instar 1.3.565 → 1.3.567

package/dist/monitoring/SelfUnblockChecklist.js

@@ -0,0 +1,433 @@
+/**
+ * SelfUnblockChecklist — the deterministic, code-driven exhaustion checklist that
+ * COMPLETES the constitutional standard "Self-Unblock Before Escalating"
+ * (docs/specs/self-unblock-before-escalating.md).
+ *
+ * Foundation (§0): this does NOT fork a parallel gate. BlockerLedger's
+ * `settleTrueBlocker` already MANDATES a recorded failed self-fetch/dry-run before
+ * a credential/account blocker can settle as a `true-blocker`. The MISSING half
+ * was a STANDARD, code-driven set of sources an agent must have probed first —
+ * turning "you must record a failed attempt" into "here is the ordered list of
+ * places a self-unblockable credential could live, all of which came up empty".
+ *
+ * What this module provides (the four genuine additions over BlockerLedger):
+ *   1. A deterministic relevance matcher (`isScopeRelevant`) — a credential's
+ *      declared scope tag is "relevant" to a target zone/service iff a
+ *      deterministic tag/zone match (domain hierarchy + wildcard). Ambiguous,
+ *      conflicting, or MISSING metadata fails CLOSED. NO LLM in this path.
+ *   2. An ORDERED probe runner (`SelfUnblockChecklist.run`) — cheapest/local
+ *      first, short-circuit on the first `holdsRelevantCred: true`. Each probe is
+ *      independently timeout-bounded BY CLASS (local sub-second; remote 10–15s),
+ *      failing toward `reachable: false` on timeout.
+ *   3. A durable run STORE (`SelfUnblockRunStore`) — persists each run keyed by an
+ *      immutable runId; `loadRun(runId)` is what BlockerLedger LOADS + verifies so
+ *      a caller cannot mint a run the runner did not produce (closes the round-1
+ *      "self-asserted/gameable list" finding mechanically).
+ *   4. The ladder/rung-floor helper (`resolveRung` / `rungToAuthorityCheck`) — maps
+ *      the human-requirement ladder (§3) onto BlockerLedger's existing
+ *      `AuthorityCheckEvidence`; enforces the rung FLOOR (capability ≠ authority).
+ *
+ * Signal vs Authority: this module RECORDS and STRUCTURES. The one judgment —
+ * the `true-blocker` settle — stays with BlockerLedger's injected Tier-1
+ * authority. This module never blocks an outbound message.
+ *
+ * Ships DARK behind the existing `monitoring.blockerLedger.*` gate (dev-gate via
+ * omitted `enabled`). When the run store is not injected into BlockerLedger, the
+ * existing caller-supplied `failedAttempt` path is unchanged.
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+// ─── Types ────────────────────────────────────────────────────────────────────
+/** The ordered probe sources (cheapest/local first). Closed taxonomy. */
+export const SELF_UNBLOCK_PROBE_SOURCES = [
+    'own-vault', // 1. own per-agent vault (secret-get)
+    'org-bitwarden', // 2. org Bitwarden (durable session, §5.3)
+    'cloud-vercel', // 3a. authed Vercel account
+    'cloud-cloudflare', // 3b. authed Cloudflare account
+    'cloud-github', // 3c. authed GitHub (gh)
+    'cloud-launchd', // 3d. launchd (extensible: Netlify/Heroku)
+    'mcp-tools', // 4. MCP tools
+    'browser-playwright', // 5. browser/Playwright sessions
+    'controlled-resource', // 6. "a resource I already control?"
+];
+/** Default timeout budget (ms) per class. */
+export const PROBE_TIMEOUT_MS = {
+    local: 800, // sub-second keychain/vault read
+    remote: 12_000, // remote CLI / network call (10–15s codebase norm)
+};
+/** Which class each source belongs to (drives the per-probe timeout). */
+export const PROBE_SOURCE_CLASS = {
+    'own-vault': 'local',
+    'org-bitwarden': 'remote',
+    'cloud-vercel': 'remote',
+    'cloud-cloudflare': 'remote',
+    'cloud-github': 'remote',
+    'cloud-launchd': 'local',
+    'mcp-tools': 'local',
+    'browser-playwright': 'local',
+    'controlled-resource': 'local',
+};
+/**
+ * Parse a `service:scope` tag. Returns null when the shape is malformed (a tag
+ * the matcher must treat as ambiguous → fail closed).
+ *
+ * A scope is allowed to contain ':' (rare), so only the FIRST colon splits
+ * service from scope. An empty service or empty scope is malformed.
