@trenchwork/coder 1.3.0

package/dist/core/hooks.js

@@ -0,0 +1,236 @@
+/**
+ * Hooks — Claude-Code-style shell-command hooks that fire around
+ * tool execution. Lets users customize agent behavior without
+ * editing source: run a linter after every Edit, log Bash commands,
+ * block dangerous tools, etc.
+ *
+ * Settings file (per Claude Code convention):
+ *   {
+ *     "hooks": {
+ *       "PreToolUse": [
+ *         { "matcher": "Bash", "hooks": [{ "type": "command", "command": "/path/to/script.sh" }] }
+ *       ],
+ *       "PostToolUse": [ ... ]
+ *     }
+ *   }
+ *
+ * Loaded from (in priority order):
+ *   1. <workingDir>/.trenchwork/settings.json    (project-local)
+ *   2. ~/.trenchwork/settings.json               (user-global)
+ *
+ * Both load — project-local extends user-global; matchers from both
+ * files fire if applicable.
+ *
+ * Hook contract: the command receives a JSON envelope on stdin,
+ * shape:
+ *   { event: 'PreToolUse'|'PostToolUse', toolName, toolArgs, toolResult? }
+ * The command exits 0 + writes a JSON response on stdout to either
+ * pass through or shape the result:
+ *   {}                            — pass through
+ *   { "decision": "block",
+ *     "reason": "string" }        — PreToolUse: block the tool call
+ *   { "appendToResult": "..." }   — PostToolUse: append text to the
+ *                                     model-visible tool result
+ *
+ * Hooks are best-effort: a hook that times out, errors, or returns
+ * malformed JSON is logged and skipped — never crashes the agent.
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { exec, execFile } from 'node:child_process';
+/**
+ * Read + merge settings from project-local + user-global locations.
+ * Returns an empty config if neither file exists. Malformed JSON is
+ * silently skipped (with a console.warn).
+ */
+export function loadHooksConfig(workingDir) {
+    const candidates = [
+        join(workingDir, '.trenchwork', 'settings.json'),
+        join(homedir(), '.trenchwork', 'settings.json'),
+    ];
+    const merged = { hooks: {} };
+    for (const path of candidates) {
+        if (!existsSync(path))
+            continue;
+        let parsed = null;
+        try {
+            const raw = readFileSync(path, 'utf-8');
+            parsed = JSON.parse(raw);
+        }
+        catch (err) {
+            console.warn(`[hooks] Skipping malformed settings: ${path}: ${err.message}`);
+            continue;
+        }
+        if (!parsed?.hooks)
+            continue;
+        for (const ev of Object.keys(parsed.hooks)) {
+            const list = parsed.hooks[ev];
+            if (!Array.isArray(list))
+                continue;
+            const existing = merged.hooks[ev] ?? [];
+            // Shallow-validate each entry before merging so the executor
+            // never has to re-check shape.
+            const safe = list.filter((m) => m && typeof m === 'object' && Array.isArray(m.hooks));
+            merged.hooks[ev] = [...existing, ...safe];
+        }
+    }
+    return merged;
+}
+function matchesMatcher(matcher, toolName) {
+    if (!matcher || matcher === '*' || matcher === '.*')
+        return true;
+    try {
+        return new RegExp(`^${matcher}$`).test(toolName);
+    }
+    catch {
+        return matcher === toolName;
+    }
+}
+/**
+ * Run a single hook command with structured input. Returns the
+ * parsed JSON response, or null if the hook errored / timed out /
+ * returned malformed output. Never throws — non-fatal on purpose.
+ */
+async function runHookCommand(cmd, input) {
+    const timeoutMs = Math.min(30_000, Math.max(500, cmd.timeoutMs ?? 5000));
+    return new Promise((resolve) => {
+        let settled = false;
+        const finish = (val) => {
+            if (settled)
+                return;
+            settled = true;
+            resolve(val);
+        };
+        // Use exec (not spawn) so the command string is interpreted by
+        // the platform's default shell with its native quoting rules.
+        // spawn('cmd.exe', ['/c', '<cmd with quotes>']) on Windows
+        // mishandles inner double-quotes; exec handles that internally.
+        // We do NOT pass exec's `timeout` option — on Windows it sends
+        // SIGTERM which doesn't always reliably kill child processes
+        // that aren't blocked on I/O (e.g. a node child sitting on a
+        // setTimeout). Instead we own the timeout: fire our own timer,
+        // resolve the promise immediately, and force-kill the process
+        // tree. The exec callback may still fire later but `settled`
+        // makes it a no-op.
