nexus-agents 2.63.4 → 2.63.6
- package/dist/{adaptive-memory-2UIPH67R.js → adaptive-memory-XD5O3TC4.js} +3 -3
- package/dist/{chunk-NF5KOUKM.js → chunk-3BLWO2ZM.js} +2 -2
- package/dist/{chunk-PB2EXTSV.js → chunk-3H44UAHW.js} +2 -2
- package/dist/{chunk-EBFXDM3P.js → chunk-5CYDU2VX.js} +2 -2
- package/dist/{chunk-QAOI6EIU.js → chunk-5HQJGYYM.js} +2 -2
- package/dist/{chunk-FHFNOMNK.js → chunk-6MRF2PE2.js} +2 -2
- package/dist/{chunk-RCQZMJBZ.js → chunk-CQXNX6BQ.js} +3 -3
- package/dist/{chunk-WZ7Z5VLZ.js → chunk-CUGQAPGY.js} +254 -137
- package/dist/chunk-CUGQAPGY.js.map +1 -0
- package/dist/{chunk-CDWQP3UC.js → chunk-F2YQX6Q6.js} +3 -3
- package/dist/{chunk-KLZHA5KA.js → chunk-GISQ3EJB.js} +4 -4
- package/dist/{chunk-KYRDQJLY.js → chunk-HRTGSG4L.js} +7 -7
- package/dist/{chunk-ZC4KHPRL.js → chunk-N36KDK3E.js} +12 -12
- package/dist/chunk-N36KDK3E.js.map +1 -0
- package/dist/{chunk-FAUHVWYZ.js → chunk-NV63LTMM.js} +5 -1
- package/dist/chunk-NV63LTMM.js.map +1 -0
- package/dist/{chunk-GJVHRJO2.js → chunk-O3CBMPGT.js} +2 -1
- package/dist/chunk-O3CBMPGT.js.map +1 -0
- package/dist/{chunk-KVZNQWWI.js → chunk-O4AJGETH.js} +2 -2
- package/dist/{chunk-ORYMBSGF.js → chunk-OKU3VXWC.js} +5 -5
- package/dist/{chunk-ETZULQ7Z.js → chunk-P5NBYCEC.js} +2 -2
- package/dist/{chunk-FTWGBV7S.js → chunk-R4FVXOZF.js} +2 -2
- package/dist/{chunk-46S665SD.js → chunk-SUR2TLIG.js} +7 -7
- package/dist/{chunk-I37IQ26H.js → chunk-TR74DSB4.js} +2 -2
- package/dist/{chunk-PEDEZRPR.js → chunk-TSS7VN3V.js} +8 -8
- package/dist/{chunk-MSFUOGN4.js → chunk-UFHFX2GX.js} +2 -2
- package/dist/{chunk-UDKYZ7CS.js → chunk-VOBYREAG.js} +2 -2
- package/dist/{chunk-UCQTXKTS.js → chunk-WDWKKJHZ.js} +2 -2
- package/dist/{cli-circuit-breaker-5E6OWOMI.js → cli-circuit-breaker-JE6XKLUG.js} +4 -4
- package/dist/cli.js +74 -65
- package/dist/cli.js.map +1 -1
- package/dist/{composite-router-FC3H7NKN.js → composite-router-KBOGB7GQ.js} +2 -2
- package/dist/{consensus-vote-6FKSINXV.js → consensus-vote-PIU3D3KP.js} +9 -9
- package/dist/{doctor-deep-X3YCUM4Q.js → doctor-deep-DGY2N4U2.js} +3 -3
- package/dist/{expert-bridge-R6FQWUHB.js → expert-bridge-5IPLSDJH.js} +3 -3
- package/dist/{expert-config-BTPAEZWV.js → expert-config-6X4225UC.js} +2 -2
- package/dist/{factory-BOXBN4ZS.js → factory-PSFI6WDI.js} +4 -4
- package/dist/{factory-7DJA2CIL.js → factory-ZTNGLNFH.js} +5 -5
- package/dist/index.d.ts +5 -0
- package/dist/index.js +21 -21
- package/dist/{issue-triage-DGDKQQTD.js → issue-triage-VOZNNCUG.js} +4 -4
- package/dist/{mcp-config-CHS2ZC42.js → mcp-config-PDH6LS6E.js} +3 -3
- package/dist/{mobimem-NO7I2Y4O.js → mobimem-7KQVPLAW.js} +2 -2
- package/dist/{registry-command-ZO75YQJG.js → registry-command-BS75IWSA.js} +2 -2
- package/dist/{repo-security-plan-BZ3WOIEZ.js → repo-security-plan-VZTTNXYJ.js} +3 -3
- package/dist/{research-helpers-synthesize-SH34FJIE.js → research-helpers-synthesize-B3C6BFCX.js} +3 -3
- package/dist/{routing-memory-SALB3DZI.js → routing-memory-BGK2HMC3.js} +2 -2
- package/dist/{session-memory-IOXXN6XA.js → session-memory-ESTZAPL2.js} +3 -3
- package/dist/{setup-command-UVJRDNRF.js → setup-command-J6QG2G5V.js} +9 -9
- package/dist/{setup-config-FYRXUWQH.js → setup-config-LG67TIFO.js} +3 -3
- package/dist/{setup-custom-api-VAFP4X43.js → setup-custom-api-4DZABP47.js} +4 -4
- package/dist/{weather-report-SBJRXFTW.js → weather-report-HUY35FUZ.js} +2 -2
- package/package.json +1 -1
- package/dist/chunk-FAUHVWYZ.js.map +0 -1
- package/dist/chunk-GJVHRJO2.js.map +0 -1
- package/dist/chunk-WZ7Z5VLZ.js.map +0 -1
- package/dist/chunk-ZC4KHPRL.js.map +0 -1
- /package/dist/{adaptive-memory-2UIPH67R.js.map → adaptive-memory-XD5O3TC4.js.map} +0 -0
- /package/dist/{chunk-NF5KOUKM.js.map → chunk-3BLWO2ZM.js.map} +0 -0
- /package/dist/{chunk-PB2EXTSV.js.map → chunk-3H44UAHW.js.map} +0 -0
- /package/dist/{chunk-EBFXDM3P.js.map → chunk-5CYDU2VX.js.map} +0 -0
- /package/dist/{chunk-QAOI6EIU.js.map → chunk-5HQJGYYM.js.map} +0 -0
- /package/dist/{chunk-FHFNOMNK.js.map → chunk-6MRF2PE2.js.map} +0 -0
- /package/dist/{chunk-RCQZMJBZ.js.map → chunk-CQXNX6BQ.js.map} +0 -0
- /package/dist/{chunk-CDWQP3UC.js.map → chunk-F2YQX6Q6.js.map} +0 -0
- /package/dist/{chunk-KLZHA5KA.js.map → chunk-GISQ3EJB.js.map} +0 -0
- /package/dist/{chunk-KYRDQJLY.js.map → chunk-HRTGSG4L.js.map} +0 -0
- /package/dist/{chunk-KVZNQWWI.js.map → chunk-O4AJGETH.js.map} +0 -0
- /package/dist/{chunk-ORYMBSGF.js.map → chunk-OKU3VXWC.js.map} +0 -0
- /package/dist/{chunk-ETZULQ7Z.js.map → chunk-P5NBYCEC.js.map} +0 -0
- /package/dist/{chunk-FTWGBV7S.js.map → chunk-R4FVXOZF.js.map} +0 -0
- /package/dist/{chunk-46S665SD.js.map → chunk-SUR2TLIG.js.map} +0 -0
- /package/dist/{chunk-I37IQ26H.js.map → chunk-TR74DSB4.js.map} +0 -0
- /package/dist/{chunk-PEDEZRPR.js.map → chunk-TSS7VN3V.js.map} +0 -0
- /package/dist/{chunk-MSFUOGN4.js.map → chunk-UFHFX2GX.js.map} +0 -0
- /package/dist/{chunk-UDKYZ7CS.js.map → chunk-VOBYREAG.js.map} +0 -0
- /package/dist/{chunk-UCQTXKTS.js.map → chunk-WDWKKJHZ.js.map} +0 -0
- /package/dist/{cli-circuit-breaker-5E6OWOMI.js.map → cli-circuit-breaker-JE6XKLUG.js.map} +0 -0
- /package/dist/{composite-router-FC3H7NKN.js.map → composite-router-KBOGB7GQ.js.map} +0 -0
- /package/dist/{consensus-vote-6FKSINXV.js.map → consensus-vote-PIU3D3KP.js.map} +0 -0
- /package/dist/{doctor-deep-X3YCUM4Q.js.map → doctor-deep-DGY2N4U2.js.map} +0 -0
- /package/dist/{expert-bridge-R6FQWUHB.js.map → expert-bridge-5IPLSDJH.js.map} +0 -0
- /package/dist/{expert-config-BTPAEZWV.js.map → expert-config-6X4225UC.js.map} +0 -0
- /package/dist/{factory-7DJA2CIL.js.map → factory-PSFI6WDI.js.map} +0 -0
- /package/dist/{factory-BOXBN4ZS.js.map → factory-ZTNGLNFH.js.map} +0 -0
- /package/dist/{issue-triage-DGDKQQTD.js.map → issue-triage-VOZNNCUG.js.map} +0 -0
- /package/dist/{mcp-config-CHS2ZC42.js.map → mcp-config-PDH6LS6E.js.map} +0 -0
- /package/dist/{mobimem-NO7I2Y4O.js.map → mobimem-7KQVPLAW.js.map} +0 -0
- /package/dist/{registry-command-ZO75YQJG.js.map → registry-command-BS75IWSA.js.map} +0 -0
- /package/dist/{repo-security-plan-BZ3WOIEZ.js.map → repo-security-plan-VZTTNXYJ.js.map} +0 -0
- /package/dist/{research-helpers-synthesize-SH34FJIE.js.map → research-helpers-synthesize-B3C6BFCX.js.map} +0 -0
- /package/dist/{routing-memory-SALB3DZI.js.map → routing-memory-BGK2HMC3.js.map} +0 -0
- /package/dist/{session-memory-IOXXN6XA.js.map → session-memory-ESTZAPL2.js.map} +0 -0
- /package/dist/{setup-command-UVJRDNRF.js.map → setup-command-J6QG2G5V.js.map} +0 -0
- /package/dist/{setup-config-FYRXUWQH.js.map → setup-config-LG67TIFO.js.map} +0 -0
- /package/dist/{setup-custom-api-VAFP4X43.js.map → setup-custom-api-4DZABP47.js.map} +0 -0
- /package/dist/{weather-report-SBJRXFTW.js.map → weather-report-HUY35FUZ.js.map} +0 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/agents/experts/expert-config.ts","../src/agents/experts/knowledge/architecture/clean-architecture.ts","../src/agents/experts/knowledge/architecture/microservices.ts","../src/agents/experts/knowledge/architecture/index.ts","../src/agents/experts/knowledge/security/owasp-api-top10.ts","../src/agents/experts/knowledge/security/authentication.ts","../src/agents/experts/knowledge/security/authorization.ts","../src/agents/experts/knowledge/security/input-validation.ts","../src/agents/experts/knowledge/security/secrets-management.ts","../src/agents/experts/knowledge/security/threat-modeling.ts","../src/agents/experts/knowledge/security/nist-controls.ts","../src/agents/experts/knowledge/security/supply-chain.ts","../src/agents/experts/knowledge/security/index.ts","../src/agents/experts/knowledge/devops/iac-patterns.ts","../src/agents/experts/knowledge/devops/container-orchestration.ts","../src/agents/experts/knowledge/devops/observability.ts","../src/agents/experts/knowledge/devops/systemd-bare-metal.ts","../src/agents/experts/knowledge/devops/index.ts","../src/agents/experts/knowledge/research/index.ts","../src/agents/experts/knowledge/code/typescript-patterns.ts","../src/agents/experts/knowledge/code/python-patterns.ts","../src/agents/experts/knowledge/code/cicd-patterns.ts","../src/agents/experts/knowledge/code/index.ts","../src/agents/experts/knowledge/testing/unit-patterns.ts","../src/agents/experts/knowledge/testing/integration-patterns.ts","../src/agents/experts/knowledge/testing/e2e-patterns.ts","../src/agents/experts/knowledge/testing/performance-patterns.ts","../src/agents/experts/knowledge/testing/index.ts","../src/agents/experts/knowledge/documentation/diataxis.ts","../src/agents/experts/knowledge/documentation/index.ts","../src/agents/experts/enriched-prompts.ts","../src/agents/experts/expert-prompts/pm-expert.ts","../src/agents/experts/expert-prompts/ux-expert.ts","../src/agents/experts/expert-prompts/infrastructure-expert.ts","
../src/agents/experts/expert-prompts/data-visualization-expert.ts"],"sourcesContent":["/* eslint-disable max-lines */\n/**\n * nexus-agents/agents - Expert Configuration\n *\n * Configuration schema and types for dynamically creating expert agents.\n * Experts are specialized agents with specific capabilities and prompts.\n * 10 built-in expert definitions — cohesive, single-concern file.\n */\n\nimport { z } from 'zod';\nimport type { AgentRole, AgentCapability } from '../../core/index.js';\nimport {\n buildArchitecturePrompt,\n buildSecurityPrompt,\n buildDevOpsPrompt,\n buildResearchPrompt,\n buildCodePrompt,\n buildTestingPrompt,\n buildDocumentationPrompt,\n buildPmPrompt,\n buildUxPrompt,\n buildInfrastructurePrompt,\n} from './enriched-prompts.js';\nimport { PM_EXPERT_BASE_PROMPT } from './expert-prompts/pm-expert.js';\nimport { UX_EXPERT_BASE_PROMPT } from './expert-prompts/ux-expert.js';\nimport { INFRASTRUCTURE_EXPERT_BASE_PROMPT } from './expert-prompts/infrastructure-expert.js';\nimport { DATA_VISUALIZATION_EXPERT_BASE_PROMPT } from './expert-prompts/data-visualization-expert.js';\n\n/**\n * Model preference configuration for an expert.\n */\nexport interface ModelPreference {\n /** Provider ID (e.g., 'anthropic', 'openai') */\n provider?: string;\n /** Specific model ID */\n modelId?: string;\n /** Temperature for generation (0.0 - 2.0) */\n temperature?: number;\n /** Maximum tokens for responses */\n maxTokens?: number;\n}\n\n/**\n * Configuration for creating a dynamic expert agent.\n */\nexport interface ExpertConfig {\n /** Unique identifier for this expert */\n id: string;\n /** Human-readable name */\n name: string;\n /** Role classification */\n role: AgentRole;\n /** System prompt defining the expert's behavior */\n systemPrompt: string;\n /** List of capabilities this expert has */\n capabilities: AgentCapability[];\n /** Optional model preferences */\n modelPreference?: ModelPreference;\n /** Optional tool restrictions (allowlist/denylist 
per role) */\n toolRestrictions?: ToolRestrictions;\n /** Optional metadata for extensions */\n metadata?: Record<string, unknown>;\n}\n\n/**\n * Built-in expert type identifiers.\n */\nexport type BuiltInExpertType =\n | 'code'\n | 'architecture'\n | 'security'\n | 'documentation'\n | 'testing'\n | 'devops'\n | 'research'\n | 'pm'\n | 'ux'\n | 'infrastructure'\n | 'qa'\n | 'data-visualization';\n\n/**\n * Zod schema for ModelPreference.\n */\nexport const ModelPreferenceSchema = z.object({\n provider: z.string().min(1).optional(),\n modelId: z.string().min(1).optional(),\n temperature: z.number().min(0).max(2).optional(),\n maxTokens: z.number().min(1).max(200000).optional(),\n});\n\n/**\n * Zod schema for AgentRole enum values.\n */\nconst AgentRoleSchema = z.enum([\n 'tech_lead',\n 'code_expert',\n 'architecture_expert',\n 'security_expert',\n 'documentation_expert',\n 'testing_expert',\n 'devops_expert',\n 'research_expert',\n 'pm_expert',\n 'ux_expert',\n 'infrastructure_expert',\n 'qa_expert',\n 'data_visualization_expert',\n 'custom',\n]);\n\n/**\n * Zod schema for AgentCapability enum values.\n */\nconst AgentCapabilitySchema = z.enum([\n 'task_execution',\n 'delegation',\n 'collaboration',\n 'tool_use',\n 'code_generation',\n 'code_review',\n 'research',\n]);\n\n/**\n * Zod schema for ExpertConfig.\n */\n/**\n * Tool restriction configuration for expert roles.\n * Inspired by Augment Code's subagent tool access control.\n * Allowlist takes priority — if set, only listed tools are available.\n * Denylist blocks specific tools (used when allowlist is not set).\n */\nexport const ToolRestrictionsSchema = z\n .object({\n /** Tools the expert is allowed to use (allowlist — exclusive). */\n allowedTools: z.array(z.string()).optional(),\n /** Tools the expert is NOT allowed to use (denylist — additive). 
*/\n deniedTools: z.array(z.string()).optional(),\n })\n .optional();\n\nexport type ToolRestrictions = z.infer<typeof ToolRestrictionsSchema>;\n\nexport const ExpertConfigSchema = z.object({\n id: z.string().min(1, 'Expert ID is required'),\n name: z.string().min(1, 'Expert name is required'),\n role: AgentRoleSchema,\n systemPrompt: z.string().min(1, 'System prompt is required'),\n capabilities: z.array(AgentCapabilitySchema).min(1, 'At least one capability required'),\n modelPreference: ModelPreferenceSchema.optional(),\n toolRestrictions: ToolRestrictionsSchema,\n metadata: z.record(z.string(), z.unknown()).optional(),\n});\n\n/**\n * Zod schema for BuiltInExpertType.\n *\n * MUST stay in lockstep with the `BuiltInExpertType` type union above.\n * Tested by `BuiltInExpertTypeSchema accepts every literal in BuiltInExpertType`\n * in expert-config.test.ts to prevent drift (#2338).\n */\nexport const BuiltInExpertTypeSchema = z.enum([\n 'code',\n 'architecture',\n 'security',\n 'documentation',\n 'testing',\n 'devops',\n 'research',\n 'pm',\n 'ux',\n 'infrastructure',\n 'qa',\n 'data-visualization',\n]);\n\n/**\n * Built-in expert configurations.\n * These provide sensible defaults for common expert types.\n */\nexport const BUILT_IN_EXPERTS: Readonly<Record<BuiltInExpertType, ExpertConfig>> = {\n code: {\n id: 'code-expert',\n name: 'Code Expert',\n role: 'code_expert',\n systemPrompt:\n buildCodePrompt(`You are a senior software engineer specialized in writing clean, maintainable, and efficient code.\n\n## Core Responsibilities\n1. Write production-quality code that meets requirements\n2. Follow best practices and design patterns\n3. Implement robust error handling\n4. Optimize performance while maintaining readability\n5. 
Collaborate with other experts when needed\n\n## Guidelines\n- Use clear, descriptive naming conventions\n- Apply SOLID principles when designing classes\n- Write self-documenting code with comments for complex logic\n- Keep functions small and focused (single responsibility)\n- Validate all inputs at boundaries\n- Handle errors explicitly with proper error types\n- Use Result<T, E> pattern for fallible operations\n\n## Technical Standards\n- TypeScript 5.8+ with strict mode\n- Node.js 22.x LTS\n- ES2024 features where appropriate\n\n## Output Format\nWhen providing code:\n1. Include necessary imports\n2. Add JSDoc comments for public APIs\n3. Handle edge cases explicitly\n4. Provide brief explanation of key decisions`),\n capabilities: ['task_execution', 'code_generation', 'code_review', 'tool_use', 'collaboration'],\n modelPreference: {\n temperature: 0.2,\n },\n },\n\n architecture: {\n id: 'architecture-expert',\n name: 'Architecture Expert',\n role: 'architecture_expert',\n systemPrompt:\n buildArchitecturePrompt(`You are a software architect specialized in system design and architectural decisions.\n\n## Core Responsibilities\n1. Design scalable and maintainable system architectures\n2. Make informed technology and pattern choices\n3. Document architectural decisions (ADRs)\n4. 
Guide teams on best practices\n\n## Guidelines\n- Consider trade-offs explicitly (CAP, latency vs throughput)\n- Design for change and extensibility\n- Apply appropriate patterns (microservices, event-driven, etc.)\n- Consider operational aspects (monitoring, scaling, deployment)\n- Document assumptions and constraints\n\n## Visualization Standards\n- C4 Model: Use Context, Container, Component, Code levels\n- Mermaid diagrams for architecture visualization\n- Sequence diagrams for complex interactions\n\n## Scalability Checklist\nWhen designing systems, address:\n- [ ] Horizontal vs vertical scaling strategy\n- [ ] Stateless service design\n- [ ] Caching strategy (local, distributed)\n- [ ] Database sharding/partitioning approach\n- [ ] Load balancing and failover\n- [ ] Async processing for heavy operations\n\n## ADR Template\nWhen documenting decisions:\n\\`\\`\\`\n# ADR-NNN: [Title]\nStatus: [Proposed|Accepted|Deprecated|Superseded]\nContext: [Problem statement and constraints]\nDecision: [What we decided and why]\nConsequences: [Trade-offs and implications]\n\\`\\`\\`\n\n## Output Format\nWhen providing architectural guidance:\n1. State the problem/context clearly\n2. List options considered with trade-offs\n3. Recommend a solution with rationale using C4 diagrams\n4. Include ADR for significant decisions\n5. Note scalability and operational considerations`),\n capabilities: ['task_execution', 'research', 'collaboration'],\n modelPreference: {\n temperature: 0.3,\n },\n },\n\n security: {\n id: 'security-expert',\n name: 'Security Expert',\n role: 'security_expert',\n systemPrompt:\n buildSecurityPrompt(`You are a security engineer specialized in application and infrastructure security.\n\n## Core Responsibilities\n1. Identify security vulnerabilities and risks\n2. Review code for security issues\n3. Recommend security controls and mitigations\n4. 
Guide secure development practices\n\n## Guidelines\n- Reference OWASP Top 10 and CWE when applicable\n- Consider attack vectors and threat models\n- Prioritize risks by severity and likelihood\n- Provide actionable remediation steps\n- Never expose sensitive information in examples\n\n## Security Standards\n- NIST Cybersecurity Framework (CSF 2.0)\n- OWASP Application Security Verification Standard (ASVS)\n- CWE/SANS Top 25 Most Dangerous Software Weaknesses\n\n## Vulnerability Reporting Format\nWhen reporting vulnerabilities:\n1. **CVE Format**: Reference known CVEs as CVE-YYYY-NNNNN\n2. **CVSS Scoring**: Provide severity using CVSS 3.1 (Critical/High/Medium/Low)\n3. **CWE Classification**: Map to CWE-XXX identifiers\n\n## Output Format\nWhen providing security guidance:\n1. Describe the vulnerability/risk with CWE classification\n2. Assign CVSS severity (Critical: 9.0-10.0, High: 7.0-8.9, Medium: 4.0-6.9, Low: 0.1-3.9)\n3. Explain potential impact and attack vectors\n4. Provide remediation steps with code examples\n5. Reference relevant standards (OWASP, NIST, CWE)`),\n capabilities: ['task_execution', 'code_review', 'research'],\n // Security experts should not write files — read-only analysis\n toolRestrictions: {\n deniedTools: ['write_file', 'save_file', 'str_replace_editor', 'launch_process'],\n },\n modelPreference: {\n // Raised from 0.1 to 0.2 to allow nuanced analysis of ambiguous patterns\n // 0.1 was too rigid — caused parsing failures on contextual security questions\n temperature: 0.2,\n },\n },\n\n documentation: {\n id: 'documentation-expert',\n name: 'Documentation Expert',\n role: 'documentation_expert',\n systemPrompt:\n buildDocumentationPrompt(`You are a technical writer specialized in creating clear, comprehensive documentation.\n\nWrite like a technically precise, experienced engineer who respects the reader's intelligence. Be direct, honest, and clear. No marketing fluff, no exaggeration, no hand-waving.\n\n## Core Responsibilities\n1. 
Write clear and accurate documentation\n2. Create API documentation and guides\n3. Document architecture and design decisions\n4. Maintain consistency across documentation\n5. Generate diagrams and visual aids when helpful\n\n## Guidelines\n- Write for the target audience (developers, users, operators)\n- Use clear, concise language - say it once, say it right\n- Include practical working examples\n- Structure content logically with headings\n- Keep documentation up-to-date with code\n- Admit limitations honestly\n\n## Technical Standards\n- CommonMark specification for Markdown\n- Mermaid for diagrams\n- JSDoc for API documentation\n\n## Output Format\nWhen providing documentation:\n1. Use appropriate markdown formatting\n2. Include code examples where helpful\n3. Add cross-references to related docs\n4. Note any prerequisites or assumptions\n5. Test that examples actually work`),\n capabilities: ['task_execution', 'research', 'tool_use'],\n modelPreference: {\n temperature: 0.4,\n },\n },\n\n testing: {\n id: 'testing-expert',\n name: 'Testing Expert',\n role: 'testing_expert',\n systemPrompt:\n buildTestingPrompt(`You are a QA engineer specialized in testing strategies and test implementation.\n\n## Core Responsibilities\n1. Design comprehensive test strategies\n2. Write unit, integration, and e2e tests\n3. Identify edge cases and failure scenarios\n4. Improve test coverage and reliability\n5. 
Review existing test code for quality and coverage gaps\n\n## Guidelines\n- Follow the testing pyramid (unit > integration > e2e)\n- Test behavior, not implementation details\n- Use meaningful test descriptions (given/when/then)\n- Mock external dependencies appropriately\n- Cover error cases and edge conditions\n\n## Coverage Targets\n- Line coverage: >= 80%\n- Branch coverage: >= 75%\n- Critical paths: 100%\n\n## Technical Standards\n- Vitest for unit and integration tests\n- Playwright for e2e tests\n- Testing Library for component tests\n\n## Output Format\nWhen providing tests:\n1. Include arrange/act/assert structure\n2. Use descriptive test names\n3. Cover happy path and error cases\n4. Note any test fixtures or setup needed`),\n capabilities: ['task_execution', 'code_generation', 'code_review', 'tool_use'],\n modelPreference: {\n temperature: 0.2,\n },\n },\n\n devops: {\n id: 'devops-expert',\n name: 'DevOps/SRE Expert',\n role: 'devops_expert',\n systemPrompt:\n buildDevOpsPrompt(`You are a DevOps/SRE engineer specialized in infrastructure, CI/CD, and operational excellence.\n\n## Core Responsibilities\n1. Design and implement CI/CD pipelines\n2. Manage infrastructure as code (IaC)\n3. Configure monitoring, alerting, and observability\n4. Implement reliability and incident response practices\n5. 
Optimize cloud resource usage and costs\n\n## Guidelines\n- Infrastructure as Code: Terraform, Pulumi, CloudFormation\n- Container orchestration: Kubernetes, Docker\n- Follow GitOps principles for deployments\n- Implement the SRE golden signals: latency, traffic, errors, saturation\n- Design for failure with circuit breakers and graceful degradation\n\n## Technical Standards\n- Terraform 1.x with proper state management\n- Kubernetes 1.28+ with Helm charts\n- Prometheus/Grafana for metrics\n- OpenTelemetry for distributed tracing\n- GitHub Actions or GitLab CI for pipelines\n\n## SRE Practices\n- Define SLOs (Service Level Objectives) with error budgets\n- Implement proper runbooks for incident response\n- Use chaos engineering for resilience testing\n- Automate toil reduction\n\n## Output Format\nWhen providing DevOps guidance:\n1. State the infrastructure or operational problem\n2. Provide IaC code examples (Terraform, K8s manifests)\n3. Include monitoring/alerting configuration\n4. Note scaling and cost considerations\n5. Provide rollback and recovery procedures`),\n capabilities: ['task_execution', 'code_generation', 'tool_use', 'collaboration'],\n modelPreference: {\n temperature: 0.2,\n },\n },\n\n research: {\n id: 'research-expert',\n name: 'Research Expert',\n role: 'research_expert',\n systemPrompt:\n buildResearchPrompt(`You are a research expert specialized in literature review, gap analysis, and technique extraction for multi-agent systems and LLM orchestration.\n\n## Core Responsibilities\n1. Evaluate research papers and open-source projects for relevance\n2. Extract actionable techniques from academic literature\n3. Identify gaps in research coverage and suggest areas to explore\n4. Prioritize findings by potential impact on the system\n5. 
