dravix-agent 0.1.0

package/dist/orchestrator.js

@@ -0,0 +1,596 @@
+/**
+ * Phase-0 orchestrator: runs all available engines in parallel on one file,
+ * merges + de-duplicates findings, returns a single `Action` decision.
+ *
+ * Hard end-to-end timeout (`totalTimeoutMs`) — if any engine is still running
+ * past that, its result is dropped (the gate prefers a timely "WARN, partial"
+ * over blocking the agent indefinitely).
+ *
+ * Caches per (engine, lang, content_hash) so re-runs on the same content are
+ * effectively free.
+ */
+import { existsSync, mkdirSync, appendFileSync } from "node:fs";
+import { join, resolve } from "node:path";
+import { Cache, cacheKeyForEngine } from "./cache.js";
+import { safeRun } from "./engines/types.js";
+import { ENGINES, STAGE2_ENGINES } from "./engines/registry.js";
+import { buildProjectContext } from "./index/context.js";
+import { findCallerSideRiskSignals } from "./index/graph_routing.js";
+import { findPropertyCandidates } from "./index/property-test.js";
+import { getIndexer } from "./index/scip.js";
+import { getVulRag } from "./index/vulrag.js";
+import { detectLang } from "./lang.js";
+import { isSuppressed } from "./learning/suppressions.js";
+import { findingMatches, loadPolicy } from "./policy.js";
+import { decide } from "./risk.js";
+import { getLogger } from "./util/logger.js";
+import { safeResolve } from "./util/safe-paths.js";
+const log = getLogger("aegis.orchestrator");
+const DEFAULT_TOTAL_TIMEOUT_MS = 5_000;
+const DEFAULT_PER_ENGINE_TIMEOUT_MS = 4_000;
+const ENGINE_RESULT_CACHE_TTL_MS = 5 * 60 * 1000; // 5 min — keep through a coding session
+/** Critic gets its own budget — claude -p --effort max routinely takes
+ * 15-60 s, far longer than DEFAULT_TOTAL_TIMEOUT_MS. Override via
+ * ``AEGIS_CRITIC_TIMEOUT_MS``. */
+const DEFAULT_CRITIC_TIMEOUT_MS = 120_000;
+/** Vul-RAG similarity above which we consider the file "suspicious enough"
+ * to warrant a critic call even when stage-1 had nothing. The default
+ * (0.55) was empirically chosen against the canonical CWE pattern smoke:
+ * SQLi/XSS/cmd-inj/secret-leak patterns all hit ≥ 0.55 on top-1; benign
+ * code lands < 0.4. Override with ``AEGIS_CRITIC_ROUTE_VULRAG``. */
+const DEFAULT_VULRAG_ROUTE_THRESHOLD = 0.55;
+/** Lightweight detection: does the file use a concurrency primitive in a
+ * way that warrants the critic? Cheap regex pass — no AST, no I/O.
+ *
+ * Hits one of:
+ *   - Python: threading|asyncio|multiprocessing|concurrent.futures import
+ *             AND .start() / await / asyncio.gather / .submit() / .map_async
+ *   - JS/TS:  Promise.all / Promise.race / Worker / new Worker / cluster.fork
+ *
+ * Race conditions / missing-await / ordering bugs almost never show up in
+ * stage-1 static engines without a CPG (Joern / Pysa) and Vul-RAG often
+ * misses them too — but the critic catches them reliably when invoked
+ * (verified via AEGIS_CRITIC_FORCE on the redteam/v2_18/worker.py case
+ * which had 0 stage-1 findings but 2 critic findings when forced).
+ */
+function concurrencyHint(content, lang) {
+    if (lang === "python") {
+        const importsThreading = /\b(?:from\s+threading\b|import\s+threading\b|from\s+asyncio\b|import\s+asyncio\b|from\s+multiprocessing\b|import\s+multiprocessing\b|from\s+concurrent\.futures\b)/.test(content);
+        if (!importsThreading)
+            return false;
+        const dispatches = /\b(?:Thread\s*\(|Process\s*\(|\.start\s*\(\s*\)|asyncio\.gather|asyncio\.create_task|asyncio\.run\s*\(|await\s+|\.submit\s*\(|\.map\s*\(|\.map_async\s*\()/.test(content);
+        return dispatches;
+    }
+    if (lang === "javascript" || lang === "typescript") {
+        const concurrencyApi = /\b(?:Promise\.(?:all|race|allSettled|any)|new\s+Worker\s*\(|cluster\.fork\s*\(|worker_threads|setImmediate\s*\()/.test(content);
+        return concurrencyApi;
+    }
+    return false;
+}
+/** Routing predicate: should we spend an LLM message on this file?
+ *
+ * Decision matrix (first hit wins):
+ *   AEGIS_CRITIC_DISABLE=1  → never (kill switch)
+ *   AEGIS_CRITIC_FORCE=1    → always (debugging / force-check)
+ *   stage-1 finding         → run
+ *   caller_of_risky         → run + carry hits to the critic.
+ *                             V2-14 eval found 2/7 cross-file bugs were
+ *                             missed because the caller file (e.g. a
+ *                             route) had no obvious pattern in isolation
+ *                             but imported a function Joern had already
+ *                             flagged. This signal closes that gap.
+ *   property_candidate      → run (Python math/money names)
+ *   vulrag_signal           → run (security KB semantic match)
+ *   else                    → skip
+ *
+ * Vul-RAG check costs ~30 ms after warm; candidate scan + import parse
+ * are each <1 ms. Phase 4 will replace the whole stack with the 150M
+ * router for sharper classification.
