@trenchwork/erosolar 1.1.27 → 1.1.29

package/dist/core/projectTracker.js

@@ -0,0 +1,275 @@
+/**
+ * Project tracking — pairs every CLI session with a stable project
+ * doc keyed off the working directory. The project doc rolls up
+ * lastSeenAt / sessionCount / totalTokens so the audit portal can
+ * show "what's the CLI been doing in /home/bo/GitHub/foo lately"
+ * without scanning every session.
+ *
+ * Identity:
+ *   projectId = sha256(absolute path).slice(0, 12)
+ * Same checkout on the same machine → same project across launches,
+ * with no operator input needed.
+ *
+ * Schema (Firestore):
+ *   projects/{projectId}
+ *     ownerUid:        string
+ *     name:            string                 (basename of workingDir)
+ *     workingDir:      string
+ *     workingDirHash:  string                 (the projectId, repeated for queries)
+ *     gitRemote:       string | null
+ *     gitBranchAtFirst: string | null
+ *     createdAt:       timestamp              (server time)
+ *     lastSeenAt:      timestamp              (server time, every boot)
+ *     sessionCount:    int                    (Firestore Increment(+1) per boot)
+ *     totalTokens:     int                    (Increment on session-end with usage)
+ *     status:          'active' | 'archived'
+ *
+ *   usage_logs/{uid}/sessions/{sessionId}
+ *     ... existing session-start fields ...
+ *     projectId:       string                 (FK)
+ *     gitBranch:       string | null
+ *     gitCommit:       string | null
+ *     outcome:         'in_progress' | 'completed' | 'cancelled' | 'errored'
+ *     filesModified:   string[]               (post-end update)
+ *     toolsUsed:       string[]               (post-end update)
+ *     tokensIn / tokensOut: int               (post-end update)
+ *     endedAt:         timestamp | null       (post-end update)
+ */
+import { createHash } from 'node:crypto';
+import { execSync } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { basename, resolve } from 'node:path';
+import { FIREBASE_PROJECT_ID, getAuthStatus, getValidIdToken } from './auth.js';
+const FIRESTORE_BASE = `https://firestore.googleapis.com/v1/projects/${FIREBASE_PROJECT_ID}/databases/(default)/documents`;
+export function deriveProjectId(workingDir) {
+    return createHash('sha256').update(resolve(workingDir)).digest('hex').slice(0, 12);
+}
+function safeGit(args, cwd) {
+    try {
+        const out = execSync(`git ${args.map(shellQuote).join(' ')}`, {
+            cwd,
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+            timeout: 2000,
+        });
+        return out.trim() || null;
+    }
+    catch {
+        return null;
+    }
+}
+function shellQuote(s) {
+    return /^[\w./:=-]+$/.test(s) ? s : `'${s.replace(/'/g, "'\\''")}'`;
+}
+function gitInfo(workingDir) {
+    if (!existsSync(workingDir))
+        return { branch: null, commit: null, remote: null };
+    return {
+        branch: safeGit(['rev-parse', '--abbrev-ref', 'HEAD'], workingDir),
+        commit: safeGit(['rev-parse', 'HEAD'], workingDir),
+        remote: safeGit(['config', '--get', 'remote.origin.url'], workingDir),
+    };
+}
+export function buildProjectContext(workingDir) {
+    const abs = resolve(workingDir);
+    const id = deriveProjectId(abs);
+    const { branch, commit, remote } = gitInfo(abs);
+    return {
+        projectId: id,
+        workingDir: abs,
+        name: basename(abs) || abs,
+        gitBranch: branch,
+        gitCommit: commit,
+        gitRemote: remote,
+    };
+}
+function strField(v) {
+    if (v == null || v === '')
+        return { nullValue: null };
+    return { stringValue: v };
+}
+/**
+ * Idempotent register of `projects/{projectId}`. Uses Firestore's
+ * REST `commit` endpoint with two writes in a transaction-like
+ * batch: an upsert of mutable fields + a server-side
+ * `Increment(1)` on sessionCount. The createdAt-vs-lastSeenAt
+ * distinction is preserved because Firestore PATCH with a partial
+ * field mask only touches the listed fields.
+ */
+export async function registerProject(workingDir) {
+    const context = buildProjectContext(workingDir);
+    const status = getAuthStatus();
+    if (!status.authenticated || !status.uid) {
+        return { ok: false, context, reason: 'not signed in' };
+    }
+    try {
+        const idToken = await getValidIdToken();
+        // Two writes via :commit so server-side timestamps + Increment fire
+        // atomically. The first PATCH ensures createdAt and gitBranchAtFirst
+        // only land on first write (updateMask omits them on subsequent
+        // calls — see below). The second write Increments sessionCount and
+        // sets lastSeenAt every boot.
+        const docPath = `projects/${context.projectId}`;
+        const fullName = `projects/${FIREBASE_PROJECT_ID}/databases/(default)/documents/${docPath}`;
+        // Discover whether the doc exists (so we can skip writing
+        // createdAt / gitBranchAtFirst on subsequent boots).
+        const getRes = await fetch(`${FIRESTORE_BASE}/${docPath}`, {
+            headers: { Authorization: `Bearer ${idToken}` },
+        });
+        const exists = getRes.status === 200;
+        const fields = {
+            ownerUid: { stringValue: status.uid },
+            name: { stringValue: context.name },
+            workingDir: { stringValue: context.workingDir },
+            workingDirHash: { stringValue: context.projectId },
+            gitRemote: strField(context.gitRemote),
+            lastSeenAt: { timestampValue: new Date().toISOString() },
+            status: { stringValue: 'active' },
+        };
+        if (!exists) {
+            fields['createdAt'] = { timestampValue: new Date().toISOString() };
+            fields['gitBranchAtFirst'] = strField(context.gitBranch);
+            fields['sessionCount'] = { integerValue: '1' };
+            fields['totalTokens'] = { integerValue: '0' };
+        }
+        const updateMask = Object.keys(fields).map((k) => `updateMask.fieldPaths=${k}`).join('&');
+        const patchUrl = `${FIRESTORE_BASE}/${docPath}?${updateMask}`;
+        const patchRes = await fetch(patchUrl, {
+            method: 'PATCH',
+            headers: { Authorization: `Bearer ${idToken}`, 'Content-Type': 'application/json' },
+            body: JSON.stringify({ fields }),
+        });
+        if (!patchRes.ok) {
+            const txt = await patchRes.text().catch(() => '<no body>');
+            return { ok: false, context, reason: `PATCH ${patchRes.status}: ${txt.slice(0, 200)}` };
+        }
+        // For existing docs, increment sessionCount via the :commit endpoint.
