@vorionsys/atsf-core 0.1.0 → 0.2.1

package/dist/trust-engine/ceiling-enforcement/audit.js

@@ -0,0 +1,160 @@
+/**
+ * Phase 6 Q1: Ceiling Enforcement - Audit Layer
+ *
+ * Core responsibility: Log and track all ceiling enforcement decisions
+ * - Dual logging: raw_score + clamped_score for every event
+ * - Audit trail: timestamp, reason, context
+ * - Analytics: ceiling hit frequency, patterns, drift detection
+ */
+import { ContextType, } from './kernel';
+/**
+ * In-memory audit log (would be backed by persistent storage in production)
+ */
+export class CeilingAuditLog {
+    entries = [];
+    maxEntries = 10000; // Prevent unbounded growth in memory
+    /**
+     * Record a ceiling enforcement operation
+     */
+    addEntry(eventId, agentId, result, reason = 'automatic', tags = []) {
+        const entry = {
+            eventId,
+            agentId,
+            timestamp: new Date(),
+            rawScore: result.rawScore,
+            clampedScore: result.clampedScore,
+            ceiling: result.ceiling,
+            contextType: result.contextType,
+            ceilingHit: result.ceilingApplied,
+            reason,
+            tags,
+        };
+        this.entries.push(entry);
+        // Rotate oldest entries if we exceed max
+        if (this.entries.length > this.maxEntries) {
+            this.entries = this.entries.slice(-this.maxEntries);
+        }
+        return entry;
+    }
+    /**
+     * Get all audit entries
+     */
+    getEntries() {
+        return [...this.entries];
+    }
+    /**
+     * Get audit entries for a specific agent
+     */
+    getEntriesForAgent(agentId) {
+        return this.entries.filter((e) => e.agentId === agentId);
+    }
+    /**
+     * Get recent entries (last N)
+     */
+    getRecentEntries(count) {
+        return this.entries.slice(-count);
+    }
+    /**
+     * Clear audit log (for testing or reset)
+     */
+    clear() {
+        this.entries = [];
+    }
+    /**
+     * Compute statistics from audit log
+     */
+    computeStatistics() {
+        if (this.entries.length === 0) {
+            return {
+                totalEvents: 0,
+                ceilingHits: 0,
+                ceilingHitRate: 0,
+                avgRawScore: 0,
+                avgClampedScore: 0,
+                maxRawScore: 0,
+                maxClampingDelta: 0,
+                byContext: {
+                    [ContextType.LOCAL]: { hits: 0, rate: 0 },
+                    [ContextType.ENTERPRISE]: { hits: 0, rate: 0 },
+                    [ContextType.SOVEREIGN]: { hits: 0, rate: 0 },
+                },
+            };
+        }
+        let totalRawScore = 0;
+        let totalClampedScore = 0;
+        let ceilingHits = 0;
+        let maxRawScore = -Infinity;
+        let maxClampingDelta = 0;
+        const byContext = {
+            [ContextType.LOCAL]: { hits: 0, total: 0 },
+            [ContextType.ENTERPRISE]: { hits: 0, total: 0 },
+            [ContextType.SOVEREIGN]: { hits: 0, total: 0 },
+        };
+        for (const entry of this.entries) {
+            totalRawScore += entry.rawScore;
+            totalClampedScore += entry.clampedScore;
+            maxRawScore = Math.max(maxRawScore, entry.rawScore);
+            maxClampingDelta = Math.max(maxClampingDelta, entry.rawScore - entry.clampedScore);
+            if (entry.ceilingHit) {
+                ceilingHits++;
+            }
+            byContext[entry.contextType].total++;
+            if (entry.ceilingHit) {
+                byContext[entry.contextType].hits++;
+            }
+        }
+        return {
+            totalEvents: this.entries.length,
+            ceilingHits,
+            ceilingHitRate: ceilingHits / this.entries.length,
+            avgRawScore: totalRawScore / this.entries.length,
+            avgClampedScore: totalClampedScore / this.entries.length,
+            maxRawScore,
+            maxClampingDelta,
+            byContext: {
+                [ContextType.LOCAL]: {
+                    hits: byContext[ContextType.LOCAL].hits,
+                    rate: byContext[ContextType.LOCAL].total === 0
+                        ? 0
+                        : byContext[ContextType.LOCAL].hits /
+                            byContext[ContextType.LOCAL].total,
+                },
+                [ContextType.ENTERPRISE]: {
+                    hits: byContext[ContextType.ENTERPRISE].hits,
+                    rate: byContext[ContextType.ENTERPRISE].total === 0
+                        ? 0
+                        : byContext[ContextType.ENTERPRISE].hits /
+                            byContext[ContextType.ENTERPRISE].total,
+                },
+                [ContextType.SOVEREIGN]: {
+                    hits: byContext[ContextType.SOVEREIGN].hits,
+                    rate: byContext[ContextType.SOVEREIGN].total === 0
+                        ? 0
+                        : byContext[ContextType.SOVEREIGN].hits /
+                            byContext[ContextType.SOVEREIGN].total,
+                },
+            },
+        };
+    }
+    /**
+     * Check for anomalies (ceiling hits for normally-trusted agents)
+     */
+    detectCeilingAnomalies(agentId, anomalyThreshold = 0.05) {
+        const agentEntries = this.getEntriesForAgent(agentId);
+        if (agentEntries.length === 0) {
+            return [];
+        }
+        const hitRate = agentEntries.filter((e) => e.ceilingHit).length /
+            agentEntries.length;
+        // If hit rate is above threshold (normally 5%), flag as anomaly
+        if (hitRate > anomalyThreshold) {
+            return agentEntries.filter((e) => e.ceilingHit);
+        }
+        return [];
+    }
+}
+/**
+ * Global audit log instance
+ */
+export const globalCeilingAuditLog = new CeilingAuditLog();
+//# sourceMappingURL=audit.js.map

