@oscharko-dev/keiko-server 0.2.0

package/dist/qualityIntelligence/figma/figmaConnectorAudit.d.ts

@@ -0,0 +1,52 @@
+import type { FigmaConnectorErrorCode } from "./figmaConnectorErrors.js";
+import type { FigmaScopeRef } from "./figmaScopeRef.js";
+export declare const FIGMA_AUDIT_SCHEMA_VERSION: 1;
+/**
+ * The four AC1-audited connector actions (Issue #760). `"snapshot"`, `"resnapshot"`, and `"revoke"`
+ * are emitted at their respective operations. `"connect"` is emitted exactly once — at the operator's
+ * first read-only-scope acknowledgement (acknowledgeReadOnly on the first build for a scope), by the
+ * orchestration's `gateConsent` (figmaSnapshotOrchestration.ts) — the durable record of the operator
+ * establishing the connection. Re-acknowledging an already-consented scope emits no further connect.
+ */
+export type FigmaConnectorAction = "connect" | "snapshot" | "resnapshot" | "revoke";
+export type FigmaConnectorOutcome = "ok" | "error";
+/** Pure cardinalities only — never names, ids, links, or design content. */
+export interface FigmaConnectorAuditCounts {
+    readonly screens: number;
+    readonly renders: number;
+    readonly skipped: number;
+    readonly designTokens: number;
+    /** Inter-screen transitions; present only when the IR carried links (nav graph #811 is additive). */
+    readonly navTransitions?: number;
+}
+export interface FigmaConnectorAuditEntry {
+    readonly at: string;
+    readonly action: FigmaConnectorAction;
+    readonly outcome: FigmaConnectorOutcome;
+    /** Present only when `outcome === "error"`. A coded, safe error from the connector taxonomy. */
+    readonly errorCode?: FigmaConnectorErrorCode;
+    /** Present only on a successful action that produced board cardinalities. */
+    readonly counts?: FigmaConnectorAuditCounts;
+}
+export interface FigmaConnectorAuditArtifact {
+    readonly figmaAuditSchemaVersion: typeof FIGMA_AUDIT_SCHEMA_VERSION;
+    readonly scopeRef: FigmaScopeRef;
+    readonly auditLog: readonly FigmaConnectorAuditEntry[];
+    readonly lastUpdatedAt: string;
+}
+export declare const loadFigmaConnectorAudit: (scopeRef: FigmaScopeRef, evidenceDir: string) => FigmaConnectorAuditArtifact | undefined;
+export interface AppendFigmaConnectorAuditInput {
+    readonly scopeRef: FigmaScopeRef;
+    readonly evidenceDir: string;
+    readonly action: FigmaConnectorAction;
+    readonly outcome: FigmaConnectorOutcome;
+    readonly now: string;
+    readonly errorCode?: FigmaConnectorErrorCode;
+    readonly counts?: FigmaConnectorAuditCounts;
+}
+/**
+ * Append an append-only connector-action audit entry through the reused Evidence audit seam.
+ * Creates the artifact on first use. Returns the updated artifact. The caller authorises the action.
+ */
+export declare const appendFigmaConnectorAudit: (input: AppendFigmaConnectorAuditInput) => FigmaConnectorAuditArtifact;
+//# sourceMappingURL=figmaConnectorAudit.d.ts.map

package/dist/qualityIntelligence/figma/figmaConnectorAudit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"figmaConnectorAudit.d.ts","sourceRoot":"","sources":["../../../src/qualityIntelligence/figma/figmaConnectorAudit.ts"],"names":[],"mappings":"AAoBA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AACzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAExD,eAAO,MAAM,0BAA0B,EAAG,CAAU,CAAC;AAGrD;;;;;;GAMG;AACH,MAAM,MAAM,oBAAoB,GAAG,SAAS,GAAG,UAAU,GAAG,YAAY,GAAG,QAAQ,CAAC;AACpF,MAAM,MAAM,qBAAqB,GAAG,IAAI,GAAG,OAAO,CAAC;AAEnD,4EAA4E;AAC5E,MAAM,WAAW,yBAAyB;IACxC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,qGAAqG;IACrG,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,OAAO,EAAE,qBAAqB,CAAC;IACxC,gGAAgG;IAChG,QAAQ,CAAC,SAAS,CAAC,EAAE,uBAAuB,CAAC;IAC7C,6EAA6E;IAC7E,QAAQ,CAAC,MAAM,CAAC,EAAE,yBAAyB,CAAC;CAC7C;AAED,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,CAAC,uBAAuB,EAAE,OAAO,0BAA0B,CAAC;IACpE,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC;IACjC,QAAQ,CAAC,QAAQ,EAAE,SAAS,wBAAwB,EAAE,CAAC;IACvD,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;CAChC;AAoBD,eAAO,MAAM,uBAAuB,GAClC,UAAU,aAAa,EACvB,aAAa,MAAM,KAClB,2BAA2B,GAAG,SAAiD,CAAC;AAEnF,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC;IACjC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,OAAO,EAAE,qBAAqB,CAAC;IACxC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,SAAS,CAAC,EAAE,uBAAuB,CAAC;IAC7C,QAAQ,CAAC,MAAM,CAAC,EAAE,yBAAyB,CAAC;CAC7C;AAeD;;;GAGG;AACH,eAAO,MAAM,yBAAyB,GACpC,OAAO,8BAA8B,KACpC,2BAWF,CAAC"}

