@action-llama/action-llama 0.10.1 → 0.11.0

package/dist/cloud/aws/iam.js

@@ -0,0 +1,442 @@
+/**
+ * AWS IAM reconciliation for ECS cloud agents.
+ *
+ * Extracted from cli/commands/cloud-iam.ts into the cloud provider module.
+ * Handles per-agent IAM task roles, Lambda roles, and ECR policies.
+ */
+import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
+import { IAMClient, CreateRoleCommand, PutRolePolicyCommand, PutUserPolicyCommand, GetRoleCommand, } from "@aws-sdk/client-iam";
+import { ECRClient, SetRepositoryPolicyCommand } from "@aws-sdk/client-ecr";
+import { discoverAgents, loadAgentConfig, loadGlobalConfig } from "../../shared/config.js";
+import { parseCredentialRef } from "../../shared/credentials.js";
+import { AWS_CONSTANTS } from "./constants.js";
+import { CONSTANTS } from "../../shared/constants.js";
+import { ConfigError, CloudProviderError } from "../../shared/errors.js";
+/**
+ * Reconcile per-agent ECS task roles and Secrets Manager policies.
+ *
+ * Creates an IAM task role for each agent with a trust policy for
+ * ecs-tasks.amazonaws.com, then attaches an inline policy granting
+ * secretsmanager:GetSecretValue on each agent's declared credentials.
+ */
+export async function reconcileAwsAgents(projectPath, cloud) {
+    const { awsRegion, ecrRepository, awsSecretPrefix } = cloud;
+    if (!awsRegion) {
+        throw new ConfigError("cloud.awsRegion is required in config.toml");
+    }
+    if (!ecrRepository) {
+        throw new ConfigError("cloud.ecrRepository is required in config.toml");
+    }
+    const secretPrefix = awsSecretPrefix || CONSTANTS.DEFAULT_SECRET_PREFIX;
+    // Extract account ID from ECR repo URI
+    const accountMatch = ecrRepository.match(/^(\d+)\.dkr\.ecr\./);
+    if (!accountMatch) {
+        throw new ConfigError(`Cannot extract AWS account ID from cloud.ecrRepository: "${ecrRepository}". ` +
+            `Expected format: 123456789012.dkr.ecr.<region>.amazonaws.com/<repo>`);
+    }
+    const accountId = accountMatch[1];
+    // Verify AWS credentials are valid
+    const stsClient = new STSClient({ region: awsRegion });
+    try {
+        await stsClient.send(new GetCallerIdentityCommand({}));
+    }
+    catch (err) {
+        throw new CloudProviderError("AWS CLI is not authenticated. Run 'aws configure' or set AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY.\n" +
+            `Original error: ${err.message}`);
+    }
+    const agents = discoverAgents(projectPath);
+    if (agents.length === 0) {
+        console.log("No agents found. Create agents first.");
+        return;
+    }
+    // Trust policy for ECS tasks
+    const trustPolicy = JSON.stringify({
+        Version: "2012-10-17",
+        Statement: [{
+                Effect: "Allow",
+                Principal: { Service: "ecs-tasks.amazonaws.com" },
+                Action: "sts:AssumeRole",
+            }],
+    });
+    const iamClient = new IAMClient({ region: awsRegion });
+    // Ensure execution role has Secrets Manager access (ECS uses this role to inject secrets)
+    if (cloud.executionRoleArn) {
+        const executionRoleName = cloud.executionRoleArn.split("/").pop();
+        try {
+            await iamClient.send(new PutRolePolicyCommand({
+                RoleName: executionRoleName,
+                PolicyName: "ActionLlamaExecution",
+                PolicyDocument: JSON.stringify({
+                    Version: "2012-10-17",
+                    Statement: [
+                        {
+                            Effect: "Allow",
+                            Action: "secretsmanager:GetSecretValue",
+                            Resource: `arn:aws:secretsmanager:${awsRegion}:${accountId}:secret:${secretPrefix}/*`,
+                        },
+                        {
+                            Effect: "Allow",
+                            Action: "logs:CreateLogGroup",
+                            Resource: `arn:aws:logs:${awsRegion}:${accountId}:log-group:${AWS_CONSTANTS.LOG_GROUP}*`,
+                        },
+                    ],
+                }),
+            }));
+            console.log(`Execution role (${executionRoleName}): Secrets Manager + CloudWatch policy applied`);
+        }
+        catch (err) {
+            throw new CloudProviderError(`Failed to attach ActionLlamaExecution policy to ${executionRoleName}: ${err.message}\n` +
+                `The execution role needs secretsmanager:GetSecretValue and logs:CreateLogGroup permissions.\n` +
+                `Either grant your IAM user iam:PutRolePolicy on this role, or attach the policy manually in the AWS Console.`);
+        }
+    }
+    // Ensure ECR repository policy grants Lambda pull access
+    await ensureLambdaEcrPolicy(awsRegion, ecrRepository);
+    console.log(`\nSetting up ECS task roles for ${agents.length} agent(s)...\n`);
+    for (const name of agents) {
+        const config = loadAgentConfig(projectPath, name);
