@remnic/core 9.3.544 → 9.3.545

package/src/secure-store/secure-store.test.ts

@@ -14,11 +14,11 @@
  * silently regress them.
  */
 
-import { PassThrough } from "node:stream";
-import { mkdir, mkdtemp, readFile, rm, writeFile } from "node:fs/promises";
+import assert from "node:assert/strict";
+import { mkdir, mkdtemp, readFile, rm, symlink, writeFile } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import path from "node:path";
-import assert from "node:assert/strict";
+import { PassThrough } from "node:stream";
 import test from "node:test";
 
 import {
@@ -32,6 +32,7 @@ import {
   parseEnvelope,
   seal,
 } from "./cipher.js";
+import { renderInitReport, renderLockReport, renderStatusReport, renderUnlockReport } from "./cli-renderer.js";
 import {
   HEADER_FORMAT,
   HEADER_FORMAT_VERSION,
@@ -40,30 +41,18 @@ import {
   validateHeader,
 } from "./header.js";
 import {
-  FILE_FORMAT_FLAGS,
-  FILE_FORMAT_VERSION,
-  MAGIC_BYTES,
-  SecureStoreDecryptError,
-  decryptFileBody,
-  decryptMemoryDirToPlaintext,
-  encryptFileBody,
-  filePathAad,
-  migrateMemoryDirToEncrypted,
-  readMaybeEncryptedFile,
-} from "./secure-fs.js";
-import {
+  type Argon2idParams,
   DEFAULT_ARGON2ID_PARAMS,
   DEFAULT_SCRYPT_PARAMS,
   KDF_KEY_LENGTH,
   KDF_SALT_LENGTH,
+  type ScryptParams,
   constantTimeEqual,
   deriveKey,
   deriveKeyArgon2id,
   deriveKeyScrypt,
   validateArgon2idParams,
   validateScryptParams,
-  type Argon2idParams,
-  type ScryptParams,
 } from "./kdf.js";
 import {
   METADATA_FORMAT,
@@ -76,11 +65,18 @@ import {
 } from "./metadata.js";
 import { createPassphraseReader } from "./passphrase-reader.js";
 import {
-  renderInitReport,
-  renderLockReport,
-  renderStatusReport,
-  renderUnlockReport,
-} from "./cli-renderer.js";
+  FILE_FORMAT_FLAGS,
+  FILE_FORMAT_VERSION,
+  MAGIC_BYTES,
+  SecureStoreDecryptError,
+  decryptFileBody,
+  decryptMemoryDirToPlaintext,
+  encryptFileBody,
+  filePathAad,
+  isEncryptedFile,
+  migrateMemoryDirToEncrypted,
+  readMaybeEncryptedFile,
+} from "./secure-fs.js";
 
 /** Cheap scrypt params for tests — still hex-correct but ~milliseconds. */
 const FAST_SCRYPT: ScryptParams = {
@@ -153,7 +149,7 @@ test("secure-store CLI renderers describe process-local unlock scope, not daemon
       unlockedAt: "2026-05-21T00:00:01.000Z",
       algorithm: "scrypt",
     }),
-    /unlocked in this process/,
+    /unlocked in this process/
   );
   assert.match(renderLockReport({ ok: true, cleared: true }), /this process's in-memory keyring/);
   assert.match(
@@ -169,7 +165,7 @@ test("secure-store CLI renderers describe process-local unlock scope, not daemon
         salt: Buffer.alloc(KDF_SALT_LENGTH, 0x22).toString("hex"),
       },
     }),
-    /lockedInThisProcess: no/,
+    /lockedInThisProcess: no/
   );
 });
 
@@ -179,10 +175,7 @@ test("deriveKeyScrypt rejects empty passphrase", () => {
 });
 
 test("deriveKeyScrypt rejects too-short salt", () => {
-  assert.throws(
-    () => deriveKeyScrypt("pw", Buffer.alloc(4, 0), FAST_SCRYPT),
-    /salt/,
-  );
+  assert.throws(() => deriveKeyScrypt("pw", Buffer.alloc(4, 0), FAST_SCRYPT), /salt/);
 });
 
 test("deriveKey('scrypt') dispatches to scryptSync", () => {
@@ -219,29 +212,14 @@ test("deriveKey('argon2id') dispatches to Argon2id", () => {
 });
 
 test("validateArgon2idParams rejects invalid values", () => {
-  assert.throws(
-    () => validateArgon2idParams({ ...FAST_ARGON2ID, memoryKiB: 0 }),
-    /memoryKiB/,
-  );
-  assert.throws(
-    () => validateArgon2idParams({ ...FAST_ARGON2ID, iterations: 0 }),
-    /iterations/,
-  );
-  assert.throws(
-    () => validateArgon2idParams({ ...FAST_ARGON2ID, parallelism: 0 }),
-    /parallelism/,
-  );
-  assert.throws(
-    () => validateArgon2idParams({ ...FAST_ARGON2ID, keyLength: 16 }),
-    /keyLength/,
-  );
+  assert.throws(() => validateArgon2idParams({ ...FAST_ARGON2ID, memoryKiB: 0 }), /memoryKiB/);
+  assert.throws(() => validateArgon2idParams({ ...FAST_ARGON2ID, iterations: 0 }), /iterations/);
+  assert.throws(() => validateArgon2idParams({ ...FAST_ARGON2ID, parallelism: 0 }), /parallelism/);
+  assert.throws(() => validateArgon2idParams({ ...FAST_ARGON2ID, keyLength: 16 }), /keyLength/);
 });
 
 test("validateScryptParams rejects non-power-of-2 N", () => {
-  assert.throws(
-    () => validateScryptParams({ ...FAST_SCRYPT, N: 1000 }),
-    /power of 2/,
-  );
+  assert.throws(() => validateScryptParams({ ...FAST_SCRYPT, N: 1000 }), /power of 2/);
 });
 
 test("validateScryptParams rejects N < 2", () => {
@@ -312,7 +290,7 @@ test("decryptFileBody reports truncated envelopes as structural errors", () => {
       assert.equal(error instanceof SecureStoreDecryptError, false);
       assert.match(error.message, /envelope too short/);
       return true;
-    },
+    }
   );
 });
 
@@ -335,10 +313,7 @@ test("seal envelope layout matches the documented format", () => {
   const sealed = seal(key, salt, Buffer.from("payload"));
   assert.equal(sealed[ENVELOPE_LAYOUT.version], ENVELOPE_VERSION);
   // Salt bytes round-trip exactly.
-  const saltSlice = sealed.subarray(
-    ENVELOPE_LAYOUT.salt,
-    ENVELOPE_LAYOUT.salt + ENVELOPE_SALT_LENGTH,
-  );
+  const saltSlice = sealed.subarray(ENVELOPE_LAYOUT.salt, ENVELOPE_LAYOUT.salt + ENVELOPE_SALT_LENGTH);
   assert.ok(saltSlice.equals(salt));
   // Total length = header + ciphertext("payload" is 7 bytes).
   assert.equal(sealed.length, ENVELOPE_HEADER_SIZE + 7);
@@ -419,10 +394,7 @@ test("open fails when AAD is mismatched", () => {
 
 test("seal rejects key of wrong length", () => {
   const salt = generateSalt();
-  assert.throws(
-    () => seal(Buffer.alloc(16), salt, Buffer.from("x")),
-    /AES-256-GCM/,
-  );
+  assert.throws(() => seal(Buffer.alloc(16), salt, Buffer.from("x")), /AES-256-GCM/);
 });
 
 test("seal rejects salt of wrong length", () => {
@@ -494,10 +466,7 @@ test("buildMetadata defaults createdAt to a parseable ISO string when omitted",
 });
 
 test("buildMetadata rejects salt of wrong length", () => {
-  assert.throws(
-    () => buildMetadata({ algorithm: "scrypt", salt: Buffer.alloc(8) }),
-    /salt/,
-  );
+  assert.throws(() => buildMetadata({ algorithm: "scrypt", salt: Buffer.alloc(8) }), /salt/);
 });
 
 test("parseMetadata rejects non-JSON input", () => {
@@ -600,11 +569,8 @@ test("serializeMetadata produces stable top-level key order", () => {
   const kdfIdx = json.indexOf('"kdf"');
   const createdAtIdx = json.indexOf('"createdAt"');
   assert.ok(
-    formatIdx >= 0 &&
-      formatIdx < formatVersionIdx &&
-      formatVersionIdx < kdfIdx &&
-      kdfIdx < createdAtIdx,
-    `unexpected top-level key order in: ${json}`,
+    formatIdx >= 0 && formatIdx < formatVersionIdx && formatVersionIdx < kdfIdx && kdfIdx < createdAtIdx,
+    `unexpected top-level key order in: ${json}`
   );
 });
 
