@remnic/core 1.1.2 → 1.1.4

package/dist/chunk-ASIQZXYO.js

@@ -0,0 +1,277 @@
+import {
+  DEFAULT_POLL_INTERVAL_MS,
+  GITHUB_CONNECTOR_ID,
+  GITHUB_DEFAULT_POLL_INTERVAL_MS,
+  GMAIL_CONNECTOR_ID,
+  GMAIL_DEFAULT_POLL_INTERVAL_MS,
+  GOOGLE_DRIVE_CONNECTOR_ID,
+  NOTION_CONNECTOR_ID,
+  NOTION_DEFAULT_POLL_INTERVAL_MS,
+  createGitHubConnector,
+  createGmailConnector,
+  createGoogleDriveConnector,
+  createNotionConnector,
+  validateGitHubConfig,
+  validateGmailConfig,
+  validateGoogleDriveConfig,
+  validateNotionConfig
+} from "./chunk-L2IO2QPY.js";
+import {
+  readConnectorState,
+  writeConnectorState
+} from "./chunk-6TBWYBJ3.js";
+import {
+  runConnectorPollOnce
+} from "./chunk-OZHRDTDX.js";
+
+// src/live-connectors-runner.ts
+function builtInLiveConnectorDefinitions(config) {
+  return [
+    {
+      id: GOOGLE_DRIVE_CONNECTOR_ID,
+      displayName: "Google Drive",
+      enabled: config.googleDrive.enabled,
+      pollIntervalMs: config.googleDrive.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS,
+      rawConfig: config.googleDrive,
+      createConnector: createGoogleDriveConnector,
+      validateConfig: (raw) => validateGoogleDriveConfig(raw)
+    },
+    {
+      id: NOTION_CONNECTOR_ID,
+      displayName: "Notion",
+      enabled: config.notion.enabled,
+      pollIntervalMs: config.notion.pollIntervalMs ?? NOTION_DEFAULT_POLL_INTERVAL_MS,
+      rawConfig: config.notion,
+      createConnector: createNotionConnector,
+      validateConfig: (raw) => validateNotionConfig(raw)
+    },
+    {
+      id: GMAIL_CONNECTOR_ID,
+      displayName: "Gmail",
+      enabled: config.gmail.enabled,
+      pollIntervalMs: config.gmail.pollIntervalMs ?? GMAIL_DEFAULT_POLL_INTERVAL_MS,
+      rawConfig: config.gmail,
+      createConnector: createGmailConnector,
+      validateConfig: (raw) => validateGmailConfig(raw)
+    },
+    {
+      id: GITHUB_CONNECTOR_ID,
+      displayName: "GitHub",
+      enabled: config.github.enabled,
+      pollIntervalMs: config.github.pollIntervalMs ?? GITHUB_DEFAULT_POLL_INTERVAL_MS,
+      rawConfig: config.github,
+      createConnector: createGitHubConnector,
+      validateConfig: (raw) => validateGitHubConfig(raw)
+    }
+  ];
+}
+function hasEnabledLiveConnector(config) {
+  return config.googleDrive.enabled || config.notion.enabled || config.gmail.enabled || config.github.enabled;
+}
+async function runLiveConnectorsOnce(options) {
+  const ranAt = resolveNow(options.now);
+  const force = options.force === true;
+  const definitions = options.definitions ?? builtInLiveConnectorDefinitions(options.connectors);
+  const results = [];
+  for (const definition of definitions) {
+    const checkAt = resolveNow(options.now);
+    if (!definition.enabled) {
+      results.push(skipResult(definition, null, "disabled"));
+      continue;
+    }
+    let state;
+    try {
+      state = await readConnectorState(options.memoryDir, definition.id);
+    } catch (err) {
+      results.push({
+        id: definition.id,
+        displayName: definition.displayName,
+        enabled: true,
+        ran: false,
+        skippedReason: "state_read_error",
+        docsImported: 0,
+        error: err instanceof Error ? err.message : String(err),
+        lastSyncAt: null,
+        nextDueAt: null
+      });
+      continue;
+    }
+    if (!force && !isConnectorDue(state, definition.pollIntervalMs, checkAt)) {
+      results.push(skipResult(definition, state, "not_due"));
+      continue;
+    }
+    let validatedConfig;
+    try {
+      validatedConfig = definition.validateConfig(definition.rawConfig);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      let stateWriteError;
+      let writtenErrorState;
+      const errorAt = resolveNow(options.now);
+      try {
+        writtenErrorState = await writeConnectorErrorState({
+          memoryDir: options.memoryDir,
+          connectorId: definition.id,
+          state,
+          error: message,
+          now: errorAt
+        });
+      } catch (writeErr) {
+        stateWriteError = writeErr instanceof Error ? writeErr.message : String(writeErr);
+      }
+      const reportedState = writtenErrorState ?? state;
+      results.push({
+        id: definition.id,
+        displayName: definition.displayName,
+        enabled: true,
+        ran: false,
+        skippedReason: "invalid_config",
+        docsImported: 0,
+        error: message,
+        ...stateWriteError !== void 0 ? { stateWriteError } : {},
+        lastSyncAt: reportedState?.lastSyncAt ?? null,
+        nextDueAt: nextDueAt(reportedState, definition.pollIntervalMs)
+      });
+      continue;
+    }
+    let runResult;
+    let lastStateWrittenAt;
+    try {
+      const connector = definition.createConnector();
+      runResult = await runConnectorPollOnce({
+        connectorId: definition.id,
+        priorState: state,
+        syncFn: (cursor) => connector.syncIncremental({
+          cursor,
+          config: validatedConfig,
+          abortSignal: options.abortSignal
+        }),
+        ingestFn: options.ingestDocuments,
+        writeCursorFn: (writeState) => {
+          const writeAt = resolveNow(options.now);
+          return writeConnectorState(options.memoryDir, definition.id, {
+            id: definition.id,
+            cursor: writeState.cursor,
+            lastSyncAt: writeAt.toISOString(),
+            lastSyncStatus: writeState.lastSyncStatus,
+            ...writeState.lastSyncError !== void 0 ? { lastSyncError: writeState.lastSyncError } : {},
+            totalDocsImported: writeState.totalDocsImported
+          }).then(() => {
+            lastStateWrittenAt = writeAt;
+          });
+        }
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      let stateWriteError;
+      let writtenErrorState;
+      const errorAt = resolveNow(options.now);
+      try {
+        writtenErrorState = await writeConnectorErrorState({
+          memoryDir: options.memoryDir,
+          connectorId: definition.id,
+          state,
+          error: message,
+          now: errorAt
+        });
+      } catch (writeErr) {
+        stateWriteError = writeErr instanceof Error ? writeErr.message : String(writeErr);
+      }
+      const reportedState = writtenErrorState ?? state;
+      results.push({
+        id: definition.id,
+        displayName: definition.displayName,
+        enabled: true,
+        ran: false,
+        skippedReason: "connector_error",
+        docsImported: 0,
+        error: message,
+        ...stateWriteError !== void 0 ? { stateWriteError } : {},
+        lastSyncAt: reportedState?.lastSyncAt ?? null,
+        nextDueAt: nextDueAt(reportedState, definition.pollIntervalMs)
+      });
+      continue;
+    }
+    results.push(
+      runItemFromResult(
+        definition,
+        runResult,
+        state,
+        lastStateWrittenAt ?? resolveNow(options.now)
+      )
+    );
+  }
+  return {
+    ranAt: ranAt.toISOString(),
+    force,
+    totalDocsImported: results.reduce((sum, item) => sum + item.docsImported, 0),
+    ranCount: results.filter((item) => item.ran).length,
+    skippedCount: results.filter((item) => !item.ran).length,
+    errorCount: results.filter(
+      (item) => item.error !== void 0 || item.stateWriteError !== void 0
+    ).length,
+    results
+  };
+}
+function resolveNow(now) {
+  return typeof now === "function" ? now() : now ?? /* @__PURE__ */ new Date();
+}
+function isConnectorDue(state, pollIntervalMs, now) {
+  if (state?.lastSyncAt === null || state?.lastSyncAt === void 0) return true;
+  const lastMs = Date.parse(state.lastSyncAt);
+  if (!Number.isFinite(lastMs)) return true;
+  return now.getTime() - lastMs >= Math.max(1, Math.floor(pollIntervalMs));
