@runcore-sh/runcore 0.1.8 → 0.1.10

package/dist/lib/audit.js

@@ -0,0 +1,120 @@
+/**
+ * Audit logging for brain file access.
+ * Appends access records to brain/ops/audit.jsonl.
+ * Uses AsyncLocalStorage to track caller identity (MCP tool, HTTP route, etc.).
+ *
+ * Fire-and-forget — audit failures never block or crash the caller.
+ */
+import { AsyncLocalStorage } from "node:async_hooks";
+import { appendFile } from "node:fs/promises";
+import { appendFileSync, mkdirSync, existsSync } from "node:fs";
+import { join, relative } from "node:path";
+import { createLogger } from "../utils/logger.js";
+const log = createLogger("audit");
+// ── Caller context via AsyncLocalStorage ─────────────────────────────────────
+const auditContextStore = new AsyncLocalStorage();
+/**
+ * Run a function with audit context. All brain file reads within the callback
+ * will be tagged with the given caller and channel.
+ */
+export function runWithAuditContext(ctx, fn) {
+    return auditContextStore.run(ctx, fn);
+}
+/** Get the current audit context (if set). */
+export function getAuditContext() {
+    return auditContextStore.getStore();
+}
+// ── File setup ───────────────────────────────────────────────────────────────
+const BRAIN_DIR = join(process.cwd(), "brain");
+const OPS_DIR = join(BRAIN_DIR, "ops");
+const AUDIT_FILE = join(OPS_DIR, "audit.jsonl");
+const SCHEMA_LINE = JSON.stringify({
+    _schema: "audit",
+    _version: "1.0",
+    _fields: "timestamp,file,method,caller,channel",
+});
+let fileEnsured = false;
+function ensureFile() {
+    if (fileEnsured)
+        return;
+    try {
+        if (!existsSync(OPS_DIR)) {
+            mkdirSync(OPS_DIR, { recursive: true });
+        }
+        if (!existsSync(AUDIT_FILE)) {
+            appendFileSync(AUDIT_FILE, SCHEMA_LINE + "\n", "utf-8");
+        }
+        fileEnsured = true;
+    }
+    catch (err) {
+        log.debug(`Failed to ensure audit file: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}
+// ── Core logging ─────────────────────────────────────────────────────────────
+/**
+ * Resolve a full path to a relative brain path for cleaner logs.
+ * Returns the path as-is if it's not under brain/.
+ */
+function toBrainRelative(filePath) {
+    try {
+        const rel = relative(BRAIN_DIR, filePath);
+        // If the relative path escapes brain/, return the original
+        if (rel.startsWith("..") || rel.startsWith("/"))
+            return filePath;
+        return rel.replace(/\\/g, "/");
+    }
+    catch {
+        return filePath;
+    }
+}
+/**
+ * Log a brain file read. Fire-and-forget (async).
+ * Skips logging reads of the audit file itself to avoid recursion.
+ */
+export function logAccess(filePath, method) {
+    // Prevent recursive audit of the audit file
+    if (filePath === AUDIT_FILE)
+        return;
+    const ctx = auditContextStore.getStore();
+    const entry = {
+        timestamp: new Date().toISOString(),
+        file: toBrainRelative(filePath),
+        method,
+        caller: ctx?.caller,
+        channel: ctx?.channel,
+    };
+    try {
+        ensureFile();
+        const line = JSON.stringify(entry);
+        // Async append — fire-and-forget
+        appendFile(AUDIT_FILE, line + "\n", "utf-8").catch((err) => {
+            log.debug(`Audit write failed: ${err instanceof Error ? err.message : String(err)}`);
+        });
+    }
+    catch (err) {
+        log.debug(`Audit log error: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}
+/**
+ * Synchronous variant for use in readBrainLinesSync.
+ */
+export function logAccessSync(filePath, method) {
+    if (filePath === AUDIT_FILE)
+        return;
+    const ctx = auditContextStore.getStore();
+    const entry = {
+        timestamp: new Date().toISOString(),
+        file: toBrainRelative(filePath),
+        method,
+        caller: ctx?.caller,
+        channel: ctx?.channel,
+    };
+    try {
+        ensureFile();
+        appendFileSync(AUDIT_FILE, JSON.stringify(entry) + "\n", "utf-8");
+    }
+    catch (err) {
+        log.debug(`Audit sync write failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}
+//# sourceMappingURL=audit.js.map

