proofscan 0.6.9 → 0.7.0

package/dist/secrets/providers/dpapi.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpapi.js","sourceRoot":"","sources":["../../../src/secrets/providers/dpapi.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAGzC,uDAAuD;AACvD,MAAM,qBAAqB,GAAG,MAAM,CAAC;AAErC,gFAAgF;AAChF,MAAM,cAAc,GAAG,wBAAwB,CAAC;AAEhD;;;GAGG;AACH,SAAS,aAAa,CAAC,KAAa;IAClC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;QACzC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACpC,CAAC;AAED;;;;;GAKG;AACH,MAAM,OAAO,aAAa;IACf,IAAI,GAAiB,OAAO,CAAC;IAEtC,WAAW;QACT,4BAA4B;QAC5B,OAAO,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,SAAiB;QAC7B,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QAED,2DAA2D;QAC3D,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAEvE,2CAA2C;QAC3C,MAAM,MAAM,GAAG;;qDAEkC,WAAW;;;KAG3D,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAE9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,QAAQ,CAAC,mDAAmD,MAAM,GAAG,EAAE;gBACpF,QAAQ,EAAE,OAAO;gBACjB,WAAW,EAAE,IAAI;gBACjB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;QACvB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,IAAI,KAAK,CAAC,4BAA4B,OAAO,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,UAAkB;QAC9B,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QAED,oEAAoE;QACpE,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;QAED,2CAA2C;QAC3C,MAAM,MAAM,GAAG;;yDAEsC,UAAU;;;KAG9D,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAE9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,QAAQ,CAAC,mDAAmD,MAAM,GAAG,EAAE;gBACpF,QAAQ,EAAE,OAAO;gBACjB,WAAW,EAAE,IAAI;gBACjB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,qCAAqC;YACrC,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAChE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,IAAI,KAAK,CAAC,4BAA4B,OAAO,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;CACF"}

package/dist/secrets/providers/index.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Encryption providers index
+ */
+export { PlainProvider } from './plain.js';
+export { DpapiProvider } from './dpapi.js';
+import type { IEncryptionProvider, ProviderType } from '../types.js';
+/**
+ * Get the best available encryption provider for the current platform
+ *
+ * Priority:
+ * 1. DPAPI on Windows
+ * 2. Keychain on macOS (future)
+ * 3. Plain fallback (no encryption, with warning)
+ */
+export declare function getBestProvider(): IEncryptionProvider;
+/**
+ * Get a specific provider by type
+ */
+export declare function getProvider(type: ProviderType): IEncryptionProvider;
+//# sourceMappingURL=index.d.ts.map

package/dist/secrets/providers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,OAAO,KAAK,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAIrE;;;;;;;GAOG;AACH,wBAAgB,eAAe,IAAI,mBAAmB,CAgBrD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,YAAY,GAAG,mBAAmB,CAYnE"}