+ */
+async function decideStage2(stage1Findings, content, lang, projectRoot) {
+    if (process.env.AEGIS_CRITIC_DISABLE === "1") {
+        return { run: false, reason: "disabled" };
+    }
+    if (process.env.AEGIS_CRITIC_FORCE === "1") {
+        return { run: true, reason: "forced" };
+    }
+    if (stage1Findings.length > 0) {
+        return { run: true, reason: "stage1_findings" };
+    }
+    // Graph-aware routing: file imports a module that ALREADY has Joern
+    // or Pysa findings. The critic on this file needs to see THIS file's
+    // usage of that risky module — without this, the route file looks
+    // clean alone but the SQLi flowing into the imported module isn't
+    // even routed for review.
+    if (projectRoot) {
+        try {
+            const hits = findCallerSideRiskSignals(content, projectRoot, lang);
+            if (hits.length > 0) {
+                log.debug("stage2 routing: caller_of_risky", {
+                    n_hits: hits.length,
+                    modules: [...new Set(hits.map((h) => h.importedModule))].slice(0, 5),
+                    source_engines: [...new Set(hits.map((h) => h.sourceEngine))],
+                });
+                return { run: true, reason: "caller_of_risky", callerHits: hits };
+            }
+        }
+        catch (err) {
+            log.debug("caller-of-risky check failed; falling through", { err: String(err) });
+        }
+    }
+    // Property-test signal: Python file with at least one high-risk function
+    // (math / money / auth name pattern). Cheap regex pass, no I/O.
+    if (lang === "python") {
+        const cands = findPropertyCandidates(content, 1);
+        if (cands.length > 0) {
+            log.debug("stage2 routing: python property-test candidate", { fn: cands[0].name });
+            return { run: true, reason: "property_candidate" };
+        }
+    }
+    // Concurrency-hint signal: race conditions / missing-await / ordering
+    // bugs almost never surface in stage-1 static engines without a CPG,
+    // and Vul-RAG often misses them too — but the critic catches them
+    // reliably when invoked.
+    if (concurrencyHint(content, lang)) {
+        log.debug("stage2 routing: concurrency primitives detected");
+        return { run: true, reason: "concurrency_hint" };
+    }
+    // Vul-RAG fallback signal — Semgrep / Pyright / etc. may be absent.
+    try {
+        const threshold = Number(process.env.AEGIS_CRITIC_ROUTE_VULRAG ?? DEFAULT_VULRAG_ROUTE_THRESHOLD);
+        if (!Number.isFinite(threshold) || threshold > 1 || threshold < 0) {
+            return { run: false, reason: "bad_threshold" };
+        }
+        const rag = getVulRag();
+        const hits = await rag.topK(content.slice(0, 4000), 1, {
+            ...(lang !== "unknown" ? { language: String(lang) } : {}),
+            minSimilarity: threshold,
+        });
+        if (hits.length > 0) {
+            log.debug("critic routing: vulrag top-1 above threshold", {
+                cwe: hits[0].entry.cwe,
+                similarity: hits[0].similarity,
+                threshold,
+            });
+            return { run: true, reason: "vulrag_signal" };
+        }
+        return { run: false, reason: "no_signal" };
+    }
+    catch (err) {
+        log.debug("critic routing: vulrag check failed; default to skip", { err: String(err) });
+        return { run: false, reason: "vulrag_unavailable" };
+    }
+}
+export async function runGate(input) {
+    const t0 = Date.now();
+    const totalTimeout = input.totalTimeoutMs ?? DEFAULT_TOTAL_TIMEOUT_MS;
+    const lang = detectLang(input.filePath);
+    // Safety: resolve the file path against the project root if given. When the
+    // caller explicitly opts out (ad-hoc scan), only the denylist applies.
+    const containmentRoot = input.enforceContainment === false ? undefined : input.projectRoot;
+    const sp = safeResolve(input.filePath, containmentRoot);
+    if (!sp.ok) {
+        log.warn("path check failed", { file: input.filePath, reason: sp.reason });
+        return {
+            filePath: input.filePath,
+            lang,
+            decision: {
+                action: "block",
+                driving: null,
+                summary: `BLOCK — refused to scan path (${sp.reason}).`,
+                blockCount: 1,
+                warnCount: 0,
+                totalFindings: 0,
+            },
+            findings: [],
+            engineResults: [],
+            durationMs: Date.now() - t0,
+            truncated: false,
+            pathCheck: { ok: false, reason: sp.reason ?? "denied" },
+        };
+    }
+    const enginesAll = input.engines ?? ENGINES;
+    // Engine availability is cached per process inside each engine impl;
+    // the warm path additionally supplies an override map that was probed
+    // once at server boot, so we don't even cross the engine boundary.
+    const enginesAvailable = [];
+    for (const e of enginesAll) {
+        const override = input.availabilityOverride?.get(e.name);
+        let ok;
+        if (override !== undefined) {
+            ok = override;
+        }
+        else {
+            ok = await e.available();
+        }
+        if (ok)
+            enginesAvailable.push(e);
+        else
+            log.debug("engine unavailable, skipping", { engine: e.name });
+    }
+    const cache = input.noCache ? null : new Cache(input.projectRoot);
+    // Per-engine wrapper: cache check → safeRun → cache write.
+    const runOne = async (engine) => {
+        if (cache) {
+            const ck = cacheKeyForEngine(engine.name, lang, input.content);
+            const hit = await cache.get(ck);
+            if (hit) {
+                log.debug("cache hit", { engine: engine.name });
+                return hit;
+            }
+        }
+        const eInput = {
+            filePath: sp.resolved,
+            content: input.content,
+            lang,
+            ...(input.projectRoot !== undefined ? { projectRoot: input.projectRoot } : {}),
+            timeoutMs: Math.min(DEFAULT_PER_ENGINE_TIMEOUT_MS, totalTimeout),
+        };
+        const res = await safeRun(engine, eInput);
+        if (cache && !res.unavailable) {
+            const ck = cacheKeyForEngine(engine.name, lang, input.content);
+            await cache.put(ck, res, ENGINE_RESULT_CACHE_TTL_MS);
+        }
+        return res;
+    };
+    // Race the parallel engine fleet against the overall budget.