+        const roleName = AWS_CONSTANTS.taskRoleName(name);
+        console.log(`  Agent: ${name}`);
+        console.log(`    Role: ${roleName}`);
+        // 1. Create IAM role (idempotent)
+        try {
+            await iamClient.send(new CreateRoleCommand({
+                RoleName: roleName,
+                AssumeRolePolicyDocument: trustPolicy,
+            }));
+            console.log(`    Created IAM role`);
+        }
+        catch (err) {
+            if (err.name === "EntityAlreadyExistsException") {
+                console.log(`    IAM role already exists`);
+            }
+            else {
+                throw err;
+            }
+        }
+        // 2. Collect secret ARNs this agent needs
+        const credRefs = [...new Set(config.credentials)];
+        if (config.model.authType !== "pi_auth" && !credRefs.includes("anthropic_key:default")) {
+            credRefs.push("anthropic_key:default");
+        }
+        const secretArns = [];
+        for (const ref of credRefs) {
+            const { type, instance } = parseCredentialRef(ref);
+            secretArns.push(`arn:aws:secretsmanager:${awsRegion}:${accountId}:secret:${secretPrefix}/${type}/${instance}/*`);
+        }
+        // 3. Put inline policy for Secrets Manager access
+        if (secretArns.length > 0) {
+            const policy = JSON.stringify({
+                Version: "2012-10-17",
+                Statement: [{
+                        Effect: "Allow",
+                        Action: "secretsmanager:GetSecretValue",
+                        Resource: secretArns,
+                    }],
+            });
+            try {
+                await iamClient.send(new PutRolePolicyCommand({
+                    RoleName: roleName,
+                    PolicyName: "SecretsAccess",
+                    PolicyDocument: policy,
+                }));
+                console.log(`    Bound ${secretArns.length} secret path(s)`);
+            }
+            catch (err) {
+                console.log(`    Warning: failed to put policy: ${err.message}`);
+            }
+        }
+        else {
+            console.log(`    No secrets to bind`);
+        }
+        console.log("");
+    }
+    // Grant iam:PassRole on ECS task roles + execution role to the calling identity
+    const taskRoleArns = agents.map((name) => `arn:aws:iam::${accountId}:role/${AWS_CONSTANTS.taskRoleName(name)}`);
+    if (cloud.executionRoleArn) {
+        taskRoleArns.push(cloud.executionRoleArn);
+    }
+    if (taskRoleArns.length > 0) {
+        await grantPassRole(awsRegion, iamClient, taskRoleArns, "ActionLlamaEcsPassRole");
+    }
+    console.log("Done. Each agent now has an isolated IAM task role with access to only its declared secrets.");
+    console.log(`\nTask roles follow the convention: al-{agentName}-task-role`);
+    console.log("The ECS runtime will use them automatically at launch time.");
+}
+// --- Helpers ---
+/**
+ * Grant iam:PassRole on the given role ARNs to the calling IAM user.
+ * Required so the CLI can assign roles to ECS tasks and Lambda functions.
+ */
+export async function grantPassRole(awsRegion, iamClient, roleArns, policyName) {
+    const stsClient = new STSClient({ region: awsRegion });
+    const identity = await stsClient.send(new GetCallerIdentityCommand({}));
+    const callerArn = identity.Arn;
+    // Extract user name from ARN (arn:aws:iam::ACCOUNT:user/USERNAME)
+    const userMatch = callerArn.match(/:user\/(.+)$/);
+    if (!userMatch) {
+        console.log(`\n  Note: Caller ${callerArn} is not an IAM user — skipping iam:PassRole auto-grant.`);
+        console.log(`  If you get PassRole errors, add this policy to your IAM identity:`);
+        console.log(JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [{
+                    Effect: "Allow",
+                    Action: "iam:PassRole",
+                    Resource: roleArns,
+                }],
+        }, null, 2));
+        return;
+    }
+    const userName = userMatch[1];
+    const policy = JSON.stringify({
+        Version: "2012-10-17",
+        Statement: [{
+                Effect: "Allow",
+                Action: "iam:PassRole",
+                Resource: roleArns,
+            }],
+    });
+    try {
+        await iamClient.send(new PutUserPolicyCommand({
+            UserName: userName,
+            PolicyName: policyName,
+            PolicyDocument: policy,
+        }));
+        console.log(`  Granted iam:PassRole on ${roleArns.length} role(s) to user ${userName}`);
+    }
+    catch (err) {
+        console.log(`  Warning: could not grant iam:PassRole to user ${userName}: ${err.message}`);
+        console.log(`  You may need to manually add iam:PassRole permission for these roles:`);
+        for (const arn of roleArns) {
+            console.log(`    - ${arn}`);
+        }
+    }
+}
+/**
+ * Validate that per-agent ECS task roles exist and have correct trust policies.
