@sentropic/h2a-cli 0.21.0 → 0.23.0

package/dist/mcp.d.ts

@@ -1,2 +1,2 @@
-export declare const H2A_CLI_MCP_TOOL_NAMES: readonly ["h2a_register_instance", "h2a_discover_instances", "h2a_open_negotiation", "h2a_offer", "h2a_counteroffer", "h2a_sign", "h2a_stabilize", "h2a_inbox", "h2a_append_journal", "h2a_escalate", "h2a_session_open", "h2a_session_close", "h2a_discover_sessions", "h2a_nhi_report", "h2a_nhi_inventory", "h2a_nhi_attest", "h2a_nhi_offboard", "h2a_nhi_export", "h2a_blockage_raise", "h2a_blockage_list", "h2a_blockage_resolve"];
+export declare const H2A_CLI_MCP_TOOL_NAMES: readonly ["h2a_register_instance", "h2a_discover_instances", "h2a_open_negotiation", "h2a_offer", "h2a_counteroffer", "h2a_sign", "h2a_stabilize", "h2a_declare_conflit_interet", "h2a_conflict_posture", "h2a_inbox", "h2a_append_journal", "h2a_escalate", "h2a_session_open", "h2a_session_close", "h2a_discover_sessions", "h2a_nhi_report", "h2a_nhi_inventory", "h2a_nhi_attest", "h2a_nhi_offboard", "h2a_nhi_export", "h2a_blockage_raise", "h2a_blockage_list", "h2a_blockage_resolve"];
 //# sourceMappingURL=mcp.d.ts.map

package/dist/mcp.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mcp.d.ts","sourceRoot":"","sources":["../src/mcp.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,sBAAsB,2aAsBzB,CAAC"}
+{"version":3,"file":"mcp.d.ts","sourceRoot":"","sources":["../src/mcp.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,sBAAsB,keAwBzB,CAAC"}

package/dist/mcp.js

@@ -6,6 +6,8 @@ export const H2A_CLI_MCP_TOOL_NAMES = [
     "h2a_counteroffer",
     "h2a_sign",
     "h2a_stabilize",
+    "h2a_declare_conflit_interet",
+    "h2a_conflict_posture",
     "h2a_inbox",
     "h2a_append_journal",
     "h2a_escalate",

package/dist/mcp.js.map

@@ -1 +1 @@
-{"version":3,"file":"mcp.js","sourceRoot":"","sources":["../src/mcp.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,uBAAuB;IACvB,wBAAwB;IACxB,sBAAsB;IACtB,WAAW;IACX,kBAAkB;IAClB,UAAU;IACV,eAAe;IACf,WAAW;IACX,oBAAoB;IACpB,cAAc;IACd,kBAAkB;IAClB,mBAAmB;IACnB,uBAAuB;IACvB,gBAAgB;IAChB,mBAAmB;IACnB,gBAAgB;IAChB,kBAAkB;IAClB,gBAAgB;IAChB,oBAAoB;IACpB,mBAAmB;IACnB,sBAAsB;CACd,CAAC"}
+{"version":3,"file":"mcp.js","sourceRoot":"","sources":["../src/mcp.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,uBAAuB;IACvB,wBAAwB;IACxB,sBAAsB;IACtB,WAAW;IACX,kBAAkB;IAClB,UAAU;IACV,eAAe;IACf,6BAA6B;IAC7B,sBAAsB;IACtB,WAAW;IACX,oBAAoB;IACpB,cAAc;IACd,kBAAkB;IAClB,mBAAmB;IACnB,uBAAuB;IACvB,gBAAgB;IAChB,mBAAmB;IACnB,gBAAgB;IAChB,kBAAkB;IAClB,gBAAgB;IAChB,oBAAoB;IACpB,mBAAmB;IACnB,sBAAsB;CACd,CAAC"}

package/dist/runtime/drive/index.d.ts

@@ -0,0 +1,72 @@
+import { type H2ALaunchContext, type H2AReplayGuard, type H2ASignature } from "@sentropic/h2a";
+import type { LocalStore } from "../local-files/store.js";
+import { type RelauncherRuntime } from "../drumbeat/relaunchers.js";
+export interface H2ADriveInstructionPayload {
+    readonly from: string;
+    readonly to: string;
+    readonly instruction: string;
+    readonly nonce: string;
+    readonly at: string;
+}
+export interface FormatSignedDriveInstructionOptions {
+    readonly from: string;
+    readonly to: string;
+    readonly instruction: string;
+    readonly privateKeyPem: string;
+    readonly nonce?: string;
+    readonly at?: string;
+    readonly now?: () => number;
+}
+export interface ParsedSignedDriveInstruction {
+    readonly payload: H2ADriveInstructionPayload;
+    readonly signature: H2ASignature;
+}
+export type H2ADriveVerifyReason = "malformed" | "no-public-key" | "bad-signature" | "invalid-timestamp" | "expired" | "future" | "replayed";
+export type H2ADriveVerifyResult = {
+    readonly ok: true;
+    readonly payload: H2ADriveInstructionPayload;
+} | {
+    readonly ok: false;
+    readonly reason: H2ADriveVerifyReason;
+};
+export interface VerifySignedDriveInstructionOptions {
+    readonly resolvePublicKeys: (instance: string) => readonly string[];
+    readonly guard: H2AReplayGuard;
+    readonly now?: number;
+}
+export type H2ADriveAuthorizeReason = "missing-registration" | "unauthorized";
+export type H2ADriveAuthorizeResult = {
+    readonly ok: true;
+} | {
+    readonly ok: false;
+    readonly reason: H2ADriveAuthorizeReason;
+};
+export interface H2ADriveRequest {
+    readonly to: string;
+    readonly instructionLine: string;
+    readonly launchContext?: H2ALaunchContext;
+}
+export interface H2ADriver {
+    drive(request: H2ADriveRequest): boolean | Promise<boolean>;
+}
+export type H2ADriverKind = "logging" | "native" | "local-tmux" | "headless" | "auto";
+export interface NativeBackchannelDriverOptions {
+    readonly send?: (request: H2ADriveRequest) => boolean | Promise<boolean>;
+}
+export interface DriverRuntimeOptions {
+    readonly runtime?: RelauncherRuntime;
+    readonly log?: (line: string) => void;
+}
+export declare function formatSignedDriveInstruction(options: FormatSignedDriveInstructionOptions): string;
+export declare function parseSignedDriveInstruction(line: string): ParsedSignedDriveInstruction | undefined;
+export declare function verifySignedDriveInstruction(line: string, options: VerifySignedDriveInstructionOptions): H2ADriveVerifyResult;
+export declare function authorizeDrive(store: Pick<LocalStore, "findInstance">, request: {
+    readonly from: string;
+    readonly to: string;
+}): H2ADriveAuthorizeResult;
+export declare function loggingDriver(log?: (line: string) => void): H2ADriver;
+export declare function nativeBackchannelDriver(options?: NativeBackchannelDriverOptions): H2ADriver;
+export declare function localTmuxDriver(options?: DriverRuntimeOptions): H2ADriver;
+export declare function headlessDriver(options?: DriverRuntimeOptions): H2ADriver;
+export declare function chainDriver(...drivers: readonly H2ADriver[]): H2ADriver;
+//# sourceMappingURL=index.d.ts.map

