@agent-native/core 0.12.22 → 0.12.24

package/dist/extensions/html-shell.js.map

@@ -1 +1 @@
-{"version":3,"file":"html-shell.js","sourceRoot":"","sources":["../../src/extensions/html-shell.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,oBAAoB,GAC/B,2YAA2Y,CAAC;AAE9Y,MAAM,CAAC,MAAM,yBAAyB,GAAG,oBAAoB,CAAC,OAAO,CACnE,8BAA8B,EAC9B,EAAE,CACH,CAAC;AAwDF,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,SAAiB,EACjB,MAAe,EACf,WAAoB,EACpB,OAAgC;IAEhC,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IAC1D,MAAM,eAAe,GAAG,mBAAmB,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAChC,OAAO,IAAI;QACT,WAAW,EAAE,EAAE;QACf,WAAW,EAAE,EAAE;QACf,QAAQ,EAAE,IAAI;QACd,IAAI,EAAE,OAAO;KACd,CACF,CAAC;IAEF,OAAO;iBACQ,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE;;;;wDAIU,yBAAyB;IAC7E,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,uDAAuD,mBAAmB,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA8ElI,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAmPK,eAAe;8BACV,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QA0NjC,WAAW,CAAC,CAAC,CAAC,uBAAuB,eAAe,mBAAmB,eAAe,GAAG,CAAC,CAAC,CAAC,EAAE;GACnG,OAAO;;;;;;;;;;SAUD,CAAC;AACV,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa;IACxC,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAC3B,CAAC","sourcesContent":["export const EXTENSION_IFRAME_CSP =\n  \"default-src 'none'; script-src 'self' https://cdn.jsdelivr.net 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com; font-src https://fonts.gstatic.com; connect-src 'self'; img-src 'self' data: blob:; media-src 'self' data: blob:; frame-src 'none'; object-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'self';\";\n\nexport const EXTENSION_IFRAME_META_CSP = EXTENSION_IFRAME_CSP.replace(\n  /\\s*frame-ancestors 'self';?$/,\n  \"\",\n);\n\n/**\n * SECURITY — EXTENSION CONTENT IS UNTRUSTED.\n *\n * `${content}` (line ~Body) interpolates raw HTML/JS authored by a user. This\n * file is the boundary between framework-controlled HTML and user-controlled\n * HTML. Two non-negotiable invariants for every change here:\n *\n *   1. The iframe MUST be rendered with a `sandbox` attribute that does NOT\n *      include `allow-same-origin`. The viewer (`ExtensionViewer.tsx`,\n *      `EmbeddedExtension.tsx`) sets `sandbox=\"allow-scripts allow-forms\"` —\n *      and that is the only acceptable shape. Adding `allow-same-origin`\n *      would give the extension full DOM access to the parent window via\n *      cross-frame script.\n *\n *   2. Every reachable parent action must treat the postMessage payload as\n *      hostile. The bridge in `iframe-bridge.ts` enforces a path allowlist,\n *      header sanitization, and method allowlist; do not relax those gates\n *      for \"convenience\" in this file or any caller.\n *\n * For the trust model rationale, see audit 05-tools-sandbox.md (C1) and the\n * `extensions` skill. When in doubt, fail closed.\n *\n * BACKWARDS COMPAT — the iframe injects helpers under both their canonical\n * `extension*` names (`extensionFetch`, `extensionData`, `extensionId`,\n * `extensionBinding`) AND legacy `tool*` aliases (`toolFetch`, `toolData`,\n * `toolId`, `toolBinding`) so existing user-authored extension bodies that\n * pre-date the rename keep working. Same for layout opt-ins:\n * `data-extension-layout=\"full-bleed\"` / `data-extension-padding=\"none\"` /\n * class `agent-native-extension-bleed` / CSS var\n * `--agent-native-extension-padding` are canonical; the `data-tool-*`,\n * `agent-native-tool-bleed`, and `--agent-native-tool-padding` variants are\n * accepted as aliases.\n */\n\nexport interface ExtensionRenderBinding {\n  /** Email of the user who authored / owns the extension. */\n  authorEmail: string;\n  /** Email of the user currently viewing/running the extension. */\n  viewerEmail: string;\n  /** True when viewer === author. */\n  isAuthor: boolean;\n  /**\n   * Resolved role for the viewer (\"owner\" | \"admin\" | \"editor\" | \"viewer\").\n   *\n   * TODO(security, audit H4): the host-side bridge does not yet gate any\n   * helper based on this value — every viewer gets the same powers as the\n   * author. The role is plumbed through so a follow-up PR can constrain\n   * `appAction` / `dbExec` / `extensionFetch` for non-author viewers (and\n   * eventually require an explicit consent step before running a shared\n   * extension, audit C1). For now this is metadata only.\n   */\n  role: \"owner\" | \"admin\" | \"editor\" | \"viewer\";\n}\n\nexport function buildExtensionHtml(\n  content: string,\n  themeVars: string,\n  isDark: boolean,\n  extensionId?: string,\n  binding?: ExtensionRenderBinding,\n): string {\n  const extensionIdJson = JSON.stringify(extensionId ?? \"\");\n  const extensionIdAttr = escapeHtmlAttribute(extensionId ?? \"\");\n  const bindingJson = JSON.stringify(\n    binding ?? {\n      authorEmail: \"\",\n      viewerEmail: \"\",\n      isAuthor: true,\n      role: \"owner\",\n    },\n  );\n\n  return `<!DOCTYPE html>\n<html lang=\"en\"${isDark ? ' class=\"dark\"' : \"\"}>\n<head>\n  <meta charset=\"utf-8\" />\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />\n  <meta http-equiv=\"Content-Security-Policy\" content=\"${EXTENSION_IFRAME_META_CSP}\" />\n  ${binding && !binding.isAuthor ? `<meta name=\"agent-native-extension-author\" content=\"${escapeHtmlAttribute(binding.authorEmail)}\" />` : \"\"}\n  <link rel=\"preconnect\" href=\"https://fonts.googleapis.com\" />\n  <link rel=\"preconnect\" href=\"https://fonts.gstatic.com\" crossorigin />\n  <link href=\"https://fonts.googleapis.com/css2?family=Inter:wght@300..700&display=swap\" rel=\"stylesheet\" />\n  <script>\n    var _extensionErrors = [];\n    var _extensionErrorDetails = [];\n    var _consoleLogs = [];\n    var _networkLogs = [];\n\n    var _origConsole = { log: console.log, warn: console.warn, error: console.error, info: console.info };\n    function _wrapConsole(level, orig) {\n      return function() {\n        var args = Array.prototype.slice.call(arguments);\n        var msg = args.map(function(a) {\n          try { return typeof a === 'object' ? JSON.stringify(a) : String(a); }\n          catch(e) { return String(a); }\n        }).join(' ');\n        if (_consoleLogs.length >= 50) _consoleLogs.shift();\n        _consoleLogs.push({ level: level, message: msg });\n        orig.apply(console, arguments);\n      };\n    }\n    console.log = _wrapConsole('log', _origConsole.log);\n    console.warn = _wrapConsole('warn', _origConsole.warn);\n    console.error = _wrapConsole('error', _origConsole.error);\n    console.info = _wrapConsole('info', _origConsole.info);\n\n    function _collectError(message, stack) {\n      if (!message) return;\n      if (message === 'Script error.' || message === 'Script error') message = 'Runtime error';\n      if (_extensionErrors.indexOf(message) !== -1) return;\n      _extensionErrors.push(message);\n      _extensionErrorDetails.push({ message: message, stack: stack || '' });\n      var toast = document.getElementById('__extension-error-toast');\n      if (!toast) return;\n      var msg = document.getElementById('__extension-error-msg');\n      if (_extensionErrors.length === 1) {\n        msg.textContent = _extensionErrors[0];\n      } else {\n        msg.textContent = _extensionErrors.length + ' errors — ' + _extensionErrors[_extensionErrors.length - 1];\n      }\n      toast.style.display = 'block';\n    }\n\n    window.addEventListener('error', function(event) {\n      var msg = event.message || '';\n      if (msg.indexOf('Alpine Expression Error') === 0) return;\n      var stack = event.error && event.error.stack ? event.error.stack : '';\n      _collectError(msg, stack);\n    });\n\n    window.addEventListener('unhandledrejection', function(event) {\n      var msg = event.reason && event.reason.message ? event.reason.message : String(event.reason);\n      var stack = event.reason && event.reason.stack ? event.reason.stack : '';\n      _collectError(msg, stack);\n    });\n  </script>\n  <!--\n    SECURITY: pinned to exact patch versions + SRI integrity hashes. A\n    malicious republish of @tailwindcss/browser@4.x or alpinejs@3.x would\n    otherwise inject code into every extension. To bump these versions:\n      1. npm view @tailwindcss/browser version  (or alpinejs)\n      2. curl -sL https://cdn.jsdelivr.net/npm/@tailwindcss/browser@<v> \\\\\n         | openssl dgst -sha384 -binary | openssl base64 -A\n      3. Update the URL + integrity hash below in lockstep.\n  -->\n  <script\n    src=\"https://cdn.jsdelivr.net/npm/@tailwindcss/browser@4.2.4\"\n    integrity=\"sha384-yNSZBFvuOWcmww494a9+1zNuvgUGEXoWkein7cxP8wHUTi3iXCU4vJ7hr3tzBCml\"\n    crossorigin=\"anonymous\"\n  ></script>\n  <script\n    defer\n    src=\"https://cdn.jsdelivr.net/npm/alpinejs@3.15.11/dist/cdn.min.js\"\n    integrity=\"sha384-WPtu0YHhJ3arcykfnv1JgUffWDSKRnqnDeTpJUbOc2os2moEmLkIdaeR0trPN4be\"\n    crossorigin=\"anonymous\"\n  ></script>\n  <style>${themeVars}</style>\n  <style type=\"text/tailwindcss\">\n    @custom-variant dark (&:where(.dark, .dark *));\n    @theme {\n      --color-border: hsl(var(--border));\n      --color-input: hsl(var(--input));\n      --color-ring: hsl(var(--ring));\n      --color-background: hsl(var(--background));\n      --color-foreground: hsl(var(--foreground));\n      --color-primary: hsl(var(--primary));\n      --color-primary-foreground: hsl(var(--primary-foreground));\n      --color-secondary: hsl(var(--secondary));\n      --color-secondary-foreground: hsl(var(--secondary-foreground));\n      --color-destructive: hsl(var(--destructive));\n      --color-destructive-foreground: hsl(var(--destructive-foreground));\n      --color-muted: hsl(var(--muted));\n      --color-muted-foreground: hsl(var(--muted-foreground));\n      --color-accent: hsl(var(--accent));\n      --color-accent-foreground: hsl(var(--accent-foreground));\n      --color-popover: hsl(var(--popover));\n      --color-popover-foreground: hsl(var(--popover-foreground));\n      --color-card: hsl(var(--card));\n      --color-card-foreground: hsl(var(--card-foreground));\n      --color-sidebar: hsl(var(--sidebar-background));\n      --color-sidebar-foreground: hsl(var(--sidebar-foreground));\n      --color-sidebar-primary: hsl(var(--sidebar-primary));\n      --color-sidebar-primary-foreground: hsl(var(--sidebar-primary-foreground));\n      --color-sidebar-accent: hsl(var(--sidebar-accent));\n      --color-sidebar-accent-foreground: hsl(var(--sidebar-accent-foreground));\n      --color-sidebar-border: hsl(var(--sidebar-border));\n      --color-sidebar-ring: hsl(var(--sidebar-ring));\n      --radius-lg: var(--radius);\n      --radius-md: calc(var(--radius) - 2px);\n      --radius-sm: calc(var(--radius) - 4px);\n    }\n  </style>\n\t  <style>\n\t    *, *::before, *::after { border-color: hsl(var(--border)); }\n\t    body {\n\t      --agent-native-extension-padding: clamp(16px, 2vw, 24px);\n\t      /* Legacy alias for pre-rename extension content (do not remove). */\n\t      --agent-native-tool-padding: var(--agent-native-extension-padding);\n\t      box-sizing: border-box;\n\t      font-family: 'Inter', sans-serif;\n\t      margin: 0;\n\t      min-height: 100vh;\n\t      padding: var(--agent-native-extension-padding);\n\t    }\n\t    body:has(> [data-extension-layout=\"full-bleed\"]),\n\t    body:has(> [data-extension-padding=\"none\"]),\n\t    body:has(> .agent-native-extension-bleed),\n\t    /* Legacy aliases (do not remove). */\n\t    body:has(> [data-tool-layout=\"full-bleed\"]),\n\t    body:has(> [data-tool-padding=\"none\"]),\n\t    body:has(> .agent-native-tool-bleed) {\n\t      padding: 0;\n\t    }\n\t  </style>\n\t  <script>\n\t    var _extensionRequestSeq = 0;\n\t    var _extensionPendingRequests = {};\n\n\t    window.addEventListener('message', function(event) {\n\t      if (event.source !== window.parent) return;\n\t      var message = event.data || {};\n\t      if (\n\t        message.type !== 'agent-native-extension-response' &&\n\t        message.type !== 'agent-native-tool-response'\n\t      ) return;\n\t      var pending = _extensionPendingRequests[message.requestId];\n\t      if (!pending) return;\n\t      delete _extensionPendingRequests[message.requestId];\n\t      if (message.error) {\n\t        pending.reject(new Error(message.error));\n\t      } else {\n\t        pending.resolve(message.response);\n\t      }\n\t    });\n\n\t    function hostRequest(path, options) {\n\t      options = options || {};\n\t      return new Promise(function(resolve, reject) {\n\t        var requestId = 'extension-req-' + (++_extensionRequestSeq);\n\t        _extensionPendingRequests[requestId] = { resolve: resolve, reject: reject };\n\t        window.parent.postMessage({\n\t          type: 'agent-native-extension-request',\n\t          requestId: requestId,\n\t          path: path,\n\t          options: {\n\t            method: options.method || 'GET',\n\t            headers: options.headers || {},\n\t            body: options.body,\n\t          },\n\t        }, '*');\n\t        setTimeout(function() {\n\t          var pending = _extensionPendingRequests[requestId];\n\t          if (!pending) return;\n\t          delete _extensionPendingRequests[requestId];\n\t          pending.reject(new Error('Extension host request timed out'));\n\t        }, 30000);\n\t      });\n\t    }\n\n\t    var _origHostRequest = hostRequest;\n\t    hostRequest = function(path, options) {\n\t      var entry = { path: path, method: (options && options.method) || 'GET' };\n\t      return _origHostRequest(path, options).then(function(res) {\n\t        entry.ok = res.ok;\n\t        entry.status = res.status;\n\t        if (!res.ok && res.body) {\n\t          try { entry.error = typeof res.body === 'string' ? res.body.slice(0, 200) : JSON.stringify(res.body).slice(0, 200); } catch(e) {}\n\t        }\n\t        if (_networkLogs.length >= 20) _networkLogs.shift();\n\t        _networkLogs.push(entry);\n\t        return res;\n\t      }, function(err) {\n\t        entry.ok = false;\n\t        entry.error = err.message;\n\t        if (_networkLogs.length >= 20) _networkLogs.shift();\n\t        _networkLogs.push(entry);\n\t        throw err;\n\t      });\n\t    };\n\n\t    function extensionFetch(url, options) {\n\t      var opts = options || {};\n\t      return hostRequest('/_agent-native/extensions/proxy', {\n\t        method: 'POST',\n\t        headers: { 'Content-Type': 'application/json' },\n\t        body: JSON.stringify({\n\t          url: url,\n          method: opts.method || 'GET',\n          headers: opts.headers,\n          body: opts.body,\n        }),\n\t      }).then(function(res) {\n\t        var data = res.body;\n\t          if (data.error && data.status === undefined) {\n\t            throw new Error(data.error);\n\t          }\n          return {\n            ok: data.status >= 200 && data.status < 300,\n            status: data.status,\n\t            json: function() { return Promise.resolve(data.body); },\n\t            text: function() { return Promise.resolve(typeof data.body === 'string' ? data.body : JSON.stringify(data.body)); },\n\t          };\n\t      });\n\t    }\n\n\t    function _appendActionQuery(path, params) {\n\t      var search = new URLSearchParams();\n\t      params = params || {};\n\t      Object.keys(params).forEach(function(key) {\n\t        var value = params[key];\n\t        if (value === undefined || value === null) return;\n\t        if (Array.isArray(value)) {\n\t          value.forEach(function(item) {\n\t            if (item !== undefined && item !== null) {\n\t              search.append(key, String(item));\n\t            }\n\t          });\n\t          return;\n\t        }\n\t        search.set(key, String(value));\n\t      });\n\t      var qs = search.toString();\n\t      return qs ? path + '?' + qs : path;\n\t    }\n\n\t    function _methodHintFromActionResponse(res) {\n\t      if (!res || res.status !== 405) return null;\n\t      var body = res.body || {};\n\t      var message = typeof body === 'string' ? body : body.error;\n\t      if (!message) return null;\n\t      var match = String(message).match(/Use (GET|POST|PUT|PATCH|DELETE|HEAD)\\\\.?/i);\n\t      return match ? match[1].toUpperCase() : null;\n\t    }\n\n\t    async function appAction(name, params) {\n\t      params = params || {};\n\t      var path = '/_agent-native/actions/' + encodeURIComponent(name);\n\t      var res = await hostRequest(path, {\n\t        method: 'POST',\n\t        headers: { 'Content-Type': 'application/json' },\n\t        body: JSON.stringify(params),\n\t      });\n\n\t      var retryMethod = _methodHintFromActionResponse(res);\n\t      if (!res.ok && retryMethod && retryMethod !== 'POST') {\n\t        var retryPath = path;\n\t        var retryOptions = {\n\t          method: retryMethod,\n\t          headers: { 'Content-Type': 'application/json' },\n\t        };\n\t        if (retryMethod === 'GET' || retryMethod === 'HEAD') {\n\t          retryPath = _appendActionQuery(path, params);\n\t        } else {\n\t          retryOptions.body = JSON.stringify(params);\n\t        }\n\t        res = await hostRequest(retryPath, retryOptions);\n\t      }\n\n\t      if (!res.ok) {\n\t        var err = res.body || { error: res.statusText };\n\t        throw new Error(err.error || 'Action failed: ' + res.status);\n\t      }\n\t      return res.body;\n\t    }\n\n\t    async function appFetch(path, options) {\n\t      options = options || {};\n\t      var res = await hostRequest(path, {\n\t        ...options,\n\t        headers: {\n\t          'Content-Type': 'application/json',\n\t          ...(options.headers || {}),\n\t        },\n\t      });\n\t      if (!res.ok) {\n\t        var err = typeof res.body === 'object' && res.body ? res.body : { error: res.statusText };\n\t        throw new Error(err.error || 'Request failed: ' + res.status);\n\t      }\n\t      return res.body;\n\t    }\n\n    async function dbQuery(sql, args) {\n      var body = { sql: sql };\n      if (args) body.args = args;\n      return appFetch('/_agent-native/extensions/sql/query', {\n        method: 'POST',\n        body: JSON.stringify(body),\n      });\n    }\n\n    async function dbExec(sql, args) {\n      var body = { sql: sql };\n      if (args) body.args = args;\n      return appFetch('/_agent-native/extensions/sql/exec', {\n        method: 'POST',\n        body: JSON.stringify(body),\n      });\n    }\n\n    var _extensionId = ${extensionIdJson};\n    var _extensionBinding = ${bindingJson};\n    window.extensionBinding = _extensionBinding;\n    // Legacy alias for extension bodies authored before the rename.\n    window.toolBinding = _extensionBinding;\n    // SECURITY (audit H4): announce the resolved binding to the parent so the\n    // host bridge can gate dangerous helpers based on viewer role. Sent\n    // BEFORE the user-authored content has a chance to run, so a malicious\n    // extension body cannot suppress or rewrite the announcement. The parent\n    // ignores subsequent announcements for the same iframe; see\n    // ExtensionViewer.tsx / EmbeddedExtension.tsx.\n    try {\n      window.parent.postMessage(\n        {\n          type: 'agent-native-extension-binding',\n          extensionId: _extensionId,\n          binding: _extensionBinding,\n        },\n        '*',\n      );\n    } catch (_) {}\n    // SECURITY: when the viewer is not the author of this extension, emit a\n    // clear console warning. The bridge currently runs every helper with the\n    // viewer's session — a malicious shared extension can call any action,\n    // read any owned table row in scope, and resolve any user-scope secret.\n    // A full consent step is tracked as TODO C1 in audit 05-tools-sandbox.md.\n    if (_extensionBinding && !_extensionBinding.isAuthor) {\n      try {\n        console.warn(\n          '[agent-native] Shared extension — running with viewer\\\\'s session. ' +\n            'Author: ' + (_extensionBinding.authorEmail || '<unknown>') + '. ' +\n            'Bridge calls (appAction, dbExec, extensionFetch) execute under ' +\n            'your account; they are gated by your permissions, not the ' +\n            'author\\\\'s. Do not run untrusted shared extensions.',\n        );\n      } catch (_) {}\n    }\n\n    var extensionData = {\n\t      async list(collection, opts) {\n\t        var limit = (opts && opts.limit) || 100;\n\t        var scope = (opts && opts.scope) || 'user';\n\t        var res = await hostRequest('/_agent-native/extensions/data/' + _extensionId + '/' + encodeURIComponent(collection) + '?limit=' + limit + '&scope=' + scope);\n\t        if (!res.ok) throw new Error('Failed to list extension data');\n\t        return res.body;\n\t      },\n      async get(collection, id, opts) {\n        var scope = (opts && opts.scope) || 'user';\n        var items = await this.list(collection, { scope: scope });\n        return (items || []).find(function(item) { return item.id === id; }) || null;\n      },\n      async set(collection, id, data, opts) {\n\t        var scope = (opts && opts.scope) || 'user';\n\t        var res = await hostRequest('/_agent-native/extensions/data/' + _extensionId + '/' + encodeURIComponent(collection), {\n\t          method: 'POST',\n\t          headers: { 'Content-Type': 'application/json' },\n\t          body: JSON.stringify({ id: id, data: data, scope: scope }),\n\t        });\n\t        if (!res.ok) throw new Error('Failed to save extension data');\n\t        return res.body;\n\t      },\n\t      async remove(collection, id, opts) {\n\t        var scope = (opts && opts.scope) || 'user';\n\t        var res = await hostRequest('/_agent-native/extensions/data/' + _extensionId + '/' + encodeURIComponent(collection) + '/' + encodeURIComponent(id) + '?scope=' + scope, {\n\t          method: 'DELETE',\n\t        });\n\t        if (!res.ok) throw new Error('Failed to delete extension data');\n\t        return res.body;\n\t      },\n\t    };\n\n\t    // Legacy aliases — extension bodies authored before the rename use\n\t    // toolFetch, toolData, toolId. Keep these working forever.\n\t    var toolFetch = extensionFetch;\n\t    var toolData = extensionData;\n\t    var _toolId = _extensionId;\n\t  </script>\n\t  <style>\n\t    #__extension-error-toast {\n\t      display: none;\n\t      position: fixed;\n\t      bottom: 16px;\n\t      right: 16px;\n\t      max-width: 420px;\n\t      background: hsl(var(--destructive));\n\t      color: hsl(var(--destructive-foreground));\n\t      border: 1px solid hsl(var(--destructive) / .6);\n\t      border-radius: calc(var(--radius, .5rem) + 2px);\n\t      padding: 12px 16px;\n\t      font-size: 13px;\n\t      line-height: 1.4;\n\t      font-family: 'Inter', sans-serif;\n\t      z-index: 9999;\n\t      box-shadow: 0 4px 12px rgba(0,0,0,.15), 0 1px 3px rgba(0,0,0,.1);\n\t      animation: __toast-in 0.2s ease-out;\n\t    }\n\t    @keyframes __toast-in {\n\t      from { opacity: 0; transform: translateY(8px); }\n\t      to { opacity: 1; transform: translateY(0); }\n\t    }\n\t  </style>\n\t  <script>\n\t    // Extension-point slot context: when an extension is rendered embedded\n\t    // inside an ExtensionSlot, the host pushes a context object via\n\t    // postMessage. Extensions read it synchronously via window.slotContext\n\t    // or subscribe to changes via window.onSlotContext(fn). When rendered\n\t    // full-page (no ?slot= param), slotContext stays null and extensions\n\t    // branch on that.\n\t    window.slotContext = null;\n\t    var _slotContextSubscribers = [];\n\t    window.onSlotContext = function(fn) {\n\t      _slotContextSubscribers.push(fn);\n\t      if (window.slotContext !== null) {\n\t        try { fn(window.slotContext); } catch(_) {}\n\t      }\n\t      return function() {\n\t        _slotContextSubscribers = _slotContextSubscribers.filter(function(f) { return f !== fn; });\n\t      };\n\t    };\n\t    window.addEventListener('message', function(event) {\n\t      if (event.source !== window.parent) return;\n\t      var msg = event.data;\n\t      if (!msg || msg.type !== 'agent-native-slot-context') return;\n\t      window.slotContext = msg.context || {};\n\t      _slotContextSubscribers.forEach(function(fn) {\n\t        try { fn(window.slotContext); } catch(_) {}\n\t      });\n\t    });\n\n\t    // Auto-resize the iframe to its content when running in slot mode. The\n\t    // host listens for agent-native-extension-resize and adjusts the iframe height.\n\t    if (new URLSearchParams(location.search).get('slot')) {\n\t      var _lastH = 0;\n\t      var _reportHeight = function() {\n\t        var h = Math.max(\n\t          document.documentElement.scrollHeight,\n\t          document.body ? document.body.scrollHeight : 0,\n\t        );\n\t        if (h !== _lastH) {\n\t          _lastH = h;\n\t          window.parent.postMessage({ type: 'agent-native-extension-resize', height: h }, '*');\n\t        }\n\t      };\n\t      if (typeof ResizeObserver !== 'undefined') {\n\t        var _ro = new ResizeObserver(_reportHeight);\n\t        document.addEventListener('DOMContentLoaded', function() {\n\t          _ro.observe(document.documentElement);\n\t          if (document.body) _ro.observe(document.body);\n\t        });\n\t      }\n\t      // Initial reports — Alpine takes a tick to render after DOMContentLoaded.\n\t      setTimeout(_reportHeight, 50);\n\t      setTimeout(_reportHeight, 250);\n\t    }\n\n\t    window.addEventListener('message', function(event) {\n\t      if (event.source !== window.parent) return;\n\t      var msg = event.data;\n\t      if (!msg || msg.type !== 'agent-native-theme-update') return;\n\t      var root = document.documentElement;\n\t      if (msg.isDark !== undefined) {\n\t        if (msg.isDark) root.classList.add('dark');\n\t        else root.classList.remove('dark');\n\t      }\n\t      var vars = msg.vars || {};\n\t      for (var key in vars) {\n\t        if (vars.hasOwnProperty(key)) {\n\t          root.style.setProperty(key, vars[key]);\n\t        }\n\t      }\n\t    });\n\n\t    document.addEventListener('keydown', function(e) {\n\t      if ((e.metaKey || e.ctrlKey) && !e.altKey) {\n\t        var key = e.key.toLowerCase();\n\t        if (key === 'c' || key === 'v' || key === 'x' || key === 'a' || key === 'z' || key === 'y') return;\n\t        e.preventDefault();\n\t        e.stopPropagation();\n\t        window.parent.postMessage({\n\t          type: 'agent-native-extension-keydown',\n\t          key: e.key, code: e.code,\n\t          metaKey: e.metaKey, ctrlKey: e.ctrlKey,\n\t          shiftKey: e.shiftKey, altKey: e.altKey,\n\t        }, '*');\n\t        return;\n\t      }\n\t      if (e.key === 'Escape') {\n\t        window.parent.postMessage({\n\t          type: 'agent-native-extension-keydown',\n\t          key: e.key, code: e.code,\n\t          metaKey: false, ctrlKey: false,\n\t          shiftKey: false, altKey: false,\n\t        }, '*');\n\t      }\n\t    });\n\n\t    document.addEventListener('DOMContentLoaded', function() {\n\t      var fixBtn = document.getElementById('__extension-error-fix');\n\t      if (fixBtn) {\n\t        fixBtn.addEventListener('click', function() {\n\t          window.parent.postMessage({\n\t            type: 'agent-native-extension-error-fix',\n\t            errors: _extensionErrors,\n\t            errorDetails: _extensionErrorDetails,\n\t            consoleLogs: _consoleLogs.slice(-30),\n\t            networkLogs: _networkLogs.slice(-15)\n\t          }, '*');\n\t          document.getElementById('__extension-error-toast').style.display = 'none';\n\t        });\n\t      }\n\t      var dismissBtn = document.getElementById('__extension-error-dismiss');\n\t      if (dismissBtn) {\n\t        dismissBtn.addEventListener('click', function() {\n\t          document.getElementById('__extension-error-toast').style.display = 'none';\n\t        });\n\t      }\n\t    });\n\t  </script>\n\t</head>\n\t<body${extensionId ? ` data-extension-id=\"${extensionIdAttr}\" data-tool-id=\"${extensionIdAttr}\"` : \"\"} class=\"bg-background text-foreground\">\n\t${content}\n\t<div id=\"__extension-error-toast\">\n\t  <div style=\"display:flex;align-items:flex-start;gap:8px;\">\n\t    <svg xmlns=\"http://www.w3.org/2000/svg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" style=\"flex-shrink:0;margin-top:1px;\"><circle cx=\"12\" cy=\"12\" r=\"10\"/><line x1=\"12\" y1=\"8\" x2=\"12\" y2=\"12\"/><line x1=\"12\" y1=\"16\" x2=\"12.01\" y2=\"16\"/></svg>\n\t    <span id=\"__extension-error-msg\" style=\"flex:1;overflow:hidden;display:-webkit-box;-webkit-line-clamp:3;-webkit-box-orient:vertical;\"></span>\n\t    <button id=\"__extension-error-fix\" style=\"cursor:pointer;border:none;background:rgba(255,255,255,.9);color:hsl(0 84.2% 40%);font-size:12px;font-weight:500;padding:4px 12px;border-radius:4px;flex-shrink:0;\">Fix</button>\n\t    <button id=\"__extension-error-dismiss\" style=\"cursor:pointer;border:none;background:transparent;color:inherit;font-size:16px;padding:2px 6px;opacity:0.7;flex-shrink:0;\">&#215;</button>\n\t  </div>\n\t</div>\n\t</body>\n\t</html>`;\n}\n\nfunction escapeHtmlAttribute(value: string): string {\n  return value\n    .replace(/&/g, \"&amp;\")\n    .replace(/\"/g, \"&quot;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\");\n}\n"]}
