@openthink/stamp 1.0.0

package/dist/chunk-TTOMORIY.js

@@ -0,0 +1,502 @@
+#!/usr/bin/env node
+
+// src/lib/git.ts
+import { execFileSync, spawnSync } from "child_process";
+function currentBranch(cwd) {
+  return git(["rev-parse", "--abbrev-ref", "HEAD"], cwd).trim();
+}
+function firstParentCommits(branch, limit, cwd) {
+  const sep = "----stamp-record-end----";
+  const fmt = `%H%n%P%n%an <%ae>%n%ai%n%s%n%n%b${sep}`;
+  const out = git(
+    ["log", "--first-parent", `-${limit}`, `--format=${fmt}`, branch],
+    cwd
+  );
+  const records = out.split(sep).map((r) => r.trim()).filter(Boolean);
+  const commits = [];
+  for (const rec of records) {
+    const lines = rec.split("\n");
+    if (lines.length < 5) continue;
+    const [sha, parents, author, date, title, ...rest] = lines;
+    const body = rest.join("\n").replace(/^\n+/, "").trimEnd();
+    commits.push({
+      sha,
+      parents: parents.split(/\s+/).filter(Boolean),
+      author,
+      date,
+      title,
+      body
+    });
+  }
+  return commits;
+}
+function commitMessage(sha, cwd) {
+  return git(["show", "-s", "--format=%B", sha], cwd);
+}
+function showAtRef(ref, path, cwd) {
+  return runGit(["show", `${ref}:${path}`], cwd);
+}
+function pathExistsAtRef(ref, path, cwd) {
+  const result = spawnSync("git", ["cat-file", "-e", `${ref}:${path}`], {
+    cwd,
+    stdio: ["ignore", "ignore", "pipe"]
+  });
+  if (result.status === 0) return true;
+  if (result.status === 128) return false;
+  const stderr = result.stderr?.toString("utf8").trim() ?? "";
+  throw new Error(
+    `git cat-file -e ${ref}:${path} failed (status ${result.status}): ${stderr || "(no stderr)"}`
+  );
+}
+function isPathTracked(path, cwd) {
+  try {
+    runGit(["ls-files", "--error-unmatch", path], cwd);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function repoHasAnyCommit(cwd) {
+  try {
+    runGit(["rev-parse", "--verify", "HEAD"], cwd);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function resolveDiff(revspec, cwd) {
+  const parts = revspec.split("..");
+  if (parts.length !== 2 || !parts[0] || !parts[1]) {
+    throw new Error(
+      `invalid revspec "${revspec}": expected form <base>..<head> (two dots)`
+    );
+  }
+  const [baseRef, headRef] = parts;
+  const base_sha = git(["merge-base", baseRef, headRef], cwd).trim();
+  const head_sha = git(["rev-parse", "--verify", `${headRef}^{commit}`], cwd).trim();
+  const diff = git(["diff", `${baseRef}...${headRef}`], cwd);
+  return { revspec, base_sha, head_sha, diff };
+}
+function runGit(args, cwd) {
+  try {
+    return execFileSync("git", args, {
+      cwd,
+      encoding: "utf8",
+      maxBuffer: 64 * 1024 * 1024,
+      // 64MB; big diffs happen
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+  } catch (err) {
+    const stderr = err?.stderr;
+    const stderrText = typeof stderr === "string" ? stderr : stderr?.toString("utf8") ?? "";
+    const base = err instanceof Error ? err.message : String(err);
+    throw new Error(
+      `git ${args.join(" ")} failed: ${stderrText.trim() || base}`
+    );
+  }
+}
+var git = runGit;
+
+// src/lib/paths.ts
+import { existsSync, mkdirSync, readFileSync, statSync } from "fs";
+import { homedir } from "os";
+import { dirname, isAbsolute, join, resolve } from "path";
+function findRepoRoot(startFrom = process.cwd()) {
+  let current = resolve(startFrom);
+  while (true) {
+    if (existsSync(join(current, ".git"))) return current;
+    const parent = dirname(current);
+    if (parent === current) {
+      throw new Error(
+        `not inside a git repository (searched up from ${startFrom})`
+      );
+    }
+    current = parent;
+  }
+}
+function stampConfigDir(repoRoot) {
+  return join(repoRoot, ".stamp");
+}
+function stampReviewersDir(repoRoot) {
+  return join(repoRoot, ".stamp", "reviewers");
+}
+function stampTrustedKeysDir(repoRoot) {
+  return join(repoRoot, ".stamp", "trusted-keys");
+}
+function stampConfigFile(repoRoot) {
+  return join(repoRoot, ".stamp", "config.yml");
+}
+function stampStateDbPath(repoRoot) {
+  return join(gitCommonDir(repoRoot), "stamp", "state.db");
+}
+function stampLlmNoticeMarkerPath(repoRoot) {
+  return join(gitCommonDir(repoRoot), "stamp", "llm-notice-shown");
+}
+function gitCommonDir(repoRoot) {
+  const dotGit = join(repoRoot, ".git");
+  const st = statSync(dotGit);
+  if (st.isDirectory()) return dotGit;
+  const contents = readFileSync(dotGit, "utf8");
+  const match = contents.match(/^gitdir:\s*(.+)$/m);
+  if (!match || !match[1]) {
+    throw new Error(
+      `expected '.git' at ${repoRoot} to be a directory or a 'gitdir:' pointer file, got: ${contents.slice(0, 120)}`
+    );
+  }
+  const gitdirRaw = match[1].trim();
+  const gitdir = isAbsolute(gitdirRaw) ? gitdirRaw : resolve(repoRoot, gitdirRaw);
+  const commondirPath = join(gitdir, "commondir");
+  if (!existsSync(commondirPath)) return gitdir;
+  const commondirRaw = readFileSync(commondirPath, "utf8").trim();
+  return isAbsolute(commondirRaw) ? commondirRaw : resolve(gitdir, commondirRaw);
+}
+function userKeysDir() {
+  return join(homedir(), ".stamp", "keys");
+}
+function userServerConfigPath() {
+  return join(homedir(), ".stamp", "server.yml");
+}
+function ensureDir(path, mode = 493) {
+  if (!existsSync(path)) {
+    mkdirSync(path, { recursive: true, mode });
+  }
+}
+function isFile(path) {
+  try {
+    return statSync(path).isFile();
+  } catch {
+    return false;
+  }
+}
+
+// src/lib/db.ts
+import { chmodSync, existsSync as existsSync2 } from "fs";
+import { DatabaseSync } from "node:sqlite";
+import { dirname as dirname2 } from "path";
+function openDb(path) {
+  const dir = dirname2(path);
+  ensureDir(dir, 448);
+  chmodSync(dir, 448);
+  const db = new DatabaseSync(path);
+  db.exec("PRAGMA journal_mode = WAL");
+  db.exec("PRAGMA foreign_keys = ON");
+  initSchema(db);
+  chmodSync(path, 384);
+  for (const sidecar of [`${path}-wal`, `${path}-shm`]) {
+    if (existsSync2(sidecar)) chmodSync(sidecar, 384);
+  }
+  return db;
+}
+function initSchema(db) {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS reviews (
+      id          INTEGER PRIMARY KEY AUTOINCREMENT,
+      reviewer    TEXT    NOT NULL,
+      base_sha    TEXT    NOT NULL,
+      head_sha    TEXT    NOT NULL,
+      verdict     TEXT    NOT NULL CHECK (verdict IN ('approved','changes_requested','denied')),
+      issues      TEXT,
+      tool_calls  TEXT,
+      created_at  TEXT    NOT NULL DEFAULT (datetime('now'))
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_reviews_shas
+      ON reviews(base_sha, head_sha, reviewer);
+  `);
+  const cols = db.prepare("PRAGMA table_info(reviews)").all();
+  if (!cols.some((c) => c.name === "tool_calls")) {
+    db.exec("ALTER TABLE reviews ADD COLUMN tool_calls TEXT");
+  }
+}
+function recordReview(db, input) {
+  const stmt = db.prepare(
+    `INSERT INTO reviews (reviewer, base_sha, head_sha, verdict, issues, tool_calls)
+     VALUES (?, ?, ?, ?, ?, ?)`
+  );
+  const result = stmt.run(
+    input.reviewer,
+    input.base_sha,
+    input.head_sha,
+    input.verdict,
+    input.issues ?? null,
+    input.tool_calls ?? null
+  );
+  return Number(result.lastInsertRowid);
+}
+var LATEST_VERDICTS_SQL = `
+  SELECT id, reviewer, verdict, issues, tool_calls
+  FROM (
+    SELECT
+      id,
+      reviewer,
+      verdict,
+      issues,
+      tool_calls,
+      ROW_NUMBER() OVER (
+        PARTITION BY reviewer
+        ORDER BY created_at DESC, id DESC
+      ) AS rn
+    FROM reviews
+    WHERE base_sha = ? AND head_sha = ?
