aegis-mcp-server 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Cleburn
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,95 @@
+# aegis-mcp-server
+
+**MCP enforcement layer for the [Aegis](https://github.com/cleburn/aegis-spec) agent governance specification.**
+
+The spec writes the law. The CLI generates the law. This enforces the law.
+
+## What It Does
+
+`aegis-mcp-server` is an MCP server that validates every agent action against your `.agentpolicy/` files **before** it happens. Path permissions, content scanning, role boundaries, quality gates — all enforced at runtime with zero token overhead to the agent.
+
+The agent never loads your governance files. The MCP server reads them into its own process memory and validates silently. The agent calls governed tools (`aegis_write_file`, `aegis_read_file`, etc.) and gets back either a success or a blocked response with the specific reason.
+
+## Quick Start
+
+```bash
+npm install -g aegis-mcp-server
+
+# Or use npx
+npx aegis-mcp-server --project . --role default
+```
+
+### Claude Code Configuration
+
+```json
+{
+  "mcpServers": {
+    "aegis": {
+      "command": "npx",
+      "args": ["aegis-mcp-server", "--project", ".", "--role", "default"]
+    }
+  }
+}
+```
+
+For role-specific enforcement:
+
+```json
+{
+  "mcpServers": {
+    "aegis": {
+      "command": "npx",
+      "args": ["aegis-mcp-server", "--project", ".", "--role", "backend"]
+    }
+  }
+}
+```
+
+## Tools
+
+| Tool | What it does | Token cost |
+|------|-------------|------------|
+| `aegis_check_permissions` | Pre-check if an operation is allowed | Tiny — just the verdict |
+| `aegis_write_file` | Write with path + content validation | Same as a normal write |
+| `aegis_read_file` | Read with path validation | Same as a normal read |
+| `aegis_delete_file` | Delete with path validation | Tiny — just the verdict |
+| `aegis_execute` | Execute a command in project root | Command output only |
+| `aegis_complete_task` | Run quality gates before marking done | Gate results only |
+| `aegis_policy_summary` | Minimal role + permissions summary | ~200 tokens |
+
+## Zero Token Overhead
+
+Traditional approach: load governance files into the agent's context window. Token cost scales with policy complexity.
+
+Aegis MCP approach: the server loads policy into its own process memory. The agent calls tools and gets structured results. A project with 200 lines of governance has the same token cost as one with 20 lines. The complexity is absorbed by the server, not the agent.
+
+## Enforcement
+
+- **Governance boundaries** — `writable`, `read_only`, `forbidden` path lists from governance.json
+- **Role scoping** — agents confined to their role's writable and readable paths
+- **Sensitive pattern detection** — content scanned against governance-defined patterns
+- **Cross-domain boundaries** — imports validated against shared interface rules (when configured)
+- **Quality gate validation** — `pre_commit` flags mapped to `build_commands` and executed
+- **Override logging** — violations logged to append-only `overrides.jsonl`
+- **Immutable policies** — designated rules that cannot be overridden, even with human confirmation
+
+## Architecture
+
+```
+Agent ──→ aegis-mcp-server ──→ File System
+              │
+              ├── Loads .agentpolicy/ into process memory (once)
+              ├── Watches for policy changes (auto-reload)
+              ├── Validates every tool call against policy
+              └── Returns success or blocked with reason
+```
+
+Three artifacts, one governance framework:
+
+- [**aegis-spec**](https://github.com/cleburn/aegis-spec) — Writes the law
+- [**aegis-cli**](https://github.com/cleburn/aegis-cli) — Generates the law
+- **aegis-mcp-server** — Enforces the law
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,26 @@
+#!/usr/bin/env node
+/**
+ * Aegis MCP Server — Entry Point
+ *
+ * Starts the MCP enforcement server. Loads .agentpolicy/ into process memory,
+ * registers governed tools, and connects via stdio transport.
+ *
+ * The agent connects to this server and calls governed tools (aegis_write_file,
+ * aegis_read_file, etc.) instead of raw file system operations. All validation
+ * happens in this process at zero token cost to the agent.