+ */
+export async function validateEcsRoles(projectPath, cloud) {
+    const { awsRegion } = cloud;
+    if (!awsRegion) {
+        throw new ConfigError("cloud.awsRegion is required for ECS validation");
+    }
+    const agents = discoverAgents(projectPath);
+    if (agents.length === 0)
+        return;
+    const iamClient = new IAMClient({ region: awsRegion });
+    const missing = [];
+    const hasIncorrectTrust = [];
+    for (const name of agents) {
+        const roleName = AWS_CONSTANTS.taskRoleName(name);
+        try {
+            const role = await iamClient.send(new GetRoleCommand({ RoleName: roleName }));
+            // Check if the role has the correct trust policy for ECS tasks
+            const trustPolicy = JSON.parse(decodeURIComponent(role.Role.AssumeRolePolicyDocument));
+            const hasEcsTrust = trustPolicy.Statement?.some((stmt) => stmt.Effect === "Allow" &&
+                stmt.Principal?.Service === "ecs-tasks.amazonaws.com" &&
+                (stmt.Action === "sts:AssumeRole" || stmt.Action?.includes("sts:AssumeRole")));
+            if (!hasEcsTrust) {
+                hasIncorrectTrust.push(roleName);
+                console.log(`  [TRUST ISSUE] ${roleName} - missing ECS task trust policy`);
+            }
+            else {
+                console.log(`  [ok] ${roleName}`);
+            }
+        }
+        catch (err) {
+            if (err.name === "NoSuchEntityException") {
+                missing.push(roleName);
+                console.log(`  [MISSING] ${roleName}`);
+            }
+            else {
+                console.log(`  [ERROR] ${roleName}: ${err.message}`);
+            }
+        }
+    }
+    if (missing.length > 0 || hasIncorrectTrust.length > 0) {
+        console.log(`\nFound IAM role issues that will cause ECS task failures:`);
+        if (missing.length > 0) {
+            console.log(`\n${missing.length} IAM task role(s) are missing:`);
+            missing.forEach(role => console.log(`  - ${role}`));
+            console.log(`\nFix: Run 'al doctor -c' to create missing roles automatically.`);
+        }
+        if (hasIncorrectTrust.length > 0) {
+            console.log(`\n${hasIncorrectTrust.length} IAM role(s) have incorrect trust policies:`);
+            hasIncorrectTrust.forEach(role => console.log(`  - ${role}`));
+            console.log(`\nFix: Update trust policy to allow ECS tasks to assume the role:`);
+            console.log(`For each role above, run:`);
+            console.log(`  aws iam update-assume-role-policy --role-name ROLE_NAME --policy-document file://ecs-trust.json`);
+        }
+        console.log(`\nECS task trust policy (save as ecs-trust.json):`);
+        console.log(JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [{
+                    Effect: "Allow",
+                    Principal: { Service: "ecs-tasks.amazonaws.com" },
+                    Action: "sts:AssumeRole",
+                }],
+        }, null, 2));
+        console.log(`\nAlternatively, re-run the cloud setup to fix all issues:`);
+        console.log(`  al cloud setup`);
+        // Throw error to prevent proceeding with invalid configuration
+        throw new CloudProviderError(`${missing.length + hasIncorrectTrust.length} IAM task role(s) have issues that will prevent ECS tasks from starting. Fix the roles above before proceeding.`);
+    }
+    else {
+        console.log(`All ${agents.length} IAM task role(s) exist and have correct trust policies.`);
+    }
+}
+/**
+ * Ensure the ECR repository policy grants Lambda pull access.
+ */
+export async function ensureLambdaEcrPolicy(awsRegion, ecrRepoUri) {
+    const repoName = ecrRepoUri.split("/").pop();
+    if (!repoName)
+        return;
+    const ecrClient = new ECRClient({ region: awsRegion });
+    const policy = JSON.stringify({
+        Version: "2012-10-17",
+        Statement: [{
+                Sid: "LambdaECRImageRetrievalPolicy",
+                Effect: "Allow",
+                Principal: { Service: "lambda.amazonaws.com" },
+                Action: [
+                    "ecr:BatchGetImage",
+                    "ecr:GetDownloadUrlForLayer",
+                ],
+            }],
+    });
+    try {
+        await ecrClient.send(new SetRepositoryPolicyCommand({
+            repositoryName: repoName,
+            policyText: policy,
+        }));
+        console.log(`ECR repository policy: granted Lambda pull access`);
+    }
+    catch (err) {
+        console.log(`Warning: could not set ECR repository policy for Lambda: ${err.message}`);
+    }
+}
+/**
+ * Reconcile per-agent Lambda execution roles for agents with short timeouts.