Maintain the research registry with accurate, up-to-date entries\n\n## Guidelines\n- Assess sources by impact, relevance, recency, and reproducibility\n- Use systematic literature review methodology\n- Compare findings against existing registry to avoid duplicates\n- Provide structured output compatible with the research registry format\n- Consider both academic papers and production-grade open-source implementations\n\n## Research Domains\n- Multi-agent orchestration and coordination\n- LLM reasoning, planning, and tool use\n- Consensus mechanisms and collective intelligence\n- Agent evaluation and benchmarking\n- Code generation and software engineering with LLMs\n\n## Output Format\nWhen providing research analysis:\n1. State the research question or gap being addressed\n2. List sources evaluated with quality assessment\n3. Extract techniques with implementation feasibility\n4. Recommend priorities and next steps\n5. Provide registry-compatible metadata for cataloging`),\n capabilities: ['task_execution', 'research', 'collaboration'],\n modelPreference: {\n temperature: 0.3,\n },\n },\n\n pm: {\n id: 'pm-expert',\n name: 'Product Manager Expert',\n role: 'pm_expert',\n systemPrompt: buildPmPrompt(PM_EXPERT_BASE_PROMPT),\n capabilities: ['task_execution', 'collaboration', 'research'],\n modelPreference: {\n temperature: 0.4,\n },\n },\n\n ux: {\n id: 'ux-expert',\n name: 'UX/UI Front-End Engineer Expert',\n role: 'ux_expert',\n systemPrompt: buildUxPrompt(UX_EXPERT_BASE_PROMPT),\n capabilities: ['task_execution', 'collaboration', 'research', 'code_generation'],\n modelPreference: {\n temperature: 0.4,\n },\n },\n\n infrastructure: {\n id: 'infrastructure-expert',\n name: 'Infrastructure Expert',\n role: 'infrastructure_expert',\n systemPrompt: buildInfrastructurePrompt(INFRASTRUCTURE_EXPERT_BASE_PROMPT),\n capabilities: ['task_execution', 'code_generation', 'tool_use', 'collaboration'],\n modelPreference: {\n temperature: 0.2,\n },\n },\n\n qa: {\n id: 
'qa-expert',\n name: 'Quality Assurance Expert',\n role: 'qa_expert',\n systemPrompt: `You are a Quality Assurance expert. Your role is to review code changes, verify they meet requirements, and ensure quality standards are satisfied.\n\nFor each review:\n1. Check if the implementation matches the specification/issue requirements\n2. Verify test coverage — are edge cases handled?\n3. Check for regressions — does existing functionality still work?\n4. Verify code style and standards compliance\n5. Check for security issues (injection, XSS, path traversal)\n6. Assess readability and maintainability\n\nProvide your review as a structured assessment:\n- PASS: meets all criteria, ready to ship\n- NEEDS_WORK: specific issues listed with file:line references\n- REJECT: fundamental problems requiring redesign\n\nAlways cite specific code locations. Never approve without reviewing the actual changes.`,\n capabilities: ['task_execution', 'collaboration', 'research'],\n modelPreference: {\n temperature: 0.2,\n },\n },\n 'data-visualization': {\n id: 'data-visualization-expert',\n name: 'Data Visualization Expert',\n role: 'data_visualization_expert',\n systemPrompt: DATA_VISUALIZATION_EXPERT_BASE_PROMPT,\n capabilities: ['task_execution', 'research', 'code_generation', 'collaboration'],\n modelPreference: {\n temperature: 0.3,\n },\n },\n};\n\n/**\n * Maps built-in expert types to their AgentRole.\n */\nexport const EXPERT_TYPE_TO_ROLE: Readonly<Record<BuiltInExpertType, AgentRole>> = {\n code: 'code_expert',\n architecture: 'architecture_expert',\n security: 'security_expert',\n documentation: 'documentation_expert',\n testing: 'testing_expert',\n devops: 'devops_expert',\n research: 'research_expert',\n pm: 'pm_expert',\n ux: 'ux_expert',\n infrastructure: 'infrastructure_expert',\n qa: 'qa_expert',\n 'data-visualization': 'data_visualization_expert',\n};\n\n/**\n * Validates an expert configuration.\n * @param config - Configuration to validate\n * @returns Parsed config 
or throws on validation error\n */\nexport function validateExpertConfig(config: unknown): ExpertConfig {\n return ExpertConfigSchema.parse(config) as ExpertConfig;\n}\n\n/**\n * Safely validates an expert configuration.\n * @param config - Configuration to validate\n * @returns Safe parse result with success/error\n */\nexport function safeValidateExpertConfig(\n config: unknown\n): { success: true; data: ExpertConfig } | { success: false; error: z.ZodError } {\n const result = ExpertConfigSchema.safeParse(config);\n if (result.success) {\n return { success: true, data: result.data as ExpertConfig };\n }\n return { success: false, error: result.error };\n}\n","/**\n * Clean Architecture Knowledge Module\n *\n * Covers hexagonal/ports-and-adapters, clean architecture layers,\n * onion architecture, SOLID principles, and module boundary patterns.\n *\n * @module agents/experts/knowledge/architecture/clean-architecture\n * @see https://blog.cleancoder.com/uncle-bob/2012/08/13/the-clean-architecture.html\n * (Source: Epic #643 / Issue #648 - Phase 1d)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const CLEAN_ARCHITECTURE_MODULE: KnowledgeModule = {\n id: 'architecture-clean-architecture',\n domain: 'architecture',\n title: 'Clean Architecture Patterns',\n tags: ['clean-architecture', 'hexagonal', 'solid', 'ports-adapters', 'onion'],\n sections: [\n {\n title: 'Clean Architecture Layers',\n content: [\n 'LAYER 1 - Entities: Enterprise business rules, domain objects, value objects',\n 'LAYER 2 - Use Cases: Application-specific business rules, orchestrate entity interactions',\n 'LAYER 3 - Interface Adapters: Controllers, presenters, gateways, DTOs',\n 'LAYER 4 - Frameworks & Drivers: Web frameworks, databases, external APIs, UI',\n 'RULE: Dependencies ONLY point inward (outer layers depend on inner layers)',\n 'RULE: Inner layers MUST NOT know about outer layers',\n 'RULE: Data crossing boundaries uses simple DTOs or value objects',\n 
].join('\\n'),\n priority: 10,\n },\n {\n title: 'Hexagonal / Ports-and-Adapters',\n content: [\n 'CONCEPT: Application core defines ports (interfaces); adapters implement them',\n 'PORT types: Driving (primary/inbound) and Driven (secondary/outbound)',\n 'DRIVING PORT: API exposed by the application (e.g., IOrderService)',\n 'DRIVEN PORT: Interface the application requires (e.g., IOrderRepository)',\n 'DRIVING ADAPTER: HTTP controller, CLI handler, message consumer',\n 'DRIVEN ADAPTER: Database implementation, email sender, external API client',\n 'BENEFIT: Swap adapters without changing business logic (test with in-memory)',\n 'PATTERN: Use dependency injection to wire adapters to ports at composition root',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Onion Architecture Comparison',\n content: [\n 'SIMILARITY: Dependencies point inward, domain at center',\n 'DIFFERENCE: Onion explicitly names Domain Model, Domain Services, Application Services',\n 'ONION INNER: Domain Model (entities, value objects, domain events)',\n 'ONION MIDDLE: Domain Services (cross-entity logic, repository interfaces)',\n 'ONION OUTER: Application Services (use case orchestration, transaction boundaries)',\n 'ONION OUTERMOST: Infrastructure (persistence, messaging, UI)',\n 'USE ONION WHEN: Team is more comfortable with layered thinking than port/adapter',\n ].join('\\n'),\n priority: 6,\n },\n {\n title: 'SOLID Principles Applied',\n content: [\n 'S - Single Responsibility: Each module has ONE reason to change',\n ' APPLY: Split OrderService into OrderCreator, OrderValidator, OrderNotifier',\n 'O - Open/Closed: Extend behavior without modifying existing code',\n ' APPLY: Use strategy pattern for payment methods instead of if/else chains',\n 'L - Liskov Substitution: Subtypes must be substitutable for base types',\n ' APPLY: If Square extends Rectangle, setWidth must not break area calculation',\n 'I - Interface Segregation: Clients should not depend on unused methods',\n ' APPLY: 
Split IRepository into IReader and IWriter when queries differ from commands',\n 'D - Dependency Inversion: Depend on abstractions, not concretions',\n ' APPLY: Use case imports IEmailSender interface, not SmtpEmailSender class',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Module Boundary Patterns',\n content: [\n 'PUBLIC API: Each module exposes a single index.ts barrel export',\n 'INTERNAL: Implementation details are not exported; enforce via eslint import rules',\n 'ANTI-CORRUPTION LAYER: Translate external models at boundary, never leak them inward',\n 'SHARED KERNEL: Minimal shared types between modules (value objects, events)',\n 'PATTERN: Module boundary = npm package boundary in monorepo architecture',\n 'ENFORCE: Use path aliases and eslint-plugin-boundaries to prevent cross-cutting imports',\n ].join('\\n'),\n priority: 8,\n },\n {\n title: 'Monolith vs Clean Architecture Decision Tree',\n content: [\n 'Q1: Is the project < 6 months old or a prototype? → START with modular monolith',\n 'Q2: Do you have < 3 developers? → Modular monolith (clean arch adds overhead)',\n 'Q3: Is domain complexity high with many business rules? → Clean architecture',\n 'Q4: Do you need to swap infrastructure frequently? → Hexagonal/ports-adapters',\n 'Q5: Is the team unfamiliar with DDD/clean arch? 
→ Start simple, refactor later',\n 'PRINCIPLE: Monolith-first — extract when you have evidence of need',\n 'WARNING: Premature clean architecture = over-engineering for simple CRUD apps',\n 'SIGNAL TO ADOPT: Business logic tangled with infrastructure, testing requires DB',\n ].join('\\n'),\n priority: 7,\n },\n ],\n} as const;\n","/**\n * Microservices Architecture Knowledge Module\n *\n * Covers service decomposition, saga patterns, circuit breakers,\n * service mesh, API gateways, event-driven architecture, and resilience.\n *\n * @module agents/experts/knowledge/architecture/microservices\n * @see https://microservices.io/patterns/\n * (Source: Epic #643 / Issue #648 - Phase 1d)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const MICROSERVICES_MODULE: KnowledgeModule = {\n id: 'architecture-microservices',\n domain: 'architecture',\n title: 'Microservices Architecture Patterns',\n tags: ['microservices', 'distributed-systems', 'saga', 'circuit-breaker', 'cqrs'],\n sections: [\n {\n title: 'Service Decomposition Strategies',\n content: [\n 'BY DOMAIN (DDD Bounded Contexts): Align services with business domains',\n ' APPLY: Order service, Inventory service, Payment service',\n ' BENEFIT: Changes isolated to domain, team autonomy',\n \"BY TEAM (Conway's Law): One service per team, team owns full lifecycle\",\n ' APPLY: Max 8 people per team, max 3 services per team',\n ' BENEFIT: Clear ownership, independent deployment',\n 'BY DATA: Services own their data store, no shared databases',\n ' APPLY: Each service has private DB; communicate via APIs/events',\n ' WARNING: Shared database = distributed monolith, defeats the purpose',\n 'RULE: If two services MUST deploy together, they are one service',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'Saga Pattern: Choreography vs Orchestration',\n content: [\n 'CHOREOGRAPHY: Services emit events; other services react autonomously',\n ' USE WHEN: ≤ 4 steps, simple flows, loose coupling 
preferred',\n ' RISK: Hard to track overall flow, debugging distributed events is complex',\n ' EXAMPLE: OrderCreated → PaymentCharged → InventoryReserved → OrderConfirmed',\n 'ORCHESTRATION: Central coordinator directs the saga step by step',\n ' USE WHEN: > 4 steps, complex compensation logic, visibility required',\n ' RISK: Coordinator is a single point of coupling (not failure if stateless)',\n ' EXAMPLE: OrderSaga calls PaymentService.charge(), then InventoryService.reserve()',\n 'COMPENSATION: Every step needs an undo action for rollback',\n 'DECISION: Simple linear flows → choreography; branching/retries → orchestration',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Circuit Breaker Pattern',\n content: [\n 'STATE: CLOSED → requests pass through, failures counted',\n 'STATE: OPEN → requests fail fast, no calls to downstream (after threshold)',\n 'STATE: HALF-OPEN → limited test requests sent, success → CLOSED, failure → OPEN',\n 'CONFIG: failure threshold (e.g., 5 failures in 60s), reset timeout (e.g., 30s)',\n 'CONFIG: half-open max requests (e.g., 3 probe requests)',\n 'APPLY: Wrap all external service calls in circuit breakers',\n 'MONITOR: Track state transitions, alert on OPEN state',\n 'COMBINE WITH: Fallback responses (cached data, degraded mode, default values)',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Event-Driven Architecture',\n content: [\n 'EVENT SOURCING: Store state changes as immutable event log, derive current state',\n ' USE WHEN: Audit trail required, temporal queries, complex domain events',\n ' WARNING: Adds complexity; do NOT use for simple CRUD',\n 'CQRS: Separate read models (queries) from write models (commands)',\n ' USE WHEN: Read and write patterns differ significantly in shape/scale',\n ' PATTERN: Command → write to event store; Event → project to read-optimized view',\n 'EVENT TYPES: Domain events (business), integration events (cross-service)',\n 'DELIVERY: At-least-once delivery default; design consumers to be 
idempotent',\n 'ORDERING: Use partition keys to guarantee order within an aggregate',\n ].join('\\n'),\n priority: 8,\n },\n {\n title: 'API Gateway and Service Mesh',\n content: [\n 'API GATEWAY: Single entry point for external clients',\n ' HANDLES: Auth, rate limiting, request routing, response aggregation',\n ' PATTERNS: Backend-for-Frontend (BFF) — one gateway per client type',\n 'SERVICE MESH: Infrastructure layer for service-to-service communication',\n ' HANDLES: mTLS, load balancing, retries, observability (sidecar proxy)',\n ' OPTIONS: Istio (feature-rich, complex), Linkerd (lightweight, simpler)',\n 'DECISION: External traffic → API gateway; internal traffic → service mesh',\n 'WARNING: Service mesh adds latency (~1-2ms per hop) and operational complexity',\n ].join('\\n'),\n priority: 7,\n },\n {\n title: 'Resilience Patterns',\n content: [\n 'RETRY: Retry transient failures with exponential backoff + jitter',\n ' CONFIG: max 3 retries, base delay 100ms, max delay 5s, jitter ±50ms',\n ' RULE: Only retry idempotent operations; never retry non-idempotent POST',\n 'TIMEOUT: Set explicit timeouts on all external calls',\n ' CONFIG: connect timeout 3s, read timeout 10s, total timeout 30s',\n 'BULKHEAD: Isolate resources per downstream dependency',\n ' APPLY: Separate thread pools/connection pools per service',\n ' BENEFIT: Slow service X cannot exhaust resources needed for service Y',\n 'FALLBACK: Provide degraded response when dependency fails',\n ' EXAMPLES: Cached data, default values, reduced functionality',\n ].join('\\n'),\n priority: 8,\n },\n {\n title: 'When NOT to Use Microservices',\n content: [\n 'MONOLITH-FIRST: Start with a well-structured monolith; extract later',\n 'AVOID WHEN: Team < 5 people (overhead exceeds benefit)',\n 'AVOID WHEN: Domain is not well understood (wrong boundaries are expensive)',\n 'AVOID WHEN: Low deployment frequency (< weekly releases)',\n 'AVOID WHEN: Limited DevOps maturity (need CI/CD, monitoring, container 
orchestration)',\n 'COST: Distributed tracing, eventual consistency, network failures, data management',\n 'SIGNAL TO ADOPT: Monolith deploys are bottlenecked, teams step on each other',\n 'SIGNAL TO ADOPT: Different parts need different scaling characteristics',\n ].join('\\n'),\n priority: 7,\n },\n ],\n} as const;\n","/**\n * Architecture Knowledge Modules\n *\n * Domain knowledge for enriching architecture expert agent prompts.\n * Contains architectural patterns, system design principles, and decision frameworks.\n *\n * @module agents/experts/knowledge/architecture\n * (Source: Epic #643 / Issue #648 - Phase 1d, Phase 5a)\n */\n\nimport type { KnowledgeModule } from '../types.js';\nimport { CLEAN_ARCHITECTURE_MODULE } from './clean-architecture.js';\nimport { MICROSERVICES_MODULE } from './microservices.js';\n\nexport { CLEAN_ARCHITECTURE_MODULE } from './clean-architecture.js';\nexport { MICROSERVICES_MODULE } from './microservices.js';\n\n/**\n * Architecture domain knowledge modules.\n * Includes clean architecture patterns and microservices architecture guidance.\n */\nexport const ARCHITECTURE_KNOWLEDGE_MODULES: readonly KnowledgeModule[] = [\n CLEAN_ARCHITECTURE_MODULE,\n MICROSERVICES_MODULE,\n];\n\n/**\n * Common architecture domain patterns for quick reference injection.\n */\nexport const ARCHITECTURE_DOMAIN_PATTERNS = {\n cleanArchLayers: 'Entities > Use Cases > Interface Adapters > Frameworks; deps point inward only',\n hexagonal: 'Core defines ports (interfaces); adapters implement them; swap via DI',\n solidPrinciples: 'Single Responsibility, Open/Closed, Liskov, Interface Segregation, DI',\n moduleBoundaries: 'Single barrel export; anti-corruption layers; shared kernel minimal',\n decomposition: 'Bounded contexts; one service per team; services own their data store',\n} as const;\n\n/**\n * Architecture best practices summary for prompt injection.\n */\nexport const ARCHITECTURE_BEST_PRACTICES = {\n designDecisions: 'Document all decisions as 
ADRs with context, decision, and consequences',\n tradeoffs: 'State trade-offs explicitly; no decision is free; CAP, latency vs throughput',\n monolithFirst: 'Start with modular monolith; extract when evidence of need exists',\n resilience: 'Circuit breakers on external calls; retry with backoff; timeout everything',\n scalability: 'Stateless services; caching strategy; async processing for heavy work',\n} as const;\n\n/**\n * Build a formatted knowledge prompt for architecture expert prompt injection.\n *\n * @returns Formatted string with architecture domain knowledge\n */\nexport function getArchitectureKnowledgePrompt(): string {\n const sections = ARCHITECTURE_KNOWLEDGE_MODULES.flatMap((module) => module.sections)\n .sort((a, b) => b.priority - a.priority)\n .slice(0, 8);\n\n const formatted = sections\n .map((section) => `### ${section.title}\\n${section.content}`)\n .join('\\n\\n');\n\n return `## Architecture Domain Knowledge\\n\\n${formatted}`;\n}\n","/**\n * OWASP API Security Top 10 (2023) Knowledge Module\n *\n * Detection patterns and remediation guidance for each OWASP API\n * security risk category.\n *\n * @module agents/experts/knowledge/security/owasp-api-top10\n * @see https://owasp.org/API-Security/\n * (Source: Epic #643 / Issue #645 - Phase 1a)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const OWASP_API_TOP10_MODULE: KnowledgeModule = {\n id: 'security-owasp-api-top10',\n domain: 'security',\n title: 'OWASP API Security Top 10 (2023)',\n nistControls: ['AC-3', 'AC-4', 'AC-6', 'IA-2', 'IA-5', 'SC-8', 'SI-10', 'AU-2'],\n tags: ['owasp', 'api', 'web-security', 'top10'],\n sections: [\n {\n title: 'API1 - Broken Object Level Authorization (BOLA)',\n content: [\n 'DETECT: Direct object references in URL paths (e.g., /api/users/{id})',\n 'DETECT: Missing ownership checks on resource access',\n 'DETECT: Sequential or guessable IDs without authz validation',\n 'REMEDIATE: Enforce per-object authorization checks in every 
handler',\n 'REMEDIATE: Use non-sequential UUIDs for resource identifiers',\n 'REMEDIATE: Validate resource ownership against authenticated user context',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'API2 - Broken Authentication',\n content: [\n 'DETECT: Missing rate limiting on auth endpoints',\n 'DETECT: Credentials in URL query parameters',\n 'DETECT: Weak token generation (short, predictable)',\n 'REMEDIATE: Enforce strong password policies + MFA',\n 'REMEDIATE: Use short-lived access tokens (<15 min) with refresh rotation',\n 'REMEDIATE: Rate-limit login attempts per IP and per account',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'API3 - Broken Object Property Level Authorization',\n content: [\n 'DETECT: API responses exposing internal fields (isAdmin, passwordHash)',\n 'DETECT: Mass assignment via unfiltered request bodies',\n 'DETECT: Missing field-level access control on PATCH/PUT',\n 'REMEDIATE: Define explicit response schemas per role',\n 'REMEDIATE: Whitelist assignable fields; reject unknown properties',\n 'REMEDIATE: Use DTOs to decouple internal models from API contracts',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'API4 - Unrestricted Resource Consumption',\n content: [\n 'DETECT: Missing pagination limits on list endpoints',\n 'DETECT: No request size limits on file uploads or payloads',\n 'DETECT: Unbounded queries (SELECT * without LIMIT)',\n 'REMEDIATE: Set max page size (e.g., 100 items), enforce server-side',\n 'REMEDIATE: Limit request body size, file upload size, query complexity',\n 'REMEDIATE: Implement rate limiting per user/IP with budget tracking',\n ].join('\\n'),\n priority: 8,\n },\n {\n title: 'API5 - Broken Function Level Authorization',\n content: [\n 'DETECT: Admin endpoints accessible by regular users',\n 'DETECT: HTTP method-based access control bypass (GET vs DELETE)',\n 'DETECT: Missing role checks on privileged operations',\n 'REMEDIATE: Deny by default; explicitly grant per-role access',\n 'REMEDIATE: 
Enforce authz at middleware layer, not just in handlers',\n 'REMEDIATE: Audit all endpoints for correct role requirements',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'API6 - Unrestricted Access to Sensitive Business Flows',\n content: [\n 'DETECT: No rate limiting on business-critical flows (checkout, transfers)',\n 'DETECT: Automated abuse of referral/reward systems',\n 'DETECT: Missing CAPTCHA or bot detection on high-value operations',\n 'REMEDIATE: Identify and protect business-critical flows',\n 'REMEDIATE: Add velocity checks and anomaly detection',\n 'REMEDIATE: Implement step-up authentication for sensitive operations',\n ].join('\\n'),\n priority: 7,\n },\n {\n title: 'API7 - Server Side Request Forgery (SSRF)',\n content: [\n 'DETECT: User-supplied URLs fetched server-side without validation',\n 'DETECT: Internal service endpoints reachable via URL parameters',\n 'DETECT: DNS rebinding or redirect-following in URL fetchers',\n 'REMEDIATE: Validate and whitelist allowed URL schemes and hosts',\n 'REMEDIATE: Block requests to internal/private IP ranges (RFC 1918)',\n 'REMEDIATE: Use allowlists for external service integrations',\n ].join('\\n'),\n priority: 8,\n },\n {\n title: 'API8 - Security Misconfiguration',\n content: [\n 'DETECT: Verbose error messages exposing stack traces',\n 'DETECT: Missing security headers (CORS wildcard, no CSP)',\n 'DETECT: Default credentials or unnecessary HTTP methods enabled',\n 'REMEDIATE: Harden CORS: explicit origins, no wildcard with credentials',\n 'REMEDIATE: Enable security headers: CSP, HSTS, X-Content-Type-Options',\n 'REMEDIATE: Disable debug endpoints and verbose errors in production',\n ].join('\\n'),\n priority: 7,\n },\n {\n title: 'API9 - Improper Inventory Management',\n content: [\n 'DETECT: Undocumented or shadow API endpoints',\n 'DETECT: Old API versions still accessible without deprecation',\n 'DETECT: Missing API gateway or centralized access control',\n 'REMEDIATE: Maintain an API inventory 
with OpenAPI specs',\n 'REMEDIATE: Enforce versioning policy with sunset dates',\n 'REMEDIATE: Route all traffic through API gateway for visibility',\n ].join('\\n'),\n priority: 6,\n },\n {\n title: 'API10 - Unsafe Consumption of APIs',\n content: [\n 'DETECT: Third-party API responses used without validation',\n 'DETECT: Missing TLS verification on outbound API calls',\n 'DETECT: No timeout or circuit breaker on external dependencies',\n 'REMEDIATE: Validate and sanitize all third-party API responses',\n 'REMEDIATE: Enforce TLS 1.2+ with certificate verification',\n 'REMEDIATE: Set timeouts, retries, and circuit breakers on external calls',\n ].join('\\n'),\n priority: 7,\n },\n ],\n} as const;\n","/**\n * Authentication Knowledge Module\n *\n * OAuth2 flows, JWT validation, MFA patterns, session management,\n * and password storage best practices.\n *\n * @module agents/experts/knowledge/security/authentication\n * @see NIST 800-53: IA-2, IA-5, IA-8\n * (Source: Epic #643 / Issue #645 - Phase 1a)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const AUTHENTICATION_MODULE: KnowledgeModule = {\n id: 'security-authentication',\n domain: 'security',\n title: 'Authentication Standards and Patterns',\n nistControls: ['IA-2', 'IA-5', 'IA-8'],\n tags: ['authentication', 'oauth2', 'jwt', 'mfa', 'session'],\n sections: [\n {\n title: 'OAuth2 Authorization Code Flow with PKCE',\n content: [\n 'REQUIRED for SPAs and mobile apps (no client_secret in public clients)',\n 'FLOW: 1) Generate code_verifier (43-128 chars, [A-Za-z0-9-._~])',\n ' 2) Derive code_challenge = BASE64URL(SHA256(code_verifier))',\n ' 3) Redirect to /authorize with code_challenge + method=S256',\n ' 4) Exchange auth code + code_verifier at /token endpoint',\n 'CHECKLIST:',\n ' - Use state parameter to prevent CSRF (bind to session)',\n ' - Validate redirect_uri exactly (no open redirects)',\n ' - Store tokens in memory or httpOnly cookies (never localStorage)',\n ' - Use nonce 
parameter with OIDC to prevent replay attacks',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'JWT Validation Rules',\n content: [\n 'SIGNING: Use RS256 (RSA + SHA-256) or ES256 (ECDSA); never HS256 with public keys',\n 'VALIDATION CHECKLIST:',\n ' 1. Verify signature against known public key (JWKS endpoint)',\n ' 2. Check exp claim (reject expired tokens)',\n ' 3. Check iss claim (must match expected issuer)',\n ' 4. Check aud claim (must match this service)',\n ' 5. Check iat claim (reject tokens issued too far in the past)',\n ' 6. Reject alg: \"none\" explicitly',\n 'TOKEN LIFETIMES:',\n ' - Access token: max 15 minutes',\n ' - Refresh token: max 7 days, single-use with rotation',\n ' - ID token: max 1 hour',\n 'DENY: Embedded secrets in JWT payloads, JWTs in URL parameters',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'Multi-Factor Authentication (MFA)',\n content: [\n 'TOTP (Time-based One-Time Password):',\n ' - Use SHA-1/SHA-256 with 6-digit codes, 30-second window',\n ' - Allow +/- 1 time step for clock drift',\n ' - Store shared secret encrypted at rest (AES-256)',\n ' - Provide backup codes (8+ chars, single-use, hashed in storage)',\n 'WebAuthn / FIDO2 (preferred):',\n ' - Phishing-resistant: origin-bound credentials',\n ' - Use resident keys for passwordless flows',\n ' - Store credential public key + credential ID, never private key',\n ' - Set attestation: \"none\" unless compliance requires \"direct\"',\n 'ENFORCEMENT: Require MFA for admin actions, sensitive data access, account recovery',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Session Management',\n content: [\n 'COOKIE SETTINGS (all required):',\n ' - httpOnly: true (prevent XSS token theft)',\n ' - secure: true (HTTPS only)',\n ' - sameSite: \"Lax\" (default) or \"Strict\" (sensitive ops)',\n ' - path: \"/\" or most restrictive path needed',\n ' - maxAge: match session timeout (idle: 15min, absolute: 8hr)',\n 'SESSION LIFECYCLE:',\n ' - Regenerate session ID after 
authentication',\n ' - Invalidate session server-side on logout (not just cookie clear)',\n ' - Implement idle timeout (15 min) and absolute timeout (8 hr)',\n ' - Bind session to user-agent + IP range for anomaly detection',\n 'DENY: Session IDs in URLs, persistent sessions without re-auth',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Password Storage',\n content: [\n 'ALGORITHMS (in preference order):',\n ' 1. argon2id (memory=64MB, iterations=3, parallelism=4)',\n ' 2. bcrypt (cost factor=12, max input 72 bytes)',\n ' 3. scrypt (N=2^17, r=8, p=1) — if argon2 unavailable',\n 'RULES:',\n ' - Minimum 12 characters, no maximum below 128',\n ' - Check against breach databases (HIBP k-anonymity API)',\n ' - No composition rules (uppercase/special char requirements)',\n ' - Hash on server side, never client-only',\n 'DENY: MD5, SHA-1, SHA-256 without KDF, plain-text storage, reversible encryption',\n ].join('\\n'),\n priority: 8,\n },\n ],\n} as const;\n","/**\n * Authorization Knowledge Module\n *\n * RBAC/ABAC decision trees, policy patterns, least privilege,\n * and access control enforcement.\n *\n * @module agents/experts/knowledge/security/authorization\n * @see NIST 800-53: AC-3, AC-4, AC-6\n * (Source: Epic #643 / Issue #645 - Phase 1a)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const AUTHORIZATION_MODULE: KnowledgeModule = {\n id: 'security-authorization',\n domain: 'security',\n title: 'Authorization Patterns and Access Control',\n nistControls: ['AC-3', 'AC-4', 'AC-6'],\n tags: ['authorization', 'rbac', 'abac', 'access-control', 'least-privilege'],\n sections: [\n {\n title: 'RBAC vs ABAC Decision Tree',\n content: [\n 'USE RBAC WHEN:',\n ' - Permissions map cleanly to job roles',\n ' - Organization has stable, well-defined role hierarchy',\n ' - Fewer than ~20 distinct permission sets needed',\n ' - Compliance requires auditable role assignments',\n 'USE ABAC WHEN:',\n ' - Access depends on resource attributes (owner, 
classification)',\n ' - Context-sensitive rules (time-of-day, location, device)',\n ' - Fine-grained per-field or per-record authorization',\n ' - Dynamic policies that change without code deployment',\n 'HYBRID APPROACH: Use RBAC for coarse-grained + ABAC for fine-grained',\n ' Example: RBAC grants \"editor\" role, ABAC restricts to own-department docs',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'Permission Inheritance and Hierarchy',\n content: [\n 'PATTERN: Role hierarchy with additive permissions',\n ' viewer < editor < admin < super-admin',\n ' Each level inherits ALL permissions from levels below',\n 'RULES:',\n ' - Deny overrides allow at every level',\n ' - Explicit deny cannot be overridden by inherited allow',\n ' - Permission boundaries: cap maximum permissions regardless of role',\n ' - Scope permissions to resource type + action pairs',\n 'ANTI-PATTERNS:',\n ' - Negation-based rules (allow all except...) — use allowlists instead',\n ' - Role explosion (>50 roles) — indicates need for ABAC migration',\n ' - Permission creep — audit and revoke unused permissions quarterly',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Deny-by-Default Enforcement',\n content: [\n 'PRINCIPLE: All access is denied unless explicitly granted',\n 'IMPLEMENTATION:',\n ' 1. Default middleware rejects unauthenticated requests (401)',\n ' 2. Default authz middleware rejects unauthorized requests (403)',\n ' 3. Routes explicitly declare required permissions',\n ' 4. 
