signalk-container 1.5.0 → 1.6.0

package/.coderabbit.yaml

@@ -0,0 +1,161 @@
+language: en-US
+
+reviews:
+  profile: assertive
+  # dist/ is the TS+webpack build output; checked in for the App Store
+  # install path, but never authored. Exclude here so the review engine
+  # never opens it.
+  path_filters:
+    - "!dist/**"
+  auto_review:
+    enabled: true
+    drafts: false
+  high_level_summary_instructions: |
+    Write all summaries in present tense.
+    Describe what the code does, not what it did.
+    Example: "This PR adds feature X" instead of "This PR added feature X"
+
+  path_instructions:
+    - path: "**/*"
+      instructions: |
+        ## Repository workflow
+
+        signalk-container ships as an npm package consumed by Signal K
+        plugins. The maintainer owns the release process — version bumps
+        happen in their own `chore(release): X.Y.Z` PR, separate from
+        feature/fix work. **Do not include `package.json` version changes
+        in feature or fix PRs.** Flag any PR that mixes a `"version"` bump
+        with non-release changes.
+
+        Other workflow rules to enforce:
+        - Branch names use hyphens, not slashes (`fix-something`, not
+          `fix/something`). The Signal K server convention applies here.
+        - Angular conventional commits: `<type>(<scope>): <subject>`.
+          Subject ≤ 50 chars, imperative mood, no period.
+        - No `Co-Authored-By` lines and no "Generated with Claude Code"
+          attribution in commit messages or PR bodies.
+
+        ## Echo comments
+
+        Flag any comment that merely restates what the code already says.
+        Examples to flag:
+        - `// Sets the age` above a function named `setAge()`
+        - `// Loop through items` above a `for` loop
+        - `// returns null on failure` next to `return null` in an error
+          branch
+        These add noise without adding meaning. Request removal or
+        replacement with a comment explaining *why*, not *what*.
+
+        ## Leftover crumbs from intermediate commits
+
+        Check for references to things that existed in earlier commits of
+        this PR but are no longer present — removed variables, old function
+        names, deleted files, superseded approaches. These are confusing
+        to future readers. Flag any comments, docs, or code that refer to
+        something not present in the current state of the branch.
+
+        ## Documentation drift risk
+
+        Flag any `.md` file that contains detailed implementation steps,
+        specific API call sequences, code snippets, or configuration
+        values that are likely to fall out of sync as the code evolves.
+        Documentation should describe architecture and how things work
+        conceptually — not step-by-step instructions that duplicate or
+        shadow the code itself.
+
+        Specifically for this repo: the API reference in
+        `doc/plugin-developer-guide.md` and `README.md`'s API table must
+        stay aligned with `ContainerManagerApi` in `src/types.ts`. Flag
+        any new method on the type that is missing from either doc, or
+        any doc method whose JSDoc-style signature has drifted from the
+        type.
+
+        ## Implementation status in documentation
+
+        Flag any `.md` file that describes implementation progress,
+        status, or build steps (e.g. "Step 3: implement X", "TODO: add Y",
+        "currently implemented as Z"). This belongs in PR descriptions or
+        commit messages, not in documentation. Documentation should
+        describe how things work, not how they were built or what stage
+        they are in.
+
+        Architecture decisions and design rationale are fine. Build
+        narratives are not.
+
+        ## Unchecked items in test plans
+
+        If a PR description or any `.md` file contains a checklist with
+        unchecked items, flag it. Either the work is incomplete, or the
+        checklist should be removed before merge.
+
+        ## Runtime concerns
+
+        signalk-container shells out to `podman`/`docker` via
+        `execRuntime` (`src/runtime.ts`). When reviewing changes to
+        `src/containers.ts`, `src/jobs.ts`, `src/resources.ts`, or
+        `src/updates/`:
+        - Every new external command should accept an injectable `exec`
+          parameter so tests can stub it (see existing
+          `ExecFn = execRuntime` pattern). Flag new direct `execRuntime`
+          calls in exported helpers.
+        - Prefer Go-template format strings (`inspect --format '{{...}}'`)
+          for diff/state probes over JSON parsing of full inspect output —
+          they work uniformly across podman and docker. See
+          `getLiveResources` / `getLiveContainerConfig` for the canonical
+          pattern.
+        - Podman bind mounts get a `:Z` suffix for SELinux relabel;
+          named volumes (no leading `/`) must NOT receive `:Z` — podman
+          rejects it. Use `volumeArg` in `src/containers.ts` rather than
+          building bind strings inline.
+        - Docker reports `HostConfig.NetworkMode` as `"default"` or
+          `"bridge"`; podman rootless reports `"slirp4netns"` or
+          `"pasta"`. The diff path canonicalizes these. Do not introduce
+          new networkMode comparisons without going through
+          `canonicalNetworkMode`.
+
+        ## Tests
+
+        - The test runner is `node:test`. Tests live in `src/test/*.ts`,
+          compile to `dist/test/*.js`, run via `node --test
+          "dist/test/**/*.test.js"`. The glob must be double-quoted so
+          Windows actually expands it (single quotes are passed through
+          literally by cmd).
+        - Container-integration tests (`runJobCallbacks.test.ts`) gate
+          on `hasContainerRuntime()` which returns `null` on Windows.
+          Do not add new integration tests that pull real Linux images
+          without the same guard.
+        - Unit-style tests inject `fakeExec` rather than touching the
+          real runtime. New tests should follow that pattern — see
+          `src/test/getLiveResources.test.ts` and
+          `src/test/diffContainerConfig.test.ts` for the canonical
+          shape.
+
+        ## Cross-plugin API surface
+
+        Consumer plugins access signalk-container via
+        `(globalThis as any).__signalk_containerManager` and then call
+        `await containers.whenReady()` before any other API call. Any
+        change to `ContainerManagerApi` in `src/types.ts` is a public
+        contract change — flag missing JSDoc on new methods, removed
+        methods, or signature-breaking changes that are not called out
+        in the PR description.
+
+        ## What NOT to flag
+
+        Do not flag the following — they are intentional:
+        - Single-character variable names inside Go-template format
+          strings (e.g. `{{.Config.Image}}`). These are runtime syntax,
+          not JS code.
+        - The `_postRecreate` recursion-guard parameter on
+          `ensureRunning` — the underscore prefix is intentional, marks
+          it as an internal-use-only param.
+        - Tests skipping on `process.platform === "win32"` for
+          integration tests that pull Linux images. The Windows runner
+          has Docker Desktop in Windows-container mode; there is no
+          easy way around it.
+
+        ## Scope
+
+        Focus on files changed since master. Think carefully about how
+        changes interact with existing code and documentation — not just
+        the diff in isolation.

