@red-codes/core 1.0.0

package/dist/persona.js

@@ -0,0 +1,138 @@
+// Agent persona resolver — merges persona from multiple sources (policy, env, per-action).
+// Layered: policy defaults < environment overrides < per-action overrides.
+const TRUST_TIERS = ['untrusted', 'limited', 'standard', 'elevated', 'admin'];
+const AUTONOMY_LEVELS = ['supervised', 'semi-autonomous', 'autonomous'];
+const RISK_TOLERANCES = ['conservative', 'moderate', 'aggressive'];
+const PERSONA_ROLES = ['developer', 'reviewer', 'ops', 'security', 'ci'];
+function isValidTrustTier(v) {
+    return TRUST_TIERS.includes(v);
+}
+function isValidAutonomy(v) {
+    return AUTONOMY_LEVELS.includes(v);
+}
+function isValidRiskTolerance(v) {
+    return RISK_TOLERANCES.includes(v);
+}
+function isValidRole(v) {
+    return PERSONA_ROLES.includes(v);
+}
+function mergeTags(...sources) {
+    const merged = new Set();
+    for (const tags of sources) {
+        if (tags) {
+            for (const t of tags)
+                merged.add(t);
+        }
+    }
+    return merged.size > 0 ? [...merged] : undefined;
+}
+function mergeModelMeta(...sources) {
+    const result = {};
+    for (const meta of sources) {
+        if (!meta)
+            continue;
+        if (meta.model)
+            result.model = meta.model;
+        if (meta.provider)
+            result.provider = meta.provider;
+        if (meta.runtime)
+            result.runtime = meta.runtime;
+        if (meta.version)
+            result.version = meta.version;
+    }
+    return Object.keys(result).length > 0 ? result : undefined;
+}
+/**
+ * Merge persona from multiple sources. Later sources override earlier ones.
+ * Order: policy defaults < environment overrides < per-action overrides.
+ */
+export function resolvePersona(policyPersona, envPersona, actionPersona) {
+    const result = {
+        modelMeta: mergeModelMeta(policyPersona?.modelMeta, envPersona?.modelMeta, actionPersona?.modelMeta),
+        trustTier: actionPersona?.trustTier ?? envPersona?.trustTier ?? policyPersona?.trustTier,
+        autonomy: actionPersona?.autonomy ?? envPersona?.autonomy ?? policyPersona?.autonomy,
+        riskTolerance: actionPersona?.riskTolerance ?? envPersona?.riskTolerance ?? policyPersona?.riskTolerance,
+        role: actionPersona?.role ?? envPersona?.role ?? policyPersona?.role,
+        tags: mergeTags(policyPersona?.tags, envPersona?.tags, actionPersona?.tags),
+    };
+    return result;
+}
+/**
+ * Read persona fields from environment variables.
+ * Returns undefined if no persona env vars are set.
+ *
+ * Supported variables:
+ * - AGENTGUARD_PERSONA_MODEL
+ * - AGENTGUARD_PERSONA_PROVIDER
+ * - AGENTGUARD_PERSONA_RUNTIME
+ * - AGENTGUARD_PERSONA_VERSION
+ * - AGENTGUARD_PERSONA_TRUST_TIER
+ * - AGENTGUARD_PERSONA_AUTONOMY
+ * - AGENTGUARD_PERSONA_RISK_TOLERANCE
+ * - AGENTGUARD_PERSONA_ROLE
+ * - AGENTGUARD_PERSONA_TAGS (comma-separated)
+ */
+export function personaFromEnv(env = process.env) {
+    const model = env.AGENTGUARD_PERSONA_MODEL;
+    const provider = env.AGENTGUARD_PERSONA_PROVIDER;
+    const runtime = env.AGENTGUARD_PERSONA_RUNTIME;
+    const version = env.AGENTGUARD_PERSONA_VERSION;
+    const trustTier = env.AGENTGUARD_PERSONA_TRUST_TIER;
+    const autonomy = env.AGENTGUARD_PERSONA_AUTONOMY;
+    const riskTolerance = env.AGENTGUARD_PERSONA_RISK_TOLERANCE;
+    const role = env.AGENTGUARD_PERSONA_ROLE;
+    const tagsRaw = env.AGENTGUARD_PERSONA_TAGS;
+    let hasAny = false;
+    const result = {};
+    // Model metadata
+    const modelMeta = {};
+    if (model) {
+        modelMeta.model = model;
+        hasAny = true;
+    }
+    if (provider) {
+        modelMeta.provider = provider;
+        hasAny = true;
+    }
+    if (runtime) {
+        modelMeta.runtime = runtime;
+        hasAny = true;
+    }
+    if (version) {
+        modelMeta.version = version;
+        hasAny = true;
+    }
+    if (Object.keys(modelMeta).length > 0) {
+        result.modelMeta = modelMeta;
+    }
+    // Behavioral traits
+    if (trustTier && isValidTrustTier(trustTier)) {
+        result.trustTier = trustTier;
+        hasAny = true;
+    }
+    if (autonomy && isValidAutonomy(autonomy)) {
+        result.autonomy = autonomy;
+        hasAny = true;
+    }
+    if (riskTolerance && isValidRiskTolerance(riskTolerance)) {
+        result.riskTolerance = riskTolerance;
+        hasAny = true;
+    }
+    if (role && isValidRole(role)) {
+        result.role = role;
+        hasAny = true;
+    }
+    if (tagsRaw) {
+        const tags = tagsRaw
+            .split(',')
+            .map((t) => t.trim())
+            .filter((t) => t.length > 0);
+        if (tags.length > 0) {
+            result.tags = tags;
+            hasAny = true;
+        }
+    }
+    return hasAny ? result : undefined;
+}
+export { TRUST_TIERS, AUTONOMY_LEVELS, RISK_TOLERANCES, PERSONA_ROLES, isValidTrustTier, isValidAutonomy, isValidRiskTolerance, isValidRole, };
+//# sourceMappingURL=persona.js.map

