opena2a-cli 0.1.2 → 0.2.0

package/dist/shield/arp-bridge.js

@@ -0,0 +1,198 @@
+"use strict";
+/**
+ * ARP-Shield Event Bridge
+ *
+ * Translates ARP (Agent Runtime Protection) events into Shield's
+ * tamper-evident hash chain. Supports both bulk import of existing
+ * ARP event logs and live bridging during ARP monitoring.
+ *
+ * ARP events live in .opena2a/arp/events.jsonl (ARP native format).
+ * Shield events live in ~/.opena2a/shield/events.jsonl (hash-chained).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.translateARPEvent = translateARPEvent;
+exports.importARPEvents = importARPEvents;
+exports.getARPStats = getARPStats;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const events_js_1 = require("./events.js");
+// ---------------------------------------------------------------------------
+// Translation
+// ---------------------------------------------------------------------------
+/** Map ARP category to Shield outcome. */
+function mapOutcome(arpCategory, enforcement) {
+    if (enforcement === 'kill' || enforcement === 'pause')
+        return 'blocked';
+    if (arpCategory === 'violation' || arpCategory === 'threat')
+        return 'blocked';
+    if (arpCategory === 'anomaly')
+        return 'monitored';
+    return 'allowed';
+}
+/** Map ARP severity to Shield severity. */
+function mapSeverity(arpSeverity) {
+    const map = {
+        info: 'info',
+        low: 'low',
+        medium: 'medium',
+        high: 'high',
+        critical: 'critical',
+    };
+    return map[arpSeverity] ?? 'info';
+}
+/** Build a human-readable action string from ARP event data. */
+function buildAction(arp) {
+    const src = arp.source;
+    const cat = arp.category;
+    if (src === 'process')
+        return `process.${cat === 'normal' ? 'spawn' : cat}`;
+    if (src === 'network')
+        return `network.${cat === 'normal' ? 'connection' : cat}`;
+    if (src === 'filesystem')
+        return `filesystem.${cat === 'normal' ? 'access' : cat}`;
+    if (src === 'prompt')
+        return `prompt.${cat}`;
+    if (src === 'mcp-protocol')
+        return `mcp.${cat}`;
+    if (src === 'a2a-protocol')
+        return `a2a.${cat}`;
+    return `${src}.${cat}`;
+}
+/** Build a target string from ARP event data. */
+function buildTarget(arp) {
+    const data = arp.data ?? {};
+    if (data.command)
+        return String(data.command);
+    if (data.host)
+        return String(data.host);
+    if (data.path)
+        return String(data.path);
+    if (data.name)
+        return String(data.name);
+    if (data.pid)
+        return `pid:${data.pid}`;
+    return arp.description?.slice(0, 80) ?? 'unknown';
+}
+/**
+ * Translate a single ARP event into a Shield writeEvent partial.
+ * This does NOT write the event -- caller decides when to persist.
+ */
+function translateARPEvent(arp, agentName) {
+    return {
+        source: 'arp',
+        category: `arp.${arp.source}`,
+        severity: mapSeverity(arp.severity),
+        agent: agentName ?? arp.data?.agentName ?? null,
+        sessionId: null,
+        action: buildAction(arp),
+        target: buildTarget(arp),
+        outcome: mapOutcome(arp.category, arp.llmAssessment?.recommendation),
+        detail: {
+            arpEventId: arp.id,
+            arpSource: arp.source,
+            arpCategory: arp.category,
+            classifiedBy: arp.classifiedBy ?? 'L0-rules',
+            description: arp.description,
+            data: arp.data,
+            ...(arp.llmAssessment ? { llmAssessment: arp.llmAssessment } : {}),
+        },
+        orgId: null,
+        managed: false,
+        agentId: null,
+    };
+}
+// ---------------------------------------------------------------------------
+// Bulk import
+// ---------------------------------------------------------------------------
+/**
+ * Read ARP events from .opena2a/arp/events.jsonl and import them into
+ * Shield's tamper-evident event log. Skips events that have already been
+ * imported (checks for matching arpEventId in existing Shield events).
+ *
+ * Returns the count of newly imported events.
+ */
+function importARPEvents(targetDir, agentName) {
+    const arpEventsPath = (0, node_path_1.join)(targetDir, '.opena2a', 'arp', 'events.jsonl');
+    if (!(0, node_fs_1.existsSync)(arpEventsPath)) {
+        return { imported: 0, skipped: 0, errors: 0, total: 0 };
+    }
+    let content;
+    try {
+        content = (0, node_fs_1.readFileSync)(arpEventsPath, 'utf-8');
+    }
+    catch {
+        return { imported: 0, skipped: 0, errors: 0, total: 0 };
+    }
+    const lines = content.trim().split('\n').filter(Boolean);
+    // Build set of already-imported ARP event IDs
+    const existingEvents = (0, events_js_1.readEvents)({ count: 10000, source: 'arp' });
+    const importedIds = new Set();
+    for (const event of existingEvents) {
+        const detail = event.detail;
+        if (detail?.arpEventId) {
+            importedIds.add(String(detail.arpEventId));
+        }
+    }
+    let imported = 0;
+    let skipped = 0;
+    let errors = 0;
+    for (const line of lines) {
+        let arpEvent;
+        try {
+            arpEvent = JSON.parse(line);
+        }
+        catch {
+            errors++;
+            continue;
+        }
+        // Skip already-imported events
+        if (importedIds.has(arpEvent.id)) {
+            skipped++;
+            continue;
+        }
+        const partial = translateARPEvent(arpEvent, agentName);
+        (0, events_js_1.writeEvent)(partial);
+        imported++;
+    }
+    return { imported, skipped, errors, total: lines.length };
+}
+/**
+ * Compute stats from ARP events in Shield's log (source === 'arp').
