@agent-native/core 0.46.0 → 0.48.1

package/bin/agent-native.js

@@ -0,0 +1,41 @@
+#!/usr/bin/env node
+
+import { spawn } from "node:child_process";
+import { existsSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath, pathToFileURL } from "node:url";
+
+const binDir = dirname(fileURLToPath(import.meta.url));
+const distEntry = join(binDir, "../dist/cli/index.js");
+
+if (existsSync(distEntry)) {
+  await import(pathToFileURL(distEntry).href);
+} else {
+  const sourceEntry = join(binDir, "../src/cli/index.ts");
+  if (!existsSync(sourceEntry)) {
+    console.error(
+      "agent-native CLI build output is missing. Run `pnpm --filter @agent-native/core build` and try again.",
+    );
+    process.exit(1);
+  }
+
+  const child = spawn("tsx", [sourceEntry, ...process.argv.slice(2)], {
+    stdio: "inherit",
+    env: process.env,
+  });
+
+  child.on("error", (error) => {
+    console.error(
+      `agent-native CLI build output is missing and the source fallback failed: ${error.message}`,
+    );
+    process.exit(1);
+  });
+
+  child.on("exit", (code, signal) => {
+    if (signal) {
+      process.kill(process.pid, signal);
+      return;
+    }
+    process.exit(code ?? 1);
+  });
+}

package/dist/a2a/handlers.js

@@ -141,7 +141,7 @@ export async function processA2ATaskFromQueue(taskId, config, event) {
  * Default A2A handler that delegates to agentChat.call().
  * Used when no custom handler is provided in A2AConfig.
  */
-const defaultHandler = async (message, context) => {
+const defaultHandler = async (message, _context) => {
     // Extract text from message parts
     const text = message.parts
         .filter((p) => p.type === "text")
@@ -237,7 +237,7 @@ function makeHandlerContext(taskId, contextId, metadata, event) {
  * Resolve org context from A2A metadata / event context and wrap `fn`
  * inside `runWithRequestContext` so downstream actions see the org.
  */
-async function withA2ARequestContext(metadata, event, fn) {
+async function withA2ARequestContext(_metadata, event, fn) {
     const { runWithRequestContext } = await import("../server/request-context.js");
     const verifiedEmail = event?.context?.__a2aVerifiedEmail ?? undefined;
     // Only trust the org domain from the cryptographically verified JWT claim on

package/dist/a2a/handlers.js.map

@@ -1 +1 @@
-{"version":3,"file":"handlers.js","sourceRoot":"","sources":["../../src/a2a/handlers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AAU1D,OAAO,EACL,UAAU,EACV,OAAO,EACP,YAAY,EACZ,UAAU,EACV,yBAAyB,EACzB,uBAAuB,EACvB,gBAAgB,EAChB,0BAA0B,EAC1B,sBAAsB,GACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AACvE,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAE1B,qEAAqE;AACrE,0EAA0E;AAC1E,iEAAiE;AACjE,MAAM,qBAAqB,GAAG,kCAAkC,CAAC;AACjE,MAAM,kCAAkC,GAAG,MAAM,CAAC;AAClD,MAAM,6BAA6B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AACpD,MAAM,2BAA2B,GAAG,MAAM,CAAC;AAE3C;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,KAAsB;IAChD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,yBAAyB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/D,IAAI,sBAAsB,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,wFAAwF,CACzF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,KAAK,EAAE,OAAO,CAAC;QAC5D,MAAM,GAAG,GAAG,CAAC,IAAY,EAAsB,EAAE;YAC/C,IAAI,CAAC,OAAO;gBAAE,OAAO,SAAS,CAAC;YAC/B,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;gBACtC,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC;YACxC,CAAC;YACD,MAAM,GAAG,GAAG,OAA6C,CAAC;YAC1D,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QACtD,CAAC,CAAC;QACF,MAAM,KAAK,GAAG,GAAG,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC;QACjD,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,aAAa,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;QACpE,OAAO,yBAAyB,CAAC,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,yBAAyB,CAC9B,oBAAoB,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAC/C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,uBAAuB,CACpC,KAAU,EACV,MAAc;IAEd,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,qBAAqB,EAAE,CAAC;IACjD,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IACF,IAAI,CAAC;QACH,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;QACvE,qEAAqE;QACrE,iBAAiB;IACnB,CAAC;IACD,qEAAqE;IACrE,wEAAwE;IACxE,uEAAuE;IACvE,0EAA0E;IAC1E,MAAM,eAAe,GAAG,KAAK,CAAC,GAAG,EAAE;QACjC,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;KACjC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACf,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,IAAI,CAAC;QACjB,eAAe;QACf,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;KACzD,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,MAAc,EACd,MAAiB,EACjB,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACxD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,0DAA0D;QAC1D,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,qCAAqC,EAAE,CAAC;aACvE;SACF,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAA4B,CAAC;IACjE,MAAM,aAAa,GAAG,CAAC,IAAI,CAAC,eAAe,IAAI,EAAE,CAA4B,CAAC;IAC9E,MAAM,aAAa,GAAG,aAAa,CAAC,aAAmC,CAAC;IACxE,MAAM,aAAa,GAAG,aAAa,CAAC,aAAmC,CAAC;IACxE,MAAM,SAAS,GACZ,aAAa,CAAC,SAAuC,IAAI,SAAS,CAAC;IACtE,MAAM,cAAc,GACjB,aAAa,CAAC,cAGD,IAAI,SAAS,CAAC;IAE9B,MAAM,aAAa,GAAG,MAAM,uBAAuB,CACjD,aAAa,EACb,aAAa,CACd,CAAC;IAEF,MAAM,EAAE,qBAAqB,EAAE,GAC7B,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE;QACjC,sBAAsB,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAC3C,OAAO,CAAC,KAAK,CAAC,uCAAuC,EAAE,GAAG,CAAC,CAC5D,CAAC;IACJ,CAAC,EAAE,2BAA2B,CAAC,CAAC;IAE9B,SACD,CAAC,KAAK,EAAE,EAAE,CAAC;IACZ,IAAI,CAAC;QACH,MAAM,qBAAqB,CACzB,EAAE,SAAS,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,EAClD,GAAG,EAAE,CACH,oBAAoB,CAClB,MAAM,EACN,OAAO,EACP,MAAM,EACN,SAAS,EACT,cAAc,EACd,KAAK,CACN,CACJ,CAAC;IACJ,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,MAAM,EAAE;gBACvB,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,iBAAiB,EAAE,CAAC;iBACnE;aACF,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC;YAAS,CAAC;QACT,aAAa,CAAC,SAAS,CAAC,CAAC;IAC3B,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,cAAc,GAAe,KAAK,EACtC,OAAgB,EAChB,OAA0B,EACC,EAAE;IAC7B,kCAAkC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK;SACvB,MAAM,CAAC,CAAC,CAAC,EAAuC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;SACrE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;SAClB,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,4BAA4B,EAAE,CAAC;aAC9D;SACF,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,0EAA0E;IAC1E,wDAAwD;IACxD,4EAA4E;IAC5E,oEAAoE;IACpE,yEAAyE;IACzE,8BAA8B;IAC9B,qEAAqE;IACrE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;IAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACrE,MAAM,aAAa,GAAG,OAAO;QAC3B,CAAC,CAAC,+DAA+D,UAAU,sNAAsN,IAAI,EAAE;QACvS,CAAC,CAAC,IAAI,CAAC;IAET,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAEnD,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,SAAS,CAAC,IAAI,CAAC;YACb,IAAI,EAAE,eAAe;YACrB,WAAW,EAAE,6BAA6B;YAC1C,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,YAAY,EAAE,EAAE,CAAC;SAChE,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,OAAO,EAAE;YACP,IAAI,EAAE,OAAO;YACb,KAAK,EAAE;gBACL,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;gBACvC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM;oBACzB,CAAC,CAAC;wBACE;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,kBAAkB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;yBACrD;qBACF;oBACH,CAAC,CAAC,EAAE,CAAC;aACR;SACF;QACD,SAAS,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;KACxD,CAAC;AACJ,CAAC,CAAC;AAEF,SAAS,UAAU,CAAC,MAAiB;IACnC,OAAO,MAAM,CAAC,OAAO,IAAI,cAAc,CAAC;AAC1C,CAAC;AAED,SAAS,YAAY,CACnB,EAA0B,EAC1B,IAAY,EACZ,OAAe;IAEf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC;AAC1D,CAAC;AAED,SAAS,aAAa,CAAC,EAAmB,EAAE,MAAe;IACzD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,kBAAkB,CACzB,MAAc,EACd,SAAkB,EAClB,QAAkC,EAClC,KAAW;IAKX,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,MAAM,OAAO,GAAsB;QACjC,MAAM;QACN,SAAS;QACT,QAAQ;QACR,KAAK;QACL,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ;YACnC,MAAM,QAAQ,GAAa;gBACzB,IAAI;gBACJ,KAAK,EAAE,QAAQ;oBACb,CAAC,CAAC;wBACE;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE;gCACJ,IAAI;gCACJ,QAAQ;gCACR,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;6BAC/C;yBACF;qBACF;oBACH,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;aACtC,CAAC;YACF,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;IACF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,qBAAqB,CAClC,QAA6C,EAC7C,KAAsB,EACtB,EAAoB;IAEpB,MAAM,EAAE,qBAAqB,EAAE,GAC7B,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,SAAS,CAAC;IAC1E,6EAA6E;IAC7E,2EAA2E;IAC3E,yEAAyE;IACzE,qCAAqC;IACrC,MAAM,SAAS,GACZ,KAAK,EAAE,OAAO,EAAE,cAAqC,IAAI,SAAS,CAAC;IAEtE,MAAM,aAAa,GAAG,MAAM,uBAAuB,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IAE9E,OAAO,qBAAqB,CAC1B,EAAE,SAAS,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,EAClD,EAAE,CACW,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,aAAiC,EACjC,iBAAqC;IAErC,IAAI,iBAAiB,EAAE,CAAC;QACtB,IAAI,CAAC;YACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACjE,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,iBAAiB,CAAC,CAAC;YACxD,IAAI,GAAG;gBAAE,OAAO,GAAG,CAAC,KAAK,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,OAAO,CAAC,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC,IAAI,SAAS,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,oBAAoB,CACjC,MAAc,EACd,OAAgB,EAChB,MAAiB,EACjB,SAA6B,EAC7B,QAA6C,EAC7C,KAAW;IAEX,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAC/C,MAAM,EACN,SAAS,EACT,QAAQ,EACR,KAAK,CACN,CAAC;IACF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAEpD,IACE,MAAM;YACN,OAAO,MAAM,KAAK,QAAQ;YAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;YACD,IAAI,WAAgC,CAAC;YACrC,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;gBAC1D,WAAW,GAAG,GAAG,CAAC;YACpB,CAAC;YACD,MAAM,UAAU,CAAC,MAAM,EAAE;gBACvB,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,WAAW;gBACpB,SAAS,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;aACxD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;QAClE,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;QACxE,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,aAAa,CAAC,OAAO;YAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;SAC9D,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,gBAAgB,EAAE,CAAC;aAClE;SACF,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,MAA+B,EAC/B,MAAiB,EACjB,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAkB,CAAC;IAC1C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,OAAO;YACL,GAAG,YAAY,CACb,CAAC,EACD,CAAC,KAAK,EACN,sDAAsD,CACvD;YACD,GAAG,EAAE,CAAC;SACP,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAA+B,CAAC;IACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA+C,CAAC;IAExE,sEAAsE;IACtE,yEAAyE;IACzE,uEAAuE;IACvE,0EAA0E;IAC1E,6BAA6B;IAC7B,MAAM,iBAAiB,GACpB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IAErE,sEAAsE;IACtE,0EAA0E;IAC1E,8EAA8E;IAC9E,yEAAyE;IACzE,kEAAkE;IAClE,sEAAsE;IACtE,wEAAwE;IACxE,yEAAyE;IACzE,8CAA8C;IAC9C,MAAM,SAAS,GACb,MAAM,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,EAAE,eAAe,KAAK,IAAI,CAAC,CAAC;IAE9E,IAAI,SAAS,EAAE,CAAC;QACd,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,0DAA0D;QAC1D,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QACxE,IAAI,sBAAsB,EAAE,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;YAC5D,OAAO;gBACL,GAAG,YAAY,CACb,CAAC,EACD,CAAC,KAAK,EACN,+EAA+E,CAChF;gBACD,GAAG,EAAE,CAAC;aACP,CAAC;QACJ,CAAC;QACD,uEAAuE;QACvE,wEAAwE;QACxE,0EAA0E;QAC1E,sEAAsE;QACtE,0EAA0E;QAC1E,0EAA0E;QAC1E,oEAAoE;QACpE,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,SAAS,CAAC;QAC1E,2EAA2E;QAC3E,iEAAiE;QACjE,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,cAAqC,IAAI,SAAS,CAAC;QAEtE,MAAM,YAAY,GAA4B;YAC5C,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;YACnB,eAAe,EAAE;gBACf,aAAa;gBACb,aAAa;gBACb,SAAS,EAAE,SAAS,IAAI,IAAI;gBAC5B,cAAc,EAAE,QAAQ,IAAI,IAAI;aACjC;SACF,CAAC;QACF,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,YAAY,EACZ,iBAAiB,CAClB,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhE,uBAAuB,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpD,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,GAAG,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC1D,CAAC;IAED,OAAO,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,SAAS,EACT,iBAAiB,CAClB,CAAC;QACF,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAEpE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAExD,IACE,MAAM;gBACN,OAAO,MAAM,KAAK,QAAQ;gBAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;gBACD,IAAI,WAAgC,CAAC;gBACrC,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;oBAC1D,WAAW,GAAG,GAAG,CAAC;gBACpB,CAAC;gBACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;oBACxC,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,WAAW;oBACpB,SAAS,EAAE,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;iBAChE,CAAC,CAAC;gBACH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;YAClD,CAAC;YAED,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;YAClE,MAAM,YAAY,GAAG;gBACnB,GAAG,GAAG,CAAC,SAAS;gBAChB,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC;aACnC,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACxC,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,aAAa,CAAC,OAAO;gBAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAC9D,CAAC,CAAC;YACH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACxB,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,EAAE,CAAC;iBACjE;aACF,CAAC,CAAC;YACH,OAAO;gBACL,GAAG,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,CAAC;gBAC3D,GAAG,EAAE,CAAC;aACP,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,MAA+B,EAC/B,MAAiB,EACjB,GAAwD,EACxD,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAkB,CAAC;IAC1C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC,MAAM,CACzE,CAAC;QACF,GAAG,CAAC,GAAG,EAAE,CAAC;QACV,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAA+B,CAAC;IACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA+C,CAAC;IACxE,MAAM,iBAAiB,GACpB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IAErE,MAAM,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,SAAS,EACT,iBAAiB,CAClB,CAAC;QAEF,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhD,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAC/C,IAAI,CAAC,EAAE,EACP,SAAS,EACT,QAAQ,EACR,KAAK,CACN,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAEpD,IACE,MAAM;gBACN,OAAO,MAAM,KAAK,QAAQ;gBAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;gBACD,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;oBAC1D,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;wBAC7C,KAAK,EAAE,SAAS;wBAChB,OAAO,EAAE,GAAG;qBACb,CAAC,CAAC;oBACH,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,MAAM,CAC9D,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;gBAClE,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;gBACxE,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;oBACxC,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,aAAa,CAAC,OAAO;oBAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;iBAC9D,CAAC,CAAC;gBACH,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;gBACpE,GAAG,CAAC,GAAG,EAAE,CAAC;gBACV,OAAO;YACT,CAAC;YAED,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACtC,KAAK,EAAE,WAAW;gBAClB,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAC9D,CAAC,CAAC;YACH,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC;QACpE,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC/C,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,CAAC,CAAC,MAAM,CACxF,CAAC;QACJ,CAAC;QAED,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,aAAa;IACb,WAAW;IACX,WAAW;IACX,aAAa;IACb,cAAc;IACd,QAAQ;IACR,eAAe;IACf,eAAe;IACf,QAAQ;CACT,CAAC,CAAC;AAEH,SAAS,uBAAuB,CAAC,IAAS;IACxC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnD,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAErE,MAAM,IAAI,GAAG,IAAI,CAAC,QAAmC,CAAC;IACtD,MAAM,UAAU,GAA4B,EAAE,CAAC;IAC/C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,IAAI,CAAC,KAAK,iBAAiB;YAAE,SAAS;QACtC,IAAI,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,SAAS;QAC7C,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,mBAAmB,CAC1B,cAA6B,EAC7B,KAAU,EACV,MAAiB;IAEjB,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IACrE,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;IAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;IACxE,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;IAE9C,IAAI,YAAY,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;QAChD,mEAAmE;QACnE,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,aAAa,CAAC,WAAW,EAAE,KAAK,cAAc,CAAC,WAAW,EAAE,EAAE,CAAC;YACjE,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IACD,yEAAyE;IACzE,qDAAqD;IACrD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,SAAS,CACtB,MAA+B,EAC/B,KAAU,EACV,MAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,CAAC,EAAY,CAAC;IAC/B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC/B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,4BAA4B,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,KAAK,CACrE,CAAC,GAAG,EAAE,EAAE;QACN,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,GAAG,CAAC,CAAC;QAC/D,OAAO,KAAK,CAAC;IACf,CAAC,CACF,CAAC;IACF,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;QAClC,IAAI,OAAO;YAAE,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,OAAO,CAAC,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,MAAc,EACd,KAAU;IAEV,MAAM,KAAK,GAAG,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACpD,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,eAAe;QAAE,OAAO,KAAK,CAAC;IAEnD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IACE,CAAC,KAAK,CAAC,WAAW,KAAK,WAAW,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC;QACtE,KAAK,CAAC,SAAS,IAAI,GAAG,GAAG,kCAAkC,EAC3D,CAAC;QACD,IAAI,MAAM,0BAA0B,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7C,MAAM,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAC7C,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IACE,KAAK,CAAC,WAAW,KAAK,YAAY;QAClC,KAAK,CAAC,SAAS,IAAI,GAAG,GAAG,6BAA6B,EACtD,CAAC;QACD,+DAA+D;QAC/D,yEAAyE;QACzE,wEAAwE;QACxE,MAAM,MAAM,GAAG,MAAM,gBAAgB,CACnC,MAAM,EACN,GAAG,GAAG,6BAA6B,EACnC,gFAAgF,CACjF,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,MAA+B,EAC/B,KAAU,EACV,MAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,CAAC,EAAY,CAAC;IAC/B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;IACzD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAS,EACT,KAAU,EACV,MAAiB;IAEjB,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACpD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,YAAY,CAAC,IAAI,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,KAAK,EAAE,0BAA0B,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,MAAM,GAAI,IAAI,CAAC,MAAkC,IAAI,EAAE,CAAC;IAC9D,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;IAEnB,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;QACpB,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACvD,MAAM,EAAE,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,MAAM,CAAC;YACpC,OAAO,EAAE,GAAG,QAAQ,EAAE,EAAE,EAAqB,CAAC;QAChD,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBACtB,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,yBAAyB,CAAC,CAAC;YAC7D,CAAC;YACD,8CAA8C;YAC9C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC;YAC5B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,yBAAyB,CAAC,CAAC;YAC7D,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,cAAc,EAAE,mBAAmB,CAAC,CAAC;YAC9D,iBAAiB,CAAC,KAAK,EAAE,eAAe,EAAE,UAAU,CAAC,CAAC;YACtD,iBAAiB,CAAC,KAAK,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;YACrD,MAAM,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAC/C,OAAO,SAAgB,CAAC,CAAC,gCAAgC;QAC3D,CAAC;QACD,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACtD,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EAAqB,CAAC;QAC9C,CAAC;QACD,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACzD,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EAAqB,CAAC;QAC9C,CAAC;QACD;YACE,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,qBAAqB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACxE,CAAC;AACH,CAAC","sourcesContent":["import { setResponseHeader, setResponseStatus } from \"h3\";\nimport type {\n  A2AConfig,\n  A2AHandler,\n  A2AHandlerContext,\n  A2AHandlerResult,\n  JsonRpcResponse,\n  Message,\n  Artifact,\n} from \"./types.js\";\nimport {\n  createTask,\n  getTask,\n  getTaskOwner,\n  updateTask,\n  claimA2ATaskForProcessing,\n  getA2ATaskDispatchState,\n  failStuckA2ATask,\n  touchQueuedA2ATaskDispatch,\n  touchProcessingA2ATask,\n} from \"./task-store.js\";\nimport { agentChat } from \"../shared/agent-chat.js\";\nimport { signInternalToken } from \"../integrations/internal-token.js\";\nimport { withConfiguredAppBasePath } from \"../server/app-base-path.js\";\nimport {\n  hasConfiguredA2ASecret,\n  isA2AProductionRuntime,\n} from \"./auth-policy.js\";\n\n// Inlined to avoid pulling the entire core-routes-plugin (and its h3\n// transitive deps) into the a2a/handlers test boundary. Must stay in sync\n// with FRAMEWORK_ROUTE_PREFIX in `server/core-routes-plugin.ts`.