@remnic/core 1.1.1 → 1.1.3

package/dist/chunk-7GCMLT7J.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/operator-toolkit.ts","../src/namespaces/migrate.ts"],"sourcesContent":["import path from \"node:path\";\nimport { constants as fsConstants } from \"node:fs\";\nimport { access, mkdir, readFile, readdir, stat, unlink, writeFile } from \"node:fs/promises\";\nimport { lintWorkspaceFiles } from \"./hygiene.js\";\nimport { parseConfig } from \"./config.js\";\nimport { readEnvVar, resolveHomeDir } from \"./runtime/env.js\";\nimport { resolveRemnicPluginEntry } from \"./plugin-id.js\";\nimport {\n  resolveCuratedIncludeFilesStatePath,\n  resolveNativeKnowledgeStatePath,\n  resolveOpenClawWorkspaceStatePath,\n} from \"./native-knowledge.js\";\nimport { StorageManager } from \"./storage.js\";\nimport { listNamespaces } from \"./namespaces/migrate.js\";\nimport {\n  createEvalBaselineSnapshot,\n  getEvalHarnessStatus,\n  runEvalBaselineDeltaReport,\n  runEvalBenchmarkCiGate,\n  validateEvalBenchmarkPack,\n  type EvalBaselineDeltaReport,\n  type EvalCiGateReport,\n  type EvalHarnessStatus,\n} from \"./evals.js\";\nimport { analyzeGraphHealth, type GraphHealthReport } from \"./graph.js\";\nimport {\n  analyzeSessionIntegrity,\n  applySessionRepair,\n  planSessionRepair,\n  type SessionIntegrityReport,\n  type SessionRepairApplyResult,\n  type SessionRepairPlan,\n} from \"./session-integrity.js\";\nimport {\n  listMemoryGovernanceRuns,\n  readMemoryGovernanceRunArtifact,\n} from \"./maintenance/memory-governance.js\";\nimport {\n  runConsolidationProvenanceCheck,\n  type ConsolidationProvenanceReport,\n} from \"./consolidation-provenance-check.js\";\nimport type {\n  BufferSurpriseEvent,\n  DreamsPhasesConfig,\n  FileHygieneConfig,\n  MemoryFile,\n  PluginConfig,\n} from \"./types.js\";\nimport { reportBufferSurpriseDistribution } from \"./buffer-surprise-report.js\";\nimport { readJudgeVerdictStats } from \"./extraction-judge-telemetry.js\";\n\ninterface QmdRuntimeLike {\n  probe(): Promise<boolean>;\n  isAvailable(): boolean;\n  ensureCollection(memoryDir: string): Promise<\"present\" | \"missing\" | \"unknown\" | \"skipped\">;\n  debugStatus(): string;\n}\n\nfunction isMissingPathError(error: unknown): boolean {\n  return typeof error === \"object\"\n    && error !== null\n    && \"code\" in error\n    && (error as { code?: unknown }).code === \"ENOENT\";\n}\n\nfunction formatUnknownError(error: unknown): string {\n  return error instanceof Error ? error.message : String(error);\n}\n\ninterface ConversationIndexLike {\n  getConversationIndexHealth(): Promise<{\n    enabled: boolean;\n    backend: \"qmd\" | \"faiss\";\n    status: \"ok\" | \"degraded\" | \"disabled\";\n    chunkDocCount: number;\n    lastUpdateAt: string | null;\n    qmdAvailable?: boolean;\n    faiss?: {\n      ok: boolean;\n      status: \"ok\" | \"degraded\" | \"error\";\n      indexPath: string;\n      message?: string;\n      manifest?: {\n        version: number;\n        modelId: string;\n        normalizedModelId: string;\n        dimension: number;\n        chunkCount: number;\n        updatedAt: string;\n        lastSuccessfulRebuildAt: string;\n      };\n    };\n  }>;\n  rebuildConversationIndex(\n    sessionKey?: string,\n    hours?: number,\n    opts?: { embed?: boolean },\n  ): Promise<{\n    chunks: number;\n    skipped: boolean;\n    reason?: string;\n    embedded?: boolean;\n    rebuilt?: boolean;\n  }>;\n}\n\nexport interface OperatorToolkitOrchestrator extends ConversationIndexLike {\n  config: PluginConfig;\n  storage: StorageManager;\n  qmd: QmdRuntimeLike;\n}\n\nexport interface OperatorConfigLoadResult {\n  found: boolean;\n  path: string;\n  parsed: boolean;\n  memoryDir?: string;\n  workspaceDir?: string;\n  error?: string;\n}\n\nexport interface OperatorSetupReport {\n  schemaVersion: 1;\n  generatedAt: string;\n  config: OperatorConfigLoadResult;\n  memoryDir: string;\n  workspaceDir: string;\n  directories: Array<{ path: string; exists: boolean; writable: boolean }>;\n  qmd: {\n    enabled: boolean;\n    available: boolean;\n    collectionState: \"present\" | \"missing\" | \"unknown\" | \"skipped\";\n    debugStatus: string;\n  };\n  nativeKnowledge: {\n    enabled: boolean;\n    includeFiles: string[];\n    curatedIncludeSync: {\n      statePath: string;\n      exists: boolean;\n      updatedAt: string | null;\n      fileCount: number;\n      activeChunkCount: number;\n      deletedFileCount: number;\n    };\n    openclawWorkspaceAdapterEnabled: boolean;\n    obsidianVaultAdapterEnabled: boolean;\n    obsidianSync: {\n      statePath: string;\n      exists: boolean;\n      updatedAt: string | null;\n      vaultCount: number;\n      activeChunkCount: number;\n      deletedNoteCount: number;\n    };\n    openclawWorkspaceSync: {\n      statePath: string;\n      exists: boolean;\n      updatedAt: string | null;\n      fileCount: number;\n      activeChunkCount: number;\n      deletedFileCount: number;\n    };\n  };\n  explicitCapture: {\n    captureMode: string;\n    enabled: boolean;\n    memoryDocPath: string;\n    memoryDocExists: boolean;\n    memoryDocInstalled: boolean;\n    memoryDocUpdated: boolean;\n    memoryDocRemoved: boolean;\n    preview: string | null;\n  };\n  nextSteps: string[];\n  verificationCommands: string[];\n}\n\nexport interface OperatorDoctorCheck {\n  key: string;\n  status: \"ok\" | \"warn\" | \"error\";\n  summary: string;\n  remediation?: string;\n  details?: unknown;\n}\n\nexport interface OperatorConfigReviewFinding {\n  key: string;\n  status: \"recommend\" | \"problem\";\n  setting: string;\n  currentValue: string;\n  defaultValue: string;\n  recommendedValue: string;\n  summary: string;\n  rationale: string;\n}\n\nexport interface OperatorConfigReviewReport {\n  schemaVersion: 1;\n  generatedAt: string;\n  ok: boolean;\n  config: OperatorConfigLoadResult;\n  profile: {\n    memoryOsPreset?: string;\n    searchBackend: string;\n    qmdEnabled: boolean;\n    qmdDaemonEnabled: boolean;\n    nativeKnowledgeEnabled: boolean;\n    fileHygieneEnabled: boolean;\n    conversationIndexEnabled: boolean;\n  };\n  summary: {\n    recommend: number;\n    problem: number;\n  };\n  findings: OperatorConfigReviewFinding[];\n}\n\nexport interface OperatorDoctorReport {\n  schemaVersion: 1;\n  generatedAt: string;\n  ok: boolean;\n  summary: {\n    ok: number;\n    warn: number;\n    error: number;\n  };\n  config: OperatorConfigLoadResult;\n  checks: OperatorDoctorCheck[];\n}\n\nexport interface OperatorInventoryNamespaceSummary {\n  namespace: string;\n  memoryCount: number;\n  entityCount: number;\n}\n\nexport interface OperatorInventoryReport {\n  schemaVersion: 1;\n  generatedAt: string;\n  memoryDir: string;\n  totals: {\n    memories: number;\n    entities: number;\n    namespaces: number;\n    reviewQueue: number;\n    storageBytes: number;\n  };\n  categories: Record<string, number>;\n  statuses: Record<string, number>;\n  namespaces: OperatorInventoryNamespaceSummary[];\n  ageBands: Record<string, number>;\n  profile: {\n    exists: boolean;\n    chars: number;\n    lines: number;\n  };\n  storageFootprint: {\n    bytes: number;\n    byTopLevel: Record<string, number>;\n  };\n  archivePressure: {\n    archived: number;\n    pendingReview: number;\n    quarantined: number;\n    rejected: number;\n  };\n  conversationIndex: {\n    enabled: boolean;\n    backend: \"qmd\" | \"faiss\";\n    status: \"ok\" | \"degraded\" | \"disabled\";\n    chunkDocCount: number;\n    lastUpdateAt: string | null;\n  };\n  nativeKnowledge: {\n    enabled: boolean;\n    curatedIncludeSync: {\n      exists: boolean;\n      updatedAt: string | null;\n      fileCount: number;\n      activeChunkCount: number;\n      deletedFileCount: number;\n    };\n    obsidianSync: {\n      exists: boolean;\n      updatedAt: string | null;\n      vaultCount: number;\n      activeChunkCount: number;\n      deletedNoteCount: number;\n    };\n    openclawWorkspaceSync: {\n      exists: boolean;\n      updatedAt: string | null;\n      fileCount: number;\n      activeChunkCount: number;\n      deletedFileCount: number;\n    };\n  };\n}\n\nexport interface BenchmarkRecallReport {\n  schemaVersion: 1;\n  generatedAt: string;\n  mode: \"status\" | \"validate\" | \"baseline-report\" | \"ci-gate\" | \"snapshot\";\n  status: EvalHarnessStatus;\n  validate?: Awaited<ReturnType<typeof validateEvalBenchmarkPack>>;\n  baselineReport?: EvalBaselineDeltaReport;\n  ciGate?: EvalCiGateReport;\n  snapshot?: {\n    targetPath: string;\n    snapshotId: string;\n  };\n}\n\nexport interface OperatorRepairReport {\n  schemaVersion: 1;\n  generatedAt: string;\n  dryRun: boolean;\n  sessionCheck: SessionIntegrityReport;\n  sessionRepairPlan: SessionRepairPlan;\n  sessionRepairApply: SessionRepairApplyResult;\n  graphHealth: GraphHealthReport;\n}\n\nexport interface OperatorSetupOptions {\n  orchestrator: OperatorToolkitOrchestrator;\n  installCaptureInstructions?: boolean;\n  captureInstructionsMode?: \"preview\" | \"install\" | \"remove\";\n  configPath?: string;\n  now?: Date;\n}\n\nexport interface OperatorDoctorOptions {\n  orchestrator: OperatorToolkitOrchestrator;\n  configPath?: string;\n  now?: Date;\n}\n\nexport interface OperatorConfigReviewOptions {\n  orchestrator: OperatorToolkitOrchestrator;\n  configPath?: string;\n  now?: Date;\n}\n\nexport interface OperatorInventoryOptions {\n  orchestrator: OperatorToolkitOrchestrator;\n  now?: Date;\n}\n\nexport interface BenchmarkRecallOptions {\n  config: Pick<\n    PluginConfig,\n    | \"memoryDir\"\n    | \"evalStoreDir\"\n    | \"evalHarnessEnabled\"\n    | \"evalShadowModeEnabled\"\n    | \"benchmarkBaselineSnapshotsEnabled\"\n    | \"benchmarkDeltaReporterEnabled\"\n    | \"memoryRedTeamBenchEnabled\"\n  >;\n  validatePath?: string;\n  baseEvalStoreDir?: string;\n  candidateEvalStoreDir?: string;\n  snapshotId?: string;\n  createSnapshot?: boolean;\n  snapshotNotes?: string;\n  gitRef?: string;\n  createdAt?: string;\n  now?: Date;\n}\n\nexport interface OperatorRepairOptions {\n  config: Pick<\n    PluginConfig,\n    \"memoryDir\" | \"entityGraphEnabled\" | \"timeGraphEnabled\" | \"causalGraphEnabled\"\n  >;\n  apply?: boolean;\n  dryRun?: boolean;\n  allowSessionFileRepair?: boolean;\n  sessionFilesDir?: string;\n  now?: Date;\n}\n\nfunction resolveConfigPath(explicitPath?: string): string {\n  if (explicitPath && explicitPath.trim().length > 0) return explicitPath.trim();\n  const configured =\n    readEnvVar(\"OPENCLAW_ENGRAM_CONFIG_PATH\") ||\n    readEnvVar(\"OPENCLAW_CONFIG_PATH\");\n  if (configured && configured.trim().length > 0) return configured.trim();\n  return path.join(resolveHomeDir(), \".openclaw\", \"openclaw.json\");\n}\n\nasync function loadCliPluginConfig(configPath?: string): Promise<OperatorConfigLoadResult> {\n  const resolvedPath = resolveConfigPath(configPath);\n  try {\n    const raw = JSON.parse(await readFile(resolvedPath, \"utf-8\")) as Record<string, unknown>;\n    // Delegate slot → PLUGIN_ID → LEGACY_PLUGIN_ID resolution to the shared\n    // helper so all config loaders stay in sync (#403).\n    const entry = resolveRemnicPluginEntry(raw);\n    const parsedConfig = parseConfig(\n      entry && typeof entry === \"object\"\n        ? ((entry[\"config\"] as Record<string, unknown> | undefined) ?? {})\n        : {},\n    );\n    return {\n      found: true,\n      path: resolvedPath,\n      parsed: true,\n      memoryDir: parsedConfig.memoryDir,\n      workspaceDir: parsedConfig.workspaceDir,\n    };\n  } catch (error) {\n    const message = error instanceof Error ? error.message : String(error);\n    return {\n      found: !/ENOENT/i.test(message),\n      path: resolvedPath,\n      parsed: false,\n      error: message,\n    };\n  }\n}\n\nasync function isWritable(targetPath: string): Promise<boolean> {\n  try {\n    await access(targetPath, fsConstants.W_OK);\n    return true;\n  } catch {\n    return false;\n  }\n}\n\nasync function pathExists(targetPath: string): Promise<boolean> {\n  try {\n    await access(targetPath, fsConstants.F_OK);\n    return true;\n  } catch {\n    return false;\n  }\n}\n\nfunction formatConfigValue(value: unknown): string {\n  if (value === undefined || value === null) return \"(unset)\";\n  if (typeof value === \"string\") return value.length > 0 ? value : \"(unset)\";\n  if (typeof value === \"number\" || typeof value === \"boolean\") return String(value);\n  return JSON.stringify(value);\n}\n\nasync function gatherDirectoryStatus(\n  paths: string[],\n): Promise<Array<{ path: string; exists: boolean; writable: boolean }>> {\n  return Promise.all(paths.map(async (targetPath) => {\n    try {\n      await access(targetPath, fsConstants.F_OK);\n      return {\n        path: targetPath,\n        exists: true,\n        writable: await isWritable(targetPath),\n      };\n    } catch {\n      return {\n        path: targetPath,\n        exists: false,\n        writable: false,\n      };\n    }\n  }));\n}\n\nfunction getSetupPaths(config: PluginConfig): string[] {\n  return [\n    config.memoryDir,\n    config.workspaceDir,\n    path.join(config.memoryDir, \"facts\"),\n    path.join(config.memoryDir, \"entities\"),\n    path.join(config.memoryDir, \"state\"),\n    path.join(config.memoryDir, \"questions\"),\n    path.join(config.memoryDir, \"artifacts\"),\n    path.join(config.memoryDir, \"config\"),\n  ];\n}\n\nasync function readJsonIfExists(filePath: string): Promise<unknown | null> {\n  try {\n    return JSON.parse(await readFile(filePath, \"utf-8\")) as unknown;\n  } catch {\n    return null;\n  }\n}\n\nasync function summarizeNativeKnowledgeStatus(config: PluginConfig): Promise<{\n  enabled: boolean;\n  includeFiles: string[];\n  curatedIncludeSync: {\n    statePath: string;\n    exists: boolean;\n    updatedAt: string | null;\n    fileCount: number;\n    activeChunkCount: number;\n    deletedFileCount: number;\n  };\n  openclawWorkspaceAdapterEnabled: boolean;\n  obsidianVaultAdapterEnabled: boolean;\n  obsidianSync: {\n    statePath: string;\n    exists: boolean;\n    updatedAt: string | null;\n    vaultCount: number;\n    activeChunkCount: number;\n    deletedNoteCount: number;\n  };\n  openclawWorkspaceSync: {\n    statePath: string;\n    exists: boolean;\n    updatedAt: string | null;\n    fileCount: number;\n    activeChunkCount: number;\n    deletedFileCount: number;\n  };\n}> {\n  const nativeKnowledge = config.nativeKnowledge;\n  const nativeKnowledgeStateDir = nativeKnowledge?.stateDir ?? \"state/native-knowledge\";\n  const curatedStatePath = nativeKnowledge\n    ? resolveCuratedIncludeFilesStatePath(config.memoryDir, nativeKnowledge)\n    : path.join(config.memoryDir, nativeKnowledgeStateDir, \"curated-include-sync.json\");\n  const obsidianStatePath = nativeKnowledge\n    ? resolveNativeKnowledgeStatePath(config.memoryDir, nativeKnowledge)\n    : path.join(config.memoryDir, nativeKnowledgeStateDir, \"obsidian-sync.json\");\n  const openclawStatePath = nativeKnowledge\n    ? resolveOpenClawWorkspaceStatePath(config.memoryDir, nativeKnowledge)\n    : path.join(config.memoryDir, nativeKnowledgeStateDir, \"openclaw-workspace-sync.json\");\n  const [curatedRaw, obsidianRaw, openclawRaw] = await Promise.all([\n    readJsonIfExists(curatedStatePath),\n    readJsonIfExists(obsidianStatePath),\n    readJsonIfExists(openclawStatePath),\n  ]);\n\n  const curatedFiles = curatedRaw && typeof curatedRaw === \"object\" && curatedRaw !== null\n    && \"files\" in curatedRaw && typeof (curatedRaw as { files?: unknown }).files === \"object\"\n    && (curatedRaw as { files?: unknown }).files !== null\n      ? (curatedRaw as {\n          updatedAt?: unknown;\n          files: Record<string, { deleted?: boolean; chunks?: unknown[] }>;\n        })\n      : null;\n\n  let curatedActiveChunkCount = 0;\n  let curatedDeletedFileCount = 0;\n  for (const file of Object.values(curatedFiles?.files ?? {})) {\n    if (file.deleted) {\n      curatedDeletedFileCount += 1;\n      continue;\n    }\n    curatedActiveChunkCount += Array.isArray(file.chunks) ? file.chunks.length : 0;\n  }\n\n  const obsidianVaults = obsidianRaw && typeof obsidianRaw === \"object\" && obsidianRaw !== null\n    && \"vaults\" in obsidianRaw && typeof (obsidianRaw as { vaults?: unknown }).vaults === \"object\"\n    && (obsidianRaw as { vaults?: unknown }).vaults !