@trenchwork/erosolar 1.1.24 → 1.1.26

package/README.md

@@ -39,17 +39,51 @@ erosolar
 On first launch the CLI:
 
 1. Pops a browser tab to `https://ero.solar/auth?port=…`. You sign in
-   (Erosolar Auth — Firebase Auth under the hood, project
-   `erosolar-1b0db`).
+   with **Google SSO** (Erosolar Auth — Firebase Auth under the hood,
+   project `erosolar-1b0db`). SSO is enforced both at the web auth
+   page and at the Firestore-rule layer
+   (`request.auth.token.firebase.sign_in_provider == 'google.com'`).
 2. Stores a Firebase ID token + refresh token at `~/.erosolar/auth.json`
    (`0o600`). The refresh token is long-lived; the ID token is auto-
    renewed before expiry.
-3. Fetches the shared DeepSeek API key from Firestore at
+3. **Approval gate.** The CLI checks `approved_users/{your-email}` in
+   Firestore. The package ships offsec capabilities (Kali tools /
+   AFL++ / gdb / pwntools / Ghidra MCP), so only allowlisted emails
+   can launch. If your email isn't approved, the CLI writes a
+   pending request to `approval_requests/{uid}` for the operator to
+   review and exits with a clear message — re-run after the request
+   is approved.
+4. Fetches the shared DeepSeek API key from Firestore at
    `shared_secrets/deepseek` and writes it into `process.env.DEEPSEEK_API_KEY`
    for the duration of the process. **Nothing lands on disk.** Reads
-   are gated by Firestore security rules to authenticated users only;
-   writes are admin-only.
-4. Starts the interactive Ink-based shell.
+   are gated by Firestore rules to authenticated *and approved*
+   users only; writes are admin-only.
+5. Starts the interactive Ink-based shell.
+
+### Requesting approval
+
+Sign in once via Google SSO. The CLI will detect that your email
+isn't on the allowlist and file a pending request at
+`approval_requests/{uid}`. The operator reviews the queue and
+adds your email via:
+
+```sh
+node scripts/approve-user.mjs <your-email>
+```
+
+You can re-run `erosolar` once the operator confirms approval.
+
+### Approval gate — admin operations
+
+Adding a user (uses the Firebase CLI's stored OAuth token; bypasses
+Firestore rules via owner privileges):
+
+```sh
+node scripts/approve-user.mjs alice@example.com
+```
+
+Inspecting pending requests via Firebase Console:
+[Firestore → `approval_requests`](https://console.firebase.google.com/project/erosolar-1b0db/firestore/data/~2Fapproval_requests)
 
 ### Bring-your-own key
 
@@ -397,6 +431,12 @@ that range will print an `npm deprecate` warning. Upgrade to ≥
 
 ## Security posture
 
+> **Full threat model + controls live in [SECURITY.md](SECURITY.md).**
+> The summary below is an index; SECURITY.md is the authoritative
+> reference (SSO, allowlist, revocation, profile gating, audit log,
+> threat model, residual risk).
+
+
 - The CLI is dual-use offensive-security tooling. U.S. classification
   is EAR-controlled (CCL [ECCN 4D004](https://www.federalregister.gov/documents/2021/10/21/2021-22774/information-security-controls-cybersecurity-items)),
   not USML/ITAR. Domestic development and use is unrestricted; export