+ */
+export function parseScopeTag(tag) {
+    if (typeof tag !== 'string')
+        return null;
+    const trimmed = tag.trim();
+    const idx = trimmed.indexOf(':');
+    if (idx <= 0 || idx === trimmed.length - 1)
+        return null; // no colon, leading colon, or trailing colon
+    const service = trimmed.slice(0, idx).trim().toLowerCase();
+    const scope = trimmed.slice(idx + 1).trim().toLowerCase();
+    if (!service || !scope)
+        return null;
+    return { service, scope };
+}
+/**
+ * Deterministic domain-hierarchy match between a credential's scope and a target
+ * scope, with wildcard support:
+ *   - exact:           `dawn-tunnel.dev`         matches `dawn-tunnel.dev`
+ *   - parent-zone:     `dawn-tunnel.dev`         matches `feedback.dawn-tunnel.dev`
+ *   - wildcard:        `*.dawn-tunnel.dev`       matches `feedback.dawn-tunnel.dev`
+ *                       (but a bare wildcard label only matches a SUB-domain, not
+ *                        the apex — `*.dawn-tunnel.dev` does NOT match the apex
+ *                        `dawn-tunnel.dev`, matching CA/DNS wildcard semantics)
+ *   - non-domain scope (e.g. `project`, `*`): exact string match only; a literal
+ *     `*` matches ANYTHING for that service (a deliberate "whole-account" tag).
+ *
+ * NOT a match: a sub-zone credential against a parent target (a credential scoped
+ * to `feedback.dawn-tunnel.dev` is NOT relevant to the parent zone
+ * `dawn-tunnel.dev` — narrower authority cannot grant the broader goal).
+ */
+function domainScopeMatches(credScope, targetScope) {
+    // Whole-account wildcard tag for a non-domain service.
+    if (credScope === '*')
+        return true;
+    const looksLikeDomain = (s) => s.includes('.') || s.startsWith('*.');
+    // If neither looks like a domain, require an exact match (e.g. `project`).
+    if (!looksLikeDomain(credScope) && !looksLikeDomain(targetScope)) {
+        return credScope === targetScope;
+    }
+    // Wildcard domain: `*.dawn-tunnel.dev` matches a STRICT sub-domain of the base.
+    if (credScope.startsWith('*.')) {
+        const base = credScope.slice(2);
+        if (!base)
+            return false;
+        // strict sub-domain: target ends with `.base` AND is longer than the base.
+        return targetScope.endsWith('.' + base) && targetScope.length > base.length + 1;
+    }
+    // Exact zone match.
+    if (credScope === targetScope)
+        return true;
+    // Parent-zone match: a credential for `dawn-tunnel.dev` is relevant to the
+    // sub-zone `feedback.dawn-tunnel.dev` (broader authority covers the narrower
+    // target). Require a label boundary so `evil-dawn-tunnel.dev` never matches.
+    return targetScope.endsWith('.' + credScope) && targetScope.length > credScope.length + 1;
+}
+/**
+ * Is a credential whose declared scope tag is `credTag` RELEVANT to the blocker
+ * `target` (also a `service:scope` tag)? Deterministic. Fails CLOSED on any
+ * malformed/missing/cross-service input.
+ *
+ * - Both tags must parse (`service:scope`).
+ * - The SERVICE must match exactly (a Vercel cred is never relevant to a
+ *   Cloudflare target).
+ * - The SCOPE must match per `domainScopeMatches`.
+ */
+export function isScopeRelevant(credTag, target) {
+    const cred = parseScopeTag(credTag);
+    const tgt = parseScopeTag(target);
+    if (!cred || !tgt)
+        return false; // missing/ambiguous metadata → fail closed
+    if (cred.service !== tgt.service)
+        return false; // cross-service never relevant
+    return domainScopeMatches(cred.scope, tgt.scope);
+}
+/**
+ * Given a set of scope tags a source advertises, is ANY of them relevant to the
+ * target? An empty/undefined set fails CLOSED → false (under-tagged credential is
+ * simply not surfaced). Returns the matching tags for the audit surface.
+ */
+export function relevantScopeTags(advertised, target) {
+    if (!Array.isArray(advertised))
+        return [];
+    const out = [];
+    for (const tag of advertised) {
+        if (isScopeRelevant(tag, target) && typeof tag === 'string')
+            out.push(tag);
+    }
+    return out;
+}
+/**
+ * Durable JSONL store for checklist runs. One run per line, keyed by an immutable
+ * runId. `loadRun` is skip-corrupt-lines tolerant + bounded (precedent:
+ * ReapLog.read). A run is APPEND-only; the store never mutates a prior run.
+ */
+export class SelfUnblockRunStore {
+    runsPath;
+    /** Bound on how many trailing lines `loadRun` will scan (newest runs win). */
+    maxScan;
+    constructor(opts) {
+        this.runsPath = path.join(opts.stateDir, 'state', 'self-unblock-runs', 'runs.jsonl');
+        this.maxScan = opts.maxScan ?? 2000;
+    }
+    /** The file the store reads/writes (exposed for tests). */
+    get path() {
+        return this.runsPath;
+    }
+    /** Append a completed run. Best-effort durable (atomic append). */
+    save(run) {
+        fs.mkdirSync(path.dirname(this.runsPath), { recursive: true });
+        fs.appendFileSync(this.runsPath, JSON.stringify(run) + '\n');
+    }
+    /**
+     * Load a run by id, scanning the trailing `maxScan` lines newest-first so a
+     * recent run is found fast and a corrupt/partial line never fails the read.
