@opensip-cli/output 0.1.0

package/dist/format/signal-table.js

@@ -0,0 +1,84 @@
+/**
+ * @fileoverview signal-table formatter (ADR-0011, Phase 2 Task 2.5).
+ *
+ * Derives the terminal-table view-model purely from the envelope's `units` +
+ * `signals` — one row per unit — so tools stop pre-computing `TableRow[]` on
+ * their `*DoneResult` (today fitness builds rows in
+ * `result-builders.ts:buildFitDoneResult`). The Ink `ResultsTable` (cli-ui)
+ * consumes these rows; this layer does no Ink and no IO (formatter-purity
+ * contract).
+ *
+ * Unlike json/sarif, the table is structured, not a single string — so this
+ * exports a row/summary view-model builder rather than a `Formatter`
+ * (`(envelope) => string`). The Ink renderer (cli-ui) is the string side.
+ *
+ * The envelope carries only what a flat `Signal[]` cannot express (ran,
+ * errored, timing). Two further per-unit facts a flat list cannot express —
+ * fitness's `filesValidated`/`ignoredCount` — ride on {@link UnitResult} as
+ * optional fields; this formatter surfaces them as the optional
+ * `validated`/`ignored` row columns when present (graph/sim omit them → the
+ * renderer leaves the column blank). This keeps ONE shared table formatter
+ * (ADR-0011, Phase 6, decision B) rather than a fitness-specific rich view.
+ */
+import { formatDuration, isErrorSignal } from '@opensip-cli/core';
+/** Group a run's signals by their `source` (the emitting unit's slug). */
+function groupSignalsBySource(signals) {
+    const bySource = new Map();
+    for (const signal of signals) {
+        const bucket = bySource.get(signal.source);
+        if (bucket)
+            bucket.push(signal);
+        else
+            bySource.set(signal.source, [signal]);
+    }
+    return bySource;
+}
+/** Status for a unit: ERROR when it errored, else PASS/FAIL from `unit.passed`. */
+function rowStatus(unit) {
+    if (unit.error !== undefined)
+        return 'ERROR';
+    return unit.passed ? 'PASS' : 'FAIL';
+}
+/**
+ * Build one {@link SignalTableRow} per unit, attributing signals to units by
+ * `signal.source === unit.slug`. Pure: no IO, no clock.
+ */
+export function formatSignalTableRows(envelope) {
+    const bySource = groupSignalsBySource(envelope.signals);
+    return envelope.units.map((unit) => {
+        const unitSignals = bySource.get(unit.slug) ?? [];
+        let errors = 0;
+        let warnings = 0;
+        for (const signal of unitSignals) {
+            if (isErrorSignal(signal))
+                errors += 1;
+            else
+                warnings += 1;
+        }
+        return {
+            unit: unit.slug,
+            status: rowStatus(unit),
+            errors,
+            warnings,
+            duration: formatDuration(unit.durationMs),
+            durationMs: unit.durationMs,
+            error: unit.error,
+            validated: unit.filesValidated,
+            itemType: unit.itemType,
+            ignored: unit.ignoredCount,
+        };
+    });
+}
+/** Build the aggregate summary line from the envelope's verdict. Pure. */
+export function formatSignalTableSummary(envelope) {
+    const { summary } = envelope.verdict;
+    const durationMs = envelope.units.reduce((total, unit) => total + unit.durationMs, 0);
+    return {
+        passed: summary.passed,
+        failed: summary.failed,
+        totalErrors: summary.errors,
+        totalWarnings: summary.warnings,
+        durationMs,
+    };
+}
+//# sourceMappingURL=signal-table.js.map

