oh-my-codex 0.16.4 → 0.17.0

package/dist/mcp/__tests__/hermes-bridge.test.js

@@ -0,0 +1,374 @@
+import assert from "node:assert/strict";
+import { mkdir, mkdtemp, realpath, rm, symlink, writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, it } from "node:test";
+import { hermesListArtifacts, hermesListSessions, hermesReadArtifact, hermesReadStatus, hermesReadTail, hermesReportStatus, hermesSendPrompt, hermesStartSession, } from "../hermes-bridge.js";
+const originalRoots = process.env.OMX_MCP_WORKDIR_ROOTS;
+const originalOmxRoot = process.env.OMX_ROOT;
+const originalOmxStateRoot = process.env.OMX_STATE_ROOT;
+const originalTeamStateRoot = process.env.OMX_TEAM_STATE_ROOT;
+const originalSessionId = process.env.OMX_SESSION_ID;
+const originalCodexSessionId = process.env.CODEX_SESSION_ID;
+const originalGenericSessionId = process.env.SESSION_ID;
+beforeEach(() => {
+    delete process.env.OMX_MCP_WORKDIR_ROOTS;
+    delete process.env.OMX_ROOT;
+    delete process.env.OMX_STATE_ROOT;
+    delete process.env.OMX_TEAM_STATE_ROOT;
+    delete process.env.OMX_SESSION_ID;
+    delete process.env.CODEX_SESSION_ID;
+    delete process.env.SESSION_ID;
+});
+afterEach(() => {
+    if (typeof originalRoots === "string")
+        process.env.OMX_MCP_WORKDIR_ROOTS = originalRoots;
+    else
+        delete process.env.OMX_MCP_WORKDIR_ROOTS;
+    if (typeof originalOmxRoot === "string")
+        process.env.OMX_ROOT = originalOmxRoot;
+    else
+        delete process.env.OMX_ROOT;
+    if (typeof originalOmxStateRoot === "string")
+        process.env.OMX_STATE_ROOT = originalOmxStateRoot;
+    else
+        delete process.env.OMX_STATE_ROOT;
+    if (typeof originalTeamStateRoot === "string")
+        process.env.OMX_TEAM_STATE_ROOT = originalTeamStateRoot;
+    else
+        delete process.env.OMX_TEAM_STATE_ROOT;
+    if (typeof originalSessionId === "string")
+        process.env.OMX_SESSION_ID = originalSessionId;
+    else
+        delete process.env.OMX_SESSION_ID;
+    if (typeof originalCodexSessionId === "string")
+        process.env.CODEX_SESSION_ID = originalCodexSessionId;
+    else
+        delete process.env.CODEX_SESSION_ID;
+    if (typeof originalGenericSessionId === "string")
+        process.env.SESSION_ID = originalGenericSessionId;
+    else
+        delete process.env.SESSION_ID;
+});
+async function tempWorkspace(name) {
+    delete process.env.OMX_ROOT;
+    delete process.env.OMX_STATE_ROOT;
+    delete process.env.OMX_TEAM_STATE_ROOT;
+    return await realpath(await mkdtemp(join(await realpath(tmpdir()), name)));
+}
+describe("Hermes MCP bridge core", () => {
+    it("lists session-scoped OMX state without exposing terminal internals", async () => {
+        const cwd = await tempWorkspace("omx-hermes-list-");
+        try {
+            await mkdir(join(cwd, ".omx", "state", "sessions", "sess-a"), { recursive: true });
+            await writeFile(join(cwd, ".omx", "state", "sessions", "sess-a", "ralph-state.json"), JSON.stringify({ active: true, current_phase: "executing" }));
+            const result = await hermesListSessions({ workingDirectory: cwd });
+            assert.equal(result.ok, true);
+            assert.deepEqual(result.data?.sessions, [
+                { session_id: "sess-a", active: false, source: "session_state_dir", modes: ["ralph"] },
+            ]);
+        }
+        finally {
+            await rm(cwd, { recursive: true, force: true });
+        }
+    });
+    it("projects status without leaking raw internal mode state", async () => {
+        const cwd = await tempWorkspace("omx-hermes-status-");
+        try {
+            await mkdir(join(cwd, ".omx", "state", "sessions", "sess-a"), { recursive: true });
+            await writeFile(join(cwd, ".omx", "state", "sessions", "sess-a", "ralph-state.json"), JSON.stringify({
+                active: true,
+                current_phase: "verifying",
+                run_outcome: "continue",
+                lifecycle_outcome: "finished",
+                updated_at: "2026-05-11T00:00:00.000Z",
+                completed_at: "2026-05-11T00:01:00.000Z",
+                private_control_room: { token: "do-not-leak" },
+                state: { prompt_to_artifact_checklist: ["internal"] },
+            }));
+            const result = await hermesReadStatus({ workingDirectory: cwd, session_id: "sess-a" });
+            assert.equal(result.ok, true);
+            assert.deepEqual(result.data?.modes, [
+                {
+                    mode: "ralph",
+                    scope: "session",
+                    active: true,
+                    phase: "verifying",
+                    run_outcome: "continue",
+                    lifecycle_outcome: "finished",
+                    updated_at: "2026-05-11T00:00:00.000Z",
+                    completed_at: "2026-05-11T00:01:00.000Z",
+                },
+            ]);
+            assert.equal(JSON.stringify(result).includes("do-not-leak"), false);
+            assert.equal(JSON.stringify(result).includes("prompt_to_artifact_checklist"), false);
+        }
+        finally {
+            await rm(cwd, { recursive: true, force: true });
+        }
+    });
+    it("projects current session metadata without leaking process or tmux internals", async () => {
+        const cwd = await tempWorkspace("omx-hermes-current-status-");
+        try {
+            const result = await hermesReadStatus({ workingDirectory: cwd }, {
+                readUsableSessionState: async () => ({