+ * Used by shield report to populate runtimeProtection section.
+ */
+function getARPStats(since) {
+    const events = (0, events_js_1.readEvents)({ source: 'arp', since, count: 10000 });
+    const stats = {
+        totalEvents: events.length,
+        anomalies: 0,
+        violations: 0,
+        threats: 0,
+        processEvents: 0,
+        networkEvents: 0,
+        filesystemEvents: 0,
+        promptEvents: 0,
+        enforcements: 0,
+    };
+    for (const event of events) {
+        const detail = event.detail;
+        const arpCategory = String(detail?.arpCategory ?? '');
+        if (arpCategory === 'anomaly')
+            stats.anomalies++;
+        if (arpCategory === 'violation')
+            stats.violations++;
+        if (arpCategory === 'threat')
+            stats.threats++;
+        if (event.category === 'arp.process')
+            stats.processEvents++;
+        if (event.category === 'arp.network')
+            stats.networkEvents++;
+        if (event.category === 'arp.filesystem')
+            stats.filesystemEvents++;
+        if (event.category === 'arp.prompt')
+            stats.promptEvents++;
+        if (event.outcome === 'blocked')
+            stats.enforcements++;
+    }
+    return stats;
+}
+//# sourceMappingURL=arp-bridge.js.map

package/dist/shield/arp-bridge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"arp-bridge.js","sourceRoot":"","sources":["../../src/shield/arp-bridge.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AAiFH,8CA0BC;AAaD,0CAwDC;AAsBD,kCAgCC;AApOD,qCAAmD;AACnD,yCAAiC;AAEjC,2CAAqD;AAwBrD,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,0CAA0C;AAC1C,SAAS,UAAU,CAAC,WAAmB,EAAE,WAAoB;IAC3D,IAAI,WAAW,KAAK,MAAM,IAAI,WAAW,KAAK,OAAO;QAAE,OAAO,SAAS,CAAC;IACxE,IAAI,WAAW,KAAK,WAAW,IAAI,WAAW,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IAC9E,IAAI,WAAW,KAAK,SAAS;QAAE,OAAO,WAAW,CAAC;IAClD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,2CAA2C;AAC3C,SAAS,WAAW,CAAC,WAAmB;IACtC,MAAM,GAAG,GAAkC;QACzC,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,KAAK;QACV,MAAM,EAAE,QAAQ;QAChB,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,UAAU;KACrB,CAAC;IACF,OAAO,GAAG,CAAC,WAAW,CAAC,IAAI,MAAM,CAAC;AACpC,CAAC;AAED,gEAAgE;AAChE,SAAS,WAAW,CAAC,GAAa;IAChC,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC;IACzB,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,WAAW,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;IAC5E,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,WAAW,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;IACjF,IAAI,GAAG,KAAK,YAAY;QAAE,OAAO,cAAc,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;IACnF,IAAI,GAAG,KAAK,QAAQ;QAAE,OAAO,UAAU,GAAG,EAAE,CAAC;IAC7C,IAAI,GAAG,KAAK,cAAc;QAAE,OAAO,OAAO,GAAG,EAAE,CAAC;IAChD,IAAI,GAAG,KAAK,cAAc;QAAE,OAAO,OAAO,GAAG,EAAE,CAAC;IAChD,OAAO,GAAG,GAAG,IAAI,GAAG,EAAE,CAAC;AACzB,CAAC;AAED,iDAAiD;AACjD,SAAS,WAAW,CAAC,GAAa;IAChC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;IAC5B,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC9C,IAAI,IAAI,CAAC,IAAI;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,IAAI,CAAC,IAAI;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,IAAI,CAAC,IAAI;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,IAAI,CAAC,GAAG;QAAE,OAAO,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC;IACvC,OAAO,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,SAAS,CAAC;AACpD,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAC/B,GAAa,EACb,SAAkB;IAElB,OAAO;QACL,MAAM,EAAE,KAA0B;QAClC,QAAQ,EAAE,OAAO,GAAG,CAAC,MAAM,EAAE;QAC7B,QAAQ,EAAE,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC;QACnC,KAAK,EAAE,SAAS,IAAK,GAAG,CAAC,IAAI,EAAE,SAAoB,IAAI,IAAI;QAC3D,SAAS,EAAE,IAAI;QACf,MAAM,EAAE,WAAW,CAAC,GAAG,CAAC;QACxB,MAAM,EAAE,WAAW,CAAC,GAAG,CAAC;QACxB,OAAO,EAAE,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,aAAa,EAAE,cAAc,CAAC;QACpE,MAAM,EAAE;YACN,UAAU,EAAE,GAAG,CAAC,EAAE;YAClB,SAAS,EAAE,GAAG,CAAC,MAAM;YACrB,WAAW,EAAE,GAAG,CAAC,QAAQ;YACzB,YAAY,EAAE,GAAG,CAAC,YAAY,IAAI,UAAU;YAC5C,WAAW,EAAE,GAAG,CAAC,WAAW;YAC5B,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACnE;QACD,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,KAAK;QACd,OAAO,EAAE,IAAI;KACd,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E;;;;;;GAMG;AACH,SAAgB,eAAe,CAAC,SAAiB,EAAE,SAAkB;IAMnE,MAAM,aAAa,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;IAEzE,IAAI,CAAC,IAAA,oBAAU,EAAC,aAAa,CAAC,EAAE,CAAC;QAC/B,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IAC1D,CAAC;IAED,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,IAAA,sBAAY,EAAC,aAAa,EAAE,OAAO,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IAC1D,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAEzD,8CAA8C;IAC9C,MAAM,cAAc,GAAG,IAAA,sBAAU,EAAC,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACnE,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;IACtC,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAiC,CAAC;QACvD,IAAI,MAAM,EAAE,UAAU,EAAE,CAAC;YACvB,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,QAAkB,CAAC;QACvB,IAAI,CAAC;YACH,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,EAAE,CAAC;YACT,SAAS;QACX,CAAC;QAED,+BAA+B;QAC/B,IAAI,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;YACjC,OAAO,EAAE,CAAC;YACV,SAAS;QACX,CAAC;QAED,MAAM,OAAO,GAAG,iBAAiB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACvD,IAAA,sBAAU,EAAC,OAAO,CAAC,CAAC;QACpB,QAAQ,EAAE,CAAC;IACb,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC;AAC5D,CAAC;AAkBD;;;GAGG;AACH,SAAgB,WAAW,CAAC,KAAc;IACxC,MAAM,MAAM,GAAG,IAAA,sBAAU,EAAC,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IAElE,MAAM,KAAK,GAAa;QACtB,WAAW,EAAE,MAAM,CAAC,MAAM;QAC1B,SAAS,EAAE,CAAC;QACZ,UAAU,EAAE,CAAC;QACb,OAAO,EAAE,CAAC;QACV,aAAa,EAAE,CAAC;QAChB,aAAa,EAAE,CAAC;QAChB,gBAAgB,EAAE,CAAC;QACnB,YAAY,EAAE,CAAC;QACf,YAAY,EAAE,CAAC;KAChB,CAAC;IAEF,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,KAAK,CAAC,MAAiC,CAAC;QACvD,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,WAAW,IAAI,EAAE,CAAC,CAAC;QAEtD,IAAI,WAAW,KAAK,SAAS;YAAE,KAAK,CAAC,SAAS,EAAE,CAAC;QACjD,IAAI,WAAW,KAAK,WAAW;YAAE,KAAK,CAAC,UAAU,EAAE,CAAC;QACpD,IAAI,WAAW,KAAK,QAAQ;YAAE,KAAK,CAAC,OAAO,EAAE,CAAC;QAE9C,IAAI,KAAK,CAAC,QAAQ,KAAK,aAAa;YAAE,KAAK,CAAC,aAAa,EAAE,CAAC;QAC5D,IAAI,KAAK,CAAC,QAAQ,KAAK,aAAa;YAAE,KAAK,CAAC,aAAa,EAAE,CAAC;QAC5D,IAAI,KAAK,CAAC,QAAQ,KAAK,gBAAgB;YAAE,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAClE,IAAI,KAAK,CAAC,QAAQ,KAAK,YAAY;YAAE,KAAK,CAAC,YAAY,EAAE,CAAC;QAE1D,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS;YAAE,KAAK,CAAC,YAAY,EAAE,CAAC;IACxD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/shield/baselines.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Shield adaptive baselines: learn / suggest / protect enforcement flow.
+ *
+ * Baselines track observed agent behavior over time.  The stability
+ * algorithm determines when behavior has settled enough to recommend
+ * a policy.  The developer must explicitly approve before Shield
+ * starts enforcing.
+ *
+ * Storage: ~/.opena2a/shield/baselines/{agent}.json  (mode 0o600)
+ */
+import type { AgentBaseline } from './types.js';
+/**
+ * Get or create a baseline for an agent.
+ *
+ * Checks the in-memory cache first, then disk, and finally creates
+ * a new baseline if none exists.
+ */
+export declare function getBaseline(agent: string): AgentBaseline;
+/** List all persisted baselines (loads from disk). */
+export declare function listBaselines(): AgentBaseline[];
+/**
+ * Record an observed action from an agent into their baseline.
+ *
+ * This is the primary entry point for the adaptive enforcement loop.
+ * It handles session tracking, new-behavior detection, and stability
+ * recomputation.
+ */
+export declare function recordAction(agent: string, category: string, target: string): void;
+/**
+ * Compute a stability score between 0.0 and 1.0.
+ *
+ * Stability measures the fraction of recent sessions that had no new
+ * behavior (no previously unseen processes, credentials, etc.).
+ *
+ * Returns 0 until minimum action and session thresholds are met.
+ */
+export declare function computeStability(baseline: AgentBaseline): number;
+/**
+ * Check whether a baseline should transition phases.
