defense-mcp-server 0.9.3 → 0.9.4

package/build/core/distro-adapter.d.ts

@@ -1,172 +0,0 @@
-/**
- * DistroAdapter — unified cross-distribution API for the Defense MCP Server.
- *
- * This module provides a single, cached adapter instance that abstracts away
- * distribution-specific differences in:
- *   - Package management (apt / dnf / yum / zypper / pacman / apk)
- *   - Service management (systemd / openrc / sysvinit / launchd)
- *   - Firewall backends (iptables / nftables / ufw / firewalld)
- *   - File system paths (logs, PAM configs, syslog, package tools)
- *   - Package integrity checking (debsums / rpm -V)
- *   - Automatic updates configuration
- *
- * Supported distributions:
- *   Debian, Ubuntu, Kali, Linux Mint, Pop!_OS  →  debian family
- *   RHEL, CentOS, Fedora, Rocky, AlmaLinux     →  rhel family
- *   openSUSE, SLES                              →  suse family
- *   Arch, Manjaro                               →  arch family
- *   Alpine                                      →  alpine family
- *
- * Usage:
- *   import { getDistroAdapter } from "../core/distro-adapter.js";
- *   const da = await getDistroAdapter();
- *   const cmd = da.pkg.installCmd("nginx");  // distro-correct install
- *   const logPath = da.paths.syslog;          // "/var/log/syslog" or "/var/log/messages"
- */
-import { type DistroInfo, type PackageManagerCommands, type ServiceManagerCommands, type FirewallBackendCommands } from "./distro.js";
-/** System paths that vary across distributions. */
-export interface DistroPaths {
-    /** Primary syslog file */
-    syslog: string;
-    /** Authentication log */
-    authLog: string;
-    /** PAM common-auth or system-auth equivalent */
-    pamAuth: string;
-    /** PAM common-password or password-auth equivalent */
-    pamPassword: string;
-    /** PAM common-session equivalent */
-    pamSession: string;
-    /** PAM common-account equivalent */
-    pamAccount: string;
-    /** All PAM config files to audit */
-    pamAllConfigs: string[];
-    /** Auto-update config dir (apt.conf.d, dnf automatic, etc.) */
-    autoUpdateConfig: string;
-    /** Auto-update package name */
-    autoUpdatePackage: string;
-    /** Auto-update service name */
-    autoUpdateService: string;
-    /** Firewall persistence config path */
-    firewallPersistenceConfig: string;
-    /** Package manager lock file */
-    packageLockFile: string;
-    /** Network interface config dir */
-    networkConfigDir: string;
-    /** Kernel modules blacklist config */
-    modprobeDir: string;
-    /** GRUB config file */
-    grubConfig: string;
-    /** GRUB defaults file */
-    grubDefaults: string;
-    /** GRUB update command */
-    grubUpdateCmd: string[];
-}
-/** Package integrity check configuration. */
-export interface IntegrityCheckConfig {
-    /** Whether integrity checking is supported */
-    supported: boolean;
-    /** The command to check package integrity */
-    checkCmd: string[];
-    /** The command to check a specific package */
-    checkPackageCmd: (pkg: string) => string[];
-    /** Name of the integrity tool */
-    toolName: string;
-    /** How to install the integrity tool */
-    installHint: string;
-}
-/** Auto-update audit configuration. */
-export interface AutoUpdateConfig {
-    /** Whether auto-updates are supported on this distro */
-    supported: boolean;
-    /** Package name for auto-updates */
-    packageName: string;
-    /** How to check if auto-update is installed */
-    checkInstalledCmd: string[];
-    /** Service name to check */
-    serviceName: string;
-    /** Config files to audit */
-    configFiles: string[];
-    /** How to install auto-updates */
-    installHint: string;
-}
-/** Package listing/querying commands. */
-export interface PackageQueryCommands {
-    /** List all installed packages */
-    listInstalledCmd: string[];
-    /** Query a specific package (returns version info) */
-    queryPackageCmd: (pkg: string) => string[];
-    /** List available upgrades */
-    listUpgradableCmd: string[];
-    /** Show held/locked packages */
-    showHeldCmd: string[];
-    /** Simulate upgrade (dry-run) */
-    simulateUpgradeCmd: string[];
-    /** Show package changelog */
-    changelogCmd: (pkg: string) => string[];
-    /** Show package policy/info */
-    policyCmd: (pkg: string) => string[];
-    /** Check if a specific package is installed */
-    isInstalledCmd: (pkg: string) => string[];
-    /** List installed kernel packages */
-    listKernelsCmd: string[];
-    /** Check for auto-removable packages */
-    autoRemoveCmd: string[];
-}
-/** Firewall persistence commands. */
-export interface FirewallPersistenceConfig {
-    /** Package name for firewall persistence */
-    packageName: string;
-    /** How to check if persistence is installed */
-    checkInstalledCmd: string[];
-    /** Install command (already includes sudo) */
-    installCmd: string[];
-    /** Service name for persistence */
-    serviceName: string;
-    /** Enable persistence service */
-    enableCmd: string[];
-    /** Save rules command */
-    saveCmd: string[];
-    /** Rollback/uninstall hint */
-    uninstallHint: string;
-}
-export declare class DistroAdapter {
-    readonly distro: DistroInfo;
-    readonly pkg: PackageManagerCommands;
-    readonly svc: ServiceManagerCommands;
-    readonly fw: FirewallBackendCommands;
-    readonly paths: DistroPaths;
-    readonly integrity: IntegrityCheckConfig;
-    readonly autoUpdate: AutoUpdateConfig;
-    readonly pkgQuery: PackageQueryCommands;
-    readonly fwPersistence: FirewallPersistenceConfig;
-    constructor(distro: DistroInfo, pkg: PackageManagerCommands, svc: ServiceManagerCommands, fw: FirewallBackendCommands);
-    /** Human-readable summary of the detected environment. */
-    get summary(): string;
-    /** Whether the distro family is Debian-based. */
-    get isDebian(): boolean;
-    /** Whether the distro family is RHEL-based. */
-    get isRhel(): boolean;
-    /** Whether the distro family is SUSE-based. */
-    get isSuse(): boolean;
-    /** Whether the distro family is Arch-based. */
-    get isArch(): boolean;
-    /** Whether the distro family is Alpine. */
-    get isAlpine(): boolean;
-    /** Install a package using the distro's package manager (returns command array). */
-    installPkg(pkg: string): {
-        command: string;
-        args: string[];
-    };
-    /** Remove a package using the distro's package manager (returns command array). */
-    removePkg(pkg: string): {
-        command: string;
-        args: string[];
-    };
-}
-/**
- * Returns the singleton DistroAdapter.
- * On first call it detects the distribution and builds all adapters.
- * Subsequent calls return the cached instance.
- */
-export declare function getDistroAdapter(): Promise<DistroAdapter>;
-//# sourceMappingURL=distro-adapter.d.ts.map

