opensip-cli 0.1.7 → 0.1.9

package/dist/bootstrap/tool-command-worker-context.d.ts

@@ -0,0 +1,55 @@
+/**
+ * tool-command-worker-context — the WORKER-side {@link ToolCliContext} shim for
+ * the ADR-0054 out-of-process dispatch plane (increments M4-C / M4-D).
+ *
+ * Each seam the worker exposes to the dispatched handler is implemented per its
+ * transport strategy from ADR-0054's M4-C mapping table:
+ *
+ *   - final-result-return (FRR): `render` / `emitJson` / `emitEnvelope` /
+ *     `emitRaw` / `emitError` / `setExitCode` record into a {@link
+ *     ResultAccumulator} drained into a `ToolCommandResult` after the handler
+ *     resolves; the host replays them through the real seams.
+ *   - host-RPC (RPC): `deliverSignals` / `writeSarif` / the four baseline seams
+ *     / `toolState.*` / `hostPlanes.*` / `maybeOpenReport` / `getExitCode` issue
+ *     a typed {@link HostRpcRequest} via the {@link WorkerRpcClient} and await
+ *     the host's reply — the HOST performs the privileged effect (datastore /
+ *     egress / FS / process exit) and returns the result.
+ *   - host-only (fail loud): the live-view seams (`registerLiveView` /
+ *     `renderLive`) throw {@link UnsupportedSeamError} — Ink/TTY rendering
+ *     cannot leave the host (documented as a later increment).
+ *
+ * `scope` / `runSession` / `logger` are backed by the worker's own minimal
+ * {@link RunScope} + run timer (the worker re-bootstraps its own scope; it never
+ * ships a live `RunScope` across IPC).
+ */
+import { type RunScope, type RunTimer, type ToolCliContext } from '@opensip-cli/core';
+import type { ToolCommandFailureClass, ToolCommandResult } from './tool-command-dispatch-types.js';
+import type { WorkerRpcClient } from './tool-command-worker-rpc.js';
+/**
+ * A loud, marked failure for a seam the worker shim cannot marshal (the
+ * live-view seams). Carries the {@link ToolCommandFailureClass} so the
+ * supervisor can triage; the worker catch turns it into an `error` IPC message.
+ */
+export declare class UnsupportedSeamError extends Error {
+    readonly failureClass: ToolCommandFailureClass;
+    constructor(seam: string);
+}
+/**
+ * The mutable accumulator the worker-side context shim records final-result
+ * seam calls into. Drained into a {@link ToolCommandResult} after the handler
+ * resolves.
+ */
+export interface ResultAccumulator {
+    render?: unknown;
+    envelope?: unknown;
+    json?: unknown;
+    raw?: unknown;
+    error?: ToolCommandResult['error'];
+    exitCode?: number;
+}
+/**
+ * Build the worker-side {@link ToolCliContext} shim. FRR seams record into
+ * `acc`; RPC seams upcall via `rpcClient`; the live-view seams fail loud.
+ */
+export declare function buildWorkerContext(scope: RunScope, timing: RunTimer, acc: ResultAccumulator, rpcClient: WorkerRpcClient): ToolCliContext;
+//# sourceMappingURL=tool-command-worker-context.d.ts.map

package/dist/bootstrap/tool-command-worker-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-command-worker-context.d.ts","sourceRoot":"","sources":["../../src/bootstrap/tool-command-worker-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAKL,KAAK,QAAQ,EACb,KAAK,QAAQ,EAEb,KAAK,cAAc,EACpB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,KAAK,EAGV,uBAAuB,EACvB,iBAAiB,EAClB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAEpE;;;;GAIG;AACH,qBAAa,oBAAqB,SAAQ,KAAK;IAC7C,QAAQ,CAAC,YAAY,EAAE,uBAAuB,CAAsB;gBACxD,IAAI,EAAE,MAAM;CAQzB;AAgBD;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,KAAK,CAAC,EAAE,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AA2DD;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,QAAQ,EACf,MAAM,EAAE,QAAQ,EAChB,GAAG,EAAE,iBAAiB,EACtB,SAAS,EAAE,eAAe,GACzB,cAAc,CA+DhB"}

package/dist/bootstrap/tool-command-worker-context.js

@@ -0,0 +1,163 @@
+/**
+ * tool-command-worker-context — the WORKER-side {@link ToolCliContext} shim for
+ * the ADR-0054 out-of-process dispatch plane (increments M4-C / M4-D).
+ *
+ * Each seam the worker exposes to the dispatched handler is implemented per its
+ * transport strategy from ADR-0054's M4-C mapping table:
+ *
+ *   - final-result-return (FRR): `render` / `emitJson` / `emitEnvelope` /
+ *     `emitRaw` / `emitError` / `setExitCode` record into a {@link
+ *     ResultAccumulator} drained into a `ToolCommandResult` after the handler
+ *     resolves; the host replays them through the real seams.
+ *   - host-RPC (RPC): `deliverSignals` / `writeSarif` / the four baseline seams
+ *     / `toolState.*` / `hostPlanes.*` / `maybeOpenReport` / `getExitCode` issue
+ *     a typed {@link HostRpcRequest} via the {@link WorkerRpcClient} and await
+ *     the host's reply — the HOST performs the privileged effect (datastore /
+ *     egress / FS / process exit) and returns the result.
+ *   - host-only (fail loud): the live-view seams (`registerLiveView` /
+ *     `renderLive`) throw {@link UnsupportedSeamError} — Ink/TTY rendering
+ *     cannot leave the host (documented as a later increment).
+ *
+ * `scope` / `runSession` / `logger` are backed by the worker's own minimal
+ * {@link RunScope} + run timer (the worker re-bootstraps its own scope; it never
+ * ships a live `RunScope` across IPC).
+ */
+/**
+ * A loud, marked failure for a seam the worker shim cannot marshal (the
+ * live-view seams). Carries the {@link ToolCommandFailureClass} so the
+ * supervisor can triage; the worker catch turns it into an `error` IPC message.