package/dist/secrets/providers/index.js

@@ -0,0 +1,47 @@
+/**
+ * Encryption providers index
+ */
+export { PlainProvider } from './plain.js';
+export { DpapiProvider } from './dpapi.js';
+import { PlainProvider } from './plain.js';
+import { DpapiProvider } from './dpapi.js';
+/**
+ * Get the best available encryption provider for the current platform
+ *
+ * Priority:
+ * 1. DPAPI on Windows
+ * 2. Keychain on macOS (future)
+ * 3. Plain fallback (no encryption, with warning)
+ */
+export function getBestProvider() {
+    // Try DPAPI first (Windows)
+    const dpapi = new DpapiProvider();
+    if (dpapi.isAvailable()) {
+        return dpapi;
+    }
+    // TODO: Add macOS Keychain support
+    // const keychain = new KeychainProvider();
+    // if (keychain.isAvailable()) {
+    //   return keychain;
+    // }
+    // Fallback to plain (no encryption)
+    console.warn('Warning: No secure encryption provider available. Secrets will be stored without encryption.');
+    return new PlainProvider();
+}
+/**
+ * Get a specific provider by type
+ */
+export function getProvider(type) {
+    switch (type) {
+        case 'dpapi':
+            return new DpapiProvider();
+        case 'plain':
+            return new PlainProvider();
+        case 'keychain':
+            // Not yet implemented
+            throw new Error('Keychain provider not yet implemented');
+        default:
+            throw new Error(`Unknown provider type: ${type}`);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/secrets/providers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAG3C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe;IAC7B,4BAA4B;IAC5B,MAAM,KAAK,GAAG,IAAI,aAAa,EAAE,CAAC;IAClC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,mCAAmC;IACnC,2CAA2C;IAC3C,gCAAgC;IAChC,qBAAqB;IACrB,IAAI;IAEJ,oCAAoC;IACpC,OAAO,CAAC,IAAI,CAAC,8FAA8F,CAAC,CAAC;IAC7G,OAAO,IAAI,aAAa,EAAE,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAkB;IAC5C,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,OAAO;YACV,OAAO,IAAI,aAAa,EAAE,CAAC;QAC7B,KAAK,OAAO;YACV,OAAO,IAAI,aAAa,EAAE,CAAC;QAC7B,KAAK,UAAU;YACb,sBAAsB;YACtB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D;YACE,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,EAAE,CAAC,CAAC;IACtD,CAAC;AACH,CAAC"}

package/dist/secrets/providers/plain.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Plain encryption provider (no encryption)
+ *
+ * This is a fallback provider for testing and platforms without
+ * native encryption support. It provides NO security and should
+ * only be used for development/testing purposes.
+ */
+import type { IEncryptionProvider, ProviderType } from '../types.js';
+/**
+ * Plain provider - stores secrets as base64 without encryption
+ *
+ * WARNING: This provider offers NO security. Secrets are only
+ * base64 encoded, not encrypted. Use only for testing.
+ */
+export declare class PlainProvider implements IEncryptionProvider {
+    readonly type: ProviderType;
+    isAvailable(): boolean;
+    encrypt(plaintext: string): Promise<string>;
+    decrypt(ciphertext: string): Promise<string>;
+}
+//# sourceMappingURL=plain.d.ts.map

package/dist/secrets/providers/plain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plain.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/plain.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAErE;;;;;GAKG;AACH,qBAAa,aAAc,YAAW,mBAAmB;IACvD,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAW;IAEtC,WAAW,IAAI,OAAO;IAKhB,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAK3C,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAInD"}

package/dist/secrets/providers/plain.js

@@ -0,0 +1,29 @@
+/**
+ * Plain encryption provider (no encryption)
+ *
+ * This is a fallback provider for testing and platforms without
+ * native encryption support. It provides NO security and should
+ * only be used for development/testing purposes.
+ */
+/**
+ * Plain provider - stores secrets as base64 without encryption
+ *
+ * WARNING: This provider offers NO security. Secrets are only
+ * base64 encoded, not encrypted. Use only for testing.
+ */
+export class PlainProvider {
+    type = 'plain';
+    isAvailable() {
+        // Always available as fallback
+        return true;
+    }
+    async encrypt(plaintext) {
+        // Just base64 encode - NO ENCRYPTION
+        return Buffer.from(plaintext, 'utf-8').toString('base64');
+    }
+    async decrypt(ciphertext) {
+        // Just base64 decode
+        return Buffer.from(ciphertext, 'base64').toString('utf-8');
+    }
+}
+//# sourceMappingURL=plain.js.map

package/dist/secrets/providers/plain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plain.js","sourceRoot":"","sources":["../../../src/secrets/providers/plain.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH;;;;;GAKG;AACH,MAAM,OAAO,aAAa;IACf,IAAI,GAAiB,OAAO,CAAC;IAEtC,WAAW;QACT,+BAA+B;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,SAAiB;QAC7B,qCAAqC;QACrC,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,UAAkB;QAC9B,qBAAqB;QACrB,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC7D,CAAC;CACF"}