Missing permission annotations = denied (fail closed)',\n 'CHECKLIST:',\n ' - [ ] No endpoint is accessible without authz check',\n ' - [ ] New routes require explicit permission declaration',\n ' - [ ] Wildcard permissions (e.g., resource:*) are prohibited',\n ' - [ ] Service-to-service calls use scoped service accounts',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'Policy Enforcement Points',\n content: [\n 'LAYERED ENFORCEMENT (defense in depth):',\n ' Layer 1 — API Gateway: Rate limiting, IP filtering, token validation',\n ' Layer 2 — Service Middleware: Role/permission checks, scope validation',\n ' Layer 3 — Business Logic: Resource ownership, field-level access',\n ' Layer 4 — Data Layer: Row-level security, column masking',\n 'RULES:',\n ' - Never rely on a single enforcement point',\n ' - Gateway checks are necessary but not sufficient',\n ' - Authorization decisions must be logged (who, what, when, result)',\n ' - Cache authz decisions with short TTL (max 5 min)',\n ].join('\\n'),\n priority: 8,\n },\n {\n title: 'OAuth2 Scopes and API Authorization',\n content: [\n 'SCOPE DESIGN:',\n ' - Use resource:action format (e.g., users:read, orders:write)',\n ' - Define minimal scope sets for each client type',\n ' - Require scope consent for third-party clients',\n 'ENFORCEMENT:',\n ' - Validate token scopes on every API request',\n ' - Reject tokens with broader scopes than endpoint requires',\n ' - Use audience (aud) restriction to prevent token misuse across services',\n 'LEAST PRIVILEGE:',\n ' - Grant minimum scopes needed for the client use case',\n ' - Short-lived tokens with narrow scopes over long-lived broad tokens',\n ' - Review and prune granted scopes periodically',\n ].join('\\n'),\n priority: 8,\n },\n ],\n} as const;\n","/**\n * Input Validation Knowledge Module\n *\n * Validation rules by input type, sanitization patterns,\n * and injection prevention guidance.\n *\n * @module agents/experts/knowledge/security/input-validation\n * @see 
NIST 800-53: SI-10, SI-15\n * (Source: Epic #643 / Issue #645 - Phase 1a)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const INPUT_VALIDATION_MODULE: KnowledgeModule = {\n id: 'security-input-validation',\n domain: 'security',\n title: 'Input Validation and Sanitization',\n nistControls: ['SI-10', 'SI-15'],\n tags: ['input-validation', 'sanitization', 'injection-prevention', 'xss'],\n sections: [\n {\n title: 'Validation Strategy: Allowlist Over Denylist',\n content: [\n 'PRINCIPLE: Define what IS valid, reject everything else',\n 'ORDER OF OPERATIONS:',\n ' 1. Type check (is it the expected type?)',\n ' 2. Length/size check (within bounds?)',\n ' 3. Format check (matches allowed pattern?)',\n ' 4. Range/value check (within allowed values?)',\n ' 5. Business logic check (makes sense in context?)',\n 'RULES:',\n ' - Validate on server side (client validation is UX only)',\n ' - Validate at system boundaries (API entry, file upload, DB input)',\n ' - Use schema validation libraries (Zod, Joi) over manual checks',\n ' - Reject invalid input with 400 status, not silent transformation',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'Type-Specific Validation Rules',\n content: [\n 'STRING:',\n ' - Max length: enforce per field (name: 255, bio: 2000)',\n ' - Character set: restrict to expected chars (alphanumeric + limited special)',\n ' - Encoding: normalize to UTF-8, reject overlong sequences',\n 'EMAIL:',\n ' - Use RFC 5322 validation, max 254 chars total',\n ' - Reject emails without @ and domain part',\n ' - Verify via confirmation email, not regex alone',\n 'URL:',\n ' - Allowlist schemes: https only (http for dev only)',\n ' - Reject javascript:, data:, file:, ftp: schemes',\n ' - Validate against URL parser, not regex',\n 'NUMERIC:',\n ' - Define min/max bounds per field',\n ' - Reject NaN, Infinity, negative zero where inappropriate',\n ' - Use integer types where decimals are not expected',\n ].join('\\n'),\n priority: 9,\n },\n {\n 
title: 'File Upload Validation',\n content: [\n 'CHECKLIST:',\n ' - [ ] Validate MIME type via magic bytes, not just extension',\n ' - [ ] Enforce max file size (server-side, before full read)',\n ' - [ ] Allowlist file extensions (.pdf, .png, .jpg, .docx)',\n ' - [ ] Rename uploaded files (UUID-based, strip original name)',\n ' - [ ] Store outside web root, serve via signed URLs',\n ' - [ ] Scan for malware before processing',\n ' - [ ] Set Content-Disposition: attachment on download',\n 'DENY: Executable extensions (.exe, .sh, .bat, .ps1, .jar)',\n 'DENY: Double extensions (file.pdf.exe), null byte injection (file.pdf%00.exe)',\n 'DENY: SVG uploads without sanitization (can contain scripts)',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Injection Prevention Patterns',\n content: [\n 'SQL INJECTION:',\n ' - Use parameterized queries / prepared statements exclusively',\n ' - Never concatenate user input into SQL strings',\n ' - Use ORM query builders with parameter binding',\n ' - Escape identifiers (table/column names) separately',\n 'XSS (Cross-Site Scripting):',\n ' - HTML-encode output by default (framework auto-escaping)',\n ' - Use Content-Security-Policy header to block inline scripts',\n ' - Sanitize rich text with allowlist-based sanitizer (DOMPurify)',\n ' - Set httpOnly on cookies to prevent JS access',\n 'PATH TRAVERSAL:',\n ' - Resolve path and verify it starts with expected root',\n ' - Reject inputs containing ../ or ..\\\\',\n ' - Use path.resolve() then check prefix, not string matching',\n 'COMMAND INJECTION:',\n ' - Avoid shell exec; use direct process spawn with arg arrays',\n ' - If shell required: use allowlisted commands only, no user input in args',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'HTML Sanitization',\n content: [\n 'WHEN: Accepting rich text / HTML content from users',\n 'APPROACH:',\n ' 1. Parse HTML into DOM tree',\n ' 2. Walk tree, remove elements not in allowlist',\n ' 3. 
Remove attributes not in allowlist per element',\n ' 4. Remove event handler attributes (onclick, onerror, etc.)',\n ' 5. Serialize back to HTML string',\n 'SAFE ELEMENTS: p, br, strong, em, ul, ol, li, a (href only), img (src only)',\n 'DENY: script, iframe, object, embed, form, input, style, link, meta, base',\n 'TOOLS: DOMPurify (browser/Node), sanitize-html (Node)',\n 'RULE: Sanitize on input AND escape on output (defense in depth)',\n ].join('\\n'),\n priority: 8,\n },\n ],\n} as const;\n","/**\n * Secrets Management Knowledge Module\n *\n * Secrets lifecycle, rotation patterns, vault integration,\n * environment variable handling, and pre-commit scanning.\n *\n * @module agents/experts/knowledge/security/secrets-management\n * @see NIST 800-53: SC-12, SC-13\n * (Source: Epic #643 / Issue #645 - Phase 1a)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const SECRETS_MANAGEMENT_MODULE: KnowledgeModule = {\n id: 'security-secrets-management',\n domain: 'security',\n title: 'Secrets Management and Key Lifecycle',\n nistControls: ['SC-12', 'SC-13'],\n tags: ['secrets', 'vault', 'key-management', 'rotation', 'environment-variables'],\n sections: [\n {\n title: 'Secrets Lifecycle',\n content: [\n 'PHASES: Generation -> Storage -> Distribution -> Usage -> Rotation -> Revocation',\n 'GENERATION:',\n ' - Use cryptographically secure RNG (crypto.randomBytes, /dev/urandom)',\n ' - Minimum entropy: API keys 256-bit, passwords 128-bit',\n ' - Generate secrets in secure environment, not dev machines',\n 'STORAGE:',\n ' - Secrets manager (Vault, AWS Secrets Manager, GCP Secret Manager)',\n ' - Encrypted at rest with managed keys (AES-256-GCM)',\n ' - Access-controlled: least privilege, audit logged',\n 'REVOCATION:',\n ' - Immediate revocation capability for all secret types',\n ' - Maintain revocation list or use short-lived secrets',\n ' - Automate revocation on personnel changes',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'Never Hardcode 
Secrets',\n content: [\n 'DETECT: Strings matching secret patterns in source code',\n ' - API keys: long alphanumeric strings, base64 blocks',\n ' - Connection strings with embedded passwords',\n ' - Private keys (-----BEGIN RSA PRIVATE KEY-----)',\n ' - AWS access keys (AKIA...), GCP service account JSON',\n 'PREVENTION:',\n ' - Pre-commit hooks: git-secrets, Gitleaks, detect-secrets',\n ' - CI scanning: run secret detection in every PR pipeline',\n ' - IDE plugins: flag secrets in real-time during development',\n 'IF EXPOSED:',\n ' 1. Revoke the secret immediately',\n ' 2. Rotate to a new secret',\n ' 3. Audit usage logs for unauthorized access',\n ' 4. Remove from git history (BFG Repo-Cleaner or git filter-branch)',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'Rotation Policies',\n content: [\n 'ROTATION SCHEDULE:',\n ' - API keys: every 90 days or on suspected compromise',\n ' - Database credentials: every 90 days, automated',\n \" - TLS certificates: before expiry (automate with ACME/Let's Encrypt)\",\n ' - Signing keys: annually, with key versioning',\n ' - Service account tokens: every 30 days',\n 'ZERO-DOWNTIME ROTATION:',\n ' 1. Create new secret (version N+1)',\n ' 2. Deploy consumers to accept both N and N+1',\n ' 3. Update producers to use N+1',\n ' 4. Verify all traffic uses N+1',\n ' 5. Revoke version N',\n 'AUTOMATION: Use secrets manager native rotation (Vault dynamic secrets)',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Environment Variable Handling',\n content: [\n 'RULES:',\n ' - Use env vars for runtime secrets injection (12-factor app)',\n ' - Never log env var values (log presence only: KEY_SET=true)',\n ' - Never pass secrets via CLI arguments (visible in ps/proc)',\n ' - Never commit .env files (add to .gitignore)',\n 'LOADING PATTERN:',\n ' 1. Load from secrets manager at startup (preferred)',\n ' 2. Inject via orchestrator env (Kubernetes secrets, ECS secrets)',\n ' 3. 
Load from .env file in development only (dotenv)',\n 'VALIDATION:',\n ' - Fail fast on missing required secrets at startup',\n ' - Validate secret format (expected length, prefix) without logging value',\n ' - Use typed config schemas (Zod) to enforce required secrets',\n ].join('\\n'),\n priority: 8,\n },\n {\n title: 'Vault Integration Patterns',\n content: [\n 'HASHICORP VAULT:',\n ' - Use AppRole auth for services (role_id + secret_id)',\n ' - Use Kubernetes auth for K8s workloads (service account JWT)',\n ' - Prefer dynamic secrets (database, AWS STS) over static',\n ' - Set TTL on leases; renew before expiry',\n 'CERTIFICATE MANAGEMENT:',\n ' - Use Vault PKI engine for internal TLS certificates',\n ' - Short-lived certs (24-72 hours) with automated renewal',\n ' - Pin to CA, not individual leaf certificates',\n 'CLIENT PATTERN:',\n ' - Cache secrets in memory with TTL (never write to disk)',\n ' - Handle lease expiry gracefully (re-fetch, not crash)',\n ' - Use connection pooling for Vault client requests',\n ].join('\\n'),\n priority: 7,\n },\n ],\n} as const;\n","/**\n * Threat Modeling Knowledge Module\n *\n * STRIDE methodology, attack trees, threat matrix templates,\n * and risk prioritization frameworks.\n *\n * @module agents/experts/knowledge/security/threat-modeling\n * @see NIST 800-53: RA-3, RA-5\n * (Source: Epic #643 / Issue #645 - Phase 1a)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const THREAT_MODELING_MODULE: KnowledgeModule = {\n id: 'security-threat-modeling',\n domain: 'security',\n title: 'Threat Modeling with STRIDE',\n nistControls: ['RA-3', 'RA-5'],\n tags: ['threat-modeling', 'stride', 'attack-trees', 'risk-assessment'],\n sections: [\n {\n title: 'STRIDE Categories',\n content: [\n 'S — SPOOFING (violates Authentication):',\n ' Threat: Attacker impersonates a user or system',\n ' Examples: Credential theft, session hijacking, token forgery',\n ' Mitigations: MFA, mutual TLS, signed tokens, certificate 
pinning',\n 'T — TAMPERING (violates Integrity):',\n ' Threat: Attacker modifies data in transit or at rest',\n ' Examples: Man-in-middle, SQL injection, file modification',\n ' Mitigations: TLS, HMAC signatures, input validation, checksums',\n 'R — REPUDIATION (violates Non-repudiation):',\n ' Threat: Attacker denies performing an action',\n ' Examples: Deleting logs, unsigned transactions',\n ' Mitigations: Audit logging, digital signatures, append-only logs',\n 'I — INFORMATION DISCLOSURE (violates Confidentiality):',\n ' Threat: Data exposed to unauthorized parties',\n ' Examples: Verbose errors, directory listing, unencrypted PII',\n ' Mitigations: Encryption at rest/transit, access control, data masking',\n 'D — DENIAL OF SERVICE (violates Availability):',\n ' Threat: System rendered unavailable',\n ' Examples: Resource exhaustion, amplification attacks, deadlocks',\n ' Mitigations: Rate limiting, auto-scaling, circuit breakers, CDN',\n 'E — ELEVATION OF PRIVILEGE (violates Authorization):',\n ' Threat: Attacker gains higher privileges',\n ' Examples: Privilege escalation, IDOR, insecure deserialization',\n ' Mitigations: Least privilege, input validation, sandboxing',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'Threat Modeling Process',\n content: [\n 'STEP 1 — Define Scope:',\n ' - Identify system boundaries and trust boundaries',\n ' - List assets (data, services, infrastructure)',\n ' - Identify entry points (APIs, UIs, message queues)',\n 'STEP 2 — Create Data Flow Diagram (DFD):',\n ' - External entities (users, third-party services)',\n ' - Processes (services, functions)',\n ' - Data stores (databases, caches, file systems)',\n ' - Data flows (arrows showing data movement)',\n ' - Trust boundaries (dashed lines separating trust zones)',\n 'STEP 3 — Identify Threats:',\n ' - Apply STRIDE to each element in the DFD',\n ' - Focus on trust boundary crossings',\n ' - Document threat scenarios with attacker goals',\n 'STEP 4 — Assess and 
Prioritize:',\n ' - Use risk matrix (likelihood x impact)',\n ' - Categorize: Critical / High / Medium / Low',\n 'STEP 5 — Define Mitigations:',\n ' - Map each threat to specific controls',\n ' - Track in issue tracker with severity labels',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Attack Surface Mapping',\n content: [\n 'IDENTIFY ATTACK SURFACE:',\n ' - Network: open ports, exposed services, DNS records',\n ' - Application: API endpoints, file upload, auth flows',\n ' - Human: phishing targets, social engineering vectors',\n ' - Supply chain: dependencies, build pipeline, CI/CD',\n 'REDUCE ATTACK SURFACE:',\n ' - Disable unused services and ports',\n ' - Remove debug endpoints in production',\n ' - Minimize public API surface area',\n ' - Use network segmentation (VPC, subnets)',\n ' - Pin and audit third-party dependencies',\n 'MONITOR:',\n ' - Track new endpoints added per release',\n ' - Alert on unexpected port openings',\n ' - Review dependency additions in PRs',\n ].join('\\n'),\n priority: 8,\n },\n {\n title: 'Risk Prioritization Matrix',\n content: [\n 'LIKELIHOOD SCALE:',\n ' 5-Certain: Exploit publicly known, trivial to execute',\n ' 4-Likely: Exploit known, requires moderate skill',\n ' 3-Possible: Exploit theoretical, requires significant skill',\n ' 2-Unlikely: Requires insider access + specialized knowledge',\n ' 1-Rare: Requires multiple unlikely conditions',\n 'IMPACT SCALE:',\n ' 5-Critical: Full system compromise, mass data breach',\n ' 4-High: Significant data exposure, service outage',\n ' 3-Medium: Limited data exposure, degraded service',\n ' 2-Low: Minor information leak, no direct harm',\n ' 1-Negligible: Cosmetic, no security impact',\n 'RISK SCORE: Likelihood x Impact (1-25)',\n ' Critical (20-25): Immediate remediation, block release',\n ' High (12-19): Remediate within current sprint',\n ' Medium (6-11): Schedule for next sprint',\n ' Low (1-5): Track in backlog, accept risk if justified',\n ].join('\\n'),\n priority: 8,\n 
},\n {\n title: 'Attack Tree Template',\n content: [\n 'ROOT GOAL: [Attacker objective, e.g., \"Exfiltrate user PII\"]',\n 'BRANCHES (OR = any path, AND = all required):',\n ' OR 1: Exploit API vulnerability',\n ' AND 1.1: Discover undocumented endpoint (recon)',\n ' AND 1.2: Bypass authentication (BOLA, broken auth)',\n ' AND 1.3: Extract data (pagination abuse, export)',\n ' OR 2: Compromise credentials',\n ' AND 2.1: Phishing attack on admin user',\n ' AND 2.2: Use credentials to access admin panel',\n ' AND 2.3: Export user data via admin tools',\n ' OR 3: Supply chain attack',\n ' AND 3.1: Compromise dependency with data exfil payload',\n ' AND 3.2: Wait for dependency update in target system',\n 'ANNOTATE each node with: likelihood, impact, existing controls, gaps',\n 'USE: Identify cheapest attack path for attacker = highest priority to defend',\n ].join('\\n'),\n priority: 7,\n },\n ],\n} as const;\n","/**\n * NIST 800-53 Controls Reference Knowledge Module\n *\n * Control reference table for common security findings across\n * Access Control (AC), Identification and Authentication (IA),\n * System and Communications Protection (SC), and Audit (AU) families.\n *\n * @module agents/experts/knowledge/security/nist-controls\n * @see https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\n * (Source: Epic #643 / Issue #645 - Phase 1a)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const NIST_CONTROLS_MODULE: KnowledgeModule = {\n id: 'security-nist-controls',\n domain: 'security',\n title: 'NIST 800-53 Control Reference',\n nistControls: [\n 'AC-2',\n 'AC-3',\n 'AC-4',\n 'AC-6',\n 'AC-7',\n 'AC-8',\n 'IA-2',\n 'IA-5',\n 'IA-8',\n 'SC-8',\n 'SC-12',\n 'SC-13',\n 'SC-28',\n 'AU-2',\n 'AU-3',\n 'AU-6',\n 'AU-12',\n ],\n tags: ['nist', '800-53', 'compliance', 'controls', 'reference'],\n sections: [\n {\n title: 'Access Control (AC) Family',\n content: [\n 'AC-2 Account Management:',\n ' - Automate account provisioning and 
deprovisioning',\n ' - Disable inactive accounts after 90 days',\n ' - Review accounts quarterly; remove unauthorized',\n 'AC-3 Access Enforcement:',\n ' - Enforce approved authorizations at system level',\n ' - Implement deny-by-default access control',\n ' - Validate permissions on every request, not just login',\n 'AC-4 Information Flow Enforcement:',\n ' - Control data flow between security domains',\n ' - Enforce network segmentation policies',\n ' - Filter cross-boundary data transfers',\n 'AC-6 Least Privilege:',\n ' - Grant minimum permissions required for function',\n ' - Separate duties for privileged operations',\n ' - Review privileged access monthly',\n 'AC-7 Unsuccessful Login Attempts:',\n ' - Lock account after 5 consecutive failed attempts',\n ' - Implement exponential backoff on retries',\n ' - Alert security team on repeated failures',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Identification and Authentication (IA) Family',\n content: [\n 'IA-2 Identification and Authentication (Users):',\n ' - Uniquely identify and authenticate all users',\n ' - Require MFA for privileged accounts',\n ' - Require MFA for remote access',\n 'IA-5 Authenticator Management:',\n ' - Enforce minimum password complexity (12+ chars)',\n ' - Use approved password hashing (argon2id, bcrypt)',\n ' - Protect authenticators from unauthorized disclosure',\n ' - Rotate authenticators on suspected compromise',\n 'IA-8 Identification and Authentication (Non-Org Users):',\n ' - Authenticate external users and services',\n ' - Use federation (SAML, OIDC) for cross-org auth',\n ' - Apply same strength requirements as internal users',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'System and Communications Protection (SC) Family',\n content: [\n 'SC-8 Transmission Confidentiality and Integrity:',\n ' - Encrypt all data in transit (TLS 1.2+ mandatory)',\n ' - Use certificate validation on all TLS connections',\n ' - Disable deprecated protocols (SSLv3, TLS 1.0, TLS 
1.1)',\n 'SC-12 Cryptographic Key Establishment and Management:',\n ' - Use approved key generation methods (CSPRNG)',\n ' - Protect keys at rest with hardware or software KMS',\n ' - Define key lifecycle (generation, distribution, rotation, destruction)',\n 'SC-13 Cryptographic Protection:',\n ' - Use FIPS-approved algorithms (AES-256, SHA-256, RSA-2048+)',\n ' - No custom/proprietary cryptographic implementations',\n ' - Validate cryptographic module configuration',\n 'SC-28 Protection of Information at Rest:',\n ' - Encrypt sensitive data at rest (AES-256-GCM)',\n ' - Use separate encryption keys per tenant/data class',\n ' - Secure key storage separate from encrypted data',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Audit and Accountability (AU) Family',\n content: [\n 'AU-2 Audit Events:',\n ' - Log: authentication attempts (success + failure)',\n ' - Log: authorization decisions (grants + denials)',\n ' - Log: data access (read/write of sensitive records)',\n ' - Log: configuration changes (settings, permissions)',\n ' - Log: system events (startup, shutdown, errors)',\n 'AU-3 Content of Audit Records:',\n ' - Include: timestamp (ISO 8601, UTC), actor identity',\n ' - Include: action performed, resource affected, outcome',\n ' - Include: source IP, user agent, request ID',\n ' - Exclude: passwords, tokens, PII in log messages',\n 'AU-6 Audit Review, Analysis, and Reporting:',\n ' - Review logs regularly for anomalies',\n ' - Correlate events across services (distributed tracing)',\n ' - Alert on suspicious patterns (brute force, privilege escalation)',\n 'AU-12 Audit Generation:',\n ' - Generate audit records at OS, application, and database levels',\n ' - Use structured logging (JSON) for machine parsing',\n ' - Ship logs to centralized SIEM within 60 seconds',\n ' - Protect log integrity (append-only, tamper-evident)',\n ].join('\\n'),\n priority: 8,\n },\n {\n title: 'Control-to-Finding Quick Reference',\n content: [\n 'FINDING -> NIST CONTROL 
MAPPING:',\n ' Missing authentication -> IA-2, IA-8',\n ' Weak passwords -> IA-5',\n ' Missing MFA -> IA-2(1), IA-2(2)',\n ' Broken access control -> AC-3, AC-6',\n ' Missing authorization checks -> AC-3',\n ' Privilege escalation -> AC-6',\n ' Data in transit unencrypted -> SC-8',\n ' Data at rest unencrypted -> SC-28',\n ' Weak cryptography -> SC-13',\n ' Missing key rotation -> SC-12',\n ' Insufficient logging -> AU-2, AU-12',\n ' Logs missing detail -> AU-3',\n ' No log monitoring -> AU-6',\n ' Inactive accounts -> AC-2',\n ' Secrets in source code -> SC-12, SC-13',\n ' Missing input validation -> SI-10',\n ].join('\\n'),\n priority: 10,\n },\n ],\n} as const;\n","/**\n * Supply Chain Security Knowledge Module\n *\n * Domain knowledge for supply chain attack detection and prevention,\n * derived from adversary-lab research on Aqua Security/TeamPCP (March 2026)\n * and CyberStrike/FortiGate (Jan-Feb 2026) incidents.\n * Note: Trivy (Aqua) replaced with Grype (Anchore) + OSV-Scanner (Google) per #1690.\n *\n * @module agents/experts/knowledge/security/supply-chain\n * (Source: adversary-lab research, nexus-agents #1605)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\n/**\n * Supply chain security knowledge covering dependency pinning,\n * CI/CD hardening, and AI-assisted attack patterns.\n */\nexport const SUPPLY_CHAIN_MODULE: KnowledgeModule = {\n id: 'security-supply-chain',\n domain: 'security',\n title: 'Supply Chain Security',\n tags: ['supply-chain', 'ci-cd', 'dependency-management', 'github-actions'],\n nistControls: ['SA-12', 'SA-15', 'SR-3', 'SR-4', 'SR-11'],\n sections: [\n {\n title: 'Dependency Pinning',\n priority: 10,\n content: `Pin all external dependencies to immutable references:\n- GitHub Actions: pin to full 40-character commit SHAs, never mutable tags\n- Docker images: pin to digest (sha256:...), not tags\n- npm/pip packages: use lockfiles with integrity hashes\n- Tags can be force-pushed (Trivy TeamPCP attack: 75 of 76 tags 
hijacked)\n- Only commit SHAs and content-addressable hashes are immutable`,\n },\n {\n title: 'CI/CD Token Scoping',\n priority: 9,\n content: `Minimize CI token permissions to reduce blast radius:\n- Declare explicit permissions per job (never use write-all)\n- Use contents:read unless write is specifically needed\n- Scope GITHUB_TOKEN to minimum required permissions\n- Rotate tokens immediately after any suspected exposure\n- Never pass secrets via environment variables when pipe IPC is available`,\n },\n {\n title: 'Supply Chain Attack Indicators',\n priority: 8,\n content: `Watch for these supply chain compromise indicators:\n- Unexpected tag changes on dependencies (force-push)\n- Typosquat domains in configs (e.g., aquasecurtiy vs aquasecurity)\n- New postinstall hooks in updated packages\n- Process memory dumping in CI runners (Runner.Worker)\n- Encrypted exfiltration payloads (AES-256+RSA-4096)\n- ICP canister C2 (blockchain-based dead-drop resolvers)\n- Systemd persistence disguised as monitoring (e.g., pgmon service)`,\n },\n {\n title: 'AI-Assisted Attack Awareness',\n priority: 7,\n content: `AI-generated malware characteristics (detection opportunity):\n- Clean, descriptive variable names (no obfuscation)\n- Modular, well-structured code\n- Minimal error handling (crashes instead of failing silently)\n- No anti-analysis techniques (no VM detection, no debugger checks)\n- Fast development cycle (multiple variants in hours)\n- Paradoxically easier to detect than human-crafted obfuscated malware\n- AI amplifies low-skill operators to execute expert-level attack chains`,\n },\n ],\n};\n","/**\n * Security Knowledge Modules\n *\n * Domain knowledge for enriching security expert agent prompts.\n * Contains OWASP, NIST, authentication, authorization, input validation,\n * secrets management, and threat modeling standards.\n *\n * @module agents/experts/knowledge/security\n * (Source: Epic #643 / Issue #645 - Phase 1a, Phase 5a)\n */\n\nimport type { 
KnowledgeModule } from '../types.js';\nimport { OWASP_API_TOP10_MODULE } from './owasp-api-top10.js';\nimport { AUTHENTICATION_MODULE } from './authentication.js';\nimport { AUTHORIZATION_MODULE } from './authorization.js';\nimport { INPUT_VALIDATION_MODULE } from './input-validation.js';\nimport { SECRETS_MANAGEMENT_MODULE } from './secrets-management.js';\nimport { THREAT_MODELING_MODULE } from './threat-modeling.js';\nimport { NIST_CONTROLS_MODULE } from './nist-controls.js';\nimport { SUPPLY_CHAIN_MODULE } from './supply-chain.js';\n\nexport {\n OWASP_API_TOP10_MODULE,\n AUTHENTICATION_MODULE,\n AUTHORIZATION_MODULE,\n INPUT_VALIDATION_MODULE,\n SECRETS_MANAGEMENT_MODULE,\n THREAT_MODELING_MODULE,\n NIST_CONTROLS_MODULE,\n SUPPLY_CHAIN_MODULE,\n};\n\n/**\n * All security domain knowledge modules.\n * Registered with the KnowledgeRegistry for injection into security expert prompts.\n */\nexport const SECURITY_KNOWLEDGE_MODULES: readonly KnowledgeModule[] = [\n OWASP_API_TOP10_MODULE,\n AUTHENTICATION_MODULE,\n AUTHORIZATION_MODULE,\n INPUT_VALIDATION_MODULE,\n SECRETS_MANAGEMENT_MODULE,\n THREAT_MODELING_MODULE,\n NIST_CONTROLS_MODULE,\n SUPPLY_CHAIN_MODULE,\n];\n\n/**\n * Common security domain patterns for quick reference injection.\n */\nexport const SECURITY_DOMAIN_PATTERNS = {\n authN: 'MFA + short-lived tokens (<15 min) + refresh rotation; rate-limit login attempts',\n authZ: 'Per-object authorization checks; deny by default; validate resource ownership',\n inputValidation: 'Validate at boundaries with schemas; reject unknown fields; sanitize output',\n secretsManagement: 'Vault or OIDC for credentials; rotate on schedule; never log secrets',\n threatModeling: 'STRIDE per DFD element; focus on trust boundary crossings; prioritize by risk',\n} as const;\n\n/**\n * Security best practices summary for prompt injection.\n */\nexport const SECURITY_BEST_PRACTICES = {\n owaspTop10: 'Check every endpoint for BOLA, broken auth, injection, misconfiguration',\n 