@@ -641,10 +607,7 @@ test("secure-store migration keeps namespaced file AAD readable through memory r
 
     assert.equal(migrated.encrypted, 1);
     assert.deepEqual(migrated.errors, []);
-    assert.equal(
-      await readMaybeEncryptedFile(filePath, key, memoryDir),
-      "namespaced fact",
-    );
+    assert.equal(await readMaybeEncryptedFile(filePath, key, memoryDir), "namespaced fact");
 
     const decrypted = await decryptMemoryDirToPlaintext(memoryDir, key);
     assert.equal(decrypted.decrypted, 1);
@@ -655,6 +618,117 @@ test("secure-store migration keeps namespaced file AAD readable through memory r
   }
 });
 
+test("secure-store migration treats missing memory roots as empty", async () => {
+  const tempRoot = await mkdtemp(path.join(tmpdir(), "remnic-secure-store-missing-root-"));
+  try {
+    const missingMemoryDir = path.join(tempRoot, "missing-memory");
+    const key = deriveKeyScrypt("missing-root", Buffer.alloc(KDF_SALT_LENGTH, 0x55), FAST_SCRYPT);
+
+    const migrated = await migrateMemoryDirToEncrypted(missingMemoryDir, key);
+    assert.deepEqual(migrated, { encrypted: 0, skipped: 0, errors: [] });
+
+    const decrypted = await decryptMemoryDirToPlaintext(missingMemoryDir, key);
+    assert.deepEqual(decrypted, { decrypted: 0, skipped: 0, errors: [] });
+  } finally {
+    await rm(tempRoot, { recursive: true, force: true });
+  }
+});
+
+test("secure-store migration scans the normalized root for symlink dot-dot paths", async () => {
+  const tempRoot = await mkdtemp(path.join(tmpdir(), "remnic-secure-store-root-dotdot-"));
+  try {
+    const baseDir = path.join(tempRoot, "base");
+    const outsideParent = path.join(tempRoot, "outside-parent");
+    const outsideTarget = path.join(outsideParent, "target");
+    const memoryLink = path.join(baseDir, "memory-link");
+    const traversalRoot = `${memoryLink}${path.sep}..`;
+    const insideFilePath = path.join(baseDir, "facts", "note.md");
+    const outsideFilePath = path.join(outsideParent, "facts", "note.md");
+    await mkdir(path.dirname(insideFilePath), { recursive: true });
+    await mkdir(path.dirname(outsideFilePath), { recursive: true });
+    await mkdir(outsideTarget, { recursive: true });
+    await writeFile(insideFilePath, "inside fact", "utf8");
+    await writeFile(outsideFilePath, "outside fact", "utf8");
+    await symlink(outsideTarget, memoryLink, "dir");
+
+    const key = deriveKeyScrypt("dotdot-root-symlink", Buffer.alloc(KDF_SALT_LENGTH, 0x56), FAST_SCRYPT);
+    const migrated = await migrateMemoryDirToEncrypted(traversalRoot, key);
+
+    assert.equal(migrated.encrypted, 1);
+    assert.equal(isEncryptedFile(await readFile(insideFilePath)), true);
+    assert.equal(await readFile(outsideFilePath, "utf8"), "outside fact");
+
+    const decrypted = await decryptMemoryDirToPlaintext(traversalRoot, key);
+    assert.equal(decrypted.decrypted, 1);
+    assert.equal(await readFile(insideFilePath, "utf8"), "inside fact");
+    assert.equal(await readFile(outsideFilePath, "utf8"), "outside fact");
+  } finally {
+    await rm(tempRoot, { recursive: true, force: true });
+  }
+});
+
+test("secure-store migration rejects symlinked memory roots without rewriting the target", async () => {
+  const tempRoot = await mkdtemp(path.join(tmpdir(), "remnic-secure-store-root-symlink-"));
+  try {
+    const outsideDir = path.join(tempRoot, "outside");
+    const memoryDir = path.join(tempRoot, "memory-link");
+    const filePath = path.join(outsideDir, "facts", "note.md");
+    await mkdir(path.dirname(filePath), { recursive: true });
+    await writeFile(filePath, "outside fact", "utf8");
+    await symlink(outsideDir, memoryDir, "dir");
+
+    const key = deriveKeyScrypt("root-symlink", Buffer.alloc(KDF_SALT_LENGTH, 0x66), FAST_SCRYPT);
+    await assert.rejects(
+      () => migrateMemoryDirToEncrypted(`${memoryDir}${path.sep}`, key),
+      /root must not be a symlink/
+    );
+    await assert.rejects(
+      () => migrateMemoryDirToEncrypted(`${memoryDir}${path.sep}.`, key),
+      /root must not be a symlink/
+    );
+
+    assert.equal(await readFile(filePath, "utf8"), "outside fact");
+  } finally {
+    await rm(tempRoot, { recursive: true, force: true });
+  }
+});
+
+test("secure-store plaintext migration rejects symlinked memory roots without rewriting the target", async () => {
+  const tempRoot = await mkdtemp(path.join(tmpdir(), "remnic-secure-store-decrypt-root-symlink-"));
+  try {
+    const outsideDir = path.join(tempRoot, "outside");
+    const memoryDir = path.join(tempRoot, "memory-link");
+    const realFilePath = path.join(outsideDir, "facts", "note.md");
+    const linkedFilePath = path.join(memoryDir, "facts", "note.md");
+    await mkdir(path.dirname(realFilePath), { recursive: true });
+    await symlink(outsideDir, memoryDir, "dir");
+
+    const key = deriveKeyScrypt("decrypt-root-symlink", Buffer.alloc(KDF_SALT_LENGTH, 0x77), FAST_SCRYPT);
+    await writeFile(
+      realFilePath,
+      encryptFileBody("outside encrypted fact", key, filePathAad(linkedFilePath, memoryDir))
+    );
+
+    await assert.rejects(
+      () => decryptMemoryDirToPlaintext(`${memoryDir}${path.sep}`, key),
+      /root must not be a symlink/
+    );
+    await assert.rejects(
+      () => decryptMemoryDirToPlaintext(`${memoryDir}${path.sep}.`, key),
+      /root must not be a symlink/
+    );
+
+    const stillEncrypted = await readFile(realFilePath);
+    assert.equal(isEncryptedFile(stillEncrypted), true);
+    assert.equal(
+      decryptFileBody(stillEncrypted, key, filePathAad(linkedFilePath, memoryDir)).toString("utf8"),
+      "outside encrypted fact"
+    );
+  } finally {
+    await rm(tempRoot, { recursive: true, force: true });
+  }
+});
+
 test("secure-store can recover namespaced files encrypted with legacy namespace AAD", async () => {
   const memoryDir = await mkdtemp(path.join(tmpdir(), "remnic-secure-store-legacy-aad-"));
   try {
@@ -663,17 +737,10 @@ test("secure-store can recover namespaced files encrypted with legacy namespace
     await mkdir(path.dirname(filePath), { recursive: true });
 
     const key = deriveKeyScrypt("legacy-namespace-aad", Buffer.alloc(KDF_SALT_LENGTH, 0x55), FAST_SCRYPT);
-    const legacyEncrypted = encryptFileBody(
-      "legacy namespaced fact",
-      key,
-      filePathAad(filePath, namespaceRoot),
-    );
+    const legacyEncrypted = encryptFileBody("legacy namespaced fact", key, filePathAad(filePath, namespaceRoot));
     await writeFile(filePath, legacyEncrypted);
 
-    assert.equal(
-      await readMaybeEncryptedFile(filePath, key, memoryDir),
-      "legacy namespaced fact",
-    );
+    assert.equal(await readMaybeEncryptedFile(filePath, key, memoryDir), "legacy namespaced fact");
 
     const decrypted = await decryptMemoryDirToPlaintext(memoryDir, key);
     assert.equal(decrypted.decrypted, 1);
@@ -703,7 +770,7 @@ test("metadata rejects keyLength != 32 (codex P2 — match cipher AES-256)", ()
   meta.kdf.params.keyLength = 16;
   assert.throws(
     () => validateMetadata(meta as unknown as Parameters<typeof validateMetadata>[0]),
-    /keyLength must be 32/,
+    /keyLength must be 32/
   );
 });
 