+ */
+export class UnsupportedSeamError extends Error {
+    failureClass = 'unsupported-seam';
+    constructor(seam) {
+        super(`tool command worker: seam '${seam}' cannot be marshalled across the ADR-0054 ` +
+            'dispatch boundary (Ink/TTY rendering stays host-side). The external command ' +
+            'attempted a live-view effect the worker cannot perform.');
+        this.name = 'UnsupportedSeamError';
+    }
+}
+/**
+ * Build a host-only seam stub that fails loudly when an external handler calls a
+ * seam the worker cannot marshal (the live-view seams).
+ *
+ * @throws {UnsupportedSeamError} always — that is the point: an unmarshallable
+ *   seam must surface as a structured failure, never a silent no-op.
+ */
+function unsupported(seam) {
+    // @fitness-ignore-next-line throws-documentation -- the throw is documented on the enclosing `unsupported` factory's @throws above; this is the one-line closure it returns.
+    return () => {
+        throw new UnsupportedSeamError(seam);
+    };
+}
+/** Issue one RPC upcall and cast the host's reply to the seam's return type. */
+function rpc(client, request) {
+    return client.call(request);
+}
+/** Build the RPC-backed `toolState` member (ADR-0042 datastore-backed). */
+function buildToolStateRpc(client) {
+    return {
+        get: (tool, key) => rpc(client, { seam: 'toolState.get', tool, key }),
+        put: (tool, key, payload) => rpc(client, { seam: 'toolState.put', tool, key, payload }),
+        delete: (tool, key) => rpc(client, { seam: 'toolState.delete', tool, key }),
+        list: (tool) => rpc(client, { seam: 'toolState.list', tool }),
+    };
+}
+/**
+ * Make one host-plane method into a generic `hostPlane` upcall
+ * (`plane`/`method`/`args`). The host dispatches to the real plane impl by name;
+ * the worker never holds a plane handle.
+ */
+function planeMethod(client, plane, method) {
+    return (...args) => rpc(client, { seam: 'hostPlane', plane, method, args });
+}
+/**
+ * Build the RPC-backed `hostPlanes` bag (governance / audit / entitlements).
+ * Each plane's methods are enumerated explicitly (rather than via a Proxy) so
+ * the shim conforms to the core host-plane interfaces structurally — every
+ * method routes through {@link planeMethod} to a generic `hostPlane` upcall.
+ */
+function buildHostPlanesRpc(client) {
+    const governance = {
+        getGovernanceState: planeMethod(client, 'governance', 'getGovernanceState'),
+        listForProject: planeMethod(client, 'governance', 'listForProject'),
+        queryAudit: planeMethod(client, 'governance', 'queryAudit'),
+        recordInstallation: planeMethod(client, 'governance', 'recordInstallation'),
+        recordApprovalDecision: planeMethod(client, 'governance', 'recordApprovalDecision'),
+        setBlock: planeMethod(client, 'governance', 'setBlock'),
+        checkAllowed: planeMethod(client, 'governance', 'checkAllowed'),
+    };
+    const audit = {
+        append: planeMethod(client, 'audit', 'append'),
+        query: planeMethod(client, 'audit', 'query'),
+        exportForCloud: planeMethod(client, 'audit', 'exportForCloud'),
+    };
+    const entitlements = {
+        check: planeMethod(client, 'entitlements', 'check'),
+        recordUsage: planeMethod(client, 'entitlements', 'recordUsage'),
+        getLicenseState: planeMethod(client, 'entitlements', 'getLicenseState'),
+    };
+    return { governance, audit, entitlements };
+}
+/**
+ * Build the worker-side {@link ToolCliContext} shim. FRR seams record into
+ * `acc`; RPC seams upcall via `rpcClient`; the live-view seams fail loud.
+ */
+export function buildWorkerContext(scope, timing, acc, rpcClient) {
+    return {
+        scope,
+        runSession: { timing },
+        logger: scope.logger,
+        // ── Final-result-return seams (recorded, replayed host-side) ──────────
+        render: (result) => {
+            acc.render = result;
+            return Promise.resolve();
+        },
+        emitJson: (value) => {
+            acc.json = value;
+        },
+        emitEnvelope: (envelope) => {
+            acc.envelope = envelope;
+        },
+        emitRaw: (value) => {
+            acc.raw = value;
+        },
+        emitError: (detail) => {
+            acc.error = {
+                message: detail.message,
+                exitCode: detail.exitCode,
+                ...(detail.suggestion === undefined ? {} : { suggestion: detail.suggestion }),
+                ...(detail.code === undefined ? {} : { code: detail.code }),
+            };
+        },
+        setExitCode: (code) => {
+            acc.exitCode = code;
+        },
+        // ── Host-RPC seams (M4-C upcalls — host performs the effect) ──────────
+        getExitCode: () => acc.exitCode,
+        deliverSignals: (envelope, opts) => rpc(rpcClient, {
+            seam: 'deliverSignals',
+            envelope,
+            opts: {
+                cwd: opts.cwd,
+                ...(opts.reportTo === undefined ? {} : { reportTo: opts.reportTo }),
+                ...(opts.apiKey === undefined ? {} : { apiKey: opts.apiKey }),
+                ...(opts.runFailed === undefined ? {} : { runFailed: opts.runFailed }),
+            },
+        }),
+        writeSarif: (envelope, path) => rpc(rpcClient, { seam: 'writeSarif', envelope, path }),
+        saveBaseline: (tool, envelope) => rpc(rpcClient, { seam: 'saveBaseline', tool, envelope }),
+        compareBaseline: (tool, envelope) => rpc(rpcClient, { seam: 'compareBaseline', tool, envelope }),
+        exportBaselineSarif: (tool, path) => rpc(rpcClient, { seam: 'exportBaselineSarif', tool, path }),
+        exportBaselineFingerprints: (tool, path) => rpc(rpcClient, { seam: 'exportBaselineFingerprints', tool, path }),
+        maybeOpenReport: (opts) => rpc(rpcClient, {
+            seam: 'maybeOpenReport',