+ *
+ * Agents with timeout <= LAMBDA_MAX_TIMEOUT are automatically routed to Lambda.
+ * Each gets an IAM role with Secrets Manager, ECR, and CloudWatch Logs access.
+ */
+export async function reconcileLambdaRoles(projectPath, cloud) {
+    const { awsRegion, ecrRepository, awsSecretPrefix } = cloud;
+    if (!awsRegion || !ecrRepository)
+        return;
+    const secretPrefix = awsSecretPrefix || CONSTANTS.DEFAULT_SECRET_PREFIX;
+    const accountMatch = ecrRepository.match(/^(\d+)\.dkr\.ecr\./);
+    if (!accountMatch)
+        return;
+    const accountId = accountMatch[1];
+    const globalConfig = loadGlobalConfig(projectPath);
+    const agents = discoverAgents(projectPath);
+    const iamClient = new IAMClient({ region: awsRegion });
+    // Trust policy for Lambda
+    const trustPolicy = JSON.stringify({
+        Version: "2012-10-17",
+        Statement: [{
+                Effect: "Allow",
+                Principal: { Service: "lambda.amazonaws.com" },
+                Action: "sts:AssumeRole",
+            }],
+    });
+    let created = 0;
+    for (const name of agents) {
+        const config = loadAgentConfig(projectPath, name);
+        const effectiveTimeout = config.timeout ?? globalConfig.local?.timeout ?? 900;
+        // Only create Lambda roles for agents that will route to Lambda
+        if (effectiveTimeout > AWS_CONSTANTS.LAMBDA_MAX_TIMEOUT)
+            continue;
+        const roleName = AWS_CONSTANTS.lambdaRoleName(name);
+        // Create role
+        try {
+            await iamClient.send(new CreateRoleCommand({
+                RoleName: roleName,
+                AssumeRolePolicyDocument: trustPolicy,
+            }));
+            console.log(`  Created Lambda role: ${roleName}`);
+            created++;
+        }
+        catch (err) {
+            if (err.name === "EntityAlreadyExistsException") {
+                console.log(`  [ok] ${roleName}`);
+            }
+            else {
+                console.log(`  [ERROR] ${roleName}: ${err.message}`);
+                continue;
+            }
+        }
+        // Add secrets + ECR + logs policy
+        const credRefs = [...new Set(config.credentials)];
+        if (config.model.authType !== "pi_auth" && !credRefs.includes("anthropic_key:default")) {
+            credRefs.push("anthropic_key:default");
+        }
+        const secretArns = credRefs.map((ref) => {
+            const { type, instance } = parseCredentialRef(ref);
+            return `arn:aws:secretsmanager:${awsRegion}:${accountId}:secret:${secretPrefix}/${type}/${instance}/*`;
+        });
+        const policy = JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Action: "secretsmanager:GetSecretValue",
+                    Resource: secretArns,
+                },
+                {
+                    Effect: "Allow",
+                    Action: [
+                        "logs:CreateLogGroup",
+                        "logs:CreateLogStream",
+                        "logs:PutLogEvents",
+                    ],
+                    Resource: `arn:aws:logs:${awsRegion}:${accountId}:*`,
+                },
+                {
+                    Effect: "Allow",
+                    Action: "ecr:GetAuthorizationToken",
+                    Resource: "*",
+                },
+                {
+                    Effect: "Allow",
+                    Action: [
+                        "ecr:BatchGetImage",
+                        "ecr:GetDownloadUrlForLayer",
+                    ],
+                    Resource: `arn:aws:ecr:${awsRegion}:${accountId}:repository/*`,
+                },
+            ],
+        });
+        try {
+            await iamClient.send(new PutRolePolicyCommand({
+                RoleName: roleName,
+                PolicyName: "LambdaExecution",
+                PolicyDocument: policy,
+            }));
+        }
+        catch (err) {
+            console.log(`  Warning: failed to put policy on ${roleName}: ${err.message}`);
+        }
+    }
+    if (created > 0) {
+        console.log(`Created ${created} Lambda execution role(s).`);
+    }
+    else {
+        console.log(`All Lambda roles up to date.`);
+    }
+    // Grant iam:PassRole on Lambda roles to the calling identity
+    const lambdaRoleArns = agents
+        .filter((name) => {
+        const config = loadAgentConfig(projectPath, name);
+        const effectiveTimeout = config.timeout ?? globalConfig.local?.timeout ?? 900;
+        return effectiveTimeout <= AWS_CONSTANTS.LAMBDA_MAX_TIMEOUT;
+    })
+        .map((name) => `arn:aws:iam::${accountId}:role/${AWS_CONSTANTS.lambdaRoleName(name)}`);