package/dist/secrets/redaction.d.ts

@@ -0,0 +1,76 @@
+/**
+ * Secret redaction utilities (Phase 3.5)
+ *
+ * Provides deep redaction of secrets in config output.
+ * Used by config show, export, and snapshot commands.
+ */
+/** Redacted placeholder for secrets */
+export declare const REDACTED = "***REDACTED***";
+/** Redacted placeholder for secret references */
+export declare const REDACTED_REF = "***SECRET_REF***";
+/**
+ * Result of redaction
+ */
+export interface RedactionResult {
+    /** Redacted value */
+    value: unknown;
+    /** Number of values redacted */
+    count: number;
+}
+/**
+ * Options for redaction
+ */
+export interface RedactionOptions {
+    /** Redact values for secret keys (default: true) */
+    redactSecretKeys?: boolean;
+    /** Redact secret references like "dpapi:xxx" (default: true) */
+    redactSecretRefs?: boolean;
+    /** Custom redaction string for values */
+    redactedValue?: string;
+    /** Custom redaction string for references */
+    redactedRef?: string;
+}
+/**
+ * Recursively redact secrets in a value
+ *
+ * Handles:
+ * - Secret references (dpapi:xxx, keychain:xxx)
+ * - Values for keys that match secret patterns
+ *
+ * @param value - Any JSON-serializable value
+ * @param options - Redaction options
+ * @returns Redacted value and count
+ */
+export declare function redactDeep(value: unknown, options?: RedactionOptions): RedactionResult;
+/**
+ * Redact a single value based on key and options
+ *
+ * @param key - The key name
+ * @param value - The value to potentially redact
+ * @param options - Redaction options
+ * @returns Redacted value if applicable, original otherwise
+ */
+export declare function redactValue(key: string, value: string, options?: RedactionOptions): string;
+/**
+ * Redact env variables object
+ *
+ * @param env - Environment variables
+ * @param options - Redaction options
+ * @returns Redacted env and count
+ */
+export declare function redactEnv(env: Record<string, string>, options?: RedactionOptions): {
+    env: Record<string, string>;
+    count: number;
+};
+/**
+ * Create a summary of redacted values
+ *
+ * @param count - Number of values redacted
+ * @returns Human-readable summary
+ */
+export declare function redactionSummary(count: number): string;
+/**
+ * Check if a value has been redacted
+ */
+export declare function isRedacted(value: string): boolean;
+//# sourceMappingURL=redaction.d.ts.map

package/dist/secrets/redaction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redaction.d.ts","sourceRoot":"","sources":["../../src/secrets/redaction.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,uCAAuC;AACvC,eAAO,MAAM,QAAQ,mBAAmB,CAAC;AAEzC,iDAAiD;AACjD,eAAO,MAAM,YAAY,qBAAqB,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,qBAAqB;IACrB,KAAK,EAAE,OAAO,CAAC;IACf,gCAAgC;IAChC,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,oDAAoD;IACpD,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,gEAAgE;IAChE,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,yCAAyC;IACzC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AASD;;;;;;;;;;GAUG;AACH,wBAAgB,UAAU,CACxB,KAAK,EAAE,OAAO,EACd,OAAO,GAAE,gBAAqB,GAC7B,eAAe,CAkDjB;AAED;;;;;;;GAOG;AACH,wBAAgB,WAAW,CACzB,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,gBAAqB,GAC7B,MAAM,CAgBR;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CACvB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC3B,OAAO,GAAE,gBAAqB,GAC7B;IAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAchD;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQtD;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAEjD"}