+            opts: { openRequested: opts.openRequested, jsonOutput: opts.jsonOutput },
+        }),
+        toolState: buildToolStateRpc(rpcClient),
+        hostPlanes: buildHostPlanesRpc(rpcClient),
+        // ── Live-view seams (host-only — fail loud) ───────────────────────────
+        registerLiveView: unsupported('registerLiveView'),
+        renderLive: unsupported('renderLive'),
+    };
+}
+//# sourceMappingURL=tool-command-worker-context.js.map

package/dist/bootstrap/tool-command-worker-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-command-worker-context.js","sourceRoot":"","sources":["../../src/bootstrap/tool-command-worker-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAqBH;;;;GAIG;AACH,MAAM,OAAO,oBAAqB,SAAQ,KAAK;IACpC,YAAY,GAA4B,kBAAkB,CAAC;IACpE,YAAY,IAAY;QACtB,KAAK,CACH,8BAA8B,IAAI,6CAA6C;YAC7E,8EAA8E;YAC9E,yDAAyD,CAC5D,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;IACrC,CAAC;CACF;AAED;;;;;;GAMG;AACH,SAAS,WAAW,CAAC,IAAY;IAC/B,6KAA6K;IAC7K,OAAO,GAAG,EAAE;QACV,MAAM,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC,CAAC;AACJ,CAAC;AAgBD,gFAAgF;AAChF,SAAS,GAAG,CAAI,MAAuB,EAAE,OAAoB;IAC3D,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,CAAe,CAAC;AAC5C,CAAC;AAED,2EAA2E;AAC3E,SAAS,iBAAiB,CAAC,MAAuB;IAChD,OAAO;QACL,GAAG,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;QACrE,GAAG,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,GAAG,CAAO,MAAM,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;QAC7F,MAAM,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,CAAO,MAAM,EAAE,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;QACjF,IAAI,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,CAAoB,MAAM,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAC;KACjF,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,WAAW,CAClB,MAAuB,EACvB,KAAoB,EACpB,MAAc;IAEd,OAAO,CAAC,GAAG,IAAI,EAAE,EAAE,CAAC,GAAG,CAAI,MAAM,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;AACjF,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,MAAuB;IACjD,MAAM,UAAU,GAAmB;QACjC,kBAAkB,EAAE,WAAW,CAAC,MAAM,EAAE,YAAY,EAAE,oBAAoB,CAAC;QAC3E,cAAc,EAAE,WAAW,CAAC,MAAM,EAAE,YAAY,EAAE,gBAAgB,CAAC;QACnE,UAAU,EAAE,WAAW,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC3D,kBAAkB,EAAE,WAAW,CAAC,MAAM,EAAE,YAAY,EAAE,oBAAoB,CAAC;QAC3E,sBAAsB,EAAE,WAAW,CAAC,MAAM,EAAE,YAAY,EAAE,wBAAwB,CAAC;QACnF,QAAQ,EAAE,WAAW,CAAC,MAAM,EAAE,YAAY,EAAE,UAAU,CAAC;QACvD,YAAY,EAAE,WAAW,CAAC,MAAM,EAAE,YAAY,EAAE,cAAc,CAAC;KAChE,CAAC;IACF,MAAM,KAAK,GAAc;QACvB,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC;QAC9C,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC;QAC5C,cAAc,EAAE,WAAW,CAAC,MAAM,EAAE,OAAO,EAAE,gBAAgB,CAAC;KAC/D,CAAC;IACF,MAAM,YAAY,GAAqB;QACrC,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,cAAc,EAAE,OAAO,CAAC;QACnD,WAAW,EAAE,WAAW,CAAC,MAAM,EAAE,cAAc,EAAE,aAAa,CAAC;QAC/D,eAAe,EAAE,WAAW,CAAC,MAAM,EAAE,cAAc,EAAE,iBAAiB,CAAC;KACxE,CAAC;IACF,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;AAC7C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,KAAe,EACf,MAAgB,EAChB,GAAsB,EACtB,SAA0B;IAE1B,OAAO;QACL,KAAK;QACL,UAAU,EAAE,EAAE,MAAM,EAAE;QACtB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,yEAAyE;QACzE,MAAM,EAAE,CAAC,MAAe,EAAE,EAAE;YAC1B,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC;YACpB,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;QAC3B,CAAC;QACD,QAAQ,EAAE,CAAC,KAAc,EAAE,EAAE;YAC3B,GAAG,CAAC,IAAI,GAAG,KAAK,CAAC;QACnB,CAAC;QACD,YAAY,EAAE,CAAC,QAAiB,EAAE,EAAE;YAClC,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAC1B,CAAC;QACD,OAAO,EAAE,CAAC,KAAc,EAAE,EAAE;YAC1B,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC;QAClB,CAAC;QACD,SAAS,EAAE,CAAC,MAAM,EAAE,EAAE;YACpB,GAAG,CAAC,KAAK,GAAG;gBACV,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,GAAG,CAAC,MAAM,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC;gBAC7E,GAAG,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;aAC5D,CAAC;QACJ,CAAC;QACD,WAAW,EAAE,CAAC,IAAY,EAAE,EAAE;YAC5B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC;QACtB,CAAC;QACD,yEAAyE;QACzE,WAAW,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,QAAQ;QAC/B,cAAc,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,CACjC,GAAG,CAAuB,SAAS,EAAE;YACnC,IAAI,EAAE,gBAAgB;YACtB,QAAQ;YACR,IAAI,EAAE;gBACJ,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,GAAG,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACnE,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC;gBAC7D,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC;aACvE;SACF,CAAC;QACJ,UAAU,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC,GAAG,CAAO,SAAS,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;QAC5F,YAAY,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAC/B,GAAG,CAAO,SAAS,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;QAChE,eAAe,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAClC,GAAG,CAAoB,SAAS,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;QAChF,mBAAmB,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,CAClC,GAAG,CAAO,SAAS,EAAE,EAAE,IAAI,EAAE,qBAAqB,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QACnE,0BAA0B,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,CACzC,GAAG,CAAO,SAAS,EAAE,EAAE,IAAI,EAAE,4BAA4B,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QAC1E,eAAe,EAAE,CAAC,IAAI,EAAE,EAAE,CACxB,GAAG,CAAO,SAAS,EAAE;YACnB,IAAI,EAAE,iBAAiB;YACvB,IAAI,EAAE,EAAE,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE;SACzE,CAAC;QACJ,SAAS,EAAE,iBAAiB,CAAC,SAAS,CAAC;QACvC,UAAU,EAAE,kBAAkB,CAAC,SAAS,CAAC;QACzC,yEAAyE;QACzE,gBAAgB,EAAE,WAAW,CAAC,kBAAkB,CAAC;QACjD,UAAU,EAAE,WAAW,CAAC,YAAY,CAAC;KACtC,CAAC;AACJ,CAAC"}

package/dist/bootstrap/tool-command-worker-entry.d.ts

@@ -0,0 +1,66 @@
+/**
+ * tool-command-worker-entry — the WORKER side of the out-of-process external
+ * tool command dispatch plane (ADR-0054, increments M4-C / M4-D / M4-E).