+}
+function nextDueAt(state, pollIntervalMs) {
+  if (state?.lastSyncAt === null || state?.lastSyncAt === void 0) return null;
+  const lastMs = Date.parse(state.lastSyncAt);
+  if (!Number.isFinite(lastMs)) return null;
+  return new Date(lastMs + Math.max(1, Math.floor(pollIntervalMs))).toISOString();
+}
+function skipResult(definition, state, skippedReason) {
+  return {
+    id: definition.id,
+    displayName: definition.displayName,
+    enabled: definition.enabled,
+    ran: false,
+    skippedReason,
+    docsImported: 0,
+    lastSyncAt: state?.lastSyncAt ?? null,
+    nextDueAt: skippedReason === "not_due" ? nextDueAt(state, definition.pollIntervalMs) : null
+  };
+}
+function runItemFromResult(definition, result, priorState, now) {
+  const stateWriteFailed = result.stateWriteError !== void 0;
+  const reportedLastSyncAt = stateWriteFailed ? priorState?.lastSyncAt ?? null : now.toISOString();
+  const reportedNextDueAt = stateWriteFailed ? nextDueAt(priorState, definition.pollIntervalMs) : new Date(
+    now.getTime() + Math.max(1, Math.floor(definition.pollIntervalMs))
+  ).toISOString();
+  return {
+    id: definition.id,
+    displayName: definition.displayName,
+    enabled: definition.enabled,
+    ran: true,
+    docsImported: result.docsImported,
+    ...result.error !== void 0 ? { error: result.error } : {},
+    ...result.stateWriteError !== void 0 ? { stateWriteError: result.stateWriteError } : {},
+    lastSyncAt: reportedLastSyncAt,
+    nextDueAt: reportedNextDueAt
+  };
+}
+async function writeConnectorErrorState(options) {
+  return writeConnectorState(options.memoryDir, options.connectorId, {
+    id: options.connectorId,
+    cursor: options.state?.cursor ?? null,
+    lastSyncAt: options.now.toISOString(),
+    lastSyncStatus: "error",
+    lastSyncError: options.error,
+    totalDocsImported: options.state?.totalDocsImported ?? 0
+  });
+}
+
+export {
+  builtInLiveConnectorDefinitions,
+  hasEnabledLiveConnector,
+  runLiveConnectorsOnce
+};
+//# sourceMappingURL=chunk-ASIQZXYO.js.map

package/dist/chunk-ASIQZXYO.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/live-connectors-runner.ts"],"sourcesContent":["import {\n  runConnectorPollOnce,\n  type ConnectorRunResult,\n} from \"./connectors-cli.js\";\nimport {\n  createGitHubConnector,\n  createGmailConnector,\n  createGoogleDriveConnector,\n  createNotionConnector,\n  GITHUB_CONNECTOR_ID,\n  GITHUB_DEFAULT_POLL_INTERVAL_MS,\n  GMAIL_CONNECTOR_ID,\n  GMAIL_DEFAULT_POLL_INTERVAL_MS,\n  GOOGLE_DRIVE_CONNECTOR_ID,\n  GOOGLE_DRIVE_DEFAULT_POLL_INTERVAL_MS,\n  NOTION_CONNECTOR_ID,\n  NOTION_DEFAULT_POLL_INTERVAL_MS,\n  readConnectorState,\n  writeConnectorState,\n  validateGitHubConfig,\n  validateGmailConfig,\n  validateGoogleDriveConfig,\n  validateNotionConfig,\n  type ConnectorConfig,\n  type ConnectorCursor,\n  type ConnectorDocument,\n  type ConnectorState,\n  type LiveConnector,\n} from \"./connectors/live/index.js\";\nimport type { LiveConnectorsConfig } from \"./types.js\";\n\nexport type LiveConnectorSkipReason =\n  | \"disabled\"\n  | \"not_due\"\n  | \"invalid_config\"\n  | \"state_read_error\"\n  | \"connector_error\";\n\nexport interface LiveConnectorRunItem {\n  id: string;\n  displayName: string;\n  enabled: boolean;\n  ran: boolean;\n  skippedReason?: LiveConnectorSkipReason;\n  docsImported: number;\n  error?: string;\n  stateWriteError?: string;\n  lastSyncAt: string | null;\n  nextDueAt: string | null;\n}\n\nexport interface LiveConnectorsRunSummary {\n  ranAt: string;\n  force: boolean;\n  totalDocsImported: number;\n  ranCount: number;\n  skippedCount: number;\n  errorCount: number;\n  results: LiveConnectorRunItem[];\n}\n\nexport interface LiveConnectorDefinition {\n  id: string;\n  displayName: string;\n  enabled: boolean;\n  pollIntervalMs: number;\n  rawConfig: unknown;\n  createConnector: () => LiveConnector;\n  validateConfig: (raw: unknown) => ConnectorConfig;\n}\n\ntype LiveConnectorsNow = Date | (() => Date);\n\nexport function builtInLiveConnectorDefinitions(\n  config: LiveConnectorsConfig,\n): LiveConnectorDefinition[] {\n  return [\n    {\n      id: GOOGLE_DRIVE_CONNECTOR_ID,\n      displayName: \"Google Drive\",\n      enabled: config.googleDrive.enabled,\n      pollIntervalMs:\n        config.googleDrive.pollIntervalMs ?? GOOGLE_DRIVE_DEFAULT_POLL_INTERVAL_MS,\n      rawConfig: config.googleDrive,\n      createConnector: createGoogleDriveConnector,\n      validateConfig: (raw) =>\n        validateGoogleDriveConfig(raw) as unknown as ConnectorConfig,\n    },\n    {\n      id: NOTION_CONNECTOR_ID,\n      displayName: \"Notion\",\n      enabled: config.notion.enabled,\n      pollIntervalMs: config.notion.pollIntervalMs ?? NOTION_DEFAULT_POLL_INTERVAL_MS,\n      rawConfig: config.notion,\n      createConnector: createNotionConnector,\n      validateConfig: (raw) =>\n        validateNotionConfig(raw) as unknown as ConnectorConfig,\n    },\n    {\n      id: GMAIL_CONNECTOR_ID,\n      displayName: \"Gmail\",\n      enabled: config.gmail.enabled,\n      pollIntervalMs: config.gmail.pollIntervalMs ?? GMAIL_DEFAULT_POLL_INTERVAL_MS,\n      rawConfig: config.gmail,\n      createConnector: createGmailConnector,\n      validateConfig: (raw) => validateGmailConfig(raw) as unknown as ConnectorConfig,\n    },\n    {\n      id: GITHUB_CONNECTOR_ID,\n      displayName: \"GitHub\",\n      enabled: config.github.enabled,\n      pollIntervalMs:\n        config.github.pollIntervalMs ?? GITHUB_DEFAULT_POLL_INTERVAL_MS,\n      rawConfig: config.github,\n      createConnector: createGitHubConnector,\n      validateConfig: (raw) => validateGitHubConfig(raw) as unknown as ConnectorConfig,\n    },\n  ];\n}\n\nexport function hasEnabledLiveConnector(config: LiveConnectorsConfig): boolean {\n  return (\n    config.googleDrive.enabled ||\n    config.notion.enabled ||\n    config.gmail.enabled ||\n    config.github.enabled\n  );\n}\n\nexport async function runLiveConnectorsOnce(options: {\n  memoryDir: string;\n  connectors: LiveConnectorsConfig;\n  ingestDocuments: (docs: ConnectorDocument[]) => Promise<void>;\n  force?: boolean;\n  now?: LiveConnectorsNow;\n  abortSignal?: AbortSignal;\n  definitions?: LiveConnectorDefinition[];\n}): Promise<LiveConnectorsRunSummary> {\n  const ranAt = resolveNow(options.now);\n  const force = options.force === true;\n  const definitions =\n    options.definitions ?? builtInLiveConnectorDefinitions(options.connectors);\n  const results: LiveConnectorRunItem[] = [];\n\n  for (const definition of definitions) {\n    const checkAt = resolveNow(options.now);\n    if (!definition.enabled) {\n      results.push(skipResult(definition, null, \"disabled\"));\n      continue;\n    }\n    let state: ConnectorState | null;\n    try {\n      state = await readConnectorState(options.memoryDir, definition.id);\n    } catch (err) {\n      results.push({\n        id: definition.id,\n        displayName: definition.displayName,\n        enabled: true,\n        ran: false,\n        skippedReason: \"state_read_error\",\n        docsImported: 0,\n        error: err instanceof Error ? err.message : String(err),\n        lastSyncAt: null,\n        nextDueAt: null,\n      });\n      continue;\n    }\n    if (!force && !isConnectorDue(state, definition.pollIntervalMs, checkAt)) {\n      results.push(skipResult(definition, state, \"not_due\"));\n      continue;\n    }\n\n    let validatedConfig: ConnectorConfig;\n    try {\n      validatedConfig = definition.validateConfig(definition.rawConfig);\n    } catch (err) {\n      const message = err instanceof Error ? err.message : String(err);\n      let stateWriteError: string | undefined;\n      let writtenErrorState: ConnectorState | undefined;\n      const errorAt = resolveNow(options.now);\n      try {\n        writtenErrorState = await writeConnectorErrorState({\n          memoryDir: options.memoryDir,\n          connectorId: definition.id,\n          state,\n          error: message,\n          now: errorAt,\n        });\n      } catch (writeErr) {\n        stateWriteError =\n          writeErr instanceof Error ? writeErr.message : String(writeErr);\n      }\n      const reportedState = writtenErrorState ?? state;\n      results.push({\n        id: definition.id,\n        displayName: definition.displayName,\n        enabled: true,\n        ran: false,\n        skippedReason: \"invalid_config\",\n        docsImported: 0,\n        error: message,\n        ...