+        if (exists) {
+            const commitUrl = `${FIRESTORE_BASE.replace(/\/documents$/, '')}/documents:commit`;
+            const commitBody = {
+                writes: [{
+                        transform: {
+                            document: fullName,
+                            fieldTransforms: [{
+                                    fieldPath: 'sessionCount',
+                                    increment: { integerValue: '1' },
+                                }],
+                        },
+                    }],
+            };
+            await fetch(commitUrl, {
+                method: 'POST',
+                headers: { Authorization: `Bearer ${idToken}`, 'Content-Type': 'application/json' },
+                body: JSON.stringify(commitBody),
+            }).catch(() => { });
+        }
+        return { ok: true, context };
+    }
+    catch (err) {
+        return { ok: false, context, reason: err instanceof Error ? err.message : String(err) };
+    }
+}
+/**
+ * Append `usage_logs/{uid}/sessions/{sessionId}` with the project FK.
+ * Returns the sessionId so the caller can later write session-end.
+ * Replaces the prior `writeUsageLog` for the project-aware path.
+ */
+export async function writeSessionStart(entry) {
+    const status = getAuthStatus();
+    if (!status.authenticated || !status.uid) {
+        return { ok: false, sessionId: null, reason: 'not signed in' };
+    }
+    try {
+        const idToken = await getValidIdToken();
+        const sessionId = `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+        const url = `${FIRESTORE_BASE}/usage_logs/${encodeURIComponent(status.uid)}/sessions?documentId=${encodeURIComponent(sessionId)}`;
+        const body = {
+            fields: {
+                uid: { stringValue: status.uid },
+                email: strField(status.email ?? ''),
+                startedAt: { timestampValue: new Date().toISOString() },
+                profile: { stringValue: entry.profile },
+                model: { stringValue: entry.model },
+                version: { stringValue: entry.version },
+                platform: { stringValue: entry.platform },
+                projectId: { stringValue: entry.project.projectId },
+                gitBranch: strField(entry.project.gitBranch),
+                gitCommit: strField(entry.project.gitCommit),
+                outcome: { stringValue: 'in_progress' },
+                tokensIn: { integerValue: '0' },
+                tokensOut: { integerValue: '0' },
+            },
+        };
+        const res = await fetch(url, {
+            method: 'POST',
+            headers: { Authorization: `Bearer ${idToken}`, 'Content-Type': 'application/json' },
+            body: JSON.stringify(body),
+        });
+        if (!res.ok) {
+            const txt = await res.text().catch(() => '<no body>');
+            return { ok: false, sessionId: null, reason: `Firestore ${res.status}: ${txt.slice(0, 200)}` };
+        }
+        return { ok: true, sessionId };
+    }
+    catch (err) {
+        return { ok: false, sessionId: null, reason: err instanceof Error ? err.message : String(err) };
+    }
+}
+/**
+ * Patch the session row on shell exit + bump the parent project's
+ * totalTokens. Best-effort; a kill -9 leaves the session at
+ * `outcome: in_progress` which the audit page can highlight.
+ */
+export async function writeSessionEnd(entry) {
+    const status = getAuthStatus();
+    if (!status.authenticated || !status.uid) {
+        return { ok: false, reason: 'not signed in' };
+    }
+    try {
+        const idToken = await getValidIdToken();
+        const sessionDoc = `usage_logs/${encodeURIComponent(status.uid)}/sessions/${encodeURIComponent(entry.sessionId)}`;
+        const sessionFields = ['outcome', 'endedAt', 'filesModified', 'toolsUsed', 'tokensIn', 'tokensOut'];
+        const sessionMask = sessionFields.map((k) => `updateMask.fieldPaths=${k}`).join('&');
+        const sessionBody = {
+            fields: {
+                outcome: { stringValue: entry.outcome },
+                endedAt: { timestampValue: new Date().toISOString() },
+                filesModified: { arrayValue: { values: entry.filesModified.slice(0, 100).map((s) => ({ stringValue: s })) } },
+                toolsUsed: { arrayValue: { values: entry.toolsUsed.slice(0, 100).map((s) => ({ stringValue: s })) } },
+                tokensIn: { integerValue: String(entry.tokensIn) },
+                tokensOut: { integerValue: String(entry.tokensOut) },
+            },
+        };
+        await fetch(`${FIRESTORE_BASE}/${sessionDoc}?${sessionMask}`, {
+            method: 'PATCH',
+            headers: { Authorization: `Bearer ${idToken}`, 'Content-Type': 'application/json' },
+            body: JSON.stringify(sessionBody),
+        });
+        // Increment the project's totalTokens via the :commit endpoint.
+        const totalDelta = entry.tokensIn + entry.tokensOut;
+        if (totalDelta > 0) {
+            const commitUrl = `${FIRESTORE_BASE.replace(/\/documents$/, '')}/documents:commit`;
+            const commitBody = {
+                writes: [{
+                        transform: {
+                            document: `projects/${FIREBASE_PROJECT_ID}/databases/(default)/documents/projects/${entry.projectId}`,
+                            fieldTransforms: [{
+                                    fieldPath: 'totalTokens',
+                                    increment: { integerValue: String(totalDelta) },
+                                }],
+                        },
+                    }],
+            };
+            await fetch(commitUrl, {
+                method: 'POST',
+                headers: { Authorization: `Bearer ${idToken}`, 'Content-Type': 'application/json' },
+                body: JSON.stringify(commitBody),
+            }).catch(() => { });
+        }
+        return { ok: true };
+    }
+    catch (err) {
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+    }
+}
+//# sourceMappingURL=projectTracker.js.map

package/dist/core/projectTracker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"projectTracker.js","sourceRoot":"","sources":["../../src/core/projectTracker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE9C,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAEhF,MAAM,cAAc,GAAG,gDAAgD,mBAAmB,gCAAgC,CAAC;AAW3H,MAAM,UAAU,eAAe,CAAC,UAAkB;IAChD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrF,CAAC;AAED,SAAS,OAAO,CAAC,IAAc,EAAE,GAAW;IAC1C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE;YAC5D,GAAG;YACH,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;YACnC,OAAO,EAAE,IAAI;SACd,CAAC,CAAC;QACH,OAAO,GAAG,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;AACtE,CAAC;AAED,SAAS,OAAO,CAAC,UAAkB;IACjC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACjF,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,CAAC,WAAW,EAAE,cAAc,EAAE,MAAM,CAAC,EAAE,UAAU,CAAC;QAClE,MAAM,EAAE,OAAO,CAAC,CAAC,WAAW,EAAE,MAAM,CAAC,EAAE,UAAU,CAAC;QAClD,MAAM,EAAE,OAAO,CAAC,CAAC,QAAQ,EAAE,OAAO,EAAE,mBAAmB,CAAC,EAAE,UAAU,CAAC;KACtE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,UAAkB;IACpD,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAChC,MAAM,EAAE,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAChD,OAAO;QACL,SAAS,EAAE,EAAE;QACb,UAAU,EAAE,GAAG;QACf,IAAI,EAAE,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG;QAC1B,SAAS,EAAE,MAAM;QACjB,SAAS,EAAE,MAAM;QACjB,SAAS,EAAE,MAAM;KAClB,CAAC;AACJ,CAAC;AAWD,SAAS,QAAQ,CAAC,CAA4B;IAC5C,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACtD,OAAO,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC;AAC5B,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,UAAkB;IAKtD,MAAM,OAAO,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAC/B,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QACzC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACzD,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;QACxC,oEAAoE;QACpE,qEAAqE;QACrE,gEAAgE;QAChE,mEAAmE;QACnE,8BAA8B;QAC9B,MAAM,OAAO,GAAG,YAAY,OAAO,CAAC,SAAS,EAAE,CAAC;QAChD,MAAM,QAAQ,GAAG,YAAY,mBAAmB,kCAAkC,OAAO,EAAE,CAAC;QAE5F,0DAA0D;QAC1D,qDAAqD;QACrD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,cAAc,IAAI,OAAO,EAAE,EAAE;YACzD,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE;SAChD,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,KAAK,GAAG,CAAC;QAErC,MAAM,MAAM,GAAmC;YAC7C,QAAQ,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,GAAG,EAAE;YACrC,IAAI,EAAE,EAAE,WAAW,EAAE,OAAO,CAAC,IAAI,EAAE;YACnC,UAAU,EAAE,EAAE,WAAW,EAAE,OAAO,CAAC,UAAU,EAAE;YAC/C,cAAc,EAAE,EAAE,WAAW,EAAE,OAAO,CAAC,SAAS,EAAE;YAClD,SAAS,EAAE,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC;YACtC,UAAU,EAAE,EAAE,cAAc,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE;YACxD,MAAM,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAE;SAClC,CAAC;QACF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,cAAc,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;YACnE,MAAM,CAAC,kBAAkB,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACzD,MAAM,CAAC,cAAc,CAAC,GAAG,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;YAC/C,MAAM,CAAC,aAAa,CAAC,GAAG,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;QAChD,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,yBAAyB,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1F,MAAM,QAAQ,GAAG,GAAG,cAAc,IAAI,OAAO,IAAI,UAAU,EAAE,CAAC;QAC9D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;YACrC,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YACnF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;SACjC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;YAC3D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,QAAQ,CAAC,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC;QAC1F,CAAC;QAED,sEAAsE;QACtE,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,SAAS,GAAG,GAAG,cAAc,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,mBAAmB,CAAC;YACnF,MAAM,UAAU,GAAG;gBACjB,MAAM,EAAE,CAAC;wBACP,SAAS,EAAE;4BACT,QAAQ,EAAE,QAAQ;4BAClB,eAAe,EAAE,CAAC;oCAChB,SAAS,EAAE,cAAc;oCACzB,SAAS,EAAE,EAAE,YAAY,EAAE,GAAG,EAAE;iCACjC,CAAC;yBACH;qBACF,CAAC;aACH,CAAC;YACF,MAAM,KAAK,CAAC,SAAS,EAAE;gBACrB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBACnF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC;aACjC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAkD,CAAC,CAAC,CAAC;QACrE,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IAC1F,CAAC;AACH,CAAC;AAUD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,KAAwB;IAK9D,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAC/B,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QACzC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACjE,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;QACxC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAC5E,MAAM,GAAG,GAAG,GAAG,cAAc,eAAe,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,wBAAwB,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;QAClI,MAAM,IAAI,GAAG;YACX,MAAM,EAAE;gBACN,GAAG,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,GAAG,EAAE;gBAChC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;gBACnC,SAAS,EAAE,EAAE,cAAc,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE;gBACvD,OAAO,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,OAAO,EAAE;gBACvC,KAAK,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,KAAK,EAAE;gBACnC,OAAO,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,OAAO,EAAE;gBACvC,QAAQ,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,QAAQ,EAAE;gBACzC,SAAS,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,OAAO,CAAC,SAAS,EAAE;gBACnD,SAAS,EAAE,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;gBAC5C,SAAS,EAAE,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;gBAC5C,OAAO,EAAE,EAAE,WAAW,EAAE,aAAa,EAAE;gBACvC,QAAQ,EAAE,EAAE,YAAY,EAAE,GAAG,EAAE;gBAC/B,SAAS,EAAE,EAAE,YAAY,EAAE,GAAG,EAAE;aACjC;SACF,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YACnF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC;QACjG,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;IACjC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IAClG,CAAC;AACH,CAAC;AAYD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAsB;IAC1D,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAC/B,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QACzC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;QACxC,MAAM,UAAU,GAAG,cAAc,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,aAAa,kBAAkB,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;QAClH,MAAM,aAAa,GAAG,CAAC,SAAS,EAAE,SAAS,EAAE,eAAe,EAAE,WAAW,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;QACpG,MAAM,WAAW,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,yBAAyB,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrF,MAAM,WAAW,GAAG;YAClB,MAAM,EAAE;gBACN,OAAO,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,OAAO,EAAE;gBACvC,OAAO,EAAE,EAAE,cAAc,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE;gBACrD,aAAa,EAAE,EAAE,UAAU,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE;gBAC7G,SAAS,EAAE,EAAE,UAAU,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE;gBACrG,QAAQ,EAAE,EAAE,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE;gBAClD,SAAS,EAAE,EAAE,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE;aACrD;SACF,CAAC;QACF,MAAM,KAAK,CAAC,GAAG,cAAc,IAAI,UAAU,IAAI,WAAW,EAAE,EAAE;YAC5D,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YACnF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;SAClC,CAAC,CAAC;QAEH,gEAAgE;QAChE,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,GAAG,KAAK,CAAC,SAAS,CAAC;QACpD,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,SAAS,GAAG,GAAG,cAAc,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,mBAAmB,CAAC;YACnF,MAAM,UAAU,GAAG;gBACjB,MAAM,EAAE,CAAC;wBACP,SAAS,EAAE;4BACT,QAAQ,EAAE,YAAY,mBAAmB,2CAA2C,KAAK,CAAC,SAAS,EAAE;4BACrG,eAAe,EAAE,CAAC;oCAChB,SAAS,EAAE,aAAa;oCACxB,SAAS,EAAE,EAAE,YAAY,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE;iCAChD,CAAC;yBACH;qBACF,CAAC;aACH,CAAC;YACF,MAAM,KAAK,CAAC,SAAS,EAAE;gBACrB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBACnF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC;aACjC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAqB,CAAC,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IACjF,CAAC;AACH,CAAC"}

package/dist/core/reviewerGuard.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Constitutional reviewer-agent guard. Runs between user-configured
+ * shell hooks and the actual tool handler. Two layers:
+ *
+ *   1. **Hardcoded heuristic guard (always on)**. Catches the
+ *      well-known catastrophic patterns (rm -rf /, curl-to-shell,
+ *      anything that targets a path outside the workspace AND
+ *      destroys data). Cheap, deterministic, no LLM call.
