@aexhq/sdk 0.29.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (90) hide show
  1. package/README.md +95 -8
  2. package/dist/_contracts/connection-ticket.d.ts +1 -1
  3. package/dist/_contracts/connection-ticket.js +1 -1
  4. package/dist/_contracts/event-envelope.d.ts +5 -8
  5. package/dist/_contracts/event-envelope.js +5 -6
  6. package/dist/_contracts/event-guards.d.ts +67 -0
  7. package/dist/_contracts/event-guards.js +36 -0
  8. package/dist/_contracts/event-stream-client.d.ts +1 -1
  9. package/dist/_contracts/http.js +1 -1
  10. package/dist/_contracts/index.d.ts +2 -0
  11. package/dist/_contracts/index.js +6 -0
  12. package/dist/_contracts/operations.d.ts +2 -47
  13. package/dist/_contracts/operations.js +7 -112
  14. package/dist/_contracts/provider-support.d.ts +48 -138
  15. package/dist/_contracts/provider-support.js +10 -41
  16. package/dist/_contracts/proxy-protocol.d.ts +7 -7
  17. package/dist/_contracts/proxy-protocol.js +8 -8
  18. package/dist/_contracts/run-config.d.ts +7 -20
  19. package/dist/_contracts/run-config.js +8 -46
  20. package/dist/_contracts/run-cost.d.ts +1 -5
  21. package/dist/_contracts/run-cost.js +0 -8
  22. package/dist/_contracts/run-custody.d.ts +4 -6
  23. package/dist/_contracts/run-custody.js +0 -8
  24. package/dist/_contracts/run-trace.d.ts +7 -0
  25. package/dist/_contracts/run-trace.js +9 -0
  26. package/dist/_contracts/run-unit.d.ts +1 -1
  27. package/dist/_contracts/run-unit.js +2 -2
  28. package/dist/_contracts/runner-event.d.ts +1 -1
  29. package/dist/_contracts/runner-event.js +1 -1
  30. package/dist/_contracts/runtime-manifest.d.ts +13 -26
  31. package/dist/_contracts/runtime-manifest.js +6 -35
  32. package/dist/_contracts/runtime-types.d.ts +32 -1
  33. package/dist/_contracts/sdk-secrets.js +4 -4
  34. package/dist/_contracts/side-effect-audit.d.ts +2 -4
  35. package/dist/_contracts/side-effect-audit.js +2 -4
  36. package/dist/_contracts/status.d.ts +1 -1
  37. package/dist/_contracts/status.js +1 -1
  38. package/dist/_contracts/submission.d.ts +19 -126
  39. package/dist/_contracts/submission.js +31 -185
  40. package/dist/_contracts/webhook-verify.d.ts +1 -1
  41. package/dist/_contracts/webhook-verify.js +1 -1
  42. package/dist/agents-md.d.ts +4 -1
  43. package/dist/agents-md.js +10 -9
  44. package/dist/agents-md.js.map +1 -1
  45. package/dist/asset-upload.d.ts +4 -10
  46. package/dist/asset-upload.js +4 -47
  47. package/dist/asset-upload.js.map +1 -1
  48. package/dist/cli.mjs +17647 -3950
  49. package/dist/cli.mjs.sha256 +1 -1
  50. package/dist/client.d.ts +79 -61
  51. package/dist/client.js +207 -125
  52. package/dist/client.js.map +1 -1
  53. package/dist/data-tools.d.ts +23 -0
  54. package/dist/data-tools.js +102 -13
  55. package/dist/data-tools.js.map +1 -1
  56. package/dist/file.d.ts +4 -1
  57. package/dist/file.js +10 -9
  58. package/dist/file.js.map +1 -1
  59. package/dist/index.d.ts +9 -8
  60. package/dist/index.js +10 -8
  61. package/dist/index.js.map +1 -1
  62. package/dist/skill.d.ts +9 -7
  63. package/dist/skill.js +15 -15
  64. package/dist/skill.js.map +1 -1
  65. package/dist/tool.d.ts +4 -1
  66. package/dist/tool.js +10 -8
  67. package/dist/tool.js.map +1 -1
  68. package/dist/version.d.ts +1 -1
  69. package/dist/version.js +1 -1
  70. package/docs/cleanup.md +2 -2
  71. package/docs/concepts/agent-tools.md +9 -5
  72. package/docs/concepts/composition.md +1 -1
  73. package/docs/concepts/providers-and-runtimes.md +2 -4
  74. package/docs/concepts/runs.md +3 -6
  75. package/docs/credentials.md +2 -5
  76. package/docs/defaults.md +22 -22
  77. package/docs/events.md +32 -9
  78. package/docs/limits-and-quotas.md +40 -40
  79. package/docs/limits.md +1 -1
  80. package/docs/networking.md +141 -0
  81. package/docs/outputs.md +1 -1
  82. package/docs/provider-runtime-capabilities.md +36 -64
  83. package/docs/public-surface.json +2 -3
  84. package/docs/quickstart.md +32 -11
  85. package/docs/run-config.md +3 -4
  86. package/docs/secrets.md +7 -5
  87. package/docs/skills.md +4 -12
  88. package/docs/vision-skills.md +1 -1
  89. package/examples/chat-corpus.ts +85 -0
  90. package/package.json +2 -2
@@ -32,7 +32,7 @@ export function isTerminalRunStatus(status) {
32
32
  * `markRunTerminal` (and that a `run/terminal` event carries). This is a
33
33
  * STRICT SUBSET of {@link TERMINAL_RUN_STATUSES}: the read-terminal set also
34
34
  * includes `cleanup_failed`, which the funnel never writes as an outcome.