+{"version":3,"file":"html-shell.js","sourceRoot":"","sources":["../../src/extensions/html-shell.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,oBAAoB,GAC/B,2YAA2Y,CAAC;AAE9Y,MAAM,CAAC,MAAM,yBAAyB,GAAG,oBAAoB,CAAC,OAAO,CACnE,8BAA8B,EAC9B,EAAE,CACH,CAAC;AAwDF,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,SAAiB,EACjB,MAAe,EACf,WAAoB,EACpB,OAAgC;IAEhC,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IAC1D,MAAM,eAAe,GAAG,mBAAmB,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAChC,OAAO,IAAI;QACT,WAAW,EAAE,EAAE;QACf,WAAW,EAAE,EAAE;QACf,QAAQ,EAAE,IAAI;QACd,IAAI,EAAE,OAAO;KACd,CACF,CAAC;IAEF,OAAO;iBACQ,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE;;;;wDAIU,yBAAyB;IAC7E,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,uDAAuD,mBAAmB,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA8ElI,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBA+PK,eAAe;8BACV,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QA0NjC,WAAW,CAAC,CAAC,CAAC,uBAAuB,eAAe,mBAAmB,eAAe,GAAG,CAAC,CAAC,CAAC,EAAE;GACnG,OAAO;;;;;;;;;;SAUD,CAAC;AACV,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa;IACxC,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAC3B,CAAC","sourcesContent":["export const EXTENSION_IFRAME_CSP =\n  \"default-src 'none'; script-src 'self' https://cdn.jsdelivr.net 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com; font-src https://fonts.gstatic.com; connect-src 'self'; img-src 'self' data: blob:; media-src 'self' data: blob:; frame-src 'none'; object-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'self';\";\n\nexport const EXTENSION_IFRAME_META_CSP = EXTENSION_IFRAME_CSP.replace(\n  /\\s*frame-ancestors 'self';?$/,\n  \"\",\n);\n\n/**\n * SECURITY — EXTENSION CONTENT IS UNTRUSTED.\n *\n * `${content}` (line ~Body) interpolates raw HTML/JS authored by a user. This\n * file is the boundary between framework-controlled HTML and user-controlled\n * HTML. Two non-negotiable invariants for every change here:\n *\n *   1. The iframe MUST be rendered with a `sandbox` attribute that does NOT\n *      include `allow-same-origin`. The viewer (`ExtensionViewer.tsx`,\n *      `EmbeddedExtension.tsx`) sets `sandbox=\"allow-scripts allow-forms\"` —\n *      and that is the only acceptable shape. Adding `allow-same-origin`\n *      would give the extension full DOM access to the parent window via\n *      cross-frame script.\n *\n *   2. Every reachable parent action must treat the postMessage payload as\n *      hostile. The bridge in `iframe-bridge.ts` enforces a path allowlist,\n *      header sanitization, and method allowlist; do not relax those gates\n *      for \"convenience\" in this file or any caller.\n *\n * For the trust model rationale, see audit 05-tools-sandbox.md (C1) and the\n * `extensions` skill. When in doubt, fail closed.\n *\n * BACKWARDS COMPAT — the iframe injects helpers under both their canonical\n * `extension*` names (`extensionFetch`, `extensionData`, `extensionId`,\n * `extensionBinding`) AND legacy `tool*` aliases (`toolFetch`, `toolData`,\n * `toolId`, `toolBinding`) so existing user-authored extension bodies that\n * pre-date the rename keep working. Same for layout opt-ins:\n * `data-extension-layout=\"full-bleed\"` / `data-extension-padding=\"none\"` /\n * class `agent-native-extension-bleed` / CSS var\n * `--agent-native-extension-padding` are canonical; the `data-tool-*`,\n * `agent-native-tool-bleed`, and `--agent-native-tool-padding` variants are\n * accepted as aliases.\n */\n\nexport interface ExtensionRenderBinding {\n  /** Email of the user who authored / owns the extension. */\n  authorEmail: string;\n  /** Email of the user currently viewing/running the extension. */\n  viewerEmail: string;\n  /** True when viewer === author. */\n  isAuthor: boolean;\n  /**\n   * Resolved role for the viewer (\"owner\" | \"admin\" | \"editor\" | \"viewer\").\n   *\n   * TODO(security, audit H4): the host-side bridge does not yet gate any\n   * helper based on this value — every viewer gets the same powers as the\n   * author. The role is plumbed through so a follow-up PR can constrain\n   * `appAction` / `dbExec` / `extensionFetch` for non-author viewers (and\n   * eventually require an explicit consent step before running a shared\n   * extension, audit C1). For now this is metadata only.\n   */\n  role: \"owner\" | \"admin\" | \"editor\" | \"viewer\";\n}\n\nexport function buildExtensionHtml(\n  content: string,\n  themeVars: string,\n  isDark: boolean,\n  extensionId?: string,\n  binding?: ExtensionRenderBinding,\n): string {\n  const extensionIdJson = JSON.stringify(extensionId ?? \"\");\n  const extensionIdAttr = escapeHtmlAttribute(extensionId ?? \"\");\n  const bindingJson = JSON.stringify(\n    binding ?? {\n      authorEmail: \"\",\n      viewerEmail: \"\",\n      isAuthor: true,\n      role: \"owner\",\n    },\n  );\n\n  return `<!DOCTYPE html>\n<html lang=\"en\"${isDark ? ' class=\"dark\"' : \"\"}>\n<head>\n  <meta charset=\"utf-8\" />\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />\n  <meta http-equiv=\"Content-Security-Policy\" content=\"${EXTENSION_IFRAME_META_CSP}\" />\n  ${binding && !binding.isAuthor ? `<meta name=\"agent-native-extension-author\" content=\"${escapeHtmlAttribute(binding.authorEmail)}\" />` : \"\"}\n  <link rel=\"preconnect\" href=\"https://fonts.googleapis.com\" />\n  <link rel=\"preconnect\" href=\"https://fonts.gstatic.com\" crossorigin />\n  <link href=\"https://fonts.googleapis.com/css2?family=Inter:wght@300..700&display=swap\" rel=\"stylesheet\" />\n  <script>\n    var _extensionErrors = [];\n    var _extensionErrorDetails = [];\n    var _consoleLogs = [];\n    var _networkLogs = [];\n\n    var _origConsole = { log: console.log, warn: console.warn, error: console.error, info: console.info };\n    function _wrapConsole(level, orig) {\n      return function() {\n        var args = Array.prototype.slice.call(arguments);\n        var msg = args.map(function(a) {\n          try { return typeof a === 'object' ? JSON.stringify(a) : String(a); }\n          catch(e) { return String(a); }\n        }).join(' ');\n        if (_consoleLogs.length >= 50) _consoleLogs.shift();\n        _consoleLogs.push({ level: level, message: msg });\n        orig.apply(console, arguments);\n      };\n    }\n    console.log = _wrapConsole('log', _origConsole.log);\n    console.warn = _wrapConsole('warn', _origConsole.warn);\n    console.error = _wrapConsole('error', _origConsole.error);\n    console.info = _wrapConsole('info', _origConsole.info);\n\n    function _collectError(message, stack) {\n      if (!message) return;\n      if (message === 'Script error.' || message === 'Script error') message = 'Runtime error';\n      if (_extensionErrors.indexOf(message) !== -1) return;\n      _extensionErrors.push(message);\n      _extensionErrorDetails.push({ message: message, stack: stack || '' });\n      var toast = document.getElementById('__extension-error-toast');\n      if (!toast) return;\n      var msg = document.getElementById('__extension-error-msg');\n      if (_extensionErrors.length === 1) {\n        msg.textContent = _extensionErrors[0];\n      } else {\n        msg.textContent = _extensionErrors.length + ' errors — ' + _extensionErrors[_extensionErrors.length - 1];\n      }\n      toast.style.display = 'block';\n    }\n\n    window.addEventListener('error', function(event) {\n      var msg = event.message || '';\n      if (msg.indexOf('Alpine Expression Error') === 0) return;\n      var stack = event.error && event.error.stack ? event.error.stack : '';\n      _collectError(msg, stack);\n    });\n\n    window.addEventListener('unhandledrejection', function(event) {\n      var msg = event.reason && event.reason.message ? event.reason.message : String(event.reason);\n      var stack = event.reason && event.reason.stack ? event.reason.stack : '';\n      _collectError(msg, stack);\n    });\n  </script>\n  <!--\n    SECURITY: pinned to exact patch versions + SRI integrity hashes. A\n    malicious republish of @tailwindcss/browser@4.x or alpinejs@3.x would\n    otherwise inject code into every extension. To bump these versions:\n      1. npm view @tailwindcss/browser version  (or alpinejs)\n      2. curl -sL https://cdn.jsdelivr.net/npm/@tailwindcss/browser@<v> \\\\\n         | openssl dgst -sha384 -binary | openssl base64 -A\n      3. Update the URL + integrity hash below in lockstep.\n  -->\n  <script\n    src=\"https://cdn.jsdelivr.net/npm/@tailwindcss/browser@4.2.4\"\n    integrity=\"sha384-yNSZBFvuOWcmww494a9+1zNuvgUGEXoWkein7cxP8wHUTi3iXCU4vJ7hr3tzBCml\"\n    crossorigin=\"anonymous\"\n  ></script>\n  <script\n    defer\n    src=\"https://cdn.jsdelivr.net/npm/alpinejs@3.15.11/dist/cdn.min.js\"\n    integrity=\"sha384-WPtu0YHhJ3arcykfnv1JgUffWDSKRnqnDeTpJUbOc2os2moEmLkIdaeR0trPN4be\"\n    crossorigin=\"anonymous\"\n  ></script>\n  <style>${themeVars}</style>\n  <style type=\"text/tailwindcss\">\n    @custom-variant dark (&:where(.dark, .dark *));\n    @theme {\n      --color-border: hsl(var(--border));\n      --color-input: hsl(var(--input));\n      --color-ring: hsl(var(--ring));\n      --color-background: hsl(var(--background));\n      --color-foreground: hsl(var(--foreground));\n      --color-primary: hsl(var(--primary));\n      --color-primary-foreground: hsl(var(--primary-foreground));\n      --color-secondary: hsl(var(--secondary));\n      --color-secondary-foreground: hsl(var(--secondary-foreground));\n      --color-destructive: hsl(var(--destructive));\n      --color-destructive-foreground: hsl(var(--destructive-foreground));\n      --color-muted: hsl(var(--muted));\n      --color-muted-foreground: hsl(var(--muted-foreground));\n      --color-accent: hsl(var(--accent));\n      --color-accent-foreground: hsl(var(--accent-foreground));\n      --color-popover: hsl(var(--popover));\n      --color-popover-foreground: hsl(var(--popover-foreground));\n      --color-card: hsl(var(--card));\n      --color-card-foreground: hsl(var(--card-foreground));\n      --color-sidebar: hsl(var(--sidebar-background));\n      --color-sidebar-foreground: hsl(var(--sidebar-foreground));\n      --color-sidebar-primary: hsl(var(--sidebar-primary));\n      --color-sidebar-primary-foreground: hsl(var(--sidebar-primary-foreground));\n      --color-sidebar-accent: hsl(var(--sidebar-accent));\n      --color-sidebar-accent-foreground: hsl(var(--sidebar-accent-foreground));\n      --color-sidebar-border: hsl(var(--sidebar-border));\n      --color-sidebar-ring: hsl(var(--sidebar-ring));\n      --radius-lg: var(--radius);\n      --radius-md: calc(var(--radius) - 2px);\n      --radius-sm: calc(var(--radius) - 4px);\n    }\n  </style>\n\t  <style>\n\t    *, *::before, *::after { border-color: hsl(var(--border)); }\n\t    body {\n\t      --agent-native-extension-padding: clamp(16px, 2vw, 24px);\n\t      /* Legacy alias for pre-rename extension content (do not remove). */\n\t      --agent-native-tool-padding: var(--agent-native-extension-padding);\n\t      box-sizing: border-box;\n\t      font-family: 'Inter', sans-serif;\n\t      margin: 0;\n\t      min-height: 100vh;\n\t      padding: var(--agent-native-extension-padding);\n\t    }\n\t    body:has(> [data-extension-layout=\"full-bleed\"]),\n\t    body:has(> [data-extension-padding=\"none\"]),\n\t    body:has(> .agent-native-extension-bleed),\n\t    /* Legacy aliases (do not remove). */\n\t    body:has(> [data-tool-layout=\"full-bleed\"]),\n\t    body:has(> [data-tool-padding=\"none\"]),\n\t    body:has(> .agent-native-tool-bleed) {\n\t      padding: 0;\n\t    }\n\t  </style>\n\t  <script>\n\t    var _extensionRequestSeq = 0;\n\t    var _extensionPendingRequests = {};\n\n\t    window.addEventListener('message', function(event) {\n\t      if (event.source !== window.parent) return;\n\t      var message = event.data || {};\n\t      if (\n\t        message.type !== 'agent-native-extension-response' &&\n\t        message.type !== 'agent-native-tool-response'\n\t      ) return;\n\t      var pending = _extensionPendingRequests[message.requestId];\n\t      if (!pending) return;\n\t      delete _extensionPendingRequests[message.requestId];\n\t      if (message.error) {\n\t        pending.reject(new Error(message.error));\n\t      } else {\n\t        pending.resolve(message.response);\n\t      }\n\t    });\n\n\t    function hostRequest(path, options) {\n\t      options = options || {};\n\t      return new Promise(function(resolve, reject) {\n\t        var requestId = 'extension-req-' + (++_extensionRequestSeq);\n\t        _extensionPendingRequests[requestId] = { resolve: resolve, reject: reject };\n\t        window.parent.postMessage({\n\t          type: 'agent-native-extension-request',\n\t          requestId: requestId,\n\t          path: path,\n\t          options: {\n\t            method: options.method || 'GET',\n\t            headers: options.headers || {},\n\t            body: options.body,\n\t          },\n\t        }, '*');\n\t        setTimeout(function() {\n\t          var pending = _extensionPendingRequests[requestId];\n\t          if (!pending) return;\n\t          delete _extensionPendingRequests[requestId];\n\t          pending.reject(new Error('Extension host request timed out'));\n\t        }, 30000);\n\t      });\n\t    }\n\n\t    var _origHostRequest = hostRequest;\n\t    hostRequest = function(path, options) {\n\t      var entry = { path: path, method: (options && options.method) || 'GET' };\n\t      return _origHostRequest(path, options).then(function(res) {\n\t        entry.ok = res.ok;\n\t        entry.status = res.status;\n\t        if (!res.ok && res.body) {\n\t          try { entry.error = typeof res.body === 'string' ? res.body.slice(0, 200) : JSON.stringify(res.body).slice(0, 200); } catch(e) {}\n\t        }\n\t        if (_networkLogs.length >= 20) _networkLogs.shift();\n\t        _networkLogs.push(entry);\n\t        return res;\n\t      }, function(err) {\n\t        entry.ok = false;\n\t        entry.error = err.message;\n\t        if (_networkLogs.length >= 20) _networkLogs.shift();\n\t        _networkLogs.push(entry);\n\t        throw err;\n\t      });\n\t    };\n\n\t    function extensionFetch(url, options) {\n\t      var opts = options || {};\n\t      return hostRequest('/_agent-native/extensions/proxy', {\n\t        method: 'POST',\n\t        headers: { 'Content-Type': 'application/json' },\n\t        body: JSON.stringify({\n\t          url: url,\n          method: opts.method || 'GET',\n          headers: opts.headers,\n          body: opts.body,\n        }),\n\t      }).then(function(res) {\n\t        var data = res.body;\n\t          if (data.error && data.status === undefined) {\n\t            throw new Error(data.error);\n\t          }\n          return {\n            ok: data.status >= 200 && data.status < 300,\n            status: data.status,\n\t            json: function() { return Promise.resolve(data.body); },\n\t            text: function() { return Promise.resolve(typeof data.body === 'string' ? data.body : JSON.stringify(data.body)); },\n\t          };\n\t      });\n\t    }\n\n\t    function _appendActionQuery(path, params) {\n\t      var search = new URLSearchParams();\n\t      params = params || {};\n\t      Object.keys(params).forEach(function(key) {\n\t        var value = params[key];\n\t        if (value === undefined || value === null) return;\n\t        if (Array.isArray(value)) {\n\t          value.forEach(function(item) {\n\t            if (item !== undefined && item !== null) {\n\t              search.append(key, String(item));\n\t            }\n\t          });\n\t          return;\n\t        }\n\t        search.set(key, String(value));\n\t      });\n\t      var qs = search.toString();\n\t      return qs ? path + '?' + qs : path;\n\t    }\n\n\t    function _methodHintFromActionResponse(res) {\n\t      if (!res || res.status !== 405) return null;\n\t      var body = res.body || {};\n\t      var message = typeof body === 'string' ? body : body.error;\n\t      if (!message) return null;\n\t      var match = String(message).match(/Use (GET|POST|PUT|PATCH|DELETE|HEAD)\\\\.?/i);\n\t      return match ? match[1].toUpperCase() : null;\n\t    }\n\n\t    async function appAction(name, params) {\n\t      params = params || {};\n\t      if (name === 'navigate') {\n\t        var navRes = await hostRequest('/_agent-native/application-state/navigate', {\n\t          method: 'PUT',\n\t          headers: { 'Content-Type': 'application/json' },\n\t          body: JSON.stringify(params),\n\t        });\n\t        if (!navRes.ok) {\n\t          var navErr = navRes.body || { error: navRes.statusText };\n\t          throw new Error(navErr.error || 'Navigation failed: ' + navRes.status);\n\t        }\n\t        return navRes.body;\n\t      }\n\t      var path = '/_agent-native/actions/' + encodeURIComponent(name);\n\t      var res = await hostRequest(path, {\n\t        method: 'POST',\n\t        headers: { 'Content-Type': 'application/json' },\n\t        body: JSON.stringify(params),\n\t      });\n\n\t      var retryMethod = _methodHintFromActionResponse(res);\n\t      if (!res.ok && retryMethod && retryMethod !== 'POST') {\n\t        var retryPath = path;\n\t        var retryOptions = {\n\t          method: retryMethod,\n\t          headers: { 'Content-Type': 'application/json' },\n\t        };\n\t        if (retryMethod === 'GET' || retryMethod === 'HEAD') {\n\t          retryPath = _appendActionQuery(path, params);\n\t        } else {\n\t          retryOptions.body = JSON.stringify(params);\n\t        }\n\t        res = await hostRequest(retryPath, retryOptions);\n\t      }\n\n\t      if (!res.ok) {\n\t        var err = res.body || { error: res.statusText };\n\t        throw new Error(err.error || 'Action failed: ' + res.status);\n\t      }\n\t      return res.body;\n\t    }\n\n\t    async function appFetch(path, options) {\n\t      options = options || {};\n\t      var res = await hostRequest(path, {\n\t        ...options,\n\t        headers: {\n\t          'Content-Type': 'application/json',\n\t          ...(options.headers || {}),\n\t        },\n\t      });\n\t      if (!res.ok) {\n\t        var err = typeof res.body === 'object' && res.body ? res.body : { error: res.statusText };\n\t        throw new Error(err.error || 'Request failed: ' + res.status);\n\t      }\n\t      return res.body;\n\t    }\n\n    async function dbQuery(sql, args) {\n      var body = { sql: sql };\n      if (args) body.args = args;\n      return appFetch('/_agent-native/extensions/sql/query', {\n        method: 'POST',\n        body: JSON.stringify(body),\n      });\n    }\n\n    async function dbExec(sql, args) {\n      var body = { sql: sql };\n      if (args) body.args = args;\n      return appFetch('/_agent-native/extensions/sql/exec', {\n        method: 'POST',\n        body: JSON.stringify(body),\n      });\n    }\n\n    var _extensionId = ${extensionIdJson};\n    var _extensionBinding = ${bindingJson};\n    window.extensionBinding = _extensionBinding;\n    // Legacy alias for extension bodies authored before the rename.\n    window.toolBinding = _extensionBinding;\n    // SECURITY (audit H4): announce the resolved binding to the parent so the\n    // host bridge can gate dangerous helpers based on viewer role. Sent\n    // BEFORE the user-authored content has a chance to run, so a malicious\n    // extension body cannot suppress or rewrite the announcement. The parent\n    // ignores subsequent announcements for the same iframe; see\n    // ExtensionViewer.tsx / EmbeddedExtension.tsx.\n    try {\n      window.parent.postMessage(\n        {\n          type: 'agent-native-extension-binding',\n          extensionId: _extensionId,\n          binding: _extensionBinding,\n        },\n        '*',\n      );\n    } catch (_) {}\n    // SECURITY: when the viewer is not the author of this extension, emit a\n    // clear console warning. The bridge currently runs every helper with the\n    // viewer's session — a malicious shared extension can call any action,\n    // read any owned table row in scope, and resolve any user-scope secret.\n    // A full consent step is tracked as TODO C1 in audit 05-tools-sandbox.md.\n    if (_extensionBinding && !_extensionBinding.isAuthor) {\n      try {\n        console.warn(\n          '[agent-native] Shared extension — running with viewer\\\\'s session. ' +\n            'Author: ' + (_extensionBinding.authorEmail || '<unknown>') + '. ' +\n            'Bridge calls (appAction, dbExec, extensionFetch) execute under ' +\n            'your account; they are gated by your permissions, not the ' +\n            'author\\\\'s. Do not run untrusted shared extensions.',\n        );\n      } catch (_) {}\n    }\n\n    var extensionData = {\n\t      async list(collection, opts) {\n\t        var limit = (opts && opts.limit) || 100;\n\t        var scope = (opts && opts.scope) || 'user';\n\t        var res = await hostRequest('/_agent-native/extensions/data/' + _extensionId + '/' + encodeURIComponent(collection) + '?limit=' + limit + '&scope=' + scope);\n\t        if (!res.ok) throw new Error('Failed to list extension data');\n\t        return res.body;\n\t      },\n      async get(collection, id, opts) {\n        var scope = (opts && opts.scope) || 'user';\n        var items = await this.list(collection, { scope: scope });\n        return (items || []).find(function(item) { return item.id === id; }) || null;\n      },\n      async set(collection, id, data, opts) {\n\t        var scope = (opts && opts.scope) || 'user';\n\t        var res = await hostRequest('/_agent-native/extensions/data/' + _extensionId + '/' + encodeURIComponent(collection), {\n\t          method: 'POST',\n\t          headers: { 'Content-Type': 'application/json' },\n\t          body: JSON.stringify({ id: id, data: data, scope: scope }),\n\t        });\n\t        if (!res.ok) throw new Error('Failed to save extension data');\n\t        return res.body;\n\t      },\n\t      async remove(collection, id, opts) {\n\t        var scope = (opts && opts.scope) || 'user';\n\t        var res = await hostRequest('/_agent-native/extensions/data/' + _extensionId + '/' + encodeURIComponent(collection) + '/' + encodeURIComponent(id) + '?scope=' + scope, {\n\t          method: 'DELETE',\n\t        });\n\t        if (!res.ok) throw new Error('Failed to delete extension data');\n\t        return res.body;\n\t      },\n\t    };\n\n\t    // Legacy aliases — extension bodies authored before the rename use\n\t    // toolFetch, toolData, toolId. Keep these working forever.\n\t    var toolFetch = extensionFetch;\n\t    var toolData = extensionData;\n\t    var _toolId = _extensionId;\n\t  </script>\n\t  <style>\n\t    #__extension-error-toast {\n\t      display: none;\n\t      position: fixed;\n\t      bottom: 16px;\n\t      right: 16px;\n\t      max-width: 420px;\n\t      background: hsl(var(--destructive));\n\t      color: hsl(var(--destructive-foreground));\n\t      border: 1px solid hsl(var(--destructive) / .6);\n\t      border-radius: calc(var(--radius, .5rem) + 2px);\n\t      padding: 12px 16px;\n\t      font-size: 13px;\n\t      line-height: 1.4;\n\t      font-family: 'Inter', sans-serif;\n\t      z-index: 9999;\n\t      box-shadow: 0 4px 12px rgba(0,0,0,.15), 0 1px 3px rgba(0,0,0,.1);\n\t      animation: __toast-in 0.2s ease-out;\n\t    }\n\t    @keyframes __toast-in {\n\t      from { opacity: 0; transform: translateY(8px); }\n\t      to { opacity: 1; transform: translateY(0); }\n\t    }\n\t  </style>\n\t  <script>\n\t    // Extension-point slot context: when an extension is rendered embedded\n\t    // inside an ExtensionSlot, the host pushes a context object via\n\t    // postMessage. Extensions read it synchronously via window.slotContext\n\t    // or subscribe to changes via window.onSlotContext(fn). When rendered\n\t    // full-page (no ?slot= param), slotContext stays null and extensions\n\t    // branch on that.\n\t    window.slotContext = null;\n\t    var _slotContextSubscribers = [];\n\t    window.onSlotContext = function(fn) {\n\t      _slotContextSubscribers.push(fn);\n\t      if (window.slotContext !== null) {\n\t        try { fn(window.slotContext); } catch(_) {}\n\t      }\n\t      return function() {\n\t        _slotContextSubscribers = _slotContextSubscribers.filter(function(f) { return f !== fn; });\n\t      };\n\t    };\n\t    window.addEventListener('message', function(event) {\n\t      if (event.source !== window.parent) return;\n\t      var msg = event.data;\n\t      if (!msg || msg.type !== 'agent-native-slot-context') return;\n\t      window.slotContext = msg.context || {};\n\t      _slotContextSubscribers.forEach(function(fn) {\n\t        try { fn(window.slotContext); } catch(_) {}\n\t      });\n\t    });\n\n\t    // Auto-resize the iframe to its content when running in slot mode. The\n\t    // host listens for agent-native-extension-resize and adjusts the iframe height.\n\t    if (new URLSearchParams(location.search).get('slot')) {\n\t      var _lastH = 0;\n\t      var _reportHeight = function() {\n\t        var h = Math.max(\n\t          document.documentElement.scrollHeight,\n\t          document.body ? document.body.scrollHeight : 0,\n\t        );\n\t        if (h !== _lastH) {\n\t          _lastH = h;\n\t          window.parent.postMessage({ type: 'agent-native-extension-resize', height: h }, '*');\n\t        }\n\t      };\n\t      if (typeof ResizeObserver !== 'undefined') {\n\t        var _ro = new ResizeObserver(_reportHeight);\n\t        document.addEventListener('DOMContentLoaded', function() {\n\t          _ro.observe(document.documentElement);\n\t          if (document.body) _ro.observe(document.body);\n\t        });\n\t      }\n\t      // Initial reports — Alpine takes a tick to render after DOMContentLoaded.\n\t      setTimeout(_reportHeight, 50);\n\t      setTimeout(_reportHeight, 250);\n\t    }\n\n\t    window.addEventListener('message', function(event) {\n\t      if (event.source !== window.parent) return;\n\t      var msg = event.data;\n\t      if (!msg || msg.type !== 'agent-native-theme-update') return;\n\t      var root = document.documentElement;\n\t      if (msg.isDark !== undefined) {\n\t        if (msg.isDark) root.classList.add('dark');\n\t        else root.classList.remove('dark');\n\t      }\n\t      var vars = msg.vars || {};\n\t      for (var key in vars) {\n\t        if (vars.hasOwnProperty(key)) {\n\t          root.style.setProperty(key, vars[key]);\n\t        }\n\t      }\n\t    });\n\n\t    document.addEventListener('keydown', function(e) {\n\t      if ((e.metaKey || e.ctrlKey) && !e.altKey) {\n\t        var key = e.key.toLowerCase();\n\t        if (key === 'c' || key === 'v' || key === 'x' || key === 'a' || key === 'z' || key === 'y') return;\n\t        e.preventDefault();\n\t        e.stopPropagation();\n\t        window.parent.postMessage({\n\t          type: 'agent-native-extension-keydown',\n\t          key: e.key, code: e.code,\n\t          metaKey: e.metaKey, ctrlKey: e.ctrlKey,\n\t          shiftKey: e.shiftKey, altKey: e.altKey,\n\t        }, '*');\n\t        return;\n\t      }\n\t      if (e.key === 'Escape') {\n\t        window.parent.postMessage({\n\t          type: 'agent-native-extension-keydown',\n\t          key: e.key, code: e.code,\n\t          metaKey: false, ctrlKey: false,\n\t          shiftKey: false, altKey: false,\n\t        }, '*');\n\t      }\n\t    });\n\n\t    document.addEventListener('DOMContentLoaded', function() {\n\t      var fixBtn = document.getElementById('__extension-error-fix');\n\t      if (fixBtn) {\n\t        fixBtn.addEventListener('click', function() {\n\t          window.parent.postMessage({\n\t            type: 'agent-native-extension-error-fix',\n\t            errors: _extensionErrors,\n\t            errorDetails: _extensionErrorDetails,\n\t            consoleLogs: _consoleLogs.slice(-30),\n\t            networkLogs: _networkLogs.slice(-15)\n\t          }, '*');\n\t          document.getElementById('__extension-error-toast').style.display = 'none';\n\t        });\n\t      }\n\t      var dismissBtn = document.getElementById('__extension-error-dismiss');\n\t      if (dismissBtn) {\n\t        dismissBtn.addEventListener('click', function() {\n\t          document.getElementById('__extension-error-toast').style.display = 'none';\n\t        });\n\t      }\n\t    });\n\t  </script>\n\t</head>\n\t<body${extensionId ? ` data-extension-id=\"${extensionIdAttr}\" data-tool-id=\"${extensionIdAttr}\"` : \"\"} class=\"bg-background text-foreground\">\n\t${content}\n\t<div id=\"__extension-error-toast\">\n\t  <div style=\"display:flex;align-items:flex-start;gap:8px;\">\n\t    <svg xmlns=\"http://www.w3.org/2000/svg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" style=\"flex-shrink:0;margin-top:1px;\"><circle cx=\"12\" cy=\"12\" r=\"10\"/><line x1=\"12\" y1=\"8\" x2=\"12\" y2=\"12\"/><line x1=\"12\" y1=\"16\" x2=\"12.01\" y2=\"16\"/></svg>\n\t    <span id=\"__extension-error-msg\" style=\"flex:1;overflow:hidden;display:-webkit-box;-webkit-line-clamp:3;-webkit-box-orient:vertical;\"></span>\n\t    <button id=\"__extension-error-fix\" style=\"cursor:pointer;border:none;background:rgba(255,255,255,.9);color:hsl(0 84.2% 40%);font-size:12px;font-weight:500;padding:4px 12px;border-radius:4px;flex-shrink:0;\">Fix</button>\n\t    <button id=\"__extension-error-dismiss\" style=\"cursor:pointer;border:none;background:transparent;color:inherit;font-size:16px;padding:2px 6px;opacity:0.7;flex-shrink:0;\">&#215;</button>\n\t  </div>\n\t</div>\n\t</body>\n\t</html>`;\n}\n\nfunction escapeHtmlAttribute(value: string): string {\n  return value\n    .replace(/&/g, \"&amp;\")\n    .replace(/\"/g, \"&quot;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\");\n}\n"]}

