@pleri/olam-cli 0.1.147 → 0.1.148

package/dist/lib/upgrade-kubernetes.js

@@ -4,48 +4,102 @@
  * Phase 1b C2 of olam-host-suite-phase-1b-k3s-beta-flavour (plan
  * ~/.claude/plans/olam-host-suite-phase-1b-k3s-beta-flavour.md).
  *
+ * Phase 2 Phase C extensions:
+ *   C1  — step 2.5: in-memory ConfigMap substitution for inter-peripheral K8s DNS URLs (D4)
+ *   C2  — step 2.6: per-peripheral Secret pre-check (iterates PERIPHERALS; D12 pattern)
+ *   C3  — step 2.7: CoreDNS warm-up wait + extend steps 3/4/5 to iterate peripherals
+ *
+ * Phase 2 Phase D extensions:
+ *   D5  — OLAM_PHASE_2_BETA guard removed; all peripherals deploy unconditionally (Phase 2 GA)
+ *
  * Decisions consumed:
+ *   D4  — K8s DNS URL form for inter-peripheral service URLs
  *   D10 — context-allowlist + OLAM_K8S_CONTEXT_ACK strict-equality check
  *   D12 — Secret pre-check (base64-decode + key-name + placeholder exact match)
  *   D14 — --force-refresh-manifests flag + --accept-security-regression guard
  *   D15 — kubectl rollout status --timeout=90s; state snapshot on failure
  *   D17 — port-forward spawn via flock (spawnPortForward from port-forward.ts)
  *   D22 — probeKubernetesApiReachable pre-flight via kubectl-wrap (5s timeout)
+ *   D27 — audit log entry (phase2.flag_removed) emitted per upgrade run
  *
- * Step order:
- *   0  probeKubernetesApiReachable — 5s timeout kubectl cluster-info
- *   1  D10 context-allowlist + OLAM_K8S_CONTEXT_ACK strict-equality byte-for-byte
- *   2  D12 Secret pre-check (olam-host-cp-secret; base64-decode; key-name check)
- *   3  kubectl apply --context <pinned> -f ~/.olam/k8s/manifests/
- *   4  D15 kubectl rollout status --context <pinned> --timeout=90s (95s wrap)
- *   5  D17 port-forward spawn via flock
- *   6  verify /health returns X-Olam-Engine: kubernetes
- *   7  emit upgrade.complete instrumentation event
- *   8  success message
+ * Step order (Phase D — kubernetes substrate, Phase 2 GA):
+ *   0    probeKubernetesApiReachable — 5s timeout kubectl cluster-info
+ *   1    D10 context-allowlist + OLAM_K8S_CONTEXT_ACK strict-equality byte-for-byte
+ *   2    D12 Secret pre-check (olam-host-cp-secret; base64-decode; key-name check)
+ *   2.5  C1 in-memory ConfigMap substitution — K8s DNS URLs for inter-peripheral URLs
+ *   2.6  C2 per-peripheral Secret pre-check (iterates PERIPHERALS; unconditional — D5)
+ *   2.7  C3 CoreDNS warm-up wait (kubectl wait --for=condition=Available deployment/coredns -n kube-system)
+ *   3    kubectl apply host-cp manifests + all 4 peripheral manifest dirs (alphabetical)
+ *   4    D15 kubectl rollout status (all 5 deployments in parallel)
+ *   5    D17 port-forward spawn for host-cp + spawnAllPeripheralPortForwards in parallel
+ *   6    verify /health returns X-Olam-Engine: kubernetes
+ *   7    emit upgrade.complete instrumentation event
+ *   8    success message
  *
  * Manifests NOT auto-rolled-back on failure (D15 spec). Operator must
  * manually intervene; state snapshot is printed on failure.
  */
+import * as fs from 'node:fs';
 import * as os from 'node:os';
 import * as path from 'node:path';
+import { parse as yamlParse, stringify as yamlStringify } from 'yaml';
 import ora from 'ora';
 import pc from 'picocolors';
 import { printError, printSuccess, printInfo, printWarning } from '../output.js';
 import { kubectlWrap } from './kubectl-wrap.js';
-import { spawnPortForward, probePortForwardLiveness } from './port-forward.js';
+import { spawnPortForward, spawnAllPeripheralPortForwards, probePortForwardLiveness } from './port-forward.js';
 import { emitUpgradeComplete } from './instrumentation.js';
 import { runManifestRefresh } from './manifest-refresh.js';
-import { OLAM_HOME } from './config.js';
+import { OLAM_HOME, OLAM_STATE_DIR } from './config.js';
+import { PERIPHERALS } from './peripheral-registry.js';
 export const OLAM_K8S_MANIFESTS_DIR = path.join(OLAM_HOME, 'k8s', 'manifests');
 export const K8S_NAMESPACE = 'olam';
 export const HOST_CP_SECRET_NAME = 'olam-host-cp-secret';
 export const HOST_CP_DEPLOYMENT_NAME = 'olam-host-cp';
 export const PORT_FORWARD_TARGET = 'service/olam-host-cp';
 export const HOST_CP_HEALTH_URL = 'http://127.0.0.1:19000/health';
+/** Audit log for substrate upgrade events (D18). */
+export const SUBSTRATE_AUDIT_LOG = path.join(OLAM_STATE_DIR, 'substrate-audit.jsonl');
 /** Placeholder values that indicate the Secret has not been configured (D12). */
 const PLACEHOLDER_VALUES = new Set(['OLAM_AUTH_SECRET', 'GH_TOKEN']);
 /** Required keys in the olam-host-cp-secret (D12). */
 const REQUIRED_SECRET_KEYS = ['OLAM_AUTH_SECRET', 'GH_TOKEN'];
+/**
+ * Peripheral secret metadata: name and required keys with their placeholder patterns.
+ * Placeholder pattern: starts with REPLACE_ME_ (as per the template files in
+ * packages/host-cp/k8s/templates/).
+ */
+const PERIPHERAL_SECRETS = [
+    { name: 'auth-service', secretName: 'olam-auth-service-secret', keys: ['OLAM_AUTH_DB_SECRET'] },
+    { name: 'mcp-auth-service', secretName: 'olam-mcp-auth-service-secret', keys: ['OLAM_MCP_AUTH_JWT_SECRET'] },
+    { name: 'kg-service', secretName: 'olam-kg-service-secret', keys: ['OLAM_KG_BEARER_TOKEN'] },
+    { name: 'memory-service', secretName: 'olam-memory-service-secret', keys: ['OLAM_MEMORY_BEARER_SECRET'] },
+];
+/** K8s cluster DNS base domain for the olam namespace. */
+const K8S_DNS_SUFFIX = 'olam.svc.cluster.local';
+/**
+ * Build the K8s in-cluster DNS URL for a peripheral service.
+ * Form: http://<k8sServiceName>.olam.svc.cluster.local:<port>
+ */
+function buildK8sDnsUrl(k8sServiceName, port) {
+    return `http://${k8sServiceName}.${K8S_DNS_SUFFIX}:${port}`;
+}
+/**
+ * Append a JSONL audit entry to the substrate audit log (D18).
+ * Best-effort: errors are logged to stderr but do not abort the upgrade.
+ */
+function appendSubstrateAuditEntry(entry, stderr) {
+    try {
+        const line = JSON.stringify(entry) + '\n';
+        const dir = path.dirname(SUBSTRATE_AUDIT_LOG);
+        if (!fs.existsSync(dir))
+            fs.mkdirSync(dir, { recursive: true });
+        fs.writeFileSync(SUBSTRATE_AUDIT_LOG, line, { encoding: 'utf8', flag: 'a', mode: 0o600 });
+    }
+    catch (err) {
+        stderr.write(`${pc.yellow('[warn]')} could not write substrate audit log: ${err instanceof Error ? err.message : String(err)}\n`);
+    }
+}
