@agent-native/core 0.15.3 → 0.15.5

package/dist/tools/actions.js

@@ -0,0 +1,272 @@
+import { createTool, getTool, updateTool, updateToolContent } from "./store.js";
+import { addToolSlotTarget, installToolSlot, uninstallToolSlot, listToolsForSlot, listSlotsForTool, } from "./slots/store.js";
+export function createToolActionEntries() {
+    return {
+        "create-tool": {
+            tool: {
+                description: "Create a sandboxed Alpine.js mini-app tool. Use this when the user asks to create, build, or make a tool/widget/dashboard/calculator. The content must be a self-contained Alpine.js HTML body snippet that can use appAction(), appFetch(), dbQuery(), dbExec(), toolFetch(), and toolData.",
+                parameters: {
+                    type: "object",
+                    properties: {
+                        name: {
+                            type: "string",
+                            description: 'Short display name for the tool. Do not include "app" — e.g. name a todo app "Todos", a weather app "Weather".',
+                        },
+                        description: {
+                            type: "string",
+                            description: "One-sentence summary of what the tool does.",
+                        },
+                        content: {
+                            type: "string",
+                            description: "Self-contained Alpine.js HTML body snippet. The iframe body has no padding, so add p-4 or p-6 to the outermost element. Use semantic Tailwind colors (bg-background, text-foreground, bg-primary, etc.) for native theming. Do not include a full app build, React code, or source files.",
+                        },
+                        icon: {
+                            type: "string",
+                            description: "Optional icon name or short label.",
+                        },
+                    },
+                    required: ["name", "content"],
+                },
+            },
+            run: async (args) => {
+                const name = String(args?.name ?? "").trim();
+                const content = String(args?.content ?? "").trim();
+                if (!name)
+                    return "Error: name is required.";
+                if (!content)
+                    return "Error: content is required.";
+                const tool = await createTool({
+                    name,
+                    description: String(args?.description ?? "").trim(),
+                    content,
+                    icon: args?.icon ? String(args.icon) : undefined,
+                });
+                return {
+                    ok: true,
+                    tool,
+                    next: `Navigate to /tools/${tool.id} or use the navigate action with --view=tools --toolId=${tool.id}.`,
+                };
+            },
+        },
+        "update-tool": {
+            tool: {
+                description: "Update an existing sandboxed Alpine.js mini-app tool. Prefer patches for surgical edits; use full content replacement only when necessary.",
+                parameters: {
+                    type: "object",
+                    properties: {
+                        id: {
+                            type: "string",
+                            description: "Tool id to update.",
+                        },
+                        name: {
+                            type: "string",
+                            description: "Optional new display name.",
+                        },
+                        description: {
+                            type: "string",
+                            description: "Optional new description.",
+                        },
+                        content: {
+                            type: "string",
+                            description: "Optional full replacement Alpine.js HTML body snippet.",
+                        },
+                        patches: {
+                            type: "string",
+                            description: 'Optional JSON array of { "find": "...", "replace": "..." } patches to apply to the current content.',
+                        },
+                        icon: {
+                            type: "string",
+                            description: "Optional icon name or short label.",
+                        },
+                        visibility: {
+                            type: "string",
+                            description: "Optional sharing visibility.",
+                            enum: ["private", "org", "public"],
+                        },
+                    },
+                    required: ["id"],
+                },
+            },
+            run: async (args) => {
+                const id = String(args?.id ?? "").trim();
+                if (!id)
+                    return "Error: id is required.";
+                let result = null;
+                if (args?.content !== undefined || args?.patches !== undefined) {
+                    const patches = parsePatches(args.patches);
+                    if (args?.patches !== undefined && !patches) {
+                        return "Error: patches must be a JSON array of { find, replace } objects.";
+                    }
+                    result = await updateToolContent(id, {
+                        content: args?.content !== undefined ? String(args.content) : undefined,
+                        patches,
+                    });
+                }
+                const meta = {};
+                if (args?.name !== undefined)
+                    meta.name = String(args.name).trim();
+                if (args?.description !== undefined) {
+                    meta.description = String(args.description).trim();
+                }
+                if (args?.icon !== undefined)
+                    meta.icon = String(args.icon);
+                if (args?.visibility !== undefined) {
+                    meta.visibility = String(args.visibility);
+                }
+                if (Object.keys(meta).length > 0) {
+                    result = await updateTool(id, meta);
+                }
+                if (!result)
+                    result = await getTool(id);
+                if (!result)
+                    return `Error: tool not found: ${id}`;
+                return { ok: true, tool: result };
+            },
+        },
+        "add-tool-slot-target": {
+            tool: {
+                description: 'Declare that a tool can render in a UI extension-point slot of an app (e.g. "mail.contact-sidebar.bottom"). Apps drop ExtensionSlot components in their UI; this action registers a tool as installable into one of those slots. Slot IDs follow the convention <app>.<area>.<position>. Caller must have editor access to the tool.',
+                parameters: {
+                    type: "object",
+                    properties: {
+                        toolId: { type: "string", description: "Tool id." },
+                        slotId: {
+                            type: "string",
+                            description: 'Slot identifier — e.g. "mail.contact-sidebar.bottom".',
+                        },
+                        config: {
+                            type: "string",
+                            description: "Optional JSON string with slot-specific config (defaults, hints, etc.).",
+                        },
+                    },
+                    required: ["toolId", "slotId"],
+                },
+            },
+            run: async (args) => {
+                const toolId = String(args?.toolId ?? "").trim();
+                const slotId = String(args?.slotId ?? "").trim();
+                if (!toolId)
+                    return "Error: toolId is required.";
+                if (!slotId)
+                    return "Error: slotId is required.";
+                const row = await addToolSlotTarget(toolId, slotId, args?.config ? String(args.config) : undefined);
+                return { ok: true, slot: row };
+            },
+        },
+        "install-extension": {
+            tool: {
+                description: "Install a tool as a widget in an extension-point slot for the current user. The tool must already declare the slot via add-tool-slot-target. Per-user installation — only affects the calling user's view. Use after creating a tool that targets a slot, or when the user asks to add an existing widget to a slot.",