package/dist/lib/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/lib/audit.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAS,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAChE,OAAO,EAAE,IAAI,EAAW,QAAQ,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;AAyBlC,gFAAgF;AAEhF,MAAM,iBAAiB,GAAG,IAAI,iBAAiB,EAAgB,CAAC;AAEhE;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAI,GAAiB,EAAE,EAAW;IACnE,OAAO,iBAAiB,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;AACxC,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,eAAe;IAC7B,OAAO,iBAAiB,CAAC,QAAQ,EAAE,CAAC;AACtC,CAAC;AAED,gFAAgF;AAEhF,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,CAAC,CAAC;AAC/C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;AACvC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;AAChD,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;IACjC,OAAO,EAAE,OAAO;IAChB,QAAQ,EAAE,KAAK;IACf,OAAO,EAAE,sCAAsC;CAChD,CAAC,CAAC;AAEH,IAAI,WAAW,GAAG,KAAK,CAAC;AAExB,SAAS,UAAU;IACjB,IAAI,WAAW;QAAE,OAAO;IACxB,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACzB,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1C,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5B,cAAc,CAAC,UAAU,EAAE,WAAW,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1D,CAAC;QACD,WAAW,GAAG,IAAI,CAAC;IACrB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,KAAK,CAAC,gCAAgC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChG,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF;;;GAGG;AACH,SAAS,eAAe,CAAC,QAAgB;IACvC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC1C,2DAA2D;QAC3D,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,QAAQ,CAAC;QACjE,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CACvB,QAAgB,EAChB,MAA4B;IAE5B,4CAA4C;IAC5C,IAAI,QAAQ,KAAK,UAAU;QAAE,OAAO;IAEpC,MAAM,GAAG,GAAG,iBAAiB,CAAC,QAAQ,EAAE,CAAC;IACzC,MAAM,KAAK,GAAe;QACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,IAAI,EAAE,eAAe,CAAC,QAAQ,CAAC;QAC/B,MAAM;QACN,MAAM,EAAE,GAAG,EAAE,MAAM;QACnB,OAAO,EAAE,GAAG,EAAE,OAAO;KACtB,CAAC;IAEF,IAAI,CAAC;QACH,UAAU,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACnC,iCAAiC;QACjC,UAAU,CAAC,UAAU,EAAE,IAAI,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACzD,GAAG,CAAC,KAAK,CAAC,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvF,CAAC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,KAAK,CAAC,oBAAoB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACpF,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAC3B,QAAgB,EAChB,MAA4B;IAE5B,IAAI,QAAQ,KAAK,UAAU;QAAE,OAAO;IAEpC,MAAM,GAAG,GAAG,iBAAiB,CAAC,QAAQ,EAAE,CAAC;IACzC,MAAM,KAAK,GAAe;QACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,IAAI,EAAE,eAAe,CAAC,QAAQ,CAAC;QAC/B,MAAM;QACN,MAAM,EAAE,GAAG,EAAE,MAAM;QACnB,OAAO,EAAE,GAAG,EAAE,OAAO;KACtB,CAAC;IAEF,IAAI,CAAC;QACH,UAAU,EAAE,CAAC;QACb,cAAc,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IACpE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,KAAK,CAAC,4BAA4B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC5F,CAAC;AACH,CAAC"}

package/dist/lib/brain-io.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"brain-io.d.ts","sourceRoot":"","sources":["../../src/lib/brain-io.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAyCH;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAuBxE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAIvF;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAM1F;AAID;;;GAGG;AACH,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAOrE;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAKrF;AAID;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAuB7D;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAI5E;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAInD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAO9E;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAS1F"}
+{"version":3,"file":"brain-io.d.ts","sourceRoot":"","sources":["../../src/lib/brain-io.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AA+EH;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CA0BxE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAMvF;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAQ1F;AAID;;;GAGG;AACH,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAUrE;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAOrF;AAID;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CA0B7D;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAM5E;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAInD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAO9E;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAS1F"}

