fixo-cli 1.0.0

package/dist/runtime/policy.js

@@ -0,0 +1,60 @@
+const SAFE_COMMANDS = [
+    /^npm\s+(run\s+)?(test|build|lint|typecheck|check)(\s|$)/,
+    /^npm\s+run\s+build:cli(\s|$)/,
+    /^git\s+(status|diff|log|show)(\s|$)/,
+    /^node\s+--version$/,
+];
+export const DANGEROUS_COMMANDS = [
+    /\brm\s+-rf\b/,
+    /\bsudo\b/,
+    /\bchmod\s+-R\b/,
+    /\bchown\b/,
+    /\bdd\s+if=/,
+    /\bmkfs\b/,
+    /\bcurl\b.*\|\s*(sh|bash)/,
+    /\bwget\b.*\|\s*(sh|bash)/,
+    /(^|\s)env(\s|$)/,
+    /(^|\s)printenv(\s|$)/,
+    /\b(?:cat|less|more|tail|head)\s+.*(\.env|id_rsa|credentials|passwd|shadow)/,
+    /[;&|`$<>]/,
+];
+export function classifyCommand(command) {
+    const trimmed = command.trim();
+    if (!trimmed)
+        return 'blocked';
+    if (DANGEROUS_COMMANDS.some(pattern => pattern.test(trimmed)))
+        return 'high';
+    if (SAFE_COMMANDS.some(pattern => pattern.test(trimmed)))
+        return 'low';
+    if (/^(npm|pnpm|yarn)\s+(install|add|remove|update)\b/.test(trimmed))
+        return 'high';
+    if (/^git\s+(add|commit|reset|checkout|clean|push|pull|merge|rebase)\b/.test(trimmed))
+        return 'high';
+    return 'medium';
+}
+export function decidePolicy(profile, action, detail = '', allowRules = { commands: [] }) {
+    if (profile === 'dangerous-deny') {
+        return { allowed: false, needsConfirmation: false, risk: 'blocked', reason: 'Dangerous actions are denied by policy.' };
+    }
+    if (profile === 'read-only' && action !== 'read') {
+        return { allowed: false, needsConfirmation: false, risk: 'blocked', reason: 'Read-only policy blocks mutations and commands.' };
+    }
+    if (action === 'command') {
+        const risk = classifyCommand(detail);
+        if (allowRules.commands.includes(detail.trim()) && risk === 'low') {
+            return { allowed: true, needsConfirmation: false, risk, reason: 'Command allowed by project policy.' };
+        }
+        if (risk === 'high' && profile !== 'trusted-project') {
+            return { allowed: true, needsConfirmation: true, risk, reason: 'High-risk command requires explicit confirmation.' };
+        }
+        if (risk === 'low' && profile === 'trusted-project') {
+            return { allowed: true, needsConfirmation: false, risk, reason: 'Safe command allowed by trusted project policy.' };
+        }
+        return { allowed: true, needsConfirmation: true, risk, reason: 'Shell command requires confirmation.' };
+    }
+    if (action === 'write' || action === 'delete') {
+        return { allowed: true, needsConfirmation: profile !== 'trusted-project', risk: 'medium', reason: 'Workspace mutation requires confirmation unless trusted.' };
+    }
+    return { allowed: true, needsConfirmation: false, risk: 'low', reason: 'Read action allowed.' };
+}
+//# sourceMappingURL=policy.js.map

package/dist/runtime/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/runtime/policy.ts"],"names":[],"mappings":"AAoBA,MAAM,aAAa,GAAG;IACpB,yDAAyD;IACzD,8BAA8B;IAC9B,qCAAqC;IACrC,oBAAoB;CACrB,CAAC;AAEF,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,cAAc;IACd,UAAU;IACV,gBAAgB;IAChB,WAAW;IACX,YAAY;IACZ,UAAU;IACV,0BAA0B;IAC1B,0BAA0B;IAC1B,iBAAiB;IACjB,sBAAsB;IACtB,4EAA4E;IAC5E,WAAW;CACZ,CAAC;AAEF,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAAE,OAAO,MAAM,CAAC;IAC7E,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACvE,IAAI,kDAAkD,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,MAAM,CAAC;IACpF,IAAI,mEAAmE,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,MAAM,CAAC;IACrG,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,OAAsB,EAAE,MAA+C,EAAE,MAAM,GAAG,EAAE,EAAE,aAA6B,EAAE,QAAQ,EAAE,EAAE,EAAE;IAC9J,IAAI,OAAO,KAAK,gBAAgB,EAAE,CAAC;QACjC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,yCAAyC,EAAE,CAAC;IAC1H,CAAC;IACD,IAAI,OAAO,KAAK,WAAW,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACjD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,iDAAiD,EAAE,CAAC;IAClI,CAAC;IACD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;YAClE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC;QACzG,CAAC;QACD,IAAI,IAAI,KAAK,MAAM,IAAI,OAAO,KAAK,iBAAiB,EAAE,CAAC;YACrD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,mDAAmD,EAAE,CAAC;QACvH,CAAC;QACD,IAAI,IAAI,KAAK,KAAK,IAAI,OAAO,KAAK,iBAAiB,EAAE,CAAC;YACpD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,iDAAiD,EAAE,CAAC;QACtH,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,sCAAsC,EAAE,CAAC;IAC1G,CAAC;IACD,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC9C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,KAAK,iBAAiB,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,0DAA0D,EAAE,CAAC;IACjK,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;AAClG,CAAC"}

package/dist/runtime/redaction.d.ts

@@ -0,0 +1,66 @@
+/**
+ * Redaction & credential-scrubbing utilities.
+ *
+ * Pillar 4 of the Phase 2 safety refactor expanded the pattern
+ * catalogue to cover every major LLM provider's credential
+ * shape. The new public API is {@link scrubForLlm} — used by
+ * the {@link ProviderKeyVault} and by every tool that pipes
+ * external output (command results, HTTP responses, file
+ * contents) back into a model prompt.
+ *
+ * The legacy {@link redactSecrets} and {@link redactedEnv}
+ * functions are preserved as thin wrappers that delegate to the
+ * new implementation, so existing callers keep working and
+ * automatically inherit the expanded pattern set.
+ */
+export declare function stripAnsi(value: string): string;
+/**
+ * Replace every ANSI escape sequence with its printable form so
+ * the bytes survive a log write / telemetry upload without
+ * accidentally injecting terminal control codes downstream.
+ *
+ * Use this in places where the *content* matters (file paths,
+ * error messages) and the colour information is incidental. The
+ * default `stripAnsi` is the right choice when the consumer is
+ * another tool that doesn't care about colour.
+ */
+export declare function redactAnsi(value: string): string;
+/**
+ * Comprehensive secret-detection pattern catalogue, covering
+ * OpenAI, Anthropic, OpenRouter, GitHub, Google, AWS, JWT-style
+ * tokens, and generic env-style assignments.
+ *
+ * Each pattern is `RegExp` with the `g` flag. They are
+ * deliberately conservative — they err on the side of false
+ * positives (a Base64-looking blob gets redacted) over false
+ * negatives (a real key leaks through). The downstream cost of
+ * a false positive is a string of `[REDACTED]` in a tool
+ * result; the downstream cost of a false negative is a leaked
+ * credential.
+ */
+export declare const SCRUB_PATTERNS: ReadonlyArray<RegExp>;
+/**
+ * Scrub a string of every recognised secret pattern. Used by
+ * the credential vault and by every tool that pipes external
+ * output into a model prompt. Strips ANSI escapes first so a
+ * colourised `Bearer <token>` cannot dodge the redaction.
+ */
+export declare function scrubForLlm(value: string): string;
+/**
+ * Legacy alias for {@link scrubForLlm}. Kept for backward
+ * compatibility with the 163 tests that exercise this API.
+ * New code should call `scrubForLlm` directly.
+ *
+ * @deprecated Use {@link scrubForLlm} for clarity. This alias
+ * remains in place so existing callers automatically inherit
+ * the expanded pattern catalogue.
+ */
+export declare function redactSecrets(value: string): string;
+/**
+ * Return a copy of `source` with secret-bearing environment
+ * variables removed. Used by `executeRunCommand` so child
+ * processes (npm install, test runners) never inherit a leaked
+ * key.
