hackmyagent 0.11.13 → 0.11.15

package/dist/nanomind-core/security/integrity-verifier.d.ts

@@ -0,0 +1,132 @@
+/**
+ * NanoMind Integrity Verifier
+ *
+ * Startup integrity verification that runs BEFORE any scanning or model loading.
+ * Detects tampering of the CLI binary, NanoMind model files, and rule manifests.
+ *
+ * Three outcomes:
+ *   CLEAN      -- All checks pass, proceed normally
+ *   DEGRADE    -- Model integrity failed, fall back to heuristic scanning (warn user)
+ *   QUARANTINE -- Package/dist integrity failed, refuse to output, exit code 3
+ *
+ * Design constraints:
+ *   - Must complete in < 5ms for unmodified installations
+ *   - Uses SHA-256 for all hashes, HMAC-SHA256 as Ed25519 fallback
+ *   - Tamper-evident event chain (append-only JSONL with hash linking)
+ *   - Model hash verified BEFORE loading into memory
+ */
+export type IntegrityStatus = 'CLEAN' | 'QUARANTINE' | 'DEGRADE';
+export interface IntegrityCheck {
+    name: string;
+    passed: boolean;
+    reason?: string;
+}
+export interface IntegrityResult {
+    status: IntegrityStatus;
+    checks: IntegrityCheck[];
+    durationMs: number;
+}
+export interface IntegrityManifest {
+    version: string;
+    files: Record<string, string>;
+    modelHash?: string;
+    ruleCategories?: number;
+    signature?: string;
+}
+export interface TamperEvent {
+    seq: number;
+    timestamp: string;
+    eventType: 'startup' | 'check_pass' | 'check_fail' | 'tamper_detected' | 'degraded' | 'quarantine';
+    detail: string;
+    prevHash: string;
+}
+export declare function sha256(data: string | Buffer): string;
+export declare function sha256File(filePath: string): string;
+/**
+ * HMAC-SHA256 signature (fallback when Ed25519 keys are unavailable).
+ * In production with Ed25519 keys, this would be replaced by Ed25519 sign/verify.
+ */
+export declare function hmacSign(data: string, key: string): string;
+export declare function hmacVerify(data: string, key: string, expectedSig: string): boolean;
+/**
+ * Load the integrity manifest from the package root.
+ * Returns null if no manifest exists (first run or dev mode).
+ */
+export declare function loadManifest(packageRoot: string): IntegrityManifest | null;
+/**
+ * Generate a manifest from the current state of dist/ files.
+ * Used during build/publish to create the signed manifest.
+ */
+export declare function generateManifest(packageRoot: string, signingKey?: string): IntegrityManifest;
+export declare class EventChain {
+    private chainPath;
+    constructor(chainPath?: string);
+    /**
+     * Append an event to the chain. Each event references the hash of the
+     * previous event, forming a tamper-evident linked chain.
+     */
+    append(eventType: TamperEvent['eventType'], detail: string): TamperEvent;
+    /**
+     * Read all events from the chain file.
+     */
+    readAll(): TamperEvent[];
+    /**
+     * Get the last event in the chain.
+     */
+    getLastEvent(): TamperEvent | null;
+    /**
+     * Verify the entire chain is intact. Returns the index of the first
+     * broken link, or -1 if the chain is valid.
+     *
+     * Detects:
+     *   - Modified events (prevHash mismatch)
+     *   - Truncated chains (missing events break the link)
+     *   - Inserted events (sequence number gaps or hash mismatches)
+     */
+    verify(): {
+        valid: boolean;
+        brokenAt: number;
+        reason?: string;
+    };
+}
+/**
+ * Verify package dist/ files against the manifest.
+ * If any file hash differs, the package has been tampered with.
+ */
+export declare function checkPackageIntegrity(packageRoot: string, manifest: IntegrityManifest): IntegrityCheck;
+/**
+ * Verify NanoMind GGUF model file hash BEFORE loading.
+ * If the model does not exist, the check passes (model is optional).
+ * If the model exists but hash differs, return failure (DEGRADE mode).
+ */
+export declare function checkModelIntegrity(manifest: IntegrityManifest): IntegrityCheck;
+/**
+ * Verify rule manifest integrity.
+ * If the manifest specifies a rule category count, verify it matches.
+ */
+export declare function checkRuleManifest(manifest: IntegrityManifest): IntegrityCheck;
+/**
+ * Verify manifest signature using HMAC-SHA256 (Ed25519 fallback).
+ * If no signing key is available, this check is skipped.
+ */
+export declare function checkManifestSignature(manifest: IntegrityManifest, signingKey?: string): IntegrityCheck;
+export interface VerifyOptions {
+    /** Package root directory (defaults to resolved from this module) */
+    packageRoot?: string;
+    /** HMAC signing key for manifest signature verification */
+    signingKey?: string;
+    /** Path to event chain file (defaults to ~/.nanomind/integrity-events.jsonl) */
+    eventChainPath?: string;
+    /** Custom manifest (for testing) */
+    manifest?: IntegrityManifest;
+}
+/**
+ * Run all startup integrity checks. Must complete in < 5ms for clean installations.
