sandstream-kit 1.6.0 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (34) hide show
  1. package/README.md +20 -0
  2. package/dist/bumblebee.js +23 -7
  3. package/dist/bumblebee.js.map +1 -1
  4. package/dist/cli.js +149 -4
  5. package/dist/cli.js.map +1 -1
  6. package/dist/config.d.ts +15 -0
  7. package/dist/config.js +14 -1
  8. package/dist/config.js.map +1 -1
  9. package/dist/findings-track.d.ts +23 -0
  10. package/dist/findings-track.js +45 -0
  11. package/dist/findings-track.js.map +1 -0
  12. package/dist/fix.js +3 -1
  13. package/dist/fix.js.map +1 -1
  14. package/dist/heal.d.ts +60 -0
  15. package/dist/heal.js +159 -0
  16. package/dist/heal.js.map +1 -0
  17. package/dist/install.d.ts +15 -2
  18. package/dist/install.js +18 -2
  19. package/dist/install.js.map +1 -1
  20. package/dist/memory/db.d.ts +10 -0
  21. package/dist/memory/db.js +17 -1
  22. package/dist/memory/db.js.map +1 -1
  23. package/dist/memory/hook.js +32 -4
  24. package/dist/memory/hook.js.map +1 -1
  25. package/dist/memory/pal.d.ts +28 -0
  26. package/dist/memory/pal.js +51 -1
  27. package/dist/memory/pal.js.map +1 -1
  28. package/dist/triage-gate.d.ts +51 -0
  29. package/dist/triage-gate.js +96 -0
  30. package/dist/triage-gate.js.map +1 -0
  31. package/dist/update-check.d.ts +9 -0
  32. package/dist/update-check.js +35 -2
  33. package/dist/update-check.js.map +1 -1
  34. package/package.json +1 -1
package/README.md CHANGED
@@ -23,6 +23,26 @@ npm i -g sandstream-kit
23
23
  # echo 'export PATH="$HOME/.npm-global/bin:$PATH"' >> ~/.zshrc && source ~/.zshrc
24
24
  ```
25
25
 
26
+ ### Run via Docker
27
+
28
+ Prefer a container (no local Node or mise)? The CLI ships as a signed image on
29
+ Docker Hub. Mount your project and point the workdir at it:
30
+
31
+ ```bash
32
+ docker run --rm sandstream/kit:latest --version
33
+ docker run --rm -v "$PWD":/work -w /work sandstream/kit:latest check
34
+ ```
35
+
36
+ Each release publishes `sandstream/kit` (version + `latest` tags), keyless-signed
37
+ with cosign and shipped with a CycloneDX SBOM. Verify the signature before
38
+ trusting an image:
39
+
40
+ ```bash
41
+ cosign verify sandstream/kit:latest \
42
+ --certificate-identity-regexp 'https://github.com/sandstream/kit/\.github/workflows/docker-build\.yml@.*' \
43
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com
44
+ ```
45
+
26
46
  Then, in a repo:
27
47
 
28
48
  ```bash
package/dist/bumblebee.js CHANGED
@@ -13,7 +13,7 @@
13
13
  import { execFile } from "node:child_process";
14
14
  import { promisify } from "node:util";
15
15
  import { createHash } from "node:crypto";
16
- import { writeFile, mkdir, mkdtemp, rm, chmod, access, rename, readdir, stat, } from "node:fs/promises";
16
+ import { writeFile, readFile, mkdir, mkdtemp, rm, chmod, access, rename, readdir, stat, } from "node:fs/promises";
17
17
  import { homedir } from "node:os";
18
18
  import { join } from "node:path";
19
19
  const exec = promisify(execFile);
@@ -82,7 +82,9 @@ async function pathExists(p) {
82
82
  }
83
83
  }
84
84
  function cacheParent() {
85
- return join(homedir(), ".kit", "tools", "bumblebee");
85
+ // KIT_BUMBLEBEE_CACHE overrides the cache root (test isolation + CI sandboxes).
86
+ const override = process.env.KIT_BUMBLEBEE_CACHE;
87
+ return override && override.length > 0 ? override : join(homedir(), ".kit", "tools", "bumblebee");
86
88
  }
87
89
  function cacheRoot(version = BUMBLEBEE_VERSION) {
88
90
  return join(cacheParent(), version);
@@ -133,15 +135,22 @@ export async function ensureBumblebee(opts = {}) {
133
135
  const root = cacheRoot();
134
136
  const binPath = join(root, "bumblebee");
135
137
  const catalogDir = join(root, "threat_intel");
136
- if ((await pathExists(binPath)) && (await pathExists(catalogDir))) {
137
- // F3 re-verify the cached binary's SHA-256 against the pinned checksum
138
- // before reuse. Catches tampering or accidental corruption since download.
