smol-symphony 0.2.0 → 0.3.0

package/dist/src/core/coerce.js

@@ -0,0 +1,75 @@
+// FCIS rewrite — canonical scalar coercers for YAML/JSON-decoded front-matter
+// and config values. Pure + synchronous; imports nothing (src/types not even
+// needed). This is the ONE home for the `asString`/`asInt`/`asStringList`/
+// `asNumber`/`asTimestamp` family that had drifted across ~5 core modules.
+//
+// 100% PURE + SYNCHRONOUS. No IO, no node: imports, no clock/randomness.
+//
+// ─── Resolved drift (the reason this module exists) ──────────────────────────
+//   • asInt: the issue parser used `Number.isInteger` (rejects a fractional
+//     `2.5` → null) while the actions/workflow parsers used `Number.isFinite`
+//     + `Math.trunc` (accepts `2.5` → 2). The workflow-config path (20+ call
+//     sites: timeouts, counts) is the dominant consumer and relies on the
+//     truncating form, so `isFinite + Math.trunc` is canonical. Pinned by
+//     tests/core/coerce.test.ts.
+//   • asString: the http renderer carried a `&& v.length > 0` length-guard the
+//     three parse copies did not. The canonical (no length-guard) matches the
+//     issue-parsing contract; emptiness is the CALLER's concern (most sites
+//     already truthiness-check the result). Pinned by tests/core/coerce.test.ts.
+/** A string value, or null. No length guard — an empty string passes through. */
+export function asString(v) {
+    return typeof v === 'string' ? v : null;
+}
+/**
+ * An integer, or null. Accepts a finite number (truncated toward zero) or a
+ * decimal-digit string; everything else → null. `isFinite + Math.trunc` (NOT
+ * `Number.isInteger`) is canonical: a fractional `2.5` truncates to `2`.
+ */
+export function asInt(v) {
+    if (typeof v === 'number' && Number.isFinite(v))
+        return Math.trunc(v);
+    if (typeof v === 'string' && /^-?\d+$/.test(v))
+        return parseInt(v, 10);
+    return null;
+}
+/**
+ * Like {@link asInt} but with a `fallback` for when the value is absent or
+ * un-coercible (the workflow-config form — every config knob has a default).
+ */
+export function asIntOr(v, fallback) {
+    return asInt(v) ?? fallback;
+}
+/** The string elements of an array, or `[]`. Non-string elements are dropped. */
+export function asStringList(v) {
+    if (Array.isArray(v))
+        return v.filter((x) => typeof x === 'string');
+    return [];
+}
+/** Like {@link asStringList} but returns `fallback` when `v` is not an array. */
+export function asStringListOr(v, fallback) {
+    if (Array.isArray(v))
+        return v.filter((x) => typeof x === 'string');
+    return fallback;
+}
+/** A finite number, or null. (No truncation — fractional values pass through.) */
+export function asNumber(v) {
+    if (typeof v === 'number' && Number.isFinite(v))
+        return v;
+    return null;
+}
+/**
+ * A timestamp as a string. A non-empty string passes through; everything else →
+ * null. The empty string is NOT a timestamp (folds the old `formatTimestamp`
+ * length-guard in, which the bare `asTimestamp` lacked).
+ *
+ * Core coercers operate over PLAIN DATA only, so this NEVER sees a `Date`: the
+ * `yaml` lib auto-decodes ISO timestamps to `Date`, but the shell front-matter
+ * decode (shell/interp/tracker-parse.ts:normalizeDates) renders any decoded `Date`
+ * back to its ISO string at the boundary before core consumes the map.
+ */
+export function asTimestamp(v) {
+    if (typeof v === 'string')
+        return v.length > 0 ? v : null;
+    return null;
+}
+//# sourceMappingURL=coerce.js.map

package/dist/src/core/coerce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"coerce.js","sourceRoot":"","sources":["../../../src/core/coerce.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,6EAA6E;AAC7E,2EAA2E;AAC3E,2EAA2E;AAC3E,EAAE;AACF,yEAAyE;AACzE,EAAE;AACF,gFAAgF;AAChF,4EAA4E;AAC5E,8EAA8E;AAC9E,6EAA6E;AAC7E,0EAA0E;AAC1E,0EAA0E;AAC1E,iCAAiC;AACjC,+EAA+E;AAC/E,8EAA8E;AAC9E,4EAA4E;AAC5E,iFAAiF;AAEjF,iFAAiF;AACjF,MAAM,UAAU,QAAQ,CAAC,CAAU;IACjC,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,KAAK,CAAC,CAAU;IAC9B,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvE,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,CAAU,EAAE,QAAgB;IAClD,OAAO,KAAK,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC;AAC9B,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,YAAY,CAAC,CAAU;IACrC,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;IACjF,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,cAAc,CAAC,CAAU,EAAE,QAAkB;IAC3D,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;IACjF,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,kFAAkF;AAClF,MAAM,UAAU,QAAQ,CAAC,CAAU;IACjC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC;IAC1D,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,WAAW,CAAC,CAAU;IACpC,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC1D,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/src/core/credential/account-id.js

@@ -0,0 +1,20 @@
+// FCIS rewrite — the ONE shared account-id guard (codex review HIGH).
