@agent-native/core 0.15.7 → 0.15.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (28) hide show
  1. package/dist/agent/engine/builder-engine.d.ts.map +1 -1
  2. package/dist/agent/engine/builder-engine.js +19 -1
  3. package/dist/agent/engine/builder-engine.js.map +1 -1
  4. package/dist/client/settings/SettingsPanel.js.map +1 -1
  5. package/dist/client/settings/useBuilderStatus.d.ts +10 -1
  6. package/dist/client/settings/useBuilderStatus.d.ts.map +1 -1
  7. package/dist/client/settings/useBuilderStatus.js +39 -3
  8. package/dist/client/settings/useBuilderStatus.js.map +1 -1
  9. package/dist/client/settings/useBuilderStatus.spec.js +76 -0
  10. package/dist/client/settings/useBuilderStatus.spec.js.map +1 -1
  11. package/dist/server/agent-chat-plugin.d.ts.map +1 -1
  12. package/dist/server/agent-chat-plugin.js +5 -2
  13. package/dist/server/agent-chat-plugin.js.map +1 -1
  14. package/dist/server/builder-browser.d.ts +52 -15
  15. package/dist/server/builder-browser.d.ts.map +1 -1
  16. package/dist/server/builder-browser.js +126 -15
  17. package/dist/server/builder-browser.js.map +1 -1
  18. package/dist/server/core-routes-plugin.d.ts.map +1 -1
  19. package/dist/server/core-routes-plugin.js +105 -19
  20. package/dist/server/core-routes-plugin.js.map +1 -1
  21. package/dist/server/credential-provider.d.ts +25 -4
  22. package/dist/server/credential-provider.d.ts.map +1 -1
  23. package/dist/server/credential-provider.js +112 -15
  24. package/dist/server/credential-provider.js.map +1 -1
  25. package/dist/server/google-realtime-session.d.ts.map +1 -1
  26. package/dist/server/google-realtime-session.js +1 -1
  27. package/dist/server/google-realtime-session.js.map +1 -1
  28. package/package.json +1 -1
package/dist/server/builder-browser.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"builder-browser.js","sourceRoot":"","sources":["../../src/server/builder-browser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEvE,OAAO,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAE9D,MAAM,wBAAwB,GAAG,oBAAoB,CAAC;AACtD,MAAM,wBAAwB,GAAG,wBAAwB,CAAC;AAC1D,MAAM,oBAAoB,GAAG,sBAAsB,CAAC;AACpD,MAAM,yBAAyB,GAAG,sBAAsB,CAAC;AAEzD,MAAM,CAAC,MAAM,qBAAqB,GAAG,iCAAiC,CAAC;AAEvE,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,EAAE;QACtC,QAAQ,EAAE,EAAE,CAAC;YACX,KAAK,GAAG;gBACN,OAAO,OAAO,CAAC;YACjB,KAAK,GAAG;gBACN,OAAO,MAAM,CAAC;YAChB,KAAK,GAAG;gBACN,OAAO,MAAM,CAAC;YAChB,KAAK,GAAG;gBACN,OAAO,QAAQ,CAAC;YAClB;gBACE,OAAO,OAAO,CAAC;QACnB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,WAAW,CAAC;AAC/C,MAAM,CAAC,MAAM,qBAAqB,GAAG,aAAa,CAAC;AACnD,MAAM,CAAC,MAAM,4BAA4B,GAAG,0BAA0B,CAAC;AAEvE,MAAM,oBAAoB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AA0C5C,SAAS,oBAAoB,CAAC,OAAkC;IAC9D,4EAA4E;IAC5E,iEAAiE;IACjE,OAAO,OAAO,KAAK,UAAU;QAC3B,CAAC,CAAC,gBAAgB,aAAa,EAAE,EAAE;QACnC,CAAC,CAAC,mBAAmB,aAAa,EAAE,EAAE,CAAC;AAC3C,CAAC;AAED,SAAS,WAAW,CAClB,OAAkC,EAClC,KAAa,EACb,YAAoB,EACpB,EAAU;IAEV,OAAO,UAAU,CAAC,QAAQ,EAAE,oBAAoB,CAAC,OAAO,CAAC,CAAC;SACvD,MAAM,CAAC,GAAG,KAAK,IAAI,YAAY,IAAI,EAAE,EAAE,CAAC;SACxC,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,0BAA0B,CACjC,UAAkB,EAClB,OAAkC;IAElC,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACtB,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC3E,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC;IAC1D,OAAO,GAAG,KAAK,IAAI,YAAY,IAAI,EAAE,IAAI,GAAG,EAAE,CAAC;AACjD,CAAC;AAED,SAAS,4BAA4B,CACnC,KAAgC,EAChC,UAAkB,EAClB,OAAkC;IAElC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAClE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,MAAM,CAAC,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC;IAChD,IAAI,CAAC,KAAK,IAAI,CAAC,YAAY,IAAI,CAAC,KAAK,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IAE5D,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,UAAU,KAAK,UAAU;QAAE,OAAO,KAAK,CAAC;IAE5C,MAAM,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IACzB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,2EAA2E;IAC3E,sEAAsE;IACtE,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,GAAG,oBAAoB;QAAE,OAAO,KAAK,CAAC;IAEnE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC,CAAC;IAC5E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACvD,OAAO,eAAe,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,wBAAwB,CAAC,YAAoB;IAC3D,OAAO,0BAA0B,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;AAC9D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CACxC,KAAgC,EAChC,YAAoB;IAEpB,OAAO,4BAA4B,CAAC,KAAK,EAAE,YAAY,EAAE,UAAU,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,qCAAqC,CACnD,KAAgC;IAEhC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC9B,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAC;IAE/B,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,OAAO,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,UAAkB;IACxD,OAAO,0BAA0B,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,KAAgC,EAChC,UAAkB;IAElB,OAAO,4BAA4B,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,oCAAoC,CAClD,KAAgC;IAEhC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC9B,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAC;IAE/B,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,OAAO,yBAAyB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1E,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,UAAkB,EAClB,UAAkB;IAElB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IAChC,GAAG,CAAC,YAAY,CAAC,GAAG,CAClB,qBAAqB,EACrB,uBAAuB,CAAC,UAAU,CAAC,CACpC,CAAC;IACF,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,yBAAyB,CAAC,SAAiB;IAClD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAClC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC/C,MAAM,iBAAiB,GACrB,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC;QAC9D,MAAM,WAAW,GACf,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,OAAO,CAAC;QACvB,MAAM,eAAe,GACnB,QAAQ,KAAK,YAAY;YACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChC,QAAQ,KAAK,YAAY;YACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QACtC,MAAM,mBAAmB,GACvB,QAAQ,KAAK,kBAAkB,IAAI,QAAQ,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;QAC5E,OAAO,CACL,iBAAiB;YACjB,CAAC,WAAW,IAAI,eAAe,IAAI,mBAAmB,CAAC,CACxD,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,MAAc;IACrC,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,OAAO,CAAC,GAAG,CAAC,uBAAuB;QACnC,wBAAwB,CACzB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,QAAQ;QACpB,OAAO,CAAC,GAAG,CAAC,YAAY;QACxB,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,wBAAwB,CACzB,CAAC;AACJ,CAAC;AAED,SAAS,mCAAmC;IAC1C,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,2BAA2B;QACvC,OAAO,CAAC,GAAG,CAAC,yBAAyB;QACrC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IACjC,OAAO,SAAS,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,OAAO,mCAAmC,EAAE,IAAI,EAAE,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,OAAO,CAAC,CAAC,mCAAmC,EAAE,CAAC;AACjD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,6BAA6B;IACjD,MAAM,YAAY,GAAG,mCAAmC,EAAE,CAAC;IAC3D,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;QACnE,KAAK,MAAM,GAAG,IAAI;YAChB,6BAA6B;YAC7B,2BAA2B;YAC3B,oBAAoB;SACrB,EAAE,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,GAAG,CAAC,CAAC;YACvC,IAAI,KAAK,EAAE,IAAI,EAAE;gBAAE,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACzC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,wEAAwE;IAC1E,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gCAAgC;IACpD,OAAO,CAAC,CAAC,CAAC,MAAM,6BAA6B,EAAE,CAAC,CAAC;AACnD,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,sBAAsB,CACpC,MAAc,EACd,QAAuB,IAAI;IAE3B,MAAM,gBAAgB,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,MAAM,WAAW,GAAG,IAAI,GAAG,CACzB,GAAG,WAAW,GAAG,qBAAqB,EAAE,EACxC,gBAAgB,CACjB,CAAC;IACF,IAAI,KAAK,EAAE,CAAC;QACV,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,EAAE,iBAAiB,EAAE,CAAC,CAAC;IACtD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;IACnD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,yBAAyB,CAAC,CAAC;IAC7D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC7D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,GAAG,gBAAgB,GAAG,WAAW,EAAE,CAAC,CAAC;IACzE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IAClD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,MAAc;IACxD,OAAO,GAAG,eAAe,CAAC,MAAM,CAAC,GAAG,cAAc,EAAE,gCAAgC,CAAC;AACvF,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAyB;IACjD,OAAO,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACnD,CAAC;AAED,SAAS,eAAe,CAAC,KAAc,EAAE,IAAY;IACnD,IAAI,CAAC;QACH,OAAO,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,SAAS,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,OAAO,GACX,KAKD,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC;QACrB,MAAM,KAAK,GAAG,OAAO,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,IAAI,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAC/D,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAC1C,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;IACvD,CAAC;AACH,CAAC;AAED,SAAS,2BAA2B,CAAC,IAAwB;IAC3D,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAClE,OAAO,CACL,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,KAAK;YAClB,QAAQ,KAAK,OAAO;YACpB,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,YAAY;YACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChC,QAAQ,KAAK,YAAY;YACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CACjC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,4BAA4B,CAAC,IAAwB;IAC5D,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAClE,OAAO,CACL,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,KAAK;YAClB,QAAQ,KAAK,OAAO,CACrB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,sCAAsC;IAC7C,KAAK,MAAM,GAAG,IAAI;QAChB,mBAAmB;QACnB,wBAAwB;QACxB,qBAAqB;QACrB,0BAA0B;KAC3B,EAAE,CAAC;QACF,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YACzB,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ;gBAAE,SAAS;YACpE,IAAI,4BAA4B,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACrD,IAAI,CAAC,2BAA2B,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACrD,OAAO,GAAG,CAAC,MAAM,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,uCAAuC;QACzC,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,+BAA+B,CAAC,KAAc;IAC5D,MAAM,UAAU,GAAG,gBAAgB,CACjC,eAAe,CAAC,KAAK,EAAE,kBAAkB,CAAC;QACxC,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CACjC,CAAC;IACF,IAAI,CAAC,2BAA2B,CAAC,UAAU,CAAC;QAAE,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,4BAA4B,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7C,MAAM,mBAAmB,GAAG,sCAAsC,EAAE,CAAC;QACrE,IAAI,mBAAmB;YAAE,OAAO,mBAAmB,CAAC;IACtD,CAAC;IAED,MAAM,QAAQ,GAAG,gBAAgB,CAC/B,eAAe,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAC5C,CAAC;IACF,MAAM,KAAK,GACT,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,OAAO;QACzC,CAAC,CAAC,QAAQ;QACV,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;YACrC,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,MAAM,CAAC;IACf,OAAO,GAAG,KAAK,MAAM,UAAU,EAAE,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,MAAc;IACpD,MAAM,eAAe,GAAG,mCAAmC,EAAE,CAAC;IAC9D,MAAM,UAAU,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACrD,OAAO;QACL,UAAU,EAAE,CAAC,CAAC,CACZ,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAClE;QACD,cAAc,EAAE,yBAAyB,EAAE;QAC3C,yBAAyB,EAAE,CAAC,CAAC,eAAe;QAC5C,eAAe,EAAE,eAAe,IAAI,SAAS;QAC7C,UAAU;QACV,gBAAgB,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QAChD,OAAO,EAAE,iBAAiB,EAAE;QAC5B,OAAO,EAAE,iBAAiB,EAAE;QAC5B,UAAU,EAAE,2BAA2B,CAAC,MAAM,CAAC;QAC/C,mBAAmB,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB;QACrD,oBAAoB,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB;QACvD,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,SAAS;QAChD,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,SAAS;QAClD,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,SAAS;KACnD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,+BAA+B,CAC7C,KAAc;IAEd,OAAO,uBAAuB,CAAC,+BAA+B,CAAC,KAAK,CAAC,CAAC,CAAC;AACzE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,qBAAqB;IACrB,oBAAoB;IACpB,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;CACV,CAAC;AAIX,MAAM,UAAU,yBAAyB,CAAC,MAMzC;IACC,MAAM,MAAM,GAAkC;QAC5C,mBAAmB,EAAE,MAAM,CAAC,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE;QACpD,kBAAkB,EAAE,MAAM,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE;QAClD,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE;QAC5C,gBAAgB,EAAE,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE;QAC9C,gBAAgB,EAAE,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE;KAC/C,CAAC;IACF,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,UAAqC,EACrC,KAAc;IAEd,IAAI,UAAU,IAAI,yBAAyB,CAAC,UAAU,CAAC,EAAE,CAAC;QACxD,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,OAAO,+BAA+B,CAAC,KAAK,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,6BAA6B,GAAG;;;;;;;;;;;;;;;UAe5B,CAAC;AAEX;;;;;;;GAOG;AACH,MAAM,yBAAyB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgHjC,CAAC;AAEF,MAAM,UAAU,gCAAgC,CAAC,UAAkB;IACjE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC9C,OAAO;;;;;;;;;MASH,6BAA6B;aACtB,yBAAyB;;;;;;;;;;4BAUV,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sCAkCA,UAAU;;;;;;QAMxC,CAAC;AACT,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,qCAAqC,CACnD,OAAe,EACf,OAII,EAAE;IAEN,MAAM,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,kCAAkC,CAAC;IAC/D,MAAM,IAAI,GACR,IAAI,CAAC,IAAI;QACT,kFAAkF,CAAC;IACrF,MAAM,SAAS,GACb,IAAI,CAAC,SAAS,IAAI,qDAAqD,CAAC;IAC1E,OAAO;;;;;;;;;MASH,6BAA6B;aACtB,yBAAyB;;;;;;;YAO1B,UAAU,CAAC,KAAK,CAAC;yBACJ,UAAU,CAAC,IAAI,CAAC;;iDAEQ,UAAU,CAAC,SAAS,CAAC;;;;oBAIlD,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;QA2B1B,CAAC;AACT,CAAC;AAiBD,SAAS,yBAAyB,CAAC,KAAc,EAAE,SAAiB;IAClE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,sCAAsC,SAAS,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,0CAA0C,SAAS,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAc;IAC/C,MAAM,SAAS,GAAG,yBAAyB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC1D,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,IACE,MAAM,CAAC,QAAQ,KAAK,YAAY;QAChC,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,EACxC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,MAAM,CAAC,QAAQ,EAAE,CAAC;AAC3B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAyB;IAEzB,MAAM,EAAE,yBAAyB,EAAE,GACjC,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,MAAM,yBAAyB,EAAE,CAAC;IAChD,IAAI,CAAC,KAAK,CAAC,UAAU,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC;IACzC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,0HAA0H,CAC3H,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,MAAM,IAAI,SAAS,CAAC;IAC/D,MAAM,gBAAgB,GAAG,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC;IACpE,IAAI,CAAC,gBAAgB,IAAI,CAAC,aAAa,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,aAAa,EAAE,iBAAiB,EAAE,CAAC,CAAC;IACxD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAEhD,MAAM,IAAI,GAA4B;QACpC,WAAW,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,MAAM,EAAE;QACxC,SAAS;KACV,CAAC;IACF,IAAI,IAAI,CAAC,UAAU;QAAE,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IACvD,IAAI,gBAAgB;QAAE,IAAI,CAAC,SAAS,GAAG,gBAAgB,CAAC;IACxD,IAAI,aAAa;QAAE,IAAI,CAAC,MAAM,GAAG,aAAa,CAAC;IAE/C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,CAAC,UAAU,EAAE;YAC3C,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAGtD,CAAC;IACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,GAAG,GACP,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ;YAC9B,CAAC,CAAC,MAAM,CAAC,KAAK;YACd,CAAC,CAAC,6BAA6B,QAAQ,CAAC,MAAM,GAAG,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAED,OAAO;QACL,UAAU,EAAE,yBAAyB,CAAC,MAAM,CAAC,UAAU,EAAE,YAAY,CAAC;QACtE,SAAS,EACP,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE;YAC7D,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE;YACzB,CAAC,CAAC,SAAS;QACf,GAAG,EAAE,yBAAyB,CAAC,MAAM,CAAC,GAAG,CAAC;QAC1C,MAAM,EACJ,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE;YACvD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE;YACtB,CAAC,CAAC,YAAY;KACnB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,IAA2B;IAE3B,MAAM,EAAE,yBAAyB,EAAE,GACjC,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,MAAM,yBAAyB,EAAE,CAAC;IAChD,IAAI,CAAC,KAAK,CAAC,UAAU,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC;IACzC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,iCAAiC,EAAE,iBAAiB,EAAE,CAAC,CAAC;IAC5E,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,CAAC,UAAU,EAAE;YAC3C,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,SAAS;YACtC,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,SAAS;YACxC,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,SAAS;YAC1C,kBAAkB,EAAE,IAAI,CAAC,kBAAkB,IAAI,SAAS;YACxD,QAAQ,EAAE,IAAI,CAAC,gBAAgB,IAAI,SAAS;SAC7C,CAAC;KACH,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAGpD,CAAC;IACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,KAAK,GACT,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;YAC5B,CAAC,CAAC,IAAI,CAAC,KAAK;YACZ,CAAC,CAAC,mCAAmC,QAAQ,CAAC,MAAM,GAAG,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC;IACzB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["import { createHmac, randomBytes, timingSafeEqual } from \"node:crypto\";\nimport type { H3Event } from \"h3\";\nimport { getHeader } from \"h3\";\nimport { getAuthSecret } from \"./better-auth-instance.js\";\nimport { getAppBasePath, getOrigin } from \"./google-oauth.js\";\n\nconst DEFAULT_BUILDER_APP_HOST = \"https://builder.io\";\nconst DEFAULT_BUILDER_API_HOST = \"https://api.builder.io\";\nconst BUILDER_BROWSER_HOST = \"agent-native-browser\";\nconst BUILDER_BROWSER_CLIENT_ID = \"Agent Native Browser\";\n\nexport const BUILDER_CALLBACK_PATH = \"/_agent-native/builder/callback\";\n\nfunction escapeHtml(value: string): string {\n return value.replace(/[&<>\"']/g, (ch) => {\n switch (ch) {\n case \"&\":\n return \"&amp;\";\n case \"<\":\n return \"&lt;\";\n case \">\":\n return \"&gt;\";\n case '\"':\n return \"&quot;\";\n default:\n return \"&#39;\";\n }\n });\n}\n\n/**\n * Query-param name carrying the signed CSRF state on the connect→callback\n * round-trip. Prefixed with `_an_` to avoid collisions if Builder ever\n * adds standard OAuth `state` support to cli-auth. Builder preserves\n * the path/query of `redirect_url` verbatim when redirecting back, so\n * we embed `_an_state=…` inside the redirect_url query string at\n * connect time and read it back on the callback.\n */\nexport const BUILDER_STATE_PARAM = \"_an_state\";\nexport const BUILDER_CONNECT_PARAM = \"_an_connect\";\nexport const BUILDER_CONNECT_OWNER_COOKIE = \"an_builder_connect_owner\";\n\nconst BUILDER_STATE_TTL_MS = 10 * 60 * 1000;\n\nexport interface BuilderBrowserStatus {\n configured: boolean;\n builderEnabled: boolean;\n branchProjectIdConfigured: boolean;\n branchProjectId?: string;\n /**\n * True when `BUILDER_PRIVATE_KEY` is set at the deployment level. This is a\n * fallback credential; signed-in users can still connect their own Builder\n * account, which takes precedence for their request.\n */\n envManaged: boolean;\n credentialSource?: \"user\" | \"org\" | \"env\";\n appHost: string;\n apiHost: string;\n /**\n * Ready-to-open Builder CLI auth URL for this request owner. This points\n * directly at builder.io/cli-auth and carries signed callback state in the\n * nested redirect_url so the popup never has to visit the app's connect\n * trampoline first.\n */\n cliAuthUrl?: string;\n connectUrl: string;\n publicKeyConfigured: boolean;\n privateKeyConfigured: boolean;\n userId?: string;\n orgName?: string;\n orgKind?: string;\n}\n\nexport interface BrowserConnectionArgs {\n sessionId?: string;\n projectId?: string;\n branchName?: string;\n proxyOrigin?: string;\n proxyDefaultOrigin?: string;\n proxyDestination?: string;\n}\n\ntype BuilderSignedTokenPurpose = \"callback\" | \"connect\";\n\nfunction signingKeyForPurpose(purpose: BuilderSignedTokenPurpose): string {\n // Preserve the original callback-state signing key for any in-flight legacy\n // callbacks; use a separate key domain for connect-entry tokens.\n return purpose === \"callback\"\n ? `builder-csrf:${getAuthSecret()}`\n : `builder-connect:${getAuthSecret()}`;\n}\n\nfunction macForParts(\n purpose: BuilderSignedTokenPurpose,\n nonce: string,\n emailEncoded: string,\n ts: number,\n): string {\n return createHmac(\"sha256\", signingKeyForPurpose(purpose))\n .update(`${nonce}.${emailEncoded}.${ts}`)\n .digest(\"base64url\");\n}\n\nfunction signEmailBoundBuilderToken(\n ownerEmail: string,\n purpose: BuilderSignedTokenPurpose,\n): string {\n const nonce = randomBytes(16).toString(\"base64url\");\n const ts = Date.now();\n const emailEncoded = Buffer.from(ownerEmail, \"utf8\").toString(\"base64url\");\n const mac = macForParts(purpose, nonce, emailEncoded, ts);\n return `${nonce}.${emailEncoded}.${ts}.${mac}`;\n}\n\nfunction verifyEmailBoundBuilderToken(\n token: string | null | undefined,\n ownerEmail: string,\n purpose: BuilderSignedTokenPurpose,\n): boolean {\n if (typeof token !== \"string\" || token.length === 0) return false;\n const parts = token.split(\".\");\n if (parts.length !== 4) return false;\n const [nonce, emailEncoded, tsStr, mac] = parts;\n if (!nonce || !emailEncoded || !tsStr || !mac) return false;\n\n let boundEmail: string;\n try {\n boundEmail = Buffer.from(emailEncoded, \"base64url\").toString(\"utf8\");\n } catch {\n return false;\n }\n if (boundEmail !== ownerEmail) return false;\n\n const ts = Number(tsStr);\n if (!Number.isFinite(ts)) return false;\n // Reject expired AND far-future timestamps so leaked tokens do not gain an\n // arbitrary lifetime through clock skew or forged future issue times.\n if (Math.abs(Date.now() - ts) > BUILDER_STATE_TTL_MS) return false;\n\n const expected = Buffer.from(macForParts(purpose, nonce, emailEncoded, ts));\n const candidate = Buffer.from(mac);\n if (expected.length !== candidate.length) return false;\n return timingSafeEqual(expected, candidate);\n}\n\n/**\n * Mint a signed CSRF state token bound to the current session's email\n * and a fresh nonce. Round-trips through Builder's cli-auth flow inside\n * the redirect_url query string and is verified on the callback before\n * any keys are written.\n *\n * Why bind to email: it's the only stable, universally-available\n * identity field across all auth modes (Better Auth, BYOA, AUTH_MODE=local).\n * Binding to the session token instead would put the cookie value in a\n * URL that may end up in server logs / browser history.\n */\nexport function signBuilderCallbackState(sessionEmail: string): string {\n return signEmailBoundBuilderToken(sessionEmail, \"callback\");\n}\n\n/**\n * Verify a state token produced by `signBuilderCallbackState`. Returns\n * false on any malformed, forged, expired, or cross-session token.\n */\nexport function verifyBuilderCallbackState(\n token: string | null | undefined,\n sessionEmail: string,\n): boolean {\n return verifyEmailBoundBuilderToken(token, sessionEmail, \"callback\");\n}\n\nexport function verifyBuilderCallbackStateAndGetOwner(\n token: string | null | undefined,\n): string | null {\n if (typeof token !== \"string\" || token.length === 0) return null;\n const parts = token.split(\".\");\n if (parts.length !== 4) return null;\n const emailEncoded = parts[1];\n if (!emailEncoded) return null;\n\n let ownerEmail: string;\n try {\n ownerEmail = Buffer.from(emailEncoded, \"base64url\").toString(\"utf8\");\n } catch {\n return null;\n }\n if (!ownerEmail) return null;\n return verifyBuilderCallbackState(token, ownerEmail) ? ownerEmail : null;\n}\n\nexport function signBuilderConnectToken(ownerEmail: string): string {\n return signEmailBoundBuilderToken(ownerEmail, \"connect\");\n}\n\nexport function verifyBuilderConnectToken(\n token: string | null | undefined,\n ownerEmail: string,\n): boolean {\n return verifyEmailBoundBuilderToken(token, ownerEmail, \"connect\");\n}\n\nexport function verifyBuilderConnectTokenAndGetOwner(\n token: string | null | undefined,\n): string | null {\n if (typeof token !== \"string\" || token.length === 0) return null;\n const parts = token.split(\".\");\n if (parts.length !== 4) return null;\n const emailEncoded = parts[1];\n if (!emailEncoded) return null;\n\n let ownerEmail: string;\n try {\n ownerEmail = Buffer.from(emailEncoded, \"base64url\").toString(\"utf8\");\n } catch {\n return null;\n }\n if (!ownerEmail) return null;\n return verifyBuilderConnectToken(token, ownerEmail) ? ownerEmail : null;\n}\n\nexport function appendBuilderConnectToken(\n connectUrl: string,\n ownerEmail: string,\n): string {\n const url = new URL(connectUrl);\n url.searchParams.set(\n BUILDER_CONNECT_PARAM,\n signBuilderConnectToken(ownerEmail),\n );\n return url.toString();\n}\n\nfunction isAllowedBrowserReturnUrl(urlString: string): boolean {\n try {\n const parsed = new URL(urlString);\n const hostname = parsed.hostname.toLowerCase();\n const isAllowedProtocol =\n parsed.protocol === \"http:\" || parsed.protocol === \"https:\";\n const isLocalhost =\n hostname === \"localhost\" ||\n hostname === \"127.0.0.1\" ||\n hostname === \"[::1]\";\n const isBuilderDomain =\n hostname === \"builder.io\" ||\n hostname.endsWith(\".builder.io\") ||\n hostname === \"builder.my\" ||\n hostname.endsWith(\".builder.my\") ||\n hostname === \"builderio.xyz\" ||\n hostname.endsWith(\".builderio.xyz\") ||\n hostname === \"builderio.dev\" ||\n hostname.endsWith(\".builderio.dev\") ||\n hostname === \"builder.codes\" ||\n hostname.endsWith(\".builder.codes\");\n const isAgentNativeDomain =\n hostname === \"agent-native.com\" || hostname.endsWith(\".agent-native.com\");\n return (\n isAllowedProtocol &&\n (isLocalhost || isBuilderDomain || isAgentNativeDomain)\n );\n } catch {\n return false;\n }\n}\n\nfunction normalizeOrigin(origin: string): string {\n return origin.replace(/\\/+$/, \"\");\n}\n\nexport function getBuilderAppHost(): string {\n return (\n process.env.BUILDER_APP_HOST ||\n process.env.BUILDER_PUBLIC_APP_HOST ||\n DEFAULT_BUILDER_APP_HOST\n );\n}\n\nexport function getBuilderApiHost(): string {\n return (\n process.env.AIR_HOST ||\n process.env.BUILDER_HOST ||\n process.env.BUILDER_API_HOST ||\n DEFAULT_BUILDER_API_HOST\n );\n}\n\nfunction getConfiguredBuilderBranchProjectId(): string | undefined {\n const projectId =\n process.env.DISPATCH_BUILDER_PROJECT_ID ||\n process.env.BUILDER_BRANCH_PROJECT_ID ||\n process.env.BUILDER_PROJECT_ID;\n return projectId?.trim() || undefined;\n}\n\nexport function getBuilderBranchProjectId(): string {\n return getConfiguredBuilderBranchProjectId() || \"\";\n}\n\nexport function isBuilderBranchingEnabled(): boolean {\n return !!getConfiguredBuilderBranchProjectId();\n}\n\nexport async function resolveBuilderBranchProjectId(): Promise<string> {\n const envProjectId = getConfiguredBuilderBranchProjectId();\n if (envProjectId) return envProjectId;\n\n try {\n const { resolveSecret } = await import(\"./credential-provider.js\");\n for (const key of [\n \"DISPATCH_BUILDER_PROJECT_ID\",\n \"BUILDER_BRANCH_PROJECT_ID\",\n \"BUILDER_PROJECT_ID\",\n ]) {\n const value = await resolveSecret(key);\n if (value?.trim()) return value.trim();\n }\n } catch {\n // Secrets table or request context not ready — treat as not configured.\n }\n\n return \"\";\n}\n\nexport async function resolveIsBuilderBranchingEnabled(): Promise<boolean> {\n return !!(await resolveBuilderBranchProjectId());\n}\n\n/**\n * Build the Builder cli-auth URL for the connect popup. When a signed\n * `state` token is supplied it is embedded inside the `redirect_url`\n * query string so it survives Builder's redirect verbatim — Builder\n * preserves the redirect_url's existing query when appending p-key /\n * api-key / etc., so we don't depend on Builder echoing a top-level\n * `state` parameter (it doesn't).\n *\n * The user-facing connect entry point is `/_agent-native/builder/connect`\n * (a server-side 302). Status / chat-card responses surface that path\n * rather than the cli-auth URL directly, so the 302 handler can mint a\n * fresh state bound to the current session on every click.\n */\nexport function buildBuilderCliAuthUrl(\n origin: string,\n state: string | null = null,\n): string {\n const normalizedOrigin = normalizeOrigin(origin);\n const appBasePath = getAppBasePath();\n const callbackUrl = new URL(\n `${appBasePath}${BUILDER_CALLBACK_PATH}`,\n normalizedOrigin,\n );\n if (state) {\n callbackUrl.searchParams.set(BUILDER_STATE_PARAM, state);\n }\n const url = new URL(\"/cli-auth\", getBuilderAppHost());\n url.searchParams.set(\"response_type\", \"code\");\n url.searchParams.set(\"host\", BUILDER_BROWSER_HOST);\n url.searchParams.set(\"client_id\", BUILDER_BROWSER_CLIENT_ID);\n url.searchParams.set(\"redirect_url\", callbackUrl.toString());\n url.searchParams.set(\"preview_url\", `${normalizedOrigin}${appBasePath}`);\n url.searchParams.set(\"framework\", \"agent-native\");\n return url.toString();\n}\n\n/**\n * The bare URL surfaced to clients as `connectUrl`. The status route appends\n * a short-lived signed connect token when it knows the current owner; this\n * helper stays bare so server-rendered cards can still render without a\n * request-bound owner and the connect route can fall back to Fetch Metadata.\n */\nexport function getBuilderBrowserConnectUrl(origin: string): string {\n return `${normalizeOrigin(origin)}${getAppBasePath()}/_agent-native/builder/connect`;\n}\n\nfunction firstHeaderValue(value: string | undefined): string | undefined {\n return value?.split(\",\")[0]?.trim() || undefined;\n}\n\nfunction readEventHeader(event: H3Event, name: string): string | undefined {\n try {\n return getHeader(event, name) ?? undefined;\n } catch {\n const headers = (\n event as unknown as {\n node?: {\n req?: { headers?: Record<string, string | string[] | undefined> };\n };\n }\n ).node?.req?.headers;\n const value = headers?.[name.toLowerCase()] ?? headers?.[name];\n if (Array.isArray(value)) return value[0];\n return typeof value === \"string\" ? value : undefined;\n }\n}\n\nfunction isTrustedBuilderRequestHost(host: string | undefined): boolean {\n if (!host) return false;\n try {\n const hostname = new URL(`http://${host}`).hostname.toLowerCase();\n return (\n hostname === \"localhost\" ||\n hostname === \"127.0.0.1\" ||\n hostname === \"::1\" ||\n hostname === \"[::1]\" ||\n hostname === \"builderio.xyz\" ||\n hostname.endsWith(\".builderio.xyz\") ||\n hostname === \"builderio.dev\" ||\n hostname.endsWith(\".builderio.dev\") ||\n hostname === \"builder.codes\" ||\n hostname.endsWith(\".builder.codes\") ||\n hostname === \"builder.io\" ||\n hostname.endsWith(\".builder.io\") ||\n hostname === \"builder.my\" ||\n hostname.endsWith(\".builder.my\")\n );\n } catch {\n return false;\n }\n}\n\nfunction isLoopbackBuilderRequestHost(host: string | undefined): boolean {\n if (!host) return false;\n try {\n const hostname = new URL(`http://${host}`).hostname.toLowerCase();\n return (\n hostname === \"localhost\" ||\n hostname === \"127.0.0.1\" ||\n hostname === \"::1\" ||\n hostname === \"[::1]\"\n );\n } catch {\n return false;\n }\n}\n\nfunction firstPublicBuilderPreviewOriginFromEnv(): string | null {\n for (const key of [\n \"FUSION_ENV_ORIGIN\",\n \"VITE_FUSION_ENV_ORIGIN\",\n \"BUILDER_PREVIEW_URL\",\n \"VITE_BUILDER_PREVIEW_URL\",\n ]) {\n const raw = process.env[key];\n if (!raw) continue;\n try {\n const url = new URL(raw);\n if (url.protocol !== \"http:\" && url.protocol !== \"https:\") continue;\n if (isLoopbackBuilderRequestHost(url.host)) continue;\n if (!isTrustedBuilderRequestHost(url.host)) continue;\n return url.origin;\n } catch {\n // Ignore malformed environment values.\n }\n }\n return null;\n}\n\n/**\n * Builder CLI-auth does not need the workspace OAuth relay that Google uses.