projscan 4.13.0 → 4.15.0

package/README.md

@@ -79,35 +79,47 @@ projscan start --intent "does projscan read .env values?"
 
 ## Daily workflows
 
-Use these three workflows before scanning the full command catalog.
+Use these four workflows before scanning the full command catalog.
 
 ### Before editing a feature
 
 ```bash
 projscan start --intent "what files do I need to change for auth?"
 projscan start --intent "what should we build next?" # Routes to a before-edit implementation workplan
+projscan start --intent "is my agent allowed to change billing retry logic?"
 projscan understand --view change --intent "add auth token refresh" --format json
 projscan prove --intent "is my agent allowed to change billing retry logic?"
 projscan preflight --mode before_edit --format json
 ```
 
-You get a cited change map, read-first files, likely touched files, blocked inputs, an executable Proof Contract, and a before-edit proof gate.
+You get a cited change map, read-first files, likely touched files, blocked inputs, an executable Proof Contract, and a before-edit proof gate. Agent-permission intents route to `projscan prove`, so `start` can hand the next agent a contract path instead of a broad checklist.
 
 Success criteria: the agent can name the files to read first, the likely files to touch, the forbidden files to avoid, and the proof commands to run before editing.
 
-### Before handing work to an agent
+### Verified change workflow
 
 ```bash
+projscan start --intent "is my agent allowed to change billing retry logic?"
 projscan prove --intent "is my agent allowed to change billing retry logic?" --save-contract .projscan/proof-contract.json
-projscan prove --record-command "npm test -- tests/billing/retry.test.ts" --exit-code 0 --duration-ms 1842 --summary "billing retry tests passed"
+# Make the bounded edit, then run the proof command.
+projscan prove --run -- npm test -- tests/billing/retry.test.ts
 projscan prove --changed --contract .projscan/proof-contract.json --format markdown
 ```
 
-You get a Proof Contract before edits and a Proof Receipt after edits. The contract names allowed files, forbidden files, risky contracts, likely tests, missing regression-test evidence, proof commands, safe change shape, rollback, confidence, and reviewer guidance. The receipt checks the real working tree against that contract and classifies changed files as allowed production, expected tests, documentation, generated proof artifacts, config/security drift, forbidden touches, or unexpected production. It also reports proof replay status, risk delta, commit readiness, and a reviewer checklist.
+The command path is `start -> prove -> run -> changed`. Make the bounded edit after the contract exists and before `prove --run`. `start` chooses the contract workflow. `prove --intent` writes `.projscan/proof-contract.json` only when `--save-contract` is present. `prove --run -- <command...>` executes a local proof command, records the exit code, captures a redacted log, and fingerprints the current changed files. `prove --record-command` remains available for imported CI or external evidence when projscan did not run the command. `prove --changed` checks the current working tree against the contract and local ledger.
 
-Proof Replay records command, exit code, duration, changed-file fingerprint, redacted summary, and optional log path in `.projscan/proof-ledger.jsonl`. `prove --changed` marks proof as passed, missing, failed, partial, or stale. If the agent edits new files after proof ran, the receipt says the proof is stale before a reviewer reads the diff.
+You get a Proof Contract before edits and a Proof Receipt after edits. The contract names allowed files, forbidden files, risky contracts, likely tests, missing regression-test evidence, proof commands, safe change shape, rollback, confidence, reviewer guidance, and `proofRequirements` for each risk surface. The receipt checks the real working tree against that contract and classifies changed files as allowed production, expected tests, documentation, generated proof artifacts, config/security drift, forbidden touches, or unexpected production. The receipt reports proof replay status, Proof Sufficiency, risk delta, commit readiness, and a reviewer checklist.
 