+        const child = exec(cmd.command, { maxBuffer: 1024 * 1024, encoding: 'utf-8' }, (err, stdout, stderr) => {
+            if (settled)
+                return;
+            if (err && err.code) {
+                if (typeof stderr === 'string' && stderr.trim()) {
+                    console.warn(`[hooks] ${cmd.command} exit ${err.code}: ${stderr.slice(0, 400)}`);
+                }
+                return finish(null);
+            }
+            const out = (typeof stdout === 'string' ? stdout : '').trim();
+            if (!out)
+                return finish({});
+            try {
+                const parsed = JSON.parse(out);
+                if (parsed && typeof parsed === 'object')
+                    return finish(parsed);
+                return finish({});
+            }
+            catch {
+                // A hook that prints non-JSON is treated as pass-through.
+                return finish({});
+            }
+        });
+        // Owned timeout — kill the process tree on expiry. On Windows
+        // we use taskkill /T /F to clean up children of the shell wrapper;
+        // on POSIX, killing the negative pid of the process group does it.
+        const timeout = setTimeout(() => {
+            if (settled)
+                return;
+            console.warn(`[hooks] ${cmd.command}: timed out after ${timeoutMs}ms`);
+            try {
+                if (process.platform === 'win32' && child.pid) {
+                    // /T = terminate child tree, /F = force. Use execFile with an
+                    // arg array so the PID can never be interpreted as taskkill
+                    // flags (defense-in-depth — child.pid is a number from Node so
+                    // injection isn't reachable today, but the safer pattern is
+                    // free here).
+                    execFile('taskkill', ['/pid', String(child.pid), '/T', '/F'], () => { });
+                }
+                else {
+                    child.kill('SIGKILL');
+                }
+            }
+            catch (_) { /* best effort */ }
+            finish(null);
+        }, timeoutMs);
+        timeout.unref?.();
+        child.on('exit', () => clearTimeout(timeout));
+        // A hook that errors/exits fast closes its stdin before we finish
+        // writing, which surfaces as an ASYNC 'error' (EPIPE) on the stream —
+        // not catchable by the try/catch below. Swallow it so a dead hook is
+        // silently skipped instead of crashing the runner with an unhandled
+        // stream error.
+        child.stdin?.on('error', () => { });
+        try {
+            child.stdin?.write(JSON.stringify(input));
+            child.stdin?.end();
+        }
+        catch (err) {
+            console.warn(`[hooks] stdin write failed: ${err.message}`);
+        }
+    });
+}
+/**
+ * Run all PreToolUse hooks matching `toolName`. Returns the FIRST
+ * blocking decision encountered, or null if no hook blocks.
+ */
+export async function runPreToolUseHooks(config, toolName, toolArgs) {
+    const matchers = config.hooks?.PreToolUse ?? [];
+    for (const m of matchers) {
+        if (!matchesMatcher(m.matcher, toolName))
+            continue;
+        for (const cmd of m.hooks) {
+            const result = await runHookCommand(cmd, {
+                event: 'PreToolUse',
+                toolName,
+                toolArgs,
+            });
+            if (!result)
+                continue;
+            if (result['decision'] === 'block') {
+                return {
+                    decision: 'block',
+                    reason: typeof result['reason'] === 'string' ? result['reason'] : 'Blocked by hook',
+                };
+            }
+        }
+    }
+    return null;
+}
+/**
+ * Run all PostToolUse hooks matching `toolName`. Concatenates any
+ * appendToResult strings (in matcher order) so multiple hooks can
+ * each contribute a note.
