@action-llama/action-llama 0.3.0 → 0.4.0

package/dist/docker/cloud-run-runtime.js

@@ -0,0 +1,510 @@
+import { execFileSync } from "child_process";
+import { parseCredentialRef } from "../shared/credentials.js";
+import { AWS_CONSTANTS } from "../shared/aws-constants.js";
+/**
+ * GCP Cloud Run Jobs runtime.
+ *
+ * Launches agents as Cloud Run job executions with GSM secrets mounted
+ * as files at /credentials/<type>/<instance>/<field>.
+ *
+ * Auth resolution order (same as GoogleSecretManagerBackend):
+ * 1. GCP_SERVICE_ACCOUNT_KEY env var (JSON key — CI/Railway)
+ * 2. GOOGLE_APPLICATION_CREDENTIALS env var (file path)
+ * 3. gcloud auth application-default login (local dev)
+ *
+ * The runtime SA (your machine) needs:
+ *   - run.jobs.create, run.jobs.run, run.jobs.get
+ *   - run.executions.get, run.executions.cancel
+ *   - artifactregistry.repositories.uploadArtifacts (for pushImage)
+ *
+ * The job SA (container) needs per-agent:
+ *   - secretmanager.secretAccessor on its specific secrets
+ */
+export class CloudRunJobRuntime {
+    needsGateway = false;
+    config;
+    prefix;
+    accessToken;
+    tokenExpiry = 0;
+    constructor(config) {
+        this.config = config;
+        this.prefix = config.secretPrefix || AWS_CONSTANTS.DEFAULT_SECRET_PREFIX;
+    }
+    // --- Agent tracking ---
+    async isAgentRunning(agentName) {
+        const jobName = AWS_CONSTANTS.agentFamily(agentName);
+        const { gcpProject, region } = this.config;
+        const fullName = `projects/${gcpProject}/locations/${region}/jobs/${jobName}`;
+        try {
+            // List recent executions for this job
+            const res = await this.gcpRequest("GET", `https://run.googleapis.com/v2/${fullName}/executions?pageSize=1`);
+            if (!res.ok)
+                return false;
+            const data = await res.json();
+            const latest = data.executions?.[0];
+            // If the latest execution has no completionTime, it's still running
+            return !!latest && !latest.completionTime;
+        }
+        catch {
+            return false;
+        }
+    }
+    async listRunningAgents() {
+        const { gcpProject, region } = this.config;
+        const parent = `projects/${gcpProject}/locations/${region}`;
+        const jobsRes = await this.gcpRequest("GET", `https://run.googleapis.com/v2/${parent}/jobs?pageSize=100`);
+        if (!jobsRes.ok)
+            return [];
+        const jobsData = await jobsRes.json();
+        const jobs = (jobsData.jobs ?? []).filter((j) => {
+            const name = j.name.split("/").pop() ?? "";
+            return name.startsWith(AWS_CONSTANTS.CONTAINER_FILTER);
+        });
+        const running = [];
+        for (const job of jobs) {
+            const jobName = job.name.split("/").pop();
+            const agentName = AWS_CONSTANTS.agentNameFromFamily(jobName);
+            const execRes = await this.gcpRequest("GET", `https://run.googleapis.com/v2/${job.name}/executions?pageSize=1`);
+            if (!execRes.ok)
+                continue;
+            const execData = await execRes.json();
+            const latest = execData.executions?.[0];
+            if (latest && !latest.completionTime) {
+                running.push({
+                    agentName,
+                    taskId: latest.name.split("/").pop() ?? "unknown",
+                    status: "RUNNING",
+                    startedAt: latest.createTime ? new Date(latest.createTime) : undefined,
+                });
+            }
+        }
+        return running;
+    }
+    // --- Credential preparation ---
+    async prepareCredentials(credRefs) {
+        const mounts = [];
+        for (const credRef of credRefs) {
+            const { type, instance } = parseCredentialRef(credRef);
+            // List all fields for this credential by querying GSM
+            const fields = await this.listSecretFields(type, instance);
+            for (const field of fields) {
+                const secretName = this.gsmSecretName(type, instance, field);
+                mounts.push({
+                    secretId: secretName,
+                    mountPath: `/credentials/${type}/${instance}/${field}`,
+                });
+            }
+        }
+        return { strategy: "secrets-manager", mounts };
+    }
+    cleanupCredentials(_creds) {
+        // No-op — cloud secrets don't need cleanup
+    }
+    // --- Image management ---
+    async buildImage(opts) {
+        const remoteTag = `${this.config.artifactRegistry}/${opts.tag}`;
+        // Use Cloud Build — no local Docker needed
+        // Submits the build context to Cloud Build which builds and pushes in one step
+        opts.onProgress?.("Submitting to Cloud Build");
+        execFileSync("gcloud", [
+            "builds", "submit",
+            "--tag", remoteTag,
+            "--gcs-log-dir", `gs://${this.config.gcpProject}_cloudbuild/logs`,
+            "--project", this.config.gcpProject,
+            "--region", this.config.region,
+            "--quiet",
+        ], {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "inherit"],
+            timeout: 600_000, // 10 min for cloud builds
+            cwd: opts.contextDir,
+        });
+        return remoteTag;
+    }
+    async pushImage(localImage) {
+        const remoteTag = `${this.config.artifactRegistry}/${localImage}`;
+        // Tag and push the local image to Artifact Registry
+        this.dockerExec("tag", localImage, remoteTag);