+ *
+ *   2. **LLM reviewer (gated by EROSOLAR_REVIEWER=1)**. Sends the
+ *      proposed tool call + a brief constitution to a small, cheap
+ *      reviewer model (Anthropic Haiku by default). Returns one of
+ *      `approve | refine | veto` with a reason. The decision is
+ *      logged to Firestore at reviewer_log/{uid}/decisions/{id} for
+ *      operator review.
+ *
+ * The reviewer fails *open* on any error (network blip, unparseable
+ * model response, missing API key). Refusing-by-default would brick
+ * the CLI for users without the reviewer model configured. Instead,
+ * a failure is itself an audit-log event the operator can review.
+ */
+export interface ReviewDecision {
+    decision: 'approve' | 'refine' | 'veto';
+    reason: string;
+    source: 'heuristic' | 'llm' | 'disabled' | 'error';
+}
+export declare function buildReviewPrompt(toolName: string, args: unknown): string;
+export declare function parseReviewDecision(text: string): ReviewDecision | null;
+/**
+ * Review a proposed tool call. Decision flow:
+ *   1. Heuristic veto patterns — if any match, veto immediately (no LLM).
+ *   2. If EROSOLAR_REVIEWER env is on AND ANTHROPIC_API_KEY is present,
+ *      call the reviewer model.
+ *   3. Otherwise, approve.
+ */
+export declare function reviewToolCall(toolName: string, args: unknown): Promise<ReviewDecision>;
+//# sourceMappingURL=reviewerGuard.d.ts.map

package/dist/core/reviewerGuard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reviewerGuard.d.ts","sourceRoot":"","sources":["../../src/core/reviewerGuard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAIH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,SAAS,GAAG,QAAQ,GAAG,MAAM,CAAC;IACxC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,WAAW,GAAG,KAAK,GAAG,UAAU,GAAG,OAAO,CAAC;CACpD;AAwGD,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,MAAM,CAazE;AAED,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI,CAWvE;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,cAAc,CAAC,CAmC7F"}

package/dist/core/reviewerGuard.js

@@ -0,0 +1,188 @@
+/**
+ * Constitutional reviewer-agent guard. Runs between user-configured
+ * shell hooks and the actual tool handler. Two layers:
+ *
+ *   1. **Hardcoded heuristic guard (always on)**. Catches the
+ *      well-known catastrophic patterns (rm -rf /, curl-to-shell,
+ *      anything that targets a path outside the workspace AND
+ *      destroys data). Cheap, deterministic, no LLM call.
+ *
+ *   2. **LLM reviewer (gated by EROSOLAR_REVIEWER=1)**. Sends the
+ *      proposed tool call + a brief constitution to a small, cheap
+ *      reviewer model (Anthropic Haiku by default). Returns one of
+ *      `approve | refine | veto` with a reason. The decision is
+ *      logged to Firestore at reviewer_log/{uid}/decisions/{id} for
+ *      operator review.
+ *
+ * The reviewer fails *open* on any error (network blip, unparseable
+ * model response, missing API key). Refusing-by-default would brick
+ * the CLI for users without the reviewer model configured. Instead,
+ * a failure is itself an audit-log event the operator can review.
+ */
+const CONSTITUTION = `You are the constitutional reviewer for a CLI agent that holds offsec
+tooling. Before any tool call fires, you say approve / refine / veto.
+
+PRINCIPLES (most important first):
+
+1. Operator authorization is the load-bearing assumption. The user has
+   pre-authorized targets via the rulebook + their own engagement
+   scope. You don't second-guess that. You DO catch drift: tools
+   targeting hosts/files/URLs that have nothing to do with the recent
+   conversation.
+
+2. Coordinated disclosure is pinned. Any tool call whose effect is to
+   exfiltrate, sell, or silently retain a finding without sending it
+   through hackerone / vendor PSIRT / CERT-CC / published-advisory /
+   internal-writeup must be vetoed. "Broker" / "buyer" / "private
+   sale" in args means veto.
+
+3. Destructive operations on shared infrastructure get refined. rm -rf
+   on a path the agent didn't itself create, force-push to main,
+   DROP TABLE on prod-shaped DBs — these get a refine with a tighter
+   scope suggestion, not a veto (the operator can override).
+
+4. Scope creep beats target drift. "We were investigating X but the
+   agent now wants to scan Y" gets a veto. "We were on phase.recon
+   but the agent skipped to phase.disclose" gets a refine.
+
+5. Fail open. If you can't decide, approve with reason="uncertain —
+   approving conservatively". Refusing every uncertain call locks the
+   CLI for no benefit.`;
+const VETO_PATTERNS_BASH = [
+    // rm -rf where the target is the filesystem root, $HOME, or ~ as the
+    // full atom (not a path prefix). The lookahead requires a shell-
+    // separator or end-of-string immediately after, so `rm -rf /tmp/x`
+    // is allowed and `rm -rf /` / `rm -rf $HOME` are vetoed.