\nconst A2A_PROCESS_TASK_PATH = \"/_agent-native/a2a/_process-task\";\nconst A2A_QUEUED_DISPATCH_STUCK_AFTER_MS = 10_000;\nconst A2A_PROCESSING_STUCK_AFTER_MS = 5 * 60 * 1000;\nconst A2A_PROCESSING_HEARTBEAT_MS = 30_000;\n\n/**\n * Resolve the base URL we should fire the A2A processor request to. Mirrors\n * the integration-webhook resolveBaseUrl pattern — prefer explicit env vars\n * (most reliable on serverless), fall back to inbound request headers.\n */\nfunction resolveSelfBaseUrl(event: any | undefined): string {\n  const fromEnv =\n    process.env.APP_URL ||\n    process.env.URL ||\n    process.env.DEPLOY_URL ||\n    process.env.BETTER_AUTH_URL;\n  if (fromEnv) return withConfiguredAppBasePath(String(fromEnv));\n  if (isA2AProductionRuntime()) {\n    throw new Error(\n      \"A2A self-dispatch requires APP_URL, URL, DEPLOY_URL, or BETTER_AUTH_URL in production.\",\n    );\n  }\n\n  try {\n    const headers = event?.node?.req?.headers ?? event?.headers;\n    const get = (name: string): string | undefined => {\n      if (!headers) return undefined;\n      if (typeof headers.get === \"function\") {\n        return headers.get(name) ?? undefined;\n      }\n      const map = headers as Record<string, string | undefined>;\n      return map[name] ?? map[String(name).toLowerCase()];\n    };\n    const proto = get(\"x-forwarded-proto\") || \"http\";\n    const host = get(\"host\") || `localhost:${process.env.PORT || 3000}`;\n    return withConfiguredAppBasePath(`${proto}://${host}`);\n  } catch {\n    return withConfiguredAppBasePath(\n      `http://localhost:${process.env.PORT || 3000}`,\n    );\n  }\n}\n\n/**\n * Fire-and-forget POST to the A2A processor route on the same deployment.\n * Used when an A2A send is requested in async mode — the processor runs the\n * handler in a fresh function execution so it gets its own full timeout.\n */\nasync function fireProcessTaskDispatch(\n  event: any,\n  taskId: string,\n): Promise<void> {\n  const baseUrl = resolveSelfBaseUrl(event);\n  const url = `${baseUrl}${A2A_PROCESS_TASK_PATH}`;\n  const headers: Record<string, string> = {\n    \"Content-Type\": \"application/json\",\n  };\n  try {\n    headers[\"Authorization\"] = `Bearer ${signInternalToken(taskId)}`;\n  } catch {\n    // No A2A_SECRET configured — self-fire unsigned. The processor accepts\n    // unsigned dispatches when no secret is set (mirrors the integration\n    // webhook flow).\n  }\n  // Race the fetch against a short timer. On Netlify Lambda, returning\n  // immediately can freeze the function before the outbound TCP handshake\n  // starts, leaving the request stuck. This gives it ~250ms to leave the\n  // box at the cost of slightly higher response latency on async A2A sends.\n  const dispatchPromise = fetch(url, {\n    method: \"POST\",\n    headers,\n    body: JSON.stringify({ taskId }),\n  }).catch((err) => {\n    console.error(\"[a2a] Process-task dispatch fetch failed:\", err);\n  });\n  await Promise.race([\n    dispatchPromise,\n    new Promise<void>((resolve) => setTimeout(resolve, 250)),\n  ]);\n}\n\n/**\n * Process a previously-enqueued A2A task. Called by the `_process-task`\n * route in `server.ts`, in a fresh function execution. Atomically claims the\n * task, reconstructs the caller's request context from the task's metadata,\n * runs the handler, and persists the outcome.\n *\n * Idempotent on duplicate dispatches: the atomic claim returns null if some\n * other invocation already picked the task up, in which case we no-op.\n */\nexport async function processA2ATaskFromQueue(\n  taskId: string,\n  config: A2AConfig,\n  event?: any,\n): Promise<void> {\n  const claimed = await claimA2ATaskForProcessing(taskId);\n  if (!claimed) {\n    // Already in flight, terminal, or missing. Nothing to do.\n    return;\n  }\n\n  const message = claimed.history?.[0];\n  if (!message) {\n    await updateTask(taskId, {\n      state: \"failed\",\n      message: {\n        role: \"agent\",\n        parts: [{ type: \"text\", text: \"Task is missing its inbound message\" }],\n      },\n    });\n    return;\n  }\n\n  const meta = (claimed.metadata ?? {}) as Record<string, unknown>;\n  const processorMeta = (meta.__a2a_processor ?? {}) as Record<string, unknown>;\n  const verifiedEmail = processorMeta.verifiedEmail as string | undefined;\n  const orgDomainHint = processorMeta.orgDomainHint as string | undefined;\n  const contextId =\n    (processorMeta.contextId as string | null | undefined) ?? undefined;\n  const callerMetadata =\n    (processorMeta.callerMetadata as\n      | Record<string, unknown>\n      | null\n      | undefined) ?? undefined;\n\n  const resolvedOrgId = await resolveVerifiedA2AOrgId(\n    verifiedEmail,\n    orgDomainHint,\n  );\n\n  const { runWithRequestContext } =\n    await import(\"../server/request-context.js\");\n  const heartbeat = setInterval(() => {\n    touchProcessingA2ATask(taskId).catch((err) =>\n      console.error(\"[a2a] Failed to heartbeat async task:\", err),\n    );\n  }, A2A_PROCESSING_HEARTBEAT_MS);\n  (\n    heartbeat as ReturnType<typeof setInterval> & { unref?: () => void }\n  ).unref?.();\n  try {\n    await runWithRequestContext(\n      { userEmail: verifiedEmail, orgId: resolvedOrgId },\n      () =>\n        runHandlerAndPersist(\n          taskId,\n          message,\n          config,\n          contextId,\n          callerMetadata,\n          event,\n        ),\n    );\n  } catch (err: any) {\n    try {\n      await updateTask(taskId, {\n        state: \"failed\",\n        message: {\n          role: \"agent\",\n          parts: [{ type: \"text\", text: err?.message ?? \"Handler crashed\" }],\n        },\n      });\n    } catch {}\n  } finally {\n    clearInterval(heartbeat);\n  }\n}\n\n/**\n * Default A2A handler that delegates to agentChat.call().\n * Used when no custom handler is provided in A2AConfig.\n */\nconst defaultHandler: A2AHandler = async (\n  message: Message,\n  context: A2AHandlerContext,\n): Promise<A2AHandlerResult> => {\n  // Extract text from message parts\n  const text = message.parts\n    .filter((p): p is { type: \"text\"; text: string } => p.type === \"text\")\n    .map((p) => p.text)\n    .join(\"\\n\");\n\n  if (!text) {\n    return {\n      message: {\n        role: \"agent\",\n        parts: [{ type: \"text\", text: \"No text content in message\" }],\n      },\n    };\n  }\n\n  // A2A note: this message arrived from a different app — the caller cannot\n  // see this app's local state (open deck, selected slide, etc.). They only\n  // see whatever this agent puts into the reply text. So:\n  //   1) include any concrete result (deck/document/dashboard URL, ID, value)\n  //      explicitly in the reply — the caller can't navigate locally.\n  //   2) URLs must be fully-qualified — relative paths resolve against the\n  //      caller's host and 404.\n  // We prepend a one-line hint to the user message so the agent knows.\n  const baseUrl = process.env.APP_URL || process.env.URL || \"\";\n  const appBaseUrl = baseUrl ? withConfiguredAppBasePath(baseUrl) : \"\";\n  const augmentedText = baseUrl\n    ? `[Cross-app A2A request — the caller is on a different host (${appBaseUrl} is yours, theirs is different). Include the concrete result (URL, ID, value) explicitly in your reply text; the caller can't see your local UI state. Any URL MUST be fully-qualified, never a relative path.]\\n\\n${text}`\n    : text;\n\n  const result = await agentChat.call(augmentedText);\n\n  const artifacts: Artifact[] = [];\n  if (result.filesChanged.length > 0) {\n    artifacts.push({\n      name: \"files-changed\",\n      description: \"Files modified by the agent\",\n      parts: [{ type: \"data\", data: { files: result.filesChanged } }],\n    });\n  }\n\n  return {\n    message: {\n      role: \"agent\",\n      parts: [\n        { type: \"text\", text: result.response },\n        ...(result.warnings?.length\n          ? [\n              {\n                type: \"text\" as const,\n                text: `\\n\\nWarnings:\\n${result.warnings.join(\"\\n\")}`,\n              },\n            ]\n          : []),\n      ],\n    },\n    artifacts: artifacts.length > 0 ? artifacts : undefined,\n  };\n};\n\nfunction getHandler(config: A2AConfig): A2AHandler {\n  return config.handler ?? defaultHandler;\n}\n\nfunction jsonRpcError(\n  id: string | number | null,\n  code: number,\n  message: string,\n): JsonRpcResponse {\n  return { jsonrpc: \"2.0\", id, error: { code, message } };\n}\n\nfunction jsonRpcResult(id: string | number, result: unknown): JsonRpcResponse {\n  return { jsonrpc: \"2.0\", id, result };\n}\n\nfunction makeHandlerContext(\n  taskId: string,\n  contextId?: string,\n  metadata?: Record<string, unknown>,\n  event?: any,\n): {\n  context: A2AHandlerContext;\n  artifacts: Artifact[];\n} {\n  const artifacts: Artifact[] = [];\n  const context: A2AHandlerContext = {\n    taskId,\n    contextId,\n    metadata,\n    event,\n    writeArtifact(name, content, mimeType) {\n      const artifact: Artifact = {\n        name,\n        parts: mimeType\n          ? [\n              {\n                type: \"file\",\n                file: {\n                  name,\n                  mimeType,\n                  bytes: Buffer.from(content).toString(\"base64\"),\n                },\n              },\n            ]\n          : [{ type: \"text\", text: content }],\n      };\n      artifacts.push(artifact);\n      return name;\n    },\n  };\n  return { context, artifacts };\n}\n\n/**\n * Resolve org context from A2A metadata / event context and wrap `fn`\n * inside `runWithRequestContext` so downstream actions see the org.\n */\nasync function withA2ARequestContext<T>(\n  metadata: Record<string, unknown> | undefined,\n  event: any | undefined,\n  fn: () => Promise<T>,\n): Promise<T> {\n  const { runWithRequestContext } =\n    await import(\"../server/request-context.js\");\n\n  const verifiedEmail =\n    (event?.context?.__a2aVerifiedEmail as string | undefined) ?? undefined;\n  // Only trust the org domain from the cryptographically verified JWT claim on\n  // the event context. metadata.orgDomain is caller-supplied and must not be\n  // used for org resolution — an unauthenticated caller could forge it and\n  // gain access to another org's data.\n  const orgDomain =\n    (event?.context?.__a2aOrgDomain as string | undefined) ?? undefined;\n\n  const resolvedOrgId = await resolveVerifiedA2AOrgId(verifiedEmail, orgDomain);\n\n  return runWithRequestContext(\n    { userEmail: verifiedEmail, orgId: resolvedOrgId },\n    fn,\n  ) as Promise<T>;\n}\n\nasync function resolveVerifiedA2AOrgId(\n  verifiedEmail: string | undefined,\n  verifiedOrgDomain: string | undefined,\n): Promise<string | undefined> {\n  if (verifiedOrgDomain) {\n    try {\n      const { resolveOrgByDomain } = await import(\"../org/context.js\");\n      const org = await resolveOrgByDomain(verifiedOrgDomain);\n      if (org) return org.orgId;\n    } catch {\n      // Org tables may not exist — continue without org context\n    }\n  }\n\n  if (verifiedEmail) {\n    try {\n      const { resolveOrgIdForEmail } = await import(\"../org/context.js\");\n      return (await resolveOrgIdForEmail(verifiedEmail)) ?? undefined;\n    } catch {\n      // Org tables may not exist — continue without org context\n    }\n  }\n\n  return undefined;\n}\n\n/**\n * Run the handler against the message and persist the outcome to the task store.\n * Used in sync mode (awaited inline) and in async mode (called by the\n * `_process-task` processor route in a fresh function execution).\n */\nasync function runHandlerAndPersist(\n  taskId: string,\n  message: Message,\n  config: A2AConfig,\n  contextId: string | undefined,\n  metadata: Record<string, unknown> | undefined,\n  event?: any,\n): Promise<void> {\n  const { context, artifacts } = makeHandlerContext(\n    taskId,\n    contextId,\n    metadata,\n    event,\n  );\n  try {\n    const result = getHandler(config)(message, context);\n\n    if (\n      result &&\n      typeof result === \"object\" &&\n      Symbol.asyncIterator in result\n    ) {\n      let lastMessage: Message | undefined;\n      for await (const msg of result as AsyncGenerator<Message>) {\n        lastMessage = msg;\n      }\n      await updateTask(taskId, {\n        state: \"completed\",\n        message: lastMessage,\n        artifacts: artifacts.length > 0 ? artifacts : undefined,\n      });\n      return;\n    }\n\n    const handlerResult = await (result as Promise<A2AHandlerResult>);\n    const allArtifacts = [...artifacts, ...(handlerResult.artifacts ?? [])];\n    await updateTask(taskId, {\n      state: \"completed\",\n      message: handlerResult.message,\n      artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n    });\n  } catch (err: any) {\n    await updateTask(taskId, {\n      state: \"failed\",\n      message: {\n        role: \"agent\",\n        parts: [{ type: \"text\", text: err?.message ?? \"Handler failed\" }],\n      },\n    });\n  }\n}\n\nasync function handleSend(\n  params: Record<string, unknown>,\n  config: A2AConfig,\n  event?: any,\n): Promise<JsonRpcResponse & { _id: string | number }> {\n  const message = params.message as Message;\n  if (!message || !message.role || !Array.isArray(message.parts)) {\n    return {\n      ...jsonRpcError(\n        0,\n        -32602,\n        \"Invalid params: message with role and parts required\",\n      ),\n      _id: 0,\n    };\n  }\n\n  const contextId = params.contextId as string | undefined;\n  const metadata = params.metadata as Record<string, unknown> | undefined;\n\n  // The JWT-verified caller email (set by mountA2A in server.ts) is the\n  // single source of truth for task ownership — bound at creation, checked\n  // on every subsequent tasks/get and tasks/cancel call. Caller-supplied\n  // metadata.userEmail is NEVER used for ownership; that would re-introduce\n  // the IDOR class fixed here.\n  const ownerEmailForTask =\n    (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n\n  // Async mode: return the task immediately in `working` state, run the\n  // handler in the background, and let the caller poll `tasks/get`. This is\n  // the workaround for synchronous serverless request timeouts when the handler\n  // runs LLM + tool loops that can exceed a single HTTP invocation budget.\n  // SECURITY: only honor the explicit top-level `params.async`. The\n  // metadata.async fallback was caller-controlled and could force async\n  // dispatch (which has weaker auth than the sync path) on otherwise sync\n  // requests. Async is also refused entirely when no auth is configured in\n  // production — see the additional gate below.\n  const asyncMode =\n    params.async === true || (event && event.context?.__a2aForceAsync === true);\n\n  if (asyncMode) {\n    // Refuse async mode entirely when no auth is configured in production.\n    // The async dispatch path self-fires the `_process-task` route, which\n    // accepts unsigned dispatches when A2A_SECRET is unset — that combined\n    // with the lack of caller identity here would let any unauthenticated\n    // attacker queue and trigger handler runs. In production, require some\n    // form of auth so the verifiedEmail is bound to the task.\n    const hasA2ASecret = hasConfiguredA2ASecret();\n    const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n    if (isA2AProductionRuntime() && !hasA2ASecret && !hasApiKey) {\n      return {\n        ...jsonRpcError(\n          0,\n          -32001,\n          \"A2A async mode is not available — A2A_SECRET or apiKeyEnv must be configured.\",\n        ),\n        _id: 0,\n      };\n    }\n    // Resolve identity up front (cheap), bake it into the task's metadata,\n    // and dispatch the actual handler run to a SEPARATE function execution.\n    // On serverless hosts (Netlify, Vercel, Cloudflare) detached promises get\n    // killed when the response is flushed, so we self-fire a webhook to a\n    // dedicated processor route — same cross-platform pattern the integration\n    // webhook queue uses. The processor reconstructs the request context from\n    // the task metadata and runs the handler with its own full timeout.\n    const verifiedEmail =\n      (event?.context?.__a2aVerifiedEmail as string | undefined) ?? undefined;\n    // Only trust the verified org domain from the JWT claim — do not fall back\n    // to metadata.orgDomain which is caller-supplied and unverified.\n    const orgDomainHint =\n      (event?.context?.__a2aOrgDomain as string | undefined) ?? undefined;\n\n    const taskMetadata: Record<string, unknown> = {\n      ...(metadata ?? {}),\n      __a2a_processor: {\n        verifiedEmail,\n        orgDomainHint,\n        contextId: contextId ?? null,\n        callerMetadata: metadata ?? null,\n      },\n    };\n    const task = await createTask(\n      message,\n      contextId,\n      taskMetadata,\n      ownerEmailForTask,\n    );\n    const working = await updateTask(task.id, { state: \"working\" });\n\n    fireProcessTaskDispatch(event, task.id).catch((err) => {\n      console.error(\"[a2a] Failed to dispatch process-task:\", err);\n    });\n\n    return { ...jsonRpcResult(0, working ?? task), _id: 0 };\n  }\n\n  return withA2ARequestContext(metadata, event, async () => {\n    const task = await createTask(\n      message,\n      contextId,\n      undefined,\n      ownerEmailForTask,\n    );\n    await updateTask(task.id, { state: \"working\" });\n\n    const ctx = makeHandlerContext(task.id, contextId, metadata, event);\n\n    try {\n      const result = getHandler(config)(message, ctx.context);\n\n      if (\n        result &&\n        typeof result === \"object\" &&\n        Symbol.asyncIterator in result\n      ) {\n        let lastMessage: Message | undefined;\n        for await (const msg of result as AsyncGenerator<Message>) {\n          lastMessage = msg;\n        }\n        const updated = await updateTask(task.id, {\n          state: \"completed\",\n          message: lastMessage,\n          artifacts: ctx.artifacts.length > 0 ? ctx.artifacts : undefined,\n        });\n        return { ...jsonRpcResult(0, updated), _id: 0 };\n      }\n\n      const handlerResult = await (result as Promise<A2AHandlerResult>);\n      const allArtifacts = [\n        ...ctx.artifacts,\n        ...(handlerResult.artifacts ?? []),\n      ];\n      const updated = await updateTask(task.id, {\n        state: \"completed\",\n        message: handlerResult.message,\n        artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n      });\n      return { ...jsonRpcResult(0, updated), _id: 0 };\n    } catch (err: any) {\n      await updateTask(task.id, {\n        state: \"failed\",\n        message: {\n          role: \"agent\",\n          parts: [{ type: \"text\", text: err.message ?? \"Handler failed\" }],\n        },\n      });\n      return {\n        ...jsonRpcError(0, -32000, err.message ?? \"Handler failed\"),\n        _id: 0,\n      };\n    }\n  });\n}\n\nasync function handleStream(\n  params: Record<string, unknown>,\n  config: A2AConfig,\n  res: { write: (chunk: string) => void; end: () => void },\n  event?: any,\n): Promise<void> {\n  const message = params.message as Message;\n  if (!message || !message.role || !Array.isArray(message.parts)) {\n    res.write(\n      `data: ${JSON.stringify(jsonRpcError(0, -32602, \"Invalid params\"))}\\n\\n`,\n    );\n    res.end();\n    return;\n  }\n\n  const contextId = params.contextId as string | undefined;\n  const metadata = params.metadata as Record<string, unknown> | undefined;\n  const ownerEmailForTask =\n    (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n\n  await withA2ARequestContext(metadata, event, async () => {\n    const task = await createTask(\n      message,\n      contextId,\n      undefined,\n      ownerEmailForTask,\n    );\n\n    await updateTask(task.id, { state: \"working\" });\n\n    const { context, artifacts } = makeHandlerContext(\n      task.id,\n      contextId,\n      metadata,\n      event,\n    );\n\n    try {\n      const result = getHandler(config)(message, context);\n\n      if (\n        result &&\n        typeof result === \"object\" &&\n        Symbol.asyncIterator in result\n      ) {\n        for await (const msg of result as AsyncGenerator<Message>) {\n          const intermediate = await updateTask(task.id, {\n            state: \"working\",\n            message: msg,\n          });\n          res.write(\n            `data: ${JSON.stringify(jsonRpcResult(0, intermediate))}\\n\\n`,\n          );\n        }\n      } else {\n        const handlerResult = await (result as Promise<A2AHandlerResult>);\n        const allArtifacts = [...artifacts, ...