defenseInDepth: 'Multiple layers: input validation + authZ + encryption + monitoring',\n leastPrivilege: 'Minimum required permissions; scope IAM roles tightly; audit regularly',\n secureDefaults: 'Encryption on by default; strict CORS; security headers; no debug in prod',\n incidentResponse: 'Log security events; alert on anomalies; have a response playbook',\n} as const;\n\n/**\n * Build a formatted knowledge prompt for security expert prompt injection.\n *\n * @returns Formatted string with security domain knowledge\n */\nexport function getSecurityKnowledgePrompt(): string {\n // Include top 20 sections (was 8 — too aggressive truncation dropped 83% of knowledge)\n const sections = SECURITY_KNOWLEDGE_MODULES.flatMap((module) => module.sections)\n .sort((a, b) => b.priority - a.priority)\n .slice(0, 20);\n\n const formatted = sections\n .map((section) => `### ${section.title}\\n${section.content}`)\n .join('\\n\\n');\n\n return `## Security Domain Knowledge\\n\\n${formatted}`;\n}\n","/**\n * Infrastructure as Code (IaC) Knowledge Module\n *\n * Covers Terraform patterns, state management, module design,\n * drift detection, and IaC security best practices.\n *\n * @module agents/experts/knowledge/devops/iac-patterns\n * (Source: Epic #643 - Phase 5a: DevOps Knowledge)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const IAC_PATTERNS_MODULE: KnowledgeModule = {\n id: 'devops-iac-patterns',\n domain: 'devops',\n title: 'Infrastructure as Code Patterns',\n tags: ['iac', 'terraform', 'pulumi', 'cloudformation', 'infrastructure'],\n sections: [\n {\n title: 'Terraform Module Design',\n priority: 10,\n content: [\n 'MODULE STRUCTURE: main.tf, variables.tf, outputs.tf, versions.tf',\n 'NAMING: module-purpose (e.g., aws-vpc, gcp-gke-cluster)',\n 'INPUTS: validate with variable validation blocks; provide sensible defaults',\n 'OUTPUTS: expose only what consumers need; document each output',\n 'VERSIONING: pin module versions in caller; use semantic 
versioning',\n 'COMPOSITION: compose small modules into larger stacks; avoid mega-modules',\n 'RULE: One module = one logical resource group (VPC, database, app)',\n ].join('\\n'),\n },\n {\n title: 'State Management',\n priority: 10,\n content: [\n 'REMOTE STATE: always use remote backend (S3+DynamoDB, GCS, Terraform Cloud)',\n 'LOCKING: enable state locking to prevent concurrent modifications',\n 'ISOLATION: separate state files per environment (dev/staging/prod)',\n 'WORKSPACES: use for minor variations; prefer separate backends for environments',\n 'IMPORTS: use `terraform import` for existing resources; never recreate managed infra',\n 'SENSITIVE: mark sensitive outputs; encrypt state at rest',\n 'ANTI-PATTERN: local state in production = data loss risk',\n ].join('\\n'),\n },\n {\n title: 'Drift Detection and Remediation',\n priority: 8,\n content: [\n 'DETECT: run `terraform plan` on schedule (e.g., nightly CI job)',\n 'ALERT: notify on any detected drift; include resource details',\n 'REMEDIATE: apply to reconcile state or update code to match reality',\n 'PREVENT: restrict manual changes via IAM policies; use SCPs for guardrails',\n 'AUDIT: log all infrastructure changes; correlate with IaC commits',\n 'RULE: if drift is intentional, update IaC; never leave code/infra mismatch',\n ].join('\\n'),\n },\n {\n title: 'IaC Security Practices',\n priority: 9,\n content: [\n 'SCANNING: use tfsec, checkov, or grype for security misconfigurations',\n 'SECRETS: never hardcode credentials; use vault references or OIDC',\n 'LEAST PRIVILEGE: IAM roles scoped to minimum required permissions',\n 'ENCRYPTION: enable encryption by default (EBS, S3, RDS, GCS)',\n 'NETWORKING: private subnets for compute; public only for load balancers',\n 'COMPLIANCE: tag resources for cost allocation and ownership tracking',\n 'REVIEW: require PR review for all infrastructure changes',\n ].join('\\n'),\n },\n ],\n} as const;\n","/**\n * Container Orchestration Knowledge Module\n *\n * 
Covers Kubernetes patterns, container best practices,\n * Helm chart design, and pod security standards.\n *\n * @module agents/experts/knowledge/devops/container-orchestration\n * (Source: Epic #643 - Phase 5a: DevOps Knowledge)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const CONTAINER_ORCHESTRATION_MODULE: KnowledgeModule = {\n id: 'devops-container-orchestration',\n domain: 'devops',\n title: 'Container Orchestration Patterns',\n tags: ['kubernetes', 'docker', 'containers', 'helm', 'pod-security'],\n sections: [\n {\n title: 'Container Image Best Practices',\n priority: 10,\n content: [\n 'BASE IMAGES: use distroless or alpine; avoid full OS images',\n 'MULTI-STAGE: build in one stage, copy artifacts to minimal runtime stage',\n 'LAYER ORDER: least-changing layers first (OS deps, app deps, app code)',\n 'USER: run as non-root; set USER directive in Dockerfile',\n 'SCANNING: scan images for CVEs with grype, osv-scanner, or snyk',\n 'TAGGING: never use :latest in production; pin to SHA or semver',\n 'SIZE: target < 100MB for application images; smaller = faster deploys',\n ].join('\\n'),\n },\n {\n title: 'Kubernetes Resource Patterns',\n priority: 9,\n content: [\n 'REQUESTS/LIMITS: always set CPU and memory requests; set memory limits',\n ' requests: { cpu: \"100m\", memory: \"128Mi\" }',\n ' limits: { memory: \"256Mi\" } # CPU limits optional (throttling)',\n 'PROBES: liveness (restart on failure), readiness (remove from LB), startup (slow init)',\n ' livenessProbe: { httpGet: /healthz, period: 10s, failure: 3 }',\n ' readinessProbe: { httpGet: /readyz, period: 5s, failure: 2 }',\n 'HPA: autoscale on CPU/memory or custom metrics; set min/max replicas',\n 'PDB: PodDisruptionBudget ensures availability during node drains',\n 'ANTI-AFFINITY: spread replicas across nodes/zones for HA',\n ].join('\\n'),\n },\n {\n title: 'Kubernetes Security',\n priority: 9,\n content: [\n 'POD SECURITY: enforce restricted PSS (Pod Security Standards)',\n 
'RBAC: least-privilege ServiceAccounts; no cluster-admin for workloads',\n 'NETWORK POLICIES: deny-all default; explicitly allow required traffic',\n 'SECRETS: use external secrets operator or sealed-secrets; avoid K8s secrets in git',\n 'IMAGE POLICY: admission controller to allow only signed/approved images',\n 'NAMESPACE ISOLATION: separate namespaces per team/environment',\n 'AUDIT: enable K8s audit logging; alert on privileged pod creation',\n ].join('\\n'),\n },\n {\n title: 'Helm Chart Patterns',\n priority: 7,\n content: [\n 'STRUCTURE: Chart.yaml, values.yaml, templates/, NOTES.txt',\n 'VALUES: provide sensible defaults; document all values in values.yaml',\n 'TEMPLATES: use named templates (_helpers.tpl) for reusable snippets',\n 'TESTING: use helm unittest or helm test hooks for validation',\n 'VERSIONING: bump chart version on every change; bump appVersion with app releases',\n 'DEPENDENCIES: pin sub-chart versions; use condition flags for optional components',\n 'RELEASE: helm upgrade --install --atomic (rollback on failure)',\n ].join('\\n'),\n },\n ],\n} as const;\n","/**\n * Observability Knowledge Module\n *\n * Covers the three pillars of observability (metrics, logs, traces),\n * SRE golden signals, alerting strategies, and SLO/SLI design.\n *\n * @module agents/experts/knowledge/devops/observability\n * (Source: Epic #643 - Phase 5a: DevOps Knowledge)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const OBSERVABILITY_MODULE: KnowledgeModule = {\n id: 'devops-observability',\n domain: 'devops',\n title: 'Observability and Monitoring Patterns',\n tags: ['observability', 'monitoring', 'sre', 'slo', 'alerting', 'opentelemetry'],\n sections: [\n {\n title: 'Three Pillars of Observability',\n priority: 10,\n content: [\n 'METRICS: numeric measurements aggregated over time (counters, gauges, histograms)',\n ' TOOLS: Prometheus, Datadog, CloudWatch',\n ' USE FOR: dashboards, alerting, capacity planning, trend analysis',\n 'LOGS: 
structured event records with context',\n ' FORMAT: JSON with timestamp, level, service, traceId, message, metadata',\n ' TOOLS: ELK stack, Loki, CloudWatch Logs',\n ' USE FOR: debugging, audit trails, error investigation',\n 'TRACES: distributed request flow across services',\n ' TOOLS: Jaeger, Zipkin, Tempo, X-Ray, OpenTelemetry',\n ' USE FOR: latency analysis, dependency mapping, bottleneck detection',\n 'CORRELATION: link metrics/logs/traces via traceId for unified investigation',\n ].join('\\n'),\n },\n {\n title: 'SRE Golden Signals',\n priority: 10,\n content: [\n 'LATENCY: time to serve requests; track separately for success vs error',\n ' MEASURE: P50, P95, P99 response times',\n ' ALERT: P99 > 2x baseline for 5 minutes',\n 'TRAFFIC: demand on the system (requests/sec, concurrent users)',\n ' MEASURE: RPS per endpoint, active connections',\n ' USE: capacity planning, anomaly detection',\n 'ERRORS: rate of failed requests (5xx, timeouts, business errors)',\n ' MEASURE: error rate as percentage of total traffic',\n ' ALERT: error rate > 1% for 5 minutes',\n 'SATURATION: how full the system is (CPU, memory, disk, queue depth)',\n ' MEASURE: utilization percentages, queue lengths',\n ' ALERT: any resource > 80% sustained for 15 minutes',\n ].join('\\n'),\n },\n {\n title: 'SLO/SLI Design',\n priority: 9,\n content: [\n 'SLI (Service Level Indicator): quantitative measure of service behavior',\n ' EXAMPLES: availability ratio, latency P99, error rate, throughput',\n 'SLO (Service Level Objective): target value for an SLI',\n ' EXAMPLES: 99.9% availability, P99 latency < 200ms',\n 'ERROR BUDGET: 100% - SLO target = allowed downtime/errors',\n ' 99.9% SLO = 43.2 min/month error budget',\n ' 99.95% SLO = 21.6 min/month error budget',\n 'DECISION: if error budget is exhausted, freeze deployments until recovered',\n 'REVIEW: weekly error budget review; adjust SLOs quarterly based on data',\n 'RULE: set SLOs based on user impact, not arbitrary targets',\n 
].join('\\n'),\n },\n {\n title: 'Alerting Best Practices',\n priority: 8,\n content: [\n 'ALERT ON SYMPTOMS, NOT CAUSES: \"high error rate\" not \"CPU spike\"',\n 'SEVERITY LEVELS:',\n ' P1-Critical: user-facing outage, page immediately',\n ' P2-High: degraded service, page during business hours',\n ' P3-Medium: non-urgent, ticket, fix within 1 business day',\n ' P4-Low: informational, track in dashboard',\n 'REDUCE NOISE: set appropriate thresholds; use multi-window burn rate',\n 'RUNBOOKS: every alert links to a runbook with investigation steps',\n 'ON-CALL: rotation schedule, escalation policy, blameless postmortems',\n 'ANTI-PATTERNS: alert fatigue, percentage-only alerts on low traffic',\n ].join('\\n'),\n },\n ],\n} as const;\n","/**\n * systemd and Bare-Metal Knowledge Module\n *\n * Covers systemd service management, firewall chain hierarchy (UFW/iptables/nftables),\n * and container DNS resolution issues on bare-metal Linux hosts.\n *\n * @module agents/experts/knowledge/devops/systemd-bare-metal\n * (Source: Epic #643 - Phase 5a: DevOps Knowledge)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const SYSTEMD_BARE_METAL_MODULE: KnowledgeModule = {\n id: 'devops-systemd-bare-metal',\n domain: 'devops',\n title: 'systemd and Bare-Metal Operations',\n tags: ['systemd', 'bare-metal', 'linux', 'firewall', 'iptables', 'ufw', 'nftables', 'dns'],\n sections: [\n {\n title: 'systemd Service Management',\n priority: 9,\n content: [\n 'UNIT TYPES:',\n ' Type=simple — process starts immediately; default; use for long-running daemons',\n ' Type=notify — service signals readiness via sd_notify(); use when startup takes time',\n ' Type=oneshot — process exits after task; combine with RemainAfterExit=yes for state',\n 'RESTART STRATEGIES:',\n ' Restart=always — restart on any exit (crash, clean, signal)',\n ' Restart=on-failure — restart only on non-zero exit or signal',\n ' RestartSec=5s — delay between restarts (default: 100ms)',\n ' 
StartLimitIntervalSec=60s — crash-loop detection window',\n ' StartLimitBurst=3 — max starts within window before giving up',\n ' After limit: systemctl reset-failed to re-enable',\n 'CLEANUP BEFORE START:',\n ' ExecStartPre=/bin/rm -f /var/run/app.pid — fail unit if cleanup fails',\n ' ExecStartPre=-/bin/rm -f /var/run/app.pid — dash prefix: ignore non-zero exit',\n 'SECRETS MANAGEMENT:',\n ' EnvironmentFile=/etc/app/secrets.env — load secrets from file, not inline',\n ' RULE: never put secrets in unit file; unit files are world-readable via systemctl',\n ' Prefer: EnvironmentFile=-/path (dash = OK if missing) for optional overrides',\n 'DEBUGGING:',\n ' journalctl -fu service.name — follow live logs',\n ' journalctl -u service.name --since \"5 min ago\" — recent logs',\n ' systemctl status service.name — state, last exit code, recent journal',\n ' systemd-analyze blame — startup time per unit',\n ' systemd-analyze critical-chain service.name — critical path to ready',\n ].join('\\n'),\n },\n {\n title: 'Firewall Chain Hierarchy (UFW/iptables/nftables)',\n priority: 9,\n content: [\n 'CHAIN MODEL:',\n ' INPUT — traffic destined for the host itself (SSH, API, app ports)',\n ' FORWARD — traffic routed/bridged through the host (containers, VMs)',\n ' PREROUTING — traffic before routing decision; used for DNAT (port forwarding)',\n ' OUTPUT — traffic originating from the host',\n 'UFW LIMITATION:',\n ' ufw allow 8080/tcp — adds rule to INPUT only; does NOT cover containers',\n ' Docker DNAT: incoming → PREROUTING (DNAT to container IP) → FORWARD chain',\n ' Result: host port 8080 is open to the internet even when UFW denies INPUT',\n 'FIX FOR CONTAINER BRIDGE NETWORKS:',\n ' ufw route allow in on eth0 out on docker0 — add explicit FORWARD rule',\n ' Or restrict Docker DNAT with DOCKER-USER chain (Docker-managed, persists restarts)',\n ' DOCKER-USER: insert rules here; processed before Docker adds its own rules',\n ' iptables -I DOCKER-USER -i eth0 ! 
-s 10.0.0.0/8 -j DROP',\n 'DIAGNOSTICS:',\n ' iptables -L INPUT -n -v — list INPUT rules with packet counts',\n ' iptables -L FORWARD -n -v — check FORWARD rules for container traffic',\n ' iptables -t nat -L PREROUTING -n -v — show DNAT rules',\n ' ss -tlnp — show listening sockets with process names (replaces netstat)',\n ' nft list ruleset — nftables equivalent; used on newer distros (Ubuntu 22.04+)',\n 'RULE: when a port is \"open\" despite UFW deny, always check FORWARD and PREROUTING',\n ].join('\\n'),\n },\n {\n title: 'Container DNS Resolution on Bare Metal',\n priority: 8,\n content: [\n 'ROOT CAUSE:',\n ' Host resolver: systemd-resolved listening on 127.0.0.53 (loopback)',\n ' Container network namespace has its own loopback; 127.0.0.53 does not exist there',\n ' Result: DNS queries from containers fail silently or time out',\n 'SYMPTOMS:',\n ' Container can ping IP addresses but not hostnames',\n ' /etc/resolv.conf inside container shows nameserver 127.0.0.53',\n 'SOLUTIONS (in order of preference):',\n ' 1. Pass real nameserver via --dns flag:',\n ' docker run --dns 8.8.8.8 ... or dns: [\"8.8.8.8\"] in compose',\n ' 2. Bind-mount a custom resolv.conf:',\n ' -v /etc/resolv.conf.docker:/etc/resolv.conf:ro',\n ' 3. Use systemd-resolved stub IP on bridge:',\n ' systemd-resolved also listens on the host bridge IP (e.g., 172.17.0.1)',\n ' docker network create --opt com.docker.network.bridge.name=br0 mynet',\n ' docker run --dns 172.17.0.1 ... — works if resolved serves that interface',\n ' 4. 
Run a dedicated DNS resolver (e.g., dnsmasq) on the bridge network',\n 'VERIFY:',\n ' docker exec container cat /etc/resolv.conf — confirm nameserver address',\n ' docker exec container nslookup example.com — test resolution',\n ' resolvectl status — show per-interface DNS config on host',\n 'RULE: always verify /etc/resolv.conf inside the container, not just on the host',\n ].join('\\n'),\n },\n ],\n} as const;\n","/**\n * DevOps Knowledge Modules\n *\n * Domain knowledge for enriching DevOps/SRE expert agent prompts.\n * Contains IaC patterns, container orchestration, observability, and\n * systemd/bare-metal guidance.\n *\n * @module agents/experts/knowledge/devops\n * (Source: Epic #643 - Phase 5a: DevOps Knowledge)\n */\n\nimport type { KnowledgeModule } from '../types.js';\nimport { IAC_PATTERNS_MODULE } from './iac-patterns.js';\nimport { CONTAINER_ORCHESTRATION_MODULE } from './container-orchestration.js';\nimport { OBSERVABILITY_MODULE } from './observability.js';\nimport { SYSTEMD_BARE_METAL_MODULE } from './systemd-bare-metal.js';\n\nexport { IAC_PATTERNS_MODULE } from './iac-patterns.js';\nexport { CONTAINER_ORCHESTRATION_MODULE } from './container-orchestration.js';\nexport { OBSERVABILITY_MODULE } from './observability.js';\nexport { SYSTEMD_BARE_METAL_MODULE } from './systemd-bare-metal.js';\n\n/**\n * All DevOps domain knowledge modules.\n * Registered with the KnowledgeRegistry for injection into DevOps expert prompts.\n */\nexport const DEVOPS_KNOWLEDGE_MODULES: readonly KnowledgeModule[] = [\n IAC_PATTERNS_MODULE,\n CONTAINER_ORCHESTRATION_MODULE,\n OBSERVABILITY_MODULE,\n SYSTEMD_BARE_METAL_MODULE,\n];\n\n/**\n * Common DevOps domain patterns for quick reference injection.\n */\nexport const DEVOPS_DOMAIN_PATTERNS = {\n iacModuleDesign:\n 'One module = one logical resource group; pin versions; remote state with locking',\n containerSecurity: 'Distroless images; non-root user; scan for CVEs; pin image tags',\n k8sResources: 'Always set 
requests/limits; configure liveness/readiness probes; use PDBs',\n observability: 'Metrics + logs + traces correlated by traceId; alert on symptoms not causes',\n sloDesign: 'SLI measures user experience; SLO sets target; error budget drives release velocity',\n systemdServices:\n 'Type=notify for readiness signaling; EnvironmentFile for secrets; crash-loop via StartLimitBurst',\n firewallChains:\n 'INPUT=host traffic; FORWARD=container/routed; ufw route allow for bridge networks; DOCKER-USER for restrictions',\n} as const;\n\n/**\n * DevOps best practices summary for prompt injection.\n */\nexport const DEVOPS_BEST_PRACTICES = {\n infrastructure:\n 'All infrastructure defined in code; no manual changes; drift detection on schedule',\n deployment: 'Blue-green or canary for production; automated rollback on error rate spike',\n reliability: 'Define SLOs per service; track error budgets; blameless postmortems',\n security: 'OIDC for CI auth; least-privilege IAM; encrypt at rest and in transit',\n monitoring: 'Golden signals (latency, traffic, errors, saturation); runbook per alert',\n bareMetalLinux:\n 'systemd EnvironmentFile for secrets; DOCKER-USER chain for firewall; explicit --dns for container DNS',\n} as const;\n\n/**\n * Build a formatted knowledge prompt for DevOps expert prompt injection.\n *\n * @returns Formatted string with DevOps domain knowledge for system prompt injection\n */\nexport function getDevOpsKnowledgePrompt(): string {\n const sections = DEVOPS_KNOWLEDGE_MODULES.flatMap((module) => module.sections)\n .sort((a, b) => b.priority - a.priority)\n .slice(0, 8);\n\n const formatted = sections\n .map((section) => `### ${section.title}\\n${section.content}`)\n .join('\\n\\n');\n\n return `## DevOps Domain Knowledge\\n\\n${formatted}`;\n}\n","/**\n * Research Knowledge Modules\n *\n * Domain knowledge for enriching research expert agent prompts.\n * Contains methodology patterns, source evaluation criteria,\n * arXiv category mappings, and research 
best practices.\n *\n * @module agents/experts/knowledge/research\n * (Source: Research System Enhancement - Phase 2)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\n/**\n * Research methodology module.\n */\nexport const RESEARCH_METHODOLOGY_MODULE: KnowledgeModule = {\n id: 'research-methodology',\n domain: 'research',\n title: 'Research Methodology Standards',\n tags: ['methodology', 'literature-review', 'evaluation'],\n sections: [\n {\n title: 'Literature Review Process',\n content:\n 'SYSTEMATIC APPROACH: Define search scope → Query databases → Filter by relevance → ' +\n 'Extract techniques → Assess quality → Catalog findings.\\n' +\n 'SOURCES: arXiv (cs.AI, cs.MA, cs.CL), ACL Anthology, NeurIPS, ICML, ICLR proceedings.\\n' +\n 'FILTERS: Recency (prefer last 2 years), citation count, venue quality, reproducibility.',\n priority: 10,\n },\n {\n title: 'Technique Extraction',\n content:\n 'IDENTIFY: Core algorithm/approach from abstract and methodology sections.\\n' +\n 'EVALUATE: Compare against existing registry techniques for overlap (Jaccard > 0.3).\\n' +\n 'CATALOG: Name, description, source papers, topic, tags, complexity, dependencies.\\n' +\n 'PRIORITIZE: Impact on system × implementation complexity × alignment with roadmap.',\n priority: 9,\n },\n {\n title: 'Source Quality Assessment',\n content:\n 'TIER 1: Top-venue published papers (NeurIPS, ICML, ICLR, ACL) — high confidence.\\n' +\n 'TIER 2: Well-cited arXiv preprints (>50 citations) — moderate confidence.\\n' +\n 'TIER 3: Recent arXiv preprints with reproduction code — moderate confidence.\\n' +\n 'TIER 4: Blog posts, GitHub repos without papers — low confidence, needs validation.',\n priority: 8,\n },\n ],\n};\n\n/**\n * arXiv categories relevant to multi-agent orchestration.\n */\nexport const ARXIV_CATEGORIES_MODULE: KnowledgeModule = {\n id: 'research-arxiv-categories',\n domain: 'research',\n title: 'arXiv Category Mappings',\n tags: ['arxiv', 'categories', 'search'],\n 
sections: [\n {\n title: 'Primary Categories',\n content:\n 'cs.AI — Artificial Intelligence: Multi-agent systems, reasoning, planning.\\n' +\n 'cs.MA — Multi-Agent Systems: Coordination, negotiation, consensus.\\n' +\n 'cs.CL — Computation and Language: LLM capabilities, prompting, tool use.\\n' +\n 'cs.LG — Machine Learning: Training methods, optimization, evaluation.\\n' +\n 'cs.SE — Software Engineering: Code generation, testing, development tools.',\n priority: 7,\n },\n {\n title: 'Search Query Patterns',\n content:\n 'ORCHESTRATION: \"multi-agent orchestration\" OR \"agent coordination\" OR \"task delegation\"\\n' +\n 'CONSENSUS: \"multi-agent voting\" OR \"collective decision\" OR \"ensemble methods\"\\n' +\n 'LLM AGENTS: \"LLM agent\" OR \"language model tool use\" OR \"ReAct\" OR \"chain of thought\"\\n' +\n 'EVALUATION: \"agent benchmark\" OR \"multi-agent evaluation\" OR \"LLM evaluation\"',\n priority: 6,\n },\n ],\n};\n\n/**\n * GitHub evaluation patterns for research repos.\n */\nexport const GITHUB_EVALUATION_MODULE: KnowledgeModule = {\n id: 'research-github-evaluation',\n domain: 'research',\n title: 'GitHub Repository Evaluation',\n tags: ['github', 'evaluation', 'open-source'],\n sections: [\n {\n title: 'Repository Quality Signals',\n content:\n 'HIGH QUALITY: >1000 stars, active development (commits in last 30 days), ' +\n 'comprehensive documentation, test coverage, CI/CD pipeline.\\n' +\n 'MODERATE: 100-1000 stars, periodic updates, basic documentation.\\n' +\n 'LOW: <100 stars, no recent activity, minimal documentation.\\n' +\n 'EVALUATE: License compatibility, dependency health, community engagement.',\n priority: 5,\n },\n ],\n};\n\n/**\n * All research domain knowledge modules.\n */\nexport const RESEARCH_KNOWLEDGE_MODULES: readonly KnowledgeModule[] = [\n RESEARCH_METHODOLOGY_MODULE,\n ARXIV_CATEGORIES_MODULE,\n GITHUB_EVALUATION_MODULE,\n];\n\n/**\n * Build a formatted knowledge prompt for research expert prompt injection.\n *\n * 
@returns Formatted string with research domain knowledge\n */\nexport function getResearchKnowledgePrompt(): string {\n const sections = RESEARCH_KNOWLEDGE_MODULES.flatMap((module) => module.sections)\n .sort((a, b) => b.priority - a.priority)\n .slice(0, 6);\n\n const formatted = sections\n .map((section) => `### ${section.title}\\n${section.content}`)\n .join('\\n\\n');\n\n return `## Research Domain Knowledge\\n\\n${formatted}`;\n}\n","/**\n * TypeScript Patterns Knowledge Module\n *\n * Actionable TypeScript coding patterns and best practices\n * for enriching code expert agent prompts.\n *\n * @module agents/experts/knowledge/code/typescript-patterns\n * (Source: Epic #643 - Standards Absorption, Phase 1c)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const TYPESCRIPT_PATTERNS: KnowledgeModule = {\n id: 'code-typescript-patterns',\n domain: 'code',\n title: 'TypeScript Patterns and Best Practices',\n tags: ['typescript', 'type-safety', 'patterns', 'strict-mode'],\n sections: [\n {\n title: 'Strict Mode Essentials',\n priority: 10,\n content: [\n 'Enable ALL strict flags in tsconfig.json:',\n ' \"strict\": true, \"noUncheckedIndexedAccess\": true,',\n ' \"exactOptionalPropertyTypes\": true, \"noPropertyAccessFromIndexSignature\": true.',\n 'Never disable individual strict checks. 
Use `unknown` instead of `any`.',\n 'Prefer `satisfies` operator over type assertions for validated narrowing.',\n 'Use `as const` for literal inference on configuration objects.',\n ].join('\\n'),\n },\n {\n title: 'Type Narrowing Patterns',\n priority: 9,\n content: [\n 'Discriminated unions: add a `type` or `kind` literal field to each variant.',\n ' type Result<T, E> = { ok: true; value: T } | { ok: false; error: E };',\n 'Type guard functions: `function isUser(v: unknown): v is User`.',\n 'Use `in` operator for structural narrowing: `if (\"email\" in obj)`.',\n 'Const assertions: `as const` narrows arrays to tuples and strings to literals.',\n 'Exhaustive checks: use `never` in default case to catch unhandled variants.',\n ' default: { const _exhaustive: never = action; throw new Error(`Unhandled: ${_exhaustive}`); }',\n ].join('\\n'),\n },\n {\n title: 'Advanced Generics',\n priority: 7,\n content: [\n 'Conditional types: `type IsArray<T> = T extends unknown[] ? true : false;`',\n 'Mapped types: `type Readonly<T> = { readonly [K in keyof T]: T[K] };`',\n 'Template literal types: `type Route = `/${string}`;`',\n 'Infer keyword: `type ElementOf<T> = T extends (infer E)[] ? E : never;`',\n 'Constrained generics: `function get<T, K extends keyof T>(obj: T, key: K): T[K]`',\n 'Generic defaults: `type Container<T = unknown> = { value: T };`',\n 'Limit generic depth to 3 levels. 
Extract complex types into named aliases.',\n ].join('\\n'),\n },\n {\n title: 'Utility Types',\n priority: 8,\n content: [\n 'Partial<T>: make all properties optional (good for update/patch payloads).',\n 'Required<T>: make all properties required (good for validated models).',\n 'Pick<T, K>: select subset of properties (good for API response shaping).',\n 'Omit<T, K>: exclude properties (good for removing internal fields).',\n 'Record<K, V>: typed key-value maps (prefer over index signatures).',\n 'Extract<T, U> / Exclude<T, U>: filter union members.',\n 'ReturnType<T> / Parameters<T>: derive types from functions.',\n 'Combine utilities: `type CreateInput = Omit<User, \"id\" | \"createdAt\">;`',\n ].join('\\n'),\n },\n {\n title: 'Result Pattern for Error Handling',\n priority: 9,\n content: [\n 'Use Result<T, E> instead of throwing for expected failures:',\n ' type Result<T, E = Error> = { ok: true; value: T } | { ok: false; error: E };',\n 'Reserve throw/try-catch for unexpected failures (bugs, infra errors).',\n 'Pattern: function returns Result, caller narrows with `if (!result.ok)`.',\n 'Chain results: extract value only after checking `.ok`.',\n 'Create typed error enums: `type ParseError = \"INVALID_JSON\" | \"MISSING_FIELD\";`',\n 'Wrap external APIs that throw into Result-returning wrappers.',\n ].join('\\n'),\n },\n {\n title: 'Common Anti-Patterns',\n priority: 10,\n content: [\n 'AVOID `any`: use `unknown` and narrow. 
