fixo-cli 1.0.4 → 2.0.0

package/dist/runtime/loop-mitigation.d.ts

@@ -19,25 +19,96 @@
  *
  * Hard-abort is left untouched — the detector still raises
  * SemanticLoopAbortedError at its existing threshold.
+ *
+ * ── Phase 1b (Sliding Window) ──────────────────────────────────────
+ *
+ * The original tracker stored warn counts permanently for the lifetime
+ * of the session and never decayed them. Once a file accumulated 2
+ * warns it became "immortal" — every subsequent read was rejected and,
+ * because `task-session.canMutate()` requires a fresh read before any
+ * write, the file also became un-modifiable. This deadlock was
+ * observed in the June 22, 2026 log session on `style.css`,
+ * `portfolio.css`, and `script.js`.
+ *
+ * Phase 1b adds an optional sliding-window mode. When enabled, each
+ * warn carries the `currentTurn` it occurred on, and `isBlocked()`
+ * only considers warns within the last N turns. Default N is 10. The
+ * legacy session-lifetime behavior is preserved as the default
+ * (toggled by `preferences.agent.loopGuard.useSlidingWindow`) until
+ * Phase 7 flips the flag after soak.
  */
 /** Number of `warn` verdicts on the same target before reads are blocked. */
 export declare const REPEAT_WARN_BLOCK_THRESHOLD = 2;
+/** Default sliding-window size in tool calls (used when sliding is enabled). */
+export declare const DEFAULT_BLOCK_WINDOW_TURNS = 10;
 export declare function isReadTool(name: string): boolean;
+/**
+ * Construction-time options for the tracker. All fields optional.
+ * When `useSlidingWindow` is false (default), behavior is identical
+ * to the pre-Phase-1b implementation: warns accumulate for the entire
+ * session, and the block flips on at the threshold and stays on.
+ */
+export interface LoopMitigationOptions {
+    /** When true, warns decay outside `blockWindowTurns`. Default false. */
+    useSlidingWindow?: boolean;
+    /** Sliding-window size in tool calls. Default {@link DEFAULT_BLOCK_WINDOW_TURNS}. */
+    blockWindowTurns?: number;
+}
 export declare class LoopMitigationTracker {
+    /** Legacy-mode running count of warns per target. */
     private readonly warnCounts;
+    /** Legacy-mode set of targets that have flipped to blocked. */
     private readonly blockedTargets;
+    /** Sliding-mode timestamps (tool-call counts) of warns per target. */
+    private readonly warnTimestamps;
+    private readonly useSlidingWindow;
+    private readonly blockWindowTurns;
+    /**
+     * Monotonic fallback counter used when sliding mode is enabled but
+     * the caller didn't pass a `currentTurn`. Ensures the sliding-window
+     * path stays consistent (both recordWarn and isBlocked operate on
+     * the same datastructure) even for legacy callers.
+     */
+    private fallbackTurn;
+    constructor(options?: LoopMitigationOptions);
     /**
      * Record a `warn` verdict for `target`. Returns true if this verdict
      * pushed `target` over the block threshold (caller may choose to
      * surface a one-time "now blocking" message).
+     *
+     * `currentTurn` is required when the tracker was constructed with
+     * `useSlidingWindow: true` — it's the tool-call count at the moment
+     * of the warn, used to compare against the sliding window. In
+     * legacy mode the parameter is accepted but ignored, preserving
+     * backward-compatible callers.
+     */
+    recordWarn(target: string, currentTurn?: number): boolean;
+    private recordWarnLegacy;
+    /**
+     * True if the target has been blocked from further reads.
+     *
+     * In sliding-window mode, `currentTurn` should be passed so the
+     * window can be evaluated against the present moment. Without it
+     * the method evaluates against the most recent warn timestamp,
+     * which is usually correct but may keep a target blocked for one
+     * extra turn after the window would have decayed.
+     */
+    isBlocked(target: string, currentTurn?: number): boolean;
+    /**
+     * Number of warns recorded for the target (for diagnostics).
+     * In sliding mode this returns warns within the current window
+     * rather than the cumulative session count.
+     */
+    warnsFor(target: string, currentTurn?: number): number;
+    /**
+     * Reset all tracker state. Used between sessions, in tests, and
+     * (Phase 1b) optionally between orchestrator subtasks so one stuck
+     * subtask cannot poison the rest of the run.
+     *
+     * Passing a target resets state for just that path; passing nothing
+     * clears everything.
      */
-    recordWarn(target: string): boolean;
-    /** True if the target has been blocked from further reads. */
-    isBlocked(target: string): boolean;
-    /** Number of warns recorded for the target (for diagnostics). */
-    warnsFor(target: string): number;
-    /** Reset all state (used between sessions or in tests). */
-    reset(): void;
+    reset(target?: string): void;
 }
 /**
  * Build the synthetic tool-result that replaces a blocked read.