+    if (lambdaRoleArns.length > 0) {
+        await grantPassRole(awsRegion, iamClient, lambdaRoleArns, "ActionLlamaLambdaPassRole");
+    }
+}
+//# sourceMappingURL=iam.js.map

package/dist/cloud/aws/iam.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"iam.js","sourceRoot":"","sources":["../../../src/cloud/aws/iam.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,SAAS,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,oBAAoB,EACpB,oBAAoB,EACpB,cAAc,GACf,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,0BAA0B,EAAE,MAAM,qBAAqB,CAAC;AAC5E,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE3F,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAEzE;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,WAAmB,EAAE,KAAqB;IACjF,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,KAAK,CAAC;IAC5D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,WAAW,CAAC,4CAA4C,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,WAAW,CAAC,gDAAgD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,YAAY,GAAG,eAAe,IAAI,SAAS,CAAC,qBAAqB,CAAC;IAExE,uCAAuC;IACvC,MAAM,YAAY,GAAG,aAAa,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;IAC/D,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,WAAW,CACnB,4DAA4D,aAAa,KAAK;YAC9E,qEAAqE,CACtE,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IAElC,mCAAmC;IACnC,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IACvD,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,wBAAwB,CAAC,EAAE,CAAC,CAAC,CAAC;IACzD,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,IAAI,kBAAkB,CAC1B,qGAAqG;YACrG,mBAAmB,GAAG,CAAC,OAAO,EAAE,CACjC,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAC3C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;QACrD,OAAO;IACT,CAAC;IAED,6BAA6B;IAC7B,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE,CAAC;gBACV,MAAM,EAAE,OAAO;gBACf,SAAS,EAAE,EAAE,OAAO,EAAE,yBAAyB,EAAE;gBACjD,MAAM,EAAE,gBAAgB;aACzB,CAAC;KACH,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAEvD,0FAA0F;IAC1F,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC3B,MAAM,iBAAiB,GAAG,KAAK,CAAC,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC;QACnE,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,oBAAoB,CAAC;gBAC5C,QAAQ,EAAE,iBAAiB;gBAC3B,UAAU,EAAE,sBAAsB;gBAClC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC;oBAC7B,OAAO,EAAE,YAAY;oBACrB,SAAS,EAAE;wBACT;4BACE,MAAM,EAAE,OAAO;4BACf,MAAM,EAAE,+BAA+B;4BACvC,QAAQ,EAAE,0BAA0B,SAAS,IAAI,SAAS,WAAW,YAAY,IAAI;yBACtF;wBACD;4BACE,MAAM,EAAE,OAAO;4BACf,MAAM,EAAE,qBAAqB;4BAC7B,QAAQ,EAAE,gBAAgB,SAAS,IAAI,SAAS,cAAc,aAAa,CAAC,SAAS,GAAG;yBACzF;qBACF;iBACF,CAAC;aACH,CAAC,CAAC,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,mBAAmB,iBAAiB,gDAAgD,CAAC,CAAC;QACpG,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,IAAI,kBAAkB,CAC1B,mDAAmD,iBAAiB,KAAK,GAAG,CAAC,OAAO,IAAI;gBACxF,+FAA+F;gBAC/F,8GAA8G,CAC/G,CAAC;QACJ,CAAC;IACH,CAAC;IAED,yDAAyD;IACzD,MAAM,qBAAqB,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IAEtD,OAAO,CAAC,GAAG,CAAC,mCAAmC,MAAM,CAAC,MAAM,gBAAgB,CAAC,CAAC;IAE9E,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,eAAe,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAClD,MAAM,QAAQ,GAAG,aAAa,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QAElD,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC;QAChC,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,EAAE,CAAC,CAAC;QAErC,kCAAkC;QAClC,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,iBAAiB,CAAC;gBACzC,QAAQ,EAAE,QAAQ;gBAClB,wBAAwB,EAAE,WAAW;aACtC,CAAC,CAAC,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACtC,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,GAAG,CAAC,IAAI,KAAK,8BAA8B,EAAE,CAAC;gBAChD,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;YAC7C,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,MAAM,QAAQ,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;QAClD,IAAI,MAAM,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;YACvF,QAAQ,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACnD,UAAU,CAAC,IAAI,CACb,0BAA0B,SAAS,IAAI,SAAS,WAAW,YAAY,IAAI,IAAI,IAAI,QAAQ,IAAI,CAChG,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC5B,OAAO,EAAE,YAAY;gBACrB,SAAS,EAAE,CAAC;wBACV,MAAM,EAAE,OAAO;wBACf,MAAM,EAAE,+BAA+B;wBACvC,QAAQ,EAAE,UAAU;qBACrB,CAAC;aACH,CAAC,CAAC;YAEH,IAAI,CAAC;gBACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,oBAAoB,CAAC;oBAC5C,QAAQ,EAAE,QAAQ;oBAClB,UAAU,EAAE,eAAe;oBAC3B,cAAc,EAAE,MAAM;iBACvB,CAAC,CAAC,CAAC;gBACJ,OAAO,CAAC,GAAG,CAAC,aAAa,UAAU,CAAC,MAAM,iBAAiB,CAAC,CAAC;YAC/D,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,sCAAsC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACnE,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IAED,gFAAgF;IAChF,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,CAC7B,CAAC,IAAI,EAAE,EAAE,CAAC,gBAAgB,SAAS,SAAS,aAAa,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAC/E,CAAC;IACF,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC3B,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,wBAAwB,CAAC,CAAC;IACpF,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,8FAA8F,CAAC,CAAC;IAC5G,OAAO,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAC;IAC5E,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;AAC7E,CAAC;AAED,kBAAkB;AAElB;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,SAAiB,EACjB,SAAoB,EACpB,QAAkB,EAClB,UAAkB;IAElB,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,wBAAwB,CAAC,EAAE,CAAC,CAAC,CAAC;IACxE,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAI,CAAC;IAEhC,kEAAkE;IAClE,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IAClD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,oBAAoB,SAAS,yDAAyD,CAAC,CAAC;QACpG,OAAO,CAAC,GAAG,CAAC,qEAAqE,CAAC,CAAC;QACnF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;YACzB,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE,CAAC;oBACV,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,cAAc;oBACtB,QAAQ,EAAE,QAAQ;iBACnB,CAAC;SACH,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACb,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC;QAC5B,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE,CAAC;gBACV,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,cAAc;gBACtB,QAAQ,EAAE,QAAQ;aACnB,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,oBAAoB,CAAC;YAC5C,QAAQ,EAAE,QAAQ;YAClB,UAAU,EAAE,UAAU;YACtB,cAAc,EAAE,MAAM;SACvB,CAAC,CAAC,CAAC;QACJ,OAAO,CAAC,GAAG,CAAC,6BAA6B,QAAQ,CAAC,MAAM,oBAAoB,QAAQ,EAAE,CAAC,CAAC;IAC1F,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,CAAC,GAAG,CAAC,mDAAmD,QAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,OAAO,CAAC,GAAG,CAAC,yEAAyE,CAAC,CAAC;QACvF,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,SAAS,GAAG,EAAE,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,WAAmB,EAAE,KAAqB;IAC/E,MAAM,EAAE,SAAS,EAAE,GAAG,KAAK,CAAC;IAC5B,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,WAAW,CAAC,gDAAgD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,MAAM,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAC3C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IAEhC,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IACvD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,iBAAiB,GAAa,EAAE,CAAC;IAEvC,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;QAC1B,MAAM,QAAQ,GAAG,aAAa,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,cAAc,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;YAE9E,+DAA+D;YAC/D,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAK,CAAC,wBAAyB,CAAC,CAAC,CAAC;YACzF,MAAM,WAAW,GAAG,WAAW,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC,IAAS,EAAE,EAAE,CAC5D,IAAI,CAAC,MAAM,KAAK,OAAO;gBACvB,IAAI,CAAC,SAAS,EAAE,OAAO,KAAK,yBAAyB;gBACrD,CAAC,IAAI,CAAC,MAAM,KAAK,gBAAgB,IAAI,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAC9E,CAAC;YAEF,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACjC,OAAO,CAAC,GAAG,CAAC,mBAAmB,QAAQ,kCAAkC,CAAC,CAAC;YAC7E,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,UAAU,QAAQ,EAAE,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,GAAG,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;gBACzC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvB,OAAO,CAAC,GAAG,CAAC,eAAe,QAAQ,EAAE,CAAC,CAAC;YACzC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;QAE1E,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,KAAK,OAAO,CAAC,MAAM,gCAAgC,CAAC,CAAC;YACjE,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC;YACpD,OAAO,CAAC,GAAG,CAAC,kEAAkE,CAAC,CAAC;QAClF,CAAC;QAED,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,GAAG,CAAC,KAAK,iBAAiB,CAAC,MAAM,6CAA6C,CAAC,CAAC;YACxF,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC;YAC9D,OAAO,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAC;YACjF,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,mGAAmG,CAAC,CAAC;QACnH,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;QACjE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;YACzB,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE,CAAC;oBACV,MAAM,EAAE,OAAO;oBACf,SAAS,EAAE,EAAE,OAAO,EAAE,yBAAyB,EAAE;oBACjD,MAAM,EAAE,gBAAgB;iBACzB,CAAC;SACH,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAEb,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QAEhC,+DAA+D;QAC/D,MAAM,IAAI,kBAAkB,CAAC,GAAG,OAAO,CAAC,MAAM,GAAG,iBAAiB,CAAC,MAAM,iHAAiH,CAAC,CAAC;IAC9L,