@pleri/olam-cli 0.1.147 → 0.1.148

package/dist/lib/auth-refresh-kubernetes.d.ts

@@ -0,0 +1,62 @@
+/**
+ * auth-refresh-kubernetes.ts — D4 kubernetes Secret rotation for `olam auth refresh`.
+ *
+ * Extracted from auth.ts to keep the testable logic free of @olam/core dependencies.
+ * No @olam/core imports here — tested directly by auth.test.ts without needing
+ * to mock the entire @olam/core workspace package.
+ *
+ * D20 security invariant: secret value NEVER in subprocess argv (–from-literal forbidden).
+ * SEC-NEW-003: refuses when kubectl_context_pinned absent (no ambient KUBECONFIG fallthrough).
+ * ADV-N-003: kubectl rollout restart after apply (K8s does NOT hot-update mounted Secrets).
+ */
+import { kubectlWrap } from './kubectl-wrap.js';
+export interface AuthRefreshKubernetesDeps {
+    /** Injectable kubectlWrap for tests (Secret apply + rollout restart). */
+    readonly kubectlWrapImpl?: typeof kubectlWrap;
+    /** Injectable readFileSync for reading ~/.olam/auth-secret. */
+    readonly readFileSyncImpl?: (p: string, enc: 'utf8') => string;
+    /** Injectable writeFileSync for writing ~/.olam/auth-secret. */
+    readonly writeFileSyncImpl?: (p: string, data: string, opts: {
+        mode: number;
+    }) => void;
+    /** Injectable config path for readConfig. */
+    readonly configPath?: string;
+    /** Injectable olam home override (for auth-secret path). */
+    readonly olamHomeOverride?: string;
+    /** Injectable stdout. */
+    readonly stdout?: NodeJS.WritableStream;
+    /** Injectable stderr. */
+    readonly stderr?: NodeJS.WritableStream;
+}
+/**
+ * Construct the olam-host-cp-secret YAML in-process (D20 stdin-safe design).
+ * Values are base64-encoded via Buffer. NEVER uses --from-literal in subprocess argv.
+ */
+export declare function buildSecretYaml(secretName: string, data: Record<string, string>): string;
+/**
+ * Resolve the pinned kubectl context from config or OLAM_K8S_CONTEXT_ACK fallback.
+ *
+ * Returns { context } on success.
+ * Returns { error } when neither source has a context (SEC-NEW-003 enforcement).
+ * Returns { context, deprecationWarning } when OLAM_K8S_CONTEXT_ACK fallback is used.
+ */
+export declare function resolveKubectlContext(configPath?: string): {
+    context?: string;
+    deprecationWarning?: string;
+    error?: string;
+};
+/**
+ * Run the kubernetes-substrate portion of auth refresh (D4).
+ *
+ * Called by auth.ts after a successful `client.refreshAccount()` when
+ * the substrate is kubernetes. Performs:
+ *   1. Reads ~/.olam/auth-secret for the bearer secret value.
+ *   2. Writes ~/.olam/auth-secret back (idempotent, sets mode 0o600).
+ *   3. Constructs olam-host-cp-secret YAML in-process (D20: value in stdin, not argv).
+ *   4. kubectl apply -f - via stdin pipe.
+ *   5. kubectl rollout restart deployment/olam-host-cp -n olam (ADV-N-003).
+ *
+ * Returns exit code: 0 = success, 1 = error.
+ */
+export declare function applyK8sAuthRefresh(pinnedContext: string, deps?: AuthRefreshKubernetesDeps): Promise<number>;
+//# sourceMappingURL=auth-refresh-kubernetes.d.ts.map

package/dist/lib/auth-refresh-kubernetes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-refresh-kubernetes.d.ts","sourceRoot":"","sources":["../../src/lib/auth-refresh-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAOH,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAKhD,MAAM,WAAW,yBAAyB;IACxC,yEAAyE;IACzE,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,WAAW,CAAC;IAC9C,+DAA+D;IAC/D,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,KAAK,MAAM,CAAC;IAC/D,gEAAgE;IAChE,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IACvF,6CAA6C;IAC7C,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,4DAA4D;IAC5D,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,yBAAyB;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,yBAAyB;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;CACzC;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAYxF;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG;IAC1D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAqBA;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,mBAAmB,CACvC,aAAa,EAAE,MAAM,EACrB,IAAI,GAAE,yBAA8B,GACnC,OAAO,CAAC,MAAM,CAAC,CAoEjB"}