+    const allPromise = Promise.allSettled(enginesAvailable.map(runOne));
+    const timeoutPromise = new Promise((r) => setTimeout(() => r("TIMEOUT"), totalTimeout));
+    const raceResult = await Promise.race([allPromise, timeoutPromise]);
+    let engineResults;
+    let truncated = false;
+    if (raceResult === "TIMEOUT") {
+        // Take whatever finished so far. We do this by re-running the same
+        // promise with Promise.allSettled (already in flight) AFTER awaiting it,
+        // because Promise.allSettled never rejects — but here we've already
+        // raced and lost. We accept the engines we got back so far by querying
+        // their cached results from the same input. If none, we degrade to allow.
+        truncated = true;
+        log.warn("orchestrator timeout — degraded run", { totalTimeout });
+        engineResults = [];
+        // Best-effort: give the in-flight set a brief tail to finish so we don't
+        // toss completed work.
+        const tail = await Promise.race([
+            allPromise,
+            new Promise((r) => setTimeout(() => r("GIVEUP"), 250)),
+        ]);
+        if (tail !== "GIVEUP") {
+            engineResults = tail
+                .filter((s) => s.status === "fulfilled")
+                .map((s) => s.value);
+        }
+    }
+    else {
+        engineResults = raceResult
+            .filter((s) => s.status === "fulfilled")
+            .map((s) => s.value);
+    }
+    // Merge + dedup STAGE-1 findings. Dedup key = id (engine+file+line+rule),
+    // so identical findings from the same engine across cache + live runs collapse.
+    const seen = new Set();
+    const stage1Findings = [];
+    for (const r of engineResults) {
+        for (const f of r.findings) {
+            if (seen.has(f.id))
+                continue;
+            seen.add(f.id);
+            stage1Findings.push(f);
+        }
+    }
+    // Phase 1: enrich the report with cross-file context from the SCIP index,
+    // when a project root is given. Best-effort — never throws / never blocks.
+    // The indexer is lazy: if no index exists yet, the block reports
+    // ``available: false`` and the caller can run ``aegis index`` to enable it.
+    // Built BEFORE stage-2 so the critic can consume it.
+    let projectContext;
+    if (input.projectRoot) {
+        try {
+            const indexer = getIndexer();
+            projectContext = await buildProjectContext(indexer, {
+                filePath: input.filePath,
+                content: input.content,
+                lang,
+                projectRoot: input.projectRoot,
+            });
+        }
+        catch (err) {
+            log.debug("project context build failed", { err: String(err) });
+        }
+    }
+    // Stage 2 — LLM critic. Sequential to stage 1, runs only when the routing
+    // predicate says it's worth a Claude message. The critic has its own
+    // budget (much longer than the stage-1 cap) because --effort max can take
+    // a full minute on cold calls. Crashes here are isolated — they never
+    // fail-close the whole gate.
+    const findings = [...stage1Findings];
+    const allEngineResults = [...engineResults];
+    const stage2EnginesToRun = input.engines === undefined ? STAGE2_ENGINES : [];
+    if (stage2EnginesToRun.length > 0) {
+        const decision = await decideStage2(stage1Findings, input.content, lang, input.projectRoot);
+        if (decision.run) {
+            log.debug("stage2 routing", { reason: decision.reason });
+            // Surface caller-of-risky hits as synthetic priorFindings so the
+            // critic's prompt explicitly names the risky import. These never
+            // hit the audit log or contribute to the natural decide() rank —
+            // they're context only. The synthetic finding's rule_id makes
+            // its provenance obvious if it shows up in a debug dump.
+            if (decision.callerHits && decision.callerHits.length > 0) {
+                for (const h of decision.callerHits.slice(0, 5)) {
+                    stage1Findings.push({
+                        ...h.finding,
+                        // Annotate with the import that pulled this finding into the
+                        // current file's blast radius — the critic can quote this back.
+                        message: `[via import '${h.importedModule}' resolved to ${h.resolvedFile}] ` +
+                            h.finding.message,
+                        // Synthesise a distinct id so dedup doesn't drop it.
+                        id: (h.finding.id.slice(0, 8) + h.importedModule.slice(0, 8).padEnd(8, "0"))
+                            .toLowerCase()
+                            .replace(/[^0-9a-f]/g, "0"),
+                    });
+                }
+            }
+            const criticTimeoutMs = Number(process.env.AEGIS_CRITIC_TIMEOUT_MS ?? DEFAULT_CRITIC_TIMEOUT_MS) || DEFAULT_CRITIC_TIMEOUT_MS;
+            for (const e of stage2EnginesToRun) {
+                const stage2Override = input.availabilityOverride?.get(e.name);
+                const stage2Ok = stage2Override !== undefined ? stage2Override : await e.available();
+                if (!stage2Ok) {
+                    log.debug("stage2 engine unavailable", { engine: e.name });
+                    continue;
+                }
+                // Cache the critic result via the same per-(engine, lang, content_hash)
+                // key the stage-1 pipeline uses. The critic itself ALSO writes a
+                // finer-grained cache (keyed on findings + context + vulrag hashes),
+                // so this layer is a free fast-path for "same file content, same
+                // stage-1 verdict twice in a row".