package/dist/secrets/redaction.js

@@ -0,0 +1,136 @@
+/**
+ * Secret redaction utilities (Phase 3.5)
+ *
+ * Provides deep redaction of secrets in config output.
+ * Used by config show, export, and snapshot commands.
+ */
+import { isSecretRef } from './types.js';
+import { isSecretKey } from './detection.js';
+/** Redacted placeholder for secrets */
+export const REDACTED = '***REDACTED***';
+/** Redacted placeholder for secret references */
+export const REDACTED_REF = '***SECRET_REF***';
+const DEFAULT_OPTIONS = {
+    redactSecretKeys: true,
+    redactSecretRefs: true,
+    redactedValue: REDACTED,
+    redactedRef: REDACTED_REF,
+};
+/**
+ * Recursively redact secrets in a value
+ *
+ * Handles:
+ * - Secret references (dpapi:xxx, keychain:xxx)
+ * - Values for keys that match secret patterns
+ *
+ * @param value - Any JSON-serializable value
+ * @param options - Redaction options
+ * @returns Redacted value and count
+ */
+export function redactDeep(value, options = {}) {
+    const opts = { ...DEFAULT_OPTIONS, ...options };
+    let count = 0;
+    function processValue(val, parentKey) {
+        // Handle null/undefined
+        if (val === null || val === undefined) {
+            return val;
+        }
+        // Handle strings
+        if (typeof val === 'string') {
+            // Check if it's a secret reference
+            if (opts.redactSecretRefs && isSecretRef(val)) {
+                count++;
+                return opts.redactedRef;
+            }
+            // Check if parent key indicates a secret
+            if (opts.redactSecretKeys && parentKey && isSecretKey(parentKey)) {
+                // Don't redact empty strings or already-redacted values
+                if (val.length > 0 && val !== opts.redactedValue && val !== opts.redactedRef) {
+                    count++;
+                    return opts.redactedValue;
+                }
+            }
+            return val;
+        }
+        // Handle arrays
+        if (Array.isArray(val)) {
+            return val.map(item => processValue(item, parentKey));
+        }
+        // Handle objects
+        if (typeof val === 'object') {
+            const result = {};
+            for (const [key, v] of Object.entries(val)) {
+                result[key] = processValue(v, key);
+            }
+            return result;
+        }
+        // Primitives (number, boolean, etc.)
+        return val;
+    }
+    const redacted = processValue(value);
+    return { value: redacted, count };
+}
+/**
+ * Redact a single value based on key and options
+ *
+ * @param key - The key name
+ * @param value - The value to potentially redact
+ * @param options - Redaction options
+ * @returns Redacted value if applicable, original otherwise
+ */
+export function redactValue(key, value, options = {}) {
+    const opts = { ...DEFAULT_OPTIONS, ...options };
+    // Check if it's a secret reference
+    if (opts.redactSecretRefs && isSecretRef(value)) {
+        return opts.redactedRef;
+    }
+    // Check if key indicates a secret
+    if (opts.redactSecretKeys && isSecretKey(key)) {
+        if (value.length > 0 && value !== opts.redactedValue && value !== opts.redactedRef) {
+            return opts.redactedValue;
+        }
+    }
+    return value;
+}
+/**
+ * Redact env variables object
+ *
+ * @param env - Environment variables
+ * @param options - Redaction options
+ * @returns Redacted env and count
+ */
+export function redactEnv(env, options = {}) {
+    const opts = { ...DEFAULT_OPTIONS, ...options };
+    let count = 0;
+    const result = {};
+    for (const [key, value] of Object.entries(env)) {
+        const redacted = redactValue(key, value, opts);
+        if (redacted !== value) {
+            count++;
+        }
+        result[key] = redacted;
+    }
+    return { env: result, count };
+}
+/**
+ * Create a summary of redacted values
+ *
+ * @param count - Number of values redacted
+ * @returns Human-readable summary
+ */
+export function redactionSummary(count) {
+    if (count === 0) {
+        return '';
+    }
+    if (count === 1) {
+        return '(1 secret redacted)';
+    }
+    return `(${count} secrets redacted)`;
+}
+/**
+ * Check if a value has been redacted
+ */
+export function isRedacted(value) {
+    return value === REDACTED || value === REDACTED_REF;
+}
+//# sourceMappingURL=redaction.js.map

