@aexhq/sdk 0.30.0 → 0.31.0

Files changed (69)
  1. package/README.md +23 -9
  2. package/dist/_contracts/connection-ticket.d.ts +1 -1
  3. package/dist/_contracts/connection-ticket.js +1 -1
  4. package/dist/_contracts/event-envelope.d.ts +5 -8
  5. package/dist/_contracts/event-envelope.js +5 -6
  6. package/dist/_contracts/event-stream-client.d.ts +1 -1
  7. package/dist/_contracts/http.js +1 -1
  8. package/dist/_contracts/operations.d.ts +2 -47
  9. package/dist/_contracts/operations.js +7 -112
  10. package/dist/_contracts/provider-support.d.ts +48 -138
  11. package/dist/_contracts/provider-support.js +10 -41
  12. package/dist/_contracts/proxy-protocol.d.ts +7 -7
  13. package/dist/_contracts/proxy-protocol.js +8 -8
  14. package/dist/_contracts/run-config.d.ts +7 -20
  15. package/dist/_contracts/run-config.js +8 -46
  16. package/dist/_contracts/run-cost.d.ts +1 -5
  17. package/dist/_contracts/run-cost.js +0 -8
  18. package/dist/_contracts/run-custody.d.ts +4 -6
  19. package/dist/_contracts/run-custody.js +0 -8
  20. package/dist/_contracts/run-unit.d.ts +1 -1
  21. package/dist/_contracts/run-unit.js +2 -2
  22. package/dist/_contracts/runner-event.d.ts +1 -1
  23. package/dist/_contracts/runner-event.js +1 -1
  24. package/dist/_contracts/runtime-manifest.d.ts +13 -26
  25. package/dist/_contracts/runtime-manifest.js +6 -35
  26. package/dist/_contracts/runtime-types.d.ts +1 -1
  27. package/dist/_contracts/sdk-secrets.js +4 -4
  28. package/dist/_contracts/side-effect-audit.d.ts +2 -4
  29. package/dist/_contracts/side-effect-audit.js +2 -4
  30. package/dist/_contracts/status.d.ts +1 -1
  31. package/dist/_contracts/status.js +1 -1
  32. package/dist/_contracts/submission.d.ts +5 -126
  33. package/dist/_contracts/submission.js +10 -182
  34. package/dist/_contracts/webhook-verify.d.ts +1 -1
  35. package/dist/_contracts/webhook-verify.js +1 -1
  36. package/dist/asset-upload.d.ts +4 -10
  37. package/dist/asset-upload.js +4 -47
  38. package/dist/asset-upload.js.map +1 -1
  39. package/dist/cli.mjs +19 -193
  40. package/dist/cli.mjs.sha256 +1 -1
  41. package/dist/client.d.ts +8 -69
  42. package/dist/client.js +21 -98
  43. package/dist/client.js.map +1 -1
  44. package/dist/index.d.ts +4 -4
  45. package/dist/index.js +3 -4
  46. package/dist/index.js.map +1 -1
  47. package/dist/skill.d.ts +1 -1
  48. package/dist/skill.js +1 -1
  49. package/dist/version.d.ts +1 -1
  50. package/dist/version.js +1 -1
  51. package/docs/cleanup.md +2 -2
  52. package/docs/concepts/agent-tools.md +2 -2
  53. package/docs/concepts/composition.md +1 -1
  54. package/docs/concepts/providers-and-runtimes.md +2 -4
  55. package/docs/concepts/runs.md +3 -6
  56. package/docs/credentials.md +2 -5
  57. package/docs/defaults.md +22 -22
  58. package/docs/limits-and-quotas.md +40 -40
  59. package/docs/limits.md +1 -1
  60. package/docs/networking.md +2 -2
  61. package/docs/outputs.md +1 -1
  62. package/docs/provider-runtime-capabilities.md +36 -64
  63. package/docs/public-surface.json +2 -3
  64. package/docs/quickstart.md +18 -6
  65. package/docs/run-config.md +3 -4
  66. package/docs/secrets.md +7 -5
  67. package/docs/skills.md +4 -12
  68. package/docs/vision-skills.md +1 -1
  69. package/package.json +2 -2
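--- a/package/dist/_contracts/submission.d.ts
+++ b/package/dist/_contracts/submission.d.ts
@@ -11,7 +11,7 @@ export type JsonValue = JsonPrimitive | JsonValue[] | {
  };
  /**
  * Networking + runtime-package snapshot carried inside a flat submission
- * so the worker can deep-clone and mutate it per run (e.g. injecting the
+ * so the hosted API can deep-clone and mutate it per run (e.g. injecting the
  * proxy hostname into `allowed_hosts`) without sharing state across
  * concurrent runs.
  *
@@ -58,7 +58,7 @@ export declare const ENV_VARS_MAX_VALUE_BYTES = 4096;
  export declare const ENV_VARS_MAX_TOTAL_BYTES = 65536;
  export interface PlatformNetworking {
  readonly mode: "limited" | "open";
- /** Lowercase host names. The worker always appends the proxy host. */
+ /** Lowercase host names. The hosted API always appends the proxy host. */
  readonly allowedHosts?: readonly string[];
  }
  /**
@@ -137,60 +137,6 @@ export declare const Providers: {
  /** Doubao (ByteDance) via the official China Volcengine Ark gateway. */
  readonly DOUBAO_CN: "doubao-cn";
  };
- /**
- * Product placement regions accepted on run submission. These are
- * product-level tokens, not exact city guarantees: the hosted platform maps
- * each region to co-located managed Postgres, object storage, run-state
- * placement, and sandbox backing.
- *
- * eu-west → London (Western Europe)
- * us-west → N. California (Western North America)
- * ap-northeast → Seoul (Northeast Asia)
- *
- * Prefer the {@link Regions} accessors over raw strings so a typo is a compile
- * error, not a runtime 400.
- */
- export declare const REGIONS: readonly ["eu-west", "us-west", "ap-northeast"];
- export type Region = (typeof REGIONS)[number];
- /** Symbol-style accessors for the closed region set — e.g. `Regions.EU_WEST`. */
- export declare const Regions: {
- /** Western Europe — London. */
- readonly EU_WEST: "eu-west";
- /** Western North America — N. California. */
- readonly US_WEST: "us-west";
- /** Northeast Asia — Seoul. */
- readonly AP_NORTHEAST: "ap-northeast";
- };
- /**
- * Customer-facing runtime selector. Optional on the wire; absent resolves
- * to the same managed runtime as `"managed"`. `"native"` is no longer an
- * accepted submission value and fails schema validation.
- */
- export declare const RUNTIME_KINDS: readonly ["managed"];
- export type RuntimeKind = (typeof RUNTIME_KINDS)[number];
- /**
- * Credential source for upstream provider access. Launch accepts only BYOK:
- * callers may omit `credentialMode` or pass `"byok"`. Other strings, including
- * `"managed"`, are invalid submission values rather than reserved product
- * promises.
- */
- export declare const CREDENTIAL_MODES: readonly ["byok"];
- export type CredentialMode = (typeof CREDENTIAL_MODES)[number];
- export declare const DEFAULT_CREDENTIAL_MODE: CredentialMode;
- export declare function parseCredentialMode(input: unknown): CredentialMode;
- export declare function credentialModeOrDefault(input: CredentialMode | undefined): CredentialMode;
- /** Outcome of the centralized runtime-support check. */
- export interface RuntimeSupportCheck {
- readonly ok: boolean;
- readonly message?: string;
- }
- /**
- * Centralized runtime-support validator. Native is removed from the public
- * runtime enum, so an absent runtime and `"managed"` are the only supported
- * inputs. Schema parsing rejects other runtime strings before this helper is
- * reached, but the result type remains for SDK preflight checks.
- */
- export declare function checkRuntimeSupported(provider: RunProvider, runtime: RuntimeKind | undefined): RuntimeSupportCheck;
  export interface PlatformMcpServerSecret {
  readonly name: string;
  readonly url: string;
@@ -230,13 +176,6 @@ export type PlatformProxyAuthValue = {
  * driving the MCP client).
  */
  export interface PlatformInlineSecrets {
- /**
- * Deprecated compatibility field: the BYOK key for the run's selected
- * provider. New multi-provider callers should use `apiKeys`, but the parser
- * still accepts and preserves this flat field so existing SDK/CLI callers
- * continue to work.
- */
- readonly apiKey?: string;
  readonly apiKeys?: Partial<Record<RunProvider, string>>;
  readonly mcpServers?: readonly PlatformMcpServerSecret[];
  readonly proxyEndpointAuth?: readonly PlatformProxyEndpointAuth[];
@@ -331,7 +270,7 @@ export declare function optionalPositiveInt(input: unknown, field: string): numb
  export declare function optionalPositiveNumber(input: unknown, field: string): number | undefined;
  /**
  * Wire-level submission posted to /api/runs in the flat surface. The
- * `prompt` is always an array internally so the worker, the audit log,
+ * `prompt` is always an array internally so the hosted API, the audit log,
  * and the BFF idempotency hash all see one shape. `mcpServers` carries
  * only the non-secret half; bearer headers travel in
  * `secrets.mcpServers` keyed by `name`.
@@ -435,30 +374,12 @@ export interface PlatformInjectionConfig {
  export interface PlatformRunSubmissionRequest {
  readonly workspaceId: string;
  readonly idempotencyKey: string;
- /**
- * Credential source for upstream provider access. Omitted means
- * `"byok"`; launch does not accept managed provider credentials.
- */
- readonly credentialMode: CredentialMode;
  /**
  * Provider selector. Always populated after parsing — absent on the
  * wire means {@link DEFAULT_RUN_PROVIDER}. All providers are dispatched
  * through the managed runtime.
  */
  readonly provider: RunProvider;
- /**
- * Customer's explicit runtime choice. `undefined` and `"managed"` both
- * resolve to the managed runtime. Other runtime values are rejected by
- * `parseRunSubmissionRequest`.
- */
- readonly runtime?: RuntimeKind;
- /**
- * Optional product placement token requested by the caller. Omitted means
- * the hosted platform infers a configured region from request geography and
- * falls back to its default region. Accepted tokens do not promise exact
- * city-level placement.
- */
- readonly region?: Region;
  readonly submission: PlatformSubmission;
  readonly secrets: PlatformInlineSecrets;
  readonly proxyEndpoints?: readonly PlatformProxyEndpoint[];
@@ -545,21 +466,9 @@ export interface RunLimits {
  * {@link DEFAULT_RUN_PROVIDER} (`anthropic`). The parser fills it in
  * before the value enters the run snapshot.
  */
- export type PlatformRunSubmissionInput = Omit<PlatformRunSubmissionRequest, "workspaceId" | "credentialMode" | "provider" | "runtime" | "region" | "timeoutMs" | "postHook"> & {
+ export type PlatformRunSubmissionInput = Omit<PlatformRunSubmissionRequest, "workspaceId" | "provider" | "timeoutMs" | "postHook"> & {
  readonly workspaceId?: string;
- readonly credentialMode?: CredentialMode;
  readonly provider?: RunProvider;
- /**
- * Optional runtime selector. Set `"managed"` explicitly or omit the
- * field; both resolve to the managed runtime. `"native"` is no longer
- * accepted.
- */
- readonly runtime?: RuntimeKind;
- /**
- * Optional product placement region. Invalid explicit values are rejected;
- * omission lets the platform infer/fallback.
- */
- readonly region?: Region;
  /**
  * Run deadline as a human duration string (`"1h"`, `"90m"`, `"30s"`).
  * Parsed + bounded to [1m, 6h] server-side into
@@ -592,8 +501,6 @@ export declare function parseRunWebhook(input: unknown): RunWebhookSpec | undefi
  * collapses to `undefined` so it carries no signal onto the request.
  */
  export declare function parseRunLimits(input: unknown): RunLimits | undefined;
- export declare function parseRegion(input: unknown): Region | undefined;
- export declare function parseRuntimeKind(input: unknown): RuntimeKind | undefined;
  export declare function parseRunProvider(input: unknown): RunProvider;
  /**
  * Cross-check the supplied secrets bundle against the credential mode. BYOK
@@ -607,7 +514,7 @@ export declare function parseRunProvider(input: unknown): RunProvider;
  * it need not carry any of its own. The server still verifies, at admission,
  * that the parent actually holds a key for the child's provider.
  */
- export declare function enforceCredentialSecretPolicy(credentialMode: CredentialMode, secrets: PlatformInlineSecrets, provider: RunProvider, opts?: {
+ export declare function enforceCredentialSecretPolicy(secrets: PlatformInlineSecrets, provider: RunProvider, opts?: {
  readonly inheritsFromParent?: boolean;
  }): void;
  export declare function parseSubmission(input: unknown): PlatformSubmission;
@@ -679,31 +586,3 @@ export declare const DEFAULT_BUILTIN_TOOLS: readonly BuiltinToolName[];
  * union is validated ⊆ the closed set so an invalid name can never leak through.
  */
  export declare function resolveBuiltinToolNames(includeBuiltinTools: boolean | undefined, toolRefs?: readonly string[]): readonly BuiltinToolName[];
- /**
- * Codes emitted when a submission contains features the active runtime cannot
- * serve. Code values are stable so dashboard / SDK error rendering can branch
- * on them.
- */
- export declare const RUNTIME_VALIDATION_CODES: readonly ["feature_runtime_mismatch"];
- export type RuntimeValidationCode = (typeof RUNTIME_VALIDATION_CODES)[number];
- /**
- * Thrown by `parseRunSubmissionRequest` and `selectRuntime` when the submitted
- * run cannot be served by the active managed runtime. The `code` field is part
- * of the public contract; keep it stable when phrasing changes.
- */
- export declare class RuntimeValidationError extends Error {
- readonly code: RuntimeValidationCode;
- constructor(code: RuntimeValidationCode, message: string);
- }
- /**
- * Walk the parsed submission and collect features that the active managed
- * runtime cannot serve. Provider-hosted skill refs (`kind:"provider"`) are
- * rejected now that new submissions only dispatch through managed runs.
- */
- export declare function collectManagedUnsupportedFeatures(req: PlatformRunSubmissionRequest): string[];
- /**
- * Backward-incompatible replacement for the old dual-runtime dispatcher. It is
- * kept as a pure helper so SDK, CLI, and tests can resolve the runtime without
- * I/O.
- */
- export declare function selectRuntime(req: PlatformRunSubmissionRequest): RuntimeKind;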
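Review bot: The JSDoc kept above `enforceCredentialSecretPolicy` still opens with "Cross-check the supplied secrets bundle against the credential mode", but this release removes both the `credentialMode` parameter and the `CredentialMode` type, so the comment describes an argument that no longer exists. I would reword the opening to something like `Require a key for the selected provider in secrets.apiKeys, unless the run inherits credentials from its parent.` Dropping the first positional parameter also shifts the remaining ones, so an untyped JavaScript caller that still passes the old three values would hand a string in as `secrets`; a `@remarks` line or changelog entry naming the new argument order would make that visible. The comment block begins outside the visible hunk, so the rest of its wording should be checked as well.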
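--- a/package/dist/_contracts/submission.js
+++ b/package/dist/_contracts/submission.js
@@ -114,65 +114,6 @@ export const Providers = {
  /** Doubao (ByteDance) via the official China Volcengine Ark gateway. */
  DOUBAO_CN: "doubao-cn"
  };
- /**
- * Product placement regions accepted on run submission. These are
- * product-level tokens, not exact city guarantees: the hosted platform maps
- * each region to co-located managed Postgres, object storage, run-state
- * placement, and sandbox backing.
- *
- * eu-west → London (Western Europe)
- * us-west → N. California (Western North America)
- * ap-northeast → Seoul (Northeast Asia)
- *
- * Prefer the {@link Regions} accessors over raw strings so a typo is a compile
- * error, not a runtime 400.
- */
- export const REGIONS = ["eu-west", "us-west", "ap-northeast"];
- /** Symbol-style accessors for the closed region set — e.g. `Regions.EU_WEST`. */
- export const Regions = {
- /** Western Europe — London. */
- EU_WEST: "eu-west",
- /** Western North America — N. California. */
- US_WEST: "us-west",
- /** Northeast Asia — Seoul. */
- AP_NORTHEAST: "ap-northeast"
- };
- /**
- * Customer-facing runtime selector. Optional on the wire; absent resolves
- * to the same managed runtime as `"managed"`. `"native"` is no longer an
- * accepted submission value and fails schema validation.
- */
- export const RUNTIME_KINDS = ["managed"];
- /**
- * Credential source for upstream provider access. Launch accepts only BYOK:
- * callers may omit `credentialMode` or pass `"byok"`. Other strings, including
- * `"managed"`, are invalid submission values rather than reserved product
- * promises.
- */
- export const CREDENTIAL_MODES = ["byok"];
- export const DEFAULT_CREDENTIAL_MODE = "byok";
- export function parseCredentialMode(input) {
- if (input === undefined) {
- return DEFAULT_CREDENTIAL_MODE;
- }
- if (typeof input !== "string" || !CREDENTIAL_MODES.includes(input)) {
- throw new Error(`credentialMode must be one of: ${CREDENTIAL_MODES.join(", ")} (got ${JSON.stringify(input)})`);
- }
- return input;
- }
- export function credentialModeOrDefault(input) {
- return input ?? DEFAULT_CREDENTIAL_MODE;
- }
- /**
- * Centralized runtime-support validator. Native is removed from the public
- * runtime enum, so an absent runtime and `"managed"` are the only supported
- * inputs. Schema parsing rejects other runtime strings before this helper is
- * reached, but the result type remains for SDK preflight checks.
- */
- export function checkRuntimeSupported(provider, runtime) {
- void provider;
- return { ok: true };
- }
  export const SECRETS_KEY = "secrets";
  /** POSIX-style env var name a `secretEnv` entry binds to (e.g. `SERPER_API_KEY`). */
  export const SECRET_ENV_NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]{0,127}$/;
@@ -239,7 +180,7 @@ function parseEnvironment(input) {
  * Validate a customer-supplied `environment.envVars` map. Returns a
  * frozen copy with keys in insertion order, or `undefined` when the
  * input is absent / an empty object (treated as not supplied so the
- * worker can omit the field from the parsed snapshot).
+ * hosted API can omit the field from the parsed snapshot).
  *
  * Rules:
  * - Must be a JSON object whose values are all strings.
@@ -723,7 +664,7 @@ export function parseInlineSecrets(input) {
  if (input === undefined || input === null)
  return {};
  const value = requireRecord(input, "secrets");
- const allowedTopLevel = new Set(["apiKey", "apiKeys", "mcpServers", "proxyEndpointAuth", "envSecrets"]);
+ const allowedTopLevel = new Set(["apiKeys", "mcpServers", "proxyEndpointAuth", "envSecrets"]);
  for (const key of Object.keys(value)) {
  if (key.startsWith("__aex_")) {
  // Platform-internal namespace (e.g. __aex_proxy_token). The BFF
@@ -736,13 +677,11 @@ export function parseInlineSecrets(input) {
  throw new Error(`secrets.${key} is not an allowed field; permitted: ${[...allowedTopLevel].join(", ")}`);
  }
  }
- const apiKey = value.apiKey !== undefined ? requireString(value.apiKey, "secrets.apiKey") : undefined;
  const apiKeys = parseApiKeys(value.apiKeys);
  const mcpServers = parseMcpServerSecrets(value.mcpServers);
  const proxyEndpointAuth = parseProxyEndpointAuth(value.proxyEndpointAuth);
  const envSecrets = parseEnvSecrets(value.envSecrets);
  return {
- ...(apiKey !== undefined ? { apiKey } : {}),
  ...(apiKeys ? { apiKeys } : {}),
  ...(mcpServers ? { mcpServers } : {}),
  ...(proxyEndpointAuth ? { proxyEndpointAuth } : {}),
@@ -1051,10 +990,7 @@ export function parseRunSubmissionRequest(input, options = {}) {
  const allowedTopLevelFields = new Set([
  "workspaceId",
  "idempotencyKey",
- "credentialMode",
  "provider",
- "runtime",
- "region",
  "submission",
  "runtimeSize",
  "timeout",
@@ -1083,15 +1019,7 @@ export function parseRunSubmissionRequest(input, options = {}) {
  assertNoSecretBearingFields(fieldValue, [key]);
  }
  const provider = parseRunProvider(value.provider);
- const runtime = parseRuntimeKind(value.runtime);
- const region = parseRegion(value.region);
- const credentialMode = parseCredentialMode(value.credentialMode);
  void options;
- // Cross-field validation via the centralized runtime-support validator.
- const runtimeSupport = checkRuntimeSupported(provider, runtime);
- if (!runtimeSupport.ok) {
- throw new Error(runtimeSupport.message ?? "unsupported runtime");
- }
  const runtimeSize = parseRuntimeSize(value.runtimeSize);
  const timeoutMs = parseRunTimeout(value.timeout);
  // Lineage parent only. `depth` is NEVER accepted from the wire — the server
@@ -1102,7 +1030,7 @@ export function parseRunSubmissionRequest(input, options = {}) {
  const postHook = parsePostHook(value.postHook, "submission.postHook");
  const proxyEndpoints = parseProxyEndpoints(value.proxyEndpoints);
  const secrets = parseInlineSecrets(value.secrets);
- enforceCredentialSecretPolicy(credentialMode, secrets, provider, {
+ enforceCredentialSecretPolicy(secrets, provider, {
  inheritsFromParent: parentRunId !== undefined
  });
  crossValidateProxyEndpointsAndAuth(proxyEndpoints, secrets.proxyEndpointAuth);
@@ -1127,28 +1055,10 @@ export function parseRunSubmissionRequest(input, options = {}) {
  }
  }
  }
- const candidate = {
- workspaceId: "",
- idempotencyKey: "",
- credentialMode,
- provider,
- ...(runtime ? { runtime } : {}),
- ...(region ? { region } : {}),
- submission,
- secrets
- };
- const unsupportedManagedFeatures = collectManagedUnsupportedFeatures(candidate);
- if (unsupportedManagedFeatures.length > 0) {
- throw new RuntimeValidationError("feature_runtime_mismatch", `The managed runtime does not support these submission features: ` +
- `${unsupportedManagedFeatures.join(", ")}. Remove them or use inline aex skills.`);
- }
  return {
  workspaceId: requireString(value.workspaceId, "workspaceId"),
  idempotencyKey: requireString(value.idempotencyKey, "idempotencyKey"),
- credentialMode,
  provider,
- ...(runtime ? { runtime } : {}),
- ...(region ? { region } : {}),
  submission,
  ...(runtimeSize ? { runtimeSize } : {}),
  ...(timeoutMs !== undefined ? { timeoutMs } : {}),
@@ -1235,24 +1145,6 @@ export function parseRunLimits(input) {
  ...(maxSpendUsd !== undefined ? { maxSpendUsd } : {})
  };
  }
- export function parseRegion(input) {
- if (input === undefined) {
- return undefined;
- }
- if (typeof input !== "string" || !REGIONS.includes(input)) {
- throw new Error(`region must be one of: ${REGIONS.join(", ")} (got ${JSON.stringify(input)})`);
- }
- return input;
- }
- export function parseRuntimeKind(input) {
- if (input === undefined) {
- return undefined;
- }
- if (typeof input !== "string" || !RUNTIME_KINDS.includes(input)) {
- throw new Error(`runtime must be one of: ${RUNTIME_KINDS.join(", ")} (got ${JSON.stringify(input)})`);
- }
- return input;
- }
  export function parseRunProvider(input) {
  if (input === undefined) {
  return DEFAULT_RUN_PROVIDER;
@@ -1274,12 +1166,11 @@ export function parseRunProvider(input) {
  * it need not carry any of its own. The server still verifies, at admission,
  * that the parent actually holds a key for the child's provider.
  */
- export function enforceCredentialSecretPolicy(credentialMode, secrets, provider, opts) {
- void credentialMode;
+ export function enforceCredentialSecretPolicy(secrets, provider, opts) {
  if (opts?.inheritsFromParent)
  return;
- if (!(secrets.apiKeys?.[provider] ?? secrets.apiKey)) {
- throw new Error(`secrets.apiKey is required when credentialMode is byok (or secrets.apiKeys["${provider}"])`);
+ if (!secrets.apiKeys?.[provider]) {
+ throw new Error(`secrets.apiKeys["${provider}"] is required`);
  }
  }
  export function parseSubmission(input) {
@@ -1509,7 +1400,7 @@ function parseIncludeBuiltinTools(input) {
  * plus a generous margin for legitimate multi-root use cases (per-tool
  * output directory + scratch state + logs, repeated across a few
  * subdirectories), without inviting abuse of the synthetic-turn path
- * the worker drives at session terminal.
+ * the platform capture path drives at session terminal.
  */
  const MAX_OUTPUT_DIRS = 32;
  /**
@@ -1708,23 +1599,13 @@ function parseSkills(input) {
  if (!Array.isArray(input)) {
  throw new Error("submission.skills must be an array of SkillRef objects");
  }
- const seenProvider = new Set();
  const seenAssetId = new Set();
  return input.map((item, index) => {
  const ref = parseSkillRef(item, `submission.skills[${index}]`);
- if (ref.kind === "provider") {
- const key = `${ref.vendor}:${ref.skillId}:${ref.version ?? ""}`;
- if (seenProvider.has(key)) {
- throw new Error(`submission.skills duplicate provider skill: ${ref.vendor}:${ref.skillId}${ref.version ? `:${ref.version}` : ""}`);
- }
- seenProvider.add(key);
- }
- else if (ref.kind === "asset") {
- if (seenAssetId.has(ref.assetId)) {
- throw new Error(`submission.skills duplicate assetId: ${ref.assetId}`);
- }
- seenAssetId.add(ref.assetId);
+ if (seenAssetId.has(ref.assetId)) {
+ throw new Error(`submission.skills duplicate assetId: ${ref.assetId}`);
  }
+ seenAssetId.add(ref.assetId);
  return ref;
  });
  }
@@ -1879,57 +1760,4 @@ function parseMcpServers(input) {
  return ref;
  });
  }
- // ===========================================================================
- // Runtime dispatcher
- // ===========================================================================
- /**
- * Codes emitted when a submission contains features the active runtime cannot
- * serve. Code values are stable so dashboard / SDK error rendering can branch
- * on them.
- */
- export const RUNTIME_VALIDATION_CODES = [
- "feature_runtime_mismatch"
- ];
- /**
- * Thrown by `parseRunSubmissionRequest` and `selectRuntime` when the submitted
- * run cannot be served by the active managed runtime. The `code` field is part
- * of the public contract; keep it stable when phrasing changes.
- */
- export class RuntimeValidationError extends Error {
- code;
- constructor(code, message) {
- super(message);
- this.name = "RuntimeValidationError";
- this.code = code;
- }
- }
- /**
- * Walk the parsed submission and collect features that the active managed
- * runtime cannot serve. Provider-hosted skill refs (`kind:"provider"`) are
- * rejected now that new submissions only dispatch through managed runs.
- */
- export function collectManagedUnsupportedFeatures(req) {
- const features = [];
- for (const skill of req.submission.skills) {
- if (skill.kind === "provider") {
- const versionSuffix = skill.version ? `@${skill.version}` : "";
- features.push(`provider skill "${skill.vendor}/${skill.skillId}${versionSuffix}" (kind:"provider")`);
- }
- }
- return features;
- }
- /**
- * Backward-incompatible replacement for the old dual-runtime dispatcher. It is
- * kept as a pure helper so SDK, CLI, and tests can resolve the runtime without
- * I/O.
- */
- export function selectRuntime(req) {
- const unsupported = collectManagedUnsupportedFeatures(req);
- if (unsupported.length > 0) {
- throw new RuntimeValidationError("feature_runtime_mismatch", `The managed runtime does not support these submission features: ` +
- `${unsupported.join(", ")}. Remove them or use inline aex skills.`);
- }
- void req;
- return "managed";
- }
  //# sourceMappingURL=submission.js.map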
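Review bot: In `parseSkills` the duplicate check now reads `ref.assetId` for every ref without testing `ref.kind` first, where the old code guarded it with `else if (ref.kind === "asset")`. If `parseSkillRef` (not shown in this diff) can still return a ref of any other kind, `ref.assetId` is `undefined` for it, and a second such ref would be rejected as `duplicate assetId: undefined`. The same release deletes `collectManagedUnsupportedFeatures`, the one visible place that rejected `kind:"provider"` refs, so that rejection presumably has to happen inside `parseSkillRef` now; that is worth confirming with a test that submits a provider ref. Keeping the guard as `if (ref.kind === "asset") { ... }` around the two `seenAssetId` lines would make the function safe regardless of what `parseSkillRef` accepts.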
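--- a/package/dist/_contracts/webhook-verify.d.ts
+++ b/package/dist/_contracts/webhook-verify.d.ts
@@ -12,7 +12,7 @@
  * the HMAC key is the raw bytes after the `whsec_` prefix. Verification accepts
  * the secret with or without the prefix.
  *
- * Pure Web Crypto — identical under Bun, Node, and workerd; this mirrors the
+ * Pure Web Crypto — identical under Bun and Node; this mirrors the
  * `standardwebhooks` library so a customer can verify with either.
  */
  export interface VerifyAexWebhookInput {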
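--- a/package/dist/_contracts/webhook-verify.js
+++ b/package/dist/_contracts/webhook-verify.js
@@ -12,7 +12,7 @@
  * the HMAC key is the raw bytes after the `whsec_` prefix. Verification accepts
  * the secret with or without the prefix.
  *
- * Pure Web Crypto — identical under Bun, Node, and workerd; this mirrors the
+ * Pure Web Crypto — identical under Bun and Node; this mirrors the
  * `standardwebhooks` library so a customer can verify with either.
  */
  const encoder = new TextEncoder();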
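--- a/package/dist/asset-upload.d.ts
+++ b/package/dist/asset-upload.d.ts
@@ -11,18 +11,13 @@
  *
  * 1. POST /assets/presign → { exists } | { uploadUrl, requiredHeaders }
  * - `exists:true` is a dedup hit; we're done.
- * - otherwise the Worker mints a presigned PUT scoped to the exact
+ * - otherwise the hosted API mints a presigned PUT scoped to the exact
  * content-addressed key and signs `x-amz-checksum-sha256` so the object
  * store enforces integrity server-side.
  * 2. PUT the bytes straight to `uploadUrl` with `requiredHeaders` (the signed
  * checksum). The store rejects a byte mismatch — a 2xx proves bytes == hash.
  * 3. POST /assets/finalize → confirms the object exists (HEAD only).
  *
- * Fallback: when the hosted API has no object-store upload credentials it
- * answers presign with 503 `presign_unconfigured`; we POST the bytes to the
- * buffered `/assets`
- * path (small bundles only). The runner re-verifies the hash on download in
- * every case.
  */
  /**
  * Subset of `HttpClient` needed by the asset uploader. Defined as a
@@ -56,11 +51,10 @@ export interface UploadedAsset {
  }
  /**
  * Upload `bytes` to the hosted API's content-addressable asset store via the
- * direct-to-storage presign flow, falling back to the buffered `/assets` POST
- * when the hosted API has no object-store upload credentials.
+ * direct-to-storage presign flow.
  *
  * Verifies the advisory hash matches the bytes BEFORE sending so a mismatch
- * fails fast on the client. The store (or the buffered endpoint) re-verifies, and the
- * runner re-checks on download.
+ * fails fast on the client. Object storage re-verifies via the signed checksum,
+ * and the runner re-checks on download.
  */
  export declare function uploadAsset(args: UploadAssetArgs): Promise<UploadedAsset>;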
@@ -11,27 +11,21 @@
11
11
  *
12
12
  * 1. POST /assets/presign → { exists } | { uploadUrl, requiredHeaders }
13
13
  * - `exists:true` is a dedup hit; we're done.
14
- * - otherwise the Worker mints a presigned PUT scoped to the exact
14
+ * - otherwise the hosted API mints a presigned PUT scoped to the exact
15
15
  * content-addressed key and signs `x-amz-checksum-sha256` so the object
16
16
  * store enforces integrity server-side.
17
17
  * 2. PUT the bytes straight to `uploadUrl` with `requiredHeaders` (the signed
18
18
  * checksum). The store rejects a byte mismatch — a 2xx proves bytes == hash.
19
19
  * 3. POST /assets/finalize → confirms the object exists (HEAD only).
20
20
  *
21
- * Fallback: when the hosted API has no object-store upload credentials it
22
- * answers presign with 503 `presign_unconfigured`; we POST the bytes to the
23
- * buffered `/assets`
24
- * path (small bundles only). The runner re-verifies the hash on download in
25
- * every case.
26
21
  */
27
22
  /**
28
23
  * Upload `bytes` to the hosted API's content-addressable asset store via the
29
- * direct-to-storage presign flow, falling back to the buffered `/assets` POST
30
- * when the hosted API has no object-store upload credentials.
24
+ * direct-to-storage presign flow.
31
25
  *
32
26
  * Verifies the advisory hash matches the bytes BEFORE sending so a mismatch
33
- * fails fast on the client. The store (or the buffered endpoint) re-verifies, and the
34
- * runner re-checks on download.
27
+ * fails fast on the client. Object storage re-verifies via the signed checksum,
28
+ * and the runner re-checks on download.
35
29
  */
36
30
  export async function uploadAsset(args) {
37
31
  const expected = args.hash.startsWith("sha256:") ? args.hash.slice("sha256:".length) : args.hash;
@@ -51,10 +45,6 @@ export async function uploadAsset(args) {
51
45
  });
52
46
  }
53
47
  catch (err) {
54
- // 503 presign_unconfigured → fall back to the buffered upload path.
55
- if (isPresignUnconfigured(err)) {
56
- return uploadAssetBuffered(args, actual);
57
- }
58
48
  throw err;
59
49
  }
60
50
  // Dedup hit — identical bytes already vaulted under this workspace.
@@ -100,39 +90,6 @@ export async function uploadAsset(args) {
100
90
  exists: false
101
91
  };
102
92
  }
103
- /** Detect the 503 `presign_unconfigured` rejection, regardless of error class. */
104
- function isPresignUnconfigured(err) {
105
- if (!err || typeof err !== "object")
106
- return false;
107
- const e = err;
108
- if (e.status !== 503)
109
- return false;
110
- const detailCode = e.details?.code;
111
- return e.code === "presign_unconfigured" || detailCode === "presign_unconfigured";
112
- }
113
- /**
114
- * Fallback: POST the bytes to the buffered `/assets` endpoint. Used only when
115
- * the hosted API has no object-store upload credentials (presign 503). Subject to the API's
116
- * payload limit, so suitable for small bundles only.
117
- */
118
- async function uploadAssetBuffered(args, actualHex) {
119
- const body = await args.http.request("/assets", {
120
- method: "POST",
121
- headers: {
122
- "content-type": args.contentType ?? "application/zip",
123
- "content-length": String(args.bytes.byteLength),
124
- "x-asset-hash": `sha256:${actualHex}`
125
- },
126
- body: args.bytes
127
- });
128
- const contentHash = body.contentHash ?? body.hash ?? `sha256:${actualHex}`;
129
- return {
130
- assetId: body.assetId ?? assetIdFromContentHash(contentHash),
131
- contentHash,
132
- sizeBytes: body.sizeBytes,
133
- exists: body.exists
134
- };
135
- }
136
93
  // ---------------------------------------------------------------------------
137
94
  // Internal helpers
138
95
  // ---------------------------------------------------------------------------
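Review bot: With the `presign_unconfigured` branch removed, the `catch (err) { throw err; }` around the presign request in `uploadAsset` only rethrows, so the `try`/`catch` can be dropped and the request awaited directly. Left in place, the handler reads as if a recovery path were still intended. A 503 `presign_unconfigured` from the hosted API now rejects the returned promise instead of sending the bytes through the buffered `/assets` POST, and the doc comment above `uploadAsset` does not say so; a line such as `@throws when presign is rejected, including 503 presign_unconfigured (no buffered fallback)` would make that contract explicit. The body of `uploadAsset` starts and continues outside these hunks, so the shape of the `try` block is inferred from the visible `});`, `}` and `catch` lines.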
@@ -1 +1 @@
1
- {"version":3,"file":"asset-upload.js","sourceRoot":"","sources":["../src/asset-upload.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAoCH;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAqB;IACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;IACjG,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CACb,2DAA2D,MAAM,GAAG;YAClE,uBAAuB,IAAI,CAAC,IAAI,+CAA+C,CAClF,CAAC;IACJ,CAAC;IACD,MAAM,iBAAiB,GAAG,UAAU,MAAM,EAAE,CAAC;IAE7C,4CAA4C;IAC5C,IAAI,OAUS,CAAC;IACd,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAA8B,iBAAiB,EAAE;YAChF,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,iBAAiB,EAAE,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;SACpF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,oEAAoE;QACpE,IAAI,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO,mBAAmB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,oEAAoE;IACpE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,iBAAiB,CAAC;QAC7D,OAAO;YACL,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,sBAAsB,CAAC,WAAW,CAAC;YAC/D,WAAW;YACX,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU;YACrD,MAAM,EAAE,IAAI;SACb,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IAED,+FAA+F;IAC/F,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,IAAK,UAAU,CAAC,KAA+B,CAAC;IAC1E,MAAM,UAAU,GAA2B;QACzC,cAAc,EAAE,IAAI,CAAC,WAAW,IAAI,iBAAiB;QACrD,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,CAAC;KACnC,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE;QAC9C,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,UAAU;QACnB,IAAI,EAAE,IAAI,CAAC,KAAK;KACjB,CAAC,CAAC;IACH,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,KAAK,CACb,qDAAqD,MAAM,CAAC,MAAM,EAAE;YAClE,CAAC,MAA
M,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAC9C,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAKhC,kBAAkB,EAAE;QACrB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,iBAAiB,EAAE,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;KACpF,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW,IAAI,OAAO,CAAC,WAAW,IAAI,iBAAiB,CAAC;IAChF,OAAO;QACL,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO,IAAI,sBAAsB,CAAC,WAAW,CAAC;QAC9E,WAAW;QACX,SAAS,EAAE,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU;QACjD,MAAM,EAAE,KAAK;KACd,CAAC;AACJ,CAAC;AAED,kFAAkF;AAClF,SAAS,qBAAqB,CAAC,GAAY;IACzC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAClD,MAAM,CAAC,GAAG,GAA8D,CAAC;IACzE,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IACnC,MAAM,UAAU,GAAI,CAAC,CAAC,OAA0C,EAAE,IAAI,CAAC;IACvE,OAAO,CAAC,CAAC,IAAI,KAAK,sBAAsB,IAAI,UAAU,KAAK,sBAAsB,CAAC;AACpF,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,mBAAmB,CAAC,IAAqB,EAAE,SAAiB;IACzE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAQjC,SAAS,EAAE;QACZ,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,IAAI,CAAC,WAAW,IAAI,iBAAiB;YACrD,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;YAC/C,cAAc,EAAE,UAAU,SAAS,EAAE;SACtC;QACD,IAAI,EAAE,IAAI,CAAC,KAAK;KACjB,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,IAAI,IAAI,UAAU,SAAS,EAAE,CAAC;IAC3E,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,sBAAsB,CAAC,WAAW,CAAC;QAC5D,WAAW;QACX,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,MAAM,EAAE,IAAI,CAAC,MAAM;KACpB,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;;GAIG;AACH,KAAK,UAAU,gBAAgB,CAAC,KAAiB;IAC/C,MAAM,MAAM,GAAI,UAAqD,CAAC,MAAM,EAAE,MAAM,CAAC;IACrF,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,0DAA0D;YACxD,4DAA4D,CAC/D,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC9C,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAC3D,OAAO,WAAW,CAAC,MAAM,
CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,sBAAsB,CAAC,WAAmB;IACjD,MAAM,GAAG,GAAG,WAAW,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;IAClG,OAAO,SAAS,GAAG,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,WAAW,CAAC,MAAmB;IACtC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAW,CAAC;QAC/B,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
1
+ {"version":3,"file":"asset-upload.js","sourceRoot":"","sources":["../src/asset-upload.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAoCH;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAqB;IACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;IACjG,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CACb,2DAA2D,MAAM,GAAG;YAClE,uBAAuB,IAAI,CAAC,IAAI,+CAA+C,CAClF,CAAC;IACJ,CAAC;IACD,MAAM,iBAAiB,GAAG,UAAU,MAAM,EAAE,CAAC;IAE7C,4CAA4C;IAC5C,IAAI,OAUS,CAAC;IACd,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAA8B,iBAAiB,EAAE;YAChF,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,iBAAiB,EAAE,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;SACpF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,oEAAoE;IACpE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,iBAAiB,CAAC;QAC7D,OAAO;YACL,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,sBAAsB,CAAC,WAAW,CAAC;YAC/D,WAAW;YACX,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU;YACrD,MAAM,EAAE,IAAI;SACb,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IAED,+FAA+F;IAC/F,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,IAAK,UAAU,CAAC,KAA+B,CAAC;IAC1E,MAAM,UAAU,GAA2B;QACzC,cAAc,EAAE,IAAI,CAAC,WAAW,IAAI,iBAAiB;QACrD,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,CAAC;KACnC,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE;QAC9C,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,UAAU;QACnB,IAAI,EAAE,IAAI,CAAC,KAAK;KACjB,CAAC,CAAC;IACH,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,KAAK,CACb,qDAAqD,MAAM,CAAC,MAAM,EAAE;YAClE,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAC9C,CAAC;IACJ,CAAC;IAED,yE
AAyE;IACzE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAKhC,kBAAkB,EAAE;QACrB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,iBAAiB,EAAE,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;KACpF,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW,IAAI,OAAO,CAAC,WAAW,IAAI,iBAAiB,CAAC;IAChF,OAAO;QACL,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO,IAAI,sBAAsB,CAAC,WAAW,CAAC;QAC9E,WAAW;QACX,SAAS,EAAE,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU;QACjD,MAAM,EAAE,KAAK;KACd,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;;GAIG;AACH,KAAK,UAAU,gBAAgB,CAAC,KAAiB;IAC/C,MAAM,MAAM,GAAI,UAAqD,CAAC,MAAM,EAAE,MAAM,CAAC;IACrF,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,0DAA0D;YACxD,4DAA4D,CAC/D,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC9C,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAC3D,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,sBAAsB,CAAC,WAAmB;IACjD,MAAM,GAAG,GAAG,WAAW,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;IAClG,OAAO,SAAS,GAAG,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,WAAW,CAAC,MAAmB;IACtC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAW,CAAC;QAC/B,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}