package/dist/mcp-client/errors.d.ts

@@ -0,0 +1,2 @@
+export declare function formatMcpConnectError(error: unknown): string;
+//# sourceMappingURL=errors.d.ts.map

package/dist/mcp-client/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/mcp-client/errors.ts"],"names":[],"mappings":"AAaA,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAwC5D"}

package/dist/mcp-client/errors.js

@@ -0,0 +1,47 @@
+function stringifyError(error) {
+    if (typeof error === "string")
+        return error;
+    if (error instanceof Error)
+        return error.message;
+    if (error && typeof error === "object") {
+        const record = error;
+        const message = record.message;
+        if (typeof message === "string" && message.trim())
+            return message;
+        const type = record.type;
+        if (typeof type === "string" && type.trim())
+            return type;
+    }
+    return String(error ?? "");
+}
+export function formatMcpConnectError(error) {
+    const raw = stringifyError(error);
+    const text = raw.trim();
+    if (!text)
+        return "Could not connect to that MCP server.";
+    if (/<!doctype|<html[\s>]|<\/html>|unexpected token '<'|is not valid json/i.test(text)) {
+        return "That URL returned a web page instead of an MCP response. Check that you pasted the Streamable HTTP endpoint, often ending in /mcp.";
+    }
+    if (/invalid_union|unrecognized_keys|invalid_type|invalid_value/i.test(text) &&
+        /jsonrpc|method|unrecognized keys|args|origin|url/i.test(text)) {
+        return "That URL returned JSON, but not an MCP JSON-RPC response. Check that you pasted the Streamable HTTP endpoint, often ending in /mcp.";
+    }
+    if (/streamable http/i.test(text) &&
+        /error|failed|non-200|status/i.test(text)) {
+        return "The server did not complete the Streamable HTTP MCP handshake. Check the URL and any required authorization headers.";
+    }
+    if (/failed to fetch|fetch failed|networkerror|econnrefused|enotfound|timed out/i.test(text)) {
+        return "Could not reach that MCP server. Check the URL and make sure it is publicly reachable from this app.";
+    }
+    if (/401|403|unauthorized|forbidden/i.test(text)) {
+        return "The MCP server rejected the request. Add or update the required Authorization header.";
+    }
+    if (/404|not found|405|method not allowed/i.test(text)) {
+        return "That URL is reachable, but it does not look like the MCP endpoint. Check the server's Streamable HTTP path.";
+    }
+    if (text === "[object ErrorEvent]" || text === "error") {
+        return "The MCP server connection failed while opening its event stream. Check the URL and any required authorization headers.";
+    }
+    return text.length > 240 ? `${text.slice(0, 237).trimEnd()}...` : text;
+}
+//# sourceMappingURL=errors.js.map

package/dist/mcp-client/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/mcp-client/errors.ts"],"names":[],"mappings":"AAAA,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5C,IAAI,KAAK,YAAY,KAAK;QAAE,OAAO,KAAK,CAAC,OAAO,CAAC;IACjD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,MAAM,GAAG,KAAgC,CAAC;QAChD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC/B,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,EAAE;YAAE,OAAO,OAAO,CAAC;QAClE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QACzB,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,EAAE;YAAE,OAAO,IAAI,CAAC;IAC3D,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,KAAc;IAClD,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACxB,IAAI,CAAC,IAAI;QAAE,OAAO,uCAAuC,CAAC;IAC1D,IACE,uEAAuE,CAAC,IAAI,CAC1E,IAAI,CACL,EACD,CAAC;QACD,OAAO,oIAAoI,CAAC;IAC9I,CAAC;IACD,IACE,6DAA6D,CAAC,IAAI,CAAC,IAAI,CAAC;QACxE,mDAAmD,CAAC,IAAI,CAAC,IAAI,CAAC,EAC9D,CAAC;QACD,OAAO,qIAAqI,CAAC;IAC/I,CAAC;IACD,IACE,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;QAC7B,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,EACzC,CAAC;QACD,OAAO,sHAAsH,CAAC;IAChI,CAAC;IACD,IACE,6EAA6E,CAAC,IAAI,CAChF,IAAI,CACL,EACD,CAAC;QACD,OAAO,sGAAsG,CAAC;IAChH,CAAC;IACD,IAAI,iCAAiC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACjD,OAAO,uFAAuF,CAAC;IACjG,CAAC;IACD,IAAI,uCAAuC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACvD,OAAO,6GAA6G,CAAC;IACvH,CAAC;IACD,IAAI,IAAI,KAAK,qBAAqB,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACvD,OAAO,wHAAwH,CAAC;IAClI,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;AACzE,CAAC","sourcesContent":["function stringifyError(error: unknown): string {\n  if (typeof error === \"string\") return error;\n  if (error instanceof Error) return error.message;\n  if (error && typeof error === \"object\") {\n    const record = error as Record<string, unknown>;\n    const message = record.message;\n    if (typeof message === \"string\" && message.trim()) return message;\n    const type = record.type;\n    if (typeof type === \"string\" && type.trim()) return type;\n  }\n  return String(error ?? \"\");\n}\n\nexport function formatMcpConnectError(error: unknown): string {\n  const raw = stringifyError(error);\n  const text = raw.trim();\n  if (!text) return \"Could not connect to that MCP server.\";\n  if (\n    /<!doctype|<html[\\s>]|<\\/html>|unexpected token '<'|is not valid json/i.test(\n      text,\n    )\n  ) {\n    return \"That URL returned a web page instead of an MCP response. Check that you pasted the Streamable HTTP endpoint, often ending in /mcp.\";\n  }\n  if (\n    /invalid_union|unrecognized_keys|invalid_type|invalid_value/i.test(text) &&\n    /jsonrpc|method|unrecognized keys|args|origin|url/i.test(text)\n  ) {\n    return \"That URL returned JSON, but not an MCP JSON-RPC response. Check that you pasted the Streamable HTTP endpoint, often ending in /mcp.\";\n  }\n  if (\n    /streamable http/i.test(text) &&\n    /error|failed|non-200|status/i.test(text)\n  ) {\n    return \"The server did not complete the Streamable HTTP MCP handshake. Check the URL and any required authorization headers.\";\n  }\n  if (\n    /failed to fetch|fetch failed|networkerror|econnrefused|enotfound|timed out/i.test(\n      text,\n    )\n  ) {\n    return \"Could not reach that MCP server. Check the URL and make sure it is publicly reachable from this app.\";\n  }\n  if (/401|403|unauthorized|forbidden/i.test(text)) {\n    return \"The MCP server rejected the request. Add or update the required Authorization header.\";\n  }\n  if (/404|not found|405|method not allowed/i.test(text)) {\n    return \"That URL is reachable, but it does not look like the MCP endpoint. Check the server's Streamable HTTP path.\";\n  }\n  if (text === \"[object ErrorEvent]\" || text === \"error\") {\n    return \"The MCP server connection failed while opening its event stream. Check the URL and any required authorization headers.\";\n  }\n  return text.length > 240 ? `${text.slice(0, 237).trimEnd()}...` : text;\n}\n"]}

package/dist/mcp-client/manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/mcp-client/manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAmB,MAAM,aAAa,CAAC;AAE9D,eAAO,MAAM,eAAe,UAAU,CAAC;AAEvC,MAAM,WAAW,OAAO;IACtB,oCAAoC;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,IAAI,EAAE,MAAM,CAAC;IACb,kDAAkD;IAClD,YAAY,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,gEAAgE;IAChE,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAuBD;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,YAAY,EAAE,MAAM,GACnB;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAS/C;AAED,MAAM,WAAW,uBAAuB;IACtC,iCAAiC;IACjC,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AA6BD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAuC;IAC/D,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAU;IAChC,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,GAAG,CAA2B;IACtC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAA8B;IACxD;6EACyE;IACzE,OAAO,CAAC,gBAAgB,CAAuC;gBAEnD,MAAM,EAAE,SAAS,GAAG,IAAI,EAAE,OAAO,GAAE,uBAA4B;IAK3E,wDAAwD;IACxD,IAAI,OAAO,IAAI,OAAO,CAErB;IAED;+EAC2E;IAC3E,SAAS,IAAI,SAAS,GAAG,IAAI;IAI7B,wEAAwE;IACxE,IAAI,iBAAiB,IAAI,MAAM,EAAE,CAGhC;IAED,2EAA2E;IAC3E,IAAI,gBAAgB,IAAI,MAAM,EAAE,CAI/B;IAED;;;OAGG;YACW,OAAO;IA+CrB;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,IAAI,GAAG,MAAM,IAAI;IAO1C,OAAO,CAAC,UAAU;IAYlB;;;;;;;OAOG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAQd,aAAa;IAkB3B;;;OAGG;YACW,SAAS;YA6BT,aAAa;IAsG3B;;;;;;;;;;;OAWG;IACG,WAAW,CAAC,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,OAAO,CAAC;QACtD,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,WAAW,EAAE,MAAM,EAAE,CAAC;KACvB,CAAC;YAUY,mBAAmB;IAyEjC,wDAAwD;IACxD,QAAQ,IAAI,OAAO,EAAE;IASrB;;;OAGG;IACG,QAAQ,CAAC,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAiCrE,yDAAyD;IACnD,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAoB3B,+DAA+D;IAC/D,SAAS,IAAI;QACX,iBAAiB,EAAE,MAAM,EAAE,CAAC;QAC5B,gBAAgB,EAAE,MAAM,EAAE,CAAC;QAC3B,UAAU,EAAE,MAAM,CAAC;QACnB,KAAK,EAAE,KAAK,CAAC;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,WAAW,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACpE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAChC;CAkBF"}
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/mcp-client/manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAmB,MAAM,aAAa,CAAC;AAG9D,eAAO,MAAM,eAAe,UAAU,CAAC;AAEvC,MAAM,WAAW,OAAO;IACtB,oCAAoC;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,IAAI,EAAE,MAAM,CAAC;IACb,kDAAkD;IAClD,YAAY,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,gEAAgE;IAChE,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAyBD;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,YAAY,EAAE,MAAM,GACnB;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAS/C;AAED,MAAM,WAAW,uBAAuB;IACtC,iCAAiC;IACjC,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAwDD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAuC;IAC/D,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAU;IAChC,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,GAAG,CAA2B;IACtC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAA8B;IACxD;6EACyE;IACzE,OAAO,CAAC,gBAAgB,CAAuC;gBAEnD,MAAM,EAAE,SAAS,GAAG,IAAI,EAAE,OAAO,GAAE,uBAA4B;IAK3E,wDAAwD;IACxD,IAAI,OAAO,IAAI,OAAO,CAErB;IAED;+EAC2E;IAC3E,SAAS,IAAI,SAAS,GAAG,IAAI;IAI7B,wEAAwE;IACxE,IAAI,iBAAiB,IAAI,MAAM,EAAE,CAGhC;IAED,2EAA2E;IAC3E,IAAI,gBAAgB,IAAI,MAAM,EAAE,CAI/B;IAED;;;OAGG;YACW,OAAO;IA+CrB;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,IAAI,GAAG,MAAM,IAAI;IAO1C,OAAO,CAAC,UAAU;IAYlB;;;;;;;OAOG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAQd,aAAa;IAkB3B;;;OAGG;YACW,SAAS;YA6BT,aAAa;IA6G3B;;;;;;;;;;;OAWG;IACG,WAAW,CAAC,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,OAAO,CAAC;QACtD,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,WAAW,EAAE,MAAM,EAAE,CAAC;KACvB,CAAC;YAUY,mBAAmB;IAyEjC,wDAAwD;IACxD,QAAQ,IAAI,OAAO,EAAE;IASrB;;;OAGG;IACG,QAAQ,CAAC,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAiCrE,yDAAyD;IACnD,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAoB3B,+DAA+D;IAC/D,SAAS,IAAI;QACX,iBAAiB,EAAE,MAAM,EAAE,CAAC;QAC5B,gBAAgB,EAAE,MAAM,EAAE,CAAC;QAC3B,UAAU,EAAE,MAAM,CAAC;QACnB,KAAK,EAAE,KAAK,CAAC;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,WAAW,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACpE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAChC;CAkBF"}