+ *
+ * Returns:
+ *   CLEAN      -- All checks passed
+ *   DEGRADE    -- Model integrity failed (heuristic fallback)
+ *   QUARANTINE -- Package integrity failed (refuse to output, exit code 3)
+ */
+export declare function verifyAll(options?: VerifyOptions): IntegrityResult;
+//# sourceMappingURL=integrity-verifier.d.ts.map

package/dist/nanomind-core/security/integrity-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"integrity-verifier.d.ts","sourceRoot":"","sources":["../../../src/nanomind-core/security/integrity-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAWH,MAAM,MAAM,eAAe,GAAG,OAAO,GAAG,YAAY,GAAG,SAAS,CAAC;AAEjE,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,eAAe,CAAC;IACxB,MAAM,EAAE,cAAc,EAAE,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,SAAS,GAAG,YAAY,GAAG,YAAY,GAAG,iBAAiB,GAAG,UAAU,GAAG,YAAY,CAAC;IACnG,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAgBD,wBAAgB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAEpD;AAED,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAE1D;AAED,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAQlF;AAMD;;;GAGG;AACH,wBAAgB,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAS1E;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,WAAW,EAAE,MAAM,EACnB,UAAU,CAAC,EAAE,MAAM,GAClB,iBAAiB,CA8BnB;AA6BD,qBAAa,UAAU;IACrB,OAAO,CAAC,SAAS,CAAS;gBAEd,SAAS,GAAE,MAAyB;IAIhD;;;OAGG;IACH,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,MAAM,GAAG,WAAW;IAsBxE;;OAEG;IACH,OAAO,IAAI,WAAW,EAAE;IAOxB;;OAEG;IACH,YAAY,IAAI,WAAW,GAAG,IAAI;IAKlC;;;;;;;;OAQG;IACH,MAAM,IAAI;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;CAmChE;AAMD;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,iBAAiB,GAC1B,cAAc,CA6ChB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,cAAc,CAyB/E;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,cAAc,CA6B7E;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,iBAAiB,EAC3B,UAAU,CAAC,EAAE,MAAM,GAClB,cAAc,CAqBhB;AAMD,MAAM,WAAW,aAAa;IAC5B,qEAAqE;IACrE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,2DAA2D;IAC3D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,oCAAoC;IACpC,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAED;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,OAAO,GAAE,aAAkB,GAAG,eAAe,CAiEtE"}

package/dist/nanomind-core/security/integrity-verifier.js

@@ -0,0 +1,437 @@
+"use strict";
+/**
+ * NanoMind Integrity Verifier
+ *
+ * Startup integrity verification that runs BEFORE any scanning or model loading.
+ * Detects tampering of the CLI binary, NanoMind model files, and rule manifests.
+ *
+ * Three outcomes:
+ *   CLEAN      -- All checks pass, proceed normally
+ *   DEGRADE    -- Model integrity failed, fall back to heuristic scanning (warn user)
+ *   QUARANTINE -- Package/dist integrity failed, refuse to output, exit code 3
+ *
+ * Design constraints:
+ *   - Must complete in < 5ms for unmodified installations
+ *   - Uses SHA-256 for all hashes, HMAC-SHA256 as Ed25519 fallback
+ *   - Tamper-evident event chain (append-only JSONL with hash linking)
+ *   - Model hash verified BEFORE loading into memory
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EventChain = void 0;
+exports.sha256 = sha256;
+exports.sha256File = sha256File;
+exports.hmacSign = hmacSign;
+exports.hmacVerify = hmacVerify;
+exports.loadManifest = loadManifest;
+exports.generateManifest = generateManifest;
+exports.checkPackageIntegrity = checkPackageIntegrity;
+exports.checkModelIntegrity = checkModelIntegrity;
+exports.checkRuleManifest = checkRuleManifest;
+exports.checkManifestSignature = checkManifestSignature;
+exports.verifyAll = verifyAll;
+const node_crypto_1 = require("node:crypto");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
+// ============================================================================
+// Constants
+// ============================================================================
+const NANOMIND_DIR = (0, node_path_1.join)((0, node_os_1.homedir)(), '.nanomind');
+const MODELS_DIR = (0, node_path_1.join)(NANOMIND_DIR, 'models');
+const EVENT_CHAIN_PATH = (0, node_path_1.join)(NANOMIND_DIR, 'integrity-events.jsonl');
+const MANIFEST_FILENAME = '.integrity-manifest.json';
+const GENESIS_PREV_HASH = '0'.repeat(64);
+// ============================================================================
+// SHA-256 Utilities
+// ============================================================================
+function sha256(data) {
+    return (0, node_crypto_1.createHash)('sha256').update(data).digest('hex');
+}
+function sha256File(filePath) {
+    const content = (0, node_fs_1.readFileSync)(filePath);
+    return sha256(content);
+}
+/**
+ * HMAC-SHA256 signature (fallback when Ed25519 keys are unavailable).