(handlerResult.artifacts ?? [])];\n        const updated = await updateTask(task.id, {\n          state: \"completed\",\n          message: handlerResult.message,\n          artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n        });\n        res.write(`data: ${JSON.stringify(jsonRpcResult(0, updated))}\\n\\n`);\n        res.end();\n        return;\n      }\n\n      const allArtifacts = [...artifacts];\n      const final = await updateTask(task.id, {\n        state: \"completed\",\n        artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n      });\n      res.write(`data: ${JSON.stringify(jsonRpcResult(0, final))}\\n\\n`);\n    } catch (err: any) {\n      await updateTask(task.id, { state: \"failed\" });\n      res.write(\n        `data: ${JSON.stringify(jsonRpcError(0, -32000, err.message ?? \"Handler failed\"))}\\n\\n`,\n      );\n    }\n\n    res.end();\n  });\n}\n\n/**\n * Caller-supplied metadata keys that may contain sensitive bearer / OAuth\n * material. Always stripped from `tasks/get` responses so a leaked task id\n * never discloses an OAuth token even when the original sender carelessly\n * stuffed one into `metadata` (see `production-agent.ts:1144-1156` for the\n * historical googleToken propagation pattern).\n */\nconst SENSITIVE_METADATA_KEYS = new Set([\n  \"googleToken\",\n  \"userEmail\",\n  \"orgDomain\",\n  \"accessToken\",\n  \"refreshToken\",\n  \"apiKey\",\n  \"Authorization\",\n  \"authorization\",\n  \"bearer\",\n]);\n\nfunction sanitizeTaskForResponse(task: any): any {\n  if (!task || typeof task !== \"object\") return task;\n  if (!task.metadata || typeof task.metadata !== \"object\") return task;\n\n  const meta = task.metadata as Record<string, unknown>;\n  const publicMeta: Record<string, unknown> = {};\n  for (const [k, v] of Object.entries(meta)) {\n    if (k === \"__a2a_processor\") continue;\n    if (SENSITIVE_METADATA_KEYS.has(k)) continue;\n    publicMeta[k] = v;\n  }\n  return { ...task, metadata: publicMeta };\n}\n\n/**\n * Reject access when the task has a recorded owner that doesn't match the\n * verified caller. Returns a 404-shaped JSON-RPC error to avoid disclosing\n * task existence to the wrong caller (enumeration via UUID lookup).\n *\n * - When the task has no recorded owner (legacy row from before the\n *   owner_email migration) we allow access if some verifiable bearer token\n *   was presented; otherwise we still reject so an unsigned caller can never\n *   read or cancel arbitrary task ids.\n * - When neither A2A_SECRET nor apiKeyEnv is configured AND we're in\n *   production, we refuse `tasks/get` and `tasks/cancel` outright — there's\n *   no way to authenticate the caller, so the only safe response is \"not\n *   found\".\n */\nfunction authorizeTaskAccess(\n  taskOwnerEmail: string | null,\n  event: any,\n  config: A2AConfig,\n): JsonRpcResponse | null {\n  const verifiedEmail =\n    (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n  const hasA2ASecret = hasConfiguredA2ASecret();\n  const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n  const inProduction = isA2AProductionRuntime();\n\n  if (inProduction && !hasA2ASecret && !hasApiKey) {\n    // No way to authenticate the caller in production — refuse access.\n    return jsonRpcError(0, -32001, \"Task not found\");\n  }\n\n  if (taskOwnerEmail) {\n    if (!verifiedEmail) {\n      return jsonRpcError(0, -32001, \"Task not found\");\n    }\n    if (verifiedEmail.toLowerCase() !== taskOwnerEmail.toLowerCase()) {\n      return jsonRpcError(0, -32001, \"Task not found\");\n    }\n  }\n  // Legacy row (no owner_email recorded). The route-level auth gate is the\n  // only thing protecting it — fall through and serve.\n  return null;\n}\n\nasync function handleGet(\n  params: Record<string, unknown>,\n  event: any,\n  config: A2AConfig,\n): Promise<JsonRpcResponse> {\n  const id = params.id as string;\n  if (!id) {\n    return jsonRpcError(0, -32602, \"Invalid params: id required\");\n  }\n  const ownerEmail = await getTaskOwner(id);\n  const denied = authorizeTaskAccess(ownerEmail, event, config);\n  if (denied) return denied;\n\n  const task = await getTask(id);\n  if (!task) {\n    return jsonRpcError(0, -32001, \"Task not found\");\n  }\n  const taskChanged = await refireStuckAsyncTaskIfNeeded(id, event).catch(\n    (err) => {\n      console.error(\"[a2a] Failed to refire stuck async task:\", err);\n      return false;\n    },\n  );\n  if (taskChanged) {\n    const updated = await getTask(id);\n    if (updated) return jsonRpcResult(0, sanitizeTaskForResponse(updated));\n  }\n  return jsonRpcResult(0, sanitizeTaskForResponse(task));\n}\n\nasync function refireStuckAsyncTaskIfNeeded(\n  taskId: string,\n  event: any,\n): Promise<boolean> {\n  const state = await getA2ATaskDispatchState(taskId);\n  if (!state) return false;\n  if (!state.metadata?.__a2a_processor) return false;\n\n  const now = Date.now();\n  if (\n    (state.statusState === \"submitted\" || state.statusState === \"working\") &&\n    state.updatedAt <= now - A2A_QUEUED_DISPATCH_STUCK_AFTER_MS\n  ) {\n    if (await touchQueuedA2ATaskDispatch(taskId)) {\n      await fireProcessTaskDispatch(event, taskId);\n      return true;\n    }\n    return false;\n  }\n\n  if (\n    state.statusState === \"processing\" &&\n    state.updatedAt <= now - A2A_PROCESSING_STUCK_AFTER_MS\n  ) {\n    // A processor that died mid-handler may have already performed\n    // side-effectful work. Retrying from the top can duplicate artifacts, so\n    // fail deterministically and let the caller issue an intentional retry.\n    const failed = await failStuckA2ATask(\n      taskId,\n      now - A2A_PROCESSING_STUCK_AFTER_MS,\n      \"The async A2A processor timed out before completing. Please retry the request.\",\n    );\n    return failed;\n  }\n\n  return false;\n}\n\nasync function handleCancel(\n  params: Record<string, unknown>,\n  event: any,\n  config: A2AConfig,\n): Promise<JsonRpcResponse> {\n  const id = params.id as string;\n  if (!id) {\n    return jsonRpcError(0, -32602, \"Invalid params: id required\");\n  }\n  const ownerEmail = await getTaskOwner(id);\n  const denied = authorizeTaskAccess(ownerEmail, event, config);\n  if (denied) return denied;\n\n  const task = await updateTask(id, { state: \"canceled\" });\n  if (!task) {\n    return jsonRpcError(0, -32001, \"Task not found\");\n  }\n  return jsonRpcResult(0, sanitizeTaskForResponse(task));\n}\n\n/**\n * H3-compatible JSON-RPC handler. Returns JSON directly (H3 serializes it).\n * Streaming is handled via H3's node response when needed.\n */\nexport async function handleJsonRpcH3(\n  body: any,\n  event: any,\n  config: A2AConfig,\n): Promise<JsonRpcResponse> {\n  if (!body || body.jsonrpc !== \"2.0\" || !body.method) {\n    setResponseStatus(event, 400);\n    return jsonRpcError(body?.id ?? null, -32600, \"Invalid JSON-RPC request\");\n  }\n\n  const params = (body.params as Record<string, unknown>) ?? {};\n  const id = body.id;\n\n  switch (body.method) {\n    case \"message/send\": {\n      const result = await handleSend(params, config, event);\n      const { _id, ...response } = result;\n      return { ...response, id } as JsonRpcResponse;\n    }\n    case \"message/stream\": {\n      if (!config.streaming) {\n        return jsonRpcError(id, -32601, \"Streaming not supported\");\n      }\n      // Use the raw node response for SSE streaming\n      const res = event.node?.res;\n      if (!res) {\n        return jsonRpcError(id, -32000, \"Streaming not available\");\n      }\n      setResponseHeader(event, \"Content-Type\", \"text/event-stream\");\n      setResponseHeader(event, \"Cache-Control\", \"no-cache\");\n      setResponseHeader(event, \"Connection\", \"keep-alive\");\n      await handleStream(params, config, res, event);\n      return undefined as any; // Response already sent via SSE\n    }\n    case \"tasks/get\": {\n      const result = await handleGet(params, event, config);\n      return { ...result, id } as JsonRpcResponse;\n    }\n    case \"tasks/cancel\": {\n      const result = await handleCancel(params, event, config);\n      return { ...result, id } as JsonRpcResponse;\n    }\n    default:\n      return jsonRpcError(id, -32601, `Method not found: ${body.method}`);\n  }\n}\n"]}
+{"version":3,"file":"handlers.js","sourceRoot":"","sources":["../../src/a2a/handlers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AAU1D,OAAO,EACL,UAAU,EACV,OAAO,EACP,YAAY,EACZ,UAAU,EACV,yBAAyB,EACzB,uBAAuB,EACvB,gBAAgB,EAChB,0BAA0B,EAC1B,sBAAsB,GACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AACvE,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAE1B,qEAAqE;AACrE,0EAA0E;AAC1E,iEAAiE;AACjE,MAAM,qBAAqB,GAAG,kCAAkC,CAAC;AACjE,MAAM,kCAAkC,GAAG,MAAM,CAAC;AAClD,MAAM,6BAA6B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AACpD,MAAM,2BAA2B,GAAG,MAAM,CAAC;AAE3C;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,KAAsB;IAChD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,yBAAyB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/D,IAAI,sBAAsB,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,wFAAwF,CACzF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,KAAK,EAAE,OAAO,CAAC;QAC5D,MAAM,GAAG,GAAG,CAAC,IAAY,EAAsB,EAAE;YAC/C,IAAI,CAAC,OAAO;gBAAE,OAAO,SAAS,CAAC;YAC/B,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;gBACtC,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC;YACxC,CAAC;YACD,MAAM,GAAG,GAAG,OAA6C,CAAC;YAC1D,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QACtD,CAAC,CAAC;QACF,MAAM,KAAK,GAAG,GAAG,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC;QACjD,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,aAAa,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;QACpE,OAAO,yBAAyB,CAAC,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,yBAAyB,CAC9B,oBAAoB,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAC/C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,uBAAuB,CACpC,KAAU,EACV,MAAc;IAEd,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,qBAAqB,EAAE,CAAC;IACjD,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IACF,IAAI,CAAC;QACH,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;QACvE,qEAAqE;QACrE,iBAAiB;IACnB,CAAC;IACD,qEAAqE;IACrE,wEAAwE;IACxE,uEAAuE;IACvE,0EAA0E;IAC1E,MAAM,eAAe,GAAG,KAAK,CAAC,GAAG,EAAE;QACjC,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;KACjC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACf,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,IAAI,CAAC;QACjB,eAAe;QACf,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;KACzD,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,MAAc,EACd,MAAiB,EACjB,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACxD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,0DAA0D;QAC1D,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,qCAAqC,EAAE,CAAC;aACvE;SACF,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAA4B,CAAC;IACjE,MAAM,aAAa,GAAG,CAAC,IAAI,CAAC,eAAe,IAAI,EAAE,CAA4B,CAAC;IAC9E,MAAM,aAAa,GAAG,aAAa,CAAC,aAAmC,CAAC;IACxE,MAAM,aAAa,GAAG,aAAa,CAAC,aAAmC,CAAC;IACxE,MAAM,SAAS,GACZ,aAAa,CAAC,SAAuC,IAAI,SAAS,CAAC;IACtE,MAAM,cAAc,GACjB,aAAa,CAAC,cAGD,IAAI,SAAS,CAAC;IAE9B,MAAM,aAAa,GAAG,MAAM,uBAAuB,CACjD,aAAa,EACb,aAAa,CACd,CAAC;IAEF,MAAM,EAAE,qBAAqB,EAAE,GAC7B,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE;QACjC,sBAAsB,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAC3C,OAAO,CAAC,KAAK,CAAC,uCAAuC,EAAE,GAAG,CAAC,CAC5D,CAAC;IACJ,CAAC,EAAE,2BAA2B,CAAC,CAAC;IAE9B,SACD,CAAC,KAAK,EAAE,EAAE,CAAC;IACZ,IAAI,CAAC;QACH,MAAM,qBAAqB,CACzB,EAAE,SAAS,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,EAClD,GAAG,EAAE,CACH,oBAAoB,CAClB,MAAM,EACN,OAAO,EACP,MAAM,EACN,SAAS,EACT,cAAc,EACd,KAAK,CACN,CACJ,CAAC;IACJ,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,MAAM,EAAE;gBACvB,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,iBAAiB,EAAE,CAAC;iBACnE;aACF,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC;YAAS,CAAC;QACT,aAAa,CAAC,SAAS,CAAC,CAAC;IAC3B,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,cAAc,GAAe,KAAK,EACtC,OAAgB,EAChB,QAA2B,EACA,EAAE;IAC7B,kCAAkC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK;SACvB,MAAM,CAAC,CAAC,CAAC,EAAuC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;SACrE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;SAClB,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,4BAA4B,EAAE,CAAC;aAC9D;SACF,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,0EAA0E;IAC1E,wDAAwD;IACxD,4EAA4E;IAC5E,oEAAoE;IACpE,yEAAyE;IACzE,8BAA8B;IAC9B,qEAAqE;IACrE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;IAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACrE,MAAM,aAAa,GAAG,OAAO;QAC3B,CAAC,CAAC,+DAA+D,UAAU,sNAAsN,IAAI,EAAE;QACvS,CAAC,CAAC,IAAI,CAAC;IAET,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAEnD,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,SAAS,CAAC,IAAI,CAAC;YACb,IAAI,EAAE,eAAe;YACrB,WAAW,EAAE,6BAA6B;YAC1C,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,YAAY,EAAE,EAAE,CAAC;SAChE,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,OAAO,EAAE;YACP,IAAI,EAAE,OAAO;YACb,KAAK,EAAE;gBACL,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;gBACvC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM;oBACzB,CAAC,CAAC;wBACE;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,kBAAkB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;yBACrD;qBACF;oBACH,CAAC,CAAC,EAAE,CAAC;aACR;SACF;QACD,SAAS,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;KACxD,CAAC;AACJ,CAAC,CAAC;AAEF,SAAS,UAAU,CAAC,MAAiB;IACnC,OAAO,MAAM,CAAC,OAAO,IAAI,cAAc,CAAC;AAC1C,CAAC;AAED,SAAS,YAAY,CACnB,EAA0B,EAC1B,IAAY,EACZ,OAAe;IAEf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC;AAC1D,CAAC;AAED,SAAS,aAAa,CAAC,EAAmB,EAAE,MAAe;IACzD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,kBAAkB,CACzB,MAAc,EACd,SAAkB,EAClB,QAAkC,EAClC,KAAW;IAKX,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,MAAM,OAAO,GAAsB;QACjC,MAAM;QACN,SAAS;QACT,QAAQ;QACR,KAAK;QACL,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ;YACnC,MAAM,QAAQ,GAAa;gBACzB,IAAI;gBACJ,KAAK,EAAE,QAAQ;oBACb,CAAC,CAAC;wBACE;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE;gCACJ,IAAI;gCACJ,QAAQ;gCACR,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;6BAC/C;yBACF;qBACF;oBACH,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;aACtC,CAAC;YACF,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;IACF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,qBAAqB,CAClC,SAA8C,EAC9C,KAAsB,EACtB,EAAoB;IAEpB,MAAM,EAAE,qBAAqB,EAAE,GAC7B,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,SAAS,CAAC;IAC1E,6EAA6E;IAC7E,2EAA2E;IAC3E,yEAAyE;IACzE,qCAAqC;IACrC,MAAM,SAAS,GACZ,KAAK,EAAE,OAAO,EAAE,cAAqC,IAAI,SAAS,CAAC;IAEtE,MAAM,aAAa,GAAG,MAAM,uBAAuB,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IAE9E,OAAO,qBAAqB,CAC1B,EAAE,SAAS,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,EAClD,EAAE,CACW,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,aAAiC,EACjC,iBAAqC;IAErC,IAAI,iBAAiB,EAAE,CAAC;QACtB,IAAI,CAAC;YACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACjE,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,iBAAiB,CAAC,CAAC;YACxD,IAAI,GAAG;gBAAE,OAAO,GAAG,CAAC,KAAK,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,OAAO,CAAC,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC,IAAI,SAAS,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,oBAAoB,CACjC,MAAc,EACd,OAAgB,EAChB,MAAiB,EACjB,SAA6B,EAC7B,QAA6C,EAC7C,KAAW;IAEX,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAC/C,MAAM,EACN,SAAS,EACT,QAAQ,EACR,KAAK,CACN,CAAC;IACF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAEpD,IACE,MAAM;YACN,OAAO,MAAM,KAAK,QAAQ;YAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;YACD,IAAI,WAAgC,CAAC;YACrC,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;gBAC1D,WAAW,GAAG,GAAG,CAAC;YACpB,CAAC;YACD,MAAM,UAAU,CAAC,MAAM,EAAE;gBACvB,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,WAAW;gBACpB,SAAS,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;aACxD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;QAClE,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;QACxE,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,aAAa,CAAC,OAAO;YAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;SAC9D,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,gBAAgB,EAAE,CAAC;aAClE;SACF,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,MAA+B,EAC/B,MAAiB,EACjB,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAkB,CAAC;IAC1C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,OAAO;YACL,GAAG,YAAY,CACb,CAAC,EACD,CAAC,KAAK,EACN,sDAAsD,CACvD;YACD,GAAG,EAAE,CAAC;SACP,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAA+B,CAAC;IACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA+C,CAAC;IAExE,sEAAsE;IACtE,yEAAyE;IACzE,uEAAuE;IACvE,0EAA0E;IAC1E,6BAA6B;IAC7B,MAAM,iBAAiB,GACpB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IAErE,sEAAsE;IACtE,0EAA0E;IAC1E,8EAA8E;IAC9E,yEAAyE;IACzE,kEAAkE;IAClE,sEAAsE;IACtE,wEAAwE;IACxE,yEAAyE;IACzE,8CAA8C;IAC9C,MAAM,SAAS,GACb,MAAM,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,EAAE,eAAe,KAAK,IAAI,CAAC,CAAC;IAE9E,IAAI,SAAS,EAAE,CAAC;QACd,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,0DAA0D;QAC1D,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QACxE,IAAI,sBAAsB,EAAE,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;YAC5D,OAAO;gBACL,GAAG,YAAY,CACb,CAAC,EACD,CAAC,KAAK,EACN,+EAA+E,CAChF;gBACD,GAAG,EAAE,CAAC;aACP,CAAC;QACJ,CAAC;QACD,uEAAuE;QACvE,wEAAwE;QACxE,0EAA0E;QAC1E,sEAAsE;QACtE,0EAA0E;QAC1E,0EAA0E;QAC1E,oEAAoE;QACpE,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,SAAS,CAAC;QAC1E,2EAA2E;QAC3E,iEAAiE;QACjE,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,cAAqC,IAAI,SAAS,CAAC;QAEtE,MAAM,YAAY,GAA4B;YAC5C,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;YACnB,eAAe,EAAE;gBACf,aAAa;gBACb,aAAa;gBACb,SAAS,EAAE,SAAS,IAAI,IAAI;gBAC5B,cAAc,EAAE,QAAQ,IAAI,IAAI;aACjC;SACF,CAAC;QACF,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,YAAY,EACZ,iBAAiB,CAClB,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhE,uBAAuB,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpD,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,GAAG,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC1D,CAAC;IAED,OAAO,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,SAAS,EACT,iBAAiB,CAClB,CAAC;QACF,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAEpE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAExD,IACE,MAAM;gBACN,OAAO,MAAM,KAAK,QAAQ;gBAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;gBACD,IAAI,WAAgC,CAAC;gBACrC,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;oBAC1D,WAAW,GAAG,GAAG,CAAC;gBACpB,CAAC;gBACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;oBACxC,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,WAAW;oBACpB,SAAS,EAAE,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;iBAChE,CAAC,CAAC;gBACH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;YAClD,CAAC;YAED,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;YAClE,MAAM,YAAY,GAAG;gBACnB,GAAG,GAAG,CAAC,SAAS;gBAChB,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC;aACnC,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACxC,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,aAAa,CAAC,OAAO;gBAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAC9D,CAAC,CAAC;YACH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACxB,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,EAAE,CAAC;iBACjE;aACF,CAAC,CAAC;YACH,OAAO;gBACL,GAAG,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,CAAC;gBAC3D,GAAG,EAAE,CAAC;aACP,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,MAA+B,EAC/B,MAAiB,EACjB,GAAwD,EACxD,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAkB,CAAC;IAC1C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC,MAAM,CACzE,CAAC;QACF,GAAG,CAAC,GAAG,EAAE,CAAC;QACV,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAA+B,CAAC;IACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA+C,CAAC;IACxE,MAAM,iBAAiB,GACpB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IAErE,MAAM,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,SAAS,EACT,iBAAiB,CAClB,CAAC;QAEF,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhD,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAC/C,IAAI,CAAC,EAAE,EACP,SAAS,EACT,QAAQ,EACR,KAAK,CACN,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAEpD,IACE,MAAM;gBACN,OAAO,MAAM,KAAK,QAAQ;gBAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;gBACD,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;oBAC1D,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;wBAC7C,KAAK,EAAE,SAAS;wBAChB,OAAO,EAAE,GAAG;qBACb,CAAC,CAAC;oBACH,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,MAAM,CAC9D,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;gBAClE,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;gBACxE,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;oBACxC,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,aAAa,CAAC,OAAO;oBAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