+//
+// `validAccountId` + its `UUID_RE` were inlined BYTE-IDENTICAL across three
+// credential modules (identity.ts / fake-creds.ts / shape.ts), each commenting
+// "SHARED" / "codex review HIGH". This is the single canonical home; those three
+// modules import and re-export it so every existing importer keeps its specifier.
+//
+// 100% PURE + SYNCHRONOUS. No IO, no node: imports, no clock/randomness.
+/** Canonical RFC-4122-shaped UUID (any case). */
+export const UUID_RE = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/;
+/**
+ * Defense-in-depth guard for a credential `account_id`: returns the value iff it
+ * is a UUID, else null. A hostile/malformed `account_id` (a token, a JWT, a path
+ * fragment) must NOT flow into the placeholder/identity machinery — it is dropped
+ * to null rather than trusted.
+ */
+export function validAccountId(v) {
+    return v !== null && UUID_RE.test(v) ? v : null;
+}
+//# sourceMappingURL=account-id.js.map

package/dist/src/core/credential/account-id.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"account-id.js","sourceRoot":"","sources":["../../../../src/core/credential/account-id.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,EAAE;AACF,4EAA4E;AAC5E,+EAA+E;AAC/E,iFAAiF;AACjF,kFAAkF;AAClF,EAAE;AACF,yEAAyE;AAEzE,iDAAiD;AACjD,MAAM,CAAC,MAAM,OAAO,GAClB,+EAA+E,CAAC;AAElF;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,CAAgB;IAC7C,OAAO,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAClD,CAAC"}

package/dist/src/core/credential/adapter-config.js

@@ -0,0 +1,136 @@
+// FCIS rewrite — pure per-adapter staged-config generation.
+//
+// Ported faithfully from the reference `src/agent/adapters.ts`:
+//   • stageClaudeIdentity        — the claude settings.json effortLevel file + the
+//                                  non-secret identity file content.
+//   • stageCodexPlaceholderAuth  — the fake codex auth.json placeholder shape.
+//
+// In the reference these were `async` because they also did host IO (read
+// `~/.claude.json`, write the file 0600 with symlink-race defenses, resolve the
+// `.git/` vs `.symphony-runtime/` staging root). That IO is the SHELL's job in
+// the FCIS split. What this module owns — and the "critic gap" the synthesis
+// called out — is the PURE content/path decision: given the chosen model /
+// effort / already-extracted host identity, return the `StagedFileSpec[]` that
+// describe what file must land where in the guest, with what bytes. Zero IO, no
+// node builtins, no clock/random — every input is plain data supplied by the
+// caller (the shell reads `~/.claude.json` via `HostIdentityReaders` and passes
+// the extracted `ClaudeIdentity` in; this module never touches the filesystem).
+//
+// A `StagedFileSpec` is `{ stagedName, content, guestPath }` (src/types/credentials):
+//   • stagedName — the name inside the workspace runtime staging dir; the shell
+//                  composes the actual on-host path (`.git/symphony-runtime/...`
+//                  or `.symphony-runtime/...`) — that resolution stays in the shell.
+//   • content    — the exact UTF-8 bytes to write.
+//   • guestPath  — the absolute path inside the VM the dispatcher materializes to.
+//
+// Faithful semantics preserved from the reference:
+//   • claude settings.json: `{ "effortLevel": <effort> }`, compact JSON, copied
+//     to /root/.claude/settings.json (matches the reference effortInjection).
+//   • claude identity: ONLY `{ oauthAccount: { accountUuid, organizationUuid } }`
+//     — no token strings, no device/session ids, no local config. Skipped
+//     (null) when no identity was extracted (reference returned null).
+//   • codex placeholder auth.json: `{ OPENAI_API_KEY: <placeholder>, auth_mode:
+//     'apikey' }`, NO real credential, NO OAuth tokens block.
+// ── claude settings.json (effortLevel) + non-secret identity ───────────────
+/** Absolute guest path the claude settings.json (effortLevel) lands at. */
+export const CLAUDE_SETTINGS_GUEST_PATH = '/root/.claude/settings.json';
+/** Absolute guest path the non-secret claude identity file lands at. */
+export const CLAUDE_IDENTITY_GUEST_PATH = '/root/.claude.json';
+/**
+ * The claude `effortLevel` settings.json spec. Mirrors the reference
+ * `ADAPTERS.claude.effortInjection`: a compact `{ "effortLevel": <effort> }`
+ * copied to /root/.claude/settings.json before the adapter starts. Valid values
+ * (`low|medium|high|xhigh|max`) are gated per-model by claude-agent-acp; symphony
+ * lets the adapter reject invalid choices rather than mirroring the gate, so we
+ * emit whatever non-empty string the caller supplies.