+        this.dockerExec("push", remoteTag);
+        return remoteTag;
+    }
+    // --- Container lifecycle ---
+    async launch(opts) {
+        const jobName = AWS_CONSTANTS.agentFamily(opts.agentName);
+        // Build the job spec with secret volume mounts
+        const secretMounts = opts.credentials.strategy === "secrets-manager"
+            ? opts.credentials.mounts
+            : [];
+        // Use per-agent SA if available (created by `al doctor -c`),
+        // otherwise fall back to the shared SA from config
+        const perAgentSa = AWS_CONSTANTS.serviceAccountEmail(opts.agentName, this.config.gcpProject);
+        const serviceAccount = opts.serviceAccount || perAgentSa;
+        // Create or update the Cloud Run job
+        await this.createOrUpdateJob(jobName, {
+            image: opts.image,
+            env: opts.env,
+            secretMounts,
+            memory: opts.memory || "4Gi",
+            cpus: String(opts.cpus || 2),
+            serviceAccount,
+        });
+        // Execute the job and return the execution name
+        const executionName = await this.executeJob(jobName);
+        return executionName;
+    }
+    streamLogs(executionName, onLine, onStderr) {
+        let stopped = false;
+        let lastTimestamp;
+        const poll = async () => {
+            while (!stopped) {
+                try {
+                    const entries = await this.readLogs(executionName, lastTimestamp);
+                    for (const entry of entries) {
+                        if (entry.timestamp)
+                            lastTimestamp = entry.timestamp;
+                        if (entry.textPayload) {
+                            onLine(entry.textPayload);
+                        }
+                        else if (entry.jsonPayload) {
+                            onLine(JSON.stringify(entry.jsonPayload));
+                        }
+                    }
+                }
+                catch (err) {
+                    if (!stopped && onStderr) {
+                        onStderr(`Log polling error: ${err.message}`);
+                    }
+                }
+                // Cloud Logging has ~5-15s ingestion delay
+                if (!stopped)
+                    await sleep(5000);
+            }
+        };
+        poll();
+        return {
+            stop: () => { stopped = true; },
+        };
+    }
+    async waitForExit(executionName, timeoutSeconds) {
+        const deadline = Date.now() + timeoutSeconds * 1000;
+        while (Date.now() < deadline) {
+            const status = await this.getExecutionStatus(executionName);
+            if (status.succeeded)
+                return 0;
+            if (status.failed)
+                return 1;
+            if (status.cancelled)
+                return 130;
+            await sleep(5000);
+        }
+        // Timeout — cancel the execution
+        await this.kill(executionName);
+        throw new Error(`Cloud Run execution ${executionName} timed out after ${timeoutSeconds}s`);
+    }
+    async kill(executionName) {
+        try {
+            await this.gcpRequest("POST", `https://run.googleapis.com/v2/${executionName}:cancel`, {});
+        }
+        catch {
+            // Execution may already be finished
+        }
+    }
+    async remove(_executionName) {
+        // Cloud Run auto-cleans up executions
+    }
+    async fetchLogs(agentName, limit) {
+        const jobName = AWS_CONSTANTS.agentFamily(agentName);
+        const token = await this.getAccessToken();
+        const res = await fetch("https://logging.googleapis.com/v2/entries:list", {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${token}`,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({
+                resourceNames: [`projects/${this.config.gcpProject}`],
+                filter: `resource.type="cloud_run_job" AND labels."run.googleapis.com/job_name"="${jobName}"`,
+                orderBy: "timestamp desc",
+                pageSize: limit,
+            }),
+        });
+        if (!res.ok) {
+            const body = await res.text();
+            throw new Error(`Cloud Logging read failed: ${res.status} ${body}`);
+        }
+        const data = await res.json();
+        return (data.entries ?? [])
+            .reverse()
+            .map((e) => e.textPayload ?? (e.jsonPayload ? JSON.stringify(e.jsonPayload) : ""))
+            .filter(Boolean);
+    }
+    // --- Internal: GCP API helpers ---
+    gsmSecretName(type, instance, field) {
+        return `${this.prefix}--${type}--${instance}--${field}`;
+    }
+    async listSecretFields(type, instance) {
+        const prefix = `${this.prefix}--${type}--${instance}--`;
+        const token = await this.getAccessToken();
+        const url = `https://secretmanager.googleapis.com/v1/projects/${this.config.gcpProject}/secrets?filter=name:${encodeURIComponent(prefix)}`;
+        const res = await fetch(url, {
+            headers: { Authorization: `Bearer ${token}` },
+        });
+        if (!res.ok) {
+            const body = await res.text();
+            throw new Error(`Failed to list GSM secrets for ${type}:${instance}: ${res.status} ${body}`);
+        }
+        const data = await res.json();
+        const fields = [];
+        for (const secret of data.secrets || []) {
+            const secretId = secret.name.split("/").pop();
+            const parts = secretId.split("--");