package/dist/runtime/loop-mitigation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"loop-mitigation.d.ts","sourceRoot":"","sources":["../../src/runtime/loop-mitigation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,6EAA6E;AAC7E,eAAO,MAAM,2BAA2B,IAAI,CAAC;AAS7C,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEhD;AAED,qBAAa,qBAAqB;IAChC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA6B;IACxD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAqB;IAEpD;;;;OAIG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAWnC,8DAA8D;IAC9D,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAIlC,iEAAiE;IACjE,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM;IAIhC,2DAA2D;IAC3D,KAAK,IAAI,IAAI;CAId;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAShF"}
+{"version":3,"file":"loop-mitigation.d.ts","sourceRoot":"","sources":["../../src/runtime/loop-mitigation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,6EAA6E;AAC7E,eAAO,MAAM,2BAA2B,IAAI,CAAC;AAE7C,gFAAgF;AAChF,eAAO,MAAM,0BAA0B,KAAK,CAAC;AAS7C,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEhD;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,wEAAwE;IACxE,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,qFAAqF;IACrF,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,qBAAa,qBAAqB;IAChC,qDAAqD;IACrD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA6B;IACxD,+DAA+D;IAC/D,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAqB;IACpD,sEAAsE;IACtE,OAAO,CAAC,QAAQ,CAAC,cAAc,CAA+B;IAE9D,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAU;IAC3C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C;;;;;OAKG;IACH,OAAO,CAAC,YAAY,CAAK;gBAEb,OAAO,GAAE,qBAA0B;IAK/C;;;;;;;;;;OAUG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO;IA0BzD,OAAO,CAAC,gBAAgB;IAWxB;;;;;;;;OAQG;IACH,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO;IAYxD;;;;OAIG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM;IAWtD;;;;;;;OAOG;IACH,KAAK,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI;CAY7B;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAShF"}

package/dist/runtime/loop-mitigation.js

@@ -19,9 +19,28 @@
  *
  * Hard-abort is left untouched — the detector still raises
  * SemanticLoopAbortedError at its existing threshold.
+ *
+ * ── Phase 1b (Sliding Window) ──────────────────────────────────────
+ *
+ * The original tracker stored warn counts permanently for the lifetime
+ * of the session and never decayed them. Once a file accumulated 2
+ * warns it became "immortal" — every subsequent read was rejected and,
+ * because `task-session.canMutate()` requires a fresh read before any
+ * write, the file also became un-modifiable. This deadlock was
+ * observed in the June 22, 2026 log session on `style.css`,
+ * `portfolio.css`, and `script.js`.
+ *
+ * Phase 1b adds an optional sliding-window mode. When enabled, each
+ * warn carries the `currentTurn` it occurred on, and `isBlocked()`
+ * only considers warns within the last N turns. Default N is 10. The
+ * legacy session-lifetime behavior is preserved as the default
+ * (toggled by `preferences.agent.loopGuard.useSlidingWindow`) until
+ * Phase 7 flips the flag after soak.
  */
 /** Number of `warn` verdicts on the same target before reads are blocked. */
 export const REPEAT_WARN_BLOCK_THRESHOLD = 2;
+/** Default sliding-window size in tool calls (used when sliding is enabled). */
+export const DEFAULT_BLOCK_WINDOW_TURNS = 10;
 /** Tool names that count as "reading" the target path. */
 const READ_TOOL_NAMES = new Set([
     'read_file',
@@ -32,14 +51,63 @@ export function isReadTool(name) {
     return READ_TOOL_NAMES.has(name);
 }
 export class LoopMitigationTracker {
+    /** Legacy-mode running count of warns per target. */
     warnCounts = new Map();
+    /** Legacy-mode set of targets that have flipped to blocked. */
     blockedTargets = new Set();
+    /** Sliding-mode timestamps (tool-call counts) of warns per target. */
+    warnTimestamps = new Map();
+    useSlidingWindow;
+    blockWindowTurns;
+    /**
+     * Monotonic fallback counter used when sliding mode is enabled but
+     * the caller didn't pass a `currentTurn`. Ensures the sliding-window
+     * path stays consistent (both recordWarn and isBlocked operate on
+     * the same datastructure) even for legacy callers.
+     */
+    fallbackTurn = 0;
+    constructor(options = {}) {
+        this.useSlidingWindow = options.useSlidingWindow === true;
+        this.blockWindowTurns = options.blockWindowTurns ?? DEFAULT_BLOCK_WINDOW_TURNS;
+    }
     /**
      * Record a `warn` verdict for `target`. Returns true if this verdict
      * pushed `target` over the block threshold (caller may choose to
      * surface a one-time "now blocking" message).
+     *
+     * `currentTurn` is required when the tracker was constructed with
+     * `useSlidingWindow: true` — it's the tool-call count at the moment
+     * of the warn, used to compare against the sliding window. In
+     * legacy mode the parameter is accepted but ignored, preserving
+     * backward-compatible callers.
      */
-    recordWarn(target) {
+    recordWarn(target, currentTurn) {
+        if (this.useSlidingWindow) {
+            // Sliding mode: append a timestamp and re-evaluate block state.