package/build/core/distro-adapter.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"distro-adapter.d.ts","sourceRoot":"","sources":["../../src/core/distro-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAKL,KAAK,UAAU,EACf,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC7B,MAAM,aAAa,CAAC;AAIrB,mDAAmD;AACnD,MAAM,WAAW,WAAW;IAC1B,0BAA0B;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,yBAAyB;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,gDAAgD;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,sDAAsD;IACtD,WAAW,EAAE,MAAM,CAAC;IACpB,oCAAoC;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,oCAAoC;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,oCAAoC;IACpC,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,+DAA+D;IAC/D,gBAAgB,EAAE,MAAM,CAAC;IACzB,+BAA+B;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,+BAA+B;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,uCAAuC;IACvC,yBAAyB,EAAE,MAAM,CAAC;IAClC,gCAAgC;IAChC,eAAe,EAAE,MAAM,CAAC;IACxB,mCAAmC;IACnC,gBAAgB,EAAE,MAAM,CAAC;IACzB,sCAAsC;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,yBAAyB;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,0BAA0B;IAC1B,aAAa,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,6CAA6C;AAC7C,MAAM,WAAW,oBAAoB;IACnC,8CAA8C;IAC9C,SAAS,EAAE,OAAO,CAAC;IACnB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,8CAA8C;IAC9C,eAAe,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IAC3C,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,uCAAuC;AACvC,MAAM,WAAW,gBAAgB;IAC/B,wDAAwD;IACxD,SAAS,EAAE,OAAO,CAAC;IACnB,oCAAoC;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,+CAA+C;IAC/C,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,4BAA4B;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,4BAA4B;IAC5B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,kCAAkC;IAClC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACnC,kCAAkC;IAClC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,sDAAsD;IACtD,eAAe,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IAC3C,8BAA8B;IAC9B,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,gCAAgC;IAChC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,iCAAiC;IACjC,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAC7B,6BAA6B;IAC7B,YAAY,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IACxC,+BAA+B;IAC/B,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IACrC,+CAA+C;IAC/C,cAAc,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IAC1C,qCAAqC;IACrC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,wCAAwC;IACxC,aAAa,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,qCAAqC;AACrC,MAAM,WAAW,yBAAyB;IACxC,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,+CAA+C;IAC/C,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,8CAA8C;IAC9C,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,mCAAmC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,yBAAyB;IACzB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,8BAA8B;IAC9B,aAAa,EAAE,MAAM,CAAC;CACvB;AAID,qBAAa,aAAa;IACxB,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAC5B,QAAQ,CAAC,GAAG,EAAE,sBAAsB,CAAC;IACrC,QAAQ,CAAC,GAAG,EAAE,sBAAsB,CAAC;IACrC,QAAQ,CAAC,EAAE,EAAE,uBAAuB,CAAC;IACrC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,oBAAoB,CAAC;IACzC,QAAQ,CAAC,UAAU,EAAE,gBAAgB,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,oBAAoB,CAAC;IACxC,QAAQ,CAAC,aAAa,EAAE,yBAAyB,CAAC;gBAGhD,MAAM,EAAE,UAAU,EAClB,GAAG,EAAE,sBAAsB,EAC3B,GAAG,EAAE,sBAAsB,EAC3B,EAAE,EAAE,uBAAuB;IAa7B,0DAA0D;IAC1D,IAAI,OAAO,IAAI,MAAM,CAMpB;IAED,iDAAiD;IACjD,IAAI,QAAQ,IAAI,OAAO,CAA4C;IAEnE,+CAA+C;IAC/C,IAAI,MAAM,IAAI,OAAO,CAA0C;IAE/D,+CAA+C;IAC/C,IAAI,MAAM,IAAI,OAAO,CAA0C;IAE/D,+CAA+C;IAC/C,IAAI,MAAM,IAAI,OAAO,CAA0C;IAE/D,2CAA2C;IAC3C,IAAI,QAAQ,IAAI,OAAO,CAA4C;IAEnE,oFAAoF;IACpF,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE;IAK5D,mFAAmF;IACnF,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE;CAI5D;AA0ZD;;;;GAIG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,aAAa,CAAC,CAa/D"}

