@agent-native/core 0.22.29 → 0.22.31
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/mcp/build-server.d.ts.map +1 -1
- package/dist/mcp/build-server.js +35 -12
- package/dist/mcp/build-server.js.map +1 -1
- package/dist/mcp/builtin-tools.d.ts.map +1 -1
- package/dist/mcp/builtin-tools.js +28 -2
- package/dist/mcp/builtin-tools.js.map +1 -1
- package/docs/content/external-agents.md +3 -0
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"build-server.d.ts","sourceRoot":"","sources":["../../src/mcp/build-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAyBhE,MAAM,WAAW,SAAS;IACxB,wCAAwC;IACxC,IAAI,EAAE,MAAM,CAAC;IACb;;;;;;;OAOG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sBAAsB;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,uCAAuC;IACvC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACrC;;;;;;;;;;;OAWG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAChD,qEAAqE;IACrE,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAChD;;;;;;OAMG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAChC;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,gEAAgE;IAChE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,gEAAgE;IAChE,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;kEAGkE;AAClE,MAAM,WAAW,cAAc;IAC7B,+DAA+D;IAC/D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yEAAyE;IACzE,MAAM,CAAC,EAAE,SAAS,GAAG,SAAS,GAAG,UAAU,CAAC;IAC5C;;;;;;;OAOG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;
|
|
1
|
+
{"version":3,"file":"build-server.d.ts","sourceRoot":"","sources":["../../src/mcp/build-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAyBhE,MAAM,WAAW,SAAS;IACxB,wCAAwC;IACxC,IAAI,EAAE,MAAM,CAAC;IACb;;;;;;;OAOG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sBAAsB;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,uCAAuC;IACvC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACrC;;;;;;;;;;;OAWG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAChD,qEAAqE;IACrE,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAChD;;;;;;OAMG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAChC;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,gEAAgE;IAChE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,gEAAgE;IAChE,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;kEAGkE;AAClE,MAAM,WAAW,cAAc;IAC7B,+DAA+D;IAC/D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yEAAyE;IACzE,MAAM,CAAC,EAAE,SAAS,GAAG,SAAS,GAAG,UAAU,CAAC;IAC5C;;;;;;;OAOG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAyLD;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,WAAW,EAClB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACzB,MAAM,EAAE,GAAG,EACX,IAAI,EAAE,cAAc,GAAG,SAAS,GAC/B;IACD,KAAK,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IACvC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAyBA;AA+WD;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,SAAS,EACjB,QAAQ,EAAE,iBAAiB,GAAG,SAAS,EACvC,WAAW,CAAC,EAAE,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA2Z7B;AAOD,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAc1C;AA+FD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,UAAU,CAC9B,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,gBAAgB,CAAC,EAAE,MAAM,GAAG,SAAS,EACrC,OAAO,GAAE;IAAE,YAAY,CAAC,EAAE,OAAO,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAO,GAC7D,OAAO,CAAC;IACT,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB,CAAC,CAoHD;AAED,wBAAsB,sBAAsB,CAC1C,SAAS,EAAE,MAAM,GAAG,SAAS,GAC5B,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAS7B"}
|
package/dist/mcp/build-server.js
CHANGED
|
@@ -251,6 +251,13 @@ function versionMcpAppResourceUri(rawUri) {
|
|
|
251
251
|
...(versionedUri !== uri ? { legacyUris: [uri] } : {}),
|
|
252
252
|
};
|
|
253
253
|
}
|
|
254
|
+
function getMcpAppResourceUri(config, actionName, entry) {
|
|
255
|
+
const resource = entry.mcpApp?.resource;
|
|
256
|
+
if (!resource)
|
|
257
|
+
return null;
|
|
258
|
+
const baseUri = resource.uri?.trim() || legacyDefaultMcpAppUri(config, actionName);
|
|
259
|
+
return versionMcpAppResourceUri(baseUri);
|
|
260
|
+
}
|
|
254
261
|
function expandRequestOriginSources(sources, requestMeta) {
|
|
255
262
|
if (!sources)
|
|
256
263
|
return undefined;
|
|
@@ -324,8 +331,7 @@ async function resolveMcpAppResource(config, actionName, entry, requestMeta) {
|
|
|
324
331
|
const resource = entry.mcpApp?.resource;
|
|
325
332
|
if (!resource)
|
|
326
333
|
return null;
|
|
327
|
-
const
|
|
328
|
-
const resolvedUri = versionMcpAppResourceUri(baseUri);
|
|
334
|
+
const resolvedUri = getMcpAppResourceUri(config, actionName, entry);
|
|
329
335
|
if (!resolvedUri)
|
|
330
336
|
return null;
|
|
331
337
|
const description = resource.description ?? entry.tool.description;
|
|
@@ -346,8 +352,17 @@ async function resolveMcpAppResource(config, actionName, entry, requestMeta) {
|
|
|
346
352
|
...(resourceMeta ? { _meta: resourceMeta } : {}),
|
|
347
353
|
};
|
|
348
354
|
}
|
|
355
|
+
async function resolveMcpAppResourceSafely(config, actionName, entry, requestMeta) {
|
|
356
|
+
try {
|
|
357
|
+
return await resolveMcpAppResource(config, actionName, entry, requestMeta);
|
|
358
|
+
}
|
|
359
|
+
catch (error) {
|
|
360
|
+
console.warn(`[mcp] Skipping MCP App resource for action "${actionName}" because its metadata could not be resolved.`, error);
|
|
361
|
+
return null;
|
|
362
|
+
}
|
|
363
|
+
}
|
|
349
364
|
async function getMcpAppResources(config, actions, requestMeta) {
|
|
350
|
-
const resources = await Promise.all(Object.entries(actions).map(([name, entry]) =>
|
|
365
|
+
const resources = await Promise.all(Object.entries(actions).map(([name, entry]) => resolveMcpAppResourceSafely(config, name, entry, requestMeta)));
|
|
351
366
|
return resources.filter((resource) => Boolean(resource));
|
|
352
367
|
}
|
|
353
368
|
function renderMcpAppHtml(resource, actionName, config, requestMeta) {
|
|
@@ -530,7 +545,7 @@ export async function createMCPServerForRequest(config, identity, requestMeta) {
|
|
|
530
545
|
return withCallerContext(async () => {
|
|
531
546
|
const tools = await Promise.all(Object.entries(advertisedActions).map(async ([name, entry]) => {
|
|
532
547
|
const hasLink = typeof entry.link === "function";
|
|
533
|
-
const mcpAppResource = await
|
|
548
|
+
const mcpAppResource = await resolveMcpAppResourceSafely(config, name, entry, requestMeta);
|
|
534
549
|
const rawToolMeta = entry.tool._meta &&
|
|
535
550
|
typeof entry.tool._meta === "object" &&
|
|
536
551
|
!Array.isArray(entry.tool._meta)
|
|
@@ -659,7 +674,7 @@ export async function createMCPServerForRequest(config, identity, requestMeta) {
|
|
|
659
674
|
const resultForClient = isMcpActionResult(result)
|
|
660
675
|
? result.text
|
|
661
676
|
: result;
|
|
662
|
-
const mcpAppResource = await
|
|
677
|
+
const mcpAppResource = await resolveMcpAppResourceSafely(config, name, entry, requestMeta);
|
|
663
678
|
const { block, _meta } = buildLinkArtifacts(entry, args ?? {}, rawResult, requestMeta);
|
|
664
679
|
const responseMeta = {
|
|
665
680
|
...(_meta ?? {}),
|
|
@@ -733,13 +748,21 @@ export async function createMCPServerForRequest(config, identity, requestMeta) {
|
|
|
733
748
|
server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
|
|
734
749
|
return withCallerContext(async () => {
|
|
735
750
|
const uri = request.params?.uri;
|
|
736
|
-
|
|
737
|
-
|
|
738
|
-
|
|
739
|
-
|
|
740
|
-
|
|
741
|
-
|
|
742
|
-
|
|
751
|
+
let found = null;
|
|
752
|
+
for (const [name, entry] of Object.entries(advertisedActions)) {
|
|
753
|
+
const resourceUri = getMcpAppResourceUri(config, name, entry);
|
|
754
|
+
if (!resourceUri ||
|
|
755
|
+
(resourceUri.uri !== uri &&
|
|
756
|
+
!resourceUri.legacyUris?.includes(uri))) {
|
|
757
|
+
continue;
|
|
758
|
+
}
|
|
759
|
+
const resource = await resolveMcpAppResourceSafely(config, name, entry, requestMeta);
|
|
760
|
+
if (resource) {
|
|
761
|
+
found = { actionName: name, resource };
|
|
762
|
+
}
|
|
763
|
+
break;
|
|
764
|
+
}
|
|
765
|
+
if (!found) {
|
|
743
766
|
throw new Error(`MCP App resource not found: ${uri}`);
|
|
744
767
|
}
|
|
745
768
|
return {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"build-server.js","sourceRoot":"","sources":["../../src/mcp/build-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAChE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,6BAA6B,GAG9B,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,iCAAiC,EAAE,MAAM,gBAAgB,CAAC;AACnE,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC7E,OAAO,EACL,yBAAyB,EACzB,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,+BAA+B,EAAE,MAAM,yBAAyB,CAAC;AAC1E,OAAO,EAAE,uBAAuB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAEL,gBAAgB,EAChB,yBAAyB,GAC1B,MAAM,kBAAkB,CAAC;AAoF1B,SAAS,4BAA4B,CACnC,KAAkB,EAClB,MAA4B;IAE5B,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,QAAQ,GACZ,KAAK,CAAC,QAAQ,KAAK,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC;IACrD,OAAO,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,gCAAgC,GAAG,IAAI,GAAG,CAAC;IAC/C,WAAW;IACX,UAAU;IACV,sBAAsB;CACvB,CAAC,CAAC;AAEH,SAAS,gBAAgB,CAAC,MAAiB;IACzC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9C,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC/C,OAAO,EAAE,KAAK,UAAU,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,wCAAwC,CAC/C,MAAiB,EACjB,IAAY,EACZ,KAAkB;IAElB,IAAI,gCAAgC,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,IAAI,IAAI,KAAK,SAAS,IAAI,gBAAgB,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAChE,OAAO,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,uBAAuB,GAAG,wCAAwC,CAAC;AACzE,MAAM,uBAAuB,GAC3B,qEAAqE,CAAC;AACxE,MAAM,8BAA8B,GAClC,2DAA2D,CAAC;AAE9D,KAAK,UAAU,wBAAwB,CACrC,QAAuC;IAEvC,MAAM,QAAQ,GAAG,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACjD,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAE5B,SAAS,oBAAoB,CAAC,KAAgC;QAC5D,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,OAAO,CACL,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC;YACnC,CAAC,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,CACrC,CAAC;IACJ,CAAC;IAED,SAAS,uBAAuB,CAAC,KAAgC;QAC/D,OAAO,OAAO,CAAC,KAAK,IAAI,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED,SAAS,wBAAwB,CAAC,GAAW;QAC3C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YACzB,OAAO,CACL,GAAG,CAAC,QAAQ,KAAK,QAAQ;gBACzB,8BAA8B,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAClD,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,IAAI,oBAAoB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,uBAAuB,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAEpD,IAAI,CAAC;QACH,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC9C,2EAA2E;QAC3E,2EAA2E;QAC3E,yBAAyB;QACzB,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACzB,IAAI,oBAAoB,CAAC,MAAM,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QACzD,IAAI,uBAAuB,CAAC,MAAM,CAAC,UAAU,CAAC;YAAE,OAAO,KAAK,CAAC;QAC7D,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,wBAAwB,CAAC;YAAE,OAAO,IAAI,CAAC;QACpE,0EAA0E;QAC1E,0EAA0E;QAC1E,mCAAmC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,yEAAyE;QACzE,2EAA2E;QAC3E,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAmBD,SAAS,cAAc,CAAC,KAAc;IACpC,OAAO,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAChE,CAAC,CAAE,KAAiC;QACpC,CAAC,CAAC,EAAE,CAAC;AACT,CAAC;AAED,SAAS,sBAAsB,CAAC,SAAiB;IAC/C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,6BAA6B,CAAC;QAC3C,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;YACnC,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC;YAC1B,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QACvB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;QAC3D,OAAO,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;YAC9B,CAAC,CAAC,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE;YAC3C,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAC9B,MAAe,EACf,QAAgC,EAChC,IAAgC;IAEhC,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACnC,MAAM,aAAa,GACjB,OAAO,GAAG,CAAC,aAAa,KAAK,QAAQ;QACnC,CAAC,CAAC,GAAG,CAAC,aAAa;QACnB,CAAC,CAAC,GAAG,CAAC,KAAK,KAAK,IAAI;YAChB,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ;YAC3B,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,4BAA4B,CAAC;YAChD,CAAC,CAAC,GAAG,CAAC,GAAG;YACT,CAAC,CAAC,IAAI,CAAC;IACb,IAAI,CAAC,aAAa;QAAE,OAAO,EAAE,CAAC;IAE9B,MAAM,MAAM,GAAG,iBAAiB,CAC9B,sBAAsB,CAAC,aAAa,CAAC,EACrC,IAAI,EAAE,MAAM,CACb,CAAC;IACF,MAAM,WAAW,GACf,OAAO,GAAG,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/D,MAAM,aAAa,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,IAAI,IAAI,KAAK,CAAC;IAC/D,MAAM,KAAK,GACT,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE;QAC3C,CAAC,CAAC,QAAQ,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE;QAC1B,CAAC,CAAC,aAAa,CAAC;IACpB,MAAM,IAAI,GACR,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;QAC7C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;QACjB,CAAC,CAAC,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;YAC/C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;YACjB,CAAC,CAAC,SAAS,CAAC;IAElB,OAAO;QACL,uBAAuB,EAAE;YACvB,KAAK;YACL,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACzB,MAAM;YACN,UAAU,EAAE,WAAW;gBACrB,CAAC,CAAC,iBAAiB,CAAC,WAAW,EAAE,IAAI,EAAE,MAAM,CAAC;gBAC9C,CAAC,CAAC,MAAM;SACX;KACF,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,KAAkB,EAClB,IAAyB,EACzB,MAAW,EACX,IAAgC;IAKhC,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,UAAU;QAAE,OAAO,EAAE,CAAC;IAChD,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QACpD,IAAI,CAAC,EAAE,EAAE,GAAG;YAAE,OAAO,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,yBAAyB,CAAC,EAAE,CAAC,GAAG,CAAC;YAC/C,CAAC,CAAC,8BAA8B,CAAC,EAAE,CAAC,GAAG,CAAC;YACxC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC;QACX,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAG,IAAI,EAAE,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC;QACrE,OAAO;YACL,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,KAAK,OAAO,WAAW,GAAG,EAAE;YACpE,KAAK,EAAE;gBACL,uBAAuB,EAAE;oBACvB,KAAK,EAAE,EAAE,CAAC,KAAK;oBACf,IAAI,EAAE,EAAE,CAAC,IAAI;oBACb,MAAM;oBACN,UAAU;iBACX;aACF;SACF,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,iBAAiB,CACxB,MAAiB,EACjB,WAAwC,EACxC,WAA4B;IAE5B,IAAI,MAAM,CAAC,oBAAoB,KAAK,KAAK;QAAE,OAAO,WAAW,CAAC;IAC9D,MAAM,QAAQ,GAAG,uBAAuB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAC9D,MAAM,MAAM,GAAgC,EAAE,GAAG,QAAQ,EAAE,CAAC;IAC5D,wDAAwD;IACxD,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QACxD,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;IACvB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,aAAa,CAAC,KAAyB,EAAE,QAAgB;IAChE,MAAM,UAAU,GAAG,CAAC,KAAK,IAAI,QAAQ,CAAC;SACnC,IAAI,EAAE;SACN,WAAW,EAAE;SACb,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC;SAC9B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC3B,OAAO,UAAU,IAAI,QAAQ,CAAC;AAChC,CAAC;AAED,2EAA2E;AAC3E,2EAA2E;AAC3E,MAAM,8BAA8B,GAAG,WAAW,CAAC;AAEnD,SAAS,sBAAsB,CAAC,MAAiB,EAAE,UAAkB;IACnE,MAAM,GAAG,GAAG,aAAa,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACvE,MAAM,MAAM,GAAG,aAAa,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACjD,OAAO,QAAQ,GAAG,IAAI,MAAM,EAAE,CAAC;AACjC,CAAC;AAED,SAAS,wBAAwB,CAC/B,MAAc;IAEd,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC1B,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,aAAa,GAAG,IAAI,8BAA8B,EAAE,CAAC;IAC3D,IAAI,YAAoB,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAClD,MAAM,CAAC,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC;YAC1C,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,aAAa,CAAC;YAC9C,CAAC,CAAC,GAAG,IAAI,GAAG,aAAa,EAAE,CAAC;QAC9B,YAAY,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO;QACL,GAAG,EAAE,YAAY;QACjB,GAAG,CAAC,YAAY,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACvD,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CACjC,OAA6B,EAC7B,WAA4B;IAE5B,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,MAAM,MAAM,GAAG,WAAW,EAAE,MAAM,CAAC;IACnC,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE,CAChC,MAAM,KAAK,iCAAiC,IAAI,MAAM;QACpD,CAAC,CAAC,CAAC,MAAM,CAAC;QACV,CAAC,CAAC,CAAC,MAAM,CAAC,CACb,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CACtB,SAAsC,EACtC,WAA4B;IAE5B,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAC;IACjC,MAAM,GAAG,GAA6B,EAAE,CAAC;IACzC,MAAM,cAAc,GAAG,0BAA0B,CAC/C,SAAS,CAAC,cAAc,EACxB,WAAW,CACZ,CAAC;IACF,MAAM,eAAe,GAAG,0BAA0B,CAChD,SAAS,CAAC,eAAe,EACzB,WAAW,CACZ,CAAC;IACF,MAAM,YAAY,GAAG,0BAA0B,CAC7C,SAAS,CAAC,YAAY,EACtB,WAAW,CACZ,CAAC;IACF,IAAI,cAAc,EAAE,MAAM;QAAE,GAAG,CAAC,eAAe,GAAG,cAAc,CAAC;IACjE,IAAI,eAAe,EAAE,MAAM;QAAE,GAAG,CAAC,gBAAgB,GAAG,eAAe,CAAC;IACpE,IAAI,YAAY,EAAE,MAAM;QAAE,GAAG,CAAC,aAAa,GAAG,YAAY,CAAC;IAC3D,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;AACvD,CAAC;AAED,SAAS,YAAY,CACnB,QAAoC,EACpC,WAAwC,EACxC,WAA4B,EAC5B,WAAoB;IAEpB,MAAM,IAAI,GACR,QAAQ,CAAC,KAAK,IAAI,OAAO,QAAQ,CAAC,KAAK,KAAK,QAAQ;QAClD,CAAC,CAAC,EAAE,GAAG,QAAQ,CAAC,KAAK,EAAE;QACvB,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,UAAU,GACd,IAAI,CAAC,EAAE,IAAI,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/D,CAAC,CAAE,IAAI,CAAC,EAA8B;QACtC,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,EAAE,GAA4B,EAAE,GAAG,UAAU,EAAE,CAAC;IACtD,IAAI,WAAW,EAAE,CAAC;QAChB,EAAE,CAAC,GAAG,GAAG;YACP,GAAG,WAAW;YACd,cAAc,EAAE,0BAA0B,CACxC,WAAW,CAAC,cAAc,EAC1B,WAAW,CACZ;YACD,eAAe,EAAE,0BAA0B,CACzC,WAAW,CAAC,eAAe,EAC3B,WAAW,CACZ;YACD,YAAY,EAAE,0BAA0B,CACtC,WAAW,CAAC,YAAY,EACxB,WAAW,CACZ;YACD,cAAc,EAAE,0BAA0B,CACxC,WAAW,CAAC,cAAc,EAC1B,WAAW,CACZ;SACF,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,WAAW;QAAE,EAAE,CAAC,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;IAChE,IAAI,QAAQ,CAAC,MAAM;QAAE,EAAE,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;IACjD,IAAI,OAAO,QAAQ,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QAChD,EAAE,CAAC,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC;IAC5C,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;IAC7C,IAAI,WAAW,IAAI,IAAI,CAAC,0BAA0B,CAAC,IAAI,IAAI,EAAE,CAAC;QAC5D,IAAI,CAAC,0BAA0B,CAAC,GAAG,WAAW,CAAC;IACjD,CAAC;IACD,IACE,OAAO,QAAQ,CAAC,aAAa,KAAK,SAAS;QAC3C,IAAI,CAAC,4BAA4B,CAAC,IAAI,IAAI,EAC1C,CAAC;QACD,IAAI,CAAC,4BAA4B,CAAC,GAAG,QAAQ,CAAC,aAAa,CAAC;IAC9D,CAAC;IACD,MAAM,SAAS,GAAG,eAAe,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IAC5D,IAAI,SAAS,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,IAAI,EAAE,CAAC;QAClD,IAAI,CAAC,kBAAkB,CAAC,GAAG,SAAS,CAAC;IACvC,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,QAAoC,EACpC,GAA0B;IAE1B,IAAI,CAAC,QAAQ,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IACpC,OAAO,OAAO,QAAQ,CAAC,GAAG,KAAK,UAAU;QACvC,CAAC,CAAC,MAAM,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;QACzB,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,MAAiB,EACjB,UAAkB,EAClB,KAAkB,EAClB,WAA4B;IAE5B,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC;IACxC,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,OAAO,GACX,QAAQ,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,sBAAsB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACrE,MAAM,WAAW,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;IACtD,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,IAAI,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;IACnE,MAAM,WAAW,GAAG,MAAM,gBAAgB,CAAC,QAAQ,EAAE;QACnD,UAAU;QACV,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,aAAa,EAAE,WAAW,EAAE,MAAM;KACnC,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,YAAY,CAC/B,QAAQ,EACR,WAAW,EACX,WAAW,EACX,WAAW,CACZ,CAAC;IACF,OAAO;QACL,GAAG,EAAE,WAAW,CAAC,GAAG;QACpB,GAAG,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACzE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,UAAU;QACzC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACpD,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvC,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,iBAAiB;QAChD,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,MAAiB,EACjB,OAAoC,EACpC,WAA4B;IAE5B,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CACjC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAC5C,qBAAqB,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,CAAC,CACxD,CACF,CAAC;IACF,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAsC,EAAE,CACvE,OAAO,CAAC,QAAQ,CAAC,CAClB,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CACvB,QAAgC,EAChC,UAAkB,EAClB,MAAiB,EACjB,WAA4B;IAE5B,IAAI,OAAO,QAAQ,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QACxC,OAAO,QAAQ,CAAC,IAAI,CAAC;YACnB,UAAU;YACV,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,aAAa,EAAE,WAAW,EAAE,MAAM;SACnC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,QAAQ,CAAC,IAAI,CAAC;AACvB,CAAC;AAED,SAAS,wBAAwB,CAC/B,QAAgC;IAEhC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,IAAI,CAAC;IAC9C,MAAM,SAAS,GAAG,cAAc,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACvE,OAAO;QACL,uBAAuB,EAAE,QAAQ,CAAC,GAAG;QACrC,gCAAgC,EAAE,WAAW,KAAK,EAAE;QACpD,+BAA+B,EAAE,GAAG,KAAK,QAAQ;QACjD,yBAAyB,EAAE,IAAI;QAC/B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC;YACnC,CAAC,CAAC,EAAE,kBAAkB,EAAE,SAAS,EAAE;YACnC,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAC3B,QAAgC;IAEhC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,IAAI,CAAC;IAC9C,MAAM,SAAS,GAAG,cAAc,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACvE,OAAO;QACL,uBAAuB,EAAE,QAAQ,CAAC,GAAG;QACrC,gCAAgC,EAAE,WAAW,KAAK,EAAE;QACpD,+BAA+B,EAAE,GAAG,KAAK,QAAQ;QACjD,yBAAyB,EAAE,IAAI;QAC/B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC;YACnC,CAAC,CAAC,EAAE,kBAAkB,EAAE,SAAS,EAAE;YACnC,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CACvB,QAAgC,EAChC,UAAmB;IAEnB,OAAO;QACL,WAAW,EAAE,QAAQ,CAAC,GAAG;QACzB,UAAU,EAAE,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC;KACtE,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ;QACzB,OAAO,KAAK,KAAK,QAAQ;QACzB,OAAO,KAAK,KAAK,SAAS,CAC3B,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAC9B,MAAe,EACf,IAAyC;IAEzC,MAAM,GAAG,GACP,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAC5D,CAAC,CAAC,EAAE,GAAI,MAAkC,EAAE;QAC5C,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC;YACtB,CAAC,CAAC,EAAE,MAAM,EAAE;YACZ,CAAC,CAAC,EAAE,CAAC;IACX,MAAM,QAAQ,GAAG,IAAI,EAAE,CAAC,uBAAuB,CAAC,CAAC;IACjD,IAAI,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzE,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACxB,MAAM,MAAM,GAAI,QAAoC,CAAC,MAAM,CAAC;QAC5D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,GAAG;YAAE,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC;IAC/D,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AAC9D,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa,EAAE,GAAG,GAAG,IAAI;IACjD,IAAI,KAAK,CAAC,MAAM,IAAI,GAAG;QAAE,OAAO,KAAK,CAAC;IACtC,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC;AACvC,CAAC;AAED,SAAS,qBAAqB,CAC5B,IAAY,EACZ,MAAe,EACf,iBAA0C;IAE1C,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC;IAC1C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QAClD,OAAO,gBAAgB,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,KAAK,GAAG,iBAAiB,CAAC,KAAK,IAAI,iBAAiB,CAAC,IAAI,CAAC;IAChE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;QAC9C,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,YAAY,CAAC;IACrC,CAAC;IACD,MAAM,EAAE,GAAG,iBAAiB,CAAC,EAAE,CAAC;IAChC,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC;QACxC,OAAO,GAAG,IAAI,kBAAkB,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC;IAC/C,CAAC;IACD,OAAO,GAAG,IAAI,aAAa,CAAC;AAC9B,CAAC;AAED,8EAA8E;AAC9E,mEAAmE;AACnE,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,MAAiB,EACjB,QAAuC,EACvC,WAA4B;IAE5B,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;IAC7E,MAAM,EACJ,sBAAsB,EACtB,qBAAqB,EACrB,0BAA0B,EAC1B,yBAAyB,EACzB,kCAAkC,GACnC,GAAG,MAAM,MAAM,CAAC,oCAAoC,CAAC,CAAC;IAEvD,uEAAuE;IACvE,0EAA0E;IAC1E,8DAA8D;IAC9D,4EAA4E;IAC5E,6EAA6E;IAC7E,2EAA2E;IAC3E,yEAAyE;IACzE,sBAAsB;IACtB,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,IAAI,EAAE,CAAC;IAClE,MAAM,iBAAiB,GACrB,QAAQ;QACR,CAAC,YAAY;YACX,CAAC,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE;YACnD,CAAC,CAAC,SAAS,CAAC,CAAC;IAEjB,0EAA0E;IAC1E,yEAAyE;IACzE,yEAAyE;IACzE,wEAAwE;IACxE,wEAAwE;IACxE,wEAAwE;IACxE,yEAAyE;IACzE,YAAY;IACZ,MAAM,cAAc,GAAG,WAAW,EAAE,WAAW,KAAK,IAAI,IAAI,CAAC,CAAC,YAAY,CAAC;IAC3E,MAAM,WAAW,GACf,cAAc,IAAI,MAAM,CAAC,iBAAiB;QACxC,CAAC,CAAC,MAAM,CAAC,iBAAiB;QAC1B,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;IACrB,MAAM,OAAO,GAAG,iBAAiB,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;IACpE,MAAM,cAAc,GAAG,MAAM,CAAC,WAAW,CACvC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAC3C,4BAA4B,CAAC,KAAK,EAAE,iBAAiB,EAAE,WAAW,CAAC,CACpE,CACF,CAAC;IACF,MAAM,oBAAoB,GACxB,CAAC,KAAK,CAAC,OAAO,CAAC,iBAAiB,EAAE,WAAW,CAAC;QAC5C,gBAAgB,CAAC,iBAAiB,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QAC9D,CAAC,MAAM,wBAAwB,CAAC,iBAAiB,CAAC,CAAC,CAAC;IACtD,MAAM,iBAAiB,GAAG,oBAAoB;QAC5C,CAAC,CAAC,MAAM,CAAC,WAAW,CAChB,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CACtD,wCAAwC,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,CAC9D,CACF;QACH,CAAC,CAAC,cAAc,CAAC;IACnB,MAAM,eAAe,GACnB,oBAAoB;QACpB,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAC9C,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAChC,CAAC;IACJ,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,OAAO,EAAE,EACzD;QACE,YAAY,EAAE;YACZ,KAAK,EAAE,EAAE;YACT,GAAG,CAAC,eAAe;gBACjB,CAAC,CAAC;oBACE,SAAS,EAAE,EAAE;oBACb,UAAU,EAAE;wBACV,CAAC,oBAAoB,CAAC,EAAE;4BACtB,SAAS,EAAE,CAAC,iBAAiB,CAAC;yBAC/B;qBACF;iBACF;gBACH,CAAC,CAAC,EAAE,CAAC;SACR;KACF,CACF,CAAC;IAEF,qEAAqE;IACrE,wEAAwE;IACxE,sEAAsE;IACtE,qEAAqE;IACrE,wCAAwC;IACxC,MAAM,YAAY,GAAG,sBAAsB,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAE1E;;;;;;;;;;OAUG;IACH,KAAK,UAAU,iBAAiB,CAAI,EAAoB;QACtD,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC;QACjC,OAAO,qBAAqB,CAC1B;YACE,SAAS,EAAE,iBAAiB,EAAE,SAAS;YACvC,KAAK;YACL,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtE,EACD,EAAE,CACW,CAAC;IAClB,CAAC;IAED,wEAAwE;IACxE,wEAAwE;IACxE,8BAA8B;IAC9B,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QAC1D,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;YAClC,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAC7B,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE;gBAC5D,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC,IAAI,KAAK,UAAU,CAAC;gBACjD,MAAM,cAAc,GAAG,MAAM,qBAAqB,CAChD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,WAAW,CACZ,CAAC;gBACF,MAAM,WAAW,GACd,KAAK,CAAC,IAAY,CAAC,KAAK;oBACzB,OAAQ,KAAK,CAAC,IAAY,CAAC,KAAK,KAAK,QAAQ;oBAC7C,CAAC,KAAK,CAAC,OAAO,CAAE,KAAK,CAAC,IAAY,CAAC,KAAK,CAAC;oBACvC,CAAC,CAAC,EAAE,GAAK,KAAK,CAAC,IAAY,CAAC,KAAiC,EAAE;oBAC/D,CAAC,CAAC,EAAE,CAAC;gBACT,MAAM,QAAQ,GAAG;oBACf,GAAG,WAAW;oBACd,GAAG,CAAC,cAAc;wBAChB,CAAC,CAAC;4BACE,GAAG,wBAAwB,CAAC,cAAc,CAAC;4BAC3C,CAAC,6BAA6B,CAAC,EAAE,cAAc,CAAC,GAAG;4BACnD,EAAE,EAAE,gBAAgB,CAClB,cAAc,EACd,KAAK,CAAC,MAAM,EAAE,UAAU;gCACtB,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,UAAU,CAC5C;yBACF;wBACH,CAAC,CAAC,EAAE,CAAC;iBACR,CAAC;gBACF,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC;gBACvD,MAAM,WAAW,GAA4B;oBAC3C,YAAY,EAAE,KAAK,CAAC,QAAQ,KAAK,IAAI;oBACrC,eAAe,EAAE,KAAK,CAAC,WAAW,EAAE,eAAe,KAAK,IAAI;oBAC5D,aAAa,EAAE,KAAK;iBACrB,CAAC;gBACF,IAAI,OAAO;oBAAE,WAAW,CAAC,+BAA+B,CAAC,GAAG,IAAI,CAAC;gBACjE,OAAO;oBACL,IAAI;oBACJ,WAAW,EAAE,OAAO;wBAClB,CAAC,CAAC,GAAG,eAAe,sEAAsE;wBAC1F,CAAC,CAAC,eAAe;oBACnB,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI;wBACpC,IAAI,EAAE,QAAiB;wBACvB,UAAU,EAAE,EAAE;qBACf;oBACD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAChE,WAAW;iBACZ,CAAC;YACJ,CAAC,CAAC,CACH,CAAC;YAEF,IACE,CAAC,oBAAoB;gBACrB,MAAM,CAAC,QAAQ;gBACf,gBAAgB,CAAC,iBAAiB,EAAE,WAAW,EAAE,WAAW,CAAC,EAC7D,CAAC;gBACD,KAAK,CAAC,IAAI,CAAC;oBACT,IAAI,EAAE,WAAW;oBACjB,WAAW,EACT,4EAA4E;wBAC5E,4EAA4E;wBAC5E,iCAAiC;oBACnC,WAAW,EAAE;wBACX,IAAI,EAAE,QAAiB;wBACvB,UAAU,EAAE;4BACV,OAAO,EAAE;gCACP,IAAI,EAAE,QAAQ;gCACd,WAAW,EAAE,kCAAkC;6BAChD;yBACF;wBACD,QAAQ,EAAE,CAAC,SAAS,CAAC;qBACtB;oBACD,WAAW,EAAE;wBACX,YAAY,EAAE,KAAK;wBACnB,eAAe,EAAE,KAAK;wBACtB,aAAa,EAAE,KAAK;qBACrB;iBACF,CAAC,CAAC;YACL,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,wEAAwE;IACxE,uEAAuE;IACvE,iEAAiE;IACjE,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QACrE,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;YAClC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;YAEjD,IAAI,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAC5C,IAAI,oBAAoB,EAAE,CAAC;oBACzB,OAAO;wBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC;wBAC1D,OAAO,EAAE,IAAI;qBACd,CAAC;gBACJ,CAAC;gBACD,IAAI,CAAC,gBAAgB,CAAC,iBAAiB,EAAE,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;oBACnE,OAAO;wBACL,OAAO,EAAE;4BACP;gCACE,IAAI,EAAE,MAAM;gCACZ,IAAI,EAAE,iDAAiD;6BACxD;yBACF;wBACD,OAAO,EAAE,IAAI;qBACd,CAAC;gBACJ,CAAC;gBACD,MAAM,OAAO,GAAG,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC;gBACpC,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAC9C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;gBACvD,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,OAAO;wBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;wBAC1D,OAAO,EAAE,IAAI;qBACd,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,MAAM,eAAe,GAAG,oBAAoB;gBAC1C,CAAC,CAAC,iBAAiB;gBACnB,CAAC,CAAC,OAAO,CAAC;YACZ,MAAM,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;YACpC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC;oBAC1D,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YACD,IACE,CAAC,4BAA4B,CAAC,KAAK,EAAE,iBAAiB,EAAE,WAAW,CAAC,EACpE,CAAC;gBACD,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE,8CAA8C,IAAI,EAAE;yBAC3D;qBACF;oBACD,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,CAAE,IAA+B,IAAI,EAAE,CAAC,CAAC;gBACvE,MAAM,SAAS,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC;gBAClE,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC;oBAC/C,CAAC,CAAC,MAAM,CAAC,IAAI;oBACb,CAAC,CAAC,MAAM,CAAC;gBACX,MAAM,cAAc,GAAG,MAAM,qBAAqB,CAChD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,WAAW,CACZ,CAAC;gBACF,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,kBAAkB,CACzC,KAAK,EACJ,IAA4B,IAAI,EAAE,EACnC,SAAS,EACT,WAAW,CACZ,CAAC;gBACF,MAAM,YAAY,GAA4B;oBAC5C,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;oBAChB,GAAG,CAAC,cAAc;wBAChB,CAAC,CAAC,uBAAuB,CAAC,SAAS,EAAE,cAAc,EAAE,WAAW,CAAC;wBACjE,CAAC,CAAC,EAAE,CAAC;oBACP,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,oBAAoB,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;iBAChE,CAAC;gBACF,MAAM,iBAAiB,GAAG,cAAc;oBACtC,CAAC,CAAC,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC;oBAClD,CAAC,CAAC,SAAS,CAAC;gBACd,MAAM,IAAI,GAAG,cAAc;oBACzB,CAAC,CAAC,qBAAqB,CAAC,IAAI,EAAE,eAAe,EAAE,iBAAkB,CAAC;oBAClE,CAAC,CAAC,OAAO,eAAe,KAAK,QAAQ;wBACnC,CAAC,CAAC,eAAe;wBACjB,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;gBACtC,MAAM,OAAO,GAAU,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;gBAChD,IAAI,KAAK;oBAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAC/B,OAAO;oBACL,OAAO;oBACP,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACnD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,GAAG,CAAC;wBACtC,CAAC,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE;wBACzB,CAAC,CAAC,EAAE,CAAC;iBACR,CAAC;YACJ,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC1D,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAI,eAAe,EAAE,CAAC;QACpB,MAAM,CAAC,iBAAiB,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;YAC9D,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;gBAClC,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAC9C,MAAM,EACN,iBAAiB,EACjB,WAAW,CACZ,CAAC;gBACF,OAAO;oBACL,SAAS,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;wBAC5C,GAAG,EAAE,QAAQ,CAAC,GAAG;wBACjB,IAAI,EAAE,QAAQ,CAAC,IAAI;wBACnB,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpD,GAAG,CAAC,QAAQ,CAAC,WAAW;4BACtB,CAAC,CAAC,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE;4BACvC,CAAC,CAAC,EAAE,CAAC;wBACP,QAAQ,EAAE,QAAQ,CAAC,QAAQ;wBAC3B,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBACrD,CAAC,CAAC;iBACJ,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,iBAAiB,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