@@ -722,16 +789,11 @@ test("parseHeader rejects odd-length verifier hex (thread 6 — even-length guar
   const badJson = JSON.stringify({
     format: HEADER_FORMAT,
     formatVersion: HEADER_FORMAT_VERSION,
-    metadata: JSON.parse(
-      JSON.stringify(header.metadata),
-    ),
+    metadata: JSON.parse(JSON.stringify(header.metadata)),
     verifier: header.verifier.slice(0, -1), // odd length
     createdAt: header.createdAt,
   });
-  assert.throws(
-    () => parseHeader(badJson),
-    /even length|even/i,
-  );
+  assert.throws(() => parseHeader(badJson), /even length|even/i);
 });
 
 test("validateHeader rejects odd-length verifier hex (thread 6 — even-length guard)", () => {
@@ -743,10 +805,7 @@ test("validateHeader rejects odd-length verifier hex (thread 6 — even-length g
     params: { N: 1 << 10, r: 8, p: 1, keyLength: 32, maxmem: 64 * 1024 * 1024 },
   });
   const bad = { ...header, verifier: header.verifier.slice(0, -1) }; // odd length
-  assert.throws(
-    () => validateHeader(bad),
-    /even length|even/i,
-  );
+  assert.throws(() => validateHeader(bad), /even length|even/i);
 });
 
 test("parseHeader rejects non-hex characters in verifier (thread 6)", () => {
@@ -761,13 +820,10 @@ test("parseHeader rejects non-hex characters in verifier (thread 6)", () => {
     format: HEADER_FORMAT,
     formatVersion: HEADER_FORMAT_VERSION,
     metadata: JSON.parse(JSON.stringify(header.metadata)),
-    verifier: "zz" + header.verifier.slice(2), // non-hex prefix
+    verifier: `zz${header.verifier.slice(2)}`, // non-hex prefix
     createdAt: header.createdAt,
   });
-  assert.throws(
-    () => parseHeader(badJson),
-    /hex/i,
-  );
+  assert.throws(() => parseHeader(badJson), /hex/i);
 });
 
 // ─── passphrase-reader.ts — Thread 5: prompts to stderr (#737) ──────────
@@ -800,13 +856,10 @@ test("non-TTY prompt is written to errorStream, not output (thread 5)", async ()
   // The prompt must appear on stderr, not stdout.
   const stderr = stderrChunks.join("");
   const stdout = stdoutChunks.join("");
-  assert.ok(
-    stderr.includes("Enter passphrase: "),
-    `expected prompt on stderr but got: ${JSON.stringify(stderr)}`,
-  );
+  assert.ok(stderr.includes("Enter passphrase: "), `expected prompt on stderr but got: ${JSON.stringify(stderr)}`);
   assert.ok(
     !stdout.includes("Enter passphrase: "),
-    `prompt must not appear on stdout but got: ${JSON.stringify(stdout)}`,
+    `prompt must not appear on stdout but got: ${JSON.stringify(stdout)}`
   );
 });
 
@@ -850,11 +903,7 @@ test("backspace removes full non-BMP (emoji) code point atomically (thread 7)",
 
   const result = await readPromise;
 
-  assert.equal(
-    result,
-    "a",
-    `expected 'a' after backspace removed the emoji, but got: ${JSON.stringify(result)}`,
-  );
+  assert.equal(result, "a", `expected 'a' after backspace removed the emoji, but got: ${JSON.stringify(result)}`);
 });
 
 test("backspace on BMP character removes exactly one character (thread 7 — regression)", async () => {