+ */
+export declare function redactedEnv(source?: NodeJS.ProcessEnv): NodeJS.ProcessEnv;
+//# sourceMappingURL=redaction.d.ts.map

package/dist/runtime/redaction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redaction.d.ts","sourceRoot":"","sources":["../../src/runtime/redaction.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAIH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED;;;;;;;;;GASG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEhD;AAID;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,cAAc,EAAE,aAAa,CAAC,MAAM,CA6DhD,CAAC;AAIF;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAMjD;AAED;;;;;;;;GAQG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEnD;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,MAAM,GAAE,MAAM,CAAC,UAAwB,GAAG,MAAM,CAAC,UAAU,CAuBtF"}

package/dist/runtime/redaction.js

@@ -0,0 +1,155 @@
+/**
+ * Redaction & credential-scrubbing utilities.
+ *
+ * Pillar 4 of the Phase 2 safety refactor expanded the pattern
+ * catalogue to cover every major LLM provider's credential
+ * shape. The new public API is {@link scrubForLlm} — used by
+ * the {@link ProviderKeyVault} and by every tool that pipes
+ * external output (command results, HTTP responses, file
+ * contents) back into a model prompt.
+ *
+ * The legacy {@link redactSecrets} and {@link redactedEnv}
+ * functions are preserved as thin wrappers that delegate to the
+ * new implementation, so existing callers keep working and
+ * automatically inherit the expanded pattern set.
+ */
+const ANSI_PATTERN = /\x1b\[[0-9;]*[a-zA-Z]/g;
+export function stripAnsi(value) {
+    return value.replace(ANSI_PATTERN, '');
+}
+/**
+ * Replace every ANSI escape sequence with its printable form so
+ * the bytes survive a log write / telemetry upload without
+ * accidentally injecting terminal control codes downstream.
+ *
+ * Use this in places where the *content* matters (file paths,
+ * error messages) and the colour information is incidental. The
+ * default `stripAnsi` is the right choice when the consumer is
+ * another tool that doesn't care about colour.
+ */
+export function redactAnsi(value) {
+    return value.replace(/\x1b/g, '\\x1b');
+}
+/* ──────────────────────── Pattern catalogue ──────────────────────── */
+/**
+ * Comprehensive secret-detection pattern catalogue, covering
+ * OpenAI, Anthropic, OpenRouter, GitHub, Google, AWS, JWT-style
+ * tokens, and generic env-style assignments.
+ *
+ * Each pattern is `RegExp` with the `g` flag. They are
+ * deliberately conservative — they err on the side of false
+ * positives (a Base64-looking blob gets redacted) over false
+ * negatives (a real key leaks through). The downstream cost of
+ * a false positive is a string of `[REDACTED]` in a tool
+ * result; the downstream cost of a false negative is a leaked
+ * credential.
+ */
+export const SCRUB_PATTERNS = [
+    // ── OpenAI ──────────────────────────────────────────────────
+    // sk-... (legacy), sk-proj-... (project keys), sk-svcacct-... (service accounts)
+    /sk-[A-Za-z0-9._-]{16,}/g,
+    /sk-proj-[A-Za-z0-9._-]{16,}/g,
+    /sk-svcacct-[A-Za-z0-9._-]{16,}/g,
+    // ── Anthropic ───────────────────────────────────────────────
+    // sk-ant-api03-... and legacy sk-ant-...
+    /sk-ant-api03-[A-Za-z0-9._-]{16,}/g,
+    /sk-ant-[A-Za-z0-9._-]{16,}/g,
+    // ── OpenRouter ──────────────────────────────────────────────
+    // sk-or-v1-... and sk-or-...