package/dist/format/signal-table.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signal-table.js","sourceRoot":"","sources":["../../src/format/signal-table.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AA0ClE,0EAA0E;AAC1E,SAAS,oBAAoB,CAAC,OAA0B;IACtD,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC7C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,MAAM;YAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;;YAC3B,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,mFAAmF;AACnF,SAAS,SAAS,CAAC,IAAgB;IACjC,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS;QAAE,OAAO,OAAO,CAAC;IAC7C,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAwB;IAC5D,MAAM,QAAQ,GAAG,oBAAoB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAExD,OAAO,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACjC,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAClD,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,KAAK,MAAM,MAAM,IAAI,WAAW,EAAE,CAAC;YACjC,IAAI,aAAa,CAAC,MAAM,CAAC;gBAAE,MAAM,IAAI,CAAC,CAAC;;gBAClC,QAAQ,IAAI,CAAC,CAAC;QACrB,CAAC;QACD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,SAAS,CAAC,IAAI,CAAC;YACvB,MAAM;YACN,QAAQ;YACR,QAAQ,EAAE,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC;YACzC,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,SAAS,EAAE,IAAI,CAAC,cAAc;YAC9B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,YAAY;SAC3B,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,0EAA0E;AAC1E,MAAM,UAAU,wBAAwB,CAAC,QAAwB;IAC/D,MAAM,EAAE,OAAO,EAAE,GAAG,QAAQ,CAAC,OAAO,CAAC;IACrC,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,KAAK,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;IACtF,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,WAAW,EAAE,OAAO,CAAC,MAAM;QAC3B,aAAa,EAAE,OAAO,CAAC,QAAQ;QAC/B,UAAU;KACX,CAAC;AACJ,CAAC"}

package/dist/format/types.d.ts

@@ -0,0 +1,20 @@
+/**
+ * @fileoverview The shared formatter contract (ADR-0011).
+ *
+ * A `Formatter` is a pure `(envelope) => string` transform — one per target
+ * format (json, sarif, table). It is modelled on graph's `Renderer`
+ * (`graph/engine/src/render/types.ts`, `(signals, context) => string`) but
+ * keyed on the universal {@link SignalEnvelope} so every tool shares one set
+ * of formatters.
+ *
+ * Formatter-purity contract: a formatter performs NO IO — no
+ * `process.stdout`, no network, no `Date.now()`/`randomUUID`. The run id and
+ * timestamp arrive on the envelope, so a fixed envelope renders to a fixed
+ * string (snapshot-testable with zero mocks). All effects live in
+ * `@opensip-cli/output/sink`; a sink may import a formatter, never the
+ * reverse.
+ */
+import type { SignalEnvelope } from '@opensip-cli/contracts';
+/** Pure `(envelope) => string` formatter. The shared output transform contract. */
+export type Formatter = (envelope: SignalEnvelope) => string;
+//# sourceMappingURL=types.d.ts.map

package/dist/format/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/format/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAE7D,mFAAmF;AACnF,MAAM,MAAM,SAAS,GAAG,CAAC,QAAQ,EAAE,cAAc,KAAK,MAAM,CAAC"}

package/dist/format/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/format/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/format/types.ts"],"names":[],"mappings":""}

package/dist/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * @opensip-cli/output — the tool-run output layer.
+ *
+ * Renamed from `@opensip-cli/reporting` (Phase 2, ADR-0011): the package no
+ * longer just reports to cloud — it owns all machine formatting + delivery.
+ * It depends on core + contracts only.
+ */
+export type { Formatter } from './format/types.js';
+export { formatSignalJson } from './format/signal-json.js';
+export { formatSignalSarif, buildOpenSipSarif, type SarifDriver } from './format/signal-sarif.js';
+export { diffBaseline } from './format/baseline-diff.js';
+export type { GateCompareResult, BaselineDiffRow } from './format/baseline-diff.js';
+export { formatSignalTableRows, formatSignalTableSummary, type SignalTableRow, type SignalTableSummary, } from './format/signal-table.js';
+export { checkEntitlement, invalidateEntitlement, type EntitlementResult, type EntitlementSource, type CheckEntitlementInput, } from './sink/entitlement.js';
+export { createCloudSignalSink, type CloudSignalSinkOptions } from './sink/cloud-signal-sink.js';
+export { postChunked, type EgressResult, type RetryPolicy, type PostChunkedArgs, } from './sink/http-egress.js';
+export { resolveSignalSink, DEFAULT_CLOUD_ENDPOINT, type ResolveSignalSinkInput, } from './sink/resolve-signal-sink.js';
+export { resolveRepoIdentity } from './sink/repo-identity.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,KAAK,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAElG,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACzD,YAAY,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AACpF,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,KAAK,cAAc,EACnB,KAAK,kBAAkB,GACxB,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,KAAK,iBAAiB,EACtB,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,GAC3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,qBAAqB,EAAE,KAAK,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACjG,OAAO,EACL,WAAW,EACX,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,eAAe,GACrB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,EACjB,sBAAsB,EACtB,KAAK,sBAAsB,GAC5B,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/index.js

