@office-ai/aioncli-core 0.30.0 → 0.30.2

package/dist/src/mcp/mcp-oauth-provider.test.js

@@ -0,0 +1,63 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { describe, it, expect, vi } from 'vitest';
+import { MCPOAuthClientProvider, } from './mcp-oauth-provider.js';
+describe('MCPOAuthClientProvider', () => {
+    const mockRedirectUrl = 'http://localhost:8090/callback';
+    const mockClientMetadata = {
+        client_name: 'Test Client',
+        redirect_uris: [mockRedirectUrl],
+        grant_types: ['authorization_code', 'refresh_token'],
+        response_types: ['code'],
+        token_endpoint_auth_method: 'client_secret_post',
+        scope: 'test-scope',
+    };
+    const mockState = 'test-state-123';
+    describe('oauth flow', () => {
+        it('should support full OAuth flow', async () => {
+            const onRedirectMock = vi.fn();
+            const provider = new MCPOAuthClientProvider(mockRedirectUrl, mockClientMetadata, mockState, onRedirectMock);
+            // Step 1: Save client information
+            const clientInfo = {
+                client_id: 'my-client-id',
+                client_secret: 'my-client-secret',
+            };
+            provider.saveClientInformation(clientInfo);
+            // Step 2: Save code verifier
+            provider.saveCodeVerifier('my-code-verifier');
+            // Step 3: Set up callback server
+            const mockAuthResponse = {
+                code: 'authorization-code',
+                state: mockState,
+            };
+            const mockServer = {
+                port: Promise.resolve(8090),
+                waitForResponse: vi.fn().mockResolvedValue(mockAuthResponse),
+                close: vi.fn().mockResolvedValue(undefined),
+            };
+            provider.saveCallbackServer(mockServer);
+            // Step 4: Redirect to authorization
+            const authUrl = new URL('http://auth.example.com/authorize');
+            await provider.redirectToAuthorization(authUrl);
+            // Step 5: Save tokens after exchange
+            const tokens = {
+                access_token: 'final-access-token',
+                token_type: 'Bearer',
+                expires_in: 3600,
+                refresh_token: 'final-refresh-token',
+            };
+            provider.saveTokens(tokens);
+            // Verify all data is stored correctly
+            expect(provider.clientInformation()).toEqual(clientInfo);
+            expect(provider.codeVerifier()).toBe('my-code-verifier');
+            expect(provider.state()).toBe(mockState);
+            expect(provider.tokens()).toEqual(tokens);
+            expect(onRedirectMock).toHaveBeenCalledWith(authUrl);
+            expect(provider.getSavedCallbackServer()).toBe(mockServer);
+        });
+    });
+});
+//# sourceMappingURL=mcp-oauth-provider.test.js.map

package/dist/src/mcp/mcp-oauth-provider.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-oauth-provider.test.js","sourceRoot":"","sources":["../../../src/mcp/mcp-oauth-provider.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EACL,sBAAsB,GAEvB,MAAM,yBAAyB,CAAC;AAOjC,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,MAAM,eAAe,GAAG,gCAAgC,CAAC;IACzD,MAAM,kBAAkB,GAAwB;QAC9C,WAAW,EAAE,aAAa;QAC1B,aAAa,EAAE,CAAC,eAAe,CAAC;QAChC,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;QACpD,cAAc,EAAE,CAAC,MAAM,CAAC;QACxB,0BAA0B,EAAE,oBAAoB;QAChD,KAAK,EAAE,YAAY;KACpB,CAAC;IACF,MAAM,SAAS,GAAG,gBAAgB,CAAC;IAEnC,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;QAC1B,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAC9C,MAAM,cAAc,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;YAC/B,MAAM,QAAQ,GAAG,IAAI,sBAAsB,CACzC,eAAe,EACf,kBAAkB,EAClB,SAAS,EACT,cAAc,CACf,CAAC;YAEF,kCAAkC;YAClC,MAAM,UAAU,GAA2B;gBACzC,SAAS,EAAE,cAAc;gBACzB,aAAa,EAAE,kBAAkB;aAClC,CAAC;YACF,QAAQ,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAC;YAE3C,6BAA6B;YAC7B,QAAQ,CAAC,gBAAgB,CAAC,kBAAkB,CAAC,CAAC;YAE9C,iCAAiC;YACjC,MAAM,gBAAgB,GAA+B;gBACnD,IAAI,EAAE,oBAAoB;gBAC1B,KAAK,EAAE,SAAS;aACjB,CAAC;YACF,MAAM,UAAU,GAAG;gBACjB,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC;gBAC3B,eAAe,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,gBAAgB,CAAC;gBAC5D,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,SAAS,CAAC;aAC5C,CAAC;YACF,QAAQ,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;YAExC,oCAAoC;YACpC,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,mCAAmC,CAAC,CAAC;YAC7D,MAAM,QAAQ,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;YAEhD,qCAAqC;YACrC,MAAM,MAAM,GAAgB;gBAC1B,YAAY,EAAE,oBAAoB;gBAClC,UAAU,EAAE,QAAQ;gBACpB,UAAU,EAAE,IAAI;gBAChB,aAAa,EAAE,qBAAqB;aACrC,CAAC;YACF,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YAE5B,sCAAsC;YACtC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YACzD,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YACzD,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACzC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,CAAC,cAAc,CAAC,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;YACrD,MAAM,CAAC,QAAQ,CAAC,sBAAsB,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/policy/integrity.d.ts