(stateWriteError !== undefined ? { stateWriteError } : {}),\n        lastSyncAt: reportedState?.lastSyncAt ?? null,\n        nextDueAt: nextDueAt(reportedState, definition.pollIntervalMs),\n      });\n      continue;\n    }\n\n    let runResult: ConnectorRunResult;\n    let lastStateWrittenAt: Date | undefined;\n    try {\n      const connector = definition.createConnector();\n      runResult = await runConnectorPollOnce({\n        connectorId: definition.id,\n        priorState: state,\n        syncFn: (cursor: ConnectorCursor | null) =>\n          connector.syncIncremental({\n            cursor,\n            config: validatedConfig,\n            abortSignal: options.abortSignal,\n          }),\n        ingestFn: options.ingestDocuments,\n        writeCursorFn: (writeState) => {\n          const writeAt = resolveNow(options.now);\n          return writeConnectorState(options.memoryDir, definition.id, {\n            id: definition.id,\n            cursor: writeState.cursor,\n            lastSyncAt: writeAt.toISOString(),\n            lastSyncStatus: writeState.lastSyncStatus,\n            ...(writeState.lastSyncError !== undefined\n              ? { lastSyncError: writeState.lastSyncError }\n              : {}),\n            totalDocsImported: writeState.totalDocsImported,\n          }).then(() => {\n            lastStateWrittenAt = writeAt;\n          });\n        },\n      });\n    } catch (err) {\n      const message = err instanceof Error ? err.message : String(err);\n      let stateWriteError: string | undefined;\n      let writtenErrorState: ConnectorState | undefined;\n      const errorAt = resolveNow(options.now);\n      try {\n        writtenErrorState = await writeConnectorErrorState({\n          memoryDir: options.memoryDir,\n          connectorId: definition.id,\n          state,\n          error: message,\n          now: errorAt,\n        });\n      } catch (writeErr) {\n        stateWriteError =\n          writeErr instanceof Error ? writeErr.message : String(writeErr);\n      }\n      const reportedState = writtenErrorState ?? state;\n      results.push({\n        id: definition.id,\n        displayName: definition.displayName,\n        enabled: true,\n        ran: false,\n        skippedReason: \"connector_error\",\n        docsImported: 0,\n        error: message,\n        ...(stateWriteError !== undefined ? { stateWriteError } : {}),\n        lastSyncAt: reportedState?.lastSyncAt ?? null,\n        nextDueAt: nextDueAt(reportedState, definition.pollIntervalMs),\n      });\n      continue;\n    }\n    results.push(\n      runItemFromResult(\n        definition,\n        runResult,\n        state,\n        lastStateWrittenAt ?? resolveNow(options.now),\n      ),\n    );\n  }\n\n  return {\n    ranAt: ranAt.toISOString(),\n    force,\n    totalDocsImported: results.reduce((sum, item) => sum + item.docsImported, 0),\n    ranCount: results.filter((item) => item.ran).length,\n    skippedCount: results.filter((item) => !item.ran).length,\n    errorCount: results.filter(\n      (item) => item.error !== undefined || item.stateWriteError !== undefined,\n    ).length,\n    results,\n  };\n}\n\nfunction resolveNow(now: LiveConnectorsNow | undefined): Date {\n  return typeof now === \"function\" ? now() : now ?? new Date();\n}\n\nfunction isConnectorDue(\n  state: ConnectorState | null,\n  pollIntervalMs: number,\n  now: Date,\n): boolean {\n  if (state?.lastSyncAt === null || state?.lastSyncAt === undefined) return true;\n  const lastMs = Date.parse(state.lastSyncAt);\n  if (!Number.isFinite(lastMs)) return true;\n  return now.getTime() - lastMs >= Math.max(1, Math.floor(pollIntervalMs));\n}\n\nfunction nextDueAt(\n  state: ConnectorState | null,\n  pollIntervalMs: number,\n): string | null {\n  if (state?.lastSyncAt === null || state?.lastSyncAt === undefined) return null;\n  const lastMs = Date.parse(state.lastSyncAt);\n  if (!Number.isFinite(lastMs)) return null;\n  return new Date(lastMs + Math.max(1, Math.floor(pollIntervalMs))).toISOString();\n}\n\nfunction skipResult(\n  definition: LiveConnectorDefinition,\n  state: ConnectorState | null,\n  skippedReason: LiveConnectorSkipReason,\n): LiveConnectorRunItem {\n  return {\n    id: definition.id,\n    displayName: definition.displayName,\n    enabled: definition.enabled,\n    ran: false,\n    skippedReason,\n    docsImported: 0,\n    lastSyncAt: state?.lastSyncAt ?? null,\n    nextDueAt:\n      skippedReason === \"not_due\"\n        ? nextDueAt(state, definition.pollIntervalMs)\n        : null,\n  };\n}\n\nfunction runItemFromResult(\n  definition: LiveConnectorDefinition,\n  result: ConnectorRunResult,\n  priorState: ConnectorState | null,\n  now: Date,\n): LiveConnectorRunItem {\n  const stateWriteFailed = result.stateWriteError !== undefined;\n  const reportedLastSyncAt = stateWriteFailed\n    ? priorState?.lastSyncAt ?? null\n    : now.toISOString();\n  const reportedNextDueAt = stateWriteFailed\n    ? nextDueAt(priorState, definition.pollIntervalMs)\n    : new Date(\n        now.getTime() + Math.max(1, Math.floor(definition.pollIntervalMs)),\n      ).toISOString();\n\n  return {\n    id: definition.id,\n    displayName: definition.displayName,\n    enabled: definition.enabled,\n    ran: true,\n    docsImported: result.docsImported,\n    ...(result.error !== undefined ? { error: result.error } : {}),\n    ...(result.stateWriteError !== undefined\n      ? { stateWriteError: result.stateWriteError }\n      : {}),\n    lastSyncAt: reportedLastSyncAt,\n    nextDueAt: reportedNextDueAt,\n  };\n}\n\nasync function writeConnectorErrorState(options: {\n  memoryDir: string;\n  connectorId: string;\n  state: ConnectorState | null;\n  error: string;\n  now: Date;\n}): Promise<ConnectorState> {\n  return writeConnectorState(options.memoryDir, options.connectorId, {\n    id: options.connectorId,\n    cursor: options.state?.cursor ?? null,\n    lastSyncAt: options.now.toISOString(),\n    lastSyncStatus: \"error\",\n    lastSyncError: options.error,\n    totalDocsImported: options.state?.totalDocsImported ?? 