+ */
+export async function runPostToolUseHooks(config, toolName, toolArgs, toolResult) {
+    const matchers = config.hooks?.PostToolUse ?? [];
+    const appended = [];
+    for (const m of matchers) {
+        if (!matchesMatcher(m.matcher, toolName))
+            continue;
+        for (const cmd of m.hooks) {
+            const result = await runHookCommand(cmd, {
+                event: 'PostToolUse',
+                toolName,
+                toolArgs,
+                toolResult,
+            });
+            if (!result)
+                continue;
+            const append = result['appendToResult'];
+            if (typeof append === 'string' && append.trim()) {
+                appended.push(append.trim());
+            }
+        }
+    }
+    if (appended.length === 0)
+        return null;
+    return { appendToResult: appended.join('\n\n') };
+}
+//# sourceMappingURL=hooks.js.map

package/dist/core/hooks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hooks.js","sourceRoot":"","sources":["../../src/core/hooks.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAgDpD;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,UAAkB;IAChD,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,UAAU,EAAE,aAAa,EAAE,eAAe,CAAC;QAChD,IAAI,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,eAAe,CAAC;KAChD,CAAC;IACF,MAAM,MAAM,GAA0B,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,SAAS;QAChC,IAAI,MAAM,GAAuB,IAAI,CAAC;QACtC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACxC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAgB,CAAC;QAC1C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,wCAAwC,IAAI,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YACxF,SAAS;QACX,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,KAAK;YAAE,SAAS;QAC7B,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAgB,EAAE,CAAC;YAC1D,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC9B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;gBAAE,SAAS;YACnC,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;YACxC,6DAA6D;YAC7D,+BAA+B;YAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CACtB,CAAC,CAAC,EAAoB,EAAE,CACtB,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAE,CAAiB,CAAC,KAAK,CAAC,CACxE,CAAC;YACF,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,QAAQ,EAAE,GAAG,IAAI,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,OAA2B,EAAE,QAAgB;IACnE,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACjE,IAAI,CAAC;QACH,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,KAAK,QAAQ,CAAC;IAC9B,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,cAAc,CAC3B,GAAgB,EAChB,KAAyC;IAEzC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC,CAAC,CAAC;IACzE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,MAAM,GAAG,CAAC,GAAmC,EAAQ,EAAE;YAC3D,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,CAAC;QACf,CAAC,CAAC;QAEF,+DAA+D;QAC/D,8DAA8D;QAC9D,2DAA2D;QAC3D,gEAAgE;QAChE,+DAA+D;QAC/D,6DAA6D;QAC7D,6DAA6D;QAC7D,+DAA+D;QAC/D,8DAA8D;QAC9D,6DAA6D;QAC7D,oBAAoB;QACpB,MAAM,KAAK,GAAG,IAAI,CAChB,GAAG,CAAC,OAAO,EACX,EAAE,SAAS,EAAE,IAAI,GAAG,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAC7C,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YACtB,IAAI,OAAO;gBAAE,OAAO;YACpB,IAAI,GAAG,IAAK,GAAyB,CAAC,IAAI,EAAE,CAAC;gBAC3C,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;oBAChD,OAAO,CAAC,IAAI,CAAC,WAAW,GAAG,CAAC,OAAO,SAAU,GAAyB,CAAC,IAAI,KAAK,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC1G,CAAC;gBACD,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;YACD,MAAM,GAAG,GAAG,CAAC,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAC9D,IAAI,CAAC,GAAG;gBAAE,OAAO,MAAM,CAAC,EAAE,CAAC,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC/B,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;oBAAE,OAAO,MAAM,CAAC,MAAiC,CAAC,CAAC;gBAC3F,OAAO,MAAM,CAAC,EAAE,CAAC,CAAC;YACpB,CAAC;YAAC,MAAM,CAAC;gBACP,0DAA0D;gBAC1D,OAAO,MAAM,CAAC,EAAE,CAAC,CAAC;YACpB,CAAC;QACH,CAAC,CACF,CAAC;QAEF,8DAA8D;QAC9D,mEAAmE;QACnE,mEAAmE;QACnE,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;YAC9B,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,CAAC,IAAI,CAAC,WAAW,GAAG,CAAC,OAAO,qBAAqB,SAAS,IAAI,CAAC,CAAC;YACvE,IAAI,CAAC;gBACH,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;oBAC9C,8DAA8D;oBAC9D,4DAA4D;oBAC5D,+DAA+D;oBAC/D,4DAA4D;oBAC5D,cAAc;oBACd,QAAQ,CAAC,UAAU,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;gBAC1E,CAAC;qBAAM,CAAC;oBACN,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBACxB,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC,CAAC,iBAAiB,CAAC,CAAC;YACjC,MAAM,CAAC,IAAI,CAAC,CAAC;QACf,CAAC,EAAE,SAAS,CAAC,CAAC;QACd,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;QAClB,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC;QAE9C,kEAAkE;QAClE,sEAAsE;QACtE,qEAAqE;QACrE,oEAAoE;QACpE,gBAAgB;QAChB,KAAK,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,GAA0C,CAAC,CAAC,CAAC;QAC3E,IAAI,CAAC;YACH,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;YAC1C,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC;QACrB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,+BAAgC,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACxE,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAAmB,EACnB,QAAgB,EAChB,QAAiB;IAEjB,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,EAAE,UAAU,IAAI,EAAE,CAAC;IAChD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC;YAAE,SAAS;QACnD,KAAK,MAAM,GAAG,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,GAAG,EAAE;gBACvC,KAAK,EAAE,YAAY;gBACnB,QAAQ;gBACR,QAAQ;aACT,CAAC,CAAC;YACH,IAAI,CAAC,MAAM;gBAAE,SAAS;YACtB,IAAI,MAAM,CAAC,UAAU,CAAC,KAAK,OAAO,EAAE,CAAC;gBACnC,OAAO;oBACL,QAAQ,EAAE,OAAO;oBACjB,MAAM,EAAE,OAAO,MAAM,CAAC,QAAQ,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,iBAAiB;iBACpF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAmB,EACnB,QAAgB,EAChB,QAAiB,EACjB,UAAmB;IAEnB,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,EAAE,WAAW,IAAI,EAAE,CAAC;IACjD,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC;YAAE,SAAS;QACnD,KAAK,MAAM,GAAG,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,GAAG,EAAE;gBACvC,KAAK,EAAE,aAAa;gBACpB,QAAQ;gBACR,QAAQ;gBACR,UAAU;aACX,CAAC,CAAC;YACH,IAAI,CAAC,MAAM;gBAAE,SAAS;YACtB,MAAM,MAAM,GAAG,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACxC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gBAChD,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,EAAE,cAAc,EAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;AACnD,CAAC"}

package/dist/core/hostedAuth.d.ts

@@ -0,0 +1,88 @@
+/**
+ * Hosted-key access — the CLIENT side of "optional sign-in unlocks hosted keys,
+ * or bring your own." Keys NEVER ship in this client (Project Glasswing); they
+ * live only in the ero.solar AWS backend, exactly like the Tavily search proxy
+ * already does (see src/tools/webTools.ts). Sign-in mints a short-lived token;
+ * the proxies validate it and use the operator keys.
