zora-agent 0.10.6 → 0.11.0

package/README.md

@@ -2,6 +2,8 @@
 
 # Zora
 
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/ryaker/zora)
+
 **Your personal AI agent. Local, secure, and memory-first.**
 
 Zora runs on your computer, takes real actions (reads files, runs commands, automates tasks), and actually remembers what it's doing between sessions — without giving up control of your system.

package/bin/zora-agent

@@ -1,10 +1,23 @@
 #!/bin/sh
 # Strip Claude Code environment variables that cause the claude-agent-sdk to
 # enter CLI mode (CLAUDE_CODE_ENTRYPOINT=cli) or refuse to run (CLAUDECODE=1).
-# These must be unset before Node.js loads any SDK modules, so we exec a fresh
-# Node.js process with a clean environment rather than trying to delete them
-# inside the JavaScript handler (which runs after static imports fire).
+# These must be unset before Node.js loads any SDK modules.
+#
+# Resolve the real location of this script so the path works whether called
+# directly or through an npm-installed symlink.
+SCRIPT="$0"
+while [ -L "$SCRIPT" ]; do
+  DIR="$(cd "$(dirname "$SCRIPT")" && pwd)"
+  SCRIPT="$(readlink "$SCRIPT")"
+  case "$SCRIPT" in
+    /*) ;;
+    *) SCRIPT="$DIR/$SCRIPT" ;;
+  esac
+done
+SCRIPT_DIR="$(cd "$(dirname "$SCRIPT")" && pwd)"
+ENTRY="$SCRIPT_DIR/../dist/cli/index.js"
+
 exec env -u CLAUDECODE \
          -u CLAUDE_CODE_ENTRYPOINT \
          -u CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS \
-         node "$(dirname "$0")/../dist/cli/index.js" "$@"
+         node "$ENTRY" "$@"

package/dist/channels/capability-resolver.d.ts

@@ -0,0 +1,34 @@
+/**
+ * CapabilityResolver — maps (senderPhone, channelId) → CapabilitySet.
+ *
+ * Resolution order:
+ *   1. gate.getRole(senderPhone, channelId)
+ *   2. If null → return deniedCapability()
+ *   3. registry.getCapabilitySet(role, senderPhone, channelId)
+ *   4. If undefined → return deniedCapability()
+ *
+ * Hot-reload: delegates to registry.reload() + gate rebuild.
+ *
+ * INVARIANT-1: No tool execution without a valid, current CapabilitySet.
+ */
+import { CapabilitySet } from '../types/channel.js';
+import { ChannelIdentityRegistry } from './channel-identity-registry.js';
+import { ChannelPolicyGate } from './channel-policy-gate.js';
+export declare class CapabilityResolver {
+    private readonly _registry;
+    private readonly _gate;
+    constructor(registry: ChannelIdentityRegistry, gate: ChannelPolicyGate);
+    /**
+     * Resolves the CapabilitySet for a given (sender, channel) pair.
+     * Returns a denied CapabilitySet if the sender is not authorized.
+     *
+     * INVARIANT-1: Always returns a CapabilitySet — never throws.
+     */
+    resolve(senderPhone: string, channelId: string): Promise<CapabilitySet>;
+    /**
+     * Hot-reload policy from config file.
+     * Delegates to registry.reload() — gate rebuilds via onReload callback.
+     */
+    reload(): Promise<void>;
+}
+//# sourceMappingURL=capability-resolver.d.ts.map

package/dist/channels/capability-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability-resolver.d.ts","sourceRoot":"","sources":["../../src/channels/capability-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,aAAa,EAAoB,MAAM,qBAAqB,CAAC;AACtE,OAAO,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AACzE,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAK7D,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAA0B;IACpD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAoB;gBAE9B,QAAQ,EAAE,uBAAuB,EAAE,IAAI,EAAE,iBAAiB;IAKtE;;;;;OAKG;IACG,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAkB7E;;;OAGG;IACG,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;CAI9B"}

