@praxis.guard/auditor-cli 0.0.1

package/dist/hooks/run-before-shell.js

@@ -0,0 +1,132 @@
+import { classifyArgv, loadPoliciesV1, readPoliciesV1Revision } from "../policy/index.js";
+import { appendAuditJsonl } from "../audit/jsonl.js";
+import { getInstallId } from "../cli/install-id.js";
+import { DEFAULT_GOVERNED_SHELL_TOOLS } from "../shell/governed-tools.js";
+import { parseCommandToArgv } from "../shell/parse.js";
+import { tryConsumeShellApprovalBridge } from "../bridge/shell-approval-bridge.js";
+import { sendGuardEvent } from "../telemetry/guard-events.js";
+function tierToPermission(tier) {
+    if (tier === "READ")
+        return "allow";
+    return "deny";
+}
+async function readStdinJson() {
+    return await new Promise((resolve, reject) => {
+        let data = "";
+        process.stdin.setEncoding("utf8");
+        process.stdin.on("data", (chunk) => (data += chunk));
+        process.stdin.on("end", () => {
+            try {
+                resolve(JSON.parse(data));
+            }
+            catch (e) {
+                reject(e);
+            }
+        });
+    });
+}
+async function tryAppendAuditEvent(evt, auditLogRoot) {
+    try {
+        await appendAuditJsonl(evt, auditLogRoot);
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        process.stderr.write(`[auditor] audit log append failed: ${msg}\n`);
+    }
+}
+/**
+ * Cursor `beforeShellExecution` contract: read one JSON object from stdin, write one JSON object to stdout.
+ */
+export async function runBeforeShellHookFromStdin() {
+    const payload = await readStdinJson();
+    const argv = parseCommandToArgv(payload.command);
+    const rawMetacharacters = /(;|&&|\|\||\||`|>|<|\$\()/.test(payload.command);
+    const tool = argv[0];
+    if (!tool || !DEFAULT_GOVERNED_SHELL_TOOLS.includes(tool)) {
+        const response = { permission: "allow" };
+        process.stdout.write(JSON.stringify(response, null, 2));
+        return;
+    }
+    const policy = await loadPoliciesV1();
+    const policyRevision = await readPoliciesV1Revision();
+    const { classification, flags } = classifyArgv(policy, argv);
+    let tier = classification.tier;
+    const reasons = [];
+    if (!classification.matched)
+        reasons.push("unknown_command(default_deny)");
+    if (flags.metacharacters || rawMetacharacters)
+        reasons.push("metacharacters");
+    if (flags.dangerous_flags)
+        reasons.push("dangerous_flags");
+    if ((flags.metacharacters || rawMetacharacters) && tier === "READ")
+        tier = "MUTATE";
+    if (flags.dangerous_flags)
+        tier = "DESTRUCTIVE";
+    let permission = tierToPermission(tier);
+    let bridgeConsumed = false;
+    if (permission === "deny" && tier === "MUTATE") {
+        bridgeConsumed = await tryConsumeShellApprovalBridge(argv, { cwd: payload.cwd });
+        if (bridgeConsumed) {
+            permission = "allow";
+        }
+    }
+    const response = permission === "allow"
+        ? {
+            permission,
+            ...(bridgeConsumed
+                ? {
+                    agent_message: "Allowed via shell approval bridge (MCP guard token redeemed for this argv; one-shot consumed).",
+                }
+                : {}),
+        }
+        : {
+            permission,
+            user_message: `Shell command blocked by guard (tier=${tier}).`,
+            agent_message: `Blocked by guard. tier=${tier} reasons=${reasons.join(",") || "policy"}. argv=${JSON.stringify(argv)}`,
+        };
+    const auditLogRoot = typeof payload.cwd === "string" && payload.cwd.trim() ? payload.cwd.trim() : undefined;
+    await tryAppendAuditEvent({
+        ts: new Date().toISOString(),
+        hook: "beforeShellExecution",
+        cwd: payload.cwd,
+        command: payload.command,
+        argv,
+        classification,
+        flags,
+        tier,
+        permission,
+        bridgeConsumed,
+        reasons,
+    }, auditLogRoot);
+    // Write stdout immediately so Cursor gets the response without waiting for network.