+    /sk-or-v1-[A-Za-z0-9._-]{16,}/g,
+    /sk-or-[A-Za-z0-9._-]{16,}/g,
+    // ── Google (AI Studio, GCP service accounts) ────────────────
+    // AIzaSy... (Gemini/AI Studio)
+    /AIza[A-Za-z0-9_-]{35}/g,
+    // GCP service account private_key
+    /"private_key"\s*:\s*"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"/g,
+    /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
+    // ── AWS ─────────────────────────────────────────────────────
+    // Access key ID: 20 chars, all-caps alphanumeric
+    /AKIA[0-9A-Z]{16}/g,
+    // ASIA prefix (temporary STS credentials)
+    /ASIA[0-9A-Z]{16}/g,
+    // Secret access key in env/ini/json form
+    /(?:aws_secret_access_key|aws_session_token|secret_access_key)\s*[=:]\s*["']?([A-Za-z0-9/+=]{40})["']?/gi,
+    // ── GitHub ──────────────────────────────────────────────────
+    /ghp_[A-Za-z0-9]{20,}/g,
+    /github_pat_[A-Za-z0-9_]{20,}/g,
+    /gho_[A-Za-z0-9]{20,}/g,
+    /ghu_[A-Za-z0-9]{20,}/g,
+    /ghs_[A-Za-z0-9]{20,}/g,
+    /ghr_[A-Za-z0-9]{20,}/g,
+    // ── Slack ───────────────────────────────────────────────────
+    /xox[baprs]-[A-Za-z0-9-]{10,}/g,
+    // ── Stripe ──────────────────────────────────────────────────
+    /sk_live_[A-Za-z0-9]{20,}/g,
+    /rk_live_[A-Za-z0-9]{20,}/g,
+    // ── Generic JWT (header.payload.signature) ─────────────────
+    /eyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g,
+    // ── Bearer token in Authorization header ────────────────────
+    /(?:Bearer|Token)\s+([A-Za-z0-9._~+/=-]{20,})/g,
+    // ── freellmapi proxy keys ──────────────────────────────────
+    /freellmapi-[A-Za-z0-9._-]{16,}/g,
+    // ── Generic env-style assignments (covers any provider's
+    //    *_KEY / *_SECRET / *_TOKEN env var serialised to text).
+    //    Look-behind is supported in Node 24's V8 build, so we use
+    //    a non-anchored form for max compatibility.
+    /(?<=(api[_-]?key|apikey|secret|token|password|passwd|pwd)\s*["':=]{1,3}\s*)[A-Za-z0-9._/+=-]{16,}/gi,
+];
+/* ──────────────────────── Public API ──────────────────────── */
+/**
+ * Scrub a string of every recognised secret pattern. Used by
+ * the credential vault and by every tool that pipes external
+ * output into a model prompt. Strips ANSI escapes first so a
+ * colourised `Bearer <token>` cannot dodge the redaction.
+ */
+export function scrubForLlm(value) {
+    let scrubbed = stripAnsi(value);
+    for (const pattern of SCRUB_PATTERNS) {
+        scrubbed = scrubbed.replace(pattern, '[REDACTED]');
+    }
+    return scrubbed;
+}
+/**
+ * Legacy alias for {@link scrubForLlm}. Kept for backward
+ * compatibility with the 163 tests that exercise this API.
+ * New code should call `scrubForLlm` directly.
+ *
+ * @deprecated Use {@link scrubForLlm} for clarity. This alias
+ * remains in place so existing callers automatically inherit
+ * the expanded pattern catalogue.
+ */
+export function redactSecrets(value) {
+    return scrubForLlm(value);
+}
+/**
+ * Return a copy of `source` with secret-bearing environment
+ * variables removed. Used by `executeRunCommand` so child
+ * processes (npm install, test runners) never inherit a leaked
+ * key.
+ */
+export function redactedEnv(source = process.env) {
+    const blocked = [
+        /^freellmapi_/i,
+        /^fixo_/i,
+        /^opencode_/i,
+        /_secret$/i,
+        /_key$/i,
+        /_password$/i,
+        /_token$/i,
+        /^api_key$/i,
+        /^anthropic_/i,
+        /^openai_/i,
+        /^google_/i,
+        /^aws_/i,
+        /^openrouter_/i,
+        /^github_/i,
+    ];
+    const env = {};
+    for (const [key, value] of Object.entries(source)) {
+        if (blocked.some(pattern => pattern.test(key)))
+            continue;