+ *
+ * Usage:
+ *   aegis-mcp --project /path/to/project --role backend
+ *
+ * Claude Code MCP config:
+ *   {
+ *     "mcpServers": {
+ *       "aegis": {
+ *         "command": "npx",
+ *         "args": ["aegis-mcp-server", "--project", ".", "--role", "default"]
+ *       }
+ *     }
+ *   }
+ */
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;;;;;GAsBG"}

package/dist/index.js

@@ -0,0 +1,144 @@
+#!/usr/bin/env node
+/**
+ * Aegis MCP Server — Entry Point
+ *
+ * Starts the MCP enforcement server. Loads .agentpolicy/ into process memory,
+ * registers governed tools, and connects via stdio transport.
+ *
+ * The agent connects to this server and calls governed tools (aegis_write_file,
+ * aegis_read_file, etc.) instead of raw file system operations. All validation
+ * happens in this process at zero token cost to the agent.
+ *
+ * Usage:
+ *   aegis-mcp --project /path/to/project --role backend
+ *
+ * Claude Code MCP config:
+ *   {
+ *     "mcpServers": {
+ *       "aegis": {
+ *         "command": "npx",
+ *         "args": ["aegis-mcp-server", "--project", ".", "--role", "default"]
+ *       }
+ *     }
+ *   }
+ */
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { resolve } from 'node:path';
+import { PolicyLoader } from './services/policy-loader.js';
+import { EnforcementEngine } from './services/enforcement-engine.js';
+import { registerTools } from './tools/file-tools.js';
+// ─── Parse CLI Args ─────────────────────────────────────────────────────────
+function parseArgs() {
+    const args = process.argv.slice(2);
+    let projectRoot = process.cwd();
+    let role = 'default';
+    let policyDir;
+    for (let i = 0; i < args.length; i++) {
+        switch (args[i]) {
+            case '--project':
+            case '-p':
+                projectRoot = resolve(args[++i] ?? '.');
+                break;
+            case '--role':
+            case '-r':
+                role = args[++i] ?? 'default';
+                break;
+            case '--policy-dir':
+                policyDir = args[++i];
+                break;
+            case '--help':
+            case '-h':
+                printHelp();
+                process.exit(0);
+                break;
+            case '--version':
+            case '-v':
+                log('aegis-mcp-server v0.1.0');
+                process.exit(0);
+                break;
+        }
+    }
+    return { projectRoot, role, policyDir };
+}
+function printHelp() {
+    log(`
+aegis-mcp-server — MCP enforcement layer for Aegis agent governance
+
+USAGE:
+  aegis-mcp-server [OPTIONS]
+
+OPTIONS:
+  -p, --project <path>     Project root directory (default: cwd)
+  -r, --role <role-id>     Agent role to enforce (default: "default")
+      --policy-dir <dir>   Policy directory name (default: ".agentpolicy")
+  -h, --help               Show this help
+  -v, --version            Show version
+
+CLAUDE CODE CONFIG:
+  {
+    "mcpServers": {
+      "aegis": {
+        "command": "npx",
+        "args": ["aegis-mcp-server", "--project", ".", "--role", "default"]
+      }
+    }
+  }
+
+TOOLS PROVIDED:
+  aegis_check_permissions   Pre-check if an operation is allowed
+  aegis_write_file          Governed file write with content scanning
+  aegis_read_file           Governed file read
+  aegis_delete_file         Governed file delete
+  aegis_execute             Governed command execution
+  aegis_complete_task       Task completion with quality gate validation
+  aegis_policy_summary      Minimal summary of current role and permissions
+`);
+}
+// ─── Main ───────────────────────────────────────────────────────────────────
+async function main() {
+    const config = parseArgs();
+    log('Starting aegis-mcp-server');
+    log(`  Project: ${config.projectRoot}`);
+    log(`  Role: ${config.role}`);
+    log(`  Policy dir: ${config.policyDir ?? '.agentpolicy'}`);
+    // 1. Load policy into process memory
+    const loader = new PolicyLoader(config);
+    let state = await loader.load();
+    let activeRole = loader.getActiveRole();
+    let engine = new EnforcementEngine(state, activeRole);
+    // 2. Watch for policy changes and auto-reload
+    loader.startWatching(() => {
+        state = loader.getState();
+        activeRole = loader.getActiveRole();
+        engine.updateState(state, activeRole);