@@ -0,0 +1,45 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export declare enum IntegrityStatus {
+    MATCH = "MATCH",
+    MISMATCH = "MISMATCH",
+    NEW = "NEW"
+}
+export interface IntegrityResult {
+    status: IntegrityStatus;
+    hash: string;
+    fileCount: number;
+}
+export declare class PolicyIntegrityManager {
+    /**
+     * Checks the integrity of policies in a given directory against the stored hash.
+     *
+     * @param scope The scope of the policy (e.g., 'project', 'user').
+     * @param identifier A unique identifier for the policy scope (e.g., project path).
+     * @param policyDir The directory containing the policy files.
+     * @returns IntegrityResult indicating if the current policies match the stored hash.
+     */
+    checkIntegrity(scope: string, identifier: string, policyDir: string): Promise<IntegrityResult>;
+    /**
+     * Accepts and persists the current integrity hash for a given policy scope.
+     *
+     * @param scope The scope of the policy.
+     * @param identifier A unique identifier for the policy scope (e.g., project path).
+     * @param hash The hash to persist.
+     */
+    acceptIntegrity(scope: string, identifier: string, hash: string): Promise<void>;
+    /**
+     * Calculates a SHA-256 hash of all policy files in the directory.
+     * The hash includes the relative file path and content to detect renames and modifications.
+     *
+     * @param policyDir The directory containing the policy files.
+     * @returns The calculated hash and file count
+     */
+    private static calculateIntegrityHash;
+    private getIntegrityKey;
+    private loadIntegrityData;
+    private saveIntegrityData;
+}

package/dist/src/policy/integrity.js

@@ -0,0 +1,121 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs/promises';
+import * as path from 'node:path';
+import { Storage } from '../config/storage.js';
+import { readPolicyFiles } from './toml-loader.js';
+import { debugLogger } from '../utils/debugLogger.js';
+import { isNodeError } from '../utils/errors.js';
+export var IntegrityStatus;
+(function (IntegrityStatus) {
+    IntegrityStatus["MATCH"] = "MATCH";
+    IntegrityStatus["MISMATCH"] = "MISMATCH";
+    IntegrityStatus["NEW"] = "NEW";
+})(IntegrityStatus || (IntegrityStatus = {}));
+export class PolicyIntegrityManager {
+    /**
+     * Checks the integrity of policies in a given directory against the stored hash.
+     *
+     * @param scope The scope of the policy (e.g., 'project', 'user').
+     * @param identifier A unique identifier for the policy scope (e.g., project path).
+     * @param policyDir The directory containing the policy files.
+     * @returns IntegrityResult indicating if the current policies match the stored hash.
+     */
+    async checkIntegrity(scope, identifier, policyDir) {
+        const { hash: currentHash, fileCount } = await PolicyIntegrityManager.calculateIntegrityHash(policyDir);
+        const storedData = await this.loadIntegrityData();
+        const key = this.getIntegrityKey(scope, identifier);
+        const storedHash = storedData[key];
+        if (!storedHash) {
+            return { status: IntegrityStatus.NEW, hash: currentHash, fileCount };
+        }
+        if (storedHash === currentHash) {
+            return { status: IntegrityStatus.MATCH, hash: currentHash, fileCount };
+        }
+        return { status: IntegrityStatus.MISMATCH, hash: currentHash, fileCount };
+    }
+    /**
+     * Accepts and persists the current integrity hash for a given policy scope.
+     *
+     * @param scope The scope of the policy.
+     * @param identifier A unique identifier for the policy scope (e.g., project path).
+     * @param hash The hash to persist.
+     */
+    async acceptIntegrity(scope, identifier, hash) {
+        const storedData = await this.loadIntegrityData();
+        const key = this.getIntegrityKey(scope, identifier);
+        storedData[key] = hash;
+        await this.saveIntegrityData(storedData);
+    }
+    /**
+     * Calculates a SHA-256 hash of all policy files in the directory.
+     * The hash includes the relative file path and content to detect renames and modifications.
+     *
+     * @param policyDir The directory containing the policy files.
+     * @returns The calculated hash and file count
+     */
+    static async calculateIntegrityHash(policyDir) {
+        try {
+            const files = await readPolicyFiles(policyDir);
+            // Sort files by path to ensure deterministic hashing
+            files.sort((a, b) => a.path.localeCompare(b.path));
+            const hash = crypto.createHash('sha256');
+            for (const file of files) {
+                const relativePath = path.relative(policyDir, file.path);
+                // Include relative path and content in the hash
+                hash.update(relativePath);
+                hash.update('\0'); // Separator
+                hash.update(file.content);
+                hash.update('\0'); // Separator
+            }
+            return { hash: hash.digest('hex'), fileCount: files.length };
+        }
+        catch (error) {
+            debugLogger.error('Failed to calculate policy integrity hash', error);
+            // Return a unique hash (random) to force a mismatch if calculation fails?
+            // Or throw? Throwing is better so we don't accidentally accept/deny corrupted state.
+            throw error;
+        }
+    }
+    getIntegrityKey(scope, identifier) {
+        return `${scope}:${identifier}`;
+    }
+    async loadIntegrityData() {
+        const storagePath = Storage.getPolicyIntegrityStoragePath();
+        try {
+            const content = await fs.readFile(storagePath, 'utf-8');
+            const parsed = JSON.parse(content);
+            if (typeof parsed === 'object' &&
+                parsed !== null &&
+                Object.values(parsed).every((v) => typeof v === 'string')) {
+                // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
+                return parsed;
+            }
+            debugLogger.warn('Invalid policy integrity data format');
+            return {};
+        }
+        catch (error) {
+            if (isNodeError(error) && error.code === 'ENOENT') {
+                return {};
+            }
+            debugLogger.error('Failed to load policy integrity data', error);
+            return {};
+        }
+    }
+    async saveIntegrityData(data) {
+        const storagePath = Storage.getPolicyIntegrityStoragePath();
+        try {
+            await fs.mkdir(path.dirname(storagePath), { recursive: true });
+            await fs.writeFile(storagePath, JSON.stringify(data, null, 2), 'utf-8');
+        }
+        catch (error) {
+            debugLogger.error('Failed to save policy integrity data', error);
+            throw error;
+        }
+    }
+}
+//# sourceMappingURL=integrity.js.map