\n * In Builder/Fusion previews, keep connect + callback URLs on the actual app\n * preview origin so the signed connect token and pending row are verified by\n * the same deployment that minted them.\n */\nexport function getBuilderBrowserOriginForEvent(event: H3Event): string {\n const headerHost = firstHeaderValue(\n readEventHeader(event, \"x-forwarded-host\") ||\n readEventHeader(event, \"host\"),\n );\n if (!isTrustedBuilderRequestHost(headerHost)) return getOrigin(event);\n if (isLoopbackBuilderRequestHost(headerHost)) {\n const publicPreviewOrigin = firstPublicBuilderPreviewOriginFromEnv();\n if (publicPreviewOrigin) return publicPreviewOrigin;\n }\n\n const rawProto = firstHeaderValue(\n readEventHeader(event, \"x-forwarded-proto\"),\n );\n const proto =\n rawProto === \"http\" || rawProto === \"https\"\n ? rawProto\n : process.env.NODE_ENV === \"production\"\n ? \"https\"\n : \"http\";\n return `${proto}://${headerHost}`;\n}\n\nexport function getBuilderBrowserStatus(origin: string): BuilderBrowserStatus {\n const branchProjectId = getConfiguredBuilderBranchProjectId();\n const envManaged = !!process.env.BUILDER_PRIVATE_KEY;\n return {\n configured: !!(\n process.env.BUILDER_PRIVATE_KEY && process.env.BUILDER_PUBLIC_KEY\n ),\n builderEnabled: isBuilderBranchingEnabled(),\n branchProjectIdConfigured: !!branchProjectId,\n branchProjectId: branchProjectId || undefined,\n envManaged,\n credentialSource: envManaged ? \"env\" : undefined,\n appHost: getBuilderAppHost(),\n apiHost: getBuilderApiHost(),\n connectUrl: getBuilderBrowserConnectUrl(origin),\n publicKeyConfigured: !!process.env.BUILDER_PUBLIC_KEY,\n privateKeyConfigured: !!process.env.BUILDER_PRIVATE_KEY,\n userId: process.env.BUILDER_USER_ID || undefined,\n orgName: process.env.BUILDER_ORG_NAME || undefined,\n orgKind: process.env.BUILDER_ORG_KIND || undefined,\n };\n}\n\nexport function getBuilderBrowserStatusForEvent(\n event: H3Event,\n): BuilderBrowserStatus {\n return getBuilderBrowserStatus(getBuilderBrowserOriginForEvent(event));\n}\n\n/**\n * Env vars written by the Builder CLI-auth callback. Single source of truth\n * for the connect/disconnect key set — `getBuilderCallbackEnvVars` and the\n * disconnect handler's scrub loop both derive from this list, so drift\n * (e.g. disconnect silently leaving `BUILDER_USER_ID` behind because\n * someone added a key to one site but not the other) is impossible.\n */\nexport const BUILDER_ENV_KEYS = [\n \"BUILDER_PRIVATE_KEY\",\n \"BUILDER_PUBLIC_KEY\",\n \"BUILDER_USER_ID\",\n \"BUILDER_ORG_NAME\",\n \"BUILDER_ORG_KIND\",\n] as const;\n\nexport type BuilderEnvKey = (typeof BUILDER_ENV_KEYS)[number];\n\nexport function getBuilderCallbackEnvVars(params: {\n privateKey?: string | null;\n publicKey?: string | null;\n userId?: string | null;\n orgName?: string | null;\n orgKind?: string | null;\n}) {\n const values: Record<BuilderEnvKey, string> = {\n BUILDER_PRIVATE_KEY: params.privateKey?.trim() || \"\",\n BUILDER_PUBLIC_KEY: params.publicKey?.trim() || \"\",\n BUILDER_USER_ID: params.userId?.trim() || \"\",\n BUILDER_ORG_NAME: params.orgName?.trim() || \"\",\n BUILDER_ORG_KIND: params.orgKind?.trim() || \"\",\n };\n return BUILDER_ENV_KEYS.map((key) => ({ key, value: values[key] }));\n}\n\nexport function resolveSafePreviewUrl(\n previewUrl: string | null | undefined,\n event: H3Event,\n): string {\n if (previewUrl && isAllowedBrowserReturnUrl(previewUrl)) {\n return previewUrl;\n }\n return getBuilderBrowserOriginForEvent(event);\n}\n\n/**\n * Inline theme-detection script that runs before the body paints. Reads the\n * app's stored theme preference (same `localStorage.theme` key used by the\n * client-side theme manager) and falls back to `prefers-color-scheme`. This\n * way the popup matches whatever theme the user already picked in the app\n * — light, dark, or auto — instead of always rendering in OS-default mode.\n */\nconst BUILDER_CALLBACK_THEME_SCRIPT = `<script>\n(function () {\n try {\n var stored = window.localStorage && window.localStorage.getItem(\"theme\");\n var resolved;\n if (stored === \"light\" || stored === \"dark\") {\n resolved = stored;\n } else {\n var mq = window.matchMedia && window.matchMedia(\"(prefers-color-scheme: dark)\");\n resolved = mq && mq.matches ? \"dark\" : \"light\";\n }\n document.documentElement.classList.add(resolved);\n document.documentElement.style.colorScheme = resolved;\n } catch (e) {}\n})();\n</script>`;\n\n/**\n * Brand-aligned CSS for the Builder connect callback / error pages.\n *\n * Uses the same neutral-zinc palette and Inter font as the rest of the\n * framework's templates (see `templates/*\\/app/global.css`). Tokens map to\n * the same HSL values the templates set on `:root` / `.dark`, so the popup\n * reads as part of the same app — not a stranded marketing page.\n */\nconst BUILDER_CALLBACK_BASE_CSS = `\n :root {\n --bg: hsl(0 0% 100%);\n --fg: hsl(220 10% 10%);\n --muted-fg: hsl(220 5% 45%);\n --card: hsl(0 0% 100%);\n --border: hsl(220 10% 90%);\n --primary: hsl(220 10% 15%);\n --primary-fg: hsl(0 0% 100%);\n --primary-hover: hsl(220 10% 25%);\n --success-bg: hsl(143 50% 96%);\n --success-fg: hsl(143 60% 32%);\n --error-fg: hsl(0 75% 45%);\n --error-bg: hsl(0 80% 97%);\n --error-border: hsl(0 80% 92%);\n }\n :root.dark {\n --bg: hsl(220 6% 6%);\n --fg: hsl(0 0% 92%);\n --muted-fg: hsl(220 4% 60%);\n --card: hsl(220 5% 8%);\n --border: hsl(220 4% 14%);\n --primary: hsl(0 0% 92%);\n --primary-fg: hsl(220 6% 6%);\n --primary-hover: hsl(0 0% 75%);\n --success-bg: hsl(143 30% 12%);\n --success-fg: hsl(143 50% 70%);\n --error-fg: hsl(0 80% 75%);\n --error-bg: hsl(0 35% 12%);\n --error-border: hsl(0 30% 20%);\n }\n *, *::before, *::after { box-sizing: border-box; }\n html, body { height: 100%; }\n body {\n margin: 0;\n min-height: 100vh;\n display: grid;\n place-items: center;\n background: var(--bg);\n color: var(--fg);\n font-family: \"Inter\", ui-sans-serif, system-ui, -apple-system, \"Segoe UI\", \"Helvetica Neue\", Arial, sans-serif;\n font-size: 14px;\n line-height: 1.55;\n font-feature-settings: \"cv02\", \"cv03\", \"cv04\", \"cv11\";\n -webkit-font-smoothing: antialiased;\n -moz-osx-font-smoothing: grayscale;\n padding: 24px;\n }\n .card {\n width: min(420px, 100%);\n border: 1px solid var(--border);\n border-radius: 12px;\n padding: 32px 28px;\n background: var(--card);\n text-align: center;\n }\n .icon {\n display: inline-flex;\n align-items: center;\n justify-content: center;\n width: 44px;\n height: 44px;\n border-radius: 999px;\n margin-bottom: 16px;\n }\n .icon svg { width: 22px; height: 22px; display: block; }\n .icon-success { background: var(--success-bg); color: var(--success-fg); }\n .icon-error { background: var(--error-bg); color: var(--error-fg); }\n h1 {\n margin: 0 0 6px;\n font-size: 17px;\n font-weight: 600;\n letter-spacing: -0.01em;\n color: var(--fg);\n }\n p {\n margin: 0 0 4px;\n color: var(--fg);\n font-size: 14px;\n }\n p.muted { color: var(--muted-fg); }\n .btn {\n display: inline-flex;\n align-items: center;\n justify-content: center;\n height: 36px;\n padding: 0 16px;\n margin-top: 20px;\n background: var(--primary);\n color: var(--primary-fg);\n border-radius: 8px;\n font-size: 13px;\n font-weight: 500;\n text-decoration: none;\n border: none;\n cursor: pointer;\n }\n .btn:hover { background: var(--primary-hover); }\n pre.error-detail {\n margin: 16px 0 0;\n padding: 10px 12px;\n background: var(--error-bg);\n border: 1px solid var(--error-border);\n border-radius: 8px;\n color: var(--error-fg);\n font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;\n font-size: 12px;\n line-height: 1.5;\n text-align: left;\n white-space: pre-wrap;\n word-break: break-word;\n }\n`;\n\nexport function createBuilderBrowserCallbackPage(previewUrl: string): string {\n const escapedUrl = JSON.stringify(previewUrl);\n return `<!doctype html>\n<html lang=\"en\">\n <head>\n <meta charset=\"utf-8\" />\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\" />\n <title>Builder connected</title>\n <link rel=\"preconnect\" href=\"https://fonts.googleapis.com\" />\n <link rel=\"preconnect\" href=\"https://fonts.gstatic.com\" crossorigin />\n <link href=\"https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&display=swap\" rel=\"stylesheet\" />\n ${BUILDER_CALLBACK_THEME_SCRIPT}\n <style>${BUILDER_CALLBACK_BASE_CSS}</style>\n </head>\n <body>\n <main class=\"card\" role=\"status\" aria-live=\"polite\">\n <span class=\"icon icon-success\" aria-hidden=\"true\">\n <svg viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><polyline points=\"20 6 9 17 4 12\"></polyline></svg>\n </span>\n <h1>Builder connected</h1>\n <p>Browser access is now available to your app.</p>\n <p class=\"muted\">You can close this tab and return to the workspace.</p>\n <a class=\"btn\" href=${escapedUrl}>Open the workspace</a>\n </main>\n <script>\n // Tell the opener tab the connect succeeded. The parent has two ways\n // to learn this:\n // 1. The popup-based connect flow (window.open + 2s polling on\n // /builder/status) — picks it up via the next poll within ~2s.\n // 2. The link-based \"Use Builder\" flow (target=\"_blank\" tab) — the\n // AgentPanel only fetches /builder/status once on mount, so it\n // stays stuck on \"Use Builder\" unless we explicitly signal.\n // BroadcastChannel + postMessage cover both cases. Use the same channel\n // name as the error path (createBuilderBrowserCallbackErrorPage) and\n // mirror the parent-side listener in useBuilderStatus / useBuilderConnectUrl.\n try {\n var bc = new BroadcastChannel(\"builder-connect:\" + window.location.host);\n bc.postMessage({ type: \"builder-connect-success\" });\n bc.close();\n } catch (e) {}\n try {\n if (window.opener && !window.opener.closed) {\n window.opener.postMessage(\n { type: \"builder-connect-success\" },\n \"*\",\n );\n }\n } catch (e) {}\n // If we're a popup opened by the app, close ourselves and let the\n // parent tab keep polling for connection status. If close() is\n // blocked (e.g. we're the top-level tab because popups were\n // downgraded), fall back to navigating back to the workspace.\n window.setTimeout(function () {\n try { window.close(); } catch (e) {}\n window.setTimeout(function () {\n if (!window.closed) {\n window.location.replace(${escapedUrl});\n }\n }, 200);\n }, 700);\n </script>\n </body>\n</html>`;\n}\n\n/**\n * HTML page rendered inside the OAuth popup when the callback handler caught\n * an error persisting the per-user Builder credentials. Without this, the\n * popup would show the success page even though the write failed — leaving\n * the parent window stuck on \"Waiting for Builder…\" until the 5-minute poll\n * timeout fires (Midhun reported this on 2026-04-28).\n *\n * The page does two things:\n * 1. Shows the user a clear \"couldn't save credentials\" message with the\n * underlying error so they can retry or report.\n * 2. `postMessage`s the parent (same-origin opener) so the connect-flow\n * polling stops immediately rather than waiting for the next /status\n * poll to surface the SQL `builder-connect-error:<email>` row.\n */\nexport function createBuilderBrowserCallbackErrorPage(\n message: string,\n opts: {\n title?: string;\n body?: string;\n closeHint?: string;\n } = {},\n): string {\n const escapedMessage = JSON.stringify(message);\n const title = opts.title ?? \"Couldn't save Builder connection\";\n const body =\n opts.body ??\n \"Builder authorized your account but the server couldn't persist the credentials.\";\n const closeHint =\n opts.closeHint ?? \"You can close this tab and try again from settings.\";\n return `<!doctype html>\n<html lang=\"en\">\n <head>\n <meta charset=\"utf-8\" />\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\" />\n <title>Builder connect failed</title>\n <link rel=\"preconnect\" href=\"https://fonts.googleapis.com\" />\n <link rel=\"preconnect\" href=\"https://fonts.gstatic.com\" crossorigin />\n <link href=\"https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&display=swap\" rel=\"stylesheet\" />\n ${BUILDER_CALLBACK_THEME_SCRIPT}\n <style>${BUILDER_CALLBACK_BASE_CSS}</style>\n </head>\n <body>\n <main class=\"card\" role=\"alert\" aria-live=\"assertive\">\n <span class=\"icon icon-error\" aria-hidden=\"true\">\n <svg viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><path d=\"M10.29 3.86 1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0Z\"></path><line x1=\"12\" y1=\"9\" x2=\"12\" y2=\"13\"></line><line x1=\"12\" y1=\"17\" x2=\"12.01\" y2=\"17\"></line></svg>\n </span>\n <h1>${escapeHtml(title)}</h1>\n <p class=\"muted\">${escapeHtml(body)}</p>\n <pre class=\"error-detail\" id=\"msg\"></pre>\n <p class=\"muted\" style=\"margin-top:12px\">${escapeHtml(closeHint)}</p>\n </main>\n <script>\n try {\n var msg = ${escapedMessage};\n document.getElementById(\"msg\").textContent = msg;\n // Notify the parent tab immediately so its polling loop stops\n // without waiting for the next /builder/status tick.\n //\n // BroadcastChannel works across same-origin windows regardless of\n // opener access — it is the only reliable channel here because\n // popups opened with window.open(..., \"noopener\") or links with\n // rel=\"noopener\" have window.opener === null. The legacy\n // window.opener.postMessage path is kept as a belt-and-suspenders\n // fallback for non-BroadcastChannel environments.\n try {\n var bc = new BroadcastChannel(\"builder-connect:\" + window.location.host);\n bc.postMessage({ type: \"builder-connect-error\", message: msg });\n bc.close();\n } catch (e) {}\n if (window.opener && !window.opener.closed) {\n try {\n window.opener.postMessage(\n { type: \"builder-connect-error\", message: msg },\n \"*\",\n );\n } catch (e) {}\n }\n } catch (e) {}\n </script>\n </body>\n</html>`;\n}\n\nexport interface RunBuilderAgentArgs {\n prompt: string;\n projectId?: string;\n branchName?: string;\n userEmail?: string;\n userId?: string;\n}\n\nexport interface RunBuilderAgentResult {\n branchName: string;\n projectId: string;\n url: string;\n status: string;\n}\n\nfunction normalizeBuilderApiString(value: unknown, fieldName: string): string {\n if (typeof value !== \"string\" || !value.trim()) {\n throw new Error(`Builder agent run returned a blank ${fieldName}`);\n }\n const trimmed = value.trim();\n if (/[\\u0000-\\u001f\\u007f]/.test(trimmed)) {\n throw new Error(`Builder agent run returned a malformed ${fieldName}`);\n }\n return trimmed;\n}\n\nfunction normalizeBuilderBranchUrl(value: unknown): string {\n const urlString = normalizeBuilderApiString(value, \"url\");\n let parsed: URL;\n try {\n parsed = new URL(urlString);\n } catch {\n throw new Error(\"Builder agent run returned a malformed url\");\n }\n if (parsed.protocol !== \"https:\" && parsed.protocol !== \"http:\") {\n throw new Error(\"Builder agent run returned a malformed url\");\n }\n if (\n parsed.hostname !== \"builder.io\" &&\n !parsed.hostname.endsWith(\".builder.io\")\n ) {\n throw new Error(\"Builder agent run returned a non-Builder url\");\n }\n return parsed.toString();\n}\n\n/**\n * POST a prompt to the Builder agents-run API. The Builder agent runs in a\n * cloud sandbox and writes code to a branch; the returned URL opens that\n * branch in the Visual Editor so the user can watch progress.\n *\n * Spec: https://www.builder.io/c/docs/agents-run-api\n */\nexport async function runBuilderAgent(\n args: RunBuilderAgentArgs,\n): Promise<RunBuilderAgentResult> {\n const { resolveBuilderCredentials } =\n await import(\"./credential-provider.js\");\n const creds = await resolveBuilderCredentials();\n if (!creds.privateKey || !creds.publicKey) {\n throw new Error(\"Builder keys are not configured\");\n }\n if (!args.prompt || !args.prompt.trim()) {\n throw new Error(\"prompt is required\");\n }\n const projectId = args.projectId?.trim();\n if (!projectId) {\n throw new Error(\n \"Builder project ID is not configured. Set DISPATCH_BUILDER_PROJECT_ID, BUILDER_BRANCH_PROJECT_ID, or BUILDER_PROJECT_ID.