package/build/core/distro.d.ts

@@ -1,57 +0,0 @@
-/**
- * Top-level operating system family.
- * 'wsl' is reported when running inside Windows Subsystem for Linux.
- */
-export type OsFamily = "linux" | "darwin" | "wsl";
-/** Linux distribution family identifiers. */
-export type DistroFamily = "debian" | "rhel" | "arch" | "alpine" | "suse" | "unknown";
-export type SpecificDistro = "debian" | "ubuntu" | "kali" | "fedora" | "rhel" | "centos" | "arch" | "alpine" | "opensuse" | "macos" | "unknown";
-/** Package manager identifiers (extended with brew). */
-export type PackageManagerName = "apt" | "dnf" | "yum" | "pacman" | "brew" | "apk" | "zypper" | "unknown";
-export type InitSystem = "systemd" | "openrc" | "launchd" | "sysvinit" | "unknown";
-export interface PackageManagerCommands {
-    installCmd(pkg: string): string[];
-    removeCmd(pkg: string): string[];
-    updateCmd(): string[];
-    searchCmd(term: string): string[];
-    listInstalledCmd(): string[];
-}
-export interface ServiceManagerCommands {
-    startCmd(svc: string): string[];
-    stopCmd(svc: string): string[];
-    enableCmd(svc: string): string[];
-    disableCmd(svc: string): string[];
-    statusCmd(svc: string): string[];
-    listServicesCmd(): string[];
-}
-export type FirewallBackendName = "iptables" | "nftables" | "ufw" | "firewalld" | "pf" | "unknown";
-export interface FirewallBackendCommands {
-    readonly name: FirewallBackendName;
-    allowCmd(port: number, proto?: string): string[];
-    denyCmd(port: number, proto?: string): string[];
-    listCmd(): string[];
-    flushCmd(): string[];
-}
-export interface DistroInfo {
-    id: string;
-    name: string;
-    version: string;
-    osFamily: OsFamily;
-    specificDistro: SpecificDistro;
-    family: DistroFamily;
-    packageManager: PackageManagerName;
-    initSystem: InitSystem;
-    hasFirewalld: boolean;
-    hasUfw: boolean;
-    hasSelinux: boolean;
-    hasApparmor: boolean;
-}
-export declare function detectDistro(): Promise<DistroInfo>;
-export declare function getPackageManager(nameOrDistro?: string): PackageManagerCommands;
-export declare function getServiceManager(initSystem?: InitSystem): ServiceManagerCommands;
-export declare function getFirewallBackend(): Promise<FirewallBackendCommands>;
-/** @deprecated Prefer getPackageManager(pkgManager).installCmd(pkg) */
-export declare function getInstallCommand(pkgManager: PackageManagerName, pkg: string): string[];
-/** @deprecated Prefer getPackageManager(pkgManager).updateCmd() */
-export declare function getUpdateCommand(pkgManager: PackageManagerName): string[];
-//# sourceMappingURL=distro.d.ts.map