+ *
+ * This is a HOST internal `CommandSpec` (`__tool-command-worker`), forked by the
+ * supervisor as `node <cliScript> __tool-command-worker <specPath> --cwd <cwd>`.
+ * Forking the CLI binary as a subcommand (the SAME pattern graph's
+ * `graph-run-worker` uses) means the FULL CLI bootstrap runs first: the preAction
+ * hook discovers + imports the external tool runtime IN THE WORKER, registers it,
+ * runs its `contributeScope`, composes + validates config, and builds the full
+ * per-run scope — so by the time this handler runs, `currentScope()` carries the
+ * tool's subscope (`scope.fitness`/…), the check/recipe registries, project
+ * context, and `toolConfig` exactly as an in-process run (ADR-0054 M4-C `scope`
+ * mapping: "the worker re-bootstraps its OWN scope … exactly like graph's
+ * worker"). This is the isolation move — the untrusted runtime loads HERE, in the
+ * worker, never in the host.
+ *
+ * The handler then resolves the dispatched tool from the re-bootstrapped registry
+ * and runs ITS command handler against the WORKER-side `ToolCliContext` shim
+ * (`tool-command-worker-context.ts`): FRR seams (render/json/envelope/raw/error/
+ * exit) record the value and return it once in the {@link ToolCommandResult}; the
+ * host-RPC seams (datastore / egress / SARIF / baselines / toolState / hostPlanes
+ * / report-open / exit-code re-affirm) UPCALL the host over the rpc-reply channel
+ * (the host performs the privileged effect — datastore/network/FS/exit stay
+ * host-owned). Only the live-view seams fail loud (`unsupported-seam`).
+ *
+ * A handler that calls `process.exit`, throws, crashes the native layer, or spins
+ * the event loop is contained: the supervisor turns a premature child exit /
+ * timeout / `error` message into a structured parent-side failure, and the host
+ * process survives.
+ */
+import { type CommandSpec, type WorkerMessage } from '@opensip-cli/core';
+import { type CliCommandsContext } from '../commands/shared.js';
+import type { HostRpcRequest, ToolCommandResult } from './tool-command-dispatch-types.js';
+/**
+ * The worker's IPC message type binding: host-RPC requests stream on the
+ * `progress` arm; the final {@link ToolCommandResult} settles `result`.
+ */
+type DispatchWorkerMessage = WorkerMessage<HostRpcRequest, ToolCommandResult>;
+/**
+ * The testable core: produce the {@link DispatchWorkerMessage} the worker would
+ * post, without touching `process.send`. Never throws — every failure becomes a
+ * structured `error` message (the supervisor rejects on it). Must run inside an
+ * entered scope (the bootstrap enters it for the real subcommand; unit tests wrap
+ * it in `runWithScope`).
+ */
+export declare function runToolCommandWorker(specPath: string): Promise<DispatchWorkerMessage>;
+/**
+ * Run one external tool command headless in this worker and post the slim
+ * {@link ToolCommandResult} (or a structured `error`) over IPC. Never throws to
+ * the caller — every failure becomes an `error` IPC message so the supervisor
+ * rejects cleanly. This is the host CommandSpec handler's body.
+ */
+export declare function executeToolCommandWorker(specPath: string): Promise<void>;
+/**
+ * `__tool-command-worker <specPath>` — the [internal] host subcommand the
+ * dispatch supervisor forks. Mirrors `graphRunWorkerCommandSpec`: `raw-stream`
+ * (it owns its own IPC output surface), `scope: 'project'` (the full bootstrap
+ * runs first), `visibility: 'internal'`. The supervisor passes `--cwd` so the
+ * bootstrap targets the right project. The handler ignores the host `ctx` it is
+ * given (the worker builds its OWN context shim over the bootstrapped scope) and
+ * posts the result over the IPC channel.
+ */
+export declare const toolCommandWorkerCommandSpec: CommandSpec<unknown, CliCommandsContext>;
+export {};
+//# sourceMappingURL=tool-command-worker-entry.d.ts.map

package/dist/bootstrap/tool-command-worker-entry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-command-worker-entry.d.ts","sourceRoot":"","sources":["../../src/bootstrap/tool-command-worker-entry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAIH,OAAO,EAKL,KAAK,WAAW,EAKhB,KAAK,aAAa,EACnB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,KAAK,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAUhE,OAAO,KAAK,EACV,cAAc,EAEd,iBAAiB,EAElB,MAAM,kCAAkC,CAAC;AAE1C;;;GAGG;AACH,KAAK,qBAAqB,GAAG,aAAa,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAC;AAuQ9E;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAY3F;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAG9E;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,EAAE,WAAW,CAAC,OAAO,EAAE,kBAAkB,CAkBhF,CAAC"}

package/dist/bootstrap/tool-command-worker-entry.js

@@ -0,0 +1,298 @@
+/**
+ * tool-command-worker-entry — the WORKER side of the out-of-process external
+ * tool command dispatch plane (ADR-0054, increments M4-C / M4-D / M4-E).
