@agent-native/core 0.26.3 → 0.26.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (63) hide show
  1. package/dist/cli/skills.d.ts.map +1 -1
  2. package/dist/cli/skills.js +4 -1
  3. package/dist/cli/skills.js.map +1 -1
  4. package/dist/client/mcp-app-host.d.ts +1 -0
  5. package/dist/client/mcp-app-host.d.ts.map +1 -1
  6. package/dist/client/mcp-app-host.js +44 -6
  7. package/dist/client/mcp-app-host.js.map +1 -1
  8. package/dist/deploy/build.d.ts.map +1 -1
  9. package/dist/deploy/build.js +44 -7
  10. package/dist/deploy/build.js.map +1 -1
  11. package/dist/mcp/build-server.d.ts.map +1 -1
  12. package/dist/mcp/build-server.js +95 -8
  13. package/dist/mcp/build-server.js.map +1 -1
  14. package/dist/mcp/embed-app.d.ts.map +1 -1
  15. package/dist/mcp/embed-app.js +247 -30
  16. package/dist/mcp/embed-app.js.map +1 -1
  17. package/dist/mcp/server.d.ts +5 -7
  18. package/dist/mcp/server.d.ts.map +1 -1
  19. package/dist/mcp/server.js +16 -12
  20. package/dist/mcp/server.js.map +1 -1
  21. package/dist/server/action-routes.d.ts.map +1 -1
  22. package/dist/server/action-routes.js +23 -7
  23. package/dist/server/action-routes.js.map +1 -1
  24. package/dist/server/auth.d.ts.map +1 -1
  25. package/dist/server/auth.js +69 -38
  26. package/dist/server/auth.js.map +1 -1
  27. package/dist/server/core-routes-plugin.d.ts +12 -1
  28. package/dist/server/core-routes-plugin.d.ts.map +1 -1
  29. package/dist/server/core-routes-plugin.js +48 -44
  30. package/dist/server/core-routes-plugin.js.map +1 -1
  31. package/dist/server/create-server.d.ts.map +1 -1
  32. package/dist/server/create-server.js +3 -1
  33. package/dist/server/create-server.js.map +1 -1
  34. package/dist/server/credential-provider.d.ts +1 -0
  35. package/dist/server/credential-provider.d.ts.map +1 -1
  36. package/dist/server/credential-provider.js +15 -4
  37. package/dist/server/credential-provider.js.map +1 -1
  38. package/dist/server/embed-route.d.ts.map +1 -1
  39. package/dist/server/embed-route.js +28 -2
  40. package/dist/server/embed-route.js.map +1 -1
  41. package/dist/server/embed-session.d.ts.map +1 -1
  42. package/dist/server/embed-session.js +26 -7
  43. package/dist/server/embed-session.js.map +1 -1
  44. package/dist/server/onboarding-html.d.ts.map +1 -1
  45. package/dist/server/onboarding-html.js +52 -5
  46. package/dist/server/onboarding-html.js.map +1 -1
  47. package/dist/server/ssr-handler.d.ts +1 -1
  48. package/dist/server/ssr-handler.d.ts.map +1 -1
  49. package/dist/server/ssr-handler.js +23 -10
  50. package/dist/server/ssr-handler.js.map +1 -1
  51. package/dist/shared/cache-control.d.ts +2 -0
  52. package/dist/shared/cache-control.d.ts.map +1 -0
  53. package/dist/shared/cache-control.js +2 -0
  54. package/dist/shared/cache-control.js.map +1 -0
  55. package/dist/shared/mcp-embed-headers.d.ts +2 -1
  56. package/dist/shared/mcp-embed-headers.d.ts.map +1 -1
  57. package/dist/shared/mcp-embed-headers.js +3 -1
  58. package/dist/shared/mcp-embed-headers.js.map +1 -1
  59. package/dist/templates/workspace-root/package.json +5 -0
  60. package/docs/content/mcp-protocol.md +0 -1
  61. package/docs/content/template-assets.md +5 -0
  62. package/package.json +2 -2
  63. package/src/templates/workspace-root/package.json +5 -0
package/dist/server/embed-session.js CHANGED
@@ -316,6 +316,10 @@ function isEmbedRuntimeRequest(event) {
316
316
  return (!!pathname &&
317
317
  (pathname === "/api" ||
318
318
  pathname.startsWith("/api/") ||
319
+ pathname.startsWith("/@") ||
320
+ pathname.startsWith("/app/") ||
321
+ pathname.startsWith("/node_modules/") ||
322
+ pathname.startsWith("/packages/") ||
319
323
  pathname === "/_agent-native" ||
320
324
  pathname.startsWith("/_agent-native/")));
321
325
  }
@@ -547,13 +551,21 @@ export async function resolveEmbedSessionFromRequest(event) {
547
551
  if (!verified.ok)
548
552
  continue;
549
553
  const matchesTarget = requestMatchesEmbedTarget(event, verified.claims.targetPath);
550
- const isRuntimeCookieRequest = candidate.source === "cookie" && isEmbedRuntimeRequest(event);
551
- if (!matchesTarget && !isRuntimeCookieRequest) {
554
+ const isRuntimeRequest = isEmbedRuntimeRequest(event);
555
+ const isRuntimeCookieRequest = candidate.source === "cookie" && isRuntimeRequest;
556
+ const isRuntimeQueryRequest = candidate.source === "query" && isRuntimeRequest;
557
+ if (!matchesTarget && !isRuntimeCookieRequest && !isRuntimeQueryRequest) {
552
558
  continue;
553
559
  }
554
560
  if (candidate.source === "query" && candidate.token) {
555
- setEmbedSessionCookie(event, candidate.token);
556
- setResponseHeader(event, "Referrer-Policy", "no-referrer");
561
+ try {
562
+ setEmbedSessionCookie(event, candidate.token);
563
+ setResponseHeader(event, "Referrer-Policy", "no-referrer");
564
+ }
565
+ catch {
566
+ // Some tests and edge runtimes expose read-only request shims. The
567
+ // query token itself is still valid for this request.
568
+ }
557
569
  }
558
570
  return {
559
571
  email: verified.claims.ownerEmail,
@@ -572,10 +584,17 @@ export function requestHasEmbedAuthMarker(event) {
572
584
  ? q[EMBED_TOKEN_QUERY_PARAM][0]
573
585
  : q[EMBED_TOKEN_QUERY_PARAM];
574
586
  const cookieToken = getCookie(event, EMBED_SESSION_COOKIE);
575
- for (const token of [queryToken, cookieToken]) {
576
- const verified = verifyEmbedSessionToken(token);
587
+ const candidates = [
588
+ { token: queryToken, allowRuntime: true },
589
+ { token: bearerToken(event), allowRuntime: false },
590
+ { token: cookieToken, allowRuntime: true },
591
+ ];
592
+ const runtimeRequest = isEmbedRuntimeRequest(event);
593
+ for (const candidate of candidates) {
594
+ const verified = verifyEmbedSessionToken(candidate.token);
577
595
  if (verified.ok &&
578
- requestMatchesEmbedTarget(event, verified.claims.targetPath)) {
596
+ (requestMatchesEmbedTarget(event, verified.claims.targetPath) ||
597
+ (candidate.allowRuntime && runtimeRequest))) {
579
598
  return true;
580
599
  }
581
600
  }
package/dist/server/embed-session.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"embed-session.js","sourceRoot":"","sources":["../../src/server/embed-session.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,OAAO,EACL,SAAS,EACT,SAAS,EACT,QAAQ,EACR,SAAS,EACT,iBAAiB,GAClB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,EAAE,4BAA4B,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,MAAM,UAAU,GAAG,4BAA4B,CAAC;AAChD,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,CAAC;AAC1C,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,CAAC;AAC1C,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,0BAA0B,CAAC,CAAC;AAC7D,MAAM,eAAe,GAAG,qBAAqB,CAAC;AAC9C,MAAM,qBAAqB,GAA2B;IACpD,GAAG,EAAE,GAAG;IACR,QAAQ,EAAE,GAAG;IACb,OAAO,EAAE,SAAS;IAClB,SAAS,EAAE,YAAY;IACvB,IAAI,EAAE,GAAG;IACT,GAAG,EAAE,MAAM;IACX,SAAS,EAAE,SAAS;IACpB,MAAM,EAAE,SAAS;IACjB,MAAM,EAAE,SAAS;IACjB,MAAM,EAAE,UAAU;IAClB,OAAO,EAAE,UAAU;IACnB,QAAQ,EAAE,WAAW;CACtB,CAAC;AACF,MAAM,mBAAmB,GAA6B;IACpD,2EAA2E;IAC3E,wEAAwE;IACxE,iCAAiC;IACjC,GAAG,EAAE,CAAC,WAAW,CAAC;IAClB,YAAY,EAAE,CAAC,2CAA2C,CAAC;IAC3D,aAAa,EAAE,CAAC,2CAA2C,CAAC;IAC5D,UAAU,EAAE,CAAC,2CAA2C,CAAC;IACzD,oBAAoB,EAAE,CAAC,2CAA2C,CAAC;CACpE,CAAC;AAEF,IAAI,YAAuC,CAAC;AAC5C,IAAI,cAAkC,CAAC;AAkDvC,KAAK,UAAU,WAAW;IACxB,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG,CAAC,KAAK,IAAI,EAAE;YACzB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,MAAM,CAAC,OAAO,CAAC;;;;;;;uBAOJ,OAAO,EAAE;uBACT,OAAO,EAAE;wBACR,OAAO,EAAE;;OAE1B,CAAC,CAAC;QACL,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACjB,YAAY,GAAG,SAAS,CAAC;YACzB,MAAM,GAAG,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,MAAM,GACV,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,4BAA4B,CAAC,mBAAmB,CAAC,CAAC;IACpD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CACb,4IAA4I,CAC7I,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,cAAc,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,SAAS,eAAe,CAAC,GAAoB;IAC3C,MAAM,CAAC,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACnE,OAAO,CAAC;SACL,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,MAAM,GAAG,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAChE,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,WAAW,CAAC,OAAe;IAClC,OAAO,eAAe,CACpB,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CACtE,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,MAAc;IAChC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IACxB,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACvC,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAChE,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAgB;IAC/C,MAAM,IAAI,GAAG,wBAAwB,EAAE,CAAC;IACxC,IAAI,CAAC,IAAI;QAAE,OAAO,QAAQ,CAAC;IAC3B,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,GAAG,CAAC;IAClC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC;QACjC,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;IAC5C,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,MAAM,UAAU,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IAClD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,UAAU,EAAE,6BAA6B,CAAC,CAAC,QAAQ,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAgC;IACvD,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,OAAO,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IACzD,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACrD,IACE,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QACrB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QACtB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EACrB,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,wBAAwB,CAC/B,OAAoB,EACpB,IAA+B;IAE/B,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,QAAQ;QAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,wBAAwB,CAAC,UAAkB;IAClD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,EAAE,6BAA6B,CAAC,CAAC;IAC3D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,IAAI,uBAAuB,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,eAAe,EAAE,CAAC;QAC9D,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,EAAE,GAAG,wBAAwB,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;IAChE,wBAAwB,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAEtC,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC;IAClD,IAAI,CAAC,IAAI,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,OAAO,CAAC;IACtD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAC1D,MAAM,YAAY,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAChD,wBAAwB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IAChD,wBAAwB,CAAC,OAAO,EAAE,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC;IAE/D,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC;IACzE,IAAI,IAAI,KAAK,OAAO,IAAI,WAAW,EAAE,CAAC;QACpC,wBAAwB,CACtB,OAAO,EACP,UAAU,kBAAkB,CAAC,WAAW,CAAC,EAAE,CAC5C,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;IACvE,IAAI,IAAI,KAAK,UAAU,IAAI,UAAU,EAAE,CAAC;QACtC,wBAAwB,CACtB,OAAO,EACP,aAAa,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAC9C,CAAC;IACJ,CAAC;IACD,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC;IACzE,IAAI,IAAI,KAAK,YAAY,IAAI,WAAW,EAAE,CAAC;QACzC,wBAAwB,CACtB,OAAO,EACP,eAAe,kBAAkB,CAAC,WAAW,CAAC,EAAE,CACjD,CAAC;IACJ,CAAC;IACD,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;IACnE,IAAI,QAAQ,EAAE,CAAC;QACb,wBAAwB,CACtB,OAAO,EACP,IAAI,KAAK,SAAS;YAChB,CAAC,CAAC,YAAY,kBAAkB,CAAC,QAAQ,CAAC,EAAE;YAC5C,CAAC,CAAC,WAAW,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAC9C,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;IACvE,IAAI,UAAU,EAAE,CAAC;QACf,wBAAwB,CACtB,OAAO,EACP,SAAS,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAC1C,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC/D,IAAI,MAAM