package/AGENTS.md

@@ -0,0 +1,150 @@
+# signalk-container
+
+Shared container runtime management (Podman/Docker) for Signal K plugins. This plugin runs _inside_ the Signal K server and exposes a cross-plugin API at `globalThis.__signalk_containerManager` so other plugins (questdb, grafana, mayara, etc.) can manage their own containers without each implementing their own dockerode integration.
+
+Key components:
+
+- **`src/index.ts`** — Signal K plugin entrypoint. Wires the runtime probe, exposes the `ContainerManagerApi` on `globalThis`, owns the REST endpoints (`/plugins/signalk-container/api/...`) and the React config panel mount.
+- **`src/containers.ts`** — Thin runtime layer. Pure functions over `execRuntime` for lifecycle (`ensureRunning`, `removeContainer`, `getContainerState`), config-drift detection (`getLiveContainerConfig`, `diffContainerConfig`), and live-state probes (`getLiveResources`, `getActualPortBindings`).
+- **`src/jobs.ts`** — One-shot helper containers via `runJob`. Used by chart-provider and similar plugins that need short-lived workers (GDAL, tippecanoe, etc.).
+- **`src/resources.ts`** — cgroup-limit flag emission + live-update path via `podman/docker update`. The "Bug D" precedent for diff-on-already-running lives here.
+- **`src/runtime.ts`** — Runtime detection (`podman` vs `docker`), version probing, `execRuntime`/`execRuntimeLong` dispatch, `isContainerized()` self-detection.
+- **`src/updates/`** — Centralized image-update detection (digest drift for floating tags, version comparison for semver). Used by all consumer plugins via `containers.updates.register(...)`.
+- **`public/`** — React config panel served via Module Federation into the Signal K Admin UI.
+
+## Code Quality Principles
+
+### Scope and Complexity
+
+Follow YAGNI, SOLID, DRY, and KISS. Only make changes that are directly requested or clearly necessary. A bug fix does not need surrounding code cleaned up. A simple feature does not need extra configurability.
+
+Do not add error handling, fallbacks, or validation for scenarios that cannot happen. Trust internal code and framework guarantees. Only validate at system boundaries (user input from the config panel, runtime command output, REST request bodies).
+
+### General Standards
+
+- Self-documenting code; comments explain _why_, not _what_ — no echo comments restating what the code already says.
+- Documentation describes current state, not development history. Avoid "previously this did X" or "added in PR #N" in source comments — that information belongs in git, not in the code.
+- No magic numbers; use named constants. The `FIELDS_THAT_CANNOT_LIVE_UNSET` set in `src/resources.ts` is the canonical example.
+
+### Type Safety
+
+- **All new code in TypeScript.** No new `.js` source files.
+- Reuse types from `src/types.ts` rather than redefining. `ContainerConfig`, `ContainerRuntimeInfo`, `ContainerResourceLimits`, `LiveContainerConfig`, `PortBinding`, etc. are the public vocabulary — extend them rather than creating parallel shapes.
+- Avoid `any` and equivalent escape hatches. The one allowed use is `(globalThis as any).__signalk_containerManager` because the consumer-plugin side cannot import `ContainerManagerApi` without taking a dependency.
+- Validate external inputs at system boundaries — runtime command output, REST request bodies, plugin config schema. Internal calls trust their callers.
+
+### Testing
+
+- Test runner is `node:test`. Tests in `src/test/*.ts`, compiled to `dist/test/*.js`, run via `node --test "dist/test/**/*.test.js"`. The glob **must** be double-quoted so Windows expands it.
+- All new code requires tests. Test behavior at the function boundary, not internal control flow.
+- Inject `exec: ExecFn = execRuntime` rather than calling the runtime directly. Tests stub via `fakeExec`. See `src/test/getLiveResources.test.ts` for the canonical pattern: synthetic `{stdout, stderr, exitCode}`, no real podman invocations.
+- Container-integration tests (those that actually pull `alpine:3.19`) gate on `hasContainerRuntime()` which returns `null` on Windows. Do not add new tests that pull real Linux images without the same guard.
+- 333 tests today across 59 suites; expect them all green on every commit.
+
+## Runtime Invariants
+
+These are non-obvious rules baked into the runtime layer. Breaking them produces silent failures or runtime-specific bugs.
+
+### Podman SELinux flag
+
+`volumeArg(hostPath, containerPath, runtime)` adds `:Z` for podman bind mounts (Fedora/RHEL SELinux relabel). Named volumes — host strings without a leading `/` or `.` — MUST NOT receive `:Z`; podman rejects them with `"invalid option z for named volume"`. Always go through `volumeArg`, never build `-v host:container[:flags]` strings inline.
+
+### Volume source policy
+
+`ContainerConfig.volumes` accepts either a bare host-path string (auto-create — the runtime creates the host dir if missing) or `{ source, ifMissing: 'create' | 'skip' | 'abort' }` for per-volume policy. Classification happens in the API wrapper (`src/index.ts`) via `classifyVolumeSources` before `containers.ensureRunning` is called, so the diff and `buildRunArgs` both see the pre-filtered `Record<string, string>` map. The `lastConfigs` cache stores the post-filter shape — drift detection sees consistent state across calls.
+
+`'skip'` and `'abort'` events fire `onVolumeIssue` in the options arg (`EnsureRunningOptions extends HealthCheckOptions`). Recovery events fire when a previously-missing source reappears and the container is recreated to include it; recovery tracking lives in a module-level `lastVolumeIssues: Map<name, ...>` in the wrapper. Handler errors are caught + logged at error level, never propagate.
+
+Named volumes (source without leading `/`) always pass through; `ifMissing` only applies to host paths. `volumeSource()` in `containers.ts` is the single narrower from the union back to bare-string for the two call sites that consume `config.volumes` after classification (`buildRunArgs`, `diffContainerConfig`).
+
+### Podman image qualification
+
+`qualifyImage("foo/bar:tag", podmanRuntime)` prefixes `docker.io/` when needed (podman requires fully qualified names unless `unqualified-search-registries` is set). Docker passes through. Use this everywhere we feed an image string to a runtime command.
+
+### Inspect-format diff pattern
+
+When we need to read live container state, we use a single `inspect --format` call with a pipe-delimited Go-template format string:
+
+```gotemplate
+{{.HostConfig.NanoCpus}}|{{.HostConfig.Memory}}|...
+```
+
