ctx-sync 1.0.0

package/dist/core/command-validator.js

@@ -0,0 +1,299 @@
+/**
+ * Command validator module.
+ *
+ * Validates shell commands for suspicious patterns before execution.
+ * Used by the `restore` command to prevent remote code execution (RCE)
+ * via a compromised Git repo injecting malicious commands into the
+ * encrypted state.
+ *
+ * **Critical security property:** No command is ever executed without
+ * explicit user confirmation. There is no `--yes` or `--no-confirm`
+ * flag — command confirmation cannot be bypassed.
+ *
+ * @module core/command-validator
+ */
+/**
+ * Suspicious command patterns — each entry is a regex and a description
+ * of the threat it detects.
+ */
+const SUSPICIOUS_PATTERNS = [
+    {
+        pattern: /\b(curl|wget)\b.*\|\s*(sh|bash|zsh|ksh|dash|csh)\b/i,
+        reason: 'Pipes remote content to a shell — potential remote code execution.',
+    },
+    {
+        pattern: /\brm\s+(-[a-zA-Z]*r[a-zA-Z]*f|--recursive\s+--force|-[a-zA-Z]*f[a-zA-Z]*r)\b/i,
+        reason: 'Recursive force-delete — destructive operation.',
+    },
+    {
+        pattern: /\brm\s+-rf\s+\/\s*$/i,
+        reason: 'Attempts to delete root filesystem — catastrophic operation.',
+    },
+    {
+        pattern: /\bnc\b.*-[a-zA-Z]*e\b/i,
+        reason: 'Netcat with execute flag — potential reverse shell.',
+    },
+    {
+        pattern: /\bpython[23]?\s+-c\b/i,
+        reason: 'Inline Python execution — potential arbitrary code execution.',
+    },
+    {
+        pattern: /\bperl\s+-e\b/i,
+        reason: 'Inline Perl execution — potential arbitrary code execution.',
+    },
+    {
+        pattern: /\bruby\s+-e\b/i,
+        reason: 'Inline Ruby execution — potential arbitrary code execution.',
+    },
+    {
+        pattern: /\bnode\s+-e\b/i,
+        reason: 'Inline Node.js execution — potential arbitrary code execution.',
+    },
+    {
+        pattern: /\$\(.*\)/,
+        reason: 'Command substitution — embedded command may execute arbitrary code.',
+    },
+    {
+        pattern: /`[^`]+`/,
+        reason: 'Backtick command substitution — embedded command may execute arbitrary code.',
+    },
+    {
+        pattern: /\beval\b/i,
+        reason: 'eval — executes arbitrary string as code.',
+    },
+    {
+        pattern: /\bexec\b/i,
+        reason: 'exec — replaces the current process with another command.',
+    },
+    {
+        pattern: /\b(bash|sh|zsh)\s+-[a-zA-Z]*c\b/i,
+        reason: 'Shell with -c flag — executes inline command string.',
+    },
+    {
+        pattern: /\/dev\/(tcp|udp)\//i,
+        reason: 'Bash /dev/tcp or /dev/udp — potential reverse shell.',
+    },
+    {
+        pattern: /\bmkfifo\b/i,
+        reason: 'Named pipe creation — often used in reverse shell patterns.',
+    },
+    {
+        pattern: /\bchmod\s+[0-7]*[4-7][0-7]{2}\b/i,
+        reason: 'Changing file permissions to world-readable — potential security issue.',
+    },
+    {
+        pattern: /\bchown\b/i,
+        reason: 'Changing file ownership — potential privilege escalation.',
+    },
+    {
+        pattern: />\s*\/etc\//i,
+        reason: 'Writing to /etc/ — modifying system configuration.',
+    },
+    {
+        pattern: /\bsudo\b/i,
+        reason: 'sudo — elevated privilege execution.',
+    },
+    {
+        pattern: /\bsu\s+-?\s*\w/i,
+        reason: 'su — switching user context.',
+    },
+    {
+        pattern: /\bcrontab\b/i,
+        reason: 'crontab — scheduling persistent tasks.',
+    },
+    {
+        pattern: /&&\s*(curl|wget)\b/i,
+        reason: 'Chained remote download — may be part of a multi-stage attack.',
+    },
+];
+/**
+ * Validate a shell command for suspicious patterns.
