@trenchwork/erosolar 1.1.25 → 1.1.27

package/README.md

@@ -431,6 +431,12 @@ that range will print an `npm deprecate` warning. Upgrade to ≥
 
 ## Security posture
 
+> **Full threat model + controls live in [SECURITY.md](SECURITY.md).**
+> The summary below is an index; SECURITY.md is the authoritative
+> reference (SSO, allowlist, revocation, profile gating, audit log,
+> threat model, residual risk).
+
+
 - The CLI is dual-use offensive-security tooling. U.S. classification
   is EAR-controlled (CCL [ECCN 4D004](https://www.federalregister.gov/documents/2021/10/21/2021-22774/information-security-controls-cybersecurity-items)),
   not USML/ITAR. Domestic development and use is unrestricted; export

package/SECURITY.md

@@ -0,0 +1,195 @@
+# Security model
+
+`@trenchwork/erosolar` ships dual-use offsec capabilities (Kali
+tooling, AFL++, gdb, pwntools, Ghidra MCP wiring). The package can
+operate against authorized targets — e.g. a research engagement
+with the operator's own infrastructure or an in-scope bug bounty —
+and is potentially harmful if misused. This document describes the
+controls in place, the threat model they address, and the disclosure
+path for issues.
+
+The motto is "show, don't tell": each control below corresponds to
+a code path you can read, a Firestore rule you can deploy, or an
+admin script you can run.
+
+## Authentication
+
+### Google SSO required
+
+The CLI signs the user in via Firebase Auth at `https://ero.solar/auth`
+which exposes Google as the only provider. SSO is enforced a second
+time at the Firestore rule layer:
+
+```
+request.auth.token.firebase.sign_in_provider == 'google.com'
+```
+
+A non-SSO token (anonymous, password, custom) cannot read
+`approved_users/{email}`, `shared_secrets/{name}`, or write
+`usage_logs/{uid}/sessions/{id}`. The gate fails closed: even if
+the auth page were misconfigured, Firestore would deny the read.
+
+### Token storage
+
+`~/.erosolar/auth.json` (file `0o600`, parent dir `0o700`). Atomic
+writes prevent half-written JSON from breaking subsequent loads.
+The ID token is rotated automatically; the refresh token is
+long-lived and revocable by the user at
+[Google Account → Security → Connections to apps](https://myaccount.google.com/connections).
+
+## Authorization — approved users only
+
+The CLI is **not open-launch**. Every boot checks
+`approved_users/{lowercased-email}` in Firestore. The doc has the
+shape:
+
+```json
+{
+  "email": "alice@example.com",
+  "approved": true,
+  "approvedAt": "2026-05-08T...",
+  "revoked": false,
+  "profiles_allowed": ["erosolar-code"]
+}
+```
+
+Three failure modes are surfaced separately (`src/core/userApproval.ts`):
+
+- **Not on the list.** Writes a pending request to
+  `approval_requests/{uid}` and exits with a clear message. The
+  operator reviews requests at the
+  [Firebase Console](https://console.firebase.google.com/project/erosolar-1b0db/firestore/data/~2Fapproval_requests).
+
+- **Revoked.** `revoked: true` denies access even when `approved: true`.
+  Preserved-but-revoked beats deletion so the audit trail of who
+  held access when stays intact. Revoked accounts cannot file new
+  requests (they must contact the operator).
+
+- **Profile not granted.** A user approved for `erosolar-code` but
+  not `variant-research` cannot launch the offsec rulebook. New
+  approvals via `scripts/approve-user.mjs` default to
+  `['erosolar-code']` only — offsec profiles require an explicit
+  grant.
+
+The Firestore rule for the allowlist requires the request's email to
+exactly match the doc id, preventing enumeration of who else is
+approved.
+
+## Secrets
+
+The npm tarball **ships zero embedded API keys** since `1.1.20`.
+The audit test at `test/shared-secrets.test.ts` walks the source
+tree and fails CI if a literal `sk-[a-f0-9]{32,64}` is ever
+re-introduced. Resolution order at boot:
+
+1. `process.env.DEEPSEEK_API_KEY` — explicit env override
+2. `~/.erosolar/secrets.json` — user-set via `/key` or `/secrets`
+3. Firestore `shared_secrets/deepseek` — admin-managed, rule-gated
+   to authenticated *and approved* users
+
+Versions `1.1.16` → `1.1.19` are deprecated on npm with a rotation
+warning — they bundled an embedded DeepSeek key that's now revoked.
+
+## Audit log
+
+Every CLI launch (after the gates pass) writes a session-start
+entry at `usage_logs/{uid}/sessions/{timestampedId}`:
+
+```json
+{
+  "uid": "...",
+  "email": "alice@example.com",
+  "startedAt": "2026-05-09T12:34:56.789Z",
+  "profile": "erosolar-code",
+  "model": "default",
+  "version": "1.1.26",
+  "platform": "linux"
+}
+```
+
+The Firestore rule allows **create-only** for the owning user —
+no read, no update, no delete. The operator reviews via the
+service account / Firebase Console. A compromised user cannot
+scrub their own history.
+
+**No prompt content is logged.** The schema is deliberately minimal:
+session metadata for abuse review, not surveillance. If you object
+to the audit log, please raise a request — the controls here are
+meant to be defensible, not adversarial.
+
+## Coordinated disclosure
+
+Output of the `variant-research` profile is pinned to coordinated
+channels in the rulebook (`agents/variant-research.rules.json`),
+critical-severity rule `vr.r.no_brokerage`:
+
+> Disclosure terminal MUST be one of: hackerone, bugcrowd, vendor
+> PSIRT, CERT/CC, internal-writeup, or published-advisory.
+> NOT broker / NOT silent / NOT 'sit on it'.
+
+The model reads the rulebook from its system prompt. This is a
+soft enforcement — the model can in principle ignore guidance —
+but the prose is graded `severity: critical` and the operator's
+delivery is the audit point.
+
+## Repo posture
+
+- Source repo `Aroxora/deepseek-coder-cli` and the companion
+  `Aroxora/patchpivot` workspace are **private**.
+- The npm tarball is public for distribution but cannot be used
+  without passing the SSO + allowlist gates above.
+- Pre-push hook at `scripts/git-hooks/pre-push` runs `npm test`
+  before every push, including the embedded-key audit and the
+  HITL-suspension regression.
+- 2FA on the publisher's GitHub + npm accounts is **required** for
+  any contributor with publish rights.
+
+## Export controls
+
+The agent surface includes offensive cyber tooling. U.S. export
+classification: EAR-controlled (CCL [ECCN 4D004](https://www.federalregister.gov/documents/2021/10/21/2021-22774/information-security-controls-cybersecurity-items)),
+not USML/ITAR. Domestic development and use is unrestricted; export
+controls apply to international transfer. See
+[ero.solar/about](https://ero.solar/about) for the full disclosure
+including BIS / DDTC links and the relevant rulemaking.
+
+## Reporting a vulnerability or abuse
+
+- **Vulnerability in the CLI itself:** open a private GitHub issue
+  on `Aroxora/deepseek-coder-cli`, or email the operator listed in
+  the npm package's `bugs` field. Do not include exploit details
+  in public issues.
+- **Abuse of an approved-user account:** the operator can revoke
+  via `scripts/revoke-user.mjs <email> --reason "…"`; revocation
+  is reflected on the next CLI launch.
+- **Coordinated disclosure of a finding the CLI helped uncover:**
+  follow the rulebook's coordinated-disclosure terminal — submit
+  to the vendor / HackerOne / Bugcrowd / CERT-CC, *not* a broker,
+  *not* silent.
+
+## Threat model — what we don't claim to defend against
+
+This is "show, don't tell" both ways: be honest about residual
+risk.
+
+- **Source-level circumvention.** An approved user could fork the
+  repo, comment out the `checkApproval()` call, and run with their
+  own DeepSeek key. The gate keeps the *shared* key + audit log on
+  Erosolar's terms; it does not prevent forks.
+- **Compromised admin credentials.** The firebase-tools OAuth
+  token (`~/.config/configstore/firebase-tools.json`) on the
+  publisher's machine has owner privileges on `erosolar-1b0db`.
+  Treat it like a service-account JSON — if it leaks, the attacker
+  can mutate the allowlist. 2FA on the underlying Google account
+  is the primary mitigation.
+- **Model-level circumvention.** The rulebook is guidance the
+  model reads, not enforced state. A determined operator can
+  prompt around it. This is mitigated by who can launch the
+  profile (allowlist), not by the model itself.
+- **Offline use.** A user who's already authenticated and pulled
+  the shared key into env can run the CLI without network — the
+  audit log entry won't land. Subsequent launches re-trigger the
+  gate.
+
+If you can demonstrate a circumvention not listed here, please
+report it via the vulnerability process above.