+ *
+ * ── CONTRACT (the ero.solar backend implements this; this file codes against it) ──
+ *   Sign-in (loopback OAuth, increment 2):
+ *     open  https://ero.solar/cli/login?port=<loopbackPort>&state=<csrf>
+ *     → Google SSO → 302 http://127.0.0.1:<port>/cb?token=<jwt>&email=<e>&state=<csrf>
+ *   DeepSeek (hosted): POST {HOSTED_DEEPSEEK_PROXY}  header `Authorization: Bearer <token>`
+ *   Tavily   (hosted): the existing tavilySearch proxy, same Bearer token
+ *   The token is short-lived and server-validated; if it 401s the CLI drops to
+ *   "signed out" and asks the user to /login again or use their own key.
+ *
+ * THIS MODULE is state + resolution only (increment 1, fully testable). The live
+ * sign-in flow and the provider→proxy wiring are increment 2 (backend-gated).
+ */
+export declare const HOSTED_LOGIN_URL = "https://ero.solar/cli/login";
+export declare const HOSTED_DEEPSEEK_PROXY = "https://ero.solar/api/deepseek";
+export interface HostedSession {
+    token: string;
+    email: string;
+}
+export type KeyMode = 'hosted' | 'own' | 'none';
+export interface KeyModeStatus {
+    mode: KeyMode;
+    email: string | null;
+    signedIn: boolean;
+    ownDeepSeek: boolean;
+    ownTavily: boolean;
+    preferOwnKeys: boolean;
+}
+/** The active hosted session (token + email), or null when signed out. */
+export declare function getHostedSession(): HostedSession | null;
+/** Persist a hosted session (called by /login once the backend returns a token). */
+export declare function setHostedSession(session: HostedSession): void;
+/** Sign out: drop the token but keep the own/hosted preference. */
+export declare function clearHostedSession(): void;
+export declare function prefersOwnKeys(): boolean;
+export declare function setPreferOwnKeys(value: boolean): void;
+/**
+ * Resolve which keys are in effect. Preference order: an explicit "use my own
+ * keys" wins when the user actually has a DeepSeek key; otherwise a hosted
+ * session is used; otherwise the user's own key; otherwise nothing is set up.
+ */
+export declare function resolveKeyMode(): KeyModeStatus;
+/**
+ * The dim welcome/banner line that makes the active key source unmistakable —
+ * the user must be able to see at a glance whether they're on hosted keys or
+ * their own. Returns null in 'none' mode (the welcome already shows key setup).
+ */
+export declare function keyModeLine(status?: KeyModeStatus): string | null;
+/**
+ * Resolve the DeepSeek endpoint the provider should use. Hosted mode routes
+ * through the ero.solar proxy authenticated by the short-lived sign-in token
+ * (the real key lives only server-side, Glasswing); otherwise the user's own
+ * key hits the API directly. `apiKey` is '' in 'none' mode (caller errors).
+ */
+export declare function resolveDeepSeekEndpoint(): {
+    apiKey: string;
+    baseURL: string;
+    mode: KeyMode;
+};
+export interface LoginResult {
+    ok: boolean;
+    session?: HostedSession;
+    error?: string;
+}
+/**
+ * Loopback-OAuth sign-in (the contract's increment 2). Starts a one-shot
+ * 127.0.0.1 server on an ephemeral port, opens the browser to the ero.solar
+ * Google-SSO login URL with that port + a CSRF state, and waits for the
+ * redirect back to /cb?token=&email=&state=. On match it persists the hosted
+ * session. The browser launch is injected (`open`) so the flow is testable
+ * against the REAL loopback server without a real browser.