0,\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAyEO,SAAS,gCACd,QAC2B;AAC3B,SAAO;AAAA,IACL;AAAA,MACE,IAAI;AAAA,MACJ,aAAa;AAAA,MACb,SAAS,OAAO,YAAY;AAAA,MAC5B,gBACE,OAAO,YAAY,kBAAkB;AAAA,MACvC,WAAW,OAAO;AAAA,MAClB,iBAAiB;AAAA,MACjB,gBAAgB,CAAC,QACf,0BAA0B,GAAG;AAAA,IACjC;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MACJ,aAAa;AAAA,MACb,SAAS,OAAO,OAAO;AAAA,MACvB,gBAAgB,OAAO,OAAO,kBAAkB;AAAA,MAChD,WAAW,OAAO;AAAA,MAClB,iBAAiB;AAAA,MACjB,gBAAgB,CAAC,QACf,qBAAqB,GAAG;AAAA,IAC5B;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MACJ,aAAa;AAAA,MACb,SAAS,OAAO,MAAM;AAAA,MACtB,gBAAgB,OAAO,MAAM,kBAAkB;AAAA,MAC/C,WAAW,OAAO;AAAA,MAClB,iBAAiB;AAAA,MACjB,gBAAgB,CAAC,QAAQ,oBAAoB,GAAG;AAAA,IAClD;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MACJ,aAAa;AAAA,MACb,SAAS,OAAO,OAAO;AAAA,MACvB,gBACE,OAAO,OAAO,kBAAkB;AAAA,MAClC,WAAW,OAAO;AAAA,MAClB,iBAAiB;AAAA,MACjB,gBAAgB,CAAC,QAAQ,qBAAqB,GAAG;AAAA,IACnD;AAAA,EACF;AACF;AAEO,SAAS,wBAAwB,QAAuC;AAC7E,SACE,OAAO,YAAY,WACnB,OAAO,OAAO,WACd,OAAO,MAAM,WACb,OAAO,OAAO;AAElB;AAEA,eAAsB,sBAAsB,SAQN;AACpC,QAAM,QAAQ,WAAW,QAAQ,GAAG;AACpC,QAAM,QAAQ,QAAQ,UAAU;AAChC,QAAM,cACJ,QAAQ,eAAe,gCAAgC,QAAQ,UAAU;AAC3E,QAAM,UAAkC,CAAC;AAEzC,aAAW,cAAc,aAAa;AACpC,UAAM,UAAU,WAAW,QAAQ,GAAG;AACtC,QAAI,CAAC,WAAW,SAAS;AACvB,cAAQ,KAAK,WAAW,YAAY,MAAM,UAAU,CAAC;AACrD;AAAA,IACF;AACA,QAAI;AACJ,QAAI;AACF,cAAQ,MAAM,mBAAmB,QAAQ,WAAW,WAAW,EAAE;AAAA,IACnE,SAAS,KAAK;AACZ,cAAQ,KAAK;AAAA,QACX,IAAI,WAAW;AAAA,QACf,aAAa,WAAW;AAAA,QACxB,SAAS;AAAA,QACT,KAAK;AAAA,QACL,eAAe;AAAA,QACf,cAAc;AAAA,QACd,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,QACtD,YAAY;AAAA,QACZ,WAAW;AAAA,MACb,CAAC;AACD;AAAA,IACF;AACA,QAAI,CAAC,SAAS,CAAC,eAAe,OAAO,WAAW,gBAAgB,OAAO,GAAG;AACxE,cAAQ,KAAK,WAAW,YAAY,OAAO,SAAS,CAAC;AACrD;AAAA,IACF;AAEA,QAAI;AACJ,QAAI;AACF,wBAAkB,WAAW,eAAe,WAAW,SAAS;AAAA,IAClE,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,UAAI;AACJ,UAAI;AACJ,YAAM,UAAU,WAAW,QAAQ,GAAG;AACtC,UAAI;AACF,4BAAoB,MAAM,yBAAyB;AAAA,UACjD,WAAW,QAAQ;AAAA,UACnB,aAAa,WAAW;AAAA,UACxB;AAAA,UACA,OAAO;AAAA,UACP,KAAK;AAAA,QACP,CAAC;AAAA,MACH,SAAS,UAAU;AACjB,0BACE,oBAAoB,QAAQ,SAAS,UAAU,OAAO,QAAQ;AAAA,MAClE;AACA,YAAM,gBAAgB,qBAAqB;AAC3C,cAAQ,KAAK;AAAA,QACX,IAAI,WAAW;AAAA,QACf,aAAa,WAAW;AAAA,QACxB,SAAS;AAAA,QACT,KAAK;AAAA,QACL,eAAe;AAAA,QACf,cAAc;AAAA,QACd,OAAO;AAAA,QACP,GAAI,oBAAoB,SAAY,EAAE,gBAAgB,IAAI,CAAC;AAAA,QAC3D,YAAY,eAAe,cAAc;AAAA,QACzC,WAAW,UAAU,eAAe,WAAW,cAAc;AAAA,MAC/D,CAAC;AACD;AAAA,IACF;AAEA,QAAI;AACJ,QAAI;AACJ,QAAI;AACF,YAAM,YAAY,WAAW,gBAAgB;AAC7C,kBAAY,MAAM,qBAAqB;AAAA,QACrC,aAAa,WAAW;AAAA,QACxB,YAAY;AAAA,QACZ,QAAQ,CAAC,WACP,UAAU,gBAAgB;AAAA,UACxB;AAAA,UACA,QAAQ;AAAA,UACR,aAAa,QAAQ;AAAA,QACvB,CAAC;AAAA,QACH,UAAU,QAAQ;AAAA,QAClB,eAAe,CAAC,eAAe;AAC7B,gBAAM,UAAU,WAAW,QAAQ,GAAG;AACtC,iBAAO,oBAAoB,QAAQ,WAAW,WAAW,IAAI;AAAA,YAC3D,IAAI,WAAW;AAAA,YACf,QAAQ,WAAW;AAAA,YACnB,YAAY,QAAQ,YAAY;AAAA,YAChC,gBAAgB,WAAW;AAAA,YAC3B,GAAI,WAAW,kBAAkB,SAC7B,EAAE,eAAe,WAAW,cAAc,IAC1C,CAAC;AAAA,YACL,mBAAmB,WAAW;AAAA,UAChC,CAAC,EAAE,KAAK,MAAM;AACZ,iCAAqB;AAAA,UACvB,CAAC;AAAA,QACH;AAAA,MACF,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,UAAI;AACJ,UAAI;AACJ,YAAM,UAAU,WAAW,QAAQ,GAAG;AACtC,UAAI;AACF,4BAAoB,MAAM,yBAAyB;AAAA,UACjD,WAAW,QAAQ;AAAA,UACnB,aAAa,WAAW;AAAA,UACxB;AAAA,UACA,OAAO;AAAA,UACP,KAAK;AAAA,QACP,CAAC;AAAA,MACH,SAAS,UAAU;AACjB,0BACE,oBAAoB,QAAQ,SAAS,UAAU,OAAO,QAAQ;AAAA,MAClE;AACA,YAAM,gBAAgB,qBAAqB;AAC3C,cAAQ,KAAK;AAAA,QACX,IAAI,WAAW;AAAA,QACf,aAAa,WAAW;AAAA,QACxB,SAAS;AAAA,QACT,KAAK;AAAA,QACL,eAAe;AAAA,QACf,cAAc;AAAA,QACd,OAAO;AAAA,QACP,GAAI,oBAAoB,SAAY,EAAE,gBAAgB,IAAI,CAAC;AAAA,QAC3D,YAAY,eAAe,cAAc;AAAA,QACzC,WAAW,UAAU,eAAe,WAAW,cAAc;AAAA,MAC/D,CAAC;AACD;AAAA,IACF;AACA,YAAQ;AAAA,MACN;AAAA,QACE;AAAA,QACA;AAAA,QACA;AAAA,QACA,sBAAsB,WAAW,QAAQ,GAAG;AAAA,MAC9C;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,OAAO,MAAM,YAAY;AAAA,IACzB;AAAA,IACA,mBAAmB,QAAQ,OAAO,CAAC,KAAK,SAAS,MAAM,KAAK,cAAc,CAAC;AAAA,IAC3E,UAAU,QAAQ,OAAO,CAAC,SAAS,KAAK,GAAG,EAAE;AAAA,IAC7C,cAAc,QAAQ,OAAO,CAAC,SAAS,CAAC,KAAK,GAAG,EAAE;AAAA,IAClD,YAAY,QAAQ;AAAA,MAClB,CAAC,SAAS,KAAK,UAAU,UAAa,KAAK,oBAAoB;AAAA,IACjE,EAAE;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,WAAW,KAA0C;AAC5D,SAAO,OAAO,QAAQ,aAAa,IAAI,IAAI,OAAO,oBAAI,KAAK;AAC7D;AAEA,SAAS,eACP,OACA,gBACA,KACS;AACT,MAAI,OAAO,eAAe,QAAQ,OAAO,eAAe,OAAW,QAAO;AAC1E,QAAM,SAAS,KAAK,MAAM,MAAM,UAAU;AAC1C,MAAI,CAAC,OAAO,SAAS,MAAM,EAAG,QAAO;AACrC,SAAO,IAAI,QAAQ,IAAI,UAAU,KAAK,IAAI,GAAG,KAAK,MAAM,cAAc,CAAC;AACzE;AAEA,SAAS,UACP,OACA,gBACe;AACf,MAAI,OAAO,eAAe,QAAQ,OAAO,eAAe,OAAW,QAAO;AAC1E,QAAM,SAAS,KAAK,MAAM,MAAM,UAAU;AAC1C,MAAI,CAAC,OAAO,SAAS,MAAM,EAAG,QAAO;AACrC,SAAO,IAAI,KAAK,SAAS,KAAK,IAAI,GAAG,KAAK,MAAM,cAAc,CAAC,CAAC,EAAE,YAAY;AAChF;AAEA,SAAS,WACP,YACA,OACA,eACsB;AACtB,SAAO;AAAA,IACL,IAAI,WAAW;AAAA,IACf,aAAa,WAAW;AAAA,IACxB,SAAS,WAAW;AAAA,IACpB,KAAK;AAAA,IACL;AAAA,IACA,cAAc;AAAA,IACd,YAAY,OAAO,cAAc;AAAA,IACjC,WACE,kBAAkB,YACd,UAAU,OAAO,WAAW,cAAc,IAC1C;AAAA,EACR;AACF;AAEA,SAAS,kBACP,YACA,QACA,YACA,KACsB;AACtB,QAAM,mBAAmB,OAAO,oBAAoB;AACpD,QAAM,qBAAqB,mBACvB,YAAY,cAAc,OAC1B,IAAI,YAAY;AACpB,QAAM,oBAAoB,mBACtB,UAAU,YAAY,WAAW,cAAc,IAC/C,IAAI;AAAA,IACF,IAAI,QAAQ,IAAI,KAAK,IAAI,GAAG,KAAK,MAAM,WAAW,cAAc,CAAC;AAAA,EACnE,EAAE,YAAY;AAElB,SAAO;AAAA,IACL,IAAI,WAAW;AAAA,IACf,aAAa,WAAW;AAAA,IACxB,SAAS,WAAW;AAAA,IACpB,KAAK;AAAA,IACL,cAAc,OAAO;AAAA,IACrB,GAAI,OAAO,UAAU,SAAY,EAAE,OAAO,OAAO,MAAM,IAAI,CAAC;AAAA,IAC5D,GAAI,OAAO,oBAAoB,SAC3B,EAAE,iBAAiB,OAAO,gBAAgB,IAC1C,CAAC;AAAA,IACL,YAAY;AAAA,IACZ,WAAW;AAAA,EACb;AACF;AAEA,eAAe,yBAAyB,SAMZ;AAC1B,SAAO,oBAAoB,QAAQ,WAAW,QAAQ,aAAa;AAAA,IACjE,IAAI,QAAQ;AAAA,IACZ,QAAQ,QAAQ,OAAO,UAAU;AAAA,IACjC,YAAY,QAAQ,IAAI,YAAY;AAAA,IACpC,gBAAgB;AAAA,IAChB,eAAe,QAAQ;AAAA,IACvB,mBAAmB,QAAQ,OAAO,qBAAqB;AAAA,EACzD,CAAC;AACH;","names":[]}

package/dist/{chunk-DG6YMRDC.js → chunk-B2TL6GA2.js}

@@ -11,7 +11,7 @@ import {
 } from "./chunk-R2XRID2N.js";
 import {
   FallbackLlmClient
-} from "./chunk-AYXIPSZO.js";
+} from "./chunk-CRU27Q4J.js";
 import {
   extractJsonCandidates
 } from "./chunk-UZB5KHKX.js";
@@ -618,4 +618,4 @@ ${truncatedConversation}`;
 export {
   HourlySummarizer
 };
-//# sourceMappingURL=chunk-DG6YMRDC.js.map
+//# sourceMappingURL=chunk-B2TL6GA2.js.map

package/dist/chunk-BJMBJZ2Y.js

@@ -0,0 +1,290 @@
+import {
+  buildMetadata,
+  decodeMetadataSalt,
+  parseMetadata,
+  serializeMetadata
+} from "./chunk-UKJAGEXH.js";
+import {
+  KDF_KEY_LENGTH,
+  KDF_SALT_LENGTH,
+  deriveKey
+} from "./chunk-FP2373TW.js";
+import {
+  open,
+  seal
+} from "./chunk-A6XUJE5D.js";
+import {
+  __export
+} from "./chunk-PZ5AY32C.js";
+
+// src/secure-store/header.ts
+import { mkdir, readFile, writeFile } from "fs/promises";
+import path from "path";
+var SECURE_STORE_DIR_NAME = ".secure-store";
+var HEADER_FILENAME = "header.json";
+var HEADER_FORMAT = "remnic.secure-store.header";
+var HEADER_FORMAT_VERSION = 1;
+var VERIFIER_PLAINTEXT = Buffer.from("remnic-secure-store-v1", "utf8");
+var VERIFIER_AAD = Buffer.from("remnic-secure-store/verifier", "utf8");
+function secureStoreDir(memoryDir) {
+  return path.join(memoryDir, SECURE_STORE_DIR_NAME);
+}
+function headerPath(memoryDir) {
+  return path.join(secureStoreDir(memoryDir), HEADER_FILENAME);
+}
+function buildHeader(options) {
+  const { metadata, derivedKey } = options;
+  if (!Buffer.isBuffer(derivedKey) || derivedKey.length !== KDF_KEY_LENGTH) {
+    throw new Error(
+      `derivedKey must be a ${KDF_KEY_LENGTH}-byte Buffer, got length=${derivedKey?.length ?? "non-buffer"}`
+    );
+  }
+  const salt = decodeMetadataSalt(metadata);
+  if (salt.length !== KDF_SALT_LENGTH) {
+    throw new Error(`metadata salt is ${salt.length} bytes, expected ${KDF_SALT_LENGTH}`);
+  }
+  const envelope = seal(derivedKey, salt, VERIFIER_PLAINTEXT, { aad: VERIFIER_AAD });
+  return {
+    format: HEADER_FORMAT,
+    formatVersion: HEADER_FORMAT_VERSION,
+    metadata,
+    verifier: envelope.toString("hex"),
+    createdAt: options.createdAt ?? (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function serializeHeader(header) {
+  validateHeader(header);
+  const metadataString = serializeMetadata(header.metadata);
+  const metadataObject = JSON.parse(metadataString);
+  const ordered = {
+    format: header.format,
+    formatVersion: header.formatVersion,
+    metadata: metadataObject,
+    verifier: header.verifier,
+    createdAt: header.createdAt
+  };
+  return JSON.stringify(ordered, null, 2);
+}
+function parseHeader(json) {
+  if (typeof json !== "string") {
+    throw new Error("header input must be a string");
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(json);
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    throw new Error(`header is not valid JSON: ${msg}`);
+  }