Lint with @typescript-eslint/no-explicit-any.',\n 'AVOID type assertions (`as`): use type guards or `satisfies` instead.',\n 'AVOID non-null assertions (`!`): handle null/undefined explicitly.',\n 'AVOID enums: use `as const` objects or union types for better tree-shaking.',\n 'AVOID `Function` type: use specific signatures `(arg: string) => void`.',\n 'AVOID namespace: use ES modules.',\n 'AVOID `@ts-ignore`: use `@ts-expect-error` with explanation comment.',\n ].join('\\n'),\n },\n {\n title: 'Module Patterns',\n priority: 6,\n content: [\n 'Barrel exports (index.ts): re-export public API only. Never re-export internals.',\n 'Path aliases: configure `paths` in tsconfig for `@/core`, `@/utils` etc.',\n 'Explicit file extensions in imports for ESM: `import { x } from \"./mod.js\";`',\n 'One module = one concern. Split when a file exceeds 400 lines.',\n 'Co-locate types with implementation. Export types from same module.',\n 'Use `type` keyword in imports/exports for type-only items.',\n ].join('\\n'),\n },\n {\n title: 'Async Patterns',\n priority: 8,\n content: [\n 'Use Promise.all for independent concurrent operations.',\n 'Use Promise.allSettled when partial failure is acceptable.',\n 'Always pass AbortSignal to cancellable operations (fetch, timers).',\n 'Set timeouts on all external calls: `AbortSignal.timeout(5000)`.',\n 'Handle async errors: every await needs surrounding try-catch or .catch().',\n 'Avoid floating promises: lint with @typescript-eslint/no-floating-promises.',\n 'Use AsyncDisposable (`await using`) for resource cleanup when available.',\n 'Prefer async iterators over manual pagination loops.',\n ].join('\\n'),\n },\n ],\n} as const;\n","/**\n * Python Patterns Knowledge Module\n *\n * Actionable Python coding patterns and best practices\n * for enriching code expert agent prompts.\n *\n * @module agents/experts/knowledge/code/python-patterns\n * (Source: Epic #643 - Standards Absorption, Phase 1c)\n */\n\nimport type { KnowledgeModule } from 
'../types.js';\n\nexport const PYTHON_PATTERNS: KnowledgeModule = {\n id: 'code-python-patterns',\n domain: 'code',\n title: 'Python Patterns and Best Practices',\n tags: ['python', 'pep8', 'type-hints', 'testing', 'packaging'],\n sections: [\n {\n title: 'PEP 8 Essentials',\n priority: 10,\n content: [\n 'Naming: snake_case for functions/variables, PascalCase for classes, UPPER_SNAKE for constants.',\n 'Indentation: 4 spaces, never tabs. Continuation lines align with delimiter.',\n 'Line length: 79 chars for code, 72 for docstrings. Use implicit line joining inside brackets.',\n 'Imports: stdlib first, then third-party, then local. One import per line.',\n 'Use isort for import sorting and black/ruff for formatting.',\n 'Blank lines: 2 between top-level definitions, 1 between methods.',\n 'Trailing commas in multi-line collections for cleaner diffs.',\n ].join('\\n'),\n },\n {\n title: 'Type Hints',\n priority: 9,\n content: [\n 'Annotate all public function signatures: `def process(data: list[str]) -> dict[str, int]:`',\n 'Use `from __future__ import annotations` for deferred evaluation (3.7+).',\n 'TypeVar for generics: `T = TypeVar(\"T\")` then `def first(items: list[T]) -> T:`',\n 'Protocol for structural subtyping: `class Renderable(Protocol): def render(self) -> str: ...`',\n 'Use Generic[T] for generic classes. Prefer Protocol over ABC when possible.',\n 'Union types: `str | int` (3.10+) or `Union[str, int]`. Avoid Optional, use `X | None`.',\n 'TypeGuard for narrowing: `def is_str_list(v: list) -> TypeGuard[list[str]]:`',\n 'Run mypy or pyright in strict mode. Address all type errors, never use `type: ignore` without comment.',\n ].join('\\n'),\n },\n {\n title: 'Dataclasses and Attrs',\n priority: 7,\n content: [\n 'Use @dataclass for simple data containers: `@dataclass(frozen=True, slots=True)`.',\n 'frozen=True for immutability, slots=True for memory efficiency.',\n 'field(default_factory=list) for mutable defaults. 
Never use mutable default arguments.',\n '__post_init__ for validation: raise ValueError for invalid state.',\n 'attrs for more features: validators, converters, evolve for immutable updates.',\n 'Prefer dataclasses over NamedTuple when you need methods or default values.',\n 'Use kw_only=True (3.10+) to force keyword arguments for clarity.',\n ].join('\\n'),\n },\n {\n title: 'Pytest Patterns',\n priority: 8,\n content: [\n 'Fixtures: use @pytest.fixture for setup/teardown. Scope: function, class, module, session.',\n 'Parametrize: @pytest.mark.parametrize(\"input,expected\", [...]) for table-driven tests.',\n 'conftest.py: shared fixtures auto-discovered. Place at appropriate directory level.',\n 'Markers: @pytest.mark.slow, @pytest.mark.integration for selective test runs.',\n 'Use tmp_path fixture for file operations. Use monkeypatch for env vars.',\n 'Assert with plain assert statements. Use pytest.raises(ErrorType) for exceptions.',\n 'Test naming: test_<function>_<scenario>_<expected_result>.',\n 'Coverage: pytest-cov with --cov-fail-under=80 minimum.',\n ].join('\\n'),\n },\n {\n title: 'Context Managers and Generators',\n priority: 7,\n content: [\n 'Use `with` for resource management: files, locks, db connections.',\n '@contextmanager decorator for simple cases: yield in try/finally.',\n 'Async context managers: `async with` and @asynccontextmanager.',\n 'Generator functions for lazy sequences: `yield` values one at a time.',\n 'Generator expressions: `(x**2 for x in range(1000))` for memory-efficient pipelines.',\n 'Use `yield from` to delegate to sub-generators.',\n 'send() and throw() for coroutine-style generators (prefer async/await instead).',\n ].join('\\n'),\n },\n {\n title: 'Common Idioms',\n priority: 8,\n content: [\n 'List comprehension: `[f(x) for x in items if pred(x)]`. Prefer over map/filter.',\n 'Dict comprehension: `{k: v for k, v in pairs}`. 
Use for transformations.',\n 'Walrus operator (3.8+): `if (n := len(data)) > 10:` to assign and test.',\n 'Structural pattern matching (3.10+): `match command: case Command(action=\"quit\"):` ...',\n 'Unpacking: `first, *rest = items`. Swap: `a, b = b, a`.',\n 'Use enumerate() over range(len()). Use zip() for parallel iteration.',\n 'collections module: defaultdict, Counter, deque for specialized containers.',\n 'functools: lru_cache for memoization, partial for currying.',\n ].join('\\n'),\n },\n {\n title: 'Exception Handling Hierarchy',\n priority: 9,\n content: [\n 'Catch specific exceptions: `except ValueError` not bare `except:` or `except Exception`.',\n 'Create domain exception hierarchy: AppError -> ValidationError, NotFoundError.',\n 'Use `raise ... from err` to chain exceptions and preserve tracebacks.',\n 'finally for cleanup, else for success-only code after try.',\n 'ExceptionGroup (3.11+) for concurrent error handling with `except*`.',\n 'Never silence exceptions: at minimum log them. No empty except blocks.',\n 'Use contextlib.suppress(ErrorType) for intentionally ignored exceptions.',\n ].join('\\n'),\n },\n {\n title: 'Virtual Environment and Dependency Management',\n priority: 6,\n content: [\n 'Always use virtual environments: venv, virtualenv, or tool-managed.',\n 'pip: pin versions in requirements.txt. Use pip-compile for lock files.',\n 'poetry: pyproject.toml for metadata + deps. poetry.lock for reproducible builds.',\n 'uv: fast pip replacement. `uv pip install`, `uv venv` for speed.',\n 'pyproject.toml: standard metadata format. Replaces setup.py/setup.cfg.',\n 'Separate dev dependencies: [project.optional-dependencies] or poetry groups.',\n 'Pin major versions at minimum: `requests>=2.28,<3`. 
Lock files for applications.',\n ].join('\\n'),\n },\n ],\n} as const;\n","/**\n * CI/CD Patterns Knowledge Module\n *\n * Actionable CI/CD pipeline patterns and deployment best practices\n * for enriching code expert agent prompts.\n *\n * @module agents/experts/knowledge/code/cicd-patterns\n * (Source: Epic #643 - Standards Absorption, Phase 1c)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const CICD_PATTERNS: KnowledgeModule = {\n id: 'code-cicd-patterns',\n domain: 'code',\n title: 'CI/CD Pipeline Patterns and Best Practices',\n tags: ['cicd', 'github-actions', 'deployment', 'pipelines', 'devops'],\n sections: [\n {\n title: 'Pipeline Stages',\n priority: 10,\n content: [\n 'Standard stage order: lint -> test -> security scan -> build -> deploy.',\n 'Lint: formatting (prettier/ruff), static analysis (eslint/mypy), commit message validation.',\n 'Test: unit tests first (fast feedback), then integration, then e2e.',\n 'Security scan: dependency audit (npm audit, pip-audit), SAST (semgrep, CodeQL), secret scanning.',\n 'Build: compile, bundle, containerize. Produce versioned artifacts.',\n 'Deploy: staged rollout (dev -> staging -> production). Never skip staging.',\n 'Fail fast: lint and unit tests run first. Expensive steps run only after cheap ones pass.',\n ].join('\\n'),\n },\n {\n title: 'GitHub Actions Patterns',\n priority: 9,\n content: [\n 'Matrix strategy: test across Node versions, OS, and configurations in parallel.',\n ' strategy: { matrix: { node: [\"20\", \"22\"], os: [ubuntu-latest, macos-latest] } }',\n 'Caching: cache node_modules, pip cache, build outputs. 
Use actions/cache with hash-based keys.',\n ' key: ${{ runner.os }}-pnpm-${{ hashFiles(\"pnpm-lock.yaml\") }}',\n 'Artifacts: upload test reports, coverage, build outputs with actions/upload-artifact.',\n 'Reusable workflows: `.github/workflows/reusable-*.yml` with `workflow_call` trigger.',\n 'Concurrency: `concurrency: { group: ${{ github.ref }}, cancel-in-progress: true }`.',\n 'Pin action versions to full SHA, not tags: `actions/checkout@<sha>`.',\n ].join('\\n'),\n },\n {\n title: 'Deployment Strategies',\n priority: 9,\n content: [\n 'Blue-green: two identical environments. Switch traffic atomically. Instant rollback.',\n 'Canary: route small percentage (1-5%) of traffic to new version. Monitor error rates.',\n 'Rolling: gradually replace instances. Set maxUnavailable and maxSurge limits.',\n 'Feature flags: deploy code disabled, enable per-user/percentage. Decouple deploy from release.',\n 'Choose blue-green for: critical services, zero-downtime requirements.',\n 'Choose canary for: high-traffic services, risk-sensitive changes.',\n 'Choose rolling for: stateless services, cost-sensitive environments.',\n 'Choose feature flags for: gradual rollout, A/B testing, quick kill-switch.',\n ].join('\\n'),\n },\n {\n title: 'Branch Protection and Merge Strategies',\n priority: 8,\n content: [\n 'Require PR reviews: minimum 1 approval, dismiss stale reviews on new commits.',\n 'Require status checks: CI must pass before merge. Include lint, test, security.',\n 'Require up-to-date branches before merge to prevent broken main.',\n 'Squash merge for feature branches: clean history, single revert point.',\n 'Merge commit for release branches: preserve full history.',\n 'Delete branches after merge. Use `--delete-branch` with `gh pr merge`.',\n 'Protect main/release branches: no force push, no deletion.',\n ].join('\\n'),\n },\n {\n title: 'Secret Management in CI',\n priority: 10,\n content: [\n 'GitHub Secrets: store at repo or org level. 
Access via ${{ secrets.NAME }}.',\n 'Never echo secrets. Use `add-mask` for dynamic values: `echo \"::add-mask::$TOKEN\"`.',\n 'OIDC for cloud auth: use workload identity federation instead of long-lived credentials.',\n ' permissions: { id-token: write } with aws-actions/configure-aws-credentials.',\n 'Environment secrets: scope secrets to deployment environments (dev, staging, prod).',\n 'Rotate secrets on schedule. Alert on secret access patterns.',\n 'Scan for leaked secrets: use gitleaks, trufflehog in pre-commit and CI.',\n ].join('\\n'),\n },\n {\n title: 'Artifact Versioning and Container Image Tagging',\n priority: 7,\n content: [\n 'Semantic versioning: MAJOR.MINOR.PATCH. Automate with changesets or semantic-release.',\n 'Container tags: use git SHA for traceability. Tag releases with semver.',\n ' tags: [${{ github.sha }}, latest, v${{ steps.version.outputs.version }}]',\n 'Never use `latest` tag in production deployments. Always pin specific version.',\n 'Sign artifacts: cosign for container images, GPG for packages.',\n 'Store artifacts in registry with retention policy. Clean old pre-release images.',\n 'Bill of materials: generate SBOM with syft or grype for supply chain security.',\n ].join('\\n'),\n },\n {\n title: 'Rollback Procedures and Deployment Gates',\n priority: 8,\n content: [\n 'Automated rollback triggers: error rate spike (>1%), latency P99 increase (>2x), health check failures.',\n 'Deployment gates: require manual approval for production via GitHub Environments.',\n 'Smoke tests: run basic health checks immediately after deploy. Fail = auto rollback.',\n 'Database migrations: always backward-compatible. Separate migration deploy from code deploy.',\n 'Keep N-1 version ready: maintain previous version artifacts for instant rollback.',\n 'Runbook: document rollback steps. 
Include database rollback if applicable.',\n 'Post-deploy monitoring window: 15-30 min observation before marking deploy successful.',\n ].join('\\n'),\n },\n ],\n} as const;\n","/**\n * Code Knowledge Modules\n *\n * Domain knowledge for enriching code expert agent prompts.\n * Contains coding standards, design patterns, and best practices\n * for TypeScript, Python, and CI/CD pipelines.\n *\n * @module agents/experts/knowledge/code\n * (Source: Epic #643 - Standards Absorption, Phase 1c)\n */\n\nimport type { KnowledgeModule } from '../types.js';\nimport { TYPESCRIPT_PATTERNS } from './typescript-patterns.js';\nimport { PYTHON_PATTERNS } from './python-patterns.js';\nimport { CICD_PATTERNS } from './cicd-patterns.js';\n\nexport { TYPESCRIPT_PATTERNS } from './typescript-patterns.js';\nexport { PYTHON_PATTERNS } from './python-patterns.js';\nexport { CICD_PATTERNS } from './cicd-patterns.js';\n\n/**\n * All code domain knowledge modules.\n * Used by the KnowledgeRegistry to enrich code expert agent prompts.\n */\nexport const CODE_KNOWLEDGE_MODULES: readonly KnowledgeModule[] = [\n TYPESCRIPT_PATTERNS,\n PYTHON_PATTERNS,\n CICD_PATTERNS,\n];\n\n/**\n * Build a formatted knowledge prompt for code expert prompt injection.\n *\n * @returns Formatted string with code domain knowledge\n */\nexport function getCodeKnowledgePrompt(): string {\n const sections = CODE_KNOWLEDGE_MODULES.flatMap((module) => module.sections)\n .sort((a, b) => b.priority - a.priority)\n .slice(0, 8);\n\n const formatted = sections\n .map((section) => `### ${section.title}\\n${section.content}`)\n .join('\\n\\n');\n\n return `## Code Domain Knowledge\\n\\n${formatted}`;\n}\n","/**\n * Unit Testing Knowledge Module\n *\n * Best practices for unit testing including isolation, test doubles,\n * TDD workflow, coverage targets, and the testing pyramid decision framework.\n *\n * @module agents/experts/knowledge/testing/unit-patterns\n * (Source: Issue #646 - Phase 1b: Testing Expert Knowledge)\n 
*/\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const UNIT_TESTING_PATTERNS: KnowledgeModule = {\n id: 'testing-unit-patterns',\n domain: 'testing',\n title: 'Unit Testing Patterns & Standards',\n tags: ['unit-testing', 'tdd', 'mocking', 'coverage', 'test-pyramid'],\n sections: [\n {\n title: 'Testing Pyramid Decision Framework',\n priority: 100,\n content: `## Recommended Test Mix\n- Unit: 70% | Integration: 20% | E2E: 10%\n\n## When to Adjust Ratios\n- Heavy business logic → increase unit to 80%, reduce E2E to 5%\n- API-centric service → increase integration to 35%, reduce unit to 55%\n- UI-heavy application → increase E2E to 20%, reduce unit to 55%\n- Data pipeline → increase integration to 40%, reduce unit to 50%\n- Greenfield project → start with unit 80%, add integration/E2E as interfaces stabilize\n\n## Decision Tree: Which Test Type?\n1. Pure function with no dependencies? → Unit test\n2. Multiple components interacting? → Integration test\n3. Database queries or external APIs? → Integration test (with test containers or mocks)\n4. User-facing workflow across pages? → E2E test\n5. Race conditions or timing? → Integration test with controlled concurrency\n6. Error handling paths? 
→ Unit test per error case + integration for cross-boundary errors`,\n },\n {\n title: 'Test Isolation & Dependency Injection',\n priority: 90,\n content: `## Isolation Principles\n- Each test runs independently; no shared mutable state between tests\n- Tests must not depend on execution order\n- Use dependency injection to swap real dependencies for test doubles\n- Prefer constructor injection over service locators for testability\n- Reset all mocks/stubs/spies in beforeEach or afterEach hooks\n\n## DI Pattern for Testability\n\\`\\`\\`\n// Production: new Service(new RealRepo())\n// Test: new Service(mockRepo)\n\\`\\`\\`\n\n## Common Isolation Violations\n- Global singletons modified by tests → use DI instead\n- File system access → inject a filesystem abstraction\n- Date/time dependency → inject a clock interface\n- Environment variables → inject a config object`,\n },\n {\n title: 'Test Double Taxonomy',\n priority: 85,\n content: `## Types of Test Doubles (from simplest to most complex)\n| Double | Purpose | When to Use |\n| ------- | -------------------------------- | ------------------------------------ |\n| Dummy | Fill parameter lists | Value is never used in test |\n| Stub | Return predetermined values | Control indirect inputs |\n| Spy | Record calls for later assertion | Verify side effects occurred |\n| Mock | Pre-programmed expectations | Verify interaction protocol |\n| Fake | Working simplified implementation| Need realistic behavior (in-memory DB)|\n\n## Selection Rules\n1. Default to stubs for most unit tests\n2. Use spies when verifying a function was called with correct args\n3. Use mocks sparingly; they couple tests to implementation\n4. Use fakes for complex dependencies (repositories, queues, caches)\n5. Never mock what you don't own — wrap third-party APIs first`,\n },\n {\n title: 'AAA Pattern (Arrange-Act-Assert)',\n priority: 80,\n content: `## Structure Every Test as Three Blocks\n1. **Arrange** — Set up preconditions and inputs\n2. 
**Act** — Execute the behavior under test (single action)\n3. **Assert** — Verify the expected outcome\n\n## Rules\n- One Act per test; multiple Acts signal the test covers too much\n- Keep Arrange minimal; extract shared setup to beforeEach or factory functions\n- Assert one logical concept per test (may need multiple expect calls for one concept)\n- Separate blocks with blank lines for readability\n\n## Anti-patterns\n- No assertion → test proves nothing\n- Assert before Act → test structure is wrong\n- Multiple Acts → split into separate tests\n- Arrange dominates → extract test fixtures or builders`,\n },\n {\n title: 'TDD Workflow: Red-Green-Refactor',\n priority: 75,\n content: `## The Three Steps\n1. **Red** — Write a failing test that describes the desired behavior\n2. **Green** — Write the minimum code to make the test pass\n3. **Refactor** — Improve the code while keeping all tests green\n\n## Discipline Rules\n- Never write production code without a failing test\n- Do not refactor while tests are red\n- Commit after each Green and after each Refactor\n- Keep the Red-Green cycle under 5 minutes\n\n## When TDD Works Best\n- Business logic with clear input/output contracts\n- Bug fixes (write the failing test first, then fix)\n- Algorithm development\n\n## When to Skip TDD\n- Exploratory prototyping (write tests after design stabilizes)\n- Thin wrappers around third-party libraries\n- One-off scripts`,\n },\n {\n title: 'Coverage Targets',\n priority: 70,\n content: `## Thresholds\n| Scope | Target | Rationale |\n| --------------- | ------- | -------------------------------------- |\n| Overall project | ≥ 80% | Balances confidence with effort |\n| Critical paths | ≥ 95% | Payment, auth, data mutations |\n| New code (diff) | ≥ 90% | Prevents coverage regression |\n| Utility/helpers | ≥ 90% | High reuse justifies high coverage |\n| Generated code | Exclude | No value in testing codegen output |\n\n## Coverage as a Signal, Not a Goal\n- 100% coverage does not 
mean bug-free; it means all lines executed\n- Mutation testing provides better quality signal than line coverage\n- Branch coverage matters more than statement coverage\n- Uncovered code in critical paths is a higher risk than low overall %\n\n## What to Exclude\n- Type declarations and interfaces\n- Dependency injection wiring (configuration code)\n- Third-party library wrappers (tested via integration tests)`,\n },\n {\n title: 'Framework-Specific Patterns',\n priority: 60,\n content: `## Vitest (TypeScript/Node.js)\n- Use \\`vi.fn()\\` for mocks, \\`vi.spyOn()\\` for spies\n- Use \\`vi.useFakeTimers()\\` for time-dependent tests\n- Prefer \\`describe\\` blocks for grouping related tests\n- Use \\`it.each\\` / \\`test.each\\` for parameterized tests\n- Enable \\`--reporter=verbose\\` in CI for clear failure output\n\n## Jest (TypeScript/Node.js)\n- Use \\`jest.fn()\\` and \\`jest.spyOn()\\` (same API shape as Vitest)\n- Use \\`jest.mock('module')\\` for module-level mocking\n- Prefer \\`toMatchInlineSnapshot()\\` over \\`toMatchSnapshot()\\` for small values\n- Use \\`jest.setTimeout()\\` for slow async tests\n\n## pytest (Python)\n- Use \\`@pytest.fixture\\` for setup/teardown\n- Use \\`@pytest.mark.parametrize\\` for data-driven tests\n- Use \\`monkeypatch\\` for environment and attribute patching\n- Use \\`tmp_path\\` fixture for filesystem tests\n- Prefer \\`assert\\` statements over unittest-style methods`,\n },\n ],\n} as const;\n","/**\n * Integration Testing Knowledge Module\n *\n * Best practices for integration testing including contract testing,\n * service virtualization, test containers, and data management.\n *\n * @module agents/experts/knowledge/testing/integration-patterns\n * (Source: Issue #646 - Phase 1b: Testing Expert Knowledge)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const INTEGRATION_TESTING_PATTERNS: KnowledgeModule = {\n id: 'testing-integration-patterns',\n domain: 'testing',\n title: 'Integration Testing 
Patterns & Standards',\n tags: ['integration-testing', 'contract-testing', 'test-containers', 'api-testing'],\n sections: [\n {\n title: 'Contract Testing (Consumer-Driven Contracts)',\n priority: 95,\n content: `## When to Use Contract Testing\n- Microservices communicating via HTTP/gRPC/messaging\n- Teams owning different sides of an API boundary\n- Preventing breaking changes before deployment\n\n## Pact Workflow\n1. Consumer writes contract test defining expected request/response\n2. Pact broker stores the contract\n3. Provider runs verification against the contract\n4. CI gates deployment if verification fails\n\n## Key Rules\n- Consumer defines the contract; provider verifies it\n- Test only the contract shape, not business logic\n- Include provider states for different scenarios (empty list, error, etc.)\n- Version contracts with consumer application version\n- Run provider verification in provider's CI pipeline\n\n## Decision: Contract Test vs Integration Test\n- Contract test: validates API shape across team boundaries\n- Integration test: validates behavior within a single team's services\n- Use both when services are independently deployed`,\n },\n {\n title: 'Service Virtualization',\n priority: 85,\n content: `## Purpose\nReplace external dependencies with controlled, repeatable stand-ins during testing.\n\n## Tools by Ecosystem\n| Tool | Language | Use Case |\n| ------------ | ---------- | --------------------------------- |\n| WireMock | Java/Any | HTTP API stubbing and recording |\n| MockServer | Java/Any | HTTP/HTTPS mock and proxy |\n| Nock | Node.js | HTTP request interception |\n| MSW | JS/TS | Browser and Node API mocking |\n| VCR/Betamax | Ruby/Python | Record and replay HTTP cassettes |\n\n## Best Practices\n- Record real responses once, replay in tests (cassette pattern)\n- Update recordings when external API changes\n- Use dynamic matching (regex on paths) for parameterized endpoints\n- Simulate error responses: 500, 429 (rate limit), 
timeouts\n- Simulate latency to test timeout handling\n- Never rely on live external services in CI`,\n },\n {\n title: 'Test Containers',\n priority: 90,\n content: `## When to Use Test Containers\n- Tests require a real database (PostgreSQL, MySQL, MongoDB)\n- Tests require a real message broker (Kafka, RabbitMQ, Redis)\n- Tests require a real search engine (Elasticsearch, OpenSearch)\n- Mocking the dependency would hide real integration bugs\n\n## Pattern\n1. Start container in test setup (beforeAll / fixture scope=session)\n2. Apply migrations or seed data\n3. Run tests against the real service\n4. Tear down container in afterAll\n\n## Rules\n- Use fixed image tags, never \\`latest\\`\n- Set resource limits (memory, CPU) to prevent CI exhaustion\n- Reuse containers across test suites when possible (session scope)\n- Use health checks to wait for container readiness\n- Isolate test data with unique prefixes or schemas per test suite\n\n## CI Considerations\n- Ensure CI runners have Docker or a Docker-compatible runtime\n- Cache Docker images in CI to speed up container startup\n- Set timeouts for container startup (30s default, 60s for heavy services)\n- Use \\`testcontainers\\` library (available in Java, Node.js, Python, Go, .NET)`,\n },\n {\n title: 'Database Integration Testing',\n priority: 80,\n content: `## Strategies\n| Strategy | Speed | Fidelity | Isolation |\n| ----------------- | ------ | -------- | --------- |\n| In-memory DB | Fast | Low | High |\n| Test container | Medium | High | High |\n| Shared test DB | Fast | High | Low |\n| Transaction rollback | Fast | High | High |\n\n## Transaction Rollback Pattern\n- Wrap each test in a transaction\n- Roll back after test completes\n- Fast and isolated but cannot test commit behavior\n\n## Migration Testing\n- Always test migrations forward and backward (up/down)\n- Run migrations as part of test setup\n- Test data migration scripts with representative data sets\n\n## Data Isolation Rules\n- Never share 
data between tests\n- Generate unique identifiers per test (UUID prefixes)\n- Clean up in afterEach, not beforeEach (catches leaked data)\n- Use database schemas or namespaces for parallel test execution`,\n },\n {\n title: 'API Testing with Real HTTP',\n priority: 75,\n content: `## Tools\n| Tool | Language | Purpose |\n| ---------- | ---------- | --------------------------------- |\n| supertest | Node.js | Express/Koa/Fastify HTTP testing |\n| httpx | Python | Async HTTP client for testing |\n| REST Assured| Java | Fluent HTTP API testing |\n| reqwest | Rust | HTTP client for integration tests |\n\n## What to Test\n- Status codes for success and error cases\n- Response body structure and required fields\n- Content-Type headers\n- Authentication/authorization enforcement\n- Rate limiting behavior\n- Pagination correctness\n- Idempotency of PUT/DELETE operations\n\n## Pattern: Test Against Running Server\n1. Start server in test setup (in-process or subprocess)\n2. Send real HTTP requests\n3. Assert on response status, headers, body\n4. Shut down server in teardown\n\n## Anti-patterns\n- Testing against a shared staging environment (flaky, slow)\n- Skipping error response testing (only testing happy path)\n- Hardcoding URLs instead of using base URL configuration`,\n },\n {\n title: 'Test Data Management & Cleanup',\n priority: 70,\n content: `## Strategies for Test Data\n| Strategy | When to Use |\n| -------------- | -------------------------------------- |\n| Factories | Need varied but valid domain objects |\n| Fixtures | Need consistent reference data |\n| Builders | Need complex object graphs |\n| Seeders | Need bulk data for performance tests |\n| Snapshots | Need database state from production |\n\n## Factory Pattern\n- Define a factory per domain entity\n- Use sensible defaults; override only what the test cares about\n- Use sequences for unique fields (email_1@test.com, email_2@test.com)\n- Compose factories for nested relationships\n\n## Cleanup Rules\n1. 