== null\n      ? (obsidianRaw as {\n          updatedAt?: unknown;\n          vaults: Record<string, { notes?: Record<string, { deleted?: boolean; chunks?: unknown[] }> }>;\n        })\n      : null;\n\n  let obsidianActiveChunkCount = 0;\n  let obsidianDeletedNoteCount = 0;\n  for (const vault of Object.values(obsidianVaults?.vaults ?? {})) {\n    for (const note of Object.values(vault.notes ?? {})) {\n      if (note.deleted) {\n        obsidianDeletedNoteCount += 1;\n        continue;\n      }\n      obsidianActiveChunkCount += Array.isArray(note.chunks) ? note.chunks.length : 0;\n    }\n  }\n\n  const openclawFiles = openclawRaw && typeof openclawRaw === \"object\" && openclawRaw !== null\n    && \"files\" in openclawRaw && typeof (openclawRaw as { files?: unknown }).files === \"object\"\n    && (openclawRaw as { files?: unknown }).files !== null\n      ? (openclawRaw as {\n          updatedAt?: unknown;\n          files: Record<string, { deleted?: boolean; chunks?: unknown[] }>;\n        })\n      : null;\n\n  let openclawActiveChunkCount = 0;\n  let openclawDeletedFileCount = 0;\n  for (const file of Object.values(openclawFiles?.files ?? {})) {\n    if (file.deleted) {\n      openclawDeletedFileCount += 1;\n      continue;\n    }\n    openclawActiveChunkCount += Array.isArray(file.chunks) ? file.chunks.length : 0;\n  }\n\n  return {\n    enabled: nativeKnowledge?.enabled === true,\n    includeFiles: nativeKnowledge?.includeFiles ?? [],\n    curatedIncludeSync: {\n      statePath: curatedStatePath,\n      exists: curatedFiles !== null,\n      updatedAt: typeof curatedFiles?.updatedAt === \"string\" ? curatedFiles.updatedAt : null,\n      fileCount: Object.keys(curatedFiles?.files ?? {}).length,\n      activeChunkCount: curatedActiveChunkCount,\n      deletedFileCount: curatedDeletedFileCount,\n    },\n    openclawWorkspaceAdapterEnabled: nativeKnowledge?.openclawWorkspace?.enabled === true,\n    obsidianVaultAdapterEnabled: (nativeKnowledge?.obsidianVaults?.length ?? 0) > 0,\n    obsidianSync: {\n      statePath: obsidianStatePath,\n      exists: obsidianVaults !== null,\n      updatedAt: typeof obsidianVaults?.updatedAt === \"string\" ? obsidianVaults.updatedAt : null,\n      vaultCount: Object.keys(obsidianVaults?.vaults ?? {}).length,\n      activeChunkCount: obsidianActiveChunkCount,\n      deletedNoteCount: obsidianDeletedNoteCount,\n    },\n    openclawWorkspaceSync: {\n      statePath: openclawStatePath,\n      exists: openclawFiles !== null,\n      updatedAt: typeof openclawFiles?.updatedAt === \"string\" ? openclawFiles.updatedAt : null,\n      fileCount: Object.keys(openclawFiles?.files ?? {}).length,\n      activeChunkCount: openclawActiveChunkCount,\n      deletedFileCount: openclawDeletedFileCount,\n    },\n  };\n}\n\nconst CAPTURE_INSTRUCTIONS_START = \"<!-- BEGIN ENGRAM EXPLICIT CAPTURE INSTRUCTIONS -->\";\nconst CAPTURE_INSTRUCTIONS_END = \"<!-- END ENGRAM EXPLICIT CAPTURE INSTRUCTIONS -->\";\n\nfunction buildCaptureInstructions(): string {\n  return [\n    CAPTURE_INSTRUCTIONS_START,\n    \"# Memory\",\n    \"\",\n    \"Use this file for explicit memory capture notes when Engram runs in explicit or hybrid mode.\",\n    \"\",\n    \"## Suggested format\",\n    \"\",\n    \"- Write durable facts, decisions, commitments, or corrections.\",\n    \"- Keep entries concise and specific.\",\n    \"- Avoid secrets, tokens, and private credentials.\",\n    \"\",\n    \"## Example\",\n    \"\",\n    \"- Decision: recall benchmark packs live under `state/evals/benchmarks/`.\",\n    \"- Commitment: rerun `openclaw engram doctor --json` after changing retrieval settings.\",\n    \"\",\n    CAPTURE_INSTRUCTIONS_END,\n  ].join(\"\\n\");\n}\n\nfunction upsertManagedCaptureInstructions(existing: string | null, snippet: string): { content: string; updated: boolean; installed: boolean } {\n  if (!existing || existing.trim().length === 0) {\n    return { content: `${snippet}\\n`, updated: false, installed: true };\n  }\n  if (existing.includes(CAPTURE_INSTRUCTIONS_START) && existing.includes(CAPTURE_INSTRUCTIONS_END)) {\n    const next = existing.replace(\n      new RegExp(`${CAPTURE_INSTRUCTIONS_START}[\\\\s\\\\S]*?${CAPTURE_INSTRUCTIONS_END}`),\n      snippet,\n    );\n    return { content: next.endsWith(\"\\n\") ? next : `${next}\\n`, updated: next !== existing, installed: false };\n  }\n  const trimmed = existing.trimEnd();\n  return {\n    content: `${trimmed}\\n\\n${snippet}\\n`,\n    updated: false,\n    installed: true,\n  };\n}\n\nfunction removeManagedCaptureInstructions(existing: string): { content: string; removed: boolean } {\n  if (!existing.includes(CAPTURE_INSTRUCTIONS_START) || !existing.includes(CAPTURE_INSTRUCTIONS_END)) {\n    return { content: existing, removed: false };\n  }\n  const stripped = existing\n    .replace(new RegExp(`\\\\n*${CAPTURE_INSTRUCTIONS_START}[\\\\s\\\\S]*?${CAPTURE_INSTRUCTIONS_END}\\\\n*`), \"\\n\")\n    .replace(/\\n{3,}/g, \"\\n\\n\")\n    .trim();\n  return {\n    content: stripped.length > 0 ? `${stripped}\\n` : \"\",\n    removed: true,\n  };\n}\n\nexport async function runOperatorSetup(options: OperatorSetupOptions): Promise<OperatorSetupReport> {\n  const now = options.now ?? new Date();\n  const configStatus = await loadCliPluginConfig(options.configPath);\n  const storage = options.orchestrator.storage;\n  await storage.ensureDirectories();\n  await mkdir(options.orchestrator.config.workspaceDir, { recursive: true });\n\n  const qmdAvailable = await options.orchestrator.qmd.probe();\n  const collectionState = options.orchestrator.config.qmdEnabled\n    ? await options.orchestrator.qmd.ensureCollection(options.orchestrator.config.memoryDir)\n    : \"skipped\";\n  const nativeKnowledgeStatus = await summarizeNativeKnowledgeStatus(options.orchestrator.config);\n\n  const memoryDocPath = path.join(options.orchestrator.config.workspaceDir, \"MEMORY.md\");\n  const captureInstructionsMode =\n    options.captureInstructionsMode\n    ?? (options.installCaptureInstructions ? \"install\" : undefined);\n  let memoryDocExists = false;\n  try {\n    await access(memoryDocPath, fsConstants.F_OK);\n    memoryDocExists = true;\n  } catch {\n    memoryDocExists = false;\n  }\n  let memoryDocInstalled = false;\n  let memoryDocUpdated = false;\n  let memoryDocRemoved = false;\n  const explicitCaptureEnabled = options.orchestrator.config.captureMode === \"explicit\"\n    || options.orchestrator.config.captureMode === \"hybrid\";\n  const captureInstructionsPreview = captureInstructionsMode ? buildCaptureInstructions() : null;\n  if (captureInstructionsMode) {\n    if (captureInstructionsMode === \"preview\") {\n      // no-op, preview only\n    } else if (captureInstructionsMode === \"install\") {\n      const existing = memoryDocExists ? await readFile(memoryDocPath, \"utf-8\") : null;\n      const next = upsertManagedCaptureInstructions(existing, captureInstructionsPreview ?? \"\");\n      if (!existing || next.content !== existing) {\n        await writeFile(memoryDocPath, next.content, \"utf-8\");\n      }\n      memoryDocExists = true;\n      memoryDocInstalled = next.installed;\n      memoryDocUpdated = next.updated;\n    } else if (captureInstructionsMode === \"remove\" && memoryDocExists) {\n      const existing = await readFile(memoryDocPath, \"utf-8\");\n      const next = removeManagedCaptureInstructions(existing);\n      if (next.removed) {\n        if (next.content.length === 0) {\n          await unlink(memoryDocPath);\n          memoryDocExists = false;\n        } else {\n          await writeFile(memoryDocPath, next.content, \"utf-8\");\n          memoryDocExists = true;\n        }\n        memoryDocRemoved = true;\n      }\n    }\n  }\n\n  const directories = await gatherDirectoryStatus(getSetupPaths(options.orchestrator.config));\n  const nextSteps = [\n    `Run \\`openclaw engram doctor${options.installCaptureInstructions ? \"\" : \" --json\"}\\` to verify runtime health.`,\n    \"Run `openclaw engram inventory --json` to capture a baseline footprint.\",\n    \"If QMD is enabled and the collection is missing, add the collection to `~/.config/qmd/index.yml` and run `qmd update && qmd embed`.\",\n  ];\n  if (explicitCaptureEnabled && !memoryDocExists) {\n    nextSteps.push(\"Run `openclaw engram setup --preview-capture-instructions` to review the managed explicit-capture snippet, then `--install-capture-instructions` to write it.\");\n  }\n\n  return {\n    schemaVersion: 1,\n    generatedAt: now.toISOString(),\n    config: configStatus,\n    memoryDir: options.orchestrator.config.memoryDir,\n    workspaceDir: options.orchestrator.config.workspaceDir,\n    directories,\n    qmd: {\n      enabled: options.orchestrator.config.qmdEnabled,\n      available: qmdAvailable,\n      collectionState,\n      debugStatus: options.orchestrator.qmd.debugStatus(),\n    },\n    nativeKnowledge: nativeKnowledgeStatus,\n    explicitCapture: {\n      captureMode: options.orchestrator.config.captureMode,\n      enabled: explicitCaptureEnabled,\n      memoryDocPath,\n      memoryDocExists,\n      memoryDocInstalled,\n      memoryDocUpdated,\n      memoryDocRemoved,\n      preview: captureInstructionsMode === \"preview\" ? captureInstructionsPreview : null,\n    },\n    nextSteps,\n    verificationCommands: [\n      \"openclaw engram doctor --json\",\n      \"openclaw engram inventory --json\",\n      \"openclaw engram benchmark recall --json\",\n    ],\n  };\n}\n\nfunction summarizeHygieneWarnings(\n  warnings: Awaited<ReturnType<typeof lintWorkspaceFiles>>,\n  hygiene: FileHygieneConfig | undefined,\n): OperatorDoctorCheck {\n  if (!hygiene?.enabled || hygiene.lintEnabled !== true) {\n    return {\n      key: \"file_hygiene\",\n      status: \"warn\",\n      summary: \"File hygiene linting is disabled; bootstrap file truncation warnings are not active.\",\n      remediation: \"Enable `fileHygiene.enabled` and `fileHygiene.lintEnabled` if large workspace bootstrap files are common.\",\n      details: {\n        enabled: hygiene?.enabled === true,\n        lintEnabled: hygiene?.lintEnabled === true,\n      },\n    };\n  }\n  if (warnings.length > 0) {\n    return {\n      key: \"file_hygiene\",\n      status: \"warn\",\n      summary: `${warnings.length} bootstrap file(s) are near or above the configured budget.`,\n      remediation: \"Archive/split the listed files or adjust `fileHygiene` budgets.\",\n      details: { warnings },\n    };\n  }\n  return {\n    key: \"file_hygiene\",\n    status: \"ok\",\n    summary: \"Bootstrap file hygiene is within budget.\",\n    details: {\n      enabled: true,\n      lintPaths: hygiene.lintPaths,\n      budgetBytes: hygiene.lintBudgetBytes,\n    },\n  };\n}\n\nfunction buildConfigReviewFinding(input: {\n  key: string;\n  status: \"recommend\" | \"problem\";\n  setting: string;\n  currentValue: unknown;\n  defaultValue: unknown;\n  recommendedValue: unknown;\n  summary: string;\n  rationale: string;\n}): OperatorConfigReviewFinding {\n  return {\n    key: input.key,\n    status: input.status,\n    setting: input.setting,\n    currentValue: formatConfigValue(input.currentValue),\n    defaultValue: formatConfigValue(input.defaultValue),\n    recommendedValue: formatConfigValue(input.recommendedValue),\n    summary: input.summary,\n    rationale: input.rationale,\n  };\n}\n\nexport async function runOperatorConfigReview(\n  options: OperatorConfigReviewOptions,\n): Promise<OperatorConfigReviewReport> {\n  const now = options.now ?? new Date();\n  const configStatus = await loadCliPluginConfig(options.configPath);\n  return buildOperatorConfigReviewReport({\n    now,\n    configStatus,\n    config: options.orchestrator.config,\n  });\n}\n\nasync function buildOperatorConfigReviewReport(input: {\n  now: Date;\n  configStatus: OperatorConfigLoadResult;\n  config: PluginConfig;\n}): Promise<OperatorConfigReviewReport> {\n  const { now, configStatus, config } = input;\n  const findings: OperatorConfigReviewFinding[] = [];\n  const searchBackend = config.searchBackend ?? \"qmd\";\n  const workspaceBootstrapFiles = [\n    path.join(config.workspaceDir, \"IDENTITY.md\"),\n    path.join(config.workspaceDir, \"MEMORY.md\"),\n    path.join(config.workspaceDir, \"USER.md\"),\n  ];\n  const workspaceBootstrapExists = (await Promise.all(workspaceBootstrapFiles.map(pathExists))).some(Boolean);\n\n  if (\n    config.memoryOsPreset !== \"conservative\" &&\n    config.memoryOsPreset !== \"balanced\" &&\n    config.memoryOsPreset !== \"research-max\" &&\n    config.memoryOsPreset !== \"local-llm-heavy\" &&\n    config.queryAwareIndexingEnabled === false &&\n    config.verbatimArtifactsEnabled === false &&\n    config.rerankEnabled === false\n  ) {\n    findings.push(buildConfigReviewFinding({\n      key: \"balanced_preset\",\n      status: \"recommend\",\n      setting: \"memoryOsPreset\",\n      currentValue: config.memoryOsPreset,\n      defaultValue: \"(unset)\",\n      recommendedValue: \"balanced\",\n      summary: \"Adopt the balanced preset as the baseline configuration profile.\",\n      rationale:\n        \"The balanced preset enables the recommended indexing, reranking, and artifact defaults without turning on the higher-churn graph and learning loops.\",\n    }));\n  }\n\n  if (config.qmdEnabled && config.qmdDaemonEnabled === false) {\n    findings.push(buildConfigReviewFinding({\n      key: \"qmd_daemon\",\n      status: \"recommend\",\n      setting: \"qmdDaemonEnabled\",\n      currentValue: config.qmdDaemonEnabled,\n      defaultValue: true,\n      recommendedValue: true,\n      summary: \"Enable the QMD daemon path when QMD powers recall.\",\n      rationale:\n        \"The daemon path reduces recall/search contention by preferring the MCP transport instead of repeated subprocess calls when QMD is available.\",\n    }));\n  }\n\n  if (workspaceBootstrapExists && config.nativeKnowledge?.enabled !== true) {\n    findings.push(buildConfigReviewFinding({\n      key: \"native_knowledge_enabled\",\n      status: \"recommend\",\n      setting: \"nativeKnowledge.enabled\",\n      currentValue: config.nativeKnowledge?.enabled,\n      defaultValue: false,\n      recommendedValue: true,\n      summary: \"Enable native knowledge recall for workspace bootstrap documents.\",\n      rationale:\n        \"When files like IDENTITY.md or MEMORY.md already exist, native knowledge recall can chunk and inject them directly instead of relying only on extracted memories.\",\n    }));\n  }\n\n  if (workspaceBootstrapExists && config.fileHygiene?.enabled !== true) {\n    findings.push(buildConfigReviewFinding({\n      key: \"file_hygiene_enabled\",\n      status: \"recommend\",\n      setting: \"fileHygiene.enabled\",\n      currentValue: config.fileHygiene?.enabled,\n      defaultValue: false,\n      recommendedValue: true,\n      summary: \"Enable file hygiene to avoid silent workspace-file truncation.\",\n      rationale:\n        \"OpenClaw bootstrap files can grow quietly; file hygiene warns before oversized files are truncated during prompt bootstrap.\",\n    }));\n  }\n\n  if (searchBackend === \"qmd\" && config.qmdEnabled === false) {\n    findings.push(buildConfigReviewFinding({\n      key: \"qmd_search_backend_disabled\",\n      status: \"problem\",\n      setting: \"qmdEnabled\",\n      currentValue: config.qmdEnabled,\n      defaultValue: true,\n      recommendedValue: true,\n      summary: \"QMD search is selected but QMD is disabled.\",\n      rationale:\n        \"When searchBackend resolves to qmd while qmdEnabled is false, Engram falls back to the noop backend and disables the primary search path.\",\n    }));\n  }\n\n  if (config.qmdColdTierEnabled === true && config.qmdEnabled === false) {\n    findings.push(buildConfigReviewFinding({\n      key: \"qmd_cold_tier_requires_qmd\",\n      status: \"problem\",\n      setting: \"qmdEnabled\",\n      currentValue: config.qmdEnabled,\n      defaultValue: true,\n      recommendedValue: true,\n      summary: \"Cold-tier QMD recall is enabled while QMD itself is disabled.\",\n      rationale:\n        \"The cold tier depends on the same QMD runtime as the hot tier, so turning QMD off leaves the extra tiering path unusable.\",\n    }));\n  }\n\n  if (config.qmdTierMigrationEnabled && config.qmdColdTierEnabled !== true) {\n    findings.push(buildConfigReviewFinding({\n      key: \"qmd_tier_migration_requires_cold_tier\",\n      status: \"problem\",\n      setting: \"qmdColdTierEnabled\",\n      currentValue: config.qmdColdTierEnabled,\n      defaultValue: false,\n      recommendedValue: true,\n      summary: \"Hot/cold tier migration is enabled without the cold tier itself.\",\n      rationale:\n        \"Tier migration depends on the cold-tier collection and recall path, so enabling migration while the cold tier is off leaves the feature in a contradictory state.