+  )
+  WHERE rn = 1
+`;
+function latestVerdicts(db, base_sha, head_sha) {
+  const stmt = db.prepare(LATEST_VERDICTS_SQL);
+  return stmt.all(base_sha, head_sha);
+}
+function latestReviews(db, base_sha, head_sha) {
+  const stmt = db.prepare(LATEST_VERDICTS_SQL);
+  return stmt.all(base_sha, head_sha);
+}
+function reviewHistory(db, opts = {}) {
+  const limit = opts.limit ?? 50;
+  const stmt = db.prepare(`
+    SELECT id, reviewer, base_sha, head_sha, verdict, issues, created_at
+    FROM reviews
+    ORDER BY created_at DESC, id DESC
+    LIMIT ?
+  `);
+  return stmt.all(limit);
+}
+function reviewerStats(db, reviewer) {
+  const stmt = db.prepare(`
+    SELECT
+      COUNT(*) AS total,
+      SUM(CASE WHEN verdict = 'approved'          THEN 1 ELSE 0 END) AS approved,
+      SUM(CASE WHEN verdict = 'changes_requested' THEN 1 ELSE 0 END) AS changes_requested,
+      SUM(CASE WHEN verdict = 'denied'            THEN 1 ELSE 0 END) AS denied,
+      MIN(created_at) AS first_seen,
+      MAX(created_at) AS last_seen
+    FROM reviews
+    WHERE reviewer = ?
+  `);
+  const row = stmt.get(reviewer);
+  return {
+    reviewer,
+    total: row.total ?? 0,
+    approved: row.approved ?? 0,
+    changes_requested: row.changes_requested ?? 0,
+    denied: row.denied ?? 0,
+    first_seen: row.first_seen,
+    last_seen: row.last_seen
+  };
+}
+function recentReviewsByReviewer(db, reviewer, limit) {
+  const stmt = db.prepare(`
+    SELECT id, reviewer, base_sha, head_sha, verdict, issues, created_at
+    FROM reviews
+    WHERE reviewer = ?
+    ORDER BY created_at DESC, id DESC
+    LIMIT ?
+  `);
+  return stmt.all(reviewer, limit);
+}
+function peekPrunable(db, sqliteModifier) {
+  const stmt = db.prepare(`
+    SELECT reviewer, COUNT(*) AS count
+    FROM reviews
+    WHERE created_at < datetime('now', ?)
+    GROUP BY reviewer
+    ORDER BY reviewer
+  `);
+  const rows = stmt.all(sqliteModifier);
+  const total = rows.reduce((sum, r) => sum + r.count, 0);
+  return { total, perReviewer: rows };
+}
+function pruneReviews(db, sqliteModifier) {
+  const peek = peekPrunable(db, sqliteModifier);
+  if (peek.total === 0) return peek;
+  const del = db.prepare(
+    "DELETE FROM reviews WHERE created_at < datetime('now', ?)"
+  );
+  del.run(sqliteModifier);
+  return peek;
+}
+
+// src/lib/keys.ts
+import {
+  createHash,
+  createPublicKey,
+  generateKeyPairSync
+} from "crypto";
+import {
+  chmodSync as chmodSync2,
+  readdirSync,
+  readFileSync as readFileSync2,
+  writeFileSync
+} from "fs";
+import { join as join2 } from "path";
+var PRIVATE_KEY_FILE = "ed25519";
+var PUBLIC_KEY_FILE = "ed25519.pub";
+function generateKeypair() {
+  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+  const privateKeyPem = privateKey.export({
+    type: "pkcs8",
+    format: "pem"
+  });
+  const publicKeyPem = publicKey.export({
+    type: "spki",
+    format: "pem"
+  });
+  return {
+    privateKeyPem,
+    publicKeyPem,
+    fingerprint: fingerprintFromPem(publicKeyPem)
+  };
+}
+function fingerprintFromPem(publicKeyPem) {
+  const pub = createPublicKey(publicKeyPem);
+  const raw = pub.export({ type: "spki", format: "der" });
+  const hash = createHash("sha256").update(raw).digest("hex");
+  return `sha256:${hash}`;
+}
+function loadUserKeypair() {
+  const dir = userKeysDir();
+  const privPath = join2(dir, PRIVATE_KEY_FILE);
+  const pubPath = join2(dir, PUBLIC_KEY_FILE);
+  if (!isFile(privPath) || !isFile(pubPath)) return null;
+  const privateKeyPem = readFileSync2(privPath, "utf8");
+  const publicKeyPem = readFileSync2(pubPath, "utf8");
+  return {
+    privateKeyPem,
+    publicKeyPem,
+    fingerprint: fingerprintFromPem(publicKeyPem)
+  };
+}
+function saveUserKeypair(kp) {
+  const dir = userKeysDir();
+  ensureDir(dir, 448);
+  chmodSync2(dir, 448);
+  const privPath = join2(dir, PRIVATE_KEY_FILE);
+  const pubPath = join2(dir, PUBLIC_KEY_FILE);
+  writeFileSync(privPath, kp.privateKeyPem, { mode: 384 });
+  writeFileSync(pubPath, kp.publicKeyPem, { mode: 420 });
+}
+function ensureUserKeypair() {
+  const existing = loadUserKeypair();
+  if (existing) return { keypair: existing, created: false };
+  const kp = generateKeypair();
+  saveUserKeypair(kp);
+  return { keypair: kp, created: true };
+}
+function publicKeyFingerprintFilename(fingerprint) {
+  return fingerprint.replace(":", "_") + ".pub";
+}
+function findTrustedKey(repoRoot, fingerprint) {
+  const dir = stampTrustedKeysDir(repoRoot);
+  let files;
+  try {
+    files = readdirSync(dir);
+  } catch {
+    return null;
+  }
+  for (const f of files) {
+    if (!f.endsWith(".pub")) continue;
+    let pem;
+    try {
+      pem = readFileSync2(join2(dir, f), "utf8");
+    } catch {
+      continue;
+    }
+    try {
+      if (fingerprintFromPem(pem) === fingerprint) return pem;
+    } catch {
+    }
+  }
+  return null;
+}
+
+// src/lib/attestation.ts
+var CURRENT_PAYLOAD_VERSION = 3;
+var STAMP_PAYLOAD_TRAILER = "Stamp-Payload";
+var STAMP_VERIFIED_TRAILER = "Stamp-Verified";
+var MAX_TRAILER_BYTES = 64 * 1024;
+function serializePayload(p) {
+  return Buffer.from(JSON.stringify(p), "utf8");
+}
+function payloadToTrailerValue(p) {
+  return serializePayload(p).toString("base64");
+}
+function trailerValueToPayloadBytes(b64) {
+  return Buffer.from(b64, "base64");
+}
+function parseCommitAttestation(commitMessage2) {
+  const payloadMatch = commitMessage2.match(
+    new RegExp(`^${STAMP_PAYLOAD_TRAILER}:\\s*(.+)$`, "m")
+  );
+  const sigMatch = commitMessage2.match(
+    new RegExp(`^${STAMP_VERIFIED_TRAILER}:\\s*(.+)$`, "m")
+  );
+  if (!payloadMatch || !sigMatch) return null;
+  const b64Payload = payloadMatch[1]?.trim();
+  const b64Sig = sigMatch[1]?.trim();
+  if (!b64Payload || !b64Sig) return null;
+  if (b64Payload.length > MAX_TRAILER_BYTES) return null;
+  const payloadBytes = trailerValueToPayloadBytes(b64Payload);
+  if (payloadBytes.length > MAX_TRAILER_BYTES) return null;
+  const payload = JSON.parse(payloadBytes.toString("utf8"));
+  return { payload, payloadBytes, signatureBase64: b64Sig };
+}
+function formatTrailers(p, signatureBase64) {
+  return `${STAMP_PAYLOAD_TRAILER}: ${payloadToTrailerValue(p)}
+${STAMP_VERIFIED_TRAILER}: ${signatureBase64}`;
+}
+
+// src/lib/signing.ts
+import { createPrivateKey, createPublicKey as createPublicKey2, sign, verify } from "crypto";
+function signBytes(privateKeyPem, data) {
+  const key = createPrivateKey(privateKeyPem);
+  const sig = sign(null, data, key);
+  return sig.toString("base64");
+}
+function verifyBytes(publicKeyPem, data, signatureBase64) {
+  const key = createPublicKey2(publicKeyPem);
+  const sig = Buffer.from(signatureBase64, "base64");
+  return verify(null, data, key, sig);
+}
+
+export {
+  currentBranch,
+  firstParentCommits,
+  commitMessage,
+  showAtRef,
+  pathExistsAtRef,
+  isPathTracked,