-Success criteria: the reviewer sees whether the agent stayed inside the contract, whether the right proof ran, and whether that proof is still fresh.
+Proof Replay records command, exit code, duration, changed-file fingerprint, redacted summary, log path, and source in `.projscan/proof-ledger.jsonl`. Executed proof logs stay under `.projscan/proof-logs/`. `prove --changed` marks proof as passed, missing, failed, partial, or stale. The receipt JSON includes `proofReplay` with a replay timeline, `changedAfterProof`, replay command, and local receipt fingerprint. If the agent edits new files after proof ran, the receipt says the proof is stale before a reviewer reads the diff.
+
+Proof Sufficiency estimates whether the local ledger covers each changed surface. `proofSufficiency` marks rows as strong, adequate, weak, missing, stale, or failed, then lists the exact gaps reviewers need to resolve.
+
+Team Proof Recipes let a repo encode required proof for sensitive paths in `proofRecipes`; when a matching recipe is configured, `prove --intent` adds that recipe's commands, reviewers, and forbidden files to the Proof Contract. `prove --changed` and `projscan evidence-pack --pr-comment` then show missing recipe proof, required reviewers, and recipe drift in the Proof Receipt. The recipe does not run proof commands by itself; use `prove --run -- <command...>` or `prove --record-command` to add evidence to the local ledger.
+Saved contracts are the source of truth for `prove --changed`; update the contract when a team recipe changes.
+
+Every `prove` report includes `verifiedWorkflow`, a compact JSON summary for agents and MCP clients. It names the phase, next action, next command, scope status, proof status, proof sufficiency status, risk delta direction, reviewer decision, and stale/missing/failed proof flags.
+
+Success criteria: the reviewer sees scope, proof execution, proof freshness, and sufficiency for the changed risk surface.
 
 ### Before handoff or commit
 
@@ -118,7 +130,7 @@ projscan preflight --mode before_commit --format json
 projscan evidence-pack --pr-comment
 ```
 
-You get the changed-file risk, one or two trusted next actions, manual review gates, owner routing, baseline trend memory, and exact proof commands for the reviewer. Use `projscan bug-hunt --format json` when you want the raw fix queue behind the assessment.
+You get changed-file risk, one or two ranked next actions, manual review gates, owner routing, baseline trend memory, and exact proof commands for the reviewer. Use `projscan bug-hunt --format json` when you want the raw fix queue behind the assessment.
 
 Success criteria: the reviewer sees the top fix, the remaining proof, and any manual sign-off gate without reading the full scan output.
 
@@ -191,33 +203,72 @@ npm run docs:screenshots
 npm run docs:demos
 ```
 
-## 4.13.0 Notes
+## 4.15.0 Notes
 
-4.13.0 ships Proof Replay for Executable Proof Contracts:
+4.15.0 strengthens the proof-first change loop:
 
