@adcp/sdk 7.1.0 → 7.2.0

package/dist/lib/discovery/validate-adagents.d.ts

@@ -0,0 +1,114 @@
+/**
+ * `adagents.json` discovery + validation with the ads.txt `MANAGERDOMAIN`
+ * one-hop fallback (adcp#4175 / adcontextprotocol/adcp PR #4173, adcp-client#1717).
+ *
+ * Discovery order:
+ *   1. `https://{publisher}/.well-known/adagents.json` (direct)
+ *      - if the file carries `authoritative_location`, follow one redirect
+ *        and report `discovery_method = 'authoritative_location'`
+ *   2. On HTTP 404 only — fetch `https://{publisher}/ads.txt`, parse the
+ *      `MANAGERDOMAIN=` directive, and attempt
+ *      `https://{managerdomain}/.well-known/adagents.json`.
+ *      Reports `discovery_method = 'ads_txt_managerdomain'` and
+ *      `manager_domain`.
+ *
+ * Per the #4173 resolution of the RFC's open questions:
+ *   - Only the IAB directive form `MANAGERDOMAIN=example.com` counts;
+ *     the comment form `# managerdomain=example.com` is rejected.
+ *   - Duplicate `MANAGERDOMAIN` lines: last-wins (rather than the RFC's
+ *     fail-closed default — IAB-aligned).
+ *
+ * Other safety rules from the RFC carry through:
+ *   - Fallback fires only on 404 (not 5xx / timeout / invalid JSON).
+ *   - Exactly one hop. The manager-domain file is fetched once, never
+ *     recursed into.
+ *   - `publisher → publisher` cycle is rejected.
+ *   - `#noagents` trailing comment on a `MANAGERDOMAIN` line excludes
+ *     that entry from fallback discovery.
+ *   - Manager-domain failure is terminal — never a silent pass.
+ */
+import { type LogLevel } from '../utils/logger';
+import type { AdAgentsJson } from './types';
+/** How the validator located the authoritative `adagents.json` for a publisher. */
+export type DiscoveryMethod = 'direct' | 'authoritative_location' | 'ads_txt_managerdomain';
+export interface AdAgentsValidationResult {
+    /** Whether a valid `adagents.json` was discovered for this publisher. */
+    valid: boolean;
+    /** The publisher domain the caller asked us to validate. */
+    publisher_domain: string;
+    /**
+     * Which discovery path was used. Defaults to `'direct'`: a failure on
+     * the publisher's own `.well-known/adagents.json` reports `'direct'`
+     * even when no file was retrieved. `'authoritative_location'` and
+     * `'ads_txt_managerdomain'` only appear once the validator has
+     * committed to that path (followed the pointer / parsed a directive).
+     */
+    discovery_method: DiscoveryMethod;
+    /**
+     * The manager domain consulted when `discovery_method ===
+     * 'ads_txt_managerdomain'`. Populated even on manager-domain failure
+     * so callers can surface "we tried <manager>" in error reports.
+     *
+     * Note for chained validators: re-invoking `validateAdAgents` against
+     * `manager_domain` to walk N hops re-enters the discovery flow from
+     * scratch. This validator's one-hop guarantee is per-call, not
+     * per-chain — callers stringing multiple invocations together are
+     * responsible for their own loop guard.
+     */
+    manager_domain?: string;
+    /** URL the `adagents.json` was ultimately loaded from. Omitted when nothing loaded. */
+    resolved_url?: string;
+    /**
+     * Parsed authoritative file. Omitted on failure.
+     *
+     * **Counterparty-controlled.** This JSON came verbatim from the
+     * publisher (or their declared manager domain). Treat as untrusted
+     * input: do NOT splice into LLM system prompts, log-aggregator
+     * indices, or any context that interprets text as instructions
+     * without first stripping or sanitizing. Field names like
+     * `authorized_for` (free-text) and `properties[].name` are obvious
+     * vectors; less-obvious ones include arbitrary `$schema` URLs and
+     * structured `tags`.
+     */
+    adagents?: AdAgentsJson;
+    /** One or more reasons validation failed. Empty when `valid === true`. */
+    errors: string[];
+}
+export interface ValidateAdAgentsOptions {
+    /** Per-request timeout in ms (default 10_000). */
+    timeoutMs?: number;
+    /** Optional User-Agent suffix (validated via `validateUserAgent`). */
+    userAgent?: string;
+    /** Logger level (default `'warn'`). */
+    logLevel?: LogLevel;
+    /**
+     * Build the URL for a `domain` + well-known `path` pair. Defaults to
+     * `https://{domain}{path}`. Provide a custom builder to point the
+     * validator at a loopback test server (`http://...`), an internal
+     * mirror, or a CDN-rewriting host.
+     */
+    urlForDomain?: (domain: string, path: string) => string;
+}
+/**
+ * Validate `adagents.json` for a publisher domain. Implements the
+ * ads.txt `MANAGERDOMAIN` one-hop fallback specified in adcp#4175.
+ */
+export declare function validateAdAgents(publisherDomain: string, options?: ValidateAdAgentsOptions): Promise<AdAgentsValidationResult>;
+/**
+ * Parse a MANAGERDOMAIN directive out of an ads.txt body. Returns the
+ * lowercased host token (last-wins on duplicates) or `undefined` when
+ * no eligible directive is present.
+ *
+ * Eligibility rules (per adcp-client#1717 / adcp#4175 + #4173 resolution):
+ *   - Directive form `MANAGERDOMAIN=<host>` only. Case-insensitive on
+ *     the key; the value preserves no case. Comment-only lines like
+ *     `# managerdomain=...` are rejected.
+ *   - Value must be a host token (no scheme, no path, no whitespace).
+ *   - Trailing inline comment containing `noagents` (case-insensitive)
+ *     opts that entry out of fallback discovery.
+ *   - Duplicate eligible entries: the last one wins.
+ *
+ * Exported for direct unit testing.
+ */
+export declare function parseManagerDomain(adsTxt: string): string | undefined;
+//# sourceMappingURL=validate-adagents.d.ts.map

package/dist/lib/discovery/validate-adagents.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-adagents.d.ts","sourceRoot":"","sources":["../../../src/lib/discovery/validate-adagents.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,OAAO,EAAgB,KAAK,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAK9D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,mFAAmF;AACnF,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,wBAAwB,GAAG,uBAAuB,CAAC;AAE5F,MAAM,WAAW,wBAAwB;IACvC,yEAAyE;IACzE,KAAK,EAAE,OAAO,CAAC;IACf,4DAA4D;IAC5D,gBAAgB,EAAE,MAAM,CAAC;IACzB;;;;;;OAMG;IACH,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;;;;;;;;OAUG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,uFAAuF;IACvF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,EAAE,YAAY,CAAC;IACxB,0EAA0E;IAC1E,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,uBAAuB;IACtC,kDAAkD;IAClD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sEAAsE;IACtE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uCAAuC;IACvC,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,MAAM,CAAC;CACzD;AAYD;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,eAAe,EAAE,MAAM,EACvB,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,wBAAwB,CAAC,CA4MnC;AAaD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CA8BrE"}

package/dist/lib/discovery/validate-adagents.js

@@ -0,0 +1,417 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateAdAgents = validateAdAgents;
+exports.parseManagerDomain = parseManagerDomain;
+/**
+ * `adagents.json` discovery + validation with the ads.txt `MANAGERDOMAIN`
+ * one-hop fallback (adcp#4175 / adcontextprotocol/adcp PR #4173, adcp-client#1717).