package/dist/trust-engine/ceiling-enforcement/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../../src/trust-engine/ceiling-enforcement/audit.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAOH,OAAO,EAEL,WAAW,GAEZ,MAAM,UAAU,CAAC;AAkDlB;;GAEG;AACH,MAAM,OAAO,eAAe;IAClB,OAAO,GAAwB,EAAE,CAAC;IAClC,UAAU,GAAW,KAAK,CAAC,CAAC,qCAAqC;IAEzE;;OAEG;IACH,QAAQ,CACN,OAAe,EACf,OAAe,EACf,MAAgC,EAChC,SAAiB,WAAW,EAC5B,OAAiB,EAAE;QAEnB,MAAM,KAAK,GAAsB;YAC/B,OAAO;YACP,OAAO;YACP,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,UAAU,EAAE,MAAM,CAAC,cAAc;YACjC,MAAM;YACN,IAAI;SACL,CAAC;QAEF,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAEzB,yCAAyC;QACzC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;YAC1C,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACtD,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,kBAAkB,CAAC,OAAe;QAChC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC;IAC3D,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,KAAa;QAC5B,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,OAAO,GAAG,EAAE,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO;gBACL,WAAW,EAAE,CAAC;gBACd,WAAW,EAAE,CAAC;gBACd,cAAc,EAAE,CAAC;gBACjB,WAAW,EAAE,CAAC;gBACd,eAAe,EAAE,CAAC;gBAClB,WAAW,EAAE,CAAC;gBACd,gBAAgB,EAAE,CAAC;gBACnB,SAAS,EAAE;oBACT,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE;oBACzC,CAAC,WAAW,CAAC,UAAU,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE;oBAC9C,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE;iBAC9C;aACF,CAAC;QACJ,CAAC;QAED,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,iBAAiB,GAAG,CAAC,CAAC;QAC1B,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,WAAW,GAAG,CAAC,QAAQ,CAAC;QAC5B,IAAI,gBAAgB,GAAG,CAAC,CAAC;QAEzB,MAAM,SAAS,GAAyD;YACtE,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE;YAC1C,CAAC,WAAW,CAAC,UAAU,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE;YAC/C,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE;SAC/C,CAAC;QAEF,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjC,aAAa,IAAI,KAAK,CAAC,QAAQ,CAAC;YAChC,iBAAiB,IAAI,KAAK,CAAC,YAAY,CAAC;YACxC,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;YACpD,gBAAgB,GAAG,IAAI,CAAC,GAAG,CACzB,gBAAgB,EAChB,KAAK,CAAC,QAAQ,GAAG,KAAK,CAAC,YAAY,CACpC,CAAC;YAEF,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;gBACrB,WAAW,EAAE,CAAC;YAChB,CAAC;YAED,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,KAAK,EAAE,CAAC;YACrC,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;gBACrB,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,EAAE,CAAC;YACtC,CAAC;QACH,CAAC;QAED,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM;YAChC,WAAW;YACX,cAAc,EAAE,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM;YACjD,WAAW,EAAE,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM;YAChD,eAAe,EAAE,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM;YACxD,WAAW;YACX,gBAAgB;YAChB,SAAS,EAAE;gBACT,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE;oBACnB,IAAI,EAAE,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,IAAI;oBACvC,IAAI,EACF,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,KAAK,KAAK,CAAC;wBACtC,CAAC,CAAC,CAAC;wBACH,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,IAAI;4BACjC,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,KAAK;iBACzC;gBACD,CAAC,WAAW,CAAC,UAAU,CAAC,EAAE;oBACxB,IAAI,EAAE,SAAS,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,IAAI;oBAC5C,IAAI,EACF,SAAS,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,KAAK,KAAK,CAAC;wBAC3C,CAAC,CAAC,CAAC;wBACH,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,IAAI;4BACtC,SAAS,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,KAAK;iBAC9C;gBACD,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE;oBACvB,IAAI,EAAE,SAAS,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,IAAI;oBAC3C,IAAI,EACF,SAAS,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,KAAK,KAAK,CAAC;wBAC1C,CAAC,CAAC,CAAC;wBACH,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,IAAI;4BACrC,SAAS,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,KAAK;iBAC7C;aACF;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,sBAAsB,CACpB,OAAe,EACf,mBAA2B,IAAI;QAE/B,MAAM,YAAY,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;QACtD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,OAAO,GACX,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,MAAM;YAC/C,YAAY,CAAC,MAAM,CAAC;QAEtB,gEAAgE;QAChE,IAAI,OAAO,GAAG,gBAAgB,EAAE,CAAC;YAC/B,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;QAClD,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;CACF;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,eAAe,EAAE,CAAC"}