,EAAE,CAAC;QACX,wBAAwB,CACtB,OAAO,EACP,IAAI,KAAK,SAAS;YAChB,CAAC,CAAC,SAAS,kBAAkB,CAAC,MAAM,CAAC,UAAU;YAC/C,CAAC,CAAC,SAAS,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAC1C,CAAC;IACJ,CAAC;IACD,IACE,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAClD,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACpD,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,EACjD,CAAC;QACD,wBAAwB,CAAC,OAAO,EAAE,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC;IACjE,CAAC;IACD,IACE,IAAI,KAAK,UAAU;QACnB,CAAC,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC/C,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,EACxD,CAAC;QACD,wBAAwB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;IACnE,IAAI,YAAY,IAAI,QAAQ,EAAE,CAAC;QAC7B,wBAAwB,CACtB,OAAO,EACP,GAAG,YAAY,IAAI,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAClD,CAAC;IACJ,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,2BAA2B,CAAC,UAAkB;IACrD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,MAAM,MAAM,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAC5C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACpB,KAAK,MAAM,WAAW,IAAI,mBAAmB,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;YAC5D,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,KAAK,MAAM,UAAU,IAAI,wBAAwB,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAc;IACzC,MAAM,eAAe,GAAI,KAAa,CAAC,OAAO,EAAE,gBAAgB,CAAC;IACjE,IAAI,OAAO,eAAe,KAAK,QAAQ,IAAI,eAAe,EAAE,CAAC;QAC3D,OAAO,GAAG,eAAe,GAAI,KAAa,CAAC,GAAG,EAAE,MAAM,IAAI,EAAE,EAAE,CAAC;IACjE,CAAC;IACD,OAAO,CACJ,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG;QAC3B,KAAa,CAAC,GAAG,EAAE,GAA0B;QAC7C,KAAa,CAAC,OAAO,EAAE,GAA0B;QAClD,KAAa,CAAC,IAAI;QAClB,KAAa,CAAC,GAAG,EAAE,QAAQ,EAAE,EAAE;QAChC,GAAG,CACJ,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,KAAc;IACrC,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,6BAA6B,CAAC,CAAC,QAAQ,CAAC;QACtE,OAAO,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAC1C,MAAM,MAAM,GACT,KAAa,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC;QAC1D,KAAa,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC;QACjD,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,mBAAmB,CAAC;QACvD,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,mBAAmB,CAAC,WAAW,EAAE,CAAC,CAAC;IACzE,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QAClD,OAAO,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,KAAc;IACjC,MAAM,MAAM,GACT,KAAa,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC;QAC7C,KAAa,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC;QACpC,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC;IAC1C,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;IACtE,IAAI,CAAC;QACH,OAAO,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAc;IAC5C,IAAI,GAAG,GACJ,KAAa,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC;QAChD,KAAa,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC;QACjD,KAAa,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC;QACvC,KAAa,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC;QACxC,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO;QACzC,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ;QAC3C,IAAI,CAAC;IACP,IAAI,CAAC;QACH,GAAG,GAAG,GAAG,IAAI,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,SAAS,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC3E,CAAC;IAAC,MAAM,CAAC;QACP,GAAG,GAAG,GAAG,IAAI,IAAI,CAAC;IACpB,CAAC;IACD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,IAAI,IAAI,QAAQ,CAAC,IAAI,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAChD,OAAO,gBAAgB,CAAC,GAAG,QAAQ,CAAC,QAAQ,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACpE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;AACH,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,KAAc,EACd,UAAkB;IAElB,MAAM,OAAO,GAAG,2BAA2B,CAAC,UAAU,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAErC,MAAM,OAAO,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAEjD,MAAM,YAAY,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3D,MAAM,cAAc,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;IACrD,OAAO,CAAC,CAAC,cAAc,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACxC,OAAO,CACL,CAAC,CAAC,QAAQ;QACV,CAAC,QAAQ,KAAK,MAAM;YAClB,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;YAC5B,QAAQ,KAAK,gBAAgB;YAC7B,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,CAC1C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,GAA8B,EAC9B,aAAsB;IAEtB,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACvC,IAAI,CAAC,KAAK,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAErD,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;YAC9B,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;gBACxC,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;oBAAE,OAAO,IAAI,CAAC;YACrD,CAAC;YACD,MAAM,IAAI,GAAG,wBAAwB,EAAE,CAAC;YACxC,IACE,IAAI;gBACJ,MAAM,CAAC,QAAQ,KAAK,IAAI;gBACxB,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC,EACvC,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IAAI,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAC5D,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7C,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,IAAI,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,KAA8B;IAE9B,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC3C,IAAI,CAAC,UAAU;QAAE,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC9E,MAAM,UAAU,GAAG,wBAAwB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC9D,IAAI,CAAC,UAAU;QACb,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAEhE,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,0BAA0B,CAAC;IAClE,MAAM,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,IAAI,CAAC;IACvD,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;QACxB,GAAG,EACD,yCAAyC;YACzC,8FAA8F;YAC9F,iCAAiC;QACnC,IAAI,EAAE;YACJ,UAAU;YACV,UAAU;YACV,KAAK,CAAC,KAAK,IAAI,IAAI;YACnB,UAAU;YACV,KAAK,CAAC,KAAK,IAAI,IAAI;YACnB,GAAG;YACH,SAAS;YACT,IAAI;SACL;KACF,CAAC,CAAC;IACH,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;AAC3C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,MAAiC,EACjC,UAA4C,EAAE;IAE9C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;QACzC,GAAG,EACD,uFAAuF;YACvF,uDAAuD;QACzD,IAAI,EAAE,CAAC,UAAU,CAAC;KACnB,CAAC,CAAC;IACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,GAAG,GAAQ,IAAI,CAAC,CAAC,CAAC,CAAC;IACzB,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAChE,MAAM,UAAU,GAAG,YAAY,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IACnE,MAAM,KAAK,GAAG,iBAAiB,CAAC,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IACzD,IAAI,UAAU,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,SAAS,IAAI,IAAI,IAAI,SAAS,GAAG,GAAG;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,OAAO,CAAC,aAAa,IAAI,KAAK,IAAI,KAAK,KAAK,OAAO,CAAC,aAAa,EAAE,CAAC;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;QACvC,GAAG,EACD,wDAAwD;YACxD,+CAA+C;QACjD,IAAI,EAAE,CAAC,GAAG,EAAE,UAAU,CAAC;KACxB,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,YAAY,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3C,MAAM,UAAU,GAAG,wBAAwB,CACzC,iBAAiB,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,UAAU,CAAC,CACrD,CAAC;IACF,MAAM,UAAU,GAAG,iBAAiB,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IACxE,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,IAAI,SAAS,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAEjE,OAAO;QACL,UAAU;QACV,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3B,UAAU;QACV,GAAG,CAAC,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC;YAC9B,CAAC,CAAC,EAAE,KAAK,EAAE,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE;YACzC,CAAC,CAAC,EAAE,CAAC;QACP,SAAS;KACV,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,KAMrC;IACC,MAAM,UAAU,GAAG,wBAAwB,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC;IACrE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,UAAU,IAAI,yBAAyB,CAAC,CAAC;IACvE,MAAM,MAAM,GAA4B;QACtC,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,UAAU;QACV,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,GAAG;KACf,CAAC;IACF,IAAI,KAAK,CAAC,KAAK;QAAE,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;IAC5C,IAAI,KAAK,CAAC,KAAK;QAAE,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;IAC5C,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACxD,OAAO,GAAG,OAAO,IAAI,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,KAAgC;IAEhC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;IACD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QACjD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IACxC,CAAC;IACD,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;IACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;QACnE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC5C,CAAC;IAED,IAAI,MAA+B,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;IAED,IACE,CAAC,MAAM;QACP,MAAM,CAAC,IAAI,KAAK,UAAU;QAC1B,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ;QACrC,CAAC,MAAM,CAAC,UAAU;QAClB,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAC9B,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAC5B,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IACzC,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;QAC/C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;IACD,MAAM,CAAC,UAAU,GAAG,wBAAwB,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC;IACvE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC9B,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QACtD,IAAI,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC;QAC1C,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QAC5C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QACxE,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB;IACxB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC;IACjD,OAAO,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAK1C,OAAO,cAAc,CAAC,KAAK,CAAC;QAC1B,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;QACvD,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,KAAc,EAAE,KAAa;IACjE,SAAS,CAAC,KAAK,EAAE,oBAAoB,EAAE,KAAK,EAAE;QAC5C,QAAQ,EAAE,IAAI;QACd,GAAG,oBAAoB,CAAC,KAAK,CAAC;QAC9B,GAAG,iBAAiB,EAAE;QACtB,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,yBAAyB;KAClC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,WAAW,CAAC,KAAc;IACjC,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IAC/C,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3D,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;AAC5B,CAAC;AAED,SAAS,UAAU,CAAC,KAAc;IAChC,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,uBAAuB,CAAC,CAAC;IACvD,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAChD,IAAI,KAAK;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,CAAC;QACH,OAAO,CACL,IAAI,GAAG,CACL,mBAAmB,CAAC,KAAK,CAAC,EAC1B,6BAA6B,CAC9B,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,SAAS,CACzD,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,KAAc;IAEd,MAAM,UAAU,GAAG;QACjB,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE;QAC7C,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE;QAC/C,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,oBAAoB,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE;KACpE,CAAC;IACF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,SAAS;QAC3B,MAAM,aAAa,GAAG,yBAAyB,CAC7C,KAAK,EACL,QAAQ,CAAC,MAAM,CAAC,UAAU,CAC3B,CAAC;QACF,MAAM,sBAAsB,GAC1B,SAAS,CAAC,MAAM,KAAK,QAAQ,IAAI,qBAAqB,CAAC,KAAK,CAAC,CAAC;QAChE,IAAI,CAAC,aAAa,IAAI,CAAC,sBAAsB,EAAE,CAAC;YAC9C,SAAS;QACX,CAAC;QACD,IAAI,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;YACpD,qBAAqB,CAAC,KAAK,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;YAC9C,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU;YACjC,KAAK,EAAE,SAAS,CAAC,KAAM;YACvB,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU;YACtC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAClE,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACnE,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAc;IACtD,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChC,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC;YAC1D,CAAC,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC;YAC/B,CAAC,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC;QAC/B,MAAM,WAAW,GAAG,SAAS,CAAC,KAAK,EAAE,oBAAoB,CAAC,CAAC;QAC3D,KAAK,MAAM,KAAK,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,EAAE,CAAC;YAC9C,MAAM,QAAQ,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;YAChD,IACE,QAAQ,CAAC,EAAE;gBACX,yBAAyB,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAC5D,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChC,OAAO,CACL,CAAC,CAAC,sBAAsB,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,sBAAsB,CAAC,KAAK,MAAM,CAC1E,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC","sourcesContent":["import