+                parameters: {
+                    type: "object",
+                    properties: {
+                        toolId: { type: "string", description: "Tool id to install." },
+                        slotId: {
+                            type: "string",
+                            description: 'Slot identifier — e.g. "mail.contact-sidebar.bottom".',
+                        },
+                        position: {
+                            type: "number",
+                            description: "Optional integer position within the slot (lower = earlier). Defaults to end.",
+                        },
+                        config: {
+                            type: "string",
+                            description: "Optional JSON string with per-install config (overrides, settings).",
+                        },
+                    },
+                    required: ["toolId", "slotId"],
+                },
+            },
+            run: async (args) => {
+                const toolId = String(args?.toolId ?? "").trim();
+                const slotId = String(args?.slotId ?? "").trim();
+                if (!toolId)
+                    return "Error: toolId is required.";
+                if (!slotId)
+                    return "Error: slotId is required.";
+                const position = args?.position !== undefined && args.position !== null
+                    ? Number(args.position)
+                    : undefined;
+                const row = await installToolSlot(toolId, slotId, {
+                    position: Number.isFinite(position) ? position : undefined,
+                    config: args?.config ? String(args.config) : undefined,
+                });
+                return { ok: true, install: row };
+            },
+        },
+        "uninstall-extension": {
+            tool: {
+                description: "Remove a tool from an extension-point slot for the current user. Does not delete the tool itself.",
+                parameters: {
+                    type: "object",
+                    properties: {
+                        toolId: { type: "string", description: "Tool id." },
+                        slotId: { type: "string", description: "Slot identifier." },
+                    },
+                    required: ["toolId", "slotId"],
+                },
+            },
+            run: async (args) => {
+                const toolId = String(args?.toolId ?? "").trim();
+                const slotId = String(args?.slotId ?? "").trim();
+                if (!toolId)
+                    return "Error: toolId is required.";
+                if (!slotId)
+                    return "Error: slotId is required.";
+                await uninstallToolSlot(toolId, slotId);
+                return { ok: true };
+            },
+        },
+        "list-tools-for-slot": {
+            tool: {
+                description: "List tools the current user has access to that declare a given extension-point slot. Use to discover what's available to install into a slot the user mentioned.",
+                parameters: {
+                    type: "object",
+                    properties: {
+                        slotId: { type: "string", description: "Slot identifier." },
+                    },
+                    required: ["slotId"],
+                },
+            },
+            run: async (args) => {
+                const slotId = String(args?.slotId ?? "").trim();
+                if (!slotId)
+                    return "Error: slotId is required.";
+                return { tools: await listToolsForSlot(slotId) };
+            },
+            readOnly: true,
+        },
+        "list-tool-slots": {
+            tool: {
+                description: "List the extension-point slots a specific tool declares it can render in. Caller must have viewer access to the tool.",
+                parameters: {
+                    type: "object",
+                    properties: {
+                        toolId: { type: "string", description: "Tool id." },
+                    },
+                    required: ["toolId"],
+                },
+            },
+            run: async (args) => {
+                const toolId = String(args?.toolId ?? "").trim();
+                if (!toolId)
+                    return "Error: toolId is required.";
+                return { slots: await listSlotsForTool(toolId) };
+            },
+            readOnly: true,
+        },
+    };
+}
+function parsePatches(value) {
+    if (value === undefined)
+        return undefined;
+    const parsed = typeof value === "string" ? JSON.parse(value) : value;
+    if (!Array.isArray(parsed))
+        return undefined;
+    if (parsed.some((patch) => !patch ||
+        typeof patch.find !== "string" ||
+        typeof patch.replace !== "string")) {
+        return undefined;
+    }
+    return parsed;
+}
+//# sourceMappingURL=actions.js.map

package/dist/tools/actions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"actions.js","sourceRoot":"","sources":["../../src/tools/actions.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAChF,OAAO,EACL,iBAAiB,EACjB,eAAe,EACf,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,kBAAkB,CAAC;AAI1B,MAAM,UAAU,uBAAuB;IACrC,OAAO;QACL,aAAa,EAAE;YACb,IAAI,EAAE;gBACJ,WAAW,EACT,8RAA8R;gBAChS,UAAU,EAAE;oBACV,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,IAAI,EAAE;4BACJ,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,gHAAgH;yBACnH;wBACD,WAAW,EAAE;4BACX,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,6CAA6C;yBAC3D;wBACD,OAAO,EAAE;4BACP,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,2RAA2R;yBAC9R;wBACD,IAAI,EAAE;4BACJ,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,oCAAoC;yBAClD;qBACF;oBACD,QAAQ,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC;iBAC9B;aACF;YACD,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBAClB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC7C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACnD,IAAI,CAAC,IAAI;oBAAE,OAAO,0BAA0B,CAAC;gBAC7C,IAAI,CAAC,OAAO;oBAAE,OAAO,6BAA6B,CAAC;gBAEnD,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC;oBAC5B,IAAI;oBACJ,WAAW,EAAE,MAAM,CAAC,IAAI,EAAE,WAAW,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE;oBACnD,OAAO;oBACP,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;iBACjD,CAAC,CAAC;gBAEH,OAAO;oBACL,EAAE,EAAE,IAAI;oBACR,IAAI;oBACJ,IAAI,EAAE,sBAAsB,IAAI,CAAC,EAAE,0DAA0D,IAAI,CAAC,EAAE,GAAG;iBACxG,CAAC;YACJ,CAAC;SACF;QAED,aAAa,EAAE;YACb,IAAI,EAAE;gBACJ,WAAW,EACT,4IAA4I;gBAC9I,UAAU,EAAE;oBACV,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,EAAE,EAAE;4BACF,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,oBAAoB;yBAClC;wBACD,IAAI,EAAE;4BACJ,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,4BAA4B;yBAC1C;wBACD,WAAW,EAAE;4BACX,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,2BAA2B;yBACzC;wBACD,OAAO,EAAE;4BACP,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,wDAAwD;yBAC3D;wBACD,OAAO,EAAE;4BACP,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,qGAAqG;yBACxG;wBACD,IAAI,EAAE;4BACJ,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,oCAAoC;yBAClD;wBACD,UAAU,EAAE;4BACV,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,8BAA8B;4BAC3C,IAAI,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,QAAQ,CAAC;yBACnC;qBACF;oBACD,QAAQ,EAAE,CAAC,IAAI,CAAC;iBACjB;aACF;YACD,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBAClB,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACzC,IAAI,CAAC,EAAE;oBAAE,OAAO,wBAAwB,CAAC;gBAEzC,IAAI,MAAM,GAAG,IAAI,CAAC;gBAClB,IAAI,IAAI,EAAE,OAAO,KAAK,SAAS,IAAI,IAAI,EAAE,OAAO,KAAK,SAAS,EAAE,CAAC;oBAC/D,MAAM,OAAO,GAAG,YAAY,CAAE,IAAY,CAAC,OAAO,CAAC,CAAC;oBACpD,IAAI,IAAI,EAAE,OAAO,KAAK,SAAS,IAAI,CAAC,OAAO,EAAE,CAAC;wBAC5C,OAAO,mEAAmE,CAAC;oBAC7E,CAAC;oBACD,MAAM,GAAG,MAAM,iBAAiB,CAAC,EAAE,EAAE;wBACnC,OAAO,EACL,IAAI,EAAE,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS;wBAChE,OAAO;qBACR,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,IAAI,GAA2B,EAAE,CAAC;gBACxC,IAAI,IAAI,EAAE,IAAI,KAAK,SAAS;oBAAE,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;gBACnE,IAAI,IAAI,EAAE,WAAW,KAAK,SAAS,EAAE,CAAC;oBACpC,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