138
+ const sidecarPath = join(root, "bumblebee.sha256");
139
+ if ((await pathExists(binPath)) && (await pathExists(catalogDir)) && (await pathExists(sidecarPath))) {
140
+ // F3 re-verify the cached binary against the hash recorded at trusted
141
+ // INSTALL time (the sidecar), NOT the tarball checksum. The pinned
142
+ // TARBALL_CHECKSUMS gate the DOWNLOAD (authoritative supply-chain anchor);
143
+ // the sidecar gates CACHE reuse, catching corruption/tampering of the
144
+ // cached binary since install. (A prior version compared the extracted
145
+ // binary to the *tarball* digest — different artifacts, so it mismatched on
146
+ // every reuse and silently disabled the scanner after first download.)
139
147
  try {
148
+ const expected = (await readFile(sidecarPath, "utf8")).trim();
140
149
  const actual = await sha256File(binPath);
141
- if (actual !== target.checksum) {
150
+ if (actual !== expected) {
142
151
  return {
143
152
  kind: "integrity",
144
- reason: `cached binary checksum mismatch (expected ${target.checksum}, got ${actual}); clear ~/.kit/tools/bumblebee and retry`,
153
+ reason: `cached binary checksum mismatch (expected ${expected}, got ${actual}); clear ~/.kit/tools/bumblebee and retry`,
145
154
  };
146
155
  }
147
156
  }
@@ -153,6 +162,8 @@ export async function ensureBumblebee(opts = {}) {
153
162
  }
154
163
  return { install: { binPath, catalogDir } };
155
164
  }
165
+ // A cached binary with no sidecar is a legacy cache (pre-fix): fall through and
166
+ // re-download to re-establish trust via the pinned tarball checksum.
156
167
  if (opts.allowDownload === false) {
157
168
  return {
158
169
  kind: "network",
@@ -218,6 +229,11 @@ async function downloadAndInstall(target, root, timeoutMs) {
218
229
  throw new Error("extracted archive is missing threat_intel catalogs");
219
230
  }
220
231
  await chmod(stagedBin, 0o755);
232
+ // Record the extracted binary's own SHA-256 so cache reuse (F3) can verify
233
+ // the BINARY — the tarball is discarded after extraction. Authenticity was
234
+ // already proven by the pinned tarball checksum above; this anchors the
235
+ // cached binary to that trusted install.
236
+ await writeFile(join(staging, "bumblebee.sha256"), `${await sha256File(stagedBin)}\n`);
221
237
  await rm(tarPath, { force: true });
222
238
  await rm(root, { recursive: true, force: true });
223
239
  await rename(staging, root);
package/dist/bumblebee.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"bumblebee.js","sourceRoot":"","sources":["../src/bumblebee.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EACL,SAAS,EACT,KAAK,EACL,OAAO,EACP,EAAE,EACF,KAAK,EACL,MAAM,EACN,MAAM,EACN,OAAO,EACP,IAAI,GACL,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAEjC,yFAAyF;AACzF,MAAM,OAAO,cAAe,SAAQ,KAAK;IACvC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAWD;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,OAAO,CAAC;AAEzC,MAAM,gBAAgB,GACpB,6DAA6D,CAAC;AAEhE;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAA2B;IACvD,qCAAqC,EACnC,kEAAkE;IACpE,qCAAqC,EACnC,kEAAkE;IACpE,oCAAoC,EAClC,kEAAkE;IACpE,oCAAoC,EAClC,kEAAkE;CACrE,CAAC;AASF;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,WAA4B,OAAO,CAAC,QAAQ,EAC5C,OAAe,OAAO,CAAC,IAAI,EAC3B,UAAkB,iBAAiB;IAEnC,MAAM,EAAE,GACN,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IAC3E,MAAM,CAAC,GAAG,IAAI,KAAK,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IACvE,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3B,MAAM,SAAS,GAAG,aAAa,OAAO,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;IAC3D,MAAM,QAAQ,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC9C,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,MAAM,CAAC,IAAyB;IAC9C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzD,CAAC;AAED,gFAAgF;AAChF,KAAK,UAAU,UAAU,CAAC,QAAgB;IACxC,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;IACrD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAClC,OAAO,IAAI,OAAO,CAAC,CAAC,WAAW,EAAE,MAAM,EAAE,EAAE;QACzC,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACjD,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACxD,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,CAAS;IACjC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,CAAC,CAAC,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,WAAW;IAClB,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,SAAS,CAAC,OAAO,GAAG,iBAAiB;IAC5C,OAAO,IAAI,CAAC,WAAW,EAAE,EAAE,OAAO,CAAC,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,IAAI,GAAG,WAAW,EAAE,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAClC,CAAC;IACD,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAkBD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAAsB,EAAE;IAExB,mEAAmE;IACnE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC7C,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC,CAAC,MAAM,UAAU,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;YAChC,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,MAAM,EAAE,+CAA+C,MAAM,EAAE;aAChE,CAAC;QACJ,CAAC;QACD,MAAM,UAAU,GACd,