+    process.stdout.write(JSON.stringify(response, null, 2));
+    // Upload event to backend (keep process alive until done).
+    const status = permission === "allow" ? "passed" : "blocked";
+    await sendGuardEvent({
+        ts: new Date().toISOString(),
+        status,
+        tool: "auditor-hook",
+        command_path: argv[0] ?? null,
+        verb: argv[1] ?? null,
+        resource: argv.length > 2 ? argv.slice(2).join(" ") : null,
+        reason: reasons[0] ?? null,
+        cmd: payload.command,
+        tier,
+        decision: permission === "allow" ? "allow" : "block",
+        installId: getInstallId(),
+        kind: "shell",
+        ...(policyRevision !== null ? { policy_revision: policyRevision } : {}),
+        meta: {
+            hook: "beforeShellExecution",
+            bridgeConsumed,
+        },
+    });
+}
+export function failClosedHookErrorResponse(err) {
+    return {
+        permission: "deny",
+        user_message: "Guard hook crashed; blocking shell command (failClosed).",
+        agent_message: `Guard hook crashed: ${String(err)}`,
+    };
+}
+//# sourceMappingURL=run-before-shell.js.map

package/dist/hooks/run-before-shell.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-before-shell.js","sourceRoot":"","sources":["../../src/hooks/run-before-shell.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,sBAAsB,EAAa,MAAM,oBAAoB,CAAC;AAErG,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAc9D,SAAS,gBAAgB,CAAC,IAAU;IAClC,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO,OAAO,CAAC;IACpC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,aAAa;IAC1B,OAAO,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC3C,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAClC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC;QACrD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YAC3B,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;YAC5B,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,GAA4B,EAAE,YAAqB;IACpF,IAAI,CAAC;QACH,MAAM,gBAAgB,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sCAAsC,GAAG,IAAI,CAAC,CAAC;IACtE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,MAAM,OAAO,GAAG,MAAM,aAAa,EAA+B,CAAC;IAEnE,MAAM,IAAI,GAAG,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,iBAAiB,GAAG,2BAA2B,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAE5E,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACrB,IAAI,CAAC,IAAI,IAAI,CAAC,4BAA4B,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1D,MAAM,QAAQ,GAAiC,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;QACvE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,cAAc,EAAE,CAAC;IACtC,MAAM,cAAc,GAAG,MAAM,sBAAsB,EAAE,CAAC;IACtD,MAAM,EAAE,cAAc,EAAE,KAAK,EAAE,GAAG,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAE7D,IAAI,IAAI,GAAS,cAAc,CAAC,IAAI,CAAC;IACrC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,cAAc,CAAC,OAAO;QAAE,OAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;IAC3E,IAAI,KAAK,CAAC,cAAc,IAAI,iBAAiB;QAAE,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC9E,IAAI,KAAK,CAAC,eAAe;QAAE,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAE3D,IAAI,CAAC,KAAK,CAAC,cAAc,IAAI,iBAAiB,CAAC,IAAI,IAAI,KAAK,MAAM;QAAE,IAAI,GAAG,QAAQ,CAAC;IACpF,IAAI,KAAK,CAAC,eAAe;QAAE,IAAI,GAAG,aAAa,CAAC;IAEhD,IAAI,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,cAAc,GAAG,KAAK,CAAC;IAC3B,IAAI,UAAU,KAAK,MAAM,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC/C,cAAc,GAAG,MAAM,6BAA6B,CAAC,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QACjF,IAAI,cAAc,EAAE,CAAC;YACnB,UAAU,GAAG,OAAO,CAAC;QACvB,