+        log('Policy reloaded');
+    });
+    // 3. Create MCP server
+    const server = new McpServer({
+        name: 'aegis-mcp-server',
+        version: '0.1.0',
+    });
+    // 4. Register governed tools
+    registerTools(server, () => engine, () => state, () => activeRole);
+    // 5. Connect via stdio transport
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    log('Connected via stdio — enforcement active');
+    // Graceful shutdown
+    const shutdown = async () => {
+        log('Shutting down...');
+        await loader.stopWatching();
+        process.exit(0);
+    };
+    process.on('SIGINT', shutdown);
+    process.on('SIGTERM', shutdown);
+}
+function log(message) {
+    process.stderr.write(`[aegis-mcp] ${message}\n`);
+}
+main().catch((err) => {
+    process.stderr.write(`[aegis-mcp] Fatal: ${err instanceof Error ? err.message : String(err)}\n`);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAGtD,+EAA+E;AAE/E,SAAS,SAAS;IAChB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,WAAW,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAChC,IAAI,IAAI,GAAG,SAAS,CAAC;IACrB,IAAI,SAA6B,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,QAAQ,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAChB,KAAK,WAAW,CAAC;YACjB,KAAK,IAAI;gBACP,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;gBACxC,MAAM;YACR,KAAK,QAAQ,CAAC;YACd,KAAK,IAAI;gBACP,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,SAAS,CAAC;gBAC9B,MAAM;YACR,KAAK,cAAc;gBACjB,SAAS,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;gBACtB,MAAM;YACR,KAAK,QAAQ,CAAC;YACd,KAAK,IAAI;gBACP,SAAS,EAAE,CAAC;gBACZ,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAChB,MAAM;YACR,KAAK,WAAW,CAAC;YACjB,KAAK,IAAI;gBACP,GAAG,CAAC,yBAAyB,CAAC,CAAC;gBAC/B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAChB,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,SAAS;IAChB,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+BL,CAAC,CAAC;AACH,CAAC;AAED,+EAA+E;AAE/E,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,GAAG,CAAC,2BAA2B,CAAC,CAAC;IACjC,GAAG,CAAC,cAAc,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IACxC,GAAG,CAAC,WAAW,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9B,GAAG,CAAC,iBAAiB,MAAM,CAAC,SAAS,IAAI,cAAc,EAAE,CAAC,CAAC;IAE3D,qCAAqC;IACrC,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,KAAK,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;IAChC,IAAI,UAAU,GAAG,MAAM,CAAC,aAAa,EAAE,CAAC;IACxC,IAAI,MAAM,GAAG,IAAI,iBAAiB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAEtD,8CAA8C;IAC9C,MAAM,CAAC,aAAa,CAAC,GAAG,EAAE;QACxB,KAAK,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC1B,UAAU,GAAG,MAAM,CAAC,aAAa,EAAE,CAAC;QACpC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QACtC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,uBAAuB;IACvB,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,6BAA6B;IAC7B,aAAa,CACX,MAAM,EACN,GAAG,EAAE,CAAC,MAAM,EACZ,GAAG,EAAE,CAAC,KAAK,EACX,GAAG,EAAE,CAAC,UAAU,CACjB,CAAC;IAEF,iCAAiC;IACjC,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEhC,GAAG,CAAC,0CAA0C,CAAC,CAAC;IAEhD,oBAAoB;IACpB,MAAM,QAAQ,GAAG,KAAK,IAAmB,EAAE;QACzC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QACxB,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;QAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IAEF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,GAAG,CAAC,OAAe;IAC1B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,OAAO,IAAI,CAAC,CAAC;AACnD,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAC3E,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/services/enforcement-engine.d.ts

@@ -0,0 +1,64 @@
+/**
+ * EnforcementEngine — Validates agent actions against loaded policy.
+ *
+ * All validation happens in Node.js process memory. The agent never sees
+ * the policy files. It only sees the verdict: allowed, or blocked with reason.
+ *
+ * Two-layer enforcement:
+ * Layer 1 (skeleton): permissions.boundaries, scope paths, override_protocol
+ * Layer 2 (extensions): sensitive_patterns, cross_domain_rules, sensitivity_tiers
+ */
+import type { PolicyState, ResolvedRole, EnforcementVerdict, OverrideLogEntry } from '../types.js';
+export declare class EnforcementEngine {
+    private state;
+    private activeRole;
+    constructor(state: PolicyState, activeRole: ResolvedRole);
+    /**
+     * Update references when policy reloads.