package/dist/persona.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"persona.js","sourceRoot":"","sources":["../src/persona.ts"],"names":[],"mappings":"AAAA,2FAA2F;AAC3F,2EAA2E;AAW3E,MAAM,WAAW,GAAsB,CAAC,WAAW,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;AACjG,MAAM,eAAe,GAAsB,CAAC,YAAY,EAAE,iBAAiB,EAAE,YAAY,CAAC,CAAC;AAC3F,MAAM,eAAe,GAAsB,CAAC,cAAc,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;AACtF,MAAM,aAAa,GAAsB,CAAC,WAAW,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,CAAC,CAAC;AAE5F,SAAS,gBAAgB,CAAC,CAAS;IACjC,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,OAAO,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,oBAAoB,CAAC,CAAS;IACrC,OAAO,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,OAAO,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,SAAS,CAAC,GAAG,OAA0C;IAC9D,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,IAAI,IAAI,EAAE,CAAC;YACT,KAAK,MAAM,CAAC,IAAI,IAAI;gBAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACnD,CAAC;AAED,SAAS,cAAc,CAAC,GAAG,OAAuC;IAChE,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,IAAI,IAAI,CAAC,KAAK;YAAE,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QAC1C,IAAI,IAAI,CAAC,QAAQ;YAAE,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QACnD,IAAI,IAAI,CAAC,OAAO;YAAE,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAChD,IAAI,IAAI,CAAC,OAAO;YAAE,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;IAClD,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;AAC7D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAC5B,aAAqC,EACrC,UAAkC,EAClC,aAAqC;IAErC,MAAM,MAAM,GAAiB;QAC3B,SAAS,EAAE,cAAc,CACvB,aAAa,EAAE,SAAS,EACxB,UAAU,EAAE,SAAS,EACrB,aAAa,EAAE,SAAS,CACzB;QACD,SAAS,EAAE,aAAa,EAAE,SAAS,IAAI,UAAU,EAAE,SAAS,IAAI,aAAa,EAAE,SAAS;QACxF,QAAQ,EAAE,aAAa,EAAE,QAAQ,IAAI,UAAU,EAAE,QAAQ,IAAI,aAAa,EAAE,QAAQ;QACpF,aAAa,EACX,aAAa,EAAE,aAAa,IAAI,UAAU,EAAE,aAAa,IAAI,aAAa,EAAE,aAAa;QAC3F,IAAI,EAAE,aAAa,EAAE,IAAI,IAAI,UAAU,EAAE,IAAI,IAAI,aAAa,EAAE,IAAI;QACpE,IAAI,EAAE,SAAS,CAAC,aAAa,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,CAAC;KAC5E,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