+  repoHasAnyCommit,
+  resolveDiff,
+  runGit,
+  findRepoRoot,
+  stampConfigDir,
+  stampReviewersDir,
+  stampTrustedKeysDir,
+  stampConfigFile,
+  stampStateDbPath,
+  stampLlmNoticeMarkerPath,
+  userKeysDir,
+  userServerConfigPath,
+  ensureDir,
+  openDb,
+  recordReview,
+  latestVerdicts,
+  latestReviews,
+  reviewHistory,
+  reviewerStats,
+  recentReviewsByReviewer,
+  peekPrunable,
+  pruneReviews,
+  generateKeypair,
+  fingerprintFromPem,
+  loadUserKeypair,
+  saveUserKeypair,
+  ensureUserKeypair,
+  publicKeyFingerprintFilename,
+  findTrustedKey,
+  CURRENT_PAYLOAD_VERSION,
+  serializePayload,
+  parseCommitAttestation,
+  formatTrailers,
+  signBytes,
+  verifyBytes
+};
+//# sourceMappingURL=chunk-TTOMORIY.js.map

package/dist/chunk-TTOMORIY.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/lib/git.ts","../src/lib/paths.ts","../src/lib/db.ts","../src/lib/keys.ts","../src/lib/attestation.ts","../src/lib/signing.ts"],"sourcesContent":["import { execFileSync, spawnSync } from \"node:child_process\";\n\nexport interface ResolvedDiff {\n  /** Original revspec as passed by the user, e.g. \"main..HEAD\" */\n  revspec: string;\n  /** Commit SHA of the merge base (the \"base\" of the diff) */\n  base_sha: string;\n  /** Commit SHA of the head being reviewed */\n  head_sha: string;\n  /** Unified diff text covering the change from base to head */\n  diff: string;\n}\n\nexport interface CommitSummary {\n  sha: string;\n  title: string;\n  author: string;\n  date: string;\n  /** Full commit message body */\n  body: string;\n  /** Parent SHAs (typically 1 for normal commits, 2 for merges) */\n  parents: string[];\n}\n\nexport function currentBranch(cwd: string): string {\n  return git([\"rev-parse\", \"--abbrev-ref\", \"HEAD\"], cwd).trim();\n}\n\n/**\n * First-parent commit history on a branch — follows only the branch's linear\n * history, skipping commits that came in via merged feature branches. This\n * matches what the pre-receive hook verifies on push.\n */\nexport function firstParentCommits(\n  branch: string,\n  limit: number,\n  cwd: string,\n): CommitSummary[] {\n  const sep = \"----stamp-record-end----\";\n  const fmt = `%H%n%P%n%an <%ae>%n%ai%n%s%n%n%b${sep}`;\n  const out = git(\n    [\"log\", \"--first-parent\", `-${limit}`, `--format=${fmt}`, branch],\n    cwd,\n  );\n  const records = out.split(sep).map((r) => r.trim()).filter(Boolean);\n  const commits: CommitSummary[] = [];\n  for (const rec of records) {\n    const lines = rec.split(\"\\n\");\n    if (lines.length < 5) continue;\n    const [sha, parents, author, date, title, ...rest] = lines as [\n      string,\n      string,\n      string,\n      string,\n      string,\n      ...string[],\n    ];\n    const body = rest.join(\"\\n\").replace(/^\\n+/, \"\").trimEnd();\n    commits.push({\n      sha,\n      parents: parents.split(/\\s+/).filter(Boolean),\n      author,\n      date,\n      title,\n      body,\n    });\n  }\n  return commits;\n}\n\nexport function commitMessage(sha: string, cwd: string): string {\n  return git([\"show\", \"-s\", \"--format=%B\", sha], cwd);\n}\n\n/**\n * Read a file's contents from a specific git tree (commit / tag / branch /\n * tree-ish). Wraps `git show <ref>:<path>`. Throws via runGit's stderr-\n * capturing path if the file doesn't exist at that ref.\n *\n * Used by `stamp review` and `stamp merge` to source reviewer config +\n * prompts from the merge-base tree (rather than the working tree), which is\n * the security boundary that prevents a feature branch from reviewing\n * itself with a reviewer prompt it just modified.\n */\nexport function showAtRef(ref: string, path: string, cwd: string): string {\n  return runGit([\"show\", `${ref}:${path}`], cwd);\n}\n\n/**\n * True when `<path>` exists in the tree at `<ref>`. Use this when \"missing\"\n * is a legitimate state to branch on rather than an error to recover from —\n * e.g. probing for an optional file like a reviewer lock that may or may\n * not be pinned.\n *\n * Branches on `git cat-file -e`'s exit code: 0 = present, 128 = absent\n * (git's catch-all for \"path or ref didn't resolve\"), anything else =\n * unexpected failure (rethrown). Matches the status-128 = \"legitimate\n * bootstrap state\" convention loadConfigAtSha already uses in verify.ts.\n *\n * Use this instead of try/catch around `git show` when absence is expected,\n * so genuine non-128 failures aren't silently swallowed as \"absent.\"\n */\nexport function pathExistsAtRef(\n  ref: string,\n  path: string,\n  cwd: string,\n): boolean {\n  const result = spawnSync(\"git\", [\"cat-file\", \"-e\", `${ref}:${path}`], {\n    cwd,\n    stdio: [\"ignore\", \"ignore\", \"pipe\"],\n  });\n  if (result.status === 0) return true;\n  if (result.status === 128) return false;\n  const stderr = result.stderr?.toString(\"utf8\").trim() ?? \"\";\n  throw new Error(\n    `git cat-file -e ${ref}:${path} failed (status ${result.status}): ${stderr || \"(no stderr)\"}`,\n  );\n}\n\n/**\n * True when `<path>` is already tracked by git on the current branch. Used\n * by `stamp init` to detect \"is this the first time we're adding stamp\n * config\" — the bootstrap moment where the scaffolding files can be\n * committed directly to main.\n *\n * `--error-unmatch` exits non-zero if the path isn't tracked, so we just\n * branch on whether the call throws.\n */\nexport function isPathTracked(path: string, cwd: string): boolean {\n  try {\n    runGit([\"ls-files\", \"--error-unmatch\", path], cwd);\n    return true;\n  } catch {\n    return false;\n  }\n}\n\n/**\n * True when the repository has at least one commit on HEAD. False on a\n * freshly `git init`'d repo where no commits have been made yet.\n */\nexport function repoHasAnyCommit(cwd: string): boolean {\n  try {\n    runGit([\"rev-parse\", \"--verify\", \"HEAD\"], cwd);\n    return true;\n  } catch {\n    return false;\n  }\n}\n\nexport function commitSummary(sha: string, cwd: string): CommitSummary {\n  const commits = firstParentCommits(sha, 1, cwd);\n  if (commits.length === 0) {\n    throw new Error(`commit ${sha} not found`);\n  }\n  return commits[0]!;\n}\n\n/**\n * Parse and resolve a git revspec of the form \"<base>..<head>\".\n * - base_sha is merge-base(<base>, <head>), the point at which <head> diverged\n * - head_sha is the commit SHA that <head> currently points to\n * - diff is `git diff <base>...<head>` — changes introduced by <head>\n *   relative to <base>, ignoring any changes that <base> has since made\n *\n * Throws on invalid revspecs or on git failures.\n */\nexport function resolveDiff(revspec: string, cwd: string): ResolvedDiff {\n  const parts = revspec.split(\"..\");\n  if (parts.length !== 2 || !parts[0] || !parts[1]) {\n    throw new Error(\n      `invalid revspec \"${revspec}\": expected form <base>..