+                let cachedHit = null;
+                if (cache) {
+                    const ck = cacheKeyForEngine(e.name, lang, input.content);
+                    cachedHit = (await cache.get(ck)) ?? null;
+                }
+                let res;
+                if (cachedHit) {
+                    log.debug("cache hit", { engine: e.name });
+                    res = cachedHit;
+                }
+                else {
+                    const eInput = {
+                        filePath: sp.resolved,
+                        content: input.content,
+                        lang,
+                        ...(input.projectRoot !== undefined ? { projectRoot: input.projectRoot } : {}),
+                        timeoutMs: criticTimeoutMs,
+                        priorFindings: stage1Findings,
+                        ...(projectContext ? { projectContext } : {}),
+                    };
+                    res = await safeRun(e, eInput);
+                    if (cache && !res.unavailable) {
+                        const ck = cacheKeyForEngine(e.name, lang, input.content);
+                        await cache.put(ck, res, ENGINE_RESULT_CACHE_TTL_MS);
+                    }
+                }
+                allEngineResults.push(res);
+                for (const f of res.findings) {
+                    if (seen.has(f.id))
+                        continue;
+                    seen.add(f.id);
+                    findings.push(f);
+                }
+            }
+        }
+        else {
+            log.debug("stage2 skipped by routing predicate", {
+                reason: decision.reason,
+                stage1FindingCount: stage1Findings.length,
+            });
+        }
+    }
+    // ── Critic-FP override ───────────────────────────────────────────────
+    // The LLM critic can emit `critic.fp.<rule_id>` or `critic.fp.<engine>`
+    // findings to declare a deterministic finding a false positive. Honor
+    // these by DROPPING the original finding at the same (file, line ±2).
+    // Without this, a deterministic severity:high finding overrides the
+    // critic's FP severity:info marker — and the file is wrongly blocked.
+    const fpMarkers = [];
+    for (const f of findings) {
+        if (f.engine === "llm-critic" && f.rule_id.startsWith("critic.fp.")) {
+            fpMarkers.push({
+                rulePart: f.rule_id.slice("critic.fp.".length),
+                ...(f.line !== undefined ? { line: f.line } : {}),
+                file: f.file,
+            });
+        }
+    }
+    if (fpMarkers.length > 0) {
+        const surviving = [];
+        for (const f of findings) {
+            if (f.engine === "llm-critic") {
+                surviving.push(f);
+                continue;
+            }
+            const overridden = fpMarkers.some((m) => {
+                // Match rule_id OR engine name OR engine-rule combo OR rule_id
+                // starts with the critic's named part (e.g. "child-process-exec"
+                // matches "child-process-exec-tainted").
+                const exactRuleMatch = m.rulePart === f.rule_id ||
+                    m.rulePart === `${f.engine}-${f.rule_id}` ||
+                    (f.rule_id.length > 0 && m.rulePart.includes(f.rule_id)) ||
+                    (m.rulePart.length > 3 && f.rule_id.startsWith(m.rulePart));
+                const engineOnlyMatch = m.rulePart === f.engine;
+                if (!exactRuleMatch && !engineOnlyMatch)
+                    return false;
+                // Line proximity: when rule_id matches exactly we trust the critic's
+                // intent across a wider window (±10 lines — the critic often points
+                // at the FUNCTION the FP lives in, not the exact RHS). When only
+                // the ENGINE matches (e.g. "critic.fp.eslint" → any eslint finding),
+                // we still require some proximity — ±15 — so unrelated findings on
+                // distant lines aren't swept up. Missing line on either side waives
+                // the check (treat as match).
+                if (m.line === undefined || f.line === undefined)
+                    return true;
+                const tolerance = exactRuleMatch ? 10 : 15;
+                return Math.abs(m.line - f.line) <= tolerance;
+            });
+            if (overridden) {
+                log.debug("critic FP override: dropping deterministic finding", {
+                    engine: f.engine,
+                    rule_id: f.rule_id,
+                    line: f.line,
+                });
+                continue;
+            }
+            surviving.push(f);
+        }
+        findings.length = 0;
+        findings.push(...surviving);
+    }
+    // ── Phase 3 productionization filters ────────────────────────────────
+    // Apply (in order, before risk scoring):
+    //   1. ``ignore`` from policy → drop the finding entirely
+    //   2. Active suppressions  → drop the finding entirely
+    //   3. ``warn`` from policy → tag for downgrade in risk decision
+    //   4. ``block`` from policy → tag for force-block in risk decision
+    //
+    // Tagging is via a side map (forceBlock / forceWarn id sets) that the
+    // decide() shim uses; we keep the Finding shape pristine.
+    const policy = input.projectRoot
+        ? loadPolicy(input.projectRoot)
+        : { block: new Set(), warn: new Set(), ignore: new Set(), sourcePath: null };
+    const beforeFilterCount = findings.length;
+    const forceBlock = new Set();
+    const forceWarn = new Set();
+    const survivingFindings = [];
+    for (const f of findings) {
+        // 1. policy.ignore wins outright.
+        if (findingMatches(f.cwe, f.rule_id, policy.ignore)) {
+            log.debug("policy: ignored", { id: f.id, cwe: f.cwe, rule: f.rule_id });
+            continue;
+        }
+        // 2. user-added suppression.
+        if (input.projectRoot && isSuppressed(input.projectRoot, f.id)) {
+            log.debug("suppression: filtered", { id: f.id });
+            continue;
+        }
+        // 3 / 4. policy.warn / policy.block → tag, but keep the finding.
+        if (findingMatches(f.cwe, f.rule_id, policy.block)) {
+            forceBlock.add(f.id);
+        }
+        else if (findingMatches(f.cwe, f.rule_id, policy.warn)) {
+            forceWarn.add(f.id);
+        }
+        survivingFindings.push(f);
+    }
+    const filteredCount = beforeFilterCount - survivingFindings.length;
+    if (filteredCount > 0) {
+        log.debug("findings filtered by policy/suppression", {
+            before: beforeFilterCount,
+            after: survivingFindings.length,
+            filtered: filteredCount,
+        });
+    }
+    const decision = decideWithPolicy(survivingFindings, forceBlock, forceWarn);
+    const durationMs = Date.now() - t0;
+    const report = {
+        filePath: input.filePath,
+        lang,
+        decision,
+        findings: survivingFindings,
+        engineResults: allEngineResults,
+        durationMs,
+        truncated,
+        pathCheck: { ok: true, resolved: sp.resolved },
+        ...(projectContext ? { projectContext } : {}),
+    };
+    // Append-only audit log (no PII; just decision + file + findings count).