package/dist/channels/capability-resolver.js

@@ -0,0 +1,53 @@
+/**
+ * CapabilityResolver — maps (senderPhone, channelId) → CapabilitySet.
+ *
+ * Resolution order:
+ *   1. gate.getRole(senderPhone, channelId)
+ *   2. If null → return deniedCapability()
+ *   3. registry.getCapabilitySet(role, senderPhone, channelId)
+ *   4. If undefined → return deniedCapability()
+ *
+ * Hot-reload: delegates to registry.reload() + gate rebuild.
+ *
+ * INVARIANT-1: No tool execution without a valid, current CapabilitySet.
+ */
+import { deniedCapability } from '../types/channel.js';
+import { createLogger } from '../utils/logger.js';
+const log = createLogger('capability-resolver');
+export class CapabilityResolver {
+    _registry;
+    _gate;
+    constructor(registry, gate) {
+        this._registry = registry;
+        this._gate = gate;
+    }
+    /**
+     * Resolves the CapabilitySet for a given (sender, channel) pair.
+     * Returns a denied CapabilitySet if the sender is not authorized.
+     *
+     * INVARIANT-1: Always returns a CapabilitySet — never throws.
+     */
+    async resolve(senderPhone, channelId) {
+        const role = await this._gate.getRole(senderPhone, channelId);
+        if (!role) {
+            log.debug({ senderPhone, channelId }, 'No role found — returning denied capability');
+            return { ...deniedCapability(), senderPhone, channelId };
+        }
+        const cap = this._registry.getCapabilitySet(role, senderPhone, channelId);
+        if (!cap) {
+            log.warn({ senderPhone, channelId, role }, 'Role found but no capability set configured — denying');
+            return { ...deniedCapability(), senderPhone, channelId, role };
+        }
+        log.debug({ senderPhone, channelId, role, tools: cap.allowedTools.length }, 'Capability resolved');
+        return cap;
+    }
+    /**
+     * Hot-reload policy from config file.
+     * Delegates to registry.reload() — gate rebuilds via onReload callback.
+     */
+    async reload() {
+        await this._registry.reload();
+        // Gate re-builds itself via its onReload callback registered in init()
+    }
+}
+//# sourceMappingURL=capability-resolver.js.map

package/dist/channels/capability-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability-resolver.js","sourceRoot":"","sources":["../../src/channels/capability-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAiB,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAGtE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,GAAG,GAAG,YAAY,CAAC,qBAAqB,CAAC,CAAC;AAEhD,MAAM,OAAO,kBAAkB;IACZ,SAAS,CAA0B;IACnC,KAAK,CAAoB;IAE1C,YAAY,QAAiC,EAAE,IAAuB;QACpE,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;QAC1B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;IACpB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,WAAmB,EAAE,SAAiB;QAClD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;QAE9D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,GAAG,CAAC,KAAK,CAAC,EAAE,WAAW,EAAE,SAAS,EAAE,EAAE,6CAA6C,CAAC,CAAC;YACrF,OAAO,EAAE,GAAG,gBAAgB,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC;QAC3D,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,IAAI,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;QAC1E,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,GAAG,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,uDAAuD,CAAC,CAAC;YACpG,OAAO,EAAE,GAAG,gBAAgB,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QACjE,CAAC;QAED,GAAG,CAAC,KAAK,CAAC,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,CAAC,YAAY,CAAC,MAAM,EAAE,EAAE,qBAAqB,CAAC,CAAC;QACnG,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM;QACV,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC;QAC9B,uEAAuE;IACzE,CAAC;CACF"}

package/dist/channels/channel-adapter.d.ts

@@ -0,0 +1,42 @@
+/**
+ * IChannelAdapter — Abstract interface for Zora communication channels.
+ *
+ * All external integrations (Signal, Telegram, Slack, etc.) implement this
+ * to participate in the secure ChannelManager pipeline.
+ */
+import { ChannelIdentity, ChannelMessage } from '../types/channel.js';
+export interface SendOptions {
+    /** Original message timestamp for quoting (group replies) */
+    quoteTimestamp?: number;
+    /** Author identifier for the quoted message (phone or UUID) */
+    quoteAuthor?: string;
+}
+export interface IChannelAdapter {
+    /**
+     * Unique name for this adapter instance (e.g. "signal", "telegram").
+     */
+    readonly name: string;
+    /**
+     * Start the adapter (connect to daemon, start polling, etc.)
+     */
+    start(): Promise<void>;
+    /**
+     * Gracefully stop the adapter.
+     */
+    stop(): Promise<void>;
+    /**
+     * Register the message handler called for every inbound message.
+     * Only one handler is supported per adapter.
+     */
+    onMessage(handler: (msg: ChannelMessage) => Promise<void>): void;
+    /**
+     * Send a response message back to the channel.
+     *
+     * @param to - Recipient identity
+     * @param channelId - Target channel ("direct" or group ID)
+     * @param content - Text response
+     * @param options - Optional quoting context
+     */
+    send(to: ChannelIdentity, channelId: string, content: string, options?: SendOptions): Promise<void>;
+}
+//# sourceMappingURL=channel-adapter.d.ts.map