package/dist/lib/brain-io.js

@@ -16,6 +16,10 @@ import { readFileSync, appendFileSync, mkdirSync, existsSync, } from "node:fs";
 import { dirname } from "node:path";
 import { createLogger } from "../utils/logger.js";
 import { getEncryptionKey, getWriteEncryptionKey } from "./key-store.js";
+import { logAccess, logAccessSync } from "./audit.js";
+import { assertNotLocked, toBrainRelativePath } from "./locked.js";
+import { getAuditContext } from "./audit.js";
+import { getManifest, canRead, canWrite } from "../access/manifest.js";
 const log = createLogger("brain-io");
 import { shouldEncryptFile } from "./encryption-config.js";
 import { encryptLine, decryptLine, isEncryptedLine, encryptFile, decryptFile, isEncryptedFile, } from "./encryption.js";
@@ -32,6 +36,37 @@ function writeKey(filePath) {
         return null;
     return getWriteEncryptionKey();
 }
+// ── Access enforcement ───────────────────────────────────────────────────────
+/**
+ * Assert that the current instance (from AuditContext) has access to the path.
+ * No-op when instanceName is undefined (backward compatible).
+ * Checks the instance's access manifest; logs denied access to audit.
+ *
+ * @param absolutePath - Absolute file path
+ * @param operation - "read" or "write"
+ */
+function assertAccess(absolutePath, operation) {
+    const ctx = getAuditContext();
+    if (!ctx?.instanceName)
+        return; // No instance context — skip check
+    const relPath = toBrainRelativePath(absolutePath);
+    if (relPath === null)
+        return; // Not a brain path
+    const manifest = getManifest(ctx.instanceName);
+    if (!manifest)
+        return; // No manifest loaded — skip (permissive for unknown instances)
+    const allowed = operation === "read"
+        ? canRead(manifest, relPath)
+        : canWrite(manifest, relPath);
+    if (!allowed) {
+        log.warn("Access denied by manifest", {
+            instance: ctx.instanceName,
+            path: relPath,
+            operation,
+        });
+        throw new Error(`Access denied: ${ctx.instanceName} cannot ${operation} ${relPath}`);
+    }
+}
 // ── Async JSONL (per-line) I/O ───────────────────────────────────────────────
 /**
  * Read a JSONL file, decrypting each line if needed.
@@ -39,6 +74,9 @@ function writeKey(filePath) {
  * Empty/whitespace lines are filtered out.
  */
 export async function readBrainLines(filePath) {
+    assertNotLocked(filePath);
+    assertAccess(filePath, "read");
+    logAccess(filePath, "readBrainLines");
     let raw;
     try {
         raw = await readFile(filePath, "utf-8");
@@ -68,6 +106,8 @@ export async function readBrainLines(filePath) {
  * The line should be a JSON string (not newline-terminated).
  */
 export async function appendBrainLine(filePath, jsonLine) {
+    assertNotLocked(filePath);
+    assertAccess(filePath, "write");
     const key = writeKey(filePath);
     const line = key ? encryptLine(jsonLine, key) : jsonLine;
     await appendFile(filePath, line + "\n", "utf-8");
@@ -77,6 +117,8 @@ export async function appendBrainLine(filePath, jsonLine) {
  * Used for compaction/rotation where the whole file is rewritten.
  */
 export async function writeBrainLines(filePath, jsonLines) {
+    assertNotLocked(filePath);
+    assertAccess(filePath, "write");
     const key = writeKey(filePath);
     const output = jsonLines
         .map((l) => (key ? encryptLine(l, key) : l))
@@ -89,6 +131,9 @@ export async function writeBrainLines(filePath, jsonLines) {
  * Returns the plaintext content. Falls back to raw content if not encrypted.
  */
 export async function readBrainFile(filePath) {
+    assertNotLocked(filePath);
+    assertAccess(filePath, "read");
+    logAccess(filePath, "readBrainFile");
     const raw = await readFile(filePath, "utf-8");
     const key = readKey(filePath);
     if (key && isEncryptedFile(raw)) {
@@ -101,6 +146,8 @@ export async function readBrainFile(filePath) {
  * Creates parent directories if needed.
  */
 export async function writeBrainFile(filePath, content) {
+    assertNotLocked(filePath);
+    assertAccess(filePath, "write");
     await mkdir(dirname(filePath), { recursive: true });
     const key = writeKey(filePath);
     const output = key ? encryptFile(content, key) : content;
@@ -111,6 +158,9 @@ export async function writeBrainFile(filePath, content) {
  * Synchronously read a JSONL file, decrypting each line if needed.
  */
 export function readBrainLinesSync(filePath) {
+    assertNotLocked(filePath);
+    assertAccess(filePath, "read");
+    logAccessSync(filePath, "readBrainLinesSync");
     let raw;
     try {
         raw = readFileSync(filePath, "utf-8");
@@ -139,6 +189,8 @@ export function readBrainLinesSync(filePath) {
  * Synchronously append a single line to a JSONL file, encrypting if enabled.
  */
 export function appendBrainLineSync(filePath, jsonLine) {
+    assertNotLocked(filePath);
+    assertAccess(filePath, "write");
     const key = writeKey(filePath);
     const line = key ? encryptLine(jsonLine, key) : jsonLine;
     appendFileSync(filePath, line + "\n", "utf-8");

