) flow through `payload.structuralViolations` and the various
+ *   issue arrays — exactly as before.
+ *
+ * What this module does NOT do:
+ *   - It does not emit JSON.
+ *   - It does not call `synthesizeGovernance` (caller does that).
+ *   - It does not finalize evidence (caller does that).
+ *   - It does not record telemetry (caller does that).
+ *   - It is not a generic builder pattern; it is a typed extraction of a
+ *     duplicated literal-object construction.
+ */
+import type { StructuralViolation } from '../../structural-rules/types';
+import type { PolicyOnlySource } from './shared-types';
+/**
+ * Minimal "governance payload" surface — the parts of the canonical payload
+ * that are produced by the governance evaluator and threaded into both modes.
+ * Caller passes in an opaque object; we spread it.
+ */
+export type GovernancePayloadFragment = Record<string, unknown>;
+/**
+ * Policy-pack fragment — present when an installed pack contributed rules.
+ */
+export interface PolicyPackFragment {
+    id: string;
+    name: string;
+    version: string;
+    ruleCount: number;
+}
+export interface PolicyLockSummaryFragment {
+    enforced: boolean;
+    matched: boolean;
+    path: string;
+    mismatches: ReadonlyArray<unknown>;
+}
+export interface PolicyOnlyCanonicalPayloadInput {
+    grade: string;
+    score: number;
+    verdict: string;
+    message: string;
+    violations: ReadonlyArray<unknown>;
+    structuralViolations: ReadonlyArray<StructuralViolation>;
+    structuralRulesApplied: ReadonlyArray<string>;
+    structuralSuppressedCount: number;
+    source: PolicyOnlySource;
+    replayChecksum: string;
+    governancePayload: GovernancePayloadFragment;
+    policyLock: PolicyLockSummaryFragment;
+    policyExceptions: unknown;
+    policyGovernance: unknown;
+    policyPack?: PolicyPackFragment | null;
+}
+/**
+ * Assemble the policy-only canonical payload. Replaces the inline literal
+ * previously at `commands/verify.ts:2685–2724`.
+ *
+ * Field order is preserved byte-for-byte from the prior implementation so
+ * `JSON.stringify` output (and therefore stdout writes, evidence captures,
+ * and any string-equality fixtures) remains identical.
+ */
+export declare function buildPolicyOnlyCanonicalPayload(input: PolicyOnlyCanonicalPayloadInput): Record<string, unknown>;
+/**
+ * AI-debt summary fragment — pass-through; consumed by buildAiDebtReportViolations
+ * in the caller. The verify.ts payload includes this as an explicit `aiDebt` key.
+ */
+export type AiDebtSummaryFragment = unknown;
+/** Change-contract summary fragment — pass-through. */
+export type ChangeContractSummaryFragment = unknown;
+/** Compiled policy metadata fragment — pass-through. */
+export type CompiledPolicyMetadataFragment = Record<string, unknown> | null;
+/** Runtime guard summary fragment — pass-through. */
+export interface RuntimeGuardSummaryFragment {
+    required: boolean;
+    [key: string]: unknown;
+}
+/** Intent proof summary fragment — pass-through. */
+export type IntentProofSummaryFragment = unknown;
+/** Policy decision fragment — pass-through, only emitted when violations exist. */
+export type PolicyDecisionFragment = unknown;
+export interface VerifyCanonicalPayloadInput {
+    grade: string;
+    score: number;
+    verdict: string;
+    message: string;
+    violations: ReadonlyArray<unknown>;
+    scopeGuardPassed: boolean;
+    bloatCount: number;
+    bloatFiles: ReadonlyArray<string>;
+    plannedFilesModified: number;
+    totalPlannedFiles: number;
+    verificationSource: string;
+    structuralViolations: ReadonlyArray<StructuralViolation>;
+    structuralRulesApplied: ReadonlyArray<string>;
+    structuralSuppressedCount: number;
+    aiDebt: AiDebtSummaryFragment;
+    changeContract: ChangeContractSummaryFragment;
+    compiledPolicyMetadata: CompiledPolicyMetadataFragment;
+    governancePayload: GovernancePayloadFragment | undefined;
+    policyLock: PolicyLockSummaryFragment;
+    policyExceptions: unknown;
+    policyGovernance: unknown;
+    intentProof: IntentProofSummaryFragment;
+    runtimeGuard?: RuntimeGuardSummaryFragment | null;
+    policyDecision?: PolicyDecisionFragment;
+    policyPack?: PolicyPackFragment | null;
+}
+/**
+ * Assemble the main-flow (plan_enforced) canonical payload. Twin of
+ * `buildPolicyOnlyCanonicalPayload` for the verifyCommand main path.