+  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+    throw new Error("header must be a JSON object");
+  }
+  const obj = parsed;
+  if (obj.format !== HEADER_FORMAT) {
+    throw new Error(
+      `unexpected header format: ${String(obj.format)} (expected ${HEADER_FORMAT})`
+    );
+  }
+  if (obj.formatVersion !== HEADER_FORMAT_VERSION) {
+    throw new Error(
+      `unsupported header formatVersion: ${String(obj.formatVersion)} (this build supports ${HEADER_FORMAT_VERSION})`
+    );
+  }
+  if (typeof obj.verifier !== "string" || obj.verifier.length === 0) {
+    throw new Error("header.verifier must be a non-empty hex string");
+  }
+  if (!/^[0-9a-fA-F]+$/.test(obj.verifier)) {
+    throw new Error("header.verifier must be a hex-encoded string");
+  }
+  if (obj.verifier.length % 2 !== 0) {
+    throw new Error(
+      "header.verifier hex string must have even length (each byte encodes as two hex digits)"
+    );
+  }
+  if (typeof obj.createdAt !== "string" || obj.createdAt.length === 0) {
+    throw new Error("header.createdAt must be a non-empty string");
+  }
+  if (typeof obj.metadata !== "object" || obj.metadata === null) {
+    throw new Error("header.metadata must be an object");
+  }
+  const metadata = parseMetadata(JSON.stringify(obj.metadata));
+  const header = {
+    format: HEADER_FORMAT,
+    formatVersion: HEADER_FORMAT_VERSION,
+    metadata,
+    verifier: obj.verifier,
+    createdAt: obj.createdAt
+  };
+  validateHeader(header);
+  return header;
+}
+function validateHeader(header) {
+  if (header.format !== HEADER_FORMAT) {
+    throw new Error(`header.format must be ${HEADER_FORMAT}`);
+  }
+  if (header.formatVersion !== HEADER_FORMAT_VERSION) {
+    throw new Error(`header.formatVersion must be ${HEADER_FORMAT_VERSION}`);
+  }
+  if (typeof header.createdAt !== "string" || header.createdAt.length === 0) {
+    throw new Error("header.createdAt must be a non-empty ISO-8601 string");
+  }
+  if (typeof header.verifier !== "string" || header.verifier.length === 0) {
+    throw new Error("header.verifier must be a non-empty hex string");
+  }
+  if (!/^[0-9a-fA-F]+$/.test(header.verifier)) {
+    throw new Error("header.verifier must be a hex-encoded string");
+  }
+  if (header.verifier.length % 2 !== 0) {
+    throw new Error(
+      "header.verifier hex string must have even length (each byte encodes as two hex digits)"
+    );
+  }
+  if (header.metadata.format !== "remnic.secure-store.metadata") {
+    throw new Error("header.metadata.format must be remnic.secure-store.metadata");
+  }
+}
+function verifyKey(header, candidateKey) {
+  if (!Buffer.isBuffer(candidateKey) || candidateKey.length !== KDF_KEY_LENGTH) {
+    return false;
+  }
+  const envelope = Buffer.from(header.verifier, "hex");
+  try {
+    const plaintext = open(candidateKey, envelope, { aad: VERIFIER_AAD });
+    return plaintext.equals(VERIFIER_PLAINTEXT);
+  } catch {
+    return false;
+  }
+}
+function deriveKeyFromHeader(header, passphrase) {
+  const salt = decodeMetadataSalt(header.metadata);
+  const params = header.metadata.kdf.params;
+  return deriveKey(header.metadata.kdf.algorithm, passphrase, salt, params);
+}
+async function readHeader(memoryDir) {
+  const target = headerPath(memoryDir);
+  let raw;
+  try {
+    raw = await readFile(target, "utf8");
+  } catch (e) {
+    if (e.code === "ENOENT") {
+      return null;
+    }
+    throw e;
+  }
+  return parseHeader(raw);
+}
+async function writeHeader(memoryDir, header) {
+  validateHeader(header);
+  const dir = secureStoreDir(memoryDir);
+  await mkdir(dir, { recursive: true });
+  const target = headerPath(memoryDir);
+  try {
+    await writeFile(target, serializeHeader(header), {
+      encoding: "utf8",
+      mode: 384,
+      flag: "wx"
+    });
+  } catch (e) {
+    if (e.code === "EEXIST") {
+      throw new Error(
+        `secure-store header already exists at ${target}. Refusing to overwrite \u2014 initialize a fresh store or remove the existing header explicitly.`
+      );
+    }
+    throw e;
+  }
+  return target;
+}
+function buildHeaderFromPassphrase(options) {
+  const { passphrase, salt } = options;
+  const algorithm = options.algorithm ?? "argon2id";
+  const metadataOpts = { algorithm, salt };
+  if (options.params !== void 0) metadataOpts.params = options.params;
+  if (options.createdAt !== void 0) metadataOpts.createdAt = options.createdAt;
+  if (options.note !== void 0) metadataOpts.note = options.note;
+  const metadata = buildMetadata(metadataOpts);
+  const params = metadata.kdf.params;
+  const derivedKey = deriveKey(algorithm, passphrase, salt, params);
+  const headerOpts = {
+    metadata,
+    derivedKey
+  };
+  if (options.createdAt !== void 0) headerOpts.createdAt = options.createdAt;
+  const header = buildHeader(headerOpts);
+  return { header, derivedKey };
+}
+
+// src/secure-store/keyring.ts
+var keyring_exports = {};
+__export(keyring_exports, {
+  getKey: () => getKey,
+  lock: () => lock,
+  lockAll: () => lockAll,
+  size: () => size,
+  status: () => status,
+  unlock: () => unlock
+});
+var ENTRIES = /* @__PURE__ */ new Map();
+function unlock(id, key, now = () => /* @__PURE__ */ new Date()) {
+  if (typeof id !== "string" || id.length === 0) {
+    throw new Error("keyring id must be a non-empty string");
+  }
+  if (!Buffer.isBuffer(key) || key.length !== 32) {
+    throw new Error(`keyring key must be a 32-byte Buffer, got length=${key?.length ?? "non-buffer"}`);
+  }
+  const existing = ENTRIES.get(id);
+  if (existing) {
+    existing.key.fill(0);
+  }
+  ENTRIES.set(id, { key, unlockedAt: now().toISOString() });
+}
+function getKey(id) {
+  const entry = ENTRIES.get(id);
+  return entry ? entry.key : null;
+}
+function lock(id) {
+  const entry = ENTRIES.get(id);
+  if (!entry) return false;
+  entry.key.fill(0);
+  ENTRIES.delete(id);
+  return true;
+}
+function lockAll() {
+  for (const entry of ENTRIES.values()) {
+    entry.key.fill(0);
+  }
+  ENTRIES.clear();
+}
+function status(id) {
+  const entry = ENTRIES.get(id);
+  if (!entry) {
+    return { unlocked: false, unlockedAt: null };
+  }
+  return { unlocked: true, unlockedAt: entry.unlockedAt };
+}
+function size() {
+  return ENTRIES.size;
+}
+
+export {
+  SECURE_STORE_DIR_NAME,
+  HEADER_FILENAME,
+  HEADER_FORMAT,
+  HEADER_FORMAT_VERSION,
+  secureStoreDir,
+  headerPath,
+  buildHeader,
+  serializeHeader,
+  parseHeader,
+  validateHeader,
+  verifyKey,
+  deriveKeyFromHeader,
+  readHeader,
+  writeHeader,
+  buildHeaderFromPassphrase,
+  unlock,
+  getKey,
+  lock,
+  status,
+  keyring_exports
+};
+//# sourceMappingURL=chunk-BJMBJZ2Y.js.map