package/dist/lib/brain-io.js.map

@@ -1 +1 @@
-{"version":3,"file":"brain-io.js","sourceRoot":"","sources":["../../src/lib/brain-io.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EACL,YAAY,EAEZ,cAAc,EACd,SAAS,EACT,UAAU,GACX,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAEzE,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EACL,WAAW,EACX,WAAW,EACX,eAAe,EACf,WAAW,EACX,WAAW,EACX,eAAe,GAChB,MAAM,iBAAiB,CAAC;AAEzB,gFAAgF;AAEhF,6FAA6F;AAC7F,SAAS,OAAO,CAAC,QAAgB;IAC/B,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9C,OAAO,gBAAgB,EAAE,CAAC;AAC5B,CAAC;AAED,qGAAqG;AACrG,SAAS,QAAQ,CAAC,QAAgB;IAChC,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9C,OAAO,qBAAqB,EAAE,CAAC;AACjC,CAAC;AAED,gFAAgF;AAEhF;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB;IACnD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IAEvB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACxB,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACH,OAAO,WAAW,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAChC,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,KAAK,CAAC,iCAAiC,QAAQ,0BAA0B,CAAC,CAAC;gBAC/E,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,QAAgB,EAAE,QAAgB;IACtE,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IACzD,MAAM,UAAU,CAAC,QAAQ,EAAE,IAAI,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AACnD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,QAAgB,EAAE,SAAmB;IACzE,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,SAAS;SACrB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SAC3C,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACrB,MAAM,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAC7C,CAAC;AAED,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,QAAgB;IAClD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,GAAG,IAAI,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,OAAO,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,OAAe;IACpE,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IACzD,MAAM,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAC7C,CAAC;AAED,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAgB;IACjD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IAEvB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACxB,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACH,OAAO,WAAW,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAChC,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,KAAK,CAAC,iCAAiC,QAAQ,0BAA0B,CAAC,CAAC;gBAC/E,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB,EAAE,QAAgB;IACpE,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IACzD,cAAc,CAAC,QAAQ,EAAE,IAAI,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AACjD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,OAAe;IAC3C,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACzB,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB,EAAE,UAAkB;IACtE,aAAa,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;IACjC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7D,cAAc,CAAC,QAAQ,EAAE,IAAI,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IACjD,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,QAAgB,EAAE,UAAkB;IACzE,IAAI,CAAC;QACH,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7D,MAAM,UAAU,CAAC,QAAQ,EAAE,IAAI,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IACnD,CAAC;AACH,CAAC"}
+{"version":3,"file":"brain-io.js","sourceRoot":"","sources":["../../src/lib/brain-io.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EACL,YAAY,EAEZ,cAAc,EACd,SAAS,EACT,UAAU,GACX,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AACzE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AACnE,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAEvE,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EACL,WAAW,EACX,WAAW,EACX,eAAe,EACf,WAAW,EACX,WAAW,EACX,eAAe,GAChB,MAAM,iBAAiB,CAAC;AAEzB,gFAAgF;AAEhF,6FAA6F;AAC7F,SAAS,OAAO,CAAC,QAAgB;IAC/B,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9C,OAAO,gBAAgB,EAAE,CAAC;AAC5B,CAAC;AAED,qGAAqG;AACrG,SAAS,QAAQ,CAAC,QAAgB;IAChC,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9C,OAAO,qBAAqB,EAAE,CAAC;AACjC,CAAC;AAED,gFAAgF;AAEhF;;;;;;;GAOG;AACH,SAAS,YAAY,CAAC,YAAoB,EAAE,SAA2B;IACrE,MAAM,GAAG,GAAG,eAAe,EAAE,CAAC;IAC9B,IAAI,CAAC,GAAG,EAAE,YAAY;QAAE,OAAO,CAAC,mCAAmC;IAEnE,MAAM,OAAO,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAC;IAClD,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,CAAC,mBAAmB;IAEjD,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAC/C,IAAI,CAAC,QAAQ;QAAE,OAAO,CAAC,+DAA+D;IAEtF,MAAM,OAAO,GAAG,SAAS,KAAK,MAAM;QAClC,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC;QAC5B,CAAC,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAEhC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CAAC,2BAA2B,EAAE;YACpC,QAAQ,EAAE,GAAG,CAAC,YAAY;YAC1B,IAAI,EAAE,OAAO;YACb,SAAS;SACV,CAAC,CAAC;QACH,MAAM,IAAI,KAAK,CAAC,kBAAkB,GAAG,CAAC,YAAY,WAAW,SAAS,IAAI,OAAO,EAAE,CAAC,CAAC;IACvF,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB;IACnD,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC1B,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC/B,SAAS,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;IACtC,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IAEvB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACxB,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACH,OAAO,WAAW,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAChC,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,KAAK,CAAC,iCAAiC,QAAQ,0BAA0B,CAAC,CAAC;gBAC/E,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,QAAgB,EAAE,QAAgB;IACtE,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC1B,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChC,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IACzD,MAAM,UAAU,CAAC,QAAQ,EAAE,IAAI,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AACnD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,QAAgB,EAAE,SAAmB;IACzE,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC1B,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChC,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,SAAS;SACrB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SAC3C,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACrB,MAAM,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAC7C,CAAC;AAED,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,QAAgB;IAClD,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC1B,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC/B,SAAS,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,GAAG,IAAI,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,OAAO,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,OAAe;IACpE,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC1B,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChC,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IACzD,MAAM,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAC7C,CAAC;AAED,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAgB;IACjD,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC1B,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC/B,aAAa,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAC;IAC9C,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IAEvB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACxB,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACH,OAAO,WAAW,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAChC,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,KAAK,CAAC,iCAAiC,QAAQ,0BAA0B,CAAC,CAAC;gBAC/E,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB,EAAE,QAAgB;IACpE,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC1B,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChC,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IACzD,cAAc,CAAC,QAAQ,EAAE,IAAI,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AACjD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,OAAe;IAC3C,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACzB,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB,EAAE,UAAkB;IACtE,aAAa,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;IACjC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7D,cAAc,CAAC,QAAQ,EAAE,IAAI,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IACjD,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,QAAgB,EAAE,UAAkB;IACzE,IAAI,CAAC;QACH,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7D,MAAM,UAAU,CAAC,QAAQ,EAAE,IAAI,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IACnD,CAAC;AACH,CAAC"}

package/dist/lib/dpapi.d.ts

@@ -0,0 +1,14 @@
+/**
+ * DPAPI wrapper — encrypts/decrypts data using Windows Data Protection API.
+ * Keys are tied to the current Windows user account.
+ * Falls back to plaintext on non-Windows or if DPAPI is unavailable.
+ */
+/**
+ * Read a session key file. Tries DPAPI-protected format first (.dpapi),
+ * falls back to plaintext hex. If plaintext found, migrates to DPAPI.
+ * Returns the raw key as a Buffer, or null if not found.
+ */
+export declare function readSessionKey(keyPath: string): Promise<Buffer | null>;
+/** Check if DPAPI is available on this system. */
+export declare function isDpapiAvailable(): boolean;
+//# sourceMappingURL=dpapi.d.ts.map

package/dist/lib/dpapi.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpapi.d.ts","sourceRoot":"","sources":["../../src/lib/dpapi.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAkDH;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAuC5E;AAED,kDAAkD;AAClD,wBAAgB,gBAAgB,IAAI,OAAO,CAQ1C"}