+ *
+ * - learn -> suggest: stability >= STABILITY_THRESHOLD
+ * - suggest -> protect: manual approval only (approvePolicy)
+ */
+export declare function checkPhaseTransition(baseline: AgentBaseline): {
+    shouldTransition: boolean;
+    nextPhase: string;
+    reason: string;
+};
+/**
+ * Approve the recommended policy for an agent, transitioning
+ * from suggest to protect phase.
+ */
+export declare function approvePolicy(agent: string): AgentBaseline;
+/** Save a baseline to disk at ~/.opena2a/shield/baselines/{agent}.json. */
+export declare function saveBaseline(baseline: AgentBaseline): void;
+/** Load a baseline from disk. Returns null if not found or corrupted. */
+export declare function loadBaseline(agent: string): AgentBaseline | null;
+//# sourceMappingURL=baselines.d.ts.map

package/dist/shield/baselines.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"baselines.d.ts","sourceRoot":"","sources":["../../src/shield/baselines.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAaH,OAAO,KAAK,EAAE,aAAa,EAAe,MAAM,YAAY,CAAC;AAmF7D;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,CAaxD;AAED,sDAAsD;AACtD,wBAAgB,aAAa,IAAI,aAAa,EAAE,CAmB/C;AA6BD;;;;;;GAMG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,GACb,IAAI,CAkEN;AAMD;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,aAAa,GAAG,MAAM,CAuBhE;AAMD;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,aAAa,GAAG;IAC7D,gBAAgB,EAAE,OAAO,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;CAChB,CA8CA;AAMD;;;GAGG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,CAsB1D;AAuCD,2EAA2E;AAC3E,wBAAgB,YAAY,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI,CAW1D;AAED,yEAAyE;AACzE,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAkBhE"}

package/dist/shield/baselines.js

@@ -0,0 +1,371 @@
+"use strict";
+/**
+ * Shield adaptive baselines: learn / suggest / protect enforcement flow.
+ *
+ * Baselines track observed agent behavior over time.  The stability
+ * algorithm determines when behavior has settled enough to recommend
+ * a policy.  The developer must explicitly approve before Shield
+ * starts enforcing.
+ *
+ * Storage: ~/.opena2a/shield/baselines/{agent}.json  (mode 0o600)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getBaseline = getBaseline;
+exports.listBaselines = listBaselines;
+exports.recordAction = recordAction;
+exports.computeStability = computeStability;
+exports.checkPhaseTransition = checkPhaseTransition;
+exports.approvePolicy = approvePolicy;
+exports.saveBaseline = saveBaseline;
+exports.loadBaseline = loadBaseline;
+const node_fs_1 = require("node:fs");
+const node_os_1 = require("node:os");
+const node_path_1 = require("node:path");
+const types_js_1 = require("./types.js");
+// ---------------------------------------------------------------------------
+// Directory helpers
+// ---------------------------------------------------------------------------
+/** Return the absolute path to the baselines directory. */
+function getBaselinesDir() {
+    const dir = (0, node_path_1.join)((0, node_os_1.homedir)(), '.opena2a', 'shield', types_js_1.SHIELD_BASELINES_DIR);
+    if (!(0, node_fs_1.existsSync)(dir)) {
+        (0, node_fs_1.mkdirSync)(dir, { recursive: true, mode: 0o700 });
+    }
+    return dir;
+}
+/** Return the path to a specific agent's baseline file. */
+function baselinePath(agent) {
+    return (0, node_path_1.join)(getBaselinesDir(), `${agent}.json`);
+}
+// ---------------------------------------------------------------------------
+// In-memory cache (keyed by agent name)
+// ---------------------------------------------------------------------------
+const cache = new Map();
+const sessionStates = new Map();
+// ---------------------------------------------------------------------------
+// Baseline CRUD
+// ---------------------------------------------------------------------------
+/** Create a fresh baseline for an agent. */
+function createBaseline(agent) {
+    const now = new Date().toISOString();
+    return {
+        agent,
+        observationStart: now,
+        observationEnd: now,
+        totalActions: 0,
+        totalSessions: 0,
+        phase: 'learn',
+        stabilityScore: 0,
+        lastNewBehaviorAt: null,
+        observed: {
+            processes: {},
+            credentials: {},
+            filesystemPaths: {},
+            networkHosts: {},
+            mcpServers: {},
+        },
+        recommended: null,
+        thresholds: {
+            maxProcessesPerHour: 0,
+            maxCredentialAccessPerSession: 0,
+            maxNewBinariesPerDay: 0,
+        },
+    };
+}
+/**
+ * Get or create a baseline for an agent.
+ *
+ * Checks the in-memory cache first, then disk, and finally creates
+ * a new baseline if none exists.