package/dist/lib/auth-refresh-kubernetes.js

@@ -0,0 +1,127 @@
+/**
+ * auth-refresh-kubernetes.ts — D4 kubernetes Secret rotation for `olam auth refresh`.
+ *
+ * Extracted from auth.ts to keep the testable logic free of @olam/core dependencies.
+ * No @olam/core imports here — tested directly by auth.test.ts without needing
+ * to mock the entire @olam/core workspace package.
+ *
+ * D20 security invariant: secret value NEVER in subprocess argv (–from-literal forbidden).
+ * SEC-NEW-003: refuses when kubectl_context_pinned absent (no ambient KUBECONFIG fallthrough).
+ * ADV-N-003: kubectl rollout restart after apply (K8s does NOT hot-update mounted Secrets).
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import pc from 'picocolors';
+import { stringify as yamlStringify } from 'yaml';
+import { readConfig, OLAM_HOME } from './config.js';
+import { kubectlWrap } from './kubectl-wrap.js';
+import { HOST_CP_SECRET_NAME, HOST_CP_DEPLOYMENT_NAME } from './upgrade-kubernetes.js';
+const K8S_NAMESPACE = 'olam';
+/**
+ * Construct the olam-host-cp-secret YAML in-process (D20 stdin-safe design).
+ * Values are base64-encoded via Buffer. NEVER uses --from-literal in subprocess argv.
+ */
+export function buildSecretYaml(secretName, data) {
+    const base64Data = {};
+    for (const [key, value] of Object.entries(data)) {
+        base64Data[key] = Buffer.from(value).toString('base64');
+    }
+    return yamlStringify({
+        apiVersion: 'v1',
+        kind: 'Secret',
+        metadata: { name: secretName, namespace: K8S_NAMESPACE },
+        type: 'Opaque',
+        data: base64Data,
+    });
+}
+/**
+ * Resolve the pinned kubectl context from config or OLAM_K8S_CONTEXT_ACK fallback.
+ *
+ * Returns { context } on success.
+ * Returns { error } when neither source has a context (SEC-NEW-003 enforcement).
+ * Returns { context, deprecationWarning } when OLAM_K8S_CONTEXT_ACK fallback is used.
+ */
+export function resolveKubectlContext(configPath) {
+    const cfg = readConfig({ configPath });
+    const raw = cfg.host['kubectl_context_pinned'];
+    if (typeof raw === 'string' && raw.length > 0) {
+        return { context: raw };
+    }
+    const ack = process.env['OLAM_K8S_CONTEXT_ACK'];
+    if (typeof ack === 'string' && ack.length > 0) {
+        return {
+            context: ack,
+            deprecationWarning: 'OLAM_K8S_CONTEXT_ACK is deprecated; set host.kubectl_context_pinned in ~/.olam/config.json',
+        };
+    }
+    return {
+        error: 'kubectl_context_pinned is not set in ~/.olam/config.json and OLAM_K8S_CONTEXT_ACK is not set.\n' +
+            '  Set host.kubectl_context_pinned in ~/.olam/config.json to your kubectl context name.',
+    };
+}
+/**
+ * Run the kubernetes-substrate portion of auth refresh (D4).
+ *
+ * Called by auth.ts after a successful `client.refreshAccount()` when
+ * the substrate is kubernetes. Performs:
+ *   1. Reads ~/.olam/auth-secret for the bearer secret value.
+ *   2. Writes ~/.olam/auth-secret back (idempotent, sets mode 0o600).
+ *   3. Constructs olam-host-cp-secret YAML in-process (D20: value in stdin, not argv).
+ *   4. kubectl apply -f - via stdin pipe.
+ *   5. kubectl rollout restart deployment/olam-host-cp -n olam (ADV-N-003).
+ *
+ * Returns exit code: 0 = success, 1 = error.
+ */
+export async function applyK8sAuthRefresh(pinnedContext, deps = {}) {
+    const stdout = deps.stdout ?? process.stdout;
+    const stderr = deps.stderr ?? process.stderr;
+    const olamHome = deps.olamHomeOverride ?? OLAM_HOME;
+    const authSecretFile = path.join(olamHome, 'auth-secret');
+    const readFn = deps.readFileSyncImpl ?? ((p, enc) => fs.readFileSync(p, enc));
+    const writeFn = deps.writeFileSyncImpl ?? ((p, data, opts) => {
+        fs.mkdirSync(path.dirname(p), { recursive: true });
+        fs.writeFileSync(p, data, { encoding: 'utf8', mode: opts.mode });
+    });
+    const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+    // Read current ~/.olam/auth-secret.
+    let authSecretValue = null;
+    try {
+        const raw = readFn(authSecretFile, 'utf8').trim();
+        if (raw.length > 0)
+            authSecretValue = raw;
+    }
+    catch {
+        // File absent — warn and skip Secret update.
+    }
+    // Write ~/.olam/auth-secret (both substrates; idempotent).
+    if (authSecretValue !== null) {
+        writeFn(authSecretFile, authSecretValue + '\n', { mode: 0o600 });
+    }
+    else {
+        stderr.write(`${pc.yellow('[warn]')} ~/.olam/auth-secret not found — skipping kubernetes Secret update. ` +
+            `Run \`olam upgrade\` to populate the Secret.\n`);
+        return 0;
+    }
+    // D20: construct Secret YAML in-process; secret value NEVER in subprocess argv.
+    const secretYaml = buildSecretYaml(HOST_CP_SECRET_NAME, {
+        OLAM_AUTH_SECRET: authSecretValue,
+    });
+    // Apply the Secret via stdin pipe.
+    const applyResult = await wrap(['--context', pinnedContext, 'apply', '-f', '-'], { timeout: 30_000, stdin: secretYaml });
+    if (!applyResult.ok) {
+        stderr.write(`${pc.red('error:')} kubectl apply (Secret update) failed: ${applyResult.stderr.split('\n')[0] ?? ''}\n`);
+        return 1;
+    }
+    // ADV-N-003: rollout restart to flush the mounted Secret into host-cp.
+    const rolloutResult = await wrap(['--context', pinnedContext, 'rollout', 'restart', `deployment/${HOST_CP_DEPLOYMENT_NAME}`, '-n', K8S_NAMESPACE], { timeout: 60_000 });
+    if (!rolloutResult.ok) {
+        stderr.write(`${pc.yellow('[warn]')} rollout restart failed: ${rolloutResult.stderr.split('\n')[0] ?? ''}. ` +
+            `host-cp may not pick up the new token until the next pod restart.\n`);
+        // Non-fatal: apply succeeded; warn but return 0.
+    }
+    else {
+        stdout.write(`${pc.green('✓')} Restarted deployment/${HOST_CP_DEPLOYMENT_NAME} (new token mounted)\n`);
+    }
+    return 0;
+}
+//# sourceMappingURL=auth-refresh-kubernetes.js.map

package/dist/lib/auth-refresh-kubernetes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-refresh-kubernetes.js","sourceRoot":"","sources":["../../src/lib/auth-refresh-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAEvF,MAAM,aAAa,GAAG,MAAM,CAAC;AAmB7B;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,UAAkB,EAAE,IAA4B;IAC9E,MAAM,UAAU,GAA2B,EAAE,CAAC;IAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,UAAU,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,aAAa,CAAC;QACnB,UAAU,EAAE,IAAI;QAChB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE;QACxD,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,UAAU;KACjB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CAAC,UAAmB;IAKvD,MAAM,GAAG,GAAG,UAAU,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC;IACvC,MAAM,GAAG,GAAI,GAAG,CAAC,IAAgC,CAAC,wBAAwB,CAAC,CAAC;IAE5E,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAC1B,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IAChD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,OAAO;YACL,OAAO,EAAE,GAAG;YACZ,kBAAkB,EAAE,4FAA4F;SACjH,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK,EACH,iGAAiG;YACjG,wFAAwF;KAC3F,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,aAAqB,EACrB,OAAkC,EAAE;IAEpC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,IAAI,SAAS,CAAC;IACpD,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAE1D,MAAM,MAAM,GAAG,IAAI,CAAC,gBAAgB,IAAI,CAAC,CAAC,CAAS,EAAE,GAAW,EAAE,EAAE,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;IAC9F,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,IAAI,CAAC,CAAC,CAAS,EAAE,IAAY,EAAE,IAAsB,EAAE,EAAE;QAC7F,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IAEjD,oCAAoC;IACpC,IAAI,eAAe,GAAkB,IAAI,CAAC;IAC1C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QAClD,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;YAAE,eAAe,GAAG,GAAG,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,6CAA6C;IAC/C,CAAC;IAED,2DAA2D;IAC3D,IAAI,eAAe,KAAK,IAAI,EAAE,CAAC;QAC7B,OAAO,CAAC,cAAc,EAAE,eAAe,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnE,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,sEAAsE;YAC5F,gDAAgD,CACjD,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,gFAAgF;IAChF,MAAM,UAAU,GAAG,eAAe,CAAC,mBAAmB,EAAE;QACtD,gBAAgB,EAAE,eAAe;KAClC,CAAC,CAAC;IAEH,mCAAmC;IACnC,MAAM,WAAW,GAAG,MAAM,IAAI,CAC5B,CAAC,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,EAChD,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,CACvC,CAAC;IAEF,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;QACpB,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,0CAA0C,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,CACzG,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,uEAAuE;IACvE,MAAM,aAAa,GAAG,MAAM,IAAI,CAC9B,CAAC,WAAW,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE,cAAc,uBAAuB,EAAE,EAAE,IAAI,EAAE,aAAa,CAAC,EAChH,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IAEF,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;QACtB,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,4BAA4B,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI;YAC/F,qEAAqE,CACtE,CAAC;QACF,iDAAiD;IACnD,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,yBAAyB,uBAAuB,wBAAwB,CAAC,CAAC;IACzG,CAAC;IAED,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/lib/kubectl-wrap.d.ts