package/dist/src/policy/integrity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"integrity.js","sourceRoot":"","sources":["../../../src/policy/integrity.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEjD,MAAM,CAAN,IAAY,eAIX;AAJD,WAAY,eAAe;IACzB,kCAAe,CAAA;IACf,wCAAqB,CAAA;IACrB,8BAAW,CAAA;AACb,CAAC,EAJW,eAAe,KAAf,eAAe,QAI1B;AAYD,MAAM,OAAO,sBAAsB;IACjC;;;;;;;OAOG;IACH,KAAK,CAAC,cAAc,CAClB,KAAa,EACb,UAAkB,EAClB,SAAiB;QAEjB,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,GACpC,MAAM,sBAAsB,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;QACjE,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAClD,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QACpD,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAEnC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC,GAAG,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC;QACvE,CAAC;QAED,IAAI,UAAU,KAAK,WAAW,EAAE,CAAC;YAC/B,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC;QACzE,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC;IAC5E,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,eAAe,CACnB,KAAa,EACb,UAAkB,EAClB,IAAY;QAEZ,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAClD,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QACpD,UAAU,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;QACvB,MAAM,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;IAED;;;;;;OAMG;IACK,MAAM,CAAC,KAAK,CAAC,sBAAsB,CACzC,SAAiB;QAEjB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,SAAS,CAAC,CAAC;YAE/C,qDAAqD;YACrD,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YAEnD,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YAEzC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;gBACzD,gDAAgD;gBAChD,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;gBAC1B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY;gBAC/B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC1B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY;YACjC,CAAC;YAED,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC;QAC/D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,WAAW,CAAC,KAAK,CAAC,2CAA2C,EAAE,KAAK,CAAC,CAAC;YACtE,0EAA0E;YAC1E,qFAAqF;YACrF,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAEO,eAAe,CAAC,KAAa,EAAE,UAAkB;QACvD,OAAO,GAAG,KAAK,IAAI,UAAU,EAAE,CAAC;IAClC,CAAC;IAEO,KAAK,CAAC,iBAAiB;QAC7B,MAAM,WAAW,GAAG,OAAO,CAAC,6BAA6B,EAAE,CAAC;QAC5D,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;YACxD,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC5C,IACE,OAAO,MAAM,KAAK,QAAQ;gBAC1B,MAAM,KAAK,IAAI;gBACf,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EACzD,CAAC;gBACD,uEAAuE;gBACvE,OAAO,MAA6B,CAAC;YACvC,CAAC;YACD,WAAW,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YACzD,OAAO,EAAE,CAAC;QACZ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,WAAW,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAClD,OAAO,EAAE,CAAC;YACZ,CAAC;YACD,WAAW,CAAC,KAAK,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;YACjE,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,IAAyB;QACvD,MAAM,WAAW,GAAG,OAAO,CAAC,6BAA6B,EAAE,CAAC;QAC5D,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC/D,MAAM,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QAC1E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,WAAW,CAAC,KAAK,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;YACjE,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;CACF"}

package/dist/src/policy/integrity.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export {};