+     */
+    updateState(state: PolicyState, role: ResolvedRole): void;
+    /**
+     * Check if a write to the given path is allowed.
+     * Checks in order: governance forbidden → role excluded → role writable scope.
+     */
+    validateWrite(targetPath: string): EnforcementVerdict;
+    /**
+     * Check if a read of the given path is allowed.
+     */
+    validateRead(targetPath: string): EnforcementVerdict;
+    /**
+     * Scan proposed file content for sensitive patterns.
+     * Uses governance.permissions.sensitive_patterns when present.
+     */
+    scanContent(content: string, targetPath: string): EnforcementVerdict;
+    /**
+     * Validate that a cross-domain import respects boundaries.
+     * Uses governance.cross_domain_rules when present (extension field).
+     */
+    validateCrossDomain(sourcePath: string, importPath: string): EnforcementVerdict;
+    /**
+     * Determine how to handle a policy violation based on the override protocol.
+     */
+    getOverrideBehavior(policyRef: string): {
+        behavior: 'block_and_log' | 'warn_confirm_and_log' | 'log_only';
+        isImmutable: boolean;
+    };
+    /**
+     * Log an override to the append-only overrides.jsonl file.
+     */
+    logOverride(entry: OverrideLogEntry): Promise<void>;
+    /**
+     * Build the list of commands to run for quality gate validation.
+     * Maps pre_commit booleans to build_commands from constitution or governance.
+     */
+    getQualityGateCommands(): Array<{
+        name: string;
+        command: string;
+    }>;
+    private matchesAny;
+    private toRelativePath;
+    private getDomain;
+    private compilePattern;
+    private log;
+}
+//# sourceMappingURL=enforcement-engine.d.ts.map

package/dist/services/enforcement-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforcement-engine.d.ts","sourceRoot":"","sources":["../../src/services/enforcement-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,aAAa,CAAC;AAErB,qBAAa,iBAAiB;IAE1B,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,UAAU;gBADV,KAAK,EAAE,WAAW,EAClB,UAAU,EAAE,YAAY;IAGlC;;OAEG;IACH,WAAW,CAAC,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI;IAOzD;;;OAGG;IACH,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,kBAAkB;IAoErD;;OAEG;IACH,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,kBAAkB;IAyCpD;;;OAGG;IACH,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,kBAAkB;IAuBpE;;;OAGG;IACH,mBAAmB,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,kBAAkB;IA8B/E;;OAEG;IACH,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG;QACtC,QAAQ,EAAE,eAAe,GAAG,sBAAsB,GAAG,UAAU,CAAC;QAChE,WAAW,EAAE,OAAO,CAAC;KACtB;IAaD;;OAEG;IACG,WAAW,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC;IASzD;;;OAGG;IACH,sBAAsB,IAAI,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IA8BlE,OAAO,CAAC,UAAU;IAUlB,OAAO,CAAC,cAAc;IAOtB,OAAO,CAAC,SAAS;IAajB,OAAO,CAAC,cAAc;IAStB,OAAO,CAAC,GAAG;CAGZ"}

package/dist/services/enforcement-engine.js

@@ -0,0 +1,271 @@
+/**
+ * EnforcementEngine — Validates agent actions against loaded policy.
+ *
+ * All validation happens in Node.js process memory. The agent never sees
+ * the policy files. It only sees the verdict: allowed, or blocked with reason.
+ *
+ * Two-layer enforcement:
+ * Layer 1 (skeleton): permissions.boundaries, scope paths, override_protocol
+ * Layer 2 (extensions): sensitive_patterns, cross_domain_rules, sensitivity_tiers
+ */
+import { appendFile, mkdir } from 'node:fs/promises';
+import { dirname, join, relative, isAbsolute } from 'node:path';
+import { minimatch } from 'minimatch';
+export class EnforcementEngine {
+    state;
+    activeRole;
+    constructor(state, activeRole) {
+        this.state = state;
+        this.activeRole = activeRole;
+    }
+    /**
+     * Update references when policy reloads.
+     */
+    updateState(state, role) {
+        this.state = state;
+        this.activeRole = role;
+    }
+    // ─── Write Validation ─────────────────────────────────────────────────────
+    /**
+     * Check if a write to the given path is allowed.