package/dist/channels/channel-adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"channel-adapter.d.ts","sourceRoot":"","sources":["../../src/channels/channel-adapter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAEtE,MAAM,WAAW,WAAW;IAC1B,6DAA6D;IAC7D,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+DAA+D;IAC/D,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB;;OAEG;IACH,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvB;;OAEG;IACH,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEtB;;;OAGG;IACH,SAAS,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,cAAc,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAEjE;;;;;;;OAOG;IACH,IAAI,CACF,EAAE,EAAE,eAAe,EACnB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,WAAW,GACpB,OAAO,CAAC,IAAI,CAAC,CAAC;CAClB"}

package/dist/channels/channel-adapter.js

@@ -0,0 +1,8 @@
+/**
+ * IChannelAdapter — Abstract interface for Zora communication channels.
+ *
+ * All external integrations (Signal, Telegram, Slack, etc.) implement this
+ * to participate in the secure ChannelManager pipeline.
+ */
+export {};
+//# sourceMappingURL=channel-adapter.js.map

package/dist/channels/channel-adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"channel-adapter.js","sourceRoot":"","sources":["../../src/channels/channel-adapter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG"}

package/dist/channels/channel-audit-log.d.ts

@@ -0,0 +1,33 @@
+/**
+ * ChannelAuditLog — Append-only JSONL logger for all channel intake decisions.
+ *
+ * Logs:
+ *   - Intake decisions (allow/deny)
+ *   - Quarantine flags (suspicious patterns)
+ *   - Tool calls / action budget events
+ *
+ * Rotation: rotates at 10MB.
+ * Location: ~/.zora/audit/channel.log
+ *
+ * INVARIANT-6: Never log raw message content.
+ */
+export interface AuditEntry {
+    timestamp: string;
+    adapter: string;
+    sender: string;
+    channelId: string;
+    action: 'intake_allowed' | 'intake_denied' | 'quarantine_flag' | 'tool_call' | 'budget_exhausted';
+    status: 'ok' | 'blocked' | 'error';
+    metadata?: Record<string, unknown>;
+}
+export declare class ChannelAuditLog {
+    private readonly _logPath;
+    constructor(baseDir?: string);
+    /**
+     * Append an entry to the JSONL log.
+     */
+    append(entry: Omit<AuditEntry, 'timestamp'>): Promise<void>;
+    /** Internal: Rotate log file if it exceeds MAX_LOG_SIZE */
+    private _checkRotation;
+}
+//# sourceMappingURL=channel-audit-log.d.ts.map

package/dist/channels/channel-audit-log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"channel-audit-log.d.ts","sourceRoot":"","sources":["../../src/channels/channel-audit-log.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AASH,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,gBAAgB,GAAG,eAAe,GAAG,iBAAiB,GAAG,WAAW,GAAG,kBAAkB,CAAC;IAClG,MAAM,EAAE,IAAI,GAAG,SAAS,GAAG,OAAO,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAID,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,OAAO,CAAC,EAAE,MAAM;IAW5B;;OAEG;IACG,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAiBjE,2DAA2D;YAC7C,cAAc;CAe7B"}

package/dist/channels/channel-audit-log.js

@@ -0,0 +1,67 @@
+/**
+ * ChannelAuditLog — Append-only JSONL logger for all channel intake decisions.
+ *
+ * Logs:
+ *   - Intake decisions (allow/deny)
+ *   - Quarantine flags (suspicious patterns)
+ *   - Tool calls / action budget events
+ *
+ * Rotation: rotates at 10MB.
+ * Location: ~/.zora/audit/channel.log
+ *
+ * INVARIANT-6: Never log raw message content.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import { createLogger } from '../utils/logger.js';
+const log = createLogger('channel-audit');
+const MAX_LOG_SIZE = 10 * 1024 * 1024; // 10MB
+export class ChannelAuditLog {
+    _logPath;
+    constructor(baseDir) {
+        const root = baseDir ?? path.join(os.homedir(), '.zora');
+        this._logPath = path.join(root, 'audit', 'channel.log');
+        // Ensure directory exists
+        const dir = path.dirname(this._logPath);
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+    }
+    /**
+     * Append an entry to the JSONL log.
+     */
+    async append(entry) {
+        const fullEntry = {
+            timestamp: new Date().toISOString(),
+            ...entry,
+        };
+        try {
+            // Rotation check before append
+            await this._checkRotation();
+            const line = JSON.stringify(fullEntry) + '\n';
+            await fs.promises.appendFile(this._logPath, line, 'utf-8');
+        }
+        catch (err) {
+            log.error({ err, action: entry.action }, 'Failed to write to channel audit log');
+        }
+    }
+    /** Internal: Rotate log file if it exceeds MAX_LOG_SIZE */
+    async _checkRotation() {
+        try {
+            if (!fs.existsSync(this._logPath))
+                return;
+            const stats = await fs.promises.stat(this._logPath);
+            if (stats.size > MAX_LOG_SIZE) {
+                const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+                const rotatedPath = `${this._logPath}.${timestamp}.bak`;
+                await fs.promises.rename(this._logPath, rotatedPath);
+                log.info({ rotatedTo: rotatedPath }, 'Channel audit log rotated');
+            }
+        }
+        catch (err) {
+            log.warn({ err }, 'Log rotation check failed');
+        }
+    }
+}
+//# sourceMappingURL=channel-audit-log.js.map