+ *
+ * Checks the command string against known dangerous patterns. This is a
+ * defence-in-depth measure — the primary protection is the mandatory
+ * user confirmation before any command executes.
+ *
+ * @param cmd - The shell command string to validate.
+ * @returns Validation result with suspicious flag and reason.
+ */
+export function validateCommand(cmd) {
+    if (!cmd || typeof cmd !== 'string' || cmd.trim().length === 0) {
+        return { suspicious: false, reason: '' };
+    }
+    const trimmed = cmd.trim();
+    for (const { pattern, reason } of SUSPICIOUS_PATTERNS) {
+        if (pattern.test(trimmed)) {
+            return { suspicious: true, reason };
+        }
+    }
+    return { suspicious: false, reason: '' };
+}
+/**
+ * Validate a Docker image name for suspicious patterns.
+ *
+ * Flags images from unofficial registries or suspicious names.
+ * Trusted images come from well-known publishers (e.g. `postgres`,
+ * `redis`, `node`) without a registry prefix, or from trusted registries
+ * like `docker.io`.
+ *
+ * @param image - The Docker image name (e.g. 'postgres:15', 'evil.com/malware:latest').
+ * @returns Validation result with warning flag and reason.
+ */
+export function validateDockerImage(image) {
+    if (!image || typeof image !== 'string' || image.trim().length === 0) {
+        return { suspicious: false, reason: '' };
+    }
+    const trimmed = image.trim();
+    // Images with a registry prefix that isn't docker.io/library are suspicious
+    // Official images: 'postgres:15', 'redis:7-alpine', 'node:20'
+    // Suspicious images: 'evil.com/postgres:latest', 'attacker/redis:backdoored'
+    const hasSlash = trimmed.includes('/');
+    if (hasSlash) {
+        // Check if it's from a known official source
+        const officialPrefixes = [
+            'docker.io/library/',
+            'docker.io/',
+            'library/',
+            'ghcr.io/',
+            'gcr.io/',
+            'mcr.microsoft.com/',
+            'public.ecr.aws/',
+        ];
+        const isOfficial = officialPrefixes.some((prefix) => trimmed.startsWith(prefix));
+        if (!isOfficial) {
+            return {
+                suspicious: true,
+                reason: `Non-official Docker image registry: ${trimmed}. Verify this image is trusted.`,
+            };
+        }
+    }
+    return { suspicious: false, reason: '' };
+}
+/**
+ * Format commands for display to the user before execution.
+ *
+ * Groups commands by category (Docker services, auto-start services)
+ * and adds warning indicators for suspicious commands.
+ *
+ * @param commands - The list of commands pending approval.
+ * @returns Formatted string for terminal display.
+ */
+export function formatCommandsForDisplay(commands) {
+    if (commands.length === 0) {
+        return '';
+    }
+    const lines = [];
+    lines.push('┌────────────────────────────────────────────┐');
+    // Group by label
+    const groups = new Map();
+    for (const cmd of commands) {
+        const existing = groups.get(cmd.label) ?? [];
+        existing.push(cmd);
+        groups.set(cmd.label, existing);
+    }
+    let index = 1;
+    for (const [label, groupCommands] of groups) {
+        lines.push(`│ ${label}:`);
+        for (const cmd of groupCommands) {
+            const validation = validateCommand(cmd.command);
+            const imageValidation = cmd.image
+                ? validateDockerImage(cmd.image)
+                : null;
+            const prefix = `│   ${index}.`;
+            lines.push(`${prefix} ${cmd.command}`);
+            if (cmd.image) {
+                lines.push(`│      Image: ${cmd.image}`);
+            }
+            if (cmd.port) {
+                lines.push(`│      Port: ${cmd.port}`);
+            }
+            if (cmd.cwd) {
+                lines.push(`│      Working dir: ${cmd.cwd}`);
+            }
+            if (validation.suspicious) {
+                lines.push(`│      ⚠️  WARNING: ${validation.reason}`);
+            }
+            if (imageValidation?.suspicious) {
+                lines.push(`│      ⚠️  WARNING: ${imageValidation.reason}`);
+            }
+            lines.push('│');
+            index++;
+        }
+    }
+    lines.push('│ Review each command carefully!             │');
+    lines.push('└────────────────────────────────────────────┘');
+    return lines.join('\n');
+}
+/**
+ * Present commands for user approval.