@@ -48,6 +48,12 @@ export interface KubectlWrapOpts {
      * Signature matches `child_process.spawn` return type.
      */
     readonly spawnImpl?: typeof spawn;
+    /**
+     * Optional stdin payload. When set, the subprocess stdin is set to 'pipe'
+     * and this string is written then closed. Used for `kubectl apply -f -`
+     * patterns (C1 ConfigMap substitution; D20 — value never in argv).
+     */
+    readonly stdin?: string;
 }
 /**
  * Invoke kubectl with a timeout.

package/dist/lib/kubectl-wrap.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"kubectl-wrap.d.ts","sourceRoot":"","sources":["../../src/lib/kubectl-wrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,eAAO,MAAM,kBAAkB,SAAU,CAAC;AAG1C,MAAM,MAAM,aAAa,GACrB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC/D;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,SAAS,GAAG,OAAO,GAAG,SAAS,CAAA;CAAE,CAAC;AAE7G,MAAM,WAAW,eAAe;IAC9B,8EAA8E;IAC9E,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,yEAAyE;IACzE,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtC;;;OAGG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CACnC;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,IAAI,GAAE,eAAoB,GACzB,OAAO,CAAC,aAAa,CAAC,CAuFxB"}
+{"version":3,"file":"kubectl-wrap.d.ts","sourceRoot":"","sources":["../../src/lib/kubectl-wrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,eAAO,MAAM,kBAAkB,SAAU,CAAC;AAG1C,MAAM,MAAM,aAAa,GACrB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC/D;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,SAAS,GAAG,OAAO,GAAG,SAAS,CAAA;CAAE,CAAC;AAE7G,MAAM,WAAW,eAAe;IAC9B,8EAA8E;IAC9E,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,yEAAyE;IACzE,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtC;;;OAGG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IAClC;;;;OAIG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,IAAI,GAAE,eAAoB,GACzB,OAAO,CAAC,aAAa,CAAC,CA6FxB"}

package/dist/lib/kubectl-wrap.js

@@ -59,7 +59,7 @@ export async function kubectlWrap(args, opts = {}) {
         let child;
         try {
             child = spawnImpl('kubectl', [...args], {
-                stdio: ['ignore', 'pipe', 'pipe'],
+                stdio: [opts.stdin !== undefined ? 'pipe' : 'ignore', 'pipe', 'pipe'],
                 env: { ...process.env, ...(opts.env ?? {}) },
             });
         }
@@ -73,6 +73,11 @@ export async function kubectlWrap(args, opts = {}) {
             });
             return;
         }
+        // Write stdin payload and close the stream when provided.
+        if (opts.stdin !== undefined && child.stdin) {
+            child.stdin.write(opts.stdin, 'utf8');
+            child.stdin.end();
+        }
         if (child.stdout) {
             child.stdout.on('data', (chunk) => { stdout.push(chunk.toString('utf8')); });
         }

package/dist/lib/kubectl-wrap.js.map

@@ -1 +1 @@
-{"version":3,"file":"kubectl-wrap.js","sourceRoot":"","sources":["../../src/lib/kubectl-wrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,MAAM,CAAC,MAAM,kBAAkB,GAAG,OAAO,CAAC;AAC1C,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAkB/B;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAuB,EACvB,OAAwB,EAAE;IAE1B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,IAAI,kBAAkB,CAAC;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAE1C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,OAAO,IAAI,OAAO,CAAgB,CAAC,OAAO,EAAE,EAAE;QAC5C,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,SAAS,GAAyC,IAAI,CAAC;QAC3D,IAAI,YAAY,GAAyC,IAAI,CAAC;QAE9D,SAAS,WAAW,CAAC,CAAgB;YACnC,IAAI,QAAQ;gBAAE,OAAO;YACrB,QAAQ,GAAG,IAAI,CAAC;YAChB,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;gBAAC,YAAY,CAAC,SAAS,CAAC,CAAC;gBAAC,SAAS,GAAG,IAAI,CAAC;YAAC,CAAC;YACtE,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;gBAAC,YAAY,CAAC,YAAY,CAAC,CAAC;gBAAC,YAAY,GAAG,IAAI,CAAC;YAAC,CAAC;YAC/E,OAAO,CAAC,CAAC,CAAC,CAAC;QACb,CAAC;QAED,IAAI,KAA+B,CAAC;QACpC,IAAI,CAAC;YACH,KAAK,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE;gBACtC,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;gBACjC,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE;aAC7C,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC;gBACN,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;gBACxD,QAAQ,EAAE,CAAC,CAAC;gBACZ,MAAM,EAAE,OAAO;aAChB,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACvF,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACvF,CAAC;QAED,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,WAAW,CAAC;gBACV,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,MAAM,EAAE,GAAG,CAAC,OAAO;gBACnB,QAAQ,EAAE,CAAC,CAAC;gBACZ,MAAM,EAAE,OAAO;aAChB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC;YAC5B,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAClC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAClC,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;gBACnB,WAAW,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC5E,CAAC;iBAAM,CAAC;gBACN,WAAW,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;YAChG,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,+DAA+D;QAC/D,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE;YAC1B,SAAS,GAAG,IAAI,CAAC;YACjB,qCAAqC;YACrC,IAAI,CAAC;gBAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,oBAAoB,CAAC,CAAC;YAE7D,gEAAgE;YAChE,YAAY,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC7B,YAAY,GAAG,IAAI,CAAC;gBACpB,IAAI,CAAC;oBAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,oBAAoB,CAAC,CAAC;gBAC7D,0EAA0E;gBAC1E,2EAA2E;gBAC3E,WAAW,CAAC;oBACV,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,QAAQ,EAAE,CAAC,CAAC;oBACZ,MAAM,EAAE,SAAS;iBAClB,CAAC,CAAC;YACL,CAAC,EAAE,gBAAgB,CAAC,CAAC;QACvB,CAAC,EAAE,SAAS,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"kubectl-wrap.js","sourceRoot":"","sources":["../../src/lib/kubectl-wrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,MAAM,CAAC,MAAM,kBAAkB,GAAG,OAAO,CAAC;AAC1C,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAwB/B;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAuB,EACvB,OAAwB,EAAE;IAE1B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,IAAI,kBAAkB,CAAC;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAE1C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,OAAO,IAAI,OAAO,CAAgB,CAAC,OAAO,EAAE,EAAE;QAC5C,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,SAAS,GAAyC,IAAI,CAAC;QAC3D,IAAI,YAAY,GAAyC,IAAI,CAAC;QAE9D,SAAS,WAAW,CAAC,CAAgB;YACnC,IAAI,QAAQ;gBAAE,OAAO;YACrB,QAAQ,GAAG,IAAI,CAAC;YAChB,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;gBAAC,YAAY,CAAC,SAAS,CAAC,CAAC;gBAAC,SAAS,GAAG,IAAI,CAAC;YAAC,CAAC;YACtE,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;gBAAC,YAAY,CAAC,YAAY,CAAC,CAAC;gBAAC,YAAY,GAAG,IAAI,CAAC;YAAC,CAAC;YAC/E,OAAO,CAAC,CAAC,CAAC,CAAC;QACb,CAAC;QAED,IAAI,KAA+B,CAAC;QACpC,IAAI,CAAC;YACH,KAAK,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE;gBACtC,KAAK,EAAE,CAAC,IAAI,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;gBACrE,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE;aAC7C,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC;gBACN,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;gBACxD,QAAQ,EAAE,CAAC,CAAC;gBACZ,MAAM,EAAE,OAAO;aAChB,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,0DAA0D;QAC1D,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAC5C,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YACtC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QACpB,CAAC;QAED,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACvF,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACvF,CAAC;QAED,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,WAAW,CAAC;gBACV,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,MAAM,EAAE,GAAG,CAAC,OAAO;gBACnB,QAAQ,EAAE,CAAC,CAAC;gBACZ,MAAM,EAAE,OAAO;aAChB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC;YAC5B,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAClC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAClC,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;gBACnB,WAAW,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC5E,CAAC;iBAAM,CAAC;gBACN,WAAW,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;YAChG,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,+DAA+D;QAC/D,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE;YAC1B,SAAS,GAAG,IAAI,CAAC;YACjB,qCAAqC;YACrC,IAAI,CAAC;gBAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,oBAAoB,CAAC,CAAC;YAE7D,gEAAgE;YAChE,YAAY,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC7B,YAAY,GAAG,IAAI,CAAC;gBACpB,IAAI,CAAC;oBAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,oBAAoB,CAAC,CAAC;gBAC7D,0EAA0E;gBAC1E,2EAA2E;gBAC3E,WAAW,CAAC;oBACV,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,QAAQ,EAAE,CAAC,CAAC;oBACZ,MAAM,EAAE,SAAS;iBAClB,CAAC,CAAC;YACL,CAAC,EAAE,gBAAgB,CAAC,CAAC;QACvB,CAAC,EAAE,SAAS,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/lib/manifest-refresh.d.ts