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GACZ,UAAU,KAAK,OAAO;QACpB,CAAC,CAAC;YACE,UAAU;YACV,GAAG,CAAC,cAAc;gBAChB,CAAC,CAAC;oBACE,aAAa,EACX,gGAAgG;iBACnG;gBACH,CAAC,CAAC,EAAE,CAAC;SACR;QACH,CAAC,CAAC;YACE,UAAU;YACV,YAAY,EAAE,wCAAwC,IAAI,IAAI;YAC9D,aAAa,EAAE,0BAA0B,IAAI,YAAY,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,UAAU,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;SACvH,CAAC;IAER,MAAM,YAAY,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5G,MAAM,mBAAmB,CACvB;QACE,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,IAAI,EAAE,sBAAsB;QAC5B,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,IAAI;QACJ,cAAc;QACd,KAAK;QACL,IAAI;QACJ,UAAU;QACV,cAAc;QACd,OAAO;KACR,EACD,YAAY,CACb,CAAC;IAEF,oFAAoF;IACpF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAExD,2DAA2D;IAC3D,MAAM,MAAM,GAAG,UAAU,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7D,MAAM,cAAc,CAAC;QACnB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,MAAM;QACN,IAAI,EAAE,cAAc;QACpB,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI;QAC7B,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI;QACrB,QAAQ,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;QAC1D,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI;QAC1B,GAAG,EAAE,OAAO,CAAC,OAAO;QACpB,IAAI;QACJ,QAAQ,EAAE,UAAU,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO;QACpD,SAAS,EAAE,YAAY,EAAE;QACzB,IAAI,EAAE,OAAO;QACb,GAAG,CAAC,cAAc,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvE,IAAI,EAAE;YACJ,IAAI,EAAE,sBAAsB;YAC5B,cAAc;SACf;KACF,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,GAAY;IACtD,OAAO;QACL,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE,0DAA0D;QACxE,aAAa,EAAE,uBAAuB,MAAM,CAAC,GAAG,CAAC,EAAE;KACpD,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export { loadPoliciesV1 } from "./policy/index.js";
+export type { PoliciesV1, Tier, Classification } from "./policy/index.js";
+export { appendAuditJsonl } from "./audit/jsonl.js";
+export { DEFAULT_SHELL_BRIDGE_TTL_MS, recordShellApprovalBridge, shellArgvApprovalId, shellBridgeDir, shouldRecordShellBridge, tryConsumeShellApprovalBridge, } from "./bridge/shell-approval-bridge.js";
+export { DEFAULT_GOVERNED_SHELL_TOOLS, evaluateArgv, evaluateShellProposal, gateShellCommand, parseCommandToArgv, type GuardEvaluation, type GuardReason, type ShellGateDecision, } from "./shell/evaluate.js";
+export { failClosedHookErrorResponse, runBeforeShellHookFromStdin, type BeforeShellExecutionPayload, type BeforeShellExecutionResponse, } from "./hooks/run-before-shell.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAE1E,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,EACzB,mBAAmB,EACnB,cAAc,EACd,uBAAuB,EACvB,6BAA6B,GAC9B,MAAM,mCAAmC,CAAC;AAE3C,OAAO,EACL,4BAA4B,EAC5B,YAAY,EACZ,qBAAqB,EACrB,gBAAgB,EAChB,kBAAkB,EAClB,KAAK,eAAe,EACpB,KAAK,WAAW,EAChB,KAAK,iBAAiB,GACvB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,2BAA2B,EAC3B,2BAA2B,EAC3B,KAAK,2BAA2B,EAChC,KAAK,4BAA4B,GAClC,MAAM,6BAA6B,CAAC"}

package/dist/index.js

@@ -0,0 +1,6 @@
+export { loadPoliciesV1 } from "./policy/index.js";
+export { appendAuditJsonl } from "./audit/jsonl.js";
+export { DEFAULT_SHELL_BRIDGE_TTL_MS, recordShellApprovalBridge, shellArgvApprovalId, shellBridgeDir, shouldRecordShellBridge, tryConsumeShellApprovalBridge, } from "./bridge/shell-approval-bridge.js";
+export { DEFAULT_GOVERNED_SHELL_TOOLS, evaluateArgv, evaluateShellProposal, gateShellCommand, parseCommandToArgv, } from "./shell/evaluate.js";