\",\n );\n }\n const builderUserId = args.userId || creds.userId || undefined;\n const builderUserEmail = builderUserId ? undefined : args.userEmail;\n if (!builderUserEmail && !builderUserId) {\n throw new Error(\"userEmail or userId is required\");\n }\n\n const url = new URL(\"/agents/run\", getBuilderApiHost());\n url.searchParams.set(\"apiKey\", creds.publicKey);\n\n const body: Record<string, unknown> = {\n userMessage: { userPrompt: args.prompt },\n projectId,\n };\n if (args.branchName) body.branchName = args.branchName;\n if (builderUserEmail) body.userEmail = builderUserEmail;\n if (builderUserId) body.userId = builderUserId;\n\n const response = await fetch(url, {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${creds.privateKey}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify(body),\n });\n\n const parsed = (await response.json().catch(() => ({}))) as Record<\n string,\n unknown\n >;\n if (!response.ok) {\n const msg =\n typeof parsed.error === \"string\"\n ? parsed.error\n : `Builder agent run failed (${response.status})`;\n throw new Error(msg);\n }\n\n return {\n branchName: normalizeBuilderApiString(parsed.branchName, \"branchName\"),\n projectId:\n typeof parsed.projectId === \"string\" && parsed.projectId.trim()\n ? parsed.projectId.trim()\n : projectId,\n url: normalizeBuilderBranchUrl(parsed.url),\n status:\n typeof parsed.status === \"string\" && parsed.status.trim()\n ? parsed.status.trim()\n : \"processing\",\n };\n}\n\nexport async function requestBuilderBrowserConnection(\n args: BrowserConnectionArgs,\n): Promise<Record<string, unknown>> {\n const { resolveBuilderCredentials } =\n await import(\"./credential-provider.js\");\n const creds = await resolveBuilderCredentials();\n if (!creds.privateKey || !creds.publicKey) {\n throw new Error(\"Builder browser access is not configured\");\n }\n\n const sessionId = args.sessionId?.trim();\n if (!sessionId) {\n throw new Error(\"sessionId is required\");\n }\n\n const url = new URL(\"/codegen/get-browser-connection\", getBuilderApiHost());\n url.searchParams.set(\"apiKey\", creds.publicKey);\n if (creds.userId) {\n url.searchParams.set(\"userId\", creds.userId);\n }\n\n const response = await fetch(url, {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${creds.privateKey}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify({\n sessionId,\n projectId: args.projectId || undefined,\n branchName: args.branchName || undefined,\n proxyOrigin: args.proxyOrigin || undefined,\n proxyDefaultOrigin: args.proxyDefaultOrigin || undefined,\n proxyDst: args.proxyDestination || undefined,\n }),\n });\n\n const body = (await response.json().catch(() => ({}))) as Record<\n string,\n unknown\n >;\n if (!response.ok) {\n const error =\n typeof body.error === \"string\"\n ? body.error\n : `Builder browser request failed (${response.status})`;\n throw new Error(error);\n }\n\n return body;\n}\n"]}
1
+ {"version":3,"file":"builder-browser.js","sourceRoot":"","sources":["../../src/server/builder-browser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEvE,OAAO,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAE9D,MAAM,wBAAwB,GAAG,oBAAoB,CAAC;AACtD,MAAM,wBAAwB,GAAG,wBAAwB,CAAC;AAC1D,MAAM,oBAAoB,GAAG,sBAAsB,CAAC;AACpD,MAAM,yBAAyB,GAAG,sBAAsB,CAAC;AAEzD,MAAM,CAAC,MAAM,qBAAqB,GAAG,iCAAiC,CAAC;AAEvE,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,EAAE;QACtC,QAAQ,EAAE,EAAE,CAAC;YACX,KAAK,GAAG;gBACN,OAAO,OAAO,CAAC;YACjB,KAAK,GAAG;gBACN,OAAO,MAAM,CAAC;YAChB,KAAK,GAAG;gBACN,OAAO,MAAM,CAAC;YAChB,KAAK,GAAG;gBACN,OAAO,QAAQ,CAAC;YAClB;gBACE,OAAO,OAAO,CAAC;QACnB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,WAAW,CAAC;AAC/C,MAAM,CAAC,MAAM,qBAAqB,GAAG,aAAa,CAAC;AACnD,MAAM,CAAC,MAAM,4BAA4B,GAAG,0BAA0B,CAAC;AAEvE,MAAM,oBAAoB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAiD5C,SAAS,oBAAoB,CAAC,OAAkC;IAC9D,4EAA4E;IAC5E,iEAAiE;IACjE,OAAO,OAAO,KAAK,UAAU;QAC3B,CAAC,CAAC,gBAAgB,aAAa,EAAE,EAAE;QACnC,CAAC,CAAC,mBAAmB,aAAa,EAAE,EAAE,CAAC;AAC3C,CAAC;AAED,SAAS,WAAW,CAClB,OAAkC,EAClC,KAAa,EACb,YAAoB,EACpB,EAAU;IAEV,OAAO,UAAU,CAAC,QAAQ,EAAE,oBAAoB,CAAC,OAAO,CAAC,CAAC;SACvD,MAAM,CAAC,GAAG,KAAK,IAAI,YAAY,IAAI,EAAE,EAAE,CAAC;SACxC,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,0BAA0B,CACjC,UAAkB,EAClB,OAAkC;IAElC,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACtB,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC3E,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC;IAC1D,OAAO,GAAG,KAAK,IAAI,YAAY,IAAI,EAAE,IAAI,GAAG,EAAE,CAAC;AACjD,CAAC;AAED,SAAS,4BAA4B,CACnC,KAAgC,EAChC,UAAkB,EAClB,OAAkC;IAElC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAClE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,MAAM,CAAC,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC;IAChD,IAAI,CAAC,KAAK,IAAI,CAAC,YAAY,IAAI,CAAC,KAAK,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IAE5D,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,UAAU,KAAK,UAAU;QAAE,OAAO,KAAK,CAAC;IAE5C,MAAM,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IACzB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,2EAA2E;IAC3E,sEAAsE;IACtE,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,GAAG,oBAAoB;QAAE,OAAO,KAAK,CAAC;IAEnE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC,CAAC;IAC5E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACvD,OAAO,eAAe,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,wBAAwB,CAAC,YAAoB;IAC3D,OAAO,0BAA0B,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;AAC9D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CACxC,KAAgC,EAChC,YAAoB;IAEpB,OAAO,4BAA4B,CAAC,KAAK,EAAE,YAAY,EAAE,UAAU,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,qCAAqC,CACnD,KAAgC;IAEhC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC9B,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAC;IAE/B,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,OAAO,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,UAAkB;IACxD,OAAO,0BAA0B,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,KAAgC,EAChC,UAAkB;IAElB,OAAO,4BAA4B,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,oCAAoC,CAClD,KAAgC;IAEhC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC9B,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAC;IAE/B,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,OAAO,yBAAyB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1E,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,UAAkB,EAClB,UAAkB;IAElB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IAChC,GAAG,CAAC,YAAY,CAAC,GAAG,CAClB,qBAAqB,EACrB,uBAAuB,CAAC,UAAU,CAAC,CACpC,CAAC;IACF,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,yBAAyB,CAAC,SAAiB;IAClD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAClC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC/C,MAAM,iBAAiB,GACrB,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC;QAC9D,MAAM,WAAW,GACf,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,OAAO,CAAC;QACvB,MAAM,eAAe,GACnB,QAAQ,KAAK,YAAY;YACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChC,QAAQ,KAAK,YAAY;YACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QACtC,MAAM,mBAAmB,GACvB,QAAQ,KAAK,kBAAkB,IAAI,QAAQ,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;QAC5E,OAAO,CACL,iBAAiB;YACjB,CAAC,WAAW,IAAI,eAAe,IAAI,mBAAmB,CAAC,CACxD,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,MAAc;IACrC,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,OAAO,CAAC,GAAG,CAAC,uBAAuB;QACnC,wBAAwB,CACzB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,QAAQ;QACpB,OAAO,CAAC,GAAG,CAAC,YAAY;QACxB,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,wBAAwB,CACzB,CAAC;AACJ,CAAC;AAED,SAAS,mCAAmC;IAC1C,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,2BAA2B;QACvC,OAAO,CAAC,GAAG,CAAC,yBAAyB;QACrC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IACjC,OAAO,SAAS,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,OAAO,mCAAmC,EAAE,IAAI,EAAE,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,OAAO,CAAC,CAAC,mCAAmC,EAAE,CAAC;AACjD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,6BAA6B;IACjD,MAAM,YAAY,GAAG,mCAAmC,EAAE,CAAC;IAC3D,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;QACnE,KAAK,MAAM,GAAG,IAAI;YAChB,6BAA6B;YAC7B,2BAA2B;YAC3B,oBAAoB;SACrB,EAAE,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,GAAG,CAAC,CAAC;YACvC,IAAI,KAAK,EAAE,IAAI,EAAE;gBAAE,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACzC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,wEAAwE;IAC1E,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gCAAgC;IACpD,OAAO,CAAC,CAAC,CAAC,MAAM,6BAA6B,EAAE,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,6BAA6B,CAAC,MAAiC;IACtE,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC/C,MAAM,iBAAiB,GACrB,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC;QAC9D,MAAM,WAAW,GACf,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,KAAK;YAClB,QAAQ,KAAK,OAAO,CAAC;QACvB,MAAM,eAAe,GACnB,QAAQ,KAAK,YAAY,IAAI,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAChE,MAAM,mBAAmB,GACvB,QAAQ,KAAK,kBAAkB,IAAI,QAAQ,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;QAC5E,OAAO,CACL,iBAAiB;YACjB,CAAC,WAAW,IAAI,eAAe,IAAI,mBAAmB,CAAC,CACxD,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,wCAAwC;IAC/C,KAAK,MAAM,GAAG,IAAI;QAChB,SAAS;QACT,cAAc;QACd,iBAAiB;QACjB,sBAAsB;QACtB,uBAAuB;QACvB,4BAA4B;KAC7B,EAAE,CAAC;QACF,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;YACnC,IAAI,6BAA6B,CAAC,MAAM,CAAC;gBAAE,OAAO,MAAM,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,uCAAuC;QACzC,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,YAAY,CAAC;AAEjD,SAAS,yBAAyB,CAAC,KAAgC;IACjE,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QAC9B,OAAO,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,sBAAsB,CACpC,cAAsB,EACtB,QAAuB,IAAI,EAC3B,UAAsC,EAAE;IAExC,MAAM,wBAAwB,GAAG,eAAe,CAAC,cAAc,CAAC,CAAC;IACjE,MAAM,sBAAsB,GAAG,eAAe,CAC5C,OAAO,CAAC,aAAa,IAAI,cAAc,CACxC,CAAC;IACF,MAAM,uBAAuB,GAAG,6BAA6B,CAC3D,sBAAsB,CACvB;QACC,CAAC,CAAC,sBAAsB;QACxB,CAAC,CAAC,wBAAwB,CAAC;IAC7B,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,MAAM,WAAW,GAAG,IAAI,GAAG,CACzB,GAAG,WAAW,GAAG,qBAAqB,EAAE,EACxC,wBAAwB,CACzB,CAAC;IACF,IAAI,KAAK,EAAE,CAAC;QACV,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAAC;IAC3D,CAAC;IACD,2EAA2E;IAC3E,wEAAwE;IACxE,uEAAuE;IACvE,oEAAoE;IACpE,0EAA0E;IAC1E,oEAAoE;IACpE,IACE,sBAAsB;QACtB,sBAAsB,KAAK,uBAAuB;QAClD,yBAAyB,CAAC,sBAAsB,CAAC,EACjD,CAAC;QACD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,oBAAoB,EAAE,sBAAsB,CAAC,CAAC;IAC7E,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,EAAE,iBAAiB,EAAE,CAAC,CAAC;IACtD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;IACnD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,yBAAyB,CAAC,CAAC;IAC7D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC7D,GAAG,CAAC,YAAY,CAAC,GAAG,CAClB,aAAa,EACb,GAAG,uBAAuB,GAAG,WAAW,EAAE,CAC3C,CAAC;IACF,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IAClD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,MAAc;IACxD,OAAO,GAAG,eAAe,CAAC,MAAM,CAAC,GAAG,cAAc,EAAE,gCAAgC,CAAC;AACvF,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAyB;IACjD,OAAO,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACnD,CAAC;AAED,SAAS,eAAe,CAAC,KAAc,EAAE,IAAY;IACnD,IAAI,CAAC;QACH,OAAO,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,SAAS,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,OAAO,GACX,KAKD,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC;QACrB,MAAM,KAAK,GAAG,OAAO,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,IAAI,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;QAC/D,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAC1C,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;IACvD,CAAC;AACH,CAAC;AAED,SAAS,2BAA2B,CAAC,IAAwB;IAC3D,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAClE,OAAO,CACL,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,KAAK;YAClB,QAAQ,KAAK,OAAO;YACpB,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,YAAY;YACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChC,QAAQ,KAAK,YAAY;YACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CACjC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,4BAA4B,CAAC,IAAwB;IAC5D,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAClE,OAAO,CACL,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,KAAK;YAClB,QAAQ,KAAK,OAAO,CACrB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,sCAAsC;IAC7C,KAAK,MAAM,GAAG,IAAI;QAChB,mBAAmB;QACnB,wBAAwB;QACxB,qBAAqB;QACrB,0BAA0B;KAC3B,EAAE,CAAC;QACF,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YACzB,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ;gBAAE,SAAS;YACpE,IAAI,4BAA4B,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACrD,IAAI,CAAC,2BAA2B,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACrD,OAAO,GAAG,CAAC,MAAM,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,uCAAuC;QACzC,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,+BAA+B,CAAC,KAAc;IAC5D,MAAM,UAAU,GAAG,gBAAgB,CACjC,eAAe,CAAC,KAAK,EAAE,kBAAkB,CAAC;QACxC,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CACjC,CAAC;IACF,IAAI,CAAC,2BAA2B,CAAC,UAAU,CAAC;QAAE,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,4BAA4B,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7C,MAAM,mBAAmB,GAAG,sCAAsC,EAAE,CAAC;QACrE,IAAI,mBAAmB;YAAE,OAAO,mBAAmB,CAAC;IACtD,CAAC;IAED,MAAM,QAAQ,GAAG,gBAAgB,CAC/B,eAAe,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAC5C,CAAC;IACF,MAAM,KAAK,GACT,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,OAAO;QACzC,CAAC,CAAC,QAAQ;QACV,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;YACrC,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,MAAM,CAAC;IACf,OAAO,GAAG,KAAK,MAAM,UAAU,EAAE,CAAC;AACpC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,uCAAuC,CACrD,KAAc;IAEd,MAAM,aAAa,GAAG,+BAA+B,CAAC,KAAK,CAAC,CAAC;IAC7D,IAAI,6BAA6B,CAAC,aAAa,CAAC;QAAE,OAAO,aAAa,CAAC;IACvE,OAAO,wCAAwC,EAAE,IAAI,aAAa,CAAC;AACrE,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,MAAc;IACpD,MAAM,eAAe,GAAG,mCAAmC,EAAE,CAAC;IAC9D,MAAM,UAAU,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACrD,OAAO;QACL,UAAU,EAAE,CAAC,CAAC,CACZ,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAClE;QACD,cAAc,EAAE,yBAAyB,EAAE;QAC3C,yBAAyB,EAAE,CAAC,CAAC,eAAe;QAC5C,eAAe,EAAE,eAAe,IAAI,SAAS;QAC7C,UAAU;QACV,gBAAgB,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QAChD,OAAO,EAAE,iBAAiB,EAAE;QAC5B,OAAO,EAAE,iBAAiB,EAAE;QAC5B,UAAU,EAAE,2BAA2B,CAAC,MAAM,CAAC;QAC/C,mBAAmB,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB;QACrD,oBAAoB,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB;QACvD,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,SAAS;QAChD,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,SAAS;QAClD,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,SAAS;KACnD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,+BAA+B,CAC7C,KAAc;IAEd,OAAO,uBAAuB,CAAC,+BAA+B,CAAC,KAAK,CAAC,CAAC,CAAC;AACzE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,qBAAqB;IACrB,oBAAoB;IACpB,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;CACV,CAAC;AAIX,MAAM,UAAU,yBAAyB,CAAC,MAMzC;IACC,MAAM,MAAM,GAAkC;QAC5C,mBAAmB,EAAE,MAAM,CAAC,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE;QACpD,kBAAkB,EAAE,MAAM,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE;QAClD,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE;QAC5C,gBAAgB,EAAE,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE;QAC9C,gBAAgB,EAAE,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE;KAC/C,CAAC;IACF,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,UAAqC,EACrC,KAAc;IAEd,IAAI,UAAU,IAAI,yBAAyB,CAAC,UAAU,CAAC,EAAE,CAAC;QACxD,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,OAAO,+BAA+B,CAAC,KAAK,