 /** D10 — allowed kubectl context patterns. Currently: anything non-empty.
  * The allowlist is enforced by OLAM_K8S_CONTEXT_ACK strict-equality. */
 function isContextAllowed(context) {
@@ -135,6 +189,122 @@ async function waitForRollout(context, deps, stderr) {
     stderr.write(`\n${pc.yellow('note:')} Manifests are NOT auto-rolled-back. Inspect the state above and remediate manually.\n`);
     return false;
 }
+/**
+ * Step 2.5 — C1: in-memory ConfigMap substitution for inter-peripheral K8s DNS URLs (D4).
+ *
+ * Reads the bundled host-cp ConfigMap YAML from manifestsDir/30-configmap.yaml,
+ * patches the inter-peripheral URL values to K8s cluster-DNS form, then applies
+ * the patched manifest via `kubectl apply -f -` on stdin.
+ *
+ * Does NOT rewrite any file on disk.
+ * Only runs on kubernetes substrate (called after substrate check).
+ *
+ * Returns null on success; error message string on failure.
+ */
+async function applyConfigMapSubstitution(context, manifestsDir, deps) {
+    const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+    const readFileSync = deps.readFileSyncImpl ?? fs.readFileSync;
+    const configMapPath = path.join(manifestsDir, '30-configmap.yaml');
+    let rawYaml;
+    try {
+        rawYaml = readFileSync(configMapPath, 'utf8');
+    }
+    catch (err) {
+        return `Failed to read ConfigMap at ${configMapPath}: ${err instanceof Error ? err.message : String(err)}`;
+    }
+    // Parse → patch data values → re-serialize.
+    let parsed;
+    try {
+        parsed = yamlParse(rawYaml);
+    }
+    catch (err) {
+        return `Failed to parse ConfigMap YAML at ${configMapPath}: ${err instanceof Error ? err.message : String(err)}`;
+    }
+    const data = (parsed['data'] ?? {});
+    // Substitute each peripheral's ConfigMap key to K8s DNS form.
+    for (const peripheral of PERIPHERALS) {
+        data[peripheral.configMapKeyInHostCp] = buildK8sDnsUrl(peripheral.k8sServiceName, peripheral.port);
+    }
+    parsed['data'] = data;
+    const patchedYaml = yamlStringify(parsed);
+    // Apply via stdin pipe (D20 compliance: no value in argv).
+    const result = await wrap(['--context', context, 'apply', '-f', '-'], { timeout: 30_000, stdin: patchedYaml });
+    if (!result.ok) {
+        return `kubectl apply (ConfigMap substitution) failed: ${result.stderr.split('\n')[0] ?? ''}`;
+    }
+    return null;
+}
+/**
+ * Step 2.6 — C2: per-peripheral Secret pre-check.
+ *
+ * Iterates PERIPHERAL_SECRETS; for each, fetches the Secret via kubectl,
+ * base64-decodes each value, and refuses if:
+ *   (a) Secret does not exist → names the peripheral + Secret resource.
+ *   (b) Any key is missing → names the peripheral + key.
+ *   (c) Any value starts with REPLACE_ME_ (placeholder not configured) → names key.
+ *
+ * Mirrors Phase 1b's D12 host-cp Secret pre-check pattern, generalised to N peripherals.
+ *
+ * Returns null on success; error message string on first failure.
+ */
+async function checkPeripheralSecrets(context, deps) {
+    const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+    for (const { name, secretName, keys } of PERIPHERAL_SECRETS) {
+        const result = await wrap([
+            '--context', context,
+            'get', 'secret', secretName,
+            '-n', K8S_NAMESPACE,
+            '-o', 'json',
+        ], { timeout: 15_000 });
+        if (!result.ok) {
+            return (`Peripheral Secret "${secretName}" (${name}) not found in namespace "${K8S_NAMESPACE}".\n` +
+                `  Create it first: kubectl --context ${context} apply -f <your-${name}-secret.yaml>\n` +
+                `  ${result.stderr.split('\n')[0] ?? ''}`);
+        }
+        let secretJson;
+        try {
+            secretJson = JSON.parse(result.stdout);
+        }
+        catch {
+            return `Failed to parse Secret JSON for "${secretName}" (${name}): ${result.stdout.slice(0, 200)}`;
+        }
+        const data = secretJson.data ?? {};
+        for (const key of keys) {
+            if (!(key in data)) {
+                return (`Peripheral Secret "${secretName}" (${name}) is missing required key "${key}".\n` +
+                    `  Keys found: ${Object.keys(data).join(', ') || '(none)'}\n` +
+                    `  Add the key and re-run.`);
+            }
+            const b64 = data[key] ?? '';
+            const decoded = Buffer.from(b64, 'base64').toString('utf8');
+            if (decoded.startsWith('REPLACE_ME_')) {
+                return (`Peripheral Secret "${secretName}" (${name}) key "${key}" still holds its placeholder value.\n` +
+                    `  Replace the placeholder with a real value, then re-run.`);
+            }
+        }
+    }
+    return null; // all peripheral secrets verified
+}
+/**
+ * Step 2.7 — C3: CoreDNS warm-up wait.
+ *
+ * Runs `kubectl wait --for=condition=Available deployment/coredns -n kube-system --timeout=30s`
+ * before step 3 to ensure DNS resolution is available for peripheral service discovery.
+ *
+ * Returns true on success; false on timeout or failure.
+ */
+async function waitForCoreDns(context, deps) {
+    const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+    const result = await wrap([
+        '--context', context,
+        'wait',
+        '--for=condition=Available',
+        'deployment/coredns',
+        '-n', 'kube-system',
+        '--timeout=30s',
+    ], { timeout: 35_000 });
+    return result.ok;
+}
 /**
  * Step 6 — verify /health returns X-Olam-Engine: kubernetes.
  */
@@ -214,9 +384,46 @@ export async function runUpgradeKubernetes(opts = {}, deps = {}) {
         return { exitCode: 1, summary: 'secret pre-check failed' };
     }
     step2Spinner.succeed(`Secret ${HOST_CP_SECRET_NAME} verified`);
+    // ── D5: Phase 2 GA — OLAM_PHASE_2_BETA guard removed (D27) ──────
+    // Emit phase2.flag_removed audit log entry per upgrade run (D27).
+    appendSubstrateAuditEntry({
+        ts: new Date(deps.nowImpl ? deps.nowImpl() : Date.now()).toISOString(),
+        op: 'upgrade',
+        substrate: 'kubernetes',
+        phase2: { flag_removed: true },
+    }, stderr);
+    // ── Step 2.5: C1 — in-memory ConfigMap substitution (K8s DNS URLs) ──
+    const step25Spinner = ora('Patching ConfigMap with K8s DNS URLs (C1/D4)').start();
+    const configMapError = await applyConfigMapSubstitution(pinnedContext, manifestsDir, deps);
+    if (configMapError !== null) {