package/dist/channels/channel-audit-log.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"channel-audit-log.js","sourceRoot":"","sources":["../../src/channels/channel-audit-log.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,GAAG,GAAG,YAAY,CAAC,eAAe,CAAC,CAAC;AAY1C,MAAM,YAAY,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO;AAE9C,MAAM,OAAO,eAAe;IACT,QAAQ,CAAS;IAElC,YAAY,OAAgB;QAC1B,MAAM,IAAI,GAAG,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC;QACzD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC;QAExD,0BAA0B;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,KAAoC;QAC/C,MAAM,SAAS,GAAe;YAC5B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,GAAG,KAAK;SACT,CAAC;QAEF,IAAI,CAAC;YACH,+BAA+B;YAC/B,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;YAE5B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;YAC9C,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAC7D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,EAAE,sCAAsC,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAED,2DAA2D;IACnD,KAAK,CAAC,cAAc;QAC1B,IAAI,CAAC;YACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,OAAO;YAE1C,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACpD,IAAI,KAAK,CAAC,IAAI,GAAG,YAAY,EAAE,CAAC;gBAC9B,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;gBACjE,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,SAAS,MAAM,CAAC;gBACxD,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;gBACrD,GAAG,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,EAAE,2BAA2B,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,2BAA2B,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;CACF"}

package/dist/channels/channel-identity-registry.d.ts

@@ -0,0 +1,103 @@
+/**
+ * ChannelIdentityRegistry — loads and manages channel policy configuration.
+ *
+ * Reads config/channel-policy.toml and provides:
+ *   - User trust definitions (phone → role mappings)
+ *   - Capability set definitions (role → allowed tools)
+ *   - Hot-reload on SIGHUP
+ *
+ * INVARIANT-3: Unknown senders receive NO response
+ */
+import { CapabilitySet } from "../types/channel.js";
+export interface UserPolicy {
+    phone: string;
+    name: string;
+    channels: string[];
+    role: string;
+    dm_role?: string;
+}
+export interface CapabilitySetConfig {
+    tools: string[];
+    destructive_ops: boolean;
+    action_budget: number;
+    param_constraints?: {
+        bash?: {
+            command_allowlist?: string[];
+            command_blocklist?: string[];
+        };
+        write_file?: {
+            path_allowlist?: string[];
+        };
+    };
+}
+export interface ChannelPolicyConfig {
+    signal?: {
+        phone_number?: string;
+        signal_cli_path?: string;
+        linked_device?: boolean;
+        daemon_port?: number;
+        auto_trust_new_identities?: boolean;
+    };
+    channels?: {
+        prompt_injection?: {
+            enabled?: boolean;
+            scanner_url?: string;
+            block_on_high_risk?: boolean;
+        };
+        quarantine?: {
+            enabled?: boolean;
+            model?: string;
+        };
+    };
+    channel_policy?: {
+        users?: UserPolicy[];
+    };
+    capability_sets?: Record<string, CapabilitySetConfig>;
+}
+export declare class ChannelIdentityRegistry {
+    private config;
+    private configPath;
+    private reloadCallbacks;
+    private constructor();
+    /**
+     * Load registry from TOML file.
+     * Throws if file doesn't exist or has invalid structure.
+     */
+    static load(configPath: string): Promise<ChannelIdentityRegistry>;
+    /**
+     * Reload configuration from disk.
+     * Called on startup and on SIGHUP.
+     */
+    reload(): Promise<void>;
+    /** Register a callback to be called when config is hot-reloaded */
+    onReload(callback: () => void): void;
+    /** Get all user policies */
+    getUsers(): UserPolicy[];
+    /**
+     * Get a specific user policy by phone number.
+     * Normalizes input to handle minor formatting differences before lookup.
+     */
+    getUser(phone: string): UserPolicy | undefined;
+    /** Get all capability set definitions */
+    getCapabilitySets(): Record<string, CapabilitySetConfig>;
+    /** Get raw capability set config (snake_case) for a given role */
+    getCapabilitySetConfig(role: string): CapabilitySetConfig | undefined;
+    /**
+     * Get a fully-typed CapabilitySet (camelCase) for a given role and sender.
+     * Transforms snake_case TOML config fields to the CapabilitySet interface.
+     * Returns undefined when the role is not found.
+     */
+    getCapabilitySet(role: string, senderPhone: string, channelId: string): CapabilitySet | undefined;
+    /** Get Signal daemon configuration */
+    getSignalConfig(): ChannelPolicyConfig["signal"];
+    /** Get quarantine model name */
+    getQuarantineModel(): string;
+    /** Get prompt injection config */
+    getPromptInjectionConfig(): NonNullable<ChannelPolicyConfig["channels"]>["prompt_injection"];
+    /**
+     * Set up hot-reload via SIGHUP.
+     * Call once after registry is loaded.
+     */
+    listenForReload(): void;
+}
+//# sourceMappingURL=channel-identity-registry.d.ts.map