+ * In production with Ed25519 keys, this would be replaced by Ed25519 sign/verify.
+ */
+function hmacSign(data, key) {
+    return (0, node_crypto_1.createHmac)('sha256', key).update(data).digest('hex');
+}
+function hmacVerify(data, key, expectedSig) {
+    const computed = hmacSign(data, key);
+    if (computed.length !== expectedSig.length)
+        return false;
+    try {
+        return (0, node_crypto_1.timingSafeEqual)(Buffer.from(computed, 'hex'), Buffer.from(expectedSig, 'hex'));
+    }
+    catch {
+        return false;
+    }
+}
+// ============================================================================
+// Manifest Operations
+// ============================================================================
+/**
+ * Load the integrity manifest from the package root.
+ * Returns null if no manifest exists (first run or dev mode).
+ */
+function loadManifest(packageRoot) {
+    const manifestPath = (0, node_path_1.join)(packageRoot, MANIFEST_FILENAME);
+    if (!(0, node_fs_1.existsSync)(manifestPath))
+        return null;
+    try {
+        const raw = (0, node_fs_1.readFileSync)(manifestPath, 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Generate a manifest from the current state of dist/ files.
+ * Used during build/publish to create the signed manifest.
+ */
+function generateManifest(packageRoot, signingKey) {
+    const pkgJsonPath = (0, node_path_1.join)(packageRoot, 'package.json');
+    const pkgJson = JSON.parse((0, node_fs_1.readFileSync)(pkgJsonPath, 'utf-8'));
+    const distDir = (0, node_path_1.join)(packageRoot, 'dist');
+    const files = {};
+    if ((0, node_fs_1.existsSync)(distDir)) {
+        collectFileHashes(distDir, distDir, files);
+    }
+    const manifest = {
+        version: pkgJson.version,
+        files,
+    };
+    // Add model hash if model exists
+    if ((0, node_fs_1.existsSync)(MODELS_DIR)) {
+        const modelFiles = (0, node_fs_1.readdirSync)(MODELS_DIR).filter(f => f.endsWith('.gguf'));
+        if (modelFiles.length > 0) {
+            manifest.modelHash = sha256File((0, node_path_1.join)(MODELS_DIR, modelFiles[0]));
+        }
+    }
+    // Sign if key provided
+    if (signingKey) {
+        const payload = canonicalManifestPayload(manifest);
+        manifest.signature = hmacSign(payload, signingKey);
+    }
+    return manifest;
+}
+function collectFileHashes(baseDir, currentDir, out) {
+    const entries = (0, node_fs_1.readdirSync)(currentDir, { withFileTypes: true });
+    for (const entry of entries) {
+        const fullPath = (0, node_path_1.join)(currentDir, entry.name);
+        if (entry.isDirectory()) {
+            collectFileHashes(baseDir, fullPath, out);
+        }
+        else if (entry.isFile()) {
+            const relative = fullPath.slice(baseDir.length + 1);
+            out[relative] = sha256File(fullPath);
+        }
+    }
+}
+function canonicalManifestPayload(manifest) {
+    // Exclude the signature field itself from the payload
+    const { signature: _, ...rest } = manifest;
+    return JSON.stringify(rest, Object.keys(rest).sort());
+}
+// ============================================================================
+// Tamper-Evident Event Chain
+// ============================================================================
+class EventChain {
+    constructor(chainPath = EVENT_CHAIN_PATH) {
+        this.chainPath = chainPath;
+    }
+    /**
+     * Append an event to the chain. Each event references the hash of the
+     * previous event, forming a tamper-evident linked chain.
+     */
+    append(eventType, detail) {
+        const lastEvent = this.getLastEvent();
+        const prevHash = lastEvent
+            ? sha256(JSON.stringify(lastEvent))
+            : GENESIS_PREV_HASH;
+        const event = {
+            seq: lastEvent ? lastEvent.seq + 1 : 0,
+            timestamp: new Date().toISOString(),
+            eventType,
+            detail,
+            prevHash,
+        };
+        const dir = (0, node_path_1.dirname)(this.chainPath);
+        if (!(0, node_fs_1.existsSync)(dir)) {
+            (0, node_fs_1.mkdirSync)(dir, { recursive: true });
+        }
+        (0, node_fs_1.appendFileSync)(this.chainPath, JSON.stringify(event) + '\n', 'utf-8');
+        return event;
+    }
+    /**
+     * Read all events from the chain file.