35
- * The worker's `TerminalRunStatus` and the workflow `TerminalOutcome` both
35
+ * The platform lifecycle `TerminalRunStatus` and the workflow `TerminalOutcome` both
36
36
  * derive from this so the four call sites can't drift.
37
37
  */
38
38
  export const RUN_TERMINAL_OUTCOMES = [
@@ -11,7 +11,7 @@ export type JsonValue = JsonPrimitive | JsonValue[] | {
11
11
  };
12
12
  /**
13
13
  * Networking + runtime-package snapshot carried inside a flat submission
14
- * so the worker can deep-clone and mutate it per run (e.g. injecting the
14
+ * so the hosted API can deep-clone and mutate it per run (e.g. injecting the
15
15
  * proxy hostname into `allowed_hosts`) without sharing state across
16
16
  * concurrent runs.
17
17
  *
@@ -58,7 +58,7 @@ export declare const ENV_VARS_MAX_VALUE_BYTES = 4096;
58
58
  export declare const ENV_VARS_MAX_TOTAL_BYTES = 65536;
59
59
  export interface PlatformNetworking {
60
60
  readonly mode: "limited" | "open";
61
- /** Lowercase host names. The worker always appends the proxy host. */
61
+ /** Lowercase host names. The hosted API always appends the proxy host. */
62
62
  readonly allowedHosts?: readonly string[];
63
63
  }
64
64
  /**
@@ -137,60 +137,6 @@ export declare const Providers: {
137
137
  /** Doubao (ByteDance) via the official China Volcengine Ark gateway. */
138
138
  readonly DOUBAO_CN: "doubao-cn";
139
139
  };
140
- /**
141
- * Product placement regions accepted on run submission. These are
142
- * product-level tokens, not exact city guarantees: the hosted platform maps
143
- * each region to co-located managed Postgres, object storage, run-state
144
- * placement, and sandbox backing.
145
- *
146
- * eu-west → London (Western Europe; hard EU data residency)
147
- * us-west → N. California (Western North America)
148
- * ap-northeast → Seoul (Northeast Asia)
149
- *
150
- * Prefer the {@link Regions} accessors over raw strings so a typo is a compile
151
- * error, not a runtime 400.
152
- */
153
- export declare const REGIONS: readonly ["eu-west", "us-west", "ap-northeast"];
154
- export type Region = (typeof REGIONS)[number];
155
- /** Symbol-style accessors for the closed region set — e.g. `Regions.EU_WEST`. */
156
- export declare const Regions: {
157
- /** Western Europe — London. Hard EU data residency. */
158
- readonly EU_WEST: "eu-west";
159
- /** Western North America — N. California. */
160
- readonly US_WEST: "us-west";
161
- /** Northeast Asia — Seoul. */
162
- readonly AP_NORTHEAST: "ap-northeast";
163
- };
164
- /**
165
- * Customer-facing runtime selector. Optional on the wire; absent resolves
166
- * to the same managed runtime as `"managed"`. `"native"` is no longer an
167
- * accepted submission value and fails schema validation.
168
- */
169
- export declare const RUNTIME_KINDS: readonly ["managed"];
170
- export type RuntimeKind = (typeof RUNTIME_KINDS)[number];
171
- /**
172
- * Credential source for upstream provider access. Launch accepts only BYOK:
173
- * callers may omit `credentialMode` or pass `"byok"`. Other strings, including
174
- * `"managed"`, are invalid submission values rather than reserved product
175
- * promises.
176
- */
177
- export declare const CREDENTIAL_MODES: readonly ["byok"];
178
- export type CredentialMode = (typeof CREDENTIAL_MODES)[number];
179
- export declare const DEFAULT_CREDENTIAL_MODE: CredentialMode;
180
- export declare function parseCredentialMode(input: unknown): CredentialMode;
181
- export declare function credentialModeOrDefault(input: CredentialMode | undefined): CredentialMode;
182
- /** Outcome of the centralized runtime-support check. */
183
- export interface RuntimeSupportCheck {
184
- readonly ok: boolean;
185
- readonly message?: string;
186
- }
187
- /**
188
- * Centralized runtime-support validator. Native is removed from the public
189
- * runtime enum, so an absent runtime and `"managed"` are the only supported
190
- * inputs. Schema parsing rejects other runtime strings before this helper is
191
- * reached, but the result type remains for SDK preflight checks.
192
- */
193
- export declare function checkRuntimeSupported(provider: RunProvider, runtime: RuntimeKind | undefined): RuntimeSupportCheck;
194
140
  export interface PlatformMcpServerSecret {
195
141
  readonly name: string;
196
142
  readonly url: string;
@@ -230,13 +176,6 @@ export type PlatformProxyAuthValue = {
230
176
  * driving the MCP client).
231
177
  */
232
178
  export interface PlatformInlineSecrets {
233
- /**
234
- * Deprecated compatibility field: the BYOK key for the run's selected
235
- * provider. New multi-provider callers should use `apiKeys`, but the parser
236
- * still accepts and preserves this flat field so existing SDK/CLI callers
237
- * continue to work.
238
- */
239
- readonly apiKey?: string;
240
179
  readonly apiKeys?: Partial<Record<RunProvider, string>>;
241
180
  readonly mcpServers?: readonly PlatformMcpServerSecret[];
242
181
  readonly proxyEndpointAuth?: readonly PlatformProxyEndpointAuth[];
@@ -324,9 +263,14 @@ export declare function requireString(input: unknown, field: string): string;
324
263
  export declare function optionalString(input: unknown, field: string): string | undefined;
325
264
  export declare function optionalEnum<const T extends readonly string[]>(input: unknown, field: string, allowed: T): T[number] | undefined;
326
265
  export declare function optionalPositiveInt(input: unknown, field: string): number | undefined;
266
+ /**
267
+ * A finite positive NUMBER (fractional allowed — e.g. a USD amount like `2.5`), or
268
+ * undefined when absent. Rejects non-numbers, NaN/Infinity, and `<= 0`.