 - `projscan prove --intent "<change>"` creates a local Proof Contract before
   editing. It names allowed files, forbidden files, risky contracts, likely
   tests, missing regression-test evidence, proof commands, rollback, confidence,
-  Trust Memory signals, evidence gaps, and reviewer guidance. Noisy feedback or
-  missing-signal feedback lowers the confidence reason instead of hiding it.
+  Trust Memory signals, evidence gaps, reviewer guidance, and
+  `proofRequirements` for each risk surface.
+- `projscan start --intent "is my agent allowed to change billing retry logic?"`
+  routes directly to `projscan prove`, so agent-permission prompts start with a
+  bounded contract instead of a broad checklist.
+- `projscan prove --run -- <command...>` executes an explicit local proof
+  command with shell execution disabled, writes a redacted log under
+  `.projscan/proof-logs/`, appends a `prove-run` ledger row, and lets
+  `prove --changed` replay executed proof instead of self-reported evidence.
 - `projscan prove --changed` validates the current working tree against a saved
   contract and emits a Proof Receipt for PRs, agents, and CI. Its changed-file
   classes separate allowed production edits, expected tests, documentation,
   generated proof artifacts, config/security drift, forbidden touches, and
   unexpected production changes before giving a copyable reviewer decision.
+  The receipt also includes `proofReplay` with replay status, timeline events,
+  `changedAfterProof`, replay command, and receipt fingerprint. Proof
+  Sufficiency shows whether each `proofRequirements` row has strong, adequate,
+  weak, missing, stale, or failed proof.
+- Team Proof Recipes let a repo add path-matched `proofRecipes` to
+  `.projscanrc.json`. Matching recipes add required commands, reviewers, and
+  forbidden drift to the Proof Contract and Proof Receipt.
 - `projscan prove --record-command "<command>" --exit-code <code>` appends a
   local Proof Ledger row with command, duration, changed-file fingerprint,
-  redacted output summary, and optional log path. `prove --changed` replays
-  those rows and reports passed, missing, failed, partial, or stale proof.
+  redacted output summary, and optional log path when importing proof from CI or
+  another runner.
+- Every `prove` JSON report includes `verifiedWorkflow`, so agents can read the
+  next action, next command, scope status, proof status, `proofSufficiency`
+  status, reviewer decision, and stale/missing/failed proof flags without
+  parsing Markdown.
 - Saved Mission Control bundles append Proof Ledger rows while `mission.sh`
   runs the existing proof queue. The script still writes proof logs and status
   JSONL for humans.
 - `projscan evidence-pack --pr-comment` includes the latest Proof Receipt
   summary when a contract and ledger are available, so PR comments show proof
-  status, reviewer decision, scope, stale proof, failed proof, and the replay
-  command.
+  status, proof replay, reviewer decision, scope, stale proof, failed proof,
+  proof sufficiency, recipe gaps, required reviewers, changed-after-proof files,
+  receipt fingerprint, and the replay command.
+- Proof artifacts are harder to spoof: Proof Contract and Proof Ledger reads
+  reject symlink escapes, proof logs redact more standalone token/key shapes,
+  and generated mission scripts reject shell control syntax before running.
+- The codebase behind the proof workflow is smaller and easier to review:
+  source hotspots in Mission Control, bug-hunt, quality-scorecard, workplan,
+  adoption, start-mode routing, and intent routing were split into focused
+  helpers with architecture tests.
 - MCP now includes `projscan_prove`, bringing the MCP surface to 48 tools.
 
+## 4.14.0 Notes
+
+4.14.0 ships the Verified Change Workflow and Executed Proof Runner:
+
+- `projscan prove --intent "<change>"` creates a local Proof Contract before
+  editing.
+- `projscan prove --run -- <command...>` executes an explicit local proof
+  command with shell execution disabled and writes a redacted Proof Ledger row.
+- `projscan prove --changed` emits a Proof Receipt for PRs, agents, and CI.
+- `projscan evidence-pack --pr-comment` includes the latest Proof Receipt
+  summary when a contract and ledger are available.
+- MCP includes `projscan_prove`, bringing the MCP surface to 48 tools.
+
 ## 4.12.1 Notes
 
 4.12.1 is the simulator precision patch for the Proof Cards V2 release:
@@ -248,7 +299,7 @@ npm run docs:demos
 
 - Added a dedicated Proof Cards screenshot for `projscan assess` and
   `projscan simulate`.
-- Regenerated README screenshots so public media shows the current 47-tool MCP
+- Regenerated README screenshots so public media showed the 47-tool MCP
   surface.
 - Updated website handoff guidance to use immutable `v4.11.1` media URLs.
 