+ *
+ * This is a HOST internal `CommandSpec` (`__tool-command-worker`), forked by the
+ * supervisor as `node <cliScript> __tool-command-worker <specPath> --cwd <cwd>`.
+ * Forking the CLI binary as a subcommand (the SAME pattern graph's
+ * `graph-run-worker` uses) means the FULL CLI bootstrap runs first: the preAction
+ * hook discovers + imports the external tool runtime IN THE WORKER, registers it,
+ * runs its `contributeScope`, composes + validates config, and builds the full
+ * per-run scope — so by the time this handler runs, `currentScope()` carries the
+ * tool's subscope (`scope.fitness`/…), the check/recipe registries, project
+ * context, and `toolConfig` exactly as an in-process run (ADR-0054 M4-C `scope`
+ * mapping: "the worker re-bootstraps its OWN scope … exactly like graph's
+ * worker"). This is the isolation move — the untrusted runtime loads HERE, in the
+ * worker, never in the host.
+ *
+ * The handler then resolves the dispatched tool from the re-bootstrapped registry
+ * and runs ITS command handler against the WORKER-side `ToolCliContext` shim
+ * (`tool-command-worker-context.ts`): FRR seams (render/json/envelope/raw/error/
+ * exit) record the value and return it once in the {@link ToolCommandResult}; the
+ * host-RPC seams (datastore / egress / SARIF / baselines / toolState / hostPlanes
+ * / report-open / exit-code re-affirm) UPCALL the host over the rpc-reply channel
+ * (the host performs the privileged effect — datastore/network/FS/exit stay
+ * host-owned). Only the live-view seams fail loud (`unsupported-seam`).
+ *
+ * A handler that calls `process.exit`, throws, crashes the native layer, or spins
+ * the event loop is contained: the supervisor turns a premature child exit /
+ * timeout / `error` message into a structured parent-side failure, and the host
+ * process survives.
+ */
+import { readFileSync } from 'node:fs';
+import { createRunTimer, currentScope, defineCommand, resolveToolHooks, } from '@opensip-cli/core';
+import { runDeepConfigPass } from './tool-command-worker-config-pass.js';
+import { buildWorkerContext, UnsupportedSeamError, } from './tool-command-worker-context.js';
+import { createWorkerRpcClient } from './tool-command-worker-rpc.js';
+/** Post one IPC message to the parent (no-op when not forked — e.g. a unit call). */
+function send(msg) {
+    process.send?.(msg);
+}
+/**
+ * Resolve the dispatched tool from the re-bootstrapped registry. The bootstrap
+ * already imported + registered it (the isolation import happened in this worker
+ * during preAction). Match by the registry's human key first, then by stable id /
+ * human name — symmetric to the host provenance/dispatch matchers.
+ *
+ * @throws {Error & {failureClass}} `runtime-load-failed` when the tool is not in
+ *   the worker's registry (the bootstrap did not admit it — e.g. a trust-policy
+ *   or discovery miss). Surfaces as a structured IPC error; the host survives.
+ */
+function resolveTool(spec) {
+    const tools = currentScope()?.tools;
+    const tool = tools?.get(spec.toolId) ??
+        tools?.list().find((t) => t.metadata.id === spec.toolId || t.metadata.name === spec.toolId);
+    if (tool === undefined) {
+        const err = new Error(`tool command worker: tool '${spec.toolId}' is not registered in the worker scope ` +
+            '(the bootstrap did not discover/admit it — check provenance/trust policy)');
+        err.failureClass = 'runtime-load-failed';
+        throw err;
+    }
+    return tool;
+}
+/** Resolve the command spec the worker should run, or throw `command-not-found`. */
+function findCommandSpec(tool, commandName) {
+    const spec = tool.commandSpecs?.find((s) => s.name === commandName);
+    if (spec === undefined) {
+        const err = new Error(`tool command worker: tool '${tool.metadata.id}' has no command '${commandName}'`);
+        err.failureClass = 'command-not-found';
+        throw err;
+    }
+    return spec;
+}
+/**
+ * ADR-0054 M4-F: run the dispatched tool's `initialize()` once, worker-side,
+ * before its handler. The host no longer runs an EXTERNAL owning tool's
+ * `initialize` (that would execute untrusted runtime in the kernel) — and the
+ * worker bootstraps the host `__tool-command-worker` subcommand (owned by NO
+ * tool), so the worker's own preflight never resolves the dispatched tool as the
+ * "owning tool". Running it here is the only place an external tool's
+ * `initialize` runs under worker dispatch. A throw propagates to
+ * {@link runToolCommandWorker}'s catch → structured `tool-handler-throw`; the
+ * host survives (fail loud, never a half-initialised silent run).
+ */
+async function runWorkerInitialize(tool) {
+    const initialize = resolveToolHooks(tool).initialize;
+    if (initialize === undefined)
+        return;
+    await initialize();
+}
+/** Build a structured `error` IPC message with a failure class (+ stack when present). */
+function errorMessage(message, failureClass, stack) {
+    return {
+        kind: 'error',
+        message,
+        failureClass,
+        ...(stack === undefined ? {} : { stack }),
+    };
+}
+/** Read + parse the worker spec file, or return a `bad-spec` error message. */
+function readSpec(specPath) {
+    try {
+        return JSON.parse(readFileSync(specPath, 'utf8'));
+    }
+    catch (error) {
+        return errorMessage(`tool command worker: unreadable spec at '${specPath}': ${error instanceof Error ? error.message : String(error)}`, 'bad-spec');
+    }
+}
+/**
+ * The output modes whose PAYLOAD is the handler's RETURN value (routed by the
+ * in-process `dispatchOutput`): `command-result` (a `CommandResult`) and
+ * `signal-envelope` (a `SignalEnvelope`). For these, the worker must carry the
+ * return back UNROUTED in `returned` so the supervisor replays it through the SAME
+ * `dispatchOutput`. `raw-stream` / `live-view` produce no routable return payload.
