@ttctl/core 0.0.0 → 0.1.0-rc.1

package/dist/config.d.ts

@@ -0,0 +1,212 @@
+import { z } from "zod";
+/**
+ * Source pattern for a 1Password item reference, exported as a STRING (not
+ * a `RegExp`) so non-schema consumers (the CLI's interactive `auth init`
+ * flow's validation closure) can adopt the canonical pattern without
+ * pulling the entire Zod schema into their bundle. Analogous to
+ * {@link ./lib/redact.ts#BEARER_PATTERN_SOURCE}.
+ *
+ * Forms accepted:
+ *   - `op://VAULT/ITEM` (2-segment) — relies on `op` CLI default-account or
+ *     `OP_ACCOUNT` env. Works for single-account setups.
+ *   - `op://ACCOUNT/VAULT/ITEM` (3-segment) — selects a specific account
+ *     when the user has multiple `op` accounts configured. ACCOUNT is
+ *     forwarded verbatim to `op item get --account` (accepts UUID,
+ *     shorthand, or sign-in email — `op` CLI validates).
+ *
+ * Per-field references (`op://VAULT/ITEM/FIELD` or 4+ segments) are
+ * deliberately NOT supported — TTCtl always reads `username` and `password`
+ * from a single LOGIN-category item. The pattern rejects 4+ segments.
+ */
+export declare const OP_REF_PATTERN_SOURCE: "^op://(?:[^/]+/)?[^/]+/[^/]+$";
+/**
+ * Canonical user-facing hint paired with {@link OP_REF_PATTERN_SOURCE}.
+ * Used as the Zod error message AND as the CLI's interactive-prompt
+ * validation hint so both surfaces speak the same language. Phrased as a
+ * standalone sentence (no field-name prefix) because the schema's
+ * `formatLoadValidationError` adds the field path (`auth.credentials:`) and
+ * the CLI prompt has its own context.
+ */
+export declare const OP_REF_PATTERN_HINT: "Expected op://[account/]vault/item \u2014 no /field suffix";
+/**
+ * Literal credentials in YAML — discouraged for daily use; the 1Password form
+ * is recommended.
+ *
+ * Field name is `username` (matching 1Password's `USERNAME` purpose semantics
+ * and the issue's user-facing schema). The value must be a valid email since
+ * Toptal's `EmailPasswordSignIn` mutation only accepts emails.
+ */
+declare const LiteralCredentialsSchema: z.ZodObject<{
+    username: z.ZodEmail;
+    password: z.ZodString;
+}, z.core.$strict>;
+/**
+ * Polymorphic credentials value:
+ *   - string → 1Password item reference (Form A)
+ *   - object → literal { username, password } (Form B)
+ *
+ * The runtime `signIn()` flow collapses both into the internal `Credentials`
+ * shape `{ email, password }` (the GraphQL mutation parameter name is
+ * `email` — the YAML/op:// surface uses `username` to match 1Password's
+ * USERNAME purpose).
+ */
+export declare const AuthCredentialsSchema: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
+    username: z.ZodEmail;
+    password: z.ZodString;
+}, z.core.$strict>]>;
+export type AuthCredentials = z.infer<typeof AuthCredentialsSchema>;
+export type LiteralAuthCredentials = z.infer<typeof LiteralCredentialsSchema>;
+/**
+ * `auth` block schema for runtime LOAD operations. Strict — rejects unknown
+ * fields and rejects an empty `auth: {}` (the user must author at least one
+ * of `credentials` or `token` for the runtime to be useful).
+ *
+ * Four valid lifecycle states (Forms A-D from the design doc):
+ *
+ *   - **Form A** — `credentials: "op://..."` (1Password reference). No token
+ *     yet — `auth signin` will write one.
+ *   - **Form B** — `credentials: { username, password }` (literal). No token
+ *     yet.
+ *   - **Form C** — `token: "..."` only (no credentials). The bearer is
+ *     supplied directly; `auth signin` is not applicable. Common in the E2E
+ *     sandbox and in deployments that bootstrap a token out-of-band.
+ *   - **Form D** — both `credentials` AND `token`. Post-signin state for
+ *     Form A or B configs; the captured bearer is persisted alongside the
+ *     credentials.
+ */
+declare const AuthBlockLoadSchema: z.ZodObject<{
+    credentials: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
+        username: z.ZodEmail;
+        password: z.ZodString;
+    }, z.core.$strict>]>>;
+    token: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type AuthBlock = z.infer<typeof AuthBlockLoadSchema>;
+/**
+ * Top-level config schema (load form). Single config; no profiles.