+        step25Spinner.fail('ConfigMap substitution failed');
+        stderr.write(`${pc.red('error:')} ${configMapError}\n`);
+        return { exitCode: 1, summary: 'configmap substitution failed' };
+    }
+    step25Spinner.succeed('ConfigMap patched with K8s DNS URLs');
+    // ── Step 2.6: C2 — per-peripheral Secret pre-check ──────────────
+    const step26Spinner = ora('Checking peripheral Secrets (C2)').start();
+    const peripheralSecretError = await checkPeripheralSecrets(pinnedContext, deps);
+    if (peripheralSecretError !== null) {
+        step26Spinner.fail('Peripheral Secret pre-check failed');
+        stderr.write(`${pc.red('error:')} ${peripheralSecretError}\n`);
+        return { exitCode: 1, summary: 'peripheral secret pre-check failed' };
+    }
+    step26Spinner.succeed('All peripheral Secrets verified');
+    // ── Step 2.7: C3 — CoreDNS warm-up wait ────────────────────────
+    const step27Spinner = ora('Waiting for CoreDNS (C3, 30s timeout)').start();
+    const coreDnsOk = await waitForCoreDns(pinnedContext, deps);
+    if (!coreDnsOk) {
+        step27Spinner.warn('CoreDNS not Available within 30s — continuing (DNS may be degraded)');
+    }
+    else {
+        step27Spinner.succeed('CoreDNS Available');
+    }
     // ── Step 3: kubectl apply ─────────────────────────────────────────
     const step3Spinner = ora('Applying manifests').start();
     const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
+    // Always apply host-cp manifests (top-level manifests dir).
+    // kubectl -f <dir> does NOT recurse by default — peripheral subdirs are ignored here.
     const applyResult = await wrap(['--context', pinnedContext, 'apply', '-f', manifestsDir], { timeout: 120_000 });
     if (!applyResult.ok) {
         step3Spinner.fail('kubectl apply failed');
@@ -224,24 +431,61 @@ export async function runUpgradeKubernetes(opts = {}, deps = {}) {
             `  ${applyResult.stderr.split('\n').slice(0, 5).join('\n  ')}\n`);
         return { exitCode: 1, summary: 'kubectl apply failed' };
     }
-    step3Spinner.succeed('Manifests applied');
+    // Apply each peripheral's manifest directory (alphabetical order).
+    const peripheralNames = [...PERIPHERALS.map((p) => p.name)].sort();
+    for (const name of peripheralNames) {
+        const peripheralManifestsDir = path.join(manifestsDir, name);
+        const peripheralApplyResult = await wrap(['--context', pinnedContext, 'apply', '-f', peripheralManifestsDir], { timeout: 120_000 });
+        if (!peripheralApplyResult.ok) {
+            step3Spinner.fail(`kubectl apply failed for peripheral "${name}"`);
+            stderr.write(`${pc.red('error:')} kubectl apply failed for peripheral "${name}" (exit ${peripheralApplyResult.exitCode}):\n` +
+                `  ${peripheralApplyResult.stderr.split('\n').slice(0, 5).join('\n  ')}\n`);
+            return { exitCode: 1, summary: `kubectl apply failed for peripheral ${name}` };
+        }
+    }
+    step3Spinner.succeed('All manifests applied (host-cp + 4 peripherals)');
     // ── Step 4: D15 — kubectl rollout status (90s timeout, 95s wrap) ──
-    const step4Spinner = ora('Waiting for rollout (90s)').start();
-    const rolloutOk = await waitForRollout(pinnedContext, deps, stderr);
-    if (!rolloutOk) {
-        step4Spinner.fail('Rollout status failed or timed out');
+    // Wait for all 5 deployments in parallel (host-cp + 4 peripherals).
+    const step4Spinner = ora('Waiting for rollout (all 5 deployments, 90s each)').start();
+    const deploymentNames = [
+        HOST_CP_DEPLOYMENT_NAME,
+        ...PERIPHERALS.map((p) => p.name),
+    ];
+    const rolloutResults = await Promise.all(deploymentNames.map((deploymentName) => (deps.kubectlWrapImpl ?? kubectlWrap)([
+        '--context', pinnedContext,
+        'rollout', 'status',
+        `deployment/${deploymentName}`,
+        '-n', K8S_NAMESPACE,
+        '--timeout=90s',
+    ], { timeout: 95_000 })));
+    const failedDeployments = deploymentNames.filter((_, i) => !rolloutResults[i]?.ok);
+    if (failedDeployments.length > 0) {
+        step4Spinner.fail(`Rollout failed for: ${failedDeployments.join(', ')}`);
+        // Emit state snapshot for failed deployments (mirrors D15 pattern).
+        for (const name of failedDeployments) {
+            stderr.write(`${pc.red('error:')} rollout status failed for deployment/${name}.\n`);
+            stderr.write(`${pc.dim(`--- kubectl get pods -n ${K8S_NAMESPACE} -o wide ---`)}\n`);
+            const podsResult = await wrap(['--context', pinnedContext, 'get', 'pods', '-n', K8S_NAMESPACE, '-o', 'wide'], { timeout: 10_000 });
+            stderr.write((podsResult.stdout || podsResult.stderr || '(no output)') + '\n');
+        }
+        stderr.write(`\n${pc.yellow('note:')} Manifests are NOT auto-rolled-back. Inspect the state above and remediate manually.\n`);
         return { exitCode: 1, summary: 'rollout status timed out' };
     }
-    step4Spinner.succeed('Rollout complete');
+    step4Spinner.succeed('All 5 deployments rolled out');
     // ── Step 5: D17 — port-forward spawn via flock ───────────────────
+    // Spawn host-cp and all peripheral port-forwards in parallel.
     const step5Spinner = ora('Establishing port-forward').start();
     const pfSpawn = deps.spawnPortForwardImpl ?? spawnPortForward;
-    const pfResult = await pfSpawn(pinnedContext, K8S_NAMESPACE, PORT_FORWARD_TARGET, 19000, 19000, deps.portForwardDeps ?? {});
+    const spawnAllPeripheral = deps.spawnAllPeripheralPortForwardsImpl ?? spawnAllPeripheralPortForwards;
+    const [pfResult] = await Promise.all([
+        pfSpawn(pinnedContext, K8S_NAMESPACE, PORT_FORWARD_TARGET, 19000, 19000, deps.portForwardDeps ?? {}),
+        spawnAllPeripheral(pinnedContext, K8S_NAMESPACE, deps.peripheralPortForwardDeps ?? {}),
+    ]);
     if (pfResult.spawned) {
-        step5Spinner.succeed(`Port-forward spawned (pid ${pfResult.pid})`);
+        step5Spinner.succeed(`Port-forward spawned (pid ${pfResult.pid}) + all peripheral port-forwards`);
     }
     else if (pfResult.reason === 'live') {
-        step5Spinner.succeed('Port-forward already live');
+        step5Spinner.succeed('Port-forward already live + peripheral port-forwards spawned');
     }
     else {
         step5Spinner.warn('Port-forward lock held by concurrent caller; skipping spawn');