+                    session_id: "sess-current",
+                    native_session_id: "native-current",
+                    cwd,
+                    started_at: "2026-05-11T00:00:00.000Z",
+                    pid: 12345,
+                    pid_cmdline: "codex --secret",
+                    pid_start_ticks: 67890,
+                    tmux_session_name: "private-tmux",
+                }),
+            });
+            assert.equal(result.ok, true);
+            assert.deepEqual(result.data?.session, {
+                session_id: "sess-current",
+                native_session_id: "native-current",
+                cwd,
+                started_at: "2026-05-11T00:00:00.000Z",
+            });
+            assert.equal(JSON.stringify(result).includes("12345"), false);
+            assert.equal(JSON.stringify(result).includes("codex --secret"), false);
+            assert.equal(JSON.stringify(result).includes("private-tmux"), false);
+        }
+        finally {
+            await rm(cwd, { recursive: true, force: true });
+        }
+    });
+    it("reads a bounded session-history tail without tmux scrollback", async () => {
+        const cwd = await tempWorkspace("omx-hermes-tail-");
+        try {
+            await mkdir(join(cwd, ".omx", "logs"), { recursive: true });
+            await writeFile(join(cwd, ".omx", "logs", "session-history.jsonl"), ["one", "two", "three"].map((message) => JSON.stringify({ message })).join("\n") + "\n");
+            const result = await hermesReadTail({ workingDirectory: cwd, lines: 2 });
+            assert.equal(result.ok, true);
+            assert.deepEqual(result.data?.tail, [JSON.stringify({ message: "two" }), JSON.stringify({ message: "three" })]);
+            assert.match(result.data?.path ?? "", /session-history\.jsonl$/);
+        }
+        finally {
+            await rm(cwd, { recursive: true, force: true });
+        }
+    });
+    it("requires explicit mutation opt-in before queuing prompts", async () => {
+        const result = await hermesSendPrompt({ session_id: "sess-a", prompt: "continue" });
+        assert.equal(result.ok, false);
+        assert.equal(result.code, "mutation_not_allowed");
+    });
+    it("queues selected prompts through the audited exec follow-up contract", async () => {
+        const result = await hermesSendPrompt({ session_id: "sess-a", prompt: "continue", actor: "hermes-test", allow_mutation: true }, {
+            injectExecFollowup: async ({ sessionId, prompt, actor }) => ({
+                queued: {
+                    id: "followup-1",
+                    session_id: sessionId,
+                    prompt,
+                    actor: actor ?? "missing",
+                    created_at: "2026-05-11T00:00:00.000Z",
+                },
+                queuePath: "/tmp/queue.json",
+            }),
+        });
+        assert.equal(result.ok, true);
+        assert.deepEqual(result.data, {
+            followup_id: "followup-1",
+            session_id: "sess-a",
+            queue_path: "/tmp/queue.json",
+        });
+    });
+    it("starts sessions in tmux worktree mode and requires mutation opt-in", async () => {
+        const cwd = await tempWorkspace("omx-hermes-start-");
+        try {
+            let observed = null;
+            const result = await hermesStartSession({ workingDirectory: cwd, prompt: "$ralph fix it", worktreeName: "pkg/demo", allow_mutation: true }, {
+                resolveOmxCliEntryPath: () => "/opt/omx/dist/cli/omx.js",
+                spawnProcess: ((command, args, options) => {
+                    observed = { command, args, cwd: options.cwd };
+                    return { pid: 4242, unref() { } };
+                }),
+            });
+            assert.equal(result.ok, true);
+            assert.deepEqual(observed, {
+                command: "/opt/omx/dist/cli/omx.js",
+                args: ["--tmux", "--worktree=pkg/demo", "$ralph fix it"],
+                cwd,
+            });
+            assert.equal(result.data?.pid, 4242);
+        }
+        finally {
+            await rm(cwd, { recursive: true, force: true });
+        }
+    });
+    it("lists and reads only safe result artifact paths", async () => {
+        const cwd = await tempWorkspace("omx-hermes-artifacts-");
+        try {
+            await mkdir(join(cwd, ".omx", "plans"), { recursive: true });
+            await writeFile(join(cwd, ".omx", "plans", "prd-demo.md"), "hello artifact");
+            const list = await hermesListArtifacts({ workingDirectory: cwd });
+            assert.equal(list.ok, true);
+            assert.deepEqual(list.data?.artifacts, [{ path: ".omx/plans/prd-demo.md", bytes: 14 }]);
+            const read = await hermesReadArtifact({ workingDirectory: cwd, path: ".omx/plans/prd-demo.md", max_bytes: 5 });
+            assert.equal(read.ok, true);
+            assert.deepEqual(read.data, { path: ".omx/plans/prd-demo.md", content: "hello", truncated: true });
+            const rejected = await hermesReadArtifact({ workingDirectory: cwd, path: "package.json" });
+            assert.equal(rejected.ok, false);
+            assert.equal(rejected.code, "artifact_outside_safe_roots");
+            const traversal = await hermesReadArtifact({ workingDirectory: cwd, path: ".omx/plans/../../package.json" });
+            assert.equal(traversal.ok, false);
+            assert.equal(traversal.code, "artifact_outside_safe_roots");
+        }
+        finally {