,cAAc,CAC5B,MAA0C,OAAO,CAAC,GAAG;IAErD,MAAM,KAAK,GAAG,GAAG,CAAC,wBAAwB,CAAC;IAC3C,MAAM,QAAQ,GAAG,GAAG,CAAC,2BAA2B,CAAC;IACjD,MAAM,OAAO,GAAG,GAAG,CAAC,0BAA0B,CAAC;IAC/C,MAAM,OAAO,GAAG,GAAG,CAAC,0BAA0B,CAAC;IAC/C,MAAM,SAAS,GAAG,GAAG,CAAC,6BAA6B,CAAC;IACpD,MAAM,QAAQ,GAAG,GAAG,CAAC,2BAA2B,CAAC;IACjD,MAAM,aAAa,GAAG,GAAG,CAAC,iCAAiC,CAAC;IAC5D,MAAM,IAAI,GAAG,GAAG,CAAC,uBAAuB,CAAC;IACzC,MAAM,OAAO,GAAG,GAAG,CAAC,uBAAuB,CAAC;IAE5C,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,MAAM,MAAM,GAA4B,EAAE,CAAC;IAE3C,iBAAiB;IACjB,MAAM,SAAS,GAA2B,EAAE,CAAC;IAC7C,IAAI,KAAK,EAAE,CAAC;QACV,SAAS,CAAC,KAAK,GAAG,KAAK,CAAC;QACxB,MAAM,GAAG,IAAI,CAAC;IAChB,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,SAAS,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAC9B,MAAM,GAAG,IAAI,CAAC;IAChB,CAAC;IACD,IAAI,OAAO,EAAE,CAAC;QACZ,SAAS,CAAC,OAAO,GAAG,OAAO,CAAC;QAC5B,MAAM,GAAG,IAAI,CAAC;IAChB,CAAC;IACD,IAAI,OAAO,EAAE,CAAC;QACZ,SAAS,CAAC,OAAO,GAAG,OAAO,CAAC;QAC5B,MAAM,GAAG,IAAI,CAAC;IAChB,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtC,MAAM,CAAC,SAAS,GAAG,SAAS,CAAC;IAC/B,CAAC;IAED,oBAAoB;IACpB,IAAI,SAAS,IAAI,gBAAgB,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7C,MAAM,CAAC,SAAS,GAAG,SAAS,CAAC;QAC7B,MAAM,GAAG,IAAI,CAAC;IAChB,CAAC;IACD,IAAI,QAAQ,IAAI,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1C,MAAM,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAC3B,MAAM,GAAG,IAAI,CAAC;IAChB,CAAC;IACD,IAAI,aAAa,IAAI,oBAAoB,CAAC,aAAa,CAAC,EAAE,CAAC;QACzD,MAAM,CAAC,aAAa,GAAG,aAAa,CAAC;QACrC,MAAM,GAAG,IAAI,CAAC;IAChB,CAAC;IACD,IAAI,IAAI,IAAI,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC;QACnB,MAAM,GAAG,IAAI,CAAC;IAChB,CAAC;IACD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,OAAO;aACjB,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC/B,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC;YACnB,MAAM,GAAG,IAAI,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC,CAAC,CAAE,MAAgC,CAAC,CAAC,CAAC,SAAS,CAAC;AAChE,CAAC;AAED,OAAO,EACL,WAAW,EACX,eAAe,EACf,eAAe,EACf,aAAa,EACb,gBAAgB,EAChB,eAAe,EACf,oBAAoB,EACpB,WAAW,GACZ,CAAC"}