package/dist/qualityIntelligence/figma/figmaConnectorAudit.js

@@ -0,0 +1,63 @@
+// Connector-activity audit ledger for the Figma connector (Epic #750, Issue #760).
+//
+// Reuses the SAME Evidence audit seam the QI inline-edit audit uses (`appendEditAudit` in
+// ../reviewStore.ts → `createNodeContainedJsonArtifactStore` in keiko-evidence): an append-only,
+// contained, atomically-written JSON artifact under `<evidenceDir>/qi/`. This module does NOT build
+// a parallel store — it records connector actions through that one seam under a distinct suffix.
+//
+// GOVERNANCE (load-bearing, #760): an audit entry carries ONLY
+//   - the action (connect | snapshot | resnapshot | revoke),
+//   - the opaque, non-reversible `scopeRef` (never the file key / node id / board link),
+//   - the outcome (ok | error) and, on error, a coded `errorCode`,
+//   - small INTEGER counts (screens, renders, skipped, design tokens, optional nav transitions),
+//   - a wall-clock `at`.
+// It carries NO token, NO PII, NO board id / link / name, and NO design content (no screen names,
+// no text). Counts are the only board-derived data and they are pure cardinalities.
+import { createNodeContainedJsonArtifactStore, } from "@oscharko-dev/keiko-evidence";
+export const FIGMA_AUDIT_SCHEMA_VERSION = 1;
+const FIGMA_AUDIT_SUFFIX = ".figma-audit.json";
+const parseArtifact = (value) => {
+    if (typeof value !== "object" || value === null)
+        return undefined;
+    const record = value;
+    if (record.figmaAuditSchemaVersion !== FIGMA_AUDIT_SCHEMA_VERSION)
+        return undefined;
+    if (typeof record.scopeRef !== "string" || !Array.isArray(record.auditLog))
+        return undefined;
+    return value;
+};
+const storeFor = (evidenceDir) => createNodeContainedJsonArtifactStore(evidenceDir, FIGMA_AUDIT_SUFFIX, { parse: parseArtifact });
+const emptyArtifact = (scopeRef, now) => ({
+    figmaAuditSchemaVersion: FIGMA_AUDIT_SCHEMA_VERSION,
+    scopeRef,
+    auditLog: [],
+    lastUpdatedAt: now,
+});
+export const loadFigmaConnectorAudit = (scopeRef, evidenceDir) => storeFor(evidenceDir).load(scopeRef);
+// Builds the entry with only the governance-permitted fields present. `errorCode` is attached only
+// for an error outcome; `counts` only when supplied. No other field is ever spread in, so customer
+// content cannot reach the entry even if the caller passed extra data.
+const buildEntry = (input) => ({
+    at: input.now,
+    action: input.action,
+    outcome: input.outcome,
+    ...(input.outcome === "error" && input.errorCode !== undefined
+        ? { errorCode: input.errorCode }
+        : {}),
+    ...(input.counts !== undefined ? { counts: input.counts } : {}),
+});
+/**
+ * Append an append-only connector-action audit entry through the reused Evidence audit seam.
+ * Creates the artifact on first use. Returns the updated artifact. The caller authorises the action.
+ */
+export const appendFigmaConnectorAudit = (input) => {
+    const current = loadFigmaConnectorAudit(input.scopeRef, input.evidenceDir) ??
+        emptyArtifact(input.scopeRef, input.now);
+    const next = {
+        ...current,
+        auditLog: [...current.auditLog, buildEntry(input)],
+        lastUpdatedAt: input.now,
+    };
+    storeFor(input.evidenceDir).record(input.scopeRef, next);
+    return next;
+};

package/dist/qualityIntelligence/figma/figmaConnectorErrors.d.ts

@@ -0,0 +1,31 @@
+export type FigmaConnectorErrorCode = "FIGMA_MALFORMED_URL" | "FIGMA_TOKEN_MISSING" | "FIGMA_CONSENT_REQUIRED" | "FIGMA_TOKEN_INVALID" | "FIGMA_TOKEN_EXPIRED" | "FIGMA_TOKEN_REVOKED" | "FIGMA_NOT_FOUND" | "FIGMA_NOT_READY" | "FIGMA_INSUFFICIENT_SCOPE" | "FIGMA_RENDER_FAILED" | "FIGMA_PROXY_EGRESS_FAILED" | "FIGMA_PROXY_UNREACHABLE" | "FIGMA_PROXY_AUTH_REQUIRED" | "FIGMA_PROXY_BLOCKED_BY_POLICY" | "FIGMA_TLS_CA_FAILURE" | "FIGMA_OVERSIZED_SCOPE" | "FIGMA_RESPONSE_TOO_LARGE" | "FIGMA_RATE_LIMITED" | "FIGMA_UPSTREAM_UNAVAILABLE" | "FIGMA_NETWORK_UNREACHABLE" | "FIGMA_EGRESS_TIMEOUT" | "FIGMA_EGRESS_FAILED" | "FIGMA_BUILD_TIMEOUT" | "FIGMA_INTERNAL";
+export interface FigmaConnectorErrorBody {
+    readonly error: {
+        readonly code: FigmaConnectorErrorCode;
+        readonly message: string;
+    };
+}
+export declare const figmaConnectorErrorBody: (code: FigmaConnectorErrorCode) => FigmaConnectorErrorBody;
+export declare class FigmaConnectorError extends Error {
+    readonly code: FigmaConnectorErrorCode;
+    constructor(code: FigmaConnectorErrorCode);
+}
+/**
+ * Classify a transport-level throw from `fetch` or the body read into a stable
+ * {@link FigmaConnectorErrorCode}. Side-effect-free and total — any non-Error
+ * throwable (string, undefined) maps to `FIGMA_EGRESS_FAILED`.
+ *
+ * Precedence:
+ *   (a) OutboundHttpEgressError (or plain Error with outbound code, for cross-package resilience)
+ *       → proxy/TLS-via-proxy codes. FIGMA_PROXY_* codes are ONLY reachable via this branch.
+ *   (b) TLS trust codes / messages → FIGMA_TLS_CA_FAILURE.
+ *   (c) Timeout / abort names (DOMException AbortError, Node TimeoutError) → FIGMA_EGRESS_TIMEOUT.
+ *   (d) Direct connectivity codes / messages → FIGMA_NETWORK_UNREACHABLE.
+ *   (e) Default → FIGMA_EGRESS_FAILED.
+ *
+ * Inspects `err.code`, `err.cause.code`, and `err.message` in that order of
+ * precedence so Node.js `TypeError: fetch failed` wrappers (undici wraps the
+ * underlying `cause.code`) are classified correctly.
+ */
+export declare const classifyFigmaTransportError: (err: unknown) => FigmaConnectorErrorCode;
+//# sourceMappingURL=figmaConnectorErrors.d.ts.map