package/dist/runtime/drive/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/runtime/drive/index.ts"],"names":[],"mappings":"AAmBA,OAAO,EAOL,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,YAAY,EAClB,MAAM,gBAAgB,CAAC;AAExB,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAGL,KAAK,iBAAiB,EACvB,MAAM,4BAA4B,CAAC;AAEpC,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,mCAAmC;IAClD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,CAAC,OAAO,EAAE,0BAA0B,CAAC;IAC7C,QAAQ,CAAC,SAAS,EAAE,YAAY,CAAC;CAClC;AAED,MAAM,MAAM,oBAAoB,GAC5B,WAAW,GACX,eAAe,GACf,eAAe,GACf,mBAAmB,GACnB,SAAS,GACT,QAAQ,GACR,UAAU,CAAC;AAEf,MAAM,MAAM,oBAAoB,GAC5B;IAAE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAAC,QAAQ,CAAC,OAAO,EAAE,0BAA0B,CAAA;CAAE,GACnE;IAAE,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAA;CAAE,CAAC;AAElE,MAAM,WAAW,mCAAmC;IAClD,QAAQ,CAAC,iBAAiB,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,SAAS,MAAM,EAAE,CAAC;IACpE,QAAQ,CAAC,KAAK,EAAE,cAAc,CAAC;IAC/B,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,MAAM,uBAAuB,GAAG,sBAAsB,GAAG,cAAc,CAAC;AAE9E,MAAM,MAAM,uBAAuB,GAC/B;IAAE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAA;CAAE,GACrB;IAAE,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,uBAAuB,CAAA;CAAE,CAAC;AAErE,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,aAAa,CAAC,EAAE,gBAAgB,CAAC;CAC3C;AAED,MAAM,WAAW,SAAS;IACxB,KAAK,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC7D;AAED,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG,QAAQ,GAAG,YAAY,GAAG,UAAU,GAAG,MAAM,CAAC;AAEtF,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,eAAe,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC1E;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,OAAO,CAAC,EAAE,iBAAiB,CAAC;IACrC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;CACvC;AAuBD,wBAAgB,4BAA4B,CAC1C,OAAO,EAAE,mCAAmC,GAC3C,MAAM,CAcR;AAED,wBAAgB,2BAA2B,CACzC,IAAI,EAAE,MAAM,GACX,4BAA4B,GAAG,SAAS,CAmB1C;AAED,wBAAgB,4BAA4B,CAC1C,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,mCAAmC,GAC3C,oBAAoB,CActB;AAeD,wBAAgB,cAAc,CAC5B,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,EACvC,OAAO,EAAE;IAAE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;CAAE,GACtD,uBAAuB,CAUzB;AAED,wBAAgB,aAAa,CAAC,GAAG,GAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAsB,GAAG,SAAS,CAOtF;AAED,wBAAgB,uBAAuB,CACrC,OAAO,GAAE,8BAAmC,GAC3C,SAAS,CAMX;AAED,wBAAgB,eAAe,CAAC,OAAO,GAAE,oBAAyB,GAAG,SAAS,CAkB7E;AAED,wBAAgB,cAAc,CAAC,OAAO,GAAE,oBAAyB,GAAG,SAAS,CAY5E;AAED,wBAAgB,WAAW,CAAC,GAAG,OAAO,EAAE,SAAS,SAAS,EAAE,GAAG,SAAS,CASvE"}