package/dist/trust-engine/ceiling-enforcement/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Ceiling Enforcement Module (Q1) - Public API
+ */
+export * from './kernel.js';
+export * from './audit.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/trust-engine/ceiling-enforcement/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/trust-engine/ceiling-enforcement/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC"}

package/dist/trust-engine/ceiling-enforcement/index.js

@@ -0,0 +1,6 @@
+/**
+ * Ceiling Enforcement Module (Q1) - Public API
+ */
+export * from './kernel.js';
+export * from './audit.js';
+//# sourceMappingURL=index.js.map

package/dist/trust-engine/ceiling-enforcement/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/trust-engine/ceiling-enforcement/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC"}

package/dist/trust-engine/ceiling-enforcement/kernel.d.ts

@@ -0,0 +1,112 @@
+/**
+ * Phase 6 Q1: Ceiling Enforcement - Kernel Layer
+ *
+ * Core responsibility: Apply ceiling enforcement at kernel level (0-1000 scale)
+ * - Receives raw trust scores (any numeric value)
+ * - Clamps to 0-1000 based on context ceiling
+ * - Preserves raw score for audit trail (ceilingApplied flag)
+ * - <1ms latency target
+ */
+import { TrustEvent } from '../phase6-types.js';
+/**
+ * Context-based ceiling levels (from CONTEXT_CEILINGS)
+ */
+export declare enum ContextType {
+    LOCAL = "local",// 0-700: Restricted to test environments
+    ENTERPRISE = "enterprise",// 0-900: Approved for business operations
+    SOVEREIGN = "sovereign"
+}
+/**
+ * Result of ceiling enforcement operation
+ */
+export interface CeilingEnforcementResult {
+    /** Original raw score (unclamped) */
+    rawScore: number;
+    /** Clamped score (post-ceiling) */
+    clampedScore: number;
+    /** Ceiling that was applied */
+    ceiling: number;
+    /** Whether clamping occurred (rawScore !== clampedScore) */
+    ceilingApplied: boolean;
+    /** Context type that determined the ceiling */
+    contextType: ContextType;
+}
+/**
+ * Get ceiling value for a context type
+ *
+ * @param contextType - The context (local/enterprise/sovereign)
+ * @returns The ceiling value (700/900/1000)
+ */
+export declare function getCeilingForContext(contextType: ContextType): number;
+/**
+ * Clamp a raw score to the ceiling for a given context
+ *
+ * This is the core Q1 enforcement: kernel-level ceiling with dual logging
+ * - Raw score always preserved (for analytics)
+ * - Clamped score enforced at runtime (for authorization decisions)
+ * - Flag indicates whether ceiling was applied
+ *
+ * @param rawScore - The unprocessed trust score (may be >1000 or <0)
+ * @param contextType - The context determining the ceiling
+ * @returns CeilingEnforcementResult with raw/clamped scores and flags
+ *
+ * @example
+ * const result = clampTrustScore(1050, ContextType.ENTERPRISE);
+ * // { rawScore: 1050, clampedScore: 900, ceiling: 900, ceilingApplied: true, contextType: 'enterprise' }
+ */
+export declare function clampTrustScore(rawScore: number, contextType: ContextType): CeilingEnforcementResult;
+/**
+ * Apply ceiling enforcement to a TrustEvent
+ *
+ * This wraps clampTrustScore and populates the event's score and ceilingApplied fields
+ *
+ * @param event - The trust event to enforce ceiling on
+ * @param contextType - The context determining the ceiling
+ * @returns The modified TrustEvent with score clamped and ceilingApplied set
+ */
+export declare function applyCeilingEnforcement(event: TrustEvent, contextType: ContextType): TrustEvent;
+/**
+ * Validate that a score complies with its context ceiling
+ *
+ * This is used for assertions/validation - checking that a score
+ * was properly clamped before being used in authorization decisions
+ *
+ * @param score - The score to validate
+ * @param contextType - The context that should be limiting the score
+ * @returns true if score ≤ ceiling for this context
+ */
+export declare function validateScoreForContext(score: number, contextType: ContextType): boolean;
+/**
+ * Get the effective autonomy tier based on clamped score
+ *
+ * Maps the clamped score (after ceiling enforcement) to a tier level.
+ * This is used downstream (in role-gates, context-policy) to determine
+ * what operations are allowed.
+ *
+ * Tier mapping:
+ * - T0: 0-100 (Sandbox)
+ * - T1: 100-300 (Monitored)
+ * - T2: 300-500 (Supervised)
+ * - T3: 500-700 (Autonomous)
+ * - T4: 700-900 (Sovereign)
+ * - T5: 900-1000 (Verified)
+ *
+ * @param clampedScore - Score after ceiling enforcement
+ * @returns Tier number 0-5
+ */
+export declare function getTierFromScore(clampedScore: number): number;
+/**
+ * Compute the effective authorization tier
+ *
+ * This combines:
+ * 1. The clamped trust score (from ceiling enforcement)
+ * 2. The context ceiling
+ *
+ * Result is the minimum tier that respects both constraints.
+ *
+ * @param clampedScore - Score after ceiling enforcement
+ * @param contextType - Context that limited the score
+ * @returns Effective tier 0-5
+ */
+export declare function getEffectiveAuthorizationTier(clampedScore: number, contextType: ContextType): number;
+//# sourceMappingURL=kernel.d.ts.map