;iBAC9D,CAAC,CAAC;gBACH,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;gBACpE,GAAG,CAAC,GAAG,EAAE,CAAC;gBACV,OAAO;YACT,CAAC;YAED,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACtC,KAAK,EAAE,WAAW;gBAClB,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAC9D,CAAC,CAAC;YACH,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC;QACpE,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC/C,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,CAAC,CAAC,MAAM,CACxF,CAAC;QACJ,CAAC;QAED,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,aAAa;IACb,WAAW;IACX,WAAW;IACX,aAAa;IACb,cAAc;IACd,QAAQ;IACR,eAAe;IACf,eAAe;IACf,QAAQ;CACT,CAAC,CAAC;AAEH,SAAS,uBAAuB,CAAC,IAAS;IACxC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnD,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAErE,MAAM,IAAI,GAAG,IAAI,CAAC,QAAmC,CAAC;IACtD,MAAM,UAAU,GAA4B,EAAE,CAAC;IAC/C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,IAAI,CAAC,KAAK,iBAAiB;YAAE,SAAS;QACtC,IAAI,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,SAAS;QAC7C,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,mBAAmB,CAC1B,cAA6B,EAC7B,KAAU,EACV,MAAiB;IAEjB,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IACrE,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;IAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;IACxE,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;IAE9C,IAAI,YAAY,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;QAChD,mEAAmE;QACnE,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,aAAa,CAAC,WAAW,EAAE,KAAK,cAAc,CAAC,WAAW,EAAE,EAAE,CAAC;YACjE,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IACD,yEAAyE;IACzE,qDAAqD;IACrD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,SAAS,CACtB,MAA+B,EAC/B,KAAU,EACV,MAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,CAAC,EAAY,CAAC;IAC/B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC/B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,4BAA4B,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,KAAK,CACrE,CAAC,GAAG,EAAE,EAAE;QACN,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,GAAG,CAAC,CAAC;QAC/D,OAAO,KAAK,CAAC;IACf,CAAC,CACF,CAAC;IACF,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;QAClC,IAAI,OAAO;YAAE,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,OAAO,CAAC,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,MAAc,EACd,KAAU;IAEV,MAAM,KAAK,GAAG,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACpD,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,eAAe;QAAE,OAAO,KAAK,CAAC;IAEnD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IACE,CAAC,KAAK,CAAC,WAAW,KAAK,WAAW,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC;QACtE,KAAK,CAAC,SAAS,IAAI,GAAG,GAAG,kCAAkC,EAC3D,CAAC;QACD,IAAI,MAAM,0BAA0B,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7C,MAAM,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAC7C,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IACE,KAAK,CAAC,WAAW,KAAK,YAAY;QAClC,KAAK,CAAC,SAAS,IAAI,GAAG,GAAG,6BAA6B,EACtD,CAAC;QACD,+DAA+D;QAC/D,yEAAyE;QACzE,wEAAwE;QACxE,MAAM,MAAM,GAAG,MAAM,gBAAgB,CACnC,MAAM,EACN,GAAG,GAAG,6BAA6B,EACnC,gFAAgF,CACjF,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,MAA+B,EAC/B,KAAU,EACV,MAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,CAAC,EAAY,CAAC;IAC/B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;IACzD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAS,EACT,KAAU,EACV,MAAiB;IAEjB,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACpD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,YAAY,CAAC,IAAI,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,KAAK,EAAE,0BAA0B,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,MAAM,GAAI,IAAI,CAAC,MAAkC,IAAI,EAAE,CAAC;IAC9D,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;IAEnB,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;QACpB,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACvD,MAAM,EAAE,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,MAAM,CAAC;YACpC,OAAO,EAAE,GAAG,QAAQ,EAAE,EAAE,EAAqB,CAAC;QAChD,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBACtB,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,yBAAyB,CAAC,CAAC;YAC7D,CAAC;YACD,8CAA8C;YAC9C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC;YAC5B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,yBAAyB,CAAC,CAAC;YAC7D,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,cAAc,EAAE,mBAAmB,CAAC,CAAC;YAC9D,iBAAiB,CAAC,KAAK,EAAE,eAAe,EAAE,UAAU,CAAC,CAAC;YACtD,iBAAiB,CAAC,KAAK,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;YACrD,MAAM,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAC/C,OAAO,SAAgB,CAAC,CAAC,gCAAgC;QAC3D,CAAC;QACD,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACtD,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EAAqB,CAAC;QAC9C,CAAC;QACD,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACzD,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EAAqB,CAAC;QAC9C,CAAC;QACD;YACE,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,qBAAqB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACxE,CAAC;AACH,CAAC","sourcesContent":["import { setResponseHeader, setResponseStatus } from \"h3\";\nimport type {\n  A2AConfig,\n  A2AHandler,\n  A2AHandlerContext,\n  A2AHandlerResult,\n  JsonRpcResponse,\n  Message,\n  Artifact,\n} from \"./types.js\";\nimport {\n  createTask,\n  getTask,\n  getTaskOwner,\n  updateTask,\n  claimA2ATaskForProcessing,\n  getA2ATaskDispatchState,\n  failStuckA2ATask,\n  touchQueuedA2ATaskDispatch,\n  touchProcessingA2ATask,\n} from \"./task-store.js\";\nimport { agentChat } from \"../shared/agent-chat.js\";\nimport { signInternalToken } from \"../integrations/internal-token.js\";\nimport { withConfiguredAppBasePath } from \"../server/app-base-path.js\";\nimport {\n  hasConfiguredA2ASecret,\n  isA2AProductionRuntime,\n} from \"./auth-policy.js\";\n\n// Inlined to avoid pulling the entire core-routes-plugin (and its h3\n// transitive deps) into the a2a/handlers test boundary. Must stay in sync\n// with FRAMEWORK_ROUTE_PREFIX in `server/core-routes-plugin.ts`.\nconst A2A_PROCESS_TASK_PATH = \"/_agent-native/a2a/_process-task\";\nconst A2A_QUEUED_DISPATCH_STUCK_AFTER_MS = 10_000;\nconst A2A_PROCESSING_STUCK_AFTER_MS = 5 * 60 * 1000;\nconst A2A_PROCESSING_HEARTBEAT_MS = 30_000;\n\n/**\n * Resolve the base URL we should fire the A2A processor request to. Mirrors\n * the integration-webhook resolveBaseUrl pattern — prefer explicit env vars\n * (most reliable on serverless), fall back to inbound request headers.\n */\nfunction resolveSelfBaseUrl(event: any | undefined): string {\n  const fromEnv =\n    process.env.APP_URL ||\n    process.env.URL ||\n    process.env.DEPLOY_URL ||\n    process.env.BETTER_AUTH_URL;\n  if (fromEnv) return withConfiguredAppBasePath(String(fromEnv));\n  if (isA2AProductionRuntime()) {\n    throw new Error(\n      \"A2A self-dispatch requires APP_URL, URL, DEPLOY_URL, or BETTER_AUTH_URL in production.\",\n    );\n  }\n\n  try {\n    const headers = event?.node?.req?.headers ?? event?.headers;\n    const get = (name: string): string | undefined => {\n      if (!headers) return undefined;\n      if (typeof headers.get === \"function\") {\n        return headers.get(name) ?? undefined;\n      }\n      const map = headers as Record<string, string | undefined>;\n      return map[name] ?? map[String(name).toLowerCase()];\n    };\n    const proto = get(\"x-forwarded-proto\") || \"http\";\n    const host = get(\"host\") || `localhost:${process.env.PORT || 3000}`;\n    return withConfiguredAppBasePath(`${proto}://${host}`);\n  } catch {\n    return withConfiguredAppBasePath(\n      `http://localhost:${process.env.PORT || 3000}`,\n    );\n  }\n}\n\n/**\n * Fire-and-forget POST to the A2A processor route on the same deployment.\n * Used when an A2A send is requested in async mode — the processor runs the\n * handler in a fresh function execution so it gets its own full timeout.\n */\nasync function fireProcessTaskDispatch(\n  event: any,\n  taskId: string,\n): Promise<void> {\n  const baseUrl = resolveSelfBaseUrl(event);\n  const url = `${baseUrl}${A2A_PROCESS_TASK_PATH}`;\n  const headers: Record<string, string> = {\n    \"Content-Type\": \"application/json\",\n  };\n  try {\n    headers[\"Authorization\"] = `Bearer ${signInternalToken(taskId)}`;\n  } catch {\n    // No A2A_SECRET configured — self-fire unsigned. The processor accepts\n    // unsigned dispatches when no secret is set (mirrors the integration\n    // webhook flow).\n  }\n  // Race the fetch against a short timer. On Netlify Lambda, returning\n  // immediately can freeze the function before the outbound TCP handshake\n  // starts, leaving the request stuck. This gives it ~250ms to leave the\n  // box at the cost of slightly higher response latency on async A2A sends.\n  const dispatchPromise = fetch(url, {\n    method: \"POST\",\n    headers,\n    body: JSON.stringify({ taskId }),\n  }).catch((err) => {\n    console.error(\"[a2a] Process-task dispatch fetch failed:\", err);\n  });\n  await Promise.race([\n    dispatchPromise,\n    new Promise<void>((resolve) => setTimeout(resolve, 250)),\n  ]);\n}\n\n/**\n * Process a previously-enqueued A2A task. Called by the `_process-task`\n * route in `server.ts`, in a fresh function execution. Atomically claims the\n * task, reconstructs the caller's request context from the task's metadata,\n * runs the handler, and persists the outcome.\n *\n * Idempotent on duplicate dispatches: the atomic claim returns null if some\n * other invocation already picked the task up, in which case we no-op.\n */\nexport async function processA2ATaskFromQueue(\n  taskId: string,\n  config: A2AConfig,\n  event?: any,\n): Promise<void> {\n  const claimed = await claimA2ATaskForProcessing(taskId);\n  if (!claimed) {\n    // Already in flight, terminal, or missing. Nothing to do.\n    return;\n  }\n\n  const message = claimed.history?.[0];\n  if (!message) {\n    await updateTask(taskId, {\n      state: \"failed\",\n      message: {\n        role: \"agent\",\n        parts: [{ type: \"text\", text: \"Task is missing its inbound message\" }],\n      },\n    });\n    return;\n  }\n\n  const meta = (claimed.metadata ?? {}) as Record<string, unknown>;\n  const processorMeta = (meta.__a2a_processor ?? {}) as Record<string, unknown>;\n  const verifiedEmail = processorMeta.verifiedEmail as string | undefined;\n  const orgDomainHint = processorMeta.orgDomainHint as string | undefined;\n  const contextId =\n    (processorMeta.contextId as string | null | undefined) ?? undefined;\n  const callerMetadata =\n    (processorMeta.callerMetadata as\n      | Record<string, unknown>\n      | null\n      | undefined) ?? undefined;\n\n  const resolvedOrgId = await resolveVerifiedA2AOrgId(\n    verifiedEmail,\n    orgDomainHint,\n  );\n\n  const { runWithRequestContext } =\n    await import(\"../server/request-context.js\");\n  const heartbeat = setInterval(() => {\n    touchProcessingA2ATask(taskId).catch((err) =>\n      console.error(\"[a2a] Failed to heartbeat async task:\", err),\n    );\n  }, A2A_PROCESSING_HEARTBEAT_MS);\n  (\n    heartbeat as ReturnType<typeof setInterval> & { unref?: () => void }\n  ).unref?.();\n  try {\n    await runWithRequestContext(\n      { userEmail: verifiedEmail, orgId: resolvedOrgId },\n      () =>\n        runHandlerAndPersist(\n          taskId,\n          message,\n          config,\n          contextId,\n          callerMetadata,\n          event,\n        ),\n    );\n  } catch (err: any) {\n    try {\n      await updateTask(taskId, {\n        state: \"failed\",\n        message: {\n          role: \"agent\",\n          parts: [{ type: \"text\", text: err?.message ?? \"Handler crashed\" }],\n        },\n      });\n    } catch {}\n  } finally {\n    clearInterval(heartbeat);\n  }\n}\n\n/**\n * Default A2A handler that delegates to agentChat.call().\n * Used when no custom handler is provided in A2AConfig.\n */\nconst defaultHandler: A2AHandler = async (\n  message: Message,\n  _context: A2AHandlerContext,\n): Promise<A2AHandlerResult> => {\n  // Extract text from message parts\n  const text = message.parts\n    .filter((p): p is { type: \"text\"; text: string } => p.type === \"text\")\n    .map((p) => p.text)\n    .join(\"\\n\");\n\n  if (!text) {\n    return {\n      message: {\n        role: \"agent\",\n        parts: [{ type: \"text\", text: \"No text content in message\" }],\n      },\n    };\n  }\n\n  // A2A note: this message arrived from a different app — the caller cannot\n  // see this app's local state (open deck, selected slide, etc.). They only\n  // see whatever this agent puts into the reply text. So:\n  //   1) include any concrete result (deck/document/dashboard URL, ID, value)\n  //      explicitly in the reply — the caller can't navigate locally.\n  //   2) URLs must be fully-qualified — relative paths resolve against the\n  //      caller's host and 404.\n  // We prepend a one-line hint to the user message so the agent knows.\n  const baseUrl = process.env.APP_URL || process.env.URL || \"\";\n  const appBaseUrl = baseUrl ? withConfiguredAppBasePath(baseUrl) : \"\";\n  const augmentedText = baseUrl\n    ? `[Cross-app A2A request — the caller is on a different host (${appBaseUrl} is yours, theirs is different). Include the concrete result (URL, ID, value) explicitly in your reply text; the caller can't see your local UI state. Any URL MUST be fully-qualified, never a relative path.]\\n\\n${text}`\n    : text;\n\n  const result = await agentChat.call(augmentedText);\n\n  const artifacts: Artifact[] = [];\n  if (result.filesChanged.length > 0) {\n    artifacts.push({\n      name: \"files-changed\",\n      description: \"Files modified by the agent\",\n      parts: [{ type: \"data\", data: { files: result.filesChanged } }],\n    });\n  }\n\n  return {\n    message: {\n      role: \"agent\",\n      parts: [\n        { type: \"text\", text: result.response },\n        ...(result.warnings?.length\n          ? [\n              {\n                type: \"text\" as const,\n                text: `\\n\\nWarnings:\\n${result.warnings.join(\"\\n\")}`,\n              },\n            ]\n          : []),\n      ],\n    },\n    artifacts: artifacts.length > 0 ? artifacts : undefined,\n  };\n};\n\nfunction getHandler(config: A2AConfig): A2AHandler {\n  return config.handler ?? defaultHandler;\n}\n\nfunction jsonRpcError(\n  id: string | number | null,\n  code: number,\n  message: string,\n): JsonRpcResponse {\n  return { jsonrpc: \"2.0\", id, error: { code, message } };\n}\n\nfunction jsonRpcResult(id: string | number, result: unknown): JsonRpcResponse {\n  return { jsonrpc: \"2.0\", id, result };\n}\n\nfunction makeHandlerContext(\n  taskId: string,\n  contextId?: string,\n  metadata?: Record<string, unknown>,\n  event?: any,\n): {\n  context: A2AHandlerContext;\n  artifacts: Artifact[];\n} {\n  const artifacts: Artifact[] = [];\n  const context: A2AHandlerContext = {\n    taskId,\n    contextId,\n    metadata,\n    event,\n    writeArtifact(name, content, mimeType) {\n      const artifact: Artifact = {\n        name,\n        parts: mimeType\n          ? [\n              {\n                type: \"file\",\n                file: {\n                  name,\n                  mimeType,\n                  bytes: Buffer.from(content).toString(\"base64\"),\n                },\n              },\n            ]\n          : [{ type: \"text\", text: content }],\n      };\n      artifacts.push(artifact);\n      return name;\n    },\n  };\n  return { context, artifacts };\n}\n\n/**\n * Resolve org context from A2A metadata / event context and wrap `fn`\n * inside `runWithRequestContext` so downstream actions see the org.\n */\nasync function withA2ARequestContext<T>(\n  _metadata: Record<string, unknown> | undefined,\n  event: any | undefined,\n  fn: () => Promise<T>,\n): Promise<T> {\n  const { runWithRequestContext } =\n    await import(\"../server/request-context.js\");\n\n  const verifiedEmail =\n    (event?.context?.__a2aVerifiedEmail as string | undefined) ?? undefined;\n  // Only trust the org domain from the cryptographically verified JWT claim on\n  // the event context. metadata.orgDomain is caller-supplied and must not be\n  // used for org resolution — an unauthenticated caller could forge it and\n  // gain access to another org's data.\n  const orgDomain =\n    (event?.context?.__a2aOrgDomain as string | undefined) ?? undefined;\n\n  const resolvedOrgId = await resolveVerifiedA2AOrgId(verifiedEmail, orgDomain);\n\n  return runWithRequestContext(\n    { userEmail: verifiedEmail, orgId: resolvedOrgId },\n    fn,\n  ) as Promise<T>;\n}\n\nasync function resolveVerifiedA2AOrgId(\n  verifiedEmail: string | undefined,\n  verifiedOrgDomain: string | undefined,\n): Promise<string | undefined> {\n  if (verifiedOrgDomain) {\n    try {\n      const { resolveOrgByDomain } = await import(\"../org/context.js\");\n      const org = await resolveOrgByDomain(verifiedOrgDomain);\n      if (org) return org.orgId;\n    } catch {\n      // Org tables may not exist — continue without org context\n    }\n  }\n\n  if (verifiedEmail) {\n    try {\n      const { resolveOrgIdForEmail } = await import(\"../org/context.js\");\n      return (await resolveOrgIdForEmail(verifiedEmail)) ?? undefined;\n    } catch {\n      // Org tables may not exist — continue without org context\n    }\n  }\n\n  return undefined;\n}\n\n/**\n * Run the handler against the message and persist the outcome to the task store.\n * Used in sync mode (awaited inline) and in async mode (called by the\n * `_process-task` processor route in a fresh function execution).\n */\nasync function runHandlerAndPersist(\n  taskId: string,\n  message: Message,\n  config: A2AConfig,\n  contextId: string | undefined,\n  metadata: Record<string, unknown> | undefined,\n  event?: any,\n): Promise<void> {\n  const { context, artifacts } = makeHandlerContext(\n    taskId,\n    contextId,\n    metadata,\n    event,\n  );\n  try {\n    const result = getHandler(config)(message, context);\n\n    if (\n      result &&\n      typeof result === \"object\" &&\n      Symbol.asyncIterator in result\n    ) {\n      let lastMessage: Message | undefined;\n      for await (const msg of result as AsyncGenerator<Message>) {\n        lastMessage = msg;\n      }\n      await updateTask(taskId, {\n        state: \"completed\",\n        message: lastMessage,\n        artifacts: artifacts.length > 0 ? artifacts : undefined,\n      });\n      return;\n    }\n\n    const handlerResult = await (result as Promise<A2AHandlerResult>);\n    const allArtifacts = [...artifacts, ...(handlerResult.artifacts ?? [])];\n    await updateTask(taskId, {\n      state: \"completed\",\n      message: handlerResult.message,\n      artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n    });\n  } catch (err: any) {\n    await updateTask(taskId, {\n      state: \"failed\",\n      message: {\n        role: \"agent\",\n        parts: [{ type: \"text\", text: err?.message ?? \"Handler failed\" }],\n      },\n    });\n  }\n}\n\nasync function handleSend(\n  params: Record<string, unknown>,\n  config: A2AConfig,\n  event?: any,\n): Promise<JsonRpcResponse & { _id: string | number }> {\n  const message = params.message as Message;\n  if (!message || !message.role || !Array.isArray(message.parts)) {\n    return {\n      ...jsonRpcError(\n        0,\n        -32602,\n        \"Invalid params: message with role and parts required\",\n      ),\n      _id: 0,\n    };\n  }\n\n  const contextId = params.contextId as string | undefined;\n  const metadata = params.metadata as Record<string, unknown> | undefined;\n\n  // The JWT-verified caller email (set by mountA2A in server.ts) is the\n  // single source of truth for task ownership — bound at creation, checked\n  // on every subsequent tasks/get and tasks/cancel call. Caller-supplied\n  // metadata.userEmail is NEVER used for ownership; that would re-introduce\n  // the IDOR class fixed here.\n  const ownerEmailForTask =\n    (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n\n  // Async mode: return the task immediately in `working` state, run the\n  // handler in the background, and let the caller poll `tasks/get`. This is\n  // the workaround for synchronous serverless request timeouts when the handler\n  // runs LLM + tool loops that can exceed a single HTTP invocation budget.\n  // SECURITY: only honor the explicit top-level `params.async`. The\n  // metadata.async fallback was caller-controlled and could force async\n  // dispatch (which has weaker auth than the sync path) on otherwise sync\n  // requests. Async is also refused entirely when no auth is configured in\n  // production — see the additional gate below.\n  const asyncMode =\n    params.async === true || (event && event.context?.__a2aForceAsync === true);\n\n  if (asyncMode) {\n    // Refuse async mode entirely when no auth is configured in production.