\",\n    }));\n  }\n\n  if (config.conversationIndexEnabled && config.conversationIndexBackend === \"qmd\" && config.qmdEnabled === false) {\n    findings.push(buildConfigReviewFinding({\n      key: \"conversation_index_qmd_requires_qmd\",\n      status: \"problem\",\n      setting: \"qmdEnabled\",\n      currentValue: config.qmdEnabled,\n      defaultValue: true,\n      recommendedValue: true,\n      summary: \"The conversation index is configured for QMD while QMD is disabled.\",\n      rationale:\n        \"A QMD-backed conversation index cannot rebuild or serve queries when the underlying QMD runtime is disabled.\",\n    }));\n  }\n\n  const summary = findings.reduce(\n    (acc, finding) => {\n      acc[finding.status] += 1;\n      return acc;\n    },\n    { recommend: 0, problem: 0 },\n  );\n\n  return {\n    schemaVersion: 1,\n    generatedAt: now.toISOString(),\n    ok: configStatus.parsed && summary.problem === 0,\n    config: configStatus,\n    profile: {\n      memoryOsPreset: config.memoryOsPreset,\n      searchBackend,\n      qmdEnabled: config.qmdEnabled,\n      qmdDaemonEnabled: config.qmdDaemonEnabled,\n      nativeKnowledgeEnabled: config.nativeKnowledge?.enabled === true,\n      fileHygieneEnabled: config.fileHygiene?.enabled === true,\n      conversationIndexEnabled: config.conversationIndexEnabled,\n    },\n    summary,\n    findings,\n  };\n}\n\nexport async function runOperatorDoctor(options: OperatorDoctorOptions): Promise<OperatorDoctorReport> {\n  const now = options.now ?? new Date();\n  const configStatus = await loadCliPluginConfig(options.configPath);\n  const checks: OperatorDoctorCheck[] = [];\n  const config = options.orchestrator.config;\n  const storage = options.orchestrator.storage;\n  const configReview = await buildOperatorConfigReviewReport({\n    now,\n    configStatus,\n    config,\n  });\n  const nativeKnowledgeStatus = await summarizeNativeKnowledgeStatus(config);\n  const setupPaths = await gatherDirectoryStatus(getSetupPaths(config));\n  const missingPaths = setupPaths.filter((entry) => !entry.exists).map((entry) => entry.path);\n\n  checks.push({\n    key: \"config\",\n    status: configStatus.parsed\n      ? \"ok\"\n      : options.configPath\n      ? \"error\"\n      : \"warn\",\n    summary: configStatus.parsed ? \"OpenClaw config loaded and Engram config parsed successfully.\" : \"Config file could not be parsed.\",\n    remediation: configStatus.parsed ? undefined : \"Fix the config file or set OPENCLAW_ENGRAM_CONFIG_PATH/OPENCLAW_CONFIG_PATH.\",\n    details: configStatus,\n  });\n\n  checks.push({\n    key: \"memory_dir\",\n    status: missingPaths.length === 0 ? \"ok\" : \"warn\",\n    summary: missingPaths.length === 0\n      ? \"Expected Engram directories exist.\"\n      : `${missingPaths.length} expected directory path(s) are missing.`,\n    remediation: missingPaths.length === 0 ? undefined : \"Run `openclaw engram setup` to create missing directories.\",\n    details: { directories: setupPaths },\n  });\n\n  checks.push({\n    key: \"config_review\",\n    status: configReview.summary.problem > 0 ? \"error\" : configReview.summary.recommend > 0 ? \"warn\" : \"ok\",\n    summary: configReview.summary.problem > 0\n      ? `${configReview.summary.problem} configuration problem(s) detected.`\n      : configReview.summary.recommend > 0\n      ? `No configuration problems detected; ${configReview.summary.recommend} optional recommendation(s) are available.`\n      : \"No configuration problems detected.\",\n    remediation: configReview.summary.problem > 0 || configReview.summary.recommend > 0\n      ? \"Run `openclaw engram config-review` to inspect and fix the flagged configuration combinations.\"\n      : undefined,\n    details: configReview,\n  });\n\n  const qmdAvailable = await options.orchestrator.qmd.probe();\n  const collectionState = config.qmdEnabled\n    ? await options.orchestrator.qmd.ensureCollection(config.memoryDir)\n    : \"skipped\";\n  checks.push({\n    key: \"qmd\",\n    status: !config.qmdEnabled\n      ? \"warn\"\n      : !qmdAvailable\n      ? \"error\"\n      : collectionState === \"present\"\n      ? \"ok\"\n      : collectionState === \"missing\"\n      ? \"error\"\n      : \"warn\",\n    summary: !config.qmdEnabled\n      ? \"QMD is disabled in config.\"\n      : qmdAvailable\n      ? `QMD is reachable (${collectionState}).`\n      : \"QMD is not currently reachable.\",\n    remediation: !config.qmdEnabled\n      ? \"Enable `qmdEnabled` if you expect hybrid search.\"\n      : !qmdAvailable\n      ? \"Ensure the `qmd` binary is installed and on PATH, or set `qmdPath`.\"\n      : collectionState === \"missing\"\n      ? \"Add the configured collection to `~/.config/qmd/index.yml`.\"\n      : collectionState === \"present\"\n      ? undefined\n      : \"Re-run `openclaw engram setup` after restoring QMD access.\",\n    details: {\n      available: qmdAvailable,\n      collectionState,\n      debugStatus: options.orchestrator.qmd.debugStatus(),\n    },\n  });\n\n  const conversationIndex = await options.orchestrator.getConversationIndexHealth();\n  checks.push({\n    key: \"conversation_index\",\n    status: conversationIndex.status === \"ok\"\n      ? \"ok\"\n      : conversationIndex.enabled\n      ? \"error\"\n      : \"warn\",\n    summary: conversationIndex.enabled\n      ? `Conversation index backend is ${conversationIndex.status}.`\n      : \"Conversation index is disabled.\",\n    remediation: conversationIndex.enabled && conversationIndex.status !== \"ok\"\n      ? \"Run `openclaw engram rebuild-index` to refresh the conversation index artifacts.\"\n      : undefined,\n    details: conversationIndex,\n  });\n\n  const meta = await storage.loadMeta();\n  checks.push({\n    key: \"maintenance\",\n    status: meta.lastExtractionAt || meta.lastConsolidationAt ? \"ok\" : \"warn\",\n    summary: meta.lastExtractionAt || meta.lastConsolidationAt\n      ? \"Extraction/consolidation metadata is present.\"\n      : \"No extraction or consolidation metadata found yet.\",\n    remediation: meta.lastExtractionAt || meta.lastConsolidationAt\n      ? undefined\n      : \"Run a normal agent turn or `openclaw engram consolidate` after seeding memory.\",\n    details: meta,\n  });\n\n  const syncedChunkCount =\n    nativeKnowledgeStatus.curatedIncludeSync.activeChunkCount +\n    nativeKnowledgeStatus.obsidianSync.activeChunkCount +\n    nativeKnowledgeStatus.openclawWorkspaceSync.activeChunkCount;\n  const hasSyncState =\n    nativeKnowledgeStatus.curatedIncludeSync.exists ||\n    nativeKnowledgeStatus.obsidianSync.exists ||\n    nativeKnowledgeStatus.openclawWorkspaceSync.exists;\n  checks.push({\n    key: \"native_knowledge\",\n    status: !nativeKnowledgeStatus.enabled\n      ? \"warn\"\n      : hasSyncState\n        ? \"ok\"\n        : \"warn\",\n    summary: !nativeKnowledgeStatus.enabled\n      ? \"Native knowledge sync is disabled.\"\n      : hasSyncState\n        ? `Native knowledge sync state is present (${syncedChunkCount} active chunks).`\n        : \"Native knowledge sync is enabled but no sync state has been written yet.\",\n    remediation: !nativeKnowledgeStatus.enabled\n      ? \"Enable `nativeKnowledge.enabled` if curated workspace recall should participate in retrieval.\"\n      : hasSyncState\n        ? undefined\n        : \"Run a recall, sync, or setup flow that touches native knowledge sources, then rerun `openclaw engram doctor --json`.\",\n    details: nativeKnowledgeStatus,\n  });\n\n  const agentAccessEnabled = config.agentAccessHttp?.enabled === true;\n  // A SecretRef object counts as \"configured\" (issue #757) — resolution\n  // happens at service-start time, not at doctor-time.  We only check that\n  // *something* is set; we never log the resolved value.\n  const rawAuthToken = config.agentAccessHttp?.authToken;\n  const authTokenConfigured =\n    (typeof rawAuthToken === \"string\" && rawAuthToken.length > 0) ||\n    (rawAuthToken !== null &&\n      typeof rawAuthToken === \"object\" &&\n      typeof (rawAuthToken as { source?: unknown }).source === \"string\");\n  checks.push({\n    key: \"access_http_auth\",\n    status: !agentAccessEnabled\n      ? \"warn\"\n      : authTokenConfigured\n      ? \"ok\"\n      : \"error\",\n    summary: !agentAccessEnabled\n      ? \"Agent access HTTP bridge is disabled.\"\n      : authTokenConfigured\n      ? \"Agent access HTTP bridge has an auth token configured.\"\n      : \"Agent access HTTP bridge is enabled without an auth token.\",\n    remediation: !agentAccessEnabled\n      ? \"Ignore unless you plan to enable the HTTP bridge.\"\n      : authTokenConfigured\n      ? undefined\n      : \"Set `agentAccessHttp.authToken` before exposing the bridge.\",\n  });\n\n  const warnings = config.fileHygiene?.lintEnabled\n    ? await lintWorkspaceFiles({\n        workspaceDir: config.workspaceDir,\n        paths: config.fileHygiene.lintPaths,\n        budgetBytes: config.fileHygiene.lintBudgetBytes,\n        warnRatio: config.fileHygiene.lintWarnRatio,\n      })\n    : [];\n  checks.push(summarizeHygieneWarnings(warnings, config.fileHygiene));\n\n  // Memory Worth legacy counter audit (issue #560 PR 1).\n  // Memories written before #560 have no `mw_success` / `mw_fail` frontmatter\n  // fields. That is fully supported — readers treat the absence as a uniform\n  // Beta(1,1) prior — but surfacing the count helps operators understand how\n  // much history will bootstrap the scoring pipeline landed in later PRs.\n  // This is an informational check, never an error.\n  checks.push(await summarizeMemoryWorthLegacyCounters(storage));\n\n  // Buffer surprise telemetry distribution (issue #563 PR 3).\n  // Surfaces recent surprise scores so operators can calibrate the\n  // `bufferSurpriseThreshold` from real traffic. Never an error — an empty\n  // ledger is the expected state until the flag is turned on.\n  checks.push(\n    await summarizeBufferSurpriseDistribution(storage, config),\n  );\n\n  // Consolidation provenance integrity (issue #561 PR 4).\n  // Validates that every `derived_from` entry resolves to an on-disk\n  // page-version snapshot and every `derived_via` is a known operator.\n  // Broken provenance emits warnings with the offending file path — the\n  // check is informational (never an error) because a missing snapshot\n  // can legitimately occur after log pruning or versioning being disabled\n  // retroactively; operators need visibility, not a hard fail.  Review\n  // feedback (PR #634): the summarizer threads the configured\n  // `versioningSidecarDir` into the scan so deployments that override\n  // the default `.versions` directory get accurate results instead of\n  // false-missing warnings.\n  checks.push(await summarizeConsolidationProvenance(storage, config));\n\n  // Graph-edge decay maintenance status (issue #681 PR 2/3).\n  // Reports whether the periodic decay job has run and surfaces last-run\n  // counts. Disabled is \"ok\" with a note; enabled-but-never-run is \"warn\".\n  checks.push(await summarizeGraphEdgeDecayStatus(config));\n\n  // Tier distribution (issue #686 retention-completion).\n  // Shows hot/cold counts, per-status breakdown, and forgotten-memory count.\n  // Informational only — never errors, never blocks doctor from returning ok.\n  checks.push(await summarizeTierDistribution(options.orchestrator.storage));\n\n  // Dreams phases thresholds and last-run timestamps (issue #678 PR 2/4).\n  // Surfaces per-phase: enabled status, cadence, threshold values, and the\n  // best-available last-run timestamp for each of the three pipeline phases.\n  checks.push(await summarizeDreamsPhases(config, storage));\n\n  // Security mitigation status (issue #565).\n  // Reports whether the cross-namespace budget and anomaly detection\n  // mitigations are enabled and surfaces config values for operator review.\n  checks.push(summarizeSecurityMitigations(config));\n\n  // Observation throughput + judge acceptance rate (issue #685).\n  // Surfaces the total verdict count, accept/reject/defer breakdown, and the\n  // most recent `observedAt` timestamp from the extraction-judge telemetry\n  // ledger.  This closes the *(future)* item deferred in\n  // `docs/trace-to-primitive.md`.  The check is purely informational — it\n  // always resolves to `ok`; an empty ledger is the expected cold-install\n  // state and is never an error.\n  checks.push(await summarizeObservationThroughput(config.memoryDir));\n\n  const summary = checks.reduce(\n    (acc, check) => {\n      acc[check.status] += 1;\n      return acc;\n    },\n    { ok: 0, warn: 0, error: 0 },\n  );\n\n  return {\n    schemaVersion: 1,\n    generatedAt: now.toISOString(),\n    ok: summary.error === 0,\n    summary,\n    config: configStatus,\n    checks,\n  };\n}\n\n/**\n * Categories whose memories are eligible for Memory Worth instrumentation.\n *\n * Memory Worth is a per-fact utility signal: the counters ride on extracted\n * facts whose retrieval outcome can be judged (success/fail) by the feedback\n * pipeline landing in issue #560 PR 3. Procedures, corrections, and other\n * non-fact memory kinds are out of scope — they are not expected to be\n * instrumented, and counting them as \"legacy\" would permanently inflate the\n * legacy bucket and make rollout progress misleading even when every fact\n * memory is instrumented.\n *\n * If a later PR widens Memory Worth to additional categories, extend this set\n * alongside the scoring/increment logic so the doctor audit stays in sync.\n */\nconst MEMORY_WORTH_ELIGIBLE_CATEGORIES: ReadonlySet<MemoryFile[\"frontmatter\"][\"category\"]> =\n  new Set([\"fact\"]);\n\n/**\n * Count memories that pre-date the Memory Worth counters introduced in issue\n * #560 — i.e., neither `mw_success` nor `mw_fail` is set on the frontmatter.\n *\n * Only memories whose category is eligible for Memory Worth (see\n * `MEMORY_WORTH_ELIGIBLE_CATEGORIES`) are considered. Procedures, corrections,\n * and other kinds that are not instrumented are excluded entirely — they're\n * neither \"legacy\" nor \"instrumented\" for the purposes of this audit. The\n * total in the returned details reflects only eligible memories.\n *\n * Returned as an `ok` check regardless of count, since legacy memories are\n * fully functional (readers treat missing counters as zero observations). The\n * numbers are informational for operators following the #560 rollout.\n *\n * Exported so unit tests can exercise the classification logic without\n * booting a full orchestrator.\n */\nexport async function summarizeMemoryWorthLegacyCounters(\n  storage: StorageManager,\n): Promise<OperatorDoctorCheck> {\n  let legacy = 0;\n  let instrumented = 0;\n  let ineligible = 0;\n  try {\n    const memories = await storage.readAllMemories();\n    for (const memory of memories) {\n      if (!MEMORY_WORTH_ELIGIBLE_CATEGORIES.has(memory.frontmatter.category)) {\n        ineligible += 1;\n        continue;\n      }\n      const { mw_success, mw_fail } = memory.frontmatter;\n      if (mw_success === undefined && mw_fail === undefined) {\n        legacy += 1;\n      } else {\n        instrumented += 1;\n      }\n    }\n  } catch (err) {\n    return {\n      key: \"memory_worth_legacy\",\n      status: \"warn\",\n      summary: \"Could not enumerate memories to count Memory Worth instrumentation.\",\n      remediation: \"Retry `remnic doctor` after ensuring the memory directory is readable.\",\n      details: { error: String(err) },\n    };\n  }\n\n  const total = legacy + instrumented;\n  return {\n    key: \"memory_worth_legacy\",\n    status: \"ok\",\n    summary:\n      total === 0\n        ? \"No Memory Worth–eligible memories on disk yet — counters will populate as facts are extracted.\"\n        : `${legacy} of ${total} eligible memories have no Memory Worth counters yet (${instrumented} instrumented).`,\n    details: { legacy, instrumented, total, ineligible },\n  };\n}\n\n/**\n * Summarize the recent buffer-surprise telemetry distribution for the\n * Doctor report (issue #563 PR 3).\n *\n * Reports mean/median/p90 surprise scores and the triggered-flush rate\n * over the most recent window of ledger rows. An empty ledger is the\n * expected state until `bufferSurpriseTriggerEnabled` is turned on — the\n * check never escalates beyond `ok` / `warn` (ledger unreadable).\n *\n * Exported so tests can exercise the formatting without booting a real\n * orchestrator.