npm - @adcp/sdk - Versions diffs - 7.1.0 → 7.3.0 - Mend

@adcp/sdk 7.1.0 → 7.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (85) hide show

package/bin/adcp-config.js +10 -1
package/bin/adcp.js +376 -22
package/dist/lib/auth/oauth/authorization-required.d.ts +17 -0
package/dist/lib/auth/oauth/authorization-required.d.ts.map +1 -1
package/dist/lib/auth/oauth/authorization-required.js +20 -0
package/dist/lib/auth/oauth/authorization-required.js.map +1 -1
package/dist/lib/auth/oauth/index.d.ts +1 -1
package/dist/lib/auth/oauth/index.d.ts.map +1 -1
package/dist/lib/auth/oauth/index.js +2 -1
package/dist/lib/auth/oauth/index.js.map +1 -1
package/dist/lib/core/AgentClient.d.ts.map +1 -1
package/dist/lib/core/SingleAgentClient.d.ts.map +1 -1
package/dist/lib/core/SingleAgentClient.js +13 -2
package/dist/lib/core/SingleAgentClient.js.map +1 -1
package/dist/lib/discovery/property-crawler.d.ts +13 -1
package/dist/lib/discovery/property-crawler.d.ts.map +1 -1
package/dist/lib/discovery/property-crawler.js +40 -14
package/dist/lib/discovery/property-crawler.js.map +1 -1
package/dist/lib/discovery/resolve-agent-properties.d.ts +103 -0
package/dist/lib/discovery/resolve-agent-properties.d.ts.map +1 -0
package/dist/lib/discovery/resolve-agent-properties.js +182 -0
package/dist/lib/discovery/resolve-agent-properties.js.map +1 -0
package/dist/lib/discovery/types.d.ts +41 -2
package/dist/lib/discovery/types.d.ts.map +1 -1
package/dist/lib/discovery/types.js +2 -1
package/dist/lib/discovery/types.js.map +1 -1
package/dist/lib/discovery/validate-adagents.d.ts +114 -0
package/dist/lib/discovery/validate-adagents.d.ts.map +1 -0
package/dist/lib/discovery/validate-adagents.js +417 -0
package/dist/lib/discovery/validate-adagents.js.map +1 -0
package/dist/lib/errors/index.d.ts +42 -5
package/dist/lib/errors/index.d.ts.map +1 -1
package/dist/lib/errors/index.js +64 -9
package/dist/lib/errors/index.js.map +1 -1
package/dist/lib/index.d.ts +3 -1
package/dist/lib/index.d.ts.map +1 -1
package/dist/lib/index.js +17 -10
package/dist/lib/index.js.map +1 -1
package/dist/lib/protocols/a2a.d.ts.map +1 -1
package/dist/lib/protocols/a2a.js +70 -11
package/dist/lib/protocols/a2a.js.map +1 -1
package/dist/lib/protocols/mcp.d.ts.map +1 -1
package/dist/lib/protocols/mcp.js +61 -5
package/dist/lib/protocols/mcp.js.map +1 -1
package/dist/lib/schemas-data/v2.5/_provenance.json +1 -1
package/dist/lib/server/idempotency/store.d.ts +6 -5
package/dist/lib/server/idempotency/store.d.ts.map +1 -1
package/dist/lib/server/idempotency/store.js +11 -14
package/dist/lib/server/idempotency/store.js.map +1 -1
package/dist/lib/signing/fetch-async.d.ts.map +1 -1
package/dist/lib/signing/fetch-async.js +5 -0
package/dist/lib/signing/fetch-async.js.map +1 -1
package/dist/lib/signing/fetch.d.ts.map +1 -1
package/dist/lib/signing/fetch.js +11 -0
package/dist/lib/signing/fetch.js.map +1 -1
package/dist/lib/testing/client.d.ts +8 -0
package/dist/lib/testing/client.d.ts.map +1 -1
package/dist/lib/testing/client.js +73 -2
package/dist/lib/testing/client.js.map +1 -1
package/dist/lib/testing/compliance/comply.d.ts +27 -3
package/dist/lib/testing/compliance/comply.d.ts.map +1 -1
package/dist/lib/testing/compliance/comply.js +21 -31
package/dist/lib/testing/compliance/comply.js.map +1 -1
package/dist/lib/testing/compliance/index.d.ts +1 -1
package/dist/lib/testing/compliance/index.d.ts.map +1 -1
package/dist/lib/testing/compliance/index.js +2 -1
package/dist/lib/testing/compliance/index.js.map +1 -1
package/dist/lib/testing/scenarios/error-compliance.d.ts.map +1 -1
package/dist/lib/testing/scenarios/error-compliance.js +11 -1
package/dist/lib/testing/scenarios/error-compliance.js.map +1 -1
package/dist/lib/testing/storyboard/parallel-dispatch.d.ts.map +1 -1
package/dist/lib/testing/storyboard/parallel-dispatch.js +6 -4
package/dist/lib/testing/storyboard/parallel-dispatch.js.map +1 -1
package/dist/lib/testing/storyboard/validations.d.ts.map +1 -1
package/dist/lib/testing/storyboard/validations.js +18 -7
package/dist/lib/testing/storyboard/validations.js.map +1 -1
package/dist/lib/types/index.d.ts +2 -0
package/dist/lib/types/index.d.ts.map +1 -1
package/dist/lib/types/index.js +4 -0
package/dist/lib/types/index.js.map +1 -1
package/dist/lib/version.d.ts +3 -3
package/dist/lib/version.js +3 -3
package/docs/llms.txt +10 -2
package/package.json +2 -1
package/skills/call-adcp-agent/SKILL.md +1 -1

package/dist/lib/discovery/validate-adagents.d.ts ADDED Viewed

@@ -0,0 +1,114 @@
+/**
+ * `adagents.json` discovery + validation with the ads.txt `MANAGERDOMAIN`
+ * one-hop fallback (adcp#4175 / adcontextprotocol/adcp PR #4173, adcp-client#1717).
+ *
+ * Discovery order:
+ *   1. `https://{publisher}/.well-known/adagents.json` (direct)
+ *      - if the file carries `authoritative_location`, follow one redirect
+ *        and report `discovery_method = 'authoritative_location'`
+ *   2. On HTTP 404 only — fetch `https://{publisher}/ads.txt`, parse the
+ *      `MANAGERDOMAIN=` directive, and attempt
+ *      `https://{managerdomain}/.well-known/adagents.json`.
+ *      Reports `discovery_method = 'ads_txt_managerdomain'` and
+ *      `manager_domain`.
+ *
+ * Per the #4173 resolution of the RFC's open questions:
+ *   - Only the IAB directive form `MANAGERDOMAIN=example.com` counts;
+ *     the comment form `# managerdomain=example.com` is rejected.
+ *   - Duplicate `MANAGERDOMAIN` lines: last-wins (rather than the RFC's
+ *     fail-closed default — IAB-aligned).
+ *
+ * Other safety rules from the RFC carry through:
+ *   - Fallback fires only on 404 (not 5xx / timeout / invalid JSON).
+ *   - Exactly one hop. The manager-domain file is fetched once, never
+ *     recursed into.
+ *   - `publisher → publisher` cycle is rejected.
+ *   - `#noagents` trailing comment on a `MANAGERDOMAIN` line excludes
+ *     that entry from fallback discovery.
+ *   - Manager-domain failure is terminal — never a silent pass.