YACtE,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;gBAClC,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAC9C,MAAM,EACN,iBAAiB,EACjB,WAAW,CACZ,CAAC;gBACF,OAAO;oBACL,iBAAiB,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;wBACpD,WAAW,EAAE,QAAQ,CAAC,GAAG;wBACzB,IAAI,EAAE,QAAQ,CAAC,IAAI;wBACnB,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpD,GAAG,CAAC,QAAQ,CAAC,WAAW;4BACtB,CAAC,CAAC,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE;4BACvC,CAAC,CAAC,EAAE,CAAC;wBACP,QAAQ,EAAE,QAAQ,CAAC,QAAQ;wBAC3B,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBACrD,CAAC,CAAC;iBACJ,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,iBAAiB,CACtB,yBAAyB,EACzB,KAAK,EAAE,OAAY,EAAE,EAAE;YACrB,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;gBAClC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;gBAChC,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,GAAG,CAClC,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;oBAC9D,UAAU,EAAE,IAAI;oBAChB,QAAQ,EAAE,MAAM,qBAAqB,CACnC,MAAM,EACN,IAAI,EACJ,KAAK,EACL,WAAW,CACZ;iBACF,CAAC,CAAC,CACJ,CAAC;gBACF,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAC3B,CAAC,SAAS,EAAE,EAAE,CACZ,SAAS,CAAC,QAAQ,EAAE,GAAG,KAAK,GAAG;oBAC/B,SAAS,CAAC,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,GAAG,CAAC,CAChD,CAAC;gBACF,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;oBACrB,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,EAAE,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO;oBACL,QAAQ,EAAE;wBACR;4BACE,GAAG;4BACH,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,QAAQ;4BACjC,IAAI,EAAE,gBAAgB,CACpB,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,UAAU,EAChB,MAAM,EACN,WAAW,CACZ;4BACD,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK;gCACtB,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,KAAK,EAAE;gCACjC,CAAC,CAAC,EAAE,CAAC;yBACR;qBACF;iBACF,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CACF,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,6EAA6E;AAC7E,gFAAgF;AAChF,8EAA8E;AAE9E,MAAM,UAAU,eAAe;IAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACxC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,MAAM;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,IAAI,CACT,GAAG,KAAK;aACL,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC,CACnB,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,SAAS,yBAAyB,CAChC,gBAAoC;IAEpC,MAAM,KAAK,GACT,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,IAAI,EAAE;QAC5C,CAAC,OAAO,gBAAgB,KAAK,QAAQ,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;QACjE,EAAE,CAAC;IACL,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,kBAAkB,CACzB,UAAoB,EACpB,MAAiC;IAEjC,MAAM,OAAO,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO;IACrD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,KAAa;IAEb,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,iBAAiB,GAAmC,IAAI,CAAC;IAC7D,IAAI,CAAC;QACH,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAA4B,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAE7D,MAAM,SAAS,GACb,OAAO,iBAAiB,CAAC,UAAU,KAAK,QAAQ;QAC9C,CAAC,CAAC,iBAAiB,CAAC,UAAU;QAC9B,CAAC,CAAC,SAAS,CAAC;IAChB,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,kBAAkB,CAChB,gBAAgB,EAChB,MAAM,oBAAoB,CAAC,SAAS,CAAC,CACtC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,0EAA0E;QAC5E,CAAC;IACH,CAAC;IAED,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CACjC,CAAC;YACF,OAAO,OAAkC,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,gEAAgE;QAClE,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAA8B,EAC9B,gBAAqC,EACrC,UAA4D,EAAE;IAa9D,oEAAoE;IACpE,yEAAyE;IACzE,0EAA0E;IAC1E,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IAC9C,MAAM,KAAK,GAAG,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC;QAC7C,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;QACrB,CAAC,CAAC,SAAS,CAAC;IACd,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,aAAa,GAAG,MAAM,yBAAyB,CACnD,KAAK,EACL,OAAO,CAAC,WAAW,CACpB,CAAC;QACF,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE;oBACR,SAAS,EAAE,aAAa,CAAC,SAAS;oBAClC,SAAS,EAAE,aAAa,CAAC,SAAS;oBAClC,WAAW,EAAE,aAAa,CAAC,MAAM;oBACjC,aAAa,EAAE,aAAa,CAAC,QAAQ;iBACtC;gBACD,WAAW,EAAE,IAAI;aAClB,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,KAAK,EAAE,CAAC;QACzD,IAAI,OAAO,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;YACnC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,yBAAyB,CAAC,gBAAgB,CAAC;YACrD,uEAAuE;YACvE,sEAAsE;YACtE,uEAAuE;YACvE,iDAAiD;YACjD,WAAW,EAAE,CAAC,CAAC,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;SAC7D,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAErC,wEAAwE;IACxE,uDAAuD;IACvD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAChD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,UAAU,GACd,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAChE,IAAI,UAAU,IAAI,UAAU,KAAK,iBAAiB,EAAE,CAAC;YACnD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QAED,uEAAuE;QACvE,mEAAmE;QACnE,sEAAsE;QACtE,uDAAuD;QACvD,mEAAmE;QACnE,kDAAkD;QAClD,IAAI,UAAU,KAAK,iBAAiB,EAAE,CAAC;YACrC,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBACpD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YAC3B,CAAC;YACD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;YACxB,IAAI,CAAC;gBACH,MAAM,EAAE,YAAY,EAAE,cAAc,EAAE,GACpC,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;gBACrC,IAAI,MAAM,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC5B,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;gBAC3B,CAAC;gBACD,uDAAuD;gBACvD,KAAK,cAAc,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;YAClE,CAAC;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE;gBACR,SAAS,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;gBACpE,SAAS,EACP,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ;oBACpC,CAAC,CAAE,OAAO,CAAC,UAAqB;oBAChC,CAAC,CAAC,SAAS;aAChB;YACD,mEAAmE;YACnE,WAAW,EAAE,IAAI;SAClB,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QAC/C,IAAI,OAAO,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;YACnC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,yBAAyB,CAAC,gBAAgB,CAAC;YACrD,WAAW,EAAE,CAAC,CAAC,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;SAC7D,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,uEAAuE;IACvE,4DAA4D;IAC5D,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,yBAAyB,CAAC,gBAAgB,CAAC;YACrD,qDAAqD;YACrD,WAAW,EAAE,IAAI;SAClB,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,SAA6B;IAE7B,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;QACjE,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,CAAC;QAChD,OAAO,GAAG,EAAE,KAAK,IAAI,SAAS,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC","sourcesContent":["/**\n * Shared MCP server builder.\n *\n * Extracted from `server.ts` so the stateless Streamable-HTTP mount\n * (`mountMCP`) and the stdio transport (`runMCPStdio --standalone`) build the\n * *same* MCP server from the *same* `ActionEntry` registry. Both surfaces:\n *\n * - expose every action as an MCP tool (+ the `ask-agent` meta-tool),\n * - append the framework deep-link block / `_meta` to every tool result,\n * - wrap `run()` / `askAgent()` in `runWithRequestContext` so per-user /\n * per-org scoping (accessFilter, resolveCredential, MCP visibility) is\n * honoured.\n *\n * `server.ts` re-exports `createMCPServerForRequest` and the auth helpers so\n * any (future) external importer of `@agent-native/core/mcp` keeps resolving.\n *\n * Node-only at the SDK level, but this module itself has no Node-only imports\n * — it can be bundled into the serverless function alongside `mountMCP`.\n */\n\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport { isMcpActionResult } from \"../mcp-client/app-result.js\";\nimport {\n MCP_APP_EXTENSION_ID,\n MCP_APP_MIME_TYPE,\n MCP_APP_RESOURCE_URI_META_KEY,\n type ActionMcpAppCsp,\n type ActionMcpAppResourceConfig,\n} from \"../action.js\";\nimport { MCP_APP_REQUEST_ORIGIN_CSP_SOURCE } from \"./embed-app.js\";\nimport { runWithRequestContext } from \"../server/request-context.js\";\nimport { toAbsoluteOpenUrl, toDesktopOpenUrl } from \"../server/deep-link.js\";\nimport {\n isAgentNativeOpenDeepLink,\n withCollapsedAgentSidebarParam,\n} from \"../shared/agent-sidebar-url.js\";\nimport { MCP_APP_CHAT_BRIDGE_QUERY_PARAM } from \"../shared/embed-auth.js\";\nimport { getBuiltinCrossAppTools } from \"./builtin-tools.js\";\nimport { MCP_CONNECT_SCOPE } from \"./connect-store.js\";\nimport {\n MCP_OAUTH_SCOPES,\n hasMcpOAuthScope,\n verifyMcpOAuthAccessToken,\n} from \"./oauth-token.js\";\n\nexport interface MCPConfig {\n /** App name shown in MCP server info */\n name: string;\n /**\n * Canonical app id (directory under `apps/`, e.g. `mail`) this MCP server\n * is mounted for. Optional & back-compat: when omitted the builtin\n * cross-app tools fall back to lowercasing `name`. Used by `open_app` /\n * `ask_app` / `create_workspace_app` to tell \"this app\" from a cross-app\n * target so they resolve the *target* app's origin rather than echoing the\n * current request origin.\n */\n appId?: string;\n /** App description */\n description: string;\n /** Version string (default \"1.0.0\") */\n version?: string;\n /** Action registry — same as agent chat and A2A */\n actions: Record<string, ActionEntry>;\n /**\n * Full (\"production\") action surface served to an **authenticated real\n * caller** — a connect-minted token, an `agent-native mcp install` stdio\n * proxy (owner-email header / `AGENT_NATIVE_OWNER_EMAIL`), or a deployed /\n * `AGENT_MODE=production` app. In local dev `actions` is intentionally the\n * sparse, dev-toggled surface (builtins + read-only public-agent actions)\n * so the local agent chat and unauthenticated dev probes don't see every\n * mutating tool; but per the external-agents contract a real caller that\n * connected with a token MUST get the full surface even in dev. When unset\n * (production, where `actions` already IS the full set) the swap is a\n * no-op. See `external-agents` skill, \"Dev vs production tool surface\".\n */\n productionActions?: Record<string, ActionEntry>;\n /** Handler for the ask-agent meta-tool — runs the full agent loop */\n askAgent?: (message: string) => Promise<string>;\n /**\n * Disable the generic cross-app builtin tools (`list_apps`, `open_app`,\n * `ask_app`, `create_workspace_app`, `list_templates`). They are merged in\n * by default so external agents get a stable verb set; a template action of\n * the same name always wins (template precedence). Set to `false` only for\n * a constrained / locked-down mount.\n */\n builtinCrossAppTools?: boolean;\n}\n\n/**\n * Identity extracted from a verified MCP bearer token / JWT. Used to wrap\n * `entry.run()` and `config.askAgent()` calls in `runWithRequestContext`\n * so downstream tools (db-query, accessFilter, resolveCredential) honour\n * per-user / per-org scoping. Without this wrap the MCP endpoint would\n * silently bypass tenant isolation. See finding #6 in\n * /tmp/security-audit/12-mcp-a2a-agent.md.\n */\nexport interface MCPCallerIdentity {\n userEmail: string | undefined;\n orgDomain: string | undefined;\n /** Present only for standard remote MCP OAuth access tokens. */\n oauthScopes?: string[];\n /** Present only for standard remote MCP OAuth access tokens. */\n oauthClientId?: string;\n}\n\n/** Per-request context used to turn an action's relative deep link into the\n * absolute web URL (and desktop `agentnative://` URL) the external agent\n * surfaces. Derived from the inbound request headers in `mountMCP`, or from\n * the resolved local app origin in the stdio standalone path. */\nexport interface MCPRequestMeta {\n /** Origin of the running app, e.g. `http://localhost:8100`. */\n origin?: string;\n /** Optional client preference for which URL the *markdown* link uses. */\n target?: \"browser\" | \"desktop\" | \"terminal\";\n /**\n * The caller authenticated with a real credential (verified A2A/connect\n * JWT, matching ACCESS_TOKEN, or a forwarded owner-email header from\n * `agent-native mcp install`) — not the unauthenticated local dev-open\n * path. When true, `createMCPServerForRequest` serves\n * `config.productionActions` (the full surface) instead of the sparse dev\n * `config.actions`. Set by `mountMCP` from `verifyAuth`.\n */\n fullSurface?: boolean;\n}\n\ntype McpOAuthScope = (typeof MCP_OAUTH_SCOPES)[number];\n\nfunction isActionVisibleForOAuthScope(\n entry: ActionEntry,\n scopes: string[] | undefined,\n): boolean {\n if (!scopes) return true;\n const required: McpOAuthScope =\n entry.readOnly === true ? \"mcp:read\" : \"mcp:write\";\n return hasMcpOAuthScope(scopes, required);\n}\n\nconst COMPACT_MCP_APP_CATALOG_BUILTINS = new Set([\n \"list_apps\",\n \"open_app\",\n \"create_embed_session\",\n]);\n\nfunction isDispatchConfig(config: MCPConfig): boolean {\n const id = (config.appId ?? \"\").toLowerCase();\n const name = (config.name ?? \"\").toLowerCase();\n return id === \"dispatch\" || name.includes(\"dispatch\");\n}\n\nfunction isActionAdvertisedInCompactMcpAppCatalog(\n config: MCPConfig,\n name: string,\n entry: ActionEntry,\n): boolean {\n if (COMPACT_MCP_APP_CATALOG_BUILTINS.has(name)) return true;\n if (name === \"ask_app\" && isDispatchConfig(config)) return true;\n return Boolean(entry.mcpApp?.resource);\n}\n\nconst MCP_APP_OAUTH_CLIENT_RE = /\\b(chatgpt|openai|claude|anthropic)\\b/i;\nconst NON_APP_OAUTH_CLIENT_RE =\n /\\b(code|desktop|cli|cursor|codex|goose|postman|mcpjam|inspector)\\b/i;\nconst MCP_APP_OAUTH_REDIRECT_HOST_RE =\n /(^|\\.)((chatgpt|openai)\\.com|claude\\.ai|anthropic\\.com)$/i;\n\nasync function isKnownMcpAppOAuthClient(\n identity: MCPCallerIdentity | undefined,\n): Promise<boolean> {\n const clientId = identity?.oauthClientId?.trim();\n if (!clientId) return false;\n\n function isKnownAppClientName(value: string | undefined | null): boolean {\n if (!value) return false;\n return (\n MCP_APP_OAUTH_CLIENT_RE.test(value) &&\n !NON_APP_OAUTH_CLIENT_RE.test(value)\n );\n }\n\n function isKnownNonAppClientName(value: string | undefined | null): boolean {\n return Boolean(value && NON_APP_OAUTH_CLIENT_RE.test(value));\n }\n\n function isKnownMcpAppRedirectUri(uri: string): boolean {\n try {\n const url = new URL(uri);\n return (\n url.protocol === \"https:\" &&\n MCP_APP_OAUTH_REDIRECT_HOST_RE.test(url.hostname)\n );\n } catch {\n return false;\n }\n }\n\n if (isKnownAppClientName(clientId)) return true;\n if (isKnownNonAppClientName(clientId)) return false;\n\n try {\n const { getOAuthClient } = await import(\"./oauth-store.js\");\n const client = await getOAuthClient(clientId);\n // If the token carries an OAuth client id but its registration is missing,\n // keep the model on the compact MCP Apps surface instead of exposing every\n // private action/schema.\n if (!client) return true;\n if (isKnownAppClientName(client.clientName)) return true;\n if (isKnownNonAppClientName(client.clientName)) return false;\n if (client.redirectUris.some(isKnownMcpAppRedirectUri)) return true;\n // Most OAuth hosts are UI-oriented MCP clients. Preserve the full catalog\n // only for known code/CLI clients so unknown browser hosts cannot trigger\n // massive resources/list payloads.\n return true;\n } catch {\n // On metadata lookup errors, fail compact instead of falling back to the\n // full action surface; ChatGPT/Claude old tokens otherwise get huge lists.\n return true;\n }\n}\n\ninterface ResolvedMcpAppResource {\n uri: string;\n legacyUris?: string[];\n name: string;\n title?: string;\n description?: string;\n html: ActionMcpAppResourceConfig[\"html\"];\n mimeType: typeof MCP_APP_MIME_TYPE;\n _meta?: Record<string, unknown>;\n}\n\ninterface McpAppResourceContext {\n actionName: string;\n appId?: string;\n requestOrigin?: string;\n}\n\nfunction metadataObject(value: unknown): Record<string, unknown> {\n return value && typeof value === \"object\" && !Array.isArray(value)\n ? (value as Record<string, unknown>)\n : {};\n}\n\nfunction withMcpChatBridgeParam(urlOrPath: string): string {\n try {\n const base = \"http://agent-native.invalid\";\n const url = urlOrPath.startsWith(\"/\")\n ? new URL(urlOrPath, base)\n : new URL(urlOrPath);\n url.searchParams.set(MCP_APP_CHAT_BRIDGE_QUERY_PARAM, \"1\");\n return urlOrPath.startsWith(\"/\")\n ? `${url.pathname}${url.search}${url.hash}`\n : url.toString();\n } catch {\n return urlOrPath;\n }\n}\n\nfunction mcpAppEmbedOpenLinkMeta(\n result: unknown,\n resource: ResolvedMcpAppResource,\n meta: MCPRequestMeta | undefined,\n): Record<string, unknown> {\n const out = metadataObject(result);\n const embedStartUrl =\n typeof out.embedStartUrl === \"string\"\n ? out.embedStartUrl\n : out.embed === true &&\n typeof out.url === \"string\" &&\n out.url.includes(\"/_agent-native/embed/start\")\n ? out.url\n : null;\n if (!embedStartUrl) return {};\n\n const webUrl = toAbsoluteOpenUrl(\n withMcpChatBridgeParam(embedStartUrl),\n meta?.origin,\n );\n const deepLinkUrl =\n typeof out.deepLinkUrl === \"string\" ? out.deepLinkUrl : null;\n const fallbackLabel = resource.title ?? resource.name ?? \"app\";\n const label =\n typeof out.app === \"string\" && out.app.trim()\n ? `Open ${out.app.trim()}`\n : fallbackLabel;\n const view =\n typeof out.view === \"string\" && out.view.trim()\n ? out.view.trim()\n : typeof out.path === \"string\" && out.path.trim()\n ? out.path.trim()\n : undefined;\n\n return {\n \"agent-native/openLink\": {\n label,\n ...(view ? { view } : {}),\n webUrl,\n desktopUrl: deepLinkUrl\n ? toAbsoluteOpenUrl(deepLinkUrl, meta?.origin)\n : webUrl,\n },\n };\n}\n\n/**\n * Build the deep-link content block + structured `_meta` for a tool result.\n * Best-effort: any throw / nullish link is swallowed so a bad `link` builder\n * never fails the tool call.\n */\nexport function buildLinkArtifacts(\n entry: ActionEntry,\n args: Record<string, any>,\n result: any,\n meta: MCPRequestMeta | undefined,\n): {\n block?: { type: \"text\"; text: string };\n _meta?: Record<string, unknown>;\n} {\n if (typeof entry.link !== \"function\") return {};\n try {\n const lk = entry.link({ args: args ?? {}, result });\n if (!lk?.url) return {};\n const linkUrl = isAgentNativeOpenDeepLink(lk.url)\n ? withCollapsedAgentSidebarParam(lk.url)\n : lk.url;\n const webUrl = toAbsoluteOpenUrl(linkUrl, meta?.origin);\n const desktopUrl = toDesktopOpenUrl(linkUrl);\n const markdownUrl = meta?.target === \"desktop\" ? desktopUrl : webUrl;\n return {\n block: { type: \"text\", text: `\\n\\n[${lk.label} →](${markdownUrl})` },\n _meta: {\n \"agent-native/openLink\": {\n label: lk.label,\n view: lk.view,\n webUrl,\n desktopUrl,\n },\n },\n };\n } catch {\n return {};\n }\n}\n\n/**\n * Merge the generic cross-app builtin tools into the config's action\n * registry. **Template actions take precedence**: if a template defines an\n * action with the same name as a builtin (e.g. its own `list_apps`), the\n * template entry wins and the builtin is dropped. This mirrors the\n * template-over-workspace-core precedence in `autoDiscoverActions`.\n *\n * The builtins are pure-ish navigators / scaffolders; they call back into the\n * same `config.actions` / `config.askAgent` so there is no second agent loop.\n */\nfunction mergeBuiltinTools(\n config: MCPConfig,\n baseActions: Record<string, ActionEntry>,\n requestMeta?: MCPRequestMeta,\n): Record<string, ActionEntry> {\n if (config.builtinCrossAppTools === false) return baseActions;\n const builtins = getBuiltinCrossAppTools(config, requestMeta);\n const merged: Record<string, ActionEntry> = { ...builtins };\n // Template / app actions overwrite same-named builtins.\n for (const [name, entry] of Object.entries(baseActions)) {\n merged[name] = entry;\n }\n return merged;\n}\n\nfunction safeUiSegment(value: string | undefined, fallback: string): string {\n const normalized = (value || fallback)\n .trim()\n .toLowerCase()\n .replace(/[^a-z0-9._-]+/g, \"-\")\n .replace(/^-+|-+$/g, \"\");\n return normalized || fallback;\n}\n\n// ChatGPT and Claude cache MCP App resource HTML by `ui://` URI. Bump this\n// when the shared shell changes in a way that must invalidate host caches.\nconst MCP_APP_RESOURCE_SHELL_VERSION = \"shell-v25\";\n\nfunction legacyDefaultMcpAppUri(config: MCPConfig, actionName: string): string {\n const app = safeUiSegment(config.appId ?? config.name, \"agent-native\");\n const action = safeUiSegment(actionName, \"tool\");\n return `ui://${app}/${action}`;\n}\n\nfunction versionMcpAppResourceUri(\n rawUri: string,\n): { uri: string; legacyUris?: string[] } | null {\n const uri = rawUri.trim();\n if (!uri.startsWith(\"ui://\")) return null;\n const versionSuffix = `/${MCP_APP_RESOURCE_SHELL_VERSION}`;\n let versionedUri: string;\n try {\n const parsed = new URL(uri);\n const path = parsed.pathname.replace(/\\/+$/g, \"\");\n parsed.pathname = /\\/shell-v\\d+$/.test(path)\n ? path.replace(/\\/shell-v\\d+$/, versionSuffix)\n : `${path}${versionSuffix}`;\n versionedUri = parsed.toString();\n } catch {\n return null;\n }\n return {\n uri: versionedUri,\n ...(versionedUri !== uri ? { legacyUris: [uri] } : {}),\n };\n}\n\nfunction expandRequestOriginSources(\n sources: string[] | undefined,\n requestMeta?: MCPRequestMeta,\n): string[] | undefined {\n if (!sources) return undefined;\n const origin = requestMeta?.origin;\n return sources.flatMap((source) =>\n source === MCP_APP_REQUEST_ORIGIN_CSP_SOURCE && origin\n ? [origin]\n : [source],\n );\n}\n\nfunction openAiWidgetCsp(\n cspConfig: ActionMcpAppCsp | undefined,\n requestMeta?: MCPRequestMeta,\n): Record<string, string[]> | undefined {\n if (!cspConfig) return undefined;\n const csp: Record<string, string[]> = {};\n const connectDomains = expandRequestOriginSources(\n cspConfig.connectDomains,\n requestMeta,\n );\n const resourceDomains = expandRequestOriginSources(\n cspConfig.resourceDomains,\n requestMeta,\n );\n const frameDomains = expandRequestOriginSources(\n cspConfig.frameDomains,\n requestMeta,\n );\n if (connectDomains?.length) csp.connect_domains = connectDomains;\n if (resourceDomains?.length) csp.resource_domains = resourceDomains;\n if (frameDomains?.length) csp.frame_domains = frameDomains;\n return Object.keys(csp).length > 0 ? csp : undefined;\n}\n\nfunction mcpAppUiMeta(\n resource: ActionMcpAppResourceConfig,\n resolvedCsp: ActionMcpAppCsp | undefined,\n requestMeta?: MCPRequestMeta,\n description?: string,\n): Record<string, unknown> | undefined {\n const base =\n resource._meta && typeof resource._meta === \"object\"\n ? { ...resource._meta }\n : {};\n const existingUi =\n base.ui && typeof base.ui === \"object\" && !Array.isArray(base.ui)\n ? (base.ui as Record<string, unknown>)\n : {};\n const ui: Record<string, unknown> = { ...existingUi };\n if (resolvedCsp) {\n ui.csp = {\n ...resolvedCsp,\n connectDomains: expandRequestOriginSources(\n resolvedCsp.connectDomains,\n requestMeta,\n ),\n resourceDomains: expandRequestOriginSources(\n resolvedCsp.resourceDomains,\n requestMeta,\n ),\n frameDomains: expandRequestOriginSources(\n resolvedCsp.frameDomains,\n requestMeta,\n ),\n baseUriDomains: expandRequestOriginSources(\n resolvedCsp.baseUriDomains,\n requestMeta,\n ),\n };\n }\n if (resource.permissions) ui.permissions = resource.permissions;\n if (resource.domain) ui.domain = resource.domain;\n if (typeof resource.prefersBorder === \"boolean\") {\n ui.prefersBorder = resource.prefersBorder;\n }\n if (Object.keys(ui).length > 0) base.ui = ui;\n if (description && base[\"openai/widgetDescription\"] == null) {\n base[\"openai/widgetDescription\"] = description;\n }\n if (\n typeof resource.prefersBorder === \"boolean\" &&\n base[\"openai/widgetPrefersBorder\"] == null\n ) {\n base[\"openai/widgetPrefersBorder\"] = resource.prefersBorder;\n }\n const openAiCsp = openAiWidgetCsp(resolvedCsp, requestMeta);\n if (openAiCsp && base[\"openai/widgetCSP\"] == null) {\n base[\"openai/widgetCSP\"] = openAiCsp;\n }\n return Object.keys(base).length > 0 ? base : undefined;\n}\n\nasync function resolveMcpAppCsp(\n resource: ActionMcpAppResourceConfig,\n ctx: McpAppResourceContext,\n): Promise<ActionMcpAppCsp | undefined> {\n if (!resource.csp) return undefined;\n return typeof resource.csp === \"function\"\n ? await resource.csp(ctx)\n : resource.csp;\n}\n\nasync function resolveMcpAppResource(\n config: MCPConfig,\n actionName: string,\n entry: ActionEntry,\n requestMeta?: MCPRequestMeta,\n): Promise<ResolvedMcpAppResource | null> {\n const resource = entry.mcpApp?.resource;\n if (!resource) return null;\n const baseUri =\n resource.uri?.trim() || legacyDefaultMcpAppUri(config, actionName);\n const resolvedUri = versionMcpAppResourceUri(baseUri);\n if (!resolvedUri) return null;\n const description = resource.description ?? entry.tool.description;\n const resolvedCsp = await resolveMcpAppCsp(resource, {\n actionName,\n appId: config.appId,\n requestOrigin: requestMeta?.origin,\n });\n const resourceMeta = mcpAppUiMeta(\n resource,\n resolvedCsp,\n requestMeta,\n description,\n );\n return {\n uri: resolvedUri.uri,\n ...(resolvedUri.legacyUris ? { legacyUris: resolvedUri.legacyUris } : {}),\n name: resource.name?.trim() || actionName,\n ...(resource.title ? { title: resource.title } : {}),\n ...(description ? { description } : {}),\n html: resource.html,\n mimeType: resource.mimeType ?? MCP_APP_MIME_TYPE,\n ...(resourceMeta ? { _meta: resourceMeta } : {}),\n };\n}\n\nasync function getMcpAppResources(\n config: MCPConfig,\n actions: Record<string, ActionEntry>,\n requestMeta?: MCPRequestMeta,\n): Promise<ResolvedMcpAppResource[]> {\n const resources = await Promise.all(\n Object.entries(actions).map(([name, entry]) =>\n resolveMcpAppResource(config, name, entry, requestMeta),\n ),\n );\n return resources.filter((resource): resource is ResolvedMcpAppResource =>\n Boolean(resource),\n );\n}\n\nfunction renderMcpAppHtml(\n resource: ResolvedMcpAppResource,\n actionName: string,\n config: MCPConfig,\n requestMeta?: MCPRequestMeta,\n): string {\n if (typeof resource.html === \"function\") {\n return resource.html({\n actionName,\n appId: config.appId,\n requestOrigin: requestMeta?.origin,\n });\n }\n return resource.html;\n}\n\nfunction openAiToolDescriptorMeta(\n resource: ResolvedMcpAppResource,\n): Record<string, unknown> {\n const label = resource.title ?? resource.name;\n const widgetCsp = metadataObject(resource._meta?.[\"openai/widgetCSP\"]);\n return {\n \"openai/outputTemplate\": resource.uri,\n \"openai/toolInvocation/invoking\": `Opening ${label}`,\n \"openai/toolInvocation/invoked\": `${label} ready`,\n \"openai/widgetAccessible\": true,\n ...(Object.keys(widgetCsp).length > 0\n ? { \"openai/widgetCSP\": widgetCsp }\n : {}),\n };\n}\n\nfunction openAiToolResultMeta(\n resource: ResolvedMcpAppResource,\n): Record<string, unknown> {\n const label = resource.title ?? resource.name;\n const widgetCsp = metadataObject(resource._meta?.[\"openai/widgetCSP\"]);\n return {\n \"openai/outputTemplate\": resource.uri,\n \"openai/toolInvocation/invoking\": `Opening ${label}`,\n \"openai/toolInvocation/invoked\": `${label} ready`,\n \"openai/widgetAccessible\": true,\n ...(Object.keys(widgetCsp).length > 0\n ? { \"openai/widgetCSP\": widgetCsp }\n : {}),\n };\n}\n\nfunction mcpAppToolUiMeta(\n resource: ResolvedMcpAppResource,\n visibility: unknown,\n): Record<string, unknown> {\n return {\n resourceUri: resource.uri,\n visibility: Array.isArray(visibility) ? visibility : [\"model\", \"app\"],\n };\n}\n\nfunction primitiveValue(value: unknown): value is string | number | boolean {\n return (\n typeof value === \"string\" ||\n typeof value === \"number\" ||\n typeof value === \"boolean\"\n );\n}\n\nfunction mcpAppStructuredContent(\n result: unknown,\n meta: Record<string, unknown> | undefined,\n): Record<string, unknown> {\n const out: Record<string, unknown> =\n result && typeof result === \"object\" && !Array.isArray(result)\n ? { ...(result as Record<string, unknown>) }\n : primitiveValue(result)\n ? { result }\n : {};\n const openLink = meta?.[\"agent-native/openLink\"];\n if (openLink && typeof openLink === \"object\" && !Array.isArray(openLink)) {\n out.openLink = openLink;\n const webUrl = (openLink as Record<string, unknown>).webUrl;\n if (typeof webUrl === \"string\" && !out.url) out.url = webUrl;\n }\n return Object.keys(out).length > 0 ? out : { status: \"ok\" };\n}\n\nfunction truncateToolText(value: string, max = 2000): string {\n if (value.length <= max) return value;\n return `${value.slice(0, max - 1)}…`;\n}\n\nfunction conciseMcpAppToolText(\n name: string,\n result: unknown,\n structuredContent: Record<string, unknown>,\n): string {\n if (typeof result === \"string\") return truncateToolText(result);\n const message = structuredContent.message;\n if (typeof message === \"string\" && message.trim()) {\n return truncateToolText(message.trim());\n }\n const title = structuredContent.title ?? structuredContent.name;\n if (typeof title === \"string\" && title.trim()) {\n return `${title.trim()} is ready.`;\n }\n const id = structuredContent.id;\n if (typeof id === \"string\" && id.trim()) {\n return `${name} completed for ${id.trim()}.`;\n }\n return `${name} completed.`;\n}\n\n// ---------------------------------------------------------------------------\n// MCP Server creation — converts ActionEntry registry to MCP tools\n// ---------------------------------------------------------------------------\n\n/**\n * Build a fully-wired MCP `Server` for a single request / session.\n *\n * Shared by the stateless Streamable-HTTP mount (`mountMCP`) and the stdio\n * standalone transport. The HTTP mount passes the per-request origin via\n * `requestMeta`; the stdio standalone path passes the resolved local app\n * origin so deep links still become absolute URLs.\n */\nexport async function createMCPServerForRequest(\n config: MCPConfig,\n identity: MCPCallerIdentity | undefined,\n requestMeta?: MCPRequestMeta,\n) {\n const { Server } = await import(\"@modelcontextprotocol/sdk/server/index.js\");\n const {\n ListToolsRequestSchema,\n CallToolRequestSchema,\n ListResourcesRequestSchema,\n ReadResourceRequestSchema,\n ListResourceTemplatesRequestSchema,\n } = await import(\"@modelcontextprotocol/sdk/types.js\");\n\n // Resolve the effective caller identity. JWT / header-derived identity\n // (passed by `mountMCP` via `verifyAuth`) wins. When the caller passed no\n // identity — the stdio **standalone** path — fall back to the\n // `AGENT_NATIVE_OWNER_EMAIL` env the `agent-native mcp install` flow writes\n // into the `agent-native mcp serve` process env, so standalone tool runs are\n // tenant-scoped to the configured owner instead of running unscoped. Stays\n // undefined for true dev-open (no token, no secret, no owner) — behavior\n // there is unchanged.\n const ownerFromEnv = process.env.AGENT_NATIVE_OWNER_EMAIL?.trim();\n const effectiveIdentity: MCPCallerIdentity | undefined =\n identity ??\n (ownerFromEnv\n ? { userEmail: ownerFromEnv, orgDomain: undefined }\n : undefined);\n\n // The action set the request handlers operate on = base actions + generic\n // cross-app builtins (template wins on name collision). An authenticated\n // real caller (connect-minted token / `mcp install` owner / production —\n // `requestMeta.fullSurface`, or the stdio standalone path identified by\n // `AGENT_NATIVE_OWNER_EMAIL`) gets the full `productionActions` surface\n // even in local dev; the unauthenticated dev-open path keeps the sparse\n // `config.actions`. See `external-agents` skill, \"Dev vs production tool\n // surface\".