+ *
+ * Discovery order:
+ *   1. `https://{publisher}/.well-known/adagents.json` (direct)
+ *      - if the file carries `authoritative_location`, follow one redirect
+ *        and report `discovery_method = 'authoritative_location'`
+ *   2. On HTTP 404 only — fetch `https://{publisher}/ads.txt`, parse the
+ *      `MANAGERDOMAIN=` directive, and attempt
+ *      `https://{managerdomain}/.well-known/adagents.json`.
+ *      Reports `discovery_method = 'ads_txt_managerdomain'` and
+ *      `manager_domain`.
+ *
+ * Per the #4173 resolution of the RFC's open questions:
+ *   - Only the IAB directive form `MANAGERDOMAIN=example.com` counts;
+ *     the comment form `# managerdomain=example.com` is rejected.
+ *   - Duplicate `MANAGERDOMAIN` lines: last-wins (rather than the RFC's
+ *     fail-closed default — IAB-aligned).
+ *
+ * Other safety rules from the RFC carry through:
+ *   - Fallback fires only on 404 (not 5xx / timeout / invalid JSON).
+ *   - Exactly one hop. The manager-domain file is fetched once, never
+ *     recursed into.
+ *   - `publisher → publisher` cycle is rejected.
+ *   - `#noagents` trailing comment on a `MANAGERDOMAIN` line excludes
+ *     that entry from fallback discovery.
+ *   - Manager-domain failure is terminal — never a silent pass.
+ */
+const logger_1 = require("../utils/logger");
+const version_1 = require("../version");
+const validate_user_agent_1 = require("../utils/validate-user-agent");
+const ssrf_fetch_1 = require("../net/ssrf-fetch");
+const probe_policy_1 = require("../utils/probe-policy");
+const DEFAULT_TIMEOUT_MS = 10_000;
+const MAX_ADAGENTS_BYTES = 256 * 1024;
+const MAX_ADS_TXT_BYTES = 256 * 1024;
+const FETCH_HEADERS = {
+    Accept: 'application/json, text/plain, */*',
+    'Accept-Language': 'en-US,en;q=0.9',
+    'Accept-Encoding': 'gzip, deflate, br',
+};
+/**
+ * Validate `adagents.json` for a publisher domain. Implements the
+ * ads.txt `MANAGERDOMAIN` one-hop fallback specified in adcp#4175.
+ */
+async function validateAdAgents(publisherDomain, options = {}) {
+    if (!publisherDomain || typeof publisherDomain !== 'string') {
+        throw new Error('publisherDomain must be a non-empty string');
+    }
+    if (options.userAgent) {
+        (0, validate_user_agent_1.validateUserAgent)(options.userAgent);
+    }
+    const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    const logger = (0, logger_1.createLogger)({ level: options.logLevel ?? 'warn' }).child('validateAdAgents');
+    const userAgentHeader = `adcp-validate-adagents/${version_1.LIBRARY_VERSION} (+https://adcontextprotocol.org)`;
+    const fromHeader = options.userAgent
+        ? `adcp-validate-adagents@adcontextprotocol.org (${options.userAgent}; v${version_1.LIBRARY_VERSION})`
+        : `adcp-validate-adagents@adcontextprotocol.org (v${version_1.LIBRARY_VERSION})`;
+    const publisher = publisherDomain.toLowerCase();
+    const buildUrl = options.urlForDomain ?? ((domain, path) => `https://${domain}${path}`);
+    const publisherUrl = buildUrl(publisher, '/.well-known/adagents.json');
+    // Step 1: try the publisher's canonical location.
+    const direct = await fetchJsonOrStatus(publisherUrl, {
+        timeoutMs,
+        maxBodyBytes: MAX_ADAGENTS_BYTES,
+        userAgentHeader,
+        fromHeader,
+    });
+    if (direct.kind === 'ok') {
+        const data = coerceAdAgentsObject(direct.data);
+        if (!data) {
+            return {
+                valid: false,
+                publisher_domain: publisher,
+                discovery_method: 'direct',
+                resolved_url: publisherUrl,
+                errors: ['adagents.json fetch failed: invalid JSON: response is not a JSON object'],
+            };
+        }
+        // Handle `authoritative_location` indirection: a pointer file with no
+        // inline `authorized_agents` should be followed exactly once.
+        if (data.authoritative_location && !data.authorized_agents) {
+            const target = data.authoritative_location;
+            // Production: HTTPS-only. Loopback test runs (gated by
+            // ADCP_ALLOW_INTERNAL_PROBES=1) may use `http://` against a
+            // 127.0.0.1 server — the same opt-in that lets `ssrfSafeFetch`
+            // touch loopback in the first place.
+            const allowHttp = (0, probe_policy_1.isInternalProbesAllowed)();
+            if (!target.startsWith('https://') && !(allowHttp && target.startsWith('http://'))) {
+                return {
+                    valid: false,
+                    publisher_domain: publisher,
+                    discovery_method: 'authoritative_location',
+                    resolved_url: publisherUrl,
+                    errors: [`authoritative_location must use https://, got: ${target}`],
+                };
+            }
+            // Normalize before cycle-comparing — string equality misses
+            // trivial bounce variants (trailing slash, `?query`, fragment,
+            // uppercase scheme). Worst case of missing one of these is a
+            // wasted RTT against the publisher's own server, not SSRF
+            // (still routed through `ssrfSafeFetch`), but the right check
+            // is on origin+pathname.