,IAAI,EAAE,CAAC;gBACrD,CAAC;gBACD,IAAI,IAAI,EAAE,IAAI,KAAK,SAAS;oBAAE,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC5D,IAAI,IAAI,EAAE,UAAU,KAAK,SAAS,EAAE,CAAC;oBACnC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBAC5C,CAAC;gBACD,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACjC,MAAM,GAAG,MAAM,UAAU,CAAC,EAAE,EAAE,IAAW,CAAC,CAAC;gBAC7C,CAAC;gBAED,IAAI,CAAC,MAAM;oBAAE,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;gBACxC,IAAI,CAAC,MAAM;oBAAE,OAAO,0BAA0B,EAAE,EAAE,CAAC;gBACnD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;YACpC,CAAC;SACF;QAED,sBAAsB,EAAE;YACtB,IAAI,EAAE;gBACJ,WAAW,EACT,sUAAsU;gBACxU,UAAU,EAAE;oBACV,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE;wBACnD,MAAM,EAAE;4BACN,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,uDAAuD;yBAC1D;wBACD,MAAM,EAAE;4BACN,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,yEAAyE;yBAC5E;qBACF;oBACD,QAAQ,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;iBAC/B;aACF;YACD,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBAClB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACjD,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACjD,IAAI,CAAC,MAAM;oBAAE,OAAO,4BAA4B,CAAC;gBACjD,IAAI,CAAC,MAAM;oBAAE,OAAO,4BAA4B,CAAC;gBACjD,MAAM,GAAG,GAAG,MAAM,iBAAiB,CACjC,MAAM,EACN,MAAM,EACN,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAC/C,CAAC;gBACF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;YACjC,CAAC;SACF;QAED,mBAAmB,EAAE;YACnB,IAAI,EAAE;gBACJ,WAAW,EACT,sTAAsT;gBACxT,UAAU,EAAE;oBACV,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,qBAAqB,EAAE;wBAC9D,MAAM,EAAE;4BACN,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,uDAAuD;yBAC1D;wBACD,QAAQ,EAAE;4BACR,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,+EAA+E;yBAClF;wBACD,MAAM,EAAE;4BACN,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,qEAAqE;yBACxE;qBACF;oBACD,QAAQ,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;iBAC/B;aACF;YACD,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBAClB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACjD,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACjD,IAAI,CAAC,MAAM;oBAAE,OAAO,4BAA4B,CAAC;gBACjD,IAAI,CAAC,MAAM;oBAAE,OAAO,4BAA4B,CAAC;gBACjD,MAAM,QAAQ,GACZ,IAAI,EAAE,QAAQ,KAAK,SAAS,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI;oBACpD,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC;oBACvB,CAAC,CAAC,SAAS,CAAC;gBAChB,MAAM,GAAG,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE;oBAChD,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAkB,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;oBACpE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS;iBACvD,CAAC,CAAC;gBACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;YACpC,CAAC;SACF;QAED,qBAAqB,EAAE;YACrB,IAAI,EAAE;gBACJ,WAAW,EACT,mGAAmG;gBACrG,UAAU,EAAE;oBACV,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE;wBACnD,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,kBAAkB,EAAE;qBAC5D;oBACD,QAAQ,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;iBAC/B;aACF;YACD,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBAClB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACjD,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACjD,IAAI,CAAC,MAAM;oBAAE,OAAO,4BAA4B,CAAC;gBACjD,IAAI,CAAC,MAAM;oBAAE,OAAO,4BAA4B,CAAC;gBACjD,MAAM,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBACxC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;YACtB,CAAC;SACF;QAED,qBAAqB,EAAE;YACrB,IAAI,EAAE;gBACJ,WAAW,EACT,kKAAkK;gBACpK,UAAU,EAAE;oBACV,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,kBAAkB,EAAE;qBAC5D;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;aACF;YACD,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBAClB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACjD,IAAI,CAAC,MAAM;oBAAE,OAAO,4BAA4B,CAAC;gBACjD,OAAO,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC;YACnD,CAAC;YACD,QAAQ,EAAE,IAAI;SACf;QAED,iBAAiB,EAAE;YACjB,IAAI,EAAE;gBACJ,WAAW,EACT,uHAAuH;gBACzH,UAAU,EAAE;oBACV,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE;qBACpD;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;aACF;YACD,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;gBAClB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACjD,IAAI,CAAC,MAAM;oBAAE,OAAO,4BAA4B,CAAC;gBACjD,OAAO,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC;YACnD,CAAC;YACD,QAAQ,EAAE,IAAI;SACf;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,MAAM,MAAM,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IACrE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,SAAS,CAAC;IAC7C,IACE,MAAM,CAAC,IAAI,CACT,CAAC,KAAK,EAAE,EAAE,CACR,CAAC,KAAK;QACN,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;QAC9B,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,CACpC,EACD,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["import type { ActionEntry } from \"../agent/production-agent.js\";\nimport { createTool, getTool, updateTool, updateToolContent } from \"./store.js\";\nimport {\n  addToolSlotTarget,\n  installToolSlot,\n  uninstallToolSlot,\n  listToolsForSlot,\n  listSlotsForTool,\n} from \"./slots/store.js\";\n\ntype ToolPatch = { find: string; replace: string };\n\nexport function createToolActionEntries(): Record<string, ActionEntry> {\n  return {\n    \"create-tool\": {\n      tool: {\n        description:\n          \"Create a sandboxed Alpine.js mini-app tool. Use this when the user asks to create, build, or make a tool/widget/dashboard/calculator. The content must be a self-contained Alpine.js HTML body snippet that can use appAction(), appFetch(), dbQuery(), dbExec(), toolFetch(), and toolData.\",\n        parameters: {\n          type: \"object\",\n          properties: {\n            name: {\n              type: \"string\",\n              description:\n                'Short display name for the tool. Do not include \"app\" — e.g. name a todo app \"Todos\", a weather app \"Weather\".',\n            },\n            description: {\n              type: \"string\",\n              description: \"One-sentence summary of what the tool does.\",\n            },\n            content: {\n              type: \"string\",\n              description:\n                \"Self-contained Alpine.js HTML body snippet. The iframe body has no padding, so add p-4 or p-6 to the outermost element. Use semantic Tailwind colors (bg-background, text-foreground, bg-primary, etc.) for native theming. Do not include a full app build, React code, or source files.\",\n            },\n            icon: {\n              type: \"string\",\n              description: \"Optional icon name or short label.\",\n            },\n          },\n          required: [\"name\", \"content\"],\n        },\n      },\n      run: async (args) => {\n        const name = String(args?.name ?? \"\").trim();\n        const content = String(args?.content ?? \"\").trim();\n        if (!name) return \"Error: name is required.\";\n        if (!content) return \"Error: content is required.\";\n\n        const tool = await createTool({\n          name,\n          description: String(args?.description ?? \"\").trim(),\n          content,\n          icon: args?.icon ? String(args.icon) : undefined,\n        });\n\n        return {\n          ok: true,\n          tool,\n          next: `Navigate to /tools/${tool.id} or use the navigate action with --view=tools --toolId=${tool.id}.`,\n        };\n      },\n    },\n\n    \"update-tool\": {\n      tool: {\n        description:\n          \"Update an existing sandboxed Alpine.js mini-app tool. Prefer patches for surgical edits; use full content replacement only when necessary.\",\n        parameters: {\n          type: \"object\",\n          properties: {\n            id: {\n              type: \"string\",\n              description: \"Tool id to update.\",\n            },\n            name: {\n              type: \"string\",\n              description: \"Optional new display name.\",\n            },\n            description: {\n              type: \"string\",\n              description: \"Optional new description.\",\n            },\n            content: {\n              type: \"string\",\n              description:\n                \"Optional full replacement Alpine.js HTML body snippet.\",\n            },\n            patches: {\n              type: \"string\",\n              description:\n                'Optional JSON array of { \"find\": \"...