+ * Replaces the inline literal previously at `commands/verify.ts:5542–5585`.
+ *
+ * Field order MUST be preserved byte-for-byte from the prior inline
+ * implementation. Replay consumers (audit dashboards, action JSON parsers)
+ * may depend on JSON serialization order.
+ */
+export declare function buildVerifyCanonicalPayload(input: VerifyCanonicalPayloadInput): Record<string, unknown>;
+//# sourceMappingURL=envelope-assembly.d.ts.map

package/dist/governance/pipeline/envelope-assembly.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope-assembly.d.ts","sourceRoot":"","sources":["../../../src/governance/pipeline/envelope-assembly.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACxE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAEvD;;;;GAIG;AACH,MAAM,MAAM,yBAAyB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAEhE;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,yBAAyB;IACxC,QAAQ,EAAE,OAAO,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,aAAa,CAAC,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,+BAA+B;IAE9C,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAEhB,UAAU,EAAE,aAAa,CAAC,OAAO,CAAC,CAAC;IACnC,oBAAoB,EAAE,aAAa,CAAC,mBAAmB,CAAC,CAAC;IACzD,sBAAsB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,yBAAyB,EAAE,MAAM,CAAC;IAElC,MAAM,EAAE,gBAAgB,CAAC;IAEzB,cAAc,EAAE,MAAM,CAAC;IAEvB,iBAAiB,EAAE,yBAAyB,CAAC;IAC7C,UAAU,EAAE,yBAAyB,CAAC;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,UAAU,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CACxC;AAED;;;;;;;GAOG;AACH,wBAAgB,+BAA+B,CAC7C,KAAK,EAAE,+BAA+B,GACrC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAyCzB;AAMD;;;GAGG;AACH,MAAM,MAAM,qBAAqB,GAAG,OAAO,CAAC;AAE5C,uDAAuD;AACvD,MAAM,MAAM,6BAA6B,GAAG,OAAO,CAAC;AAEpD,wDAAwD;AACxD,MAAM,MAAM,8BAA8B,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;AAE5E,qDAAqD;AACrD,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,EAAE,OAAO,CAAC;IAClB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,oDAAoD;AACpD,MAAM,MAAM,0BAA0B,GAAG,OAAO,CAAC;AAEjD,mFAAmF;AACnF,MAAM,MAAM,sBAAsB,GAAG,OAAO,CAAC;AAE7C,MAAM,WAAW,2BAA2B;IAE1C,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAEhB,UAAU,EAAE,aAAa,CAAC,OAAO,CAAC,CAAC;IAEnC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAElC,oBAAoB,EAAE,MAAM,CAAC;IAC7B,iBAAiB,EAAE,MAAM,CAAC;IAE1B,kBAAkB,EAAE,MAAM,CAAC;IAE3B,oBAAoB,EAAE,aAAa,CAAC,mBAAmB,CAAC,CAAC;IACzD,sBAAsB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,yBAAyB,EAAE,MAAM,CAAC;IAElC,MAAM,EAAE,qBAAqB,CAAC;IAC9B,cAAc,EAAE,6BAA6B,CAAC;IAC9C,sBAAsB,EAAE,8BAA8B,CAAC;IACvD,iBAAiB,EAAE,yBAAyB,GAAG,SAAS,CAAC;IACzD,UAAU,EAAE,yBAAyB,CAAC;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,WAAW,EAAE,0BAA0B,CAAC;IACxC,YAAY,CAAC,EAAE,2BAA2B,GAAG,IAAI,CAAC;IAClD,cAAc,CAAC,EAAE,sBAAsB,CAAC;IACxC,UAAU,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CACxC;AAED;;;;;;;;GAQG;AACH,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,2BAA2B,GACjC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAgDzB"}

package/dist/governance/pipeline/envelope-assembly.js

@@ -0,0 +1,140 @@
+"use strict";
+/**
+ * Shared canonical-payload assembly.
+ *
+ * Both `verifyCommand` and `executePolicyOnlyMode` build a "canonical payload"
+ * — the dict that becomes the verify JSON output (and, via
+ * `synthesizeGovernance`, the canonical governance envelope).
+ *
+ * The two orchestrators previously inlined this assembly with mostly-identical
+ * fields and small mode-specific differences. This module extracts the
+ * shared core into a single helper that takes a typed input describing the
+ * mode-specific extras.