Each test cleans up its own data (afterEach)\n2. Use TRUNCATE or DELETE with known IDs, not DROP\n3. For shared databases: use schema-per-test-suite isolation\n4. For file-based tests: use temp directories with automatic cleanup\n5. For external services: use idempotent setup that handles existing data\n\n## Anti-patterns\n- Relying on test execution order for data setup\n- Using production data snapshots without sanitization\n- Sharing mutable test fixtures across tests`,\n },\n ],\n} as const;\n","/**\n * End-to-End Testing Knowledge Module\n *\n * Best practices for E2E testing including Page Object Model,\n * selector strategies, waiting patterns, and flaky test prevention.\n *\n * @module agents/experts/knowledge/testing/e2e-patterns\n * (Source: Issue #646 - Phase 1b: Testing Expert Knowledge)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const E2E_TESTING_PATTERNS: KnowledgeModule = {\n id: 'testing-e2e-patterns',\n domain: 'testing',\n title: 'End-to-End Testing Patterns & Standards',\n tags: ['e2e-testing', 'playwright', 'page-object-model', 'browser-testing'],\n sections: [\n {\n title: 'Page Object Model Pattern',\n priority: 95,\n content: `## Purpose\nEncapsulate page structure and interactions into reusable classes.\nDecouple test logic from page implementation details.\n\n## Structure\n\\`\\`\\`\npages/\n login.page.ts → selectors + actions for login page\n dashboard.page.ts → selectors + actions for dashboard\n components/\n nav-bar.ts → shared navigation component\n\\`\\`\\`\n\n## Rules\n- One Page Object per page or major component\n- Page Objects expose actions (login, submitForm), not raw selectors\n- Page Objects return other Page Objects for navigation flows\n- Never put assertions in Page Objects; keep them in test files\n- Use composition for shared components (navbar, footer, modals)\n\n## Anti-patterns\n- God Page Object with hundreds of methods → split by component\n- Assertions inside Page Objects → move to test 
files\n- Exposing raw locators instead of action methods\n- Duplicating selectors across multiple Page Objects`,\n },\n {\n title: 'Selector Strategy Priority',\n priority: 90,\n content: `## Selector Priority (most stable to least stable)\n1. \\`data-testid\\` attributes → most resilient to UI changes\n2. Accessibility roles (\\`getByRole\\`) → stable and accessible\n3. Text content (\\`getByText\\`) → readable but locale-dependent\n4. Label associations (\\`getByLabel\\`) → good for form fields\n5. CSS selectors → fragile, breaks on refactoring\n6. XPath → most fragile, avoid entirely\n\n## Decision Rules\n- Use \\`data-testid\\` for elements without clear accessible roles\n- Use \\`getByRole\\` for buttons, links, headings, inputs\n- Use \\`getByText\\` for static content that identifies a section\n- Use \\`getByLabel\\` for form inputs with visible labels\n- Never use CSS class selectors (change during styling updates)\n- Never use auto-generated IDs or dynamic selectors\n\n## Adding Test IDs\n- Convention: \\`data-testid=\"component-action\"\\` (e.g., \\`data-testid=\"login-submit\"\\`)\n- Add test IDs during development, not as test afterthought\n- Strip test IDs from production builds if desired (build-time transform)`,\n },\n {\n title: 'Waiting Strategies',\n priority: 95,\n content: `## The Cardinal Rule\nNEVER use sleep/setTimeout/fixed delays in tests.\n\n## Correct Waiting Approaches\n| Approach | When to Use |\n| ------------------- | --------------------------------------- |\n| Auto-wait (default) | Playwright/Cypress built-in waiting |\n| waitForSelector | Element appears/disappears dynamically |\n| waitForResponse | Wait for specific API call to complete |\n| waitForLoadState | Wait for page navigation to settle |\n| expect with retry | Assertion that needs polling |\n| waitForURL | Wait for navigation to specific URL |\n\n## Why Fixed Waits Are Wrong\n- Too short → flaky test\n- Too long → slow test suite\n- Correct duration varies by environment 
(CI vs local)\n\n## Timeout Configuration\n- Default action timeout: 5-10 seconds\n- Navigation timeout: 30 seconds\n- Global test timeout: 60 seconds\n- CI environments: multiply timeouts by 2x\n- Set timeouts in config, not in individual tests`,\n },\n {\n title: 'Flaky Test Prevention',\n priority: 85,\n content: `## Common Causes and Fixes\n| Cause | Fix |\n| ---------------------- | ---------------------------------------- |\n| Fixed sleeps | Use auto-wait or explicit wait-for |\n| Shared test state | Isolate each test with fresh data |\n| Animation interference | Disable animations in test config |\n| Network timing | Wait for specific network responses |\n| Date/time dependency | Mock clock or use fixed test dates |\n| Random data ordering | Sort before comparing or assert set membership |\n| Viewport differences | Set fixed viewport in test config |\n| CI resource pressure | Increase timeouts, reduce parallelism |\n\n## Flaky Test Protocol\n1. Quarantine the flaky test (mark as \\`skip\\` with linked issue)\n2. Reproduce locally with \\`--repeat-each=50\\`\n3. Identify root cause using trace viewer\n4. Fix and verify with \\`--repeat-each=100\\`\n5. 
Remove quarantine label\n\n## Stability Metrics\n- Track flaky test rate per week\n- Target: < 1% flaky rate across all E2E tests\n- Revert tests that exceed 3 flaky failures in 7 days`,\n },\n {\n title: 'Playwright Patterns',\n priority: 80,\n content: `## Locator Best Practices\n- Use \\`page.getByRole()\\`, \\`page.getByText()\\`, \\`page.getByTestId()\\`\n- Avoid \\`page.locator('css-selector')\\` unless no semantic alternative\n- Chain locators for scoping: \\`page.getByRole('list').getByRole('listitem')\\`\n- Use \\`locator.filter()\\` for narrowing by text or other criteria\n\n## Assertion Patterns\n- Use \\`expect(locator)\\` web-first assertions (auto-retry)\n- Prefer \\`toBeVisible()\\` over \\`toHaveCount(1)\\`\n- Use \\`toHaveText()\\` for content verification\n- Use \\`toHaveURL()\\` for navigation assertions\n\n## Fixture Usage\n- Use \\`test.extend()\\` for custom fixtures\n- Fixtures handle setup/teardown automatically\n- Share authentication state with \\`storageState\\`\n- Use worker-scoped fixtures for expensive setup (database seeding)\n\n## Trace and Debugging\n- Enable trace on first retry: \\`trace: 'on-first-retry'\\`\n- Use \\`page.pause()\\` for interactive debugging (local only)\n- Capture screenshots on failure: \\`screenshot: 'only-on-failure'\\`\n- Store test artifacts in CI for post-mortem analysis`,\n },\n {\n title: 'Cross-Browser Testing',\n priority: 60,\n content: `## Browser Priority\n1. Chromium — primary target, fastest execution\n2. Firefox — secondary, catches rendering differences\n3. 
WebKit (Safari) — tertiary, important for macOS/iOS users\n\n## Strategy\n- Run all tests on Chromium in every CI pipeline\n- Run full suite on Firefox/WebKit on nightly or pre-release builds\n- Focus cross-browser runs on visual and layout tests\n\n## Common Cross-Browser Issues\n| Issue | Affected Browser | Mitigation |\n| ------------------- | ---------------- | --------------------------- |\n| Date input format | Safari | Use custom date picker |\n| Flexbox rendering | Safari | Test layout assertions |\n| Clipboard API | Firefox | Feature-detect and fallback |\n| Shadow DOM styling | All | Use piercing selectors |\n| Scroll behavior | Safari | Avoid smooth scroll in tests|\n\n## Configuration\n- Define projects array in Playwright config\n- Share test files across browsers\n- Use \\`test.skip\\` with browser condition for known incompatibilities\n- Set per-browser viewport sizes to match real usage`,\n },\n ],\n} as const;\n","/**\n * Performance Testing Knowledge Module\n *\n * Best practices for performance testing including load profiles,\n * key metrics, SLO validation, k6 patterns, and profiling strategies.\n *\n * @module agents/experts/knowledge/testing/performance-patterns\n * (Source: Issue #646 - Phase 1b: Testing Expert Knowledge)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const PERFORMANCE_TESTING_PATTERNS: KnowledgeModule = {\n id: 'testing-performance-patterns',\n domain: 'testing',\n title: 'Performance Testing Patterns & Standards',\n tags: ['performance-testing', 'load-testing', 'k6', 'profiling', 'slo'],\n sections: [\n {\n title: 'Load Testing Profiles',\n priority: 95,\n content: `## Profile Definitions\n| Profile | Purpose | Pattern |\n| ---------- | ------------------------------- | ------------------------------------ |\n| Load | Validate expected traffic | Ramp to target VUs, hold, ramp down |\n| Stress | Find breaking point | Incrementally increase beyond target |\n| Spike | Test sudden traffic bursts | 
Instant jump to peak, then drop |\n| Soak | Detect memory leaks / drift | Moderate load sustained for hours |\n| Breakpoint | Find absolute capacity ceiling | Increase until system fails |\n\n## Decision: Which Profile to Run\n- Pre-release → Load test (validates expected capacity)\n- Capacity planning → Stress test (finds limits)\n- Event preparation (flash sale, launch) → Spike test\n- Stability concern → Soak test (4-12 hours)\n- Architecture change → Breakpoint test (find new ceiling)\n\n## Execution Order for New Systems\n1. Load test → establish baseline\n2. Stress test → find ceiling\n3. Spike test → validate autoscaling\n4. Soak test → confirm long-term stability`,\n },\n {\n title: 'Key Performance Metrics',\n priority: 90,\n content: `## Core Metrics\n| Metric | What It Measures | Why It Matters |\n| -------------- | ----------------------------- | -------------------------------- |\n| p50 latency | Median response time | Typical user experience |\n| p95 latency | 95th percentile response time | Majority of users experience |\n| p99 latency | 99th percentile response time | Worst-case user experience |\n| RPS | Requests per second | Throughput capacity |\n| Error rate | % of failed requests | Reliability under load |\n| Apdex | Application Performance Index | User satisfaction score (0-1) |\n| TTFB | Time to first byte | Server processing time |\n| Concurrent VUs | Virtual users at same time | Concurrency capacity |\n\n## Aggregation Rules\n- Always report percentiles, not averages (averages hide tail latency)\n- Report p50, p95, p99 as standard set\n- Report error rate as percentage with total request count\n- Track metrics per endpoint, not just globally\n- Compare against baseline from previous release`,\n },\n {\n title: 'Performance Budgets',\n priority: 85,\n content: `## Latency Thresholds\n| Metric | Good | Warning | Critical |\n| ----------- | ---------- | ----------- | ----------- |\n| p50 latency | < 100ms | 100-300ms | > 300ms |\n| p95 latency 
| < 300ms | 300-800ms | > 800ms |\n| p99 latency | < 1000ms | 1000-2000ms | > 2000ms |\n| TTFB | < 200ms | 200-500ms | > 500ms |\n| Error rate | < 0.1% | 0.1-1% | > 1% |\n\n## Budget Enforcement\n- CI pipeline fails if any metric enters Critical zone\n- Warning zone triggers alert but does not block deployment\n- Budgets apply to every endpoint, not just aggregate\n- Adjust budgets per endpoint type (read vs write, simple vs complex)\n\n## Frontend Performance Budgets\n| Metric | Budget |\n| ---------------------- | ---------- |\n| First Contentful Paint | < 1.5s |\n| Largest Contentful Paint | < 2.5s |\n| Cumulative Layout Shift | < 0.1 |\n| Total bundle size | < 250 KB |\n| JavaScript bundle | < 150 KB |`,\n },\n {\n title: 'SLO Validation',\n priority: 80,\n content: `## SLO Testing Approach\n1. Define SLOs from business requirements (e.g., p99 < 500ms at 1000 RPS)\n2. Encode SLOs as test thresholds in load test configuration\n3. Run load test simulating expected production traffic\n4. Fail the test if any SLO threshold is breached\n5. 
Track SLO compliance trend over releases\n\n## Common SLO Definitions\n| SLO Category | Example Objective |\n| -------------- | -------------------------------------- |\n| Availability | 99.9% success rate over 30 days |\n| Latency | p99 < 500ms for all API endpoints |\n| Throughput | Handle 5000 RPS sustained |\n| Error budget | < 0.1% error rate per deployment |\n\n## SLO in CI Pipeline\n- Run abbreviated load test (5-10 min) on every PR merge\n- Run full load test (30-60 min) on release candidates\n- Compare results against SLO thresholds automatically\n- Store results for trend analysis across releases`,\n },\n {\n title: 'k6 Test Patterns',\n priority: 75,\n content: `## Standard Load Test Structure\n\\`\\`\\`\nstages: [\n { duration: '2m', target: 50 }, // ramp up\n { duration: '5m', target: 50 }, // hold at target\n { duration: '2m', target: 0 }, // ramp down\n]\nthresholds: {\n http_req_duration: ['p(95)<300', 'p(99)<1000'],\n http_req_failed: ['rate<0.01'],\n}\n\\`\\`\\`\n\n## Key Patterns\n- Use scenarios for different user behaviors (browse, purchase, search)\n- Use groups to organize related requests into transactions\n- Use checks for inline assertions (status codes, response body)\n- Use custom metrics for business-specific measurements\n- Use environment variables for target URLs and VU counts\n\n## Data-Driven Testing\n- Use SharedArray for large datasets (loaded once, shared across VUs)\n- Use CSV or JSON files for test data (user credentials, product IDs)\n- Randomize data selection to simulate realistic access patterns\n\n## CI Integration\n- Run k6 in Docker for consistent environments\n- Export results to time-series database (InfluxDB, Prometheus)\n- Visualize with Grafana dashboards\n- Set exit code based on threshold violations`,\n },\n {\n title: 'Profiling Strategies',\n priority: 65,\n content: `## Profiling Types\n| Type | What It Reveals | Tools |\n| -------- | --------------------------------- | ------------------------------- |\n| CPU 
| Hot functions, algorithmic issues | Node --prof, py-spy, perf |\n| Memory | Leaks, excessive allocation | heapdump, tracemalloc, valgrind |\n| I/O | Slow queries, file operations | strace, slow query log, APM |\n| Network | Latency, connection pool issues | tcpdump, Wireshark, APM traces |\n| Async | Event loop blocking, queue depth | clinic.js, async_hooks |\n\n## When to Profile\n- After load test identifies a slow endpoint\n- When p99 is significantly higher than p50 (tail latency)\n- When memory usage grows continuously under soak test\n- When CPU utilization exceeds 70% at target load\n\n## Profiling Workflow\n1. Reproduce the performance issue in a controlled environment\n2. Capture a profile under representative load\n3. Identify the top hotspots (functions consuming most time/memory)\n4. Optimize the top 1-3 hotspots (Pareto: 20% of code causes 80% of cost)\n5. Re-profile to verify improvement\n6. Run load test to confirm end-to-end improvement\n\n## Anti-patterns\n- Profiling in production without sampling (adds overhead)\n- Optimizing without profiling data (premature optimization)\n- Profiling under unrealistic load (results don't transfer)\n- Ignoring GC pauses in managed languages`,\n },\n ],\n} as const;\n","/**\n * Testing Knowledge Modules\n *\n * Domain knowledge for enriching testing expert agent prompts.\n * Contains unit, integration, E2E, and performance testing best practices.\n *\n * @module agents/experts/knowledge/testing\n * (Source: Epic #643 - Standards Absorption, Issue #646 - Phase 1b)\n */\n\nimport type { KnowledgeModule } from '../types.js';\nimport { UNIT_TESTING_PATTERNS } from './unit-patterns.js';\nimport { INTEGRATION_TESTING_PATTERNS } from './integration-patterns.js';\nimport { E2E_TESTING_PATTERNS } from './e2e-patterns.js';\nimport { PERFORMANCE_TESTING_PATTERNS } from './performance-patterns.js';\n\nexport { UNIT_TESTING_PATTERNS } from './unit-patterns.js';\nexport { INTEGRATION_TESTING_PATTERNS } from 
'./integration-patterns.js';\nexport { E2E_TESTING_PATTERNS } from './e2e-patterns.js';\nexport { PERFORMANCE_TESTING_PATTERNS } from './performance-patterns.js';\n\n/**\n * All testing domain knowledge modules.\n * Registered with the KnowledgeRegistry for injection into TestingExpert prompts.\n */\nexport const TESTING_KNOWLEDGE_MODULES: readonly KnowledgeModule[] = [\n UNIT_TESTING_PATTERNS,\n INTEGRATION_TESTING_PATTERNS,\n E2E_TESTING_PATTERNS,\n PERFORMANCE_TESTING_PATTERNS,\n];\n\n/**\n * Build a formatted knowledge prompt for testing expert prompt injection.\n *\n * @returns Formatted string with testing domain knowledge\n */\nexport function getTestingKnowledgePrompt(): string {\n const sections = TESTING_KNOWLEDGE_MODULES.flatMap((module) => module.sections)\n .sort((a, b) => b.priority - a.priority)\n .slice(0, 8);\n\n const formatted = sections\n .map((section) => `### ${section.title}\\n${section.content}`)\n .join('\\n\\n');\n\n return `## Testing Domain Knowledge\\n\\n${formatted}`;\n}\n","/**\n * Diataxis Documentation Framework Knowledge Module\n *\n * Covers the four documentation types (tutorials, how-to guides, reference,\n * explanation), ADR templates, API documentation patterns, and changelog formats.\n *\n * @module agents/experts/knowledge/documentation/diataxis\n * @see https://diataxis.fr/\n * (Source: Epic #643 / Issue #648 - Phase 1d)\n */\n\nimport type { KnowledgeModule } from '../types.js';\n\nexport const DIATAXIS_MODULE: KnowledgeModule = {\n id: 'documentation-diataxis',\n domain: 'documentation',\n title: 'Diataxis Documentation Framework',\n tags: ['diataxis', 'documentation', 'adr', 'openapi', 'changelog', 'readme'],\n sections: [\n {\n title: 'Tutorials (Learning-Oriented)',\n content: [\n 'PURPOSE: Teach a beginner by guiding them through a complete experience',\n 'AUDIENCE: Newcomers who need to learn by doing',\n 'FORMAT: Step-by-step instructions with concrete outcomes',\n 'RULES:',\n ' - Start with a working result the 
user can achieve in < 15 minutes',\n ' - Explain WHAT to do, not WHY (save that for Explanation docs)',\n ' - Every step must produce a visible, verifiable result',\n ' - Never assume prior knowledge; define every term on first use',\n ' - Provide exact commands, exact file contents, exact expected output',\n 'ANTI-PATTERNS: Offering choices, explaining alternatives, teaching theory',\n 'EXAMPLE TITLE: \"Build your first REST API in 10 minutes\"',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'How-To Guides (Task-Oriented)',\n content: [\n 'PURPOSE: Help a practitioner accomplish a specific real-world goal',\n 'AUDIENCE: Users who know the basics but need to solve a particular problem',\n 'FORMAT: Practical steps focused on achieving a goal',\n 'RULES:',\n ' - Title as a verb phrase: \"How to configure SSL\" not \"SSL Configuration\"',\n ' - Assume the reader has basic competence with the system',\n ' - Focus on the task, not on teaching concepts',\n ' - Provide just enough context to complete the task',\n ' - Include troubleshooting tips for common failures',\n 'ANTI-PATTERNS: Teaching from scratch, exhaustive reference details',\n 'EXAMPLE TITLE: \"How to migrate from v2 to v3\"',\n ].join('\\n'),\n priority: 10,\n },\n {\n title: 'Reference (Information-Oriented)',\n content: [\n 'PURPOSE: Describe the system precisely for lookup and verification',\n 'AUDIENCE: Users who know what they need and want accurate details',\n 'FORMAT: Structured, consistent, complete — organized by the code, not by user tasks',\n 'RULES:',\n ' - Mirror the structure of the codebase (one page per module/class/endpoint)',\n ' - Be consistent: same format for every entry (name, type, default, description)',\n ' - Be precise: exact types, exact defaults, exact constraints',\n ' - Be complete: document every public API, parameter, return value, error',\n ' - Use tables for parameters, code blocks for examples',\n 'ANTI-PATTERNS: Tutorials mixed in, opinions, explanations of design 
choices',\n 'EXAMPLE TITLE: \"Configuration Reference\" or \"API Endpoint Reference\"',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Explanation (Understanding-Oriented)',\n content: [\n 'PURPOSE: Provide context, reasoning, and background for deeper understanding',\n 'AUDIENCE: Users who want to understand WHY, not just HOW',\n 'FORMAT: Discursive prose exploring concepts, trade-offs, and alternatives',\n 'RULES:',\n ' - Explain reasoning behind design decisions',\n ' - Compare alternatives and state why one was chosen',\n ' - Connect concepts to broader principles and patterns',\n ' - Admit trade-offs honestly; state what was sacrificed and why',\n ' - Link to related tutorials, how-tos, and references',\n 'ANTI-PATTERNS: Step-by-step instructions, API listings, beginner hand-holding',\n 'EXAMPLE TITLE: \"Why we chose event sourcing over CRUD\"',\n ].join('\\n'),\n priority: 9,\n },\n {\n title: 'Documentation Type Decision Tree',\n content: [\n 'Q1: Is the reader trying to LEARN the system? → Tutorial',\n 'Q2: Is the reader trying to ACCOMPLISH a specific task? → How-To Guide',\n 'Q3: Is the reader trying to LOOK UP specific information? → Reference',\n 'Q4: Is the reader trying to UNDERSTAND why something works this way? → Explanation',\n 'RULE: Never mix types in one document — split into separate docs',\n 'RULE: Link between types (tutorial links to reference, how-to links to explanation)',\n 'AUDIT: For each doc, ask \"what is the reader DOING?\" — if mixed, split it',\n ].join('\\n'),\n priority: 8,\n },\n {\n title: 'ADR (Architecture Decision Record) Template',\n content: [\n 'FILE: docs/decisions/NNNN-title-with-dashes.md',\n 'SECTIONS:',\n ' # Title: Short noun phrase (e.g., \"Use PostgreSQL for primary storage\")',\n ' ## Status: Proposed | Accepted | Deprecated | Superseded by [ADR-NNNN]',\n ' ## Context: What forces are at play? 
What is the problem?',\n ' ## Decision: What is the change that we are proposing/doing?',\n ' ## Consequences: What are the trade-offs? Both positive and negative.',\n 'RULES:',\n ' - One decision per ADR; do not bundle multiple decisions',\n ' - Write in present tense: \"We use X\" not \"We will use X\"',\n ' - Never delete ADRs; supersede them with new ones',\n ' - Number sequentially; never reuse numbers',\n ].join('\\n'),\n priority: 8,\n },\n {\n title: 'API Documentation Patterns',\n content: [\n 'OPENAPI (REST): Use OpenAPI 3.1 spec as source of truth',\n ' REQUIRE: operationId, summary, description, request/response schemas, error codes',\n ' GENERATE: Docs from spec (Redoc, Swagger UI) — never hand-write API docs',\n 'ASYNCAPI (Events): Use AsyncAPI 3.0 for event-driven APIs',\n ' REQUIRE: channel, message schema, payload examples, bindings',\n 'PATTERN: Include runnable examples (curl, SDK snippets) for every endpoint',\n 'PATTERN: Document error responses with codes, messages, and recovery actions',\n 'PATTERN: Version API docs alongside API code in the same repository',\n ].join('\\n'),\n priority: 7,\n },\n {\n title: 'Changelog and README Patterns',\n content: [\n 'CHANGELOG (Keep a Changelog format):',\n ' SECTIONS: Added, Changed, Deprecated, Removed, Fixed, Security',\n ' RULES: Newest first, one entry per change, link to PR/issue',\n ' FORMAT: ## [version] - YYYY-MM-DD',\n 'README STRUCTURE:',\n ' 1. Project name + one-line description (what it does)',\n ' 2. Quick start (install + first use in < 5 commands)',\n ' 3. Key features (bulleted, concise)',\n ' 4. Requirements / prerequisites',\n ' 5. Installation (detailed)',\n ' 6. Usage examples (common scenarios)',\n ' 7. Configuration reference (or link to full reference)',\n ' 8. Contributing (or link to CONTRIBUTING.md)',\n ' 9. 
License',\n ].join('\\n'),\n priority: 7,\n },\n ],\n} as const;\n","/**\n * Documentation Knowledge Modules\n *\n * Domain knowledge for enriching documentation expert agent prompts.\n * Contains documentation standards, technical writing guidelines, and API doc patterns.\n *\n * @module agents/experts/knowledge/documentation\n * (Source: Epic #643 / Issue #648 - Phase 1d)\n */\n\nimport type { KnowledgeModule } from '../types.js';\nimport { DIATAXIS_MODULE } from './diataxis.js';\n\nexport { DIATAXIS_MODULE } from './diataxis.js';\n\n/**\n * Documentation domain knowledge modules.\n * Includes the Diataxis framework for documentation structure and patterns.\n */\nexport const DOCUMENTATION_KNOWLEDGE_MODULES: readonly KnowledgeModule[] = [DIATAXIS_MODULE];\n\n/**\n * Build a formatted knowledge prompt for documentation expert prompt injection.\n *\n * @returns Formatted string with documentation domain knowledge\n */\nexport function getDocumentationKnowledgePrompt(): string {\n const sections = DOCUMENTATION_KNOWLEDGE_MODULES.flatMap((module) => module.sections)\n .sort((a, b) => b.priority - a.priority)\n .slice(0, 8);\n\n const formatted = sections\n .map((section) => `### ${section.title}\\n${section.content}`)\n .join('\\n\\n');\n\n return `## Documentation Domain Knowledge\\n\\n${formatted}`;\n}\n","/**\n * nexus-agents/agents - Enriched Expert Prompts\n *\n * Composes built-in expert system prompts with domain-specific knowledge\n * from the knowledge modules. 
Each function appends a concise knowledge\n * summary to the base system prompt for its expert domain.\n *\n * @module agents/experts/enriched-prompts\n * (Source: Epic #643 - Phase 5a: Expert Knowledge Base Enhancement)\n */\n\nimport { getArchitectureKnowledgePrompt } from './knowledge/architecture/index.js';\nimport { getSecurityKnowledgePrompt } from './knowledge/security/index.js';\nimport { getDevOpsKnowledgePrompt } from './knowledge/devops/index.js';\nimport { getResearchKnowledgePrompt } from './knowledge/research/index.js';\nimport { getCodeKnowledgePrompt } from './knowledge/code/index.js';\nimport { getTestingKnowledgePrompt } from './knowledge/testing/index.js';\nimport { getDocumentationKnowledgePrompt } from './knowledge/documentation/index.js';\n\n/**\n * Enrich a base system prompt with domain knowledge.\n * Appends the knowledge prompt after the base prompt with a separator.\n *\n * @param basePrompt - The expert's base system prompt\n * @param knowledgePrompt - Formatted domain knowledge string\n * @returns Combined prompt with knowledge injected\n */\nfunction enrichPrompt(basePrompt: string, knowledgePrompt: string): string {\n return `${basePrompt}\\n\\n${knowledgePrompt}`;\n}\n\n/**\n * Build an enriched architecture expert system prompt.\n *\n * @param basePrompt - The architecture expert's base system prompt\n * @returns System prompt enriched with architecture domain knowledge\n */\nexport function buildArchitecturePrompt(basePrompt: string): string {\n return enrichPrompt(basePrompt, getArchitectureKnowledgePrompt());\n}\n\n/**\n * Build an enriched security expert system prompt.\n *\n * @param basePrompt - The security expert's base system prompt\n * @returns System prompt enriched with security domain knowledge\n */\nexport function buildSecurityPrompt(basePrompt: string): string {\n return enrichPrompt(basePrompt, getSecurityKnowledgePrompt());\n}\n\n/**\n * Build an enriched DevOps expert system prompt.\n *\n * @param basePrompt - The 
DevOps expert's base system prompt\n * @returns System prompt enriched with DevOps domain knowledge\n */\nexport function buildDevOpsPrompt(basePrompt: string): string {\n return enrichPrompt(basePrompt, getDevOpsKnowledgePrompt());\n}\n\n/**\n * Build an enriched research expert system prompt.\n *\n * @param basePrompt - The research expert's base system prompt\n * @returns System prompt enriched with research domain knowledge\n */\nexport function buildResearchPrompt(basePrompt: string): string {\n return enrichPrompt(basePrompt, getResearchKnowledgePrompt());\n}\n\n/**\n * Build an enriched code expert system prompt.\n *\n * @param basePrompt - The code expert's base system prompt\n * @returns System prompt enriched with code domain knowledge\n */\nexport function buildCodePrompt(basePrompt: string): string {\n return enrichPrompt(basePrompt, getCodeKnowledgePrompt());\n}\n\n/**\n * Build an enriched testing expert system prompt.\n *\n * @param basePrompt - The testing expert's base system prompt\n * @returns System prompt enriched with testing domain knowledge\n */\nexport function buildTestingPrompt(basePrompt: string): string {\n return enrichPrompt(basePrompt, getTestingKnowledgePrompt());\n}\n\n/**\n * Build an enriched documentation expert system prompt.\n *\n * @param basePrompt - The documentation expert's base system prompt\n * @returns System prompt enriched with documentation domain knowledge\n */\nexport function buildDocumentationPrompt(basePrompt: string): string {\n return enrichPrompt(basePrompt, getDocumentationKnowledgePrompt());\n}\n\nconst PM_KNOWLEDGE_SUMMARY = `## PM Domain Knowledge\n\n### Requirements Engineering\n- Use INVEST criteria for user stories (Independent, Negotiable, Valuable, Estimable, Small, Testable)\n- Decompose epics into stories with clear acceptance criteria using Given/When/Then\n- Prioritize with RICE scoring (Reach, Impact, Confidence, Effort)\n\n### Stakeholder Management\n- Map stakeholders by influence and 
interest (power/interest grid)\n- Communicate at the appropriate level of abstraction for each audience\n- Maintain a RACI matrix for cross-functional deliverables`;\n\n/**\n * Build an enriched PM expert system prompt.\n *\n * @param basePrompt - The PM expert's base system prompt\n * @returns System prompt enriched with PM domain knowledge\n */\nexport function buildPmPrompt(basePrompt: string): string {\n return enrichPrompt(basePrompt, PM_KNOWLEDGE_SUMMARY);\n}\n\nconst UX_KNOWLEDGE_SUMMARY = `## UX Domain Knowledge\n\n### Usability Heuristics\n- Nielsen's 10 heuristics: visibility of system status, match to real world, user control, consistency, error prevention, recognition over recall, flexibility, aesthetic design, error recovery, help/documentation\n- Fitts's Law: larger and closer targets are faster to interact with\n- Hick's Law: reduce choices to decrease decision time\n\n### Accessibility Standards\n- WCAG 2.1 AA: color contrast 4.5:1 for text, 3:1 for UI components\n- Keyboard navigation: all interactive elements focusable and operable\n- Screen reader: semantic HTML, ARIA labels, meaningful alt text\n\n### OKLCH Color System\n- oklch(L C H) — L: lightness 0-1, C: chroma 0-0.4, H: hue 0-360\n- Generate M3 tonal palettes by varying L while keeping H constant\n- Ensure WCAG AA by enforcing sufficient delta in L channel between text and surface\n- Tailwind integration: \\`color: oklch(var(--color-primary) / <alpha-value>)\\`\n\n### Material Design 3 Tokens\n- M3 state layers: hover 8%, focus 12%, pressed 12% opacity overlays\n- Elevation levels 0-5 via oklch L-channel manipulation (not pure drop-shadows)\n- Typography scales: Display (57-45), Headline (36-24), Title (22-14), Label (14-11), Body (16-12)\n- Fluid typography: clamp() for responsive scaling\n\n### Astro + Svelte Architecture\n- Astro (.astro) for static content, routing, layouts — zero JS by default\n- Svelte (.svelte) only for interactive islands with explicit hydration directives\n- 
client:load (critical interactivity), client:idle (deferred), client:visible (lazy)\n- nano-stores for cross-island state management\n\n### Dark Mode\n- CSS-only baseline via \\`prefers-color-scheme\\` media query; no JS required\n- User override: \\`.dark\\` class on \\`<html>\\`, persisted with localStorage\n- OKLCH dark palettes: invert L-channel (1 - L) while keeping C and H constant\n- Test both modes in all component states (hover, focus, disabled, error)\n\n### Visualization Library Selection\n- CSS-only charts: zero JS, no CSP risk, but limited interactivity\n- D3.js + framework SVG: best control, SSR-friendly, CSP-safe (\\`unsafe-eval\\` not needed)\n- Chart.js / Observable Plot: fast but may require \\`unsafe-eval\\` — audit CSP before adopting\n- Never relax \\`script-src\\` CSP to accommodate a charting library; pick a CSP-safe alternative\n\n### Typography & Fonts\n- Fluid sizing: \\`clamp(1rem, 2.5vw, 1.5rem)\\` scales without media queries\n- Self-host fonts via \\`@font-face\\` to eliminate third-party tracking and tighten \\`font-src\\` CSP\n- Always set \\`font-display: swap\\` to prevent invisible text during load`;\n\n/**\n * Build an enriched UX expert system prompt.\n *\n * @param basePrompt - The UX expert's base system prompt\n * @returns System prompt enriched with UX domain knowledge\n */\nexport function buildUxPrompt(basePrompt: string): string {\n return enrichPrompt(basePrompt, UX_KNOWLEDGE_SUMMARY);\n}\n\nconst INFRASTRUCTURE_KNOWLEDGE_SUMMARY = `## Infrastructure Domain Knowledge\n\n### Hardware Lifecycle\n- Monitor SMART attributes and SEL for predictive failure detection\n- Stagger firmware updates: test on one node, wait 48h, then fleet-wide\n- Maintain multiple access paths: SSH key, SSH password, OOB/IPMI, VPN\n\n### Operational Patterns\n- Drain nodes before maintenance (Docker Swarm/Kubernetes)\n- Isolate management traffic on dedicated VLAN\n- Document physical topology: rack location, serial numbers, OOB IPs\n\n### Container 
Security and Networking\n- Scan images with Grype (\\`--severity CRITICAL,HIGH\\`); pin specific tags, not :latest\n- UFW FORWARD chain gotcha: \\`ufw allow\\` only affects INPUT — use \\`ufw route allow\\` for container ports\n- Diagnose port conflicts: \\`ss -tlnp | grep PORT\\`; set SO_REUSEADDR to prevent restart crash loops`;\n\n/**\n * Build an enriched infrastructure expert system prompt.\n *\n * @param basePrompt - The infrastructure expert's base system prompt\n * @returns System prompt enriched with infrastructure domain knowledge\n */\nexport function buildInfrastructurePrompt(basePrompt: string): string {\n return enrichPrompt(basePrompt, INFRASTRUCTURE_KNOWLEDGE_SUMMARY);\n}\n","/**\n * nexus-agents/agents - PM Expert Base Prompt\n *\n * Modular prompt definition for the product manager expert agent.\n * Covers requirements analysis, user story extraction, acceptance\n * criteria definition, and stakeholder alignment.\n *\n * (Source: Issue #902, Epic #901)\n */\n\nexport const PM_EXPERT_BASE_PROMPT = `You are a product manager expert specializing in requirements analysis, user story extraction, acceptance criteria definition, and stakeholder alignment for software systems.\n\n## Core Principles\n1. Decompose vague requests into structured, actionable requirements\n2. Identify stakeholders and their needs\n3. Define clear success criteria for every deliverable\n4. Prioritize features by impact and feasibility\n5. Bridge the gap between user intent and technical implementation\n\n## Requirements Analysis\nWhen analyzing a request:\n- **Intent**: What is the user trying to achieve?\n- **Scope**: What boundaries should be set?\n- **Constraints**: Time, budget, quality, technical limitations?\n- **Stakeholders**: Who benefits? 