package/dist/repo-root.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Returns the main git repository root, resolving through worktrees.
+ * In a worktree, this returns the main repo root (not the worktree root).
+ * Falls back to process.cwd() if not in a git repo or git is unavailable.
+ * Result is cached per-process.
+ */
+export declare function resolveMainRepoRoot(): string;
+/**
+ * Returns true if the current working directory is a git worktree
+ * (not the main repository checkout).
+ */
+export declare function isWorktree(): boolean;
+/** Reset the cached root (for testing). */
+export declare function _resetRepoRootCache(): void;
+//# sourceMappingURL=repo-root.d.ts.map

package/dist/repo-root.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"repo-root.d.ts","sourceRoot":"","sources":["../src/repo-root.ts"],"names":[],"mappings":"AASA;;;;;GAKG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAqB5C;AAED;;;GAGG;AACH,wBAAgB,UAAU,IAAI,OAAO,CAWpC;AAED,2CAA2C;AAC3C,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C"}

package/dist/repo-root.js

@@ -0,0 +1,56 @@
+// Worktree-aware repository root resolution.
+// In a git worktree, process.cwd() returns the worktree path, not the main repo root.
+// This utility resolves the main repo root so governance paths (policy, storage, hooks)
+// are consistent across all worktrees.
+import { execSync } from 'node:child_process';
+let _cachedMainRoot; // undefined = not yet computed
+/**
+ * Returns the main git repository root, resolving through worktrees.
+ * In a worktree, this returns the main repo root (not the worktree root).
+ * Falls back to process.cwd() if not in a git repo or git is unavailable.
+ * Result is cached per-process.
+ */
+export function resolveMainRepoRoot() {
+    if (_cachedMainRoot !== undefined)
+        return _cachedMainRoot ?? process.cwd();
+    try {
+        // `git worktree list --porcelain` always lists the main worktree first
+        const output = execSync('git worktree list --porcelain', {
+            encoding: 'utf8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+            timeout: 3000,
+        });
+        const firstLine = output.split('\n')[0];
+        if (firstLine?.startsWith('worktree ')) {
+            _cachedMainRoot = firstLine.slice('worktree '.length).trim();
+            return _cachedMainRoot;
+        }
+    }
+    catch {
+        // Not in a git repo, or git not available
+    }
+    _cachedMainRoot = null;
+    return process.cwd();
+}
+/**
+ * Returns true if the current working directory is a git worktree
+ * (not the main repository checkout).
+ */
+export function isWorktree() {
+    try {
+        const toplevel = execSync('git rev-parse --show-toplevel', {
+            encoding: 'utf8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+            timeout: 3000,
+        }).trim();
+        return toplevel !== resolveMainRepoRoot();
+    }
+    catch {
+        return false;
+    }
+}
+/** Reset the cached root (for testing). */
+export function _resetRepoRootCache() {
+    _cachedMainRoot = undefined;
+}
+//# sourceMappingURL=repo-root.js.map

package/dist/repo-root.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"repo-root.js","sourceRoot":"","sources":["../src/repo-root.ts"],"names":[],"mappings":"AAAA,6CAA6C;AAC7C,sFAAsF;AACtF,wFAAwF;AACxF,uCAAuC;AAEvC,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE9C,IAAI,eAA0C,CAAC,CAAC,+BAA+B;AAE/E;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,eAAe,KAAK,SAAS;QAAE,OAAO,eAAe,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAE3E,IAAI,CAAC;QACH,uEAAuE;QACvE,MAAM,MAAM,GAAG,QAAQ,CAAC,+BAA+B,EAAE;YACvD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,OAAO,EAAE,IAAI;SACd,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,IAAI,SAAS,EAAE,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YACvC,eAAe,GAAG,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;YAC7D,OAAO,eAAe,CAAC;QACzB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,0CAA0C;IAC5C,CAAC;IAED,eAAe,GAAG,IAAI,CAAC;IACvB,OAAO,OAAO,CAAC,GAAG,EAAE,CAAC;AACvB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU;IACxB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,QAAQ,CAAC,+BAA+B,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,OAAO,EAAE,IAAI;SACd,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,QAAQ,KAAK,mBAAmB,EAAE,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,2CAA2C;AAC3C,MAAM,UAAU,mBAAmB;IACjC,eAAe,GAAG,SAAS,CAAC;AAC9B,CAAC"}

