@neurcode-ai/contracts 0.1.2 → 0.1.3

package/dist/admission/framing.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Runtime Admission — canonical byte-safe framing (Phase A).
+ *
+ * Deterministic, length-prefixed framing for the delta and coverage hashes.
+ * Web-safe: uses Uint8Array + TextEncoder only (this package is imported by
+ * the dashboard and other non-Node surfaces). No Node Buffer, no crypto here —
+ * hashing of the framed bytes happens in the governance-runtime core.
+ *
+ * Why length-prefixed framing (and not a delimiter join):
+ *   A delimiter such as "\0" or "\t" can appear inside a path, so a delimiter
+ *   join lets two distinct field sets collapse to the same byte stream
+ *   (e.g. ["a\tb"] vs ["a","b"]). Every field and every record here is prefixed
+ *   with its exact byte length, so field and record boundaries are
+ *   unambiguous and no path content can forge a boundary.
+ */
+/** Schema/domain version for the framing contract. Bump only on a breaking framing change. */
+export declare const ADMISSION_FRAMING_VERSION: "neurcode.admission-framing.v1";
+/** Domain separators so delta and coverage hashes can never alias each other. */
+export declare const ADMISSION_DELTA_HASH_DOMAIN: "neurcode.admission.delta.v1";
+export declare const ADMISSION_COVERAGE_SET_HASH_DOMAIN: "neurcode.admission.coverage-set.v1";
+/** Frame a single field as: u32be(byteLength) ‖ utf8(value). */
+export declare function frameField(value: string): Uint8Array;
+/** Frame an ordered list of fields. Order is preserved; the caller sorts records. */
+export declare function frameFields(fields: readonly string[]): Uint8Array;
+/**
+ * Frame a header plus an ordered set of records into one canonical byte stream.
+ *
+ * Layout:
+ *   frameFields(header)
+ *   for each record: u32be(recordByteLength) ‖ frameFields(record)
+ *
+ * Records must already be canonically sorted by the caller (the hash functions
+ * sort before calling this, which is what makes shuffled input produce an
+ * identical hash). Double length-prefixing (record length + per-field length)
+ * makes both record and field boundaries unambiguous.
+ */
+export declare function frameRecordSet(header: readonly string[], records: readonly (readonly string[])[]): Uint8Array;
+//# sourceMappingURL=framing.d.ts.map

package/dist/admission/framing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"framing.d.ts","sourceRoot":"","sources":["../../src/admission/framing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,8FAA8F;AAC9F,eAAO,MAAM,yBAAyB,EAAG,+BAAwC,CAAC;AAElF,iFAAiF;AACjF,eAAO,MAAM,2BAA2B,EAAG,6BAAsC,CAAC;AAClF,eAAO,MAAM,kCAAkC,EAAG,oCAA6C,CAAC;AA0BhG,gEAAgE;AAChE,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,CAGpD;AAED,qFAAqF;AACrF,wBAAgB,WAAW,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,GAAG,UAAU,CAEjE;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,EAAE,OAAO,EAAE,SAAS,CAAC,SAAS,MAAM,EAAE,CAAC,EAAE,GAAG,UAAU,CAO7G"}

package/dist/admission/framing.js

@@ -0,0 +1,78 @@
+"use strict";
+/**
+ * Runtime Admission — canonical byte-safe framing (Phase A).
+ *
+ * Deterministic, length-prefixed framing for the delta and coverage hashes.
+ * Web-safe: uses Uint8Array + TextEncoder only (this package is imported by
+ * the dashboard and other non-Node surfaces). No Node Buffer, no crypto here —
+ * hashing of the framed bytes happens in the governance-runtime core.
+ *
+ * Why length-prefixed framing (and not a delimiter join):
+ *   A delimiter such as "\0" or "\t" can appear inside a path, so a delimiter
+ *   join lets two distinct field sets collapse to the same byte stream
+ *   (e.g. ["a\tb"] vs ["a","b"]). Every field and every record here is prefixed
+ *   with its exact byte length, so field and record boundaries are
+ *   unambiguous and no path content can forge a boundary.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ADMISSION_COVERAGE_SET_HASH_DOMAIN = exports.ADMISSION_DELTA_HASH_DOMAIN = exports.ADMISSION_FRAMING_VERSION = void 0;
+exports.frameField = frameField;
+exports.frameFields = frameFields;
+exports.frameRecordSet = frameRecordSet;
+/** Schema/domain version for the framing contract. Bump only on a breaking framing change. */
+exports.ADMISSION_FRAMING_VERSION = 'neurcode.admission-framing.v1';
+/** Domain separators so delta and coverage hashes can never alias each other. */
+exports.ADMISSION_DELTA_HASH_DOMAIN = 'neurcode.admission.delta.v1';
+exports.ADMISSION_COVERAGE_SET_HASH_DOMAIN = 'neurcode.admission.coverage-set.v1';
+const textEncoder = new TextEncoder();
+function u32be(value) {
+    if (!Number.isInteger(value) || value < 0 || value > 0xffffffff) {
+        throw new Error(`admission framing: length out of range: ${value}`);
+    }
+    const out = new Uint8Array(4);
+    const view = new DataView(out.buffer);
+    view.setUint32(0, value, false);
+    return out;
+}
+function concatBytes(parts) {
+    let total = 0;
+    for (const part of parts)
+        total += part.length;
+    const out = new Uint8Array(total);
+    let offset = 0;
+    for (const part of parts) {
+        out.set(part, offset);
+        offset += part.length;
+    }
+    return out;
+}
+/** Frame a single field as: u32be(byteLength) ‖ utf8(value). */
+function frameField(value) {
+    const bytes = textEncoder.encode(value);
+    return concatBytes([u32be(bytes.length), bytes]);
+}
+/** Frame an ordered list of fields. Order is preserved; the caller sorts records. */
+function frameFields(fields) {
+    return concatBytes(fields.map((field) => frameField(field)));
+}
+/**
+ * Frame a header plus an ordered set of records into one canonical byte stream.
+ *
+ * Layout:
+ *   frameFields(header)
+ *   for each record: u32be(recordByteLength) ‖ frameFields(record)
+ *
+ * Records must already be canonically sorted by the caller (the hash functions
+ * sort before calling this, which is what makes shuffled input produce an
+ * identical hash). Double length-prefixing (record length + per-field length)
+ * makes both record and field boundaries unambiguous.
+ */
+function frameRecordSet(header, records) {
+    const parts = [frameFields(header)];
+    for (const record of records) {
+        const recordBytes = frameFields(record);
+        parts.push(u32be(recordBytes.length), recordBytes);
+    }
+    return concatBytes(parts);
+}
+//# sourceMappingURL=framing.js.map