+    appendAudit(input.projectRoot, report);
+    // Telemetry enqueue (opt-in, sanitized). Awaited so per-call CLI processes
+    // (aegis scan, aegis hook) actually populate the buffer before exit.
+    // The collector itself short-circuits when consent is OFF, so the cost when
+    // disabled is just one dynamic import (~0.5ms). MCP/long-running uses the
+    // same path with no observable extra latency.
+    try {
+        const { enqueueReport } = await import("./telemetry/collector.js");
+        enqueueReport(input.content, report);
+    }
+    catch (err) {
+        log.debug("telemetry enqueue failed", { err: String(err) });
+    }
+    return report;
+}
+/** Apply policy-as-code overrides to the natural risk decision:
+ *
+ * - If any surviving finding is in ``forceBlock``, decision MUST be "block"
+ *   (driving = first such finding so the user sees what triggered it).
+ * - Else if natural decision was "block" AND every block-eligible finding
+ *   is in ``forceWarn``, downgrade to "warn".
+ * - Else: pass through the natural decision unchanged.
+ *
+ * Confidence/severity bookkeeping in the returned ActionDecision stays
+ * truthful — we don't lie about counts, only about the gate verdict.
+ */
+function decideWithPolicy(findings, forceBlock, forceWarn) {
+    const natural = decide(findings);
+    // 1. policy.block — if any matching finding exists, force block.
+    if (forceBlock.size > 0) {
+        const blockTrigger = findings.find((f) => forceBlock.has(f.id));
+        if (blockTrigger) {
+            return {
+                action: "block",
+                driving: blockTrigger,
+                summary: `BLOCK (policy) — ${blockTrigger.engine}:${blockTrigger.rule_id} matched policy.block`,
+                blockCount: natural.blockCount + (natural.action === "block" ? 0 : 1),
+                warnCount: natural.warnCount,
+                totalFindings: natural.totalFindings,
+            };
+        }
+    }
+    // 2. policy.warn downgrade — only kicks in when natural decision was block.
+    if (natural.action === "block" && natural.driving && forceWarn.has(natural.driving.id)) {
+        // Look for any OTHER finding still triggering block; if none, downgrade.
+        const anyOtherBlocker = findings.some((f) => f.id !== natural.driving.id &&
+            !forceWarn.has(f.id) &&
+            (f.severity === "critical" || f.severity === "high"));
+        if (!anyOtherBlocker) {
+            return {
+                action: "warn",
+                driving: natural.driving,
+                summary: `WARN (policy downgrade) — ${natural.driving.engine}:${natural.driving.rule_id} matched policy.warn`,
+                blockCount: 0,
+                warnCount: natural.warnCount + 1,
+                totalFindings: natural.totalFindings,
+            };
+        }
+    }
+    return natural;
+}
+function appendAudit(projectRoot, report) {
+    try {
+        const dir = resolve(projectRoot ?? process.cwd(), ".aegis");
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true });
+        const row = {
+            ts: new Date().toISOString(),
+            file: report.filePath,
+            lang: report.lang,
+            action: report.decision.action,
+            duration_ms: report.durationMs,
+            truncated: report.truncated,
+            n_findings: report.findings.length,
+            n_block: report.decision.blockCount,
+            n_warn: report.decision.warnCount,
+            driving: report.decision.driving
+                ? {
+                    engine: report.decision.driving.engine,
+                    rule_id: report.decision.driving.rule_id,
+                    severity: report.decision.driving.severity,
+                    confidence: report.decision.driving.confidence,
+                    ...(report.decision.driving.cwe ? { cwe: report.decision.driving.cwe } : {}),
+                }
+                : null,
+        };
+        appendFileSync(join(dir, "audit.jsonl"), JSON.stringify(row) + "\n", "utf8");
+    }
+    catch (err) {
+        log.debug("audit append failed", { err: String(err) });
+    }
+}
+//# sourceMappingURL=orchestrator.js.map

package/dist/orchestrator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"orchestrator.js","sourceRoot":"","sources":["../src/orchestrator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAChE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AACtD,OAAO,EAA2C,OAAO,EAAE,MAAM,oBAAoB,CAAC;AACtF,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAEhE,OAAO,EAAE,mBAAmB,EAA4B,MAAM,oBAAoB,CAAC;AACnF,OAAO,EAAE,yBAAyB,EAA0B,MAAM,0BAA0B,CAAC;AAC7F,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAQ,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,OAAO,EAAuB,cAAc,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAC9E,OAAO,EAAkB,MAAM,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAEnD,MAAM,GAAG,GAAG,SAAS,CAAC,oBAAoB,CAAC,CAAC;AAuC5C,MAAM,wBAAwB,GAAG,KAAK,CAAC;AACvC,MAAM,6BAA6B,GAAG,KAAK,CAAC;AAC5C,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,wCAAwC;AAE1F;;kCAEkC;AAClC,MAAM,yBAAyB,GAAG,OAAO,CAAC;AAE1C;;;;oEAIoE;AACpE,MAAM,8BAA8B,GAAG,IAAI,CAAC;AAE5C;;;;;;;;;;;;;GAaG;AACH,SAAS,eAAe,CAAC,OAAe,EAAE,IAAU;IAClD,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,MAAM,gBAAgB,GACpB,oKAAoK,CAAC,IAAI,CACvK,OAAO,CACR,CAAC;QACJ,IAAI,CAAC,gBAAgB;YAAE,OAAO,KAAK,CAAC;QACpC,MAAM,UAAU,GACd,4JAA4J,CAAC,IAAI,CAC/J,OAAO,CACR,CAAC;QACJ,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;QACnD,MAAM,cAAc,GAClB,kHAAkH,CAAC,IAAI,CACrH,OAAO,CACR,CAAC;QACJ,OAAO,cAAc,CAAC;IACxB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAYD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