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,IAAI,CAAC,SAAS,EAAE,EAAE,cAAc,CAAC,CAAC;QACzE,OAAO,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,CAAC;IACtD,CAAC;IAED,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAC/B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,yBAAyB,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,gDAAgD;SAClH,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,SAAS,EAAE,CAAC;IACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IAE9C,IAAI,CAAC,MAAM,UAAU,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,UAAU,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;QAClE,yEAAyE;QACzE,2EAA2E;QAC3E,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,CAAC;YACzC,IAAI,MAAM,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAC/B,OAAO;oBACL,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,6CAA6C,MAAM,CAAC,QAAQ,SAAS,MAAM,2CAA2C;iBAC/H,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,+CAA+C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;aAC1G,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC;IAC9C,CAAC;IAED,IAAI,IAAI,CAAC,aAAa,KAAK,KAAK,EAAE,CAAC;QACjC,OAAO;YACL,IAAI,EAAE,SAAS;YACf,MAAM,EACJ,iEAAiE;SACpE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;QAC9E,MAAM,CACJ,oDAAoD,iBAAiB,cAAc,CACpF,CAAC;QACF,MAAM,kBAAkB,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC,CAAC;QAClE,OAAO,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,6EAA6E;QAC7E,+EAA+E;QAC/E,MAAM,WAAW,GAAG,GAAG,YAAY,cAAc,CAAC;QAClD,OAAO;YACL,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YAC3C,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,iBAAiB,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;SAC7H,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,MAAsB,EACtB,IAAY,EACZ,SAAiB;IAEjB,MAAM,GAAG,GAAG,GAAG,gBAAgB,KAAK,iBAAiB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;IAE5E,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;IAC9D,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;QAChF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,0EAA0E;QAC1E,kEAAkE;QAClE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,oDAAoD,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;QACjF,CAAC;QACD,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;IAC7C,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,MAAM,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,cAAc,CACtB,yBAAyB,MAAM,CAAC,SAAS,cAAc,MAAM,CAAC,QAAQ,SAAS,MAAM,EAAE,CACxF,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,4EAA4E;IAC5E,8CAA8C;IAC9C,MAAM,KAAK,CAAC,WAAW,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,OAAO,CAAC,CAAC,CAAC;IAC5D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QAChD,MAAM,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC9B,oFAAoF;QACpF,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;QAEzE,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC7C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;QACpD,IAAI,CAAC,CAAC,MAAM,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACvE,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,UAAU,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;QACD,MAAM,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC9B,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAEnC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,MAAM,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC9B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACpE,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAuBD,SAAS,GAAG,CAAC,GAA4B,EAAE,GAAW;IACpD,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACnB,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,GAAG,CAAC,CAAU;IACrB,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,MAAc;IAC5C,MAAM,OAAO,GAAgB;QAC3B,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,KAAK;QAClB,QAAQ,EAAE,EAAE;QACZ,eAAe,EAAE,CAAC;KACnB,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,IAAI,GAA4B,CAAC;QACjC,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QAED,IAAI,GAAG,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YAClC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;gBACpB,QAAQ,EAAE,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,SAAS;gBAC3C,SAAS,EAAE,GAAG,CAAC,GAAG,EAAE,YAAY,CAAC;gBACjC,WAAW,EAAE,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC;gBACrC,SAAS,EAAE,GAAG,CAAC,GAAG,EAAE,WAAW,CAAC;gBAChC,WAAW,EAAE,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,IAAI,GAAG,CAAC,GAAG,EAAE,iBAAiB,CAAC;gBACpE,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC;gBAC5B,UAAU,EAAE,GAAG,CAAC,GAAG,EAAE,aAAa,CAAC;gBACnC,QAAQ,EAAE,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC;aAC/B,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,GAAG,CAAC,WAAW,KAAK,cAAc,EAAE,CAAC;YAC9C,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;YAC3B,OAAO,CAAC,MAAM,GAAG,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,IAAI,SAAS,CAAC;YACjD,OAAO,CAAC,QAAQ,GAAG,GAAG,CAAC,SAAS,KAAK,IAAI,CAAC;YAC1C,MAAM,OAAO,GAAG,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;YACjD,MAAM,UAAU,GAAG,GAAG,