package/dist/secrets/redaction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redaction.js","sourceRoot":"","sources":["../../src/secrets/redaction.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAsB,MAAM,YAAY,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE7C,uCAAuC;AACvC,MAAM,CAAC,MAAM,QAAQ,GAAG,gBAAgB,CAAC;AAEzC,iDAAiD;AACjD,MAAM,CAAC,MAAM,YAAY,GAAG,kBAAkB,CAAC;AA0B/C,MAAM,eAAe,GAA+B;IAClD,gBAAgB,EAAE,IAAI;IACtB,gBAAgB,EAAE,IAAI;IACtB,aAAa,EAAE,QAAQ;IACvB,WAAW,EAAE,YAAY;CAC1B,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,UAAU,UAAU,CACxB,KAAc,EACd,UAA4B,EAAE;IAE9B,MAAM,IAAI,GAAG,EAAE,GAAG,eAAe,EAAE,GAAG,OAAO,EAAE,CAAC;IAChD,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,SAAS,YAAY,CAAC,GAAY,EAAE,SAAkB;QACpD,wBAAwB;QACxB,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACtC,OAAO,GAAG,CAAC;QACb,CAAC;QAED,iBAAiB;QACjB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,mCAAmC;YACnC,IAAI,IAAI,CAAC,gBAAgB,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC9C,KAAK,EAAE,CAAC;gBACR,OAAO,IAAI,CAAC,WAAW,CAAC;YAC1B,CAAC;YAED,yCAAyC;YACzC,IAAI,IAAI,CAAC,gBAAgB,IAAI,SAAS,IAAI,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjE,wDAAwD;gBACxD,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,GAAG,KAAK,IAAI,CAAC,aAAa,IAAI,GAAG,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC;oBAC7E,KAAK,EAAE,CAAC;oBACR,OAAO,IAAI,CAAC,aAAa,CAAC;gBAC5B,CAAC;YACH,CAAC;YAED,OAAO,GAAG,CAAC;QACb,CAAC;QAED,gBAAgB;QAChB,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC;QACxD,CAAC;QAED,iBAAiB;QACjB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC3C,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YACrC,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,qCAAqC;QACrC,OAAO,GAAG,CAAC;IACb,CAAC;IAED,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IACrC,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;AACpC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CACzB,GAAW,EACX,KAAa,EACb,UAA4B,EAAE;IAE9B,MAAM,IAAI,GAAG,EAAE,GAAG,eAAe,EAAE,GAAG,OAAO,EAAE,CAAC;IAEhD,mCAAmC;IACnC,IAAI,IAAI,CAAC,gBAAgB,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QAChD,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED,kCAAkC;IAClC,IAAI,IAAI,CAAC,gBAAgB,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9C,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,KAAK,IAAI,CAAC,aAAa,IAAI,KAAK,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC;YACnF,OAAO,IAAI,CAAC,aAAa,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CACvB,GAA2B,EAC3B,UAA4B,EAAE;IAE9B,MAAM,IAAI,GAAG,EAAE,GAAG,eAAe,EAAE,GAAG,OAAO,EAAE,CAAC;IAChD,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,MAAM,MAAM,GAA2B,EAAE,CAAC;IAE1C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;QAC/C,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;YACvB,KAAK,EAAE,CAAC;QACV,CAAC;QACD,MAAM,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC;IACzB,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAChC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IACD,OAAO,IAAI,KAAK,oBAAoB,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,KAAa;IACtC,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,YAAY,CAAC;AACtD,CAAC"}