package/dist/chunk-73JGZ5VA.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/secure-store/secure-fs.ts"],"sourcesContent":["/**\n * Transparent file-level encryption for the secure-store module.\n *\n * Issue #690 (PR 3/4) — storage.ts integration layer.\n *\n * This module sits between the raw filesystem and StorageManager.\n * Every memory file is either:\n *   - a plain UTF-8 text file (legacy, back-compat), or\n *   - a REMNIC-ENC sealed file (AES-256-GCM, see format below).\n *\n * On-disk format\n * --------------\n * Encrypted files begin with a 9-byte magic header:\n *\n *   REMNIC-ENC  (7 ASCII bytes)\n *   VER         (1 byte, currently 0x01)\n *   FLAGS       (1 byte, reserved, must be 0x00)\n *\n * Followed immediately by a `seal()` envelope from `cipher.ts`:\n *\n *   [VERSION:1][SALT:16][IV:12][AUTHTAG:16][CIPHERTEXT:...]\n *\n * The magic header makes encrypted files sniffable without attempting\n * a full `open()` call and gives operators a clear signal that the\n * file cannot be read by opening it in an editor.\n *\n * AAD\n * ---\n * The file path relative to the memory root is bound as Associated\n * Authenticated Data (AAD) on both encrypt and decrypt. This means\n * moving or renaming an encrypted file without re-encrypting it will\n * cause auth-tag failure on the next read — the file is tied to its\n * path. Callers that move files must re-encrypt them.\n *\n * Back-compat\n * -----------\n * `readMaybeEncryptedFile` transparently handles both formats: if the\n * file does NOT start with the magic bytes, it is returned as-is (plain\n * text). This lets an operator migrate incrementally: newly-written\n * files are encrypted while existing files continue to be read in plain\n * form until `migrateMemoryDirToEncrypted` is run.\n *\n * Naming: `secure-fs.ts` (not `vault-fs.ts`) — see `kdf.ts` naming note.\n */\n\nimport { createCipheriv, randomBytes, randomUUID } from \"node:crypto\";\nimport { lstat, mkdir, open as openFile, readFile, readdir, rename, unlink, writeFile } from \"node:fs/promises\";\nimport path from \"node:path\";\n\nimport {\n  AUTH_TAG_LENGTH,\n  ENVELOPE_HEADER_SIZE,\n  ENVELOPE_LAYOUT,\n  ENVELOPE_SALT_LENGTH,\n  ENVELOPE_VERSION,\n  IV_LENGTH,\n  generateSalt,\n  open as openEnvelope,\n  parseEnvelope,\n  seal,\n} from \"./cipher.js\";\n\n// ---------------------------------------------------------------------------\n// Error classes\n// ---------------------------------------------------------------------------\n\n/**\n * Thrown when a read is attempted but the keyring entry for this\n * store is absent (i.e. `secure-store unlock` has not been run\n * since the last daemon start).\n */\nexport class SecureStoreLockedError extends Error {\n  constructor(message = \"secure-store is locked — run `remnic secure-store unlock` to decrypt\") {\n    super(message);\n    this.name = \"SecureStoreLockedError\";\n  }\n}\n\n/**\n * Thrown when `open()` fails because the auth tag does not validate.\n * This covers both wrong-key and tampered-ciphertext scenarios —\n * intentionally indistinguishable from the caller's perspective.\n */\nexport class SecureStoreDecryptError extends Error {\n  constructor(message = \"secure-store decryption failed — wrong key or tampered ciphertext\") {\n    super(message);\n    this.name = \"SecureStoreDecryptError\";\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Magic header\n// ---------------------------------------------------------------------------\n\n/** Magic bytes: the ASCII string \"REMNIC-ENC\" (10 bytes). */\nexport const MAGIC_BYTES = Buffer.from(\"REMNIC-ENC\", \"ascii\");\n\n/** Current on-disk version byte. */\nexport const FILE_FORMAT_VERSION = 0x01;\n\n/** Reserved flags byte — must be 0x00. */\nexport const FILE_FORMAT_FLAGS = 0x00;\n\n/** Total size of the magic header prefix (magic + version + flags). */\nexport const MAGIC_HEADER_SIZE = MAGIC_BYTES.length + 2; // 12 bytes\n\n// ---------------------------------------------------------------------------\n// Detection\n// ---------------------------------------------------------------------------\n\n/**\n * Return true iff `buf` begins with the REMNIC-ENC magic header.\n * Does not validate the envelope; just identifies the format.\n */\nexport function isEncryptedFile(buf: Uint8Array): boolean {\n  if (buf.length < MAGIC_HEADER_SIZE) return false;\n  const b = Buffer.isBuffer(buf) ? buf : Buffer.from(buf);\n  return b.subarray(0, MAGIC_BYTES.length).equals(MAGIC_BYTES);\n}\n\n// ---------------------------------------------------------------------------\n// Encrypt / decrypt file body\n// ---------------------------------------------------------------------------\n\n/**\n * Encrypt `plain` (UTF-8 content of a memory file) and return a\n * Buffer ready to write to disk.\n *\n * @param plain  Plain-text file content (UTF-8 string or Buffer).\n * @param key    32-byte AES-256 key from the keyring.\n * @param aad    Optional associated data — defaults to empty if omitted.\n *               Callers should pass the file path relative to memoryDir\n *               so the ciphertext is bound to its location.\n */\nexport function encryptFileBody(plain: string | Buffer, key: Buffer, aad?: Buffer): Buffer {\n  const plainBuf = typeof plain === \"string\" ? Buffer.from(plain, \"utf8\") : plain;\n  const salt = generateSalt();\n  const envelope = seal(key, salt, plainBuf, aad ? { aad } : {});\n\n  const header = Buffer.alloc(MAGIC_HEADER_SIZE);\n  MAGIC_BYTES.copy(header, 0);\n  header.writeUInt8(FILE_FORMAT_VERSION, MAGIC_BYTES.length);\n  header.writeUInt8(FILE_FORMAT_FLAGS, MAGIC_BYTES.length + 1);\n\n  return Buffer.concat([header, envelope]);\n}\n\n/**\n * Decrypt a buffer produced by `encryptFileBody` and return the\n * original UTF-8 content.\n *\n * Throws `SecureStoreDecryptError` on auth failure (wrong key or\n * tampered ciphertext). Throws a plain `Error` for structural problems\n * (truncated buffer, wrong magic, unsupported version).\n */\nexport function decryptFileBody(buf: Buffer, key: Buffer, aad?: Buffer): Buffer {\n  if (!isEncryptedFile(buf)) {\n    throw new Error(\"decryptFileBody: buffer does not start with REMNIC-ENC magic header\");\n  }\n  const version = buf.readUInt8(MAGIC_BYTES.length);\n  if (version !== FILE_FORMAT_VERSION) {\n    throw new Error(\n      `decryptFileBody: unsupported file format version ${version} (this build supports ${FILE_FORMAT_VERSION})`,\n    );\n  }\n  const flags = buf.readUInt8(MAGIC_BYTES.length + 1);\n  if (flags !