package/dist/qualityIntelligence/figma/figmaConnectorErrors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"figmaConnectorErrors.d.ts","sourceRoot":"","sources":["../../../src/qualityIntelligence/figma/figmaConnectorErrors.ts"],"names":[],"mappings":"AAmCA,MAAM,MAAM,uBAAuB,GAC/B,qBAAqB,GACrB,qBAAqB,GACrB,wBAAwB,GACxB,qBAAqB,GACrB,qBAAqB,GACrB,qBAAqB,GACrB,iBAAiB,GACjB,iBAAiB,GACjB,0BAA0B,GAC1B,qBAAqB,GACrB,2BAA2B,GAC3B,yBAAyB,GACzB,2BAA2B,GAC3B,+BAA+B,GAC/B,sBAAsB,GACtB,uBAAuB,GACvB,0BAA0B,GAC1B,oBAAoB,GACpB,4BAA4B,GAC5B,2BAA2B,GAC3B,sBAAsB,GACtB,qBAAqB,GACrB,qBAAqB,GACrB,gBAAgB,CAAC;AAkDrB,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,KAAK,EAAE;QAAE,QAAQ,CAAC,IAAI,EAAE,uBAAuB,CAAC;QAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CACtF;AAED,eAAO,MAAM,uBAAuB,GAClC,MAAM,uBAAuB,KAC5B,uBAED,CAAC;AAEH,qBAAa,mBAAoB,SAAQ,KAAK;IAC5C,QAAQ,CAAC,IAAI,EAAE,uBAAuB,CAAC;gBAE3B,IAAI,EAAE,uBAAuB;CAK1C;AA0JD;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,2BAA2B,GAAI,KAAK,OAAO,KAAG,uBAa1D,CAAC"}