+This works uniformly across podman and docker, parses cheaply, and avoids the JSON-shape divergence between the two runtimes. `getLiveResources` and `getLiveContainerConfig` are the canonical examples. Do not introduce new live-state probes that parse full `inspect` JSON output.
+
+### networkMode canonicalization
+
+Docker reports `HostConfig.NetworkMode` as `"default"` or `"bridge"` when no `--network` was passed. Podman rootless reports `"slirp4netns"` or `"pasta"`. These are runtime defaults equivalent to "user did not request a specific network." `canonicalNetworkMode()` in `src/containers.ts` normalizes all of them to `""` so comparison against a requested `undefined`/`""` is correct. Any new comparison of `networkMode` between requested and live state must go through this helper.
+
+### Auto-recreate on config drift
+
+`ensureRunning` compares the requested `ContainerConfig` against the live container's effective config on every call. On drift across `image+tag`, `command`, `networkMode`, `env`, `volumes`, or `ports`, it removes and recreates the container transparently. `resources` follows the existing live-update path. Consumer plugins do not need (and should remove) per-plugin `${dataDir}.container-hash` files — this is centralized.
+
+The diff has an optional `prior?: ContainerConfig` parameter for detecting "unset" drift (an env key previously set is now absent, a `command` previously set is now `undefined`). The wrapper in `src/index.ts` reads it from `lastConfigs` before overwriting.
+
+### Recursion guard in ensureRunning
+
+After auto-recreate, `ensureRunning` recursively re-enters itself with `_postRecreate=true`. The underscore prefix marks this as an internal-use-only parameter — do not document it for consumer plugins, do not move it earlier in the signature. The guard breaks the loop if state somehow stays `running` or `stopped` after the `remove`.
+
+### Cross-plugin API surface
+
+`ContainerManagerApi` in `src/types.ts` is the public contract. Adding methods is fine (additive). Removing or changing signatures is a semver-major change. Anything new on the interface must have a JSDoc comment so consumer plugins see it via TypeScript intellisense — the consumer side accesses it via `(globalThis as any).__signalk_containerManager` so JSDoc is its only documentation.
+
+`whenReady()` (added in 1.6.0) is the canonical "wait for runtime detection to settle" call. Consumer plugins should use it instead of polling `getRuntime()` in a loop. Tests and code in this repo do not need it — they have direct access to the detection result.
+
+## Workflow Conventions
+
+This repo is maintained by Dirk Wahrheit. Workflow is deliberate; AI tools should follow it strictly.
+
+### Branch and commit rules
+
+- Branch names use **hyphens**, never slashes: `fix-something`, `feat-something`, `chore-release-1-6-0`. Signal K server maintainers reject slash names.
+- Angular conventional commits: `<type>(<scope>): <subject>`. Types: `feat|fix|docs|style|refactor|test|chore|perf`. Subject ≤ 50 chars, imperative mood, no period.
+- One logical change per commit. The history tells a story — each commit is a meaningful, self-contained step.
+- No `Co-Authored-By` lines. No "Generated with Claude Code" attribution.
+
+### PR rules
+
+- Never commit directly to `master`. Every change goes through a PR — including version bumps.
+- Version bumps live in their own `chore(release): X.Y.Z` PR. Do not mix `package.json` version changes with feature/fix work.
+- One logical change per PR. Refactors, behavior changes, and features belong in separate PRs. If a single change would produce multiple changelog entries, split it.
+- PR titles describe what changes; PR bodies explain _why_ and summarize the approach, not the mechanics.
+- No checkboxes in PR descriptions (Signal K maintainers convention). If you need a "Tested" section, list what was actually verified, not what's planned.
+- PR descriptions must reflect reality. Never list speculative tests; only what actually ran.
+
+### Pre-PR checklist
+
+Before pushing or opening a PR:
+
+1. `npm run format` — prettier write + eslint --fix
+2. `npm run build:all` — `clean && tsc && webpack && test`. All 333 tests must pass.
+3. `npm run ci-lint` — `eslint && prettier --check` (the strict-no-write variant CI runs)
+4. `cr review --plain | tee /tmp/cr-review-<branch>.txt` — local CodeRabbit pass. `cr` only sees committed changes, so commit first, then review. The CLI is rate-limited (~50min cooldown); pipe to a file so reruns aren't needed.
+
+Only push after all four pass. **Never push without explicit approval.** `git push` always needs its own permission — commit/test/format/cr approval does not cover push.
+
+### Release flow
+
+Tag-triggered (`.github/workflows/publish.yml` fires on `v*` tags):
+
+1. Branch `chore-release-X.Y.Z` off master.
+2. Bump `version` in `package.json`. There is no `package-lock.json` (the `~/.npmrc` setting disables it).
+3. Commit `chore(release): X.Y.Z`. Run the pre-PR checklist.
+4. Open PR, wait for explicit merge approval.
+5. After merge: `git checkout master && git pull --ff-only`, then `git tag vX.Y.Z && git push --tags`. The workflow creates the GitHub Release and runs `npm publish --provenance --access public` (prereleases use `--tag beta`).
+6. Never publish to npm without explicit approval.
+
+Angular semver:
+
+- `feat` → minor
+- `fix` → patch
+- `BREAKING CHANGE:` footer or `!` → major
+- Pure `chore`/`docs`/`refactor` → patch (or skip release)
+
+Dirk may override the bump rule (e.g. ship behavior change as minor even if technically API-compatible). Ask before assuming.
+
+## Common Pitfalls
+
+- **Stale `dist/`**: TypeScript leaves prior compile output. After a branch switch that removes test files, `dist/test/` still holds old `.js` files and `node --test` runs them. The `build` script now starts with `rimraf dist` to avoid this; do not bypass with `tsc --watch` or partial rebuilds when running tests.
+- **node_modules drift**: `node_modules/` in a long-running clone can lag the registry. After a `package.json` change involving a tooling dependency (prettier, typescript, eslint), run `npm install` before `npm run format` — formatter output between versions diverges and CI will reject the result.
+- **cr review needs a commit**: cr only reviews committed changes. Run `git commit` first, then `cr review --plain`. Running it against the working tree produces "No files to review."
+- **Windows runner is Windows containers**: GitHub-hosted Windows runners ship Docker Desktop in Windows-container mode. `docker --version` works; `docker pull alpine:3.19` does not. The `hasContainerRuntime()` helper returns `null` on Windows so integration tests skip cleanly. Do not try to "fix" the Windows runner — there's no Linux daemon available, only the skip.