package/dist/chunk-BJMBJZ2Y.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/secure-store/header.ts","../src/secure-store/keyring.ts"],"sourcesContent":["/**\n * On-disk header for an initialized secure-store (issue #690 PR 2/4).\n *\n * The header file is the persistent record that a memory directory\n * has had `remnic secure-store init` run against it. It is a JSON\n * file at `<memoryDir>/.secure-store/header.json` with two parts:\n *\n *   1. The KDF metadata from PR 1/4 (`SecureStoreMetadata`) —\n *      algorithm, params, and salt. Public; safe to read/copy.\n *   2. A \"verifier\" — a tiny AES-GCM-encrypted envelope sealed under\n *      the derived key at init time. Unlock re-derives the key from\n *      the entered passphrase and tries to `open()` the verifier; if\n *      the auth tag validates, the passphrase is correct.\n *\n * Why a verifier?\n * ---------------\n * Without one, \"wrong passphrase\" can only be detected when the\n * daemon tries to decrypt actual memory data — too late for a\n * useful CLI error. The verifier gives the unlock command a fast,\n * data-independent passphrase check.\n *\n * The verifier plaintext is a fixed magic string (no secret content).\n * Its only role is to be sealable + openable; the auth-tag check is\n * what proves the key.\n *\n * Naming\n * ------\n * Directory: `.secure-store/` (leading dot — hidden, hints at\n * sensitivity). File: `header.json`. Avoids collision with\n * `.secure-store-metadata.json` from PR 1/4 docs since the header\n * is a strict superset.\n */\n\nimport { mkdir, readFile, writeFile } from \"node:fs/promises\";\nimport path from \"node:path\";\n\nimport { open, seal } from \"./cipher.js\";\nimport {\n  KDF_KEY_LENGTH,\n  KDF_SALT_LENGTH,\n  deriveKey,\n  type Argon2idParams,\n  type ScryptParams,\n} from \"./kdf.js\";\nimport {\n  buildMetadata,\n  decodeMetadataSalt,\n  parseMetadata,\n  serializeMetadata,\n  type SecureStoreMetadata,\n} from \"./metadata.js\";\n\n/** Subdirectory under `memoryDir` that holds the header + future state. */\nexport const SECURE_STORE_DIR_NAME = \".secure-store\";\n\n/** Header filename. Stable name so operators can locate it. */\nexport const HEADER_FILENAME = \"header.json\";\n\n/** Stable identifier so the file shape is sniffable without parsing JSON. */\nexport const HEADER_FORMAT = \"remnic.secure-store.header\" as const;\n\n/** Current header format version. Bump on breaking schema changes. */\nexport const HEADER_FORMAT_VERSION = 1 as const;\n\n/**\n * Magic bytes sealed under the master key at init time. Constant\n * across stores — there's no value in randomizing it because the\n * salt + IV + auth tag already make every verifier envelope unique.\n *\n * The string never appears in plaintext on disk; it only exists\n * inside an AES-GCM-sealed envelope. Its job is purely to give the\n * cipher something to authenticate.\n */\nexport const VERIFIER_PLAINTEXT = Buffer.from(\"remnic-secure-store-v1\", \"utf8\");\n\n/** AAD bound into the verifier envelope. */\nconst VERIFIER_AAD = Buffer.from(\"remnic-secure-store/verifier\", \"utf8\");\n\nexport interface SecureStoreHeader {\n  format: typeof HEADER_FORMAT;\n  formatVersion: number;\n  /** KDF metadata (algorithm + params + salt). */\n  metadata: SecureStoreMetadata;\n  /** Hex-encoded sealed envelope. */\n  verifier: string;\n  /** ISO-8601 timestamp recorded at init time. */\n  createdAt: string;\n}\n\n/** Resolve the canonical secure-store directory for a memory root. */\nexport function secureStoreDir(memoryDir: string): string {\n  return path.join(memoryDir, SECURE_STORE_DIR_NAME);\n}\n\n/** Resolve the canonical header path for a memory root. */\nexport function headerPath(memoryDir: string): string {\n  return path.join(secureStoreDir(memoryDir), HEADER_FILENAME);\n}\n\n/**\n * Build a `SecureStoreHeader` in memory from an already-derived key\n * and metadata. Pure: does not touch the filesystem. The clock is\n * read once if `createdAt` is omitted.\n */\nexport function buildHeader(options: {\n  metadata: SecureStoreMetadata;\n  derivedKey: Buffer;\n  createdAt?: string;\n}): SecureStoreHeader {\n  const { metadata, derivedKey } = options;\n  if (!Buffer.isBuffer(derivedKey) || derivedKey.length !== KDF_KEY_LENGTH) {\n    throw new Error(\n      `derivedKey must be a ${KDF_KEY_LENGTH}-byte Buffer, got length=${derivedKey?.length ?? \"non-buffer\"}`,\n    );\n  }\n  const salt = decodeMetadataSalt(metadata);\n  if (salt.length !== KDF_SALT_LENGTH) {\n    throw new Error(`metadata salt is ${salt.length} bytes, expected ${KDF_SALT_LENGTH}`);\n  }\n  const envelope = seal(derivedKey, salt, VERIFIER_PLAINTEXT, { aad: VERIFIER_AAD });\n  return {\n    format: HEADER_FORMAT,\n    formatVersion: HEADER_FORMAT_VERSION,\n    metadata,\n    verifier: envelope.toString(\"hex\"),\n    createdAt: options.createdAt ?? new Date().toISOString(),\n  };\n}\n\n/** Stable JSON serialization with locked top-level key order. */\nexport function serializeHeader(header: SecureStoreHeader): string {\n  validateHeader(header);\n  // Inline metadata as a parsed object so it shares the same\n  // canonical key ordering as the standalone metadata file.\n  const metadataString = serializeMetadata(header.metadata);\n  const metadataObject = JSON.parse(metadataString) as Record<string, unknown>;\n  const ordered = {\n    format: header.format,\n    formatVersion: header.formatVersion,\n    metadata: metadataObject,\n    verifier: header.verifier,\n    createdAt: header.createdAt,\n  };\n  return JSON.stringify(ordered, null, 2);\n}\n\n/** Parse a header JSON string. Throws on any structural problem. */\nexport function parseHeader(json: string): SecureStoreHeader {\n  if (typeof json !== \"string\") {\n    throw new Error(\"header input must be a string\");\n  }\n  let parsed: unknown;\n  try {\n    parsed = JSON.parse(json);\n  } catch (e) {\n    const msg = e instanceof Error ? e.message : String(e);\n    throw new Error(`header is not valid JSON: ${msg}`);\n  }\n  if (typeof parsed !== \"object\" || parsed === null || Array.isArray(parsed)) {\n    throw new Error(\"header must be a JSON object\");\n  }\n  const obj = parsed as Record<string, unknown>;\n  if (obj.format !== HEADER_FORMAT) {\n    throw new Error(\n      `unexpected header format: ${String(obj.format)} (expected ${HEADER_FORMAT})`,\n    );\n  }\n  if (obj.formatVersion !== HEADER_FORMAT_VERSION) {\n    throw new Error(\n      `unsupported header formatVersion: ${String(obj.formatVersion)} (this build supports ${HEADER_FORMAT_VERSION})`,\n    );\n  }\n  if (typeof obj.verifier !== \"string\" || obj.verifier.length === 0) {\n    throw new Error(\"header.verifier must be a non-empty hex string\");\n  }\n  if (!/^[0-9a-fA-F]+$/.test(obj.verifier)) {\n    throw new Error(\"header.verifier must be a hex-encoded string\");\n  }\n  // Codex P2 on PR #737: odd-length hex strings produce a malformed\n  // Buffer via `Buffer.from(hex, \"hex\")` — Node silently truncates the\n  // trailing nibble, yielding a buffer that is one byte shorter than\n  // expected. Reject odd-length strings before they reach the cipher.\n  if (obj.verifier.length % 2 !== 0) {\n    throw new Error(\n      \"header.verifier hex string must have even length (each byte encodes as two hex digits)\",\n    );\n  }\n  if (typeof obj.createdAt !== \"string\" || obj.createdAt.length === 0) {\n    throw new Error(\"header.createdAt must be a non-empty string\");\n  }\n  if (typeof obj.metadata !== \"object\" || obj.metadata === null) {\n    throw new Error(\"header.metadata must be an object\");\n  }\n  // Reuse the metadata parser for nested validation. We re-stringify\n  // the nested object and feed it through `parseMetadata` so any\n  // schema drift is caught in one place.\n  const metadata = parseMetadata(JSON.stringify(obj.metadata));\n  const header: SecureStoreHeader = {\n    format: HEADER_FORMAT,\n    formatVersion: HEADER_FORMAT_VERSION,\n    metadata,\n    verifier: obj.verifier,\n    createdAt: obj.createdAt,\n  };\n  validateHeader(header);\n  return header;\n}\n\n/** Validate a header object's invariants. Throws on the first problem. */\nexport function validateHeader(header: SecureStoreHeader): void {\n  if (header.format !== HEADER_FORMAT) {\n    throw new Error(`header.format must be ${HEADER_FORMAT}`);\n  }\n  if (header.formatVersion !== HEADER_FORMAT_VERSION) {\n    throw new Error(`header.formatVersion must be ${HEADER_FORMAT_VERSION}`);\n  }\n  if (typeof header.createdAt !== \"string\" || header.createdAt.length === 0) {\n    throw new Error(\"header.createdAt must be a non-empty ISO-8601 string\");\n  }\n  if (typeof header.verifier !== \"string\" || header.verifier.length === 0) {\n    throw new Error(\"header.verifier must be a non-empty hex string\");\n  }\n  if (!