crypto from \"node:crypto\";\nimport type { H3Event } from \"h3\";\nimport {\n getCookie,\n getHeader,\n getQuery,\n setCookie,\n setResponseHeader,\n} from \"h3\";\nimport { getDbExec, intType } from \"../db/client.js\";\nimport { getWorkspaceA2ADerivedSecret } from \"./derived-secret.js\";\nimport { getConfiguredAppBasePath } from \"./app-base-path.js\";\nimport {\n EMBED_MODE_QUERY_PARAM,\n EMBED_SESSION_COOKIE,\n EMBED_TARGET_HEADER,\n EMBED_TOKEN_QUERY_PARAM,\n} from \"../shared/embed-auth.js\";\n\nconst TOKEN_KIND = \"agent-native-embed-session\";\nconst DEFAULT_TOKEN_TTL_SECONDS = 60 * 60;\nconst DEFAULT_TICKET_TTL_SECONDS = 5 * 60;\nconst CONTROL_CHARS = new RegExp(\"[\\\\u0000-\\\\u001f\\\\u007f]\");\nconst OPEN_ROUTE_PATH = \"/_agent-native/open\";\nconst OPEN_ROUTE_VIEW_PATHS: Record<string, string> = {\n ask: \"/\",\n calendar: \"/\",\n capture: \"/search\",\n knowledge: \"/knowledge\",\n list: \"/\",\n ops: \"/ops\",\n proposals: \"/review\",\n review: \"/review\",\n search: \"/search\",\n source: \"/sources\",\n sources: \"/sources\",\n settings: \"/settings\",\n};\nconst EMBED_ROUTE_ALIASES: Record<string, string[]> = {\n // Dispatch's app root redirects to /overview. A ticket minted for the root\n // should survive that first-hop redirect instead of falling back to the\n // private deployment token gate.\n \"/\": [\"/overview\"],\n \"/dashboard\": [\"/adhoc/agent-native-templates-first-party\"],\n \"/dashboards\": [\"/adhoc/agent-native-templates-first-party\"],\n \"/traffic\": [\"/adhoc/agent-native-templates-first-party\"],\n \"/traffic-dashboard\": [\"/adhoc/agent-native-templates-first-party\"],\n};\n\nlet _initPromise: Promise<void> | undefined;\nlet _devSigningKey: string | undefined;\n\nexport interface EmbedSessionTicketInput {\n ownerEmail: string;\n orgId?: string | null;\n targetPath: string;\n scope?: string | null;\n ttlSeconds?: number;\n}\n\nexport interface EmbedSessionTicket {\n ticket: string;\n ticketHash: string;\n expiresAt: number;\n}\n\nexport interface ConsumeEmbedSessionTicketOptions {\n expectedOrgId?: string | null;\n}\n\nexport interface ConsumedEmbedSessionTicket {\n ownerEmail: string;\n orgId?: string;\n targetPath: string;\n scope?: string;\n expiresAt: number;\n}\n\nexport interface EmbedSessionTokenClaims {\n kind: typeof TOKEN_KIND;\n ownerEmail: string;\n orgId?: string;\n targetPath: string;\n scope?: string;\n iat: number;\n exp: number;\n}\n\nexport type VerifyEmbedSessionTokenResult =\n | { ok: true; claims: EmbedSessionTokenClaims }\n | { ok: false; reason: string };\n\nexport type ResolvedEmbedSession = {\n email: string;\n orgId?: string;\n token: string;\n targetPath: string;\n scope?: string;\n};\n\nasync function ensureTable(): Promise<void> {\n if (!_initPromise) {\n _initPromise = (async () => {\n const client = getDbExec();\n await client.execute(`\n CREATE TABLE IF NOT EXISTS agent_native_embed_tickets (\n ticket_hash TEXT PRIMARY KEY,\n owner_email TEXT NOT NULL,\n org_id TEXT,\n target_path TEXT NOT NULL,\n scope TEXT,\n created_at ${intType()} NOT NULL,\n expires_at ${intType()} NOT NULL,\n consumed_at ${intType()}\n )\n `);\n })().catch((err) => {\n _initPromise = undefined;\n throw err;\n });\n }\n return _initPromise;\n}\n\nfunction getSigningKey(): string {\n const secret =\n process.env.OAUTH_STATE_SECRET ||\n process.env.BETTER_AUTH_SECRET ||\n getWorkspaceA2ADerivedSecret(\"short-lived-token\");\n if (secret) return secret;\n\n if (process.env.NODE_ENV === \"production\") {\n throw new Error(\n \"Embed session signing requires a server secret. Set OAUTH_STATE_SECRET, BETTER_AUTH_SECRET, or A2A_SECRET in production workspace deploys.\",\n );\n }\n\n if (!_devSigningKey) {\n _devSigningKey = crypto.randomBytes(32).toString(\"hex\");\n }\n return _devSigningKey;\n}\n\nfunction base64UrlEncode(buf: Buffer | string): string {\n const b = typeof buf === \"string\" ? Buffer.from(buf, \"utf8\") : buf;\n return b\n .toString(\"base64\")\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/g, \"\");\n}\n\nfunction base64UrlDecode(input: string): Buffer {\n const padded = input + \"=\".repeat((4 - (input.length % 4)) % 4);\n return Buffer.from(padded.replace(/-/g, \"+\").replace(/_/g, \"/\"), \"base64\");\n}\n\nfunction signPayload(payload: string): string {\n return base64UrlEncode(\n crypto.createHmac(\"sha256\", getSigningKey()).update(payload).digest(),\n );\n}\n\nfunction hashTicket(ticket: string): string {\n return crypto.createHash(\"sha256\").update(ticket).digest(\"hex\");\n}\n\nfunction numberOrNull(value: unknown): number | null {\n if (value == null) return null;\n const n = Number(value);\n return Number.isFinite(n) ? n : null;\n}\n\nfunction stringOrUndefined(value: unknown): string | undefined {\n return typeof value === \"string\" && value ? value : undefined;\n}\n\nfunction stripConfiguredBasePath(pathname: string): string {\n const base = getConfiguredAppBasePath();\n if (!base) return pathname;\n if (pathname === base) return \"/\";\n if (pathname.startsWith(`${base}/`))\n return pathname.slice(base.length) || \"/\";\n return pathname;\n}\n\nfunction pathnameFromPath(path: string): string | null {\n const normalized = normalizeEmbedTargetPath(path);\n if (!normalized) return null;\n try {\n return new URL(normalized, \"http://agent-native.invalid\").pathname;\n } catch {\n return null;\n }\n}\n\nfunction safePathSegment(value: string | null | undefined): string | null {\n const segment = value?.trim();\n if (!segment || CONTROL_CHARS.test(segment)) return null;\n if (segment === \".\" || segment === \"..\") return null;\n if (\n segment.includes(\"/\") ||\n segment.includes(\"\\\\\") ||\n segment.includes(\"?\")\n ) {\n return null;\n }\n if (segment.includes(\"#\")) return null;\n return segment;\n}\n\nfunction addResolvedOpenRoutePath(\n targets: Set<string>,\n path: string | null | undefined,\n): void {\n if (!path) return;\n const pathname = pathnameFromPath(path);\n if (pathname) targets.add(pathname);\n}\n\nfunction openRouteTargetPathnames(targetPath: string): Set<string> {\n const targets = new Set<string>();\n let url: URL;\n try {\n url = new URL(targetPath, \"http://agent-native.invalid\");\n } catch {\n return targets;\n }\n if (stripConfiguredBasePath(url.pathname) !== OPEN_ROUTE_PATH) {\n return targets;\n }\n\n const to = normalizeEmbedTargetPath(url.searchParams.get(\"to\"));\n addResolvedOpenRoutePath(targets, to);\n\n const view = url.searchParams.get(\"view\")?.trim();\n if (!view || CONTROL_CHARS.test(view)) return targets;\n const viewPath = view.startsWith(\"/\") ? view : `/${view}`;\n const viewPathname = pathnameFromPath(viewPath);\n addResolvedOpenRoutePath(targets, viewPathname);\n addResolvedOpenRoutePath(targets, OPEN_ROUTE_VIEW_PATHS[view]);\n\n const dashboardId = safePathSegment(url.searchParams.get(\"dashboardId\"));\n if (view === \"adhoc\" && dashboardId) {\n addResolvedOpenRoutePath(\n targets,\n `/adhoc/${encodeURIComponent(dashboardId)}`,\n );\n }\n const analysisId = safePathSegment(url.searchParams.get(\"analysisId\"));\n if (view === \"analyses\" && analysisId) {\n addResolvedOpenRoutePath(\n targets,\n `/analyses/${encodeURIComponent(analysisId)}`,\n );\n }\n const extensionId = safePathSegment(url.searchParams.get(\"extensionId\"));\n if (view === \"extensions\" && extensionId) {\n addResolvedOpenRoutePath(\n targets,\n `/extensions/${encodeURIComponent(extensionId)}`,\n );\n }\n const designId = safePathSegment(url.searchParams.get(\"designId\"));\n if (designId) {\n addResolvedOpenRoutePath(\n targets,\n view === \"present\"\n ? `/present/${encodeURIComponent(designId)}`\n : `/design/${encodeURIComponent(designId)}`,\n );\n }\n const documentId = safePathSegment(url.searchParams.get(\"documentId\"));\n if (documentId) {\n addResolvedOpenRoutePath(\n targets,\n `/page/${encodeURIComponent(documentId)}`,\n );\n }\n const deckId = safePathSegment(url.searchParams.get(\"deckId\"));\n if (deckId) {\n addResolvedOpenRoutePath(\n targets,\n view === \"present\"\n ? `/deck/${encodeURIComponent(deckId)}/present`\n : `/deck/${encodeURIComponent(deckId)}`,\n );\n }\n if (\n safePathSegment(url.searchParams.get(\"captureId\")) ||\n safePathSegment(url.searchParams.get(\"knowledgeId\")) ||\n safePathSegment(url.searchParams.get(\"sourceId\"))\n ) {\n addResolvedOpenRoutePath(targets, OPEN_ROUTE_VIEW_PATHS[view]);\n }\n if (\n view === \"calendar\" &&\n (safePathSegment(url.searchParams.get(\"eventId\")) ||\n safePathSegment(url.searchParams.get(\"eventDraftId\")))\n ) {\n addResolvedOpenRoutePath(targets, \"/\");\n }\n const threadId = safePathSegment(url.searchParams.get(\"threadId\"));\n if (viewPathname && threadId) {\n addResolvedOpenRoutePath(\n targets,\n `${viewPathname}/${encodeURIComponent(threadId)}`,\n );\n }\n\n return targets;\n}\n\nfunction allowedEmbedTargetPathnames(targetPath: string): Set<string> {\n const allowed = new Set<string>();\n const direct = pathnameFromPath(targetPath);\n if (direct) {\n allowed.add(direct);\n for (const aliasTarget of EMBED_ROUTE_ALIASES[direct] ?? []) {\n allowed.add(aliasTarget);\n }\n }\n for (const openTarget of openRouteTargetPathnames(targetPath)) {\n allowed.add(openTarget);\n }\n return allowed;\n}\n\nfunction requestUrlFromEvent(event: H3Event): string {\n const mountedPathname = (event as any).context?._mountedPathname;\n if (typeof mountedPathname === \"string\" && mountedPathname) {\n return `${mountedPathname}${(event as any).url?.search ?? \"\"}`;\n }\n return (\n (event as any).node?.req?.url ??\n ((event as any).req?.url as string | undefined) ??\n ((event as any).request?.url as string | undefined) ??\n (event as any).path ??\n (event as any).url?.toString?.() ??\n \"/\"\n );\n}\n\nfunction requestPathname(event: H3Event): string | null {\n const raw = requestUrlFromEvent(event);\n try {\n const pathname = new URL(raw, \"http://agent-native.invalid\").pathname;\n return stripConfiguredBasePath(pathname);\n } catch {\n return null;\n }\n}\n\nfunction headerTargetPathname(event: H3Event): string | null {\n const direct =\n (event as any).request?.headers?.get?.(EMBED_TARGET_HEADER) ??\n (event as any).headers?.get?.(EMBED_TARGET_HEADER) ??\n (event as any).node?.req?.headers?.[EMBED_TARGET_HEADER] ??\n (event as any).node?.req?.headers?.[EMBED_TARGET_HEADER.toLowerCase()];\n if (typeof direct === \"string\") return pathnameFromPath(direct);\n try {\n const raw = getHeader(event, EMBED_TARGET_HEADER);\n return typeof raw === \"string\" ? pathnameFromPath(raw) : null;\n } catch {\n return null;\n }\n}\n\nfunction requestHost(event: H3Event): string | null {\n const direct =\n (event as any).request?.headers?.get?.(\"host\") ??\n (event as any).headers?.get?.(\"host\") ??\n (event as any).node?.req?.headers?.host;\n if (typeof direct === \"string\" && direct.trim()) return direct.trim();\n try {\n return getHeader(event, \"host\") ?? null;\n } catch {\n return null;\n }\n}\n\nfunction referrerTargetPathname(event: H3Event): string | null {\n let raw: string | null =\n (event as any).request?.headers?.get?.(\"referer\") ??\n (event as any).request?.headers?.get?.(\"referrer\") ??\n (event as any).headers?.get?.(\"referer\") ??\n (event as any).headers?.get?.(\"referrer\") ??\n (event as any).node?.req?.headers?.referer ??\n (event as any).node?.req?.headers?.referrer ??\n null;\n try {\n raw = raw ?? getHeader(event, \"referer\") ?? getHeader(event, \"referrer\");\n } catch {\n raw = raw ?? null;\n }\n if (!raw) return null;\n try {\n const referrer = new URL(raw);\n const host = requestHost(event);\n if (host && referrer.host !== host) return null;\n return pathnameFromPath(`${referrer.pathname}${referrer.search}`);\n } catch {\n return pathnameFromPath(raw);\n }\n}\n\nexport function requestMatchesEmbedTarget(\n event: H3Event,\n targetPath: string,\n): boolean {\n const allowed = allowedEmbedTargetPathnames(targetPath);\n if (allowed.size === 0) return false;\n\n const current = requestPathname(event);\n if (current && allowed.has(current)) return true;\n\n const headerTarget = headerTargetPathname(event);\n if (headerTarget && allowed.has(headerTarget)) return true;\n\n const referrerTarget = referrerTargetPathname(event);\n return !!referrerTarget && allowed.has(referrerTarget);\n}\n\nfunction isEmbedRuntimeRequest(event: H3Event): boolean {\n const pathname = requestPathname(event);\n return (\n !!pathname &&\n (pathname === \"/api\" ||\n pathname.startsWith(\"/api/\") ||\n pathname === \"/_agent-native\" ||\n pathname.startsWith(\"/_agent-native/\"))\n );\n}\n\nexport function normalizeEmbedTargetPath(\n raw: string | undefined | null,\n requestOrigin?: string,\n): string | null {\n const value = String(raw ?? \"\").trim();\n if (!value || CONTROL_CHARS.test(value)) return null;\n\n let path = value;\n try {\n if (/^[a-z][a-z0-9+.-]*:\\/\\//i.test(value)) {\n const parsed = new URL(value);\n if (requestOrigin) {\n const expected = new URL(requestOrigin);\n if (parsed.origin !== expected.origin) return null;\n }\n const base = getConfiguredAppBasePath();\n if (\n base &&\n parsed.pathname !== base &&\n !parsed.pathname.startsWith(`${base}/`)\n ) {\n return null;\n }\n path = `${parsed.pathname}${parsed.search}${parsed.hash}`;\n }\n } catch {\n return null;\n }\n\n if (!path.startsWith(\"/\")) path = `/${path}`;\n if (path.startsWith(\"//\") || path.startsWith(\"/\\\\\")) return null;\n if (/^\\/[a-z][a-z0-9+.-]*:/i.test(path)) return null;\n return stripConfiguredBasePath(path);\n}\n\nexport async function createEmbedSessionTicket(\n input: EmbedSessionTicketInput,\n): Promise<EmbedSessionTicket> {\n const ownerEmail = input.ownerEmail.trim();\n if (!ownerEmail) throw new Error(\"Embed session ticket requires ownerEmail.\");\n const targetPath = normalizeEmbedTargetPath(input.targetPath);\n if (!targetPath)\n throw new Error(\"Embed session ticket requires a safe path.\");\n\n await ensureTable();\n const ticket = crypto.randomBytes(32).toString(\"base64url\");\n const ticketHash = hashTicket(ticket);\n const now = Date.now();\n const ttlSeconds = input.ttlSeconds ?? DEFAULT_TICKET_TTL_SECONDS;\n const expiresAt = now + Math.max(1, ttlSeconds) * 1000;\n await getDbExec().execute({\n sql:\n \"INSERT INTO agent_native_embed_tickets \" +\n \"(ticket_hash, owner_email, org_id, target_path, scope, created_at, expires_at, consumed_at) \" +\n \"VALUES (?, ?, ?, ?, ?, ?, ?, ?)\",\n args: [\n ticketHash,\n ownerEmail,\n input.orgId ?? null,\n targetPath,\n input.scope ?? null,\n now,\n expiresAt,\n null,\n ],\n });\n return { ticket, ticketHash, expiresAt };\n}\n\nexport async function consumeEmbedSessionTicket(\n ticket: string | undefined | null,\n options: ConsumeEmbedSessionTicketOptions = {},\n): Promise<ConsumedEmbedSessionTicket | null> {\n if (!ticket) return null;\n await ensureTable();\n const ticketHash = hashTicket(ticket);\n const now = Date.now();\n const { rows } = await getDbExec().execute({\n sql:\n \"SELECT ticket_hash, owner_email, org_id, target_path, scope, expires_at, consumed_at \" +\n \"FROM agent_native_embed_tickets WHERE ticket_hash = ?\",\n args: [ticketHash],\n });\n if (rows.length === 0) return null;\n const row: any = rows[0];\n const expiresAt = numberOrNull(row.expires_at ?? row.expiresAt);\n const consumedAt = numberOrNull(row.consumed_at ?? row.consumedAt);\n const orgId = stringOrUndefined(row.org_id ?? row.orgId);\n if (consumedAt != null) return null;\n if (expiresAt != null && expiresAt < now) return null;\n if (options.expectedOrgId && orgId && orgId !== options.expectedOrgId) {\n return null;\n }\n\n const result = await getDbExec().execute({\n sql:\n \"UPDATE agent_native_embed_tickets SET consumed_at = ? \" +\n \"WHERE ticket_hash = ? AND consumed_at IS NULL\",\n args: [now, ticketHash],\n });\n if (result.rowsAffected === 0) return null;\n\n const targetPath = normalizeEmbedTargetPath(\n stringOrUndefined(row.target_path ?? row.targetPath),\n );\n const ownerEmail = stringOrUndefined(row.owner_email ?? row.ownerEmail);\n if (!targetPath || !ownerEmail || expiresAt == null) return null;\n\n return {\n ownerEmail,\n ...(orgId ? { orgId } : {}),\n targetPath,\n ...(stringOrUndefined(row.scope)\n ? { scope: stringOrUndefined(row.scope) }\n : {}),\n expiresAt,\n };\n}\n\nexport function signEmbedSessionToken(input: {\n ownerEmail: string;\n orgId?: string | null;\n targetPath: string;\n scope?: string | null;\n ttlSeconds?: number;\n}): string {\n const targetPath = normalizeEmbedTargetPath(input.targetPath) ?? \"/\";\n const now = Math.floor(Date.now() / 1000);\n const ttl = Math.max(1, input.ttlSeconds ?? DEFAULT_TOKEN_TTL_SECONDS);\n const claims: EmbedSessionTokenClaims = {\n kind: TOKEN_KIND,\n ownerEmail: input.ownerEmail,\n targetPath,\n iat: now,\n exp: now + ttl,\n };\n if (input.orgId) claims.orgId = input.orgId;\n if (input.scope) claims.scope = input.scope;\n const payload = base64UrlEncode(JSON.stringify(claims));\n return `${payload}.${signPayload(payload)}`;\n}\n\nexport function verifyEmbedSessionToken(\n token: string | undefined | null,\n): VerifyEmbedSessionTokenResult {\n if (!token || typeof token !== \"string\") {\n return { ok: false, reason: \"missing\" };\n }\n const parts = token.split(\".\");\n if (parts.length !== 2 || !parts[0] || !parts[1]) {\n return { ok: false, reason: \"shape\" };\n }\n const [payload, signature] = parts;\n const expected = signPayload(payload);\n const sig = Buffer.from(signature);\n const exp = Buffer.from(expected);\n if (sig.length !== exp.length || !crypto.timingSafeEqual(sig, exp)) {\n return { ok: false, reason: \"signature\" };\n }\n\n let claims: EmbedSessionTokenClaims;\n try {\n claims = JSON.parse(base64UrlDecode(payload).toString(\"utf8\"));\n } catch {\n return { ok: false, reason: \"payload\" };\n }\n\n if (\n !claims ||\n claims.kind !== TOKEN_KIND ||\n typeof claims.ownerEmail !== \"string\" ||\n !claims.ownerEmail ||\n typeof claims.exp !== \"number\" ||\n !Number.isFinite(claims.exp)\n ) {\n return { ok: false, reason: \"claims\" };\n }\n if (claims.exp < Math.floor(Date.now() / 1000)) {\n return { ok: false, reason: \"expired\" };\n }\n claims.targetPath = normalizeEmbedTargetPath(claims.targetPath) ?? \"/\";\n return { ok: true, claims };\n}\n\nfunction isHttpsRequest(event: H3Event): boolean {\n try {\n const xfProto = getHeader(event, \"x-forwarded-proto\");\n if (xfProto && String(xfProto).split(\",\")[0].trim() === \"https\") {\n return true;\n }\n const url = event.url?.toString?.() ?? \"\";\n if (url.startsWith(\"https://\")) return true;\n const appUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL || \"\";\n if (appUrl.startsWith(\"https://\")) return true;\n } catch {\n // ignore\n }\n return false;\n}\n\nfunction cookieDomainAttrs(): { domain?: string } {\n const domain = process.env.COOKIE_DOMAIN?.trim();\n return domain ? { domain } : {};\n}\n\nfunction crossSiteCookieAttrs(event: H3Event): {\n sameSite: \"lax\" | \"none\";\n secure: boolean;\n partitioned?: boolean;\n} {\n return isHttpsRequest(event)\n ? { sameSite: \"none\", secure: true, partitioned: true }\n : { sameSite: \"lax\", secure: false };\n}\n\nexport function setEmbedSessionCookie(event: H3Event, token: string): void {\n setCookie(event, EMBED_SESSION_COOKIE, token, {\n httpOnly: true,\n ...crossSiteCookieAttrs(event),\n ...cookieDomainAttrs(),\n path: \"/\",\n maxAge: DEFAULT_TOKEN_TTL_SECONDS,\n });\n}\n\nfunction bearerToken(event: H3Event): string | undefined {\n const auth = getHeader(event, \"authorization\");\n if (!auth) return undefined;\n const match = /^Bearer\\s+(.+)$/i.exec(String(auth).trim());\n return match?.[1]?.trim();\n}\n\nfunction queryToken(event: H3Event): string | undefined {\n const raw = getQuery(event)?.[EMBED_TOKEN_QUERY_PARAM];\n const value = Array.isArray(raw) ? raw[0] : raw;\n if (value) return value;\n try {\n return (\n new URL(\n requestUrlFromEvent(event),\n \"http://agent-native.invalid\",\n ).searchParams.get(EMBED_TOKEN_QUERY_PARAM) ?? undefined\n );\n } catch {\n return undefined;\n }\n}\n\nexport async function resolveEmbedSessionFromRequest(\n event: H3Event,\n): Promise<ResolvedEmbedSession | null> {\n const candidates = [\n { token: queryToken(event), source: \"query\" },\n { token: bearerToken(event), source: \"bearer\" },\n { token: getCookie(event, EMBED_SESSION_COOKIE), source: \"cookie\" },\n ];\n for (const candidate of candidates) {\n const verified = verifyEmbedSessionToken(candidate.token);\n if (!verified.ok) continue;\n const matchesTarget = requestMatchesEmbedTarget(\n event,\n verified.claims.targetPath,\n );\n const isRuntimeCookieRequest =\n candidate.source === \"cookie\" && isEmbedRuntimeRequest(event);\n if (!matchesTarget && !isRuntimeCookieRequest) {\n continue;\n }\n if (candidate.source === \"query\" && candidate.token) {\n setEmbedSessionCookie(event, candidate.token);\n setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n }\n return {\n email: verified.claims.ownerEmail,\n token: candidate.token!,\n targetPath: verified.claims.targetPath,\n ...(verified.claims.orgId ? { orgId: verified.claims.orgId } : {}),\n ...(verified.claims.scope ? { scope: verified.claims.scope } : {}),\n };\n }\n return null;\n}\n\nexport function requestHasEmbedAuthMarker(event: H3Event): boolean {\n try {\n const q = getQuery(event) ?? {};\n const queryToken = Array.isArray(q[EMBED_TOKEN_QUERY_PARAM])\n ? q[EMBED_TOKEN_QUERY_PARAM][0]\n : q[EMBED_TOKEN_QUERY_PARAM];\n const cookieToken = getCookie(event, EMBED_SESSION_COOKIE);\n for (const token of [queryToken, cookieToken]) {\n const verified = verifyEmbedSessionToken(token);\n if (\n verified.ok &&\n requestMatchesEmbedTarget(event, verified.claims.targetPath)\n ) {\n return true;\n }\n }\n } catch {\n // ignore\n }\n return false;\n}\n\nexport function isEmbedModeRequest(event: H3Event): boolean {\n try {\n const q = getQuery(event) ?? {};\n return (\n q[EMBED_MODE_QUERY_PARAM] === \"1\" || q[EMBED_MODE_QUERY_PARAM] === \"true\"\n );\n } catch {\n return false;\n }\n}\n"]}
1