+ */
+import { type LogLevel } from '../utils/logger';
+import type { AdAgentsJson } from './types';
+/** How the validator located the authoritative `adagents.json` for a publisher. */
+export type DiscoveryMethod = 'direct' | 'authoritative_location' | 'ads_txt_managerdomain';
+export interface AdAgentsValidationResult {
+    /** Whether a valid `adagents.json` was discovered for this publisher. */
+    valid: boolean;
+    /** The publisher domain the caller asked us to validate. */
+    publisher_domain: string;
+    /**
+     * Which discovery path was used. Defaults to `'direct'`: a failure on
+     * the publisher's own `.well-known/adagents.json` reports `'direct'`
+     * even when no file was retrieved. `'authoritative_location'` and
+     * `'ads_txt_managerdomain'` only appear once the validator has
+     * committed to that path (followed the pointer / parsed a directive).
+     */
+    discovery_method: DiscoveryMethod;
+    /**
+     * The manager domain consulted when `discovery_method ===
+     * 'ads_txt_managerdomain'`. Populated even on manager-domain failure
+     * so callers can surface "we tried <manager>" in error reports.
+     *
+     * Note for chained validators: re-invoking `validateAdAgents` against
+     * `manager_domain` to walk N hops re-enters the discovery flow from
+     * scratch. This validator's one-hop guarantee is per-call, not
+     * per-chain — callers stringing multiple invocations together are
+     * responsible for their own loop guard.
+     */
+    manager_domain?: string;
+    /** URL the `adagents.json` was ultimately loaded from. Omitted when nothing loaded. */
+    resolved_url?: string;
+    /**
+     * Parsed authoritative file. Omitted on failure.
+     *
+     * **Counterparty-controlled.** This JSON came verbatim from the
+     * publisher (or their declared manager domain). Treat as untrusted
+     * input: do NOT splice into LLM system prompts, log-aggregator
+     * indices, or any context that interprets text as instructions
+     * without first stripping or sanitizing. Field names like
+     * `authorized_for` (free-text) and `properties[].name` are obvious
+     * vectors; less-obvious ones include arbitrary `$schema` URLs and
+     * structured `tags`.
+     */
+    adagents?: AdAgentsJson;
+    /** One or more reasons validation failed. Empty when `valid === true`. */
+    errors: string[];
+}
+export interface ValidateAdAgentsOptions {
+    /** Per-request timeout in ms (default 10_000). */
+    timeoutMs?: number;
+    /** Optional User-Agent suffix (validated via `validateUserAgent`). */
+    userAgent?: string;
+    /** Logger level (default `'warn'`). */
+    logLevel?: LogLevel;
+    /**
+     * Build the URL for a `domain` + well-known `path` pair. Defaults to
+     * `https://{domain}{path}`. Provide a custom builder to point the
+     * validator at a loopback test server (`http://...`), an internal
+     * mirror, or a CDN-rewriting host.
+     */
+    urlForDomain?: (domain: string, path: string) => string;
+}
+/**
+ * Validate `adagents.json` for a publisher domain. Implements the
+ * ads.txt `MANAGERDOMAIN` one-hop fallback specified in adcp#4175.
+ */
+export declare function validateAdAgents(publisherDomain: string, options?: ValidateAdAgentsOptions): Promise<AdAgentsValidationResult>;
+/**
+ * Parse a MANAGERDOMAIN directive out of an ads.txt body. Returns the
+ * lowercased host token (last-wins on duplicates) or `undefined` when
+ * no eligible directive is present.
+ *
+ * Eligibility rules (per adcp-client#1717 / adcp#4175 + #4173 resolution):
+ *   - Directive form `MANAGERDOMAIN=<host>` only. Case-insensitive on
+ *     the key; the value preserves no case. Comment-only lines like
+ *     `# managerdomain=...` are rejected.
+ *   - Value must be a host token (no scheme, no path, no whitespace).
+ *   - Trailing inline comment containing `noagents` (case-insensitive)
+ *     opts that entry out of fallback discovery.
+ *   - Duplicate eligible entries: the last one wins.
+ *
+ * Exported for direct unit testing.
+ */
+export declare function parseManagerDomain(adsTxt: string): string | undefined;
+//# sourceMappingURL=validate-adagents.d.ts.map

package/dist/lib/discovery/validate-adagents.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"validate-adagents.d.ts","sourceRoot":"","sources":["../../../src/lib/discovery/validate-adagents.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,OAAO,EAAgB,KAAK,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAK9D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,mFAAmF;AACnF,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,wBAAwB,GAAG,uBAAuB,CAAC;AAE5F,MAAM,WAAW,wBAAwB;IACvC,yEAAyE;IACzE,KAAK,EAAE,OAAO,CAAC;IACf,4DAA4D;IAC5D,gBAAgB,EAAE,MAAM,CAAC;IACzB;;;;;;OAMG;IACH,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;;;;;;;;OAUG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,uFAAuF;IACvF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,EAAE,YAAY,CAAC;IACxB,0EAA0E;IAC1E,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,uBAAuB;IACtC,kDAAkD;IAClD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sEAAsE;IACtE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uCAAuC;IACvC,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,MAAM,CAAC;CACzD;AAYD;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,eAAe,EAAE,MAAM,EACvB,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,wBAAwB,CAAC,CA4MnC;AAaD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CA8BrE"}

package/dist/lib/discovery/validate-adagents.js ADDED Viewed

@@ -0,0 +1,417 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateAdAgents = validateAdAgents;
+exports.parseManagerDomain = parseManagerDomain;
+/**
+ * `adagents.json` discovery + validation with the ads.txt `MANAGERDOMAIN`
+ * one-hop fallback (adcp#4175 / adcontextprotocol/adcp PR #4173, adcp-client#1717).
+ *
+ * Discovery order:
+ *   1. `https://{publisher}/.well-known/adagents.json` (direct)
+ *      - if the file carries `authoritative_location`, follow one redirect
+ *        and report `discovery_method = 'authoritative_location'`
+ *   2. On HTTP 404 only — fetch `https://{publisher}/ads.txt`, parse the
+ *      `MANAGERDOMAIN=` directive, and attempt
+ *      `https://{managerdomain}/.well-known/adagents.json`.
+ *      Reports `discovery_method = 'ads_txt_managerdomain'` and
+ *      `manager_domain`.
+ *
+ * Per the #4173 resolution of the RFC's open questions:
+ *   - Only the IAB directive form `MANAGERDOMAIN=example.com` counts;
+ *     the comment form `# managerdomain=example.com` is rejected.
+ *   - Duplicate `MANAGERDOMAIN` lines: last-wins (rather than the RFC's
+ *     fail-closed default — IAB-aligned).
+ *
+ * Other safety rules from the RFC carry through:
+ *   - Fallback fires only on 404 (not 5xx / timeout / invalid JSON).
+ *   - Exactly one hop. The manager-domain file is fetched once, never
+ *     recursed into.
+ *   - `publisher → publisher` cycle is rejected.
+ *   - `#noagents` trailing comment on a `MANAGERDOMAIN` line excludes
+ *     that entry from fallback discovery.
+ *   - Manager-domain failure is terminal — never a silent pass.
+ */
+const logger_1 = require("../utils/logger");
+const version_1 = require("../version");
+const validate_user_agent_1 = require("../utils/validate-user-agent");
+const ssrf_fetch_1 = require("../net/ssrf-fetch");
+const probe_policy_1 = require("../utils/probe-policy");
+const DEFAULT_TIMEOUT_MS = 10_000;
+const MAX_ADAGENTS_BYTES = 256 * 1024;
+const MAX_ADS_TXT_BYTES = 256 * 1024;
+const FETCH_HEADERS = {
+    Accept: 'application/json, text/plain, */*',
+    'Accept-Language': 'en-US,en;q=0.9',
+    'Accept-Encoding': 'gzip, deflate, br',
+};
+/**
+ * Validate `adagents.json` for a publisher domain. Implements the
+ * ads.txt `MANAGERDOMAIN` one-hop fallback specified in adcp#4175.