/^[0-9a-fA-F]+$/.test(header.verifier)) {\n    throw new Error(\"header.verifier must be a hex-encoded string\");\n  }\n  // Enforce even length: odd-length hex is silently truncated by\n  // `Buffer.from(hex, \"hex\")` which yields a malformed envelope.\n  if (header.verifier.length % 2 !== 0) {\n    throw new Error(\n      \"header.verifier hex string must have even length (each byte encodes as two hex digits)\",\n    );\n  }\n  // The nested metadata object is already validated by `parseMetadata`\n  // when read from disk; on the build path, `buildHeader` constructs\n  // it via `buildMetadata`. We still re-run shape validation here as\n  // a belt-and-braces guard for callers that hand-construct headers.\n  if (header.metadata.format !== \"remnic.secure-store.metadata\") {\n    throw new Error(\"header.metadata.format must be remnic.secure-store.metadata\");\n  }\n}\n\n/**\n * Verify a candidate key against the header's verifier envelope.\n *\n * Returns true iff the AES-GCM auth tag validates. Wrong passphrase,\n * tampered envelope, and tampered AAD all return false.\n */\nexport function verifyKey(header: SecureStoreHeader, candidateKey: Buffer): boolean {\n  if (!Buffer.isBuffer(candidateKey) || candidateKey.length !== KDF_KEY_LENGTH) {\n    return false;\n  }\n  const envelope = Buffer.from(header.verifier, \"hex\");\n  try {\n    const plaintext = open(candidateKey, envelope, { aad: VERIFIER_AAD });\n    return plaintext.equals(VERIFIER_PLAINTEXT);\n  } catch {\n    return false;\n  }\n}\n\n/**\n * Derive a key from the passphrase using the algorithm + params +\n * salt recorded in the header. Pure: no I/O.\n */\nexport function deriveKeyFromHeader(header: SecureStoreHeader, passphrase: string): Buffer {\n  const salt = decodeMetadataSalt(header.metadata);\n  // Cursor low on PR #737: a previous version branched on the\n  // algorithm and returned `header.metadata.kdf.params` from both\n  // arms — a no-op conditional. Pass the discriminated union member\n  // through directly; `deriveKey` performs the algorithm dispatch.\n  const params: ScryptParams | Argon2idParams = header.metadata.kdf.params;\n  return deriveKey(header.metadata.kdf.algorithm, passphrase, salt, params);\n}\n\n/**\n * Read and parse the header at `<memoryDir>/.secure-store/header.json`.\n * Returns `null` if the file does not exist; throws on malformed\n * content.\n */\nexport async function readHeader(memoryDir: string): Promise<SecureStoreHeader | null> {\n  const target = headerPath(memoryDir);\n  let raw: string;\n  try {\n    raw = await readFile(target, \"utf8\");\n  } catch (e) {\n    if ((e as NodeJS.ErrnoException).code === \"ENOENT\") {\n      return null;\n    }\n    throw e;\n  }\n  return parseHeader(raw);\n}\n\n/**\n * Write the header with atomic exclusive-create semantics.\n *\n * Uses the `wx` flag (`O_CREAT | O_EXCL`) so the OS rejects the call\n * atomically when the file already exists. Two concurrent\n * `secure-store init` invocations cannot both observe \"missing\" and\n * race to overwrite each other — the second writer reliably gets\n * `EEXIST` and surfaces \"Refusing to overwrite\".\n *\n * Codex P1 on PR #737: a previous version pre-checked existence with\n * `readFile` then `writeFile`+`rename`, which is a check-then-act\n * race. The `wx` flag closes that window at the kernel layer.\n *\n * Crash safety: if the write is interrupted mid-flight, a partial\n * `header.json` may remain on disk. `parseHeader` rejects partial\n * files cleanly and the operator can delete the stub and retry. We\n * don't use temp+rename here because (a) headers are tiny (≤ 1 KiB),\n * (b) there is no prior valid file to destroy, and (c) `wx` already\n * gives us atomic exclusivity — the rename trick (CLAUDE.md gotcha\n * #54) is for replacing an existing valid file, which is exactly the\n * scenario this function refuses.\n */\nexport async function writeHeader(memoryDir: string, header: SecureStoreHeader): Promise<string> {\n  validateHeader(header);\n  const dir = secureStoreDir(memoryDir);\n  await mkdir(dir, { recursive: true });\n  const target = headerPath(memoryDir);\n  try {\n    await writeFile(target, serializeHeader(header), {\n      encoding: \"utf8\",\n      mode: 0o600,\n      flag: \"wx\",\n    });\n  } catch (e) {\n    if ((e as NodeJS.ErrnoException).code === \"EEXIST\") {\n      throw new Error(\n        `secure-store header already exists at ${target}. Refusing to overwrite — initialize a fresh store or remove the existing header explicitly.`,\n      );\n    }\n    throw e;\n  }\n  return target;\n}\n\n/** Convenience: build metadata + header in one call from a passphrase. */\nexport function buildHeaderFromPassphrase(options: {\n  passphrase: string;\n  salt: Buffer;\n  /** Optional override; defaults to Argon2id with `DEFAULT_ARGON2ID_PARAMS`. */\n  algorithm?: \"scrypt\" | \"argon2id\";\n  params?: ScryptParams | Argon2idParams;\n  createdAt?: string;\n  note?: string;\n}): { header: SecureStoreHeader; derivedKey: Buffer } {\n  const { passphrase, salt } = options;\n  const algorithm = options.algorithm ?? \"argon2id\";\n  const metadataOpts: {\n    algorithm: \"scrypt\" | \"argon2id\";\n    salt: Buffer;\n    params?: ScryptParams | Argon2idParams;\n    createdAt?: string;\n    note?: string;\n  } = { algorithm, salt };\n  if (options.params !== undefined) metadataOpts.params = options.params;\n  if (options.createdAt !== undefined) metadataOpts.createdAt = options.createdAt;\n  if (options.note !== undefined) metadataOpts.note = options.note;\n  const metadata = buildMetadata(metadataOpts);\n  // Cursor low on PR #737: same identical-branches ternary as in\n  // `deriveKeyFromHeader`. The discriminated union already carries\n  // the right shape; `deriveKey` dispatches on `algorithm`.\n  const params: ScryptParams | Argon2idParams = metadata.kdf.params;\n  const derivedKey = deriveKey(algorithm, passphrase, salt, params);\n  const headerOpts: { metadata: SecureStoreMetadata; derivedKey: Buffer; createdAt?: string } = {\n    metadata,\n    derivedKey,\n  };\n  if (options.createdAt !== undefined) headerOpts.createdAt = options.createdAt;\n  const header = buildHeader(headerOpts);\n  return { header, derivedKey };\n}\n","/**\n * In-memory keyring for the secure-store module (issue #690 PR 2/4).\n *\n * Holds derived AES-256-GCM master keys for unlocked stores. The\n * keyring is process-local: keys are NEVER persisted to disk, never\n * logged, and never serialized. A daemon restart re-locks every\n * registered store.\n *\n * Scoping\n * -------\n * Entries are keyed by a stable string id (typically the absolute\n * path to the secure-store directory, after `~` expansion). This\n * lets multiple memory roots share a single daemon process without\n * one store's key bleeding into another (matches the per-`serviceId`\n * scoping discipline called out in CLAUDE.md gotcha #11).\n *\n * Lifecycle\n * ---------\n *   - `unlock(id, key)` — register a derived key.\n *   - `getKey(id)` — read a registered key (or `null`).\n *   - `lock(id)` — clear a single entry, zeroing the key bytes.\n *   - `lockAll()` — clear every entry, zeroing every key.\n *   - `status(id)` — non-secret status snapshot for `secure-store\n *     status`.\n *\n * Zeroization\n * -----------\n * `lock` and `lockAll` overwrite the key buffer with zeros before\n * dropping the reference. The JS engine may keep additional copies\n * outside our control; this is best-effort hygiene, not a defense\n * against memory-dump attacks.