\", \"replace\": \"...\" } patches to apply to the current content.',\n            },\n            icon: {\n              type: \"string\",\n              description: \"Optional icon name or short label.\",\n            },\n            visibility: {\n              type: \"string\",\n              description: \"Optional sharing visibility.\",\n              enum: [\"private\", \"org\", \"public\"],\n            },\n          },\n          required: [\"id\"],\n        },\n      },\n      run: async (args) => {\n        const id = String(args?.id ?? \"\").trim();\n        if (!id) return \"Error: id is required.\";\n\n        let result = null;\n        if (args?.content !== undefined || args?.patches !== undefined) {\n          const patches = parsePatches((args as any).patches);\n          if (args?.patches !== undefined && !patches) {\n            return \"Error: patches must be a JSON array of { find, replace } objects.\";\n          }\n          result = await updateToolContent(id, {\n            content:\n              args?.content !== undefined ? String(args.content) : undefined,\n            patches,\n          });\n        }\n\n        const meta: Record<string, string> = {};\n        if (args?.name !== undefined) meta.name = String(args.name).trim();\n        if (args?.description !== undefined) {\n          meta.description = String(args.description).trim();\n        }\n        if (args?.icon !== undefined) meta.icon = String(args.icon);\n        if (args?.visibility !== undefined) {\n          meta.visibility = String(args.visibility);\n        }\n        if (Object.keys(meta).length > 0) {\n          result = await updateTool(id, meta as any);\n        }\n\n        if (!result) result = await getTool(id);\n        if (!result) return `Error: tool not found: ${id}`;\n        return { ok: true, tool: result };\n      },\n    },\n\n    \"add-tool-slot-target\": {\n      tool: {\n        description:\n          'Declare that a tool can render in a UI extension-point slot of an app (e.g. \"mail.contact-sidebar.bottom\"). Apps drop ExtensionSlot components in their UI; this action registers a tool as installable into one of those slots. Slot IDs follow the convention <app>.<area>.<position>. Caller must have editor access to the tool.',\n        parameters: {\n          type: \"object\",\n          properties: {\n            toolId: { type: \"string\", description: \"Tool id.\" },\n            slotId: {\n              type: \"string\",\n              description:\n                'Slot identifier — e.g. \"mail.contact-sidebar.bottom\".',\n            },\n            config: {\n              type: \"string\",\n              description:\n                \"Optional JSON string with slot-specific config (defaults, hints, etc.).\",\n            },\n          },\n          required: [\"toolId\", \"slotId\"],\n        },\n      },\n      run: async (args) => {\n        const toolId = String(args?.toolId ?? \"\").trim();\n        const slotId = String(args?.slotId ?? \"\").trim();\n        if (!toolId) return \"Error: toolId is required.\";\n        if (!slotId) return \"Error: slotId is required.\";\n        const row = await addToolSlotTarget(\n          toolId,\n          slotId,\n          args?.config ? String(args.config) : undefined,\n        );\n        return { ok: true, slot: row };\n      },\n    },\n\n    \"install-extension\": {\n      tool: {\n        description:\n          \"Install a tool as a widget in an extension-point slot for the current user. The tool must already declare the slot via add-tool-slot-target. Per-user installation — only affects the calling user's view. Use after creating a tool that targets a slot, or when the user asks to add an existing widget to a slot.\",\n        parameters: {\n          type: \"object\",\n          properties: {\n            toolId: { type: \"string\", description: \"Tool id to install.\" },\n            slotId: {\n              type: \"string\",\n              description:\n                'Slot identifier — e.g. \"mail.contact-sidebar.bottom\".',\n            },\n            position: {\n              type: \"number\",\n              description:\n                \"Optional integer position within the slot (lower = earlier). Defaults to end.\",\n            },\n            config: {\n              type: \"string\",\n              description:\n                \"Optional JSON string with per-install config (overrides, settings).\",\n            },\n          },\n          required: [\"toolId\", \"slotId\"],\n        },\n      },\n      run: async (args) => {\n        const toolId = String(args?.toolId ?? \"\").trim();\n        const slotId = String(args?.slotId ?? \"\").trim();\n        if (!toolId) return \"Error: toolId is required.\";\n        if (!slotId) return \"Error: slotId is required.\";\n        const position =\n          args?.position !== undefined && args.position !== null\n            ? Number(args.position)\n            : undefined;\n        const row = await installToolSlot(toolId, slotId, {\n          position: Number.isFinite(position as number) ? position : undefined,\n          config: args?.config ? String(args.config) : undefined,\n        });\n        return { ok: true, install: row };\n      },\n    },\n\n    \"uninstall-extension\": {\n      tool: {\n        description:\n          \"Remove a tool from an extension-point slot for the current user. Does not delete the tool itself.\",\n        parameters: {\n          type: \"object\",\n          properties: {\n            toolId: { type: \"string\", description: \"Tool id.\" },\n            slotId: { type: \"string\", description: \"Slot identifier.\" },\n          },\n          required: [\"toolId\", \"slotId\"],\n        },\n      },\n      run: async (args) => {\n        const toolId = String(args?.toolId ?? \"\").trim();\n        const slotId = String(args?.slotId ?? \"\").trim();\n        if (!toolId) return \"Error: toolId is required.\";\n        if (!slotId) return \"Error: slotId is required.\";\n        await uninstallToolSlot(toolId, slotId);\n        return { ok: true };\n      },\n    },\n\n    \"list-tools-for-slot\": {\n      tool: {\n        description:\n          \"List tools the current user has access to that declare a given extension-point slot. Use to discover what's available to install into a slot the user mentioned.\",\n        parameters: {\n          type: \"object\",\n          properties: {\n            slotId: { type: \"string\", description: \"Slot identifier.\" },\n          },\n          required: [\"slotId\"],\n        },\n      },\n      run: async (args) => {\n        const slotId = String(args?.slotId ?? \"\").trim();\n        if (!slotId) return \"Error: slotId is required.\";\n        return { tools: await listToolsForSlot(slotId) };\n      },\n      readOnly: true,\n    },\n\n    \"list-tool-slots\": {\n      tool: {\n        description:\n          \"List the extension-point slots a specific tool declares it can render in. Caller must have viewer access to the tool.\",\n        parameters: {\n          type: \"object\",\n          properties: {\n            toolId: { type: \"string\", description: \"Tool id.\" },\n          },\n          required: [\"toolId\"],\n        },\n      },\n      run: async (args) => {\n        const toolId = String(args?.toolId ?? \"\").trim();\n        if (!toolId) return \"Error: toolId is required.\";\n        return { slots: await listSlotsForTool(toolId) };\n      },\n      readOnly: true,\n    },\n  };\n}\n\nfunction parsePatches(value: unknown): ToolPatch[] | undefined {\n  if (value === undefined) return undefined;\n  const parsed = typeof value === \"string\" ? JSON.parse(value) : value;\n  if (!Array.isArray(parsed)) return undefined;\n  if (\n    parsed.some(\n      (patch) =>\n        !patch ||\n        typeof patch.find !== \"string\" ||\n        typeof patch.replace !== \"string\",\n    )\n  ) {\n    return undefined;\n  }\n  return parsed;\n}\n"]}

package/dist/tools/fetch-tool.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Fetch tool — outbound HTTP for automations and agent use.
+ *
+ * Supports ${keys.NAME} reference substitution in URL, headers, and body.
+ * Values are resolved server-side AFTER the model emits the tool call —
+ * the raw secret never enters the model's context.