package/CLAUDE.md

@@ -0,0 +1 @@
+@AGENTS.md

package/README.md

@@ -6,8 +6,9 @@ Instead of each plugin implementing its own container orchestration, they delega
 
 ## Features
 
-- **Runtime detection** -- Podman preferred, Docker fallback, podman-shim aware
+- **Runtime detection** -- Podman preferred, Docker fallback, podman-shim aware. Consumer plugins `await containers.whenReady()` once instead of polling in a loop — resolves when the probe settles in either direction.
 - **Container lifecycle** -- pull, create, start, stop, remove with `sk-` prefix naming
+- **Automatic config-drift recreation** -- `ensureRunning` compares the requested `ContainerConfig` against the live container on every call. If `image`, `tag`, `command`, `networkMode`, `env`, `volumes`, or `ports` differ, the container is removed and recreated transparently. Consumer plugins no longer need a per-plugin hash file to detect "config changed since last start." See the [developer guide](doc/plugin-developer-guide.md#container-config-changes).
 - **One-shot jobs** -- run containers for batch tasks (export, conversion, etc.)
 - **Update detection** -- centralized "is there a newer image?" service for all consumer plugins. Auto-detects semver vs floating tags (`:latest`, `:main`), offline-tolerant with persistent cache, emits Signal K notifications, visible inline in the config panel. See the [developer guide](doc/plugin-developer-guide.md#update-detection).
 - **Resource limits editor** -- interactive UI in the config panel for setting CPU/memory/PID caps per container. Values are applied live via `podman update` when possible (no downtime), falls back to recreate when needed. Stored overrides are minimized against the consumer plugin's defaults so a future default bump flows through automatically. See the [developer guide](doc/plugin-developer-guide.md#resource-limits).
@@ -17,6 +18,7 @@ Instead of each plugin implementing its own container orchestration, they delega
 - **Zero-config config root sharing** -- `signalkConfigRootMount` mounts the entire SignalK installation config (`~/.signalk/`) — for backup, audit, or config-sync tools that need the whole tree, not the per-plugin subdirectory.
 - **Zero-config container service connectivity** -- `signalkAccessiblePorts` lets the SignalK process connect back to a service running inside a managed container (e.g. an HTTP or TCP server). signalk-container picks the right networking strategy automatically — port binding on the host loopback for bare-metal deployments, or a shared Docker network with DNS for containerised ones. No host ports are exposed unnecessarily.
 - **SELinux support** -- `:Z` volume flags for Podman bind mounts on Fedora/RHEL; named volumes are handled correctly (`:Z` is not applied)
+- **Per-volume host-source policy** -- volumes accept `{ source, ifMissing: "skip" | "abort" }` for user-managed (USB drives, NFS) or deployment-required (TLS certs) mounts. Plugins subscribe to `onVolumeIssue` events for `'skipped'`, `'aborted'`, and `'recovered'` actions; signalk-container auto-recreates the container when a previously-missing source reappears. See the [developer guide](doc/plugin-developer-guide.md#optional-and-required-volumes).
 - **Podman image qualification** -- automatically prefixes `docker.io/` for short image names
 - **Cross-plugin API** -- other plugins use `globalThis.__signalk_containerManager`
 