package/dist/qualityIntelligence/figma/figmaConnectorErrors.js

@@ -0,0 +1,220 @@
+// Figma connector error shapes (Epic #750, Issues #751, #758, #760, #884).
+//
+// Coded, safe errors for the server-side Figma connector. A FigmaConnectorError carries
+// ONLY a stable code and a fixed, secret-free message — never the PAT, never a raw Figma
+// payload, never an outbound URL or header value. Mirrors the QI connector error posture
+// in ../connectorErrors.ts so the route tier can serialise it consistently.
+//
+// Complete coded taxonomy (#760, #884); every code is user-actionable. Each ticket-named
+// category maps to one or more codes below:
+//   auth          → FIGMA_TOKEN_MISSING | FIGMA_TOKEN_INVALID | FIGMA_TOKEN_EXPIRED
+//                   | FIGMA_TOKEN_REVOKED
+//   consent       → FIGMA_CONSENT_REQUIRED (no recorded read-only-scope acknowledgement)
+//   scope         → FIGMA_INSUFFICIENT_SCOPE
+//   rate-limit    → FIGMA_RATE_LIMITED
+//   not-found     → FIGMA_NOT_FOUND
+//   readiness     → FIGMA_NOT_READY
+//   oversized     → FIGMA_OVERSIZED_SCOPE | FIGMA_RESPONSE_TOO_LARGE
+//   render-failed → FIGMA_RENDER_FAILED
+//   proxy egress  → FIGMA_PROXY_UNREACHABLE (proxy host unreachable)
+//                   | FIGMA_PROXY_AUTH_REQUIRED (proxy requires authentication)
+//                   | FIGMA_PROXY_BLOCKED_BY_POLICY (proxy denied the request by policy)
+//                   | FIGMA_PROXY_EGRESS_FAILED (generic proxy egress failure, retained for back-compat)
+//   direct egress → FIGMA_NETWORK_UNREACHABLE (DNS/connection/socket error, no proxy)
+//                   | FIGMA_EGRESS_TIMEOUT (request timed out before completion)
+//                   | FIGMA_EGRESS_FAILED (generic direct egress failure; new default)
+//   tls/ca        → FIGMA_TLS_CA_FAILURE (custom-CA / TLS verification failure on egress)
+// FIGMA_MALFORMED_URL, FIGMA_UPSTREAM_UNAVAILABLE, and FIGMA_INTERNAL cover input and last-resort
+// faults. The proxy-aware + custom-CA HTTP client itself is #802; this connector only SURFACES
+// these proxy/TLS codes — it does not implement the proxy transport.
+import { OutboundHttpEgressError, } from "@oscharko-dev/keiko-model-gateway/internal/http";
+const SAFE_MESSAGES = {
+    FIGMA_MALFORMED_URL: "The supplied link is not a scoped Figma node link. Paste a board or section link that includes a node id.",
+    FIGMA_TOKEN_MISSING: "The Figma connector is not configured. Set a read-only access token before fetching a board.",
+    FIGMA_CONSENT_REQUIRED: "Acknowledge the read-only, least-privilege Figma scope before the first fetch for this board.",
+    FIGMA_TOKEN_INVALID: "The Figma access token is invalid. Re-key the connector with a current read-only token.",
+    FIGMA_TOKEN_EXPIRED: "The Figma access token has expired. Re-key the connector with a new read-only token.",
+    FIGMA_TOKEN_REVOKED: "The Figma access token has been revoked. Re-key the connector with a new read-only token.",
+    FIGMA_NOT_FOUND: "The requested Figma node could not be found for the supplied link.",
+    FIGMA_NOT_READY: "The requested Figma scope is not release-ready. Pin a Figma version, select a Release section, or mark the frame Ready for dev before snapshotting.",
+    FIGMA_INSUFFICIENT_SCOPE: "The configured Figma access token is not permitted to read the requested node. Re-key the connector with a read-only token that can read this file.",
+    FIGMA_RENDER_FAILED: "Figma could not render the requested screens. Re-run the snapshot; if it persists, connect a narrower section.",
+    FIGMA_PROXY_EGRESS_FAILED: "The Figma request could not be routed through the platform egress proxy. Check proxy connectivity and try again.",
+    FIGMA_PROXY_UNREACHABLE: "The platform egress proxy is unreachable. Check the proxy host and port and try again.",
+    FIGMA_PROXY_AUTH_REQUIRED: "The forward proxy requires authentication for the Figma egress request. Configure proxy credentials or an allow rule.",
+    FIGMA_PROXY_BLOCKED_BY_POLICY: "The forward proxy blocked the Figma egress request by policy. Ask the proxy operator to allow api.figma.com and the Figma render hosts.",
+    FIGMA_TLS_CA_FAILURE: "The TLS certificate for the Figma egress could not be verified. Check the configured certificate authority bundle and try again.",
+    FIGMA_OVERSIZED_SCOPE: "The requested Figma node subtree is too large for a single scoped fetch. Connect a narrower section.",
+    FIGMA_RESPONSE_TOO_LARGE: "The Figma API response exceeded the maximum allowed size. Connect a narrower section to reduce the response.",
+    FIGMA_RATE_LIMITED: "Figma rate-limited the snapshot-build after repeated retries. Re-run with a narrower Release section or lower the Figma fetch limits.",
+    FIGMA_UPSTREAM_UNAVAILABLE: "The Figma service is currently unavailable. Try the scoped fetch again later.",
+    FIGMA_NETWORK_UNREACHABLE: "The outbound network request to Figma failed (DNS, connection, or socket error). Check network connectivity and egress policy.",
+    FIGMA_EGRESS_TIMEOUT: "The Figma request timed out before completing. Retry; if it persists, raise KEIKO_FIGMA_REQUEST_TIMEOUT_MS or check upstream latency.",
+    FIGMA_EGRESS_FAILED: "The outbound request to Figma failed before a response was received.",
+    FIGMA_BUILD_TIMEOUT: "The snapshot build exceeded the configured deadline. No partial snapshot was stored. Retry or raise KEIKO_FIGMA_BUILD_DEADLINE_MS.",
+    FIGMA_INTERNAL: "The Figma connector could not service the request.",
+};
+export const figmaConnectorErrorBody = (code) => ({
+    error: { code, message: SAFE_MESSAGES[code] },
+});
+export class FigmaConnectorError extends Error {
+    code;
+    constructor(code) {
+        super(SAFE_MESSAGES[code]);
+        this.name = "FigmaConnectorError";
+        this.code = code;
+    }
+}
+// Node.js / undici error codes that indicate a TLS / certificate failure.
+const TLS_CODES = new Set([
+    "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
+    "SELF_SIGNED_CERT_IN_CHAIN",
+    "DEPTH_ZERO_SELF_SIGNED_CERT",
+    "CERT_HAS_EXPIRED",
+    "ERR_TLS_CERT_ALTNAME_INVALID",
+    "UNABLE_TO_GET_ISSUER_CERT",