package/dist/trust-engine/ceiling-enforcement/kernel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kernel.d.ts","sourceRoot":"","sources":["../../../src/trust-engine/ceiling-enforcement/kernel.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAkC,MAAM,oBAAoB,CAAC;AAEhF;;GAEG;AACH,oBAAY,WAAW;IACrB,KAAK,UAAU,CAAS,yCAAyC;IACjE,UAAU,eAAe,CAAE,0CAA0C;IACrE,SAAS,cAAc;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,mCAAmC;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,+BAA+B;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,4DAA4D;IAC5D,cAAc,EAAE,OAAO,CAAC;IACxB,+CAA+C;IAC/C,WAAW,EAAE,WAAW,CAAC;CAC1B;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,WAAW,GAAG,MAAM,CAWrE;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,WAAW,GACvB,wBAAwB,CAqB1B;AAED;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,UAAU,EACjB,WAAW,EAAE,WAAW,GACvB,UAAU,CAQZ;AAED;;;;;;;;;GASG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,WAAW,GACvB,OAAO,CAGT;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAW7D;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,6BAA6B,CAC3C,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,WAAW,GACvB,MAAM,CASR"}

package/dist/trust-engine/ceiling-enforcement/kernel.js

@@ -0,0 +1,158 @@
+/**
+ * Phase 6 Q1: Ceiling Enforcement - Kernel Layer
+ *
+ * Core responsibility: Apply ceiling enforcement at kernel level (0-1000 scale)
+ * - Receives raw trust scores (any numeric value)
+ * - Clamps to 0-1000 based on context ceiling
+ * - Preserves raw score for audit trail (ceilingApplied flag)
+ * - <1ms latency target
+ */
+import { CONTEXT_CEILINGS } from '../phase6-types.js';
+/**
+ * Context-based ceiling levels (from CONTEXT_CEILINGS)
+ */
+export var ContextType;
+(function (ContextType) {
+    ContextType["LOCAL"] = "local";
+    ContextType["ENTERPRISE"] = "enterprise";
+    ContextType["SOVEREIGN"] = "sovereign";
+})(ContextType || (ContextType = {}));
+/**
+ * Get ceiling value for a context type
+ *
+ * @param contextType - The context (local/enterprise/sovereign)
+ * @returns The ceiling value (700/900/1000)
+ */
+export function getCeilingForContext(contextType) {
+    switch (contextType) {
+        case ContextType.LOCAL:
+            return CONTEXT_CEILINGS.local;
+        case ContextType.ENTERPRISE:
+            return CONTEXT_CEILINGS.enterprise;
+        case ContextType.SOVEREIGN:
+            return CONTEXT_CEILINGS.sovereign;
+        default:
+            throw new Error(`Unknown context type: ${contextType}`);
+    }
+}
+/**
+ * Clamp a raw score to the ceiling for a given context
+ *
+ * This is the core Q1 enforcement: kernel-level ceiling with dual logging
+ * - Raw score always preserved (for analytics)
+ * - Clamped score enforced at runtime (for authorization decisions)
+ * - Flag indicates whether ceiling was applied
+ *
+ * @param rawScore - The unprocessed trust score (may be >1000 or <0)
+ * @param contextType - The context determining the ceiling
+ * @returns CeilingEnforcementResult with raw/clamped scores and flags
+ *
+ * @example
+ * const result = clampTrustScore(1050, ContextType.ENTERPRISE);
+ * // { rawScore: 1050, clampedScore: 900, ceiling: 900, ceilingApplied: true, contextType: 'enterprise' }
+ */
+export function clampTrustScore(rawScore, contextType) {
+    // Validate inputs
+    if (!Number.isFinite(rawScore)) {