+     * Checks in order: governance forbidden → role excluded → role writable scope.
+     */
+    validateWrite(targetPath) {
+        const relPath = this.toRelativePath(targetPath);
+        // 1. Governance-level forbidden paths (highest priority)
+        const forbidden = this.state.governance.permissions.boundaries.forbidden;
+        if (forbidden && this.matchesAny(relPath, forbidden)) {
+            return {
+                allowed: false,
+                reason: `Path "${relPath}" is in the forbidden list. This path must never be read or modified.`,
+                policy_ref: 'governance.json > permissions > boundaries > forbidden',
+                immutable: true,
+            };
+        }
+        // 2. Governance-level read_only paths
+        const readOnly = this.state.governance.permissions.boundaries.read_only;
+        if (readOnly && this.matchesAny(relPath, readOnly)) {
+            return {
+                allowed: false,
+                reason: `Path "${relPath}" is read-only per governance policy.`,
+                policy_ref: 'governance.json > permissions > boundaries > read_only',
+                immutable: false,
+            };
+        }
+        // 3. Role excluded paths
+        if (this.activeRole.excluded_paths.length > 0 &&
+            this.matchesAny(relPath, this.activeRole.excluded_paths)) {
+            return {
+                allowed: false,
+                reason: `Path "${relPath}" is excluded for role "${this.activeRole.id}".`,
+                policy_ref: `roles/${this.activeRole.id}.json > scope > excluded_paths`,
+                immutable: false,
+            };
+        }
+        // 4. Role writable scope — must be in writable_paths or secondary_paths
+        if (this.activeRole.writable_paths.length > 0) {
+            const inWritable = this.matchesAny(relPath, this.activeRole.writable_paths);
+            const inSecondary = this.activeRole.secondary_paths.length > 0 &&
+                this.matchesAny(relPath, this.activeRole.secondary_paths);
+            if (!inWritable && !inSecondary) {
+                return {
+                    allowed: false,
+                    reason: `Path "${relPath}" is outside the writable scope of role "${this.activeRole.id}".`,
+                    policy_ref: `roles/${this.activeRole.id}.json > scope`,
+                    immutable: false,
+                };
+            }
+        }
+        // 5. Governance-level writable whitelist (if defined, path must match)
+        const writable = this.state.governance.permissions.boundaries.writable;
+        if (writable && writable.length > 0 && !this.matchesAny(relPath, writable)) {
+            return {
+                allowed: false,
+                reason: `Path "${relPath}" is not in the governance writable list.`,
+                policy_ref: 'governance.json > permissions > boundaries > writable',
+                immutable: false,
+            };
+        }
+        return { allowed: true };
+    }
+    // ─── Read Validation ──────────────────────────────────────────────────────
+    /**
+     * Check if a read of the given path is allowed.
+     */
+    validateRead(targetPath) {
+        const relPath = this.toRelativePath(targetPath);
+        // Governance-level forbidden
+        const forbidden = this.state.governance.permissions.boundaries.forbidden;
+        if (forbidden && this.matchesAny(relPath, forbidden)) {
+            return {
+                allowed: false,
+                reason: `Path "${relPath}" is forbidden. This path must never be read or modified.`,
+                policy_ref: 'governance.json > permissions > boundaries > forbidden',
+                immutable: true,
+            };
+        }
+        // Role excluded paths block reads too
+        if (this.activeRole.excluded_paths.length > 0 &&
+            this.matchesAny(relPath, this.activeRole.excluded_paths)) {
+            return {
+                allowed: false,
+                reason: `Path "${relPath}" is excluded for role "${this.activeRole.id}".`,
+                policy_ref: `roles/${this.activeRole.id}.json > scope > excluded_paths`,
+                immutable: false,
+            };
+        }
+        // Role readable scope — if defined, must match
+        if (this.activeRole.readable_paths.length > 0 &&
+            !this.matchesAny(relPath, this.activeRole.readable_paths)) {
+            return {
+                allowed: false,
+                reason: `Path "${relPath}" is outside the readable scope of role "${this.activeRole.id}".`,
+                policy_ref: `roles/${this.activeRole.id}.json > paths > read`,
+                immutable: false,
+            };
+        }
+        return { allowed: true };
+    }
+    // ─── Content Scanning ─────────────────────────────────────────────────────
+    /**
+     * Scan proposed file content for sensitive patterns.