package/dist/src/policy/integrity.test.js

@@ -0,0 +1,132 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { describe, it, expect, vi, afterEach, beforeEach } from 'vitest';
+import { PolicyIntegrityManager, IntegrityStatus } from './integrity.js';
+import * as fs from 'node:fs/promises';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import { Storage } from '../config/storage.js';
+describe('PolicyIntegrityManager', () => {
+    let integrityManager;
+    let tempDir;
+    let integrityStoragePath;
+    beforeEach(async () => {
+        tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'gemini-cli-test-'));
+        integrityStoragePath = path.join(tempDir, 'policy_integrity.json');
+        vi.spyOn(Storage, 'getPolicyIntegrityStoragePath').mockReturnValue(integrityStoragePath);
+        integrityManager = new PolicyIntegrityManager();
+    });
+    afterEach(async () => {
+        await fs.rm(tempDir, { recursive: true, force: true });
+        vi.restoreAllMocks();
+    });
+    describe('checkIntegrity', () => {
+        it('should return NEW if no stored hash', async () => {
+            const policyDir = path.join(tempDir, 'policies');
+            await fs.mkdir(policyDir);
+            await fs.writeFile(path.join(policyDir, 'a.toml'), 'contentA');
+            const result = await integrityManager.checkIntegrity('workspace', 'id', policyDir);
+            expect(result.status).toBe(IntegrityStatus.NEW);
+            expect(result.hash).toBeDefined();
+            expect(result.hash).toHaveLength(64);
+            expect(result.fileCount).toBe(1);
+        });
+        it('should return MATCH if stored hash matches', async () => {
+            const policyDir = path.join(tempDir, 'policies');
+            await fs.mkdir(policyDir);
+            await fs.writeFile(path.join(policyDir, 'a.toml'), 'contentA');
+            // First run to get the hash
+            const resultNew = await integrityManager.checkIntegrity('workspace', 'id', policyDir);
+            const currentHash = resultNew.hash;
+            // Save the hash to mock storage
+            await fs.writeFile(integrityStoragePath, JSON.stringify({ 'workspace:id': currentHash }));
+            const result = await integrityManager.checkIntegrity('workspace', 'id', policyDir);
+            expect(result.status).toBe(IntegrityStatus.MATCH);
+            expect(result.hash).toBe(currentHash);
+        });
+        it('should return MISMATCH if stored hash differs', async () => {
+            const policyDir = path.join(tempDir, 'policies');
+            await fs.mkdir(policyDir);
+            await fs.writeFile(path.join(policyDir, 'a.toml'), 'contentA');
+            const resultNew = await integrityManager.checkIntegrity('workspace', 'id', policyDir);
+            const currentHash = resultNew.hash;
+            // Save a different hash
+            await fs.writeFile(integrityStoragePath, JSON.stringify({ 'workspace:id': 'different_hash' }));
+            const result = await integrityManager.checkIntegrity('workspace', 'id', policyDir);
+            expect(result.status).toBe(IntegrityStatus.MISMATCH);
+            expect(result.hash).toBe(currentHash);
+        });
+        it('should result in different hash if filename changes', async () => {
+            const policyDir1 = path.join(tempDir, 'policies1');
+            await fs.mkdir(policyDir1);
+            await fs.writeFile(path.join(policyDir1, 'a.toml'), 'contentA');
+            const result1 = await integrityManager.checkIntegrity('workspace', 'id', policyDir1);
+            const policyDir2 = path.join(tempDir, 'policies2');
+            await fs.mkdir(policyDir2);
+            await fs.writeFile(path.join(policyDir2, 'b.toml'), 'contentA');
+            const result2 = await integrityManager.checkIntegrity('workspace', 'id', policyDir2);
+            expect(result1.hash).not.toBe(result2.hash);
+        });
+        it('should result in different hash if content changes', async () => {
+            const policyDir = path.join(tempDir, 'policies');
+            await fs.mkdir(policyDir);
+            await fs.writeFile(path.join(policyDir, 'a.toml'), 'contentA');
+            const result1 = await integrityManager.checkIntegrity('workspace', 'id', policyDir);
+            await fs.writeFile(path.join(policyDir, 'a.toml'), 'contentB');
+            const result2 = await integrityManager.checkIntegrity('workspace', 'id', policyDir);
+            expect(result1.hash).not.toBe(result2.hash);
+        });
+        it('should be deterministic (sort order)', async () => {
+            const policyDir1 = path.join(tempDir, 'policies1');
+            await fs.mkdir(policyDir1);
+            await fs.writeFile(path.join(policyDir1, 'a.toml'), 'contentA');
+            await fs.writeFile(path.join(policyDir1, 'b.toml'), 'contentB');
+            const result1 = await integrityManager.checkIntegrity('workspace', 'id', policyDir1);
+            // Re-read with same files but they might be in different order in readdir
+            // PolicyIntegrityManager should sort them.
+            const result2 = await integrityManager.checkIntegrity('workspace', 'id', policyDir1);
+            expect(result1.hash).toBe(result2.hash);
+        });
+        it('should handle multiple projects correctly', async () => {
+            const dirA = path.join(tempDir, 'dirA');
+            await fs.mkdir(dirA);
+            await fs.writeFile(path.join(dirA, 'p.toml'), 'contentA');
+            const dirB = path.join(tempDir, 'dirB');
+            await fs.mkdir(dirB);
+            await fs.writeFile(path.join(dirB, 'p.toml'), 'contentB');
+            const { hash: hashA } = await integrityManager.checkIntegrity('workspace', 'idA', dirA);
+            const { hash: hashB } = await integrityManager.checkIntegrity('workspace', 'idB', dirB);
+            // Save to storage
+            await fs.writeFile(integrityStoragePath, JSON.stringify({
+                'workspace:idA': hashA,
+                'workspace:idB': 'oldHashB',
+            }));
+            // Project A should match
+            const resultA = await integrityManager.checkIntegrity('workspace', 'idA', dirA);
+            expect(resultA.status).toBe(IntegrityStatus.MATCH);
+            expect(resultA.hash).toBe(hashA);
+            // Project B should mismatch
+            const resultB = await integrityManager.checkIntegrity('workspace', 'idB', dirB);
+            expect(resultB.status).toBe(IntegrityStatus.MISMATCH);
+            expect(resultB.hash).toBe(hashB);
+        });
+    });
+    describe('acceptIntegrity', () => {
+        it('should save the hash to storage', async () => {
+            await integrityManager.acceptIntegrity('workspace', 'id', 'hash123');
+            const stored = JSON.parse(await fs.readFile(integrityStoragePath, 'utf-8'));
+            expect(stored['workspace:id']).toBe('hash123');
+        });
+        it('should update existing hash', async () => {
+            await fs.writeFile(integrityStoragePath, JSON.stringify({ 'other:id': 'otherhash' }));
+            await integrityManager.acceptIntegrity('workspace', 'id', 'hash123');
+            const stored = JSON.parse(await fs.readFile(integrityStoragePath, 'utf-8'));
+            expect(stored['other:id']).toBe('otherhash');
+            expect(stored['workspace:id']).toBe('hash123');
+        });
+    });
+});
+//# sourceMappingURL=integrity.test.js.map