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,6BAA6B,GAAG;;;;;;;;;;;;;;;UAe5B,CAAC;AAEX;;;;;;;GAOG;AACH,MAAM,yBAAyB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgHjC,CAAC;AAEF,SAAS,iBAAiB,CAAC,KAAgC;IACzD,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gCAAgC,CAC9C,UAAkB,EAClB,OAAkC,EAAE;IAEpC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC9C,MAAM,YAAY,GAChB,iBAAiB,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,iBAAiB,CAAC,UAAU,CAAC,CAAC;IACxE,wEAAwE;IACxE,qEAAqE;IACrE,wEAAwE;IACxE,yBAAyB;IACzB,MAAM,mBAAmB,GAAG,IAAI,CAAC,SAAS,CAAC,YAAY,IAAI,GAAG,CAAC,CAAC;IAChE,OAAO;;;;;;;;;MASH,6BAA6B;aACtB,yBAAyB;;;;;;;;;;4BAUV,UAAU;;;;;;;;;;;;;;;;;;;;;;cAsBxB,mBAAmB;;;;;;;;;;;;sCAYK,UAAU;;;;;;QAMxC,CAAC;AACT,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,qCAAqC,CACnD,OAAe,EACf,OAKI,EAAE;IAEN,MAAM,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC1D,MAAM,mBAAmB,GAAG,IAAI,CAAC,SAAS,CAAC,YAAY,IAAI,GAAG,CAAC,CAAC;IAChE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,kCAAkC,CAAC;IAC/D,MAAM,IAAI,GACR,IAAI,CAAC,IAAI;QACT,kFAAkF,CAAC;IACrF,MAAM,SAAS,GACb,IAAI,CAAC,SAAS,IAAI,qDAAqD,CAAC;IAC1E,OAAO;;;;;;;;;MASH,6BAA6B;aACtB,yBAAyB;;;;;;;YAO1B,UAAU,CAAC,KAAK,CAAC;yBACJ,UAAU,CAAC,IAAI,CAAC;;iDAEQ,UAAU,CAAC,SAAS,CAAC;;;;oBAIlD,cAAc;;;;;;;;;;;;;;;;;;;;gBAoBlB,mBAAmB;;;;;;;QAO3B,CAAC;AACT,CAAC;AAiBD,SAAS,yBAAyB,CAAC,KAAc,EAAE,SAAiB;IAClE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,sCAAsC,SAAS,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,0CAA0C,SAAS,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAc;IAC/C,MAAM,SAAS,GAAG,yBAAyB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC1D,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,IACE,MAAM,CAAC,QAAQ,KAAK,YAAY;QAChC,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,EACxC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,MAAM,CAAC,QAAQ,EAAE,CAAC;AAC3B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAyB;IAEzB,MAAM,EAAE,yBAAyB,EAAE,GACjC,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,MAAM,yBAAyB,EAAE,CAAC;IAChD,IAAI,CAAC,KAAK,CAAC,UAAU,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC;IACzC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,0HAA0H,CAC3H,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,MAAM,IAAI,SAAS,CAAC;IAC/D,MAAM,gBAAgB,GAAG,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC;IACpE,IAAI,CAAC,gBAAgB,IAAI,CAAC,aAAa,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,aAAa,EAAE,iBAAiB,EAAE,CAAC,CAAC;IACxD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAEhD,MAAM,IAAI,GAA4B;QACpC,WAAW,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,MAAM,EAAE;QACxC,SAAS;KACV,CAAC;IACF,IAAI,IAAI,CAAC,UAAU;QAAE,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IACvD,IAAI,gBAAgB;QAAE,IAAI,CAAC,SAAS,GAAG,gBAAgB,CAAC;IACxD,IAAI,aAAa;QAAE,IAAI,CAAC,MAAM,GAAG,aAAa,CAAC;IAE/C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,CAAC,UAAU,EAAE;YAC3C,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAGtD,CAAC;IACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,GAAG,GACP,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ;YAC9B,CAAC,CAAC,MAAM,CAAC,KAAK;YACd,CAAC,CAAC,6BAA6B,QAAQ,CAAC,MAAM,GAAG,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAED,OAAO;QACL,UAAU,EAAE,yBAAyB,CAAC,MAAM,CAAC,UAAU,EAAE,YAAY,CAAC;QACtE,SAAS,EACP,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE;YAC7D,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE;YACzB,CAAC,CAAC,SAAS;QACf,GAAG,EAAE,yBAAyB,CAAC,MAAM,CAAC,GAAG,CAAC;QAC1C,MAAM,EACJ,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE;YACvD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE;YACtB,CAAC,CAAC,YAAY;KACnB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,IAA2B;IAE3B,MAAM,EAAE,yBAAyB,EAAE,GACjC,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,MAAM,yBAAyB,EAAE,CAAC;IAChD,IAAI,CAAC,KAAK,CAAC,UAAU,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC;IACzC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,iCAAiC,EAAE,iBAAiB,EAAE,CAAC,CAAC;IAC5E,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,CAAC,UAAU,EAAE;YAC3C,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,SAAS;YACtC,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,SAAS;YACxC,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,SAAS;YAC1C,kBAAkB,EAAE,IAAI,CAAC,kBAAkB,IAAI,SAAS;YACxD,QAAQ,EAAE,IAAI,CAAC,gBAAgB,IAAI,SAAS;SAC7C,CAAC;KACH,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAGpD,CAAC;IACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,KAAK,GACT,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;YAC5B,CAAC,CAAC,IAAI,CAAC,KAAK;YACZ,CAAC,CAAC,mCAAmC,QAAQ,CAAC,MAAM,GAAG,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC;IACzB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["import { createHmac, randomBytes, timingSafeEqual } from \"node:crypto\";\nimport type { H3Event } from \"h3\";\nimport { getHeader } from \"h3\";\nimport { getAuthSecret } from \"./better-auth-instance.js\";\nimport { getAppBasePath, getOrigin } from \"./google-oauth.js\";\n\nconst DEFAULT_BUILDER_APP_HOST = \"https://builder.io\";\nconst DEFAULT_BUILDER_API_HOST = \"https://api.builder.io\";\nconst BUILDER_BROWSER_HOST = \"agent-native-browser\";\nconst BUILDER_BROWSER_CLIENT_ID = \"Agent Native Browser\";\n\nexport const BUILDER_CALLBACK_PATH = \"/_agent-native/builder/callback\";\n\nfunction escapeHtml(value: string): string {\n return value.replace(/[&<>\"']/g, (ch) => {\n switch (ch) {\n case \"&\":\n return \"&amp;\";\n case \"<\":\n return \"&lt;\";\n case \">\":\n return \"&gt;\";\n case '\"':\n return \"&quot;\";\n default:\n return \"&#39;\";\n }\n });\n}\n\n/**\n * Query-param name carrying the signed CSRF state on the connect→callback\n * round-trip. Prefixed with `_an_` to avoid collisions if Builder ever\n * adds standard OAuth `state` support to cli-auth. Builder preserves\n * the path/query of `redirect_url` verbatim when redirecting back, so\n * we embed `_an_state=…` inside the redirect_url query string at\n * connect time and read it back on the callback.\n */\nexport const BUILDER_STATE_PARAM = \"_an_state\";\nexport const BUILDER_CONNECT_PARAM = \"_an_connect\";\nexport const BUILDER_CONNECT_OWNER_COOKIE = \"an_builder_connect_owner\";\n\nconst BUILDER_STATE_TTL_MS = 10 * 60 * 1000;\n\nexport interface BuilderBrowserStatus {\n configured: boolean;\n builderEnabled: boolean;\n branchProjectIdConfigured: boolean;\n branchProjectId?: string;\n /**\n * True when `BUILDER_PRIVATE_KEY` is set at the deployment level. This is a\n * fallback credential; signed-in users can still connect their own Builder\n * account, which takes precedence for their request.\n */\n envManaged: boolean;\n credentialSource?: \"user\" | \"org\" | \"workspace\" | \"env\";\n /**\n * The currently effective Builder credential was rejected by Builder's API.\n * This is durable status about the credential pair, not a failure of an\n * in-progress cli-auth callback.\n */\n authError?: { message: string; at: number };\n connectError?: { message: string; at: number };\n appHost: string;\n apiHost: string;\n /**\n * Ready-to-open Builder CLI auth URL for this request owner, when the\n * callback can return to the same deployment that minted the state. Preview\n * deployments that must callback through a gateway omit this and use\n * connectUrl so the server can write a pending-connect row first.\n */\n cliAuthUrl?: string;\n connectUrl: string;\n publicKeyConfigured: boolean;\n privateKeyConfigured: boolean;\n userId?: string;\n orgName?: string;\n orgKind?: string;\n}\n\nexport interface BrowserConnectionArgs {\n sessionId?: string;\n projectId?: string;\n branchName?: string;\n proxyOrigin?: string;\n proxyDefaultOrigin?: string;\n proxyDestination?: string;\n}\n\ntype BuilderSignedTokenPurpose = \"callback\" | \"connect\";\n\nfunction signingKeyForPurpose(purpose: BuilderSignedTokenPurpose): string {\n // Preserve the original callback-state signing key for any in-flight legacy\n // callbacks; use a separate key domain for connect-entry tokens.\n return purpose === \"callback\"\n ? `builder-csrf:${getAuthSecret()}`\n : `builder-connect:${getAuthSecret()}`;\n}\n\nfunction macForParts(\n purpose: BuilderSignedTokenPurpose,\n nonce: string,\n emailEncoded: string,\n ts: number,\n): string {\n return createHmac(\"sha256\", signingKeyForPurpose(purpose))\n .update(`${nonce}.${emailEncoded}.${ts}`)\n .digest(\"base64url\");\n}\n\nfunction signEmailBoundBuilderToken(\n ownerEmail: string,\n purpose: BuilderSignedTokenPurpose,\n): string {\n const nonce = randomBytes(16).toString(\"base64url\");\n const ts = Date.now();\n const emailEncoded = Buffer.from(ownerEmail, \"utf8\").toString(\"base64url\");\n const mac = macForParts(purpose, nonce, emailEncoded, ts);\n return `${nonce}.${emailEncoded}.${ts}.${mac}`;\n}\n\nfunction verifyEmailBoundBuilderToken(\n token: string | null | undefined,\n ownerEmail: string,\n purpose: BuilderSignedTokenPurpose,\n): boolean {\n if (typeof token !== \"string\" || token.length === 0) return false;\n const parts = token.split(\".\");\n if (parts.length !== 4) return false;\n const [nonce, emailEncoded, tsStr, mac] = parts;\n if (!nonce || !emailEncoded || !tsStr || !mac) return false;\n\n let boundEmail: string;\n try {\n boundEmail = Buffer.from(emailEncoded, \"base64url\").toString(\"utf8\");\n } catch {\n return false;\n }\n if (boundEmail !== ownerEmail) return false;\n\n const ts = Number(tsStr);\n if (!Number.isFinite(ts)) return false;\n // Reject expired AND far-future timestamps so leaked tokens do not gain an\n // arbitrary lifetime through clock skew or forged future issue times.\n if (Math.abs(Date.now() - ts) > BUILDER_STATE_TTL_MS) return false;\n\n const expected = Buffer.from(macForParts(purpose, nonce, emailEncoded, ts));\n const candidate = Buffer.from(mac);\n if (expected.length !== candidate.length) return false;\n return timingSafeEqual(expected, candidate);\n}\n\n/**\n * Mint a signed CSRF state token bound to the current session's email\n * and a fresh nonce. Round-trips through Builder's cli-auth flow inside\n * the redirect_url query string and is verified on the callback before\n * any keys are written.\n *\n * Why bind to email: it's the only stable, universally-available\n * identity field across all auth modes (Better Auth, BYOA, AUTH_MODE=local).\n * Binding to the session token instead would put the cookie value in a\n * URL that may end up in server logs / browser history.\n */\nexport function signBuilderCallbackState(sessionEmail: string): string {\n return signEmailBoundBuilderToken(sessionEmail, \"callback\");\n}\n\n/**\n * Verify a state token produced by `signBuilderCallbackState`. Returns\n * false on any malformed, forged, expired, or cross-session token.\n */\nexport function verifyBuilderCallbackState(\n token: string | null | undefined,\n sessionEmail: string,\n): boolean {\n return verifyEmailBoundBuilderToken(token, sessionEmail, \"callback\");\n}\n\nexport function verifyBuilderCallbackStateAndGetOwner(\n token: string | null | undefined,\n): string | null {\n if (typeof token !== \"string\" || token.length === 0) return null;\n const parts = token.split(\".\");\n if (parts.length !== 4) return null;\n const emailEncoded = parts[1];\n if (!emailEncoded) return null;\n\n let ownerEmail: string;\n try {\n ownerEmail = Buffer.from(emailEncoded, \"base64url\").toString(\"utf8\");\n } catch {\n return null;\n }\n if (!ownerEmail) return null;\n return verifyBuilderCallbackState(token, ownerEmail) ? ownerEmail : null;\n}\n\nexport function signBuilderConnectToken(ownerEmail: string): string {\n return signEmailBoundBuilderToken(ownerEmail, \"connect\");\n}\n\nexport function verifyBuilderConnectToken(\n token: string | null | undefined,\n ownerEmail: string,\n): boolean {\n return verifyEmailBoundBuilderToken(token, ownerEmail, \"connect\");\n}\n\nexport function verifyBuilderConnectTokenAndGetOwner(\n token: string | null | undefined,\n): string | null {\n if (typeof token !== \"string\" || token.length === 0) return null;\n const parts = token.split(\".\");\n if (parts.length !== 4) return null;\n const emailEncoded = parts[1];\n if (!emailEncoded) return null;\n\n let ownerEmail: string;\n try {\n ownerEmail = Buffer.from(emailEncoded, \"base64url\").toString(\"utf8\");\n } catch {\n return null;\n }\n if (!ownerEmail) return null;\n return verifyBuilderConnectToken(token, ownerEmail) ? ownerEmail : null;\n}\n\nexport function appendBuilderConnectToken(\n connectUrl: string,\n ownerEmail: string,\n): string {\n const url = new URL(connectUrl);\n url.searchParams.set(\n BUILDER_CONNECT_PARAM,\n signBuilderConnectToken(ownerEmail),\n );\n return url.toString();\n}\n\nfunction isAllowedBrowserReturnUrl(urlString: string): boolean {\n try {\n const parsed = new URL(urlString);\n const hostname = parsed.hostname.toLowerCase();\n const isAllowedProtocol =\n parsed.protocol === \"http:\" || parsed.protocol === \"https:\";\n const isLocalhost =\n hostname === \"localhost\" ||\n hostname === \"127.0.0.1\" ||\n hostname === \"[::1]\";\n const isBuilderDomain =\n hostname === \"builder.io\" ||\n hostname.endsWith(\".builder.io\") ||\n hostname === \"builder.my\" ||\n hostname.endsWith(\".builder.my\") ||\n hostname === \"builderio.xyz\" ||\n hostname.endsWith(\".builderio.xyz\") ||\n hostname === \"builderio.dev\" ||\n hostname.endsWith(\".builderio.dev\") ||\n hostname === \"builder.codes\" ||\n hostname.endsWith(\".builder.codes\");\n const isAgentNativeDomain =\n hostname === \"agent-native.com\" || hostname.endsWith(\".agent-native.com\");\n return (\n isAllowedProtocol &&\n (isLocalhost || isBuilderDomain || isAgentNativeDomain)\n );\n } catch {\n return false;\n }\n}\n\nfunction normalizeOrigin(origin: string): string {\n return origin.replace(/\\/+$/, \"\");\n}\n\nexport function getBuilderAppHost(): string {\n return (\n process.env.BUILDER_APP_HOST ||\n process.env.BUILDER_PUBLIC_APP_HOST ||\n DEFAULT_BUILDER_APP_HOST\n );\n}\n\nexport function getBuilderApiHost(): string {\n return (\n process.env.AIR_HOST ||\n process.env.BUILDER_HOST ||\n process.env.BUILDER_API_HOST ||\n DEFAULT_BUILDER_API_HOST\n );\n}\n\nfunction getConfiguredBuilderBranchProjectId(): string | undefined {\n const projectId =\n process.env.DISPATCH_BUILDER_PROJECT_ID ||\n process.env.BUILDER_BRANCH_PROJECT_ID ||\n process.env.BUILDER_PROJECT_ID;\n return projectId?.trim() || undefined;\n}\n\nexport function getBuilderBranchProjectId(): string {\n return getConfiguredBuilderBranchProjectId() || \"\";\n}\n\nexport function isBuilderBranchingEnabled(): boolean {\n return !!getConfiguredBuilderBranchProjectId();\n}\n\nexport async function resolveBuilderBranchProjectId(): Promise<string> {\n const envProjectId = getConfiguredBuilderBranchProjectId();\n if (envProjectId) return envProjectId;\n\n try {\n const { resolveSecret } = await import(\"./credential-provider.js\");\n for (const key of [\n \"DISPATCH_BUILDER_PROJECT_ID\",\n \"BUILDER_BRANCH_PROJECT_ID\",\n \"BUILDER_PROJECT_ID\",\n ]) {\n const value = await resolveSecret(key);\n if (value?.trim()) return value.trim();\n }\n } catch {\n // Secrets table or request context not ready — treat as not configured.\n }\n\n return \"\";\n}\n\nexport async function resolveIsBuilderBranchingEnabled(): Promise<boolean> {\n return !!