@aexhq/sdk 0.30.0 → 0.32.0
- package/README.md +23 -9
- package/dist/_contracts/connection-ticket.d.ts +1 -1
- package/dist/_contracts/connection-ticket.js +1 -1
- package/dist/_contracts/event-envelope.d.ts +5 -8
- package/dist/_contracts/event-envelope.js +5 -6
- package/dist/_contracts/event-stream-client.d.ts +1 -1
- package/dist/_contracts/http.js +1 -1
- package/dist/_contracts/models.d.ts +0 -76
- package/dist/_contracts/models.js +0 -20
- package/dist/_contracts/operations.d.ts +2 -64
- package/dist/_contracts/operations.js +9 -152
- package/dist/_contracts/provider-support.d.ts +48 -138
- package/dist/_contracts/provider-support.js +10 -41
- package/dist/_contracts/proxy-protocol.d.ts +7 -7
- package/dist/_contracts/proxy-protocol.js +8 -8
- package/dist/_contracts/run-config.d.ts +7 -20
- package/dist/_contracts/run-config.js +8 -46
- package/dist/_contracts/run-cost.d.ts +1 -5
- package/dist/_contracts/run-cost.js +0 -8
- package/dist/_contracts/run-custody.d.ts +4 -6
- package/dist/_contracts/run-custody.js +0 -8
- package/dist/_contracts/run-unit.d.ts +1 -1
- package/dist/_contracts/run-unit.js +6 -6
- package/dist/_contracts/runner-event.d.ts +1 -1
- package/dist/_contracts/runner-event.js +1 -1
- package/dist/_contracts/runtime-manifest.d.ts +13 -26
- package/dist/_contracts/runtime-manifest.js +6 -35
- package/dist/_contracts/runtime-types.d.ts +1 -3
- package/dist/_contracts/sdk-secrets.js +4 -4
- package/dist/_contracts/side-effect-audit.d.ts +2 -4
- package/dist/_contracts/side-effect-audit.js +2 -4
- package/dist/_contracts/status.d.ts +1 -1
- package/dist/_contracts/status.js +1 -1
- package/dist/_contracts/submission.d.ts +5 -126
- package/dist/_contracts/submission.js +10 -182
- package/dist/_contracts/webhook-verify.d.ts +1 -1
- package/dist/_contracts/webhook-verify.js +1 -1
- package/dist/asset-upload.d.ts +4 -10
- package/dist/asset-upload.js +4 -47
- package/dist/asset-upload.js.map +1 -1
- package/dist/cli.mjs +27 -231
- package/dist/cli.mjs.sha256 +1 -1
- package/dist/client.d.ts +10 -107
- package/dist/client.js +23 -132
- package/dist/client.js.map +1 -1
- package/dist/index.d.ts +4 -4
- package/dist/index.js +3 -4
- package/dist/index.js.map +1 -1
- package/dist/skill.d.ts +1 -1
- package/dist/skill.js +1 -1
- package/dist/version.d.ts +1 -1
- package/dist/version.js +1 -1
- package/docs/cleanup.md +4 -4
- package/docs/concepts/agent-tools.md +2 -2
- package/docs/concepts/composition.md +1 -1
- package/docs/concepts/providers-and-runtimes.md +2 -4
- package/docs/concepts/runs.md +3 -6
- package/docs/credentials.md +5 -8
- package/docs/defaults.md +22 -22
- package/docs/limits-and-quotas.md +40 -40
- package/docs/limits.md +1 -1
- package/docs/networking.md +2 -2
- package/docs/outputs.md +3 -3
- package/docs/provider-runtime-capabilities.md +37 -65
- package/docs/public-surface.json +4 -5
- package/docs/quickstart.md +19 -6
- package/docs/run-config.md +5 -6
- package/docs/secrets.md +9 -7
- package/docs/skills.md +8 -16
- package/docs/vision-skills.md +3 -3
- package/package.json +2 -2
|
@@ -11,7 +11,7 @@ export type JsonValue = JsonPrimitive | JsonValue[] | {
|
|
|
11
11
|
};
|
|
12
12
|
/**
|
|
13
13
|
* Networking + runtime-package snapshot carried inside a flat submission
|
|
14
|
-
* so the
|
|
14
|
+
* so the hosted API can deep-clone and mutate it per run (e.g. injecting the
|
|
15
15
|
* proxy hostname into `allowed_hosts`) without sharing state across
|
|
16
16
|
* concurrent runs.
|
|
17
17
|
*
|
|
@@ -58,7 +58,7 @@ export declare const ENV_VARS_MAX_VALUE_BYTES = 4096;
|
|
|
58
58
|
export declare const ENV_VARS_MAX_TOTAL_BYTES = 65536;
|
|
59
59
|
export interface PlatformNetworking {
|
|
60
60
|
readonly mode: "limited" | "open";
|
|
61
|
-
/** Lowercase host names. The
|
|
61
|
+
/** Lowercase host names. The hosted API always appends the proxy host. */
|
|
62
62
|
readonly allowedHosts?: readonly string[];
|
|
63
63
|
}
|
|
64
64
|
/**
|
|
@@ -137,60 +137,6 @@ export declare const Providers: {
|
|
|
137
137
|
/** Doubao (ByteDance) via the official China Volcengine Ark gateway. */
|
|
138
138
|
readonly DOUBAO_CN: "doubao-cn";
|
|
139
139
|
};
|
|
140
|
-
/**
|
|
141
|
-
* Product placement regions accepted on run submission. These are
|
|
142
|
-
* product-level tokens, not exact city guarantees: the hosted platform maps
|
|
143
|
-
* each region to co-located managed Postgres, object storage, run-state
|
|
144
|
-
* placement, and sandbox backing.
|
|
145
|
-
*
|
|
146
|
-
* eu-west → London (Western Europe)
|
|
147
|
-
* us-west → N. California (Western North America)
|
|
148
|
-
* ap-northeast → Seoul (Northeast Asia)
|
|
149
|
-
*
|
|
150
|
-
* Prefer the {@link Regions} accessors over raw strings so a typo is a compile
|
|
151
|
-
* error, not a runtime 400.
|
|
152
|
-
*/
|
|
153
|
-
export declare const REGIONS: readonly ["eu-west", "us-west", "ap-northeast"];
|
|
154
|
-
export type Region = (typeof REGIONS)[number];
|
|
155
|
-
/** Symbol-style accessors for the closed region set — e.g. `Regions.EU_WEST`. */
|
|
156
|
-
export declare const Regions: {
|
|
157
|
-
/** Western Europe — London. */
|
|
158
|
-
readonly EU_WEST: "eu-west";
|
|
159
|
-
/** Western North America — N. California. */
|
|
160
|
-
readonly US_WEST: "us-west";
|
|
161
|
-
/** Northeast Asia — Seoul. */
|
|
162
|
-
readonly AP_NORTHEAST: "ap-northeast";
|
|
163
|
-
};
|
|
164
|
-
/**
|
|
165
|
-
* Customer-facing runtime selector. Optional on the wire; absent resolves
|
|
166
|
-
* to the same managed runtime as `"managed"`. `"native"` is no longer an
|
|
167
|
-
* accepted submission value and fails schema validation.
|
|
168
|
-
*/
|
|
169
|
-
export declare const RUNTIME_KINDS: readonly ["managed"];
|
|
170
|
-
export type RuntimeKind = (typeof RUNTIME_KINDS)[number];
|
|
171
|
-
/**
|
|
172
|
-
* Credential source for upstream provider access. Launch accepts only BYOK:
|
|
173
|
-
* callers may omit `credentialMode` or pass `"byok"`. Other strings, including
|
|
174
|
-
* `"managed"`, are invalid submission values rather than reserved product
|
|
175
|
-
* promises.
|
|
176
|
-
*/
|
|
177
|
-
export declare const CREDENTIAL_MODES: readonly ["byok"];
|
|
178
|
-
export type CredentialMode = (typeof CREDENTIAL_MODES)[number];
|
|
179
|
-
export declare const DEFAULT_CREDENTIAL_MODE: CredentialMode;
|
|
180
|
-
export declare function parseCredentialMode(input: unknown): CredentialMode;
|
|
181
|
-
export declare function credentialModeOrDefault(input: CredentialMode | undefined): CredentialMode;
|
|
182
|
-
/** Outcome of the centralized runtime-support check. */
|
|
183
|
-
export interface RuntimeSupportCheck {
|
|
184
|
-
readonly ok: boolean;
|
|
185
|
-
readonly message?: string;
|
|
186
|
-
}
|
|
187
|
-
/**
|
|
188
|
-
* Centralized runtime-support validator. Native is removed from the public
|
|
189
|
-
* runtime enum, so an absent runtime and `"managed"` are the only supported
|
|
190
|
-
* inputs. Schema parsing rejects other runtime strings before this helper is
|
|
191
|
-
* reached, but the result type remains for SDK preflight checks.
|
|
192
|
-
*/
|
|
193
|
-
export declare function checkRuntimeSupported(provider: RunProvider, runtime: RuntimeKind | undefined): RuntimeSupportCheck;
|
|
194
140
|
export interface PlatformMcpServerSecret {
|
|
195
141
|
readonly name: string;
|
|
196
142
|
readonly url: string;
|
|
@@ -230,13 +176,6 @@ export type PlatformProxyAuthValue = {
|
|
|
230
176
|
* driving the MCP client).
|
|
231
177
|
*/
|
|
232
178
|
export interface PlatformInlineSecrets {
|
|
233
|
-
/**
|
|
234
|
-
* Deprecated compatibility field: the BYOK key for the run's selected
|
|
235
|
-
* provider. New multi-provider callers should use `apiKeys`, but the parser
|
|
236
|
-
* still accepts and preserves this flat field so existing SDK/CLI callers
|
|
237
|
-
* continue to work.
|
|
238
|
-
*/
|
|
239
|
-
readonly apiKey?: string;
|
|
240
179
|
readonly apiKeys?: Partial<Record<RunProvider, string>>;
|
|
241
180
|
readonly mcpServers?: readonly PlatformMcpServerSecret[];
|
|
242
181
|
readonly proxyEndpointAuth?: readonly PlatformProxyEndpointAuth[];
|
|
@@ -331,7 +270,7 @@ export declare function optionalPositiveInt(input: unknown, field: string): numb
|
|
|
331
270
|
export declare function optionalPositiveNumber(input: unknown, field: string): number | undefined;
|
|
332
271
|
/**
|
|
333
272
|
* Wire-level submission posted to /api/runs in the flat surface. The
|
|
334
|
-
* `prompt` is always an array internally so the
|
|
273
|
+
* `prompt` is always an array internally so the hosted API, the audit log,
|
|
335
274
|
* and the BFF idempotency hash all see one shape. `mcpServers` carries
|
|
336
275
|
* only the non-secret half; bearer headers travel in
|
|
337
276
|
* `secrets.mcpServers` keyed by `name`.
|
|
@@ -435,30 +374,12 @@ export interface PlatformInjectionConfig {
|
|
|
435
374
|
export interface PlatformRunSubmissionRequest {
|
|
436
375
|
readonly workspaceId: string;
|
|
437
376
|
readonly idempotencyKey: string;
|
|
438
|
-
/**
|
|
439
|
-
* Credential source for upstream provider access. Omitted means
|
|
440
|
-
* `"byok"`; launch does not accept managed provider credentials.
|
|
441
|
-
*/
|
|
442
|
-
readonly credentialMode: CredentialMode;
|
|
443
377
|
/**
|
|
444
378
|
* Provider selector. Always populated after parsing — absent on the
|
|
445
379
|
* wire means {@link DEFAULT_RUN_PROVIDER}. All providers are dispatched
|
|
446
380
|
* through the managed runtime.
|
|
447
381
|
*/
|
|
448
382
|
readonly provider: RunProvider;
|
|
449
|
-
/**
|
|
450
|
-
* Customer's explicit runtime choice. `undefined` and `"managed"` both
|
|
451
|
-
* resolve to the managed runtime. Other runtime values are rejected by
|
|
452
|
-
* `parseRunSubmissionRequest`.
|
|
453
|
-
*/
|
|
454
|
-
readonly runtime?: RuntimeKind;
|
|
455
|
-
/**
|
|
456
|
-
* Optional product placement token requested by the caller. Omitted means
|
|
457
|
-
* the hosted platform infers a configured region from request geography and
|
|
458
|
-
* falls back to its default region. Accepted tokens do not promise exact
|
|
459
|
-
* city-level placement.
|
|
460
|
-
*/
|
|
461
|
-
readonly region?: Region;
|
|
462
383
|
readonly submission: PlatformSubmission;
|
|
463
384
|
readonly secrets: PlatformInlineSecrets;
|
|
464
385
|
readonly proxyEndpoints?: readonly PlatformProxyEndpoint[];
|
|
@@ -545,21 +466,9 @@ export interface RunLimits {
|
|
|
545
466
|
* {@link DEFAULT_RUN_PROVIDER} (`anthropic`). The parser fills it in
|
|
546
467
|
* before the value enters the run snapshot.
|
|
547
468
|
*/
|
|
548
|
-
export type PlatformRunSubmissionInput = Omit<PlatformRunSubmissionRequest, "workspaceId" | "
|
|
469
|
+
export type PlatformRunSubmissionInput = Omit<PlatformRunSubmissionRequest, "workspaceId" | "provider" | "timeoutMs" | "postHook"> & {
|
|
549
470
|
readonly workspaceId?: string;
|
|
550
|
-
readonly credentialMode?: CredentialMode;
|
|
551
471
|
readonly provider?: RunProvider;
|
|
552
|
-
/**
|
|
553
|
-
* Optional runtime selector. Set `"managed"` explicitly or omit the
|
|
554
|
-
* field; both resolve to the managed runtime. `"native"` is no longer
|
|
555
|
-
* accepted.
|
|
556
|
-
*/
|
|
557
|
-
readonly runtime?: RuntimeKind;
|
|
558
|
-
/**
|
|
559
|
-
* Optional product placement region. Invalid explicit values are rejected;
|
|
560
|
-
* omission lets the platform infer/fallback.
|
|
561
|
-
*/
|
|
562
|
-
readonly region?: Region;
|
|
563
472
|
/**
|
|
564
473
|
* Run deadline as a human duration string (`"1h"`, `"90m"`, `"30s"`).
|
|
565
474
|
* Parsed + bounded to [1m, 6h] server-side into
|
|
@@ -592,8 +501,6 @@ export declare function parseRunWebhook(input: unknown): RunWebhookSpec | undefi
|
|
|
592
501
|
* collapses to `undefined` so it carries no signal onto the request.
|
|
593
502
|
*/
|
|
594
503
|
export declare function parseRunLimits(input: unknown): RunLimits | undefined;
|
|
595
|
-
export declare function parseRegion(input: unknown): Region | undefined;
|
|
596
|
-
export declare function parseRuntimeKind(input: unknown): RuntimeKind | undefined;
|
|
597
504
|
export declare function parseRunProvider(input: unknown): RunProvider;
|
|
598
505
|
/**
|
|
599
506
|
* Cross-check the supplied secrets bundle against the credential mode. BYOK
|
|
@@ -607,7 +514,7 @@ export declare function parseRunProvider(input: unknown): RunProvider;
|
|
|
607
514
|
* it need not carry any of its own. The server still verifies, at admission,
|
|
608
515
|
* that the parent actually holds a key for the child's provider.
|
|
609
516
|
*/
|
|
610
|
-
export declare function enforceCredentialSecretPolicy(
|
|
517
|
+
export declare function enforceCredentialSecretPolicy(secrets: PlatformInlineSecrets, provider: RunProvider, opts?: {
|
|
611
518
|
readonly inheritsFromParent?: boolean;
|
|
612
519
|
}): void;
|
|
613
520
|
export declare function parseSubmission(input: unknown): PlatformSubmission;
|
|
@@ -679,31 +586,3 @@ export declare const DEFAULT_BUILTIN_TOOLS: readonly BuiltinToolName[];
|
|
|
679
586
|
* union is validated ⊆ the closed set so an invalid name can never leak through.
|
|
680
587
|
*/
|
|
681
588
|
export declare function resolveBuiltinToolNames(includeBuiltinTools: boolean | undefined, toolRefs?: readonly string[]): readonly BuiltinToolName[];
|
|
682
|
-
/**
|
|
683
|
-
* Codes emitted when a submission contains features the active runtime cannot
|
|
684
|
-
* serve. Code values are stable so dashboard / SDK error rendering can branch
|
|
685
|
-
* on them.
|
|
686
|
-
*/
|
|
687
|
-
export declare const RUNTIME_VALIDATION_CODES: readonly ["feature_runtime_mismatch"];
|
|
688
|
-
export type RuntimeValidationCode = (typeof RUNTIME_VALIDATION_CODES)[number];
|
|
689
|
-
/**
|
|
690
|
-
* Thrown by `parseRunSubmissionRequest` and `selectRuntime` when the submitted
|
|
691
|
-
* run cannot be served by the active managed runtime. The `code` field is part
|
|
692
|
-
* of the public contract; keep it stable when phrasing changes.
|
|
693
|
-
*/
|
|
694
|
-
export declare class RuntimeValidationError extends Error {
|
|
695
|
-
readonly code: RuntimeValidationCode;
|
|
696
|
-
constructor(code: RuntimeValidationCode, message: string);
|
|
697
|
-
}
|
|
698
|
-
/**
|
|
699
|
-
* Walk the parsed submission and collect features that the active managed
|
|
700
|
-
* runtime cannot serve. Provider-hosted skill refs (`kind:"provider"`) are
|
|
701
|
-
* rejected now that new submissions only dispatch through managed runs.
|
|
702
|
-
*/
|
|
703
|
-
export declare function collectManagedUnsupportedFeatures(req: PlatformRunSubmissionRequest): string[];
|
|
704
|
-
/**
|
|
705
|
-
* Backward-incompatible replacement for the old dual-runtime dispatcher. It is
|
|
706
|
-
* kept as a pure helper so SDK, CLI, and tests can resolve the runtime without
|
|
707
|
-
* I/O.
|
|
708
|
-
*/
|
|
709
|
-
export declare function selectRuntime(req: PlatformRunSubmissionRequest): RuntimeKind;
|
|
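Review bot: The doc comment above `enforceCredentialSecretPolicy` still opens with "Cross-check the supplied secrets bundle against the credential mode", yet the new signature is `(secrets, provider, opts?)` and `CredentialMode` is removed in this same section. The comment begins outside the hunk, so only its first and last lines are visible here. Going by the implementation hunk further down the page, its opening should be reworded to something like `Require secrets.apiKeys[provider] unless the run inherits credentials from its parent.` The `PlatformInlineSecrets` comment would also benefit from one line stating that the flat `apiKey` field is gone, because the removed text promised it would keep being accepted.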
@@ -114,65 +114,6 @@ export const Providers = {
|
|
|
114
114
|
/** Doubao (ByteDance) via the official China Volcengine Ark gateway. */
|
|
115
115
|
DOUBAO_CN: "doubao-cn"
|
|
116
116
|
};
|
|
117
|
-
/**
|
|
118
|
-
* Product placement regions accepted on run submission. These are
|
|
119
|
-
* product-level tokens, not exact city guarantees: the hosted platform maps
|
|
120
|
-
* each region to co-located managed Postgres, object storage, run-state
|
|
121
|
-
* placement, and sandbox backing.
|
|
122
|
-
*
|
|
123
|
-
* eu-west → London (Western Europe)
|
|
124
|
-
* us-west → N. California (Western North America)
|
|
125
|
-
* ap-northeast → Seoul (Northeast Asia)
|
|
126
|
-
*
|
|
127
|
-
* Prefer the {@link Regions} accessors over raw strings so a typo is a compile
|
|
128
|
-
* error, not a runtime 400.
|
|
129
|
-
*/
|
|
130
|
-
export const REGIONS = ["eu-west", "us-west", "ap-northeast"];
|
|
131
|
-
/** Symbol-style accessors for the closed region set — e.g. `Regions.EU_WEST`. */
|
|
132
|
-
export const Regions = {
|
|
133
|
-
/** Western Europe — London. */
|
|
134
|
-
EU_WEST: "eu-west",
|
|
135
|
-
/** Western North America — N. California. */
|
|
136
|
-
US_WEST: "us-west",
|
|
137
|
-
/** Northeast Asia — Seoul. */
|
|
138
|
-
AP_NORTHEAST: "ap-northeast"
|
|
139
|
-
};
|
|
140
|
-
/**
|
|
141
|
-
* Customer-facing runtime selector. Optional on the wire; absent resolves
|
|
142
|
-
* to the same managed runtime as `"managed"`. `"native"` is no longer an
|
|
143
|
-
* accepted submission value and fails schema validation.
|
|
144
|
-
*/
|
|
145
|
-
export const RUNTIME_KINDS = ["managed"];
|
|
146
|
-
/**
|
|
147
|
-
* Credential source for upstream provider access. Launch accepts only BYOK:
|
|
148
|
-
* callers may omit `credentialMode` or pass `"byok"`. Other strings, including
|
|
149
|
-
* `"managed"`, are invalid submission values rather than reserved product
|
|
150
|
-
* promises.
|
|
151
|
-
*/
|
|
152
|
-
export const CREDENTIAL_MODES = ["byok"];
|
|
153
|
-
export const DEFAULT_CREDENTIAL_MODE = "byok";
|
|
154
|
-
export function parseCredentialMode(input) {
|
|
155
|
-
if (input === undefined) {
|
|
156
|
-
return DEFAULT_CREDENTIAL_MODE;
|
|
157
|
-
}
|
|
158
|
-
if (typeof input !== "string" || !CREDENTIAL_MODES.includes(input)) {
|
|
159
|
-
throw new Error(`credentialMode must be one of: ${CREDENTIAL_MODES.join(", ")} (got ${JSON.stringify(input)})`);
|
|
160
|
-
}
|
|
161
|
-
return input;
|
|
162
|
-
}
|
|
163
|
-
export function credentialModeOrDefault(input) {
|
|
164
|
-
return input ?? DEFAULT_CREDENTIAL_MODE;
|
|
165
|
-
}
|
|
166
|
-
/**
|
|
167
|
-
* Centralized runtime-support validator. Native is removed from the public
|
|
168
|
-
* runtime enum, so an absent runtime and `"managed"` are the only supported
|
|
169
|
-
* inputs. Schema parsing rejects other runtime strings before this helper is
|
|
170
|
-
* reached, but the result type remains for SDK preflight checks.
|
|
171
|
-
*/
|
|
172
|
-
export function checkRuntimeSupported(provider, runtime) {
|
|
173
|
-
void provider;
|
|
174
|
-
return { ok: true };
|
|
175
|
-
}
|
|
176
117
|
export const SECRETS_KEY = "secrets";
|
|
177
118
|
/** POSIX-style env var name a `secretEnv` entry binds to (e.g. `SERPER_API_KEY`). */
|
|
178
119
|
export const SECRET_ENV_NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]{0,127}$/;
|
|
@@ -239,7 +180,7 @@ function parseEnvironment(input) {
|
|
|
239
180
|
* Validate a customer-supplied `environment.envVars` map. Returns a
|
|
240
181
|
* frozen copy with keys in insertion order, or `undefined` when the
|
|
241
182
|
* input is absent / an empty object (treated as not supplied so the
|
|
242
|
-
*
|
|
183
|
+
* hosted API can omit the field from the parsed snapshot).
|
|
243
184
|
*
|
|
244
185
|
* Rules:
|
|
245
186
|
* - Must be a JSON object whose values are all strings.
|
|
@@ -723,7 +664,7 @@ export function parseInlineSecrets(input) {
|
|
|
723
664
|
if (input === undefined || input === null)
|
|
724
665
|
return {};
|
|
725
666
|
const value = requireRecord(input, "secrets");
|
|
726
|
-
const allowedTopLevel = new Set(["
|
|
667
|
+
const allowedTopLevel = new Set(["apiKeys", "mcpServers", "proxyEndpointAuth", "envSecrets"]);
|
|
727
668
|
for (const key of Object.keys(value)) {
|
|
728
669
|
if (key.startsWith("__aex_")) {
|
|
729
670
|
// Platform-internal namespace (e.g. __aex_proxy_token). The BFF
|
|
@@ -736,13 +677,11 @@ export function parseInlineSecrets(input) {
|
|
|
736
677
|
throw new Error(`secrets.${key} is not an allowed field; permitted: ${[...allowedTopLevel].join(", ")}`);
|
|
737
678
|
}
|
|
738
679
|
}
|
|
739
|
-
const apiKey = value.apiKey !== undefined ? requireString(value.apiKey, "secrets.apiKey") : undefined;
|
|
740
680
|
const apiKeys = parseApiKeys(value.apiKeys);
|
|
741
681
|
const mcpServers = parseMcpServerSecrets(value.mcpServers);
|
|
742
682
|
const proxyEndpointAuth = parseProxyEndpointAuth(value.proxyEndpointAuth);
|
|
743
683
|
const envSecrets = parseEnvSecrets(value.envSecrets);
|
|
744
684
|
return {
|
|
745
|
-
...(apiKey !== undefined ? { apiKey } : {}),
|
|
746
685
|
...(apiKeys ? { apiKeys } : {}),
|
|
747
686
|
...(mcpServers ? { mcpServers } : {}),
|
|
748
687
|
...(proxyEndpointAuth ? { proxyEndpointAuth } : {}),
|
|
@@ -1051,10 +990,7 @@ export function parseRunSubmissionRequest(input, options = {}) {
|
|
|
1051
990
|
const allowedTopLevelFields = new Set([
|
|
1052
991
|
"workspaceId",
|
|
1053
992
|
"idempotencyKey",
|
|
1054
|
-
"credentialMode",
|
|
1055
993
|
"provider",
|
|
1056
|
-
"runtime",
|
|
1057
|
-
"region",
|
|
1058
994
|
"submission",
|
|
1059
995
|
"runtimeSize",
|
|
1060
996
|
"timeout",
|
|
@@ -1083,15 +1019,7 @@ export function parseRunSubmissionRequest(input, options = {}) {
|
|
|
1083
1019
|
assertNoSecretBearingFields(fieldValue, [key]);
|
|
1084
1020
|
}
|
|
1085
1021
|
const provider = parseRunProvider(value.provider);
|
|
1086
|
-
const runtime = parseRuntimeKind(value.runtime);
|
|
1087
|
-
const region = parseRegion(value.region);
|
|
1088
|
-
const credentialMode = parseCredentialMode(value.credentialMode);
|
|
1089
1022
|
void options;
|
|
1090
|
-
// Cross-field validation via the centralized runtime-support validator.
|
|
1091
|
-
const runtimeSupport = checkRuntimeSupported(provider, runtime);
|
|
1092
|
-
if (!runtimeSupport.ok) {
|
|
1093
|
-
throw new Error(runtimeSupport.message ?? "unsupported runtime");
|
|
1094
|
-
}
|
|
1095
1023
|
const runtimeSize = parseRuntimeSize(value.runtimeSize);
|
|
1096
1024
|
const timeoutMs = parseRunTimeout(value.timeout);
|
|
1097
1025
|
// Lineage parent only. `depth` is NEVER accepted from the wire — the server
|
|
@@ -1102,7 +1030,7 @@ export function parseRunSubmissionRequest(input, options = {}) {
|
|
|
1102
1030
|
const postHook = parsePostHook(value.postHook, "submission.postHook");
|
|
1103
1031
|
const proxyEndpoints = parseProxyEndpoints(value.proxyEndpoints);
|
|
1104
1032
|
const secrets = parseInlineSecrets(value.secrets);
|
|
1105
|
-
enforceCredentialSecretPolicy(
|
|
1033
|
+
enforceCredentialSecretPolicy(secrets, provider, {
|
|
1106
1034
|
inheritsFromParent: parentRunId !== undefined
|
|
1107
1035
|
});
|
|
1108
1036
|
crossValidateProxyEndpointsAndAuth(proxyEndpoints, secrets.proxyEndpointAuth);
|
|
@@ -1127,28 +1055,10 @@ export function parseRunSubmissionRequest(input, options = {}) {
|
|
|
1127
1055
|
}
|
|
1128
1056
|
}
|
|
1129
1057
|
}
|
|
1130
|
-
const candidate = {
|
|
1131
|
-
workspaceId: "",
|
|
1132
|
-
idempotencyKey: "",
|
|
1133
|
-
credentialMode,
|
|
1134
|
-
provider,
|
|
1135
|
-
...(runtime ? { runtime } : {}),
|
|
1136
|
-
...(region ? { region } : {}),
|
|
1137
|
-
submission,
|
|
1138
|
-
secrets
|
|
1139
|
-
};
|
|
1140
|
-
const unsupportedManagedFeatures = collectManagedUnsupportedFeatures(candidate);
|
|
1141
|
-
if (unsupportedManagedFeatures.length > 0) {
|
|
1142
|
-
throw new RuntimeValidationError("feature_runtime_mismatch", `The managed runtime does not support these submission features: ` +
|
|
1143
|
-
`${unsupportedManagedFeatures.join(", ")}. Remove them or use inline aex skills.`);
|
|
1144
|
-
}
|
|
1145
1058
|
return {
|
|
1146
1059
|
workspaceId: requireString(value.workspaceId, "workspaceId"),
|
|
1147
1060
|
idempotencyKey: requireString(value.idempotencyKey, "idempotencyKey"),
|
|
1148
|
-
credentialMode,
|
|
1149
1061
|
provider,
|
|
1150
|
-
...(runtime ? { runtime } : {}),
|
|
1151
|
-
...(region ? { region } : {}),
|
|
1152
1062
|
submission,
|
|
1153
1063
|
...(runtimeSize ? { runtimeSize } : {}),
|
|
1154
1064
|
...(timeoutMs !== undefined ? { timeoutMs } : {}),
|
|
@@ -1235,24 +1145,6 @@ export function parseRunLimits(input) {
|
|
|
1235
1145
|
...(maxSpendUsd !== undefined ? { maxSpendUsd } : {})
|
|
1236
1146
|
};
|
|
1237
1147
|
}
|
|
1238
|
-
export function parseRegion(input) {
|
|
1239
|
-
if (input === undefined) {
|
|
1240
|
-
return undefined;
|
|
1241
|
-
}
|
|
1242
|
-
if (typeof input !== "string" || !REGIONS.includes(input)) {
|
|
1243
|
-
throw new Error(`region must be one of: ${REGIONS.join(", ")} (got ${JSON.stringify(input)})`);
|
|
1244
|
-
}
|
|
1245
|
-
return input;
|
|
1246
|
-
}
|
|
1247
|
-
export function parseRuntimeKind(input) {
|
|
1248
|
-
if (input === undefined) {
|
|
1249
|
-
return undefined;
|
|
1250
|
-
}
|
|
1251
|
-
if (typeof input !== "string" || !RUNTIME_KINDS.includes(input)) {
|
|
1252
|
-
throw new Error(`runtime must be one of: ${RUNTIME_KINDS.join(", ")} (got ${JSON.stringify(input)})`);
|
|
1253
|
-
}
|
|
1254
|
-
return input;
|
|
1255
|
-
}
|
|
1256
1148
|
export function parseRunProvider(input) {
|
|
1257
1149
|
if (input === undefined) {
|
|
1258
1150
|
return DEFAULT_RUN_PROVIDER;
|
|
@@ -1274,12 +1166,11 @@ export function parseRunProvider(input) {
|
|
|
1274
1166
|
* it need not carry any of its own. The server still verifies, at admission,
|
|
1275
1167
|
* that the parent actually holds a key for the child's provider.
|
|
1276
1168
|
*/
|
|
1277
|
-
export function enforceCredentialSecretPolicy(
|
|
1278
|
-
void credentialMode;
|
|
1169
|
+
export function enforceCredentialSecretPolicy(secrets, provider, opts) {
|
|
1279
1170
|
if (opts?.inheritsFromParent)
|
|
1280
1171
|
return;
|
|
1281
|
-
if (!
|
|
1282
|
-
throw new Error(`secrets.
|
|
1172
|
+
if (!secrets.apiKeys?.[provider]) {
|
|
1173
|
+
throw new Error(`secrets.apiKeys["${provider}"] is required`);
|
|
1283
1174
|
}
|
|
1284
1175
|
}
|
|
1285
1176
|
export function parseSubmission(input) {
|
|
@@ -1509,7 +1400,7 @@ function parseIncludeBuiltinTools(input) {
|
|
|
1509
1400
|
* plus a generous margin for legitimate multi-root use cases (per-tool
|
|
1510
1401
|
* output directory + scratch state + logs, repeated across a few
|
|
1511
1402
|
* subdirectories), without inviting abuse of the synthetic-turn path
|
|
1512
|
-
* the
|
|
1403
|
+
* the platform capture path drives at session terminal.
|
|
1513
1404
|
*/
|
|
1514
1405
|
const MAX_OUTPUT_DIRS = 32;
|
|
1515
1406
|
/**
|
|
@@ -1708,23 +1599,13 @@ function parseSkills(input) {
|
|
|
1708
1599
|
if (!Array.isArray(input)) {
|
|
1709
1600
|
throw new Error("submission.skills must be an array of SkillRef objects");
|
|
1710
1601
|
}
|
|
1711
|
-
const seenProvider = new Set();
|
|
1712
1602
|
const seenAssetId = new Set();
|
|
1713
1603
|
return input.map((item, index) => {
|
|
1714
1604
|
const ref = parseSkillRef(item, `submission.skills[${index}]`);
|
|
1715
|
-
if (ref.
|
|
1716
|
-
|
|
1717
|
-
if (seenProvider.has(key)) {
|
|
1718
|
-
throw new Error(`submission.skills duplicate provider skill: ${ref.vendor}:${ref.skillId}${ref.version ? `:${ref.version}` : ""}`);
|
|
1719
|
-
}
|
|
1720
|
-
seenProvider.add(key);
|
|
1721
|
-
}
|
|
1722
|
-
else if (ref.kind === "asset") {
|
|
1723
|
-
if (seenAssetId.has(ref.assetId)) {
|
|
1724
|
-
throw new Error(`submission.skills duplicate assetId: ${ref.assetId}`);
|
|
1725
|
-
}
|
|
1726
|
-
seenAssetId.add(ref.assetId);
|
|
1605
|
+
if (seenAssetId.has(ref.assetId)) {
|
|
1606
|
+
throw new Error(`submission.skills duplicate assetId: ${ref.assetId}`);
|
|
1727
1607
|
}
|
|
1608
|
+
seenAssetId.add(ref.assetId);
|
|
1728
1609
|
return ref;
|
|
1729
1610
|
});
|
|
1730
1611
|
}
|
|
@@ -1879,57 +1760,4 @@ function parseMcpServers(input) {
|
|
|
1879
1760
|
return ref;
|
|
1880
1761
|
});
|
|
1881
1762
|
}
|
|
1882
|
-
// ===========================================================================
|
|
1883
|
-
// Runtime dispatcher
|
|
1884
|
-
// ===========================================================================
|
|
1885
|
-
/**
|
|
1886
|
-
* Codes emitted when a submission contains features the active runtime cannot
|
|
1887
|
-
* serve. Code values are stable so dashboard / SDK error rendering can branch
|
|
1888
|
-
* on them.
|
|
1889
|
-
*/
|
|
1890
|
-
export const RUNTIME_VALIDATION_CODES = [
|
|
1891
|
-
"feature_runtime_mismatch"
|
|
1892
|
-
];
|
|
1893
|
-
/**
|
|
1894
|
-
* Thrown by `parseRunSubmissionRequest` and `selectRuntime` when the submitted
|
|
1895
|
-
* run cannot be served by the active managed runtime. The `code` field is part
|
|
1896
|
-
* of the public contract; keep it stable when phrasing changes.
|
|
1897
|
-
*/
|
|
1898
|
-
export class RuntimeValidationError extends Error {
|
|
1899
|
-
code;
|
|
1900
|
-
constructor(code, message) {
|
|
1901
|
-
super(message);
|
|
1902
|
-
this.name = "RuntimeValidationError";
|
|
1903
|
-
this.code = code;
|
|
1904
|
-
}
|
|
1905
|
-
}
|
|
1906
|
-
/**
|
|
1907
|
-
* Walk the parsed submission and collect features that the active managed
|
|
1908
|
-
* runtime cannot serve. Provider-hosted skill refs (`kind:"provider"`) are
|
|
1909
|
-
* rejected now that new submissions only dispatch through managed runs.
|
|
1910
|
-
*/
|
|
1911
|
-
export function collectManagedUnsupportedFeatures(req) {
|
|
1912
|
-
const features = [];
|
|
1913
|
-
for (const skill of req.submission.skills) {
|
|
1914
|
-
if (skill.kind === "provider") {
|
|
1915
|
-
const versionSuffix = skill.version ? `@${skill.version}` : "";
|
|
1916
|
-
features.push(`provider skill "${skill.vendor}/${skill.skillId}${versionSuffix}" (kind:"provider")`);
|
|
1917
|
-
}
|
|
1918
|
-
}
|
|
1919
|
-
return features;
|
|
1920
|
-
}
|
|
1921
|
-
/**
|
|
1922
|
-
* Backward-incompatible replacement for the old dual-runtime dispatcher. It is
|
|
1923
|
-
* kept as a pure helper so SDK, CLI, and tests can resolve the runtime without
|
|
1924
|
-
* I/O.
|
|
1925
|
-
*/
|
|
1926
|
-
export function selectRuntime(req) {
|
|
1927
|
-
const unsupported = collectManagedUnsupportedFeatures(req);
|
|
1928
|
-
if (unsupported.length > 0) {
|
|
1929
|
-
throw new RuntimeValidationError("feature_runtime_mismatch", `The managed runtime does not support these submission features: ` +
|
|
1930
|
-
`${unsupported.join(", ")}. Remove them or use inline aex skills.`);
|
|
1931
|
-
}
|
|
1932
|
-
void req;
|
|
1933
|
-
return "managed";
|
|
1934
|
-
}
|
|
1935
1763
|
//# sourceMappingURL=submission.js.map
|
|
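Review bot: In the `parseSkills` hunk the duplicate check now runs for every ref, because the `ref.kind === "asset"` guard was removed together with the provider branch. `parseSkillRef` is defined outside this hunk, so it is unconfirmed whether it can still return a ref with no `assetId`; if it can, the second such entry would be rejected as `duplicate assetId: undefined`. Keeping the guard as `if (ref.kind === "asset") {` around the `seenAssetId` lines, or skipping the check when `ref.assetId === undefined`, avoids that. If every ref is now guaranteed to be an asset, a short comment saying so would make the unconditional check self-explanatory.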
@@ -12,7 +12,7 @@
|
|
|
12
12
|
* the HMAC key is the raw bytes after the `whsec_` prefix. Verification accepts
|
|
13
13
|
* the secret with or without the prefix.
|
|
14
14
|
*
|
|
15
|
-
* Pure Web Crypto — identical under Bun
|
|
15
|
+
* Pure Web Crypto — identical under Bun and Node; this mirrors the
|
|
16
16
|
* `standardwebhooks` library so a customer can verify with either.
|
|
17
17
|
*/
|
|
18
18
|
export interface VerifyAexWebhookInput {
|
|
@@ -12,7 +12,7 @@
|
|
|
12
12
|
* the HMAC key is the raw bytes after the `whsec_` prefix. Verification accepts
|
|
13
13
|
* the secret with or without the prefix.
|
|
14
14
|
*
|
|
15
|
-
* Pure Web Crypto — identical under Bun
|
|
15
|
+
* Pure Web Crypto — identical under Bun and Node; this mirrors the
|
|
16
16
|
* `standardwebhooks` library so a customer can verify with either.
|
|
17
17
|
*/
|
|
18
18
|
const encoder = new TextEncoder();
|
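--- a/package/dist/asset-upload.d.ts
+++ b/package/dist/asset-upload.d.ts
@@ -11,18 +11,13 @@
 *
 * 1. POST /assets/presign → { exists } | { uploadUrl, requiredHeaders }
 * - `exists:true` is a dedup hit; we're done.
-* - otherwise the
+* - otherwise the hosted API mints a presigned PUT scoped to the exact
 * content-addressed key and signs `x-amz-checksum-sha256` so the object
 * store enforces integrity server-side.
 * 2. PUT the bytes straight to `uploadUrl` with `requiredHeaders` (the signed
 * checksum). The store rejects a byte mismatch — a 2xx proves bytes == hash.
 * 3. POST /assets/finalize → confirms the object exists (HEAD only).
 *
-* Fallback: when the hosted API has no object-store upload credentials it
-* answers presign with 503 `presign_unconfigured`; we POST the bytes to the
-* buffered `/assets`
-* path (small bundles only). The runner re-verifies the hash on download in
-* every case.
 */
 /**
 * Subset of `HttpClient` needed by the asset uploader. Defined as a
@@ -56,11 +51,10 @@ export interface UploadedAsset {
 }
 /**
 * Upload `bytes` to the hosted API's content-addressable asset store via the
-* direct-to-storage presign flow
-* when the hosted API has no object-store upload credentials.
+* direct-to-storage presign flow.
 *
 * Verifies the advisory hash matches the bytes BEFORE sending so a mismatch
-* fails fast on the client.
-* runner re-checks on download.
+* fails fast on the client. Object storage re-verifies via the signed checksum,
+* and the runner re-checks on download.
 */
 export declare function uploadAsset(args: UploadAssetArgs): Promise<UploadedAsset>;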
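--- a/package/dist/asset-upload.js
+++ b/package/dist/asset-upload.js
@@ -11,27 +11,21 @@
 *
 * 1. POST /assets/presign → { exists } | { uploadUrl, requiredHeaders }
 * - `exists:true` is a dedup hit; we're done.
-* - otherwise the
+* - otherwise the hosted API mints a presigned PUT scoped to the exact
 * content-addressed key and signs `x-amz-checksum-sha256` so the object
 * store enforces integrity server-side.
 * 2. PUT the bytes straight to `uploadUrl` with `requiredHeaders` (the signed
 * checksum). The store rejects a byte mismatch — a 2xx proves bytes == hash.
 * 3. POST /assets/finalize → confirms the object exists (HEAD only).
 *
-* Fallback: when the hosted API has no object-store upload credentials it
-* answers presign with 503 `presign_unconfigured`; we POST the bytes to the
-* buffered `/assets`
-* path (small bundles only). The runner re-verifies the hash on download in
-* every case.
 */
 /**
 * Upload `bytes` to the hosted API's content-addressable asset store via the
-* direct-to-storage presign flow
-* when the hosted API has no object-store upload credentials.
+* direct-to-storage presign flow.
 *
 * Verifies the advisory hash matches the bytes BEFORE sending so a mismatch
-* fails fast on the client.
-* runner re-checks on download.
+* fails fast on the client. Object storage re-verifies via the signed checksum,
+* and the runner re-checks on download.
 */
 export async function uploadAsset(args) {
 const expected = args.hash.startsWith("sha256:") ? args.hash.slice("sha256:".length) : args.hash;
@@ -51,10 +45,6 @@ export async function uploadAsset(args) {
 });
 }
 catch (err) {
-// 503 presign_unconfigured → fall back to the buffered upload path.
-if (isPresignUnconfigured(err)) {
-return uploadAssetBuffered(args, actual);
-}
 throw err;
 }
 // Dedup hit — identical bytes already vaulted under this workspace.
@@ -100,39 +90,6 @@ export async function uploadAsset(args) {
 exists: false
 };
 }
-/** Detect the 503 `presign_unconfigured` rejection, regardless of error class. */
-function isPresignUnconfigured(err) {
-if (!err || typeof err !== "object")
-return false;
-const e = err;
-if (e.status !== 503)
-return false;
-const detailCode = e.details?.code;
-return e.code === "presign_unconfigured" || detailCode === "presign_unconfigured";
-}
-/**
-* Fallback: POST the bytes to the buffered `/assets` endpoint. Used only when
-* the hosted API has no object-store upload credentials (presign 503). Subject to the API's
-* payload limit, so suitable for small bundles only.
-*/
-async function uploadAssetBuffered(args, actualHex) {
-const body = await args.http.request("/assets", {
-method: "POST",
-headers: {
-"content-type": args.contentType ?? "application/zip",
-"content-length": String(args.bytes.byteLength),
-"x-asset-hash": `sha256:${actualHex}`
-},
-body: args.bytes
-});
-const contentHash = body.contentHash ?? body.hash ?? `sha256:${actualHex}`;
-return {
-assetId: body.assetId ?? assetIdFromContentHash(contentHash),
-contentHash,
-sizeBytes: body.sizeBytes,
-exists: body.exists
-};
-}
 // ---------------------------------------------------------------------------
 // Internal helpers
 // ---------------------------------------------------------------------------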
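Review bot: The `catch (err)` block left at new lines 47–49 only runs `throw err;`, so the `try`/`catch` around the presign request is now a no-op and can be dropped, or the handler should wrap the failure in an error that names the presign step. With the buffered `/assets` fallback removed, a 503 `presign_unconfigured` response (if the hosted API still returns one) reaches the caller as-is, and the file header comment no longer mentions that case; a line such as `* Presign failures, including 503 presign_unconfigured, are rethrown; there is no buffered fallback.` would document it. The `try` opens above this hunk and `uploadAsset` continues past it, so the request call itself is not visible here. This file is compiled output, so the edit belongs in `src/asset-upload.ts`, which the source map names as its origin.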
package/dist/asset-upload.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"asset-upload.js","sourceRoot":"","sources":["../src/asset-upload.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"asset-upload.js","sourceRoot":"","sources":["../src/asset-upload.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAoCH;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAqB;IACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;IACjG,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CACb,2DAA2D,MAAM,GAAG;YAClE,uBAAuB,IAAI,CAAC,IAAI,+CAA+C,CAClF,CAAC;IACJ,CAAC;IACD,MAAM,iBAAiB,GAAG,UAAU,MAAM,EAAE,CAAC;IAE7C,4CAA4C;IAC5C,IAAI,OAUS,CAAC;IACd,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAA8B,iBAAiB,EAAE;YAChF,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,iBAAiB,EAAE,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;SACpF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,oEAAoE;IACpE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,iBAAiB,CAAC;QAC7D,OAAO;YACL,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,sBAAsB,CAAC,WAAW,CAAC;YAC/D,WAAW;YACX,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU;YACrD,MAAM,EAAE,IAAI;SACb,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IAED,+FAA+F;IAC/F,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,IAAK,UAAU,CAAC,KAA+B,CAAC;IAC1E,MAAM,UAAU,GAA2B;QACzC,cAAc,EAAE,IAAI,CAAC,WAAW,IAAI,iBAAiB;QACrD,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,CAAC;KACnC,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE;QAC9C,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,UAAU;QACnB,IAAI,EAAE,IAAI,CAAC,KAAK;KACjB,CAAC,CAAC;IACH,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,KAAK,CACb,qDAAqD,MAAM,CAAC,MAAM,EAAE;YAClE,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAC9C,CAAC;IACJ,CAAC;IAED,yEAA
yE;IACzE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAKhC,kBAAkB,EAAE;QACrB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,iBAAiB,EAAE,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;KACpF,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW,IAAI,OAAO,CAAC,WAAW,IAAI,iBAAiB,CAAC;IAChF,OAAO;QACL,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO,IAAI,sBAAsB,CAAC,WAAW,CAAC;QAC9E,WAAW;QACX,SAAS,EAAE,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU;QACjD,MAAM,EAAE,KAAK;KACd,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;;GAIG;AACH,KAAK,UAAU,gBAAgB,CAAC,KAAiB;IAC/C,MAAM,MAAM,GAAI,UAAqD,CAAC,MAAM,EAAE,MAAM,CAAC;IACrF,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,0DAA0D;YACxD,4DAA4D,CAC/D,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC9C,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAC3D,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,sBAAsB,CAAC,WAAmB;IACjD,MAAM,GAAG,GAAG,WAAW,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;IAClG,OAAO,SAAS,GAAG,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,WAAW,CAAC,MAAmB;IACtC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAW,CAAC;QAC/B,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
|