package/build/core/distro.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"distro.d.ts","sourceRoot":"","sources":["../../src/core/distro.ts"],"names":[],"mappings":"AAMA;;;GAGG;AACH,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,QAAQ,GAAG,KAAK,CAAC;AAIlD,6CAA6C;AAC7C,MAAM,MAAM,YAAY,GACpB,QAAQ,GACR,MAAM,GACN,MAAM,GACN,QAAQ,GACR,MAAM,GACN,SAAS,CAAC;AAId,MAAM,MAAM,cAAc,GACtB,QAAQ,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAC3D,MAAM,GAAG,QAAQ,GAAG,UAAU,GAAG,OAAO,GAAG,SAAS,CAAC;AAIzD,wDAAwD;AACxD,MAAM,MAAM,kBAAkB,GAC1B,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,SAAS,CAAC;AAK7E,MAAM,MAAM,UAAU,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,GAAG,UAAU,GAAG,SAAS,CAAC;AAInF,MAAM,WAAW,sBAAsB;IACrC,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAClC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjC,SAAS,IAAI,MAAM,EAAE,CAAC;IACtB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAClC,gBAAgB,IAAI,MAAM,EAAE,CAAC;CAC9B;AAID,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAChC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC/B,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjC,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAClC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjC,eAAe,IAAI,MAAM,EAAE,CAAC;CAC7B;AAID,MAAM,MAAM,mBAAmB,GAC3B,UAAU,GAAG,UAAU,GAAG,KAAK,GAAG,WAAW,GAAG,IAAI,GAAG,SAAS,CAAC;AAErE,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,mBAAmB,CAAC;IACnC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjD,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAChD,OAAO,IAAI,MAAM,EAAE,CAAC;IACpB,QAAQ,IAAI,MAAM,EAAE,CAAC;CACtB;AAID,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,QAAQ,CAAC;IACnB,cAAc,EAAE,cAAc,CAAC;IAC/B,MAAM,EAAE,YAAY,CAAC;IACrB,cAAc,EAAE,kBAAkB,CAAC;IACnC,UAAU,EAAE,UAAU,CAAC;IACvB,YAAY,EAAE,OAAO,CAAC;IACtB,MAAM,EAAE,OAAO,CAAC;IAChB,UAAU,EAAE,OAAO,CAAC;IACpB,WAAW,EAAE,OAAO,CAAC;CACtB;AAgFD,wBAAsB,YAAY,IAAI,OAAO,CAAC,UAAU,CAAC,CAmHxD;AAID,wBAAgB,iBAAiB,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,sBAAsB,CA4D/E;AA4BD,wBAAgB,iBAAiB,CAAC,UAAU,CAAC,EAAE,UAAU,GAAG,sBAAsB,CAoCjF;AAmDD,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,uBAAuB,CAAC,CAc3E;AAID,uEAAuE;AACvE,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,kBAAkB,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAEvF;AAED,mEAAmE;AACnE,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,kBAAkB,GAAG,MAAM,EAAE,CAEzE"}