@@ -42,6 +42,8 @@ export interface ManifestRefreshAuditEntry {
     changed_fields: string[];
     accepted: boolean;
     operator_pid: number;
+    /** When set, the refresh was scoped to this peripheral's manifest subdir (C4/D19). */
+    peripheral?: string;
 }
 export interface ManifestRefreshDeps {
     /** Override state dir for tests. */
@@ -82,14 +84,19 @@ export type ManifestRefreshResult = {
  * @param manifestsDir    — path to ~/.olam/k8s/manifests/
  * @param acceptRegression — true when --accept-security-regression is set
  * @param deps            — injectable for tests
+ * @param peripheral      — when set, scope diff to manifests/<peripheral>/ ONLY (C4/D19)
  *
  * Returns ok=false when:
  *   - Security-sensitive fields differ AND !acceptRegression.
  *   - Audit log write fails (ENOSPC).
+ *   - peripheral is set but the peripheral subdir does not exist.
  *
  * On ok=true the audit log entry is written with accepted=true (or
  * accepted=false when no regression was detected — regression-free
  * refreshes are still audited).
+ *
+ * When peripheral is set, the audit-log entry includes { peripheral: <name> } (D19).
+ * Other peripherals' security drift does NOT block a targeted peripheral refresh (D19).
  */
-export declare function runManifestRefresh(manifestsDir: string, acceptRegression: boolean, deps?: ManifestRefreshDeps): Promise<ManifestRefreshResult>;
+export declare function runManifestRefresh(manifestsDir: string, acceptRegression: boolean, deps?: ManifestRefreshDeps, peripheral?: string): Promise<ManifestRefreshResult>;
 //# sourceMappingURL=manifest-refresh.d.ts.map

package/dist/lib/manifest-refresh.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manifest-refresh.d.ts","sourceRoot":"","sources":["../../src/lib/manifest-refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAI9B,eAAO,MAAM,0BAA0B,QAA4D,CAAC;AAEpG,0DAA0D;AAC1D,eAAO,MAAM,yBAAyB,qGAM5B,CAAC;AAEX,MAAM,MAAM,sBAAsB,GAAG,CAAC,OAAO,yBAAyB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEhF,MAAM,WAAW,kBAAkB;IACjC,gFAAgF;IAChF,qBAAqB,EAAE,OAAO,CAAC;IAC/B,uCAAuC;IACvC,aAAa,EAAE,sBAAsB,EAAE,CAAC;CACzC;AAED,MAAM,WAAW,yBAAyB;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,cAAc,EAAE,MAAM,CAAC;IACvB,mBAAmB,EAAE,OAAO,CAAC;IAC7B,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,mBAAmB;IAClC,oCAAoC;IACpC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,wCAAwC;IACxC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,yCAAyC;IACzC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,yCAAyC;IACzC,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,CAAC,WAAW,CAAC;IAC7C,0CAA0C;IAC1C,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,EAAE,CAAC,YAAY,CAAC;IAC/C,2CAA2C;IAC3C,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,EAAE,CAAC,aAAa,CAAC;IACjD,wCAAwC;IACxC,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,UAAU,CAAC;IAC3C,mCAAmC;IACnC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;CAC3B;AAkCD;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CACxC,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,kBAAkB,CA4BpB;AAyBD,MAAM,MAAM,qBAAqB,GAC7B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAC7B;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnC;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EACpB,gBAAgB,EAAE,OAAO,EACzB,IAAI,GAAE,mBAAwB,GAC7B,OAAO,CAAC,qBAAqB,CAAC,CAqFhC"}
+{"version":3,"file":"manifest-refresh.d.ts","sourceRoot":"","sources":["../../src/lib/manifest-refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAI9B,eAAO,MAAM,0BAA0B,QAA4D,CAAC;AAEpG,0DAA0D;AAC1D,eAAO,MAAM,yBAAyB,qGAM5B,CAAC;AAEX,MAAM,MAAM,sBAAsB,GAAG,CAAC,OAAO,yBAAyB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEhF,MAAM,WAAW,kBAAkB;IACjC,gFAAgF;IAChF,qBAAqB,EAAE,OAAO,CAAC;IAC/B,uCAAuC;IACvC,aAAa,EAAE,sBAAsB,EAAE,CAAC;CACzC;AAED,MAAM,WAAW,yBAAyB;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,cAAc,EAAE,MAAM,CAAC;IACvB,mBAAmB,EAAE,OAAO,CAAC;IAC7B,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,sFAAsF;IACtF,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC,oCAAoC;IACpC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,wCAAwC;IACxC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,yCAAyC;IACzC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,yCAAyC;IACzC,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,CAAC,WAAW,CAAC;IAC7C,0CAA0C;IAC1C,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,EAAE,CAAC,YAAY,CAAC;IAC/C,2CAA2C;IAC3C,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,EAAE,CAAC,aAAa,CAAC;IACjD,wCAAwC;IACxC,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,UAAU,CAAC;IAC3C,mCAAmC;IACnC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;CAC3B;AAkCD;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CACxC,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,kBAAkB,CA4BpB;AAyBD,MAAM,MAAM,qBAAqB,GAC7B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAC7B;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnC;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EACpB,gBAAgB,EAAE,OAAO,EACzB,IAAI,GAAE,mBAAwB,EAC9B,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,qBAAqB,CAAC,CA2FhC"}