package/dist/mcp-client/manager.js

@@ -7,6 +7,7 @@
  * browsers). HTTP servers work in any runtime with `fetch`; `reconfigure()`
  * lets callers add or remove servers at runtime without restarting the process.
  */
+import { formatMcpConnectError } from "./errors.js";
 export const MCP_TOOL_PREFIX = "mcp__";
 function isNode() {
     return (typeof process !== "undefined" &&
@@ -49,6 +50,32 @@ function sameServerConfig(a, b) {
     }
     return false;
 }
+async function safelyClose(value, recordError) {
+    try {
+        if (value?.close)
+            await value.close();
+    }
+    catch (err) {
+        recordError?.(err);
+    }
+}
+function guardClose(value, recordError) {
+    if (!value || typeof value.close !== "function")
+        return undefined;
+    const originalClose = value.close.bind(value);
+    value.close = async (...args) => {
+        try {
+            return await originalClose(...args);
+        }
+        catch (err) {
+            recordError(err);
+            return undefined;
+        }
+    };
+    return () => {
+        value.close = originalClose;
+    };
+}
 export class McpClientManager {
     servers = new Map();
     debug;
@@ -198,7 +225,7 @@ export class McpClientManager {
             console.log(`[mcp-client] connected to ${id}: ${entry.tools.length} tools`);
         }
         catch (err) {
-            entry.error = err?.message ?? String(err);
+            entry.error = formatMcpConnectError(err);
             console.warn(`[mcp-client] failed to connect to ${id}: ${entry.error}`);
         }
     }
@@ -256,6 +283,10 @@ export class McpClientManager {
             });
         }
         const client = new Client({ name: "agent-native-mcp-client", version: "1.0.0" }, { capabilities: {} });
+        const recordConnectionError = () => { };
+        const restoreClientClose = guardClose(client, recordConnectionError);
+        const restoreTransportClose = guardClose(transport, recordConnectionError);
+        client.onerror = recordConnectionError;
         // If connect or listTools throws, we still need to release the child
         // process (stdio) or pending HTTP session — otherwise repeated failures
         // leak transports. Assign to the entry only after the handshake succeeds.
@@ -275,24 +306,22 @@ export class McpClientManager {
                     properties: {},
                 }),
             }));
+            client.onerror = (error) => {
+                entry.error = formatMcpConnectError(error);
+                if (this.debug) {
+                    console.warn(`[mcp-client] runtime error from ${entry.id}: ${entry.error}`);
+                }
+            };
         }
         catch (err) {
-            try {
-                if (client?.close)
-                    await client.close();
-            }
-            catch {
-                // ignore
-            }
-            try {
-                if (transport?.close)
-                    await transport.close();
-            }
-            catch {
-                // ignore
-            }
+            await safelyClose(client, recordConnectionError);
+            await safelyClose(transport, recordConnectionError);
             throw err;
         }
+        finally {
+            restoreClientClose?.();
+            restoreTransportClose?.();
+        }
     }
     /**
      * Replace the configured server set. Servers that appear in the new config