\n */\nexport async function summarizeBufferSurpriseDistribution(\n  storage: StorageManager,\n  config: PluginConfig,\n): Promise<OperatorDoctorCheck> {\n  const storageWithLedger = storage as StorageManager & {\n    readBufferSurpriseEvents?: (\n      opts: { limit?: number },\n    ) => Promise<BufferSurpriseEvent[]>;\n  };\n\n  // Defensive: older StorageManager builds (not yet rebuilt) may lack the\n  // reader. Do not fail the entire Doctor run in that case.\n  if (typeof storageWithLedger.readBufferSurpriseEvents !== \"function\") {\n    return {\n      key: \"buffer_surprise_distribution\",\n      status: \"ok\",\n      summary: \"Buffer-surprise telemetry reader unavailable in this build.\",\n      details: { available: false },\n    };\n  }\n\n  try {\n    const dist = await reportBufferSurpriseDistribution(\n      async (opts) =>\n        storageWithLedger.readBufferSurpriseEvents!({ limit: opts.limit }),\n      { limit: 200 },\n    );\n\n    if (dist.count === 0) {\n      return {\n        key: \"buffer_surprise_distribution\",\n        status: \"ok\",\n        summary: config.bufferSurpriseTriggerEnabled\n          ? \"Surprise trigger is enabled but no telemetry has been recorded yet.\"\n          : \"Surprise trigger is disabled; no telemetry expected.\",\n        details: {\n          enabled: config.bufferSurpriseTriggerEnabled,\n          distribution: dist,\n        },\n      };\n    }\n\n    const pct = (value: number) => (value * 100).toFixed(1);\n    return {\n      key: \"buffer_surprise_distribution\",\n      status: \"ok\",\n      summary: `Recent surprise: mean=${dist.mean.toFixed(3)}, median=${dist.median.toFixed(3)}, p90=${dist.p90.toFixed(3)}, triggered=${pct(dist.triggeredRate)}% over ${dist.count} turns (threshold=${dist.currentThreshold ?? config.bufferSurpriseThreshold}).`,\n      details: {\n        enabled: config.bufferSurpriseTriggerEnabled,\n        distribution: dist,\n      },\n    };\n  } catch (err) {\n    return {\n      key: \"buffer_surprise_distribution\",\n      status: \"warn\",\n      summary: \"Could not read buffer-surprise telemetry ledger.\",\n      remediation:\n        \"Retry `remnic doctor` after ensuring the memory state directory is readable.\",\n      details: { error: String(err) },\n    };\n  }\n}\n\n/**\n * Summarize the consolidation-provenance integrity scan for the doctor\n * report (issue #561 PR 4).  Returns an `ok` check when no issues are\n * found, `warn` otherwise.  Never returns `error` — a broken provenance\n * pointer is informational because it can legitimately result from log\n * pruning, versioning being disabled retroactively, or operator-driven\n * archive operations.\n *\n * Exported so unit tests can exercise the summarization without booting a\n * full orchestrator.\n */\n\nasync function summarizeGraphEdgeDecayStatus(\n  config: Pick<\n    PluginConfig,\n    \"memoryDir\" | \"graphEdgeDecayEnabled\" | \"graphEdgeDecayCadenceMs\"\n  >,\n): Promise<OperatorDoctorCheck> {\n  // Lazy import to keep the doctor fast when the feature is disabled.\n  const { readGraphEdgeDecayStatus } = await import(\"./maintenance/graph-edge-decay.js\");\n  const enabled = config.graphEdgeDecayEnabled === true;\n  if (!enabled) {\n    return {\n      key: \"graph_edge_decay\",\n      status: \"ok\",\n      summary: \"Graph-edge decay maintenance is disabled (graphEdgeDecayEnabled = false).\",\n      remediation: \"Set graphEdgeDecayEnabled = true to opt into the periodic decay job (issue #681).\",\n      details: { enabled: false },\n    };\n  }\n\n  const status = await readGraphEdgeDecayStatus(config.memoryDir);\n  if (!status) {\n    return {\n      key: \"graph_edge_decay\",\n      status: \"warn\",\n      summary: \"Graph-edge decay is enabled but has not run yet (no status file present).\",\n      remediation:\n        \"Trigger the cron, run `engram.graph_edge_decay_run` via MCP, or wait for the scheduled cadence to fire.\",\n      details: { enabled: true, lastRun: null, cadenceMs: config.graphEdgeDecayCadenceMs },\n    };\n  }\n\n  return {\n    key: \"graph_edge_decay\",\n    status: \"ok\",\n    summary:\n      `Graph-edge decay last ran at ${status.ranAt} ` +\n      `(${status.edgesDecayed}/${status.edgesTotal} edges decayed, ` +\n      `${status.edgesBelowVisibilityThreshold} below visibility threshold).`,\n    details: {\n      enabled: true,\n      lastRun: status.ranAt,\n      durationMs: status.durationMs,\n      edgesTotal: status.edgesTotal,\n      edgesDecayed: status.edgesDecayed,\n      edgesBelowVisibilityThreshold: status.edgesBelowVisibilityThreshold,\n      topDecayedEntities: status.topDecayedEntities,\n      cadenceMs: config.graphEdgeDecayCadenceMs,\n    },\n  };\n}\n\n/**\n * Summarize hot/cold tier distribution for the Doctor report\n * (issue #686 retention-completion).\n *\n * Shows:\n *   - hot vs cold memory counts\n *   - forgotten-memory count\n *   - top per-status breakdown\n *   - recent migrations in the last 7 days (from the tier-migration journal)\n *   - top demotion reasons from the journal\n *\n * Always returns an `ok` check — this section is informational, never\n * a gate. A missing journal or unreadable corpus is surfaced as a note,\n * not an error.\n *\n * Exported so tests can exercise the summarizer without a full orchestrator.\n */\nexport async function summarizeTierDistribution(\n  storage: StorageManager,\n): Promise<OperatorDoctorCheck> {\n  try {\n    const { summarizeTiers } = await import(\"./maintenance/tier-stats.js\");\n    const summary = await summarizeTiers(storage);\n\n    // Read recent migration journal entries (last 7 days)\n    const storageDir = (storage as unknown as { dir?: string }).dir ?? \"\";\n    const journalPath = storageDir.length > 0\n      ? path.join(storageDir, \"state\", \"tier-migration-journal.jsonl\")\n      : null;\n    let recentMigrations = 0;\n    const demotionReasons: Record<string, number> = {};\n    const sevenDaysAgoMs = Date.now() - 7 * 86_400_000;\n\n    if (journalPath) {\n      try {\n        const { readFile } = await import(\"node:fs/promises\");\n        const raw = await readFile(journalPath, \"utf-8\");\n        for (const line of raw.split(\"\\n\")) {\n          const trimmed = line.trim();\n          if (trimmed.length === 0) continue;\n          try {\n            const entry = JSON.parse(trimmed) as {\n              ts?: string;\n              changed?: boolean;\n              fromTier?: string;\n              toTier?: string;\n              reason?: string;\n            };\n            const tsMs = entry.ts ? Date.parse(entry.ts) : NaN;\n            if (Number.isFinite(tsMs) && tsMs >= sevenDaysAgoMs && entry.changed === true) {\n              recentMigrations += 1;\n              if (entry.fromTier === \"hot\" && entry.toTier === \"cold\" && typeof entry.reason === \"string\") {\n                const reason = entry.reason;\n                demotionReasons[reason] = (demotionReasons[reason] ?? 0) + 1;\n              }\n            }\n          } catch {\n            // Malformed line — skip\n          }\n        }\n      } catch {\n        // Journal not present yet — expected on fresh installs\n      }\n    }\n\n    const topDemotionReasons = Object.entries(demotionReasons)\n      .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))\n      .slice(0, 5)\n      .map(([reason, count]) => ({ reason, count }));\n\n    const statusParts = Object.entries(summary.byStatus)\n      .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))\n      .slice(0, 6)\n      .map(([s, n]) => `${s}: ${n}`)\n      .join(\", \");\n\n    return {\n      key: \"tier_distribution\",\n      status: \"ok\",\n      summary:\n        `Tier distribution: hot=${summary.byTier.hot}, cold=${summary.byTier.cold}` +\n        (summary.forgottenCount > 0 ? `, forgotten=${summary.forgottenCount}` : \"\") +\n        `. Total: ${summary.total}.` +\n        (recentMigrations > 0 ? ` Recent migrations (7d): ${recentMigrations}.` : \"\"),\n      details: {\n        total: summary.total,\n        byTier: summary.byTier,\n        byStatus: summary.byStatus,\n        forgottenCount: summary.forgottenCount,\n        statusSummary: statusParts,\n        recentMigrations,\n        topDemotionReasons,\n      },\n    };\n  } catch (err) {\n    return {\n      key: \"tier_distribution\",\n      status: \"ok\",\n      summary: \"Tier distribution unavailable — could not enumerate memories.\",\n      details: { error: String(err) },\n    };\n  }\n}\n\n/**\n * Dreams phases doctor check (issue #678 PR 2/4).\n *\n * Reports per-phase: enabled status, cadence, threshold values, and last-run\n * timestamp sourced from `meta.json` (the existing maintenance ledger).\n *\n * Last-run mapping (best available in PR 2; PR 3/4 will emit per-phase events):\n *   light sleep → `meta.lastExtractionAt`   (lifecycle pass runs with extraction)\n *   REM         → `meta.lastConsolidationAt` (semantic consolidation)\n *   deep sleep  → latest governance run manifest when present, otherwise null\n */\nexport async function summarizeDreamsPhases(\n  config: Pick<PluginConfig, \"memoryDir\" | \"dreamsPhases\">,\n  storage: StorageManager = new StorageManager(config.memoryDir),\n): Promise<OperatorDoctorCheck> {\n  const phases: DreamsPhasesConfig = config.dreamsPhases;\n\n  // Load meta.json for best-available last-run timestamps.\n  const meta = await storage.loadMeta();\n\n  let deepSleepLastRun: string | null = null;\n  let deepSleepLastRunWarning: string | null = null;\n  try {\n    // Read the latest governance run's manifest from the real on-disk format\n    // rather than treating every failure as \"no runs yet\".\n    const runsDir = path.join(config.memoryDir, \"state\", \"memory-governance\", \"runs\");\n    const runIds = (await readdir(runsDir)).sort().reverse();\n    if (runIds.length > 0) {\n      const latestRunId = runIds[0];\n      const manifestPath = path.join(\n        runsDir,\n        latestRunId,\n        \"manifest.json\",\n      );\n      const raw = await readFile(manifestPath, \"utf-8\");\n      const parsed = JSON.parse(raw) as Record<string, unknown>;\n      if (typeof parsed.createdAt === \"string\" && parsed.createdAt.length > 0) {\n        deepSleepLastRun = parsed.createdAt;\n      }\n    }\n  } catch (error) {\n    if (!isMissingPathError(error)) {\n      deepSleepLastRunWarning = `Could not read latest governance run manifest: ${formatUnknownError(error)}`;\n    }\n  }\n\n  // Build per-phase summary lines for the human-readable `summary` field.\n  const phaseLines: string[] = [\n    `lightSleep: enabled=${phases.lightSleep.enabled}, cadenceMs=${phases.lightSleep.cadenceMs}, promoteHeat=${phases.lightSleep.promoteHeatThreshold}, staleDecay=${phases.lightSleep.staleDecayThreshold}, archiveDecay=${phases.lightSleep.archiveDecayThreshold}, filterStale=${phases.lightSleep.filterStaleEnabled}, lastRun=${meta.lastExtractionAt ?? \"never\"}`,\n    `rem: enabled=${phases.rem.enabled}, cadenceMs=${phases.rem.cadenceMs}, similarity=${phases.rem.similarityThreshold}, minCluster=${phases.rem.minClusterSize}, maxPerRun=${phases.rem.maxPerRun}, minIntervalMs=${phases.rem.minIntervalMs}, lastRun=${meta.lastConsolidationAt ?? \"never\"}`,\n    `deepSleep: enabled=${phases.deepSleep.enabled}, cadenceMs=${phases.deepSleep.cadenceMs}, versioning=${phases.deepSleep.versioningEnabled}, versioningMaxPerPage=${phases.deepSleep.versioningMaxPerPage}, lastRun=${deepSleepLastRun ?? \"never\"}`,\n  ];\n\n  return {\n    key: \"dreams_phases\",\n    status: deepSleepLastRunWarning ? \"warn\" : \"ok\",\n    summary: `Dreams pipeline phases: ${phaseLines.join(\"; \")}${deepSleepLastRunWarning ? `; ${deepSleepLastRunWarning}` : \"\"}`,\n    remediation: deepSleepLastRunWarning\n      ? \"Inspect state/memory-governance/runs and repair or remove unreadable governance run artifacts.\"\n      : undefined,\n    details: {\n      lightSleep: {\n        enabled: phases.lightSleep.enabled,\n        cadenceMs: phases.lightSleep.cadenceMs,\n        promoteHeatThreshold: phases.lightSleep.promoteHeatThreshold,\n        staleDecayThreshold: phases.lightSleep.staleDecayThreshold,\n        archiveDecayThreshold: phases.lightSleep.archiveDecayThreshold,\n        filterStaleEnabled: phases.lightSleep.filterStaleEnabled,\n        lastRun: meta.lastExtractionAt ?? null,\n      },\n      rem: {\n        enabled: phases.rem.enabled,\n        cadenceMs: phases.rem.cadenceMs,\n        similarityThreshold: phases.rem.similarityThreshold,\n        minClusterSize: phases.rem.minClusterSize,\n        maxPerRun: phases.rem.maxPerRun,\n        minIntervalMs: phases.rem.minIntervalMs,\n        lastRun: meta.lastConsolidationAt ?? null,\n      },\n      deepSleep: {\n        enabled: phases.deepSleep.enabled,\n        cadenceMs: phases.deepSleep.cadenceMs,\n        versioningEnabled: phases.deepSleep.versioningEnabled,\n        versioningMaxPerPage: phases.deepSleep.versioningMaxPerPage,\n        lastRun: deepSleepLastRun,\n        warning: deepSleepLastRunWarning,\n      },\n    },\n  };\n}\n\nfunction summarizeSecurityMitigations(\n  config: Pick<\n    PluginConfig,\n    | \"recallCrossNamespaceBudgetEnabled\"\n    | \"recallCrossNamespaceBudgetWindowMs\"\n    | \"recallCrossNamespaceBudgetSoftLimit\"\n    | \"recallCrossNamespaceBudgetHardLimit\"\n    | \"recallAuditAnomalyDetectionEnabled\"\n    | \"recallAuditAnomalyWindowMs\"\n    | \"recallAuditAnomalyRepeatQueryLimit\"\n    | \"recallAuditAnomalyNamespaceWalkLimit\"\n    | \"recallAuditAnomalyHighCardinalityLimit\"\n    | \"recallAuditAnomalyRapidFireLimit\"\n  >,\n): OperatorDoctorCheck {\n  const budgetEnabled = config.recallCrossNamespaceBudgetEnabled === true;\n  const anomalyEnabled = config.recallAuditAnomalyDetectionEnabled === true;\n\n  if (!budgetEnabled && !anomalyEnabled) {\n    return {\n      key: \"security_mitigations\",\n      status: \"warn\",\n      summary: \"Memory-extraction mitigations are disabled (cross-namespace budget and anomaly detection off).\",\n      remediation: \"Enable recallCrossNamespaceBudgetEnabled and/or recallAuditAnomalyDetectionEnabled for production deployments. See docs/security/memory-extraction-threat-model.md.\",\n      details: {\n        budgetEnabled: false,\n        anomalyDetectionEnabled: false,\n      },\n    };\n  }\n\n  const details: Record<string, unknown> = {\n    budgetEnabled,\n    anomalyDetectionEnabled: anomalyEnabled,\n  };\n\n  if (budgetEnabled) {\n    details.budgetConfig = {\n      windowMs: config.recallCrossNamespaceBudgetWindowMs,\n      softLimit: config.recallCrossNamespaceBudgetSoftLimit,\n      hardLimit: config.recallCrossNamespaceBudgetHardLimit,\n    };\n  }\n\n  if (anomalyEnabled) {\n    details.anomalyConfig = {\n      windowMs: config.recallAuditAnomalyWindowMs,\n      repeatQueryLimit: config.recallAuditAnomalyRepeatQueryLimit,\n      namespaceWalkLimit: config.recallAuditAnomalyNamespaceWalkLimit,\n      highCardinalityLimit: config.recallAuditAnomalyHighCardinalityLimit,\n      rapidFireLimit: config.recallAuditAnomalyRapidFireLimit,\n    };\n  }\n\n  return {\n    key: \"security_mitigations\",\n    status: \"ok\",\n    summary: `Memory-extraction mitigation config enabled: ${budgetEnabled ? \"budget\" : \"\"}${budgetEnabled && anomalyEnabled ? \", \" : \"\"}${anomalyEnabled ? \"anomaly detection\" : \"\"}.`,\n    details: { ...details, configOnly: true },\n  };\n}\n\n/**\n * Observation throughput check for `remnic doctor` (issue #685).\n *\n * Reads the extraction-judge verdict ledger to surface:\n *  - total observations (verdicts) recorded\n *  - accept / reject / defer breakdown\n *  - most-recent `observedAt` timestamp\n *\n * The check is purely informational (always `ok`): a missing or empty\n * ledger is the expected state on a fresh install and is never an error.\n * This closes the `*(future)*` item deferred in `docs/trace-to-primitive.md`.\n */\nexport async function summarizeObservationThroughput(\n  memoryDir: string,\n): Promise<OperatorDoctorCheck> {\n  try {\n    const stats = await readJudgeVerdictStats(memoryDir);\n    if (stats.total === 0) {\n      return {\n        key: \"observations\",\n        status: \"ok\",\n        summary: \"No observations recorded yet (extraction-judge telemetry ledger is empty or missing).\",\n        details: { total: 0, accept: 0, reject: 0, defer: 0, lastObservedAt: null },\n      };\n    }\n    const acceptPct = ((stats.accept / stats.total) * 100).toFixed(1);\n    const rejectPct = ((stats.reject / stats.total) * 100).toFixed(1);\n    const deferPct = ((stats.defer / stats.total) * 100).toFixed(1);\n    return {\n      key: \"observations\",\n      status: \"ok\",\n      summary: `${stats.total} observations recorded: accept=${acceptPct}%, reject=${rejectPct}%, defer=${deferPct}%. Last observed: ${stats.lastTs ?? \"unknown\"}.