+    { pattern: /\brm\s+-[a-zA-Z]*r[a-zA-Z]*f?\s+(?:\/|\$HOME|~)(?=\s|$|;|&|\|)/, reason: 'rm -rf on filesystem root, $HOME, or ~' },
+    // dd / mkfs to block devices
+    { pattern: /\bdd\s+if=\/dev\/(?:zero|random|urandom)\s+of=\/(?:dev\/[hsv]d[a-z]|[A-Za-z])/, reason: 'dd-zero/random to a block device or filesystem root' },
+    { pattern: /\bmkfs\b.*\/dev\/[hsv]d[a-z]/, reason: 'mkfs targeting a block device' },
+    // fork bomb
+    { pattern: /:\(\)\s*\{\s*:\|:&\s*\}\s*;\s*:/, reason: 'fork bomb' },
+    // curl/wget piped to shell. Match wget/curl, any non-pipe/separator
+    // text up to the first |, then a shell name as the next word.
+    { pattern: /\bcurl\b[^|;&]*\|\s*(?:bash|sh|zsh|fish)\b/i, reason: 'curl-to-shell' },
+    { pattern: /\bwget\b[^|;&]*\|\s*(?:bash|sh|zsh|fish)\b/i, reason: 'wget-to-shell' },
+];
+const VETO_PATTERNS_DISCLOSURE = /\b(?:broker|brokerage|zerodium|crowdfense|silent\s+sale|private\s+buyer|sell\s+(?:exploit|0day|zero[- ]day))\b/i;
+function heuristicReview(toolName, args) {
+    if (toolName === 'Bash' || toolName === 'kali_sqlmap' /* … other shell-shaped tools */) {
+        const cmd = args?.command || '';
+        for (const { pattern, reason } of VETO_PATTERNS_BASH) {
+            if (pattern.test(cmd)) {
+                return { decision: 'veto', reason, source: 'heuristic' };
+            }
+        }
+    }
+    // Cross-tool: any args field that looks like a brokerage handoff is
+    // a hard veto regardless of the tool surface.
+    const argsJson = JSON.stringify(args ?? {});
+    if (VETO_PATTERNS_DISCLOSURE.test(argsJson)) {
+        return { decision: 'veto', reason: 'disclosure path resembles brokerage / private sale', source: 'heuristic' };
+    }
+    return null; // no heuristic verdict — defer to LLM (or approve)
+}
+function isLlmReviewerEnabled() {
+    const v = (process.env['EROSOLAR_REVIEWER'] || '').toLowerCase();
+    return v === '1' || v === 'true' || v === 'on';
+}
+let cachedReviewer = null;
+let reviewerInitFailed = false;
+async function getLlmReviewer() {
+    if (reviewerInitFailed)
+        return null;
+    if (cachedReviewer)
+        return cachedReviewer;
+    if (!process.env['ANTHROPIC_API_KEY']) {
+        reviewerInitFailed = true;
+        return null;
+    }
+    try {
+        const { createProvider, hasProvider } = await import('../providers/providerFactory.js');
+        if (!hasProvider('anthropic')) {
+            // Provider plugin not registered yet — happens when reviewerGuard
+            // runs before agent boot completes the registration. Mark as
+            // failed (we'll fail open) and let the next boot retry.
+            reviewerInitFailed = true;
+            return null;
+        }
+        cachedReviewer = createProvider({
+            provider: 'anthropic',
+            model: process.env['EROSOLAR_REVIEWER_MODEL'] || 'claude-haiku-4-5-20251001',
+        });
+        return cachedReviewer;
+    }
+    catch {
+        reviewerInitFailed = true;
+        return null;
+    }
+}
+export function buildReviewPrompt(toolName, args) {
+    return [
+        CONSTITUTION,
+        '',
+        '## Proposed tool call',
+        `tool: ${toolName}`,
+        `args: ${JSON.stringify(args, null, 2).slice(0, 4000)}`,
+        '',
+        '## Output',
+        'Reply with ONLY a JSON object on a single line:',
+        '{"decision": "approve" | "refine" | "veto", "reason": "≤200 chars"}',
+        'No preamble, no markdown fences, no commentary.',
+    ].join('\n');
+}
+export function parseReviewDecision(text) {
+    const match = text.match(/\{[\s\S]*?\}/);
+    if (!match)
+        return null;
+    try {
+        const obj = JSON.parse(match[0]);
+        const d = String(obj.decision || '').toLowerCase();
+        if (d === 'approve' || d === 'refine' || d === 'veto') {
+            return { decision: d, reason: String(obj.reason || '').slice(0, 200), source: 'llm' };
+        }
+    }
+    catch { /* fall through */ }
+    return null;
+}
+/**
+ * Review a proposed tool call. Decision flow:
+ *   1. Heuristic veto patterns — if any match, veto immediately (no LLM).
+ *   2. If EROSOLAR_REVIEWER env is on AND ANTHROPIC_API_KEY is present,
+ *      call the reviewer model.
+ *   3. Otherwise, approve.