package/dist/mcp-client/manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../src/mcp-client/manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,MAAM,CAAC,MAAM,eAAe,GAAG,OAAO,CAAC;AAwBvC,SAAS,MAAM;IACb,OAAO,CACL,OAAO,OAAO,KAAK,WAAW;QAC9B,CAAC,CAAE,OAAe,CAAC,QAAQ,EAAE,IAAI;QACjC,OAAQ,OAAe,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,CACnD,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAgB,EAAE,QAAgB;IAC3D,OAAO,GAAG,eAAe,GAAG,QAAQ,KAAK,QAAQ,EAAE,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAC9B,YAAoB;IAEpB,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,eAAe,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3D,MAAM,IAAI,GAAG,YAAY,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACzB,OAAO;QACL,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;QAC5B,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC;KAC9B,CAAC;AACJ,CAAC;AAOD,SAAS,gBAAgB,CAAC,CAAkB,EAAE,CAAkB;IAC9D,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,IAAI,OAAO,CAAC;IAChC,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,IAAI,OAAO,CAAC;IAChC,IAAI,KAAK,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAClC,IAAI,KAAK,KAAK,MAAM,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAC/D,OAAO,CACL,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG;YACf,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CACpE,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAC3C,OAAO,CACL,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,OAAO;YACvB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;YAC7D,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC;YAC3D,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,CAChC,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAQD,MAAM,OAAO,gBAAgB;IACV,OAAO,GAA6B,IAAI,GAAG,EAAE,CAAC;IAC9C,KAAK,CAAU;IACxB,OAAO,GAAG,KAAK,CAAC;IAChB,MAAM,CAAmB;IACzB,GAAG,GAAsB,IAAI,CAAC;IACrB,SAAS,GAAoB,IAAI,GAAG,EAAE,CAAC;IACxD;6EACyE;IACjE,gBAAgB,GAAqB,OAAO,CAAC,OAAO,EAAE,CAAC;IAE/D,YAAY,MAAwB,EAAE,UAAmC,EAAE;QACzE,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAC/B,CAAC;IAED,wDAAwD;IACxD,IAAI,OAAO;QACT,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IACtE,CAAC;IAED;+EAC2E;IAC3E,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,wEAAwE;IACxE,IAAI,iBAAiB;QACnB,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAC5B,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC;IAED,2EAA2E;IAC3E,IAAI,gBAAgB;QAClB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;aACrC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;aACnC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACtB,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,OAAO,CAAC,SAAkB;QACtC,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,iEAAiE;YACjE,IAAI,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,IAAI,MAAM,EAAE,EAAE,CAAC;gBAC5D,IAAI,CAAC;oBACH,MAAM,QAAQ,GACZ,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;oBAC5D,IAAI,CAAC,GAAG,CAAC,oBAAoB,GAAG,QAAQ,CAAC,oBAAoB,CAAC;gBAChE,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,OAAO,CAAC,IAAI,CACV,gDAAgD,GAAG,EAAE,OAAO,IAAI,GAAG,GAAG,CACvE,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC,GAAG,CAAC;QAClB,CAAC;QACD,IAAI,CAAC;YACH,MAAM,SAAS,GACb,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;YAC5D,MAAM,OAAO,GACX,MAAM,MAAM,CAAC,oDAAoD,CAAC,CAAC;YACrE,IAAI,oBAAoB,GAAQ,IAAI,CAAC;YACrC,IAAI,SAAS,IAAI,MAAM,EAAE,EAAE,CAAC;gBAC1B,IAAI,CAAC;oBACH,MAAM,QAAQ,GACZ,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;oBAC5D,oBAAoB,GAAG,QAAQ,CAAC,oBAAoB,CAAC;gBACvD,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,OAAO,CAAC,IAAI,CACV,gDAAgD,GAAG,EAAE,OAAO,IAAI,GAAG,GAAG,CACvE,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,IAAI,CAAC,GAAG,GAAG;gBACT,MAAM,EAAE,SAAS,CAAC,MAAM;gBACxB,oBAAoB;gBACpB,6BAA6B,EAAE,OAAO,CAAC,6BAA6B;aACrE,CAAC;YACF,OAAO,IAAI,CAAC,GAAG,CAAC;QAClB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,IAAI,CACV,wCAAwC,GAAG,EAAE,OAAO,IAAI,GAAG,uBAAuB,CACnF,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,QAAQ,CAAC,QAAoB;QAC3B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,OAAO,GAAG,EAAE;YACV,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC,CAAC;IACJ,CAAC;IAEO,UAAU;QAChB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAC/B,IAAI,CAAC;gBACH,CAAC,EAAE,CAAC;YACN,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,OAAO,CAAC,IAAI,CACV,yCAAyC,GAAG,EAAE,OAAO,IAAI,GAAG,EAAE,CAC/D,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;QACpE,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE;YACtC,sDAAsD;QACxD,CAAC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,aAAa;QACzB,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO;QACzB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAE1B,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CACxD,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK,OAAO,CAC3C,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC1C,IAAI,CAAC,GAAG;YAAE,OAAO;QAEjB,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAO,CAAC,OAAO,CAAC,CAAC;QACrD,MAAM,OAAO,CAAC,GAAG,CACf,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAC/D,CAAC;QACF,IAAI,CAAC,UAAU,EAAE,CAAC;IACpB,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,SAAS,CACrB,EAAU,EACV,GAAoB,EACpB,GAAe;QAEf,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CACV,qCAAqC,EAAE,uCAAuC,CAC/E,CAAC;QACJ,CAAC;QACD,MAAM,KAAK,GAAgB;YACzB,EAAE;YACF,MAAM,EAAE,GAAG;YACX,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE,IAAI;YACf,KAAK,EAAE,EAAE;SACV,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YACrC,OAAO,CAAC,GAAG,CACT,6BAA6B,EAAE,KAAK,KAAK,CAAC,KAAK,CAAC,MAAM,QAAQ,CAC/D,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,KAAK,CAAC,KAAK,GAAG,GAAG,EAAE,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC;YAC1C,OAAO,CAAC,IAAI,CAAC,qCAAqC,EAAE,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,KAAkB,EAClB,GAAe;QAEf,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC;QACzB,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;QAEvB,IAAI,SAAc,CAAC;QACnB,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YACxB,IAAI,CAAC,GAAG,CAAC,6BAA6B,EAAE,CAAC;gBACvC,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;YAClD,CAAC;YACD,MAAM,WAAW,GAA4B,EAAE,CAAC;YAChD,IAAI,GAAG,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvD,WAAW,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;YACpC,CAAC;YACD,SAAS,GAAG,IAAI,GAAG,CAAC,6BAA6B,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE;gBAClE,WAAW;aACZ,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;gBAC9B,MAAM,IAAI,KAAK,CACb,iEAAiE,CAClE,CAAC;YACJ,CAAC;YACD,MAAM,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;YAC7C,kEAAkE;YAClE,6DAA6D;YAC7D,+DAA+D;YAC/D,kEAAkE;YAClE,2DAA2D;YAC3D,iEAAiE;YACjE,+DAA+D;YAC/D,6DAA6D;YAC7D,0DAA0D;YAC1D,MAAM,aAAa,GAAG;gBACpB,MAAM;gBACN,MAAM;gBACN,QAAQ;gBACR,MAAM;gBACN,QAAQ;gBACR,MAAM;gBACN,OAAO;aACR,CAAC;YACF,MAAM,QAAQ,GAA2B,EAAE,CAAC;YAC5C,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;gBAC9B,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBACzB,IAAI,OAAO,CAAC,KAAK,QAAQ;oBAAE,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YAC7C,CAAC;YACD,MAAM,SAAS,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC;YAC3D,SAAS,GAAG,IAAI,GAAG,CAAC,oBAAoB,CAAC;gBACvC,OAAO;gBACP,IAAI;gBACJ,GAAG,EAAE,SAAmC;gBACxC,GAAG;aACJ,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,yBAAyB,EAAE,OAAO,EAAE,OAAO,EAAE,EACrD,EAAE,YAAY,EAAE,EAAE,EAAE,CACrB,CAAC;QAEF,qEAAqE;QACrE,wEAAwE;QACxE,0EAA0E;QAC1E,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,EAAE,CAAC;YACxC,MAAM,QAAQ,GAIT,CAAC,MAAM,EAAE,KAAK,IAAI,EAAE,CAAU,CAAC;YAEpC,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;YACtB,KAAK,CAAC,SAAS,GAAG,SAAS,CAAC;YAC5B,KAAK,CAAC,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACjC,MAAM,EAAE,KAAK,CAAC,EAAE;gBAChB,IAAI,EAAE,iBAAiB,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC;gBACzC,YAAY,EAAE,CAAC,CAAC,IAAI;gBACpB,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,IAAI;gBACpC,WAAW,EAAE,CAAC,CAAC,CAAC,WAAW,IAAI;oBAC7B,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE,EAAE;iBACf,CAA4B;aAC9B,CAAC,CAAC,CAAC;QACN,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,IAAI,MAAM,EAAE,KAAK;oBAAE,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,IAAI,CAAC;gBACH,IAAI,SAAS,EAAE,KAAK;oBAAE,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC;YAChD,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,WAAW,CAAC,SAA2B;QAM3C,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,CAC3C,IAAI,CAAC,mBAAmB,CAAC,SAAS,CAAC,CACpC,CAAC;QACF,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE;YACtC,sDAAsD;QACxD,CAAC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,mBAAmB,CAAC,SAA2B;QAM3D,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;QAExB,MAAM,WAAW,GAAG,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC;QACxC,MAAM,WAAW,GAAG,SAAS,EAAE,OAAO,IAAI,EAAE,CAAC;QAE7C,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,MAAM,SAAS,GAAa,EAAE,CAAC;QAC/B,MAAM,WAAW,GAAa,EAAE,CAAC;QAEjC,iDAAiD;QACjD,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1C,IAAI,CAAC,CAAC,EAAE,IAAI,WAAW,CAAC,EAAE,CAAC;gBACzB,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACnB,CAAC;iBAAM,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;gBAC/D,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACvB,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1C,IAAI,CAAC,CAAC,EAAE,IAAI,WAAW,CAAC;gBAAE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,YAAY,GAAG,CAAC,GAAG,OAAO,EAAE,GAAG,WAAW,CAAC,CAAC;QAClD,MAAM,OAAO,CAAC,GAAG,CACf,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;YAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACnC,IAAI,CAAC,KAAK;gBAAE,OAAO;YACnB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACxB,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,MAAM,EAAE,KAAK;oBAAE,MAAM,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACtD,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,SAAS,EAAE,KAAK;oBAAE,MAAM,KAAK,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;YAC5D,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC,CAAC,CACH,CAAC;QAEF,MAAM,SAAS,GAAG,CAAC,GAAG,KAAK,EAAE,GAAG,WAAW,CAAC,CAAC;QAC7C,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAC9B,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK,OAAO,CACtD,CAAC;YACF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC1C,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,OAAO,CAAC,GAAG,CACf,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,WAAW,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,CAChE,CAAC;YACJ,CAAC;QACH,CAAC;QAED,2EAA2E;QAC3E,6EAA6E;QAC7E,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACtB,CAAC;QAED,IAAI,CAAC,UAAU,EAAE,CAAC;QAClB,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC;IACpD,CAAC;IAED,wDAAwD;IACxD,QAAQ;QACN,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAc,EAAE,CAAC;QAC1B,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1C,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK;gBAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,QAAQ,CAAC,YAAoB,EAAE,IAAa;QAChD,MAAM,MAAM,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,cAAc,YAAY,mEAAmE,CAC9F,CAAC;QACJ,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CACb,eAAe,MAAM,CAAC,QAAQ,qBAC5B,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EACtC,EAAE,CACH,CAAC;QACJ,CAAC;QACD,2EAA2E;QAC3E,iCAAiC;QACjC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC;QAC/D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CACb,eAAe,MAAM,CAAC,QAAQ,2BAA2B,MAAM,CAAC,QAAQ,GAAG,CAC5E,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC;YACzC,IAAI,EAAE,MAAM,CAAC,QAAQ;YACrB,SAAS,EACP,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;gBAC9B,CAAC,CAAE,IAAgC;gBACnC,CAAC,CAAC,EAAE;SACT,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,yDAAyD;IACzD,KAAK,CAAC,IAAI;QACR,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACrB,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QACrB,MAAM,OAAO,CAAC,GAAG,CACf,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YAC1B,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,MAAM,EAAE,KAAK;oBAAE,MAAM,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACtD,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,SAAS,EAAE,KAAK;oBAAE,MAAM,KAAK,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;YAC5D,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,+DAA+D;IAC/D,SAAS;QAOP,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACxC,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,WAAW,EAAE,CAAC,CAAC,WAAW;SAC3B,CAAC,CAAC,CAAC;QACJ,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,KAAK;gBAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC;QAClD,CAAC;QACD,OAAO;YACL,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;YACzC,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;YACvC,UAAU,EAAE,KAAK,CAAC,MAAM;YACxB,KAAK;YACL,MAAM;SACP,CAAC;IACJ,CAAC;CACF","sourcesContent":["/**\n * McpClientManager — connects to configured MCP servers (stdio or remote\n * Streamable HTTP), enumerates their tools, and exposes a flat tool registry\n * prefixed with `mcp__<server-id>__` so the agent's tool-use loop can call them.\n *\n * Stdio servers are a strict no-op in non-Node runtimes (Cloudflare Workers,\n * browsers). HTTP servers work in any runtime with `fetch`; `reconfigure()`\n * lets callers add or remove servers at runtime without restarting the process.\n */\n\nimport type { McpConfig, McpServerConfig } from \"./config.js\";\n\nexport const MCP_TOOL_PREFIX = \"mcp__\";\n\nexport interface McpTool {\n  /** Server id the tool belongs to */\n  source: string;\n  /** Prefixed tool name (e.g. \"mcp__claude-in-chrome__navigate\") */\n  name: string;\n  /** Original name as reported by the MCP server */\n  originalName: string;\n  /** Human-readable description */\n  description: string;\n  /** JSON-Schema input spec forwarded verbatim from the server */\n  inputSchema: Record<string, unknown>;\n}\n\ninterface ServerEntry {\n  id: string;\n  config: McpServerConfig;\n  client: any | null;\n  transport: any | null;\n  tools: McpTool[];\n  error?: string;\n}\n\nfunction isNode(): boolean {\n  return (\n    typeof process !== \"undefined\" &&\n    !!(process as any).versions?.node &&\n    typeof (process as any).versions.node === \"string\"\n  );\n}\n\nfunction buildPrefixedName(serverId: string, toolName: string): string {\n  return `${MCP_TOOL_PREFIX}${serverId}__${toolName}`;\n}\n\n/**\n * Parse a prefixed tool name back into its server id and original tool name.\n * Returns `null` if the name doesn't match the MCP prefix convention.\n */\nexport function parseMcpToolName(\n  prefixedName: string,\n): { serverId: string; toolName: string } | null {\n  if (!prefixedName.startsWith(MCP_TOOL_PREFIX)) return null;\n  const rest = prefixedName.slice(MCP_TOOL_PREFIX.length);\n  const idx = rest.indexOf(\"__\");\n  if (idx < 0) return null;\n  return {\n    serverId: rest.slice(0, idx),\n    toolName: rest.slice(idx + 2),\n  };\n}\n\nexport interface McpClientManagerOptions {\n  /** Emit debug logs on startup */\n  debug?: boolean;\n}\n\nfunction sameServerConfig(a: McpServerConfig, b: McpServerConfig): boolean {\n  const typeA = a.type ?? \"stdio\";\n  const typeB = b.type ?? \"stdio\";\n  if (typeA !== typeB) return false;\n  if (typeA === \"http\" && b.type === \"http\" && a.type === \"http\") {\n    return (\n      a.url === b.url &&\n      JSON.stringify(a.headers ?? {}) === JSON.stringify(b.headers ?? {})\n    );\n  }\n  if (a.type !== \"http\" && b.type !== \"http\") {\n    return (\n      a.command === b.command &&\n      JSON.stringify(a.args ?? []) === JSON.stringify(b.args ?? []) &&\n      JSON.stringify(a.env ?? {}) === JSON.stringify(b.env ?? {}) &&\n      (a.cwd ?? \"\") === (b.cwd ?? \"\")\n    );\n  }\n  return false;\n}\n\ntype SdkModules = {\n  Client: any;\n  StdioClientTransport: any | null;\n  StreamableHTTPClientTransport: any | null;\n};\n\nexport class McpClientManager {\n  private readonly servers: Map<string, ServerEntry> = new Map();\n  private readonly debug: boolean;\n  private started = false;\n  private config: McpConfig | null;\n  private sdk: SdkModules | null = null;\n  private readonly listeners: Set<() => void> = new Set();\n  /** Serialises reconfigure()/start() — two concurrent callers would\n   * otherwise race on `this.config` and on connect/disconnect ordering. */\n  private reconfigureQueue: Promise<unknown> = Promise.resolve();\n\n  constructor(config: McpConfig | null, options: McpClientManagerOptions = {}) {\n    this.config = config;\n    this.debug = !!options.debug;\n  }\n\n  /** True when the manager has any configured servers. */\n  get enabled(): boolean {\n    return !!this.config && Object.keys(this.config.servers).length > 0;\n  }\n\n  /** Return the current config (read-only snapshot for callers that need to\n   *  merge new servers into the existing set before calling reconfigure). */\n  getConfig(): McpConfig | null {\n    return this.config;\n  }\n\n  /** List of configured server ids (whether or not they're connected). */\n  get configuredServers(): string[] {\n    if (!this.config) return [];\n    return Object.keys(this.config.servers);\n  }\n\n  /** List of server ids that successfully connected and enumerated tools. */\n  get connectedServers(): string[] {\n    return Array.from(this.servers.values())\n      .filter((s) => s.client && !s.error)\n      .map((s) => s.id);\n  }\n\n  /**\n   * Load MCP SDK modules lazily so non-Node bundles don't pull them in.\n   * Stdio transport is only loaded when a stdio server is actually configured.\n   */\n  private async loadSdk(needStdio: boolean): Promise<SdkModules | null> {\n    if (this.sdk) {\n      // If we previously loaded without stdio and now need it, top up.\n      if (needStdio && !this.sdk.StdioClientTransport && isNode()) {\n        try {\n          const stdioMod =\n            await import(\"@modelcontextprotocol/sdk/client/stdio.js\");\n          this.sdk.StdioClientTransport = stdioMod.StdioClientTransport;\n        } catch (err: any) {\n          console.warn(\n            `[mcp-client] Failed to load stdio transport: ${err?.message ?? err}.`,\n          );\n        }\n      }\n      return this.sdk;\n    }\n    try {\n      const clientMod =\n        await import(\"@modelcontextprotocol/sdk/client/index.js\");\n      const httpMod =\n        await import(\"@modelcontextprotocol/sdk/client/streamableHttp.js\");\n      let StdioClientTransport: any = null;\n      if (needStdio && isNode()) {\n        try {\n          const stdioMod =\n            await import(\"@modelcontextprotocol/sdk/client/stdio.js\");\n          StdioClientTransport = stdioMod.StdioClientTransport;\n        } catch (err: any) {\n          console.warn(\n            `[mcp-client] Failed to load stdio transport: ${err?.message ?? err}.`,\n          );\n        }\n      }\n      this.sdk = {\n        Client: clientMod.Client,\n        StdioClientTransport,\n        StreamableHTTPClientTransport: httpMod.StreamableHTTPClientTransport,\n      };\n      return this.sdk;\n    } catch (err: any) {\n      console.warn(\n        `[mcp-client] Failed to load MCP SDK: ${err?.message ?? err}. MCP tools disabled.`,\n      );\n      return null;\n    }\n  }\n\n  /**\n   * Subscribe to tool-set changes (e.g. after `reconfigure()` adds/removes\n   * servers). The listener is called *after* connect/disconnect completes.\n   * Returns an unsubscribe function.\n   */\n  onChange(listener: () => void): () => void {\n    this.listeners.add(listener);\n    return () => {\n      this.listeners.delete(listener);\n    };\n  }\n\n  private emitChange(): void {\n    for (const l of this.listeners) {\n      try {\n        l();\n      } catch (err: any) {\n        console.warn(\n          `[mcp-client] onChange listener threw: ${err?.message ?? err}`,\n        );\n      }\n    }\n  }\n\n  /**\n   * Connect to each configured MCP server (stdio or http) and enumerate tools.\n   * Individual server failures are logged and skipped — the manager stays\n   * usable with whichever servers did come up.\n   *\n   * Queued against `reconfigure()` so a `reconfigure` that lands before\n   * `start()` finishes can't race on `this.started` / `this.servers`.\n   */\n  async start(): Promise<void> {\n    const task = this.reconfigureQueue.then(() => this.startInternal());\n    this.reconfigureQueue = task.catch(() => {\n      /* failures surface on the caller, not on the queue */\n    });\n    return task;\n  }\n\n  private async startInternal(): Promise<void> {\n    if (this.started) return;\n    this.started = true;\n    if (!this.enabled) return;\n\n    const needStdio = Object.values(this.config!.servers).some(\n      (cfg) => (cfg.type ?? \"stdio\") === \"stdio\",\n    );\n    const sdk = await this.loadSdk(needStdio);\n    if (!sdk) return;\n\n    const entries = Object.entries(this.config!.servers);\n    await Promise.all(\n      entries.map(async ([id, cfg]) => this.addServer(id, cfg, sdk)),\n    );\n    this.emitChange();\n  }\n\n  /**\n   * Create a new ServerEntry and attempt to connect. Logs and records errors\n   * on the entry rather than throwing — callers iterate many servers.