\n const useFullSurface = requestMeta?.fullSurface === true || !!ownerFromEnv;\n const baseActions =\n useFullSurface && config.productionActions\n ? config.productionActions\n : config.actions;\n const actions = mergeBuiltinTools(config, baseActions, requestMeta);\n const visibleActions = Object.fromEntries(\n Object.entries(actions).filter(([, entry]) =>\n isActionVisibleForOAuthScope(entry, effectiveIdentity?.oauthScopes),\n ),\n );\n const compactMcpAppCatalog =\n (Array.isArray(effectiveIdentity?.oauthScopes) &&\n hasMcpOAuthScope(effectiveIdentity.oauthScopes, \"mcp:apps\")) ||\n (await isKnownMcpAppOAuthClient(effectiveIdentity));\n const advertisedActions = compactMcpAppCatalog\n ? Object.fromEntries(\n Object.entries(visibleActions).filter(([name, entry]) =>\n isActionAdvertisedInCompactMcpAppCatalog(config, name, entry),\n ),\n )\n : visibleActions;\n const supportsMcpApps =\n compactMcpAppCatalog &&\n Object.values(advertisedActions).some((entry) =>\n Boolean(entry.mcpApp?.resource),\n );\n const server = new Server(\n { name: config.name, version: config.version ?? \"1.0.0\" },\n {\n capabilities: {\n tools: {},\n ...(supportsMcpApps\n ? {\n resources: {},\n extensions: {\n [MCP_APP_EXTENSION_ID]: {\n mimeTypes: [MCP_APP_MIME_TYPE],\n },\n },\n }\n : {}),\n },\n },\n );\n\n // Resolve orgId once per request (DB lookup) so subsequent wraps are\n // synchronous. The caller identity may be undefined for true dev-open —\n // in that case we run with no userEmail/orgId, which makes downstream\n // tools that require per-user scope return empty results rather than\n // cross-tenant data (the safe default).\n const orgIdPromise = resolveOrgIdFromDomain(effectiveIdentity?.orgDomain);\n\n /**\n * Wrap a callback in\n * `runWithRequestContext({ userEmail, orgId, requestOrigin }, fn)`.\n * Both the tools/list and tools/call handlers go through this so\n * downstream `accessFilter`, `resolveCredential`, and per-user MCP\n * visibility checks see the verified caller's identity. `requestOrigin`\n * is the live server origin derived from the inbound request (same value\n * used to absolutize deep links) so actions that build fetchable URLs\n * (e.g. design `export-coding-handoff`'s signed raw-code URL) resolve the\n * correct local-workspace origin instead of a prod/localhost fallback.\n */\n async function withCallerContext<T>(fn: () => Promise<T>): Promise<T> {\n const orgId = await orgIdPromise;\n return runWithRequestContext(\n {\n userEmail: effectiveIdentity?.userEmail,\n orgId,\n ...(requestMeta?.origin ? { requestOrigin: requestMeta.origin } : {}),\n },\n fn,\n ) as Promise<T>;\n }\n\n // tools/list — return all actions + ask-agent meta-tool. Wrapped in the\n // request context so per-user MCP visibility (mcp-client/visibility.ts)\n // applies to the listing too.\n server.setRequestHandler(ListToolsRequestSchema, async () => {\n return withCallerContext(async () => {\n const tools = await Promise.all(\n Object.entries(advertisedActions).map(async ([name, entry]) => {\n const hasLink = typeof entry.link === \"function\";\n const mcpAppResource = await resolveMcpAppResource(\n config,\n name,\n entry,\n requestMeta,\n );\n const rawToolMeta =\n (entry.tool as any)._meta &&\n typeof (entry.tool as any)._meta === \"object\" &&\n !Array.isArray((entry.tool as any)._meta)\n ? { ...((entry.tool as any)._meta as Record<string, unknown>) }\n : {};\n const toolMeta = {\n ...rawToolMeta,\n ...(mcpAppResource\n ? {\n ...openAiToolDescriptorMeta(mcpAppResource),\n [MCP_APP_RESOURCE_URI_META_KEY]: mcpAppResource.uri,\n ui: mcpAppToolUiMeta(\n mcpAppResource,\n entry.mcpApp?.visibility ??\n metadataObject(rawToolMeta.ui).visibility,\n ),\n }\n : {}),\n };\n const baseDescription = entry.tool.description ?? name;\n const annotations: Record<string, unknown> = {\n readOnlyHint: entry.readOnly === true,\n destructiveHint: entry.publicAgent?.isConsequential === true,\n openWorldHint: false,\n };\n if (hasLink) annotations[\"agent-native/producesOpenLink\"] = true;\n return {\n name,\n description: hasLink\n ? `${baseDescription} After calling, surface the returned \"Open in … →\" link to the user.`\n : baseDescription,\n inputSchema: entry.tool.parameters ?? {\n type: \"object\" as const,\n properties: {},\n },\n ...(Object.keys(toolMeta).length > 0 ? { _meta: toolMeta } : {}),\n annotations,\n };\n }),\n );\n\n if (\n !compactMcpAppCatalog &&\n config.askAgent &&\n hasMcpOAuthScope(effectiveIdentity?.oauthScopes, \"mcp:write\")\n ) {\n tools.push({\n name: \"ask-agent\",\n description:\n \"Send a natural-language message to the app's AI agent and get a response. \" +\n \"Use this for complex, multi-step tasks that require the agent's reasoning \" +\n \"and full context about the app.\",\n inputSchema: {\n type: \"object\" as const,\n properties: {\n message: {\n type: \"string\",\n description: \"The message to send to the agent\",\n },\n },\n required: [\"message\"],\n },\n annotations: {\n readOnlyHint: false,\n destructiveHint: false,\n openWorldHint: false,\n },\n });\n }\n\n return { tools };\n });\n });\n\n // tools/call — dispatch to action registry or ask-agent. Wrapped in the\n // request context so the action's `run(args)` and `askAgent()` execute\n // with the verified caller's identity, not the platform default.\n server.setRequestHandler(CallToolRequestSchema, async (request: any) => {\n return withCallerContext(async () => {\n const { name, arguments: args } = request.params;\n\n if (name === \"ask-agent\" && config.askAgent) {\n if (compactMcpAppCatalog) {\n return {\n content: [{ type: \"text\", text: `Unknown tool: ${name}` }],\n isError: true,\n };\n }\n if (!hasMcpOAuthScope(effectiveIdentity?.oauthScopes, \"mcp:write\")) {\n return {\n content: [\n {\n type: \"text\",\n text: \"Forbidden: OAuth scope does not allow ask-agent\",\n },\n ],\n isError: true,\n };\n }\n const message = args?.message ?? \"\";\n try {\n const result = await config.askAgent(message);\n return { content: [{ type: \"text\", text: result }] };\n } catch (err: any) {\n return {\n content: [{ type: \"text\", text: `Error: ${err.message}` }],\n isError: true,\n };\n }\n }\n\n const callableActions = compactMcpAppCatalog\n ? advertisedActions\n : actions;\n const entry = callableActions[name];\n if (!entry) {\n return {\n content: [{ type: \"text\", text: `Unknown tool: ${name}` }],\n isError: true,\n };\n }\n if (\n !isActionVisibleForOAuthScope(entry, effectiveIdentity?.oauthScopes)\n ) {\n return {\n content: [\n {\n type: \"text\",\n text: `Forbidden: OAuth scope does not allow tool ${name}`,\n },\n ],\n isError: true,\n };\n }\n\n try {\n const result = await entry.run((args as Record<string, string>) ?? {});\n const rawResult = isMcpActionResult(result) ? result.raw : result;\n const resultForClient = isMcpActionResult(result)\n ? result.text\n : result;\n const mcpAppResource = await resolveMcpAppResource(\n config,\n name,\n entry,\n requestMeta,\n );\n const { block, _meta } = buildLinkArtifacts(\n entry,\n (args as Record<string, any>) ?? {},\n rawResult,\n requestMeta,\n );\n const responseMeta: Record<string, unknown> = {\n ...(_meta ?? {}),\n ...(mcpAppResource\n ? mcpAppEmbedOpenLinkMeta(rawResult, mcpAppResource, requestMeta)\n : {}),\n ...(mcpAppResource ? openAiToolResultMeta(mcpAppResource) : {}),\n };\n const structuredContent = mcpAppResource\n ? mcpAppStructuredContent(rawResult, responseMeta)\n : undefined;\n const text = mcpAppResource\n ? conciseMcpAppToolText(name, resultForClient, structuredContent!)\n : typeof resultForClient === \"string\"\n ? resultForClient\n : JSON.stringify(resultForClient);\n const content: any[] = [{ type: \"text\", text }];\n if (block) content.push(block);\n return {\n content,\n ...(structuredContent ? { structuredContent } : {}),\n ...(Object.keys(responseMeta).length > 0\n ? { _meta: responseMeta }\n : {}),\n };\n } catch (err: any) {\n return {\n content: [{ type: \"text\", text: `Error: ${err.message}` }],\n isError: true,\n };\n }\n });\n });\n\n if (supportsMcpApps) {\n server.setRequestHandler(ListResourcesRequestSchema, async () => {\n return withCallerContext(async () => {\n const mcpAppResources = await getMcpAppResources(\n config,\n advertisedActions,\n requestMeta,\n );\n return {\n resources: mcpAppResources.map((resource) => ({\n uri: resource.uri,\n name: resource.name,\n ...(resource.title ? { title: resource.title } : {}),\n ...(resource.description\n ? { description: resource.description }\n : {}),\n mimeType: resource.mimeType,\n ...(resource._meta ? { _meta: resource._meta } : {}),\n })),\n };\n });\n });\n\n server.setRequestHandler(ListResourceTemplatesRequestSchema, async () => {\n return withCallerContext(async () => {\n const mcpAppResources = await getMcpAppResources(\n config,\n advertisedActions,\n requestMeta,\n );\n return {\n resourceTemplates: mcpAppResources.map((resource) => ({\n uriTemplate: resource.uri,\n name: resource.name,\n ...(resource.title ? { title: resource.title } : {}),\n ...(resource.description\n ? { description: resource.description }\n : {}),\n mimeType: resource.mimeType,\n ...(resource._meta ? { _meta: resource._meta } : {}),\n })),\n };\n });\n });\n\n server.setRequestHandler(\n ReadResourceRequestSchema,\n async (request: any) => {\n return withCallerContext(async () => {\n const uri = request.params?.uri;\n const candidates = await Promise.all(\n Object.entries(advertisedActions).map(async ([name, entry]) => ({\n actionName: name,\n resource: await resolveMcpAppResource(\n config,\n name,\n entry,\n requestMeta,\n ),\n })),\n );\n const found = candidates.find(\n (candidate) =>\n candidate.resource?.uri === uri ||\n candidate.resource?.legacyUris?.includes(uri),\n );\n if (!found?.resource) {\n throw new Error(`MCP App resource not found: ${uri}`);\n }\n return {\n contents: [\n {\n uri,\n mimeType: found.resource.mimeType,\n text: renderMcpAppHtml(\n found.resource,\n found.actionName,\n config,\n requestMeta,\n ),\n ...(found.resource._meta\n ? { _meta: found.resource._meta }\n : {}),\n },\n ],\n };\n });\n },\n );\n }\n\n return server;\n}\n\n// ---------------------------------------------------------------------------\n// Auth — reuses the same pattern as A2A (Bearer token or JWT). Shared so the\n// HTTP mount and any stdio-side auth-aware helper resolve identity identically.\n// ---------------------------------------------------------------------------\n\nexport function getAccessTokens(): string[] {\n const single = process.env.ACCESS_TOKEN;\n const multi = process.env.ACCESS_TOKENS;\n const tokens: string[] = [];\n if (single) tokens.push(single);\n if (multi) {\n tokens.push(\n ...multi\n .split(\",\")\n .map((t) => t.trim())\n .filter(Boolean),\n );\n }\n return tokens;\n}\n\n/**\n * Resolve the caller identity for a static-token (or dev-open) auth path.\n *\n * Static `ACCESS_TOKEN` / `ACCESS_TOKENS` auth carries no per-caller claims,\n * so without this the MCP endpoint would run every tool with\n * `userEmail === undefined` and per-user / per-org scoped actions\n * (`accessFilter`, `resolveAccess`, `resolveCredential`) would return\n * empty / wrong data. The `agent-native mcp install` flow writes\n * `AGENT_NATIVE_OWNER_EMAIL` into the client config env and the stdio proxy\n * forwards it as the `X-Agent-Native-Owner-Email` request header (see\n * `mcp/stdio.ts#authHeaders`). We trust that owner hint *only* on the\n * static-token path — JWT auth already carries a cryptographically verified\n * `sub`, so the header is ignored there and never widens JWT scope.\n *\n * Precedence is server-trusted-first: the server process's\n * `AGENT_NATIVE_OWNER_EMAIL` env (set out-of-band by the operator / deploy)\n * ALWAYS wins, and a client-supplied `X-Agent-Native-Owner-Email` header is\n * honored *only as a fallback when that env is unset*. A static `ACCESS_TOKEN`\n * is a shared bearer secret; letting a request header override a\n * server-configured owner would let anyone holding a leaked token act as any\n * user. The header path remains for the single-tenant local-dev install flow\n * where the app server process has no owner env and the token *is* the\n * workspace secret; multi-tenant deployments must use A2A JWT (verified `sub`),\n * not a static token, for per-user scope.\n *\n * Returns `undefined` when no owner email is available (true dev-open: no\n * token, no secret, no owner) so behavior there stays unchanged.\n */\nfunction deriveStaticTokenIdentity(\n ownerEmailHeader: string | undefined,\n): MCPCallerIdentity | undefined {\n const owner =\n process.env.AGENT_NATIVE_OWNER_EMAIL?.trim() ||\n (typeof ownerEmailHeader === \"string\" && ownerEmailHeader.trim()) ||\n \"\";\n if (!owner) return undefined;\n return { userEmail: owner, orgDomain: undefined };\n}\n\nfunction addSecretCandidate(\n candidates: string[],\n secret: string | null | undefined,\n): void {\n const trimmed = secret?.trim();\n if (!trimmed || candidates.includes(trimmed)) return;\n candidates.push(trimmed);\n}\n\nasync function verifyA2AJwtForMcp(\n token: string,\n): Promise<Record<string, unknown> | null> {\n const jose = await import(\"jose\");\n let unverifiedPayload: Record<string, unknown> | null = null;\n try {\n unverifiedPayload = jose.decodeJwt(token) as Record<string, unknown>;\n } catch {\n return null;\n }\n\n const candidateSecrets: string[] = [];\n addSecretCandidate(candidateSecrets, process.env.A2A_SECRET);\n\n const orgDomain =\n typeof unverifiedPayload.org_domain === \"string\"\n ? unverifiedPayload.org_domain\n : undefined;\n if (orgDomain) {\n try {\n const { getA2ASecretByDomain } = await import(\"../org/context.js\");\n addSecretCandidate(\n candidateSecrets,\n await getA2ASecretByDomain(orgDomain),\n );\n } catch {\n // DB not ready or org lookup unavailable — fall back to other candidates.\n }\n }\n\n for (const secret of candidateSecrets) {\n try {\n const { payload } = await jose.jwtVerify(\n token,\n new TextEncoder().encode(secret),\n );\n return payload as Record<string, unknown>;\n } catch {\n // Try the next candidate without exposing which secret matched.\n }\n }\n\n return null;\n}\n\n/**\n * Verify the inbound auth header. Returns:\n * - { authed: true, identity } when verified — `identity` is derived from\n * the JWT (`sub` / `org_domain`) for JWT auth, or from the\n * `AGENT_NATIVE_OWNER_EMAIL` env / `X-Agent-Native-Owner-Email` header\n * for static-token auth (the `agent-native mcp install` flow). `identity`\n * is undefined only for true dev-open with no owner hint.\n * - { authed: false } on rejection.\n *\n * When A2A_SECRET is set we extract the JWT's `sub` (caller email) and\n * `org_domain` claims so the MCP endpoint can wrap tool runs in\n * `runWithRequestContext({ userEmail, orgId })`. Without that wrap, the\n * MCP endpoint loses tenant identity and downstream `accessFilter` /\n * `resolveCredential` calls fall back to platform-wide defaults.\n *\n * `ownerEmailHeader` is the forwarded `X-Agent-Native-Owner-Email` value; it\n * is consulted ONLY on the static-token / dev-open path (never to influence\n * verified JWT identity), so the install flow runs tools as the configured\n * owner instead of an unscoped anonymous caller.\n */\nexport async function verifyAuth(\n authHeader: string | undefined,\n ownerEmailHeader?: string | undefined,\n options: { allowDevOpen?: boolean; resourceUrl?: string } = {},\n): Promise<{\n authed: boolean;\n identity?: MCPCallerIdentity;\n /**\n * The caller presented a real credential — a verified A2A/connect JWT, a\n * matching ACCESS_TOKEN, or (on the no-auth-configured path) a forwarded\n * owner-email header from `agent-native mcp install`. Drives the full vs\n * sparse MCP tool surface in local dev. The pure unauthenticated dev-open\n * path (no secret, no token, no owner header) is `false`.\n */\n fullSurface?: boolean;\n}> {\n // No auth configured → allow only when the route caller has already\n // established that this is a loopback/local dev request. Still honour an\n // owner hint there so the local install/connect flow stays tenant-scoped.\n const accessTokens = getAccessTokens();\n const hasA2ASecret = !!process.env.A2A_SECRET;\n const token = authHeader?.startsWith(\"Bearer \")\n ? authHeader.slice(7)\n : undefined;\n if (token) {\n const oauthIdentity = await verifyMcpOAuthAccessToken(\n token,\n options.resourceUrl,\n );\n if (oauthIdentity) {\n return {\n authed: true,\n identity: {\n userEmail: oauthIdentity.userEmail,\n orgDomain: oauthIdentity.orgDomain,\n oauthScopes: oauthIdentity.scopes,\n oauthClientId: oauthIdentity.clientId,\n },\n fullSurface: true,\n };\n }\n }\n if (accessTokens.length === 0 && !hasA2ASecret && !token) {\n if (options.allowDevOpen === false) {\n return { authed: false };\n }\n return {\n authed: true,\n identity: deriveStaticTokenIdentity(ownerEmailHeader),\n // `mcp install`'s stdio proxy forwards an owner-email header even when\n // the local app has no secret configured — that is a real, identified\n // caller and gets the full surface. A bare browser/curl dev probe with\n // no owner hint stays on the sparse dev surface.\n fullSurface: !!(ownerEmailHeader && ownerEmailHeader.trim()),\n };\n }\n\n if (!token) return { authed: false };\n\n // Try an A2A JWT via the shared A2A_SECRET first, then the caller org's\n // synced A2A secret when the token carries org_domain.\n const payload = await verifyA2AJwtForMcp(token);\n if (payload) {\n const tokenScope =\n typeof payload.scope === \"string\" ? payload.scope : undefined;\n if (tokenScope && tokenScope !== MCP_CONNECT_SCOPE) {\n return { authed: false };\n }\n\n // Connect-minted tokens (scope === \"mcp-connect\") carry a random `jti`\n // and are individually revocable. Only these tokens hit the revoke\n // store — ordinary A2A delegation JWTs skip the DB lookup entirely so\n // the hot path is unchanged. The signature was already\n // cryptographically verified, so failing open here only widens the\n // explicit-revoke gate, never the trust boundary.\n if (tokenScope === MCP_CONNECT_SCOPE) {\n if (typeof payload.jti !== \"string\" || !payload.jti) {\n return { authed: false };\n }\n const jti = payload.jti;\n try {\n const { isJtiRevoked, touchTokenUsed } =\n await import(\"./connect-store.js\");\n if (await isJtiRevoked(jti)) {\n return { authed: false };\n }\n // Best-effort usage telemetry — never blocks / throws.\n void touchTokenUsed(jti);\n } catch {\n // Store import / lookup failed — fail open (see comment above).\n }\n }\n\n return {\n authed: true,\n identity: {\n userEmail: typeof payload.sub === \"string\" ? payload.sub : undefined,\n orgDomain:\n typeof payload.org_domain === \"string\"\n ? (payload.org_domain as string)\n : undefined,\n },\n // Verified JWT (connect-minted or A2A delegation) — a real caller.\n fullSurface: true,\n };\n }\n\n if (accessTokens.length === 0 && !hasA2ASecret) {\n if (options.allowDevOpen === false) {\n return { authed: false };\n }\n return {\n authed: true,\n identity: deriveStaticTokenIdentity(ownerEmailHeader),\n fullSurface: !!(ownerEmailHeader && ownerEmailHeader.trim()),\n };\n }\n\n // Try ACCESS_TOKEN / ACCESS_TOKENS exact match. Static tokens carry no\n // per-caller claims, so derive identity from the forwarded owner-email\n // hint (install flow) — otherwise tools would run unscoped.\n if (accessTokens.length > 0 && accessTokens.includes(token)) {\n return {\n authed: true,\n identity: deriveStaticTokenIdentity(ownerEmailHeader),\n // Matched a configured ACCESS_TOKEN — a real caller.\n fullSurface: true,\n };\n }\n\n return { authed: false };\n}\n\nexport async function resolveOrgIdFromDomain(\n orgDomain: string | undefined,\n): Promise<string | undefined> {\n if (!orgDomain) return undefined;\n try {\n const { resolveOrgByDomain } = await import(\"../org/context.js\");\n const org = await resolveOrgByDomain(orgDomain);\n return org?.orgId ?? undefined;\n } catch {\n return undefined;\n }\n}\n"]}
|
|
1
|
+
{"version":3,"file":"build-server.js","sourceRoot":"","sources":["../../src/mcp/build-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAChE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,6BAA6B,GAG9B,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,iCAAiC,EAAE,MAAM,gBAAgB,CAAC;AACnE,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC7E,OAAO,EACL,yBAAyB,EACzB,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,+BAA+B,EAAE,MAAM,yBAAyB,CAAC;AAC1E,OAAO,EAAE,uBAAuB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAEL,gBAAgB,EAChB,yBAAyB,GAC1B,MAAM,kBAAkB,CAAC;AAoF1B,SAAS,4BAA4B,CACnC,KAAkB,EAClB,MAA4B;IAE5B,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,QAAQ,GACZ,KAAK,CAAC,QAAQ,KAAK,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC;IACrD,OAAO,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,gCAAgC,GAAG,IAAI,GAAG,CAAC;IAC/C,WAAW;IACX,UAAU;IACV,sBAAsB;CACvB,CAAC,CAAC;AAEH,SAAS,gBAAgB,CAAC,MAAiB;IACzC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9C,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC/C,OAAO,EAAE,KAAK,UAAU,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,wCAAwC,CAC/C,MAAiB,EACjB,IAAY,EACZ,KAAkB;IAElB,IAAI,gCAAgC,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,IAAI,IAAI,KAAK,SAAS,IAAI,gBAAgB,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAChE,OAAO,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,uBAAuB,GAAG,wCAAwC,CAAC;AACzE,MAAM,uBAAuB,GAC3B,qEAAqE,CAAC;AACxE,MAAM,8BAA8B,GAClC,2DAA2D,CAAC;AAE9D,KAAK,UAAU,wBAAwB,CACrC,QAAuC;IAEvC,MAAM,QAAQ,GAAG,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACjD,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAE5B,SAAS,oBAAoB,CAAC,KAAgC;QAC5D,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,OAAO,CACL,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC;YACnC,CAAC,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,CACrC,CAAC;IACJ,CAAC;IAED,SAAS,uBAAuB,CAAC,KAAgC;QAC/D,OAAO,OAAO,CAAC,KAAK,IAAI,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED,SAAS,wBAAwB,CAAC,GAAW;QAC3C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YACzB,OAAO,CACL,GAAG,CAAC,QAAQ,KAAK,QAAQ;gBACzB,8BAA8B,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAClD,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,IAAI,oBAAoB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,uBAAuB,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAEpD,IAAI,CAAC;QACH,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC9C,2EAA2E;QAC3E,2EAA2E;QAC3E,yBAAyB;QACzB,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACzB,IAAI,oBAAoB,CAAC,MAAM,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QACzD,IAAI,uBAAuB,CAAC,MAAM,CAAC,UAAU,CAAC;YAAE,OAAO,KAAK,CAAC;QAC7D,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,wBAAwB,CAAC;YAAE,OAAO,IAAI,CAAC;QACpE,0EAA0E;QAC1E,0EAA0E;QAC1E,mCAAmC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,yEAAyE;QACzE,2EAA2E;QAC3E,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAwBD,SAAS,cAAc,CAAC,KAAc;IACpC,OAAO,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAChE,CAAC,CAAE,KAAiC;QACpC,CAAC,CAAC,EAAE,CAAC;AACT,CAAC;AAED,SAAS,sBAAsB,CAAC,SAAiB;IAC/C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,6BAA6B,CAAC;QAC3C,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;YACnC,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC;YAC1B,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QACvB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;QAC3D,OAAO,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;YAC9B,CAAC,CAAC,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE;YAC3C,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAC9B,MAAe,EACf,QAAgC,EAChC,IAAgC;IAEhC,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACnC,MAAM,aAAa,GACjB,OAAO,GAAG,CAAC,aAAa,KAAK,QAAQ;QACnC,CAAC,CAAC,GAAG,CAAC,aAAa;QACnB,CAAC,CAAC,GAAG,CAAC,KAAK,KAAK,IAAI;YAChB,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ;YAC3B,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,4BAA4B,CAAC;YAChD,CAAC,CAAC,GAAG,CAAC,GAAG;YACT,CAAC,CAAC,IAAI,CAAC;IACb,IAAI,CAAC,aAAa;QAAE,OAAO,EAAE,CAAC;IAE9B,MAAM,MAAM,GAAG,iBAAiB,CAC9B,sBAAsB,CAAC,aAAa,CAAC,EACrC,IAAI,EAAE,MAAM,CACb,CAAC;IACF,MAAM,WAAW,GACf,OAAO,GAAG,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/D,MAAM,aAAa,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,IAAI,IAAI,KAAK,CAAC;IAC/D,MAAM,KAAK,GACT,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE;QAC3C,CAAC,CAAC,QAAQ,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE;QAC1B,CAAC,CAAC,aAAa,CAAC;IACpB,MAAM,IAAI,GACR,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;QAC7C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;QACjB,CAAC,CAAC,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;YAC/C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;YACjB,CAAC,CAAC,SAAS,CAAC;IAElB,OAAO;QACL,uBAAuB,EAAE;YACvB,KAAK;YACL,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACzB,MAAM;YACN,UAAU,EAAE,WAAW;gBACrB,CAAC,CAAC,iBAAiB,CAAC,WAAW,EAAE,IAAI,EAAE,MAAM,CAAC;gBAC9C,CAAC,CAAC,MAAM;SACX;KACF,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,KAAkB,EAClB,IAAyB,EACzB,MAAW,EACX,IAAgC;IAKhC,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,UAAU;QAAE,OAAO,EAAE,CAAC;IAChD,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QACpD,IAAI,CAAC,EAAE,EAAE,GAAG;YAAE,OAAO,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,yBAAyB,CAAC,EAAE,CAAC,GAAG,CAAC;YAC/C,CAAC,CAAC,8BAA8B,CAAC,EAAE,CAAC,GAAG,CAAC;YACxC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC;QACX,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAG,IAAI,EAAE,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC;QACrE,OAAO;YACL,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,KAAK,OAAO,WAAW,GAAG,EAAE;YACpE,KAAK,EAAE;gBACL,uBAAuB,EAAE;oBACvB,KAAK,EAAE,EAAE,CAAC,KAAK;oBACf,IAAI,EAAE,EAAE,CAAC,IAAI;oBACb,MAAM;oBACN,UAAU;iBACX;aACF;SACF,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,iBAAiB,CACxB,MAAiB,EACjB,WAAwC,EACxC,WAA4B;IAE5B,IAAI,MAAM,CAAC,oBAAoB,KAAK,KAAK;QAAE,OAAO,WAAW,CAAC;IAC9D,MAAM,QAAQ,GAAG,uBAAuB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAC9D,MAAM,MAAM,GAAgC,EAAE,GAAG,QAAQ,EAAE,CAAC;IAC5D,wDAAwD;IACxD,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QACxD,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;IACvB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,aAAa,CAAC,KAAyB,EAAE,QAAgB;IAChE,MAAM,UAAU,GAAG,CAAC,KAAK,IAAI,QAAQ,CAAC;SACnC,IAAI,EAAE;SACN,WAAW,EAAE;SACb,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC;SAC9B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC3B,OAAO,UAAU,IAAI,QAAQ,CAAC;AAChC,CAAC;AAED,2EAA2E;AAC3E,2EAA2E;AAC3E,MAAM,8BAA8B,GAAG,WAAW,CAAC;AAEnD,SAAS,sBAAsB,CAAC,MAAiB,EAAE,UAAkB;IACnE,MAAM,GAAG,GAAG,aAAa,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACvE,MAAM,MAAM,GAAG,aAAa,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACjD,OAAO,QAAQ,GAAG,IAAI,MAAM,EAAE,CAAC;AACjC,CAAC;AAED,SAAS,wBAAwB,CAC/B,MAAc;IAEd,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC1B,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,aAAa,GAAG,IAAI,8BAA8B,EAAE,CAAC;IAC3D,IAAI,YAAoB,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAClD,MAAM,CAAC,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC;YAC1C,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,aAAa,CAAC;YAC9C,CAAC,CAAC,GAAG,IAAI,GAAG,aAAa,EAAE,CAAC;QAC9B,YAAY,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO;QACL,GAAG,EAAE,YAAY;QACjB,GAAG,CAAC,YAAY,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACvD,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAC3B,MAAiB,EACjB,UAAkB,EAClB,KAAkB;IAElB,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC;IACxC,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,OAAO,GACX,QAAQ,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,sBAAsB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACrE,OAAO,wBAAwB,CAAC,OAAO,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,0BAA0B,CACjC,OAA6B,EAC7B,WAA4B;IAE5B,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,MAAM,MAAM,GAAG,WAAW,EAAE,MAAM,CAAC;IACnC,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE,CAChC,MAAM,KAAK,iCAAiC,IAAI,MAAM;QACpD,CAAC,CAAC,CAAC,MAAM,CAAC;QACV,CAAC,CAAC,CAAC,MAAM,CAAC,CACb,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CACtB,SAAsC,EACtC,WAA4B;IAE5B,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAC;IACjC,MAAM,GAAG,GAA6B,EAAE,CAAC;IACzC,MAAM,cAAc,GAAG,0BAA0B,CAC/C,SAAS,CAAC,cAAc,EACxB,WAAW,CACZ,CAAC;IACF,MAAM,eAAe,GAAG,0BAA0B,CAChD,SAAS,CAAC,eAAe,EACzB,WAAW,CACZ,CAAC;IACF,MAAM,YAAY,GAAG,0BAA0B,CAC7C,SAAS,CAAC,YAAY,EACtB,WAAW,CACZ,CAAC;IACF,IAAI,cAAc,EAAE,MAAM;QAAE,GAAG,CAAC,eAAe,GAAG,cAAc,CAAC;IACjE,IAAI,eAAe,EAAE,MAAM;QAAE,GAAG,CAAC,gBAAgB,GAAG,eAAe,CAAC;IACpE,IAAI,YAAY,EAAE,MAAM;QAAE,GAAG,CAAC,aAAa,GAAG,YAAY,CAAC;IAC3D,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;AACvD,CAAC;AAED,SAAS,YAAY,CACnB,QAAoC,EACpC,WAAwC,EACxC,WAA4B,EAC5B,WAAoB;IAEpB,MAAM,IAAI,GACR,QAAQ,CAAC,KAAK,IAAI,OAAO,QAAQ,CAAC,KAAK,KAAK,QAAQ;QAClD,CAAC,CAAC,EAAE,GAAG,QAAQ,CAAC,KAAK,EAAE;QACvB,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,UAAU,GACd,IAAI,CAAC,EAAE,IAAI,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/D,CAAC,CAAE,IAAI,CAAC,EAA8B;QACtC,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,EAAE,GAA4B,EAAE,GAAG,UAAU,EAAE,CAAC;IACtD,IAAI,WAAW,EAAE,CAAC;QAChB,EAAE,CAAC,GAAG,GAAG;YACP,GAAG,WAAW;YACd,cAAc,EAAE,0BAA0B,CACxC,WAAW,CAAC,cAAc,EAC1B,WAAW,CACZ;YACD,eAAe,EAAE,0BAA0B,CACzC,WAAW,CAAC,eAAe,EAC3B,WAAW,CACZ;YACD,YAAY,EAAE,0BAA0B,CACtC,WAAW,CAAC,YAAY,EACxB,WAAW,CACZ;YACD,cAAc,EAAE,0BAA0B,CACxC,WAAW,CAAC,cAAc,EAC1B,WAAW,CACZ;SACF,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,WAAW;QAAE,EAAE,CAAC,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;IAChE,IAAI,QAAQ,CAAC,MAAM;QAAE,EAAE,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;IACjD,IAAI,OAAO,QAAQ,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QAChD,EAAE,CAAC,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC;IAC5C,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;IAC7C,IAAI,WAAW,IAAI,IAAI,CAAC,0BAA0B,CAAC,IAAI,IAAI,EAAE,CAAC;QAC5D,IAAI,CAAC,0BAA0B,CAAC,GAAG,WAAW,CAAC;IACjD,CAAC;IACD,IACE,OAAO,QAAQ,CAAC,aAAa,KAAK,SAAS;QAC3C,IAAI,CAAC,4BAA4B,CAAC,IAAI,IAAI,EAC1C,CAAC;QACD,IAAI,CAAC,4BAA4B,CAAC,GAAG,QAAQ,CAAC,aAAa,CAAC;IAC9D,CAAC;IACD,MAAM,SAAS,GAAG,eAAe,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IAC5D,IAAI,SAAS,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,IAAI,EAAE,CAAC;QAClD,IAAI,CAAC,kBAAkB,CAAC,GAAG,SAAS,CAAC;IACvC,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,QAAoC,EACpC,GAA0B;IAE1B,IAAI,CAAC,QAAQ,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IACpC,OAAO,OAAO,QAAQ,CAAC,GAAG,KAAK,UAAU;QACvC,CAAC,CAAC,MAAM,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;QACzB,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,MAAiB,EACjB,UAAkB,EAClB,KAAkB,EAClB,WAA4B;IAE5B,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC;IACxC,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,WAAW,GAAG,oBAAoB,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;IACpE,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,IAAI,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;IACnE,MAAM,WAAW,GAAG,MAAM,gBAAgB,CAAC,QAAQ,EAAE;QACnD,UAAU;QACV,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,aAAa,EAAE,WAAW,EAAE,MAAM;KACnC,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,YAAY,CAC/B,QAAQ,EACR,WAAW,EACX,WAAW,EACX,WAAW,CACZ,CAAC;IACF,OAAO;QACL,GAAG,EAAE,WAAW,CAAC,GAAG;QACpB,GAAG,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACzE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,UAAU;QACzC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACpD,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvC,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,iBAAiB;QAChD,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,2BAA2B,CACxC,MAAiB,EACjB,UAAkB,EAClB,KAAkB,EAClB,WAA4B;IAE5B,IAAI,CAAC;QACH,OAAO,MAAM,qBAAqB,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC;IAC7E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