package/dist/bin/deepseek.js

@@ -6,6 +6,21 @@ import { reportStatus, reportStatusError } from '../utils/statusReporter.js';
 import { track } from '../utils/analytics.js';
 // Fast path: Handle --version, --help, --key before any heavy imports
 const rawArgs = process.argv.slice(2);
+/** Extract `--profile NAME` or `--profile=NAME` from argv. Used by the
+ * approval gate to check profile-specific authorization before the
+ * profile manifest is loaded. */
+function pickProfileArg(args) {
+    const idx = args.findIndex((a) => a === '--profile');
+    if (idx >= 0) {
+        const next = args[idx + 1];
+        if (next && !next.startsWith('-'))
+            return next;
+    }
+    const eq = args.find((a) => a.startsWith('--profile='));
+    if (eq)
+        return eq.slice('--profile='.length);
+    return undefined;
+}
 // Best-effort, non-blocking analytics ping. Never throws, never awaited.
 const subcommand = rawArgs[0]?.startsWith('-') ? '(flags)' : (rawArgs[0] || 'default');
 track('cli_invoked', { subcommand, arg_count: rawArgs.length });
@@ -219,14 +234,24 @@ async function main() {
     // the operator to review, then the CLI refuses to start. SSO is
     // also enforced at the Firestore-rule layer (sign_in_provider ==
     // 'google.com'), so a non-SSO token can't even read the doc.
+    // The check also enforces:
+    //   - revocation: `revoked: true` on the doc denies access even if
+    //     `approved: true` (faster than removing the doc — preserves
+    //     the audit trail of who held access when).
+    //   - profile gating: `profiles_allowed: ['variant-research', ...]`
+    //     restricts which agent profiles a user can launch. Missing
+    //     field = permissive (backward compat). New approvals default
+    //     to `['erosolar-code']` only.
+    const requestedProfile = pickProfileArg(rawArgs) ?? process.env['EROSOLAR_PROFILE'] ?? 'erosolar-code';
     const { checkApproval, requestApproval } = await import('../core/userApproval.js');
-    const approval = await checkApproval();
+    const approval = await checkApproval(requestedProfile);
     if (!approval.approved) {
         process.stderr.write('\n');
-        process.stderr.write('Access denied — this account is not on the approved-users list.\n');
-        process.stderr.write(`  Email:  ${approval.email ?? '(no email on token — SSO required)'}\n`);
-        process.stderr.write(`  Reason: ${approval.reason ?? 'unknown'}\n\n`);
-        if (approval.email && approval.uid) {
+        process.stderr.write('Access denied — this account is not authorized.\n');
+        process.stderr.write(`  Email:    ${approval.email ?? '(no email on token — SSO required)'}\n`);
+        process.stderr.write(`  Profile:  ${requestedProfile}\n`);
+        process.stderr.write(`  Reason:   ${approval.reason ?? 'unknown'}\n\n`);
+        if (approval.email && approval.uid && !approval.revoked) {
             const req = await requestApproval();
             if (req.ok) {
                 process.stderr.write('A request has been recorded. The administrator will review it.\n');
@@ -236,6 +261,9 @@ async function main() {
                 process.stderr.write(`Could not file approval request: ${req.reason}\n`);
             }
         }
+        else if (approval.revoked) {
+            process.stderr.write('Revoked accounts cannot file new requests. Contact the operator directly.\n');
+        }
         process.exit(1);
     }
     // Hydrate shared provider keys from Firestore. Runs after requireAuth
@@ -248,6 +276,18 @@ async function main() {
     // ships zero embedded keys.
     const { prefetchAllSharedSecrets } = await import('../core/sharedSecrets.js');
     await prefetchAllSharedSecrets();
+    // Audit log — best-effort write of session metadata to Firestore.
+    // Schema is deliberately minimal: profile/model/version/platform.
+    // No prompt content is recorded; logs are for abuse review and
+    // accountability, not surveillance. Failures here are non-fatal —
+    // logging is observability, not a runtime gate.
+    const { writeUsageLog } = await import('../core/userApproval.js');
+    void writeUsageLog({
+        profile: requestedProfile,
+        model: process.env[`${requestedProfile.toUpperCase().replace(/[^A-Z0-9]/g, '_')}_MODEL`] || 'default',
+        version: process.env['npm_package_version'] || 'unknown',
+        platform: process.platform,
+    }).catch(() => { });
     // Force color support for TTY terminals
     if (process.stdout.isTTY && !process.env['NO_COLOR']) {
         process.env['FORCE_COLOR'] = process.env['FORCE_COLOR'] ?? '1';

package/dist/bin/deepseek.js.map

@@ -1 +1 @@
-{"version":3,"file":"deepseek.js","sourceRoot":"","sources":["../../src/bin/deepseek.ts"],"names":[],"mappings":";AACA;;GAEG;AACH,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC7E,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAE9C,sEAAsE;AACtE,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEtC,yEAAyE;AACzE,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC;AACvF,KAAK,CAAC,aAAa,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;AAEhE,gEAAgE;AAChE,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,OAAO,IAAI,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;AACvF,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;IACpB,IAAI,QAA4B,CAAC;IACjC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9B,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5E,QAAQ,GAAG,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;YAC1B,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC9B,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;oBAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;oBACvD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;oBAExD,IAAI,CAAC;wBACH,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;wBAC7C,MAAM,QAAQ,GAAG,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;4BACxC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;4BAClD,CAAC,CAAC,EAAE,CAAC;wBACP,QAAQ,CAAC,kBAAkB,CAAC,GAAG,QAAQ,CAAC;wBACxC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;wBACvE,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;wBACpE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;oBAClB,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,YAAY,CAAC,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;wBAChF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;oBAClB,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,YAAY,CAAC,oCAAoC,CAAC,CAAC;QACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;KAAM,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;IACnE,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;QAC1B,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAC9B,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;gBAC5B,IAAI,CAAC;oBACH,MAAM,UAAU,GAAG,GAAG,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;oBACtD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,oBAAoB,CAAC,CAAC;oBAC7E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;oBAC1D,OAAO,CAAC,GAAG,CAAC,uBAAuB,GAAG,CAAC,OAAO,IAAI,OAAO,EAAE,CAAC,CAAC;gBAC/D,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;gBACtD,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;KAAM,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;IAChE,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;CAuBb,CAAC,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;KAAM,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,OAAO,EAAE,CAAC;IAClC,qEAAqE;IACrE,sEAAsE;IACtE,mEAAmE;IACnE,uEAAuE;IACvE,0CAA0C;IAC1C,KAAK,eAAe,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnD,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;KAAM,CAAC;IACN,KAAK,IAAI,EAAE,CAAC;AACd,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,IAAc;IAC3C,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAClE,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;IAE/B,MAAM,KAAK,GAAG;;;;;;;;;;;;;;;CAef,CAAC;IAEA,IAAI,CAAC;QACH,IAAI,MAAe,CAAC;QACpB,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,MAAM,CAAC,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC;gBACpC,IAAI,CAAC,CAAC,EAAE,CAAC;oBACP,OAAO,CAAC,KAAK,CAAC,+EAA+E,CAAC,CAAC;oBAC/F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,CAAC;gBACD,MAAM,GAAG,CAAC,CAAC;gBACX,MAAM;YACR,CAAC;YACD,KAAK,OAAO;gBACV,MAAM,GAAG,EAAE,IAAI,EAAE,YAAY,CAAC,SAAS,EAAE,EAAE,CAAC;gBAC5C,MAAM;YACR,KAAK,MAAM;gBACT,MAAM,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC;gBACnC,MAAM;YACR,KAAK,MAAM;gBACT,MAAM,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC7C,MAAM;YACR,KAAK,OAAO;gBACV,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACxD,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAC/C,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACxD,MAAM,GAAG,MAAM,YAAY,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAChD,MAAM;YACR,KAAK,QAAQ;gBACX,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC5C,MAAM;YACR,KAAK,UAAU,CAAC;YAChB,KAAK,KAAK;gBACR,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACxD,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAC/C,MAAM;YACR,KAAK,SAAS;gBACZ,MAAM,GAAG,MAAM,YAAY,CAAC,WAAW,EAAE,CAAC;gBAC1C,MAAM;YACR,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACrC,IAAI,CAAC,IAAI,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACrD,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBACzC,MAAM;YACR,CAAC;YACD,KAAK,OAAO;gBACV,MAAM,GAAG,MAAM,YAAY,CAAC,KAAK,EAAE,CAAC;gBACpC,MAAM;YACR,KAAK,SAAS;gBACZ,MAAM,GAAG,MAAM,YAAY,CAAC,WAAW,EAAE,CAAC;gBAC1C,MAAM;YACR,KAAK,QAAQ,CAAC;YACd,KAAK,IAAI,CAAC;YACV,KAAK,MAAM;gBACT,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB;gBACE,OAAO,CAAC,KAAK,CAAC,uBAAuB,IAAI,OAAO,KAAK,EAAE,CAAC,CAAC;gBACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,KAAK,CAAC,SAAS,IAAI,KAAK,GAAG,EAAE,CAAC,CAAC;QACvC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,2CAA2C;IAC3C,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACxD,MAAM,WAAW,EAAE,CAAC;IAEpB,gEAAgE;IAChE,oEAAoE;IACpE,oEAAoE;IACpE,gEAAgE;IAChE,iEAAiE;IACjE,6DAA6D;IAC7D,MAAM,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;IACnF,MAAM,QAAQ,GAAG,MAAM,aAAa,EAAE,CAAC;IACvC,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mEAAmE,CAAC,CAAC;QAC1F,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa,QAAQ,CAAC,KAAK,IAAI,oCAAoC,IAAI,CAAC,CAAC;QAC9F,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa,QAAQ,CAAC,MAAM,IAAI,SAAS,MAAM,CAAC,CAAC;QACtE,IAAI,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