\n    // The async dispatch path self-fires the `_process-task` route, which\n    // accepts unsigned dispatches when A2A_SECRET is unset — that combined\n    // with the lack of caller identity here would let any unauthenticated\n    // attacker queue and trigger handler runs. In production, require some\n    // form of auth so the verifiedEmail is bound to the task.\n    const hasA2ASecret = hasConfiguredA2ASecret();\n    const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n    if (isA2AProductionRuntime() && !hasA2ASecret && !hasApiKey) {\n      return {\n        ...jsonRpcError(\n          0,\n          -32001,\n          \"A2A async mode is not available — A2A_SECRET or apiKeyEnv must be configured.\",\n        ),\n        _id: 0,\n      };\n    }\n    // Resolve identity up front (cheap), bake it into the task's metadata,\n    // and dispatch the actual handler run to a SEPARATE function execution.\n    // On serverless hosts (Netlify, Vercel, Cloudflare) detached promises get\n    // killed when the response is flushed, so we self-fire a webhook to a\n    // dedicated processor route — same cross-platform pattern the integration\n    // webhook queue uses. The processor reconstructs the request context from\n    // the task metadata and runs the handler with its own full timeout.\n    const verifiedEmail =\n      (event?.context?.__a2aVerifiedEmail as string | undefined) ?? undefined;\n    // Only trust the verified org domain from the JWT claim — do not fall back\n    // to metadata.orgDomain which is caller-supplied and unverified.\n    const orgDomainHint =\n      (event?.context?.__a2aOrgDomain as string | undefined) ?? undefined;\n\n    const taskMetadata: Record<string, unknown> = {\n      ...(metadata ?? {}),\n      __a2a_processor: {\n        verifiedEmail,\n        orgDomainHint,\n        contextId: contextId ?? null,\n        callerMetadata: metadata ?? null,\n      },\n    };\n    const task = await createTask(\n      message,\n      contextId,\n      taskMetadata,\n      ownerEmailForTask,\n    );\n    const working = await updateTask(task.id, { state: \"working\" });\n\n    fireProcessTaskDispatch(event, task.id).catch((err) => {\n      console.error(\"[a2a] Failed to dispatch process-task:\", err);\n    });\n\n    return { ...jsonRpcResult(0, working ?? task), _id: 0 };\n  }\n\n  return withA2ARequestContext(metadata, event, async () => {\n    const task = await createTask(\n      message,\n      contextId,\n      undefined,\n      ownerEmailForTask,\n    );\n    await updateTask(task.id, { state: \"working\" });\n\n    const ctx = makeHandlerContext(task.id, contextId, metadata, event);\n\n    try {\n      const result = getHandler(config)(message, ctx.context);\n\n      if (\n        result &&\n        typeof result === \"object\" &&\n        Symbol.asyncIterator in result\n      ) {\n        let lastMessage: Message | undefined;\n        for await (const msg of result as AsyncGenerator<Message>) {\n          lastMessage = msg;\n        }\n        const updated = await updateTask(task.id, {\n          state: \"completed\",\n          message: lastMessage,\n          artifacts: ctx.artifacts.length > 0 ? ctx.artifacts : undefined,\n        });\n        return { ...jsonRpcResult(0, updated), _id: 0 };\n      }\n\n      const handlerResult = await (result as Promise<A2AHandlerResult>);\n      const allArtifacts = [\n        ...ctx.artifacts,\n        ...(handlerResult.artifacts ?? []),\n      ];\n      const updated = await updateTask(task.id, {\n        state: \"completed\",\n        message: handlerResult.message,\n        artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n      });\n      return { ...jsonRpcResult(0, updated), _id: 0 };\n    } catch (err: any) {\n      await updateTask(task.id, {\n        state: \"failed\",\n        message: {\n          role: \"agent\",\n          parts: [{ type: \"text\", text: err.message ?? \"Handler failed\" }],\n        },\n      });\n      return {\n        ...jsonRpcError(0, -32000, err.message ?? \"Handler failed\"),\n        _id: 0,\n      };\n    }\n  });\n}\n\nasync function handleStream(\n  params: Record<string, unknown>,\n  config: A2AConfig,\n  res: { write: (chunk: string) => void; end: () => void },\n  event?: any,\n): Promise<void> {\n  const message = params.message as Message;\n  if (!message || !message.role || !Array.isArray(message.parts)) {\n    res.write(\n      `data: ${JSON.stringify(jsonRpcError(0, -32602, \"Invalid params\"))}\\n\\n`,\n    );\n    res.end();\n    return;\n  }\n\n  const contextId = params.contextId as string | undefined;\n  const metadata = params.metadata as Record<string, unknown> | undefined;\n  const ownerEmailForTask =\n    (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n\n  await withA2ARequestContext(metadata, event, async () => {\n    const task = await createTask(\n      message,\n      contextId,\n      undefined,\n      ownerEmailForTask,\n    );\n\n    await updateTask(task.id, { state: \"working\" });\n\n    const { context, artifacts } = makeHandlerContext(\n      task.id,\n      contextId,\n      metadata,\n      event,\n    );\n\n    try {\n      const result = getHandler(config)(message, context);\n\n      if (\n        result &&\n        typeof result === \"object\" &&\n        Symbol.asyncIterator in result\n      ) {\n        for await (const msg of result as AsyncGenerator<Message>) {\n          const intermediate = await updateTask(task.id, {\n            state: \"working\",\n            message: msg,\n          });\n          res.write(\n            `data: ${JSON.stringify(jsonRpcResult(0, intermediate))}\\n\\n`,\n          );\n        }\n      } else {\n        const handlerResult = await (result as Promise<A2AHandlerResult>);\n        const allArtifacts = [...artifacts, ...(handlerResult.artifacts ?? [])];\n        const updated = await updateTask(task.id, {\n          state: \"completed\",\n          message: handlerResult.message,\n          artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n        });\n        res.write(`data: ${JSON.stringify(jsonRpcResult(0, updated))}\\n\\n`);\n        res.end();\n        return;\n      }\n\n      const allArtifacts = [...artifacts];\n      const final = await updateTask(task.id, {\n        state: \"completed\",\n        artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n      });\n      res.write(`data: ${JSON.stringify(jsonRpcResult(0, final))}\\n\\n`);\n    } catch (err: any) {\n      await updateTask(task.id, { state: \"failed\" });\n      res.write(\n        `data: ${JSON.stringify(jsonRpcError(0, -32000, err.message ?? \"Handler failed\"))}\\n\\n`,\n      );\n    }\n\n    res.end();\n  });\n}\n\n/**\n * Caller-supplied metadata keys that may contain sensitive bearer / OAuth\n * material. Always stripped from `tasks/get` responses so a leaked task id\n * never discloses an OAuth token even when the original sender carelessly\n * stuffed one into `metadata` (see `production-agent.ts:1144-1156` for the\n * historical googleToken propagation pattern).\n */\nconst SENSITIVE_METADATA_KEYS = new Set([\n  \"googleToken\",\n  \"userEmail\",\n  \"orgDomain\",\n  \"accessToken\",\n  \"refreshToken\",\n  \"apiKey\",\n  \"Authorization\",\n  \"authorization\",\n  \"bearer\",\n]);\n\nfunction sanitizeTaskForResponse(task: any): any {\n  if (!task || typeof task !== \"object\") return task;\n  if (!task.metadata || typeof task.metadata !== \"object\") return task;\n\n  const meta = task.metadata as Record<string, unknown>;\n  const publicMeta: Record<string, unknown> = {};\n  for (const [k, v] of Object.entries(meta)) {\n    if (k === \"__a2a_processor\") continue;\n    if (SENSITIVE_METADATA_KEYS.has(k)) continue;\n    publicMeta[k] = v;\n  }\n  return { ...task, metadata: publicMeta };\n}\n\n/**\n * Reject access when the task has a recorded owner that doesn't match the\n * verified caller. Returns a 404-shaped JSON-RPC error to avoid disclosing\n * task existence to the wrong caller (enumeration via UUID lookup).\n *\n * - When the task has no recorded owner (legacy row from before the\n *   owner_email migration) we allow access if some verifiable bearer token\n *   was presented; otherwise we still reject so an unsigned caller can never\n *   read or cancel arbitrary task ids.\n * - When neither A2A_SECRET nor apiKeyEnv is configured AND we're in\n *   production, we refuse `tasks/get` and `tasks/cancel` outright — there's\n *   no way to authenticate the caller, so the only safe response is \"not\n *   found\".\n */\nfunction authorizeTaskAccess(\n  taskOwnerEmail: string | null,\n  event: any,\n  config: A2AConfig,\n): JsonRpcResponse | null {\n  const verifiedEmail =\n    (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n  const hasA2ASecret = hasConfiguredA2ASecret();\n  const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n  const inProduction = isA2AProductionRuntime();\n\n  if (inProduction && !hasA2ASecret && !hasApiKey) {\n    // No way to authenticate the caller in production — refuse access.\n    return jsonRpcError(0, -32001, \"Task not found\");\n  }\n\n  if (taskOwnerEmail) {\n    if (!verifiedEmail) {\n      return jsonRpcError(0, -32001, \"Task not found\");\n    }\n    if (verifiedEmail.toLowerCase() !== taskOwnerEmail.toLowerCase()) {\n      return jsonRpcError(0, -32001, \"Task not found\");\n    }\n  }\n  // Legacy row (no owner_email recorded). The route-level auth gate is the\n  // only thing protecting it — fall through and serve.\n  return null;\n}\n\nasync function handleGet(\n  params: Record<string, unknown>,\n  event: any,\n  config: A2AConfig,\n): Promise<JsonRpcResponse> {\n  const id = params.id as string;\n  if (!id) {\n    return jsonRpcError(0, -32602, \"Invalid params: id required\");\n  }\n  const ownerEmail = await getTaskOwner(id);\n  const denied = authorizeTaskAccess(ownerEmail, event, config);\n  if (denied) return denied;\n\n  const task = await getTask(id);\n  if (!task) {\n    return jsonRpcError(0, -32001, \"Task not found\");\n  }\n  const taskChanged = await refireStuckAsyncTaskIfNeeded(id, event).catch(\n    (err) => {\n      console.error(\"[a2a] Failed to refire stuck async task:\", err);\n      return false;\n    },\n  );\n  if (taskChanged) {\n    const updated = await getTask(id);\n    if (updated) return jsonRpcResult(0, sanitizeTaskForResponse(updated));\n  }\n  return jsonRpcResult(0, sanitizeTaskForResponse(task));\n}\n\nasync function refireStuckAsyncTaskIfNeeded(\n  taskId: string,\n  event: any,\n): Promise<boolean> {\n  const state = await getA2ATaskDispatchState(taskId);\n  if (!state) return false;\n  if (!state.metadata?.__a2a_processor) return false;\n\n  const now = Date.now();\n  if (\n    (state.statusState === \"submitted\" || state.statusState === \"working\") &&\n    state.updatedAt <= now - A2A_QUEUED_DISPATCH_STUCK_AFTER_MS\n  ) {\n    if (await touchQueuedA2ATaskDispatch(taskId)) {\n      await fireProcessTaskDispatch(event, taskId);\n      return true;\n    }\n    return false;\n  }\n\n  if (\n    state.statusState === \"processing\" &&\n    state.updatedAt <= now - A2A_PROCESSING_STUCK_AFTER_MS\n  ) {\n    // A processor that died mid-handler may have already performed\n    // side-effectful work. Retrying from the top can duplicate artifacts, so\n    // fail deterministically and let the caller issue an intentional retry.\n    const failed = await failStuckA2ATask(\n      taskId,\n      now - A2A_PROCESSING_STUCK_AFTER_MS,\n      \"The async A2A processor timed out before completing. Please retry the request.\",\n    );\n    return failed;\n  }\n\n  return false;\n}\n\nasync function handleCancel(\n  params: Record<string, unknown>,\n  event: any,\n  config: A2AConfig,\n): Promise<JsonRpcResponse> {\n  const id = params.id as string;\n  if (!id) {\n    return jsonRpcError(0, -32602, \"Invalid params: id required\");\n  }\n  const ownerEmail = await getTaskOwner(id);\n  const denied = authorizeTaskAccess(ownerEmail, event, config);\n  if (denied) return denied;\n\n  const task = await updateTask(id, { state: \"canceled\" });\n  if (!task) {\n    return jsonRpcError(0, -32001, \"Task not found\");\n  }\n  return jsonRpcResult(0, sanitizeTaskForResponse(task));\n}\n\n/**\n * H3-compatible JSON-RPC handler. Returns JSON directly (H3 serializes it).\n * Streaming is handled via H3's node response when needed.\n */\nexport async function handleJsonRpcH3(\n  body: any,\n  event: any,\n  config: A2AConfig,\n): Promise<JsonRpcResponse> {\n  if (!body || body.jsonrpc !== \"2.0\" || !body.method) {\n    setResponseStatus(event, 400);\n    return jsonRpcError(body?.id ?? null, -32600, \"Invalid JSON-RPC request\");\n  }\n\n  const params = (body.params as Record<string, unknown>) ?? {};\n  const id = body.id;\n\n  switch (body.method) {\n    case \"message/send\": {\n      const result = await handleSend(params, config, event);\n      const { _id, ...response } = result;\n      return { ...response, id } as JsonRpcResponse;\n    }\n    case \"message/stream\": {\n      if (!config.streaming) {\n        return jsonRpcError(id, -32601, \"Streaming not supported\");\n      }\n      // Use the raw node response for SSE streaming\n      const res = event.node?.res;\n      if (!res) {\n        return jsonRpcError(id, -32000, \"Streaming not available\");\n      }\n      setResponseHeader(event, \"Content-Type\", \"text/event-stream\");\n      setResponseHeader(event, \"Cache-Control\", \"no-cache\");\n      setResponseHeader(event, \"Connection\", \"keep-alive\");\n      await handleStream(params, config, res, event);\n      return undefined as any; // Response already sent via SSE\n    }\n    case \"tasks/get\": {\n      const result = await handleGet(params, event, config);\n      return { ...result, id } as JsonRpcResponse;\n    }\n    case \"tasks/cancel\": {\n      const result = await handleCancel(params, event, config);\n      return { ...result, id } as JsonRpcResponse;\n    }\n    default:\n      return jsonRpcError(id, -32601, `Method not found: ${body.method}`);\n  }\n}\n"]}

package/dist/a2a/server.js

@@ -77,7 +77,7 @@ async function verifyA2AToken(token, event) {
         try {
             const { getA2ASecretByDomain } = await import("../org/context.js");
             const orgSecret = await getA2ASecretByDomain(orgDomainHint);
-            addSecretCandidate(candidateSecrets, orgSecret);
+            addSecretCandidate(candidateSecrets, orgSecret ?? undefined);
         }
         catch {
             // DB not ready or column doesn't exist yet — fall through
@@ -193,7 +193,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
         if (hasConfiguredA2ASecret()) {
             const auth = getRequestHeader(event, "authorization");
             const tok = extractBearerToken(auth);
-            if (!verifyInternalToken(taskId, tok)) {
+            if (!verifyInternalToken(taskId, tok ?? "")) {
                 setResponseStatus(event, 401);
                 return { error: "Invalid or expired processor token" };
             }

package/dist/a2a/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,wCAAwC,CAAC;AAClE,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,SAAS,EACT,gBAAgB,GACjB,MAAM,IAAI,CAAC;AAEZ,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACzE,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAE1B;;;;;GAKG;AACH,IAAI,gBAAgB,GAAG,KAAK,CAAC;AAC7B,SAAS,iBAAiB;IACxB,IAAI,gBAAgB;QAAE,OAAO;IAC7B,gBAAgB,GAAG,IAAI,CAAC;IACxB,sCAAsC;IACtC,OAAO,CAAC,IAAI,CACV,mFAAmF;QACjF,4FAA4F,CAC/F,CAAC;AACJ,CAAC;AAWD,SAAS,kBAAkB,CACzB,UAAoB,EACpB,MAA0B;IAE1B,MAAM,OAAO,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO;IACrD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,KAAsB;IACjD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,uEAAuE;IACvE,uEAAuE;IACvE,oEAAoE;IACpE,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,IAAI,OAAO,CAAC;QACtE,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,IAAI;YAAE,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,KAAa,EACb,KAAsB;IAEtB,qEAAqE;IACrE,qEAAqE;IACrE,qEAAqE;IACrE,oEAAoE;IACpE,wBAAwB;IACxB,IAAI,aAAiC,CAAC;IACtC,IAAI,iBAA8C,CAAC;IACnD,IAAI,CAAC;QACH,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC1C,aAAa,GAAG,iBAAiB,CAAC,UAAgC,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;IAED,4EAA4E;IAC5E,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC7D,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC;YAC5D,kBAAkB,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IACD,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAE3E,iDAAiD;IACjD,EAAE;IACF,kEAAkE;IAClE,qEAAqE;IACrE,wBAAwB;IACxB,kEAAkE;IAClE,wEAAwE;IACxE,oEAAoE;IACpE,uEAAuE;IACvE,oEAAoE;IACpE,kEAAkE;IAClE,oEAAoE;IACpE,uEAAuE;IACvE,sEAAsE;IACtE,qCAAqC;IACrC,IAAI,CAAC;QACH,MAAM,aAAa,GAA0B,EAAE,CAAC;QAChD,IAAI,iBAAiB,IAAI,OAAO,iBAAiB,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;YACtE,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,GAAG;gBAAE,aAAa,CAAC,QAAQ,GAAG,GAAG,CAAC;QACxC,CAAC;QACD,IACE,iBAAiB;YACjB,OAAO,iBAAiB,CAAC,GAAG,KAAK,QAAQ;YACzC,iBAAiB,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAChC,CAAC;YACD,aAAa,CAAC,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC;QAC/C,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAChC,aAAa,CACd,CAAC;gBACF,OAAO;oBACL,KAAK,EAAG,OAAO,CAAC,GAAc,IAAI,IAAI;oBACtC,SAAS,EAAG,OAAO,CAAC,UAAqB,IAAI,IAAI;iBAClD,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,8DAA8D;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;IAC5E,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAa,EACb,MAAiB,EACjB,WAAW,GAAG,gBAAgB;IAE9B,iDAAiD;IACjD,EAAE;IACF,wEAAwE;IACxE,qEAAqE;IACrE,oEAAoE;IACpE,qEAAqE;IACrE,wEAAwE;IACxE,wDAAwD;IACxD,2CAA2C;IAC3C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,8BAA8B,EAC9B,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,QAAQ,GACZ,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC;YAC5C,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,WAAW,CAAC;QAC5D,MAAM,OAAO,GAAG,GAAG,QAAQ,MAAM,IAAI,EAAE,CAAC;QAExC,MAAM,cAAc,GAAG,2BAA2B,CAAC,MAAM,CAAC,CAAC;QAE3D,OAAO,iBAAiB,CACtB,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,EACrC,OAAO,EACP,GAAG,WAAW,MAAM,CACrB,CAAC;IACJ,CAAC,CAAC,CACH,CAAC;IAEF,0EAA0E;IAC1E,0EAA0E;IAC1E,2EAA2E;IAC3E,gEAAgE;IAChE,EAAE;IACF,yEAAyE;IACzE,oEAAoE;IACpE,2EAA2E;IAC3E,2EAA2E;IAC3E,kEAAkE;IAClE,8BAA8B;IAC9B,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,oBAAoB,EAClC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAgC,CAAC;QACpE,MAAM,MAAM,GAAG,IAAI,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QAED,mEAAmE;QACnE,qEAAqE;QACrE,qEAAqE;QACrE,8DAA8D;QAC9D,qEAAqE;QACrE,qEAAqE;QACrE,IAAI,sBAAsB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACrC,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;gBACtC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;YACzD,CAAC;QACH,CAAC;aAAM,IAAI,sBAAsB,EAAE,EAAE,CAAC;YACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,uFAAuF;aAC1F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,iBAAiB,EAAE,CAAC;QACtB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACrD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;YACjD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,6CAA6C;IAC7C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,MAAM,EACpB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,iEAAiE;QACjE,qEAAqE;QACrE,iEAAiE;QACjE,mEAAmE;QACnE,oDAAoD;QACpD,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO;QAE5C,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;QAC5D,MAAM,WAAW,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QACnD,IAAI,mBAAmB,GAAkB,IAAI,CAAC;QAC9C,IAAI,iBAAiB,GAAkB,IAAI,CAAC;QAC5C,IAAI,yBAAyB,GAAG,KAAK,CAAC;QACtC,IAAI,wBAAwB,GAAG,KAAK,CAAC;QAErC,oEAAoE;QACpE,wEAAwE;QACxE,qEAAqE;QACrE,iEAAiE;QACjE,4DAA4D;QAC5D,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QAExE,6EAA6E;QAC7E,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,YAAY,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAC9D,mBAAmB,GAAG,YAAY,CAAC,KAAK,CAAC;YACzC,iBAAiB,GAAG,YAAY,CAAC,SAAS,CAAC;YAC3C,wBAAwB,GAAG,CAAC,mBAAmB,CAAC;QAClD,CAAC;QAED,yDAAyD;QACzD,IAAI,CAAC,mBAAmB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YAC7C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,WAAW,EAAE,CAAC;gBAChB,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,yBAAyB,EAAE;qBAC5D,CAAC;gBACJ,CAAC;gBACD,IAAI,WAAW,KAAK,WAAW,EAAE,CAAC;oBAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE;qBACpD,CAAC;gBACJ,CAAC;gBACD,yBAAyB,GAAG,IAAI,CAAC;YACnC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,mBAAmB,IAAI,CAAC,yBAAyB,EAAE,CAAC;YACvD,oEAAoE;YACpE,gEAAgE;YAChE,qEAAqE;YACrE,qCAAqC;YACrC,IAAI,wBAAwB,EAAE,CAAC;gBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,8BAA8B;qBACxC;iBACF,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChC,IAAI,sBAAsB,EAAE,EAAE,CAAC;oBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE;4BACL,IAAI,EAAE,CAAC,KAAK;4BACZ,OAAO,EACL,qHAAqH;yBACxH;qBACF,CAAC;gBACJ,CAAC;gBACD,iBAAiB,EAAE,CAAC;YACtB,CAAC;iBAAM,IAAI,sBAAsB,EAAE,EAAE,CAAC;gBACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,yBAAyB;qBACnC;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,oEAAoE;QACpE,IAAI,mBAAmB,EAAE,CAAC;YACxB,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,mBAAmB,CAAC;QACzD,CAAC;QACD,IAAI,iBAAiB,EAAE,CAAC;YACtB,KAAK,CAAC,OAAO,CAAC,cAAc,GAAG,iBAAiB,CAAC;QACnD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,OAAO,eAAe,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,MAAiB;IAC3D,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QAC5C,MAAM,EAAE,GACL,KAAwC,CAAC,EAAE;YAC3C,KAA2B,CAAC,IAAI;YACjC,EAAE,CAAC;QACL,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;YAC3B,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC9D,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,IAAI,KAAK,CAAC,YAAY,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;YAC1E,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,gBAAgB;YAAE,OAAO,IAAI,CAAC;QAE1C,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;YACtB,OAAO,CACL,KAAK,CAAC,WAAW,CAAC,MAAM,KAAK,IAAI;gBACjC,KAAK,CAAC,WAAW,CAAC,QAAQ,KAAK,IAAI;gBACnC,KAAK,CAAC,WAAW,CAAC,YAAY,KAAK,IAAI;gBACvC,KAAK,CAAC,WAAW,CAAC,eAAe,KAAK,IAAI,CAC3C,CAAC;QACJ,CAAC;QAED,OAAO,KAAK,CAAC,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,QAAQ,KAAK,KAAK,CAAC;IAC3D,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import * as jose from \"jose\";\nimport { getH3App } from \"../server/framework-request-handler.js\";\nimport {\n  defineEventHandler,\n  setResponseStatus,\n  getMethod,\n  getRequestHeader,\n} from \"h3\";\nimport type { A2AConfig } from \"./types.js\";\nimport { generateAgentCard } from \"./agent-card.js\";\nimport { handleJsonRpcH3, processA2ATaskFromQueue } from \"./handlers.