+ */
+function isReturnValuedOutput(output) {
+    return output === 'command-result' || output === 'signal-envelope';
+}
+/** Drain the accumulator + the handler's return into a serializable result. */
+function toResult(output, acc, session, returned) {
+    return {
+        output,
+        ...(acc.render === undefined ? {} : { render: acc.render }),
+        ...(acc.envelope === undefined ? {} : { envelope: acc.envelope }),
+        ...(acc.json === undefined ? {} : { json: acc.json }),
+        ...(acc.raw === undefined ? {} : { raw: acc.raw }),
+        ...(acc.error === undefined ? {} : { error: acc.error }),
+        ...(acc.exitCode === undefined ? {} : { exitCode: acc.exitCode }),
+        ...(session === undefined ? {} : { session }),
+        // Carry the handler's return for the return-valued modes so the supervisor
+        // routes it via the same `dispatchOutput` the in-process path uses (parity).
+        ...(returned === undefined || !isReturnValuedOutput(output) ? {} : { returned }),
+    };
+}
+/** Map a thrown error to its structured failure class for the IPC `error` message. */
+function classifyThrow(error) {
+    if (error instanceof UnsupportedSeamError)
+        return error.failureClass;
+    return error.failureClass ?? 'tool-handler-throw';
+}
+/**
+ * Resolve the dispatched tool from the re-bootstrapped scope, run the deep config
+ * pass, then run its command handler against the worker-side context shim, and
+ * build the result. Throws on a handler error (caught by
+ * {@link runToolCommandWorker}); returns an `error` message for the structured
+ * pre-handler failures (config-invalid; tool / command-not-found are thrown with
+ * a failureClass tag).
+ *
+ * `currentScope()` here is the FULL per-run scope the CLI bootstrap built for the
+ * `__tool-command-worker` subcommand (project/config/registries/contributeScope),
+ * so the handler reads `cli.scope.toolConfig`/`cli.scope.<subscope>`/checks
+ * worker-LOCAL while datastore/egress cross to the host via the RPC shim.
+ */
+async function runLoadedCommand(spec) {
+    const tool = resolveTool(spec);
+    // ADR-0054 M4-F hook mode: when the spec names a lifecycle HOOK (not a command),
+    // run that hook worker-side and return its plain-data result. This is how the
+    // host gathers an external tool's `collectReportData` / `sessionReplay` without
+    // executing the untrusted runtime in the kernel process.
+    if (spec.hook !== undefined) {
+        return await runLoadedHook(tool, spec);
+    }
+    if (spec.commandName === undefined) {
+        return errorMessage(`tool command worker: spec for tool '${spec.toolId}' names neither a command nor a hook`, 'bad-spec');
+    }
+    const commandSpec = findCommandSpec(tool, spec.commandName);
+    // ADR-0054 M4-E DEEP config pass: run the tool's REAL Zod against its config
+    // namespace IN THE WORKER (the host validated only the coarse manifest shape
+    // pre-fork). A failure crosses IPC as `config-invalid` — never a host crash —
+    // and the supervisor maps it to the SAME typed config error the host coarse
+    // pass uses. Runs BEFORE building the context: a config failure must
+    // short-circuit before any handler effect.
+    const configFailure = runDeepConfigPass(tool, spec.config);
+    if (configFailure !== undefined)
+        return errorMessage(configFailure, 'config-invalid');
+    // ADR-0054 M4-F: run the dispatched tool's `initialize()` worker-side before the
+    // handler (the host no longer runs an external owning tool's initialize). A
+    // throw becomes a structured `tool-handler-throw` via the outer catch.
+    await runWorkerInitialize(tool);
+    // The host-RPC upcall client over the live IPC channel (M4-C). `process` is the
+    // duplex: requests post via `process.send`; replies arrive on
+    // `process.on('message')`. Disposed in the finally so the listener is removed.
+    const rpcClient = createWorkerRpcClient(process);
+    // The handler runs against the bootstrapped scope (worker-local reads) but with
+    // the WORKER context shim (FRR records + RPC upcalls for privileged effects).
+    const scope = currentScope();
+    if (scope === undefined) {
+        return errorMessage('tool command worker: no scope is entered (bootstrap did not run before the worker handler)', 'runtime-load-failed');
+    }
+    try {
+        const acc = {};
+        const ctx = buildWorkerContext(scope, createRunTimer(), acc, rpcClient);
+        // Run the handler. A `process.exit` / crash / hang here is contained by the
+        // supervisor (premature-exit / timeout → structured parent failure); a throw
+        // propagates to runToolCommandWorker's catch and becomes a structured error.
+        // The handler's RETURN serves two roles: (1) for `command-result` /
+        // `signal-envelope` it IS the output payload (routed by `dispatchOutput`
+        // host-side); (2) it may carry a `session` leg (ToolRunCompletion) the host
+        // persists after the worker resolves (host-owned-run-timing). Capture it once.
+        const returned = (await commandSpec.handler({ ...spec.opts, _args: spec.positionals }, ctx));
+        return {
+            kind: 'result',
+            value: toResult(commandSpec.output, acc, returned?.session, returned),
+        };
+    }
+    finally {
+        // @fitness-ignore-next-line detached-promises -- WorkerRpcClient.dispose() returns void (removes the reply listener + clears the pending map, synchronous); the name-based heuristic misfires inside this async fn.
+        rpcClient.dispose();
+    }
+}
+/**
+ * ADR-0054 M4-F: run a dispatched tool's LIFECYCLE HOOK worker-side and return its
+ * plain-data result in `hookResult`. This is how the host gathers an EXTERNAL
+ * tool's `collectReportData` / `sessionReplay` data WITHOUT executing the
+ * untrusted runtime in the kernel process. The hook runs against the worker's own
+ * re-bootstrapped scope (`currentScope()`), exactly the contract the in-host path
+ * gives a bundled tool — just inside the isolation boundary. The host owns the
+ * merge/render/replay-emit (privileged effect). A throw propagates to
+ * {@link runToolCommandWorker}'s catch → structured failure; the host survives.
+ *
+ * The hook's runtime is resolved from the re-bootstrapped registry (the worker
+ * `initialize()` does NOT run for a hook-mode dispatch — hooks read data; an
+ * external tool that needs `initialize` for its report/replay should run it in
+ * the hook body, which is OUT of M4-F's first-party scope).