269
+ */
270
+ export declare function optionalPositiveNumber(input: unknown, field: string): number | undefined;
327
271
  /**
328
272
  * Wire-level submission posted to /api/runs in the flat surface. The
329
- * `prompt` is always an array internally so the worker, the audit log,
273
+ * `prompt` is always an array internally so the hosted API, the audit log,
330
274
  * and the BFF idempotency hash all see one shape. `mcpServers` carries
331
275
  * only the non-secret half; bearer headers travel in
332
276
  * `secrets.mcpServers` keyed by `name`.
@@ -430,30 +374,12 @@ export interface PlatformInjectionConfig {
430
374
  export interface PlatformRunSubmissionRequest {
431
375
  readonly workspaceId: string;
432
376
  readonly idempotencyKey: string;
433
- /**
434
- * Credential source for upstream provider access. Omitted means
435
- * `"byok"`; launch does not accept managed provider credentials.
436
- */
437
- readonly credentialMode: CredentialMode;
438
377
  /**
439
378
  * Provider selector. Always populated after parsing — absent on the
440
379
  * wire means {@link DEFAULT_RUN_PROVIDER}. All providers are dispatched
441
380
  * through the managed runtime.
442
381
  */
443
382
  readonly provider: RunProvider;
444
- /**
445
- * Customer's explicit runtime choice. `undefined` and `"managed"` both
446
- * resolve to the managed runtime. Other runtime values are rejected by
447
- * `parseRunSubmissionRequest`.
448
- */
449
- readonly runtime?: RuntimeKind;
450
- /**
451
- * Optional product placement token requested by the caller. Omitted means
452
- * the hosted platform infers a configured region from request geography and
453
- * falls back to its default region. Accepted tokens do not promise exact
454
- * city-level placement.
455
- */
456
- readonly region?: Region;
457
383
  readonly submission: PlatformSubmission;
458
384
  readonly secrets: PlatformInlineSecrets;
459
385
  readonly proxyEndpoints?: readonly PlatformProxyEndpoint[];
@@ -517,6 +443,15 @@ export interface RunWebhookSpec {
517
443
  export interface RunLimits {
518
444
  readonly maxConcurrentChildRuns?: number;
519
445
  readonly maxSubagentDepth?: number;
446
+ /**
447
+ * Per-run spend cap in USD (defense-in-depth). The platform converts it to a
448
+ * wall-clock budget (priced compute is wall-time; BYOK provider tokens cost the
449
+ * platform nothing) and kills the run once it would out-spend the cap. A
450
+ * positive number; omitted ⇒ unbounded per-run (only the run's wall-clock
451
+ * `timeout` + the per-workspace spend cap apply). Only shape/positivity are
452
+ * validated here.
453
+ */
454
+ readonly maxSpendUsd?: number;
520
455
  }
521
456
  /**
522
457
  * Wire shape posted by the SDK and CLI. `workspaceId` is **omitted by
@@ -531,21 +466,9 @@ export interface RunLimits {
531
466
  * {@link DEFAULT_RUN_PROVIDER} (`anthropic`). The parser fills it in
532
467
  * before the value enters the run snapshot.
533
468
  */
534
- export type PlatformRunSubmissionInput = Omit<PlatformRunSubmissionRequest, "workspaceId" | "credentialMode" | "provider" | "runtime" | "region" | "timeoutMs" | "postHook"> & {
469
+ export type PlatformRunSubmissionInput = Omit<PlatformRunSubmissionRequest, "workspaceId" | "provider" | "timeoutMs" | "postHook"> & {
535
470
  readonly workspaceId?: string;
536
- readonly credentialMode?: CredentialMode;
537
471
  readonly provider?: RunProvider;
538
- /**
539
- * Optional runtime selector. Set `"managed"` explicitly or omit the
540
- * field; both resolve to the managed runtime. `"native"` is no longer
541
- * accepted.
542
- */
543
- readonly runtime?: RuntimeKind;
544
- /**
545
- * Optional product placement region. Invalid explicit values are rejected;
546
- * omission lets the platform infer/fallback.
547
- */
548
- readonly region?: Region;
549
472
  /**
550
473
  * Run deadline as a human duration string (`"1h"`, `"90m"`, `"30s"`).
551
474
  * Parsed + bounded to [1m, 6h] server-side into
@@ -578,8 +501,6 @@ export declare function parseRunWebhook(input: unknown): RunWebhookSpec | undefi
578
501
  * collapses to `undefined` so it carries no signal onto the request.
579
502
  */
580
503
  export declare function parseRunLimits(input: unknown): RunLimits | undefined;
581
- export declare function parseRegion(input: unknown): Region | undefined;
582
- export declare function parseRuntimeKind(input: unknown): RuntimeKind | undefined;
583
504
  export declare function parseRunProvider(input: unknown): RunProvider;
584
505
  /**
585
506
  * Cross-check the supplied secrets bundle against the credential mode. BYOK
@@ -593,7 +514,7 @@ export declare function parseRunProvider(input: unknown): RunProvider;
593
514
  * it need not carry any of its own. The server still verifies, at admission,
594
515
  * that the parent actually holds a key for the child's provider.