package/build/core/encrypted-state.d.ts

@@ -1,69 +0,0 @@
-/**
- * encrypted-state.ts — Encrypted storage for sensitive state data.
- *
- * Provides AES-256-GCM encrypted at-rest storage for rollback data,
- * policy files, sudo session tokens, and other sensitive state.
- *
- * Key derivation uses PBKDF2 from a configurable secret via the
- * `DEFENSE_MCP_STATE_KEY` environment variable. If no key is
- * configured, falls back to unencrypted mode with a warning.
- *
- * @module encrypted-state
- */
-/**
- * Encrypted state storage for sensitive data at rest.
- *
- * Uses AES-256-GCM with PBKDF2-derived keys when `DEFENSE_MCP_STATE_KEY`
- * is set. Falls back to plaintext JSON when no key is configured.
- */
-export declare class SecureStateStore {
-    private readonly stateDir;
-    private readonly secret;
-    /**
-     * @param stateDir - Directory for state files (default: `/tmp/defense-mcp/state/`)
-     * @param secret - Encryption secret. If omitted, reads from `DEFENSE_MCP_STATE_KEY` env var.
-     *                 Pass empty string or omit to use unencrypted fallback.
-     */
-    constructor(stateDir?: string, secret?: string);
-    /**
-     * Whether the store is operating in encrypted mode.
-     */
-    get encrypted(): boolean;
-    /**
-     * Save a state object to disk.
-     *
-     * @param id - Unique identifier for the state (used as filename stem)
-     * @param data - JSON-serializable object to persist
-     */
-    save(id: string, data: object): void;
-    /**
-     * Load a state object from disk.
-     *
-     * @param id - Unique identifier for the state
-     * @returns The deserialized object, or `null` if the state file doesn't exist
-     */
-    load(id: string): object | null;
-    /**
-     * Delete a state file from disk.
-     *
-     * @param id - Unique identifier for the state to delete
-     */
-    delete(id: string): void;
-    /** Build the full file path for a state ID. */
-    private filePath;
-    /** Ensure the state directory exists with secure permissions. */
-    private ensureStateDir;
-    /** Derive an AES-256 key from the secret and a salt. */
-    private deriveKey;
-    /**
-     * Encrypt plaintext JSON using AES-256-GCM.
-     * Returns a Buffer: [salt (16)] [iv (12)] [authTag (16)] [ciphertext]
-     */
-    private encrypt;
-    /**
-     * Decrypt an AES-256-GCM encrypted buffer.
-     * Expects format: [salt (16)] [iv (12)] [authTag (16)] [ciphertext]
-     */
-    private decrypt;
-}
-//# sourceMappingURL=encrypted-state.d.ts.map

package/build/core/encrypted-state.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"encrypted-state.d.ts","sourceRoot":"","sources":["../../src/core/encrypted-state.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AA4DH;;;;;GAKG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IAEvC;;;;OAIG;gBACS,QAAQ,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM;IAwB9C;;OAEG;IACH,IAAI,SAAS,IAAI,OAAO,CAEvB;IAED;;;;;OAKG;IACH,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI;IAmBpC;;;;;OAKG;IACH,IAAI,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAiB/B;;;;OAIG;IACH,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAcxB,+CAA+C;IAC/C,OAAO,CAAC,QAAQ;IAMhB,iEAAiE;IACjE,OAAO,CAAC,cAAc;IAOtB,wDAAwD;IACxD,OAAO,CAAC,SAAS;IAajB;;;OAGG;IACH,OAAO,CAAC,OAAO;IAgBf;;;OAGG;IACH,OAAO,CAAC,OAAO;CAoChB"}

package/build/core/executor.d.ts

@@ -1,65 +0,0 @@
-/**
- * Options for executing a command.
- */
-export interface ExecuteOptions {
-    /** The command binary to execute */
-    command: string;
-    /** Arguments to pass to the command */
-    args: string[];
-    /** Timeout in milliseconds (overrides default) */
-    timeout?: number;
-    /** Working directory for the command */
-    cwd?: string;
-    /** Additional environment variables */
-    env?: Record<string, string>;
-    /** Data to pipe to stdin (Buffer preferred for sensitive data like passwords) */
-    stdin?: string | Buffer;
-    /** Maximum output buffer size in bytes */
-    maxBuffer?: number;
-    /** Tool name for rate-limiting and timeout lookup (REQUIRED) */
-    toolName: string;
-    /** Skip automatic sudo credential injection (used internally) */
-    skipSudoInjection?: boolean;
-    /**
-     * Skip auto-sudo wrapping for this command.
-     *
-     * When a SudoSession is active, `executeCommand()` automatically wraps
-     * non-sudo commands with `sudo` so credentials are injected transparently.
-     * Set this to `true` for commands that must NOT run as root (e.g.,
-     * user-level operations or sudo-session management itself).
-     */
-    skipAutoSudo?: boolean;
-}
-/**
- * Result of a command execution.
- */
-export interface CommandResult {
-    /** Standard output content */
-    stdout: string;
-    /** Standard error content */
-    stderr: string;
-    /** Process exit code (124 on timeout) */
-    exitCode: number;
-    /** Whether the command was killed due to timeout */
-    timedOut: boolean;
-    /** Wall-clock duration in milliseconds */
-    duration: number;
-    /**
-     * Whether the command failed due to insufficient privileges.
-     * Detected by analyzing stderr/stdout against known permission error patterns.
-     * When `true`, the caller should prompt the user to call `sudo_elevate`.
-     */
-    permissionDenied: boolean;
-}
-/**
- * Executes a command safely using spawn with shell: false.
- *
- * - Transparently injects sudo credentials from SudoSession when available
- * - Uses AbortController for timeout enforcement
- * - Caps stdout/stderr buffers to maxBuffer
- * - Tracks execution duration
- * - Handles stdin piping
- * - Catches spawn errors gracefully
- */
-export declare function executeCommand(options: ExecuteOptions): Promise<CommandResult>;
-//# sourceMappingURL=executor.d.ts.map