+ *
+ * In interactive mode, displays commands and prompts the user to approve
+ * all, reject all, or select individually.
+ *
+ * In non-interactive mode, displays commands but does NOT execute any —
+ * this is the safe default.
+ *
+ * **Security:** There is no `--yes` or `--no-confirm` flag. Command
+ * confirmation cannot be bypassed programmatically.
+ *
+ * @param commands - The list of commands to present.
+ * @param options - Display options.
+ * @param options.interactive - Whether to prompt for approval (false = show only).
+ * @param options.promptFn - Optional override for the approval prompt (for testing).
+ * @returns The approval result (which commands were approved/rejected).
+ */
+export async function presentCommandsForApproval(commands, options = {}) {
+    const result = {
+        approved: [],
+        rejected: [],
+        skippedAll: false,
+    };
+    if (commands.length === 0) {
+        return result;
+    }
+    // Non-interactive mode: show commands but skip execution
+    if (!options.interactive) {
+        result.skippedAll = true;
+        result.rejected = [...commands];
+        return result;
+    }
+    // Interactive mode: prompt for approval
+    const promptFn = options.promptFn;
+    if (!promptFn) {
+        // Default: skip all if no prompt function (safety fallback)
+        result.skippedAll = true;
+        result.rejected = [...commands];
+        return result;
+    }
+    const choice = await promptFn(commands);
+    switch (choice) {
+        case 'all':
+            result.approved = [...commands];
+            break;
+        case 'none':
+            result.rejected = [...commands];
+            break;
+        case 'select': {
+            const selectFn = options.selectFn;
+            if (!selectFn) {
+                result.rejected = [...commands];
+                break;
+            }
+            for (let i = 0; i < commands.length; i++) {
+                const cmd = commands[i];
+                if (!cmd)
+                    continue;
+                const approved = await selectFn(cmd, i + 1);
+                if (approved) {
+                    result.approved.push(cmd);
+                }
+                else {
+                    result.rejected.push(cmd);
+                }
+            }
+            break;
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=command-validator.js.map

package/dist/core/command-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-validator.js","sourceRoot":"","sources":["../../src/core/command-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAkCH;;;GAGG;AACH,MAAM,mBAAmB,GAAuD;IAC9E;QACE,OAAO,EAAE,qDAAqD;QAC9D,MAAM,EAAE,oEAAoE;KAC7E;IACD;QACE,OAAO,EAAE,+EAA+E;QACxF,MAAM,EAAE,iDAAiD;KAC1D;IACD;QACE,OAAO,EAAE,sBAAsB;QAC/B,MAAM,EAAE,8DAA8D;KACvE;IACD;QACE,OAAO,EAAE,wBAAwB;QACjC,MAAM,EAAE,qDAAqD;KAC9D;IACD;QACE,OAAO,EAAE,uBAAuB;QAChC,MAAM,EAAE,+DAA+D;KACxE;IACD;QACE,OAAO,EAAE,gBAAgB;QACzB,MAAM,EAAE,6DAA6D;KACtE;IACD;QACE,OAAO,EAAE,gBAAgB;QACzB,MAAM,EAAE,6DAA6D;KACtE;IACD;QACE,OAAO,EAAE,gBAAgB;QACzB,MAAM,EAAE,gEAAgE;KACzE;IACD;QACE,OAAO,EAAE,UAAU;QACnB,MAAM,EAAE,qEAAqE;KAC9E;IACD;QACE,OAAO,EAAE,SAAS;QAClB,MAAM,EAAE,8EAA8E;KACvF;IACD;QACE,OAAO,EAAE,WAAW;QACpB,MAAM,EAAE,2CAA2C;KACpD;IACD;QACE,OAAO,EAAE,WAAW;QACpB,MAAM,EAAE,2DAA2D;KACpE;IACD;QACE,OAAO,EAAE,kCAAkC;QAC3C,MAAM,EAAE,sDAAsD;KAC/D;IACD;QACE,OAAO,EAAE,qBAAqB;QAC9B,MAAM,EAAE,sDAAsD;KAC/D;IACD;QACE,OAAO,EAAE,aAAa;QACtB,MAAM,EAAE,6DAA6D;KACtE;IACD;QACE,OAAO,EAAE,kCAAkC;QAC3C,MAAM,EAAE,yEAAyE;KAClF;IACD;QACE,OAAO,EAAE,YAAY;QACrB,MAAM,EAAE,2DAA2D;KACpE;IACD;QACE,OAAO,EAAE,cAAc;QACvB,MAAM,EAAE,oDAAoD;KAC7D;IACD;QACE,OAAO,EAAE,WAAW;QACpB,MAAM,EAAE,sCAAsC;KAC/C;IACD;QACE,OAAO,EAAE,iBAAiB;QAC1B,MAAM,EAAE,8BAA8B;KACvC;IACD;QACE,OAAO,EAAE,cAAc;QACvB,MAAM,EAAE,wCAAwC;KACjD;IACD;QACE,OAAO,EAAE,qBAAqB;QAC9B,MAAM,EAAE,gEAAgE;KACzE;CACF,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/D,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAE3B,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,mBAAmB,EAAE,CAAC;QACtD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACtC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAa;IAC/C,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAE7B,4EAA4E;IAC5E,8DAA8D;IAC9D,6EAA6E;IAC7E,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,QAAQ,EAAE,CAAC;QACb,6CAA6C;QAC7C,MAAM,gBAAgB,GAAG;YACvB,oBAAoB;YACpB,YAAY;YACZ,UAAU;YACV,UAAU;YACV,SAAS;YACT,oBAAoB;YACpB,iBAAiB;SAClB,CAAC;QAEF,MAAM,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAClD,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAC3B,CAAC;QAEF,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO;gBACL,UAAU,EAAE,IAAI;gBAChB,MAAM,EAAE,uCAAuC,OAAO,iCAAiC;aACxF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,wBAAwB,CAAC,QAA0B;IACjE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;IAE7D,iBAAiB;IACjB,MAAM,MAAM,GAAG,IAAI,GAAG,EAA4B,CAAC;IACnD,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAC7C,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnB,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAClC,CAAC;IAED,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,MAAM,CAAC,KAAK,EAAE,aAAa,CAAC,IAAI,MAAM,EAAE,CAAC;QAC5C,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,GAAG,CAAC,CAAC;QAC1B,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,MAAM,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAChD,MAAM,eAAe,GAAG,GAAG,CAAC,KAAK;gBAC/B,CAAC,CAAC,mBAAmB,CAAC,GAAG,CAAC,KAAK,CAAC;gBAChC,CAAC,CAAC,IAAI,CAAC;YAET,MAAM,MAAM,GAAG,OAAO,KAAK,GAAG,CAAC;YAC/B,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YAEvC,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gBACd,KAAK,CAAC,IAAI,CAAC,iBAAiB,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC;YAC3C,CAAC;YACD,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;gBACb,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;gBACZ,KAAK,CAAC,IAAI,CAAC,uBAAuB,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;YAC/C,CAAC;YAED,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;gBAC1B,KAAK,CAAC,IAAI,CAAC,uBAAuB,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YACzD,CAAC;YACD,IAAI,eAAe,EAAE,UAAU,EAAE,CAAC;gBAChC,KAAK,CAAC,IAAI,CAAC,uBAAuB,eAAe,CAAC,MAAM,EAAE,CAAC,CAAC;YAC9D,CAAC;YAED,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAChB,KAAK,EAAE,CAAC;QACV,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;IAC7D,KAAK,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;IAE7D,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,QAA0B,EAC1B,UAII,EAAE;IAEN,MAAM,MAAM,GAAmB;QAC7B,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,EAAE;QACZ,UAAU,EAAE,KAAK;KAClB,CAAC;IAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,yDAAyD;IACzD,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QACzB,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QACzB,MAAM,CAAC,QAAQ,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC;QAChC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,wCAAwC;IACxC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,4DAA4D;QAC5D,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QACzB,MAAM,CAAC,QAAQ,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC;QAChC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAExC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,KAAK;YACR,MAAM,CAAC,QAAQ,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC;YAChC,MAAM;QACR,KAAK,MAAM;YACT,MAAM,CAAC,QAAQ,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC;YAChC,MAAM;QACR,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;YAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,CAAC,QAAQ,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC;gBAChC,MAAM;YACR,CAAC;YACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACzC,MAAM,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;gBACxB,IAAI,CAAC,GAAG;oBAAE,SAAS;gBACnB,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC5C,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC5B,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC5B,CAAC;YACH,CAAC;YACD,MAAM;QACR,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/core/config-store.d.ts

@@ -0,0 +1,76 @@
+/**
+ * Local user configuration store.