+ *
+ * Compared to the prior shape:
+ *   - Removed top-level `auth` polymorphic value (string or `{email,password}`)
+ *     in favor of a structured `auth: { credentials?, token? }` block.
+ *   - Removed `auth-token-path` field — the captured bearer now lives inside
+ *     the same YAML file at `auth.token`. Project-scoped configs are routed
+ *     via direnv (see README § Configuration).
+ */
+export declare const ConfigLoadSchema: z.ZodObject<{
+    auth: z.ZodObject<{
+        credentials: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
+            username: z.ZodEmail;
+            password: z.ZodString;
+        }, z.core.$strict>]>>;
+        token: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+/**
+ * Top-level config schema (write form). Permits empty `auth: {}` for the
+ * post-signout transient state when the source was Form C.
+ */
+export declare const ConfigWriteSchema: z.ZodObject<{
+    auth: z.ZodObject<{
+        credentials: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
+            username: z.ZodEmail;
+            password: z.ZodString;
+        }, z.core.$strict>]>>;
+        token: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+/**
+ * Runtime-validated config object (load form). The shape clients read from
+ * disk after `loadConfigFile`.
+ */
+export type TtctlConfig = z.infer<typeof ConfigLoadSchema>;
+/**
+ * Permissive config shape used for write-back (`persistAuthToken`,
+ * `signOut`). Empty `auth: {}` is acceptable mid-lifecycle.
+ */
+export type TtctlConfigWritable = z.infer<typeof ConfigWriteSchema>;
+/**
+ * Discriminator on `ConfigError` so consumers can switch on error class
+ * without pattern-matching prose messages.
+ *
+ *   - `NO_CREDS`   — config not found via the resolution chain, or the
+ *                    chosen path doesn't exist on disk.
+ *   - `PARSE`      — YAML parse error (malformed file).
+ *   - `VALIDATION` — schema validation error (wrong shape, missing fields).
+ *   - `PERMISSION` — file exists but is not accessible (EACCES / EPERM), OR
+ *                    file is at an unsafe location (sync-root, symlink) per
+ *                    the security gates in the resolution chain.
+ *   - `LOCKED`     — advisory write-back lock could not be acquired within
+ *                    the contention budget (≤1s). Another ttctl process
+ *                    (CLI signin or long-running MCP tool call) holds the
+ *                    sibling lockfile. Retry the operation.
+ */
+export type ConfigErrorCode = "NO_CREDS" | "PARSE" | "VALIDATION" | "PERMISSION" | "LOCKED";
+export declare class ConfigError extends Error {
+    readonly code: ConfigErrorCode;
+    readonly path?: string | undefined;
+    readonly name = "ConfigError";
+    constructor(message: string, code: ConfigErrorCode, path?: string | undefined);
+}
+/**
+ * Read, parse, and validate the config file at `path`.
+ *
+ * Pre-flight `fs.stat`:
+ *   - ENOENT → `ConfigError(code: NO_CREDS)` so a missing explicit path or
+ *     `TTCTL_CONFIG_FILE` value surfaces uniformly with the
+ *     "no config found anywhere" branch in `resolveConfig`.
+ *   - EACCES / EPERM → `ConfigError(code: PERMISSION)`.
+ *   - Mode-strictness gate (POSIX): refuse to LOAD when the file is
+ *     world-writable (`mode & 0o002 != 0` — covers 0666, 0777, etc.).
+ *     Closes a TOCTOU window on credential reads. Throws
+ *     `ConfigError(PERMISSION)` with the actual mode in the error message.
+ *   - Mode-warning (POSIX): emit a stderr warning when group/world bits
+ *     other than world-writable are set (e.g. 0644). Non-fatal; the file
+ *     may carry a 1Password reference (low-risk on its own) or, in literal
+ *     form, a plaintext password — `0o600` is the right posture.
+ */
+export declare function loadConfigFile(path: string): TtctlConfig;
+/**
+ * Options for `resolveConfig`. Currently only `path`; kept as an options
+ * object so future flags don't require another signature break.
+ */
+export interface ResolveConfigOptions {
+    /**
+     * Explicit config path. Wins over `TTCTL_CONFIG_FILE` and the home default.
+     * Used verbatim — no existence pre-check (`loadConfigFile` surfaces ENOENT
+     * as `code: 'NO_CREDS'`).
+     */
+    path?: string;
+}
+/**
+ * Deterministic config-path resolution.
+ *
+ * Precedence (highest → lowest):
+ *
+ *   1. Explicit `path` argument (passed by the caller — e.g., `--config`
+ *      flag from #93). Used verbatim, no existence check.
+ *   2. `TTCTL_CONFIG_FILE` env var. Same verbatim treatment as `path`.