+ */
+export function claudeEffortSpec(effort) {
+    return {
+        stagedName: 'claude-settings.json',
+        content: JSON.stringify({ effortLevel: effort }),
+        guestPath: CLAUDE_SETTINGS_GUEST_PATH,
+    };
+}
+/**
+ * The non-secret claude identity staged-file spec (pure replacement for the
+ * reference `stageClaudeIdentity`, minus the host `~/.claude.json` read — that
+ * read + the `oauthAccount` extraction is the shell's `HostIdentityReaders` job;
+ * this module receives the already-extracted identity).
+ *
+ * Defensive shape (faithful): ONLY `{ oauthAccount: { accountUuid,
+ * organizationUuid } }` — NO token strings, NO device/session ids, NO local
+ * config. Returns `null` when no identity is available, exactly as the reference
+ * returned null when `~/.claude.json` was missing or had no `oauthAccount`
+ * (staging the identity is defense in depth, not a hard gate on dispatch).
+ */
+export function claudeIdentitySpec(identity) {
+    if (!identity)
+        return null;
+    return {
+        stagedName: 'claude.json',
+        content: JSON.stringify({
+            oauthAccount: {
+                accountUuid: identity.accountUuid,
+                organizationUuid: identity.organizationUuid,
+            },
+        }),
+        guestPath: CLAUDE_IDENTITY_GUEST_PATH,
+    };
+}
+// ── codex placeholder auth.json ────────────────────────────────────────────
+/** Absolute guest path the fake codex auth.json lands at. */
+export const CODEX_AUTH_GUEST_PATH = '/root/.codex/auth.json';
+/** Placeholder bearer staged into the fake codex auth.json (NOT a real token). */
+export const CODEX_PLACEHOLDER_API_KEY = 'sk-symphony-placeholder';
+/**
+ * The fake codex `~/.codex/auth.json` placeholder spec (pure replacement for the
+ * reference `stageCodexPlaceholderAuth`, minus the host write). It exists PURELY
+ * to satisfy codex-acp's session-init credential check; it contains NO real
+ * credential — `OPENAI_API_KEY` is a token-shaped placeholder and there is no
+ * OAuth `tokens` block — so codex falls through to the env `OPENAI_API_KEY`
+ * placeholder as its request bearer and Gondolin substitutes the real token at
+ * egress. `auth_mode: 'apikey'` forces the API-key path, never an OAuth
+ * handshake; `last_refresh` is omitted (no OAuth tokens to age).
+ */
+export function codexPlaceholderAuthSpec() {
+    return {
+        stagedName: 'auth.json',
+        content: JSON.stringify({
+            OPENAI_API_KEY: CODEX_PLACEHOLDER_API_KEY,
+            auth_mode: 'apikey',
+        }),
+        guestPath: CODEX_AUTH_GUEST_PATH,
+    };
+}
+/**
+ * Aggregate every staged-file spec one adapter dispatch needs into a single
+ * `StagedFileSpec[]`, in a stable order (identity/config first, then the
+ * effort/model overlays). Pure: the shell materializes each spec into the
+ * workspace runtime tree + the guest. No spec is ever a secret — the only
+ * credential bytes are token-shaped placeholders.
+ *
+ * Per-adapter (faithful to the reference staging in `runner.stageAdapterExtras`):
+ *   • claude    — optional non-secret identity (when extracted) + optional
+ *                 effortLevel settings.json (when effort is set).
+ *   • codex     — the fake placeholder auth.json (always; the init check needs it).
+ */
+export function buildStagedConfigs(input) {
+    const specs = [];
+    switch (input.adapter) {
+        case 'claude': {
+            const identity = claudeIdentitySpec(input.claudeIdentity);
+            if (identity)
+                specs.push(identity);
+            if (input.effort && input.effort.length > 0) {
+                specs.push(claudeEffortSpec(input.effort));
+            }
+            break;
+        }
+        case 'codex': {
+            specs.push(codexPlaceholderAuthSpec());
+            break;
+        }
+    }
+    return specs;
+}
+//# sourceMappingURL=adapter-config.js.map