+ *
+ * Manages `config.json` in the config directory (~/.config/ctx-sync/).
+ * This file is NEVER synced to Git — it holds local preferences only.
+ *
+ * Primary use: custom safe-list additions that merge with DEFAULT_SAFE_LIST.
+ *
+ * @module core/config-store
+ */
+import type { UserConfig } from '@ctx-sync/shared';
+/** Config file name (stored in config dir, never synced) */
+export declare const CONFIG_FILE = "config.json";
+/**
+ * Load the user config from disk.
+ *
+ * @param configDir - The config directory path (~/.config/ctx-sync).
+ * @returns The parsed UserConfig, or `null` if the file does not exist.
+ */
+export declare function getUserConfig(configDir: string): UserConfig | null;
+/**
+ * Save the user config to disk.
+ *
+ * @param configDir - The config directory path.
+ * @param config - The UserConfig to persist.
+ */
+export declare function saveUserConfig(configDir: string, config: UserConfig): void;
+/**
+ * Get the effective safe-list: DEFAULT_SAFE_LIST merged with user additions.
+ *
+ * User keys are uppercased and deduplicated against the defaults.
+ *
+ * @param configDir - The config directory path.
+ * @returns The merged safe-list (all uppercase).
+ */
+export declare function getEffectiveSafeList(configDir: string): string[];
+/**
+ * Add a key to the user's custom safe-list.
+ *
+ * The key is normalised to uppercase. Duplicate additions (already in
+ * default or custom list) are detected and reported.
+ *
+ * @param configDir - The config directory path.
+ * @param key - The env var key to add.
+ * @returns An object indicating whether the key was added and a message.
+ */
+export declare function addToSafeList(configDir: string, key: string): {
+    added: boolean;
+    message: string;
+};
+/**
+ * Remove a key from the user's custom safe-list.
+ *
+ * Keys that are part of DEFAULT_SAFE_LIST cannot be removed (they are
+ * built-in). Only user-added custom keys can be removed.
+ *
+ * @param configDir - The config directory path.
+ * @param key - The env var key to remove.
+ * @returns An object indicating whether the key was removed and a message.
+ */
+export declare function removeFromSafeList(configDir: string, key: string): {
+    removed: boolean;
+    message: string;
+};
+/**
+ * List the current safe-list, split into defaults and custom additions.
+ *
+ * @param configDir - The config directory path.
+ * @returns Object with default keys, custom keys, and the full effective list.
+ */
+export declare function listSafeList(configDir: string): {
+    defaults: readonly string[];
+    custom: string[];
+    effective: string[];
+};
+//# sourceMappingURL=config-store.d.ts.map

package/dist/core/config-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-store.d.ts","sourceRoot":"","sources":["../../src/core/config-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnD,4DAA4D;AAC5D,eAAO,MAAM,WAAW,gBAAgB,CAAC;AAEzC;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAclE;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAS1E;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,EAAE,CAWhE;AAED;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAC3B,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CA4BrC;AAED;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAChC,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CA8BvC;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG;IAC/C,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB,CASA"}

package/dist/core/config-store.js

@@ -0,0 +1,148 @@
+/**
+ * Local user configuration store.
+ *
+ * Manages `config.json` in the config directory (~/.config/ctx-sync/).
+ * This file is NEVER synced to Git — it holds local preferences only.
+ *
+ * Primary use: custom safe-list additions that merge with DEFAULT_SAFE_LIST.
+ *
+ * @module core/config-store
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { DEFAULT_SAFE_LIST } from '@ctx-sync/shared';
+/** Config file name (stored in config dir, never synced) */
+export const CONFIG_FILE = 'config.json';
+/**
+ * Load the user config from disk.