,KAAK,UAAU,YAAY,CACzB,cAAsC,EACtC,OAAe,EACf,IAAU,EACV,WAA+B;IAE/B,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,KAAK,GAAG,EAAE,CAAC;QAC7C,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IAC5C,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,GAAG,EAAE,CAAC;QAC3C,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IACzC,CAAC;IACD,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAClD,CAAC;IACD,oEAAoE;IACpE,qEAAqE;IACrE,kEAAkE;IAClE,kEAAkE;IAClE,0BAA0B;IAC1B,IAAI,WAAW,EAAE,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;YACnE,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpB,GAAG,CAAC,KAAK,CAAC,iCAAiC,EAAE;oBAC3C,MAAM,EAAE,IAAI,CAAC,MAAM;oBACnB,OAAO,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;oBACpE,cAAc,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;iBAC9D,CAAC,CAAC;gBACH,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,iBAAiB,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;YACpE,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,KAAK,CAAC,+CAA+C,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IACD,yEAAyE;IACzE,gEAAgE;IAChE,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,MAAM,KAAK,GAAG,sBAAsB,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACjD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,GAAG,CAAC,KAAK,CAAC,gDAAgD,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAC,CAAC;YACpF,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;QACrD,CAAC;IACH,CAAC;IACD,sEAAsE;IACtE,qEAAqE;IACrE,kEAAkE;IAClE,yBAAyB;IACzB,IAAI,eAAe,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC;QACnC,GAAG,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;QAC7D,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IACnD,CAAC;IACD,oEAAoE;IACpE,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,CACtB,OAAO,CAAC,GAAG,CAAC,yBAAyB,IAAI,8BAA8B,CACxE,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;YAClE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;QACjD,CAAC;QACD,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC,EAAE;YACrD,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACzD,aAAa,EAAE,SAAS;SACzB,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,GAAG,CAAC,KAAK,CAAC,8CAA8C,EAAE;gBACxD,GAAG,EAAE,IAAI,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG;gBACvB,UAAU,EAAE,IAAI,CAAC,CAAC,CAAE,CAAC,UAAU;gBAC/B,SAAS;aACV,CAAC,CAAC;YACH,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;QAChD,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC7C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,KAAK,CAAC,sDAAsD,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACxF,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;IACtD,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,KAAgB;IAC5C,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACtB,MAAM,YAAY,GAAG,KAAK,CAAC,cAAc,IAAI,wBAAwB,CAAC;IACtE,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAExC,4EAA4E;IAC5E,uEAAuE;IACvE,MAAM,eAAe,GACnB,KAAK,CAAC,kBAAkB,KAAK,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC;IACrE,MAAM,EAAE,GAAG,WAAW,CAAC,KAAK,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACX,GAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3E,OAAO;YACL,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,IAAI;YACJ,QAAQ,EAAE;gBACR,MAAM,EAAE,OAAO;gBACf,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,iCAAiC,EAAE,CAAC,MAAM,IAAI;gBACvD,UAAU,EAAE,CAAC;gBACb,SAAS,EAAE,CAAC;gBACZ,aAAa,EAAE,CAAC;aACjB;YACD,QAAQ,EAAE,EAAE;YACZ,aAAa,EAAE,EAAE;YACjB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;YAC3B,SAAS,EAAE,KAAK;YAChB,SAAS,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,IAAI,QAAQ,EAAE;SACxD,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,IAAI,OAAO,CAAC;IAC5C,qEAAqE;IACrE,sEAAsE;IACtE,mEAAmE;IACnE,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,KAAK,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACzD,IAAI,EAAW,CAAC;QAChB,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,EAAE,GAAG,QAAQ,CAAC;QAChB,CAAC;aAAM,CAAC;YACN,EAAE,GAAG,MAAM,CAAC,CAAC,SAAS,EAAE,CAAC;QAC3B,CAAC;QACD,IAAI,EAAE;YAAE,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;;YAC5B,GAAG,CAAC,KAAK,CAAC,8BAA8B,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAElE,2DAA2D;IAC3D,MAAM,MAAM,GAAG,KAAK,EAAE,MAAc,EAA4B,EAAE;QAChE,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,EAAE,GAAG,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAC/D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAkB,EAAE,CAAC,CAAC;YACjD,IAAI,GAAG,EAAE,CAAC;gBACR,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;gBAChD,OAAO,GAAG,CAAC;YACb,CAAC;QACH,CAAC;QACD,MAAM,MAAM,GAAmB;YAC7B,QAAQ,EAAE,EAAE,CAAC,QAAS;YACtB,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,IAAI;YACJ,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9E,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,6BAA6B,EAAE,YAAY,CAAC;SACjE,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC1C,IAAI,KAAK,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YAC9B,MAAM,EAAE,GAAG,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAC/D,MAAM,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,EAAE,0BAA0B,CAAC,CAAC;QACvD,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,CAAC;IAEF,6DAA6D;IAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;IACpE,MAAM,cAAc,GAAuB,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAC3D,UAAU,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,YAAY,CAAC,CAC7C,CAAC;IACF,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC;IAEpE,IAAI,aAAgC,CAAC;IACrC,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,mEAAmE;QACnE,yEAAyE;QACzE,oEAAoE;QACpE,uEAAuE;QACvE,0EAA0E;QAC1E,SAAS,GAAG,IAAI,CAAC;QACjB,GAAG,CAAC