+ *
+ * Replay invariant:
+ *   The resulting payload, after `synthesizeGovernance`, MUST produce the same
+ *   `replayChecksum` it did under the prior inline implementation, for any
+ *   given input. The fields that contribute to the checksum (canonical sorted
+ *   findings) flow through `payload.structuralViolations` and the various
+ *   issue arrays — exactly as before.
+ *
+ * What this module does NOT do:
+ *   - It does not emit JSON.
+ *   - It does not call `synthesizeGovernance` (caller does that).
+ *   - It does not finalize evidence (caller does that).
+ *   - It does not record telemetry (caller does that).
+ *   - It is not a generic builder pattern; it is a typed extraction of a
+ *     duplicated literal-object construction.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildPolicyOnlyCanonicalPayload = buildPolicyOnlyCanonicalPayload;
+exports.buildVerifyCanonicalPayload = buildVerifyCanonicalPayload;
+/**
+ * Assemble the policy-only canonical payload. Replaces the inline literal
+ * previously at `commands/verify.ts:2685–2724`.
+ *
+ * Field order is preserved byte-for-byte from the prior implementation so
+ * `JSON.stringify` output (and therefore stdout writes, evidence captures,
+ * and any string-equality fixtures) remains identical.
+ */
+function buildPolicyOnlyCanonicalPayload(input) {
+    return {
+        grade: input.grade,
+        score: input.score,
+        verdict: input.verdict,
+        violations: input.violations,
+        message: input.message,
+        scopeGuardPassed: true, // N/A in policy-only mode
+        bloatCount: 0,
+        bloatFiles: [],
+        plannedFilesModified: 0,
+        totalPlannedFiles: 0,
+        adherenceScore: input.score,
+        structuralViolations: input.structuralViolations,
+        structuralRulesApplied: input.structuralRulesApplied,
+        structuralSuppressedCount: input.structuralSuppressedCount,
+        mode: 'policy_only',
+        policyOnly: true,
+        policyOnlySource: input.source,
+        replayChecksum: input.replayChecksum,
+        replayMode: 'local-structural',
+        ...input.governancePayload,
+        policyLock: {
+            enforced: input.policyLock.enforced,
+            matched: input.policyLock.matched,
+            path: input.policyLock.path,
+            mismatches: input.policyLock.mismatches,
+        },
+        policyExceptions: input.policyExceptions,
+        policyGovernance: input.policyGovernance,
+        ...(input.policyPack
+            ? {
+                policyPack: {
+                    id: input.policyPack.id,
+                    name: input.policyPack.name,
+                    version: input.policyPack.version,
+                    ruleCount: input.policyPack.ruleCount,
+                },
+            }
+            : {}),
+    };
+}
+/**
+ * Assemble the main-flow (plan_enforced) canonical payload. Twin of
+ * `buildPolicyOnlyCanonicalPayload` for the verifyCommand main path.
+ * Replaces the inline literal previously at `commands/verify.ts:5542–5585`.
+ *
+ * Field order MUST be preserved byte-for-byte from the prior inline
+ * implementation. Replay consumers (audit dashboards, action JSON parsers)
+ * may depend on JSON serialization order.
+ */
+function buildVerifyCanonicalPayload(input) {
+    const payload = {
+        grade: input.grade,
+        score: input.score,
+        verdict: input.verdict,
+        violations: input.violations,
+        message: input.message,
+        adherenceScore: input.score,
+        scopeGuardPassed: input.scopeGuardPassed,
+        bloatCount: input.bloatCount,
+        bloatFiles: input.bloatFiles,
+        plannedFilesModified: input.plannedFilesModified,
+        totalPlannedFiles: input.totalPlannedFiles,
+        verificationSource: input.verificationSource,
+        structuralViolations: input.structuralViolations,
+        structuralRulesApplied: input.structuralRulesApplied,
+        structuralSuppressedCount: input.structuralSuppressedCount,
+        mode: 'plan_enforced',
+        policyOnly: false,
+        aiDebt: input.aiDebt,
+        changeContract: input.changeContract,
+        ...(input.compiledPolicyMetadata ? { policyCompilation: input.compiledPolicyMetadata } : {}),
+        ...(input.governancePayload || {}),
+        policyLock: {
+            enforced: input.policyLock.enforced,
+            matched: input.policyLock.matched,
+            path: input.policyLock.path,
+            mismatches: input.policyLock.mismatches,
+        },
+        policyExceptions: input.policyExceptions,
+        policyGovernance: input.policyGovernance,
+        intentProof: input.intentProof,
+        ...(input.runtimeGuard && input.runtimeGuard.required
+            ? { runtimeGuard: input.runtimeGuard }
+            : {}),
+        ...(input.policyDecision !== undefined ? { policyDecision: input.policyDecision } : {}),
+        ...(input.policyPack
+            ? {