package/dist/rng.d.ts

@@ -0,0 +1,29 @@
+/**
+ * A seeded PRNG instance. All methods are deterministic given the same
+ * seed and the same sequence of calls.
+ */
+export interface SeededRng {
+    /** The seed used to initialize this RNG */
+    readonly seed: number;
+    /** Returns a random float in [0, 1) */
+    random(): number;
+    /** Returns a random integer in [min, max) */
+    randomInt(min: number, max: number): number;
+    /** Returns a random hex string of the given length */
+    randomHex(length: number): string;
+    /** Creates a fork with a derived seed (independent stream) */
+    fork(): SeededRng;
+}
+/**
+ * Generate a seed from system entropy (non-deterministic).
+ * Used when recording a new session to capture the initial seed.
+ */
+export declare function generateSeed(): number;
+/**
+ * Create a seeded PRNG using the mulberry32 algorithm.
+ *
+ * Mulberry32 is a simple 32-bit state PRNG with good statistical properties.
+ * It passes BigCrush and is sufficient for ID generation and shuffling.
+ */
+export declare function createSeededRng(seed: number): SeededRng;
+//# sourceMappingURL=rng.d.ts.map

package/dist/rng.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rng.d.ts","sourceRoot":"","sources":["../src/rng.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,2CAA2C;IAC3C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,uCAAuC;IACvC,MAAM,IAAI,MAAM,CAAC;IACjB,6CAA6C;IAC7C,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5C,sDAAsD;IACtD,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IAClC,8DAA8D;IAC9D,IAAI,IAAI,SAAS,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,CAoCvD"}

package/dist/rng.js

@@ -0,0 +1,48 @@
+// Seeded pseudo-random number generator for deterministic replay.
+// Uses the mulberry32 algorithm — fast, simple, well-distributed outputs.
+// Same seed + same call sequence = identical results.
+/**
+ * Generate a seed from system entropy (non-deterministic).
+ * Used when recording a new session to capture the initial seed.
+ */
+export function generateSeed() {
+    return (Math.random() * 0xffffffff) >>> 0;
+}
+/**
+ * Create a seeded PRNG using the mulberry32 algorithm.
+ *
+ * Mulberry32 is a simple 32-bit state PRNG with good statistical properties.
+ * It passes BigCrush and is sufficient for ID generation and shuffling.
+ */
+export function createSeededRng(seed) {
+    let state = seed >>> 0;
+    function next() {
+        state |= 0;
+        state = (state + 0x6d2b79f5) | 0;
+        let t = Math.imul(state ^ (state >>> 15), 1 | state);
+        t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
+        return ((t ^ (t >>> 14)) >>> 0) / 0x100000000;
+    }
+    return {
+        get seed() {
+            return seed;
+        },
+        random: next,
+        randomInt(min, max) {
+            return Math.floor(next() * (max - min)) + min;
+        },
+        randomHex(length) {
+            const chars = '0123456789abcdef';
+            let result = '';
+            for (let i = 0; i < length; i++) {
+                result += chars[Math.floor(next() * 16)];
+            }
+            return result;
+        },
+        fork() {
+            const derivedSeed = (next() * 0xffffffff) >>> 0;
+            return createSeededRng(derivedSeed);
+        },
+    };
+}
+//# sourceMappingURL=rng.js.map

package/dist/rng.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rng.js","sourceRoot":"","sources":["../src/rng.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,0EAA0E;AAC1E,sDAAsD;AAmBtD;;;GAGG;AACH,MAAM,UAAU,YAAY;IAC1B,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,IAAI,KAAK,GAAG,IAAI,KAAK,CAAC,CAAC;IAEvB,SAAS,IAAI;QACX,KAAK,IAAI,CAAC,CAAC;QACX,KAAK,GAAG,CAAC,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,KAAK,KAAK,EAAE,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC;QACrD,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAC/C,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,WAAW,CAAC;IAChD,CAAC;IAED,OAAO;QACL,IAAI,IAAI;YACN,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,EAAE,IAAI;QAEZ,SAAS,CAAC,GAAW,EAAE,GAAW;YAChC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC,GAAG,GAAG,CAAC;QAChD,CAAC;QAED,SAAS,CAAC,MAAc;YACtB,MAAM,KAAK,GAAG,kBAAkB,CAAC;YACjC,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAChC,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;YAC3C,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,IAAI;YACF,MAAM,WAAW,GAAG,CAAC,IAAI,EAAE,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;YAChD,OAAO,eAAe,CAAC,WAAW,CAAC,CAAC;QACtC,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/rtk.d.ts