package/dist/secrets/store.d.ts

@@ -0,0 +1,42 @@
+/**
+ * SQLite-backed secret store (Phase 3.5)
+ *
+ * Stores encrypted secrets in ~/.proofscan/secrets.db
+ * Uses platform-specific encryption providers (DPAPI on Windows).
+ */
+import type { ISecretStore, IEncryptionProvider, SecretMeta, StoreSecretResult, ProviderType } from './types.js';
+/**
+ * SQLite-backed secret store
+ */
+export declare class SqliteSecretStore implements ISecretStore {
+    private db;
+    private provider;
+    private closed;
+    constructor(configDir?: string, provider?: IEncryptionProvider);
+    private initSchema;
+    private ensureOpen;
+    store(plaintext: string, meta?: SecretMeta): Promise<StoreSecretResult>;
+    retrieve(id: string): Promise<string | null>;
+    exists(id: string): Promise<boolean>;
+    delete(id: string): Promise<boolean>;
+    list(): Promise<string[]>;
+    getMeta(id: string): Promise<SecretMeta | null>;
+    /**
+     * Get the provider type in use
+     */
+    getProviderType(): ProviderType;
+    /**
+     * Get count of stored secrets
+     */
+    count(): number;
+    close(): void;
+}
+/**
+ * Get or create the global secret store
+ */
+export declare function getSecretStore(configDir?: string): SqliteSecretStore;
+/**
+ * Close the global secret store
+ */
+export declare function closeSecretStore(): void;
+//# sourceMappingURL=store.d.ts.map

package/dist/secrets/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/secrets/store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EACV,YAAY,EACZ,mBAAmB,EACnB,UAAU,EAEV,iBAAiB,EACjB,YAAY,EACb,MAAM,YAAY,CAAC;AAsBpB;;GAEG;AACH,qBAAa,iBAAkB,YAAW,YAAY;IACpD,OAAO,CAAC,EAAE,CAAoB;IAC9B,OAAO,CAAC,QAAQ,CAAsB;IACtC,OAAO,CAAC,MAAM,CAAS;gBAEX,SAAS,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,mBAAmB;IAiB9D,OAAO,CAAC,UAAU;IAUlB,OAAO,CAAC,UAAU;IAMZ,KAAK,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,iBAAiB,CAAC;IA0BvE,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IA8B5C,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAOpC,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQpC,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAQzB,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAiBrD;;OAEG;IACH,eAAe,IAAI,YAAY;IAI/B;;OAEG;IACH,KAAK,IAAI,MAAM;IAQf,KAAK,IAAI,IAAI;CAMd;AAKD;;GAEG;AACH,wBAAgB,cAAc,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAKpE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAKvC"}