+            if (sameOriginAndPath(target, publisherUrl)) {
+                return {
+                    valid: false,
+                    publisher_domain: publisher,
+                    discovery_method: 'authoritative_location',
+                    resolved_url: publisherUrl,
+                    errors: ['authoritative_location points back to the publisher (cycle)'],
+                };
+            }
+            const followed = await fetchJsonOrStatus(target, {
+                timeoutMs,
+                maxBodyBytes: MAX_ADAGENTS_BYTES,
+                userAgentHeader,
+                fromHeader,
+            });
+            if (followed.kind !== 'ok') {
+                return {
+                    valid: false,
+                    publisher_domain: publisher,
+                    discovery_method: 'authoritative_location',
+                    resolved_url: target,
+                    errors: [`authoritative_location fetch failed: ${describeOutcome(followed)}`],
+                };
+            }
+            const followedAdAgents = coerceAdAgentsObject(followed.data);
+            if (!followedAdAgents) {
+                return {
+                    valid: false,
+                    publisher_domain: publisher,
+                    discovery_method: 'authoritative_location',
+                    resolved_url: target,
+                    errors: ['authoritative_location target returned a non-object JSON value'],
+                };
+            }
+            return {
+                valid: true,
+                publisher_domain: publisher,
+                discovery_method: 'authoritative_location',
+                resolved_url: target,
+                adagents: followedAdAgents,
+                errors: [],
+            };
+        }
+        return {
+            valid: true,
+            publisher_domain: publisher,
+            discovery_method: 'direct',
+            resolved_url: publisherUrl,
+            adagents: data,
+            errors: [],
+        };
+    }
+    // Step 2: managerdomain fallback only fires on 404. Other failures
+    // (5xx, timeout, malformed JSON, SSRF refusal) are terminal under the
+    // RFC's "Only trigger fallback on 404" rule.
+    if (direct.kind !== 'not_found') {
+        return {
+            valid: false,
+            publisher_domain: publisher,
+            discovery_method: 'direct',
+            errors: [`adagents.json fetch failed: ${describeOutcome(direct)}`],
+        };
+    }
+    // Step 3: fetch ads.txt and look for a MANAGERDOMAIN= directive.
+    const adsTxtUrl = buildUrl(publisher, '/ads.txt');
+    const adsTxt = await fetchTextOrStatus(adsTxtUrl, {
+        timeoutMs,
+        maxBodyBytes: MAX_ADS_TXT_BYTES,
+        userAgentHeader,
+        fromHeader,
+    });
+    if (adsTxt.kind !== 'ok') {
+        return {
+            valid: false,
+            publisher_domain: publisher,
+            discovery_method: 'direct',
+            errors: [`adagents.json missing (404) and ads.txt unavailable: ${describeOutcome(adsTxt)}`],
+        };
+    }
+    const managerDomain = parseManagerDomain(adsTxt.text);
+    if (!managerDomain) {
+        return {
+            valid: false,
+            publisher_domain: publisher,
+            discovery_method: 'direct',
+            errors: ['adagents.json missing (404) and no eligible MANAGERDOMAIN directive in ads.txt'],
+        };
+    }
+    if (managerDomain === publisher) {
+        return {
+            valid: false,
+            publisher_domain: publisher,
+            discovery_method: 'direct',
+            errors: [`MANAGERDOMAIN references the publisher domain itself (cycle): ${managerDomain}`],
+        };
+    }
+    // Step 4: fetch the manager domain's adagents.json. One hop only —
+    // even if this file has its own `authoritative_location`, we do NOT
+    // follow it (the RFC restricts to one hop publisher → managerdomain).
+    const managerUrl = buildUrl(managerDomain, '/.well-known/adagents.json');
+    const manager = await fetchJsonOrStatus(managerUrl, {
+        timeoutMs,
+        maxBodyBytes: MAX_ADAGENTS_BYTES,
+        userAgentHeader,
+        fromHeader,
+    });
+    if (manager.kind !== 'ok') {
+        logger.debug(`Manager domain ${managerDomain} adagents.json fetch failed: ${describeOutcome(manager)}`);
+        return {
+            valid: false,
+            publisher_domain: publisher,
+            discovery_method: 'ads_txt_managerdomain',
+            manager_domain: managerDomain,
+            errors: [`Manager domain adagents.json fetch failed: ${describeOutcome(manager)}`],
+        };
+    }
+    const managerAdAgents = coerceAdAgentsObject(manager.data);
+    if (!managerAdAgents) {
+        return {
+            valid: false,
+            publisher_domain: publisher,
+            discovery_method: 'ads_txt_managerdomain',
+            manager_domain: managerDomain,
+            errors: ['Manager domain adagents.json returned a non-object JSON value'],
+        };
+    }
+    return {
+        valid: true,
+        publisher_domain: publisher,
+        discovery_method: 'ads_txt_managerdomain',
+        manager_domain: managerDomain,
+        resolved_url: managerUrl,
+        adagents: managerAdAgents,
+        errors: [],
+    };
+}
+/**
+ * Narrow `JSON.parse` output to a plain object — rejects `null`,
+ * arrays, primitives. Empty-body responses decode to `null` and
+ * pass the JSON parser; downstream code paths assume an object and
+ * would crash on null without this guard (#1720 review).
+ */
+function coerceAdAgentsObject(value) {
+    if (value === null || typeof value !== 'object' || Array.isArray(value))
+        return null;
+    return value;
+}
+/**
+ * Parse a MANAGERDOMAIN directive out of an ads.txt body. Returns the
+ * lowercased host token (last-wins on duplicates) or `undefined` when
+ * no eligible directive is present.
+ *
+ * Eligibility rules (per adcp-client#1717 / adcp#4175 + #4173 resolution):
+ *   - Directive form `MANAGERDOMAIN=<host>` only. Case-insensitive on
+ *     the key; the value preserves no case. Comment-only lines like
+ *     `# managerdomain=...` are rejected.
+ *   - Value must be a host token (no scheme, no path, no whitespace).
+ *   - Trailing inline comment containing `noagents` (case-insensitive)
+ *     opts that entry out of fallback discovery.
+ *   - Duplicate eligible entries: the last one wins.
+ *
+ * Exported for direct unit testing.
+ */
+function parseManagerDomain(adsTxt) {
+    if (!adsTxt)
+        return undefined;
+    // Strip BOM if present — common on Windows-authored ads.txt files.
+    // `charCodeAt` + `slice` is clearer than a regex match against a
+    // literal U+FEFF (per #1720 review).
+    const body = adsTxt.charCodeAt(0) === 0xfeff ? adsTxt.slice(1) : adsTxt;
+    let last;
+    for (const rawLine of body.split(/\r?\n/)) {
+        // Split off any inline comment so the directive parser only sees
+        // the code part, but keep the comment text around for the
+        // `#noagents` opt-out check.
+        const hashIdx = rawLine.indexOf('#');
+        const code = (hashIdx === -1 ? rawLine : rawLine.slice(0, hashIdx)).trim();
+        const comment = hashIdx === -1 ? '' : rawLine.slice(hashIdx + 1);
+        if (!code)
+            continue;
+        // Directive form only: KEY=VALUE on its own line, key matched
+        // case-insensitively. We parse with `indexOf('=')` rather than a
+        // regex because `code` is uncontrolled network input — any regex
+        // shape like `^KEY\s*=\s*(...)$` invites polynomial-ReDoS backtracking
+        // on pathological whitespace-heavy lines (flagged by CodeQL).