@@ -0,0 +1,22 @@
+export interface RtkDetectionResult {
+    readonly available: boolean;
+    readonly version?: string;
+}
+export interface RtkRewriteResult {
+    readonly rewritten: boolean;
+    readonly command: string;
+}
+/**
+ * Detect whether rtk is installed and available on PATH.
+ * Result is cached for the lifetime of the process.
+ */
+export declare function detectRtk(): RtkDetectionResult;
+/**
+ * Ask rtk to rewrite a command for token-optimized output.
+ * If rtk has an equivalent (exit 0), returns the rewritten command.
+ * If no equivalent (exit 1) or rtk is unavailable, returns the original command.
+ */
+export declare function rtkRewrite(command: string): RtkRewriteResult;
+/** Reset the cached detection result. Exported for testing. */
+export declare function resetRtkCache(): void;
+//# sourceMappingURL=rtk.d.ts.map

package/dist/rtk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rtk.d.ts","sourceRoot":"","sources":["../src/rtk.ts"],"names":[],"mappings":"AASA,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAID;;;GAGG;AACH,wBAAgB,SAAS,IAAI,kBAAkB,CAqB9C;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,CAmB5D;AAED,+DAA+D;AAC/D,wBAAgB,aAAa,IAAI,IAAI,CAEpC"}

package/dist/rtk.js

@@ -0,0 +1,61 @@
+// RTK (rtk-ai/rtk) detection and integration utility.
+// RTK is a CLI proxy that reduces LLM token consumption by 60-90%
+// through intelligent command output filtering.
+// All functions are safe to call when rtk is not installed — they return graceful defaults.
+import { execSync } from 'node:child_process';
+const RTK_DETECT_TIMEOUT = 2_000;
+let cachedDetection = null;
+/**
+ * Detect whether rtk is installed and available on PATH.
+ * Result is cached for the lifetime of the process.
+ */
+export function detectRtk() {
+    if (cachedDetection !== null)
+        return cachedDetection;
+    try {
+        const output = execSync('rtk --version', {
+            encoding: 'utf8',
+            timeout: RTK_DETECT_TIMEOUT,
+            stdio: ['ignore', 'pipe', 'ignore'],
+        }).trim();
+        // rtk --version outputs something like "rtk 0.30.0" or just "0.30.0"
+        const versionMatch = output.match(/(\d+\.\d+\.\d+)/);
+        cachedDetection = {
+            available: true,
+            version: versionMatch?.[1],
+        };
+    }
+    catch {
+        cachedDetection = { available: false };
+    }
+    return cachedDetection;
+}
+/**
+ * Ask rtk to rewrite a command for token-optimized output.
+ * If rtk has an equivalent (exit 0), returns the rewritten command.
+ * If no equivalent (exit 1) or rtk is unavailable, returns the original command.
+ */
+export function rtkRewrite(command) {
+    const rtk = detectRtk();
+    if (!rtk.available)
+        return { rewritten: false, command };
+    try {
+        const rewritten = execSync(`rtk rewrite ${JSON.stringify(command)}`, {
+            encoding: 'utf8',
+            timeout: RTK_DETECT_TIMEOUT,
+            stdio: ['ignore', 'pipe', 'ignore'],
+        }).trim();
+        if (rewritten) {
+            return { rewritten: true, command: rewritten };
+        }
+    }
+    catch {
+        // Exit code 1 = no rtk equivalent, or rtk error — use original
+    }
+    return { rewritten: false, command };
+}
+/** Reset the cached detection result. Exported for testing. */
+export function resetRtkCache() {
+    cachedDetection = null;
+}
+//# sourceMappingURL=rtk.js.map