+     * Uses governance.permissions.sensitive_patterns when present.
+     */
+    scanContent(content, targetPath) {
+        const patterns = this.state.governance.permissions.sensitive_patterns;
+        if (!patterns || patterns.length === 0)
+            return { allowed: true };
+        for (const sp of patterns) {
+            const regex = this.compilePattern(sp.pattern);
+            if (!regex)
+                continue;
+            if (regex.test(content)) {
+                return {
+                    allowed: false,
+                    reason: `Content for "${targetPath}" contains a sensitive pattern: ${sp.reason}`,
+                    policy_ref: 'governance.json > permissions > sensitive_patterns',
+                    immutable: false,
+                };
+            }
+        }
+        return { allowed: true };
+    }
+    // ─── Cross-Domain Validation ──────────────────────────────────────────────
+    /**
+     * Validate that a cross-domain import respects boundaries.
+     * Uses governance.cross_domain_rules when present (extension field).
+     */
+    validateCrossDomain(sourcePath, importPath) {
+        const rules = this.state.governance.cross_domain_rules;
+        if (!rules || !rules.shared_interfaces_path)
+            return { allowed: true };
+        const domains = this.state.constitution.project.domains;
+        if (!domains || domains.length === 0)
+            return { allowed: true };
+        const sourceDomain = this.getDomain(sourcePath, domains);
+        const importDomain = this.getDomain(importPath, domains);
+        // Same domain or can't determine — allow
+        if (!sourceDomain || !importDomain || sourceDomain === importDomain) {
+            return { allowed: true };
+        }
+        // Cross-domain — must go through shared interfaces
+        if (!importPath.includes(rules.shared_interfaces_path)) {
+            return {
+                allowed: false,
+                reason: `Cross-domain import from "${sourceDomain}" to "${importDomain}" must go through "${rules.shared_interfaces_path}". Direct import of "${importPath}" is not allowed.`,
+                policy_ref: 'governance.json > cross_domain_rules',
+                immutable: false,
+            };
+        }
+        return { allowed: true };
+    }
+    // ─── Override Protocol ────────────────────────────────────────────────────
+    /**
+     * Determine how to handle a policy violation based on the override protocol.
+     */
+    getOverrideBehavior(policyRef) {
+        const protocol = this.state.governance.override_protocol;
+        const behavior = protocol?.behavior ?? 'warn_confirm_and_log';
+        const immutable = protocol?.immutable_policies ?? [];
+        const isImmutable = immutable.some((p) => policyRef.includes(p));
+        return {
+            behavior: isImmutable ? 'block_and_log' : behavior,
+            isImmutable,
+        };
+    }
+    /**
+     * Log an override to the append-only overrides.jsonl file.
+     */
+    async logOverride(entry) {
+        const logPath = join(this.state.policyDir, 'state', 'overrides.jsonl');
+        await mkdir(dirname(logPath), { recursive: true });
+        const line = JSON.stringify(entry) + '\n';
+        await appendFile(logPath, line, 'utf-8');
+    }
+    // ─── Quality Gates ────────────────────────────────────────────────────────
+    /**
+     * Build the list of commands to run for quality gate validation.
+     * Maps pre_commit booleans to build_commands from constitution or governance.
+     */
+    getQualityGateCommands() {
+        const gates = this.state.governance.quality_gate.pre_commit;
+        const commands = this.state.constitution.build_commands ??
+            this.state.governance.build_commands ??