package/dist/lib/upgrade-kubernetes.js.map

@@ -1 +1 @@
-{"version":3,"file":"upgrade-kubernetes.js","sourceRoot":"","sources":["../../src/lib/upgrade-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACjF,OAAO,EAAE,WAAW,EAAwB,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAwB,MAAM,mBAAmB,CAAC;AACrG,OAAO,EAAE,mBAAmB,EAAiB,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAA4B,MAAM,uBAAuB,CAAC;AACrF,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAExC,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC;AAC/E,MAAM,CAAC,MAAM,aAAa,GAAG,MAAM,CAAC;AACpC,MAAM,CAAC,MAAM,mBAAmB,GAAG,qBAAqB,CAAC;AACzD,MAAM,CAAC,MAAM,uBAAuB,GAAG,cAAc,CAAC;AACtD,MAAM,CAAC,MAAM,mBAAmB,GAAG,sBAAsB,CAAC;AAC1D,MAAM,CAAC,MAAM,kBAAkB,GAAG,+BAA+B,CAAC;AAElE,iFAAiF;AACjF,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,CAAC,kBAAkB,EAAE,UAAU,CAAC,CAAC,CAAC;AAErE,sDAAsD;AACtD,MAAM,oBAAoB,GAAG,CAAC,kBAAkB,EAAE,UAAU,CAAU,CAAC;AAEvE;wEACwE;AACxE,SAAS,gBAAgB,CAAC,OAAe;IACvC,OAAO,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;AAC3D,CAAC;AAqCD;;;GAGG;AACH,KAAK,UAAU,2BAA2B,CACxC,OAAe,EACf,IAA2B;IAE3B,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CACvB,CAAC,WAAW,EAAE,OAAO,EAAE,cAAc,CAAC,EACtC,EAAE,OAAO,EAAE,KAAK,EAAE,CACnB,CAAC;IACF,OAAO,MAAM,CAAC,EAAE,CAAC;AACnB,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,UAAU,uBAAuB,CACpC,OAAe,EACf,IAA2B;IAE3B,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CACvB;QACE,WAAW,EAAE,OAAO;QACpB,KAAK,EAAE,QAAQ,EAAE,mBAAmB;QACpC,IAAI,EAAE,aAAa;QACnB,IAAI,EAAE,MAAM;KACb,EACD,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IAEF,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,OAAO,CACL,WAAW,mBAAmB,6BAA6B,aAAa,MAAM;YAC9E,wCAAwC,OAAO,gCAAgC;YAC/E,KAAK,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,CAC1C,CAAC;IACJ,CAAC;IAED,IAAI,UAA6C,CAAC;IAClD,IAAI,CAAC;QACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAsB,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,gCAAgC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;IACvE,CAAC;IAED,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,IAAI,EAAE,CAAC;IAEnC,KAAK,MAAM,GAAG,IAAI,oBAAoB,EAAE,CAAC;QACvC,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC;YACnB,OAAO,CACL,WAAW,mBAAmB,8BAA8B,GAAG,MAAM;gBACrE,iBAAiB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,IAAI;gBAC7D,2BAA2B,CAC5B,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC5D,6EAA6E;QAC7E,IAAI,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YACpC,OAAO,CACL,WAAW,mBAAmB,UAAU,GAAG,wCAAwC;gBACnF,2DAA2D,CAC5D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC,CAAC,oBAAoB;AACnC,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,cAAc,CAC3B,OAAe,EACf,IAA2B,EAC3B,MAA6B;IAE7B,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CACvB;QACE,WAAW,EAAE,OAAO;QACpB,SAAS,EAAE,QAAQ;QACnB,cAAc,uBAAuB,EAAE;QACvC,IAAI,EAAE,aAAa;QACnB,eAAe;KAChB,EACD,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IAEF,IAAI,MAAM,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAE3B,mCAAmC;IACnC,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,gDAAgD;QACjE,aAAa,MAAM,CAAC,MAAM,IAAI,SAAS,aAAa,MAAM,CAAC,QAAQ,MAAM,CAC5E,CAAC;IACF,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,0CAA0C,CAAC,IAAI,CAAC,CAAC;IACxE,MAAM,UAAU,GAAG,MAAM,IAAI,CAC3B,CAAC,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,CAAC,EACxE,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IACF,MAAM,CAAC,KAAK,CAAC,CAAC,UAAU,CAAC,MAAM,IAAI,UAAU,CAAC,MAAM,IAAI,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC;IAE/E,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,0DAA0D,CAAC,IAAI,CAAC,CAAC;IAC1F,MAAM,UAAU,GAAG,MAAM,IAAI,CAC3B,CAAC,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,uBAAuB,EAAE,EAAE,IAAI,EAAE,aAAa,CAAC,EAChG,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IACF,MAAM,CAAC,KAAK,CAAC,CAAC,UAAU,CAAC,MAAM,IAAI,UAAU,CAAC,MAAM,IAAI,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC;IAC/E,MAAM,CAAC,KAAK,CACV,KAAK,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,wFAAwF,CAChH,CAAC;IAEF,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAC/B,IAA2B;IAE3B,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAC1C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,kBAAkB,EAAE;YAC9C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QACpF,OAAO,EAAE,EAAE,EAAE,MAAM,KAAK,YAAY,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IAC3C,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAA8B,EAAE,EAChC,OAA8B,EAAE;IAEhC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,sBAAsB,CAAC;IACjE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE3B,oEAAoE;IACpE,MAAM,YAAY,GAAG,GAAG,CAAC,qCAAqC,CAAC,CAAC,KAAK,EAAE,CAAC;IACxE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC;IAEvD,8EAA8E;IAC9E,iDAAiD;IACjD,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9D,MAAM,SAAS,GAAG,MAAM,2BAA2B,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;IACxE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,YAAY,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;QAClD,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,8CAA8C;YAC/D,0EAA0E;YAC1E,6EAA6E,CAChF,CAAC;QACF,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;IAClE,CAAC;IACD,YAAY,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC;IAEjD,oEAAoE;IACpE,MAAM,YAAY,GAAG,GAAG,CAAC,iCAAiC,CAAC,CAAC,KAAK,EAAE,CAAC;IAEpE,sEAAsE;IACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC;IACxD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzD,YAAY,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACvD,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,8CAA8C;YAC/D,gEAAgE;YAChE,uDAAuD;YACvD,+DAA+D,CAClE,CAAC;QACF,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,qBAAqB,EAAE,CAAC;IACzD,CAAC;IAED,gEAAgE;IAChE,MAAM,aAAa,GAAG,QAAQ,CAAC;IAE/B,6FAA6F;IAC7F,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,oCAAoC,aAAa,IAAI,CAC5E,CAAC;IACF,YAAY,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;IAElE,oEAAoE;IACpE,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC/B,MAAM,aAAa,GAAG,GAAG,CAAC,4BAA4B,CAAC,CAAC,KAAK,EAAE,CAAC;QAChE,MAAM,WAAW,GAAG,IAAI,CAAC,mBAAmB,IAAI,kBAAkB,CAAC;QACnE,MAAM,aAAa,GAAG,MAAM,WAAW,CACrC,YAAY,EACZ,IAAI,CAAC,wBAAwB,KAAK,IAAI,EACtC,EAAyB,CAC1B,CAAC;QACF,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;YACtB,aAAa,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YAC/C,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,aAAa,CAAC,OAAO,IAAI,CAAC,CAAC;YAC/D,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;QAC9D,CAAC;QACD,aAAa,CAAC,OAAO,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IAC/C,CAAC;IAED,oEAAoE;IACpE,MAAM,YAAY,GAAG,GAAG,CAAC,mBAAmB,mBAAmB,QAAQ,CAAC,CAAC,KAAK,EAAE,CAAC;IACjF,MAAM,WAAW,GAAG,MAAM,uBAAuB,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IACvE,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QACzB,YAAY,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QAC7C,