package/dist/lib/dpapi.js

@@ -0,0 +1,104 @@
+/**
+ * DPAPI wrapper — encrypts/decrypts data using Windows Data Protection API.
+ * Keys are tied to the current Windows user account.
+ * Falls back to plaintext on non-Windows or if DPAPI is unavailable.
+ */
+import { execSync } from "node:child_process";
+import { readFile, writeFile, realpath } from "node:fs/promises";
+import { existsSync } from "node:fs";
+const IS_WINDOWS = process.platform === "win32";
+/** Encode a PowerShell script as base64 UTF-16LE for -EncodedCommand. */
+function encodePS(script) {
+    return Buffer.from(script, "utf16le").toString("base64");
+}
+/** Run a PowerShell script reliably via -EncodedCommand. */
+function runPS(script) {
+    const encoded = encodePS(script);
+    return execSync(`powershell -NoProfile -EncodedCommand ${encoded}`, { encoding: "utf-8", windowsHide: true }).trim();
+}
+/** DPAPI-protect a Buffer, returns base64-encoded ciphertext. */
+function dpapiProtect(data) {
+    const b64Input = data.toString("base64");
+    return runPS(`
+    Add-Type -AssemblyName System.Security
+    $bytes = [Convert]::FromBase64String("${b64Input}")
+    $enc = [System.Security.Cryptography.ProtectedData]::Protect(
+      $bytes, [byte[]]@(),
+      [System.Security.Cryptography.DataProtectionScope]::CurrentUser
+    )
+    [Convert]::ToBase64String($enc)
+  `);
+}
+/** DPAPI-unprotect a base64-encoded ciphertext, returns Buffer. */
+function dpapiUnprotect(b64Ciphertext) {
+    const result = runPS(`
+    Add-Type -AssemblyName System.Security
+    $enc = [Convert]::FromBase64String("${b64Ciphertext}")
+    $dec = [System.Security.Cryptography.ProtectedData]::Unprotect(
+      $enc, [byte[]]@(),
+      [System.Security.Cryptography.DataProtectionScope]::CurrentUser
+    )
+    [Convert]::ToBase64String($dec)
+  `);
+    return Buffer.from(result, "base64");
+}
+/**
+ * Read a session key file. Tries DPAPI-protected format first (.dpapi),
+ * falls back to plaintext hex. If plaintext found, migrates to DPAPI.
+ * Returns the raw key as a Buffer, or null if not found.
+ */
+export async function readSessionKey(keyPath) {
+    // Resolve symlinks so .dpapi file lands next to the real key
+    let resolvedPath = keyPath;
+    try {
+        resolvedPath = await realpath(keyPath);
+    }
+    catch {
+        // realpath fails if file doesn't exist — use original
+    }
+    const dpapiPath = resolvedPath + ".dpapi";
+    // Try DPAPI-protected version first
+    if (IS_WINDOWS && existsSync(dpapiPath)) {
+        try {
+            const b64 = (await readFile(dpapiPath, "utf-8")).trim();
+            if (b64.length > 0)
+                return dpapiUnprotect(b64);
+        }
+        catch {
+            // DPAPI decrypt failed — fall through to plaintext
+        }
+    }
+    // Try plaintext hex file
+    if (!existsSync(resolvedPath))
+        return null;
+    const hex = (await readFile(resolvedPath, "utf-8")).trim();
+    if (!/^[0-9a-f]{64}$/i.test(hex))
+        return null;
+    const key = Buffer.from(hex, "hex");
+    // Migrate: protect with DPAPI and save
+    if (IS_WINDOWS) {
+        try {
+            const protected64 = dpapiProtect(key);
+            await writeFile(dpapiPath, protected64, "utf-8");
+            // Don't delete the plaintext yet — Dash may still need it
+            // until Dash also uses this reader
+        }
+        catch {
+            // DPAPI not available — keep using plaintext
+        }
+    }
+    return key;
+}
+/** Check if DPAPI is available on this system. */
+export function isDpapiAvailable() {
+    if (!IS_WINDOWS)
+        return false;
+    try {
+        dpapiProtect(Buffer.from("test"));
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=dpapi.js.map