@@ -70,7 +72,16 @@ if (!containers) {
   return;
 }
 
-// Start a long-running service container
+// Wait for runtime detection to settle, then verify a runtime was found.
+await containers.whenReady();
+if (!containers.getRuntime()) {
+  app.setPluginError("No container runtime detected");
+  return;
+}
+
+// Start a long-running service container. ensureRunning compares this
+// config against the live container and recreates on drift — no per-
+// plugin hash file or remove() dance needed.
 await containers.ensureRunning("my-service", {
   image: "myorg/myimage",
   tag: "latest",
@@ -104,10 +115,11 @@ See [doc/plugin-developer-guide.md](doc/plugin-developer-guide.md) for the full
 | Method                                  | Description                                                                                                                                                   |
 | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `getRuntime()`                          | Returns `{ runtime, version, isPodmanDockerShim }` or `null`                                                                                                  |
+| `whenReady()`                           | Resolves once runtime detection settles (success OR failure). Replaces the polling-loop pattern; check `getRuntime()` after the await                         |
 | `pullImage(image, onProgress?)`         | Pull a container image (auto-qualifies for Podman)                                                                                                            |
 | `imageExists(image)`                    | Check if image exists locally                                                                                                                                 |
 | `getImageDigest(imageOrContainer)`      | Local image ID (sha256) for an image:tag or container                                                                                                         |
-| `ensureRunning(name, config, options?)` | Create and start container if not running                                                                                                                     |
+| `ensureRunning(name, config, options?)` | Create and start container if not running; auto-recreates on config drift across `image`, `tag`, `command`, `networkMode`, `env`, `volumes`, `ports`          |
 | `start(name)`                           | Start a stopped container                                                                                                                                     |
 | `stop(name)`                            | Stop a running container                                                                                                                                      |
 | `remove(name)`                          | Stop and remove a container                                                                                                                                   |