<head> (two dots)`,\n    );\n  }\n  const [baseRef, headRef] = parts;\n\n  const base_sha = git([\"merge-base\", baseRef, headRef], cwd).trim();\n  const head_sha = git([\"rev-parse\", \"--verify\", `${headRef}^{commit}`], cwd).trim();\n  const diff = git([\"diff\", `${baseRef}...${headRef}`], cwd);\n\n  return { revspec, base_sha, head_sha, diff };\n}\n\n/**\n * Shared git-shell helper used by every command that needs to run git\n * subprocesses. Captures stderr (rather than inheriting it) so failures\n * surface via the thrown message — no raw `fatal: ...` lines bleed onto\n * the user's terminal alongside otherwise-successful output. Returns\n * stdout as utf-8.\n *\n * Use this in command modules (commands/*.ts) instead of a local copy.\n */\nexport function runGit(args: string[], cwd: string): string {\n  try {\n    return execFileSync(\"git\", args, {\n      cwd,\n      encoding: \"utf8\",\n      maxBuffer: 64 * 1024 * 1024, // 64MB; big diffs happen\n      stdio: [\"ignore\", \"pipe\", \"pipe\"],\n    });\n  } catch (err) {\n    const stderr = (err as { stderr?: Buffer | string } | null)?.stderr;\n    const stderrText =\n      typeof stderr === \"string\" ? stderr : stderr?.toString(\"utf8\") ?? \"\";\n    const base = err instanceof Error ? err.message : String(err);\n    throw new Error(\n      `git ${args.join(\" \")} failed: ${stderrText.trim() || base}`,\n    );\n  }\n}\n\n// Local alias so existing callers in this file keep their short name.\nconst git = runGit;\n","import { existsSync, mkdirSync, readFileSync, statSync } from \"node:fs\";\nimport { homedir } from \"node:os\";\nimport { dirname, isAbsolute, join, resolve } from \"node:path\";\n\nexport function findRepoRoot(startFrom: string = process.cwd()): string {\n  let current = resolve(startFrom);\n  while (true) {\n    if (existsSync(join(current, \".git\"))) return current;\n    const parent = dirname(current);\n    if (parent === current) {\n      throw new Error(\n        `not inside a git repository (searched up from ${startFrom})`,\n      );\n    }\n    current = parent;\n  }\n}\n\nexport function stampConfigDir(repoRoot: string): string {\n  return join(repoRoot, \".stamp\");\n}\n\nexport function stampReviewersDir(repoRoot: string): string {\n  return join(repoRoot, \".stamp\", \"reviewers\");\n}\n\nexport function stampTrustedKeysDir(repoRoot: string): string {\n  return join(repoRoot, \".stamp\", \"trusted-keys\");\n}\n\nexport function stampConfigFile(repoRoot: string): string {\n  return join(repoRoot, \".stamp\", \"config.yml\");\n}\n\nexport function stampStateDbPath(repoRoot: string): string {\n  return join(gitCommonDir(repoRoot), \"stamp\", \"state.db\");\n}\n\n/**\n * Marker file that records \"we have shown the LLM data-flow notice in this\n * repo at least once.\" Lives next to state.db under the git common dir so\n * it's per-repo (not per-worktree, not committed).\n */\nexport function stampLlmNoticeMarkerPath(repoRoot: string): string {\n  return join(gitCommonDir(repoRoot), \"stamp\", \"llm-notice-shown\");\n}\n\n/**\n * Resolve the git common directory for `repoRoot`. For a normal checkout this\n * is `<repoRoot>/.git`; for a worktree, `<repoRoot>/.git` is a *file* of the\n * form `gitdir: <path>` and the real common dir lives at `<gitdir>/commondir`\n * (a path relative to gitdir, typically `../..`). Mirrors `git rev-parse\n * --git-common-dir` without spawning git.\n *\n * State that should be shared across every worktree of one repository (review\n * verdicts, the per-machine sqlite db) lives under this common dir, so callers\n * resolve their paths through here rather than hard-coding `<repoRoot>/.git`.\n */\nexport function gitCommonDir(repoRoot: string): string {\n  const dotGit = join(repoRoot, \".git\");\n  const st = statSync(dotGit);\n  if (st.isDirectory()) return dotGit;\n\n  // Worktree (or submodule): `.git` is a file. Parse the `gitdir:` line, then\n  // follow the `commondir` pointer from there. Submodules have no `commondir`,\n  // so the gitdir itself is the writable common dir — fall through to that.\n  const contents = readFileSync(dotGit, \"utf8\");\n  const match = contents.match(/^gitdir:\\s*(.+)$/m);\n  if (!match || !match[1]) {\n    throw new Error(\n      `expected '.git' at ${repoRoot} to be a directory or a 'gitdir:' pointer file, got: ${contents.slice(0, 120)}`,\n    );\n  }\n  const gitdirRaw = match[1].trim();\n  const gitdir = isAbsolute(gitdirRaw) ? gitdirRaw : resolve(repoRoot, gitdirRaw);\n\n  const commondirPath = join(gitdir, \"commondir\");\n  if (!existsSync(commondirPath)) return gitdir;\n  const commondirRaw = readFileSync(commondirPath, \"utf8\").trim();\n  return isAbsolute(commondirRaw) ? commondirRaw : resolve(gitdir, commondirRaw);\n}\n\nexport function userKeysDir(): string {\n  return join(homedir(), \".stamp\", \"keys\");\n}\n\n/**\n * Per-user stamp-server config. Holds {host, port, user, repo_root_prefix}\n * so commands like `stamp provision` can reach the operator's stamp server\n * without making the agent guess at SSH endpoints.\n */\nexport function userServerConfigPath(): string {\n  return join(homedir(), \".stamp\", \"server.yml\");\n}\n\nexport function ensureDir(path: string, mode = 0o755): void {\n  if (!existsSync(path)) {\n    mkdirSync(path, { recursive: true, mode });\n  }\n}\n\nexport function isFile(path: string): boolean {\n  try {\n    return statSync(path).isFile();\n  } catch {\n    return false;\n  }\n}\n","import { chmodSync, existsSync } from \"node:fs\";\nimport { DatabaseSync } from \"node:sqlite\";\nimport { dirname } from \"node:path\";\nimport { ensureDir } from \"./paths.js\";\n\nexport type Verdict = \"approved\" | \"changes_requested\" | \"denied\";\n\nexport interface ReviewRow {\n  id: number;\n  reviewer: string;\n  base_sha: string;\n  head_sha: string;\n  verdict: Verdict;\n  issues: string | null;\n  /** JSON-encoded ToolCall[] (see lib/toolCalls.ts), or null for reviews\n   *  recorded before Step 4 shipped or where no tools were invoked. */\n  tool_calls: string | null;\n  created_at: string;\n}\n\nexport interface RecordReviewInput {\n  reviewer: string;\n  base_sha: string;\n  head_sha: string;\n  verdict: Verdict;\n  issues?: string | null;\n  /** JSON-encoded ToolCall[] or null. See lib/toolCalls.ts. */\n  tool_calls?: string | null;\n}\n\nexport function openDb(path: string): DatabaseSync {\n  // Tighten parent directory to 0700 so peer users on shared/dev machines\n  // can't enter `.git/stamp/` to read state.db (or its WAL sidecars). Done\n  // before opening the DB so a brand-new file inherits the locked-down\n  // ancestor. Idempotent: chmodSync runs on every open even if ensureDir\n  // no-oped, which tightens an already-existing 0755 dir from prior versions.