CACV,+CAA+C,UAAU,+CAA+C,EACxG,KAAK,CACN,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,MAAiB,EACjB,OAAoC,EACpC,WAA4B;IAE5B,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CACjC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAC5C,2BAA2B,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,CAAC,CAC9D,CACF,CAAC;IACF,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAsC,EAAE,CACvE,OAAO,CAAC,QAAQ,CAAC,CAClB,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CACvB,QAAgC,EAChC,UAAkB,EAClB,MAAiB,EACjB,WAA4B;IAE5B,IAAI,OAAO,QAAQ,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QACxC,OAAO,QAAQ,CAAC,IAAI,CAAC;YACnB,UAAU;YACV,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,aAAa,EAAE,WAAW,EAAE,MAAM;SACnC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,QAAQ,CAAC,IAAI,CAAC;AACvB,CAAC;AAED,SAAS,wBAAwB,CAC/B,QAAgC;IAEhC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,IAAI,CAAC;IAC9C,MAAM,SAAS,GAAG,cAAc,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACvE,OAAO;QACL,uBAAuB,EAAE,QAAQ,CAAC,GAAG;QACrC,gCAAgC,EAAE,WAAW,KAAK,EAAE;QACpD,+BAA+B,EAAE,GAAG,KAAK,QAAQ;QACjD,yBAAyB,EAAE,IAAI;QAC/B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC;YACnC,CAAC,CAAC,EAAE,kBAAkB,EAAE,SAAS,EAAE;YACnC,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAC3B,QAAgC;IAEhC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,IAAI,CAAC;IAC9C,MAAM,SAAS,GAAG,cAAc,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACvE,OAAO;QACL,uBAAuB,EAAE,QAAQ,CAAC,GAAG;QACrC,gCAAgC,EAAE,WAAW,KAAK,EAAE;QACpD,+BAA+B,EAAE,GAAG,KAAK,QAAQ;QACjD,yBAAyB,EAAE,IAAI;QAC/B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC;YACnC,CAAC,CAAC,EAAE,kBAAkB,EAAE,SAAS,EAAE;YACnC,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CACvB,QAAgC,EAChC,UAAmB;IAEnB,OAAO;QACL,WAAW,EAAE,QAAQ,CAAC,GAAG;QACzB,UAAU,EAAE,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC;KACtE,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ;QACzB,OAAO,KAAK,KAAK,QAAQ;QACzB,OAAO,KAAK,KAAK,SAAS,CAC3B,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAC9B,MAAe,EACf,IAAyC;IAEzC,MAAM,GAAG,GACP,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAC5D,CAAC,CAAC,EAAE,GAAI,MAAkC,EAAE;QAC5C,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC;YACtB,CAAC,CAAC,EAAE,MAAM,EAAE;YACZ,CAAC,CAAC,EAAE,CAAC;IACX,MAAM,QAAQ,GAAG,IAAI,EAAE,CAAC,uBAAuB,CAAC,CAAC;IACjD,IAAI,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzE,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACxB,MAAM,MAAM,GAAI,QAAoC,CAAC,MAAM,CAAC;QAC5D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,GAAG;YAAE,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC;IAC/D,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AAC9D,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa,EAAE,GAAG,GAAG,IAAI;IACjD,IAAI,KAAK,CAAC,MAAM,IAAI,GAAG;QAAE,OAAO,KAAK,CAAC;IACtC,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC;AACvC,CAAC;AAED,SAAS,qBAAqB,CAC5B,IAAY,EACZ,MAAe,EACf,iBAA0C;IAE1C,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC;IAC1C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QAClD,OAAO,gBAAgB,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,KAAK,GAAG,iBAAiB,CAAC,KAAK,IAAI,iBAAiB,CAAC,IAAI,CAAC;IAChE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;QAC9C,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,YAAY,CAAC;IACrC,CAAC;IACD,MAAM,EAAE,GAAG,iBAAiB,CAAC,EAAE,CAAC;IAChC,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC;QACxC,OAAO,GAAG,IAAI,kBAAkB,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC;IAC/C,CAAC;IACD,OAAO,GAAG,IAAI,aAAa,CAAC;AAC9B,CAAC;AAED,8EAA8E;AAC9E,mEAAmE;AACnE,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,MAAiB,EACjB,QAAuC,EACvC,WAA4B;IAE5B,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;IAC7E,MAAM,EACJ,sBAAsB,EACtB,qBAAqB,EACrB,0BAA0B,EAC1B,yBAAyB,EACzB,kCAAkC,GACnC,GAAG,MAAM,MAAM,CAAC,oCAAoC,CAAC,CAAC;IAEvD,uEAAuE;IACvE,0EAA0E;IAC1E,8DAA8D;IAC9D,4EAA4E;IAC5E,6EAA6E;IAC7E,2EAA2E;IAC3E,yEAAyE;IACzE,sBAAsB;IACtB,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,IAAI,EAAE,CAAC;IAClE,MAAM,iBAAiB,GACrB,QAAQ;QACR,CAAC,YAAY;YACX,CAAC,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE;YACnD,CAAC,CAAC,SAAS,CAAC,CAAC;IAEjB,0EAA0E;IAC1E,yEAAyE;IACzE,yEAAyE;IACzE,wEAAwE;IACxE,wEAAwE;IACxE,wEAAwE;IACxE,yEAAyE;IACzE,YAAY;IACZ,MAAM,cAAc,GAAG,WAAW,EAAE,WAAW,KAAK,IAAI,IAAI,CAAC,CAAC,YAAY,CAAC;IAC3E,MAAM,WAAW,GACf,cAAc,IAAI,MAAM,CAAC,iBAAiB;QACxC,CAAC,CAAC,MAAM,CAAC,iBAAiB;QAC1B,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;IACrB,MAAM,OAAO,GAAG,iBAAiB,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;IACpE,MAAM,cAAc,GAAG,MAAM,CAAC,WAAW,CACvC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAC3C,4BAA4B,CAAC,KAAK,EAAE,iBAAiB,EAAE,WAAW,CAAC,CACpE,CACF,CAAC;IACF,MAAM,oBAAoB,GACxB,CAAC,KAAK,CAAC,OAAO,CAAC,iBAAiB,EAAE,WAAW,CAAC;QAC5C,gBAAgB,CAAC,iBAAiB,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QAC9D,CAAC,MAAM,wBAAwB,CAAC,iBAAiB,CAAC,CAAC,CAAC;IACtD,MAAM,iBAAiB,GAAG,oBAAoB;QAC5C,CAAC,CAAC,MAAM,CAAC,WAAW,CAChB,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CACtD,wCAAwC,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,CAC9D,CACF;QACH,CAAC,CAAC,cAAc,CAAC;IACnB,MAAM,eAAe,GACnB,oBAAoB;QACpB,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAC9C,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAChC,CAAC;IACJ,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,OAAO,EAAE,EACzD;QACE,YAAY,EAAE;YACZ,KAAK,EAAE,EAAE;YACT,GAAG,CAAC,eAAe;gBACjB,CAAC,CAAC;oBACE,SAAS,EAAE,EAAE;oBACb,UAAU,EAAE;wBACV,CAAC,oBAAoB,CAAC,EAAE;4BACtB,SAAS,EAAE,CAAC,iBAAiB,CAAC;yBAC/B;qBACF;iBACF;gBACH,CAAC,CAAC,EAAE,CAAC;SACR;KACF,CACF,CAAC;IAEF,qEAAqE;IACrE,wEAAwE;IACxE,sEAAsE;IACtE,qEAAqE;IACrE,wCAAwC;IACxC,MAAM,YAAY,GAAG,sBAAsB,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAE1E;;;;;;;;;;OAUG;IACH,KAAK,UAAU,iBAAiB,CAAI,EAAoB;QACtD,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC;QACjC,OAAO,qBAAqB,CAC1B;YACE,SAAS,EAAE,iBAAiB,EAAE,SAAS;YACvC,KAAK;YACL,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtE,EACD,EAAE,CACW,CAAC;IAClB,CAAC;IAED,wEAAwE;IACxE,wEAAwE;IACxE,8BAA8B;IAC9B,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QAC1D,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;YAClC,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAC7B,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE;gBAC5D,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC,IAAI,KAAK,UAAU,CAAC;gBACjD,MAAM,cAAc,GAAG,MAAM,2BAA2B,CACtD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,WAAW,CACZ,CAAC;gBACF,MAAM,WAAW,GACd,KAAK,CAAC,IAAY,CAAC,KAAK;oBACzB,OAAQ,KAAK,CAAC,IAAY,CAAC,KAAK,KAAK,QAAQ;oBAC7C,CAAC,KAAK,CAAC,OAAO,CAAE,KAAK,CAAC,IAAY,CAAC,KAAK,CAAC;oBACvC,CAAC,CAAC,EAAE,GAAK,KAAK,CAAC,IAAY,CAAC,KAAiC,EAAE;oBAC/D,CAAC,CAAC,EAAE,CAAC;gBACT,MAAM,QAAQ,GAAG;oBACf,GAAG,WAAW;oBACd,GAAG,CAAC,cAAc;wBAChB,CAAC,CAAC;4BACE,GAAG,wBAAwB,CAAC,cAAc,CAAC;4BAC3C,CAAC,6BAA6B,CAAC,EAAE,cAAc,CAAC,GAAG;4BACnD,EAAE,EAAE,gBAAgB,CAClB,cAAc,EACd,KAAK,CAAC,MAAM,EAAE,UAAU;gCACtB,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,UAAU,CAC5C;yBACF;wBACH,CAAC,CAAC,EAAE,CAAC;iBACR,CAAC;gBACF,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC;gBACvD,MAAM,WAAW,GAA4B;oBAC3C,YAAY,EAAE,KAAK,CAAC,QAAQ,KAAK,IAAI;oBACrC,eAAe,EAAE,KAAK,CAAC,WAAW,EAAE,eAAe,KAAK,IAAI;oBAC5D,aAAa,EAAE,KAAK;iBACrB,CAAC;gBACF,IAAI,OAAO;oBAAE,WAAW,CAAC,+BAA+B,CAAC,GAAG,IAAI,CAAC;gBACjE,OAAO;oBACL,IAAI;oBACJ,WAAW,EAAE,OAAO;wBAClB,CAAC,CAAC,GAAG,eAAe,sEAAsE;wBAC1F,CAAC,CAAC,eAAe;oBACnB,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI;wBACpC,IAAI,EAAE,QAAiB;wBACvB,UAAU,EAAE,EAAE;qBACf;oBACD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAChE,WAAW;iBACZ,CAAC;YACJ,CAAC,CAAC,CACH,CAAC;YAEF,IACE,CAAC,oBAAoB;gBACrB,MAAM,CAAC,QAAQ;gBACf,gBAAgB,CAAC,iBAAiB,EAAE,WAAW,EAAE,WAAW,CAAC,EAC7D,CAAC;gBACD,KAAK,CAAC,IAAI,CAAC;oBACT,IAAI,EAAE,WAAW;oBACjB,WAAW,EACT,4EAA4E;wBAC5E,4EAA4E;wBAC5E,iCAAiC;oBACnC,WAAW,EAAE;wBACX,IAAI,EAAE,QAAiB;wBACvB,UAAU,EAAE;4BACV,OAAO,EAAE;gCACP,IAAI,EAAE,QAAQ;gCACd,WAAW,EAAE,kCAAkC;6BAChD;yBACF;wBACD,QAAQ,EAAE,CAAC,SAAS,CAAC;qBACtB;oBACD,WAAW,EAAE;wBACX,YAAY,EAAE,KAAK;wBACnB,eAAe,EAAE,KAAK;wBACtB,aAAa,EAAE,KAAK;qBACrB;iBACF,CAAC,CAAC;YACL,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,wEAAwE;IACxE,uEAAuE;IACvE,iEAAiE;IACjE,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QACrE,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;YAClC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;YAEjD,IAAI,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAC5C,IAAI,oBAAoB,EAAE,CAAC;oBACzB,OAAO;wBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC;wBAC1D,OAAO,EAAE,IAAI;qBACd,CAAC;gBACJ,CAAC;gBACD,IAAI,CAAC,gBAAgB,CAAC,iBAAiB,EAAE,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;oBACnE,OAAO;wBACL,OAAO,EAAE;4BACP;gCACE,IAAI,EAAE,MAAM;gCACZ,IAAI,EAAE,iDAAiD;6BACxD;yBACF;wBACD,OAAO,EAAE,IAAI;qBACd,CAAC;gBACJ,CAAC;gBACD,MAAM,OAAO,GAAG,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC;gBACpC,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAC9C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;gBACvD,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,OAAO;wBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;wBAC1D,OAAO,EAAE,IAAI;qBACd,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,MAAM,eAAe,GAAG,oBAAoB;gBAC1C,CAAC,CAAC,iBAAiB;gBACnB,CAAC,CAAC,OAAO,CAAC;YACZ,MAAM,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;YACpC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC;oBAC1D,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YACD,IACE,CAAC,4BAA4B,CAAC,KAAK,EAAE,iBAAiB,EAAE,WAAW,CAAC,EACpE,CAAC;gBACD,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE,8CAA8C,IAAI,EAAE;yBAC3D;qBACF;oBACD,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,CAAE,IAA+B,IAAI,EAAE,CAAC,CAAC;gBACvE,MAAM,SAAS,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC;gBAClE,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC;oBAC/C,CAAC,CAAC,MAAM,CAAC,IAAI;oBACb,CAAC,CAAC,MAAM,CAAC;gBACX,MAAM,cAAc,GAAG,MAAM,2BAA2B,CACtD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,WAAW,CACZ,CAAC;gBACF,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,kBAAkB,CACzC,KAAK,EACJ,IAA4B,IAAI,EAAE,EACnC,SAAS,EACT,WAAW,CACZ,CAAC;gBACF,MAAM,YAAY,GAA4B;oBAC5C,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;oBAChB,GAAG,CAAC,cAAc;wBAChB,CAAC,CAAC,uBAAuB,CAAC,SAAS,EAAE,cAAc,EAAE,WAAW,CAAC;wBACjE,CAAC,CAAC,EAAE,CAAC;oBACP,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,oBAAoB,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;iBAChE,CAAC;gBACF,MAAM,iBAAiB,GAAG,cAAc;oBACtC,CAAC,CAAC,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC;oBAClD,CAAC,CAAC,SAAS,CAAC;gBACd,MAAM,IAAI,GAAG,cAAc;oBACzB,CAAC,CAAC,qBAAqB,CAAC,IAAI,EAAE,eAAe,EAAE,iBAAkB,CAAC;oBAClE,CAAC,CAAC,OAAO,eAAe,KAAK,QAAQ;wBACnC,CAAC,CAAC,eAAe;wBACjB,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;gBACtC,MAAM,OAAO,GAAU,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;gBAChD,IAAI,KAAK;oBAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAC/B,OAAO;oBACL,OAAO;oBACP,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACnD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,GAAG,CAAC;wBACtC,CAAC,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE;wBACzB,CAAC,CAAC,EAAE,CAAC;iBACR,CAAC;YACJ,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC1D,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAI,eAAe,EAAE,CAAC;QACpB,MAAM,CAAC,iBAAiB,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;YAC9D,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;gBAClC,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAC9C,MAAM,EACN,iBAAiB,EACjB,WAAW,CACZ,CAAC;gBACF,OAAO;oBACL,SAAS,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;wBAC5C,GAAG,EAAE,QAAQ,CAAC,GAAG;wBACjB,IAAI,EAAE,QAAQ,CAAC,IAAI;wBACnB,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpD,GAAG,CAAC,QAAQ,CAAC,WAAW;4BACtB,CAAC,CAAC,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE;4BACvC,CAAC,CAAC,EAAE,CAAC;wBACP,QAAQ,EAAE,QAAQ,CAAC,QAAQ;wBAC3B,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBACrD,CAAC,CAAC;iBACJ,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,iBAAiB,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YACtE,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;gBAClC,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAC9C,MAAM,EACN,iBAAiB,EACjB,WAAW,CACZ,CAAC;gBACF,OAAO;oBACL,iBAAiB,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;wBACpD,WAAW,EAAE,QAAQ,CAAC,GAAG;wBACzB,IAAI,EAAE,QAAQ,CAAC,IAAI;wBACnB,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpD,GAAG,CAAC,QAAQ,CAAC,WAAW;4BACtB,CAAC,CAAC,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE;4BACvC,CAAC,CAAC,EAAE,CAAC;wBACP,QAAQ,EAAE,QAAQ,CAAC,QAAQ;wBAC3B,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBACrD,CAAC,CAAC;iBACJ,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,iBAAiB,CACtB,yBAAyB,EACzB,KAAK,EAAE,OAAY,EAAE,EAAE;YACrB,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;gBAClC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;gBAChC,IAAI,KAAK,GAGE,IAAI,CAAC;gBAChB,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC9D,MAAM,WAAW,GAAG,oBAAoB,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;oBAC9D,IACE,CAAC,WAAW;wBACZ,CAAC,WAAW,CAAC,GAAG,KAAK,GAAG;4BACtB,CAAC,WAAW,CAAC,UAAU,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,EACzC,CAAC;wBACD,SAAS;oBACX,CAAC;oBACD,MAAM,QAAQ,GAAG,MAAM,2BAA2B,CAChD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,WAAW,CACZ,CAAC;oBACF,IAAI,QAAQ,EAAE,CAAC;wBACb,KAAK,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;oBACzC,CAAC;oBACD,MAAM;gBACR,CAAC;gBACD,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,EAAE,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO;oBACL,QAAQ,EAAE;wBACR;4BACE,GAAG;4BACH,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,QAAQ;4BACjC,IAAI,EAAE,gBAAgB,CACpB,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,UAAU,EAChB,MAAM,EACN,WAAW,CACZ;4BACD,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK;gCACtB,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,KAAK,EAAE;gCACjC,CAAC,CAAC,EAAE,CAAC;yBACR;qBACF;iBACF,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CACF,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,6EAA6E;AAC7E,gFAAgF;AAChF,8EAA8E;AAE9E,MAAM,UAAU,eAAe;IAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACxC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,MAAM;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,IAAI,CACT,GAAG,KAAK;aACL,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC,CACnB,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,SAAS,yBAAyB,CAChC,gBAAoC;IAEpC,MAAM,KAAK,GACT,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,IAAI,EAAE;QAC5C,CAAC,OAAO,gBAAgB,KAAK,QAAQ,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;QACjE,EAAE,CAAC;IACL,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,kBAAkB,CACzB,UAAoB,EACpB,MAAiC;IAEjC,MAAM,OAAO,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO;IACrD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,KAAa;IAEb,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,iBAAiB,GAAmC,IAAI,CAAC;IAC7D,IAAI,CAAC;QACH,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAA4B,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAE7D,MAAM,SAAS,GACb,OAAO,iBAAiB,CAAC,UAAU,KAAK,QAAQ;QAC9C,CAAC,CAAC,iBAAiB,CAAC,UAAU;QAC9B,CAAC,CAAC,SAAS,CAAC;IAChB,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,kBAAkB,CAChB,gBAAgB,EAChB,MAAM,oBAAoB,CAAC,SAAS,CAAC,CACtC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,0EAA0E;QAC5E,CAAC;IACH,CAAC;IAED,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CACjC,CAAC;YACF,OAAO,OAAkC,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,gEAAgE;QAClE,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAA8B,EAC9B,gBAAqC,EACrC,UAA4D,EAAE;IAa9D,oEAAoE;IACpE,yEAAyE;IACzE,0EAA0E;IAC1E,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IAC9C,MAAM,KAAK,GAAG,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC;QAC7C,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;QACrB,CAAC,CAAC,SAAS,CAAC;IACd,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,aAAa,GAAG,MAAM,yBAAyB,CACnD,KAAK,EACL,OAAO,CAAC,WAAW,CACpB,CAAC;QACF,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE;oBACR,SAAS,EAAE,aAAa,CAAC,SAAS;oBAClC,SAAS,EAAE,aAAa,CAAC,SAAS;oBAClC,WAAW,EAAE,aAAa,CAAC,MAAM;oBACjC,aAAa,EAAE,aAAa,CAAC,QAAQ;iBACtC;gBACD,WAAW,EAAE,IAAI;aAClB,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,KAAK,EAAE,CAAC;QACzD,IAAI,OAAO,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;YACnC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,yBAAyB,CAAC,gBAAgB,CAAC;YACrD,uEAAuE;YACvE,sEAAsE;YACtE,uEAAuE;YACvE,iDAAiD;YACjD,WAAW,EAAE,CAAC,CAAC,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;SAC7D,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAErC,wEAAwE;IACxE,uDAAuD;IACvD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAChD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,UAAU,GACd,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAChE,IAAI,UAAU,IAAI,UAAU,KAAK,iBAAiB,EAAE,CAAC;YACnD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QAED,uEAAuE;QACvE,mEAAmE;QACnE,sEAAsE;QACtE,uDAAuD;QACvD,mEAAmE;QACnE,kDAAkD;QAClD,IAAI,UAAU,KAAK,iBAAiB,EAAE,CAAC;YACrC,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBACpD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YAC3B,CAAC;YACD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;YACxB,IAAI,CAAC;gBACH,MAAM,EAAE,YAAY,EAAE,cAAc,EAAE,GACpC,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;gBACrC,IAAI,MAAM,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC5B,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;gBAC3B,CAAC;gBACD,uDAAuD;gBACvD,KAAK,cAAc,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;YAClE,CAAC;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE;gBACR,SAAS,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;gBACpE,SAAS,EACP,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ;oBACpC,CAAC,CAAE,OAAO,CAAC,UAAqB;oBAChC,CAAC,CAAC,SAAS;aAChB;YACD,mEAAmE;YACnE,WAAW,EAAE,IAAI;SAClB,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QAC/C,IAAI,OAAO,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;YACnC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,yBAAyB,CAAC,gBAAgB,CAAC;YACrD,WAAW,EAAE,CAAC,CAAC,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;SAC7D,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,uEAAuE;IACvE,4DAA4D;IAC5D,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,yBAAyB,CAAC,gBAAgB,CAAC;YACrD,qDAAqD;YACrD,WAAW,EAAE,IAAI;SAClB,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,SAA6B;IAE7B,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;QACjE,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,CAAC;QAChD,OAAO,GAAG,EAAE,KAAK,IAAI,SAAS,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC","sourcesContent":["/**\n * Shared MCP server builder.\n *\n * Extracted from `server.ts` so the stateless Streamable-HTTP mount\n * (`mountMCP`) and the stdio transport (`runMCPStdio --standalone`) build the\n * *same* MCP server from the *same* `ActionEntry` registry. Both surfaces:\n *\n * - expose every action as an MCP tool (+ the `ask-agent` meta-tool),\n * - append the framework deep-link block / `_meta` to every tool result,\n * - wrap `run()` / `askAgent()` in `runWithRequestContext` so per-user /\n * per-org scoping (accessFilter, resolveCredential, MCP visibility) is\n * honoured.\n *\n * `server.ts` re-exports `createMCPServerForRequest` and the auth helpers so\n * any (future) external importer of `@agent-native/core/mcp` keeps resolving.\n *\n * Node-only at the SDK level, but this module itself has no Node-only imports\n * — it can be bundled into the serverless function alongside `mountMCP`.\n */\n\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport { isMcpActionResult } from \"../mcp-client/app-result.js\";\nimport {\n MCP_APP_EXTENSION_ID,\n MCP_APP_MIME_TYPE,\n MCP_APP_RESOURCE_URI_META_KEY,\n type ActionMcpAppCsp,\n type ActionMcpAppResourceConfig,\n} from \"../action.js\";\nimport { MCP_APP_REQUEST_ORIGIN_CSP_SOURCE } from \"./embed-app.js\";\nimport { runWithRequestContext } from \"../server/request-context.js\";\nimport { toAbsoluteOpenUrl, toDesktopOpenUrl } from \"../server/deep-link.js\";\nimport {\n isAgentNativeOpenDeepLink,\n withCollapsedAgentSidebarParam,\n} from \"../shared/agent-sidebar-url.js\";\nimport { MCP_APP_CHAT_BRIDGE_QUERY_PARAM } from \"../shared/embed-auth.js\";\nimport { getBuiltinCrossAppTools } from \"./builtin-tools.js\";\nimport { MCP_CONNECT_SCOPE } from \"./connect-store.js\";\nimport {\n MCP_OAUTH_SCOPES,\n hasMcpOAuthScope,\n verifyMcpOAuthAccessToken,\n} from \"./oauth-token.js\";\n\nexport interface MCPConfig {\n /** App name shown in MCP server info */\n name: string;\n /**\n * Canonical app id (directory under `apps/`, e.g. `mail`) this MCP server\n * is mounted for. Optional & back-compat: when omitted the builtin\n * cross-app tools fall back to lowercasing `name`. Used by `open_app` /\n * `ask_app` / `create_workspace_app` to tell \"this app\" from a cross-app\n * target so they resolve the *target* app's origin rather than echoing the\n * current request origin.\n */\n appId?: string;\n /** App description */\n description: string;\n /** Version string (default \"1.0.0\") */\n version?: string;\n /** Action registry — same as agent chat and A2A */\n actions: Record<string, ActionEntry>;\n /**\n * Full (\"production\") action surface served to an **authenticated real\n * caller** — a connect-minted token, an `agent-native mcp install` stdio\n * proxy (owner-email header / `AGENT_NATIVE_OWNER_EMAIL`), or a deployed /\n * `AGENT_MODE=production` app. In local dev `actions` is intentionally the\n * sparse, dev-toggled surface (builtins + read-only public-agent actions)\n * so the local agent chat and unauthenticated dev probes don't see every\n * mutating tool; but per the external-agents contract a real caller that\n * connected with a token MUST get the full surface even in dev. When unset\n * (production, where `actions` already IS the full set) the swap is a\n * no-op. See `external-agents` skill, \"Dev vs production tool surface\".\n */\n productionActions?: Record<string, ActionEntry>;\n /** Handler for the ask-agent meta-tool — runs the full agent loop */\n askAgent?: (message: string) => Promise<string>;\n /**\n * Disable the generic cross-app builtin tools (`list_apps`, `open_app`,\n * `ask_app`, `create_workspace_app`, `list_templates`). They are merged in\n * by default so external agents get a stable verb set; a template action of\n * the same name always wins (template precedence). Set to `false` only for\n * a constrained / locked-down mount.\n */\n builtinCrossAppTools?: boolean;\n}\n\n/**\n * Identity extracted from a verified MCP bearer token / JWT. Used to wrap\n * `entry.run()` and `config.askAgent()` calls in `runWithRequestContext`\n * so downstream tools (db-query, accessFilter, resolveCredential) honour\n * per-user / per-org scoping. Without this wrap the MCP endpoint would\n * silently bypass tenant isolation. See finding #6 in\n * /tmp/security-audit/12-mcp-a2a-agent.md.\n */\nexport interface MCPCallerIdentity {\n userEmail: string | undefined;\n orgDomain: string | undefined;\n /** Present only for standard remote MCP OAuth access tokens. */\n oauthScopes?: string[];\n /** Present only for standard remote MCP OAuth access tokens. */\n oauthClientId?: string;\n}\n\n/** Per-request context used to turn an action's relative deep link into the\n * absolute web URL (and desktop `agentnative://` URL) the external agent\n * surfaces. Derived from the inbound request headers in `mountMCP`, or from\n * the resolved local app origin in the stdio standalone path. */\nexport interface MCPRequestMeta {\n /** Origin of the running app, e.g. `http://localhost:8100`. */\n origin?: string;\n /** Optional client preference for which URL the *markdown* link uses. */\n target?: \"browser\" | \"desktop\" | \"terminal\";\n /**\n * The caller authenticated with a real credential (verified A2A/connect\n * JWT, matching ACCESS_TOKEN, or a forwarded owner-email header from\n * `agent-native mcp install`) — not the unauthenticated local dev-open\n * path. When true, `createMCPServerForRequest` serves\n * `config.productionActions` (the full surface) instead of the sparse dev\n * `config.actions`. Set by `mountMCP` from `verifyAuth`.\n */\n fullSurface?: boolean;\n}\n\ntype McpOAuthScope = (typeof MCP_OAUTH_SCOPES)[number];\n\nfunction isActionVisibleForOAuthScope(\n entry: ActionEntry,\n scopes: string[] | undefined,\n): boolean {\n if (!scopes) return true;\n const required: McpOAuthScope =\n entry.readOnly === true ? \"mcp:read\" : \"mcp:write\";\n return hasMcpOAuthScope(scopes, required);\n}\n\nconst COMPACT_MCP_APP_CATALOG_BUILTINS = new Set([\n \"list_apps\",\n \"open_app\",\n \"create_embed_session\",\n]);\n\nfunction isDispatchConfig(config: MCPConfig): boolean {\n const id = (config.appId ?? \"\").toLowerCase();\n const name = (config.name ?? \"\").toLowerCase();\n return id === \"dispatch\" || name.includes(\"dispatch\");\n}\n\nfunction isActionAdvertisedInCompactMcpAppCatalog(\n config: MCPConfig,\n name: string,\n entry: ActionEntry,\n): boolean {\n if (COMPACT_MCP_APP_CATALOG_BUILTINS.has(name)) return true;\n if (name === \"ask_app\" && isDispatchConfig(config)) return true;\n return Boolean(entry.mcpApp?.resource);\n}\n\nconst MCP_APP_OAUTH_CLIENT_RE = /\\b(chatgpt|openai|claude|anthropic)\\b/i;\nconst NON_APP_OAUTH_CLIENT_RE =\n /\\b(code|desktop|cli|cursor|codex|goose|postman|mcpjam|inspector)\\b/i;\nconst MCP_APP_OAUTH_REDIRECT_HOST_RE =\n /(^|\\.)((chatgpt|openai)\\.com|claude\\.ai|anthropic\\.com)$/i;\n\nasync function isKnownMcpAppOAuthClient(\n identity: MCPCallerIdentity | undefined,\n): Promise<boolean> {\n const clientId = identity?.oauthClientId?.trim();\n if (!clientId) return false;\n\n function isKnownAppClientName(value: string | undefined | null): boolean {\n if (!value) return false;\n return (\n MCP_APP_OAUTH_CLIENT_RE.test(value) &&\n !NON_APP_OAUTH_CLIENT_RE.test(value)\n );\n }\n\n function isKnownNonAppClientName(value: string | undefined | null): boolean {\n return Boolean(value && NON_APP_OAUTH_CLIENT_RE.test(value));\n }\n\n function isKnownMcpAppRedirectUri(uri: string): boolean {\n try {\n const url = new URL(uri);\n return (\n url.protocol === \"https:\" &&\n MCP_APP_OAUTH_REDIRECT_HOST_RE.test(url.hostname)\n );\n } catch {\n return false;\n }\n }\n\n if (isKnownAppClientName(clientId)) return true;\n if (isKnownNonAppClientName(clientId)) return false;\n\n try {\n const { getOAuthClient } = await import(\"./oauth-store.js\");\n const client = await getOAuthClient(clientId);\n // If the token carries an OAuth client id but its registration is missing,\n // keep the model on the compact MCP Apps surface instead of exposing every\n // private action/schema.\n if (!client) return true;\n if (isKnownAppClientName(client.clientName)) return true;\n if (isKnownNonAppClientName(client.clientName)) return false;\n if (client.redirectUris.some(isKnownMcpAppRedirectUri)) return true;\n // Most OAuth hosts are UI-oriented MCP clients. Preserve the full catalog\n // only for known code/CLI clients so unknown browser hosts cannot trigger\n // massive resources/list payloads.\n return true;\n } catch {\n // On metadata lookup errors, fail compact instead of falling back to the\n // full action surface; ChatGPT/Claude old tokens otherwise get huge lists.\n return true;\n }\n}\n\ninterface ResolvedMcpAppResource {\n uri: string;\n legacyUris?: string[];\n name: string;\n title?: string;\n description?: string;\n html: ActionMcpAppResourceConfig[\"html\"];\n mimeType: typeof MCP_APP_MIME_TYPE;\n _meta?: Record<string, unknown>;\n}\n\ninterface McpAppResourceContext {\n actionName: string;\n appId?: string;\n requestOrigin?: string;\n}\n\ninterface VersionedMcpAppResourceUri {\n uri: string;\n legacyUris?: string[];\n}\n\nfunction metadataObject(value: unknown): Record<string, unknown> {\n return value && typeof value === \"object\" && !Array.isArray(value)\n ? (value as Record<string, unknown>)\n : {};\n}\n\nfunction withMcpChatBridgeParam(urlOrPath: string): string {\n try {\n const base = \"http://agent-native.invalid\";\n const url = urlOrPath.startsWith(\"/\")\n ? new URL(urlOrPath, base)\n : new URL(urlOrPath);\n url.searchParams.set(MCP_APP_CHAT_BRIDGE_QUERY_PARAM, \"1\");\n return urlOrPath.startsWith(\"/\")\n ? `${url.pathname}${url.search}${url.hash}`\n : url.toString();\n } catch {\n return urlOrPath;\n }\n}\n\nfunction mcpAppEmbedOpenLinkMeta(\n result: unknown,\n resource: ResolvedMcpAppResource,\n meta: MCPRequestMeta | undefined,\n): Record<string, unknown> {\n const out = metadataObject(result);\n const embedStartUrl =\n typeof out.embedStartUrl === \"string\"\n ? out.embedStartUrl\n : out.embed === true &&\n typeof out.url === \"string\" &&\n out.url.includes(\"/_agent-native/embed/start\")\n ? out.url\n : null;\n if (!embedStartUrl) return {};\n\n const webUrl = toAbsoluteOpenUrl(\n withMcpChatBridgeParam(embedStartUrl),\n meta?.origin,\n );\n const deepLinkUrl =\n typeof out.deepLinkUrl === \"string\" ? out.deepLinkUrl : null;\n const fallbackLabel = resource.title ?? resource.name ?? \"app\";\n const label =\n typeof out.app === \"string\" && out.app.trim()\n ? `Open ${out.app.trim()}`\n : fallbackLabel;\n const view =\n typeof out.view === \"string\" && out.view.trim()\n ? out.view.trim()\n : typeof out.path === \"string\" && out.path.trim()\n ? out.path.trim()\n : undefined;\n\n return {\n \"agent-native/openLink\": {\n label,\n ...(view ? { view } : {}),\n webUrl,\n desktopUrl: deepLinkUrl\n ? toAbsoluteOpenUrl(deepLinkUrl, meta?.origin)\n : webUrl,\n },\n };\n}\n\n/**\n * Build the deep-link content block + structured `_meta` for a tool result.\n * Best-effort: any throw / nullish link is swallowed so a bad `link` builder\n * never fails the tool call.\n */\nexport function buildLinkArtifacts(\n entry: ActionEntry,\n args: Record<string, any>,\n result: any,\n meta: MCPRequestMeta | undefined,\n): {\n block?: { type: \"text\"; text: string };\n _meta?: Record<string, unknown>;\n} {\n if (typeof entry.link !== \"function\") return {};\n try {\n const lk = entry.link({ args: args ?? {}, result });\n if (!lk?.url) return {};\n const linkUrl = isAgentNativeOpenDeepLink(lk.url)\n ? withCollapsedAgentSidebarParam(lk.url)\n : lk.url;\n const webUrl = toAbsoluteOpenUrl(linkUrl, meta?.origin);\n const desktopUrl = toDesktopOpenUrl(linkUrl);\n const markdownUrl = meta?.target === \"desktop\" ? desktopUrl : webUrl;\n return {\n block: { type: \"text\", text: `\\n\\n[${lk.label} →](${markdownUrl})` },\n _meta: {\n \"agent-native/openLink\": {\n label: lk.label,\n view: lk.view,\n webUrl,\n desktopUrl,\n },\n },\n };\n } catch {\n return {};\n }\n}\n\n/**\n * Merge the generic cross-app builtin tools into the config's action\n * registry. **Template actions take precedence**: if a template defines an\n * action with the same name as a builtin (e.g. its own `list_apps`), the\n * template entry wins and the builtin is dropped. This mirrors the\n * template-over-workspace-core precedence in `autoDiscoverActions`.\n *\n * The builtins are pure-ish navigators / scaffolders; they call back into the\n * same `config.actions` / `config.askAgent` so there is no second agent loop.\n */\nfunction mergeBuiltinTools(\n config: MCPConfig,\n baseActions: Record<string, ActionEntry>,\n requestMeta?: MCPRequestMeta,\n): Record<string, ActionEntry> {\n if (config.builtinCrossAppTools === false) return baseActions;\n const builtins = getBuiltinCrossAppTools(config, requestMeta);\n const merged: Record<string, ActionEntry> = { ...builtins };\n // Template / app actions overwrite same-named builtins.