+     */
+    readAll() {
+        if (!(0, node_fs_1.existsSync)(this.chainPath))
+            return [];
+        const raw = (0, node_fs_1.readFileSync)(this.chainPath, 'utf-8').trim();
+        if (!raw)
+            return [];
+        return raw.split('\n').map(line => JSON.parse(line));
+    }
+    /**
+     * Get the last event in the chain.
+     */
+    getLastEvent() {
+        const events = this.readAll();
+        return events.length > 0 ? events[events.length - 1] : null;
+    }
+    /**
+     * Verify the entire chain is intact. Returns the index of the first
+     * broken link, or -1 if the chain is valid.
+     *
+     * Detects:
+     *   - Modified events (prevHash mismatch)
+     *   - Truncated chains (missing events break the link)
+     *   - Inserted events (sequence number gaps or hash mismatches)
+     */
+    verify() {
+        const events = this.readAll();
+        if (events.length === 0) {
+            return { valid: true, brokenAt: -1 };
+        }
+        // Genesis event must reference the zero hash
+        if (events[0].prevHash !== GENESIS_PREV_HASH) {
+            return { valid: false, brokenAt: 0, reason: 'Genesis event has wrong prevHash' };
+        }
+        if (events[0].seq !== 0) {
+            return { valid: false, brokenAt: 0, reason: 'Genesis event has wrong sequence number' };
+        }
+        for (let i = 1; i < events.length; i++) {
+            const expectedPrevHash = sha256(JSON.stringify(events[i - 1]));
+            if (events[i].prevHash !== expectedPrevHash) {
+                return {
+                    valid: false,
+                    brokenAt: i,
+                    reason: `Event ${i}: prevHash mismatch (expected ${expectedPrevHash.slice(0, 16)}..., got ${events[i].prevHash.slice(0, 16)}...)`,
+                };
+            }
+            if (events[i].seq !== i) {
+                return {
+                    valid: false,
+                    brokenAt: i,
+                    reason: `Event ${i}: sequence number mismatch (expected ${i}, got ${events[i].seq})`,
+                };
+            }
+        }
+        return { valid: true, brokenAt: -1 };
+    }
+}
+exports.EventChain = EventChain;
+// ============================================================================
+// Individual Integrity Checks
+// ============================================================================
+/**
+ * Verify package dist/ files against the manifest.
+ * If any file hash differs, the package has been tampered with.
+ */
+function checkPackageIntegrity(packageRoot, manifest) {
+    const distDir = (0, node_path_1.join)(packageRoot, 'dist');
+    if (!(0, node_fs_1.existsSync)(distDir)) {
+        return { name: 'package_integrity', passed: false, reason: 'dist/ directory missing' };
+    }
+    // Verify version matches
+    const pkgJsonPath = (0, node_path_1.join)(packageRoot, 'package.json');
+    if ((0, node_fs_1.existsSync)(pkgJsonPath)) {
+        try {
+            const pkgJson = JSON.parse((0, node_fs_1.readFileSync)(pkgJsonPath, 'utf-8'));
+            if (pkgJson.version !== manifest.version) {
+                return {
+                    name: 'package_integrity',
+                    passed: false,
+                    reason: `Version mismatch: package.json=${pkgJson.version}, manifest=${manifest.version}`,
+                };
+            }
+        }
+        catch {
+            return { name: 'package_integrity', passed: false, reason: 'Failed to read package.json' };
+        }
+    }
+    // Verify file hashes
+    for (const [relativePath, expectedHash] of Object.entries(manifest.files)) {
+        const fullPath = (0, node_path_1.join)(distDir, relativePath);
+        if (!(0, node_fs_1.existsSync)(fullPath)) {
+            return {
+                name: 'package_integrity',
+                passed: false,
+                reason: `Missing file: dist/${relativePath}`,
+            };
+        }
+        const actualHash = sha256File(fullPath);
+        if (actualHash !== expectedHash) {
+            return {
+                name: 'package_integrity',
+                passed: false,
+                reason: `Tampered file: dist/${relativePath}`,
+            };
+        }
+    }
+    return { name: 'package_integrity', passed: true };
+}
+/**
+ * Verify NanoMind GGUF model file hash BEFORE loading.
+ * If the model does not exist, the check passes (model is optional).
+ * If the model exists but hash differs, return failure (DEGRADE mode).