+ */
+function getBaseline(agent) {
+    const cached = cache.get(agent);
+    if (cached)
+        return cached.baseline;
+    const loaded = loadBaseline(agent);
+    if (loaded) {
+        cache.set(agent, { baseline: loaded, lastActionAt: 0 });
+        return loaded;
+    }
+    const fresh = createBaseline(agent);
+    cache.set(agent, { baseline: fresh, lastActionAt: 0 });
+    return fresh;
+}
+/** List all persisted baselines (loads from disk). */
+function listBaselines() {
+    const dir = getBaselinesDir();
+    const baselines = [];
+    let files;
+    try {
+        files = (0, node_fs_1.readdirSync)(dir);
+    }
+    catch {
+        return baselines;
+    }
+    for (const file of files) {
+        if (!file.endsWith('.json'))
+            continue;
+        const agent = file.replace(/\.json$/, '');
+        const bl = loadBaseline(agent);
+        if (bl)
+            baselines.push(bl);
+    }
+    return baselines;
+}
+// ---------------------------------------------------------------------------
+// Recording actions
+// ---------------------------------------------------------------------------
+/** Map a category string to the corresponding observed bucket key. */
+function categoryToBucket(category) {
+    switch (category) {
+        case 'process':
+        case 'processes':
+            return 'processes';
+        case 'credential':
+        case 'credentials':
+            return 'credentials';
+        case 'filesystem':
+            return 'filesystemPaths';
+        case 'network':
+            return 'networkHosts';
+        case 'mcp':
+        case 'mcpServers':
+            return 'mcpServers';
+        default:
+            return null;
+    }
+}
+/**
+ * Record an observed action from an agent into their baseline.
+ *
+ * This is the primary entry point for the adaptive enforcement loop.
+ * It handles session tracking, new-behavior detection, and stability
+ * recomputation.
+ */
+function recordAction(agent, category, target) {
+    const baseline = getBaseline(agent);
+    const now = Date.now();
+    const nowIso = new Date(now).toISOString();
+    // --- Session tracking ---
+    let ss = sessionStates.get(agent);
+    if (!ss) {
+        ss = {
+            lastActionAt: 0,
+            currentSessionHadNewBehavior: false,
+            recentSessionNewBehavior: [],
+        };
+        sessionStates.set(agent, ss);
+    }
+    const elapsed = ss.lastActionAt === 0 ? Infinity : now - ss.lastActionAt;
+    if (elapsed >= types_js_1.SESSION_TIMEOUT_MS) {
+        // Close previous session if there was one
+        if (ss.lastActionAt !== 0) {
+            ss.recentSessionNewBehavior.push(ss.currentSessionHadNewBehavior);
+            // Keep only the last STABILITY_WINDOW_SESSIONS entries
+            if (ss.recentSessionNewBehavior.length > types_js_1.STABILITY_WINDOW_SESSIONS) {
+                ss.recentSessionNewBehavior = ss.recentSessionNewBehavior.slice(-types_js_1.STABILITY_WINDOW_SESSIONS);
+            }
+        }
+        // Start a new session
+        baseline.totalSessions += 1;
+        ss.currentSessionHadNewBehavior = false;
+    }
+    ss.lastActionAt = now;
+    // --- Record the action ---
+    baseline.totalActions += 1;
+    baseline.observationEnd = nowIso;
+    const bucket = categoryToBucket(category);
+    if (bucket) {
+        const observed = baseline.observed[bucket];
+        const isNew = !(target in observed);
+        observed[target] = (observed[target] ?? 0) + 1;
+        if (isNew) {
+            baseline.lastNewBehaviorAt = nowIso;
+            ss.currentSessionHadNewBehavior = true;
+        }
+    }
+    // --- Recompute stability ---
+    baseline.stabilityScore = computeStability(baseline);
+    // --- Auto-transition learn -> suggest ---
+    if (baseline.phase === 'learn') {
+        const transition = checkPhaseTransition(baseline);
+        if (transition.shouldTransition) {
+            baseline.phase = transition.nextPhase;
+            baseline.recommended = buildRecommendedPolicy(baseline);
+        }
+    }
+    // --- Persist ---
+    cache.set(agent, { baseline, lastActionAt: now });
+    saveBaseline(baseline);
+}
+// ---------------------------------------------------------------------------
+// Stability computation
+// ---------------------------------------------------------------------------
+/**
+ * Compute a stability score between 0.0 and 1.0.
+ *
+ * Stability measures the fraction of recent sessions that had no new
+ * behavior (no previously unseen processes, credentials, etc.).
+ *
+ * Returns 0 until minimum action and session thresholds are met.
+ */
+function computeStability(baseline) {
+    if (baseline.totalActions < types_js_1.LEARN_PHASE_MIN_ACTIONS ||
+        baseline.totalSessions < types_js_1.LEARN_PHASE_MIN_SESSIONS) {
+        return 0;
+    }
+    const ss = sessionStates.get(baseline.agent);
+    if (!ss)
+        return 0;
+    // Include the current in-progress session in the window
+    const sessions = [
+        ...ss.recentSessionNewBehavior,
+        ss.currentSessionHadNewBehavior,
+    ];
+    // Take only the last STABILITY_WINDOW_SESSIONS
+    const window = sessions.slice(-types_js_1.STABILITY_WINDOW_SESSIONS);
+    if (window.length === 0)
+        return 0;
+    const stableSessions = window.filter((hadNew) => !hadNew).length;
+    return stableSessions / window.length;
+}
+// ---------------------------------------------------------------------------
+// Phase transitions
+// ---------------------------------------------------------------------------
+/**
+ * Check whether a baseline should transition phases.