\n for (const [name, entry] of Object.entries(baseActions)) {\n merged[name] = entry;\n }\n return merged;\n}\n\nfunction safeUiSegment(value: string | undefined, fallback: string): string {\n const normalized = (value || fallback)\n .trim()\n .toLowerCase()\n .replace(/[^a-z0-9._-]+/g, \"-\")\n .replace(/^-+|-+$/g, \"\");\n return normalized || fallback;\n}\n\n// ChatGPT and Claude cache MCP App resource HTML by `ui://` URI. Bump this\n// when the shared shell changes in a way that must invalidate host caches.\nconst MCP_APP_RESOURCE_SHELL_VERSION = \"shell-v25\";\n\nfunction legacyDefaultMcpAppUri(config: MCPConfig, actionName: string): string {\n const app = safeUiSegment(config.appId ?? config.name, \"agent-native\");\n const action = safeUiSegment(actionName, \"tool\");\n return `ui://${app}/${action}`;\n}\n\nfunction versionMcpAppResourceUri(\n rawUri: string,\n): VersionedMcpAppResourceUri | null {\n const uri = rawUri.trim();\n if (!uri.startsWith(\"ui://\")) return null;\n const versionSuffix = `/${MCP_APP_RESOURCE_SHELL_VERSION}`;\n let versionedUri: string;\n try {\n const parsed = new URL(uri);\n const path = parsed.pathname.replace(/\\/+$/g, \"\");\n parsed.pathname = /\\/shell-v\\d+$/.test(path)\n ? path.replace(/\\/shell-v\\d+$/, versionSuffix)\n : `${path}${versionSuffix}`;\n versionedUri = parsed.toString();\n } catch {\n return null;\n }\n return {\n uri: versionedUri,\n ...(versionedUri !== uri ? { legacyUris: [uri] } : {}),\n };\n}\n\nfunction getMcpAppResourceUri(\n config: MCPConfig,\n actionName: string,\n entry: ActionEntry,\n): VersionedMcpAppResourceUri | null {\n const resource = entry.mcpApp?.resource;\n if (!resource) return null;\n const baseUri =\n resource.uri?.trim() || legacyDefaultMcpAppUri(config, actionName);\n return versionMcpAppResourceUri(baseUri);\n}\n\nfunction expandRequestOriginSources(\n sources: string[] | undefined,\n requestMeta?: MCPRequestMeta,\n): string[] | undefined {\n if (!sources) return undefined;\n const origin = requestMeta?.origin;\n return sources.flatMap((source) =>\n source === MCP_APP_REQUEST_ORIGIN_CSP_SOURCE && origin\n ? [origin]\n : [source],\n );\n}\n\nfunction openAiWidgetCsp(\n cspConfig: ActionMcpAppCsp | undefined,\n requestMeta?: MCPRequestMeta,\n): Record<string, string[]> | undefined {\n if (!cspConfig) return undefined;\n const csp: Record<string, string[]> = {};\n const connectDomains = expandRequestOriginSources(\n cspConfig.connectDomains,\n requestMeta,\n );\n const resourceDomains = expandRequestOriginSources(\n cspConfig.resourceDomains,\n requestMeta,\n );\n const frameDomains = expandRequestOriginSources(\n cspConfig.frameDomains,\n requestMeta,\n );\n if (connectDomains?.length) csp.connect_domains = connectDomains;\n if (resourceDomains?.length) csp.resource_domains = resourceDomains;\n if (frameDomains?.length) csp.frame_domains = frameDomains;\n return Object.keys(csp).length > 0 ? csp : undefined;\n}\n\nfunction mcpAppUiMeta(\n resource: ActionMcpAppResourceConfig,\n resolvedCsp: ActionMcpAppCsp | undefined,\n requestMeta?: MCPRequestMeta,\n description?: string,\n): Record<string, unknown> | undefined {\n const base =\n resource._meta && typeof resource._meta === \"object\"\n ? { ...resource._meta }\n : {};\n const existingUi =\n base.ui && typeof base.ui === \"object\" && !Array.isArray(base.ui)\n ? (base.ui as Record<string, unknown>)\n : {};\n const ui: Record<string, unknown> = { ...existingUi };\n if (resolvedCsp) {\n ui.csp = {\n ...resolvedCsp,\n connectDomains: expandRequestOriginSources(\n resolvedCsp.connectDomains,\n requestMeta,\n ),\n resourceDomains: expandRequestOriginSources(\n resolvedCsp.resourceDomains,\n requestMeta,\n ),\n frameDomains: expandRequestOriginSources(\n resolvedCsp.frameDomains,\n requestMeta,\n ),\n baseUriDomains: expandRequestOriginSources(\n resolvedCsp.baseUriDomains,\n requestMeta,\n ),\n };\n }\n if (resource.permissions) ui.permissions = resource.permissions;\n if (resource.domain) ui.domain = resource.domain;\n if (typeof resource.prefersBorder === \"boolean\") {\n ui.prefersBorder = resource.prefersBorder;\n }\n if (Object.keys(ui).length > 0) base.ui = ui;\n if (description && base[\"openai/widgetDescription\"] == null) {\n base[\"openai/widgetDescription\"] = description;\n }\n if (\n typeof resource.prefersBorder === \"boolean\" &&\n base[\"openai/widgetPrefersBorder\"] == null\n ) {\n base[\"openai/widgetPrefersBorder\"] = resource.prefersBorder;\n }\n const openAiCsp = openAiWidgetCsp(resolvedCsp, requestMeta);\n if (openAiCsp && base[\"openai/widgetCSP\"] == null) {\n base[\"openai/widgetCSP\"] = openAiCsp;\n }\n return Object.keys(base).length > 0 ? base : undefined;\n}\n\nasync function resolveMcpAppCsp(\n resource: ActionMcpAppResourceConfig,\n ctx: McpAppResourceContext,\n): Promise<ActionMcpAppCsp | undefined> {\n if (!resource.csp) return undefined;\n return typeof resource.csp === \"function\"\n ? await resource.csp(ctx)\n : resource.csp;\n}\n\nasync function resolveMcpAppResource(\n config: MCPConfig,\n actionName: string,\n entry: ActionEntry,\n requestMeta?: MCPRequestMeta,\n): Promise<ResolvedMcpAppResource | null> {\n const resource = entry.mcpApp?.resource;\n if (!resource) return null;\n const resolvedUri = getMcpAppResourceUri(config, actionName, entry);\n if (!resolvedUri) return null;\n const description = resource.description ?? entry.tool.description;\n const resolvedCsp = await resolveMcpAppCsp(resource, {\n actionName,\n appId: config.appId,\n requestOrigin: requestMeta?.origin,\n });\n const resourceMeta = mcpAppUiMeta(\n resource,\n resolvedCsp,\n requestMeta,\n description,\n );\n return {\n uri: resolvedUri.uri,\n ...(resolvedUri.legacyUris ? { legacyUris: resolvedUri.legacyUris } : {}),\n name: resource.name?.trim() || actionName,\n ...(resource.title ? { title: resource.title } : {}),\n ...(description ? { description } : {}),\n html: resource.html,\n mimeType: resource.mimeType ?? MCP_APP_MIME_TYPE,\n ...(resourceMeta ? { _meta: resourceMeta } : {}),\n };\n}\n\nasync function resolveMcpAppResourceSafely(\n config: MCPConfig,\n actionName: string,\n entry: ActionEntry,\n requestMeta?: MCPRequestMeta,\n): Promise<ResolvedMcpAppResource | null> {\n try {\n return await resolveMcpAppResource(config, actionName, entry, requestMeta);\n } catch (error) {\n console.warn(\n `[mcp] Skipping MCP App resource for action \"${actionName}\" because its metadata could not be resolved.`,\n error,\n );\n return null;\n }\n}\n\nasync function getMcpAppResources(\n config: MCPConfig,\n actions: Record<string, ActionEntry>,\n requestMeta?: MCPRequestMeta,\n): Promise<ResolvedMcpAppResource[]> {\n const resources = await Promise.all(\n Object.entries(actions).map(([name, entry]) =>\n resolveMcpAppResourceSafely(config, name, entry, requestMeta),\n ),\n );\n return resources.filter((resource): resource is ResolvedMcpAppResource =>\n Boolean(resource),\n );\n}\n\nfunction renderMcpAppHtml(\n resource: ResolvedMcpAppResource,\n actionName: string,\n config: MCPConfig,\n requestMeta?: MCPRequestMeta,\n): string {\n if (typeof resource.html === \"function\") {\n return resource.html({\n actionName,\n appId: config.appId,\n requestOrigin: requestMeta?.origin,\n });\n }\n return resource.html;\n}\n\nfunction openAiToolDescriptorMeta(\n resource: ResolvedMcpAppResource,\n): Record<string, unknown> {\n const label = resource.title ?? resource.name;\n const widgetCsp = metadataObject(resource._meta?.[\"openai/widgetCSP\"]);\n return {\n \"openai/outputTemplate\": resource.uri,\n \"openai/toolInvocation/invoking\": `Opening ${label}`,\n \"openai/toolInvocation/invoked\": `${label} ready`,\n \"openai/widgetAccessible\": true,\n ...(Object.keys(widgetCsp).length > 0\n ? { \"openai/widgetCSP\": widgetCsp }\n : {}),\n };\n}\n\nfunction openAiToolResultMeta(\n resource: ResolvedMcpAppResource,\n): Record<string, unknown> {\n const label = resource.title ?? resource.name;\n const widgetCsp = metadataObject(resource._meta?.[\"openai/widgetCSP\"]);\n return {\n \"openai/outputTemplate\": resource.uri,\n \"openai/toolInvocation/invoking\": `Opening ${label}`,\n \"openai/toolInvocation/invoked\": `${label} ready`,\n \"openai/widgetAccessible\": true,\n ...(Object.keys(widgetCsp).length > 0\n ? { \"openai/widgetCSP\": widgetCsp }\n : {}),\n };\n}\n\nfunction mcpAppToolUiMeta(\n resource: ResolvedMcpAppResource,\n visibility: unknown,\n): Record<string, unknown> {\n return {\n resourceUri: resource.uri,\n visibility: Array.isArray(visibility) ? visibility : [\"model\", \"app\"],\n };\n}\n\nfunction primitiveValue(value: unknown): value is string | number | boolean {\n return (\n typeof value === \"string\" ||\n typeof value === \"number\" ||\n typeof value === \"boolean\"\n );\n}\n\nfunction mcpAppStructuredContent(\n result: unknown,\n meta: Record<string, unknown> | undefined,\n): Record<string, unknown> {\n const out: Record<string, unknown> =\n result && typeof result === \"object\" && !Array.isArray(result)\n ? { ...(result as Record<string, unknown>) }\n : primitiveValue(result)\n ? { result }\n : {};\n const openLink = meta?.[\"agent-native/openLink\"];\n if (openLink && typeof openLink === \"object\" && !Array.isArray(openLink)) {\n out.openLink = openLink;\n const webUrl = (openLink as Record<string, unknown>).webUrl;\n if (typeof webUrl === \"string\" && !out.url) out.url = webUrl;\n }\n return Object.keys(out).length > 0 ? out : { status: \"ok\" };\n}\n\nfunction truncateToolText(value: string, max = 2000): string {\n if (value.length <= max) return value;\n return `${value.slice(0, max - 1)}…`;\n}\n\nfunction conciseMcpAppToolText(\n name: string,\n result: unknown,\n structuredContent: Record<string, unknown>,\n): string {\n if (typeof result === \"string\") return truncateToolText(result);\n const message = structuredContent.message;\n if (typeof message === \"string\" && message.trim()) {\n return truncateToolText(message.trim());\n }\n const title = structuredContent.title ?? structuredContent.name;\n if (typeof title === \"string\" && title.trim()) {\n return `${title.trim()} is ready.`;\n }\n const id = structuredContent.id;\n if (typeof id === \"string\" && id.trim()) {\n return `${name} completed for ${id.trim()}.`;\n }\n return `${name} completed.`;\n}\n\n// ---------------------------------------------------------------------------\n// MCP Server creation — converts ActionEntry registry to MCP tools\n// ---------------------------------------------------------------------------\n\n/**\n * Build a fully-wired MCP `Server` for a single request / session.\n *\n * Shared by the stateless Streamable-HTTP mount (`mountMCP`) and the stdio\n * standalone transport. The HTTP mount passes the per-request origin via\n * `requestMeta`; the stdio standalone path passes the resolved local app\n * origin so deep links still become absolute URLs.\n */\nexport async function createMCPServerForRequest(\n config: MCPConfig,\n identity: MCPCallerIdentity | undefined,\n requestMeta?: MCPRequestMeta,\n) {\n const { Server } = await import(\"@modelcontextprotocol/sdk/server/index.js\");\n const {\n ListToolsRequestSchema,\n CallToolRequestSchema,\n ListResourcesRequestSchema,\n ReadResourceRequestSchema,\n ListResourceTemplatesRequestSchema,\n } = await import(\"@modelcontextprotocol/sdk/types.js\");\n\n // Resolve the effective caller identity. JWT / header-derived identity\n // (passed by `mountMCP` via `verifyAuth`) wins. When the caller passed no\n // identity — the stdio **standalone** path — fall back to the\n // `AGENT_NATIVE_OWNER_EMAIL` env the `agent-native mcp install` flow writes\n // into the `agent-native mcp serve` process env, so standalone tool runs are\n // tenant-scoped to the configured owner instead of running unscoped. Stays\n // undefined for true dev-open (no token, no secret, no owner) — behavior\n // there is unchanged.\n const ownerFromEnv = process.env.AGENT_NATIVE_OWNER_EMAIL?.trim();\n const effectiveIdentity: MCPCallerIdentity | undefined =\n identity ??\n (ownerFromEnv\n ? { userEmail: ownerFromEnv, orgDomain: undefined }\n : undefined);\n\n // The action set the request handlers operate on = base actions + generic\n // cross-app builtins (template wins on name collision). An authenticated\n // real caller (connect-minted token / `mcp install` owner / production —\n // `requestMeta.fullSurface`, or the stdio standalone path identified by\n // `AGENT_NATIVE_OWNER_EMAIL`) gets the full `productionActions` surface\n // even in local dev; the unauthenticated dev-open path keeps the sparse\n // `config.actions`. See `external-agents` skill, \"Dev vs production tool\n // surface\".\n const useFullSurface = requestMeta?.fullSurface === true || !!ownerFromEnv;\n const baseActions =\n useFullSurface && config.productionActions\n ? config.productionActions\n : config.actions;\n const actions = mergeBuiltinTools(config, baseActions, requestMeta);\n const visibleActions = Object.fromEntries(\n Object.entries(actions).filter(([, entry]) =>\n isActionVisibleForOAuthScope(entry, effectiveIdentity?.oauthScopes),\n ),\n );\n const compactMcpAppCatalog =\n (Array.isArray(effectiveIdentity?.oauthScopes) &&\n hasMcpOAuthScope(effectiveIdentity.oauthScopes, \"mcp:apps\")) ||\n (await isKnownMcpAppOAuthClient(effectiveIdentity));\n const advertisedActions = compactMcpAppCatalog\n ? Object.fromEntries(\n Object.entries(visibleActions).filter(([name, entry]) =>\n isActionAdvertisedInCompactMcpAppCatalog(config, name, entry),\n ),\n )\n : visibleActions;\n const supportsMcpApps =\n compactMcpAppCatalog &&\n Object.values(advertisedActions).some((entry) =>\n Boolean(entry.mcpApp?.resource),\n );\n const server = new Server(\n { name: config.name, version: config.version ?? \"1.0.0\" },\n {\n capabilities: {\n tools: {},\n ...(supportsMcpApps\n ? {\n resources: {},\n extensions: {\n [MCP_APP_EXTENSION_ID]: {\n mimeTypes: [MCP_APP_MIME_TYPE],\n },\n },\n }\n : {}),\n },\n },\n );\n\n // Resolve orgId once per request (DB lookup) so subsequent wraps are\n // synchronous. The caller identity may be undefined for true dev-open —\n // in that case we run with no userEmail/orgId, which makes downstream\n // tools that require per-user scope return empty results rather than\n // cross-tenant data (the safe default).\n const orgIdPromise = resolveOrgIdFromDomain(effectiveIdentity?.orgDomain);\n\n /**\n * Wrap a callback in\n * `runWithRequestContext({ userEmail, orgId, requestOrigin }, fn)`.\n * Both the tools/list and tools/call handlers go through this so\n * downstream `accessFilter`, `resolveCredential`, and per-user MCP\n * visibility checks see the verified caller's identity. `requestOrigin`\n * is the live server origin derived from the inbound request (same value\n * used to absolutize deep links) so actions that build fetchable URLs\n * (e.g. design `export-coding-handoff`'s signed raw-code URL) resolve the\n * correct local-workspace origin instead of a prod/localhost fallback.\n */\n async function withCallerContext<T>(fn: () => Promise<T>): Promise<T> {\n const orgId = await orgIdPromise;\n return runWithRequestContext(\n {\n userEmail: effectiveIdentity?.userEmail,\n orgId,\n ...(requestMeta?.origin ? { requestOrigin: requestMeta.origin } : {}),\n },\n fn,\n ) as Promise<T>;\n }\n\n // tools/list — return all actions + ask-agent meta-tool. Wrapped in the\n // request context so per-user MCP visibility (mcp-client/visibility.ts)\n // applies to the listing too.\n server.setRequestHandler(ListToolsRequestSchema, async () => {\n return withCallerContext(async () => {\n const tools = await Promise.all(\n Object.entries(advertisedActions).map(async ([name, entry]) => {\n const hasLink = typeof entry.link === \"function\";\n const mcpAppResource = await resolveMcpAppResourceSafely(\n config,\n name,\n entry,\n requestMeta,\n );\n const rawToolMeta =\n (entry.tool as any)._meta &&\n typeof (entry.tool as any)._meta === \"object\" &&\n !Array.isArray((entry.tool as any)._meta)\n ? { ...((entry.tool as any)._meta as Record<string, unknown>) }\n : {};\n const toolMeta = {\n ...rawToolMeta,\n ...(mcpAppResource\n ? {\n ...openAiToolDescriptorMeta(mcpAppResource),\n [MCP_APP_RESOURCE_URI_META_KEY]: mcpAppResource.uri,\n ui: mcpAppToolUiMeta(\n mcpAppResource,\n entry.mcpApp?.visibility ??\n metadataObject(rawToolMeta.ui).visibility,\n ),\n }\n : {}),\n };\n const baseDescription = entry.tool.description ?? name;\n const annotations: Record<string, unknown> = {\n readOnlyHint: entry.readOnly === true,\n destructiveHint: entry.publicAgent?.isConsequential === true,\n openWorldHint: false,\n };\n if (hasLink) annotations[\"agent-native/producesOpenLink\"] = true;\n return {\n name,\n description: hasLink\n ? `${baseDescription} After calling, surface the returned \"Open in … →\" link to the user.`\n : baseDescription,\n inputSchema: entry.tool.parameters ?? {\n type: \"object\" as const,\n properties: {},\n },\n ...(Object.keys(toolMeta).length > 0 ? { _meta: toolMeta } : {}),\n annotations,\n };\n }),\n );\n\n if (\n !compactMcpAppCatalog &&\n config.askAgent &&\n hasMcpOAuthScope(effectiveIdentity?.oauthScopes, \"mcp:write\")\n ) {\n tools.push({\n name: \"ask-agent\",\n description:\n \"Send a natural-language message to the app's AI agent and get a response. \" +\n \"Use this for complex, multi-step tasks that require the agent's reasoning \" +\n \"and full context about the app.\",\n inputSchema: {\n type: \"object\" as const,\n properties: {\n message: {\n type: \"string\",\n description: \"The message to send to the agent\",\n },\n },\n required: [\"message\"],\n },\n annotations: {\n readOnlyHint: false,\n destructiveHint: false,\n openWorldHint: false,\n },\n });\n }\n\n return { tools };\n });\n });\n\n // tools/call — dispatch to action registry or ask-agent. Wrapped in the\n // request context so the action's `run(args)` and `askAgent()` execute\n // with the verified caller's identity, not the platform default.\n server.setRequestHandler(CallToolRequestSchema, async (request: any) => {\n return withCallerContext(async () => {\n const { name, arguments: args } = request.params;\n\n if (name === \"ask-agent\" && config.askAgent) {\n if (compactMcpAppCatalog) {\n return {\n content: [{ type: \"text\", text: `Unknown tool: ${name}` }],\n isError: true,\n };\n }\n if (!hasMcpOAuthScope(effectiveIdentity?.oauthScopes, \"mcp:write\")) {\n return {\n content: [\n {\n type: \"text\",\n text: \"Forbidden: OAuth scope does not allow ask-agent\",\n },\n ],\n isError: true,\n };\n }\n const message = args?.message ?? \"\";\n try {\n const result = await config.askAgent(message);\n return { content: [{ type: \"text\", text: result }] };\n } catch (err: any) {\n return {\n content: [{ type: \"text\", text: `Error: ${err.message}` }],\n isError: true,\n };\n }\n }\n\n const callableActions = compactMcpAppCatalog\n ? advertisedActions\n : actions;\n const entry = callableActions[name];\n if (!entry) {\n return {\n content: [{ type: \"text\", text: `Unknown tool: ${name}` }],\n isError: true,\n };\n }\n if (\n !isActionVisibleForOAuthScope(entry, effectiveIdentity?.oauthScopes)\n ) {\n return {\n content: [\n {\n type: \"text\",\n text: `Forbidden: OAuth scope does not allow tool ${name}`,\n },\n ],\n isError: true,\n };\n }\n\n try {\n const result = await entry.run((args as Record<string, string>) ?? {});\n const rawResult = isMcpActionResult(result) ? result.raw : result;\n const resultForClient = isMcpActionResult(result)\n ? result.text\n : result;\n const mcpAppResource = await resolveMcpAppResourceSafely(\n config,\n name,\n entry,\n requestMeta,\n );\n const { block, _meta } = buildLinkArtifacts(\n entry,\n (args as Record<string, any>) ?? {},\n rawResult,\n requestMeta,\n );\n const responseMeta: Record<string, unknown> = {\n ...(_meta ?? {}),\n ...(mcpAppResource\n ? mcpAppEmbedOpenLinkMeta(rawResult, mcpAppResource, requestMeta)\n : {}),\n ...(mcpAppResource ? openAiToolResultMeta(mcpAppResource) : {}),\n };\n const structuredContent = mcpAppResource\n ? mcpAppStructuredContent(rawResult, responseMeta)\n : undefined;\n const text = mcpAppResource\n ? conciseMcpAppToolText(name, resultForClient, structuredContent!)\n : typeof resultForClient === \"string\"\n ? resultForClient\n : JSON.stringify(resultForClient);\n const content: any[] = [{ type: \"text\", text }];\n if (block) content.push(block);\n return {\n content,\n ...(structuredContent ? { structuredContent } : {}),\n ...(Object.keys(responseMeta).length > 0\n ? { _meta: responseMeta }\n : {}),\n };\n } catch (err: any) {\n return {\n content: [{ type: \"text\", text: `Error: ${err.message}` }],\n isError: true,\n };\n }\n });\n });\n\n if (supportsMcpApps) {\n server.setRequestHandler(ListResourcesRequestSchema, async () => {\n return withCallerContext(async () => {\n const mcpAppResources = await getMcpAppResources(\n config,\n advertisedActions,\n requestMeta,\n );\n return {\n resources: mcpAppResources.map((resource) => ({\n uri: resource.uri,\n name: resource.name,\n ...(resource.title ? { title: resource.title } : {}),\n ...(resource.description\n ? { description: resource.description }\n : {}),\n mimeType: resource.mimeType,\n ...(resource._meta ? { _meta: resource._meta } : {}),\n })),\n };\n });\n });\n\n server.setRequestHandler(ListResourceTemplatesRequestSchema, async () => {\n return withCallerContext(async () => {\n const mcpAppResources = await getMcpAppResources(\n config,\n advertisedActions,\n requestMeta,\n );\n return {\n resourceTemplates: mcpAppResources.map((resource) => ({\n uriTemplate: resource.uri,\n name: resource.name,\n ...(resource.title ? { title: resource.title } : {}),\n ...(resource.description\n ? { description: resource.description }\n : {}),\n mimeType: resource.mimeType,\n ...(resource._meta ? { _meta: resource._meta } : {}),\n })),\n };\n });\n });\n\n server.setRequestHandler(\n ReadResourceRequestSchema,\n async (request: any) => {\n return withCallerContext(async () => {\n const uri = request.params?.uri;\n let found: {\n actionName: string;\n resource: ResolvedMcpAppResource;\n } | null = null;\n for (const [name, entry] of Object.entries(advertisedActions)) {\n const resourceUri = getMcpAppResourceUri(config, name, entry);\n if (\n !resourceUri ||\n (resourceUri.uri !== uri &&\n !resourceUri.legacyUris?.includes(uri))\n ) {\n continue;\n }\n const resource = await resolveMcpAppResourceSafely(\n config,\n name,\n entry,\n requestMeta,\n );\n if (resource) {\n found = { actionName: name, resource };\n }\n break;\n }\n if (!found) {\n throw new Error(`MCP App resource not found: ${uri}`);\n }\n return {\n contents: [\n {\n uri,\n mimeType: found.resource.mimeType,\n text: renderMcpAppHtml(\n found.resource,\n found.actionName,\n config,\n requestMeta,\n ),\n ...(found.resource._meta\n ? { _meta: found.resource._meta }\n : {}),\n },\n ],\n };\n });\n },\n );\n }\n\n return server;\n}\n\n// ---------------------------------------------------------------------------\n// Auth — reuses the same pattern as A2A (Bearer token or JWT). Shared so the\n// HTTP mount and any stdio-side auth-aware helper resolve identity identically.\n// ---------------------------------------------------------------------------\n\nexport function getAccessTokens(): string[] {\n const single = process.env.ACCESS_TOKEN;\n const multi = process.env.ACCESS_TOKENS;\n const tokens: string[] = [];\n if (single) tokens.push(single);\n if (multi) {\n tokens.push(\n ...multi\n .split(\",\")\n .map((t) => t.trim())\n .filter(Boolean),\n );\n }\n return tokens;\n}\n\n/**\n * Resolve the caller identity for a static-token (or dev-open) auth path.\n *\n * Static `ACCESS_TOKEN` / `ACCESS_TOKENS` auth carries no per-caller claims,\n * so without this the MCP endpoint would run every tool with\n * `userEmail === undefined` and per-user / per-org scoped actions\n * (`accessFilter`, `resolveAccess`, `resolveCredential`) would return\n * empty / wrong data. The `agent-native mcp install` flow writes\n * `AGENT_NATIVE_OWNER_EMAIL` into the client config env and the stdio proxy\n * forwards it as the `X-Agent-Native-Owner-Email` request header (see\n * `mcp/stdio.ts#authHeaders`). We trust that owner hint *only* on the\n * static-token path — JWT auth already carries a cryptographically verified\n * `sub`, so the header is ignored there and never widens JWT scope.\n *\n * Precedence is server-trusted-first: the server process's\n * `AGENT_NATIVE_OWNER_EMAIL` env (set out-of-band by the operator / deploy)\n * ALWAYS wins, and a client-supplied `X-Agent-Native-Owner-Email` header is\n * honored *only as a fallback when that env is unset*. A static `ACCESS_TOKEN`\n * is a shared bearer secret; letting a request header override a\n * server-configured owner would let anyone holding a leaked token act as any\n * user. The header path remains for the single-tenant local-dev install flow\n * where the app server process has no owner env and the token *is* the\n * workspace secret; multi-tenant deployments must use A2A JWT (verified `sub`),\n * not a static token, for per-user scope.\n *\n * Returns `undefined` when no owner email is available (true dev-open: no\n * token, no secret, no owner) so behavior there stays unchanged.\n */\nfunction deriveStaticTokenIdentity(\n ownerEmailHeader: string | undefined,\n): MCPCallerIdentity | undefined {\n const owner =\n process.env.AGENT_NATIVE_OWNER_EMAIL?.trim() ||\n (typeof ownerEmailHeader === \"string\" && ownerEmailHeader.trim()) ||\n \"\";\n if (!owner) return undefined;\n return { userEmail: owner, orgDomain: undefined };\n}\n\nfunction addSecretCandidate(\n candidates: string[],\n secret: string | null | undefined,\n): void {\n const trimmed = secret?.trim();\n if (!trimmed || candidates.includes(trimmed)) return;\n candidates.push(trimmed);\n}\n\nasync function verifyA2AJwtForMcp(\n token: string,\n): Promise<Record<string, unknown> | null> {\n const jose = await import(\"jose\");\n let unverifiedPayload: Record<string, unknown> | null = null;\n try {\n unverifiedPayload = jose.decodeJwt(token) as Record<string, unknown>;\n } catch {\n return null;\n }\n\n const candidateSecrets: string[] = [];\n addSecretCandidate(candidateSecrets, process.env.A2A_SECRET);\n\n const orgDomain =\n typeof unverifiedPayload.org_domain === \"string\"\n ? unverifiedPayload.org_domain\n : undefined;\n if (orgDomain) {\n try {\n const { getA2ASecretByDomain } = await import(\"../org/context.js\");\n addSecretCandidate(\n candidateSecrets,\n await getA2ASecretByDomain(orgDomain),\n );\n } catch {\n // DB not ready or org lookup unavailable — fall back to other candidates.\n }\n }\n\n for (const secret of candidateSecrets) {\n try {\n const { payload } = await jose.jwtVerify(\n token,\n new TextEncoder().encode(secret),\n );\n return payload as Record<string, unknown>;\n } catch {\n // Try the next candidate without exposing which secret matched.\n }\n }\n\n return null;\n}\n\n/**\n * Verify the inbound auth header. Returns:\n * - { authed: true, identity } when verified — `identity` is derived from\n * the JWT (`sub` / `org_domain`) for JWT auth, or from the\n * `AGENT_NATIVE_OWNER_EMAIL` env / `X-Agent-Native-Owner-Email` header\n * for static-token auth (the `agent-native mcp install` flow). `identity`\n * is undefined only for true dev-open with no owner hint.\n * - { authed: false } on rejection.\n *\n * When A2A_SECRET is set we extract the JWT's `sub` (caller email) and\n * `org_domain` claims so the MCP endpoint can wrap tool runs in\n * `runWithRequestContext({ userEmail, orgId })`. Without that wrap, the\n * MCP endpoint loses tenant identity and downstream `accessFilter` /\n * `resolveCredential` calls fall back to platform-wide defaults.\n *\n * `ownerEmailHeader` is the forwarded `X-Agent-Native-Owner-Email` value; it\n * is consulted ONLY on the static-token / dev-open path (never to influence\n * verified JWT identity), so the install flow runs tools as the configured\n * owner instead of an unscoped anonymous caller.\n */\nexport async function verifyAuth(\n authHeader: string | undefined,\n ownerEmailHeader?: string | undefined,\n options: { allowDevOpen?: boolean; resourceUrl?: string } = {},\n): Promise<{\n authed: boolean;\n identity?: MCPCallerIdentity;\n /**\n * The caller presented a real credential — a verified A2A/connect JWT, a\n * matching ACCESS_TOKEN, or (on the no-auth-configured path) a forwarded\n * owner-email header from `agent-native mcp install`. Drives the full vs\n * sparse MCP tool surface in local dev. The pure unauthenticated dev-open\n * path (no secret, no token, no owner header) is `false`.\n */\n fullSurface?: boolean;\n}> {\n // No auth configured → allow only when the route caller has already\n // established that this is a loopback/local dev request. Still honour an\n // owner hint there so the local install/connect flow stays tenant-scoped.\n const accessTokens = getAccessTokens();\n const hasA2ASecret = !!process.env.A2A_SECRET;\n const token = authHeader?.startsWith(\"Bearer \")\n ? authHeader.slice(7)\n : undefined;\n if (token) {\n const oauthIdentity = await verifyMcpOAuthAccessToken(\n token,\n options.resourceUrl,\n );\n if (oauthIdentity) {\n return {\n authed: true,\n identity: {\n userEmail: oauthIdentity.userEmail,\n orgDomain: oauthIdentity.orgDomain,\n oauthScopes: oauthIdentity.scopes,\n oauthClientId: oauthIdentity.clientId,\n },\n fullSurface: true,\n };\n }\n }\n if (accessTokens.length === 0 && !hasA2ASecret && !token) {\n if (options.allowDevOpen === false) {\n return { authed: false };\n }\n return {\n authed: true,\n identity: deriveStaticTokenIdentity(ownerEmailHeader),\n // `mcp install`'s stdio proxy forwards an owner-email header even when\n // the local app has no secret configured — that is a real, identified\n // caller and gets the full surface. A bare browser/curl dev probe with\n // no owner hint stays on the sparse dev surface.\n fullSurface: !!(ownerEmailHeader && ownerEmailHeader.trim()),\n };\n }\n\n if (!token) return { authed: false };\n\n // Try an A2A JWT via the shared A2A_SECRET first, then the caller org's\n // synced A2A secret when the token carries org_domain.\n const payload = await verifyA2AJwtForMcp(token);\n if (payload) {\n const tokenScope =\n typeof payload.scope === \"string\" ? payload.scope : undefined;\n if (tokenScope && tokenScope !== MCP_CONNECT_SCOPE) {\n return { authed: false };\n }\n\n // Connect-minted tokens (scope === \"mcp-connect\") carry a random `jti`\n // and are individually revocable. Only these tokens hit the revoke\n // store — ordinary A2A delegation JWTs skip the DB lookup entirely so\n // the hot path is unchanged. The signature was already\n // cryptographically verified, so failing open here only widens the\n // explicit-revoke gate, never the trust boundary.\n if (tokenScope === MCP_CONNECT_SCOPE) {\n if (typeof payload.jti !== \"string\" || !payload.jti) {\n return { authed: false };\n }\n const jti = payload.jti;\n try {\n const { isJtiRevoked, touchTokenUsed } =\n await import(\"./connect-store.js\");\n if (await isJtiRevoked(jti)) {\n return { authed: false };\n }\n // Best-effort usage telemetry — never blocks / throws.\n void touchTokenUsed(jti);\n } catch {\n // Store import / lookup failed — fail open (see comment above).\n }\n }\n\n return {\n authed: true,\n identity: {\n userEmail: typeof payload.sub === \"string\" ? payload.sub : undefined,\n orgDomain:\n typeof payload.org_domain === \"string\"\n ? (payload.org_domain as string)\n : undefined,\n },\n // Verified JWT (connect-minted or A2A delegation) — a real caller.\n fullSurface: true,\n };\n }\n\n if (accessTokens.length === 0 && !hasA2ASecret) {\n if (options.allowDevOpen === false) {\n return { authed: false };\n }\n return {\n authed: true,\n identity: deriveStaticTokenIdentity(ownerEmailHeader),\n fullSurface: !!(ownerEmailHeader && ownerEmailHeader.trim()),\n };\n }\n\n // Try ACCESS_TOKEN / ACCESS_TOKENS exact match. Static tokens carry no\n // per-caller claims, so derive identity from the forwarded owner-email\n // hint (install flow) — otherwise tools would run unscoped.\n if (accessTokens.length > 0 && accessTokens.includes(token)) {\n return {\n authed: true,\n identity: deriveStaticTokenIdentity(ownerEmailHeader),\n // Matched a configured ACCESS_TOKEN — a real caller.\n fullSurface: true,\n };\n }\n\n return { authed: false };\n}\n\nexport async function resolveOrgIdFromDomain(\n orgDomain: string | undefined,\n): Promise<string | undefined> {\n if (!orgDomain) return undefined;\n try {\n const { resolveOrgByDomain } = await import(\"../org/context.js\");\n const org = await resolveOrgByDomain(orgDomain);\n return org?.orgId ?? undefined;\n } catch {\n return undefined;\n }\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"builtin-tools.d.ts","sourceRoot":"","sources":["../../src/mcp/builtin-tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAIhE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;