+            // If the caller didn't pass currentTurn, use a monotonic fallback
+            // so the sliding path remains the single source of truth (rather
+            // than splitting state across legacy + sliding stores).
+            const turn = currentTurn ?? ++this.fallbackTurn;
+            if (currentTurn !== undefined) {
+                // Keep fallback ahead of explicit turns so a later mixed call
+                // never re-uses an earlier turn id.
+                if (currentTurn > this.fallbackTurn)
+                    this.fallbackTurn = currentTurn;
+            }
+            const arr = this.warnTimestamps.get(target) ?? [];
+            arr.push(turn);
+            // Prune anything outside the current window so the array doesn't
+            // grow unboundedly across long sessions.
+            const cutoff = turn - this.blockWindowTurns;
+            const pruned = arr.filter((t) => t >= cutoff);
+            this.warnTimestamps.set(target, pruned);
+            const wasBlocked = pruned.length - 1 >= REPEAT_WARN_BLOCK_THRESHOLD; // prior state (before this push, but pruned)
+            const isNowBlocked = pruned.length >= REPEAT_WARN_BLOCK_THRESHOLD;
+            return !wasBlocked && isNowBlocked;
+        }
+        return this.recordWarnLegacy(target);
+    }
+    recordWarnLegacy(target) {
         const prev = this.warnCounts.get(target) ?? 0;
         const next = prev + 1;
         this.warnCounts.set(target, next);
@@ -49,18 +117,63 @@ export class LoopMitigationTracker {
         }
         return false;
     }
-    /** True if the target has been blocked from further reads. */
-    isBlocked(target) {
+    /**
+     * True if the target has been blocked from further reads.
+     *
+     * In sliding-window mode, `currentTurn` should be passed so the
+     * window can be evaluated against the present moment. Without it
+     * the method evaluates against the most recent warn timestamp,
+     * which is usually correct but may keep a target blocked for one
+     * extra turn after the window would have decayed.
+     */
+    isBlocked(target, currentTurn) {
+        if (this.useSlidingWindow) {
+            const arr = this.warnTimestamps.get(target);
+            if (!arr || arr.length === 0)
+                return false;
+            const ref = currentTurn ?? arr[arr.length - 1];
+            const cutoff = ref - this.blockWindowTurns;
+            const live = arr.filter((t) => t >= cutoff);
+            return live.length >= REPEAT_WARN_BLOCK_THRESHOLD;
+        }
         return this.blockedTargets.has(target);
     }
-    /** Number of warns recorded for the target (for diagnostics). */
-    warnsFor(target) {
+    /**
+     * Number of warns recorded for the target (for diagnostics).
+     * In sliding mode this returns warns within the current window
+     * rather than the cumulative session count.
+     */
+    warnsFor(target, currentTurn) {
+        if (this.useSlidingWindow) {
+            const arr = this.warnTimestamps.get(target);
+            if (!arr)
+                return 0;
+            if (currentTurn === undefined)
+                return arr.length;
+            const cutoff = currentTurn - this.blockWindowTurns;
+            return arr.filter((t) => t >= cutoff).length;
+        }
         return this.warnCounts.get(target) ?? 0;
     }
-    /** Reset all state (used between sessions or in tests). */
-    reset() {
-        this.warnCounts.clear();
-        this.blockedTargets.clear();
+    /**
+     * Reset all tracker state. Used between sessions, in tests, and
+     * (Phase 1b) optionally between orchestrator subtasks so one stuck
+     * subtask cannot poison the rest of the run.
+     *
+     * Passing a target resets state for just that path; passing nothing
+     * clears everything.
+     */
+    reset(target) {
+        if (target === undefined) {
+            this.warnCounts.clear();
+            this.blockedTargets.clear();
+            this.warnTimestamps.clear();
+            this.fallbackTurn = 0;
+            return;
+        }
+        this.warnCounts.delete(target);
+        this.blockedTargets.delete(target);
+        this.warnTimestamps.delete(target);
     }
 }
 /**

package/dist/runtime/loop-mitigation.js.map

@@ -1 +1 @@