,GAAG,EAAE,CAAC;YACnC,MAAM,GAAG,GAAG,MAAM,eAAe,EAAE,CAAC;YACpC,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAC;gBACzF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;YAC/E,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,sEAAsE;IACtE,kEAAkE;IAClE,8DAA8D;IAC9D,kEAAkE;IAClE,gDAAgD;IAChD,oEAAoE;IACpE,kEAAkE;IAClE,4BAA4B;IAC5B,MAAM,EAAE,wBAAwB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAC9E,MAAM,wBAAwB,EAAE,CAAC;IAEjC,wCAAwC;IACxC,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,GAAG,CAAC;IACjE,CAAC;IAED,iBAAiB;IACjB,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACpC,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QACtD,WAAW,EAAE,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,OAAO;IACT,CAAC;IAED,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,iCAAiC,CAAC,CAAC;IAChF,mBAAmB,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;QACrD,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"deepseek.js","sourceRoot":"","sources":["../../src/bin/deepseek.ts"],"names":[],"mappings":";AACA;;GAEG;AACH,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC7E,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAE9C,sEAAsE;AACtE,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEtC;;iCAEiC;AACjC,SAAS,cAAc,CAAC,IAAc;IACpC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC;IACrD,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QAC3B,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACjD,CAAC;IACD,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC;IACxD,IAAI,EAAE;QAAE,OAAO,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC7C,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC;AACvF,KAAK,CAAC,aAAa,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;AAEhE,gEAAgE;AAChE,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,OAAO,IAAI,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;AACvF,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;IACpB,IAAI,QAA4B,CAAC;IACjC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9B,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5E,QAAQ,GAAG,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;YAC1B,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC9B,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;oBAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;oBACvD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;oBAExD,IAAI,CAAC;wBACH,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;wBAC7C,MAAM,QAAQ,GAAG,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;4BACxC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;4BAClD,CAAC,CAAC,EAAE,CAAC;wBACP,QAAQ,CAAC,kBAAkB,CAAC,GAAG,QAAQ,CAAC;wBACxC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;wBACvE,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;wBACpE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;oBAClB,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,YAAY,CAAC,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;wBAChF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;oBAClB,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,YAAY,CAAC,oCAAoC,CAAC,CAAC;QACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;KAAM,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;IACnE,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;QAC1B,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAC9B,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;gBAC5B,IAAI,CAAC;oBACH,MAAM,UAAU,GAAG,GAAG,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;oBACtD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,oBAAoB,CAAC,CAAC;oBAC7E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;oBAC1D,OAAO,CAAC,GAAG,CAAC,uBAAuB,GAAG,CAAC,OAAO,IAAI,OAAO,EAAE,CAAC,CAAC;gBAC/D,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;gBACtD,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;KAAM,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;IAChE,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;CAuBb,CAAC,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;KAAM,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,OAAO,EAAE,CAAC;IAClC,qEAAqE;IACrE,sEAAsE;IACtE,mEAAmE;IACnE,uEAAuE;IACvE,0CAA0C;IAC1C,KAAK,eAAe,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnD,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;KAAM,CAAC;IACN,KAAK,IAAI,EAAE,CAAC;AACd,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,IAAc;IAC3C,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAClE,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;IAE/B,MAAM,KAAK,GAAG;;;;;;;;;;;;;;;CAef,CAAC;IAEA,IAAI,CAAC;QACH,IAAI,MAAe,CAAC;QACpB,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,MAAM,CAAC,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC;gBACpC,IAAI,CAAC,CAAC,EAAE,CAAC;oBACP,OAAO,CAAC,KAAK,CAAC,+EAA+E,CAAC,CAAC;oBAC/F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,CAAC;gBACD,MAAM,GAAG,CAAC,CAAC;gBACX,MAAM;YACR,CAAC;YACD,KAAK,OAAO;gBACV,MAAM,GAAG,EAAE,IAAI,EAAE,YAAY,CAAC,SAAS,EAAE,EAAE,CAAC;gBAC5C,MAAM;YACR,KAAK,MAAM;gBACT,MAAM,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC;gBACnC,MAAM;YACR,KAAK,MAAM;gBACT,MAAM,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC7C,MAAM;YACR,KAAK,OAAO;gBACV,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACxD,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAC/C,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACxD,MAAM,GAAG,MAAM,YAAY,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAChD,MAAM;YACR,KAAK,QAAQ;gBACX,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC5C,MAAM;YACR,KAAK,UAAU,CAAC;YAChB,KAAK,KAAK;gBACR,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACxD,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAC/C,MAAM;YACR,KAAK,SAAS;gBACZ,MAAM,GAAG,MAAM,YAAY,CAAC,WAAW,EAAE,CAAC;gBAC1C,MAAM;YACR,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACrC,IAAI,CAAC,IAAI,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACrD,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBACzC,MAAM;YACR,CAAC;YACD,KAAK,OAAO;gBACV,MAAM,GAAG,MAAM,YAAY,CAAC,KAAK,EAAE,CAAC;gBACpC,MAAM;YACR,KAAK,SAAS;gBACZ,MAAM,GAAG,MAAM,YAAY,CAAC,WAAW,EAAE,CAAC;gBAC1C,MAAM;YACR,KAAK,QAAQ,CAAC;YACd,KAAK,IAAI,CAAC;YACV,KAAK,MAAM;gBACT,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB;gBACE,OAAO,CAAC,KAAK,CAAC,uBAAuB,IAAI,OAAO,KAAK,EAAE,CAAC,CAAC;gBACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,KAAK,CAAC,SAAS,IAAI,KAAK,GAAG,EAAE,CAAC,CAAC;QACvC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,2CAA2C;IAC3C,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACxD,MAAM,WAAW,EAAE,CAAC;IAEpB,gEAAgE;IAChE,oEAAoE;IACpE,oEAAoE;IACpE,gEAAgE;IAChE,iEAAiE;IACjE,6DAA6D;IAC7D,2BAA2B;IAC3B,mEAAmE;IACnE,iEAAiE;IACjE,gDAAgD;IAChD,oEAAoE;IACpE,gEAAgE;IAChE,kEAAkE;IAClE,mCAAmC;IACnC,MAAM,gBAAgB,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,eAAe,CAAC;IACvG,MAAM,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;IACnF,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,gBAAgB,CAAC,CAAC;IACvD,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;QAC1E,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,QAAQ,CAAC,KAAK,IAAI,oCAAoC,IAAI,CAAC,CAAC;QAChG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,gBAAgB,IAAI,CAAC,CAAC;QAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,QAAQ,CAAC,MAAM,IAAI,SAAS,MAAM,CAAC,CAAC;QACxE,IAAI,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YACxD,MAAM,GAAG,GAAG,MAAM,eAAe,EAAE,CAAC;YACpC,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAC;gBACzF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;YAC/E,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,6EAA6E,CAAC,CAAC;QACtG,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,sEAAsE;IACtE,kEAAkE;IAClE,8DAA8D;IAC9D,kEAAkE;IAClE,gDAAgD;IAChD,oEAAoE;IACpE,kEAAkE;IAClE,4BAA4B;IAC5B,MAAM,EAAE,wBAAwB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAC9E,MAAM,wBAAwB,EAAE,CAAC;IAEjC,kEAAkE;IAClE,kEAAkE;IAClE,+DAA+D;IAC/D,kEAAkE;IAClE,gDAAgD;IAChD,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;IAClE,KAAK,aAAa,CAAC;QACjB,OAAO,EAAE,gBAAgB;QACzB,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC,QAAQ,CAAC,IAAI,SAAS;QACrG,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,SAAS;QACxD,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAqB,CAAC,CAAC,CAAC;IAEtC,wCAAwC;IACxC,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,GAAG,CAAC;IACjE,CAAC;IAED,iBAAiB;IACjB,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACpC,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QACtD,WAAW,EAAE,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,OAAO;IACT,CAAC;IAED,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,iCAAiC,CAAC,CAAC;IAChF,mBAAmB,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;QACrD,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/capabilities/ghidraHeadlessCapability.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Ghidra `analyzeHeadless` wrappers — direct binding to the
+ * support/analyzeHeadless driver Project Zero / NSA / Trail of Bits
+ * use at scale, no MCP bridge required. Each tool spawns
+ * analyzeHeadless with one of the embedded Jython post-scripts;
+ * scripts write JSON to a temp file the TS handler reads. Project
+ * databases live under ~/.erosolar/ghidra-projects/<project>/ so
+ * a follow-up tool call (decompile, xrefs, list-functions) reuses
+ * the analysis from the prior `ghidra_analyze` run.
+ *
+ * The post-script approach is preferred over running scripts via
+ * the Ghidra GUI / MCP bridge because:
+ *   - No process to keep alive; analyzeHeadless exits per call.
+ *   - Version-stable; the Jython script API is much more stable
+ *     than the MCP server's surface.
+ *   - First-class to Ghidra; this is the path the security
+ *     research community already uses.
+ */
+import type { CapabilityContext, CapabilityContribution, CapabilityModule } from '../runtime/agentHost.js';
+export declare class GhidraHeadlessCapabilityModule implements CapabilityModule {
+    readonly id = "capability.ghidraHeadless";
+    readonly description = "Ghidra analyzeHeadless wrappers \u2014 ghidra_analyze, ghidra_list_functions, ghidra_decompile, ghidra_xrefs, ghidra_fid_matches, ghidra_function_diff, ghidra_delete_project. Each tool spawns analyzeHeadless once with an embedded Jython post-script; project databases persist under ~/.erosolar/ghidra-projects/.";
+    create(_context: CapabilityContext): Promise<CapabilityContribution>;
+}
+//# sourceMappingURL=ghidraHeadlessCapability.d.ts.map