\n  const dir = dirname(path);\n  ensureDir(dir, 0o700);\n  chmodSync(dir, 0o700);\n\n  const db = new DatabaseSync(path);\n  db.exec(\"PRAGMA journal_mode = WAL\");\n  db.exec(\"PRAGMA foreign_keys = ON\");\n  initSchema(db);\n\n  // Tighten state.db itself plus the WAL sidecars (if SQLite has created\n  // them — `-wal` and `-shm` only exist while WAL writes are in flight or\n  // recently flushed). chmodSync targets the inode, not any open fd, so\n  // this is idempotent across opens; an in-flight write keeps its old fd\n  // mode but the on-disk bits flip immediately.\n  chmodSync(path, 0o600);\n  for (const sidecar of [`${path}-wal`, `${path}-shm`]) {\n    if (existsSync(sidecar)) chmodSync(sidecar, 0o600);\n  }\n\n  return db;\n}\n\nfunction initSchema(db: DatabaseSync): void {\n  db.exec(`\n    CREATE TABLE IF NOT EXISTS reviews (\n      id          INTEGER PRIMARY KEY AUTOINCREMENT,\n      reviewer    TEXT    NOT NULL,\n      base_sha    TEXT    NOT NULL,\n      head_sha    TEXT    NOT NULL,\n      verdict     TEXT    NOT NULL CHECK (verdict IN ('approved','changes_requested','denied')),\n      issues      TEXT,\n      tool_calls  TEXT,\n      created_at  TEXT    NOT NULL DEFAULT (datetime('now'))\n    );\n\n    CREATE INDEX IF NOT EXISTS idx_reviews_shas\n      ON reviews(base_sha, head_sha, reviewer);\n  `);\n\n  // Migration for DBs created before Step 4 shipped — tool_calls column\n  // wasn't in the original schema. PRAGMA table_info lists columns; if\n  // tool_calls is absent, add it. Idempotent: repeat opens no-op.\n  const cols = db.prepare(\"PRAGMA table_info(reviews)\").all() as Array<{ name: string }>;\n  if (!cols.some((c) => c.name === \"tool_calls\")) {\n    db.exec(\"ALTER TABLE reviews ADD COLUMN tool_calls TEXT\");\n  }\n}\n\nexport function recordReview(\n  db: DatabaseSync,\n  input: RecordReviewInput,\n): number {\n  const stmt = db.prepare(\n    `INSERT INTO reviews (reviewer, base_sha, head_sha, verdict, issues, tool_calls)\n     VALUES (?, ?, ?, ?, ?, ?)`,\n  );\n  const result = stmt.run(\n    input.reviewer,\n    input.base_sha,\n    input.head_sha,\n    input.verdict,\n    input.issues ?? null,\n    input.tool_calls ?? null,\n  );\n  return Number(result.lastInsertRowid);\n}\n\nexport interface LatestVerdict {\n  reviewer: string;\n  verdict: Verdict;\n}\n\nexport interface LatestReview {\n  id: number;\n  reviewer: string;\n  verdict: Verdict;\n  issues: string | null;\n  tool_calls: string | null;\n}\n\nconst LATEST_VERDICTS_SQL = `\n  SELECT id, reviewer, verdict, issues, tool_calls\n  FROM (\n    SELECT\n      id,\n      reviewer,\n      verdict,\n      issues,\n      tool_calls,\n      ROW_NUMBER() OVER (\n        PARTITION BY reviewer\n        ORDER BY created_at DESC, id DESC\n      ) AS rn\n    FROM reviews\n    WHERE base_sha = ? AND head_sha = ?\n  )\n  WHERE rn = 1\n`;\n\n/**\n * For a given (base_sha, head_sha), return the latest verdict per reviewer.\n * Uses ROW_NUMBER() window function with (created_at DESC, id DESC) ordering\n * so same-second inserts tiebreak on insertion order.\n */\nexport function latestVerdicts(\n  db: DatabaseSync,\n  base_sha: string,\n  head_sha: string,\n): LatestVerdict[] {\n  const stmt = db.prepare(LATEST_VERDICTS_SQL);\n  return stmt.all(base_sha, head_sha) as unknown as LatestVerdict[];\n}\n\n/**\n * Same as latestVerdicts but also returns prose (for computing review_sha\n * during attestation, or for display).\n */\nexport function latestReviews(\n  db: DatabaseSync,\n  base_sha: string,\n  head_sha: string,\n): LatestReview[] {\n  const stmt = db.prepare(LATEST_VERDICTS_SQL);\n  return stmt.all(base_sha, head_sha) as unknown as LatestReview[];\n}\n\nexport function reviewHistory(\n  db: DatabaseSync,\n  opts: { limit?: number } = {},\n): ReviewRow[] {\n  const limit = opts.limit ?? 50;\n  const stmt = db.prepare(`\n    SELECT id, reviewer, base_sha, head_sha, verdict, issues, created_at\n    FROM reviews\n    ORDER BY created_at DESC, id DESC\n    LIMIT ?\n  `);\n  return stmt.all(limit) as unknown as ReviewRow[];\n}\n\nexport interface ReviewerStats {\n  reviewer: string;\n  total: number;\n  approved: number;\n  changes_requested: number;\n  denied: number;\n  first_seen: string | null;\n  last_seen: string | null;\n}\n\nexport function reviewerStats(\n  db: DatabaseSync,\n  reviewer: string,\n): ReviewerStats {\n  const stmt = db.prepare(`\n    SELECT\n      COUNT(*) AS total,\n      SUM(CASE WHEN verdict = 'approved'          THEN 1 ELSE 0 END) AS approved,\n      SUM(CASE WHEN verdict = 'changes_requested' THEN 1 ELSE 0 END) AS changes_requested,\n      SUM(CASE WHEN verdict = 'denied'            THEN 1 ELSE 0 END) AS denied,\n      MIN(created_at) AS first_seen,\n      MAX(created_at) AS last_seen\n    FROM reviews\n    WHERE reviewer = ?\n  `);\n  const row = stmt.get(reviewer) as {\n    total: number;\n    approved: number | null;\n    changes_requested: number | null;\n    denied: number | null;\n    first_seen: string | null;\n    last_seen: string | null;\n  };\n  return {\n    reviewer,\n    total: row.total ?? 0,\n    approved: row.approved ?? 0,\n    changes_requested: row.changes_requested ?? 0,\n    denied: row.denied ?? 0,\n    first_seen: row.first_seen,\n    last_seen: row.last_seen,\n  };\n}\n\nexport function recentReviewsByReviewer(\n  db: DatabaseSync,\n  reviewer: string,\n  limit: number,\n): ReviewRow[] {\n  const stmt = db.prepare(`\n    SELECT id, reviewer, base_sha, head_sha, verdict, issues, created_at\n    FROM reviews\n    WHERE reviewer = ?\n    ORDER BY created_at DESC, id DESC\n    LIMIT ?\n  `);\n  return stmt.all(reviewer, limit) as unknown as ReviewRow[];\n}\n\nexport interface PrunePerReviewer {\n  reviewer: string;\n  count: number;\n}\n\nexport interface PrunePeekResult {\n  total: number;\n  perReviewer: PrunePerReviewer[];\n}\n\n/**\n * Count rows older than `now − sqliteModifier` per reviewer, without\n * deleting. Mirrors the row set that `pruneReviews` would delete given the\n * same modifier. Used by `--dry-run` and to compute the \"reviewers affected\"\n * count surfaced in non-dry-run output.\n *\n * `sqliteModifier` is a string suitable for SQLite's `datetime('now', ?)`\n * (e.g. `-30 days`, `-12 hours`); produced by parseRetentionDuration so the\n * cutoff is computed inside SQLite — avoids any wall-clock fencepost\n * between JS `Date.now()` and the `created_at` strings written via\n * `datetime('now')` at insert time.\n */\nexport function peekPrunable(\n  db: DatabaseSync,\n  sqliteModifier: string,\n): PrunePeekResult {\n  const stmt = db.prepare(`\n    SELECT reviewer, COUNT(*) AS count\n    FROM reviews\n    WHERE created_at < datetime('now', ?)\n    GROUP BY reviewer\n    ORDER BY reviewer\n  `);\n  const rows = stmt.all(sqliteModifier) as unknown as PrunePerReviewer[];\n  const total = rows.reduce((sum, r) => sum + r.count, 0);\n  return { total, perReviewer: rows };\n}\n\n/**\n * Delete rows older than `now − sqliteModifier`. Returns the same shape as\n * peekPrunable but with the actual deleted-row counts. The DELETE runs in\n * a single statement; callers must run VACUUM separately (and outside any\n * transaction) to actually shrink the file.