+ */
+async function validateAdAgents(publisherDomain, options = {}) {
+    if (!publisherDomain || typeof publisherDomain !== 'string') {
+        throw new Error('publisherDomain must be a non-empty string');
+    }
+    if (options.userAgent) {
+        (0, validate_user_agent_1.validateUserAgent)(options.userAgent);
+    }
+    const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    const logger = (0, logger_1.createLogger)({ level: options.logLevel ?? 'warn' }).child('validateAdAgents');
+    const userAgentHeader = `adcp-validate-adagents/${version_1.LIBRARY_VERSION} (+https://adcontextprotocol.org)`;
+    const fromHeader = options.userAgent
+        ? `adcp-validate-adagents@adcontextprotocol.org (${options.userAgent}; v${version_1.LIBRARY_VERSION})`
+        : `adcp-validate-adagents@adcontextprotocol.org (v${version_1.LIBRARY_VERSION})`;
+    const publisher = publisherDomain.toLowerCase();
+    const buildUrl = options.urlForDomain ?? ((domain, path) => `https://${domain}${path}`);
+    const publisherUrl = buildUrl(publisher, '/.well-known/adagents.json');
+    // Step 1: try the publisher's canonical location.
+    const direct = await fetchJsonOrStatus(publisherUrl, {
+        timeoutMs,
+        maxBodyBytes: MAX_ADAGENTS_BYTES,
+        userAgentHeader,
+        fromHeader,
+    });
+    if (direct.kind === 'ok') {
+        const data = coerceAdAgentsObject(direct.data);
+        if (!data) {
+            return {
+                valid: false,
+                publisher_domain: publisher,
+                discovery_method: 'direct',
+                resolved_url: publisherUrl,
+                errors: ['adagents.json fetch failed: invalid JSON: response is not a JSON object'],
+            };
+        }
+        // Handle `authoritative_location` indirection: a pointer file with no
+        // inline `authorized_agents` should be followed exactly once.
+        if (data.authoritative_location && !data.authorized_agents) {
+            const target = data.authoritative_location;
+            // Production: HTTPS-only. Loopback test runs (gated by
+            // ADCP_ALLOW_INTERNAL_PROBES=1) may use `http://` against a
+            // 127.0.0.1 server — the same opt-in that lets `ssrfSafeFetch`
+            // touch loopback in the first place.
+            const allowHttp = (0, probe_policy_1.isInternalProbesAllowed)();
+            if (!target.startsWith('https://') && !(allowHttp && target.startsWith('http://'))) {
+                return {
+                    valid: false,
+                    publisher_domain: publisher,
+                    discovery_method: 'authoritative_location',
+                    resolved_url: publisherUrl,
+                    errors: [`authoritative_location must use https://, got: ${target}`],
+                };
+            }
+            // Normalize before cycle-comparing — string equality misses
+            // trivial bounce variants (trailing slash, `?query`, fragment,
+            // uppercase scheme). Worst case of missing one of these is a
+            // wasted RTT against the publisher's own server, not SSRF
+            // (still routed through `ssrfSafeFetch`), but the right check
+            // is on origin+pathname.
+            if (sameOriginAndPath(target, publisherUrl)) {
+                return {
+                    valid: false,
+                    publisher_domain: publisher,
+                    discovery_method: 'authoritative_location',
+                    resolved_url: publisherUrl,
+                    errors: ['authoritative_location points back to the publisher (cycle)'],
+                };
+            }
+            const followed = await fetchJsonOrStatus(target, {
+                timeoutMs,
+                maxBodyBytes: MAX_ADAGENTS_BYTES,
+                userAgentHeader,
+                fromHeader,
+            });
+            if (followed.kind !== 'ok') {
+                return {
+                    valid: false,
+                    publisher_domain: publisher,
+                    discovery_method: 'authoritative_location',
+                    resolved_url: target,
+                    errors: [`authoritative_location fetch failed: ${describeOutcome(followed)}`],
+                };
+            }
+            const followedAdAgents = coerceAdAgentsObject(followed.data);
+            if (!followedAdAgents) {
+                return {
+                    valid: false,
+                    publisher_domain: publisher,
+                    discovery_method: 'authoritative_location',
+                    resolved_url: target,
+                    errors: ['authoritative_location target returned a non-object JSON value'],
+                };
+            }
+            return {
+                valid: true,
+                publisher_domain: publisher,
+                discovery_method: 'authoritative_location',
+                resolved_url: target,
+                adagents: followedAdAgents,
+                errors: [],
+            };
+        }
+        return {
+            valid: true,
+            publisher_domain: publisher,
+            discovery_method: 'direct',
+            resolved_url: publisherUrl,
+            adagents: data,
+            errors: [],
+        };
+    }
+    // Step 2: managerdomain fallback only fires on 404. Other failures
+    // (5xx, timeout, malformed JSON, SSRF refusal) are terminal under the
+    // RFC's "Only trigger fallback on 404" rule.
+    if (direct.kind !== 'not_found') {
+        return {
+            valid: false,
+            publisher_domain: publisher,
+            discovery_method: 'direct',
+            errors: [`adagents.json fetch failed: ${describeOutcome(direct)}`],
+        };
+    }
+    // Step 3: fetch ads.txt and look for a MANAGERDOMAIN= directive.
+    const adsTxtUrl = buildUrl(publisher, '/ads.txt');
+    const adsTxt = await fetchTextOrStatus(adsTxtUrl, {
+        timeoutMs,
+        maxBodyBytes: MAX_ADS_TXT_BYTES,
+        userAgentHeader,
+        fromHeader,
+    });
+    if (adsTxt.kind !== 'ok') {
+        return {
+            valid: false,
+            publisher_domain: publisher,
+            discovery_method: 'direct',
+            errors: [`adagents.json missing (404) and ads.txt unavailable: ${describeOutcome(adsTxt)}`],
+        };
+    }
+    const managerDomain = parseManagerDomain(adsTxt.text);
+    if (!managerDomain) {
+        return {
+            valid: false,
+            publisher_domain: publisher,
+            discovery_method: 'direct',
+            errors: ['adagents.json missing (404) and no eligible MANAGERDOMAIN directive in ads.txt'],
+        };
+    }
+    if (managerDomain === publisher) {
+        return {
+            valid: false,
+            publisher_domain: publisher,
+            discovery_method: 'direct',
+            errors: [`MANAGERDOMAIN references the publisher domain itself (cycle): ${managerDomain}`],
+        };
+    }
+    // Step 4: fetch the manager domain's adagents.json. One hop only —
+    // even if this file has its own `authoritative_location`, we do NOT
+    // follow it (the RFC restricts to one hop publisher → managerdomain).
+    const managerUrl = buildUrl(managerDomain, '/.well-known/adagents.json');
+    const manager = await fetchJsonOrStatus(managerUrl, {
+        timeoutMs,
+        maxBodyBytes: MAX_ADAGENTS_BYTES,
+        userAgentHeader,
+        fromHeader,
+    });
+    if (manager.kind !== 'ok') {
+        logger.debug(`Manager domain ${managerDomain} adagents.json fetch failed: ${describeOutcome(manager)}`);
+        return {
+            valid: false,
+            publisher_domain: publisher,
+            discovery_method: 'ads_txt_managerdomain',
+            manager_domain: managerDomain,
+            errors: [`Manager domain adagents.json fetch failed: ${describeOutcome(manager)}`],
+        };
+    }
+    const managerAdAgents = coerceAdAgentsObject(manager.data);
+    if (!managerAdAgents) {
+        return {
+            valid: false,
+            publisher_domain: publisher,
+            discovery_method: 'ads_txt_managerdomain',
+            manager_domain: managerDomain,
+            errors: ['Manager domain adagents.json returned a non-object JSON value'],
+        };
+    }
+    return {
+        valid: true,
+        publisher_domain: publisher,
+        discovery_method: 'ads_txt_managerdomain',
+        manager_domain: managerDomain,
+        resolved_url: managerUrl,
+        adagents: managerAdAgents,
+        errors: [],
+    };
+}
+/**
+ * Narrow `JSON.parse` output to a plain object — rejects `null`,
+ * arrays, primitives. Empty-body responses decode to `null` and
+ * pass the JSON parser; downstream code paths assume an object and
+ * would crash on null without this guard (#1720 review).