package/dist/runtime/drive/index.js

@@ -0,0 +1,175 @@
+/**
+ * EVO-1 bilateral-discussion driver (signed terminal injection), slice E1a.
+ *
+ * Provides the SENDER half end-to-end (`h2a drive`): a signed instruction line
+ * `[h2a from=… sig=…] <instruction>`, an `H2ADriver` chain
+ * (logging/native/local-tmux/headless/auto), and a sender-side authority gate.
+ *
+ * `verifySignedDriveInstruction` + the receiver `authorizeDrive` below are
+ * exported, tested primitives but are **library-only in E1a — not yet wired
+ * into any host receive hook**. The receiver-side "verify-before-act" is
+ * deferred to E1c (local plugin authority hook) and is mandatory in E1d
+ * (remote, which crosses the trust boundary). This is consistent with the
+ * ratified single-trusted-user local threat model (DEC-116): a malicious local
+ * injector is out of scope; the signature gives provenance + accountability and
+ * the sender gate blocks unauthorized h2a drives. Declared boundary, not a gap
+ * — see docs/superpowers/specs/2026-05-31-evo1-bilateral-discussion-driver-framing.md.
+ */
+import { randomBytes } from "node:crypto";
+import { H2A_AUTHORITY_MATRIX, canSignArtifactKind, signCanonical, verifyCanonical } from "@sentropic/h2a";
+import { defaultRelauncherRuntime, tmuxTarget } from "../drumbeat/relaunchers.js";
+function randomNonce() {
+    return randomBytes(12).toString("hex");
+}
+function driveReplayEnvelope(payload) {
+    return {
+        protocol: "sentropic.h2a",
+        version: "0.1",
+        id: `drive:${payload.from}:${payload.to}:${payload.nonce}`,
+        type: "event",
+        actor: { instance: payload.from, role: "AGENTS", scope: "scope:default" },
+        target: { instance: payload.to },
+        body: { kind: "drive.instruction" },
+        createdAt: payload.at
+    };
+}
+function shellQuote(value) {
+    return `'${value.replace(/'/g, `'\\''`)}'`;
+}
+export function formatSignedDriveInstruction(options) {
+    const now = options.now?.() ?? Date.now();
+    const payload = {
+        from: options.from,
+        to: options.to,
+        instruction: options.instruction,
+        nonce: options.nonce ?? randomNonce(),
+        at: options.at ?? new Date(now).toISOString()
+    };
+    const signature = signCanonical(payload, {
+        by: options.from,
+        privateKeyPem: options.privateKeyPem
+    });
+    return `[h2a from=${payload.from} to=${payload.to} nonce=${payload.nonce} at=${payload.at} sig=${signature.value}] ${payload.instruction}`;
+}
+export function parseSignedDriveInstruction(line) {
+    const match = /^\[h2a ([^\]]+)\] ([\s\S]*)$/.exec(line);
+    if (!match)
+        return undefined;
+    const attrs = new Map();
+    for (const part of match[1].split(" ")) {
+        const idx = part.indexOf("=");
+        if (idx <= 0)
+            return undefined;
+        attrs.set(part.slice(0, idx), part.slice(idx + 1));
+    }
+    const from = attrs.get("from");
+    const to = attrs.get("to");
+    const nonce = attrs.get("nonce");
+    const at = attrs.get("at");
+    const sig = attrs.get("sig");
+    if (!from || !to || !nonce || !at || !sig)
+        return undefined;
+    return {
+        payload: { from, to, instruction: match[2], nonce, at },
+        signature: { by: from, alg: "ed25519", value: sig }
+    };
+}
+export function verifySignedDriveInstruction(line, options) {
+    const parsed = parseSignedDriveInstruction(line);
+    if (!parsed)
+        return { ok: false, reason: "malformed" };
+    const publicKeys = options.resolvePublicKeys(parsed.payload.from);
+    if (publicKeys.length === 0)
+        return { ok: false, reason: "no-public-key" };
+    const signatureOk = publicKeys.some((pem) => verifyCanonical(parsed.payload, parsed.signature, pem));
+    if (!signatureOk)
+        return { ok: false, reason: "bad-signature" };
+    const replay = options.guard.accept(driveReplayEnvelope(parsed.payload), options.now);
+    if (!replay.ok) {
+        return { ok: false, reason: replay.reason ?? "replayed" };
+    }
+    return { ok: true, payload: parsed.payload };
+}
+function hasSharedScope(a, b) {
+    const bScopes = new Set(b.scopes);
+    return a.scopes.some((scope) => bScopes.has(scope));
+}
+function canIssueMandate(reg) {
+    return reg.roles.some((role) => H2A_AUTHORITY_MATRIX.MANDATE.roles.includes(role) &&
+        canSignArtifactKind(role, "MANDATE"));
+}
+export function authorizeDrive(store, request) {
+    const from = store.findInstance(request.from);
+    const to = store.findInstance(request.to);
+    if (!from || !to)
+        return { ok: false, reason: "missing-registration" };
+    if (request.from === request.to)
+        return { ok: true };
+    if (to.conductor === request.from || to.principal === request.from)
+        return { ok: true };
+    if (hasSharedScope(from, to) && canIssueMandate(from)) {
+        return { ok: true };
+    }
+    return { ok: false, reason: "unauthorized" };
+}
+export function loggingDriver(log = () => undefined) {
+    return {
+        drive(request) {
+            log(`drive[logging]: ${request.to} <= ${request.instructionLine}`);
+            return true;
+        }
+    };
+}
+export function nativeBackchannelDriver(options = {}) {
+    return {
+        drive(request) {
+            return options.send?.(request) ?? false;
+        }
+    };
+}
+export function localTmuxDriver(options = {}) {
+    const runtime = options.runtime ?? defaultRelauncherRuntime;
+    return {
+        drive(request) {
+            const tmux = request.launchContext?.tmux;
+            if (!tmux)
+                return false;
+            const target = tmuxTarget(tmux);
+            const ok = runtime.run("tmux", [
+                "send-keys",
+                "-t",
+                target,
+                request.instructionLine,
+                "Enter"
+            ]);
+            options.log?.(`drive[local-tmux]: ${request.to} -> ${target} (${ok ? "ok" : "failed"})`);
+            return ok;
+        }
+    };
+}
+export function headlessDriver(options = {}) {
+    const runtime = options.runtime ?? defaultRelauncherRuntime;
+    return {
+        drive(request) {
+            const base = request.launchContext?.command;
+            if (!base)
+                return false;
+            const command = `${base} ${shellQuote(request.instructionLine)}`;
+            const ok = runtime.spawnDetached(command, { cwd: request.launchContext?.cwd });
+            options.log?.(`drive[headless]: ${request.to} -> detached (${ok ? "spawned" : "failed"})`);
+            return ok;
+        }
+    };
+}
+export function chainDriver(...drivers) {
+    return {
+        async drive(request) {
+            for (const driver of drivers) {
+                if (await driver.drive(request))
+                    return true;
+            }
+            return false;
+        }
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/runtime/drive/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/runtime/drive/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,aAAa,EACb,eAAe,EAMhB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACL,wBAAwB,EACxB,UAAU,EAEX,MAAM,4BAA4B,CAAC;AAuEpC,SAAS,WAAW;IAClB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAmC;IAC9D,OAAO;QACL,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,KAAK;QACd,EAAE,EAAE,SAAS,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,EAAE,IAAI,OAAO,CAAC,KAAK,EAAE;QAC1D,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,EAAE,QAAQ,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE;QACzE,MAAM,EAAE,EAAE,QAAQ,EAAE,OAAO,CAAC,EAAE,EAAE;QAChC,IAAI,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE;QACnC,SAAS,EAAE,OAAO,CAAC,EAAE;KACtB,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,OAA4C;IAE5C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IAC1C,MAAM,OAAO,GAA+B;QAC1C,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,EAAE,EAAE,OAAO,CAAC,EAAE;QACd,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,WAAW,EAAE;QACrC,EAAE,EAAE,OAAO,CAAC,EAAE,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE;KAC9C,CAAC;IACF,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,EAAE;QACvC,EAAE,EAAE,OAAO,CAAC,IAAI;QAChB,aAAa,EAAE,OAAO,CAAC,aAAa;KACrC,CAAC,CAAC;IACH,OAAO,aAAa,OAAO,CAAC,IAAI,OAAO,OAAO,CAAC,EAAE,UAAU,OAAO,CAAC,KAAK,OAAO,OAAO,CAAC,EAAE,QAAQ,SAAS,CAAC,KAAK,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC;AAC7I,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,IAAY;IAEZ,MAAM,KAAK,GAAG,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxD,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,GAAG,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QAC/B,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC/B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACjC,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC7B,IAAI,CAAC,IAAI,IAAI,CAAC,EAAE,IAAI,CAAC,KAAK,IAAI,CAAC,EAAE,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC5D,OAAO;QACL,OAAO,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvD,SAAS,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE;KACpD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,IAAY,EACZ,OAA4C;IAE5C,MAAM,MAAM,GAAG,2BAA2B,CAAC,IAAI,CAAC,CAAC;IACjD,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IACvD,MAAM,UAAU,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAC3E,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAC1C,eAAe,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CACvD,CAAC;IACF,IAAI,CAAC,WAAW;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChE,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,mBAAmB,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IACtF,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,UAAU,EAAE,CAAC;IAC5D,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC;AAC/C,CAAC;AAED,SAAS,cAAc,CAAC,CAAuB,EAAE,CAAuB;IACtE,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAClC,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,eAAe,CAAC,GAAyB;IAChD,OAAO,GAAG,CAAC,KAAK,CAAC,IAAI,CACnB,CAAC,IAAI,EAAE,EAAE,CACP,oBAAoB,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;QACjD,mBAAmB,CAAC,IAAI,EAAE,SAAS,CAAC,CACvC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,KAAuC,EACvC,OAAuD;IAEvD,MAAM,IAAI,GAAG,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9C,MAAM,EAAE,GAAG,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI,IAAI,CAAC,EAAE;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IACvE,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,CAAC,EAAE;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACrD,IAAI,EAAE,CAAC,SAAS,KAAK,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,SAAS,KAAK,OAAO,CAAC,IAAI;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACxF,IAAI,cAAc,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;QACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAA8B,GAAG,EAAE,CAAC,SAAS;IACzE,OAAO;QACL,KAAK,CAAC,OAAO;YACX,GAAG,CAAC,mBAAmB,OAAO,CAAC,EAAE,OAAO,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;YACnE,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,UAA0C,EAAE;IAE5C,OAAO;QACL,KAAK,CAAC,OAAO;YACX,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC;QAC1C,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,UAAgC,EAAE;IAChE,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,wBAAwB,CAAC;IAC5D,OAAO;QACL,KAAK,CAAC,OAAO;YACX,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,EAAE,IAAI,CAAC;YACzC,IAAI,CAAC,IAAI;gBAAE,OAAO,KAAK,CAAC;YACxB,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;YAChC,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC7B,WAAW;gBACX,IAAI;gBACJ,MAAM;gBACN,OAAO,CAAC,eAAe;gBACvB,OAAO;aACR,CAAC,CAAC;YACH,OAAO,CAAC,GAAG,EAAE,CAAC,sBAAsB,OAAO,CAAC,EAAE,OAAO,MAAM,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC;YACzF,OAAO,EAAE,CAAC;QACZ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,UAAgC,EAAE;IAC/D,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,wBAAwB,CAAC;IAC5D,OAAO;QACL,KAAK,CAAC,OAAO;YACX,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC;YAC5C,IAAI,CAAC,IAAI;gBAAE,OAAO,KAAK,CAAC;YACxB,MAAM,OAAO,GAAG,GAAG,IAAI,IAAI,UAAU,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;YACjE,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,CAAC,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,aAAa,EAAE,GAAG,EAAE,CAAC,CAAC;YAC/E,OAAO,CAAC,GAAG,EAAE,CAAC,oBAAoB,OAAO,CAAC,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC;YAC3F,OAAO,EAAE,CAAC;QACZ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,GAAG,OAA6B;IAC1D,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,OAAO;YACjB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,IAAI,MAAM,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC;oBAAE,OAAO,IAAI,CAAC;YAC/C,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/runtime/identity/index.d.ts