package/dist/secrets/store.js

@@ -0,0 +1,174 @@
+/**
+ * SQLite-backed secret store (Phase 3.5)
+ *
+ * Stores encrypted secrets in ~/.proofscan/secrets.db
+ * Uses platform-specific encryption providers (DPAPI on Windows).
+ */
+import Database from 'better-sqlite3';
+import { join } from 'path';
+import { mkdirSync } from 'fs';
+import { v4 as uuidv4 } from 'uuid';
+import { makeSecretRef } from './types.js';
+import { getBestProvider, getProvider } from './providers/index.js';
+import { getDefaultConfigDir } from '../utils/config-path.js';
+/** Database schema version */
+const SECRETS_DB_VERSION = 1;
+/** Database schema */
+const SECRETS_DB_SCHEMA = `
+CREATE TABLE IF NOT EXISTS secrets (
+  id TEXT PRIMARY KEY,
+  provider TEXT NOT NULL,
+  ciphertext TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  meta_json TEXT
+);
+
+CREATE INDEX IF NOT EXISTS idx_secrets_provider ON secrets(provider);
+CREATE INDEX IF NOT EXISTS idx_secrets_created ON secrets(created_at);
+`;
+/**
+ * SQLite-backed secret store
+ */
+export class SqliteSecretStore {
+    db;
+    provider;
+    closed = false;
+    constructor(configDir, provider) {
+        const dir = configDir || getDefaultConfigDir();
+        // Ensure directory exists
+        mkdirSync(dir, { recursive: true });
+        // Open database
+        const dbPath = join(dir, 'secrets.db');
+        this.db = new Database(dbPath);
+        // Initialize schema
+        this.initSchema();
+        // Use provided provider or get best available
+        this.provider = provider || getBestProvider();
+    }
+    initSchema() {
+        // Check version
+        const currentVersion = this.db.pragma('user_version', { simple: true });
+        if (currentVersion < SECRETS_DB_VERSION) {
+            this.db.exec(SECRETS_DB_SCHEMA);
+            this.db.pragma(`user_version = ${SECRETS_DB_VERSION}`);
+        }
+    }
+    ensureOpen() {
+        if (this.closed) {
+            throw new Error('SecretStore has been closed');
+        }
+    }
+    async store(plaintext, meta) {
+        this.ensureOpen();
+        // Generate unique ID
+        const id = uuidv4();
+        // Encrypt the plaintext
+        const ciphertext = await this.provider.encrypt(plaintext);
+        // Serialize metadata
+        const metaJson = meta ? JSON.stringify(meta) : null;
+        // Insert into database
+        const stmt = this.db.prepare(`
+      INSERT INTO secrets (id, provider, ciphertext, created_at, meta_json)
+      VALUES (?, ?, ?, ?, ?)
+    `);
+        stmt.run(id, this.provider.type, ciphertext, new Date().toISOString(), metaJson);
+        return {
+            id,
+            reference: makeSecretRef(this.provider.type, id),
+        };
+    }
+    async retrieve(id) {
+        this.ensureOpen();
+        const stmt = this.db.prepare(`
+      SELECT provider, ciphertext FROM secrets WHERE id = ?
+    `);
+        const row = stmt.get(id);
+        if (!row) {
+            return null;
+        }
+        // Get the appropriate provider
+        const provider = row.provider === this.provider.type
+            ? this.provider
+            : getProvider(row.provider);
+        // Security: Check if provider is available on this platform
+        if (!provider.isAvailable()) {
+            throw new Error(`Secret was encrypted with '${row.provider}' which is not available on this platform. ` +
+                `This secret can only be decrypted on a system where ${row.provider} is supported.`);
+        }
+        // Decrypt and return
+        return provider.decrypt(row.ciphertext);
+    }
+    async exists(id) {
+        this.ensureOpen();
+        const stmt = this.db.prepare(`SELECT 1 FROM secrets WHERE id = ?`);
+        return stmt.get(id) !== undefined;
+    }
+    async delete(id) {
+        this.ensureOpen();
+        const stmt = this.db.prepare(`DELETE FROM secrets WHERE id = ?`);
+        const result = stmt.run(id);
+        return result.changes > 0;
+    }
+    async list() {
+        this.ensureOpen();
+        const stmt = this.db.prepare(`SELECT id FROM secrets ORDER BY created_at DESC`);
+        const rows = stmt.all();
+        return rows.map(r => r.id);
+    }
+    async getMeta(id) {
+        this.ensureOpen();
+        const stmt = this.db.prepare(`SELECT meta_json FROM secrets WHERE id = ?`);
+        const row = stmt.get(id);
+        if (!row || !row.meta_json) {
+            return null;
+        }
+        try {
+            return JSON.parse(row.meta_json);
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Get the provider type in use
+     */
+    getProviderType() {
+        return this.provider.type;
+    }
+    /**
+     * Get count of stored secrets
+     */
+    count() {
+        this.ensureOpen();
+        const stmt = this.db.prepare(`SELECT COUNT(*) as count FROM secrets`);
+        const row = stmt.get();
+        return row.count;
+    }
+    close() {
+        if (!this.closed) {
+            this.db.close();
+            this.closed = true;
+        }
+    }
+}
+// Singleton instance
+let secretStore = null;
+/**
+ * Get or create the global secret store
+ */
+export function getSecretStore(configDir) {
+    if (!secretStore) {
+        secretStore = new SqliteSecretStore(configDir);
+    }
+    return secretStore;
+}
+/**
+ * Close the global secret store
+ */
+export function closeSecretStore() {
+    if (secretStore) {
+        secretStore.close();
+        secretStore = null;
+    }
+}
+//# sourceMappingURL=store.js.map