+            await rm(cwd, { recursive: true, force: true });
+        }
+    });
+    it("reads large artifacts with max_bytes truncation and reports stat sizes", async () => {
+        const cwd = await tempWorkspace("omx-hermes-large-artifact-");
+        try {
+            await mkdir(join(cwd, ".omx", "plans"), { recursive: true });
+            const content = `${"a".repeat(1024 * 1024)}tail`;
+            await writeFile(join(cwd, ".omx", "plans", "large.md"), content);
+            const list = await hermesListArtifacts({ workingDirectory: cwd });
+            assert.equal(list.ok, true);
+            assert.deepEqual(list.data?.artifacts, [{ path: ".omx/plans/large.md", bytes: content.length }]);
+            const read = await hermesReadArtifact({ workingDirectory: cwd, path: ".omx/plans/large.md", max_bytes: 8 });
+            assert.equal(read.ok, true);
+            assert.deepEqual(read.data, { path: ".omx/plans/large.md", content: "aaaaaaaa", truncated: true });
+        }
+        finally {
+            await rm(cwd, { recursive: true, force: true });
+        }
+    });
+    it("reads session-history tails from a bounded suffix", async () => {
+        const cwd = await tempWorkspace("omx-hermes-large-tail-");
+        try {
+            await mkdir(join(cwd, ".omx", "logs"), { recursive: true });
+            await writeFile(join(cwd, ".omx", "logs", "session-history.jsonl"), `${"ignored\n".repeat(40_000)}one\ntwo\nthree\n`);
+            const result = await hermesReadTail({ workingDirectory: cwd, lines: 2 });
+            assert.equal(result.ok, true);
+            assert.deepEqual(result.data?.tail, ["two", "three"]);
+        }
+        finally {
+            await rm(cwd, { recursive: true, force: true });
+        }
+    });
+    it("does not list artifacts from safe-root directories symlinked outside the worktree", async () => {
+        const cwd = await tempWorkspace("omx-hermes-list-root-symlink-");
+        const outside = await tempWorkspace("omx-hermes-list-root-outside-");
+        try {
+            await mkdir(join(cwd, ".omx"), { recursive: true });
+            await mkdir(outside, { recursive: true });
+            await writeFile(join(outside, "secret.md"), "outside artifact");
+            await symlink(outside, join(cwd, ".omx", "plans"));
+            const result = await hermesListArtifacts({ workingDirectory: cwd });
+            assert.equal(result.ok, true);
+            assert.deepEqual(result.data?.artifacts, []);
+        }
+        finally {
+            await rm(cwd, { recursive: true, force: true });
+            await rm(outside, { recursive: true, force: true });
+        }
+    });
+    it("rejects session-history tails symlinked outside the worktree", async () => {
+        const cwd = await tempWorkspace("omx-hermes-tail-symlink-");
+        const outside = await tempWorkspace("omx-hermes-tail-outside-");
+        try {
+            await mkdir(join(cwd, ".omx", "logs"), { recursive: true });
+            const outsideLog = join(outside, "session-history.jsonl");
+            await writeFile(outsideLog, "secret\n");
+            await symlink(outsideLog, join(cwd, ".omx", "logs", "session-history.jsonl"));
+            const result = await hermesReadTail({ workingDirectory: cwd, lines: 1 });
+            assert.equal(result.ok, false);
+            assert.equal(result.code, "invalid_input");
+            assert.match(result.error ?? "", /outside working directory/);
+        }
+        finally {
+            await rm(cwd, { recursive: true, force: true });
+            await rm(outside, { recursive: true, force: true });
+        }
+    });
+    it("rejects safe-root artifact symlinks that resolve outside the worktree", async () => {
+        const cwd = await tempWorkspace("omx-hermes-artifact-symlink-");
+        const outside = await mkdtemp(join(tmpdir(), "omx-hermes-artifact-outside-"));
+        try {
+            await mkdir(join(cwd, ".omx", "plans"), { recursive: true });
+            const outsideFile = join(outside, "host.md");
+            await writeFile(outsideFile, "outside artifact");
+            await symlink(outsideFile, join(cwd, ".omx", "plans", "host.md"));
+            const result = await hermesReadArtifact({ workingDirectory: cwd, path: ".omx/plans/host.md" });
+            assert.equal(result.ok, false);
+            assert.equal(result.code, "artifact_outside_safe_roots");
+        }
+        finally {
+            await rm(cwd, { recursive: true, force: true });
+            await rm(outside, { recursive: true, force: true });
+        }
+    });
+    it("rejects workdir-root candidate symlinks that would expose outside artifacts", async () => {
+        const allowed = await tempWorkspace("omx-hermes-allowed-root-");
+        const outside = await tempWorkspace("omx-hermes-outside-root-");
+        try {
+            await mkdir(join(outside, ".omx", "plans"), { recursive: true });
+            await writeFile(join(outside, ".omx", "plans", "secret.md"), "outside via workdir symlink");
+            await symlink(outside, join(allowed, "link"));
+            process.env.OMX_MCP_WORKDIR_ROOTS = allowed;
+            const result = await hermesReadArtifact({
+                workingDirectory: join(allowed, "link"),
+                path: ".omx/plans/secret.md",
+            });
+            assert.equal(result.ok, false);
+            assert.equal(result.code, "invalid_input");
+            assert.match(result.error ?? "", /outside allowed roots/);
+        }