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;YACvD,MAAM,MAAM,GAAG,GAAG,CAAC,MAA6C,CAAC;YACjE,OAAO,CAAC,eAAe;gBACrB,OAAO,GAAG,UAAU,IAAI,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,aAAa,GAA2B;IAC5C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;CACP,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,QAA4B;IACtD,IAAI,IAAI,GAAkB,IAAI,CAAC;IAC/B,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC;IAClB,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,IAAI,GAAG,QAAQ,EAAE,CAAC;YACpB,QAAQ,GAAG,IAAI,CAAC;YAChB,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAOD,gFAAgF;AAChF,MAAM,CAAC,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAE3C,iGAAiG;AACjG,MAAM,UAAU,cAAc,CAC5B,aAAqB,EACrB,KAAa,EACb,gBAAwB,wBAAwB;IAEhD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,GAAG,aAAa,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC;IAC9E,OAAO,EAAE,KAAK,EAAE,OAAO,GAAG,aAAa,EAAE,OAAO,EAAE,CAAC;AACrD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAClD,IAAI,OAAiB,CAAC;IACtB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;YAAE,SAAS;QACtC,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;YACtC,IAAI,MAAM,KAAK,IAAI,IAAI,CAAC,CAAC,OAAO,GAAG,MAAM;gBAAE,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC;QAChE,CAAC;QAAC,MAAM,CAAC;YACP,0BAA0B;QAC5B,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAcD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,GAAgB;IAEhB,MAAM,IAAI,GAAG;QACX,MAAM;QACN,UAAU;QACV,GAAG,CAAC,OAAO;QACX,mBAAmB;QACnB,GAAG,CAAC,OAAO,CAAC,UAAU;QACtB,gBAAgB;QAChB,SAAS;QACT,QAAQ;QACR,eAAe;QACf,GAAG,CAAC,WAAW,IAAI,KAAK;KACzB,CAAC;IACF,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC3B,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE;YACvD,OAAO,EAAE,GAAG,CAAC,SAAS,IAAI,OAAO;YACjC,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC;QACH,OAAO,EAAE,OAAO,EAAE,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,2EAA2E;QAC3E,+CAA+C;QAC/C,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,QAAQ,IAAI,GAAG,EAAE,CAAC;YACtD,MAAM,OAAO,GAAG,eAAe,CAAC,MAAM,CAAE,GAA4B,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC;YACpF,IAAI,OAAO,CAAC,WAAW;gBAAE,OAAO,EAAE,OAAO,EAAE,CAAC;QAC9C,CAAC;QACD,OAAO;YACL,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CAAC;IACJ,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"bumblebee.js","sourceRoot":"","sources":["../src/bumblebee.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EACL,SAAS,EACT,QAAQ,EACR,KAAK,EACL,OAAO,EACP,EAAE,EACF,KAAK,EACL,MAAM,EACN,MAAM,EACN,OAAO,EACP,IAAI,GACL,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAEjC,yFAAyF;AACzF,MAAM,OAAO,cAAe,SAAQ,KAAK;IACvC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAWD;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,OAAO,CAAC;AAEzC,MAAM,gBAAgB,GACpB,6DAA6D,CAAC;AAEhE;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAA2B;IACvD,qCAAqC,EACnC,kEAAkE;IACpE,qCAAqC,EACnC,kEAAkE;IACpE,oCAAoC,EAClC,kEAAkE;IACpE,oCAAoC,EAClC,kEAAkE;CACrE,CAAC;AASF;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,WAA4B,OAAO,CAAC,QAAQ,EAC5C,OAAe,OAAO,CAAC,IAAI,EAC3B,UAAkB,iBAAiB;IAEnC,MAAM,EAAE,GACN,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IAC3E,MAAM,CAAC,GAAG,IAAI,KAAK,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IACvE,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3B,MAAM,SAAS,GAAG,aAAa,OAAO,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;IAC3D,MAAM,QAAQ,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC9C,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,MAAM,CAAC,IAAyB;IAC9C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzD,CAAC;AAED,gFAAgF;AAChF,KAAK,UAAU,UAAU,CAAC,QAAgB;IACxC,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;IACrD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAClC,OAAO,IAAI,OAAO,CAAC,CAAC,WAAW,EAAE,MAAM,EAAE,EAAE;QACzC,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACjD,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACxD,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,CAAS;IACjC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,CAAC,CAAC,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,WAAW;IAClB,gFAAgF;IAChF,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACjD,OAAO,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;AACpG,CAAC;AAED,SAAS,SAAS,CAAC,OAAO,GAAG,iBAAiB;IAC5C,OAAO,IAAI,CAAC,WAAW,EAAE,EAAE,OAAO,CAAC,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,IAAI,GAAG,WAAW,EAAE,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAClC,CAAC;IACD,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAkBD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAAsB,EAAE;IAExB,mEAAmE;IACnE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC7C,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC,CAAC,MAAM,UAAU,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;YAChC,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,MAAM,EAAE,+CAA+C,MAAM,EAAE;aAChE,CAAC;QACJ,CAAC;QACD,MAAM,UAAU,GACd,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,IAAI,CAAC,SAAS,EAAE,EAAE,cAAc,CAAC,CAAC;QACzE,OAAO,