@@ -300,7 +351,7 @@ npx -y projscan mcp --watch
 | What should I fix first?                     | `projscan bug-hunt --format json`                                                        |
 | What is risky and worth fixing this week?    | `projscan assess --goal "make this repo safer to ship this week"`                        |
 | Is this refactor worth doing?                | `projscan simulate --plan "split bugHunt.ts into ranking, evidence, and output modules"` |
-| Is my agent allowed to make this change?     | `projscan prove --intent "is my agent allowed to change billing retry logic?"`           |
+| Is my agent allowed to make this change?     | `projscan start --intent "is my agent allowed to change billing retry logic?"`           |
 | Did the change stay inside scope?            | `projscan prove --changed --contract .projscan/proof-contract.json --format markdown`    |
 | Which files have high risk and low coverage? | `projscan coverage --format json`                                                        |
 | What should my agent do next?                | `projscan workplan --format json`                                                        |
@@ -316,8 +367,8 @@ npx -y projscan mcp --watch
 | `projscan preflight`      | proceed, caution, or block gate for edit, commit, or merge                  |
 | `projscan assess`         | proof-first assessment with Proof Cards, risk delta, and fix-first guidance |
 | `projscan simulate`       | risk delta simulator for a proposed change plan before editing              |
-| `projscan prove`          | executable Proof Contracts and reviewer-ready Proof Receipts                |
-| `projscan evidence-pack`  | PR-ready proof with risks, owners, and next commands                        |
+| `projscan prove`          | executable Proof Contracts, Verified Workflow JSON, and Proof Receipts      |
+| `projscan evidence-pack`  | review evidence with risks, owners, proof receipts, and next commands       |
 | `projscan bug-hunt`       | ranked fix queue from health, hotspots, session, and preflight evidence     |
 | `projscan workplan`       | ordered agent tasks with proof and handoff text                             |
 | `projscan doctor`         | project health, tooling gaps, dead code, and supply-chain signals           |
@@ -384,6 +435,15 @@ Create a `.projscanrc.json` when repo defaults should live in source control:
   "severityOverrides": {
     "missing-prettier": "info"
   },
+  "proofRecipes": [
+    {
+      "id": "billing-critical",
+      "matches": ["src/billing/**"],
+      "requiredCommands": ["npm test -- tests/billing/retry.test.ts"],
+      "requiredReviewers": ["@platform"],
+      "forbiddenFiles": ["src/auth/**"]
+    }
+  ],
   "reportPolicies": {
     "apiEvidence": {
       "reportScope": ["src/api", "packages/backend"],
@@ -400,6 +460,12 @@ the rule everywhere. For one line, add an inline directive next to the value:
 const firebaseKey = 'AIza...'; // projscan-ignore-line hardcoded-secret -- Firebase web keys are public identifiers
 ```
 
+Use `proofRecipes` when a path needs team-specific proof; when a matching recipe
+is configured, `projscan prove` adds its proof commands, reviewers, and forbidden
+files to the contract and receipt. It does not run proof commands by itself.
+Recipes without `requiredCommands` are skipped, and duplicate recipe IDs keep the
+first valid recipe.
+
 Config docs live in [docs/GUIDE.md](docs/GUIDE.md#configuration-projscanrc).
 
 ## CI
@@ -475,7 +541,7 @@ Plugin docs:
 
 ## Supported Repos
 
-projscan reads TypeScript, JavaScript, Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, Swift, C, and C++ with AST-aware adapters where available. It also detects file-level signals for Shell, CSS, HTML, SQL, Dart, Lua, Scala, R, and related project files.
+projscan reads TypeScript, JavaScript, Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, Swift, and C++ with AST-aware adapters where available. It also detects file-level signals for C, Shell, CSS, HTML, SQL, Dart, Lua, Scala, R, and related project files.
 
 Framework signals cover React, Next.js, Vue, Nuxt, Svelte, Angular, Express, Fastify, NestJS, Vite, Tailwind CSS, Prisma, Remix, SvelteKit, Astro, Hono, Koa, and common monorepo layouts.
 