+        finally {
+            await rm(allowed, { recursive: true, force: true });
+            await rm(outside, { recursive: true, force: true });
+        }
+    });
+    it("rejects symlinked OMX_MCP_WORKDIR_ROOTS entries before reading artifacts", async () => {
+        const intended = await tempWorkspace("omx-hermes-intended-root-");
+        const outside = await tempWorkspace("omx-hermes-outside-root-");
+        try {
+            await mkdir(join(outside, ".omx", "plans"), { recursive: true });
+            await writeFile(join(outside, ".omx", "plans", "secret.md"), "outside via symlinked root");
+            const symlinkedRoot = join(intended, "allowed-link");
+            await symlink(outside, symlinkedRoot);
+            process.env.OMX_MCP_WORKDIR_ROOTS = symlinkedRoot;
+            const result = await hermesReadArtifact({
+                workingDirectory: symlinkedRoot,
+                path: ".omx/plans/secret.md",
+            });
+            assert.equal(result.ok, false);
+            assert.equal(result.code, "invalid_input");
+            assert.match(result.error ?? "", /resolves through a symlink/);
+        }
+        finally {
+            await rm(intended, { recursive: true, force: true });
+            await rm(outside, { recursive: true, force: true });
+        }
+    });
+    it("writes a bounded Hermes coordination report", async () => {
+        const cwd = await tempWorkspace("omx-hermes-report-");
+        try {
+            const result = await hermesReportStatus({
+                workingDirectory: cwd,
+                session_id: "sess-a",
+                status: "complete",
+                summary: "PR opened",
+                pr_url: "https://github.com/Yeachan-Heo/oh-my-codex/pull/1",
+                allow_mutation: true,
+            }, { now: () => new Date("2026-05-11T00:00:00.000Z") });
+            assert.equal(result.ok, true);
+            assert.match(result.data?.path ?? "", /sessions[/\\]sess-a[/\\]hermes-coordination\.json$/);
+            assert.deepEqual(result.data?.report, {
+                status: "complete",
+                updated_at: "2026-05-11T00:00:00.000Z",
+                summary: "PR opened",
+                pr_url: "https://github.com/Yeachan-Heo/oh-my-codex/pull/1",
+            });
+        }
+        finally {
+            await rm(cwd, { recursive: true, force: true });
+        }
+    });
+});
+//# sourceMappingURL=hermes-bridge.test.js.map

package/dist/mcp/__tests__/hermes-bridge.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hermes-bridge.test.js","sourceRoot":"","sources":["../../../src/mcp/__tests__/hermes-bridge.test.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACpF,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,WAAW,CAAC;AAChE,OAAO,EACL,mBAAmB,EACnB,kBAAkB,EAClB,kBAAkB,EAClB,gBAAgB,EAChB,cAAc,EACd,kBAAkB,EAClB,gBAAgB,EAChB,kBAAkB,GACnB,MAAM,qBAAqB,CAAC;AAE7B,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;AACxD,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;AAC7C,MAAM,oBAAoB,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;AACxD,MAAM,qBAAqB,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AAC9D,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;AACrD,MAAM,sBAAsB,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;AAC5D,MAAM,wBAAwB,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;AAExD,UAAU,CAAC,GAAG,EAAE;IACd,OAAO,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;IACzC,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IAC5B,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAClC,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACvC,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAClC,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IACpC,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;AAChC,CAAC,CAAC,CAAC;AAEH,SAAS,CAAC,GAAG,EAAE;IACb,IAAI,OAAO,aAAa,KAAK,QAAQ;QAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB,GAAG,aAAa,CAAC;;QACpF,OAAO,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;IAC9C,IAAI,OAAO,eAAe,KAAK,QAAQ;QAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,eAAe,CAAC;;QAC3E,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IACjC,IAAI,OAAO,oBAAoB,KAAK,QAAQ;QAAE,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,oBAAoB,CAAC;;QAC3F,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IACvC,IAAI,OAAO,qBAAqB,KAAK,QAAQ;QAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,qBAAqB,CAAC;;QAClG,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC5C,IAAI,OAAO,iBAAiB,KAAK,QAAQ;QAAE,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,iBAAiB,CAAC;;QACrF,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IACvC,IAAI,OAAO,sBAAsB,KAAK,QAAQ;QAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,GAAG,sBAAsB,CAAC;;QACjG,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IACzC,IAAI,OAAO,wBAAwB,KAAK,QAAQ;QAAE,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,wBAAwB,CAAC;;QAC/F,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;AACrC,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,aAAa,CAAC,IAAY;IACvC,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IAC5B,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAClC,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACvC,OAAO,MAAM,QAAQ,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;QAClF,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,kBAAkB,CAAC,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACnF,MAAM,SAAS,CACb,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