+     * Returns null when the id is unknown.
+     */
+    loadRun(runId) {
+        if (typeof runId !== 'string' || !runId)
+            return null;
+        let raw;
+        try {
+            raw = fs.readFileSync(this.runsPath, 'utf-8');
+        }
+        catch {
+            // @silent-fallback-ok — no runs file yet means no run by that id.
+            return null;
+        }
+        const lines = raw.split('\n').filter((l) => l.trim().length > 0);
+        const tail = lines.slice(-this.maxScan);
+        for (let i = tail.length - 1; i >= 0; i--) {
+            try {
+                const parsed = JSON.parse(tail[i]);
+                if (parsed && parsed.runId === runId)
+                    return parsed;
+            }
+            catch {
+                // @silent-fallback-ok — skip a corrupt/partial JSONL line rather than
+                // failing the whole read; a partial trailing line is a normal
+                // crash-during-append artifact, not a degradation worth reporting.
+            }
+        }
+        return null;
+    }
+    /** Read the most-recent `limit` runs (newest last) for the read surface. */
+    list(limit = 200) {
+        let raw;
+        try {
+            raw = fs.readFileSync(this.runsPath, 'utf-8');
+        }
+        catch {
+            // @silent-fallback-ok — no runs file yet means an empty list (first run),
+            // the same expected first-run condition as loadRun's read above.
+            return [];
+        }
+        const lines = raw.split('\n').filter((l) => l.trim().length > 0);
+        const tail = limit > 0 ? lines.slice(-limit) : lines;
+        const out = [];
+        for (const line of tail) {
+            try {
+                out.push(JSON.parse(line));
+            }
+            catch {
+                // skip a corrupt/partial line
+            }
+        }
+        return out;
+    }
+}
+export class SelfUnblockChecklist {
+    providers;
+    store;
+    now;
+    timeouts;
+    mintRunId;
+    constructor(opts) {
+        this.providers = opts.providers ?? {};
+        this.store = opts.store;
+        this.now = opts.now ?? (() => new Date());
+        this.timeouts = {
+            local: opts.timeoutMs?.local ?? PROBE_TIMEOUT_MS.local,
+            remote: opts.timeoutMs?.remote ?? PROBE_TIMEOUT_MS.remote,
+        };
+        this.mintRunId =
+            opts.mintRunId ??
+                (() => `SUN-${this.now().getTime().toString(36)}-${Math.random().toString(36).slice(2, 8)}`);
+    }
+    /**
+     * Run the ORDERED checklist against `target`, short-circuiting on the first
+     * `holdsRelevantCred: true`. Persists the run and returns it.
+     *
+     * `requiredAttemptType` matches BlockerLedger's taxonomy: `self-fetch` for the
+     * credential/account-kind blockers (vault/cloud-account probes), `dry-run`
+     * otherwise.
+     */
+    async run(input) {
+        const target = input.target;
+        const probes = [];
+        for (const source of SELF_UNBLOCK_PROBE_SOURCES) {
+            const result = await this.probeOne(source, target);
+            probes.push(result);
+            if (result.holdsRelevantCred) {
+                // Short-circuit: a self-unblock credential exists; the agent should USE it,
+                // not escalate. The run is NOT exhausted.
+                break;
+            }
+        }
+        const exhausted = probes.length > 0 && probes.every((p) => !p.holdsRelevantCred);
+        const run = {
+            runId: this.mintRunId(),
+            target,
+            requiredAttemptType: input.requiredAttemptType,
+            probes,
+            completedAt: this.now().toISOString(),
+            exhausted,
+        };
+        this.store.save(run);
+        return run;
+    }
+    /** Probe ONE source with a hard per-class timeout. Fails toward `reachable: false`. */
+    async probeOne(source, target) {
+        const probedAt = this.now().toISOString();
+        const provider = this.providers[source];
+        if (!provider) {
+            // No provider wired for this source → unreachable (degrade gracefully).
+            return { source, reachable: false, holdsRelevantCred: false, probedAt, detail: 'no provider' };
+        }
+        const budget = this.timeouts[PROBE_SOURCE_CLASS[source]];
+        let providerResult;
+        try {
+            providerResult = await this.withTimeout(provider(target), budget);
+        }
+        catch {
+            // Timeout or provider error → unreachable, fail closed.