package/dist/src/core/credential/adapter-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter-config.js","sourceRoot":"","sources":["../../../../src/core/credential/adapter-config.ts"],"names":[],"mappings":"AAAA,4DAA4D;AAC5D,EAAE;AACF,gEAAgE;AAChE,mFAAmF;AACnF,qEAAqE;AACrE,+EAA+E;AAC/E,EAAE;AACF,0EAA0E;AAC1E,gFAAgF;AAChF,+EAA+E;AAC/E,6EAA6E;AAC7E,2EAA2E;AAC3E,+EAA+E;AAC/E,gFAAgF;AAChF,6EAA6E;AAC7E,gFAAgF;AAChF,gFAAgF;AAChF,EAAE;AACF,sFAAsF;AACtF,gFAAgF;AAChF,iFAAiF;AACjF,qFAAqF;AACrF,mDAAmD;AACnD,mFAAmF;AACnF,EAAE;AACF,mDAAmD;AACnD,gFAAgF;AAChF,8EAA8E;AAC9E,kFAAkF;AAClF,0EAA0E;AAC1E,uEAAuE;AACvE,gFAAgF;AAChF,8DAA8D;AAS9D,8EAA8E;AAE9E,2EAA2E;AAC3E,MAAM,CAAC,MAAM,0BAA0B,GAAG,6BAA6B,CAAC;AAExE,wEAAwE;AACxE,MAAM,CAAC,MAAM,0BAA0B,GAAG,oBAAoB,CAAC;AAE/D;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,OAAO;QACL,UAAU,EAAE,sBAAsB;QAClC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC;QAChD,SAAS,EAAE,0BAA0B;KACtC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAA+B;IAChE,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,OAAO;QACL,UAAU,EAAE,aAAa;QACzB,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC;YACtB,YAAY,EAAE;gBACZ,WAAW,EAAE,QAAQ,CAAC,WAAW;gBACjC,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;aAC5C;SACF,CAAC;QACF,SAAS,EAAE,0BAA0B;KACtC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAE9E,6DAA6D;AAC7D,MAAM,CAAC,MAAM,qBAAqB,GAAG,wBAAwB,CAAC;AAE9D,kFAAkF;AAClF,MAAM,CAAC,MAAM,yBAAyB,GAAG,yBAAyB,CAAC;AAEnE;;;;;;;;;GASG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO;QACL,UAAU,EAAE,WAAW;QACvB,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC;YACtB,cAAc,EAAE,yBAAyB;YACzC,SAAS,EAAE,QAAQ;SACpB,CAAC;QACF,SAAS,EAAE,qBAAqB;KACjC,CAAC;AACJ,CAAC;AAeD;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAwB;IACzD,MAAM,KAAK,GAAqB,EAAE,CAAC;IACnC,QAAQ,KAAK,CAAC,OAAO,EAAE,CAAC;QACtB,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,QAAQ,GAAG,kBAAkB,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;YAC1D,IAAI,QAAQ;gBAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACnC,IAAI,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5C,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAC7C,CAAC;YACD,MAAM;QACR,CAAC;QACD,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,KAAK,CAAC,IAAI,CAAC,wBAAwB,EAAE,CAAC,CAAC;YACvC,MAAM;QACR,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/src/core/credential/availability.js

@@ -0,0 +1,98 @@
+// FCIS rewrite — PURE credential availability classification.
+//
+// Ports the pure half of the original `src/agent/adapter-names.ts`:
+//   codexCredentialAvailable, codexMissingCredentialMessage,
+//   host{Claude,Codex}CredentialPath, isKnownAdapter / KNOWN_ADAPTER_IDS.
+//
+// Critic gap this closes: availability classification is shared by BOTH the
+// doctor check and the startup probe, so it must live in the core (one source of
+// truth) rather than being re-implemented per call site.
+//
+// 100% synchronous, zero IO, imports ONLY from src/types.
+//
+// How the original's impure dependencies are made pure here:
+//   * `os.homedir()` (used to build the host credential paths) is replaced
+//     by an INJECTED `homeDir: string`. The shell derives it once (os.homedir())
+//     and threads it in; the core reads no real environment. This mirrors the
+//     homeDir(env) convention already used in src/core/workflow/parse.ts.
+//   * `node:path.join` is replaced by a tiny pure POSIX join (joinPath). The
+//     orchestrator targets Linux/macOS hosts, so POSIX semantics are faithful.
+//   * `NodeJS.ProcessEnv` becomes `WorkflowEnv` (Record<string, string|undefined>),
+//     the type already used across the core for injected environments.
+//
+// The actual file reads stay in the shell: the shell reads the credential file
+// (passing its text, or `null` when absent/unreadable) and the env in here, so
+// these functions mirror the host's egress read path EXACTLY — the startup probe
+// accepts a dispatch iff a real dispatch would resolve a credential.
+import { joinPosixParts } from '../path.js';
+import { nonEmptyString } from './strings.js';
+// ─── known-adapter registry ──────────────────────────────────────────────────
+//
+// The seam between the config layer and the IO adapter layer: both sides agree
+// on which adapter ids exist. The full adapter *profile* lives elsewhere
+// (AdapterProfile / the shell's adapter registry); this is only the id set.
+export const KNOWN_ADAPTER_IDS = ['claude', 'codex'];
+export function isKnownAdapter(id) {
+    return KNOWN_ADAPTER_IDS.includes(id);
+}
+// Host credential paths use the canonical variadic `joinPosixParts` from
+// core/path.ts (the old local `joinPath` was byte-identical to it).
+const joinPath = joinPosixParts;
+// ─── host credential paths ───────────────────────────────────────────────────
+//
+// Absolute paths to the host's credential files. The host reads these to
+// substitute the live access token into the outbound request at Gondolin egress
+// (the guest only ever holds a token-shaped placeholder); the startup probe
+// reads them once so a completely missing credential fails fast with a clear
+// message instead of an opaque mid-dispatch error.