+ *   3. `~/.ttctl.yaml` (POSIX home dotfile), when the file exists on disk.
+ *
+ * Returns `null` when none of the above produce a path. Callers that want
+ * project-scoped configs use `direnv` to set `TTCTL_CONFIG_FILE` per
+ * directory — the CWD `./.ttctl.yaml` is NOT consulted (closed since #92).
+ *
+ * NOTE: XDG paths (`$XDG_CONFIG_HOME/ttctl/config.yaml`,
+ * `~/.config/ttctl/config.yaml`) are NO LONGER consulted. The single-file
+ * model places the captured bearer in the same YAML; `~/.ttctl.yaml` is
+ * the canonical home location.
+ */
+export declare function discoverConfigPath(path?: string): string | null;
+/**
+ * Convenience: discover and load.
+ *
+ * When the resolution chain returns `null` AND a `./.ttctl.yaml` exists in
+ * `process.cwd()`, surface a deprecation message pointing the user at the
+ * supported escape hatches. The CWD file is NEVER auto-loaded.
+ */
+export declare function resolveConfig(options?: ResolveConfigOptions): {
+    config: TtctlConfig;
+    path: string;
+};
+export {};
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,qBAAqB,EAAG,+BAAwC,CAAC;AAE9E;;;;;;;GAOG;AACH,eAAO,MAAM,mBAAmB,EAAG,4DAAgE,CAAC;AAIpG;;;;;;;GAOG;AACH,QAAA,MAAM,wBAAwB;;;kBAKnB,CAAC;AAEZ;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB;;;oBAAkE,CAAC;AAErG,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACpE,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAE9E;;;;;;;;;;;;;;;;;GAiBG;AACH,QAAA,MAAM,mBAAmB;;;;;;kBAgBrB,CAAC;AAEL,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAiB5D;;;;;;;;;GASG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;kBAIlB,CAAC;AAEZ;;;GAGG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;kBAInB,CAAC;AAEZ;;;GAGG;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE3D;;;GAGG;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAEpE;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG,OAAO,GAAG,YAAY,GAAG,YAAY,GAAG,QAAQ,CAAC;AAE5F,qBAAa,WAAY,SAAQ,KAAK;aAIlB,IAAI,EAAE,eAAe;aACrB,IAAI,CAAC,EAAE,MAAM;IAJ/B,SAAkB,IAAI,iBAAiB;gBAErC,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,eAAe,EACrB,IAAI,CAAC,EAAE,MAAM,YAAA;CAIhC;AAoFD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,WAAW,CAkExD;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC;;;;OAIG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAU/D;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,OAAO,GAAE,oBAAyB,GAAG;IAAE,MAAM,EAAE,WAAW,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAkBvG"}

package/dist/config.js

@@ -0,0 +1,349 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+// Copyright (C) 2026 Oleksii PELYKH
+import { existsSync, readFileSync, statSync } from "node:fs";
+import { homedir } from "node:os";
+import { join, resolve } from "node:path";
+import { parse as parseYaml } from "yaml";
+import { z } from "zod";
+/**
+ * Source pattern for a 1Password item reference, exported as a STRING (not
+ * a `RegExp`) so non-schema consumers (the CLI's interactive `auth init`
+ * flow's validation closure) can adopt the canonical pattern without
+ * pulling the entire Zod schema into their bundle. Analogous to
+ * {@link ./lib/redact.ts#BEARER_PATTERN_SOURCE}.
+ *
+ * Forms accepted:
+ *   - `op://VAULT/ITEM` (2-segment) — relies on `op` CLI default-account or
+ *     `OP_ACCOUNT` env. Works for single-account setups.
+ *   - `op://ACCOUNT/VAULT/ITEM` (3-segment) — selects a specific account
+ *     when the user has multiple `op` accounts configured. ACCOUNT is
+ *     forwarded verbatim to `op item get --account` (accepts UUID,
+ *     shorthand, or sign-in email — `op` CLI validates).
+ *
+ * Per-field references (`op://VAULT/ITEM/FIELD` or 4+ segments) are
+ * deliberately NOT supported — TTCtl always reads `username` and `password`
+ * from a single LOGIN-category item. The pattern rejects 4+ segments.
+ */
+export const OP_REF_PATTERN_SOURCE = "^op://(?:[^/]+/)?[^/]+/[^/]+$";
+/**
+ * Canonical user-facing hint paired with {@link OP_REF_PATTERN_SOURCE}.
+ * Used as the Zod error message AND as the CLI's interactive-prompt
+ * validation hint so both surfaces speak the same language. Phrased as a
+ * standalone sentence (no field-name prefix) because the schema's
+ * `formatLoadValidationError` adds the field path (`auth.credentials:`) and
+ * the CLI prompt has its own context.