+            {};
+        const result = [];
+        if (gates.must_pass_tests && commands.test) {
+            result.push({ name: 'tests', command: commands.test });
+        }
+        if (gates.must_pass_lint && commands.lint) {
+            result.push({ name: 'lint', command: commands.lint });
+        }
+        if (gates.must_pass_typecheck && commands.typecheck) {
+            result.push({ name: 'typecheck', command: commands.typecheck });
+        }
+        // Custom checks from quality gate
+        if (gates.custom_checks) {
+            for (const check of gates.custom_checks) {
+                result.push({ name: check.name, command: check.command });
+            }
+        }
+        return result;
+    }
+    // ─── Private Helpers ──────────────────────────────────────────────────────
+    matchesAny(path, patterns) {
+        return patterns.some((pattern) => {
+            // Normalize: "compliance/" should match "compliance/src/index.ts"
+            const normalized = pattern.endsWith('/')
+                ? pattern + '**'
+                : pattern;
+            return minimatch(path, normalized, { dot: true });
+        });
+    }
+    toRelativePath(targetPath) {
+        if (isAbsolute(targetPath)) {
+            return relative(this.state.projectRoot, targetPath);
+        }
+        return targetPath;
+    }
+    getDomain(filePath, domains) {
+        for (const domain of domains) {
+            const domainPath = domain.path.replace(/\/$/, '');
+            if (filePath.startsWith(domainPath + '/') || filePath.startsWith(domainPath)) {
+                return domain.name;
+            }
+        }
+        return null;
+    }
+    compilePattern(pattern) {
+        try {
+            return new RegExp(pattern, 'gi');
+        }
+        catch {
+            this.log(`Invalid regex in sensitive_patterns: ${pattern}`);
+            return null;
+        }
+    }
+    log(message) {
+        process.stderr.write(`[aegis-enforce] ${message}\n`);
+    }
+}
+//# sourceMappingURL=enforcement-engine.js.map

package/dist/services/enforcement-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforcement-engine.js","sourceRoot":"","sources":["../../src/services/enforcement-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAQtC,MAAM,OAAO,iBAAiB;IAElB;IACA;IAFV,YACU,KAAkB,EAClB,UAAwB;QADxB,UAAK,GAAL,KAAK,CAAa;QAClB,eAAU,GAAV,UAAU,CAAc;IAC/B,CAAC;IAEJ;;OAEG;IACH,WAAW,CAAC,KAAkB,EAAE,IAAkB;QAChD,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;IACzB,CAAC;IAED,6EAA6E;IAE7E;;;OAGG;IACH,aAAa,CAAC,UAAkB;QAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QAEhD,yDAAyD;QACzD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,WAAW,CAAC,UAAU,CAAC,SAAS,CAAC;QACzE,IAAI,SAAS,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC;YACrD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,OAAO,uEAAuE;gBAC/F,UAAU,EAAE,wDAAwD;gBACpE,SAAS,EAAE,IAAI;aAChB,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,WAAW,CAAC,UAAU,CAAC,SAAS,CAAC;QACxE,IAAI,QAAQ,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;YACnD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,OAAO,uCAAuC;gBAC/D,UAAU,EAAE,wDAAwD;gBACpE,SAAS,EAAE,KAAK;aACjB,CAAC;QACJ,CAAC;QAED,yBAAyB;QACzB,IAAI,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;YACzC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YAC7D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,OAAO,2BAA2B,IAAI,CAAC,UAAU,CAAC,EAAE,IAAI;gBACzE,UAAU,EAAE,SAAS,IAAI,CAAC,UAAU,CAAC,EAAE,gCAAgC;gBACvE,SAAS,EAAE,KAAK;aACjB,CAAC;QACJ,CAAC;QAED,wEAAwE;QACxE,IAAI,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;YAC5E,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC;gBAC5D,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;YAE5D,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,EAAE,CAAC;gBAChC,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,SAAS,OAAO,4CAA4C,IAAI,CAAC,UAAU,CAAC,EAAE,IAAI;oBAC1F,UAAU,EAAE,SAAS,IAAI,CAAC,UAAU,CAAC,EAAE,eAAe;oBACtD,SAAS,EAAE,KAAK;iBACjB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,WAAW,CAAC,UAAU,CAAC,QAAQ,CAAC;QACvE,IAAI,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;YAC3E,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,OAAO,2CAA2C;gBACnE,UAAU,EAAE,uDAAuD;gBACnE,SAAS,EAAE,KAAK;aACjB,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,6EAA6E;IAE7E;;OAEG;IACH,YAAY,CAAC,UAAkB;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QAEhD,6BAA6B;QAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,WAAW,CAAC,UAAU,CAAC,SAAS,CAAC;QACzE,IAAI,SAAS,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC;YACrD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,OAAO,2DAA2D;gBACnF,UAAU,EAAE,wDAAwD;gBACpE,SAAS,EAAE,IAAI;