+            return {
+                source,
+                reachable: false,
+                holdsRelevantCred: false,
+                probedAt,
+                detail: 'probe timed out or errored',
+            };
+        }
+        if (!providerResult.reachable) {
+            return {
+                source,
+                reachable: false,
+                holdsRelevantCred: false,
+                probedAt,
+                detail: providerResult.detail,
+            };
+        }
+        const matched = relevantScopeTags(providerResult.advertisedScopeTags, target);
+        return {
+            source,
+            reachable: true,
+            holdsRelevantCred: matched.length > 0,
+            probedAt,
+            detail: providerResult.detail,
+            matchedScopeTags: matched.length > 0 ? matched : undefined,
+        };
+    }
+    /** Reject after `ms`, so a hung provider can never stall the path. */
+    withTimeout(p, ms) {
+        return new Promise((resolve, reject) => {
+            const timer = setTimeout(() => reject(new Error('probe-timeout')), ms);
+            // Do not keep the event loop alive on the timer.
+            if (typeof timer.unref === 'function') {
+                timer.unref();
+            }
+            p.then((v) => {
+                clearTimeout(timer);
+                resolve(v);
+            }, (e) => {
+                clearTimeout(timer);
+                reject(e);
+            });
+        });
+    }
+}
+/** True iff the action class triggers the rung-1 floor. */
+export function actionTriggersRungFloor(action) {
+    if (!action)
+        return false;
+    return !!(action.irreversible ||
+        action.costBearingAboveThreshold ||
+        action.outOfScope ||
+        action.policySensitive);
+}
+/**
+ * Resolve the lowest legitimate rung for a blocker, ENFORCING the rung floor.
+ *
+ * Base resolution:
+ *   - run NOT exhausted (a self-unblock cred exists) → rung 0 (nothing required)
+ *   - run exhausted + operator-only secret              → rung 2 (operator-only credential)
+ *   - run exhausted otherwise                           → rung 1 (an approval)
+ *
+ * Floor (capability ≠ authority): if the action class is irreversible /
+ * cost-bearing-above-threshold / out-of-scope / policy-sensitive, the rung can
+ * never be BELOW 1 — even a rung-0 self-unblock is raised to rung 1 (approval).
+ */
+export function resolveRung(input) {
+    let base;
+    let reason;
+    if (!input.run.exhausted) {
+        base = 0;
+        reason = 'a self-unblock credential is available within the agent\'s own access';
+    }
+    else if (input.operatorOnlySecret) {
+        base = 2;
+        reason = 'exhausted self-unblock paths; the dependency is an operator-only credential';
+    }
+    else {
+        base = 1;
+        reason = 'exhausted self-unblock paths; an operator approval is required';
+    }
+    const floor = actionTriggersRungFloor(input.action);
+    if (floor && base < 1) {
+        return {
+            rung: 1,
+            raisedByFloor: true,
+            reason: 'the action is irreversible/cost-bearing/out-of-scope/policy-sensitive, so an approval ' +
+                'is required even though a self-unblock credential exists (capability is not authority)',
+        };
+    }
+    return { rung: base, raisedByFloor: false, reason };
+}
+/**
+ * Map a resolved rung onto BlockerLedger's existing `AuthorityCheckEvidence`
+ * shape (§3 — the rung is recorded there, NOT in a new field). A rung-1 grant
+ * MUST resolve against a VERIFIED principal (Know Your Principal): when the rung
+ * is >=1 and the grant matters, `principalVerified` must be true or the grant is
+ * not honored. This function refuses to assert `userHasAuthority: true` for an
+ * unverified principal.
+ */
+export function rungToAuthorityCheck(input) {
+    const { rung, reason, raisedByFloor } = input.resolution;
+    // Rung 0: the agent has the authority itself (no human needed).
+    if (rung === 0) {
+        return {
+            agentHasAuthority: true,
+            userHasAuthority: false,
+            note: `rung 0 — ${reason}`,
+        };
+    }
+    // Rung 1/2: a human is required. The grant only counts against a VERIFIED
+    // principal — an unverified principal can never be recorded as holding the
+    // authority (a name seen in content is a question, not a fact).