+export { failClosedHookErrorResponse, runBeforeShellHookFromStdin, } from "./hooks/run-before-shell.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAGnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,EACzB,mBAAmB,EACnB,cAAc,EACd,uBAAuB,EACvB,6BAA6B,GAC9B,MAAM,mCAAmC,CAAC;AAE3C,OAAO,EACL,4BAA4B,EAC5B,YAAY,EACZ,qBAAqB,EACrB,gBAAgB,EAChB,kBAAkB,GAInB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,2BAA2B,EAC3B,2BAA2B,GAG5B,MAAM,6BAA6B,CAAC"}

package/dist/mcp/server.d.ts

@@ -0,0 +1,3 @@
+/** Start the Praxis `guard` MCP server on stdio (blocks until disconnect). */
+export declare function runMcpStdioServer(): Promise<void>;
+//# sourceMappingURL=server.d.ts.map

package/dist/mcp/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAmJA,8EAA8E;AAC9E,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CAqJvD"}

package/dist/mcp/server.js

@@ -0,0 +1,252 @@
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { z } from "zod";
+import { v4 as uuidv4 } from "uuid";
+import { loadPoliciesV1, readPoliciesV1Revision } from "../policy/index.js";
+import { resolveGuardToken } from "../cli/credentials.js";
+import { getInstallId } from "../cli/install-id.js";
+import { recordShellApprovalBridge, shouldRecordShellBridge } from "../bridge/shell-approval-bridge.js";
+import { evaluateArgv, evaluateShellProposal, parseCommandToArgv, } from "../shell/evaluate.js";
+import { sendGuardEvent } from "../telemetry/guard-events.js";
+const GuardModeSchema = z.enum(["shadow", "enforce"]);
+const ProposalKindSchema = z.enum(["shell", "mcp"]);
+const GuardInputSchema = z.object({
+    mode: GuardModeSchema,
+    proposal: z.object({
+        kind: ProposalKindSchema,
+        argv: z.array(z.string()).min(1),
+        cwd: z.string().optional(),
+        raw_command: z.string().optional(),
+    }),
+    context: z
+        .object({
+        provider: z.string().optional(),
+        session_id: z.string().optional(),
+        trace_id: z.string().optional(),
+        agent_id: z.string().optional(),
+        user_id: z.string().optional(),
+        environment: z.string().optional(),
+        approval: z.object({ token: z.string().nullable().optional() }).optional(),
+    })
+        .optional(),
+});
+function tierToDecision(tier) {
+    if (tier === "READ")
+        return "allow";
+    if (tier === "MUTATE")
+        return "require_approval";
+    return "block";
+}
+function argvFingerprint(argv) {
+    return JSON.stringify(argv);
+}
+/** One-time tokens from prior `require_approval` (same Node process). Not persisted. */
+const pendingApprovalByToken = new Map();
+const MCP_SERVER_VERSION = "0.0.1";
+function pruneExpiredApprovals() {
+    const now = Date.now();
+    for (const [token, row] of pendingApprovalByToken) {
+        if (now > row.expiresAt)
+            pendingApprovalByToken.delete(token);
+    }
+}
+import { prodFunctionUrl } from "../cli/function-url.js";
+const DEFAULT_HEARTBEAT_URL = prodFunctionUrl("guardHeartbeat");
+const HEARTBEAT_BASE_INTERVAL_MS = 5 * 60 * 1000;
+const HEARTBEAT_MAX_INTERVAL_MS = 30 * 60 * 1000;
+let heartbeatTimer = null;
+let consecutiveIdleHeartbeats = 0;
+function getNextHeartbeatInterval() {
+    if (consecutiveIdleHeartbeats < 3)
+        return HEARTBEAT_BASE_INTERVAL_MS;
+    return Math.min(HEARTBEAT_BASE_INTERVAL_MS * Math.pow(1.5, consecutiveIdleHeartbeats - 2), HEARTBEAT_MAX_INTERVAL_MS);
+}
+function scheduleNextHeartbeat() {
+    if (heartbeatTimer)
+        clearTimeout(heartbeatTimer);
+    heartbeatTimer = setTimeout(async () => {
+        consecutiveIdleHeartbeats++;
+        await sendGuardHeartbeat();
+        scheduleNextHeartbeat();
+    }, getNextHeartbeatInterval());
+}
+function resetHeartbeatIdle() {
+    consecutiveIdleHeartbeats = 0;