+    "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
+]);
+// Node.js / undici error codes that indicate a direct connectivity / DNS / socket failure.
+// These are only reached when the error did NOT come through the OutboundHttpEgressError proxy
+// path — a raw ECONNREFUSED means no proxy is involved.
+const CONNECTIVITY_CODES = new Set([
+    "ECONNREFUSED",
+    "ECONNRESET",
+    "ETIMEDOUT",
+    "ENOTFOUND",
+    "EAI_AGAIN",
+    "EPIPE",
+    "ECONNABORTED",
+    "EHOSTUNREACH",
+    "ENETUNREACH",
+    "EPROTO",
+    "EPERM",
+    "EACCES",
+    "UND_ERR_CONNECT_TIMEOUT",
+    "UND_ERR_HEADERS_TIMEOUT",
+    "UND_ERR_BODY_TIMEOUT",
+    "UND_ERR_SOCKET",
+]);
+// Mapping from OutboundHttpEgressError codes (proxy path) to FigmaConnectorErrorCodes.
+// FIGMA_PROXY_* codes are ONLY reachable through the OutboundHttpEgressError branch.
+const OUTBOUND_CODE_TO_FIGMA = {
+    TLS_CA_FAILURE: "FIGMA_TLS_CA_FAILURE",
+    PROXY_UNREACHABLE: "FIGMA_PROXY_UNREACHABLE",
+    PROXY_AUTH_REQUIRED: "FIGMA_PROXY_AUTH_REQUIRED",
+    PROXY_BLOCKED_BY_POLICY: "FIGMA_PROXY_BLOCKED_BY_POLICY",
+    PROXY_EGRESS_FAILED: "FIGMA_PROXY_EGRESS_FAILED",
+};
+// String set of OutboundHttpEgressError codes for cross-package-boundary instanceof fallback.
+const OUTBOUND_EGRESS_CODES = new Set([
+    "TLS_CA_FAILURE",
+    "PROXY_UNREACHABLE",
+    "PROXY_AUTH_REQUIRED",
+    "PROXY_BLOCKED_BY_POLICY",
+    "PROXY_EGRESS_FAILED",
+]);
+const TLS_MSG_RE = /cert|self.?signed|unable to (?:verify|get).*(issuer|cert)|tls/i;
+// "fetch failed" is the Node.js TypeError message for generic direct-network failures (undici).
+const CONNECTIVITY_MSG_RE = /socket hang ?up|network|fetch failed|econn|enotfound/i;
+const extractCode = (err) => {
+    if (err !== null && typeof err === "object") {
+        const code = err.code;
+        if (typeof code === "string")
+            return code;
+    }
+    return undefined;
+};
+const extractCauseCode = (err) => {
+    if (err !== null && typeof err === "object") {
+        return extractCode(err.cause);
+    }
+    return undefined;
+};
+const extractMessage = (err) => {
+    if (err instanceof Error)
+        return err.message;
+    if (typeof err === "string")
+        return err;
+    return "";
+};
+const extractName = (err) => {
+    if (err !== null && typeof err === "object") {
+        const name = err.name;
+        if (typeof name === "string")
+            return name;
+    }
+    return "";
+};
+const extractCause = (err) => err !== null && typeof err === "object" ? err.cause : undefined;
+/** Map an outbound egress code string to a FigmaConnectorErrorCode, or return undefined. */
+const mapOutboundCode = (code) => {
+    if (!OUTBOUND_EGRESS_CODES.has(code))
+        return undefined;
+    return OUTBOUND_CODE_TO_FIGMA[code] ?? "FIGMA_PROXY_EGRESS_FAILED";
+};
+// Cross-package-boundary fallback: plain Error with a string .code in the outbound set.
+// Used when instanceof check fails because OutboundHttpEgressError came from a different
+// package copy (e.g. stale dist during tests).
+const mapOutboundCodeFallback = (topCode, causeCode) => {
+    if (topCode !== undefined && OUTBOUND_EGRESS_CODES.has(topCode)) {
+        return mapOutboundCode(topCode) ?? "FIGMA_PROXY_EGRESS_FAILED";
+    }
+    if (causeCode !== undefined && OUTBOUND_EGRESS_CODES.has(causeCode)) {
+        return mapOutboundCode(causeCode) ?? "FIGMA_PROXY_EGRESS_FAILED";
+    }
+    return undefined;
+};
+// (a) OutboundHttpEgressError path — a proxy was genuinely in play.
+// FIGMA_PROXY_* codes are ONLY reachable through this function.
+const classifyOutbound = (err, cause, topCode, causeCode) => {
+    const outbound = err instanceof OutboundHttpEgressError
+        ? err
+        : cause instanceof OutboundHttpEgressError
+            ? cause
+            : undefined;
+    if (outbound !== undefined)
+        return mapOutboundCode(outbound.code) ?? "FIGMA_PROXY_EGRESS_FAILED";
+    return mapOutboundCodeFallback(topCode, causeCode);
+};
+// (b) TLS by code or message.
+const classifyTls = (code, msg) => (code !== undefined && TLS_CODES.has(code)) || TLS_MSG_RE.test(msg)
+    ? "FIGMA_TLS_CA_FAILURE"
+    : undefined;
+// (c) Timeout / abort names — check both err and its cause.
+const isAbortName = (name) => name === "TimeoutError" || name === "AbortError";
+const classifyTimeout = (err, cause) => isAbortName(extractName(err)) || isAbortName(extractName(cause))
+    ? "FIGMA_EGRESS_TIMEOUT"
+    : undefined;
+// (d) Direct connectivity codes / messages — no proxy involved.
+const classifyConnectivity = (code, msg) => (code !== undefined && CONNECTIVITY_CODES.has(code)) || CONNECTIVITY_MSG_RE.test(msg)
+    ? "FIGMA_NETWORK_UNREACHABLE"
+    : undefined;
+/**
+ * Classify a transport-level throw from `fetch` or the body read into a stable
+ * {@link FigmaConnectorErrorCode}. Side-effect-free and total — any non-Error
+ * throwable (string, undefined) maps to `FIGMA_EGRESS_FAILED`.
+ *
+ * Precedence:
+ *   (a) OutboundHttpEgressError (or plain Error with outbound code, for cross-package resilience)
+ *       → proxy/TLS-via-proxy codes. FIGMA_PROXY_* codes are ONLY reachable via this branch.
+ *   (b) TLS trust codes / messages → FIGMA_TLS_CA_FAILURE.
+ *   (c) Timeout / abort names (DOMException AbortError, Node TimeoutError) → FIGMA_EGRESS_TIMEOUT.
+ *   (d) Direct connectivity codes / messages → FIGMA_NETWORK_UNREACHABLE.
+ *   (e) Default → FIGMA_EGRESS_FAILED.
+ *
+ * Inspects `err.code`, `err.cause.code`, and `err.message` in that order of
+ * precedence so Node.js `TypeError: fetch failed` wrappers (undici wraps the
+ * underlying `cause.code`) are classified correctly.
+ */
+export const classifyFigmaTransportError = (err) => {
+    const cause = extractCause(err);
+    const topCode = extractCode(err);
+    const causeCode = extractCauseCode(err);
+    const code = topCode ?? causeCode;
+    const msg = extractMessage(err);
+    return (classifyOutbound(err, cause, topCode, causeCode) ??
+        classifyTls(code, msg) ??
+        classifyTimeout(err, cause) ??
+        classifyConnectivity(code, msg) ??
+        "FIGMA_EGRESS_FAILED");
+};