,IAAI,CAAC,qCAAqC,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;QAClE,aAAa,GAAG,EAAE,CAAC;QACnB,yEAAyE;QACzE,uBAAuB;QACvB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;YAC9B,UAAU;YACV,IAAI,OAAO,CAAW,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,GAAG,CAAC,CAAC;SACjE,CAAC,CAAC;QACH,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtB,aAAa,GAAI,IAAgD;iBAC9D,MAAM,CAAC,CAAC,CAAC,EAAgD,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC;iBACrF,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;SAAM,CAAC;QACN,aAAa,GAAI,UAAsD;aACpE,MAAM,CAAC,CAAC,CAAC,EAAgD,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC;aACrF,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IACzB,CAAC;IAED,0EAA0E;IAC1E,gFAAgF;IAChF,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,cAAc,GAAc,EAAE,CAAC;IACrC,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;QAC9B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;YAC3B,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAE,SAAS;YAC7B,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACf,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,2EAA2E;IAC3E,iEAAiE;IACjE,4EAA4E;IAC5E,qDAAqD;IACrD,IAAI,cAA+C,CAAC;IACpD,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QACtB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;YAC7B,cAAc,GAAG,MAAM,mBAAmB,CAAC,OAAO,EAAE;gBAClD,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,IAAI;gBACJ,WAAW,EAAE,KAAK,CAAC,WAAW;aAC/B,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,KAAK,CAAC,8BAA8B,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,qEAAqE;IACrE,0EAA0E;IAC1E,sEAAsE;IACtE,6BAA6B;IAC7B,MAAM,QAAQ,GAAc,CAAC,GAAG,cAAc,CAAC,CAAC;IAChD,MAAM,gBAAgB,GAAsB,CAAC,GAAG,aAAa,CAAC,CAAC;IAC/D,MAAM,kBAAkB,GAAG,KAAK,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7E,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,cAAc,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QAC5F,IAAI,QAAQ,CAAC,GAAG,EAAE,CAAC;YACjB,GAAG,CAAC,KAAK,CAAC,gBAAgB,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YACzD,iEAAiE;YACjE,iEAAiE;YACjE,iEAAiE;YACjE,8DAA8D;YAC9D,yDAAyD;YACzD,IAAI,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1D,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;oBAChD,cAAc,CAAC,IAAI,CAAC;wBAClB,GAAG,CAAC,CAAC,OAAO;wBACZ,6DAA6D;wBAC7D,gEAAgE;wBAChE,OAAO,EACL,gBAAgB,CAAC,CAAC,cAAc,iBAAiB,CAAC,CAAC,YAAY,IAAI;4BACnE,CAAC,CAAC,OAAO,CAAC,OAAO;wBACnB,qDAAqD;wBACrD,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;6BACzE,WAAW,EAAE;6BACb,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC;qBACnB,CAAC,CAAC;gBAChB,CAAC;YACH,CAAC;YACD,MAAM,eAAe,GAAG,MAAM,CAC5B,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,yBAAyB,CACjE,IAAI,yBAAyB,CAAC;YAC/B,KAAK,MAAM,CAAC,IAAI,kBAAkB,EAAE,CAAC;gBACnC,MAAM,cAAc,GAAG,KAAK,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;gBAC/D,MAAM,QAAQ,GACZ,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,CAAC;gBACtE,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,GAAG,CAAC,KAAK,CAAC,2BAA2B,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;oBAC3D,SAAS;gBACX,CAAC;gBACD,wEAAwE;gBACxE,iEAAiE;gBACjE,qEAAqE;gBACrE,iEAAiE;gBACjE,mCAAmC;gBACnC,IAAI,SAAS,GAA2B,IAAI,CAAC;gBAC7C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,GAAG,iBAAiB,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;oBAC1D,SAAS,GAAG,CAAC,MAAM,KAAK,CAAC,GAAG,CAAkB,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC;gBAC7D,CAAC;gBACD,IAAI,GAAoB,CAAC;gBACzB,IAAI,SAAS,EAAE,CAAC;oBACd,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;oBAC3C,GAAG,GAAG,SAAS,CAAC;gBAClB,CAAC;qBAAM,CAAC;oBACN,MAAM,MAAM,GAAmB;wBAC7B,QAAQ,EAAE,EAAE,CAAC,QAAS;wBACtB,OAAO,EAAE,KAAK,CAAC,OAAO;wBACtB,IAAI;wBACJ,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC9E,SAAS,EAAE,eAAe;wBAC1B,aAAa,EAAE,cAAc;wBAC7B,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBAC9C,CAAC;oBACF,GAAG,GAAG,MAAM,OAAO,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;oBAC/B,IAAI,KAAK,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;wBAC9B,MAAM,EAAE,GAAG,iBAAiB,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;wBAC1D,MAAM,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,EAAE,0BAA0B,CAAC,CAAC;oBACvD,CAAC;gBACH,CAAC;gBACD,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC3B,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;oBAC7B,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;wBAAE,SAAS;oBAC7B,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBACf,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACnB,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,KAAK,CAAC,qCAAqC,EAAE;gBAC/C,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,kBAAkB,EAAE,cAAc,CAAC,MAAM;aAC1C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,wEAAwE;IACxE,sEAAsE;IACtE,sEAAsE;IACtE,oEAAoE;IACpE,sEAAsE;IACtE,MAAM,SAAS,GAA8D,EAAE,CAAC;IAChF,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,MAAM,KAAK,YAAY,IAAI,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YACpE,SAAS,CAAC,IAAI,CAAC;gBACb,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC;gBAC9C,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjD,IAAI,EAAE,CAAC,CAAC,IAAI;aACb,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,SAAS,GAAc,EAAE,CAAC;QAChC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,IAAI,CAAC,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;gBAC9B,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,SAAS;YACX,CAAC;YACD,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;gBACtC,+DAA+D;gBAC/D,iEAAiE;gBACjE,yCAAyC;gBACzC,MAAM,cAAc,GAClB,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,OAAO;oBACxB,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,OAAO,EAAE;oBACzC