package/dist/lib/manifest-refresh.js

@@ -129,32 +129,41 @@ function appendAuditEntry(entry, auditLogPath, writeFileSyncImpl) {
  * @param manifestsDir    — path to ~/.olam/k8s/manifests/
  * @param acceptRegression — true when --accept-security-regression is set
  * @param deps            — injectable for tests
+ * @param peripheral      — when set, scope diff to manifests/<peripheral>/ ONLY (C4/D19)
  *
  * Returns ok=false when:
  *   - Security-sensitive fields differ AND !acceptRegression.
  *   - Audit log write fails (ENOSPC).
+ *   - peripheral is set but the peripheral subdir does not exist.
  *
  * On ok=true the audit log entry is written with accepted=true (or
  * accepted=false when no regression was detected — regression-free
  * refreshes are still audited).
+ *
+ * When peripheral is set, the audit-log entry includes { peripheral: <name> } (D19).
+ * Other peripherals' security drift does NOT block a targeted peripheral refresh (D19).
  */
-export async function runManifestRefresh(manifestsDir, acceptRegression, deps = {}) {
+export async function runManifestRefresh(manifestsDir, acceptRegression, deps = {}, peripheral) {
     const auditLogPath = deps.auditLogPath ?? MANIFEST_REFRESH_AUDIT_LOG;
     const readdirSync = deps.readdirSync ?? fs.readdirSync;
     const readFileSync = deps.readFileSync ?? fs.readFileSync;
     const writeFileSyncImpl = deps.writeFileSync ?? fs.writeFileSync;
     const existsSync = deps.existsSync ?? fs.existsSync;
     const now = deps.now ? deps.now() : new Date();
-    if (!existsSync(manifestsDir)) {
+    // When --peripheral=<name> is set, scope to manifests/<peripheral>/ ONLY (C4/D19).
+    const targetDir = peripheral ? path.join(manifestsDir, peripheral) : manifestsDir;
+    if (!existsSync(targetDir)) {
         return {
             ok: false,
-            message: `manifests directory not found: ${manifestsDir}`,
+            message: peripheral
+                ? `peripheral manifests directory not found: ${targetDir}`
+                : `manifests directory not found: ${targetDir}`,
         };
     }
-    // Read all manifest files and diff security fields.
+    // Read manifest files from the scoped directory (non-recursive).
     let files;
     try {
-        const entries = readdirSync(manifestsDir, { withFileTypes: true });
+        const entries = readdirSync(targetDir, { withFileTypes: true });
         files = entries
             .filter((e) => e.isFile() && (e.name.endsWith('.yaml') || e.name.endsWith('.json')))
             .map((e) => e.name);
@@ -167,7 +176,7 @@ export async function runManifestRefresh(manifestsDir, acceptRegression, deps =
     }
     const allChangedFields = [];
     for (const file of files) {
-        const filePath = path.join(manifestsDir, file);
+        const filePath = path.join(targetDir, file);
         let content;
         try {
             content = readFileSync(filePath, 'utf8');
@@ -197,11 +206,12 @@ export async function runManifestRefresh(manifestsDir, acceptRegression, deps =
     // Write audit entry BEFORE confirming ok (ENOSPC aborts the refresh).
     const entry = {
         ts: now.toISOString(),
-        manifests_path: manifestsDir,
+        manifests_path: targetDir,
         security_regression: hasSecurityRegression,
         changed_fields: allChangedFields,
         accepted: acceptRegression,
         operator_pid: process.pid,
+        ...(peripheral !== undefined ? { peripheral } : {}),
     };
     try {
         appendAuditEntry(entry, auditLogPath, writeFileSyncImpl);