package/dist/qualityIntelligence/figma/figmaConnectorMetrics.d.ts

@@ -0,0 +1,44 @@
+import type { QualityIntelligenceFigma } from "@oscharko-dev/keiko-quality-intelligence";
+import type { FigmaSnapshot } from "./figmaSnapshotTypes.js";
+/** Deterministic-vs-model augmentation tally. Supplied by the QI source (#754) as plain counts. */
+export interface FigmaAugmentationTally {
+    readonly deterministic: number;
+    readonly modelAugmented: number;
+}
+export interface FigmaAugmentationShare {
+    readonly deterministic: number;
+    readonly modelAugmented: number;
+    /** modelAugmented / (deterministic + modelAugmented), rounded to 4 dp; 0 when the total is 0. */
+    readonly modelAugmentedShare: number;
+}
+/** Optional navigation-graph cardinalities (#811). Present only when links/screens are supplied. */
+export interface FigmaNavGraphMetrics {
+    readonly screens: number;
+    readonly transitions: number;
+}
+/** Optional a11y-finding cardinalities (#812). Present only when a finding count is supplied. */
+export interface FigmaA11yMetrics {
+    readonly findings: number;
+}
+export interface FigmaConnectorMetrics {
+    /** Share of the raw subtree removed by deterministic cleaning, in [0, 1]. */
+    readonly reductionRatio: number;
+    readonly screenCount: number;
+    /** Screens that produced a render in the Snapshot (≤ screenCount; the rest are skippedScreens). */
+    readonly renderCount: number;
+    readonly designTokenCount: number;
+    readonly augmentation: FigmaAugmentationShare;
+    readonly navGraph?: FigmaNavGraphMetrics;
+    readonly a11y?: FigmaA11yMetrics;
+}
+/** Optional, additive metric inputs from siblings not yet merged. */
+export interface FigmaConnectorMetricsExtras {
+    /** A11y finding count from #812. Omit when the a11y baseline did not run. */
+    readonly a11yFindings?: number;
+}
+/**
+ * Compute the operational metrics from the deterministic IR, the assembled Snapshot, the
+ * augmentation tally, and any additive sibling inputs. Pure: same inputs → byte-identical metrics.
+ */
+export declare const computeFigmaConnectorMetrics: (ir: QualityIntelligenceFigma.ScreenIrResult, snapshot: FigmaSnapshot, augmentation: FigmaAugmentationTally, extras?: FigmaConnectorMetricsExtras) => FigmaConnectorMetrics;
+//# sourceMappingURL=figmaConnectorMetrics.d.ts.map

package/dist/qualityIntelligence/figma/figmaConnectorMetrics.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"figmaConnectorMetrics.d.ts","sourceRoot":"","sources":["../../../src/qualityIntelligence/figma/figmaConnectorMetrics.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,0CAA0C,CAAC;AACzF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAE7D,mGAAmG;AACnG,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;CACjC;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,iGAAiG;IACjG,QAAQ,CAAC,mBAAmB,EAAE,MAAM,CAAC;CACtC;AAED,oGAAoG;AACpG,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED,iGAAiG;AACjG,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,qBAAqB;IACpC,6EAA6E;IAC7E,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,mGAAmG;IACnG,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,YAAY,EAAE,sBAAsB,CAAC;IAC9C,QAAQ,CAAC,QAAQ,CAAC,EAAE,oBAAoB,CAAC;IACzC,QAAQ,CAAC,IAAI,CAAC,EAAE,gBAAgB,CAAC;CAClC;AAED,qEAAqE;AACrE,MAAM,WAAW,2BAA2B;IAC1C,6EAA6E;IAC7E,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC;AA2BD;;;GAGG;AACH,eAAO,MAAM,4BAA4B,GACvC,IAAI,wBAAwB,CAAC,cAAc,EAC3C,UAAU,aAAa,EACvB,cAAc,sBAAsB,EACpC,SAAQ,2BAAgC,KACvC,qBAWF,CAAC"}

package/dist/qualityIntelligence/figma/figmaConnectorMetrics.js

@@ -0,0 +1,49 @@
+// Operational metrics for the Figma connector (Epic #750, Issue #760).
+//
+// A small, typed, PURE structure derived ENTIRELY from the stored Snapshot boundary inputs — the
+// deterministic Screen-IR (#752) and the assembled Snapshot (#753) — plus a decoupled augmentation
+// tally. Figma is never contacted here; metrics read only what the bounded snapshot-build already
+// produced.
+//
+// GOVERNANCE (load-bearing, #760): every field is a NUMBER. No screen name, no board id / link /
+// name, no design content, no token ever enters this structure. The augmentation tally is supplied
+// by the QI source (#754) as two integers; this module does not inspect any test/candidate content.
+//
+// Optional `navGraph` and `a11y` are OMITTED ENTIRELY when their inputs are absent — the navigation
+// graph (#811) and a11y baseline (#812) are not merged yet, and a later child wires them in
+// additively. We never emit a zero/placeholder for an unmerged capability, so "absent" stays
+// distinguishable from "present and zero".
+const ROUND = 10_000;
+const roundShare = (value) => Math.round(value * ROUND) / ROUND;
+const computeShare = (tally) => {
+    const total = tally.deterministic + tally.modelAugmented;
+    return {
+        deterministic: tally.deterministic,
+        modelAugmented: tally.modelAugmented,
+        modelAugmentedShare: total === 0 ? 0 : roundShare(tally.modelAugmented / total),
+    };
+};
+const countDesignTokens = (tokens) => tokens.colors.length + tokens.typography.length + tokens.spacing.length + tokens.radius.length;
+// The navigation graph is present whenever the IR carried any screens or links — i.e. the source
+// material for #811 exists. We never synthesise it from nothing: an empty IR yields no nav graph.
+const navGraphOf = (ir) => {
+    if (ir.screens.length === 0 && ir.links.length === 0)
+        return undefined;
+    return { screens: ir.screens.length, transitions: ir.links.length };
+};
+/**
+ * Compute the operational metrics from the deterministic IR, the assembled Snapshot, the
+ * augmentation tally, and any additive sibling inputs. Pure: same inputs → byte-identical metrics.
+ */
+export const computeFigmaConnectorMetrics = (ir, snapshot, augmentation, extras = {}) => {
+    const navGraph = navGraphOf(ir);
+    return {
+        reductionRatio: ir.reduction.removedRatio,
+        screenCount: ir.screens.length,
+        renderCount: snapshot.screens.length,
+        designTokenCount: countDesignTokens(ir.tokens),
+        augmentation: computeShare(augmentation),
+        ...(navGraph !== undefined ? { navGraph } : {}),
+        ...(extras.a11yFindings !== undefined ? { a11y: { findings: extras.a11yFindings } } : {}),
+    };
+};