package/dist/channels/channel-identity-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"channel-identity-registry.d.ts","sourceRoot":"","sources":["../../src/channels/channel-identity-registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAiCpD,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,eAAe,EAAE,OAAO,CAAC;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE;QAClB,IAAI,CAAC,EAAE;YAAE,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;YAAC,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;SAAE,CAAC;QACtE,UAAU,CAAC,EAAE;YAAE,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;SAAE,CAAC;KAC5C,CAAC;CACH;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,CAAC,EAAE;QACP,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,yBAAyB,CAAC,EAAE,OAAO,CAAC;KACrC,CAAC;IACF,QAAQ,CAAC,EAAE;QACT,gBAAgB,CAAC,EAAE;YACjB,OAAO,CAAC,EAAE,OAAO,CAAC;YAClB,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB,kBAAkB,CAAC,EAAE,OAAO,CAAC;SAC9B,CAAC;QACF,UAAU,CAAC,EAAE;YACX,OAAO,CAAC,EAAE,OAAO,CAAC;YAClB,KAAK,CAAC,EAAE,MAAM,CAAC;SAChB,CAAC;KACH,CAAC;IACF,cAAc,CAAC,EAAE;QACf,KAAK,CAAC,EAAE,UAAU,EAAE,CAAC;KACtB,CAAC;IACF,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;CACvD;AAED,qBAAa,uBAAuB;IAClC,OAAO,CAAC,MAAM,CAA2B;IACzC,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,eAAe,CAAyB;IAEhD,OAAO;IAIP;;;OAGG;WACU,IAAI,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAMvE;;;OAGG;IACG,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAO7B,mEAAmE;IACnE,QAAQ,CAAC,QAAQ,EAAE,MAAM,IAAI,GAAG,IAAI;IAIpC,4BAA4B;IAC5B,QAAQ,IAAI,UAAU,EAAE;IAIxB;;;OAGG;IACH,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;IAU9C,yCAAyC;IACzC,iBAAiB,IAAI,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC;IAIxD,kEAAkE;IAClE,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,mBAAmB,GAAG,SAAS;IAIrE;;;;OAIG;IACH,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAsBjG,sCAAsC;IACtC,eAAe,IAAI,mBAAmB,CAAC,QAAQ,CAAC;IAIhD,gCAAgC;IAChC,kBAAkB,IAAI,MAAM;IAI5B,kCAAkC;IAClC,wBAAwB,IAAI,WAAW,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC,CAAC,kBAAkB,CAAC;IAI5F;;;OAGG;IACH,eAAe,IAAI,IAAI;CAaxB"}