+ {"version":3,"file":"embed-session.js","sourceRoot":"","sources":["../../src/server/embed-session.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,OAAO,EACL,SAAS,EACT,SAAS,EACT,QAAQ,EACR,SAAS,EACT,iBAAiB,GAClB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,EAAE,4BAA4B,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,MAAM,UAAU,GAAG,4BAA4B,CAAC;AAChD,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,CAAC;AAC1C,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,CAAC;AAC1C,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,0BAA0B,CAAC,CAAC;AAC7D,MAAM,eAAe,GAAG,qBAAqB,CAAC;AAC9C,MAAM,qBAAqB,GAA2B;IACpD,GAAG,EAAE,GAAG;IACR,QAAQ,EAAE,GAAG;IACb,OAAO,EAAE,SAAS;IAClB,SAAS,EAAE,YAAY;IACvB,IAAI,EAAE,GAAG;IACT,GAAG,EAAE,MAAM;IACX,SAAS,EAAE,SAAS;IACpB,MAAM,EAAE,SAAS;IACjB,MAAM,EAAE,SAAS;IACjB,MAAM,EAAE,UAAU;IAClB,OAAO,EAAE,UAAU;IACnB,QAAQ,EAAE,WAAW;CACtB,CAAC;AACF,MAAM,mBAAmB,GAA6B;IACpD,2EAA2E;IAC3E,wEAAwE;IACxE,iCAAiC;IACjC,GAAG,EAAE,CAAC,WAAW,CAAC;IAClB,YAAY,EAAE,CAAC,2CAA2C,CAAC;IAC3D,aAAa,EAAE,CAAC,2CAA2C,CAAC;IAC5D,UAAU,EAAE,CAAC,2CAA2C,CAAC;IACzD,oBAAoB,EAAE,CAAC,2CAA2C,CAAC;CACpE,CAAC;AAEF,IAAI,YAAuC,CAAC;AAC5C,IAAI,cAAkC,CAAC;AAkDvC,KAAK,UAAU,WAAW;IACxB,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG,CAAC,KAAK,IAAI,EAAE;YACzB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,MAAM,CAAC,OAAO,CAAC;;;;;;;uBAOJ,OAAO,EAAE;uBACT,OAAO,EAAE;wBACR,OAAO,EAAE;;OAE1B,CAAC,CAAC;QACL,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACjB,YAAY,GAAG,SAAS,CAAC;YACzB,MAAM,GAAG,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,MAAM,GACV,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,4BAA4B,CAAC,mBAAmB,CAAC,CAAC;IACpD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CACb,4IAA4I,CAC7I,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,cAAc,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,SAAS,eAAe,CAAC,GAAoB;IAC3C,MAAM,CAAC,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACnE,OAAO,CAAC;SACL,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,MAAM,GAAG,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAChE,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,WAAW,CAAC,OAAe;IAClC,OAAO,eAAe,CACpB,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CACtE,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,MAAc;IAChC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IACxB,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACvC,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAChE,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAgB;IAC/C,MAAM,IAAI,GAAG,wBAAwB,EAAE,CAAC;IACxC,IAAI,CAAC,IAAI;QAAE,OAAO,QAAQ,CAAC;IAC3B,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,GAAG,CAAC;IAClC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC;QACjC,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;IAC5C,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,MAAM,UAAU,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IAClD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,UAAU,EAAE,6BAA6B,CAAC,CAAC,QAAQ,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAgC;IACvD,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,OAAO,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IACzD,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACrD,IACE,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QACrB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QACtB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EACrB,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,wBAAwB,CAC/B,OAAoB,EACpB,IAA+B;IAE/B,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,QAAQ;QAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,wBAAwB,CAAC,UAAkB;IAClD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,EAAE,6BAA6B,CAAC,CAAC;IAC3D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,IAAI,uBAAuB,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,eAAe,EAAE,CAAC;QAC9D,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,EAAE,GAAG,wBAAwB,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;IAChE,wBAAwB,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAEtC,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC;IAClD,IAAI,CAAC,IAAI,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,OAAO,CAAC;IACtD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAC1D,MAAM,YAAY,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAChD,wBAAwB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IAChD,wBAAwB,CAAC,OAAO,EAAE,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC;IAE/D,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC;IACzE,IAAI,IAAI,KAAK,OAAO,IAAI,WAAW,EAAE,CAAC;QACpC,wBAAwB,CACtB,OAAO,EACP,UAAU,kBAAkB,CAAC,WAAW,CAAC,EAAE,CAC5C,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;IACvE,IAAI,IAAI,KAAK,UAAU,IAAI,UAAU,EAAE,CAAC;QACtC,wBAAwB,CACtB,OAAO,EACP,aAAa,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAC9C,CAAC;IACJ,CAAC;IACD,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC;IACzE,IAAI,IAAI,KAAK,YAAY,IAAI,WAAW,EAAE,CAAC;QACzC,wBAAwB,CACtB,OAAO,EACP,eAAe,kBAAkB,CAAC,WAAW,CAAC,EAAE,CACjD,CAAC;IACJ,CAAC;IACD,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;IACnE,IAAI,QAAQ,EAAE,CAAC;QACb,wBAAwB,CACtB,OAAO,EACP,IAAI,KAAK,SAAS;YAChB,CAAC,CAAC,YAAY,kBAAkB,CAAC,QAAQ,CAAC,EAAE;YAC5C,CAAC,CAAC,WAAW,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAC9C,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;IACvE,IAAI,UAAU,EAAE,CAAC;QACf,wBAAwB,CACtB,OAAO,EACP,SAAS,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAC1C,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC/D,IAAI,MAAM,EAAE,CAAC;QACX,wBAAwB,CACtB,OAAO,EACP,IAAI,KAAK,SAAS;YAChB,CAAC,CAAC,SAAS,kBAAkB,CAAC,MAAM,CAAC,UAAU;YAC/C,CAAC,CAAC,SAAS,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAC1C,CAAC;IACJ,CAAC;IACD,IACE,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAClD,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACpD,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,EACjD,CAAC;QACD,wBAAwB,CAAC,OAAO,EAAE,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC;IACjE,CAAC;IACD,IACE,IAAI,KAAK,UAAU;QACnB,CAAC,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC/C,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,EACxD,CAAC;QACD,wBAAwB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;IACnE,IAAI,YAAY,IAAI,QAAQ,EAAE,CAAC;QAC7B,wBAAwB,CACtB,OAAO,EACP,GAAG,YAAY,IAAI,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAClD,CAAC;IACJ,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,2BAA2B,CAAC,UAAkB;IACrD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,MAAM,MAAM,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAC5C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACpB,KAAK,MAAM,WAAW,IAAI,mBAAmB,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;YAC5D,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,KAAK,MAAM,UAAU,IAAI,wBAAwB,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAc;IACzC,MAAM,eAAe,GAAI,KAAa,CAAC,OAAO,EAAE,gBAAgB,CAAC;IACjE,IAAI,OAAO,eAAe,KAAK,QAAQ,IAAI,eAAe,EAAE,CAAC;QAC3D,OAAO,GAAG,eAAe,GAAI,KAAa,CAAC,GAAG,EAAE,MAAM,IAAI,EAAE,EAAE,CAAC;IACjE,CAAC;IACD,OAAO,CACJ,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG;QAC3B,KAAa,CAAC,GAAG,EAAE,GAA0B;QAC7C,KAAa,CAAC,OAAO,EAAE,GAA0B;QAClD,KAAa,CAAC,IAAI;QAClB,KAAa,CAAC,GAAG,EAAE,QAAQ,EAAE,EAAE;QAChC,GAAG,CACJ,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,KAAc;IACrC,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,6BAA6B,CAAC,CAAC,QAAQ,CAAC;QACtE,OAAO,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAC1C,MAAM,MAAM,GACT,KAAa,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC;QAC1D,KAAa,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC;QACjD,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,mBAAmB,CAAC;QACvD,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,mBAAmB,CAAC,WAAW,EAAE,CAAC,CAAC;IACzE,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QAClD,OAAO,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,KAAc;IACjC,MAAM,MAAM,GACT,KAAa,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC;QAC7C,KAAa,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC;QACpC,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC;IAC1C,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;IACtE,IAAI,CAAC;QACH,OAAO,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAc;IAC5C,IAAI,GAAG,GACJ,KAAa,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC;QAChD,KAAa,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC;QACjD,KAAa,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC;QACvC,KAAa,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC;QACxC,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO;QACzC,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ;QAC3C,IAAI,CAAC;IACP,IAAI,CAAC;QACH,GAAG,GAAG,GAAG,IAAI,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,SAAS,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC3E,CAAC;IAAC,MAAM,CAAC;QACP,GAAG,GAAG,GAAG,IAAI,IAAI,CAAC;IACpB,CAAC;IACD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,IAAI,IAAI,QAAQ,CAAC,IAAI,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAChD,OAAO,gBAAgB,CAAC,GAAG,QAAQ,CAAC,QAAQ,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACpE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;AACH,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,KAAc,EACd,UAAkB;IAElB,MAAM,OAAO,GAAG,2BAA2B,CAAC,UAAU,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAErC,MAAM,OAAO,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAEjD,MAAM,YAAY,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3D,MAAM,cAAc,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;IACrD,OAAO,CAAC,CAAC,cAAc,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACxC,OAAO,CACL,CAAC,CAAC,QAAQ;QACV,CAAC,QAAQ,KAAK,MAAM;YAClB,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;YAC5B,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC;YACzB,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;YAC5B,QAAQ,CAAC,UAAU,CAAC,gBAAgB,CAAC;YACrC,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC;YACjC,QAAQ,KAAK,gBAAgB;YAC7B,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,CAC1C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,GAA8B,EAC9B,aAAsB;IAEtB,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACvC,IAAI,CAAC,KAAK,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAErD,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;YAC9B,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;gBACxC,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;oBAAE,OAAO,IAAI,CAAC;YACrD,CAAC;YACD,MAAM,IAAI,GAAG,wBAAwB,EAAE,CAAC;YACxC,IACE,IAAI;gBACJ,MAAM,CAAC,QAAQ,KAAK,IAAI;gBACxB,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC,EACvC,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IAAI,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAC5D,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7C,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,IAAI,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,KAA8B;IAE9B,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC3C,IAAI,CAAC,UAAU;QAAE,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC9E,MAAM,UAAU,GAAG,wBAAwB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC9D,IAAI,CAAC,UAAU;QACb,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAEhE,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,0BAA0B,CAAC;IAClE,MAAM,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,IAAI,CAAC;IACvD,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;QACxB,GAAG,EACD,yCAAyC;YACzC,8FAA8F;YAC9F,iCAAiC;QACnC,IAAI,EAAE;YACJ,UAAU;YACV,UAAU;YACV,KAAK,CAAC,KAAK,IAAI,IAAI;YACnB,UAAU;YACV,KAAK,CAAC,KAAK,IAAI,IAAI;YACnB,GAAG;YACH,SAAS;YACT,IAAI;SACL;KACF,CAAC,CAAC;IACH,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;AAC3C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,MAAiC,EACjC,UAA4C,EAAE;IAE9C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;QACzC,GAAG,EACD,uFAAuF;YACvF,uDAAuD;QACzD,IAAI,EAAE,CAAC,UAAU,CAAC;KACnB,CAAC,CAAC;IACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,GAAG,GAAQ,IAAI,CAAC,CAAC,CAAC,CAAC;IACzB,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAChE,MAAM,UAAU,GAAG,YAAY,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IACnE,MAAM,KAAK,GAAG,iBAAiB,CAAC,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IACzD,IAAI,UAAU,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,SAAS,IAAI,IAAI,IAAI,SAAS,GAAG,GAAG;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,OAAO,CAAC,aAAa,IAAI,KAAK,IAAI,KAAK,KAAK,OAAO,CAAC,aAAa,EAAE,CAAC;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;QACvC,GAAG,EACD,wDAAwD;YACxD,+CAA+C;QACjD,IAAI,EAAE,CAAC,GAAG,EAAE,UAAU,CAAC;KACxB,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,YAAY,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3C,MAAM,UAAU,GAAG,wBAAwB,CACzC,iBAAiB,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,UAAU,CAAC,CACrD,CAAC;IACF,MAAM,UAAU,GAAG,iBAAiB,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IACxE,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,IAAI,SAAS,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAEjE,OAAO;QACL,UAAU;QACV,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3B,UAAU;QACV,GAAG,CAAC,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC;YAC9B,CAAC,CAAC,EAAE,KAAK,EAAE,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE;YACzC,CAAC,CAAC,EAAE,CAAC;QACP,SAAS;KACV,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,KAMrC;IACC,MAAM,UAAU,GAAG,wBAAwB,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC;IACrE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,UAAU,IAAI,yBAAyB,CAAC,CAAC;IACvE,MAAM,MAAM,GAA4B;QACtC,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,UAAU;QACV,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,GAAG;KACf,CAAC;IACF,IAAI,KAAK,CAAC,KAAK;QAAE,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;IAC5C,IAAI,KAAK,CAAC,KAAK;QAAE,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;IAC5C,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACxD,OAAO,GAAG,OAAO,IAAI,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,KAAgC;IAEhC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;IACD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QACjD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IACxC,CAAC;IACD,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;IACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;QACnE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC5C,CAAC;IAED,IAAI,MAA+B,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;IAED,IACE,CAAC,MAAM;QACP,MAAM,CAAC,IAAI,KAAK,UAAU;QAC1B,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ;QACrC,CAAC,MAAM,CAAC,UAAU;QAClB,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAC9B,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAC5B,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IACzC,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;QAC/C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;IACD,MAAM,CAAC,UAAU,GAAG,wBAAwB,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC;IACvE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC9B,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QACtD,IAAI,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC;QAC1C,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QAC5C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QACxE,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB;IACxB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC;IACjD,OAAO,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAK1C,OAAO,cAAc,CAAC,KAAK,CAAC;QAC1B,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;QACvD,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,KAAc,EAAE,KAAa;IACjE,SAAS,CAAC,KAAK,EAAE,oBAAoB,EAAE,KAAK,EAAE;QAC5C,QAAQ,EAAE,IAAI;QACd,GAAG,oBAAoB,CAAC,KAAK,CAAC;QAC9B,GAAG,iBAAiB,EAAE;QACtB,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,yBAAyB;KAClC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,WAAW,CAAC,KAAc;IACjC,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IAC/C,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3D,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;AAC5B,CAAC;AAED,SAAS,UAAU,CAAC,KAAc;IAChC,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,uBAAuB,CAAC,CAAC;IACvD,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAChD,IAAI,KAAK;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,CAAC;QACH,OAAO,CACL,IAAI,GAAG,CACL,mBAAmB,CAAC,KAAK,CAAC,EAC1B,6BAA6B,CAC9B,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,SAAS,CACzD,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,KAAc;IAEd,MAAM,UAAU,GAAG;QACjB,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE;QAC7C,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE;QAC/C,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,oBAAoB,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE;KACpE,CAAC;IACF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,SAAS;QAC3B,MAAM,aAAa,GAAG,yBAAyB,CAC7C,KAAK,EACL,QAAQ,CAAC,MAAM,CAAC,UAAU,CAC3B,CAAC;QACF,MAAM,gBAAgB,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACtD,MAAM,sBAAsB,GAC1B,SAAS,CAAC,MAAM,KAAK,QAAQ,IAAI,gBAAgB,CAAC;QACpD,MAAM,qBAAqB,GACzB,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,gBAAgB,CAAC;QACnD,IAAI,CAAC,aAAa,IAAI,CAAC,sBAAsB,IAAI,CAAC,qBAAqB,EAAE,CAAC;YACxE,SAAS;QACX,CAAC;QACD,IAAI,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;YACpD,IAAI,CAAC;gBACH,qBAAqB,CAAC,KAAK,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;gBAC9C,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;YAC7D,CAAC;YAAC,MAAM,CAAC;gBACP,mEAAmE;gBACnE,sDAAsD;YACxD,CAAC;QACH,CAAC;QACD,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU;YACjC,KAAK,EAAE,SAAS,CAAC,KAAM;YACvB,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU;YACtC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAClE,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACnE,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAc;IACtD,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChC,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC;YAC1D,CAAC,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC;YAC/B,CAAC,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC;QAC/B,MAAM,WAAW,GAAG,SAAS,CAAC,KAAK,EAAE,oBAAoB,CAAC,CAAC;QAC3D,MAAM,UAAU,GAAG;YACjB,EAAE,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,IAAI,EAAE;YACzC,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,CAAC,EAAE,YAAY,EAAE,KAAK,EAAE;YAClD,EAAE,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE;SAC3C,CAAC;QACF,MAAM,cAAc,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACpD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YAC1D,IACE,QAAQ,CAAC,EAAE;gBACX,CAAC,yBAAyB,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC;oBAC3D,CAAC,SAAS,CAAC,YAAY,IAAI,cAAc,CAAC,CAAC,EAC7C,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChC,OAAO,CACL,CAAC,CAAC,sBAAsB,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,sBAAsB,CAAC,KAAK,MAAM,CAC1E,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC","sourcesContent":["import crypto from \"node:crypto\";\nimport type { H3Event } from \"h3\";\nimport {\n getCookie,\n getHeader,\n getQuery,\n setCookie,\n setResponseHeader,\n} from \"h3\";\nimport { getDbExec, intType } from \"../db/client.js\";\nimport { getWorkspaceA2ADerivedSecret } from \"./derived-secret.js\";\nimport { getConfiguredAppBasePath } from \"./app-base-path.js\";\nimport {\n EMBED_MODE_QUERY_PARAM,\n EMBED_SESSION_COOKIE,\n EMBED_TARGET_HEADER,\n EMBED_TOKEN_QUERY_PARAM,\n} from \"../shared/embed-auth.js\";\n\nconst TOKEN_KIND = \"agent-native-embed-session\";\nconst DEFAULT_TOKEN_TTL_SECONDS = 60 * 60;\nconst DEFAULT_TICKET_TTL_SECONDS = 5 * 60;\nconst CONTROL_CHARS = new RegExp(\"[\\\\u0000-\\\\u001f\\\\u007f]\");\nconst OPEN_ROUTE_PATH = \"/_agent-native/open\";\nconst OPEN_ROUTE_VIEW_PATHS: Record<string, string> = {\n ask: \"/\",\n calendar: \"/\",\n capture: \"/search\",\n knowledge: \"/knowledge\",\n list: \"/\",\n ops: \"/ops\",\n proposals: \"/review\",\n review: \"/review\",\n search: \"/search\",\n source: \"/sources\",\n sources: \"/sources\",\n settings: \"/settings\",\n};\nconst EMBED_ROUTE_ALIASES: Record<string, string[]> = {\n // Dispatch's app root redirects to /overview. A ticket minted for the root\n // should survive that first-hop redirect instead of falling back to the\n // private deployment token gate.\n \"/\": [\"/overview\"],\n \"/dashboard\": [\"/adhoc/agent-native-templates-first-party\"],\n \"/dashboards\": [\"/adhoc/agent-native-templates-first-party\"],\n \"/traffic\": [\"/adhoc/agent-native-templates-first-party\"],\n \"/traffic-dashboard\": [\"/adhoc/agent-native-templates-first-party\"],\n};\n\nlet _initPromise: Promise<void> | undefined;\nlet _devSigningKey: string | undefined;\n\nexport interface EmbedSessionTicketInput {\n ownerEmail: string;\n orgId?: string | null;\n targetPath: string;\n scope?: string | null;\n ttlSeconds?: number;\n}\n\nexport interface EmbedSessionTicket {\n ticket: string;\n ticketHash: string;\n expiresAt: number;\n}\n\nexport interface ConsumeEmbedSessionTicketOptions {\n expectedOrgId?: string | null;\n}\n\nexport interface ConsumedEmbedSessionTicket {\n ownerEmail: string;\n orgId?: string;\n targetPath: string;\n scope?: string;\n expiresAt: number;\n}\n\nexport interface EmbedSessionTokenClaims {\n kind: typeof TOKEN_KIND;\n ownerEmail: string;\n orgId?: string;\n targetPath: string;\n scope?: string;\n iat: number;\n exp: number;\n}\n\nexport type VerifyEmbedSessionTokenResult =\n | { ok: true; claims: EmbedSessionTokenClaims }\n | { ok: false; reason: string };\n\nexport type ResolvedEmbedSession = {\n email: string;\n orgId?: string;\n token: string;\n targetPath: string;\n scope?: string;\n};\n\nasync function ensureTable(): Promise<void> {\n if (!_initPromise) {\n _initPromise = (async () => {\n const client = getDbExec();\n await client.execute(`\n CREATE TABLE IF NOT EXISTS agent_native_embed_tickets (\n ticket_hash TEXT PRIMARY KEY,\n owner_email TEXT NOT NULL,\n org_id TEXT,\n target_path TEXT NOT NULL,\n scope TEXT,\n created_at ${intType()} NOT NULL,\n expires_at ${intType()} NOT NULL,\n consumed_at ${intType()}\n )\n `);\n })().catch((err) => {\n _initPromise = undefined;\n throw err;\n });\n }\n return _initPromise;\n}\n\nfunction getSigningKey(): string {\n const secret =\n process.env.OAUTH_STATE_SECRET ||\n process.env.BETTER_AUTH_SECRET ||\n getWorkspaceA2ADerivedSecret(\"short-lived-token\");\n if (secret) return secret;\n\n if (process.env.NODE_ENV === \"production\") {\n throw new Error(\n \"Embed session signing requires a server secret. Set OAUTH_STATE_SECRET, BETTER_AUTH_SECRET, or A2A_SECRET in production workspace deploys.\",\n );\n }\n\n if (!_devSigningKey) {\n _devSigningKey = crypto.randomBytes(32).toString(\"hex\");\n }\n return _devSigningKey;\n}\n\nfunction base64UrlEncode(buf: Buffer | string): string {\n const b = typeof buf === \"string\" ? Buffer.from(buf, \"utf8\") : buf;\n return b\n .toString(\"base64\")\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/g, \"\");\n}\n\nfunction base64UrlDecode(input: string): Buffer {\n const padded = input + \"=\".repeat((4 - (input.length % 4)) % 4);\n return Buffer.from(padded.replace(/-/g, \"+\").replace(/_/g, \"/\"), \"base64\");\n}\n\nfunction signPayload(payload: string): string {\n return base64UrlEncode(\n crypto.createHmac(\"sha256\", getSigningKey()).update(payload).digest(),\n );\n}\n\nfunction hashTicket(ticket: string): string {\n return crypto.createHash(\"sha256\").update(ticket).digest(\"hex\");\n}\n\nfunction numberOrNull(value: unknown): number | null {\n if (value == null) return null;\n const n = Number(value);\n return Number.isFinite(n) ? n : null;\n}\n\nfunction stringOrUndefined(value: unknown): string | undefined {\n return typeof value === \"string\" && value ? value : undefined;\n}\n\nfunction stripConfiguredBasePath(pathname: string): string {\n const base = getConfiguredAppBasePath();\n if (!base) return pathname;\n if (pathname === base) return \"/\";\n if (pathname.startsWith(`${base}/`))\n return pathname.slice(base.length) || \"/\";\n return pathname;\n}\n\nfunction pathnameFromPath(path: string): string | null {\n const normalized = normalizeEmbedTargetPath(path);\n if (!normalized) return null;\n try {\n return new URL(normalized, \"http://agent-native.invalid\").pathname;\n } catch {\n return null;\n }\n}\n\nfunction safePathSegment(value: string | null | undefined): string | null {\n const segment = value?.trim();\n if (!segment || CONTROL_CHARS.test(segment)) return null;\n if (segment === \".