-{"version":3,"file":"loop-mitigation.js","sourceRoot":"","sources":["../../src/runtime/loop-mitigation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,6EAA6E;AAC7E,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC;AAE7C,0DAA0D;AAC1D,MAAM,eAAe,GAAwB,IAAI,GAAG,CAAC;IACnD,WAAW;IACX,iBAAiB;IACjB,iBAAiB;CAClB,CAAC,CAAC;AAEH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,OAAO,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,OAAO,qBAAqB;IACf,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;IAEpD;;;;OAIG;IACH,UAAU,CAAC,MAAc;QACvB,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC;QACtB,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAClC,IAAI,IAAI,IAAI,2BAA2B,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5E,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,8DAA8D;IAC9D,SAAS,CAAC,MAAc;QACtB,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAED,iEAAiE;IACjE,QAAQ,CAAC,MAAc;QACrB,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC1C,CAAC;IAED,2DAA2D;IAC3D,KAAK;QACH,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACxB,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;IAC9B,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,0BAA0B,CAAC,MAAc,EAAE,KAAa;IACtE,OAAO,CACL,iEAAiE,MAAM,IAAI;QAC3E,QAAQ,KAAK,0DAA0D;QACvE,oEAAoE;QACpE,iEAAiE;QACjE,iFAAiF;QACjF,sFAAsF,CACvF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"loop-mitigation.js","sourceRoot":"","sources":["../../src/runtime/loop-mitigation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,6EAA6E;AAC7E,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC;AAE7C,gFAAgF;AAChF,MAAM,CAAC,MAAM,0BAA0B,GAAG,EAAE,CAAC;AAE7C,0DAA0D;AAC1D,MAAM,eAAe,GAAwB,IAAI,GAAG,CAAC;IACnD,WAAW;IACX,iBAAiB;IACjB,iBAAiB;CAClB,CAAC,CAAC;AAEH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,OAAO,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACnC,CAAC;AAeD,MAAM,OAAO,qBAAqB;IAChC,qDAAqD;IACpC,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxD,+DAA+D;IAC9C,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;IACpD,sEAAsE;IACrD,cAAc,GAAG,IAAI,GAAG,EAAoB,CAAC;IAE7C,gBAAgB,CAAU;IAC1B,gBAAgB,CAAS;IAC1C;;;;;OAKG;IACK,YAAY,GAAG,CAAC,CAAC;IAEzB,YAAY,UAAiC,EAAE;QAC7C,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,KAAK,IAAI,CAAC;QAC1D,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,0BAA0B,CAAC;IACjF,CAAC;IAED;;;;;;;;;;OAUG;IACH,UAAU,CAAC,MAAc,EAAE,WAAoB;QAC7C,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC1B,gEAAgE;YAChE,kEAAkE;YAClE,iEAAiE;YACjE,wDAAwD;YACxD,MAAM,IAAI,GAAG,WAAW,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC;YAChD,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;gBAC9B,8DAA8D;gBAC9D,oCAAoC;gBACpC,IAAI,WAAW,GAAG,IAAI,CAAC,YAAY;oBAAE,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;YACvE,CAAC;YACD,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAClD,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACf,iEAAiE;YACjE,yCAAyC;YACzC,MAAM,MAAM,GAAG,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC;YAC5C,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC;YAC9C,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YACxC,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,2BAA2B,CAAC,CAAC,6CAA6C;YAClH,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,IAAI,2BAA2B,CAAC;YAClE,OAAO,CAAC,UAAU,IAAI,YAAY,CAAC;QACrC,CAAC;QACD,OAAO,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAEO,gBAAgB,CAAC,MAAc;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC;QACtB,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAClC,IAAI,IAAI,IAAI,2BAA2B,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5E,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;;;;OAQG;IACH,SAAS,CAAC,MAAc,EAAE,WAAoB;QAC5C,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,GAAG,GAAG,WAAW,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAC/C,MAAM,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,gBAAgB,CAAC;YAC3C,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC;YAC5C,OAAO,IAAI,CAAC,MAAM,IAAI,2BAA2B,CAAC;QACpD,CAAC;QACD,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAED;;;;OAIG;IACH,QAAQ,CAAC,MAAc,EAAE,WAAoB;QAC3C,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,GAAG;gBAAE,OAAO,CAAC,CAAC;YACnB,IAAI,WAAW,KAAK,SAAS;gBAAE,OAAO,GAAG,CAAC,MAAM,CAAC;YACjD,MAAM,MAAM,GAAG,WAAW,GAAG,IAAI,CAAC,gBAAgB,CAAC;YACnD,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,MAAM,CAAC;QAC/C,CAAC;QACD,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC1C,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,MAAe;QACnB,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACxB,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;YAC5B,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;YAC5B,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC;YACtB,OAAO;QACT,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,0BAA0B,CAAC,MAAc,EAAE,KAAa;IACtE,OAAO,CACL,iEAAiE,MAAM,IAAI;QAC3E,QAAQ,KAAK,0DAA0D;QACvE,oEAAoE;QACpE,iEAAiE;QACjE,iFAAiF;QACjF,sFAAsF,CACvF,CAAC;AACJ,CAAC"}

package/dist/runtime/os-sandbox.d.ts

@@ -0,0 +1,100 @@
+/**
+ * os-sandbox.ts — Phase 1.2 OS-level sandbox wrapper for `run_command`.
+ *
+ * The CLI already enforces a regex-based command-parser layer and
+ * a WorkspaceGuard path-boundary check before any shell command runs.
+ * That stops the obvious cases (`> /etc/passwd`, `sed -i ../foo`) but
+ * is not a complete defence against a confused or prompt-injected
+ * model — a regex blocklist is a speed bump, not a wall.
+ *
+ * This module adds an OS-enforced second layer that the model has no
+ * way around: `sandbox-exec` on macOS, `bwrap` on Linux. Both use the
+ * same OS primitives Apple's own `xcrun` and Flatpak rely on, so the
+ * deny semantics are exactly the kernel's, not a JavaScript regex.