+                policyPack: {
+                    id: input.policyPack.id,
+                    name: input.policyPack.name,
+                    version: input.policyPack.version,
+                    ruleCount: input.policyPack.ruleCount,
+                },
+            }
+            : {}),
+    };
+    return payload;
+}
+//# sourceMappingURL=envelope-assembly.js.map

package/dist/governance/pipeline/envelope-assembly.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope-assembly.js","sourceRoot":"","sources":["../../../src/governance/pipeline/envelope-assembly.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;;AA4DH,0EA2CC;AA0ED,kEAkDC;AA/KD;;;;;;;GAOG;AACH,SAAgB,+BAA+B,CAC7C,KAAsC;IAEtC,OAAO;QACL,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,gBAAgB,EAAE,IAAI,EAAE,0BAA0B;QAClD,UAAU,EAAE,CAAC;QACb,UAAU,EAAE,EAAE;QACd,oBAAoB,EAAE,CAAC;QACvB,iBAAiB,EAAE,CAAC;QACpB,cAAc,EAAE,KAAK,CAAC,KAAK;QAC3B,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;QAChD,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;QACpD,yBAAyB,EAAE,KAAK,CAAC,yBAAyB;QAC1D,IAAI,EAAE,aAAa;QACnB,UAAU,EAAE,IAAI;QAChB,gBAAgB,EAAE,KAAK,CAAC,MAAM;QAC9B,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,UAAU,EAAE,kBAAkB;QAC9B,GAAG,KAAK,CAAC,iBAAiB;QAC1B,UAAU,EAAE;YACV,QAAQ,EAAE,KAAK,CAAC,UAAU,CAAC,QAAQ;YACnC,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,OAAO;YACjC,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI;YAC3B,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,UAAU;SACxC;QACD,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;QACxC,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;QACxC,GAAG,CAAC,KAAK,CAAC,UAAU;YAClB,CAAC,CAAC;gBACE,UAAU,EAAE;oBACV,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE;oBACvB,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI;oBAC3B,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,OAAO;oBACjC,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,SAAS;iBACtC;aACF;YACH,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAiED;;;;;;;;GAQG;AACH,SAAgB,2BAA2B,CACzC,KAAkC;IAElC,MAAM,OAAO,GAA4B;QACvC,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,cAAc,EAAE,KAAK,CAAC,KAAK;QAC3B,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;QACxC,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;QAChD,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;QAC1C,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;QAC5C,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;QAChD,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;QACpD,yBAAyB,EAAE,KAAK,CAAC,yBAAyB;QAC1D,IAAI,EAAE,eAAe;QACrB,UAAU,EAAE,KAAK;QACjB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,GAAG,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,KAAK,CAAC,sBAAsB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5F,GAAG,CAAC,KAAK,CAAC,iBAAiB,IAAI,EAAE,CAAC;QAClC,UAAU,EAAE;YACV,QAAQ,EAAE,KAAK,CAAC,UAAU,CAAC,QAAQ;YACnC,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,OAAO;YACjC,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI;YAC3B,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,UAAU;SACxC;QACD,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;QACxC,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;QACxC,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,GAAG,CAAC,KAAK,CAAC,YAAY,IAAI,KAAK,CAAC,YAAY,CAAC,QAAQ;YACnD,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,YAAY,EAAE;YACtC,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,KAAK,CAAC,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvF,GAAG,CAAC,KAAK,CAAC,UAAU;YAClB,CAAC,CAAC;gBACE,UAAU,EAAE;oBACV,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE;oBACvB,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI;oBAC3B,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,OAAO;oBACjC,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,SAAS;iBACtC;aACF;YACH,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;IACF,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/governance/pipeline/fingerprint.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Deterministic stage fingerprinting.
+ *
+ * A stage fingerprint is a SHA-256 over the stable identifiers of the stage's
+ * input or output. It MUST be:
+ *   - Independent of wall-clock time, run IDs, and process state
+ *   - Stable across operating systems and Node versions
+ *   - Computed only from canonical fields (no excerpts, no PII)
+ *
+ * Callers should provide a `signal` object containing the minimum stable
+ * descriptors. Anything not present in the signal is ignored by the fingerprint.
+ */
+/**
+ * Compute a deterministic SHA-256 fingerprint from a stage signal object.
+ *
+ * The signal is serialized via stable key ordering so logically identical inputs
+ * always produce the same hash, regardless of source object key insertion order.
+ *
+ * @param signal  An object containing stable, PII-free identifiers.
+ * @returns       64-char hex SHA-256 digest, or undefined when signal is empty.