@@ -0,0 +1,19 @@
+/**
+ * @opensip-cli/output — the tool-run output layer.
+ *
+ * Renamed from `@opensip-cli/reporting` (Phase 2, ADR-0011): the package no
+ * longer just reports to cloud — it owns all machine formatting + delivery.
+ * It depends on core + contracts only.
+ */
+export { formatSignalJson } from './format/signal-json.js';
+export { formatSignalSarif, buildOpenSipSarif } from './format/signal-sarif.js';
+// Pure baseline diff — the generic net-new ratchet (ADR-0036).
+export { diffBaseline } from './format/baseline-diff.js';
+export { formatSignalTableRows, formatSignalTableSummary, } from './format/signal-table.js';
+// --- sink/ — effectful delivery (file/cloud egress) ---
+export { checkEntitlement, invalidateEntitlement, } from './sink/entitlement.js';
+export { createCloudSignalSink } from './sink/cloud-signal-sink.js';
+export { postChunked, } from './sink/http-egress.js';
+export { resolveSignalSink, DEFAULT_CLOUD_ENDPOINT, } from './sink/resolve-signal-sink.js';
+export { resolveRepoIdentity } from './sink/repo-identity.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAoB,MAAM,0BAA0B,CAAC;AAClG,+DAA+D;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAEzD,OAAO,EACL,qBAAqB,EACrB,wBAAwB,GAGzB,MAAM,0BAA0B,CAAC;AAElC,yDAAyD;AACzD,OAAO,EACL,gBAAgB,EAChB,qBAAqB,GAItB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,qBAAqB,EAA+B,MAAM,6BAA6B,CAAC;AACjG,OAAO,EACL,WAAW,GAIZ,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,EACjB,sBAAsB,GAEvB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/sink/cloud-signal-sink.d.ts

@@ -0,0 +1,10 @@
+import type { SignalSink } from '@opensip-cli/core';
+/** Construction options for the OpenSIP Cloud signal sink: target endpoint, API key, and an injectable `fetch` for tests. */
+export interface CloudSignalSinkOptions {
+    readonly endpoint: string;
+    readonly apiKey: string;
+    readonly fetchImpl?: typeof fetch;
+}
+/** Build the OpenSIP Cloud signal sink. Selection/gating happens at the CLI; this just emits. */
+export declare function createCloudSignalSink(opts: CloudSignalSinkOptions): SignalSink;
+//# sourceMappingURL=cloud-signal-sink.d.ts.map

package/dist/sink/cloud-signal-sink.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-signal-sink.d.ts","sourceRoot":"","sources":["../../src/sink/cloud-signal-sink.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAiD,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAQnG,6HAA6H;AAC7H,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CACnC;AAiCD,iGAAiG;AACjG,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,sBAAsB,GAAG,UAAU,CAiE9E"}