+        throw new Error(`Invalid raw score: ${rawScore}`);
+    }
+    if (!Object.values(ContextType).includes(contextType)) {
+        throw new Error(`Invalid context type: ${contextType}`);
+    }
+    const ceiling = getCeilingForContext(contextType);
+    // Clamp to [0, ceiling]
+    const clampedScore = Math.max(0, Math.min(rawScore, ceiling));
+    return {
+        rawScore,
+        clampedScore,
+        ceiling,
+        ceilingApplied: rawScore !== clampedScore,
+        contextType,
+    };
+}
+/**
+ * Apply ceiling enforcement to a TrustEvent
+ *
+ * This wraps clampTrustScore and populates the event's score and ceilingApplied fields
+ *
+ * @param event - The trust event to enforce ceiling on
+ * @param contextType - The context determining the ceiling
+ * @returns The modified TrustEvent with score clamped and ceilingApplied set
+ */
+export function applyCeilingEnforcement(event, contextType) {
+    const result = clampTrustScore(event.rawScore, contextType);
+    return {
+        ...event,
+        score: result.clampedScore,
+        ceilingApplied: result.ceilingApplied,
+    };
+}
+/**
+ * Validate that a score complies with its context ceiling
+ *
+ * This is used for assertions/validation - checking that a score
+ * was properly clamped before being used in authorization decisions
+ *
+ * @param score - The score to validate
+ * @param contextType - The context that should be limiting the score
+ * @returns true if score ≤ ceiling for this context
+ */
+export function validateScoreForContext(score, contextType) {
+    const ceiling = getCeilingForContext(contextType);
+    return score >= 0 && score <= ceiling;
+}
+/**
+ * Get the effective autonomy tier based on clamped score
+ *
+ * Maps the clamped score (after ceiling enforcement) to a tier level.
+ * This is used downstream (in role-gates, context-policy) to determine
+ * what operations are allowed.
+ *
+ * Tier mapping:
+ * - T0: 0-100 (Sandbox)
+ * - T1: 100-300 (Monitored)
+ * - T2: 300-500 (Supervised)
+ * - T3: 500-700 (Autonomous)
+ * - T4: 700-900 (Sovereign)
+ * - T5: 900-1000 (Verified)
+ *
+ * @param clampedScore - Score after ceiling enforcement
+ * @returns Tier number 0-5
+ */
+export function getTierFromScore(clampedScore) {
+    if (clampedScore < 0 || clampedScore > 1000) {
+        throw new Error(`Score out of range: ${clampedScore}`);
+    }
+    if (clampedScore < 100)
+        return 0;
+    if (clampedScore < 300)
+        return 1;
+    if (clampedScore < 500)
+        return 2;
+    if (clampedScore < 700)
+        return 3;
+    if (clampedScore < 900)
+        return 4;
+    return 5;
+}
+/**
+ * Compute the effective authorization tier
+ *
+ * This combines:
+ * 1. The clamped trust score (from ceiling enforcement)
+ * 2. The context ceiling
+ *
+ * Result is the minimum tier that respects both constraints.
+ *
+ * @param clampedScore - Score after ceiling enforcement
+ * @param contextType - Context that limited the score
+ * @returns Effective tier 0-5
+ */
+export function getEffectiveAuthorizationTier(clampedScore, contextType) {
+    // Validate that score respects the context ceiling
+    if (!validateScoreForContext(clampedScore, contextType)) {
+        throw new Error(`Score ${clampedScore} violates ceiling for context ${contextType}`);
+    }
+    return getTierFromScore(clampedScore);
+}
+//# sourceMappingURL=kernel.js.map