595
516
  */
596
- export declare function enforceCredentialSecretPolicy(credentialMode: CredentialMode, secrets: PlatformInlineSecrets, provider: RunProvider, opts?: {
517
+ export declare function enforceCredentialSecretPolicy(secrets: PlatformInlineSecrets, provider: RunProvider, opts?: {
597
518
  readonly inheritsFromParent?: boolean;
598
519
  }): void;
599
520
  export declare function parseSubmission(input: unknown): PlatformSubmission;
@@ -665,31 +586,3 @@ export declare const DEFAULT_BUILTIN_TOOLS: readonly BuiltinToolName[];
665
586
  * union is validated ⊆ the closed set so an invalid name can never leak through.
666
587
  */
667
588
  export declare function resolveBuiltinToolNames(includeBuiltinTools: boolean | undefined, toolRefs?: readonly string[]): readonly BuiltinToolName[];
668
- /**
669
- * Codes emitted when a submission contains features the active runtime cannot
670
- * serve. Code values are stable so dashboard / SDK error rendering can branch
671
- * on them.
672
- */
673
- export declare const RUNTIME_VALIDATION_CODES: readonly ["feature_runtime_mismatch"];
674
- export type RuntimeValidationCode = (typeof RUNTIME_VALIDATION_CODES)[number];
675
- /**
676
- * Thrown by `parseRunSubmissionRequest` and `selectRuntime` when the submitted
677
- * run cannot be served by the active managed runtime. The `code` field is part
678
- * of the public contract; keep it stable when phrasing changes.
679
- */
680
- export declare class RuntimeValidationError extends Error {
681
- readonly code: RuntimeValidationCode;
682
- constructor(code: RuntimeValidationCode, message: string);
683
- }
684
- /**
685
- * Walk the parsed submission and collect features that the active managed
686
- * runtime cannot serve. Provider-hosted skill refs (`kind:"provider"`) are
687
- * rejected now that new submissions only dispatch through managed runs.
688
- */
689
- export declare function collectManagedUnsupportedFeatures(req: PlatformRunSubmissionRequest): string[];
690
- /**
691
- * Backward-incompatible replacement for the old dual-runtime dispatcher. It is
692
- * kept as a pure helper so SDK, CLI, and tests can resolve the runtime without
693
- * I/O.
694
- */
695
- export declare function selectRuntime(req: PlatformRunSubmissionRequest): RuntimeKind;
@@ -114,65 +114,6 @@ export const Providers = {
114
114
  /** Doubao (ByteDance) via the official China Volcengine Ark gateway. */
115
115
  DOUBAO_CN: "doubao-cn"
116
116
  };
117
- /**
118
- * Product placement regions accepted on run submission. These are
119
- * product-level tokens, not exact city guarantees: the hosted platform maps
120
- * each region to co-located managed Postgres, object storage, run-state
121
- * placement, and sandbox backing.
122
- *
123
- * eu-west → London (Western Europe; hard EU data residency)
124
- * us-west → N. California (Western North America)
125
- * ap-northeast → Seoul (Northeast Asia)
126
- *
127
- * Prefer the {@link Regions} accessors over raw strings so a typo is a compile
128
- * error, not a runtime 400.
129
- */
130
- export const REGIONS = ["eu-west", "us-west", "ap-northeast"];
131
- /** Symbol-style accessors for the closed region set — e.g. `Regions.EU_WEST`. */
132
- export const Regions = {
133
- /** Western Europe — London. Hard EU data residency. */
134
- EU_WEST: "eu-west",
135
- /** Western North America — N. California. */
136
- US_WEST: "us-west",
137
- /** Northeast Asia — Seoul. */
138
- AP_NORTHEAST: "ap-northeast"
139
- };
140
- /**
141
- * Customer-facing runtime selector. Optional on the wire; absent resolves
142
- * to the same managed runtime as `"managed"`. `"native"` is no longer an
143
- * accepted submission value and fails schema validation.
144
- */
145
- export const RUNTIME_KINDS = ["managed"];
146
- /**
147
- * Credential source for upstream provider access. Launch accepts only BYOK:
148
- * callers may omit `credentialMode` or pass `"byok"`. Other strings, including
149
- * `"managed"`, are invalid submission values rather than reserved product
150
- * promises.
151
- */
152
- export const CREDENTIAL_MODES = ["byok"];
153
- export const DEFAULT_CREDENTIAL_MODE = "byok";
154
- export function parseCredentialMode(input) {
155
- if (input === undefined) {
156
- return DEFAULT_CREDENTIAL_MODE;
157
- }
158
- if (typeof input !== "string" || !CREDENTIAL_MODES.includes(input)) {
159
- throw new Error(`credentialMode must be one of: ${CREDENTIAL_MODES.join(", ")} (got ${JSON.stringify(input)})`);
160
- }
161
- return input;
162
- }
163
- export function credentialModeOrDefault(input) {
164
- return input ?? DEFAULT_CREDENTIAL_MODE;
165
- }
166
- /**
167
- * Centralized runtime-support validator. Native is removed from the public
168
- * runtime enum, so an absent runtime and `"managed"` are the only supported
169
- * inputs. Schema parsing rejects other runtime strings before this helper is
170
- * reached, but the result type remains for SDK preflight checks.
171
- */
172
- export function checkRuntimeSupported(provider, runtime) {
173
- void provider;
174
- return { ok: true };
175
- }
176
117
  export const SECRETS_KEY = "secrets";
177
118
  /** POSIX-style env var name a `secretEnv` entry binds to (e.g. `SERPER_API_KEY`). */
178
119
  export const SECRET_ENV_NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]{0,127}$/;
@@ -239,7 +180,7 @@ function parseEnvironment(input) {
239
180
  * Validate a customer-supplied `environment.envVars` map. Returns a
240
181
  * frozen copy with keys in insertion order, or `undefined` when the
241
182
  * input is absent / an empty object (treated as not supplied so the
242
- * worker can omit the field from the parsed snapshot).
183
+ * hosted API can omit the field from the parsed snapshot).