package/dist/src/policy/integrity.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"integrity.test.js","sourceRoot":"","sources":["../../../src/policy/integrity.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,sBAAsB,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACzE,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAE/C,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,IAAI,gBAAwC,CAAC;IAC7C,IAAI,OAAe,CAAC;IACpB,IAAI,oBAA4B,CAAC;IAEjC,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC,CAAC;QACvE,oBAAoB,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,uBAAuB,CAAC,CAAC;QAEnE,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,+BAA+B,CAAC,CAAC,eAAe,CAChE,oBAAoB,CACrB,CAAC;QAEF,gBAAgB,GAAG,IAAI,sBAAsB,EAAE,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,EAAE,CAAC,eAAe,EAAE,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YACjD,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAC1B,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;YAE/D,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAClD,WAAW,EACX,IAAI,EACJ,SAAS,CACV,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;YACrC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;YAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YACjD,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAC1B,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;YAE/D,4BAA4B;YAC5B,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CACrD,WAAW,EACX,IAAI,EACJ,SAAS,CACV,CAAC;YACF,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC;YAEnC,gCAAgC;YAChC,MAAM,EAAE,CAAC,SAAS,CAChB,oBAAoB,EACpB,IAAI,CAAC,SAAS,CAAC,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAChD,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAClD,WAAW,EACX,IAAI,EACJ,SAAS,CACV,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YAClD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YACjD,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAC1B,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;YAE/D,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CACrD,WAAW,EACX,IAAI,EACJ,SAAS,CACV,CAAC;YACF,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC;YAEnC,wBAAwB;YACxB,MAAM,EAAE,CAAC,SAAS,CAChB,oBAAoB,EACpB,IAAI,CAAC,SAAS,CAAC,EAAE,cAAc,EAAE,gBAAgB,EAAE,CAAC,CACrD,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAClD,WAAW,EACX,IAAI,EACJ,SAAS,CACV,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;YACrD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;YACnE,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YACnD,MAAM,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAC3B,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;YAEhE,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,cAAc,CACnD,WAAW,EACX,IAAI,EACJ,UAAU,CACX,CAAC;YAEF,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YACnD,MAAM,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAC3B,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;YAEhE,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,cAAc,CACnD,WAAW,EACX,IAAI,EACJ,UAAU,CACX,CAAC;YAEF,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;YAClE,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YACjD,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAE1B,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;YAC/D,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,cAAc,CACnD,WAAW,EACX,IAAI,EACJ,SAAS,CACV,CAAC;YAEF,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;YAC/D,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,cAAc,CACnD,WAAW,EACX,IAAI,EACJ,SAAS,CACV,CAAC;YAEF,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;YACpD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YACnD,MAAM,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAC3B,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;YAChE,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;YAEhE,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,cAAc,CACnD,WAAW,EACX,IAAI,EACJ,UAAU,CACX,CAAC;YAEF,0EAA0E;YAC1E,2CAA2C;YAC3C,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,cAAc,CACnD,WAAW,EACX,IAAI,EACJ,UAAU,CACX,CAAC;YAEF,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACxC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACrB,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;YAE1D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACxC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACrB,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;YAE1D,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAC3D,WAAW,EACX,KAAK,EACL,IAAI,CACL,CAAC;YACF,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAC3D,WAAW,EACX,KAAK,EACL,IAAI,CACL,CAAC;YAEF,kBAAkB;YAClB,MAAM,EAAE,CAAC,SAAS,CAChB,oBAAoB,EACpB,IAAI,CAAC,SAAS,CAAC;gBACb,eAAe,EAAE,KAAK;gBACtB,eAAe,EAAE,UAAU;aAC5B,CAAC,CACH,CAAC;YAEF,yBAAyB;YACzB,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,cAAc,CACnD,WAAW,EACX,KAAK,EACL,IAAI,CACL,CAAC;YACF,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAEjC,4BAA4B;YAC5B,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,cAAc,CACnD,WAAW,EACX,KAAK,EACL,IAAI,CACL,CAAC;YACF,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;YACtD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;QAC/B,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;YAC/C,MAAM,gBAAgB,CAAC,eAAe,CAAC,WAAW,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC;YAErE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CACvB,MAAM,EAAE,CAAC,QAAQ,CAAC,oBAAoB,EAAE,OAAO,CAAC,CACjD,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,KAAK,IAAI,EAAE;YAC3C,MAAM,EAAE,CAAC,SAAS,CAChB,oBAAoB,EACpB,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC,CAC5C,CAAC;YAEF,MAAM,gBAAgB,CAAC,eAAe,CAAC,WAAW,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC;YAErE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CACvB,MAAM,EAAE,CAAC,QAAQ,CAAC,oBAAoB,EAAE,OAAO,CAAC,CACjD,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC7C,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/policy/policies/conseca.toml

@@ -0,0 +1,6 @@
+[[safety_checker]]
+toolName = "*"
+priority = 100
+[safety_checker.checker]
+type = "in-process"
+name = "conseca"