+    const userHasAuthority = input.principalVerified;
+    const floorNote = raisedByFloor ? ' (rung raised by the action-class floor)' : '';
+    const principalNote = input.principalVerified
+        ? 'verified principal'
+        : 'principal NOT verified — grant cannot be honored until resolved against a verified-operator/mandate surface';
+    return {
+        agentHasAuthority: false,
+        userHasAuthority,
+        note: `rung ${rung} — ${reason}${floorNote}; ${principalNote}`,
+    };
+}
+//# sourceMappingURL=SelfUnblockChecklist.js.map

package/dist/monitoring/SelfUnblockChecklist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SelfUnblockChecklist.js","sourceRoot":"","sources":["../../src/monitoring/SelfUnblockChecklist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAE7B,iFAAiF;AAEjF,yEAAyE;AACzE,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,WAAW,EAAE,sCAAsC;IACnD,eAAe,EAAE,2CAA2C;IAC5D,cAAc,EAAE,4BAA4B;IAC5C,kBAAkB,EAAE,gCAAgC;IACpD,cAAc,EAAE,yBAAyB;IACzC,eAAe,EAAE,2CAA2C;IAC5D,WAAW,EAAE,eAAe;IAC5B,oBAAoB,EAAE,iCAAiC;IACvD,qBAAqB,EAAE,qCAAqC;CACpD,CAAC;AAOX,6CAA6C;AAC7C,MAAM,CAAC,MAAM,gBAAgB,GAAsC;IACjE,KAAK,EAAE,GAAG,EAAE,iCAAiC;IAC7C,MAAM,EAAE,MAAM,EAAE,mDAAmD;CACpE,CAAC;AAEF,yEAAyE;AACzE,MAAM,CAAC,MAAM,kBAAkB,GAAsD;IACnF,WAAW,EAAE,OAAO;IACpB,eAAe,EAAE,QAAQ;IACzB,cAAc,EAAE,QAAQ;IACxB,kBAAkB,EAAE,QAAQ;IAC5B,cAAc,EAAE,QAAQ;IACxB,eAAe,EAAE,OAAO;IACxB,WAAW,EAAE,OAAO;IACpB,oBAAoB,EAAE,OAAO;IAC7B,qBAAqB,EAAE,OAAO;CAC/B,CAAC;AAwDF;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,GAAY;IACxC,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACzC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,KAAK,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,6CAA6C;IACtG,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1D,IAAI,CAAC,OAAO,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACpC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC5B,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAS,kBAAkB,CAAC,SAAiB,EAAE,WAAmB;IAChE,uDAAuD;IACvD,IAAI,SAAS,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAEnC,MAAM,eAAe,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IAE7E,2EAA2E;IAC3E,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,EAAE,CAAC;QACjE,OAAO,SAAS,KAAK,WAAW,CAAC;IACnC,CAAC;IAED,gFAAgF;IAChF,IAAI,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAChC,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QACxB,2EAA2E;QAC3E,OAAO,WAAW,CAAC,QAAQ,CAAC,GAAG,GAAG,IAAI,CAAC,IAAI,WAAW,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;IAClF,CAAC;IAED,oBAAoB;IACpB,IAAI,SAAS,KAAK,WAAW;QAAE,OAAO,IAAI,CAAC;IAE3C,2EAA2E;IAC3E,6EAA6E;IAC7E,6EAA6E;IAC7E,OAAO,WAAW,CAAC,QAAQ,CAAC,GAAG,GAAG,SAAS,CAAC,IAAI,WAAW,CAAC,MAAM,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC;AAC5F,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAAC,OAAgB,EAAE,MAAe;IAC/D,MAAM,IAAI,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,CAAC,IAAI,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC,CAAC,2CAA2C;IAC5E,IAAI,IAAI,CAAC,OAAO,KAAK,GAAG,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC,CAAC,+BAA+B;IAC/E,OAAO,kBAAkB,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;AACnD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,UAAmB,EAAE,MAAc;IACnE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC;QAAE,OAAO,EAAE,CAAC;IAC1C,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,IAAI,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAiCD;;;;GAIG;AACH,MAAM,OAAO,mBAAmB;IACb,QAAQ,CAAS;IAClC,8EAA8E;IAC7D,OAAO,CAAS;IAEjC,YAAY,IAA4C;QACtD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,mBAAmB,EAAE,YAAY,CAAC,CAAC;QACrF,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC;IACtC,CAAC;IAED,2DAA2D;IAC3D,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,mEAAmE;IACnE,IAAI,CAAC,GAAmB;QACtB,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;IAC/D,CAAC;IAED;;;;OAIG;IACH,OAAO,CAAC,KAAa;QACnB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACrD,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;YAClE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACjE,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1C,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAmB,CAAC;gBACrD,