+ */
+import type { ActionEntry } from "../agent/production-agent.js";
+export interface FetchToolOptions {
+    /** Resolve ${keys.NAME} references. Injected by the plugin at setup time. */
+    resolveKeys?: (text: string) => Promise<{
+        resolved: string;
+        usedKeys: string[];
+        secretValues?: string[];
+    }>;
+    /** Validate URL against per-key allowlists. */
+    validateUrl?: (url: string, usedKeys: string[]) => Promise<boolean>;
+}
+/**
+ * Create the fetch tool entry for the agent tool registry.
+ */
+export declare function createFetchToolEntry(opts?: FetchToolOptions): Record<string, ActionEntry>;
+//# sourceMappingURL=fetch-tool.d.ts.map

package/dist/tools/fetch-tool.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch-tool.d.ts","sourceRoot":"","sources":["../../src/tools/fetch-tool.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAchE,MAAM,WAAW,gBAAgB;IAC/B,6EAA6E;IAC7E,WAAW,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC;QACtC,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;KACzB,CAAC,CAAC;IACH,+CAA+C;IAC/C,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CACrE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,GAAE,gBAAqB,GAC1B,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAgM7B"}

package/dist/tools/fetch-tool.js

@@ -0,0 +1,178 @@
+/**
+ * Fetch tool — outbound HTTP for automations and agent use.
+ *
+ * Supports ${keys.NAME} reference substitution in URL, headers, and body.
+ * Values are resolved server-side AFTER the model emits the tool call —
+ * the raw secret never enters the model's context.
+ */
+import { collectSecretValues, MAX_TOOL_PROXY_RESPONSE_SIZE, normalizeToolProxyMethod, readResponseTextWithLimit, redactSecrets, redactString, sanitizeOutboundHeaders, } from "./proxy-security.js";
+import { isBlockedToolUrlWithDns } from "./url-safety.js";
+const DEFAULT_TIMEOUT_MS = 15_000;
+/**
+ * Create the fetch tool entry for the agent tool registry.
+ */
+export function createFetchToolEntry(opts = {}) {
+    return {
+        "web-request": {
+            tool: {
+                description: `Make an outbound HTTP request to EXTERNAL APIs, webhooks, and services only. Supports \${keys.NAME} placeholders in url, headers, and body — these are resolved server-side from the user's saved keys (the raw value never enters your context). Example: \${keys.SLACK_WEBHOOK} in the url field. IMPORTANT: Never use this to call internal /_agent-native/ endpoints or localhost action URLs — use the registered action tools directly (e.g. \`log-meal\`, \`bigquery\`, \`hubspot-deals\`). Actions are already available as native tools; calling them via HTTP is slower and bypasses validation.`,
+                parameters: {
+                    type: "object",
+                    properties: {
+                        url: {
+                            type: "string",
+                            description: 'Full URL. May contain ${keys.NAME} references, e.g. "${keys.SLACK_WEBHOOK}".',
+                        },
+                        method: {
+                            type: "string",
+                            description: "HTTP method. Default: GET.",
+                            enum: ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD"],
+                        },
+                        headers: {
+                            type: "string",
+                            description: 'JSON object of headers. May contain ${keys.NAME} references. Example: \'{"Authorization": "Bearer ${keys.API_TOKEN}"}\'.',
+                        },
+                        body: {
+                            type: "string",
+                            description: "Request body (for POST/PUT/PATCH). May contain ${keys.NAME} references.",
+                        },
+                        timeout_ms: {
+                            type: "number",
+                            description: `Timeout in milliseconds. Default: ${DEFAULT_TIMEOUT_MS}. Max: 30000.`,
+                        },
+                    },
+                    required: ["url"],
+                },
+            },
+            run: async (args) => {
+                const startTime = Date.now();
+                const rawUrl = args.url;
+                const method = normalizeToolProxyMethod(args.method || "GET");
+                if (!method) {
+                    return "Unsupported HTTP method. Allowed methods: GET, POST, PUT, PATCH, DELETE, HEAD.";
+                }
+                const rawHeaders = args.headers || "{}";
+                const rawBody = args.body;
+                const timeoutMs = Math.min(Number(args.timeout_ms) || DEFAULT_TIMEOUT_MS, 30_000);
+                // Resolve key references
+                let resolvedUrl = rawUrl;
+                let resolvedHeaders = rawHeaders;
+                let resolvedBody = rawBody;
+                const allUsedKeys = [];
+                const allSecretValues = [];
+                if (opts.resolveKeys) {
+                    try {
+                        const urlResult = await opts.resolveKeys(rawUrl);
+                        resolvedUrl = urlResult.resolved;
+                        allUsedKeys.push(...urlResult.usedKeys);
+                        allSecretValues.push(...(urlResult.secretValues ?? []));
+                        const headerResult = await opts.resolveKeys(rawHeaders);
+                        resolvedHeaders = headerResult.resolved;
+                        allUsedKeys.push(...headerResult.usedKeys);
+                        allSecretValues.push(...(headerResult.secretValues ?? []));
+                        if (rawBody) {
+                            const bodyResult = await opts.resolveKeys(rawBody);
+                            resolvedBody = bodyResult.resolved;
+                            allUsedKeys.push(...bodyResult.usedKeys);
+                            allSecretValues.push(...(bodyResult.secretValues ?? []));
+                        }
+                    }
+                    catch (err) {
+                        return `Error resolving key references: ${err?.message ?? err}`;
+                    }
+                }
+                const secretValues = collectSecretValues(allSecretValues);
+                // Block SSRF targets regardless of key usage
+                if (await isBlockedToolUrlWithDns(resolvedUrl)) {
+                    return `Requests to private/internal addresses are not allowed: "${rawUrl}".`;
+                }
+                // Validate URL against per-key allowlists
+                if (opts.validateUrl && allUsedKeys.length > 0) {
+                    try {
+                        const allowed = await opts.validateUrl(resolvedUrl, allUsedKeys);
+                        if (!allowed) {
+                            return `URL "${rawUrl}" is not in the allowlist for the referenced keys. Check your key settings.`;
+                        }
+                    }
+                    catch (err) {
+                        return `URL validation error: ${err?.message ?? err}`;
+                    }
+                }
+                // Parse headers
+                let headers;
+                try {
+                    headers = sanitizeOutboundHeaders(JSON.parse(resolvedHeaders));
+                }
+                catch {
+                    return `Invalid headers JSON: ${rawHeaders}`;
+                }
+                // Make the request