+ */
+function checkModelIntegrity(manifest) {
+    if (!manifest.modelHash) {
+        return { name: 'model_integrity', passed: true, reason: 'No model hash in manifest (model optional)' };
+    }
+    if (!(0, node_fs_1.existsSync)(MODELS_DIR)) {
+        return { name: 'model_integrity', passed: true, reason: 'No models directory (model optional)' };
+    }
+    const modelFiles = (0, node_fs_1.readdirSync)(MODELS_DIR).filter(f => f.endsWith('.gguf'));
+    if (modelFiles.length === 0) {
+        return { name: 'model_integrity', passed: true, reason: 'No model files found (model optional)' };
+    }
+    const modelPath = (0, node_path_1.join)(MODELS_DIR, modelFiles[0]);
+    const actualHash = sha256File(modelPath);
+    if (actualHash !== manifest.modelHash) {
+        return {
+            name: 'model_integrity',
+            passed: false,
+            reason: `Model hash mismatch: expected ${manifest.modelHash.slice(0, 16)}..., got ${actualHash.slice(0, 16)}...`,
+        };
+    }
+    return { name: 'model_integrity', passed: true };
+}
+/**
+ * Verify rule manifest integrity.
+ * If the manifest specifies a rule category count, verify it matches.
+ */
+function checkRuleManifest(manifest) {
+    if (manifest.ruleCategories === undefined) {
+        return { name: 'rule_manifest', passed: true, reason: 'No rule category count in manifest' };
+    }
+    // Count actual rule categories from the scanner rules directory
+    // This is a fast check: just count directories in the rules path
+    const rulesDir = (0, node_path_1.join)((0, node_path_1.dirname)((0, node_path_1.dirname)(__dirname)), 'rules');
+    if (!(0, node_fs_1.existsSync)(rulesDir)) {
+        // In dist/ the rules may not exist as a directory, accept the count from manifest
+        return { name: 'rule_manifest', passed: true, reason: 'Rules directory not found (packaged mode)' };
+    }
+    try {
+        const categories = (0, node_fs_1.readdirSync)(rulesDir, { withFileTypes: true })
+            .filter(d => d.isDirectory())
+            .length;
+        if (categories !== manifest.ruleCategories) {
+            return {
+                name: 'rule_manifest',
+                passed: false,
+                reason: `Rule category count mismatch: expected ${manifest.ruleCategories}, got ${categories}`,
+            };
+        }
+    }
+    catch {
+        return { name: 'rule_manifest', passed: true, reason: 'Could not enumerate rules (non-critical)' };
+    }
+    return { name: 'rule_manifest', passed: true };
+}
+/**
+ * Verify manifest signature using HMAC-SHA256 (Ed25519 fallback).
+ * If no signing key is available, this check is skipped.
+ */
+function checkManifestSignature(manifest, signingKey) {
+    if (!manifest.signature) {
+        return { name: 'manifest_signature', passed: true, reason: 'No signature in manifest (unsigned)' };
+    }
+    if (!signingKey) {
+        return { name: 'manifest_signature', passed: true, reason: 'No signing key available (skipped)' };
+    }
+    const payload = canonicalManifestPayload(manifest);
+    const valid = hmacVerify(payload, signingKey, manifest.signature);
+    if (!valid) {
+        return {
+            name: 'manifest_signature',
+            passed: false,
+            reason: 'Manifest signature verification failed',
+        };
+    }
+    return { name: 'manifest_signature', passed: true };
+}
+/**
+ * Run all startup integrity checks. Must complete in < 5ms for clean installations.
+ *
+ * Returns:
+ *   CLEAN      -- All checks passed
+ *   DEGRADE    -- Model integrity failed (heuristic fallback)
+ *   QUARANTINE -- Package integrity failed (refuse to output, exit code 3)
+ */
+function verifyAll(options = {}) {
+    const start = performance.now();
+    const packageRoot = options.packageRoot ?? resolvePackageRoot();
+    const eventChain = new EventChain(options.eventChainPath);
+    const checks = [];
+    // Load manifest
+    const manifest = options.manifest ?? loadManifest(packageRoot);
+    if (!manifest) {
+        // No manifest = development mode or first install. Pass all checks.
+        const duration = performance.now() - start;
+        checks.push({ name: 'manifest_load', passed: true, reason: 'No manifest found (dev mode)' });
+        eventChain.append('startup', `Integrity check: no manifest, dev mode (${duration.toFixed(2)}ms)`);
+        return { status: 'CLEAN', checks, durationMs: duration };
+    }
+    // Run checks in order of severity (most severe first for early determination)
+    // 1. Package/dist integrity (QUARANTINE if failed)
+    const pkgCheck = checkPackageIntegrity(packageRoot, manifest);
+    checks.push(pkgCheck);
+    // 2. Manifest signature
+    const sigCheck = checkManifestSignature(manifest, options.signingKey);
+    checks.push(sigCheck);
+    // 3. Model integrity (DEGRADE if failed)
+    const modelCheck = checkModelIntegrity(manifest);
+    checks.push(modelCheck);
+    // 4. Rule manifest
+    const ruleCheck = checkRuleManifest(manifest);
+    checks.push(ruleCheck);
+    // Determine status
+    let status = 'CLEAN';
+    // QUARANTINE: package tampered or signature invalid
+    if (!pkgCheck.passed || !sigCheck.passed) {
+        status = 'QUARANTINE';
+    }
+    // DEGRADE: model tampered (but package is fine)
+    else if (!modelCheck.passed) {
+        status = 'DEGRADE';
+    }
+    // Rule manifest failure is a soft degrade
+    else if (!ruleCheck.passed) {
+        status = 'DEGRADE';
+    }
+    const duration = performance.now() - start;
+    // Log to event chain
+    const eventType = status === 'CLEAN' ? 'check_pass'
+        : status === 'DEGRADE' ? 'degraded'
+            : 'quarantine';
+    const failedChecks = checks.filter(c => !c.passed).map(c => c.name).join(', ');
+    const detail = status === 'CLEAN'
+        ? `All ${checks.length} checks passed (${duration.toFixed(2)}ms)`
+        : `Status=${status}, failed=[${failedChecks}] (${duration.toFixed(2)}ms)`;
+    eventChain.append(eventType, detail);
+    return { status, checks, durationMs: duration };
+}
+/**
+ * Resolve the package root by walking up from this file to find package.json.