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK,KAAK,KAAK;oBAAE,OAAO,MAAM,CAAC;YACtD,CAAC;YAAC,MAAM,CAAC;gBACP,sEAAsE;gBACtE,8DAA8D;gBAC9D,mEAAmE;YACrE,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,4EAA4E;IAC5E,IAAI,CAAC,KAAK,GAAG,GAAG;QACd,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,0EAA0E;YAC1E,iEAAiE;YACjE,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACjE,MAAM,IAAI,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QACrD,MAAM,GAAG,GAAqB,EAAE,CAAC;QACjC,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,CAAC;YACxB,IAAI,CAAC;gBACH,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAmB,CAAC,CAAC;YAC/C,CAAC;YAAC,MAAM,CAAC;gBACP,8BAA8B;YAChC,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;CACF;AAiBD,MAAM,OAAO,oBAAoB;IACd,SAAS,CAAiB;IAC1B,KAAK,CAAsB;IAC3B,GAAG,CAAa;IAChB,QAAQ,CAAoC;IAC5C,SAAS,CAAe;IAEzC,YAAY,IAAiC;QAC3C,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,EAAE,CAAC;QACtC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QACxB,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QAC1C,IAAI,CAAC,QAAQ,GAAG;YACd,KAAK,EAAE,IAAI,CAAC,SAAS,EAAE,KAAK,IAAI,gBAAgB,CAAC,KAAK;YACtD,MAAM,EAAE,IAAI,CAAC,SAAS,EAAE,MAAM,IAAI,gBAAgB,CAAC,MAAM;SAC1D,CAAC;QACF,IAAI,CAAC,SAAS;YACZ,IAAI,CAAC,SAAS;gBACd,CAAC,GAAG,EAAE,CAAC,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;IACjG,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,GAAG,CAAC,KAGT;QACC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;QAC5B,MAAM,MAAM,GAA6B,EAAE,CAAC;QAE5C,KAAK,MAAM,MAAM,IAAI,0BAA0B,EAAE,CAAC;YAChD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACpB,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;gBAC7B,4EAA4E;gBAC5E,0CAA0C;gBAC1C,MAAM;YACR,CAAC;QACH,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC;QACjF,MAAM,GAAG,GAAmB;YAC1B,KAAK,EAAE,IAAI,CAAC,SAAS,EAAE;YACvB,MAAM;YACN,mBAAmB,EAAE,KAAK,CAAC,mBAAmB;YAC9C,MAAM;YACN,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;YACrC,SAAS;SACV,CAAC;QACF,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,OAAO,GAAG,CAAC;IACb,CAAC;IAED,uFAAuF;IAC/E,KAAK,CAAC,QAAQ,CACpB,MAA8B,EAC9B,MAAc;QAEd,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,wEAAwE;YACxE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,iBAAiB,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;QACjG,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC;QACzD,IAAI,cAAmC,CAAC;QACxC,IAAI,CAAC;YACH,cAAc,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC;QACpE,CAAC;QAAC,MAAM,CAAC;YACP,wDAAwD;YACxD,OAAO;gBACL,MAAM;gBACN,SAAS,EAAE,KAAK;gBAChB,iBAAiB,EAAE,KAAK;gBACxB,QAAQ;gBACR,MAAM,EAAE,4BAA4B;aACrC,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC;YAC9B,OAAO;gBACL,MAAM;gBACN,SAAS,EAAE,KAAK;gBAChB,iBAAiB,EAAE,KAAK;gBACxB,QAAQ;gBACR,MAAM,EAAE,cAAc,CAAC,MAAM;aAC9B,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,iBAAiB,CAAC,cAAc,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC;QAC9E,OAAO;YACL,MAAM;YACN,SAAS,EAAE,IAAI;YACf,iBAAiB,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC;YACrC,QAAQ;YACR,MAAM,EAAE,cAAc,CAAC,MAAM;YAC7B,gBAAgB,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;SAC3D,CAAC;IACJ,CAAC;IAED,sEAAsE;IAC9D,WAAW,CAAI,CAAa,EAAE,EAAU;QAC9C,OAAO,IAAI,OAAO,CAAI,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACxC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACvE,iDAAiD;YACjD,IAAI,OAAQ,KAAgC,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;gBACjE,KAA+B,CAAC,KAAK,EAAE,CAAC;YAC3C,CAAC;YACD,CAAC,CAAC,IAAI,CACJ,CAAC,CAAC,EAAE,EAAE;gBACJ,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,OAAO,CAAC,CAAC,CAAC,CAAC;YACb,CAAC,EACD,CAAC,CAAC,EAAE,EAAE;gBACJ,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC,CACF,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAwBD,2DAA2D;AAC3D,MAAM,UAAU,uBAAuB,CAAC,MAA+B;IACrE,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,OAAO,CAAC,CAAC,CACP,MAAM,CAAC,YAAY;QACnB,MAAM,CAAC,yBAAyB;QAChC,MAAM,CAAC,UAAU;QACjB,MAAM,CAAC,eAAe,CACvB,CAAC;AACJ,CAAC;AA6BD;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,WAAW,CAAC,KAAuB;IACjD,IAAI,IAAqB,CAAC;IAC1B,IAAI,MAAc,CAAC;IACnB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QACzB,IAAI,GAAG,CAAC,CAAC;QACT,MAAM,GAAG,uEAAuE,CAAC;IACnF,CAAC;SAAM,IAAI,KAAK,CAAC,kBAAkB,EAAE,CAAC;QACpC,IAAI,GAAG,CAAC,CAAC;QACT,MAAM,GAAG,6EAA6E,CAAC;IACzF,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,CAAC,CAAC;QACT,MAAM,GAAG,gEAAgE,CAAC;IAC5E,CAAC;IAED,MAAM,KAAK,GAAG,uBAAuB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACpD,IAAI,KAAK,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO;YACL,IAAI,EAAE,CAAC;YACP,aAAa,EAAE,IAAI;YACnB,MAAM,EACJ,wFAAwF;gBACxF,wFAAwF;SAC3F,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;AACtD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAIpC;IACC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC;IACzD,gEAAgE;IAChE,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;QACf,OAAO;YACL,iBAAiB,EAAE,IAAI;YACvB,gBAAgB,EAAE,KAAK;YACvB,IAAI,EAAE,YAAY,MAAM,EAAE;SAC3B,CAAC;IACJ,CAAC;IACD,0EAA0E;IAC1E,2EAA2E;IAC3E,gEAAgE;IAChE,MAAM,gBAAgB,GAAG,KAAK,CAAC,iBAAiB,CAAC;IACjD,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,0CAA0C,CAAC,CAAC,CAAC,EAAE,CAAC;IAClF,MAAM,aAAa,GAAG,KAAK,CAAC,iBAAiB;QAC3C,CAAC,CAAC,oBAAoB;QACtB,CAAC,CAAC,6GAA6G,CAAC;IAClH,OAAO;QACL,iBAAiB,EAAE,KAAK;QACxB,gBAAgB;QAChB,IAAI,EAAE,QAAQ,IAAI,MAAM,MAAM,GAAG,SAAS,KAAK,aAAa,EAAE;KAC/D,CAAC;AACJ,CAAC"}

package/dist/monitoring/SelfUnblockProbeProviders.d.ts

@@ -0,0 +1,116 @@
+/**
+ * SelfUnblockProbeProviders — the PRODUCTION probe providers that wire
+ * SelfUnblockChecklist to the real world. This is the PRODUCER half of
+ * "Self-Unblock Before Escalating" (docs/specs/self-unblock-before-escalating.md):
+ * SelfUnblockChecklist (the runner), DurableVaultSession (the warm org-vault
+ * session), and BlockerLedger (the verifier) already exist — but until this file
+ * NOTHING in production instantiates the checklist with REAL providers, so a
+ * credential-blocker could never be settled (the gate demands a run that could
+ * not be produced). This closes that gap.
+ *
+ * The checklist runner owns the deterministic relevance match and the per-class
+ * timeout; a provider's ONLY job is to (a) reach its source and (b) report the
+ * NON-SECRET scope tags that source ADVERTISES, so the runner can match them.
+ *
+ * HARD SAFETY RULES (a violation is a bug — the prior incident spiked machine
+ * load to ~70 from a recursive grep; never repeat that):
+ *   (a) A provider NEVER returns or logs a secret VALUE. It returns ONLY
+ *       `{ reachable, advertisedScopeTags?, detail? }`, where advertisedScopeTags
+ *       are non-secret scope strings (zone/project/service names).
+ *   (b) Each provider does AT MOST ONE bounded call — a single CLI exec with a
+ *       small explicit timeout, or a single fetch. NEVER a recursive/unbounded
+ *       filesystem scan or `grep -r` over a large tree. The runner's per-class
+ *       timeout is the backstop; every execFile here ALSO carries its own timeout.
+ *   (c) Relevance is OPERATOR-DECLARED + fail-closed. A provider NEVER infers
+ *       which credential is relevant; advertised scope tags come from the
+ *       `credentialScopeTags` config map (keyed by source name and/or vault key).
+ *       A source with no declared tags advertises an EMPTY tag list → the runner's
+ *       `relevantScopeTags` never matches it → it is never surfaced. Nothing
+ *       declared ⇒ every probe non-matching ⇒ runs exhaust ⇒ behaves like today
+ *       (under-self-unblock, never mis-apply — the safe direction).
+ *
+ * Everything external is INJECTED via `deps`, so unit tests never shell out.
+ */
+import type { DurableVaultSession } from './DurableVaultSession.js';
+import type { ProbeProviders } from './SelfUnblockChecklist.js';
+/**
+ * The result of a single bounded child-process call. `code` 0 = success.
+ * `stdout` is the captured output (a provider parses NON-SECRET tags from it; it
+ * MUST NOT return raw stdout as a tag without scrubbing).
+ */
+export interface BoundedExecResult {
+    code: number | null;
+    stdout: string;
+    stderr: string;
+    timedOut: boolean;
+}
+/**
+ * A single, timeout-bounded `execFile`. Always pass an explicit `timeoutMs`
+ * (rule (b)) — never rely on the runner's class timeout alone. Returns a
+ * non-throwing result (a non-zero exit is `{ code: !=0 }`, not an exception) so
+ * a provider stays a single bounded call with no surprise rejections.