+ */
+function coerceAdAgentsObject(value) {
+    if (value === null || typeof value !== 'object' || Array.isArray(value))
+        return null;
+    return value;
+}
+/**
+ * Parse a MANAGERDOMAIN directive out of an ads.txt body. Returns the
+ * lowercased host token (last-wins on duplicates) or `undefined` when
+ * no eligible directive is present.
+ *
+ * Eligibility rules (per adcp-client#1717 / adcp#4175 + #4173 resolution):
+ *   - Directive form `MANAGERDOMAIN=<host>` only. Case-insensitive on
+ *     the key; the value preserves no case. Comment-only lines like
+ *     `# managerdomain=...` are rejected.
+ *   - Value must be a host token (no scheme, no path, no whitespace).
+ *   - Trailing inline comment containing `noagents` (case-insensitive)
+ *     opts that entry out of fallback discovery.
+ *   - Duplicate eligible entries: the last one wins.
+ *
+ * Exported for direct unit testing.
+ */
+function parseManagerDomain(adsTxt) {
+    if (!adsTxt)
+        return undefined;
+    // Strip BOM if present — common on Windows-authored ads.txt files.
+    // `charCodeAt` + `slice` is clearer than a regex match against a
+    // literal U+FEFF (per #1720 review).
+    const body = adsTxt.charCodeAt(0) === 0xfeff ? adsTxt.slice(1) : adsTxt;
+    let last;
+    for (const rawLine of body.split(/\r?\n/)) {
+        // Split off any inline comment so the directive parser only sees
+        // the code part, but keep the comment text around for the
+        // `#noagents` opt-out check.
+        const hashIdx = rawLine.indexOf('#');
+        const code = (hashIdx === -1 ? rawLine : rawLine.slice(0, hashIdx)).trim();
+        const comment = hashIdx === -1 ? '' : rawLine.slice(hashIdx + 1);
+        if (!code)
+            continue;
+        // Directive form only: KEY=VALUE on its own line, key matched
+        // case-insensitively. We parse with `indexOf('=')` rather than a
+        // regex because `code` is uncontrolled network input — any regex
+        // shape like `^KEY\s*=\s*(...)$` invites polynomial-ReDoS backtracking
+        // on pathological whitespace-heavy lines (flagged by CodeQL).
+        const eq = code.indexOf('=');
+        if (eq === -1)
+            continue;
+        if (code.slice(0, eq).trim().toLowerCase() !== 'managerdomain')
+            continue;
+        const value = code.slice(eq + 1).trim();
+        if (!value)
+            continue;
+        if (!isEligibleHostToken(value))
+            continue;
+        if (/\bnoagents\b/i.test(comment))
+            continue;
+        last = value.toLowerCase();
+    }
+    return last;
+}
+/**
+ * URL equality for cycle detection. Compares lowercased origin
+ * (scheme + host + port) and pathname; ignores trailing slashes,
+ * query strings, fragments, and scheme case. Returns false on
+ * unparseable URLs (callers treat unparseable as "not a cycle" so
+ * `ssrfSafeFetch` can produce a cleaner error downstream).
+ */
+function sameOriginAndPath(a, b) {
+    try {
+        const ua = new URL(a);
+        const ub = new URL(b);
+        if (ua.origin.toLowerCase() !== ub.origin.toLowerCase())
+            return false;
+        const pathA = ua.pathname.replace(/\/+$/, '');
+        const pathB = ub.pathname.replace(/\/+$/, '');
+        return pathA === pathB;
+    }
+    catch {
+        return false;
+    }
+}
+function isEligibleHostToken(value) {
+    if (!value)
+        return false;
+    // Reject anything with whitespace, slashes, or query strings.
+    if (/[\s/?#]/.test(value))
+        return false;
+    // Reject anything that looks like a URL (`scheme:` prefix). The single
+    // `:` permitted in a host token is the port separator handled below —
+    // so look for the colon-before-slash-or-end shape `scheme:...`.
+    if (/^[a-z][a-z0-9+.-]*:[^0-9]/i.test(value))
+        return false;
+    // Split off an optional `:port` suffix. Port must be 1–5 digits.
+    const portMatch = value.match(/^(.*?):([0-9]{1,5})$/);
+    const host = portMatch?.[1] ?? value;
+    // Minimal hostname shape — at least one dot, labels per RFC 1035-ish.
+    // Reject `example` (no TLD) and obvious junk like `..` or `-foo.com`.
+    if (!/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i.test(host))
+        return false;
+    return true;
+}
+async function fetchJsonOrStatus(url, opts) {
+    const raw = await rawFetch(url, opts);
+    if (raw.kind !== 'ok-text')
+        return raw;
+    try {
+        return { kind: 'ok', data: JSON.parse(raw.text) };
+    }
+    catch (err) {
+        return { kind: 'parse_error', message: err instanceof Error ? err.message : 'invalid JSON' };
+    }
+}
+async function fetchTextOrStatus(url, opts) {
+    const raw = await rawFetch(url, opts);
+    if (raw.kind === 'ok-text')
+        return { kind: 'ok', text: raw.text };
+    return raw;
+}
+async function rawFetch(url, opts) {
+    try {
+        const result = await (0, ssrf_fetch_1.ssrfSafeFetch)(url, {
+            timeoutMs: opts.timeoutMs,
+            allowPrivateIp: (0, probe_policy_1.isInternalProbesAllowed)(),
+            maxBodyBytes: opts.maxBodyBytes,
+            headers: {
+                ...FETCH_HEADERS,
+                'User-Agent': opts.userAgentHeader,
+                From: opts.fromHeader,
+            },
+        });
+        if (result.status === 404)
+            return { kind: 'not_found' };
+        if (result.status < 200 || result.status >= 300) {
+            return { kind: 'http_error', status: result.status };
+        }
+        // Always decode as text — JSON parsing is the caller's choice. This
+        // lets ads.txt and adagents.json share the same fetch primitive.
+        const decoded = (0, ssrf_fetch_1.decodeBodyAsJsonOrText)(result.body, 'text/plain');
+        const text = typeof decoded === 'string' ? decoded : JSON.stringify(decoded);
+        return { kind: 'ok-text', text };
+    }
+    catch (err) {
+        if (err instanceof ssrf_fetch_1.SsrfRefusedError) {
+            return { kind: 'ssrf_refused', message: err.message };
+        }
+        return { kind: 'transport_error', message: err instanceof Error ? err.message : String(err) };
+    }
+}
+/**
+ * Render a fetch failure into a short, log-safe string. Callers only
+ * pass failures here — the `'ok'` branch is excluded at the type level
+ * so we don't keep a dead "ok" string lying around (#1720 review).