+                const controller = new AbortController();
+                const timeout = setTimeout(() => controller.abort(), timeoutMs);
+                try {
+                    const fetchOpts = {
+                        method,
+                        headers,
+                        signal: controller.signal,
+                        redirect: "manual",
+                    };
+                    if (resolvedBody && ["POST", "PUT", "PATCH"].includes(method)) {
+                        fetchOpts.body = resolvedBody;
+                        if (!headers["content-type"] && !headers["Content-Type"]) {
+                            headers["Content-Type"] = "application/json";
+                        }
+                    }
+                    const response = await fetch(resolvedUrl, fetchOpts);
+                    const elapsed = Date.now() - startTime;
+                    if (response.status >= 300 && response.status < 400) {
+                        const location = response.headers.get("location");
+                        const redirectUrl = location
+                            ? new URL(location, resolvedUrl).href
+                            : null;
+                        if (redirectUrl && (await isBlockedToolUrlWithDns(redirectUrl))) {
+                            return "Redirect to private/internal address blocked.";
+                        }
+                        if (redirectUrl && opts.validateUrl && allUsedKeys.length > 0) {
+                            const allowed = await opts.validateUrl(redirectUrl, allUsedKeys);
+                            if (!allowed) {
+                                return "Redirect URL is not in the allowlist for the referenced keys.";
+                            }
+                        }
+                        return `HTTP ${response.status} ${response.statusText}\n\nRedirect: ${redirectUrl ? redactString(redirectUrl, secretValues) : "(none)"}`;
+                    }
+                    let body;
+                    try {
+                        const result = await readResponseTextWithLimit(response, MAX_TOOL_PROXY_RESPONSE_SIZE);
+                        body = result.text;
+                    }
+                    catch {
+                        body = "(could not read response body)";
+                    }
+                    body = redactString(body, secretValues);
+                    // Truncate very long responses for the agent
+                    if (body.length > 8000) {
+                        body = body.slice(0, 8000) + "\n... (truncated)";
+                    }
+                    // Audit log
+                    console.log(`[fetch-tool] ${method} ${rawUrl} → ${response.status} (${elapsed}ms, keys: ${allUsedKeys.join(",") || "none"})`);
+                    return `HTTP ${response.status} ${response.statusText}\n\n${body}`;
+                }
+                catch (err) {
+                    const elapsed = Date.now() - startTime;
+                    if (err?.name === "AbortError") {
+                        console.log(`[fetch-tool] ${method} ${rawUrl} → TIMEOUT (${elapsed}ms)`);
+                        return `Request timed out after ${timeoutMs}ms.`;
+                    }
+                    const message = redactSecrets(err?.message ?? String(err), secretValues);
+                    console.log(`[fetch-tool] ${method} ${rawUrl} → ERROR: ${message} (${elapsed}ms)`);
+                    return `Request failed: ${message}`;
+                }
+                finally {
+                    clearTimeout(timeout);
+                }
+            },
+            readOnly: true,
+        },
+    };
+}
+//# sourceMappingURL=fetch-tool.js.map

package/dist/tools/fetch-tool.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch-tool.js","sourceRoot":"","sources":["../../src/tools/fetch-tool.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EACL,mBAAmB,EACnB,4BAA4B,EAC5B,wBAAwB,EACxB,yBAAyB,EACzB,aAAa,EACb,YAAY,EACZ,uBAAuB,GACxB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAE1D,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAalC;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,OAAyB,EAAE;IAE3B,OAAO;QACL,aAAa,EAAE;YACb,IAAI,EAAE;gBACJ,WAAW,EAAE,4kBAA4kB;gBACzlB,UAAU,EAAE;oBACV,IAAI,EAAE,QAAiB;oBACvB,UAAU,EAAE;wBACV,GAAG,EAAE;4BACH,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,8EAA8E;yBACjF;wBACD,MAAM,EAAE;4BACN,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,4BAA4B;4BACzC,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC;yBACxD;wBACD,OAAO,EAAE;4BACP,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,0HAA0H;yBAC7H;wBACD,IAAI,EAAE;4BACJ,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,yEAAyE;yBAC5E;wBACD,UAAU,EAAE;4BACV,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,qCAAqC,kBAAkB,eAAe;yBACpF;qBACF;oBACD,QAAQ,EAAE,CAAC,KAAK,CAAC;iBAClB;aACF;YACD,GAAG,EAAE,KAAK,EAAE,IAA4B,EAAE,EAAE;gBAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;gBAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC;gBACxB,MAAM,MAAM,GAAG,wBAAwB,CAAC,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC;gBAC9D,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,OAAO,gFAAgF,CAAC;gBAC1F,CAAC;gBACD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC;gBACxC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC;gBAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CACxB,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,kBAAkB,EAC7C,MAAM,CACP,CAAC;gBAEF,yBAAyB;gBACzB,IAAI,WAAW,GAAG,MAAM,CAAC;gBACzB,IAAI,eAAe,GAAG,UAAU,CAAC;gBACjC,IAAI,YAAY,GAAG,OAAO,CAAC;gBAC3B,MAAM,WAAW,GAAa,EAAE,CAAC;gBACjC,MAAM,eAAe,GAAa,EAAE,CAAC;gBAErC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBACrB,IAAI,CAAC;wBACH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;wBACjD,WAAW,GAAG,SAAS,CAAC,QAAQ,CAAC;wBACjC,WAAW,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;wBACxC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,CAAC;wBAExD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;wBACxD,eAAe,GAAG,YAAY,CAAC,QAAQ,CAAC;wBACxC,WAAW,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;wBAC3C,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,CAAC;wBAE3D,IAAI,OAAO,EAAE,CAAC;4BACZ,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;4BACnD,YAAY,GAAG,UAAU,CAAC,QAAQ,CAAC;4BACnC,WAAW,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;4BACzC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,CAAC;wBAC3D,CAAC;oBACH,CAAC;oBAAC,OAAO,GAAQ,EAAE,CAAC;wBAClB,OAAO,mCAAmC,GAAG,EAAE,OAAO,IAAI,GAAG,EAAE,CAAC;oBAClE,CAAC;gBACH,CAAC;gBACD,MAAM,YAAY,GAAG,mBAAmB,CAAC,eAAe,CAAC,CAAC;gBAE1D,6CAA6C;gBAC7C,IAAI,MAAM,uBAAuB,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC/C,OAAO,4DAA4D,MAAM,IAAI,CAAC;gBAChF,CAAC;gBAED,0CAA0C;gBAC1C,IAAI,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC/C,IAAI,CAAC;wBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;wBACjE,IAAI,CAAC,OAAO,EAAE,CAAC;4BACb,OAAO,QAAQ,MAAM,6EAA6E,CAAC;wBACrG,CAAC;oBACH,CAAC;oBAAC,OAAO,GAAQ,EAAE,CAAC;wBAClB,OAAO,yBAAyB,GAAG,EAAE,OAAO,IAAI,GAAG,EAAE,CAAC;oBACxD,CAAC;gBACH,CAAC;gBAED,gBAAgB;gBAChB,IAAI,OAA+B,CAAC;gBACpC,IAAI,CAAC;oBACH,OAAO,GAAG,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;gBACjE,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,yBAAyB,UAAU,EAAE,CAAC;gBAC/C,CAAC;gBAED,mBAAmB;gBACnB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;gBACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;gBAEhE,IAAI,CAAC;oBACH,MAAM,SAAS,GAAgB;wBAC7B,MAAM;wBACN,OAAO;wBACP,MAAM,EAAE