@@ -3,6 +3,8 @@ export type { ProviderSession, ProviderSessionReaders, ProviderSessionSource, Re
 export { defaultProviderSessionReaders } from "./readers.js";
 export { listBindings, findBinding, verifyReclaimProof, reclaimOrMint } from "./bindings.js";
 export type { H2AIdentityBinding, IdentityBindingKey, ReclaimOrMintDeps, ReclaimOrMintResult } from "./bindings.js";
-export { mergeInboxDedup, decideLegacyAdoption } from "./migration.js";
-export type { LegacyAdoptionInput, LegacyAdoptionDecision } from "./migration.js";
+export { mergeInboxDedup, decideLegacyAdoption, listIdentityAliases, legacyAliasAlreadyAdopted, recordIdentityAlias } from "./migration.js";
+export type { H2AIdentityAlias, LegacyAdoptionInput, LegacyAdoptionDecision } from "./migration.js";
+export { resolveLiveIdentity } from "./live.js";
+export type { ResolveLiveIdentityInput, ResolvedLiveIdentity } from "./live.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/runtime/identity/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/runtime/identity/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AACvD,YAAY,EACV,eAAe,EACf,sBAAsB,EACtB,qBAAqB,EACrB,2BAA2B,EAC5B,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,6BAA6B,EAAE,MAAM,cAAc,CAAC;AAC7D,OAAO,EACL,YAAY,EACZ,WAAW,EACX,kBAAkB,EAClB,aAAa,EACd,MAAM,eAAe,CAAC;AACvB,YAAY,EACV,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,mBAAmB,EACpB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AACvE,YAAY,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/runtime/identity/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AACvD,YAAY,EACV,eAAe,EACf,sBAAsB,EACtB,qBAAqB,EACrB,2BAA2B,EAC5B,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,6BAA6B,EAAE,MAAM,cAAc,CAAC;AAC7D,OAAO,EACL,YAAY,EACZ,WAAW,EACX,kBAAkB,EAClB,aAAa,EACd,MAAM,eAAe,CAAC;AACvB,YAAY,EACV,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,mBAAmB,EACpB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,mBAAmB,EACnB,yBAAyB,EACzB,mBAAmB,EACpB,MAAM,gBAAgB,CAAC;AACxB,YAAY,EACV,gBAAgB,EAChB,mBAAmB,EACnB,sBAAsB,EACvB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAChD,YAAY,EAAE,wBAAwB,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC"}