package/build/core/executor.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../src/core/executor.ts"],"names":[],"mappings":"AAmFA;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,uCAAuC;IACvC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,0CAA0C;IAC1C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gEAAgE;IAChE,QAAQ,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;;;;;OAOG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,QAAQ,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AA0FD;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,aAAa,CAAC,CAoPxB"}

package/build/core/installer.d.ts

@@ -1,129 +0,0 @@
-/**
- * Category of a defensive tool.
- */
-export type ToolCategory = "hardening" | "firewall" | "monitoring" | "assessment" | "network" | "access" | "access-control" | "encryption" | "container" | "malware" | "forensics" | "integrity" | "compliance" | "logging" | "supply-chain";
-/**
- * Package names per distribution family.
- */
-export interface PackageNames {
-    debian?: string;
-    rhel?: string;
-    arch?: string;
-    alpine?: string;
-    suse?: string;
-    fallback?: string;
-}
-/**
- * Requirements for a defensive tool.
- */
-export interface ToolRequirement {
-    /** Human-readable tool name */
-    name: string;
-    /** Binary name to check for availability */
-    binary: string;
-    /** Package names per distribution */
-    packages: PackageNames;
-    /** Category of the tool */
-    category: ToolCategory;
-    /** Whether the tool is required (vs optional) */
-    required: boolean;
-    /** If this tool is an alternative for another */
-    alternativeFor?: string;
-    /**
-     * If true, this tool is NOT a standalone binary — it's a PAM module, library,
-     * or other non-binary dependency. Binary existence checks should be skipped;
-     * instead check for the package being installed (e.g. via dpkg -l).
-     */
-    isPackageOnly?: boolean;
-    /**
-     * If true, this tool is NOT available in standard distro repos and requires
-     * third-party installation (manual download, external repo, npm global, etc.).
-     * The `thirdPartyInstallHint` field provides the install command.
-     */
-    isThirdParty?: boolean;
-    /** Install command/instructions for third-party tools not in standard repos. */
-    thirdPartyInstallHint?: string;
-    /**
-     * Known conflicts with other packages. If any of these packages are installed,
-     * this tool cannot be installed alongside them.
-     */
-    conflictsWith?: string[];
-    /**
-     * Notes about availability, deprecation, or platform-specific issues.
-     */
-    availabilityNote?: string;
-}
-/**
- * Result of checking a tool's availability.
- */
-export interface ToolCheckResult {
-    /** Tool requirement info */
-    tool: ToolRequirement;
-    /** Whether the tool is installed */
-    installed: boolean;
-    /** Detected version string (if available) */
-    version?: string;
-    /** Path to the binary (if found) */
-    path?: string;
-}
-/**
- * Result of installing a tool.
- */
-export interface InstallResult {
-    /** Tool requirement info */
-    tool: ToolRequirement;
-    /** Whether installation succeeded */
-    success: boolean;
-    /** Output/error message */
-    message: string;
-}
-/**
- * Comprehensive list of defensive security tools across categories.
- */
-export declare const DEFENSIVE_TOOLS: ToolRequirement[];
-/**
- * Checks whether a tool binary is available on the system.
- * Uses the command allowlist (which already resolved paths via existsSync at
- * startup) or falls back to probing standard binary directories with
- * existsSync. This avoids shelling out to `which`, which is blocked by the
- * command allowlist.
- */
-export declare function checkTool(binary: string): Promise<{
-    installed: boolean;
-    version?: string;
-    path?: string;
-}>;
-/**
- * Checks all defensive tools or a specific category.
- *
- * @param category Optional category to filter by
- * @returns Array of check results
- */
-export declare function checkAllTools(category?: ToolCategory): Promise<ToolCheckResult[]>;
-/**
- * Installs a tool using the detected distribution's package manager.
- *
- * @param tool Tool requirement to install
- * @returns Installation result
- */
-export declare function installTool(tool: ToolRequirement): Promise<InstallResult>;
-/**
- * Checks for missing tools and optionally installs them.
- *
- * @param category Optional category filter
- * @param dryRun If true, only report what would be installed
- * @returns Array of install results (or what would be installed)
- */
-export declare function installMissing(category?: ToolCategory, dryRun?: boolean): Promise<InstallResult[]>;
-/**
- * Returns a human-readable install command for a given tool on the detected distro.
- * E.g. "sudo apt install -y lynis"
- */
-export declare function getInstallHint(tool: ToolRequirement): Promise<string | null>;
-/**
- * Builds a reverse lookup from alternativeFor: primary tool name → alternative tools.
- * Used by the audit gate to skip blocking on a required tool when its alternative
- * is installed.
- */
-export declare function getAlternativesMap(): Map<string, ToolRequirement[]>;
-//# sourceMappingURL=installer.d.ts.map