package/dist/src/policy/workspace-policy.test.js

@@ -0,0 +1,231 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { describe, it, expect, vi, afterEach, beforeEach } from 'vitest';
+import nodePath from 'node:path';
+import { ApprovalMode } from './types.js';
+import { isDirectorySecure } from '../utils/security.js';
+// Mock dependencies
+vi.mock('../utils/security.js', () => ({
+    isDirectorySecure: vi.fn().mockResolvedValue({ secure: true }),
+}));
+describe('Workspace-Level Policies', () => {
+    beforeEach(async () => {
+        vi.resetModules();
+        const { Storage } = await import('../config/storage.js');
+        vi.spyOn(Storage, 'getUserPoliciesDir').mockReturnValue('/mock/user/policies');
+        vi.spyOn(Storage, 'getSystemPoliciesDir').mockReturnValue('/mock/system/policies');
+        // Ensure security check always returns secure
+        vi.mocked(isDirectorySecure).mockResolvedValue({ secure: true });
+    });
+    afterEach(() => {
+        vi.clearAllMocks();
+        vi.restoreAllMocks();
+        vi.doUnmock('node:fs/promises');
+    });
+    it('should load workspace policies with correct priority (Tier 3)', async () => {
+        const workspacePoliciesDir = '/mock/workspace/policies';
+        const defaultPoliciesDir = '/mock/default/policies';
+        // Mock FS
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockStat = vi.fn(async (path) => {
+            if (typeof path === 'string' && path.startsWith('/mock/')) {
+                return {
+                    isDirectory: () => true,
+                    isFile: () => false,
+                };
+            }
+            return actualFs.stat(path);
+        });
+        // Mock readdir to return a policy file for each tier
+        const mockReaddir = vi.fn(async (path) => {
+            const normalizedPath = nodePath.normalize(path);
+            if (normalizedPath.endsWith('default/policies'))
+                return [
+                    {
+                        name: 'default.toml',
+                        isFile: () => true,
+                        isDirectory: () => false,
+                    },
+                ];
+            if (normalizedPath.endsWith('user/policies'))
+                return [
+                    { name: 'user.toml', isFile: () => true, isDirectory: () => false },
+                ];
+            if (normalizedPath.endsWith('workspace/policies'))
+                return [
+                    {
+                        name: 'workspace.toml',
+                        isFile: () => true,
+                        isDirectory: () => false,
+                    },
+                ];
+            if (normalizedPath.endsWith('system/policies'))
+                return [
+                    { name: 'admin.toml', isFile: () => true, isDirectory: () => false },
+                ];
+            return [];
+        });
+        // Mock readFile to return content with distinct priorities/decisions
+        const mockReadFile = vi.fn(async (path) => {
+            if (path.includes('default.toml')) {
+                return `[[rule]]
+toolName = "test_tool"
+decision = "allow"
+priority = 10
+`; // Tier 1 -> 1.010
+            }
+            if (path.includes('user.toml')) {
+                return `[[rule]]
+toolName = "test_tool"
+decision = "deny"
+priority = 10
+`; // Tier 4 -> 4.010
+            }
+            if (path.includes('workspace.toml')) {
+                return `[[rule]]
+toolName = "test_tool"
+decision = "allow"
+priority = 10
+`; // Tier 3 -> 3.010
+            }
+            if (path.includes('admin.toml')) {
+                return `[[rule]]
+toolName = "test_tool"
+decision = "deny"
+priority = 10
+`; // Tier 5 -> 5.010
+            }
+            return '';
+        });
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: {
+                ...actualFs,
+                readdir: mockReaddir,
+                readFile: mockReadFile,
+                stat: mockStat,
+            },
+            readdir: mockReaddir,
+            readFile: mockReadFile,
+            stat: mockStat,
+        }));
+        const { createPolicyEngineConfig } = await import('./config.js');
+        // Test 1: Workspace vs User (User should win)
+        const config = await createPolicyEngineConfig({ workspacePoliciesDir }, ApprovalMode.DEFAULT, defaultPoliciesDir);
+        const rules = config.rules?.filter((r) => r.toolName === 'test_tool');
+        expect(rules).toBeDefined();
+        // Check for all 4 rules
+        const defaultRule = rules?.find((r) => r.priority === 1.01);
+        const workspaceRule = rules?.find((r) => r.priority === 3.01);
+        const userRule = rules?.find((r) => r.priority === 4.01);
+        const adminRule = rules?.find((r) => r.priority === 5.01);
+        expect(defaultRule).toBeDefined();
+        expect(userRule).toBeDefined();
+        expect(workspaceRule).toBeDefined();
+        expect(adminRule).toBeDefined();
+        // Verify Hierarchy: Admin > User > Workspace > Default
+        expect(adminRule.priority).toBeGreaterThan(userRule.priority);
+        expect(userRule.priority).toBeGreaterThan(workspaceRule.priority);
+        expect(workspaceRule.priority).toBeGreaterThan(defaultRule.priority);
+    });
+    it('should ignore workspace policies if workspacePoliciesDir is undefined', async () => {
+        const defaultPoliciesDir = '/mock/default/policies';
+        // Mock FS (simplified)
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockStat = vi.fn(async (path) => {
+            if (typeof path === 'string' && path.startsWith('/mock/')) {
+                return {
+                    isDirectory: () => true,
+                    isFile: () => false,
+                };
+            }
+            return actualFs.stat(path);
+        });
+        const mockReaddir = vi.fn(async (path) => {
+            const normalizedPath = nodePath.normalize(path);
+            if (normalizedPath.endsWith('default/policies'))
+                return [
+                    {
+                        name: 'default.toml',
+                        isFile: () => true,
+                        isDirectory: () => false,
+                    },
+                ];
+            return [];
+        });
+        const mockReadFile = vi.fn(async () => `[[rule]]
+toolName="t"
+decision="allow"
+priority=10`);
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: {
+                ...actualFs,
+                readdir: mockReaddir,
+                readFile: mockReadFile,
+                stat: mockStat,
+            },
+            readdir: mockReaddir,
+            readFile: mockReadFile,
+            stat: mockStat,
+        }));
+        const { createPolicyEngineConfig } = await import('./config.js');
+        const config = await createPolicyEngineConfig({ workspacePoliciesDir: undefined }, ApprovalMode.DEFAULT, defaultPoliciesDir);
+        // Should only have default tier rule (1.01)
+        const rules = config.rules;
+        expect(rules).toHaveLength(1);
+        expect(rules[0].priority).toBe(1.01);
+    });
+    it('should load workspace policies and correctly transform to Tier 3', async () => {
+        const workspacePoliciesDir = '/mock/workspace/policies';
+        // Mock FS
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockStat = vi.fn(async (path) => {
+            if (typeof path === 'string' && path.startsWith('/mock/')) {
+                return {
+                    isDirectory: () => true,
+                    isFile: () => false,
+                };
+            }
+            return actualFs.stat(path);
+        });
+        const mockReaddir = vi.fn(async (path) => {
+            const normalizedPath = nodePath.normalize(path);
+            if (normalizedPath.endsWith('workspace/policies'))
+                return [
+                    {
+                        name: 'workspace.toml',
+                        isFile: () => true,
+                        isDirectory: () => false,
+                    },
+                ];
+            return [];
+        });
+        const mockReadFile = vi.fn(async () => `[[rule]]
+toolName="p_tool"
+decision="allow"
+priority=500`);
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: {
+                ...actualFs,
+                readdir: mockReaddir,
+                readFile: mockReadFile,
+                stat: mockStat,
+            },
+            readdir: mockReaddir,
+            readFile: mockReadFile,
+            stat: mockStat,
+        }));
+        const { createPolicyEngineConfig } = await import('./config.js');
+        const config = await createPolicyEngineConfig({ workspacePoliciesDir }, ApprovalMode.DEFAULT);
+        const rule = config.rules?.find((r) => r.toolName === 'p_tool');
+        expect(rule).toBeDefined();
+        // Workspace Tier (3) + 500/1000 = 3.5
+        expect(rule?.priority).toBe(3.5);
+    });
+});
+//# sourceMappingURL=workspace-policy.test.js.map