package/dist/admission/framing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"framing.js","sourceRoot":"","sources":["../../src/admission/framing.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;AAkCH,gCAGC;AAGD,kCAEC;AAcD,wCAOC;AA7DD,8FAA8F;AACjF,QAAA,yBAAyB,GAAG,+BAAwC,CAAC;AAElF,iFAAiF;AACpE,QAAA,2BAA2B,GAAG,6BAAsC,CAAC;AACrE,QAAA,kCAAkC,GAAG,oCAA6C,CAAC;AAEhG,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;AAEtC,SAAS,KAAK,CAAC,KAAa;IAC1B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,UAAU,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,2CAA2C,KAAK,EAAE,CAAC,CAAC;IACtE,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9B,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACtC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;IAChC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,WAAW,CAAC,KAAmB;IACtC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,MAAM,IAAI,IAAI,KAAK;QAAE,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACtB,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC;IACxB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,gEAAgE;AAChE,SAAgB,UAAU,CAAC,KAAa;IACtC,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACxC,OAAO,WAAW,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,qFAAqF;AACrF,SAAgB,WAAW,CAAC,MAAyB;IACnD,OAAO,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,cAAc,CAAC,MAAyB,EAAE,OAAuC;IAC/F,MAAM,KAAK,GAAiB,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;IAClD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QACxC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,WAAW,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;AAC5B,CAAC"}

package/dist/admission/index.d.ts

@@ -0,0 +1,4 @@
+export { ADMISSION_COVERAGE_MANIFEST_SCHEMA_VERSION, ADMISSION_CONSISTENCY_DECISION_SCHEMA_VERSION, SELF_ATTESTED_ADMISSION_RECORD_SCHEMA_VERSION, SELF_ATTESTED_ADMISSION_DISCLAIMER, GIT_MODE_ABSENT, GIT_MODE_BLOB, GIT_MODE_EXEC, GIT_MODE_SUBMODULE, GIT_MODE_SYMLINK, coverageEntryCanonicalFields, coverageEntryIdentityKey, deltaEntryCanonicalFields, isAdmissibleClassification, isGovernedClassification, isKnownGitMode, isStrictlyAdmissible, isValidObjectId, isZeroObjectId, objectIdHexLength, objectTypeForMode, zeroObjectId, type AdmissionCaptureDescriptor, type AdmissionCaptureMode, type AdmissionChangeType, type AdmissionEligibilityMode, type AdmissionEligibilityOptions, type AdmissionConsistencyDecision, type AdmissionConsistencyVerdict, type AdmissionCoverageClassification, type AdmissionCoverageEntry, type AdmissionCoverageManifest, type AdmissionDeltaEntry, type AdmissionObjectType, type AdmissionRepoIdentifiers, type AdmissionSessionRef, type GitObjectFormat, type RuntimeAdmissionAgentHost, type RuntimeAdmissionContext, type RuntimeAdmissionReceiptSummary, type RuntimeAdmissionTrustLevel, type SelfAttestedAdmissionRecord, } from './schema';
+export { ADMISSION_COVERAGE_SET_HASH_DOMAIN, ADMISSION_DELTA_HASH_DOMAIN, ADMISSION_FRAMING_VERSION, frameField, frameFields, frameRecordSet, } from './framing';
+export { ADMISSION_SOURCE_LIKE_KEYS, AdmissionSourceLeakError, assertSourceFreeAdmissionValue, } from './privacy';
+//# sourceMappingURL=index.d.ts.map

package/dist/admission/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/admission/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,0CAA0C,EAC1C,6CAA6C,EAC7C,6CAA6C,EAC7C,kCAAkC,EAClC,eAAe,EACf,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EAChB,4BAA4B,EAC5B,wBAAwB,EACxB,yBAAyB,EACzB,0BAA0B,EAC1B,wBAAwB,EACxB,cAAc,EACd,oBAAoB,EACpB,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,iBAAiB,EACjB,YAAY,EACZ,KAAK,0BAA0B,EAC/B,KAAK,oBAAoB,EACzB,KAAK,mBAAmB,EACxB,KAAK,wBAAwB,EAC7B,KAAK,2BAA2B,EAChC,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,KAAK,+BAA+B,EACpC,KAAK,sBAAsB,EAC3B,KAAK,yBAAyB,EAC9B,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,wBAAwB,EAC7B,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,KAAK,yBAAyB,EAC9B,KAAK,uBAAuB,EAC5B,KAAK,8BAA8B,EACnC,KAAK,0BAA0B,EAC/B,KAAK,2BAA2B,GACjC,MAAM,UAAU,CAAC;AAElB,OAAO,EACL,kCAAkC,EAClC,2BAA2B,EAC3B,yBAAyB,EACzB,UAAU,EACV,WAAW,EACX,cAAc,GACf,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,0BAA0B,EAC1B,wBAAwB,EACxB,8BAA8B,GAC/B,MAAM,WAAW,CAAC"}

