@agent-native/core 0.32.2 → 0.32.18

Files changed (241) hide show
  1. package/README.md +3 -1
  2. package/dist/agent/run-store.d.ts.map +1 -1
  3. package/dist/agent/run-store.js +48 -10
  4. package/dist/agent/run-store.js.map +1 -1
  5. package/dist/agent/thread-data-builder.d.ts +12 -0
  6. package/dist/agent/thread-data-builder.d.ts.map +1 -1
  7. package/dist/agent/thread-data-builder.js +104 -6
  8. package/dist/agent/thread-data-builder.js.map +1 -1
  9. package/dist/cli/app-skill.js +2 -2
  10. package/dist/cli/app-skill.js.map +1 -1
  11. package/dist/cli/code-agent-executor.d.ts.map +1 -1
  12. package/dist/cli/code-agent-executor.js +6 -1
  13. package/dist/cli/code-agent-executor.js.map +1 -1
  14. package/dist/cli/code-agent-output-smoother.d.ts +7 -0
  15. package/dist/cli/code-agent-output-smoother.d.ts.map +1 -0
  16. package/dist/cli/code-agent-output-smoother.js +111 -0
  17. package/dist/cli/code-agent-output-smoother.js.map +1 -0
  18. package/dist/cli/connect.d.ts.map +1 -1
  19. package/dist/cli/connect.js +5 -0
  20. package/dist/cli/connect.js.map +1 -1
  21. package/dist/cli/migrate.d.ts.map +1 -1
  22. package/dist/cli/migrate.js +17 -42
  23. package/dist/cli/migrate.js.map +1 -1
  24. package/dist/cli/skills.d.ts +23 -2
  25. package/dist/cli/skills.d.ts.map +1 -1
  26. package/dist/cli/skills.js +405 -41
  27. package/dist/cli/skills.js.map +1 -1
  28. package/dist/cli/templates-meta.d.ts.map +1 -1
  29. package/dist/cli/templates-meta.js +7 -105
  30. package/dist/cli/templates-meta.js.map +1 -1
  31. package/dist/client/AgentPanel.d.ts.map +1 -1
  32. package/dist/client/AgentPanel.js +41 -7
  33. package/dist/client/AgentPanel.js.map +1 -1
  34. package/dist/client/AgentTaskCard.d.ts.map +1 -1
  35. package/dist/client/AgentTaskCard.js +0 -28
  36. package/dist/client/AgentTaskCard.js.map +1 -1
  37. package/dist/client/AssistantChat.d.ts +8 -23
  38. package/dist/client/AssistantChat.d.ts.map +1 -1
  39. package/dist/client/AssistantChat.js +359 -205
  40. package/dist/client/AssistantChat.js.map +1 -1
  41. package/dist/client/MultiTabAssistantChat.d.ts.map +1 -1
  42. package/dist/client/MultiTabAssistantChat.js +254 -14
  43. package/dist/client/MultiTabAssistantChat.js.map +1 -1
  44. package/dist/client/agent-chat-adapter.d.ts.map +1 -1
  45. package/dist/client/agent-chat-adapter.js +14 -9
  46. package/dist/client/agent-chat-adapter.js.map +1 -1
  47. package/dist/client/agent-chat.d.ts +24 -0
  48. package/dist/client/agent-chat.d.ts.map +1 -1
  49. package/dist/client/agent-chat.js +73 -0
  50. package/dist/client/agent-chat.js.map +1 -1
  51. package/dist/client/assistant-ui-recovery.d.ts +34 -0
  52. package/dist/client/assistant-ui-recovery.d.ts.map +1 -0
  53. package/dist/client/assistant-ui-recovery.js +122 -0
  54. package/dist/client/assistant-ui-recovery.js.map +1 -0
  55. package/dist/client/composer/PromptComposer.d.ts.map +1 -1
  56. package/dist/client/composer/PromptComposer.js +7 -1
  57. package/dist/client/composer/PromptComposer.js.map +1 -1
  58. package/dist/client/composer/TiptapComposer.d.ts +7 -1
  59. package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
  60. package/dist/client/composer/TiptapComposer.js +22 -2
  61. package/dist/client/composer/TiptapComposer.js.map +1 -1
  62. package/dist/client/frame-protocol.d.ts +6 -2
  63. package/dist/client/frame-protocol.d.ts.map +1 -1
  64. package/dist/client/frame-protocol.js.map +1 -1
  65. package/dist/client/index.d.ts +2 -1
  66. package/dist/client/index.d.ts.map +1 -1
  67. package/dist/client/index.js +2 -1
  68. package/dist/client/index.js.map +1 -1
  69. package/dist/client/org/OrgSwitcher.d.ts.map +1 -1
  70. package/dist/client/org/OrgSwitcher.js +2 -1
  71. package/dist/client/org/OrgSwitcher.js.map +1 -1
  72. package/dist/client/progress/RunsTray.d.ts +13 -3
  73. package/dist/client/progress/RunsTray.d.ts.map +1 -1
  74. package/dist/client/progress/RunsTray.js +105 -36
  75. package/dist/client/progress/RunsTray.js.map +1 -1
  76. package/dist/client/route-warmup.d.ts +61 -0
  77. package/dist/client/route-warmup.d.ts.map +1 -0
  78. package/dist/client/route-warmup.js +456 -0
  79. package/dist/client/route-warmup.js.map +1 -0
  80. package/dist/client/settings/SettingsPanel.d.ts.map +1 -1
  81. package/dist/client/settings/SettingsPanel.js +2 -1
  82. package/dist/client/settings/SettingsPanel.js.map +1 -1
  83. package/dist/client/settings/useBuilderStatus.d.ts +5 -0
  84. package/dist/client/settings/useBuilderStatus.d.ts.map +1 -1
  85. package/dist/client/settings/useBuilderStatus.js +10 -4
  86. package/dist/client/settings/useBuilderStatus.js.map +1 -1
  87. package/dist/client/use-action.d.ts +1 -0
  88. package/dist/client/use-action.d.ts.map +1 -1
  89. package/dist/client/use-action.js +22 -4
  90. package/dist/client/use-action.js.map +1 -1
  91. package/dist/code-agents/background-run.d.ts +2 -0
  92. package/dist/code-agents/background-run.d.ts.map +1 -1
  93. package/dist/code-agents/background-run.js.map +1 -1
  94. package/dist/db/client.d.ts +1 -1
  95. package/dist/db/client.d.ts.map +1 -1
  96. package/dist/db/client.js +25 -1
  97. package/dist/db/client.js.map +1 -1
  98. package/dist/deploy/build.d.ts +4 -0
  99. package/dist/deploy/build.d.ts.map +1 -1
  100. package/dist/deploy/build.js +171 -14
  101. package/dist/deploy/build.js.map +1 -1
  102. package/dist/deploy/immutable-assets.d.ts +1 -0
  103. package/dist/deploy/immutable-assets.d.ts.map +1 -1
  104. package/dist/deploy/immutable-assets.js +1 -0
  105. package/dist/deploy/immutable-assets.js.map +1 -1
  106. package/dist/index.browser.d.ts +1 -1
  107. package/dist/index.browser.d.ts.map +1 -1
  108. package/dist/index.browser.js +1 -1
  109. package/dist/index.browser.js.map +1 -1
  110. package/dist/index.d.ts +1 -1
  111. package/dist/index.d.ts.map +1 -1
  112. package/dist/index.js +1 -1
  113. package/dist/index.js.map +1 -1
  114. package/dist/mcp/connect-route.d.ts.map +1 -1
  115. package/dist/mcp/connect-route.js +118 -82
  116. package/dist/mcp/connect-route.js.map +1 -1
  117. package/dist/progress/routes.d.ts.map +1 -1
  118. package/dist/progress/routes.js +1 -0
  119. package/dist/progress/routes.js.map +1 -1
  120. package/dist/progress/store.d.ts +13 -0
  121. package/dist/progress/store.d.ts.map +1 -1
  122. package/dist/progress/store.js +18 -0
  123. package/dist/progress/store.js.map +1 -1
  124. package/dist/progress/types.d.ts +2 -0
  125. package/dist/progress/types.d.ts.map +1 -1
  126. package/dist/progress/types.js.map +1 -1
  127. package/dist/scripts/db/wipe-leaked-builder-keys.d.ts +2 -2
  128. package/dist/scripts/db/wipe-leaked-builder-keys.d.ts.map +1 -1
  129. package/dist/scripts/db/wipe-leaked-builder-keys.js +14 -3
  130. package/dist/scripts/db/wipe-leaked-builder-keys.js.map +1 -1
  131. package/dist/server/action-routes.d.ts +1 -0
  132. package/dist/server/action-routes.d.ts.map +1 -1
  133. package/dist/server/action-routes.js +36 -2
  134. package/dist/server/action-routes.js.map +1 -1
  135. package/dist/server/agent-chat-plugin.d.ts +5 -0
  136. package/dist/server/agent-chat-plugin.d.ts.map +1 -1
  137. package/dist/server/agent-chat-plugin.js +131 -26
  138. package/dist/server/agent-chat-plugin.js.map +1 -1
  139. package/dist/server/agent-discovery.d.ts.map +1 -1
  140. package/dist/server/agent-discovery.js +14 -1
  141. package/dist/server/agent-discovery.js.map +1 -1
  142. package/dist/server/agent-teams-run-queue.d.ts +80 -0
  143. package/dist/server/agent-teams-run-queue.d.ts.map +1 -0
  144. package/dist/server/agent-teams-run-queue.js +208 -0
  145. package/dist/server/agent-teams-run-queue.js.map +1 -0
  146. package/dist/server/agent-teams.d.ts +67 -0
  147. package/dist/server/agent-teams.d.ts.map +1 -1
  148. package/dist/server/agent-teams.js +607 -180
  149. package/dist/server/agent-teams.js.map +1 -1
  150. package/dist/server/auth-marketing.d.ts.map +1 -1
  151. package/dist/server/auth-marketing.js +0 -64
  152. package/dist/server/auth-marketing.js.map +1 -1
  153. package/dist/server/auth.d.ts.map +1 -1
  154. package/dist/server/auth.js +67 -14
  155. package/dist/server/auth.js.map +1 -1
  156. package/dist/server/builder-browser.d.ts +12 -2
  157. package/dist/server/builder-browser.d.ts.map +1 -1
  158. package/dist/server/builder-browser.js +24 -0
  159. package/dist/server/builder-browser.js.map +1 -1
  160. package/dist/server/core-routes-plugin.d.ts.map +1 -1
  161. package/dist/server/core-routes-plugin.js +66 -5
  162. package/dist/server/core-routes-plugin.js.map +1 -1
  163. package/dist/server/credential-provider.d.ts +10 -0
  164. package/dist/server/credential-provider.d.ts.map +1 -1
  165. package/dist/server/credential-provider.js +82 -3
  166. package/dist/server/credential-provider.js.map +1 -1
  167. package/dist/server/csrf.d.ts.map +1 -1
  168. package/dist/server/csrf.js +3 -0
  169. package/dist/server/csrf.js.map +1 -1
  170. package/dist/server/index.d.ts +1 -0
  171. package/dist/server/index.d.ts.map +1 -1
  172. package/dist/server/index.js +1 -0
  173. package/dist/server/index.js.map +1 -1
  174. package/dist/server/onboarding-html.d.ts +1 -0
  175. package/dist/server/onboarding-html.d.ts.map +1 -1
  176. package/dist/server/onboarding-html.js +14 -1
  177. package/dist/server/onboarding-html.js.map +1 -1
  178. package/dist/server/self-dispatch.d.ts +44 -0
  179. package/dist/server/self-dispatch.d.ts.map +1 -0
  180. package/dist/server/self-dispatch.js +113 -0
  181. package/dist/server/self-dispatch.js.map +1 -0
  182. package/dist/server/social-og-image.d.ts +14 -0
  183. package/dist/server/social-og-image.d.ts.map +1 -0
  184. package/dist/server/social-og-image.js +251 -0
  185. package/dist/server/social-og-image.js.map +1 -0
  186. package/dist/server/ssr-handler.d.ts +1 -1
  187. package/dist/server/ssr-handler.d.ts.map +1 -1
  188. package/dist/server/ssr-handler.js +27 -11
  189. package/dist/server/ssr-handler.js.map +1 -1
  190. package/dist/shared/cache-control.d.ts +7 -0
  191. package/dist/shared/cache-control.d.ts.map +1 -1
  192. package/dist/shared/cache-control.js +7 -0
  193. package/dist/shared/cache-control.js.map +1 -1
  194. package/dist/shared/index.d.ts +1 -1
  195. package/dist/shared/index.d.ts.map +1 -1
  196. package/dist/shared/index.js +1 -1
  197. package/dist/shared/index.js.map +1 -1
  198. package/dist/shared/route-warmup-config.d.ts +28 -0
  199. package/dist/shared/route-warmup-config.d.ts.map +1 -0
  200. package/dist/shared/route-warmup-config.js +58 -0
  201. package/dist/shared/route-warmup-config.js.map +1 -0
  202. package/dist/shared/social-meta.d.ts +5 -0
  203. package/dist/shared/social-meta.d.ts.map +1 -1
  204. package/dist/shared/social-meta.js +36 -2
  205. package/dist/shared/social-meta.js.map +1 -1
  206. package/dist/shared/streaming-text-smoothing.d.ts +12 -0
  207. package/dist/shared/streaming-text-smoothing.d.ts.map +1 -0
  208. package/dist/shared/streaming-text-smoothing.js +52 -0
  209. package/dist/shared/streaming-text-smoothing.js.map +1 -0
  210. package/dist/styles/agent-native.css +4 -4
  211. package/dist/templates/default/AGENTS.md +9 -4
  212. package/dist/templates/default/DEVELOPING.md +15 -1
  213. package/dist/templates/workspace-core/AGENTS.md +7 -3
  214. package/dist/templates/workspace-root/AGENTS.md +7 -3
  215. package/dist/vite/client.d.ts +13 -0
  216. package/dist/vite/client.d.ts.map +1 -1
  217. package/dist/vite/client.js +26 -0
  218. package/dist/vite/client.js.map +1 -1
  219. package/dist/vite/index.d.ts +1 -0
  220. package/dist/vite/index.d.ts.map +1 -1
  221. package/dist/vite/index.js.map +1 -1
  222. package/docs/content/client.md +62 -1
  223. package/docs/content/code-agents-ui.md +6 -13
  224. package/docs/content/context-awareness.md +186 -21
  225. package/docs/content/deployment.md +8 -11
  226. package/docs/content/dispatch.md +1 -1
  227. package/docs/content/external-agents.md +32 -2
  228. package/docs/content/migration-workbench.md +4 -21
  229. package/docs/content/multi-app-workspace.md +1 -1
  230. package/docs/content/recurring-jobs.md +1 -1
  231. package/docs/content/security.md +0 -1
  232. package/docs/content/sharing.md +1 -3
  233. package/docs/content/skills-guide.md +12 -10
  234. package/docs/content/template-assets.md +21 -1
  235. package/docs/content/template-design.md +23 -5
  236. package/docs/content/template-dispatch.md +1 -1
  237. package/package.json +2 -1
  238. package/src/templates/default/AGENTS.md +9 -4
  239. package/src/templates/default/DEVELOPING.md +15 -1
  240. package/src/templates/workspace-core/AGENTS.md +7 -3
  241. package/src/templates/workspace-root/AGENTS.md +7 -3
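--- a/package/dist/server/credential-provider.d.ts
+++ b/package/dist/server/credential-provider.d.ts
@@ -105,6 +105,11 @@ export declare function resolveBuilderCredentials(): Promise<{
  userId: string | null;
  orgName: string | null;
  orgKind: string | null;
+ subscription: string | null;
+ subscriptionLevel: string | null;
+ subscriptionName: string | null;
+ isEnterprise: boolean | null;
+ isFreeAccount: boolean | null;
  }>;
  export interface BuilderCredentialAuthFailure {
  fingerprint: string;
@@ -163,6 +168,11 @@ export declare function writeBuilderCredentials(email: string, creds: {
  userId?: string | null;
  orgName?: string | null;
  orgKind?: string | null;
+ subscription?: string | null;
+ subscriptionLevel?: string | null;
+ subscriptionName?: string | null;
+ isEnterprise?: boolean | null;
+ isFreeAccount?: boolean | null;
  }, options?: {
  orgId?: string | null;
  role?: string | null;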
@@ -1 +1 @@
1
- {"version":3,"file":"credential-provider.d.ts","sourceRoot":"","sources":["../../src/server/credential-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAMH;;;;;;;;GAQG;AACH,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAChC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC9B;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAK5C;AAED,qBAAa,yBAA0B,SAAQ,KAAK;IAClD,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;gBAElB,IAAI,EAAE;QAChB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB;CAUF;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAEvE;AAED;;;;;GAKG;AACH,wBAAgB,iCAAiC,IAAI,OAAO,CAG3D;AAED,wBAAgB,wCAAwC,IAAI,OAAO,CAIlE;AA4DD,KAAK,uBAAuB,GAAG,MAAM,GAAG,KAAK,GAAG,WAAW,GAAG,KAAK,CAAC;AAcpE,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,OAAO,CAE7E;AAgMD;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKxB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAE7C;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAEvE;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAGvE;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,IAAI,OAAO,CAAC,OAAO,CAAC,CAEpE;AAED;;;GAGG;AACH,wBAAsB,mCAAmC,IAAI,OAAO,CAAC,OAAO,CAAC,CAG5E;AAED;;;;GAIG;AACH,wBAAsB,8BAA8B,IAAI,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAO9F;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,IAAI,OAAO,CAAC;IACzD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB,CAAC,CAsBD;AAID,MAAM,WAAW,4BAA4B;IAC3C,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,wBAAgB,4BAA4B,CAC1C,UAAU,CAAC,E
AAE,MAAM,GAAG,IAAI,EAC1B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GACxB,MAAM,GAAG,IAAI,CAQf;AAMD,wBAAsB,+BAA+B,CACnD,KAAK,GAAE;IACL,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB,GACL,OAAO,CAAC,4BAA4B,GAAG,IAAI,CAAC,CA0B9C;AAED,wBAAsB,kCAAkC,CAAC,OAAO,CAAC,EAAE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBhB;AAED,wBAAsB,iCAAiC,CAAC,KAAK,EAAE;IAC7D,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,GAAG,OAAO,CAAC,IAAI,CAAC,CAYhB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EACb,KAAK,EAAE;IACL,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,EACD,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GACxD,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAoErD;AAED;;;;;;;;;GASG;AACH,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GACxD,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAiBrD;AAeD;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAyGvE;AAOD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,OAAO,CAE9C;AAED,yEAAyE;AACzE,wBAAgB,qBAAqB,IAAI,MAAM,CAO9C;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,CAKjD;AAED;;;GAGG;AACH,wBAAgB,gCAAgC,IAAI,MAAM,CAKzD;AAED,uEAAuE;AACvE,wBAAgB,oBAAoB,IAAI,MAAM,GAAG,IAAI,CAGpD"}
1
+ {"version":3,"file":"credential-provider.d.ts","sourceRoot":"","sources":["../../src/server/credential-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAMH;;;;;;;;GAQG;AACH,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAChC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC9B;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAK5C;AAED,qBAAa,yBAA0B,SAAQ,KAAK;IAClD,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;gBAElB,IAAI,EAAE;QAChB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB;CAUF;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAEvE;AAED;;;;;GAKG;AACH,wBAAgB,iCAAiC,IAAI,OAAO,CAG3D;AAED,wBAAgB,wCAAwC,IAAI,OAAO,CAIlE;AAiED,KAAK,uBAAuB,GAAG,MAAM,GAAG,KAAK,GAAG,WAAW,GAAG,KAAK,CAAC;AA0BpE,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,OAAO,CAE7E;AAuMD;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKxB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAE7C;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAEvE;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAGvE;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,IAAI,OAAO,CAAC,OAAO,CAAC,CAEpE;AAED;;;GAGG;AACH,wBAAsB,mCAAmC,IAAI,OAAO,CAAC,OAAO,CAAC,CAG5E;AAED;;;;GAIG;AACH,wBAAsB,8BAA8B,IAAI,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAO9F;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,IAAI,OAAO,CAAC;IACzD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,YAAY,EAAE,OAAO,GAAG,IAAI,CAAC;IAC7B,aAAa,EAAE,OAAO,GAAG,IAAI,CAAC;CAC/B,CAAC,CA0ED;AAID,MAAM,WAAW,4BAA4B;IAC3C,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM
,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,wBAAgB,4BAA4B,CAC1C,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,EAC1B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GACxB,MAAM,GAAG,IAAI,CAQf;AAMD,wBAAsB,+BAA+B,CACnD,KAAK,GAAE;IACL,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB,GACL,OAAO,CAAC,4BAA4B,GAAG,IAAI,CAAC,CA0B9C;AAED,wBAAsB,kCAAkC,CAAC,OAAO,CAAC,EAAE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBhB;AAED,wBAAsB,iCAAiC,CAAC,KAAK,EAAE;IAC7D,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,GAAG,OAAO,CAAC,IAAI,CAAC,CAYhB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EACb,KAAK,EAAE;IACL,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,YAAY,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IAC9B,aAAa,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;CAChC,EACD,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GACxD,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CA+FrD;AAED;;;;;;;;;GASG;AACH,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GACxD,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAiBrD;AAeD;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAyGvE;AAOD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,OAAO,CAE9C;AAED,yEAAyE;AACzE,wBAAgB,qBAAqB,IAAI,MAAM,CAO9C;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,CAKjD;AAED;;;GAGG;AACH,wBAAgB,gCAAgC,IAAI,MAAM,CAKzD;AAED,uEAAuE;AACvE,wBAAgB,o
BAAoB,IAAI,MAAM,GAAG,IAAI,CAGpD"}
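--- a/package/dist/server/credential-provider.js
+++ b/package/dist/server/credential-provider.js
@@ -78,6 +78,11 @@ const BUILDER_CREDENTIAL_KEYS = [
  "BUILDER_USER_ID",
  "BUILDER_ORG_NAME",
  "BUILDER_ORG_KIND",
+ "BUILDER_SUBSCRIPTION",
+ "BUILDER_SUBSCRIPTION_LEVEL",
+ "BUILDER_SUBSCRIPTION_NAME",
+ "BUILDER_IS_ENTERPRISE",
+ "BUILDER_IS_FREE_ACCOUNT",
  ];
  function isBuilderCredentialKey(key) {
  return BUILDER_CREDENTIAL_KEYS.includes(key);
@@ -108,6 +113,11 @@ function shouldTraceCredentialResolve() {
  function isCompleteBuilderConnection(creds) {
  return Boolean(creds.privateKey && creds.publicKey);
  }
+ function readOptionalBuilderBoolean(value) {
+ if (value == null || value === "")
+ return null;
+ return /^(1|true)$/i.test(value);
+ }
  export function isBuilderPrivateKey(value) {
  return typeof value === "string" && value.trim().startsWith("bpk-");
  }
@@ -123,6 +133,11 @@ async function readBuilderCredentialScope(readAppSecret, scope, scopeId) {
  userId: map.get("BUILDER_USER_ID") ?? null,
  orgName: map.get("BUILDER_ORG_NAME") ?? null,
  orgKind: map.get("BUILDER_ORG_KIND") ?? null,
+ subscription: map.get("BUILDER_SUBSCRIPTION") ?? null,
+ subscriptionLevel: map.get("BUILDER_SUBSCRIPTION_LEVEL") ?? null,
+ subscriptionName: map.get("BUILDER_SUBSCRIPTION_NAME") ?? null,
+ isEnterprise: readOptionalBuilderBoolean(map.get("BUILDER_IS_ENTERPRISE")),
+ isFreeAccount: readOptionalBuilderBoolean(map.get("BUILDER_IS_FREE_ACCOUNT")),
  source: scope === "workspace" ? "workspace" : scope,
  };
  }
@@ -332,8 +347,19 @@ export async function resolveBuilderCredentialSource() {
  export async function resolveBuilderCredentials() {
  const scoped = await resolveScopedBuilderCredentials();
  if (scoped) {
- const { privateKey, publicKey, userId, orgName, orgKind } = scoped;
- return { privateKey, publicKey, userId, orgName, orgKind };
+ const { privateKey, publicKey, userId, orgName, orgKind, subscription, subscriptionLevel, subscriptionName, isEnterprise, isFreeAccount, } = scoped;
+ return {
+ privateKey,
+ publicKey,
+ userId,
+ orgName,
+ orgKind,
+ subscription,
+ subscriptionLevel,
+ subscriptionName,
+ isEnterprise,
+ isFreeAccount,
+ };
  }
  const privateKey = canUseBuilderDeployCredentialFallbackForRequest()
  ? (readDeployCredentialEnv("BUILDER_PRIVATE_KEY") ?? null)
@@ -350,7 +376,33 @@ export async function resolveBuilderCredentials() {
  const orgKind = canUseBuilderDeployCredentialFallbackForRequest()
  ? (readDeployCredentialEnv("BUILDER_ORG_KIND") ?? null)
  : null;
- return { privateKey, publicKey, userId, orgName, orgKind };
+ const subscription = canUseBuilderDeployCredentialFallbackForRequest()
+ ? (readDeployCredentialEnv("BUILDER_SUBSCRIPTION") ?? null)
+ : null;
+ const subscriptionLevel = canUseBuilderDeployCredentialFallbackForRequest()
+ ? (readDeployCredentialEnv("BUILDER_SUBSCRIPTION_LEVEL") ?? null)
+ : null;
+ const subscriptionName = canUseBuilderDeployCredentialFallbackForRequest()
+ ? (readDeployCredentialEnv("BUILDER_SUBSCRIPTION_NAME") ?? null)
+ : null;
+ const isEnterprise = canUseBuilderDeployCredentialFallbackForRequest()
+ ? readOptionalBuilderBoolean(readDeployCredentialEnv("BUILDER_IS_ENTERPRISE"))
+ : null;
+ const isFreeAccount = canUseBuilderDeployCredentialFallbackForRequest()
+ ? readOptionalBuilderBoolean(readDeployCredentialEnv("BUILDER_IS_FREE_ACCOUNT"))
+ : null;
+ return {
+ privateKey,
+ publicKey,
+ userId,
+ orgName,
+ orgKind,
+ subscription,
+ subscriptionLevel,
+ subscriptionName,
+ isEnterprise,
+ isFreeAccount,
+ };
  }
  const BUILDER_AUTH_FAILURE_SETTING_PREFIX = "builder-auth-failure:";
  export function builderCredentialFingerprint(privateKey, publicKey) {
@@ -490,6 +542,33 @@ export async function writeBuilderCredentials(email, creds, options) {
  if (creds.orgKind) {
  entries.push({ key: "BUILDER_ORG_KIND", value: creds.orgKind });
  }
+ if (creds.subscription) {
+ entries.push({ key: "BUILDER_SUBSCRIPTION", value: creds.subscription });
+ }
+ if (creds.subscriptionLevel) {
+ entries.push({
+ key: "BUILDER_SUBSCRIPTION_LEVEL",
+ value: creds.subscriptionLevel,
+ });
+ }
+ if (creds.subscriptionName) {
+ entries.push({
+ key: "BUILDER_SUBSCRIPTION_NAME",
+ value: creds.subscriptionName,
+ });
+ }
+ if (typeof creds.isEnterprise === "boolean") {
+ entries.push({
+ key: "BUILDER_IS_ENTERPRISE",
+ value: String(creds.isEnterprise),
+ });
+ }
+ if (typeof creds.isFreeAccount === "boolean") {
+ entries.push({
+ key: "BUILDER_IS_FREE_ACCOUNT",
+ value: String(creds.isFreeAccount),
+ });
+ }
  await Promise.all(entries.map(({ key, value }) => writeAppSecret({
  key,
  value,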
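Review bot: In the last hunk, `writeBuilderCredentials` pushes each of the five new entries only when the caller supplies a value, so a reconnect whose `creds` omit `subscription*`, `isEnterprise` or `isFreeAccount` appears to leave the previously stored `BUILDER_SUBSCRIPTION*` / `BUILDER_IS_*` secrets in place, and `readBuilderCredentialScope` would then return the old plan flags next to the new key pair. The function body continues outside the hunk, so confirm whether absent keys are cleared elsewhere; if they are not, delete or overwrite them on every write so plan metadata always belongs to the keys it is stored with. Separately, `readOptionalBuilderBoolean` turns every non-empty value other than `1`/`true` into a definite `false`, including padded or misspelled input; trimming first and returning `null` unless the value matches `/^(0|false)$/i` would keep unrecognised values as "unknown". Because the same flags can also come from deploy environment variables through `readDeployCredentialEnv`, a short comment stating that they are display hints and not an authorization decision would help callers avoid gating features on them.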
@@ -1 +1 @@
1
- {"version":3,"file":"credential-provider.js","sourceRoot":"","sources":["../../src/server/credential-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC5E,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD;;;;;;;;GAQG;AACH,MAAM,UAAU,2BAA2B,CACzC,KAAa,EACb,KAAgC,EAChC,IAA+B;IAE/B,IAAI,KAAK,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,OAAO,CAAC,EAAE,CAAC;QACpD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC1C,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC3C,CAAC;AAED,MAAM,OAAO,yBAA0B,SAAQ,KAAK;IACzC,kBAAkB,CAAS;IAC3B,iBAAiB,CAAU;IAC3B,WAAW,CAAU;IAE9B,YAAY,IAKX;QACC,KAAK,CACH,IAAI,CAAC,OAAO;YACV,gCAAgC,IAAI,CAAC,kBAAkB,yCAAyC,CACnG,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;QACxC,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,CAAC;QAClD,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAChD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;IACtC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAW;IACjD,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iCAAiC;IAC/C,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IACvD,OAAO,eAAe,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,wCAAwC;IACtD,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,OAAO,iCAAiC,EAAE,CAAC;AAC7C,CAAC;AAED,MAAM,uBAAuB,GAAG;IAC9B,qBAAqB;IACrB,oBAAoB;IACpB,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;CACV,CAAC;AAEX,SAAS,sBAAsB,CAAC,GAAW;IACzC,OAAQ,uBAA6C,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,wBAAwB;IAC/B,MAAM,gBAAgB,GAAG,OAAO,CAC9B,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAC7B,OAAO,CAAC,GAAG,CAAC,sBAAsB,CACnC,CAAC;IACF,OAAO,CACL,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,EAAE,CAAC;QAC5D,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,EAAE,CAAC;QACjE,gBAAgB,CACjB,CAAC;AACJ,CAAC;AAED,SAAS,+CAA+C;IACtD,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,4EAA4E;IAC5E,4EAA4E;IAC5E,yEAAyE;IACzE,+CAA+C;IAC/C,IAAI,
KAAK,IAAI,wBAAwB,EAAE;QAAE,OAAO,KAAK,CAAC;IACtD,OAAO,wCAAwC,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,4BAA4B;IACnC,OAAO,aAAa,CAAC,IAAI,CACvB,OAAO,CAAC,GAAG,CAAC,qCAAqC;QAC/C,OAAO,CAAC,GAAG,CAAC,wBAAwB;QACpC,EAAE,CACL,CAAC;AACJ,CAAC;AA2BD,SAAS,2BAA2B,CAAC,KAAiC;IACpE,OAAO,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAAgC;IAClE,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AACtE,CAAC;AAED,KAAK,UAAU,0BAA0B,CACvC,aAAmE,EACnE,KAAmC,EACnC,OAAe;IAEf,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAC9B,uBAAuB,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACxC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,IAAI,IAAI,CAAU,CAAC;IAC/C,CAAC,CAAC,CACH,CAAC;IACF,MAAM,GAAG,GAAG,IAAI,GAAG,CAAwB,MAAM,CAAC,CAAC;IACnD,OAAO;QACL,UAAU,EAAE,GAAG,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,IAAI;QAClD,SAAS,EAAE,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,IAAI;QAChD,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,IAAI;QAC1C,OAAO,EAAE,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,IAAI;QAC5C,OAAO,EAAE,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,IAAI;QAC5C,MAAM,EAAE,KAAK,KAAK,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK;KACpD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,8BAA8B,CAC3C,GAAW;IAEX,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,yEAAyE;IACzE,sEAAsE;IACtE,MAAM,WAAW,GAAG,4BAA4B,EAAE,CAAC;IACnD,IAAI,cAAc,GAAG,MAAM,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;QAEhE,sEAAsE;QACtE,iEAAiE;QACjE,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC;YACrC,GAAG;YACH,KAAK,EAAE,MAAM;YACb,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QACH,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,sBAAsB,CACrE,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACrD,CAAC;QAED,mEAAmE;QACnE,iEAAiE;QACjE,+DAA+D;QAC/D,6DAA6D;QAC7D,mEAAmE;QACnE,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,IAAI,KAAK,EAAE,CAAC;YACV,cAAc,GAAG,KAAK,CAAC;YACvB,MAAM,
SAAS,GAAG,MAAM,aAAa,CAAC;gBACpC,GAAG;gBACH,KAAK,EAAE,KAAK;gBACZ,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,SAAS,EAAE,CAAC;gBACd,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,KAAK,qBAAqB,CACnF,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YACnD,CAAC;YAED,iEAAiE;YACjE,qEAAqE;YACrE,yEAAyE;YACzE,cAAc,GAAG,WAAW,CAAC;YAC7B,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC;gBAC1C,GAAG;gBACH,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,eAAe,EAAE,CAAC;gBACpB,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,KAAK,2BAA2B,CACzF,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;YAC/D,CAAC;YACD,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,KAAK,gCAAgC,CAC9F,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,cAAc,GAAG,gBAAgB,CAAC;YAClC,MAAM,mBAAmB,GAAG,MAAM,aAAa,CAAC;gBAC9C,GAAG;gBACH,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,QAAQ,KAAK,EAAE;aACzB,CAAC,CAAC;YACH,IAAI,mBAAmB,EAAE,CAAC;gBACxB,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,gCAAgC,CAC/E,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;YACnE,CAAC;YACD,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,8CAA8C,CAC7F,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,cAAc,UAAW,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CACjH,CAAC;QACJ,CAAC;QACD,8CAA8C;IAChD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,+BAA+B;IAC5C,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,WAAW,GAAG,4BAA4B,EAAE,CAAC;IACnD,IAAI,cAAc,GAAG,MAAM,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;QAChE,MAAM,UAAU,GAAG,CAAC,KAAiC,EAAE,OAAe,EAAE,EAAE;YACxE,IAAI,CAAC,WAAW;gBAAE,OAAO;YACzB,OAAO,CAAC,GAAG,CACT,8BAA8B,KAAK,CAAC,MAAM,YAAY,OAAO,UAAU,KAAK,aAAa,2BAA2B,CAAC,KAAK,CAAC,YAAY,OAAO,CAAC,KAAK,CAAC,UAAU,CAA
C,WAAW,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CACtM,CAAC;QACJ,CAAC,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,0BAA0B,CAChD,aAAa,EACb,MAAM,EACN,KAAK,CACN,CAAC;QACF,UAAU,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC7B,IAAI,2BAA2B,CAAC,SAAS,CAAC;YAAE,OAAO,SAAS,CAAC;QAE7D,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,IAAI,KAAK,EAAE,CAAC;YACV,cAAc,GAAG,KAAK,CAAC;YACvB,MAAM,QAAQ,GAAG,MAAM,0BAA0B,CAC/C,aAAa,EACb,KAAK,EACL,KAAK,CACN,CAAC;YACF,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;YAC5B,IAAI,2BAA2B,CAAC,QAAQ,CAAC;gBAAE,OAAO,QAAQ,CAAC;YAE3D,cAAc,GAAG,WAAW,CAAC;YAC7B,MAAM,cAAc,GAAG,MAAM,0BAA0B,CACrD,aAAa,EACb,WAAW,EACX,KAAK,CACN,CAAC;YACF,UAAU,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;YAClC,IAAI,2BAA2B,CAAC,cAAc,CAAC;gBAAE,OAAO,cAAc,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,cAAc,GAAG,gBAAgB,CAAC;YAClC,MAAM,OAAO,GAAG,QAAQ,KAAK,EAAE,CAAC;YAChC,MAAM,cAAc,GAAG,MAAM,0BAA0B,CACrD,aAAa,EACb,WAAW,EACX,OAAO,CACR,CAAC;YACF,UAAU,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;YACpC,IAAI,2BAA2B,CAAC,cAAc,CAAC;gBAAE,OAAO,cAAc,CAAC;QACzE,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,8BAA8B,KAAK,UAAU,cAAc,sBAAuB,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CAClH,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,GAAW;IAEX,MAAM,MAAM,GAAG,MAAM,8BAA8B,CAAC,GAAG,CAAC,CAAC;IACzD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,KAAK,CAAC;IAChC,IAAI,CAAC,+CAA+C,EAAE;QAAE,OAAO,IAAI,CAAC;IACpE,OAAO,uBAAuB,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AAC3C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,OAAO,wBAAwB,CAAC,qBAAqB,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,MAAM,GAAG,GAAG,MAAM,wBAAwB,EAAE,CAAC;IAC7C,OAAO,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,OAAO,CAAC,CAAC,CAAC,MAAM,wBAAwB,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,mCAAmC;IACvD,MAAM,KAAK,GAAG,MAAM,yBAAyB,EAAE,CAAC;IAChD,OAAO,CAAC,CAAC,CAA
C,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B;IAClD,MAAM,MAAM,GAAG,MAAM,+BAA+B,EAAE,CAAC;IACvD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,MAAM,CAAC;IACjC,OAAO,+CAA+C,EAAE;QACtD,OAAO,CAAC,GAAG,CAAC,mBAAmB;QAC/B,CAAC,CAAC,KAAK;QACP,CAAC,CAAC,IAAI,CAAC;AACX,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB;IAO7C,MAAM,MAAM,GAAG,MAAM,+BAA+B,EAAE,CAAC;IACvD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;QACnE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IAC7D,CAAC;IACD,MAAM,UAAU,GAAG,+CAA+C,EAAE;QAClE,CAAC,CAAC,CAAC,uBAAuB,CAAC,qBAAqB,CAAC,IAAI,IAAI,CAAC;QAC1D,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,SAAS,GAAG,+CAA+C,EAAE;QACjE,CAAC,CAAC,CAAC,uBAAuB,CAAC,oBAAoB,CAAC,IAAI,IAAI,CAAC;QACzD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,MAAM,GAAG,+CAA+C,EAAE;QAC9D,CAAC,CAAC,CAAC,uBAAuB,CAAC,iBAAiB,CAAC,IAAI,IAAI,CAAC;QACtD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,OAAO,GAAG,+CAA+C,EAAE;QAC/D,CAAC,CAAC,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,IAAI,IAAI,CAAC;QACvD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,OAAO,GAAG,+CAA+C,EAAE;QAC/D,CAAC,CAAC,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,IAAI,IAAI,CAAC;QACvD,CAAC,CAAC,IAAI,CAAC;IACT,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAC7D,CAAC;AAED,MAAM,mCAAmC,GAAG,uBAAuB,CAAC;AAYpE,MAAM,UAAU,4BAA4B,CAC1C,UAA0B,EAC1B,SAAyB;IAEzB,IAAI,CAAC,UAAU,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,UAAU,CAAC;SAClB,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,SAAS,CAAC;SACjB,MAAM,CAAC,KAAK,CAAC;SACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,4BAA4B,CAAC,WAAmB;IACvD,OAAO,GAAG,mCAAmC,GAAG,WAAW,EAAE,CAAC;AAChE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,QAGI,EAAE;IAEN,MAAM,WAAW,GAAG,4BAA4B,CAC9C,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,SAAS,CAChB,CAAC;IACF,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC5D,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,4BAA4B,CAAC,WAAW,CAAC,CAAC,CAAC;QACxE,IAAI,CAAC,GAAG;YAAE,OAAO,
IAAI,CAAC;QACtB,OAAO;YACL,WAAW;YACX,OAAO,EACL,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,IAAI,GAAG,CAAC,OAAO;gBAC5C,CAAC,CAAC,GAAG,CAAC,OAAO;gBACb,CAAC,CAAC,mEAAmE;YACzE,MAAM,EAAE,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YAC/D,IAAI,EAAE,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;YACzD,EAAE,EAAE,OAAO,GAAG,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE;YACpD,UAAU,EACR,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YACjE,KAAK,EAAE,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;SAC7D,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kCAAkC,CAAC,OAIxD;IACC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,yBAAyB,EAAE,CAAC;QAChD,MAAM,WAAW,GAAG,4BAA4B,CAC9C,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,SAAS,CAChB,CAAC;QACF,IAAI,CAAC,WAAW;YAAE,OAAO;QACzB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC5D,MAAM,UAAU,CAAC,4BAA4B,CAAC,WAAW,CAAC,EAAE;YAC1D,WAAW;YACX,OAAO,EACL,OAAO,EAAE,OAAO;gBAChB,mEAAmE;YACrE,GAAG,CAAC,OAAO,OAAO,EAAE,MAAM,KAAK,QAAQ,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC;YACtE,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC;YAC5C,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;YACd,UAAU,EAAE,mBAAmB,EAAE,IAAI,IAAI;YACzC,KAAK,EAAE,eAAe,EAAE,IAAI,IAAI;SACjC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,yEAAyE;IAC3E,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iCAAiC,CAAC,KAGvD;IACC,MAAM,WAAW,GAAG,4BAA4B,CAC9C,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,SAAS,CAChB,CAAC;IACF,IAAI,CAAC,WAAW;QAAE,OAAO;IACzB,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC/D,MAAM,aAAa,CAAC,4BAA4B,CAAC,WAAW,CAAC,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,qEAAqE;IACvE,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,KAAa,EACb,KAMC,EACD,OAAyD;IAEzD,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,
CAAC;IACzC,IAAI,CAAC,mBAAmB,CAAC,UAAU,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,uKAAuK,CACxK,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,4EAA4E,CAC7E,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,cAAc,EAAE,eAAe,EAAE,GACvC,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,2BAA2B,CACxC,KAAK,EACL,OAAO,EAAE,KAAK,IAAI,IAAI,EACtB,OAAO,EAAE,IAAI,IAAI,IAAI,CACtB,CAAC;IAEF,yEAAyE;IACzE,8CAA8C;IAC9C,MAAM,QAAQ,GAA4B,uBAAuB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAC5E,eAAe,CAAC;QACd,GAAG;QACH,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACnB,CAAC;IACF,IAAI,MAAM,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QAC3B,KAAK,MAAM,GAAG,IAAI,uBAAuB,EAAE,CAAC;YAC1C,QAAQ,CAAC,IAAI,CACX,eAAe,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACxE,CAAC;QACJ,CAAC;IACH,CAAC;IACD,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAE5B,MAAM,OAAO,GAA0C;QACrD,EAAE,GAAG,EAAE,qBAAqB,EAAE,KAAK,EAAE,UAAU,EAAE;QACjD,EAAE,GAAG,EAAE,oBAAoB,EAAE,KAAK,EAAE,SAAS,EAAE;KAChD,CAAC;IACF,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,OAAO,CAAC,GAAG,CACf,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,CAC7B,cAAc,CAAC;QACb,GAAG;QACH,KAAK;QACL,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CACH,CACF,CAAC;IACF,MAAM,iCAAiC,CAAC;QACtC,UAAU;QACV,SAAS;KACV,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,KAAa,EACb,OAAyD;IAEzD,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,2BAA2B,CACxC,KAAK,EACL,OAAO,EAAE,KAAK,IAAI,IAAI,EACtB,OAAO,EAAE,IAAI,IAAI,
IAAI,CACtB,CAAC;IACF,MAAM,OAAO,CAAC,GAAG,CACf,uBAAuB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAClC,eAAe,CAAC;QACd,GAAG;QACH,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACnB,CACF,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,2CAA2C;AAC3C,EAAE;AACF,0EAA0E;AAC1E,wEAAwE;AACxE,0EAA0E;AAC1E,4EAA4E;AAC5E,yEAAyE;AACzE,0EAA0E;AAC1E,mEAAmE;AACnE,2BAA2B;AAC3B,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAW;IAC7C,MAAM,WAAW,GAAG,4BAA4B,EAAE,CAAC;IACnD,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;YAChE,2BAA2B;YAC3B,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC;gBACrC,GAAG;gBACH,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,UAAU,EAAE,KAAK,EAAE,CAAC;gBACtB,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,sBAAsB,CACjE,CAAC;gBACJ,CAAC;gBACD,OAAO,UAAU,CAAC,KAAK,CAAC;YAC1B,CAAC;YAED,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;YAChC,IAAI,KAAK,EAAE,CAAC;gBACV,kEAAkE;gBAClE,2CAA2C;gBAC3C,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC;oBACpC,GAAG;oBACH,KAAK,EAAE,KAAK;oBACZ,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;gBACH,IAAI,SAAS,EAAE,KAAK,EAAE,CAAC;oBACrB,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,UAAU,KAAK,qBAAqB,CAC/E,CAAC;oBACJ,CAAC;oBACD,OAAO,SAAS,CAAC,KAAK,CAAC;gBACzB,CAAC;gBAED,6DAA6D;gBAC7D,mEAAmE;gBACnE,4BAA4B;gBAC5B,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC;oBAC1C,GAAG;oBACH,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;gBACH,IAAI,eAAe,EAAE,KAAK,EAAE,CAAC;oBAC3B,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,UAAU,KAAK,2BAA2B,CACrF,CAAC;oBACJ,CAAC;oBACD,OAAO,eAAe,CAAC,KAAK,CAAC;gBAC/B,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,mBAAmB,GAAG,MAAM,aAAa,CAAC;oBAC9C,GAAG;oBACH,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,QAAQ,KAAK,EAAE;iBACzB,CAAC,CAAC;gBACH,IAAI,mBAAmB,EAAE,KAAK,EAAE,CAAC;oBAC/B,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,gCAAgC,CAC3E,CAAC;oBACJ,CAAC;oBACD,OAAO,mBAAmB,CAAC,KAA
K,CAAC;gBACnC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,oBAAqB,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CAC/F,CAAC;YACJ,CAAC;YACD,8CAA8C;QAChD,CAAC;QACD,sEAAsE;QACtE,mEAAmE;QACnE,sEAAsE;QACtE,kDAAkD;QAClD,MAAM,WAAW,GAAG,CAClB,sBAAsB,CAAC,GAAG,CAAC;YACzB,CAAC,CAAC,+CAA+C,EAAE;YACnD,CAAC,CAAC,wCAAwC,EAAE,CAC/C;YACC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI;YAC1B,CAAC,CAAC,IAAI,CAAC;QACT,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,UAAU,eAAe,EAAE,IAAI,QAAQ,UAAU,WAAW,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,QAAQ,CAAC,CAAC,WAAW,EAAE,CACxJ,CAAC;QACJ,CAAC;QACD,OAAO,WAAW,CAAC;IACrB,CAAC;IACD,uEAAuE;IACvE,mDAAmD;IACnD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IACvC,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,yCAAyC,CAAC,CAAC,KAAK,EAAE,CAC9E,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,uEAAuE;AACvE,iEAAiE;AACjE,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AAC3C,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,qBAAqB;IACnC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,OAAO,CAAC,GAAG,CAAC,QAAQ;QACpB,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,wBAAwB,CACzB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,wBAAwB;QACpC,gDAAgD,CACjD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gCAAgC;IAC9C,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,iCAAiC;QAC7C,+CAA+C,CAChD,CAAC;AACJ,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,oBAAoB;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC5C,OAAO,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC","sourcesContent":["/**\n * Credential provider abstraction.\n *\n * Every feature that needs an external credential (Anthropic API key,\n * Google OAuth tokens, OpenAI key, Slack bot token, etc.) should go through\n * one of the resolve*() helpers here instead of reading `process.env`\n * directly. 
That way the same feature can work in three modes:\n *\n * 1. User set their own key in .env → use it directly\n * 2. User connected Builder via `/cli-auth` → route through Builder proxy\n * 3. Neither → throw FeatureNotConfigured\n *\n * Templates catch FeatureNotConfigured and show a \"Connect Builder (1 click) /\n * set up your own key (guide)\" card.\n *\n * Today these helpers are used by the Builder-hosted LLM gateway, and the\n * shape is meant to grow to cover future managed credential integrations\n * (e.g. additional Builder-hosted services) without rewrites.\n */\n\nimport { createHash } from \"node:crypto\";\nimport { getRequestUserEmail, getRequestOrgId } from \"./request-context.js\";\nimport { isLocalDatabase } from \"../db/client.js\";\n\n/**\n * Decide which `app_secrets` scope a Builder/credential write should use.\n *\n * Org scope (\"everyone in this org sees these credentials\") wins when the\n * connecting user is an owner or admin of an active org — the write\n * privileges shared infra. A plain member or a user without an active\n * org falls through to per-user scope so a teammate can't silently\n * overwrite the org-shared connection.\n */\nexport function resolveCredentialWriteScope(\n email: string,\n orgId: string | null | undefined,\n role: string | null | undefined,\n): { scope: \"user\" | \"org\"; scopeId: string } {\n if (orgId && (role === \"owner\" || role === \"admin\")) {\n return { scope: \"org\", scopeId: orgId };\n }\n return { scope: \"user\", scopeId: email };\n}\n\nexport class FeatureNotConfiguredError extends Error {\n readonly requiredCredential: string;\n readonly builderConnectUrl?: string;\n readonly byokDocsUrl?: string;\n\n constructor(opts: {\n requiredCredential: string;\n message?: string;\n builderConnectUrl?: string;\n byokDocsUrl?: string;\n }) {\n super(\n opts.message ??\n `Feature requires credential \"${opts.requiredCredential}\". 
Connect Builder or set your own key.`,\n );\n this.name = \"FeatureNotConfiguredError\";\n this.requiredCredential = opts.requiredCredential;\n this.builderConnectUrl = opts.builderConnectUrl;\n this.byokDocsUrl = opts.byokDocsUrl;\n }\n}\n\n/**\n * Deployment-level credential fallback for single-tenant/local operation.\n * Multi-tenant call sites must gate this explicitly before calling.\n */\nexport function readDeployCredentialEnv(key: string): string | undefined {\n return process.env[key] || undefined;\n}\n\n/**\n * Deployment-level credentials are safe as a runtime fallback only in local /\n * single-tenant contexts. In hosted production with a shared database, every\n * signed-in user needs their own user/org/workspace credential so one deploy\n * key does not silently power another tenant's chat.\n */\nexport function isDeployCredentialFallbackAllowed(): boolean {\n if (process.env.NODE_ENV !== \"production\") return true;\n return isLocalDatabase();\n}\n\nexport function canUseDeployCredentialFallbackForRequest(): boolean {\n const email = getRequestUserEmail();\n if (!email) return true;\n return isDeployCredentialFallbackAllowed();\n}\n\nconst BUILDER_CREDENTIAL_KEYS = [\n \"BUILDER_PRIVATE_KEY\",\n \"BUILDER_PUBLIC_KEY\",\n \"BUILDER_USER_ID\",\n \"BUILDER_ORG_NAME\",\n \"BUILDER_ORG_KIND\",\n] as const;\n\nfunction isBuilderCredentialKey(key: string): boolean {\n return (BUILDER_CREDENTIAL_KEYS as readonly string[]).includes(key);\n}\n\nfunction isHostedWorkspaceRuntime(): boolean {\n const hasFusionPreview = Boolean(\n process.env.FUSION_ENVIRONMENT ||\n process.env.FUSION_ENV_ORIGIN ||\n process.env.VITE_FUSION_ENV_ORIGIN,\n );\n return (\n /^(1|true)$/i.test(process.env.AGENT_NATIVE_WORKSPACE ?? \"\") ||\n /^(1|true)$/i.test(process.env.VITE_AGENT_NATIVE_WORKSPACE ?? 
\"\") ||\n hasFusionPreview\n );\n}\n\nfunction canUseBuilderDeployCredentialFallbackForRequest(): boolean {\n const email = getRequestUserEmail();\n // Builder workspace previews can run with NODE_ENV=development and their DB\n // detection can look local during early startup. Once a real signed-in user\n // is present, hosted workspace flags are enough to make deployment-level\n // Builder keys unsafe as an identity fallback.\n if (email && isHostedWorkspaceRuntime()) return false;\n return canUseDeployCredentialFallbackForRequest();\n}\n\nfunction shouldTraceCredentialResolve(): boolean {\n return /^(1|true)$/i.test(\n process.env.AGENT_NATIVE_DEBUG_CREDENTIAL_RESOLVE ??\n process.env.DEBUG_CREDENTIAL_RESOLVE ??\n \"\",\n );\n}\n\n// ---------------------------------------------------------------------------\n// Builder credential resolution:\n//\n// 1. **Request-scoped credentials.** A signed-in user can connect Builder\n// through the CLI-auth flow. Owner/admin connections land at org scope;\n// member/no-org connections land at user scope.\n//\n// 2. **Deployment fallback.** BUILDER_PRIVATE_KEY in env still makes local\n// and single-tenant deploys work out of the box, but it no longer blocks\n// per-user connect. 
Request-scoped credentials win whenever present.\n//\n// To run multi-tenant SaaS: prefer leaving BUILDER_PRIVATE_KEY unset unless a\n// shared fallback identity is intentional.\n// ---------------------------------------------------------------------------\n\ntype BuilderCredentialSource = \"user\" | \"org\" | \"workspace\" | \"env\";\ninterface BuilderResolvedCredentials {\n privateKey: string | null;\n publicKey: string | null;\n userId: string | null;\n orgName: string | null;\n orgKind: string | null;\n source: Exclude<BuilderCredentialSource, \"env\">;\n}\n\nfunction isCompleteBuilderConnection(creds: BuilderResolvedCredentials) {\n return Boolean(creds.privateKey && creds.publicKey);\n}\n\nexport function isBuilderPrivateKey(value: string | null | undefined): boolean {\n return typeof value === \"string\" && value.trim().startsWith(\"bpk-\");\n}\n\nasync function readBuilderCredentialScope(\n readAppSecret: typeof import(\"../secrets/storage.js\").readAppSecret,\n scope: \"user\" | \"org\" | \"workspace\",\n scopeId: string,\n): Promise<BuilderResolvedCredentials> {\n const values = await Promise.all(\n BUILDER_CREDENTIAL_KEYS.map(async (key) => {\n const secret = await readAppSecret({ key, scope, scopeId });\n return [key, secret?.value ?? null] as const;\n }),\n );\n const map = new Map<string, string | null>(values);\n return {\n privateKey: map.get(\"BUILDER_PRIVATE_KEY\") ?? null,\n publicKey: map.get(\"BUILDER_PUBLIC_KEY\") ?? null,\n userId: map.get(\"BUILDER_USER_ID\") ?? null,\n orgName: map.get(\"BUILDER_ORG_NAME\") ?? null,\n orgKind: map.get(\"BUILDER_ORG_KIND\") ?? null,\n source: scope === \"workspace\" ? \"workspace\" : scope,\n };\n}\n\nasync function resolveScopedBuilderCredential(\n key: string,\n): Promise<{ value: string; source: \"user\" | \"org\" | \"workspace\" } | null> {\n const email = getRequestUserEmail();\n if (!email) return null;\n\n // Trace only when explicitly requested. 
These diagnostics are useful for\n // support, but they include account identifiers and run on hot paths.\n const traceLookup = shouldTraceCredentialResolve();\n let scopeAttempted = \"user\";\n try {\n const { readAppSecret } = await import(\"../secrets/storage.js\");\n\n // 1. Per-user override: a user can paste their own key in settings to\n // overrule the org-shared one (handy for a personal sandbox).\n const userSecret = await readAppSecret({\n key,\n scope: \"user\",\n scopeId: email,\n });\n if (userSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} scope=user hit=true`,\n );\n }\n return { value: userSecret.value, source: \"user\" };\n }\n\n // 2. Per-org shared credential: when one teammate connects Builder\n // as an owner/admin we write the OAuth result at org scope so\n // every member of that org gets the AI chat working without\n // re-running the connect flow. Resolution falls back here\n // silently — the caller never has to know which scope answered.\n const orgId = getRequestOrgId();\n if (orgId) {\n scopeAttempted = \"org\";\n const orgSecret = await readAppSecret({\n key,\n scope: \"org\",\n scopeId: orgId,\n });\n if (orgSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=${orgId} scope=org hit=true`,\n );\n }\n return { value: orgSecret.value, source: \"org\" };\n }\n\n // Older setup flows wrote shared credentials at workspace scope.\n // Keep reading those rows so status UIs and runtime resolution agree\n // for users who connected before org-scoped Builder credentials existed.\n scopeAttempted = \"workspace\";\n const workspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: orgId,\n });\n if (workspaceSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=${orgId} scope=workspace hit=true`,\n );\n }\n return { value: workspaceSecret.value, source: \"workspace\" };\n }\n if 
(traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=${orgId} miss tried=user,org,workspace`,\n );\n }\n } else {\n scopeAttempted = \"workspace-solo\";\n const soloWorkspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: `solo:${email}`,\n });\n if (soloWorkspaceSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} scope=workspace-solo hit=true`,\n );\n }\n return { value: soloWorkspaceSecret.value, source: \"workspace\" };\n }\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=(none) miss tried=user,workspace-solo`,\n );\n }\n }\n } catch (err) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} scope=${scopeAttempted} error=${(err as Error)?.message ?? err}`,\n );\n }\n // Secrets table not ready — treat as missing.\n }\n return null;\n}\n\nasync function resolveScopedBuilderCredentials(): Promise<BuilderResolvedCredentials | null> {\n const email = getRequestUserEmail();\n if (!email) return null;\n\n const traceLookup = shouldTraceCredentialResolve();\n let scopeAttempted = \"user\";\n try {\n const { readAppSecret } = await import(\"../secrets/storage.js\");\n const traceScope = (creds: BuilderResolvedCredentials, scopeId: string) => {\n if (!traceLookup) return;\n console.log(\n `[builder-credential] scope=${creds.source} scopeId=${scopeId} email=${email} complete=${isCompleteBuilderConnection(creds)} private=${Boolean(creds.privateKey)} public=${Boolean(creds.publicKey)}`,\n );\n };\n\n const userCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"user\",\n email,\n );\n traceScope(userCreds, email);\n if (isCompleteBuilderConnection(userCreds)) return userCreds;\n\n const orgId = getRequestOrgId();\n if (orgId) {\n scopeAttempted = \"org\";\n const orgCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"org\",\n orgId,\n );\n traceScope(orgCreds, orgId);\n if 
(isCompleteBuilderConnection(orgCreds)) return orgCreds;\n\n scopeAttempted = \"workspace\";\n const workspaceCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"workspace\",\n orgId,\n );\n traceScope(workspaceCreds, orgId);\n if (isCompleteBuilderConnection(workspaceCreds)) return workspaceCreds;\n } else {\n scopeAttempted = \"workspace-solo\";\n const scopeId = `solo:${email}`;\n const workspaceCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"workspace\",\n scopeId,\n );\n traceScope(workspaceCreds, scopeId);\n if (isCompleteBuilderConnection(workspaceCreds)) return workspaceCreds;\n }\n } catch (err) {\n if (traceLookup) {\n console.log(\n `[builder-credential] email=${email} scope=${scopeAttempted} credentials error=${(err as Error)?.message ?? err}`,\n );\n }\n }\n return null;\n}\n\n/**\n * Resolve a Builder credential for the current request. User/org credentials\n * win; deployment env is only a fallback. This lets local/root .env keys keep\n * a template working while still allowing users to connect their own Builder\n * account from Settings or onboarding.\n */\nexport async function resolveBuilderCredential(\n key: string,\n): Promise<string | null> {\n const scoped = await resolveScopedBuilderCredential(key);\n if (scoped) return scoped.value;\n if (!canUseBuilderDeployCredentialFallbackForRequest()) return null;\n return readDeployCredentialEnv(key) ?? null;\n}\n\n/**\n * True when `BUILDER_PRIVATE_KEY` is set at the deployment level. This means\n * a deploy-level fallback exists; it does not prevent per-user connect.\n */\nexport function isBuilderEnvManaged(): boolean {\n return !!process.env.BUILDER_PRIVATE_KEY;\n}\n\n/**\n * Resolve the Builder private key for the current request. 
User/org OAuth\n * credentials win; deploy-level `BUILDER_PRIVATE_KEY` is the fallback.\n */\nexport async function resolveBuilderPrivateKey(): Promise<string | null> {\n return resolveBuilderCredential(\"BUILDER_PRIVATE_KEY\");\n}\n\n/**\n * Resolve the current user's Builder auth header.\n * Returns `\"Bearer <key>\"` or null.\n */\nexport async function resolveBuilderAuthHeader(): Promise<string | null> {\n const key = await resolveBuilderPrivateKey();\n return key ? `Bearer ${key}` : null;\n}\n\n/**\n * Check whether the current user has a Builder private key configured\n * (per-user or deployment-level).\n */\nexport async function resolveHasBuilderPrivateKey(): Promise<boolean> {\n return !!(await resolveBuilderPrivateKey());\n}\n\n/**\n * Check whether the current request has the complete Builder credential bundle\n * needed for Builder-backed assistant/image-generation calls.\n */\nexport async function resolveHasCompleteBuilderConnection(): Promise<boolean> {\n const creds = await resolveBuilderCredentials();\n return !!(creds.privateKey && creds.publicKey);\n}\n\n/**\n * Resolve where the effective Builder assistant connection came from. This\n * intentionally requires a complete private+public key pair from one scope so\n * status UIs don't report a mixed user/org credential set as connected.\n */\nexport async function resolveBuilderCredentialSource(): Promise<BuilderCredentialSource | null> {\n const scoped = await resolveScopedBuilderCredentials();\n if (scoped) return scoped.source;\n return canUseBuilderDeployCredentialFallbackForRequest() &&\n process.env.BUILDER_PRIVATE_KEY\n ? 
\"env\"\n : null;\n}\n\n/**\n * Resolve the Builder assistant credential bundle from one complete scope.\n * A partial user row is treated as a miss so the org-shared connection can\n * still power the assistant for teammates.\n */\nexport async function resolveBuilderCredentials(): Promise<{\n privateKey: string | null;\n publicKey: string | null;\n userId: string | null;\n orgName: string | null;\n orgKind: string | null;\n}> {\n const scoped = await resolveScopedBuilderCredentials();\n if (scoped) {\n const { privateKey, publicKey, userId, orgName, orgKind } = scoped;\n return { privateKey, publicKey, userId, orgName, orgKind };\n }\n const privateKey = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_PRIVATE_KEY\") ?? null)\n : null;\n const publicKey = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_PUBLIC_KEY\") ?? null)\n : null;\n const userId = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_USER_ID\") ?? null)\n : null;\n const orgName = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_ORG_NAME\") ?? null)\n : null;\n const orgKind = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_ORG_KIND\") ?? 
null)\n : null;\n return { privateKey, publicKey, userId, orgName, orgKind };\n}\n\nconst BUILDER_AUTH_FAILURE_SETTING_PREFIX = \"builder-auth-failure:\";\n\nexport interface BuilderCredentialAuthFailure {\n fingerprint: string;\n message: string;\n status?: number;\n code?: string;\n at: number;\n ownerEmail?: string | null;\n orgId?: string | null;\n}\n\nexport function builderCredentialFingerprint(\n privateKey?: string | null,\n publicKey?: string | null,\n): string | null {\n if (!privateKey || !publicKey) return null;\n return createHash(\"sha256\")\n .update(privateKey)\n .update(\"\\0\")\n .update(publicKey)\n .digest(\"hex\")\n .slice(0, 24);\n}\n\nfunction builderAuthFailureSettingKey(fingerprint: string): string {\n return `${BUILDER_AUTH_FAILURE_SETTING_PREFIX}${fingerprint}`;\n}\n\nexport async function getBuilderCredentialAuthFailure(\n creds: {\n privateKey?: string | null;\n publicKey?: string | null;\n } = {},\n): Promise<BuilderCredentialAuthFailure | null> {\n const fingerprint = builderCredentialFingerprint(\n creds.privateKey,\n creds.publicKey,\n );\n if (!fingerprint) return null;\n try {\n const { getSetting } = await import(\"../settings/store.js\");\n const row = await getSetting(builderAuthFailureSettingKey(fingerprint));\n if (!row) return null;\n return {\n fingerprint,\n message:\n typeof row.message === \"string\" && row.message\n ? row.message\n : \"Builder rejected the connected credentials. Reconnect Builder.io.\",\n status: typeof row.status === \"number\" ? row.status : undefined,\n code: typeof row.code === \"string\" ? row.code : undefined,\n at: typeof row.at === \"number\" ? row.at : Date.now(),\n ownerEmail:\n typeof row.ownerEmail === \"string\" ? row.ownerEmail : undefined,\n orgId: typeof row.orgId === \"string\" ? 
row.orgId : undefined,\n };\n } catch {\n return null;\n }\n}\n\nexport async function recordBuilderCredentialAuthFailure(details?: {\n status?: number;\n code?: string;\n message?: string;\n}): Promise<void> {\n try {\n const creds = await resolveBuilderCredentials();\n const fingerprint = builderCredentialFingerprint(\n creds.privateKey,\n creds.publicKey,\n );\n if (!fingerprint) return;\n const { putSetting } = await import(\"../settings/store.js\");\n await putSetting(builderAuthFailureSettingKey(fingerprint), {\n fingerprint,\n message:\n details?.message ||\n \"Builder rejected the connected credentials. Reconnect Builder.io.\",\n ...(typeof details?.status === \"number\" && { status: details.status }),\n ...(details?.code && { code: details.code }),\n at: Date.now(),\n ownerEmail: getRequestUserEmail() ?? null,\n orgId: getRequestOrgId() ?? null,\n });\n } catch {\n // Best-effort marker only; the chat error is still returned to the user.\n }\n}\n\nexport async function clearBuilderCredentialAuthFailure(creds: {\n privateKey?: string | null;\n publicKey?: string | null;\n}): Promise<void> {\n const fingerprint = builderCredentialFingerprint(\n creds.privateKey,\n creds.publicKey,\n );\n if (!fingerprint) return;\n try {\n const { deleteSetting } = await import(\"../settings/store.js\");\n await deleteSetting(builderAuthFailureSettingKey(fingerprint));\n } catch {\n // A stale failure marker should not block writing fresh credentials.\n }\n}\n\n/**\n * Write Builder credentials to `app_secrets`.\n *\n * Scope decision (see `resolveCredentialWriteScope`): when the connecting\n * user is owner/admin of an active org we write at `scope: \"org\"` so every\n * member of that org auto-resolves the credentials via\n * `resolveBuilderCredential`'s org fallback — no per-user re-connect\n * needed. 
A plain member or a user with no active org writes at\n * `scope: \"user\"` (the safe default that doesn't trample the org's shared\n * connection).\n *\n * Stale-credential cleanup: before writing the new values we (1) clear ALL\n * five BUILDER_* keys at the target scope, so optional fields the new\n * connection doesn't carry (e.g. user picked a Builder space that returns\n * no orgName) don't leave the previous connection's metadata behind, and\n * (2) when writing at org scope, also clear the writer's own user-scope\n * BUILDER_* rows so a stale personal override from an earlier connect\n * doesn't shadow the new org write on resolution (user scope wins org\n * scope by design — see `resolveScopedBuilderCredential`). The org-scope\n * row is intentionally left alone when writing at user scope: that row is\n * shared with the rest of the org and a single user's personal override\n * shouldn't blow it away. (Victoria's \"I signed in again with my Builder\n * space and it still says no credits\" report on 2026-05-11 was exactly\n * this stale-shadow case.)\n *\n * Returns the actual scope/scopeId used so the caller can show \"Connected\n * for Builder.io\" vs \"Connected (personal)\" in the UI.\n */\nexport async function writeBuilderCredentials(\n email: string,\n creds: {\n privateKey: string;\n publicKey: string;\n userId?: string | null;\n orgName?: string | null;\n orgKind?: string | null;\n },\n options?: { orgId?: string | null; role?: string | null },\n): Promise<{ scope: \"user\" | \"org\"; scopeId: string }> {\n const privateKey = creds.privateKey.trim();\n const publicKey = creds.publicKey.trim();\n if (!isBuilderPrivateKey(privateKey)) {\n throw new Error(\n \"Builder returned a credential that is not a Builder private key (expected bpk-...). Restart the Builder connect flow and choose a space that can issue a private key.\",\n );\n }\n if (!publicKey) {\n throw new Error(\n \"Builder did not return a public API key. 
Restart the Builder connect flow.\",\n );\n }\n\n const { writeAppSecret, deleteAppSecret } =\n await import(\"../secrets/storage.js\");\n const target = resolveCredentialWriteScope(\n email,\n options?.orgId ?? null,\n options?.role ?? null,\n );\n\n // Clear stale rows before writing the new connection. See the function's\n // doc comment for the two cases this handles.\n const cleanups: Array<Promise<unknown>> = BUILDER_CREDENTIAL_KEYS.map((key) =>\n deleteAppSecret({\n key,\n scope: target.scope,\n scopeId: target.scopeId,\n }).catch(() => {}),\n );\n if (target.scope === \"org\") {\n for (const key of BUILDER_CREDENTIAL_KEYS) {\n cleanups.push(\n deleteAppSecret({ key, scope: \"user\", scopeId: email }).catch(() => {}),\n );\n }\n }\n await Promise.all(cleanups);\n\n const entries: Array<{ key: string; value: string }> = [\n { key: \"BUILDER_PRIVATE_KEY\", value: privateKey },\n { key: \"BUILDER_PUBLIC_KEY\", value: publicKey },\n ];\n if (creds.userId) {\n entries.push({ key: \"BUILDER_USER_ID\", value: creds.userId });\n }\n if (creds.orgName) {\n entries.push({ key: \"BUILDER_ORG_NAME\", value: creds.orgName });\n }\n if (creds.orgKind) {\n entries.push({ key: \"BUILDER_ORG_KIND\", value: creds.orgKind });\n }\n await Promise.all(\n entries.map(({ key, value }) =>\n writeAppSecret({\n key,\n value,\n scope: target.scope,\n scopeId: target.scopeId,\n }),\n ),\n );\n await clearBuilderCredentialAuthFailure({\n privateKey,\n publicKey,\n });\n return target;\n}\n\n/**\n * Delete Builder credentials.\n *\n * Default behaviour: clears only this user's per-user override (so a\n * member can disconnect their personal Builder identity without\n * collapsing the org-wide connection for every teammate). To revoke the\n * org's shared connection, pass `{ orgId, role }` for an owner/admin —\n * matching the same authority gate `writeBuilderCredentials` uses on\n * write. 
Plain members can never reach the org-scoped row.\n */\nexport async function deleteBuilderCredentials(\n email: string,\n options?: { orgId?: string | null; role?: string | null },\n): Promise<{ scope: \"user\" | \"org\"; scopeId: string }> {\n const { deleteAppSecret } = await import(\"../secrets/storage.js\");\n const target = resolveCredentialWriteScope(\n email,\n options?.orgId ?? null,\n options?.role ?? null,\n );\n await Promise.all(\n BUILDER_CREDENTIAL_KEYS.map((key) =>\n deleteAppSecret({\n key,\n scope: target.scope,\n scopeId: target.scopeId,\n }).catch(() => {}),\n ),\n );\n return target;\n}\n\n// ---------------------------------------------------------------------------\n// Generic request-scoped secret resolution\n//\n// New consumers should prefer this over reading `process.env.X` directly.\n// User-pasted and shared secrets live in `app_secrets` (encrypted). The\n// settings UI / onboarding panels can write user, org, or workspace rows.\n// Deploy-level env vars are the fallback for unauthenticated/CLI/background\n// contexts where there's no user to scope by — never the silent fallback\n// for an authenticated request, since on a multi-tenant deploy that would\n// silently identify every user as whoever set the deploy-level key\n// (KVesta Space, 2026-04).\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve a request-scoped secret. 
Reads from `app_secrets` first (current\n * user override, active org, then workspace row); falls back to `process.env`\n * only when the deploy fallback policy allows it.\n */\nexport async function resolveSecret(key: string): Promise<string | null> {\n const traceLookup = shouldTraceCredentialResolve();\n const email = getRequestUserEmail();\n if (email) {\n try {\n const { readAppSecret } = await import(\"../secrets/storage.js\");\n // Per-user override first.\n const userSecret = await readAppSecret({\n key,\n scope: \"user\",\n scopeId: email,\n });\n if (userSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} scope=user hit=true`,\n );\n }\n return userSecret.value;\n }\n\n const orgId = getRequestOrgId();\n if (orgId) {\n // Fall back to the active org's shared row, when present. Builder\n // Connect uses this first-class org scope.\n const orgSecret = await readAppSecret({\n key,\n scope: \"org\",\n scopeId: orgId,\n });\n if (orgSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} orgId=${orgId} scope=org hit=true`,\n );\n }\n return orgSecret.value;\n }\n\n // Registered secrets historically used \"workspace\" scope for\n // org-shared configuration. 
Keep reading it so Settings status and\n // runtime resolution agree.\n const workspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: orgId,\n });\n if (workspaceSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} orgId=${orgId} scope=workspace hit=true`,\n );\n }\n return workspaceSecret.value;\n }\n } else {\n const soloWorkspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: `solo:${email}`,\n });\n if (soloWorkspaceSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} scope=workspace-solo hit=true`,\n );\n }\n return soloWorkspaceSecret.value;\n }\n }\n } catch (err) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} scope=error err=${(err as Error)?.message ?? err}`,\n );\n }\n // Secrets table not ready — treat as missing.\n }\n // Authenticated multi-tenant context: never fall back to process.env.\n // The deploy-level value would silently impersonate the actual key\n // owner across every tenant. Local/single-tenant deployments keep the\n // original env fallback for BYO-server workflows.\n const envFallback = (\n isBuilderCredentialKey(key)\n ? canUseBuilderDeployCredentialFallbackForRequest()\n : canUseDeployCredentialFallbackForRequest()\n )\n ? process.env[key] || null\n : null;\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} orgId=${getRequestOrgId() ?? \"(none)\"} scope=${envFallback ? 
\"env-fallback\" : \"none\"} hit=${!!envFallback}`,\n );\n }\n return envFallback;\n }\n // Unauthenticated / local-dev / CLI / background context: env fallback\n // is safe because there's no user to mis-identify.\n const value = process.env[key] || null;\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=(none) scope=env-anonymous hit=${!!value}`,\n );\n }\n return value;\n}\n\n// ---------------------------------------------------------------------------\n// Synchronous helpers — env-only fallbacks for contexts where per-user\n// lookup isn't possible (sync isConfigured checks, CLI scripts).\n// ---------------------------------------------------------------------------\n\n/**\n * True when a Builder private key is configured at the deployment level.\n *\n * This is the same env-only check as `isBuilderEnvManaged()`. For \"does this\n * request have access to Builder via user/org/env credentials?\" use the async\n * `resolveHasBuilderPrivateKey()`.\n */\nexport function hasBuilderPrivateKey(): boolean {\n return !!process.env.BUILDER_PRIVATE_KEY;\n}\n\n/** The origin for Builder-proxied API calls. Overridable for testing. 
*/\nexport function getBuilderProxyOrigin(): string {\n return (\n process.env.BUILDER_PROXY_ORIGIN ||\n process.env.AIR_HOST ||\n process.env.BUILDER_API_HOST ||\n \"https://api.builder.io\"\n );\n}\n\n/**\n * Base URL for the public Builder LLM gateway, which lives at\n * api.builder.io/agent-native/gateway.\n * Override via BUILDER_GATEWAY_BASE_URL for staging / testing.\n */\nexport function getBuilderGatewayBaseUrl(): string {\n return (\n process.env.BUILDER_GATEWAY_BASE_URL ||\n \"https://api.builder.io/agent-native/gateway/v1\"\n );\n}\n\n/**\n * Base URL for Builder-managed image generation.\n * Override via BUILDER_IMAGE_GENERATION_BASE_URL for staging / testing.\n */\nexport function getBuilderImageGenerationBaseUrl(): string {\n return (\n process.env.BUILDER_IMAGE_GENERATION_BASE_URL ||\n \"https://api.builder.io/agent-native/images/v1\"\n );\n}\n\n/** Authorization header value for Builder-proxied calls (env-only). */\nexport function getBuilderAuthHeader(): string | null {\n const key = process.env.BUILDER_PRIVATE_KEY;\n return key ? `Bearer ${key}` : null;\n}\n"]}
1
+ {"version":3,"file":"credential-provider.js","sourceRoot":"","sources":["../../src/server/credential-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC5E,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD;;;;;;;;GAQG;AACH,MAAM,UAAU,2BAA2B,CACzC,KAAa,EACb,KAAgC,EAChC,IAA+B;IAE/B,IAAI,KAAK,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,OAAO,CAAC,EAAE,CAAC;QACpD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC1C,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC3C,CAAC;AAED,MAAM,OAAO,yBAA0B,SAAQ,KAAK;IACzC,kBAAkB,CAAS;IAC3B,iBAAiB,CAAU;IAC3B,WAAW,CAAU;IAE9B,YAAY,IAKX;QACC,KAAK,CACH,IAAI,CAAC,OAAO;YACV,gCAAgC,IAAI,CAAC,kBAAkB,yCAAyC,CACnG,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;QACxC,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,CAAC;QAClD,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAChD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;IACtC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAW;IACjD,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iCAAiC;IAC/C,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IACvD,OAAO,eAAe,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,wCAAwC;IACtD,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,OAAO,iCAAiC,EAAE,CAAC;AAC7C,CAAC;AAED,MAAM,uBAAuB,GAAG;IAC9B,qBAAqB;IACrB,oBAAoB;IACpB,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;IAClB,sBAAsB;IACtB,4BAA4B;IAC5B,2BAA2B;IAC3B,uBAAuB;IACvB,yBAAyB;CACjB,CAAC;AAEX,SAAS,sBAAsB,CAAC,GAAW;IACzC,OAAQ,uBAA6C,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,wBAAwB;IAC/B,MAAM,gBAAgB,GAAG,OAAO,CAC9B,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAC7B,OAAO,CAAC,GAAG,CAAC,sBAAsB,CACnC,CAAC;IACF,OAAO,CACL,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,EAAE,CAAC;QAC5D,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,EAAE,CAAC;QACjE,gBAAgB,CACjB,CAAC;AACJ,CAAC;AAED,SAAS,+CAA+C;IACtD,MAAM,KAAK,GAAG,mBAAmB,EAAE,CA
AC;IACpC,4EAA4E;IAC5E,4EAA4E;IAC5E,yEAAyE;IACzE,+CAA+C;IAC/C,IAAI,KAAK,IAAI,wBAAwB,EAAE;QAAE,OAAO,KAAK,CAAC;IACtD,OAAO,wCAAwC,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,4BAA4B;IACnC,OAAO,aAAa,CAAC,IAAI,CACvB,OAAO,CAAC,GAAG,CAAC,qCAAqC;QAC/C,OAAO,CAAC,GAAG,CAAC,wBAAwB;QACpC,EAAE,CACL,CAAC;AACJ,CAAC;AAgCD,SAAS,2BAA2B,CAAC,KAAiC;IACpE,OAAO,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,0BAA0B,CACjC,KAAgC;IAEhC,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IAC/C,OAAO,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAAgC;IAClE,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AACtE,CAAC;AAED,KAAK,UAAU,0BAA0B,CACvC,aAAmE,EACnE,KAAmC,EACnC,OAAe;IAEf,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAC9B,uBAAuB,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACxC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,IAAI,IAAI,CAAU,CAAC;IAC/C,CAAC,CAAC,CACH,CAAC;IACF,MAAM,GAAG,GAAG,IAAI,GAAG,CAAwB,MAAM,CAAC,CAAC;IACnD,OAAO;QACL,UAAU,EAAE,GAAG,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,IAAI;QAClD,SAAS,EAAE,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,IAAI;QAChD,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,IAAI;QAC1C,OAAO,EAAE,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,IAAI;QAC5C,OAAO,EAAE,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,IAAI;QAC5C,YAAY,EAAE,GAAG,CAAC,GAAG,CAAC,sBAAsB,CAAC,IAAI,IAAI;QACrD,iBAAiB,EAAE,GAAG,CAAC,GAAG,CAAC,4BAA4B,CAAC,IAAI,IAAI;QAChE,gBAAgB,EAAE,GAAG,CAAC,GAAG,CAAC,2BAA2B,CAAC,IAAI,IAAI;QAC9D,YAAY,EAAE,0BAA0B,CAAC,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QAC1E,aAAa,EAAE,0BAA0B,CACvC,GAAG,CAAC,GAAG,CAAC,yBAAyB,CAAC,CACnC;QACD,MAAM,EAAE,KAAK,KAAK,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK;KACpD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,8BAA8B,CAC3C,GAAW;IAEX,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,yEAAyE;IACzE,sEAAsE;IACtE,MAAM,WAAW,GAAG,4BAA4B,EAAE,CAAC;IACnD,IAAI,cAAc,GAAG,MAAM,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAA
M,MAAM,CAAC,uBAAuB,CAAC,CAAC;QAEhE,sEAAsE;QACtE,iEAAiE;QACjE,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC;YACrC,GAAG;YACH,KAAK,EAAE,MAAM;YACb,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QACH,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,sBAAsB,CACrE,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACrD,CAAC;QAED,mEAAmE;QACnE,iEAAiE;QACjE,+DAA+D;QAC/D,6DAA6D;QAC7D,mEAAmE;QACnE,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,IAAI,KAAK,EAAE,CAAC;YACV,cAAc,GAAG,KAAK,CAAC;YACvB,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC;gBACpC,GAAG;gBACH,KAAK,EAAE,KAAK;gBACZ,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,SAAS,EAAE,CAAC;gBACd,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,KAAK,qBAAqB,CACnF,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YACnD,CAAC;YAED,iEAAiE;YACjE,qEAAqE;YACrE,yEAAyE;YACzE,cAAc,GAAG,WAAW,CAAC;YAC7B,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC;gBAC1C,GAAG;gBACH,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,eAAe,EAAE,CAAC;gBACpB,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,KAAK,2BAA2B,CACzF,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;YAC/D,CAAC;YACD,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,KAAK,gCAAgC,CAC9F,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,cAAc,GAAG,gBAAgB,CAAC;YAClC,MAAM,mBAAmB,GAAG,MAAM,aAAa,CAAC;gBAC9C,GAAG;gBACH,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,QAAQ,KAAK,EAAE;aACzB,CAAC,CAAC;YACH,IAAI,mBAAmB,EAAE,CAAC;gBACxB,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,gCAAgC,CAC/E,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;YACnE,CAAC;YACD,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,8CAA8C,CAC7F,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,cAAc,UAAW,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CACjH,C
AAC;QACJ,CAAC;QACD,8CAA8C;IAChD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,+BAA+B;IAC5C,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,WAAW,GAAG,4BAA4B,EAAE,CAAC;IACnD,IAAI,cAAc,GAAG,MAAM,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;QAChE,MAAM,UAAU,GAAG,CAAC,KAAiC,EAAE,OAAe,EAAE,EAAE;YACxE,IAAI,CAAC,WAAW;gBAAE,OAAO;YACzB,OAAO,CAAC,GAAG,CACT,8BAA8B,KAAK,CAAC,MAAM,YAAY,OAAO,UAAU,KAAK,aAAa,2BAA2B,CAAC,KAAK,CAAC,YAAY,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,WAAW,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CACtM,CAAC;QACJ,CAAC,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,0BAA0B,CAChD,aAAa,EACb,MAAM,EACN,KAAK,CACN,CAAC;QACF,UAAU,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC7B,IAAI,2BAA2B,CAAC,SAAS,CAAC;YAAE,OAAO,SAAS,CAAC;QAE7D,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,IAAI,KAAK,EAAE,CAAC;YACV,cAAc,GAAG,KAAK,CAAC;YACvB,MAAM,QAAQ,GAAG,MAAM,0BAA0B,CAC/C,aAAa,EACb,KAAK,EACL,KAAK,CACN,CAAC;YACF,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;YAC5B,IAAI,2BAA2B,CAAC,QAAQ,CAAC;gBAAE,OAAO,QAAQ,CAAC;YAE3D,cAAc,GAAG,WAAW,CAAC;YAC7B,MAAM,cAAc,GAAG,MAAM,0BAA0B,CACrD,aAAa,EACb,WAAW,EACX,KAAK,CACN,CAAC;YACF,UAAU,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;YAClC,IAAI,2BAA2B,CAAC,cAAc,CAAC;gBAAE,OAAO,cAAc,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,cAAc,GAAG,gBAAgB,CAAC;YAClC,MAAM,OAAO,GAAG,QAAQ,KAAK,EAAE,CAAC;YAChC,MAAM,cAAc,GAAG,MAAM,0BAA0B,CACrD,aAAa,EACb,WAAW,EACX,OAAO,CACR,CAAC;YACF,UAAU,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;YACpC,IAAI,2BAA2B,CAAC,cAAc,CAAC;gBAAE,OAAO,cAAc,CAAC;QACzE,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,8BAA8B,KAAK,UAAU,cAAc,sBAAuB,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CAClH,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,GAAW;IAEX,MAAM,MAAM,GAAG,MAAM,8BAA8B,CAAC,GAAG,CAAC,CAAC;IACzD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,KAAK,CAAC;IAChC,IAAI,CAAC,+CAA+C,EAAE;QAAE,OAAO,IAAI,CAAC;IACpE,OAAO,uBAAuB,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,CAAC,CAAC
,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AAC3C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,OAAO,wBAAwB,CAAC,qBAAqB,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,MAAM,GAAG,GAAG,MAAM,wBAAwB,EAAE,CAAC;IAC7C,OAAO,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,OAAO,CAAC,CAAC,CAAC,MAAM,wBAAwB,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,mCAAmC;IACvD,MAAM,KAAK,GAAG,MAAM,yBAAyB,EAAE,CAAC;IAChD,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B;IAClD,MAAM,MAAM,GAAG,MAAM,+BAA+B,EAAE,CAAC;IACvD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,MAAM,CAAC;IACjC,OAAO,+CAA+C,EAAE;QACtD,OAAO,CAAC,GAAG,CAAC,mBAAmB;QAC/B,CAAC,CAAC,KAAK;QACP,CAAC,CAAC,IAAI,CAAC;AACX,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB;IAY7C,MAAM,MAAM,GAAG,MAAM,+BAA+B,EAAE,CAAC;IACvD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,EACJ,UAAU,EACV,SAAS,EACT,MAAM,EACN,OAAO,EACP,OAAO,EACP,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,YAAY,EACZ,aAAa,GACd,GAAG,MAAM,CAAC;QACX,OAAO;YACL,UAAU;YACV,SAAS;YACT,MAAM;YACN,OAAO;YACP,OAAO;YACP,YAAY;YACZ,iBAAiB;YACjB,gBAAgB;YAChB,YAAY;YACZ,aAAa;SACd,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,+CAA+C,EAAE;QAClE,CAAC,CAAC,CAAC,uBAAuB,CAAC,qBAAqB,CAAC,IAAI,IAAI,CAAC;QAC1D,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,SAAS,GAAG,+CAA+C,EAAE;QACjE,CAAC,CAAC,CAAC,uBAAuB,CAAC,oBAAoB,CAAC,IAAI,IAAI,CAAC;QACzD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,MAAM,GAAG,+CAA+C,EAAE;QAC9D,CAAC,CAAC,CAAC,uBAAuB,CAAC,iBAAiB,CAAC,IAAI,IAAI,CAAC;QACtD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,OAAO,GAAG,+CAA+C,EAAE;QAC/D,CAAC,CAAC,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,IAAI,IAAI,CAAC;QACvD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,OAAO,GAAG,+CAA+C,EAAE;QAC/D,CAAC,CAAC,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,IAAI,IAAI,CAAC;QACvD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,YAAY,GAAG,+CAA+C,EAAE;QACpE,CAAC,CAAC,CAAC,uBAAuB,CAAC,sBAAsB,CAAC,IAAI,IAAI,CAAC;QAC3D,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,iBAAiB,GAAG,+CAA+C,EAAE;QACzE,CAAC,CAAC,CAAC,uBAAuB,CAAC,4BAA4B,C
AAC,IAAI,IAAI,CAAC;QACjE,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,gBAAgB,GAAG,+CAA+C,EAAE;QACxE,CAAC,CAAC,CAAC,uBAAuB,CAAC,2BAA2B,CAAC,IAAI,IAAI,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,YAAY,GAAG,+CAA+C,EAAE;QACpE,CAAC,CAAC,0BAA0B,CACxB,uBAAuB,CAAC,uBAAuB,CAAC,CACjD;QACH,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,aAAa,GAAG,+CAA+C,EAAE;QACrE,CAAC,CAAC,0BAA0B,CACxB,uBAAuB,CAAC,yBAAyB,CAAC,CACnD;QACH,CAAC,CAAC,IAAI,CAAC;IACT,OAAO;QACL,UAAU;QACV,SAAS;QACT,MAAM;QACN,OAAO;QACP,OAAO;QACP,YAAY;QACZ,iBAAiB;QACjB,gBAAgB;QAChB,YAAY;QACZ,aAAa;KACd,CAAC;AACJ,CAAC;AAED,MAAM,mCAAmC,GAAG,uBAAuB,CAAC;AAYpE,MAAM,UAAU,4BAA4B,CAC1C,UAA0B,EAC1B,SAAyB;IAEzB,IAAI,CAAC,UAAU,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,UAAU,CAAC;SAClB,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,SAAS,CAAC;SACjB,MAAM,CAAC,KAAK,CAAC;SACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,4BAA4B,CAAC,WAAmB;IACvD,OAAO,GAAG,mCAAmC,GAAG,WAAW,EAAE,CAAC;AAChE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,QAGI,EAAE;IAEN,MAAM,WAAW,GAAG,4BAA4B,CAC9C,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,SAAS,CAChB,CAAC;IACF,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC5D,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,4BAA4B,CAAC,WAAW,CAAC,CAAC,CAAC;QACxE,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO;YACL,WAAW;YACX,OAAO,EACL,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,IAAI,GAAG,CAAC,OAAO;gBAC5C,CAAC,CAAC,GAAG,CAAC,OAAO;gBACb,CAAC,CAAC,mEAAmE;YACzE,MAAM,EAAE,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YAC/D,IAAI,EAAE,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;YACzD,EAAE,EAAE,OAAO,GAAG,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE;YACpD,UAAU,EACR,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YACjE,KAAK,EAAE,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;SAC7D,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,C
AAC;AAED,MAAM,CAAC,KAAK,UAAU,kCAAkC,CAAC,OAIxD;IACC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,yBAAyB,EAAE,CAAC;QAChD,MAAM,WAAW,GAAG,4BAA4B,CAC9C,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,SAAS,CAChB,CAAC;QACF,IAAI,CAAC,WAAW;YAAE,OAAO;QACzB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC5D,MAAM,UAAU,CAAC,4BAA4B,CAAC,WAAW,CAAC,EAAE;YAC1D,WAAW;YACX,OAAO,EACL,OAAO,EAAE,OAAO;gBAChB,mEAAmE;YACrE,GAAG,CAAC,OAAO,OAAO,EAAE,MAAM,KAAK,QAAQ,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC;YACtE,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC;YAC5C,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;YACd,UAAU,EAAE,mBAAmB,EAAE,IAAI,IAAI;YACzC,KAAK,EAAE,eAAe,EAAE,IAAI,IAAI;SACjC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,yEAAyE;IAC3E,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iCAAiC,CAAC,KAGvD;IACC,MAAM,WAAW,GAAG,4BAA4B,CAC9C,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,SAAS,CAChB,CAAC;IACF,IAAI,CAAC,WAAW;QAAE,OAAO;IACzB,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC/D,MAAM,aAAa,CAAC,4BAA4B,CAAC,WAAW,CAAC,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,qEAAqE;IACvE,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,KAAa,EACb,KAWC,EACD,OAAyD;IAEzD,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;IACzC,IAAI,CAAC,mBAAmB,CAAC,UAAU,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,uKAAuK,CACxK,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,4EAA4E,CAC7E,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,cAAc,EAAE,eAAe,EAAE,GACvC,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,2BAA2B,CACxC,KAAK,EACL,OAAO,EAAE,KAAK,IAAI,IAAI,EACtB,OAAO,EAAE,IAAI,IAAI,IAAI,CACtB,CAAC;IAEF,yEAAyE;IACzE,8CAA8C;IAC9C,MAAM,QAAQ,GAA4B,uBAAuB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAC5E,eAAe,CAAC;QACd,GAAG;QACH,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACnB,CAAC;IACF,IAAI,MAAM,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QAC3B,KAAK,MAAM,GAAG,IAAI,uBAAuB,EAAE,CAAC;YAC1C,QAAQ,CAAC,IA
AI,CACX,eAAe,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACxE,CAAC;QACJ,CAAC;IACH,CAAC;IACD,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAE5B,MAAM,OAAO,GAA0C;QACrD,EAAE,GAAG,EAAE,qBAAqB,EAAE,KAAK,EAAE,UAAU,EAAE;QACjD,EAAE,GAAG,EAAE,oBAAoB,EAAE,KAAK,EAAE,SAAS,EAAE;KAChD,CAAC;IACF,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;QAC5B,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,4BAA4B;YACjC,KAAK,EAAE,KAAK,CAAC,iBAAiB;SAC/B,CAAC,CAAC;IACL,CAAC;IACD,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC3B,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,2BAA2B;YAChC,KAAK,EAAE,KAAK,CAAC,gBAAgB;SAC9B,CAAC,CAAC;IACL,CAAC;IACD,IAAI,OAAO,KAAK,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,uBAAuB;YAC5B,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC;SAClC,CAAC,CAAC;IACL,CAAC;IACD,IAAI,OAAO,KAAK,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,yBAAyB;YAC9B,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC;SACnC,CAAC,CAAC;IACL,CAAC;IACD,MAAM,OAAO,CAAC,GAAG,CACf,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,CAC7B,cAAc,CAAC;QACb,GAAG;QACH,KAAK;QACL,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CACH,CACF,CAAC;IACF,MAAM,iCAAiC,CAAC;QACtC,UAAU;QACV,SAAS;KACV,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,KAAa,EACb,OAAyD;IAEzD,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,2BAA2B,CACxC,KAAK,EACL,OA
AO,EAAE,KAAK,IAAI,IAAI,EACtB,OAAO,EAAE,IAAI,IAAI,IAAI,CACtB,CAAC;IACF,MAAM,OAAO,CAAC,GAAG,CACf,uBAAuB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAClC,eAAe,CAAC;QACd,GAAG;QACH,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACnB,CACF,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,2CAA2C;AAC3C,EAAE;AACF,0EAA0E;AAC1E,wEAAwE;AACxE,0EAA0E;AAC1E,4EAA4E;AAC5E,yEAAyE;AACzE,0EAA0E;AAC1E,mEAAmE;AACnE,2BAA2B;AAC3B,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAW;IAC7C,MAAM,WAAW,GAAG,4BAA4B,EAAE,CAAC;IACnD,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;YAChE,2BAA2B;YAC3B,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC;gBACrC,GAAG;gBACH,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,UAAU,EAAE,KAAK,EAAE,CAAC;gBACtB,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,sBAAsB,CACjE,CAAC;gBACJ,CAAC;gBACD,OAAO,UAAU,CAAC,KAAK,CAAC;YAC1B,CAAC;YAED,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;YAChC,IAAI,KAAK,EAAE,CAAC;gBACV,kEAAkE;gBAClE,2CAA2C;gBAC3C,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC;oBACpC,GAAG;oBACH,KAAK,EAAE,KAAK;oBACZ,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;gBACH,IAAI,SAAS,EAAE,KAAK,EAAE,CAAC;oBACrB,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,UAAU,KAAK,qBAAqB,CAC/E,CAAC;oBACJ,CAAC;oBACD,OAAO,SAAS,CAAC,KAAK,CAAC;gBACzB,CAAC;gBAED,6DAA6D;gBAC7D,mEAAmE;gBACnE,4BAA4B;gBAC5B,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC;oBAC1C,GAAG;oBACH,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;gBACH,IAAI,eAAe,EAAE,KAAK,EAAE,CAAC;oBAC3B,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,UAAU,KAAK,2BAA2B,CACrF,CAAC;oBACJ,CAAC;oBACD,OAAO,eAAe,CAAC,KAAK,CAAC;gBAC/B,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,mBAAmB,GAAG,MAAM,aAAa,CAAC;oBAC9C,GAAG;oBACH,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,QAAQ,KAAK,EAAE;iBACzB,CAAC,CAAC;gBACH,IAAI,mBAAmB,EAAE,KAAK,EAAE,CAAC;oBAC/B,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,gCAAgC
,CAC3E,CAAC;oBACJ,CAAC;oBACD,OAAO,mBAAmB,CAAC,KAAK,CAAC;gBACnC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,oBAAqB,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CAC/F,CAAC;YACJ,CAAC;YACD,8CAA8C;QAChD,CAAC;QACD,sEAAsE;QACtE,mEAAmE;QACnE,sEAAsE;QACtE,kDAAkD;QAClD,MAAM,WAAW,GAAG,CAClB,sBAAsB,CAAC,GAAG,CAAC;YACzB,CAAC,CAAC,+CAA+C,EAAE;YACnD,CAAC,CAAC,wCAAwC,EAAE,CAC/C;YACC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI;YAC1B,CAAC,CAAC,IAAI,CAAC;QACT,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,UAAU,eAAe,EAAE,IAAI,QAAQ,UAAU,WAAW,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,QAAQ,CAAC,CAAC,WAAW,EAAE,CACxJ,CAAC;QACJ,CAAC;QACD,OAAO,WAAW,CAAC;IACrB,CAAC;IACD,uEAAuE;IACvE,mDAAmD;IACnD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IACvC,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,yCAAyC,CAAC,CAAC,KAAK,EAAE,CAC9E,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,uEAAuE;AACvE,iEAAiE;AACjE,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AAC3C,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,qBAAqB;IACnC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,OAAO,CAAC,GAAG,CAAC,QAAQ;QACpB,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,wBAAwB,CACzB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,wBAAwB;QACpC,gDAAgD,CACjD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gCAAgC;IAC9C,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,iCAAiC;QAC7C,+CAA+C,CAChD,CAAC;AACJ,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,oBAAoB;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC5C,OAAO,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC","sourcesContent":["/**\n * Credential provider abstraction.\n *\n * Every feature that needs an external credential (Anthropic API key,\n * Google OAuth tokens, OpenAI key, Slack bot token, etc.) should go through\n * one of the resolve*() helpers here instead of reading `process.env`\n * directly. 
That way the same feature can work in three modes:\n *\n * 1. User set their own key in .env → use it directly\n * 2. User connected Builder via `/cli-auth` → route through Builder proxy\n * 3. Neither → throw FeatureNotConfigured\n *\n * Templates catch FeatureNotConfigured and show a \"Connect Builder (1 click) /\n * set up your own key (guide)\" card.\n *\n * Today these helpers are used by the Builder-hosted LLM gateway, and the\n * shape is meant to grow to cover future managed credential integrations\n * (e.g. additional Builder-hosted services) without rewrites.\n */\n\nimport { createHash } from \"node:crypto\";\nimport { getRequestUserEmail, getRequestOrgId } from \"./request-context.js\";\nimport { isLocalDatabase } from \"../db/client.js\";\n\n/**\n * Decide which `app_secrets` scope a Builder/credential write should use.\n *\n * Org scope (\"everyone in this org sees these credentials\") wins when the\n * connecting user is an owner or admin of an active org — the write\n * privileges shared infra. A plain member or a user without an active\n * org falls through to per-user scope so a teammate can't silently\n * overwrite the org-shared connection.\n */\nexport function resolveCredentialWriteScope(\n email: string,\n orgId: string | null | undefined,\n role: string | null | undefined,\n): { scope: \"user\" | \"org\"; scopeId: string } {\n if (orgId && (role === \"owner\" || role === \"admin\")) {\n return { scope: \"org\", scopeId: orgId };\n }\n return { scope: \"user\", scopeId: email };\n}\n\nexport class FeatureNotConfiguredError extends Error {\n readonly requiredCredential: string;\n readonly builderConnectUrl?: string;\n readonly byokDocsUrl?: string;\n\n constructor(opts: {\n requiredCredential: string;\n message?: string;\n builderConnectUrl?: string;\n byokDocsUrl?: string;\n }) {\n super(\n opts.message ??\n `Feature requires credential \"${opts.requiredCredential}\". 
Connect Builder or set your own key.`,\n );\n this.name = \"FeatureNotConfiguredError\";\n this.requiredCredential = opts.requiredCredential;\n this.builderConnectUrl = opts.builderConnectUrl;\n this.byokDocsUrl = opts.byokDocsUrl;\n }\n}\n\n/**\n * Deployment-level credential fallback for single-tenant/local operation.\n * Multi-tenant call sites must gate this explicitly before calling.\n */\nexport function readDeployCredentialEnv(key: string): string | undefined {\n return process.env[key] || undefined;\n}\n\n/**\n * Deployment-level credentials are safe as a runtime fallback only in local /\n * single-tenant contexts. In hosted production with a shared database, every\n * signed-in user needs their own user/org/workspace credential so one deploy\n * key does not silently power another tenant's chat.\n */\nexport function isDeployCredentialFallbackAllowed(): boolean {\n if (process.env.NODE_ENV !== \"production\") return true;\n return isLocalDatabase();\n}\n\nexport function canUseDeployCredentialFallbackForRequest(): boolean {\n const email = getRequestUserEmail();\n if (!email) return true;\n return isDeployCredentialFallbackAllowed();\n}\n\nconst BUILDER_CREDENTIAL_KEYS = [\n \"BUILDER_PRIVATE_KEY\",\n \"BUILDER_PUBLIC_KEY\",\n \"BUILDER_USER_ID\",\n \"BUILDER_ORG_NAME\",\n \"BUILDER_ORG_KIND\",\n \"BUILDER_SUBSCRIPTION\",\n \"BUILDER_SUBSCRIPTION_LEVEL\",\n \"BUILDER_SUBSCRIPTION_NAME\",\n \"BUILDER_IS_ENTERPRISE\",\n \"BUILDER_IS_FREE_ACCOUNT\",\n] as const;\n\nfunction isBuilderCredentialKey(key: string): boolean {\n return (BUILDER_CREDENTIAL_KEYS as readonly string[]).includes(key);\n}\n\nfunction isHostedWorkspaceRuntime(): boolean {\n const hasFusionPreview = Boolean(\n process.env.FUSION_ENVIRONMENT ||\n process.env.FUSION_ENV_ORIGIN ||\n process.env.VITE_FUSION_ENV_ORIGIN,\n );\n return (\n /^(1|true)$/i.test(process.env.AGENT_NATIVE_WORKSPACE ?? \"\") ||\n /^(1|true)$/i.test(process.env.VITE_AGENT_NATIVE_WORKSPACE ?? 
\"\") ||\n hasFusionPreview\n );\n}\n\nfunction canUseBuilderDeployCredentialFallbackForRequest(): boolean {\n const email = getRequestUserEmail();\n // Builder workspace previews can run with NODE_ENV=development and their DB\n // detection can look local during early startup. Once a real signed-in user\n // is present, hosted workspace flags are enough to make deployment-level\n // Builder keys unsafe as an identity fallback.\n if (email && isHostedWorkspaceRuntime()) return false;\n return canUseDeployCredentialFallbackForRequest();\n}\n\nfunction shouldTraceCredentialResolve(): boolean {\n return /^(1|true)$/i.test(\n process.env.AGENT_NATIVE_DEBUG_CREDENTIAL_RESOLVE ??\n process.env.DEBUG_CREDENTIAL_RESOLVE ??\n \"\",\n );\n}\n\n// ---------------------------------------------------------------------------\n// Builder credential resolution:\n//\n// 1. **Request-scoped credentials.** A signed-in user can connect Builder\n// through the CLI-auth flow. Owner/admin connections land at org scope;\n// member/no-org connections land at user scope.\n//\n// 2. **Deployment fallback.** BUILDER_PRIVATE_KEY in env still makes local\n// and single-tenant deploys work out of the box, but it no longer blocks\n// per-user connect. 
Request-scoped credentials win whenever present.\n//\n// To run multi-tenant SaaS: prefer leaving BUILDER_PRIVATE_KEY unset unless a\n// shared fallback identity is intentional.\n// ---------------------------------------------------------------------------\n\ntype BuilderCredentialSource = \"user\" | \"org\" | \"workspace\" | \"env\";\ninterface BuilderResolvedCredentials {\n privateKey: string | null;\n publicKey: string | null;\n userId: string | null;\n orgName: string | null;\n orgKind: string | null;\n subscription: string | null;\n subscriptionLevel: string | null;\n subscriptionName: string | null;\n isEnterprise: boolean | null;\n isFreeAccount: boolean | null;\n source: Exclude<BuilderCredentialSource, \"env\">;\n}\n\nfunction isCompleteBuilderConnection(creds: BuilderResolvedCredentials) {\n return Boolean(creds.privateKey && creds.publicKey);\n}\n\nfunction readOptionalBuilderBoolean(\n value: string | null | undefined,\n): boolean | null {\n if (value == null || value === \"\") return null;\n return /^(1|true)$/i.test(value);\n}\n\nexport function isBuilderPrivateKey(value: string | null | undefined): boolean {\n return typeof value === \"string\" && value.trim().startsWith(\"bpk-\");\n}\n\nasync function readBuilderCredentialScope(\n readAppSecret: typeof import(\"../secrets/storage.js\").readAppSecret,\n scope: \"user\" | \"org\" | \"workspace\",\n scopeId: string,\n): Promise<BuilderResolvedCredentials> {\n const values = await Promise.all(\n BUILDER_CREDENTIAL_KEYS.map(async (key) => {\n const secret = await readAppSecret({ key, scope, scopeId });\n return [key, secret?.value ?? null] as const;\n }),\n );\n const map = new Map<string, string | null>(values);\n return {\n privateKey: map.get(\"BUILDER_PRIVATE_KEY\") ?? null,\n publicKey: map.get(\"BUILDER_PUBLIC_KEY\") ?? null,\n userId: map.get(\"BUILDER_USER_ID\") ?? null,\n orgName: map.get(\"BUILDER_ORG_NAME\") ?? null,\n orgKind: map.get(\"BUILDER_ORG_KIND\") ?? 
null,\n subscription: map.get(\"BUILDER_SUBSCRIPTION\") ?? null,\n subscriptionLevel: map.get(\"BUILDER_SUBSCRIPTION_LEVEL\") ?? null,\n subscriptionName: map.get(\"BUILDER_SUBSCRIPTION_NAME\") ?? null,\n isEnterprise: readOptionalBuilderBoolean(map.get(\"BUILDER_IS_ENTERPRISE\")),\n isFreeAccount: readOptionalBuilderBoolean(\n map.get(\"BUILDER_IS_FREE_ACCOUNT\"),\n ),\n source: scope === \"workspace\" ? \"workspace\" : scope,\n };\n}\n\nasync function resolveScopedBuilderCredential(\n key: string,\n): Promise<{ value: string; source: \"user\" | \"org\" | \"workspace\" } | null> {\n const email = getRequestUserEmail();\n if (!email) return null;\n\n // Trace only when explicitly requested. These diagnostics are useful for\n // support, but they include account identifiers and run on hot paths.\n const traceLookup = shouldTraceCredentialResolve();\n let scopeAttempted = \"user\";\n try {\n const { readAppSecret } = await import(\"../secrets/storage.js\");\n\n // 1. Per-user override: a user can paste their own key in settings to\n // overrule the org-shared one (handy for a personal sandbox).\n const userSecret = await readAppSecret({\n key,\n scope: \"user\",\n scopeId: email,\n });\n if (userSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} scope=user hit=true`,\n );\n }\n return { value: userSecret.value, source: \"user\" };\n }\n\n // 2. Per-org shared credential: when one teammate connects Builder\n // as an owner/admin we write the OAuth result at org scope so\n // every member of that org gets the AI chat working without\n // re-running the connect flow. 
Resolution falls back here\n // silently — the caller never has to know which scope answered.\n const orgId = getRequestOrgId();\n if (orgId) {\n scopeAttempted = \"org\";\n const orgSecret = await readAppSecret({\n key,\n scope: \"org\",\n scopeId: orgId,\n });\n if (orgSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=${orgId} scope=org hit=true`,\n );\n }\n return { value: orgSecret.value, source: \"org\" };\n }\n\n // Older setup flows wrote shared credentials at workspace scope.\n // Keep reading those rows so status UIs and runtime resolution agree\n // for users who connected before org-scoped Builder credentials existed.\n scopeAttempted = \"workspace\";\n const workspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: orgId,\n });\n if (workspaceSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=${orgId} scope=workspace hit=true`,\n );\n }\n return { value: workspaceSecret.value, source: \"workspace\" };\n }\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=${orgId} miss tried=user,org,workspace`,\n );\n }\n } else {\n scopeAttempted = \"workspace-solo\";\n const soloWorkspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: `solo:${email}`,\n });\n if (soloWorkspaceSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} scope=workspace-solo hit=true`,\n );\n }\n return { value: soloWorkspaceSecret.value, source: \"workspace\" };\n }\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=(none) miss tried=user,workspace-solo`,\n );\n }\n }\n } catch (err) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} scope=${scopeAttempted} error=${(err as Error)?.message ?? 
err}`,\n );\n }\n // Secrets table not ready — treat as missing.\n }\n return null;\n}\n\nasync function resolveScopedBuilderCredentials(): Promise<BuilderResolvedCredentials | null> {\n const email = getRequestUserEmail();\n if (!email) return null;\n\n const traceLookup = shouldTraceCredentialResolve();\n let scopeAttempted = \"user\";\n try {\n const { readAppSecret } = await import(\"../secrets/storage.js\");\n const traceScope = (creds: BuilderResolvedCredentials, scopeId: string) => {\n if (!traceLookup) return;\n console.log(\n `[builder-credential] scope=${creds.source} scopeId=${scopeId} email=${email} complete=${isCompleteBuilderConnection(creds)} private=${Boolean(creds.privateKey)} public=${Boolean(creds.publicKey)}`,\n );\n };\n\n const userCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"user\",\n email,\n );\n traceScope(userCreds, email);\n if (isCompleteBuilderConnection(userCreds)) return userCreds;\n\n const orgId = getRequestOrgId();\n if (orgId) {\n scopeAttempted = \"org\";\n const orgCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"org\",\n orgId,\n );\n traceScope(orgCreds, orgId);\n if (isCompleteBuilderConnection(orgCreds)) return orgCreds;\n\n scopeAttempted = \"workspace\";\n const workspaceCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"workspace\",\n orgId,\n );\n traceScope(workspaceCreds, orgId);\n if (isCompleteBuilderConnection(workspaceCreds)) return workspaceCreds;\n } else {\n scopeAttempted = \"workspace-solo\";\n const scopeId = `solo:${email}`;\n const workspaceCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"workspace\",\n scopeId,\n );\n traceScope(workspaceCreds, scopeId);\n if (isCompleteBuilderConnection(workspaceCreds)) return workspaceCreds;\n }\n } catch (err) {\n if (traceLookup) {\n console.log(\n `[builder-credential] email=${email} scope=${scopeAttempted} credentials error=${(err as Error)?.message ?? 
err}`,\n );\n }\n }\n return null;\n}\n\n/**\n * Resolve a Builder credential for the current request. User/org credentials\n * win; deployment env is only a fallback. This lets local/root .env keys keep\n * a template working while still allowing users to connect their own Builder\n * account from Settings or onboarding.\n */\nexport async function resolveBuilderCredential(\n key: string,\n): Promise<string | null> {\n const scoped = await resolveScopedBuilderCredential(key);\n if (scoped) return scoped.value;\n if (!canUseBuilderDeployCredentialFallbackForRequest()) return null;\n return readDeployCredentialEnv(key) ?? null;\n}\n\n/**\n * True when `BUILDER_PRIVATE_KEY` is set at the deployment level. This means\n * a deploy-level fallback exists; it does not prevent per-user connect.\n */\nexport function isBuilderEnvManaged(): boolean {\n return !!process.env.BUILDER_PRIVATE_KEY;\n}\n\n/**\n * Resolve the Builder private key for the current request. User/org OAuth\n * credentials win; deploy-level `BUILDER_PRIVATE_KEY` is the fallback.\n */\nexport async function resolveBuilderPrivateKey(): Promise<string | null> {\n return resolveBuilderCredential(\"BUILDER_PRIVATE_KEY\");\n}\n\n/**\n * Resolve the current user's Builder auth header.\n * Returns `\"Bearer <key>\"` or null.\n */\nexport async function resolveBuilderAuthHeader(): Promise<string | null> {\n const key = await resolveBuilderPrivateKey();\n return key ? 
`Bearer ${key}` : null;\n}\n\n/**\n * Check whether the current user has a Builder private key configured\n * (per-user or deployment-level).\n */\nexport async function resolveHasBuilderPrivateKey(): Promise<boolean> {\n return !!(await resolveBuilderPrivateKey());\n}\n\n/**\n * Check whether the current request has the complete Builder credential bundle\n * needed for Builder-backed assistant/image-generation calls.\n */\nexport async function resolveHasCompleteBuilderConnection(): Promise<boolean> {\n const creds = await resolveBuilderCredentials();\n return !!(creds.privateKey && creds.publicKey);\n}\n\n/**\n * Resolve where the effective Builder assistant connection came from. This\n * intentionally requires a complete private+public key pair from one scope so\n * status UIs don't report a mixed user/org credential set as connected.\n */\nexport async function resolveBuilderCredentialSource(): Promise<BuilderCredentialSource | null> {\n const scoped = await resolveScopedBuilderCredentials();\n if (scoped) return scoped.source;\n return canUseBuilderDeployCredentialFallbackForRequest() &&\n process.env.BUILDER_PRIVATE_KEY\n ? 
\"env\"\n : null;\n}\n\n/**\n * Resolve the Builder assistant credential bundle from one complete scope.\n * A partial user row is treated as a miss so the org-shared connection can\n * still power the assistant for teammates.\n */\nexport async function resolveBuilderCredentials(): Promise<{\n privateKey: string | null;\n publicKey: string | null;\n userId: string | null;\n orgName: string | null;\n orgKind: string | null;\n subscription: string | null;\n subscriptionLevel: string | null;\n subscriptionName: string | null;\n isEnterprise: boolean | null;\n isFreeAccount: boolean | null;\n}> {\n const scoped = await resolveScopedBuilderCredentials();\n if (scoped) {\n const {\n privateKey,\n publicKey,\n userId,\n orgName,\n orgKind,\n subscription,\n subscriptionLevel,\n subscriptionName,\n isEnterprise,\n isFreeAccount,\n } = scoped;\n return {\n privateKey,\n publicKey,\n userId,\n orgName,\n orgKind,\n subscription,\n subscriptionLevel,\n subscriptionName,\n isEnterprise,\n isFreeAccount,\n };\n }\n const privateKey = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_PRIVATE_KEY\") ?? null)\n : null;\n const publicKey = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_PUBLIC_KEY\") ?? null)\n : null;\n const userId = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_USER_ID\") ?? null)\n : null;\n const orgName = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_ORG_NAME\") ?? null)\n : null;\n const orgKind = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_ORG_KIND\") ?? null)\n : null;\n const subscription = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_SUBSCRIPTION\") ?? null)\n : null;\n const subscriptionLevel = canUseBuilderDeployCredentialFallbackForRequest()\n ? 
(readDeployCredentialEnv(\"BUILDER_SUBSCRIPTION_LEVEL\") ?? null)\n : null;\n const subscriptionName = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_SUBSCRIPTION_NAME\") ?? null)\n : null;\n const isEnterprise = canUseBuilderDeployCredentialFallbackForRequest()\n ? readOptionalBuilderBoolean(\n readDeployCredentialEnv(\"BUILDER_IS_ENTERPRISE\"),\n )\n : null;\n const isFreeAccount = canUseBuilderDeployCredentialFallbackForRequest()\n ? readOptionalBuilderBoolean(\n readDeployCredentialEnv(\"BUILDER_IS_FREE_ACCOUNT\"),\n )\n : null;\n return {\n privateKey,\n publicKey,\n userId,\n orgName,\n orgKind,\n subscription,\n subscriptionLevel,\n subscriptionName,\n isEnterprise,\n isFreeAccount,\n };\n}\n\nconst BUILDER_AUTH_FAILURE_SETTING_PREFIX = \"builder-auth-failure:\";\n\nexport interface BuilderCredentialAuthFailure {\n fingerprint: string;\n message: string;\n status?: number;\n code?: string;\n at: number;\n ownerEmail?: string | null;\n orgId?: string | null;\n}\n\nexport function builderCredentialFingerprint(\n privateKey?: string | null,\n publicKey?: string | null,\n): string | null {\n if (!privateKey || !publicKey) return null;\n return createHash(\"sha256\")\n .update(privateKey)\n .update(\"\\0\")\n .update(publicKey)\n .digest(\"hex\")\n .slice(0, 24);\n}\n\nfunction builderAuthFailureSettingKey(fingerprint: string): string {\n return `${BUILDER_AUTH_FAILURE_SETTING_PREFIX}${fingerprint}`;\n}\n\nexport async function getBuilderCredentialAuthFailure(\n creds: {\n privateKey?: string | null;\n publicKey?: string | null;\n } = {},\n): Promise<BuilderCredentialAuthFailure | null> {\n const fingerprint = builderCredentialFingerprint(\n creds.privateKey,\n creds.publicKey,\n );\n if (!fingerprint) return null;\n try {\n const { getSetting } = await import(\"../settings/store.js\");\n const row = await getSetting(builderAuthFailureSettingKey(fingerprint));\n if (!row) return null;\n return {\n fingerprint,\n 
message:\n typeof row.message === \"string\" && row.message\n ? row.message\n : \"Builder rejected the connected credentials. Reconnect Builder.io.\",\n status: typeof row.status === \"number\" ? row.status : undefined,\n code: typeof row.code === \"string\" ? row.code : undefined,\n at: typeof row.at === \"number\" ? row.at : Date.now(),\n ownerEmail:\n typeof row.ownerEmail === \"string\" ? row.ownerEmail : undefined,\n orgId: typeof row.orgId === \"string\" ? row.orgId : undefined,\n };\n } catch {\n return null;\n }\n}\n\nexport async function recordBuilderCredentialAuthFailure(details?: {\n status?: number;\n code?: string;\n message?: string;\n}): Promise<void> {\n try {\n const creds = await resolveBuilderCredentials();\n const fingerprint = builderCredentialFingerprint(\n creds.privateKey,\n creds.publicKey,\n );\n if (!fingerprint) return;\n const { putSetting } = await import(\"../settings/store.js\");\n await putSetting(builderAuthFailureSettingKey(fingerprint), {\n fingerprint,\n message:\n details?.message ||\n \"Builder rejected the connected credentials. Reconnect Builder.io.\",\n ...(typeof details?.status === \"number\" && { status: details.status }),\n ...(details?.code && { code: details.code }),\n at: Date.now(),\n ownerEmail: getRequestUserEmail() ?? null,\n orgId: getRequestOrgId() ?? 
null,\n });\n } catch {\n // Best-effort marker only; the chat error is still returned to the user.\n }\n}\n\nexport async function clearBuilderCredentialAuthFailure(creds: {\n privateKey?: string | null;\n publicKey?: string | null;\n}): Promise<void> {\n const fingerprint = builderCredentialFingerprint(\n creds.privateKey,\n creds.publicKey,\n );\n if (!fingerprint) return;\n try {\n const { deleteSetting } = await import(\"../settings/store.js\");\n await deleteSetting(builderAuthFailureSettingKey(fingerprint));\n } catch {\n // A stale failure marker should not block writing fresh credentials.\n }\n}\n\n/**\n * Write Builder credentials to `app_secrets`.\n *\n * Scope decision (see `resolveCredentialWriteScope`): when the connecting\n * user is owner/admin of an active org we write at `scope: \"org\"` so every\n * member of that org auto-resolves the credentials via\n * `resolveBuilderCredential`'s org fallback — no per-user re-connect\n * needed. A plain member or a user with no active org writes at\n * `scope: \"user\"` (the safe default that doesn't trample the org's shared\n * connection).\n *\n * Stale-credential cleanup: before writing the new values we (1) clear ALL\n * five BUILDER_* keys at the target scope, so optional fields the new\n * connection doesn't carry (e.g. user picked a Builder space that returns\n * no orgName) don't leave the previous connection's metadata behind, and\n * (2) when writing at org scope, also clear the writer's own user-scope\n * BUILDER_* rows so a stale personal override from an earlier connect\n * doesn't shadow the new org write on resolution (user scope wins org\n * scope by design — see `resolveScopedBuilderCredential`). The org-scope\n * row is intentionally left alone when writing at user scope: that row is\n * shared with the rest of the org and a single user's personal override\n * shouldn't blow it away. 
(Victoria's \"I signed in again with my Builder\n * space and it still says no credits\" report on 2026-05-11 was exactly\n * this stale-shadow case.)\n *\n * Returns the actual scope/scopeId used so the caller can show \"Connected\n * for Builder.io\" vs \"Connected (personal)\" in the UI.\n */\nexport async function writeBuilderCredentials(\n email: string,\n creds: {\n privateKey: string;\n publicKey: string;\n userId?: string | null;\n orgName?: string | null;\n orgKind?: string | null;\n subscription?: string | null;\n subscriptionLevel?: string | null;\n subscriptionName?: string | null;\n isEnterprise?: boolean | null;\n isFreeAccount?: boolean | null;\n },\n options?: { orgId?: string | null; role?: string | null },\n): Promise<{ scope: \"user\" | \"org\"; scopeId: string }> {\n const privateKey = creds.privateKey.trim();\n const publicKey = creds.publicKey.trim();\n if (!isBuilderPrivateKey(privateKey)) {\n throw new Error(\n \"Builder returned a credential that is not a Builder private key (expected bpk-...). Restart the Builder connect flow and choose a space that can issue a private key.\",\n );\n }\n if (!publicKey) {\n throw new Error(\n \"Builder did not return a public API key. Restart the Builder connect flow.\",\n );\n }\n\n const { writeAppSecret, deleteAppSecret } =\n await import(\"../secrets/storage.js\");\n const target = resolveCredentialWriteScope(\n email,\n options?.orgId ?? null,\n options?.role ?? null,\n );\n\n // Clear stale rows before writing the new connection. 
See the function's\n // doc comment for the two cases this handles.\n const cleanups: Array<Promise<unknown>> = BUILDER_CREDENTIAL_KEYS.map((key) =>\n deleteAppSecret({\n key,\n scope: target.scope,\n scopeId: target.scopeId,\n }).catch(() => {}),\n );\n if (target.scope === \"org\") {\n for (const key of BUILDER_CREDENTIAL_KEYS) {\n cleanups.push(\n deleteAppSecret({ key, scope: \"user\", scopeId: email }).catch(() => {}),\n );\n }\n }\n await Promise.all(cleanups);\n\n const entries: Array<{ key: string; value: string }> = [\n { key: \"BUILDER_PRIVATE_KEY\", value: privateKey },\n { key: \"BUILDER_PUBLIC_KEY\", value: publicKey },\n ];\n if (creds.userId) {\n entries.push({ key: \"BUILDER_USER_ID\", value: creds.userId });\n }\n if (creds.orgName) {\n entries.push({ key: \"BUILDER_ORG_NAME\", value: creds.orgName });\n }\n if (creds.orgKind) {\n entries.push({ key: \"BUILDER_ORG_KIND\", value: creds.orgKind });\n }\n if (creds.subscription) {\n entries.push({ key: \"BUILDER_SUBSCRIPTION\", value: creds.subscription });\n }\n if (creds.subscriptionLevel) {\n entries.push({\n key: \"BUILDER_SUBSCRIPTION_LEVEL\",\n value: creds.subscriptionLevel,\n });\n }\n if (creds.subscriptionName) {\n entries.push({\n key: \"BUILDER_SUBSCRIPTION_NAME\",\n value: creds.subscriptionName,\n });\n }\n if (typeof creds.isEnterprise === \"boolean\") {\n entries.push({\n key: \"BUILDER_IS_ENTERPRISE\",\n value: String(creds.isEnterprise),\n });\n }\n if (typeof creds.isFreeAccount === \"boolean\") {\n entries.push({\n key: \"BUILDER_IS_FREE_ACCOUNT\",\n value: String(creds.isFreeAccount),\n });\n }\n await Promise.all(\n entries.map(({ key, value }) =>\n writeAppSecret({\n key,\n value,\n scope: target.scope,\n scopeId: target.scopeId,\n }),\n ),\n );\n await clearBuilderCredentialAuthFailure({\n privateKey,\n publicKey,\n });\n return target;\n}\n\n/**\n * Delete Builder credentials.\n *\n * Default behaviour: clears only this user's per-user override (so a\n * member can disconnect 
their personal Builder identity without\n * collapsing the org-wide connection for every teammate). To revoke the\n * org's shared connection, pass `{ orgId, role }` for an owner/admin —\n * matching the same authority gate `writeBuilderCredentials` uses on\n * write. Plain members can never reach the org-scoped row.\n */\nexport async function deleteBuilderCredentials(\n email: string,\n options?: { orgId?: string | null; role?: string | null },\n): Promise<{ scope: \"user\" | \"org\"; scopeId: string }> {\n const { deleteAppSecret } = await import(\"../secrets/storage.js\");\n const target = resolveCredentialWriteScope(\n email,\n options?.orgId ?? null,\n options?.role ?? null,\n );\n await Promise.all(\n BUILDER_CREDENTIAL_KEYS.map((key) =>\n deleteAppSecret({\n key,\n scope: target.scope,\n scopeId: target.scopeId,\n }).catch(() => {}),\n ),\n );\n return target;\n}\n\n// ---------------------------------------------------------------------------\n// Generic request-scoped secret resolution\n//\n// New consumers should prefer this over reading `process.env.X` directly.\n// User-pasted and shared secrets live in `app_secrets` (encrypted). The\n// settings UI / onboarding panels can write user, org, or workspace rows.\n// Deploy-level env vars are the fallback for unauthenticated/CLI/background\n// contexts where there's no user to scope by — never the silent fallback\n// for an authenticated request, since on a multi-tenant deploy that would\n// silently identify every user as whoever set the deploy-level key\n// (KVesta Space, 2026-04).\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve a request-scoped secret. 
Reads from `app_secrets` first (current\n * user override, active org, then workspace row); falls back to `process.env`\n * only when the deploy fallback policy allows it.\n */\nexport async function resolveSecret(key: string): Promise<string | null> {\n const traceLookup = shouldTraceCredentialResolve();\n const email = getRequestUserEmail();\n if (email) {\n try {\n const { readAppSecret } = await import(\"../secrets/storage.js\");\n // Per-user override first.\n const userSecret = await readAppSecret({\n key,\n scope: \"user\",\n scopeId: email,\n });\n if (userSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} scope=user hit=true`,\n );\n }\n return userSecret.value;\n }\n\n const orgId = getRequestOrgId();\n if (orgId) {\n // Fall back to the active org's shared row, when present. Builder\n // Connect uses this first-class org scope.\n const orgSecret = await readAppSecret({\n key,\n scope: \"org\",\n scopeId: orgId,\n });\n if (orgSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} orgId=${orgId} scope=org hit=true`,\n );\n }\n return orgSecret.value;\n }\n\n // Registered secrets historically used \"workspace\" scope for\n // org-shared configuration. 
Keep reading it so Settings status and\n // runtime resolution agree.\n const workspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: orgId,\n });\n if (workspaceSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} orgId=${orgId} scope=workspace hit=true`,\n );\n }\n return workspaceSecret.value;\n }\n } else {\n const soloWorkspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: `solo:${email}`,\n });\n if (soloWorkspaceSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} scope=workspace-solo hit=true`,\n );\n }\n return soloWorkspaceSecret.value;\n }\n }\n } catch (err) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} scope=error err=${(err as Error)?.message ?? err}`,\n );\n }\n // Secrets table not ready — treat as missing.\n }\n // Authenticated multi-tenant context: never fall back to process.env.\n // The deploy-level value would silently impersonate the actual key\n // owner across every tenant. Local/single-tenant deployments keep the\n // original env fallback for BYO-server workflows.\n const envFallback = (\n isBuilderCredentialKey(key)\n ? canUseBuilderDeployCredentialFallbackForRequest()\n : canUseDeployCredentialFallbackForRequest()\n )\n ? process.env[key] || null\n : null;\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} orgId=${getRequestOrgId() ?? \"(none)\"} scope=${envFallback ? 
\"env-fallback\" : \"none\"} hit=${!!envFallback}`,\n );\n }\n return envFallback;\n }\n // Unauthenticated / local-dev / CLI / background context: env fallback\n // is safe because there's no user to mis-identify.\n const value = process.env[key] || null;\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=(none) scope=env-anonymous hit=${!!value}`,\n );\n }\n return value;\n}\n\n// ---------------------------------------------------------------------------\n// Synchronous helpers — env-only fallbacks for contexts where per-user\n// lookup isn't possible (sync isConfigured checks, CLI scripts).\n// ---------------------------------------------------------------------------\n\n/**\n * True when a Builder private key is configured at the deployment level.\n *\n * This is the same env-only check as `isBuilderEnvManaged()`. For \"does this\n * request have access to Builder via user/org/env credentials?\" use the async\n * `resolveHasBuilderPrivateKey()`.\n */\nexport function hasBuilderPrivateKey(): boolean {\n return !!process.env.BUILDER_PRIVATE_KEY;\n}\n\n/** The origin for Builder-proxied API calls. Overridable for testing. 
*/\nexport function getBuilderProxyOrigin(): string {\n return (\n process.env.BUILDER_PROXY_ORIGIN ||\n process.env.AIR_HOST ||\n process.env.BUILDER_API_HOST ||\n \"https://api.builder.io\"\n );\n}\n\n/**\n * Base URL for the public Builder LLM gateway, which lives at\n * api.builder.io/agent-native/gateway.\n * Override via BUILDER_GATEWAY_BASE_URL for staging / testing.\n */\nexport function getBuilderGatewayBaseUrl(): string {\n return (\n process.env.BUILDER_GATEWAY_BASE_URL ||\n \"https://api.builder.io/agent-native/gateway/v1\"\n );\n}\n\n/**\n * Base URL for Builder-managed image generation.\n * Override via BUILDER_IMAGE_GENERATION_BASE_URL for staging / testing.\n */\nexport function getBuilderImageGenerationBaseUrl(): string {\n return (\n process.env.BUILDER_IMAGE_GENERATION_BASE_URL ||\n \"https://api.builder.io/agent-native/images/v1\"\n );\n}\n\n/** Authorization header value for Builder-proxied calls (env-only). */\nexport function getBuilderAuthHeader(): string | null {\n const key = process.env.BUILDER_PRIVATE_KEY;\n return key ? `Bearer ${key}` : null;\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/server/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AA8GH;;;;;;;;;;GAUG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,GAAE,MAAyB;;GAqB3C"}
1
+ {"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/server/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAiHH;;;;;;;;;;GAUG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,GAAE,MAAyB;;GAqB3C"}
@@ -52,6 +52,9 @@ import { defineEventHandler, getMethod, getRequestHeader, setResponseStatus, } f
52
52
  const CSRF_ALLOWLIST_PREFIXES = [
53
53
  // Integration webhooks — verified by HMAC against a per-integration secret.
54
54
  "/integrations/",
55
+ // Agent Teams durable sub-agent processor self-fire — verified by the same
56
+ // HMAC internal-token scheme as the integration/A2A processors.
57
+ "/agent-teams/",
55
58
  // A2A JSON-RPC endpoints — verified by signed JWT (when A2A_SECRET set) or
56
59
  // explicitly opt-in unauthenticated (handled at the A2A layer).
57
60
  "/a2a",
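Review bot: The new `"/agent-teams/"` entry exempts a whole route subtree from the cookie-based CSRF check, and what replaces it is the HMAC internal-token verification that the added comment asserts but this hunk does not show. The allowlist is matched by prefix (`sub.startsWith(allowed)` in `isOnAllowlist`, visible in the source embedded in the csrf.js.map hunk below). Any handler later mounted under `/agent-teams/` that authenticates with the session cookie would therefore skip this middleware without anyone noticing. I would allowlist the exact processor path instead of the directory, e.g. `"/agent-teams/<processor-route>"` (placeholder; the route name is not on this page), and state the invariant next to the entry: `// Every handler under this prefix MUST verify the internal HMAC token and must never fall back to session-cookie auth.` The `CSRF_ALLOWLIST_PREFIXES` array continues past the end of this hunk, and the file-level doc comment's list of opt-out routes does not mention Agent Teams yet.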
@@ -1 +1 @@
1
- {"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/server/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAEH,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,IAAI,CAAC;AAEZ;;;;;GAKG;AACH,MAAM,uBAAuB,GAAG;IAC9B,4EAA4E;IAC5E,gBAAgB;IAChB,2EAA2E;IAC3E,gEAAgE;IAChE,MAAM;IACN,sEAAsE;IACtE,0EAA0E;IAC1E,4DAA4D;IAC5D,QAAQ;IACR,8DAA8D;IAC9D,kBAAkB;IAClB,uEAAuE;IACvE,2EAA2E;IAC3E,SAAS;IACT,sEAAsE;IACtE,yEAAyE;IACzE,yEAAyE;IACzE,qEAAqE;IACrE,+BAA+B;IAC/B,SAAS;IACT,0EAA0E;IAC1E,uEAAuE;IACvE,mBAAmB;CACpB,CAAC;AAEF,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AAE3E;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,SAAS,eAAe,CAAC,KAAU;IACjC,MAAM,GAAG,GAAG,gBAAgB,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACtD,IAAI,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,gBAAgB,CAAC,KAAK,EAAE,qBAAqB,CAAC,EAAE,CAAC;QACnD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,WAAW,GAAG,gBAAgB,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;IAC5D,IACE,WAAW;QACX,OAAO,WAAW,KAAK,QAAQ;QAC/B,WAAW,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EACtD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;GAKG;AACH,SAAS,iBAAiB,CAAC,KAAU;IACnC,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACjD,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;AAChE,CAAC;AAED;;;;GAIG;AACH,SAAS,aAAa,CAAC,QAAgB,EAAE,eAAuB;IAC9D,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IACnD,KAAK,MAAM,OAAO,IAAI,uBAAuB,EAAE,CAAC;QAC9C,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;IAC3C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,oBAAoB,CAClC,kBAA0B,gBAAgB;IAE1C,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,OAAO,SAAS,CAAC;QAE1D,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;QAC3C,IAAI,CAAC,QAAQ,CA
AC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO,SAAS,CAAC;QAC5D,IAAI,aAAa,CAAC,QAAQ,EAAE,eAAe,CAAC;YAAE,OAAO,SAAS,CAAC;QAE/D,qEAAqE;QACrE,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC;YAAE,OAAO,SAAS,CAAC;QAEhD,IAAI,eAAe,CAAC,KAAK,CAAC;YAAE,OAAO,SAAS,CAAC;QAE7C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,6IAA6I;SAChJ,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Defense-in-depth CSRF check for framework state-changing routes.\n *\n * Threat model: action endpoints (`/_agent-native/actions/*`), extension\n * endpoints (`/_agent-native/extensions/*` and the legacy\n * `/_agent-native/tools/*` alias), and a handful of other state-changing\n * `/_agent-native/*` routes use the better-auth session cookie, which is\n * configured with `SameSite=None; Secure; Partitioned` so the iframe editor\n * (and other cross-site embeds) can authenticate. `SameSite=None` means the\n * browser ships the session cookie on top-level form POSTs from any origin —\n * which is exactly the precondition for classic cross-site request forgery.\n *\n * The browser still gates \"non-simple\" requests behind a CORS preflight, so\n * an attacker who has to send `Content-Type: application/json` is forced\n * through OPTIONS, which our CORS middleware (`create-server.ts`) rejects\n * for disallowed origins. But the simple-request bypass (`Content-Type:\n * text/plain` on a `<form enctype=\"text/plain\">` POST, or `multipart/form-data`)\n * never preflights — the browser delivers it cross-origin with cookies.\n *\n * Mitigation: this middleware rejects any state-changing\n * (`POST/PUT/PATCH/DELETE`) request to `/_agent-native/*` that\n *\n * 1. carries the auth-cookie pattern (any cookie at all is a heuristic\n * good-enough proxy — we don't want to deny anonymous fetches), AND\n * 2. is NOT clearly same-origin / first-party. 
We trust:\n * - `Sec-Fetch-Site: same-origin` (sent by every modern browser on\n * same-origin fetch — Chrome/Firefox/Safari/Edge all support it).\n * - `X-Agent-Native-CSRF` custom header. Custom headers force a\n * preflight, so an attacker can't add one cross-origin.\n * - `Content-Type: application/json` request body. Same logic — JSON\n * Content-Type is a non-simple request that triggers preflight.\n *\n * Why the existing CORS check isn't enough: a simple-request POST never\n * preflights, so the browser sends it through and only blocks the *response*\n * from being readable cross-origin. The state change (delete-account, write\n * SQL, etc.) happens server-side regardless. We need a server-side check that\n * proves first-party intent before running the action.\n *\n * Opt-out marker: a handful of routes legitimately accept cross-origin POSTs\n * — webhook endpoints (Slack, Telegram, email), the public A2A endpoint\n * (`/_agent-native/a2a`), the integrations process-task self-fire, and so on.\n * Those are listed in `CSRF_ALLOWLIST_PREFIXES` below; if you add a new\n * cross-origin-callable route, add it there.\n */\n\nimport {\n defineEventHandler,\n getMethod,\n getRequestHeader,\n setResponseStatus,\n} from \"h3\";\n\n/**\n * Path prefixes (relative to the framework prefix `/_agent-native`) that are\n * allowed to receive cross-origin state-changing POSTs without first-party\n * markers. These are signed/authenticated through other mechanisms (HMAC,\n * JWT, internal token) so they don't need cookie-based CSRF protection.\n */\nconst CSRF_ALLOWLIST_PREFIXES = [\n // Integration webhooks — verified by HMAC against a per-integration secret.\n \"/integrations/\",\n // A2A JSON-RPC endpoints — verified by signed JWT (when A2A_SECRET set) or\n // explicitly opt-in unauthenticated (handled at the A2A layer).\n \"/a2a\",\n // Better Auth's own login/sign-in/social-callback routes. 
Better Auth\n // ships its own CSRF protection (Origin/Sec-Fetch checks on its handlers)\n // and cookies are needed for the OAuth callback round-trip.\n \"/auth/\",\n // Stripe / Paddle / billing webhooks dropped in by templates.\n \"/billing/webhook\",\n // Public share endpoints — read-only and never cookie-driven, but kept\n // here so a templated POST (e.g. comment-on-public-recording) doesn't 403.\n \"/share/\",\n // OAuth callbacks (Builder, Google, Slack, Notion, Zoom). These get a\n // `code` query param via top-level navigation — they DO ride the session\n // cookie and they SHOULD validate state, but the framework can't see the\n // state token. Each callback handler is responsible for its own CSRF\n // check (signed state tokens).\n \"/oauth/\",\n // Builder's CLI-auth callback — uses the BUILDER_STATE_PARAM signed token\n // to authenticate the round-trip; framework CSRF check would block it.\n \"/builder/callback\",\n];\n\nconst STATE_CHANGING_METHODS = new Set([\"POST\", \"PUT\", \"PATCH\", \"DELETE\"]);\n\n/**\n * Decide whether a request is \"first-party enough\" to trust as not-CSRF.\n * Any of the following make a request non-CSRF:\n *\n * - `Sec-Fetch-Site: same-origin` (or `none` for top-level navigations\n * to our own pages — but state-changing methods don't ship `none`).\n * - `X-Agent-Native-CSRF` header (any value, even \"1\"). This is a custom\n * header so the browser forces a preflight cross-origin, which our\n * CORS layer rejects for disallowed origins.\n * - `Content-Type: application/json` (case-insensitive). JSON content\n * type is a non-simple request that triggers preflight.\n *\n * We accept ANY of these — the goal is \"did the request come through a\n * channel the browser would have preflighted\", not a strict-mode token.\n *\n * NOTE: `Sec-Fetch-Site: same-site` is deliberately NOT trusted. 
Under a\n * shared cookie domain (COOKIE_DOMAIN / crossSubDomainCookies), the browser\n * labels a request from a SIBLING subdomain (evil.example.com → app.example.com)\n * as `same-site` even though it is cross-origin and would ride the shared\n * session cookie — a CSRF vector. Legitimate first-party clients all also send\n * `X-Agent-Native-CSRF` or `application/json`, so they still pass via those\n * paths and iframe/embed flows are unaffected.\n */\nfunction looksFirstParty(event: any): boolean {\n const sfs = getRequestHeader(event, \"sec-fetch-site\");\n if (sfs === \"same-origin\" || sfs === \"none\") {\n return true;\n }\n if (getRequestHeader(event, \"x-agent-native-csrf\")) {\n return true;\n }\n const contentType = getRequestHeader(event, \"content-type\");\n if (\n contentType &&\n typeof contentType === \"string\" &&\n contentType.toLowerCase().includes(\"application/json\")\n ) {\n return true;\n }\n return false;\n}\n\n/**\n * Returns true when the request carries any cookie. We use \"has any cookie\"\n * as a coarse heuristic for \"the browser is going to attach the session\n * cookie\" — anonymous tools (curl, server-to-server) typically don't send\n * cookies, so they bypass this check entirely.\n */\nfunction requestHasCookies(event: any): boolean {\n const cookie = getRequestHeader(event, \"cookie\");\n return typeof cookie === \"string\" && cookie.trim().length > 0;\n}\n\n/**\n * Path passed in is the full request URL pathname (e.g. `/_agent-native/actions/foo`).\n * `frameworkPrefix` should be the framework route prefix without trailing slash,\n * e.g. 
`/_agent-native`.\n */\nfunction isOnAllowlist(pathname: string, frameworkPrefix: string): boolean {\n if (!pathname.startsWith(frameworkPrefix)) return false;\n const sub = pathname.slice(frameworkPrefix.length);\n for (const allowed of CSRF_ALLOWLIST_PREFIXES) {\n if (sub.startsWith(allowed)) return true;\n }\n return false;\n}\n\n/**\n * Create the framework CSRF middleware.\n *\n * Mount this BEFORE any state-changing route handler. The middleware\n * - lets every non-state-changing method through (GET/HEAD/OPTIONS).\n * - lets requests without cookies through (anonymous/server tools).\n * - lets allowlisted paths through (webhooks, A2A, OAuth callbacks).\n * - lets first-party-shaped requests through (custom header, JSON\n * Content-Type, or `Sec-Fetch-Site: same-origin`).\n * - rejects everything else with 403.\n */\nexport function createCsrfMiddleware(\n frameworkPrefix: string = \"/_agent-native\",\n) {\n return defineEventHandler((event) => {\n const method = getMethod(event);\n if (!STATE_CHANGING_METHODS.has(method)) return undefined;\n\n const pathname = event.url?.pathname ?? \"\";\n if (!pathname.startsWith(frameworkPrefix)) return undefined;\n if (isOnAllowlist(pathname, frameworkPrefix)) return undefined;\n\n // No cookie = no risk of confused-deputy CSRF on the session cookie.\n if (!requestHasCookies(event)) return undefined;\n\n if (looksFirstParty(event)) return undefined;\n\n setResponseStatus(event, 403);\n return {\n error:\n \"CSRF check failed: state-changing requests must include a same-origin marker. Set Content-Type: application/json or X-Agent-Native-CSRF: 1.\",\n };\n });\n}\n"]}
1
+ {"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/server/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAEH,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,IAAI,CAAC;AAEZ;;;;;GAKG;AACH,MAAM,uBAAuB,GAAG;IAC9B,4EAA4E;IAC5E,gBAAgB;IAChB,2EAA2E;IAC3E,gEAAgE;IAChE,eAAe;IACf,2EAA2E;IAC3E,gEAAgE;IAChE,MAAM;IACN,sEAAsE;IACtE,0EAA0E;IAC1E,4DAA4D;IAC5D,QAAQ;IACR,8DAA8D;IAC9D,kBAAkB;IAClB,uEAAuE;IACvE,2EAA2E;IAC3E,SAAS;IACT,sEAAsE;IACtE,yEAAyE;IACzE,yEAAyE;IACzE,qEAAqE;IACrE,+BAA+B;IAC/B,SAAS;IACT,0EAA0E;IAC1E,uEAAuE;IACvE,mBAAmB;CACpB,CAAC;AAEF,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AAE3E;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,SAAS,eAAe,CAAC,KAAU;IACjC,MAAM,GAAG,GAAG,gBAAgB,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACtD,IAAI,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,gBAAgB,CAAC,KAAK,EAAE,qBAAqB,CAAC,EAAE,CAAC;QACnD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,WAAW,GAAG,gBAAgB,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;IAC5D,IACE,WAAW;QACX,OAAO,WAAW,KAAK,QAAQ;QAC/B,WAAW,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EACtD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;GAKG;AACH,SAAS,iBAAiB,CAAC,KAAU;IACnC,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACjD,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;AAChE,CAAC;AAED;;;;GAIG;AACH,SAAS,aAAa,CAAC,QAAgB,EAAE,eAAuB;IAC9D,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IACnD,KAAK,MAAM,OAAO,IAAI,uBAAuB,EAAE,CAAC;QAC9C,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;IAC3C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,oBAAoB,CAClC,kBAA0B,gBAAgB;IAE1C,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,OAAO,SAAS,CAAC;QAE1D,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,IA
AI,EAAE,CAAC;QAC3C,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO,SAAS,CAAC;QAC5D,IAAI,aAAa,CAAC,QAAQ,EAAE,eAAe,CAAC;YAAE,OAAO,SAAS,CAAC;QAE/D,qEAAqE;QACrE,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC;YAAE,OAAO,SAAS,CAAC;QAEhD,IAAI,eAAe,CAAC,KAAK,CAAC;YAAE,OAAO,SAAS,CAAC;QAE7C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,6IAA6I;SAChJ,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Defense-in-depth CSRF check for framework state-changing routes.\n *\n * Threat model: action endpoints (`/_agent-native/actions/*`), extension\n * endpoints (`/_agent-native/extensions/*` and the legacy\n * `/_agent-native/tools/*` alias), and a handful of other state-changing\n * `/_agent-native/*` routes use the better-auth session cookie, which is\n * configured with `SameSite=None; Secure; Partitioned` so the iframe editor\n * (and other cross-site embeds) can authenticate. `SameSite=None` means the\n * browser ships the session cookie on top-level form POSTs from any origin —\n * which is exactly the precondition for classic cross-site request forgery.\n *\n * The browser still gates \"non-simple\" requests behind a CORS preflight, so\n * an attacker who has to send `Content-Type: application/json` is forced\n * through OPTIONS, which our CORS middleware (`create-server.ts`) rejects\n * for disallowed origins. But the simple-request bypass (`Content-Type:\n * text/plain` on a `<form enctype=\"text/plain\">` POST, or `multipart/form-data`)\n * never preflights — the browser delivers it cross-origin with cookies.\n *\n * Mitigation: this middleware rejects any state-changing\n * (`POST/PUT/PATCH/DELETE`) request to `/_agent-native/*` that\n *\n * 1. carries the auth-cookie pattern (any cookie at all is a heuristic\n * good-enough proxy — we don't want to deny anonymous fetches), AND\n * 2. is NOT clearly same-origin / first-party. 
We trust:\n * - `Sec-Fetch-Site: same-origin` (sent by every modern browser on\n * same-origin fetch — Chrome/Firefox/Safari/Edge all support it).\n * - `X-Agent-Native-CSRF` custom header. Custom headers force a\n * preflight, so an attacker can't add one cross-origin.\n * - `Content-Type: application/json` request body. Same logic — JSON\n * Content-Type is a non-simple request that triggers preflight.\n *\n * Why the existing CORS check isn't enough: a simple-request POST never\n * preflights, so the browser sends it through and only blocks the *response*\n * from being readable cross-origin. The state change (delete-account, write\n * SQL, etc.) happens server-side regardless. We need a server-side check that\n * proves first-party intent before running the action.\n *\n * Opt-out marker: a handful of routes legitimately accept cross-origin POSTs\n * — webhook endpoints (Slack, Telegram, email), the public A2A endpoint\n * (`/_agent-native/a2a`), the integrations process-task self-fire, and so on.\n * Those are listed in `CSRF_ALLOWLIST_PREFIXES` below; if you add a new\n * cross-origin-callable route, add it there.\n */\n\nimport {\n defineEventHandler,\n getMethod,\n getRequestHeader,\n setResponseStatus,\n} from \"h3\";\n\n/**\n * Path prefixes (relative to the framework prefix `/_agent-native`) that are\n * allowed to receive cross-origin state-changing POSTs without first-party\n * markers. 
These are signed/authenticated through other mechanisms (HMAC,\n * JWT, internal token) so they don't need cookie-based CSRF protection.\n */\nconst CSRF_ALLOWLIST_PREFIXES = [\n // Integration webhooks — verified by HMAC against a per-integration secret.\n \"/integrations/\",\n // Agent Teams durable sub-agent processor self-fire — verified by the same\n // HMAC internal-token scheme as the integration/A2A processors.\n \"/agent-teams/\",\n // A2A JSON-RPC endpoints — verified by signed JWT (when A2A_SECRET set) or\n // explicitly opt-in unauthenticated (handled at the A2A layer).\n \"/a2a\",\n // Better Auth's own login/sign-in/social-callback routes. Better Auth\n // ships its own CSRF protection (Origin/Sec-Fetch checks on its handlers)\n // and cookies are needed for the OAuth callback round-trip.\n \"/auth/\",\n // Stripe / Paddle / billing webhooks dropped in by templates.\n \"/billing/webhook\",\n // Public share endpoints — read-only and never cookie-driven, but kept\n // here so a templated POST (e.g. comment-on-public-recording) doesn't 403.\n \"/share/\",\n // OAuth callbacks (Builder, Google, Slack, Notion, Zoom). These get a\n // `code` query param via top-level navigation — they DO ride the session\n // cookie and they SHOULD validate state, but the framework can't see the\n // state token. 
Each callback handler is responsible for its own CSRF\n // check (signed state tokens).\n \"/oauth/\",\n // Builder's CLI-auth callback — uses the BUILDER_STATE_PARAM signed token\n // to authenticate the round-trip; framework CSRF check would block it.\n \"/builder/callback\",\n];\n\nconst STATE_CHANGING_METHODS = new Set([\"POST\", \"PUT\", \"PATCH\", \"DELETE\"]);\n\n/**\n * Decide whether a request is \"first-party enough\" to trust as not-CSRF.\n * Any of the following make a request non-CSRF:\n *\n * - `Sec-Fetch-Site: same-origin` (or `none` for top-level navigations\n * to our own pages — but state-changing methods don't ship `none`).\n * - `X-Agent-Native-CSRF` header (any value, even \"1\"). This is a custom\n * header so the browser forces a preflight cross-origin, which our\n * CORS layer rejects for disallowed origins.\n * - `Content-Type: application/json` (case-insensitive). JSON content\n * type is a non-simple request that triggers preflight.\n *\n * We accept ANY of these — the goal is \"did the request come through a\n * channel the browser would have preflighted\", not a strict-mode token.\n *\n * NOTE: `Sec-Fetch-Site: same-site` is deliberately NOT trusted. Under a\n * shared cookie domain (COOKIE_DOMAIN / crossSubDomainCookies), the browser\n * labels a request from a SIBLING subdomain (evil.example.com → app.example.com)\n * as `same-site` even though it is cross-origin and would ride the shared\n * session cookie — a CSRF vector. 
Legitimate first-party clients all also send\n * `X-Agent-Native-CSRF` or `application/json`, so they still pass via those\n * paths and iframe/embed flows are unaffected.\n */\nfunction looksFirstParty(event: any): boolean {\n const sfs = getRequestHeader(event, \"sec-fetch-site\");\n if (sfs === \"same-origin\" || sfs === \"none\") {\n return true;\n }\n if (getRequestHeader(event, \"x-agent-native-csrf\")) {\n return true;\n }\n const contentType = getRequestHeader(event, \"content-type\");\n if (\n contentType &&\n typeof contentType === \"string\" &&\n contentType.toLowerCase().includes(\"application/json\")\n ) {\n return true;\n }\n return false;\n}\n\n/**\n * Returns true when the request carries any cookie. We use \"has any cookie\"\n * as a coarse heuristic for \"the browser is going to attach the session\n * cookie\" — anonymous tools (curl, server-to-server) typically don't send\n * cookies, so they bypass this check entirely.\n */\nfunction requestHasCookies(event: any): boolean {\n const cookie = getRequestHeader(event, \"cookie\");\n return typeof cookie === \"string\" && cookie.trim().length > 0;\n}\n\n/**\n * Path passed in is the full request URL pathname (e.g. `/_agent-native/actions/foo`).\n * `frameworkPrefix` should be the framework route prefix without trailing slash,\n * e.g. `/_agent-native`.\n */\nfunction isOnAllowlist(pathname: string, frameworkPrefix: string): boolean {\n if (!pathname.startsWith(frameworkPrefix)) return false;\n const sub = pathname.slice(frameworkPrefix.length);\n for (const allowed of CSRF_ALLOWLIST_PREFIXES) {\n if (sub.startsWith(allowed)) return true;\n }\n return false;\n}\n\n/**\n * Create the framework CSRF middleware.\n *\n * Mount this BEFORE any state-changing route handler. 
The middleware\n * - lets every non-state-changing method through (GET/HEAD/OPTIONS).\n * - lets requests without cookies through (anonymous/server tools).\n * - lets allowlisted paths through (webhooks, A2A, OAuth callbacks).\n * - lets first-party-shaped requests through (custom header, JSON\n * Content-Type, or `Sec-Fetch-Site: same-origin`).\n * - rejects everything else with 403.\n */\nexport function createCsrfMiddleware(\n frameworkPrefix: string = \"/_agent-native\",\n) {\n return defineEventHandler((event) => {\n const method = getMethod(event);\n if (!STATE_CHANGING_METHODS.has(method)) return undefined;\n\n const pathname = event.url?.pathname ?? \"\";\n if (!pathname.startsWith(frameworkPrefix)) return undefined;\n if (isOnAllowlist(pathname, frameworkPrefix)) return undefined;\n\n // No cookie = no risk of confused-deputy CSRF on the session cookie.\n if (!requestHasCookies(event)) return undefined;\n\n if (looksFirstParty(event)) return undefined;\n\n setResponseStatus(event, 403);\n return {\n error:\n \"CSRF check failed: state-changing requests must include a same-origin marker. Set Content-Type: application/json or X-Agent-Native-CSRF: 1.\",\n };\n });\n}\n"]}
@@ -27,6 +27,7 @@ export { configureAgentNativeEmbeddedEnvironment, createAgentNativeEmbeddedAuthO
27
27
  export { createThread, getThread, listThreads, updateThreadData, deleteThread, setThreadArchived, setThreadPinned, setThreadScope, type ChatThread, type ChatThreadScope, type ChatThreadSummary, type ListThreadsOptions, } from "../chat-threads/store.js";
28
28
  export { createResourcesPlugin, defaultResourcesPlugin, } from "./resources-plugin.js";
29
29
  export { createCoreRoutesPlugin, defaultCoreRoutesPlugin, FRAMEWORK_ROUTE_PREFIX, type CoreRoutesPluginOptions, } from "./core-routes-plugin.js";
30
+ export { AGENT_NATIVE_OG_IMAGE_CACHE_CONTROL, AGENT_NATIVE_OG_IMAGE_HEIGHT, AGENT_NATIVE_OG_IMAGE_NETLIFY_CACHE_CONTROL, AGENT_NATIVE_OG_IMAGE_WIDTH, agentNativeOgImageResponseHeaders, createAgentNativeOgImageHandler, renderAgentNativeOgImagePng, renderAgentNativeOgImageSvg, type AgentNativeOgImageInput, } from "./social-og-image.js";
30
31
  export { createBrowserSessionActionEntries, type CreateBrowserSessionActionEntriesOptions, } from "../browser-sessions/actions.js";
31
32
  export { DEFAULT_BROWSER_SESSION_REQUEST_POLL_MS, DEFAULT_BROWSER_SESSION_REQUEST_TIMEOUT_MS, DEFAULT_BROWSER_SESSION_TTL_MS, callBrowserSession, claimBrowserSessionRequest, completeBrowserSessionRequest, createBrowserSessionRequest, disconnectBrowserSession, getBrowserSession, getBrowserSessionRequest, listBrowserSessions, registerBrowserSession, waitForBrowserSessionRequest, } from "../browser-sessions/store.js";
32
33
  export { mountBrowserSessionRoutes, type MountBrowserSessionRoutesOptions, } from "../browser-sessions/routes.js";
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,aAAa,EACb,KAAK,mBAAmB,EACxB,KAAK,YAAY,GAClB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,aAAa,GACnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAE,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAChF,OAAO,EACL,4BAA4B,EAC5B,mBAAmB,EACnB,KAAK,sBAAsB,GAC5B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,wBAAwB,EACxB,yBAAyB,EACzB,8BAA8B,EAC9B,qBAAqB,EACrB,qBAAqB,EACrB,uBAAuB,EACvB,KAAK,0BAA0B,EAC/B,KAAK,gCAAgC,EACrC,KAAK,kBAAkB,EACvB,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EACzB,KAAK,6BAA6B,GACnC,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,KAAK,iBAAiB,EAAE,MAAM,UAAU,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,UAAU,EACV,WAAW,EACX,UAAU,EACV,aAAa,EACb,eAAe,EACf,+BAA+B,EAC/B,yBAAyB,EACzB,4BAA4B,EAC5B,YAAY,EACZ,kBAAkB,EAClB,uBAAuB,EACvB,cAAc,EACd,KAAK,2BAA2B,EAChC,KAAK,WAAW,EAChB,KAAK,WAAW,GACjB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,KAAK,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAAE,KAAK,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,4BAA4B,EAC5B,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,sBAAsB,EAC3B,KAAK,UAAU,EACf,KAAK,UAAU,EACf,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,2BAA2B,EAChC,KAAK,kCAAkC,EACvC,KAAK,iCAAiC,EACtC,KAAK,wBAAwB,EAC7B,KAAK,0BAA0B,GAChC,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,YAAY,GACb,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,uBAAuB,EACvB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,iBAA
iB,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,uBAAuB,EACvB,iBAAiB,EACjB,KAAK,iBAAiB,GACvB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,4BAA4B,EAC5B,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAI7E,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,KAAK,sBAAsB,GAC5B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,uCAAuC,EACvC,oCAAoC,EACpC,+BAA+B,EAC/B,wBAAwB,EACxB,mCAAmC,EACnC,KAAK,8BAA8B,EACnC,KAAK,6BAA6B,EAClC,KAAK,8BAA8B,EACnC,KAAK,gCAAgC,GACtC,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,YAAY,EACZ,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,iBAAiB,EACjB,eAAe,EACf,cAAc,EACd,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,GACxB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,iCAAiC,EACjC,KAAK,wCAAwC,GAC9C,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,uCAAuC,EACvC,0CAA0C,EAC1C,8BAA8B,EAC9B,kBAAkB,EAClB,0BAA0B,EAC1B,6BAA6B,EAC7B,2BAA2B,EAC3B,wBAAwB,EACxB,iBAAiB,EACjB,wBAAwB,EACxB,mBAAmB,EACnB,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,yBAAyB,EACzB,KAAK,gCAAgC,GACtC,MAAM,+BAA+B,CAAC;AACvC,YAAY,EACV,yBAAyB,EACzB,+BAA+B,EAC/B,+BAA+B,EAC/B,gCAAgC,EAChC,sCAAsC,EACtC,oCAAoC,EACpC,2CAA2C,EAC3C,sCAAsC,GACvC,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,qBAAqB,GAC3B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,kBAAkB,EAClB,KAAK,mBAAmB,GACzB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,OAAO,EACP,eAAe,EACf,SAAS,EACT,UAAU,EACV,eAAe,EACf,KAAK,SAAS,EACd,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACL,QAAQ,EACR,cAAc,EACd,yBAAyB,EACzB,KAAK,SAAS,GACf,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,6BAA6B,EAC7
B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,EACjB,KAAK,wBAAwB,GAC9B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,0BAA0B,EAC1B,KAAK,cAAc,EACnB,KAAK,iBAAiB,GACvB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAExE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,uBAAuB,EACvB,2BAA2B,EAC3B,UAAU,EACV,yBAAyB,EACzB,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,GACtB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,oBAAoB,EACpB,YAAY,EACZ,eAAe,EACf,eAAe,EACf,YAAY,EACZ,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,yBAAyB,GAC/B,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,UAAU,EACV,QAAQ,EACR,SAAS,EACT,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,wBAAwB,EACxB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,GACxB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,qBAAqB,EACrB,gCAAgC,EAChC,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,2BAA2B,EAC3B,mCAAmC,EACnC,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,6BAA6B,EAC7B,gCAAgC,EAChC,eAAe,EACf,KAAK,qBAAqB,GAC3B,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,WAAW,EACX,WAAW,EACX,SAAS,EACT,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,QAAQ,GACd,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,KAAK,qBAAqB,EAC1B,KAAK,YAAY,IAAI,2BAA2B,GACjD,MAAM,wBAAwB,CAAC;AAUhC,MAAM,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AACrE,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,cAAc,GAAG,cAAc,CAErE"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,aAAa,EACb,KAAK,mBAAmB,EACxB,KAAK,YAAY,GAClB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,aAAa,GACnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAE,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAChF,OAAO,EACL,4BAA4B,EAC5B,mBAAmB,EACnB,KAAK,sBAAsB,GAC5B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,wBAAwB,EACxB,yBAAyB,EACzB,8BAA8B,EAC9B,qBAAqB,EACrB,qBAAqB,EACrB,uBAAuB,EACvB,KAAK,0BAA0B,EAC/B,KAAK,gCAAgC,EACrC,KAAK,kBAAkB,EACvB,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EACzB,KAAK,6BAA6B,GACnC,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,KAAK,iBAAiB,EAAE,MAAM,UAAU,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,UAAU,EACV,WAAW,EACX,UAAU,EACV,aAAa,EACb,eAAe,EACf,+BAA+B,EAC/B,yBAAyB,EACzB,4BAA4B,EAC5B,YAAY,EACZ,kBAAkB,EAClB,uBAAuB,EACvB,cAAc,EACd,KAAK,2BAA2B,EAChC,KAAK,WAAW,EAChB,KAAK,WAAW,GACjB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,KAAK,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAAE,KAAK,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,4BAA4B,EAC5B,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,sBAAsB,EAC3B,KAAK,UAAU,EACf,KAAK,UAAU,EACf,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,2BAA2B,EAChC,KAAK,kCAAkC,EACvC,KAAK,iCAAiC,EACtC,KAAK,wBAAwB,EAC7B,KAAK,0BAA0B,GAChC,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,YAAY,GACb,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,uBAAuB,EACvB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,iBAA
iB,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,uBAAuB,EACvB,iBAAiB,EACjB,KAAK,iBAAiB,GACvB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,4BAA4B,EAC5B,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAI7E,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,KAAK,sBAAsB,GAC5B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,uCAAuC,EACvC,oCAAoC,EACpC,+BAA+B,EAC/B,wBAAwB,EACxB,mCAAmC,EACnC,KAAK,8BAA8B,EACnC,KAAK,6BAA6B,EAClC,KAAK,8BAA8B,EACnC,KAAK,gCAAgC,GACtC,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,YAAY,EACZ,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,iBAAiB,EACjB,eAAe,EACf,cAAc,EACd,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,GACxB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,mCAAmC,EACnC,4BAA4B,EAC5B,2CAA2C,EAC3C,2BAA2B,EAC3B,iCAAiC,EACjC,+BAA+B,EAC/B,2BAA2B,EAC3B,2BAA2B,EAC3B,KAAK,uBAAuB,GAC7B,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,iCAAiC,EACjC,KAAK,wCAAwC,GAC9C,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,uCAAuC,EACvC,0CAA0C,EAC1C,8BAA8B,EAC9B,kBAAkB,EAClB,0BAA0B,EAC1B,6BAA6B,EAC7B,2BAA2B,EAC3B,wBAAwB,EACxB,iBAAiB,EACjB,wBAAwB,EACxB,mBAAmB,EACnB,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,yBAAyB,EACzB,KAAK,gCAAgC,GACtC,MAAM,+BAA+B,CAAC;AACvC,YAAY,EACV,yBAAyB,EACzB,+BAA+B,EAC/B,+BAA+B,EAC/B,gCAAgC,EAChC,sCAAsC,EACtC,oCAAoC,EACpC,2CAA2C,EAC3C,sCAAsC,GACvC,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,qBAAqB,GAC3B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,kBAAkB,EAClB,KAAK,mBAAmB,GACzB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,OAAO,EACP,eAAe,EACf,SAAS,EACT,UAAU,EACV,eAAe,EACf,KAAK,SAAS,EACd,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,E
AAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACL,QAAQ,EACR,cAAc,EACd,yBAAyB,EACzB,KAAK,SAAS,GACf,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,6BAA6B,EAC7B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,EACjB,KAAK,wBAAwB,GAC9B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,0BAA0B,EAC1B,KAAK,cAAc,EACnB,KAAK,iBAAiB,GACvB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAExE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,uBAAuB,EACvB,2BAA2B,EAC3B,UAAU,EACV,yBAAyB,EACzB,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,GACtB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,oBAAoB,EACpB,YAAY,EACZ,eAAe,EACf,eAAe,EACf,YAAY,EACZ,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,yBAAyB,GAC/B,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,UAAU,EACV,QAAQ,EACR,SAAS,EACT,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,wBAAwB,EACxB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,GACxB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,qBAAqB,EACrB,gCAAgC,EAChC,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,2BAA2B,EAC3B,mCAAmC,EACnC,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,6BAA6B,EAC7B,gCAAgC,EAChC,eAAe,EACf,KAAK,qBAAqB,GAC3B,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,WAAW,EACX,WAAW,EACX,SAAS,EACT,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,QAAQ,GACd,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,KAAK,qBAAqB,EAC1B,KAAK,YAAY,IAAI,2BAA2B,GACjD,MAAM,wBAAwB,CAAC;AAUhC,MAAM,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,G
AAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AACrE,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,cAAc,GAAG,cAAc,CAErE"}
@@ -29,6 +29,7 @@ export { configureAgentNativeEmbeddedEnvironment, createAgentNativeEmbeddedAuthO
29
29
  export { createThread, getThread, listThreads, updateThreadData, deleteThread, setThreadArchived, setThreadPinned, setThreadScope, } from "../chat-threads/store.js";
30
30
  export { createResourcesPlugin, defaultResourcesPlugin, } from "./resources-plugin.js";
31
31
  export { createCoreRoutesPlugin, defaultCoreRoutesPlugin, FRAMEWORK_ROUTE_PREFIX, } from "./core-routes-plugin.js";
32
+ export { AGENT_NATIVE_OG_IMAGE_CACHE_CONTROL, AGENT_NATIVE_OG_IMAGE_HEIGHT, AGENT_NATIVE_OG_IMAGE_NETLIFY_CACHE_CONTROL, AGENT_NATIVE_OG_IMAGE_WIDTH, agentNativeOgImageResponseHeaders, createAgentNativeOgImageHandler, renderAgentNativeOgImagePng, renderAgentNativeOgImageSvg, } from "./social-og-image.js";
32
33
  export { createBrowserSessionActionEntries, } from "../browser-sessions/actions.js";
33
34
  export { DEFAULT_BROWSER_SESSION_REQUEST_POLL_MS, DEFAULT_BROWSER_SESSION_REQUEST_TIMEOUT_MS, DEFAULT_BROWSER_SESSION_TTL_MS, callBrowserSession, claimBrowserSessionRequest, completeBrowserSessionRequest, createBrowserSessionRequest, disconnectBrowserSession, getBrowserSession, getBrowserSessionRequest, listBrowserSessions, registerBrowserSession, waitForBrowserSessionRequest, } from "../browser-sessions/store.js";
34
35
  export { mountBrowserSessionRoutes, } from "../browser-sessions/routes.js";