+ *
+ * @param configDir - The config directory path (~/.config/ctx-sync).
+ * @returns The parsed UserConfig, or `null` if the file does not exist.
+ */
+export function getUserConfig(configDir) {
+    const filePath = path.join(configDir, CONFIG_FILE);
+    if (!fs.existsSync(filePath)) {
+        return null;
+    }
+    const content = fs.readFileSync(filePath, 'utf-8');
+    if (!content.trim()) {
+        return null;
+    }
+    return JSON.parse(content);
+}
+/**
+ * Save the user config to disk.
+ *
+ * @param configDir - The config directory path.
+ * @param config - The UserConfig to persist.
+ */
+export function saveUserConfig(configDir, config) {
+    const filePath = path.join(configDir, CONFIG_FILE);
+    // Ensure the config directory exists
+    if (!fs.existsSync(configDir)) {
+        fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
+    }
+    fs.writeFileSync(filePath, JSON.stringify(config, null, 2), 'utf-8');
+}
+/**
+ * Get the effective safe-list: DEFAULT_SAFE_LIST merged with user additions.
+ *
+ * User keys are uppercased and deduplicated against the defaults.
+ *
+ * @param configDir - The config directory path.
+ * @returns The merged safe-list (all uppercase).
+ */
+export function getEffectiveSafeList(configDir) {
+    const config = getUserConfig(configDir);
+    const userKeys = config?.safeList ?? [];
+    // Merge: defaults + user additions (uppercased, deduplicated)
+    const merged = new Set(DEFAULT_SAFE_LIST);
+    for (const key of userKeys) {
+        merged.add(key.toUpperCase());
+    }
+    return [...merged];
+}
+/**
+ * Add a key to the user's custom safe-list.
+ *
+ * The key is normalised to uppercase. Duplicate additions (already in
+ * default or custom list) are detected and reported.
+ *
+ * @param configDir - The config directory path.
+ * @param key - The env var key to add.
+ * @returns An object indicating whether the key was added and a message.
+ */
+export function addToSafeList(configDir, key) {
+    const normKey = key.toUpperCase();
+    // Check if already in default safe-list
+    if (DEFAULT_SAFE_LIST.includes(normKey)) {
+        return {
+            added: false,
+            message: `${normKey} is already in the default safe-list.`,
+        };
+    }
+    const config = getUserConfig(configDir) ?? {};
+    const existing = (config.safeList ?? []).map((k) => k.toUpperCase());
+    if (existing.includes(normKey)) {
+        return {
+            added: false,
+            message: `${normKey} is already in your custom safe-list.`,
+        };
+    }
+    config.safeList = [...(config.safeList ?? []), normKey];
+    saveUserConfig(configDir, config);
+    return {
+        added: true,
+        message: `Added ${normKey} to the safe-list.`,
+    };
+}
+/**
+ * Remove a key from the user's custom safe-list.
+ *
+ * Keys that are part of DEFAULT_SAFE_LIST cannot be removed (they are
+ * built-in). Only user-added custom keys can be removed.
+ *
+ * @param configDir - The config directory path.
+ * @param key - The env var key to remove.
+ * @returns An object indicating whether the key was removed and a message.
+ */
+export function removeFromSafeList(configDir, key) {
+    const normKey = key.toUpperCase();
+    // Cannot remove default keys
+    if (DEFAULT_SAFE_LIST.includes(normKey)) {
+        return {
+            removed: false,
+            message: `${normKey} is a built-in default and cannot be removed. It will always be on the safe-list.`,
+        };
+    }
+    const config = getUserConfig(configDir) ?? {};
+    const existing = (config.safeList ?? []).map((k) => k.toUpperCase());
+    if (!existing.includes(normKey)) {
+        return {
+            removed: false,
+            message: `${normKey} is not in your custom safe-list.`,
+        };
+    }
+    config.safeList = (config.safeList ?? []).filter((k) => k.toUpperCase() !== normKey);
+    saveUserConfig(configDir, config);
+    return {
+        removed: true,
+        message: `Removed ${normKey} from the safe-list. It will be encrypted on next import.`,
+    };
+}
+/**
+ * List the current safe-list, split into defaults and custom additions.
+ *
+ * @param configDir - The config directory path.