+}
+async function sendGuardHeartbeat() {
+    const heartbeatUrl = process.env.PRAXIS_GUARD_HEARTBEAT_URL || DEFAULT_HEARTBEAT_URL;
+    const token = resolveGuardToken();
+    if (!token)
+        return;
+    const payload = {
+        installId: getInstallId(),
+        kind: "auditor-mcp",
+        version: MCP_SERVER_VERSION,
+        status: "running",
+        client: {
+            os: process.platform,
+            arch: process.arch,
+            node: process.version,
+        },
+    };
+    try {
+        const res = await fetch(heartbeatUrl, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${token}`,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify(payload),
+            signal: AbortSignal.timeout(3000),
+        });
+        if (!res.ok) {
+            process.stderr.write(`[auditor:mcp] heartbeat failed (${res.status}).\n`);
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`[auditor:mcp] heartbeat error: ${msg}\n`);
+    }
+}
+function tryRedeemApprovalToken(token, fingerprint, tier) {
+    if (!token || tier !== "MUTATE")
+        return false;
+    const row = pendingApprovalByToken.get(token);
+    if (!row || Date.now() > row.expiresAt) {
+        if (row)
+            pendingApprovalByToken.delete(token);
+        return false;
+    }
+    if (row.fingerprint !== fingerprint)
+        return false;
+    pendingApprovalByToken.delete(token);
+    return true;
+}
+/** Start the Praxis `guard` MCP server on stdio (blocks until disconnect). */
+export async function runMcpStdioServer() {
+    const policy = await loadPoliciesV1();
+    const policyRevision = await readPoliciesV1Revision();
+    await sendGuardHeartbeat();
+    scheduleNextHeartbeat();
+    const server = new McpServer({
+        name: "praxis-guard",
+        version: MCP_SERVER_VERSION,
+    });
+    server.registerTool("guard", {
+        description: "Policy gatekeeper for agent actions. Evaluates a proposal argv against policies.v1.json; returns allow/block/require_approval with reasons.",
+        inputSchema: GuardInputSchema,
+    }, async (input) => {
+        const startedAt = Date.now();
+        const event_id = uuidv4();
+        pruneExpiredApprovals();
+        resetHeartbeatIdle();
+        const argv = input.proposal.raw_command
+            ? parseCommandToArgv(input.proposal.raw_command)
+            : input.proposal.argv;
+        const { skipped, evaluation } = input.proposal.kind === "shell"
+            ? evaluateShellProposal(policy, argv)
+            : { skipped: false, evaluation: evaluateArgv(policy, argv) };
+        const tier = evaluation.tier;
+        const reasons = [...evaluation.reasons];
+        const fingerprint = argvFingerprint(argv);
+        const submittedToken = input.context?.approval?.token ?? null;
+        const redeemed = !skipped && tryRedeemApprovalToken(submittedToken, fingerprint, tier);
+        if (redeemed) {
+            reasons.push({
+                code: "approval_redeemed",
+                message: "context.approval.token matched a pending approval for this argv; allowing once.",
+            });
+        }
+        let decision;
+        if (skipped || redeemed)
+            decision = "allow";
+        else if (tier === "DESTRUCTIVE")
+            decision = "block";
+        else
+            decision = tierToDecision(tier);
+        const issueToken = decision === "require_approval";
+        const newToken = issueToken ? `apr_${event_id}` : null;
+        if (issueToken && newToken) {
+            pendingApprovalByToken.set(newToken, {
+                fingerprint,