+ */
+function describeOutcome(outcome) {
+    switch (outcome.kind) {
+        case 'not_found':
+            return 'HTTP 404';
+        case 'http_error':
+            return `HTTP ${outcome.status}`;
+        case 'transport_error':
+            return outcome.message;
+        case 'parse_error':
+            return `invalid JSON: ${outcome.message}`;
+        case 'ssrf_refused':
+            return `[SSRF refused] ${outcome.message}`;
+    }
+}
+//# sourceMappingURL=validate-adagents.js.map

package/dist/lib/discovery/validate-adagents.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"validate-adagents.js","sourceRoot":"","sources":["../../../src/lib/discovery/validate-adagents.ts"],"names":[],"mappings":";;AAiHA,4CA+MC;AA6BD,gDA8BC;AA3XD;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,4CAA8D;AAC9D,wCAA6C;AAC7C,sEAAiE;AACjE,kDAA4F;AAC5F,wDAAgE;AAkEhE,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAClC,MAAM,kBAAkB,GAAG,GAAG,GAAG,IAAI,CAAC;AACtC,MAAM,iBAAiB,GAAG,GAAG,GAAG,IAAI,CAAC;AAErC,MAAM,aAAa,GAAG;IACpB,MAAM,EAAE,mCAAmC;IAC3C,iBAAiB,EAAE,gBAAgB;IACnC,iBAAiB,EAAE,mBAAmB;CACvC,CAAC;AAEF;;;GAGG;AACI,KAAK,UAAU,gBAAgB,CACpC,eAAuB,EACvB,UAAmC,EAAE;IAErC,IAAI,CAAC,eAAe,IAAI,OAAO,eAAe,KAAK,QAAQ,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,IAAA,uCAAiB,EAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACvC,CAAC;IACD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,kBAAkB,CAAC;IAC1D,MAAM,MAAM,GAAG,IAAA,qBAAY,EAAC,EAAE,KAAK,EAAE,OAAO,CAAC,QAAQ,IAAI,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAC7F,MAAM,eAAe,GAAG,0BAA0B,yBAAe,mCAAmC,CAAC;IACrG,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS;QAClC,CAAC,CAAC,iDAAiD,OAAO,CAAC,SAAS,MAAM,yBAAe,GAAG;QAC5F,CAAC,CAAC,kDAAkD,yBAAe,GAAG,CAAC;IAEzE,MAAM,SAAS,GAAG,eAAe,CAAC,WAAW,EAAE,CAAC;IAChD,MAAM,QAAQ,GAAG,OAAO,CAAC,YAAY,IAAI,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE,CAAC,WAAW,MAAM,GAAG,IAAI,EAAE,CAAC,CAAC;IACxF,MAAM,YAAY,GAAG,QAAQ,CAAC,SAAS,EAAE,4BAA4B,CAAC,CAAC;IAEvE,kDAAkD;IAClD,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,YAAY,EAAE;QACnD,SAAS;QACT,YAAY,EAAE,kBAAkB;QAChC,eAAe;QACf,UAAU;KACX,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,gBAAgB,EAAE,SAAS;gBAC3B,gBAAgB,EAAE,QAAQ;gBAC1B,YAAY,EAAE,YAAY;gBAC1B,MAAM,EAAE,CAAC,yEAAyE,CAAC;aACpF,CAAC;QACJ,CAAC;QAED,sEAAsE;QACtE,8DAA8D;QAC9D,IAAI,IAAI,CAAC,sBAAsB,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,sBAAsB,CAAC;YAC3C,uDAAuD;YACvD,4DAA4D;YAC5D,+DAA+D;YAC/D,qCAAqC;YACrC,MAAM,SAAS,GAAG,IAAA,sCAAuB,GAAE,CAAC;YAC5C,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,SAAS,IAAI,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;gBACnF,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,gBAAgB,EAAE,SAAS;oBAC3B,gBAAgB,EAAE,wBAAwB;oBAC1C,YAAY,EAAE,YAAY;oBAC1B,MAAM,EAAE,CAAC,kDAAkD,MAAM,EAAE,CAAC;iBACrE,CAAC;YACJ,CAAC;YACD,4DAA4D;YAC5D,+DAA+D;YAC/D,6DAA6D;YAC7D,0DAA0D;YAC1D,8DAA8D;YAC9D,yBAAyB;YACzB,IAAI,iBAAiB,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,gBAAgB,EAAE,SAAS;oBAC3B,gBAAgB,EAAE,wBAAwB;oBAC1C,YAAY,EAAE,YAAY;oBAC1B,MAAM,EAAE,CAAC,6DAA6D,CAAC;iBACxE,CAAC;YACJ,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE;gBAC/C,SAAS;gBACT,YAAY,EAAE,kBAAkB;gBAChC,eAAe;gBACf,UAAU;aACX,CAAC,CAAC;YACH,IAAI,QAAQ,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;gBAC3B,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,gBAAgB,EAAE,SAAS;oBAC3B,gBAAgB,EAAE,wBAAwB;oBAC1C,YAAY,EAAE,MAAM;oBACpB,MAAM,EAAE,CAAC,wCAAwC,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;iBAC9E,CAAC;YACJ,CAAC;YACD,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC7D,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACtB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,gBAAgB,EAAE,SAAS;oBAC3B,gBAAgB,EAAE,wBAAwB;oBAC1C,YAAY,EAAE,MAAM;oBACpB,MAAM,EAAE,CAAC,gEAAgE,CAAC;iBAC3E,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,gBAAgB,EAAE,SAAS;gBAC3B,gBAAgB,EAAE,wBAAwB;gBAC1C,YAAY,EAAE,MAAM;gBACpB,QAAQ,EAAE,gBAAgB;gBAC1B,MAAM,EAAE,EAAE;aACX,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,IAAI;YACX,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,QAAQ;YAC1B,YAAY,EAAE,YAAY;YAC1B,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,EAAE;SACX,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,sEAAsE;IACtE,6CAA6C;IAC7C,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,QAAQ;YAC1B,MAAM,EAAE,CAAC,+BAA+B,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC;SACnE,CAAC;IACJ,CAAC;IAED,iEAAiE;IACjE,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,SAAS,EAAE;QAChD,SAAS;QACT,YAAY,EAAE,iBAAiB;QAC/B,eAAe;QACf,UAAU;KACX,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;QACzB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,QAAQ;YAC1B,MAAM,EAAE,CAAC,wDAAwD,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC;SAC5F,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACtD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,QAAQ;YAC1B,MAAM,EAAE,CAAC,gFAAgF,CAAC;SAC3F,CAAC;IACJ,CAAC;IACD,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,QAAQ;YAC1B,MAAM,EAAE,CAAC,iEAAiE,aAAa,EAAE,CAAC;SAC3F,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,oEAAoE;IACpE,sEAAsE;IACtE,MAAM,UAAU,GAAG,QAAQ,CAAC,aAAa,EAAE,4BAA4B,CAAC,CAAC;IACzE,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,UAAU,EAAE;QAClD,SAAS;QACT,YAAY,EAAE,kBAAkB;QAChC,eAAe;QACf,UAAU;KACX,CAAC,CAAC;IACH,IAAI,OAAO,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,kBAAkB,aAAa,gCAAgC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACxG,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,uBAAuB;YACzC,cAAc,EAAE,aAAa;YAC7B,MAAM,EAAE,CAAC,8CAA8C,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;SACnF,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,oBAAoB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3D,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,gBAAgB,EAAE,SAAS;YAC3B,gBAAgB,EAAE,uBAAuB;YACzC,cAAc,EAAE,aAAa;YAC7B,MAAM,EAAE,CAAC,+DAA+D,CAAC;SAC1E,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK,EAAE,IAAI;QACX,gBAAgB,EAAE,SAAS;QAC3B,gBAAgB,EAAE,uBAAuB;QACzC,cAAc,EAAE,aAAa;QAC7B,YAAY,EAAE,UAAU;QACxB,QAAQ,EAAE,eAAe;QACzB,MAAM,EAAE,EAAE;KACX,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,oBAAoB,CAAC,KAAc;IAC1C,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACrF,OAAO,KAAqB,CAAC;AAC/B,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,kBAAkB,CAAC,MAAc;IAC/C,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,mEAAmE;IACnE,iEAAiE;IACjE,qCAAqC;IACrC,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IACxE,IAAI,IAAwB,CAAC;IAC7B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1C,iEAAiE;QACjE,0DAA0D;QAC1D,6BAA6B;QAC7B,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,CAAC,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3E,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;QACjE