+ *
+ * Design choices, deliberate:
+ *
+ *  - Default is OFF (config `safety.sandboxMode === 'guard'`). Turning
+ *    it on changes runtime behaviour and we want users to opt in
+ *    explicitly, not be surprised by a build that suddenly fails
+ *    because their `npm test` script writes to `~/.npm/_cacache`.
+ *
+ *  - When ON and the platform binary is missing, we surface a clear
+ *    structured error instead of silently downgrading. A user who
+ *    opted into `os-sandbox` and got the regex layer would have the
+ *    worst of both worlds — false safety.
+ *
+ *  - Network is allowed by default — most legitimate build/test
+ *    commands need it (npm install, cargo fetch, pip). Callers that
+ *    want strict isolation can pass `allowNetwork: false`.
+ *
+ *  - Reads are unrestricted. The agent legitimately needs to inspect
+ *    the system to plan its work. Writes are the dangerous side.
+ *
+ *  - The macOS profile is generated at runtime into the OS temp dir
+ *    from a template (no static `.sb` file shipped) so allow-write
+ *    paths can be parameterised per-invocation without macros.
+ *    `sandbox-exec` is technically deprecated by Apple but still
+ *    ships and works on darwin 25; what's available today wins.
+ */
+import { type SpawnSyncReturns } from 'node:child_process';
+export type SandboxPlatform = 'darwin' | 'linux';
+export interface SandboxOpts {
+    /** Directory the shell runs in. Must be readable. */
+    cwd: string;
+    /**
+     * Roots the sandboxed process may write to. Reads are not
+     * restricted — only writes. Always includes the OS temp dir
+     * regardless of what the caller passes, because nearly every
+     * build tool writes there.
+     */
+    allowedWritePaths: string[];
+    /**
+     * Whether the sandboxed process may open network sockets. Most
+     * legitimate `run_command` calls need this (npm install,
+     * cargo fetch), so the caller usually wants `true`.
+     */
+    allowNetwork: boolean;
+    /** Wall-clock timeout in ms. Defaults to 60s. */
+    timeout?: number;
+    /** Max captured stdout/stderr bytes. Defaults to 1 MiB. */
+    maxBuffer?: number;
+    /** Environment for the child process. */
+    env?: NodeJS.ProcessEnv;
+}
+/**
+ * Why a sandboxed `run_command` couldn't actually be wrapped in an
+ * OS sandbox. Distinct from a *command-failed-inside-the-sandbox*
+ * error, which surfaces through {@link SpawnSyncReturns.status} as
+ * usual.
+ */
+export declare class SandboxUnavailableError extends Error {
+    platform: NodeJS.Platform;
+    reason: string;
+    constructor(platform: NodeJS.Platform, reason: string);
+}
+/**
+ * Run a shell command inside an OS-enforced sandbox.
+ *
+ * Throws {@link SandboxUnavailableError} if the current platform has
+ * no supported wrapper or the required binary is not on `$PATH`.
+ * Otherwise returns the same {@link SpawnSyncReturns} shape the
+ * caller would get from a plain `spawnSync(command, { shell: true })`
+ * call — so the call site only differs by routing decision, not by
+ * result handling.
+ */
+export declare function runSandboxed(command: string, opts: SandboxOpts): SpawnSyncReturns<string>;
+/**
+ * Best-effort probe: would {@link runSandboxed} succeed on this
+ * machine without actually running a command? Used by the CLI's
+ * startup sanity check so we can warn at boot rather than at the
+ * first command. Returns `null` on success, a structured reason on
+ * failure.
+ */
+export declare function probeSandbox(): {
+    ok: true;
+} | {
+    ok: false;
+    reason: string;
+};
+//# sourceMappingURL=os-sandbox.d.ts.map

package/dist/runtime/os-sandbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"os-sandbox.d.ts","sourceRoot":"","sources":["../../src/runtime/os-sandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,OAAO,EAAa,KAAK,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAKtE,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,OAAO,CAAC;AAEjD,MAAM,WAAW,WAAW;IAC1B,qDAAqD;IACrD,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;OAKG;IACH,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B;;;;OAIG;IACH,YAAY,EAAE,OAAO,CAAC;IACtB,iDAAiD;IACjD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,2DAA2D;IAC3D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,yCAAyC;IACzC,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;CACzB;AAED;;;;;GAKG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;IAC7B,QAAQ,EAAE,MAAM,CAAC,QAAQ;IAAS,MAAM,EAAE,MAAM;gBAAhD,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAS,MAAM,EAAE,MAAM;CAIpE;AAID;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,GAAG,gBAAgB,CAAC,MAAM,CAAC,CASzF;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,IAAI;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAe3E"}

package/dist/runtime/os-sandbox.js

@@ -0,0 +1,246 @@
+/**
+ * os-sandbox.ts — Phase 1.2 OS-level sandbox wrapper for `run_command`.
+ *
+ * The CLI already enforces a regex-based command-parser layer and
+ * a WorkspaceGuard path-boundary check before any shell command runs.