+/** Absolute path to the host's claude OAuth credential file (`~/.claude/.credentials.json`). */
+export function hostClaudeCredentialPath(homeDir) {
+    return joinPath(homeDir, '.claude', '.credentials.json');
+}
+/** Absolute path to the host's codex credential file (`~/.codex/auth.json`). */
+export function hostCodexCredentialPath(homeDir) {
+    return joinPath(homeDir, '.codex', 'auth.json');
+}
+// ─── codex credential resolution ─────────────────────────────────────────────
+/**
+ * Pure: does codex have a resolvable credential from either valid source? The
+ * host reads two — the `~/.codex/auth.json` token (a ChatGPT-OAuth
+ * `tokens.access_token` or a top-level `OPENAI_API_KEY`) or an `OPENAI_API_KEY`
+ * env var. The shell reads the file (passing `null` when absent/unreadable) and
+ * its env in; this mirrors the host's `extractCodexToken` + env fallback so the
+ * startup probe accepts exactly when a dispatch would.
+ */
+export function codexCredentialAvailable(authFileText, env) {
+    if (nonEmptyString(env['OPENAI_API_KEY']))
+        return true;
+    if (authFileText === null)
+        return false;
+    let parsed;
+    try {
+        parsed = JSON.parse(authFileText);
+    }
+    catch {
+        return false;
+    }
+    return codexAuthFileHasToken(parsed);
+}
+/** Human-readable explanation of which codex credential sources were checked. */
+export function codexMissingCredentialMessage(homeDir) {
+    return `adapter "codex" requires a host credential, but none is available: neither a token in ${hostCodexCredentialPath(homeDir)} (ChatGPT-OAuth tokens.access_token or OPENAI_API_KEY) nor an OPENAI_API_KEY environment variable is present`;
+}
+function codexAuthFileHasToken(parsed) {
+    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed))
+        return false;
+    const root = parsed;
+    const tokens = root['tokens'];
+    if (tokens && typeof tokens === 'object' && !Array.isArray(tokens)) {
+        if (nonEmptyString(tokens['access_token']))
+            return true;
+    }
+    return nonEmptyString(root['OPENAI_API_KEY']) !== null;
+}
+// nonEmptyString (string-valued) is the shared credential helper from
+// ./strings.js — imported at the top. The boolean-returning local copy that
+// used to live here was the §3a divergence; call sites that need a boolean use
+// `nonEmptyString(...) !== null`, the rest rely on the truthy string/null.
+//# sourceMappingURL=availability.js.map

package/dist/src/core/credential/availability.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"availability.js","sourceRoot":"","sources":["../../../../src/core/credential/availability.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,EAAE;AACF,oEAAoE;AACpE,6DAA6D;AAC7D,0EAA0E;AAC1E,EAAE;AACF,4EAA4E;AAC5E,iFAAiF;AACjF,yDAAyD;AACzD,EAAE;AACF,0DAA0D;AAC1D,EAAE;AACF,6DAA6D;AAC7D,2EAA2E;AAC3E,iFAAiF;AACjF,8EAA8E;AAC9E,0EAA0E;AAC1E,6EAA6E;AAC7E,+EAA+E;AAC/E,oFAAoF;AACpF,uEAAuE;AACvE,EAAE;AACF,+EAA+E;AAC/E,+EAA+E;AAC/E,iFAAiF;AACjF,qEAAqE;AAIrE,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,gFAAgF;AAChF,EAAE;AACF,+EAA+E;AAC/E,yEAAyE;AACzE,4EAA4E;AAE5E,MAAM,CAAC,MAAM,iBAAiB,GAA4B,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;AAE9E,MAAM,UAAU,cAAc,CAAC,EAAU;IACvC,OAAQ,iBAAuC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;AAC/D,CAAC;AAED,yEAAyE;AACzE,oEAAoE;AACpE,MAAM,QAAQ,GAAG,cAAc,CAAC;AAEhC,gFAAgF;AAChF,EAAE;AACF,yEAAyE;AACzE,gFAAgF;AAChF,4EAA4E;AAC5E,6EAA6E;AAC7E,mDAAmD;AAEnD,gGAAgG;AAChG,MAAM,UAAU,wBAAwB,CAAC,OAAe;IACtD,OAAO,QAAQ,CAAC,OAAO,EAAE,SAAS,EAAE,mBAAmB,CAAC,CAAC;AAC3D,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,uBAAuB,CAAC,OAAe;IACrD,OAAO,QAAQ,CAAC,OAAO,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC;AAClD,CAAC;AAED,gFAAgF;AAEhF;;;;;;;GAOG;AACH,MAAM,UAAU,wBAAwB,CACtC,YAA2B,EAC3B,GAAgB;IAEhB,IAAI,cAAc,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACvD,IAAI,YAAY,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,qBAAqB,CAAC,MAAM,CAAC,CAAC;AACvC,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,6BAA6B,CAAC,OAAe;IAC3D,OAAO,yFAAyF,uBAAuB,CACrH,OAAO,CACR,8GAA8G,CAAC;AAClH,CAAC;AAED,SAAS,qBAAqB,CAAC,MAAe;IAC5C,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACjF,MAAM,IAAI,GAAG,MAAiC,CAAC;IAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnE,IAAI,cAAc,CAAE,MAAkC,CAAC,cAAc,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IACvF,CAAC;IACD,OAAO,cAAc,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,KAAK,IAAI,CAAC;AACzD,CAAC;AAED,sEAAsE;AACtE,4EAA4E;AAC5E,+EAA+E;AAC/E,2EAA2E"}

package/dist/src/core/credential/extract.js

@@ -0,0 +1,228 @@
+// FCIS rewrite — PURE token/JWT extraction over ALREADY-PARSED JSON.