package/dist/admission/index.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertSourceFreeAdmissionValue = exports.AdmissionSourceLeakError = exports.ADMISSION_SOURCE_LIKE_KEYS = exports.frameRecordSet = exports.frameFields = exports.frameField = exports.ADMISSION_FRAMING_VERSION = exports.ADMISSION_DELTA_HASH_DOMAIN = exports.ADMISSION_COVERAGE_SET_HASH_DOMAIN = exports.zeroObjectId = exports.objectTypeForMode = exports.objectIdHexLength = exports.isZeroObjectId = exports.isValidObjectId = exports.isStrictlyAdmissible = exports.isKnownGitMode = exports.isGovernedClassification = exports.isAdmissibleClassification = exports.deltaEntryCanonicalFields = exports.coverageEntryIdentityKey = exports.coverageEntryCanonicalFields = exports.GIT_MODE_SYMLINK = exports.GIT_MODE_SUBMODULE = exports.GIT_MODE_EXEC = exports.GIT_MODE_BLOB = exports.GIT_MODE_ABSENT = exports.SELF_ATTESTED_ADMISSION_DISCLAIMER = exports.SELF_ATTESTED_ADMISSION_RECORD_SCHEMA_VERSION = exports.ADMISSION_CONSISTENCY_DECISION_SCHEMA_VERSION = exports.ADMISSION_COVERAGE_MANIFEST_SCHEMA_VERSION = void 0;
+var schema_1 = require("./schema");
+Object.defineProperty(exports, "ADMISSION_COVERAGE_MANIFEST_SCHEMA_VERSION", { enumerable: true, get: function () { return schema_1.ADMISSION_COVERAGE_MANIFEST_SCHEMA_VERSION; } });
+Object.defineProperty(exports, "ADMISSION_CONSISTENCY_DECISION_SCHEMA_VERSION", { enumerable: true, get: function () { return schema_1.ADMISSION_CONSISTENCY_DECISION_SCHEMA_VERSION; } });
+Object.defineProperty(exports, "SELF_ATTESTED_ADMISSION_RECORD_SCHEMA_VERSION", { enumerable: true, get: function () { return schema_1.SELF_ATTESTED_ADMISSION_RECORD_SCHEMA_VERSION; } });
+Object.defineProperty(exports, "SELF_ATTESTED_ADMISSION_DISCLAIMER", { enumerable: true, get: function () { return schema_1.SELF_ATTESTED_ADMISSION_DISCLAIMER; } });
+Object.defineProperty(exports, "GIT_MODE_ABSENT", { enumerable: true, get: function () { return schema_1.GIT_MODE_ABSENT; } });
+Object.defineProperty(exports, "GIT_MODE_BLOB", { enumerable: true, get: function () { return schema_1.GIT_MODE_BLOB; } });
+Object.defineProperty(exports, "GIT_MODE_EXEC", { enumerable: true, get: function () { return schema_1.GIT_MODE_EXEC; } });
+Object.defineProperty(exports, "GIT_MODE_SUBMODULE", { enumerable: true, get: function () { return schema_1.GIT_MODE_SUBMODULE; } });
+Object.defineProperty(exports, "GIT_MODE_SYMLINK", { enumerable: true, get: function () { return schema_1.GIT_MODE_SYMLINK; } });
+Object.defineProperty(exports, "coverageEntryCanonicalFields", { enumerable: true, get: function () { return schema_1.coverageEntryCanonicalFields; } });
+Object.defineProperty(exports, "coverageEntryIdentityKey", { enumerable: true, get: function () { return schema_1.coverageEntryIdentityKey; } });
+Object.defineProperty(exports, "deltaEntryCanonicalFields", { enumerable: true, get: function () { return schema_1.deltaEntryCanonicalFields; } });
+Object.defineProperty(exports, "isAdmissibleClassification", { enumerable: true, get: function () { return schema_1.isAdmissibleClassification; } });
+Object.defineProperty(exports, "isGovernedClassification", { enumerable: true, get: function () { return schema_1.isGovernedClassification; } });
+Object.defineProperty(exports, "isKnownGitMode", { enumerable: true, get: function () { return schema_1.isKnownGitMode; } });
+Object.defineProperty(exports, "isStrictlyAdmissible", { enumerable: true, get: function () { return schema_1.isStrictlyAdmissible; } });
+Object.defineProperty(exports, "isValidObjectId", { enumerable: true, get: function () { return schema_1.isValidObjectId; } });
+Object.defineProperty(exports, "isZeroObjectId", { enumerable: true, get: function () { return schema_1.isZeroObjectId; } });
+Object.defineProperty(exports, "objectIdHexLength", { enumerable: true, get: function () { return schema_1.objectIdHexLength; } });
+Object.defineProperty(exports, "objectTypeForMode", { enumerable: true, get: function () { return schema_1.objectTypeForMode; } });
+Object.defineProperty(exports, "zeroObjectId", { enumerable: true, get: function () { return schema_1.zeroObjectId; } });
+var framing_1 = require("./framing");
+Object.defineProperty(exports, "ADMISSION_COVERAGE_SET_HASH_DOMAIN", { enumerable: true, get: function () { return framing_1.ADMISSION_COVERAGE_SET_HASH_DOMAIN; } });
+Object.defineProperty(exports, "ADMISSION_DELTA_HASH_DOMAIN", { enumerable: true, get: function () { return framing_1.ADMISSION_DELTA_HASH_DOMAIN; } });
+Object.defineProperty(exports, "ADMISSION_FRAMING_VERSION", { enumerable: true, get: function () { return framing_1.ADMISSION_FRAMING_VERSION; } });
+Object.defineProperty(exports, "frameField", { enumerable: true, get: function () { return framing_1.frameField; } });
+Object.defineProperty(exports, "frameFields", { enumerable: true, get: function () { return framing_1.frameFields; } });
+Object.defineProperty(exports, "frameRecordSet", { enumerable: true, get: function () { return framing_1.frameRecordSet; } });
+var privacy_1 = require("./privacy");
+Object.defineProperty(exports, "ADMISSION_SOURCE_LIKE_KEYS", { enumerable: true, get: function () { return privacy_1.ADMISSION_SOURCE_LIKE_KEYS; } });
+Object.defineProperty(exports, "AdmissionSourceLeakError", { enumerable: true, get: function () { return privacy_1.AdmissionSourceLeakError; } });
+Object.defineProperty(exports, "assertSourceFreeAdmissionValue", { enumerable: true, get: function () { return privacy_1.assertSourceFreeAdmissionValue; } });
+//# sourceMappingURL=index.js.map