243
184
  *
244
185
  * Rules:
245
186
  * - Must be a JSON object whose values are all strings.
@@ -723,7 +664,7 @@ export function parseInlineSecrets(input) {
723
664
  if (input === undefined || input === null)
724
665
  return {};
725
666
  const value = requireRecord(input, "secrets");
726
- const allowedTopLevel = new Set(["apiKey", "apiKeys", "mcpServers", "proxyEndpointAuth", "envSecrets"]);
667
+ const allowedTopLevel = new Set(["apiKeys", "mcpServers", "proxyEndpointAuth", "envSecrets"]);
727
668
  for (const key of Object.keys(value)) {
728
669
  if (key.startsWith("__aex_")) {
729
670
  // Platform-internal namespace (e.g. __aex_proxy_token). The BFF
@@ -736,13 +677,11 @@ export function parseInlineSecrets(input) {
736
677
  throw new Error(`secrets.${key} is not an allowed field; permitted: ${[...allowedTopLevel].join(", ")}`);
737
678
  }
738
679
  }
739
- const apiKey = value.apiKey !== undefined ? requireString(value.apiKey, "secrets.apiKey") : undefined;
740
680
  const apiKeys = parseApiKeys(value.apiKeys);
741
681
  const mcpServers = parseMcpServerSecrets(value.mcpServers);
742
682
  const proxyEndpointAuth = parseProxyEndpointAuth(value.proxyEndpointAuth);
743
683
  const envSecrets = parseEnvSecrets(value.envSecrets);
744
684
  return {
745
- ...(apiKey !== undefined ? { apiKey } : {}),
746
685
  ...(apiKeys ? { apiKeys } : {}),
747
686
  ...(mcpServers ? { mcpServers } : {}),
748
687
  ...(proxyEndpointAuth ? { proxyEndpointAuth } : {}),
@@ -997,6 +936,19 @@ export function optionalPositiveInt(input, field) {
997
936
  }
998
937
  return input;
999
938
  }
939
+ /**
940
+ * A finite positive NUMBER (fractional allowed — e.g. a USD amount like `2.5`), or
941
+ * undefined when absent. Rejects non-numbers, NaN/Infinity, and `<= 0`.
942
+ */
943
+ export function optionalPositiveNumber(input, field) {
944
+ if (input === undefined) {
945
+ return undefined;
946
+ }
947
+ if (typeof input !== "number" || !Number.isFinite(input) || input <= 0) {
948
+ throw new Error(`${field} must be a positive finite number`);
949
+ }
950
+ return input;
951
+ }
1000
952
  function parseOptionalBoundedInt(input, field, min, max) {
1001
953
  if (input === undefined) {
1002
954
  return undefined;
@@ -1038,10 +990,7 @@ export function parseRunSubmissionRequest(input, options = {}) {
1038
990
  const allowedTopLevelFields = new Set([
1039
991
  "workspaceId",
1040
992
  "idempotencyKey",
1041
- "credentialMode",
1042
993
  "provider",
1043
- "runtime",
1044
- "region",
1045
994
  "submission",
1046
995
  "runtimeSize",
1047
996
  "timeout",
@@ -1070,15 +1019,7 @@ export function parseRunSubmissionRequest(input, options = {}) {
1070
1019
  assertNoSecretBearingFields(fieldValue, [key]);
1071
1020
  }
1072
1021
  const provider = parseRunProvider(value.provider);
1073
- const runtime = parseRuntimeKind(value.runtime);
1074
- const region = parseRegion(value.region);
1075
- const credentialMode = parseCredentialMode(value.credentialMode);
1076
1022
  void options;
1077
- // Cross-field validation via the centralized runtime-support validator.
1078
- const runtimeSupport = checkRuntimeSupported(provider, runtime);
1079
- if (!runtimeSupport.ok) {
1080
- throw new Error(runtimeSupport.message ?? "unsupported runtime");
1081
- }
1082
1023
  const runtimeSize = parseRuntimeSize(value.runtimeSize);
1083
1024
  const timeoutMs = parseRunTimeout(value.timeout);
1084
1025
  // Lineage parent only. `depth` is NEVER accepted from the wire — the server
@@ -1089,7 +1030,7 @@ export function parseRunSubmissionRequest(input, options = {}) {
1089
1030
  const postHook = parsePostHook(value.postHook, "submission.postHook");
1090
1031
  const proxyEndpoints = parseProxyEndpoints(value.proxyEndpoints);
1091
1032
  const secrets = parseInlineSecrets(value.secrets);
1092
- enforceCredentialSecretPolicy(credentialMode, secrets, provider, {
1033
+ enforceCredentialSecretPolicy(secrets, provider, {
1093
1034
  inheritsFromParent: parentRunId !== undefined
1094
1035
  });
1095
1036
  crossValidateProxyEndpointsAndAuth(proxyEndpoints, secrets.proxyEndpointAuth);
@@ -1114,28 +1055,10 @@ export function parseRunSubmissionRequest(input, options = {}) {
1114
1055
  }
1115
1056
  }
1116
1057
  }
1117
- const candidate = {
1118
- workspaceId: "",
1119
- idempotencyKey: "",
1120
- credentialMode,
1121
- provider,
1122
- ...(runtime ? { runtime } : {}),
1123
- ...(region ? { region } : {}),
1124
- submission,
1125
- secrets
1126
- };
1127
- const unsupportedManagedFeatures = collectManagedUnsupportedFeatures(candidate);
1128
- if (unsupportedManagedFeatures.length > 0) {
1129
- throw new RuntimeValidationError("feature_runtime_mismatch", `The managed runtime does not support these submission features: ` +