\n */\nexport function pruneReviews(\n  db: DatabaseSync,\n  sqliteModifier: string,\n): PrunePeekResult {\n  const peek = peekPrunable(db, sqliteModifier);\n  if (peek.total === 0) return peek;\n  const del = db.prepare(\n    \"DELETE FROM reviews WHERE created_at < datetime('now', ?)\",\n  );\n  del.run(sqliteModifier);\n  return peek;\n}\n","import {\n  createHash,\n  createPublicKey,\n  generateKeyPairSync,\n  KeyObject,\n} from \"node:crypto\";\nimport {\n  chmodSync,\n  readdirSync,\n  readFileSync,\n  writeFileSync,\n} from \"node:fs\";\nimport { join } from \"node:path\";\nimport {\n  ensureDir,\n  isFile,\n  stampTrustedKeysDir,\n  userKeysDir,\n} from \"./paths.js\";\n\nexport interface Keypair {\n  privateKeyPem: string;\n  publicKeyPem: string;\n  fingerprint: string; // \"sha256:<hex>\"\n}\n\nconst PRIVATE_KEY_FILE = \"ed25519\";\nconst PUBLIC_KEY_FILE = \"ed25519.pub\";\n\nexport function generateKeypair(): Keypair {\n  const { publicKey, privateKey } = generateKeyPairSync(\"ed25519\");\n  const privateKeyPem = privateKey.export({\n    type: \"pkcs8\",\n    format: \"pem\",\n  }) as string;\n  const publicKeyPem = publicKey.export({\n    type: \"spki\",\n    format: \"pem\",\n  }) as string;\n  return {\n    privateKeyPem,\n    publicKeyPem,\n    fingerprint: fingerprintFromPem(publicKeyPem),\n  };\n}\n\nexport function fingerprintFromPem(publicKeyPem: string): string {\n  const pub = createPublicKey(publicKeyPem);\n  const raw = pub.export({ type: \"spki\", format: \"der\" }) as Buffer;\n  const hash = createHash(\"sha256\").update(raw).digest(\"hex\");\n  return `sha256:${hash}`;\n}\n\nexport function loadUserKeypair(): Keypair | null {\n  const dir = userKeysDir();\n  const privPath = join(dir, PRIVATE_KEY_FILE);\n  const pubPath = join(dir, PUBLIC_KEY_FILE);\n  if (!isFile(privPath) || !isFile(pubPath)) return null;\n  const privateKeyPem = readFileSync(privPath, \"utf8\");\n  const publicKeyPem = readFileSync(pubPath, \"utf8\");\n  return {\n    privateKeyPem,\n    publicKeyPem,\n    fingerprint: fingerprintFromPem(publicKeyPem),\n  };\n}\n\nexport function saveUserKeypair(kp: Keypair): void {\n  const dir = userKeysDir();\n  ensureDir(dir, 0o700);\n  chmodSync(dir, 0o700);\n  const privPath = join(dir, PRIVATE_KEY_FILE);\n  const pubPath = join(dir, PUBLIC_KEY_FILE);\n  writeFileSync(privPath, kp.privateKeyPem, { mode: 0o600 });\n  writeFileSync(pubPath, kp.publicKeyPem, { mode: 0o644 });\n}\n\nexport function ensureUserKeypair(): {\n  keypair: Keypair;\n  created: boolean;\n} {\n  const existing = loadUserKeypair();\n  if (existing) return { keypair: existing, created: false };\n  const kp = generateKeypair();\n  saveUserKeypair(kp);\n  return { keypair: kp, created: true };\n}\n\nexport function publicKeyFingerprintFilename(fingerprint: string): string {\n  // \"sha256:abc...\" -> \"sha256_abc....pub\" (colons are valid on unix but messy)\n  return fingerprint.replace(\":\", \"_\") + \".pub\";\n}\n\nexport function publicKeyFromObject(obj: KeyObject): string {\n  return obj.export({ type: \"spki\", format: \"pem\" }) as string;\n}\n\n/**\n * Look up a public key PEM in a repo's .stamp/trusted-keys/ directory by\n * fingerprint. Returns null if no file in the directory matches.\n */\nexport function findTrustedKey(\n  repoRoot: string,\n  fingerprint: string,\n): string | null {\n  const dir = stampTrustedKeysDir(repoRoot);\n  let files: string[];\n  try {\n    files = readdirSync(dir);\n  } catch {\n    return null;\n  }\n  for (const f of files) {\n    if (!f.endsWith(\".pub\")) continue;\n    let pem: string;\n    try {\n      pem = readFileSync(join(dir, f), \"utf8\");\n    } catch {\n      continue;\n    }\n    try {\n      if (fingerprintFromPem(pem) === fingerprint) return pem;\n    } catch {\n      // skip malformed keys\n    }\n  }\n  return null;\n}\n","import type { Verdict } from \"./db.js\";\nimport type { ToolCall } from \"./toolCalls.js\";\n\n/**\n * Current attestation payload schema version.\n *\n *   v1 (absent field) — initial shape; no hash binding to reviewer config.\n *   v2 — per-approval prompt/tools/mcp hashes, sourced from the merge\n *        commit's own tree. SECURITY ISSUE: a feature branch could modify\n *        a reviewer's prompt and the resulting attestation hash matched\n *        the modified prompt, so the server hook accepted a self-reviewing\n *        merge.\n *   v3 — same hash fields, but sourced from the merge-base tree (the\n *        common ancestor of the two merge parents). This is the version\n *        of the reviewer that existed BEFORE the diff, so a feature\n *        branch cannot self-review by modifying its own reviewer prompt.\n *\n * Verifiers reject v2 and below — they're known-broken under the self-\n * review attack. Only v3+ is accepted.\n */\nexport const CURRENT_PAYLOAD_VERSION = 3;\nexport const MIN_ACCEPTED_PAYLOAD_VERSION = 3;\n\nexport interface Approval {\n  reviewer: string;\n  verdict: Verdict;\n  /** sha256 of the review's prose, hex — lets verifiers tie attestation to a specific DB row */\n  review_sha: string;\n  /** v2+: sha256 of the reviewer's prompt file at merge time */\n  prompt_sha256?: string;\n  /** v2+: sha256 of the canonical-form tool allowlist (sorted JSON array) */\n  tools_sha256?: string;\n  /** v2+: sha256 of the canonical-form mcp_servers config (sorted-key JSON) */\n  mcp_sha256?: string;\n  /** v2+: canonical source the reviewer was fetched from (if a lock file\n   *  existed at merge time). Enables downstream audit: \"was this reviewer\n   *  fetched from an approved manifest at an approved version?\" */\n  reviewer_source?: {\n    source: string;\n    ref: string;\n  };\n  /** v2+: audit trace of tool calls the reviewer's agent made during review.\n   *  Each entry is `{ tool, input_sha256 }`. Not cryptographically verified —\n   *  the operator can forge the list — but catches lazy tampering and gives\n   *  auditors a concrete signal (\"did product call linear.get_issue at all?\").\n   *  Omitted or empty for reviewers that ran with no tools or where the SDK\n   *  version didn't surface tool-use blocks. */\n  tool_calls?: ToolCall[];\n}\n\nexport interface CheckAttestation {\n  name: string;\n  command: string;\n  exit_code: number;\n  output_sha: string;\n}\n\nexport interface AttestationPayload {\n  /** Schema version. Absent = v1 (pre-Step-2). Present = v2+. */\n  schema_version?: number;\n  base_sha: string;\n  head_sha: string;\n  target_branch: string;\n  approvals: Approval[];\n  /** Pre-merge checks that ran on the signer's machine and passed.