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,WAAW,IAAI,CAAC,CAAC;QACrD,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC;IAC7D,CAAC;IACD,YAAY,CAAC,OAAO,CAAC,UAAU,mBAAmB,WAAW,CAAC,CAAC;IAE/D,qEAAqE;IACrE,MAAM,YAAY,GAAG,GAAG,CAAC,oBAAoB,CAAC,CAAC,KAAK,EAAE,CAAC;IACvD,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IACjD,MAAM,WAAW,GAAG,MAAM,IAAI,CAC5B,CAAC,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,CAAC,EACzD,EAAE,OAAO,EAAE,OAAO,EAAE,CACrB,CAAC;IACF,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;QACpB,YAAY,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC1C,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,+BAA+B,WAAW,CAAC,QAAQ,MAAM;YAC1E,KAAK,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CACnE,CAAC;QACF,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC;IAC1D,CAAC;IACD,YAAY,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAE1C,qEAAqE;IACrE,MAAM,YAAY,GAAG,GAAG,CAAC,2BAA2B,CAAC,CAAC,KAAK,EAAE,CAAC;IAC9D,MAAM,SAAS,GAAG,MAAM,cAAc,CAAC,aAAa,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IACpE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,YAAY,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;QACxD,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;IAC9D,CAAC;IACD,YAAY,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAEzC,oEAAoE;IACpE,MAAM,YAAY,GAAG,GAAG,CAAC,2BAA2B,CAAC,CAAC,KAAK,EAAE,CAAC;IAC9D,MAAM,OAAO,GAAG,IAAI,CAAC,oBAAoB,IAAI,gBAAgB,CAAC;IAC9D,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,aAAa,EACb,aAAa,EACb,mBAAmB,EACnB,KAAK,EACL,KAAK,EACL,IAAI,CAAC,eAAe,IAAI,EAAE,CAC3B,CAAC;IACF,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACrB,YAAY,CAAC,OAAO,CAAC,6BAA6B,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC;IACrE,CAAC;SAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACtC,YAAY,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC;IACpD,CAAC;SAAM,CAAC;QACN,YAAY,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;IACnF,CAAC;IAED,sEAAsE;IACtE,MAAM,IAAI,OAAO,CAAO,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;IAErD,oEAAoE;IACpE,MAAM,YAAY,GAAG,GAAG,CAAC,sDAAsD,CAAC,CAAC,KAAK,EAAE,CAAC;IACzF,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;QACpB,YAAY,CAAC,IAAI,CACf,WAAW,CAAC,YAAY,KAAK,IAAI;YAC/B,CAAC,CAAC,4BAA4B,WAAW,CAAC,YAAY,2BAA2B;YACjF,CAAC,CAAC,gDAAgD,CACrD,CAAC;QACF,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,8CAA8C;YAC/D,kEAAkE,CACrE,CAAC;QACF,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC;IAC3E,CAAC;IACD,YAAY,CAAC,OAAO,CAAC,2CAA2C,CAAC,CAAC;IAElE,qEAAqE;IACrE,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,mBAAmB,CAAC;IACtD,QAAQ,CACN;QACE,SAAS,EAAE,YAAY;QACvB,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;QACjC,MAAM,EAAE,KAAK;KACd,EACD,IAAI,CAAC,QAAQ,IAAI,EAAE,CACpB,CAAC;IAEF,sEAAsE;IACtE,YAAY,CAAC,oCAAoC,CAAC,CAAC;IACnD,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IACvD,MAAM,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;IACrE,MAAM,CAAC,KAAK,CAAC,qCAAqC,mBAAmB,IAAI,CAAC,CAAC;IAE3E,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;AACjE,CAAC"}
+{"version":3,"file":"upgrade-kubernetes.js","sourceRoot":"","sources":["../../src/lib/upgrade-kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AACtE,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACjF,OAAO,EAAE,WAAW,EAAwB,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,wBAAwB,EAAwD,MAAM,mBAAmB,CAAC;AACrK,OAAO,EAAE,mBAAmB,EAAiB,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAA4B,MAAM,uBAAuB,CAAC;AACrF,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC;AAC/E,MAAM,CAAC,MAAM,aAAa,GAAG,MAAM,CAAC;AACpC,MAAM,CAAC,MAAM,mBAAmB,GAAG,qBAAqB,CAAC;AACzD,MAAM,CAAC,MAAM,uBAAuB,GAAG,cAAc,CAAC;AACtD,MAAM,CAAC,MAAM,mBAAmB,GAAG,sBAAsB,CAAC;AAC1D,MAAM,CAAC,MAAM,kBAAkB,GAAG,+BAA+B,CAAC;AAElE,oDAAoD;AACpD,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,uBAAuB,CAAC,CAAC;AAEtF,iFAAiF;AACjF,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,CAAC,kBAAkB,EAAE,UAAU,CAAC,CAAC,CAAC;AAErE,sDAAsD;AACtD,MAAM,oBAAoB,GAAG,CAAC,kBAAkB,EAAE,UAAU,CAAU,CAAC;AAEvE;;;;GAIG;AACH,MAAM,kBAAkB,GAAG;IACzB,EAAE,IAAI,EAAE,cAAc,EAAM,UAAU,EAAE,0BAA0B,EAAO,IAAI,EAAE,CAAC,qBAAqB,CAAC,EAAE;IACxG,EAAE,IAAI,EAAE,kBAAkB,EAAE,UAAU,EAAE,8BAA8B,EAAI,IAAI,EAAE,CAAC,0BAA0B,CAAC,EAAE;IAC9G,EAAE,IAAI,EAAE,YAAY,EAAQ,UAAU,EAAE,wBAAwB,EAAU,IAAI,EAAE,CAAC,sBAAsB,CAAC,EAAE;IAC1G,EAAE,IAAI,EAAE,gBAAgB,EAAI,UAAU,EAAE,4BAA4B,EAAM,IAAI,EAAE,CAAC,2BAA2B,CAAC,EAAE;CACvG,CAAC;AAEX,0DAA0D;AAC1D,MAAM,cAAc,GAAG,wBAAwB,CAAC;AAEhD;;;GAGG;AACH,SAAS,cAAc,CAAC,cAAsB,EAAE,IAAY;IAC1D,OAAO,UAAU,cAAc,IAAI,cAAc,IAAI,IAAI,EAAE,CAAC;AAC9D,CAAC;AAED;;;GAGG;AACH,SAAS,yBAAyB,CAAC,KAA8B,EAAE,MAA6B;IAC9F,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QAC9C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChE,EAAE,CAAC,aAAa,CAAC,mBAAmB,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC5F,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,yCAAyC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CACpH,CAAC;IACJ,CAAC;AACH,CAAC;AAED;wEACwE;AACxE,SAAS,gBAAgB,CAAC,OAAe;IACvC,OAAO,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;AAC3D,CAAC;AA6CD;;;GAGG;AACH,KAAK,UAAU,2BAA2B,CACxC,OAAe,EACf,IAA2B;IAE3B,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CACvB,CAAC,WAAW,EAAE,OAAO,EAAE,cAAc,CAAC,EACtC,EAAE,OAAO,EAAE,KAAK,EAAE,CACnB,CAAC;IACF,OAAO,MAAM,CAAC,EAAE,CAAC;AACnB,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,UAAU,uBAAuB,CACpC,OAAe,EACf,IAA2B;IAE3B,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CACvB;QACE,WAAW,EAAE,OAAO;QACpB,KAAK,EAAE,QAAQ,EAAE,mBAAmB;QACpC,IAAI,EAAE,aAAa;QACnB,IAAI,EAAE,MAAM;KACb,EACD,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IAEF,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,OAAO,CACL,WAAW,mBAAmB,6BAA6B,aAAa,MAAM;YAC9E,wCAAwC,OAAO,gCAAgC;YAC/E,KAAK,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,CAC1C,CAAC;IACJ,CAAC;IAED,IAAI,UAA6C,CAAC;IAClD,IAAI,CAAC;QACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAsB,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,gCAAgC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;IACvE,CAAC;IAED,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,IAAI,EAAE,CAAC;IAEnC,KAAK,MAAM,GAAG,IAAI,oBAAoB,EAAE,CAAC;QACvC,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC;YACnB,OAAO,CACL,WAAW,mBAAmB,8BAA8B,GAAG,MAAM;gBACrE,iBAAiB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,IAAI;gBAC7D,2BAA2B,CAC5B,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC5D,6EAA6E;QAC7E,IAAI,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YACpC,OAAO,CACL,WAAW,mBAAmB,UAAU,GAAG,wCAAwC;gBACnF,2DAA2D,CAC5D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC,CAAC,oBAAoB;AACnC,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,cAAc,CAC3B,OAAe,EACf,IAA2B,EAC3B,MAA6B;IAE7B,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CACvB;QACE,WAAW,EAAE,OAAO;QACpB,SAAS,EAAE,QAAQ;QACnB,cAAc,uBAAuB,EAAE;QACvC,IAAI,EAAE,aAAa;QACnB,eAAe;KAChB,EACD,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IAEF,IAAI,MAAM,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAE3B,mCAAmC;IACnC,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,gDAAgD;QACjE,aAAa,MAAM,CAAC,MAAM,IAAI,SAAS,aAAa,MAAM,CAAC,QAAQ,MAAM,CAC5E,CAAC;IACF,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,0CAA0C,CAAC,IAAI,CAAC,CAAC;IACxE,MAAM,UAAU,GAAG,MAAM,IAAI,CAC3B,CAAC,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,CAAC,EACxE,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IACF,MAAM,CAAC,KAAK,CAAC,CAAC,UAAU,CAAC,MAAM,IAAI,UAAU,CAAC,MAAM,IAAI,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC;IAE/E,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,0DAA0D,CAAC,IAAI,CAAC,CAAC;IAC1F,MAAM,UAAU,GAAG,MAAM,IAAI,CAC3B,CAAC,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,uBAAuB,EAAE,EAAE,IAAI,EAAE,aAAa,CAAC,EAChG,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IACF,MAAM,CAAC,KAAK,CAAC,CAAC,UAAU,CAAC,MAAM,IAAI,UAAU,CAAC,MAAM,IAAI,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC;IAC/E,MAAM,CAAC,KAAK,CACV,KAAK,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,wFAAwF,CAChH,CAAC;IAEF,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;GAWG;AACH,KAAK,UAAU,0BAA0B,CACvC,OAAe,EACf,YAAoB,EACpB,IAA2B;IAE3B,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IACjD,MAAM,YAAY,GAAG,IAAI,CAAC,gBAAgB,IAAI,EAAE,CAAC,YAAY,CAAC;IAE9D,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC;IACnE,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,YAAY,CAAC,aAAa,EAAE,MAAM,CAAW,CAAC;IAC1D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,+BAA+B,aAAa,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IAC7G,CAAC;IAED,4CAA4C;IAC5C,IAAI,MAA+B,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,SAAS,CAAC,OAAO,CAA4B,CAAC;IACzD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,qCAAqC,aAAa,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IACnH,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAA2B,CAAC;IAE9D,8DAA8D;IAC9D,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,IAAI,CAAC,UAAU,CAAC,oBAAoB,CAAC,GAAG,cAAc,CAAC,UAAU,CAAC,cAAc,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;IACrG,CAAC;IACD,MAAM,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;IAEtB,MAAM,WAAW,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAE1C,2DAA2D;IAC3D,MAAM,MAAM,GAAG,MAAM,IAAI,CACvB,CAAC,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,EAC1C,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,CACxC,CAAC;IAEF,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,OAAO,kDAAkD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;IAChG,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,KAAK,UAAU,sBAAsB,CACnC,OAAe,EACf,IAA2B;IAE3B,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IAEjD,KAAK,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,kBAAkB,EAAE,CAAC;QAC5D,MAAM,MAAM,GAAG,MAAM,IAAI,CACvB;YACE,WAAW,EAAE,OAAO;YACpB,KAAK,EAAE,QAAQ,EAAE,UAAU;YAC3B,IAAI,EAAE,aAAa;YACnB,IAAI,EAAE,MAAM;SACb,EACD,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACf,OAAO,CACL,sBAAsB,UAAU,MAAM,IAAI,6BAA6B,aAAa,MAAM;gBAC1F,wCAAwC,OAAO,mBAAmB,IAAI,iBAAiB;gBACvF,KAAK,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,CAC1C,CAAC;QACJ,CAAC;QAED,IAAI,UAA6C,CAAC;QAClD,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAsB,CAAC;QAC9D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,oCAAoC,UAAU,MAAM,IAAI,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;QACrG,CAAC;QAED,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,IAAI,EAAE,CAAC;QAEnC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC;gBACnB,OAAO,CACL,sBAAsB,UAAU,MAAM,IAAI,8BAA8B,GAAG,MAAM;oBACjF,iBAAiB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,IAAI;oBAC7D,2BAA2B,CAC5B,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC5D,IAAI,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;gBACtC,OAAO,CACL,sBAAsB,UAAU,MAAM,IAAI,UAAU,GAAG,wCAAwC;oBAC/F,2DAA2D,CAC5D,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC,CAAC,kCAAkC;AACjD,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,cAAc,CAC3B,OAAe,EACf,IAA2B;IAE3B,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CACvB;QACE,WAAW,EAAE,OAAO;QACpB,MAAM;QACN,2BAA2B;QAC3B,oBAAoB;QACpB,IAAI,EAAE,aAAa;QACnB,eAAe;KAChB,EACD,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IACF,OAAO,MAAM,CAAC,EAAE,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAC/B,IAA2B;IAE3B,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAC1C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,kBAAkB,EAAE;YAC9C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QACpF,OAAO,EAAE,EAAE,EAAE,MAAM,KAAK,YAAY,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IAC3C,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAA8B,EAAE,EAChC,OAA8B,EAAE;IAEhC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,sBAAsB,CAAC;IACjE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE3B,oEAAoE;IACpE,MAAM,YAAY,GAAG,GAAG,CAAC,qCAAqC,CAAC,CAAC,KAAK,EAAE,CAAC;IACxE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC;IAEvD,8EAA8E;IAC9E,iDAAiD;IACjD,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9D,MAAM,SAAS,GAAG,MAAM,2BAA2B,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;IACxE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,YAAY,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;QAClD,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,8CAA8C;YAC/D,0EAA0E;YAC1E,6EAA6E,CAChF,CAAC;QACF,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;IAClE,CAAC;IACD,YAAY,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC;IAEjD,oEAAoE;IACpE,MAAM,YAAY,GAAG,GAAG,CAAC,iCAAiC,CAAC,CAAC,KAAK,EAAE,CAAC;IAEpE,sEAAsE;IACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC;IACxD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzD,YAAY,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACvD,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,8CAA8C;YAC/D,gEAAgE;YAChE,uDAAuD;YACvD,+DAA+D,CAClE,CAAC;QACF,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,qBAAqB,EAAE,CAAC;IACzD,CAAC;IAED,gEAAgE;IAChE,MAAM,aAAa,GAAG,QAAQ,CAAC;IAE/B,6FAA6F;IAC7F,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,oCAAoC,aAAa,IAAI,CAC5E,CAAC;IACF,YAAY,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;IAElE,oEAAoE;IACpE,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC/B,MAAM,aAAa,GAAG,GAAG,CAAC,4BAA4B,CAAC,CAAC,KAAK,EAAE,CAAC;QAChE,MAAM,WAAW,GAAG,IAAI,CAAC,mBAAmB,IAAI,kBAAkB,CAAC;QACnE,MAAM,aAAa,GAAG,MAAM,WAAW,CACrC,YAAY,EACZ,IAAI,CAAC,wBAAwB,KAAK,IAAI,EACtC,EAAyB,CAC1B,CAAC;QACF,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;YACtB,aAAa,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YAC/C,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,aAAa,CAAC,OAAO,IAAI,CAAC,CAAC;YAC/D,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;QAC9D,CAAC;QACD,aAAa,CAAC,OAAO,