package/dist/lib/manifest-refresh.js.map

@@ -1 +1 @@
-{"version":3,"file":"manifest-refresh.js","sourceRoot":"","sources":["../../src/lib/manifest-refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,CAAC,MAAM,0BAA0B,GAAG,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,8BAA8B,CAAC,CAAC;AAEpG,0DAA0D;AAC1D,MAAM,CAAC,MAAM,yBAAyB,GAAG;IACvC,iBAAiB;IACjB,kBAAkB;IAClB,cAAc;IACd,wBAAwB;IACxB,OAAO,EAAW,kBAAkB;CAC5B,CAAC;AAuCX;;;;;GAKG;AACH,SAAS,YAAY,CAAC,GAAY,EAAE,QAAgB;IAClD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IACvD,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,OAAO,GAAY,GAAG,CAAC;IAC3B,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,EAAE,CAAC;QAC/D,OAAO,GAAI,OAAmC,CAAC,CAAC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACrC,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC;AAED;;;;;GAKG;AACH,SAAS,+BAA+B,CAAC,MAAe;IACtD,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,KAAK,IAAI,yBAAyB,EAAE,CAAC;QAC9C,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CACxC,UAAkB,EAClB,UAAkB;IAElB,IAAI,SAAkB,CAAC;IACvB,IAAI,SAAkB,CAAC;IACvB,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,SAAS,GAAG,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,SAAS,GAAG,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IACnC,CAAC;IAED,MAAM,SAAS,GAAG,+BAA+B,CAAC,SAAS,CAAC,CAAC;IAC7D,MAAM,SAAS,GAAG,+BAA+B,CAAC,SAAS,CAAC,CAAC;IAE7D,MAAM,aAAa,GAA6B,EAAE,CAAC;IACnD,KAAK,MAAM,KAAK,IAAI,yBAAyB,EAAE,CAAC;QAC9C,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1C,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,OAAO;QACL,qBAAqB,EAAE,aAAa,CAAC,MAAM,GAAG,CAAC;QAC/C,aAAa;KACd,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CACvB,KAAgC,EAChC,YAAoB,EACpB,iBAA0C;IAE1C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;IAC1C,IAAI,CAAC;QACH,iBAAiB,CAAC,YAAY,EAAE,IAAI,EAAE;YACpC,QAAQ,EAAE,MAAM;YAChB,IAAI,EAAE,GAAG;YACT,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChG,CAAC;AACH,CAAC;AAMD;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,YAAoB,EACpB,gBAAyB,EACzB,OAA4B,EAAE;IAE9B,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,0BAA0B,CAAC;IACrE,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,WAAW,CAAC;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,YAAY,CAAC;IAC1D,MAAM,iBAAiB,GAAG,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC,aAAa,CAAC;IACjE,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,UAAU,CAAC;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAE/C,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,OAAO;YACL,EAAE,EAAE,KAAK;YACT,OAAO,EAAE,kCAAkC,YAAY,EAAE;SAC1D,CAAC;IACJ,CAAC;IAED,oDAAoD;IACpD,IAAI,KAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,WAAW,CAAC,YAAY,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QACnE,KAAK,GAAI,OAAuB;aAC7B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;aACnF,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACxB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,OAAO,EAAE,iCAAiC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;SAC7F,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GAA6B,EAAE,CAAC;IACtD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;QAC/C,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAW,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,CAAC,kBAAkB;QAC9B,CAAC;QACD,sEAAsE;QACtE,qEAAqE;QACrE,sDAAsD;QACtD,gFAAgF;QAChF,2EAA2E;QAC3E,MAAM,IAAI,GAAG,0BAA0B,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACnC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAAE,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,MAAM,qBAAqB,GAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC;IAE1D,IAAI,qBAAqB,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC/C,OAAO;YACL,EAAE,EAAE,KAAK;YACT,OAAO,EACL,gEAAgE,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM;gBACjG,sEAAsE;SACzE,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,MAAM,KAAK,GAA8B;QACvC,EAAE,EAAE,GAAG,CAAC,WAAW,EAAE;QACrB,cAAc,EAAE,YAAY;QAC5B,mBAAmB,EAAE,qBAAqB;QAC1C,cAAc,EAAE,gBAAgB;QAChC,QAAQ,EAAE,gBAAgB;QAC1B,YAAY,EAAE,OAAO,CAAC,GAAG;KAC1B,CAAC;IAEF,IAAI,CAAC;QACH,gBAAgB,CAAC,KAAK,EAAE,YAAY,EAAE,iBAAiB,CAAC,CAAC;IAC3D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SAC1D,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE,EAAE,IAAI;QACR,OAAO,EAAE,qBAAqB;YAC5B,CAAC,CAAC,sCAAsC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,oEAAoE;YACvI,CAAC,CAAC,wFAAwF;KAC7F,CAAC;AACJ,CAAC"}
+{"version":3,"file":"manifest-refresh.js","sourceRoot":"","sources":["../../src/lib/manifest-refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,CAAC,MAAM,0BAA0B,GAAG,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,8BAA8B,CAAC,CAAC;AAEpG,0DAA0D;AAC1D,MAAM,CAAC,MAAM,yBAAyB,GAAG;IACvC,iBAAiB;IACjB,kBAAkB;IAClB,cAAc;IACd,wBAAwB;IACxB,OAAO,EAAW,kBAAkB;CAC5B,CAAC;AAyCX;;;;;GAKG;AACH,SAAS,YAAY,CAAC,GAAY,EAAE,QAAgB;IAClD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IACvD,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,OAAO,GAAY,GAAG,CAAC;IAC3B,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,EAAE,CAAC;QAC/D,OAAO,GAAI,OAAmC,CAAC,CAAC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACrC,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC;AAED;;;;;GAKG;AACH,SAAS,+BAA+B,CAAC,MAAe;IACtD,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,KAAK,IAAI,yBAAyB,EAAE,CAAC;QAC9C,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CACxC,UAAkB,EAClB,UAAkB;IAElB,IAAI,SAAkB,CAAC;IACvB,IAAI,SAAkB,CAAC;IACvB,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,SAAS,GAAG,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,SAAS,GAAG,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IACnC,CAAC;IAED,MAAM,SAAS,GAAG,+BAA+B,CAAC,SAAS,CAAC,CAAC;IAC7D,MAAM,SAAS,GAAG,+BAA+B,CAAC,SAAS,CAAC,CAAC;IAE7D,MAAM,aAAa,GAA6B,EAAE,CAAC;IACnD,KAAK,MAAM,KAAK,IAAI,yBAAyB,EAAE,CAAC;QAC9C,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1C,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,OAAO;QACL,qBAAqB,EAAE,aAAa,CAAC,MAAM,GAAG,CAAC;QAC/C,aAAa;KACd,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CACvB,KAAgC,EAChC,YAAoB,EACpB,iBAA0C;IAE1C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;IAC1C,IAAI,CAAC;QACH,iBAAiB,CAAC,YAAY,EAAE,IAAI,EAAE;YACpC,QAAQ,EAAE,MAAM;YAChB,IAAI,EAAE,GAAG;YACT,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChG,CAAC;AACH,CAAC;AAMD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,YAAoB,EACpB,gBAAyB,EACzB,OAA4B,EAAE,EAC9B,UAAmB;IAEnB,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,0BAA0B,CAAC;IACrE,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,WAAW,CAAC;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,YAAY,CAAC;IAC1D,MAAM,iBAAiB,GAAG,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC,aAAa,CAAC;IACjE,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,UAAU,CAAC;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAE/C,mFAAmF;IACnF,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC;IAElF,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,OAAO;YACL,EAAE,EAAE,KAAK;YACT,OAAO,EAAE,UAAU;gBACjB,CAAC,CAAC,6CAA6C,SAAS,EAAE;gBAC1D,CAAC,CAAC,kCAAkC,SAAS,EAAE;SAClD,CAAC;IACJ,CAAC;IAED,iEAAiE;IACjE,IAAI,KAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,WAAW,CAAC,SAAS,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAChE,KAAK,GAAI,OAAuB;aAC7B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;aACnF,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACxB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,OAAO,EAAE,iCAAiC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;SAC7F,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GAA6B,EAAE,CAAC;IACtD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAC5C,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAW,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,CAAC,kBAAkB;QAC9B,CAAC;QACD,sEAAsE;QACtE,qEAAqE;QACrE,sDAAsD;QACtD,gFAAgF;QAChF,2EAA2E;QAC3E,MAAM,IAAI,GAAG,0BAA0B,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACnC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAAE,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,MAAM,qBAAqB,GAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC;IAE1D,IAAI,qBAAqB,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC/C,OAAO;YACL,EAAE,EAAE,KAAK;YACT,OAAO,EACL,gEAAgE,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM;gBACjG,sEAAsE;SACzE,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,MAAM,KAAK,GAA8B;QACvC,EAAE,EAAE,GAAG,CAAC,WAAW,EAAE;QACrB,cAAc,EAAE,SAAS;QACzB,mBAAmB,EAAE,qBAAqB;QAC1C,cAAc,EAAE,gBAAgB;QAChC,QAAQ,EAAE,gBAAgB;QAC1B,YAAY,EAAE,OAAO,CAAC,GAAG;QACzB,GAAG,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACpD,CAAC;IAEF,IAAI,CAAC;QACH,gBAAgB,CAAC,KAAK,EAAE,YAAY,EAAE,iBAAiB,CAAC,CAAC;IAC3D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SAC1D,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE,EAAE,IAAI;QACR,OAAO,EAAE,qBAAqB;YAC5B,CAAC,CAAC,sCAAsC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,oEAAoE;YACvI,CAAC,CAAC,wFAAwF;KAC7F,CAAC;AACJ,CAAC"}

package/dist/lib/peripheral-registry.d.ts

@@ -0,0 +1,36 @@
+/**
+ * peripheral-registry.ts — Typed const registry of olam's 4 k8s peripheral services.
+ *
+ * Phase 2 Phase B (olam-host-suite-phase-2-peripheral-services-on-k3s).
+ *
+ * Each entry describes everything port-forward.ts (B2), upgrade-kubernetes.ts (C),
+ * and services.ts / doctor.ts (D) need to drive the lifecycle of one peripheral.
+ *
+ * ---
+ * YAML-DRIVEN REFACTOR TRIGGER (Decision D26)
+ *
+ * This file uses a hardcoded TypeScript const — acceptable while the registry
+ * has ≤4 entries (small, type-safe, IDE-checkable). ADD THE 5th PERIPHERAL HERE
+ * as a plain object literal first; if the registry grows to 5+ entries and the
+ * pattern becomes repetitive, THEN migrate to yaml-driven config. Do not
+ * over-engineer for the case that hasn't arrived.
+ * ---
+ *
+ * host-cp is NOT in PERIPHERALS. It is a named special-case in port-forward.ts.
+ */
+export type Peripheral = {
+    /** Human-readable name; matches the k8s Service metadata.name and docker-compose service name (olam-<name> prefix for compose). */
+    name: 'auth-service' | 'mcp-auth-service' | 'kg-service' | 'memory-service';
+    /** Local port kubectl port-forward binds on the host. */
+    port: number;
+    /** k8s Service metadata.name in the olam namespace (Phase A 60-service.yaml). */
+    k8sServiceName: string;
+    /** docker-compose service name for the compose substrate equivalent (Phase D). */
+    composeContainerName: string;
+    /** ENV var name in host-cp's deployment ConfigMap that exposes this peripheral's URL. */
+    configMapKeyInHostCp: string;
+    /** Health check path — e.g. /health or /agentmemory/livez. */
+    healthPath: string;
+};
+export declare const PERIPHERALS: ReadonlyArray<Peripheral>;
+//# sourceMappingURL=peripheral-registry.d.ts.map