+                expiresAt: Date.now() + 10 * 60 * 1000,
+            });
+        }
+        const response = {
+            decision,
+            skipped,
+            tier,
+            risk_score: skipped ? 0 : tier === "READ" ? 0 : tier === "MUTATE" ? 60 : 95,
+            reasons,
+            shadow: {
+                decision,
+                tier,
+                reasons: [],
+            },
+            approval: {
+                required: decision === "require_approval",
+                token: newToken,
+                expires_at: issueToken ? new Date(Date.now() + 10 * 60 * 1000).toISOString() : null,
+                instructions: decision === "require_approval"
+                    ? "Re-run the same proposal with context.approval.token set to the token value above (MUTATE only; DESTRUCTIVE cannot be approved this way)."
+                    : redeemed
+                        ? "Token consumed; this argv is cleared for one execution."
+                        : null,
+            },
+            audit: {
+                event_id,
+                timestamp: new Date().toISOString(),
+                latency_ms: Date.now() - startedAt,
+            },
+            execution: {
+                attempted: false,
+                result: null,
+            },
+        };
+        const firstReason = reasons.find((r) => typeof r?.message === "string")?.message ??
+            reasons.find((r) => typeof r?.code === "string")?.code ??
+            null;
+        const actionVerb = argv[1] ?? null;
+        const actionResource = argv.length > 2 ? argv.slice(2).join(" ") : null;
+        const status = decision === "allow" ? "passed" : decision === "block" ? "blocked" : "needs_approval";
+        void sendGuardEvent({
+            ts: new Date().toISOString(),
+            status,
+            tool: "auditor-mcp",
+            command_path: argv[0] ?? null,
+            verb: actionVerb,
+            resource: actionResource,
+            reason: firstReason,
+            cmd: argv.join(" "),
+            tier,
+            decision,
+            latency_ms: Date.now() - startedAt,
+            event_id,
+            installId: getInstallId(),
+            kind: input.proposal.kind,
+            ...(policyRevision !== null ? { policy_revision: policyRevision } : {}),
+        });
+        if (input.proposal.kind === "shell" &&
+            shouldRecordShellBridge({ decision, skipped, tier })) {
+            try {
+                await recordShellApprovalBridge(argv, { cwd: input.proposal.cwd });
+                reasons.push({
+                    code: "shell_bridge_recorded",
+                    message: "Recorded one-shot shell approval bridge for beforeShellExecution (same argv within TTL).",
+                });
+            }
+            catch {
+                reasons.push({
+                    code: "shell_bridge_record_failed",
+                    message: "Could not write shell approval bridge file; hook may still deny MUTATE.",
+                });
+            }
+        }
+        return {
+            content: [{ type: "text", text: JSON.stringify(response, null, 2) }],
+        };
+    });
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+}
+//# sourceMappingURL=server.js.map