+ */
+function resolvePackageRoot() {
+    let dir = __dirname;
+    for (let i = 0; i < 10; i++) {
+        if ((0, node_fs_1.existsSync)((0, node_path_1.join)(dir, 'package.json'))) {
+            return dir;
+        }
+        const parent = (0, node_path_1.dirname)(dir);
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    return process.cwd();
+}
+//# sourceMappingURL=integrity-verifier.js.map

package/dist/nanomind-core/security/integrity-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"integrity-verifier.js","sourceRoot":"","sources":["../../../src/nanomind-core/security/integrity-verifier.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;GAgBG;;;AAuDH,wBAEC;AAED,gCAGC;AAMD,4BAEC;AAED,gCAQC;AAUD,oCASC;AAMD,4CAiCC;AAsID,sDAgDC;AAOD,kDAyBC;AAMD,8CA6BC;AAMD,wDAwBC;AAyBD,8BAiEC;AAzfD,6CAAsE;AACtE,qCAA2F;AAC3F,yCAA0C;AAC1C,qCAAkC;AAoClC,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,YAAY,GAAG,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,WAAW,CAAC,CAAC;AAClD,MAAM,UAAU,GAAG,IAAA,gBAAI,EAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;AAChD,MAAM,gBAAgB,GAAG,IAAA,gBAAI,EAAC,YAAY,EAAE,wBAAwB,CAAC,CAAC;AACtE,MAAM,iBAAiB,GAAG,0BAA0B,CAAC;AACrD,MAAM,iBAAiB,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAEzC,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E,SAAgB,MAAM,CAAC,IAAqB;IAC1C,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzD,CAAC;AAED,SAAgB,UAAU,CAAC,QAAgB;IACzC,MAAM,OAAO,GAAG,IAAA,sBAAY,EAAC,QAAQ,CAAC,CAAC;IACvC,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;AACzB,CAAC;AAED;;;GAGG;AACH,SAAgB,QAAQ,CAAC,IAAY,EAAE,GAAW;IAChD,OAAO,IAAA,wBAAU,EAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC9D,CAAC;AAED,SAAgB,UAAU,CAAC,IAAY,EAAE,GAAW,EAAE,WAAmB;IACvE,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACrC,IAAI,QAAQ,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACzD,IAAI,CAAC;QACH,OAAO,IAAA,6BAAe,EAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;IACxF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;;GAGG;AACH,SAAgB,YAAY,CAAC,WAAmB;IAC9C,MAAM,YAAY,GAAG,IAAA,gBAAI,EAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC;IAC1D,IAAI,CAAC,IAAA,oBAAU,EAAC,YAAY,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAsB,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,gBAAgB,CAC9B,WAAmB,EACnB,UAAmB;IAEnB,MAAM,WAAW,GAAG,IAAA,gBAAI,EAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IACtD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,sBAAY,EAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;IAC/D,MAAM,OAAO,GAAG,IAAA,gBAAI,EAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAC1C,MAAM,KAAK,GAA2B,EAAE,CAAC;IAEzC,IAAI,IAAA,oBAAU,EAAC,OAAO,CAAC,EAAE,CAAC;QACxB,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,QAAQ,GAAsB;QAClC,OAAO,EAAE,OAAO,CAAC,OAAiB;QAClC,KAAK;KACN,CAAC;IAEF,iCAAiC;IACjC,IAAI,IAAA,oBAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,IAAA,qBAAW,EAAC,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAC5E,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,QAAQ,CAAC,SAAS,GAAG,UAAU,CAAC,IAAA,gBAAI,EAAC,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,wBAAwB,CAAC,QAAQ,CAAC,CAAC;QACnD,QAAQ,CAAC,SAAS,GAAG,QAAQ,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IACrD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,iBAAiB,CACxB,OAAe,EACf,UAAkB,EAClB,GAA2B;IAE3B,MAAM,OAAO,GAAG,IAAA,qBAAW,EAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACjE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAC9C,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,iBAAiB,CAAC,OAAO,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1B,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YACpD,GAAG,CAAC,QAAQ,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,wBAAwB,CAAC,QAA2B;IAC3D,sDAAsD;IACtD,MAAM,EAAE,SAAS,EAAE,CAAC,EAAE,GAAG,IAAI,EAAE,GAAG,QAAQ,CAAC;IAC3C,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,+EAA+E;AAC/E,6BAA6B;AAC7B,+EAA+E;AAE/E,MAAa,UAAU;IAGrB,YAAY,YAAoB,gBAAgB;QAC9C,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,SAAmC,EAAE,MAAc;QACxD,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACtC,MAAM,QAAQ,GAAG,SAAS;YACxB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YACnC,CAAC,CAAC,iBAAiB,CAAC;QAEtB,MAAM,KAAK,GAAgB;YACzB,GAAG,EAAE,