aAChB,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,IAAI,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;YACzC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YAC7D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,OAAO,2BAA2B,IAAI,CAAC,UAAU,CAAC,EAAE,IAAI;gBACzE,UAAU,EAAE,SAAS,IAAI,CAAC,UAAU,CAAC,EAAE,gCAAgC;gBACvE,SAAS,EAAE,KAAK;aACjB,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,IAAI,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;YACzC,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YAC9D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,OAAO,4CAA4C,IAAI,CAAC,UAAU,CAAC,EAAE,IAAI;gBAC1F,UAAU,EAAE,SAAS,IAAI,CAAC,UAAU,CAAC,EAAE,sBAAsB;gBAC7D,SAAS,EAAE,KAAK;aACjB,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,6EAA6E;IAE7E;;;OAGG;IACH,WAAW,CAAC,OAAe,EAAE,UAAkB;QAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,WAAW,CAAC,kBAAkB,CAAC;QACtE,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAEjE,KAAK,MAAM,EAAE,IAAI,QAAQ,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC;YAC9C,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxB,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,gBAAgB,UAAU,mCAAmC,EAAE,CAAC,MAAM,EAAE;oBAChF,UAAU,EAAE,oDAAoD;oBAChE,SAAS,EAAE,KAAK;iBACjB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,6EAA6E;IAE7E;;;OAGG;IACH,mBAAmB,CAAC,UAAkB,EAAE,UAAkB;QACxD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,kBAAkB,CAAC;QACvD,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,sBAAsB;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAEtE,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,OAAO,CAAC;QACxD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAE/D,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACzD,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAEzD,yCAAyC;QACzC,IAAI,CAAC,YAAY,IAAI,CAAC,YAAY,IAAI,YAAY,KAAK,YAAY,EAAE,CAAC;YACpE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,mDAAmD;QACnD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YACvD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,6BAA6B,YAAY,SAAS,YAAY,sBAAsB,KAAK,CAAC,sBAAsB,wBAAwB,UAAU,mBAAmB;gBAC7K,UAAU,EAAE,sCAAsC;gBAClD,SAAS,EAAE,KAAK;aACjB,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,6EAA6E;IAE7E;;OAEG;IACH,mBAAmB,CAAC,SAAiB;QAInC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,iBAAiB,CAAC;QACzD,MAAM,QAAQ,GAAG,QAAQ,EAAE,QAAQ,IAAI,sBAAsB,CAAC;QAC9D,MAAM,SAAS,GAAG,QAAQ,EAAE,kBAAkB,IAAI,EAAE,CAAC;QAErD,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAEjE,OAAO;YACL,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,QAAQ;YAClD,WAAW;SACZ,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,KAAuB;QACvC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,EAAE,iBAAiB,CAAC,CAAC;QACvE,MAAM,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;QAC1C,MAAM,UAAU,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED,6EAA6E;IAE7E;;;OAGG;IACH,sBAAsB;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,YAAY,CAAC,UAAU,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,cAAc;YACtC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,cAAc;YACpC,EAAE,CAAC;QAEpB,MAAM,MAAM,GAA6C,EAAE,CAAC;QAE5D,IAAI,KAAK,CAAC,eAAe,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YAC3C,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QACD,IAAI,KAAK,CAAC,cAAc,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,KAAK,CAAC,mBAAmB,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;YACpD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;QAClE,CAAC;QAED,kCAAkC;QAClC,IAAI,KAAK,CAAC,aAAa,EAAE,CAAC;YACxB,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,aAAa,EAAE,CAAC;gBACxC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,6EAA6E;IAErE,UAAU,CAAC,IAAY,EAAE,QAAkB;QACjD,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;YAC/B,kEAAkE;YAClE,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBACtC,CAAC,CAAC,OAAO,GAAG,IAAI;gBAChB,CAAC,CAAC,OAAO,CAAC;YACZ,OAAO,SAAS,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,cAAc,CAAC,UAAkB;QACvC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3B,OAAO,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;IAEO,SAAS,CACf,QAAgB,EAChB,OAA8C;QAE9C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAClD,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,GAAG,GAAG,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC7E,OAAO,MAAM,CAAC,IAAI,CAAC;YACrB,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,cAAc,CAAC,OAAe;QACpC,IAAI,CAAC;YACH,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,GAAG,CAAC,wCAAwC,OAAO,EAAE,CAAC,CAAC;YAC5D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,GAAG,CAAC,OAAe;QACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,OAAO,IAAI,CAAC,CAAC;IACvD,CAAC;CACF"}