package/dist/sink/cloud-signal-sink.js

@@ -0,0 +1,94 @@
+/**
+ * OpenSIP Cloud SignalSink (ADR-0008).
+ *
+ * The Strategy implementation that POSTs a run's `SignalBatch` to OpenSIP
+ * Cloud, chunked, via the shared `postChunked` transport with the best-effort
+ * policy. Wraps the sync in a `signal-sync` span and returns
+ * `{ accepted, authRejected }`; it NEVER throws (the non-blocking invariant) —
+ * the CLI uses `accepted` for the "Sent N signals" line and `authRejected` to
+ * bust the entitlement cache.
+ */
+import { logger, withSpanAsync } from '@opensip-cli/core';
+import { postChunked } from './http-egress.js';
+const MODULE_TAG = 'cloud-signal-sink';
+const MAX_SIGNALS_PER_CHUNK = 500;
+// Best-effort policy: try a little harder than reportToCloud, but bound the
+// whole sync so a throttling server can never hang the CLI.
+const POLICY = { maxAttempts: 4, overallDeadlineMs: 120_000, honorRetryAfter: true };
+function chunkBatch(batch, size) {
+    const groups = [];
+    for (let i = 0; i < batch.signals.length; i += size) {
+        groups.push(batch.signals.slice(i, i + size));
+    }
+    return groups.map((signals, chunkIndex) => ({
+        schemaVersion: batch.schemaVersion,
+        tool: batch.tool,
+        recipe: batch.recipe,
+        repo: batch.repo,
+        runId: batch.runId,
+        createdAt: batch.createdAt,
+        chunkIndex,
+        chunkCount: groups.length,
+        signals,
+    }));
+}
+/** Build the OpenSIP Cloud signal sink. Selection/gating happens at the CLI; this just emits. */
+export function createCloudSignalSink(opts) {
+    return {
+        async emit(batch) {
+            try {
+                if (batch.signals.length === 0)
+                    return { accepted: 0, authRejected: false };
+                const url = opts.endpoint.endsWith('/signals') ? opts.endpoint : `${opts.endpoint}/signals`;
+                const chunks = chunkBatch(batch, MAX_SIGNALS_PER_CHUNK);
+                const result = await withSpanAsync('reporting', 'signal-sync', async (span) => {
+                    const r = await postChunked({
+                        url,
+                        apiKey: opts.apiKey,
+                        chunks,
+                        idempotencyKeyFor: (i) => `${batch.runId}:${i}`,
+                        // @fitness-ignore-next-line null-safety -- `i` is the in-range index of the chunks array being posted; chunks[i] is always defined
+                        timeoutFor: (_chunk, i) => Math.min(120_000, 30_000 + chunks[i].signals.length * 50),
+                        policy: POLICY,
+                        evtPrefix: 'cli.signal-sync',
+                        fetchImpl: opts.fetchImpl,
+                    });
+                    span.setAttributes({
+                        tool: batch.tool,
+                        runId: batch.runId,
+                        'signal.count': batch.signals.length,
+                        'chunk.count': chunks.length,
+                        throttled: r.throttled,
+                        outcome: r.outcome,
+                    });
+                    return r;
+                }, { tool: batch.tool, runId: batch.runId });
+                const accepted = chunks.reduce((n, c, i) => (result.chunkResults[i] ? n + c.signals.length : n), 0);
+                logger.info({
+                    evt: 'cli.signal-sync.done',
+                    module: MODULE_TAG,
+                    accepted,
+                    outcome: result.outcome,
+                    authRejected: result.authRejected,
+                });
+                return {
+                    accepted,
+                    authRejected: result.authRejected,
+                    // Surface a transport-level total failure so the root can tell the
+                    // user their signals did not ship (still non-blocking, ADR-0008).
+                    ...(accepted === 0 ? { skippedReason: 'error' } : {}),
+                };
+            }
+            catch (error) {
+                // Defense in depth — postChunked never throws, but emit MUST NOT either.
+                logger.warn({
+                    evt: 'cli.signal-sync.error',
+                    module: MODULE_TAG,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+                return { accepted: 0, authRejected: false, skippedReason: 'error' };
+            }
+        },
+    };
+}
+//# sourceMappingURL=cloud-signal-sink.js.map