package/dist/mcp/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAa,MAAM,oBAAoB,CAAC;AAEvF,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,yBAAyB,EAAE,uBAAuB,EAAE,MAAM,oCAAoC,CAAC;AACxG,OAAO,EACL,YAAY,EACZ,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAE9D,MAAM,eAAe,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC;AACtD,MAAM,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;AAEpD,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,IAAI,EAAE,eAAe;IACrB,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;QACjB,IAAI,EAAE,kBAAkB;QACxB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAChC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACnC,CAAC;IACF,OAAO,EAAE,CAAC;SACP,MAAM,CAAC;QACN,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACjC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC9B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,QAAQ,EAAE;KAC3E,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAIH,SAAS,cAAc,CAAC,IAAU;IAChC,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO,OAAO,CAAC;IACpC,IAAI,IAAI,KAAK,QAAQ;QAAE,OAAO,kBAAkB,CAAC;IACjD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,eAAe,CAAC,IAAuB;IAC9C,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,wFAAwF;AACxF,MAAM,sBAAsB,GAAG,IAAI,GAAG,EAAsD,CAAC;AAC7F,MAAM,kBAAkB,GAAG,OAAO,CAAC;AAEnC,SAAS,qBAAqB;IAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,sBAAsB,EAAE,CAAC;QAClD,IAAI,GAAG,GAAG,GAAG,CAAC,SAAS;YAAE,sBAAsB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,MAAM,qBAAqB,GAAG,eAAe,CAAC,gBAAgB,CAAC,CAAC;AAEhE,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AACjD,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AACjD,IAAI,cAAc,GAAyC,IAAI,CAAC;AAChE,IAAI,yBAAyB,GAAG,CAAC,CAAC;AAElC,SAAS,wBAAwB;IAC/B,IAAI,yBAAyB,GAAG,CAAC;QAAE,OAAO,0BAA0B,CAAC;IACrE,OAAO,IAAI,CAAC,GAAG,CACb,0BAA0B,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,yBAAyB,GAAG,CAAC,CAAC,EACzE,yBAAyB,CAC1B,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB;IAC5B,IAAI,cAAc;QAAE,YAAY,CAAC,cAAc,CAAC,CAAC;IACjD,cAAc,GAAG,UAAU,CAAC,KAAK,IAAI,EAAE;QACrC,yBAAyB,EAAE,CAAC;QAC5B,MAAM,kBAAkB,EAAE,CAAC;QAC3B,qBAAqB,EAAE,CAAC;IAC1B,CAAC,EAAE,wBAAwB,EAAE,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,kBAAkB;IACzB,yBAAyB,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,qBAAqB,CAAC;IACrF,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAClC,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,MAAM,OAAO,GAAG;QACd,SAAS,EAAE,YAAY,EAAE;QACzB,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,kBAAkB;QAC3B,MAAM,EAAE,SAAS;QACjB,MAAM,EAAE;YACN,EAAE,EAAE,OAAO,CAAC,QAAQ;YACpB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,IAAI,EAAE,OAAO,CAAC,OAAO;SACtB;KACF,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;YACpC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;YAC7B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,GAAG,CAAC,MAAM,MAAM,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,GAAG,IAAI,CAAC,CAAC;IAClE,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAC7B,KAAgC,EAChC,WAAmB,EACnB,IAAU;IAEV,IAAI,CAAC,KAAK,IAAI,IAAI,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC9C,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC;QACvC,IAAI,GAAG;YAAE,sBAAsB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9C,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,GAAG,CAAC,WAAW,KAAK,WAAW;QAAE,OAAO,KAAK,CAAC;IAClD,sBAAsB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACrC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,MAAM,GAAG,MAAM,cAAc,EAAE,CAAC;IACtC,MAAM,cAAc,GAAG,MAAM,sBAAsB,EAAE,CAAC;IACtD,MAAM,kBAAkB,EAAE,CAAC;IAC3B,qBAAqB,EAAE,CAAC;IAExB,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,kBAAkB;KAC5B,CAAC,CAAC;IAEH,MAAM,CAAC,YAAY,CACjB,OAAO,EACP;QACE,WAAW,EACT,6IAA6I;QAC/I,WAAW,EAAE,gBAAgB;KAC9B,EACD,KAAK,EAAE,KAAK,EAAE,EAAE;QACd,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC;QAC1B,qBAAqB,EAAE,CAAC;QACxB,kBAAkB,EAAE,CAAC;QAErB,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,WAAW;YACrC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC;YAChD,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;QAExB,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAC3B,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,OAAO;YAC7B,CAAC,CAAC,qBAAqB,CAAC,MAAM,EAAE,IAAI,CAAC;YACrC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAc,EAAE,UAAU,EAAE,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC;QAE1E,MAAM,IAAI,GAAS,UAAU,CAAC,IAAI,CAAC;QACnC,MAAM,OAAO,GAAG,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;QACxC,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,EAAE,QAAQ,EAAE,KAAK,IAAI,IAAI,CAAC;QAE9D,MAAM,QAAQ,GACZ,CAAC,OAAO,IAAI,sBAAsB,CAAC,cAAc,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;QAExE,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,iFAAiF;aAC3F,CAAC,CAAC;QACL,CAAC;QAED,IAAI,QAAkB,CAAC;QACvB,IAAI,OAAO,IAAI,QAAQ;YAAE,QAAQ,GAAG,OAAO,CAAC;aACvC,IAAI,IAAI,KAAK,aAAa;YAAE,QAAQ,GAAG,OAAO,CAAC;;YAC/C,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;QAErC,MAAM,UAAU,GAAG,QAAQ,KAAK,kBAAkB,CAAC;QACnD,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,QAAQ,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACvD,IAAI,UAAU,IAAI,QAAQ,EAAE,CAAC;YAC3B,sBAAsB,CAAC,GAAG,CAAC,QAAQ,EAAE;gBACnC,WAAW;gBACX,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;aACvC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,QAAQ,GAAG;YACf,QAAQ;YACR,OAAO;YACP,IAAI;YACJ,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE;YAC3E,OAAO;YACP,MAAM,EAAE;gBACN,QAAQ;gBACR,IAAI;gBACJ,OAAO,EAAE,EAAE;aACZ;YACD,QAAQ,EAAE;gBACR,QAAQ,EAAE,QAAQ,KAAK,kBAAkB;gBACzC,KAAK,EAAE,QAAQ;gBACf,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI;gBACnF,YAAY,EACV,QAAQ,KAAK,kBAAkB;oBAC7B,CAAC,CAAC,2IAA2I;oBAC7I,CAAC,CAAC,QAAQ;wBACR,CAAC,CAAC,yDAAyD;wBAC3D,CAAC,CAAC,IAAI;aACb;YACD,KAAK,EAAE;gBACL,QAAQ;gBACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC;YACD,SAAS,EAAE;gBACT,SAAS,EAAE,KAAK;gBAChB,MAAM,EAAE,IAAI;aACb;SACF,CAAC;QAEF,MAAM,WAAW,GACf,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,KAAK,QAAQ,CAAC,EAAE,OAAO;YAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,IAAI,KAAK,QAAQ,CAAC,EAAE,IAAI;YACtD,IAAI,CAAC;QACP,MAAM,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QACnC,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACxE,MAAM,MAAM,GACV,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAC;QAExF,KAAK,cAAc,CAAC;YAClB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAC5B,MAAM;YACN,IAAI,EAAE,aAAa;YACnB,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI;YAC7B,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,cAAc;YACxB,MAAM,EAAE,WAAW;YACnB,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;YACnB,IAAI;YACJ,QAAQ;YACR,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAClC,QAAQ;YACR,SAAS,EAAE,YAAY,EAAE;YACzB,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI;YACzB,GAAG,CAAC,cAAc,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACxE,CAAC,CAAC;QAEH,IACE,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,OAAO;YAC/B,uBAAuB,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,EACpD,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,yBAAyB,CAAC,IAAI,EAAE,EAAE,GAAG,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC;gBACnE,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,uBAAuB;oBAC7B,OAAO,EACL,0FAA0F;iBAC7F,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,4BAA4B;oBAClC,OAAO,EAAE,yEAAyE;iBACnF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;SACrE,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC"}