== FILE_FORMAT_FLAGS) {\n    throw new Error(`decryptFileBody: unknown flags byte 0x${flags.toString(16).padStart(2, \"0\")}`);\n  }\n  const envelope = buf.subarray(MAGIC_HEADER_SIZE);\n  parseEnvelope(envelope);\n  try {\n    return openEnvelope(key, envelope, aad ? { aad } : {});\n  } catch (err) {\n    const msg = err instanceof Error ? err.message : String(err);\n    throw new SecureStoreDecryptError(\n      `secure-store decryption failed: ${msg}`,\n    );\n  }\n}\n\nfunction buildHeaderAad(salt: Uint8Array): Buffer {\n  const out = Buffer.alloc(1 + ENVELOPE_SALT_LENGTH);\n  out.writeUInt8(ENVELOPE_VERSION, 0);\n  Buffer.from(salt).copy(out, 1);\n  return out;\n}\n\n// ---------------------------------------------------------------------------\n// Path → AAD helper\n// ---------------------------------------------------------------------------\n\n/**\n * Build the AAD buffer for a file at `filePath` relative to\n * `memoryDir`. The AAD binds the ciphertext to its path so a\n * file cannot be silently relocated without re-encryption.\n *\n * When `memoryDir` is supplied and `filePath` is absolute, the\n * relative sub-path is used. Otherwise `filePath` is used verbatim.\n */\nexport function filePathAad(filePath: string, memoryDir?: string): Buffer {\n  let rel = filePath;\n  if (memoryDir && path.isAbsolute(filePath)) {\n    rel = path.relative(memoryDir, filePath);\n  }\n  return Buffer.from(rel, \"utf8\");\n}\n\n// ---------------------------------------------------------------------------\n// High-level read / write helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Read a file from `filePath`.\n *\n * - If the file is plaintext (no magic header), return its content\n *   as-is — back-compat with unencrypted stores.\n * - If the file is encrypted AND `key` is provided, decrypt and return\n *   the plaintext content.\n * - If the file is encrypted AND `key` is null, throw\n *   `SecureStoreLockedError`.\n *\n * @param filePath  Absolute path to the file.\n * @param key       32-byte AES-256 key, or null when the store is locked.\n * @param memoryDir Memory root for path-bound AAD.  Should be absolute.\n */\nexport async function readMaybeEncryptedFileBuffer(\n  filePath: string,\n  key: Buffer | null,\n  memoryDir?: string,\n): Promise<Buffer> {\n  const buf = await readFile(filePath);\n  if (!isEncryptedFile(buf)) {\n    // Plain file — legacy or unencrypted store.\n    return buf;\n  }\n  // Encrypted — key required.\n  if (key === null) {\n    throw new SecureStoreLockedError(\n      `secure-store is locked — cannot read encrypted file at ${filePath}. ` +\n        \"Run `remnic secure-store unlock` to decrypt.\",\n    );\n  }\n  return decryptFileBodyForPath(buf, key, filePath, memoryDir);\n}\n\nexport async function readMaybeEncryptedFile(\n  filePath: string,\n  key: Buffer | null,\n  memoryDir?: string,\n): Promise<string> {\n  return (await readMaybeEncryptedFileBuffer(filePath, key, memoryDir)).toString(\"utf8\");\n}\n\nexport interface WriteMaybeEncryptedFileOptions {\n  /**\n   * File mode bits. Default 0o600 (owner read/write only).\n   * Applied only on create; existing files inherit their existing mode.\n   */\n  mode?: number;\n  /**\n   * If true, write atomically via a temp file + rename (CLAUDE.md gotcha #54).\n   * Default true.\n   */\n  atomic?: boolean;\n}\n\n/**\n * Write `content` to `filePath`.\n *\n * - If `key` is provided and non-null, encrypt the content first.\n * - If `key` is null, write the content as plain UTF-8 (unencrypted store).\n *\n * Writes atomically: content is written to a unique temp file\n * first, then renamed into place (CLAUDE.md gotcha #54 — never delete\n * before write).\n */\nexport async function writeMaybeEncryptedFile(\n  filePath: string,\n  content: string | Buffer,\n  key: Buffer | null,\n  options: WriteMaybeEncryptedFileOptions = {},\n  memoryDir?: string,\n): Promise<void> {\n  const { mode = 0o600, atomic = true } = options;\n  await mkdir(path.dirname(filePath), { recursive: true });\n\n  let data: Buffer | string;\n  if (key !== null) {\n    const aad = filePathAad(filePath, memoryDir);\n    data = encryptFileBody(content, key, aad);\n  } else {\n    data = content;\n  }\n\n  if (atomic) {\n    const tempPath = uniqueAtomicTempPath(filePath, \"tmp\");\n    try {\n      await writeFile(tempPath, data, { mode });\n      await rename(tempPath, filePath);\n    } catch (err) {\n      // Best-effort cleanup of the temp file.\n      try {\n        await unlink(tempPath);\n      } catch {\n        // ignore\n      }\n      throw err;\n    }\n  } else {\n    await writeFile(filePath, data, { mode });\n  }\n}\n\nexport async function writeMaybeEncryptedFileFromChunks(\n  filePath: string,\n  chunks: AsyncIterable<Buffer>,\n  key: Buffer | null,\n  options: WriteMaybeEncryptedFileOptions = {},\n  memoryDir?: string,\n): Promise<void> {\n  const { mode = 0o600, atomic = true } = options;\n  await mkdir(path.dirname(filePath), { recursive: true });\n  const writePath = atomic ? `${filePath}.tmp-${process.pid}-${Date.now()}` : filePath;\n  let completed = false;\n  try {\n    const handle = await openFile(writePath, \"w\", mode);\n    try {\n      if (key !== null) {\n        const salt = generateSalt();\n        const iv = randomBytes(IV_LENGTH);\n        const header = Buffer.alloc(MAGIC_HEADER_SIZE + ENVELOPE_HEADER_SIZE);\n        MAGIC_BYTES.copy(header, 0);\n        header.writeUInt8(FILE_FORMAT_VERSION, MAGIC_BYTES.length);\n        header.writeUInt8(FILE_FORMAT_FLAGS, MAGIC_BYTES.length + 1);\n        const envelopeOffset = MAGIC_HEADER_SIZE;\n        header.writeUInt8(ENVELOPE_VERSION, envelopeOffset + ENVELOPE_LAYOUT.version);\n        salt.copy(header, envelopeOffset + ENVELOPE_LAYOUT.salt);\n        iv.copy(header, envelopeOffset + ENVELOPE_LAYOUT.iv);\n        await handle.write(header);\n\n        const cipher = createCipheriv(\"aes-256-gcm\", key, iv, { authTagLength: AUTH_TAG_LENGTH });\n        const aad = filePathAad(filePath, memoryDir);\n        cipher.setAAD(Buffer.concat([buildHeaderAad(salt), aad]));\n        for await (const chunk of chunks) {\n          if (chunk.length === 0) continue;\n          const encrypted = cipher.update(chunk);\n          if (encrypted.length > 0) await handle.write(encrypted);\n        }\n        const final = cipher.final();\n        if (final.length > 0) await handle.write(final);\n        const authTag = cipher.getAuthTag();\n        await handle.write(\n          authTag,\n          0,\n          authTag.length,\n          MAGIC_HEADER_SIZE + ENVELOPE_LAYOUT.authTag,\n        );\n      } else {\n        for await (const chunk of chunks) {\n          if (chunk.length > 0) await handle.write(chunk);\n        }\n      }\n    } finally {\n      await handle.close();\n    }\n    if (atomic) {\n      await rename(writePath, filePath);\n    }\n    completed = true;\n  } finally {\n    if (!completed && atomic) {\n      await unlink(writePath).catch(() => {});\n    }\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Migration\n// ---------------------------------------------------------------------------\n\nexport interface MigrateResult {\n  /** Number of files successfully encrypted. */\n  encrypted: number;\n  /** Number of files already encrypted (skipped). */\n  skipped: number;\n  /** Files that failed to encrypt (path → error message). */\n  errors: Array<{ filePath: string; error: string }>;\n}\n\nexport interface DecryptResult {\n  /** Number of files successfully decrypted back to plaintext. */\n  decrypted: number;\n  /** Number of files already plaintext (skipped). */\n  skipped: number;\n  /** Files that failed to decrypt (path → error message). */\n  errors: Array<{ filePath: string; error: string }>;\n}\n\n/**\n * Walk `dir` recursively, find encryptable storage-managed files that are not\n * yet encrypted, and re-write them as encrypted files under `key`.