package/dist/capabilities/ghidraHeadlessCapability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ghidraHeadlessCapability.d.ts","sourceRoot":"","sources":["../../src/capabilities/ghidraHeadlessCapability.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAcH,OAAO,KAAK,EACV,iBAAiB,EACjB,sBAAsB,EACtB,gBAAgB,EACjB,MAAM,yBAAyB,CAAC;AAqkBjC,qBAAa,8BAA+B,YAAW,gBAAgB;IACrE,QAAQ,CAAC,EAAE,+BAA+B;IAC1C,QAAQ,CAAC,WAAW,6TAAwT;IAEtU,MAAM,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAAC,sBAAsB,CAAC;CAU3E"}

package/dist/capabilities/ghidraHeadlessCapability.js

@@ -0,0 +1,593 @@
+/**
+ * Ghidra `analyzeHeadless` wrappers — direct binding to the
+ * support/analyzeHeadless driver Project Zero / NSA / Trail of Bits
+ * use at scale, no MCP bridge required. Each tool spawns
+ * analyzeHeadless with one of the embedded Jython post-scripts;
+ * scripts write JSON to a temp file the TS handler reads. Project
+ * databases live under ~/.erosolar/ghidra-projects/<project>/ so
+ * a follow-up tool call (decompile, xrefs, list-functions) reuses
+ * the analysis from the prior `ghidra_analyze` run.
+ *
+ * The post-script approach is preferred over running scripts via
+ * the Ghidra GUI / MCP bridge because:
+ *   - No process to keep alive; analyzeHeadless exits per call.
+ *   - Version-stable; the Jython script API is much more stable
+ *     than the MCP server's surface.
+ *   - First-class to Ghidra; this is the path the security
+ *     research community already uses.
+ */
+import { spawn } from 'node:child_process';
+import { existsSync, mkdirSync, readFileSync, rmSync, unlinkSync, writeFileSync, } from 'node:fs';
+import { homedir, tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { logDebug } from '../utils/debugLogger.js';
+const GHIDRA_HEADLESS = process.env['GHIDRA_HEADLESS']
+    || (existsSync('/usr/share/ghidra/support/analyzeHeadless')
+        ? '/usr/share/ghidra/support/analyzeHeadless'
+        : '/opt/ghidra/support/analyzeHeadless');
+const PROJECTS_ROOT = join(homedir(), '.erosolar', 'ghidra-projects');
+const DEFAULT_TIMEOUT_MS = 30 * 60 * 1000; // analyzeHeadless can take a while on large binaries
+const SCRIPT_DIR = join(tmpdir(), 'erosolar-ghidra-scripts');
+/* ------------------------------------------------------------------
+ *  Embedded Java GhidraScript post-scripts.
+ *
+ *  Modern Ghidra (12.x in Kali 2026) replaced Jython with PyGhidra
+ *  (CPython bridge), which requires `pip install pyghidra`. Java
+ *  GhidraScripts compile at script-load time inside Ghidra's JVM —
+ *  no extra deps for end users. Each script writes a JSON file the
+ *  TS handler reads back.
+ *
+ *  All scripts share the same shape:
+ *    public class <Name> extends GhidraScript {
+ *        public void run() throws Exception {
+ *            String[] args = getScriptArgs();
+ *            String out = args[0];
+ *            // ... build JSON, write to out ...
+ *        }
+ *    }
+ *
+ *  JSON is hand-built. The shape is small per-call and Ghidra's
+ *  classpath doesn't reliably expose Jackson/Gson to scripts.
+ * ----------------------------------------------------------------*/
+const JSON_HELPERS = `
+    private static String jsonStr(String s) {
+        if (s == null) return "null";
+        StringBuilder sb = new StringBuilder("\\"");
+        for (int i = 0; i < s.length(); i++) {
+            char c = s.charAt(i);
+            switch (c) {
+                case '\\\\': sb.append("\\\\\\\\"); break;
+                case '"': sb.append("\\\\\\""); break;
+                case '\\n': sb.append("\\\\n"); break;
+                case '\\r': sb.append("\\\\r"); break;
+                case '\\t': sb.append("\\\\t"); break;
+                case '\\b': sb.append("\\\\b"); break;
+                case '\\f': sb.append("\\\\f"); break;
+                default:
+                    if (c < 0x20) {
+                        sb.append(String.format("\\\\u%04x", (int) c));
+                    } else {
+                        sb.append(c);
+                    }
+            }
+        }
+        sb.append("\\"");
+        return sb.toString();
+    }
+    private static String hex(long v) { return "0x" + Long.toHexString(v); }
+`;
+const SCRIPT_LIST_FUNCTIONS = `// EvrpListFunctions.java
+import ghidra.app.script.GhidraScript;
+import ghidra.program.model.listing.Function;
+import java.io.FileWriter;
+import java.util.ArrayList;
+import java.util.List;
+
+public class EvrpListFunctions extends GhidraScript {
+${JSON_HELPERS}
+    @Override
+    public void run() throws Exception {
+        String[] args = getScriptArgs();
+        String out = args[0];
+        List<String> entries = new ArrayList<>();
+        for (Function f : currentProgram.getFunctionManager().getFunctions(true)) {
+            String sig;
+            try { sig = f.getPrototypeString(true, true); } catch (Exception e) { sig = f.getName() + "()"; }
+            entries.add("{\\"name\\":" + jsonStr(f.getName())
+                + ",\\"entry\\":" + jsonStr(hex(f.getEntryPoint().getOffset()))
+                + ",\\"size\\":" + f.getBody().getNumAddresses()
+                + ",\\"signature\\":" + jsonStr(sig)
+                + ",\\"thunk\\":" + f.isThunk()
+                + ",\\"external\\":" + f.isExternal() + "}");
+        }
+        StringBuilder sb = new StringBuilder();
+        sb.append("{\\"program\\":").append(jsonStr(currentProgram.getName()));
+        sb.append(",\\"functionCount\\":").append(entries.size());
+        sb.append(",\\"functions\\":[");
+        for (int i = 0; i < entries.size(); i++) {
+            if (i > 0) sb.append(",");
+            sb.append(entries.get(i));
+        }
+        sb.append("]}");
+        try (FileWriter fw = new FileWriter(out)) { fw.write(sb.toString()); }
+    }
+}
+`;
+const SCRIPT_DECOMPILE = `// EvrpDecompile.java
+import ghidra.app.script.GhidraScript;
+import ghidra.app.decompiler.DecompInterface;
+import ghidra.app.decompiler.DecompileResults;
+import ghidra.program.model.address.Address;
+import ghidra.program.model.listing.Function;
+import ghidra.program.model.listing.FunctionManager;
+import ghidra.util.task.ConsoleTaskMonitor;
+import java.io.FileWriter;
+
+public class EvrpDecompile extends GhidraScript {
+${JSON_HELPERS}
+    @Override
+    public void run() throws Exception {
+        String[] args = getScriptArgs();
+        String out = args[0];
+        String target = args[1];
+
+        FunctionManager fm = currentProgram.getFunctionManager();
+        Function fn = null;
+        if (target.startsWith("0x")) {
+            Address addr = currentProgram.getAddressFactory().getAddress(target);
+            fn = fm.getFunctionAt(addr);
+            if (fn == null) fn = fm.getFunctionContaining(addr);
+        } else {
+            for (Function f : fm.getFunctions(true)) {
+                if (f.getName().equals(target)) { fn = f; break; }
+            }
+        }
+
+        try (FileWriter fw = new FileWriter(out)) {
+            if (fn == null) {
+                fw.write("{\\"error\\":\\"function not found\\",\\"target\\":" + jsonStr(target) + "}");
+                return;
+            }
+            DecompInterface di = new DecompInterface();
+            di.openProgram(currentProgram);
+            DecompileResults res = di.decompileFunction(fn, 60, new ConsoleTaskMonitor());
+            if (res.decompileCompleted()) {
+                String code = res.getDecompiledFunction().getC();
+                fw.write("{\\"name\\":" + jsonStr(fn.getName())
+                    + ",\\"entry\\":" + jsonStr(hex(fn.getEntryPoint().getOffset()))
+                    + ",\\"signature\\":" + jsonStr(fn.getPrototypeString(true, true))
+                    + ",\\"decompilation\\":" + jsonStr(code) + "}");
+            } else {
+                fw.write("{\\"name\\":" + jsonStr(fn.getName())
+                    + ",\\"error\\":" + jsonStr(res.getErrorMessage() != null ? res.getErrorMessage() : "decompile failed") + "}");
+            }
+        }
+    }
+}
+`;
+const SCRIPT_XREFS = `// EvrpXrefs.java
+import ghidra.app.script.GhidraScript;
+import ghidra.program.model.address.Address;
+import ghidra.program.model.listing.Function;
+import ghidra.program.model.listing.FunctionManager;
+import ghidra.program.model.symbol.Reference;
+import ghidra.util.task.ConsoleTaskMonitor;
+import java.io.FileWriter;
+import java.util.Set;
+import java.util.TreeSet;
+
+public class EvrpXrefs extends GhidraScript {
+${JSON_HELPERS}
+    @Override
+    public void run() throws Exception {
+        String[] args = getScriptArgs();
+        String out = args[0];
+        String target = args[1];
+
+        FunctionManager fm = currentProgram.getFunctionManager();
+        Function fn = null;
+        if (target.startsWith("0x")) {
+            Address addr = currentProgram.getAddressFactory().getAddress(target);
+            fn = fm.getFunctionAt(addr);
+            if (fn == null) fn = fm.getFunctionContaining(addr);
+        } else {
+            for (Function f : fm.getFunctions(true)) {
+                if (f.getName().equals(target)) { fn = f; break; }
+            }
+        }
+
+        try (FileWriter fw = new FileWriter(out)) {
+            if (fn == null) {
+                fw.write("{\\"error\\":\\"function not found\\",\\"target\\":" + jsonStr(target) + "}");
+                return;
+            }
+            Set<String> callers = new TreeSet<>();
+            for (Reference ref : currentProgram.getReferenceManager().getReferencesTo(fn.getEntryPoint())) {
+                Function cf = fm.getFunctionContaining(ref.getFromAddress());
+                if (cf != null) callers.add(cf.getName());
+            }
+            Set<String> callees = new TreeSet<>();
+            for (Function callee : fn.getCalledFunctions(new ConsoleTaskMonitor())) {
+                callees.add(callee.getName());
+            }
+            StringBuilder sb = new StringBuilder();
+            sb.append("{\\"name\\":").append(jsonStr(fn.getName()));
+            sb.append(",\\"entry\\":").append(jsonStr(hex(fn.getEntryPoint().getOffset())));
+            sb.append(",\\"callers\\":[");
+            int i = 0;
+            for (String c : callers) { if (i > 0) sb.append(","); sb.append(jsonStr(c)); i++; }
+            sb.append("],\\"callees\\":[");
+            i = 0;
+            for (String c : callees) { if (i > 0) sb.append(","); sb.append(jsonStr(c)); i++; }
+            sb.append("]}");
+            fw.write(sb.toString());
+        }
+    }
+}
+`;
+const SCRIPT_FID_MATCHES = `// EvrpFidMatches.java
+import ghidra.app.script.GhidraScript;
+import ghidra.program.model.listing.Function;
+import java.io.FileWriter;
+import java.util.ArrayList;
+import java.util.List;
+
+public class EvrpFidMatches extends GhidraScript {
+${JSON_HELPERS}
+    @Override
+    public void run() throws Exception {
+        String[] args = getScriptArgs();
+        String out = args[0];
+        List<String> recognized = new ArrayList<>();
+        int unrecognized = 0;
+        for (Function f : currentProgram.getFunctionManager().getFunctions(true)) {
+            String name = f.getName();
+            if (name.startsWith("FUN_") || name.startsWith("sub_")) { unrecognized++; continue; }
+            if (f.isThunk() || f.isExternal()) continue;
+            if (recognized.size() < 1000) {
+                recognized.add("{\\"name\\":" + jsonStr(name)
+                    + ",\\"entry\\":" + jsonStr(hex(f.getEntryPoint().getOffset()))
+                    + ",\\"size\\":" + f.getBody().getNumAddresses() + "}");
+            }
+        }
+        StringBuilder sb = new StringBuilder();
+        sb.append("{\\"program\\":").append(jsonStr(currentProgram.getName()));
+        sb.append(",\\"recognized_count\\":").append(recognized.size());
+        sb.append(",\\"unrecognized_count\\":").append(unrecognized);
+        sb.append(",\\"recognized\\":[");
+        for (int i = 0; i < recognized.size(); i++) {
+            if (i > 0) sb.append(",");
+            sb.append(recognized.get(i));
+        }
+        sb.append("]}");
+        try (FileWriter fw = new FileWriter(out)) { fw.write(sb.toString()); }
+    }
+}
+`;
+function ensureScriptDir() {
+    if (!existsSync(SCRIPT_DIR))
+        mkdirSync(SCRIPT_DIR, { recursive: true });
+    return SCRIPT_DIR;
+}
+function ensureProjectDir(name) {
+    if (!/^[A-Za-z0-9._-]+$/.test(name)) {
+        throw new Error(`bad project name "${name}" — use [A-Za-z0-9._-]+`);
+    }
+    if (!existsSync(PROJECTS_ROOT))
+        mkdirSync(PROJECTS_ROOT, { recursive: true });
+    const dir = join(PROJECTS_ROOT, name);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    return dir;
+}
+async function runGhidra(options) {
+    const scriptDir = ensureScriptDir();
+    const scriptPath = join(scriptDir, options.scriptName);
+    writeFileSync(scriptPath, options.scriptBody, 'utf8');
+    const projectDir = ensureProjectDir(options.project);
+    const outFile = join(tmpdir(), `evrp-ghidra-${Date.now()}-${Math.random().toString(36).slice(2, 8)}.json`);
+    const argv = [projectDir, options.project];
+    if (options.importBinary) {
+        argv.push('-import', options.importBinary, '-overwrite');
+    }
+    else {
+        argv.push('-process', '-noanalysis');
+    }
+    if (options.readOnly)
+        argv.push('-readOnly');
+    argv.push('-scriptPath', scriptDir);
+    argv.push('-postScript', options.scriptName, outFile, ...options.scriptArgs);