package/dist/trust-engine/ceiling-enforcement/kernel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kernel.js","sourceRoot":"","sources":["../../../src/trust-engine/ceiling-enforcement/kernel.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAA4B,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEhF;;GAEG;AACH,MAAM,CAAN,IAAY,WAIX;AAJD,WAAY,WAAW;IACrB,8BAAe,CAAA;IACf,wCAAyB,CAAA;IACzB,sCAAuB,CAAA;AACzB,CAAC,EAJW,WAAW,KAAX,WAAW,QAItB;AAkBD;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,WAAwB;IAC3D,QAAQ,WAAW,EAAE,CAAC;QACpB,KAAK,WAAW,CAAC,KAAK;YACpB,OAAO,gBAAgB,CAAC,KAAK,CAAC;QAChC,KAAK,WAAW,CAAC,UAAU;YACzB,OAAO,gBAAgB,CAAC,UAAU,CAAC;QACrC,KAAK,WAAW,CAAC,SAAS;YACxB,OAAO,gBAAgB,CAAC,SAAS,CAAC;QACpC;YACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,WAAW,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAgB,EAChB,WAAwB;IAExB,kBAAkB;IAClB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,sBAAsB,QAAQ,EAAE,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,yBAAyB,WAAW,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,OAAO,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;IAElD,wBAAwB;IACxB,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;IAE9D,OAAO;QACL,QAAQ;QACR,YAAY;QACZ,OAAO;QACP,cAAc,EAAE,QAAQ,KAAK,YAAY;QACzC,WAAW;KACZ,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,uBAAuB,CACrC,KAAiB,EACjB,WAAwB;IAExB,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IAE5D,OAAO;QACL,GAAG,KAAK;QACR,KAAK,EAAE,MAAM,CAAC,YAAY;QAC1B,cAAc,EAAE,MAAM,CAAC,cAAc;KACtC,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,uBAAuB,CACrC,KAAa,EACb,WAAwB;IAExB,MAAM,OAAO,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;IAClD,OAAO,KAAK,IAAI,CAAC,IAAI,KAAK,IAAI,OAAO,CAAC;AACxC,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,gBAAgB,CAAC,YAAoB;IACnD,IAAI,YAAY,GAAG,CAAC,IAAI,YAAY,GAAG,IAAI,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,uBAAuB,YAAY,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,IAAI,YAAY,GAAG,GAAG;QAAE,OAAO,CAAC,CAAC;IACjC,IAAI,YAAY,GAAG,GAAG;QAAE,OAAO,CAAC,CAAC;IACjC,IAAI,YAAY,GAAG,GAAG;QAAE,OAAO,CAAC,CAAC;IACjC,IAAI,YAAY,GAAG,GAAG;QAAE,OAAO,CAAC,CAAC;IACjC,IAAI,YAAY,GAAG,GAAG;QAAE,OAAO,CAAC,CAAC;IACjC,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,6BAA6B,CAC3C,YAAoB,EACpB,WAAwB;IAExB,mDAAmD;IACnD,IAAI,CAAC,uBAAuB,CAAC,YAAY,EAAE,WAAW,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CACb,SAAS,YAAY,iCAAiC,WAAW,EAAE,CACpE,CAAC;IACJ,CAAC;IAED,OAAO,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACxC,CAAC"}