+//
+// Functional core: every export here is a pure, synchronous (data) -> data
+// function. No IO, no clock, no randomness, no node: imports, no process/env
+// read. Imports ONLY from src/types.
+//
+// SECURITY-LOAD-BEARING. This is the "impureCoreRisk fix" half of the original
+// src/agent/credential-extractors.ts + src/agent/adapter-names.ts: the original
+// extractors mixed pure parsing with host IO (file reads, https requests, flock,
+// refresher spawns, `process.env`). Here we keep ONLY the pure decisions:
+//   - extractClaudeToken       — pull accessToken+expiry out of parsed claude creds
+//   - extractCodexToken        — prefer ChatGPT-OAuth tokens.access_token (NEVER
+//                                reads refresh_token), else OPENAI_API_KEY; sets
+//                                chatgptOAuth + JWT-derived expiry
+//   - decodeJwtExpMs           — read a JWT `exp` claim (ms), signature unverified
+//   - coerceExpiresAtMs        — number | numeric-string | date-string -> ms|null
+//   - codexEnvFallback         — OPENAI_API_KEY env fallback as a codex credential
+//
+// The host invariant ("only the host refreshes; the guest never sees a refresh
+// token") is preserved at the extraction boundary: extractCodexToken NEVER reads
+// `tokens.refresh_token`. All host file/env reads that previously lived here are
+// now `credential.probe` Effects performed by the shell; the SHELL parses the
+// JSON and the host environment, then hands the already-parsed values to these
+// functions.
+import { nonEmptyString } from './strings.js';
+// ── claude ────────────────────────────────────────────────────────────────────
+/**
+ * Pull `accessToken` and `expiresAt` out of the already-parsed claude
+ * credentials JSON. The shape `claude` writes is
+ * `{ claudeAiOauth: { accessToken, expiresAt, ... } }`, but we tolerate flat
+ * top-level fields too for forward compatibility. Returns null when no non-empty
+ * access token is present.
+ */
+export function extractClaudeToken(parsed) {
+    if (!parsed || typeof parsed !== 'object')
+        return null;
+    const root = parsed;
+    const oauth = root['claudeAiOauth'];
+    const candidate = oauth && typeof oauth === 'object' && !Array.isArray(oauth)
+        ? oauth
+        : root;
+    const accessToken = candidate['accessToken'];
+    if (typeof accessToken !== 'string' || accessToken.length === 0)
+        return null;
+    const expiresAtMs = coerceExpiresAtMs(candidate['expiresAt']);
+    return { accessToken, expiresAtMs };
+}
+// ── codex ─────────────────────────────────────────────────────────────────────
+/**
+ * Pull the access token out of the already-parsed codex `~/.codex/auth.json`.
+ * Two flavours live there: a ChatGPT-OAuth `tokens.access_token` and an API-key
+ * `OPENAI_API_KEY`. We prefer the OAuth access token, then fall back to the API
+ * key. The `tokens.refresh_token` is NEVER read — it stays host-side so an in-VM
+ * agent cannot rotate (and thereby invalidate) the host's credential.
+ *
+ * For the ChatGPT-OAuth token, `expiresAtMs` is decoded from the access-token
+ * JWT `exp` claim so the proactive pre-expiry refresh tick can fire; a non-JWT /
+ * malformed token decodes to null (safe degradation to on-demand re-read). The
+ * API-key fallback keeps `expiresAtMs: null` (API keys do not expire/refresh).
+ */
+export function extractCodexToken(parsed) {
+    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed))
+        return null;
+    const root = parsed;
+    const tokens = codexTokensObject(root);
+    if (tokens !== null) {
+        const oauth = nonEmptyString(tokens['access_token']);
+        if (oauth !== null) {
+            // ChatGPT-OAuth subscription credential → ChatGPT-backend route. The
+            // account id (when present) becomes the `chatgpt-account-id` header, but
+            // routing keys on `chatgptOAuth`: this token is ALWAYS rejected by the
+            // platform API, with or without the account id.
+            return {
+                accessToken: oauth,
+                expiresAtMs: decodeJwtExpMs(oauth),
+                chatgptOAuth: true,
+                chatgptAccountId: nonEmptyString(tokens['account_id']),
+            };
+        }
+    }
+    // API-key credential: forward to the platform API (api.openai.com/v1) unchanged.
+    const apiKey = nonEmptyString(root['OPENAI_API_KEY']);
+    return apiKey === null ? null : { accessToken: apiKey, expiresAtMs: null };
+}
+/**
+ * Pure: read `OPENAI_API_KEY` from a host-environment snapshot as a codex
+ * credential fallback. The shell passes the env in (a `credential.probe`-adjacent
+ * env read); core never touches `process.env`.