+    argv.push('-analysisTimeoutPerFile', '600');
+    return await new Promise((resolve, reject) => {
+        const start = Date.now();
+        const child = spawn(GHIDRA_HEADLESS, argv, {
+            stdio: ['ignore', 'pipe', 'pipe'],
+        });
+        let stdout = '';
+        let stderr = '';
+        let stdoutBytes = 0;
+        let stderrBytes = 0;
+        const MAX = 1 * 1024 * 1024;
+        child.stdout?.on('data', (b) => {
+            if (stdoutBytes < MAX) {
+                const room = MAX - stdoutBytes;
+                const slice = b.length > room ? b.subarray(0, room) : b;
+                stdout += slice.toString();
+                stdoutBytes += slice.length;
+            }
+        });
+        child.stderr?.on('data', (b) => {
+            if (stderrBytes < MAX) {
+                const room = MAX - stderrBytes;
+                const slice = b.length > room ? b.subarray(0, room) : b;
+                stderr += slice.toString();
+                stderrBytes += slice.length;
+            }
+        });
+        const timer = setTimeout(() => {
+            child.kill('SIGTERM');
+            setTimeout(() => child.kill('SIGKILL'), 1500);
+        }, options.timeoutMs ?? DEFAULT_TIMEOUT_MS);
+        child.on('error', (err) => {
+            clearTimeout(timer);
+            reject(err);
+        });
+        child.on('close', (code) => {
+            clearTimeout(timer);
+            let output = null;
+            if (existsSync(outFile)) {
+                try {
+                    output = JSON.parse(readFileSync(outFile, 'utf8'));
+                }
+                catch (e) {
+                    output = { error: `failed to parse script output: ${e.message}` };
+                }
+                try {
+                    unlinkSync(outFile);
+                }
+                catch { /* ignore */ }
+            }
+            resolve({ exitCode: code, stdout, stderr, output, durationMs: Date.now() - start });
+        });
+    });
+}
+function summarize(stdout, stderr) {
+    // analyzeHeadless is loud — extract just the final ERROR/WARN lines so
+    // the LLM-visible string isn't dominated by JVM banner text.
+    const lines = (stdout + '\n' + stderr).split('\n');
+    const interesting = lines.filter((l) => /\b(ERROR|WARN|FATAL|Exception|Traceback)\b/.test(l) ||
+        /^Analyzing|^DECOMPILER|^FID/i.test(l));
+    return interesting.slice(-20).join('\n');
+}
+function buildGhidraTools() {
+    return [
+        {
+            name: 'ghidra_analyze',
+            description: 'Run Ghidra analyzeHeadless against a binary. Creates / overwrites a project under ~/.erosolar/ghidra-projects/<project>/. Subsequent ghidra_decompile / ghidra_xrefs / ghidra_list_functions / ghidra_fid_matches calls reuse this project (no re-analysis). Use after any binary change.',
+            parameters: {
+                type: 'object',
+                properties: {
+                    binary: { type: 'string', description: 'Absolute path to the binary to analyze' },
+                    project: { type: 'string', description: 'Project name (alphanum/_-./) — pick one per binary so subsequent reads target the right db' },
+                    processor: { type: 'string', description: 'Optional Ghidra languageID (e.g. "x86:LE:64:default") to skip auto-detect' },
+                    timeoutMs: { type: 'number', description: 'Wall-clock cap; default 30min' },
+                },
+                required: ['binary', 'project'],
+            },
+            handler: async (args) => {
+                const r = await runGhidra({
+                    project: String(args.project),
+                    scriptName: 'EvrpListFunctions.java',
+                    scriptBody: SCRIPT_LIST_FUNCTIONS,
+                    scriptArgs: [],
+                    importBinary: String(args.binary),
+                    timeoutMs: typeof args.timeoutMs === 'number' ? args.timeoutMs : undefined,
+                });
+                const out = r.output;
+                const lines = [
+                    `analyzed binary=${args.binary} project=${args.project}`,
+                    `exit=${r.exitCode} duration=${r.durationMs}ms`,
+                    `program=${out?.program ?? '?'} functions=${out?.functionCount ?? 0}`,
+                    `project_dir=${join(PROJECTS_ROOT, String(args.project))}`,
+                ];
+                const tail = summarize(r.stdout, r.stderr);
+                if (tail)
+                    lines.push('--- analyzeHeadless tail ---', tail);
+                return lines.join('\n');
+            },
+        },
+        {
+            name: 'ghidra_list_functions',
+            description: 'List every defined function in an already-analyzed project (name, entry, size, signature, thunk/external flag). Run ghidra_analyze first.',
+            parameters: {
+                type: 'object',
+                properties: {
+                    project: { type: 'string' },
+                },
+                required: ['project'],
+            },
+            handler: async (args) => {
+                const r = await runGhidra({
+                    project: String(args.project),
+                    scriptName: 'EvrpListFunctions.java',
+                    scriptBody: SCRIPT_LIST_FUNCTIONS,
+                    scriptArgs: [],
+                    readOnly: true,
+                });
+                if (r.output === null) {
+                    return `ghidra_list_functions failed (exit ${r.exitCode})\n${summarize(r.stdout, r.stderr)}`;
+                }
+                return JSON.stringify(r.output);
+            },
+        },
+        {
+            name: 'ghidra_decompile',
+            description: 'Decompile one function in an already-analyzed project. Target by name or 0x-address. Returns C pseudocode + signature.',
+            parameters: {
+                type: 'object',
+                properties: {
+                    project: { type: 'string' },
+                    target: { type: 'string', description: 'Function name (e.g. "main") or hex address (e.g. "0x401040")' },
+                },
+                required: ['project', 'target'],
+            },
+            handler: async (args) => {
+                const r = await runGhidra({
+                    project: String(args.project),
+                    scriptName: 'EvrpDecompile.java',
+                    scriptBody: SCRIPT_DECOMPILE,
+                    scriptArgs: [String(args.target)],
+                    readOnly: true,
+                });
+                if (r.output === null) {
+                    return `ghidra_decompile failed (exit ${r.exitCode})\n${summarize(r.stdout, r.stderr)}`;
+                }
+                return JSON.stringify(r.output);
+            },
+        },
+        {
+            name: 'ghidra_xrefs',
+            description: 'List callers and callees of one function in an already-analyzed project. Target by name or 0x-address.',
+            parameters: {
+                type: 'object',
+                properties: {
+                    project: { type: 'string' },
+                    target: { type: 'string' },
+                },
+                required: ['project', 'target'],
+            },
+            handler: async (args) => {
+                const r = await runGhidra({
+                    project: String(args.project),
+                    scriptName: 'EvrpXrefs.java',
+                    scriptBody: SCRIPT_XREFS,
+                    scriptArgs: [String(args.target)],
+                    readOnly: true,
+                });
+                if (r.output === null) {
+                    return `ghidra_xrefs failed (exit ${r.exitCode})\n${summarize(r.stdout, r.stderr)}`;
+                }
+                return JSON.stringify(r.output);
+            },
+        },
+        {
+            name: 'ghidra_fid_matches',
+            description: 'Dump library-function name recognition results from Ghidra FID. Useful for reasoning about library calls inside a stripped binary.',
+            parameters: {
+                type: 'object',
+                properties: {
+                    project: { type: 'string' },
+                },
+                required: ['project'],
+            },
+            handler: async (args) => {
+                const r = await runGhidra({
+                    project: String(args.project),
+                    scriptName: 'EvrpFidMatches.java',
+                    scriptBody: SCRIPT_FID_MATCHES,
+                    scriptArgs: [],
+                    readOnly: true,
+                });
+                if (r.output === null) {
+                    return `ghidra_fid_matches failed (exit ${r.exitCode})\n${summarize(r.stdout, r.stderr)}`;
+                }
+                return JSON.stringify(r.output);
+            },
+        },
+        {
+            name: 'ghidra_function_diff',
+            description: 'Compare two already-analyzed projects at function-set granularity. Returns: only-in-A names, only-in-B names, and signature-changed pairs. For deep semantic diff, decompile each changed function in both projects and compare the C pseudocode.',
+            parameters: {
+                type: 'object',
+                properties: {
+                    projectA: { type: 'string', description: 'Vulnerable / pre-patch project' },
+                    projectB: { type: 'string', description: 'Patched project' },
+                },
+                required: ['projectA', 'projectB'],
+            },
+            handler: async (args) => {
+                const projA = String(args.projectA);
+                const projB = String(args.projectB);
+                const [rA, rB] = await Promise.all([
+                    runGhidra({
+                        project: projA,
+                        scriptName: 'EvrpListFunctions.java',
+                        scriptBody: SCRIPT_LIST_FUNCTIONS,
+                        scriptArgs: [],
+                        readOnly: true,
+                    }),
+                    runGhidra({
+                        project: projB,
+                        scriptName: 'EvrpListFunctions.java',
+                        scriptBody: SCRIPT_LIST_FUNCTIONS,
+                        scriptArgs: [],
+                        readOnly: true,
+                    }),
+                ]);
+                const a = rA.output?.functions ?? [];
+                const b = rB.output?.functions ?? [];
+                const aMap = new Map(a.map((f) => [f.name, f]));
+                const bMap = new Map(b.map((f) => [f.name, f]));
+                const onlyInA = [];
+                const onlyInB = [];
+                const sigChanged = [];
+                for (const [name, fa] of aMap) {
+                    const fb = bMap.get(name);
+                    if (!fb) {
+                        onlyInA.push(name);
+                    }
+                    else if (fa.signature !== fb.signature) {
+                        sigChanged.push({ name, a: fa.signature, b: fb.signature });
+                    }
+                }
+                for (const name of bMap.keys()) {
+                    if (!aMap.has(name))
+                        onlyInB.push(name);
+                }
+                return JSON.stringify({
+                    projectA: projA,
+                    projectB: projB,
+                    functionsA: a.length,
+                    functionsB: b.length,
+                    onlyInA: onlyInA.slice(0, 200),
+                    onlyInB: onlyInB.slice(0, 200),
+                    signatureChanged: sigChanged.slice(0, 200),
+                });
+            },
+        },
+        {
+            name: 'ghidra_delete_project',
+            description: 'Delete a Ghidra project directory under ~/.erosolar/ghidra-projects/. Use sparingly — projects represent expensive analysis runs.',
+            parameters: {
+                type: 'object',
+                properties: { project: { type: 'string' } },
+                required: ['project'],
+            },
+            handler: async (args) => {
+                const dir = join(PROJECTS_ROOT, String(args.project));
+                if (!/^[A-Za-z0-9._-]+$/.test(String(args.project))) {
+                    return `bad project name "${args.project}"`;
+                }
+                if (!existsSync(dir))
+                    return `no such project: ${args.project}`;
+                rmSync(dir, { recursive: true, force: true });
+                return `deleted ${dir}`;
+            },
+        },
+    ];
+}
+export class GhidraHeadlessCapabilityModule {
+    id = 'capability.ghidraHeadless';
+    description = 'Ghidra analyzeHeadless wrappers — ghidra_analyze, ghidra_list_functions, ghidra_decompile, ghidra_xrefs, ghidra_fid_matches, ghidra_function_diff, ghidra_delete_project. Each tool spawns analyzeHeadless once with an embedded Jython post-script; project databases persist under ~/.erosolar/ghidra-projects/.';
+    async create(_context) {
+        void _context;
+        logDebug('[GhidraHeadless] Capability initialized');
+        const toolSuite = {
+            id: 'ghidraHeadless.tools',
+            description: 'Ghidra analyzeHeadless wrappers',
+            tools: buildGhidraTools(),
+        };
+        return { id: this.id, description: this.description, toolSuite };
+    }
+}
+//# sourceMappingURL=ghidraHeadlessCapability.js.map