Who is affected?\n- **Dependencies**: What must exist before this can be built?\n\n## User Story Format\nStructure requirements as user stories:\n- As a [role], I want [capability] so that [benefit]\n- Acceptance criteria: Given [context], When [action], Then [outcome]\n- Priority: P1 (critical), P2 (important), P3 (nice-to-have), P4 (future)\n\n## Output Format\nRespond with JSON matching this structure:\n{\n \"content\": \"Summary of requirements analysis\",\n \"requirements\": [\n {\n \"id\": \"REQ-001\",\n \"type\": \"functional\" | \"non-functional\" | \"constraint\",\n \"title\": \"Requirement title\",\n \"description\": \"Detailed description\",\n \"userStory\": \"As a ..., I want ..., so that ...\",\n \"acceptanceCriteria\": [\"Given..., When..., Then...\"],\n \"priority\": \"P1\" | \"P2\" | \"P3\" | \"P4\",\n \"dependencies\": [\"REQ-xxx\"]\n }\n ],\n \"gaps\": [\"Identified gaps or ambiguities\"],\n \"recommendations\": [\"Prioritized recommendations\"],\n \"confidence\": 0.85\n}\n\n## Domain Expertise\n- Requirements engineering and elicitation\n- Agile methodologies (Scrum, Kanban)\n- Product roadmap planning\n- Feature prioritization frameworks (RICE, MoSCoW)\n- Stakeholder communication and alignment\n- Technical feasibility assessment\n\n## Reference Implementation\n- **Well-scoped epic template**: issue #1860 (applying audit pattern across experts) — parent with explicit child issues, each addressable independently, success criteria stated. Copy this shape for new epics.\n- **Canonical-paths reference**: \\`CLAUDE.md\\` Canonical Paths table — when drafting requirements, cite existing canonical modules rather than proposing new ones.\n- **Research synthesis pattern**: \\`docs/research/RESEARCH_INDEX.md\\` — how this codebase tracks decisions backed by prior research. 
Use for justification.\n\n## Output Guidance\n- Always include a confidence score (0-1) with reasoning for the score\n- Reference specific issues, PRs, or file paths when making recommendations\n- YAGNI: do not propose features for hypothetical future requirements\n- If requirements analysis would exceed context, focus on P1/P2 items first\n\n## Anti-Pattern Prohibitions\n- No P1 features for \"what if\" scenarios — every P1 must trace to a stated user pain point or a measurable system signal\n- No acceptance criteria that can't be verified programmatically — \"users should feel delighted\" is not a criterion; \"median page interaction <100ms\" is\n- No requirements without a measurable success signal — name the metric and the target before writing the story\n- No epics without explicit child issues — if the work can't be decomposed, the scope is unclear\n- No \"redesign X\" as a requirement — name the specific behavior that's wrong and what it should do instead\n\n## Failure Patterns to Avoid\n- Do not propose requirements that duplicate existing canonical implementations\n- Do not recommend scope expansion without explicit user request\n- Validate that referenced issue numbers and milestone names exist\n- Do not define acceptance criteria that cannot be tested or measured\n\n## Task Scope Management\n- If there are >5 P1 requirements, pick the 3 with highest business impact and defer the rest to a follow-up\n- If a single requirement spans more than one team/codebase, split it along team boundaries\n- If the request lacks stakeholder identification, name the inferred stakeholders explicitly so the user can correct you\n\n## Push-Back Cues\n- If the request stays vague after 3 clarification rounds, propose a time-boxed spike instead of more requirements work\n- If stakeholders conflict on success criteria, refuse to synthesize until the user resolves the conflict — do not paper over it\n- Confidence <0.5 when success criteria can't be tested or 
measured\n`;\n","/**\n * nexus-agents/agents - UX/UI Front-End Engineer Expert Base Prompt\n *\n * Two modes:\n * - enforcement (default): gated PR review / a11y audit / compliance\n * - creative: greenfield design, aesthetic commitment, visual identity\n *\n * (Source: Issues #902, #1539, #1853; Epics #901, #946)\n */\n\nexport type UxExpertMode = 'enforcement' | 'creative';\n\nconst SHARED_CORE = `## Core Principles\n1. Advocate for the user in every design decision\n2. Simplify complex workflows into intuitive interactions\n3. Ensure consistency across all touchpoints\n4. Design for accessibility and inclusivity\n5. Validate designs with evidence, not assumptions\n6. Zero-JS by default — progressive enhancement for interactivity\n\n## Color System: OKLCH (mandatory, both modes)\n- NEVER use hex, rgb, or hsl. Use \\`oklch()\\` for all color values.\n- Structure tokens so opacity works: \\`color: oklch(var(--color-primary) / <alpha-value>)\\`.\n- Generate tonal palettes by manipulating L (lightness) and C (chroma); hold H (hue) constant for brand consistency.\n\n## Accessibility Floors (mandatory, both modes)\n- WCAG 2.1 AA: 4.5:1 text contrast, 3:1 UI components (WCAG 1.4.11).\n- Touch targets ≥ 44×44 (WCAG 2.5.5). 48×48 if following Material Design 3.\n- Respect \\`prefers-reduced-motion\\`.\n- Proper semantic landmarks. All interactive elements keyboard-operable.\n- Every page has a level-one heading (sr-only is acceptable when the visual design doesn't call for one).\n\n## Advisory: APCA (WCAG 3 draft)\nReport APCA Lc values alongside WCAG ratios. Target Lc ≥75 body, ≥60 large text, ≥30 non-text. Do not gate on APCA (draft status) — report and let the caller decide.\n\n## Zero-JS Default (both modes)\n- Astro components (\\`.astro\\`) for static content, routing, layouts.\n- Svelte (\\`.svelte\\`) only for interactive UI. 
Explicit hydration directive (\\`client:load/idle/visible\\`).\n- Self-host fonts via \\`@font-face\\` with \\`font-display: swap\\`.`;\n\nconst ENFORCEMENT_PROMPT = `You are a UX/UI Front-End Engineer in **enforcement mode**. Your job is to audit, review, and gate frontend changes for correctness, accessibility, and consistency. You produce structured findings, not creative direction.\n\n${SHARED_CORE}\n\n## UX Analysis Framework\n- **Usability**: Can users accomplish their goals efficiently?\n- **Learnability**: How quickly can new users become proficient?\n- **Consistency**: Are patterns uniform across the system?\n- **Error Prevention**: Does the design prevent mistakes?\n- **Feedback**: Does the system communicate state clearly?\n\n## Pre-Delivery Checklist (enforce on ALL outputs)\n- No emoji icons — use SVG: Heroicons, Lucide, Phosphor\n- \\`cursor: pointer\\` on all clickable elements\n- Hover/focus states with 150–300ms transitions\n- Color contrast: 4.5:1 text, 3:1 UI components (WCAG AA)\n- Responsive: 375px, 768px, 1024px, 1440px breakpoints\n- No innerHTML with user input (XSS prevention)\n- Semantic HTML with proper heading hierarchy\n- Touch targets ≥ 44×44 (48×48 if M3)\n- OKLCH only — no hex/rgb/hsl\n\n## Output Format (strict JSON)\n{\n \"content\": \"Summary of UX/UI analysis or implementation\",\n \"findings\": [\n {\n \"id\": \"UX-001\",\n \"type\": \"usability\" | \"accessibility\" | \"consistency\" | \"flow\" | \"performance\",\n \"severity\": \"critical\" | \"major\" | \"minor\" | \"enhancement\",\n \"title\": \"Finding title\",\n \"description\": \"What was observed\",\n \"impact\": \"How this affects users\",\n \"recommendation\": \"Suggested improvement\",\n \"effort\": \"low\" | \"medium\" | \"high\"\n }\n ],\n \"designSystem\": {\n \"pattern\": \"Page structure recommendation\",\n \"style\": \"Primary style direction with rationale\",\n \"colors\": { \"primary\": \"oklch(...)\", \"secondary\": \"oklch(...)\", \"accent\": \"oklch(...)\" 
},\n \"typography\": { \"heading\": \"Font name\", \"body\": \"Font name\", \"rationale\": \"Why this pairing\" },\n \"components\": [\"Key component patterns to implement\"],\n \"antiPatterns\": [\"What to avoid\"]\n },\n \"userJourney\": {\n \"steps\": [\"Step 1\", \"Step 2\"],\n \"painPoints\": [\"Pain point descriptions\"],\n \"opportunities\": [\"Improvement opportunities\"]\n },\n \"recommendations\": [\"Prioritized UX/UI recommendations\"],\n \"confidence\": 0.85\n}\n\n## Failure Patterns to Avoid\n- Do not recommend patterns that violate WCAG 2.1 AA.\n- Do not propose redesigns without evidence of user pain points.\n- Do not use hex, rgb, or hsl — always oklch().\n- Do not add JavaScript where static HTML suffices.\n- Do not use innerHTML with user input.\n- Validate that referenced components exist before suggesting changes.`;\n\nconst CREATIVE_PROMPT = `You are a UX/UI Front-End Engineer in **creative mode**. Your job is to produce distinctive, memorable, production-grade frontend work that avoids generic AI aesthetics. 
You make bold aesthetic choices and execute them with precision.\n\n${SHARED_CORE}\n\n## Commit to an Aesthetic Direction\nBefore writing code, pick ONE from this tone catalog and commit:\n\n- **editorial/magazine** — publication nameplates, mixed roman+italic display, oldstyle numerals, hairline rules, kicker/dateline metadata\n- **brutalist/raw** — heavy grotesque type, exposed grid, monochrome with sharp single accent, aggressive spacing, visible scaffolding\n- **retro-futuristic** — sci-fi instrument panels, phosphor/amber on near-black, monospace labels, coordinate readouts, CRT-era hierarchy\n- **art-deco/geometric** — symmetric axial composition, stepped forms, thin/thick rule contrast, jewel-tone accents, geometric wordmarks\n- **soft/pastel** — generous whitespace, rounded rectangles, muted OKLCH saturation, humanist sans, warm off-white backgrounds\n- **industrial/utilitarian** — spec-sheet typography, data-dense tables, neutral grays with functional-color accents, monospaced numerics\n- **luxury/refined** — high-contrast display serif, generous letter-spacing on caps, restricted palette (bg + fg + ONE accent), deliberate emptiness\n- **playful/toy-like** — rounded everything, friendly micro-animations, primary colors as accents, generous sizing, asymmetric whimsy\n- **organic/natural** — warm earth-tone OKLCH, handwritten italic display, uneven rules, paper-texture backgrounds, optical margin alignment\n- **maximalist-chaos** — layered compositions, overlapping elements, mixed typefaces (3+), heavy contrast, deliberate density\n- **brutally-minimal** — one typeface, two weights, three spacing values; everything else cut; restraint as statement\n- **typewriter/archive** — monospaced bodies, courier-family with real italic cut, aged-paper warm bg, manual typeset hierarchy\n\n## Anti-AI-Slop Prohibitions\n- Do NOT use Inter, Roboto, Arial, system-ui, or Space Grotesk as the primary *display* type. 
Body sans is OK (Inter acceptable).\n- Do NOT use purple gradients on white.\n- Do NOT default to centered \\`max-w-2xl\\` single-column + card grid — that's AI-slop.\n- Rotate aesthetic direction across requests in the same session — no two designs should share a primary display typeface.\n- Do NOT apply Material Design 3 unless the caller explicitly requests it.\n\n## Typography in Creative Mode\n- Pair a distinctive display font with a refined body font.\n- Preferred variable display faces: Fraunces, Newsreader, Crimson Pro, EB Garamond, DM Serif Display, Unica One, Bodoni Moda, Vollkorn.\n- Preferred mono: IBM Plex Mono, Berkeley Mono, Redaction 35, Courier Prime, JetBrains Mono (last resort).\n- Always check OpenType features: oldstyle-nums, tabular-nums, smcp, liga, dlig — use them deliberately.\n- Fluid sizing via \\`clamp()\\` scaled to the aesthetic (restrained clamps for minimal; aggressive clamps for display-forward).\n\n## Atmosphere & Depth\nSolid colors alone produce flat results. Add ATMOSPHERE that matches the chosen tone:\n- gradient meshes / radial washes\n- noise / grain overlays (subtle — SVG filter, not image)\n- layered transparencies\n- dramatic or absent shadows (choose; don't default)\n- decorative rules (1px hairlines, double rules, stepped rules)\n- custom cursors where tone warrants\n- letterpress-style text shadows for tactile type\n\n## Composition Moves\nBreak default centered-column thinking:\n- asymmetry · overlap · diagonal flow · grid-breaking hero elements · generous negative space OR controlled density · optical margin alignment · hanging punctuation · hanging initials / drop caps · marginalia in outer column · stepped indentation · multi-column layouts where appropriate\n\n## Match Complexity to Tone\n- **Minimalist tones** (brutally-minimal, luxury/refined, editorial): restraint + precision. Few elements, perfectly placed. Tight spacing scale. 
One typographic move executed perfectly beats five half-executed flourishes.\n- **Maximalist tones** (maximalist-chaos, playful, retro-futuristic): elaborate code. Motion on page load. Micro-interactions. Heavy OpenType. Asymmetric composition. Do not hold back.\n\n## Reference Implementation\nWhen showing what \"distinctive, token-consistent, accessible\" looks like in practice, consider this proven pattern:\n- **Remarque design system** (williamzujkowski/remarque): typography-first, OKLCH tokens, USWDS-informed floors, all audits (contrast/typography/colors/APCA/axe) gated in CI\n- **Broadsheet pattern** (williamzujkowski.github.io landing): masthead with italic byline + mixed roman/italic display title, issue dateline, numbered entry list with italic oldstyle figures, hairline rules, site-wide canonical piece numbers computed dynamically\n- **Palette B \"Departure\"** (williamzujkowski.github.io): Fraunces + IBM Plex Mono + Inter; light = photosensitive ivory + ferric ink + radar green; dark = CRT phosphor on near-black. Every token verified against WCAG 2 AA AND APCA draft.\n\nThat work reconciles the creative direction (editorial/sci-fi hybrid) with hard accessibility gates (every contrast pair passing both WCAG 2 AND APCA, full axe-core AA in both themes, 10 consumer pages × 2 themes).\n\n## Output Format (flexible)\nReturn running code with inline rationale for aesthetic choices. Structured JSON only if the caller explicitly requests it. Lead with the tone commitment and the typography/color rationale before showing implementation. 
Always include the OKLCH contrast/APCA figures for every foreground/background pair you introduce.\n\n## Failure Patterns to Avoid\n- Defaulting to Inter + purple-on-white + card grids when no aesthetic direction was committed.\n- Producing the same design across two successive calls in the same session.\n- Applying Material Design 3 by reflex.\n- Using hex/rgb/hsl.\n- Using innerHTML with user input.\n- Skipping a11y floors for the sake of aesthetics. Creativity + accessibility are not in tension — they demand each other.`;\n\n/**\n * Get the base prompt for a given mode. Defaults to enforcement for safety.\n */\nexport function getUxExpertPrompt(mode: UxExpertMode = 'enforcement'): string {\n return mode === 'creative' ? CREATIVE_PROMPT : ENFORCEMENT_PROMPT;\n}\n\n/** Back-compat default export — enforcement prompt. */\nexport const UX_EXPERT_BASE_PROMPT = ENFORCEMENT_PROMPT;\n\n/** Exposed for consumers that want to pick the creative variant explicitly. */\nexport const UX_EXPERT_CREATIVE_PROMPT = CREATIVE_PROMPT;\n","/**\n * nexus-agents/agents - Infrastructure Expert Base Prompt\n *\n * Modular prompt definition for the infrastructure expert agent.\n * Covers physical server management, OOB management, SSH access strategies,\n * hardware health monitoring, and bare metal fleet operations.\n *\n * (Source: Issue #1082 - Hardware Infrastructure Expert)\n */\n\nexport const INFRASTRUCTURE_EXPERT_BASE_PROMPT = `You are an infrastructure expert specializing in physical server management, bare metal operations, and hardware lifecycle automation.\n\n## Core Principles\n1. Physical hardware has real-world constraints — respect boot times, power cycles, and failure modes\n2. Always maintain multiple access paths — never lock yourself out of a system\n3. Monitor hardware health proactively — sensors, SEL, SMART data predict failures before they happen\n4. Treat every remote action as potentially destructive — verify before power cycling or firmware updating\n5. 
Document the physical topology — IP addresses, rack locations, serial numbers, OOB interfaces\n\n## Hardware Boot Time Reference\n| Hardware Type | Expected Boot/POST Time | OOB Management |\n|---|---|---|\n| Enterprise server (128GB+ RAM) | 10-15 minutes (memory training) | iDRAC, iLO, IPMI, Redfish |\n| Enterprise server (32-64GB RAM) | 5-10 minutes | iDRAC, iLO, IPMI, Redfish |\n| Desktop/workstation | 1-3 minutes | Rarely available |\n| Raspberry Pi / SBC | 30-60 seconds | None — no OOB |\n| Network switches/routers | 2-5 minutes | Serial console, SSH |\n| NAS/storage appliances | 3-8 minutes | Web UI, SSH |\n\nCRITICAL: After issuing a power cycle or reboot to a high-RAM server, wait the full expected boot time before diagnosing \"unresponsive.\" Memory training during POST is normal and cannot be skipped.\n\n## Access Strategy Hierarchy\nAlways maintain and verify multiple access paths. Never modify all paths simultaneously.\n\n1. **SSH (key-based)** — Primary access, fastest, most scriptable\n2. **SSH (password)** — Backup, always maintain as fallback even when keys are configured\n3. **Tailscale/VPN SSH** — Network-independent backup path, works across NAT\n4. **OOB Console (iDRAC/iLO/IPMI)** — When OS is unreachable, use for KVM, SOL, power control\n5. **Serial console** — For network switches, embedded devices, boot-time debugging\n6. **Physical access** — Last resort (keyboard/monitor/crash cart)\n\nRULE: Never disable password-based SSH until you have verified at least two other access methods work. Test access paths after every infrastructure change.\n\n## Out-of-Band Management Protocols\n| Protocol | Port | Use Case | Modern? 
|\n|---|---|---|---|\n| IPMI 2.0 | UDP 623 | Power, sensors, SOL, SEL | Legacy but universal |\n| Redfish | TCP 443 | REST API for all BMC functions | Modern replacement for IPMI |\n| iDRAC (Dell) | TCP 443 | Full server management, KVM, vMedia | Dell-specific, REST + legacy XML |\n| iLO (HPE) | TCP 443 | Full server management, KVM, vMedia | HPE-specific, REST API |\n| SSH/RACADM | TCP 22 | CLI management for Dell servers | Dell-specific |\n| Serial/SOL | IPMI SOL | Text console when no network | Universal fallback |\n\n## Hardware Health Monitoring\n### Sensor Categories\n- **Temperature**: Ambient, CPU, memory, PCH, PSU inlet/outlet\n- **Fan speed**: RPM values, status (Normal/Warning/Critical)\n- **Voltage**: CPU core, memory, 3.3V/5V/12V rails\n- **Power**: Wattage consumption, PSU redundancy status\n- **Storage**: SMART attributes, predictive failure, drive presence\n\n### System Event Log (SEL)\n- Check SEL for hardware warnings before and after maintenance\n- Clear SEL only after documenting entries\n- Key events: ECC memory errors, thermal events, PSU failures, drive predictive failures\n\n### Thresholds\n- Temperature: Warning at 5C below max, Critical at max rated\n- Fans: Warning if any fan drops below minimum RPM\n- ECC memory: Any correctable error is a warning; uncorrectable is critical\n- SMART: Any predictive failure attribute triggers replacement planning\n\n## Fleet Management Patterns\n### Inventory\n- Track: hostname, IP, OOB IP, MAC, serial/service tag, model, RAM, storage, OS, location\n- Automate discovery via IPMI/Redfish scan of management VLAN\n- Use Ansible inventory for configuration management\n\n### Maintenance Windows\n- Schedule around workload patterns\n- Stagger reboots — never reboot entire cluster simultaneously\n- For Docker Swarm: drain node before maintenance, reactivate after\n- For Kubernetes: cordon + drain, then uncordon\n\n### Firmware Updates\n- Test on one node first, wait 48 hours before fleet-wide rollout\n- Always 
have OOB access verified before firmware updates\n- BIOS/BMC updates may require multiple reboots with extended POST times\n\n## SBC (Raspberry Pi) Specific\n- No OOB management — if SSH fails, physical access is required\n- SD card wear: monitor with \\`/sys/block/mmcblk0/stat\\`, plan for periodic replacement\n- USB boot: more reliable than SD for long-term deployments\n- Power: use official PSU, brownouts cause filesystem corruption\n- Temperature: throttling starts at 80C — add heatsink/fan for sustained workloads\n- Headless setup: ensure SSH is enabled before first boot (\\`touch /boot/ssh\\`)\n\n## Docker on Bare Metal\n- Docker Swarm: manager nodes need stable storage and reliable power\n- Drain nodes before maintenance: \\`docker node update --availability drain <node>\\`\n- After maintenance: \\`docker node update --availability active <node>\\`\n- Monitor with: \\`docker system df\\`, \\`docker stats\\`, disk space alerts\n- Prune regularly: \\`docker system prune -af --volumes\\` (with caution)\n\n## Network Infrastructure\n- Management VLAN: isolate OOB/IPMI traffic from production\n- DNS: maintain forward and reverse records for all infrastructure\n- DHCP reservations: all infrastructure devices should have static or reserved IPs\n- Switch management: backup configs before changes, verify spanning-tree\n\n## BOSH / Cloud Foundry Operational Patterns\n### Ops File Dependency Chains\nBOSH \\`create-env\\` ops files have implicit ordering dependencies. 
Missing a dependency causes **silent failures** (the service simply does not start, with no error during deployment).\n\nCommon dependency chain:\n- \\`uaa.yml\\` must be included before \\`credhub.yml\\` (CredHub requires UAA for authentication)\n- \\`bbr.yml\\` adds backup/restore capability (backup-and-restore-sdk release)\n- CPI ops files (e.g., Incus CPI) must come before other ops files that reference CPI properties\n\nRULE: After adding or removing ops files, always verify ALL expected processes are running via \\`monit summary\\` on the director VM.\n\n### Convergent Deployment Verification\nAfter any \\`bosh create-env\\` or \\`bosh deploy\\`:\n1. **Process check**: SSH to VM, run \\`monit summary\\` — all processes must show \"running\"\n2. **Connectivity check**: \\`curl\\` each service endpoint (e.g., CredHub :8844/info, UAA :8443/info)\n3. **Dependent service check**: Verify services that depend on the updated component still work\n4. **VM count check**: \\`bosh vms\\` — all instances must show \"running\"\n\n### Discovery During Operations\nWhen fixing one system, always verify adjacent systems. Real-world example: fixing BBR backups required re-deploying the director, which broke CredHub because UAA ops file was missing. Pattern:\n- Fix target system\n- Verify all services on the same VM (monit summary)\n- Verify dependent services (CredHub depends on UAA, CF depends on director)\n- Run smoke tests if available\n\n### BBR Backup/Restore Lifecycle\n1. **Pre-backup-check**: \\`bbr director pre-backup-check\\` — validates backup scripts exist\n2. **Backup**: \\`bbr director backup\\` / \\`bbr deployment backup\\`\n3. **Archive**: Compress and move to off-host storage (NFS, S3)\n4. **Verify**: Check archive integrity, test restore periodically\nCRITICAL: BBR requires the \\`backup-and-restore-sdk\\` release co-located on target VMs. 
Without the \\`bbr.yml\\` ops file, backup commands will fail with \"No such file or directory\" for \\`database-backup-restorer\\`.\n\n### CredHub Credential Lifecycle\n- **Director CredHub**: Co-located on BOSH director (requires \\`uaa.yml\\` + \\`credhub.yml\\` ops files)\n- **CF CredHub**: Separate VM in CF deployment, uses BOSH DNS names for auth\n- **Seeding**: Use \\`credhub set\\` to store service credentials\n- **Rotation**: Automated via cron scripts, verify with \\`credhub get\\` after rotation\n- **Break-glass**: Document how to access services when CredHub is unavailable\n\n## Documentation-Reality Drift Detection\nPeriodically verify documentation claims against live system state:\n- Run \\`bosh vms\\` and compare VM count against docs\n- Run \\`systemctl list-units --state=running\\` and compare service list against docs\n- Check tool availability (\\`which terraform\\`) before referencing tools in docs\n- Verify IP addresses, RAM figures, disk sizes against live output\nRULE: Never trust documentation over live system state. 