+ *
+ * Requires the ero.solar backend (SSO + token mint + redirect) to be live; with
+ * no backend the browser opens to a not-yet-served endpoint and the wait times
+ * out — the caller surfaces that honestly.
+ */
+export declare function loginViaLoopback(opts: {
+    open: (url: string) => void | Promise<void>;
+    timeoutMs?: number;
+    loginUrl?: string;
+}): Promise<LoginResult>;
+//# sourceMappingURL=hostedAuth.d.ts.map

package/dist/core/hostedAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hostedAuth.d.ts","sourceRoot":"","sources":["../../src/core/hostedAuth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAUH,eAAO,MAAM,gBAAgB,gCAAgC,CAAC;AAC9D,eAAO,MAAM,qBAAqB,mCAAmC,CAAC;AAWtE,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AASD,MAAM,MAAM,OAAO,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAEhD,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,aAAa,EAAE,OAAO,CAAC;CACxB;AA+BD,0EAA0E;AAC1E,wBAAgB,gBAAgB,IAAI,aAAa,GAAG,IAAI,CAGvD;AAED,oFAAoF;AACpF,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,aAAa,GAAG,IAAI,CAG7D;AAED,mEAAmE;AACnE,wBAAgB,kBAAkB,IAAI,IAAI,CAMzC;AAED,wBAAgB,cAAc,IAAI,OAAO,CAExC;AAED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,CAErD;AAED;;;;GAIG;AACH,wBAAgB,cAAc,IAAI,aAAa,CAa9C;AAED;;;;GAIG;AACH,wBAAgB,WAAW,CAAC,MAAM,GAAE,aAAgC,GAAG,MAAM,GAAG,IAAI,CAanF;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,IAAI;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,OAAO,CAAA;CAAE,CAW5F;AAED,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,OAAO,CAAC;IACZ,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE;IACrC,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,OAAO,CAAC,WAAW,CAAC,CAuCvB"}

package/dist/core/hostedAuth.js

@@ -0,0 +1,219 @@
+/**
+ * Hosted-key access — the CLIENT side of "optional sign-in unlocks hosted keys,
+ * or bring your own." Keys NEVER ship in this client (Project Glasswing); they
+ * live only in the ero.solar AWS backend, exactly like the Tavily search proxy
+ * already does (see src/tools/webTools.ts). Sign-in mints a short-lived token;
+ * the proxies validate it and use the operator keys.
+ *
+ * ── CONTRACT (the ero.solar backend implements this; this file codes against it) ──
+ *   Sign-in (loopback OAuth, increment 2):
+ *     open  https://ero.solar/cli/login?port=<loopbackPort>&state=<csrf>
+ *     → Google SSO → 302 http://127.0.0.1:<port>/cb?token=<jwt>&email=<e>&state=<csrf>
+ *   DeepSeek (hosted): POST {HOSTED_DEEPSEEK_PROXY}  header `Authorization: Bearer <token>`
+ *   Tavily   (hosted): the existing tavilySearch proxy, same Bearer token
+ *   The token is short-lived and server-validated; if it 401s the CLI drops to
+ *   "signed out" and asks the user to /login again or use their own key.
+ *
+ * THIS MODULE is state + resolution only (increment 1, fully testable). The live
+ * sign-in flow and the provider→proxy wiring are increment 2 (backend-gated).
+ */
+import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync, rmSync } from 'node:fs';
+import { createServer } from 'node:http';
+import { randomBytes } from 'node:crypto';
+import { homedir } from 'node:os';
+import { join, resolve } from 'node:path';
+import { getSecretValue } from './secretStore.js';
+// Contract endpoints (the backend the user is building must match these).
+export const HOSTED_LOGIN_URL = 'https://ero.solar/cli/login';
+export const HOSTED_DEEPSEEK_PROXY = 'https://ero.solar/api/deepseek';
+// Resolved per call (not captured at module load) so TRENCHWORK_HOME changes —
+// and tests pointing at a temp dir — take effect.
+function homeDir() {
+    return process.env['TRENCHWORK_HOME'] ? resolve(process.env['TRENCHWORK_HOME']) : join(homedir(), '.trenchwork');
+}
+function sessionFile() {
+    return join(homeDir(), 'session.json');
+}
+function readFile() {
+    // Read the on-disk session first (the future /login writes it; it also holds
+    // the own/hosted preference), then let env override the token+email — env
+    // lets tests/CI inject a session without touching disk, while still honouring
+    // a stored preference.