+ */
+export const OP_REF_PATTERN_HINT = "Expected op://[account/]vault/item — no /field suffix";
+const OnePasswordReferenceSchema = z.string().regex(new RegExp(OP_REF_PATTERN_SOURCE), OP_REF_PATTERN_HINT);
+/**
+ * Literal credentials in YAML — discouraged for daily use; the 1Password form
+ * is recommended.
+ *
+ * Field name is `username` (matching 1Password's `USERNAME` purpose semantics
+ * and the issue's user-facing schema). The value must be a valid email since
+ * Toptal's `EmailPasswordSignIn` mutation only accepts emails.
+ */
+const LiteralCredentialsSchema = z
+    .object({
+    username: z.email({ message: "auth.credentials.username must be a valid email address" }),
+    password: z.string().min(1, { message: "auth.credentials.password must be a non-empty string" }),
+})
+    .strict();
+/**
+ * Polymorphic credentials value:
+ *   - string → 1Password item reference (Form A)
+ *   - object → literal { username, password } (Form B)
+ *
+ * The runtime `signIn()` flow collapses both into the internal `Credentials`
+ * shape `{ email, password }` (the GraphQL mutation parameter name is
+ * `email` — the YAML/op:// surface uses `username` to match 1Password's
+ * USERNAME purpose).
+ */
+export const AuthCredentialsSchema = z.union([OnePasswordReferenceSchema, LiteralCredentialsSchema]);
+/**
+ * `auth` block schema for runtime LOAD operations. Strict — rejects unknown
+ * fields and rejects an empty `auth: {}` (the user must author at least one
+ * of `credentials` or `token` for the runtime to be useful).
+ *
+ * Four valid lifecycle states (Forms A-D from the design doc):
+ *
+ *   - **Form A** — `credentials: "op://..."` (1Password reference). No token
+ *     yet — `auth signin` will write one.
+ *   - **Form B** — `credentials: { username, password }` (literal). No token
+ *     yet.
+ *   - **Form C** — `token: "..."` only (no credentials). The bearer is
+ *     supplied directly; `auth signin` is not applicable. Common in the E2E
+ *     sandbox and in deployments that bootstrap a token out-of-band.
+ *   - **Form D** — both `credentials` AND `token`. Post-signin state for
+ *     Form A or B configs; the captured bearer is persisted alongside the
+ *     credentials.
+ */
+const AuthBlockLoadSchema = z
+    .object({
+    credentials: AuthCredentialsSchema.optional(),
+    token: z.string().min(1, { message: "auth.token must be a non-empty string" }).optional(),
+})
+    .strict()
+    .superRefine((auth, ctx) => {
+    if (auth.credentials === undefined && auth.token === undefined) {
+        ctx.addIssue({
+            code: "custom",
+            message: "auth must contain at least one of 'credentials' (op:// reference or { username, password } object) " +
+                "or 'token' (bearer string captured by `ttctl auth signin`)",
+            path: [],
+        });
+    }
+});
+/**
+ * `auth` block schema for runtime WRITE operations. Permissive — both
+ * `credentials` and `token` are optional, AND empty `auth: {}` is accepted.
+ *
+ * Used by `persistAuthToken` and the signout flow during the brief window
+ * between mutation and disk-write. The strict load schema rejects empty
+ * `auth: {}` at the next file-load — see DQ-6 in the design doc.
+ */
+const AuthBlockWriteSchema = z
+    .object({
+    credentials: AuthCredentialsSchema.optional(),
+    token: z.string().min(1).optional(),
+})
+    .strict();
+/**
+ * Top-level config schema (load form). Single config; no profiles.
+ *
+ * Compared to the prior shape:
+ *   - Removed top-level `auth` polymorphic value (string or `{email,password}`)
+ *     in favor of a structured `auth: { credentials?, token? }` block.
+ *   - Removed `auth-token-path` field — the captured bearer now lives inside
+ *     the same YAML file at `auth.token`. Project-scoped configs are routed
+ *     via direnv (see README § Configuration).
+ */
+export const ConfigLoadSchema = z
+    .object({
+    auth: AuthBlockLoadSchema,
+})
+    .strict();
+/**
+ * Top-level config schema (write form). Permits empty `auth: {}` for the
+ * post-signout transient state when the source was Form C.