,UAAU,CAAC,MAAM;wBACzB,QAAQ,EAAE,QAAQ;qBACnB,CAAC;oBACF,IAAI,YAAY,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;wBAC9D,SAAS,CAAC,IAAI,GAAG,YAAY,CAAC;wBAC9B,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;4BACzD,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;wBAC/C,CAAC;oBACH,CAAC;oBAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;oBACrD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;oBAEvC,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;wBACpD,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;wBAClD,MAAM,WAAW,GAAG,QAAQ;4BAC1B,CAAC,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,IAAI;4BACrC,CAAC,CAAC,IAAI,CAAC;wBACT,IAAI,WAAW,IAAI,CAAC,MAAM,uBAAuB,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;4BAChE,OAAO,+CAA+C,CAAC;wBACzD,CAAC;wBACD,IAAI,WAAW,IAAI,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;4BAC9D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;4BACjE,IAAI,CAAC,OAAO,EAAE,CAAC;gCACb,OAAO,+DAA+D,CAAC;4BACzE,CAAC;wBACH,CAAC;wBACD,OAAO,QAAQ,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,iBACnD,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,QAC1D,EAAE,CAAC;oBACL,CAAC;oBAED,IAAI,IAAY,CAAC;oBACjB,IAAI,CAAC;wBACH,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,QAAQ,EACR,4BAA4B,CAC7B,CAAC;wBACF,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;oBACrB,CAAC;oBAAC,MAAM,CAAC;wBACP,IAAI,GAAG,gCAAgC,CAAC;oBAC1C,CAAC;oBACD,IAAI,GAAG,YAAY,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;oBAExC,6CAA6C;oBAC7C,IAAI,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;wBACvB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,mBAAmB,CAAC;oBACnD,CAAC;oBAED,YAAY;oBACZ,OAAO,CAAC,GAAG,CACT,gBAAgB,MAAM,IAAI,MAAM,MAAM,QAAQ,CAAC,MAAM,KAAK,OAAO,aAAa,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,MAAM,GAAG,CACjH,CAAC;oBAEF,OAAO,QAAQ,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,OAAO,IAAI,EAAE,CAAC;gBACrE,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;oBACvC,IAAI,GAAG,EAAE,IAAI,KAAK,YAAY,EAAE,CAAC;wBAC/B,OAAO,CAAC,GAAG,CACT,gBAAgB,MAAM,IAAI,MAAM,eAAe,OAAO,KAAK,CAC5D,CAAC;wBACF,OAAO,2BAA2B,SAAS,KAAK,CAAC;oBACnD,CAAC;oBACD,MAAM,OAAO,GAAG,aAAa,CAC3B,GAAG,EAAE,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,EAC3B,YAAY,CACb,CAAC;oBACF,OAAO,CAAC,GAAG,CACT,gBAAgB,MAAM,IAAI,MAAM,aAAa,OAAO,KAAK,OAAO,KAAK,CACtE,CAAC;oBACF,OAAO,mBAAmB,OAAO,EAAE,CAAC;gBACtC,CAAC;wBAAS,CAAC;oBACT,YAAY,CAAC,OAAO,CAAC,CAAC;gBACxB,CAAC;YACH,CAAC;YACD,QAAQ,EAAE,IAAI;SACf;KACF,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Fetch tool — outbound HTTP for automations and agent use.\n *\n * Supports ${keys.NAME} reference substitution in URL, headers, and body.\n * Values are resolved server-side AFTER the model emits the tool call —\n * the raw secret never enters the model's context.\n */\n\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport {\n  collectSecretValues,\n  MAX_TOOL_PROXY_RESPONSE_SIZE,\n  normalizeToolProxyMethod,\n  readResponseTextWithLimit,\n  redactSecrets,\n  redactString,\n  sanitizeOutboundHeaders,\n} from \"./proxy-security.js\";\nimport { isBlockedToolUrlWithDns } from \"./url-safety.js\";\n\nconst DEFAULT_TIMEOUT_MS = 15_000;\n\nexport interface FetchToolOptions {\n  /** Resolve ${keys.NAME} references. Injected by the plugin at setup time. */\n  resolveKeys?: (text: string) => Promise<{\n    resolved: string;\n    usedKeys: string[];\n    secretValues?: string[];\n  }>;\n  /** Validate URL against per-key allowlists. */\n  validateUrl?: (url: string, usedKeys: string[]) => Promise<boolean>;\n}\n\n/**\n * Create the fetch tool entry for the agent tool registry.\n */\nexport function createFetchToolEntry(\n  opts: FetchToolOptions = {},\n): Record<string, ActionEntry> {\n  return {\n    \"web-request\": {\n      tool: {\n        description: `Make an outbound HTTP request to EXTERNAL APIs, webhooks, and services only. Supports \\${keys.NAME} placeholders in url, headers, and body — these are resolved server-side from the user's saved keys (the raw value never enters your context). Example: \\${keys.SLACK_WEBHOOK} in the url field. IMPORTANT: Never use this to call internal /_agent-native/ endpoints or localhost action URLs — use the registered action tools directly (e.g. \\`log-meal\\`, \\`bigquery\\`, \\`hubspot-deals\\`). Actions are already available as native tools; calling them via HTTP is slower and bypasses validation.`,\n        parameters: {\n          type: \"object\" as const,\n          properties: {\n            url: {\n              type: \"string\",\n              description:\n                'Full URL. May contain ${keys.NAME} references, e.g. \"${keys.SLACK_WEBHOOK}\".',\n            },\n            method: {\n              type: \"string\",\n              description: \"HTTP method. Default: GET.\",\n              enum: [\"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", \"HEAD\"],\n            },\n            headers: {\n              type: \"string\",\n              description:\n                'JSON object of headers. May contain ${keys.NAME} references. Example: \\'{\"Authorization\": \"Bearer ${keys.API_TOKEN}\"}\\'.',\n            },\n            body: {\n              type: \"string\",\n              description:\n                \"Request body (for POST/PUT/PATCH). May contain ${keys.NAME} references.\",\n            },\n            timeout_ms: {\n              type: \"number\",\n              description: `Timeout in milliseconds. Default: ${DEFAULT_TIMEOUT_MS}. Max: 30000.`,\n            },\n          },\n          required: [\"url\"],\n        },\n      },\n      run: async (args: Record<string, string>) => {\n        const startTime = Date.now();\n        const rawUrl = args.url;\n        const method = normalizeToolProxyMethod(args.method || \"GET\");\n        if (!method) {\n          return \"Unsupported HTTP method. Allowed methods: GET, POST, PUT, PATCH, DELETE, HEAD.\";\n        }\n        const rawHeaders = args.headers || \"{}\";\n        const rawBody = args.body;\n        const timeoutMs = Math.min(\n          Number(args.timeout_ms) || DEFAULT_TIMEOUT_MS,\n          30_000,\n        );\n\n        // Resolve key references\n        let resolvedUrl = rawUrl;\n        let resolvedHeaders = rawHeaders;\n        let resolvedBody = rawBody;\n        const allUsedKeys: string[] = [];\n        const allSecretValues: string[] = [];\n\n        if (opts.resolveKeys) {\n          try {\n            const urlResult = await opts.resolveKeys(rawUrl);\n            resolvedUrl = urlResult.resolved;\n            allUsedKeys.push(...urlResult.usedKeys);\n            allSecretValues.push(...(urlResult.secretValues ?? []));\n\n            const headerResult = await opts.resolveKeys(rawHeaders);\n            resolvedHeaders = headerResult.resolved;\n            allUsedKeys.push(...headerResult.usedKeys);\n            allSecretValues.push(...(headerResult.secretValues ?? []));\n\n            if (rawBody) {\n              const bodyResult = await opts.resolveKeys(rawBody);\n              resolvedBody = bodyResult.resolved;\n              allUsedKeys.push(...bodyResult.usedKeys);\n              allSecretValues.push(...(bodyResult.secretValues ?? []));\n            }\n          } catch (err: any) {\n            return `Error resolving key references: ${err?.message ?? err}`;\n          }\n        }\n        const secretValues = collectSecretValues(allSecretValues);\n\n        // Block SSRF targets regardless of key usage\n        if (await isBlockedToolUrlWithDns(resolvedUrl)) {\n          return `Requests to private/internal addresses are not allowed: \"${rawUrl}\".