|
|
1
|
+
{"version":3,"file":"builtin-tools.d.ts","sourceRoot":"","sources":["../../src/mcp/builtin-tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAIhE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AA6wBnD;;;;GAIG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,SAAS,EACjB,WAAW,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,GAChC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAS7B"}
|
|
@@ -273,7 +273,33 @@ function openAppTool(config, requestMeta) {
|
|
|
273
273
|
params = undefined;
|
|
274
274
|
}
|
|
275
275
|
}
|
|
276
|
-
const
|
|
276
|
+
const embeddedParam = params?.embed;
|
|
277
|
+
const chromeParam = params?.chrome;
|
|
278
|
+
let embed = args.embed === true || args.embed === "true";
|
|
279
|
+
if (args.embed == null &&
|
|
280
|
+
(embeddedParam === true || embeddedParam === "true")) {
|
|
281
|
+
embed = true;
|
|
282
|
+
}
|
|
283
|
+
else if (args.embed == null &&
|
|
284
|
+
(embeddedParam === false || embeddedParam === "false")) {
|
|
285
|
+
embed = false;
|
|
286
|
+
}
|
|
287
|
+
if (embeddedParam === true ||
|
|
288
|
+
embeddedParam === false ||
|
|
289
|
+
embeddedParam === "true" ||
|
|
290
|
+
embeddedParam === "false") {
|
|
291
|
+
delete params?.embed;
|
|
292
|
+
}
|
|
293
|
+
const chrome = typeof args.chrome === "string"
|
|
294
|
+
? args.chrome
|
|
295
|
+
: chromeParam === "full" || chromeParam === "minimal"
|
|
296
|
+
? chromeParam
|
|
297
|
+
: undefined;
|
|
298
|
+
if (chromeParam === "full" || chromeParam === "minimal") {
|
|
299
|
+
delete params?.chrome;
|
|
300
|
+
}
|
|
301
|
+
if (params && Object.keys(params).length === 0)
|
|
302
|
+
params = undefined;
|
|
277
303
|
const directViewPath = embed && view ? viewToAppPath(view) : null;
|
|
278
304
|
const relUrl = path
|
|
279
305
|
? appendParamsToPath(path, params)
|
|
@@ -307,7 +333,7 @@ function openAppTool(config, requestMeta) {
|
|
|
307
333
|
ownerEmail,
|
|
308
334
|
orgId: ctx?.orgId,
|
|
309
335
|
targetPath,
|
|
310
|
-
scope:
|
|
336
|
+
scope: chrome ?? null,
|
|
311
337
|
});
|
|
312
338
|
const startPath = buildEmbedStartPath(ticket.ticket);
|
|
313
339
|
embedStartUrl = requestMeta?.origin
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"builtin-tools.js","sourceRoot":"","sources":["../../src/mcp/builtin-tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAGH,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,+BAA+B,EAAE,MAAM,yBAAyB,CAAC;AAE1E,OAAO,EAAE,YAAY,EAAe,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAU1C;;;;GAIG;AACH,SAAS,IAAI,CACX,WAAmB,EACnB,UAAmB,EACnB,QAAmB;IAEnB,IAAI,CAAC,UAAU;QAAE,OAAO,EAAE,WAAW,EAAE,CAAC;IACxC,OAAO;QACL,WAAW;QACX,UAAU,EAAE;YACV,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,UAAU;YACtB,GAAG,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACrD;KACF,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,YAAY,CAAC,MAAiB;IACrC,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;AAC9D,CAAC;AAED,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,0BAA0B,CAAC,CAAC;AAE7D,SAAS,WAAW,CAAC,GAAY;IAC/B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IACxD,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACzB,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnE,IAAI,wBAAwB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,kBAAkB,CACzB,IAAY,EACZ,MAA6D;IAE7D,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,6BAA6B,CAAC,CAAC;IACzD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;AACnD,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC1B,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,OAAO,WAAW,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,IAAI,GAAG,wBAAwB,EAAE,CAAC;IACxC,IAAI,CAAC,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACvE,OAAO,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,sBAAsB,CAAC,IAAY;IAC1C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,6BAA6B,CAAC,CAAC;QACzD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;QAC3D,OAAO,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,UAAU,sBAAsB,CACnC,MAAiB,EACjB,WAAmB;IAEnB,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAChD,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,YAAY,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,IAAI,CAAC;QACH,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;QACpE,MAAM,EAAE,GAAG,MAAM,gBAAgB,EAAE,CAAC;QACpC,IAAI,CAAC,EAAE,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QACjC,MAAM,KAAK,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,CAAC;QACjE,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,SAAS,YAAY,CACnB,MAAiB,EACjB,WAAiC;IAEjC,OAAO;QACL,IAAI,EAAE,IAAI,CACR,qEAAqE;YACnE,mEAAmE;YACnE,kEAAkE;YAClE,qDAAqD,CACxD;QACD,QAAQ,EAAE,IAAI;QACd,YAAY,EAAE,IAAI;QAClB,GAAG,EAAE,KAAK,IAAI,EAAE;YACd,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;YACpE,MAAM,EAAE,GAAG,MAAM,gBAAgB,EAAE,CAAC;YAEpC,kEAAkE;YAClE,iEAAiE;YACjE,sEAAsE;YACtE,kEAAkE;YAClE,kEAAkE;YAClE,gEAAgE;YAChE,qEAAqE;YACrE,iBAAiB;YACjB,MAAM,UAAU,GAAG,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC;YAClE,IAAI,QAAQ,GAAG,CAAC,CAAC;YACjB,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,CAAC;oBACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;oBAC9B,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACpE,CAAC;gBAAC,MAAM,CAAC;oBACP,QAAQ,GAAG,CAAC,CAAC;gBACf,CAAC;YACH,CAAC;YACD,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YAClD,MAAM,MAAM,GAAG,CAAC,EAAU,EAAE,EAAE,CAC5B,CAAC,CAAC,UAAU;gBACZ,CAAC,CAAC,EAAE,CAAC,WAAW,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,CAAC,CAAC;YAUjE,MAAM,IAAI,GAAe,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACzC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;gBACV,CAAC,CAAC;oBACE,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,GAAG,EAAE,UAAU;oBACf,IAAI,EAAE,CAAC,QAAQ,IAAI,CAAC,CAAC,IAAI,CAAuB;oBAChD,OAAO,EAAE,IAAI;oBACb,MAAM,EAAE,WAAoB;iBAC7B;gBACH,CAAC,CAAC;oBACE,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,GAAG,EAAE,CAAC,CAAC,GAAG;oBACV,IAAI,EAAE,CAAC,CAAC,IAA0B;oBAClC,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,MAAM,EAAE,WAAoB;iBAC7B,CACN,CAAC;YACF,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;YAC7D,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;YAExE,qEAAqE;YACrE,qEAAqE;YACrE,8DAA8D;YAC9D,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC;gBACjC,MAAM,EAAE,YAAY,CAAC,MAAM,CAAC;aAC7B,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAc,CAAC,CAAC;YAC/B,KAAK,MAAM,EAAE,IAAI,OAAO,EAAE,CAAC;gBACzB,MAAM,KAAK,GAAG,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC;gBAClC,MAAM,SAAS,GAAG,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;gBAC7C,gEAAgE;gBAChE,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC;oBAAE,SAAS;gBAC/D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACnB,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBAC3B,IAAI,CAAC,IAAI,CAAC;oBACR,EAAE,EAAE,EAAE,CAAC,EAAE;oBACT,GAAG,EAAE,EAAE,CAAC,GAAG;oBACX,IAAI,EAAE,SAAS;oBACf,OAAO,EAAE,IAAI;oBACb,MAAM,EAAE,eAAe;iBACxB,CAAC,CAAC;YACL,CAAC;YAED,OAAO;gBACL,SAAS,EAAE,EAAE,CAAC,WAAW;gBACzB,UAAU,EAAE,EAAE,CAAC,UAAU;gBACzB,IAAI;aACL,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,WAAW;AACX,8EAA8E;AAE9E,SAAS,WAAW,CAClB,MAAiB,EACjB,WAAiC;IAEjC,OAAO;QACL,IAAI,EAAE,IAAI,CACR,mEAAmE;YACjE,mCAAmC;YACnC,wEAAwE;YACxE,uEAAuE;YACvE,oCAAoC,EACtC;YACE,GAAG,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,qBAAqB,EAAE;YAC3D,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,WAAW,EACT,uFAAuF;aAC1F;YACD,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,WAAW,EACT,gIAAgI;aACnI;YACD,MAAM,EAAE;gBACN,IAAI,EAAE,QAAQ;gBACd,WAAW,EACT,iEAAiE;aACpE;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,SAAS;gBACf,WAAW,EACT,8FAA8F;aACjG;YACD,MAAM,EAAE;gBACN,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC;gBACzB,WAAW,EACT,sEAAsE;aACzE;SACF,EACD,CAAC,KAAK,CAAC,CACR;QACD,QAAQ,EAAE,IAAI;QACd,YAAY,EAAE,IAAI;QAClB,GAAG,EAAE,KAAK,EAAE,IAAyB,EAAE,EAAE;YACvC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAC1C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5C,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;YAC1E,CAAC;YACD,IAAI,MAA6D,CAAC;YAClE,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC;YACxB,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACnC,MAAM,GAAG,GAAgD,CAAC;YAC5D,CAAC;iBAAM,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;gBACjD,IAAI,CAAC;oBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC3B,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,GAAG,SAAS,CAAC;gBACrB,CAAC;YACH,CAAC;YACD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,KAAK,IAAI,IAAI,IAAI,CAAC,KAAK,KAAK,MAAM,CAAC;YAC3D,MAAM,cAAc,GAAG,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YAClE,MAAM,MAAM,GAAG,IAAI;gBACjB,CAAC,CAAC,kBAAkB,CAAC,IAAI,EAAE,MAAM,CAAC;gBAClC,CAAC,CAAC,cAAc;oBACd,CAAC,CAAC,kBAAkB,CAAC,cAAc,EAAE,MAAM,CAAC;oBAC5C,CAAC,CAAC,aAAa,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;YAC3C,MAAM,UAAU,GACd,IAAI,IAAI,cAAc,CAAC,CAAC,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;YAEnE,uEAAuE;YACvE,mEAAmE;YACnE,qEAAqE;YACrE,oEAAoE;YACpE,oEAAoE;YACpE,MAAM,SAAS,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YAC5D,MAAM,MAAM,GAAG,SAAS;gBACtB,CAAC,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,MAAM,EAAE;gBACpD,CAAC,CAAC,UAAU,CAAC;YACf,MAAM,GAAG,GAAG,MAAM,CAAC;YACnB,IAAI,aAAiC,CAAC;YACtC,IAAI,eAAmC,CAAC;YACxC,IAAI,cAAkC,CAAC;YAEvC,IAAI,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;gBACxB,MAAM,EAAE,iBAAiB,EAAE,GACzB,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;gBAC/C,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;gBAChC,MAAM,UAAU,GAAG,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;gBAC1C,IAAI,UAAU,EAAE,CAAC;oBACf,MAAM,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,GAC1D,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;oBAC7C,MAAM,EAAE,mBAAmB,EAAE,GAC3B,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;oBAC3C,MAAM,UAAU,GAAG,wBAAwB,CACzC,sBAAsB,CAAC,GAAG,CAAC,EAC3B,WAAW,EAAE,MAAM,CACpB,CAAC;oBACF,IAAI,UAAU,EAAE,CAAC;wBACf,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAAC;4BAC5C,UAAU;4BACV,KAAK,EAAE,GAAG,EAAE,KAAK;4BACjB,UAAU;4BACV,KAAK,EAAE,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI;yBAC5D,CAAC,CAAC;wBACH,MAAM,SAAS,GAAG,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;wBACrD,aAAa,GAAG,WAAW,EAAE,MAAM;4BACjC,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE;4BACnD,CAAC,CAAC,SAAS,CAAC;wBACd,eAAe,GAAG,UAAU,CAAC;wBAC7B,cAAc,GAAG,MAAM,CAAC,SAAS,CAAC;oBACpC,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO;gBACL,GAAG;gBACH,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACzB,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACzB,GAAG;gBACH,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3C,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC/C,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC7C,KAAK;aACN,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE;YACnB,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACvD,MAAM,CAAC,GAAG,MAKT,CAAC;YACF,IAAI,CAAC,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC;YACzB,IAAI,CAAC,CAAC,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAC;YACxB,OAAO;gBACL,GAAG,EAAE,CAAC,CAAC,GAAG;gBACV,KAAK,EAAE,QAAQ,CAAC,CAAC,GAAG,IAAI,KAAK,EAAE;gBAC/B,IAAI,EAAE,CAAC,CAAC,IAAI;aACb,CAAC;QACJ,CAAC;QACD,MAAM,EAAE;YACN,QAAQ,EAAE,QAAQ,CAAC;gBACjB,KAAK,EAAE,UAAU;gBACjB,WAAW,EAAE,wCAAwC;gBACrD,WAAW,EAAE,kBAAkB;gBAC/B,SAAS,EAAE,UAAU;aACtB,CAAC;SACH;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,SAAS,sBAAsB,CAAC,WAE/B;IACC,OAAO;QACL,IAAI,EAAE;YACJ,GAAG,IAAI,CACL,qJAAqJ,EACrJ;gBACE,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,WAAW,EACT,yDAAyD;iBAC5D;gBACD,IAAI,EAAE;oBACJ,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,yCAAyC;iBACvD;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC;oBACzB,WAAW,EAAE,4CAA4C;iBAC1D;aACF,CACF;YACD,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE;SACzB;QACf,0EAA0E;QAC1E,uEAAuE;QACvE,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,IAAI;QAClB,GAAG,EAAE,KAAK,EAAE,IAAyB,EAAE,EAAE;YACvC,MAAM,EAAE,iBAAiB,EAAE,GACzB,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;YAC/C,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;YAChC,MAAM,UAAU,GAAG,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;YAC1C,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CACb,4DAA4D,CAC7D,CAAC;YACJ,CAAC;YAED,MAAM,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,GAC1D,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;YAC7C,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;YACzE,MAAM,SAAS,GACb,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE;gBAC7C,CAAC,CAAC,IAAI,CAAC,GAAG;gBACV,CAAC,CAAC,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ;oBAC7B,CAAC,CAAC,IAAI,CAAC,IAAI;oBACX,CAAC,CAAC,EAAE,CAAC;YACX,MAAM,UAAU,GAAG,wBAAwB,CACzC,SAAS,EACT,WAAW,EAAE,MAAM,CACpB,CAAC;YACF,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CACb,oEAAoE,CACrE,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAAC;gBAC5C,UAAU;gBACV,KAAK,EAAE,GAAG,EAAE,KAAK;gBACjB,UAAU;gBACV,KAAK,EAAE,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI;aAC5D,CAAC,CAAC;YACH,MAAM,SAAS,GAAG,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACrD,MAAM,QAAQ,GAAG,WAAW,EAAE,MAAM;gBAClC,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE;gBACnD,CAAC,CAAC,SAAS,CAAC;YACd,OAAO;gBACL,QAAQ;gBACR,UAAU;gBACV,SAAS,EAAE,MAAM,CAAC,SAAS;aAC5B,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,KAAK,UAAU,eAAe,CAC5B,MAAc,EACd,EAAU,EACV,OAAe;IAEf,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;IACvD,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IACvE,sEAAsE;IACtE,0EAA0E;IAC1E,0EAA0E;IAC1E,uBAAuB;IACvB,MAAM,IAAI,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,MAAM,EAAE,OAAO,EAAE;QAChD,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,yDAAyD;QACzD,SAAS,EAAE,CAAC,GAAG,MAAM;KACtB,CAAC,CAAC;IACH,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;AACjD,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,UAAU,CAAC,MAAiB;IACnC,OAAO;QACL,IAAI,EAAE,IAAI,CACR,mEAAmE;YACjE,kEAAkE;YAClE,oEAAoE;YACpE,+DAA+D;YAC/D,oEAAoE;YACpE,gEAAgE,EAClE;YACE,GAAG,EAAE;gBACH,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,uDAAuD;aACrE;YACD,OAAO,EAAE;gBACP,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,wCAAwC;aACtD;SACF,EACD,CAAC,SAAS,CAAC,CACZ;QACD,GAAG,EAAE,KAAK,EAAE,IAAyB,EAAE,EAAE;YACvC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAClD,IAAI,CAAC,OAAO;gBAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;YAC/D,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YAEpC,qEAAqE;YACrE,iEAAiE;YACjE,mEAAmE;YACnE,oEAAoE;YACpE,MAAM,SAAS,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;YACrE,IAAI,SAAS,EAAE,CAAC;gBACd,IAAI,CAAC;oBACH,OAAO,MAAM,eAAe,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;gBACxE,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,oEAAoE;oBACpE,kDAAkD;oBAClD,MAAM,IAAI,KAAK,CACb,+BAA+B,SAAS,CAAC,EAAE,aAAa;wBACtD,GAAG,GAAG,EAAE,OAAO,IAAI,GAAG,EAAE,CAC3B,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,kEAAkE;YAClE,oEAAoE;YACpE,mEAAmE;YACnE,uEAAuE;YACvE,oEAAoE;YACpE,IAAI,YAAY,IAAI,YAAY,CAAC,WAAW,EAAE,KAAK,MAAM,EAAE,CAAC;gBAC1D,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,KAAK,CAClD,GAAG,EAAE,CAAC,EAAc,CACrB,CAAC;gBACF,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAC3B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,WAAW,EAAE,CAC3C,CAAC;gBACF,IAAI,QAAQ,EAAE,CAAC;oBACb,IAAI,CAAC;wBACH,OAAO,MAAM,eAAe,CAAC,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;oBACtE,CAAC;oBAAC,OAAO,GAAQ,EAAE,CAAC;wBAClB,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,EAAE,YAAY;4BACpD,oBAAoB,GAAG,EAAE,OAAO,IAAI,GAAG,EAAE,CAC5C,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;YAED,wEAAwE;YACxE,wEAAwE;YACxE,iDAAiD;YACjD,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACrB,MAAM,IAAI,KAAK,CACb,2DAA2D,CAC5D,CAAC;YACJ,CAAC;YAED,qEAAqE;YACrE,iEAAiE;YACjE,MAAM,UAAU,GACd,CAAC,CAAC,YAAY,IAAI,YAAY,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC;YAC1D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;gBACL,GAAG,EAAE,MAAM;gBACX,SAAS,EAAE,OAAO;gBAClB,GAAG,CAAC,UAAU;oBACZ,CAAC,CAAC;wBACE,IAAI,EACF,kBAAkB,YAAY,iCAAiC;4BAC/D,iCAAiC,MAAM,aAAa;qBACvD;oBACH,CAAC,CAAC,EAAE,CAAC;gBACP,QAAQ;aACT,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E,SAAS,iBAAiB;IACxB,OAAO;QACL,IAAI,EAAE,IAAI,CACR,yEAAyE;YACvE,gCAAgC,CACnC;QACD,QAAQ,EAAE,IAAI;QACd,YAAY,EAAE,IAAI;QAClB,GAAG,EAAE,KAAK,IAAI,EAAE;YACd,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;YACtE,OAAO;gBACL,SAAS,EAAE,gBAAgB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACxC,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,KAAK,EAAE,CAAC,CAAC,KAAK;oBACd,IAAI,EAAE,CAAC,CAAC,IAAI;iBACb,CAAC,CAAC;aACJ,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,SAAS,sBAAsB;IAC7B,OAAO;QACL,IAAI,EAAE,IAAI,CACR,qEAAqE;YACnE,sEAAsE;YACtE,6CAA6C,EAC/C;YACE,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,mDAAmD;aACjE;YACD,QAAQ,EAAE;gBACR,IAAI,EAAE,QAAQ;gBACd,WAAW,EACT,uEAAuE;aAC1E;SACF,EACD,CAAC,MAAM,EAAE,UAAU,CAAC,CACrB;QACD,GAAG,EAAE,KAAK,EAAE,IAAyB,EAAE,EAAE;YACvC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACpD,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CACb,2DAA2D,CAC5D,CAAC;YACJ,CAAC;YAED,oEAAoE;YACpE,yEAAyE;YACzE,yEAAyE;YACzE,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;YACtE,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,gBAAgB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YAC/D,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CACb,aAAa,QAAQ,mCAAmC,CAAC,GAAG,OAAO,CAAC;qBACjE,IAAI,EAAE;qBACN,IAAI,CAAC,IAAI,CAAC,EAAE,CAChB,CAAC;YACJ,CAAC;YAED,MAAM,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,GAC3C,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;YACzC,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;YACnC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;YAEvC,MAAM,IAAI,GAAG,iBAAiB,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;YAC9C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,KAAK,CACb,+DAA+D;oBAC7D,oDAAoD,CACvD,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;YAC7C,MAAM,cAAc,GAAG,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YAE7C,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,8DAA8D;gBAC9D,iEAAiE;gBACjE,oEAAoE;gBACpE,qEAAqE;gBACrE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;gBAC9B,IAAI,CAAC;oBACH,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBACpB,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;oBAC/D,MAAM,iBAAiB,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC/D,CAAC;wBAAS,CAAC;oBACT,IAAI,CAAC;wBACH,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;oBACzB,CAAC;oBAAC,MAAM,CAAC;wBACP,0BAA0B;oBAC5B,CAAC;gBACH,CAAC;YACH,CAAC;YAED,iEAAiE;YACjE,mEAAmE;YACnE,uEAAuE;YACvE,qDAAqD;YACrD,MAAM,EAAE,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,OAAO,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,CAAC;YACnD,MAAM,IAAI,GAAG,OAAO,EAAE,IAAI,CAAC;YAC3B,mEAAmE;YACnE,iEAAiE;YACjE,qEAAqE;YACrE,mEAAmE;YACnE,6DAA6D;YAC7D,MAAM,WAAW,GAAG,aAAa,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;YAC/D,MAAM,QAAQ,GAAG,OAAO,EAAE,GAAG;gBAC3B,CAAC,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,WAAW,EAAE;gBACpD,CAAC,CAAC,WAAW,CAAC;YAEhB,OAAO;gBACL,IAAI;gBACJ,QAAQ;gBACR,OAAO,EAAE,CAAC,cAAc;gBACxB,MAAM,EAAE,cAAc;gBACtB,IAAI;gBACJ,GAAG,EAAE,OAAO,EAAE,GAAG;gBACjB,UAAU,EAAE,EAAE,CAAC,UAAU;gBACzB,QAAQ;aACT,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE;YACnB,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACvD,MAAM,CAAC,GAAG,MAA8C,CAAC;YACzD,IAAI,CAAC,CAAC,CAAC,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAC7B,OAAO;gBACL,GAAG,EAAE,CAAC,CAAC,QAAQ;gBACf,KAAK,EAAE,QAAQ,CAAC,CAAC,IAAI,IAAI,KAAK,EAAE;gBAChC,IAAI,EAAE,MAAM;aACb,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,WAAW;AACX,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,UAAU,uBAAuB,CACrC,MAAiB,EACjB,WAAiC;IAEjC,OAAO;QACL,SAAS,EAAE,YAAY,CAAC,MAAM,EAAE,WAAW,CAAC;QAC5C,QAAQ,EAAE,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC;QAC1C,oBAAoB,EAAE,sBAAsB,CAAC,WAAW,CAAC;QACzD,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC;QAC3B,oBAAoB,EAAE,sBAAsB,EAAE;QAC9C,cAAc,EAAE,iBAAiB,EAAE;KACpC,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Generic cross-app MCP tools — a stable verb set every external agent gets\n * regardless of which template it is talking to.\n *\n * These are merged into the MCP action registry by\n * `createMCPServerForRequest` (see `build-server.ts`). **Precedence: template\n * actions win.** If a template defines an action named `list_apps` /\n * `open_app` / `ask_app` / `create_workspace_app` / `list_templates`, the\n * template's `ActionEntry` overwrites the builtin of the same name. This is\n * the same template-over-framework precedence `autoDiscoverActions` uses.\n *\n * | Tool | Side effects | Returns |\n * | --------------------- | ------------ | ---------------------------------------- |\n * | `list_apps` | none | `{ apps: [{ id, url, running }] }` |\n * | `open_app` | none | `{ url }` (+ deep-link `link`) |\n * | `create_embed_session`| ticket mint | `{ startUrl }` for MCP App iframes |\n * | `ask_app` | agent loop | `{ app, routedVia, response }` |\n * | `create_workspace_app`| scaffolds | `{ name, url, port, deepLink }` (+ link) |\n *\n * `open_app` / `create_workspace_app` return an **absolute** URL on the\n * *target* app's origin when it differs from this app (so a workspace link\n * lands in the right app), and a relative path for the same app / standalone.\n * `ask_app` routes to a *different* workspace app over A2A when possible and\n * reports `routedVia: \"a2a\"`; otherwise it answers locally\n * (`routedVia: \"local\"`) and never falsely claims cross-app delegation.\n * | `list_templates` | none | `{ templates: [...] }` (allow-list only) |\n *\n * Node-only at call time (workspace resolution + scaffolding use `fs`), but\n * the module has no top-level Node imports so it bundles fine alongside\n * `mountMCP` — the Node bits are dynamically imported inside `run()`.\n */\n\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport { buildDeepLink } from \"../server/deep-link.js\";\nimport { getConfiguredAppBasePath } from \"../server/app-base-path.js\";\nimport { MCP_APP_CHAT_BRIDGE_QUERY_PARAM } from \"../shared/embed-auth.js\";\nimport type { MCPConfig } from \"./build-server.js\";\nimport { fetchOrgApps, type OrgApp } from \"./org-directory.js\";\nimport { embedApp } from \"./embed-app.js\";\n\nimport type { ActionTool } from \"../agent/types.js\";\n\n/** Flat map of param name → JSON-schema property. */\ntype Params = Record<\n string,\n { type: string; description?: string; enum?: string[] }\n>;\n\n/**\n * Build an `ActionTool`. `parameters` is wrapped in the\n * `{ type:\"object\", properties, required }` shape `createMCPServerForRequest`\n * forwards verbatim as the MCP tool `inputSchema`.\n */\nfunction tool(\n description: string,\n parameters?: Params,\n required?: string[],\n): ActionTool {\n if (!parameters) return { description };\n return {\n description,\n parameters: {\n type: \"object\",\n properties: parameters,\n ...(required && required.length ? { required } : {}),\n },\n };\n}\n\n/**\n * The canonical app id this MCP server is mounted for. `MCPConfig.appId` is\n * authoritative; fall back to lowercasing `name` (which is the capitalized\n * app id at every call site) for back-compat with configs that predate the\n * `appId` field.\n */\nfunction currentAppId(config: MCPConfig): string {\n return (config.appId || config.name || \"app\").toLowerCase();\n}\n\nconst CONTROL_CHARS = new RegExp(\"[\\\\u0000-\\\\u001f\\\\u007f]\");\n\nfunction safeAppPath(raw: unknown): string | null {\n if (typeof raw !== \"string\" || !raw.trim()) return null;\n const value = raw.trim();\n if (CONTROL_CHARS.test(value)) return null;\n if (!value.startsWith(\"/\")) return null;\n if (value.startsWith(\"//\") || value.startsWith(\"/\\\\\")) return null;\n if (/^\\/[a-z][a-z0-9+.-]*:/i.test(value)) return null;\n return value;\n}\n\nfunction appendParamsToPath(\n path: string,\n params: Record<string, string | number | boolean> | undefined,\n): string {\n if (!params || Object.keys(params).length === 0) return path;\n const url = new URL(path, \"http://agent-native.invalid\");\n for (const [key, value] of Object.entries(params)) {\n url.searchParams.set(key, String(value));\n }\n return `${url.pathname}${url.search}${url.hash}`;\n}\n\nfunction viewToAppPath(view: string): string | null {\n const value = view.trim();\n if (!value) return null;\n return safeAppPath(value.startsWith(\"/\") ? value : `/${value}`);\n}\n\nfunction withConfiguredBasePath(path: string): string {\n const base = getConfiguredAppBasePath();\n if (!base || path === base || path.startsWith(`${base}/`)) return path;\n return `${base}${path}`;\n}\n\nfunction withMcpChatBridgeParam(path: string): string {\n try {\n const url = new URL(path, \"http://agent-native.invalid\");\n url.searchParams.set(MCP_APP_CHAT_BRIDGE_QUERY_PARAM, \"1\");\n return `${url.pathname}${url.search}${url.hash}`;\n } catch {\n return path;\n }\n}\n\n/**\n * Resolve the absolute origin of a *target* workspace app (e.g.\n * `http://127.0.0.1:8101`) so cross-app deep links / A2A calls point at the\n * right app instead of the current request's origin. Reuses the same\n * workspace resolution `list_apps` / the stdio proxy use.\n *\n * Returns `null` when:\n * - the target is the current app (caller should keep relative behavior),\n * - there is no workspace info (standalone / single app), or\n * - the target app is unknown.\n */\nasync function resolveTargetAppOrigin(\n config: MCPConfig,\n targetAppId: string,\n): Promise<{ origin: string; id: string } | null> {\n const target = targetAppId.trim().toLowerCase();\n if (!target || target === currentAppId(config)) return null;\n try {\n const { resolveWorkspace } = await import(\"./workspace-resolve.js\");\n const ws = await resolveWorkspace();\n if (!ws.isWorkspace) return null;\n const match = ws.apps.find((a) => a.id.toLowerCase() === target);\n if (!match) return null;\n return { origin: match.url, id: match.id };\n } catch {\n return null;\n }\n}\n\n// ---------------------------------------------------------------------------\n// list_apps\n// ---------------------------------------------------------------------------\n\nfunction listAppsTool(\n config: MCPConfig,\n requestMeta?: { origin?: string },\n): ActionEntry {\n return {\n tool: tool(\n \"List the workspace apps and their URLs. Use this to discover which \" +\n \"apps exist before opening or asking one. In a single-app project \" +\n \"this returns just that app. When an org directory is configured \" +\n \"this also includes the org's deployed sibling apps.\",\n ),\n readOnly: true,\n parallelSafe: true,\n run: async () => {\n const { resolveWorkspace } = await import(\"./workspace-resolve.js\");\n const ws = await resolveWorkspace();\n\n // The MCP request is served BY the current app, so it is provably\n // reachable at the inbound request origin — that beats a guessed\n // `PORT || 5173` probe (which reports the wrong URL + `running:false`\n // whenever the dev server picked a non-default port, e.g. `agent-\n // native dev` on :8080). For the entry that IS this app (the sole\n // entry when single-app, or the id matching `config.appId` in a\n // workspace) prefer the live origin; other workspace apps keep their\n // probed values.\n const liveOrigin = requestMeta?.origin?.replace(/\\/+$/, \"\") || \"\";\n let livePort = 0;\n if (liveOrigin) {\n try {\n const u = new URL(liveOrigin);\n livePort = Number(u.port) || (u.protocol === \"https:\" ? 443 : 80);\n } catch {\n livePort = 0;\n }\n }\n const selfId = (config.appId ?? \"\").toLowerCase();\n const isSelf = (id: string) =>\n !!liveOrigin &&\n (!ws.isWorkspace || (!!selfId && id.toLowerCase() === selfId));\n\n interface AppEntry {\n id: string;\n url: string;\n port: number | undefined;\n running: boolean;\n source: \"workspace\" | \"org-directory\";\n }\n\n const apps: AppEntry[] = ws.apps.map((a) =>\n isSelf(a.id)\n ? {\n id: a.id,\n url: liveOrigin,\n port: (livePort || a.port) as number | undefined,\n running: true,\n source: \"workspace\" as const,\n }\n : {\n id: a.id,\n url: a.url,\n port: a.port as number | undefined,\n running: a.running,\n source: \"workspace\" as const,\n },\n );\n const seenIds = new Set(apps.map((a) => a.id.toLowerCase()));\n const seenOrigins = new Set(apps.map((a) => a.url.replace(/\\/+$/, \"\")));\n\n // Merge the org directory's deployed sibling apps. Inactive (no env)\n // or any failure ⇒ fetchOrgApps() returns [] and this is a no-op, so\n // the existing local/workspace behavior is preserved exactly.\n const orgApps = await fetchOrgApps({\n selfId: currentAppId(config),\n }).catch(() => [] as OrgApp[]);\n for (const oa of orgApps) {\n const idKey = oa.id.toLowerCase();\n const originKey = oa.url.replace(/\\/+$/, \"\");\n // Dedupe by id OR origin — a workspace app already listed wins.\n if (seenIds.has(idKey) || seenOrigins.has(originKey)) continue;\n seenIds.add(idKey);\n seenOrigins.add(originKey);\n apps.push({\n id: oa.id,\n url: oa.url,\n port: undefined,\n running: true,\n source: \"org-directory\",\n });\n }\n\n return {\n workspace: ws.isWorkspace,\n gatewayUrl: ws.gatewayUrl,\n apps,\n };\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// open_app\n// ---------------------------------------------------------------------------\n\nfunction openAppTool(\n config: MCPConfig,\n requestMeta?: { origin?: string },\n): ActionEntry {\n return {\n tool: tool(\n \"Build a deep link that opens an app at a specific view/record or \" +\n \"focused route/component. No side \" +\n \"effects — returns a URL the user can click to land in the running UI. \" +\n \"Set embed:true when a UI-capable MCP host should render the live app \" +\n \"or focused route/component inline.\",\n {\n app: { type: \"string\", description: \"App id, e.g. 'mail'\" },\n view: {\n type: \"string\",\n description:\n \"Target view, e.g. 'inbox' (maps to navigate command). Optional when path is provided.\",\n },\n path: {\n type: \"string\",\n description:\n \"Optional app route to open directly, e.g. '/extensions/abc', '/adhoc/q2', or '/chart?panel=...'. Must be same-origin relative.