`,\n      details: {\n        total: stats.total,\n        accept: stats.accept,\n        reject: stats.reject,\n        defer: stats.defer,\n        deferCapTriggered: stats.deferCapTriggered,\n        deferRate: stats.deferRate,\n        meanElapsedMs: stats.meanElapsedMs,\n        firstObservedAt: stats.firstTs ?? null,\n        lastObservedAt: stats.lastTs ?? null,\n      },\n    };\n  } catch (err) {\n    return {\n      key: \"observations\",\n      status: \"warn\",\n      summary: \"Could not read observation telemetry ledger.\",\n      remediation: \"Retry `remnic doctor` after ensuring the memory state directory is readable.\",\n      details: { error: String(err) },\n    };\n  }\n}\n\nexport async function summarizeConsolidationProvenance(\n  storage: StorageManager,\n  config: Pick<PluginConfig, \"memoryDir\"> & { versioningSidecarDir?: string },\n): Promise<OperatorDoctorCheck> {\n  let report: ConsolidationProvenanceReport;\n  try {\n    report = await runConsolidationProvenanceCheck({\n      storage,\n      memoryDir: config.memoryDir,\n      // Honor the configured sidecar directory (PR #634 review): when an\n      // operator overrides `versioningSidecarDir`, the default `.versions`\n      // would point at the wrong location and every entry would report as\n      // missing.  Undefined falls back to the helper's default.\n      sidecarDir: config.versioningSidecarDir,\n    });\n  } catch (err) {\n    return {\n      key: \"consolidation_provenance\",\n      status: \"warn\",\n      summary: \"Could not run consolidation-provenance integrity check.\",\n      remediation: \"Ensure the memory directory is readable and rerun `remnic doctor`.\",\n      details: { error: String(err) },\n    };\n  }\n\n  if (report.issues.length === 0) {\n    return {\n      key: \"consolidation_provenance\",\n      status: \"ok\",\n      summary:\n        report.withProvenance === 0\n          ? \"No consolidation-provenance memories on disk yet.\"\n          : `${report.withProvenance} consolidation-provenance memories verified (no broken references).`,\n      details: report,\n    };\n  }\n\n  return {\n    key: \"consolidation_provenance\",\n    status: \"warn\",\n    summary: `${report.issues.length} consolidation-provenance integrity issue(s) detected across ${report.withProvenance} memories with provenance frontmatter.`,\n    remediation:\n      \"Broken pointers are informational. Inspect flagged memories, and if they should resolve, re-snapshot via a consolidation pass or accept pruning.\",\n    details: report,\n  };\n}\n\nfunction getMemoryAgeBand(memory: MemoryFile, now: Date): string {\n  const created = Date.parse(memory.frontmatter.created ?? \"\");\n  if (!Number.isFinite(created)) return \"unknown\";\n  const ageDays = Math.max(0, Math.floor((now.getTime() - created) / 86_400_000));\n  if (ageDays < 7) return \"0_6d\";\n  if (ageDays < 30) return \"7_29d\";\n  if (ageDays < 90) return \"30_89d\";\n  return \"90d_plus\";\n}\n\nasync function dirSize(targetPath: string): Promise<number> {\n  try {\n    const info = await stat(targetPath);\n    if (info.isFile()) return info.size;\n    if (!info.isDirectory()) return 0;\n  } catch {\n    return 0;\n  }\n\n  let total = 0;\n  let entries;\n  try {\n    entries = await readdir(targetPath, { withFileTypes: true });\n  } catch {\n    return 0;\n  }\n  for (const entry of entries) {\n    total += await dirSize(path.join(targetPath, entry.name));\n  }\n  return total;\n}\n\nasync function summarizeStorageFootprint(memoryDir: string): Promise<{ bytes: number; byTopLevel: Record<string, number> }> {\n  const topLevel = [\n    \"facts\",\n    \"entities\",\n    \"questions\",\n    \"corrections\",\n    \"artifacts\",\n    \"state\",\n    \"identity\",\n    \"namespaces\",\n    \"summaries\",\n    \"profile.md\",\n  ];\n  const byTopLevel: Record<string, number> = {};\n  let bytes = 0;\n  for (const name of topLevel) {\n    const size = await dirSize(path.join(memoryDir, name));\n    if (size > 0) {\n      byTopLevel[name] = size;\n      bytes += size;\n    }\n  }\n  return { bytes, byTopLevel };\n}\n\nexport async function runOperatorInventory(options: OperatorInventoryOptions): Promise<OperatorInventoryReport> {\n  const now = options.now ?? new Date();\n  const config = options.orchestrator.config;\n  const namespaceEntries = await listNamespaces({ config });\n  const uniqueRootEntries = new Map<string, { namespace: string; rootDir: string }>();\n  for (const entry of namespaceEntries) {\n    if (!uniqueRootEntries.has(entry.rootDir)) {\n      uniqueRootEntries.set(entry.rootDir, { namespace: entry.namespace, rootDir: entry.rootDir });\n    }\n  }\n  const categories: Record<string, number> = {};\n  const statuses: Record<string, number> = {};\n  const ageBands: Record<string, number> = {\n    \"0_6d\": 0,\n    \"7_29d\": 0,\n    \"30_89d\": 0,\n    \"90d_plus\": 0,\n    unknown: 0,\n  };\n  const namespaces: OperatorInventoryNamespaceSummary[] = [];\n  let totalMemories = 0;\n  let totalEntities = 0;\n  let archived = 0;\n  let pendingReview = 0;\n  let quarantined = 0;\n  let rejected = 0;\n\n  for (const entry of uniqueRootEntries.values()) {\n    const storage = new StorageManager(entry.rootDir);\n    const memories = await storage.readAllMemories();\n    const entities = await storage.readAllEntityFiles();\n    namespaces.push({\n      namespace: entry.namespace,\n      memoryCount: memories.length,\n      entityCount: entities.length,\n    });\n    totalMemories += memories.length;\n    totalEntities += entities.length;\n    for (const memory of memories) {\n      const category = memory.frontmatter.category;\n      categories[category] = (categories[category] ?? 0) + 1;\n      const status = memory.frontmatter.status ?? \"active\";\n      statuses[status] = (statuses[status] ?? 0) + 1;\n      ageBands[getMemoryAgeBand(memory, now)] += 1;\n      if (status === \"archived\") archived += 1;\n      if (status === \"pending_review\") pendingReview += 1;\n      if (status === \"quarantined\") quarantined += 1;\n      if (status === \"rejected\") rejected += 1;\n    }\n  }\n\n  const defaultStorage = new StorageManager(config.memoryDir);\n  const profile = await defaultStorage.readProfile();\n  const footprint = await summarizeStorageFootprint(config.memoryDir);\n  const reviewRunId = (await listMemoryGovernanceRuns(config.memoryDir))[0];\n  let reviewQueue = 0;\n  if (reviewRunId) {\n    try {\n      reviewQueue = (await readMemoryGovernanceRunArtifact(config.memoryDir, reviewRunId)).reviewQueue.length;\n    } catch {\n      reviewQueue = 0;\n    }\n  }\n  const conversationIndex = await options.orchestrator.getConversationIndexHealth();\n  const nativeKnowledgeStatus = await summarizeNativeKnowledgeStatus(config);\n\n  return {\n    schemaVersion: 1,\n    generatedAt: now.toISOString(),\n    memoryDir: config.memoryDir,\n    totals: {\n      memories: totalMemories,\n      entities: totalEntities,\n      namespaces: namespaceEntries.length,\n      reviewQueue,\n      storageBytes: footprint.bytes,\n    },\n    categories,\n    statuses,\n    namespaces,\n    ageBands,\n    profile: {\n      exists: profile.length > 0,\n      chars: profile.length,\n      lines: profile.length > 0 ? profile.split(\"\\n\").length : 0,\n    },\n    storageFootprint: footprint,\n    archivePressure: {\n      archived,\n      pendingReview,\n      quarantined,\n      rejected,\n    },\n    conversationIndex: {\n      enabled: conversationIndex.enabled,\n      backend: conversationIndex.backend,\n      status: conversationIndex.status,\n      chunkDocCount: conversationIndex.chunkDocCount,\n      lastUpdateAt: conversationIndex.lastUpdateAt,\n    },\n    nativeKnowledge: {\n      enabled: nativeKnowledgeStatus.enabled,\n      curatedIncludeSync: nativeKnowledgeStatus.curatedIncludeSync,\n      obsidianSync: nativeKnowledgeStatus.obsidianSync,\n      openclawWorkspaceSync: nativeKnowledgeStatus.openclawWorkspaceSync,\n    },\n  };\n}\n\nexport async function runBenchmarkRecall(options: BenchmarkRecallOptions): Promise<BenchmarkRecallReport> {\n  const now = options.now ?? new Date();\n  const status = await getEvalHarnessStatus({\n    memoryDir: options.config.memoryDir,\n    evalStoreDir: options.config.evalStoreDir,\n    enabled: options.config.evalHarnessEnabled,\n    shadowModeEnabled: options.config.evalShadowModeEnabled,\n    baselineSnapshotsEnabled: options.config.benchmarkBaselineSnapshotsEnabled,\n    memoryRedTeamBenchEnabled: options.config.memoryRedTeamBenchEnabled,\n  });\n\n  if (options.createSnapshot && options.snapshotId) {\n    const snapshot = await createEvalBaselineSnapshot({\n      memoryDir: options.config.memoryDir,\n      evalStoreDir: options.config.evalStoreDir,\n      baselineSnapshotsEnabled: options.config.benchmarkBaselineSnapshotsEnabled,\n      snapshotId: options.snapshotId,\n      notes: options.snapshotNotes,\n      gitRef: options.gitRef,\n      createdAt: options.createdAt,\n    });\n    return {\n      schemaVersion: 1,\n      generatedAt: now.toISOString(),\n      mode: \"snapshot\",\n      status,\n      snapshot: {\n        targetPath: snapshot.targetPath,\n        snapshotId: snapshot.snapshot.snapshotId,\n      },\n    };\n  }\n\n  if (options.baseEvalStoreDir && options.candidateEvalStoreDir) {\n    const ciGate = await runEvalBenchmarkCiGate({\n      baseEvalStoreDir: options.baseEvalStoreDir,\n      candidateEvalStoreDir: options.candidateEvalStoreDir,\n    });\n    return {\n      schemaVersion: 1,\n      generatedAt: now.toISOString(),\n      mode: \"ci-gate\",\n      status,\n      ciGate,\n    };\n  }\n\n  if (options.snapshotId) {\n    const baselineReport = await runEvalBaselineDeltaReport({\n      memoryDir: options.config.memoryDir,\n      evalStoreDir: options.config.evalStoreDir,\n      benchmarkDeltaReporterEnabled: options.config.benchmarkDeltaReporterEnabled,\n      snapshotId: options.snapshotId,\n    });\n    return {\n      schemaVersion: 1,\n      generatedAt: now.toISOString(),\n      mode: \"baseline-report\",\n      status,\n      baselineReport,\n    };\n  }\n\n  if (options.validatePath) {\n    const validate = await validateEvalBenchmarkPack(options.validatePath, {\n      memoryRedTeamBenchEnabled: options.config.memoryRedTeamBenchEnabled,\n    });\n    return {\n      schemaVersion: 1,\n      generatedAt: now.toISOString(),\n      mode: \"validate\",\n      status,\n      validate,\n    };\n  }\n\n  return {\n    schemaVersion: 1,\n    generatedAt: now.toISOString(),\n    mode: \"status\",\n    status,\n  };\n}\n\nexport async function runOperatorRepair(options: OperatorRepairOptions): Promise<OperatorRepairReport> {\n  const now = options.now ?? new Date();\n  const dryRun = options.dryRun === true || options.apply !== true;\n  const sessionCheck = await analyzeSessionIntegrity({ memoryDir: options.config.memoryDir });\n  const sessionRepairPlan = planSessionRepair({\n    report: sessionCheck,\n    dryRun,\n    allowSessionFileRepair: options.allowSessionFileRepair,\n    sessionFilesDir: options.sessionFilesDir,\n  });\n  const sessionRepairApply = await applySessionRepair({\n    plan: sessionRepairPlan,\n  });\n  const graphHealth = await analyzeGraphHealth(options.config.memoryDir, {\n    entityGraphEnabled: options.config.entityGraphEnabled,\n    timeGraphEnabled: options.config.timeGraphEnabled,\n    causalGraphEnabled: options.config.causalGraphEnabled,\n    includeRepairGuidance: true,\n  });\n  return {\n    schemaVersion: 1,\n    generatedAt: now.toISOString(),\n    dryRun,\n    sessionCheck,\n    sessionRepairPlan,\n    sessionRepairApply,\n    graphHealth,\n  };\n}\n","import path from \"node:path\";\nimport { access, mkdir, readdir, rename } from \"node:fs/promises\";\nimport type { PluginConfig } from \"../types.js\";\nimport { NamespaceStorageRouter } from \"./storage.js\";\nimport { namespaceCollectionName } from \"./search.js\";\nimport { isSafeRouteNamespace } from \"../routing/engine.js\";\n\nconst LEGACY_NAMESPACE_CHILDREN = [\n  \"facts\",\n  \"corrections\",\n  \"entities\",\n  \"questions\",\n  \"artifacts\",\n  \"identity\",\n  \"state\",\n  \"config\",\n  \"summaries\",\n  \"procedures\",\n  // Issue #564 PR 3: reasoning_trace memories live in their own subtree.\n  // Must be included here so namespace migration moves existing traces\n  // into the target namespace root alongside other memory data.\n  \"reasoning-traces\",\n  \"profile.md\",\n] as const;\n\nexport interface NamespaceInventoryEntry {\n  namespace: string;\n  rootDir: string;\n  exists: boolean;\n  usesLegacyRoot: boolean;\n  hasMemoryData: boolean;\n  collection: string;\n}\n\nexport interface NamespaceVerifyReport {\n  ok: boolean;\n  problems: string[];\n  namespaces: NamespaceInventoryEntry[];\n}\n\nexport interface NamespaceMigrationMove {\n  from: string;\n  to: string;\n}\n\nexport interface NamespaceMigrationReport {\n  dryRun: boolean;\n  fromRoot: string;\n  targetRoot: string;\n  moved: NamespaceMigrationMove[];\n  collection: string;\n}\n\nasync function exists(p: string): Promise<boolean> {\n  try {\n    await access(p);\n    return true;\n  } catch {\n    return false;\n  }\n}\n\nasync function hasAnyLegacyData(rootDir: string): Promise<boolean> {\n  for (const child of LEGACY_NAMESPACE_CHILDREN) {\n    if (await exists(path.join(rootDir, child))) return true;\n  }\n  return false;\n}\n\nasync function discoverConfiguredNamespaces(\n  config: PluginConfig,\n): Promise<string[]> {\n  const discovered = new Set<string>([\n    config.defaultNamespace,\n    config.sharedNamespace,\n    ...config.namespacePolicies.map((policy) => policy.name),\n  ]);\n\n  const namespacesDir = path.join(config.memoryDir, \"namespaces\");\n  try {\n    const entries = await readdir(namespacesDir, { withFileTypes: true });\n    for (const entry of entries) {\n      if (entry.isDirectory() && isSafeRouteNamespace(entry.name)) {\n        discovered.add(entry.name);\n      }\n    }\n  } catch {\n    // No namespace directory yet.\n  }\n\n  return [...discovered];\n}\n\nexport async function listNamespaces(options: {\n  config: PluginConfig;\n  storageRouter?: NamespaceStorageRouter;\n}): Promise<NamespaceInventoryEntry[]> {\n  const storageRouter = options.storageRouter ?? new NamespaceStorageRouter(options.config);\n  const namespaces = await discoverConfiguredNamespaces(options.config);\n  const items = await Promise.all(\n    namespaces.map(async (namespace) => {\n      const storage = await storageRouter.storageFor(namespace);\n      const usesLegacyRoot =\n        namespace === options.config.defaultNamespace &&\n        storage.dir === options.config.memoryDir;\n      return {\n        namespace,\n        rootDir: storage.dir,\n        exists: await exists(storage.dir),\n        usesLegacyRoot,\n        hasMemoryData: await hasAnyLegacyData(storage.dir),\n        collection: namespaceCollectionName(options.config.qmdCollection, namespace, {\n          defaultNamespace: options.config.defaultNamespace,\n          useLegacyDefaultCollection: usesLegacyRoot,\n        }),\n      } satisfies NamespaceInventoryEntry;\n    }),\n  );\n\n  return items.sort((a, b) => a.namespace.localeCompare(b.namespace));\n}\n\nexport async function verifyNamespaces(options: {\n  config: PluginConfig;\n  storageRouter?: NamespaceStorageRouter;\n}): Promise<NamespaceVerifyReport> {\n  const namespaces = await listNamespaces(options);\n  const problems: string[] = [];\n\n  for (const entry of namespaces) {\n    if (entry.exists && !entry.hasMemoryData) {\n      problems.push(`${entry.namespace}: root exists but contains no Engram data`);\n    }\n  }\n\n  return {\n    ok: problems.length === 0,\n    problems,\n    namespaces,\n  };\n}\n\nexport async function runNamespaceMigration(options: {\n  config: PluginConfig;\n  to: string;\n  dryRun?: boolean;\n}): Promise<NamespaceMigrationReport> {\n  if (!options.config.namespacesEnabled) {\n    throw new Error(\"Namespaces are disabled.\");\n  }\n\n  const targetNamespace = options.to.trim();\n  if (!isSafeRouteNamespace(targetNamespace)) {\n    throw new Error(`Invalid namespace: ${options.to}`);\n  }\n\n  const targetRoot = path.join(options.config.memoryDir, \"namespaces\", targetNamespace);\n  const moved: NamespaceMigrationMove[] = [];\n\n  for (const child of LEGACY_NAMESPACE_CHILDREN) {\n    const from = path.join(options.config.memoryDir, child);\n    if (!