+ * That stops the obvious cases (`> /etc/passwd`, `sed -i ../foo`) but
+ * is not a complete defence against a confused or prompt-injected
+ * model — a regex blocklist is a speed bump, not a wall.
+ *
+ * This module adds an OS-enforced second layer that the model has no
+ * way around: `sandbox-exec` on macOS, `bwrap` on Linux. Both use the
+ * same OS primitives Apple's own `xcrun` and Flatpak rely on, so the
+ * deny semantics are exactly the kernel's, not a JavaScript regex.
+ *
+ * Design choices, deliberate:
+ *
+ *  - Default is OFF (config `safety.sandboxMode === 'guard'`). Turning
+ *    it on changes runtime behaviour and we want users to opt in
+ *    explicitly, not be surprised by a build that suddenly fails
+ *    because their `npm test` script writes to `~/.npm/_cacache`.
+ *
+ *  - When ON and the platform binary is missing, we surface a clear
+ *    structured error instead of silently downgrading. A user who
+ *    opted into `os-sandbox` and got the regex layer would have the
+ *    worst of both worlds — false safety.
+ *
+ *  - Network is allowed by default — most legitimate build/test
+ *    commands need it (npm install, cargo fetch, pip). Callers that
+ *    want strict isolation can pass `allowNetwork: false`.
+ *
+ *  - Reads are unrestricted. The agent legitimately needs to inspect
+ *    the system to plan its work. Writes are the dangerous side.
+ *
+ *  - The macOS profile is generated at runtime into the OS temp dir
+ *    from a template (no static `.sb` file shipped) so allow-write
+ *    paths can be parameterised per-invocation without macros.
+ *    `sandbox-exec` is technically deprecated by Apple but still
+ *    ships and works on darwin 25; what's available today wins.
+ */
+import { spawnSync } from 'node:child_process';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+/**
+ * Why a sandboxed `run_command` couldn't actually be wrapped in an
+ * OS sandbox. Distinct from a *command-failed-inside-the-sandbox*
+ * error, which surfaces through {@link SpawnSyncReturns.status} as
+ * usual.
+ */
+export class SandboxUnavailableError extends Error {
+    platform;
+    reason;
+    constructor(platform, reason) {
+        super(`OS sandbox unavailable on ${platform}: ${reason}`);
+        this.platform = platform;
+        this.reason = reason;
+        this.name = 'SandboxUnavailableError';
+    }
+}
+/* ──────────────────────── Public entry point ──────────────────────── */
+/**
+ * Run a shell command inside an OS-enforced sandbox.
+ *
+ * Throws {@link SandboxUnavailableError} if the current platform has
+ * no supported wrapper or the required binary is not on `$PATH`.
+ * Otherwise returns the same {@link SpawnSyncReturns} shape the
+ * caller would get from a plain `spawnSync(command, { shell: true })`
+ * call — so the call site only differs by routing decision, not by
+ * result handling.
+ */
+export function runSandboxed(command, opts) {
+    const platform = process.platform;
+    if (platform === 'darwin') {
+        return runSandboxedMacos(command, opts);
+    }
+    if (platform === 'linux') {
+        return runSandboxedLinux(command, opts);
+    }
+    throw new SandboxUnavailableError(platform, 'no supported OS sandbox wrapper for this platform');
+}
+/**
+ * Best-effort probe: would {@link runSandboxed} succeed on this
+ * machine without actually running a command? Used by the CLI's
+ * startup sanity check so we can warn at boot rather than at the
+ * first command. Returns `null` on success, a structured reason on
+ * failure.
+ */
+export function probeSandbox() {
+    const platform = process.platform;
+    if (platform === 'darwin') {
+        const which = whichBinary('sandbox-exec');
+        return which ? { ok: true } : { ok: false, reason: '`sandbox-exec` not on $PATH (macOS system tool)' };
+    }
+    if (platform === 'linux') {
+        const which = whichBinary('bwrap');
+        if (which)
+            return { ok: true };
+        return {
+            ok: false,
+            reason: '`bwrap` (bubblewrap) not installed. Install with: apt install bubblewrap | dnf install bubblewrap | apk add bubblewrap',
+        };
+    }
+    return { ok: false, reason: `unsupported platform: ${platform}` };
+}
+/* ──────────────────────── macOS: sandbox-exec ──────────────────────── */
+function runSandboxedMacos(command, opts) {
+    if (!whichBinary('sandbox-exec')) {
+        throw new SandboxUnavailableError('darwin', '`sandbox-exec` not on $PATH');
+    }
+    const profile = buildMacosProfile({
+        allowedWritePaths: dedupeAndResolve([...opts.allowedWritePaths, os.tmpdir()]),
+        allowNetwork: opts.allowNetwork,
+    });
+    // Write the profile to a temp file. sandbox-exec will read it
+    // before exec; we delete it immediately after the child returns.