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n  extractBearerToken,\n  verifyInternalToken,\n} from \"../integrations/internal-token.js\";\nimport {\n  hasConfiguredA2ASecret,\n  isA2AProductionRuntime,\n} from \"./auth-policy.js\";\n\n/**\n * One-time warning when A2A is running unauthenticated in development. We\n * don't refuse the request (local templates need to work out of the box),\n * but we log a single noisy line so operators notice if they accidentally\n * deploy with no auth configured.\n */\nlet _warnedUnauthA2A = false;\nfunction warnA2AUnauthOnce(): void {\n  if (_warnedUnauthA2A) return;\n  _warnedUnauthA2A = true;\n  // eslint-disable-next-line no-console\n  console.warn(\n    \"[a2a] No A2A_SECRET or apiKeyEnv configured — A2A endpoint runs unauthenticated. \" +\n      \"This is allowed in development but blocked in production. Set A2A_SECRET before deploying.\",\n  );\n}\n\n/**\n * Verify an inbound A2A JWT signed with the shared A2A_SECRET.\n * Returns the caller's email (from `sub` claim) if valid, null otherwise.\n */\ninterface A2ATokenPayload {\n  email: string | null;\n  orgDomain: string | null;\n}\n\nfunction addSecretCandidate(\n  candidates: string[],\n  secret: string | undefined,\n): void {\n  const trimmed = secret?.trim();\n  if (!trimmed || candidates.includes(trimmed)) return;\n  candidates.push(trimmed);\n}\n\n/**\n * Resolve the audience (`aud`) value to expect in an inbound JWT. We use the\n * receiver's app URL — it's the natural identifier of \"who this token was\n * minted for\". Falls back to undefined when no app URL is configured, in\n * which case the audience check is skipped (backward-compat with tokens\n * minted before the audience claim shipped).\n */\nfunction expectedJwtAudience(event: any | undefined): string | undefined {\n  const fromEnv =\n    process.env.APP_URL ||\n    process.env.URL ||\n    process.env.DEPLOY_URL ||\n    process.env.BETTER_AUTH_URL;\n  if (fromEnv) return String(fromEnv);\n  // Best-effort: derive from the inbound request host. This is forgeable\n  // (Host-header attack), but only useful as a hint when env-derived URL\n  // is unset; the rest of the JWT verification still uses the secret.\n  try {\n    const proto = getRequestHeader(event, \"x-forwarded-proto\") || \"https\";\n    const host = getRequestHeader(event, \"host\");\n    if (host) return `${proto}://${host}`;\n  } catch {}\n  return undefined;\n}\n\nasync function verifyA2AToken(\n  token: string,\n  event: any | undefined,\n): Promise<A2ATokenPayload> {\n  // Step 1: Peek at JWT claims WITHOUT verification to get org_domain.\n  // This is safe because we only use org_domain to look up the secret,\n  // then verify the full JWT with that secret. If someone forges a JWT\n  // with a fake org_domain, verification will fail because they don't\n  // have the real secret.\n  let orgDomainHint: string | undefined;\n  let unverifiedPayload: jose.JWTPayload | undefined;\n  try {\n    unverifiedPayload = jose.decodeJwt(token);\n    orgDomainHint = unverifiedPayload.org_domain as string | undefined;\n  } catch {\n    // Malformed token — fall through to global secret attempt\n  }\n\n  // Step 2: Build a small, ordered set of candidate secrets. Tokens minted by\n  // current callers prefer the shared A2A_SECRET; older callers may still use\n  // an org-level secret. Try both without logging or reflecting secret details.\n  const candidateSecrets: string[] = [];\n  addSecretCandidate(candidateSecrets, process.env.A2A_SECRET);\n  if (orgDomainHint) {\n    try {\n      const { getA2ASecretByDomain } = await import(\"../org/context.js\");\n      const orgSecret = await getA2ASecretByDomain(orgDomainHint);\n      addSecretCandidate(candidateSecrets, orgSecret);\n    } catch {\n      // DB not ready or column doesn't exist yet — fall through\n    }\n  }\n  if (candidateSecrets.length === 0) return { email: null, orgDomain: null };\n\n  // Step 3: Verify JWT with the candidate secrets.\n  //\n  // - `audience`: passed only when the token carries an `aud` claim\n  //   (backward-compat: tokens minted by older `signA2AToken` versions\n  //   don't include one).\n  // - `issuer`: enforced when the token carries an `iss` claim. The\n  //   sender's `signA2AToken` (`a2a/client.ts:42`) sets the issuer to its\n  //   own app URL, so a verified token must self-identify a non-empty\n  //   string issuer. We accept any string the token claims (we don't pin\n  //   a specific expected issuer because dispatchers may legitimately\n  //   mint tokens from many sender URLs — dev tunnels, multi-deploy\n  //   setups). The pin is \"issuer must match the value the token says\n  //   it was minted from\", which `jose.jwtVerify` validates exactly when\n  //   `issuer` is supplied as a string. Backward-compat: when the token\n  //   has no `iss`, we skip the check.\n  try {\n    const verifyOptions: jose.JWTVerifyOptions = {};\n    if (unverifiedPayload && typeof unverifiedPayload.aud !== \"undefined\") {\n      const aud = expectedJwtAudience(event);\n      if (aud) verifyOptions.audience = aud;\n    }\n    if (\n      unverifiedPayload &&\n      typeof unverifiedPayload.iss === \"string\" &&\n      unverifiedPayload.iss.length > 0\n    ) {\n      verifyOptions.issuer = unverifiedPayload.iss;\n    }\n    for (const secret of candidateSecrets) {\n      try {\n        const { payload } = await jose.jwtVerify(\n          token,\n          new TextEncoder().encode(secret),\n          verifyOptions,\n        );\n        return {\n          email: (payload.sub as string) ?? null,\n          orgDomain: (payload.org_domain as string) ?? null,\n        };\n      } catch {\n        // Try the next candidate without leaking which secret failed.\n      }\n    }\n  } catch {\n    // Keep malformed option construction indistinguishable from auth failure.\n  }\n  return { email: null, orgDomain: null };\n}\n\n/**\n * Mount A2A protocol endpoints on an H3/Nitro app.\n *\n * - GET /.well-known/agent-card.json — public agent card (no auth)\n * - POST /_agent-native/a2a — JSON-RPC endpoint (with optional auth)\n *\n * When A2A_SECRET is set, inbound Bearer tokens are verified as JWTs\n * and the caller's email is extracted from the `sub` claim. This provides\n * cryptographic identity verification for cross-app A2A calls.\n */\nexport function mountA2A(\n  nitroApp: any,\n  config: A2AConfig,\n  routePrefix = \"/_agent-native\",\n): void {\n  // Public agent card endpoint (no auth required).\n  //\n  // SECURITY: per-user / per-org MCP tools are filtered out of the public\n  // skills list. Their merged-key prefix (`mcp__user_<emailhash>_…` or\n  // `mcp__org_<orgid>_…`) discloses (a) which users have integrations\n  // attached, and (b) what those integrations are — fingerprinting the\n  // tenant. Template- and framework-defined skills stay; only the dynamic\n  // per-tenant MCP entries are dropped. See finding #7 in\n  // /tmp/security-audit/12-mcp-a2a-agent.md.\n  getH3App(nitroApp).use(\n    \"/.well-known/agent-card.json\",\n    defineEventHandler((event) => {\n      if (getMethod(event) !== \"GET\") {\n        setResponseStatus(event, 405);\n        return { error: \"Method not allowed\" };\n      }\n      const protocol =\n        getRequestHeader(event, \"x-forwarded-proto\") ||\n        (event.url?.protocol?.replace(\":\", \"\") ?? \"http\");\n      const host = getRequestHeader(event, \"host\") ?? \"localhost\";\n      const baseUrl = `${protocol}://${host}`;\n\n      const filteredSkills = filterPublicAgentCardSkills(config);\n\n      return generateAgentCard(\n        { ...config, skills: filteredSkills },\n        baseUrl,\n        `${routePrefix}/a2a`,\n      );\n    }),\n  );\n\n  // Async-mode processor route. MUST be mounted BEFORE the `/a2a` catch-all\n  // below, since h3's `.use()` matches by prefix and `/a2a` would otherwise\n  // swallow `/a2a/_process-task` and return a JSON-RPC \"Invalid token\" error\n  // (the JSON-RPC handler doesn't know about taskId-only bodies).\n  //\n  // When `message/send` is called with `async: true`, the JSON-RPC handler\n  // enqueues the task and self-fires a POST to this route on the same\n  // deployment so the actual handler runs in a fresh function execution (its\n  // own full timeout). Authenticated with an HMAC token bound to the task id\n  // (5-minute lifetime, signed with A2A_SECRET — same scheme as the\n  // integration webhook queue).\n  getH3App(nitroApp).use(\n    `${routePrefix}/a2a/_process-task`,\n    defineEventHandler(async (event) => {\n      if (getMethod(event) !== \"POST\") {\n        setResponseStatus(event, 405);\n        return { error: \"Method not allowed\" };\n      }\n\n      const body = (await readBody(event)) as { taskId?: unknown } | null;\n      const taskId = body && typeof body.taskId === \"string\" ? body.taskId : \"\";\n      if (!taskId) {\n        setResponseStatus(event, 400);\n        return { error: \"taskId required\" };\n      }\n\n      // When A2A_SECRET is set, require a valid HMAC token bound to this\n      // taskId. In production, we REQUIRE A2A_SECRET to be set so unsigned\n      // dispatches are never accepted (an attacker who fishes a taskId out\n      // of logs / a share link could otherwise force-replay it). In\n      // development, a missing secret is permitted so local templates work\n      // out of the box, but we log a one-time warning so operators notice.\n      if (hasConfiguredA2ASecret()) {\n        const auth = getRequestHeader(event, \"authorization\");\n        const tok = extractBearerToken(auth);\n        if (!verifyInternalToken(taskId, tok)) {\n          setResponseStatus(event, 401);\n          return { error: \"Invalid or expired processor token\" };\n        }\n      } else if (isA2AProductionRuntime()) {\n        setResponseStatus(event, 503);\n        return {\n          error:\n            \"A2A processor not configured — set A2A_SECRET on this deployment to enable async A2A.\",\n        };\n      } else {\n        warnA2AUnauthOnce();\n      }\n\n      try {\n        await processA2ATaskFromQueue(taskId, config, event);\n        return { ok: true };\n      } catch (err: any) {\n        console.error(\"[a2a] process-task failed:\", err);\n        setResponseStatus(event, 500);\n        return { error: err?.message ?? \"process-task failed\" };\n      }\n    }),\n  );\n\n  // JSON-RPC A2A endpoint (with optional auth)\n  getH3App(nitroApp).use(\n    `${routePrefix}/a2a`,\n    defineEventHandler(async (event) => {\n      if (getMethod(event) !== \"POST\") {\n        setResponseStatus(event, 405);\n        return { error: \"Method not allowed\" };\n      }\n\n      // h3 prefix-matches mounts, so a request to `/a2a/_process-task`\n      // reaches this handler too. The dedicated mount above runs first and\n      // takes the request, but if that returns `undefined` (or h3 ever\n      // changes ordering semantics) defensively bail here. event.path is\n      // stripped to the remainder after the mount prefix.\n      const sub = (event.path || \"/\").split(\"?\")[0].replace(/^\\//, \"\");\n      if (sub.startsWith(\"_process-task\")) return;\n\n      const authHeader = getRequestHeader(event, \"authorization\");\n      const bearerToken = extractBearerToken(authHeader);\n      let verifiedCallerEmail: string | null = null;\n      let verifiedOrgDomain: string | null = null;\n      let legacyApiKeyAuthenticated = false;\n      let bearerTokenRejectedByJwt = false;\n\n      // SECURITY: when neither A2A_SECRET nor an apiKeyEnv is configured,\n      // there's no way to authenticate the caller. Default to \"auth required\"\n      // in production — return 503 with a clear message instead of running\n      // the agent loop unauthenticated. In development, log a one-time\n      // warning but allow so local templates work out of the box.\n      const hasA2ASecret = hasConfiguredA2ASecret();\n      const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n\n      // Try JWT verification first (org-level or global A2A_SECRET-based identity)\n      if (bearerToken) {\n        const tokenPayload = await verifyA2AToken(bearerToken, event);\n        verifiedCallerEmail = tokenPayload.email;\n        verifiedOrgDomain = tokenPayload.orgDomain;\n        bearerTokenRejectedByJwt = !verifiedCallerEmail;\n      }\n\n      // Fall back to legacy API key check (exact string match)\n      if (!verifiedCallerEmail && config.apiKeyEnv) {\n        const expectedKey = process.env[config.apiKeyEnv];\n        if (expectedKey) {\n          if (!bearerToken) {\n            setResponseStatus(event, 401);\n            return {\n              jsonrpc: \"2.0\",\n              id: null,\n              error: { code: -32001, message: \"Authentication required\" },\n            };\n          }\n          if (bearerToken !== expectedKey) {\n            setResponseStatus(event, 401);\n            return {\n              jsonrpc: \"2.0\",\n              id: null,\n              error: { code: -32001, message: \"Invalid API key\" },\n            };\n          }\n          legacyApiKeyAuthenticated = true;\n        }\n      }\n\n      if (!verifiedCallerEmail && !legacyApiKeyAuthenticated) {\n        // Any supplied bearer token that failed JWT verification is an auth\n        // failure after the legacy exact-match apiKeyEnv path has had a\n        // chance to succeed. Do not let bad tokens fall through to tasks/get\n        // and get reported as lookup misses.\n        if (bearerTokenRejectedByJwt) {\n          setResponseStatus(event, 401);\n          return {\n            jsonrpc: \"2.0\",\n            id: null,\n            error: {\n              code: -32001,\n              message: \"Invalid or expired A2A token\",\n            },\n          };\n        }\n\n        if (!hasA2ASecret && !hasApiKey) {\n          if (isA2AProductionRuntime()) {\n            setResponseStatus(event, 503);\n            return {\n              jsonrpc: \"2.0\",\n              id: null,\n              error: {\n                code: -32001,\n                message:\n                  \"A2A authentication not configured. Set A2A_SECRET (preferred) or configure apiKeyEnv to accept inbound A2A traffic.\",\n              },\n            };\n          }\n          warnA2AUnauthOnce();\n        } else if (isA2AProductionRuntime()) {\n          setResponseStatus(event, 401);\n          return {\n            jsonrpc: \"2.0\",\n            id: null,\n            error: {\n              code: -32001,\n              message: \"Authentication required\",\n            },\n          };\n        }\n      }\n\n      // Store verified caller identity on the event context so the handler\n      // can set request context from a trusted source instead of metadata\n      if (verifiedCallerEmail) {\n        event.context.__a2aVerifiedEmail = verifiedCallerEmail;\n      }\n      if (verifiedOrgDomain) {\n        event.context.__a2aOrgDomain = verifiedOrgDomain;\n      }\n\n      const body = await readBody(event);\n      return handleJsonRpcH3(body, event, config);\n    }),\n  );\n}\n\nexport function filterPublicAgentCardSkills(config: A2AConfig) {\n  return (config.skills ?? []).filter((skill) => {\n    const id =\n      (skill as { id?: string; name?: string }).id ??\n      (skill as { name?: string }).name ??\n      \"\";\n    if (typeof id === \"string\") {\n      if (id.startsWith(\"mcp__user_\") || id.startsWith(\"mcp__org_\")) {\n        return false;\n      }\n    }\n\n    if (skill.public === false || skill.requiresAuth || skill.isConsequential) {\n      return false;\n    }\n\n    if (!config.publicSkillsOnly) return true;\n\n    if (skill.publicAgent) {\n      return (\n        skill.publicAgent.expose === true &&\n        skill.publicAgent.readOnly === true &&\n        skill.publicAgent.requiresAuth !== true &&\n        skill.publicAgent.isConsequential !== true\n      );\n    }\n\n    return skill.public === true && skill.readOnly !== false;\n  });\n}\n"]}