+ * @returns Object with default keys, custom keys, and the full effective list.
+ */
+export function listSafeList(configDir) {
+    const config = getUserConfig(configDir);
+    const custom = (config?.safeList ?? []).map((k) => k.toUpperCase());
+    return {
+        defaults: DEFAULT_SAFE_LIST,
+        custom,
+        effective: getEffectiveSafeList(configDir),
+    };
+}
+//# sourceMappingURL=config-store.js.map

package/dist/core/config-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-store.js","sourceRoot":"","sources":["../../src/core/config-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,4DAA4D;AAC5D,MAAM,CAAC,MAAM,WAAW,GAAG,aAAa,CAAC;AAEzC;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB;IAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IAEnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAEnD,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAe,CAAC;AAC3C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB,EAAE,MAAkB;IAClE,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IAEnD,qCAAqC;IACrC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;AACvE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,SAAiB;IACpD,MAAM,MAAM,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;IACxC,MAAM,QAAQ,GAAG,MAAM,EAAE,QAAQ,IAAI,EAAE,CAAC;IAExC,8DAA8D;IAC9D,MAAM,MAAM,GAAG,IAAI,GAAG,CAAS,iBAAiB,CAAC,CAAC;IAClD,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,aAAa,CAC3B,SAAiB,EACjB,GAAW;IAEX,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IAElC,wCAAwC;IACxC,IAAI,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACxC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,OAAO,EAAE,GAAG,OAAO,uCAAuC;SAC3D,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,aAAa,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;IAC9C,MAAM,QAAQ,GAAG,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAErE,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,OAAO,EAAE,GAAG,OAAO,uCAAuC;SAC3D,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,QAAQ,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;IACxD,cAAc,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAElC,OAAO;QACL,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,SAAS,OAAO,oBAAoB;KAC9C,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB,CAChC,SAAiB,EACjB,GAAW;IAEX,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IAElC,6BAA6B;IAC7B,IAAI,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACxC,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,GAAG,OAAO,mFAAmF;SACvG,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,aAAa,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;IAC9C,MAAM,QAAQ,GAAG,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAErE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAChC,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,GAAG,OAAO,mCAAmC;SACvD,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,QAAQ,GAAG,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,MAAM,CAC9C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,OAAO,CACnC,CAAC;IACF,cAAc,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAElC,OAAO;QACL,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,WAAW,OAAO,2DAA2D;KACvF,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,SAAiB;IAK5C,MAAM,MAAM,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,CAAC,MAAM,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAEpE,OAAO;QACL,QAAQ,EAAE,iBAAiB;QAC3B,MAAM;QACN,SAAS,EAAE,oBAAoB,CAAC,SAAS,CAAC;KAC3C,CAAC;AACJ,CAAC"}

package/dist/core/directories-handler.d.ts

@@ -0,0 +1,116 @@
+/**
+ * Directories handler module.
+ *
+ * Tracks recent working directories and pinned directories associated
+ * with a user's development workflow. State is persisted in
+ * `directories.age` (encrypted).
+ *
+ * **Path validation:** All directory paths are validated through the
+ * path-validator module to prevent path traversal attacks.
+ *
+ * @module core/directories-handler
+ */
+import type { RecentDirectory, DirectoryState } from '@ctx-sync/shared';
+/**
+ * Maximum number of recent directories to retain.
+ * Older, less-frequent entries are pruned when this limit is exceeded.
+ */
+export declare const MAX_RECENT_DIRS = 50;
+/**
+ * Load directory state from encrypted storage.
+ *
+ * @param syncDir    - The sync directory (e.g. ~/.context-sync).
+ * @param privateKey - Age private key for decryption.
+ * @returns The decrypted `DirectoryState`, or an empty state if the
+ *          file does not exist.
+ */
+export declare function loadDirectories(syncDir: string, privateKey: string): Promise<DirectoryState>;
+/**
+ * Save (overwrite) the entire directory state.
+ *
+ * @param syncDir   - The sync directory.
+ * @param state     - The complete `DirectoryState` to persist.
+ * @param publicKey - Age public key for encryption.
+ */
+export declare function saveDirectories(syncDir: string, state: DirectoryState, publicKey: string): Promise<void>;
+/**
+ * Record a directory visit.