,kBAAkB,CAAC,EACpE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,CAAC,CAC7D,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,CAAC,CAAC;YAEnE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAC9B,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE;gBACtC,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE;aACvF,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC,CAAC;IAGH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,oBAAoB,CAAC,CAAC;QACtD,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACnF,MAAM,SAAS,CACb,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,kBAAkB,CAAC,EACpE,IAAI,CAAC,SAAS,CAAC;gBACb,MAAM,EAAE,IAAI;gBACZ,aAAa,EAAE,WAAW;gBAC1B,WAAW,EAAE,UAAU;gBACvB,iBAAiB,EAAE,UAAU;gBAC7B,UAAU,EAAE,0BAA0B;gBACtC,YAAY,EAAE,0BAA0B;gBACxC,oBAAoB,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE;gBAC9C,KAAK,EAAE,EAAE,4BAA4B,EAAE,CAAC,UAAU,CAAC,EAAE;aACtD,CAAC,CACH,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC,CAAC;YAEvF,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAC9B,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE;gBACnC;oBACE,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,SAAS;oBAChB,MAAM,EAAE,IAAI;oBACZ,KAAK,EAAE,WAAW;oBAClB,WAAW,EAAE,UAAU;oBACvB,iBAAiB,EAAE,UAAU;oBAC7B,UAAU,EAAE,0BAA0B;oBACtC,YAAY,EAAE,0BAA0B;iBACzC;aACF,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,KAAK,CAAC,CAAC;YACpE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,8BAA8B,CAAC,EAAE,KAAK,CAAC,CAAC;QACvF,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC,CAAC;IAGH,EAAE,CAAC,6EAA6E,EAAE,KAAK,IAAI,EAAE;QAC3F,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,4BAA4B,CAAC,CAAC;QAC9D,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,gBAAgB,CACnC,EAAE,gBAAgB,EAAE,GAAG,EAAE,EACzB;gBACE,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;oBACnC,UAAU,EAAE,cAAc;oBAC1B,iBAAiB,EAAE,gBAAgB;oBACnC,GAAG;oBACH,UAAU,EAAE,0BAA0B;oBACtC,GAAG,EAAE,KAAK;oBACV,WAAW,EAAE,gBAAgB;oBAC7B,eAAe,EAAE,KAAK;oBACtB,iBAAiB,EAAE,cAAc;iBAClC,CAAC;aACH,CACF,CAAC;YAEF,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAC9B,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE;gBACrC,UAAU,EAAE,cAAc;gBAC1B,iBAAiB,EAAE,gBAAgB;gBACnC,GAAG;gBACH,UAAU,EAAE,0BAA0B;aACvC,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,KAAK,CAAC,CAAC;YAC9D,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,KAAK,CAAC,CAAC;YACvE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,CAAC;QACvE,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,kBAAkB,CAAC,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC5D,MAAM,SAAS,CACb,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,uBAAuB,CAAC,EAClD,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CACxF,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;YAEzE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAC9B,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;YAChH,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,IAAI,EAAE,EAAE,yBAAyB,CAAC,CAAC;QACnE,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;QAEpF,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAC/B,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,sBAAsB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,MAAM,MAAM,GAAG,MAAM,gBAAgB,CACnC,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,IAAI,EAAE,EACxF;YACE,kBAAkB,EAAE,KAAK,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;gBAC3D,MAAM,EAAE;oBACN,EAAE,EAAE,YAAY;oBAChB,UAAU,EAAE,SAAS;oBACrB,MAAM;oBACN,KAAK,EAAE,KAAK,IAAI,SAAS;oBACzB,UAAU,EAAE,0BAA0B;iBACvC;gBACD,SAAS,EAAE,iBAAiB;aAC7B,CAAC;SACH,CACF,CAAC;QAEF,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QAC9B,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE;YAC5B,WAAW,EAAE,YAAY;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,iBAAiB;SAC9B,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;QAClF,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,mBAAmB,CAAC,CAAC;QACrD,IAAI,CAAC;YACH,IAAI,QAAQ,GAA6D,IAAI,CAAC;YAC9E,MAAM,MAAM,GAAG,MAAM,kBAAkB,CACrC,EAAE,gBAAgB,EAAE,GAAG,EAAE,MAAM,EAAE,eAAe,EAAE,YAAY,EAAE,UAAU,EAAE,cAAc,EAAE,IAAI,EAAE,EAClG;gBACE,sBAAsB,EAAE,GAAG,EAAE,CAAC,0BAA0B;gBACxD,YAAY,EAAE,CAAC,CAAC,OAAe,EAAE,IAAc,EAAE,OAAyB,EAAE,EAAE;oBAC5E,QAAQ,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;oBAC/C,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,KAAI,CAAC,EAAE,CAAC;gBACnC,CAAC,CAAU;aACZ,CACF,CAAC;YAEF,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAC9B,MAAM,CAAC,SAAS,CAAC,QAAQ,EAAE;gBACzB,OAAO,EAAE,0BAA0B;gBACnC,IAAI,EAAE,CAAC,QAAQ,EAAE,qBAAqB,EAAE,eAAe,CAAC;gBACxD,GAAG;aACJ,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QACvC,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,uBAAuB,CAAC,CAAC;QACzD,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7D,MAAM,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,CAAC,EAAE,gBAAgB,CAAC,CAAC;YAE7E,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,CAAC,CAAC;YAClE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAC5B,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,EAAE,IAAI,EAAE,wBAAwB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;YAExF,MAAM,IAAI,GAAG,MAAM,kBAAkB,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,IAAI,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC,CAAC;YAC/G,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAC5B,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,wBAAwB,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAEnG,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;YAC3F