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,wCAAwC,CAAC;AAClE,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,SAAS,EACT,gBAAgB,GACjB,MAAM,IAAI,CAAC;AAEZ,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACzE,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAE1B;;;;;GAKG;AACH,IAAI,gBAAgB,GAAG,KAAK,CAAC;AAC7B,SAAS,iBAAiB;IACxB,IAAI,gBAAgB;QAAE,OAAO;IAC7B,gBAAgB,GAAG,IAAI,CAAC;IACxB,sCAAsC;IACtC,OAAO,CAAC,IAAI,CACV,mFAAmF;QACjF,4FAA4F,CAC/F,CAAC;AACJ,CAAC;AAWD,SAAS,kBAAkB,CACzB,UAAoB,EACpB,MAA0B;IAE1B,MAAM,OAAO,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO;IACrD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,KAAsB;IACjD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,uEAAuE;IACvE,uEAAuE;IACvE,oEAAoE;IACpE,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,IAAI,OAAO,CAAC;QACtE,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,IAAI;YAAE,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,KAAa,EACb,KAAsB;IAEtB,qEAAqE;IACrE,qEAAqE;IACrE,qEAAqE;IACrE,oEAAoE;IACpE,wBAAwB;IACxB,IAAI,aAAiC,CAAC;IACtC,IAAI,iBAA8C,CAAC;IACnD,IAAI,CAAC;QACH,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC1C,aAAa,GAAG,iBAAiB,CAAC,UAAgC,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;IAED,4EAA4E;IAC5E,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC7D,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC;YAC5D,kBAAkB,CAAC,gBAAgB,EAAE,SAAS,IAAI,SAAS,CAAC,CAAC;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IACD,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAE3E,iDAAiD;IACjD,EAAE;IACF,kEAAkE;IAClE,qEAAqE;IACrE,wBAAwB;IACxB,kEAAkE;IAClE,wEAAwE;IACxE,oEAAoE;IACpE,uEAAuE;IACvE,oEAAoE;IACpE,kEAAkE;IAClE,oEAAoE;IACpE,uEAAuE;IACvE,sEAAsE;IACtE,qCAAqC;IACrC,IAAI,CAAC;QACH,MAAM,aAAa,GAA0B,EAAE,CAAC;QAChD,IAAI,iBAAiB,IAAI,OAAO,iBAAiB,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;YACtE,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,GAAG;gBAAE,aAAa,CAAC,QAAQ,GAAG,GAAG,CAAC;QACxC,CAAC;QACD,IACE,iBAAiB;YACjB,OAAO,iBAAiB,CAAC,GAAG,KAAK,QAAQ;YACzC,iBAAiB,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAChC,CAAC;YACD,aAAa,CAAC,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC;QAC/C,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAChC,aAAa,CACd,CAAC;gBACF,OAAO;oBACL,KAAK,EAAG,OAAO,CAAC,GAAc,IAAI,IAAI;oBACtC,SAAS,EAAG,OAAO,CAAC,UAAqB,IAAI,IAAI;iBAClD,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,8DAA8D;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;IAC5E,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAa,EACb,MAAiB,EACjB,WAAW,GAAG,gBAAgB;IAE9B,iDAAiD;IACjD,EAAE;IACF,wEAAwE;IACxE,qEAAqE;IACrE,oEAAoE;IACpE,qEAAqE;IACrE,wEAAwE;IACxE,wDAAwD;IACxD,2CAA2C;IAC3C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,8BAA8B,EAC9B,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,QAAQ,GACZ,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC;YAC5C,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,WAAW,CAAC;QAC5D,MAAM,OAAO,GAAG,GAAG,QAAQ,MAAM,IAAI,EAAE,CAAC;QAExC,MAAM,cAAc,GAAG,2BAA2B,CAAC,MAAM,CAAC,CAAC;QAE3D,OAAO,iBAAiB,CACtB,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,EACrC,OAAO,EACP,GAAG,WAAW,MAAM,CACrB,CAAC;IACJ,CAAC,CAAC,CACH,CAAC;IAEF,0EAA0E;IAC1E,0EAA0E;IAC1E,2EAA2E;IAC3E,gEAAgE;IAChE,EAAE;IACF,yEAAyE;IACzE,oEAAoE;IACpE,2EAA2E;IAC3E,2EAA2E;IAC3E,kEAAkE;IAClE,8BAA8B;IAC9B,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,oBAAoB,EAClC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAgC,CAAC;QACpE,MAAM,MAAM,GAAG,IAAI,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QAED,mEAAmE;QACnE,qEAAqE;QACrE,qEAAqE;QACrE,8DAA8D;QAC9D,qEAAqE;QACrE,qEAAqE;QACrE,IAAI,sBAAsB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACrC,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC,EAAE,CAAC;gBAC5C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;YACzD,CAAC;QACH,CAAC;aAAM,IAAI,sBAAsB,EAAE,EAAE,CAAC;YACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,uFAAuF;aAC1F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,iBAAiB,EAAE,CAAC;QACtB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACrD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;YACjD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,6CAA6C;IAC7C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,MAAM,EACpB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,iEAAiE;QACjE,qEAAqE;QACrE,iEAAiE;QACjE,mEAAmE;QACnE,oDAAoD;QACpD,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO;QAE5C,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;QAC5D,MAAM,WAAW,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QACnD,IAAI,mBAAmB,GAAkB,IAAI,CAAC;QAC9C,IAAI,iBAAiB,GAAkB,IAAI,CAAC;QAC5C,IAAI,yBAAyB,GAAG,KAAK,CAAC;QACtC,IAAI,wBAAwB,GAAG,KAAK,CAAC;QAErC,oEAAoE;QACpE,wEAAwE;QACxE,qEAAqE;QACrE,iEAAiE;QACjE,4DAA4D;QAC5D,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QAExE,6EAA6E;QAC7E,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,YAAY,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAC9D,mBAAmB,GAAG,YAAY,CAAC,KAAK,CAAC;YACzC,iBAAiB,GAAG,YAAY,CAAC,SAAS,CAAC;YAC3C,wBAAwB,GAAG,CAAC,mBAAmB,CAAC;QAClD,CAAC;QAED,yDAAyD;QACzD,IAAI,CAAC,mBAAmB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YAC7C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,WAAW,EAAE,CAAC;gBAChB,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,yBAAyB,EAAE;qBAC5D,CAAC;gBACJ,CAAC;gBACD,IAAI,WAAW,KAAK,WAAW,EAAE,CAAC;oBAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE;qBACpD,CAAC;gBACJ,CAAC;gBACD,yBAAyB,GAAG,IAAI,CAAC;YACnC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,mBAAmB,IAAI,CAAC,yBAAyB,EAAE,CAAC;YACvD,oEAAoE;YACpE,gEAAgE;YAChE,qEAAqE;YACrE,qCAAqC;YACrC,IAAI,wBAAwB,EAAE,CAAC;gBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,8BAA8B;qBACxC;iBACF,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChC,IAAI,sBAAsB,EAAE,EAAE,CAAC;oBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE;4BACL,IAAI,EAAE,CAAC,KAAK;4BACZ,OAAO,EACL,qHAAqH;yBACxH;qBACF,CAAC;gBACJ,CAAC;gBACD,iBAAiB,EAAE,CAAC;YACtB,CAAC;iBAAM,IAAI,sBAAsB,EAAE,EAAE,CAAC;gBACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,yBAAyB;qBACnC;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,oEAAoE;QACpE,IAAI,mBAAmB,EAAE,CAAC;YACxB,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,mBAAmB,CAAC;QACzD,CAAC;QACD,IAAI,iBAAiB,EAAE,CAAC;YACtB,KAAK,CAAC,OAAO,CAAC,cAAc,GAAG,iBAAiB,CAAC;QACnD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,OAAO,eAAe,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,MAAiB;IAC3D,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QAC5C,MAAM,EAAE,GACL,KAAwC,CAAC,EAAE;YAC3C,KAA2B,CAAC,IAAI;YACjC,EAAE,CAAC;QACL,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;YAC3B,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC9D,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,IAAI,KAAK,CAAC,YAAY,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;YAC1E,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,gBAAgB;YAAE,OAAO,IAAI,CAAC;QAE1C,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;YACtB,OAAO,CACL,KAAK,CAAC,WAAW,CAAC,MAAM,KAAK,IAAI;gBACjC,KAAK,CAAC,WAAW,CAAC,QAAQ,KAAK,IAAI;gBACnC,KAAK,CAAC,WAAW,CAAC,YAAY,KAAK,IAAI;gBACvC,KAAK,CAAC,WAAW,CAAC,eAAe,KAAK,IAAI,CAC3C,CAAC;QACJ,CAAC;QAED,OAAO,KAAK,CAAC,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,QAAQ,KAAK,KAAK,CAAC;IAC3D,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import * as jose from \"jose\";\nimport { getH3App } from \"../server/framework-request-handler.js\";\nimport {\n  defineEventHandler,\n  setResponseStatus,\n  getMethod,\n  getRequestHeader,\n} from \"h3\";\nimport type { A2AConfig } from \"./types.js\";\nimport { generateAgentCard } from \"./agent-card.js\";\nimport { handleJsonRpcH3, processA2ATaskFromQueue } from \"./handlers.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n  extractBearerToken,\n  verifyInternalToken,\n} from \"../integrations/internal-token.js\";\nimport {\n  hasConfiguredA2ASecret,\n  isA2AProductionRuntime,\n} from \"./auth-policy.js\";\n\n/**\n * One-time warning when A2A is running unauthenticated in development. We\n * don't refuse the request (local templates need to work out of the box),\n * but we log a single noisy line so operators notice if they accidentally\n * deploy with no auth configured.\n */\nlet _warnedUnauthA2A = false;\nfunction warnA2AUnauthOnce(): void {\n  if (_warnedUnauthA2A) return;\n  _warnedUnauthA2A = true;\n  // eslint-disable-next-line no-console\n  console.warn(\n    \"[a2a] No A2A_SECRET or apiKeyEnv configured — A2A endpoint runs unauthenticated. \" +\n      \"This is allowed in development but blocked in production. Set A2A_SECRET before deploying.\",\n  );\n}\n\n/**\n * Verify an inbound A2A JWT signed with the shared A2A_SECRET.\n * Returns the caller's email (from `sub` claim) if valid, null otherwise.\n */\ninterface A2ATokenPayload {\n  email: string | null;\n  orgDomain: string | null;\n}\n\nfunction addSecretCandidate(\n  candidates: string[],\n  secret: string | undefined,\n): void {\n  const trimmed = secret?.trim();\n  if (!trimmed || candidates.includes(trimmed)) return;\n  candidates.push(trimmed);\n}\n\n/**\n * Resolve the audience (`aud`) value to expect in an inbound JWT. We use the\n * receiver's app URL — it's the natural identifier of \"who this token was\n * minted for\". Falls back to undefined when no app URL is configured, in\n * which case the audience check is skipped (backward-compat with tokens\n * minted before the audience claim shipped).\n */\nfunction expectedJwtAudience(event: any | undefined): string | undefined {\n  const fromEnv =\n    process.env.APP_URL ||\n    process.env.URL ||\n    process.env.DEPLOY_URL ||\n    process.env.BETTER_AUTH_URL;\n  if (fromEnv) return String(fromEnv);\n  // Best-effort: derive from the inbound request host. This is forgeable\n  // (Host-header attack), but only useful as a hint when env-derived URL\n  // is unset; the rest of the JWT verification still uses the secret.\n  try {\n    const proto = getRequestHeader(event, \"x-forwarded-proto\") || \"https\";\n    const host = getRequestHeader(event, \"host\");\n    if (host) return `${proto}://${host}`;\n  } catch {}\n  return undefined;\n}\n\nasync function verifyA2AToken(\n  token: string,\n  event: any | undefined,\n): Promise<A2ATokenPayload> {\n  // Step 1: Peek at JWT claims WITHOUT verification to get org_domain.\n  // This is safe because we only use org_domain to look up the secret,\n  // then verify the full JWT with that secret. If someone forges a JWT\n  // with a fake org_domain, verification will fail because they don't\n  // have the real secret.\n  let orgDomainHint: string | undefined;\n  let unverifiedPayload: jose.JWTPayload | undefined;\n  try {\n    unverifiedPayload = jose.decodeJwt(token);\n    orgDomainHint = unverifiedPayload.org_domain as string | undefined;\n  } catch {\n    // Malformed token — fall through to global secret attempt\n  }\n\n  // Step 2: Build a small, ordered set of candidate secrets. Tokens minted by\n  // current callers prefer the shared A2A_SECRET; older callers may still use\n  // an org-level secret. Try both without logging or reflecting secret details.\n  const candidateSecrets: string[] = [];\n  addSecretCandidate(candidateSecrets, process.env.A2A_SECRET);\n  if (orgDomainHint) {\n    try {\n      const { getA2ASecretByDomain } = await import(\"../org/context.js\");\n      const orgSecret = await getA2ASecretByDomain(orgDomainHint);\n      addSecretCandidate(candidateSecrets, orgSecret ?? undefined);\n    } catch {\n      // DB not ready or column doesn't exist yet — fall through\n    }\n  }\n  if (candidateSecrets.length === 0) return { email: null, orgDomain: null };\n\n  // Step 3: Verify JWT with the candidate secrets.\n  //\n  // - `audience`: passed only when the token carries an `aud` claim\n  //   (backward-compat: tokens minted by older `signA2AToken` versions\n  //   don't include one).\n  // - `issuer`: enforced when the token carries an `iss` claim. The\n  //   sender's `signA2AToken` (`a2a/client.ts:42`) sets the issuer to its\n  //   own app URL, so a verified token must self-identify a non-empty\n  //   string issuer. We accept any string the token claims (we don't pin\n  //   a specific expected issuer because dispatchers may legitimately\n  //   mint tokens from many sender URLs — dev tunnels, multi-deploy\n  //   setups). The pin is \"issuer must match the value the token says\n  //   it was minted from\", which `jose.jwtVerify` validates exactly when\n  //   `issuer` is supplied as a string. Backward-compat: when the token\n  //   has no `iss`, we skip the check.\n  try {\n    const verifyOptions: jose.JWTVerifyOptions = {};\n    if (unverifiedPayload && typeof unverifiedPayload.aud !== \"undefined\") {\n      const aud = expectedJwtAudience(event);\n      if (aud) verifyOptions.audience = aud;\n    }\n    if (\n      unverifiedPayload &&\n      typeof unverifiedPayload.iss === \"string\" &&\n      unverifiedPayload.iss.length > 0\n    ) {\n      verifyOptions.issuer = unverifiedPayload.iss;\n    }\n    for (const secret of candidateSecrets) {\n      try {\n        const { payload } = await jose.jwtVerify(\n          token,\n          new TextEncoder().encode(secret),\n          verifyOptions,\n        );\n        return {\n          email: (payload.sub as string) ?? null,\n          orgDomain: (payload.org_domain as string) ?? null,\n        };\n      } catch {\n        // Try the next candidate without leaking which secret failed.\n      }\n    }\n  } catch {\n    // Keep malformed option construction indistinguishable from auth failure.\n  }\n  return { email: null, orgDomain: null };\n}\n\n/**\n * Mount A2A protocol endpoints on an H3/Nitro app.\n *\n * - GET /.well-known/agent-card.json — public agent card (no auth)\n * - POST /_agent-native/a2a — JSON-RPC endpoint (with optional auth)\n *\n * When A2A_SECRET is set, inbound Bearer tokens are verified as JWTs\n * and the caller's email is extracted from the `sub` claim. This provides\n * cryptographic identity verification for cross-app A2A calls.\n */\nexport function mountA2A(\n  nitroApp: any,\n  config: A2AConfig,\n  routePrefix = \"/_agent-native\",\n): void {\n  // Public agent card endpoint (no auth required).\n  //\n  // SECURITY: per-user / per-org MCP tools are filtered out of the public\n  // skills list. Their merged-key prefix (`mcp__user_<emailhash>_…` or\n  // `mcp__org_<orgid>_…`) discloses (a) which users have integrations\n  // attached, and (b) what those integrations are — fingerprinting the\n  // tenant. Template- and framework-defined skills stay; only the dynamic\n  // per-tenant MCP entries are dropped. See finding #7 in\n  // /tmp/security-audit/12-mcp-a2a-agent.md.\n  getH3App(nitroApp).use(\n    \"/.well-known/agent-card.json\",\n    defineEventHandler((event) => {\n      if (getMethod(event) !== \"GET\") {\n        setResponseStatus(event, 405);\n        return { error: \"Method not allowed\" };\n      }\n      const protocol =\n        getRequestHeader(event, \"x-forwarded-proto\") ||\n        (event.url?.protocol?.replace(\":\", \"\") ?? \"http\");\n      const host = getRequestHeader(event, \"host\") ?? \"localhost\";\n      const baseUrl = `${protocol}://${host}`;\n\n      const filteredSkills = filterPublicAgentCardSkills(config);\n\n      return generateAgentCard(\n        { ...config, skills: filteredSkills },\n        baseUrl,\n        `${routePrefix}/a2a`,\n      );\n    }),\n  );\n\n  // Async-mode processor route. MUST be mounted BEFORE the `/a2a` catch-all\n  // below, since h3's `.use()` matches by prefix and `/a2a` would otherwise\n  // swallow `/a2a/_process-task` and return a JSON-RPC \"Invalid token\" error\n  // (the JSON-RPC handler doesn't know about taskId-only bodies).\n  //\n  // When `message/send` is called with `async: true`, the JSON-RPC handler\n  // enqueues the task and self-fires a POST to this route on the same\n  // deployment so the actual handler runs in a fresh function execution (its\n  // own full timeout). Authenticated with an HMAC token bound to the task id\n  // (5-minute lifetime, signed with A2A_SECRET — same scheme as the\n  // integration webhook queue).\n  getH3App(nitroApp).use(\n    `${routePrefix}/a2a/_process-task`,\n    defineEventHandler(async (event) => {\n      if (getMethod(event) !== \"POST\") {\n        setResponseStatus(event, 405);\n        return { error: \"Method not allowed\" };\n      }\n\n      const body = (await readBody(event)) as { taskId?: unknown } | null;\n      const taskId = body && typeof body.taskId === \"string\" ? body.taskId : \"\";\n      if (!taskId) {\n        setResponseStatus(event, 400);\n        return { error: \"taskId required\" };\n      }\n\n      // When A2A_SECRET is set, require a valid HMAC token bound to this\n      // taskId. In production, we REQUIRE A2A_SECRET to be set so unsigned\n      // dispatches are never accepted (an attacker who fishes a taskId out\n      // of logs / a share link could otherwise force-replay it). In\n      // development, a missing secret is permitted so local templates work\n      // out of the box, but we log a one-time warning so operators notice.\n      if (hasConfiguredA2ASecret()) {\n        const auth = getRequestHeader(event, \"authorization\");\n        const tok = extractBearerToken(auth);\n        if (!verifyInternalToken(taskId, tok ?? \"\")) {\n          setResponseStatus(event, 401);\n          return { error: \"Invalid or expired processor token\" };\n        }\n      } else if (isA2AProductionRuntime()) {\n        setResponseStatus(event, 503);\n        return {\n          error:\n            \"A2A processor not configured — set A2A_SECRET on this deployment to enable async A2A.\",\n        };\n      } else {\n        warnA2AUnauthOnce();\n      }\n\n      try {\n        await processA2ATaskFromQueue(taskId, config, event);\n        return { ok: true };\n      } catch (err: any) {\n        console.error(\"[a2a] process-task failed:\", err);\n        setResponseStatus(event, 500);\n        return { error: err?.message ?? \"process-task failed\" };\n      }\n    }),\n  );\n\n  // JSON-RPC A2A endpoint (with optional auth)\n  getH3App(nitroApp).use(\n    `${routePrefix}/a2a`,\n    defineEventHandler(async (event) => {\n      if (getMethod(event) !== \"POST\") {\n        setResponseStatus(event, 405);\n        return { error: \"Method not allowed\" };\n      }\n\n      // h3 prefix-matches mounts, so a request to `/a2a/_process-task`\n      // reaches this handler too. The dedicated mount above runs first and\n      // takes the request, but if that returns `undefined` (or h3 ever\n      // changes ordering semantics) defensively bail here. event.path is\n      // stripped to the remainder after the mount prefix.\n      const sub = (event.path || \"/\").split(\"?\")[0].replace(/^\\//, \"\");\n      if (sub.startsWith(\"_process-task\")) return;\n\n      const authHeader = getRequestHeader(event, \"authorization\");\n      const bearerToken = extractBearerToken(authHeader);\n      let verifiedCallerEmail: string | null = null;\n      let verifiedOrgDomain: string | null = null;\n      let legacyApiKeyAuthenticated = false;\n      let bearerTokenRejectedByJwt = false;\n\n      // SECURITY: when neither A2A_SECRET nor an apiKeyEnv is configured,\n      // there's no way to authenticate the caller. Default to \"auth required\"\n      // in production — return 503 with a clear message instead of running\n      // the agent loop unauthenticated. In development, log a one-time\n      // warning but allow so local templates work out of the box.\n      const hasA2ASecret = hasConfiguredA2ASecret();\n      const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n\n      // Try JWT verification first (org-level or global A2A_SECRET-based identity)\n      if (bearerToken) {\n        const tokenPayload = await verifyA2AToken(bearerToken, event);\n        verifiedCallerEmail = tokenPayload.email;\n        verifiedOrgDomain = tokenPayload.orgDomain;\n        bearerTokenRejectedByJwt = !verifiedCallerEmail;\n      }\n\n      // Fall back to legacy API key check (exact string match)\n      if (!verifiedCallerEmail && config.apiKeyEnv) {\n        const expectedKey = process.env[config.apiKeyEnv];\n        if (expectedKey) {\n          if (!bearerToken) {\n            setResponseStatus(event, 401);\n            return {\n              jsonrpc: \"2.0\",\n              id: null,\n              error: { code: -32001, message: \"Authentication required\" },\n            };\n          }\n          if (bearerToken !== expectedKey) {\n            setResponseStatus(event, 401);\n            return {\n              jsonrpc: \"2.0\",\n              id: null,\n              error: { code: -32001, message: \"Invalid API key\" },\n            };\n          }\n          legacyApiKeyAuthenticated = true;\n        }\n      }\n\n      if (!verifiedCallerEmail && !legacyApiKeyAuthenticated) {\n        // Any supplied bearer token that failed JWT verification is an auth\n        // failure after the legacy exact-match apiKeyEnv path has had a\n        // chance to succeed. Do not let bad tokens fall through to tasks/get\n        // and get reported as lookup misses.\n        if (bearerTokenRejectedByJwt) {\n          setResponseStatus(event, 401);\n          return {\n            jsonrpc: \"2.0\",\n            id: null,\n            error: {\n              code: -32001,\n              message: \"Invalid or expired A2A token\",\n            },\n          };\n        }\n\n        if (!hasA2ASecret && !hasApiKey) {\n          if (isA2AProductionRuntime()) {\n            setResponseStatus(event, 503);\n            return {\n              jsonrpc: \"2.0\",\n              id: null,\n              error: {\n                code: -32001,\n                message:\n                  \"A2A authentication not configured. Set A2A_SECRET (preferred) or configure apiKeyEnv to accept inbound A2A traffic.\",\n              },\n            };\n          }\n          warnA2AUnauthOnce();\n        } else if (isA2AProductionRuntime()) {\n          setResponseStatus(event, 401);\n          return {\n            jsonrpc: \"2.0\",\n            id: null,\n            error: {\n              code: -32001,\n              message: \"Authentication required\",\n            },\n          };\n        }\n      }\n\n      // Store verified caller identity on the event context so the handler\n      // can set request context from a trusted source instead of metadata\n      if (verifiedCallerEmail) {\n        event.context.__a2aVerifiedEmail = verifiedCallerEmail;\n      }\n      if (verifiedOrgDomain) {\n        event.context.__a2aOrgDomain = verifiedOrgDomain;\n      }\n\n      const body = await readBody(event);\n      return handleJsonRpcH3(body, event, config);\n    }),\n  );\n}\n\nexport function filterPublicAgentCardSkills(config: A2AConfig) {\n  return (config.skills ?? []).filter((skill) => {\n    const id =\n      (skill as { id?: string; name?: string }).id ??\n      (skill as { name?: string }).name ??\n      \"\";\n    if (typeof id === \"string\") {\n      if (id.startsWith(\"mcp__user_\") || id.startsWith(\"mcp__org_\")) {\n        return false;\n      }\n    }\n\n    if (skill.public === false || skill.requiresAuth || skill.isConsequential) {\n      return false;\n    }\n\n    if (!config.publicSkillsOnly) return true;\n\n    if (skill.publicAgent) {\n      return (\n        skill.publicAgent.expose === true &&\n        skill.publicAgent.readOnly === true &&\n        skill.publicAgent.requiresAuth !== true &&\n        skill.publicAgent.isConsequential !== true\n      );\n    }\n\n    return skill.public === true && skill.readOnly !== false;\n  });\n}\n"]}

package/dist/action.d.ts

@@ -54,6 +54,17 @@ export interface ActionRunContext {
      * off mid-stream and triggers a continuation loop.