package/dist/runtime/identity/index.js

@@ -1,5 +1,6 @@
 export { resolveProviderSession } from "./resolver.js";
 export { defaultProviderSessionReaders } from "./readers.js";
 export { listBindings, findBinding, verifyReclaimProof, reclaimOrMint } from "./bindings.js";
-export { mergeInboxDedup, decideLegacyAdoption } from "./migration.js";
+export { mergeInboxDedup, decideLegacyAdoption, listIdentityAliases, legacyAliasAlreadyAdopted, recordIdentityAlias } from "./migration.js";
+export { resolveLiveIdentity } from "./live.js";
 //# sourceMappingURL=index.js.map

package/dist/runtime/identity/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/runtime/identity/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAOvD,OAAO,EAAE,6BAA6B,EAAE,MAAM,cAAc,CAAC;AAC7D,OAAO,EACL,YAAY,EACZ,WAAW,EACX,kBAAkB,EAClB,aAAa,EACd,MAAM,eAAe,CAAC;AAOvB,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/runtime/identity/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAOvD,OAAO,EAAE,6BAA6B,EAAE,MAAM,cAAc,CAAC;AAC7D,OAAO,EACL,YAAY,EACZ,WAAW,EACX,kBAAkB,EAClB,aAAa,EACd,MAAM,eAAe,CAAC;AAOvB,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,mBAAmB,EACnB,yBAAyB,EACzB,mBAAmB,EACpB,MAAM,gBAAgB,CAAC;AAMxB,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC"}

package/dist/runtime/identity/live.d.ts

@@ -0,0 +1,26 @@
+import { type H2AWorkspaceRef } from "@sentropic/h2a";
+import { type ProviderSessionReaders } from "./resolver.js";
+export interface ResolveLiveIdentityInput {
+    readonly root: string;
+    readonly host: string;
+    readonly cwd: string;
+    readonly explicitInstance?: string;
+    readonly name?: string;
+    readonly scopes?: readonly string[];
+    readonly readers?: ProviderSessionReaders;
+    readonly now?: () => number;
+}
+export interface ResolvedLiveIdentity {
+    readonly instance: string;
+    readonly host: string;
+    readonly workspace?: H2AWorkspaceRef;
+    readonly name?: string;
+    readonly legacyInstance?: string;
+    readonly action: "override" | "reclaim" | "mint";
+    readonly providerSessionSource?: string;
+    readonly privateKeyPath?: string;
+    readonly publicKeyPath?: string;
+    readonly migrationNotice?: string;
+}
+export declare function resolveLiveIdentity(input: ResolveLiveIdentityInput): ResolvedLiveIdentity;
+//# sourceMappingURL=live.d.ts.map

package/dist/runtime/identity/live.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"live.d.ts","sourceRoot":"","sources":["../../../src/runtime/identity/live.ts"],"names":[],"mappings":"AAYA,OAAO,EAML,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AAUxB,OAAO,EAA0B,KAAK,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAEpF,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,OAAO,CAAC,EAAE,sBAAsB,CAAC;IAC1C,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,SAAS,CAAC,EAAE,eAAe,CAAC;IACrC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,MAAM,EAAE,UAAU,GAAG,SAAS,GAAG,MAAM,CAAC;IACjD,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IACxC,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;CACnC;AA6ID,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,wBAAwB,GAAG,oBAAoB,CA2FzF"}