(await resolveBuilderBranchProjectId());\n}\n\nfunction isBuilderCliAuthAllowedOrigin(origin: string | null | undefined) {\n if (!origin) return false;\n try {\n const parsed = new URL(origin);\n const hostname = parsed.hostname.toLowerCase();\n const isAllowedProtocol =\n parsed.protocol === \"http:\" || parsed.protocol === \"https:\";\n const isLocalhost =\n hostname === \"localhost\" ||\n hostname === \"127.0.0.1\" ||\n hostname === \"::1\" ||\n hostname === \"[::1]\";\n const isBuilderDomain =\n hostname === \"builder.io\" || hostname.endsWith(\".builder.io\");\n const isAgentNativeDomain =\n hostname === \"agent-native.com\" || hostname.endsWith(\".agent-native.com\");\n return (\n isAllowedProtocol &&\n (isLocalhost || isBuilderDomain || isAgentNativeDomain)\n );\n } catch {\n return false;\n }\n}\n\nfunction firstBuilderCliAuthCallbackOriginFromEnv(): string | null {\n for (const key of [\n \"APP_URL\",\n \"VITE_APP_URL\",\n \"BETTER_AUTH_URL\",\n \"VITE_BETTER_AUTH_URL\",\n \"WORKSPACE_GATEWAY_URL\",\n \"VITE_WORKSPACE_GATEWAY_URL\",\n ]) {\n const raw = process.env[key];\n if (!raw) continue;\n try {\n const origin = new URL(raw).origin;\n if (isBuilderCliAuthAllowedOrigin(origin)) return origin;\n } catch {\n // Ignore malformed environment values.\n }\n }\n return null;\n}\n\n/**\n * Query param on the callback URL that carries the original preview opener\n * origin when cli-auth's allow-list forces `preview_url` to the gateway.\n * Read on the callback to derive the correct postMessage targetOrigin.\n *\n * Not signed: the receive-side trust check in `useBuilderStatus` still\n * gates messages by allow-listed origin. The worst an attacker could do by\n * crafting a different `_an_opener` value is target a postMessage to an\n * origin that doesn't match the actual opener — postMessage drops the\n * message in that case, identical to the legacy wildcard-fallback path.\n */\nexport const BUILDER_OPENER_PARAM = \"_an_opener\";\n\nfunction isBuilderOpenerOriginSafe(value: string | null | undefined): boolean {\n if (!value) return false;\n try {\n const parsed = new URL(value);\n return parsed.protocol === \"http:\" || parsed.protocol === \"https:\";\n } catch {\n return false;\n }\n}\n\n/**\n * Build the Builder cli-auth URL for the connect popup. When a signed\n * `state` token is supplied it is embedded inside the `redirect_url`\n * query string so it survives Builder's redirect verbatim — Builder\n * preserves the redirect_url's existing query when appending p-key /\n * api-key / etc., so we don't depend on Builder echoing a top-level\n * `state` parameter (it doesn't).\n *\n * Status responses can surface this URL directly; the legacy\n * `/_agent-native/builder/connect` trampoline still calls this helper for\n * clients that only know the app-local connect URL.\n */\nexport function buildBuilderCliAuthUrl(\n callbackOrigin: string,\n state: string | null = null,\n options: { previewOrigin?: string } = {},\n): string {\n const normalizedCallbackOrigin = normalizeOrigin(callbackOrigin);\n const requestedPreviewOrigin = normalizeOrigin(\n options.previewOrigin || callbackOrigin,\n );\n const normalizedPreviewOrigin = isBuilderCliAuthAllowedOrigin(\n requestedPreviewOrigin,\n )\n ? requestedPreviewOrigin\n : normalizedCallbackOrigin;\n const appBasePath = getAppBasePath();\n const callbackUrl = new URL(\n `${appBasePath}${BUILDER_CALLBACK_PATH}`,\n normalizedCallbackOrigin,\n );\n if (state) {\n callbackUrl.searchParams.set(BUILDER_STATE_PARAM, state);\n }\n // When the cli-auth allow-list forces preview_url onto the gateway origin,\n // the callback would otherwise lose the real opener origin and post its\n // success message to the gateway instead of the preview tab. Embed the\n // original preview origin in the callback's own query string so the\n // callback handler can recover it for parentOrigin / postMessage. Builder\n // preserves the redirect_url's query verbatim, so this round-trips.\n if (\n requestedPreviewOrigin &&\n requestedPreviewOrigin !== normalizedPreviewOrigin &&\n isBuilderOpenerOriginSafe(requestedPreviewOrigin)\n ) {\n callbackUrl.searchParams.set(BUILDER_OPENER_PARAM, requestedPreviewOrigin);\n }\n const url = new URL(\"/cli-auth\", getBuilderAppHost());\n url.searchParams.set(\"response_type\", \"code\");\n url.searchParams.set(\"host\", BUILDER_BROWSER_HOST);\n url.searchParams.set(\"client_id\", BUILDER_BROWSER_CLIENT_ID);\n url.searchParams.set(\"redirect_url\", callbackUrl.toString());\n url.searchParams.set(\n \"preview_url\",\n `${normalizedPreviewOrigin}${appBasePath}`,\n );\n url.searchParams.set(\"framework\", \"agent-native\");\n return url.toString();\n}\n\n/**\n * The bare URL surfaced to clients as `connectUrl`. The status route appends\n * a short-lived signed connect token when it knows the current owner; this\n * helper stays bare so server-rendered cards can still render without a\n * request-bound owner and the connect route can fall back to Fetch Metadata.\n */\nexport function getBuilderBrowserConnectUrl(origin: string): string {\n return `${normalizeOrigin(origin)}${getAppBasePath()}/_agent-native/builder/connect`;\n}\n\nfunction firstHeaderValue(value: string | undefined): string | undefined {\n return value?.split(\",\")[0]?.trim() || undefined;\n}\n\nfunction readEventHeader(event: H3Event, name: string): string | undefined {\n try {\n return getHeader(event, name) ?? undefined;\n } catch {\n const headers = (\n event as unknown as {\n node?: {\n req?: { headers?: Record<string, string | string[] | undefined> };\n };\n }\n ).node?.req?.headers;\n const value = headers?.[name.toLowerCase()] ?? headers?.[name];\n if (Array.isArray(value)) return value[0];\n return typeof value === \"string\" ? value : undefined;\n }\n}\n\nfunction isTrustedBuilderRequestHost(host: string | undefined): boolean {\n if (!host) return false;\n try {\n const hostname = new URL(`http://${host}`).hostname.toLowerCase();\n return (\n hostname === \"localhost\" ||\n hostname === \"127.0.0.1\" ||\n hostname === \"::1\" ||\n hostname === \"[::1]\" ||\n hostname === \"builderio.xyz\" ||\n hostname.endsWith(\".builderio.xyz\") ||\n hostname === \"builderio.dev\" ||\n hostname.endsWith(\".builderio.dev\") ||\n hostname === \"builder.codes\" ||\n hostname.endsWith(\".builder.codes\") ||\n hostname === \"builder.io\" ||\n hostname.endsWith(\".builder.io\") ||\n hostname === \"builder.my\" ||\n hostname.endsWith(\".builder.my\")\n );\n } catch {\n return false;\n }\n}\n\nfunction isLoopbackBuilderRequestHost(host: string | undefined): boolean {\n if (!host) return false;\n try {\n const hostname = new URL(`http://${host}`).hostname.toLowerCase();\n return (\n hostname === \"localhost\" ||\n hostname === \"127.0.0.1\" ||\n hostname === \"::1\" ||\n hostname === \"[::1]\"\n );\n } catch {\n return false;\n }\n}\n\nfunction firstPublicBuilderPreviewOriginFromEnv(): string | null {\n for (const key of [\n \"FUSION_ENV_ORIGIN\",\n \"VITE_FUSION_ENV_ORIGIN\",\n \"BUILDER_PREVIEW_URL\",\n \"VITE_BUILDER_PREVIEW_URL\",\n ]) {\n const raw = process.env[key];\n if (!raw) continue;\n try {\n const url = new URL(raw);\n if (url.protocol !== \"http:\" && url.protocol !== \"https:\") continue;\n if (isLoopbackBuilderRequestHost(url.host)) continue;\n if (!isTrustedBuilderRequestHost(url.host)) continue;\n return url.origin;\n } catch {\n // Ignore malformed environment values.\n }\n }\n return null;\n}\n\n/**\n * User-visible Builder connect origin. In Builder/Fusion previews, keep the\n * connect URL on the actual app preview origin so clicking Connect happens in\n * the same deployment that minted the signed connect token.\n */\nexport function getBuilderBrowserOriginForEvent(event: H3Event): string {\n const headerHost = firstHeaderValue(\n readEventHeader(event, \"x-forwarded-host\") ||\n readEventHeader(event, \"host\"),\n );\n if (!isTrustedBuilderRequestHost(headerHost)) return getOrigin(event);\n if (isLoopbackBuilderRequestHost(headerHost)) {\n const publicPreviewOrigin = firstPublicBuilderPreviewOriginFromEnv();\n if (publicPreviewOrigin) return publicPreviewOrigin;\n }\n\n const rawProto = firstHeaderValue(\n readEventHeader(event, \"x-forwarded-proto\"),\n );\n const proto =\n rawProto === \"http\" || rawProto === \"https\"\n ? rawProto\n : process.env.NODE_ENV === \"production\"\n ? \"https\"\n : \"http\";\n return `${proto}://${headerHost}`;\n}\n\n/**\n * Builder's /cli-auth page currently only accepts localhost, *.builder.io,\n * *.agent-native.com, or builder: redirect_url destinations. Preview hosts\n * such as *.builderio.xyz and *.builder.codes are valid app origins for us,\n * but Builder rejects them and falls back to http://localhost:10110/auth.\n * Use a configured public gateway for the callback in those cases while\n * leaving the surfaced connect URL on the user's active preview.\n */\nexport function getBuilderCliAuthCallbackOriginForEvent(\n event: H3Event,\n): string {\n const previewOrigin = getBuilderBrowserOriginForEvent(event);\n if (isBuilderCliAuthAllowedOrigin(previewOrigin)) return previewOrigin;\n return firstBuilderCliAuthCallbackOriginFromEnv() ?? previewOrigin;\n}\n\nexport function getBuilderBrowserStatus(origin: string): BuilderBrowserStatus {\n const branchProjectId = getConfiguredBuilderBranchProjectId();\n const envManaged = !!process.env.BUILDER_PRIVATE_KEY;\n return {\n configured: !!(\n process.env.BUILDER_PRIVATE_KEY && process.env.BUILDER_PUBLIC_KEY\n ),\n builderEnabled: isBuilderBranchingEnabled(),\n branchProjectIdConfigured: !!branchProjectId,\n branchProjectId: branchProjectId || undefined,\n envManaged,\n credentialSource: envManaged ? \"env\" : undefined,\n appHost: getBuilderAppHost(),\n apiHost: getBuilderApiHost(),\n connectUrl: getBuilderBrowserConnectUrl(origin),\n publicKeyConfigured: !!process.env.BUILDER_PUBLIC_KEY,\n privateKeyConfigured: !!process.env.BUILDER_PRIVATE_KEY,\n userId: process.env.BUILDER_USER_ID || undefined,\n orgName: process.env.BUILDER_ORG_NAME || undefined,\n orgKind: process.env.BUILDER_ORG_KIND || undefined,\n };\n}\n\nexport function getBuilderBrowserStatusForEvent(\n event: H3Event,\n): BuilderBrowserStatus {\n return getBuilderBrowserStatus(getBuilderBrowserOriginForEvent(event));\n}\n\n/**\n * Env vars written by the Builder CLI-auth callback. Single source of truth\n * for the connect/disconnect key set — `getBuilderCallbackEnvVars` and the\n * disconnect handler's scrub loop both derive from this list, so drift\n * (e.g. disconnect silently leaving `BUILDER_USER_ID` behind because\n * someone added a key to one site but not the other) is impossible.\n */\nexport const BUILDER_ENV_KEYS = [\n \"BUILDER_PRIVATE_KEY\",\n \"BUILDER_PUBLIC_KEY\",\n \"BUILDER_USER_ID\",\n \"BUILDER_ORG_NAME\",\n \"BUILDER_ORG_KIND\",\n] as const;\n\nexport type BuilderEnvKey = (typeof BUILDER_ENV_KEYS)[number];\n\nexport function getBuilderCallbackEnvVars(params: {\n privateKey?: string | null;\n publicKey?: string | null;\n userId?: string | null;\n orgName?: string | null;\n orgKind?: string | null;\n}) {\n const values: Record<BuilderEnvKey, string> = {\n BUILDER_PRIVATE_KEY: params.privateKey?.trim() || \"\",\n BUILDER_PUBLIC_KEY: params.publicKey?.trim() || \"\",\n BUILDER_USER_ID: params.userId?.trim() || \"\",\n BUILDER_ORG_NAME: params.orgName?.trim() || \"\",\n BUILDER_ORG_KIND: params.orgKind?.trim() || \"\",\n };\n return BUILDER_ENV_KEYS.map((key) => ({ key, value: values[key] }));\n}\n\nexport function resolveSafePreviewUrl(\n previewUrl: string | null | undefined,\n event: H3Event,\n): string {\n if (previewUrl && isAllowedBrowserReturnUrl(previewUrl)) {\n return previewUrl;\n }\n return getBuilderBrowserOriginForEvent(event);\n}\n\n/**\n * Inline theme-detection script that runs before the body paints. Reads the\n * app's stored theme preference (same `localStorage.theme` key used by the\n * client-side theme manager) and falls back to `prefers-color-scheme`. This\n * way the popup matches whatever theme the user already picked in the app\n * — light, dark, or auto — instead of always rendering in OS-default mode.\n */\nconst BUILDER_CALLBACK_THEME_SCRIPT = `<script>\n(function () {\n try {\n var stored = window.localStorage && window.localStorage.getItem(\"theme\");\n var resolved;\n if (stored === \"light\" || stored === \"dark\") {\n resolved = stored;\n } else {\n var mq = window.matchMedia && window.matchMedia(\"(prefers-color-scheme: dark)\");\n resolved = mq && mq.matches ? \"dark\" : \"light\";\n }\n document.documentElement.classList.add(resolved);\n document.documentElement.style.colorScheme = resolved;\n } catch (e) {}\n})();\n</script>`;\n\n/**\n * Brand-aligned CSS for the Builder connect callback / error pages.\n *\n * Uses the same neutral-zinc palette and Inter font as the rest of the\n * framework's templates (see `templates/*\\/app/global.css`). Tokens map to\n * the same HSL values the templates set on `:root` / `.dark`, so the popup\n * reads as part of the same app — not a stranded marketing page.\n */\nconst BUILDER_CALLBACK_BASE_CSS = `\n :root {\n --bg: hsl(0 0% 100%);\n --fg: hsl(220 10% 10%);\n --muted-fg: hsl(220 5% 45%);\n --card: hsl(0 0% 100%);\n --border: hsl(220 10% 90%);\n --primary: hsl(220 10% 15%);\n --primary-fg: hsl(0 0% 100%);\n --primary-hover: hsl(220 10% 25%);\n --success-bg: hsl(143 50% 96%);\n --success-fg: hsl(143 60% 32%);\n --error-fg: hsl(0 75% 45%);\n --error-bg: hsl(0 80% 97%);\n --error-border: hsl(0 80% 92%);\n }\n :root.dark {\n --bg: hsl(220 6% 6%);\n --fg: hsl(0 0% 92%);\n --muted-fg: hsl(220 4% 60%);\n --card: hsl(220 5% 8%);\n --border: hsl(220 4% 14%);\n --primary: hsl(0 0% 92%);\n --primary-fg: hsl(220 6% 6%);\n --primary-hover: hsl(0 0% 75%);\n --success-bg: hsl(143 30% 12%);\n --success-fg: hsl(143 50% 70%);\n --error-fg: hsl(0 80% 75%);\n --error-bg: hsl(0 35% 12%);\n --error-border: hsl(0 30% 20%);\n }\n *, *::before, *::after { box-sizing: border-box; }\n html, body { height: 100%; }\n body {\n margin: 0;\n min-height: 100vh;\n display: grid;\n place-items: center;\n background: var(--bg);\n color: var(--fg);\n font-family: \"Inter\", ui-sans-serif, system-ui, -apple-system, \"Segoe UI\", \"Helvetica Neue\", Arial, sans-serif;\n font-size: 14px;\n line-height: 1.55;\n font-feature-settings: \"cv02\", \"cv03\", \"cv04\", \"cv11\";\n -webkit-font-smoothing: antialiased;\n -moz-osx-font-smoothing: grayscale;\n padding: 24px;\n }\n .card {\n width: min(420px, 100%);\n border: 1px solid var(--border);\n border-radius: 12px;\n padding: 32px 28px;\n background: var(--card);\n text-align: center;\n }\n .icon {\n display: inline-flex;\n align-items: center;\n justify-content: center;\n width: 44px;\n height: 44px;\n border-radius: 999px;\n margin-bottom: 16px;\n }\n .icon svg { width: 22px; height: 22px; display: block; }\n .icon-success { background: var(--success-bg); color: var(--success-fg); }\n .icon-error { background: var(--error-bg); color: var(--error-fg); }\n h1 {\n margin: 0 0 6px;\n font-size: 17px;\n font-weight: 600;\n letter-spacing: -0.01em;\n color: var(--fg);\n }\n p {\n margin: 0 0 4px;\n color: var(--fg);\n font-size: 14px;\n }\n p.muted { color: var(--muted-fg); }\n .btn {\n display: inline-flex;\n align-items: center;\n justify-content: center;\n height: 36px;\n padding: 0 16px;\n margin-top: 20px;\n background: var(--primary);\n color: var(--primary-fg);\n border-radius: 8px;\n font-size: 13px;\n font-weight: 500;\n text-decoration: none;\n border: none;\n cursor: pointer;\n }\n .btn:hover { background: var(--primary-hover); }\n pre.error-detail {\n margin: 16px 0 0;\n padding: 10px 12px;\n background: var(--error-bg);\n border: 1px solid var(--error-border);\n border-radius: 8px;\n color: var(--error-fg);\n font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;\n font-size: 12px;\n line-height: 1.5;\n text-align: left;\n white-space: pre-wrap;\n word-break: break-word;\n }\n`;\n\nfunction safeOriginFromUrl(value: string | null | undefined): string | null {\n if (!value) return null;\n try {\n return new URL(value).origin;\n } catch {\n return null;\n }\n}\n\nexport function createBuilderBrowserCallbackPage(\n previewUrl: string,\n opts: { parentOrigin?: string } = {},\n): string {\n const escapedUrl = JSON.stringify(previewUrl);\n const parentOrigin =\n safeOriginFromUrl(opts.parentOrigin) ?? safeOriginFromUrl(previewUrl);\n // postMessage requires a specific target origin for cross-origin opener\n // delivery; only fall back to \"*\" when we have no usable origin (the\n // BroadcastChannel path on the success page still works for same-origin\n // openers in that case).