+            if (parts.length === 4 && parts[0] === this.prefix && parts[1] === type && parts[2] === instance) {
+                fields.push(parts[3]);
+            }
+        }
+        return fields;
+    }
+    async createOrUpdateJob(jobName, opts) {
+        const { gcpProject, region } = this.config;
+        const parent = `projects/${gcpProject}/locations/${region}`;
+        const fullName = `${parent}/jobs/${jobName}`;
+        // Build volume mounts and volumes from secret mounts
+        const volumes = [];
+        const volumeMounts = [];
+        for (let i = 0; i < opts.secretMounts.length; i++) {
+            const mount = opts.secretMounts[i];
+            const volName = `secret-${i}`;
+            volumes.push({
+                name: volName,
+                secret: {
+                    secret: `projects/${gcpProject}/secrets/${mount.secretId}`,
+                    items: [{ version: "latest", path: mount.mountPath.split("/").pop() }],
+                },
+            });
+            // Mount the volume at the parent directory of the target path
+            const parentDir = mount.mountPath.split("/").slice(0, -1).join("/");
+            volumeMounts.push({ name: volName, mountPath: parentDir });
+        }
+        // Deduplicate volume mounts with the same mountPath — Cloud Run only allows
+        // one mount per path, so we need to use a single volume per directory
+        const mountsByDir = new Map();
+        for (const mount of opts.secretMounts) {
+            const dir = mount.mountPath.split("/").slice(0, -1).join("/");
+            if (!mountsByDir.has(dir))
+                mountsByDir.set(dir, []);
+            mountsByDir.get(dir).push(mount);
+        }
+        // Rebuild volumes/mounts properly — one volume per unique directory
+        volumes.length = 0;
+        volumeMounts.length = 0;
+        let volIdx = 0;
+        for (const [dir, mounts] of mountsByDir) {
+            const volName = `secrets-${volIdx++}`;
+            volumes.push({
+                name: volName,
+                secret: {
+                    // For multi-file secret volumes, use items to map each secret
+                    // Cloud Run requires using secret references
+                    items: mounts.map((m) => ({
+                        version: "latest",
+                        path: m.mountPath.split("/").pop(),
+                        secret: `projects/${gcpProject}/secrets/${m.secretId}`,
+                    })),
+                },
+            });
+            volumeMounts.push({ name: volName, mountPath: dir });
+        }
+        const envVars = Object.entries(opts.env).map(([name, value]) => ({ name, value }));
+        // Derive timeout from TIMEOUT_SECONDS env var (set by container-runner)
+        const timeoutSeconds = opts.env.TIMEOUT_SECONDS || "3600";
+        const jobSpec = {
+            template: {
+                template: {
+                    containers: [{
+                            image: opts.image,
+                            env: envVars,
+                            resources: {
+                                limits: {
+                                    memory: opts.memory,
+                                    cpu: opts.cpus,
+                                },
+                            },
+                            volumeMounts,
+                        }],
+                    volumes,
+                    serviceAccount: opts.serviceAccount,
+                    timeout: `${timeoutSeconds}s`,
+                    maxRetries: 0,
+                },
+            },
+        };
+        // Try to update existing job, create if not found
+        const updateRes = await this.gcpRequest("PATCH", `https://run.googleapis.com/v2/${fullName}`, jobSpec);
+        if (updateRes.status === 404) {
+            await updateRes.text(); // drain
+            const createRes = await this.gcpRequest("POST", `https://run.googleapis.com/v2/${parent}/jobs?jobId=${jobName}`, jobSpec);
+            if (!createRes.ok) {
+                const body = await createRes.text();
+                throw new Error(`Failed to create Cloud Run job ${jobName}: ${createRes.status} ${body}`);
+            }
+            await createRes.text(); // drain
+        }
+        else if (!updateRes.ok) {
+            const body = await updateRes.text();
+            throw new Error(`Failed to update Cloud Run job ${jobName}: ${updateRes.status} ${body}`);
+        }
+        else {
+            await updateRes.text(); // drain
+        }
+    }
+    async executeJob(jobName) {
+        const { gcpProject, region } = this.config;
+        const fullName = `projects/${gcpProject}/locations/${region}/jobs/${jobName}`;
+        const res = await this.gcpRequest("POST", `https://run.googleapis.com/v2/${fullName}:run`, {});
+        if (!res.ok) {
+            const body = await res.text();
+            throw new Error(`Failed to execute Cloud Run job ${jobName}: ${res.status} ${body}`);
+        }
+        const data = await res.json();
+        // The response is an Operation; the execution name is in metadata or name
+        return data.metadata?.name || data.name || fullName;
+    }
+    async getExecutionStatus(executionName) {
+        const res = await this.gcpRequest("GET", `https://run.googleapis.com/v2/${executionName}`);
+        if (!res.ok) {
+            const body = await res.text();
+            throw new Error(`Failed to get execution status: ${res.status} ${body}`);