+        env[key] = value;
+    }
+    return env;
+}
+//# sourceMappingURL=redaction.js.map

package/dist/runtime/redaction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redaction.js","sourceRoot":"","sources":["../../src/runtime/redaction.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,MAAM,YAAY,GAAG,wBAAwB,CAAC;AAE9C,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,OAAO,KAAK,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;AACzC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,UAAU,CAAC,KAAa;IACtC,OAAO,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;AACzC,CAAC;AAED,yEAAyE;AAEzE;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,cAAc,GAA0B;IACnD,+DAA+D;IAC/D,iFAAiF;IACjF,yBAAyB;IACzB,8BAA8B;IAC9B,iCAAiC;IAEjC,+DAA+D;IAC/D,yCAAyC;IACzC,mCAAmC;IACnC,6BAA6B;IAE7B,+DAA+D;IAC/D,6BAA6B;IAC7B,+BAA+B;IAC/B,4BAA4B;IAE5B,+DAA+D;IAC/D,+BAA+B;IAC/B,wBAAwB;IACxB,kCAAkC;IAClC,mGAAmG;IACnG,6EAA6E;IAE7E,+DAA+D;IAC/D,iDAAiD;IACjD,mBAAmB;IACnB,0CAA0C;IAC1C,mBAAmB;IACnB,yCAAyC;IACzC,yGAAyG;IAEzG,+DAA+D;IAC/D,uBAAuB;IACvB,+BAA+B;IAC/B,uBAAuB;IACvB,uBAAuB;IACvB,uBAAuB;IACvB,uBAAuB;IAEvB,+DAA+D;IAC/D,+BAA+B;IAE/B,+DAA+D;IAC/D,2BAA2B;IAC3B,2BAA2B;IAE3B,8DAA8D;IAC9D,gEAAgE;IAEhE,+DAA+D;IAC/D,+CAA+C;IAE/C,8DAA8D;IAC9D,iCAAiC;IAEjC,0DAA0D;IAC1D,6DAA6D;IAC7D,+DAA+D;IAC/D,gDAAgD;IAChD,qGAAqG;CACtG,CAAC;AAEF,kEAAkE;AAElE;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,KAAa;IACvC,IAAI,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAChC,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;QACrC,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;AAC5B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,SAA4B,OAAO,CAAC,GAAG;IACjE,MAAM,OAAO,GAAG;QACd,eAAe;QACf,SAAS;QACT,aAAa;QACb,WAAW;QACX,QAAQ;QACR,aAAa;QACb,UAAU;QACV,YAAY;QACZ,cAAc;QACd,WAAW;QACX,WAAW;QACX,QAAQ;QACR,eAAe;QACf,WAAW;KACZ,CAAC;IACF,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAAE,SAAS;QACzD,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/runtime/session-snapshots.d.ts

@@ -0,0 +1,76 @@
+import { type TodoList } from '../context/todo.js';
+export declare const SNAPSHOT_VERSION: 1;
+export declare const SNAPSHOT_KIND: "fixo-cli-session";
+export type AgentMode = 'PLAN' | 'BUILD' | 'EXPLORE' | 'SCOUT';
+export interface SessionMessage {
+    role: 'system' | 'user' | 'assistant' | 'tool';
+    content: string;
+    /** Tool name for `role === 'tool'` messages. */
+    name?: string;
+    /** Monotonic per-conversation index. */
+    index: number;
+}
+export interface SessionSnapshot {
+    version: typeof SNAPSHOT_VERSION;
+    kind: typeof SNAPSHOT_KIND;
+    /** Snapshot id = file basename without `.json`. */
+    id: string;
+    /** Absolute cwd captured at save time. */
+    cwd: string;
+    /** ISO-8601 timestamp. */
+    createdAt: string;
+    /** Conversation log. */
+    conversation: SessionMessage[];
+    /** Estimated prompt tokens (approximate, for UI display). */
+    tokens: number;
+    /** Active model at save time. */
+    model: string;
+    /** Agent mode at save time. */
+    mode: AgentMode;
+    /** Files the user had selected (e.g. via `--files` or the file picker). */
+    selectedFiles: string[];
+    /** Optional user-supplied session summary. */
+    summary?: string;
+    /** Optional system-prompt override (FIXO.md block stripped, but
+     *  the caller's original override preserved). */
+    fixedInstructions?: string;
+    /** Persisted todo list at save time. */
+    todo: TodoList;
+}
+export declare function makeSnapshotId(now?: Date): string;
+export declare function snapshotPath(cwd: string, id: string): string;
+export interface SaveInput {
+    cwd: string;
+    conversation: SessionMessage[];
+    tokens: number;
+    model: string;
+    mode: AgentMode;