package/dist/rtk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rtk.js","sourceRoot":"","sources":["../src/rtk.ts"],"names":[],"mappings":"AAAA,sDAAsD;AACtD,kEAAkE;AAClE,gDAAgD;AAChD,4FAA4F;AAE5F,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE9C,MAAM,kBAAkB,GAAG,KAAK,CAAC;AAYjC,IAAI,eAAe,GAA8B,IAAI,CAAC;AAEtD;;;GAGG;AACH,MAAM,UAAU,SAAS;IACvB,IAAI,eAAe,KAAK,IAAI;QAAE,OAAO,eAAe,CAAC;IAErD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CAAC,eAAe,EAAE;YACvC,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,kBAAkB;YAC3B,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC,IAAI,EAAE,CAAC;QAEV,qEAAqE;QACrE,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QACrD,eAAe,GAAG;YAChB,SAAS,EAAE,IAAI;YACf,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;SAC3B,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,eAAe,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACzC,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,OAAe;IACxC,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;IACxB,IAAI,CAAC,GAAG,CAAC,SAAS;QAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAEzD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,QAAQ,CAAC,eAAe,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,EAAE;YACnE,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,kBAAkB;YAC3B,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC,IAAI,EAAE,CAAC;QAEV,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,+DAA+D;IACjE,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;AACvC,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,aAAa;IAC3B,eAAe,GAAG,IAAI,CAAC;AACzB,CAAC"}

package/dist/trust-store.d.ts

@@ -0,0 +1,19 @@
+export interface TrustEntry {
+    path: string;
+    hash: string;
+    trustedAt: string;
+    trustedBy: 'user' | 'ci-override';
+}
+export interface TrustStore {
+    version: 1;
+    entries: Record<string, TrustEntry>;
+}
+export declare function loadTrustStore(): TrustStore;
+export declare function saveTrustStore(store: TrustStore): void;
+export declare function computeFileHash(filePath: string): Promise<string>;
+export declare function verifyTrust(filePath: string): Promise<'trusted' | 'untrusted' | 'content_changed'>;
+export declare function trustFile(filePath: string): Promise<TrustEntry>;
+export declare function revokeTrust(filePath: string): void;
+export declare function detectCiPlatform(): string | null;
+export declare function isCiTrustOverride(): boolean;
+//# sourceMappingURL=trust-store.d.ts.map

package/dist/trust-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust-store.d.ts","sourceRoot":"","sources":["../src/trust-store.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,GAAG,aAAa,CAAC;CACnC;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;CACrC;AAsBD,wBAAgB,cAAc,IAAI,UAAU,CAe3C;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI,CAItD;AAED,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEvE;AAED,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,SAAS,GAAG,WAAW,GAAG,iBAAiB,CAAC,CAOtD;AAED,wBAAsB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAarE;AAED,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAKlD;AAED,wBAAgB,gBAAgB,IAAI,MAAM,GAAG,IAAI,CAUhD;AAED,wBAAgB,iBAAiB,IAAI,OAAO,CAE3C"}