package/dist/containers.d.ts

@@ -1,4 +1,4 @@
-import { ContainerConfig, ContainerInfo, ContainerRuntimeInfo, ContainerState, HealthCheckOptions } from "./types";
+import { ContainerConfig, ContainerInfo, ContainerRuntimeInfo, ContainerState, HealthCheckOptions, VolumeIssue, VolumeSpec } from "./types";
 /**
  * Build the value for a `-v <source>:<dest>[:flags]` argument with the
  * correct SELinux relabel suffix for the runtime.
@@ -11,8 +11,95 @@ import { ContainerConfig, ContainerInfo, ContainerRuntimeInfo, ContainerState, H
  * inputs/outputs (jobs.ts) so the named-volume guard stays in one place.
  */
 export declare function volumeArg(hostPath: string, containerPath: string, runtime: ContainerRuntimeInfo, readOnly?: boolean): string;
+/**
+ * Classify each volume entry against host-source existence and the
+ * declared `ifMissing` policy. Returns:
+ *
+ *   - `kept`: the volumes that should be passed to the runtime,
+ *     normalized to bare-string form (the shape `buildRunArgs` and
+ *     `diffContainerConfig` already consume).
+ *   - `skipped`: host-path volumes whose source is missing AND whose
+ *     policy is `'skip'`. Caller should emit `onVolumeIssue`
+ *     events for each.
+ *   - `aborted`: host-path volumes whose source is missing AND whose
+ *     policy is `'abort'`. Caller should emit `onVolumeIssue`
+ *     events then throw.
+ *
+ * Bare-string entries and `ifMissing: 'create'` entries always end
+ * up in `kept` (the runtime auto-creates the host dir on demand,
+ * matching today's behaviour for the bare-string form).
+ *
+ * Named volumes (source without a leading `/` or `.`) always end up
+ * in `kept` regardless of policy — the runtime owns their lifecycle.
+ *
+ * `probe` is the host-path existence check; defaults to `existsSync`.
+ * Tests inject a stub so they don't touch the filesystem.
+ */
+export declare function classifyVolumeSources(volumes: Record<string, string | VolumeSpec> | undefined, probe?: (path: string) => boolean): {
+    kept: Record<string, string>;
+    skipped: Array<{
+        containerPath: string;
+        source: string;
+    }>;
+    aborted: Array<{
+        containerPath: string;
+        source: string;
+    }>;
+};
+/**
+ * Given the volume issues from the last `ensureRunning` call (both
+ * skipped and aborted entries) and the current call's classification,
+ * return the list of entries that are now present and applied — i.e.
+ * recovered. Used to fire `onVolumeIssue` with `action: 'recovered'`
+ * after the inner `ensureRunning` has recreated the container to
+ * include the recovered mount.
+ *
+ * A volume has "recovered" when:
+ *   - it was in `prior.skipped` or `prior.aborted` (i.e. missing on
+ *     the last call), AND
+ *   - it is NOT in the current call's `currentSkipped` or
+ *     `currentAborted` (i.e. it is no longer missing), AND
+ *   - its `containerPath` is in `kept` (i.e. the runtime will actually
+ *     mount it this time).
+ *
+ * Pure function — no I/O.
+ */
+export declare function collectRecoveredVolumes(prior: {
+    skipped: Array<{
+        containerPath: string;
+        source: string;
+    }>;
+    aborted: Array<{
+        containerPath: string;
+        source: string;
+    }>;
+} | undefined, currentSkipped: Array<{
+    containerPath: string;
+    source: string;
+}>, currentAborted: Array<{
+    containerPath: string;
+    source: string;
+}>, kept: Record<string, string>): Array<{
+    containerPath: string;
+    source: string;
+}>;
+/**
+ * Invoke an `onVolumeIssue` callback safely. Synchronous throws AND
+ * rejected promises both route to `reportError`, so handler bugs (in
+ * either flavour) never escape as unhandled rejections.
+ *
+ * The declared callback type is `(event) => void | Promise<void>`,
+ * but TS allows assigning a plain async function where `void` is
+ * expected — the eventual rejection bypasses a naive `try/catch`.
+ * Wrap the call in `Promise.resolve(...).catch(...)` so the same
+ * error path catches both shapes.
+ *
+ * Pure-by-design: `reportError` is injected so tests can capture
+ * the message instead of writing to `app.error`.
+ */
+export declare function safeInvokeVolumeIssue(handler: ((event: VolumeIssue) => void | Promise<void>) | undefined, event: VolumeIssue, reportError: (err: unknown) => void): void;
 export declare function qualifyImage(image: string, runtime: ContainerRuntimeInfo): string;
-export declare function imageExists(runtime: ContainerRuntimeInfo, image: string): Promise<boolean>;
+export declare function imageExists(runtime: ContainerRuntimeInfo, image: string, exec?: ExecFn): Promise<boolean>;
 /**
  * Return the local image ID (sha256 digest) for a given image reference,
  * or null if the image is not present locally. Used for digest-drift
@@ -95,10 +182,84 @@ export declare function parsePortBindings(json: string): Map<number, PortBinding
  * had pre-validation.
  */
 export declare function getActualPortBindings(runtime: ContainerRuntimeInfo, name: string, exec?: ExecFn): Promise<Map<number, PortBinding[]>>;