package/dist/runtime/identity/live.js

@@ -0,0 +1,207 @@
+import { createHash, generateKeyPairSync } from "node:crypto";
+import { copyFileSync, existsSync, mkdirSync, readFileSync, realpathSync, writeFileSync } from "node:fs";
+import { hostname } from "node:os";
+import { basename, join } from "node:path";
+import { deriveInstanceId, deriveWorkspaceId, mintAgentUuid, signCanonical } from "@sentropic/h2a";
+import { createLocalStore } from "../local-files/store.js";
+import { findBinding, reclaimOrMint, verifyReclaimProof } from "./bindings.js";
+import { decideLegacyAdoption, legacyAliasAlreadyAdopted, recordIdentityAlias } from "./migration.js";
+import { defaultProviderSessionReaders } from "./readers.js";
+import { resolveProviderSession } from "./resolver.js";
+function safeKeyName(instance) {
+    return instance.replace(/[:/]/g, "-");
+}
+function keyPaths(root, instance) {
+    const keysDir = join(root, "keys");
+    return {
+        privateKeyPath: join(keysDir, `${safeKeyName(instance)}.key.pem`),
+        publicKeyPath: join(keysDir, `${safeKeyName(instance)}.pub.pem`)
+    };
+}
+function readMachineId() {
+    for (const path of ["/etc/machine-id", "/var/lib/dbus/machine-id"]) {
+        try {
+            const id = readFileSync(path, "utf8").trim();
+            if (id.length > 0)
+                return id;
+        }
+        catch {
+            // try the next source
+        }
+    }
+    return hostname() || "unknown-machine";
+}
+function realWorkspacePath(cwd) {
+    try {
+        return realpathSync(cwd);
+    }
+    catch {
+        return cwd;
+    }
+}
+function labelFromCwd(cwd) {
+    return basename(cwd) || "workspace";
+}
+function publicKeyFingerprint(publicKeyPem) {
+    return createHash("sha256").update(publicKeyPem, "utf8").digest("hex").slice(0, 16);
+}
+function generateKeypair() {
+    const { privateKey, publicKey } = generateKeyPairSync("ed25519");
+    return {
+        privateKeyPem: privateKey.export({ format: "pem", type: "pkcs8" }).toString(),
+        publicKeyPem: publicKey.export({ format: "pem", type: "spki" }).toString()
+    };
+}
+function readKeypair(root, instance) {
+    const paths = keyPaths(root, instance);
+    if (!existsSync(paths.privateKeyPath) || !existsSync(paths.publicKeyPath))
+        return undefined;
+    return {
+        privateKeyPem: readFileSync(paths.privateKeyPath, "utf8"),
+        publicKeyPem: readFileSync(paths.publicKeyPath, "utf8"),
+        ...paths
+    };
+}
+function ensureKeypair(root, instance, adoptFromInstance) {
+    const existing = readKeypair(root, instance);
+    if (existing) {
+        return {
+            publicKeyPem: existing.publicKeyPem,
+            privateKeyPath: existing.privateKeyPath,
+            publicKeyPath: existing.publicKeyPath
+        };
+    }
+    const paths = keyPaths(root, instance);
+    mkdirSync(join(root, "keys"), { recursive: true });
+    const adopted = adoptFromInstance ? readKeypair(root, adoptFromInstance) : undefined;
+    if (adopted) {
+        copyFileSync(adopted.privateKeyPath, paths.privateKeyPath);
+        copyFileSync(adopted.publicKeyPath, paths.publicKeyPath);
+        return { publicKeyPem: adopted.publicKeyPem, ...paths };
+    }
+    const generated = generateKeypair();
+    writeFileSync(paths.privateKeyPath, generated.privateKeyPem, { encoding: "utf8", mode: 0o600 });
+    writeFileSync(paths.publicKeyPath, generated.publicKeyPem, "utf8");
+    return { publicKeyPem: generated.publicKeyPem, ...paths };
+}
+function provesLocalKey(root, instance) {
+    const store = createLocalStore({ root });
+    const keypair = readKeypair(root, instance);
+    if (!keypair)
+        return false;
+    const activeKeys = store.listInstanceKeys(instance);
+    if (activeKeys.length === 0)
+        return false;
+    const nonce = `identity-reclaim:${instance}:${publicKeyFingerprint(keypair.publicKeyPem)}`;
+    try {
+        const signature = signCanonical(nonce, { by: instance, privateKeyPem: keypair.privateKeyPem });
+        return verifyReclaimProof(nonce, signature, activeKeys);
+    }
+    catch {
+        return false;
+    }
+}
+function ensureRegistered(input) {
+    const store = createLocalStore({ root: input.root });
+    const existing = store.findInstance(input.instance);
+    if (!existing) {
+        const registration = {
+            id: input.instance,
+            instance: input.instance,
+            roles: ["AGENTS"],
+            scopes: [...input.scopes],
+            capabilities: [],
+            endpoints: [{ kind: "local-files", uri: `file://${input.root}` }],
+            publicKeys: [input.publicKeyPem],
+            acceptedPolicies: [],
+            agentUuid: input.agentUuid,
+            workspace: input.workspace,
+            name: input.name,
+            createdAt: new Date(input.now()).toISOString()
+        };
+        store.registerInstance(registration);
+        return;
+    }
+    if (!store.listInstanceKeys(input.instance).includes(input.publicKeyPem)) {
+        store.addInstanceKey(input.instance, input.publicKeyPem);
+    }
+}
+export function resolveLiveIdentity(input) {
+    const host = input.host || "agent";
+    const label = labelFromCwd(input.cwd);
+    const name = input.name ?? label;
+    if (input.explicitInstance) {
+        return { instance: input.explicitInstance, host, action: "override" };
+    }
+    const readers = input.readers ?? defaultProviderSessionReaders;
+    const provider = resolveProviderSession({ host, cwd: input.cwd, readers });
+    const realPath = realWorkspacePath(input.cwd);
+    const workspaceId = provider.workspaceHint ??
+        deriveWorkspaceId({ machineId: readMachineId(), path: realPath });
+    const workspace = {
+        id: workspaceId,
+        path: realPath,
+        host,
+        label
+    };
+    const legacyInstance = `${host}:${label}`;
+    const now = input.now ?? Date.now;
+    const scopes = input.scopes?.length ? input.scopes : ["scope:default"];
+    const mint = () => {
+        const agentUuid = mintAgentUuid();
+        return {
+            agentUuid,
+            instance: deriveInstanceId({ host, label: name, uuid: agentUuid })
+        };
+    };
+    const providerSessionId = provider.providerSessionId ?? `fallback:${host}:${workspace.id}:${Date.now()}`;
+    const result = host === "remote"
+        ? { action: "mint", ...mint() }
+        : reclaimOrMint(input.root, { host, providerSessionId, workspaceId: workspace.id }, {
+            verifyProof: (binding) => provesLocalKey(input.root, binding.instance),
+            mint,
+            now
+        });
+    const existingBinding = findBinding(input.root, {
+        host,
+        providerSessionId,
+        workspaceId: workspace.id
+    });
+    const legacyDecision = decideLegacyAdoption({
+        legacyAlreadyAdopted: legacyAliasAlreadyAdopted(input.root, legacyInstance),
+        provedLegacyPossession: provesLocalKey(input.root, legacyInstance)
+    });
+    const adoptedFrom = result.action === "mint" && legacyDecision.adopt ? legacyInstance : undefined;
+    const keypair = ensureKeypair(input.root, result.instance, adoptedFrom);
+    ensureRegistered({
+        root: input.root,
+        instance: result.instance,
+        agentUuid: result.agentUuid,
+        workspace,
+        name,
+        publicKeyPem: keypair.publicKeyPem,
+        scopes,
+        now
+    });
+    recordIdentityAlias(input.root, {
+        instance: result.instance,
+        legacyInstance,
+        adoptedKeyring: Boolean(adoptedFrom),
+        at: new Date(now()).toISOString()
+    });
+    return {
+        instance: result.instance,
+        host,
+        workspace,
+        name,
+        legacyInstance,
+        action: result.action,
+        providerSessionSource: provider.source,
+        privateKeyPath: keypair.privateKeyPath,
+        publicKeyPath: keypair.publicKeyPath,
+        migrationNotice: result.action === "mint" || !existingBinding
+            ? `identity migration: ${result.instance} reads legacy ${legacyInstance}; ${legacyDecision.reason}`
+            : undefined
+    };
+}
+//# sourceMappingURL=live.js.map