package/dist/sink/cloud-signal-sink.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-signal-sink.js","sourceRoot":"","sources":["../../src/sink/cloud-signal-sink.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAE1D,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAI/C,MAAM,UAAU,GAAG,mBAAmB,CAAC;AACvC,MAAM,qBAAqB,GAAG,GAAG,CAAC;AAClC,4EAA4E;AAC5E,4DAA4D;AAC5D,MAAM,MAAM,GAAG,EAAE,WAAW,EAAE,CAAC,EAAE,iBAAiB,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAW,CAAC;AAsB9F,SAAS,UAAU,CAAC,KAAkB,EAAE,IAAY;IAClD,MAAM,MAAM,GAAe,EAAE,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC,CAAC;QAC1C,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,UAAU;QACV,UAAU,EAAE,MAAM,CAAC,MAAM;QACzB,OAAO;KACR,CAAC,CAAC,CAAC;AACN,CAAC;AAED,iGAAiG;AACjG,MAAM,UAAU,qBAAqB,CAAC,IAA4B;IAChE,OAAO;QACL,KAAK,CAAC,IAAI,CAAC,KAAkB;YAC3B,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;gBAC5E,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,QAAQ,UAAU,CAAC;gBAC5F,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;gBAExD,MAAM,MAAM,GAAG,MAAM,aAAa,CAChC,WAAW,EACX,aAAa,EACb,KAAK,EAAE,IAAI,EAAE,EAAE;oBACb,MAAM,CAAC,GAAG,MAAM,WAAW,CAAC;wBAC1B,GAAG;wBACH,MAAM,EAAE,IAAI,CAAC,MAAM;wBACnB,MAAM;wBACN,iBAAiB,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,KAAK,IAAI,CAAC,EAAE;wBAC/C,mIAAmI;wBACnI,UAAU,EAAE,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC;wBACpF,MAAM,EAAE,MAAM;wBACd,SAAS,EAAE,iBAAiB;wBAC5B,SAAS,EAAE,IAAI,CAAC,SAAS;qBAC1B,CAAC,CAAC;oBACH,IAAI,CAAC,aAAa,CAAC;wBACjB,IAAI,EAAE,KAAK,CAAC,IAAI;wBAChB,KAAK,EAAE,KAAK,CAAC,KAAK;wBAClB,cAAc,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM;wBACpC,aAAa,EAAE,MAAM,CAAC,MAAM;wBAC5B,SAAS,EAAE,CAAC,CAAC,SAAS;wBACtB,OAAO,EAAE,CAAC,CAAC,OAAO;qBACnB,CAAC,CAAC;oBACH,OAAO,CAAC,CAAC;gBACX,CAAC,EACD,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CACzC,CAAC;gBAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAC5B,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAChE,CAAC,CACF,CAAC;gBACF,MAAM,CAAC,IAAI,CAAC;oBACV,GAAG,EAAE,sBAAsB;oBAC3B,MAAM,EAAE,UAAU;oBAClB,QAAQ;oBACR,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,YAAY,EAAE,MAAM,CAAC,YAAY;iBAClC,CAAC,CAAC;gBACH,OAAO;oBACL,QAAQ;oBACR,YAAY,EAAE,MAAM,CAAC,YAAY;oBACjC,mEAAmE;oBACnE,kEAAkE;oBAClE,GAAG,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,OAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC/D,CAAC;YACJ,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,yEAAyE;gBACzE,MAAM,CAAC,IAAI,CAAC;oBACV,GAAG,EAAE,uBAAuB;oBAC5B,MAAM,EAAE,UAAU;oBAClB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBAC9D,CAAC,CAAC;gBACH,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,YAAY,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC;YACtE,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/sink/entitlement.d.ts

@@ -0,0 +1,28 @@
+/** Where the decision came from — also the metric dimension. */
+export type EntitlementSource = 'cache' | 'network' | 'fail-closed';
+export interface EntitlementResult {
+    readonly entitled: boolean;
+    readonly source: EntitlementSource;
+}
+/** Input to {@link checkEntitlement}. `now`/`fetchImpl`/`cacheDir` are injectable for tests. */
+export interface CheckEntitlementInput {
+    readonly apiKey: string;
+    readonly endpoint: string;
+    readonly now: number;
+    readonly cacheDir: string;
+    readonly fetchImpl?: typeof fetch;
+}
+/**
+ * Resolve entitlement: cache hit → use it; else a single network check; any
+ * failure → fail-closed. A clear `401`/`403` or `{ entitled: false }` is a real
+ * negative (cached briefly); a transport/format failure is fail-closed and not
+ * cached as confident.
+ */
+export declare function checkEntitlement(input: CheckEntitlementInput): Promise<EntitlementResult>;
+/** Delete the cached entitlement for a key — called after a 401/403 at emit so a
+ *  revoked plan re-checks on the next run rather than waiting out the TTL. */
+export declare function invalidateEntitlement(input: {
+    apiKey: string;
+    cacheDir: string;
+}): Promise<void>;
+//# sourceMappingURL=entitlement.d.ts.map