package/SECURITY.md

@@ -0,0 +1,195 @@
+# Security model
+
+`@trenchwork/erosolar` ships dual-use offsec capabilities (Kali
+tooling, AFL++, gdb, pwntools, Ghidra MCP wiring). The package can
+operate against authorized targets — e.g. a research engagement
+with the operator's own infrastructure or an in-scope bug bounty —
+and is potentially harmful if misused. This document describes the
+controls in place, the threat model they address, and the disclosure
+path for issues.
+
+The motto is "show, don't tell": each control below corresponds to
+a code path you can read, a Firestore rule you can deploy, or an
+admin script you can run.
+
+## Authentication
+
+### Google SSO required
+
+The CLI signs the user in via Firebase Auth at `https://ero.solar/auth`
+which exposes Google as the only provider. SSO is enforced a second
+time at the Firestore rule layer:
+
+```
+request.auth.token.firebase.sign_in_provider == 'google.com'
+```
+
+A non-SSO token (anonymous, password, custom) cannot read
+`approved_users/{email}`, `shared_secrets/{name}`, or write
+`usage_logs/{uid}/sessions/{id}`. The gate fails closed: even if
+the auth page were misconfigured, Firestore would deny the read.
+
+### Token storage
+
+`~/.erosolar/auth.json` (file `0o600`, parent dir `0o700`). Atomic
+writes prevent half-written JSON from breaking subsequent loads.
+The ID token is rotated automatically; the refresh token is
+long-lived and revocable by the user at
+[Google Account → Security → Connections to apps](https://myaccount.google.com/connections).
+
+## Authorization — approved users only
+
+The CLI is **not open-launch**. Every boot checks
+`approved_users/{lowercased-email}` in Firestore. The doc has the
+shape:
+
+```json
+{
+  "email": "alice@example.com",
+  "approved": true,
+  "approvedAt": "2026-05-08T...",
+  "revoked": false,
+  "profiles_allowed": ["erosolar-code"]
+}
+```
+
+Three failure modes are surfaced separately (`src/core/userApproval.ts`):
+
+- **Not on the list.** Writes a pending request to
+  `approval_requests/{uid}` and exits with a clear message. The
+  operator reviews requests at the
+  [Firebase Console](https://console.firebase.google.com/project/erosolar-1b0db/firestore/data/~2Fapproval_requests).
+
+- **Revoked.** `revoked: true` denies access even when `approved: true`.
+  Preserved-but-revoked beats deletion so the audit trail of who
+  held access when stays intact. Revoked accounts cannot file new
+  requests (they must contact the operator).
+
+- **Profile not granted.** A user approved for `erosolar-code` but
+  not `variant-research` cannot launch the offsec rulebook. New
+  approvals via `scripts/approve-user.mjs` default to
+  `['erosolar-code']` only — offsec profiles require an explicit
+  grant.
+
+The Firestore rule for the allowlist requires the request's email to
+exactly match the doc id, preventing enumeration of who else is
+approved.
+
+## Secrets
+
+The npm tarball **ships zero embedded API keys** since `1.1.20`.
+The audit test at `test/shared-secrets.test.ts` walks the source
+tree and fails CI if a literal `sk-[a-f0-9]{32,64}` is ever
+re-introduced. Resolution order at boot:
+
+1. `process.env.DEEPSEEK_API_KEY` — explicit env override
+2. `~/.erosolar/secrets.json` — user-set via `/key` or `/secrets`
+3. Firestore `shared_secrets/deepseek` — admin-managed, rule-gated
+   to authenticated *and approved* users
+
+Versions `1.1.16` → `1.1.19` are deprecated on npm with a rotation
+warning — they bundled an embedded DeepSeek key that's now revoked.
+
+## Audit log
+
+Every CLI launch (after the gates pass) writes a session-start
+entry at `usage_logs/{uid}/sessions/{timestampedId}`:
+
+```json
+{
+  "uid": "...",
+  "email": "alice@example.com",
+  "startedAt": "2026-05-09T12:34:56.789Z",
+  "profile": "erosolar-code",
+  "model": "default",
+  "version": "1.1.26",
+  "platform": "linux"
+}
+```
+
+The Firestore rule allows **create-only** for the owning user —
+no read, no update, no delete. The operator reviews via the
+service account / Firebase Console. A compromised user cannot
+scrub their own history.
+
+**No prompt content is logged.** The schema is deliberately minimal:
+session metadata for abuse review, not surveillance. If you object
+to the audit log, please raise a request — the controls here are
+meant to be defensible, not adversarial.
+
+## Coordinated disclosure
+
+Output of the `variant-research` profile is pinned to coordinated
+channels in the rulebook (`agents/variant-research.rules.json`),
+critical-severity rule `vr.r.no_brokerage`:
+
+> Disclosure terminal MUST be one of: hackerone, bugcrowd, vendor
+> PSIRT, CERT/CC, internal-writeup, or published-advisory.
+> NOT broker / NOT silent / NOT 'sit on it'.
+
+The model reads the rulebook from its system prompt. This is a
+soft enforcement — the model can in principle ignore guidance —
+but the prose is graded `severity: critical` and the operator's
+delivery is the audit point.
+
+## Repo posture
+
+- Source repo `Aroxora/deepseek-coder-cli` and the companion
+  `Aroxora/patchpivot` workspace are **private**.
+- The npm tarball is public for distribution but cannot be used
+  without passing the SSO + allowlist gates above.
+- Pre-push hook at `scripts/git-hooks/pre-push` runs `npm test`
+  before every push, including the embedded-key audit and the
+  HITL-suspension regression.
+- 2FA on the publisher's GitHub + npm accounts is **required** for
+  any contributor with publish rights.
+
+## Export controls
+
+The agent surface includes offensive cyber tooling. U.S. export
+classification: EAR-controlled (CCL [ECCN 4D004](https://www.federalregister.gov/documents/2021/10/21/2021-22774/information-security-controls-cybersecurity-items)),
+not USML/ITAR. Domestic development and use is unrestricted; export
+controls apply to international transfer. See
+[ero.solar/about](https://ero.solar/about) for the full disclosure
+including BIS / DDTC links and the relevant rulemaking.
+
+## Reporting a vulnerability or abuse
+
+- **Vulnerability in the CLI itself:** open a private GitHub issue
+  on `Aroxora/deepseek-coder-cli`, or email the operator listed in
+  the npm package's `bugs` field. Do not include exploit details
+  in public issues.
+- **Abuse of an approved-user account:** the operator can revoke
+  via `scripts/revoke-user.mjs <email> --reason "…"`; revocation
+  is reflected on the next CLI launch.
+- **Coordinated disclosure of a finding the CLI helped uncover:**
+  follow the rulebook's coordinated-disclosure terminal — submit
+  to the vendor / HackerOne / Bugcrowd / CERT-CC, *not* a broker,
+  *not* silent.
+
+## Threat model — what we don't claim to defend against
+
+This is "show, don't tell" both ways: be honest about residual
+risk.
+
+- **Source-level circumvention.** An approved user could fork the
+  repo, comment out the `checkApproval()` call, and run with their
+  own DeepSeek key. The gate keeps the *shared* key + audit log on
+  Erosolar's terms; it does not prevent forks.
+- **Compromised admin credentials.** The firebase-tools OAuth
+  token (`~/.config/configstore/firebase-tools.json`) on the
+  publisher's machine has owner privileges on `erosolar-1b0db`.
+  Treat it like a service-account JSON — if it leaks, the attacker
+  can mutate the allowlist. 2FA on the underlying Google account
+  is the primary mitigation.
+- **Model-level circumvention.** The rulebook is guidance the
+  model reads, not enforced state. A determined operator can
+  prompt around it. This is mitigated by who can launch the
+  profile (allowlist), not by the model itself.
+- **Offline use.** A user who's already authenticated and pulled
+  the shared key into env can run the CLI without network — the
+  audit log entry won't land. Subsequent launches re-trigger the
+  gate.
+
+If you can demonstrate a circumvention not listed here, please
+report it via the vulnerability process above.