`;\n        }\n\n        // Validate URL against per-key allowlists\n        if (opts.validateUrl && allUsedKeys.length > 0) {\n          try {\n            const allowed = await opts.validateUrl(resolvedUrl, allUsedKeys);\n            if (!allowed) {\n              return `URL \"${rawUrl}\" is not in the allowlist for the referenced keys. Check your key settings.`;\n            }\n          } catch (err: any) {\n            return `URL validation error: ${err?.message ?? err}`;\n          }\n        }\n\n        // Parse headers\n        let headers: Record<string, string>;\n        try {\n          headers = sanitizeOutboundHeaders(JSON.parse(resolvedHeaders));\n        } catch {\n          return `Invalid headers JSON: ${rawHeaders}`;\n        }\n\n        // Make the request\n        const controller = new AbortController();\n        const timeout = setTimeout(() => controller.abort(), timeoutMs);\n\n        try {\n          const fetchOpts: RequestInit = {\n            method,\n            headers,\n            signal: controller.signal,\n            redirect: \"manual\",\n          };\n          if (resolvedBody && [\"POST\", \"PUT\", \"PATCH\"].includes(method)) {\n            fetchOpts.body = resolvedBody;\n            if (!headers[\"content-type\"] && !headers[\"Content-Type\"]) {\n              headers[\"Content-Type\"] = \"application/json\";\n            }\n          }\n\n          const response = await fetch(resolvedUrl, fetchOpts);\n          const elapsed = Date.now() - startTime;\n\n          if (response.status >= 300 && response.status < 400) {\n            const location = response.headers.get(\"location\");\n            const redirectUrl = location\n              ? new URL(location, resolvedUrl).href\n              : null;\n            if (redirectUrl && (await isBlockedToolUrlWithDns(redirectUrl))) {\n              return \"Redirect to private/internal address blocked.\";\n            }\n            if (redirectUrl && opts.validateUrl && allUsedKeys.length > 0) {\n              const allowed = await opts.validateUrl(redirectUrl, allUsedKeys);\n              if (!allowed) {\n                return \"Redirect URL is not in the allowlist for the referenced keys.\";\n              }\n            }\n            return `HTTP ${response.status} ${response.statusText}\\n\\nRedirect: ${\n              redirectUrl ? redactString(redirectUrl, secretValues) : \"(none)\"\n            }`;\n          }\n\n          let body: string;\n          try {\n            const result = await readResponseTextWithLimit(\n              response,\n              MAX_TOOL_PROXY_RESPONSE_SIZE,\n            );\n            body = result.text;\n          } catch {\n            body = \"(could not read response body)\";\n          }\n          body = redactString(body, secretValues);\n\n          // Truncate very long responses for the agent\n          if (body.length > 8000) {\n            body = body.slice(0, 8000) + \"\\n... (truncated)\";\n          }\n\n          // Audit log\n          console.log(\n            `[fetch-tool] ${method} ${rawUrl} → ${response.status} (${elapsed}ms, keys: ${allUsedKeys.join(\",\") || \"none\"})`,\n          );\n\n          return `HTTP ${response.status} ${response.statusText}\\n\\n${body}`;\n        } catch (err: any) {\n          const elapsed = Date.now() - startTime;\n          if (err?.name === \"AbortError\") {\n            console.log(\n              `[fetch-tool] ${method} ${rawUrl} → TIMEOUT (${elapsed}ms)`,\n            );\n            return `Request timed out after ${timeoutMs}ms.`;\n          }\n          const message = redactSecrets(\n            err?.message ?? String(err),\n            secretValues,\n          );\n          console.log(\n            `[fetch-tool] ${method} ${rawUrl} → ERROR: ${message} (${elapsed}ms)`,\n          );\n          return `Request failed: ${message}`;\n        } finally {\n          clearTimeout(timeout);\n        }\n      },\n      readOnly: true,\n    },\n  };\n}\n"]}

package/dist/tools/html-shell.d.ts

@@ -0,0 +1,45 @@
+export declare const TOOL_IFRAME_CSP = "default-src 'none'; script-src 'self' https://cdn.jsdelivr.net 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com; font-src https://fonts.gstatic.com; connect-src 'self'; img-src 'self' data: blob:; media-src 'self' data: blob:; frame-src 'none'; object-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'self';";
+export declare const TOOL_IFRAME_META_CSP: string;
+/**
+ * SECURITY — TOOL CONTENT IS UNTRUSTED.
+ *
+ * `${content}` (line ~Body) interpolates raw HTML/JS authored by a user. This
+ * file is the boundary between framework-controlled HTML and user-controlled
+ * HTML. Two non-negotiable invariants for every change here:
+ *
+ *   1. The iframe MUST be rendered with a `sandbox` attribute that does NOT
+ *      include `allow-same-origin`. The viewer (`ToolViewer.tsx`,
+ *      `EmbeddedTool.tsx`) sets `sandbox="allow-scripts allow-forms"` — and
+ *      that is the only acceptable shape. Adding `allow-same-origin` would
+ *      give the tool full DOM access to the parent window via cross-frame
+ *      script.
+ *
+ *   2. Every reachable parent action must treat the postMessage payload as
+ *      hostile. The bridge in `iframe-bridge.ts` enforces a path allowlist,
+ *      header sanitization, and method allowlist; do not relax those gates
+ *      for "convenience" in this file or any caller.
+ *
+ * For the trust model rationale, see audit 05-tools-sandbox.md (C1) and the
+ * `tools` skill. When in doubt, fail closed.
+ */
+export interface ToolRenderBinding {
+    /** Email of the user who authored / owns the tool. */
+    authorEmail: string;
+    /** Email of the user currently viewing/running the tool. */
+    viewerEmail: string;
+    /** True when viewer === author. */
+    isAuthor: boolean;
+    /**
+     * Resolved role for the viewer ("owner" | "admin" | "editor" | "viewer").
+     *
+     * TODO(security, audit H4): the host-side bridge does not yet gate any
+     * helper based on this value — every viewer gets the same powers as the
+     * author. The role is plumbed through so a follow-up PR can constrain
+     * `appAction` / `dbExec` / `toolFetch` for non-author viewers (and
+     * eventually require an explicit consent step before running a shared
+     * tool, audit C1). For now this is metadata only.
+     */
+    role: "owner" | "admin" | "editor" | "viewer";
+}
+export declare function buildToolHtml(content: string, themeVars: string, isDark: boolean, toolId?: string, binding?: ToolRenderBinding): string;
+//# sourceMappingURL=html-shell.d.ts.map

package/dist/tools/html-shell.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"html-shell.d.ts","sourceRoot":"","sources":["../../src/tools/html-shell.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,eAAe,8YACiX,CAAC;AAE9Y,eAAO,MAAM,oBAAoB,QAGhC,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,MAAM,WAAW,iBAAiB;IAChC,sDAAsD;IACtD,WAAW,EAAE,MAAM,CAAC;IACpB,4DAA4D;IAC5D,WAAW,EAAE,MAAM,CAAC;IACpB,mCAAmC;IACnC,QAAQ,EAAE,OAAO,CAAC;IAClB;;;;;;;;;OASG;IACH,IAAI,EAAE,OAAO,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;CAC/C;AAED,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,OAAO,EACf,MAAM,CAAC,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,iBAAiB,GAC1B,MAAM,CA0fR"}