+ */
+export async function reviewToolCall(toolName, args) {
+    const heuristic = heuristicReview(toolName, args);
+    if (heuristic)
+        return heuristic;
+    if (!isLlmReviewerEnabled()) {
+        return { decision: 'approve', reason: 'reviewer disabled', source: 'disabled' };
+    }
+    const reviewer = await getLlmReviewer();
+    if (!reviewer) {
+        return { decision: 'approve', reason: 'no LLM reviewer configured', source: 'disabled' };
+    }
+    try {
+        const prompt = buildReviewPrompt(toolName, args);
+        const res = await reviewer.generate([{ role: 'user', content: prompt }], []);
+        const text = res.type === 'message' ? res.content : (res.content ?? '');
+        const parsed = parseReviewDecision(text);
+        if (!parsed) {
+            return {
+                decision: 'approve',
+                reason: 'unparseable reviewer response — failing open',
+                source: 'error',
+            };
+        }
+        return parsed;
+    }
+    catch (err) {
+        return {
+            decision: 'approve',
+            reason: `reviewer error: ${err.message.slice(0, 100)} — failing open`,
+            source: 'error',
+        };
+    }
+}
+//# sourceMappingURL=reviewerGuard.js.map

package/dist/core/reviewerGuard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reviewerGuard.js","sourceRoot":"","sources":["../../src/core/reviewerGuard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAUH,MAAM,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;uBA4BE,CAAC;AAExB,MAAM,kBAAkB,GAA0C;IAChE,qEAAqE;IACrE,iEAAiE;IACjE,mEAAmE;IACnE,yDAAyD;IACzD,EAAE,OAAO,EAAE,gEAAgE,EAAE,MAAM,EAAE,wCAAwC,EAAE;IAC/H,6BAA6B;IAC7B,EAAE,OAAO,EAAE,+EAA+E,EAAE,MAAM,EAAE,qDAAqD,EAAE;IAC3J,EAAE,OAAO,EAAE,8BAA8B,EAAE,MAAM,EAAE,+BAA+B,EAAE;IACpF,YAAY;IACZ,EAAE,OAAO,EAAE,iCAAiC,EAAE,MAAM,EAAE,WAAW,EAAE;IACnE,oEAAoE;IACpE,8DAA8D;IAC9D,EAAE,OAAO,EAAE,6CAA6C,EAAE,MAAM,EAAE,eAAe,EAAE;IACnF,EAAE,OAAO,EAAE,6CAA6C,EAAE,MAAM,EAAE,eAAe,EAAE;CACpF,CAAC;AAEF,MAAM,wBAAwB,GAAG,iHAAiH,CAAC;AAEnJ,SAAS,eAAe,CAAC,QAAgB,EAAE,IAAa;IACtD,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,aAAa,CAAC,gCAAgC,EAAE,CAAC;QACvF,MAAM,GAAG,GAAI,IAA6B,EAAE,OAAO,IAAI,EAAE,CAAC;QAC1D,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,kBAAkB,EAAE,CAAC;YACrD,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtB,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;YAC3D,CAAC;QACH,CAAC;IACH,CAAC;IACD,oEAAoE;IACpE,8CAA8C;IAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAC5C,IAAI,wBAAwB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,oDAAoD,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IACjH,CAAC;IACD,OAAO,IAAI,CAAC,CAAC,mDAAmD;AAClE,CAAC;AAED,SAAS,oBAAoB;IAC3B,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACjE,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,IAAI,CAAC;AACjD,CAAC;AAED,IAAI,cAAc,GAAuB,IAAI,CAAC;AAC9C,IAAI,kBAAkB,GAAG,KAAK,CAAC;AAE/B,KAAK,UAAU,cAAc;IAC3B,IAAI,kBAAkB;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,cAAc;QAAE,OAAO,cAAc,CAAC;IAC1C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACtC,kBAAkB,GAAG,IAAI,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC;QACH,MAAM,EAAE,cAAc,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,iCAAiC,CAAC,CAAC;QACxF,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC;YAC9B,kEAAkE;YAClE,6DAA6D;YAC7D,wDAAwD;YACxD,kBAAkB,GAAG,IAAI,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QACD,cAAc,GAAG,cAAc,CAAC;YAC9B,QAAQ,EAAE,WAAW;YACrB,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,IAAI,2BAA2B;SAC7E,CAAC,CAAC;QACH,OAAO,cAAc,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB,GAAG,IAAI,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE,IAAa;IAC/D,OAAO;QACL,YAAY;QACZ,EAAE;QACF,uBAAuB;QACvB,SAAS,QAAQ,EAAE;QACnB,SAAS,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE;QACvD,EAAE;QACF,WAAW;QACX,iDAAiD;QACjD,qEAAqE;QACrE,iDAAiD;KAClD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,IAAY;IAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IACzC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAA6C,CAAC;QAC7E,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QACnD,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,MAAM,EAAE,CAAC;YACtD,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QACxF,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;IAC9B,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,IAAa;IAClE,MAAM,SAAS,GAAG,eAAe,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAClD,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAEhC,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC5B,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,mBAAmB,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IAClF,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM,cAAc,EAAE,CAAC;IACxC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,4BAA4B,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IAC3F,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,iBAAiB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACjD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,CACjC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,EACnC,EAAE,CACH,CAAC;QACF,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;QACxE,MAAM,MAAM,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACzC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,QAAQ,EAAE,SAAS;gBACnB,MAAM,EAAE,8CAA8C;gBACtD,MAAM,EAAE,OAAO;aAChB,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,mBAAoB,GAAa,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,iBAAiB;YAChF,MAAM,EAAE,OAAO;SAChB,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/core/toolRuntime.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"toolRuntime.d.ts","sourceRoot":"","sources":["../../src/core/toolRuntime.