\",\n },\n params: {\n type: \"object\",\n description:\n \"Optional record-focus / filter params, e.g. { threadId: 'abc' }\",\n },\n embed: {\n type: \"boolean\",\n description:\n \"Render the full app or focused route/component inline in MCP Apps when the host supports it.\",\n },\n chrome: {\n type: \"string\",\n enum: [\"full\", \"minimal\"],\n description:\n \"Embed chrome preference for compatible app routes. Defaults to full.\",\n },\n },\n [\"app\"],\n ),\n readOnly: true,\n parallelSafe: true,\n run: async (args: Record<string, any>) => {\n const app = String(args.app ?? \"\").trim();\n const view = String(args.view ?? \"\").trim();\n const path = safeAppPath(args.path);\n if (!app || (!view && !path)) {\n throw new Error(\"open_app requires 'app' and either 'view' or 'path'.\");\n }\n let params: Record<string, string | number | boolean> | undefined;\n const raw = args.params;\n if (raw && typeof raw === \"object\") {\n params = raw as Record<string, string | number | boolean>;\n } else if (typeof raw === \"string\" && raw.trim()) {\n try {\n params = JSON.parse(raw);\n } catch {\n params = undefined;\n }\n }\n const embed = args.embed === true || args.embed === \"true\";\n const directViewPath = embed && view ? viewToAppPath(view) : null;\n const relUrl = path\n ? appendParamsToPath(path, params)\n : directViewPath\n ? appendParamsToPath(directViewPath, params)\n : buildDeepLink({ app, view, params });\n const sameAppUrl =\n path || directViewPath ? withConfiguredBasePath(relUrl) : relUrl;\n\n // Cross-app target in a workspace: resolve the TARGET app's origin and\n // return an absolute URL. Otherwise the MCP layer would prefix the\n // relative path with the CURRENT request origin, landing the user in\n // the wrong app (e.g. open_app({app:\"calendar\"}) served from Mail).\n // Same-app / standalone keeps the relative path (current behavior).\n const targetApp = await resolveTargetAppOrigin(config, app);\n const appUrl = targetApp\n ? `${targetApp.origin.replace(/\\/+$/, \"\")}${relUrl}`\n : sameAppUrl;\n const url = appUrl;\n let embedStartUrl: string | undefined;\n let embedTargetPath: string | undefined;\n let embedExpiresAt: number | undefined;\n\n if (embed && !targetApp) {\n const { getRequestContext } =\n await import(\"../server/request-context.js\");\n const ctx = getRequestContext();\n const ownerEmail = ctx?.userEmail?.trim();\n if (ownerEmail) {\n const { normalizeEmbedTargetPath, createEmbedSessionTicket } =\n await import(\"../server/embed-session.js\");\n const { buildEmbedStartPath } =\n await import(\"../server/embed-route.js\");\n const targetPath = normalizeEmbedTargetPath(\n withMcpChatBridgeParam(url),\n requestMeta?.origin,\n );\n if (targetPath) {\n const ticket = await createEmbedSessionTicket({\n ownerEmail,\n orgId: ctx?.orgId,\n targetPath,\n scope: typeof args.chrome === \"string\" ? args.chrome : null,\n });\n const startPath = buildEmbedStartPath(ticket.ticket);\n embedStartUrl = requestMeta?.origin\n ? new URL(startPath, requestMeta.origin).toString()\n : startPath;\n embedTargetPath = targetPath;\n embedExpiresAt = ticket.expiresAt;\n }\n }\n }\n\n return {\n app,\n ...(view ? { view } : {}),\n ...(path ? { path } : {}),\n url,\n ...(embedStartUrl ? { embedStartUrl } : {}),\n ...(embedTargetPath ? { embedTargetPath } : {}),\n ...(embedExpiresAt ? { embedExpiresAt } : {}),\n embed,\n };\n },\n link: ({ result }) => {\n if (!result || typeof result !== \"object\") return null;\n const r = result as {\n url?: string;\n app?: string;\n view?: string;\n embed?: boolean;\n };\n if (r.embed) return null;\n if (!r.url) return null;\n return {\n url: r.url,\n label: `Open ${r.app ?? \"app\"}`,\n view: r.view,\n };\n },\n mcpApp: {\n resource: embedApp({\n title: \"Open app\",\n description: \"Render the requested app route inline.\",\n iframeTitle: \"Agent Native app\",\n openLabel: \"Open app\",\n }),\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// create_embed_session\n// ---------------------------------------------------------------------------\n\nfunction createEmbedSessionTool(requestMeta?: {\n origin?: string;\n}): ActionEntry {\n return {\n tool: {\n ...tool(\n \"MCP Apps helper: create a one-time browser embed session for a same-origin app URL. Usually called by an MCP App iframe, not directly by the model.\",\n {\n url: {\n type: \"string\",\n description:\n \"Same-origin absolute URL or app-relative path to embed.\",\n },\n path: {\n type: \"string\",\n description: \"Same-origin app-relative path to embed.\",\n },\n chrome: {\n type: \"string\",\n enum: [\"full\", \"minimal\"],\n description: \"Embed chrome preference. Defaults to full.\",\n },\n },\n ),\n _meta: { ui: { visibility: [\"app\"] } },\n } as ActionTool,\n // App-only bootstrap helper: the ticket becomes a normal browser session,\n // so keep it write-scoped until embed sessions can enforce MCP scopes.\n readOnly: false,\n parallelSafe: true,\n run: async (args: Record<string, any>) => {\n const { getRequestContext } =\n await import(\"../server/request-context.js\");\n const ctx = getRequestContext();\n const ownerEmail = ctx?.userEmail?.trim();\n if (!ownerEmail) {\n throw new Error(\n \"create_embed_session requires an authenticated MCP caller.\",\n );\n }\n\n const { normalizeEmbedTargetPath, createEmbedSessionTicket } =\n await import(\"../server/embed-session.js\");\n const { buildEmbedStartPath } = await import(\"../server/embed-route.js\");\n const rawTarget =\n typeof args.url === \"string\" && args.url.trim()\n ? args.url\n : typeof args.path === \"string\"\n ? args.path\n : \"\";\n const targetPath = normalizeEmbedTargetPath(\n rawTarget,\n requestMeta?.origin,\n );\n if (!targetPath) {\n throw new Error(\n \"create_embed_session can only embed same-origin app-relative URLs.\",\n );\n }\n\n const ticket = await createEmbedSessionTicket({\n ownerEmail,\n orgId: ctx?.orgId,\n targetPath,\n scope: typeof args.chrome === \"string\" ? args.chrome : null,\n });\n const startPath = buildEmbedStartPath(ticket.ticket);\n const startUrl = requestMeta?.origin\n ? new URL(startPath, requestMeta.origin).toString()\n : startPath;\n return {\n startUrl,\n targetPath,\n expiresAt: ticket.expiresAt,\n };\n },\n };\n}\n\n/**\n * Route an `ask_app` message to a *different* app's agent over A2A. Shared by\n * the workspace-resolved path and the org-directory-resolved path so the A2A\n * call logic is not duplicated. `origin` is the target app's A2A base\n * (workspace dev origin or the directory's `a2aUrl`); `id` is reported back.\n *\n * Throws on failure so the caller can be honest — it never falls back to this\n * app's agent and pretends it was the target.\n */\nasync function routeAskOverA2A(\n origin: string,\n id: string,\n message: string,\n): Promise<{ app: string; routedVia: \"a2a\"; response: string }> {\n const { callAgent } = await import(\"../a2a/client.js\");\n const { resolveA2ACallerAuth } = await import(\"../a2a/caller-auth.js\");\n // The MCP handler runs inside `runWithRequestContext`, so this is the\n // verified caller identity and org scope. Reuse the same auth resolver as\n // org-directory discovery so the directory lookup and actual A2A call are\n // scoped the same way.\n const auth = await resolveA2ACallerAuth();\n const response = await callAgent(origin, message, {\n apiKey: auth.apiKey,\n userEmail: auth.userEmail,\n orgDomain: auth.orgDomain,\n orgSecret: auth.orgSecret,\n // Bound the wait — cross-app A2A polls async by default.\n timeoutMs: 5 * 60_000,\n });\n return { app: id, routedVia: \"a2a\", response };\n}\n\n// ---------------------------------------------------------------------------\n// ask_app\n// ---------------------------------------------------------------------------\n\nfunction askAppTool(config: MCPConfig): ActionEntry {\n return {\n tool: tool(\n \"Send a natural-language message to an app's AI agent and get its \" +\n \"response. Use for complex, multi-step tasks needing the agent's \" +\n \"reasoning and full app context. In a single-app project the 'app' \" +\n \"param is optional (defaults to this app). When 'app' names a \" +\n \"different workspace app it is routed there over A2A; the result's \" +\n \"'routedVia' field reports whether it ran cross-app or locally.\",\n {\n app: {\n type: \"string\",\n description: \"App id to route to (optional in a single-app project)\",\n },\n message: {\n type: \"string\",\n description: \"The message to send to the app's agent\",\n },\n },\n [\"message\"],\n ),\n run: async (args: Record<string, any>) => {\n const message = String(args.message ?? \"\").trim();\n if (!message) throw new Error(\"ask_app requires a 'message'.\");\n const requestedApp = String(args.app ?? \"\").trim();\n const selfId = currentAppId(config);\n\n // Cross-app: the caller named a *different* workspace app. Route the\n // message to THAT app's agent over A2A (its `/_agent-native/a2a`\n // endpoint runs the real agent loop with JWT identity) rather than\n // silently answering from this app's agent and claiming delegation.\n const targetApp = await resolveTargetAppOrigin(config, requestedApp);\n if (targetApp) {\n try {\n return await routeAskOverA2A(targetApp.origin, targetApp.id, message);\n } catch (err: any) {\n // Be honest: routing was attempted and failed — do NOT fall back to\n // this app's agent and pretend it was the target.\n throw new Error(\n `Failed to route ask_app to \"${targetApp.id}\" via A2A: ` +\n `${err?.message ?? err}`,\n );\n }\n }\n\n // Not a known local/workspace app — try the org directory. When a\n // directory is configured and the requested app is one of the org's\n // deployed sibling apps, route to it over A2A (same path as above,\n // against its `a2aUrl`). Inactive directory / any failure ⇒ orgApps is\n // [] and this is skipped, preserving the exact local-only behavior.\n if (requestedApp && requestedApp.toLowerCase() !== selfId) {\n const orgApps = await fetchOrgApps({ selfId }).catch(\n () => [] as OrgApp[],\n );\n const dirMatch = orgApps.find(\n (a) => a.id === requestedApp.toLowerCase(),\n );\n if (dirMatch) {\n try {\n return await routeAskOverA2A(dirMatch.a2aUrl, dirMatch.id, message);\n } catch (err: any) {\n throw new Error(\n `Failed to route ask_app to \"${dirMatch.id}\" via A2A ` +\n `(org directory): ${err?.message ?? err}`,\n );\n }\n }\n }\n\n // Same app (or no workspace / unknown target): answer locally with this\n // app's own ask-agent handler — the same entry point the HTTP MCP mount\n // + A2A use, so there is no second agent runner.\n if (!config.askAgent) {\n throw new Error(\n \"This app does not expose an agent (no ask-agent handler).\",\n );\n }\n\n // If the caller named an app we couldn't route to (unknown id, or no\n // workspace), say so honestly instead of claiming we reached it.\n const unresolved =\n !!requestedApp && requestedApp.toLowerCase() !== selfId;\n const response = await config.askAgent(message);\n return {\n app: selfId,\n routedVia: \"local\",\n ...(unresolved\n ? {\n note:\n `Requested app \"${requestedApp}\" is not a reachable workspace ` +\n `app; answered with this app (\"${selfId}\") instead.`,\n }\n : {}),\n response,\n };\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// list_templates\n// ---------------------------------------------------------------------------\n\nfunction listTemplatesTool(): ActionEntry {\n return {\n tool: tool(\n \"List the first-party templates that can be scaffolded into a workspace \" +\n \"(allow-listed templates only).\",\n ),\n readOnly: true,\n parallelSafe: true,\n run: async () => {\n const { visibleTemplates } = await import(\"../cli/templates-meta.js\");\n return {\n templates: visibleTemplates().map((t) => ({\n name: t.name,\n label: t.label,\n hint: t.hint,\n })),\n };\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// create_workspace_app\n// ---------------------------------------------------------------------------\n\nfunction createWorkspaceAppTool(): ActionEntry {\n return {\n tool: tool(\n \"Scaffold a new app into the current workspace from an allow-listed \" +\n \"template, then return a deep link to open it. Idempotent: if an app \" +\n \"with that name already exists it is reused.\",\n {\n name: {\n type: \"string\",\n description: \"New app id (directory under apps/), e.g. 'mymail'\",\n },\n template: {\n type: \"string\",\n description:\n \"Template to scaffold from — must be allow-listed (see list_templates)\",\n },\n },\n [\"name\", \"template\"],\n ),\n run: async (args: Record<string, any>) => {\n const name = String(args.name ?? \"\").trim();\n const template = String(args.template ?? \"\").trim();\n if (!name || !template) {\n throw new Error(\n \"create_workspace_app requires both 'name' and 'template'.\",\n );\n }\n\n // Enforce the strict public template allow-list. The authoritative,\n // dependency-free source inside @agent-native/core is cli/templates-meta\n // (kept in sync with packages/shared-app-config/templates.ts; CI guard).\n const { visibleTemplates } = await import(\"../cli/templates-meta.js\");\n const allowed = new Set(visibleTemplates().map((t) => t.name));\n if (!allowed.has(template)) {\n throw new Error(\n `Template \"${template}\" is not allow-listed. Allowed: ${[...allowed]\n .sort()\n .join(\", \")}`,\n );\n }\n\n const { findWorkspaceRoot, resolveWorkspace } =\n await import(\"./workspace-resolve.js\");\n const fs = await import(\"node:fs\");\n const path = await import(\"node:path\");\n\n const root = findWorkspaceRoot(process.cwd());\n if (!root) {\n throw new Error(\n \"Not inside a workspace. create_workspace_app only works in a \" +\n \"multi-app workspace (run from the workspace root).\",\n );\n }\n\n const appDir = path.join(root, \"apps\", name);\n const alreadyExisted = fs.existsSync(appDir);\n\n if (!alreadyExisted) {\n // Reuse the CLI scaffolder directly (no second `agent-native`\n // subprocess). `addAppToWorkspace(name, { template })` takes the\n // non-interactive single-template path when name + one template are\n // given. Run it from the workspace root so detectWorkspace resolves.\n const prevCwd = process.cwd();\n try {\n process.chdir(root);\n const { addAppToWorkspace } = await import(\"../cli/create.js\");\n await addAppToWorkspace(name, { template, noInstall: true });\n } finally {\n try {\n process.chdir(prevCwd);\n } catch {\n // best-effort cwd restore\n }\n }\n }\n\n // The workspace gateway auto-detects new apps/* dirs (fs.watch +\n // 2s sync) and lazily boots the dev server on first request, so we\n // don't spawn vite ourselves — opening the deep link warms it. Resolve\n // the port the gateway will use so we can report it.\n const ws = await resolveWorkspace(root);\n const appInfo = ws.apps.find((a) => a.id === name);\n const port = appInfo?.port;\n // The scaffolded app is always a *different* app from the host MCP\n // server, so anchor the deep link to the new app's own origin. A\n // relative path would otherwise be prefixed with the current request\n // origin and land on the wrong app. Fall back to the relative path\n // only if the gateway hasn't reported the new app's URL yet.\n const relDeepLink = buildDeepLink({ app: name, view: \"home\" });\n const deepLink = appInfo?.url\n ? `${appInfo.url.replace(/\\/+$/, \"\")}${relDeepLink}`\n : relDeepLink;\n\n return {\n name,\n template,\n created: !alreadyExisted,\n reused: alreadyExisted,\n port,\n url: appInfo?.url,\n gatewayUrl: ws.gatewayUrl,\n deepLink,\n };\n },\n link: ({ result }) => {\n if (!result || typeof result !== \"object\") return null;\n const r = result as { deepLink?: string; name?: string };\n if (!r.deepLink) return null;\n return {\n url: r.deepLink,\n label: `Open ${r.name ?? \"app\"}`,\n view: \"home\",\n };\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// Registry\n// ---------------------------------------------------------------------------\n\n/**\n * Build the generic cross-app builtin tool registry. Called by\n * `createMCPServerForRequest`; the result is merged UNDER the config's\n * actions so template actions of the same name win.\n */\nexport function getBuiltinCrossAppTools(\n config: MCPConfig,\n requestMeta?: { origin?: string },\n): Record<string, ActionEntry> {\n return {\n list_apps: listAppsTool(config, requestMeta),\n open_app: openAppTool(config, requestMeta),\n create_embed_session: createEmbedSessionTool(requestMeta),\n ask_app: askAppTool(config),\n create_workspace_app: createWorkspaceAppTool(),\n list_templates: listTemplatesTool(),\n };\n}\n"]}
|
|
1
|
+
{"version":3,"file":"builtin-tools.js","sourceRoot":"","sources":["../../src/mcp/builtin-tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAGH,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,+BAA+B,EAAE,MAAM,yBAAyB,CAAC;AAE1E,OAAO,EAAE,YAAY,EAAe,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAU1C;;;;GAIG;AACH,SAAS,IAAI,CACX,WAAmB,EACnB,UAAmB,EACnB,QAAmB;IAEnB,IAAI,CAAC,UAAU;QAAE,OAAO,EAAE,WAAW,EAAE,CAAC;IACxC,OAAO;QACL,WAAW;QACX,UAAU,EAAE;YACV,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,UAAU;YACtB,GAAG,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACrD;KACF,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,YAAY,CAAC,MAAiB;IACrC,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;AAC9D,CAAC;AAED,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,0BAA0B,CAAC,CAAC;AAE7D,SAAS,WAAW,CAAC,GAAY;IAC/B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IACxD,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACzB,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnE,IAAI,wBAAwB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,kBAAkB,CACzB,IAAY,EACZ,MAA6D;IAE7D,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,6BAA6B,CAAC,CAAC;IACzD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;AACnD,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC1B,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,OAAO,WAAW,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,IAAI,GAAG,wBAAwB,EAAE,CAAC;IACxC,IAAI,CAAC,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACvE,OAAO,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,sBAAsB,CAAC,IAAY;IAC1C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,6BAA6B,CAAC,CAAC;QACzD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;QAC3D,OAAO,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,UAAU,sBAAsB,CACnC,MAAiB,EACjB,WAAmB;IAEnB,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAChD,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,YAAY,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,IAAI,CAAC;QACH,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;QACpE,MAAM,EAAE,GAAG,MAAM,gBAAgB,EAAE,CAAC;QACpC,IAAI,CAAC,EAAE,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QACjC,MAAM,KAAK,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,CAAC;QACjE,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,SAAS,YAAY,CACnB,MAAiB,EACjB,WAAiC;IAEjC,OAAO;QACL,IAAI,EAAE,IAAI,CACR,qEAAqE;YACnE,mEAAmE;YACnE,kEAAkE;YAClE,qDAAqD,CACxD;QACD,QAAQ,EAAE,IAAI;QACd,YAAY,EAAE,IAAI;QAClB,GAAG,EAAE,KAAK,IAAI,EAAE;YACd,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;YACpE,MAAM,EAAE,GAAG,MAAM,gBAAgB,EAAE,CAAC;YAEpC,kEAAkE;YAClE,iEAAiE;YACjE,sEAAsE;YACtE,kEAAkE;YAClE,kEAAkE;YAClE,gEAAgE;YAChE,qEAAqE;YACrE,iBAAiB;YACjB,MAAM,UAAU,GAAG,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC;YAClE,IAAI,QAAQ,GAAG,CAAC,CAAC;YACjB,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,CAAC;oBACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;oBAC9B,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACpE,CAAC;gBAAC,MAAM,CAAC;oBACP,QAAQ,GAAG,CAAC,CAAC;gBACf,CAAC;YACH,CAAC;YACD,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YAClD,MAAM,MAAM,GAAG,CAAC,EAAU,EAAE,EAAE,CAC5B,CAAC,CAAC,UAAU;gBACZ,CAAC,CAAC,EAAE,CAAC,WAAW,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,CAAC,CAAC;YAUjE,MAAM,IAAI,GAAe,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACzC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;gBACV,CAAC,CAAC;oBACE,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,GAAG,EAAE,UAAU;oBACf,IAAI,EAAE,CAAC,QAAQ,IAAI,CAAC,CAAC,IAAI,CAAuB;oBAChD,OAAO,EAAE,IAAI;oBACb,MAAM,EAAE,WAAoB;iBAC7B;gBACH,CAAC,CAAC;oBACE,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,GAAG,EAAE,CAAC,CAAC,GAAG;oBACV,IAAI,EAAE,CAAC,CAAC,IAA0B;oBAClC,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,MAAM,EAAE,WAAoB;iBAC7B,CACN,CAAC;YACF,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;YAC7D,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;YAExE,qEAAqE;YACrE,qEAAqE;YACrE,8DAA8D;YAC9D,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC;gBACjC,MAAM,EAAE,YAAY,CAAC,MAAM,CAAC;aAC7B,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAc,CAAC,CAAC;YAC/B,KAAK,MAAM,EAAE,IAAI,OAAO,EAAE,CAAC;gBACzB,MAAM,KAAK,GAAG,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC;gBAClC,MAAM,SAAS,GAAG,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;gBAC7C,gEAAgE;gBAChE,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC;oBAAE,SAAS;gBAC/D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACnB,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBAC3B,IAAI,CAAC,IAAI,CAAC;oBACR,EAAE,EAAE,EAAE,CAAC,EAAE;oBACT,GAAG,EAAE,EAAE,CAAC,GAAG;oBACX,IAAI,EAAE,SAAS;oBACf,OAAO,EAAE,IAAI;oBACb,MAAM,EAAE,eAAe;iBACxB,CAAC,CAAC;YACL,CAAC;YAED,OAAO;gBACL,SAAS,EAAE,EAAE,CAAC,WAAW;gBACzB,UAAU,EAAE,EAAE,CAAC,UAAU;gBACzB,IAAI;aACL,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,WAAW;AACX,8EAA8E;AAE9E,SAAS,WAAW,CAClB,MAAiB,EACjB,WAAiC;IAEjC,OAAO;QACL,IAAI,EAAE,IAAI,CACR,mEAAmE;YACjE,mCAAmC;YACnC,wEAAwE;YACxE,uEAAuE;YACvE,oCAAoC,EACtC;YACE,GAAG,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,qBAAqB,EAAE;YAC3D,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,WAAW,EACT,uFAAuF;aAC1F;YACD,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,WAAW,EACT,gIAAgI;aACnI;YACD,MAAM,EAAE;gBACN,IAAI,EAAE,QAAQ;gBACd,WAAW,EACT,iEAAiE;aACpE;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,SAAS;gBACf,WAAW,EACT,8FAA8F;aACjG;YACD,MAAM,EAAE;gBACN,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC;gBACzB,WAAW,EACT,sEAAsE;aACzE;SACF,EACD,CAAC,KAAK,CAAC,CACR;QACD,QAAQ,EAAE,IAAI;QACd,YAAY,EAAE,IAAI;QAClB,GAAG,EAAE,KAAK,EAAE,IAAyB,EAAE,EAAE;YACvC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAC1C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5C,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;YAC1E,CAAC;YACD,IAAI,MAA6D,CAAC;YAClE,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC;YACxB,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACnC,MAAM,GAAG,GAAgD,CAAC;YAC5D,CAAC;iBAAM,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;gBACjD,IAAI,CAAC;oBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC3B,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,GAAG,SAAS,CAAC;gBACrB,CAAC;YACH,CAAC;YACD,MAAM,aAAa,GAAG,MAAM,EAAE,KAAK,CAAC;YACpC,MAAM,WAAW,GAAG,MAAM,EAAE,MAAM,CAAC;YACnC,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,KAAK,IAAI,IAAI,IAAI,CAAC,KAAK,KAAK,MAAM,CAAC;YACzD,IACE,IAAI,CAAC,KAAK,IAAI,IAAI;gBAClB,CAAC,aAAa,KAAK,IAAI,IAAI,aAAa,KAAK,MAAM,CAAC,EACpD,CAAC;gBACD,KAAK,GAAG,IAAI,CAAC;YACf,CAAC;iBAAM,IACL,IAAI,CAAC,KAAK,IAAI,IAAI;gBAClB,CAAC,aAAa,KAAK,KAAK,IAAI,aAAa,KAAK,OAAO,CAAC,EACtD,CAAC;gBACD,KAAK,GAAG,KAAK,CAAC;YAChB,CAAC;YACD,IACE,aAAa,KAAK,IAAI;gBACtB,aAAa,KAAK,KAAK;gBACvB,aAAa,KAAK,MAAM;gBACxB,aAAa,KAAK,OAAO,EACzB,CAAC;gBACD,OAAO,MAAM,EAAE,KAAK,CAAC;YACvB,CAAC;YAED,MAAM,MAAM,GACV,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ;gBAC7B,CAAC,CAAC,IAAI,CAAC,MAAM;gBACb,CAAC,CAAC,WAAW,KAAK,MAAM,IAAI,WAAW,KAAK,SAAS;oBACnD,CAAC,CAAC,WAAW;oBACb,CAAC,CAAC,SAAS,CAAC;YAClB,IAAI,WAAW,KAAK,MAAM,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;gBACxD,OAAO,MAAM,EAAE,MAAM,CAAC;YACxB,CAAC;YACD,IAAI,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC;gBAAE,MAAM,GAAG,SAAS,CAAC;YAEnE,MAAM,cAAc,GAAG,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YAClE,MAAM,MAAM,GAAG,IAAI;gBACjB,CAAC,CAAC,kBAAkB,CAAC,IAAI,EAAE,MAAM,CAAC;gBAClC,CAAC,CAAC,cAAc;oBACd,CAAC,CAAC,kBAAkB,CAAC,cAAc,EAAE,MAAM,CAAC;oBAC5C,CAAC,CAAC,aAAa,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;YAC3C,MAAM,UAAU,GACd,IAAI,IAAI,cAAc,CAAC,CAAC,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;YAEnE,uEAAuE;YACvE,mEAAmE;YACnE,qEAAqE;YACrE,oEAAoE;YACpE,oEAAoE;YACpE,MAAM,SAAS,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YAC5D,MAAM,MAAM,GAAG,SAAS;gBACtB,CAAC,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,MAAM,EAAE;gBACpD,CAAC,CAAC,UAAU,CAAC;YACf,MAAM,GAAG,GAAG,MAAM,CAAC;YACnB,IAAI,aAAiC,CAAC;YACtC,IAAI,eAAmC,CAAC;YACxC,IAAI,cAAkC,CAAC;YAEvC,IAAI,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;gBACxB,MAAM,EAAE,iBAAiB,EAAE,GACzB,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;gBAC/C,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;gBAChC,MAAM,UAAU,GAAG,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;gBAC1C,IAAI,UAAU,EAAE,CAAC;oBACf,MAAM,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,GAC1D,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;oBAC7C,MAAM,EAAE,mBAAmB,EAAE,GAC3B,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;oBAC3C,MAAM,UAAU,GAAG,wBAAwB,CACzC,sBAAsB,CAAC,GAAG,CAAC,EAC3B,WAAW,EAAE,MAAM,CACpB,CAAC;oBACF,IAAI,UAAU,EAAE,CAAC;wBACf,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAAC;4BAC5C,UAAU;4BACV,KAAK,EAAE,GAAG,EAAE,KAAK;4BACjB,UAAU;4BACV,KAAK,EAAE,MAAM,IAAI,IAAI;yBACtB,CAAC,CAAC;wBACH,MAAM,SAAS,GAAG,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;wBACrD,aAAa,GAAG,WAAW,EAAE,MAAM;4BACjC,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE;4BACnD,CAAC,CAAC,SAAS,CAAC;wBACd,eAAe,GAAG,UAAU,CAAC;wBAC7B,cAAc,GAAG,MAAM,CAAC,SAAS,CAAC;oBACpC,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO;gBACL,GAAG;gBACH,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACzB,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACzB,GAAG;gBACH,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3C,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC/C,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC7C,KAAK;aACN,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE;YACnB,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACvD,MAAM,CAAC,GAAG,MAKT,CAAC;YACF,IAAI,CAAC,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC;YACzB,IAAI,CAAC,CAAC,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAC;YACxB,OAAO;gBACL,GAAG,EAAE,CAAC,CAAC,GAAG;gBACV,KAAK,EAAE,QAAQ,CAAC,CAAC,GAAG,IAAI,KAAK,EAAE;gBAC/B,IAAI,EAAE,CAAC,CAAC,IAAI;aACb,CAAC;QACJ,CAAC;QACD,MAAM,EAAE;YACN,QAAQ,EAAE,QAAQ,CAAC;gBACjB,KAAK,EAAE,UAAU;gBACjB,WAAW,EAAE,wCAAwC;gBACrD,WAAW,EAAE,kBAAkB;gBAC/B,SAAS,EAAE,UAAU;aACtB,CAAC;SACH;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,SAAS,sBAAsB,CAAC,WAE/B;IACC,OAAO;QACL,IAAI,EAAE;YACJ,GAAG,IAAI,CACL,qJAAqJ,EACrJ;gBACE,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,WAAW,EACT,yDAAyD;iBAC5D;gBACD,IAAI,EAAE;oBACJ,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,yCAAyC;iBACvD;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC;oBACzB,WAAW,EAAE,4CAA4C;iBAC1D;aACF,CACF;YACD,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE;SACzB;QACf,0EAA0E;QAC1E,uEAAuE;QACvE,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,IAAI;QAClB,GAAG,EAAE,KAAK,EAAE,IAAyB,EAAE,EAAE;YACvC,MAAM,EAAE,iBAAiB,EAAE,GACzB,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;YAC/C,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;YAChC,MAAM,UAAU,GAAG,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;YAC1C,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CACb,4DAA4D,CAC7D,CAAC;YACJ,CAAC;YAED,MAAM,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,GAC1D,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;YAC7C,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;YACzE,MAAM,SAAS,GACb,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE;gBAC7C,CAAC,CAAC,IAAI,CAAC,GAAG;gBACV,CAAC,CAAC,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ;oBAC7B,CAAC,CAAC,IAAI,CAAC,IAAI;oBACX,CAAC,CAAC,EAAE,CAAC;YACX,MAAM,UAAU,GAAG,wBAAwB,CACzC,SAAS,EACT,WAAW,EAAE,MAAM,CACpB,CAAC;YACF,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CACb,oEAAoE,CACrE,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAAC;gBAC5C,UAAU;gBACV,KAAK,EAAE,GAAG,EAAE,KAAK;gBACjB,UAAU;gBACV,KAAK,EAAE,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI;aAC5D,CAAC,CAAC;YACH,MAAM,SAAS,GAAG,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACrD,MAAM,QAAQ,GAAG,WAAW,EAAE,MAAM;gBAClC,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE;gBACnD,CAAC,CAAC,SAAS,CAAC;YACd,OAAO;gBACL,QAAQ;gBACR,UAAU;gBACV,SAAS,EAAE,MAAM,CAAC,SAAS;aAC5B,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,KAAK,UAAU,eAAe,CAC5B,MAAc,EACd,EAAU,EACV,OAAe;IAEf,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;IACvD,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IACvE,sEAAsE;IACtE,0EAA0E;IAC1E,0EAA0E;IAC1E,uBAAuB;IACvB,MAAM,IAAI,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,MAAM,EAAE,OAAO,EAAE;QAChD,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,yDAAyD;QACzD,SAAS,EAAE,CAAC,GAAG,MAAM;KACtB,CAAC,CAAC;IACH,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;AACjD,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,UAAU,CAAC,MAAiB;IACnC,OAAO;QACL,IAAI,EAAE,IAAI,CACR,mEAAmE;YACjE,kEAAkE;YAClE,oEAAoE;YACpE,+DAA+D;YAC/D,oEAAoE;YACpE,gEAAgE,EAClE;YACE,GAAG,EAAE;gBACH,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,uDAAuD;aACrE;YACD,OAAO,EAAE;gBACP,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,wCAAwC;aACtD;SACF,EACD,CAAC,SAAS,CAAC,CACZ;QACD,GAAG,EAAE,KAAK,EAAE,IAAyB,EAAE,EAAE;YACvC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAClD,IAAI,CAAC,OAAO;gBAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;YAC/D,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YAEpC,qEAAqE;YACrE,iEAAiE;YACjE,mEAAmE;YACnE,oEAAoE;YACpE,MAAM,SAAS,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;YACrE,IAAI,SAAS,EAAE,CAAC;gBACd,IAAI,CAAC;oBACH,OAAO,MAAM,eAAe,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;gBACxE,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,oEAAoE;oBACpE,kDAAkD;oBAClD,MAAM,IAAI,KAAK,CACb,+BAA+B,SAAS,CAAC,EAAE,aAAa;wBACtD,GAAG,GAAG,EAAE,OAAO,IAAI,GAAG,EAAE,CAC3B,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,kEAAkE;YAClE,oEAAoE;YACpE,mEAAmE;YACnE,uEAAuE;YACvE,oEAAoE;YACpE,IAAI,YAAY,IAAI,YAAY,CAAC,WAAW,EAAE,KAAK,MAAM,EAAE,CAAC;gBAC1D,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,KAAK,CAClD,GAAG,EAAE,CAAC,EAAc,CACrB,CAAC;gBACF,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAC3B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,WAAW,EAAE,CAC3C,CAAC;gBACF,IAAI,QAAQ,EAAE,CAAC;oBACb,IAAI,CAAC;wBACH,OAAO,MAAM,eAAe,CAAC,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;oBACtE,CAAC;oBAAC,OAAO,GAAQ,EAAE,CAAC;wBAClB,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,EAAE,YAAY;4BACpD,oBAAoB,GAAG,EAAE,OAAO,IAAI,GAAG,EAAE,CAC5C,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;YAED,wEAAwE;YACxE,wEAAwE;YACxE,iDAAiD;YACjD,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACrB,MAAM,IAAI,KAAK,CACb,2DAA2D,CAC5D,CAAC;YACJ,CAAC;YAED,qEAAqE;YACrE,iEAAiE;YACjE,MAAM,UAAU,GACd,CAAC,CAAC,YAAY,IAAI,YAAY,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC;YAC1D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;gBACL,GAAG,EAAE,MAAM;gBACX,SAAS,EAAE,OAAO;gBAClB,GAAG,CAAC,UAAU;oBACZ,CAAC,CAAC;wBACE,IAAI,EACF,kBAAkB,YAAY,iCAAiC;4BAC/D,iCAAiC,MAAM,aAAa;qBACvD;oBACH,CAAC,CAAC,EAAE,CAAC;gBACP,QAAQ;aACT,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E,SAAS,iBAAiB;IACxB,OAAO;QACL,IAAI,EAAE,IAAI,CACR,yEAAyE;YACvE,gCAAgC,CACnC;QACD,QAAQ,EAAE,IAAI;QACd,YAAY,EAAE,IAAI;QAClB,GAAG,EAAE,KAAK,IAAI,EAAE;YACd,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;YACtE,OAAO;gBACL,SAAS,EAAE,gBAAgB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACxC,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,KAAK,EAAE,CAAC,CAAC,KAAK;oBACd,IAAI,EAAE,CAAC,CAAC,IAAI;iBACb,CAAC,CAAC;aACJ,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,SAAS,sBAAsB;IAC7B,OAAO;QACL,IAAI,EAAE,IAAI,CACR,qEAAqE;YACnE,sEAAsE;YACtE,6CAA6C,EAC/C;YACE,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,mDAAmD;aACjE;YACD,QAAQ,EAAE;gBACR,IAAI,EAAE,QAAQ;gBACd,WAAW,EACT,uEAAuE;aAC1E;SACF,EACD,CAAC,MAAM,EAAE,UAAU,CAAC,CACrB;QACD,GAAG,EAAE,KAAK,EAAE,IAAyB,EAAE,EAAE;YACvC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACpD,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CACb,2DAA2D,CAC5D,CAAC;YACJ,CAAC;YAED,oEAAoE;YACpE,yEAAyE;YACzE,yEAAyE;YACzE,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;YACtE,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,gBAAgB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YAC/D,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CACb,aAAa,QAAQ,mCAAmC,CAAC,GAAG,OAAO,CAAC;qBACjE,IAAI,EAAE;qBACN,IAAI,CAAC,IAAI,CAAC,EAAE,CAChB,CAAC;YACJ,CAAC;YAED,MAAM,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,GAC3C,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;YACzC,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;YACnC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;YAEvC,MAAM,IAAI,GAAG,iBAAiB,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;YAC9C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,KAAK,CACb,+DAA+D;oBAC7D,oDAAoD,CACvD,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;YAC7C,MAAM,cAAc,GAAG,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YAE7C,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,8DAA8D;gBAC9D,iEAAiE;gBACjE,oEAAoE;gBACpE,qEAAqE;gBACrE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;gBAC9B,IAAI,CAAC;oBACH,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBACpB,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;oBAC/D,MAAM,iBAAiB,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC/D,CAAC;wBAAS,CAAC;oBACT,IAAI,CAAC;wBACH,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;oBACzB,CAAC;oBAAC,MAAM,CAAC;wBACP,0BAA0B;oBAC5B,CAAC;gBACH,CAAC;YACH,CAAC;YAED,iEAAiE;YACjE,mEAAmE;YACnE,uEAAuE;YACvE,qDAAqD;YACrD,MAAM,EAAE,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,OAAO,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,CAAC;YACnD,MAAM,IAAI,GAAG,OAAO,EAAE,IAAI,CAAC;YAC3B,mEAAmE;YACnE,iEAAiE;YACjE,qEAAqE;YACrE,mEAAmE;YACnE,6DAA6D;YAC7D,MAAM,WAAW,GAAG,aAAa,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;YAC/D,MAAM,QAAQ,GAAG,OAAO,EAAE,GAAG;gBAC3B,CAAC,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,WAAW,EAAE;gBACpD,CAAC,CAAC,WAAW,CAAC;YAEhB,OAAO;gBACL,IAAI;gBACJ,QAAQ;gBACR,OAAO,EAAE,CAAC,cAAc;gBACxB,MAAM,EAAE,cAAc;gBACtB,IAAI;gBACJ,GAAG,EAAE,OAAO,EAAE,GAAG;gBACjB,UAAU,EAAE,EAAE,CAAC,UAAU;gBACzB,QAAQ;aACT,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE;YACnB,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACvD,MAAM,CAAC,GAAG,MAA8C,CAAC;YACzD,IAAI,CAAC,CAAC,CAAC,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAC7B,OAAO;gBACL,GAAG,EAAE,CAAC,CAAC,QAAQ;gBACf,KAAK,EAAE,QAAQ,CAAC,CAAC,IAAI,IAAI,KAAK,EAAE;gBAChC,IAAI,EAAE,MAAM;aACb,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,WAAW;AACX,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,UAAU,uBAAuB,CACrC,MAAiB,EACjB,WAAiC;IAEjC,OAAO;QACL,SAAS,EAAE,YAAY,CAAC,MAAM,EAAE,WAAW,CAAC;QAC5C,QAAQ,EAAE,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC;QAC1C,oBAAoB,EAAE,sBAAsB,CAAC,WAAW,CAAC;QACzD,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC;QAC3B,oBAAoB,EAAE,sBAAsB,EAAE;QAC9C,cAAc,EAAE,iBAAiB,EAAE;KACpC,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Generic cross-app MCP tools — a stable verb set every external agent gets\n * regardless of which template it is talking to.