+ */
+export const ConfigWriteSchema = z
+    .object({
+    auth: AuthBlockWriteSchema,
+})
+    .strict();
+export class ConfigError extends Error {
+    code;
+    path;
+    name = "ConfigError";
+    constructor(message, code, path) {
+        super(message);
+        this.code = code;
+        this.path = path;
+    }
+}
+/**
+ * Map a Zod issue path to a human-friendly field reference for surfacing
+ * validation failures. Walks the issue's path array to build a dotted-prose
+ * descriptor (e.g. `["auth", "credentials", "password"]` → `auth.credentials.password`).
+ *
+ * The empty-path case (refinement-level errors) returns `auth` as the
+ * operative scope so the message reads naturally.
+ */
+function formatIssuePath(path) {
+    if (path.length === 0)
+        return "auth";
+    const parts = [];
+    for (const segment of path) {
+        if (typeof segment === "number") {
+            parts[parts.length - 1] = `${parts[parts.length - 1] ?? ""}[${segment.toString()}]`;
+        }
+        else if (typeof segment === "string") {
+            parts.push(segment);
+        }
+        else {
+            // symbol key — zod permits this in object schemas but our config has
+            // no symbol-keyed fields. Render via .toString() so the message is
+            // still readable rather than dropping the segment.
+            parts.push(segment.toString());
+        }
+    }
+    return parts.join(".");
+}
+/**
+ * Detect the legacy pre-#107 config shape (`auth` as a top-level string,
+ * e.g. `auth: "op://Personal/ttctl"`) and return a tailored migration error,
+ * or `null` if the parsed YAML does not match this shape.
+ *
+ * The post-#107 `ConfigLoadSchema` rejects `auth: <string>` at union
+ * discrimination, so `superRefine` never fires for this case — the dedicated
+ * migration message MUST land before Zod runs. Detection point is mechanical:
+ * after `parseYaml(raw)`, before `ConfigLoadSchema.safeParse(parsed)`.
+ *
+ * Other malformed shapes (typos, missing fields, wrong scalar types other
+ * than string at `auth`) continue to flow through `formatLoadValidationError`.
+ *
+ * The error code stays `VALIDATION` — preserves the CLI/MCP exit-code
+ * contract from #107. The migration text is part of `ConfigError.message`,
+ * not a separate stderr emit, so JSON wire-format consumers see one
+ * coherent `{ code, message }` payload.
+ */
+function detectLegacyShape(parsed, path) {
+    if (parsed !== null && typeof parsed === "object" && "auth" in parsed && typeof parsed.auth === "string") {
+        const literal = parsed.auth;
+        return new ConfigError([
+            `Config file ${path} uses the legacy pre-#107 shape:`,
+            ``,
+            `    auth: "${literal}"`,
+            ``,
+            `Migrate to the structured shape:`,
+            ``,
+            `    auth:`,
+            `      credentials: "${literal}"`,
+            ``,
+            `See CLAUDE.md § Auth Model for the canonical migration recipe.`,
+        ].join("\n"), "VALIDATION", path);
+    }
+    return null;
+}
+/**
+ * Render a Zod safe-parse failure into a single-line `ConfigError` message
+ * that names the failing branch / field where possible. Defends against the
+ * naked `z.union` "Invalid input" UX.
+ */
+function formatLoadValidationError(err, path) {
+    const lines = [];
+    for (const issue of err.issues) {
+        const fieldPath = formatIssuePath(issue.path);
+        lines.push(`${fieldPath}: ${issue.message}`);
+    }
+    const summary = lines.length === 0 ? "Invalid config shape" : lines.join("; ");
+    return new ConfigError(`Config validation failed: ${summary}`, "VALIDATION", path);
+}
+/**
+ * Read, parse, and validate the config file at `path`.
+ *
+ * Pre-flight `fs.stat`:
+ *   - ENOENT → `ConfigError(code: NO_CREDS)` so a missing explicit path or
+ *     `TTCTL_CONFIG_FILE` value surfaces uniformly with the
+ *     "no config found anywhere" branch in `resolveConfig`.
+ *   - EACCES / EPERM → `ConfigError(code: PERMISSION)`.
+ *   - Mode-strictness gate (POSIX): refuse to LOAD when the file is
+ *     world-writable (`mode & 0o002 != 0` — covers 0666, 0777, etc.).
+ *     Closes a TOCTOU window on credential reads. Throws
+ *     `ConfigError(PERMISSION)` with the actual mode in the error message.
+ *   - Mode-warning (POSIX): emit a stderr warning when group/world bits
+ *     other than world-writable are set (e.g. 0644). Non-fatal; the file
+ *     may carry a 1Password reference (low-risk on its own) or, in literal
+ *     form, a plaintext password — `0o600` is the right posture.