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACtC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS;YACT,MAAM;YACN,QAAQ;SACT,CAAC;QAEF,MAAM,GAAG,GAAG,IAAA,mBAAO,EAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACpC,IAAI,CAAC,IAAA,oBAAU,EAAC,GAAG,CAAC,EAAE,CAAC;YACrB,IAAA,mBAAS,EAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,IAAA,wBAAc,EAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;QACtE,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,OAAO;QACL,IAAI,CAAC,IAAA,oBAAU,EAAC,IAAI,CAAC,SAAS,CAAC;YAAE,OAAO,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,GAAG;YAAE,OAAO,EAAE,CAAC;QACpB,OAAO,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAgB,CAAC,CAAC;IACtE,CAAC;IAED;;OAEG;IACH,YAAY;QACV,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;QAC9B,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,CAAC;IAED;;;;;;;;OAQG;IACH,MAAM;QACJ,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;QAC9B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,EAAE,CAAC;QACvC,CAAC;QAED,6CAA6C;QAC7C,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,iBAAiB,EAAE,CAAC;YAC7C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;QACnF,CAAC;QAED,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,yCAAyC,EAAE,CAAC;QAC1F,CAAC;QAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/D,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,gBAAgB,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,QAAQ,EAAE,CAAC;oBACX,MAAM,EAAE,SAAS,CAAC,iCAAiC,gBAAgB,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM;iBAClI,CAAC;YACJ,CAAC;YACD,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,EAAE,CAAC;gBACxB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,QAAQ,EAAE,CAAC;oBACX,MAAM,EAAE,SAAS,CAAC,wCAAwC,CAAC,SAAS,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG;iBACrF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,EAAE,CAAC;IACvC,CAAC;CACF;AA/FD,gCA+FC;AAED,+EAA+E;AAC/E,8BAA8B;AAC9B,+EAA+E;AAE/E;;;GAGG;AACH,SAAgB,qBAAqB,CACnC,WAAmB,EACnB,QAA2B;IAE3B,MAAM,OAAO,GAAG,IAAA,gBAAI,EAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAE1C,IAAI,CAAC,IAAA,oBAAU,EAAC,OAAO,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;IACzF,CAAC;IAED,yBAAyB;IACzB,MAAM,WAAW,GAAG,IAAA,gBAAI,EAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IACtD,IAAI,IAAA,oBAAU,EAAC,WAAW,CAAC,EAAE,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,sBAAY,EAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;YAC/D,IAAI,OAAO,CAAC,OAAO,KAAK,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACzC,OAAO;oBACL,IAAI,EAAE,mBAAmB;oBACzB,MAAM,EAAE,KAAK;oBACb,MAAM,EAAE,kCAAkC,OAAO,CAAC,OAAO,cAAc,QAAQ,CAAC,OAAO,EAAE;iBAC1F,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;QAC7F,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,KAAK,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1E,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAC7C,IAAI,CAAC,IAAA,oBAAU,EAAC,QAAQ,CAAC,EAAE,CAAC;YAC1B,OAAO;gBACL,IAAI,EAAE,mBAAmB;gBACzB,MAAM,EAAE,KAAK;gBACb,MAAM,EAAE,sBAAsB,YAAY,EAAE;aAC7C,CAAC;QACJ,CAAC;QACD,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,UAAU,KAAK,YAAY,EAAE,CAAC;YAChC,OAAO;gBACL,IAAI,EAAE,mBAAmB;gBACzB,MAAM,EAAE,KAAK;gBACb,MAAM,EAAE,uBAAuB,YAAY,EAAE;aAC9C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AACrD,CAAC;AAED;;;;GAIG;AACH,SAAgB,mBAAmB,CAAC,QAA2B;IAC7D,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;QACxB,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,4CAA4C,EAAE,CAAC;IACzG,CAAC;IAED,IAAI,CAAC,IAAA,oBAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,sCAAsC,EAAE,CAAC;IACnG,CAAC;IAED,MAAM,UAAU,GAAG,IAAA,qBAAW,EAAC,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5E,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,uCAAuC,EAAE,CAAC;IACpG,CAAC;IAED,MAAM,SAAS,GAAG,IAAA,gBAAI,EAAC,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IAClD,MAAM,UAAU,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;IACzC,IAAI,UAAU,KAAK,QAAQ,CAAC,SAAS,EAAE,CAAC;QACtC,OAAO;YACL,IAAI,EAAE,iBAAiB;YACvB,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,iCAAiC,QAAQ,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK;SACjH,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AACnD,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,QAA2B;IAC3D,