,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YACjC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,6BAA6B,CAAC,CAAC;YAE3D,MAAM,SAAS,GAAG,MAAM,kBAAkB,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,IAAI,EAAE,+BAA+B,EAAE,CAAC,CAAC;YAC7G,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAClC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,6BAA6B,CAAC,CAAC;QAC9D,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC,CAAC;IAGH,EAAE,CAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;QACtF,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,4BAA4B,CAAC,CAAC;QAC9D,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7D,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC;YACjD,MAAM,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,CAAC,EAAE,OAAO,CAAC,CAAC;YAEjE,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,CAAC,CAAC;YAClE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAC5B,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,EAAE,IAAI,EAAE,qBAAqB,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YAEjG,MAAM,IAAI,GAAG,MAAM,kBAAkB,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,IAAI,EAAE,qBAAqB,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC,CAAC;YAC5G,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAC5B,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACrG,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,wBAAwB,CAAC,CAAC;QAC1D,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC5D,MAAM,SAAS,CACb,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,uBAAuB,CAAC,EAClD,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,mBAAmB,CACjD,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;YAEzE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAC9B,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;QACxD,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mFAAmF,EAAE,KAAK,IAAI,EAAE;QACjG,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,+BAA+B,CAAC,CAAC;QACjE,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,+BAA+B,CAAC,CAAC;QACrE,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACpD,MAAM,KAAK,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC1C,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,EAAE,kBAAkB,CAAC,CAAC;YAChE,MAAM,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;YAEnD,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,CAAC,CAAC;YAEpE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAC9B,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAC/C,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YAChD,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,0BAA0B,CAAC,CAAC;QAC5D,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,0BAA0B,CAAC,CAAC;QAChE,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC5D,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,uBAAuB,CAAC,CAAC;YAC1D,MAAM,SAAS,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;YACxC,MAAM,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,uBAAuB,CAAC,CAAC,CAAC;YAE9E,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;YAEzE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAC/B,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;YAC3C,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,2BAA2B,CAAC,CAAC;QAChE,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YAChD,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,KAAK,IAAI,EAAE;QACrF,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,8BAA8B,CAAC,CAAC;QAChE,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,8BAA8B,CAAC,CAAC,CAAC;QAC9E,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7D,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;YAC7C,MAAM,SAAS,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;YACjD,MAAM,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;YAElE,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,IAAI,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAC/F,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAC/B,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,6BAA6B,CAAC,CAAC;QAC3D,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YAChD,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC,CAAC,CAAC;IAGH,EAAE,CAAC,6EAA6E,EAAE,KAAK,IAAI,EAAE;QAC3F,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,0BAA0B,CAAC,CAAC;QAChE,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,0BAA0B,CAAC,CAAC;QAChE,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACjE,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC,EAAE,6BAA6B,CAAC,CAAC;YAC5F,MAAM,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;YAC9C,OAAO,CAAC,GAAG,CAAC,qBAAqB,GAAG,OAAO,CAAC;YAE5C,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC;gBACtC,gBAAgB,EAAE,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC;gBACvC,IAAI,EAAE,sBAAsB;aAC7B,CAAC,CAAC;YAEH,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAC/B,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;YAC3C,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,uBAAuB,CAAC,CAAC;QAC5D,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YACpD,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,KAAK,IAAI,EAAE;QACxF,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,2BAA2B,CAAC,CAAC;QAClE,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,0BAA0B,CAAC,CAAC;QAChE,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACjE,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC,EAAE,4BAA4B,CAAC,CAAC;YAC3F,MAAM,aAAa,GAAG,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;YACrD,MAAM,OAAO,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,qBAAqB,GAAG,aAAa,CAAC;YAElD,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC;gBACtC,gBAAgB,EAAE,aAAa;gBAC/B,IAAI,EAAE,sBAAsB;aAC7B,CAAC,CAAC;YAEH,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAC/B,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;YAC3C,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,4BAA4B,CAAC,CAAC;QACjE,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YACrD,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,oBAAoB,CAAC,CAAC;QACtD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,kBAAkB,CACrC;gBACE,gBAAgB,EAAE,GAAG;gBACrB,UAAU,EAAE,QAAQ;gBACpB,MAAM,EAAE,UAAU;gBAClB,OAAO,EAAE,WAAW;gBACpB,MAAM,EAAE,mDAAmD;gBAC3D,cAAc,EAAE,IAAI;aACrB,EACD,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,IAAI,CAAC,0BAA0B,CAAC,EAAE,CACpD,CAAC;YAEF,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAC9B,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,IAAI,EAAE,EAAE,oDAAoD,CAAC,CAAC;YAC5F,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE;gBACpC,MAAM,EAAE,UAAU;gBAClB,UAAU,EAAE,0BAA0B;gBACtC,OAAO,EAAE,WAAW;gBACpB,MAAM,EAAE,mDAAmD;aAC5D,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/mcp/__tests__/state-paths.test.js

@@ -1,10 +1,36 @@
-import { describe, it } from 'node:test';
+import { afterEach, beforeEach, describe, it } from 'node:test';
 import assert from 'node:assert/strict';
-import { mkdir, mkdtemp, rm, writeFile } from 'fs/promises';
+import { mkdir, mkdtemp, realpath, rm, symlink, writeFile } from 'fs/promises';
 import { existsSync } from 'fs';
 import { tmpdir } from 'os';
 import { join, resolve as resolvePath } from 'path';
 import { getAllScopedStateDirs, getAllScopedStatePaths, getBaseStateDir, getAllSessionScopedStateDirs, getAllSessionScopedStatePaths, getReadScopedStateFilePaths, readCurrentSessionId, resolveWorkingDirectoryForState, getStateDir, getStateFilePath, getStatePath, validateStateFileName, validateStateModeSegment, validateSessionId, } from '../state-paths.js';
+const isolatedEnvKeys = [
+    'OMX_MCP_WORKDIR_ROOTS',
+    'OMX_ROOT',
+    'OMX_STATE_ROOT',
+    'OMX_TEAM_STATE_ROOT',
+    'OMX_SESSION_ID',
+    'CODEX_SESSION_ID',
+    'SESSION_ID',
+];
+const originalEnv = Object.fromEntries(isolatedEnvKeys.map((key) => [key, process.env[key]]));
+beforeEach(() => {
+    for (const key of isolatedEnvKeys)
+        delete process.env[key];
+});
+afterEach(() => {
+    for (const key of isolatedEnvKeys) {
+        const value = originalEnv[key];
+        if (typeof value === 'string')
+            process.env[key] = value;
+        else
+            delete process.env[key];
+    }
+});
+async function mkRealTemp(prefix) {
+    return await realpath(await mkdtemp(join(await realpath(tmpdir()), prefix)));
+}
 describe('validateSessionId', () => {
     it('accepts undefined and valid ids', () => {
         assert.equal(validateSessionId(undefined), undefined);
@@ -118,8 +144,8 @@ describe('state paths', () => {
         assert.throws(() => resolveWorkingDirectoryForState('bad\0path'), /NUL byte/);
     });
     it('enforces OMX_MCP_WORKDIR_ROOTS allowlist when configured', async () => {
-        const allowedRoot = await mkdtemp(join(tmpdir(), 'omx-allowed-root-'));
-        const disallowedRoot = await mkdtemp(join(tmpdir(), 'omx-disallowed-root-'));
+        const allowedRoot = await mkRealTemp('omx-allowed-root-');
+        const disallowedRoot = await mkRealTemp('omx-disallowed-root-');
         const prev = process.env.OMX_MCP_WORKDIR_ROOTS;
         process.env.OMX_MCP_WORKDIR_ROOTS = allowedRoot;
         try {
@@ -135,6 +161,63 @@ describe('state paths', () => {
             await rm(disallowedRoot, { recursive: true, force: true });
         }
     });
+    it('preserves symlinked workingDirectory spelling when no allowlist is configured', async () => {
+        const realRoot = await mkRealTemp('omx-real-root-');
+        const linkParent = await mkRealTemp('omx-link-parent-');
+        const link = join(linkParent, 'workspace-link');
+        const prev = process.env.OMX_MCP_WORKDIR_ROOTS;
+        delete process.env.OMX_MCP_WORKDIR_ROOTS;
+        try {
+            await symlink(realRoot, link);
+            assert.equal(resolveWorkingDirectoryForState(link), link);
+        }
+        finally {
+            if (typeof prev === 'string')
+                process.env.OMX_MCP_WORKDIR_ROOTS = prev;
+            else
+                delete process.env.OMX_MCP_WORKDIR_ROOTS;
+            await rm(realRoot, { recursive: true, force: true });
+            await rm(linkParent, { recursive: true, force: true });
+        }
+    });
+    it('rejects symlinked workingDirectory candidates that escape OMX_MCP_WORKDIR_ROOTS', async () => {
+        const allowedRoot = await mkRealTemp('omx-allowed-root-');
+        const outsideRoot = await mkRealTemp('omx-outside-root-');
+        const prev = process.env.OMX_MCP_WORKDIR_ROOTS;
+        process.env.OMX_MCP_WORKDIR_ROOTS = allowedRoot;
+        try {
+            const link = join(allowedRoot, 'link');
+            await symlink(outsideRoot, link);
+            assert.throws(() => resolveWorkingDirectoryForState(link), /outside allowed roots \(OMX_MCP_WORKDIR_ROOTS\)/);
+        }
+        finally {
+            if (typeof prev === 'string')
+                process.env.OMX_MCP_WORKDIR_ROOTS = prev;
+            else
+                delete process.env.OMX_MCP_WORKDIR_ROOTS;
+            await rm(allowedRoot, { recursive: true, force: true });