1130
- `${unsupportedManagedFeatures.join(", ")}. Remove them or use inline aex skills.`);
1131
- }
1132
1058
  return {
1133
1059
  workspaceId: requireString(value.workspaceId, "workspaceId"),
1134
1060
  idempotencyKey: requireString(value.idempotencyKey, "idempotencyKey"),
1135
- credentialMode,
1136
1061
  provider,
1137
- ...(runtime ? { runtime } : {}),
1138
- ...(region ? { region } : {}),
1139
1062
  submission,
1140
1063
  ...(runtimeSize ? { runtimeSize } : {}),
1141
1064
  ...(timeoutMs !== undefined ? { timeoutMs } : {}),
@@ -1198,7 +1121,7 @@ export function parseRunLimits(input) {
1198
1121
  return undefined;
1199
1122
  }
1200
1123
  const value = requireRecord(input, "limits");
1201
- const allowed = new Set(["maxConcurrentChildRuns", "maxSubagentDepth"]);
1124
+ const allowed = new Set(["maxConcurrentChildRuns", "maxSubagentDepth", "maxSpendUsd"]);
1202
1125
  for (const key of Object.keys(value)) {
1203
1126
  if (!allowed.has(key)) {
1204
1127
  throw new Error(`limits.${key} is not an allowed field; permitted: ${[...allowed].join(", ")}`);
@@ -1206,35 +1129,22 @@ export function parseRunLimits(input) {
1206
1129
  }
1207
1130
  const maxConcurrentChildRuns = optionalPositiveInt(value.maxConcurrentChildRuns, "limits.maxConcurrentChildRuns");
1208
1131
  const maxSubagentDepth = optionalPositiveInt(value.maxSubagentDepth, "limits.maxSubagentDepth");
1132
+ // maxSpendUsd is a USD amount (may be fractional, e.g. $2.50) so it is a positive
1133
+ // NUMBER, not a positive int. Clamping to the workspace/platform ceiling is the
1134
+ // resolver's job; here we only enforce shape + positivity.
1135
+ const maxSpendUsd = optionalPositiveNumber(value.maxSpendUsd, "limits.maxSpendUsd");
1209
1136
  // Collapse an all-absent override (e.g. `limits: {}`) to `undefined` so it never
1210
1137
  // lands an empty object on the request — matches sibling parsers (parseRunWebhook,
1211
1138
  // parseEnvironment). The resolver supplies platform defaults for absent fields.
1212
- if (maxConcurrentChildRuns === undefined && maxSubagentDepth === undefined) {
1139
+ if (maxConcurrentChildRuns === undefined && maxSubagentDepth === undefined && maxSpendUsd === undefined) {
1213
1140
  return undefined;
1214
1141
  }
1215
1142
  return {
1216
1143
  ...(maxConcurrentChildRuns !== undefined ? { maxConcurrentChildRuns } : {}),
1217
- ...(maxSubagentDepth !== undefined ? { maxSubagentDepth } : {})
1144
+ ...(maxSubagentDepth !== undefined ? { maxSubagentDepth } : {}),
1145
+ ...(maxSpendUsd !== undefined ? { maxSpendUsd } : {})
1218
1146
  };
1219
1147
  }
1220
- export function parseRegion(input) {
1221
- if (input === undefined) {
1222
- return undefined;
1223
- }
1224
- if (typeof input !== "string" || !REGIONS.includes(input)) {
1225
- throw new Error(`region must be one of: ${REGIONS.join(", ")} (got ${JSON.stringify(input)})`);
1226
- }
1227
- return input;
1228
- }
1229
- export function parseRuntimeKind(input) {
1230
- if (input === undefined) {
1231
- return undefined;
1232
- }
1233
- if (typeof input !== "string" || !RUNTIME_KINDS.includes(input)) {
1234
- throw new Error(`runtime must be one of: ${RUNTIME_KINDS.join(", ")} (got ${JSON.stringify(input)})`);
1235
- }
1236
- return input;
1237
- }
1238
1148
  export function parseRunProvider(input) {
1239
1149
  if (input === undefined) {
1240
1150
  return DEFAULT_RUN_PROVIDER;
@@ -1256,12 +1166,11 @@ export function parseRunProvider(input) {
1256
1166
  * it need not carry any of its own. The server still verifies, at admission,
1257
1167
  * that the parent actually holds a key for the child's provider.
1258
1168
  */
1259
- export function enforceCredentialSecretPolicy(credentialMode, secrets, provider, opts) {
1260
- void credentialMode;
1169
+ export function enforceCredentialSecretPolicy(secrets, provider, opts) {
1261
1170
  if (opts?.inheritsFromParent)
1262
1171
  return;
1263
- if (!(secrets.apiKeys?.[provider] ?? secrets.apiKey)) {
1264
- throw new Error(`secrets.apiKey is required when credentialMode is byok (or secrets.apiKeys["${provider}"])`);
1172
+ if (!secrets.apiKeys?.[provider]) {
1173
+ throw new Error(`secrets.apiKeys["${provider}"] is required`);
1265
1174
  }
1266
1175
  }
1267
1176
  export function parseSubmission(input) {
@@ -1491,7 +1400,7 @@ function parseIncludeBuiltinTools(input) {
1491
1400
  * plus a generous margin for legitimate multi-root use cases (per-tool
1492
1401
  * output directory + scratch state + logs, repeated across a few
1493
1402
  * subdirectories), without inviting abuse of the synthetic-turn path
1494
- * the worker drives at session terminal.
1403
+ * the platform capture path drives at session terminal.