+ */
+export type ExecFileBounded = (file: string, args: string[], opts: {
+    timeoutMs: number;
+    env?: NodeJS.ProcessEnv;
+}) => Promise<BoundedExecResult>;
+/** The default bounded execFile — one child process, hard timeout, captured output. */
+export declare const defaultExecFileBounded: ExecFileBounded;
+export interface SelfUnblockProbeDeps {
+    /**
+     * OPERATOR-DECLARED scope tags, keyed by source name (e.g. `org-bitwarden`,
+     * `cloud-vercel`) AND/OR by vault key name. A source with no entry advertises an
+     * EMPTY tag list → it is never surfaced (rule (c), fail-closed). The values are
+     * non-secret `service:scope` strings (e.g. `["cloudflare:dawn-tunnel.dev"]`).
+     */
+    credentialScopeTags?: Record<string, string[]>;
+    /**
+     * The flag-gated warm org-Bitwarden session (§5.3). When absent the org-vault
+     * probe reports unreachable with a clear detail (never a throw-stub).
+     */
+    durableVaultSession?: DurableVaultSession;
+    /**
+     * Returns the NAMES of secrets in the agent's own vault (NEVER values). Used by
+     * the own-vault probe to decide reachability + which declared tags to advertise.
+     * Absent (or a thrown read) → own-vault reports unreachable, fail-closed.
+     */
+    getVaultKeys?: () => string[];
+    /**
+     * Returns the Cloudflare API token VALUE for the single bounded zones fetch, or
+     * null when none is configured. The VALUE is used in-process only (an
+     * Authorization header) — NEVER logged, NEVER returned. Absent/null → the
+     * cloudflare probe reports unreachable.
+     */
+    getCloudflareToken?: () => string | null;
+    /** Injectable bounded execFile (tests pass a fake; production uses the default). */
+    execFileBounded?: ExecFileBounded;
+    /** Injectable fetch (tests pass a fake; production uses global fetch). */
+    fetchImpl?: typeof fetch;
+}
+/** The minimal BitwardenProvider surface the session derivation needs. */
+export interface BitwardenUnlockSurface {
+    unlock(masterPassword: string): boolean;
+    getSessionKey(): string | null;
+}
+/**
+ * Derive a fresh org-Bitwarden session value for `DurableVaultSession.deriveSession`,
+ * TESTABLY. The AgentServer closure that wires this is otherwise untestable — which
+ * is exactly how a `process.env.BW_SESSION` read (wrong: `unlock()` stores the
+ * session in a PRIVATE field, never the env) slipped past the injected-fake tests.
+ *
+ * Reads the operator-held master password from the agent's own vault (an EXISTING
+ * key — no new on-disk secret) via the injected getter, unlocks via the injected
+ * BitwardenProvider surface, and returns the live session from `getSessionKey()`.
+ * The password and the session are used in-process ONLY and NEVER logged or returned
+ * through any other surface.
+ */
+export declare function deriveBitwardenSession(opts: {
+    getMasterPassword: () => string | null;
+    bw: BitwardenUnlockSurface;
+}): string | null;
+/**
+ * Build the full production provider set — a REAL provider for EVERY one of the 9
+ * sources in `SELF_UNBLOCK_PROBE_SOURCES`. No source is left unwired.
+ */
+export declare function buildProductionProbeProviders(deps: SelfUnblockProbeDeps): ProbeProviders;
+//# sourceMappingURL=SelfUnblockProbeProviders.d.ts.map

package/dist/monitoring/SelfUnblockProbeProviders.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SelfUnblockProbeProviders.d.ts","sourceRoot":"","sources":["../../src/monitoring/SelfUnblockProbeProviders.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAIH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AACpE,OAAO,KAAK,EAEV,cAAc,EAGf,MAAM,2BAA2B,CAAC;AAKnC;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED;;;;;GAKG;AACH,MAAM,MAAM,eAAe,GAAG,CAC5B,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EAAE,EACd,IAAI,EAAE;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAA;CAAE,KACjD,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEhC,uFAAuF;AACvF,eAAO,MAAM,sBAAsB,EAAE,eAuBjC,CAAC;AAIL,MAAM,WAAW,oBAAoB;IACnC;;;;;OAKG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/C;;;OAGG;IACH,mBAAmB,CAAC,EAAE,mBAAmB,CAAC;IAC1C;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,MAAM,EAAE,CAAC;IAC9B;;;;;OAKG;IACH,kBAAkB,CAAC,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IACzC,oFAAoF;IACpF,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,0EAA0E;IAC1E,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CAC1B;AAqMD,0EAA0E;AAC1E,MAAM,WAAW,sBAAsB;IACrC,MAAM,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC;IACxC,aAAa,IAAI,MAAM,GAAG,IAAI,CAAC;CAChC;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE;IAC3C,iBAAiB,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IACvC,EAAE,EAAE,sBAAsB,CAAC;CAC5B,GAAG,MAAM,GAAG,IAAI,CAYhB;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,oBAAoB,GAAG,cAAc,CAoDxF"}