package/dist/channels/channel-identity-registry.js

@@ -0,0 +1,155 @@
+/**
+ * ChannelIdentityRegistry — loads and manages channel policy configuration.
+ *
+ * Reads config/channel-policy.toml and provides:
+ *   - User trust definitions (phone → role mappings)
+ *   - Capability set definitions (role → allowed tools)
+ *   - Hot-reload on SIGHUP
+ *
+ * INVARIANT-3: Unknown senders receive NO response
+ */
+import { readFileSync } from "fs";
+import { resolve } from "path";
+// Using smol-toml or @iarna/toml if available, fallback to manual parse
+// Try dynamic import to handle either package
+async function loadTomlParser() {
+    try {
+        const { parse } = await import("smol-toml");
+        return parse;
+    }
+    catch {
+        try {
+            const toml = await import("@iarna/toml");
+            return toml.parse;
+        }
+        catch {
+            // Fallback: basic TOML-like parser for our specific config shape
+            // This handles the exact structure of channel-policy.toml
+            return parseChannelPolicyToml;
+        }
+    }
+}
+/**
+ * Basic TOML parser for channel-policy.toml structure.
+ * Only handles the exact keys we need — not a general TOML parser.
+ */
+function parseChannelPolicyToml(_content) {
+    // We'll use a JSON-compatible approach: convert TOML to a JS object manually
+    // This is a limited fallback — recommend installing smol-toml
+    throw new Error("No TOML parser available. Install smol-toml: npm install smol-toml\n" +
+        "Or @iarna/toml: npm install @iarna/toml");
+}
+export class ChannelIdentityRegistry {
+    config = {};
+    configPath;
+    reloadCallbacks = [];
+    constructor(configPath) {
+        this.configPath = resolve(configPath);
+    }
+    /**
+     * Load registry from TOML file.
+     * Throws if file doesn't exist or has invalid structure.
+     */
+    static async load(configPath) {
+        const registry = new ChannelIdentityRegistry(configPath);
+        await registry.reload();
+        return registry;
+    }
+    /**
+     * Reload configuration from disk.
+     * Called on startup and on SIGHUP.
+     */
+    async reload() {
+        const parse = await loadTomlParser();
+        const content = readFileSync(this.configPath, "utf-8");
+        this.config = parse(content);
+        this.reloadCallbacks.forEach(cb => cb());
+    }
+    /** Register a callback to be called when config is hot-reloaded */
+    onReload(callback) {
+        this.reloadCallbacks.push(callback);
+    }
+    /** Get all user policies */
+    getUsers() {
+        return this.config.channel_policy?.users ?? [];
+    }
+    /**
+     * Get a specific user policy by phone number.
+     * Normalizes input to handle minor formatting differences before lookup.
+     */
+    getUser(phone) {
+        // Normalize both sides: strip formatting, ensure + prefix for consistent comparison.
+        const norm = (p) => {
+            const stripped = p.trim().replace(/[\s\-().]/g, "");
+            return stripped.startsWith("+") ? stripped : "+" + stripped;
+        };
+        const lookup = norm(phone);
+        return this.getUsers().find(u => norm(u.phone) === lookup);
+    }
+    /** Get all capability set definitions */
+    getCapabilitySets() {
+        return this.config.capability_sets ?? {};
+    }
+    /** Get raw capability set config (snake_case) for a given role */
+    getCapabilitySetConfig(role) {
+        return this.getCapabilitySets()[role];
+    }
+    /**
+     * Get a fully-typed CapabilitySet (camelCase) for a given role and sender.
+     * Transforms snake_case TOML config fields to the CapabilitySet interface.
+     * Returns undefined when the role is not found.
+     */
+    getCapabilitySet(role, senderPhone, channelId) {
+        const cfg = this.getCapabilitySetConfig(role);
+        if (!cfg)
+            return undefined;
+        return {
+            senderPhone,
+            channelId,
+            role,
+            allowedTools: cfg.tools ?? [],
+            destructiveOpsAllowed: cfg.destructive_ops ?? false,
+            actionBudget: cfg.action_budget ?? 0,
+            paramConstraints: cfg.param_constraints ? {
+                bash: cfg.param_constraints.bash ? {
+                    commandAllowlist: cfg.param_constraints.bash.command_allowlist,
+                    commandBlocklist: cfg.param_constraints.bash.command_blocklist,
+                } : undefined,
+                write_file: cfg.param_constraints.write_file ? {
+                    pathAllowlist: cfg.param_constraints.write_file.path_allowlist,
+                } : undefined,
+            } : undefined,
+        };
+    }
+    /** Get Signal daemon configuration */
+    getSignalConfig() {
+        return this.config.signal;
+    }
+    /** Get quarantine model name */
+    getQuarantineModel() {
+        return this.config.channels?.quarantine?.model ?? "claude-haiku-4-5-20251001";
+    }
+    /** Get prompt injection config */
+    getPromptInjectionConfig() {
+        return this.config.channels?.prompt_injection;
+    }
+    /**
+     * Set up hot-reload via SIGHUP.
+     * Call once after registry is loaded.
+     */
+    listenForReload() {
+        process.on("SIGHUP", async () => {
+            try {
+                console.log("[policy] SIGHUP received — reloading channel policy...");
+                await this.reload();
+                const userCount = this.getUsers().length;
+                const setCount = Object.keys(this.getCapabilitySets()).length;
+                console.log(`[policy] Config reloaded: ${userCount} users, ${setCount} capability sets`);
+            }
+            catch (err) {
+                console.error("[policy] Config reload failed:", err);
+            }
+        });
+    }
+}
+//# sourceMappingURL=channel-identity-registry.js.map