+    selectedFiles: string[];
+    summary?: string;
+    fixedInstructions?: string;
+    /** If omitted, the todo list is reloaded from disk. */
+    todo?: TodoList;
+}
+export interface SaveResult {
+    ok: boolean;
+    id: string;
+    path: string;
+    error?: string;
+}
+export declare function saveSnapshot(input: SaveInput, now?: Date): SaveResult;
+export interface LoadResult {
+    ok: boolean;
+    snapshot: SessionSnapshot | null;
+    error?: string;
+}
+export declare function loadSnapshot(cwd: string, id: string): LoadResult;
+export interface SnapshotListEntry {
+    id: string;
+    path: string;
+    createdAt: string;
+    tokens: number;
+    items: number;
+    summary?: string;
+}
+export declare function listSnapshots(cwd: string): SnapshotListEntry[];
+//# sourceMappingURL=session-snapshots.d.ts.map

package/dist/runtime/session-snapshots.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-snapshots.d.ts","sourceRoot":"","sources":["../../src/runtime/session-snapshots.ts"],"names":[],"mappings":"AA4BA,OAAO,EAGL,KAAK,QAAQ,EACd,MAAM,oBAAoB,CAAC;AAM5B,eAAO,MAAM,gBAAgB,EAAG,CAAU,CAAC;AAC3C,eAAO,MAAM,aAAa,EAAG,kBAA2B,CAAC;AAEzD,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,GAAG,OAAO,CAAC;AAE/D,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,WAAW,GAAG,MAAM,CAAC;IAC/C,OAAO,EAAE,MAAM,CAAC;IAChB,gDAAgD;IAChD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wCAAwC;IACxC,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,gBAAgB,CAAC;IACjC,IAAI,EAAE,OAAO,aAAa,CAAC;IAC3B,mDAAmD;IACnD,EAAE,EAAE,MAAM,CAAC;IACX,0CAA0C;IAC1C,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,wBAAwB;IACxB,YAAY,EAAE,cAAc,EAAE,CAAC;IAC/B,6DAA6D;IAC7D,MAAM,EAAE,MAAM,CAAC;IACf,iCAAiC;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,+BAA+B;IAC/B,IAAI,EAAE,SAAS,CAAC;IAChB,2EAA2E;IAC3E,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,8CAA8C;IAC9C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;qDACiD;IACjD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,wCAAwC;IACxC,IAAI,EAAE,QAAQ,CAAC;CAChB;AAoBD,wBAAgB,cAAc,CAAC,GAAG,GAAE,IAAiB,GAAG,MAAM,CAG7D;AAED,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,MAAM,CAE5D;AAID,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,cAAc,EAAE,CAAC;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,SAAS,CAAC;IAChB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,uDAAuD;IACvD,IAAI,CAAC,EAAE,QAAQ,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,OAAO,CAAC;IACZ,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAgB,YAAY,CAAC,KAAK,EAAE,SAAS,EAAE,GAAG,GAAE,IAAiB,GAAG,UAAU,CAyCjF;AAID,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,OAAO,CAAC;IACZ,QAAQ,EAAE,eAAe,GAAG,IAAI,CAAC;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,UAAU,CA4BhE;AAID,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,iBAAiB,EAAE,CAmC9D"}

package/dist/runtime/session-snapshots.js

@@ -0,0 +1,166 @@
+/**
+ * session-snapshots.ts — Persistence layer for `--resume <id>`.
+ *
+ * A snapshot is a single JSON file under
+ * `~/.fixocli/sessions/<sha256(cwd)>/<iso-ts>_<short-uuid>.json`
+ * capturing the exact state the REPL needs to rehydrate a
+ * previous conversation: the message log, the todo list, the
+ * selected files, the model, the user-supplied summary, the
+ * agent mode, and the system-prompt override.
+ *
+ * The directory layout is keyed by `sha256(cwd)` so two
+ * different working directories never collide. The snapshot id
+ * is the file's basename (without `.json`) — short enough to
+ * copy/paste, deterministic when re-derived.
+ *
+ * Atomicity: writes go to `<file>.tmp` first, then `renameSync`
+ * over the final path, matching the pattern used by todo
+ * persistence and the staging manager.