\n *\n * Safety rules per CLAUDE.md gotchas #54 and #25:\n *   1. A page-version snapshot is taken (via `createVersion`) BEFORE\n *      each overwrite so the plaintext version is preserved in history.\n *      Since this module has no direct access to `page-versioning.ts`\n *      internals, callers who have page-versioning configured should\n *      pass `onBeforeEncrypt` to take the snapshot.\n *   2. The new encrypted content is written to a temp file first,\n *      then renamed atomically — never deleted before written.\n *   3. If encryption of any file fails, the error is recorded and the\n *      original file is left intact (partial migration is safe).\n *\n * @param dir              Absolute path to the memory directory.\n * @param key              32-byte AES-256 key.\n * @param onBeforeEncrypt  Optional callback invoked before encrypting\n *                         each file. Can be used to take page-version\n *                         snapshots. Errors here are non-fatal.\n */\nexport async function migrateMemoryDirToEncrypted(\n  dir: string,\n  key: Buffer,\n  onBeforeEncrypt?: (filePath: string) => Promise<void>,\n): Promise<MigrateResult> {\n  const result: MigrateResult = { encrypted: 0, skipped: 0, errors: [] };\n\n  const files = await collectEncryptableStorageFiles(dir);\n  for (const filePath of files) {\n    try {\n      const buf = await readFile(filePath);\n      if (isEncryptedFile(buf)) {\n        result.skipped++;\n        continue;\n      }\n      // Call optional pre-encryption hook (e.g. page-version snapshot).\n      if (onBeforeEncrypt) {\n        try {\n          await onBeforeEncrypt(filePath);\n        } catch {\n          // Non-fatal — continue with encryption even if snapshot fails.\n        }\n      }\n      const content = buf.toString(\"utf8\");\n      const aad = filePathAad(filePath, dir);\n      const encrypted = encryptFileBody(content, key, aad);\n\n      // Atomic write: temp → rename (gotcha #54).\n      const tempPath = uniqueAtomicTempPath(filePath, \"enc-tmp\");\n      try {\n        await writeFile(tempPath, encrypted, { mode: 0o600 });\n        await rename(tempPath, filePath);\n        result.encrypted++;\n      } catch (writeErr) {\n        // Clean up temp file, leave original intact.\n        try {\n          const { unlink } = await import(\"node:fs/promises\");\n          await unlink(tempPath);\n        } catch {\n          // ignore\n        }\n        throw writeErr;\n      }\n    } catch (err) {\n      result.errors.push({\n        filePath,\n        error: err instanceof Error ? err.message : String(err),\n      });\n    }\n  }\n\n  return result;\n}\n\n/**\n * Walk `dir` recursively, find storage-managed encrypted files, and\n * re-write them as plaintext under the same paths.\n *\n * This is the reversible counterpart to {@link migrateMemoryDirToEncrypted}.\n * It only touches files under the same storage-managed roots, skips\n * plaintext files, skips symlinks, excludes `.secure-store/`, and writes\n * each plaintext replacement via temp-file + rename so a per-file failure\n * leaves the ciphertext intact.\n */\nexport async function decryptMemoryDirToPlaintext(\n  dir: string,\n  key: Buffer,\n): Promise<DecryptResult> {\n  const result: DecryptResult = { decrypted: 0, skipped: 0, errors: [] };\n\n  const files = await collectStorageManagedFiles(dir, isDecryptableStoragePath);\n  for (const filePath of files) {\n    try {\n      const buf = await readFile(filePath);\n      if (!isEncryptedFile(buf)) {\n        result.skipped++;\n        continue;\n      }\n\n      const plaintext = decryptFileBodyForPath(buf, key, filePath, dir);\n      const tempPath = uniqueAtomicTempPath(filePath, \"dec-tmp\");\n      try {\n        await writeFile(tempPath, plaintext, { mode: 0o600 });\n        await rename(tempPath, filePath);\n        result.decrypted++;\n      } catch (writeErr) {\n        try {\n          await unlink(tempPath);\n        } catch {\n          // ignore cleanup errors; original ciphertext is still intact.\n        }\n        throw writeErr;\n      }\n    } catch (err) {\n      result.errors.push({\n        filePath,\n        error: err instanceof Error ? err.message : String(err),\n      });\n    }\n  }\n\n  return result;\n}\n\n// ---------------------------------------------------------------------------\n// Internal helpers\n// ---------------------------------------------------------------------------\n\nfunction uniqueAtomicTempPath(filePath: string, label: string): string {\n  return `${filePath}.${label}-${process.pid}-${Date.now()}-${randomUUID()}`;\n}\n\nfunction decryptFileBodyForPath(\n  buf: Buffer,\n  key: Buffer,\n  filePath: string,\n  memoryDir?: string,\n): Buffer {\n  const aad = filePathAad(filePath, memoryDir);\n  try {\n    return decryptFileBody(buf, key, aad);\n  } catch (err) {\n    if (!(err instanceof SecureStoreDecryptError)) {\n      throw err;\n    }\n    const legacyRoot = legacyNamespaceAadRootForFile(filePath, memoryDir);\n    if (legacyRoot) {\n      try {\n        return decryptFileBody(buf, key, filePathAad(filePath, legacyRoot));\n      } catch {\n        // Fall through to the namespace-reader fallback below.\n      }\n    }\n\n    const topLevelRoot = topLevelAadRootForNamespaceReader(filePath, memoryDir);\n    if (topLevelRoot) {\n      try {\n        return decryptFileBody(buf, key, filePathAad(filePath, topLevelRoot));\n      } catch {\n        // Preserve the caller-facing error from the canonical decrypt attempt.\n      }\n    }\n\n    throw err;\n  }\n}\n\nfunction topLevelAadRootForNamespaceReader(filePath: string, memoryDir?: string): string | null {\n  if (!memoryDir || !path.isAbsolute(filePath)) return null;\n  const resolvedMemoryDir = path.resolve(memoryDir);\n  const rel = path.relative(resolvedMemoryDir, filePath);\n  if (rel === \"\" || rel.startsWith(\"..\") || path.isAbsolute(rel)) return null;\n  const parts = resolvedMemoryDir.split(path.sep);\n  if (parts.length < 3 || parts.at(-2) !== \"namespaces\" || !parts.at(-1)) return null;\n  const topLevelRoot = parts.slice(0, -2).join(path.sep) || path.sep;\n  const topRel = path.relative(topLevelRoot, filePath);\n  if (topRel === \"\" || topRel.startsWith(\"..\") || path.isAbsolute(topRel)) {\n    return null;\n  }\n  const topParts = topRel.split(path.sep);\n  if (topParts[0] !== \"namespaces\" || topParts[1] !== parts.at(-1)) {\n    return null;\n  }\n  return topLevelRoot;\n}\n\nfunction legacyNamespaceAadRootForFile(filePath: string, memoryDir?: string): string | null {\n  if (!memoryDir || !path.isAbsolute(filePath)) return null;\n  const rel = path.relative(memoryDir, filePath);\n  if (rel === \"\" || rel.startsWith(\"..