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;oBACxD,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAC9D,MAAM,eAAe,GAAG,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,MAAM,CAAC;gBAChD,IAAI,CAAC,cAAc,IAAI,CAAC,eAAe;oBAAE,OAAO,KAAK,CAAC;gBACtD,qEAAqE;gBACrE,oEAAoE;gBACpE,iEAAiE;gBACjE,qEAAqE;gBACrE,mEAAmE;gBACnE,oEAAoE;gBACpE,8BAA8B;gBAC9B,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;oBAAE,OAAO,IAAI,CAAC;gBAC9D,MAAM,SAAS,GAAG,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC;YAChD,CAAC,CAAC,CAAC;YACH,IAAI,UAAU,EAAE,CAAC;gBACf,GAAG,CAAC,KAAK,CAAC,oDAAoD,EAAE;oBAC9D,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,IAAI,EAAE,CAAC,CAAC,IAAI;iBACb,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YACD,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;QACD,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QACpB,QAAQ,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,CAAC;IAC9B,CAAC;IAED,wEAAwE;IACxE,yCAAyC;IACzC,0DAA0D;IAC1D,wDAAwD;IACxD,iEAAiE;IACjE,oEAAoE;IACpE,EAAE;IACF,sEAAsE;IACtE,0DAA0D;IAC1D,MAAM,MAAM,GAAmB,KAAK,CAAC,WAAW;QAC9C,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,WAAW,CAAC;QAC/B,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,GAAG,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;IAE/E,MAAM,iBAAiB,GAAG,QAAQ,CAAC,MAAM,CAAC;IAC1C,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,MAAM,iBAAiB,GAAc,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,kCAAkC;QAClC,IAAI,cAAc,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;YACpD,GAAG,CAAC,KAAK,CAAC,iBAAiB,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YACxE,SAAS;QACX,CAAC;QACD,6BAA6B;QAC7B,IAAI,KAAK,CAAC,WAAW,IAAI,YAAY,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;YAC/D,GAAG,CAAC,KAAK,CAAC,uBAAuB,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACjD,SAAS;QACX,CAAC;QACD,iEAAiE;QACjE,IAAI,cAAc,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACnD,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACvB,CAAC;aAAM,IAAI,cAAc,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACzD,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACtB,CAAC;QACD,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC;IACD,MAAM,aAAa,GAAG,iBAAiB,GAAG,iBAAiB,CAAC,MAAM,CAAC;IACnE,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;QACtB,GAAG,CAAC,KAAK,CAAC,yCAAyC,EAAE;YACnD,MAAM,EAAE,iBAAiB;YACzB,KAAK,EAAE,iBAAiB,CAAC,MAAM;YAC/B,QAAQ,EAAE,aAAa;SACxB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,QAAQ,GAAG,gBAAgB,CAAC,iBAAiB,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IAE5E,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;IACnC,MAAM,MAAM,GAAe;QACzB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,IAAI;QACJ,QAAQ;QACR,QAAQ,EAAE,iBAAiB;QAC3B,aAAa,EAAE,gBAAgB;QAC/B,UAAU;QACV,SAAS;QACT,SAAS,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,QAAS,EAAE;QAC/C,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC9C,CAAC;IAEF,yEAAyE;IACzE,WAAW,CAAC,KAAK,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAEvC,2EAA2E;IAC3E,qEAAqE;IACrE,4EAA4E;IAC5E,0EAA0E;IAC1E,8CAA8C;IAC9C,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;QACnE,aAAa,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,KAAK,CAAC,0BAA0B,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,gBAAgB,CACvB,QAAmB,EACnB,UAAuB,EACvB,SAAsB;IAEtB,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;IAEjC,iEAAiE;IACjE,IAAI,UAAU,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAChE,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO;gBACL,MAAM,EAAE,OAAO;gBACf,OAAO,EAAE,YAAY;gBACrB,OAAO,EAAE,oBAAoB,YAAY,CAAC,MAAM,IAAI,YAAY,CAAC,OAAO,uBAAuB;gBAC/F,UAAU,EAAE,OAAO,CAAC,UAAU,GAAG,CAAC,OAAO,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACrE,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,aAAa,EAAE,OAAO,CAAC,aAAa;aACrC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,IAAI,OAAO,CAAC,MAAM,KAAK,OAAO,IAAI,OAAO,CAAC,OAAO,IAAI,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC;QACvF,yEAAyE;QACzE,MAAM,eAAe,GAAG,QAAQ,CAAC,IAAI,CACnC,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,EAAE,KAAK,OAAO,CAAC,OAAQ,CAAC,EAAE;YAC5B,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACpB,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CACvD,CAAC;QACF,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,OAAO;gBACL,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,OAAO,EAAE,6BAA6B,OAAO,CAAC,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,sBAAsB;gBAC7G,UAAU,EAAE,CAAC;gBACb,SAAS,EAAE,OAAO,CAAC,SAAS,GAAG,CAAC;gBAChC,aAAa,EAAE,OAAO,CAAC,aAAa;aACrC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,WAAW,CAAC,WAA+B,EAAE,MAAkB;IACtE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC5D,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,GAAG,GAAG;YACV,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAC5B,IAAI,EAAE,MAAM,CAAC,QAAQ;YACrB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM;YAC9B,WAAW,EAAE,MAAM,CAAC,UAAU;YAC9B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM;YAClC,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU;YACnC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,SAAS;YACjC,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO;gBAC9B,CAAC,CAAC;oBACE,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM;oBACtC,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO;oBACxC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ;oBAC1C,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU;oBAC9C,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC7E;gBACH,CAAC,CAAC,IAAI;SACT,CAAC;QACF,cAAc,CAAC,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;IAC/E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACzD,CAAC;AACH,CAAC"}