package/dist/qualityIntelligence/figma/figmaConsent.d.ts

@@ -0,0 +1,39 @@
+import type { FigmaScopeRef } from "./figmaScopeRef.js";
+export declare const FIGMA_CONSENT_SCHEMA_VERSION: 1;
+/**
+ * Display-only list of the least-privilege, read-only Figma scopes the connector relies on. Shown to
+ * the operator before the first fetch so they can confirm the PAT they minted is read-only. The
+ * connector reads file content and renders images; it never writes. This is the human-readable
+ * expectation for an out-of-band PAT grant, not an enforced grant.
+ */
+export declare const EXPECTED_FIGMA_SCOPES: readonly string[];
+export interface FigmaScopeConsent {
+    readonly figmaConsentSchemaVersion: typeof FIGMA_CONSENT_SCHEMA_VERSION;
+    readonly scopeRef: FigmaScopeRef;
+    /** Always true once recorded: the operator acknowledged the read-only, least-privilege scope. */
+    readonly readOnlyAcknowledged: true;
+    /** Display-only echo of the scopes acknowledged. No token, no board reference. */
+    readonly acknowledgedScopes: readonly string[];
+    readonly acknowledgedBy: string;
+    readonly acknowledgedAt: string;
+}
+export declare const loadReadOnlyConsent: (scopeRef: FigmaScopeRef, evidenceDir: string) => FigmaScopeConsent | undefined;
+export declare const hasReadOnlyConsent: (scopeRef: FigmaScopeRef, evidenceDir: string) => boolean;
+export interface RecordReadOnlyConsentInput {
+    readonly scopeRef: FigmaScopeRef;
+    readonly evidenceDir: string;
+    readonly acknowledgedBy: string;
+    readonly now: string;
+}
+/**
+ * Record the operator's explicit acknowledgement of the read-only, least-privilege scope. Idempotent
+ * by overwrite (re-acknowledging refreshes the timestamp). Returns the stored consent record.
+ */
+export declare const recordReadOnlyConsent: (input: RecordReadOnlyConsentInput) => FigmaScopeConsent;
+/**
+ * Gate the first fetch on recorded consent. Throws a coded, safe error when the operator has not yet
+ * acknowledged the read-only scope for this connected scope. The connector calls this BEFORE token
+ * materialisation so an unconsented scope never reaches Figma.
+ */
+export declare const assertReadOnlyConsent: (scopeRef: FigmaScopeRef, evidenceDir: string) => void;
+//# sourceMappingURL=figmaConsent.d.ts.map

package/dist/qualityIntelligence/figma/figmaConsent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"figmaConsent.d.ts","sourceRoot":"","sources":["../../../src/qualityIntelligence/figma/figmaConsent.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAExD,eAAO,MAAM,4BAA4B,EAAG,CAAU,CAAC;AAGvD;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,EAAE,SAAS,MAAM,EAA0B,CAAC;AAE9E,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,yBAAyB,EAAE,OAAO,4BAA4B,CAAC;IACxE,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC;IACjC,iGAAiG;IACjG,QAAQ,CAAC,oBAAoB,EAAE,IAAI,CAAC;IACpC,kFAAkF;IAClF,QAAQ,CAAC,kBAAkB,EAAE,SAAS,MAAM,EAAE,CAAC;IAC/C,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;CACjC;AAaD,eAAO,MAAM,mBAAmB,GAC9B,UAAU,aAAa,EACvB,aAAa,MAAM,KAClB,iBAAiB,GAAG,SAAiD,CAAC;AAEzE,eAAO,MAAM,kBAAkB,GAAI,UAAU,aAAa,EAAE,aAAa,MAAM,KAAG,OACxB,CAAC;AAE3D,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC;IACjC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB;AAED;;;GAGG;AACH,eAAO,MAAM,qBAAqB,GAAI,OAAO,0BAA0B,KAAG,iBAWzE,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,GAAI,UAAU,aAAa,EAAE,aAAa,MAAM,KAAG,IAIpF,CAAC"}