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,CAAC;IACtD,CAAC;IAED,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;IAC/B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,yBAAyB,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,gDAAgD;SAClH,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,SAAS,EAAE,CAAC;IACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IAE9C,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;IACnD,IAAI,CAAC,MAAM,UAAU,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,UAAU,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,UAAU,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACrG,wEAAwE;QACxE,mEAAmE;QACnE,2EAA2E;QAC3E,sEAAsE;QACtE,uEAAuE;QACvE,4EAA4E;QAC5E,uEAAuE;QACvE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC9D,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,CAAC;YACzC,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;gBACxB,OAAO;oBACL,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,6CAA6C,QAAQ,SAAS,MAAM,2CAA2C;iBACxH,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,+CAA+C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;aAC1G,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC;IAC9C,CAAC;IACD,gFAAgF;IAChF,qEAAqE;IAErE,IAAI,IAAI,CAAC,aAAa,KAAK,KAAK,EAAE,CAAC;QACjC,OAAO;YACL,IAAI,EAAE,SAAS;YACf,MAAM,EACJ,iEAAiE;SACpE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;QAC9E,MAAM,CACJ,oDAAoD,iBAAiB,cAAc,CACpF,CAAC;QACF,MAAM,kBAAkB,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC,CAAC;QAClE,OAAO,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,6EAA6E;QAC7E,+EAA+E;QAC/E,MAAM,WAAW,GAAG,GAAG,YAAY,cAAc,CAAC;QAClD,OAAO;YACL,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YAC3C,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,iBAAiB,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;SAC7H,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,MAAsB,EACtB,IAAY,EACZ,SAAiB;IAEjB,MAAM,GAAG,GAAG,GAAG,gBAAgB,KAAK,iBAAiB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;IAE5E,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;IAC9D,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;QAChF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,0EAA0E;QAC1E,kEAAkE;QAClE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,oDAAoD,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;QACjF,CAAC;QACD,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;IAC7C,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,MAAM,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,cAAc,CACtB,yBAAyB,MAAM,CAAC,SAAS,cAAc,MAAM,CAAC,QAAQ,SAAS,MAAM,EAAE,CACxF,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,4EAA4E;IAC5E,8CAA8C;IAC9C,MAAM,KAAK,CAAC,WAAW,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,OAAO,CAAC,CAAC,CAAC;IAC5D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QAChD,MAAM,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC9B,oFAAoF;QACpF,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;QAEzE,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC7C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;QACpD,IAAI,CAAC,CAAC,MAAM,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACvE,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,UAAU,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;QACD,MAAM,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC9B,2EAA2E;QAC3E,2EAA2E;QAC3E,wEAAwE;QACxE,yCAAyC;QACzC,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,EAAE,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACvF,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAEnC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,MAAM,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC9B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACpE,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAuBD,SAAS,GAAG,CAAC,GAA4B,EAAE,GAAW;IACpD,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACnB,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,GAAG,CAAC,CAAU;IACrB,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,MAAc;IAC5C,MAAM,OAAO,GAAgB;QAC3B,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,KAAK;QAClB,QAAQ,EAAE,EAAE;QACZ,eAAe,EAAE,CAAC;KACnB,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,IAAI,GAA4B,CAAC;QACjC,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QAED,IAAI,GAAG,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YAClC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;gBACpB,QAAQ,EAAE,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,SAAS;gBAC3C,SAAS,EAAE,GAAG,CAAC,GAAG,EAAE,YAAY,CAAC;gBACjC,WAAW,EAAE,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC;gBACrC,SAAS,EAAE,GAAG,CAAC,GAAG,EAAE,WAAW,CAAC;gBAChC,WAAW,EAAE,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,IAAI,GAAG,CAAC,GAAG,EAAE,iBAAiB,CAAC;gBACpE,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC;gBAC5B,UAAU,EAAE,GAAG,CAAC,GAAG,EAAE,aAAa,CAAC;gBACnC,QAAQ,EAAE,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC;aAC/B,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,GAAG,CAAC,WAAW,KAAK,cAAc,EAAE,CAAC;YAC9C,