\n   */\n  private async addServer(\n    id: string,\n    cfg: McpServerConfig,\n    sdk: SdkModules,\n  ): Promise<void> {\n    if (this.servers.has(id)) {\n      console.warn(\n        `[mcp-client] Duplicate server ID '${id}' — overwriting previous registration`,\n      );\n    }\n    const entry: ServerEntry = {\n      id,\n      config: cfg,\n      client: null,\n      transport: null,\n      tools: [],\n    };\n    this.servers.set(id, entry);\n    try {\n      await this.connectServer(entry, sdk);\n      console.log(\n        `[mcp-client] connected to ${id}: ${entry.tools.length} tools`,\n      );\n    } catch (err: any) {\n      entry.error = err?.message ?? String(err);\n      console.warn(`[mcp-client] failed to connect to ${id}: ${entry.error}`);\n    }\n  }\n\n  private async connectServer(\n    entry: ServerEntry,\n    sdk: SdkModules,\n  ): Promise<void> {\n    const cfg = entry.config;\n    const { Client } = sdk;\n\n    let transport: any;\n    if (cfg.type === \"http\") {\n      if (!sdk.StreamableHTTPClientTransport) {\n        throw new Error(\"HTTP transport not available\");\n      }\n      const requestInit: Record<string, unknown> = {};\n      if (cfg.headers && Object.keys(cfg.headers).length > 0) {\n        requestInit.headers = cfg.headers;\n      }\n      transport = new sdk.StreamableHTTPClientTransport(new URL(cfg.url), {\n        requestInit,\n      });\n    } else {\n      if (!sdk.StdioClientTransport) {\n        throw new Error(\n          \"Stdio transport not available (needs Node runtime with MCP SDK)\",\n        );\n      }\n      const { command, args = [], env, cwd } = cfg;\n      // SECURITY: stdio MCP servers run as child processes that inherit\n      // their environment from us. We previously merged the entire\n      // `process.env` into the child, which exposed every deployment\n      // secret (A2A_SECRET, ANTHROPIC_API_KEY, BUILDER_PRIVATE_KEY, all\n      // database URLs, all platform tokens) to any MCP server in\n      // `mcp.config.json` — a malicious npx-fetched server could exfil\n      // them by reading its own env. Instead, only forward a minimal\n      // baseline plus the keys explicitly listed in `cfg.env`. See\n      // finding #10 in /tmp/security-audit/12-mcp-a2a-agent.md.\n      const ENV_ALLOWLIST = [\n        \"PATH\",\n        \"HOME\",\n        \"TMPDIR\",\n        \"LANG\",\n        \"LC_ALL\",\n        \"USER\",\n        \"SHELL\",\n      ];\n      const baseline: Record<string, string> = {};\n      for (const k of ENV_ALLOWLIST) {\n        const v = process.env[k];\n        if (typeof v === \"string\") baseline[k] = v;\n      }\n      const mergedEnv = env ? { ...baseline, ...env } : baseline;\n      transport = new sdk.StdioClientTransport({\n        command,\n        args,\n        env: mergedEnv as Record<string, string>,\n        cwd,\n      });\n    }\n\n    const client = new Client(\n      { name: \"agent-native-mcp-client\", version: \"1.0.0\" },\n      { capabilities: {} },\n    );\n\n    // If connect or listTools throws, we still need to release the child\n    // process (stdio) or pending HTTP session — otherwise repeated failures\n    // leak transports. Assign to the entry only after the handshake succeeds.\n    try {\n      await client.connect(transport);\n      const listed = await client.listTools();\n      const rawTools: Array<{\n        name: string;\n        description?: string;\n        inputSchema?: Record<string, unknown>;\n      }> = (listed?.tools ?? []) as any[];\n\n      entry.client = client;\n      entry.transport = transport;\n      entry.tools = rawTools.map((t) => ({\n        source: entry.id,\n        name: buildPrefixedName(entry.id, t.name),\n        originalName: t.name,\n        description: t.description ?? t.name,\n        inputSchema: (t.inputSchema ?? {\n          type: \"object\",\n          properties: {},\n        }) as Record<string, unknown>,\n      }));\n    } catch (err) {\n      try {\n        if (client?.close) await client.close();\n      } catch {\n        // ignore\n      }\n      try {\n        if (transport?.close) await transport.close();\n      } catch {\n        // ignore\n      }\n      throw err;\n    }\n  }\n\n  /**\n   * Replace the configured server set. Servers that appear in the new config\n   * under a different shape are reconnected; unchanged entries stay live;\n   * removed entries are disconnected. Safe to call while `start()` is in\n   * flight or after it has completed.\n   *\n   * Serialised against `start()` and any other `reconfigure()` call via the\n   * internal queue — two concurrent mutations would otherwise interleave on\n   * `this.config` and on connect/disconnect ordering.\n   *\n   * Returns a summary describing what happened for logging / UI feedback.\n   */\n  async reconfigure(newConfig: McpConfig | null): Promise<{\n    added: string[];\n    removed: string[];\n    unchanged: string[];\n    reconnected: string[];\n  }> {\n    const task = this.reconfigureQueue.then(() =>\n      this.reconfigureInternal(newConfig),\n    );\n    this.reconfigureQueue = task.catch(() => {\n      /* failures surface on the caller, not on the queue */\n    });\n    return task;\n  }\n\n  private async reconfigureInternal(newConfig: McpConfig | null): Promise<{\n    added: string[];\n    removed: string[];\n    unchanged: string[];\n    reconnected: string[];\n  }> {\n    const prev = this.config;\n    this.config = newConfig;\n\n    const prevServers = prev?.servers ?? {};\n    const nextServers = newConfig?.servers ?? {};\n\n    const added: string[] = [];\n    const removed: string[] = [];\n    const unchanged: string[] = [];\n    const reconnected: string[] = [];\n\n    // Remove entries that vanished or changed shape.\n    for (const id of Object.keys(prevServers)) {\n      if (!(id in nextServers)) {\n        removed.push(id);\n      } else if (!sameServerConfig(prevServers[id], nextServers[id])) {\n        reconnected.push(id);\n      } else {\n        unchanged.push(id);\n      }\n    }\n    for (const id of Object.keys(nextServers)) {\n      if (!(id in prevServers)) added.push(id);\n    }\n\n    const toDisconnect = [...removed, ...reconnected];\n    await Promise.all(\n      toDisconnect.map(async (id) => {\n        const entry = this.servers.get(id);\n        if (!entry) return;\n        this.servers.delete(id);\n        try {\n          if (entry.client?.close) await entry.client.close();\n        } catch {\n          // ignore\n        }\n        try {\n          if (entry.transport?.close) await entry.transport.close();\n        } catch {\n          // ignore\n        }\n      }),\n    );\n\n    const toConnect = [...added, ...reconnected];\n    if (toConnect.length > 0) {\n      const needStdio = toConnect.some(\n        (id) => (nextServers[id].type ?? \"stdio\") === \"stdio\",\n      );\n      const sdk = await this.loadSdk(needStdio);\n      if (sdk) {\n        await Promise.all(\n          toConnect.map((id) => this.addServer(id, nextServers[id], sdk)),\n        );\n      }\n    }\n\n    // If the manager was never started (e.g. empty initial config) but now has\n    // servers, mark it started so subsequent start() calls don't duplicate work.\n    if (!this.started && Object.keys(nextServers).length > 0) {\n      this.started = true;\n    }\n\n    this.emitChange();\n    return { added, removed, unchanged, reconnected };\n  }\n\n  /** Flattened tool list across all connected servers. */\n  getTools(): McpTool[] {\n    if (!this.enabled) return [];\n    const out: McpTool[] = [];\n    for (const entry of this.servers.values()) {\n      for (const tool of entry.tools) out.push(tool);\n    }\n    return out;\n  }\n\n  /**\n   * Invoke an MCP tool by prefixed name. Routes to the owning server based on\n   * the `mcp__<serverId>__` prefix.\n   */\n  async callTool(prefixedName: string, args: unknown): Promise<unknown> {\n    const parsed = parseMcpToolName(prefixedName);\n    if (!parsed) {\n      throw new Error(\n        `Tool name \"${prefixedName}\" does not look like an MCP tool (expected mcp__<server>__<tool>)`,\n      );\n    }\n    const entry = this.servers.get(parsed.serverId);\n    if (!entry || !entry.client) {\n      throw new Error(\n        `MCP server \"${parsed.serverId}\" is not connected${\n          entry?.error ? `: ${entry.error}` : \"\"\n        }`,\n      );\n    }\n    // Look up the tool so we fail loud for unknown names instead of forwarding\n    // garbage through to the server.\n    const known = entry.tools.find((t) => t.name === prefixedName);\n    if (!known) {\n      throw new Error(\n        `MCP server \"${parsed.serverId}\" does not expose tool \"${parsed.toolName}\"`,\n      );\n    }\n    const result = await entry.client.callTool({\n      name: parsed.toolName,\n      arguments:\n        args && typeof args === \"object\"\n          ? (args as Record<string, unknown>)\n          : {},\n    });\n    return result;\n  }\n\n  /** Cleanly close all MCP clients and child processes. */\n  async stop(): Promise<void> {\n    const entries = Array.from(this.servers.values());\n    this.servers.clear();\n    this.started = false;\n    await Promise.all(\n      entries.map(async (entry) => {\n        try {\n          if (entry.client?.close) await entry.client.close();\n        } catch {\n          // ignore\n        }\n        try {\n          if (entry.transport?.close) await entry.transport.close();\n        } catch {\n          // ignore\n        }\n      }),\n    );\n  }\n\n  /** Diagnostic snapshot used by `/_agent-native/mcp/status`. */\n  getStatus(): {\n    configuredServers: string[];\n    connectedServers: string[];\n    totalTools: number;\n    tools: Array<{ source: string; name: string; description: string }>;\n    errors: Record<string, string>;\n  } {\n    const tools = this.getTools().map((t) => ({\n      source: t.source,\n      name: t.name,\n      description: t.description,\n    }));\n    const errors: Record<string, string> = {};\n    for (const entry of this.servers.values()) {\n      if (entry.error) errors[entry.id] = entry.error;\n    }\n    return {\n      configuredServers: this.configuredServers,\n      connectedServers: this.connectedServers,\n      totalTools: tools.length,\n      tools,\n      errors,\n    };\n  }\n}\n"]}
+{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../src/mcp-client/manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAEpD,MAAM,CAAC,MAAM,eAAe,GAAG,OAAO,CAAC;AA0BvC,SAAS,MAAM;IACb,OAAO,CACL,OAAO,OAAO,KAAK,WAAW;QAC9B,CAAC,CAAE,OAAe,CAAC,QAAQ,EAAE,IAAI;QACjC,OAAQ,OAAe,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,CACnD,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAgB,EAAE,QAAgB;IAC3D,OAAO,GAAG,eAAe,GAAG,QAAQ,KAAK,QAAQ,EAAE,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAC9B,YAAoB;IAEpB,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,eAAe,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3D,MAAM,IAAI,GAAG,YAAY,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACzB,OAAO;QACL,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;QAC5B,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC;KAC9B,CAAC;AACJ,CAAC;AAOD,SAAS,gBAAgB,CAAC,CAAkB,EAAE,CAAkB;IAC9D,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,IAAI,OAAO,CAAC;IAChC,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,IAAI,OAAO,CAAC;IAChC,IAAI,KAAK,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAClC,IAAI,KAAK,KAAK,MAAM,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAC/D,OAAO,CACL,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG;YACf,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CACpE,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAC3C,OAAO,CACL,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,OAAO;YACvB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;YAC7D,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC;YAC3D,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,CAChC,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,KAAU,EAAE,WAAuB;IAC5D,IAAI,CAAC;QACH,IAAI,KAAK,EAAE,KAAK;YAAE,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;IACxC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,WAAW,EAAE,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CACjB,KAAU,EACV,WAAsB;IAEtB,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,CAAC,KAAK,KAAK,UAAU;QAAE,OAAO,SAAS,CAAC;IAClE,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9C,KAAK,CAAC,KAAK,GAAG,KAAK,EAAE,GAAG,IAAe,EAAE,EAAE;QACzC,IAAI,CAAC;YACH,OAAO,MAAM,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC;QACtC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,WAAW,CAAC,GAAG,CAAC,CAAC;YACjB,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC,CAAC;IACF,OAAO,GAAG,EAAE;QACV,KAAK,CAAC,KAAK,GAAG,aAAa,CAAC;IAC9B,CAAC,CAAC;AACJ,CAAC;AAQD,MAAM,OAAO,gBAAgB;IACV,OAAO,GAA6B,IAAI,GAAG,EAAE,CAAC;IAC9C,KAAK,CAAU;IACxB,OAAO,GAAG,KAAK,CAAC;IAChB,MAAM,CAAmB;IACzB,GAAG,GAAsB,IAAI,CAAC;IACrB,SAAS,GAAoB,IAAI,GAAG,EAAE,CAAC;IACxD;6EACyE;IACjE,gBAAgB,GAAqB,OAAO,CAAC,OAAO,EAAE,CAAC;IAE/D,YAAY,MAAwB,EAAE,UAAmC,EAAE;QACzE,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAC/B,CAAC;IAED,wDAAwD;IACxD,IAAI,OAAO;QACT,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IACtE,CAAC;IAED;+EAC2E;IAC3E,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,wEAAwE;IACxE,IAAI,iBAAiB;QACnB,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAC5B,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC;IAED,2EAA2E;IAC3E,IAAI,gBAAgB;QAClB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;aACrC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;aACnC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACtB,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,OAAO,CAAC,SAAkB;QACtC,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,iEAAiE;YACjE,IAAI,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,IAAI,MAAM,EAAE,EAAE,CAAC;gBAC5D,IAAI,CAAC;oBACH,MAAM,QAAQ,GACZ,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;oBAC5D,IAAI,CAAC,GAAG,CAAC,oBAAoB,GAAG,QAAQ,CAAC,oBAAoB,CAAC;gBAChE,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,OAAO,CAAC,IAAI,CACV,gDAAgD,GAAG,EAAE,OAAO,IAAI,GAAG,GAAG,CACvE,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC,GAAG,CAAC;QAClB,CAAC;QACD,IAAI,CAAC;YACH,MAAM,SAAS,GACb,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;YAC5D,MAAM,OAAO,GACX,MAAM,MAAM,CAAC,oDAAoD,CAAC,CAAC;YACrE,IAAI,oBAAoB,GAAQ,IAAI,CAAC;YACrC,IAAI,SAAS,IAAI,MAAM,EAAE,EAAE,CAAC;gBAC1B,IAAI,CAAC;oBACH,MAAM,QAAQ,GACZ,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;oBAC5D,oBAAoB,GAAG,QAAQ,CAAC,oBAAoB,CAAC;gBACvD,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,OAAO,CAAC,IAAI,CACV,gDAAgD,GAAG,EAAE,OAAO,IAAI,GAAG,GAAG,CACvE,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,IAAI,CAAC,GAAG,GAAG;gBACT,MAAM,EAAE,SAAS,CAAC,MAAM;gBACxB,oBAAoB;gBACpB,6BAA6B,EAAE,OAAO,CAAC,6BAA6B;aACrE,CAAC;YACF,OAAO,IAAI,CAAC,GAAG,CAAC;QAClB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,IAAI,CACV,wCAAwC,GAAG,EAAE,OAAO,IAAI,GAAG,uBAAuB,CACnF,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,QAAQ,CAAC,QAAoB;QAC3B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,OAAO,GAAG,EAAE;YACV,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC,CAAC;IACJ,CAAC;IAEO,UAAU;QAChB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAC/B,IAAI,CAAC;gBACH,CAAC,EAAE,CAAC;YACN,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,OAAO,CAAC,IAAI,CACV,yCAAyC,GAAG,EAAE,OAAO,IAAI,GAAG,EAAE,CAC/D,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;QACpE,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE;YACtC,sDAAsD;QACxD,CAAC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,aAAa;QACzB,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO;QACzB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAE1B,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CACxD,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK,OAAO,CAC3C,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC1C,IAAI,CAAC,GAAG;YAAE,OAAO;QAEjB,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAO,CAAC,OAAO,CAAC,CAAC;QACrD,MAAM,OAAO,CAAC,GAAG,CACf,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAC/D,CAAC;QACF,IAAI,CAAC,UAAU,EAAE,CAAC;IACpB,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,SAAS,CACrB,EAAU,EACV,GAAoB,EACpB,GAAe;QAEf,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CACV,qCAAqC,EAAE,uCAAuC,CAC/E,CAAC;QACJ,CAAC;QACD,MAAM,KAAK,GAAgB;YACzB,EAAE;YACF,MAAM,EAAE,GAAG;YACX,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE,IAAI;YACf,KAAK,EAAE,EAAE;SACV,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YACrC,OAAO,CAAC,GAAG,CACT,6BAA6B,EAAE,KAAK,KAAK,CAAC,KAAK,CAAC,MAAM,QAAQ,CAC/D,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,KAAK,CAAC,KAAK,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;YACzC,OAAO,CAAC,IAAI,CAAC,qCAAqC,EAAE,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,KAAkB,EAClB,GAAe;QAEf,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC;QACzB,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;QAEvB,IAAI,SAAc,CAAC;QACnB,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YACxB,IAAI,CAAC,GAAG,CAAC,6BAA6B,EAAE,CAAC;gBACvC,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;YAClD,CAAC;YACD,MAAM,WAAW,GAA4B,EAAE,CAAC;YAChD,IAAI,GAAG,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvD,WAAW,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;YACpC,CAAC;YACD,SAAS,GAAG,IAAI,GAAG,CAAC,6BAA6B,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE;gBAClE,WAAW;aACZ,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;gBAC9B,MAAM,IAAI,KAAK,CACb,iEAAiE,CAClE,CAAC;YACJ,CAAC;YACD,MAAM,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;YAC7C,kEAAkE;YAClE,6DAA6D;YAC7D,+DAA+D;YAC/D,kEAAkE;YAClE,2DAA2D;YAC3D,iEAAiE;YACjE,+DAA+D;YAC/D,6DAA6D;YAC7D,0DAA0D;YAC1D,MAAM,aAAa,GAAG;gBACpB,MAAM;gBACN,MAAM;gBACN,QAAQ;gBACR,MAAM;gBACN,QAAQ;gBACR,MAAM;gBACN,OAAO;aACR,CAAC;YACF,MAAM,QAAQ,GAA2B,EAAE,CAAC;YAC5C,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;gBAC9B,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBACzB,IAAI,OAAO,CAAC,KAAK,QAAQ;oBAAE,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YAC7C,CAAC;YACD,MAAM,SAAS,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC;YAC3D,SAAS,GAAG,IAAI,GAAG,CAAC,oBAAoB,CAAC;gBACvC,OAAO;gBACP,IAAI;gBACJ,GAAG,EAAE,SAAmC;gBACxC,GAAG;aACJ,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,yBAAyB,EAAE,OAAO,EAAE,OAAO,EAAE,EACrD,EAAE,YAAY,EAAE,EAAE,EAAE,CACrB,CAAC;QACF,MAAM,qBAAqB,GAAc,GAAG,EAAE,GAAE,CAAC,CAAC;QAClD,MAAM,kBAAkB,GAAG,UAAU,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;QACrE,MAAM,qBAAqB,GAAG,UAAU,CAAC,SAAS,EAAE,qBAAqB,CAAC,CAAC;QAC3E,MAAM,CAAC,OAAO,GAAG,qBAAqB,CAAC;QAEvC,qEAAqE;QACrE,wEAAwE;QACxE,0EAA0E;QAC1E,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,EAAE,CAAC;YACxC,MAAM,QAAQ,GAIT,CAAC,MAAM,EAAE,KAAK,IAAI,EAAE,CAAU,CAAC;YAEpC,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;YACtB,KAAK,CAAC,SAAS,GAAG,SAAS,CAAC;YAC5B,KAAK,CAAC,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACjC,MAAM,EAAE,KAAK,CAAC,EAAE;gBAChB,IAAI,EAAE,iBAAiB,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC;gBACzC,YAAY,EAAE,CAAC,CAAC,IAAI;gBACpB,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,IAAI;gBACpC,WAAW,EAAE,CAAC,CAAC,CAAC,WAAW,IAAI;oBAC7B,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE,EAAE;iBACf,CAA4B;aAC9B,CAAC,CAAC,CAAC;YACJ,MAAM,CAAC,OAAO,GAAG,CAAC,KAAc,EAAE,EAAE;gBAClC,KAAK,CAAC,KAAK,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;gBAC3C,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;oBACf,OAAO,CAAC,IAAI,CACV,mCAAmC,KAAK,CAAC,EAAE,KAAK,KAAK,CAAC,KAAK,EAAE,CAC9D,CAAC;gBACJ,CAAC;YACH,CAAC,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,WAAW,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;YACjD,MAAM,WAAW,CAAC,SAAS,EAAE,qBAAqB,CAAC,CAAC;YACpD,MAAM,GAAG,CAAC;QACZ,CAAC;gBAAS,CAAC;YACT,kBAAkB,EAAE,EAAE,CAAC;YACvB,qBAAqB,EAAE,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,WAAW,CAAC,SAA2B;QAM3C,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,CAC3C,IAAI,CAAC,mBAAmB,CAAC,SAAS,CAAC,CACpC,CAAC;QACF,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE;YACtC,sDAAsD;QACxD,CAAC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,mBAAmB,CAAC,SAA2B;QAM3D,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;QAExB,MAAM,WAAW,GAAG,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC;QACxC,MAAM,WAAW,GAAG,SAAS,EAAE,OAAO,IAAI,EAAE,CAAC;QAE7C,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,MAAM,SAAS,GAAa,EAAE,CAAC;QAC/B,MAAM,WAAW,GAAa,EAAE,CAAC;QAEjC,iDAAiD;QACjD,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1C,IAAI,CAAC,CAAC,EAAE,IAAI,WAAW,CAAC,EAAE,CAAC;gBACzB,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACnB,CAAC;iBAAM,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;gBAC/D,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACvB,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1C,IAAI,CAAC,CAAC,EAAE,IAAI,WAAW,CAAC;gBAAE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,YAAY,GAAG,CAAC,GAAG,OAAO,EAAE,GAAG,WAAW,CAAC,CAAC;QAClD,MAAM,OAAO,CAAC,GAAG,CACf,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;YAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACnC,IAAI,CAAC,KAAK;gBAAE,OAAO;YACnB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACxB,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,MAAM,EAAE,KAAK;oBAAE,MAAM,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACtD,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,SAAS,EAAE,KAAK;oBAAE,MAAM,KAAK,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;YAC5D,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC,CAAC,CACH,CAAC;QAEF,MAAM,SAAS,GAAG,CAAC,GAAG,KAAK,EAAE,GAAG,WAAW,CAAC,CAAC;QAC7C,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAC9B,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK,OAAO,CACtD,CAAC;YACF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC1C,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,OAAO,CAAC,GAAG,CACf,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,WAAW,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,CAChE,CAAC;YACJ,CAAC;QACH,CAAC;QAED,2EAA2E;QAC3E,6EAA6E;QAC7E,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACtB,CAAC;QAED,IAAI,CAAC,UAAU,EAAE,CAAC;QAClB,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC;IACpD,CAAC;IAED,wDAAwD;IACxD,QAAQ;QACN,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAc,EAAE,CAAC;QAC1B,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1C,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK;gBAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,QAAQ,CAAC,YAAoB,EAAE,IAAa;QAChD,MAAM,MAAM,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,cAAc,YAAY,mEAAmE,CAC9F,CAAC;QACJ,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CACb,eAAe,MAAM,CAAC,QAAQ,qBAC5B,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EACtC,EAAE,CACH,CAAC;QACJ,CAAC;QACD,2EAA2E;QAC3E,iCAAiC;QACjC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC;QAC/D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CACb,eAAe,MAAM,CAAC,QAAQ,2BAA2B,MAAM,CAAC,QAAQ,GAAG,CAC5E,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC;YACzC,IAAI,EAAE,MAAM,CAAC,QAAQ;YACrB,SAAS,EACP,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;gBAC9B,CAAC,CAAE,IAAgC;gBACnC,CAAC,CAAC,EAAE;SACT,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,yDAAyD;IACzD,KAAK,CAAC,IAAI;QACR,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACrB,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QACrB,MAAM,OAAO,CAAC,GAAG,CACf,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YAC1B,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,MAAM,EAAE,KAAK;oBAAE,MAAM,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACtD,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,SAAS,EAAE,KAAK;oBAAE,MAAM,KAAK,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;YAC5D,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,+DAA+D;IAC/D,SAAS;QAOP,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACxC,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,WAAW,EAAE,CAAC,CAAC,WAAW;SAC3B,CAAC,CAAC,CAAC;QACJ,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,KAAK;gBAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC;QAClD,CAAC;QACD,OAAO;YACL,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;YACzC,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;YACvC,UAAU,EAAE,KAAK,CAAC,MAAM;YACxB,KAAK;YACL,MAAM;SACP,CAAC;IACJ,CAAC;CACF","sourcesContent":["/**\n * McpClientManager — connects to configured MCP servers (stdio or remote\n * Streamable HTTP), enumerates their tools, and exposes a flat tool registry\n * prefixed with `mcp__<server-id>__` so the agent's tool-use loop can call them.