+ */
+export function loadConfigFile(path) {
+    const stat = (() => {
+        try {
+            return statSync(path);
+        }
+        catch (err) {
+            const e = err;
+            if (e.code === "ENOENT") {
+                throw new ConfigError(`Config file not found: ${path}`, "NO_CREDS", path);
+            }
+            if (e.code === "EACCES" || e.code === "EPERM") {
+                throw new ConfigError(`Cannot access config file (permission denied): ${path}`, "PERMISSION", path);
+            }
+            throw new ConfigError(`Cannot stat config file: ${e.message}`, "NO_CREDS", path);
+        }
+    })();
+    if (process.platform !== "win32") {
+        const mode = stat.mode & 0o777;
+        if ((mode & 0o002) !== 0) {
+            const modeStr = mode.toString(8).padStart(3, "0");
+            throw new ConfigError(`Refusing to load world-writable config file ${path} (mode 0${modeStr}). ` +
+                `The file may contain a captured bearer token; world-writable mode opens a TOCTOU window. ` +
+                `Run: chmod 600 ${path}`, "PERMISSION", path);
+        }
+        if ((mode & 0o077) !== 0) {
+            const modeStr = mode.toString(8).padStart(3, "0");
+            process.stderr.write(`WARNING: config file ${path} is group/world readable (mode 0${modeStr}). ` +
+                `It may contain a 1Password reference, plaintext password, or captured bearer. ` +
+                `Run: chmod 600 ${path}\n`);
+        }
+    }
+    let raw;
+    try {
+        raw = readFileSync(path, "utf8");
+    }
+    catch (err) {
+        const e = err;
+        if (e.code === "EACCES" || e.code === "EPERM") {
+            throw new ConfigError(`Cannot read config file (permission denied): ${path}`, "PERMISSION", path);
+        }
+        throw new ConfigError(`Cannot read config file: ${e.message}`, "NO_CREDS", path);
+    }
+    let parsed;
+    try {
+        parsed = parseYaml(raw);
+    }
+    catch (err) {
+        throw new ConfigError(`Invalid YAML: ${err.message}`, "PARSE", path);
+    }
+    const legacyError = detectLegacyShape(parsed, path);
+    if (legacyError !== null) {
+        throw legacyError;
+    }
+    const result = ConfigLoadSchema.safeParse(parsed);
+    if (!result.success) {
+        throw formatLoadValidationError(result.error, path);
+    }
+    return result.data;
+}
+/**
+ * Deterministic config-path resolution.
+ *
+ * Precedence (highest → lowest):
+ *
+ *   1. Explicit `path` argument (passed by the caller — e.g., `--config`
+ *      flag from #93). Used verbatim, no existence check.
+ *   2. `TTCTL_CONFIG_FILE` env var. Same verbatim treatment as `path`.
+ *   3. `~/.ttctl.yaml` (POSIX home dotfile), when the file exists on disk.
+ *
+ * Returns `null` when none of the above produce a path. Callers that want
+ * project-scoped configs use `direnv` to set `TTCTL_CONFIG_FILE` per
+ * directory — the CWD `./.ttctl.yaml` is NOT consulted (closed since #92).
+ *
+ * NOTE: XDG paths (`$XDG_CONFIG_HOME/ttctl/config.yaml`,
+ * `~/.config/ttctl/config.yaml`) are NO LONGER consulted. The single-file
+ * model places the captured bearer in the same YAML; `~/.ttctl.yaml` is
+ * the canonical home location.
+ */
+export function discoverConfigPath(path) {
+    if (path !== undefined)
+        return path;
+    const envPath = process.env["TTCTL_CONFIG_FILE"];
+    if (envPath !== undefined && envPath !== "")
+        return envPath;
+    const homePath = join(homedir(), ".ttctl.yaml");
+    if (existsSync(homePath))
+        return homePath;
+    return null;
+}
+/**
+ * Convenience: discover and load.
+ *
+ * When the resolution chain returns `null` AND a `./.ttctl.yaml` exists in
+ * `process.cwd()`, surface a deprecation message pointing the user at the
+ * supported escape hatches. The CWD file is NEVER auto-loaded.