+    let data = {};
+    const file = sessionFile();
+    if (existsSync(file)) {
+        try {
+            const parsed = JSON.parse(readFileSync(file, 'utf8'));
+            if (parsed && typeof parsed === 'object')
+                data = parsed;
+        }
+        catch { /* corrupt → treat as empty */ }
+    }
+    const envToken = process.env['TRENCHWORK_HOSTED_TOKEN']?.trim();
+    if (envToken) {
+        data.token = envToken;
+        data.email = process.env['TRENCHWORK_HOSTED_EMAIL']?.trim() || 'you@hosted';
+    }
+    return data;
+}
+function writeFile(data) {
+    const file = sessionFile();
+    mkdirSync(homeDir(), { recursive: true, mode: 0o700 });
+    const tmp = `${file}.${process.pid}.tmp`;
+    writeFileSync(tmp, JSON.stringify(data, null, 2) + '\n', { mode: 0o600 });
+    renameSync(tmp, file);
+}
+/** The active hosted session (token + email), or null when signed out. */
+export function getHostedSession() {
+    const f = readFile();
+    return f.token ? { token: f.token, email: f.email || 'you@hosted' } : null;
+}
+/** Persist a hosted session (called by /login once the backend returns a token). */
+export function setHostedSession(session) {
+    const f = readFile();
+    writeFile({ ...f, token: session.token, email: session.email });
+}
+/** Sign out: drop the token but keep the own/hosted preference. */
+export function clearHostedSession() {
+    const f = readFile();
+    delete f.token;
+    delete f.email;
+    if (Object.keys(f).length === 0) {
+        try {
+            rmSync(sessionFile(), { force: true });
+        }
+        catch { /* ignore */ }
+        return;
+    }
+    writeFile(f);
+}
+export function prefersOwnKeys() {
+    return readFile().preferOwnKeys === true;
+}
+export function setPreferOwnKeys(value) {
+    writeFile({ ...readFile(), preferOwnKeys: value });
+}
+/**
+ * Resolve which keys are in effect. Preference order: an explicit "use my own
+ * keys" wins when the user actually has a DeepSeek key; otherwise a hosted
+ * session is used; otherwise the user's own key; otherwise nothing is set up.
+ */
+export function resolveKeyMode() {
+    const session = getHostedSession();
+    const ownDeepSeek = Boolean(getSecretValue('DEEPSEEK_API_KEY'));
+    const ownTavily = Boolean(getSecretValue('TAVILY_API_KEY'));
+    const preferOwnKeys = prefersOwnKeys();
+    let mode;
+    if (preferOwnKeys && ownDeepSeek)
+        mode = 'own';
+    else if (session)
+        mode = 'hosted';
+    else if (ownDeepSeek)
+        mode = 'own';
+    else
+        mode = 'none';
+    return { mode, email: session?.email ?? null, signedIn: Boolean(session), ownDeepSeek, ownTavily, preferOwnKeys };
+}
+/**
+ * The dim welcome/banner line that makes the active key source unmistakable —
+ * the user must be able to see at a glance whether they're on hosted keys or
+ * their own. Returns null in 'none' mode (the welcome already shows key setup).
+ */
+export function keyModeLine(status = resolveKeyMode()) {
+    switch (status.mode) {
+        case 'hosted':
+            return `Signed in as ${status.email} · using hosted keys` +
+                (status.ownDeepSeek ? ' · /account to use your own' : '');
+        case 'own': {
+            const tav = status.ownTavily ? 'Tavily ✓' : 'Tavily (shared proxy)';
+            const base = `Using your own keys · DeepSeek ✓ · ${tav}`;
+            return status.signedIn ? `${base} · /account to use hosted` : base;
+        }
+        default:
+            return null;
+    }
+}
+/**
+ * Resolve the DeepSeek endpoint the provider should use. Hosted mode routes
+ * through the ero.solar proxy authenticated by the short-lived sign-in token
+ * (the real key lives only server-side, Glasswing); otherwise the user's own
+ * key hits the API directly. `apiKey` is '' in 'none' mode (caller errors).
+ */
+export function resolveDeepSeekEndpoint() {
+    const status = resolveKeyMode();
+    if (status.mode === 'hosted') {
+        const session = getHostedSession();
+        if (session)
+            return { apiKey: session.token, baseURL: HOSTED_DEEPSEEK_PROXY, mode: 'hosted' };
+    }
+    const userKey = (process.env['DEEPSEEK_API_KEY'] || '').trim();
+    if (userKey) {
+        return { apiKey: userKey, baseURL: process.env['DEEPSEEK_BASE_URL'] || 'https://api.deepseek.com', mode: 'own' };
+    }
+    return { apiKey: '', baseURL: '', mode: 'none' };
+}
+/**
+ * Loopback-OAuth sign-in (the contract's increment 2). Starts a one-shot
+ * 127.0.0.1 server on an ephemeral port, opens the browser to the ero.solar
+ * Google-SSO login URL with that port + a CSRF state, and waits for the
+ * redirect back to /cb?token=&email=&state=. On match it persists the hosted
+ * session. The browser launch is injected (`open`) so the flow is testable
+ * against the REAL loopback server without a real browser.