\n const escapedTargetOrigin = JSON.stringify(parentOrigin ?? \"*\");\n return `<!doctype html>\n<html lang=\"en\">\n <head>\n <meta charset=\"utf-8\" />\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\" />\n <title>Builder connected</title>\n <link rel=\"preconnect\" href=\"https://fonts.googleapis.com\" />\n <link rel=\"preconnect\" href=\"https://fonts.gstatic.com\" crossorigin />\n <link href=\"https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&display=swap\" rel=\"stylesheet\" />\n ${BUILDER_CALLBACK_THEME_SCRIPT}\n <style>${BUILDER_CALLBACK_BASE_CSS}</style>\n </head>\n <body>\n <main class=\"card\" role=\"status\" aria-live=\"polite\">\n <span class=\"icon icon-success\" aria-hidden=\"true\">\n <svg viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><polyline points=\"20 6 9 17 4 12\"></polyline></svg>\n </span>\n <h1>Builder connected</h1>\n <p>Browser access is now available to your app.</p>\n <p class=\"muted\">You can close this tab and return to the workspace.</p>\n <a class=\"btn\" href=${escapedUrl}>Open the workspace</a>\n </main>\n <script>\n // Tell the opener tab the connect succeeded. The parent has two ways\n // to learn this:\n // 1. The popup-based connect flow (window.open + 2s polling on\n // /builder/status) — picks it up via the next poll within ~2s.\n // 2. The link-based \"Use Builder\" flow (target=\"_blank\" tab) — the\n // AgentPanel only fetches /builder/status once on mount, so it\n // stays stuck on \"Use Builder\" unless we explicitly signal.\n // BroadcastChannel + postMessage cover both cases. Use the same channel\n // name as the error path (createBuilderBrowserCallbackErrorPage) and\n // mirror the parent-side listener in useBuilderStatus / useBuilderConnectUrl.\n try {\n var bc = new BroadcastChannel(\"builder-connect:\" + window.location.host);\n bc.postMessage({ type: \"builder-connect-success\" });\n bc.close();\n } catch (e) {}\n try {\n if (window.opener && !window.opener.closed) {\n window.opener.postMessage(\n { type: \"builder-connect-success\" },\n ${escapedTargetOrigin},\n );\n }\n } catch (e) {}\n // If we're a popup opened by the app, close ourselves and let the\n // parent tab keep polling for connection status. If close() is\n // blocked (e.g. we're the top-level tab because popups were\n // downgraded), fall back to navigating back to the workspace.\n window.setTimeout(function () {\n try { window.close(); } catch (e) {}\n window.setTimeout(function () {\n if (!window.closed) {\n window.location.replace(${escapedUrl});\n }\n }, 200);\n }, 700);\n </script>\n </body>\n</html>`;\n}\n\n/**\n * HTML page rendered inside the OAuth popup when the callback handler caught\n * an error persisting the per-user Builder credentials. Without this, the\n * popup would show the success page even though the write failed — leaving\n * the parent window stuck on \"Waiting for Builder…\" until the 5-minute poll\n * timeout fires (Midhun reported this on 2026-04-28).\n *\n * The page does two things:\n * 1. Shows the user a clear \"couldn't save credentials\" message with the\n * underlying error so they can retry or report.\n * 2. `postMessage`s the parent (same-origin opener) so the connect-flow\n * polling stops immediately rather than waiting for the next /status\n * poll to surface the SQL `builder-connect-error:<email>` row.\n */\nexport function createBuilderBrowserCallbackErrorPage(\n message: string,\n opts: {\n title?: string;\n body?: string;\n closeHint?: string;\n parentOrigin?: string;\n } = {},\n): string {\n const escapedMessage = JSON.stringify(message);\n const parentOrigin = safeOriginFromUrl(opts.parentOrigin);\n const escapedTargetOrigin = JSON.stringify(parentOrigin ?? \"*\");\n const title = opts.title ?? \"Couldn't save Builder connection\";\n const body =\n opts.body ??\n \"Builder authorized your account but the server couldn't persist the credentials.\";\n const closeHint =\n opts.closeHint ?? \"You can close this tab and try again from settings.\";\n return `<!doctype html>\n<html lang=\"en\">\n <head>\n <meta charset=\"utf-8\" />\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\" />\n <title>Builder connect failed</title>\n <link rel=\"preconnect\" href=\"https://fonts.googleapis.com\" />\n <link rel=\"preconnect\" href=\"https://fonts.gstatic.com\" crossorigin />\n <link href=\"https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&display=swap\" rel=\"stylesheet\" />\n ${BUILDER_CALLBACK_THEME_SCRIPT}\n <style>${BUILDER_CALLBACK_BASE_CSS}</style>\n </head>\n <body>\n <main class=\"card\" role=\"alert\" aria-live=\"assertive\">\n <span class=\"icon icon-error\" aria-hidden=\"true\">\n <svg viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><path d=\"M10.29 3.86 1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0Z\"></path><line x1=\"12\" y1=\"9\" x2=\"12\" y2=\"13\"></line><line x1=\"12\" y1=\"17\" x2=\"12.01\" y2=\"17\"></line></svg>\n </span>\n <h1>${escapeHtml(title)}</h1>\n <p class=\"muted\">${escapeHtml(body)}</p>\n <pre class=\"error-detail\" id=\"msg\"></pre>\n <p class=\"muted\" style=\"margin-top:12px\">${escapeHtml(closeHint)}</p>\n </main>\n <script>\n try {\n var msg = ${escapedMessage};\n document.getElementById(\"msg\").textContent = msg;\n // Notify the parent tab immediately so its polling loop stops\n // without waiting for the next /builder/status tick.\n //\n // BroadcastChannel works across same-origin windows regardless of\n // opener access — it is the only reliable channel here because\n // popups opened with window.open(..., \"noopener\") or links with\n // rel=\"noopener\" have window.opener === null. The legacy\n // window.opener.postMessage path is kept as a belt-and-suspenders\n // fallback for non-BroadcastChannel environments.\n try {\n var bc = new BroadcastChannel(\"builder-connect:\" + window.location.host);\n bc.postMessage({ type: \"builder-connect-error\", message: msg });\n bc.close();\n } catch (e) {}\n if (window.opener && !window.opener.closed) {\n try {\n window.opener.postMessage(\n { type: \"builder-connect-error\", message: msg },\n ${escapedTargetOrigin},\n );\n } catch (e) {}\n }\n } catch (e) {}\n </script>\n </body>\n</html>`;\n}\n\nexport interface RunBuilderAgentArgs {\n prompt: string;\n projectId?: string;\n branchName?: string;\n userEmail?: string;\n userId?: string;\n}\n\nexport interface RunBuilderAgentResult {\n branchName: string;\n projectId: string;\n url: string;\n status: string;\n}\n\nfunction normalizeBuilderApiString(value: unknown, fieldName: string): string {\n if (typeof value !== \"string\" || !value.trim()) {\n throw new Error(`Builder agent run returned a blank ${fieldName}`);\n }\n const trimmed = value.trim();\n if (/[\\u0000-\\u001f\\u007f]/.test(trimmed)) {\n throw new Error(`Builder agent run returned a malformed ${fieldName}`);\n }\n return trimmed;\n}\n\nfunction normalizeBuilderBranchUrl(value: unknown): string {\n const urlString = normalizeBuilderApiString(value, \"url\");\n let parsed: URL;\n try {\n parsed = new URL(urlString);\n } catch {\n throw new Error(\"Builder agent run returned a malformed url\");\n }\n if (parsed.protocol !== \"https:\" && parsed.protocol !== \"http:\") {\n throw new Error(\"Builder agent run returned a malformed url\");\n }\n if (\n parsed.hostname !== \"builder.io\" &&\n !parsed.hostname.endsWith(\".builder.io\")\n ) {\n throw new Error(\"Builder agent run returned a non-Builder url\");\n }\n return parsed.toString();\n}\n\n/**\n * POST a prompt to the Builder agents-run API. The Builder agent runs in a\n * cloud sandbox and writes code to a branch; the returned URL opens that\n * branch in the Visual Editor so the user can watch progress.\n *\n * Spec: https://www.builder.io/c/docs/agents-run-api\n */\nexport async function runBuilderAgent(\n args: RunBuilderAgentArgs,\n): Promise<RunBuilderAgentResult> {\n const { resolveBuilderCredentials } =\n await import(\"./credential-provider.js\");\n const creds = await resolveBuilderCredentials();\n if (!creds.privateKey || !creds.publicKey) {\n throw new Error(\"Builder keys are not configured\");\n }\n if (!args.prompt || !args.prompt.trim()) {\n throw new Error(\"prompt is required\");\n }\n const projectId = args.projectId?.trim();\n if (!projectId) {\n throw new Error(\n \"Builder project ID is not configured. Set DISPATCH_BUILDER_PROJECT_ID, BUILDER_BRANCH_PROJECT_ID, or BUILDER_PROJECT_ID.\",\n );\n }\n const builderUserId = args.userId || creds.userId || undefined;\n const builderUserEmail = builderUserId ? undefined : args.userEmail;\n if (!builderUserEmail && !builderUserId) {\n throw new Error(\"userEmail or userId is required\");\n }\n\n const url = new URL(\"/agents/run\", getBuilderApiHost());\n url.searchParams.set(\"apiKey\", creds.publicKey);\n\n const body: Record<string, unknown> = {\n userMessage: { userPrompt: args.prompt },\n projectId,\n };\n if (args.branchName) body.branchName = args.branchName;\n if (builderUserEmail) body.userEmail = builderUserEmail;\n if (builderUserId) body.userId = builderUserId;\n\n const response = await fetch(url, {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${creds.privateKey}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify(body),\n });\n\n const parsed = (await response.json().catch(() => ({}))) as Record<\n string,\n unknown\n >;\n if (!response.ok) {\n const msg =\n typeof parsed.error === \"string\"\n ? parsed.error\n : `Builder agent run failed (${response.status})`;\n throw new Error(msg);\n }\n\n return {\n branchName: normalizeBuilderApiString(parsed.branchName, \"branchName\"),\n projectId:\n typeof parsed.projectId === \"string\" && parsed.projectId.trim()\n ? parsed.projectId.trim()\n : projectId,\n url: normalizeBuilderBranchUrl(parsed.url),\n status:\n typeof parsed.status === \"string\" && parsed.status.trim()\n ? parsed.status.trim()\n : \"processing\",\n };\n}\n\nexport async function requestBuilderBrowserConnection(\n args: BrowserConnectionArgs,\n): Promise<Record<string, unknown>> {\n const { resolveBuilderCredentials } =\n await import(\"./credential-provider.js\");\n const creds = await resolveBuilderCredentials();\n if (!creds.privateKey || !creds.publicKey) {\n throw new Error(\"Builder browser access is not configured\");\n }\n\n const sessionId = args.sessionId?.trim();\n if (!sessionId) {\n throw new Error(\"sessionId is required\");\n }\n\n const url = new URL(\"/codegen/get-browser-connection\", getBuilderApiHost());\n url.searchParams.set(\"apiKey\", creds.publicKey);\n if (creds.userId) {\n url.searchParams.set(\"userId\", creds.userId);\n }\n\n const response = await fetch(url, {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${creds.privateKey}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify({\n sessionId,\n projectId: args.projectId || undefined,\n branchName: args.branchName || undefined,\n proxyOrigin: args.proxyOrigin || undefined,\n proxyDefaultOrigin: args.proxyDefaultOrigin || undefined,\n proxyDst: args.proxyDestination || undefined,\n }),\n });\n\n const body = (await response.json().catch(() => ({}))) as Record<\n string,\n unknown\n >;\n if (!response.ok) {\n const error =\n typeof body.error === \"string\"\n ? body.error\n : `Builder browser request failed (${response.status})`;\n throw new Error(error);\n }\n\n return body;\n}\n"]}
package/dist/server/core-routes-plugin.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"core-routes-plugin.d.ts","sourceRoot":"","sources":["../../src/server/core-routes-plugin.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAKlC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAqFvD;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,mBAAmB,CAAC;AAoIvD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,GACb,MAAM,GAAG,IAAI,CAWf;AAUD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,uBAAuB;IACtC,wEAAwE;IACxE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,oDAAoD;IACpD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,qEAAqE;IACrE,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;IACzB;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CAC7E;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,GAAE,uBAA4B,GACpC,cAAc,CAggEhB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAAyC,CAAC"}
1
+ {"version":3,"file":"core-routes-plugin.d.ts","sourceRoot":"","sources":["../../src/server/core-routes-plugin.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAKlC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAuFvD;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,mBAAmB,CAAC;AAoIvD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,GACb,MAAM,GAAG,IAAI,CAWf;AAUD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,uBAAuB;IACtC,wEAAwE;IACxE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,oDAAoD;IACpD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,qEAAqE;IACrE,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;IACzB;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CAC7E;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,GAAE,uBAA4B,GACpC,cAAc,CAsmEhB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAAyC,CAAC"}
package/dist/server/core-routes-plugin.js CHANGED
@@ -6,7 +6,7 @@ import { createPollHandler } from "./poll.js";
6
6
  import { createPollEventsHandler } from "./poll-events.js";
7
7
  import { upsertEnvFile } from "./create-server.js";
8
8
  import { readBody } from "./h3-helpers.js";
9
- import { BUILDER_CONNECT_PARAM, BUILDER_CONNECT_OWNER_COOKIE, BUILDER_ENV_KEYS, BUILDER_STATE_PARAM, appendBuilderConnectToken, buildBuilderCliAuthUrl, createBuilderBrowserCallbackErrorPage, createBuilderBrowserCallbackPage, getBuilderBrowserOriginForEvent, getBuilderBrowserStatusForEvent, resolveBuilderBranchProjectId, resolveSafePreviewUrl, runBuilderAgent, signBuilderCallbackState, verifyBuilderConnectTokenAndGetOwner, verifyBuilderCallbackStateAndGetOwner, signBuilderConnectToken, } from "./builder-browser.js";
9
+ import { BUILDER_CONNECT_PARAM, BUILDER_CONNECT_OWNER_COOKIE, BUILDER_ENV_KEYS, BUILDER_OPENER_PARAM, BUILDER_STATE_PARAM, appendBuilderConnectToken, buildBuilderCliAuthUrl, createBuilderBrowserCallbackErrorPage, createBuilderBrowserCallbackPage, getBuilderCliAuthCallbackOriginForEvent, getBuilderBrowserOriginForEvent, getBuilderBrowserStatusForEvent, resolveBuilderBranchProjectId, resolveSafePreviewUrl, runBuilderAgent, signBuilderCallbackState, verifyBuilderConnectTokenAndGetOwner, verifyBuilderCallbackStateAndGetOwner, signBuilderConnectToken, } from "./builder-browser.js";
10
10
  import { getState, putState, deleteState, listComposeDrafts, getComposeDraft, putComposeDraft, deleteComposeDraft, deleteAllComposeDrafts, } from "../application-state/handlers.js";
11
11
  import { getSetting, putSetting, deleteSetting } from "../settings/store.js";
12
12
  import { getUserSetting, putUserSetting, deleteUserSetting, } from "../settings/user-settings.js";
@@ -408,16 +408,24 @@ export function createCoreRoutesPlugin(options = {}) {
408
408
  const withConnectToken = (status) => {
409
409
  if (!userEmail)
410
410
  return status;
411
- // Use the preview-aware origin (same one connectUrl uses) so
412
- // Builder's CLI auth flow returns to the active preview deployment
413
- // instead of bouncing through the gateway. getOrigin(event) falls
414
- // back to the gateway on Builder preview hosts, which defeats the
415
- // whole preview-aware isolation goal of this PR.