package/dist/capabilities/ghidraHeadlessCapability.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ghidraHeadlessCapability.js","sourceRoot":"","sources":["../../src/capabilities/ghidraHeadlessCapability.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EACL,UAAU,EACV,SAAS,EACT,YAAY,EACZ,MAAM,EACN,UAAU,EACV,aAAa,GACd,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC1C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAOjC,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AAEnD,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;OACjD,CAAC,UAAU,CAAC,2CAA2C,CAAC;QACrD,CAAC,CAAC,2CAA2C;QAC7C,CAAC,CAAC,qCAAqC,CAAC,CAAC;AAEjD,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,iBAAiB,CAAC,CAAC;AACtE,MAAM,kBAAkB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,qDAAqD;AAChG,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,yBAAyB,CAAC,CAAC;AAE7D;;;;;;;;;;;;;;;;;;;;qEAoBqE;AAErE,MAAM,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;CA0BpB,CAAC;AAEF,MAAM,qBAAqB,GAAG;;;;;;;;EAQ5B,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4Bb,CAAC;AAEF,MAAM,gBAAgB,GAAG;;;;;;;;;;;EAWvB,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAwCb,CAAC;AAEF,MAAM,YAAY,GAAG;;;;;;;;;;;;EAYnB,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+Cb,CAAC;AAEF,MAAM,kBAAkB,GAAG;;;;;;;;EAQzB,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA8Bb,CAAC;AAoBF,SAAS,eAAe;IACtB,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACxE,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,qBAAqB,IAAI,yBAAyB,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9E,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IACtC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1D,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,OAAyB;IAChD,MAAM,SAAS,GAAG,eAAe,EAAE,CAAC;IACpC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACvD,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAEtD,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC;IAE3G,MAAM,IAAI,GAAa,CAAC,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACrD,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;IAC3D,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IACvC,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ;QAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC7C,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IACpC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAC7E,IAAI,CAAC,IAAI,CAAC,yBAAyB,EAAE,KAAK,CAAC,CAAC;IAE5C,OAAO,MAAM,IAAI,OAAO,CAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC5D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,KAAK,CAAC,eAAe,EAAE,IAAI,EAAE;YACzC,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QACH,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,MAAM,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;QAC5B,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;YACrC,IAAI,WAAW,GAAG,GAAG,EAAE,CAAC;gBACtB,MAAM,IAAI,GAAG,GAAG,GAAG,WAAW,CAAC;gBAC/B,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACxD,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBAC3B,WAAW,IAAI,KAAK,CAAC,MAAM,CAAC;YAC9B,CAAC;QACH,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;YACrC,IAAI,WAAW,GAAG,GAAG,EAAE,CAAC;gBACtB,MAAM,IAAI,GAAG,GAAG,GAAG,WAAW,CAAC;gBAC/B,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACxD,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBAC3B,WAAW,IAAI,KAAK,CAAC,MAAM,CAAC;YAC9B,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACtB,UAAU,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,CAAC;QAChD,CAAC,EAAE,OAAO,CAAC,SAAS,IAAI,kBAAkB,CAAC,CAAC;QAC5C,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,IAAI,MAAM,GAAY,IAAI,CAAC;YAC3B,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxB,IAAI,CAAC;oBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;gBACrD,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,MAAM,GAAG,EAAE,KAAK,EAAE,kCAAmC,CAAW,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC/E,CAAC;gBACD,IAAI,CAAC;oBAAC,UAAU,CAAC,OAAO,CAAC,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YACrD,CAAC;YACD,OAAO,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;QACtF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,SAAS,CAAC,MAAc,EAAE,MAAc;IAC/C,uEAAuE;IACvE,6DAA6D;IAC7D,MAAM,KAAK,GAAG,CAAC,MAAM,GAAG,IAAI,GAAG,MAAM,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACnD,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACrC,4CAA4C,CAAC,IAAI,CAAC,CAAC,CAAC;QACpD,8BAA8B,CAAC,IAAI,CAAC,CAAC,CAAC,CACvC,CAAC;IACF,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,gBAAgB;IACvB,OAAO;QACL;YACE,IAAI,EAAE,gBAAgB;YACtB,WAAW,EAAE,2RAA2R;YACxS,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,wCAAwC,EAAE;oBACjF,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,4FAA4F,EAAE;oBACtI,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,2EAA2E,EAAE;oBACvH,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,+BAA+B,EAAE;iBAC5E;gBACD,QAAQ,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC;aAChC;YACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBACtB,MAAM,CAAC,GAAG,MAAM,SAAS,CAAC;oBACxB,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;oBAC7B,UAAU,EAAE,wBAAwB;oBACpC,UAAU,EAAE,qBAAqB;oBACjC,UAAU,EAAE,EAAE;oBACd,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;oBACjC,SAAS,EAAE,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;iBAC3E,CAAC,CAAC;gBACH,MAAM,GAAG,GAAG,CAAC,CAAC,MAAoF,CAAC;gBACnG,MAAM,KAAK,GAAG;oBACZ,mBAAmB,IAAI,CAAC,MAAM,YAAY,IAAI,CAAC,OAAO,EAAE;oBACxD,QAAQ,CAAC,CAAC,QAAQ,aAAa,CAAC,CAAC,UAAU,IAAI;oBAC/C,WAAW,GAAG,EAAE,OAAO,IAAI,GAAG,cAAc,GAAG,EAAE,aAAa,IAAI,CAAC,EAAE;oBACrE,eAAe,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE;iBAC3D,CAAC;gBACF,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;gBAC3C,IAAI,IAAI;oBAAE,KAAK,CAAC,IAAI,CAAC,8BAA8B,EAAE,IAAI,CAAC,CAAC;gBAC3D,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1B,CAAC;SACF;QACD;YACE,IAAI,EAAE,uBAAuB;YAC7B,WAAW,EAAE,2IAA2I;YACxJ,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;iBAC5B;gBACD,QAAQ,EAAE,CAAC,SAAS,CAAC;aACtB;YACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBACtB,MAAM,CAAC,GAAG,MAAM,SAAS,CAAC;oBACxB,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;oBAC7B,UAAU,EAAE,wBAAwB;oBACpC,UAAU,EAAE,qBAAqB;oBACjC,UAAU,EAAE,EAAE;oBACd,QAAQ,EAAE,IAAI;iBACf,CAAC,CAAC;gBACH,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;oBACtB,OAAO,sCAAsC,CAAC,CAAC,QAAQ,MAAM,SAAS,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC/F,CAAC;gBACD,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAClC,CAAC;SACF;QACD;YACE,IAAI,EAAE,kBAAkB;YACxB,WAAW,EAAE,wHAAwH;YACrI,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;oBAC3B,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,8DAA8D,EAAE;iBACxG;gBACD,QAAQ,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC;aAChC;YACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBACtB,MAAM,CAAC,GAAG,MAAM,SAAS,CAAC;oBACxB,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;oBAC7B,UAAU,EAAE,oBAAoB;oBAChC,UAAU,EAAE,gBAAgB;oBAC5B,UAAU,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBACjC,QAAQ,EAAE,IAAI;iBACf,CAAC,CAAC;gBACH,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;oBACtB,OAAO,iCAAiC,CAAC,CAAC,QAAQ,MAAM,SAAS,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC1F,CAAC;gBACD,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAClC,CAAC;SACF;QACD;YACE,IAAI,EAAE,cAAc;YACpB,WAAW,EAAE,wGAAwG;YACrH,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;oBAC3B,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;iBAC3B;gBACD,QAAQ,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC;aAChC;YACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBACtB,MAAM,CAAC,GAAG,MAAM,SAAS,CAAC;oBACxB,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;oBAC7B,UAAU,EAAE,gBAAgB;oBAC5B,UAAU,EAAE,YAAY;oBACxB,UAAU,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBACjC,QAAQ,EAAE,IAAI;iBACf,CAAC,CAAC;gBACH,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;oBACtB,OAAO,6BAA6B,CAAC,CAAC,QAAQ,MAAM,SAAS,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;gBACtF,CAAC;gBACD,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAClC,CAAC;SACF;QACD;YACE,IAAI,EAAE,oBAAoB;YAC1B,WAAW,EAAE,oIAAoI;YACjJ,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;iBAC5B;gBACD,QAAQ,EAAE,CAAC,SAAS,CAAC;aACtB;YACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBACtB,MAAM,CAAC,GAAG,MAAM,SAAS,CAAC;oBACxB,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;oBAC7B,UAAU,EAAE,qBAAqB;oBACjC,UAAU,EAAE,kBAAkB;oBAC9B,UAAU,EAAE,EAAE;oBACd,QAAQ,EAAE,IAAI;iBACf,CAAC,CAAC;gBACH,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;oBACtB,OAAO,mCAAmC,CAAC,CAAC,QAAQ,MAAM,SAAS,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC5F,CAAC;gBACD,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAClC,CAAC;SACF;QACD;YACE,IAAI,EAAE,sBAAsB;YAC5B,WAAW,EAAE,mPAAmP;YAChQ,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,gCAAgC,EAAE;oBAC3E,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,iBAAiB,EAAE;iBAC7D;gBACD,QAAQ,EAAE,CAAC,UAAU,EAAE,UAAU,CAAC;aACnC;YACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBACtB,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACpC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACpC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;oBACjC,SAAS,CAAC;wBACR,OAAO,EAAE,KAAK;wBACd,UAAU,EAAE,wBAAwB;wBACpC,UAAU,EAAE,qBAAqB;wBACjC,UAAU,EAAE,EAAE;wBACd,QAAQ,EAAE,IAAI;qBACf,CAAC;oBACF,SAAS,CAAC;wBACR,OAAO,EAAE,KAAK;wBACd,UAAU,EAAE,wBAAwB;wBACpC,UAAU,EAAE,qBAAqB;wBACjC,UAAU,EAAE,EAAE;wBACd,QAAQ,EAAE,IAAI;qBACf,CAAC;iBACH,CAAC,CAAC;gBACH,MAAM,CAAC,GAAI,EAAE,CAAC,MAAuE,EAAE,SAAS,IAAI,EAAE,CAAC;gBACvG,MAAM,CAAC,GAAI,EAAE,CAAC,MAAuE,EAAE,SAAS,IAAI,EAAE,CAAC;gBACvG,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;gBAChD,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;gBAChD,MAAM,OAAO,GAAa,EAAE,CAAC;gBAC7B,MAAM,OAAO,GAAa,EAAE,CAAC;gBAC7B,MAAM,UAAU,GAA6C,EAAE,CAAC;gBAChE,KAAK,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC;oBAC9B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;oBAC1B,IAAI,CAAC,EAAE,EAAE,CAAC;wBACR,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACrB,CAAC;yBAAM,IAAI,EAAE,CAAC,SAAS,KAAK,EAAE,CAAC,SAAS,EAAE,CAAC;wBACzC,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC,SAAS,EAAE,CAAC,EAAE,EAAE,CAAC,SAAS,EAAE,CAAC,CAAC;oBAC9D,CAAC;gBACH,CAAC;gBACD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;oBAC/B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;wBAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC1C,CAAC;gBACD,OAAO,IAAI,CAAC,SAAS,CAAC;oBACpB,QAAQ,EAAE,KAAK;oBACf,QAAQ,EAAE,KAAK;oBACf,UAAU,EAAE,CAAC,CAAC,MAAM;oBACpB,UAAU,EAAE,CAAC,CAAC,MAAM;oBACpB,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC9B,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC9B,gBAAgB,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;iBAC3C,CAAC,CAAC;YACL,CAAC;SACF;QACD;YACE,IAAI,EAAE,uBAAuB;YAC7B,WAAW,EAAE,mIAAmI;YAChJ,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE;gBAC3C,QAAQ,EAAE,CAAC,SAAS,CAAC;aACtB;YACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBACtB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;gBACtD,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;oBACpD,OAAO,qBAAqB,IAAI,CAAC,OAAO,GAAG,CAAC;gBAC9C,CAAC;gBACD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,OAAO,oBAAoB,IAAI,CAAC,OAAO,EAAE,CAAC;gBAChE,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC9C,OAAO,WAAW,GAAG,EAAE,CAAC;YAC1B,CAAC;SACF;KACF,CAAC;AACJ,CAAC;AAED,MAAM,OAAO,8BAA8B;IAChC,EAAE,GAAG,2BAA2B,CAAC;IACjC,WAAW,GAAG,oTAAoT,CAAC;IAE5U,KAAK,CAAC,MAAM,CAAC,QAA2B;QACtC,KAAK,QAAQ,CAAC;QACd,QAAQ,CAAC,yCAAyC,CAAC,CAAC;QACpD,MAAM,SAAS,GAAc;YAC3B,EAAE,EAAE,sBAAsB;YAC1B,WAAW,EAAE,iCAAiC;YAC9C,KAAK,EAAE,gBAAgB,EAAE;SAC1B,CAAC;QACF,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,CAAC;IACnE,CAAC;CACF"}