+ *
+ * - If the directory already exists in the recent list, its frequency is
+ *   incremented and its lastVisit timestamp updated.
+ * - If new, it is added with frequency 1.
+ * - The list is pruned to `MAX_RECENT_DIRS` after insertion.
+ * - The path is validated against the path-validator to reject traversal
+ *   attacks.
+ *
+ * @param syncDir    - The sync directory.
+ * @param dirPath    - The directory path to record (will be validated).
+ * @param publicKey  - Age public key for encryption.
+ * @param privateKey - Age private key for decryption.
+ * @throws If the path fails validation.
+ */
+export declare function visitDirectory(syncDir: string, dirPath: string, publicKey: string, privateKey: string): Promise<void>;
+/**
+ * Pin a directory.
+ *
+ * Pinned directories are always shown at the top of directory listings
+ * and are not subject to the recent-directory pruning limit.
+ *
+ * @param syncDir    - The sync directory.
+ * @param dirPath    - The directory path to pin (will be validated).
+ * @param publicKey  - Age public key for encryption.
+ * @param privateKey - Age private key for decryption.
+ * @returns `true` if the directory was newly pinned, `false` if already pinned.
+ * @throws If the path fails validation.
+ */
+export declare function pinDirectory(syncDir: string, dirPath: string, publicKey: string, privateKey: string): Promise<boolean>;
+/**
+ * Unpin a directory.
+ *
+ * @param syncDir    - The sync directory.
+ * @param dirPath    - The directory path to unpin (will be validated).
+ * @param publicKey  - Age public key for encryption.
+ * @param privateKey - Age private key for decryption.
+ * @returns `true` if the directory was unpinned, `false` if it was not pinned.
+ * @throws If the path fails validation.
+ */
+export declare function unpinDirectory(syncDir: string, dirPath: string, publicKey: string, privateKey: string): Promise<boolean>;
+/**
+ * Remove a directory from the recent list (does not affect pinned).
+ *
+ * @param syncDir    - The sync directory.
+ * @param dirPath    - The directory path to remove.
+ * @param publicKey  - Age public key for encryption.
+ * @param privateKey - Age private key for decryption.
+ * @returns `true` if the directory was removed, `false` if not found.
+ */
+export declare function removeRecentDirectory(syncDir: string, dirPath: string, publicKey: string, privateKey: string): Promise<boolean>;
+/**
+ * Get the most-visited recent directories.
+ *
+ * @param syncDir    - The sync directory.
+ * @param privateKey - Age private key.
+ * @param limit      - Maximum number to return (default: 10).
+ * @returns Sorted recent directories (most-visited first).
+ */
+export declare function getTopDirectories(syncDir: string, privateKey: string, limit?: number): Promise<RecentDirectory[]>;
+/**
+ * Get all pinned directories.
+ *
+ * @param syncDir    - The sync directory.
+ * @param privateKey - Age private key.
+ * @returns Array of pinned directory paths.
+ */
+export declare function getPinnedDirectories(syncDir: string, privateKey: string): Promise<string[]>;
+/**
+ * Validate a directory path for use in directory state.
+ *
+ * Thin wrapper around `validateProjectPath` exposed for external callers
+ * who want to validate before calling other functions.
+ *
+ * @param dirPath - The directory path to validate.
+ * @returns The canonicalised, validated path.
+ * @throws If the path is invalid.
+ */
+export declare function validateDirectoryPath(dirPath: string): string;
+//# sourceMappingURL=directories-handler.d.ts.map

package/dist/core/directories-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"directories-handler.d.ts","sourceRoot":"","sources":["../../src/core/directories-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAMxE;;;GAGG;AACH,eAAO,MAAM,eAAe,KAAK,CAAC;AAwBlC;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,cAAc,CAAC,CAOzB;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,cAAc,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,IAAI,CAAC,CAEf;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,OAAO,CAAC,CAYlB;AAED;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,OAAO,CAAC,CAalB;AAED;;;;;;;;GAQG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,OAAO,CAAC,CAalB;AAED;;;;;;;GAOG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,KAAK,SAAK,GACT,OAAO,CAAC,eAAe,EAAE,CAAC,CAG5B;AAED;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,EAAE,CAAC,CAGnB;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAE7D"}