+        const eq = code.indexOf('=');
+        if (eq === -1)
+            continue;
+        if (code.slice(0, eq).trim().toLowerCase() !== 'managerdomain')
+            continue;
+        const value = code.slice(eq + 1).trim();
+        if (!value)
+            continue;
+        if (!isEligibleHostToken(value))
+            continue;
+        if (/\bnoagents\b/i.test(comment))
+            continue;
+        last = value.toLowerCase();
+    }
+    return last;
+}
+/**
+ * URL equality for cycle detection. Compares lowercased origin
+ * (scheme + host + port) and pathname; ignores trailing slashes,
+ * query strings, fragments, and scheme case. Returns false on
+ * unparseable URLs (callers treat unparseable as "not a cycle" so
+ * `ssrfSafeFetch` can produce a cleaner error downstream).
+ */
+function sameOriginAndPath(a, b) {
+    try {
+        const ua = new URL(a);
+        const ub = new URL(b);
+        if (ua.origin.toLowerCase() !== ub.origin.toLowerCase())
+            return false;
+        const pathA = ua.pathname.replace(/\/+$/, '');
+        const pathB = ub.pathname.replace(/\/+$/, '');
+        return pathA === pathB;
+    }
+    catch {
+        return false;
+    }
+}
+function isEligibleHostToken(value) {
+    if (!value)
+        return false;
+    // Reject anything with whitespace, slashes, or query strings.
+    if (/[\s/?#]/.test(value))
+        return false;
+    // Reject anything that looks like a URL (`scheme:` prefix). The single
+    // `:` permitted in a host token is the port separator handled below —
+    // so look for the colon-before-slash-or-end shape `scheme:...`.
+    if (/^[a-z][a-z0-9+.-]*:[^0-9]/i.test(value))
+        return false;
+    // Split off an optional `:port` suffix. Port must be 1–5 digits.
+    const portMatch = value.match(/^(.*?):([0-9]{1,5})$/);
+    const host = portMatch?.[1] ?? value;
+    // Minimal hostname shape — at least one dot, labels per RFC 1035-ish.
+    // Reject `example` (no TLD) and obvious junk like `..` or `-foo.com`.
+    if (!/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i.test(host))
+        return false;
+    return true;
+}
+async function fetchJsonOrStatus(url, opts) {
+    const raw = await rawFetch(url, opts);
+    if (raw.kind !== 'ok-text')
+        return raw;
+    try {
+        return { kind: 'ok', data: JSON.parse(raw.text) };
+    }
+    catch (err) {
+        return { kind: 'parse_error', message: err instanceof Error ? err.message : 'invalid JSON' };
+    }
+}
+async function fetchTextOrStatus(url, opts) {
+    const raw = await rawFetch(url, opts);
+    if (raw.kind === 'ok-text')
+        return { kind: 'ok', text: raw.text };
+    return raw;
+}
+async function rawFetch(url, opts) {
+    try {
+        const result = await (0, ssrf_fetch_1.ssrfSafeFetch)(url, {
+            timeoutMs: opts.timeoutMs,
+            allowPrivateIp: (0, probe_policy_1.isInternalProbesAllowed)(),
+            maxBodyBytes: opts.maxBodyBytes,
+            headers: {
+                ...FETCH_HEADERS,
+                'User-Agent': opts.userAgentHeader,
+                From: opts.fromHeader,
+            },
+        });
+        if (result.status === 404)
+            return { kind: 'not_found' };
+        if (result.status < 200 || result.status >= 300) {
+            return { kind: 'http_error', status: result.status };
+        }
+        // Always decode as text — JSON parsing is the caller's choice. This
+        // lets ads.txt and adagents.json share the same fetch primitive.
+        const decoded = (0, ssrf_fetch_1.decodeBodyAsJsonOrText)(result.body, 'text/plain');
+        const text = typeof decoded === 'string' ? decoded : JSON.stringify(decoded);
+        return { kind: 'ok-text', text };
+    }
+    catch (err) {
+        if (err instanceof ssrf_fetch_1.SsrfRefusedError) {
+            return { kind: 'ssrf_refused', message: err.message };
+        }
+        return { kind: 'transport_error', message: err instanceof Error ? err.message : String(err) };
+    }
+}
+/**
+ * Render a fetch failure into a short, log-safe string. Callers only
+ * pass failures here — the `'ok'` branch is excluded at the type level
+ * so we don't keep a dead "ok" string lying around (#1720 review).
+ */
+function describeOutcome(outcome) {
+    switch (outcome.kind) {
+        case 'not_found':
+            return 'HTTP 404';
+        case 'http_error':
+            return `HTTP ${outcome.status}`;
+        case 'transport_error':
+            return outcome.message;
+        case 'parse_error':
+            return `invalid JSON: ${outcome.message}`;
+        case 'ssrf_refused':
+            return `[SSRF refused] ${outcome.message}`;
+    }
+}
+//# sourceMappingURL=validate-adagents.js.map

package/dist/lib/discovery/validate-adagents.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-adagents.js","sourceRoot":"","sources":["../../../src/lib/discovery/validate-adagents.ts"],"names":[],"mappings":";;AAiHA,4CA+MC;AA6BD,gDA8BC;AA3XD;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,4CAA8D;AAC9D,wCAA6C;AAC7C,sEAAiE;AACjE,kDAA4F;AAC5F,wDAAgE;AAkEhE,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAClC,MAAM,kBAAkB,GAAG,GAAG,GAAG,IAAI,CAAC;AACtC,MAAM,iBAAiB,GAAG,GAAG,GAAG,IAAI,CAAC;AAErC,MAAM,aAAa,GAAG;IACpB,MAAM,EAAE,mCAAmC;IAC3C,iBAAiB,EAAE,gBAAgB;IACnC,iBAAiB,EAAE,mBAAmB;CACvC,CAAC;AAEF;;;GAGG;AACI,KAAK,UAAU,gBAAgB,CACpC,eAAuB,EACvB,UAAmC,EAAE;IAErC,IAAI,CAAC,eAAe,IAAI,OAAO,eAAe,KAAK,QAAQ,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,IAAA,uCAAiB,EAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACvC,CAAC;IACD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,kBAAkB,CAAC;IAC1D,MAAM,MAAM,GAAG,IAAA,qBAAY,EAAC,EAAE,KAAK,EAAE,OAAO,CAAC,QAAQ,IAAI,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAC7F,MAAM,eAAe,GAAG,0BAA0B,yBAAe,mCAAmC,CAAC;IACrG,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS;QAClC,CAAC,CAAC,iDAAiD,OAAO,CAAC,SAAS,MAAM,yBAAe,GAAG;QAC5