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IAC/C,CAAC;IAED,oEAAoE;IACpE,MAAM,YAAY,GAAG,GAAG,CAAC,mBAAmB,mBAAmB,QAAQ,CAAC,CAAC,KAAK,EAAE,CAAC;IACjF,MAAM,WAAW,GAAG,MAAM,uBAAuB,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IACvE,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QACzB,YAAY,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QAC7C,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,WAAW,IAAI,CAAC,CAAC;QACrD,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC;IAC7D,CAAC;IACD,YAAY,CAAC,OAAO,CAAC,UAAU,mBAAmB,WAAW,CAAC,CAAC;IAE/D,mEAAmE;IACnE,kEAAkE;IAClE,yBAAyB,CACvB;QACE,EAAE,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;QACtE,EAAE,EAAE,SAAS;QACb,SAAS,EAAE,YAAY;QACvB,MAAM,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE;KAC/B,EACD,MAAM,CACP,CAAC;IAEF,uEAAuE;IACvE,MAAM,aAAa,GAAG,GAAG,CAAC,8CAA8C,CAAC,CAAC,KAAK,EAAE,CAAC;IAClF,MAAM,cAAc,GAAG,MAAM,0BAA0B,CAAC,aAAa,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC;IAC3F,IAAI,cAAc,KAAK,IAAI,EAAE,CAAC;QAC5B,aAAa,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACpD,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,cAAc,IAAI,CAAC,CAAC;QACxD,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;IACnE,CAAC;IACD,aAAa,CAAC,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAE7D,mEAAmE;IACnE,MAAM,aAAa,GAAG,GAAG,CAAC,kCAAkC,CAAC,CAAC,KAAK,EAAE,CAAC;IACtE,MAAM,qBAAqB,GAAG,MAAM,sBAAsB,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IAChF,IAAI,qBAAqB,KAAK,IAAI,EAAE,CAAC;QACnC,aAAa,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;QACzD,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,qBAAqB,IAAI,CAAC,CAAC;QAC/D,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC;IACxE,CAAC;IACD,aAAa,CAAC,OAAO,CAAC,iCAAiC,CAAC,CAAC;IAEzD,kEAAkE;IAClE,MAAM,aAAa,GAAG,GAAG,CAAC,uCAAuC,CAAC,CAAC,KAAK,EAAE,CAAC;IAC3E,MAAM,SAAS,GAAG,MAAM,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IAC5D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,aAAa,CAAC,IAAI,CAAC,qEAAqE,CAAC,CAAC;IAC5F,CAAC;SAAM,CAAC;QACN,aAAa,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC7C,CAAC;IAED,qEAAqE;IACrE,MAAM,YAAY,GAAG,GAAG,CAAC,oBAAoB,CAAC,CAAC,KAAK,EAAE,CAAC;IACvD,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC;IAEjD,4DAA4D;IAC5D,sFAAsF;IACtF,MAAM,WAAW,GAAG,MAAM,IAAI,CAC5B,CAAC,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,CAAC,EACzD,EAAE,OAAO,EAAE,OAAO,EAAE,CACrB,CAAC;IACF,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;QACpB,YAAY,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC1C,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,+BAA+B,WAAW,CAAC,QAAQ,MAAM;YAC1E,KAAK,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CACnE,CAAC;QACF,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC;IAC1D,CAAC;IAED,mEAAmE;IACnE,MAAM,eAAe,GAAG,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACnE,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,sBAAsB,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;QAC7D,MAAM,qBAAqB,GAAG,MAAM,IAAI,CACtC,CAAC,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE,sBAAsB,CAAC,EACnE,EAAE,OAAO,EAAE,OAAO,EAAE,CACrB,CAAC;QACF,IAAI,CAAC,qBAAqB,CAAC,EAAE,EAAE,CAAC;YAC9B,YAAY,CAAC,IAAI,CAAC,wCAAwC,IAAI,GAAG,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,yCAAyC,IAAI,WAAW,qBAAqB,CAAC,QAAQ,MAAM;gBAC7G,KAAK,qBAAqB,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAC7E,CAAC;YACF,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,uCAAuC,IAAI,EAAE,EAAE,CAAC;QACjF,CAAC;IACH,CAAC;IAED,YAAY,CAAC,OAAO,CAAC,iDAAiD,CAAC,CAAC;IAExE,qEAAqE;IACrE,oEAAoE;IACpE,MAAM,YAAY,GAAG,GAAG,CAAC,mDAAmD,CAAC,CAAC,KAAK,EAAE,CAAC;IACtF,MAAM,eAAe,GAAG;QACtB,uBAAuB;QACvB,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;KAClC,CAAC;IACF,MAAM,cAAc,GAAG,MAAM,OAAO,CAAC,GAAG,CACtC,eAAe,CAAC,GAAG,CAAC,CAAC,cAAc,EAAE,EAAE,CACrC,CAAC,IAAI,CAAC,eAAe,IAAI,WAAW,CAAC,CACnC;QACE,WAAW,EAAE,aAAa;QAC1B,SAAS,EAAE,QAAQ;QACnB,cAAc,cAAc,EAAE;QAC9B,IAAI,EAAE,aAAa;QACnB,eAAe;KAChB,EACD,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CACF,CACF,CAAC;IAEF,MAAM,iBAAiB,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACnF,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,YAAY,CAAC,IAAI,CAAC,uBAAuB,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzE,oEAAoE;QACpE,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;YACrC,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,yCAAyC,IAAI,KAAK,CAAC,CAAC;YACpF,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,2BAA2B,aAAa,cAAc,CAAC,IAAI,CAAC,CAAC;YACpF,MAAM,UAAU,GAAG,MAAM,IAAI,CAC3B,CAAC,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,CAAC,EAC9E,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;YACF,MAAM,CAAC,KAAK,CAAC,CAAC,UAAU,CAAC,MAAM,IAAI,UAAU,CAAC,MAAM,IAAI,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC;QACjF,CAAC;QACD,MAAM,CAAC,KAAK,CACV,KAAK,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,wFAAwF,CAChH,CAAC;QACF,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;IAC9D,CAAC;IACD,YAAY,CAAC,OAAO,CAAC,8BAA8B,CAAC,CAAC;IAErD,oEAAoE;IACpE,8DAA8D;IAC9D,MAAM,YAAY,GAAG,GAAG,CAAC,2BAA2B,CAAC,CAAC,KAAK,EAAE,CAAC;IAC9D,MAAM,OAAO,GAAG,IAAI,CAAC,oBAAoB,IAAI,gBAAgB,CAAC;IAC9D,MAAM,kBAAkB,GAAG,IAAI,CAAC,kCAAkC,IAAI,8BAA8B,CAAC;IACrG,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACnC,OAAO,CACL,aAAa,EACb,aAAa,EACb,mBAAmB,EACnB,KAAK,EACL,KAAK,EACL,IAAI,CAAC,eAAe,IAAI,EAAE,CAC3B;QACD,kBAAkB,CAChB,aAAa,EACb,aAAa,EACb,IAAI,CAAC,yBAAyB,IAAI,EAAE,CACrC;KACF,CAAC,CAAC;IACH,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACrB,YAAY,CAAC,OAAO,CAAC,6BAA6B,QAAQ,CAAC,GAAG,kCAAkC,CAAC,CAAC;IACpG,CAAC;SAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACtC,YAAY,CAAC,OAAO,CAAC,8DAA8D,CAAC,CAAC;IACvF,CAAC;SAAM,CAAC;QACN,YAAY,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;IACnF,CAAC;IAED,sEAAsE;IACtE,MAAM,IAAI,OAAO,CAAO,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;IAErD,oEAAoE;IACpE,MAAM,YAAY,GAAG,GAAG,CAAC,sDAAsD,CAAC,CAAC,KAAK,EAAE,CAAC;IACzF,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;QACpB,YAAY,CAAC,IAAI,CACf,WAAW,CAAC,YAAY,KAAK,IAAI;YAC/B,CAAC,CAAC,4BAA4B,WAAW,CAAC,YAAY,2BAA2B;YACjF,CAAC,CAAC,gDAAgD,CACrD,CAAC;QACF,MAAM,CAAC,KAAK,CACV,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,8CAA8C;YAC/D,kEAAkE,CACrE,CAAC;QACF,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC;IAC3E,CAAC;IACD,YAAY,CAAC,OAAO,CAAC,2CAA2C,CAAC,CAAC;IAElE,qEAAqE;IACrE,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,mBAAmB,CAAC;IACtD,QAAQ,CACN;QACE,SAAS,EAAE,YAAY;QACvB,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;QACjC,MAAM,EAAE,KAAK;KACd,EACD,IAAI,CAAC,QAAQ,IAAI,EAAE,CACpB,CAAC;IAEF,sEAAsE;IACtE,YAAY,CAAC,oCAAoC,CAAC,CAAC;IACnD,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IACvD,MAAM,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;IACrE,MAAM,CAAC,KAAK,CAAC,qCAAqC,mBAAmB,IAAI,CAAC,CAAC;IAE3E,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;AACjE,CAAC"}