\n   * Empty array if the branch has no required_checks configured. */\n  checks: CheckAttestation[];\n  /** \"sha256:<hex>\" fingerprint of the signer's public key */\n  signer_key_id: string;\n}\n\nexport const STAMP_PAYLOAD_TRAILER = \"Stamp-Payload\";\nexport const STAMP_VERIFIED_TRAILER = \"Stamp-Verified\";\n\n/**\n * Hard cap on the base64 trailer value AND its decoded bytes. parseCommit-\n * Attestation runs on every new commit in the pre-receive hook BEFORE the\n * Ed25519 signature is checked, so an attacker who can produce a commit\n * (any push attempt) could otherwise force JSON.parse on a multi-megabyte\n * payload before reaching the signature verification step that would\n * reject it. 64KB is generous for any sane attestation — the largest real\n * payloads are a few KB even with full tool-call traces.\n */\nexport const MAX_TRAILER_BYTES = 64 * 1024;\n\n/**\n * Serialize the payload to the exact bytes that will be signed. We do NOT\n * canonicalize JSON — the signer and verifier both operate on the base64\n * Stamp-Payload trailer value, so whatever bytes we produce here are the\n * same bytes the verifier base64-decodes. Deterministic serialization\n * isn't required for correctness.\n */\nexport function serializePayload(p: AttestationPayload): Buffer {\n  return Buffer.from(JSON.stringify(p), \"utf8\");\n}\n\nexport function payloadToTrailerValue(p: AttestationPayload): string {\n  return serializePayload(p).toString(\"base64\");\n}\n\nexport function trailerValueToPayload(b64: string): AttestationPayload {\n  const json = Buffer.from(b64, \"base64\").toString(\"utf8\");\n  return JSON.parse(json) as AttestationPayload;\n}\n\nexport function trailerValueToPayloadBytes(b64: string): Buffer {\n  return Buffer.from(b64, \"base64\");\n}\n\nexport interface ParsedAttestation {\n  payload: AttestationPayload;\n  payloadBytes: Buffer;\n  signatureBase64: string;\n}\n\n/**\n * Extract Stamp-Payload + Stamp-Verified trailers from a commit message.\n * Returns null if either is missing. Matches single-line trailer values.\n */\nexport function parseCommitAttestation(\n  commitMessage: string,\n): ParsedAttestation | null {\n  const payloadMatch = commitMessage.match(\n    new RegExp(`^${STAMP_PAYLOAD_TRAILER}:\\\\s*(.+)$`, \"m\"),\n  );\n  const sigMatch = commitMessage.match(\n    new RegExp(`^${STAMP_VERIFIED_TRAILER}:\\\\s*(.+)$`, \"m\"),\n  );\n  if (!payloadMatch || !sigMatch) return null;\n  const b64Payload = payloadMatch[1]?.trim();\n  const b64Sig = sigMatch[1]?.trim();\n  if (!b64Payload || !b64Sig) return null;\n\n  // Bail before allocating or parsing if the trailer is oversized — both as\n  // a base64 string and as decoded bytes. See MAX_TRAILER_BYTES rationale.\n  if (b64Payload.length > MAX_TRAILER_BYTES) return null;\n  const payloadBytes = trailerValueToPayloadBytes(b64Payload);\n  if (payloadBytes.length > MAX_TRAILER_BYTES) return null;\n  const payload = JSON.parse(payloadBytes.toString(\"utf8\")) as AttestationPayload;\n  return { payload, payloadBytes, signatureBase64: b64Sig };\n}\n\n/**\n * Format the two trailer lines. Suitable for appending to a commit message\n * body after a blank-line separator.\n */\nexport function formatTrailers(\n  p: AttestationPayload,\n  signatureBase64: string,\n): string {\n  return (\n    `${STAMP_PAYLOAD_TRAILER}: ${payloadToTrailerValue(p)}\\n` +\n    `${STAMP_VERIFIED_TRAILER}: ${signatureBase64}`\n  );\n}\n","import { createPrivateKey, createPublicKey, sign, verify } from \"node:crypto\";\n\n/**\n * Ed25519 signing. Per RFC 8032, Ed25519 signatures commit to the message\n * directly — no pre-hashing, no padding. Node's crypto.sign/verify accept\n * `null` as the algorithm to get this mode.\n */\n\nexport function signBytes(privateKeyPem: string, data: Buffer): string {\n  const key = createPrivateKey(privateKeyPem);\n  const sig = sign(null, data, key);\n  return sig.toString(\"base64\");\n}\n\nexport function verifyBytes(\n  publicKeyPem: string,\n  data: Buffer,\n  signatureBase64: string,\n): boolean {\n  const key = createPublicKey(publicKeyPem);\n  const sig = Buffer.from(signatureBase64, \"base64\");\n  return verify(null, data, key, sig);\n}\n"],"mappings":";;;AAAA,SAAS,cAAc,iBAAiB;AAwBjC,SAAS,cAAc,KAAqB;AACjD,SAAO,IAAI,CAAC,aAAa,gBAAgB,MAAM,GAAG,GAAG,EAAE,KAAK;AAC9D;AAOO,SAAS,mBACd,QACA,OACA,KACiB;AACjB,QAAM,MAAM;AACZ,QAAM,MAAM,mCAAmC,GAAG;AAClD,QAAM,MAAM;AAAA,IACV,CAAC,OAAO,kBAAkB,IAAI,KAAK,IAAI,YAAY,GAAG,IAAI,MAAM;AAAA,IAChE;AAAA,EACF;AACA,QAAM,UAAU,IAAI,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AAClE,QAAM,UAA2B,CAAC;AAClC,aAAW,OAAO,SAAS;AACzB,UAAM,QAAQ,IAAI,MAAM,IAAI;AAC5B,QAAI,MAAM,SAAS,EAAG;AACtB,UAAM,CAAC,KAAK,SAAS,QAAQ,MAAM,OAAO,GAAG,IAAI,IAAI;AAQrD,UAAM,OAAO,KAAK,KAAK,IAAI,EAAE,QAAQ,QAAQ,EAAE,EAAE,QAAQ;AACzD,YAAQ,KAAK;AAAA,MACX;AAAA,MACA,SAAS,QAAQ,MAAM,KAAK,EAAE,OAAO,OAAO;AAAA,MAC5C;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAEO,SAAS,cAAc,KAAa,KAAqB;AAC9D,SAAO,IAAI,CAAC,QAAQ,MAAM,eAAe,GAAG,GAAG,GAAG;AACpD;AAYO,SAAS,UAAU,KAAa,MAAc,KAAqB;AACxE,SAAO,OAAO,CAAC,QAAQ,GAAG,GAAG,IAAI,IAAI,EAAE,GAAG,GAAG;AAC/C;AAgBO,SAAS,gBACd,KACA,MACA,KACS;AACT,QAAM,SAAS,UAAU,OAAO,CAAC,YAAY,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,GAAG;AAAA,IACpE;AAAA,IACA,OAAO,CAAC,UAAU,UAAU,MAAM;AAAA,EACpC,CAAC;AACD,MAAI,OAAO,WAAW,EAAG,QAAO;AAChC,MAAI,OAAO,WAAW,IAAK,QAAO;AAClC,QAAM,SAAS,OAAO,QAAQ,SAAS,MAAM,EAAE,KAAK,KAAK;AACzD,QAAM,IAAI;AAAA,IACR,mBAAmB,GAAG,IAAI,IAAI,mBAAmB,OAAO,MAAM,MAAM,UAAU,aAAa;AAAA,EAC7F;AACF;AAWO,SAAS,cAAc,MAAc,KAAsB;AAChE,MAAI;AACF,WAAO,CAAC,YAAY,mBAAmB,IAAI,GAAG,GAAG;AACjD,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMO,SAAS,iBAAiB,KAAsB;AACrD,MAAI;AACF,WAAO,CAAC,aAAa,YAAY,MAAM,GAAG,GAAG;AAC7C,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAmBO,SAAS,YAAY,SAAiB,KAA2B;AACtE,QAAM,QAAQ,QAAQ,MAAM,IAAI;AAChC,MAAI,MAAM,WAAW,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG;AAChD,UAAM,IAAI;AAAA,MACR,oBAAoB,OAAO;AAAA,IAC7B;AAAA,EACF;AACA,QAAM,CAAC,SAAS,OAAO,IAAI;AAE3B,QAAM,WAAW,IAAI,CAAC,cAAc,SAAS,OAAO,GAAG,GAAG,EAAE,KAAK;AACjE,QAAM,WAAW,IAAI,CAAC,aAAa,YAAY,GAAG,OAAO,WAAW,GAAG,GAAG,EAAE,KAAK;AACjF,QAAM,OAAO,IAAI,CAAC,QAAQ,GAAG,OAAO,MAAM,OAAO,EAAE,GAAG,GAAG;AAEzD,SAAO,EAAE,SAAS,UAAU,UAAU,KAAK;AAC7C;AAWO,SAAS,OAAO,MAAgB,KAAqB;AAC1D,MAAI;AACF,WAAO,aAAa,OAAO,MAAM;AAAA,MAC/B;AAAA,MACA,UAAU;AAAA,MACV,WAAW,KAAK,OAAO;AAAA;AAAA,MACvB,OAAO,CAAC,UAAU,QAAQ,MAAM;AAAA,IAClC,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,UAAM,SAAU,KAA6C;AAC7D,UAAM,aACJ,OAAO,WAAW,WAAW,SAAS,QAAQ,SAAS,MAAM,KAAK;AACpE,UAAM,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC5D,UAAM,IAAI;AAAA,MACR,OAAO,KAAK,KAAK,GAAG,CAAC,YAAY,WAAW,KAAK,KAAK,IAAI;AAAA,IAC5D;AAAA,EACF;AACF;AAGA,IAAM,MAAM;;;ACpNZ,SAAS,YAAY,WAAW,cAAc,gBAAgB;AAC9D,SAAS,eAAe;AACxB,SAAS,SAAS,YAAY,MAAM,eAAe;AAE5C,SAAS,aAAa,YAAoB,QAAQ,IAAI,GAAW;AACtE,MAAI,UAAU,QAAQ,SAAS;AAC/B,SAAO,MAAM;AACX,QAAI,WAAW,KAAK,SAAS,MAAM,CAAC,EAAG,QAAO;AAC9C,UAAM,SAAS,QAAQ,OAAO;AAC9B,QAAI,WAAW,SAAS;AACtB,YAAM,IAAI;AAAA,QACR,iDAAiD,SAAS;AAAA,MAC5D;AAAA,IACF;AACA,cAAU;AAAA,EACZ;AACF;AAEO,SAAS,eAAe,UAA0B;AACvD,SAAO,KAAK,UAAU,QAAQ;AAChC;AAEO,SAAS,kBAAkB,UAA0B;AAC1D,SAAO,KAAK,UAAU,UAAU,WAAW;AAC7C;AAEO,SAAS,oBAAoB,UAA0B;AAC5D,SAAO,KAAK,UAAU,UAAU,cAAc;AAChD;AAEO,SAAS,gBAAgB,UAA0B;AACxD,SAAO,KAAK,UAAU,UAAU,YAAY;AAC9C;AAEO,SAAS,iBAAiB,UAA0B;AACzD,SAAO,KAAK,aAAa,QAAQ,GAAG,SAAS,UAAU;AACzD;AAOO,SAAS,yBAAyB,UAA0B;AACjE,SAAO,KAAK,aAAa,QAAQ,GAAG,SAAS,kBAAkB;AACjE;AAaO,SAAS,aAAa,UAA0B;AACrD,QAAM,SAAS,KAAK,UAAU,MAAM;AACpC,QAAM,KAAK,SAAS,MAAM;AAC1B,MAAI,GAAG,YAAY,EAAG,QAAO;AAK7B,QAAM,WAAW,aAAa,QAAQ,MAAM;AAC5C,QAAM,QAAQ,SAAS,MAAM,mBAAmB;AAChD,MAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG;AACvB,UAAM,IAAI;AAAA,MACR,sBAAsB,QAAQ,wDAAwD,SAAS,MAAM,GAAG,GAAG,CAAC;AAAA,IAC9G;AAAA,EACF;AACA,QAAM,YAAY,MAAM,CAAC,EAAE,KAAK;AAChC,QAAM,SAAS,WAAW,SAAS,IAAI,YAAY,QAAQ,UAAU,SAAS;AAE9E,QAAM,gBAAgB,KAAK,QAAQ,WAAW;AAC9C,MAAI,CAAC,WAAW,aAAa,EAAG,QAAO;AACvC,QAAM,eAAe,aAAa,eAAe,MAAM,EAAE,KAAK;AAC9D,SAAO,WAAW,YAAY,IAAI,eAAe,QAAQ,QAAQ,YAAY;AAC/E;AAEO,SAAS,cAAsB;AACpC,SAAO,KAAK,QAAQ,GAAG,UAAU,MAAM;AACzC;AAOO,SAAS,uBAA+B;AAC7C,SAAO,KAAK,QAAQ,GAAG,UAAU,YAAY;AAC/C;AAEO,SAAS,UAAU,MAAc,OAAO,KAAa;AAC1D,MAAI,CAAC,WAAW,IAAI,GAAG;AACrB,cAAU,MAAM,EAAE,WAAW,MAAM,KAAK,CAAC;AAAA,EAC3C;AACF;AAEO,SAAS,OAAO,MAAuB;AAC5C,MAAI;AACF,WAAO,SAAS,IAAI,EAAE,OAAO;AAAA,EAC/B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AC3GA,SAAS,WAAW,cAAAA,mBAAkB;AACtC,SAAS,oBAAoB;AAC7B,SAAS,WAAAC,gBAAe;AA4BjB,SAAS,OAAO,MAA4B;AAMjD,QAAM,MAAMC,SAAQ,IAAI;AACxB,YAAU,KAAK,GAAK;AACpB,YAAU,KAAK,GAAK;AAEpB,QAAM,KAAK,IAAI,aAAa,IAAI;AAChC,KAAG,KAAK,2BAA2B;AACnC,KAAG,KAAK,0BAA0B;AAClC,aAAW,EAAE;AAOb,YAAU,MAAM,GAAK;AACrB,aAAW,WAAW,CAAC,GAAG,IAAI,QAAQ,GAAG,IAAI,MAAM,GAAG;AACpD,QAAIC,YAAW,OAAO,EAAG,WAAU,SAAS,GAAK;AAAA,EACnD;AAEA,SAAO;AACT;AAEA,SAAS,WAAW,IAAwB;AAC1C,KAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAcP;AAKD,QAAM,OAAO,GAAG,QAAQ,4BAA4B,EAAE,IAAI;AAC1D,MAAI,CAAC,KAAK,KAAK,CAAC,MAAM,EAAE,SAAS,YAAY,GAAG;AAC9C,OAAG,KAAK,gDAAgD;AAAA,EAC1D;AACF;AAEO,SAAS,aACd,IACA,OACQ;AACR,QAAM,OAAO,GAAG;AAAA,IACd;AAAA;AAAA,EAEF;AACA,QAAM,SAAS,KAAK;AAAA,IAClB,MAAM;AAAA,IACN,MAAM;AAAA,IACN,MAAM;AAAA,IACN,MAAM;AAAA,IACN,MAAM,UAAU;AAAA,IAChB,MAAM,cAAc;AAAA,EACtB;AACA,SAAO,OAAO,OAAO,eAAe;AACtC;AAeA,IAAM,sBAAsB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAwBrB,SAAS,eACd,IACA,UACA,UACiB;AACjB,QAAM,OAAO,GAAG,QAAQ,mBAAmB;AAC3C,SAAO,KAAK,IAAI,UAAU,QAAQ;AACpC;AAMO,SAAS,cACd,IACA,UACA,UACgB;AAChB,QAAM,OAAO,GAAG,QAAQ,mBAAmB;AAC3C,SAAO,KAAK,IAAI,UAAU,QAAQ;AACpC;AAEO,SAAS,cACd,IACA,OAA2B,CAAC,GACf;AACb,QAAM,QAAQ,KAAK,SAAS;AAC5B,QAAM,OAAO,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,GAKvB;AACD,SAAO,KAAK,IAAI,KAAK;AACvB;AAYO,SAAS,cACd,IACA,UACe;AACf,QAAM,OAAO,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAUvB;AACD,QAAM,MAAM,KAAK,IAAI,QAAQ;AAQ7B,SAAO;AAAA,IACL;AAAA,IACA,OAAO,IAAI,SAAS;AAAA,IACpB,UAAU,IAAI,YAAY;AAAA,IAC1B,mBAAmB,IAAI,qBAAqB;AAAA,IAC5C,QAAQ,IAAI,UAAU;AAAA,IACtB,YAAY,IAAI;AAAA,IAChB,WAAW,IAAI;AAAA,EACjB;AACF;AAEO,SAAS,wBACd,IACA,UACA,OACa;AACb,QAAM,OAAO,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAMvB;AACD,SAAO,KAAK,IAAI,UAAU,KAAK;AACjC;AAwBO,SAAS,aACd,IACA,gBACiB;AACjB,QAAM,OAAO,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAMvB;AACD,QAAM,OAAO,KAAK,IAAI,cAAc;AACpC,QAAM,QAAQ,KAAK,OAAO,CAAC,KAAK,MAAM,MAAM,EAAE,OAAO,CAAC;AACtD,SAAO,EAAE,OAAO,aAAa,KAAK;AACpC;AAQO,SAAS,aACd,IACA,gBACiB;AACjB,QAAM,OAAO,aAAa,IAAI,cAAc;AAC5C,MAAI,KAAK,UAAU,EAAG,QAAO;AAC7B,QAAM,MAAM,GAAG;AAAA,IACb;AAAA,EACF;AACA,MAAI,IAAI,cAAc;AACtB,SAAO;AACT;;;AClSA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AACP;AAAA,EACE,aAAAC;AAAA,EACA;AAAA,EACA,gBAAAC;AAAA,EACA;AAAA,OACK;AACP,SAAS,QAAAC,aAAY;AAcrB,IAAM,mBAAmB;AACzB,IAAM,kBAAkB;AAEjB,SAAS,kBAA2B;AACzC,QAAM,EAAE,WAAW,WAAW,IAAI,oBAAoB,SAAS;AAC/D,QAAM,gBAAgB,WAAW,OAAO;AAAA,IACtC,MAAM;AAAA,IACN,QAAQ;AAAA,EACV,CAAC;AACD,QAAM,eAAe,UAAU,OAAO;AAAA,IACpC,MAAM;AAAA,IACN,QAAQ;AAAA,EACV,CAAC;AACD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,aAAa,mBAAmB,YAAY;AAAA,EAC9C;AACF;AAEO,SAAS,mBAAmB,cAA8B;AAC/D,QAAM,MAAM,gBAAgB,YAAY;AACxC,QAAM,MAAM,IAAI,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC;AACtD,QAAM,OAAO,WAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO,KAAK;AAC1D,SAAO,UAAU,IAAI;AACvB;AAEO,SAAS,kBAAkC;AAChD,QAAM,MAAM,YAAY;AACxB,QAAM,WAAWC,MAAK,KAAK,gBAAgB;AAC3C,QAAM,UAAUA,MAAK,KAAK,eAAe;AACzC,MAAI,CAAC,OAAO,QAAQ,KAAK,CAAC,OAAO,OAAO,EAAG,QAAO;AAClD,QAAM,gBAAgBC,cAAa,UAAU,MAAM;AACnD,QAAM,eAAeA,cAAa,SAAS,MAAM;AACjD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,aAAa,mBAAmB,YAAY;AAAA,EAC9C;AACF;AAEO,SAAS,gBAAgB,IAAmB;AACjD,QAAM,MAAM,YAAY;AACxB,YAAU,KAAK,GAAK;AACpB,EAAAC,WAAU,KAAK,GAAK;AACpB,QAAM,WAAWF,MAAK,KAAK,gBAAgB;AAC3C,QAAM,UAAUA,MAAK,KAAK,eAAe;AACzC,gBAAc,UAAU,GAAG,eAAe,EAAE,MAAM,IAAM,CAAC;AACzD,gBAAc,SAAS,GAAG,cAAc,EAAE,MAAM,IAAM,CAAC;AACzD;AAEO,SAAS,oBAGd;AACA,QAAM,WAAW,gBAAgB;AACjC,MAAI,SAAU,QAAO,EAAE,SAAS,UAAU,SAAS,MAAM;AACzD,QAAM,KAAK,gBAAgB;AAC3B,kBAAgB,EAAE;AAClB,SAAO,EAAE,SAAS,IAAI,SAAS,KAAK;AACtC;AAEO,SAAS,6BAA6B,aAA6B;AAExE,SAAO,YAAY,QAAQ,KAAK,GAAG,IAAI;AACzC;AAUO,SAAS,eACd,UACA,aACe;AACf,QAAM,MAAM,oBAAoB,QAAQ;AACxC,MAAI;AACJ,MAAI;AACF,YAAQ,YAAY,GAAG;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACA,aAAW,KAAK,OAAO;AACrB,QAAI,CAAC,EAAE,SAAS,MAAM,EAAG;AACzB,QAAI;AACJ,QAAI;AACF,YAAMG,cAAaC,MAAK,KAAK,CAAC,GAAG,MAAM;AAAA,IACzC,QAAQ;AACN;AAAA,IACF;AACA,QAAI;AACF,UAAI,mBAAmB,GAAG,MAAM,YAAa,QAAO;AAAA,IACtD,QAAQ;AAAA,IAER;AAAA,EACF;AACA,SAAO;AACT;;;AC3GO,IAAM,0BAA0B;AAmDhC,IAAM,wBAAwB;AAC9B,IAAM,yBAAyB;AAW/B,IAAM,oBAAoB,KAAK;AAS/B,SAAS,iBAAiB,GAA+B;AAC9D,SAAO,OAAO,KAAK,KAAK,UAAU,CAAC,GAAG,MAAM;AAC9C;AAEO,SAAS,sBAAsB,GAA+B;AACnE,SAAO,iBAAiB,CAAC,EAAE,SAAS,QAAQ;AAC9C;AAOO,SAAS,2BAA2B,KAAqB;AAC9D,SAAO,OAAO,KAAK,KAAK,QAAQ;AAClC;AAYO,SAAS,uBACdC,gBAC0B;AAC1B,QAAM,eAAeA,eAAc;AAAA,IACjC,IAAI,OAAO,IAAI,qBAAqB,cAAc,GAAG;AAAA,EACvD;AACA,QAAM,WAAWA,eAAc;AAAA,IAC7B,IAAI,OAAO,IAAI,sBAAsB,cAAc,GAAG;AAAA,EACxD;AACA,MAAI,CAAC,gBAAgB,CAAC,SAAU,QAAO;AACvC,QAAM,aAAa,aAAa,CAAC,GAAG,KAAK;AACzC,QAAM,SAAS,SAAS,CAAC,GAAG,KAAK;AACjC,MAAI,CAAC,cAAc,CAAC,OAAQ,QAAO;AAInC,MAAI,WAAW,SAAS,kBAAmB,QAAO;AAClD,QAAM,eAAe,2BAA2B,UAAU;AAC1D,MAAI,aAAa,SAAS,kBAAmB,QAAO;AACpD,QAAM,UAAU,KAAK,MAAM,aAAa,SAAS,MAAM,CAAC;AACxD,SAAO,EAAE,SAAS,cAAc,iBAAiB,OAAO;AAC1D;AAMO,SAAS,eACd,GACA,iBACQ;AACR,SACE,GAAG,qBAAqB,KAAK,sBAAsB,CAAC,CAAC;AAAA,EAClD,sBAAsB,KAAK,eAAe;AAEjD;;;AC1JA,SAAS,kBAAkB,mBAAAC,kBAAiB,MAAM,cAAc;AAQzD,SAAS,UAAU,eAAuB,MAAsB;AACrE,QAAM,MAAM,iBAAiB,aAAa;AAC1C,QAAM,MAAM,KAAK,MAAM,MAAM,GAAG;AAChC,SAAO,IAAI,SAAS,QAAQ;AAC9B;AAEO,SAAS,YACd,cACA,MACA,iBACS;AACT,QAAM,MAAMA,iBAAgB,YAAY;AACxC,QAAM,MAAM,OAAO,KAAK,iBAAiB,QAAQ;AACjD,SAAO,OAAO,MAAM,MAAM,KAAK,GAAG;AACpC;","names":["existsSync","dirname","dirname","existsSync","chmodSync","readFileSync","join","join","readFileSync","chmodSync","readFileSync","join","commitMessage","createPublicKey"]}