package/dist/bin/deepseek.js

@@ -6,6 +6,21 @@ import { reportStatus, reportStatusError } from '../utils/statusReporter.js';
 import { track } from '../utils/analytics.js';
 // Fast path: Handle --version, --help, --key before any heavy imports
 const rawArgs = process.argv.slice(2);
+/** Extract `--profile NAME` or `--profile=NAME` from argv. Used by the
+ * approval gate to check profile-specific authorization before the
+ * profile manifest is loaded. */
+function pickProfileArg(args) {
+    const idx = args.findIndex((a) => a === '--profile');
+    if (idx >= 0) {
+        const next = args[idx + 1];
+        if (next && !next.startsWith('-'))
+            return next;
+    }
+    const eq = args.find((a) => a.startsWith('--profile='));
+    if (eq)
+        return eq.slice('--profile='.length);
+    return undefined;
+}
 // Best-effort, non-blocking analytics ping. Never throws, never awaited.
 const subcommand = rawArgs[0]?.startsWith('-') ? '(flags)' : (rawArgs[0] || 'default');
 track('cli_invoked', { subcommand, arg_count: rawArgs.length });
@@ -213,15 +228,66 @@ async function main() {
     // Require authentication before continuing
     const { requireAuth } = await import('../core/auth.js');
     await requireAuth();
+    // Approved-users gate. The CLI carries offsec tooling, so every
+    // launch checks the signed-in email against the Firestore allowlist
+    // at `approved_users/{email}`. Misses get a request doc written for
+    // the operator to review, then the CLI refuses to start. SSO is
+    // also enforced at the Firestore-rule layer (sign_in_provider ==
+    // 'google.com'), so a non-SSO token can't even read the doc.
+    // The check also enforces:
+    //   - revocation: `revoked: true` on the doc denies access even if
+    //     `approved: true` (faster than removing the doc — preserves
+    //     the audit trail of who held access when).
+    //   - profile gating: `profiles_allowed: ['variant-research', ...]`
+    //     restricts which agent profiles a user can launch. Missing
+    //     field = permissive (backward compat). New approvals default
+    //     to `['erosolar-code']` only.
+    const requestedProfile = pickProfileArg(rawArgs) ?? process.env['EROSOLAR_PROFILE'] ?? 'erosolar-code';
+    const { checkApproval, requestApproval } = await import('../core/userApproval.js');
+    const approval = await checkApproval(requestedProfile);
+    if (!approval.approved) {
+        process.stderr.write('\n');
+        process.stderr.write('Access denied — this account is not authorized.\n');
+        process.stderr.write(`  Email:    ${approval.email ?? '(no email on token — SSO required)'}\n`);
+        process.stderr.write(`  Profile:  ${requestedProfile}\n`);
+        process.stderr.write(`  Reason:   ${approval.reason ?? 'unknown'}\n\n`);
+        if (approval.email && approval.uid && !approval.revoked) {
+            const req = await requestApproval();
+            if (req.ok) {
+                process.stderr.write('A request has been recorded. The administrator will review it.\n');
+                process.stderr.write('You can re-run `erosolar` once the approval lands.\n');
+            }
+            else {
+                process.stderr.write(`Could not file approval request: ${req.reason}\n`);
+            }
+        }
+        else if (approval.revoked) {
+            process.stderr.write('Revoked accounts cannot file new requests. Contact the operator directly.\n');
+        }
+        process.exit(1);
+    }
     // Hydrate shared provider keys from Firestore. Runs after requireAuth
-    // so a valid Firebase ID token is already on disk. If the user has
-    // their own DEEPSEEK_API_KEY in env or saved via /secrets, this is a
-    // no-op; otherwise it fetches the org-managed key from
+    // + checkApproval so a valid Firebase ID token is already on disk
+    // and the user is on the allowlist. If the user has their own
+    // DEEPSEEK_API_KEY in env or saved via /secrets, this is a no-op;
+    // otherwise it fetches the org-managed key from
     // shared_secrets/deepseek (Firestore-rule-gated by auth) and writes
     // it into process.env before any provider is constructed. The CLI
     // ships zero embedded keys.
     const { prefetchAllSharedSecrets } = await import('../core/sharedSecrets.js');
     await prefetchAllSharedSecrets();
+    // Audit log — best-effort write of session metadata to Firestore.
+    // Schema is deliberately minimal: profile/model/version/platform.
+    // No prompt content is recorded; logs are for abuse review and
+    // accountability, not surveillance. Failures here are non-fatal —
+    // logging is observability, not a runtime gate.
+    const { writeUsageLog } = await import('../core/userApproval.js');
+    void writeUsageLog({
+        profile: requestedProfile,
+        model: process.env[`${requestedProfile.toUpperCase().replace(/[^A-Z0-9]/g, '_')}_MODEL`] || 'default',
+        version: process.env['npm_package_version'] || 'unknown',
+        platform: process.platform,
+    }).catch(() => { });
     // Force color support for TTY terminals
     if (process.stdout.isTTY && !process.env['NO_COLOR']) {
         process.env['FORCE_COLOR'] = process.env['FORCE_COLOR'] ?? '1';