(await exists(from))) continue;\n    const to = path.join(targetRoot, child);\n    if (await exists(to)) {\n      throw new Error(`Target already contains ${child}: ${to}`);\n    }\n    moved.push({ from, to });\n  }\n\n  if (!options.dryRun && moved.length > 0) {\n    await mkdir(targetRoot, { recursive: true });\n    for (const move of moved) {\n      await rename(move.from, move.to);\n    }\n  }\n\n  return {\n    dryRun: options.dryRun === true,\n    fromRoot: options.config.memoryDir,\n    targetRoot,\n    moved,\n    collection: namespaceCollectionName(options.config.qmdCollection, targetNamespace, {\n      defaultNamespace: options.config.defaultNamespace,\n      useLegacyDefaultCollection: false,\n    }),\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,OAAOA,WAAU;AACjB,SAAS,aAAa,mBAAmB;AACzC,SAAS,UAAAC,SAAQ,SAAAC,QAAO,UAAU,WAAAC,UAAS,MAAM,QAAQ,iBAAiB;;;ACF1E,OAAO,UAAU;AACjB,SAAS,QAAQ,OAAO,SAAS,cAAc;AAM/C,IAAM,4BAA4B;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA;AAAA,EAIA;AAAA,EACA;AACF;AA8BA,eAAe,OAAO,GAA6B;AACjD,MAAI;AACF,UAAM,OAAO,CAAC;AACd,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAe,iBAAiB,SAAmC;AACjE,aAAW,SAAS,2BAA2B;AAC7C,QAAI,MAAM,OAAO,KAAK,KAAK,SAAS,KAAK,CAAC,EAAG,QAAO;AAAA,EACtD;AACA,SAAO;AACT;AAEA,eAAe,6BACb,QACmB;AACnB,QAAM,aAAa,oBAAI,IAAY;AAAA,IACjC,OAAO;AAAA,IACP,OAAO;AAAA,IACP,GAAG,OAAO,kBAAkB,IAAI,CAAC,WAAW,OAAO,IAAI;AAAA,EACzD,CAAC;AAED,QAAM,gBAAgB,KAAK,KAAK,OAAO,WAAW,YAAY;AAC9D,MAAI;AACF,UAAM,UAAU,MAAM,QAAQ,eAAe,EAAE,eAAe,KAAK,CAAC;AACpE,eAAW,SAAS,SAAS;AAC3B,UAAI,MAAM,YAAY,KAAK,qBAAqB,MAAM,IAAI,GAAG;AAC3D,mBAAW,IAAI,MAAM,IAAI;AAAA,MAC3B;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AAEA,SAAO,CAAC,GAAG,UAAU;AACvB;AAEA,eAAsB,eAAe,SAGE;AACrC,QAAM,gBAAgB,QAAQ,iBAAiB,IAAI,uBAAuB,QAAQ,MAAM;AACxF,QAAM,aAAa,MAAM,6BAA6B,QAAQ,MAAM;AACpE,QAAM,QAAQ,MAAM,QAAQ;AAAA,IAC1B,WAAW,IAAI,OAAO,cAAc;AAClC,YAAM,UAAU,MAAM,cAAc,WAAW,SAAS;AACxD,YAAM,iBACJ,cAAc,QAAQ,OAAO,oBAC7B,QAAQ,QAAQ,QAAQ,OAAO;AACjC,aAAO;AAAA,QACL;AAAA,QACA,SAAS,QAAQ;AAAA,QACjB,QAAQ,MAAM,OAAO,QAAQ,GAAG;AAAA,QAChC;AAAA,QACA,eAAe,MAAM,iBAAiB,QAAQ,GAAG;AAAA,QACjD,YAAY,wBAAwB,QAAQ,OAAO,eAAe,WAAW;AAAA,UAC3E,kBAAkB,QAAQ,OAAO;AAAA,UACjC,4BAA4B;AAAA,QAC9B,CAAC;AAAA,MACH;AAAA,IACF,CAAC;AAAA,EACH;AAEA,SAAO,MAAM,KAAK,CAAC,GAAG,MAAM,EAAE,UAAU,cAAc,EAAE,SAAS,CAAC;AACpE;AAEA,eAAsB,iBAAiB,SAGJ;AACjC,QAAM,aAAa,MAAM,eAAe,OAAO;AAC/C,QAAM,WAAqB,CAAC;AAE5B,aAAW,SAAS,YAAY;AAC9B,QAAI,MAAM,UAAU,CAAC,MAAM,eAAe;AACxC,eAAS,KAAK,GAAG,MAAM,SAAS,2CAA2C;AAAA,IAC7E;AAAA,EACF;AAEA,SAAO;AAAA,IACL,IAAI,SAAS,WAAW;AAAA,IACxB;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAsB,sBAAsB,SAIN;AACpC,MAAI,CAAC,QAAQ,OAAO,mBAAmB;AACrC,UAAM,IAAI,MAAM,0BAA0B;AAAA,EAC5C;AAEA,QAAM,kBAAkB,QAAQ,GAAG,KAAK;AACxC,MAAI,CAAC,qBAAqB,eAAe,GAAG;AAC1C,UAAM,IAAI,MAAM,sBAAsB,QAAQ,EAAE,EAAE;AAAA,EACpD;AAEA,QAAM,aAAa,KAAK,KAAK,QAAQ,OAAO,WAAW,cAAc,eAAe;AACpF,QAAM,QAAkC,CAAC;AAEzC,aAAW,SAAS,2BAA2B;AAC7C,UAAM,OAAO,KAAK,KAAK,QAAQ,OAAO,WAAW,KAAK;AACtD,QAAI,CAAE,MAAM,OAAO,IAAI,EAAI;AAC3B,UAAM,KAAK,KAAK,KAAK,YAAY,KAAK;AACtC,QAAI,MAAM,OAAO,EAAE,GAAG;AACpB,YAAM,IAAI,MAAM,2BAA2B,KAAK,KAAK,EAAE,EAAE;AAAA,IAC3D;AACA,UAAM,KAAK,EAAE,MAAM,GAAG,CAAC;AAAA,EACzB;AAEA,MAAI,CAAC,QAAQ,UAAU,MAAM,SAAS,GAAG;AACvC,UAAM,MAAM,YAAY,EAAE,WAAW,KAAK,CAAC;AAC3C,eAAW,QAAQ,OAAO;AACxB,YAAM,OAAO,KAAK,MAAM,KAAK,EAAE;AAAA,IACjC;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAQ,QAAQ,WAAW;AAAA,IAC3B,UAAU,QAAQ,OAAO;AAAA,IACzB;AAAA,IACA;AAAA,IACA,YAAY,wBAAwB,QAAQ,OAAO,eAAe,iBAAiB;AAAA,MACjF,kBAAkB,QAAQ,OAAO;AAAA,MACjC,4BAA4B;AAAA,IAC9B,CAAC;AAAA,EACH;AACF;;;ADhIA,SAAS,mBAAmB,OAAyB;AACnD,SAAO,OAAO,UAAU,YACnB,UAAU,QACV,UAAU,SACT,MAA6B,SAAS;AAC9C;AAEA,SAAS,mBAAmB,OAAwB;AAClD,SAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAC9D;AA4TA,SAAS,kBAAkB,cAA+B;AACxD,MAAI,gBAAgB,aAAa,KAAK,EAAE,SAAS,EAAG,QAAO,aAAa,KAAK;AAC7E,QAAM,aACJ,WAAW,6BAA6B,KACxC,WAAW,sBAAsB;AACnC,MAAI,cAAc,WAAW,KAAK,EAAE,SAAS,EAAG,QAAO,WAAW,KAAK;AACvE,SAAOC,MAAK,KAAK,eAAe,GAAG,aAAa,eAAe;AACjE;AAEA,eAAe,oBAAoB,YAAwD;AACzF,QAAM,eAAe,kBAAkB,UAAU;AACjD,MAAI;AACF,UAAM,MAAM,KAAK,MAAM,MAAM,SAAS,cAAc,OAAO,CAAC;AAG5D,UAAM,QAAQ,yBAAyB,GAAG;AAC1C,UAAM,eAAe;AAAA,MACnB,SAAS,OAAO,UAAU,WACpB,MAAM,QAAQ,KAA6C,CAAC,IAC9D,CAAC;AAAA,IACP;AACA,WAAO;AAAA,MACL,OAAO;AAAA,MACP,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,WAAW,aAAa;AAAA,MACxB,cAAc,aAAa;AAAA,IAC7B;AAAA,EACF,SAAS,OAAO;AACd,UAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACrE,WAAO;AAAA,MACL,OAAO,CAAC,UAAU,KAAK,OAAO;AAAA,MAC9B,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,OAAO;AAAA,IACT;AAAA,EACF;AACF;AAEA,eAAe,WAAW,YAAsC;AAC9D,MAAI;AACF,UAAMC,QAAO,YAAY,YAAY,IAAI;AACzC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAe,WAAW,YAAsC;AAC9D,MAAI;AACF,UAAMA,QAAO,YAAY,YAAY,IAAI;AACzC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,kBAAkB,OAAwB;AACjD,MAAI,UAAU,UAAa,UAAU,KAAM,QAAO;AAClD,MAAI,OAAO,UAAU,SAAU,QAAO,MAAM,SAAS,IAAI,QAAQ;AACjE,MAAI,OAAO,UAAU,YAAY,OAAO,UAAU,UAAW,QAAO,OAAO,KAAK;AAChF,SAAO,KAAK,UAAU,KAAK;AAC7B;AAEA,eAAe,sBACb,OACsE;AACtE,SAAO,QAAQ,IAAI,MAAM,IAAI,OAAO,eAAe;AACjD,QAAI;AACF,YAAMA,QAAO,YAAY,YAAY,IAAI;AACzC,aAAO;AAAA,QACL,MAAM;AAAA,QACN,QAAQ;AAAA,QACR,UAAU,MAAM,WAAW,UAAU;AAAA,MACvC;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,QACL,MAAM;AAAA,QACN,QAAQ;AAAA,QACR,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF,CAAC,CAAC;AACJ;AAEA,SAAS,cAAc,QAAgC;AACrD,SAAO;AAAA,IACL,OAAO;AAAA,IACP,OAAO;AAAA,IACPD,MAAK,KAAK,OAAO,WAAW,OAAO;AAAA,IACnCA,MAAK,KAAK,OAAO,WAAW,UAAU;AAAA,IACtCA,MAAK,KAAK,OAAO,WAAW,OAAO;AAAA,IACnCA,MAAK,KAAK,OAAO,WAAW,WAAW;AAAA,IACvCA,MAAK,KAAK,OAAO,WAAW,WAAW;AAAA,IACvCA,MAAK,KAAK,OAAO,WAAW,QAAQ;AAAA,EACtC;AACF;AAEA,eAAe,iBAAiB,UAA2C;AACzE,MAAI;AACF,WAAO,KAAK,MAAM,MAAM,SAAS,UAAU,OAAO,CAAC;AAAA,EACrD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAe,+BAA+B,QA6B3C;AACD,QAAM,kBAAkB,OAAO;AAC/B,QAAM,0BAA0B,iBAAiB,YAAY;AAC7D,QAAM,mBAAmB,kBACrB,oCAAoC,OAAO,WAAW,eAAe,IACrEA,MAAK,KAAK,OAAO,WAAW,yBAAyB,2BAA2B;AACpF,QAAM,oBAAoB,kBACtB,gCAAgC,OAAO,WAAW,eAAe,IACjEA,MAAK,KAAK,OAAO,WAAW,yBAAyB,oBAAoB;AAC7E,QAAM,oBAAoB,kBACtB,kCAAkC,OAAO,WAAW,eAAe,IACnEA,MAAK,KAAK,OAAO,WAAW,yBAAyB,8BAA8B;AACvF,QAAM,CAAC,YAAY,aAAa,WAAW,IAAI,MAAM,QAAQ,IAAI;AAAA,IAC/D,iBAAiB,gBAAgB;AAAA,IACjC,iBAAiB,iBAAiB;AAAA,IAClC,iBAAiB,iBAAiB;AAAA,EACpC,CAAC;AAED,QAAM,eAAe,cAAc,OAAO,eAAe,YAAY,eAAe,QAC/E,WAAW,cAAc,OAAQ,WAAmC,UAAU,YAC7E,WAAmC,UAAU,OAC5C,aAID;AAEN,MAAI,0BAA0B;AAC9B,MAAI,0BAA0B;AAC9B,aAAW,QAAQ,OAAO,OAAO,cAAc,SAAS,CAAC,CAAC,GAAG;AAC3D,QAAI,KAAK,SAAS;AAChB,iCAA2B;AAC3B;AAAA,IACF;AACA,+BAA2B,MAAM,QAAQ,KAAK,MAAM,IAAI,KAAK,OAAO,SAAS;AAAA,EAC/E;AAEA,QAAM,iBAAiB,eAAe,OAAO,gBAAgB,YAAY,gBAAgB,QACpF,YAAY,eAAe,OAAQ,YAAqC,WAAW,YAClF,YAAqC,WAAW,OAC/C,cAID;AAEN,MAAI,2BAA2B;AAC/B,MAAI,2BAA2B;AAC/B,aAAW,SAAS,OAAO,OAAO,gBAAgB,UAAU,CAAC,CAAC,GAAG;AAC/D,eAAW,QAAQ,OAAO,OAAO,MAAM,SAAS,CAAC,CAAC,GAAG;AACnD,UAAI,KAAK,SAAS;AAChB,oCAA4B;AAC5B;AAAA,MACF;AACA,kCAA4B,MAAM,QAAQ,KAAK,MAAM,IAAI,KAAK,OAAO,SAAS;AAAA,IAChF;AAAA,EACF;AAEA,QAAM,gBAAgB,eAAe,OAAO,gBAAgB,YAAY,gBAAgB,QACnF,WAAW,eAAe,OAAQ,YAAoC,UAAU,YAC/E,YAAoC,UAAU,OAC7C,cAID;AAEN,MAAI,2BAA2B;AAC/B,MAAI,2BAA2B;AAC/B,aAAW,QAAQ,OAAO,OAAO,eAAe,SAAS,CAAC,CAAC,GAAG;AAC5D,QAAI,KAAK,SAAS;AAChB,kCAA4B;AAC5B;AAAA,IACF;AACA,gCAA4B,MAAM,QAAQ,KAAK,MAAM,IAAI,KAAK,OAAO,SAAS;AAAA,EAChF;AAEA,SAAO;AAAA,IACL,SAAS,iBAAiB,YAAY;AAAA,IACtC,cAAc,iBAAiB,gBAAgB,CAAC;AAAA,IAChD,oBAAoB;AAAA,MAClB,WAAW;AAAA,MACX,QAAQ,iBAAiB;AAAA,MACzB,WAAW,OAAO,cAAc,cAAc,WAAW,aAAa,YAAY;AAAA,MAClF,WAAW,OAAO,KAAK,cAAc,SAAS,CAAC,CAAC,EAAE;AAAA,MAClD,kBAAkB;AAAA,MAClB,kBAAkB;AAAA,IACpB;AAAA,IACA,iCAAiC,iBAAiB,mBAAmB,YAAY;AAAA,IACjF,8BAA8B,iBAAiB,gBAAgB,UAAU,KAAK;AAAA,IAC9E,cAAc;AAAA,MACZ,WAAW;AAAA,MACX,QAAQ,mBAAmB;AAAA,MAC3B,WAAW,OAAO,gBAAgB,cAAc,WAAW,eAAe,YAAY;AAAA,MACtF,YAAY,OAAO,KAAK,gBAAgB,UAAU,CAAC,CAAC,EAAE;AAAA,MACtD,kBAAkB;AAAA,MAClB,kBAAkB;AAAA,IACpB;AAAA,IACA,uBAAuB;AAAA,MACrB,WAAW;AAAA,MACX,QAAQ,kBAAkB;AAAA,MAC1B,WAAW,OAAO,eAAe,cAAc,WAAW,cAAc,YAAY;AAAA,MACpF,WAAW,OAAO,KAAK,eAAe,SAAS,CAAC,CAAC,EAAE;AAAA,MACnD,kBAAkB;AAAA,MAClB,kBAAkB;AAAA,IACpB;AAAA,EACF;AACF;AAEA,IAAM,6BAA6B;AACnC,IAAM,2BAA2B;AAEjC,SAAS,2BAAmC;AAC1C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,EAAE,KAAK,IAAI;AACb;AAEA,SAAS,iCAAiC,UAAyB,SAA4E;AAC7I,MAAI,CAAC,YAAY,SAAS,KAAK,EAAE,WAAW,GAAG;AAC7C,WAAO,EAAE,SAAS,GAAG,OAAO;AAAA,GAAM,SAAS,OAAO,WAAW,KAAK;AAAA,EACpE;AACA,MAAI,SAAS,SAAS,0BAA0B,KAAK,SAAS,SAAS,wBAAwB,GAAG;AAChG,UAAM,OAAO,SAAS;AAAA,MACpB,IAAI,OAAO,GAAG,0BAA0B,aAAa,wBAAwB,EAAE;AAAA,MAC/E;AAAA,IACF;AACA,WAAO,EAAE,SAAS,KAAK,SAAS,IAAI,IAAI,OAAO,GAAG,IAAI;AAAA,GAAM,SAAS,SAAS,UAAU,WAAW,MAAM;AAAA,EAC3G;AACA,QAAM,UAAU,SAAS,QAAQ;AACjC,SAAO;AAAA,IACL,SAAS,GAAG,OAAO;AAAA;AAAA,EAAO,OAAO;AAAA;AAAA,IACjC,SAAS;AAAA,IACT,WAAW;AAAA,EACb;AACF;AAEA,SAAS,iCAAiC,UAAyD;AACjG,MAAI,CAAC,SAAS,SAAS,0BAA0B,KAAK,CAAC,SAAS,SAAS,wBAAwB,GAAG;AAClG,WAAO,EAAE,SAAS,UAAU,SAAS,MAAM;AAAA,EAC7C;AACA,QAAM,WAAW,SACd,QAAQ,IAAI,OAAO,OAAO,0BAA0B,aAAa,wBAAwB,MAAM,GAAG,IAAI,EACtG,QAAQ,WAAW,MAAM,EACzB,KAAK;AACR,SAAO;AAAA,IACL,SAAS,SAAS,SAAS,IAAI,GAAG,QAAQ;AAAA,IAAO;AAAA,IACjD,SAAS;AAAA,EACX;AACF;AAEA,eAAsB,iBAAiB,SAA6D;AAClG,QAAM,MAAM,QAAQ,OAAO,oBAAI,KAAK;AACpC,QAAM,eAAe,MAAM,oBAAoB,QAAQ,UAAU;AACjE,QAAM,UAAU,QAAQ,aAAa;AACrC,QAAM,QAAQ,kBAAkB;AAChC,QAAME,OAAM,QAAQ,aAAa,OAAO,cAAc,EAAE,WAAW,KAAK,CAAC;AAEzE,QAAM,eAAe,MAAM,QAAQ,aAAa,IAAI,MAAM;AAC1D,QAAM,kBAAkB,QAAQ,aAAa,OAAO,aAChD,MAAM,QAAQ,aAAa,IAAI,iBAAiB,QAAQ,aAAa,OAAO,SAAS,IACrF;AACJ,QAAM,wBAAwB,MAAM,+BAA+B,QAAQ,aAAa,MAAM;AAE9F,QAAM,gBAAgBF,MAAK,KAAK,QAAQ,aAAa,OAAO,cAAc,WAAW;AACrF,QAAM,0BACJ,QAAQ,4BACJ,QAAQ,6BAA6B,YAAY;AACvD,MAAI,kBAAkB;AACtB,MAAI;AACF,UAAMC,QAAO,eAAe,YAAY,IAAI;AAC5C,sBAAkB;AAAA,EACpB,QAAQ;AACN,sBAAkB;AAAA,EACpB;AACA,MAAI,qBAAqB;AACzB,MAAI,mBAAmB;AACvB,MAAI,mBAAmB;AACvB,QAAM,yBAAyB,QAAQ,aAAa,OAAO,gBAAgB,cACtE,QAAQ,aAAa,OAAO,gBAAgB;AACjD,QAAM,6BAA6B,0BAA0B,yBAAyB,IAAI;AAC1F,MAAI,yBAAyB;AAC3B,QAAI,4BAA4B,WAAW;AAAA,IAE3C,WAAW,4BAA4B,WAAW;AAChD,YAAM,WAAW,kBAAkB,MAAM,SAAS,eAAe,OAAO,IAAI;AAC5E,YAAM,OAAO,iCAAiC,UAAU,8BAA8B,EAAE;AACxF,UAAI,CAAC,YAAY,KAAK,YAAY,UAAU;AAC1C,cAAM,UAAU,eAAe,KAAK,SAAS,OAAO;AAAA,MACtD;AACA,wBAAkB;AAClB,2BAAqB,KAAK;AAC1B,yBAAmB,KAAK;AAAA,IAC1B,WAAW,4BAA4B,YAAY,iBAAiB;AAClE,YAAM,WAAW,MAAM,SAAS,eAAe,OAAO;AACtD,YAAM,OAAO,iCAAiC,QAAQ;AACtD,UAAI,KAAK,SAAS;AAChB,YAAI,KAAK,QAAQ,WAAW,GAAG;AAC7B,gBAAM,OAAO,aAAa;AAC1B,4BAAkB;AAAA,QACpB,OAAO;AACL,gBAAM,UAAU,eAAe,KAAK,SAAS,OAAO;AACpD,4BAAkB;AAAA,QACpB;AACA,2BAAmB;AAAA,MACrB;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,MAAM,sBAAsB,cAAc,QAAQ,aAAa,MAAM,CAAC;AAC1F,QAAM,YAAY;AAAA,IAChB,+BAA+B,QAAQ,6BAA6B,KAAK,SAAS;AAAA,IAClF;AAAA,IACA;AAAA,EACF;AACA,MAAI,0BAA0B,CAAC,iBAAiB;AAC9C,cAAU,KAAK,+JAA+J;AAAA,EAChL;AAEA,SAAO;AAAA,IACL,eAAe;AAAA,IACf,aAAa,IAAI,YAAY;AAAA,IAC7B,QAAQ;AAAA,IACR,WAAW,QAAQ,aAAa,OAAO;AAAA,IACvC,cAAc,QAAQ,aAAa,OAAO;AAAA,IAC1C;AAAA,IACA,KAAK;AAAA,MACH,SAAS,QAAQ,aAAa,OAAO;AAAA,MACrC,WAAW;AAAA,MACX;AAAA,MACA,aAAa,QAAQ,aAAa,IAAI,YAAY;AAAA,IACpD;AAAA,IACA,iBAAiB;AAAA,IACjB,iBAAiB;AAAA,MACf,aAAa,QAAQ,aAAa,OAAO;AAAA,MACzC,SAAS;AAAA,MACT;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,SAAS,4BAA4B,YAAY,6BAA6B;AAAA,IAChF;AAAA,IACA;AAAA,IACA,sBAAsB;AAAA,MACpB;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,yBACP,UACA,SACqB;AACrB,MAAI,CAAC,SAAS,WAAW,QAAQ,gBAAgB,MAAM;AACrD,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,QACP,SAAS,SAAS,YAAY;AAAA,QAC9B,aAAa,SAAS,gBAAgB;AAAA,MACxC;AAAA,IACF;AAAA,EACF;AACA,MAAI,SAAS,SAAS,GAAG;AACvB,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS,GAAG,SAAS,MAAM;AAAA,MAC3B,aAAa;AAAA,MACb,SAAS,EAAE,SAAS;AAAA,IACtB;AAAA,EACF;AACA,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,MACP,SAAS;AAAA,MACT,WAAW,QAAQ;AAAA,MACnB,aAAa,QAAQ;AAAA,IACvB;AAAA,EACF;AACF;AAEA,SAAS,yBAAyB,OASF;AAC9B,SAAO;AAAA,IACL,KAAK,MAAM;AAAA,IACX,QAAQ,MAAM;AAAA,IACd,SAAS,MAAM;AAAA,IACf,cAAc,kBAAkB,MAAM,YAAY;AAAA,IAClD,cAAc,kBAAkB,MAAM,YAAY;AAAA,IAClD,kBAAkB,kBAAkB,MAAM,gBAAgB;AAAA,IAC1D,SAAS,MAAM;AAAA,IACf,WAAW,MAAM;AAAA,EACnB;AACF;AAEA,eAAsB,wBACpB,SACqC;AACrC,QAAM,MAAM,QAAQ,OAAO,oBAAI,KAAK;AACpC,QAAM,eAAe,MAAM,oBAAoB,QAAQ,UAAU;AACjE,SAAO,gCAAgC;AAAA,IACrC;AAAA,IACA;AAAA,IACA,QAAQ,QAAQ,aAAa;AAAA,EAC/B,CAAC;AACH;AAEA,eAAe,gCAAgC,OAIP;AACtC,QAAM,EAAE,KAAK,cAAc,OAAO,IAAI;AACtC,QAAM,WAA0C,CAAC;AACjD,QAAM,gBAAgB,OAAO,iBAAiB;AAC9C,QAAM,0BAA0B;AAAA,IAC9BD,MAAK,KAAK,OAAO,cAAc,aAAa;AAAA,IAC5CA,MAAK,KAAK,OAAO,cAAc,WAAW;AAAA,IAC1CA,MAAK,KAAK,OAAO,cAAc,SAAS;AAAA,EAC1C;AACA,QAAM,4BAA4B,MAAM,QAAQ,IAAI,wBAAwB,IAAI,UAAU,CAAC,GAAG,KAAK,OAAO;AAE1G,MACE,OAAO,mBAAmB,kBAC1B,OAAO,mBAAmB,cAC1B,OAAO,mBAAmB,kBAC1B,OAAO,mBAAmB,qBAC1B,OAAO,8BAA8B,SACrC,OAAO,6BAA6B,SACpC,OAAO,kBAAkB,OACzB;AACA,aAAS,KAAK,yBAAyB;AAAA,MACrC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,cAAc,OAAO;AAAA,MACrB,cAAc;AAAA,MACd,kBAAkB;AAAA,MAClB,SAAS;AAAA,MACT,WACE;AAAA,IACJ,CAAC,CAAC;AAAA,EACJ;AAEA,MAAI,OAAO,cAAc,OAAO,qBAAqB,OAAO;AAC1D,aAAS,KAAK,yBAAyB;AAAA,MACrC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,cAAc,OAAO;AAAA,MACrB,cAAc;AAAA,MACd,kBAAkB;AAAA,MAClB,SAAS;AAAA,MACT,WACE;AAAA,IACJ,CAAC,CAAC;AAAA,EACJ;AAEA,MAAI,4BAA4B,OAAO,iBAAiB,YAAY,MAAM;AACxE,aAAS,KAAK,yBAAyB;AAAA,MACrC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,cAAc,OAAO,iBAAiB;AAAA,MACtC,cAAc;AAAA,MACd,kBAAkB;AAAA,MAClB,SAAS;AAAA,MACT,WACE;AAAA,IACJ,CAAC,CAAC;AAAA,EACJ;AAEA,MAAI,4BAA4B,OAAO,aAAa,YAAY,MAAM;AACpE,aAAS,KAAK,yBAAyB;AAAA,MACrC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,cAAc,OAAO,aAAa;AAAA,MAClC,cAAc;AAAA,MACd,kBAAkB;AAAA,MAClB,SAAS;AAAA,MACT,WACE;AAAA,IACJ,CAAC,CAAC;AAAA,EACJ;AAEA,MAAI,kBAAkB,SAAS,OAAO,eAAe,OAAO;AAC1D,aAAS,KAAK,yBAAyB;AAAA,MACrC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,cAAc,OAAO;AAAA,MACrB,cAAc;AAAA,MACd,kBAAkB;AAAA,MAClB,SAAS;AAAA,MACT,WACE;AAAA,IACJ,CAAC,CAAC;AAAA,EACJ;AAEA,MAAI,OAAO,uBAAuB,QAAQ,OAAO,eAAe,OAAO;AACrE,aAAS,KAAK,yBAAyB;AAAA,MACrC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,cAAc,OAAO;AAAA,MACrB,cAAc;AAAA,MACd,kBAAkB;AAAA,MAClB,SAAS;AAAA,MACT,WACE;AAAA,IACJ,CAAC,CAAC;AAAA,EACJ;AAEA,MAAI,OAAO,2BAA2B,OAAO,uBAAuB,MAAM;AACxE,aAAS,KAAK,yBAAyB;AAAA,MACrC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,cAAc,OAAO;AAAA,MACrB,cAAc;AAAA,MACd,kBAAkB;AAAA,MAClB,SAAS;AAAA,MACT,WACE;AAAA,IACJ,CAAC,CAAC;AAAA,EACJ;AAEA,MAAI,OAAO,4BAA4B,OAAO,6BAA6B,SAAS,OAAO,eAAe,OAAO;AAC/G,aAAS,KAAK,yBAAyB;AAAA,MACrC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,cAAc,OAAO;AAAA,MACrB,cAAc;AAAA,MACd,kBAAkB;AAAA,MAClB,SAAS;AAAA,MACT,WACE;AAAA,IACJ,CAAC,CAAC;AAAA,EACJ;AAEA,QAAM,UAAU,SAAS;AAAA,IACvB,CAAC,KAAK,YAAY;AAChB,UAAI,QAAQ,MAAM,KAAK;AACvB,aAAO;AAAA,IACT;AAAA,IACA,EAAE,WAAW,GAAG,SAAS,EAAE;AAAA,EAC7B;AAEA,SAAO;AAAA,IACL,eAAe;AAAA,IACf,aAAa,IAAI,YAAY;AAAA,IAC7B,IAAI,aAAa,UAAU,QAAQ,YAAY;AAAA,IAC/C,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,gBAAgB,OAAO;AAAA,MACvB;AAAA,MACA,YAAY,OAAO;AAAA,MACnB,kBAAkB,OAAO;AAAA,MACzB,wBAAwB,OAAO,iBAAiB,YAAY;AAAA,MAC5D,oBAAoB,OAAO,aAAa,YAAY;AAAA,MACpD,0BAA0B,OAAO;AAAA,IACnC;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAsB,kBAAkB,SAA+D;AACrG,QAAM,MAAM,QAAQ,OAAO,oBAAI,KAAK;AACpC,QAAM,eAAe,MAAM,oBAAoB,QAAQ,UAAU;AACjE,QAAM,SAAgC,CAAC;AACvC,QAAM,SAAS,QAAQ,aAAa;AACpC,QAAM,UAAU,QAAQ,aAAa;AACrC,QAAM,eAAe,MAAM,gCAAgC;AAAA,IACzD;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACD,QAAM,wBAAwB,MAAM,+BAA+B,MAAM;AACzE,QAAM,aAAa,MAAM,sBAAsB,cAAc,MAAM,CAAC;AACpE,QAAM,eAAe,WAAW,OAAO,CAAC,UAAU,CAAC,MAAM,MAAM,EAAE,IAAI,CAAC,UAAU,MAAM,IAAI;AAE1F,SAAO,KAAK;AAAA,IACV,KAAK;AAAA,IACL,QAAQ,aAAa,SACjB,OACA,QAAQ,aACR,UACA;AAAA,IACJ,SAAS,aAAa,SAAS,kEAAkE;AAAA,IACjG,aAAa,aAAa,SAAS,SAAY;AAAA,IAC/C,SAAS;AAAA,EACX,CAAC;AAED,SAAO,KAAK;AAAA,IACV,KAAK;AAAA,IACL,QAAQ,aAAa,WAAW,IAAI,OAAO;AAAA,IAC3C,SAAS,aAAa,WAAW,IAC7B,uCACA,GAAG,aAAa,MAAM;AAAA,IAC1B,aAAa,aAAa,WAAW,IAAI,SAAY;AAAA,IACrD,SAAS,EAAE,aAAa,WAAW;AAAA,EACrC,CAAC;AAED,SAAO,KAAK;AAAA,IACV,KAAK;AAAA,IACL,QAAQ,aAAa,QAAQ,UAAU,IAAI,UAAU,aAAa,QAAQ,YAAY,IAAI,SAAS;AAAA,IACnG,SAAS,aAAa,QAAQ,UAAU,IACpC,GAAG,aAAa,QAAQ,OAAO,wCAC/B,aAAa,QAAQ,YAAY,IACjC,uCAAuC,aAAa,QAAQ,SAAS,+CACrE;AAAA,IACJ,aAAa,aAAa,QAAQ,UAAU,KAAK,aAAa,QAAQ,YAAY,IAC9E,mGACA;AAAA,IACJ,SAAS;AAAA,EACX,CAAC;AAED,QAAM,eAAe,MAAM,QAAQ,aAAa,IAAI,MAAM;AAC1D,QAAM,kBAAkB,OAAO,aAC3B,MAAM,QAAQ,aAAa,IAAI,iBAAiB,OAAO,SAAS,IAChE;AACJ,SAAO,KAAK;AAAA,IACV,KAAK;AAAA,IACL,QAAQ,CAAC,OAAO,aACZ,SACA,CAAC,eACD,UACA,oBAAoB,YACpB,OACA,oBAAoB,YACpB,UACA;AAAA,IACJ,SAAS,CAAC,OAAO,aACb,+BACA,eACA,qBAAqB,eAAe,OACpC;AAAA,IACJ,aAAa,CAAC,OAAO,aACjB,qDACA,CAAC,eACD,wEACA,oBAAoB,YACpB,gEACA,oBAAoB,YACpB,SACA;AAAA,IACJ,SAAS;AAAA,MACP,WAAW;AAAA,MACX;AAAA,MACA,aAAa,QAAQ,aAAa,IAAI,YAAY;AAAA,IACpD;AAAA,EACF,CAAC;AAED,QAAM,oBAAoB,MAAM,QAAQ,aAAa,2BAA2B;AAChF,SAAO,KAAK;AAAA,IACV,KAAK;AAAA,IACL,QAAQ,kBAAkB,WAAW,OACjC,OACA,kBAAkB,UAClB,UACA;AAAA,IACJ,SAAS,kBAAkB,UACvB,iCAAiC,kBAAkB,MAAM,MACzD;AAAA,IACJ,aAAa,kBAAkB,WAAW,kBAAkB,WAAW,OACnE,qFACA;AAAA,IACJ,SAAS;AAAA,EACX,CAAC;AAED,QAAM,OAAO,MAAM,QAAQ,SAAS;AACpC,SAAO,KAAK;AAAA,IACV,KAAK;AAAA,IACL,QAAQ,KAAK,oBAAoB,KAAK,sBAAsB,OAAO;AAAA,IACnE,SAAS,KAAK,oBAAoB,KAAK,sBACnC,kDACA;AAAA,IACJ,aAAa,KAAK,oBAAoB,KAAK,sBACvC,SACA;AAAA,IACJ,SAAS;AAAA,EACX,CAAC;AAED,QAAM,mBACJ,sBAAsB,mBAAmB,mBACzC,sBAAsB,aAAa,mBACnC,sBAAsB,sBAAsB;AAC9C,QAAM,eACJ,sBAAsB,mBAAmB,UACzC,sBAAsB,aAAa,UACnC,sBAAsB,sBAAsB;AAC9C,SAAO,KAAK;AAAA,IACV,KAAK;AAAA,IACL,QAAQ,CAAC,sBAAsB,UAC3B,SACA,eACE,OACA;AAAA,IACN,SAAS,CAAC,sBAAsB,UAC5B,uCACA,eACE,2CAA2C,gBAAgB,qBAC3D;AAAA,IACN,aAAa,CAAC,sBAAsB,UAChC,kGACA,eACE,SACA;AAAA,IACN,SAAS;AAAA,EACX,CAAC;AAED,QAAM,qBAAqB,OAAO,iBAAiB,YAAY;AAI/D,QAAM,eAAe,OAAO,iBAAiB;AAC7C,QAAM,sBACH,OAAO,iBAAiB,YAAY,aAAa,SAAS,KAC1D,iBAAiB,QAChB,OAAO,iBAAiB,YACxB,OAAQ,aAAsC,WAAW;AAC7D,SAAO,KAAK;AAAA,IACV,KAAK;AAAA,IACL,QAAQ,CAAC,qBACL,SACA,sBACA,OACA;AAAA,IACJ,SAAS,CAAC,qBACN,0CACA,sBACA,2DACA;AAAA,IACJ,aAAa,CAAC,qBACV,sDACA,sBACA,SACA;AAAA,EACN,CAAC;AAED,QAAM,WAAW,OAAO,aAAa,cACjC,MAAM,mBAAmB;AAAA,IACvB,cAAc,OAAO;AAAA,IACrB,OAAO,OAAO,YAAY;AAAA,IAC1B,aAAa,OAAO,YAAY;AAAA,IAChC,WAAW,OAAO,YAAY;AAAA,EAChC,CAAC,IACD,CAAC;AACL,SAAO,KAAK,yBAAyB,UAAU,OAAO,WAAW,CAAC;AAQlE,SAAO,KAAK,MAAM,mCAAmC,OAAO,CAAC;AAM7D,SAAO;AAAA,IACL,MAAM,oCAAoC,SAAS,MAAM;AAAA,EAC3D;AAaA,SAAO,KAAK,MAAM,iCAAiC,SAAS,MAAM,CAAC;AAKnE,SAAO,KAAK,MAAM,8BAA8B,MAAM,CAAC;AAKvD,SAAO,KAAK,MAAM,0BAA0B,QAAQ,aAAa,OAAO,CAAC;AAKzE,SAAO,KAAK,MAAM,sBAAsB,QAAQ,OAAO,CAAC;AAKxD,SAAO,KAAK,6BAA6B,MAAM,CAAC;AAShD,SAAO,KAAK,MAAM,+BAA+B,OAAO,SAAS,CAAC;AAElE,QAAM,UAAU,OAAO;AAAA,IACrB,CAAC,KAAK,UAAU;AACd,UAAI,MAAM,MAAM,KAAK;AACrB,aAAO;AAAA,IACT;AAAA,IACA,EAAE,IAAI,GAAG,MAAM,GAAG,OAAO,EAAE;AAAA,EAC7B;AAEA,SAAO;AAAA,IACL,eAAe;AAAA,IACf,aAAa,IAAI,YAAY;AAAA,IAC7B,IAAI,QAAQ,UAAU;AAAA,IACtB;AAAA,IACA,QAAQ;AAAA,IACR;AAAA,EACF;AACF;AAgBA,IAAM,mCACJ,oBAAI,IAAI,CAAC,MAAM,CAAC;AAmBlB,eAAsB,mCACpB,SAC8B;AAC9B,MAAI,SAAS;AACb,MAAI,eAAe;AACnB,MAAI,aAAa;AACjB,MAAI;AACF,UAAM,WAAW,MAAM,QAAQ,gBAAgB;AAC/C,eAAW,UAAU,UAAU;AAC7B,UAAI,CAAC,iCAAiC,IAAI,OAAO,YAAY,QAAQ,GAAG;AACtE,sBAAc;AACd;AAAA,MACF;AACA,YAAM,EAAE,YAAY,QAAQ,IAAI,OAAO;AACvC,UAAI,eAAe,UAAa,YAAY,QAAW;AACrD,kBAAU;AAAA,MACZ,OAAO;AACL,wBAAgB;AAAA,MAClB;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,aAAa;AAAA,MACb,SAAS,EAAE,OAAO,OAAO,GAAG,EAAE;AAAA,IAChC;AAAA,EACF;AAEA,QAAM,QAAQ,SAAS;AACvB,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,SACE,UAAU,IACN,6GACA,GAAG,MAAM,OAAO,KAAK,yDAAyD,YAAY;AAAA,IAChG,SAAS,EAAE,QAAQ,cAAc,OAAO,WAAW;AAAA,EACrD;AACF;AAcA,eAAsB,oCACpB,SACA,QAC8B;AAC9B,QAAM,oBAAoB;AAQ1B,MAAI,OAAO,kBAAkB,6BAA6B,YAAY;AACpE,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,SAAS,EAAE,WAAW,MAAM;AAAA,IAC9B;AAAA,EACF;AAEA,MAAI;AACF,UAAM,OAAO,MAAM;AAAA,MACjB,OAAO,SACL,kBAAkB,yBAA0B,EAAE,OAAO,KAAK,MAAM,CAAC;AAAA,MACnE,EAAE,OAAO,IAAI;AAAA,IACf;AAEA,QAAI,KAAK,UAAU,GAAG;AACpB,aAAO;AAAA,QACL,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,OAAO,+BACZ,wEACA;AAAA,QACJ,SAAS;AAAA,UACP,SAAS,OAAO;AAAA,UAChB,cAAc;AAAA,QAChB;AAAA,MACF;AAAA,IACF;AAEA,UAAM,MAAM,CAAC,WAAmB,QAAQ,KAAK,QAAQ,CAAC;AACtD,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS,yBAAyB,KAAK,KAAK,QAAQ,CAAC,CAAC,YAAY,KAAK,OAAO,QAAQ,CAAC,CAAC,SAAS,KAAK,IAAI,QAAQ,CAAC,CAAC,eAAe,IAAI,KAAK,aAAa,CAAC,UAAU,KAAK,KAAK,qBAAqB,KAAK,oBAAoB,OAAO,uBAAuB;AAAA,MAC1P,SAAS;AAAA,QACP,SAAS,OAAO;AAAA,QAChB,cAAc;AAAA,MAChB;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,aACE;AAAA,MACF,SAAS,EAAE,OAAO,OAAO,GAAG,EAAE;AAAA,IAChC;AAAA,EACF;AACF;AAcA,eAAe,8BACb,QAI8B;AAE9B,QAAM,EAAE,yBAAyB,IAAI,MAAM,OAAO,gCAAmC;AACrF,QAAM,UAAU,OAAO,0BAA0B;AACjD,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,aAAa;AAAA,MACb,SAAS,EAAE,SAAS,MAAM;AAAA,IAC5B;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,yBAAyB,OAAO,SAAS;AAC9D,MAAI,CAAC,QAAQ;AACX,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,aACE;AAAA,MACF,SAAS,EAAE,SAAS,MAAM,SAAS,MAAM,WAAW,OAAO,wBAAwB;AAAA,IACrF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,SACE,gCAAgC,OAAO,KAAK,KACxC,OAAO,YAAY,IAAI,OAAO,UAAU,mBACzC,OAAO,6BAA6B;AAAA,IACzC,SAAS;AAAA,MACP,SAAS;AAAA,MACT,SAAS,OAAO;AAAA,MAChB,YAAY,OAAO;AAAA,MACnB,YAAY,OAAO;AAAA,MACnB,cAAc,OAAO;AAAA,MACrB,+BAA+B,OAAO;AAAA,MACtC,oBAAoB,OAAO;AAAA,MAC3B,WAAW,OAAO;AAAA,IACpB;AAAA,EACF;AACF;AAmBA,eAAsB,0BACpB,SAC8B;AAC9B,MAAI;AACF,UAAM,EAAE,eAAe,IAAI,MAAM,OAAO,0BAA6B;AACrE,UAAM,UAAU,MAAM,eAAe,OAAO;AAG5C,UAAM,aAAc,QAAwC,OAAO;AACnE,UAAM,cAAc,WAAW,SAAS,IACpCA,MAAK,KAAK,YAAY,SAAS,8BAA8B,IAC7D;AACJ,QAAI,mBAAmB;AACvB,UAAM,kBAA0C,CAAC;AACjD,UAAM,iBAAiB,KAAK,IAAI,IAAI,IAAI;AAExC,QAAI,aAAa;AACf,UAAI;AACF,cAAM,EAAE,UAAAG,UAAS,IAAI,MAAM,OAAO,aAAkB;AACpD,cAAM,MAAM,MAAMA,UAAS,aAAa,OAAO;AAC/C,mBAAW,QAAQ,IAAI,MAAM,IAAI,GAAG;AAClC,gBAAM,UAAU,KAAK,KAAK;AAC1B,cAAI,QAAQ,WAAW,EAAG;AAC1B,cAAI;AACF,kBAAM,QAAQ,KAAK,MAAM,OAAO;AAOhC,kBAAM,OAAO,MAAM,KAAK,KAAK,MAAM,MAAM,EAAE,IAAI;AAC/C,gBAAI,OAAO,SAAS,IAAI,KAAK,QAAQ,kBAAkB,MAAM,YAAY,MAAM;AAC7E,kCAAoB;AACpB,kBAAI,MAAM,aAAa,SAAS,MAAM,WAAW,UAAU,OAAO,MAAM,WAAW,UAAU;AAC3F,sBAAM,SAAS,MAAM;AACrB,gCAAgB,MAAM,KAAK,gBAAgB,MAAM,KAAK,KAAK;AAAA,cAC7D;AAAA,YACF;AAAA,UACF,QAAQ;AAAA,UAER;AAAA,QACF;AAAA,MACF,QAAQ;AAAA,MAER;AAAA,IACF;AAEA,UAAM,qBAAqB,OAAO,QAAQ,eAAe,EACtD,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EACtD,MAAM,GAAG,CAAC,EACV,IAAI,CAAC,CAAC,QAAQ,KAAK,OAAO,EAAE,QAAQ,MAAM,EAAE;AAE/C,UAAM,cAAc,OAAO,QAAQ,QAAQ,QAAQ,EAChD,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EACtD,MAAM,GAAG,CAAC,EACV,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,EAC5B,KAAK,IAAI;AAEZ,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SACE,0BAA0B,QAAQ,OAAO,GAAG,UAAU,QAAQ,OAAO,IAAI,MACxE,QAAQ,iBAAiB,IAAI,eAAe,QAAQ,cAAc,KAAK,MACxE,YAAY,QAAQ,KAAK,OACxB,mBAAmB,IAAI,4BAA4B,gBAAgB,MAAM;AAAA,MAC5E,SAAS;AAAA,QACP,OAAO,QAAQ;AAAA,QACf,QAAQ,QAAQ;AAAA,QAChB,UAAU,QAAQ;AAAA,QAClB,gBAAgB,QAAQ;AAAA,QACxB,eAAe;AAAA,QACf;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,SAAS,EAAE,OAAO,OAAO,GAAG,EAAE;AAAA,IAChC;AAAA,EACF;AACF;AAaA,eAAsB,sBACpB,QACA,UAA0B,IAAI,eAAe,OAAO,SAAS,GAC/B;AAC9B,QAAM,SAA6B,OAAO;AAG1C,QAAM,OAAO,MAAM,QAAQ,SAAS;AAEpC,MAAI,mBAAkC;AACtC,MAAI,0BAAyC;AAC7C,MAAI;AAGF,UAAM,UAAUH,MAAK,KAAK,OAAO,WAAW,SAAS,qBAAqB,MAAM;AAChF,UAAM,UAAU,MAAMI,SAAQ,OAAO,GAAG,KAAK,EAAE,QAAQ;AACvD,QAAI,OAAO,SAAS,GAAG;AACrB,YAAM,cAAc,OAAO,CAAC;AAC5B,YAAM,eAAeJ,MAAK;AAAA,QACxB;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,YAAM,MAAM,MAAM,SAAS,cAAc,OAAO;AAChD,YAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,UAAI,OAAO,OAAO,cAAc,YAAY,OAAO,UAAU,SAAS,GAAG;AACvE,2BAAmB,OAAO;AAAA,MAC5B;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,QAAI,CAAC,mBAAmB,KAAK,GAAG;AAC9B,gCAA0B,kDAAkD,mBAAmB,KAAK,CAAC;AAAA,IACvG;AAAA,EACF;AAGA,QAAM,aAAuB;AAAA,IAC3B,uBAAuB,OAAO,WAAW,OAAO,eAAe,OAAO,WAAW,SAAS,iBAAiB,OAAO,WAAW,oBAAoB,gBAAgB,OAAO,WAAW,mBAAmB,kBAAkB,OAAO,WAAW,qBAAqB,iBAAiB,OAAO,WAAW,kBAAkB,aAAa,KAAK,oBAAoB,OAAO;AAAA,IACjW,gBAAgB,OAAO,IAAI,OAAO,eAAe,OAAO,IAAI,SAAS,gBAAgB,OAAO,IAAI,mBAAmB,gBAAgB,OAAO,IAAI,cAAc,eAAe,OAAO,IAAI,SAAS,mBAAmB,OAAO,IAAI,aAAa,aAAa,KAAK,uBAAuB,OAAO;AAAA,IAC1R,sBAAsB,OAAO,UAAU,OAAO,eAAe,OAAO,UAAU,SAAS,gBAAgB,OAAO,UAAU,iBAAiB,0BAA0B,OAAO,UAAU,oBAAoB,aAAa,oBAAoB,OAAO;AAAA,EAClP;AAEA,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ,0BAA0B,SAAS;AAAA,IAC3C,SAAS,2BAA2B,WAAW,KAAK,IAAI,CAAC,GAAG,0BAA0B,KAAK,uBAAuB,KAAK,EAAE;AAAA,IACzH,aAAa,0BACT,mGACA;AAAA,IACJ,SAAS;AAAA,MACP,YAAY;AAAA,QACV,SAAS,OAAO,WAAW;AAAA,QAC3B,WAAW,OAAO,WAAW;AAAA,QAC7B,sBAAsB,OAAO,WAAW;AAAA,QACxC,qBAAqB,OAAO,WAAW;AAAA,QACvC,uBAAuB,OAAO,WAAW;AAAA,QACzC,oBAAoB,OAAO,WAAW;AAAA,QACtC,SAAS,KAAK,oBAAoB;AAAA,MACpC;AAAA,MACA,KAAK;AAAA,QACH,SAAS,OAAO,IAAI;AAAA,QACpB,WAAW,OAAO,IAAI;AAAA,QACtB,qBAAqB,OAAO,IAAI;AAAA,QAChC,gBAAgB,OAAO,IAAI;AAAA,QAC3B,WAAW,OAAO,IAAI;AAAA,QACtB,eAAe,OAAO,IAAI;AAAA,QAC1B,SAAS,KAAK,uBAAuB;AAAA,MACvC;AAAA,MACA,WAAW;AAAA,QACT,SAAS,OAAO,UAAU;AAAA,QAC1B,WAAW,OAAO,UAAU;AAAA,QAC5B,mBAAmB,OAAO,UAAU;AAAA,QACpC,sBAAsB,OAAO,UAAU;AAAA,QACvC,SAAS;AAAA,QACT,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,6BACP,QAaqB;AACrB,QAAM,gBAAgB,OAAO,sCAAsC;AACnE,QAAM,iBAAiB,OAAO,uCAAuC;AAErE,MAAI,CAAC,iBAAiB,CAAC,gBAAgB;AACrC,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,aAAa;AAAA,MACb,SAAS;AAAA,QACP,eAAe;AAAA,QACf,yBAAyB;AAAA,MAC3B;AAAA,IACF;AAAA,EACF;AAEA,QAAM,UAAmC;AAAA,IACvC;AAAA,IACA,yBAAyB;AAAA,EAC3B;AAEA,MAAI,eAAe;AACjB,YAAQ,eAAe;AAAA,MACrB,UAAU,OAAO;AAAA,MACjB,WAAW,OAAO;AAAA,MAClB,WAAW,OAAO;AAAA,IACpB;AAAA,EACF;AAEA,MAAI,gBAAgB;AAClB,YAAQ,gBAAgB;AAAA,MACtB,UAAU,OAAO;AAAA,MACjB,kBAAkB,OAAO;AAAA,MACzB,oBAAoB,OAAO;AAAA,MAC3B,sBAAsB,OAAO;AAAA,MAC7B,gBAAgB,OAAO;AAAA,IACzB;AAAA,EACF;AAEA,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,SAAS,gDAAgD,gBAAgB,WAAW,EAAE,GAAG,iBAAiB,iBAAiB,OAAO,EAAE,GAAG,iBAAiB,sBAAsB,EAAE;AAAA,IAChL,SAAS,EAAE,GAAG,SAAS,YAAY,KAAK;AAAA,EAC1C;AACF;AAcA,eAAsB,+BACpB,WAC8B;AAC9B,MAAI;AACF,UAAM,QAAQ,MAAM,sBAAsB,SAAS;AACnD,QAAI,MAAM,UAAU,GAAG;AACrB,aAAO;AAAA,QACL,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,SAAS;AAAA,QACT,SAAS,EAAE,OAAO,GAAG,QAAQ,GAAG,QAAQ,GAAG,OAAO,GAAG,gBAAgB,KAAK;AAAA,MAC5E;AAAA,IACF;AACA,UAAM,aAAc,MAAM,SAAS,MAAM,QAAS,KAAK,QAAQ,CAAC;AAChE,UAAM,aAAc,MAAM,SAAS,MAAM,QAAS,KAAK,QAAQ,CAAC;AAChE,UAAM,YAAa,MAAM,QAAQ,MAAM,QAAS,KAAK,QAAQ,CAAC;AAC9D,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS,GAAG,MAAM,KAAK,kCAAkC,SAAS,aAAa,SAAS,YAAY,QAAQ,qBAAqB,MAAM,UAAU,SAAS;AAAA,MAC1J,SAAS;AAAA,QACP,OAAO,MAAM;AAAA,QACb,QAAQ,MAAM;AAAA,QACd,QAAQ,MAAM;AAAA,QACd,OAAO,MAAM;AAAA,QACb,mBAAmB,MAAM;AAAA,QACzB,WAAW,MAAM;AAAA,QACjB,eAAe,MAAM;AAAA,QACrB,iBAAiB,MAAM,WAAW;AAAA,QAClC,gBAAgB,MAAM,UAAU;AAAA,MAClC;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,aAAa;AAAA,MACb,SAAS,EAAE,OAAO,OAAO,GAAG,EAAE;AAAA,IAChC;AAAA,EACF;AACF;AAEA,eAAsB,iCACpB,SACA,QAC8B;AAC9B,MAAI;AACJ,MAAI;AACF,aAAS,MAAM,gCAAgC;AAAA,MAC7C;AAAA,MACA,WAAW,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,MAKlB,YAAY,OAAO;AAAA,IACrB,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,aAAa;AAAA,MACb,SAAS,EAAE,OAAO,OAAO,GAAG,EAAE;AAAA,IAChC;AAAA,EACF;AAEA,MAAI,OAAO,OAAO,WAAW,GAAG;AAC9B,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,SACE,OAAO,mBAAmB,IACtB,sDACA,GAAG,OAAO,cAAc;AAAA,MAC9B,SAAS;AAAA,IACX;AAAA,EACF;AAEA,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,SAAS,GAAG,OAAO,OAAO,MAAM,gEAAgE,OAAO,cAAc;AAAA,IACrH,aACE;AAAA,IACF,SAAS;AAAA,EACX;AACF;AAEA,SAAS,iBAAiB,QAAoB,KAAmB;AAC/D,QAAM,UAAU,KAAK,MAAM,OAAO,YAAY,WAAW,EAAE;AAC3D,MAAI,CAAC,OAAO,SAAS,OAAO,EAAG,QAAO;AACtC,QAAM,UAAU,KAAK,IAAI,GAAG,KAAK,OAAO,IAAI,QAAQ,IAAI,WAAW,KAAU,CAAC;AAC9E,MAAI,UAAU,EAAG,QAAO;AACxB,MAAI,UAAU,GAAI,QAAO;AACzB,MAAI,UAAU,GAAI,QAAO;AACzB,SAAO;AACT;AAEA,eAAe,QAAQ,YAAqC;AAC1D,MAAI;AACF,UAAM,OAAO,MAAM,KAAK,UAAU;AAClC,QAAI,KAAK,OAAO,EAAG,QAAO,KAAK;AAC/B,QAAI,CAAC,KAAK,YAAY,EAAG,QAAO;AAAA,EAClC,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,MAAI,QAAQ;AACZ,MAAI;AACJ,MAAI;AACF,cAAU,MAAMI,SAAQ,YAAY,EAAE,eAAe,KAAK,CAAC;AAAA,EAC7D,QAAQ;AACN,WAAO;AAAA,EACT;AACA,aAAW,SAAS,SAAS;AAC3B,aAAS,MAAM,QAAQJ,MAAK,KAAK,YAAY,MAAM,IAAI,CAAC;AAAA,EAC1D;AACA,SAAO;AACT;AAEA,eAAe,0BAA0B,WAAmF;AAC1H,QAAM,WAAW;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,aAAqC,CAAC;AAC5C,MAAI,QAAQ;AACZ,aAAW,QAAQ,UAAU;AAC3B,UAAM,OAAO,MAAM,QAAQA,MAAK,KAAK,WAAW,IAAI,CAAC;AACrD,QAAI,OAAO,GAAG;AACZ,iBAAW,IAAI,IAAI;AACnB,eAAS;AAAA,IACX;AAAA,EACF;AACA,SAAO,EAAE,OAAO,WAAW;AAC7B;AAEA,eAAsB,qBAAqB,SAAqE;AAC9G,QAAM,MAAM,QAAQ,OAAO,oBAAI,KAAK;AACpC,QAAM,SAAS,QAAQ,aAAa;AACpC,QAAM,mBAAmB,MAAM,eAAe,EAAE,OAAO,CAAC;AACxD,QAAM,oBAAoB,oBAAI,IAAoD;AAClF,aAAW,SAAS,kBAAkB;AACpC,QAAI,CAAC,kBAAkB,IAAI,MAAM,OAAO,GAAG;AACzC,wBAAkB,IAAI,MAAM,SAAS,EAAE,WAAW,MAAM,WAAW,SAAS,MAAM,QAAQ,CAAC;AAAA,IAC7F;AAAA,EACF;AACA,QAAM,aAAqC,CAAC;AAC5C,QAAM,WAAmC,CAAC;AAC1C,QAAM,WAAmC;AAAA,IACvC,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,SAAS;AAAA,EACX;AACA,QAAM,aAAkD,CAAC;AACzD,MAAI,gBAAgB;AACpB,MAAI,gBAAgB;AACpB,MAAI,WAAW;AACf,MAAI,gBAAgB;AACpB,MAAI,cAAc;AAClB,MAAI,WAAW;AAEf,aAAW,SAAS,kBAAkB,OAAO,GAAG;AAC9C,UAAM,UAAU,IAAI,eAAe,MAAM,OAAO;AAChD,UAAM,WAAW,MAAM,QAAQ,gBAAgB;AAC/C,UAAM,WAAW,MAAM,QAAQ,mBAAmB;AAClD,eAAW,KAAK;AAAA,MACd,WAAW,MAAM;AAAA,MACjB,aAAa,SAAS;AAAA,MACtB,aAAa,SAAS;AAAA,IACxB,CAAC;AACD,qBAAiB,SAAS;AAC1B,qBAAiB,SAAS;AAC1B,eAAW,UAAU,UAAU;AAC7B,YAAM,WAAW,OAAO,YAAY;AACpC,iBAAW,QAAQ,KAAK,WAAW,QAAQ,KAAK,KAAK;AACrD,YAAM,SAAS,OAAO,YAAY,UAAU;AAC5C,eAAS,MAAM,KAAK,SAAS,MAAM,KAAK,KAAK;AAC7C,eAAS,iBAAiB,QAAQ,GAAG,CAAC,KAAK;AAC3C,UAAI,WAAW,WAAY,aAAY;AACvC,UAAI,WAAW,iBAAkB,kBAAiB;AAClD,UAAI,WAAW,cAAe,gBAAe;AAC7C,UAAI,WAAW,WAAY,aAAY;AAAA,IACzC;AAAA,EACF;AAEA,QAAM,iBAAiB,IAAI,eAAe,OAAO,SAAS;AAC1D,QAAM,UAAU,MAAM,eAAe,YAAY;AACjD,QAAM,YAAY,MAAM,0BAA0B,OAAO,SAAS;AAClE,QAAM,eAAe,MAAM,yBAAyB,OAAO,SAAS,GAAG,CAAC;AACxE,MAAI,cAAc;AAClB,MAAI,aAAa;AACf,QAAI;AACF,qBAAe,MAAM,gCAAgC,OAAO,WAAW,WAAW,GAAG,YAAY;AAAA,IACnG,QAAQ;AACN,oBAAc;AAAA,IAChB;AAAA,EACF;AACA,QAAM,oBAAoB,MAAM,QAAQ,aAAa,2BAA2B;AAChF,QAAM,wBAAwB,MAAM,+BAA+B,MAAM;AAEzE,SAAO;AAAA,IACL,eAAe;AAAA,IACf,aAAa,IAAI,YAAY;AAAA,IAC7B,WAAW,OAAO;AAAA,IAClB,QAAQ;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,YAAY,iBAAiB;AAAA,MAC7B;AAAA,MACA,cAAc,UAAU;AAAA,IAC1B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,MACP,QAAQ,QAAQ,SAAS;AAAA,MACzB,OAAO,QAAQ;AAAA,MACf,OAAO,QAAQ,SAAS,IAAI,QAAQ,MAAM,IAAI,EAAE,SAAS;AAAA,IAC3D;AAAA,IACA,kBAAkB;AAAA,IAClB,iBAAiB;AAAA,MACf;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,mBAAmB;AAAA,MACjB,SAAS,kBAAkB;AAAA,MAC3B,SAAS,kBAAkB;AAAA,MAC3B,QAAQ,kBAAkB;AAAA,MAC1B,eAAe,kBAAkB;AAAA,MACjC,cAAc,kBAAkB;AAAA,IAClC;AAAA,IACA,iBAAiB;AAAA,MACf,SAAS,sBAAsB;AAAA,MAC/B,oBAAoB,sBAAsB;AAAA,MAC1C,cAAc,sBAAsB;AAAA,MACpC,uBAAuB,sBAAsB;AAAA,IAC/C;AAAA,EACF;AACF;AAEA,eAAsB,mBAAmB,SAAiE;AACxG,QAAM,MAAM,QAAQ,OAAO,oBAAI,KAAK;AACpC,QAAM,SAAS,MAAM,qBAAqB;AAAA,IACxC,WAAW,QAAQ,OAAO;AAAA,IAC1B,cAAc,QAAQ,OAAO;AAAA,IAC7B,SAAS,QAAQ,OAAO;AAAA,IACxB,mBAAmB,QAAQ,OAAO;AAAA,IAClC,0BAA0B,QAAQ,OAAO;AAAA,IACzC,2BAA2B,QAAQ,OAAO;AAAA,EAC5C,CAAC;AAED,MAAI,QAAQ,kBAAkB,QAAQ,YAAY;AAChD,UAAM,WAAW,MAAM,2BAA2B;AAAA,MAChD,WAAW,QAAQ,OAAO;AAAA,MAC1B,cAAc,QAAQ,OAAO;AAAA,MAC7B,0BAA0B,QAAQ,OAAO;AAAA,MACzC,YAAY,QAAQ;AAAA,MACpB,OAAO,QAAQ;AAAA,MACf,QAAQ,QAAQ;AAAA,MAChB,WAAW,QAAQ;AAAA,IACrB,CAAC;AACD,WAAO;AAAA,MACL,eAAe;AAAA,MACf,aAAa,IAAI,YAAY;AAAA,MAC7B,MAAM;AAAA,MACN;AAAA,MACA,UAAU;AAAA,QACR,YAAY,SAAS;AAAA,QACrB,YAAY,SAAS,SAAS;AAAA,MAChC;AAAA,IACF;AAAA,EACF;AAEA,MAAI,QAAQ,oBAAoB,QAAQ,uBAAuB;AAC7D,UAAM,SAAS,MAAM,uBAAuB;AAAA,MAC1C,kBAAkB,QAAQ;AAAA,MAC1B,uBAAuB,QAAQ;AAAA,IACjC,CAAC;AACD,WAAO;AAAA,MACL,eAAe;AAAA,MACf,aAAa,IAAI,YAAY;AAAA,MAC7B,MAAM;AAAA,MACN;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,MAAI,QAAQ,YAAY;AACtB,UAAM,iBAAiB,MAAM,2BAA2B;AAAA,MACtD,WAAW,QAAQ,OAAO;AAAA,MAC1B,cAAc,QAAQ,OAAO;AAAA,MAC7B,+BAA+B,QAAQ,OAAO;AAAA,MAC9C,YAAY,QAAQ;AAAA,IACtB,CAAC;AACD,WAAO;AAAA,MACL,eAAe;AAAA,MACf,aAAa,IAAI,YAAY;AAAA,MAC7B,MAAM;AAAA,MACN;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,MAAI,QAAQ,cAAc;AACxB,UAAM,WAAW,MAAM,0BAA0B,QAAQ,cAAc;AAAA,MACrE,2BAA2B,QAAQ,OAAO;AAAA,IAC5C,CAAC;AACD,WAAO;AAAA,MACL,eAAe;AAAA,MACf,aAAa,IAAI,YAAY;AAAA,MAC7B,MAAM;AAAA,MACN;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,eAAe;AAAA,IACf,aAAa,IAAI,YAAY;AAAA,IAC7B,MAAM;AAAA,IACN;AAAA,EACF;AACF;AAEA,eAAsB,kBAAkB,SAA+D;AACrG,QAAM,MAAM,QAAQ,OAAO,oBAAI,KAAK;AACpC,QAAM,SAAS,QAAQ,WAAW,QAAQ,QAAQ,UAAU;AAC5D,QAAM,eAAe,MAAM,wBAAwB,EAAE,WAAW,QAAQ,OAAO,UAAU,CAAC;AAC1F,QAAM,oBAAoB,kBAAkB;AAAA,IAC1C,QAAQ;AAAA,IACR;AAAA,IACA,wBAAwB,QAAQ;AAAA,IAChC,iBAAiB,QAAQ;AAAA,EAC3B,CAAC;AACD,QAAM,qBAAqB,MAAM,mBAAmB;AAAA,IAClD,MAAM;AAAA,EACR,CAAC;AACD,QAAM,cAAc,MAAM,mBAAmB,QAAQ,OAAO,WAAW;AAAA,IACrE,oBAAoB,QAAQ,OAAO;AAAA,IACnC,kBAAkB,QAAQ,OAAO;AAAA,IACjC,oBAAoB,QAAQ,OAAO;AAAA,IACnC,uBAAuB;AAAA,EACzB,CAAC;AACD,SAAO;AAAA,IACL,eAAe;AAAA,IACf,aAAa,IAAI,YAAY;AAAA,IAC7B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":["path","access","mkdir","readdir","path","access","mkdir","readFile","readdir"]}

package/dist/chunk-A6XUJE5D.js

@@ -0,0 +1,126 @@
+// src/secure-store/cipher.ts
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+var ENVELOPE_VERSION = 1;
+var IV_LENGTH = 12;
+var AUTH_TAG_LENGTH = 16;
+var ENVELOPE_SALT_LENGTH = 16;
+var AES_KEY_LENGTH = 32;
+var ENVELOPE_LAYOUT = Object.freeze({
+  version: 0,
+  salt: 1,
+  iv: 1 + ENVELOPE_SALT_LENGTH,
+  authTag: 1 + ENVELOPE_SALT_LENGTH + IV_LENGTH,
+  ciphertext: 1 + ENVELOPE_SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH
+});
+var ENVELOPE_HEADER_SIZE = ENVELOPE_LAYOUT.ciphertext;
+function assertAesKey(key) {
+  if (!(key instanceof Uint8Array)) {
+    throw new Error("key must be a Uint8Array");
+  }
+  if (key.length !== AES_KEY_LENGTH) {
+    throw new Error(
+      `AES-256-GCM requires a ${AES_KEY_LENGTH}-byte key, got ${key.length}`
+    );
+  }
+}
+function seal(key, salt, plaintext, options = {}) {
+  assertAesKey(key);
+  if (!(salt instanceof Uint8Array) || salt.length !== ENVELOPE_SALT_LENGTH) {
+    throw new Error(
+      `salt must be ${ENVELOPE_SALT_LENGTH} bytes, got ${salt?.length ?? "non-buffer"}`