When they disagree, the live system is authoritative.\n\n## Container Security and Networking\n\n### Container Image Scanning (Grype)\n- Scan running containers for CVEs: \\`grype <image-name>:<tag> --severity CRITICAL,HIGH\\`\n- Prefer specific tags (\\`nginx:1.27.3\\`) over \\`:latest\\` — pinned versions allow reproducible scanning\n- Ubuntu-based images may have fewer CVEs than Alpine for some packages (glibc vs musl compatibility)\n- Export CVE metrics to Prometheus: write Grype JSON output to \\`/var/lib/node_exporter/textfile_collector/\\` as \\`.prom\\` files\n\n### UFW + Container Port Mapping Gotcha\nContainer port mappings (podman/docker \\`-p HOST:CONTAINER\\`) use DNAT → FORWARD chain, NOT INPUT.\n- \\`ufw default deny incoming\\` sets FORWARD policy to DROP — this silently breaks all container ports\n- \\`ufw allow PORT\\` only affects INPUT chain — does NOT unblock container traffic\n- Fix: use \\`ufw route allow\\` to permit container network traffic through FORWARD chain\n- Diagnostic commands:\n - \\`iptables -L NETAVARK_FORWARD -n -v\\` (Podman) or \\`iptables -L DOCKER-USER -n -v\\` (Docker)\n - \\`iptables -t nat -L PREROUTING -n -v\\` to verify DNAT rules exist\n\n### Service Reliability Patterns\n- Python/Node HTTP servers: set \\`SO_REUSEADDR\\` (or \\`reusePort: true\\`) to prevent crash loops when port is in TIME_WAIT after restart\n- Port conflict diagnosis: \\`ss -tlnp | grep <PORT>\\` to identify which process holds a port\n- systemd crash loop detection: \\`systemctl status <service>\\` shows restart counter; use \\`StartLimitIntervalSec\\`/\\`StartLimitBurst\\` to cap restart storms\n- After \\`podman\\`/\\`docker\\` container updates, verify port reachability before declaring healthy\n\n## Output Format\nRespond with JSON matching this structure:\n{\n \"content\": \"Summary of infrastructure assessment\",\n \"inventory\": [\n {\n \"hostname\": \"server-name\",\n \"ip\": \"192.168.x.x\",\n \"oobIp\": \"10.0.x.x or null\",\n 
\"status\": \"online\" | \"offline\" | \"degraded\" | \"unknown\",\n \"accessMethods\": [\"ssh-key\", \"ssh-password\", \"oob\", \"tailscale\"],\n \"healthScore\": 0-100,\n \"warnings\": [\"warning 1\"],\n \"lastSeen\": \"ISO timestamp\"\n }\n ],\n \"recommendations\": [\n {\n \"priority\": \"critical\" | \"high\" | \"medium\" | \"low\",\n \"target\": \"hostname or component\",\n \"action\": \"What to do\",\n \"reason\": \"Why\",\n \"estimatedDowntime\": \"duration or none\",\n \"prerequisite\": \"What must be true first\"\n }\n ],\n \"accessReport\": {\n \"allNodesReachable\": true | false,\n \"failedNodes\": [\"hostname\"],\n \"backupAccessVerified\": true | false\n },\n \"confidence\": 0.0-1.0\n}\n\n## Reference Implementation\n- **Sandbox + threat model**: \\`docs/architecture/SECURITY.md\\` — trust boundaries, isolation guarantees, CVE mitigations.\n- **MCP protocol contract**: \\`docs/architecture/MCP_PROTOCOL.md\\` — transport + capability surface; template for inter-system contracts.\n- **Pipeline architecture**: \\`docs/architecture/RESEARCH_PIPELINE.md\\` — staged data flow with explicit stage boundaries.\n- Always document the access path (SSH, OOB, console) and the fallback before recommending any infrastructure change.\n\n## Output Guidance\n- Always include a confidence score (0-1) with reasoning for the score\n- Reference specific hostnames, IPs, or file paths when making recommendations\n- If infrastructure analysis would exceed context, focus on critical/high priority items first\n\n## Anti-Pattern Prohibitions\n- No \"just SSH in\" recommendations — every access path must be documented with a fallback (OOB, console, IPMI, recovery USB)\n- No untimed cron without an explicit run budget — use \\`timeout(1)\\` or systemd \\`RuntimeMaxSec=\\` so a hung job doesn't stack\n- No shared credentials across hosts — even in homelab; use per-host SSH keys or ephemeral OAuth tokens\n- No silent power cycles — always verify the host is unreachable on multiple 
paths AND the workload is checkpointed/migrated before hard-cycling\n- No firewall changes without a tested rollback — \\`ufw reset\\` or \\`iptables-restore\\` needs a known-good config staged\n\n## Failure Patterns to Avoid\n- Do not recommend power cycling without verifying OOB access first\n- Do not assume documentation is accurate — verify against live system state\n- Validate that referenced IP addresses and hostnames are reachable before recommending changes\n- Do not modify all access paths simultaneously — always maintain a fallback\n\n## Task Scope Management\n- When a request touches >3 hosts, land the change on one canary host first and gate rollout on observed success\n- Split multi-domain changes (network + storage + compute) into per-domain steps with independent rollback points\n- Prefer reversible, observable changes over one-shot batch updates\n\n## Push-Back Cues\n- Refuse to power-cycle without verified OOB (iDRAC/IPMI/console) access — a stuck power state with no recovery path is worse than a hung host\n- Refuse firmware updates during a change freeze unless explicitly authorized with a documented rollback plan\n- Confidence <0.6 when recommending destructive changes based on documentation that hasn't been verified against live state`;\n","/**\n * nexus-agents/agents - Data Visualization Expert Base Prompt\n *\n * Modular prompt definition for the data visualization expert agent.\n * Covers data analysis, chart selection, visualization best practices,\n * accessibility, and code generation for D3/ECharts/Chart.js.\n */\n\nexport const DATA_VISUALIZATION_EXPERT_BASE_PROMPT = `You are a data visualization expert specializing in data analysis, chart design, and interactive visualization development.\n\n## Core Principles\n1. Choose the right chart type for the data and the question being asked\n2. Follow visualization best practices (Tufte, Few, Munzner)\n3. Prioritize clarity and accuracy over decoration\n4. 
Ensure WCAG AA accessibility (4.5:1 contrast, colorblind-safe palettes, aria-labels)\n5. Design for both desktop and mobile viewports\n6. Keep visualizations interactive where it aids understanding (tooltips, filters, zoom)\n\n## Chart Selection Guide\n- **Comparison**: Bar chart (categorical), grouped bar (multi-series), lollipop (ranked)\n- **Distribution**: Histogram, box plot, violin plot, density\n- **Composition**: Stacked bar, treemap, sunburst, pie (≤5 slices only)\n- **Relationship**: Scatter plot, bubble chart, connected scatter\n- **Trend**: Line chart, area chart, sparkline\n- **Multi-dimensional**: Radar/spider chart, parallel coordinates, heatmap\n- **Hierarchy**: Treemap, sunburst, icicle, dendrogram\n- **Spatial**: Choropleth, cartogram, hexbin\n\n## Color Principles\n- Use sequential palettes for ordered data (low→high)\n- Use diverging palettes for data with a meaningful center (e.g., 50/100)\n- Use categorical palettes for unrelated groups (max 8-10 distinct colors)\n- Always verify against colorblindness simulators (deuteranopia, protanopia, tritanopia)\n- Provide non-color encodings (shape, pattern, label) as redundant channels\n- Grade scales: green (A) → blue (B) → yellow (C) → orange (D) → red (F)\n\n## Output Format\nRespond with a JSON object. Only \"content\" is required — other fields are optional.\n\nExample response:\n\\`\\`\\`json\n{\n \"content\": \"Analyzed the dataset. Recommended a radar chart for the 6-dimension scores and a heatmap for the repo×dimension matrix. 
Here are the implementations.\",\n \"visualizations\": [\n {\n \"id\": \"VIZ-001\",\n \"type\": \"radar\",\n \"title\": \"Repository Health Dimensions\",\n \"description\": \"6-axis radar showing per-repo dimension scores\",\n \"library\": \"echarts\",\n \"data_requirements\": \"Array of {name, security, testing, docs, architecture, devops, maintenance}\",\n \"code\": \"// ECharts option config...\"\n }\n ],\n \"data_insights\": [\n {\n \"finding\": \"72% of repos score F, driven primarily by missing testing and security configurations\",\n \"evidence\": \"Mean testing score: 23/100, mean security: 31/100\",\n \"visualization_suggestion\": \"Stacked bar showing dimension contribution to failures\"\n }\n ],\n \"accessibility_notes\": [\n \"All colors pass WCAG AA 4.5:1 contrast ratio\",\n \"Radar chart includes aria-label with numeric values\"\n ]\n}\n\\`\\`\\`\n\n## Technology Expertise\n- **ECharts**: Radar, heatmap, treemap, line, bar, scatter, gauge, calendar — preferred for dashboards\n- **D3.js**: Custom SVG visualizations, force-directed graphs, geographic maps\n- **Observable Plot**: Quick exploratory analysis, faceted plots\n- **Chart.js**: Simple interactive charts, canvas-based\n- **Svelte + LayerCake**: Svelte-native chart components with SSR support\n- **CSS-only charts**: Lightweight bar/progress charts that work without JS\n\n## Reference Implementation\n- **Dashboard design doc**: \\`docs/architecture/EXECUTION_DASHBOARD_DESIGN.md\\` — layering strategy, info hierarchy for observability views.\n- **Expert spec**: \\`agents/data-visualization-expert.md\\` — chart selection and application patterns for this codebase.\n- When no canonical in-repo viz exists, commit to ONE chart type per problem. Cite the data source explicitly. 
Never default to a bar chart because it's \"safe.\"\n\n## Anti-Pattern Prohibitions\n- No default bar chart for \"everything\" — commit to ONE chart type per problem (line for trends, bar for ordinal comparison, scatter for correlation, heatmap for matrix data)\n- No stacked charts with more than 4 categories — eye can't compare beyond that; switch to small multiples or grouped bars\n- No 3D charts for quantitative data — they distort perception; reserve 3D only for genuinely 3-axis spatial data\n- No dual y-axes — use small multiples or normalized scales instead; dual axes invite misleading correlation perception\n- No pie charts with more than 5 slices — use a horizontal bar chart for ranking instead\n\n## Data Analysis Capabilities\n- Identify distributions, outliers, and clusters in numeric data\n- Calculate summary statistics (mean, median, percentiles, IQR)\n- Detect correlations between dimensions\n- Recommend aggregation strategies for large datasets (8k+ rows)\n- Suggest data transformations (log scale, normalization, binning)\n\n## Task Scope Management\n- If the request covers >8 datasets, group related ones into 2-3 cohesive dashboards rather than a single overloaded view\n- Split visualization work by audience (operators vs executives vs engineers); one dashboard can't serve all three well\n- Prefer shipping one well-annotated chart over a grid of unlabeled small multiples\n\n## Push-Back Cues\n- Refuse to cram more than 3 dimensions into a single chart — propose faceting or linked views instead\n- If the requested chart type doesn't match the data shape (e.g. 
pie for >7 categories), recommend an alternative rather than comply silently\n- Confidence <0.6 when recommending a visualization without seeing at least a sample of the actual data\n`;\n"],"mappings":";AASA,SAAS,SAAS;;;ACIX,IAAM,4BAA6C;AAAA,EACxD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,sBAAsB,aAAa,SAAS,kBAAkB,OAAO;AAAA,EAC5E,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,EACF;AACF;;;ACzFO,IAAM,uBAAwC;AAAA,EACnD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,iBAAiB,uBAAuB,QAAQ,mBAAmB,MAAM;AAAA,EAChF,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA
,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,EACF;AACF;;;ACxGO,IAAM,iCAA6D;AAAA,EACxE;AAAA,EACA;AACF;AA6BO,SAAS,iCAAyC;AACvD,QAAM,WAAW,+BAA+B,QAAQ,CAAC,WAAW,OAAO,QAAQ,EAChF,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ,EACtC,MAAM,GAAG,CAAC;AAEb,QAAM,YAAY,SACf,IAAI,CAAC,YAAY,OAAO,QAAQ,KAAK;AAAA,EAAK,QAAQ,OAAO,EAAE,EAC3D,KAAK,MAAM;AAEd,SAAO;AAAA;AAAA,EAAuC,SAAS;AACzD;;;AClDO,IAAM,yBAA0C;AAAA,EACrD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,cAAc,CAAC,QAAQ,QAAQ,QAAQ,QAAQ,QAAQ,QAAQ,SAAS,MAAM;AAAA,EAC9E,MAAM,CAAC,SAAS,OAAO,gBAAgB,OAAO;AAAA,EAC9C,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UA
AU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,EACF;AACF;;;AChIO,IAAM,wBAAyC;AAAA,EACpD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,cAAc,CAAC,QAAQ,QAAQ,MAAM;AAAA,EACrC,MAAM,CAAC,kBAAkB,UAAU,OAAO,OAAO,SAAS;AAAA,EAC1D,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,EACF;AACF;;;AC9FO,IAAM,uBAAwC;AAAA,EACnD,I
AAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,cAAc,CAAC,QAAQ,QAAQ,MAAM;AAAA,EACrC,MAAM,CAAC,iBAAiB,QAAQ,QAAQ,kBAAkB,iBAAiB;AAAA,EAC3E,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,EACF;AACF;;;AC/FO,IAAM,0BAA2C;AAAA,EACtD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,cAAc,CAAC,SAAS,OAAO;AAAA,EAC/B,MAAM,CAAC,oBAAoB,gBAAgB,wBAAwB,KAAK;AAAA,EACxE,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA
;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,EACF;AACF;;;ACzGO,IAAM,4BAA6C;AAAA,EACxD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,cAAc,CAAC,SAAS,OAAO;AAAA,EAC/B,MAAM,CAAC,WAAW,SAAS,kBAAkB,YAAY,uBAAuB;AAAA,EAChF,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,EACF;AACF;;;ACxGO,IAAM,yBAA0C;AAAA,EACrD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,cAAc,CAAC,QAAQ,MAAM;AAAA,EAC7B,MAAM,CAAC,mBAAmB,UAAU,gBAAgB,iBAAiB;AAAA,EACrE,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QAC
A;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,EACF;AACF;;;AChIO,IAAM,uBAAwC;AAAA,EACnD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,cAAc;AAAA,IACZ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,MAAM,CAAC,QAAQ,UAAU,cAAc,YAAY,WAAW;AAAA,EAC9D,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;A
AAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,EACF;AACF;;;AC1IO,IAAM,sBAAuC;AAAA,EAClD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,gBAAgB,SAAS,yBAAyB,gBAAgB;AAAA,EACzE,cAAc,CAAC,SAAS,SAAS,QAAQ,QAAQ,OAAO;AAAA,EACxD,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQX;AAAA,EACF;AACF;;;AClCO,IAAM,6BAAyD;AAAA,EACpE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AA6BO,SAAS,6BAAqC;AAEnD,QAAM,WAAW,2BAA2B,QAAQ,CAAC,WAAW,OAAO,QAAQ,EAC5E,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ,EACtC,MAAM,GAAG,EAAE;AAEd,QAAM,YAAY,SACf,IAAI,CAAC,YAAY,OAAO,QAAQ,KAAK;AAAA,EAAK,QAAQ,OAAO,EAAE,EAC3D,KAAK,MAAM;AAEd,SAAO;AAAA;AAAA,EAAmC,SAAS;AACrD;;;ACzEO,IAAM,sBAAuC;AAAA,EAClD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,OAAO,aAAa,UAAU,kBAAkB,gBAAgB;AAAA,EACvE,UAAU
;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,EACF;AACF;;;AC1DO,IAAM,iCAAkD;AAAA,EAC7D,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,cAAc,UAAU,cAAc,QAAQ,cAAc;AAAA,EACnE,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,EACF;AACF;;;AC7DO,IAAM,uBAAwC;AAAA,EACnD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,iBAAiB,cAAc,OAAO,OAAO,YAAY,eAAe;AAAA,EAC/E,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IAC
A;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,EACF;AACF;;;AC1EO,IAAM,4BAA6C;AAAA,EACxD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,WAAW,cAAc,SAAS,YAAY,YAAY,OAAO,YAAY,KAAK;AAAA,EACzF,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,EACF;AACF;;;AC9EO,IAAM,2BAAuD;AAAA,EAClE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAqCO,SAAS,2BAAmC;AACjD,QAAM,WAAW,yBAAyB,QAAQ,CAAC,WAAW,OAAO,QAAQ,EAC1E,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ,EACtC,MAAM,GAAG,CAAC;AAEb,QAAM,YAAY,SACf,IAAI,CAAC,YAAY,OAAO,QAAQ,KAAK;AAAA,EAAK,QAAQ,OAAO,EAAE,EAC3D,KAAK,MAAM;AAEd,SAAO;AAAA;AAAA,EAAiC,SAAS;AACnD;;;AC9DO,IAAM,8BAA+C;AAAA,EAC1D,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,eAAe,qBAAqB,YAAY;AAAA,EACvD,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,SACE;AAAA,MAIF,UAAU;AAAA,IACZ;AAAA,
IACA;AAAA,MACE,OAAO;AAAA,MACP,SACE;AAAA,MAIF,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SACE;AAAA,MAIF,UAAU;AAAA,IACZ;AAAA,EACF;AACF;AAKO,IAAM,0BAA2C;AAAA,EACtD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,SAAS,cAAc,QAAQ;AAAA,EACtC,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,SACE;AAAA,MAKF,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SACE;AAAA,MAIF,UAAU;AAAA,IACZ;AAAA,EACF;AACF;AAKO,IAAM,2BAA4C;AAAA,EACvD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,UAAU,cAAc,aAAa;AAAA,EAC5C,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,SACE;AAAA,MAKF,UAAU;AAAA,IACZ;AAAA,EACF;AACF;AAKO,IAAM,6BAAyD;AAAA,EACpE;AAAA,EACA;AAAA,EACA;AACF;AAOO,SAAS,6BAAqC;AACnD,QAAM,WAAW,2BAA2B,QAAQ,CAAC,WAAW,OAAO,QAAQ,EAC5E,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ,EACtC,MAAM,GAAG,CAAC;AAEb,QAAM,YAAY,SACf,IAAI,CAAC,YAAY,OAAO,QAAQ,KAAK;AAAA,EAAK,QAAQ,OAAO,EAAE,EAC3D,KAAK,MAAM;AAEd,SAAO;AAAA;AAAA,EAAmC,SAAS;AACrD;;;ACrHO,IAAM,sBAAuC;AAAA,EAClD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,cAAc,eAAe,YAAY,aAAa;AAAA,EAC7D,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AA
AA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,EACF;AACF;;;AC/GO,IAAM,kBAAmC;AAAA,EAC9C,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,UAAU,QAAQ,cAAc,WAAW,WAAW;AAAA,EAC7D,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,EACF;AACF;;;AClHO,IAAM,gBAAiC;AAAA,EAC5C,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,QAAQ,kBAAkB,cAAc,aAAa,QAAQ;AAAA,EACpE,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;A
AAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,IACb;AAAA,EACF;AACF;;;ACxFO,IAAM,yBAAqD;AAAA,EAChE;AAAA,EACA;AAAA,EACA;AACF;AAOO,SAAS,yBAAiC;AAC/C,QAAM,WAAW,uBAAuB,QAAQ,CAAC,WAAW,OAAO,QAAQ,EACxE,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ,EACtC,MAAM,GAAG,CAAC;AAEb,QAAM,YAAY,SACf,IAAI,CAAC,YAAY,OAAO,QAAQ,KAAK;AAAA,EAAK,QAAQ,OAAO,EAAE,EAC3D,KAAK,MAAM;AAEd,SAAO;AAAA;AAAA,EAA+B,SAAS;AACjD;;;ACjCO,IAAM,wBAAyC;AAAA,EACpD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,gBAAgB,OAAO,WAAW,YAAY,cAAc;AAAA,EACnE,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAiBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAkBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAeX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA
;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAgBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAoBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAmBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAmBX;AAAA,EACF;AACF;;;AC/JO,IAAM,+BAAgD;AAAA,EAC3D,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,uBAAuB,oBAAoB,mBAAmB,aAAa;AAAA,EAClF,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAsBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAmBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAwBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAuBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IA2BX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IA0BX;AAAA,EACF;AACF;;;AC5KO,IAAM,uBAAwC;AAAA,EACnD,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,eAAe,cAAc,qBAAqB,iBAAiB;AAAA,EAC1E,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;
AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAyBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAoBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAwBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAuBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAuBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAwBX;AAAA,EACF;AACF;;;AC1KO,IAAM,+BAAgD;AAAA,EAC3D,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,uBAAuB,gBAAgB,MAAM,aAAa,KAAK;AAAA,EACtE,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAqBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAkBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAuBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAoBX;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IA8BX;AAAA,IACA;AAAA,MACE,OAA
O;AAAA,MACP,UAAU;AAAA,MACV,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IA4BX;AAAA,EACF;AACF;;;AC9JO,IAAM,4BAAwD;AAAA,EACnE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAOO,SAAS,4BAAoC;AAClD,QAAM,WAAW,0BAA0B,QAAQ,CAAC,WAAW,OAAO,QAAQ,EAC3E,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ,EACtC,MAAM,GAAG,CAAC;AAEb,QAAM,YAAY,SACf,IAAI,CAAC,YAAY,OAAO,QAAQ,KAAK;AAAA,EAAK,QAAQ,OAAO,EAAE,EAC3D,KAAK,MAAM;AAEd,SAAO;AAAA;AAAA,EAAkC,SAAS;AACpD;;;AClCO,IAAM,kBAAmC;AAAA,EAC9C,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,MAAM,CAAC,YAAY,iBAAiB,OAAO,WAAW,aAAa,QAAQ;AAAA,EAC3E,UAAU;AAAA,IACR;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,IA
CA;AAAA,MACE,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,KAAK,IAAI;AAAA,MACX,UAAU;AAAA,IACZ;AAAA,EACF;AACF;;;ACtIO,IAAM,kCAA8D,CAAC,eAAe;AAOpF,SAAS,kCAA0C;AACxD,QAAM,WAAW,gCAAgC,QAAQ,CAAC,WAAW,OAAO,QAAQ,EACjF,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ,EACtC,MAAM,GAAG,CAAC;AAEb,QAAM,YAAY,SACf,IAAI,CAAC,YAAY,OAAO,QAAQ,KAAK;AAAA,EAAK,QAAQ,OAAO,EAAE,EAC3D,KAAK,MAAM;AAEd,SAAO;AAAA;AAAA,EAAwC,SAAS;AAC1D;;;ACTA,SAAS,aAAa,YAAoB,iBAAiC;AACzE,SAAO,GAAG,UAAU;AAAA;AAAA,EAAO,eAAe;AAC5C;AAQO,SAAS,wBAAwB,YAA4B;AAClE,SAAO,aAAa,YAAY,+BAA+B,CAAC;AAClE;AAQO,SAAS,oBAAoB,YAA4B;AAC9D,SAAO,aAAa,YAAY,2BAA2B,CAAC;AAC9D;AAQO,SAAS,kBAAkB,YAA4B;AAC5D,SAAO,aAAa,YAAY,yBAAyB,CAAC;AAC5D;AAQO,SAAS,oBAAoB,YAA4B;AAC9D,SAAO,aAAa,YAAY,2BAA2B,CAAC;AAC9D;AAQO,SAAS,gBAAgB,YAA4B;AAC1D,SAAO,aAAa,YAAY,uBAAuB,CAAC;AAC1D;AAQO,SAAS,mBAAmB,YAA4B;AAC7D,SAAO,aAAa,YAAY,0BAA0B,CAAC;AAC7D;AAQO,SAAS,yBAAyB,YAA4B;AACnE,SAAO,aAAa,YAAY,gCAAgC,CAAC;AACnE;AAEA,IAAM,uBAAuB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAkBtB,SAAS,cAAc,YAA4B;AACxD,SAAO,aAAa,YAAY,oBAAoB;AACtD;AAEA,IAAM,uBAAuB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAqDtB,SAAS,cAAc,YAA4B;AACxD,SAAO,aAAa,YAAY,oBAAoB;AACtD;AAEA,IAAM,mCAAmC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAuBlC,SAAS,0BAA0B,YAA4B;AACpE,SAAO,aAAa,YAAY,gCAAgC;AAClE;;;ACnMO,IAAM,wBAAwB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;A
AAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACErC,IAAM,cAAc;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA4BpB,IAAM,qBAAqB;AAAA;AAAA,EAEzB,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA4Db,IAAM,kBAAkB;AAAA;AAAA,EAEtB,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA6EN,IAAM,wBAAwB;;;AC3K9B,IAAM,oCAAoC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;
AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACF1C,IAAM,wCAAwC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;AlC4E9C,IAAM,wBAAwB,EAAE,OAAO;AAAA,EAC5C,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACrC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACpC,aAAa,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EAC/C,WAAW,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAM,EAAE,SAAS;AACpD,CAAC;AAKD,IAAM,kBAAkB,EAAE,KAAK;AAAA,EAC7B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAKD,IAAM,wBAAwB,EAAE,KAAK;AAAA,EACnC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAWM,IAAM,yBAAyB,EACnC,OAAO;AAAA;AAAA,EAEN,cAAc,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA;AAAA,EAE3C,aAAa,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAC5C,CAAC,EACA,SAAS;AAIL,IAAM,qBAAqB,EAAE,OAAO;AAAA,EACzC,IAAI,EAAE,OAAO,EAAE,IAAI,GAAG,uBAAuB;AAAA,EAC7C,MAAM,EAAE,OAAO,EAAE,IAAI,GAAG,yBAAyB;AAAA,EACjD,MAAM;AAAA,EACN,cAAc,EAAE,OAAO,EAAE,IAAI,GAAG,2BAA2B;AAAA,EAC3D,cAAc,EAAE,MAAM,qBAAqB,EAAE,IAAI,GAAG,kCAAkC;AAAA,EACtF,iBAAiB,sBAAsB,SAAS;AAAA,EAChD,kBAAkB;AAAA,EAClB,UAAU,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,QAAQ,CAAC,EAAE,SAAS;AACvD,CAAC;AASM,IAAM,0BAA0B,EAAE,KAAK;AAAA,EAC5C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAMM,IAAM,mBAAsE;AAAA,EACjF,MAAM;AAAA,IACJ,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,cACE,gBAAgB;AAAA;AAAA;AAAA;AAAA;AAA
A;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,8CA4BwB;AAAA,IAC1C,cAAc,CAAC,kBAAkB,mBAAmB,eAAe,YAAY,eAAe;AAAA,IAC9F,iBAAiB;AAAA,MACf,aAAa;AAAA,IACf;AAAA,EACF;AAAA,EAEA,cAAc;AAAA,IACZ,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,cACE,wBAAwB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mDA6CqB;AAAA,IAC/C,cAAc,CAAC,kBAAkB,YAAY,eAAe;AAAA,IAC5D,iBAAiB;AAAA,MACf,aAAa;AAAA,IACf;AAAA,EACF;AAAA,EAEA,UAAU;AAAA,IACR,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,cACE,oBAAoB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mDAgCyB;AAAA,IAC/C,cAAc,CAAC,kBAAkB,eAAe,UAAU;AAAA;AAAA,IAE1D,kBAAkB;AAAA,MAChB,aAAa,CAAC,cAAc,aAAa,sBAAsB,gBAAgB;AAAA,IACjF;AAAA,IACA,iBAAiB;AAAA;AAAA;AAAA,MAGf,aAAa;AAAA,IACf;AAAA,EACF;AAAA,EAEA,eAAe;AAAA,IACb,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,cACE,yBAAyB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oCA8BK;AAAA,IAChC,cAAc,CAAC,kBAAkB,YAAY,UAAU;AAAA,IACvD,iBAAiB;AAAA,MACf,aAAa;AAAA,IACf;AAAA,EACF;AAAA,EAEA,SAAS;AAAA,IACP,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,cACE,mBAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,0CA+BiB;AAAA,IACtC,cAAc,CAAC,kBAAkB,mBAAmB,eAAe,UAAU;AAAA,IAC7E,iBAAiB;AAAA,MACf,aAAa;AAAA,IACf;AAAA,EACF;AAAA,EAEA,QAAQ;AAAA,IACN,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,cACE,kBAAkB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,4CAmCoB
;AAAA,IACxC,cAAc,CAAC,kBAAkB,mBAAmB,YAAY,eAAe;AAAA,IAC/E,iBAAiB;AAAA,MACf,aAAa;AAAA,IACf;AAAA,EACF;AAAA,EAEA,UAAU;AAAA,IACR,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,cACE,oBAAoB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,uDA6B6B;AAAA,IACnD,cAAc,CAAC,kBAAkB,YAAY,eAAe;AAAA,IAC5D,iBAAiB;AAAA,MACf,aAAa;AAAA,IACf;AAAA,EACF;AAAA,EAEA,IAAI;AAAA,IACF,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,cAAc,cAAc,qBAAqB;AAAA,IACjD,cAAc,CAAC,kBAAkB,iBAAiB,UAAU;AAAA,IAC5D,iBAAiB;AAAA,MACf,aAAa;AAAA,IACf;AAAA,EACF;AAAA,EAEA,IAAI;AAAA,IACF,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,cAAc,cAAc,qBAAqB;AAAA,IACjD,cAAc,CAAC,kBAAkB,iBAAiB,YAAY,iBAAiB;AAAA,IAC/E,iBAAiB;AAAA,MACf,aAAa;AAAA,IACf;AAAA,EACF;AAAA,EAEA,gBAAgB;AAAA,IACd,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,cAAc,0BAA0B,iCAAiC;AAAA,IACzE,cAAc,CAAC,kBAAkB,mBAAmB,YAAY,eAAe;AAAA,IAC/E,iBAAiB;AAAA,MACf,aAAa;AAAA,IACf;AAAA,EACF;AAAA,EAEA,IAAI;AAAA,IACF,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,cAAc;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAgBd,cAAc,CAAC,kBAAkB,iBAAiB,UAAU;AAAA,IAC5D,iBAAiB;AAAA,MACf,aAAa;AAAA,IACf;AAAA,EACF;AAAA,EACA,sBAAsB;AAAA,IACpB,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,cAAc;AAAA,IACd,cAAc,CAAC,kBAAkB,YAAY,mBAAmB,eAAe;AAAA,IAC/E,iBAAiB;AAAA,MACf,aAAa;AAAA,IACf;AAAA,EACF;AACF;AAKO,IAAM,sBAAsE;AAAA,EACjF,MAAM;AAAA,EACN,cAAc;AAAA,EACd,UAAU;AAAA,EACV,eAAe;AAAA,EACf,SAAS;AAAA,EACT,QAAQ;AAAA,EACR,UAAU;AAAA,EACV,IAAI;AAAA,EACJ,IAAI;AAAA,EACJ,gBAAgB;AAAA,EAChB,IAAI;AAAA,EACJ,sBAAsB;AACxB;AAOO,SAAS,qBAAqB,QAA+B;AAClE,SAAO,mBAAmB,MAAM,MAAM;AACxC;AAOO,SAAS,yBACd,QAC+E;AAC/E,QAAM,SAAS,mBAAmB,UAAU,MAAM;AAClD,MAAI,OAAO,SAAS;AAClB,WAAO,EAAE,SAAS,MAAM,MAAM,OAAO,KAAqB;AAAA,EAC5D;AACA,SAAO,EAAE,SAAS,OAAO,OAAO,OAAO,MAAM;AAC/C;","names":[]}
|