package/dist/bin/deepseek.js.map

@@ -1 +1 @@
-{"version":3,"file":"deepseek.js","sourceRoot":"","sources":["../../src/bin/deepseek.ts"],"names":[],"mappings":";AACA;;GAEG;AACH,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC7E,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAE9C,sEAAsE;AACtE,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEtC,yEAAyE;AACzE,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC;AACvF,KAAK,CAAC,aAAa,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;AAEhE,gEAAgE;AAChE,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,OAAO,IAAI,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;AACvF,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;IACpB,IAAI,QAA4B,CAAC;IACjC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9B,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5E,QAAQ,GAAG,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;YAC1B,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC9B,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;oBAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;oBACvD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;oBAExD,IAAI,CAAC;wBACH,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;wBAC7C,MAAM,QAAQ,GAAG,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;4BACxC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;4BAClD,CAAC,CAAC,EAAE,CAAC;wBACP,QAAQ,CAAC,kBAAkB,CAAC,GAAG,QAAQ,CAAC;wBACxC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;wBACvE,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;wBACpE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;oBAClB,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,YAAY,CAAC,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;wBAChF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;oBAClB,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,YAAY,CAAC,oCAAoC,CAAC,CAAC;QACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;KAAM,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;IACnE,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;QAC1B,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAC9B,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;gBAC5B,IAAI,CAAC;oBACH,MAAM,UAAU,GAAG,GAAG,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;oBACtD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,oBAAoB,CAAC,CAAC;oBAC7E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;oBAC1D,OAAO,CAAC,GAAG,CAAC,uBAAuB,GAAG,CAAC,OAAO,IAAI,OAAO,EAAE,CAAC,CAAC;gBAC/D,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;gBACtD,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;KAAM,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;IAChE,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;CAuBb,CAAC,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;KAAM,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,OAAO,EAAE,CAAC;IAClC,qEAAqE;IACrE,sEAAsE;IACtE,mEAAmE;IACnE,uEAAuE;IACvE,0CAA0C;IAC1C,KAAK,eAAe,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnD,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;KAAM,CAAC;IACN,KAAK,IAAI,EAAE,CAAC;AACd,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,IAAc;IAC3C,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAClE,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;IAE/B,MAAM,KAAK,GAAG;;;;;;;;;;;;;;;CAef,CAAC;IAEA,IAAI,CAAC;QACH,IAAI,MAAe,CAAC;QACpB,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,MAAM,CAAC,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC;gBACpC,IAAI,CAAC,CAAC,EAAE,CAAC;oBACP,OAAO,CAAC,KAAK,CAAC,+EAA+E,CAAC,CAAC;oBAC/F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,CAAC;gBACD,MAAM,GAAG,CAAC,CAAC;gBACX,MAAM;YACR,CAAC;YACD,KAAK,OAAO;gBACV,MAAM,GAAG,EAAE,IAAI,EAAE,YAAY,CAAC,SAAS,EAAE,EAAE,CAAC;gBAC5C,MAAM;YACR,KAAK,MAAM;gBACT,MAAM,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC;gBACnC,MAAM;YACR,KAAK,MAAM;gBACT,MAAM,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC7C,MAAM;YACR,KAAK,OAAO;gBACV,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACxD,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAC/C,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACxD,MAAM,GAAG,MAAM,YAAY,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAChD,MAAM;YACR,KAAK,QAAQ;gBACX,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC5C,MAAM;YACR,KAAK,UAAU,CAAC;YAChB,KAAK,KAAK;gBACR,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACxD,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAC/C,MAAM;YACR,KAAK,SAAS;gBACZ,MAAM,GAAG,MAAM,YAAY,CAAC,WAAW,EAAE,CAAC;gBAC1C,MAAM;YACR,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACrC,IAAI,CAAC,IAAI,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACrD,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBACzC,MAAM;YACR,CAAC;YACD,KAAK,OAAO;gBACV,MAAM,GAAG,MAAM,YAAY,CAAC,KAAK,EAAE,CAAC;gBACpC,MAAM;YACR,KAAK,SAAS;gBACZ,MAAM,GAAG,MAAM,YAAY,CAAC,WAAW,EAAE,CAAC;gBAC1C,MAAM;YACR,KAAK,QAAQ,CAAC;YACd,KAAK,IAAI,CAAC;YACV,KAAK,MAAM;gBACT,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB;gBACE,OAAO,CAAC,KAAK,CAAC,uBAAuB,IAAI,OAAO,KAAK,EAAE,CAAC,CAAC;gBACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,KAAK,CAAC,SAAS,IAAI,KAAK,GAAG,EAAE,CAAC,CAAC;QACvC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,2CAA2C;IAC3C,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACxD,MAAM,WAAW,EAAE,CAAC;IAEpB,sEAAsE;IACtE,mEAAmE;IACnE,qEAAqE;IACrE,uDAAuD;IACvD,oEAAoE;IACpE,kEAAkE;IAClE,4BAA4B;IAC5B,MAAM,EAAE,wBAAwB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAC9E,MAAM,wBAAwB,EAAE,CAAC;IAEjC,wCAAwC;IACxC,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,GAAG,CAAC;IACjE,CAAC;IAED,iBAAiB;IACjB,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACpC,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QACtD,WAAW,EAAE,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,OAAO;IACT,CAAC;IAED,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,iCAAiC,CAAC,CAAC;IAChF,mBAAmB,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;QACrD,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"deepseek.js","sourceRoot":"","sources":["../../src/bin/deepseek.ts"],"names":[],"mappings":";AACA;;GAEG;AACH,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC7E,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAE9C,sEAAsE;AACtE,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEtC;;iCAEiC;AACjC,SAAS,cAAc,CAAC,IAAc;IACpC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC;IACrD,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QAC3B,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACjD,CAAC;IACD,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC;IACxD,IAAI,EAAE;QAAE,OAAO,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC7C,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC;AACvF,KAAK,CAAC,aAAa,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;AAEhE,gEAAgE;AAChE,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,OAAO,IAAI,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;AACvF,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;IACpB,IAAI,QAA4B,CAAC;IACjC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9B,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5E,QAAQ,GAAG,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;YAC1B,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC9B,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;oBAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;oBACvD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;oBAExD,IAAI,CAAC;wBACH,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;wBAC7C,MAAM,QAAQ,GAAG,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;4BACxC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;4BAClD,CAAC,CAAC,EAAE,CAAC;wBACP,QAAQ,CAAC,kBAAkB,CAAC,GAAG,QAAQ,CAAC;wBACxC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;wBACvE,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;wBACpE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;oBAClB,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,YAAY,CAAC,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;wBAChF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;oBAClB,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,YAAY,CAAC,oCAAoC,CAAC,CAAC;QACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;KAAM,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;IACnE,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;QAC1B,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAC9B,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;gBAC5B,IAAI,CAAC;oBACH,MAAM,UAAU,GAAG,GAAG,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;oBACtD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,oBAAoB,CAAC,CAAC;oBAC7E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;oBAC1D,OAAO,CAAC,GAAG,CAAC,uBAAuB,GAAG,CAAC,OAAO,IAAI,OAAO,EAAE,CAAC,CAAC;gBAC/D,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;gBACtD,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;KAAM,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;IAChE,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;CAuBb,CAAC,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;KAAM,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,OAAO,EAAE,CAAC;IAClC,qEAAqE;IACrE,sEAAsE;IACtE,mEAAmE;IACnE,uEAAuE;IACvE,0CAA0C;IAC1C,KAAK,eAAe,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnD,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;KAAM,CAAC;IACN,KAAK,IAAI,EAAE,CAAC;AACd,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,IAAc;IAC3C,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAClE,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;IAE/B,MAAM,KAAK,GAAG;;;;;;;;;;;;;;;CAef,CAAC;IAEA,IAAI,CAAC;QACH,IAAI,MAAe,CAAC;QACpB,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,MAAM,CAAC,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC;gBACpC,IAAI,CAAC,CAAC,EAAE,CAAC;oBACP,OAAO,CAAC,KAAK,CAAC,+EAA+E,CAAC,CAAC;oBAC/F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,CAAC;gBACD,MAAM,GAAG,CAAC,CAAC;gBACX,MAAM;YACR,CAAC;YACD,KAAK,OAAO;gBACV,MAAM,GAAG,EAAE,IAAI,EAAE,YAAY,CAAC,SAAS,EAAE,EAAE,CAAC;gBAC5C,MAAM;YACR,KAAK,MAAM;gBACT,MAAM,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC;gBACnC,MAAM;YACR,KAAK,MAAM;gBACT,MAAM,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC7C,MAAM;YACR,KAAK,OAAO;gBACV,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACxD,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAC/C,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACxD,MAAM,GAAG,MAAM,YAAY,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAChD,MAAM;YACR,KAAK,QAAQ;gBACX,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC5C,MAAM;YACR,KAAK,UAAU,CAAC;YAChB,KAAK,KAAK;gBACR,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACxD,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAC/C,MAAM;YACR,KAAK,SAAS;gBACZ,MAAM,GAAG,MAAM,YAAY,CAAC,WAAW,EAAE,CAAC;gBAC1C,MAAM;YACR,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACrC,IAAI,CAAC,IAAI,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACrD,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBACzC,MAAM;YACR,CAAC;YACD,KAAK,OAAO;gBACV,MAAM,GAAG,MAAM,YAAY,CAAC,KAAK,EAAE,CAAC;gBACpC,MAAM;YACR,KAAK,SAAS;gBACZ,MAAM,GAAG,MAAM,YAAY,CAAC,WAAW,EAAE,CAAC;gBAC1C,MAAM;YACR,KAAK,QAAQ,CAAC;YACd,KAAK,IAAI,CAAC;YACV,KAAK,MAAM;gBACT,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB;gBACE,OAAO,CAAC,KAAK,CAAC,uBAAuB,IAAI,OAAO,KAAK,EAAE,CAAC,CAAC;gBACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,KAAK,CAAC,SAAS,IAAI,KAAK,GAAG,EAAE,CAAC,CAAC;QACvC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,2CAA2C;IAC3C,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACxD,MAAM,WAAW,EAAE,CAAC;IAEpB,gEAAgE;IAChE,oEAAoE;IACpE,oEAAoE;IACpE,gEAAgE;IAChE,iEAAiE;IACjE,6DAA6D;IAC7D,2BAA2B;IAC3B,mEAAmE;IACnE,iEAAiE;IACjE,gDAAgD;IAChD,oEAAoE;IACpE,gEAAgE;IAChE,kEAAkE;IAClE,mCAAmC;IACnC,MAAM,gBAAgB,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,eAAe,CAAC;IACvG,MAAM,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;IACnF,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,gBAAgB,CAAC,CAAC;IACvD,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;QAC1E,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,QAAQ,CAAC,KAAK,IAAI,oCAAoC,IAAI,CAAC,CAAC;QAChG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,gBAAgB,IAAI,CAAC,CAAC;QAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,QAAQ,CAAC,MAAM,IAAI,SAAS,MAAM,CAAC,CAAC;QACxE,IAAI,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YACxD,MAAM,GAAG,GAAG,MAAM,eAAe,EAAE,CAAC;YACpC,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAC;gBACzF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;YAC/E,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,6EAA6E,CAAC,CAAC;QACtG,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,sEAAsE;IACtE,kEAAkE;IAClE,8DAA8D;IAC9D,kEAAkE;IAClE,gDAAgD;IAChD,oEAAoE;IACpE,kEAAkE;IAClE,4BAA4B;IAC5B,MAAM,EAAE,wBAAwB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAC9E,MAAM,wBAAwB,EAAE,CAAC;IAEjC,kEAAkE;IAClE,kEAAkE;IAClE,+DAA+D;IAC/D,kEAAkE;IAClE,gDAAgD;IAChD,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;IAClE,KAAK,aAAa,CAAC;QACjB,OAAO,EAAE,gBAAgB;QACzB,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC,QAAQ,CAAC,IAAI,SAAS;QACrG,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,SAAS;QACxD,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAqB,CAAC,CAAC,CAAC;IAEtC,wCAAwC;IACxC,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,GAAG,CAAC;IACjE,CAAC;IAED,iBAAiB;IACjB,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACpC,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QACtD,WAAW,EAAE,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,OAAO;IACT,CAAC;IAED,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,iCAAiC,CAAC,CAAC;IAChF,mBAAmB,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;QACrD,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/core/userApproval.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Approved-user gate.
+ *
+ * The CLI ships offsec capabilities (Kali tools, AFL++, gdb, pwntools,
+ * Ghidra MCP wiring). To prevent random Google accounts from picking
+ * up the package and burning the shared key on toy targets, every
+ * launch checks the user's email against `approved_users/{email}` in
+ * Firestore. Misses get a `approval_requests/{uid}` doc written for
+ * the operator to review, then the CLI exits with an explanatory
+ * message.
+ *
+ * SSO is enforced two ways:
+ *   1. The web sign-in page only offers Google.
+ *   2. Firestore rules also check `request.auth.token.firebase.sign_in_provider == 'google.com'`
+ *      so a non-SSO token (anonymous, password) can't read the
+ *      approved_users doc — defense in depth.
+ *
+ * Email is the canonical identity here, lowercased + trimmed. UID is
+ * recorded on the request doc so the admin can correlate but not used
+ * as the primary key (UIDs are opaque; humans review by email).
+ */
+export interface ApprovalResult {
+    approved: boolean;
+    email: string | null;
+    uid: string | null;
+    reason?: string;
+    revoked?: boolean;
+    profilesAllowed?: string[];
+}
+export declare function normalizeEmail(email: string): string;
+/**
+ * Verify the currently-signed-in user is on the approved list.
+ * Side-effect free; just reads. Errors are surfaced as `approved: false`
+ * with a reason so the caller can decide whether to file a request
+ * doc and/or surface the message.
+ *
+ * Optional `profile` arg restricts the check: if set, the user's
+ * `profiles_allowed` must include either `*` (all) or this profile
+ * name. Missing `profiles_allowed` is treated as permissive for
+ * backward compatibility with the initial bootstrap docs that
+ * predate the field. New approvals via `scripts/approve-user.mjs`
+ * default to `['erosolar-code']` only — offsec profiles like
+ * `variant-research` require an explicit grant.
+ */
+export declare function checkApproval(profile?: string): Promise<ApprovalResult>;
+/**
+ * Idempotently write `approval_requests/{uid}` so the admin sees a
+ * pending request. Firestore rules let any authenticated user PATCH
+ * their own request doc but no one can read a sibling's. Returning
+ * `ok: true` doesn't mean approved — only that the request landed.
+ */
+export declare function requestApproval(): Promise<{
+    ok: boolean;
+    reason?: string;
+}>;
+export interface UsageLogEntry {
+    profile: string;
+    model: string;
+    version: string;
+    platform: string;
+}
+/**
+ * Append an audit-log entry at `usage_logs/{uid}/sessions/{sessionId}`.
+ * Best-effort: a Firestore failure does NOT block the user's session
+ * — logging is observability, not a runtime gate. Schema is
+ * deliberately minimal (no prompt content, no env): just session
+ * metadata so the operator can review patterns and detect abuse
+ * without retaining user-visible content.
+ */
+export declare function writeUsageLog(entry: UsageLogEntry): Promise<{
+    ok: boolean;
+    reason?: string;
+}>;
+//# sourceMappingURL=userApproval.d.ts.map