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;YAC3B,OAAO,CAAC,MAAM,GAAG,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,IAAI,SAAS,CAAC;YACjD,OAAO,CAAC,QAAQ,GAAG,GAAG,CAAC,SAAS,KAAK,IAAI,CAAC;YAC1C,MAAM,OAAO,GAAG,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;YACjD,MAAM,UAAU,GAAG,GAAG,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;YACvD,MAAM,MAAM,GAAG,GAAG,CAAC,MAA6C,CAAC;YACjE,OAAO,CAAC,eAAe;gBACrB,OAAO,GAAG,UAAU,IAAI,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,aAAa,GAA2B;IAC5C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;CACP,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,QAA4B;IACtD,IAAI,IAAI,GAAkB,IAAI,CAAC;IAC/B,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC;IAClB,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,IAAI,GAAG,QAAQ,EAAE,CAAC;YACpB,QAAQ,GAAG,IAAI,CAAC;YAChB,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAOD,gFAAgF;AAChF,MAAM,CAAC,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAE3C,iGAAiG;AACjG,MAAM,UAAU,cAAc,CAC5B,aAAqB,EACrB,KAAa,EACb,gBAAwB,wBAAwB;IAEhD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,GAAG,aAAa,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC;IAC9E,OAAO,EAAE,KAAK,EAAE,OAAO,GAAG,aAAa,EAAE,OAAO,EAAE,CAAC;AACrD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAClD,IAAI,OAAiB,CAAC;IACtB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;YAAE,SAAS;QACtC,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;YACtC,IAAI,MAAM,KAAK,IAAI,IAAI,CAAC,CAAC,OAAO,GAAG,MAAM;gBAAE,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC;QAChE,CAAC;QAAC,MAAM,CAAC;YACP,0BAA0B;QAC5B,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAcD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,GAAgB;IAEhB,MAAM,IAAI,GAAG;QACX,MAAM;QACN,UAAU;QACV,GAAG,CAAC,OAAO;QACX,mBAAmB;QACnB,GAAG,CAAC,OAAO,CAAC,UAAU;QACtB,gBAAgB;QAChB,SAAS;QACT,QAAQ;QACR,eAAe;QACf,GAAG,CAAC,WAAW,IAAI,KAAK;KACzB,CAAC;IACF,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC3B,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE;YACvD,OAAO,EAAE,GAAG,CAAC,SAAS,IAAI,OAAO;YACjC,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC;QACH,OAAO,EAAE,OAAO,EAAE,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,2EAA2E;QAC3E,+CAA+C;QAC/C,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,QAAQ,IAAI,GAAG,EAAE,CAAC;YACtD,MAAM,OAAO,GAAG,eAAe,CAAC,MAAM,CAAE,GAA4B,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC;YACpF,IAAI,OAAO,CAAC,WAAW;gBAAE,OAAO,EAAE,OAAO,EAAE,CAAC;QAC9C,CAAC;QACD,OAAO;YACL,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CAAC;IACJ,CAAC;AACH,CAAC"}
package/dist/cli.js CHANGED
@@ -8,6 +8,7 @@ import { checkTools } from "./check-tools.js";
8
8
  import { checkServices } from "./check-services.js";
9
9
  import { checkSecrets } from "./check-secrets.js";
10
10
  import { checkSecurity } from "./check-security.js";
11
+ import { syncSecurityFindings } from "./findings-track.js";
11
12
  import { checkWebSearch } from "./check-web-search.js";
12
13
  import { installTools } from "./install.js";
13
14
  import { loginServices } from "./login.js";
@@ -79,6 +80,63 @@ import { parsePkgSpec, installPkg } from "./pkg.js";
79
80
  import { cmdMemory } from "./commands/memory.js";
80
81
  const __dirname = dirname(fileURLToPath(import.meta.url));
81
82
  const KIT_VERSION = JSON.parse(readFileSync(join(__dirname, "..", "package.json"), "utf-8")).version;
83
+ /** Map a security finding to a short, actionable PAL title/detail. */
84
+ async function cmdHeal() {
85
+ const dryRun = hasFlag(process.argv, "--dry-run");
86
+ const agent = hasFlag(process.argv, "--agent");
87
+ console.log(`${c.bold}${c.cyan}kit heal${c.reset}${dryRun ? `${c.dim} (dry-run)${c.reset}` : ""}`);
88
+ console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
89
+ const { runHeal } = await import("./heal.js");
90
+ // Progress goes to stderr: live feedback for a human watching, without
91
+ // polluting the machine-readable proposals on stdout (--agent).
92
+ const res = await runHeal({ dryRun, onProgress: (m) => console.error(`${c.dim}${m}${c.reset}`) });
93
+ console.log();
94
+ if (dryRun) {
95
+ if (res.plannedSafe.length > 0) {
96
+ console.log(`${c.bold}Would auto-fix (safe):${c.reset}`);
97
+ for (const k of res.plannedSafe)
98
+ console.log(` ${c.green}✓${c.reset} ${k}`);
99
+ }
100
+ else {
101
+ console.log(`${c.dim}Nothing to auto-fix.${c.reset}`);
102
+ }
103
+ }
104
+ else if (res.healed.length > 0) {
105
+ console.log(`${c.green}${c.bold}Healed ${res.healed.length}:${c.reset}`);
106
+ for (const k of res.healed)
107
+ console.log(` ${c.green}✓${c.reset} ${k}`);
108
+ }
109
+ // FAIL-CLOSED — loud, never auto-healed.
110
+ if (res.failClosed.length > 0) {
111
+ console.log(`\n${c.red}${c.bold}⚠ FAIL-CLOSED — not auto-healed (possible tampering):${c.reset}`);
112
+ for (const r of res.failClosed) {
113
+ console.log(` ${c.red}✗${c.reset} ${r.name}: ${r.detail}`);
114
+ if (r.suggestion)
115
+ console.log(` ${c.dim}${r.suggestion}${c.reset}`);
116
+ }
117
+ }
118
+ // GATED — proposed, never auto-run by kit.