-export declare function ensureRunning(runtime: ContainerRuntimeInfo, name: string, config: ContainerConfig, debug: (msg: string) => void, options?: HealthCheckOptions): Promise<void>;
+/**
+ * The recreate-requiring half of a live container's effective config, parsed
+ * from a single `inspect` call. Mirror of the recreate-requiring fields on
+ * `ContainerConfig` after `buildRunArgs` would have rendered them. Resources
+ * have their own `getLiveResources` reader and live-update path.
+ *
+ * `image+tag` come from `.Config.Image` (the as-passed reference like
+ * `questdb/questdb:latest`), not `.Image` (the resolved sha256 digest) —
+ * digest-drift detection is the update service's job (`src/updates/`).
+ */
+export interface LiveContainerConfig {
+    image: string;
+    tag: string;
+    command: string[] | null;
+    networkMode: string;
+    env: Map<string, string>;
+    binds: Array<{
+        host: string;
+        container: string;
+    }>;
+    portBindings: Map<string, PortBinding[]>;
+}
+/**
+ * Read the live equivalent of `ContainerConfig`'s recreate-requiring fields
+ * for an already-running container. Returns `null` on inspect failure (the
+ * caller treats that as "can't diff, fall back to early-return" — fail-safe).
+ *
+ * Used by `ensureRunning` to detect drift between the requested config and
+ * what the container was actually created with, so a recreate can fire
+ * automatically instead of silently ignoring the new config until restart.
+ */
+export declare function getLiveContainerConfig(runtime: ContainerRuntimeInfo, name: string, exec?: ExecFn): Promise<LiveContainerConfig | null>;
+/**
+ * Compare a requested `ContainerConfig` against the live container's
+ * effective config and return the list of fields that have drifted.
+ *
+ * Pure function — no I/O. The caller (`ensureRunning`) decides what to do
+ * with a non-empty drift list (today: log + remove + recreate).
+ *
+ * Field semantics:
+ *   - image+tag: tag-string equality only, never digest. Update detection
+ *     for floating tags (`:latest` digest drift) is the update service's job.
+ *   - command: explicit drift when `requested.command` is set and differs
+ *     from `live.command`. When `requested.command` is undefined, drift is
+ *     reported only if a `prior.command` was set (i.e. the user is now
+ *     unsetting it). Without a `prior`, an undefined `requested.command`
+ *     can't be told apart from "image's baked CMD" so we skip — the
+ *     wrapper's prior-config cache (`lastConfigs`) closes that loop on the
+ *     second-and-later calls within a single signalk-container lifetime.
+ *   - networkMode: runtime defaults (`bridge`, `slirp4netns`, etc.) are
+ *     normalized to `""` and compared as equivalent to requested undefined.
+ *   - env: requested keys must match live values. Additionally, any key
+ *     present in `prior.env` but absent from `requested.env` is treated
+ *     as drift (the user is unsetting it). Image-baked env keys not in
+ *     either `requested.env` or `prior.env` are ignored — they were never
+ *     ours.
+ *   - volumes: trailing slashes stripped on both sides; `(host, container)`
+ *     tuples compared as a Map keyed by container path. Live binds have
+ *     their `:Z`/`:ro` flags already stripped by `getLiveContainerConfig`.
+ *   - ports: container-port key compared as runtime-emitted (`9000/tcp`).
+ *     Multiple host bindings per container port compared as a sorted set.
+ */
+export declare function diffContainerConfig(requested: ContainerConfig, live: LiveContainerConfig, runtime: ContainerRuntimeInfo, prior?: ContainerConfig): {
+    drifted: string[];
+};
+export declare function ensureRunning(runtime: ContainerRuntimeInfo, name: string, config: ContainerConfig, debug: (msg: string) => void, options?: HealthCheckOptions, exec?: ExecFn, 
+/**
+ * Prior `ContainerConfig` from the previous `ensureRunning` call within
+ * this signalk-container lifetime, if any. Used to detect "unset" drift
+ * — env keys removed, `command` previously set and now undefined. The
+ * wrapper in `index.ts` reads from its `lastConfigs` cache before
+ * overwriting it; on the first call (or after a Signal K restart) this
+ * will be undefined and only positive drift is detected.
+ */
+prior?: ContainerConfig, _postRecreate?: boolean): Promise<void>;
 export declare function startContainer(runtime: ContainerRuntimeInfo, name: string): Promise<void>;
 export declare function stopContainer(runtime: ContainerRuntimeInfo, name: string): Promise<void>;
-export declare function removeContainer(runtime: ContainerRuntimeInfo, name: string): Promise<void>;
+export declare function removeContainer(runtime: ContainerRuntimeInfo, name: string, exec?: ExecFn): Promise<void>;
 export declare function listContainers(runtime: ContainerRuntimeInfo): Promise<ContainerInfo[]>;
 export declare function pruneImages(runtime: ContainerRuntimeInfo): Promise<{
     imagesRemoved: number;