\") || path.isAbsolute(rel)) return null;\n  const parts = rel.split(path.sep);\n  if (parts[0] === \"namespaces\" && parts.length >= 3 && parts[1]) {\n    return path.join(memoryDir, \"namespaces\", parts[1]);\n  }\n  return null;\n}\n\n/**\n * Recursively collect files under `dir` that are read through the\n * storage-layer secure-store helpers, excluding symlinked entries and\n * `.secure-store/` metadata.\n */\nasync function collectEncryptableStorageFiles(dir: string, rootDir = dir): Promise<string[]> {\n  return collectStorageManagedFiles(dir, isEncryptableStoragePath, rootDir);\n}\n\n/**\n * Recursively collect regular files under storage-managed roots, excluding\n * symlinked entries and `.secure-store/` metadata. This broader collector is\n * used by the decrypt/disable path so future encrypted sidecars can be\n * restored without requiring extension-specific logic.\n */\nasync function collectStorageManagedFiles(\n  dir: string,\n  includeFile: (filePath: string, rootDir: string) => boolean,\n  rootDir = dir,\n): Promise<string[]> {\n  const results: string[] = [];\n  let names: string[];\n  try {\n    names = await readdir(dir, { encoding: \"utf8\" });\n  } catch {\n    return results;\n  }\n  for (const name of names) {\n    if (name.startsWith(\".secure-store\")) continue;\n    const full = path.join(dir, name);\n    let isDir = false;\n    let isFile = false;\n    try {\n      const s = await lstat(full);\n      if (s.isSymbolicLink()) continue;\n      isDir = s.isDirectory();\n      isFile = s.isFile();\n    } catch {\n      continue;\n    }\n    if (isDir) {\n      const sub = await collectStorageManagedFiles(full, includeFile, rootDir);\n      results.push(...sub);\n    } else if (isFile && includeFile(full, rootDir)) {\n      results.push(full);\n    }\n  }\n  return results;\n}\n\nfunction isEncryptableStoragePath(filePath: string, rootDir: string): boolean {\n  const rel = path.relative(rootDir, filePath);\n  if (rel === \"\" || rel.startsWith(\"..\") || path.isAbsolute(rel)) return false;\n  const normalized = normalizeStorageRelativePath(rel);\n  if (normalized === \"profile.md\") return true;\n  if (isEncryptableStateSidecar(normalized)) return true;\n  if (isEncryptableSummarySidecar(normalized)) return true;\n  const firstSegment = normalized.split(\"/\", 1)[0];\n  return ENCRYPTABLE_MARKDOWN_STORAGE_ROOTS.has(firstSegment) && normalized.endsWith(\".md\");\n}\n\nfunction isDecryptableStoragePath(filePath: string, rootDir: string): boolean {\n  if (isEncryptableStoragePath(filePath, rootDir)) return true;\n  const rel = path.relative(rootDir, filePath);\n  if (rel === \"\" || rel.startsWith(\"..\") || path.isAbsolute(rel)) return false;\n  const normalized = normalizeStorageRelativePath(rel);\n  const firstSegment = normalized.split(\"/\", 1)[0];\n  return DECRYPTABLE_SIDECAR_ROOTS.has(firstSegment);\n}\n\nfunction normalizeStorageRelativePath(rel: string): string {\n  const normalized = rel.split(path.sep).join(\"/\");\n  const parts = normalized.split(\"/\");\n  if (parts[0] === \"namespaces\" && parts.length >= 3) {\n    return parts.slice(2).join(\"/\");\n  }\n  return normalized;\n}\n\nconst ENCRYPTABLE_MARKDOWN_STORAGE_ROOTS = new Set([\n  \"facts\",\n  \"corrections\",\n  \"procedures\",\n  \"reasoning-traces\",\n  \"artifacts\",\n  \"archive\",\n  \"entities\",\n  \"identity\",\n]);\n\nconst ENCRYPTABLE_STATE_SIDECARS = new Set([\n  \"state/behavior-signals.jsonl\",\n  \"state/buffer-surprise-ledger.jsonl\",\n  \"state/buffer.json\",\n  \"state/compression-guideline-draft-state.json\",\n  \"state/compression-guideline-state.json\",\n  \"state/compression-guidelines.draft.md\",\n  \"state/compression-guidelines.md\",\n  \"state/entity-synthesis-queue.json\",\n  \"state/fact-hashes.txt\",\n  \"state/memory-actions.jsonl\",\n  \"state/memory-lifecycle-ledger.jsonl\",\n  \"state/meta.json\",\n  \"state/reextract-jobs.jsonl\",\n  \"state/topics.json\",\n]);\n\nfunction isEncryptableStateSidecar(normalized: string): boolean {\n  return ENCRYPTABLE_STATE_SIDECARS.has(normalized);\n}\n\nfunction isEncryptableSummarySidecar(normalized: string): boolean {\n  return normalized.startsWith(\"summaries/\") && normalized.endsWith(\".json\");\n}\n\nconst DECRYPTABLE_SIDECAR_ROOTS = new Set([\n  \"state\",\n  \"indexes\",\n  \"index\",\n  \"provenance\",\n]);\n"],"mappings":";;;;;;;;;;;;;;AA6CA,SAAS,gBAAgB,aAAa,kBAAkB;AACxD,SAAS,OAAO,OAAO,QAAQ,UAAU,UAAU,SAAS,QAAQ,QAAQ,iBAAiB;AAC7F,OAAO,UAAU;AAwBV,IAAM,yBAAN,cAAqC,MAAM;AAAA,EAChD,YAAY,UAAU,6EAAwE;AAC5F,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,0BAAN,cAAsC,MAAM;AAAA,EACjD,YAAY,UAAU,0EAAqE;AACzF,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,cAAc,OAAO,KAAK,cAAc,OAAO;AAGrD,IAAM,sBAAsB;AAG5B,IAAM,oBAAoB;AAG1B,IAAM,oBAAoB,YAAY,SAAS;AAU/C,SAAS,gBAAgB,KAA0B;AACxD,MAAI,IAAI,SAAS,kBAAmB,QAAO;AAC3C,QAAM,IAAI,OAAO,SAAS,GAAG,IAAI,MAAM,OAAO,KAAK,GAAG;AACtD,SAAO,EAAE,SAAS,GAAG,YAAY,MAAM,EAAE,OAAO,WAAW;AAC7D;AAgBO,SAAS,gBAAgB,OAAwB,KAAa,KAAsB;AACzF,QAAM,WAAW,OAAO,UAAU,WAAW,OAAO,KAAK,OAAO,MAAM,IAAI;AAC1E,QAAM,OAAO,aAAa;AAC1B,QAAM,WAAW,KAAK,KAAK,MAAM,UAAU,MAAM,EAAE,IAAI,IAAI,CAAC,CAAC;AAE7D,QAAM,SAAS,OAAO,MAAM,iBAAiB;AAC7C,cAAY,KAAK,QAAQ,CAAC;AAC1B,SAAO,WAAW,qBAAqB,YAAY,MAAM;AACzD,SAAO,WAAW,mBAAmB,YAAY,SAAS,CAAC;AAE3D,SAAO,OAAO,OAAO,CAAC,QAAQ,QAAQ,CAAC;AACzC;AAUO,SAAS,gBAAgB,KAAa,KAAa,KAAsB;AAC9E,MAAI,CAAC,gBAAgB,GAAG,GAAG;AACzB,UAAM,IAAI,MAAM,qEAAqE;AAAA,EACvF;AACA,QAAM,UAAU,IAAI,UAAU,YAAY,MAAM;AAChD,MAAI,YAAY,qBAAqB;AACnC,UAAM,IAAI;AAAA,MACR,oDAAoD,OAAO,yBAAyB,mBAAmB;AAAA,IACzG;AAAA,EACF;AACA,QAAM,QAAQ,IAAI,UAAU,YAAY,SAAS,CAAC;AAClD,MAAI,UAAU,mBAAmB;AAC/B,UAAM,IAAI,MAAM,yCAAyC,MAAM,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE;AAAA,EAChG;AACA,QAAM,WAAW,IAAI,SAAS,iBAAiB;AAC/C,gBAAc,QAAQ;AACtB,MAAI;AACF,WAAO,KAAa,KAAK,UAAU,MAAM,EAAE,IAAI,IAAI,CAAC,CAAC;AAAA,EACvD,SAAS,KAAK;AACZ,UAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,UAAM,IAAI;AAAA,MACR,mCAAmC,GAAG;AAAA,IACxC;AAAA,EACF;AACF;AAEA,SAAS,eAAe,MAA0B;AAChD,QAAM,MAAM,OAAO,MAAM,IAAI,oBAAoB;AACjD,MAAI,WAAW,kBAAkB,CAAC;AAClC,SAAO,KAAK,IAAI,EAAE,KAAK,KAAK,CAAC;AAC7B,SAAO;AACT;AAcO,SAAS,YAAY,UAAkB,WAA4B;AACxE,MAAI,MAAM;AACV,MAAI,aAAa,KAAK,WAAW,QAAQ,GAAG;AAC1C,UAAM,KAAK,SAAS,WAAW,QAAQ;AAAA,EACzC;AACA,SAAO,OAAO,KAAK,KAAK,MAAM;AAChC;AAoBA,eAAsB,6BACpB,UACA,KACA,WACiB;AACjB,QAAM,MAAM,MAAM,SAAS,QAAQ;AACnC,MAAI,CAAC,gBAAgB,GAAG,GAAG;AAEzB,WAAO;AAAA,EACT;AAEA,MAAI,QAAQ,MAAM;AAChB,UAAM,IAAI;AAAA,MACR,+DAA0D,QAAQ;AAAA,IAEpE;AAAA,EACF;AACA,SAAO,uBAAuB,KAAK,KAAK,UAAU,SAAS;AAC7D;AAEA,eAAsB,uBACpB,UACA,KACA,WACiB;AACjB,UAAQ,MAAM,6BAA6B,UAAU,KAAK,SAAS,GAAG,SAAS,MAAM;AACvF;AAyBA,eAAsB,wBACpB,UACA,SACA,KACA,UAA0C,CAAC,GAC3C,WACe;AACf,QAAM,EAAE,OAAO,KAAO,SAAS,KAAK,IAAI;AACxC,QAAM,MAAM,KAAK,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AAEvD,MAAI;AACJ,MAAI,QAAQ,MAAM;AAChB,UAAM,MAAM,YAAY,UAAU,SAAS;AAC3C,WAAO,gBAAgB,SAAS,KAAK,GAAG;