+ */
+export function codexEnvFallback(env) {
+    const key = nonEmptyString(env['OPENAI_API_KEY']);
+    return key === null ? null : { accessToken: key, expiresAtMs: null };
+}
+// ── JWT / expiry coercion ───────────────────────────────────────────────────────
+/**
+ * Decode a JWT's `exp` claim (seconds since epoch) and return it as ms since
+ * epoch, or null when `token` is not a well-formed three-segment JWT or carries
+ * no finite numeric `exp`. The signature is NEVER verified — codex's own client
+ * owns verification; we read only the public `exp` claim to schedule a refresh.
+ */
+export function decodeJwtExpMs(token) {
+    const segments = token.split('.');
+    if (segments.length !== 3)
+        return null;
+    const payloadSeg = segments[1];
+    if (payloadSeg === undefined || payloadSeg.length === 0)
+        return null;
+    const json = decodeBase64UrlUtf8(payloadSeg);
+    if (json === null)
+        return null;
+    let payload;
+    try {
+        payload = JSON.parse(json);
+    }
+    catch {
+        return null;
+    }
+    if (!payload || typeof payload !== 'object' || Array.isArray(payload))
+        return null;
+    const exp = payload['exp'];
+    if (typeof exp !== 'number' || !Number.isFinite(exp))
+        return null;
+    return exp * 1000;
+}
+/**
+ * Coerce an `expiresAt`-shaped value into ms since epoch: a finite number is
+ * taken verbatim; a numeric string is parsed as a number; otherwise a string is
+ * tried as a parseable date. Anything else → null.
+ */
+export function coerceExpiresAtMs(value) {
+    if (typeof value === 'number' && Number.isFinite(value))
+        return value;
+    if (typeof value === 'string') {
+        const n = Number(value);
+        if (Number.isFinite(n))
+            return n;
+        const parsedDate = Date.parse(value);
+        if (Number.isFinite(parsedDate))
+            return parsedDate;
+    }
+    return null;
+}
+// ── internal helpers ─────────────────────────────────────────────────────────
+/** The ChatGPT-OAuth `tokens` bundle from auth.json, or null when absent/malformed. */
+function codexTokensObject(root) {
+    const tokens = root['tokens'];
+    if (!tokens || typeof tokens !== 'object' || Array.isArray(tokens))
+        return null;
+    return tokens;
+}
+// Standard base64 alphabet → 6-bit value (and -1 for non-alphabet chars).
+const BASE64_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
+/**
+ * Decode a base64url segment to a UTF-8 string, or null on malformed input.
+ *
+ * The original used `Buffer.from(seg, 'base64url').toString('utf8')`; core may
+ * not import `node:buffer` (and must not depend on an ambient `atob` global that
+ * the project's `lib` config does not surface), so this is a self-contained pure
+ * decoder: base64url→bytes, then a manual UTF-8 → string decode. Any malformed
+ * input (bad char, bad length, invalid UTF-8) → null, matching the original's
+ * try/catch → null degradation (JSON.parse then fails on null and yields null).
+ */
+function decodeBase64UrlUtf8(seg) {
+    const bytes = base64UrlToBytes(seg);
+    if (bytes === null)
+        return null;
+    return utf8BytesToString(bytes);
+}
+/** base64url string → byte values (0–255), or null on a malformed segment. */
+function base64UrlToBytes(seg) {
+    // base64url → base64: '-'→'+', '_'→'/'. (Padding is recomputed below.)
+    const b64 = seg.replace(/-/g, '+').replace(/_/g, '/').replace(/=+$/, '');
+    if (b64.length % 4 === 1)
+        return null; // an invalid base64 length
+    const out = [];
+    let acc = 0;
+    let bits = 0;
+    for (const ch of b64) {
+        const v = BASE64_ALPHABET.indexOf(ch);
+        if (v === -1)
+            return null; // non-alphabet character
+        acc = (acc << 6) | v;
+        bits += 6;
+        if (bits >= 8) {
+            bits -= 8;
+            out.push((acc >> bits) & 0xff);
+        }
+    }
+    return out;
+}
+/** Decode a UTF-8 byte sequence into a string, or null on invalid UTF-8. */
+function utf8BytesToString(bytes) {
+    let result = '';
+    let i = 0;
+    while (i < bytes.length) {
+        const b0 = bytes[i++];
+        if (b0 < 0x80) {
+            result += String.fromCharCode(b0);
+            continue;
+        }
+        let needed;
+        let cp;
+        if ((b0 & 0xe0) === 0xc0) {
+            needed = 1;
+            cp = b0 & 0x1f;
+        }
+        else if ((b0 & 0xf0) === 0xe0) {
+            needed = 2;
+            cp = b0 & 0x0f;
+        }
+        else if ((b0 & 0xf8) === 0xf0) {
+            needed = 3;
+            cp = b0 & 0x07;
+        }
+        else {
+            return null; // invalid leading byte
+        }
+        for (let k = 0; k < needed; k++) {
+            const cb = bytes[i++];
+            if (cb === undefined || (cb & 0xc0) !== 0x80)
+                return null; // bad continuation
+            cp = (cp << 6) | (cb & 0x3f);
+        }
+        result += String.fromCodePoint(cp);
+    }
+    return result;
+}
+//# sourceMappingURL=extract.js.map