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,CAAC,MAAM,0DAA0D,CAAC,CAAC;IAC9F,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,SAAiB,EAAE,UAAkB;IAC/E,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;IAC7C,IAAI,CAAC,QAAQ;QAAE,OAAO;IAEtB,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC;QAC5B,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE,CAAC;gBACV,GAAG,EAAE,+BAA+B;gBACpC,MAAM,EAAE,OAAO;gBACf,SAAS,EAAE,EAAE,OAAO,EAAE,sBAAsB,EAAE;gBAC9C,MAAM,EAAE;oBACN,mBAAmB;oBACnB,4BAA4B;iBAC7B;aACF,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,0BAA0B,CAAC;YAClD,cAAc,EAAE,QAAQ;YACxB,UAAU,EAAE,MAAM;SACnB,CAAC,CAAC,CAAC;QACJ,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACnE,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,CAAC,GAAG,CAAC,4DAA4D,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACzF,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,WAAmB,EAAE,KAAqB;IACnF,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,KAAK,CAAC;IAC5D,IAAI,CAAC,SAAS,IAAI,CAAC,aAAa;QAAE,OAAO;IAEzC,MAAM,YAAY,GAAG,eAAe,IAAI,SAAS,CAAC,qBAAqB,CAAC;IACxE,MAAM,YAAY,GAAG,aAAa,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;IAC/D,IAAI,CAAC,YAAY;QAAE,OAAO;IAC1B,MAAM,SAAS,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IAElC,MAAM,YAAY,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACnD,MAAM,MAAM,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAC3C,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAEvD,0BAA0B;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE,CAAC;gBACV,MAAM,EAAE,OAAO;gBACf,SAAS,EAAE,EAAE,OAAO,EAAE,sBAAsB,EAAE;gBAC9C,MAAM,EAAE,gBAAgB;aACzB,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,eAAe,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAClD,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE,OAAO,IAAI,GAAG,CAAC;QAE9E,gEAAgE;QAChE,IAAI,gBAAgB,GAAG,aAAa,CAAC,kBAAkB;YAAE,SAAS;QAElE,MAAM,QAAQ,GAAG,aAAa,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAEpD,cAAc;QACd,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,iBAAiB,CAAC;gBACzC,QAAQ,EAAE,QAAQ;gBAClB,wBAAwB,EAAE,WAAW;aACtC,CAAC,CAAC,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,0BAA0B,QAAQ,EAAE,CAAC,CAAC;YAClD,OAAO,EAAE,CAAC;QACZ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,GAAG,CAAC,IAAI,KAAK,8BAA8B,EAAE,CAAC;gBAChD,OAAO,CAAC,GAAG,CAAC,UAAU,QAAQ,EAAE,CAAC,CAAC;YACpC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;gBACrD,SAAS;YACX,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,MAAM,QAAQ,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;QAClD,IAAI,MAAM,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;YACvF,QAAQ,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,UAAU,GAAa,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YAChD,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACnD,OAAO,0BAA0B,SAAS,IAAI,SAAS,WAAW,YAAY,IAAI,IAAI,IAAI,QAAQ,IAAI,CAAC;QACzG,CAAC,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC;YAC5B,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE;gBACT;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,+BAA+B;oBACvC,QAAQ,EAAE,UAAU;iBACrB;gBACD;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE;wBACN,qBAAqB;wBACrB,sBAAsB;wBACtB,mBAAmB;qBACpB;oBACD,QAAQ,EAAE,gBAAgB,SAAS,IAAI,SAAS,IAAI;iBACrD;gBACD;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,2BAA2B;oBACnC,QAAQ,EAAE,GAAG;iBACd;gBACD;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE;wBACN,mBAAmB;wBACnB,4BAA4B;qBAC7B;oBACD,QAAQ,EAAE,eAAe,SAAS,IAAI,SAAS,eAAe;iBAC/D;aACF;SACF,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,oBAAoB,CAAC;gBAC5C,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,iBAAiB;gBAC7B,cAAc,EAAE,MAAM;aACvB,CAAC,CAAC,CAAC;QACN,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,sCAAsC,QAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,WAAW,OAAO,4BAA4B,CAAC,CAAC;IAC9D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;IAC9C,CAAC;IAED,6DAA6D;IAC7D,MAAM,cAAc,GAAG,MAAM;SAC1B,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;QACf,MAAM,MAAM,GAAG,eAAe,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAClD,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE,OAAO,IAAI,GAAG,CAAC;QAC9E,OAAO,gBAAgB,IAAI,aAAa,CAAC,kBAAkB,CAAC;IAC9D,CAAC,CAAC;SACD,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,gBAAgB,SAAS,SAAS,aAAa,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEzF,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,MAAM,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,cAAc,EAAE,2BAA2B,CAAC,CAAC;IACzF,CAAC;AACH,CAAC"}

package/dist/cloud/aws/provider.d.ts

@@ -0,0 +1,69 @@
+/**
+ * AWS (ECS) cloud provider implementation.