+        }
+        const data = await res.json();
+        // Check terminal conditions
+        const completed = data.conditions?.find((c) => c.type === "Completed");
+        if (!completed || completed.state !== "CONDITION_SUCCEEDED") {
+            // Not done yet — check if explicitly failed or cancelled
+            return {
+                succeeded: false,
+                failed: (data.failedCount ?? 0) > 0,
+                cancelled: (data.cancelledCount ?? 0) > 0,
+            };
+        }
+        return {
+            succeeded: (data.succeededCount ?? 0) > 0,
+            failed: (data.failedCount ?? 0) > 0,
+            cancelled: (data.cancelledCount ?? 0) > 0,
+        };
+    }
+    async readLogs(executionName, afterTimestamp) {
+        const token = await this.getAccessToken();
+        // Extract execution short name for the filter
+        const execShortName = executionName.split("/").pop();
+        let filter = `resource.type="cloud_run_job" AND labels."run.googleapis.com/execution_name"="${execShortName}"`;
+        if (afterTimestamp) {
+            filter += ` AND timestamp>"${afterTimestamp}"`;
+        }
+        const params = new URLSearchParams({
+            resourceNames: `projects/${this.config.gcpProject}`,
+            filter,
+            orderBy: "timestamp asc",
+            pageSize: "100",
+        });
+        const res = await fetch(`https://logging.googleapis.com/v2/entries:list`, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${token}`,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({
+                resourceNames: [`projects/${this.config.gcpProject}`],
+                filter,
+                orderBy: "timestamp asc",
+                pageSize: 100,
+            }),
+        });
+        if (!res.ok) {
+            const body = await res.text();
+            throw new Error(`Cloud Logging read failed: ${res.status} ${body}`);
+        }
+        const data = await res.json();
+        return data.entries || [];
+    }
+    // --- Internal: Auth ---
+    async getAccessToken() {
+        if (this.accessToken && Date.now() < this.tokenExpiry - 60_000) {
+            return this.accessToken;
+        }
+        // GCP_SERVICE_ACCOUNT_KEY env var (JSON key for CI/Railway)
+        const saKeyJson = process.env.GCP_SERVICE_ACCOUNT_KEY;
+        if (saKeyJson) {
+            return this.getTokenFromServiceAccountKey(JSON.parse(saKeyJson));
+        }
+        // Fall back to gcloud ADC
+        return this.getTokenFromGcloud();
+    }
+    async getTokenFromServiceAccountKey(key) {
+        const { createSign } = await import("crypto");
+        const header = Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" })).toString("base64url");
+        const now = Math.floor(Date.now() / 1000);
+        const claims = Buffer.from(JSON.stringify({
+            iss: key.client_email,
+            scope: "https://www.googleapis.com/auth/cloud-platform",
+            aud: key.token_uri,
+            iat: now,
+            exp: now + 3600,
+        })).toString("base64url");
+        const signer = createSign("RSA-SHA256");
+        signer.update(`${header}.${claims}`);
+        const signature = signer.sign(key.private_key, "base64url");
+        const jwt = `${header}.${claims}.${signature}`;
+        const res = await fetch(key.token_uri, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=${jwt}`,
+        });
+        if (!res.ok) {
+            const body = await res.text();
+            throw new Error(`Failed to get access token: ${res.status} ${body}`);
+        }
+        const data = await res.json();
+        this.accessToken = data.access_token;
+        this.tokenExpiry = Date.now() + data.expires_in * 1000;
+        return this.accessToken;
+    }
+    async getTokenFromGcloud() {
+        try {
+            const token = execFileSync("gcloud", ["auth", "application-default", "print-access-token"], {
+                encoding: "utf-8",
+                timeout: 10_000,
+                stdio: ["pipe", "pipe", "pipe"],
+            }).trim();
+            this.accessToken = token;
+            this.tokenExpiry = Date.now() + 3500_000;
+            return token;
+        }
+        catch (err) {
+            throw new Error("Failed to get GCP access token. Either:\n" +
+                "  1. Set GCP_SERVICE_ACCOUNT_KEY env var with a service account JSON key, or\n" +
+                "  2. Run: gcloud auth application-default login\n" +
+                `Original error: ${err.message}`);
+        }
+    }
+    async gcpRequest(method, url, body) {
+        const token = await this.getAccessToken();
+        return fetch(url, {
+            method,
+            headers: {
+                Authorization: `Bearer ${token}`,
+                "Content-Type": "application/json",
+            },
+            body: body !== undefined ? JSON.stringify(body) : undefined,
+        });
+    }
+    dockerExec(...args) {
+        return execFileSync("docker", args, {
+            encoding: "utf-8",
+            timeout: 300_000, // 5 min for push
+        }).trim();
+    }
+}
+function sleep(ms) {
+    return new Promise((r) => setTimeout(r, ms));
+}
+//# sourceMappingURL=cloud-run-runtime.js.map