+ */
+async function runLoadedHook(tool, spec) {
+    const scope = currentScope();
+    if (scope === undefined) {
+        return errorMessage('tool command worker: no scope is entered for the hook run (bootstrap did not run)', 'runtime-load-failed');
+    }
+    const hooks = resolveToolHooks(tool);
+    // `collectReportData(scope)` takes the tool-facing ToolScope view; the worker
+    // RunScope IS a ToolScope (it extends it), so pass it directly — it returns a
+    // plain-data Record<string, unknown>. `sessionReplay` rebuilds the
+    // ToolSessionReplay from the stored row (`hookArg` is the serialized
+    // ToolSessionRecord the host read from the datastore).
+    const hookResult = spec.hook === 'collectReportData'
+        ? await hooks.collectReportData?.(scope)
+        : hooks.sessionReplay?.replaySession(spec.hookArg);
+    return {
+        kind: 'result',
+        // `output` is required on the result; the host never replays output for a
+        // hook-mode dispatch (it reads `hookResult`), so a benign default suffices.
+        value: { output: 'command-result', ...(hookResult === undefined ? {} : { hookResult }) },
+    };
+}
+/**
+ * The testable core: produce the {@link DispatchWorkerMessage} the worker would
+ * post, without touching `process.send`. Never throws — every failure becomes a
+ * structured `error` message (the supervisor rejects on it). Must run inside an
+ * entered scope (the bootstrap enters it for the real subcommand; unit tests wrap
+ * it in `runWithScope`).
+ */
+export async function runToolCommandWorker(specPath) {
+    const spec = readSpec(specPath);
+    if ('kind' in spec)
+        return spec; // bad-spec error message
+    try {
+        return await runLoadedCommand(spec);
+    }
+    catch (error) {
+        return errorMessage(error instanceof Error ? error.message : String(error), classifyThrow(error), error instanceof Error ? error.stack : undefined);
+    }
+}
+/**
+ * Run one external tool command headless in this worker and post the slim
+ * {@link ToolCommandResult} (or a structured `error`) over IPC. Never throws to
+ * the caller — every failure becomes an `error` IPC message so the supervisor
+ * rejects cleanly. This is the host CommandSpec handler's body.
+ */
+export async function executeToolCommandWorker(specPath) {
+    // @fitness-ignore-next-line detached-promises -- the promise IS awaited; `send(...)` is a synchronous void IPC post of the already-resolved value. The name-based heuristic misfires on `send(await ...)`.
+    send(await runToolCommandWorker(specPath));
+}
+/**
+ * `__tool-command-worker <specPath>` — the [internal] host subcommand the
+ * dispatch supervisor forks. Mirrors `graphRunWorkerCommandSpec`: `raw-stream`
+ * (it owns its own IPC output surface), `scope: 'project'` (the full bootstrap
+ * runs first), `visibility: 'internal'`. The supervisor passes `--cwd` so the
+ * bootstrap targets the right project. The handler ignores the host `ctx` it is
+ * given (the worker builds its OWN context shim over the bootstrapped scope) and
+ * posts the result over the IPC channel.
+ */
+export const toolCommandWorkerCommandSpec = defineCommand({
+    name: '__tool-command-worker',
+    visibility: 'internal',
+    description: '[internal] Run one external tool command headless in a forked worker and stream the result over IPC (forked by the ADR-0054 dispatch supervisor)',
+    // The supervisor passes `--cwd`; bootstrap uses it to resolve the project.
+    commonFlags: ['cwd'],
+    args: [{ name: 'specPath', description: 'Path to the JSON tool-command worker spec file' }],
+    scope: 'project',
+    output: 'raw-stream',
+    rawStreamReason: 'worker-ipc',
+    handler: async (rawOpts) => {
+        const specPath = rawOpts._args?.[0] ?? '';
+        await executeToolCommandWorker(specPath);
+    },
+});
+//# sourceMappingURL=tool-command-worker-entry.js.map

package/dist/bootstrap/tool-command-worker-entry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-command-worker-entry.js","sourceRoot":"","sources":["../../src/bootstrap/tool-command-worker-entry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEvC,OAAO,EACL,cAAc,EACd,YAAY,EACZ,aAAa,EACb,gBAAgB,GAOjB,MAAM,mBAAmB,CAAC;AAI3B,OAAO,EAAE,iBAAiB,EAAE,MAAM,sCAAsC,CAAC;AACzE,OAAO,EACL,kBAAkB,EAClB,oBAAoB,GAErB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAerE,qFAAqF;AACrF,SAAS,IAAI,CAAC,GAA0B;IACtC,OAAO,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC;AACtB,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,WAAW,CAAC,IAA2B;IAC9C,MAAM,KAAK,GAAG,YAAY,EAAE,EAAE,KAAK,CAAC;IACpC,MAAM,IAAI,GACR,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC;QACvB,KAAK,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,KAAK,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9F,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,KAAK,CACnB,8BAA8B,IAAI,CAAC,MAAM,0CAA0C;YACjF,2EAA2E,CAC9E,CAAC;QACD,GAAyD,CAAC,YAAY,GAAG,qBAAqB,CAAC;QAChG,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,oFAAoF;AACpF,SAAS,eAAe,CAAC,IAAU,EAAE,WAAmB;IACtD,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC;IACpE,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