package/dist/core/userApproval.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"userApproval.d.ts","sourceRoot":"","sources":["../../src/core/userApproval.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAMH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEpD;AA6CD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,aAAa,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CA6C7E;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA6BjF;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;GAOG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAiCnG"}

package/dist/core/userApproval.js

@@ -0,0 +1,194 @@
+/**
+ * Approved-user gate.
+ *
+ * The CLI ships offsec capabilities (Kali tools, AFL++, gdb, pwntools,
+ * Ghidra MCP wiring). To prevent random Google accounts from picking
+ * up the package and burning the shared key on toy targets, every
+ * launch checks the user's email against `approved_users/{email}` in
+ * Firestore. Misses get a `approval_requests/{uid}` doc written for
+ * the operator to review, then the CLI exits with an explanatory
+ * message.
+ *
+ * SSO is enforced two ways:
+ *   1. The web sign-in page only offers Google.
+ *   2. Firestore rules also check `request.auth.token.firebase.sign_in_provider == 'google.com'`
+ *      so a non-SSO token (anonymous, password) can't read the
+ *      approved_users doc — defense in depth.
+ *
+ * Email is the canonical identity here, lowercased + trimmed. UID is
+ * recorded on the request doc so the admin can correlate but not used
+ * as the primary key (UIDs are opaque; humans review by email).
+ */
+import { FIREBASE_PROJECT_ID, getAuthStatus, getValidIdToken } from './auth.js';
+const FIRESTORE_BASE = `https://firestore.googleapis.com/v1/projects/${FIREBASE_PROJECT_ID}/databases/(default)/documents`;
+export function normalizeEmail(email) {
+    return email.trim().toLowerCase();
+}
+function readArrayOfStrings(field) {
+    const arr = field?.arrayValue?.values;
+    if (!Array.isArray(arr))
+        return undefined;
+    return arr
+        .map((v) => v.stringValue)
+        .filter((v) => typeof v === 'string');
+}
+async function fetchApprovalDoc(email) {
+    const idToken = await getValidIdToken();
+    const url = `${FIRESTORE_BASE}/approved_users/${encodeURIComponent(email)}`;
+    const res = await fetch(url, {
+        headers: { Authorization: `Bearer ${idToken}`, Accept: 'application/json' },
+    });
+    if (res.status === 404)
+        return null;
+    if (!res.ok) {
+        const body = await res.text().catch(() => '<no body>');
+        throw new Error(`Firestore ${res.status} reading approved_users/${email}: ${body.slice(0, 200)}`);
+    }
+    const doc = (await res.json());
+    const approved = doc.fields?.['approved']?.booleanValue === true;
+    const revoked = doc.fields?.['revoked']?.booleanValue === true;
+    const profilesAllowed = readArrayOfStrings(doc.fields?.['profiles_allowed']);
+    return { approved, revoked, profilesAllowed };
+}
+/**
+ * Verify the currently-signed-in user is on the approved list.
+ * Side-effect free; just reads. Errors are surfaced as `approved: false`
+ * with a reason so the caller can decide whether to file a request
+ * doc and/or surface the message.
+ *
+ * Optional `profile` arg restricts the check: if set, the user's
+ * `profiles_allowed` must include either `*` (all) or this profile
+ * name. Missing `profiles_allowed` is treated as permissive for
+ * backward compatibility with the initial bootstrap docs that
+ * predate the field. New approvals via `scripts/approve-user.mjs`
+ * default to `['erosolar-code']` only — offsec profiles like
+ * `variant-research` require an explicit grant.
+ */
+export async function checkApproval(profile) {
+    const status = getAuthStatus();
+    if (!status.authenticated) {
+        return { approved: false, email: null, uid: null, reason: 'not signed in' };
+    }
+    const email = status.email ? normalizeEmail(status.email) : null;
+    const uid = status.uid ?? null;
+    if (!email) {
+        return { approved: false, email, uid, reason: 'no email on auth token (SSO required)' };
+    }
+    try {
+        const doc = await fetchApprovalDoc(email);
+        if (!doc) {
+            return { approved: false, email, uid, reason: 'email not on approved-users list' };
+        }
+        if (!doc.approved) {
+            return { approved: false, email, uid, reason: 'email not on approved-users list' };
+        }
+        if (doc.revoked) {
+            return {
+                approved: false,
+                email,
+                uid,
+                reason: 'access revoked — contact the operator',
+                revoked: true,
+                profilesAllowed: doc.profilesAllowed,
+            };
+        }
+        if (profile && doc.profilesAllowed && doc.profilesAllowed.length > 0) {
+            const allowed = doc.profilesAllowed.includes('*') || doc.profilesAllowed.includes(profile);
+            if (!allowed) {
+                return {
+                    approved: false,
+                    email,
+                    uid,
+                    reason: `profile "${profile}" not granted to this account (allowed: ${doc.profilesAllowed.join(', ')})`,
+                    profilesAllowed: doc.profilesAllowed,
+                };
+            }
+        }
+        return { approved: true, email, uid, profilesAllowed: doc.profilesAllowed };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return { approved: false, email, uid, reason: `approval check failed: ${msg}` };
+    }
+}
+/**
+ * Idempotently write `approval_requests/{uid}` so the admin sees a
+ * pending request. Firestore rules let any authenticated user PATCH
+ * their own request doc but no one can read a sibling's. Returning
+ * `ok: true` doesn't mean approved — only that the request landed.
+ */
+export async function requestApproval() {
+    const status = getAuthStatus();
+    if (!status.authenticated || !status.uid) {
+        return { ok: false, reason: 'not signed in' };
+    }
+    try {
+        const idToken = await getValidIdToken();
+        const url = `${FIRESTORE_BASE}/approval_requests/${encodeURIComponent(status.uid)}`;
+        const body = {
+            fields: {
+                email: { stringValue: status.email ?? '' },
+                uid: { stringValue: status.uid },
+                requestedAt: { timestampValue: new Date().toISOString() },
+                status: { stringValue: 'pending' },
+            },
+        };
+        const res = await fetch(url, {
+            method: 'PATCH',
+            headers: { Authorization: `Bearer ${idToken}`, 'Content-Type': 'application/json' },
+            body: JSON.stringify(body),
+        });
+        if (!res.ok) {
+            const txt = await res.text().catch(() => '<no body>');
+            return { ok: false, reason: `Firestore ${res.status}: ${txt.slice(0, 200)}` };
+        }
+        return { ok: true };
+    }
+    catch (err) {
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+    }
+}
+/**
+ * Append an audit-log entry at `usage_logs/{uid}/sessions/{sessionId}`.
+ * Best-effort: a Firestore failure does NOT block the user's session
+ * — logging is observability, not a runtime gate. Schema is
+ * deliberately minimal (no prompt content, no env): just session
+ * metadata so the operator can review patterns and detect abuse
+ * without retaining user-visible content.
+ */
+export async function writeUsageLog(entry) {
+    const status = getAuthStatus();
+    if (!status.authenticated || !status.uid) {
+        return { ok: false, reason: 'not signed in' };
+    }
+    try {
+        const idToken = await getValidIdToken();
+        const sessionId = `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+        const url = `${FIRESTORE_BASE}/usage_logs/${encodeURIComponent(status.uid)}/sessions?documentId=${encodeURIComponent(sessionId)}`;
+        const body = {
+            fields: {
+                uid: { stringValue: status.uid },
+                email: { stringValue: status.email ?? '' },
+                startedAt: { timestampValue: new Date().toISOString() },
+                profile: { stringValue: entry.profile },
+                model: { stringValue: entry.model },
+                version: { stringValue: entry.version },
+                platform: { stringValue: entry.platform },
+            },
+        };
+        const res = await fetch(url, {
+            method: 'POST',
+            headers: { Authorization: `Bearer ${idToken}`, 'Content-Type': 'application/json' },
+            body: JSON.stringify(body),
+        });
+        if (!res.ok) {
+            const txt = await res.text().catch(() => '<no body>');
+            return { ok: false, reason: `Firestore ${res.status}: ${txt.slice(0, 200)}` };
+        }
+        return { ok: true };
+    }
+    catch (err) {
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+    }
+}
+//# sourceMappingURL=userApproval.js.map