416
- const callbackOrigin = getBuilderBrowserOriginForEvent(event);
417
- const cliAuthUrl = buildBuilderCliAuthUrl(callbackOrigin, signBuilderCallbackState(userEmail));
418
- return {
411
+ const previewOrigin = getBuilderBrowserOriginForEvent(event);
412
+ const callbackOrigin = getBuilderCliAuthCallbackOriginForEvent(event);
413
+ const statusWithConnectToken = {
419
414
  ...status,
420
415
  connectUrl: appendBuilderConnectToken(status.connectUrl, userEmail),
416
+ };
417
+ // Direct cli-auth only works when the callback lands on the same
418
+ // deployment that minted the signed state. Builder/Fusion previews
419
+ // often need a gateway callback origin; in that case use the
420
+ // /builder/connect trampoline so it can write the pending-connect
421
+ // row that the gateway callback validates against.
422
+ if (previewOrigin.replace(/\/+$/, "") !==
423
+ callbackOrigin.replace(/\/+$/, "")) {
424
+ return statusWithConnectToken;
425
+ }
426
+ const cliAuthUrl = buildBuilderCliAuthUrl(callbackOrigin, signBuilderCallbackState(userEmail), { previewOrigin });
427
+ return {
428
+ ...statusWithConnectToken,
421
429
  cliAuthUrl,
422
430
  };
423
431
  };
@@ -480,12 +488,34 @@ export function createCoreRoutesPlugin(options = {}) {
480
488
  // the fallback. This keeps a root/local BUILDER_PRIVATE_KEY from
481
489
  // blocking a user from connecting their own Builder account.
482
490
  try {
483
- const { resolveBuilderCredentials, resolveBuilderCredentialSource, } = await import("./credential-provider.js");
491
+ const { resolveBuilderCredentials, resolveBuilderCredentialSource, getBuilderCredentialAuthFailure, } = await import("./credential-provider.js");
484
492
  const [creds, credentialSource] = await Promise.all([
485
493
  resolveBuilderCredentials(),
486
494
  resolveBuilderCredentialSource(),
487
495
  ]);
488
- if (creds.privateKey) {
496
+ const authFailure = await getBuilderCredentialAuthFailure(creds);
497
+ if (authFailure) {
498
+ return withConnectToken({
499
+ ...requestStatus,
500
+ configured: false,
501
+ privateKeyConfigured: false,
502
+ publicKeyConfigured: false,
503
+ userId: undefined,
504
+ orgName: undefined,
505
+ orgKind: undefined,
506
+ credentialSource: credentialSource ?? undefined,
507
+ // Surface durable credential rejection separately from
508
+ // one-shot cli-auth callback failures. The reconnect UI keeps
509
+ // polling through authError while the user chooses a new
510
+ // Builder space; connectError means the active callback itself
511
+ // failed and should stop the flow.
512
+ authError: {
513
+ message: authFailure.message,
514
+ at: authFailure.at,
515
+ },
516
+ });
517
+ }
518
+ if (creds.privateKey && creds.publicKey) {
489
519
  return withConnectToken({
490
520
  ...requestStatus,
491
521
  configured: true,
@@ -641,6 +671,7 @@ export function createCoreRoutesPlugin(options = {}) {
641
671
  title: "Couldn't start Builder connection",
642
672
  body: "The connect popup did not include a valid signed link for this app.",
643
673
  closeHint: "Close this popup, refresh the app, and try Connect account again.",
674
+ parentOrigin: getBuilderBrowserOriginForEvent(event),
644
675
  });
645
676
  }
646
677
  // Clear any prior failure row from a previous attempt — otherwise
@@ -676,7 +707,9 @@ export function createCoreRoutesPlugin(options = {}) {
676
707
  }).catch(() => { });
677
708
  setResponseStatus(event, 503);
678
709
  setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
679
- return createBuilderBrowserCallbackErrorPage(msg);
710
+ return createBuilderBrowserCallbackErrorPage(msg, {
711
+ parentOrigin: getBuilderBrowserOriginForEvent(event),
712
+ });
680
713
  }
681
714
  await trackBuilderLifecycle(event, "builder connect started", ownerEmail, {
682
715
  stage: "connect",
@@ -687,7 +720,7 @@ export function createCoreRoutesPlugin(options = {}) {
687
720
  // from /builder/status. Keep this legacy trampoline working for older
688
721
  // clients, but still send it to Builder immediately and include signed
689
722
  // callback state so the callback does not depend on popup cookies.
690
- const cliAuthUrl = buildBuilderCliAuthUrl(getBuilderBrowserOriginForEvent(event), signBuilderCallbackState(ownerEmail));
723
+ const cliAuthUrl = buildBuilderCliAuthUrl(getBuilderCliAuthCallbackOriginForEvent(event), signBuilderCallbackState(ownerEmail), { previewOrigin: getBuilderBrowserOriginForEvent(event) });
691
724
  setResponseStatus(event, 302);
692
725
  setResponseHeader(event, "Location", cliAuthUrl);
693
726
  return "";
@@ -787,12 +820,43 @@ export function createCoreRoutesPlugin(options = {}) {
787
820
  // /builder/connect) blocks CSRF and callback replay.
788
821
  const ownerContext = await resolveBuilderOwnerContext(event);
789
822
  const ownerEmail = ownerContext.email;
823
+ // Diagnostic: log the resolver's inputs for debugging "No active
824
+ // connect flow found" reports. Reveals session-vs-state owner
825
+ // mismatches and missing/forged _an_state without leaking the
826
+ // signed token itself.
827
+ try {
828
+ const debugSearch = new URLSearchParams((event.url?.search || "").replace(/^\?/, ""));
829
+ const stateRaw = debugSearch.get(BUILDER_STATE_PARAM);
830
+ const stateOwnerProbe = verifyBuilderCallbackStateAndGetOwner(stateRaw);
831
+ const session = await getSession(event).catch(() => null);
832
+ console.log(`[builder-callback] resolved-owner=${ownerEmail ?? "(none)"} session-email=${session?.email ?? "(none)"} state-owner=${stateOwnerProbe ?? "(none)"} state-present=${Boolean(stateRaw)} anon=${ownerContext.anonymous} host=${getHeader(event, "host") ?? "(none)"} sec-fetch-site=${getHeader(event, "sec-fetch-site") ?? "(none)"} origin=${getHeader(event, "origin") ?? "(none)"} referer=${getHeader(event, "referer") ?? "(none)"}`);
833
+ }
834
+ catch {
835
+ // Diagnostic logging is best-effort; do not break the callback.
836
+ }
790
837
  if (!ownerEmail) {
791
838
  setResponseStatus(event, 401);
792
839
  return { error: "Authentication required" };
793
840
  }
794
841
  clearBuilderConnectOwnerCookie(event);
795
842
  const requestUrl = new URL(`${event.url?.pathname || "/"}${event.url?.search || ""}`, getOrigin(event));
843
+ // postMessage from the callback success/error pages must target the
844
+ // original preview opener, not the callback server. On the fallback
845
+ // path the callback is served from the env-configured gateway while
846
+ // the opener lives on the preview origin. Three sources of opener
847
+ // origin, in priority order:
848
+ // 1. `_an_opener` — written into the callback URL's query by
849
+ // buildBuilderCliAuthUrl when cli-auth's allow-list forced
850
+ // preview_url onto the gateway. Survives Builder's redirect
851
+ // verbatim (Builder preserves redirect_url's query string).
852
+ // 2. `preview-url` — Builder echoes the top-level preview_url back
853
+ // as a query param on the callback. Reflects the gateway on
854
+ // the fallback path, but matches the opener on the happy path.
855
+ // 3. The event's own origin — last-resort fallback.
856
+ const openerOriginFromQuery = requestUrl.searchParams.get(BUILDER_OPENER_PARAM);
857
+ const callbackParentOrigin = resolveSafePreviewUrl(openerOriginFromQuery, event) ||
858
+ resolveSafePreviewUrl(requestUrl.searchParams.get("preview-url"), event) ||
859
+ getBuilderBrowserOriginForEvent(event);
796
860
  const callbackStateOwner = verifyBuilderCallbackStateAndGetOwner(requestUrl.searchParams.get(BUILDER_STATE_PARAM));
797
861
  const hasValidCallbackState = callbackStateOwner === ownerEmail;
798
862
  // Verify either:
@@ -844,9 +908,15 @@ export function createCoreRoutesPlugin(options = {}) {
844
908
  }).catch(() => { });
845
909
  setResponseStatus(event, 503);
846
910
  setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
847
- return createBuilderBrowserCallbackErrorPage(pendingError);
911
+ return createBuilderBrowserCallbackErrorPage(pendingError, {
912
+ parentOrigin: callbackParentOrigin,
913
+ });
848
914
  }
849
915
  if (!pendingValid) {
916
+ // Diagnostic: log the exact reason pendingValid is false so we can
917
+ // distinguish "state didn't validate" from "no pending row" in
918
+ // production "No active connect flow found" reports.
919
+ console.warn(`[builder-callback] pending-invalid owner=${ownerEmail} has-state-param=${Boolean(requestUrl.searchParams.get(BUILDER_STATE_PARAM))} state-validated=${hasValidCallbackState} pending-error=${pendingError ?? "(none)"}`);
850
920
  await trackBuilderLifecycle(event, "builder connect failed", ownerEmail, {
851
921
  reason: hasValidCallbackState
852
922
  ? "callback_state_unexpectedly_rejected"
@@ -868,7 +938,9 @@ export function createCoreRoutesPlugin(options = {}) {
868
938
  }
869
939
  setResponseStatus(event, 403);
870
940
  setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
871
- return createBuilderBrowserCallbackErrorPage(msg);
941
+ return createBuilderBrowserCallbackErrorPage(msg, {
942
+ parentOrigin: callbackParentOrigin,
943
+ });
872
944
  }
873
945
  const privateKey = requestUrl.searchParams.get("p-key");
874
946
  const publicKey = requestUrl.searchParams.get("api-key");
@@ -888,7 +960,9 @@ export function createCoreRoutesPlugin(options = {}) {
888
960
  }).catch(() => { });
889
961
  setResponseStatus(event, 400);
890
962
  setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
891
- return createBuilderBrowserCallbackErrorPage(msg);
963
+ return createBuilderBrowserCallbackErrorPage(msg, {
964
+ parentOrigin: callbackParentOrigin,
965
+ });
892
966
  }
893
967
  const userId = requestUrl.searchParams.get("user-id");
894
968
  const orgName = requestUrl.searchParams.get("org-name");
@@ -952,7 +1026,9 @@ export function createCoreRoutesPlugin(options = {}) {
952
1026
  }
953
1027
  setResponseStatus(event, 500);
954
1028
  setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
955
- return createBuilderBrowserCallbackErrorPage(writeError);
1029
+ return createBuilderBrowserCallbackErrorPage(writeError, {
1030
+ parentOrigin: callbackParentOrigin,
1031
+ });
956
1032
  }
957
1033
  // Clear any legacy disconnect flag and any prior connect-error row
958
1034
  // (so a successful retry doesn't surface the previous failure).
@@ -975,7 +1051,17 @@ export function createCoreRoutesPlugin(options = {}) {
975
1051
  org_kind: orgKind || undefined,
976
1052
  });
977
1053
  setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
978
- return createBuilderBrowserCallbackPage(previewUrl);
1054
+ // The parent (opener) is the original preview surface that started the
1055
+ // connect flow, NOT the callback server's own origin — when the
1056
+ // env-configured gateway is used as the callback fallback (because
1057
+ // Builder rejects the preview host), the callback server and the
1058
+ // opener live on different origins, and postMessage to the gateway
1059
+ // origin would be dropped by the preview opener. callbackParentOrigin
1060
+ // is the precomputed best-available opener origin (`_an_opener` →
1061
+ // `preview-url` → event origin).
1062
+ return createBuilderBrowserCallbackPage(previewUrl, {
1063
+ parentOrigin: callbackParentOrigin,
1064
+ });
979
1065
  }));
980
1066
  // POST /_agent-native/builder/disconnect — revoke the user's per-user
981
1067
  // or org-scoped Builder credentials in app_secrets. Deploy-level env
@@ -1051,7 +1137,7 @@ export function createCoreRoutesPlugin(options = {}) {
1051
1137
  setResponseStatus(event, 400);
1052
1138
  return { error: "userMessage is required" };
1053
1139
  }
1054
- const apiHost = process.env.BUILDER_API_HOST || "https://ai-services.builder.io";
1140
+ const apiHost = process.env.BUILDER_API_HOST || "https://api.builder.io";
1055
1141
  try {
1056
1142
  const res = await fetch(`${apiHost}/agents/run?apiKey=${encodeURIComponent(creds.publicKey)}`, {
1057
1143
  method: "POST",