package/dist/channels/channel-identity-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"channel-identity-registry.js","sourceRoot":"","sources":["../../src/channels/channel-identity-registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAG/B,wEAAwE;AACxE,8CAA8C;AAC9C,KAAK,UAAU,cAAc;IAC3B,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,WAAqB,CAAC,CAAC;QACtD,OAAO,KAAqD,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,aAAuB,CAAC,CAAC;YACnD,OAAO,IAAI,CAAC,KAAqD,CAAC;QACpE,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;YACjE,0DAA0D;YAC1D,OAAO,sBAAsB,CAAC;QAChC,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAAC,QAAgB;IAC9C,6EAA6E;IAC7E,8DAA8D;IAC9D,MAAM,IAAI,KAAK,CACb,sEAAsE;QACtE,yCAAyC,CAC1C,CAAC;AACJ,CAAC;AA6CD,MAAM,OAAO,uBAAuB;IAC1B,MAAM,GAAwB,EAAE,CAAC;IACjC,UAAU,CAAS;IACnB,eAAe,GAAsB,EAAE,CAAC;IAEhD,YAAoB,UAAkB;QACpC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACxC,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,UAAkB;QAClC,MAAM,QAAQ,GAAG,IAAI,uBAAuB,CAAC,UAAU,CAAC,CAAC;QACzD,MAAM,QAAQ,CAAC,MAAM,EAAE,CAAC;QACxB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM;QACV,MAAM,KAAK,GAAG,MAAM,cAAc,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,OAAO,CAAwB,CAAC;QACpD,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED,mEAAmE;IACnE,QAAQ,CAAC,QAAoB;QAC3B,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAED,4BAA4B;IAC5B,QAAQ;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC;IACjD,CAAC;IAED;;;OAGG;IACH,OAAO,CAAC,KAAa;QACnB,qFAAqF;QACrF,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,EAAE;YACzB,MAAM,QAAQ,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;YACpD,OAAO,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,GAAG,QAAQ,CAAC;QAC9D,CAAC,CAAC;QACF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3B,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC,CAAC;IAC7D,CAAC;IAED,yCAAyC;IACzC,iBAAiB;QACf,OAAO,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,CAAC;IAC3C,CAAC;IAED,kEAAkE;IAClE,sBAAsB,CAAC,IAAY;QACjC,OAAO,IAAI,CAAC,iBAAiB,EAAE,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;IAED;;;;OAIG;IACH,gBAAgB,CAAC,IAAY,EAAE,WAAmB,EAAE,SAAiB;QACnE,MAAM,GAAG,GAAG,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC;QAC9C,IAAI,CAAC,GAAG;YAAE,OAAO,SAAS,CAAC;QAC3B,OAAO;YACL,WAAW;YACX,SAAS;YACT,IAAI;YACJ,YAAY,EAAE,GAAG,CAAC,KAAK,IAAI,EAAE;YAC7B,qBAAqB,EAAE,GAAG,CAAC,eAAe,IAAI,KAAK;YACnD,YAAY,EAAE,GAAG,CAAC,aAAa,IAAI,CAAC;YACpC,gBAAgB,EAAE,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC;gBACxC,IAAI,EAAE,GAAG,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;oBACjC,gBAAgB,EAAE,GAAG,CAAC,iBAAiB,CAAC,IAAI,CAAC,iBAAiB;oBAC9D,gBAAgB,EAAE,GAAG,CAAC,iBAAiB,CAAC,IAAI,CAAC,iBAAiB;iBAC/D,CAAC,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,GAAG,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC,CAAC;oBAC7C,aAAa,EAAE,GAAG,CAAC,iBAAiB,CAAC,UAAU,CAAC,cAAc;iBAC/D,CAAC,CAAC,CAAC,SAAS;aACd,CAAC,CAAC,CAAC,SAAS;SACd,CAAC;IACJ,CAAC;IAED,sCAAsC;IACtC,eAAe;QACb,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IAC5B,CAAC;IAED,gCAAgC;IAChC,kBAAkB;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,KAAK,IAAI,2BAA2B,CAAC;IAChF,CAAC;IAED,kCAAkC;IAClC,wBAAwB;QACtB,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;IAChD,CAAC;IAED;;;OAGG;IACH,eAAe;QACb,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC9B,IAAI,CAAC;gBACH,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;gBACtE,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;gBACpB,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC,MAAM,CAAC;gBACzC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC,CAAC,MAAM,CAAC;gBAC9D,OAAO,CAAC,GAAG,CAAC,6BAA6B,SAAS,WAAW,QAAQ,kBAAkB,CAAC,CAAC;YAC3F,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,GAAG,CAAC,CAAC;YACvD,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/channels/channel-manager.d.ts