+ *
+ * Stability: every snapshot is *self-describing* — it carries a
+ * `version` field and a `kind: 'fixo-cli-session'` discriminator
+ * so a future change to the on-disk format can be migrated
+ * rather than orphaned.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import crypto from 'node:crypto';
+import { loadTodoList, saveTodoList, } from '../context/todo.js';
+import { recordTelemetry, telemetry, } from '../agent/telemetry.js';
+export const SNAPSHOT_VERSION = 1;
+export const SNAPSHOT_KIND = 'fixo-cli-session';
+/* ──────────────────────── path helpers ──────────────────────── */
+function sessionsRoot() {
+    return path.join(os.homedir(), '.fixocli', 'sessions');
+}
+function hashCwd(cwd) {
+    return crypto.createHash('sha256').update(cwd).digest('hex').slice(0, 32);
+}
+function dirForCwd(cwd) {
+    return path.join(sessionsRoot(), hashCwd(cwd));
+}
+function shortUuid() {
+    return crypto.randomBytes(6).toString('base64url');
+}
+export function makeSnapshotId(now = new Date()) {
+    const iso = now.toISOString().replace(/[:.]/g, '-');
+    return `${iso}_${shortUuid()}`;
+}
+export function snapshotPath(cwd, id) {
+    return path.join(dirForCwd(cwd), `${id}.json`);
+}
+export function saveSnapshot(input, now = new Date()) {
+    const id = makeSnapshotId(now);
+    const file = snapshotPath(input.cwd, id);
+    const dir = path.dirname(file);
+    try {
+        fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+    }
+    catch (err) {
+        return { ok: false, id, path: file, error: err.message };
+    }
+    const todo = input.todo ?? loadTodoList(input.cwd);
+    const snapshot = {
+        version: SNAPSHOT_VERSION,
+        kind: SNAPSHOT_KIND,
+        id,
+        cwd: input.cwd,
+        createdAt: now.toISOString(),
+        conversation: input.conversation,
+        tokens: input.tokens,
+        model: input.model,
+        mode: input.mode,
+        selectedFiles: input.selectedFiles,
+        summary: input.summary,
+        fixedInstructions: input.fixedInstructions,
+        todo,
+    };
+    const tmp = `${file}.tmp`;
+    try {
+        fs.writeFileSync(tmp, JSON.stringify(snapshot, null, 2), { encoding: 'utf-8', mode: 0o600 });
+        fs.renameSync(tmp, file);
+        recordTelemetry(telemetry.sessionSnapshot({ id, op: 'save', tokens: input.tokens, items: todo.items.length }));
+        // Best-effort: mirror the todo list to its on-disk location so
+        // a stale-snapshot resume still gets a sensible todo list
+        // *if* the caller didn't supply one. This keeps
+        // `loadTodoList(cwd)` consistent with what the user saw.
+        if (!input.todo)
+            saveTodoList(input.cwd, todo);
+        return { ok: true, id, path: file };
+    }
+    catch (err) {
+        return { ok: false, id, path: file, error: err.message };
+    }
+}
+export function loadSnapshot(cwd, id) {
+    const file = snapshotPath(cwd, id);
+    let raw;
+    try {
+        raw = fs.readFileSync(file, 'utf-8');
+    }
+    catch (err) {
+        return { ok: false, snapshot: null, error: err.message };
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== 'object') {
+            return { ok: false, snapshot: null, error: 'snapshot is not an object' };
+        }
+        const obj = parsed;
+        if (obj.kind !== SNAPSHOT_KIND) {
+            return { ok: false, snapshot: null, error: `unexpected snapshot kind: ${String(obj.kind)}` };
+        }
+        if (obj.version !== SNAPSHOT_VERSION) {
+            return { ok: false, snapshot: null, error: `unsupported snapshot version: ${String(obj.version)}` };
+        }
+        const snap = obj;
+        recordTelemetry(telemetry.sessionSnapshot({ id, op: 'load', tokens: snap.tokens, items: snap.todo.items.length }));
+        return { ok: true, snapshot: snap };
+    }
+    catch (err) {
+        return { ok: false, snapshot: null, error: err.message };
+    }
+}
+export function listSnapshots(cwd) {
+    const dir = dirForCwd(cwd);
+    if (!fs.existsSync(dir))
+        return [];
+    let entries;
+    try {
+        entries = fs.readdirSync(dir).filter((n) => n.endsWith('.json'));
+    }
+    catch {
+        return [];
+    }
+    const out = [];
+    for (const name of entries) {
+        const file = path.join(dir, name);
+        try {
+            const raw = fs.readFileSync(file, 'utf-8');
+            const parsed = JSON.parse(raw);
+            if (!parsed || typeof parsed !== 'object')
+                continue;
+            const obj = parsed;
+            if (obj.kind !== SNAPSHOT_KIND)
+                continue;
+            const conv = Array.isArray(obj.conversation) ? obj.conversation : [];