+ *
+ * - learn -> suggest: stability >= STABILITY_THRESHOLD
+ * - suggest -> protect: manual approval only (approvePolicy)
+ */
+function checkPhaseTransition(baseline) {
+    if (baseline.phase === 'learn') {
+        if (baseline.totalActions < types_js_1.LEARN_PHASE_MIN_ACTIONS) {
+            return {
+                shouldTransition: false,
+                nextPhase: 'learn',
+                reason: `Need ${types_js_1.LEARN_PHASE_MIN_ACTIONS - baseline.totalActions} more actions before stability check`,
+            };
+        }
+        if (baseline.totalSessions < types_js_1.LEARN_PHASE_MIN_SESSIONS) {
+            return {
+                shouldTransition: false,
+                nextPhase: 'learn',
+                reason: `Need ${types_js_1.LEARN_PHASE_MIN_SESSIONS - baseline.totalSessions} more sessions before stability check`,
+            };
+        }
+        const stability = computeStability(baseline);
+        if (stability >= types_js_1.STABILITY_THRESHOLD) {
+            return {
+                shouldTransition: true,
+                nextPhase: 'suggest',
+                reason: `Stability score ${stability.toFixed(2)} >= ${types_js_1.STABILITY_THRESHOLD} threshold`,
+            };
+        }
+        return {
+            shouldTransition: false,
+            nextPhase: 'learn',
+            reason: `Stability score ${stability.toFixed(2)} < ${types_js_1.STABILITY_THRESHOLD} threshold`,
+        };
+    }
+    if (baseline.phase === 'suggest') {
+        return {
+            shouldTransition: false,
+            nextPhase: 'suggest',
+            reason: 'Awaiting developer approval to transition to protect',
+        };
+    }
+    // Already in protect phase
+    return {
+        shouldTransition: false,
+        nextPhase: 'protect',
+        reason: 'Already in protect phase',
+    };
+}
+// ---------------------------------------------------------------------------
+// Policy approval (suggest -> protect)
+// ---------------------------------------------------------------------------
+/**
+ * Approve the recommended policy for an agent, transitioning
+ * from suggest to protect phase.
+ */
+function approvePolicy(agent) {
+    const baseline = getBaseline(agent);
+    if (baseline.phase !== 'suggest') {
+        throw new Error(`Cannot approve policy for agent "${agent}" in phase "${baseline.phase}". ` +
+            'Agent must be in suggest phase.');
+    }
+    if (!baseline.recommended) {
+        baseline.recommended = buildRecommendedPolicy(baseline);
+    }
+    baseline.phase = 'protect';
+    cache.set(agent, {
+        baseline,
+        lastActionAt: cache.get(agent)?.lastActionAt ?? 0,
+    });
+    saveBaseline(baseline);
+    return baseline;
+}
+// ---------------------------------------------------------------------------
+// Recommended policy builder
+// ---------------------------------------------------------------------------
+/** Build a recommended policy from observed behavior. */
+function buildRecommendedPolicy(baseline) {
+    const toAllowList = (observed) => Object.keys(observed);
+    return {
+        processes: {
+            allow: toAllowList(baseline.observed.processes),
+            deny: [],
+        },
+        credentials: {
+            allow: toAllowList(baseline.observed.credentials),
+            deny: [],
+        },
+        filesystem: {
+            allow: toAllowList(baseline.observed.filesystemPaths),
+            deny: [],
+        },
+        network: {
+            allow: toAllowList(baseline.observed.networkHosts),
+            deny: [],
+        },
+        mcpServers: {
+            allow: toAllowList(baseline.observed.mcpServers),
+            deny: [],
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Persistence
+// ---------------------------------------------------------------------------
+/** Save a baseline to disk at ~/.opena2a/shield/baselines/{agent}.json. */
+function saveBaseline(baseline) {
+    const filePath = baselinePath(baseline.agent);
+    const data = JSON.stringify(baseline, null, 2) + '\n';
+    (0, node_fs_1.writeFileSync)(filePath, data, { encoding: 'utf-8', mode: 0o600 });
+    try {
+        (0, node_fs_1.chmodSync)(filePath, 0o600);
+    }
+    catch {
+        // Best-effort
+    }
+}
+/** Load a baseline from disk. Returns null if not found or corrupted. */
+function loadBaseline(agent) {
+    const filePath = baselinePath(agent);
+    if (!(0, node_fs_1.existsSync)(filePath))
+        return null;