+ */
+export function resolveConfig(options = {}) {
+    const path = discoverConfigPath(options.path);
+    if (path === null) {
+        const legacyCwdPath = resolve(process.cwd(), ".ttctl.yaml");
+        if (existsSync(legacyCwdPath)) {
+            throw new ConfigError(`No config found via --config, TTCTL_CONFIG_FILE, or ~/.ttctl.yaml. ` +
+                `Note: a CWD .ttctl.yaml was found at ${legacyCwdPath} but is not auto-discovered. ` +
+                `Set TTCTL_CONFIG_FILE=${legacyCwdPath} (e.g. via direnv) or move it to ~/.ttctl.yaml.`, "NO_CREDS");
+        }
+        throw new ConfigError("No config found. Pass --config <path>, set TTCTL_CONFIG_FILE, or place config at ~/.ttctl.yaml. See README for setup.", "NO_CREDS");
+    }
+    return { config: loadConfigFile(path), path };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,oCAAoC;AAEpC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAC1C,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,+BAAwC,CAAC;AAE9E;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,uDAAgE,CAAC;AAEpG,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,qBAAqB,CAAC,EAAE,mBAAmB,CAAC,CAAC;AAE5G;;;;;;;GAOG;AACH,MAAM,wBAAwB,GAAG,CAAC;KAC/B,MAAM,CAAC;IACN,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,yDAAyD,EAAE,CAAC;IACzF,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,sDAAsD,EAAE,CAAC;CACjG,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,0BAA0B,EAAE,wBAAwB,CAAC,CAAC,CAAC;AAKrG;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,mBAAmB,GAAG,CAAC;KAC1B,MAAM,CAAC;IACN,WAAW,EAAE,qBAAqB,CAAC,QAAQ,EAAE;IAC7C,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC1F,CAAC;KACD,MAAM,EAAE;KACR,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC/D,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,QAAQ;YACd,OAAO,EACL,qGAAqG;gBACrG,4DAA4D;YAC9D,IAAI,EAAE,EAAE;SACT,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC;AAIL;;;;;;;GAOG;AACH,MAAM,oBAAoB,GAAG,CAAC;KAC3B,MAAM,CAAC;IACN,WAAW,EAAE,qBAAqB,CAAC,QAAQ,EAAE;IAC7C,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;CACpC,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC;KAC9B,MAAM,CAAC;IACN,IAAI,EAAE,mBAAmB;CAC1B,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC;KAC/B,MAAM,CAAC;IACN,IAAI,EAAE,oBAAoB;CAC3B,CAAC;KACD,MAAM,EAAE,CAAC;AAgCZ,MAAM,OAAO,WAAY,SAAQ,KAAK;IAIlB;IACA;IAJA,IAAI,GAAG,aAAa,CAAC;IACvC,YACE,OAAe,EACC,IAAqB,EACrB,IAAa;QAE7B,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,SAAI,GAAJ,IAAI,CAAiB;QACrB,SAAI,GAAJ,IAAI,CAAS;IAG/B,CAAC;CACF;AAED;;;;;;;GAOG;AACH,SAAS,eAAe,CAAC,IAAgC;IACvD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IACrC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,MAAM,OAAO,IAAI,IAAI,EAAE,CAAC;QAC3B,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAChC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC;QACtF,CAAC;aAAM,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YACvC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtB,CAAC;aAAM,CAAC;YACN,qEAAqE;YACrE,mEAAmE;YACnE,mDAAmD;YACnD,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAS,iBAAiB,CAAC,MAAe,EAAE,IAAY;IACtD,IAAI,MAAM,KAAK,IAAI,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QACzG,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC;QAC5B,OAAO,IAAI,WAAW,CACpB;YACE,eAAe,IAAI,kCAAkC;YACrD,EAAE;YACF,cAAc,OAAO,GAAG;YACxB,EAAE;YACF,kCAAkC;YAClC,EAAE;YACF,WAAW;YACX,uBAAuB,OAAO,GAAG;YACjC,EAAE;YACF,gEAAgE;SACjE,CAAC,IAAI,CAAC,IAAI,CAAC,EACZ,YAAY,EACZ,IAAI,CACL,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,SAAS,yBAAyB,CAAC,GAAe,EAAE,IAAY;IAC9D,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC9C,KAAK,CAAC,IAAI,CAAC,GAAG,SAAS,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAC/C,CAAC;IACD,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/E,OAAO,IAAI,WAAW,CAAC,6BAA6B,OAAO,EAAE,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC;AACrF,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,MAAM,IAAI,GAAG,CAAC,GAAG,EAAE;QACjB,IAAI,CAAC;YACH,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC;QACxB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,GAAG,GAA4B,CAAC;YACvC,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACxB,MAAM,IAAI,WAAW,CAAC,0BAA0B,IAAI,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC9C,MAAM,IAAI,WAAW,CAAC,kDAAkD,IAAI,EAAE,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC;YACtG,CAAC;YACD,MAAM,IAAI,WAAW,CAAC,4BAA4B,CAAC,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,CAAC;QACnF,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC;QAC/B,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAClD,MAAM,IAAI,WAAW,CACnB,+CAA+C,IAAI,WAAW,OAAO,KAAK;gBACxE,2FAA2F;gBAC3F,kBAAkB,IAAI,EAAE,EAC1B,YAAY,EACZ,IAAI,CACL,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAClD,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,wBAAwB,IAAI,mCAAmC,OAAO,KAAK;gBACzE,gFAAgF;gBAChF,kBAAkB,IAAI,IAAI,CAC7B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,GAAG,GAA4B,CAAC;QACvC,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC9C,MAAM,IAAI,WAAW,CAAC,gDAAgD,IAAI,EAAE,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC;QACpG,CAAC;QACD,MAAM,IAAI,WAAW,CAAC,4BAA4B,CAAC,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,CAAC;IACnF,CAAC;IAED,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,WAAW,CAAC,iBAAkB,GAAa,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,WAAW,GAAG,iBAAiB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACpD,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QACzB,MAAM,WAAW,CAAC;IACpB,CAAC;IAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAClD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,yBAAyB,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAeD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAa;IAC9C,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IACjD,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,EAAE;QAAE,OAAO,OAAO,CAAC;IAE5D,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,aAAa,CAAC,CAAC;IAChD,IAAI,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAE1C,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,UAAgC,EAAE;IAC9D,MAAM,IAAI,GAAG,kBAAkB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9C,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAClB,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,CAAC,CAAC;QAC5D,IAAI,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,WAAW,CACnB,qEAAqE;gBACnE,wCAAwC,aAAa,+BAA+B;gBACpF,yBAAyB,aAAa,iDAAiD,EACzF,UAAU,CACX,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,WAAW,CACnB,uHAAuH,EACvH,UAAU,CACX,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,cAAc,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC;AAChD,CAAC"}

package/dist/configLock.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Handle returned by `acquireConfigLock`. The caller MUST `release()` the
+ * handle when done — the recommended pattern is `try { ... } finally { await
+ * handle.release(); }` so the lock is released on every error path
+ * (read-fail, parse-fail, mtime-drift, write-fail, rename-fail, post-rename
+ * verify-fail).
+ *
+ * `release` is idempotent in practice — `proper-lockfile` registers an
+ * exit-handler via `signal-exit` that auto-cleans the lock on process death,
+ * so a missed release doesn't strand the lock across runs. But explicit
+ * release is still required for the in-process retry semantics: a deferred
+ * release means the next `acquireConfigLock` in the SAME process would see
+ * the lock held by itself and deadlock.
+ */
+export interface ConfigLockHandle {
+    release: () => Promise<void>;
+}
+/**
+ * Acquire an advisory exclusive lock for `configPath`.
+ *
+ * Implementation: `proper-lockfile` creates `<configPath>.lock` as a
+ * sibling DIRECTORY via atomic `mkdir(2)`. The `mkdir` syscall is atomic on
+ * ext4, APFS, NTFS, and any other filesystem with POSIX-equivalent
+ * semantics — `EEXIST` is the contention signal.
+ *
+ * Why sibling-lockfile and NOT self-lock: the atomic-rename pattern in
+ * `performYamlMutation` swaps the inode at `<configPath>` mid-operation. A
+ * `flock(fd)` on the original inode does NOT survive the rename and a
+ * concurrent locker on the post-rename inode sees no contention. The
+ * sibling pattern sidesteps this — the `.lock` directory's existence is the
+ * lock signal, independent of the config file's inode.
+ *
+ * Cross-platform: works identically on Linux/macOS/Windows — `mkdir`-based
+ * atomic creation is portable. No Windows no-op needed (in contrast to the
+ * existing POSIX-mode logic in `loadConfigFile` and `performYamlMutation`,
+ * which IS Windows-skipped because mode bits aren't meaningful).
+ *
+ * Contention: ≤1.0s wall-clock budget per `LOCK_RETRY_OPTIONS`. On timeout,
+ * throws `ConfigError(LOCKED)` naming the path and suggesting retry — never
+ * blocks indefinitely.
+ *
+ * `realpath: false` skips proper-lockfile's pre-flight `realpath()` check.
+ * The caller has already resolved `configPath` to an absolute, symlink-free
+ * path via `assertSafePath`, AND the config file may not exist yet (e.g.,
+ * the lock is acquired BEFORE the stat baseline that throws ENOENT). With
+ * `realpath: true` (the library default), a missing file would surface as
+ * an opaque proper-lockfile error before our own ENOENT path runs.
+ */
+export declare function acquireConfigLock(configPath: string): Promise<ConfigLockHandle>;
+//# sourceMappingURL=configLock.d.ts.map

package/dist/configLock.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"configLock.d.ts","sourceRoot":"","sources":["../src/configLock.ts"],"names":[],"mappings":"AAOA;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AA6BD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAiCrF"}