+            const todo = (obj.todo && typeof obj.todo === 'object') ? obj.todo : {};
+            const items = Array.isArray(todo.items) ? todo.items.length : 0;
+            out.push({
+                id: name.slice(0, -'.json'.length),
+                path: file,
+                createdAt: typeof obj.createdAt === 'string' ? obj.createdAt : '',
+                tokens: typeof obj.tokens === 'number' ? obj.tokens : 0,
+                items,
+                summary: typeof obj.summary === 'string' ? obj.summary : undefined,
+            });
+        }
+        catch {
+            // skip unreadable
+        }
+    }
+    out.sort((a, b) => b.createdAt.localeCompare(a.createdAt));
+    return out;
+}
+//# sourceMappingURL=session-snapshots.js.map

package/dist/runtime/session-snapshots.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-snapshots.js","sourceRoot":"","sources":["../../src/runtime/session-snapshots.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EACL,YAAY,EACZ,YAAY,GAEb,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,eAAe,EACf,SAAS,GACV,MAAM,uBAAuB,CAAC;AAE/B,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAU,CAAC;AAC3C,MAAM,CAAC,MAAM,aAAa,GAAG,kBAA2B,CAAC;AAyCzD,oEAAoE;AAEpE,SAAS,YAAY;IACnB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,OAAO,CAAC,GAAW;IAC1B,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,SAAS,CAAC,GAAW;IAC5B,OAAO,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAY,IAAI,IAAI,EAAE;IACnD,MAAM,GAAG,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACpD,OAAO,GAAG,GAAG,IAAI,SAAS,EAAE,EAAE,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,GAAW,EAAE,EAAU;IAClD,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AACjD,CAAC;AAwBD,MAAM,UAAU,YAAY,CAAC,KAAgB,EAAE,MAAY,IAAI,IAAI,EAAE;IACnE,MAAM,EAAE,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACzC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACtD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;IACtE,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAoB;QAChC,OAAO,EAAE,gBAAgB;QACzB,IAAI,EAAE,aAAa;QACnB,EAAE;QACF,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE;QAC5B,YAAY,EAAE,KAAK,CAAC,YAAY;QAChC,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;QAC1C,IAAI;KACL,CAAC;IACF,MAAM,GAAG,GAAG,GAAG,IAAI,MAAM,CAAC;IAC1B,IAAI,CAAC;QACH,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7F,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACzB,eAAe,CACb,SAAS,CAAC,eAAe,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAC9F,CAAC;QACF,+DAA+D;QAC/D,0DAA0D;QAC1D,gDAAgD;QAChD,yDAAyD;QACzD,IAAI,CAAC,KAAK,CAAC,IAAI;YAAE,YAAY,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC/C,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACtC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;IACtE,CAAC;AACH,CAAC;AAUD,MAAM,UAAU,YAAY,CAAC,GAAW,EAAE,EAAU;IAClD,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACnC,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;IACtE,CAAC;IACD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;QAC1C,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC1C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC;QAC3E,CAAC;QACD,MAAM,GAAG,GAAG,MAAiC,CAAC;QAC9C,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;YAC/B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,6BAA6B,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QAC/F,CAAC;QACD,IAAI,GAAG,CAAC,OAAO,KAAK,gBAAgB,EAAE,CAAC;YACrC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,iCAAiC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;QACtG,CAAC;QACD,MAAM,IAAI,GAAG,GAAiC,CAAC;QAC/C,eAAe,CACb,SAAS,CAAC,eAAe,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAClG,CAAC;QACF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IACtC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;IACtE,CAAC;AACH,CAAC;AAaD,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IACnC,IAAI,OAAiB,CAAC;IACtB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;YAC1C,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;gBAAE,SAAS;YACpD,MAAM,GAAG,GAAG,MAAiC,CAAC;YAC9C,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa;gBAAE,SAAS;YACzC,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAA6B,CAAC,CAAC,CAAC,EAAE,CAAC;YACjG,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YAChE,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;gBAClC,IAAI,EAAE,IAAI;gBACV,SAAS,EAAE,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;gBACjE,MAAM,EAAE,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACvD,KAAK;gBACL,OAAO,EAAE,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;aACnE,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,kBAAkB;QACpB,CAAC;IACH,CAAC;IACD,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;IAC3D,OAAO,GAAG,CAAC;AACb,CAAC"}