F,CAAC,CAAC,kDAAkD,yBAAe,GAAG,CAAC;IAEzE,MAAM,SAAS,GAAG,eAAe,CAAC,WAAW,EAAE,CAAC;IAChD,MAAM,QAAQ,GAAG,OAAO,CAAC,YAAY,IAAI,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE,CAAC,WAAW,MAAM,GAAG,IAAI,EAAE,CAAC,CAAC;IACxF,MAAM,YAAY,GAAG,QAAQ,CAAC,SAAS,EAAE,4BAA4B,CAAC,CAAC;IAEvE,kDAAkD;IAClD,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,YAAY,EAAE;QACnD,SAAS;QACT,YAAY,EAAE,kBAAkB;QAChC,eAAe;QACf,UAAU;KACX,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,gBAAgB,EAAE,SAAS;gBAC3B,gBAAgB,EAAE,QAAQ;gBAC1B,YAAY,EAAE,YAAY;gBAC1B,MAAM,EAAE,CAAC,yEAAyE,CAAC;aACpF,CAAC;QACJ,CAAC;QAED,sEAAsE;QACtE,8DAA8D;QAC9D,IAAI,IAAI,CAAC,sBAAsB,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,sBAAsB,CAAC;YAC3C,uDAAuD;YACvD,4DAA4D;YAC5D,+DAA+D;YAC/D,qCAAqC;YACrC,MAAM,SAAS,GAAG,IAAA,sCAAuB,GAAE,CAAC;YAC5C,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,SAAS,IAAI,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;gBACnF,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,gBAAgB,EAAE,SAAS;oBAC3B,gBAAgB,EAAE,wBAAwB;oBAC1C,YAAY,EAAE,YAAY;oBAC1B,MAAM,EAAE,CAAC,kDAAkD,MAAM,EAAE,CAAC;iBACrE,CAAC;YACJ,CAAC;YACD,4DAA4D;YAC5D,+DAA+D;YAC/D,6DAA6D;YAC7D,0DAA0D;YAC1D,8DAA8D;YAC9D,yBAAyB;YACzB,IAAI,iBAAiB,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,gBAAgB,EAAE,SAAS;oBAC3B,gBAAgB,EAAE,wBAAwB;oBAC1C,YAAY,EAAE,YAAY;oBAC1B,MAAM,EAAE,CAAC,6DAA6D,CAAC;iBACxE,CAAC;YACJ,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE;gBAC/C,SAAS;gBACT,YAAY,EAAE,kBAAkB;gBAChC,eAAe;gBACf,UAAU;aACX,CAAC,CAAC;YACH,IAAI,QAAQ,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;gBAC3B,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,gBAAgB,EAAE,SAAS;oBAC3B,gBAAgB,EAAE,wBAAwB;oBAC1C,YAAY,EAAE,MAAM;oBACpB,MAAM,EAAE,CAAC,wCAAwC,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;iBAC9E,CAAC;YACJ,CAAC;YACD,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC7D,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACtB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,gBAAgB,EAAE,SAAS;oBAC3B,gBAAgB,EAAE,wBAAwB;oBAC1C,YAAY,EAAE,MAAM;oBACpB,MAAM,EAAE,CAAC,gEAAgE,CAAC;iBAC3E,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,gBAAgB,EAAE,SAAS;gBAC3B,gBAAgB,EAAE,wBAAwB;gBAC1C,YAAY,EAAE,MAAM;gBACpB,QAAQ,EAAE,gBAAgB;gBAC1B,MAAM,EAAE,EAAE;aACX,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,IAAI;YACX,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,QAAQ;YAC1B,YAAY,EAAE,YAAY;YAC1B,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,EAAE;SACX,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,sEAAsE;IACtE,6CAA6C;IAC7C,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,QAAQ;YAC1B,MAAM,EAAE,CAAC,+BAA+B,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC;SACnE,CAAC;IACJ,CAAC;IAED,iEAAiE;IACjE,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,SAAS,EAAE;QAChD,SAAS;QACT,YAAY,EAAE,iBAAiB;QAC/B,eAAe;QACf,UAAU;KACX,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;QACzB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,QAAQ;YAC1B,MAAM,EAAE,CAAC,wDAAwD,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC;SAC5F,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACtD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,QAAQ;YAC1B,MAAM,EAAE,CAAC,gFAAgF,CAAC;SAC3F,CAAC;IACJ,CAAC;IACD,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,QAAQ;YAC1B,MAAM,EAAE,CAAC,iEAAiE,aAAa,EAAE,CAAC;SAC3F,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,oEAAoE;IACpE,sEAAsE;IACtE,MAAM,UAAU,GAAG,QAAQ,CAAC,aAAa,EAAE,4BAA4B,CAAC,CAAC;IACzE,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,UAAU,EAAE;QAClD,SAAS;QACT,YAAY,EAAE,kBAAkB;QAChC,eAAe;QACf,UAAU;KACX,CAAC,CAAC;IACH,IAAI,OAAO,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,kBAAkB,aAAa,gCAAgC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACxG,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,uBAAuB;YACzC,cAAc,EAAE,aAAa;YAC7B,MAAM,EAAE,CAAC,8CAA8C,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;SACnF,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,oBAAoB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3D,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,uBAAuB;YACzC,cAAc,EAAE,aAAa;YAC7B,MAAM,EAAE,CAAC,+DAA+D,CAAC;SAC1E,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK,EAAE,IAAI;QACX,gBAAgB,EAAE,SAAS;QAC3B,gBAAgB,EAAE,uBAAuB;QACzC,cAAc,EAAE,aAAa;QAC7B,YAAY,EAAE,UAAU;QACxB,QAAQ,EAAE,eAAe;QACzB,MAAM,EAAE,EAAE;KACX,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,oBAAoB,CAAC,KAAc;IAC1C,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACrF,OAAO,KAAqB,CAAC;AAC/B,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,kBAAkB,CAAC,MAAc;IAC/C,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,mEAAmE;IACnE,iEAAiE;IACjE,qCAAqC;IACrC,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IACxE,IAAI,IAAwB,CAAC;IAC7B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1C,iEAAiE;QACjE,0DAA0D;QAC1D,6BAA6B;QAC7B,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,CAAC,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3E,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;QACjE,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,8DAA8D;QAC9D,iEAAiE;QACjE,iEAAiE;QACjE,uEAAuE;QACvE,8DAA8D;QAC9D,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,EAAE,KAAK,CAAC,CAAC;YAAE,SAAS;QACxB,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,eAAe;YAAE,SAAS;QACzE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACxC,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC;YAAE,SAAS;QAC1C,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,SAAS;QAC5C,IAAI,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAC7B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CAAC,CAAS,EAAE,CAAS;IAC7C,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,EAAE,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,EAAE,CAAC,MAAM,CAAC,WAAW,EAAE;YAAE,OAAO,KAAK,CAAC;QACtE,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC9C,OAAO,KAAK,KAAK,KAAK,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa;IACxC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,8DAA8D;IAC9D,IAAI,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,uEAAuE;IACvE,sEAAsE;IACtE,gEAAgE;IAChE,IAAI,4BAA4B,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3D,iEAAiE;IACjE,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC;IACrC,sEAAsE;IACtE,sEAAsE;IACtE,IAAI,CAAC,oEAAoE,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACnG,OAAO,IAAI,CAAC;AACd,CAAC;AAsBD,KAAK,UAAU,iBAAiB,CAAC,GAAW,EAAE,IAA0B;IACtE,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACtC,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC;IACvC,IAAI,CAAC;QACH,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;IACpD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,cAAc,EAAE,CAAC;IAC/F,CAAC;AACH,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,GAAW,EAAE,IAA0B;IACtE,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACtC,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC;IAClE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,GAAW,EAAE,IAA0B;IAC7D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,0BAAa,EAAC,GAAG,EAAE;YACtC,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,cAAc,EAAE,IAAA,sCAAuB,GAAE;YACzC,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,OAAO,EAAE;gBACP,GAAG,aAAa;gBAChB,YAAY,EAAE,IAAI,CAAC,eAAe;gBAClC,IAAI,EAAE,IAAI,CAAC,UAAU;aACtB;SACF,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;QACxD,IAAI,MAAM,CAAC,MAAM,GAAG,GAAG,IAAI,MAAM,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;YAChD,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;QACvD,CAAC;QACD,oEAAoE;QACpE,iEAAiE;QACjE,MAAM,OAAO,GAAG,IAAA,mCAAsB,EAAC,MAAM,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;QAClE,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC7E,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,6BAAgB,EAAE,CAAC;YACpC,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;QACxD,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IAChG,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,eAAe,CAAC,OAAqB;IAC5C,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC;QACrB,KAAK,WAAW;YACd,OAAO,UAAU,CAAC;QACpB,KAAK,YAAY;YACf,OAAO,QAAQ,OAAO,CAAC,MAAM,EAAE,CAAC;QAClC,KAAK,iBAAiB;YACpB,OAAO,OAAO,CAAC,OAAO,CAAC;QACzB,KAAK,aAAa;YAChB,OAAO,iBAAiB,OAAO,CAAC,OAAO,EAAE,CAAC;QAC5C,KAAK,cAAc;YACjB,OAAO,kBAAkB,OAAO,CAAC,OAAO,EAAE,CAAC;IAC/C,CAAC;AACH,CAAC"}

package/dist/lib/errors/index.d.ts

@@ -118,12 +118,39 @@ export interface OAuthMetadataInfo {
     /** Issuer identifier */
     issuer?: string;
 }
+/**
+ * Subset of the parsed `WWW-Authenticate` challenge surfaced on
+ * {@link AuthenticationRequiredError}. Mirrors the public shape of
+ * `WWWAuthenticateChallenge` from `@adcp/sdk/auth/oauth` without forcing the
+ * errors module to depend on the auth subtree (the dependency would invert
+ * the build graph).
+ *
+ * `scheme` is lowercased per RFC 9110 §11.6.1.
+ */
+export interface AuthChallengeInfo {
+    scheme: string;
+    realm?: string;
+    scope?: string;
+    error?: string;
+    error_description?: string;
+}
 /**
  * Error thrown when authentication is required to access an MCP endpoint
  *
  * This error is thrown during MCP endpoint discovery when the server returns
- * a 401 Unauthorized response. If the server supports OAuth, the error includes
- * the OAuth metadata to help clients initiate the authentication flow.
+ * a 401 Unauthorized response. The shape of the remediation depends on what
+ * the 401 disclosed:
+ *
+ * - OAuth metadata (RFC 9728 PRM walk succeeded) → `oauthMetadata` set,
+ *   message points at the authorization endpoint.
+ * - A `WWW-Authenticate` challenge with a non-Bearer scheme (e.g. Basic
+ *   behind an Apigee/Kong/AWS API GW gateway) → `challenge` set, message
+ *   names the scheme and the SDK / CLI surface that configures it.
+ * - Plain 401 with no metadata → fallback "provide auth_token" message.
+ *
+ * Consumers branching on `error.challenge?.scheme === 'basic'` can route
+ * straight to `auth: { type: 'basic', username, password }` instead of
+ * retrying Bearer indefinitely.
  *
  * @example
  * ```typescript
@@ -131,12 +158,15 @@ export interface OAuthMetadataInfo {
  *   await client.getProducts({ brief: 'test' });
  * } catch (error) {
  *   if (error instanceof AuthenticationRequiredError) {
- *     if (error.oauthMetadata) {
+ *     if (error.challenge?.scheme === 'basic') {
+ *       // Gateway-fronted agent — configure HTTP Basic
+ *       reconnect({ auth: { type: 'basic', username, password } });
+ *     } else if (error.oauthMetadata) {
  *       // Redirect user to OAuth flow
  *       const authUrl = error.oauthMetadata.authorization_endpoint;
  *       console.log(`Please authenticate at: ${authUrl}`);
  *     } else {
- *       console.log('Authentication required but OAuth not available');
+ *       console.log('Authentication required but no scheme metadata available');
  *     }
  *   }
  * }
@@ -145,8 +175,9 @@ export interface OAuthMetadataInfo {
 export declare class AuthenticationRequiredError extends ADCPError {
     readonly agentUrl: string;
     readonly oauthMetadata?: OAuthMetadataInfo | undefined;
+    readonly challenge?: AuthChallengeInfo | undefined;
     readonly code = "AUTHENTICATION_REQUIRED";
-    constructor(agentUrl: string, oauthMetadata?: OAuthMetadataInfo | undefined, message?: string);
+    constructor(agentUrl: string, oauthMetadata?: OAuthMetadataInfo | undefined, message?: string, challenge?: AuthChallengeInfo | undefined);
     /**
      * Check if OAuth authentication is available
      */
@@ -155,6 +186,12 @@ export declare class AuthenticationRequiredError extends ADCPError {
      * Get the authorization URL if OAuth is available
      */
     get authorizationUrl(): string | undefined;
+    /**
+     * Lowercased scheme from the `WWW-Authenticate` challenge, when present.
+     * `'basic'` is the common non-OAuth case — gateway-fronted agents speaking
+     * RFC 7617.