+ *
+ * Requires the ero.solar backend (SSO + token mint + redirect) to be live; with
+ * no backend the browser opens to a not-yet-served endpoint and the wait times
+ * out — the caller surfaces that honestly.
+ */
+export function loginViaLoopback(opts) {
+    const state = randomBytes(16).toString('hex');
+    const loginUrl = opts.loginUrl ?? HOSTED_LOGIN_URL;
+    return new Promise((resolveP) => {
+        let settled = false;
+        const finish = (result) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            try {
+                server.close();
+            }
+            catch { /* ignore */ }
+            resolveP(result);
+        };
+        const server = createServer((req, res) => {
+            const url = new URL(req.url ?? '/', 'http://127.0.0.1');
+            if (url.pathname !== '/cb') {
+                res.writeHead(404);
+                res.end('not found');
+                return;
+            }
+            const token = url.searchParams.get('token') ?? '';
+            const email = url.searchParams.get('email') ?? '';
+            const gotState = url.searchParams.get('state') ?? '';
+            const okPage = '<!doctype html><meta charset="utf-8"><body style="font:16px system-ui;padding:3rem">'
+                + 'Signed in to Trenchwork Coder. You can close this tab and return to the terminal.</body>';
+            res.writeHead(200, { 'content-type': 'text/html' });
+            res.end(okPage);
+            if (gotState !== state) {
+                finish({ ok: false, error: 'state mismatch — sign-in rejected (possible CSRF)' });
+                return;
+            }
+            if (!token) {
+                finish({ ok: false, error: 'sign-in returned no token' });
+                return;
+            }
+            const session = { token, email: email || 'you@hosted' };
+            setHostedSession(session);
+            finish({ ok: true, session });
+        });
+        const timer = setTimeout(() => finish({ ok: false, error: 'timed out waiting for sign-in' }), opts.timeoutMs ?? 120_000);
+        server.on('error', (e) => finish({ ok: false, error: `loopback server failed: ${e.message}` }));
+        server.listen(0, '127.0.0.1', () => {
+            const addr = server.address();
+            const port = addr && typeof addr === 'object' ? addr.port : 0;
+            const url = `${loginUrl}?port=${port}&state=${state}`;
+            Promise.resolve(opts.open(url)).catch(() => { });
+        });
+    });
+}
+//# sourceMappingURL=hostedAuth.js.map

package/dist/core/hostedAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hostedAuth.js","sourceRoot":"","sources":["../../src/core/hostedAuth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjG,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAElD,0EAA0E;AAC1E,MAAM,CAAC,MAAM,gBAAgB,GAAG,6BAA6B,CAAC;AAC9D,MAAM,CAAC,MAAM,qBAAqB,GAAG,gCAAgC,CAAC;AAEtE,+EAA+E;AAC/E,kDAAkD;AAClD,SAAS,OAAO;IACd,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,aAAa,CAAC,CAAC;AACnH,CAAC;AACD,SAAS,WAAW;IAClB,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,cAAc,CAAC,CAAC;AACzC,CAAC;AAyBD,SAAS,QAAQ;IACf,6EAA6E;IAC7E,0EAA0E;IAC1E,8EAA8E;IAC9E,uBAAuB;IACvB,IAAI,IAAI,GAAgB,EAAE,CAAC;IAC3B,MAAM,IAAI,GAAG,WAAW,EAAE,CAAC;IAC3B,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;YACtD,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;gBAAE,IAAI,GAAG,MAAqB,CAAC;QACzE,CAAC;QAAC,MAAM,CAAC,CAAC,8BAA8B,CAAC,CAAC;IAC5C,CAAC;IACD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,EAAE,IAAI,EAAE,CAAC;IAChE,IAAI,QAAQ,EAAE,CAAC;QACb,IAAI,CAAC,KAAK,GAAG,QAAQ,CAAC;QACtB,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,EAAE,IAAI,EAAE,IAAI,YAAY,CAAC;IAC9E,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,SAAS,CAAC,IAAiB;IAClC,MAAM,IAAI,GAAG,WAAW,EAAE,CAAC;IAC3B,SAAS,CAAC,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,GAAG,IAAI,IAAI,OAAO,CAAC,GAAG,MAAM,CAAC;IACzC,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1E,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AACxB,CAAC;AAED,0EAA0E;AAC1E,MAAM,UAAU,gBAAgB;IAC9B,MAAM,CAAC,GAAG,QAAQ,EAAE,CAAC;IACrB,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,YAAY,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AAC7E,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,gBAAgB,CAAC,OAAsB;IACrD,MAAM,CAAC,GAAG,QAAQ,EAAE,CAAC;IACrB,SAAS,CAAC,EAAE,GAAG,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;AAClE,CAAC;AAED,mEAAmE;AACnE,MAAM,UAAU,kBAAkB;IAChC,MAAM,CAAC,GAAG,QAAQ,EAAE,CAAC;IACrB,OAAO,CAAC,CAAC,KAAK,CAAC;IACf,OAAO,CAAC,CAAC,KAAK,CAAC;IACf,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAAC,IAAI,CAAC;YAAC,MAAM,CAAC,WAAW,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAAC,OAAO;IAAC,CAAC;IACnH,SAAS,CAAC,CAAC,CAAC,CAAC;AACf,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,OAAO,QAAQ,EAAE,CAAC,aAAa,KAAK,IAAI,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,KAAc;IAC7C,SAAS,CAAC,EAAE,GAAG,QAAQ,EAAE,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC;AACrD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc;IAC5B,MAAM,OAAO,GAAG,gBAAgB,EAAE,CAAC;IACnC,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAChE,MAAM,SAAS,GAAG,OAAO,CAAC,cAAc,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAC5D,MAAM,aAAa,GAAG,cAAc,EAAE,CAAC;IAEvC,IAAI,IAAa,CAAC;IAClB,IAAI,aAAa,IAAI,WAAW;QAAE,IAAI,GAAG,KAAK,CAAC;SAC1C,IAAI,OAAO;QAAE,IAAI,GAAG,QAAQ,CAAC;SAC7B,IAAI,WAAW;QAAE,IAAI,GAAG,KAAK,CAAC;;QAC9B,IAAI,GAAG,MAAM,CAAC;IAEnB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC;AACpH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,WAAW,CAAC,SAAwB,cAAc,EAAE;IAClE,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,KAAK,QAAQ;YACX,OAAO,gBAAgB,MAAM,CAAC,KAAK,sBAAsB;gBACvD,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC9D,KAAK,KAAK,CAAC,CAAC,CAAC;YACX,MAAM,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,uBAAuB,CAAC;YACpE,MAAM,IAAI,GAAG,sCAAsC,GAAG,EAAE,CAAC;YACzD,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,IAAI,2BAA2B,CAAC,CAAC,CAAC,IAAI,CAAC;QACrE,CAAC;QACD;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB;IACrC,MAAM,MAAM,GAAG,cAAc,EAAE,CAAC;IAChC,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,gBAAgB,EAAE,CAAC;QACnC,IAAI,OAAO;YAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IAChG,CAAC;IACD,MAAM,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC/D,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,0BAA0B,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACnH,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AACnD,CAAC;AAQD;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAIhC;IACC,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,gBAAgB,CAAC;IACnD,OAAO,IAAI,OAAO,CAAc,CAAC,QAAQ,EAAE,EAAE;QAC3C,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,MAAM,GAAG,CAAC,MAAmB,EAAQ,EAAE;YAC3C,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,IAAI,CAAC;gBAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YAC9C,QAAQ,CAAC,MAAM,CAAC,CAAC;QACnB,CAAC,CAAC;QAEF,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACvC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;YACxD,IAAI,GAAG,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;gBAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBAAC,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBAAC,OAAO;YAAC,CAAC;YACjF,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClD,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClD,MAAM,QAAQ,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YACrD,MAAM,MAAM,GAAG,sFAAsF;kBACjG,0FAA0F,CAAC;YAC/F,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;YACpD,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAChB,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;gBAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mDAAmD,EAAE,CAAC,CAAC;gBAAC,OAAO;YAAC,CAAC;YACtH,IAAI,CAAC,KAAK,EAAE,CAAC;gBAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC,CAAC;gBAAC,OAAO;YAAC,CAAC;YAClF,MAAM,OAAO,GAAkB,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,IAAI,YAAY,EAAE,CAAC;YACvE,gBAAgB,CAAC,OAAO,CAAC,CAAC;YAC1B,MAAM,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC,CAAC;QACzH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA4B,CAAW,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;QAC3G,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YACjC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;YAC9B,MAAM,IAAI,GAAG,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9D,MAAM,GAAG,GAAG,GAAG,QAAQ,SAAS,IAAI,UAAU,KAAK,EAAE,CAAC;YACtD,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAuC,CAAC,CAAC,CAAC;QACvF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}