1495
1404
  */
1496
1405
  const MAX_OUTPUT_DIRS = 32;
1497
1406
  /**
@@ -1690,23 +1599,13 @@ function parseSkills(input) {
1690
1599
  if (!Array.isArray(input)) {
1691
1600
  throw new Error("submission.skills must be an array of SkillRef objects");
1692
1601
  }
1693
- const seenProvider = new Set();
1694
1602
  const seenAssetId = new Set();
1695
1603
  return input.map((item, index) => {
1696
1604
  const ref = parseSkillRef(item, `submission.skills[${index}]`);
1697
- if (ref.kind === "provider") {
1698
- const key = `${ref.vendor}:${ref.skillId}:${ref.version ?? ""}`;
1699
- if (seenProvider.has(key)) {
1700
- throw new Error(`submission.skills duplicate provider skill: ${ref.vendor}:${ref.skillId}${ref.version ? `:${ref.version}` : ""}`);
1701
- }
1702
- seenProvider.add(key);
1703
- }
1704
- else if (ref.kind === "asset") {
1705
- if (seenAssetId.has(ref.assetId)) {
1706
- throw new Error(`submission.skills duplicate assetId: ${ref.assetId}`);
1707
- }
1708
- seenAssetId.add(ref.assetId);
1605
+ if (seenAssetId.has(ref.assetId)) {
1606
+ throw new Error(`submission.skills duplicate assetId: ${ref.assetId}`);
1709
1607
  }
1608
+ seenAssetId.add(ref.assetId);
1710
1609
  return ref;
1711
1610
  });
1712
1611
  }
@@ -1861,57 +1760,4 @@ function parseMcpServers(input) {
1861
1760
  return ref;
1862
1761
  });
1863
1762
  }
1864
- // ===========================================================================
1865
- // Runtime dispatcher
1866
- // ===========================================================================
1867
- /**
1868
- * Codes emitted when a submission contains features the active runtime cannot
1869
- * serve. Code values are stable so dashboard / SDK error rendering can branch
1870
- * on them.
1871
- */
1872
- export const RUNTIME_VALIDATION_CODES = [
1873
- "feature_runtime_mismatch"
1874
- ];
1875
- /**
1876
- * Thrown by `parseRunSubmissionRequest` and `selectRuntime` when the submitted
1877
- * run cannot be served by the active managed runtime. The `code` field is part
1878
- * of the public contract; keep it stable when phrasing changes.
1879
- */
1880
- export class RuntimeValidationError extends Error {
1881
- code;
1882
- constructor(code, message) {
1883
- super(message);
1884
- this.name = "RuntimeValidationError";
1885
- this.code = code;
1886
- }
1887
- }
1888
- /**
1889
- * Walk the parsed submission and collect features that the active managed
1890
- * runtime cannot serve. Provider-hosted skill refs (`kind:"provider"`) are
1891
- * rejected now that new submissions only dispatch through managed runs.
1892
- */
1893
- export function collectManagedUnsupportedFeatures(req) {
1894
- const features = [];
1895
- for (const skill of req.submission.skills) {
1896
- if (skill.kind === "provider") {
1897
- const versionSuffix = skill.version ? `@${skill.version}` : "";
1898
- features.push(`provider skill "${skill.vendor}/${skill.skillId}${versionSuffix}" (kind:"provider")`);
1899
- }
1900
- }
1901
- return features;
1902
- }
1903
- /**
1904
- * Backward-incompatible replacement for the old dual-runtime dispatcher. It is
1905
- * kept as a pure helper so SDK, CLI, and tests can resolve the runtime without
1906
- * I/O.
1907
- */
1908
- export function selectRuntime(req) {
1909
- const unsupported = collectManagedUnsupportedFeatures(req);
1910
- if (unsupported.length > 0) {
1911
- throw new RuntimeValidationError("feature_runtime_mismatch", `The managed runtime does not support these submission features: ` +
1912
- `${unsupported.join(", ")}. Remove them or use inline aex skills.`);
1913
- }
1914
- void req;
1915
- return "managed";
1916
- }
1917
1763
  //# sourceMappingURL=submission.js.map
@@ -12,7 +12,7 @@
12
12
  * the HMAC key is the raw bytes after the `whsec_` prefix. Verification accepts
13
13
  * the secret with or without the prefix.
14
14
  *
15
- * Pure Web Crypto — identical under Bun, Node, and workerd; this mirrors the
15
+ * Pure Web Crypto — identical under Bun and Node; this mirrors the
16
16
  * `standardwebhooks` library so a customer can verify with either.
17
17
  */
18
18
  export interface VerifyAexWebhookInput {
@@ -12,7 +12,7 @@
12
12
  * the HMAC key is the raw bytes after the `whsec_` prefix. Verification accepts
13
13
  * the secret with or without the prefix.
14
14
  *
15
- * Pure Web Crypto — identical under Bun, Node, and workerd; this mirrors the
15
+ * Pure Web Crypto — identical under Bun and Node; this mirrors the
16
16
  * `standardwebhooks` library so a customer can verify with either.