package/dist/qualityIntelligence/figma/figmaConsent.js

@@ -0,0 +1,62 @@
+// Recorded read-only-scope consent for the Figma connector (Epic #750, Issue #760).
+//
+// There is NO OAuth grant flow: the operator mints a least-privilege, READ-ONLY Personal Access
+// Token out of band. Before the FIRST scoped fetch for a connected scope, the operator must
+// explicitly acknowledge that the configured PAT is read-only and least-privilege; this module
+// records that acknowledgement as durable evidence. The expected scopes are DISPLAY-ONLY — the
+// connector cannot grant or widen anything; it only shows what a least-privilege read-only token
+// covers so the operator can confirm before the first fetch.
+//
+// The consent record carries NO token, NO PII, and NO board id / link / content — only the opaque
+// `scopeRef`, the acknowledged read-only flag, an optional operator label, and a timestamp. It is
+// persisted through the SAME reused Evidence contained-store seam as the connector audit.
+import { createNodeContainedJsonArtifactStore, } from "@oscharko-dev/keiko-evidence";
+import { FigmaConnectorError } from "./figmaConnectorErrors.js";
+export const FIGMA_CONSENT_SCHEMA_VERSION = 1;
+const FIGMA_CONSENT_SUFFIX = ".figma-consent.json";
+/**
+ * Display-only list of the least-privilege, read-only Figma scopes the connector relies on. Shown to
+ * the operator before the first fetch so they can confirm the PAT they minted is read-only. The
+ * connector reads file content and renders images; it never writes. This is the human-readable
+ * expectation for an out-of-band PAT grant, not an enforced grant.
+ */
+export const EXPECTED_FIGMA_SCOPES = ["file_content:read"];
+const parseConsent = (value) => {
+    if (typeof value !== "object" || value === null)
+        return undefined;
+    const record = value;
+    if (record.figmaConsentSchemaVersion !== FIGMA_CONSENT_SCHEMA_VERSION)
+        return undefined;
+    if (typeof record.scopeRef !== "string" || record.readOnlyAcknowledged !== true)
+        return undefined;
+    return value;
+};
+const storeFor = (evidenceDir) => createNodeContainedJsonArtifactStore(evidenceDir, FIGMA_CONSENT_SUFFIX, { parse: parseConsent });
+export const loadReadOnlyConsent = (scopeRef, evidenceDir) => storeFor(evidenceDir).load(scopeRef);
+export const hasReadOnlyConsent = (scopeRef, evidenceDir) => loadReadOnlyConsent(scopeRef, evidenceDir) !== undefined;
+/**
+ * Record the operator's explicit acknowledgement of the read-only, least-privilege scope. Idempotent
+ * by overwrite (re-acknowledging refreshes the timestamp). Returns the stored consent record.
+ */
+export const recordReadOnlyConsent = (input) => {
+    const consent = {
+        figmaConsentSchemaVersion: FIGMA_CONSENT_SCHEMA_VERSION,
+        scopeRef: input.scopeRef,
+        readOnlyAcknowledged: true,
+        acknowledgedScopes: EXPECTED_FIGMA_SCOPES,
+        acknowledgedBy: input.acknowledgedBy,
+        acknowledgedAt: input.now,
+    };
+    storeFor(input.evidenceDir).record(input.scopeRef, consent);
+    return consent;
+};
+/**
+ * Gate the first fetch on recorded consent. Throws a coded, safe error when the operator has not yet
+ * acknowledged the read-only scope for this connected scope. The connector calls this BEFORE token
+ * materialisation so an unconsented scope never reaches Figma.
+ */
+export const assertReadOnlyConsent = (scopeRef, evidenceDir) => {
+    if (!hasReadOnlyConsent(scopeRef, evidenceDir)) {
+        throw new FigmaConnectorError("FIGMA_CONSENT_REQUIRED");
+    }
+};

package/dist/qualityIntelligence/figma/figmaHttpPort.d.ts

@@ -0,0 +1,28 @@
+import { type OutboundHttpEgressConfig } from "@oscharko-dev/keiko-model-gateway/internal/http";
+export interface FigmaHttpRequest {
+    readonly url: string;
+    readonly headers: Readonly<Record<string, string>>;
+}
+export interface FigmaHttpResponse {
+    readonly status: number;
+    readonly json: unknown;
+    readonly headers: Readonly<Record<string, string>>;
+}
+export type FigmaHttpPort = (request: FigmaHttpRequest) => Promise<FigmaHttpResponse>;
+/** Optional creation-time overrides for the default HTTP port. */
+export interface FigmaHttpPortOptions {
+    readonly timeoutMs?: number;
+    readonly maxResponseBytes?: number;
+}
+/**
+ * Thin default adapter over the platform `fetch`. This is the ONLY place `fetch` is named.
+ * It forwards the caller-built headers verbatim and reads the body as JSON with an explicit
+ * byte cap; it does not log, retry, or inspect the token. Resilience/backoff is out of scope
+ * here (#759); the proxy/custom-CA transport is the platform prerequisite (#802) that replaces
+ * this adapter.
+ *
+ * `redirect: "manual"` prevents the PAT auth header from following a cross-origin redirect.
+ * A 3xx response surfaces as a non-2xx port result; the connector treats non-2xx as upstream error.
+ */
+export declare const createDefaultFigmaHttpPort: (egress?: OutboundHttpEgressConfig, fetchImpl?: typeof fetch, options?: FigmaHttpPortOptions) => FigmaHttpPort;
+//# sourceMappingURL=figmaHttpPort.d.ts.map

package/dist/qualityIntelligence/figma/figmaHttpPort.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"figmaHttpPort.d.ts","sourceRoot":"","sources":["../../../src/qualityIntelligence/figma/figmaHttpPort.ts"],"names":[],"mappings":"AAgBA,OAAO,EAGL,KAAK,wBAAwB,EAC9B,MAAM,iDAAiD,CAAC;AAQzD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACpD;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IAGvB,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACpD;AAED,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,EAAE,gBAAgB,KAAK,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEtF,kEAAkE;AAClE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CACpC;AAYD;;;;;;;;;GASG;AACH,eAAO,MAAM,0BAA0B,GACrC,SAAS,wBAAwB,EACjC,YAAY,OAAO,KAAK,EACxB,UAAU,oBAAoB,KAC7B,aA4BF,CAAC"}