,KAAK,CACnB,8BAA8B,IAAI,CAAC,QAAQ,CAAC,EAAE,qBAAqB,WAAW,GAAG,CAClF,CAAC;QACD,GAAyD,CAAC,YAAY,GAAG,mBAAmB,CAAC;QAC9F,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,UAAU,mBAAmB,CAAC,IAAU;IAC3C,MAAM,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC;IACrD,IAAI,UAAU,KAAK,SAAS;QAAE,OAAO;IACrC,MAAM,UAAU,EAAE,CAAC;AACrB,CAAC;AAED,0FAA0F;AAC1F,SAAS,YAAY,CACnB,OAAe,EACf,YAAqC,EACrC,KAAc;IAEd,OAAO;QACL,IAAI,EAAE,OAAO;QACb,OAAO;QACP,YAAY;QACZ,GAAG,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC;KAC1C,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,SAAS,QAAQ,CAAC,QAAgB;IAChC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAA0B,CAAC;IAC7E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,YAAY,CACjB,4CAA4C,QAAQ,MAClD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF,UAAU,CACX,CAAC;IACJ,CAAC;AACH,CAAC;AAOD;;;;;;GAMG;AACH,SAAS,oBAAoB,CAAC,MAAmC;IAC/D,OAAO,MAAM,KAAK,gBAAgB,IAAI,MAAM,KAAK,iBAAiB,CAAC;AACrE,CAAC;AAED,+EAA+E;AAC/E,SAAS,QAAQ,CACf,MAAmC,EACnC,GAAsB,EACtB,OAA4C,EAC5C,QAAiB;IAEjB,OAAO;QACL,MAAM;QACN,GAAG,CAAC,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjE,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC;QACrD,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;QAClD,GAAG,CAAC,GAAG,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;QACxD,GAAG,CAAC,GAAG,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjE,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC;QAC7C,2EAA2E;QAC3E,6EAA6E;QAC7E,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC;KACjF,CAAC;AACJ,CAAC;AAED,sFAAsF;AACtF,SAAS,aAAa,CAAC,KAAc;IACnC,IAAI,KAAK,YAAY,oBAAoB;QAAE,OAAO,KAAK,CAAC,YAAY,CAAC;IACrE,OAAQ,KAAoD,CAAC,YAAY,IAAI,oBAAoB,CAAC;AACpG,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,KAAK,UAAU,gBAAgB,CAAC,IAA2B;IACzD,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IAE/B,iFAAiF;IACjF,8EAA8E;IAC9E,gFAAgF;IAChF,yDAAyD;IACzD,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,MAAM,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QACnC,OAAO,YAAY,CACjB,uCAAuC,IAAI,CAAC,MAAM,sCAAsC,EACxF,UAAU,CACX,CAAC;IACJ,CAAC;IACD,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IAE5D,6EAA6E;IAC7E,6EAA6E;IAC7E,8EAA8E;IAC9E,4EAA4E;IAC5E,qEAAqE;IACrE,2CAA2C;IAC3C,MAAM,aAAa,GAAG,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAC3D,IAAI,aAAa,KAAK,SAAS;QAAE,OAAO,YAAY,CAAC,aAAa,EAAE,gBAAgB,CAAC,CAAC;IAEtF,iFAAiF;IACjF,4EAA4E;IAC5E,uEAAuE;IACvE,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAEhC,gFAAgF;IAChF,8DAA8D;IAC9D,+EAA+E;IAC/E,MAAM,SAAS,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IACjD,gFAAgF;IAChF,8EAA8E;IAC9E,MAAM,KAAK,GAAG,YAAY,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,OAAO,YAAY,CACjB,4FAA4F,EAC5F,qBAAqB,CACtB,CAAC;IACJ,CAAC;IACD,IAAI,CAAC;QACH,MAAM,GAAG,GAAsB,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,kBAAkB,CAAC,KAAK,EAAE,cAAc,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;QAExE,4EAA4E;QAC5E,6EAA6E;QAC7E,6EAA6E;QAC7E,oEAAoE;QACpE,yEAAyE;QACzE,4EAA4E;QAC5E,+EAA+E;QAC/E,MAAM,QAAQ,GAAG,CAAC,MAAM,WAAW,CAAC,OAAO,CACzC,EAAE,GAAG,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,WAAW,EAAE,EACzC,GAAG,CACJ,CAA2B,CAAC;QAC7B,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,KAAK,EAAE,QAAQ,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC;SACtE,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,oNAAoN;QACpN,SAAS,CAAC,OAAO,EAAE,CAAC;IACtB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,KAAK,UAAU,aAAa,CAC1B,IAAU,EACV,IAA2B;IAE3B,MAAM,KAAK,GAAG,YAAY,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,OAAO,YAAY,CACjB,mFAAmF,EACnF,qBAAqB,CACtB,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACrC,8EAA8E;IAC9E,8EAA8E;IAC9E,mEAAmE;IACnE,qEAAqE;IACrE,uDAAuD;IACvD,MAAM,UAAU,GACd,IAAI,CAAC,IAAI,KAAK,mBAAmB;QAC/B,CAAC,CAAC,MAAM,KAAK,CAAC,iBAAiB,EAAE,CAAC,KAAK,CAAC;QACxC,CAAC,CAAC,KAAK,CAAC,aAAa,EAAE,aAAa,CAAC,IAAI,CAAC,OAA4B,CAAC,CAAC;IAC5E,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,0EAA0E;QAC1E,4EAA4E;QAC5E,KAAK,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,GAAG,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE;KACzF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,QAAgB;IACzD,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAChC,IAAI,MAAM,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC,CAAC,yBAAyB;IAC1D,IAAI,CAAC;QACH,OAAO,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,YAAY,CACjB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EACtD,aAAa,CAAC,KAAK,CAAC,EACpB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CACjD,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAAC,QAAgB;IAC7D,2MAA2M;IAC3M,IAAI,CAAC,MAAM,oBAAoB,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAA6C,aAAa,CAGjG;IACA,IAAI,EAAE,uBAAuB;IAC7B,UAAU,EAAE,UAAU;IACtB,WAAW,EACT,kJAAkJ;IACpJ,2EAA2E;IAC3E,WAAW,EAAE,CAAC,KAAK,CAAC;IACpB,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,gDAAgD,EAAE,CAAC;IAC3F,KAAK,EAAE,SAAS;IAChB,MAAM,EAAE,YAAY;IACpB,eAAe,EAAE,YAAY;IAC7B,OAAO,EAAE,KAAK,EAAE,OAAO,EAAiB,EAAE;QACxC,MAAM,QAAQ,GAAI,OAAyC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7E,MAAM,wBAAwB,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;CACF,CAAC,CAAC"}