package/dist/capabilities/index.d.ts

@@ -13,5 +13,6 @@ export { AflppCapabilityModule } from './aflppCapability.js';
 export { GdbCapabilityModule } from './gdbCapability.js';
 export { BinaryAnalysisCapabilityModule } from './binaryAnalysisCapability.js';
 export { PwntoolsCapabilityModule } from './pwntoolsCapability.js';
+export { GhidraHeadlessCapabilityModule } from './ghidraHeadlessCapability.js';
 export { BaseCapabilityModule, type BaseCapabilityOptions, ToolSuiteBuilder, SharedUtilities } from './baseCapability.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/capabilities/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/capabilities/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,6BAA6B,EAAE,6BAA6B,EAAE,KAAK,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AAGvI,OAAO,EAAE,0BAA0B,EAAE,KAAK,2BAA2B,EAAE,MAAM,2BAA2B,CAAC;AACzG,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAE,KAAK,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,KAAK,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACpF,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AAInE,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/capabilities/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,6BAA6B,EAAE,6BAA6B,EAAE,KAAK,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AAGvI,OAAO,EAAE,0BAA0B,EAAE,KAAK,2BAA2B,EAAE,MAAM,2BAA2B,CAAC;AACzG,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAE,KAAK,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,KAAK,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACpF,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAI/E,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/capabilities/index.js

@@ -15,6 +15,7 @@ export { AflppCapabilityModule } from './aflppCapability.js';
 export { GdbCapabilityModule } from './gdbCapability.js';
 export { BinaryAnalysisCapabilityModule } from './binaryAnalysisCapability.js';
 export { PwntoolsCapabilityModule } from './pwntoolsCapability.js';
+export { GhidraHeadlessCapabilityModule } from './ghidraHeadlessCapability.js';
 // CoworkCapabilityModule moved to ~/GitHub/erosolar-cowork (2026-05) —
 // productivity-assistant surface kept separate from the coding CLI.
 // See CLAUDE.md "Capability separation".

package/dist/capabilities/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/capabilities/index.ts"],"names":[],"mappings":"AAAA,2CAA2C;AAC3C,OAAO,EAAE,6BAA6B,EAAE,6BAA6B,EAA6B,MAAM,8BAA8B,CAAC;AAEvI,4BAA4B;AAC5B,OAAO,EAAE,0BAA0B,EAAoC,MAAM,2BAA2B,CAAC;AACzG,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAA8B,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAgC,MAAM,uBAAuB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAA6B,MAAM,oBAAoB,CAAC;AACpF,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAA8B,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,uEAAuE;AACvE,oEAAoE;AACpE,yCAAyC;AACzC,OAAO,EAAE,oBAAoB,EAA8B,gBAAgB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/capabilities/index.ts"],"names":[],"mappings":"AAAA,2CAA2C;AAC3C,OAAO,EAAE,6BAA6B,EAAE,6BAA6B,EAA6B,MAAM,8BAA8B,CAAC;AAEvI,4BAA4B;AAC5B,OAAO,EAAE,0BAA0B,EAAoC,MAAM,2BAA2B,CAAC;AACzG,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAA8B,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAgC,MAAM,uBAAuB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAA6B,MAAM,oBAAoB,CAAC;AACpF,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAA8B,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,uEAAuE;AACvE,oEAAoE;AACpE,yCAAyC;AACzC,OAAO,EAAE,oBAAoB,EAA8B,gBAAgB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/core/userApproval.d.ts

@@ -24,6 +24,8 @@ export interface ApprovalResult {
     email: string | null;
     uid: string | null;
     reason?: string;
+    revoked?: boolean;
+    profilesAllowed?: string[];
 }
 export declare function normalizeEmail(email: string): string;
 /**
@@ -31,8 +33,16 @@ export declare function normalizeEmail(email: string): string;
  * Side-effect free; just reads. Errors are surfaced as `approved: false`
  * with a reason so the caller can decide whether to file a request
  * doc and/or surface the message.
+ *
+ * Optional `profile` arg restricts the check: if set, the user's
+ * `profiles_allowed` must include either `*` (all) or this profile
+ * name. Missing `profiles_allowed` is treated as permissive for
+ * backward compatibility with the initial bootstrap docs that
+ * predate the field. New approvals via `scripts/approve-user.mjs`
+ * default to `['erosolar-code']` only — offsec profiles like
+ * `variant-research` require an explicit grant.
  */
-export declare function checkApproval(): Promise<ApprovalResult>;
+export declare function checkApproval(profile?: string): Promise<ApprovalResult>;
 /**
  * Idempotently write `approval_requests/{uid}` so the admin sees a
  * pending request. Firestore rules let any authenticated user PATCH
@@ -43,4 +53,22 @@ export declare function requestApproval(): Promise<{
     ok: boolean;
     reason?: string;
 }>;
+export interface UsageLogEntry {
+    profile: string;
+    model: string;
+    version: string;
+    platform: string;
+}
+/**
+ * Append an audit-log entry at `usage_logs/{uid}/sessions/{sessionId}`.
+ * Best-effort: a Firestore failure does NOT block the user's session
+ * — logging is observability, not a runtime gate. Schema is
+ * deliberately minimal (no prompt content, no env): just session
+ * metadata so the operator can review patterns and detect abuse
+ * without retaining user-visible content.
+ */
+export declare function writeUsageLog(entry: UsageLogEntry): Promise<{
+    ok: boolean;
+    reason?: string;
+}>;
 //# sourceMappingURL=userApproval.d.ts.map

package/dist/core/userApproval.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"userApproval.d.ts","sourceRoot":"","sources":["../../src/core/userApproval.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAMH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEpD;AA4BD;;;;;GAKG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC,cAAc,CAAC,CAkB7D;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA6BjF"}
+{"version":3,"file":"userApproval.d.ts","sourceRoot":"","sources":["../../src/core/userApproval.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAMH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEpD;AA6CD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,aAAa,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CA6C7E;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA6BjF;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;GAOG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAiCnG"}