+ *
+ * Wraps EcsCloudConfig and delegates to the extracted AWS modules
+ * (provision, teardown, iam, deploy) via the CloudProvider interface.
+ */
+import type { EcsCloudConfig, AgentConfig, GlobalConfig } from "../../shared/config.js";
+import type { ContainerRuntime } from "../../docker/runtime.js";
+import type { CredentialBackend } from "../../shared/credential-backend.js";
+import type { CloudProvider, SchedulerServiceInfo, RuntimeResult } from "../provider.js";
+export declare class AwsCloudProvider implements CloudProvider {
+    readonly providerName: "ecs";
+    private config;
+    constructor(config: EcsCloudConfig);
+    /**
+     * Interactive provisioning wizard. Runs the ECS setup flow and
+     * returns config fields to write to config.toml.
+     */
+    provision(): Promise<Record<string, unknown> | null>;
+    /**
+     * Tear down all provisioned AWS cloud resources for this project.
+     */
+    teardown(projectPath: string): Promise<void>;
+    /**
+     * Reconcile per-agent IAM resources (ECS task roles + Lambda roles).
+     */
+    reconcileAgents(projectPath: string): Promise<void>;
+    /**
+     * Validate that per-agent IAM task roles exist and are correctly configured.
+     */
+    validateRoles(projectPath: string): Promise<void>;
+    /**
+     * Create the primary ECS Fargate container runtime.
+     */
+    createRuntime(): ContainerRuntime;
+    /**
+     * Create a runtime for a specific agent.
+     *
+     * Agents with timeout <= LAMBDA_MAX_TIMEOUT are routed to Lambda
+     * for faster cold starts and lower cost. All others use ECS Fargate.
+     */
+    createAgentRuntime(agentConfig: AgentConfig, globalConfig: GlobalConfig): ContainerRuntime;
+    /**
+     * Create primary ECS runtime + per-agent Lambda overrides for
+     * agents with short timeouts.
+     */
+    createRuntimes(activeAgentConfigs: AgentConfig[], globalConfig: GlobalConfig): RuntimeResult;
+    /**
+     * Create an AWS Secrets Manager credential backend.
+     */
+    createCredentialBackend(): Promise<CredentialBackend>;
+    /**
+     * Deploy the scheduler as an App Runner service.
+     */
+    deployScheduler(imageUri: string): Promise<SchedulerServiceInfo>;
+    /**
+     * Get the current scheduler App Runner service status.
+     */
+    getSchedulerStatus(): Promise<SchedulerServiceInfo | null>;
+    /**
+     * Fetch recent scheduler logs from CloudWatch.
+     */
+    getSchedulerLogs(limit: number): Promise<string[]>;
+    /**
+     * Tear down the scheduler App Runner service only.
+     */
+    teardownScheduler(): Promise<void>;
+}
+//# sourceMappingURL=provider.d.ts.map

package/dist/cloud/aws/provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../src/cloud/aws/provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACxF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AAC5E,OAAO,KAAK,EACV,aAAa,EACb,oBAAoB,EACpB,aAAa,EACd,MAAM,gBAAgB,CAAC;AAMxB,qBAAa,gBAAiB,YAAW,aAAa;IACpD,QAAQ,CAAC,YAAY,EAAG,KAAK,CAAU;IACvC,OAAO,CAAC,MAAM,CAAiB;gBAEnB,MAAM,EAAE,cAAc;IAIlC;;;OAGG;IACG,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAY1D;;OAEG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKlD;;OAEG;IACG,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMzD;;OAEG;IACG,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKvD;;OAEG;IACH,aAAa,IAAI,gBAAgB;IAcjC;;;;;OAKG;IACH,kBAAkB,CAAC,WAAW,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,GAAG,gBAAgB;IAkB1F;;;OAGG;IACH,cAAc,CAAC,kBAAkB,EAAE,WAAW,EAAE,EAAE,YAAY,EAAE,YAAY,GAAG,aAAa;IA8B5F;;OAEG;IACG,uBAAuB,IAAI,OAAO,CAAC,iBAAiB,CAAC;IAQ3D;;OAEG;IACG,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IActE;;OAEG;IACG,kBAAkB,IAAI,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAYhE;;OAEG;IACG,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAKxD;;OAEG;IACG,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC;CAIzC"}