package/dist/lib/dpapi.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpapi.js","sourceRoot":"","sources":["../../src/lib/dpapi.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAErC,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;AAEhD,yEAAyE;AACzE,SAAS,QAAQ,CAAC,MAAc;IAC9B,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC3D,CAAC;AAED,4DAA4D;AAC5D,SAAS,KAAK,CAAC,MAAc;IAC3B,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;IACjC,OAAO,QAAQ,CACb,yCAAyC,OAAO,EAAE,EAClD,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,CACzC,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AAED,iEAAiE;AACjE,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzC,OAAO,KAAK,CAAC;;4CAE6B,QAAQ;;;;;;GAMjD,CAAC,CAAC;AACL,CAAC;AAED,mEAAmE;AACnE,SAAS,cAAc,CAAC,aAAqB;IAC3C,MAAM,MAAM,GAAG,KAAK,CAAC;;0CAEmB,aAAa;;;;;;GAMpD,CAAC,CAAC;IACH,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAAe;IAClD,6DAA6D;IAC7D,IAAI,YAAY,GAAG,OAAO,CAAC;IAC3B,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,sDAAsD;IACxD,CAAC;IACD,MAAM,SAAS,GAAG,YAAY,GAAG,QAAQ,CAAC;IAE1C,oCAAoC;IACpC,IAAI,UAAU,IAAI,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACxC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,CAAC,MAAM,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACxD,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,GAAG,GAAG,CAAC,MAAM,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC3D,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAEpC,uCAAuC;IACvC,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;YACtC,MAAM,SAAS,CAAC,SAAS,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;YACjD,0DAA0D;YAC1D,mCAAmC;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,6CAA6C;QAC/C,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,kDAAkD;AAClD,MAAM,UAAU,gBAAgB;IAC9B,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC9B,IAAI,CAAC;QACH,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/lib/glob-match.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Minimal glob matcher for brain-relative paths.
+ *
+ * Supports:
+ *   - `**`  — match any number of path segments (including zero)
+ *   - `*`   — match a single path segment (no slashes)
+ *   - exact — literal string match
+ *
+ * No external dependencies. Used by vault policy + access manifests.
+ */
+/**
+ * Test whether a brain-relative path matches a glob pattern.
+ *
+ * @param pattern - Glob pattern (e.g. "memory/**", "identity/*.md", "ops/audit.jsonl")
+ * @param path    - Brain-relative path with forward slashes (e.g. "memory/semantic.jsonl")
+ */
+export declare function matchGlob(pattern: string, path: string): boolean;
+/**
+ * Test whether a path matches ANY of the given glob patterns.
+ */
+export declare function matchAnyGlob(patterns: string[], path: string): boolean;
+//# sourceMappingURL=glob-match.d.ts.map

package/dist/lib/glob-match.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"glob-match.d.ts","sourceRoot":"","sources":["../../src/lib/glob-match.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAqCH;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAIhE;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAEtE"}

package/dist/lib/glob-match.js

@@ -0,0 +1,64 @@
+/**
+ * Minimal glob matcher for brain-relative paths.
+ *
+ * Supports:
+ *   - `**`  — match any number of path segments (including zero)
+ *   - `*`   — match a single path segment (no slashes)
+ *   - exact — literal string match
+ *
+ * No external dependencies. Used by vault policy + access manifests.
+ */
+/**
+ * Convert a glob pattern to a RegExp.
+ * Patterns are matched against forward-slash-normalized brain-relative paths.
+ */
+function globToRegex(pattern) {
+    // Normalize
+    const p = pattern.replace(/\\/g, "/").replace(/\/+$/, "");
+    let regex = "^";
+    let i = 0;
+    while (i < p.length) {
+        if (p[i] === "*" && p[i + 1] === "*") {
+            // ** — match any depth (including zero segments)
+            // Consume trailing slash if present
+            i += 2;
+            if (p[i] === "/")
+                i++;
+            regex += "(?:.+/)?";
+        }
+        else if (p[i] === "*") {
+            // * — match single segment (no slashes)
+            regex += "[^/]+";
+            i++;
+        }
+        else if (".+?^${}()|[]\\".includes(p[i])) {
+            // Escape regex special chars
+            regex += "\\" + p[i];
+            i++;
+        }
+        else {
+            regex += p[i];
+            i++;
+        }
+    }
+    regex += "$";
+    return new RegExp(regex);
+}
+/**
+ * Test whether a brain-relative path matches a glob pattern.
+ *
+ * @param pattern - Glob pattern (e.g. "memory/**", "identity/*.md", "ops/audit.jsonl")
+ * @param path    - Brain-relative path with forward slashes (e.g. "memory/semantic.jsonl")
+ */
+export function matchGlob(pattern, path) {
+    const normalized = path.replace(/\\/g, "/");
+    const re = globToRegex(pattern);
+    return re.test(normalized);
+}
+/**
+ * Test whether a path matches ANY of the given glob patterns.
+ */
+export function matchAnyGlob(patterns, path) {
+    return patterns.some((p) => matchGlob(p, path));
+}
+//# sourceMappingURL=glob-match.js.map