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC;IAC/F,CAAC;IAED,gEAAgE;IAChE,iEAAiE;IACjE,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,IAAA,mBAAO,EAAC,IAAA,mBAAO,EAAC,SAAS,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAC5D,IAAI,CAAC,IAAA,oBAAU,EAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,kFAAkF;QAClF,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,2CAA2C,EAAE,CAAC;IACtG,CAAC;IAED,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAA,qBAAW,EAAC,QAAQ,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;aAC9D,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;aAC5B,MAAM,CAAC;QACV,IAAI,UAAU,KAAK,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3C,OAAO;gBACL,IAAI,EAAE,eAAe;gBACrB,MAAM,EAAE,KAAK;gBACb,MAAM,EAAE,0CAA0C,QAAQ,CAAC,cAAc,SAAS,UAAU,EAAE;aAC/F,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,0CAA0C,EAAE,CAAC;IACrG,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AACjD,CAAC;AAED;;;GAGG;AACH,SAAgB,sBAAsB,CACpC,QAA2B,EAC3B,UAAmB;IAEnB,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;QACxB,OAAO,EAAE,IAAI,EAAE,oBAAoB,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,qCAAqC,EAAE,CAAC;IACrG,CAAC;IAED,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,IAAI,EAAE,oBAAoB,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC;IACpG,CAAC;IAED,MAAM,OAAO,GAAG,wBAAwB,CAAC,QAAQ,CAAC,CAAC;IACnD,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;IAElE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,IAAI,EAAE,oBAAoB;YAC1B,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,wCAAwC;SACjD,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,oBAAoB,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AACtD,CAAC;AAiBD;;;;;;;GAOG;AACH,SAAgB,SAAS,CAAC,UAAyB,EAAE;IACnD,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAEhC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,kBAAkB,EAAE,CAAC;IAChE,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAqB,EAAE,CAAC;IAEpC,gBAAgB;IAChB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,YAAY,CAAC,WAAW,CAAC,CAAC;IAE/D,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,oEAAoE;QACpE,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC,CAAC;QAC7F,UAAU,CAAC,MAAM,CAAC,SAAS,EAAE,2CAA2C,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAClG,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;IAC3D,CAAC;IAED,8EAA8E;IAE9E,mDAAmD;IACnD,MAAM,QAAQ,GAAG,qBAAqB,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC9D,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAEtB,wBAAwB;IACxB,MAAM,QAAQ,GAAG,sBAAsB,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAEtB,yCAAyC;IACzC,MAAM,UAAU,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACjD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAExB,mBAAmB;IACnB,MAAM,SAAS,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAEvB,mBAAmB;IACnB,IAAI,MAAM,GAAoB,OAAO,CAAC;IAEtC,oDAAoD;IACpD,IAAI,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,GAAG,YAAY,CAAC;IACxB,CAAC;IACD,gDAAgD;SAC3C,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;QAC5B,MAAM,GAAG,SAAS,CAAC;IACrB,CAAC;IACD,0CAA0C;SACrC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC;QAC3B,MAAM,GAAG,SAAS,CAAC;IACrB,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;IAE3C,qBAAqB;IACrB,MAAM,SAAS,GAAG,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,YAAY;QACjD,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,UAAU;YACnC,CAAC,CAAC,YAAY,CAAC;IACjB,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/E,MAAM,MAAM,GAAG,MAAM,KAAK,OAAO;QAC/B,CAAC,CAAC,OAAO,MAAM,CAAC,MAAM,mBAAmB,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK;QACjE,CAAC,CAAC,UAAU,MAAM,aAAa,YAAY,MAAM,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;IAC5E,UAAU,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAErC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB;IACzB,IAAI,GAAG,GAAG,SAAS,CAAC;IACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,IAAI,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,GAAG,EAAE,cAAc,CAAC,CAAC,EAAE,CAAC;YAC1C,OAAO,GAAG,CAAC;QACb,CAAC;QACD,MAAM,MAAM,GAAG,IAAA,mBAAO,EAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,MAAM,KAAK,GAAG;YAAE,MAAM;QAC1B,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;IACD,OAAO,OAAO,CAAC,GAAG,EAAE,CAAC;AACvB,CAAC"}