package/dist/src/policy/workspace-policy.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-policy.test.js","sourceRoot":"","sources":["../../../src/policy/workspace-policy.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,QAAQ,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAEzD,oBAAoB;AACpB,EAAE,CAAC,IAAI,CAAC,sBAAsB,EAAE,GAAG,EAAE,CAAC,CAAC;IACrC,iBAAiB,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;CAC/D,CAAC,CAAC,CAAC;AAEJ,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,EAAE,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QACzD,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC,eAAe,CACrD,qBAAqB,CACtB,CAAC;QACF,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,sBAAsB,CAAC,CAAC,eAAe,CACvD,uBAAuB,CACxB,CAAC;QACF,8CAA8C;QAC9C,EAAE,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,iBAAiB,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,aAAa,EAAE,CAAC;QACnB,EAAE,CAAC,eAAe,EAAE,CAAC;QACrB,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;QAC7E,MAAM,oBAAoB,GAAG,0BAA0B,CAAC;QACxD,MAAM,kBAAkB,GAAG,wBAAwB,CAAC;QAEpD,UAAU;QACV,MAAM,QAAQ,GACZ,MAAM,EAAE,CAAC,YAAY,CACnB,kBAAkB,CACnB,CAAC;QAEJ,MAAM,QAAQ,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,IAAY,EAAE,EAAE;YAC5C,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC1D,OAAO;oBACL,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI;oBACvB,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK;iBACoC,CAAC;YAC5D,CAAC;YACD,OAAO,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;QAEH,qDAAqD;QACrD,MAAM,WAAW,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,IAAY,EAAE,EAAE;YAC/C,MAAM,cAAc,GAAG,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAChD,IAAI,cAAc,CAAC,QAAQ,CAAC,kBAAkB,CAAC;gBAC7C,OAAO;oBACL;wBACE,IAAI,EAAE,cAAc;wBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI;wBAClB,WAAW,EAAE,GAAG,EAAE,CAAC,KAAK;qBACzB;iBACyD,CAAC;YAC/D,IAAI,cAAc,CAAC,QAAQ,CAAC,eAAe,CAAC;gBAC1C,OAAO;oBACL,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE;iBACT,CAAC;YAC/D,IAAI,cAAc,CAAC,QAAQ,CAAC,oBAAoB,CAAC;gBAC/C,OAAO;oBACL;wBACE,IAAI,EAAE,gBAAgB;wBACtB,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI;wBAClB,WAAW,EAAE,GAAG,EAAE,CAAC,KAAK;qBACzB;iBACyD,CAAC;YAC/D,IAAI,cAAc,CAAC,QAAQ,CAAC,iBAAiB,CAAC;gBAC5C,OAAO;oBACL,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE;iBACV,CAAC;YAC/D,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;QAEH,qEAAqE;QACrE,MAAM,YAAY,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,IAAY,EAAE,EAAE;YAChD,IAAI,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;gBAClC,OAAO;;;;CAId,CAAC,CAAC,kBAAkB;YACf,CAAC;YACD,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC/B,OAAO;;;;CAId,CAAC,CAAC,kBAAkB;YACf,CAAC;YACD,IAAI,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBACpC,OAAO;;;;CAId,CAAC,CAAC,kBAAkB;YACf,CAAC;YACD,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;gBAChC,OAAO;;;;CAId,CAAC,CAAC,kBAAkB;YACf,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,MAAM,CAAC,kBAAkB,EAAE,GAAG,EAAE,CAAC,CAAC;YACnC,GAAG,QAAQ;YACX,OAAO,EAAE;gBACP,GAAG,QAAQ;gBACX,OAAO,EAAE,WAAW;gBACpB,QAAQ,EAAE,YAAY;gBACtB,IAAI,EAAE,QAAQ;aACf;YACD,OAAO,EAAE,WAAW;YACpB,QAAQ,EAAE,YAAY;YACtB,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC,CAAC;QAEJ,MAAM,EAAE,wBAAwB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAEjE,8CAA8C;QAC9C,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAC3C,EAAE,oBAAoB,EAAE,EACxB,YAAY,CAAC,OAAO,EACpB,kBAAkB,CACnB,CAAC;QAEF,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,WAAW,CAAC,CAAC;QACtE,MAAM,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QAE5B,wBAAwB;QACxB,MAAM,WAAW,GAAG,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,IAAI,CAAC,CAAC;QAC5D,MAAM,aAAa,GAAG,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,IAAI,