package/host-cp/k8s/manifests/auth-service/10-serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: olam-auth-service
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral

package/host-cp/k8s/manifests/auth-service/20-rbac.yaml

@@ -0,0 +1,34 @@
+# Phase 1a Decision 19: Role scoped to resourceNames: ["olam-auth-service"] on
+# apps/v1 deployments. Without this scope, the in-cluster ServiceAccount
+# could patch ANY Deployment in the namespace. This is the load-bearing
+# security guardrail — preserve verbatim.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: olam-auth-service
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    resourceNames: ["olam-auth-service"]
+    verbs: ["get", "patch", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: olam-auth-service
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral
+subjects:
+  - kind: ServiceAccount
+    name: olam-auth-service
+    namespace: olam
+roleRef:
+  kind: Role
+  name: olam-auth-service
+  apiGroup: rbac.authorization.k8s.io

package/host-cp/k8s/manifests/auth-service/30-configmap.yaml

@@ -0,0 +1,24 @@
+# ConfigMap for olam-auth-service environment. Sensitive values (AUTH_DB_SECRET,
+# API keys) are NOT here — they live in the Secret (see templates/auth-service-secret-template.yaml).
+# Operators apply the Secret separately before applying the manifests.
+#
+# Inter-peripheral URL placeholders (e.g. OLAM_MCP_AUTH_URL) are set to
+# cluster-internal DNS names. These are resolved by Phase C substitution;
+# operators running Phase 2 Beta may override them directly.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-auth-service-env
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral
+data:
+  # Port auth-service listens on. Must match 60-service.yaml targetPort.
+  OLAM_AUTH_PORT: "9999"
+  # Data directory — backed by the PVC mounted at /data.
+  OLAM_AUTH_DATA_PATH: "/data/auth"
+  # URL of mcp-auth-service (cluster-internal DNS). Override in non-k3d environments.
+  OLAM_MCP_AUTH_SERVICE_URL: "http://olam-mcp-auth-service.olam.svc.cluster.local:9998"
+  # Credential vault poll interval.
+  OLAM_CREDENTIAL_POLL_MS: "60000"

package/host-cp/k8s/manifests/auth-service/45-pvc.yaml

@@ -0,0 +1,25 @@
+# PersistentVolumeClaim for olam-auth-service /data volume.
+#
+# Why PVC instead of hostPath: see packages/host-cp/k8s/manifests/host-cp/45-pvc.yaml
+# for the full rationale (fsGroup, k3d node filesystem, etc.).
+#
+# local-path StorageClass ships with k3d by default (rancher/local-path-provisioner).
+# On non-k3d clusters, substitute storageClassName with your cluster's provisioner.
+# D24: storageClassName operator-editable — edit the field below for non-k3d substrates.
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: olam-auth-data
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral
+spec:
+  accessModes:
+    - ReadWriteOnce
+  # D24: operator-editable. k3d default is local-path. Change for non-k3d substrates.
+  storageClassName: local-path
+  resources:
+    requests:
+      # D25: auth-service PVC size 5Gi.
+      storage: 5Gi

package/host-cp/k8s/manifests/auth-service/50-deployment.yaml

@@ -0,0 +1,114 @@
+# Deployment for olam-auth-service.
+#
+# Image: pinned to sha256 digest (not :latest or named tag) per T4 threat model.
+# Digest resolves to ghcr.io/pleri/olam-auth-service:0.1.0 (multi-arch index).
+# To update: resolve the new tag's digest via:
+#   TOKEN=$(curl -s "https://ghcr.io/token?scope=repository:pleri/olam-auth-service:pull&service=ghcr.io" | jq -r .token)
+#   curl -sI -H "Authorization: Bearer $TOKEN" \
+#     -H "Accept: application/vnd.oci.image.index.v1+json,application/vnd.docker.distribution.manifest.list.v2+json" \
+#     https://ghcr.io/v2/pleri/olam-auth-service/manifests/<tag> | grep docker-content-digest
+#
+# securityContext: conservative defaults per T6/T7 threat model (runAsNonRoot,
+# readOnlyRootFilesystem). /tmp backed by emptyDir for transient write needs.
+#
+# D17: auth-service does NOT mount /var/run/docker.sock (Phase 2 k8s pods
+# cannot reach docker.sock — no hostPath socket mount).
+#
+# chown-data init container: grants UID-1000 write access on the freshly-
+# provisioned PV (fsGroup alone is insufficient for local-path PVs).
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: olam-auth-service
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: olam-auth-service
+  template:
+    metadata:
+      labels:
+        app: olam-auth-service
+    spec:
+      serviceAccountName: olam-auth-service
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+        - name: chown-data
+          # busybox:1.36 — sha256-pinned per T4 threat model.
+          image: busybox@sha256:73aaf090f3d85aa34ee199857f03fa3a95c8ede2ffd4cc2cdb5b94e566b11662
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 0
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+          command: ["chown", "-R", "1000:1000", "/data"]
+          volumeMounts:
+            - name: auth-data
+              mountPath: /data
+      containers:
+        - name: olam-auth-service
+          image: ghcr.io/pleri/olam-auth-service@sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            - name: http
+              containerPort: 9999
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: olam-auth-service-env
+            - secretRef:
+                name: olam-auth-service-secret
+          volumeMounts:
+            - name: auth-data
+              mountPath: /data
+            - name: tmp
+              mountPath: /tmp
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 9999
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 6
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 9999
+            initialDelaySeconds: 30
+            periodSeconds: 20
+            timeoutSeconds: 5
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "128Mi"
+            limits:
+              cpu: "500m"
+              memory: "512Mi"
+      volumes:
+        - name: auth-data
+          persistentVolumeClaim:
+            claimName: olam-auth-data
+        - name: tmp
+          emptyDir: {}

package/host-cp/k8s/manifests/auth-service/60-service.yaml

@@ -0,0 +1,21 @@
+# ClusterIP Service for olam-auth-service.
+# Port 9999 — consumed by host-cp and other peripherals via cluster-internal DNS.
+# Operator surfaces externally via:
+#   kubectl port-forward -n olam svc/olam-auth-service 9999:9999
+apiVersion: v1
+kind: Service
+metadata:
+  name: olam-auth-service
+  namespace: olam
+  labels:
+    app: olam-auth-service
+    olam.io/component: peripheral
+spec:
+  type: ClusterIP
+  selector:
+    app: olam-auth-service
+  ports:
+    - name: http
+      port: 9999
+      targetPort: 9999
+      protocol: TCP