+ */
+export declare function fingerprintStageSignal(signal: unknown): string | undefined;
+/**
+ * Deterministic JSON serialization with sorted object keys.
+ *
+ * Mirrors the contract of `@neurcode-ai/telemetry`'s `stableStringify` to avoid
+ * a cross-package dependency at this layer. Identical implementation invariants:
+ *   - Objects: keys sorted lexicographically
+ *   - Arrays: order preserved
+ *   - Numbers: NaN/Infinity become null (JSON-compatible)
+ *   - Functions / undefined values: omitted
+ */
+export declare function stableStringify(value: unknown): string;
+//# sourceMappingURL=fingerprint.d.ts.map

package/dist/governance/pipeline/fingerprint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fingerprint.d.ts","sourceRoot":"","sources":["../../../src/governance/pipeline/fingerprint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,CAS1E;AAED;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAEtD"}

package/dist/governance/pipeline/fingerprint.js

@@ -0,0 +1,78 @@
+"use strict";
+/**
+ * Deterministic stage fingerprinting.
+ *
+ * A stage fingerprint is a SHA-256 over the stable identifiers of the stage's
+ * input or output. It MUST be:
+ *   - Independent of wall-clock time, run IDs, and process state
+ *   - Stable across operating systems and Node versions
+ *   - Computed only from canonical fields (no excerpts, no PII)
+ *
+ * Callers should provide a `signal` object containing the minimum stable
+ * descriptors. Anything not present in the signal is ignored by the fingerprint.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fingerprintStageSignal = fingerprintStageSignal;
+exports.stableStringify = stableStringify;
+const crypto_1 = require("crypto");
+/**
+ * Compute a deterministic SHA-256 fingerprint from a stage signal object.
+ *
+ * The signal is serialized via stable key ordering so logically identical inputs
+ * always produce the same hash, regardless of source object key insertion order.
+ *
+ * @param signal  An object containing stable, PII-free identifiers.
+ * @returns       64-char hex SHA-256 digest, or undefined when signal is empty.
+ */
+function fingerprintStageSignal(signal) {
+    if (signal === null || signal === undefined) {
+        return undefined;
+    }
+    const stable = stableStringify(signal);
+    if (!stable || stable === '{}' || stable === '[]') {
+        return undefined;
+    }
+    return (0, crypto_1.createHash)('sha256').update(stable, 'utf-8').digest('hex');
+}
+/**
+ * Deterministic JSON serialization with sorted object keys.
+ *
+ * Mirrors the contract of `@neurcode-ai/telemetry`'s `stableStringify` to avoid
+ * a cross-package dependency at this layer. Identical implementation invariants:
+ *   - Objects: keys sorted lexicographically
+ *   - Arrays: order preserved
+ *   - Numbers: NaN/Infinity become null (JSON-compatible)
+ *   - Functions / undefined values: omitted
+ */
+function stableStringify(value) {
+    return JSON.stringify(canonicalize(value));
+}
+function canonicalize(value) {
+    if (value === null || value === undefined) {
+        return null;
+    }
+    if (typeof value === 'number') {
+        return Number.isFinite(value) ? value : null;
+    }
+    if (typeof value === 'string' || typeof value === 'boolean') {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value.map(canonicalize);
+    }
+    if (typeof value === 'object') {
+        const obj = value;
+        const keys = Object.keys(obj).sort();
+        const out = {};
+        for (const k of keys) {
+            const v = obj[k];
+            if (v === undefined || typeof v === 'function')
+                continue;
+            out[k] = canonicalize(v);
+        }
+        return out;
+    }
+    // bigint, symbol, etc. — drop
+    return null;
+}
+//# sourceMappingURL=fingerprint.js.map

package/dist/governance/pipeline/fingerprint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fingerprint.js","sourceRoot":"","sources":["../../../src/governance/pipeline/fingerprint.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAaH,wDASC;AAYD,0CAEC;AAlCD,mCAAoC;AAEpC;;;;;;;;GAQG;AACH,SAAgB,sBAAsB,CAAC,MAAe;IACpD,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QAC5C,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAClD,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACpE,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,eAAe,CAAC,KAAc;IAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/C,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,CAAC;QAC5D,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACjC,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,KAAgC,CAAC;QAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACrC,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACrB,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;YACjB,IAAI,CAAC,KAAK,SAAS,IAAI,OAAO,CAAC,KAAK,UAAU;gBAAE,SAAS;YACzD,GAAG,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IACD,8BAA8B;IAC9B,OAAO,IAAI,CAAC;AACd,CAAC"}