package/dist/trust-store.js

@@ -0,0 +1,98 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync, realpathSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { homedir } from 'node:os';
+import { computeSHA256 } from './crypto-hash.js';
+const CURRENT_VERSION = 1;
+function getTrustStorePath() {
+    const base = process.env.AGENTGUARD_HOME ?? join(homedir(), '.agentguard');
+    return join(base, 'trust.json');
+}
+function ensureDir(filePath) {
+    const dir = dirname(filePath);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+}
+function canonicalPath(filePath) {
+    try {
+        return realpathSync(filePath);
+    }
+    catch {
+        return filePath;
+    }
+}
+export function loadTrustStore() {
+    const storePath = getTrustStorePath();
+    if (!existsSync(storePath))
+        return { version: CURRENT_VERSION, entries: {} };
+    try {
+        const raw = JSON.parse(readFileSync(storePath, 'utf8'));
+        if (raw.version !== CURRENT_VERSION) {
+            process.stderr.write(`Warning: Trust store version ${String(raw.version)} not recognized, treating as empty\n`);
+            return { version: CURRENT_VERSION, entries: {} };
+        }
+        return { version: CURRENT_VERSION, entries: (raw.entries ?? {}) };
+    }
+    catch {
+        return { version: CURRENT_VERSION, entries: {} };
+    }
+}
+export function saveTrustStore(store) {
+    const storePath = getTrustStorePath();
+    ensureDir(storePath);
+    writeFileSync(storePath, JSON.stringify(store, null, 2));
+}
+export async function computeFileHash(filePath) {
+    return computeSHA256(readFileSync(filePath));
+}
+export async function verifyTrust(filePath) {
+    const canonical = canonicalPath(filePath);
+    const store = loadTrustStore();
+    const entry = store.entries[canonical];
+    if (!entry)
+        return 'untrusted';
+    const currentHash = await computeFileHash(filePath);
+    return currentHash === entry.hash ? 'trusted' : 'content_changed';
+}
+export async function trustFile(filePath) {
+    const canonical = canonicalPath(filePath);
+    const hash = await computeFileHash(filePath);
+    const entry = {
+        path: canonical,
+        hash,
+        trustedAt: new Date().toISOString(),
+        trustedBy: 'user',
+    };
+    const store = loadTrustStore();
+    store.entries[canonical] = entry;
+    saveTrustStore(store);
+    return entry;
+}
+export function revokeTrust(filePath) {
+    const canonical = canonicalPath(filePath);
+    const store = loadTrustStore();
+    delete store.entries[canonical];
+    saveTrustStore(store);
+}
+export function detectCiPlatform() {
+    if (process.env.GITHUB_ACTIONS)
+        return 'github-actions';
+    if (process.env.GITLAB_CI)
+        return 'gitlab-ci';
+    if (process.env.JENKINS_URL)
+        return 'jenkins';
+    if (process.env.CIRCLECI)
+        return 'circleci';
+    if (process.env.TRAVIS)
+        return 'travis';
+    if (process.env.BUILDKITE)
+        return 'buildkite';
+    if (process.env.CODEBUILD_BUILD_ID)
+        return 'aws-codebuild';
+    if (process.env.TF_BUILD)
+        return 'azure-devops';
+    return null;
+}
+export function isCiTrustOverride() {
+    return process.env.AGENTGUARD_TRUST_PROJECT_POLICY === '1' && detectCiPlatform() !== null;
+}
+//# sourceMappingURL=trust-store.js.map

package/dist/trust-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust-store.js","sourceRoot":"","sources":["../src/trust-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC3F,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAcjD,MAAM,eAAe,GAAG,CAAC,CAAC;AAE1B,SAAS,iBAAiB;IACxB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,aAAa,CAAC,CAAC;IAC3E,OAAO,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB;IACjC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB;IACrC,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;IACtC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IAC7E,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAA4B,CAAC;QACnF,IAAI,GAAG,CAAC,OAAO,KAAK,eAAe,EAAE,CAAC;YACpC,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,gCAAgC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,sCAAsC,CAC1F,CAAC;YACF,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACnD,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAA+B,EAAE,CAAC;IAClG,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACnD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,KAAiB;IAC9C,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;IACtC,SAAS,CAAC,SAAS,CAAC,CAAC;IACrB,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,QAAgB;IACpD,OAAO,aAAa,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,QAAgB;IAEhB,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACvC,IAAI,CAAC,KAAK;QAAE,OAAO,WAAW,CAAC;IAC/B,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;IACpD,OAAO,WAAW,KAAK,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,iBAAiB,CAAC;AACpE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,QAAgB;IAC9C,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC7C,MAAM,KAAK,GAAe;QACxB,IAAI,EAAE,SAAS;QACf,IAAI;QACJ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,SAAS,EAAE,MAAM;KAClB,CAAC;IACF,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC;IACjC,cAAc,CAAC,KAAK,CAAC,CAAC;IACtB,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,QAAgB;IAC1C,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,OAAO,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,cAAc,CAAC,KAAK,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;QAAE,OAAO,gBAAgB,CAAC;IACxD,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,OAAO,WAAW,CAAC;IAC9C,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW;QAAE,OAAO,SAAS,CAAC;IAC9C,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ;QAAE,OAAO,UAAU,CAAC;IAC5C,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM;QAAE,OAAO,QAAQ,CAAC;IACxC,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,OAAO,WAAW,CAAC;IAC9C,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAAE,OAAO,eAAe,CAAC;IAC3D,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ;QAAE,OAAO,cAAc,CAAC;IAChD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,OAAO,CAAC,GAAG,CAAC,+BAA+B,KAAK,GAAG,IAAI,gBAAgB,EAAE,KAAK,IAAI,CAAC;AAC5F,CAAC"}