      */
     attachments?: AgentChatAttachment[];
+    /**
+     * Abort signal for the current agent run. Fires when the run is soft-timed
+     * out, user-cancelled, or the server is shutting down. Well-behaved actions
+     * can observe this signal to cancel in-flight work early instead of waiting
+     * for the per-tool 60-second hard timeout.
+     *
+     * Populated only inside the agent tool loop (`caller: "tool"`); `undefined`
+     * on every other surface. Never throws — checking `signal.aborted` or
+     * attaching an `"abort"` listener is always safe.
+     */
+    signal?: AbortSignal;
 }
 export interface AgentActionStopOptions {
     /** Optional stable code surfaced in run metadata and tests. */
@@ -288,6 +299,36 @@ interface DefineActionWithParams<TParams extends Record<string, ParameterSchema>
     /** Optional MCP Apps UI resource. See schema overload above. */
     mcpApp?: ActionMcpAppConfig;
 }
+/**
+ * Opaque typed wrapper returned by `defineAction`. The type parameters carry
+ * the schema-inferred input and the `run` return type so that:
+ *
+ * - The generated `.generated/action-types.d.ts` can extract them via
+ *   `typeof import("../actions/my-action").default.run` and augment
+ *   `ActionRegistry` with concrete param/result types.
+ * - `useActionQuery` / `useActionMutation` / `callAction` in the client hooks
+ *   flow the correct types end-to-end without manual generic annotations.
+ *
+ * Runtime shape is unchanged — this is a declaration-only wrapper.
+ */
+export interface ActionDefinition<TInput, TReturn> {
+    /**
+     * Typed run function — declaration only; infer input/return from this.
+     * `TInput` is the schema's input type (optional defaults allowed at call
+     * sites); `TReturn` is the awaited result type of the run callback.
+     */
+    readonly run: (args: TInput, ctx?: ActionRunContext) => Promise<TReturn> | TReturn;
+    /** @internal Framework use only — do not call directly. */
+    readonly tool: import("./agent/types.js").ActionTool;
+    readonly http?: ActionHttpConfig | false;
+    readonly agentTool?: boolean;
+    readonly readOnly?: boolean;
+    readonly parallelSafe?: boolean;
+    readonly toolCallable?: boolean;
+    readonly publicAgent?: PublicAgentActionConfig;
+    readonly link?: ActionLinkBuilder;
+    readonly mcpApp?: ActionMcpAppConfig;
+}
 /**
  * Define an agent action. Place in `actions/` directory — auto-discovered by the framework.
  *
@@ -325,7 +366,7 @@ interface DefineActionWithParams<TParams extends Record<string, ParameterSchema>
  * });
  * ```
  */
-export declare function defineAction<TSchema extends StandardSchemaV1, TReturn>(options: DefineActionWithSchema<TSchema, TReturn>): any;
-export declare function defineAction<TParams extends Record<string, ParameterSchema> | undefined, TReturn>(options: DefineActionWithParams<TParams, TReturn>): any;
+export declare function defineAction<TSchema extends StandardSchemaV1, TReturn>(options: DefineActionWithSchema<TSchema, TReturn>): ActionDefinition<StandardSchemaV1.InferInput<TSchema>, TReturn>;
+export declare function defineAction<TParams extends Record<string, ParameterSchema> | undefined, TReturn>(options: DefineActionWithParams<TParams, TReturn>): ActionDefinition<InferParams<TParams>, TReturn>;
 export {};
 //# sourceMappingURL=action.d.ts.map

package/dist/action.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"action.d.ts","sourceRoot":"","sources":["../src/action.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAEV,mBAAmB,EACnB,cAAc,EACf,MAAM,kBAAkB,CAAC;AAC1B,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAE9D;;;;;;;;;;;;;;GAcG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC;AAEhF;;;;;;;;GAQG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;;OAIG;IACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,cAAc,KAAK,IAAI,CAAC;IACvC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8DAA8D;IAC9D,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,mCAAmC;IACnC,MAAM,EAAE,YAAY,CAAC;IACrB;;;;;;;;;;OAUG;IACH,WAAW,CAAC,EAAE,mBAAmB,EAAE,CAAC;CACrC;AAED,MAAM,WAAW,sBAAsB;IACrC,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4EAA4E;IAC5E,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,qBAAa,oBAAqB,SAAQ,KAAK;IAC7C,QAAQ,CAAC,eAAe,QAAQ;IAChC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;gBAEjB,OAAO,EAAE,MAAM,EAAE,OAAO,GAAE,sBAA2B;CAMlE;AAED,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,OAAO,GACX,GAAG,IAAI,oBAAoB,CAU7B;AAED,0CAA0C;AAC1C,MAAM,WAAW,gBAAgB;IAC/B,qEAAqE;IACrE,MAAM,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAC;IAC3C,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,8EAA8E;AAC9E,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,OAAO,CAAC;IAClB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;mEACmE;AACnE,MAAM,WAAW,cAAc;IAC7B;;kFAE8E;IAC9E,GAAG,EAAE,MAAM,CAAC;IACZ,uDAAuD;IACvD,KAAK,EAAE,MAAM,CAAC;IACd,kEAAkE;IAClE,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;;kDAGkD;AAClD,MAAM,MAAM,iBAAiB,GAAG,CAAC,GAAG,EAAE;IACpC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC1B,MAAM,EAAE,GAAG,CAAC;CACb,KAAK,cAAc,GAAG,IAAI,GAAG,SAAS,CAAC;AAExC,eAAO,MAAM,oBAAoB,EAAG,4BAAqC,CAAC;AAC1E,eAAO,MAAM,iBAAiB,EAAG,2BAAoC,CAAC;AACtE,eAAO,MAAM,6BAA6B,EAAG,gBAAyB,CAAC;AAEvE,MAAM,WAAW,eAAe;IAC9B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE;IACzC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,KAAK,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;AAEjD,MAAM,WAAW,uBAAuB;IACtC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACnC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACpC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,wBAAwB;IACvC,GAAG,CAAC,EAAE,eAAe,GAAG,sBAAsB,CAAC;IAC/C,WAAW,CAAC,EAAE,uBAAuB,CAAC;IACtC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,KAAK,MAAM,CAAC;AAEb,MAAM,WAAW,0BAA0B;IACzC,2DAA2D;IAC3D,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,sDAAsD;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,IAAI,EAAE,MAAM,GAAG,uBAAuB,CAAC;IACvC,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,OAAO,iBAAiB,CAAC;IACpC,6EAA6E;IAC7E,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,GAAG,CAAC,EAAE,eAAe,GAAG,sBAAsB,CAAC;IAC/C,WAAW,CAAC,EAAE,uBAAuB,CAAC;IACtC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IACjC;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,0BAA0B,CAAC;IACtC;;;OAGG;IACH,UAAU,CAAC,EAAE,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,CAAC;IACpC;;;;;OAKG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,kFAAkF;AAClF,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,wEAAwE;AACxE,KAAK,WAAW,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAAG,SAAS,IACpE,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GACrC;KAAG,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM;CAAE,GAC3B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAM7B,UAAU,sBAAsB,CAC9B,OAAO,SAAS,gBAAgB,EAChC,OAAO,GAAG,GAAG;IAEb,WAAW,EAAE,MAAM,CAAC;IACpB;;4EAEwE;IACxE,MAAM,EAAE,OAAO,CAAC;IAChB,6DAA6D;IAC7D,UAAU,CAAC,EAAE,KAAK,CAAC;IACnB,GAAG,EAAE,CACH,IAAI,EAAE,gBAAgB,CAAC,WAAW,CAAC,OAAO,CAAC,EAC3C,GAAG,CAAC,EAAE,gBAAgB,KACnB,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IAChC,IAAI,CAAC,EAAE,gBAAgB,GAAG,KAAK,CAAC;IAChC;;;;;;;;0FAQsF;IACtF,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB;;;oFAGgF;IAChF,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;yDAGqD;IACrD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB;;;;;;;;;;gDAU4C;IAC5C,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB;;+EAE2E;IAC3E,WAAW,CAAC,EAAE,uBAAuB,CAAC;IACtC;;;mFAG+E;IAC/E,IAAI,CAAC,EAAE,iBAAiB,CAAC;IACzB;;oCAEgC;IAChC,MAAM,CAAC,EAAE,kBAAkB,CAAC;CAC7B;AAMD,UAAU,sBAAsB,CAC9B,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAAG,SAAS,GACvD,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,SAAS,EACb,OAAO,GAAG,GAAG;IAEb,WAAW,EAAE,MAAM,CAAC;IACpB;oEACgE;IAChE,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,mDAAmD;IACnD,MAAM,CAAC,EAAE,KAAK,CAAC;IACf,GAAG,EAAE,CACH,IAAI,EAAE,WAAW,CAAC,OAAO,CAAC,EAC1B,GAAG,CAAC,EAAE,gBAAgB,KACnB,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IAChC,IAAI,CAAC,EAAE,gBAAgB,GAAG,KAAK,CAAC;IAChC;;gFAE4E;IAC5E,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB;iFAC6E;IAC7E,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;gFAC4E;IAC5E,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB;;wDAEoD;IACpD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,0EAA0E;IAC1E,WAAW,CAAC,EAAE,uBAAuB,CAAC;IACtC,6DAA6D;IAC7D,IAAI,CAAC,EAAE,iBAAiB,CAAC;IACzB,gEAAgE;IAChE,MAAM,CAAC,EAAE,kBAAkB,CAAC;CAC7B;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,wBAAgB,YAAY,CAAC,OAAO,SAAS,gBAAgB,EAAE,OAAO,EACpE,OAAO,EAAE,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,GAChD,GAAG,CAAC;AACP,wBAAgB,YAAY,CAC1B,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAAG,SAAS,EAC3D,OAAO,EACP,OAAO,EAAE,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,GAAG,CAAC"}
+{"version":3,"file":"action.d.ts","sourceRoot":"","sources":["../src/action.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAEV,mBAAmB,EACnB,cAAc,EACf,MAAM,kBAAkB,CAAC;AAC1B,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAE9D;;;;;;;;;;;;;;GAcG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC;AAEhF;;;;;;;;GAQG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;;OAIG;IACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,cAAc,KAAK,IAAI,CAAC;IACvC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8DAA8D;IAC9D,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,mCAAmC;IACnC,MAAM,EAAE,YAAY,CAAC;IACrB;;;;;;;;;;OAUG;IACH,WAAW,CAAC,EAAE,mBAAmB,EAAE,CAAC;IACpC;;;;;;;;;OASG;IACH,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,sBAAsB;IACrC,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4EAA4E;IAC5E,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,qBAAa,oBAAqB,SAAQ,KAAK;IAC7C,QAAQ,CAAC,eAAe,QAAQ;IAChC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;gBAEjB,OAAO,EAAE,MAAM,EAAE,OAAO,GAAE,sBAA2B;CAMlE;AAED,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,OAAO,GACX,GAAG,IAAI,oBAAoB,CAU7B;AAED,0CAA0C;AAC1C,MAAM,WAAW,gBAAgB;IAC/B,qEAAqE;IACrE,MAAM,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAC;IAC3C,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,8EAA8E;AAC9E,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,OAAO,CAAC;IAClB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;mEACmE;AACnE,MAAM,WAAW,cAAc;IAC7B;;kFAE8E;IAC9E,GAAG,EAAE,MAAM,CAAC;IACZ,uDAAuD;IACvD,KAAK,EAAE,MAAM,CAAC;IACd,kEAAkE;IAClE,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;;kDAGkD;AAClD,MAAM,MAAM,iBAAiB,GAAG,CAAC,GAAG,EAAE;IACpC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC1B,MAAM,EAAE,GAAG,CAAC;CACb,KAAK,cAAc,GAAG,IAAI,GAAG,SAAS,CAAC;AAExC,eAAO,MAAM,oBAAoB,EAAG,4BAAqC,CAAC;AAC1E,eAAO,MAAM,iBAAiB,EAAG,2BAAoC,CAAC;AACtE,eAAO,MAAM,6BAA6B,EAAG,gBAAyB,CAAC;AAEvE,MAAM,WAAW,eAAe;IAC9B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE;IACzC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,KAAK,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;AAEjD,MAAM,WAAW,uBAAuB;IACtC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACnC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACpC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,wBAAwB;IACvC,GAAG,CAAC,EAAE,eAAe,GAAG,sBAAsB,CAAC;IAC/C,WAAW,CAAC,EAAE,uBAAuB,CAAC;IACtC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,KAAK,MAAM,CAAC;AAEb,MAAM,WAAW,0BAA0B;IACzC,2DAA2D;IAC3D,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,sDAAsD;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,IAAI,EAAE,MAAM,GAAG,uBAAuB,CAAC;IACvC,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,OAAO,iBAAiB,CAAC;IACpC,6EAA6E;IAC7E,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,GAAG,CAAC,EAAE,eAAe,GAAG,sBAAsB,CAAC;IAC/C,WAAW,CAAC,EAAE,uBAAuB,CAAC;IACtC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IACjC;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,0BAA0B,CAAC;IACtC;;;OAGG;IACH,UAAU,CAAC,EAAE,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,CAAC;IACpC;;;;;OAKG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,kFAAkF;AAClF,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,wEAAwE;AACxE,KAAK,WAAW,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAAG,SAAS,IACpE,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GACrC;KAAG,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM;CAAE,GAC3B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAM7B,UAAU,sBAAsB,CAC9B,OAAO,SAAS,gBAAgB,EAChC,OAAO,GAAG,GAAG;IAEb,WAAW,EAAE,MAAM,CAAC;IACpB;;4EAEwE;IACxE,MAAM,EAAE,OAAO,CAAC;IAChB,6DAA6D;IAC7D,UAAU,CAAC,EAAE,KAAK,CAAC;IACnB,GAAG,EAAE,CACH,IAAI,EAAE,gBAAgB,CAAC,WAAW,CAAC,OAAO,CAAC,EAC3C,GAAG,CAAC,EAAE,gBAAgB,KACnB,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IAChC,IAAI,CAAC,EAAE,gBAAgB,GAAG,KAAK,CAAC;IAChC;;;;;;;;0FAQsF;IACtF,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB;;;oFAGgF;IAChF,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;yDAGqD;IACrD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB;;;;;;;;;;gDAU4C;IAC5C,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB;;+EAE2E;IAC3E,WAAW,CAAC,EAAE,uBAAuB,CAAC;IACtC;;;mFAG+E;IAC/E,IAAI,CAAC,EAAE,iBAAiB,CAAC;IACzB;;oCAEgC;IAChC,MAAM,CAAC,EAAE,kBAAkB,CAAC;CAC7B;AAMD,UAAU,sBAAsB,CAC9B,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAAG,SAAS,GACvD,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,SAAS,EACb,OAAO,GAAG,GAAG;IAEb,WAAW,EAAE,MAAM,CAAC;IACpB;oEACgE;IAChE,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,mDAAmD;IACnD,MAAM,CAAC,EAAE,KAAK,CAAC;IACf,GAAG,EAAE,CACH,IAAI,EAAE,WAAW,CAAC,OAAO,CAAC,EAC1B,GAAG,CAAC,EAAE,gBAAgB,KACnB,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IAChC,IAAI,CAAC,EAAE,gBAAgB,GAAG,KAAK,CAAC;IAChC;;gFAE4E;IAC5E,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB;iFAC6E;IAC7E,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;gFAC4E;IAC5E,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB;;wDAEoD;IACpD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,0EAA0E;IAC1E,WAAW,CAAC,EAAE,uBAAuB,CAAC;IACtC,6DAA6D;IAC7D,IAAI,CAAC,EAAE,iBAAiB,CAAC;IACzB,gEAAgE;IAChE,MAAM,CAAC,EAAE,kBAAkB,CAAC;CAC7B;AAMD;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,gBAAgB,CAAC,MAAM,EAAE,OAAO;IAC/C;;;;OAIG;IACH,QAAQ,CAAC,GAAG,EAAE,CACZ,IAAI,EAAE,MAAM,EACZ,GAAG,CAAC,EAAE,gBAAgB,KACnB,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IAChC,2DAA2D;IAC3D,QAAQ,CAAC,IAAI,EAAE,OAAO,kBAAkB,EAAE,UAAU,CAAC;IACrD,QAAQ,CAAC,IAAI,CAAC,EAAE,gBAAgB,GAAG,KAAK,CAAC;IACzC,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;IAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;IAC5B,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC;IAChC,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC;IAChC,QAAQ,CAAC,WAAW,CAAC,EAAE,uBAAuB,CAAC;IAC/C,QAAQ,CAAC,IAAI,CAAC,EAAE,iBAAiB,CAAC;IAClC,QAAQ,CAAC,MAAM,CAAC,EAAE,kBAAkB,CAAC;CACtC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,wBAAgB,YAAY,CAAC,OAAO,SAAS,gBAAgB,EAAE,OAAO,EACpE,OAAO,EAAE,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,GAChD,gBAAgB,CAAC,gBAAgB,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC;AACnE,wBAAgB,YAAY,CAC1B,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAAG,SAAS,EAC3D,OAAO,EAEP,OAAO,EAAE,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,GAChD,gBAAgB,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC"}