package/dist/trust-engine/context-policy/enforcement.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Phase 6 Q2: Context Policy - Enforcement Layer
+ *
+ * Core responsibility: Enforce immutable agent context at instantiation
+ * - Context set at construction, never changes
+ * - Unforgeable governance audit trail
+ * - Clean multi-tenant isolation
+ * - <0.5ms validation latency
+ */
+/**
+ * Valid context types for agents
+ */
+export declare enum ContextType {
+    LOCAL = "local",// 0-700: Test/sandbox only
+    ENTERPRISE = "enterprise",// 0-900: Internal operations
+    SOVEREIGN = "sovereign"
+}
+/**
+ * Agent context with immutability guarantees
+ */
+export interface AgentContext {
+    readonly contextType: ContextType;
+    readonly agentId: string;
+    readonly tenantId: string;
+    readonly createdAt: Date;
+    readonly createdBy: string;
+    readonly contextHash: string;
+}
+/**
+ * Validate that a context type is valid
+ */
+export declare function validateContextType(value: unknown): value is ContextType;
+/**
+ * Create a cryptographic hash of context properties for immutability proof
+ * This prevents tampering with context post-creation
+ */
+export declare function computeContextHash(contextType: ContextType, agentId: string, tenantId: string, createdAt: Date, createdBy: string): string;
+/**
+ * Create an immutable agent context at instantiation time
+ * This is the only place context can be set - thereafter readonly
+ */
+export declare function createAgentContext(contextType: ContextType, agentId: string, tenantId: string, createdBy: string): AgentContext;
+/**
+ * Verify that context hasn't been tampered with
+ * by checking the cryptographic hash
+ */
+export declare function verifyContextIntegrity(context: AgentContext): boolean;
+/**
+ * Get the ceiling for a context (0-1000 scale)
+ */
+export declare function getContextCeiling(contextType: ContextType): number;
+/**
+ * Validate that an agent's context is appropriate for a given operation
+ * This is called by upstream decision layers (ceiling enforcement, role gates)
+ */
+export declare function validateContextForOperation(context: AgentContext, requiredContext: ContextType): boolean;
+/**
+ * Multi-tenant isolation check
+ * Ensures agents from one tenant can't access another tenant's context
+ */
+export declare function validateTenantIsolation(context: AgentContext, targetTenantId: string): boolean;
+//# sourceMappingURL=enforcement.d.ts.map

package/dist/trust-engine/context-policy/enforcement.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforcement.d.ts","sourceRoot":"","sources":["../../../src/trust-engine/context-policy/enforcement.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH;;GAEG;AACH,oBAAY,WAAW;IACrB,KAAK,UAAU,CAAc,2BAA2B;IACxD,UAAU,eAAe,CAAI,6BAA6B;IAC1D,SAAS,cAAc;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,WAAW,CAExE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,WAAW,EAAE,WAAW,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,IAAI,EACf,SAAS,EAAE,MAAM,GAChB,MAAM,CAUR;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,WAAW,EAAE,WAAW,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAChB,YAAY,CAuBd;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CASrE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,WAAW,GAAG,MAAM,CASlE;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,YAAY,EACrB,eAAe,EAAE,WAAW,GAC3B,OAAO,CAaT;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,YAAY,EACrB,cAAc,EAAE,MAAM,GACrB,OAAO,CAET"}

package/dist/trust-engine/context-policy/enforcement.js

@@ -0,0 +1,104 @@
+/**
+ * Phase 6 Q2: Context Policy - Enforcement Layer
+ *
+ * Core responsibility: Enforce immutable agent context at instantiation
+ * - Context set at construction, never changes
+ * - Unforgeable governance audit trail
+ * - Clean multi-tenant isolation
+ * - <0.5ms validation latency
+ */
+/**
+ * Valid context types for agents
+ */
+export var ContextType;
+(function (ContextType) {
+    ContextType["LOCAL"] = "local";
+    ContextType["ENTERPRISE"] = "enterprise";
+    ContextType["SOVEREIGN"] = "sovereign";
+})(ContextType || (ContextType = {}));
+/**
+ * Validate that a context type is valid
+ */
+export function validateContextType(value) {
+    return Object.values(ContextType).includes(value);
+}
+/**
+ * Create a cryptographic hash of context properties for immutability proof
+ * This prevents tampering with context post-creation
+ */
+export function computeContextHash(contextType, agentId, tenantId, createdAt, createdBy) {
+    const data = `${contextType}|${agentId}|${tenantId}|${createdAt.toISOString()}|${createdBy}`;
+    // Simple hash for demo (production would use crypto.createHash)
+    let hash = 0;
+    for (let i = 0; i < data.length; i++) {
+        const char = data.charCodeAt(i);
+        hash = (hash << 5) - hash + char;
+        hash = hash & hash; // Convert to 32-bit integer
+    }
+    return Math.abs(hash).toString(16);
+}
+/**
+ * Create an immutable agent context at instantiation time
+ * This is the only place context can be set - thereafter readonly
+ */
+export function createAgentContext(contextType, agentId, tenantId, createdBy) {
+    // Validate context type
+    if (!validateContextType(contextType)) {
+        throw new Error(`Invalid context type: ${contextType}`);
+    }
+    const createdAt = new Date();
+    const contextHash = computeContextHash(contextType, agentId, tenantId, createdAt, createdBy);
+    return Object.freeze({
+        contextType,
+        agentId,
+        tenantId,
+        createdAt,
+        createdBy,
+        contextHash,
+    });
+}
+/**
+ * Verify that context hasn't been tampered with
+ * by checking the cryptographic hash
+ */
+export function verifyContextIntegrity(context) {
+    const expectedHash = computeContextHash(context.contextType, context.agentId, context.tenantId, context.createdAt, context.createdBy);
+    return context.contextHash === expectedHash;
+}
+/**
+ * Get the ceiling for a context (0-1000 scale)
+ */
+export function getContextCeiling(contextType) {
+    switch (contextType) {
+        case ContextType.LOCAL:
+            return 700;
+        case ContextType.ENTERPRISE:
+            return 900;
+        case ContextType.SOVEREIGN:
+            return 1000;
+    }
+}
+/**
+ * Validate that an agent's context is appropriate for a given operation
+ * This is called by upstream decision layers (ceiling enforcement, role gates)
+ */
+export function validateContextForOperation(context, requiredContext) {
+    // Can't operate in a context more privileged than the agent's context
+    const contextHierarchy = [
+        ContextType.LOCAL,
+        ContextType.ENTERPRISE,
+        ContextType.SOVEREIGN,
+    ];
+    const agentContextRank = contextHierarchy.indexOf(context.contextType);
+    const requiredRank = contextHierarchy.indexOf(requiredContext);
+    // Agent can operate in required context if agent's context >= required
+    return agentContextRank >= requiredRank;
+}
+/**
+ * Multi-tenant isolation check
+ * Ensures agents from one tenant can't access another tenant's context
+ */
+export function validateTenantIsolation(context, targetTenantId) {
+    return context.tenantId === targetTenantId;
+}
+//# sourceMappingURL=enforcement.js.map