AAAA,EAC1C,OAAO;AACL,WAAO;AAAA,EACT;AAEA,MAAI,QAAQ;AACV,UAAM,WAAW,qBAAqB,UAAU,KAAK;AACrD,QAAI;AACF,YAAM,UAAU,UAAU,MAAM,EAAE,KAAK,CAAC;AACxC,YAAM,OAAO,UAAU,QAAQ;AAAA,IACjC,SAAS,KAAK;AAEZ,UAAI;AACF,cAAM,OAAO,QAAQ;AAAA,MACvB,QAAQ;AAAA,MAER;AACA,YAAM;AAAA,IACR;AAAA,EACF,OAAO;AACL,UAAM,UAAU,UAAU,MAAM,EAAE,KAAK,CAAC;AAAA,EAC1C;AACF;AAEA,eAAsB,kCACpB,UACA,QACA,KACA,UAA0C,CAAC,GAC3C,WACe;AACf,QAAM,EAAE,OAAO,KAAO,SAAS,KAAK,IAAI;AACxC,QAAM,MAAM,KAAK,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AACvD,QAAM,YAAY,SAAS,GAAG,QAAQ,QAAQ,QAAQ,GAAG,IAAI,KAAK,IAAI,CAAC,KAAK;AAC5E,MAAI,YAAY;AAChB,MAAI;AACF,UAAM,SAAS,MAAM,SAAS,WAAW,KAAK,IAAI;AAClD,QAAI;AACF,UAAI,QAAQ,MAAM;AAChB,cAAM,OAAO,aAAa;AAC1B,cAAM,KAAK,YAAY,SAAS;AAChC,cAAM,SAAS,OAAO,MAAM,oBAAoB,oBAAoB;AACpE,oBAAY,KAAK,QAAQ,CAAC;AAC1B,eAAO,WAAW,qBAAqB,YAAY,MAAM;AACzD,eAAO,WAAW,mBAAmB,YAAY,SAAS,CAAC;AAC3D,cAAM,iBAAiB;AACvB,eAAO,WAAW,kBAAkB,iBAAiB,gBAAgB,OAAO;AAC5E,aAAK,KAAK,QAAQ,iBAAiB,gBAAgB,IAAI;AACvD,WAAG,KAAK,QAAQ,iBAAiB,gBAAgB,EAAE;AACnD,cAAM,OAAO,MAAM,MAAM;AAEzB,cAAM,SAAS,eAAe,eAAe,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AACxF,cAAM,MAAM,YAAY,UAAU,SAAS;AAC3C,eAAO,OAAO,OAAO,OAAO,CAAC,eAAe,IAAI,GAAG,GAAG,CAAC,CAAC;AACxD,yBAAiB,SAAS,QAAQ;AAChC,cAAI,MAAM,WAAW,EAAG;AACxB,gBAAM,YAAY,OAAO,OAAO,KAAK;AACrC,cAAI,UAAU,SAAS,EAAG,OAAM,OAAO,MAAM,SAAS;AAAA,QACxD;AACA,cAAM,QAAQ,OAAO,MAAM;AAC3B,YAAI,MAAM,SAAS,EAAG,OAAM,OAAO,MAAM,KAAK;AAC9C,cAAM,UAAU,OAAO,WAAW;AAClC,cAAM,OAAO;AAAA,UACX;AAAA,UACA;AAAA,UACA,QAAQ;AAAA,UACR,oBAAoB,gBAAgB;AAAA,QACtC;AAAA,MACF,OAAO;AACL,yBAAiB,SAAS,QAAQ;AAChC,cAAI,MAAM,SAAS,EAAG,OAAM,OAAO,MAAM,KAAK;AAAA,QAChD;AAAA,MACF;AAAA,IACF,UAAE;AACA,YAAM,OAAO,MAAM;AAAA,IACrB;AACA,QAAI,QAAQ;AACV,YAAM,OAAO,WAAW,QAAQ;AAAA,IAClC;AACA,gBAAY;AAAA,EACd,UAAE;AACA,QAAI,CAAC,aAAa,QAAQ;AACxB,YAAM,OAAO,SAAS,EAAE,MAAM,MAAM;AAAA,MAAC,CAAC;AAAA,IACxC;AAAA,EACF;AACF;AA6CA,eAAsB,4BACpB,KACA,KACA,iBACwB;AACxB,QAAM,SAAwB,EAAE,WAAW,GAAG,SAAS,GAAG,QAAQ,CAAC,EAAE;AAErE,QAAM,QAAQ,MAAM,+BAA+B,GAAG;AACtD,aAAW,YAAY,OAAO;AAC5B,QAAI;AACF,YAAM,MAAM,MAAM,SAAS,QAAQ;AACnC,UAAI,gBAAgB,GAAG,GAAG;AACxB,eAAO;AACP;AAAA,MACF;AAEA,UAAI,iBAAiB;AACnB,YAAI;AACF,gBAAM,gBAAgB,QAAQ;AAAA,QAChC,QAAQ;AAAA,QAER;AAAA,MACF;AACA,YAAM,UAAU,IAAI,SAAS,MAAM;AACnC,YAAM,MAAM,YAAY,UAAU,GAAG;AACrC,YAAM,YAAY,gBAAgB,SAAS,KAAK,GAAG;AAGnD,YAAM,WAAW,qBAAqB,UAAU,SAAS;AACzD,UAAI;AACF,cAAM,UAAU,UAAU,WAAW,EAAE,MAAM,IAAM,CAAC;AACpD,cAAM,OAAO,UAAU,QAAQ;AAC/B,eAAO;AAAA,MACT,SAAS,UAAU;AAEjB,YAAI;AACF,gBAAM,EAAE,QAAAA,QAAO,IAAI,MAAM,OAAO,aAAkB;AAClD,gBAAMA,QAAO,QAAQ;AAAA,QACvB,QAAQ;AAAA,QAER;AACA,cAAM;AAAA,MACR;AAAA,IACF,SAAS,KAAK;AACZ,aAAO,OAAO,KAAK;AAAA,QACjB;AAAA,QACA,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,MACxD,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAYA,eAAsB,4BACpB,KACA,KACwB;AACxB,QAAM,SAAwB,EAAE,WAAW,GAAG,SAAS,GAAG,QAAQ,CAAC,EAAE;AAErE,QAAM,QAAQ,MAAM,2BAA2B,KAAK,wBAAwB;AAC5E,aAAW,YAAY,OAAO;AAC5B,QAAI;AACF,YAAM,MAAM,MAAM,SAAS,QAAQ;AACnC,UAAI,CAAC,gBAAgB,GAAG,GAAG;AACzB,eAAO;AACP;AAAA,MACF;AAEA,YAAM,YAAY,uBAAuB,KAAK,KAAK,UAAU,GAAG;AAChE,YAAM,WAAW,qBAAqB,UAAU,SAAS;AACzD,UAAI;AACF,cAAM,UAAU,UAAU,WAAW,EAAE,MAAM,IAAM,CAAC;AACpD,cAAM,OAAO,UAAU,QAAQ;AAC/B,eAAO;AAAA,MACT,SAAS,UAAU;AACjB,YAAI;AACF,gBAAM,OAAO,QAAQ;AAAA,QACvB,QAAQ;AAAA,QAER;AACA,cAAM;AAAA,MACR;AAAA,IACF,SAAS,KAAK;AACZ,aAAO,OAAO,KAAK;AAAA,QACjB;AAAA,QACA,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,MACxD,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAMA,SAAS,qBAAqB,UAAkB,OAAuB;AACrE,SAAO,GAAG,QAAQ,IAAI,KAAK,IAAI,QAAQ,GAAG,IAAI,KAAK,IAAI,CAAC,IAAI,WAAW,CAAC;AAC1E;AAEA,SAAS,uBACP,KACA,KACA,UACA,WACQ;AACR,QAAM,MAAM,YAAY,UAAU,SAAS;AAC3C,MAAI;AACF,WAAO,gBAAgB,KAAK,KAAK,GAAG;AAAA,EACtC,SAAS,KAAK;AACZ,QAAI,EAAE,eAAe,0BAA0B;AAC7C,YAAM;AAAA,IACR;AACA,UAAM,aAAa,8BAA8B,UAAU,SAAS;AACpE,QAAI,YAAY;AACd,UAAI;AACF,eAAO,gBAAgB,KAAK,KAAK,YAAY,UAAU,UAAU,CAAC;AAAA,MACpE,QAAQ;AAAA,MAER;AAAA,IACF;AAEA,UAAM,eAAe,kCAAkC,UAAU,SAAS;AAC1E,QAAI,cAAc;AAChB,UAAI;AACF,eAAO,gBAAgB,KAAK,KAAK,YAAY,UAAU,YAAY,CAAC;AAAA,MACtE,QAAQ;AAAA,MAER;AAAA,IACF;AAEA,UAAM;AAAA,EACR;AACF;AAEA,SAAS,kCAAkC,UAAkB,WAAmC;AAC9F,MAAI,CAAC,aAAa,CAAC,KAAK,WAAW,QAAQ,EAAG,QAAO;AACrD,QAAM,oBAAoB,KAAK,QAAQ,SAAS;AAChD,QAAM,MAAM,KAAK,SAAS,mBAAmB,QAAQ;AACrD,MAAI,QAAQ,MAAM,IAAI,WAAW,IAAI,KAAK,KAAK,WAAW,GAAG,EAAG,QAAO;AACvE,QAAM,QAAQ,kBAAkB,MAAM,KAAK,GAAG;AAC9C,MAAI,MAAM,SAAS,KAAK,MAAM,GAAG,EAAE,MAAM,gBAAgB,CAAC,MAAM,GAAG,EAAE,EAAG,QAAO;AAC/E,QAAM,eAAe,MAAM,MAAM,GAAG,EAAE,EAAE,KAAK,KAAK,GAAG,KAAK,KAAK;AAC/D,QAAM,SAAS,KAAK,SAAS,cAAc,QAAQ;AACnD,MAAI,WAAW,MAAM,OAAO,WAAW,IAAI,KAAK,KAAK,WAAW,MAAM,GAAG;AACvE,WAAO;AAAA,EACT;AACA,QAAM,WAAW,OAAO,MAAM,KAAK,GAAG;AACtC,MAAI,SAAS,CAAC,MAAM,gBAAgB,SAAS,CAAC,MAAM,MAAM,GAAG,EAAE,GAAG;AAChE,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,8BAA8B,UAAkB,WAAmC;AAC1F,MAAI,CAAC,aAAa,CAAC,KAAK,WAAW,QAAQ,EAAG,QAAO;AACrD,QAAM,MAAM,KAAK,SAAS,WAAW,QAAQ;AAC7C,MAAI,QAAQ,MAAM,IAAI,WAAW,IAAI,KAAK,KAAK,WAAW,GAAG,EAAG,QAAO;AACvE,QAAM,QAAQ,IAAI,MAAM,KAAK,GAAG;AAChC,MAAI,MAAM,CAAC,MAAM,gBAAgB,MAAM,UAAU,KAAK,MAAM,CAAC,GAAG;AAC9D,WAAO,KAAK,KAAK,WAAW,cAAc,MAAM,CAAC,CAAC;AAAA,EACpD;AACA,SAAO;AACT;AAOA,eAAe,+BAA+B,KAAa,UAAU,KAAwB;AAC3F,SAAO,2BAA2B,KAAK,0BAA0B,OAAO;AAC1E;AAQA,eAAe,2BACb,KACA,aACA,UAAU,KACS;AACnB,QAAM,UAAoB,CAAC;AAC3B,MAAI;AACJ,MAAI;AACF,YAAQ,MAAM,QAAQ,KAAK,EAAE,UAAU,OAAO,CAAC;AAAA,EACjD,QAAQ;AACN,WAAO;AAAA,EACT;AACA,aAAW,QAAQ,OAAO;AACxB,QAAI,KAAK,WAAW,eAAe,EAAG;AACtC,UAAM,OAAO,KAAK,KAAK,KAAK,IAAI;AAChC,QAAI,QAAQ;AACZ,QAAI,SAAS;AACb,QAAI;AACF,YAAM,IAAI,MAAM,MAAM,IAAI;AAC1B,UAAI,EAAE,eAAe,EAAG;AACxB,cAAQ,EAAE,YAAY;AACtB,eAAS,EAAE,OAAO;AAAA,IACpB,QAAQ;AACN;AAAA,IACF;AACA,QAAI,OAAO;AACT,YAAM,MAAM,MAAM,2BAA2B,MAAM,aAAa,OAAO;AACvE,cAAQ,KAAK,GAAG,GAAG;AAAA,IACrB,WAAW,UAAU,YAAY,MAAM,OAAO,GAAG;AAC/C,cAAQ,KAAK,IAAI;AAAA,IACnB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,yBAAyB,UAAkB,SAA0B;AAC5E,QAAM,MAAM,KAAK,SAAS,SAAS,QAAQ;AAC3C,MAAI,QAAQ,MAAM,IAAI,WAAW,IAAI,KAAK,KAAK,WAAW,GAAG,EAAG,QAAO;AACvE,QAAM,aAAa,6BAA6B,GAAG;AACnD,MAAI,eAAe,aAAc,QAAO;AACxC,MAAI,0BAA0B,UAAU,EAAG,QAAO;AAClD,MAAI,4BAA4B,UAAU,EAAG,QAAO;AACpD,QAAM,eAAe,WAAW,MAAM,KAAK,CAAC,EAAE,CAAC;AAC/C,SAAO,mCAAmC,IAAI,YAAY,KAAK,WAAW,SAAS,KAAK;AAC1F;AAEA,SAAS,yBAAyB,UAAkB,SAA0B;AAC5E,MAAI,yBAAyB,UAAU,OAAO,EAAG,QAAO;AACxD,QAAM,MAAM,KAAK,SAAS,SAAS,QAAQ;AAC3C,MAAI,QAAQ,MAAM,IAAI,WAAW,IAAI,KAAK,KAAK,WAAW,GAAG,EAAG,QAAO;AACvE,QAAM,aAAa,6BAA6B,GAAG;AACnD,QAAM,eAAe,WAAW,MAAM,KAAK,CAAC,EAAE,CAAC;AAC/C,SAAO,0BAA0B,IAAI,YAAY;AACnD;AAEA,SAAS,6BAA6B,KAAqB;AACzD,QAAM,aAAa,IAAI,MAAM,KAAK,GAAG,EAAE,KAAK,GAAG;AAC/C,QAAM,QAAQ,WAAW,MAAM,GAAG;AAClC,MAAI,MAAM,CAAC,MAAM,gBAAgB,MAAM,UAAU,GAAG;AAClD,WAAO,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG;AAAA,EAChC;AACA,SAAO;AACT;AAEA,IAAM,qCAAqC,oBAAI,IAAI;AAAA,EACjD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAED,IAAM,6BAA6B,oBAAI,IAAI;AAAA,EACzC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAED,SAAS,0BAA0B,YAA6B;AAC9D,SAAO,2BAA2B,IAAI,UAAU;AAClD;AAEA,SAAS,4BAA4B,YAA6B;AAChE,SAAO,WAAW,WAAW,YAAY,KAAK,WAAW,SAAS,OAAO;AAC3E;AAEA,IAAM,4BAA4B,oBAAI,IAAI;AAAA,EACxC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;","names":["unlink"]}