package/dist/runtime/identity/live.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"live.js","sourceRoot":"","sources":["../../../src/runtime/identity/live.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,EACL,YAAY,EACZ,UAAU,EACV,SAAS,EACT,YAAY,EACZ,YAAY,EACZ,aAAa,EACd,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAE3C,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,aAAa,EACb,aAAa,EAGd,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAC/E,OAAO,EACL,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACpB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,6BAA6B,EAAE,MAAM,cAAc,CAAC;AAC7D,OAAO,EAAE,sBAAsB,EAA+B,MAAM,eAAe,CAAC;AA0BpF,SAAS,WAAW,CAAC,QAAgB;IACnC,OAAO,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,QAAQ,CAAC,IAAY,EAAE,QAAgB;IAC9C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACnC,OAAO;QACL,cAAc,EAAE,IAAI,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;QACjE,aAAa,EAAE,IAAI,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;KACjE,CAAC;AACJ,CAAC;AAED,SAAS,aAAa;IACpB,KAAK,MAAM,IAAI,IAAI,CAAC,iBAAiB,EAAE,0BAA0B,CAAC,EAAE,CAAC;QACnE,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;YAC7C,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,EAAE,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,sBAAsB;QACxB,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,EAAE,IAAI,iBAAiB,CAAC;AACzC,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,CAAC;IACb,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,GAAW;IAC/B,OAAO,QAAQ,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC;AACtC,CAAC;AAED,SAAS,oBAAoB,CAAC,YAAoB;IAChD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACtF,CAAC;AAED,SAAS,eAAe;IACtB,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IACjE,OAAO;QACL,aAAa,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;QAC7E,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;KAC3E,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,IAAY,EAAE,QAAgB;IAGjD,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACvC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,aAAa,CAAC;QAAE,OAAO,SAAS,CAAC;IAC5F,OAAO;QACL,aAAa,EAAE,YAAY,CAAC,KAAK,CAAC,cAAc,EAAE,MAAM,CAAC;QACzD,YAAY,EAAE,YAAY,CAAC,KAAK,CAAC,aAAa,EAAE,MAAM,CAAC;QACvD,GAAG,KAAK;KACT,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CACpB,IAAY,EACZ,QAAgB,EAChB,iBAA0B;IAE1B,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC7C,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO;YACL,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,cAAc,EAAE,QAAQ,CAAC,cAAc;YACvC,aAAa,EAAE,QAAQ,CAAC,aAAa;SACtC,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACvC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,MAAM,OAAO,GAAG,iBAAiB,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACrF,IAAI,OAAO,EAAE,CAAC;QACZ,YAAY,CAAC,OAAO,CAAC,cAAc,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;QAC3D,YAAY,CAAC,OAAO,CAAC,aAAa,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;QACzD,OAAO,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,GAAG,KAAK,EAAE,CAAC;IAC1D,CAAC;IAED,MAAM,SAAS,GAAG,eAAe,EAAE,CAAC;IACpC,aAAa,CAAC,KAAK,CAAC,cAAc,EAAE,SAAS,CAAC,aAAa,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAChG,aAAa,CAAC,KAAK,CAAC,aAAa,EAAE,SAAS,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACnE,OAAO,EAAE,YAAY,EAAE,SAAS,CAAC,YAAY,EAAE,GAAG,KAAK,EAAE,CAAC;AAC5D,CAAC;AAED,SAAS,cAAc,CAAC,IAAY,EAAE,QAAgB;IACpD,MAAM,KAAK,GAAG,gBAAgB,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC5C,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,MAAM,UAAU,GAAG,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IACpD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,KAAK,GAAG,oBAAoB,QAAQ,IAAI,oBAAoB,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;IAC3F,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;QAC/F,OAAO,kBAAkB,CAAC,KAAK,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,KASzB;IACC,MAAM,KAAK,GAAG,gBAAgB,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,KAAK,CAAC,YAAY,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACpD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,YAAY,GAAyB;YACzC,EAAE,EAAE,KAAK,CAAC,QAAQ;YAClB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,KAAK,EAAE,CAAC,QAAQ,CAAC;YACjB,MAAM,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC;YACzB,YAAY,EAAE,EAAE;YAChB,SAAS,EAAE,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,EAAE,UAAU,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;YACjE,UAAU,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC;YAChC,gBAAgB,EAAE,EAAE;YACpB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;SAC/C,CAAC;QACF,KAAK,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;QACrC,OAAO;IACT,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC;QACzE,KAAK,CAAC,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAA+B;IACjE,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,OAAO,CAAC;IACnC,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC;IACjC,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC3B,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,gBAAgB,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IACxE,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,6BAA6B,CAAC;IAC/D,MAAM,QAAQ,GAAG,sBAAsB,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IAC3E,MAAM,QAAQ,GAAG,iBAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9C,MAAM,WAAW,GACf,QAAQ,CAAC,aAAa;QACtB,iBAAiB,CAAC,EAAE,SAAS,EAAE,aAAa,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IACpE,MAAM,SAAS,GAAoB;QACjC,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,KAAK;KACN,CAAC;IACF,MAAM,cAAc,GAAG,GAAG,IAAI,IAAI,KAAK,EAAE,CAAC;IAC1C,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC;IAClC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC;IAEvE,MAAM,IAAI,GAAG,GAAG,EAAE;QAChB,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;QAClC,OAAO;YACL,SAAS;YACT,QAAQ,EAAE,gBAAgB,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;SACnE,CAAC;IACJ,CAAC,CAAC;IAEF,MAAM,iBAAiB,GACrB,QAAQ,CAAC,iBAAiB,IAAI,YAAY,IAAI,IAAI,SAAS,CAAC,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IACjF,MAAM,MAAM,GACV,IAAI,KAAK,QAAQ;QACf,CAAC,CAAC,EAAE,MAAM,EAAE,MAAe,EAAE,GAAG,IAAI,EAAE,EAAE;QACxC,CAAC,CAAC,aAAa,CACX,KAAK,CAAC,IAAI,EACV,EAAE,IAAI,EAAE,iBAAiB,EAAE,WAAW,EAAE,SAAS,CAAC,EAAE,EAAE,EACtD;YACE,WAAW,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC;YACtE,IAAI;YACJ,GAAG;SACJ,CACF,CAAC;IAER,MAAM,eAAe,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE;QAC9C,IAAI;QACJ,iBAAiB;QACjB,WAAW,EAAE,SAAS,CAAC,EAAE;KAC1B,CAAC,CAAC;IACH,MAAM,cAAc,GAAG,oBAAoB,CAAC;QAC1C,oBAAoB,EAAE,yBAAyB,CAAC,KAAK,CAAC,IAAI,EAAE,cAAc,CAAC;QAC3E,sBAAsB,EAAE,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,cAAc,CAAC;KACnE,CAAC,CAAC;IACH,MAAM,WAAW,GACf,MAAM,CAAC,MAAM,KAAK,MAAM,IAAI,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC;IAChF,MAAM,OAAO,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IACxE,gBAAgB,CAAC;QACf,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,SAAS;QACT,IAAI;QACJ,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,MAAM;QACN,GAAG;KACJ,CAAC,CAAC;IACH,mBAAmB,CAAC,KAAK,CAAC,IAAI,EAAE;QAC9B,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,cAAc;QACd,cAAc,EAAE,OAAO,CAAC,WAAW,CAAC;QACpC,EAAE,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;KAClC,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,IAAI;QACJ,SAAS;QACT,IAAI;QACJ,cAAc;QACd,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,qBAAqB,EAAE,QAAQ,CAAC,MAAM;QACtC,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,eAAe,EACb,MAAM,CAAC,MAAM,KAAK,MAAM,IAAI,CAAC,eAAe;YAC1C,CAAC,CAAC,uBAAuB,MAAM,CAAC,QAAQ,iBAAiB,cAAc,KAAK,cAAc,CAAC,MAAM,EAAE;YACnG,CAAC,CAAC,SAAS;KAChB,CAAC;AACJ,CAAC"}