package/dist/src/core/credential/extract.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"extract.js","sourceRoot":"","sources":["../../../../src/core/credential/extract.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,2EAA2E;AAC3E,6EAA6E;AAC7E,qCAAqC;AACrC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,iFAAiF;AACjF,0EAA0E;AAC1E,oFAAoF;AACpF,iFAAiF;AACjF,iFAAiF;AACjF,mEAAmE;AACnE,mFAAmF;AACnF,kFAAkF;AAClF,mFAAmF;AACnF,EAAE;AACF,+EAA+E;AAC/E,iFAAiF;AACjF,iFAAiF;AACjF,8EAA8E;AAC9E,+EAA+E;AAC/E,aAAa;AAGb,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAQ9C,iFAAiF;AAEjF;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAe;IAChD,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACvD,MAAM,IAAI,GAAG,MAAiC,CAAC;IAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC;IACpC,MAAM,SAAS,GACb,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACzD,CAAC,CAAE,KAAiC;QACpC,CAAC,CAAC,IAAI,CAAC;IACX,MAAM,WAAW,GAAG,SAAS,CAAC,aAAa,CAAC,CAAC;IAC7C,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7E,MAAM,WAAW,GAAG,iBAAiB,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;IAC9D,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC;AACtC,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAe;IAC/C,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAChF,MAAM,IAAI,GAAG,MAAiC,CAAC;IAC/C,MAAM,MAAM,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC;QACrD,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,qEAAqE;YACrE,yEAAyE;YACzE,uEAAuE;YACvE,gDAAgD;YAChD,OAAO;gBACL,WAAW,EAAE,KAAK;gBAClB,WAAW,EAAE,cAAc,CAAC,KAAK,CAAC;gBAClC,YAAY,EAAE,IAAI;gBAClB,gBAAgB,EAAE,cAAc,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;aACvD,CAAC;QACJ,CAAC;IACH,CAAC;IACD,iFAAiF;IACjF,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACtD,OAAO,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;AAC7E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAc;IAC7C,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAClD,OAAO,GAAG,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;AACvE,CAAC;AAED,mFAAmF;AAEnF;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,MAAM,UAAU,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IAC/B,IAAI,UAAU,KAAK,SAAS,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACrE,MAAM,IAAI,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAC7C,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC/B,IAAI,OAAgB,CAAC;IACrB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IACnF,MAAM,GAAG,GAAI,OAAmC,CAAC,KAAK,CAAC,CAAC;IACxD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,OAAO,GAAG,GAAG,IAAI,CAAC;AACpB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAc;IAC9C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACtE,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QACxB,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;QACjC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACrC,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,OAAO,UAAU,CAAC;IACrD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,gFAAgF;AAEhF,uFAAuF;AACvF,SAAS,iBAAiB,CAAC,IAA6B;IACtD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAChF,OAAO,MAAiC,CAAC;AAC3C,CAAC;AAED,0EAA0E;AAC1E,MAAM,eAAe,GAAG,kEAAkE,CAAC;AAE3F;;;;;;;;;GASG;AACH,SAAS,mBAAmB,CAAC,GAAW;IACtC,MAAM,KAAK,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAChC,OAAO,iBAAiB,CAAC,KAAK,CAAC,CAAC;AAClC,CAAC;AAED,8EAA8E;AAC9E,SAAS,gBAAgB,CAAC,GAAW;IACnC,uEAAuE;IACvE,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACzE,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,2BAA2B;IAClE,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,MAAM,CAAC,GAAG,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC,CAAC,yBAAyB;QACpD,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACrB,IAAI,IAAI,CAAC,CAAC;QACV,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC;YACd,IAAI,IAAI,CAAC,CAAC;YACV,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,4EAA4E;AAC5E,SAAS,iBAAiB,CAAC,KAAe;IACxC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;QACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,EAAE,CAAE,CAAC;QACvB,IAAI,EAAE,GAAG,IAAI,EAAE,CAAC;YACd,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;YAClC,SAAS;QACX,CAAC;QACD,IAAI,MAAc,CAAC;QACnB,IAAI,EAAU,CAAC;QACf,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YACzB,MAAM,GAAG,CAAC,CAAC;YACX,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACjB,CAAC;aAAM,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YAChC,MAAM,GAAG,CAAC,CAAC;YACX,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACjB,CAAC;aAAM,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YAChC,MAAM,GAAG,CAAC,CAAC;YACX,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACjB,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,CAAC,uBAAuB;QACtC,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAChC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;YACtB,IAAI,EAAE,KAAK,SAAS,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC,CAAC,mBAAmB;YAC9E,EAAE,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC;QAC/B,CAAC;QACD,MAAM,IAAI,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}