package/dist/admission/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/admission/index.ts"],"names":[],"mappings":";;;AAAA,mCA0CkB;AAzChB,oIAAA,0CAA0C,OAAA;AAC1C,uIAAA,6CAA6C,OAAA;AAC7C,uIAAA,6CAA6C,OAAA;AAC7C,4HAAA,kCAAkC,OAAA;AAClC,yGAAA,eAAe,OAAA;AACf,uGAAA,aAAa,OAAA;AACb,uGAAA,aAAa,OAAA;AACb,4GAAA,kBAAkB,OAAA;AAClB,0GAAA,gBAAgB,OAAA;AAChB,sHAAA,4BAA4B,OAAA;AAC5B,kHAAA,wBAAwB,OAAA;AACxB,mHAAA,yBAAyB,OAAA;AACzB,oHAAA,0BAA0B,OAAA;AAC1B,kHAAA,wBAAwB,OAAA;AACxB,wGAAA,cAAc,OAAA;AACd,8GAAA,oBAAoB,OAAA;AACpB,yGAAA,eAAe,OAAA;AACf,wGAAA,cAAc,OAAA;AACd,2GAAA,iBAAiB,OAAA;AACjB,2GAAA,iBAAiB,OAAA;AACjB,sGAAA,YAAY,OAAA;AAuBd,qCAOmB;AANjB,6HAAA,kCAAkC,OAAA;AAClC,sHAAA,2BAA2B,OAAA;AAC3B,oHAAA,yBAAyB,OAAA;AACzB,qGAAA,UAAU,OAAA;AACV,sGAAA,WAAW,OAAA;AACX,yGAAA,cAAc,OAAA;AAGhB,qCAImB;AAHjB,qHAAA,0BAA0B,OAAA;AAC1B,mHAAA,wBAAwB,OAAA;AACxB,yHAAA,8BAA8B,OAAA"}

package/dist/admission/privacy.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Runtime Admission — source-free privacy guard (Phase A).
+ *
+ * The admission artifact may contain only: paths, object ids, modes, hashes,
+ * classifications, timestamps, session ids, and version strings. It must never
+ * contain file content, diff hunks, patch text, excerpts, or secrets.
+ *
+ * This guard is a denylist on key names (mirrors the runtime-sync upload guard)
+ * plus a value-shape check. It is intentionally conservative: any source-like
+ * key anywhere in the structure throws.
+ */
+/** Keys that would indicate source content / diffs / secrets leaked into the artifact. */
+export declare const ADMISSION_SOURCE_LIKE_KEYS: ReadonlySet<string>;
+export declare class AdmissionSourceLeakError extends Error {
+    readonly keyPath: string;
+    constructor(keyPath: string);
+}
+/**
+ * Walk a value and throw AdmissionSourceLeakError if any object key is a
+ * source-like key. Arrays and nested objects are walked recursively.
+ */
+export declare function assertSourceFreeAdmissionValue(value: unknown, path?: string): void;
+//# sourceMappingURL=privacy.d.ts.map

package/dist/admission/privacy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"privacy.d.ts","sourceRoot":"","sources":["../../src/admission/privacy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,0FAA0F;AAC1F,eAAO,MAAM,0BAA0B,EAAE,WAAW,CAAC,MAAM,CAyCzD,CAAC;AAEH,qBAAa,wBAAyB,SAAQ,KAAK;aACrB,OAAO,EAAE,MAAM;gBAAf,OAAO,EAAE,MAAM;CAI5C;AAeD;;;GAGG;AACH,wBAAgB,8BAA8B,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,SAAc,GAAG,IAAI,CAYvF"}

package/dist/admission/privacy.js

@@ -0,0 +1,99 @@
+"use strict";
+/**
+ * Runtime Admission — source-free privacy guard (Phase A).
+ *
+ * The admission artifact may contain only: paths, object ids, modes, hashes,
+ * classifications, timestamps, session ids, and version strings. It must never
+ * contain file content, diff hunks, patch text, excerpts, or secrets.
+ *
+ * This guard is a denylist on key names (mirrors the runtime-sync upload guard)
+ * plus a value-shape check. It is intentionally conservative: any source-like
+ * key anywhere in the structure throws.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdmissionSourceLeakError = exports.ADMISSION_SOURCE_LIKE_KEYS = void 0;
+exports.assertSourceFreeAdmissionValue = assertSourceFreeAdmissionValue;
+/** Keys that would indicate source content / diffs / secrets leaked into the artifact. */
+exports.ADMISSION_SOURCE_LIKE_KEYS = new Set([
+    'content',
+    'fileContent',
+    'file_content',
+    'sourceText',
+    'source_text',
+    'sourceCode',
+    'source_code',
+    'source',
+    'body',
+    'text',
+    'diff',
+    'diffText',
+    'diff_text',
+    'diffHunk',
+    'diffHunks',
+    'patch',
+    'patchText',
+    'patchBody',
+    'patch_body',
+    'hunk',
+    'hunks',
+    'excerpt',
+    'snippet',
+    'before',
+    'after',
+    'blobContent',
+    'contents',
+    'prompt',
+    'rawPrompt',
+    'raw_prompt',
+    'promptWithSource',
+    'prompt_with_source',
+    'commandBody',
+    'command_body',
+    'shellCommand',
+    'shell_command',
+    'secret',
+    'secrets',
+    'token',
+    'password',
+]);
+class AdmissionSourceLeakError extends Error {
+    keyPath;
+    constructor(keyPath) {
+        super(`admission artifact contains source-like key: ${keyPath}`);
+        this.keyPath = keyPath;
+        this.name = 'AdmissionSourceLeakError';
+    }
+}
+exports.AdmissionSourceLeakError = AdmissionSourceLeakError;
+function isSourceLikeAdmissionKey(key) {
+    if (exports.ADMISSION_SOURCE_LIKE_KEYS.has(key))
+        return true;
+    const normalized = key.toLowerCase().replace(/[^a-z0-9_]/g, '');
+    const compact = normalized.replace(/_/g, '');
+    for (const blocked of exports.ADMISSION_SOURCE_LIKE_KEYS) {
+        const blockedNormalized = blocked.toLowerCase().replace(/[^a-z0-9_]/g, '');
+        if (normalized === blockedNormalized || compact === blockedNormalized.replace(/_/g, '')) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Walk a value and throw AdmissionSourceLeakError if any object key is a
+ * source-like key. Arrays and nested objects are walked recursively.
+ */
+function assertSourceFreeAdmissionValue(value, path = 'admission') {
+    if (Array.isArray(value)) {
+        value.forEach((item, index) => assertSourceFreeAdmissionValue(item, `${path}[${index}]`));
+        return;
+    }
+    if (!value || typeof value !== 'object')
+        return;
+    for (const [key, child] of Object.entries(value)) {
+        if (isSourceLikeAdmissionKey(key)) {
+            throw new AdmissionSourceLeakError(`${path}.${key}`);
+        }
+        assertSourceFreeAdmissionValue(child, `${path}.${key}`);
+    }
+}
+//# sourceMappingURL=privacy.js.map