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,IAAI,CAAC,CAAC;QACzD,MAAM,SAAS,GAAG,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,IAAI,CAAC,CAAC;QAE1D,MAAM,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;QAClC,MAAM,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;QAC/B,MAAM,CAAC,aAAa,CAAC,CAAC,WAAW,EAAE,CAAC;QACpC,MAAM,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;QAEhC,uDAAuD;QACvD,MAAM,CAAC,SAAU,CAAC,QAAQ,CAAC,CAAC,eAAe,CAAC,QAAS,CAAC,QAAS,CAAC,CAAC;QACjE,MAAM,CAAC,QAAS,CAAC,QAAQ,CAAC,CAAC,eAAe,CAAC,aAAc,CAAC,QAAS,CAAC,CAAC;QACrE,MAAM,CAAC,aAAc,CAAC,QAAQ,CAAC,CAAC,eAAe,CAAC,WAAY,CAAC,QAAS,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,KAAK,IAAI,EAAE;QACrF,MAAM,kBAAkB,GAAG,wBAAwB,CAAC;QAEpD,uBAAuB;QACvB,MAAM,QAAQ,GACZ,MAAM,EAAE,CAAC,YAAY,CACnB,kBAAkB,CACnB,CAAC;QAEJ,MAAM,QAAQ,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,IAAY,EAAE,EAAE;YAC5C,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC1D,OAAO;oBACL,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI;oBACvB,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK;iBACoC,CAAC;YAC5D,CAAC;YACD,OAAO,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,IAAY,EAAE,EAAE;YAC/C,MAAM,cAAc,GAAG,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAChD,IAAI,cAAc,CAAC,QAAQ,CAAC,kBAAkB,CAAC;gBAC7C,OAAO;oBACL;wBACE,IAAI,EAAE,cAAc;wBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI;wBAClB,WAAW,EAAE,GAAG,EAAE,CAAC,KAAK;qBACzB;iBACyD,CAAC;YAC/D,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,EAAE,CAAC,EAAE,CACxB,KAAK,IAAI,EAAE,CAAC;;;YAGN,CACP,CAAC;QAEF,EAAE,CAAC,MAAM,CAAC,kBAAkB,EAAE,GAAG,EAAE,CAAC,CAAC;YACnC,GAAG,QAAQ;YACX,OAAO,EAAE;gBACP,GAAG,QAAQ;gBACX,OAAO,EAAE,WAAW;gBACpB,QAAQ,EAAE,YAAY;gBACtB,IAAI,EAAE,QAAQ;aACf;YACD,OAAO,EAAE,WAAW;YACpB,QAAQ,EAAE,YAAY;YACtB,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC,CAAC;QAEJ,MAAM,EAAE,wBAAwB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAEjE,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAC3C,EAAE,oBAAoB,EAAE,SAAS,EAAE,EACnC,YAAY,CAAC,OAAO,EACpB,kBAAkB,CACnB,CAAC;QAEF,4CAA4C;QAC5C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;QAC3B,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,CAAC,KAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,oBAAoB,GAAG,0BAA0B,CAAC;QAExD,UAAU;QACV,MAAM,QAAQ,GACZ,MAAM,EAAE,CAAC,YAAY,CACnB,kBAAkB,CACnB,CAAC;QAEJ,MAAM,QAAQ,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,IAAY,EAAE,EAAE;YAC5C,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC1D,OAAO;oBACL,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI;oBACvB,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK;iBACoC,CAAC;YAC5D,CAAC;YACD,OAAO,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,IAAY,EAAE,EAAE;YAC/C,MAAM,cAAc,GAAG,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAChD,IAAI,cAAc,CAAC,QAAQ,CAAC,oBAAoB,CAAC;gBAC/C,OAAO;oBACL;wBACE,IAAI,EAAE,gBAAgB;wBACtB,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI;wBAClB,WAAW,EAAE,GAAG,EAAE,CAAC,KAAK;qBACzB;iBACyD,CAAC;YAC/D,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,EAAE,CAAC,EAAE,CACxB,KAAK,IAAI,EAAE,CAAC;;;aAGL,CACR,CAAC;QAEF,EAAE,CAAC,MAAM,CAAC,kBAAkB,EAAE,GAAG,EAAE,CAAC,CAAC;YACnC,GAAG,QAAQ;YACX,OAAO,EAAE;gBACP,GAAG,QAAQ;gBACX,OAAO,EAAE,WAAW;gBACpB,QAAQ,EAAE,YAAY;gBACtB,IAAI,EAAE,QAAQ;aACf;YACD,OAAO,EAAE,WAAW;YACpB,QAAQ,EAAE,YAAY;YACtB,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC,CAAC;QAEJ,MAAM,EAAE,wBAAwB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAEjE,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAC3C,EAAE,oBAAoB,EAAE,EACxB,YAAY,CAAC,OAAO,CACrB,CAAC;QAEF,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;QAChE,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC3B,sCAAsC;QACtC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}