+    try {
+        const raw = (0, node_fs_1.readFileSync)(filePath, 'utf-8');
+        const parsed = JSON.parse(raw);
+        // Basic validation
+        if (!parsed.agent || typeof parsed.totalActions !== 'number') {
+            return null;
+        }
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=baselines.js.map

package/dist/shield/baselines.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"baselines.js","sourceRoot":"","sources":["../../src/shield/baselines.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AAsGH,kCAaC;AAGD,sCAmBC;AAoCD,oCAsEC;AAcD,4CAuBC;AAYD,oDAkDC;AAUD,sCAsBC;AAwCD,oCAWC;AAGD,oCAkBC;AA5bD,qCAOiB;AACjB,qCAAkC;AAClC,yCAAiC;AAGjC,yCAOoB;AAEpB,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,2DAA2D;AAC3D,SAAS,eAAe;IACtB,MAAM,GAAG,GAAG,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,UAAU,EAAE,QAAQ,EAAE,+BAAoB,CAAC,CAAC;IACxE,IAAI,CAAC,IAAA,oBAAU,EAAC,GAAG,CAAC,EAAE,CAAC;QACrB,IAAA,mBAAS,EAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,2DAA2D;AAC3D,SAAS,YAAY,CAAC,KAAa;IACjC,OAAO,IAAA,gBAAI,EAAC,eAAe,EAAE,EAAE,GAAG,KAAK,OAAO,CAAC,CAAC;AAClD,CAAC;AAED,8EAA8E;AAC9E,wCAAwC;AACxC,8EAA8E;AAE9E,MAAM,KAAK,GAAG,IAAI,GAAG,EAA6D,CAAC;AAiBnF,MAAM,aAAa,GAAG,IAAI,GAAG,EAAwB,CAAC;AAEtD,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,4CAA4C;AAC5C,SAAS,cAAc,CAAC,KAAa;IACnC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,OAAO;QACL,KAAK;QACL,gBAAgB,EAAE,GAAG;QACrB,cAAc,EAAE,GAAG;QACnB,YAAY,EAAE,CAAC;QACf,aAAa,EAAE,CAAC;QAChB,KAAK,EAAE,OAAO;QACd,cAAc,EAAE,CAAC;QACjB,iBAAiB,EAAE,IAAI;QACvB,QAAQ,EAAE;YACR,SAAS,EAAE,EAAE;YACb,WAAW,EAAE,EAAE;YACf,eAAe,EAAE,EAAE;YACnB,YAAY,EAAE,EAAE;YAChB,UAAU,EAAE,EAAE;SACf;QACD,WAAW,EAAE,IAAI;QACjB,UAAU,EAAE;YACV,mBAAmB,EAAE,CAAC;YACtB,6BAA6B,EAAE,CAAC;YAChC,oBAAoB,EAAE,CAAC;SACxB;KACF,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,WAAW,CAAC,KAAa;IACvC,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAChC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,QAAQ,CAAC;IAEnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,IAAI,MAAM,EAAE,CAAC;QACX,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC,CAAC;QACxD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,KAAK,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IACpC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC,CAAC;IACvD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,sDAAsD;AACtD,SAAgB,aAAa;IAC3B,MAAM,GAAG,GAAG,eAAe,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAoB,EAAE,CAAC;IAEtC,IAAI,KAAe,CAAC;IACpB,IAAI,CAAC;QACH,KAAK,GAAG,IAAA,qBAAW,EAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;YAAE,SAAS;QACtC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAC1C,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QAC/B,IAAI,EAAE;YAAE,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7B,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,sEAAsE;AACtE,SAAS,gBAAgB,CACvB,QAAgB;IAEhB,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,SAAS,CAAC;QACf,KAAK,WAAW;YACd,OAAO,WAAW,CAAC;QACrB,KAAK,YAAY,CAAC;QAClB,KAAK,aAAa;YAChB,OAAO,aAAa,CAAC;QACvB,KAAK,YAAY;YACf,OAAO,iBAAiB,CAAC;QAC3B,KAAK,SAAS;YACZ,OAAO,cAAc,CAAC;QACxB,KAAK,KAAK,CAAC;QACX,KAAK,YAAY;YACf,OAAO,YAAY,CAAC;QACtB;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,YAAY,CAC1B,KAAa,EACb,QAAgB,EAChB,MAAc;IAEd,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IAE3C,2BAA2B;IAC3B,IAAI,EAAE,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,EAAE,GAAG;YACH,YAAY,EAAE,CAAC;YACf,4BAA4B,EAAE,KAAK;YACnC,wBAAwB,EAAE,EAAE;SAC7B,CAAC;QACF,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC/B,CAAC;IAED,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC;IACzE,IAAI,OAAO,IAAI,6BAAkB,EAAE,CAAC;QAClC,0CAA0C;QAC1C,IAAI,EAAE,CAAC,YAAY,KAAK,CAAC,EAAE,CAAC;YAC1B,EAAE,CAAC,wBAAwB,CAAC,IAAI,CAAC,EAAE,CAAC,4BAA4B,CAAC,CAAC;YAClE,uDAAuD;YACvD,IAAI,EAAE,CAAC,wBAAwB,CAAC,MAAM,GAAG,oCAAyB,EAAE,CAAC;gBACnE,EAAE,CAAC,wBAAwB,GAAG,EAAE,CAAC,wBAAwB,CAAC,KAAK,CAC7D,CAAC,oCAAyB,CAC3B,CAAC;YACJ,CAAC;QACH,CAAC;QACD,sBAAsB;QACtB,QAAQ,CAAC,aAAa,IAAI,CAAC,CAAC;QAC5B,EAAE,CAAC,4BAA4B,GAAG,KAAK,CAAC;IAC1C,CAAC;IACD,EAAE,CAAC,YAAY,GAAG,GAAG,CAAC;IAEtB,4BAA4B;IAC5B,QAAQ,CAAC,YAAY,IAAI,CAAC,CAAC;IAC3B,QAAQ,CAAC,cAAc,GAAG,MAAM,CAAC;IAEjC,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAC1C,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC3C,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,IAAI,QAAQ,CAAC,CAAC;QAEpC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAE/C,IAAI,KAAK,EAAE,CAAC;YACV,QAAQ,CAAC,iBAAiB,GAAG,MAAM,CAAC;YACpC,EAAE,CAAC,4BAA4B,GAAG,IAAI,CAAC;QACzC,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,QAAQ,CAAC,cAAc,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAErD,2CAA2C;IAC3C,IAAI,QAAQ,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;QAC/B,MAAM,UAAU,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC;QAClD,IAAI,UAAU,CAAC,gBAAgB,EAAE,CAAC;YAChC,QAAQ,CAAC,KAAK,GAAG,UAAU,CAAC,SAAsB,CAAC;YACnD,QAAQ,CAAC,WAAW,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC,CAAC;IAClD,YAAY,CAAC,QAAQ,CAAC,CAAC;AACzB,CAAC;AAED,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E;;;;;;;GAOG;AACH,SAAgB,gBAAgB,CAAC,QAAuB;IACtD,IACE,QAAQ,CAAC,YAAY,GAAG,kCAAuB;QAC/C,QAAQ,CAAC,aAAa,GAAG,mCAAwB,EACjD,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,EAAE,GAAG,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC7C,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC,CAAC;IAElB,wDAAwD;IACxD,MAAM,QAAQ,GAAG;QACf,GAAG,EAAE,CAAC,wBAAwB;QAC9B,EAAE,CAAC,4BAA4B;KAChC,CAAC;IAEF,+CAA+C;IAC/C,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,oCAAyB,CAAC,CAAC;IAC1D,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAElC,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IACjE,OAAO,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC;AACxC,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E;;;;;GAKG;AACH,SAAgB,oBAAoB,CAAC,QAAuB;IAK1D,IAAI,QAAQ,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;QAC/B,IAAI,QAAQ,CAAC,YAAY,GAAG,kCAAuB,EAAE,CAAC;YACpD,OAAO;gBACL,gBAAgB,EAAE,KAAK;gBACvB,SAAS,EAAE,OAAO;gBAClB,MAAM,EAAE,QAAQ,kCAAuB,GAAG,QAAQ,CAAC,YAAY,sCAAsC;aACtG,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,CAAC,aAAa,GAAG,mCAAwB,EAAE,CAAC;YACtD,OAAO;gBACL,gBAAgB,EAAE,KAAK;gBACvB,SAAS,EAAE,OAAO;gBAClB,MAAM,EAAE,QAAQ,mCAAwB,GAAG,QAAQ,CAAC,aAAa,uCAAuC;aACzG,CAAC;QACJ,CAAC;QAED,MAAM,SAAS,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,SAAS,IAAI,8BAAmB,EAAE,CAAC;YACrC,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,SAAS,EAAE,SAAS;gBACpB,MAAM,EAAE,mBAAmB,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,8BAAmB,YAAY;aACtF,CAAC;QACJ,CAAC;QACD,OAAO;YACL,gBAAgB,EAAE,KAAK;YACvB,SAAS,EAAE,OAAO;YAClB,MAAM,EAAE,mBAAmB,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,8BAAmB,YAAY;SACrF,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QACjC,OAAO;YACL,gBAAgB,EAAE,KAAK;YACvB,SAAS,EAAE,SAAS;YACpB,MAAM,EAAE,sDAAsD;SAC/D,CAAC;IACJ,CAAC;IAED,2BAA2B;IAC3B,OAAO;QACL,gBAAgB,EAAE,KAAK;QACvB,SAAS,EAAE,SAAS;QACpB,MAAM,EAAE,0BAA0B;KACnC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,uCAAuC;AACvC,8EAA8E;AAE9E;;;GAGG;AACH,SAAgB,aAAa,CAAC,KAAa;IACzC,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IAEpC,IAAI,QAAQ,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CACb,oCAAoC,KAAK,eAAe,QAAQ,CAAC,KAAK,KAAK;YACzE,iCAAiC,CACpC,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC1B,QAAQ,CAAC,WAAW,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,QAAQ,CAAC,KAAK,GAAG,SAAS,CAAC;IAC3B,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE;QACf,QAAQ;QACR,YAAY,EAAE,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,YAAY,IAAI,CAAC;KAClD,CAAC,CAAC;IACH,YAAY,CAAC,QAAQ,CAAC,CAAC;IAEvB,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E,yDAAyD;AACzD,SAAS,sBAAsB,CAAC,QAAuB;IACrD,MAAM,WAAW,GAAG,CAAC,QAAgC,EAAY,EAAE,CACjE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAExB,OAAO;QACL,SAAS,EAAE;YACT,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC/C,IAAI,EAAE,EAAE;SACT;QACD,WAAW,EAAE;YACX,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC;YACjD,IAAI,EAAE,EAAE;SACT;QACD,UAAU,EAAE;YACV,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,eAAe,CAAC;YACrD,IAAI,EAAE,EAAE;SACT;QACD,OAAO,EAAE;YACP,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC;YAClD,IAAI,EAAE,EAAE;SACT;QACD,UAAU,EAAE;YACV,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC;YAChD,IAAI,EAAE,EAAE;SACT;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,2EAA2E;AAC3E,SAAgB,YAAY,CAAC,QAAuB;IAClD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC;IAEtD,IAAA,uBAAa,EAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAElE,IAAI,CAAC;QACH,IAAA,mBAAS,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;AACH,CAAC;AAED,yEAAyE;AACzE,SAAgB,YAAY,CAAC,KAAa;IACxC,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAErC,IAAI,CAAC,IAAA,oBAAU,EAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;QAEhD,mBAAmB;QACnB,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;YAC7D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}