119
+ if (res.gated.length > 0) {
120
+ console.log(`\n${c.yellow}${c.bold}Gated — needs you (kit won't auto-run these):${c.reset}`);
121
+ for (const g of res.gated) {
122
+ console.log(` ${c.yellow}!${c.reset} ${g.name}: ${g.issue}`);
123
+ console.log(` ${c.dim}→ ${g.action}${c.reset}`);
124
+ }
125
+ if (agent) {
126
+ console.log(`\n${c.dim}# agent: each command below still hits the elevation gate + audit log${c.reset}`);
127
+ for (const g of res.gated)
128
+ console.log(g.action);
129
+ }
130
+ }
131
+ const green = res.failClosed.length === 0 && res.gated.length === 0;
132
+ console.log();
133
+ if (!dryRun) {
134
+ console.log(green
135
+ ? `${c.green}${c.bold}All findings healed or clean ✓${c.reset}`
136
+ : `${c.yellow}Auto-heal done; items above need you.${c.reset}`);
137
+ }
138
+ return green;
139
+ }
82
140
  async function cmdCheck() {
83
141
  const jsonMode = hasFlag(process.argv, "--json");
84
142
  const enforceTests = hasFlag(process.argv, "--enforce-tests");
@@ -134,6 +192,19 @@ async function cmdCheck() {
134
192
  securityOk &&
135
193
  testsOk &&
136
194
  lockOk;
195
+ // Track security findings in the PAL ledger (cross-session reminders +
196
+ // auto-close on a clean re-scan). Opt out with [memory] track_findings = false.
197
+ if (config.memory?.track_findings !== false) {
198
+ const r = await syncSecurityFindings(securityResults);
199
+ if (!jsonMode && r && (r.added || r.closed.length || r.reopened)) {
200
+ const parts = [`+${r.added} tracked`];
201
+ if (r.reopened)
202
+ parts.push(`${r.reopened} reopened`);
203
+ if (r.closed.length)
204
+ parts.push(`−${r.closed.length} auto-closed`);
205
+ console.log(`${c.dim}PAL: ${parts.join(" · ")}${c.reset}`);
206
+ }
207
+ }
137
208
  if (jsonMode) {
138
209
  const checks = [
139
210
  ...toolResults.map((t) => ({
@@ -254,6 +325,25 @@ async function cmdCheck() {
254
325
  console.log();
255
326
  }
256
327
  printSummary(toolResults, serviceResults, secretResults.keys, securityResults);
328
+ // Surface a stale kit (a newer published version) as a warn — a stale CLI
329
+ // can carry already-fixed bugs. Gated by [update].check; checkForUpdate
330
+ // also self-skips in CI and with KIT_NO_UPDATE_CHECK=1, and returns null
331
+ // when already on latest or the check fails.
332
+ if (config.update?.check !== false) {
333
+ const { checkForUpdate } = await import("./update-check.js");
334
+ const u = await checkForUpdate(KIT_VERSION);
335
+ if (u) {
336
+ if (config.update?.auto === true) {
337
+ // Opt-in auto-update — still WATERTIGHT: selfUpgrade triages kit's own
338
+ // package and installs ONLY on a triage PASS. Never installs on fail.
339
+ console.log(`${c.yellow}! kit ${u.current} → ${u.latest} — auto-update on, triaging before install…${c.reset}`);
340
+ await selfUpgrade();
341
+ }
342
+ else {
343
+ console.log(`${c.yellow}! kit ${u.current} → ${u.latest} available${c.reset} ${c.dim}— run ${c.reset}${c.bold}kit upgrade --self${c.reset}${c.dim} (triages before installing)${c.reset}\n`);
344
+ }
345
+ }
346
+ }
257
347
  return allOk;
258
348
  });
259
349
  }
@@ -357,27 +447,46 @@ async function cmdInstall() {
357
447
  return true;
358
448
  }
359
449
  const toolsConfig = config.tools;
450
+ // WATERTIGHT: kit triages every third-party tool before installing it. The
451
+ // `--no-triage` override is a deliberate, audited security action — it must
452
+ // hold a one-shot elevation, or the install is refused.