package/dist/runtime/identity/migration.d.ts

@@ -43,4 +43,13 @@ export interface LegacyAdoptionDecision {
  * caller's (impure, locked) job; this is the deterministic decision.
  */
 export declare function decideLegacyAdoption(input: LegacyAdoptionInput): LegacyAdoptionDecision;
+export interface H2AIdentityAlias {
+    readonly instance: string;
+    readonly legacyInstance: string;
+    readonly adoptedKeyring: boolean;
+    readonly at: string;
+}
+export declare function listIdentityAliases(root: string, instance?: string): H2AIdentityAlias[];
+export declare function legacyAliasAlreadyAdopted(root: string, legacyInstance: string): boolean;
+export declare function recordIdentityAlias(root: string, alias: H2AIdentityAlias): void;
 //# sourceMappingURL=migration.d.ts.map

package/dist/runtime/identity/migration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"migration.d.ts","sourceRoot":"","sources":["../../../src/runtime/identity/migration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAElD;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,IAAI,EAAE,aAAa,CAAC,SAAS,WAAW,EAAE,CAAC,GAC1C,WAAW,EAAE,CAUf;AAED,MAAM,WAAW,mBAAmB;IAClC,yFAAyF;IACzF,QAAQ,CAAC,oBAAoB,EAAE,OAAO,CAAC;IACvC,+EAA+E;IAC/E,QAAQ,CAAC,sBAAsB,EAAE,OAAO,CAAC;CAC1C;AAED,MAAM,WAAW,sBAAsB;IACrC,4FAA4F;IAC5F,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,6EAA6E;IAC7E,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAC7B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,mBAAmB,GAAG,sBAAsB,CAoBvF"}
+{"version":3,"file":"migration.d.ts","sourceRoot":"","sources":["../../../src/runtime/identity/migration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAElD;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,IAAI,EAAE,aAAa,CAAC,SAAS,WAAW,EAAE,CAAC,GAC1C,WAAW,EAAE,CAUf;AAED,MAAM,WAAW,mBAAmB;IAClC,yFAAyF;IACzF,QAAQ,CAAC,oBAAoB,EAAE,OAAO,CAAC;IACvC,+EAA+E;IAC/E,QAAQ,CAAC,sBAAsB,EAAE,OAAO,CAAC;CAC1C;AAED,MAAM,WAAW,sBAAsB;IACrC,4FAA4F;IAC5F,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,6EAA6E;IAC7E,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAC7B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,mBAAmB,GAAG,sBAAsB,CAoBvF;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;CACrB;AAUD,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,gBAAgB,EAAE,CAcvF;AAED,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAIvF;AAED,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,gBAAgB,GAAG,IAAI,CAQ/E"}