\n *\n * Stdio servers are a strict no-op in non-Node runtimes (Cloudflare Workers,\n * browsers). HTTP servers work in any runtime with `fetch`; `reconfigure()`\n * lets callers add or remove servers at runtime without restarting the process.\n */\n\nimport type { McpConfig, McpServerConfig } from \"./config.js\";\nimport { formatMcpConnectError } from \"./errors.js\";\n\nexport const MCP_TOOL_PREFIX = \"mcp__\";\n\nexport interface McpTool {\n  /** Server id the tool belongs to */\n  source: string;\n  /** Prefixed tool name (e.g. \"mcp__claude-in-chrome__navigate\") */\n  name: string;\n  /** Original name as reported by the MCP server */\n  originalName: string;\n  /** Human-readable description */\n  description: string;\n  /** JSON-Schema input spec forwarded verbatim from the server */\n  inputSchema: Record<string, unknown>;\n}\n\ninterface ServerEntry {\n  id: string;\n  config: McpServerConfig;\n  client: any | null;\n  transport: any | null;\n  tools: McpTool[];\n  error?: string;\n}\n\ntype ErrorSink = (error: unknown) => void;\n\nfunction isNode(): boolean {\n  return (\n    typeof process !== \"undefined\" &&\n    !!(process as any).versions?.node &&\n    typeof (process as any).versions.node === \"string\"\n  );\n}\n\nfunction buildPrefixedName(serverId: string, toolName: string): string {\n  return `${MCP_TOOL_PREFIX}${serverId}__${toolName}`;\n}\n\n/**\n * Parse a prefixed tool name back into its server id and original tool name.\n * Returns `null` if the name doesn't match the MCP prefix convention.\n */\nexport function parseMcpToolName(\n  prefixedName: string,\n): { serverId: string; toolName: string } | null {\n  if (!prefixedName.startsWith(MCP_TOOL_PREFIX)) return null;\n  const rest = prefixedName.slice(MCP_TOOL_PREFIX.length);\n  const idx = rest.indexOf(\"__\");\n  if (idx < 0) return null;\n  return {\n    serverId: rest.slice(0, idx),\n    toolName: rest.slice(idx + 2),\n  };\n}\n\nexport interface McpClientManagerOptions {\n  /** Emit debug logs on startup */\n  debug?: boolean;\n}\n\nfunction sameServerConfig(a: McpServerConfig, b: McpServerConfig): boolean {\n  const typeA = a.type ?? \"stdio\";\n  const typeB = b.type ?? \"stdio\";\n  if (typeA !== typeB) return false;\n  if (typeA === \"http\" && b.type === \"http\" && a.type === \"http\") {\n    return (\n      a.url === b.url &&\n      JSON.stringify(a.headers ?? {}) === JSON.stringify(b.headers ?? {})\n    );\n  }\n  if (a.type !== \"http\" && b.type !== \"http\") {\n    return (\n      a.command === b.command &&\n      JSON.stringify(a.args ?? []) === JSON.stringify(b.args ?? []) &&\n      JSON.stringify(a.env ?? {}) === JSON.stringify(b.env ?? {}) &&\n      (a.cwd ?? \"\") === (b.cwd ?? \"\")\n    );\n  }\n  return false;\n}\n\nasync function safelyClose(value: any, recordError?: ErrorSink): Promise<void> {\n  try {\n    if (value?.close) await value.close();\n  } catch (err) {\n    recordError?.(err);\n  }\n}\n\nfunction guardClose(\n  value: any,\n  recordError: ErrorSink,\n): (() => void) | undefined {\n  if (!value || typeof value.close !== \"function\") return undefined;\n  const originalClose = value.close.bind(value);\n  value.close = async (...args: unknown[]) => {\n    try {\n      return await originalClose(...args);\n    } catch (err) {\n      recordError(err);\n      return undefined;\n    }\n  };\n  return () => {\n    value.close = originalClose;\n  };\n}\n\ntype SdkModules = {\n  Client: any;\n  StdioClientTransport: any | null;\n  StreamableHTTPClientTransport: any | null;\n};\n\nexport class McpClientManager {\n  private readonly servers: Map<string, ServerEntry> = new Map();\n  private readonly debug: boolean;\n  private started = false;\n  private config: McpConfig | null;\n  private sdk: SdkModules | null = null;\n  private readonly listeners: Set<() => void> = new Set();\n  /** Serialises reconfigure()/start() — two concurrent callers would\n   * otherwise race on `this.config` and on connect/disconnect ordering. */\n  private reconfigureQueue: Promise<unknown> = Promise.resolve();\n\n  constructor(config: McpConfig | null, options: McpClientManagerOptions = {}) {\n    this.config = config;\n    this.debug = !!options.debug;\n  }\n\n  /** True when the manager has any configured servers. */\n  get enabled(): boolean {\n    return !!this.config && Object.keys(this.config.servers).length > 0;\n  }\n\n  /** Return the current config (read-only snapshot for callers that need to\n   *  merge new servers into the existing set before calling reconfigure). */\n  getConfig(): McpConfig | null {\n    return this.config;\n  }\n\n  /** List of configured server ids (whether or not they're connected). */\n  get configuredServers(): string[] {\n    if (!this.config) return [];\n    return Object.keys(this.config.servers);\n  }\n\n  /** List of server ids that successfully connected and enumerated tools. */\n  get connectedServers(): string[] {\n    return Array.from(this.servers.values())\n      .filter((s) => s.client && !s.error)\n      .map((s) => s.id);\n  }\n\n  /**\n   * Load MCP SDK modules lazily so non-Node bundles don't pull them in.\n   * Stdio transport is only loaded when a stdio server is actually configured.\n   */\n  private async loadSdk(needStdio: boolean): Promise<SdkModules | null> {\n    if (this.sdk) {\n      // If we previously loaded without stdio and now need it, top up.\n      if (needStdio && !this.sdk.StdioClientTransport && isNode()) {\n        try {\n          const stdioMod =\n            await import(\"@modelcontextprotocol/sdk/client/stdio.js\");\n          this.sdk.StdioClientTransport = stdioMod.StdioClientTransport;\n        } catch (err: any) {\n          console.warn(\n            `[mcp-client] Failed to load stdio transport: ${err?.message ?? err}.`,\n          );\n        }\n      }\n      return this.sdk;\n    }\n    try {\n      const clientMod =\n        await import(\"@modelcontextprotocol/sdk/client/index.js\");\n      const httpMod =\n        await import(\"@modelcontextprotocol/sdk/client/streamableHttp.js\");\n      let StdioClientTransport: any = null;\n      if (needStdio && isNode()) {\n        try {\n          const stdioMod =\n            await import(\"@modelcontextprotocol/sdk/client/stdio.js\");\n          StdioClientTransport = stdioMod.StdioClientTransport;\n        } catch (err: any) {\n          console.warn(\n            `[mcp-client] Failed to load stdio transport: ${err?.message ?? err}.`,\n          );\n        }\n      }\n      this.sdk = {\n        Client: clientMod.Client,\n        StdioClientTransport,\n        StreamableHTTPClientTransport: httpMod.StreamableHTTPClientTransport,\n      };\n      return this.sdk;\n    } catch (err: any) {\n      console.warn(\n        `[mcp-client] Failed to load MCP SDK: ${err?.message ?? err}. MCP tools disabled.`,\n      );\n      return null;\n    }\n  }\n\n  /**\n   * Subscribe to tool-set changes (e.g. after `reconfigure()` adds/removes\n   * servers). The listener is called *after* connect/disconnect completes.\n   * Returns an unsubscribe function.\n   */\n  onChange(listener: () => void): () => void {\n    this.listeners.add(listener);\n    return () => {\n      this.listeners.delete(listener);\n    };\n  }\n\n  private emitChange(): void {\n    for (const l of this.listeners) {\n      try {\n        l();\n      } catch (err: any) {\n        console.warn(\n          `[mcp-client] onChange listener threw: ${err?.message ?? err}`,\n        );\n      }\n    }\n  }\n\n  /**\n   * Connect to each configured MCP server (stdio or http) and enumerate tools.\n   * Individual server failures are logged and skipped — the manager stays\n   * usable with whichever servers did come up.\n   *\n   * Queued against `reconfigure()` so a `reconfigure` that lands before\n   * `start()` finishes can't race on `this.started` / `this.servers`.\n   */\n  async start(): Promise<void> {\n    const task = this.reconfigureQueue.then(() => this.startInternal());\n    this.reconfigureQueue = task.catch(() => {\n      /* failures surface on the caller, not on the queue */\n    });\n    return task;\n  }\n\n  private async startInternal(): Promise<void> {\n    if (this.started) return;\n    this.started = true;\n    if (!this.enabled) return;\n\n    const needStdio = Object.values(this.config!.servers).some(\n      (cfg) => (cfg.type ?? \"stdio\") === \"stdio\",\n    );\n    const sdk = await this.loadSdk(needStdio);\n    if (!sdk) return;\n\n    const entries = Object.entries(this.config!.servers);\n    await Promise.all(\n      entries.map(async ([id, cfg]) => this.addServer(id, cfg, sdk)),\n    );\n    this.emitChange();\n  }\n\n  /**\n   * Create a new ServerEntry and attempt to connect. Logs and records errors\n   * on the entry rather than throwing — callers iterate many servers.\n   */\n  private async addServer(\n    id: string,\n    cfg: McpServerConfig,\n    sdk: SdkModules,\n  ): Promise<void> {\n    if (this.servers.has(id)) {\n      console.warn(\n        `[mcp-client] Duplicate server ID '${id}' — overwriting previous registration`,\n      );\n    }\n    const entry: ServerEntry = {\n      id,\n      config: cfg,\n      client: null,\n      transport: null,\n      tools: [],\n    };\n    this.servers.set(id, entry);\n    try {\n      await this.connectServer(entry, sdk);\n      console.log(\n        `[mcp-client] connected to ${id}: ${entry.tools.length} tools`,\n      );\n    } catch (err: any) {\n      entry.error = formatMcpConnectError(err);\n      console.warn(`[mcp-client] failed to connect to ${id}: ${entry.error}`);\n    }\n  }\n\n  private async connectServer(\n    entry: ServerEntry,\n    sdk: SdkModules,\n  ): Promise<void> {\n    const cfg = entry.config;\n    const { Client } = sdk;\n\n    let transport: any;\n    if (cfg.type === \"http\") {\n      if (!sdk.StreamableHTTPClientTransport) {\n        throw new Error(\"HTTP transport not available\");\n      }\n      const requestInit: Record<string, unknown> = {};\n      if (cfg.headers && Object.keys(cfg.headers).length > 0) {\n        requestInit.headers = cfg.headers;\n      }\n      transport = new sdk.StreamableHTTPClientTransport(new URL(cfg.url), {\n        requestInit,\n      });\n    } else {\n      if (!sdk.StdioClientTransport) {\n        throw new Error(\n          \"Stdio transport not available (needs Node runtime with MCP SDK)\",\n        );\n      }\n      const { command, args = [], env, cwd } = cfg;\n      // SECURITY: stdio MCP servers run as child processes that inherit\n      // their environment from us. We previously merged the entire\n      // `process.env` into the child, which exposed every deployment\n      // secret (A2A_SECRET, ANTHROPIC_API_KEY, BUILDER_PRIVATE_KEY, all\n      // database URLs, all platform tokens) to any MCP server in\n      // `mcp.config.json` — a malicious npx-fetched server could exfil\n      // them by reading its own env. Instead, only forward a minimal\n      // baseline plus the keys explicitly listed in `cfg.env`. See\n      // finding #10 in /tmp/security-audit/12-mcp-a2a-agent.md.\n      const ENV_ALLOWLIST = [\n        \"PATH\",\n        \"HOME\",\n        \"TMPDIR\",\n        \"LANG\",\n        \"LC_ALL\",\n        \"USER\",\n        \"SHELL\",\n      ];\n      const baseline: Record<string, string> = {};\n      for (const k of ENV_ALLOWLIST) {\n        const v = process.env[k];\n        if (typeof v === \"string\") baseline[k] = v;\n      }\n      const mergedEnv = env ? { ...baseline, ...env } : baseline;\n      transport = new sdk.StdioClientTransport({\n        command,\n        args,\n        env: mergedEnv as Record<string, string>,\n        cwd,\n      });\n    }\n\n    const client = new Client(\n      { name: \"agent-native-mcp-client\", version: \"1.0.0\" },\n      { capabilities: {} },\n    );\n    const recordConnectionError: ErrorSink = () => {};\n    const restoreClientClose = guardClose(client, recordConnectionError);\n    const restoreTransportClose = guardClose(transport, recordConnectionError);\n    client.onerror = recordConnectionError;\n\n    // If connect or listTools throws, we still need to release the child\n    // process (stdio) or pending HTTP session — otherwise repeated failures\n    // leak transports. Assign to the entry only after the handshake succeeds.\n    try {\n      await client.connect(transport);\n      const listed = await client.listTools();\n      const rawTools: Array<{\n        name: string;\n        description?: string;\n        inputSchema?: Record<string, unknown>;\n      }> = (listed?.tools ?? []) as any[];\n\n      entry.client = client;\n      entry.transport = transport;\n      entry.tools = rawTools.map((t) => ({\n        source: entry.id,\n        name: buildPrefixedName(entry.id, t.name),\n        originalName: t.name,\n        description: t.description ?? t.name,\n        inputSchema: (t.inputSchema ?? {\n          type: \"object\",\n          properties: {},\n        }) as Record<string, unknown>,\n      }));\n      client.onerror = (error: unknown) => {\n        entry.error = formatMcpConnectError(error);\n        if (this.debug) {\n          console.warn(\n            `[mcp-client] runtime error from ${entry.id}: ${entry.error}`,\n          );\n        }\n      };\n    } catch (err) {\n      await safelyClose(client, recordConnectionError);\n      await safelyClose(transport, recordConnectionError);\n      throw err;\n    } finally {\n      restoreClientClose?.();\n      restoreTransportClose?.();\n    }\n  }\n\n  /**\n   * Replace the configured server set. Servers that appear in the new config\n   * under a different shape are reconnected; unchanged entries stay live;\n   * removed entries are disconnected. Safe to call while `start()` is in\n   * flight or after it has completed.\n   *\n   * Serialised against `start()` and any other `reconfigure()` call via the\n   * internal queue — two concurrent mutations would otherwise interleave on\n   * `this.config` and on connect/disconnect ordering.\n   *\n   * Returns a summary describing what happened for logging / UI feedback.\n   */\n  async reconfigure(newConfig: McpConfig | null): Promise<{\n    added: string[];\n    removed: string[];\n    unchanged: string[];\n    reconnected: string[];\n  }> {\n    const task = this.reconfigureQueue.then(() =>\n      this.reconfigureInternal(newConfig),\n    );\n    this.reconfigureQueue = task.catch(() => {\n      /* failures surface on the caller, not on the queue */\n    });\n    return task;\n  }\n\n  private async reconfigureInternal(newConfig: McpConfig | null): Promise<{\n    added: string[];\n    removed: string[];\n    unchanged: string[];\n    reconnected: string[];\n  }> {\n    const prev = this.config;\n    this.config = newConfig;\n\n    const prevServers = prev?.servers ?? {};\n    const nextServers = newConfig?.servers ?? {};\n\n    const added: string[] = [];\n    const removed: string[] = [];\n    const unchanged: string[] = [];\n    const reconnected: string[] = [];\n\n    // Remove entries that vanished or changed shape.\n    for (const id of Object.keys(prevServers)) {\n      if (!(id in nextServers)) {\n        removed.push(id);\n      } else if (!sameServerConfig(prevServers[id], nextServers[id])) {\n        reconnected.push(id);\n      } else {\n        unchanged.push(id);\n      }\n    }\n    for (const id of Object.keys(nextServers)) {\n      if (!(id in prevServers)) added.push(id);\n    }\n\n    const toDisconnect = [...removed, ...reconnected];\n    await Promise.all(\n      toDisconnect.map(async (id) => {\n        const entry = this.servers.get(id);\n        if (!entry) return;\n        this.servers.delete(id);\n        try {\n          if (entry.client?.close) await entry.client.close();\n        } catch {\n          // ignore\n        }\n        try {\n          if (entry.transport?.close) await entry.transport.close();\n        } catch {\n          // ignore\n        }\n      }),\n    );\n\n    const toConnect = [...added, ...reconnected];\n    if (toConnect.length > 0) {\n      const needStdio = toConnect.some(\n        (id) => (nextServers[id].type ?? \"stdio\") === \"stdio\",\n      );\n      const sdk = await this.loadSdk(needStdio);\n      if (sdk) {\n        await Promise.all(\n          toConnect.map((id) => this.addServer(id, nextServers[id], sdk)),\n        );\n      }\n    }\n\n    // If the manager was never started (e.g. empty initial config) but now has\n    // servers, mark it started so subsequent start() calls don't duplicate work.\n    if (!this.started && Object.keys(nextServers).length > 0) {\n      this.started = true;\n    }\n\n    this.emitChange();\n    return { added, removed, unchanged, reconnected };\n  }\n\n  /** Flattened tool list across all connected servers. */\n  getTools(): McpTool[] {\n    if (!this.enabled) return [];\n    const out: McpTool[] = [];\n    for (const entry of this.servers.values()) {\n      for (const tool of entry.tools) out.push(tool);\n    }\n    return out;\n  }\n\n  /**\n   * Invoke an MCP tool by prefixed name. Routes to the owning server based on\n   * the `mcp__<serverId>__` prefix.\n   */\n  async callTool(prefixedName: string, args: unknown): Promise<unknown> {\n    const parsed = parseMcpToolName(prefixedName);\n    if (!parsed) {\n      throw new Error(\n        `Tool name \"${prefixedName}\" does not look like an MCP tool (expected mcp__<server>__<tool>)`,\n      );\n    }\n    const entry = this.servers.get(parsed.serverId);\n    if (!entry || !entry.client) {\n      throw new Error(\n        `MCP server \"${parsed.serverId}\" is not connected${\n          entry?.error ? `: ${entry.error}` : \"\"\n        }`,\n      );\n    }\n    // Look up the tool so we fail loud for unknown names instead of forwarding\n    // garbage through to the server.\n    const known = entry.tools.find((t) => t.name === prefixedName);\n    if (!known) {\n      throw new Error(\n        `MCP server \"${parsed.serverId}\" does not expose tool \"${parsed.toolName}\"`,\n      );\n    }\n    const result = await entry.client.callTool({\n      name: parsed.toolName,\n      arguments:\n        args && typeof args === \"object\"\n          ? (args as Record<string, unknown>)\n          : {},\n    });\n    return result;\n  }\n\n  /** Cleanly close all MCP clients and child processes. */\n  async stop(): Promise<void> {\n    const entries = Array.from(this.servers.values());\n    this.servers.clear();\n    this.started = false;\n    await Promise.all(\n      entries.map(async (entry) => {\n        try {\n          if (entry.client?.close) await entry.client.close();\n        } catch {\n          // ignore\n        }\n        try {\n          if (entry.transport?.close) await entry.transport.close();\n        } catch {\n          // ignore\n        }\n      }),\n    );\n  }\n\n  /** Diagnostic snapshot used by `/_agent-native/mcp/status`. */\n  getStatus(): {\n    configuredServers: string[];\n    connectedServers: string[];\n    totalTools: number;\n    tools: Array<{ source: string; name: string; description: string }>;\n    errors: Record<string, string>;\n  } {\n    const tools = this.getTools().map((t) => ({\n      source: t.source,\n      name: t.name,\n      description: t.description,\n    }));\n    const errors: Record<string, string> = {};\n    for (const entry of this.servers.values()) {\n      if (entry.error) errors[entry.id] = entry.error;\n    }\n    return {\n      configuredServers: this.configuredServers,\n      connectedServers: this.connectedServers,\n      totalTools: tools.length,\n      tools,\n      errors,\n    };\n  }\n}\n"]}