\" || segment === \"..\") return null;\n if (\n segment.includes(\"/\") ||\n segment.includes(\"\\\\\") ||\n segment.includes(\"?\")\n ) {\n return null;\n }\n if (segment.includes(\"#\")) return null;\n return segment;\n}\n\nfunction addResolvedOpenRoutePath(\n targets: Set<string>,\n path: string | null | undefined,\n): void {\n if (!path) return;\n const pathname = pathnameFromPath(path);\n if (pathname) targets.add(pathname);\n}\n\nfunction openRouteTargetPathnames(targetPath: string): Set<string> {\n const targets = new Set<string>();\n let url: URL;\n try {\n url = new URL(targetPath, \"http://agent-native.invalid\");\n } catch {\n return targets;\n }\n if (stripConfiguredBasePath(url.pathname) !== OPEN_ROUTE_PATH) {\n return targets;\n }\n\n const to = normalizeEmbedTargetPath(url.searchParams.get(\"to\"));\n addResolvedOpenRoutePath(targets, to);\n\n const view = url.searchParams.get(\"view\")?.trim();\n if (!view || CONTROL_CHARS.test(view)) return targets;\n const viewPath = view.startsWith(\"/\") ? view : `/${view}`;\n const viewPathname = pathnameFromPath(viewPath);\n addResolvedOpenRoutePath(targets, viewPathname);\n addResolvedOpenRoutePath(targets, OPEN_ROUTE_VIEW_PATHS[view]);\n\n const dashboardId = safePathSegment(url.searchParams.get(\"dashboardId\"));\n if (view === \"adhoc\" && dashboardId) {\n addResolvedOpenRoutePath(\n targets,\n `/adhoc/${encodeURIComponent(dashboardId)}`,\n );\n }\n const analysisId = safePathSegment(url.searchParams.get(\"analysisId\"));\n if (view === \"analyses\" && analysisId) {\n addResolvedOpenRoutePath(\n targets,\n `/analyses/${encodeURIComponent(analysisId)}`,\n );\n }\n const extensionId = safePathSegment(url.searchParams.get(\"extensionId\"));\n if (view === \"extensions\" && extensionId) {\n addResolvedOpenRoutePath(\n targets,\n `/extensions/${encodeURIComponent(extensionId)}`,\n );\n }\n const designId = safePathSegment(url.searchParams.get(\"designId\"));\n if (designId) {\n addResolvedOpenRoutePath(\n targets,\n view === \"present\"\n ? `/present/${encodeURIComponent(designId)}`\n : `/design/${encodeURIComponent(designId)}`,\n );\n }\n const documentId = safePathSegment(url.searchParams.get(\"documentId\"));\n if (documentId) {\n addResolvedOpenRoutePath(\n targets,\n `/page/${encodeURIComponent(documentId)}`,\n );\n }\n const deckId = safePathSegment(url.searchParams.get(\"deckId\"));\n if (deckId) {\n addResolvedOpenRoutePath(\n targets,\n view === \"present\"\n ? `/deck/${encodeURIComponent(deckId)}/present`\n : `/deck/${encodeURIComponent(deckId)}`,\n );\n }\n if (\n safePathSegment(url.searchParams.get(\"captureId\")) ||\n safePathSegment(url.searchParams.get(\"knowledgeId\")) ||\n safePathSegment(url.searchParams.get(\"sourceId\"))\n ) {\n addResolvedOpenRoutePath(targets, OPEN_ROUTE_VIEW_PATHS[view]);\n }\n if (\n view === \"calendar\" &&\n (safePathSegment(url.searchParams.get(\"eventId\")) ||\n safePathSegment(url.searchParams.get(\"eventDraftId\")))\n ) {\n addResolvedOpenRoutePath(targets, \"/\");\n }\n const threadId = safePathSegment(url.searchParams.get(\"threadId\"));\n if (viewPathname && threadId) {\n addResolvedOpenRoutePath(\n targets,\n `${viewPathname}/${encodeURIComponent(threadId)}`,\n );\n }\n\n return targets;\n}\n\nfunction allowedEmbedTargetPathnames(targetPath: string): Set<string> {\n const allowed = new Set<string>();\n const direct = pathnameFromPath(targetPath);\n if (direct) {\n allowed.add(direct);\n for (const aliasTarget of EMBED_ROUTE_ALIASES[direct] ?? []) {\n allowed.add(aliasTarget);\n }\n }\n for (const openTarget of openRouteTargetPathnames(targetPath)) {\n allowed.add(openTarget);\n }\n return allowed;\n}\n\nfunction requestUrlFromEvent(event: H3Event): string {\n const mountedPathname = (event as any).context?._mountedPathname;\n if (typeof mountedPathname === \"string\" && mountedPathname) {\n return `${mountedPathname}${(event as any).url?.search ?? \"\"}`;\n }\n return (\n (event as any).node?.req?.url ??\n ((event as any).req?.url as string | undefined) ??\n ((event as any).request?.url as string | undefined) ??\n (event as any).path ??\n (event as any).url?.toString?.() ??\n \"/\"\n );\n}\n\nfunction requestPathname(event: H3Event): string | null {\n const raw = requestUrlFromEvent(event);\n try {\n const pathname = new URL(raw, \"http://agent-native.invalid\").pathname;\n return stripConfiguredBasePath(pathname);\n } catch {\n return null;\n }\n}\n\nfunction headerTargetPathname(event: H3Event): string | null {\n const direct =\n (event as any).request?.headers?.get?.(EMBED_TARGET_HEADER) ??\n (event as any).headers?.get?.(EMBED_TARGET_HEADER) ??\n (event as any).node?.req?.headers?.[EMBED_TARGET_HEADER] ??\n (event as any).node?.req?.headers?.[EMBED_TARGET_HEADER.toLowerCase()];\n if (typeof direct === \"string\") return pathnameFromPath(direct);\n try {\n const raw = getHeader(event, EMBED_TARGET_HEADER);\n return typeof raw === \"string\" ? pathnameFromPath(raw) : null;\n } catch {\n return null;\n }\n}\n\nfunction requestHost(event: H3Event): string | null {\n const direct =\n (event as any).request?.headers?.get?.(\"host\") ??\n (event as any).headers?.get?.(\"host\") ??\n (event as any).node?.req?.headers?.host;\n if (typeof direct === \"string\" && direct.trim()) return direct.trim();\n try {\n return getHeader(event, \"host\") ?? null;\n } catch {\n return null;\n }\n}\n\nfunction referrerTargetPathname(event: H3Event): string | null {\n let raw: string | null =\n (event as any).request?.headers?.get?.(\"referer\") ??\n (event as any).request?.headers?.get?.(\"referrer\") ??\n (event as any).headers?.get?.(\"referer\") ??\n (event as any).headers?.get?.(\"referrer\") ??\n (event as any).node?.req?.headers?.referer ??\n (event as any).node?.req?.headers?.referrer ??\n null;\n try {\n raw = raw ?? getHeader(event, \"referer\") ?? getHeader(event, \"referrer\");\n } catch {\n raw = raw ?? null;\n }\n if (!raw) return null;\n try {\n const referrer = new URL(raw);\n const host = requestHost(event);\n if (host && referrer.host !== host) return null;\n return pathnameFromPath(`${referrer.pathname}${referrer.search}`);\n } catch {\n return pathnameFromPath(raw);\n }\n}\n\nexport function requestMatchesEmbedTarget(\n event: H3Event,\n targetPath: string,\n): boolean {\n const allowed = allowedEmbedTargetPathnames(targetPath);\n if (allowed.size === 0) return false;\n\n const current = requestPathname(event);\n if (current && allowed.has(current)) return true;\n\n const headerTarget = headerTargetPathname(event);\n if (headerTarget && allowed.has(headerTarget)) return true;\n\n const referrerTarget = referrerTargetPathname(event);\n return !!referrerTarget && allowed.has(referrerTarget);\n}\n\nfunction isEmbedRuntimeRequest(event: H3Event): boolean {\n const pathname = requestPathname(event);\n return (\n !!pathname &&\n (pathname === \"/api\" ||\n pathname.startsWith(\"/api/\") ||\n pathname.startsWith(\"/@\") ||\n pathname.startsWith(\"/app/\") ||\n pathname.startsWith(\"/node_modules/\") ||\n pathname.startsWith(\"/packages/\") ||\n pathname === \"/_agent-native\" ||\n pathname.startsWith(\"/_agent-native/\"))\n );\n}\n\nexport function normalizeEmbedTargetPath(\n raw: string | undefined | null,\n requestOrigin?: string,\n): string | null {\n const value = String(raw ?? \"\").trim();\n if (!value || CONTROL_CHARS.test(value)) return null;\n\n let path = value;\n try {\n if (/^[a-z][a-z0-9+.-]*:\\/\\//i.test(value)) {\n const parsed = new URL(value);\n if (requestOrigin) {\n const expected = new URL(requestOrigin);\n if (parsed.origin !== expected.origin) return null;\n }\n const base = getConfiguredAppBasePath();\n if (\n base &&\n parsed.pathname !== base &&\n !parsed.pathname.startsWith(`${base}/`)\n ) {\n return null;\n }\n path = `${parsed.pathname}${parsed.search}${parsed.hash}`;\n }\n } catch {\n return null;\n }\n\n if (!path.startsWith(\"/\")) path = `/${path}`;\n if (path.startsWith(\"//\") || path.startsWith(\"/\\\\\")) return null;\n if (/^\\/[a-z][a-z0-9+.-]*:/i.test(path)) return null;\n return stripConfiguredBasePath(path);\n}\n\nexport async function createEmbedSessionTicket(\n input: EmbedSessionTicketInput,\n): Promise<EmbedSessionTicket> {\n const ownerEmail = input.ownerEmail.trim();\n if (!ownerEmail) throw new Error(\"Embed session ticket requires ownerEmail.\");\n const targetPath = normalizeEmbedTargetPath(input.targetPath);\n if (!targetPath)\n throw new Error(\"Embed session ticket requires a safe path.\");\n\n await ensureTable();\n const ticket = crypto.randomBytes(32).toString(\"base64url\");\n const ticketHash = hashTicket(ticket);\n const now = Date.now();\n const ttlSeconds = input.ttlSeconds ?? DEFAULT_TICKET_TTL_SECONDS;\n const expiresAt = now + Math.max(1, ttlSeconds) * 1000;\n await getDbExec().execute({\n sql:\n \"INSERT INTO agent_native_embed_tickets \" +\n \"(ticket_hash, owner_email, org_id, target_path, scope, created_at, expires_at, consumed_at) \" +\n \"VALUES (?, ?, ?, ?, ?, ?, ?, ?)\",\n args: [\n ticketHash,\n ownerEmail,\n input.orgId ?? null,\n targetPath,\n input.scope ?? null,\n now,\n expiresAt,\n null,\n ],\n });\n return { ticket, ticketHash, expiresAt };\n}\n\nexport async function consumeEmbedSessionTicket(\n ticket: string | undefined | null,\n options: ConsumeEmbedSessionTicketOptions = {},\n): Promise<ConsumedEmbedSessionTicket | null> {\n if (!ticket) return null;\n await ensureTable();\n const ticketHash = hashTicket(ticket);\n const now = Date.now();\n const { rows } = await getDbExec().execute({\n sql:\n \"SELECT ticket_hash, owner_email, org_id, target_path, scope, expires_at, consumed_at \" +\n \"FROM agent_native_embed_tickets WHERE ticket_hash = ?\",\n args: [ticketHash],\n });\n if (rows.length === 0) return null;\n const row: any = rows[0];\n const expiresAt = numberOrNull(row.expires_at ?? row.expiresAt);\n const consumedAt = numberOrNull(row.consumed_at ?? row.consumedAt);\n const orgId = stringOrUndefined(row.org_id ?? row.orgId);\n if (consumedAt != null) return null;\n if (expiresAt != null && expiresAt < now) return null;\n if (options.expectedOrgId && orgId && orgId !== options.expectedOrgId) {\n return null;\n }\n\n const result = await getDbExec().execute({\n sql:\n \"UPDATE agent_native_embed_tickets SET consumed_at = ? \" +\n \"WHERE ticket_hash = ? AND consumed_at IS NULL\",\n args: [now, ticketHash],\n });\n if (result.rowsAffected === 0) return null;\n\n const targetPath = normalizeEmbedTargetPath(\n stringOrUndefined(row.target_path ?? row.targetPath),\n );\n const ownerEmail = stringOrUndefined(row.owner_email ?? row.ownerEmail);\n if (!targetPath || !ownerEmail || expiresAt == null) return null;\n\n return {\n ownerEmail,\n ...(orgId ? { orgId } : {}),\n targetPath,\n ...(stringOrUndefined(row.scope)\n ? { scope: stringOrUndefined(row.scope) }\n : {}),\n expiresAt,\n };\n}\n\nexport function signEmbedSessionToken(input: {\n ownerEmail: string;\n orgId?: string | null;\n targetPath: string;\n scope?: string | null;\n ttlSeconds?: number;\n}): string {\n const targetPath = normalizeEmbedTargetPath(input.targetPath) ?? \"/\";\n const now = Math.floor(Date.now() / 1000);\n const ttl = Math.max(1, input.ttlSeconds ?? DEFAULT_TOKEN_TTL_SECONDS);\n const claims: EmbedSessionTokenClaims = {\n kind: TOKEN_KIND,\n ownerEmail: input.ownerEmail,\n targetPath,\n iat: now,\n exp: now + ttl,\n };\n if (input.orgId) claims.orgId = input.orgId;\n if (input.scope) claims.scope = input.scope;\n const payload = base64UrlEncode(JSON.stringify(claims));\n return `${payload}.${signPayload(payload)}`;\n}\n\nexport function verifyEmbedSessionToken(\n token: string | undefined | null,\n): VerifyEmbedSessionTokenResult {\n if (!token || typeof token !== \"string\") {\n return { ok: false, reason: \"missing\" };\n }\n const parts = token.split(\".\");\n if (parts.length !== 2 || !parts[0] || !parts[1]) {\n return { ok: false, reason: \"shape\" };\n }\n const [payload, signature] = parts;\n const expected = signPayload(payload);\n const sig = Buffer.from(signature);\n const exp = Buffer.from(expected);\n if (sig.length !== exp.length || !crypto.timingSafeEqual(sig, exp)) {\n return { ok: false, reason: \"signature\" };\n }\n\n let claims: EmbedSessionTokenClaims;\n try {\n claims = JSON.parse(base64UrlDecode(payload).toString(\"utf8\"));\n } catch {\n return { ok: false, reason: \"payload\" };\n }\n\n if (\n !claims ||\n claims.kind !== TOKEN_KIND ||\n typeof claims.ownerEmail !== \"string\" ||\n !claims.ownerEmail ||\n typeof claims.exp !== \"number\" ||\n !Number.isFinite(claims.exp)\n ) {\n return { ok: false, reason: \"claims\" };\n }\n if (claims.exp < Math.floor(Date.now() / 1000)) {\n return { ok: false, reason: \"expired\" };\n }\n claims.targetPath = normalizeEmbedTargetPath(claims.targetPath) ?? \"/\";\n return { ok: true, claims };\n}\n\nfunction isHttpsRequest(event: H3Event): boolean {\n try {\n const xfProto = getHeader(event, \"x-forwarded-proto\");\n if (xfProto && String(xfProto).split(\",\")[0].trim() === \"https\") {\n return true;\n }\n const url = event.url?.toString?.() ?? \"\";\n if (url.startsWith(\"https://\")) return true;\n const appUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL || \"\";\n if (appUrl.startsWith(\"https://\")) return true;\n } catch {\n // ignore\n }\n return false;\n}\n\nfunction cookieDomainAttrs(): { domain?: string } {\n const domain = process.env.COOKIE_DOMAIN?.trim();\n return domain ? { domain } : {};\n}\n\nfunction crossSiteCookieAttrs(event: H3Event): {\n sameSite: \"lax\" | \"none\";\n secure: boolean;\n partitioned?: boolean;\n} {\n return isHttpsRequest(event)\n ? { sameSite: \"none\", secure: true, partitioned: true }\n : { sameSite: \"lax\", secure: false };\n}\n\nexport function setEmbedSessionCookie(event: H3Event, token: string): void {\n setCookie(event, EMBED_SESSION_COOKIE, token, {\n httpOnly: true,\n ...crossSiteCookieAttrs(event),\n ...cookieDomainAttrs(),\n path: \"/\",\n maxAge: DEFAULT_TOKEN_TTL_SECONDS,\n });\n}\n\nfunction bearerToken(event: H3Event): string | undefined {\n const auth = getHeader(event, \"authorization\");\n if (!auth) return undefined;\n const match = /^Bearer\\s+(.+)$/i.exec(String(auth).trim());\n return match?.[1]?.trim();\n}\n\nfunction queryToken(event: H3Event): string | undefined {\n const raw = getQuery(event)?.[EMBED_TOKEN_QUERY_PARAM];\n const value = Array.isArray(raw) ? raw[0] : raw;\n if (value) return value;\n try {\n return (\n new URL(\n requestUrlFromEvent(event),\n \"http://agent-native.invalid\",\n ).searchParams.get(EMBED_TOKEN_QUERY_PARAM) ?? undefined\n );\n } catch {\n return undefined;\n }\n}\n\nexport async function resolveEmbedSessionFromRequest(\n event: H3Event,\n): Promise<ResolvedEmbedSession | null> {\n const candidates = [\n { token: queryToken(event), source: \"query\" },\n { token: bearerToken(event), source: \"bearer\" },\n { token: getCookie(event, EMBED_SESSION_COOKIE), source: \"cookie\" },\n ];\n for (const candidate of candidates) {\n const verified = verifyEmbedSessionToken(candidate.token);\n if (!verified.ok) continue;\n const matchesTarget = requestMatchesEmbedTarget(\n event,\n verified.claims.targetPath,\n );\n const isRuntimeRequest = isEmbedRuntimeRequest(event);\n const isRuntimeCookieRequest =\n candidate.source === \"cookie\" && isRuntimeRequest;\n const isRuntimeQueryRequest =\n candidate.source === \"query\" && isRuntimeRequest;\n if (!matchesTarget && !isRuntimeCookieRequest && !isRuntimeQueryRequest) {\n continue;\n }\n if (candidate.source === \"query\" && candidate.token) {\n try {\n setEmbedSessionCookie(event, candidate.token);\n setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n } catch {\n // Some tests and edge runtimes expose read-only request shims. The\n // query token itself is still valid for this request.\n }\n }\n return {\n email: verified.claims.ownerEmail,\n token: candidate.token!,\n targetPath: verified.claims.targetPath,\n ...(verified.claims.orgId ? { orgId: verified.claims.orgId } : {}),\n ...(verified.claims.scope ? { scope: verified.claims.scope } : {}),\n };\n }\n return null;\n}\n\nexport function requestHasEmbedAuthMarker(event: H3Event): boolean {\n try {\n const q = getQuery(event) ?? {};\n const queryToken = Array.isArray(q[EMBED_TOKEN_QUERY_PARAM])\n ? q[EMBED_TOKEN_QUERY_PARAM][0]\n : q[EMBED_TOKEN_QUERY_PARAM];\n const cookieToken = getCookie(event, EMBED_SESSION_COOKIE);\n const candidates = [\n { token: queryToken, allowRuntime: true },\n { token: bearerToken(event), allowRuntime: false },\n { token: cookieToken, allowRuntime: true },\n ];\n const runtimeRequest = isEmbedRuntimeRequest(event);\n for (const candidate of candidates) {\n const verified = verifyEmbedSessionToken(candidate.token);\n if (\n verified.ok &&\n (requestMatchesEmbedTarget(event, verified.claims.targetPath) ||\n (candidate.allowRuntime && runtimeRequest))\n ) {\n return true;\n }\n }\n } catch {\n // ignore\n }\n return false;\n}\n\nexport function isEmbedModeRequest(event: H3Event): boolean {\n try {\n const q = getQuery(event) ?? {};\n return (\n q[EMBED_MODE_QUERY_PARAM] === \"1\" || q[EMBED_MODE_QUERY_PARAM] === \"true\"\n );\n } catch {\n return false;\n }\n}\n"]}
package/dist/server/onboarding-html.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"onboarding-html.d.ts","sourceRoot":"","sources":["../../src/server/onboarding-html.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAEL,KAAK,cAAc,EACpB,MAAM,uBAAuB,CAAC;AAwC/B,MAAM,WAAW,qBAAqB;IACpC;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;OAIG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC;AAED,wBAAgB,iBAAiB,CAAC,IAAI,GAAE,qBAA0B,GAAG,MAAM,CA4uD1E;AAED,kDAAkD;AAClD,eAAO,MAAM,eAAe,QAAsB,CAAC;AAEnD;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CA0G7C"}
1
+ {"version":3,"file":"onboarding-html.d.ts","sourceRoot":"","sources":["../../src/server/onboarding-html.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAEL,KAAK,cAAc,EACpB,MAAM,uBAAuB,CAAC;AAwC/B,MAAM,WAAW,qBAAqB;IACpC;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;OAIG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC;AAED,wBAAgB,iBAAiB,CAAC,IAAI,GAAE,qBAA0B,GAAG,MAAM,CA2xD1E;AAED,kDAAkD;AAClD,eAAO,MAAM,eAAe,QAAsB,CAAC;AAEnD;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CA0G7C"}
package/dist/server/onboarding-html.js CHANGED
@@ -990,7 +990,7 @@ ${googleOnly
990
990
  return;
991
991
  }
992
992
  __anSetOAuthDebug('OAuth exchange redeemed; returning to the app', flowId);
993
- window.location.href = ret || '/';
993
+ __anRedirectToSignedInApp(ret);
994
994
  }
995
995
  function __anGetReturnPath() {
996
996
  try {
@@ -999,6 +999,53 @@ ${googleOnly
999
999
  } catch(e) {}
1000
1000
  return window.location.pathname + window.location.search;
1001
1001
  }
1002
+ function __anMountedPathname(pathname) {
1003
+ var base = __anBasePath();
1004
+ if (base && pathname.indexOf(base + '/') === 0) return pathname.slice(base.length);
1005
+ if (base && pathname === base) return '/';
1006
+ return pathname || '/';
1007
+ }
1008
+ function __anIsAuthEntryPath(pathname) {
1009
+ var p = __anMountedPathname(pathname);
1010
+ return p === '/login' || p === '/signup' || p === '/_agent-native/sign-in';
1011
+ }
1012
+ function __anGetSignedInReturnPath() {
1013
+ try {
1014
+ var inner = new URLSearchParams(window.location.search).get('return');
1015
+ if (inner) return inner;
1016
+ } catch(e) {}
1017
+ if (__anIsAuthEntryPath(window.location.pathname)) return __anPath('/');
1018
+ return window.location.pathname + window.location.search + window.location.hash;
1019
+ }
1020
+ function __anWithAuthCacheBypass(ret) {
1021
+ try {
1022
+ var url = new URL(ret || __anPath('/'), window.location.origin);
1023
+ url.searchParams.set('__an_auth_redirect', Date.now().toString(36));
1024
+ return url.pathname + url.search + url.hash;
1025
+ } catch(e) {
1026
+ var fallback = ret || __anPath('/');
1027
+ var hashIndex = fallback.indexOf('#');
1028
+ var beforeHash = hashIndex === -1 ? fallback : fallback.slice(0, hashIndex);
1029
+ var hash = hashIndex === -1 ? '' : fallback.slice(hashIndex);
1030
+ var sep = beforeHash.indexOf('?') === -1 ? '?' : '&';
1031
+ return beforeHash + sep + '__an_auth_redirect=' + Date.now().toString(36) + hash;
1032
+ }
1033
+ }
1034
+ function __anRedirectToSignedInApp(ret) {
1035
+ window.location.replace(__anWithAuthCacheBypass(ret || __anGetSignedInReturnPath()));
1036
+ }
1037
+ (function __anRedirectIfAlreadySignedIn() {
1038
+ fetch(__anPath('/_agent-native/auth/session'), {
1039
+ headers: { 'Accept': 'application/json' },
1040
+ credentials: 'include',
1041
+ cache: 'no-store',
1042
+ }).then(function(res) {
1043
+ if (!res.ok) return null;
1044
+ return res.json().catch(function() { return null; });
1045
+ }).then(function(data) {
1046
+ if (data && data.email && !data.error) __anRedirectToSignedInApp();
1047
+ }).catch(function() {});
1048
+ })();
1002
1049
  var __anBuilderPreviewSeen = false;
1003
1050
  function __anRememberBuilderPreview() {
1004
1051
  __anBuilderPreviewSeen = true;
@@ -1340,7 +1387,7 @@ ${googleOnly
1340
1387
  body: JSON.stringify({ email: email, password: password }),
1341
1388
  });
1342
1389
  if (res.ok) {
1343
- window.location.reload();
1390
+ __anRedirectToSignedInApp();
1344
1391
  return { ok: true };
1345
1392
  }
1346
1393
  var data = await res.json().catch(function() { return {}; });
@@ -1372,7 +1419,7 @@ ${googleOnly
1372
1419
  });
1373
1420
  var data = await res.json().catch(function() { return {}; });
1374
1421
  if (res.ok && data && data.email && !data.error) {
1375
- window.location.reload();
1422
+ __anRedirectToSignedInApp();
1376
1423
  return;
1377
1424
  }
1378
1425
  var loginResult = await signInWithPendingSignup();
@@ -1539,7 +1586,7 @@ ${googleOnly
1539
1586
  if (loginRes.ok) {
1540
1587
  msg.textContent = 'Account created — signing you in…';
1541
1588
  msg.classList.add('show', 'success');
1542
- window.location.reload();
1589
+ __anRedirectToSignedInApp();
1543
1590
  return;
1544
1591
  }
1545
1592
  btn.disabled = false;
@@ -1661,7 +1708,7 @@ ${googleOnly
1661
1708
  }),
1662
1709
  });
1663
1710
  if (res.ok) {
1664
- window.location.reload();
1711
+ __anRedirectToSignedInApp();
1665
1712
  return;
1666
1713
  }
1667
1714
  var data = await res.json().catch(function() { return {}; });