package/dist/core/userApproval.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"userApproval.js","sourceRoot":"","sources":["../../src/core/userApproval.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAEhF,MAAM,cAAc,GAAG,gDAAgD,mBAAmB,gCAAgC,CAAC;AAW3H,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AACpC,CAAC;AAaD,SAAS,kBAAkB,CAAC,KAAsB;IAChD,MAAM,GAAG,GAAG,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC;IACtC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAC1C,OAAO,GAAG;SACP,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;SACzB,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;AACvD,CAAC;AAQD,KAAK,UAAU,gBAAgB,CAAC,KAAa;IAC3C,MAAM,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;IACxC,MAAM,GAAG,GAAG,GAAG,cAAc,mBAAmB,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;IAC5E,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;KAC5E,CAAC,CAAC;IACH,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,aAAa,GAAG,CAAC,MAAM,2BAA2B,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACpG,CAAC;IACD,MAAM,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAsB,CAAC;IACpD,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE,YAAY,KAAK,IAAI,CAAC;IACjE,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,EAAE,YAAY,KAAK,IAAI,CAAC;IAC/D,MAAM,eAAe,GAAG,kBAAkB,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAC7E,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;AAChD,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,OAAgB;IAClD,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAC/B,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QAC1B,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAC9E,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACjE,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,uCAAuC,EAAE,CAAC;IAC1F,CAAC;IACD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAC1C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;QACrF,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAClB,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;QACrF,CAAC;QACD,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;YAChB,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,KAAK;gBACL,GAAG;gBACH,MAAM,EAAE,uCAAuC;gBAC/C,OAAO,EAAE,IAAI;gBACb,eAAe,EAAE,GAAG,CAAC,eAAe;aACrC,CAAC;QACJ,CAAC;QACD,IAAI,OAAO,IAAI,GAAG,CAAC,eAAe,IAAI,GAAG,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrE,MAAM,OAAO,GAAG,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC3F,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO;oBACL,QAAQ,EAAE,KAAK;oBACf,KAAK;oBACL,GAAG;oBACH,MAAM,EAAE,YAAY,OAAO,2CAA2C,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;oBACvG,eAAe,EAAE,GAAG,CAAC,eAAe;iBACrC,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,eAAe,EAAE,GAAG,CAAC,eAAe,EAAE,CAAC;IAC9E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,0BAA0B,GAAG,EAAE,EAAE,CAAC;IAClF,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAC/B,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QACzC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,GAAG,cAAc,sBAAsB,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QACpF,MAAM,IAAI,GAAG;YACX,MAAM,EAAE;gBACN,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE;gBAC1C,GAAG,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,GAAG,EAAE;gBAChC,WAAW,EAAE,EAAE,cAAc,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE;gBACzD,MAAM,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE;aACnC;SACF,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YACnF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC;QAChF,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IACjF,CAAC;AACH,CAAC;AASD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAoB;IACtD,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAC/B,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QACzC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;QACxC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAC5E,MAAM,GAAG,GAAG,GAAG,cAAc,eAAe,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,wBAAwB,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;QAClI,MAAM,IAAI,GAAG;YACX,MAAM,EAAE;gBACN,GAAG,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,GAAG,EAAE;gBAChC,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE;gBAC1C,SAAS,EAAE,EAAE,cAAc,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE;gBACvD,OAAO,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,OAAO,EAAE;gBACvC,KAAK,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,KAAK,EAAE;gBACnC,OAAO,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,OAAO,EAAE;gBACvC,QAAQ,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,QAAQ,EAAE;aAC1C;SACF,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YACnF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC;QAChF,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IACjF,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@trenchwork/erosolar",
-  "version": "1.1.24",
+  "version": "1.1.26",
   "description": "DeepSeek AI-powered CLI agent for code assistance and automation",
   "deepseek": {
     "rulebookSchema": "src/contracts/schemas/agent-rules.schema.json"
@@ -17,6 +17,7 @@
     "dist",
     "scripts/postinstall.cjs",
     "README.md",
+    "SECURITY.md",
     "agents",
     "LICENSE"
   ],