\n */\n\nconst ENTRIES = new Map<string, KeyringEntry>();\n\n/** A single unlocked store. The key buffer is never copied out. */\ninterface KeyringEntry {\n  key: Buffer;\n  unlockedAt: string;\n}\n\n/** Status snapshot — no secret material. */\nexport interface KeyringStatus {\n  /** True iff a key is currently registered for this id. */\n  unlocked: boolean;\n  /** ISO-8601 timestamp the key was registered, or null when locked. */\n  unlockedAt: string | null;\n}\n\n/**\n * Register a derived key for the given id. If an entry already\n * exists, its old key is zeroed before being replaced.\n *\n * The caller MUST pass an exclusive 32-byte buffer; the keyring\n * takes ownership and will zero it on lock.\n */\nexport function unlock(id: string, key: Buffer, now: () => Date = () => new Date()): void {\n  if (typeof id !== \"string\" || id.length === 0) {\n    throw new Error(\"keyring id must be a non-empty string\");\n  }\n  if (!Buffer.isBuffer(key) || key.length !== 32) {\n    throw new Error(`keyring key must be a 32-byte Buffer, got length=${key?.length ?? \"non-buffer\"}`);\n  }\n  const existing = ENTRIES.get(id);\n  if (existing) {\n    existing.key.fill(0);\n  }\n  ENTRIES.set(id, { key, unlockedAt: now().toISOString() });\n}\n\n/** Read the registered key for `id`, or `null` if locked. */\nexport function getKey(id: string): Buffer | null {\n  const entry = ENTRIES.get(id);\n  return entry ? entry.key : null;\n}\n\n/** Clear a single entry. Zeros the underlying buffer. Returns true if cleared. */\nexport function lock(id: string): boolean {\n  const entry = ENTRIES.get(id);\n  if (!entry) return false;\n  entry.key.fill(0);\n  ENTRIES.delete(id);\n  return true;\n}\n\n/** Clear every registered key. Used on shutdown or for tests. */\nexport function lockAll(): void {\n  for (const entry of ENTRIES.values()) {\n    entry.key.fill(0);\n  }\n  ENTRIES.clear();\n}\n\n/** Non-secret status snapshot. */\nexport function status(id: string): KeyringStatus {\n  const entry = ENTRIES.get(id);\n  if (!entry) {\n    return { unlocked: false, unlockedAt: null };\n  }\n  return { unlocked: true, unlockedAt: entry.unlockedAt };\n}\n\n/** Test-only helper: how many entries are currently registered. */\nexport function size(): number {\n  return ENTRIES.size;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAiCA,SAAS,OAAO,UAAU,iBAAiB;AAC3C,OAAO,UAAU;AAmBV,IAAM,wBAAwB;AAG9B,IAAM,kBAAkB;AAGxB,IAAM,gBAAgB;AAGtB,IAAM,wBAAwB;AAW9B,IAAM,qBAAqB,OAAO,KAAK,0BAA0B,MAAM;AAG9E,IAAM,eAAe,OAAO,KAAK,gCAAgC,MAAM;AAchE,SAAS,eAAe,WAA2B;AACxD,SAAO,KAAK,KAAK,WAAW,qBAAqB;AACnD;AAGO,SAAS,WAAW,WAA2B;AACpD,SAAO,KAAK,KAAK,eAAe,SAAS,GAAG,eAAe;AAC7D;AAOO,SAAS,YAAY,SAIN;AACpB,QAAM,EAAE,UAAU,WAAW,IAAI;AACjC,MAAI,CAAC,OAAO,SAAS,UAAU,KAAK,WAAW,WAAW,gBAAgB;AACxE,UAAM,IAAI;AAAA,MACR,wBAAwB,cAAc,4BAA4B,YAAY,UAAU,YAAY;AAAA,IACtG;AAAA,EACF;AACA,QAAM,OAAO,mBAAmB,QAAQ;AACxC,MAAI,KAAK,WAAW,iBAAiB;AACnC,UAAM,IAAI,MAAM,oBAAoB,KAAK,MAAM,oBAAoB,eAAe,EAAE;AAAA,EACtF;AACA,QAAM,WAAW,KAAK,YAAY,MAAM,oBAAoB,EAAE,KAAK,aAAa,CAAC;AACjF,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,eAAe;AAAA,IACf;AAAA,IACA,UAAU,SAAS,SAAS,KAAK;AAAA,IACjC,WAAW,QAAQ,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,EACzD;AACF;AAGO,SAAS,gBAAgB,QAAmC;AACjE,iBAAe,MAAM;AAGrB,QAAM,iBAAiB,kBAAkB,OAAO,QAAQ;AACxD,QAAM,iBAAiB,KAAK,MAAM,cAAc;AAChD,QAAM,UAAU;AAAA,IACd,QAAQ,OAAO;AAAA,IACf,eAAe,OAAO;AAAA,IACtB,UAAU;AAAA,IACV,UAAU,OAAO;AAAA,IACjB,WAAW,OAAO;AAAA,EACpB;AACA,SAAO,KAAK,UAAU,SAAS,MAAM,CAAC;AACxC;AAGO,SAAS,YAAY,MAAiC;AAC3D,MAAI,OAAO,SAAS,UAAU;AAC5B,UAAM,IAAI,MAAM,+BAA+B;AAAA,EACjD;AACA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,IAAI;AAAA,EAC1B,SAAS,GAAG;AACV,UAAM,MAAM,aAAa,QAAQ,EAAE,UAAU,OAAO,CAAC;AACrD,UAAM,IAAI,MAAM,6BAA6B,GAAG,EAAE;AAAA,EACpD;AACA,MAAI,OAAO,WAAW,YAAY,WAAW,QAAQ,MAAM,QAAQ,MAAM,GAAG;AAC1E,UAAM,IAAI,MAAM,8BAA8B;AAAA,EAChD;AACA,QAAM,MAAM;AACZ,MAAI,IAAI,WAAW,eAAe;AAChC,UAAM,IAAI;AAAA,MACR,6BAA6B,OAAO,IAAI,MAAM,CAAC,cAAc,aAAa;AAAA,IAC5E;AAAA,EACF;AACA,MAAI,IAAI,kBAAkB,uBAAuB;AAC/C,UAAM,IAAI;AAAA,MACR,qCAAqC,OAAO,IAAI,aAAa,CAAC,yBAAyB,qBAAqB;AAAA,IAC9G;AAAA,EACF;AACA,MAAI,OAAO,IAAI,aAAa,YAAY,IAAI,SAAS,WAAW,GAAG;AACjE,UAAM,IAAI,MAAM,gDAAgD;AAAA,EAClE;AACA,MAAI,CAAC,iBAAiB,KAAK,IAAI,QAAQ,GAAG;AACxC,UAAM,IAAI,MAAM,8CAA8C;AAAA,EAChE;AAKA,MAAI,IAAI,SAAS,SAAS,MAAM,GAAG;AACjC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,OAAO,IAAI,cAAc,YAAY,IAAI,UAAU,WAAW,GAAG;AACnE,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AACA,MAAI,OAAO,IAAI,aAAa,YAAY,IAAI,aAAa,MAAM;AAC7D,UAAM,IAAI,MAAM,mCAAmC;AAAA,EACrD;AAIA,QAAM,WAAW,cAAc,KAAK,UAAU,IAAI,QAAQ,CAAC;AAC3D,QAAM,SAA4B;AAAA,IAChC,QAAQ;AAAA,IACR,eAAe;AAAA,IACf;AAAA,IACA,UAAU,IAAI;AAAA,IACd,WAAW,IAAI;AAAA,EACjB;AACA,iBAAe,MAAM;AACrB,SAAO;AACT;AAGO,SAAS,eAAe,QAAiC;AAC9D,MAAI,OAAO,WAAW,eAAe;AACnC,UAAM,IAAI,MAAM,yBAAyB,aAAa,EAAE;AAAA,EAC1D;AACA,MAAI,OAAO,kBAAkB,uBAAuB;AAClD,UAAM,IAAI,MAAM,gCAAgC,qBAAqB,EAAE;AAAA,EACzE;AACA,MAAI,OAAO,OAAO,cAAc,YAAY,OAAO,UAAU,WAAW,GAAG;AACzE,UAAM,IAAI,MAAM,sDAAsD;AAAA,EACxE;AACA,MAAI,OAAO,OAAO,aAAa,YAAY,OAAO,SAAS,WAAW,GAAG;AACvE,UAAM,IAAI,MAAM,gDAAgD;AAAA,EAClE;AACA,MAAI,CAAC,iBAAiB,KAAK,OAAO,QAAQ,GAAG;AAC3C,UAAM,IAAI,MAAM,8CAA8C;AAAA,EAChE;AAGA,MAAI,OAAO,SAAS,SAAS,MAAM,GAAG;AACpC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAKA,MAAI,OAAO,SAAS,WAAW,gCAAgC;AAC7D,UAAM,IAAI,MAAM,6DAA6D;AAAA,EAC/E;AACF;AAQO,SAAS,UAAU,QAA2B,cAA+B;AAClF,MAAI,CAAC,OAAO,SAAS,YAAY,KAAK,aAAa,WAAW,gBAAgB;AAC5E,WAAO;AAAA,EACT;AACA,QAAM,WAAW,OAAO,KAAK,OAAO,UAAU,KAAK;AACnD,MAAI;AACF,UAAM,YAAY,KAAK,cAAc,UAAU,EAAE,KAAK,aAAa,CAAC;AACpE,WAAO,UAAU,OAAO,kBAAkB;AAAA,EAC5C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMO,SAAS,oBAAoB,QAA2B,YAA4B;AACzF,QAAM,OAAO,mBAAmB,OAAO,QAAQ;AAK/C,QAAM,SAAwC,OAAO,SAAS,IAAI;AAClE,SAAO,UAAU,OAAO,SAAS,IAAI,WAAW,YAAY,MAAM,MAAM;AAC1E;AAOA,eAAsB,WAAW,WAAsD;AACrF,QAAM,SAAS,WAAW,SAAS;AACnC,MAAI;AACJ,MAAI;AACF,UAAM,MAAM,SAAS,QAAQ,MAAM;AAAA,EACrC,SAAS,GAAG;AACV,QAAK,EAA4B,SAAS,UAAU;AAClD,aAAO;AAAA,IACT;AACA,UAAM;AAAA,EACR;AACA,SAAO,YAAY,GAAG;AACxB;AAwBA,eAAsB,YAAY,WAAmB,QAA4C;AAC/F,iBAAe,MAAM;AACrB,QAAM,MAAM,eAAe,SAAS;AACpC,QAAM,MAAM,KAAK,EAAE,WAAW,KAAK,CAAC;AACpC,QAAM,SAAS,WAAW,SAAS;AACnC,MAAI;AACF,UAAM,UAAU,QAAQ,gBAAgB,MAAM,GAAG;AAAA,MAC/C,UAAU;AAAA,MACV,MAAM;AAAA,MACN,MAAM;AAAA,IACR,CAAC;AAAA,EACH,SAAS,GAAG;AACV,QAAK,EAA4B,SAAS,UAAU;AAClD,YAAM,IAAI;AAAA,QACR,yCAAyC,MAAM;AAAA,MACjD;AAAA,IACF;AACA,UAAM;AAAA,EACR;AACA,SAAO;AACT;AAGO,SAAS,0BAA0B,SAQY;AACpD,QAAM,EAAE,YAAY,KAAK,IAAI;AAC7B,QAAM,YAAY,QAAQ,aAAa;AACvC,QAAM,eAMF,EAAE,WAAW,KAAK;AACtB,MAAI,QAAQ,WAAW,OAAW,cAAa,SAAS,QAAQ;AAChE,MAAI,QAAQ,cAAc,OAAW,cAAa,YAAY,QAAQ;AACtE,MAAI,QAAQ,SAAS,OAAW,cAAa,OAAO,QAAQ;AAC5D,QAAM,WAAW,cAAc,YAAY;AAI3C,QAAM,SAAwC,SAAS,IAAI;AAC3D,QAAM,aAAa,UAAU,WAAW,YAAY,MAAM,MAAM;AAChE,QAAM,aAAwF;AAAA,IAC5F;AAAA,IACA;AAAA,EACF;AACA,MAAI,QAAQ,cAAc,OAAW,YAAW,YAAY,QAAQ;AACpE,QAAM,SAAS,YAAY,UAAU;AACrC,SAAO,EAAE,QAAQ,WAAW;AAC9B;;;ACpXA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAiCA,IAAM,UAAU,oBAAI,IAA0B;AAuBvC,SAAS,OAAO,IAAY,KAAa,MAAkB,MAAM,oBAAI,KAAK,GAAS;AACxF,MAAI,OAAO,OAAO,YAAY,GAAG,WAAW,GAAG;AAC7C,UAAM,IAAI,MAAM,uCAAuC;AAAA,EACzD;AACA,MAAI,CAAC,OAAO,SAAS,GAAG,KAAK,IAAI,WAAW,IAAI;AAC9C,UAAM,IAAI,MAAM,oDAAoD,KAAK,UAAU,YAAY,EAAE;AAAA,EACnG;AACA,QAAM,WAAW,QAAQ,IAAI,EAAE;AAC/B,MAAI,UAAU;AACZ,aAAS,IAAI,KAAK,CAAC;AAAA,EACrB;AACA,UAAQ,IAAI,IAAI,EAAE,KAAK,YAAY,IAAI,EAAE,YAAY,EAAE,CAAC;AAC1D;AAGO,SAAS,OAAO,IAA2B;AAChD,QAAM,QAAQ,QAAQ,IAAI,EAAE;AAC5B,SAAO,QAAQ,MAAM,MAAM;AAC7B;AAGO,SAAS,KAAK,IAAqB;AACxC,QAAM,QAAQ,QAAQ,IAAI,EAAE;AAC5B,MAAI,CAAC,MAAO,QAAO;AACnB,QAAM,IAAI,KAAK,CAAC;AAChB,UAAQ,OAAO,EAAE;AACjB,SAAO;AACT;AAGO,SAAS,UAAgB;AAC9B,aAAW,SAAS,QAAQ,OAAO,GAAG;AACpC,UAAM,IAAI,KAAK,CAAC;AAAA,EAClB;AACA,UAAQ,MAAM;AAChB;AAGO,SAAS,OAAO,IAA2B;AAChD,QAAM,QAAQ,QAAQ,IAAI,EAAE;AAC5B,MAAI,CAAC,OAAO;AACV,WAAO,EAAE,UAAU,OAAO,YAAY,KAAK;AAAA,EAC7C;AACA,SAAO,EAAE,UAAU,MAAM,YAAY,MAAM,WAAW;AACxD;AAGO,SAAS,OAAe;AAC7B,SAAO,QAAQ;AACjB;","names":[]}