+     */
+    get suggestedScheme(): string | undefined;
 }
 /**
  * Error thrown when a request reused an `idempotency_key` with a different

package/dist/lib/errors/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/errors/index.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,8BAAsB,SAAU,SAAQ,KAAK;IAKlC,OAAO,CAAC,EAAE,OAAO;IAJ1B,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAG7B,OAAO,EAAE,MAAM,EACR,OAAO,CAAC,EAAE,OAAO,YAAA;CAK3B;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,SAAS;aAI3B,MAAM,EAAE,MAAM;aACd,OAAO,EAAE,MAAM;IAJjC,QAAQ,CAAC,IAAI,kBAAkB;gBAGb,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM;CAIlC;AAED;;GAEG;AACH,qBAAa,qBAAsB,SAAQ,SAAS;aAIhC,MAAM,EAAE,MAAM;aACd,WAAW,EAAE,MAAM;IAJrC,QAAQ,CAAC,IAAI,wBAAwB;gBAGnB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM;CAItC;AAED;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;aAGlB,KAAK,EAAE,MAAM;IAFzC,QAAQ,CAAC,IAAI,mBAAmB;gBAEJ,KAAK,EAAE,MAAM;CAG1C;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,SAAS;aAI3B,MAAM,EAAE,MAAM;aACd,MAAM,CAAC,EAAE,MAAM;IAJjC,QAAQ,CAAC,IAAI,kBAAkB;gBAGb,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,MAAM,YAAA;CAIlC;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,SAAS;aAI7B,OAAO,EAAE,MAAM;aACf,eAAe,EAAE,MAAM,EAAE;IAJ3C,QAAQ,CAAC,IAAI,qBAAqB;gBAGhB,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,EAAE;CAI5C;AAED;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,SAAS;aAI/B,OAAO,EAAE,MAAM;aACf,QAAQ,EAAE,MAAM;aAChB,cAAc,CAAC,EAAE,MAAM,EAAE;IAL3C,QAAQ,CAAC,IAAI,sBAAsB;gBAGjB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,cAAc,CAAC,EAAE,MAAM,EAAE,YAAA;CAK5C;AAED;;GAEG;AACH,qBAAa,aAAc,SAAQ,SAAS;aAIxB,QAAQ,EAAE,KAAK,GAAG,KAAK;aAEvB,aAAa,CAAC,EAAE,KAAK;IALvC,QAAQ,CAAC,IAAI,oBAAoB;gBAGf,QAAQ,EAAE,KAAK,GAAG,KAAK,EACvC,OAAO,EAAE,MAAM,EACC,aAAa,CAAC,EAAE,KAAK,YAAA;CAKxC;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,SAAS;aAI1B,KAAK,EAAE,MAAM;aACb,KAAK,EAAE,OAAO;aACd,UAAU,EAAE,MAAM;IALpC,QAAQ,CAAC,IAAI,sBAAsB;gBAGjB,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,OAAO,EACd,UAAU,EAAE,MAAM;CAKrC;AAED;;GAEG;AACH,qBAAa,wBAAyB,SAAQ,SAAS;aAInC,MAAM,EAAE,MAAM;aACd,QAAQ,EAAE,MAAM;IAJlC,QAAQ,CAAC,IAAI,2BAA2B;gBAGtB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM;CAInC;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,SAAS;aAI9B,SAAS,EAAE,MAAM;IAHnC,QAAQ,CAAC,IAAI,qBAAqB;gBAGhB,SAAS,EAAE,MAAM,EACjC,MAAM,EAAE,MAAM;CAIjB;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,SAAS;aAK7B,WAAW,CAAC,EAAE,MAAM;IAJtC,QAAQ,CAAC,IAAI,yBAAyB;gBAGpC,OAAO,EAAE,MAAM,EACC,WAAW,CAAC,EAAE,MAAM,YAAA;CAKvC;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,wCAAwC;IACxC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gCAAgC;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,iEAAiE;IACjE,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,wBAAwB;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,qBAAa,2BAA4B,SAAQ,SAAS;aAItC,QAAQ,EAAE,MAAM;aAChB,aAAa,CAAC,EAAE,iBAAiB;IAJnD,QAAQ,CAAC,IAAI,6BAA6B;gBAGxB,QAAQ,EAAE,MAAM,EAChB,aAAa,CAAC,EAAE,iBAAiB,YAAA,EACjD,OAAO,CAAC,EAAE,MAAM;IASlB;;OAEG;IACH,IAAI,QAAQ,IAAI,OAAO,CAEtB;IAED;;OAEG;IACH,IAAI,gBAAgB,IAAI,MAAM,GAAG,SAAS,CAEzC;CACF;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBAAa,wBAAyB,SAAQ,SAAS;IACrD,QAAQ,CAAC,IAAI,0BAA0B;IAKvC,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;gBAEhC,cAAc,EAAE,MAAM,GAAG,SAAS,EAAE,OAAO,CAAC,EAAE,MAAM;CAajE;AAED;;;;;;;;;;;;GAYG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;IACpD,QAAQ,CAAC,IAAI,yBAAyB;IAItC,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;gBAEhC,cAAc,EAAE,MAAM,GAAG,SAAS,EAAE,OAAO,CAAC,EAAE,MAAM;CAajE;AAED;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;aAIlC,mBAAmB,EAAE,MAAM,EAAE;aAC7B,gBAAgB,EAAE,MAAM,EAAE;aAC1B,QAAQ,CAAC,EAAE,MAAM;IALnC,QAAQ,CAAC,IAAI,yBAAyB;gBAGpB,mBAAmB,EAAE,MAAM,EAAE,EAC7B,gBAAgB,EAAE,MAAM,EAAE,EAC1B,QAAQ,CAAC,EAAE,MAAM,YAAA;CAOpC;AAED;;;;;;;;;;GAUG;AACH,qBAAa,qBAAsB,SAAQ,SAAS;aAIhC,KAAK,EAAE,MAAM;aACb,SAAS,EAAE,MAAM;aACjB,GAAG,EAAE,MAAM;IAC3B;;;;;OAKG;aACa,mBAAmB,CAAC,EAAE,MAAM;IAZ9C,QAAQ,CAAC,IAAI,wBAAwB;gBAGnB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM;IAC3B;;;;;OAKG;IACa,mBAAmB,CAAC,EAAE,MAAM,YAAA;CAS/C;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,wBAAwB,GAAG,SAAS,GAAG,aAAa,GAAG,WAAW,CAAC;AAE/E;;;;;;;;GAQG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;aAIlC,QAAQ,EAAE,MAAM;aAChB,MAAM,EAAE,wBAAwB;aAChC,aAAa,EAAE,IAAI,GAAG,IAAI;aAC1B,QAAQ,CAAC,EAAE,MAAM;IANnC,QAAQ,CAAC,IAAI,yBAAyB;gBAGpB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,wBAAwB,EAChC,aAAa,EAAE,IAAI,GAAG,IAAI,EAC1B,QAAQ,CAAC,EAAE,MAAM,YAAA;IASnC,OAAO,CAAC,MAAM,CAAC,OAAO;CAUvB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,OAAO,EAAE,UAAU,UAAQ,GAAG,OAAO,CA2BtE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CACnC,SAAS,EAAE;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,EAC7C,cAAc,CAAC,EAAE,MAAM,GACtB,SAAS,GAAG,SAAS,CASvB;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,SAAS,CAE9D;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,KAAK,IAAI,CAAC,CAEpH;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAoBA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/errors/index.