+    const profilePath = path.join(os.tmpdir(), `fixo-sandbox-${process.pid}-${Date.now()}.sb`);
+    fs.writeFileSync(profilePath, profile, { encoding: 'utf-8', mode: 0o600 });
+    try {
+        return spawnSync('sandbox-exec', ['-f', profilePath, '/bin/sh', '-c', command], {
+            cwd: opts.cwd,
+            encoding: 'utf-8',
+            timeout: opts.timeout ?? 60_000,
+            maxBuffer: opts.maxBuffer ?? 1024 * 1024,
+            env: opts.env ?? process.env,
+        });
+    }
+    finally {
+        try {
+            fs.unlinkSync(profilePath);
+        }
+        catch { /* safe: best-effort cleanup of tmp profile */ }
+    }
+}
+function buildMacosProfile(opts) {
+    // Quote each allow-write path in TinyScheme-style string literal
+    // form. sandbox-exec uses backslash-escaped double-quoted strings.
+    const writeRoots = opts.allowedWritePaths
+        .map((p) => `  (subpath ${quoteSb(p)})`)
+        .join('\n');
+    const networkRule = opts.allowNetwork ? '(allow network*)' : '(deny network*)';
+    // Inspired by Apple's own /System/Library/Sandbox/Profiles seed
+    // profiles. `allow file-read*` is total because the agent must be
+    // able to read the system to do useful work; writes are the side
+    // we lock down. The auxiliary `allow` rules (sysctl, mach-lookup,
+    // process-fork, ipc-posix-shm) are the bare minimum a `/bin/sh`
+    // exec of a typical build command needs to not crash.
+    return `(version 1)
+(deny default)
+
+; Reads: unrestricted. The agent needs to inspect the system.
+(allow file-read*)
+
+; Writes: only inside the explicitly-allowed roots.
+(allow file-write*
+${writeRoots})
+
+; Process / sysctl / IPC: required for /bin/sh to execute a command.
+(allow process-fork)
+(allow process-exec*)
+(allow sysctl-read)
+(allow mach-lookup)
+(allow file-ioctl)
+(allow ipc-posix-shm)
+(allow signal (target self))
+
+; Network rule (gated by caller).
+${networkRule}
+`;
+}
+function quoteSb(s) {
+    // sandbox-exec strings use double-quotes with backslash escaping.
+    return `"${s.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
+}
+/* ──────────────────────── Linux: bubblewrap ──────────────────────── */
+function runSandboxedLinux(command, opts) {
+    if (!whichBinary('bwrap')) {
+        throw new SandboxUnavailableError('linux', '`bwrap` (bubblewrap) not installed. Install with: apt install bubblewrap | dnf install bubblewrap | apk add bubblewrap');
+    }
+    const writeRoots = dedupeAndResolve([...opts.allowedWritePaths, os.tmpdir()]);
+    const args = [
+        // Read-only mount the standard system tree. /usr is the
+        // important one — that's where /bin/sh, coreutils, etc. live.
+        '--ro-bind', '/usr', '/usr',
+        '--ro-bind', '/bin', '/bin',
+        '--ro-bind', '/sbin', '/sbin',
+        '--ro-bind', '/lib', '/lib',
+        '--symlink', 'usr/lib64', '/lib64',
+        '--ro-bind', '/etc', '/etc',
+        // Procfs + devtmpfs: needed by virtually every binary.
+        '--proc', '/proc',
+        '--dev', '/dev',
+        // Tmpfs for /run and /var so the child can drop pidfiles.
+        '--tmpfs', '/run',
+        '--tmpfs', '/var',
+    ];
+    for (const wr of writeRoots) {
+        args.push('--bind', wr, wr);
+    }
+    if (!opts.allowNetwork) {
+        args.push('--unshare-net');
+    }
+    // PID + user namespaces — cheap isolation that doesn't break
+    // most build tools.
+    args.push('--unshare-pid');
+    args.push('--die-with-parent');
+    args.push('--chdir', opts.cwd);
+    args.push('/bin/sh', '-c', command);
+    return spawnSync('bwrap', args, {
+        cwd: opts.cwd,
+        encoding: 'utf-8',
+        timeout: opts.timeout ?? 60_000,
+        maxBuffer: opts.maxBuffer ?? 1024 * 1024,
+        env: opts.env ?? process.env,
+    });
+}
+/* ──────────────────────── Helpers ──────────────────────── */
+function whichBinary(name) {
+    const which = spawnSync('which', [name], { encoding: 'utf-8' });
+    return which.status === 0 && which.stdout.trim().length > 0;
+}
+function dedupeAndResolve(paths) {
+    const seen = new Set();
+    const out = [];
+    for (const p of paths) {
+        // Canonicalize: on macOS `/var/folders/...` is actually
+        // `/private/var/folders/...`; sandbox-exec matches on the
+        // canonical path, so an allow rule written against the symlink
+        // path silently denies. Same trap exists for `/tmp` →
+        // `/private/tmp`. realpathSync resolves both. Fall back to the
+        // resolved-but-uncanonicalized path if the directory does not
+        // exist yet (callers may pass it before creation).