package/dist/containers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"containers.d.ts","sourceRoot":"","sources":["../src/containers.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,cAAc,EACd,kBAAkB,EACnB,MAAM,SAAS,CAAC;AAYjB;;;;;;;;;;GAUG;AACH,wBAAgB,SAAS,CACvB,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,oBAAoB,EAC7B,QAAQ,GAAE,OAAe,GACxB,MAAM,CAOR;AAED,wBAAgB,YAAY,CAC1B,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,oBAAoB,GAC5B,MAAM,CAgBR;AAED,wBAAsB,WAAW,CAC/B,OAAO,EAAE,oBAAoB,EAC7B,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,OAAO,CAAC,CAGlB;AAED;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,oBAAoB,EAC7B,gBAAgB,EAAE,MAAM,GACvB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA0BxB;AAED,wBAAsB,SAAS,CAC7B,OAAO,EAAE,oBAAoB,EAC7B,KAAK,EAAE,MAAM,EACb,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GACjC,OAAO,CAAC,IAAI,CAAC,CAUf;AAED,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,MAAoB,GACzB,OAAO,CAAC,cAAc,CAAC,CAoCzB;AAED;;;GAGG;AACH,KAAK,MAAM,GAAG,CACZ,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EAAE,KACX,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AAEnE;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,MAAoB,GACzB,OAAO,CAAC,OAAO,SAAS,EAAE,uBAAuB,CAAC,CA2EpD;AAmBD;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,CAAC,CAkC1E;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,MAAoB,GACzB,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC,CAUrC;AAoDD,wBAAsB,aAAa,CACjC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,eAAe,EACvB,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,EAE5B,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC,IAAI,CAAC,CAmCf;AAED,wBAAsB,cAAc,CAClC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAMf;AAkCD,wBAAsB,aAAa,CACjC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAUf;AAED,wBAAsB,eAAe,CACnC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAQf;AAED,wBAAsB,cAAc,CAClC,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,aAAa,EAAE,CAAC,CA6B1B;AAED,wBAAsB,WAAW,CAC/B,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,cAAc,EAAE,MAAM,CAAA;CAAE,CAAC,CAY5D;AAED,wBAAsB,eAAe,CACnC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EAAE,GAChB,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAG/D;AAED,wBAAsB,aAAa,CACjC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAQf;AAED,wBAAsB,aAAa,CACjC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,oBAAoB,EAC7B,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC,CAmBf;AAED,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,oBAAoB,EAC7B,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC,CAaf;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,8BAA8B,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAW1E;AAED;;;;;;;;GAQG;AACH,wBAAgB,mCAAmC,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CAW7E;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,8BAA8B,IAAI,MAAM,EAAE,CAQzD;AAgCD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,oBAAoB,EAC7B,KAAK,GAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAe,GACtC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA0BxB;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,oBAAoB,EAC7B,KAAK,GAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAe,GACtC,OAAO,CAAC,MAAM,CAAC,CA2EjB;AAED;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,cAAc,EAAE,GACvB,wBAAwB,GAAG,IAAI,CAgCjC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,wBAAwB;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,oBAAoB,EAC7B,KAAK,GAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAe,GACtC,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CA6C1C;AAcD;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAEtD;AAeD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAS1E;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,oBAAoB,EAC7B,KAAK,GAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAe,GACtC,OAAO,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAsC1B;AAED,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,SAAS,GAAE,MAAc,EACzB,UAAU,GAAE,MAAY,GACvB,OAAO,CAAC,IAAI,CAAC,CAYf"}
+{"version":3,"file":"containers.d.ts","sourceRoot":"","sources":["../src/containers.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,cAAc,EACd,kBAAkB,EAClB,WAAW,EACX,UAAU,EACX,MAAM,SAAS,CAAC;AAYjB;;;;;;;;;;GAUG;AACH,wBAAgB,SAAS,CACvB,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,oBAAoB,EAC7B,QAAQ,GAAE,OAAe,GACxB,MAAM,CAOR;AAcD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAAC,GAAG,SAAS,EACxD,KAAK,GAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAoB,GAC5C;IACD,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,OAAO,EAAE,KAAK,CAAC;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC1D,OAAO,EAAE,KAAK,CAAC;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC3D,CAuCA;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EACD;IACE,OAAO,EAAE,KAAK,CAAC;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC1D,OAAO,EAAE,KAAK,CAAC;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC3D,GACD,SAAS,EACb,cAAc,EAAE,KAAK,CAAC;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,EAChE,cAAc,EAAE,KAAK,CAAC;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,EAChE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC3B,KAAK,CAAC;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAmBlD;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,CAAC,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,SAAS,EACnE,KAAK,EAAE,WAAW,EAClB,WAAW,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,IAAI,GAClC,IAAI,CAUN;AAED,wBAAgB,YAAY,CAC1B,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,oBAAoB,GAC5B,MAAM,CAgBR;AAED,wBAAsB,WAAW,CAC/B,OAAO,EAAE,oBAAoB,EAC7B,KAAK,EAAE,MAAM,EACb,IAAI,GAAE,MAAoB,GACzB,OAAO,CAAC,OAAO,CAAC,CAGlB;AAED;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,oBAAoB,EAC7B,gBAAgB,EAAE,MAAM,GACvB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA0BxB;AAED,wBAAsB,SAAS,CAC7B,OAAO,EAAE,oBAAoB,EAC7B,KAAK,EAAE,MAAM,EACb,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GACjC,OAAO,CAAC,IAAI,CAAC,CAUf;AAED,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,MAAoB,GACzB,OAAO,CAAC,cAAc,CAAC,CAoCzB;AAED;;;GAGG;AACH,KAAK,MAAM,GAAG,CACZ,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EAAE,KACX,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AAEnE;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,MAAoB,GACzB,OAAO,CAAC,OAAO,SAAS,EAAE,uBAAuB,CAAC,CA2EpD;AAmBD;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,CAAC,CAkC1E;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,MAAoB,GACzB,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC,CAUrC;AAED;;;;;;;;;GASG;AACH,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACzB,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClD,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;CAC1C;AAED;;;;;;;;GAQG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,MAAoB,GACzB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAuGrC;AAqGD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,eAAe,EAC1B,IAAI,EAAE,mBAAmB,EACzB,OAAO,EAAE,oBAAoB,EAC7B,KAAK,CAAC,EAAE,eAAe,GACtB;IAAE,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CAsGvB;AAoDD,wBAAsB,aAAa,CACjC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,eAAe,EACvB,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,EAE5B,OAAO,CAAC,EAAE,kBAAkB,EAC5B,IAAI,GAAE,MAAoB;AAC1B;;;;;;;GAOG;AACH,KAAK,CAAC,EAAE,eAAe,EACvB,aAAa,GAAE,OAAe,GAC7B,OAAO,CAAC,IAAI,CAAC,CA0Ff;AAED,wBAAsB,cAAc,CAClC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAMf;AA4BD,wBAAsB,aAAa,CACjC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAUf;AAED,wBAAsB,eAAe,CACnC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,MAAoB,GACzB,OAAO,CAAC,IAAI,CAAC,CAQf;AAED,wBAAsB,cAAc,CAClC,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,aAAa,EAAE,CAAC,CA6B1B;AAED,wBAAsB,WAAW,CAC/B,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,cAAc,EAAE,MAAM,CAAA;CAAE,CAAC,CAY5D;AAED,wBAAsB,eAAe,CACnC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EAAE,GAChB,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAG/D;AAED,wBAAsB,aAAa,CACjC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAQf;AAED,wBAAsB,aAAa,CACjC,OAAO,EAAE,oBAAoB,EAC7B,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,oBAAoB,EAC7B,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC,CAmBf;AAED,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,oBAAoB,EAC7B,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC,CAaf;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,8BAA8B,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAW1E;AAED;;;;;;;;GAQG;AACH,wBAAgB,mCAAmC,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CAW7E;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,8BAA8B,IAAI,MAAM,EAAE,CAQzD;AAgCD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,oBAAoB,EAC7B,KAAK,GAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAe,GACtC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA0BxB;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,oBAAoB,EAC7B,KAAK,GAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAe,GACtC,OAAO,CAAC,MAAM,CAAC,CA2EjB;AAED;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,cAAc,EAAE,GACvB,wBAAwB,GAAG,IAAI,CAgCjC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,wBAAwB;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,oBAAoB,EAC7B,KAAK,GAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAe,GACtC,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CA6C1C;AAcD;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAEtD;AAeD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAS1E;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,oBAAoB,EAC7B,KAAK,GAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAe,GACtC,OAAO,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAsC1B;AAED,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,SAAS,GAAE,MAAc,EACzB,UAAU,GAAE,MAAY,GACvB,OAAO,CAAC,IAAI,CAAC,CAYf"}