@@ -0,0 +1,55 @@
+/**
+ * ChannelManager — Orchestrates the secure message pipeline for all channels.
+ *
+ * Single pipeline:
+ *   policy gate → capability resolver → quarantine → orchestrator → response.
+ *
+ * Every channel (Signal, Telegram, etc.) uses this path. No bypass.
+ *
+ * INVARIANT-9: All channels use ChannelManager.handleMessage() — no bypass path.
+ */
+import { ChannelMessage } from '../types/channel.js';
+import { IChannelAdapter } from './channel-adapter.js';
+import { ChannelPolicyGate } from './channel-policy-gate.js';
+import { CapabilityResolver } from './capability-resolver.js';
+import { QuarantineProcessor } from './quarantine-processor.js';
+import { ChannelAuditLog } from './channel-audit-log.js';
+/** Interface for the Orchestrator's submitTask method used by ChannelManager */
+interface TaskSubmittable {
+    submitTask(options: {
+        prompt: string;
+        channelContext: {
+            capability: any;
+            channelMessage: ChannelMessage;
+        };
+        onEvent: (event: any) => void;
+    }): Promise<string>;
+}
+export declare class ChannelManager {
+    private readonly _adapters;
+    private readonly _orchestrator;
+    private readonly _gate;
+    private readonly _resolver;
+    private readonly _quarantine;
+    private readonly _audit;
+    constructor(orchestrator: TaskSubmittable, gate: ChannelPolicyGate, resolver: CapabilityResolver, quarantine: QuarantineProcessor, audit?: ChannelAuditLog | null);
+    /**
+     * Register a communication adapter and start its message listener.
+     */
+    registerAdapter(adapter: IChannelAdapter): Promise<void>;
+    /**
+     * Start all registered adapters.
+     */
+    start(): Promise<void>;
+    /**
+     * Stop all registered adapters.
+     */
+    stop(): Promise<void>;
+    /**
+     * The secure message pipeline.
+     * INVARIANT-9: All channels use this path.
+     */
+    handleMessage(adapter: IChannelAdapter, msg: ChannelMessage): Promise<void>;
+}
+export {};
+//# sourceMappingURL=channel-manager.d.ts.map

package/dist/channels/channel-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"channel-manager.d.ts","sourceRoot":"","sources":["../../src/channels/channel-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAKzD,gFAAgF;AAChF,UAAU,eAAe;IACvB,UAAU,CAAC,OAAO,EAAE;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE;YACd,UAAU,EAAE,GAAG,CAAC;YAChB,cAAc,EAAE,cAAc,CAAC;SAChC,CAAC;QACF,OAAO,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,IAAI,CAAC;KAC/B,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACrB;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAsC;IAChE,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAkB;IAChD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAoB;IAC1C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAqB;IAC/C,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAsB;IAClD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAyB;gBAG9C,YAAY,EAAE,eAAe,EAC7B,IAAI,EAAE,iBAAiB,EACvB,QAAQ,EAAE,kBAAkB,EAC5B,UAAU,EAAE,mBAAmB,EAC/B,KAAK,GAAE,eAAe,GAAG,IAAW;IAStC;;OAEG;IACG,eAAe,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC;IAa9D;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAO5B;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAO3B;;;OAGG;IACG,aAAa,CAAC,OAAO,EAAE,eAAe,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;CA4FlF"}