+    );
+  }
+  if (!(plaintext instanceof Uint8Array)) {
+    throw new Error("plaintext must be a Uint8Array");
+  }
+  let iv;
+  if (options.iv) {
+    if (options.iv.length !== IV_LENGTH) {
+      throw new Error(`iv must be ${IV_LENGTH} bytes, got ${options.iv.length}`);
+    }
+    iv = options.iv;
+  } else {
+    iv = randomBytes(IV_LENGTH);
+  }
+  const cipher = createCipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv), {
+    authTagLength: AUTH_TAG_LENGTH
+  });
+  const headerAad = buildHeaderAad(salt);
+  const finalAad = options.aad ? Buffer.concat([headerAad, Buffer.from(options.aad)]) : headerAad;
+  cipher.setAAD(finalAad);
+  const ciphertext = Buffer.concat([cipher.update(Buffer.from(plaintext)), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  if (authTag.length !== AUTH_TAG_LENGTH) {
+    throw new Error(`unexpected auth tag length: ${authTag.length}`);
+  }
+  const envelope = Buffer.alloc(ENVELOPE_HEADER_SIZE + ciphertext.length);
+  envelope.writeUInt8(ENVELOPE_VERSION, ENVELOPE_LAYOUT.version);
+  Buffer.from(salt).copy(envelope, ENVELOPE_LAYOUT.salt);
+  Buffer.from(iv).copy(envelope, ENVELOPE_LAYOUT.iv);
+  authTag.copy(envelope, ENVELOPE_LAYOUT.authTag);
+  ciphertext.copy(envelope, ENVELOPE_LAYOUT.ciphertext);
+  return envelope;
+}
+function parseEnvelope(envelope) {
+  if (!(envelope instanceof Uint8Array)) {
+    throw new Error("envelope must be a Uint8Array");
+  }
+  if (envelope.length < ENVELOPE_HEADER_SIZE) {
+    throw new Error(
+      `envelope too short: need \u2265 ${ENVELOPE_HEADER_SIZE} bytes, got ${envelope.length}`
+    );
+  }
+  const buf = Buffer.from(envelope.buffer, envelope.byteOffset, envelope.byteLength);
+  const version = buf.readUInt8(ENVELOPE_LAYOUT.version);
+  if (version !== ENVELOPE_VERSION) {
+    throw new Error(
+      `unsupported envelope version: ${version} (this build supports ${ENVELOPE_VERSION})`
+    );
+  }
+  return {
+    version,
+    salt: buf.subarray(ENVELOPE_LAYOUT.salt, ENVELOPE_LAYOUT.salt + ENVELOPE_SALT_LENGTH),
+    iv: buf.subarray(ENVELOPE_LAYOUT.iv, ENVELOPE_LAYOUT.iv + IV_LENGTH),
+    authTag: buf.subarray(
+      ENVELOPE_LAYOUT.authTag,
+      ENVELOPE_LAYOUT.authTag + AUTH_TAG_LENGTH
+    ),
+    ciphertext: buf.subarray(ENVELOPE_LAYOUT.ciphertext)
+  };
+}
+function open(key, envelope, options = {}) {
+  assertAesKey(key);
+  const parsed = parseEnvelope(envelope);
+  const decipher = createDecipheriv("aes-256-gcm", Buffer.from(key), parsed.iv, {
+    authTagLength: AUTH_TAG_LENGTH
+  });
+  decipher.setAuthTag(parsed.authTag);
+  const headerAad = buildHeaderAad(parsed.salt);
+  const finalAad = options.aad ? Buffer.concat([headerAad, Buffer.from(options.aad)]) : headerAad;
+  decipher.setAAD(finalAad);
+  return Buffer.concat([decipher.update(parsed.ciphertext), decipher.final()]);
+}
+function buildHeaderAad(salt) {
+  const out = Buffer.alloc(1 + ENVELOPE_SALT_LENGTH);
+  out.writeUInt8(ENVELOPE_VERSION, 0);
+  Buffer.from(salt).copy(out, 1);
+  return out;
+}
+function generateSalt() {
+  return randomBytes(ENVELOPE_SALT_LENGTH);
+}
+
+export {
+  ENVELOPE_VERSION,
+  IV_LENGTH,
+  AUTH_TAG_LENGTH,
+  ENVELOPE_SALT_LENGTH,
+  AES_KEY_LENGTH,
+  ENVELOPE_LAYOUT,
+  ENVELOPE_HEADER_SIZE,
+  seal,
+  parseEnvelope,
+  open,
+  generateSalt
+};
+//# sourceMappingURL=chunk-A6XUJE5D.js.map

package/dist/chunk-A6XUJE5D.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/secure-store/cipher.ts"],"sourcesContent":["/**\n * AES-256-GCM encrypt / decrypt primitives for the secure-store\n * module.\n *\n * Issue #690 (PR 1/4) — pure primitives, no I/O.\n *\n * Sealed envelope format\n * ----------------------\n * A \"sealed\" buffer is the canonical on-disk shape for a single\n * encrypted blob. It contains the salt used to derive the key from\n * the user's passphrase, so a caller who has the passphrase + the\n * sealed buffer can decrypt without any external metadata.\n *\n *   [VERSION:1][SALT:16][IV:12][AUTHTAG:16][CIPHERTEXT:...]\n *\n *   - VERSION (1 byte): envelope format version. Currently 1. Future\n *     versions can change the layout (e.g. variable salt length, an\n *     algorithm identifier byte) by bumping this byte.\n *   - SALT (16 bytes): KDF salt. Persisted with the ciphertext so the\n *     same passphrase can re-derive the key on read.\n *   - IV (12 bytes): GCM nonce. Must be unique per (key, ciphertext)\n *     pair. We generate it fresh from `randomBytes` on every encrypt\n *     call. Reusing an IV with the same key destroys GCM's\n *     confidentiality and authenticity guarantees.\n *   - AUTHTAG (16 bytes): GCM authentication tag. Tampering with any\n *     byte of (salt | iv | tag | ciphertext) causes decryption to\n *     fail with an auth-tag mismatch.\n *   - CIPHERTEXT (variable): the encrypted payload.\n *\n * The salt is stored alongside the ciphertext (rather than only in a\n * separate metadata file) so an individual encrypted blob is\n * self-contained for diagnostics and recovery. The metadata file\n * (see `metadata.ts`) records the *canonical* salt + KDF params for a\n * store; the per-blob salt is expected to match the metadata salt in\n * normal operation, but the format does not require it — a future PR\n * could rotate per-blob salts if desired.\n *\n * AAD support\n * -----------\n * Callers can pass associated authenticated data (AAD) — typically a\n * file path or namespace tag — that is authenticated but not\n * encrypted. AAD must be supplied identically on encrypt and decrypt;\n * a mismatch causes auth-tag failure. AAD is NOT serialized into the\n * envelope; the caller is responsible for re-supplying it on decrypt.\n */\n\nimport { createCipheriv, createDecipheriv, randomBytes } from \"node:crypto\";\n\n/** Current envelope format version. */\nexport const ENVELOPE_VERSION = 1 as const;\n\n/** GCM nonce length. 96 bits is the NIST-recommended size for AES-GCM. */\nexport const IV_LENGTH = 12;\n\n/** GCM authentication tag length. 16 bytes (128 bits) — the maximum. */\nexport const AUTH_TAG_LENGTH = 16;\n\n/** Salt length carried in the envelope. Must match KDF_SALT_LENGTH. */\nexport const ENVELOPE_SALT_LENGTH = 16;\n\n/** Required key length for AES-256. */\nexport const AES_KEY_LENGTH = 32;\n\n/** Byte offsets of each envelope field (for clarity at call sites). */\nexport const ENVELOPE_LAYOUT = Object.freeze({\n  version: 0,\n  salt: 1,\n  iv: 1 + ENVELOPE_SALT_LENGTH,\n  authTag: 1 + ENVELOPE_SALT_LENGTH + IV_LENGTH,\n  ciphertext: 1 + ENVELOPE_SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH,\n});\n\n/** Minimum envelope size: header + zero-length ciphertext. */\nexport const ENVELOPE_HEADER_SIZE = ENVELOPE_LAYOUT.ciphertext;\n\nexport interface EncryptOptions {\n  /**\n   * Optional associated data — authenticated but not encrypted.\n   * Caller must supply the same value on decrypt.\n   */\n  aad?: Uint8Array;\n  /**\n   * Override the per-call IV. Strongly discouraged outside of tests:\n   * GCM is catastrophically broken if an IV is reused under the same\n   * key. Production callers should always let the cipher generate a\n   * fresh random IV.\n   */\n  iv?: Uint8Array;\n}\n\nexport interface DecryptOptions {\n  /** Same AAD that was supplied to `encrypt`. */\n  aad?: Uint8Array;\n}\n\n/**\n * Validate that a key is a 32-byte buffer suitable for AES-256.\n */\nfunction assertAesKey(key: Uint8Array): void {\n  if (!(key instanceof Uint8Array)) {\n    throw new Error(\"key must be a Uint8Array\");\n  }\n  if (key.length !== AES_KEY_LENGTH) {\n    throw new Error(\n      `AES-256-GCM requires a ${AES_KEY_LENGTH}-byte key, got ${key.length}`,\n    );\n  }\n}\n\n/**\n * Encrypt `plaintext` under `key` and return a sealed envelope buffer.\n *\n * @param key 32-byte AES-256 key (from `deriveKey`).\n * @param salt 16-byte KDF salt to embed in the envelope. The caller is\n *   responsible for using the same salt that was passed to the KDF.\n * @param plaintext the bytes to encrypt.\n * @param options optional `aad` / `iv` overrides.\n */\nexport function seal(\n  key: Uint8Array,\n  salt: Uint8Array,\n  plaintext: Uint8Array,\n  options: EncryptOptions = {},\n): Buffer {\n  assertAesKey(key);\n  if (!(salt instanceof Uint8Array) || salt.length !== ENVELOPE_SALT_LENGTH) {\n    throw new Error(\n      `salt must be ${ENVELOPE_SALT_LENGTH} bytes, got ${salt?.length ?? \"non-buffer\"}`,\n    );\n  }\n  if (!(plaintext instanceof Uint8Array)) {\n    throw new Error(\"plaintext must be a Uint8Array\");\n  }\n  let iv: Uint8Array;\n  if (options.iv) {\n    if (options.iv.length !== IV_LENGTH) {\n      throw new Error(`iv must be ${IV_LENGTH} bytes, got ${options.iv.length}`);\n    }\n    iv = options.iv;\n  } else {\n    iv = randomBytes(IV_LENGTH);\n  }\n\n  const cipher = createCipheriv(\"aes-256-gcm\", Buffer.from(key), Buffer.from(iv), {\n    authTagLength: AUTH_TAG_LENGTH,\n  });\n  // Codex P1: bind the envelope header (version + salt) into AAD so\n  // flipping the salt or version on a sealed envelope triggers an\n  // auth failure on open. Without this, callers using a metadata-\n  // derived store key would still decrypt successfully even after\n  // the per-blob salt was tampered with — silently desynchronizing\n  // per-blob salt from metadata/recovery logic. Caller-supplied AAD\n  // is appended after the header so existing AAD usage stays intact.\n  const headerAad = buildHeaderAad(salt);\n  const finalAad = options.aad\n    ? Buffer.concat([headerAad, Buffer.from(options.aad)])\n    : headerAad;\n  cipher.setAAD(finalAad);\n  const ciphertext = Buffer.concat([cipher.update(Buffer.from(plaintext)), cipher.final()]);\n  const authTag = cipher.getAuthTag();\n  if (authTag.length !== AUTH_TAG_LENGTH) {\n    // Defensive: Node always produces 16 bytes when authTagLength is 16.\n    throw new Error(`unexpected auth tag length: ${authTag.length}`);\n  }\n\n  const envelope = Buffer.alloc(ENVELOPE_HEADER_SIZE + ciphertext.length);\n  envelope.writeUInt8(ENVELOPE_VERSION, ENVELOPE_LAYOUT.version);\n  Buffer.from(salt).copy(envelope, ENVELOPE_LAYOUT.salt);\n  Buffer.from(iv).copy(envelope, ENVELOPE_LAYOUT.iv);\n  authTag.copy(envelope, ENVELOPE_LAYOUT.authTag);\n  ciphertext.copy(envelope, ENVELOPE_LAYOUT.ciphertext);\n  return envelope;\n}\n\n/** Parsed view of a sealed envelope. Useful for inspection in tests. */\nexport interface ParsedEnvelope {\n  version: number;\n  salt: Buffer;\n  iv: Buffer;\n  authTag: Buffer;\n  ciphertext: Buffer;\n}\n\n/**\n * Parse a sealed envelope into its component fields without\n * decrypting. Throws on malformed input. The returned buffers are\n * sub-views (not copies) — do not mutate.\n */\nexport function parseEnvelope(envelope: Uint8Array): ParsedEnvelope {\n  if (!(envelope instanceof Uint8Array)) {\n    throw new Error(\"envelope must be a Uint8Array\");\n  }\n  if (envelope.length < ENVELOPE_HEADER_SIZE) {\n    throw new Error(\n      `envelope too short: need ≥ ${ENVELOPE_HEADER_SIZE} bytes, got ${envelope.length}`,\n    );\n  }\n  const buf = Buffer.from(envelope.buffer, envelope.byteOffset, envelope.byteLength);\n  const version = buf.readUInt8(ENVELOPE_LAYOUT.version);\n  if (version !== ENVELOPE_VERSION) {\n    throw new Error(\n      `unsupported envelope version: ${version} (this build supports ${ENVELOPE_VERSION})`,\n    );\n  }\n  return {\n    version,\n    salt: buf.subarray(ENVELOPE_LAYOUT.salt, ENVELOPE_LAYOUT.salt + ENVELOPE_SALT_LENGTH),\n    iv: buf.subarray(ENVELOPE_LAYOUT.iv, ENVELOPE_LAYOUT.iv + IV_LENGTH),\n    authTag: buf.subarray(\n      ENVELOPE_LAYOUT.authTag,\n      ENVELOPE_LAYOUT.authTag + AUTH_TAG_LENGTH,\n    ),\n    ciphertext: buf.subarray(ENVELOPE_LAYOUT.ciphertext),\n  };\n}\n\n/**\n * Decrypt a sealed envelope and return the plaintext.\n *\n * Throws on:\n *   - malformed envelope (wrong length, wrong version);\n *   - wrong key (auth-tag mismatch);\n *   - tampered ciphertext / iv / auth tag (auth-tag mismatch);\n *   - mismatched AAD (auth-tag mismatch).\n *\n * The same error class is intentional: from the caller's standpoint\n * \"wrong passphrase\" and \"tampered ciphertext\" should both be\n * non-recoverable failures.\n */\nexport function open(\n  key: Uint8Array,\n  envelope: Uint8Array,\n  options: DecryptOptions = {},\n): Buffer {\n  assertAesKey(key);\n  const parsed = parseEnvelope(envelope);\n  const decipher = createDecipheriv(\"aes-256-gcm\", Buffer.from(key), parsed.iv, {\n    authTagLength: AUTH_TAG_LENGTH,\n  });\n  decipher.setAuthTag(parsed.authTag);\n  // Codex P1: header (version + salt) is bound at seal time.\n  // Reconstruct it identically so a tampered salt fails auth.\n  const headerAad = buildHeaderAad(parsed.salt);\n  const finalAad = options.aad\n    ? Buffer.concat([headerAad, Buffer.from(options.aad)])\n    : headerAad;\n  decipher.setAAD(finalAad);\n  // `final()` throws if the auth tag doesn't validate.\n  return Buffer.concat([decipher.update(parsed.ciphertext), decipher.final()]);\n}\n\n/**\n * Build the canonical header AAD: a single byte version followed by\n * the per-blob salt. Binds the immutable envelope header into AES-GCM\n * authentication so tampering with either value triggers auth failure\n * on open (codex P1 on PR #718).\n */\nfunction buildHeaderAad(salt: Uint8Array): Buffer {\n  const out = Buffer.alloc(1 + ENVELOPE_SALT_LENGTH);\n  out.writeUInt8(ENVELOPE_VERSION, 0);\n  Buffer.from(salt).copy(out, 1);\n  return out;\n}\n\n/**\n * Generate a fresh random salt of the canonical envelope length.\n * Convenience wrapper so callers don't reach into `node:crypto`.\n */\nexport function generateSalt(): Buffer {\n  return randomBytes(ENVELOPE_SALT_LENGTH);\n}\n"],"mappings":";AA8CA,SAAS,gBAAgB,kBAAkB,mBAAmB;AAGvD,IAAM,mBAAmB;AAGzB,IAAM,YAAY;AAGlB,IAAM,kBAAkB;AAGxB,IAAM,uBAAuB;AAG7B,IAAM,iBAAiB;AAGvB,IAAM,kBAAkB,OAAO,OAAO;AAAA,EAC3C,SAAS;AAAA,EACT,MAAM;AAAA,EACN,IAAI,IAAI;AAAA,EACR,SAAS,IAAI,uBAAuB;AAAA,EACpC,YAAY,IAAI,uBAAuB,YAAY;AACrD,CAAC;AAGM,IAAM,uBAAuB,gBAAgB;AAyBpD,SAAS,aAAa,KAAuB;AAC3C,MAAI,EAAE,eAAe,aAAa;AAChC,UAAM,IAAI,MAAM,0BAA0B;AAAA,EAC5C;AACA,MAAI,IAAI,WAAW,gBAAgB;AACjC,UAAM,IAAI;AAAA,MACR,0BAA0B,cAAc,kBAAkB,IAAI,MAAM;AAAA,IACtE;AAAA,EACF;AACF;AAWO,SAAS,KACd,KACA,MACA,WACA,UAA0B,CAAC,GACnB;AACR,eAAa,GAAG;AAChB,MAAI,EAAE,gBAAgB,eAAe,KAAK,WAAW,sBAAsB;AACzE,UAAM,IAAI;AAAA,MACR,gBAAgB,oBAAoB,eAAe,MAAM,UAAU,YAAY;AAAA,IACjF;AAAA,EACF;AACA,MAAI,EAAE,qBAAqB,aAAa;AACtC,UAAM,IAAI,MAAM,gCAAgC;AAAA,EAClD;AACA,MAAI;AACJ,MAAI,QAAQ,IAAI;AACd,QAAI,QAAQ,GAAG,WAAW,WAAW;AACnC,YAAM,IAAI,MAAM,cAAc,SAAS,eAAe,QAAQ,GAAG,MAAM,EAAE;AAAA,IAC3E;AACA,SAAK,QAAQ;AAAA,EACf,OAAO;AACL,SAAK,YAAY,SAAS;AAAA,EAC5B;AAEA,QAAM,SAAS,eAAe,eAAe,OAAO,KAAK,GAAG,GAAG,OAAO,KAAK,EAAE,GAAG;AAAA,IAC9E,eAAe;AAAA,EACjB,CAAC;AAQD,QAAM,YAAY,eAAe,IAAI;AACrC,QAAM,WAAW,QAAQ,MACrB,OAAO,OAAO,CAAC,WAAW,OAAO,KAAK,QAAQ,GAAG,CAAC,CAAC,IACnD;AACJ,SAAO,OAAO,QAAQ;AACtB,QAAM,aAAa,OAAO,OAAO,CAAC,OAAO,OAAO,OAAO,KAAK,SAAS,CAAC,GAAG,OAAO,MAAM,CAAC,CAAC;AACxF,QAAM,UAAU,OAAO,WAAW;AAClC,MAAI,QAAQ,WAAW,iBAAiB;AAEtC,UAAM,IAAI,MAAM,+BAA+B,QAAQ,MAAM,EAAE;AAAA,EACjE;AAEA,QAAM,WAAW,OAAO,MAAM,uBAAuB,WAAW,MAAM;AACtE,WAAS,WAAW,kBAAkB,gBAAgB,OAAO;AAC7D,SAAO,KAAK,IAAI,EAAE,KAAK,UAAU,gBAAgB,IAAI;AACrD,SAAO,KAAK,EAAE,EAAE,KAAK,UAAU,gBAAgB,EAAE;AACjD,UAAQ,KAAK,UAAU,gBAAgB,OAAO;AAC9C,aAAW,KAAK,UAAU,gBAAgB,UAAU;AACpD,SAAO;AACT;AAgBO,SAAS,cAAc,UAAsC;AAClE,MAAI,EAAE,oBAAoB,aAAa;AACrC,UAAM,IAAI,MAAM,+BAA+B;AAAA,EACjD;AACA,MAAI,SAAS,SAAS,sBAAsB;AAC1C,UAAM,IAAI;AAAA,MACR,mCAA8B,oBAAoB,eAAe,SAAS,MAAM;AAAA,IAClF;AAAA,EACF;AACA,QAAM,MAAM,OAAO,KAAK,SAAS,QAAQ,SAAS,YAAY,SAAS,UAAU;AACjF,QAAM,UAAU,IAAI,UAAU,gBAAgB,OAAO;AACrD,MAAI,YAAY,kBAAkB;AAChC,UAAM,IAAI;AAAA,MACR,iCAAiC,OAAO,yBAAyB,gBAAgB;AAAA,IACnF;AAAA,EACF;AACA,SAAO;AAAA,IACL;AAAA,IACA,MAAM,IAAI,SAAS,gBAAgB,MAAM,gBAAgB,OAAO,oBAAoB;AAAA,IACpF,IAAI,IAAI,SAAS,gBAAgB,IAAI,gBAAgB,KAAK,SAAS;AAAA,IACnE,SAAS,IAAI;AAAA,MACX,gBAAgB;AAAA,MAChB,gBAAgB,UAAU;AAAA,IAC5B;AAAA,IACA,YAAY,IAAI,SAAS,gBAAgB,UAAU;AAAA,EACrD;AACF;AAeO,SAAS,KACd,KACA,UACA,UAA0B,CAAC,GACnB;AACR,eAAa,GAAG;AAChB,QAAM,SAAS,cAAc,QAAQ;AACrC,QAAM,WAAW,iBAAiB,eAAe,OAAO,KAAK,GAAG,GAAG,OAAO,IAAI;AAAA,IAC5E,eAAe;AAAA,EACjB,CAAC;AACD,WAAS,WAAW,OAAO,OAAO;AAGlC,QAAM,YAAY,eAAe,OAAO,IAAI;AAC5C,QAAM,WAAW,QAAQ,MACrB,OAAO,OAAO,CAAC,WAAW,OAAO,KAAK,QAAQ,GAAG,CAAC,CAAC,IACnD;AACJ,WAAS,OAAO,QAAQ;AAExB,SAAO,OAAO,OAAO,CAAC,SAAS,OAAO,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC7E;AAQA,SAAS,eAAe,MAA0B;AAChD,QAAM,MAAM,OAAO,MAAM,IAAI,oBAAoB;AACjD,MAAI,WAAW,kBAAkB,CAAC;AAClC,SAAO,KAAK,IAAI,EAAE,KAAK,KAAK,CAAC;AAC7B,SAAO;AACT;AAMO,SAAS,eAAuB;AACrC,SAAO,YAAY,oBAAoB;AACzC;","names":[]}