package/dist/trust-engine/context-policy/enforcement.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforcement.js","sourceRoot":"","sources":["../../../src/trust-engine/context-policy/enforcement.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH;;GAEG;AACH,MAAM,CAAN,IAAY,WAIX;AAJD,WAAY,WAAW;IACrB,8BAAe,CAAA;IACf,wCAAyB,CAAA;IACzB,sCAAuB,CAAA;AACzB,CAAC,EAJW,WAAW,KAAX,WAAW,QAItB;AAcD;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAc;IAChD,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,QAAQ,CAAC,KAAoB,CAAC,CAAC;AACnE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,WAAwB,EACxB,OAAe,EACf,QAAgB,EAChB,SAAe,EACf,SAAiB;IAEjB,MAAM,IAAI,GAAG,GAAG,WAAW,IAAI,OAAO,IAAI,QAAQ,IAAI,SAAS,CAAC,WAAW,EAAE,IAAI,SAAS,EAAE,CAAC;IAC7F,gEAAgE;IAChE,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAChC,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;QACjC,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,4BAA4B;IAClD,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;AACrC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,WAAwB,EACxB,OAAe,EACf,QAAgB,EAChB,SAAiB;IAEjB,wBAAwB;IACxB,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,yBAAyB,WAAW,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,WAAW,GAAG,kBAAkB,CACpC,WAAW,EACX,OAAO,EACP,QAAQ,EACR,SAAS,EACT,SAAS,CACV,CAAC;IAEF,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,WAAW;QACX,OAAO;QACP,QAAQ;QACR,SAAS;QACT,SAAS;QACT,WAAW;KACZ,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAqB;IAC1D,MAAM,YAAY,GAAG,kBAAkB,CACrC,OAAO,CAAC,WAAW,EACnB,OAAO,CAAC,OAAO,EACf,OAAO,CAAC,QAAQ,EAChB,OAAO,CAAC,SAAS,EACjB,OAAO,CAAC,SAAS,CAClB,CAAC;IACF,OAAO,OAAO,CAAC,WAAW,KAAK,YAAY,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAAwB;IACxD,QAAQ,WAAW,EAAE,CAAC;QACpB,KAAK,WAAW,CAAC,KAAK;YACpB,OAAO,GAAG,CAAC;QACb,KAAK,WAAW,CAAC,UAAU;YACzB,OAAO,GAAG,CAAC;QACb,KAAK,WAAW,CAAC,SAAS;YACxB,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAqB,EACrB,eAA4B;IAE5B,sEAAsE;IACtE,MAAM,gBAAgB,GAAG;QACvB,WAAW,CAAC,KAAK;QACjB,WAAW,CAAC,UAAU;QACtB,WAAW,CAAC,SAAS;KACtB,CAAC;IAEF,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACvE,MAAM,YAAY,GAAG,gBAAgB,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAE/D,uEAAuE;IACvE,OAAO,gBAAgB,IAAI,YAAY,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CACrC,OAAqB,EACrB,cAAsB;IAEtB,OAAO,OAAO,CAAC,QAAQ,KAAK,cAAc,CAAC;AAC7C,CAAC"}