17
17
  */
18
18
  const encoder = new TextEncoder();
@@ -15,7 +15,10 @@ export declare class AgentsMd {
15
15
  constructor(ref: AgentsMdRef | DraftAgentsMdRef, zipBytes?: Uint8Array);
16
16
  get ref(): AgentsMdRef | DraftAgentsMdRef;
17
17
  get isDraft(): boolean;
18
- get isConsumed(): boolean;
18
+ /** Internal: the asset id resolved on a prior submit, or undefined. */
19
+ get _cachedAssetId(): string | undefined;
20
+ /** Internal: remember the asset id resolved for this draft's bytes. */
21
+ _rememberAsset(assetId: string): void;
19
22
  /**
20
23
  * Build a draft AgentsMd from a markdown string. The SDK zips the
21
24
  * content under the canonical filename `AGENTS.md` so the hash is a
package/dist/agents-md.js CHANGED
@@ -15,7 +15,8 @@ import { strToU8, zipSync } from "fflate";
15
15
  export class AgentsMd {
16
16
  #ref;
17
17
  #zipBytes;
18
- #consumed = false;
18
+ /** Asset id cached after the first submit, so reuse skips a re-upload. */
19
+ #assetId;
19
20
  constructor(ref, zipBytes) {
20
21
  this.#ref = ref;
21
22
  this.#zipBytes = zipBytes;
@@ -24,10 +25,15 @@ export class AgentsMd {
24
25
  return this.#ref;
25
26
  }
26
27
  get isDraft() {
27
- return this.#ref.kind === "draft" && !this.#consumed;
28
+ return this.#ref.kind === "draft";
28
29
  }
29
- get isConsumed() {
30
- return this.#consumed;
30
+ /** Internal: the asset id resolved on a prior submit, or undefined. */
31
+ get _cachedAssetId() {
32
+ return this.#assetId;
33
+ }
34
+ /** Internal: remember the asset id resolved for this draft's bytes. */
35
+ _rememberAsset(assetId) {
36
+ this.#assetId = assetId;
31
37
  }
32
38
  /**
33
39
  * Build a draft AgentsMd from a markdown string. The SDK zips the
@@ -56,14 +62,9 @@ export class AgentsMd {
56
62
  * `client.submit` can upload it as an asset.
57
63
  */
58
64
  _takeDraftBundle() {
59
- if (this.#consumed) {
60
- throw new Error("AgentsMd: cannot reuse a consumed AgentsMd in submit. Build a fresh one " +
61
- "via AgentsMd.fromContent(...) / AgentsMd.fromPath(...) per submit call.");
62
- }
63
65
  if (this.#ref.kind !== "draft" || !this.#zipBytes) {
64
66
  return undefined;
65
67
  }
66
- this.#consumed = true;
67
68
  return {
68
69
  name: this.#ref.name,
69
70
  contentHash: this.#ref.contentHash,
@@ -1 +1 @@
1
- {"version":3,"file":"agents-md.js","sourceRoot":"","sources":["../src/agents-md.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AAE1C;;;;;;;;;;GAUG;AACH,MAAM,OAAO,QAAQ;IACV,IAAI,CAAiC;IACrC,SAAS,CAAyB;IAC3C,SAAS,GAAG,KAAK,CAAC;IAElB,YAAY,GAAmC,EAAE,QAAqB;QACpE,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;IAC5B,CAAC;IAED,IAAI,GAAG;QACL,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;IACvD,CAAC;IAED,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,OAAe,EAAE,IAA+B;QACvE,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;QAC9E,CAAC;QACD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACjF,MAAM,IAAI,KAAK,CAAC,yCAAyC,iBAAiB,CAAC,MAAM,EAAE,CAAC,CAAC;QACvF,CAAC;QACD,MAAM,GAAG,GAAG,OAAO,CAAC,EAAE,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;QAC7F,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;QAC/C,MAAM,GAAG,GAAqB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,WAAW,EAAE,CAAC;QAC9E,OAAO,IAAI,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAChC,CAAC;IAED,uEAAuE;IACvE,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAY,EAAE,IAA+B;QACjE,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC7C,OAAO,QAAQ,CAAC,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC7C,CAAC;IAED;;;OAGG;IACH,gBAAgB;QACd,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CACb,0EAA0E;gBACxE,yEAAyE,CAC5E,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAClD,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACtB,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;YACpB,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW;YAClC,KAAK,EAAE,IAAI,CAAC,SAAS;SACtB,CAAC;IACJ,CAAC;IAED,MAAM;QACJ,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CACb,8EAA8E;gBAC5E,uDAAuD,CAC1D,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;CACF;AAQD,MAAM,iBAAiB,GAAG,mCAAmC,CAAC;AAC9D,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC"}
1
+ {"version":3,"file":"agents-md.js","sourceRoot":"","sources":["../src/agents-md.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AAE1C;;;;;;;;;;GAUG;AACH,MAAM,OAAO,QAAQ;IACV,IAAI,CAAiC;IACrC,SAAS,CAAyB;IAC3C,0EAA0E;IAC1E,QAAQ,CAAqB;IAE7B,YAAY,GAAmC,EAAE,QAAqB;QACpE,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;IAC5B,CAAC;IAED,IAAI,GAAG;QACL,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,CAAC;IACpC,CAAC;IAED,uEAAuE;IACvE,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,uEAAuE;IACvE,cAAc,CAAC,OAAe;QAC5B,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;IAC1B,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,OAAe,EAAE,IAA+B;QACvE,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;QAC9E,CAAC;QACD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACjF,MAAM,IAAI,KAAK,CAAC,yCAAyC,iBAAiB,CAAC,MAAM,EAAE,CAAC,CAAC;QACvF,CAAC;QACD,MAAM,GAAG,GAAG,OAAO,CAAC,EAAE,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;QAC7F,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;QAC/C,MAAM,GAAG,GAAqB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,WAAW,EAAE,CAAC;QAC9E,OAAO,IAAI,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAChC,CAAC;IAED,uEAAuE;IACvE,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAY,EAAE,IAA+B;QACjE,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC7C,OAAO,QAAQ,CAAC,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC7C,CAAC;IAED;;;OAGG;IACH,gBAAgB;QACd,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAClD,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;YACpB,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW;YAClC,KAAK,EAAE,IAAI,CAAC,SAAS;SACtB,CAAC;IACJ,CAAC;IAED,MAAM;QACJ,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CACb,8EAA8E;gBAC5E,uDAAuD,CAC1D,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;CACF;AAQD,MAAM,iBAAiB,GAAG,mCAAmC,CAAC;AAC9D,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC"}