package/dist/lib/peripheral-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"peripheral-registry.d.ts","sourceRoot":"","sources":["../../src/lib/peripheral-registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,MAAM,MAAM,UAAU,GAAG;IACvB,mIAAmI;IACnI,IAAI,EAAE,cAAc,GAAG,kBAAkB,GAAG,YAAY,GAAG,gBAAgB,CAAC;IAC5E,yDAAyD;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,iFAAiF;IACjF,cAAc,EAAE,MAAM,CAAC;IACvB,kFAAkF;IAClF,oBAAoB,EAAE,MAAM,CAAC;IAC7B,yFAAyF;IACzF,oBAAoB,EAAE,MAAM,CAAC;IAC7B,8DAA8D;IAC9D,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,eAAO,MAAM,WAAW,EAAE,aAAa,CAAC,UAAU,CAiCxC,CAAC"}

package/dist/lib/peripheral-registry.js

@@ -0,0 +1,55 @@
+/**
+ * peripheral-registry.ts — Typed const registry of olam's 4 k8s peripheral services.
+ *
+ * Phase 2 Phase B (olam-host-suite-phase-2-peripheral-services-on-k3s).
+ *
+ * Each entry describes everything port-forward.ts (B2), upgrade-kubernetes.ts (C),
+ * and services.ts / doctor.ts (D) need to drive the lifecycle of one peripheral.
+ *
+ * ---
+ * YAML-DRIVEN REFACTOR TRIGGER (Decision D26)
+ *
+ * This file uses a hardcoded TypeScript const — acceptable while the registry
+ * has ≤4 entries (small, type-safe, IDE-checkable). ADD THE 5th PERIPHERAL HERE
+ * as a plain object literal first; if the registry grows to 5+ entries and the
+ * pattern becomes repetitive, THEN migrate to yaml-driven config. Do not
+ * over-engineer for the case that hasn't arrived.
+ * ---
+ *
+ * host-cp is NOT in PERIPHERALS. It is a named special-case in port-forward.ts.
+ */
+export const PERIPHERALS = [
+    {
+        name: 'auth-service',
+        port: 9999,
+        k8sServiceName: 'auth-service',
+        composeContainerName: 'olam-auth-service',
+        configMapKeyInHostCp: 'OLAM_AUTH_SERVICE_URL',
+        healthPath: '/health',
+    },
+    {
+        name: 'mcp-auth-service',
+        port: 9998,
+        k8sServiceName: 'mcp-auth-service',
+        composeContainerName: 'olam-mcp-auth-service',
+        configMapKeyInHostCp: 'OLAM_MCP_AUTH_SERVICE_URL',
+        healthPath: '/health',
+    },
+    {
+        name: 'kg-service',
+        port: 9997,
+        k8sServiceName: 'kg-service',
+        composeContainerName: 'olam-kg-service',
+        configMapKeyInHostCp: 'OLAM_KG_SERVICE_URL',
+        healthPath: '/health',
+    },
+    {
+        name: 'memory-service',
+        port: 3111,
+        k8sServiceName: 'memory-service',
+        composeContainerName: 'olam-memory-service',
+        configMapKeyInHostCp: 'OLAM_MEMORY_SERVICE_URL',
+        healthPath: '/agentmemory/livez',
+    },
+];
+//# sourceMappingURL=peripheral-registry.js.map

package/dist/lib/peripheral-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"peripheral-registry.js","sourceRoot":"","sources":["../../src/lib/peripheral-registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAiBH,MAAM,CAAC,MAAM,WAAW,GAA8B;IACpD;QACE,IAAI,EAAE,cAAc;QACpB,IAAI,EAAE,IAAI;QACV,cAAc,EAAE,cAAc;QAC9B,oBAAoB,EAAE,mBAAmB;QACzC,oBAAoB,EAAE,uBAAuB;QAC7C,UAAU,EAAE,SAAS;KACtB;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,IAAI,EAAE,IAAI;QACV,cAAc,EAAE,kBAAkB;QAClC,oBAAoB,EAAE,uBAAuB;QAC7C,oBAAoB,EAAE,2BAA2B;QACjD,UAAU,EAAE,SAAS;KACtB;IACD;QACE,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,IAAI;QACV,cAAc,EAAE,YAAY;QAC5B,oBAAoB,EAAE,iBAAiB;QACvC,oBAAoB,EAAE,qBAAqB;QAC3C,UAAU,EAAE,SAAS;KACtB;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,IAAI,EAAE,IAAI;QACV,cAAc,EAAE,gBAAgB;QAChC,oBAAoB,EAAE,qBAAqB;QAC3C,oBAAoB,EAAE,yBAAyB;QAC/C,UAAU,EAAE,oBAAoB;KACjC;CACO,CAAC"}