package/dist/mcp-client/routes.d.ts

@@ -14,6 +14,7 @@
 import type { McpClientManager } from "./manager.js";
 import type { McpConfig } from "./config.js";
 import { type RemoteMcpScope } from "./remote-store.js";
+export { formatMcpConnectError } from "./errors.js";
 export interface ClientServer {
     id: string;
     scope: RemoteMcpScope;
@@ -37,7 +38,6 @@ type ServerStatus = {
 } | {
     state: "unknown";
 };
-export declare function formatMcpConnectError(error: unknown): string;
 /**
  * Build the merged MCP config the manager should run with: file/env config
  * plus **every** user-scope and org-scope remote server persisted in the
@@ -52,5 +52,4 @@ export declare function formatMcpConnectError(error: unknown): string;
  */
 export declare function buildMergedConfig(): Promise<McpConfig | null>;
 export declare function mountMcpServersRoutes(nitroApp: any, manager: McpClientManager): void;
-export {};
 //# sourceMappingURL=routes.d.ts.map

package/dist/mcp-client/routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../../src/mcp-client/routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAeH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,SAAS,EAAmB,MAAM,aAAa,CAAC;AAE9D,OAAO,EAOL,KAAK,cAAc,EAEpB,MAAM,mBAAmB,CAAC;AAgC3B,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,cAAc,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,GAAG,EAAE,IAAI,CAAA;KAAE,CAAC,CAAC;IACxC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,gFAAgF;IAChF,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,KAAK,YAAY,GACb;IAAE,KAAK,EAAE,WAAW,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GACzC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GACjC;IAAE,KAAK,EAAE,SAAS,CAAA;CAAE,CAAC;AAiBzB,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAoC5D;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CA+CnE;AAmCD,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,GAAG,EACb,OAAO,EAAE,gBAAgB,GACxB,IAAI,CAoDN"}
+{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../../src/mcp-client/routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAeH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,SAAS,EAAmB,MAAM,aAAa,CAAC;AAG9D,OAAO,EAOL,KAAK,cAAc,EAEpB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AA+BpD,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,cAAc,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,GAAG,EAAE,IAAI,CAAA;KAAE,CAAC,CAAC;IACxC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,gFAAgF;IAChF,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,KAAK,YAAY,GACb;IAAE,KAAK,EAAE,WAAW,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GACzC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GACjC;IAAE,KAAK,EAAE,SAAS,CAAA;CAAE,CAAC;AAiBzB;;;;;;;;;;;GAWG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CA+CnE;AAmCD,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,GAAG,EACb,OAAO,EAAE,gBAAgB,GACxB,IAAI,CAoDN"}

package/dist/mcp-client/routes.js

@@ -18,8 +18,10 @@ import { getOrgContext } from "../org/context.js";
 import { getSession } from "../server/auth.js";
 import { getAllSettings } from "../settings/store.js";
 import { loadMcpConfig, autoDetectMcpConfig } from "./config.js";
+import { formatMcpConnectError } from "./errors.js";
 import { addRemoteServer, listRemoteServers, mergedConfigKey, removeRemoteServer, toHttpServerConfigAsync, validateRemoteUrl, } from "./remote-store.js";
 import { fetchHubServers } from "./hub-client.js";
+export { formatMcpConnectError } from "./errors.js";
 /** Redact obvious auth header values before sending to the client. */
 function redactHeaders(headers) {
     if (!headers)
@@ -56,33 +58,6 @@ function statusFor(manager, mergedId) {
     }
     return { state: "unknown" };
 }
-export function formatMcpConnectError(error) {
-    const raw = typeof error === "string"
-        ? error
-        : error instanceof Error
-            ? error.message
-            : String(error ?? "");
-    const text = raw.trim();
-    if (!text)
-        return "Could not connect to that MCP server.";
-    if (/<!doctype|<html[\s>]|<\/html>|unexpected token '<'|is not valid json/i.test(text)) {
-        return "That URL returned a web page instead of an MCP response. Check that you pasted the Streamable HTTP endpoint, often ending in /mcp.";
-    }
-    if (/streamable http/i.test(text) &&
-        /error|failed|non-200|status/i.test(text)) {
-        return "The server did not complete the Streamable HTTP MCP handshake. Check the URL and any required authorization headers.";
-    }
-    if (/failed to fetch|fetch failed|networkerror|econnrefused|enotfound|timed out/i.test(text)) {
-        return "Could not reach that MCP server. Check the URL and make sure it is publicly reachable from this app.";
-    }
-    if (/401|403|unauthorized|forbidden/i.test(text)) {
-        return "The MCP server rejected the request. Add or update the required Authorization header.";
-    }
-    if (/404|not found|405|method not allowed/i.test(text)) {
-        return "That URL is reachable, but it does not look like the MCP endpoint. Check the server's Streamable HTTP path.";
-    }
-    return text.length > 240 ? `${text.slice(0, 237).trimEnd()}...` : text;
-}
 /**
  * Build the merged MCP config the manager should run with: file/env config
  * plus **every** user-scope and org-scope remote server persisted in the