package/dist/core/userApproval.js

@@ -24,6 +24,14 @@ const FIRESTORE_BASE = `https://firestore.googleapis.com/v1/projects/${FIREBASE_
 export function normalizeEmail(email) {
     return email.trim().toLowerCase();
 }
+function readArrayOfStrings(field) {
+    const arr = field?.arrayValue?.values;
+    if (!Array.isArray(arr))
+        return undefined;
+    return arr
+        .map((v) => v.stringValue)
+        .filter((v) => typeof v === 'string');
+}
 async function fetchApprovalDoc(email) {
     const idToken = await getValidIdToken();
     const url = `${FIRESTORE_BASE}/approved_users/${encodeURIComponent(email)}`;
@@ -38,15 +46,25 @@ async function fetchApprovalDoc(email) {
     }
     const doc = (await res.json());
     const approved = doc.fields?.['approved']?.booleanValue === true;
-    return { approved };
+    const revoked = doc.fields?.['revoked']?.booleanValue === true;
+    const profilesAllowed = readArrayOfStrings(doc.fields?.['profiles_allowed']);
+    return { approved, revoked, profilesAllowed };
 }
 /**
  * Verify the currently-signed-in user is on the approved list.
  * Side-effect free; just reads. Errors are surfaced as `approved: false`
  * with a reason so the caller can decide whether to file a request
  * doc and/or surface the message.
+ *
+ * Optional `profile` arg restricts the check: if set, the user's
+ * `profiles_allowed` must include either `*` (all) or this profile
+ * name. Missing `profiles_allowed` is treated as permissive for
+ * backward compatibility with the initial bootstrap docs that
+ * predate the field. New approvals via `scripts/approve-user.mjs`
+ * default to `['erosolar-code']` only — offsec profiles like
+ * `variant-research` require an explicit grant.
  */
-export async function checkApproval() {
+export async function checkApproval(profile) {
     const status = getAuthStatus();
     if (!status.authenticated) {
         return { approved: false, email: null, uid: null, reason: 'not signed in' };
@@ -58,9 +76,35 @@ export async function checkApproval() {
     }
     try {
         const doc = await fetchApprovalDoc(email);
-        if (doc?.approved)
-            return { approved: true, email, uid };
-        return { approved: false, email, uid, reason: 'email not on approved-users list' };
+        if (!doc) {
+            return { approved: false, email, uid, reason: 'email not on approved-users list' };
+        }
+        if (!doc.approved) {
+            return { approved: false, email, uid, reason: 'email not on approved-users list' };
+        }
+        if (doc.revoked) {
+            return {
+                approved: false,
+                email,
+                uid,
+                reason: 'access revoked — contact the operator',
+                revoked: true,
+                profilesAllowed: doc.profilesAllowed,
+            };
+        }
+        if (profile && doc.profilesAllowed && doc.profilesAllowed.length > 0) {
+            const allowed = doc.profilesAllowed.includes('*') || doc.profilesAllowed.includes(profile);
+            if (!allowed) {
+                return {
+                    approved: false,
+                    email,
+                    uid,
+                    reason: `profile "${profile}" not granted to this account (allowed: ${doc.profilesAllowed.join(', ')})`,
+                    profilesAllowed: doc.profilesAllowed,
+                };
+            }
+        }
+        return { approved: true, email, uid, profilesAllowed: doc.profilesAllowed };
     }
     catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
@@ -104,4 +148,47 @@ export async function requestApproval() {
         return { ok: false, reason: err instanceof Error ? err.message : String(err) };
     }
 }
+/**
+ * Append an audit-log entry at `usage_logs/{uid}/sessions/{sessionId}`.
+ * Best-effort: a Firestore failure does NOT block the user's session
+ * — logging is observability, not a runtime gate. Schema is
+ * deliberately minimal (no prompt content, no env): just session
+ * metadata so the operator can review patterns and detect abuse
+ * without retaining user-visible content.
+ */
+export async function writeUsageLog(entry) {
+    const status = getAuthStatus();
+    if (!status.authenticated || !status.uid) {
+        return { ok: false, reason: 'not signed in' };
+    }
+    try {
+        const idToken = await getValidIdToken();
+        const sessionId = `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+        const url = `${FIRESTORE_BASE}/usage_logs/${encodeURIComponent(status.uid)}/sessions?documentId=${encodeURIComponent(sessionId)}`;
+        const body = {
+            fields: {
+                uid: { stringValue: status.uid },
+                email: { stringValue: status.email ?? '' },
+                startedAt: { timestampValue: new Date().toISOString() },
+                profile: { stringValue: entry.profile },
+                model: { stringValue: entry.model },
+                version: { stringValue: entry.version },
+                platform: { stringValue: entry.platform },
+            },
+        };
+        const res = await fetch(url, {
+            method: 'POST',
+            headers: { Authorization: `Bearer ${idToken}`, 'Content-Type': 'application/json' },
+            body: JSON.stringify(body),
+        });
+        if (!res.ok) {
+            const txt = await res.text().catch(() => '<no body>');
+            return { ok: false, reason: `Firestore ${res.status}: ${txt.slice(0, 200)}` };
+        }
+        return { ok: true };
+    }
+    catch (err) {
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+    }
+}
 //# sourceMappingURL=userApproval.js.map

package/dist/core/userApproval.js.map

@@ -1 +1 @@
-{"version":3,"file":"userApproval.js","sourceRoot":"","sources":["../../src/core/userApproval.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAEhF,MAAM,cAAc,GAAG,gDAAgD,mBAAmB,gCAAgC,CAAC;AAS3H,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AACpC,CAAC;AAYD,KAAK,UAAU,gBAAgB,CAAC,KAAa;IAC3C,MAAM,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;IACxC,MAAM,GAAG,GAAG,GAAG,cAAc,mBAAmB,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;IAC5E,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;KAC5E,CAAC,CAAC;IACH,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,aAAa,GAAG,CAAC,MAAM,2BAA2B,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACpG,CAAC;IACD,MAAM,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAsB,CAAC;IACpD,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE,YAAY,KAAK,IAAI,CAAC;IACjE,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAC/B,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QAC1B,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAC9E,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACjE,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,uCAAuC,EAAE,CAAC;IAC1F,CAAC;IACD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAC1C,IAAI,GAAG,EAAE,QAAQ;YAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;QACzD,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;IACrF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,0BAA0B,GAAG,EAAE,EAAE,CAAC;IAClF,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAC/B,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QACzC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,GAAG,cAAc,sBAAsB,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QACpF,MAAM,IAAI,GAAG;YACX,MAAM,EAAE;gBACN,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE;gBAC1C,GAAG,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,GAAG,EAAE;gBAChC,WAAW,EAAE,EAAE,cAAc,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE;gBACzD,MAAM,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE;aACnC;SACF,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YACnF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC;QAChF,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IACjF,CAAC;AACH,CAAC"}
+{"version":3,"file":"userApproval.js","sourceRoot":"","sources":["../../src/core/userApproval.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAEhF,MAAM,cAAc,GAAG,gDAAgD,mBAAmB,gCAAgC,CAAC;AAW3H,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AACpC,CAAC;AAaD,SAAS,kBAAkB,CAAC,KAAsB;IAChD,MAAM,GAAG,GAAG,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC;IACtC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAC1C,OAAO,GAAG;SACP,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;SACzB,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;AACvD,CAAC;AAQD,KAAK,UAAU,gBAAgB,CAAC,KAAa;IAC3C,MAAM,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;IACxC,MAAM,GAAG,GAAG,GAAG,cAAc,mBAAmB,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;IAC5E,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;KAC5E,CAAC,CAAC;IACH,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,aAAa,GAAG,CAAC,MAAM,2BAA2B,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACpG,CAAC;IACD,MAAM,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAsB,CAAC;IACpD,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE,YAAY,KAAK,IAAI,CAAC;IACjE,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,EAAE,YAAY,KAAK,IAAI,CAAC;IAC/D,MAAM,eAAe,GAAG,kBAAkB,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAC7E,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;AAChD,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,OAAgB;IAClD,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAC/B,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QAC1B,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAC9E,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACjE,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,uCAAuC,EAAE,CAAC;IAC1F,CAAC;IACD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAC1C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;QACrF,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAClB,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;QACrF,CAAC;QACD,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;YAChB,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,KAAK;gBACL,GAAG;gBACH,MAAM,EAAE,uCAAuC;gBAC/C,OAAO,EAAE,IAAI;gBACb,eAAe,EAAE,GAAG,CAAC,eAAe;aACrC,CAAC;QACJ,CAAC;QACD,IAAI,OAAO,IAAI,GAAG,CAAC,eAAe,IAAI,GAAG,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrE,MAAM,OAAO,GAAG,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC3F,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO;oBACL,QAAQ,EAAE,KAAK;oBACf,KAAK;oBACL,GAAG;oBACH,MAAM,EAAE,YAAY,OAAO,2CAA2C,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;oBACvG,eAAe,EAAE,GAAG,CAAC,eAAe;iBACrC,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,eAAe,EAAE,GAAG,CAAC,eAAe,EAAE,CAAC;IAC9E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,0BAA0B,GAAG,EAAE,EAAE,CAAC;IAClF,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAC/B,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QACzC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,GAAG,cAAc,sBAAsB,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QACpF,MAAM,IAAI,GAAG;YACX,MAAM,EAAE;gBACN,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE;gBAC1C,GAAG,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,GAAG,EAAE;gBAChC,WAAW,EAAE,EAAE,cAAc,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE;gBACzD,MAAM,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE;aACnC;SACF,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YACnF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC;QAChF,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IACjF,CAAC;AACH,CAAC;AASD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAoB;IACtD,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAC/B,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QACzC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;QACxC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAC5E,MAAM,GAAG,GAAG,GAAG,cAAc,eAAe,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,wBAAwB,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;QAClI,MAAM,IAAI,GAAG;YACX,MAAM,EAAE;gBACN,GAAG,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,GAAG,EAAE;gBAChC,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE;gBAC1C,SAAS,EAAE,EAAE,cAAc,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE;gBACvD,OAAO,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,OAAO,EAAE;gBACvC,KAAK,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,KAAK,EAAE;gBACnC,OAAO,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,OAAO,EAAE;gBACvC,QAAQ,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,QAAQ,EAAE;aAC1C;SACF,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YACnF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC;QAChF,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IACjF,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@trenchwork/erosolar",
-  "version": "1.1.25",
+  "version": "1.1.27",
   "description": "DeepSeek AI-powered CLI agent for code assistance and automation",
   "deepseek": {
     "rulebookSchema": "src/contracts/schemas/agent-rules.schema.json"
@@ -17,6 +17,7 @@
     "dist",
     "scripts/postinstall.cjs",
     "README.md",
+    "SECURITY.md",
     "agents",
     "LICENSE"
   ],