package/dist/docker/cloud-run-runtime.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-run-runtime.js","sourceRoot":"","sources":["../../src/docker/cloud-run-runtime.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAU3D;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,OAAO,kBAAkB;IACpB,YAAY,GAAG,KAAK,CAAC;IAEtB,MAAM,CAAoB;IAC1B,MAAM,CAAS;IACf,WAAW,CAAqB;IAChC,WAAW,GAAG,CAAC,CAAC;IAExB,YAAY,MAAyB;QACnC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,YAAY,IAAI,aAAa,CAAC,qBAAqB,CAAC;IAC3E,CAAC;IAED,yBAAyB;IAEzB,KAAK,CAAC,cAAc,CAAC,SAAiB;QACpC,MAAM,OAAO,GAAG,aAAa,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;QACrD,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3C,MAAM,QAAQ,GAAG,YAAY,UAAU,cAAc,MAAM,SAAS,OAAO,EAAE,CAAC;QAE9E,IAAI,CAAC;YACH,sCAAsC;YACtC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EACrC,iCAAiC,QAAQ,wBAAwB,CAClE,CAAC;YACF,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAO,KAAK,CAAC;YAE1B,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAyD,CAAC;YACrF,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC;YACpC,oEAAoE;YACpE,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3C,MAAM,MAAM,GAAG,YAAY,UAAU,cAAc,MAAM,EAAE,CAAC;QAE5D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EACzC,iCAAiC,MAAM,oBAAoB,CAC5D,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,EAAE;YAAE,OAAO,EAAE,CAAC;QAE3B,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,EAAwC,CAAC;QAC5E,MAAM,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YAC9C,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAmB,EAAE,CAAC;QACnC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC;YAC3C,MAAM,SAAS,GAAG,aAAa,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC;YAE7D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EACzC,iCAAiC,GAAG,CAAC,IAAI,wBAAwB,CAClE,CAAC;YACF,IAAI,CAAC,OAAO,CAAC,EAAE;gBAAE,SAAS;YAE1B,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,EAMlC,CAAC;YAEF,MAAM,MAAM,GAAG,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC;YACxC,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;gBACrC,OAAO,CAAC,IAAI,CAAC;oBACX,SAAS;oBACT,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,SAAS;oBACjD,MAAM,EAAE,SAAS;oBACjB,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS;iBACvE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,iCAAiC;IAEjC,KAAK,CAAC,kBAAkB,CAAC,QAAkB;QACzC,MAAM,MAAM,GAAkB,EAAE,CAAC;QAEjC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;YAEvD,sDAAsD;YACtD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAE3D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;gBAC7D,MAAM,CAAC,IAAI,CAAC;oBACV,QAAQ,EAAE,UAAU;oBACpB,SAAS,EAAE,gBAAgB,IAAI,IAAI,QAAQ,IAAI,KAAK,EAAE;iBACvD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,EAAE,CAAC;IACjD,CAAC;IAED,kBAAkB,CAAC,MAA0B;QAC3C,2CAA2C;IAC7C,CAAC;IAED,2BAA2B;IAE3B,KAAK,CAAC,UAAU,CAAC,IAAoB;QACnC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;QAEhE,2CAA2C;QAC3C,+EAA+E;QAC/E,IAAI,CAAC,UAAU,EAAE,CAAC,2BAA2B,CAAC,CAAC;QAC/C,YAAY,CAAC,QAAQ,EAAE;YACrB,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,SAAS;YAClB,eAAe,EAAE,QAAQ,IAAI,CAAC,MAAM,CAAC,UAAU,kBAAkB;YACjE,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;YACnC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC9B,SAAS;SACV,EAAE;YACD,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC;YAClC,OAAO,EAAE,OAAO,EAAE,0BAA0B;YAC5C,GAAG,EAAE,IAAI,CAAC,UAAU;SACrB,CAAC,CAAC;QAEH,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,UAAkB;QAChC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,UAAU,EAAE,CAAC;QAElE,oDAAoD;QACpD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;QAC9C,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QAEnC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,8BAA8B;IAE9B,KAAK,CAAC,MAAM,CAAC,IAAuB;QAClC,MAAM,OAAO,GAAG,aAAa,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAE1D,+CAA+C;QAC/C,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,KAAK,iBAAiB;YAClE,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM;YACzB,CAAC,CAAC,EAAE,CAAC;QAEP,6DAA6D;QAC7D,mDAAmD;QACnD,MAAM,UAAU,GAAG,aAAa,CAAC,mBAAmB,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAC7F,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,IAAI,UAAU,CAAC;QAEzD,qCAAqC;QACrC,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE;YACpC,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,YAAY;YACZ,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,KAAK;YAC5B,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC;YAC5B,cAAc;SACf,CAAC,CAAC;QAEH,gDAAgD;QAChD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACrD,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,UAAU,CACR,aAAqB,EACrB,MAA8B,EAC9B,QAAiC;QAEjC,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,IAAI,aAAiC,CAAC;QAEtC,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE;YACtB,OAAO,CAAC,OAAO,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;oBAClE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;wBAC5B,IAAI,KAAK,CAAC,SAAS;4BAAE,aAAa,GAAG,KAAK,CAAC,SAAS,CAAC;wBACrD,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;4BACtB,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;wBAC5B,CAAC;6BAAM,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;4BAC7B,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC;wBAC5C,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,IAAI,CAAC,OAAO,IAAI,QAAQ,EAAE,CAAC;wBACzB,QAAQ,CAAC,sBAAsB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;oBAChD,CAAC;gBACH,CAAC;gBACD,2CAA2C;gBAC3C,IAAI,CAAC,OAAO;oBAAE,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;YAClC,CAAC;QACH,CAAC,CAAC;QAEF,IAAI,EAAE,CAAC;QAEP,OAAO;YACL,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;SAChC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,aAAqB,EAAE,cAAsB;QAC7D,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,GAAG,IAAI,CAAC;QAEpD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;YAE5D,IAAI,MAAM,CAAC,SAAS;gBAAE,OAAO,CAAC,CAAC;YAC/B,IAAI,MAAM,CAAC,MAAM;gBAAE,OAAO,CAAC,CAAC;YAC5B,IAAI,MAAM,CAAC,SAAS;gBAAE,OAAO,GAAG,CAAC;YAEjC,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;QAED,iCAAiC;QACjC,MAAM,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,uBAAuB,aAAa,oBAAoB,cAAc,GAAG,CAAC,CAAC;IAC7F,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,aAAqB;QAC9B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,UAAU,CACnB,MAAM,EACN,iCAAiC,aAAa,SAAS,EACvD,EAAE,CACH,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,oCAAoC;QACtC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,cAAsB;QACjC,sCAAsC;IACxC,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,SAAiB,EAAE,KAAa;QAC9C,MAAM,OAAO,GAAG,aAAa,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;QACrD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAE1C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,gDAAgD,EAAE;YACxE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,aAAa,EAAE,CAAC,YAAY,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;gBACrD,MAAM,EAAE,2EAA2E,OAAO,GAAG;gBAC7F,OAAO,EAAE,gBAAgB;gBACzB,QAAQ,EAAE,KAAK;aAChB,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAE1B,CAAC;QAEF,OAAO,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;aACxB,OAAO,EAAE;aACT,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;aACjF,MAAM,CAAC,OAAO,CAAC,CAAC;IACrB,CAAC;IAED,oCAAoC;IAE5B,aAAa,CAAC,IAAY,EAAE,QAAgB,EAAE,KAAa;QACjE,OAAO,GAAG,IAAI,CAAC,MAAM,KAAK,IAAI,KAAK,QAAQ,KAAK,KAAK,EAAE,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,IAAY,EAAE,QAAgB;QAC3D,MAAM,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,KAAK,IAAI,KAAK,QAAQ,IAAI,CAAC;QACxD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,MAAM,GAAG,GAAG,oDAAoD,IAAI,CAAC,MAAM,CAAC,UAAU,wBAAwB,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;QAE3I,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;SAC9C,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,kCAAkC,IAAI,IAAI,QAAQ,KAAK,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;QAC/F,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA2C,CAAC;QACvE,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC;YAC/C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACjG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAC7B,OAAe,EACf,IAOC;QAED,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3C,MAAM,MAAM,GAAG,YAAY,UAAU,cAAc,MAAM,EAAE,CAAC;QAC5D,MAAM,QAAQ,GAAG,GAAG,MAAM,SAAS,OAAO,EAAE,CAAC;QAE7C,qDAAqD;QACrD,MAAM,OAAO,GAAmC,EAAE,CAAC;QACnD,MAAM,YAAY,GAAkC,EAAE,CAAC;QAEvD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAClD,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACnC,MAAM,OAAO,GAAG,UAAU,CAAC,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE;oBACN,MAAM,EAAE,YAAY,UAAU,YAAY,KAAK,CAAC,QAAQ,EAAE;oBAC1D,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,EAAE,CAAC;iBACxE;aACF,CAAC,CAAC;YACH,8DAA8D;YAC9D,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACpE,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC,CAAC;QAC7D,CAAC;QAED,4EAA4E;QAC5E,sEAAsE;QACtE,MAAM,WAAW,GAAG,IAAI,GAAG,EAAyB,CAAC;QACrD,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC9D,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YACpD,WAAW,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,CAAC;QAED,oEAAoE;QACpE,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;QACnB,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;QACxB,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;YACxC,MAAM,OAAO,GAAG,WAAW,MAAM,EAAE,EAAE,CAAC;YACtC,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE;oBACN,8DAA8D;oBAC9D,6CAA6C;oBAC7C,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;wBACxB,OAAO,EAAE,QAAQ;wBACjB,IAAI,EAAE,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG;wBACnC,MAAM,EAAE,YAAY,UAAU,YAAY,CAAC,CAAC,QAAQ,EAAE;qBACvD,CAAC,CAAC;iBACJ;aACF,CAAC,CAAC;YACH,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;QACvD,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAEnF,wEAAwE;QACxE,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,eAAe,IAAI,MAAM,CAAC;QAE1D,MAAM,OAAO,GAAG;YACd,QAAQ,EAAE;gBACR,QAAQ,EAAE;oBACR,UAAU,EAAE,CAAC;4BACX,KAAK,EAAE,IAAI,CAAC,KAAK;4BACjB,GAAG,EAAE,OAAO;4BACZ,SAAS,EAAE;gCACT,MAAM,EAAE;oCACN,MAAM,EAAE,IAAI,CAAC,MAAM;oCACnB,GAAG,EAAE,IAAI,CAAC,IAAI;iCACf;6BACF;4BACD,YAAY;yBACb,CAAC;oBACF,OAAO;oBACP,cAAc,EAAE,IAAI,CAAC,cAAc;oBACnC,OAAO,EAAE,GAAG,cAAc,GAAG;oBAC7B,UAAU,EAAE,CAAC;iBACd;aACF;SACF,CAAC;QAEF,kDAAkD;QAClD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CACrC,OAAO,EACP,iCAAiC,QAAQ,EAAE,EAC3C,OAAO,CACR,CAAC;QAEF,IAAI,SAAS,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC7B,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ;YAChC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CACrC,MAAM,EACN,iCAAiC,MAAM,eAAe,OAAO,EAAE,EAC/D,OAAO,CACR,CAAC;YACF,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC;gBAClB,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC;gBACpC,MAAM,IAAI,KAAK,CAAC,kCAAkC,OAAO,KAAK,SAAS,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;YAC5F,CAAC;YACD,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ;QAClC,CAAC;aAAM,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,kCAAkC,OAAO,KAAK,SAAS,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;QAC5F,CAAC;aAAM,CAAC;YACN,