@@ -491,7 +557,7 @@ JavaScript and TypeScript use `@babel/parser`. Non-JS languages use packaged tre
 | Network      | `audit`, registry checks, opt-in telemetry, and optional semantic model download can contact the network.                                      |
 | Telemetry    | Off until you run `projscan telemetry enable` or accept the `init team` prompt.                                                                |
 | Plugins      | Local plugin code runs after `PROJSCAN_PLUGINS_PREVIEW=1` and an execution path such as `doctor`, `ci`, `analyze`, or `plugin test --execute`. |
-| Repo writes  | Source writes require explicit fix commands. Cache and mission proof files stay under local projscan directories.                              |
+| Repo writes  | Source writes require explicit fix commands. Caches, saved missions, Proof Contracts, Proof Ledger rows, and proof logs stay under `.projscan*` local directories. |
 
 Audit helpers:
 
@@ -506,7 +572,7 @@ Supply-chain scanners may flag package strings or APIs used by `git`, `npm audit
 
 ## Install Notes
 
-`projscan@4.13.0` has seven direct runtime dependencies:
+`projscan@4.15.0` has seven direct runtime dependencies:
 
 - `@babel/parser`
 - `@babel/types`
@@ -516,7 +582,7 @@ Supply-chain scanners may flag package strings or APIs used by `git`, `npm audit
 - `ora`
 - `web-tree-sitter`
 
-If npm prints `allow-scripts` warnings during a global install, check which package names it lists. projscan core does not need `node-gyp` grammar builds at runtime in 4.13.0. Open an issue with the warning text if npm reports install scripts from `projscan@latest`, or run `projscan feedback intake --text "<warning text>" --format json` to turn it into a focused setup-trust task.
+If npm prints `allow-scripts` warnings during a global install, check which package names it lists. projscan core does not need `node-gyp` grammar builds at runtime in 4.15.0. Open an issue with the warning text if npm reports install scripts from `projscan@latest`, or run `projscan feedback intake --text "<warning text>" --format json` to turn it into a focused setup-trust task.
 
 The grammar packages are build-time sources, not global-install dependencies. Published grammar assets include `tree-sitter-python.wasm` and `tree-sitter-c_sharp.wasm`.
 

package/dist/cli/commands/evidencePack.js

@@ -8,6 +8,7 @@ export function registerEvidencePack() {
         .option('--line <line>', 'product line to include, repeatable (default: next six minor lines)', collectLine, [])
         .option('--website-prompt', 'include website-update prompt text')
         .option('--pr-comment', 'print a GitHub PR comment markdown artifact')
+        .option('--base-ref <ref>', 'explicit git base ref for review evidence')
         .option('--max-findings <count>', 'maximum bug-hunt findings to include', parsePositiveInt)
         .action(async (cmdOpts) => {
         setupLogLevel();
@@ -18,6 +19,7 @@ export function registerEvidencePack() {
                 lines: cmdOpts.line,
                 includeWebsitePrompt: cmdOpts.websitePrompt === true,
                 includePrComment: cmdOpts.prComment === true,
+                baseRef: cmdOpts.baseRef,
                 maxFindings: cmdOpts.maxFindings,
             });
             if (format === 'json') {

package/dist/cli/commands/evidencePack.js.map

@@ -1 +1 @@
-{"version":3,"file":"evidencePack.js","sourceRoot":"","sources":["../../../src/cli/commands/evidencePack.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EACL,qBAAqB,EACrB,WAAW,EACX,kBAAkB,EAClB,OAAO,EACP,aAAa,GACd,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AAGpE,MAAM,UAAU,oBAAoB;IAClC,OAAO;SACJ,OAAO,CAAC,eAAe,CAAC;SACxB,WAAW,CACV,6FAA6F,CAC9F;SACA,MAAM,CACL,eAAe,EACf,qEAAqE,EACrE,WAAW,EACX,EAAE,CACH;SACA,MAAM,CAAC,kBAAkB,EAAE,oCAAoC,CAAC;SAChE,MAAM,CAAC,cAAc,EAAE,6CAA6C,CAAC;SACrE,MAAM,CAAC,wBAAwB,EAAE,sCAAsC,EAAE,gBAAgB,CAAC;SAC1F,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACxB,aAAa,EAAE,CAAC;QAChB,kBAAkB,EAAE,CAAC;QACrB,MAAM,MAAM,GAAG,qBAAqB,CAAC,eAAe,CAAC,CAAC;QAEtD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,WAAW,EAAE,EAAE;gBACtD,KAAK,EAAE,OAAO,CAAC,IAAI;gBACnB,oBAAoB,EAAE,OAAO,CAAC,aAAa,KAAK,IAAI;gBACpD,gBAAgB,EAAE,OAAO,CAAC,SAAS,KAAK,IAAI;gBAC5C,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC,CAAC,CAAC;YAEH,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC7C,OAAO;YACT,CAAC;YACD,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACnD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;gBACxC,OAAO;YACT,CAAC;YACD,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAC5B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC3E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,WAAW,CAAC,KAAa,EAAE,QAAkB;IACpD,OAAO,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,iBAAiB,CAAC,MAA0B;IACnD,MAAM,KAAK,GACT,MAAM,CAAC,OAAO,KAAK,SAAS;QAC1B,CAAC,CAAC,KAAK,CAAC,GAAG;QACX,CAAC,CAAC,MAAM,CAAC,OAAO,KAAK,SAAS;YAC5B,CAAC,CAAC,KAAK,CAAC,MAAM;YACd,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC;IACpB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,kBAAkB,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IACvD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC5B,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,cAAc,IAAI,SAAS,EAAE,CAAC,CAAC;IAC9D,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IACrC,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACxC,aAAa,CAAC,QAAQ,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC;IACnD,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QACjE,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,EAAE,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,QAA8B;IACnD,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,KAAK,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAC7D,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,IAAI,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"evidencePack.js","sourceRoot":"","sources":["../../../src/cli/commands/evidencePack.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EACL,qBAAqB,EACrB,WAAW,EACX,kBAAkB,EAClB,OAAO,EACP,aAAa,GACd,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AAGpE,MAAM,UAAU,oBAAoB;IAClC,OAAO;SACJ,OAAO,CAAC,eAAe,CAAC;SACxB,WAAW,CACV,6FAA6F,CAC9F;SACA,MAAM,CACL,eAAe,EACf,qEAAqE,EACrE,WAAW,EACX,EAAE,CACH;SACA,MAAM,CAAC,kBAAkB,EAAE,oCAAoC,CAAC;SAChE,MAAM,CAAC,cAAc,EAAE,6CAA6C,CAAC;SACrE,MAAM,CAAC,kBAAkB,EAAE,2CAA2C,CAAC;SACvE,MAAM,CAAC,wBAAwB,EAAE,sCAAsC,EAAE,gBAAgB,CAAC;SAC1F,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACxB,aAAa,EAAE,CAAC;QAChB,kBAAkB,EAAE,CAAC;QACrB,MAAM,MAAM,GAAG,qBAAqB,CAAC,eAAe,CAAC,CAAC;QAEtD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,WAAW,EAAE,EAAE;gBACtD,KAAK,EAAE,OAAO,CAAC,IAAI;gBACnB,oBAAoB,EAAE,OAAO,CAAC,aAAa,KAAK,IAAI;gBACpD,gBAAgB,EAAE,OAAO,CAAC,SAAS,KAAK,IAAI;gBAC5C,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC,CAAC,CAAC;YAEH,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC7C,OAAO;YACT,CAAC;YACD,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACnD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;gBACxC,OAAO;YACT,CAAC;YACD,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAC5B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC3E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,WAAW,CAAC,KAAa,EAAE,QAAkB;IACpD,OAAO,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,iBAAiB,CAAC,MAA0B;IACnD,MAAM,KAAK,GACT,MAAM,CAAC,OAAO,KAAK,SAAS;QAC1B,CAAC,CAAC,KAAK,CAAC,GAAG;QACX,CAAC,CAAC,MAAM,CAAC,OAAO,KAAK,SAAS;YAC5B,CAAC,CAAC,KAAK,CAAC,MAAM;YACd,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC;IACpB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,kBAAkB,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IACvD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC5B,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,cAAc,IAAI,SAAS,EAAE,CAAC,CAAC;IAC9D,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IACrC,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACxC,aAAa,CAAC,QAAQ,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC;IACnD,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QACjE,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,EAAE,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,QAA8B;IACnD,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,KAAK,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAC7D,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,IAAI,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}