package/build/core/installer.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"installer.d.ts","sourceRoot":"","sources":["../../src/core/installer.ts"],"names":[],"mappings":"AAUA;;GAEG;AACH,MAAM,MAAM,YAAY,GACpB,WAAW,GACX,UAAU,GACV,YAAY,GACZ,YAAY,GACZ,SAAS,GACT,QAAQ,GACR,gBAAgB,GAChB,YAAY,GACZ,WAAW,GACX,SAAS,GACT,WAAW,GACX,WAAW,GACX,YAAY,GACZ,SAAS,GACT,cAAc,CAAC;AAEnB;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,+BAA+B;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,qCAAqC;IACrC,QAAQ,EAAE,YAAY,CAAC;IACvB,2BAA2B;IAC3B,QAAQ,EAAE,YAAY,CAAC;IACvB,iDAAiD;IACjD,QAAQ,EAAE,OAAO,CAAC;IAClB,iDAAiD;IACjD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;OAIG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,gFAAgF;IAChF,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB;;OAEG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,4BAA4B;IAC5B,IAAI,EAAE,eAAe,CAAC;IACtB,oCAAoC;IACpC,SAAS,EAAE,OAAO,CAAC;IACnB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oCAAoC;IACpC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,4BAA4B;IAC5B,IAAI,EAAE,eAAe,CAAC;IACtB,qCAAqC;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAo9B5C,CAAC;AAYF;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAgDlE;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,QAAQ,CAAC,EAAE,YAAY,GACtB,OAAO,CAAC,eAAe,EAAE,CAAC,CAkB5B;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,aAAa,CAAC,CA0DxB;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,QAAQ,CAAC,EAAE,YAAY,EACvB,MAAM,CAAC,EAAE,OAAO,GACf,OAAO,CAAC,aAAa,EAAE,CAAC,CAgC1B;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,IAAI,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAQlF;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,GAAG,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAYnE"}