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,UAAU,EACf,KAAK,sBAAsB,EAC3B,KAAK,eAAe,EACrB,MAAM,YAAY,CAAC;AAMpB,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD,OAAO,EAAwE,KAAK,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAKrI;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,UAAU,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3C;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAC9F,wCAAwC;IACxC,WAAW,CAAC,CAAC,IAAI,EAAE,eAAe,GAAG;QAAE,IAAI,EAAE,CAAC,CAAA;KAAE,GAAG,IAAI,CAAC;IAExD,wDAAwD;IACxD,YAAY,CAAC,CAAC,IAAI,EAAE,eAAe,GAAG;QAAE,IAAI,EAAE,CAAC,CAAA;KAAE,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAEzE,uCAAuC;IACvC,WAAW,CAAC,CAAC,IAAI,EAAE,eAAe,GAAG;QAAE,IAAI,EAAE,CAAC,CAAA;KAAE,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAEvE,6DAA6D;IAC7D,UAAU,CAAC,CAAC,IAAI,EAAE,eAAe,GAAG;QAAE,IAAI,EAAE,CAAC,CAAA;KAAE,GAAG,IAAI,CAAC;IAEvD,iEAAiE;IACjE,cAAc,CAAC,CAAC,IAAI,EAAE,eAAe,GAAG;QAAE,IAAI,EAAE,CAAC,CAAA;KAAE,EAAE,QAAQ,EAAE,kBAAkB,GAAG,IAAI,CAAC;IAEzF,2DAA2D;IAC3D,aAAa,CAAC,CAAC,IAAI,EAAE,eAAe,GAAG;QAAE,IAAI,EAAE,CAAC,CAAA;KAAE,EAAE,OAAO,EAAE,gBAAgB,GAAG,MAAM,GAAG,IAAI,CAAC;CAC/F;AAED,UAAU,kBAAkB;IAC1B,QAAQ,CAAC,QAAQ,CAAC,EAAE,mBAAmB,CAAC;IACxC,QAAQ,CAAC,cAAc,CAAC,EAAE,cAAc,CAAC;IACzC,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;IAC/B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B;;;;OAIG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;GAEG;AACH,KAAK,WAAW,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,CAC9E,IAAI,EAAE,CAAC,KACJ,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;AAE9B;;GAEG;AACH,MAAM,WAAW,cAAc,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IACzF,qCAAqC;IACrC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,sDAAsD;IACtD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,0DAA0D;IAC1D,QAAQ,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAEvC,mDAAmD;IACnD,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAEjC,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;IAE7B,kFAAkF;IAClF,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IAEpB,wDAAwD;IACxD,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAE9B,8CAA8C;IAC9C,QAAQ,CAAC,KAAK,EAAE,SAAS,cAAc,EAAE,CAAC;CAC3C;AAYD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AASD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,IAAI,CAkBrE;AA+CD;;GAEG;AACH,yBAAiB,gBAAgB,CAAC;IAChC;;OAEG;IACH,SAAgB,oBAAoB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACpE,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,GAC5B,cAAc,CAAC,CAAC,CAAC,CAEnB;IAED;;OAEG;IACH,SAAgB,eAAe,CAC7B,KAAK,EAAE,SAAS,GACf,SAAS,CAEX;IAED;;OAEG;IACH,SAAgB,gBAAgB,CAC9B,MAAM,EAAE,cAAc,EACtB,cAAc,CAAC,EAAE,gBAAgB,GAChC,OAAO,CAIT;CACF;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,iBAAiB,IAAI,sBAAsB,EAAE,CAAC;IAC9C,OAAO,CAAC,IAAI,EAAE,eAAe,EAAE,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACvH,aAAa,CAAC,KAAK,EAAE,SAAS,GAAG,IAAI,CAAC;IACtC,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,UAAU,IAAI,IAAI,CAAC;IACnB,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IACnD,gBAAgB,IAAI,IAAI,CAAC;IACzB,cAAc,IAAI,SAAS,gBAAgB,EAAE,CAAC;IAC9C,kBAAkB,IAAI,IAAI,CAAC;IAC3B,gBAAgB,IAAI,SAAS,kBAAkB,EAAE,CAAC;CACnD;AAED,qBAAa,WAAY,YAAW,YAAY;IAC9C,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiC;IAC1D,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAgB;IAClD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA6B;IACtD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAwB;IACvD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAiC;IACvD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAU;IACtC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA0B;IACtD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAM;IACrC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA4B;IAC1D,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAK;IACtC,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAQ;IAE9C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAc;gBAExB,SAAS,GAAE,cAAc,EAAO,EAAE,OAAO,GAAE,kBAAuB;IAwB9E,aAAa,CAAC,KAAK,EAAE,SAAS,GAAG,IAAI;IAUrC,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAYjC,iBAAiB,IAAI,sBAAsB,EAAE;IAWvC,OAAO,CAAC,IAAI,EAAE,eAAe,EAAE,QAAQ,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IA2L7H,OAAO,CAAC,WAAW;IAInB,UAAU,IAAI,IAAI;IAIlB,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;IAWlD,gBAAgB,IAAI,IAAI;IAIxB,cAAc,IAAI,SAAS,gBAAgB,EAAE;IAI7C,OAAO,CAAC,iBAAiB;IAOzB,kBAAkB,IAAI,IAAI;IAI1B,gBAAgB,IAAI,SAAS,kBAAkB,EAAE;IAIjD,OAAO,CAAC,OAAO;IAef,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,kBAAkB;IAiB1B,OAAO,CAAC,kBAAkB;IAS1B,OAAO,CAAC,eAAe;IAoBvB,OAAO,CAAC,gBAAgB;CAGzB;AAED,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,oBAAoB,EAC7B,UAAU,GAAE,SAAS,EAAO,EAC5B,OAAO,GAAE,kBAAuB,GAC/B,WAAW,CAUb"}
+{"version":3,"file":"toolRuntime.d.ts","sourceRoot":"","sources":["../../src/core/toolRuntime.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,UAAU,EACf,KAAK,sBAAsB,EAC3B,KAAK,eAAe,EACrB,MAAM,YAAY,CAAC;AAMpB,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD,OAAO,EAAwE,KAAK,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAKrI;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,UAAU,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3C;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAC9F,wCAAwC;IACxC,WAAW,CAAC,CAAC,IAAI,EAAE,eAAe,GAAG;QAAE,IAAI,EAAE,CAAC,CAAA;KAAE,GAAG,IAAI,CAAC;IAExD,wDAAwD;IACxD,YAAY,CAAC,CAAC,IAAI,EAAE,eAAe,GAAG;QAAE,IAAI,EAAE,CAAC,CAAA;KAAE,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAEzE,uCAAuC;IACvC,WAAW,CAAC,CAAC,IAAI,EAAE,eAAe,GAAG;QAAE,IAAI,EAAE,CAAC,CAAA;KAAE,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAEvE,6DAA6D;IAC7D,UAAU,CAAC,CAAC,IAAI,EAAE,eAAe,GAAG;QAAE,IAAI,EAAE,CAAC,CAAA;KAAE,GAAG,IAAI,CAAC;IAEvD,iEAAiE;IACjE,cAAc,CAAC,CAAC,IAAI,EAAE,eAAe,GAAG;QAAE,IAAI,EAAE,CAAC,CAAA;KAAE,EAAE,QAAQ,EAAE,kBAAkB,GAAG,IAAI,CAAC;IAEzF,2DAA2D;IAC3D,aAAa,CAAC,CAAC,IAAI,EAAE,eAAe,GAAG;QAAE,IAAI,EAAE,CAAC,CAAA;KAAE,EAAE,OAAO,EAAE,gBAAgB,GAAG,MAAM,GAAG,IAAI,CAAC;CAC/F;AAED,UAAU,kBAAkB;IAC1B,QAAQ,CAAC,QAAQ,CAAC,EAAE,mBAAmB,CAAC;IACxC,QAAQ,CAAC,cAAc,CAAC,EAAE,cAAc,CAAC;IACzC,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;IAC/B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B;;;;OAIG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;GAEG;AACH,KAAK,WAAW,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,CAC9E,IAAI,EAAE,CAAC,KACJ,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;AAE9B;;GAEG;AACH,MAAM,WAAW,cAAc,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IACzF,qCAAqC;IACrC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,sDAAsD;IACtD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,0DAA0D;IAC1D,QAAQ,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAEvC,mDAAmD;IACnD,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAEjC,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;IAE7B,kFAAkF;IAClF,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IAEpB,wDAAwD;IACxD,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAE9B,8CAA8C;IAC9C,QAAQ,CAAC,KAAK,EAAE,SAAS,cAAc,EAAE,CAAC;CAC3C;AAYD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AASD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,IAAI,CAkBrE;AA+CD;;GAEG;AACH,yBAAiB,gBAAgB,CAAC;IAChC;;OAEG;IACH,SAAgB,oBAAoB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACpE,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,GAC5B,cAAc,CAAC,CAAC,CAAC,CAEnB;IAED;;OAEG;IACH,SAAgB,eAAe,CAC7B,KAAK,EAAE,SAAS,GACf,SAAS,CAEX;IAED;;OAEG;IACH,SAAgB,gBAAgB,CAC9B,MAAM,EAAE,cAAc,EACtB,cAAc,CAAC,EAAE,gBAAgB,GAChC,OAAO,CAIT;CACF;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,iBAAiB,IAAI,sBAAsB,EAAE,CAAC;IAC9C,OAAO,CAAC,IAAI,EAAE,eAAe,EAAE,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACvH,aAAa,CAAC,KAAK,EAAE,SAAS,GAAG,IAAI,CAAC;IACtC,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,UAAU,IAAI,IAAI,CAAC;IACnB,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IACnD,gBAAgB,IAAI,IAAI,CAAC;IACzB,cAAc,IAAI,SAAS,gBAAgB,EAAE,CAAC;IAC9C,kBAAkB,IAAI,IAAI,CAAC;IAC3B,gBAAgB,IAAI,SAAS,kBAAkB,EAAE,CAAC;CACnD;AAED,qBAAa,WAAY,YAAW,YAAY;IAC9C,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiC;IAC1D,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAgB;IAClD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA6B;IACtD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAwB;IACvD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAiC;IACvD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAU;IACtC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA0B;IACtD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAM;IACrC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA4B;IAC1D,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAK;IACtC,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAQ;IAE9C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAc;gBAExB,SAAS,GAAE,cAAc,EAAO,EAAE,OAAO,GAAE,kBAAuB;IAwB9E,aAAa,CAAC,KAAK,EAAE,SAAS,GAAG,IAAI;IAUrC,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAYjC,iBAAiB,IAAI,sBAAsB,EAAE;IAWvC,OAAO,CAAC,IAAI,EAAE,eAAe,EAAE,QAAQ,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IA6O7H,OAAO,CAAC,WAAW;IAInB,UAAU,IAAI,IAAI;IAIlB,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;IAWlD,gBAAgB,IAAI,IAAI;IAIxB,cAAc,IAAI,SAAS,gBAAgB,EAAE;IAI7C,OAAO,CAAC,iBAAiB;IAOzB,kBAAkB,IAAI,IAAI;IAI1B,gBAAgB,IAAI,SAAS,kBAAkB,EAAE;IAIjD,OAAO,CAAC,OAAO;IAef,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,kBAAkB;IAiB1B,OAAO,CAAC,kBAAkB;IAS1B,OAAO,CAAC,eAAe;IAoBvB,OAAO,CAAC,gBAAgB;CAGzB;AAED,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,oBAAoB,EAC7B,UAAU,GAAE,SAAS,EAAO,EAC5B,OAAO,GAAE,kBAAuB,GAC/B,WAAW,CAUb"}

package/dist/core/toolRuntime.js

@@ -248,6 +248,57 @@ export class ToolRuntime {
                 // A buggy hook should never crash the agent. Log + continue.
                 logDebug('[hooks] PreToolUse error: ' + err.message);
             }
+            // Constitutional reviewer guard. Two layers:
+            //   - Heuristic veto patterns (always on) — `rm -rf /` style
+            //     destructive ops, fork bombs, curl-to-shell, broker-shaped
+            //     disclosure args.
+            //   - LLM reviewer (gated by EROSOLAR_REVIEWER=1, default off)
+            //     — Anthropic Haiku-tier model checks the call against a
+            //     short constitution, returns approve/refine/veto.
+            // Vetoes block the call. Refines log + continue (soft warning).
+            // All non-approve decisions are audit-logged (best-effort) to
+            // Firestore at reviewer_log/{uid}/decisions/{id}. The reviewer
+            // fails open on any internal error — refusing every uncertain
+            // call would brick the CLI for users without the reviewer
+            // model configured.
+            try {
+                const { reviewToolCall } = await import('./reviewerGuard.js');
+                const review = await reviewToolCall(call.name, args);
+                if (review.decision !== 'approve') {
+                    // Best-effort audit log — fire-and-forget.
+                    void (async () => {
+                        try {
+                            const { writeReviewerLog } = await import('./userApproval.js');
+                            await writeReviewerLog({
+                                toolName: call.name,
+                                decision: review.decision,
+                                reason: review.reason,
+                                source: review.source,
+                                argsSummary: JSON.stringify(args).slice(0, 500),
+                            });
+                        }
+                        catch { /* swallow — audit is non-critical */ }
+                    })();
+                    if (review.decision === 'veto') {
+                        const message = `Error: ${call.name} vetoed by constitutional reviewer (${review.source}): ${review.reason}`;
+                        this.observer?.onToolError?.(augmentedCall, message);
+                        this.recordToolHistory({
+                            toolName: call.name,
+                            args,
+                            timestamp: Date.now(),
+                            success: false,
+                            hasOutput: false,
+                        });
+                        return message;
+                    }
+                    // 'refine' is a soft warning — log and proceed; the model
+                    // will see the tool output and can self-correct on retry.
+                    logDebug(`[reviewer] refine ${call.name}: ${review.reason}`);
+                }
+            }
+            catch (err) {
+                logDebug('[reviewer] guard error: ' + err.message);
+            }
             const result = await toolExecutionContext.run({ call: augmentedCall, observer: this.observer ?? undefined }, async () => record.definition.handler(args));
             let output = typeof result === 'string' ? result : JSON.stringify(result, null, 2);
             // PostToolUse hooks: append text from each matching hook so