\n *\n * These are merged into the MCP action registry by\n * `createMCPServerForRequest` (see `build-server.ts`). **Precedence: template\n * actions win.** If a template defines an action named `list_apps` /\n * `open_app` / `ask_app` / `create_workspace_app` / `list_templates`, the\n * template's `ActionEntry` overwrites the builtin of the same name. This is\n * the same template-over-framework precedence `autoDiscoverActions` uses.\n *\n * | Tool | Side effects | Returns |\n * | --------------------- | ------------ | ---------------------------------------- |\n * | `list_apps` | none | `{ apps: [{ id, url, running }] }` |\n * | `open_app` | none | `{ url }` (+ deep-link `link`) |\n * | `create_embed_session`| ticket mint | `{ startUrl }` for MCP App iframes |\n * | `ask_app` | agent loop | `{ app, routedVia, response }` |\n * | `create_workspace_app`| scaffolds | `{ name, url, port, deepLink }` (+ link) |\n *\n * `open_app` / `create_workspace_app` return an **absolute** URL on the\n * *target* app's origin when it differs from this app (so a workspace link\n * lands in the right app), and a relative path for the same app / standalone.\n * `ask_app` routes to a *different* workspace app over A2A when possible and\n * reports `routedVia: \"a2a\"`; otherwise it answers locally\n * (`routedVia: \"local\"`) and never falsely claims cross-app delegation.\n * | `list_templates` | none | `{ templates: [...] }` (allow-list only) |\n *\n * Node-only at call time (workspace resolution + scaffolding use `fs`), but\n * the module has no top-level Node imports so it bundles fine alongside\n * `mountMCP` — the Node bits are dynamically imported inside `run()`.\n */\n\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport { buildDeepLink } from \"../server/deep-link.js\";\nimport { getConfiguredAppBasePath } from \"../server/app-base-path.js\";\nimport { MCP_APP_CHAT_BRIDGE_QUERY_PARAM } from \"../shared/embed-auth.js\";\nimport type { MCPConfig } from \"./build-server.js\";\nimport { fetchOrgApps, type OrgApp } from \"./org-directory.js\";\nimport { embedApp } from \"./embed-app.js\";\n\nimport type { ActionTool } from \"../agent/types.js\";\n\n/** Flat map of param name → JSON-schema property. */\ntype Params = Record<\n string,\n { type: string; description?: string; enum?: string[] }\n>;\n\n/**\n * Build an `ActionTool`. `parameters` is wrapped in the\n * `{ type:\"object\", properties, required }` shape `createMCPServerForRequest`\n * forwards verbatim as the MCP tool `inputSchema`.\n */\nfunction tool(\n description: string,\n parameters?: Params,\n required?: string[],\n): ActionTool {\n if (!parameters) return { description };\n return {\n description,\n parameters: {\n type: \"object\",\n properties: parameters,\n ...(required && required.length ? { required } : {}),\n },\n };\n}\n\n/**\n * The canonical app id this MCP server is mounted for. `MCPConfig.appId` is\n * authoritative; fall back to lowercasing `name` (which is the capitalized\n * app id at every call site) for back-compat with configs that predate the\n * `appId` field.\n */\nfunction currentAppId(config: MCPConfig): string {\n return (config.appId || config.name || \"app\").toLowerCase();\n}\n\nconst CONTROL_CHARS = new RegExp(\"[\\\\u0000-\\\\u001f\\\\u007f]\");\n\nfunction safeAppPath(raw: unknown): string | null {\n if (typeof raw !== \"string\" || !raw.trim()) return null;\n const value = raw.trim();\n if (CONTROL_CHARS.test(value)) return null;\n if (!value.startsWith(\"/\")) return null;\n if (value.startsWith(\"//\") || value.startsWith(\"/\\\\\")) return null;\n if (/^\\/[a-z][a-z0-9+.-]*:/i.test(value)) return null;\n return value;\n}\n\nfunction appendParamsToPath(\n path: string,\n params: Record<string, string | number | boolean> | undefined,\n): string {\n if (!params || Object.keys(params).length === 0) return path;\n const url = new URL(path, \"http://agent-native.invalid\");\n for (const [key, value] of Object.entries(params)) {\n url.searchParams.set(key, String(value));\n }\n return `${url.pathname}${url.search}${url.hash}`;\n}\n\nfunction viewToAppPath(view: string): string | null {\n const value = view.trim();\n if (!value) return null;\n return safeAppPath(value.startsWith(\"/\") ? value : `/${value}`);\n}\n\nfunction withConfiguredBasePath(path: string): string {\n const base = getConfiguredAppBasePath();\n if (!base || path === base || path.startsWith(`${base}/`)) return path;\n return `${base}${path}`;\n}\n\nfunction withMcpChatBridgeParam(path: string): string {\n try {\n const url = new URL(path, \"http://agent-native.invalid\");\n url.searchParams.set(MCP_APP_CHAT_BRIDGE_QUERY_PARAM, \"1\");\n return `${url.pathname}${url.search}${url.hash}`;\n } catch {\n return path;\n }\n}\n\n/**\n * Resolve the absolute origin of a *target* workspace app (e.g.\n * `http://127.0.0.1:8101`) so cross-app deep links / A2A calls point at the\n * right app instead of the current request's origin. Reuses the same\n * workspace resolution `list_apps` / the stdio proxy use.\n *\n * Returns `null` when:\n * - the target is the current app (caller should keep relative behavior),\n * - there is no workspace info (standalone / single app), or\n * - the target app is unknown.\n */\nasync function resolveTargetAppOrigin(\n config: MCPConfig,\n targetAppId: string,\n): Promise<{ origin: string; id: string } | null> {\n const target = targetAppId.trim().toLowerCase();\n if (!target || target === currentAppId(config)) return null;\n try {\n const { resolveWorkspace } = await import(\"./workspace-resolve.js\");\n const ws = await resolveWorkspace();\n if (!ws.isWorkspace) return null;\n const match = ws.apps.find((a) => a.id.toLowerCase() === target);\n if (!match) return null;\n return { origin: match.url, id: match.id };\n } catch {\n return null;\n }\n}\n\n// ---------------------------------------------------------------------------\n// list_apps\n// ---------------------------------------------------------------------------\n\nfunction listAppsTool(\n config: MCPConfig,\n requestMeta?: { origin?: string },\n): ActionEntry {\n return {\n tool: tool(\n \"List the workspace apps and their URLs. Use this to discover which \" +\n \"apps exist before opening or asking one. In a single-app project \" +\n \"this returns just that app. When an org directory is configured \" +\n \"this also includes the org's deployed sibling apps.\",\n ),\n readOnly: true,\n parallelSafe: true,\n run: async () => {\n const { resolveWorkspace } = await import(\"./workspace-resolve.js\");\n const ws = await resolveWorkspace();\n\n // The MCP request is served BY the current app, so it is provably\n // reachable at the inbound request origin — that beats a guessed\n // `PORT || 5173` probe (which reports the wrong URL + `running:false`\n // whenever the dev server picked a non-default port, e.g. `agent-\n // native dev` on :8080). For the entry that IS this app (the sole\n // entry when single-app, or the id matching `config.appId` in a\n // workspace) prefer the live origin; other workspace apps keep their\n // probed values.\n const liveOrigin = requestMeta?.origin?.replace(/\\/+$/, \"\") || \"\";\n let livePort = 0;\n if (liveOrigin) {\n try {\n const u = new URL(liveOrigin);\n livePort = Number(u.port) || (u.protocol === \"https:\" ? 443 : 80);\n } catch {\n livePort = 0;\n }\n }\n const selfId = (config.appId ?? \"\").toLowerCase();\n const isSelf = (id: string) =>\n !!liveOrigin &&\n (!ws.isWorkspace || (!!selfId && id.toLowerCase() === selfId));\n\n interface AppEntry {\n id: string;\n url: string;\n port: number | undefined;\n running: boolean;\n source: \"workspace\" | \"org-directory\";\n }\n\n const apps: AppEntry[] = ws.apps.map((a) =>\n isSelf(a.id)\n ? {\n id: a.id,\n url: liveOrigin,\n port: (livePort || a.port) as number | undefined,\n running: true,\n source: \"workspace\" as const,\n }\n : {\n id: a.id,\n url: a.url,\n port: a.port as number | undefined,\n running: a.running,\n source: \"workspace\" as const,\n },\n );\n const seenIds = new Set(apps.map((a) => a.id.toLowerCase()));\n const seenOrigins = new Set(apps.map((a) => a.url.replace(/\\/+$/, \"\")));\n\n // Merge the org directory's deployed sibling apps. Inactive (no env)\n // or any failure ⇒ fetchOrgApps() returns [] and this is a no-op, so\n // the existing local/workspace behavior is preserved exactly.\n const orgApps = await fetchOrgApps({\n selfId: currentAppId(config),\n }).catch(() => [] as OrgApp[]);\n for (const oa of orgApps) {\n const idKey = oa.id.toLowerCase();\n const originKey = oa.url.replace(/\\/+$/, \"\");\n // Dedupe by id OR origin — a workspace app already listed wins.\n if (seenIds.has(idKey) || seenOrigins.has(originKey)) continue;\n seenIds.add(idKey);\n seenOrigins.add(originKey);\n apps.push({\n id: oa.id,\n url: oa.url,\n port: undefined,\n running: true,\n source: \"org-directory\",\n });\n }\n\n return {\n workspace: ws.isWorkspace,\n gatewayUrl: ws.gatewayUrl,\n apps,\n };\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// open_app\n// ---------------------------------------------------------------------------\n\nfunction openAppTool(\n config: MCPConfig,\n requestMeta?: { origin?: string },\n): ActionEntry {\n return {\n tool: tool(\n \"Build a deep link that opens an app at a specific view/record or \" +\n \"focused route/component. No side \" +\n \"effects — returns a URL the user can click to land in the running UI. \" +\n \"Set embed:true when a UI-capable MCP host should render the live app \" +\n \"or focused route/component inline.\",\n {\n app: { type: \"string\", description: \"App id, e.g. 'mail'\" },\n view: {\n type: \"string\",\n description:\n \"Target view, e.g. 'inbox' (maps to navigate command). Optional when path is provided.\",\n },\n path: {\n type: \"string\",\n description:\n \"Optional app route to open directly, e.g. '/extensions/abc', '/adhoc/q2', or '/chart?panel=...'. Must be same-origin relative.\",\n },\n params: {\n type: \"object\",\n description:\n \"Optional record-focus / filter params, e.g. { threadId: 'abc' }\",\n },\n embed: {\n type: \"boolean\",\n description:\n \"Render the full app or focused route/component inline in MCP Apps when the host supports it.\",\n },\n chrome: {\n type: \"string\",\n enum: [\"full\", \"minimal\"],\n description:\n \"Embed chrome preference for compatible app routes. Defaults to full.\",\n },\n },\n [\"app\"],\n ),\n readOnly: true,\n parallelSafe: true,\n run: async (args: Record<string, any>) => {\n const app = String(args.app ?? \"\").trim();\n const view = String(args.view ?? \"\").trim();\n const path = safeAppPath(args.path);\n if (!app || (!view && !path)) {\n throw new Error(\"open_app requires 'app' and either 'view' or 'path'.\");\n }\n let params: Record<string, string | number | boolean> | undefined;\n const raw = args.params;\n if (raw && typeof raw === \"object\") {\n params = raw as Record<string, string | number | boolean>;\n } else if (typeof raw === \"string\" && raw.trim()) {\n try {\n params = JSON.parse(raw);\n } catch {\n params = undefined;\n }\n }\n const embeddedParam = params?.embed;\n const chromeParam = params?.chrome;\n let embed = args.embed === true || args.embed === \"true\";\n if (\n args.embed == null &&\n (embeddedParam === true || embeddedParam === \"true\")\n ) {\n embed = true;\n } else if (\n args.embed == null &&\n (embeddedParam === false || embeddedParam === \"false\")\n ) {\n embed = false;\n }\n if (\n embeddedParam === true ||\n embeddedParam === false ||\n embeddedParam === \"true\" ||\n embeddedParam === \"false\"\n ) {\n delete params?.embed;\n }\n\n const chrome =\n typeof args.chrome === \"string\"\n ? args.chrome\n : chromeParam === \"full\" || chromeParam === \"minimal\"\n ? chromeParam\n : undefined;\n if (chromeParam === \"full\" || chromeParam === \"minimal\") {\n delete params?.chrome;\n }\n if (params && Object.keys(params).length === 0) params = undefined;\n\n const directViewPath = embed && view ? viewToAppPath(view) : null;\n const relUrl = path\n ? appendParamsToPath(path, params)\n : directViewPath\n ? appendParamsToPath(directViewPath, params)\n : buildDeepLink({ app, view, params });\n const sameAppUrl =\n path || directViewPath ? withConfiguredBasePath(relUrl) : relUrl;\n\n // Cross-app target in a workspace: resolve the TARGET app's origin and\n // return an absolute URL. Otherwise the MCP layer would prefix the\n // relative path with the CURRENT request origin, landing the user in\n // the wrong app (e.g. open_app({app:\"calendar\"}) served from Mail).\n // Same-app / standalone keeps the relative path (current behavior).\n const targetApp = await resolveTargetAppOrigin(config, app);\n const appUrl = targetApp\n ? `${targetApp.origin.replace(/\\/+$/, \"\")}${relUrl}`\n : sameAppUrl;\n const url = appUrl;\n let embedStartUrl: string | undefined;\n let embedTargetPath: string | undefined;\n let embedExpiresAt: number | undefined;\n\n if (embed && !targetApp) {\n const { getRequestContext } =\n await import(\"../server/request-context.js\");\n const ctx = getRequestContext();\n const ownerEmail = ctx?.userEmail?.trim();\n if (ownerEmail) {\n const { normalizeEmbedTargetPath, createEmbedSessionTicket } =\n await import(\"../server/embed-session.js\");\n const { buildEmbedStartPath } =\n await import(\"../server/embed-route.js\");\n const targetPath = normalizeEmbedTargetPath(\n withMcpChatBridgeParam(url),\n requestMeta?.origin,\n );\n if (targetPath) {\n const ticket = await createEmbedSessionTicket({\n ownerEmail,\n orgId: ctx?.orgId,\n targetPath,\n scope: chrome ?? null,\n });\n const startPath = buildEmbedStartPath(ticket.ticket);\n embedStartUrl = requestMeta?.origin\n ? new URL(startPath, requestMeta.origin).toString()\n : startPath;\n embedTargetPath = targetPath;\n embedExpiresAt = ticket.expiresAt;\n }\n }\n }\n\n return {\n app,\n ...(view ? { view } : {}),\n ...(path ? { path } : {}),\n url,\n ...(embedStartUrl ? { embedStartUrl } : {}),\n ...(embedTargetPath ? { embedTargetPath } : {}),\n ...(embedExpiresAt ? { embedExpiresAt } : {}),\n embed,\n };\n },\n link: ({ result }) => {\n if (!result || typeof result !== \"object\") return null;\n const r = result as {\n url?: string;\n app?: string;\n view?: string;\n embed?: boolean;\n };\n if (r.embed) return null;\n if (!r.url) return null;\n return {\n url: r.url,\n label: `Open ${r.app ?? \"app\"}`,\n view: r.view,\n };\n },\n mcpApp: {\n resource: embedApp({\n title: \"Open app\",\n description: \"Render the requested app route inline.\",\n iframeTitle: \"Agent Native app\",\n openLabel: \"Open app\",\n }),\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// create_embed_session\n// ---------------------------------------------------------------------------\n\nfunction createEmbedSessionTool(requestMeta?: {\n origin?: string;\n}): ActionEntry {\n return {\n tool: {\n ...tool(\n \"MCP Apps helper: create a one-time browser embed session for a same-origin app URL. Usually called by an MCP App iframe, not directly by the model.\",\n {\n url: {\n type: \"string\",\n description:\n \"Same-origin absolute URL or app-relative path to embed.\",\n },\n path: {\n type: \"string\",\n description: \"Same-origin app-relative path to embed.\",\n },\n chrome: {\n type: \"string\",\n enum: [\"full\", \"minimal\"],\n description: \"Embed chrome preference. Defaults to full.\",\n },\n },\n ),\n _meta: { ui: { visibility: [\"app\"] } },\n } as ActionTool,\n // App-only bootstrap helper: the ticket becomes a normal browser session,\n // so keep it write-scoped until embed sessions can enforce MCP scopes.\n readOnly: false,\n parallelSafe: true,\n run: async (args: Record<string, any>) => {\n const { getRequestContext } =\n await import(\"../server/request-context.js\");\n const ctx = getRequestContext();\n const ownerEmail = ctx?.userEmail?.trim();\n if (!ownerEmail) {\n throw new Error(\n \"create_embed_session requires an authenticated MCP caller.\",\n );\n }\n\n const { normalizeEmbedTargetPath, createEmbedSessionTicket } =\n await import(\"../server/embed-session.js\");\n const { buildEmbedStartPath } = await import(\"../server/embed-route.js\");\n const rawTarget =\n typeof args.url === \"string\" && args.url.trim()\n ? args.url\n : typeof args.path === \"string\"\n ? args.path\n : \"\";\n const targetPath = normalizeEmbedTargetPath(\n rawTarget,\n requestMeta?.origin,\n );\n if (!targetPath) {\n throw new Error(\n \"create_embed_session can only embed same-origin app-relative URLs.\",\n );\n }\n\n const ticket = await createEmbedSessionTicket({\n ownerEmail,\n orgId: ctx?.orgId,\n targetPath,\n scope: typeof args.chrome === \"string\" ? args.chrome : null,\n });\n const startPath = buildEmbedStartPath(ticket.ticket);\n const startUrl = requestMeta?.origin\n ? new URL(startPath, requestMeta.origin).toString()\n : startPath;\n return {\n startUrl,\n targetPath,\n expiresAt: ticket.expiresAt,\n };\n },\n };\n}\n\n/**\n * Route an `ask_app` message to a *different* app's agent over A2A. Shared by\n * the workspace-resolved path and the org-directory-resolved path so the A2A\n * call logic is not duplicated. `origin` is the target app's A2A base\n * (workspace dev origin or the directory's `a2aUrl`); `id` is reported back.\n *\n * Throws on failure so the caller can be honest — it never falls back to this\n * app's agent and pretends it was the target.\n */\nasync function routeAskOverA2A(\n origin: string,\n id: string,\n message: string,\n): Promise<{ app: string; routedVia: \"a2a\"; response: string }> {\n const { callAgent } = await import(\"../a2a/client.js\");\n const { resolveA2ACallerAuth } = await import(\"../a2a/caller-auth.js\");\n // The MCP handler runs inside `runWithRequestContext`, so this is the\n // verified caller identity and org scope. Reuse the same auth resolver as\n // org-directory discovery so the directory lookup and actual A2A call are\n // scoped the same way.\n const auth = await resolveA2ACallerAuth();\n const response = await callAgent(origin, message, {\n apiKey: auth.apiKey,\n userEmail: auth.userEmail,\n orgDomain: auth.orgDomain,\n orgSecret: auth.orgSecret,\n // Bound the wait — cross-app A2A polls async by default.\n timeoutMs: 5 * 60_000,\n });\n return { app: id, routedVia: \"a2a\", response };\n}\n\n// ---------------------------------------------------------------------------\n// ask_app\n// ---------------------------------------------------------------------------\n\nfunction askAppTool(config: MCPConfig): ActionEntry {\n return {\n tool: tool(\n \"Send a natural-language message to an app's AI agent and get its \" +\n \"response. Use for complex, multi-step tasks needing the agent's \" +\n \"reasoning and full app context. In a single-app project the 'app' \" +\n \"param is optional (defaults to this app). When 'app' names a \" +\n \"different workspace app it is routed there over A2A; the result's \" +\n \"'routedVia' field reports whether it ran cross-app or locally.\",\n {\n app: {\n type: \"string\",\n description: \"App id to route to (optional in a single-app project)\",\n },\n message: {\n type: \"string\",\n description: \"The message to send to the app's agent\",\n },\n },\n [\"message\"],\n ),\n run: async (args: Record<string, any>) => {\n const message = String(args.message ?? \"\").trim();\n if (!message) throw new Error(\"ask_app requires a 'message'.\");\n const requestedApp = String(args.app ?? \"\").trim();\n const selfId = currentAppId(config);\n\n // Cross-app: the caller named a *different* workspace app. Route the\n // message to THAT app's agent over A2A (its `/_agent-native/a2a`\n // endpoint runs the real agent loop with JWT identity) rather than\n // silently answering from this app's agent and claiming delegation.\n const targetApp = await resolveTargetAppOrigin(config, requestedApp);\n if (targetApp) {\n try {\n return await routeAskOverA2A(targetApp.origin, targetApp.id, message);\n } catch (err: any) {\n // Be honest: routing was attempted and failed — do NOT fall back to\n // this app's agent and pretend it was the target.\n throw new Error(\n `Failed to route ask_app to \"${targetApp.id}\" via A2A: ` +\n `${err?.message ?? err}`,\n );\n }\n }\n\n // Not a known local/workspace app — try the org directory. When a\n // directory is configured and the requested app is one of the org's\n // deployed sibling apps, route to it over A2A (same path as above,\n // against its `a2aUrl`). Inactive directory / any failure ⇒ orgApps is\n // [] and this is skipped, preserving the exact local-only behavior.\n if (requestedApp && requestedApp.toLowerCase() !== selfId) {\n const orgApps = await fetchOrgApps({ selfId }).catch(\n () => [] as OrgApp[],\n );\n const dirMatch = orgApps.find(\n (a) => a.id === requestedApp.toLowerCase(),\n );\n if (dirMatch) {\n try {\n return await routeAskOverA2A(dirMatch.a2aUrl, dirMatch.id, message);\n } catch (err: any) {\n throw new Error(\n `Failed to route ask_app to \"${dirMatch.id}\" via A2A ` +\n `(org directory): ${err?.message ?? err}`,\n );\n }\n }\n }\n\n // Same app (or no workspace / unknown target): answer locally with this\n // app's own ask-agent handler — the same entry point the HTTP MCP mount\n // + A2A use, so there is no second agent runner.\n if (!config.askAgent) {\n throw new Error(\n \"This app does not expose an agent (no ask-agent handler).\",\n );\n }\n\n // If the caller named an app we couldn't route to (unknown id, or no\n // workspace), say so honestly instead of claiming we reached it.\n const unresolved =\n !!requestedApp && requestedApp.toLowerCase() !== selfId;\n const response = await config.askAgent(message);\n return {\n app: selfId,\n routedVia: \"local\",\n ...(unresolved\n ? {\n note:\n `Requested app \"${requestedApp}\" is not a reachable workspace ` +\n `app; answered with this app (\"${selfId}\") instead.`,\n }\n : {}),\n response,\n };\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// list_templates\n// ---------------------------------------------------------------------------\n\nfunction listTemplatesTool(): ActionEntry {\n return {\n tool: tool(\n \"List the first-party templates that can be scaffolded into a workspace \" +\n \"(allow-listed templates only).\",\n ),\n readOnly: true,\n parallelSafe: true,\n run: async () => {\n const { visibleTemplates } = await import(\"../cli/templates-meta.js\");\n return {\n templates: visibleTemplates().map((t) => ({\n name: t.name,\n label: t.label,\n hint: t.hint,\n })),\n };\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// create_workspace_app\n// ---------------------------------------------------------------------------\n\nfunction createWorkspaceAppTool(): ActionEntry {\n return {\n tool: tool(\n \"Scaffold a new app into the current workspace from an allow-listed \" +\n \"template, then return a deep link to open it. Idempotent: if an app \" +\n \"with that name already exists it is reused.\",\n {\n name: {\n type: \"string\",\n description: \"New app id (directory under apps/), e.g. 'mymail'\",\n },\n template: {\n type: \"string\",\n description:\n \"Template to scaffold from — must be allow-listed (see list_templates)\",\n },\n },\n [\"name\", \"template\"],\n ),\n run: async (args: Record<string, any>) => {\n const name = String(args.name ?? \"\").trim();\n const template = String(args.template ?? \"\").trim();\n if (!name || !template) {\n throw new Error(\n \"create_workspace_app requires both 'name' and 'template'.\",\n );\n }\n\n // Enforce the strict public template allow-list. The authoritative,\n // dependency-free source inside @agent-native/core is cli/templates-meta\n // (kept in sync with packages/shared-app-config/templates.ts; CI guard).\n const { visibleTemplates } = await import(\"../cli/templates-meta.js\");\n const allowed = new Set(visibleTemplates().map((t) => t.name));\n if (!allowed.has(template)) {\n throw new Error(\n `Template \"${template}\" is not allow-listed. Allowed: ${[...allowed]\n .sort()\n .join(\", \")}`,\n );\n }\n\n const { findWorkspaceRoot, resolveWorkspace } =\n await import(\"./workspace-resolve.js\");\n const fs = await import(\"node:fs\");\n const path = await import(\"node:path\");\n\n const root = findWorkspaceRoot(process.cwd());\n if (!root) {\n throw new Error(\n \"Not inside a workspace. create_workspace_app only works in a \" +\n \"multi-app workspace (run from the workspace root).\",\n );\n }\n\n const appDir = path.join(root, \"apps\", name);\n const alreadyExisted = fs.existsSync(appDir);\n\n if (!alreadyExisted) {\n // Reuse the CLI scaffolder directly (no second `agent-native`\n // subprocess). `addAppToWorkspace(name, { template })` takes the\n // non-interactive single-template path when name + one template are\n // given. Run it from the workspace root so detectWorkspace resolves.\n const prevCwd = process.cwd();\n try {\n process.chdir(root);\n const { addAppToWorkspace } = await import(\"../cli/create.js\");\n await addAppToWorkspace(name, { template, noInstall: true });\n } finally {\n try {\n process.chdir(prevCwd);\n } catch {\n // best-effort cwd restore\n }\n }\n }\n\n // The workspace gateway auto-detects new apps/* dirs (fs.watch +\n // 2s sync) and lazily boots the dev server on first request, so we\n // don't spawn vite ourselves — opening the deep link warms it. Resolve\n // the port the gateway will use so we can report it.\n const ws = await resolveWorkspace(root);\n const appInfo = ws.apps.find((a) => a.id === name);\n const port = appInfo?.port;\n // The scaffolded app is always a *different* app from the host MCP\n // server, so anchor the deep link to the new app's own origin. A\n // relative path would otherwise be prefixed with the current request\n // origin and land on the wrong app. Fall back to the relative path\n // only if the gateway hasn't reported the new app's URL yet.\n const relDeepLink = buildDeepLink({ app: name, view: \"home\" });\n const deepLink = appInfo?.url\n ? `${appInfo.url.replace(/\\/+$/, \"\")}${relDeepLink}`\n : relDeepLink;\n\n return {\n name,\n template,\n created: !alreadyExisted,\n reused: alreadyExisted,\n port,\n url: appInfo?.url,\n gatewayUrl: ws.gatewayUrl,\n deepLink,\n };\n },\n link: ({ result }) => {\n if (!result || typeof result !== \"object\") return null;\n const r = result as { deepLink?: string; name?: string };\n if (!r.deepLink) return null;\n return {\n url: r.deepLink,\n label: `Open ${r.name ?? \"app\"}`,\n view: \"home\",\n };\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// Registry\n// ---------------------------------------------------------------------------\n\n/**\n * Build the generic cross-app builtin tool registry. Called by\n * `createMCPServerForRequest`; the result is merged UNDER the config's\n * actions so template actions of the same name win.\n */\nexport function getBuiltinCrossAppTools(\n config: MCPConfig,\n requestMeta?: { origin?: string },\n): Record<string, ActionEntry> {\n return {\n list_apps: listAppsTool(config, requestMeta),\n open_app: openAppTool(config, requestMeta),\n create_embed_session: createEmbedSessionTool(requestMeta),\n ask_app: askAppTool(config),\n create_workspace_app: createWorkspaceAppTool(),\n list_templates: listTemplatesTool(),\n };\n}\n"]}
|
|
@@ -209,6 +209,9 @@ Claude and ChatGPT can cache tool and resource metadata for an existing custom
|
|
|
209
209
|
connector. After changing MCP App metadata, verify with a fresh tool call; if
|
|
210
210
|
the host still uses the old descriptor, reconnect the Claude connector or
|
|
211
211
|
rescan/review the ChatGPT connector so it refreshes the catalog.
|
|
212
|
+
If Claude logs a warning about `_meta.ui.csp` or `_meta.ui.permissions` living
|
|
213
|
+
on the tool descriptor after a deploy, that connector is using stale metadata:
|
|
214
|
+
delete/reconnect the Claude connector and start a fresh chat.
|
|
212
215
|
|
|
213
216
|
### First-class MCP App bridge {#mcp-app-bridge}
|
|
214
217
|
|
package/package.json
CHANGED