package/dist/lib/glob-match.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"glob-match.js","sourceRoot":"","sources":["../../src/lib/glob-match.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH;;;GAGG;AACH,SAAS,WAAW,CAAC,OAAe;IAClC,YAAY;IACZ,MAAM,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAE1D,IAAI,KAAK,GAAG,GAAG,CAAC;IAChB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;QACpB,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACrC,iDAAiD;YACjD,oCAAoC;YACpC,CAAC,IAAI,CAAC,CAAC;YACP,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG;gBAAE,CAAC,EAAE,CAAC;YACtB,KAAK,IAAI,UAAU,CAAC;QACtB,CAAC;aAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACxB,wCAAwC;YACxC,KAAK,IAAI,OAAO,CAAC;YACjB,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3C,6BAA6B;YAC7B,KAAK,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACrB,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,CAAC;YACN,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YACd,CAAC,EAAE,CAAC;QACN,CAAC;IACH,CAAC;IACD,KAAK,IAAI,GAAG,CAAC;IAEb,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,OAAe,EAAE,IAAY;IACrD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC5C,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAChC,OAAO,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,QAAkB,EAAE,IAAY;IAC3D,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AAClD,CAAC"}

package/dist/lib/locked.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Centralized .locked file enforcement for brain paths.
+ *
+ * Shared by both MCP server (stdio) and direct file access (brain-io).
+ * Ensures locked paths are consistently protected regardless of access channel.
+ *
+ * Lock rules:
+ * - Exact path match (e.g. "identity/human.json")
+ * - Filename-only match (e.g. ".session-key" matches "identity/.session-key")
+ * - Directory prefix match (e.g. "identity/" matches "identity/foo.md")
+ */
+/**
+ * Read brain/.locked and merge with hardcoded minimums. Caches result.
+ * Safe to call multiple times — returns cached paths after first load.
+ */
+export declare function loadLockedPaths(): Promise<string[]>;
+/**
+ * Synchronous variant — reads .locked file on first call, caches after.
+ */
+export declare function loadLockedPathsSync(): string[];
+/** Force reload of locked paths (e.g. when listing current locks). */
+export declare function reloadLockedPaths(): Promise<string[]>;
+/** Get the currently cached locked paths. Loads synchronously if not yet cached. */
+export declare function getLockedPaths(): string[];
+/**
+ * Check if a brain-relative path (forward slashes) is locked.
+ * Matches exact paths, filename-only, and directory prefixes.
+ */
+export declare function isLocked(relPath: string): boolean;
+/**
+ * Convert an absolute file path to a brain-relative path.
+ * Returns null if the path is not under brain/.
+ */
+export declare function toBrainRelativePath(absolutePath: string): string | null;
+/**
+ * Assert that an absolute path is not locked. Throws if locked.
+ * No-op for paths outside brain/.
+ */
+export declare function assertNotLocked(absolutePath: string): void;
+//# sourceMappingURL=locked.d.ts.map

package/dist/lib/locked.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"locked.d.ts","sourceRoot":"","sources":["../../src/lib/locked.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAgBH;;;GAGG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAezD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,EAAE,CAkB9C;AAED,sEAAsE;AACtE,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAG3D;AAED,oFAAoF;AACpF,wBAAgB,cAAc,IAAI,MAAM,EAAE,CAGzC;AAED;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAajD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CASvE;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAM1D"}