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ;QAClC,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,OAAe;QACtC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3C,MAAM,QAAQ,GAAG,YAAY,UAAU,cAAc,MAAM,SAAS,OAAO,EAAE,CAAC;QAE9E,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAC/B,MAAM,EACN,iCAAiC,QAAQ,MAAM,EAC/C,EAAE,CACH,CAAC;QAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,mCAAmC,OAAO,KAAK,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;QACvF,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAoD,CAAC;QAChF,0EAA0E;QAC1E,OAAO,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,QAAQ,CAAC;IACtD,CAAC;IAEO,KAAK,CAAC,kBAAkB,CAAC,aAAqB;QAKpD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,iCAAiC,aAAa,EAAE,CAAC,CAAC;QAE3F,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,mCAAmC,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;QAC3E,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAM1B,CAAC;QAEF,4BAA4B;QAC5B,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC;QACvE,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,KAAK,KAAK,qBAAqB,EAAE,CAAC;YAC5D,yDAAyD;YACzD,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,MAAM,EAAE,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,CAAC,GAAG,CAAC;gBACnC,SAAS,EAAE,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,CAAC,GAAG,CAAC;aAC1C,CAAC;QACJ,CAAC;QAED,OAAO;YACL,SAAS,EAAE,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,CAAC,GAAG,CAAC;YACzC,MAAM,EAAE,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,CAAC,GAAG,CAAC;YACnC,SAAS,EAAE,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,CAAC,GAAG,CAAC;SAC1C,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,QAAQ,CACpB,aAAqB,EACrB,cAAuB;QAEvB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAE1C,8CAA8C;QAC9C,MAAM,aAAa,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC;QACtD,IAAI,MAAM,GAAG,iFAAiF,aAAa,GAAG,CAAC;QAC/G,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,IAAI,mBAAmB,cAAc,GAAG,CAAC;QACjD,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,aAAa,EAAE,YAAY,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE;YACnD,MAAM;YACN,OAAO,EAAE,eAAe;YACxB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,gDAAgD,EAAE;YACxE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,aAAa,EAAE,CAAC,YAAY,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;gBACrD,MAAM;gBACN,OAAO,EAAE,eAAe;gBACxB,QAAQ,EAAE,GAAG;aACd,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAE1B,CAAC;QAEF,OAAO,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;IAC5B,CAAC;IAED,yBAAyB;IAEjB,KAAK,CAAC,cAAc;QAC1B,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,WAAW,GAAG,MAAM,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAC,WAAW,CAAC;QAC1B,CAAC;QAED,4DAA4D;QAC5D,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC;QACtD,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,IAAI,CAAC,6BAA6B,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;QACnE,CAAC;QAED,0BAA0B;QAC1B,OAAO,IAAI,CAAC,kBAAkB,EAAE,CAAC;IACnC,CAAC;IAEO,KAAK,CAAC,6BAA6B,CAAC,GAI3C;QACC,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QAE9C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC/F,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACxC,GAAG,EAAE,GAAG,CAAC,YAAY;YACrB,KAAK,EAAE,gDAAgD;YACvD,GAAG,EAAE,GAAG,CAAC,SAAS;YAClB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,IAAI;SAChB,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAE1B,MAAM,MAAM,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC,CAAC;QACrC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QAC5D,MAAM,GAAG,GAAG,GAAG,MAAM,IAAI,MAAM,IAAI,SAAS,EAAE,CAAC;QAE/C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,oEAAoE,GAAG,EAAE;SAChF,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;QACvE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAkD,CAAC;QAC9E,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;QACrC,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACvD,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAEO,KAAK,CAAC,kBAAkB;QAC9B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,YAAY,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,qBAAqB,EAAE,oBAAoB,CAAC,EAAE;gBAC1F,QAAQ,EAAE,OAAO;gBACjB,OAAO,EAAE,MAAM;gBACf,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC;YACzB,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC;YACzC,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CACb,2CAA2C;gBAC3C,gFAAgF;gBAChF,mDAAmD;gBACnD,mBAAmB,GAAG,CAAC,OAAO,EAAE,CACjC,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,MAAc,EAAE,GAAW,EAAE,IAAc;QAClE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,OAAO,KAAK,CAAC,GAAG,EAAE;YAChB,MAAM;YACN,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SAC5D,CAAC,CAAC;IACL,CAAC;IAEO,UAAU,CAAC,GAAG,IAAc;QAClC,OAAO,YAAY,CAAC,QAAQ,EAAE,IAAI,EAAE;YAClC,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,OAAO,EAAE,iBAAiB;SACpC,CAAC,CAAC,IAAI,EAAE,CAAC;IACZ,CAAC;CACF;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAC/C,CAAC"}

package/dist/docker/ecs-runtime.d.ts

@@ -0,0 +1,73 @@
+import type { ContainerRuntime, RuntimeLaunchOpts, RuntimeCredentials, BuildImageOpts, RunningAgent } from "./runtime.js";
+export interface ECSFargateConfig {
+    awsRegion: string;
+    ecsCluster: string;
+    ecrRepository: string;
+    executionRoleArn: string;
+    taskRoleArn: string;
+    subnets: string[];
+    securityGroups?: string[];
+    secretPrefix?: string;
+    buildBucket?: string;
+}
+/**
+ * AWS ECS Fargate runtime.