package/dist/admission/privacy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"privacy.js","sourceRoot":"","sources":["../../src/admission/privacy.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AAsEH,wEAYC;AAhFD,0FAA0F;AAC7E,QAAA,0BAA0B,GAAwB,IAAI,GAAG,CAAC;IACrE,SAAS;IACT,aAAa;IACb,cAAc;IACd,YAAY;IACZ,aAAa;IACb,YAAY;IACZ,aAAa;IACb,QAAQ;IACR,MAAM;IACN,MAAM;IACN,MAAM;IACN,UAAU;IACV,WAAW;IACX,UAAU;IACV,WAAW;IACX,OAAO;IACP,WAAW;IACX,WAAW;IACX,YAAY;IACZ,MAAM;IACN,OAAO;IACP,SAAS;IACT,SAAS;IACT,QAAQ;IACR,OAAO;IACP,aAAa;IACb,UAAU;IACV,QAAQ;IACR,WAAW;IACX,YAAY;IACZ,kBAAkB;IAClB,oBAAoB;IACpB,aAAa;IACb,cAAc;IACd,cAAc;IACd,eAAe;IACf,QAAQ;IACR,SAAS;IACT,OAAO;IACP,UAAU;CACX,CAAC,CAAC;AAEH,MAAa,wBAAyB,SAAQ,KAAK;IACrB;IAA5B,YAA4B,OAAe;QACzC,KAAK,CAAC,gDAAgD,OAAO,EAAE,CAAC,CAAC;QADvC,YAAO,GAAP,OAAO,CAAQ;QAEzC,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;IACzC,CAAC;CACF;AALD,4DAKC;AAED,SAAS,wBAAwB,CAAC,GAAW;IAC3C,IAAI,kCAA0B,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,MAAM,UAAU,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC7C,KAAK,MAAM,OAAO,IAAI,kCAA0B,EAAE,CAAC;QACjD,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QAC3E,IAAI,UAAU,KAAK,iBAAiB,IAAI,OAAO,KAAK,iBAAiB,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC;YACxF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAgB,8BAA8B,CAAC,KAAc,EAAE,IAAI,GAAG,WAAW;IAC/E,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,8BAA8B,CAAC,IAAI,EAAE,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC;QAC1F,OAAO;IACT,CAAC;IACD,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO;IAChD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC,EAAE,CAAC;QAC5E,IAAI,wBAAwB,CAAC,GAAG,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,wBAAwB,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;QACvD,CAAC;QACD,8BAA8B,CAAC,KAAK,EAAE,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;IAC1D,CAAC;AACH,CAAC"}