package/dist/secrets/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/secrets/store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AACtC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AASpC,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAE9D,8BAA8B;AAC9B,MAAM,kBAAkB,GAAG,CAAC,CAAC;AAE7B,sBAAsB;AACtB,MAAM,iBAAiB,GAAG;;;;;;;;;;;CAWzB,CAAC;AAEF;;GAEG;AACH,MAAM,OAAO,iBAAiB;IACpB,EAAE,CAAoB;IACtB,QAAQ,CAAsB;IAC9B,MAAM,GAAG,KAAK,CAAC;IAEvB,YAAY,SAAkB,EAAE,QAA8B;QAC5D,MAAM,GAAG,GAAG,SAAS,IAAI,mBAAmB,EAAE,CAAC;QAE/C,0BAA0B;QAC1B,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEpC,gBAAgB;QAChB,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,IAAI,CAAC,EAAE,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC;QAE/B,oBAAoB;QACpB,IAAI,CAAC,UAAU,EAAE,CAAC;QAElB,8CAA8C;QAC9C,IAAI,CAAC,QAAQ,GAAG,QAAQ,IAAI,eAAe,EAAE,CAAC;IAChD,CAAC;IAEO,UAAU;QAChB,gBAAgB;QAChB,MAAM,cAAc,GAAG,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAW,CAAC;QAElF,IAAI,cAAc,GAAG,kBAAkB,EAAE,CAAC;YACxC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAChC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,kBAAkB,kBAAkB,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAEO,UAAU;QAChB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,SAAiB,EAAE,IAAiB;QAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;QAElB,qBAAqB;QACrB,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;QAEpB,wBAAwB;QACxB,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAE1D,qBAAqB;QACrB,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAEpD,uBAAuB;QACvB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;KAG5B,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,QAAQ,CAAC,CAAC;QAEjF,OAAO;YACL,EAAE;YACF,SAAS,EAAE,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC;SACjD,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,EAAU;QACvB,IAAI,CAAC,UAAU,EAAE,CAAC;QAElB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;KAE5B,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAA+D,CAAC;QAEvF,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,IAAI,CAAC;QACd,CAAC;QAED,+BAA+B;QAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,KAAK,IAAI,CAAC,QAAQ,CAAC,IAAI;YAClD,CAAC,CAAC,IAAI,CAAC,QAAQ;YACf,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAE9B,4DAA4D;QAC5D,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CACb,8BAA8B,GAAG,CAAC,QAAQ,6CAA6C;gBACvF,uDAAuD,GAAG,CAAC,QAAQ,gBAAgB,CACpF,CAAC;QACJ,CAAC;QAED,qBAAqB;QACrB,OAAO,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,IAAI,CAAC,UAAU,EAAE,CAAC;QAElB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC;QACnE,OAAO,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,SAAS,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,IAAI,CAAC,UAAU,EAAE,CAAC;QAElB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,kCAAkC,CAAC,CAAC;QACjE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC,UAAU,EAAE,CAAC;QAElB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,iDAAiD,CAAC,CAAC;QAChF,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAsB,CAAC;QAC5C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,EAAU;QACtB,IAAI,CAAC,UAAU,EAAE,CAAC;QAElB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,4CAA4C,CAAC,CAAC;QAC3E,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAA6C,CAAC;QAErE,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAe,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,eAAe;QACb,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,UAAU,EAAE,CAAC;QAElB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,uCAAuC,CAAC,CAAC;QACtE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAuB,CAAC;QAC5C,OAAO,GAAG,CAAC,KAAK,CAAC;IACnB,CAAC;IAED,KAAK;QACH,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;CACF;AAED,qBAAqB;AACrB,IAAI,WAAW,GAA6B,IAAI,CAAC;AAEjD;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,SAAkB;IAC/C,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,WAAW,GAAG,IAAI,iBAAiB,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB;IAC9B,IAAI,WAAW,EAAE,CAAC;QAChB,WAAW,CAAC,KAAK,EAAE,CAAC;QACpB,WAAW,GAAG,IAAI,CAAC;IACrB,CAAC;AACH,CAAC"}