package/dist/lib/port-forward.d.ts

@@ -4,10 +4,19 @@
  * Phase 1b C1 of olam-host-suite-phase-1b-k3s-beta-flavour (plan
  * ~/.claude/plans/olam-host-suite-phase-1b-k3s-beta-flavour.md).
  *
+ * Phase 2 Phase B B2 (olam-host-suite-phase-2-peripheral-services-on-k3s):
+ *   Extended with registry-driven multi-peripheral support:
+ *     spawnAllPeripheralPortForwards() — iterate PERIPHERALS; spawn each in parallel
+ *     stopAllPeripheralPortForwards()  — SIGTERM each peripheral's port-forward
+ *     getPeripheralLivenessSnapshot()  — TCP probe all 4 peripherals; return {name, alive}[]
+ *   Each peripheral uses its own independent flock + PID file named by peripheral.name.
+ *   host-cp port-forward retained as a named special-case; Phase 1b callers unchanged.
+ *
  * Decisions consumed:
  *   D17 — port-forward spawn via flock advisory lock (race-safe)
  *   D23 — PID file at ~/.olam/state/port-forward.pid (mode 0600)
  *   D24 — probePortForwardLiveness uses TCP probe, NOT kill(pid, 0)
+ *   D26 — per-peripheral PID/lock at ~/.olam/state/port-forward-<name>.{pid,lock}
  *
  * ## Flock strategy (why O_CREAT|O_EXCL, not POSIX flock(2))
  *
@@ -40,6 +49,7 @@
 import { spawn } from 'node:child_process';
 import * as path from 'node:path';
 import * as os from 'node:os';
+import { type Peripheral } from './peripheral-registry.js';
 export declare const PORT_FORWARD_PORT = 19000;
 export declare const PORT_FORWARD_LOCK_PATH: string;
 export declare const PORT_FORWARD_PID_PATH: string;
@@ -97,5 +107,62 @@ export declare function spawnPortForward(context: string, namespace: string, tar
  * No-op when no PID file exists. Returns true when a process was signalled.
  */
 export declare function stopPortForward(deps?: PortForwardDeps): boolean;
+/**
+ * Options for peripheral port-forward operations (injectable for tests).
+ * Extends the same deps pattern as the host-cp single port-forward.
+ */
+export interface PeripheralPortForwardDeps {
+    /** Override state directory (default: OLAM_STATE_DIR). Used in tests to isolate state. */
+    readonly stateDir?: string;
+    /** Override spawn factory (default: child_process.spawn). */
+    readonly spawnImpl?: typeof spawn;
+    /** Override TCP probe (default: real TCP socket). */
+    readonly tcpProbeImpl?: (host: string, port: number, timeoutMs: number) => Promise<boolean>;
+}
+/**
+ * Spawn a kubectl port-forward for a single peripheral, guarded by an
+ * independent advisory lock per peripheral. Mirrors the Phase 1b host-cp
+ * pattern (D17/D23/D24) generalised to any Peripheral entry.
+ *
+ * Returns true when a new process was spawned; false when the tunnel was
+ * already live or the lock was held by a concurrent caller.
+ *
+ * @internal — called by spawnAllPeripheralPortForwards; exported for test injection.
+ */
+export declare function spawnPeripheralPortForward(peripheral: Peripheral, context: string, namespace: string, deps?: PeripheralPortForwardDeps): Promise<boolean>;
+/**
+ * Spawn kubectl port-forward processes for all 4 peripherals in parallel.
+ *
+ * Each peripheral uses its own independent flock + PID file
+ * (`~/.olam/state/port-forward-<name>.{lock,pid}`), so locking one
+ * peripheral does NOT block another.
+ *
+ * @param context - kubectl context name (--context flag); defaults to 'olam'
+ * @param namespace - target namespace; defaults to 'olam'
+ * @param deps - injectable dependencies for testing
+ */
+export declare function spawnAllPeripheralPortForwards(context?: string, namespace?: string, deps?: PeripheralPortForwardDeps): Promise<void>;
+/**
+ * Send SIGTERM to all running peripheral port-forward processes and
+ * remove their PID and lock files.
+ *
+ * No-op for any peripheral whose PID file is absent (process already stopped).
+ *
+ * @param deps - injectable dependencies for testing (stateDir override)
+ */
+export declare function stopAllPeripheralPortForwards(deps?: Pick<PeripheralPortForwardDeps, 'stateDir'>): void;
+export interface PeripheralLivenessEntry {
+    name: string;
+    alive: boolean;
+}
+/**
+ * TCP-probe each peripheral and return a snapshot of their liveness.
+ *
+ * Uses the same realTcpProbe utility as probePortForwardLiveness (D24).
+ * Probes run in parallel for speed.
+ *
+ * @param deps - injectable dependencies for testing
+ */
+export declare function getPeripheralLivenessSnapshot(deps?: Pick<PeripheralPortForwardDeps, 'tcpProbeImpl'>): Promise<PeripheralLivenessEntry[]>;
 export { os, path };
 //# sourceMappingURL=port-forward.d.ts.map

package/dist/lib/port-forward.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"port-forward.d.ts","sourceRoot":"","sources":["../../src/lib/port-forward.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAG3C,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAG9B,eAAO,MAAM,iBAAiB,QAAQ,CAAC;AACvC,eAAO,MAAM,sBAAsB,QAAiD,CAAC;AACrF,eAAO,MAAM,qBAAqB,QAAgD,CAAC;AAKnF,MAAM,WAAW,eAAe;IAC9B,2EAA2E;IAC3E,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,qDAAqD;IACrD,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IAClC,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5F,uEAAuE;IACvE,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CAC7B;AAED;;;;;;;;GAQG;AACH,wBAAsB,wBAAwB,CAC5C,IAAI,GAAE,IAAI,CAAC,eAAe,EAAE,cAAc,CAAM,GAC/C,OAAO,CAAC,OAAO,CAAC,CAGlB;AA8ED,MAAM,MAAM,sBAAsB,GAC9B;IAAE,OAAO,EAAE,IAAI,CAAC;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,GAC/B;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,GAAG,WAAW,CAAA;CAAE,CAAC;AAErD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,GAAE,MAA0B,EACrC,UAAU,GAAE,MAA0B,EACtC,IAAI,GAAE,eAAoB,GACzB,OAAO,CAAC,sBAAsB,CAAC,CAgEjC;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,IAAI,GAAE,eAAoB,GAAG,OAAO,CAWnE;AAGD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC"}
+{"version":3,"file":"port-forward.d.ts","sourceRoot":"","sources":["../../src/lib/port-forward.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+CG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAG3C,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAe,KAAK,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAExE,eAAO,MAAM,iBAAiB,QAAQ,CAAC;AACvC,eAAO,MAAM,sBAAsB,QAAiD,CAAC;AACrF,eAAO,MAAM,qBAAqB,QAAgD,CAAC;AAKnF,MAAM,WAAW,eAAe;IAC9B,2EAA2E;IAC3E,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,qDAAqD;IACrD,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IAClC,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5F,uEAAuE;IACvE,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CAC7B;AAED;;;;;;;;GAQG;AACH,wBAAsB,wBAAwB,CAC5C,IAAI,GAAE,IAAI,CAAC,eAAe,EAAE,cAAc,CAAM,GAC/C,OAAO,CAAC,OAAO,CAAC,CAGlB;AA8ED,MAAM,MAAM,sBAAsB,GAC9B;IAAE,OAAO,EAAE,IAAI,CAAC;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,GAC/B;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,GAAG,WAAW,CAAA;CAAE,CAAC;AAErD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,GAAE,MAA0B,EACrC,UAAU,GAAE,MAA0B,EACtC,IAAI,GAAE,eAAoB,GACzB,OAAO,CAAC,sBAAsB,CAAC,CAgEjC;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,IAAI,GAAE,eAAoB,GAAG,OAAO,CAWnE;AAID;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,0FAA0F;IAC1F,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,6DAA6D;IAC7D,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IAClC,qDAAqD;IACrD,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CAC7F;AAoBD;;;;;;;;;GASG;AACH,wBAAsB,0BAA0B,CAC9C,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,IAAI,GAAE,yBAA8B,GACnC,OAAO,CAAC,OAAO,CAAC,CAkElB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,8BAA8B,CAClD,OAAO,SAAS,EAChB,SAAS,SAAS,EAClB,IAAI,GAAE,yBAA8B,GACnC,OAAO,CAAC,IAAI,CAAC,CAIf;AAED;;;;;;;GAOG;AACH,wBAAgB,6BAA6B,CAC3C,IAAI,GAAE,IAAI,CAAC,yBAAyB,EAAE,UAAU,CAAM,GACrD,IAAI,CAYN;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,OAAO,CAAC;CAChB;AAED;;;;;;;GAOG;AACH,wBAAsB,6BAA6B,CACjD,IAAI,GAAE,IAAI,CAAC,yBAAyB,EAAE,cAAc,CAAM,GACzD,OAAO,CAAC,uBAAuB,EAAE,CAAC,CAQpC;AAGD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC"}