package/dist/admission/schema.d.ts

@@ -0,0 +1,277 @@
+/**
+ * Runtime Admission — Phase A schema (Provenance Core V1).
+ *
+ * Source-free, deterministic provenance types shared across CLI, the future
+ * OSS advisory Action, and future Enterprise enforcement. Phase A defines the
+ * normalized git tree-delta, the governed coverage manifest, the self-attested
+ * local artifact, and the consistency decision. No signing, no receipts, no
+ * backend, no Action here — those are later phases.
+ *
+ * Two distinct hashes by design (do not collapse them):
+ *   - deltaHash:       exact, base-specific tree-delta fingerprint (debugging /
+ *                      deterministic reproduction).
+ *   - coverageSetHash: governed-effect set fingerprint used for squash/rebase-
+ *                      survivable, per-entry subset matching of a PR to sessions.
+ */
+export declare const ADMISSION_COVERAGE_MANIFEST_SCHEMA_VERSION: "neurcode.admission-coverage.v1";
+export declare const SELF_ATTESTED_ADMISSION_RECORD_SCHEMA_VERSION: "neurcode.admission-record.v1";
+export declare const ADMISSION_CONSISTENCY_DECISION_SCHEMA_VERSION: "neurcode.admission-consistency.v1";
+/**
+ * Mandatory honesty label. A locally committed artifact is authored by the same
+ * untrusted principal who authored the diff, so it can be fabricated with
+ * matching object ids. It is a claim, never proof.
+ */
+export declare const SELF_ATTESTED_ADMISSION_DISCLAIMER: string;
+/** Git object hash format. Determines object-id hex width (40 vs 64). */
+export type GitObjectFormat = 'sha1' | 'sha256';
+/** Post-image (or pre-image, for deletes) object kind, derived from git mode. */
+export type AdmissionObjectType = 'blob' | 'symlink' | 'submodule' | 'absent';
+/** Normalized change kind. Renames are normalized to delete + add (never a 'rename' type). */
+export type AdmissionChangeType = 'added' | 'modified' | 'deleted' | 'typechanged';
+/**
+ * Descriptive classification of a covered effect (source-free).
+ *
+ * NOTE: classification is descriptive, not an eligibility verdict. Strict
+ * runtime admission (see `isStrictlyAdmissible`) accepts only pre-write
+ * governance (`governed_prewrite`, `governed_delete`). `observed_postwrite`
+ * means the write was only observed after the fact — visible, but NOT strictly
+ * admissible. `generated` is admissible only under an explicit policy opt-in.
+ */
+export type AdmissionCoverageClassification = 'governed_prewrite' | 'governed_delete' | 'observed_postwrite' | 'generated' | 'ungoverned';
+/** Canonical git file modes used by this contract. */
+export declare const GIT_MODE_BLOB: "100644";
+export declare const GIT_MODE_EXEC: "100755";
+export declare const GIT_MODE_SYMLINK: "120000";
+export declare const GIT_MODE_SUBMODULE: "160000";
+export declare const GIT_MODE_ABSENT: "000000";
+/**
+ * Exact normalized tree-delta entry. Object ids are content-addressed git
+ * hashes (non-invertible); no file content is ever carried.
+ */
+export interface AdmissionDeltaEntry {
+    /** Post-image path; for a delete, the deleted path. */
+    path: string;
+    changeType: AdmissionChangeType;
+    /** Object kind of the side that carries identity (new side, or old side for deletes). */
+    objectType: AdmissionObjectType;
+    /** Pre-image mode, or '000000' when absent (added). */
+    oldMode: string;
+    /** Post-image mode, or '000000' when absent (deleted). */
+    newMode: string;
+    /** Pre-image object id, or the all-zeros id when absent. */
+    oldObjectId: string;
+    /** Post-image object id, or the all-zeros id when absent. */
+    newObjectId: string;
+}
+/**
+ * A single governed effect. Identity fields per the matching contract:
+ *   added/modified/typechanged → path + newMode + newObjectId
+ *   deleted                    → path + oldMode + oldObjectId
+ * The identity mode/id are flattened into `mode`/`objectId` so matching is a
+ * simple per-entry set membership test. `classification` and `sessions` are
+ * annotations and are intentionally excluded from coverageSetHash.
+ */
+export interface AdmissionCoverageEntry {
+    path: string;
+    changeType: AdmissionChangeType;
+    objectType: AdmissionObjectType;
+    /** Identity mode: newMode for non-deletes, oldMode for deletes. */
+    mode: string;
+    /** Identity object id: newObjectId for non-deletes, oldObjectId for deletes. */
+    objectId: string;
+    classification: AdmissionCoverageClassification;
+    /** Contributing governed session ids, sorted and de-duplicated. */
+    sessions: string[];
+}
+export interface AdmissionCoverageManifest {
+    schemaVersion: typeof ADMISSION_COVERAGE_MANIFEST_SCHEMA_VERSION;
+    objectFormat: GitObjectFormat;
+    framingVersion: string;
+    entryCount: number;
+    /** Exact, base-specific normalized tree-delta fingerprint (full SHA-256 hex). */
+    deltaHash: string;
+    /** Squash/rebase-survivable governed-effect set fingerprint (full SHA-256 hex). */
+    coverageSetHash: string;
+    /** Normalized delta entries, canonically sorted. */
+    delta: AdmissionDeltaEntry[];
+    /** Derived governed coverage entries, canonically sorted. */
+    coverage: AdmissionCoverageEntry[];
+}
+export interface AdmissionSessionRef {
+    sessionId: string;
+    replayHash?: string;
+    profileHash?: string;
+}
+export type AdmissionCaptureMode = 'worktree' | 'committed';
+export interface AdmissionCaptureDescriptor {
+    mode: AdmissionCaptureMode;
+    capturedAt: string;
+    baseRef?: string;
+    headRef?: string;
+}
+/** Source-free repo identifiers. Hashes of local/remote paths, never the URL itself. */
+export interface AdmissionRepoIdentifiers {
+    name?: string;
+    rootHash?: string;
+    remoteHash?: string;
+}
+export type RuntimeAdmissionTrustLevel = 'unsigned_local' | 'self_attested' | 'backend_signed';
+export interface RuntimeAdmissionAgentHost {
+    adapter: string | null;
+    enforcementLevel: string | null;
+    controlLevel?: string | null;
+    automatic?: boolean;
+}
+export interface RuntimeAdmissionReceiptSummary {
+    present: boolean;
+    trustLevel: RuntimeAdmissionTrustLevel;
+    receiptId?: string;
+    keyId?: string | null;
+    replayHash?: string | null;
+    signatureStatus?: string | null;
+    verificationStatus?: string | null;
+    signedAt?: string | null;
+    verifier?: string | null;
+}
+export interface RuntimeAdmissionContext {
+    schemaVersion: 'neurcode.runtime-admission-context.v1';
+    trustLevel: RuntimeAdmissionTrustLevel;