,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,8DAA8D;QAC9D,iEAAiE;QACjE,iEAAiE;QACjE,uEAAuE;QACvE,8DAA8D;QAC9D,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,EAAE,KAAK,CAAC,CAAC;YAAE,SAAS;QACxB,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,eAAe;YAAE,SAAS;QACzE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACxC,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC;YAAE,SAAS;QAC1C,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,SAAS;QAC5C,IAAI,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAC7B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CAAC,CAAS,EAAE,CAAS;IAC7C,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,EAAE,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,EAAE,CAAC,MAAM,CAAC,WAAW,EAAE;YAAE,OAAO,KAAK,CAAC;QACtE,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC9C,OAAO,KAAK,KAAK,KAAK,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa;IACxC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,8DAA8D;IAC9D,IAAI,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,uEAAuE;IACvE,sEAAsE;IACtE,gEAAgE;IAChE,IAAI,4BAA4B,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3D,iEAAiE;IACjE,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC;IACrC,sEAAsE;IACtE,sEAAsE;IACtE,IAAI,CAAC,oEAAoE,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACnG,OAAO,IAAI,CAAC;AACd,CAAC;AAsBD,KAAK,UAAU,iBAAiB,CAAC,GAAW,EAAE,IAA0B;IACtE,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACtC,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC;IACvC,IAAI,CAAC;QACH,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;IACpD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,cAAc,EAAE,CAAC;IAC/F,CAAC;AACH,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,GAAW,EAAE,IAA0B;IACtE,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACtC,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC;IAClE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,GAAW,EAAE,IAA0B;IAC7D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,0BAAa,EAAC,GAAG,EAAE;YACtC,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,cAAc,EAAE,IAAA,sCAAuB,GAAE;YACzC,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,OAAO,EAAE;gBACP,GAAG,aAAa;gBAChB,YAAY,EAAE,IAAI,CAAC,eAAe;gBAClC,IAAI,EAAE,IAAI,CAAC,UAAU;aACtB;SACF,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;QACxD,IAAI,MAAM,CAAC,MAAM,GAAG,GAAG,IAAI,MAAM,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;YAChD,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;QACvD,CAAC;QACD,oEAAoE;QACpE,iEAAiE;QACjE,MAAM,OAAO,GAAG,IAAA,mCAAsB,EAAC,MAAM,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;QAClE,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC7E,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,6BAAgB,EAAE,CAAC;YACpC,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;QACxD,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IAChG,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,eAAe,CAAC,OAAqB;IAC5C,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC;QACrB,KAAK,WAAW;YACd,OAAO,UAAU,CAAC;QACpB,KAAK,YAAY;YACf,OAAO,QAAQ,OAAO,CAAC,MAAM,EAAE,CAAC;QAClC,KAAK,iBAAiB;YACpB,OAAO,OAAO,CAAC,OAAO,CAAC;QACzB,KAAK,aAAa;YAChB,OAAO,iBAAiB,OAAO,CAAC,OAAO,EAAE,CAAC;QAC5C,KAAK,cAAc;YACjB,OAAO,kBAAkB,OAAO,CAAC,OAAO,EAAE,CAAC;IAC/C,CAAC;AACH,CAAC"}

package/dist/lib/errors/index.d.ts CHANGED Viewed

@@ -118,12 +118,39 @@ export interface OAuthMetadataInfo {
     /** Issuer identifier */
     issuer?: string;
 }
+/**
+ * Subset of the parsed `WWW-Authenticate` challenge surfaced on
+ * {@link AuthenticationRequiredError}. Mirrors the public shape of
+ * `WWWAuthenticateChallenge` from `@adcp/sdk/auth/oauth` without forcing the
+ * errors module to depend on the auth subtree (the dependency would invert
+ * the build graph).
+ *
+ * `scheme` is lowercased per RFC 9110 §11.6.1.
+ */
+export interface AuthChallengeInfo {
+    scheme: string;
+    realm?: string;
+    scope?: string;
+    error?: string;
+    error_description?: string;
+}
 /**
  * Error thrown when authentication is required to access an MCP endpoint
  *
  * This error is thrown during MCP endpoint discovery when the server returns
- * a 401 Unauthorized response. If the server supports OAuth, the error includes
- * the OAuth metadata to help clients initiate the authentication flow.
+ * a 401 Unauthorized response. The shape of the remediation depends on what
+ * the 401 disclosed:
+ *
+ * - OAuth metadata (RFC 9728 PRM walk succeeded) → `oauthMetadata` set,
+ *   message points at the authorization endpoint.
+ * - A `WWW-Authenticate` challenge with a non-Bearer scheme (e.g. Basic
+ *   behind an Apigee/Kong/AWS API GW gateway) → `challenge` set, message
+ *   names the scheme and the SDK / CLI surface that configures it.
+ * - Plain 401 with no metadata → fallback "provide auth_token" message.
+ *
+ * Consumers branching on `error.challenge?.scheme === 'basic'` can route
+ * straight to `auth: { type: 'basic', username, password }` instead of
+ * retrying Bearer indefinitely.
  *
  * @example
  * ```typescript
@@ -131,12 +158,15 @@ export interface OAuthMetadataInfo {
  *   await client.getProducts({ brief: 'test' });
  * } catch (error) {
  *   if (error instanceof AuthenticationRequiredError) {
- *     if (error.oauthMetadata) {
+ *     if (error.challenge?.scheme === 'basic') {
+ *       // Gateway-fronted agent — configure HTTP Basic
+ *       reconnect({ auth: { type: 'basic', username, password } });
+ *     } else if (error.oauthMetadata) {
  *       // Redirect user to OAuth flow
  *       const authUrl = error.oauthMetadata.authorization_endpoint;
  *       console.log(`Please authenticate at: ${authUrl}`);
  *     } else {
- *       console.log('Authentication required but OAuth not available');
+ *       console.log('Authentication required but no scheme metadata available');
  *     }
  *   }
  * }
@@ -145,8 +175,9 @@ export interface OAuthMetadataInfo {
 export declare class AuthenticationRequiredError extends ADCPError {
     readonly agentUrl: string;
     readonly oauthMetadata?: OAuthMetadataInfo | undefined;
+    readonly challenge?: AuthChallengeInfo | undefined;
     readonly code = "AUTHENTICATION_REQUIRED";
-    constructor(agentUrl: string, oauthMetadata?: OAuthMetadataInfo | undefined, message?: string);
+    constructor(agentUrl: string, oauthMetadata?: OAuthMetadataInfo | undefined, message?: string, challenge?: AuthChallengeInfo | undefined);
     /**
      * Check if OAuth authentication is available
      */
@@ -155,6 +186,12 @@ export declare class AuthenticationRequiredError extends ADCPError {
      * Get the authorization URL if OAuth is available
      */
     get authorizationUrl(): string | undefined;
+    /**
+     * Lowercased scheme from the `WWW-Authenticate` challenge, when present.