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,8BAAsB,SAAU,SAAQ,KAAK;IAKlC,OAAO,CAAC,EAAE,OAAO;IAJ1B,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAG7B,OAAO,EAAE,MAAM,EACR,OAAO,CAAC,EAAE,OAAO,YAAA;CAK3B;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,SAAS;aAI3B,MAAM,EAAE,MAAM;aACd,OAAO,EAAE,MAAM;IAJjC,QAAQ,CAAC,IAAI,kBAAkB;gBAGb,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM;CAIlC;AAED;;GAEG;AACH,qBAAa,qBAAsB,SAAQ,SAAS;aAIhC,MAAM,EAAE,MAAM;aACd,WAAW,EAAE,MAAM;IAJrC,QAAQ,CAAC,IAAI,wBAAwB;gBAGnB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM;CAItC;AAED;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;aAGlB,KAAK,EAAE,MAAM;IAFzC,QAAQ,CAAC,IAAI,mBAAmB;gBAEJ,KAAK,EAAE,MAAM;CAG1C;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,SAAS;aAI3B,MAAM,EAAE,MAAM;aACd,MAAM,CAAC,EAAE,MAAM;IAJjC,QAAQ,CAAC,IAAI,kBAAkB;gBAGb,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,MAAM,YAAA;CAIlC;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,SAAS;aAI7B,OAAO,EAAE,MAAM;aACf,eAAe,EAAE,MAAM,EAAE;IAJ3C,QAAQ,CAAC,IAAI,qBAAqB;gBAGhB,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,EAAE;CAI5C;AAED;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,SAAS;aAI/B,OAAO,EAAE,MAAM;aACf,QAAQ,EAAE,MAAM;aAChB,cAAc,CAAC,EAAE,MAAM,EAAE;IAL3C,QAAQ,CAAC,IAAI,sBAAsB;gBAGjB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,cAAc,CAAC,EAAE,MAAM,EAAE,YAAA;CAK5C;AAED;;GAEG;AACH,qBAAa,aAAc,SAAQ,SAAS;aAIxB,QAAQ,EAAE,KAAK,GAAG,KAAK;aAEvB,aAAa,CAAC,EAAE,KAAK;IALvC,QAAQ,CAAC,IAAI,oBAAoB;gBAGf,QAAQ,EAAE,KAAK,GAAG,KAAK,EACvC,OAAO,EAAE,MAAM,EACC,aAAa,CAAC,EAAE,KAAK,YAAA;CAKxC;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,SAAS;aAI1B,KAAK,EAAE,MAAM;aACb,KAAK,EAAE,OAAO;aACd,UAAU,EAAE,MAAM;IALpC,QAAQ,CAAC,IAAI,sBAAsB;gBAGjB,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,OAAO,EACd,UAAU,EAAE,MAAM;CAKrC;AAED;;GAEG;AACH,qBAAa,wBAAyB,SAAQ,SAAS;aAInC,MAAM,EAAE,MAAM;aACd,QAAQ,EAAE,MAAM;IAJlC,QAAQ,CAAC,IAAI,2BAA2B;gBAGtB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM;CAInC;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,SAAS;aAI9B,SAAS,EAAE,MAAM;IAHnC,QAAQ,CAAC,IAAI,qBAAqB;gBAGhB,SAAS,EAAE,MAAM,EACjC,MAAM,EAAE,MAAM;CAIjB;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,SAAS;aAK7B,WAAW,CAAC,EAAE,MAAM;IAJtC,QAAQ,CAAC,IAAI,yBAAyB;gBAGpC,OAAO,EAAE,MAAM,EACC,WAAW,CAAC,EAAE,MAAM,YAAA;CAKvC;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,wCAAwC;IACxC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gCAAgC;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,iEAAiE;IACjE,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,wBAAwB;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,qBAAa,2BAA4B,SAAQ,SAAS;aAItC,QAAQ,EAAE,MAAM;aAChB,aAAa,CAAC,EAAE,iBAAiB;aAEjC,SAAS,CAAC,EAAE,iBAAiB;IAN/C,QAAQ,CAAC,IAAI,6BAA6B;gBAGxB,QAAQ,EAAE,MAAM,EAChB,aAAa,CAAC,EAAE,iBAAiB,YAAA,EACjD,OAAO,CAAC,EAAE,MAAM,EACA,SAAS,CAAC,EAAE,iBAAiB,YAAA;IAU/C;;OAEG;IACH,IAAI,QAAQ,IAAI,OAAO,CAEtB;IAED;;OAEG;IACH,IAAI,gBAAgB,IAAI,MAAM,GAAG,SAAS,CAEzC;IAED;;;;OAIG;IACH,IAAI,eAAe,IAAI,MAAM,GAAG,SAAS,CAExC;CACF;AAyCD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBAAa,wBAAyB,SAAQ,SAAS;IACrD,QAAQ,CAAC,IAAI,0BAA0B;IAKvC,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;gBAEhC,cAAc,EAAE,MAAM,GAAG,SAAS,EAAE,OAAO,CAAC,EAAE,MAAM;CAajE;AAED;;;;;;;;;;;;GAYG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;IACpD,QAAQ,CAAC,IAAI,yBAAyB;IAItC,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;gBAEhC,cAAc,EAAE,MAAM,GAAG,SAAS,EAAE,OAAO,CAAC,EAAE,MAAM;CAajE;AAED;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;aAIlC,mBAAmB,EAAE,MAAM,EAAE;aAC7B,gBAAgB,EAAE,MAAM,EAAE;aAC1B,QAAQ,CAAC,EAAE,MAAM;IALnC,QAAQ,CAAC,IAAI,yBAAyB;gBAGpB,mBAAmB,EAAE,MAAM,EAAE,EAC7B,gBAAgB,EAAE,MAAM,EAAE,EAC1B,QAAQ,CAAC,EAAE,MAAM,YAAA;CAOpC;AAED;;;;;;;;;;GAUG;AACH,qBAAa,qBAAsB,SAAQ,SAAS;aAIhC,KAAK,EAAE,MAAM;aACb,SAAS,EAAE,MAAM;aACjB,GAAG,EAAE,MAAM;IAC3B;;;;;OAKG;aACa,mBAAmB,CAAC,EAAE,MAAM;IAZ9C,QAAQ,CAAC,IAAI,wBAAwB;gBAGnB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM;IAC3B;;;;;OAKG;IACa,mBAAmB,CAAC,EAAE,MAAM,YAAA;CAS/C;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,wBAAwB,GAAG,SAAS,GAAG,aAAa,GAAG,WAAW,CAAC;AAE/E;;;;;;;;GAQG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;aAIlC,QAAQ,EAAE,MAAM;aAChB,MAAM,EAAE,wBAAwB;aAChC,aAAa,EAAE,IAAI,GAAG,IAAI;aAC1B,QAAQ,CAAC,EAAE,MAAM;IANnC,QAAQ,CAAC,IAAI,yBAAyB;gBAGpB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,wBAAwB,EAChC,aAAa,EAAE,IAAI,GAAG,IAAI,EAC1B,QAAQ,CAAC,EAAE,MAAM,YAAA;IASnC,OAAO,CAAC,MAAM,CAAC,OAAO;CAUvB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,OAAO,EAAE,UAAU,UAAQ,GAAG,OAAO,CA2BtE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CACnC,SAAS,EAAE;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,EAC7C,cAAc,CAAC,EAAE,MAAM,GACtB,SAAS,GAAG,SAAS,CASvB;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,SAAS,CAE9D;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,KAAK,IAAI,CAAC,CAEpH;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAoBA"}