+    createdAt: string;
+    sessionId: string;
+    sessionStatus: 'active' | 'finished' | string;
+    agentHost: RuntimeAdmissionAgentHost;
+    intentSummary: string | null;
+    scopeMode: string | null;
+    counts: {
+        changedPaths: number;
+        blockedPaths: number;
+        suggestedApprovalPaths: number;
+        approvedExactPaths: number;
+        deniedPaths: number;
+        approvalRequiredSurfaces: number;
+        owners: number;
+        preWriteChecks: number;
+        allowedChecks: number;
+        warningChecks: number;
+    };
+    paths: {
+        changed: string[];
+        blocked: string[];
+        suggestedApproval: string[];
+        approvedExact: string[];
+        denied: string[];
+        approvalRequiredSurfaces: string[];
+    };
+    owners: Array<{
+        owner: string;
+        count: number;
+    }>;
+    guard: {
+        status: string;
+        verifiedPrewrite: number;
+        deniedButChanged: number;
+        unverifiedWrites: number;
+        observedAfterOnly: number;
+    };
+    integrity: {
+        sourceFree: true;
+        replayHash: string | null;
+        replayHashStatus: 'present' | 'missing';
+        deltaHash: string;
+        coverageSetHash: string;
+        evidenceIntegrityStatus: 'local_self_attested' | 'backend_signed' | 'unsigned_local';
+        receipt: RuntimeAdmissionReceiptSummary;
+    };
+}
+/**
+ * The local runtime artifact, written to ignored runtime state under
+ * .neurcode/admission/<sessionId>.json. A selected record may later be exported
+ * explicitly for the OSS advisory Action. Self-attested by construction — see
+ * SELF_ATTESTED_ADMISSION_DISCLAIMER.
+ */
+export interface SelfAttestedAdmissionRecord {
+    schemaVersion: typeof SELF_ATTESTED_ADMISSION_RECORD_SCHEMA_VERSION;
+    attestationKind: 'self-attested';
+    admissionContractVersion: string;
+    disclaimer: string;
+    sessionId: string;
+    sessionRefs: AdmissionSessionRef[];
+    repo: AdmissionRepoIdentifiers;
+    capture: AdmissionCaptureDescriptor;
+    manifest: AdmissionCoverageManifest;
+    runtimeContext?: RuntimeAdmissionContext;
+}
+export type AdmissionConsistencyVerdict = 'self_attested_complete' | 'self_attested_incomplete' | 'self_attested_inconsistent' | 'no_record';
+/**
+ * Output of validating a self-attested record against a recomputed ground-truth
+ * delta. `trustLevel` is always 'self-attested' in Phase A; `notProof` is always
+ * true. Coverage verdict is decided by per-entry subset matching (squash/rebase
+ * survivable). `deltaHashMatches` is a diagnostic only and never gates coverage.
+ */
+export interface AdmissionConsistencyDecision {
+    schemaVersion: typeof ADMISSION_CONSISTENCY_DECISION_SCHEMA_VERSION;
+    verdict: AdmissionConsistencyVerdict;
+    trustLevel: 'self-attested';
+    notProof: true;
+    /** True only when the PR delta is byte-identical to the captured delta (same base, no rebase). */
+    deltaHashMatches: boolean;
+    /** Ground-truth changed paths covered by an admission-eligible entry. */
+    coveredPaths: string[];
+    /** Ground-truth paths with no admission-eligible coverage (drift / post-session edits). */
+    uncoveredPaths: string[];
+    /** Coverage entries not present in the ground-truth delta (stale/multi-session/padding). */
+    unexpectedCoverage: string[];
+    reasons: string[];
+}
+export declare function objectIdHexLength(format: GitObjectFormat): number;
+export declare function zeroObjectId(format: GitObjectFormat): string;
+export declare function isZeroObjectId(objectId: string): boolean;
+export declare function isValidObjectId(objectId: string, format: GitObjectFormat): boolean;
+export declare function isKnownGitMode(mode: string): boolean;
+export declare function objectTypeForMode(mode: string): AdmissionObjectType;
+/**
+ * Canonical, ordered field list for a delta entry. The field ORDER is part of
+ * the hashing contract and must never be reordered.
+ */
+export declare function deltaEntryCanonicalFields(entry: AdmissionDeltaEntry): string[];
+/**
+ * Canonical, ordered identity field list for a coverage entry.
+ *
+ * Identity per the matching contract:
+ *   present (added/modified/typechanged) → path + newMode + newObjectId
+ *   deleted                              → path + oldMode + oldObjectId
+ *
+ * `mode`/`objectId` already hold the correct side. `changeType` collapses to a
+ * single present/deleted flag so a squash/rebase that reclassifies modified↔added
+ * (same resulting content) still matches. `objectType` is derived from `mode` and
+ * is excluded. `classification` and `sessions` are annotations and excluded.
+ */
+export declare function coverageEntryCanonicalFields(entry: AdmissionCoverageEntry): string[];
+/** Stable in-memory identity key for set/union operations (not a security hash). */
+export declare function coverageEntryIdentityKey(entry: AdmissionCoverageEntry): string;
+/**
+ * Descriptive test: did this effect have ANY governance evidence (pre- or
+ * post-write, or generated)? Use this for descriptive surfaces (telemetry,
+ * "what did the runtime observe"). It is NOT the admission eligibility test.
+ */
+export declare function isGovernedClassification(classification: AdmissionCoverageClassification): boolean;
+export type AdmissionEligibilityMode = 'strict' | 'descriptive';
+export interface AdmissionEligibilityOptions {
+    /** 'strict' (default): pre-write governance only. 'descriptive': any evidence. */
+    mode?: AdmissionEligibilityMode;
+    /** When true, 'generated' counts as admissible under strict mode (explicit policy opt-in). */
+    allowGenerated?: boolean;
+}
+/**
+ * Strict runtime admission eligibility. Only pre-write governance is admissible:
+ * `governed_prewrite` and `governed_delete`. `observed_postwrite` is visible but
+ * NOT admissible (the write was only seen after it happened). `generated` is
+ * admissible only when `allowGenerated` is explicitly set by policy.
+ */
+export declare function isStrictlyAdmissible(classification: AdmissionCoverageClassification, options?: AdmissionEligibilityOptions): boolean;
+/**
+ * Eligibility predicate honoring the requested mode. Strict (default) uses
+ * `isStrictlyAdmissible`; descriptive uses `isGovernedClassification`.
+ */
+export declare function isAdmissibleClassification(classification: AdmissionCoverageClassification, options?: AdmissionEligibilityOptions): boolean;
+//# sourceMappingURL=schema.d.ts.map