+        let abs;
+        try {
+            abs = fs.realpathSync(path.resolve(p));
+        }
+        catch {
+            abs = path.resolve(p);
+        }
+        if (seen.has(abs))
+            continue;
+        seen.add(abs);
+        out.push(abs);
+    }
+    return out;
+}
+//# sourceMappingURL=os-sandbox.js.map

package/dist/runtime/os-sandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"os-sandbox.js","sourceRoot":"","sources":["../../src/runtime/os-sandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,OAAO,EAAE,SAAS,EAAyB,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AA4B7B;;;;;GAKG;AACH,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IAC7B;IAAkC;IAArD,YAAmB,QAAyB,EAAS,MAAc;QACjE,KAAK,CAAC,6BAA6B,QAAQ,KAAK,MAAM,EAAE,CAAC,CAAC;QADzC,aAAQ,GAAR,QAAQ,CAAiB;QAAS,WAAM,GAAN,MAAM,CAAQ;QAEjE,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AAED,0EAA0E;AAE1E;;;;;;;;;GASG;AACH,MAAM,UAAU,YAAY,CAAC,OAAe,EAAE,IAAiB;IAC7D,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAClC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,OAAO,iBAAiB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,iBAAiB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,IAAI,uBAAuB,CAAC,QAAQ,EAAE,mDAAmD,CAAC,CAAC;AACnG,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY;IAC1B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAClC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC;QAC1C,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iDAAiD,EAAE,CAAC;IACzG,CAAC;IACD,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QACnC,IAAI,KAAK;YAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QAC/B,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,wHAAwH;SACjI,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,QAAQ,EAAE,EAAE,CAAC;AACpE,CAAC;AAED,2EAA2E;AAE3E,SAAS,iBAAiB,CAAC,OAAe,EAAE,IAAiB;IAC3D,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,uBAAuB,CAAC,QAAQ,EAAE,6BAA6B,CAAC,CAAC;IAC7E,CAAC;IAED,MAAM,OAAO,GAAG,iBAAiB,CAAC;QAChC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC,GAAG,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7E,YAAY,EAAE,IAAI,CAAC,YAAY;KAChC,CAAC,CAAC;IAEH,8DAA8D;IAC9D,iEAAiE;IACjE,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,gBAAgB,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC3F,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAE3E,IAAI,CAAC;QACH,OAAO,SAAS,CAAC,cAAc,EAAE,CAAC,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,CAAC,EAAE;YAC9E,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,MAAM;YAC/B,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI,GAAG,IAAI;YACxC,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG;SAC7B,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,IAAI,CAAC;YAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,8CAA8C,CAAC,CAAC;IAC9F,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,IAA4D;IACrF,iEAAiE;IACjE,mEAAmE;IACnE,MAAM,UAAU,GAAG,IAAI,CAAC,iBAAiB;SACtC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC;SACvC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,iBAAiB,CAAC;IAE/E,gEAAgE;IAChE,kEAAkE;IAClE,iEAAiE;IACjE,kEAAkE;IAClE,gEAAgE;IAChE,sDAAsD;IACtD,OAAO;;;;;;;;EAQP,UAAU;;;;;;;;;;;;EAYV,WAAW;CACZ,CAAC;AACF,CAAC;AAED,SAAS,OAAO,CAAC,CAAS;IACxB,kEAAkE;IAClE,OAAO,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC;AAC9D,CAAC;AAED,yEAAyE;AAEzE,SAAS,iBAAiB,CAAC,OAAe,EAAE,IAAiB;IAC3D,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,uBAAuB,CAC/B,OAAO,EACP,wHAAwH,CACzH,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,CAAC,GAAG,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAE9E,MAAM,IAAI,GAAa;QACrB,wDAAwD;QACxD,8DAA8D;QAC9D,WAAW,EAAE,MAAM,EAAE,MAAM;QAC3B,WAAW,EAAE,MAAM,EAAE,MAAM;QAC3B,WAAW,EAAE,OAAO,EAAE,OAAO;QAC7B,WAAW,EAAE,MAAM,EAAE,MAAM;QAC3B,WAAW,EAAE,WAAW,EAAE,QAAQ;QAClC,WAAW,EAAE,MAAM,EAAE,MAAM;QAC3B,uDAAuD;QACvD,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,MAAM;QACf,0DAA0D;QAC1D,SAAS,EAAE,MAAM;QACjB,SAAS,EAAE,MAAM;KAClB,CAAC;IAEF,KAAK,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC7B,CAAC;IAED,6DAA6D;IAC7D,oBAAoB;IACpB,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC3B,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAC/B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAEpC,OAAO,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE;QAC9B,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,MAAM;QAC/B,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI,GAAG,IAAI;QACxC,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG;KAC7B,CAAC,CAAC;AACL,CAAC;AAED,+DAA+D;AAE/D,SAAS,WAAW,CAAC,IAAY;IAC/B,MAAM,KAAK,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;IAChE,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAe;IACvC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,wDAAwD;QACxD,0DAA0D;QAC1D,+DAA+D;QAC/D,sDAAsD;QACtD,+DAA+D;QAC/D,8DAA8D;QAC9D,mDAAmD;QACnD,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACxB,CAAC;QACD,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACd,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}