+     * `'basic'` is the common non-OAuth case — gateway-fronted agents speaking
+     * RFC 7617.
+     */
+    get suggestedScheme(): string | undefined;
 }
 /**
  * Error thrown when a request reused an `idempotency_key` with a different

package/dist/lib/errors/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/errors/index.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,8BAAsB,SAAU,SAAQ,KAAK;IAKlC,OAAO,CAAC,EAAE,OAAO;IAJ1B,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAG7B,OAAO,EAAE,MAAM,EACR,OAAO,CAAC,EAAE,OAAO,YAAA;CAK3B;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,SAAS;aAI3B,MAAM,EAAE,MAAM;aACd,OAAO,EAAE,MAAM;IAJjC,QAAQ,CAAC,IAAI,kBAAkB;gBAGb,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM;CAIlC;AAED;;GAEG;AACH,qBAAa,qBAAsB,SAAQ,SAAS;aAIhC,MAAM,EAAE,MAAM;aACd,WAAW,EAAE,MAAM;IAJrC,QAAQ,CAAC,IAAI,wBAAwB;gBAGnB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM;CAItC;AAED;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;aAGlB,KAAK,EAAE,MAAM;IAFzC,QAAQ,CAAC,IAAI,mBAAmB;gBAEJ,KAAK,EAAE,MAAM;CAG1C;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,SAAS;aAI3B,MAAM,EAAE,MAAM;aACd,MAAM,CAAC,EAAE,MAAM;IAJjC,QAAQ,CAAC,IAAI,kBAAkB;gBAGb,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,MAAM,YAAA;CAIlC;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,SAAS;aAI7B,OAAO,EAAE,MAAM;aACf,eAAe,EAAE,MAAM,EAAE;IAJ3C,QAAQ,CAAC,IAAI,qBAAqB;gBAGhB,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,EAAE;CAI5C;AAED;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,SAAS;aAI/B,OAAO,EAAE,MAAM;aACf,QAAQ,EAAE,MAAM;aAChB,cAAc,CAAC,EAAE,MAAM,EAAE;IAL3C,QAAQ,CAAC,IAAI,sBAAsB;gBAGjB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,cAAc,CAAC,EAAE,MAAM,EAAE,YAAA;CAK5C;AAED;;GAEG;AACH,qBAAa,aAAc,SAAQ,SAAS;aAIxB,QAAQ,EAAE,KAAK,GAAG,KAAK;aAEvB,aAAa,CAAC,EAAE,KAAK;IALvC,QAAQ,CAAC,IAAI,oBAAoB;gBAGf,QAAQ,EAAE,KAAK,GAAG,KAAK,EACvC,OAAO,EAAE,MAAM,EACC,aAAa,CAAC,EAAE,KAAK,YAAA;CAKxC;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,SAAS;aAI1B,KAAK,EAAE,MAAM;aACb,KAAK,EAAE,OAAO;aACd,UAAU,EAAE,MAAM;IALpC,QAAQ,CAAC,IAAI,sBAAsB;gBAGjB,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,OAAO,EACd,UAAU,EAAE,MAAM;CAKrC;AAED;;GAEG;AACH,qBAAa,wBAAyB,SAAQ,SAAS;aAInC,MAAM,EAAE,MAAM;aACd,QAAQ,EAAE,MAAM;IAJlC,QAAQ,CAAC,IAAI,2BAA2B;gBAGtB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM;CAInC;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,SAAS;aAI9B,SAAS,EAAE,MAAM;IAHnC,QAAQ,CAAC,IAAI,qBAAqB;gBAGhB,SAAS,EAAE,MAAM,EACjC,MAAM,EAAE,MAAM;CAIjB;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,SAAS;aAK7B,WAAW,CAAC,EAAE,MAAM;IAJtC,QAAQ,CAAC,IAAI,yBAAyB;gBAGpC,OAAO,EAAE,MAAM,EACC,WAAW,CAAC,EAAE,MAAM,YAAA;CAKvC;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,wCAAwC;IACxC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gCAAgC;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,iEAAiE;IACjE,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,wBAAwB;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED~~;;;;;;;;;;;;;;;;;;;;;;;GAuBG~~;AACH,qBAAa,2BAA4B,SAAQ,SAAS;aAItC,QAAQ,EAAE,MAAM;aAChB,aAAa,CAAC,EAAE,iBAAiB;~~IAJnD~~,QAAQ,CAAC,IAAI,6BAA6B;gBAGxB,QAAQ,EAAE,MAAM,EAChB,aAAa,CAAC,EAAE,iBAAiB,YAAA,EACjD,OAAO,CAAC,EAAE,MAAM;~~IASlB~~;;OAEG;IACH,IAAI,QAAQ,IAAI,OAAO,CAEtB;IAED;;OAEG;IACH,IAAI,gBAAgB,IAAI,MAAM,GAAG,SAAS,CAEzC;CACF;~~AAED~~;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBAAa,wBAAyB,SAAQ,SAAS;IACrD,QAAQ,CAAC,IAAI,0BAA0B;IAKvC,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;gBAEhC,cAAc,EAAE,MAAM,GAAG,SAAS,EAAE,OAAO,CAAC,EAAE,MAAM;CAajE;AAED;;;;;;;;;;;;GAYG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;IACpD,QAAQ,CAAC,IAAI,yBAAyB;IAItC,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;gBAEhC,cAAc,EAAE,MAAM,GAAG,SAAS,EAAE,OAAO,CAAC,EAAE,MAAM;CAajE;AAED;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;aAIlC,mBAAmB,EAAE,MAAM,EAAE;aAC7B,gBAAgB,EAAE,MAAM,EAAE;aAC1B,QAAQ,CAAC,EAAE,MAAM;IALnC,QAAQ,CAAC,IAAI,yBAAyB;gBAGpB,mBAAmB,EAAE,MAAM,EAAE,EAC7B,gBAAgB,EAAE,MAAM,EAAE,EAC1B,QAAQ,CAAC,EAAE,MAAM,YAAA;CAOpC;AAED;;;;;;;;;;GAUG;AACH,qBAAa,qBAAsB,SAAQ,SAAS;aAIhC,KAAK,EAAE,MAAM;aACb,SAAS,EAAE,MAAM;aACjB,GAAG,EAAE,MAAM;IAC3B;;;;;OAKG;aACa,mBAAmB,CAAC,EAAE,MAAM;IAZ9C,QAAQ,CAAC,IAAI,wBAAwB;gBAGnB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM;IAC3B;;;;;OAKG;IACa,mBAAmB,CAAC,EAAE,MAAM,YAAA;CAS/C;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,wBAAwB,GAAG,SAAS,GAAG,aAAa,GAAG,WAAW,CAAC;AAE/E;;;;;;;;GAQG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;aAIlC,QAAQ,EAAE,MAAM;aAChB,MAAM,EAAE,wBAAwB;aAChC,aAAa,EAAE,IAAI,GAAG,IAAI;aAC1B,QAAQ,CAAC,EAAE,MAAM;IANnC,QAAQ,CAAC,IAAI,yBAAyB;gBAGpB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,wBAAwB,EAChC,aAAa,EAAE,IAAI,GAAG,IAAI,EAC1B,QAAQ,CAAC,EAAE,MAAM,YAAA;IASnC,OAAO,CAAC,MAAM,CAAC,OAAO;CAUvB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,OAAO,EAAE,UAAU,UAAQ,GAAG,OAAO,CA2BtE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CACnC,SAAS,EAAE;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,EAC7C,cAAc,CAAC,EAAE,MAAM,GACtB,SAAS,GAAG,SAAS,CASvB;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,SAAS,CAE9D;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,KAAK,IAAI,CAAC,CAEpH;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAoBA"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/errors/index.