package/dist/sink/entitlement.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entitlement.d.ts","sourceRoot":"","sources":["../../src/sink/entitlement.ts"],"names":[],"mappings":"AA0BA,gEAAgE;AAChE,MAAM,MAAM,iBAAiB,GAAG,OAAO,GAAG,SAAS,GAAG,aAAa,CAAC;AACpE,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,MAAM,EAAE,iBAAiB,CAAC;CACpC;AAOD,gGAAgG;AAChG,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CACnC;AAuCD;;;;;GAKG;AACH,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,qBAAqB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAgC/F;AAED;8EAC8E;AAC9E,wBAAsB,qBAAqB,CAAC,KAAK,EAAE;IACjD,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB,GAAG,OAAO,CAAC,IAAI,CAAC,CAMhB"}

package/dist/sink/entitlement.js

@@ -0,0 +1,109 @@
+// @fitness-ignore-file error-handling-quality -- best-effort entitlement cache + check (ADR-0008): a missing/corrupt/unwritable cache and an unreachable endpoint all degrade to "not entitled" / a re-check next run, never throwing on the cloud hot path.
+// @fitness-ignore-file unbounded-memory -- reads a tiny tool-generated entitlement cache file (a single boolean + timestamp).
+/**
+ * Entitlement check for OpenSIP Cloud signal sync (ADR-0008).
+ *
+ * Answers "is this API key entitled to store signals?" with a locally cached
+ * result (so it is not a network round-trip every run) and a **fail-closed**
+ * default: on any ambiguity — no key, unreachable endpoint, non-2xx, malformed
+ * body — the answer is `entitled: false` and no positive cache entry is
+ * written. Data leaves the machine only on a clear positive signal.
+ *
+ * The ingestion/entitlement endpoint lives in the parent `opensip` repo and
+ * does not exist yet; this client codes against the agreed contract and is
+ * fully testable by injecting `fetchImpl` + `now` + a temp `cacheDir`.
+ */
+import { createHash } from 'node:crypto';
+import { mkdir, readFile, rm, writeFile } from 'node:fs/promises';
+import { dirname, join } from 'node:path';
+import { logger } from '@opensip-cli/core';
+const MODULE_TAG = 'entitlement';
+const POSITIVE_TTL_MS = 6 * 60 * 60 * 1000; // 6h — re-check entitled keys infrequently
+const NEGATIVE_TTL_MS = 5 * 60 * 1000; // 5m — a real "no" caches briefly to avoid hammering
+const REQUEST_TIMEOUT_MS = 10_000;
+function cacheFileFor(cacheDir, apiKey) {
+    // Key the cache by a hash of the API key, never the key itself.
+    const hash = createHash('sha256').update(apiKey).digest('hex').slice(0, 16);
+    return join(cacheDir, `entitlement-${hash}.json`);
+}
+async function readCache(file, now) {
+    try {
+        const entry = JSON.parse(await readFile(file, 'utf8'));
+        const ttl = entry.entitled ? POSITIVE_TTL_MS : NEGATIVE_TTL_MS;
+        if (now - entry.checkedAt < ttl)
+            return entry.entitled;
+    }
+    catch {
+        /* missing or corrupt cache → treat as a miss */
+    }
+    return undefined;
+}
+async function writeCache(file, entitled, now) {
+    try {
+        await mkdir(dirname(file), { recursive: true });
+        await writeFile(file, JSON.stringify({ entitled, checkedAt: now }));
+    }
+    catch {
+        /* cache write is best-effort — a failure just means we re-check next run */
+    }
+}
+function log(result) {
+    // Structured event doubles as the metric signal (labelled by source); never the key.
+    logger.info({
+        evt: 'cli.signal-sync.entitlement',
+        module: MODULE_TAG,
+        entitled: result.entitled,
+        source: result.source,
+    });
+    return result;
+}
+/**
+ * Resolve entitlement: cache hit → use it; else a single network check; any
+ * failure → fail-closed. A clear `401`/`403` or `{ entitled: false }` is a real
+ * negative (cached briefly); a transport/format failure is fail-closed and not
+ * cached as confident.
+ */
+export async function checkEntitlement(input) {
+    const { apiKey, endpoint, now, cacheDir } = input;
+    if (!apiKey)
+        return log({ entitled: false, source: 'fail-closed' });
+    const file = cacheFileFor(cacheDir, apiKey);
+    const cached = await readCache(file, now);
+    if (cached !== undefined)
+        return log({ entitled: cached, source: 'cache' });
+    const fetchImpl = input.fetchImpl ?? fetch;
+    try {
+        const url = endpoint.endsWith('/entitlements') ? endpoint : `${endpoint}/entitlements`;
+        const res = await fetchImpl(url, {
+            method: 'GET',
+            headers: { 'X-API-Key': apiKey },
+            signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
+        });
+        if (res.status === 401 || res.status === 403) {
+            await writeCache(file, false, now); // real negative
+            return log({ entitled: false, source: 'network' });
+        }
+        if (!res.ok)
+            return log({ entitled: false, source: 'fail-closed' }); // 5xx/other → don't trust, don't cache
+        const body = (await res.json().catch(() => null));
+        if (!body || typeof body.entitled !== 'boolean') {
+            return log({ entitled: false, source: 'fail-closed' });
+        }
+        await writeCache(file, body.entitled, now);
+        return log({ entitled: body.entitled, source: 'network' });
+    }
+    catch {
+        return log({ entitled: false, source: 'fail-closed' });
+    }
+}
+/** Delete the cached entitlement for a key — called after a 401/403 at emit so a
+ *  revoked plan re-checks on the next run rather than waiting out the TTL. */
+export async function invalidateEntitlement(input) {
+    try {
+        await rm(cacheFileFor(input.cacheDir, input.apiKey), { force: true });
+    }
+    catch {
+        /* best-effort */
+    }
+}
+//# sourceMappingURL=entitlement.js.map