package/build/core/logger.d.ts

@@ -1,118 +0,0 @@
-/**
- * logger.ts — Structured logging module for security event correlation.
- *
- * Outputs JSON-formatted log entries with consistent fields for easy parsing
- * by log aggregation systems (ELK, Splunk, Loki, etc.).
- *
- * Supports standard log levels plus a `security` level for security-relevant
- * events (authentication, privilege escalation, policy violations).
- *
- * Optional file-based logging with size-based rotation via:
- *   DEFENSE_MCP_LOG_FILE=/path/to/logfile.json
- *   DEFENSE_MCP_LOG_MAX_SIZE=10485760  (10 MB default)
- *   DEFENSE_MCP_LOG_MAX_FILES=5        (keep 5 rotated files)
- *
- * @module logger
- * @see CICD-027
- */
-/** Supported log levels, ordered by severity (lowest to highest). */
-export type LogLevel = "debug" | "info" | "warn" | "error" | "security";
-/** A structured log entry written as JSON to stderr. */
-export interface LogEntry {
-    /** ISO 8601 UTC timestamp */
-    timestamp: string;
-    /** Log severity level */
-    level: LogLevel;
-    /** Module or subsystem that produced the log (e.g., "preflight", "executor") */
-    component: string;
-    /** Action being performed (e.g., "tool_invoked", "sudo_elevated") */
-    action: string;
-    /** Human-readable message */
-    message: string;
-    /** Optional structured details (tool params, error info, metrics, etc.) */
-    details?: Record<string, unknown>;
-}
-/**
- * Structured logger that outputs JSON to stderr.
- *
- * Uses stderr so log output doesn't interfere with MCP protocol messages
- * on stdout (StdioServerTransport).
- *
- * Optionally writes to a file with automatic size-based rotation when
- * DEFENSE_MCP_LOG_FILE is set.
- *
- * Usage:
- * ```typescript
- * import { logger } from './logger.js';
- *
- * logger.info('preflight', 'cache_hit', 'Pre-flight cache hit for tool', { toolName: 'firewall_iptables' });
- * logger.security('sudo-guard', 'elevation_requested', 'Sudo elevation requested', { tool: 'harden_sysctl' });
- * ```
- */
-export declare class Logger {
-    private minLevel;
-    private logFile;
-    private maxFileSize;
-    private maxFiles;
-    constructor(minLevel?: LogLevel);
-    /**
-     * Read the minimum log level from `DEFENSE_MCP_LOG_LEVEL` env var.
-     * Falls back to `"info"` if unset or invalid.
-     */
-    private parseEnvLevel;
-    /** Check whether a message at `level` should be emitted. */
-    private shouldLog;
-    /**
-     * Write a log line to the file, with size-based rotation.
-     * This is best-effort — file write failures don't throw.
-     */
-    private writeToFile;
-    /**
-     * Emit a structured log entry as a single JSON line to stderr.
-     *
-     * @param level     - Severity level
-     * @param component - Subsystem name (e.g., "executor", "preflight")
-     * @param action    - Action identifier (e.g., "command_executed", "cache_miss")
-     * @param message   - Human-readable description
-     * @param details   - Optional structured metadata
-     */
-    log(level: LogLevel, component: string, action: string, message: string, details?: Record<string, unknown>): void;
-    /** Log a debug-level message. */
-    debug(component: string, action: string, message: string, details?: Record<string, unknown>): void;
-    /** Log an info-level message. */
-    info(component: string, action: string, message: string, details?: Record<string, unknown>): void;
-    /** Log a warning-level message. */
-    warn(component: string, action: string, message: string, details?: Record<string, unknown>): void;
-    /** Log an error-level message. */
-    error(component: string, action: string, message: string, details?: Record<string, unknown>): void;
-    /**
-     * Log a security-relevant event.
-     *
-     * Security events are **always** emitted regardless of the configured
-     * minimum log level. Use for:
-     * - Authentication / privilege escalation events
-     * - Policy violations
-     * - Rate limit breaches
-     * - Suspicious input patterns
-     * - Configuration changes with security impact
-     */
-    security(component: string, action: string, message: string, details?: Record<string, unknown>): void;
-    /**
-     * Update the minimum log level at runtime.
-     * Useful for tests or dynamic configuration changes.
-     */
-    setLevel(level: LogLevel): void;
-    /** Get the current minimum log level. */
-    getLevel(): LogLevel;
-}
-/**
- * Default singleton logger instance.
- *
- * Import and use directly:
- * ```typescript
- * import { logger } from '../core/logger.js';
- * logger.info('my-module', 'action', 'Something happened');
- * ```
- */
-export declare const logger: Logger;
-//# sourceMappingURL=logger.d.ts.map

package/build/core/logger.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/core/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAOH,qEAAqE;AACrE,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,UAAU,CAAC;AAYxE,wDAAwD;AACxD,MAAM,WAAW,QAAQ;IACvB,6BAA6B;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,KAAK,EAAE,QAAQ,CAAC;IAChB,gFAAgF;IAChF,SAAS,EAAE,MAAM,CAAC;IAClB,qEAAqE;IACrE,MAAM,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,2EAA2E;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AA6CD;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,MAAM;IACjB,OAAO,CAAC,QAAQ,CAAW;IAC3B,OAAO,CAAC,OAAO,CAAgB;IAC/B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,QAAQ,CAAS;gBAEb,QAAQ,CAAC,EAAE,QAAQ;IAmB/B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAQrB,4DAA4D;IAC5D,OAAO,CAAC,SAAS;IAIjB;;;OAGG;IACH,OAAO,CAAC,WAAW;IAqBnB;;;;;;;;OAQG;IACH,GAAG,CACD,KAAK,EAAE,QAAQ,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAoBP,iCAAiC;IACjC,KAAK,CACH,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP,iCAAiC;IACjC,IAAI,CACF,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP,mCAAmC;IACnC,IAAI,CACF,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP,kCAAkC;IAClC,KAAK,CACH,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP;;;;;;;;;;OAUG;IACH,QAAQ,CACN,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,QAAQ,GAAG,IAAI;IAI/B,yCAAyC;IACzC,QAAQ,IAAI,QAAQ;CAGrB;AAID;;;;;;;;GAQG;AACH,eAAO,MAAM,MAAM,QAAe,CAAC"}