+            await rm(outsideRoot, { recursive: true, force: true });
+        }
+    });
+    it('rejects symlinked OMX_MCP_WORKDIR_ROOTS entries instead of treating their targets as allowed roots', async () => {
+        const intendedRoot = await mkRealTemp('omx-intended-root-');
+        const outsideRoot = await mkRealTemp('omx-outside-root-');
+        const prev = process.env.OMX_MCP_WORKDIR_ROOTS;
+        const symlinkedRoot = join(intendedRoot, 'allowed-link');
+        process.env.OMX_MCP_WORKDIR_ROOTS = symlinkedRoot;
+        try {
+            await symlink(outsideRoot, symlinkedRoot);
+            assert.throws(() => resolveWorkingDirectoryForState(symlinkedRoot), /OMX_MCP_WORKDIR_ROOTS root .* resolves through a symlink/);
+        }
+        finally {
+            if (typeof prev === 'string')
+                process.env.OMX_MCP_WORKDIR_ROOTS = prev;
+            else
+                delete process.env.OMX_MCP_WORKDIR_ROOTS;
+            await rm(intendedRoot, { recursive: true, force: true });
+            await rm(outsideRoot, { recursive: true, force: true });
+        }
+    });
     it('builds global state paths', () => {
         const base = getBaseStateDir('/repo');
         assert.equal(base, '/repo/.omx/state');
@@ -150,7 +233,7 @@ describe('state paths', () => {
         assert.throws(() => getStatePath('../../etc/passwd', '/repo'), /must not contain "\.\."/);
     });
     it('enumerates global-only path', async () => {
-        const wd = await mkdtemp(join(tmpdir(), 'omx-state-paths-'));
+        const wd = await mkRealTemp('omx-state-paths-');
         try {
             const paths = await getAllScopedStatePaths('team', wd);
             assert.deepEqual(paths, [getStatePath('team', wd)]);
@@ -160,7 +243,7 @@ describe('state paths', () => {
         }
     });
     it('enumerates session-scoped paths', async () => {
-        const wd = await mkdtemp(join(tmpdir(), 'omx-state-paths-'));
+        const wd = await mkRealTemp('omx-state-paths-');
         try {
             const sessionsRoot = join(getBaseStateDir(wd), 'sessions');
             await mkdir(join(sessionsRoot, 'sess1'), { recursive: true });
@@ -176,7 +259,7 @@ describe('state paths', () => {
         }
     });
     it('enumerates state directories across all scopes', async () => {
-        const wd = await mkdtemp(join(tmpdir(), 'omx-state-paths-'));
+        const wd = await mkRealTemp('omx-state-paths-');
         try {
             const sessionsRoot = join(getBaseStateDir(wd), 'sessions');
             await mkdir(join(sessionsRoot, 'sess1'), { recursive: true });
@@ -191,7 +274,7 @@ describe('state paths', () => {
         }
     });
     it('enumerates global and session-scoped paths together', async () => {
-        const wd = await mkdtemp(join(tmpdir(), 'omx-state-paths-'));
+        const wd = await mkRealTemp('omx-state-paths-');
         try {
             const sessionsRoot = join(getBaseStateDir(wd), 'sessions');
             await mkdir(join(sessionsRoot, 'sess1'), { recursive: true });
@@ -208,7 +291,7 @@ describe('state paths', () => {
         }
     });
     it('ignores invalid session directory names', async () => {
-        const wd = await mkdtemp(join(tmpdir(), 'omx-state-paths-'));
+        const wd = await mkRealTemp('omx-state-paths-');
         try {
             const sessionsRoot = join(getBaseStateDir(wd), 'sessions');
             await mkdir(join(sessionsRoot, 'valid-session'), { recursive: true });
@@ -222,7 +305,7 @@ describe('state paths', () => {
         }
     });
     it('reads session-sensitive runtime files from the current session without root fallback when requested', async () => {
-        const wd = await mkdtemp(join(tmpdir(), 'omx-state-paths-'));
+        const wd = await mkRealTemp('omx-state-paths-');
         try {
             const stateDir = getBaseStateDir(wd);
             await mkdir(join(stateDir, 'sessions', 'sess-current'), { recursive: true });
@@ -238,7 +321,7 @@ describe('state paths', () => {
         }
     });
     it('prefers OMX_SESSION_ID over stale session.json when resolving current session id', async () => {
-        const wd = await mkdtemp(join(tmpdir(), 'omx-state-paths-'));
+        const wd = await mkRealTemp('omx-state-paths-');
         const previousSessionId = process.env.OMX_SESSION_ID;
         try {
             const stateDir = getBaseStateDir(wd);
@@ -260,7 +343,7 @@ describe('state paths', () => {
         }
     });
     it('resolves current session from authoritative team state root without OMX_SESSION_ID', async () => {
-        const wd = await mkdtemp(join(tmpdir(), 'omx-state-paths-team-root-session-'));
+        const wd = await mkRealTemp('omx-state-paths-team-root-session-');
         const teamStateRoot = join(wd, 'team-state-root');
         const previousTeamStateRoot = process.env.OMX_TEAM_STATE_ROOT;
         const previousSessionId = process.env.OMX_SESSION_ID;
@@ -292,7 +375,7 @@ describe('state paths', () => {
         }
     });
     it('does not resolve current session from source root when a team state root is authoritative', async () => {
-        const wd = await mkdtemp(join(tmpdir(), 'omx-state-paths-ignore-source-session-'));
+        const wd = await mkRealTemp('omx-state-paths-ignore-source-session-');
         const teamStateRoot = join(wd, 'team-state-root');
         const previousTeamStateRoot = process.env.OMX_TEAM_STATE_ROOT;
         const previousSessionId = process.env.OMX_SESSION_ID;