+ *
+ * Launches agents as ECS Fargate tasks with AWS Secrets Manager secrets
+ * injected as environment variables or mounted via container definitions.
+ *
+ * Auth: AWS SDK default credential provider chain
+ * 1. AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY env vars
+ * 2. AWS_PROFILE / ~/.aws/credentials
+ * 3. SSO / IAM instance role (EC2/ECS/Lambda)
+ *
+ * The runtime credentials (your machine) need:
+ *   - ecs:RegisterTaskDefinition, ecs:RunTask, ecs:DescribeTasks, ecs:StopTask
+ *   - ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:PutImage, etc.
+ *   - logs:GetLogEvents
+ *
+ * The task role (container) needs per-agent:
+ *   - secretsmanager:GetSecretValue on its specific secrets
+ */
+export declare class ECSFargateRuntime implements ContainerRuntime {
+    readonly needsGateway = false;
+    private config;
+    private prefix;
+    private ecsClient;
+    private smClient;
+    private logsClient;
+    private cbClient;
+    private s3Client;
+    private ecrClient;
+    constructor(config: ECSFargateConfig);
+    private static readonly STARTED_BY_PREFIX;
+    static readonly LOG_GROUP: string;
+    private logGroupCreated;
+    private ensureLogGroup;
+    isAgentRunning(agentName: string): Promise<boolean>;
+    listRunningAgents(): Promise<RunningAgent[]>;
+    prepareCredentials(credRefs: string[]): Promise<RuntimeCredentials>;
+    cleanupCredentials(_creds: RuntimeCredentials): void;
+    buildImage(opts: BuildImageOpts): Promise<string>;
+    pushImage(_localImage: string): Promise<string>;
+    private buildImageCodeBuild;
+    private ecrImageExists;
+    private ensureBuildBucket;
+    private ensureCodeBuildProject;
+    launch(opts: RuntimeLaunchOpts): Promise<string>;
+    streamLogs(taskArn: string, onLine: (line: string) => void, onStderr?: (text: string) => void): {
+        stop: () => void;
+    };
+    waitForExit(taskArn: string, timeoutSeconds: number): Promise<number>;
+    kill(taskArn: string): Promise<void>;
+    remove(_taskArn: string): Promise<void>;
+    fetchLogs(agentName: string, limit: number): Promise<string[]>;
+    private awsSecretName;
+    private listSecretFields;
+    private registerTaskDefinition;
+    private runTask;
+    private getLogEvents;
+    private deriveTaskRoleArn;
+    private getAccountId;
+}
+//# sourceMappingURL=ecs-runtime.d.ts.map

package/dist/docker/ecs-runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecs-runtime.d.ts","sourceRoot":"","sources":["../../src/docker/ecs-runtime.ts"],"names":[],"mappings":"AAsCA,OAAO,KAAK,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,kBAAkB,EAAe,cAAc,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAIvI,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,iBAAkB,YAAW,gBAAgB;IACxD,QAAQ,CAAC,YAAY,SAAS;IAE9B,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,SAAS,CAAY;IAC7B,OAAO,CAAC,QAAQ,CAAuB;IACvC,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,QAAQ,CAAkB;IAClC,OAAO,CAAC,QAAQ,CAAW;IAC3B,OAAO,CAAC,SAAS,CAAY;gBAEjB,MAAM,EAAE,gBAAgB;IAapC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAA4B;IACrE,MAAM,CAAC,QAAQ,CAAC,SAAS,SAA2B;IACpD,OAAO,CAAC,eAAe,CAAS;YAElB,cAAc;IAYtB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAUnD,iBAAiB,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;IA6B5C,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAmBzE,kBAAkB,CAAC,MAAM,EAAE,kBAAkB,GAAG,IAAI;IAM9C,UAAU,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC;IAIjD,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YAKvC,mBAAmB;YAmMnB,cAAc;YAgBd,iBAAiB;YAuBjB,sBAAsB;IA2C9B,MAAM,CAAC,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;IA0BtD,UAAU,CACR,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,EAC9B,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,GAChC;QAAE,IAAI,EAAE,MAAM,IAAI,CAAA;KAAE;IAwCjB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAwBrE,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpC,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvC,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAcpE,OAAO,CAAC,aAAa;YAIP,gBAAgB;YAoBhB,sBAAsB;YAwDtB,OAAO;YA0BP,YAAY;IAoB1B,OAAO,CAAC,iBAAiB;IAMzB,OAAO,CAAC,YAAY;CAKrB"}