package/dist/sink/entitlement.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entitlement.js","sourceRoot":"","sources":["../../src/sink/entitlement.ts"],"names":[],"mappings":"AAAA,6PAA6P;AAC7P,8HAA8H;AAC9H;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAClE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAE3C,MAAM,UAAU,GAAG,aAAa,CAAC;AACjC,MAAM,eAAe,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,2CAA2C;AACvF,MAAM,eAAe,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,qDAAqD;AAC5F,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAuBlC,SAAS,YAAY,CAAC,QAAgB,EAAE,MAAc;IACpD,gEAAgE;IAChE,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC5E,OAAO,IAAI,CAAC,QAAQ,EAAE,eAAe,IAAI,OAAO,CAAC,CAAC;AACpD,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,IAAY,EAAE,GAAW;IAChD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAe,CAAC;QACrE,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,eAAe,CAAC;QAC/D,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,GAAG,GAAG;YAAE,OAAO,KAAK,CAAC,QAAQ,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;IAClD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,IAAY,EAAE,QAAiB,EAAE,GAAW;IACpE,IAAI,CAAC;QACH,MAAM,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,MAAM,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,EAAuB,CAAC,CAAC,CAAC;IAC3F,CAAC;IAAC,MAAM,CAAC;QACP,4EAA4E;IAC9E,CAAC;AACH,CAAC;AAED,SAAS,GAAG,CAAC,MAAyB;IACpC,qFAAqF;IACrF,MAAM,CAAC,IAAI,CAAC;QACV,GAAG,EAAE,6BAA6B;QAClC,MAAM,EAAE,UAAU;QAClB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAA4B;IACjE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,KAAK,CAAC;IAClD,IAAI,CAAC,MAAM;QAAE,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAC;IAEpE,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1C,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;IAE5E,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,QAAQ,eAAe,CAAC;QACvF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE;YAC/B,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,WAAW,EAAE,MAAM,EAAE;YAChC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC;SAChD,CAAC,CAAC;QAEH,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC7C,MAAM,UAAU,CAAC,IAAI,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,gBAAgB;YACpD,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;QACrD,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,uCAAuC;QAE5G,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAkC,CAAC;QACnF,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YAChD,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAC;QACzD,CAAC;QACD,MAAM,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC3C,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAED;8EAC8E;AAC9E,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,KAG3C;IACC,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IAAC,MAAM,CAAC;QACP,iBAAiB;IACnB,CAAC;AACH,CAAC"}