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,8BAAsB,SAAU,SAAQ,KAAK;IAKlC,OAAO,CAAC,EAAE,OAAO;IAJ1B,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAG7B,OAAO,EAAE,MAAM,EACR,OAAO,CAAC,EAAE,OAAO,YAAA;CAK3B;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,SAAS;aAI3B,MAAM,EAAE,MAAM;aACd,OAAO,EAAE,MAAM;IAJjC,QAAQ,CAAC,IAAI,kBAAkB;gBAGb,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM;CAIlC;AAED;;GAEG;AACH,qBAAa,qBAAsB,SAAQ,SAAS;aAIhC,MAAM,EAAE,MAAM;aACd,WAAW,EAAE,MAAM;IAJrC,QAAQ,CAAC,IAAI,wBAAwB;gBAGnB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM;CAItC;AAED;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;aAGlB,KAAK,EAAE,MAAM;IAFzC,QAAQ,CAAC,IAAI,mBAAmB;gBAEJ,KAAK,EAAE,MAAM;CAG1C;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,SAAS;aAI3B,MAAM,EAAE,MAAM;aACd,MAAM,CAAC,EAAE,MAAM;IAJjC,QAAQ,CAAC,IAAI,kBAAkB;gBAGb,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,MAAM,YAAA;CAIlC;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,SAAS;aAI7B,OAAO,EAAE,MAAM;aACf,eAAe,EAAE,MAAM,EAAE;IAJ3C,QAAQ,CAAC,IAAI,qBAAqB;gBAGhB,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,EAAE;CAI5C;AAED;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,SAAS;aAI/B,OAAO,EAAE,MAAM;aACf,QAAQ,EAAE,MAAM;aAChB,cAAc,CAAC,EAAE,MAAM,EAAE;IAL3C,QAAQ,CAAC,IAAI,sBAAsB;gBAGjB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,cAAc,CAAC,EAAE,MAAM,EAAE,YAAA;CAK5C;AAED;;GAEG;AACH,qBAAa,aAAc,SAAQ,SAAS;aAIxB,QAAQ,EAAE,KAAK,GAAG,KAAK;aAEvB,aAAa,CAAC,EAAE,KAAK;IALvC,QAAQ,CAAC,IAAI,oBAAoB;gBAGf,QAAQ,EAAE,KAAK,GAAG,KAAK,EACvC,OAAO,EAAE,MAAM,EACC,aAAa,CAAC,EAAE,KAAK,YAAA;CAKxC;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,SAAS;aAI1B,KAAK,EAAE,MAAM;aACb,KAAK,EAAE,OAAO;aACd,UAAU,EAAE,MAAM;IALpC,QAAQ,CAAC,IAAI,sBAAsB;gBAGjB,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,OAAO,EACd,UAAU,EAAE,MAAM;CAKrC;AAED;;GAEG;AACH,qBAAa,wBAAyB,SAAQ,SAAS;aAInC,MAAM,EAAE,MAAM;aACd,QAAQ,EAAE,MAAM;IAJlC,QAAQ,CAAC,IAAI,2BAA2B;gBAGtB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM;CAInC;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,SAAS;aAI9B,SAAS,EAAE,MAAM;IAHnC,QAAQ,CAAC,IAAI,qBAAqB;gBAGhB,SAAS,EAAE,MAAM,EACjC,MAAM,EAAE,MAAM;CAIjB;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,SAAS;aAK7B,WAAW,CAAC,EAAE,MAAM;IAJtC,QAAQ,CAAC,IAAI,yBAAyB;gBAGpC,OAAO,EAAE,MAAM,EACC,WAAW,CAAC,EAAE,MAAM,YAAA;CAKvC;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,wCAAwC;IACxC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gCAAgC;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,iEAAiE;IACjE,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,wBAAwB;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,qBAAa,2BAA4B,SAAQ,SAAS;aAItC,QAAQ,EAAE,MAAM;aAChB,aAAa,CAAC,EAAE,iBAAiB;aAEjC,SAAS,CAAC,EAAE,iBAAiB;IAN/C,QAAQ,CAAC,IAAI,6BAA6B;gBAGxB,QAAQ,EAAE,MAAM,EAChB,aAAa,CAAC,EAAE,iBAAiB,YAAA,EACjD,OAAO,CAAC,EAAE,MAAM,EACA,SAAS,CAAC,EAAE,iBAAiB,YAAA;IAU/C;;OAEG;IACH,IAAI,QAAQ,IAAI,OAAO,CAEtB;IAED;;OAEG;IACH,IAAI,gBAAgB,IAAI,MAAM,GAAG,SAAS,CAEzC;IAED;;;;OAIG;IACH,IAAI,eAAe,IAAI,MAAM,GAAG,SAAS,CAExC;CACF;AAyCD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBAAa,wBAAyB,SAAQ,SAAS;IACrD,QAAQ,CAAC,IAAI,0BAA0B;IAKvC,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;gBAEhC,cAAc,EAAE,MAAM,GAAG,SAAS,EAAE,OAAO,CAAC,EAAE,MAAM;CAajE;AAED;;;;;;;;;;;;GAYG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;IACpD,QAAQ,CAAC,IAAI,yBAAyB;IAItC,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;gBAEhC,cAAc,EAAE,MAAM,GAAG,SAAS,EAAE,OAAO,CAAC,EAAE,MAAM;CAajE;AAED;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;aAIlC,mBAAmB,EAAE,MAAM,EAAE;aAC7B,gBAAgB,EAAE,MAAM,EAAE;aAC1B,QAAQ,CAAC,EAAE,MAAM;IALnC,QAAQ,CAAC,IAAI,yBAAyB;gBAGpB,mBAAmB,EAAE,MAAM,EAAE,EAC7B,gBAAgB,EAAE,MAAM,EAAE,EAC1B,QAAQ,CAAC,EAAE,MAAM,YAAA;CAOpC;AAED;;;;;;;;;;GAUG;AACH,qBAAa,qBAAsB,SAAQ,SAAS;aAIhC,KAAK,EAAE,MAAM;aACb,SAAS,EAAE,MAAM;aACjB,GAAG,EAAE,MAAM;IAC3B;;;;;OAKG;aACa,mBAAmB,CAAC,EAAE,MAAM;IAZ9C,QAAQ,CAAC,IAAI,wBAAwB;gBAGnB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM;IAC3B;;;;;OAKG;IACa,mBAAmB,CAAC,EAAE,MAAM,YAAA;CAS/C;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,wBAAwB,GAAG,SAAS,GAAG,aAAa,GAAG,WAAW,CAAC;AAE/E;;;;;;;;GAQG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;aAIlC,QAAQ,EAAE,MAAM;aAChB,MAAM,EAAE,wBAAwB;aAChC,aAAa,EAAE,IAAI,GAAG,IAAI;aAC1B,QAAQ,CAAC,EAAE,MAAM;IANnC,QAAQ,CAAC,IAAI,yBAAyB;gBAGpB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,wBAAwB,EAChC,aAAa,EAAE,IAAI,GAAG,IAAI,EAC1B,QAAQ,CAAC,EAAE,MAAM,YAAA;IASnC,OAAO,CAAC,MAAM,CAAC,OAAO;CAUvB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,OAAO,EAAE,UAAU,UAAQ,GAAG,OAAO,CA2BtE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CACnC,SAAS,EAAE;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,EAC7C,cAAc,CAAC,EAAE,MAAM,GACtB,SAAS,GAAG,SAAS,CASvB;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,SAAS,CAE9D;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,KAAK,IAAI,CAAC,CAEpH;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAoBA"}