package/dist/admission/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/admission/schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,eAAO,MAAM,0CAA0C,EAAG,gCAAyC,CAAC;AACpG,eAAO,MAAM,6CAA6C,EAAG,8BAAuC,CAAC;AACrG,eAAO,MAAM,6CAA6C,EAAG,mCAA4C,CAAC;AAE1G;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,EAAE,MAGqB,CAAC;AAEvE,yEAAyE;AACzE,MAAM,MAAM,eAAe,GAAG,MAAM,GAAG,QAAQ,CAAC;AAEhD,iFAAiF;AACjF,MAAM,MAAM,mBAAmB,GAAG,MAAM,GAAG,SAAS,GAAG,WAAW,GAAG,QAAQ,CAAC;AAE9E,8FAA8F;AAC9F,MAAM,MAAM,mBAAmB,GAAG,OAAO,GAAG,UAAU,GAAG,SAAS,GAAG,aAAa,CAAC;AAEnF;;;;;;;;GAQG;AACH,MAAM,MAAM,+BAA+B,GACvC,mBAAmB,GACnB,iBAAiB,GACjB,oBAAoB,GACpB,WAAW,GACX,YAAY,CAAC;AAEjB,sDAAsD;AACtD,eAAO,MAAM,aAAa,EAAG,QAAiB,CAAC;AAC/C,eAAO,MAAM,aAAa,EAAG,QAAiB,CAAC;AAC/C,eAAO,MAAM,gBAAgB,EAAG,QAAiB,CAAC;AAClD,eAAO,MAAM,kBAAkB,EAAG,QAAiB,CAAC;AACpD,eAAO,MAAM,eAAe,EAAG,QAAiB,CAAC;AAUjD;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,mBAAmB,CAAC;IAChC,yFAAyF;IACzF,UAAU,EAAE,mBAAmB,CAAC;IAChC,uDAAuD;IACvD,OAAO,EAAE,MAAM,CAAC;IAChB,0DAA0D;IAC1D,OAAO,EAAE,MAAM,CAAC;IAChB,4DAA4D;IAC5D,WAAW,EAAE,MAAM,CAAC;IACpB,6DAA6D;IAC7D,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,mBAAmB,CAAC;IAChC,UAAU,EAAE,mBAAmB,CAAC;IAChC,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAC;IACb,gFAAgF;IAChF,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,+BAA+B,CAAC;IAChD,mEAAmE;IACnE,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,yBAAyB;IACxC,aAAa,EAAE,OAAO,0CAA0C,CAAC;IACjE,YAAY,EAAE,eAAe,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,iFAAiF;IACjF,SAAS,EAAE,MAAM,CAAC;IAClB,mFAAmF;IACnF,eAAe,EAAE,MAAM,CAAC;IACxB,oDAAoD;IACpD,KAAK,EAAE,mBAAmB,EAAE,CAAC;IAC7B,6DAA6D;IAC7D,QAAQ,EAAE,sBAAsB,EAAE,CAAC;CACpC;AAED,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,MAAM,oBAAoB,GAAG,UAAU,GAAG,WAAW,CAAC;AAE5D,MAAM,WAAW,0BAA0B;IACzC,IAAI,EAAE,oBAAoB,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,wFAAwF;AACxF,MAAM,WAAW,wBAAwB;IACvC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,MAAM,0BAA0B,GAAG,gBAAgB,GAAG,eAAe,GAAG,gBAAgB,CAAC;AAE/F,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,8BAA8B;IAC7C,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,0BAA0B,CAAC;IACvC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,kBAAkB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,uBAAuB;IACtC,aAAa,EAAE,uCAAuC,CAAC;IACvD,UAAU,EAAE,0BAA0B,CAAC;IACvC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,QAAQ,GAAG,UAAU,GAAG,MAAM,CAAC;IAC9C,SAAS,EAAE,yBAAyB,CAAC;IACrC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE;QACN,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,CAAC;QACrB,sBAAsB,EAAE,MAAM,CAAC;QAC/B,kBAAkB,EAAE,MAAM,CAAC;QAC3B,WAAW,EAAE,MAAM,CAAC;QACpB,wBAAwB,EAAE,MAAM,CAAC;QACjC,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE,MAAM,CAAC;QACvB,aAAa,EAAE,MAAM,CAAC;QACtB,aAAa,EAAE,MAAM,CAAC;KACvB,CAAC;IACF,KAAK,EAAE;QACL,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,iBAAiB,EAAE,MAAM,EAAE,CAAC;QAC5B,aAAa,EAAE,MAAM,EAAE,CAAC;QACxB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,wBAAwB,EAAE,MAAM,EAAE,CAAC;KACpC,CAAC;IACF,MAAM,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAChD,KAAK,EAAE;QACL,MAAM,EAAE,MAAM,CAAC;QACf,gBAAgB,EAAE,MAAM,CAAC;QACzB,gBAAgB,EAAE,MAAM,CAAC;QACzB,gBAAgB,EAAE,MAAM,CAAC;QACzB,iBAAiB,EAAE,MAAM,CAAC;KAC3B,CAAC;IACF,SAAS,EAAE;QACT,UAAU,EAAE,IAAI,CAAC;QACjB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,gBAAgB,EAAE,SAAS,GAAG,SAAS,CAAC;QACxC,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,CAAC;QACxB,uBAAuB,EAAE,qBAAqB,GAAG,gBAAgB,GAAG,gBAAgB,CAAC;QACrF,OAAO,EAAE,8BAA8B,CAAC;KACzC,CAAC;CACH;AAED;;;;;GAKG;AACH,MAAM,WAAW,2BAA2B;IAC1C,aAAa,EAAE,OAAO,6CAA6C,CAAC;IACpE,eAAe,EAAE,eAAe,CAAC;IACjC,wBAAwB,EAAE,MAAM,CAAC;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,mBAAmB,EAAE,CAAC;IACnC,IAAI,EAAE,wBAAwB,CAAC;IAC/B,OAAO,EAAE,0BAA0B,CAAC;IACpC,QAAQ,EAAE,yBAAyB,CAAC;IACpC,cAAc,CAAC,EAAE,uBAAuB,CAAC;CAC1C;AAED,MAAM,MAAM,2BAA2B,GACnC,wBAAwB,GACxB,0BAA0B,GAC1B,4BAA4B,GAC5B,WAAW,CAAC;AAEhB;;;;;GAKG;AACH,MAAM,WAAW,4BAA4B;IAC3C,aAAa,EAAE,OAAO,6CAA6C,CAAC;IACpE,OAAO,EAAE,2BAA2B,CAAC;IACrC,UAAU,EAAE,eAAe,CAAC;IAC5B,QAAQ,EAAE,IAAI,CAAC;IACf,kGAAkG;IAClG,gBAAgB,EAAE,OAAO,CAAC;IAC1B,yEAAyE;IACzE,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,2FAA2F;IAC3F,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,4FAA4F;IAC5F,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAC7B,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAID,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM,CAEjE;AAED,wBAAgB,YAAY,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM,CAE5D;AAED,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAExD;AAED,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,CAGlF;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEpD;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,mBAAmB,CAcnE;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,mBAAmB,GAAG,MAAM,EAAE,CAU9E;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,sBAAsB,GAAG,MAAM,EAAE,CAGpF;AAED,oFAAoF;AACpF,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,sBAAsB,GAAG,MAAM,CAE9E;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,cAAc,EAAE,+BAA+B,GAAG,OAAO,CAOjG;AAED,MAAM,MAAM,wBAAwB,GAAG,QAAQ,GAAG,aAAa,CAAC;AAEhE,MAAM,WAAW,2BAA2B;IAC1C,kFAAkF;IAClF,IAAI,CAAC,EAAE,wBAAwB,CAAC;IAChC,8FAA8F;IAC9F,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,cAAc,EAAE,+BAA+B,EAC/C,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAIT;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,cAAc,EAAE,+BAA+B,EAC/C,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAKT"}