package/dist/sink/http-egress.d.ts

@@ -0,0 +1,49 @@
+/** Per-caller retry/throttle policy. */
+export interface RetryPolicy {
+    /** Max attempts per chunk. */
+    readonly maxAttempts: number;
+    /** Whole-batch wall-clock budget; once exceeded, stop and return partial. */
+    readonly overallDeadlineMs: number;
+    /** Parse + honor `Retry-After` on `429`/`503`. */
+    readonly honorRetryAfter: boolean;
+}
+/** Structured outcome of a chunked POST. Never thrown — always returned. */
+export interface EgressResult {
+    /** Count of chunks the server acked with 2xx. */
+    readonly acceptedChunks: number;
+    /** Per-chunk success, indexed by ordinal (lets callers sum item counts). */
+    readonly chunkResults: readonly boolean[];
+    readonly outcome: 'ok' | 'partial' | 'failed';
+    /** Saw a 401/403 — caller should bust any auth/entitlement cache. */
+    readonly authRejected: boolean;
+    /** Saw a 429. */
+    readonly throttled: boolean;
+    /** Stopped early because the overall deadline elapsed. */
+    readonly deadlineExceeded: boolean;
+    readonly errors: readonly string[];
+}
+/** Arguments for posting pre-chunked SARIF/signal bodies to a cloud receiver, one POST per body, under the retry policy. */
+export interface PostChunkedArgs {
+    readonly url: string;
+    readonly apiKey?: string;
+    /** JSON-serializable bodies, one POST each. */
+    readonly chunks: readonly unknown[];
+    /** Stable idempotency key for the chunk at `ordinal` (same across its retries). */
+    readonly idempotencyKeyFor: (ordinal: number) => string;
+    /** Per-chunk request timeout in ms. */
+    readonly timeoutFor: (chunk: unknown, ordinal: number) => number;
+    readonly policy: RetryPolicy;
+    /** Log event prefix, e.g. `cli.report` or `cli.signal-sync`. */
+    readonly evtPrefix: string;
+    readonly fetchImpl?: typeof fetch;
+    /** Injectable clock/sleep for deterministic tests. */
+    readonly now?: () => number;
+    readonly sleep?: (ms: number) => Promise<void>;
+}
+/**
+ * POST each chunk with bounded per-chunk retries on `429`/`5xx`/transport
+ * errors, honoring `Retry-After`, an overall deadline, and stable idempotency
+ * keys. Returns an {@link EgressResult}; never throws.
+ */
+export declare function postChunked(args: PostChunkedArgs): Promise<EgressResult>;
+//# sourceMappingURL=http-egress.d.ts.map

package/dist/sink/http-egress.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-egress.d.ts","sourceRoot":"","sources":["../../src/sink/http-egress.ts"],"names":[],"mappings":"AAiBA,wCAAwC;AACxC,MAAM,WAAW,WAAW;IAC1B,8BAA8B;IAC9B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,6EAA6E;IAC7E,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IACnC,kDAAkD;IAClD,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC;CACnC;AAED,4EAA4E;AAC5E,MAAM,WAAW,YAAY;IAC3B,iDAAiD;IACjD,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,4EAA4E;IAC5E,QAAQ,CAAC,YAAY,EAAE,SAAS,OAAO,EAAE,CAAC;IAC1C,QAAQ,CAAC,OAAO,EAAE,IAAI,GAAG,SAAS,GAAG,QAAQ,CAAC;IAC9C,qEAAqE;IACrE,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC;IAC/B,iBAAiB;IACjB,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B,0DAA0D;IAC1D,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;CACpC;AAED,4HAA4H;AAC5H,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,+CAA+C;IAC/C,QAAQ,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAC;IACpC,mFAAmF;IACnF,QAAQ,CAAC,iBAAiB,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,MAAM,CAAC;IACxD,uCAAuC;IACvC,QAAQ,CAAC,UAAU,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,KAAK,MAAM,CAAC;IACjE,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B,gEAAgE;IAChE,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IAClC,sDAAsD;IACtD,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IAC5B,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAChD;AAyBD;;;;GAIG;AAEH,wBAAsB,WAAW,CAAC,IAAI,EAAE,eAAe,GAAG,OAAO,CAAC,YAAY,CAAC,CAwH9E"}