453
+ let skipTriage = false;
454
+ if (hasFlag(process.argv, "--no-triage")) {
455
+ const elev = await consumeElevation("tools.install.no-triage");
456
+ if (!elev.ok) {
457
+ console.error(`${c.red}✗ --no-triage refused: ${elev.reason}${c.reset}`);
458
+ console.error(`${c.dim}Run 'kit auth elevate --scope tools.install.no-triage' first, or drop --no-triage to let triage run.${c.reset}`);
459
+ return false;
460
+ }
461
+ skipTriage = true;
462
+ console.log(`${c.yellow}⚠ --no-triage: triage gate bypassed (elevation consumed, audit-logged)${c.reset}`);
463
+ }
360
464
  console.log(`${c.bold}${c.cyan}Installing tools via mise...${c.reset}\n`);
361
465
  return await withGovernance(config, {
362
466
  operation: "tools.install",
363
467
  operationType: "write",
364
468
  metadata: {
365
469
  tools: Object.keys(toolsConfig),
470
+ skipTriage,
366
471
  },
367
472
  }, async () => {
368
- const results = await installTools(toolsConfig);
473
+ const results = await installTools(toolsConfig, undefined, { skipTriage });
369
474
  let allOk = true;
370
475
  for (const r of results) {
371
476
  const icon = r.action === "failed"
372
477
  ? `${c.red}✗${c.reset}`
373
- : `${c.green}✓${c.reset}`;
478
+ : r.action === "blocked"
479
+ ? `${c.yellow}⛔${c.reset}`
480
+ : `${c.green}✓${c.reset}`;
374
481
  const label = r.action === "already_ok"
375
482
  ? `${c.dim}already installed${c.reset}`
376
483
  : r.action === "installed"
377
484
  ? `${c.green}installed${c.reset}`
378
- : `${c.red}failed${c.reset}`;
485
+ : r.action === "blocked"
486
+ ? `${c.yellow}blocked by triage${c.reset}`
487
+ : `${c.red}failed${c.reset}`;
379
488
  console.log(` ${icon} ${r.name} ${label} ${c.dim}${r.detail}${c.reset}`);
380
- if (r.action === "failed")
489
+ if (r.action === "failed" || r.action === "blocked")
381
490
  allOk = false;
382
491
  }
383
492
  console.log();
@@ -965,9 +1074,43 @@ async function cmdGovernance() {
965
1074
  console.log();
966
1075
  return true;
967
1076
  }
1077
+ /**
1078
+ * Governed self-upgrade: kit triages its OWN npm package before installing a new
1079
+ * version of itself. WATERTIGHT — an untriaged kit is never installed; offline /
1080
+ * triage-unavailable → blocked (fail-closed). The raw `npm i -g sandstream-kit`
1081
+ * is still available to the user, but that path is outside kit's governance.
1082
+ */
1083
+ async function selfUpgrade() {
1084
+ const { gateInstall } = await import("./triage-gate.js");
1085
+ console.log(`${c.dim}Triaging sandstream-kit before upgrading itself…${c.reset}`);
1086
+ const verdict = await gateInstall("npm:sandstream-kit");
1087
+ if (verdict.decision === "blocked") {
1088
+ console.error(`${c.red}✗ self-upgrade blocked: ${verdict.reason}${c.reset}`);
1089
+ console.error(`${c.dim}kit will not install an untriaged version of itself. Get online with the triage skill installed, then retry.${c.reset}`);
1090
+ return false;
1091
+ }
1092
+ console.log(`${c.green}✓${c.reset} ${verdict.reason} — upgrading…\n`);
1093
+ try {
1094
+ const { exec } = await import("./utils/exec.js");
1095
+ await exec("npm", ["install", "-g", "sandstream-kit@latest"], {
1096
+ timeout: 180_000,
1097
+ env: { ...process.env },
1098
+ });
1099
+ console.log(`\n${c.green}${c.bold}✓ kit upgraded${c.reset} — run ${c.bold}kit --version${c.reset} to confirm.`);
1100
+ return true;
1101
+ }
1102
+ catch (err) {
1103
+ const msg = err instanceof Error ? err.message : String(err);
1104
+ console.error(`${c.red}✗ npm install failed: ${msg.split("\n")[0]}${c.reset}`);
1105
+ return false;
1106
+ }
1107
+ }
968
1108
  async function cmdUpgrade() {
969
1109
  console.log(`${c.bold}${c.cyan}kit upgrade${c.reset}`);
970
1110
  console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
1111
+ if (hasFlag(process.argv, "--self")) {
1112
+ return await selfUpgrade();
1113
+ }
971
1114
  const config = await loadConfig(resolveConfigPath());
972
1115
  // Update skills lock
973
1116
  const skills = {};
@@ -3246,6 +3389,7 @@ const COMMAND_HELP = {
3246
3389
  setup: "Full pipeline: install → login → secrets → agent config → verify",
3247
3390
  "setup --recommended": "Opinionated profile: setup + memory hooks + git secret-scan/context-check gates",
3248
3391
  fix: "Auto-fix what is possible",
3392
+ heal: "Loop: auto-fix safe findings, re-scan until green; gate destructive, fail-closed on tamper (--dry-run, --agent)",
3249
3393
  escalate: "List what needs human action",
3250
3394
  governance: "View governance status and agent access controls",
3251
3395
  skills: "Check status of agent skills",
@@ -3779,6 +3923,7 @@ async function main() {
3779
3923
  setup: cmdSetup,
3780
3924
  skills: cmdSkills,
3781
3925
  fix: cmdFix,
3926
+ heal: cmdHeal,
3782
3927
  escalate: cmdEscalate,
3783
3928
  governance: cmdGovernance,
3784
3929
  "agent-config": cmdAgentConfig,