@agent-native/core 0.51.15 → 0.53.0

Files changed (251) hide show
  1. package/README.md +42 -96
  2. package/blueprints/action/crud.md +98 -0
  3. package/blueprints/channel/discord.md +74 -0
  4. package/blueprints/provider/stripe.md +87 -0
  5. package/blueprints/sandbox/docker.md +78 -0
  6. package/dist/action.d.ts +24 -0
  7. package/dist/action.d.ts.map +1 -1
  8. package/dist/action.js +4 -0
  9. package/dist/action.js.map +1 -1
  10. package/dist/agent/observational-memory/compactor.d.ts +43 -0
  11. package/dist/agent/observational-memory/compactor.d.ts.map +1 -0
  12. package/dist/agent/observational-memory/compactor.js +50 -0
  13. package/dist/agent/observational-memory/compactor.js.map +1 -0
  14. package/dist/agent/observational-memory/config.d.ts +37 -0
  15. package/dist/agent/observational-memory/config.d.ts.map +1 -0
  16. package/dist/agent/observational-memory/config.js +48 -0
  17. package/dist/agent/observational-memory/config.js.map +1 -0
  18. package/dist/agent/observational-memory/index.d.ts +26 -0
  19. package/dist/agent/observational-memory/index.d.ts.map +1 -0
  20. package/dist/agent/observational-memory/index.js +25 -0
  21. package/dist/agent/observational-memory/index.js.map +1 -0
  22. package/dist/agent/observational-memory/internal-run.d.ts +37 -0
  23. package/dist/agent/observational-memory/internal-run.d.ts.map +1 -0
  24. package/dist/agent/observational-memory/internal-run.js +59 -0
  25. package/dist/agent/observational-memory/internal-run.js.map +1 -0
  26. package/dist/agent/observational-memory/message-text.d.ts +13 -0
  27. package/dist/agent/observational-memory/message-text.d.ts.map +1 -0
  28. package/dist/agent/observational-memory/message-text.js +46 -0
  29. package/dist/agent/observational-memory/message-text.js.map +1 -0
  30. package/dist/agent/observational-memory/migrations.d.ts +13 -0
  31. package/dist/agent/observational-memory/migrations.d.ts.map +1 -0
  32. package/dist/agent/observational-memory/migrations.js +43 -0
  33. package/dist/agent/observational-memory/migrations.js.map +1 -0
  34. package/dist/agent/observational-memory/observer.d.ts +37 -0
  35. package/dist/agent/observational-memory/observer.d.ts.map +1 -0
  36. package/dist/agent/observational-memory/observer.js +82 -0
  37. package/dist/agent/observational-memory/observer.js.map +1 -0
  38. package/dist/agent/observational-memory/plugin.d.ts +16 -0
  39. package/dist/agent/observational-memory/plugin.d.ts.map +1 -0
  40. package/dist/agent/observational-memory/plugin.js +26 -0
  41. package/dist/agent/observational-memory/plugin.js.map +1 -0
  42. package/dist/agent/observational-memory/prompts.d.ts +27 -0
  43. package/dist/agent/observational-memory/prompts.d.ts.map +1 -0
  44. package/dist/agent/observational-memory/prompts.js +42 -0
  45. package/dist/agent/observational-memory/prompts.js.map +1 -0
  46. package/dist/agent/observational-memory/read.d.ts +47 -0
  47. package/dist/agent/observational-memory/read.d.ts.map +1 -0
  48. package/dist/agent/observational-memory/read.js +99 -0
  49. package/dist/agent/observational-memory/read.js.map +1 -0
  50. package/dist/agent/observational-memory/reflector.d.ts +31 -0
  51. package/dist/agent/observational-memory/reflector.d.ts.map +1 -0
  52. package/dist/agent/observational-memory/reflector.js +76 -0
  53. package/dist/agent/observational-memory/reflector.js.map +1 -0
  54. package/dist/agent/observational-memory/schema.d.ts +267 -0
  55. package/dist/agent/observational-memory/schema.d.ts.map +1 -0
  56. package/dist/agent/observational-memory/schema.js +48 -0
  57. package/dist/agent/observational-memory/schema.js.map +1 -0
  58. package/dist/agent/observational-memory/store.d.ts +52 -0
  59. package/dist/agent/observational-memory/store.d.ts.map +1 -0
  60. package/dist/agent/observational-memory/store.js +197 -0
  61. package/dist/agent/observational-memory/store.js.map +1 -0
  62. package/dist/agent/observational-memory/types.d.ts +61 -0
  63. package/dist/agent/observational-memory/types.d.ts.map +1 -0
  64. package/dist/agent/observational-memory/types.js +9 -0
  65. package/dist/agent/observational-memory/types.js.map +1 -0
  66. package/dist/agent/production-agent.d.ts +15 -0
  67. package/dist/agent/production-agent.d.ts.map +1 -1
  68. package/dist/agent/production-agent.js +240 -1
  69. package/dist/agent/production-agent.js.map +1 -1
  70. package/dist/agent/run-loop-with-resume.d.ts.map +1 -1
  71. package/dist/agent/run-loop-with-resume.js +49 -0
  72. package/dist/agent/run-loop-with-resume.js.map +1 -1
  73. package/dist/agent/run-store.d.ts +17 -0
  74. package/dist/agent/run-store.d.ts.map +1 -1
  75. package/dist/agent/run-store.js +55 -0
  76. package/dist/agent/run-store.js.map +1 -1
  77. package/dist/agent/runtime-context.d.ts +30 -0
  78. package/dist/agent/runtime-context.d.ts.map +1 -1
  79. package/dist/agent/runtime-context.js +54 -1
  80. package/dist/agent/runtime-context.js.map +1 -1
  81. package/dist/agent/tool-call-journal.d.ts +101 -0
  82. package/dist/agent/tool-call-journal.d.ts.map +1 -0
  83. package/dist/agent/tool-call-journal.js +214 -0
  84. package/dist/agent/tool-call-journal.js.map +1 -0
  85. package/dist/agent/types.d.ts +24 -0
  86. package/dist/agent/types.d.ts.map +1 -1
  87. package/dist/agent/types.js.map +1 -1
  88. package/dist/cli/add.d.ts +109 -0
  89. package/dist/cli/add.d.ts.map +1 -0
  90. package/dist/cli/add.js +352 -0
  91. package/dist/cli/add.js.map +1 -0
  92. package/dist/cli/connect.d.ts +5 -4
  93. package/dist/cli/connect.d.ts.map +1 -1
  94. package/dist/cli/connect.js +157 -48
  95. package/dist/cli/connect.js.map +1 -1
  96. package/dist/cli/eval.d.ts +17 -0
  97. package/dist/cli/eval.d.ts.map +1 -0
  98. package/dist/cli/eval.js +121 -0
  99. package/dist/cli/eval.js.map +1 -0
  100. package/dist/cli/index.js +44 -3
  101. package/dist/cli/index.js.map +1 -1
  102. package/dist/cli/mcp-config-writers.d.ts +20 -13
  103. package/dist/cli/mcp-config-writers.d.ts.map +1 -1
  104. package/dist/cli/mcp-config-writers.js +152 -13
  105. package/dist/cli/mcp-config-writers.js.map +1 -1
  106. package/dist/cli/mcp.d.ts +2 -2
  107. package/dist/cli/mcp.d.ts.map +1 -1
  108. package/dist/cli/mcp.js +50 -196
  109. package/dist/cli/mcp.js.map +1 -1
  110. package/dist/cli/plan-local.d.ts +69 -6
  111. package/dist/cli/plan-local.d.ts.map +1 -1
  112. package/dist/cli/plan-local.js +517 -23
  113. package/dist/cli/plan-local.js.map +1 -1
  114. package/dist/cli/recap.d.ts.map +1 -1
  115. package/dist/cli/recap.js +1 -1
  116. package/dist/cli/recap.js.map +1 -1
  117. package/dist/cli/skills.d.ts +13 -6
  118. package/dist/cli/skills.d.ts.map +1 -1
  119. package/dist/cli/skills.js +287 -111
  120. package/dist/cli/skills.js.map +1 -1
  121. package/dist/client/AssistantChat.d.ts.map +1 -1
  122. package/dist/client/AssistantChat.js +118 -92
  123. package/dist/client/AssistantChat.js.map +1 -1
  124. package/dist/client/agent-chat-adapter.d.ts.map +1 -1
  125. package/dist/client/agent-chat-adapter.js +16 -0
  126. package/dist/client/agent-chat-adapter.js.map +1 -1
  127. package/dist/client/agent-engine-key.d.ts +6 -4
  128. package/dist/client/agent-engine-key.d.ts.map +1 -1
  129. package/dist/client/agent-engine-key.js +9 -6
  130. package/dist/client/agent-engine-key.js.map +1 -1
  131. package/dist/client/chat/run-recovery.js +1 -1
  132. package/dist/client/chat/run-recovery.js.map +1 -1
  133. package/dist/client/chat/tool-call-display.d.ts +20 -1
  134. package/dist/client/chat/tool-call-display.d.ts.map +1 -1
  135. package/dist/client/chat/tool-call-display.js +32 -7
  136. package/dist/client/chat/tool-call-display.js.map +1 -1
  137. package/dist/client/settings/SettingsPanel.d.ts.map +1 -1
  138. package/dist/client/settings/SettingsPanel.js +7 -14
  139. package/dist/client/settings/SettingsPanel.js.map +1 -1
  140. package/dist/client/sse-event-processor.d.ts +13 -0
  141. package/dist/client/sse-event-processor.d.ts.map +1 -1
  142. package/dist/client/sse-event-processor.js +21 -0
  143. package/dist/client/sse-event-processor.js.map +1 -1
  144. package/dist/coding-tools/run-code.d.ts +7 -0
  145. package/dist/coding-tools/run-code.d.ts.map +1 -1
  146. package/dist/coding-tools/run-code.js +21 -106
  147. package/dist/coding-tools/run-code.js.map +1 -1
  148. package/dist/coding-tools/sandbox/adapter.d.ts +79 -0
  149. package/dist/coding-tools/sandbox/adapter.d.ts.map +1 -0
  150. package/dist/coding-tools/sandbox/adapter.js +24 -0
  151. package/dist/coding-tools/sandbox/adapter.js.map +1 -0
  152. package/dist/coding-tools/sandbox/index.d.ts +51 -0
  153. package/dist/coding-tools/sandbox/index.d.ts.map +1 -0
  154. package/dist/coding-tools/sandbox/index.js +79 -0
  155. package/dist/coding-tools/sandbox/index.js.map +1 -0
  156. package/dist/coding-tools/sandbox/local-child-process-adapter.d.ts +24 -0
  157. package/dist/coding-tools/sandbox/local-child-process-adapter.d.ts.map +1 -0
  158. package/dist/coding-tools/sandbox/local-child-process-adapter.js +141 -0
  159. package/dist/coding-tools/sandbox/local-child-process-adapter.js.map +1 -0
  160. package/dist/db/client.d.ts +4 -2
  161. package/dist/db/client.d.ts.map +1 -1
  162. package/dist/db/client.js +6 -4
  163. package/dist/db/client.js.map +1 -1
  164. package/dist/deploy/route-discovery.d.ts.map +1 -1
  165. package/dist/deploy/route-discovery.js +1 -0
  166. package/dist/deploy/route-discovery.js.map +1 -1
  167. package/dist/eval/agent-runner.d.ts +63 -0
  168. package/dist/eval/agent-runner.d.ts.map +1 -0
  169. package/dist/eval/agent-runner.js +142 -0
  170. package/dist/eval/agent-runner.js.map +1 -0
  171. package/dist/eval/define-eval.d.ts +29 -0
  172. package/dist/eval/define-eval.d.ts.map +1 -0
  173. package/dist/eval/define-eval.js +43 -0
  174. package/dist/eval/define-eval.js.map +1 -0
  175. package/dist/eval/index.d.ts +18 -0
  176. package/dist/eval/index.d.ts.map +1 -0
  177. package/dist/eval/index.js +17 -0
  178. package/dist/eval/index.js.map +1 -0
  179. package/dist/eval/report.d.ts +8 -0
  180. package/dist/eval/report.d.ts.map +1 -0
  181. package/dist/eval/report.js +44 -0
  182. package/dist/eval/report.js.map +1 -0
  183. package/dist/eval/runner.d.ts +67 -0
  184. package/dist/eval/runner.d.ts.map +1 -0
  185. package/dist/eval/runner.js +256 -0
  186. package/dist/eval/runner.js.map +1 -0
  187. package/dist/eval/scorer.d.ts +83 -0
  188. package/dist/eval/scorer.d.ts.map +1 -0
  189. package/dist/eval/scorer.js +195 -0
  190. package/dist/eval/scorer.js.map +1 -0
  191. package/dist/eval/types.d.ts +162 -0
  192. package/dist/eval/types.d.ts.map +1 -0
  193. package/dist/eval/types.js +20 -0
  194. package/dist/eval/types.js.map +1 -0
  195. package/dist/observability/traces.d.ts.map +1 -1
  196. package/dist/observability/traces.js +100 -1
  197. package/dist/observability/traces.js.map +1 -1
  198. package/dist/observability/tracing.d.ts +73 -0
  199. package/dist/observability/tracing.d.ts.map +1 -0
  200. package/dist/observability/tracing.js +126 -0
  201. package/dist/observability/tracing.js.map +1 -0
  202. package/dist/onboarding/default-steps.d.ts.map +1 -1
  203. package/dist/onboarding/default-steps.js +4 -1
  204. package/dist/onboarding/default-steps.js.map +1 -1
  205. package/dist/provider-api/actions/query-staged-dataset.d.ts +1 -1
  206. package/dist/scripts/agent-engines/list-agent-engines.d.ts.map +1 -1
  207. package/dist/scripts/agent-engines/list-agent-engines.js +10 -3
  208. package/dist/scripts/agent-engines/list-agent-engines.js.map +1 -1
  209. package/dist/server/action-discovery.d.ts.map +1 -1
  210. package/dist/server/action-discovery.js +4 -0
  211. package/dist/server/action-discovery.js.map +1 -1
  212. package/dist/server/agent-chat-plugin.d.ts +9 -0
  213. package/dist/server/agent-chat-plugin.d.ts.map +1 -1
  214. package/dist/server/agent-chat-plugin.js +118 -110
  215. package/dist/server/agent-chat-plugin.js.map +1 -1
  216. package/dist/server/agent-engine-api-key-route.d.ts +37 -0
  217. package/dist/server/agent-engine-api-key-route.d.ts.map +1 -0
  218. package/dist/server/agent-engine-api-key-route.js +105 -0
  219. package/dist/server/agent-engine-api-key-route.js.map +1 -0
  220. package/dist/server/agent-teams.d.ts +62 -0
  221. package/dist/server/agent-teams.d.ts.map +1 -1
  222. package/dist/server/agent-teams.js +99 -2
  223. package/dist/server/agent-teams.js.map +1 -1
  224. package/dist/server/core-routes-plugin.d.ts.map +1 -1
  225. package/dist/server/core-routes-plugin.js +17 -10
  226. package/dist/server/core-routes-plugin.js.map +1 -1
  227. package/dist/server/create-server.js +1 -1
  228. package/dist/server/create-server.js.map +1 -1
  229. package/dist/server/credential-provider.d.ts.map +1 -1
  230. package/dist/server/credential-provider.js +2 -0
  231. package/dist/server/credential-provider.js.map +1 -1
  232. package/dist/server/framework-request-handler.d.ts.map +1 -1
  233. package/dist/server/framework-request-handler.js +33 -1
  234. package/dist/server/framework-request-handler.js.map +1 -1
  235. package/dist/server/index.d.ts +1 -0
  236. package/dist/server/index.d.ts.map +1 -1
  237. package/dist/server/index.js +1 -0
  238. package/dist/server/index.js.map +1 -1
  239. package/dist/templates/workspace-core/.agents/skills/external-agents/SKILL.md +17 -4
  240. package/dist/templates/workspace-core/.agents/skills/harness-agents/SKILL.md +20 -0
  241. package/dist/templates/workspace-core/.agents/skills/observability/SKILL.md +20 -0
  242. package/docs/content/agent-teams.md +32 -0
  243. package/docs/content/blueprint-installer.md +73 -0
  244. package/docs/content/evals.md +141 -0
  245. package/docs/content/pr-visual-recap.md +7 -4
  246. package/docs/content/sandbox-adapters.md +134 -0
  247. package/docs/content/template-plan.md +20 -8
  248. package/package.json +5 -1
  249. package/src/templates/workspace-core/.agents/skills/external-agents/SKILL.md +17 -4
  250. package/src/templates/workspace-core/.agents/skills/harness-agents/SKILL.md +20 -0
  251. package/src/templates/workspace-core/.agents/skills/observability/SKILL.md +20 -0
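--- a/package/dist/server/create-server.js
+++ b/package/dist/server/create-server.js
@@ -181,7 +181,7 @@ export function createServer(options = {}) {
  if (!isEnvVarWriteAllowed()) {
  setResponseStatus(event, 403);
  return {
- error: "env-vars endpoint disabled on multi-tenant deployments. Use saveCredential(key, value, { userEmail, orgId, scope: 'org' }) to store per-org credentials.",
+ error: "env-vars endpoint disabled on multi-tenant deployments. Use scoped secrets or credentials for user/org API keys.",
  };
  }
  const body = await readBody(event);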
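Review bot: The 403 branch is the only access decision visible in this hunk, so wherever `isEnvVarWriteAllowed()` returns true the handler goes straight on to `readBody(event)` with no caller check in view. The TypeScript source embedded in the accompanying source map shows that it then writes the accepted values to `.env` and `process.env`. If authentication is enforced by middleware mounted elsewhere, a comment above the guard would make that dependency explicit, for example `// Caller auth is enforced upstream; this guard only covers the multi-tenant case.` Separately, the response carries only free text, which this release rewords, so a stable field next to `error`, such as `code: "env_vars_disabled"` (a constructed name), would let clients detect the condition without matching on the message. The handler body continues outside the hunk.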
@@ -1 +1 @@
1
- {"version":3,"file":"create-server.js","sourceRoot":"","sources":["../../src/server/create-server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,SAAS,EACT,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AA0BxD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe,EACf,IAA2C;IAE3C,gEAAgE;IAChE,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC;QAClC,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,6BAA6B,GAAG,mDAAmD,CACpF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAE9B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,yBAAyB;IAC3B,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE7D,iCAAiC;IACjC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACrD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAChC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;YAClC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACtB,OAAO,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAClB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,SAAS,EAAE,CAAC;
QACrC,OAAO,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC;IAClC,CAAC;IAED,0BAA0B;IAC1B,IAAI,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,IAAI,CAAC;IAE3C,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,+DAA+D;IACjE,CAAC;AACH,CAAC;AAOD;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,UAA+B,EAAE;IAEjC,MAAM,GAAG,GAAG,SAAS,CAAC;QACpB,OAAO,CAAC,KAAK,EAAE,KAAK;YAClB,yFAAyF;YACzF,MAAM,GAAG,GAAG,KAA8B,CAAC;YAC3C,MAAM,IAAI,GAAG,GAAG,EAAE,IAAI,IAAK,GAAG,EAAE,KAA+B,EAAE,IAAI,CAAC;YACtE,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,cAAc;gBAAE,OAAO;YAC7D,IAAI,GAAG,EAAE,OAAO,KAAK,SAAS;gBAAE,OAAO;YACvC,OAAO,CAAC,KAAK,CACX,gCAAgC,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,EAAE,EAC5D,KAAK,CACN,CAAC;QACJ,CAAC;KACF,CAAC,CAAC;IAEH,kBAAkB;IAClB,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC3B,MAAM,cAAc,GAAG,sBAAsB,EAAE,CAAC;QAChD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;QAE3D;;;;WAIG;QACH,GAAG,CAAC,GAAG,CACL,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;YAC3B,MAAM,aAAa,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YACxD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;YAChC,MAAM,gBAAgB,GAAG,MAAM,CAC7B,gBAAgB,CAAC,KAAK,EAAE,gCAAgC,CAAC,IAAI,EAAE,CAChE;iBACE,WAAW,EAAE;iBACb,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAClC,MAAM,gBAAgB,GACpB,oBAAoB,CAAC,aAAa,CAAC;gBACnC,CAAC,gBAAgB,CAAC,QAAQ,CAAC,mBAAmB,CAAC,WAAW,EAAE,CAAC;oBAC3D,gBAAgB,CAAC,QAAQ,CAAC,uBAAuB,CAAC;oBAClD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;oBACrD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAC;oBACzD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;YAEvD;;;;;;;eAOG;YACH,MAAM,aAAa,GAAG,gBAAgB;gBACpC,CAAC,CAAC,aAAa;gBACf,CAAC,CAAC,oBAAoB,CAAC,aAAa,EAAE;oBAClC,cAAc;oBACd,6BAA6B,EAAE,CAAC,YAAY;oBAC5C,gEAAgE;oBAChE,mEAAmE;iBACpE,CAAC,CAAC;YACP,oEAAoE;YACpE,kEAAkE;YAClE,mEAAmE;YAEnE,IAAI,aAAa,EAAE,CAAC;gBAClB,
iBAAiB,CACf,KAAK,EACL,6BAA6B,EAC7B,aAAa,CACd,CAAC;gBACF,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;gBAC3C,6DAA6D;gBAC7D,8DAA8D;gBAC9D,4DAA4D;gBAC5D,8DAA8D;gBAC9D,iDAAiD;gBACjD,IAAI,8BAA8B,CAAC,aAAa,CAAC,EAAE,CAAC;oBAClD,iBAAiB,CACf,KAAK,EACL,kCAAkC,EAClC,MAAM,CACP,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,IAAI,CAAC,aAAa,EAAE,CAAC;gBAC1B,kEAAkE;gBAClE,gEAAgE;gBAChE,2CAA2C;gBAC3C,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAC/D,CAAC;YAED,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;YACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,4BAA4B,CAC7B,CAAC;YAEF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,kEAAkE;gBAClE,+DAA+D;gBAC/D,mEAAmE;gBACnE,iEAAiE;gBACjE,qEAAqE;gBACrE,IAAI,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;oBACpC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC7C,CAAC;gBACD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAEhB,eAAe;IACf,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,CACR,qBAAqB,EACrB,kBAAkB,CAAC,GAAG,EAAE;YACtB,MAAM,OAAO,GACX,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,MAAM,CAAC;YAC5D,OAAO,EAAE,OAAO,EAAE,CAAC;QACrB,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,4BAA4B;IAC5B,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAEhC,MAAM,CAAC,GAAG,CACR,2BAA2B,EAC3B,kBAAkB,CAAC,GAAG,EAAE;YACtB,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBAC3B,GAAG,EAAE,GAAG,CAAC,GAAG;gBACZ,KAAK,EAAE,GAAG,CAAC,KAAK;gBAChB,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,KAAK;gBAC/B,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;gBAClC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACpD,CAAC,CAAC,CAAC;QACN,CAAC,CAAC,CACH,CAAC;QAEF,MAAM,CAAC,IAAI,CACT,yBAAyB,EACzB,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;YAC1C,kEAAkE;YAClE,0DAA0D;YAC1D,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC;gBAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EACH,0JAA0J;iBAC7J,CAAC
;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;YACnC,MAAM,EAAE,IAAI,EAAE,GAAG,IAEhB,CAAC;YAEF,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;YAC1C,CAAC;YAED,6CAA6C;YAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACvD,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAS,gBAAgB,CAAC,CAAC;YACjE,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAC1B,CAAC,CAAC,EAAE,EAAE,CACJ,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;gBACzB,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACtB,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CACrC,CAAC;YACF,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;YACxD,CAAC;YAED,qBAAqB;YACrB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;YACjD,MAAM,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAEvC,oEAAoE;YACpE,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YAC3B,CAAC;YAED,mDAAmD;YACnD,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAE3B,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;AACzB,CAAC","sourcesContent":["import {\n createApp,\n createRouter,\n defineEventHandler,\n getMethod,\n getRequestHeader,\n setResponseHeader,\n setResponseStatus,\n type H3Event,\n} from \"h3\";\nimport path from \"path\";\nimport { agentEnv } from \"../shared/agent-env.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n getAllowedCorsOrigin,\n readCorsAllowedOrigins,\n} from \"./cors-origins.js\";\nimport { isEnvVarWriteAllowed } from \"./env-var-writes.js\";\nimport { EMBED_TARGET_HEADER } from \"../shared/embed-auth.js\";\nimport {\n EMBED_TRANSPLANT_HEADER,\n isMcpEmbedCorsOrigin,\n MCP_EMBED_CORS_ALLOW_HEADERS,\n 
shouldAllowMcpEmbedCredentials,\n} from \"../shared/mcp-embed-headers.js\";\nimport { BUILDER_ENV_KEYS } from \"./builder-browser.js\";\n\nexport interface EnvKeyConfig {\n /** Environment variable name (e.g. \"HUBSPOT_ACCESS_TOKEN\") */\n key: string;\n /** Human-readable label (e.g. \"HubSpot\") */\n label: string;\n /** Whether this key is required for the app to function */\n required?: boolean;\n /** Optional UI hint shown next to the field describing where to find this value. */\n helpText?: string;\n}\n\nexport interface CreateServerOptions {\n /** CORS options. Ignored (H3 handles CORS via middleware). Default: enabled. */\n cors?: Record<string, unknown> | false;\n /** JSON body parser limit. Kept for API compatibility (H3 uses readBody). */\n jsonLimit?: string;\n /** Custom ping message. Default: reads PING_MESSAGE env var, falls back to \"pong\" */\n pingMessage?: string;\n /** Disable the /_agent-native/ping health check. Default: false */\n disablePing?: boolean;\n /** Env key configuration for the settings UI. Enables /_agent-native/env-status and /_agent-native/env-vars routes. 
*/\n envKeys?: EnvKeyConfig[];\n}\n\n/**\n * Upsert vars into a .env file, preserving existing structure.\n */\nexport async function upsertEnvFile(\n envPath: string,\n vars: Array<{ key: string; value: string }>,\n): Promise<void> {\n // Sanitize: reject values that could inject additional env vars\n for (const { key, value } of vars) {\n if (/[\\n\\r\\0]/.test(value)) {\n throw new Error(\n `Invalid env var value for ${key}: must not contain newlines or control characters`,\n );\n }\n }\n\n const fs = await import(\"fs\");\n\n let content = \"\";\n try {\n content = fs.readFileSync(envPath, \"utf-8\");\n } catch {\n // File doesn't exist yet\n }\n\n const lines = content.split(\"\\n\");\n const remaining = new Map(vars.map((v) => [v.key, v.value]));\n\n // Update existing lines in place\n const updated = lines.map((line) => {\n const trimmed = line.trim();\n if (!trimmed || trimmed.startsWith(\"#\")) return line;\n const eqIndex = trimmed.indexOf(\"=\");\n if (eqIndex === -1) return line;\n const key = trimmed.slice(0, eqIndex).trim();\n if (remaining.has(key)) {\n const value = remaining.get(key)!;\n remaining.delete(key);\n return `${key}=${value}`;\n }\n return line;\n });\n\n // Append new vars\n for (const [key, value] of remaining) {\n updated.push(`${key}=${value}`);\n }\n\n // Ensure trailing newline\n let result = updated.join(\"\\n\");\n if (!result.endsWith(\"\\n\")) result += \"\\n\";\n\n try {\n fs.mkdirSync(path.dirname(envPath), { recursive: true });\n fs.writeFileSync(envPath, result);\n } catch {\n // Edge runtimes don't have writable filesystem — skip silently\n }\n}\n\nexport interface CreateServerResult {\n app: ReturnType<typeof createApp>;\n router: ReturnType<typeof createRouter>;\n}\n\n/**\n * Create a pre-configured H3 app with standard agent-native setup:\n * - CORS headers via middleware\n * - /_agent-native/ping health check\n * - /_agent-native/env-status and /_agent-native/env-vars (when envKeys is provided)\n *\n * Returns { app, 
router } — mount routes on `router`.\n */\nexport function createServer(\n options: CreateServerOptions = {},\n): CreateServerResult {\n const app = createApp({\n onError(error, event) {\n // Suppress connection-reset errors — client disconnected mid-request (tab close, reload)\n const err = error as NodeJS.ErrnoException;\n const code = err?.code || (err?.cause as NodeJS.ErrnoException)?.code;\n if (code === \"ECONNRESET\" || code === \"ECONNABORTED\") return;\n if (err?.message === \"aborted\") return;\n console.error(\n `[agent-native] Server error: ${event.method} ${event.path}`,\n error,\n );\n },\n });\n\n // CORS middleware\n if (options.cors !== false) {\n const allowedOrigins = readCorsAllowedOrigins();\n const isProduction = process.env.NODE_ENV === \"production\";\n\n /**\n * When CORS_ALLOWED_ORIGINS is unset, production only allows trusted\n * localhost/native desktop origins. Development keeps the legacy \"echo\n * any origin\" behavior so local tools and docs previews keep working.\n */\n app.use(\n defineEventHandler((event) => {\n const requestOrigin = getRequestHeader(event, \"origin\");\n const method = getMethod(event);\n const requestedHeaders = String(\n getRequestHeader(event, \"access-control-request-headers\") ?? \"\",\n )\n .toLowerCase()\n .split(\",\")\n .map((header) => header.trim());\n const embedCorsRequest =\n isMcpEmbedCorsOrigin(requestOrigin) &&\n (requestedHeaders.includes(EMBED_TARGET_HEADER.toLowerCase()) ||\n requestedHeaders.includes(EMBED_TRANSPLANT_HEADER) ||\n Boolean(getRequestHeader(event, EMBED_TARGET_HEADER)) ||\n Boolean(getRequestHeader(event, EMBED_TRANSPLANT_HEADER)) ||\n Boolean(getRequestHeader(event, \"authorization\")));\n\n /**\n * Decide whether the requesting origin is allowed. 
We never fall back\n * to \"the first allowlist entry\" when the origin isn't in the list —\n * that previously sent `Access-Control-Allow-Origin: <other-origin>`\n * with credentials enabled to attacker-controlled origins, which was\n * permissive enough that some clients followed through with the\n * credentialed request.\n */\n const allowedOrigin = embedCorsRequest\n ? requestOrigin\n : getAllowedCorsOrigin(requestOrigin, {\n allowedOrigins,\n allowAnyOriginWhenNoAllowlist: !isProduction,\n // Let the cors-origins default apply (dev-only). Passing `true`\n // here unconditionally would re-open the production localhost gap.\n });\n // No origin header at all (same-origin fetch, server-to-server) and\n // no allowlist → fall through with `*`-equivalent behaviour: omit\n // ACAO entirely and let the browser apply its same-origin default.\n\n if (allowedOrigin) {\n setResponseHeader(\n event,\n \"Access-Control-Allow-Origin\",\n allowedOrigin,\n );\n setResponseHeader(event, \"Vary\", \"Origin\");\n // A specific origin means we can honor credentialed requests\n // (fetch with `credentials: \"include\"` — used by desktop tray\n // apps that share a same-site cookie with the web app). 
The\n // wildcard `*` is spec-incompatible with credentials, so only\n // set this when we're echoing a concrete origin.\n if (shouldAllowMcpEmbedCredentials(allowedOrigin)) {\n setResponseHeader(\n event,\n \"Access-Control-Allow-Credentials\",\n \"true\",\n );\n }\n } else if (!requestOrigin) {\n // No origin header — preserve the legacy permissive behaviour for\n // tools/scripts that hit the API directly (no credentialed CORS\n // semantics apply when there's no Origin).\n setResponseHeader(event, \"Access-Control-Allow-Origin\", \"*\");\n }\n\n setResponseHeader(\n event,\n \"Access-Control-Allow-Methods\",\n \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n );\n setResponseHeader(\n event,\n \"Access-Control-Allow-Headers\",\n MCP_EMBED_CORS_ALLOW_HEADERS,\n );\n\n if (method === \"OPTIONS\") {\n // Reject preflights from disallowed cross-origin callers. We only\n // 204 if either (a) there was no Origin header (same-origin or\n // direct script invocation) or (b) the origin was in the allowlist\n // / dev fallback above. Otherwise we 403 so the browser surfaces\n // a hard CORS failure rather than blindly retrying with credentials.\n if (requestOrigin && !allowedOrigin) {\n return new Response(null, { status: 403 });\n }\n return new Response(null, { status: 204 });\n }\n }),\n );\n }\n\n const router = createRouter();\n app.use(router);\n\n // Health check\n if (!options.disablePing) {\n router.get(\n \"/_agent-native/ping\",\n defineEventHandler(() => {\n const message =\n options.pingMessage ?? process.env.PING_MESSAGE ?? \"pong\";\n return { message };\n }),\n );\n }\n\n // Env key management routes\n if (options.envKeys) {\n const envKeys = options.envKeys;\n\n router.get(\n \"/_agent-native/env-status\",\n defineEventHandler(() => {\n return envKeys.map((cfg) => ({\n key: cfg.key,\n label: cfg.label,\n required: cfg.required ?? false,\n configured: !!process.env[cfg.key],\n ...(cfg.helpText ? 
{ helpText: cfg.helpText } : {}),\n }));\n }),\n );\n\n router.post(\n \"/_agent-native/env-vars\",\n defineEventHandler(async (event: H3Event) => {\n // Env vars are deployment-wide globals — see isEnvVarWriteAllowed\n // above. Disable the endpoint on any multi-tenant deploy.\n if (!isEnvVarWriteAllowed()) {\n setResponseStatus(event, 403);\n return {\n error:\n \"env-vars endpoint disabled on multi-tenant deployments. Use saveCredential(key, value, { userEmail, orgId, scope: 'org' }) to store per-org credentials.\",\n };\n }\n\n const body = await readBody(event);\n const { vars } = body as {\n vars?: Array<{ key: string; value: string }>;\n };\n\n if (!Array.isArray(vars) || vars.length === 0) {\n setResponseStatus(event, 400);\n return { error: \"vars array required\" };\n }\n\n // Only allow keys that are in the env config\n const allowedKeys = new Set(envKeys.map((k) => k.key));\n const blockedEnvVarWriteKeys = new Set<string>(BUILDER_ENV_KEYS);\n const filtered = vars.filter(\n (v) =>\n typeof v.key === \"string\" &&\n allowedKeys.has(v.key) &&\n !blockedEnvVarWriteKeys.has(v.key),\n );\n if (filtered.length === 0) {\n setResponseStatus(event, 400);\n return { error: \"No recognized env keys in request\" };\n }\n\n // Write to .env file\n const envPath = path.join(process.cwd(), \".env\");\n await upsertEnvFile(envPath, filtered);\n\n // Update process.env so the app picks up the new values immediately\n for (const { key, value } of filtered) {\n process.env[key] = value;\n }\n\n // Notify parent (Builder or frame) via postMessage\n agentEnv.setVars(filtered);\n\n return { saved: filtered.map((v) => v.key) };\n }),\n );\n }\n\n return { app, router };\n}\n"]}
1
+ {"version":3,"file":"create-server.js","sourceRoot":"","sources":["../../src/server/create-server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,SAAS,EACT,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AA0BxD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe,EACf,IAA2C;IAE3C,gEAAgE;IAChE,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC;QAClC,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,6BAA6B,GAAG,mDAAmD,CACpF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAE9B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,yBAAyB;IAC3B,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE7D,iCAAiC;IACjC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACrD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAChC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;YAClC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACtB,OAAO,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAClB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,SAAS,EAAE,CAAC;
QACrC,OAAO,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC;IAClC,CAAC;IAED,0BAA0B;IAC1B,IAAI,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,IAAI,CAAC;IAE3C,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,+DAA+D;IACjE,CAAC;AACH,CAAC;AAOD;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,UAA+B,EAAE;IAEjC,MAAM,GAAG,GAAG,SAAS,CAAC;QACpB,OAAO,CAAC,KAAK,EAAE,KAAK;YAClB,yFAAyF;YACzF,MAAM,GAAG,GAAG,KAA8B,CAAC;YAC3C,MAAM,IAAI,GAAG,GAAG,EAAE,IAAI,IAAK,GAAG,EAAE,KAA+B,EAAE,IAAI,CAAC;YACtE,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,cAAc;gBAAE,OAAO;YAC7D,IAAI,GAAG,EAAE,OAAO,KAAK,SAAS;gBAAE,OAAO;YACvC,OAAO,CAAC,KAAK,CACX,gCAAgC,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,EAAE,EAC5D,KAAK,CACN,CAAC;QACJ,CAAC;KACF,CAAC,CAAC;IAEH,kBAAkB;IAClB,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC3B,MAAM,cAAc,GAAG,sBAAsB,EAAE,CAAC;QAChD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;QAE3D;;;;WAIG;QACH,GAAG,CAAC,GAAG,CACL,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;YAC3B,MAAM,aAAa,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YACxD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;YAChC,MAAM,gBAAgB,GAAG,MAAM,CAC7B,gBAAgB,CAAC,KAAK,EAAE,gCAAgC,CAAC,IAAI,EAAE,CAChE;iBACE,WAAW,EAAE;iBACb,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAClC,MAAM,gBAAgB,GACpB,oBAAoB,CAAC,aAAa,CAAC;gBACnC,CAAC,gBAAgB,CAAC,QAAQ,CAAC,mBAAmB,CAAC,WAAW,EAAE,CAAC;oBAC3D,gBAAgB,CAAC,QAAQ,CAAC,uBAAuB,CAAC;oBAClD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;oBACrD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAC;oBACzD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;YAEvD;;;;;;;eAOG;YACH,MAAM,aAAa,GAAG,gBAAgB;gBACpC,CAAC,CAAC,aAAa;gBACf,CAAC,CAAC,oBAAoB,CAAC,aAAa,EAAE;oBAClC,cAAc;oBACd,6BAA6B,EAAE,CAAC,YAAY;oBAC5C,gEAAgE;oBAChE,mEAAmE;iBACpE,CAAC,CAAC;YACP,oEAAoE;YACpE,kEAAkE;YAClE,mEAAmE;YAEnE,IAAI,aAAa,EAAE,CAAC;gBAClB,
iBAAiB,CACf,KAAK,EACL,6BAA6B,EAC7B,aAAa,CACd,CAAC;gBACF,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;gBAC3C,6DAA6D;gBAC7D,8DAA8D;gBAC9D,4DAA4D;gBAC5D,8DAA8D;gBAC9D,iDAAiD;gBACjD,IAAI,8BAA8B,CAAC,aAAa,CAAC,EAAE,CAAC;oBAClD,iBAAiB,CACf,KAAK,EACL,kCAAkC,EAClC,MAAM,CACP,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,IAAI,CAAC,aAAa,EAAE,CAAC;gBAC1B,kEAAkE;gBAClE,gEAAgE;gBAChE,2CAA2C;gBAC3C,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAC/D,CAAC;YAED,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;YACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,4BAA4B,CAC7B,CAAC;YAEF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,kEAAkE;gBAClE,+DAA+D;gBAC/D,mEAAmE;gBACnE,iEAAiE;gBACjE,qEAAqE;gBACrE,IAAI,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;oBACpC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC7C,CAAC;gBACD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAEhB,eAAe;IACf,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,CACR,qBAAqB,EACrB,kBAAkB,CAAC,GAAG,EAAE;YACtB,MAAM,OAAO,GACX,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,MAAM,CAAC;YAC5D,OAAO,EAAE,OAAO,EAAE,CAAC;QACrB,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,4BAA4B;IAC5B,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAEhC,MAAM,CAAC,GAAG,CACR,2BAA2B,EAC3B,kBAAkB,CAAC,GAAG,EAAE;YACtB,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBAC3B,GAAG,EAAE,GAAG,CAAC,GAAG;gBACZ,KAAK,EAAE,GAAG,CAAC,KAAK;gBAChB,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,KAAK;gBAC/B,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;gBAClC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACpD,CAAC,CAAC,CAAC;QACN,CAAC,CAAC,CACH,CAAC;QAEF,MAAM,CAAC,IAAI,CACT,yBAAyB,EACzB,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;YAC1C,kEAAkE;YAClE,0DAA0D;YAC1D,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC;gBAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EACH,kHAAkH;iBACrH,CAAC
;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;YACnC,MAAM,EAAE,IAAI,EAAE,GAAG,IAEhB,CAAC;YAEF,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;YAC1C,CAAC;YAED,6CAA6C;YAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACvD,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAS,gBAAgB,CAAC,CAAC;YACjE,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAC1B,CAAC,CAAC,EAAE,EAAE,CACJ,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;gBACzB,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACtB,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CACrC,CAAC;YACF,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;YACxD,CAAC;YAED,qBAAqB;YACrB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;YACjD,MAAM,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAEvC,oEAAoE;YACpE,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YAC3B,CAAC;YAED,mDAAmD;YACnD,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAE3B,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;AACzB,CAAC","sourcesContent":["import {\n createApp,\n createRouter,\n defineEventHandler,\n getMethod,\n getRequestHeader,\n setResponseHeader,\n setResponseStatus,\n type H3Event,\n} from \"h3\";\nimport path from \"path\";\nimport { agentEnv } from \"../shared/agent-env.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n getAllowedCorsOrigin,\n readCorsAllowedOrigins,\n} from \"./cors-origins.js\";\nimport { isEnvVarWriteAllowed } from \"./env-var-writes.js\";\nimport { EMBED_TARGET_HEADER } from \"../shared/embed-auth.js\";\nimport {\n EMBED_TRANSPLANT_HEADER,\n isMcpEmbedCorsOrigin,\n MCP_EMBED_CORS_ALLOW_HEADERS,\n 
shouldAllowMcpEmbedCredentials,\n} from \"../shared/mcp-embed-headers.js\";\nimport { BUILDER_ENV_KEYS } from \"./builder-browser.js\";\n\nexport interface EnvKeyConfig {\n /** Environment variable name (e.g. \"HUBSPOT_ACCESS_TOKEN\") */\n key: string;\n /** Human-readable label (e.g. \"HubSpot\") */\n label: string;\n /** Whether this key is required for the app to function */\n required?: boolean;\n /** Optional UI hint shown next to the field describing where to find this value. */\n helpText?: string;\n}\n\nexport interface CreateServerOptions {\n /** CORS options. Ignored (H3 handles CORS via middleware). Default: enabled. */\n cors?: Record<string, unknown> | false;\n /** JSON body parser limit. Kept for API compatibility (H3 uses readBody). */\n jsonLimit?: string;\n /** Custom ping message. Default: reads PING_MESSAGE env var, falls back to \"pong\" */\n pingMessage?: string;\n /** Disable the /_agent-native/ping health check. Default: false */\n disablePing?: boolean;\n /** Env key configuration for the settings UI. Enables /_agent-native/env-status and /_agent-native/env-vars routes. 
*/\n envKeys?: EnvKeyConfig[];\n}\n\n/**\n * Upsert vars into a .env file, preserving existing structure.\n */\nexport async function upsertEnvFile(\n envPath: string,\n vars: Array<{ key: string; value: string }>,\n): Promise<void> {\n // Sanitize: reject values that could inject additional env vars\n for (const { key, value } of vars) {\n if (/[\\n\\r\\0]/.test(value)) {\n throw new Error(\n `Invalid env var value for ${key}: must not contain newlines or control characters`,\n );\n }\n }\n\n const fs = await import(\"fs\");\n\n let content = \"\";\n try {\n content = fs.readFileSync(envPath, \"utf-8\");\n } catch {\n // File doesn't exist yet\n }\n\n const lines = content.split(\"\\n\");\n const remaining = new Map(vars.map((v) => [v.key, v.value]));\n\n // Update existing lines in place\n const updated = lines.map((line) => {\n const trimmed = line.trim();\n if (!trimmed || trimmed.startsWith(\"#\")) return line;\n const eqIndex = trimmed.indexOf(\"=\");\n if (eqIndex === -1) return line;\n const key = trimmed.slice(0, eqIndex).trim();\n if (remaining.has(key)) {\n const value = remaining.get(key)!;\n remaining.delete(key);\n return `${key}=${value}`;\n }\n return line;\n });\n\n // Append new vars\n for (const [key, value] of remaining) {\n updated.push(`${key}=${value}`);\n }\n\n // Ensure trailing newline\n let result = updated.join(\"\\n\");\n if (!result.endsWith(\"\\n\")) result += \"\\n\";\n\n try {\n fs.mkdirSync(path.dirname(envPath), { recursive: true });\n fs.writeFileSync(envPath, result);\n } catch {\n // Edge runtimes don't have writable filesystem — skip silently\n }\n}\n\nexport interface CreateServerResult {\n app: ReturnType<typeof createApp>;\n router: ReturnType<typeof createRouter>;\n}\n\n/**\n * Create a pre-configured H3 app with standard agent-native setup:\n * - CORS headers via middleware\n * - /_agent-native/ping health check\n * - /_agent-native/env-status and /_agent-native/env-vars (when envKeys is provided)\n *\n * Returns { app, 
router } — mount routes on `router`.\n */\nexport function createServer(\n options: CreateServerOptions = {},\n): CreateServerResult {\n const app = createApp({\n onError(error, event) {\n // Suppress connection-reset errors — client disconnected mid-request (tab close, reload)\n const err = error as NodeJS.ErrnoException;\n const code = err?.code || (err?.cause as NodeJS.ErrnoException)?.code;\n if (code === \"ECONNRESET\" || code === \"ECONNABORTED\") return;\n if (err?.message === \"aborted\") return;\n console.error(\n `[agent-native] Server error: ${event.method} ${event.path}`,\n error,\n );\n },\n });\n\n // CORS middleware\n if (options.cors !== false) {\n const allowedOrigins = readCorsAllowedOrigins();\n const isProduction = process.env.NODE_ENV === \"production\";\n\n /**\n * When CORS_ALLOWED_ORIGINS is unset, production only allows trusted\n * localhost/native desktop origins. Development keeps the legacy \"echo\n * any origin\" behavior so local tools and docs previews keep working.\n */\n app.use(\n defineEventHandler((event) => {\n const requestOrigin = getRequestHeader(event, \"origin\");\n const method = getMethod(event);\n const requestedHeaders = String(\n getRequestHeader(event, \"access-control-request-headers\") ?? \"\",\n )\n .toLowerCase()\n .split(\",\")\n .map((header) => header.trim());\n const embedCorsRequest =\n isMcpEmbedCorsOrigin(requestOrigin) &&\n (requestedHeaders.includes(EMBED_TARGET_HEADER.toLowerCase()) ||\n requestedHeaders.includes(EMBED_TRANSPLANT_HEADER) ||\n Boolean(getRequestHeader(event, EMBED_TARGET_HEADER)) ||\n Boolean(getRequestHeader(event, EMBED_TRANSPLANT_HEADER)) ||\n Boolean(getRequestHeader(event, \"authorization\")));\n\n /**\n * Decide whether the requesting origin is allowed. 
We never fall back\n * to \"the first allowlist entry\" when the origin isn't in the list —\n * that previously sent `Access-Control-Allow-Origin: <other-origin>`\n * with credentials enabled to attacker-controlled origins, which was\n * permissive enough that some clients followed through with the\n * credentialed request.\n */\n const allowedOrigin = embedCorsRequest\n ? requestOrigin\n : getAllowedCorsOrigin(requestOrigin, {\n allowedOrigins,\n allowAnyOriginWhenNoAllowlist: !isProduction,\n // Let the cors-origins default apply (dev-only). Passing `true`\n // here unconditionally would re-open the production localhost gap.\n });\n // No origin header at all (same-origin fetch, server-to-server) and\n // no allowlist → fall through with `*`-equivalent behaviour: omit\n // ACAO entirely and let the browser apply its same-origin default.\n\n if (allowedOrigin) {\n setResponseHeader(\n event,\n \"Access-Control-Allow-Origin\",\n allowedOrigin,\n );\n setResponseHeader(event, \"Vary\", \"Origin\");\n // A specific origin means we can honor credentialed requests\n // (fetch with `credentials: \"include\"` — used by desktop tray\n // apps that share a same-site cookie with the web app). 
The\n // wildcard `*` is spec-incompatible with credentials, so only\n // set this when we're echoing a concrete origin.\n if (shouldAllowMcpEmbedCredentials(allowedOrigin)) {\n setResponseHeader(\n event,\n \"Access-Control-Allow-Credentials\",\n \"true\",\n );\n }\n } else if (!requestOrigin) {\n // No origin header — preserve the legacy permissive behaviour for\n // tools/scripts that hit the API directly (no credentialed CORS\n // semantics apply when there's no Origin).\n setResponseHeader(event, \"Access-Control-Allow-Origin\", \"*\");\n }\n\n setResponseHeader(\n event,\n \"Access-Control-Allow-Methods\",\n \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n );\n setResponseHeader(\n event,\n \"Access-Control-Allow-Headers\",\n MCP_EMBED_CORS_ALLOW_HEADERS,\n );\n\n if (method === \"OPTIONS\") {\n // Reject preflights from disallowed cross-origin callers. We only\n // 204 if either (a) there was no Origin header (same-origin or\n // direct script invocation) or (b) the origin was in the allowlist\n // / dev fallback above. Otherwise we 403 so the browser surfaces\n // a hard CORS failure rather than blindly retrying with credentials.\n if (requestOrigin && !allowedOrigin) {\n return new Response(null, { status: 403 });\n }\n return new Response(null, { status: 204 });\n }\n }),\n );\n }\n\n const router = createRouter();\n app.use(router);\n\n // Health check\n if (!options.disablePing) {\n router.get(\n \"/_agent-native/ping\",\n defineEventHandler(() => {\n const message =\n options.pingMessage ?? process.env.PING_MESSAGE ?? \"pong\";\n return { message };\n }),\n );\n }\n\n // Env key management routes\n if (options.envKeys) {\n const envKeys = options.envKeys;\n\n router.get(\n \"/_agent-native/env-status\",\n defineEventHandler(() => {\n return envKeys.map((cfg) => ({\n key: cfg.key,\n label: cfg.label,\n required: cfg.required ?? false,\n configured: !!process.env[cfg.key],\n ...(cfg.helpText ? 
{ helpText: cfg.helpText } : {}),\n }));\n }),\n );\n\n router.post(\n \"/_agent-native/env-vars\",\n defineEventHandler(async (event: H3Event) => {\n // Env vars are deployment-wide globals — see isEnvVarWriteAllowed\n // above. Disable the endpoint on any multi-tenant deploy.\n if (!isEnvVarWriteAllowed()) {\n setResponseStatus(event, 403);\n return {\n error:\n \"env-vars endpoint disabled on multi-tenant deployments. Use scoped secrets or credentials for user/org API keys.\",\n };\n }\n\n const body = await readBody(event);\n const { vars } = body as {\n vars?: Array<{ key: string; value: string }>;\n };\n\n if (!Array.isArray(vars) || vars.length === 0) {\n setResponseStatus(event, 400);\n return { error: \"vars array required\" };\n }\n\n // Only allow keys that are in the env config\n const allowedKeys = new Set(envKeys.map((k) => k.key));\n const blockedEnvVarWriteKeys = new Set<string>(BUILDER_ENV_KEYS);\n const filtered = vars.filter(\n (v) =>\n typeof v.key === \"string\" &&\n allowedKeys.has(v.key) &&\n !blockedEnvVarWriteKeys.has(v.key),\n );\n if (filtered.length === 0) {\n setResponseStatus(event, 400);\n return { error: \"No recognized env keys in request\" };\n }\n\n // Write to .env file\n const envPath = path.join(process.cwd(), \".env\");\n await upsertEnvFile(envPath, filtered);\n\n // Update process.env so the app picks up the new values immediately\n for (const { key, value } of filtered) {\n process.env[key] = value;\n }\n\n // Notify parent (Builder or frame) via postMessage\n agentEnv.setVars(filtered);\n\n return { saved: filtered.map((v) => v.key) };\n }),\n );\n }\n\n return { app, router };\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"credential-provider.d.ts","sourceRoot":"","sources":["../../src/server/credential-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAMH;;;;;;;;GAQG;AACH,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAChC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC9B;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAK5C;AAED,qBAAa,yBAA0B,SAAQ,KAAK;IAClD,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;gBAElB,IAAI,EAAE;QAChB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB;CAUF;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAEvE;AAED;;;;;GAKG;AACH,wBAAgB,iCAAiC,IAAI,OAAO,CAG3D;AAED,wBAAgB,wCAAwC,IAAI,OAAO,CAIlE;AAiED,KAAK,uBAAuB,GAAG,MAAM,GAAG,KAAK,GAAG,WAAW,GAAG,KAAK,CAAC;AA0BpE,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,OAAO,CAE7E;AAuMD;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKxB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAE7C;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAEvE;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAGvE;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,IAAI,OAAO,CAAC,OAAO,CAAC,CAEpE;AAED;;;GAGG;AACH,wBAAsB,mCAAmC,IAAI,OAAO,CAAC,OAAO,CAAC,CAG5E;AAED;;;;GAIG;AACH,wBAAsB,8BAA8B,IAAI,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAO9F;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,IAAI,OAAO,CAAC;IACzD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,YAAY,EAAE,OAAO,GAAG,IAAI,CAAC;IAC7B,aAAa,EAAE,OAAO,GAAG,IAAI,CAAC;CAC/B,CAAC,CA0ED;AAID,MAAM,WAAW,4BAA4B;IAC3C,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM
,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,wBAAgB,4BAA4B,CAC1C,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,EAC1B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GACxB,MAAM,GAAG,IAAI,CAQf;AAMD,wBAAsB,+BAA+B,CACnD,KAAK,GAAE;IACL,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB,GACL,OAAO,CAAC,4BAA4B,GAAG,IAAI,CAAC,CA0B9C;AAED,wBAAsB,kCAAkC,CAAC,OAAO,CAAC,EAAE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBhB;AAED,wBAAsB,iCAAiC,CAAC,KAAK,EAAE;IAC7D,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,GAAG,OAAO,CAAC,IAAI,CAAC,CAYhB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EACb,KAAK,EAAE;IACL,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,YAAY,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IAC9B,aAAa,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;CAChC,EACD,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GACxD,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CA+FrD;AAED;;;;;;;;;GASG;AACH,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GACxD,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAiBrD;AAeD;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAyGvE;AAOD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,OAAO,CAE9C;AAED,yEAAyE;AACzE,wBAAgB,qBAAqB,IAAI,MAAM,CAO9C;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,CAKjD;AAED;;;GAGG;AACH,wBAAgB,gCAAgC,IAAI,MAAM,CAKzD;AAED;;;GAGG;AACH,wBAAgB,0B
AA0B,IAAI,MAAM,CAKnD;AAED,uEAAuE;AACvE,wBAAgB,oBAAoB,IAAI,MAAM,GAAG,IAAI,CAGpD"}
1
+ {"version":3,"file":"credential-provider.d.ts","sourceRoot":"","sources":["../../src/server/credential-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAMH;;;;;;;;GAQG;AACH,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAChC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC9B;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAK5C;AAED,qBAAa,yBAA0B,SAAQ,KAAK;IAClD,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;gBAElB,IAAI,EAAE;QAChB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB;CAUF;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAEvE;AAED;;;;;GAKG;AACH,wBAAgB,iCAAiC,IAAI,OAAO,CAG3D;AAED,wBAAgB,wCAAwC,IAAI,OAAO,CAKlE;AAiED,KAAK,uBAAuB,GAAG,MAAM,GAAG,KAAK,GAAG,WAAW,GAAG,KAAK,CAAC;AA0BpE,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,OAAO,CAE7E;AAuMD;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKxB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAE7C;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAEvE;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAGvE;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,IAAI,OAAO,CAAC,OAAO,CAAC,CAEpE;AAED;;;GAGG;AACH,wBAAsB,mCAAmC,IAAI,OAAO,CAAC,OAAO,CAAC,CAG5E;AAED;;;;GAIG;AACH,wBAAsB,8BAA8B,IAAI,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAO9F;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,IAAI,OAAO,CAAC;IACzD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,YAAY,EAAE,OAAO,GAAG,IAAI,CAAC;IAC7B,aAAa,EAAE,OAAO,GAAG,IAAI,CAAC;CAC/B,CAAC,CA0ED;AAID,MAAM,WAAW,4BAA4B;IAC3C,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM
,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,wBAAgB,4BAA4B,CAC1C,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,EAC1B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GACxB,MAAM,GAAG,IAAI,CAQf;AAMD,wBAAsB,+BAA+B,CACnD,KAAK,GAAE;IACL,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB,GACL,OAAO,CAAC,4BAA4B,GAAG,IAAI,CAAC,CA0B9C;AAED,wBAAsB,kCAAkC,CAAC,OAAO,CAAC,EAAE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBhB;AAED,wBAAsB,iCAAiC,CAAC,KAAK,EAAE;IAC7D,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,GAAG,OAAO,CAAC,IAAI,CAAC,CAYhB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EACb,KAAK,EAAE;IACL,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,YAAY,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IAC9B,aAAa,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;CAChC,EACD,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GACxD,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CA+FrD;AAED;;;;;;;;;GASG;AACH,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GACxD,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAiBrD;AAeD;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAyGvE;AAOD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,OAAO,CAE9C;AAED,yEAAyE;AACzE,wBAAgB,qBAAqB,IAAI,MAAM,CAO9C;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,CAKjD;AAED;;;GAGG;AACH,wBAAgB,gCAAgC,IAAI,MAAM,CAKzD;AAED;;;GAGG;AACH,wBAAgB,0B
AA0B,IAAI,MAAM,CAKnD;AAED,uEAAuE;AACvE,wBAAgB,oBAAoB,IAAI,MAAM,GAAG,IAAI,CAGpD"}
@@ -68,6 +68,8 @@ export function isDeployCredentialFallbackAllowed() {
68
68
  }
69
69
  export function canUseDeployCredentialFallbackForRequest() {
70
70
  const email = getRequestUserEmail();
71
+ if (email && isHostedWorkspaceRuntime())
72
+ return false;
71
73
  if (!email)
72
74
  return true;
73
75
  return isDeployCredentialFallbackAllowed();
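Review bot: The new hosted-runtime guard in `canUseDeployCredentialFallbackForRequest` only applies when `getRequestUserEmail()` returns a value, so a call with no resolved user still reaches `if (!email) return true;` and keeps the deploy-level credential fallback on a hosted workspace. If that branch is meant only for system or background work, say so in a comment above it, for example `// No request user: system/background context, so deploy credentials are the only source.`; if an unauthenticated HTTP request can also arrive here without an email, this is a gap worth closing before the fallback is granted. Putting `if (!email) return true;` first and then a plain `if (isHostedWorkspaceRuntime()) return false;` would keep the same behaviour and make the three cases easier to read. The function's closing brace and the body of `isHostedWorkspaceRuntime` are outside this hunk, so what counts as a hosted runtime should be confirmed against the full file.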
@@ -1 +1 @@
1
- {"version":3,"file":"credential-provider.js","sourceRoot":"","sources":["../../src/server/credential-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC5E,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD;;;;;;;;GAQG;AACH,MAAM,UAAU,2BAA2B,CACzC,KAAa,EACb,KAAgC,EAChC,IAA+B;IAE/B,IAAI,KAAK,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,OAAO,CAAC,EAAE,CAAC;QACpD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC1C,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC3C,CAAC;AAED,MAAM,OAAO,yBAA0B,SAAQ,KAAK;IACzC,kBAAkB,CAAS;IAC3B,iBAAiB,CAAU;IAC3B,WAAW,CAAU;IAE9B,YAAY,IAKX;QACC,KAAK,CACH,IAAI,CAAC,OAAO;YACV,gCAAgC,IAAI,CAAC,kBAAkB,yCAAyC,CACnG,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;QACxC,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,CAAC;QAClD,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAChD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;IACtC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAW;IACjD,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iCAAiC;IAC/C,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IACvD,OAAO,eAAe,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,wCAAwC;IACtD,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,OAAO,iCAAiC,EAAE,CAAC;AAC7C,CAAC;AAED,MAAM,uBAAuB,GAAG;IAC9B,qBAAqB;IACrB,oBAAoB;IACpB,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;IAClB,sBAAsB;IACtB,4BAA4B;IAC5B,2BAA2B;IAC3B,uBAAuB;IACvB,yBAAyB;CACjB,CAAC;AAEX,SAAS,sBAAsB,CAAC,GAAW;IACzC,OAAQ,uBAA6C,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,wBAAwB;IAC/B,MAAM,gBAAgB,GAAG,OAAO,CAC9B,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAC7B,OAAO,CAAC,GAAG,CAAC,sBAAsB,CACnC,CAAC;IACF,OAAO,CACL,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,EAAE,CAAC;QAC5D,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,EAAE,CAAC;QACjE,gBAAgB,CACjB,CAAC;AACJ,CAAC;AAED,SAAS,+CAA+C;IACtD,MAAM,KAAK,GAAG,mBAAmB,EAAE,CA
AC;IACpC,4EAA4E;IAC5E,4EAA4E;IAC5E,yEAAyE;IACzE,+CAA+C;IAC/C,IAAI,KAAK,IAAI,wBAAwB,EAAE;QAAE,OAAO,KAAK,CAAC;IACtD,OAAO,wCAAwC,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,4BAA4B;IACnC,OAAO,aAAa,CAAC,IAAI,CACvB,OAAO,CAAC,GAAG,CAAC,qCAAqC;QAC/C,OAAO,CAAC,GAAG,CAAC,wBAAwB;QACpC,EAAE,CACL,CAAC;AACJ,CAAC;AAgCD,SAAS,2BAA2B,CAAC,KAAiC;IACpE,OAAO,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,0BAA0B,CACjC,KAAgC;IAEhC,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IAC/C,OAAO,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAAgC;IAClE,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AACtE,CAAC;AAED,KAAK,UAAU,0BAA0B,CACvC,aAAmE,EACnE,KAAmC,EACnC,OAAe;IAEf,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAC9B,uBAAuB,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACxC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,IAAI,IAAI,CAAU,CAAC;IAC/C,CAAC,CAAC,CACH,CAAC;IACF,MAAM,GAAG,GAAG,IAAI,GAAG,CAAwB,MAAM,CAAC,CAAC;IACnD,OAAO;QACL,UAAU,EAAE,GAAG,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,IAAI;QAClD,SAAS,EAAE,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,IAAI;QAChD,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,IAAI;QAC1C,OAAO,EAAE,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,IAAI;QAC5C,OAAO,EAAE,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,IAAI;QAC5C,YAAY,EAAE,GAAG,CAAC,GAAG,CAAC,sBAAsB,CAAC,IAAI,IAAI;QACrD,iBAAiB,EAAE,GAAG,CAAC,GAAG,CAAC,4BAA4B,CAAC,IAAI,IAAI;QAChE,gBAAgB,EAAE,GAAG,CAAC,GAAG,CAAC,2BAA2B,CAAC,IAAI,IAAI;QAC9D,YAAY,EAAE,0BAA0B,CAAC,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QAC1E,aAAa,EAAE,0BAA0B,CACvC,GAAG,CAAC,GAAG,CAAC,yBAAyB,CAAC,CACnC;QACD,MAAM,EAAE,KAAK,KAAK,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK;KACpD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,8BAA8B,CAC3C,GAAW;IAEX,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,yEAAyE;IACzE,sEAAsE;IACtE,MAAM,WAAW,GAAG,4BAA4B,EAAE,CAAC;IACnD,IAAI,cAAc,GAAG,MAAM,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAA
M,MAAM,CAAC,uBAAuB,CAAC,CAAC;QAEhE,sEAAsE;QACtE,iEAAiE;QACjE,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC;YACrC,GAAG;YACH,KAAK,EAAE,MAAM;YACb,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QACH,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,sBAAsB,CACrE,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACrD,CAAC;QAED,mEAAmE;QACnE,iEAAiE;QACjE,+DAA+D;QAC/D,6DAA6D;QAC7D,mEAAmE;QACnE,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,IAAI,KAAK,EAAE,CAAC;YACV,cAAc,GAAG,KAAK,CAAC;YACvB,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC;gBACpC,GAAG;gBACH,KAAK,EAAE,KAAK;gBACZ,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,SAAS,EAAE,CAAC;gBACd,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,KAAK,qBAAqB,CACnF,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YACnD,CAAC;YAED,iEAAiE;YACjE,qEAAqE;YACrE,yEAAyE;YACzE,cAAc,GAAG,WAAW,CAAC;YAC7B,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC;gBAC1C,GAAG;gBACH,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,eAAe,EAAE,CAAC;gBACpB,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,KAAK,2BAA2B,CACzF,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;YAC/D,CAAC;YACD,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,KAAK,gCAAgC,CAC9F,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,cAAc,GAAG,gBAAgB,CAAC;YAClC,MAAM,mBAAmB,GAAG,MAAM,aAAa,CAAC;gBAC9C,GAAG;gBACH,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,QAAQ,KAAK,EAAE;aACzB,CAAC,CAAC;YACH,IAAI,mBAAmB,EAAE,CAAC;gBACxB,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,gCAAgC,CAC/E,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;YACnE,CAAC;YACD,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,8CAA8C,CAC7F,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,cAAc,UAAW,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CACjH,C
AAC;QACJ,CAAC;QACD,8CAA8C;IAChD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,+BAA+B;IAC5C,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,WAAW,GAAG,4BAA4B,EAAE,CAAC;IACnD,IAAI,cAAc,GAAG,MAAM,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;QAChE,MAAM,UAAU,GAAG,CAAC,KAAiC,EAAE,OAAe,EAAE,EAAE;YACxE,IAAI,CAAC,WAAW;gBAAE,OAAO;YACzB,OAAO,CAAC,GAAG,CACT,8BAA8B,KAAK,CAAC,MAAM,YAAY,OAAO,UAAU,KAAK,aAAa,2BAA2B,CAAC,KAAK,CAAC,YAAY,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,WAAW,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CACtM,CAAC;QACJ,CAAC,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,0BAA0B,CAChD,aAAa,EACb,MAAM,EACN,KAAK,CACN,CAAC;QACF,UAAU,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC7B,IAAI,2BAA2B,CAAC,SAAS,CAAC;YAAE,OAAO,SAAS,CAAC;QAE7D,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,IAAI,KAAK,EAAE,CAAC;YACV,cAAc,GAAG,KAAK,CAAC;YACvB,MAAM,QAAQ,GAAG,MAAM,0BAA0B,CAC/C,aAAa,EACb,KAAK,EACL,KAAK,CACN,CAAC;YACF,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;YAC5B,IAAI,2BAA2B,CAAC,QAAQ,CAAC;gBAAE,OAAO,QAAQ,CAAC;YAE3D,cAAc,GAAG,WAAW,CAAC;YAC7B,MAAM,cAAc,GAAG,MAAM,0BAA0B,CACrD,aAAa,EACb,WAAW,EACX,KAAK,CACN,CAAC;YACF,UAAU,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;YAClC,IAAI,2BAA2B,CAAC,cAAc,CAAC;gBAAE,OAAO,cAAc,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,cAAc,GAAG,gBAAgB,CAAC;YAClC,MAAM,OAAO,GAAG,QAAQ,KAAK,EAAE,CAAC;YAChC,MAAM,cAAc,GAAG,MAAM,0BAA0B,CACrD,aAAa,EACb,WAAW,EACX,OAAO,CACR,CAAC;YACF,UAAU,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;YACpC,IAAI,2BAA2B,CAAC,cAAc,CAAC;gBAAE,OAAO,cAAc,CAAC;QACzE,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,8BAA8B,KAAK,UAAU,cAAc,sBAAuB,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CAClH,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,GAAW;IAEX,MAAM,MAAM,GAAG,MAAM,8BAA8B,CAAC,GAAG,CAAC,CAAC;IACzD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,KAAK,CAAC;IAChC,IAAI,CAAC,+CAA+C,EAAE;QAAE,OAAO,IAAI,CAAC;IACpE,OAAO,uBAAuB,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,CAAC,CAAC
,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AAC3C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,OAAO,wBAAwB,CAAC,qBAAqB,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,MAAM,GAAG,GAAG,MAAM,wBAAwB,EAAE,CAAC;IAC7C,OAAO,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,OAAO,CAAC,CAAC,CAAC,MAAM,wBAAwB,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,mCAAmC;IACvD,MAAM,KAAK,GAAG,MAAM,yBAAyB,EAAE,CAAC;IAChD,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B;IAClD,MAAM,MAAM,GAAG,MAAM,+BAA+B,EAAE,CAAC;IACvD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,MAAM,CAAC;IACjC,OAAO,+CAA+C,EAAE;QACtD,OAAO,CAAC,GAAG,CAAC,mBAAmB;QAC/B,CAAC,CAAC,KAAK;QACP,CAAC,CAAC,IAAI,CAAC;AACX,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB;IAY7C,MAAM,MAAM,GAAG,MAAM,+BAA+B,EAAE,CAAC;IACvD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,EACJ,UAAU,EACV,SAAS,EACT,MAAM,EACN,OAAO,EACP,OAAO,EACP,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,YAAY,EACZ,aAAa,GACd,GAAG,MAAM,CAAC;QACX,OAAO;YACL,UAAU;YACV,SAAS;YACT,MAAM;YACN,OAAO;YACP,OAAO;YACP,YAAY;YACZ,iBAAiB;YACjB,gBAAgB;YAChB,YAAY;YACZ,aAAa;SACd,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,+CAA+C,EAAE;QAClE,CAAC,CAAC,CAAC,uBAAuB,CAAC,qBAAqB,CAAC,IAAI,IAAI,CAAC;QAC1D,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,SAAS,GAAG,+CAA+C,EAAE;QACjE,CAAC,CAAC,CAAC,uBAAuB,CAAC,oBAAoB,CAAC,IAAI,IAAI,CAAC;QACzD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,MAAM,GAAG,+CAA+C,EAAE;QAC9D,CAAC,CAAC,CAAC,uBAAuB,CAAC,iBAAiB,CAAC,IAAI,IAAI,CAAC;QACtD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,OAAO,GAAG,+CAA+C,EAAE;QAC/D,CAAC,CAAC,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,IAAI,IAAI,CAAC;QACvD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,OAAO,GAAG,+CAA+C,EAAE;QAC/D,CAAC,CAAC,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,IAAI,IAAI,CAAC;QACvD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,YAAY,GAAG,+CAA+C,EAAE;QACpE,CAAC,CAAC,CAAC,uBAAuB,CAAC,sBAAsB,CAAC,IAAI,IAAI,CAAC;QAC3D,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,iBAAiB,GAAG,+CAA+C,EAAE;QACzE,CAAC,CAAC,CAAC,uBAAuB,CAAC,4BAA4B,C
AAC,IAAI,IAAI,CAAC;QACjE,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,gBAAgB,GAAG,+CAA+C,EAAE;QACxE,CAAC,CAAC,CAAC,uBAAuB,CAAC,2BAA2B,CAAC,IAAI,IAAI,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,YAAY,GAAG,+CAA+C,EAAE;QACpE,CAAC,CAAC,0BAA0B,CACxB,uBAAuB,CAAC,uBAAuB,CAAC,CACjD;QACH,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,aAAa,GAAG,+CAA+C,EAAE;QACrE,CAAC,CAAC,0BAA0B,CACxB,uBAAuB,CAAC,yBAAyB,CAAC,CACnD;QACH,CAAC,CAAC,IAAI,CAAC;IACT,OAAO;QACL,UAAU;QACV,SAAS;QACT,MAAM;QACN,OAAO;QACP,OAAO;QACP,YAAY;QACZ,iBAAiB;QACjB,gBAAgB;QAChB,YAAY;QACZ,aAAa;KACd,CAAC;AACJ,CAAC;AAED,MAAM,mCAAmC,GAAG,uBAAuB,CAAC;AAYpE,MAAM,UAAU,4BAA4B,CAC1C,UAA0B,EAC1B,SAAyB;IAEzB,IAAI,CAAC,UAAU,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,UAAU,CAAC;SAClB,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,SAAS,CAAC;SACjB,MAAM,CAAC,KAAK,CAAC;SACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,4BAA4B,CAAC,WAAmB;IACvD,OAAO,GAAG,mCAAmC,GAAG,WAAW,EAAE,CAAC;AAChE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,QAGI,EAAE;IAEN,MAAM,WAAW,GAAG,4BAA4B,CAC9C,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,SAAS,CAChB,CAAC;IACF,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC5D,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,4BAA4B,CAAC,WAAW,CAAC,CAAC,CAAC;QACxE,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO;YACL,WAAW;YACX,OAAO,EACL,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,IAAI,GAAG,CAAC,OAAO;gBAC5C,CAAC,CAAC,GAAG,CAAC,OAAO;gBACb,CAAC,CAAC,mEAAmE;YACzE,MAAM,EAAE,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YAC/D,IAAI,EAAE,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;YACzD,EAAE,EAAE,OAAO,GAAG,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE;YACpD,UAAU,EACR,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YACjE,KAAK,EAAE,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;SAC7D,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,C
AAC;AAED,MAAM,CAAC,KAAK,UAAU,kCAAkC,CAAC,OAIxD;IACC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,yBAAyB,EAAE,CAAC;QAChD,MAAM,WAAW,GAAG,4BAA4B,CAC9C,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,SAAS,CAChB,CAAC;QACF,IAAI,CAAC,WAAW;YAAE,OAAO;QACzB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC5D,MAAM,UAAU,CAAC,4BAA4B,CAAC,WAAW,CAAC,EAAE;YAC1D,WAAW;YACX,OAAO,EACL,OAAO,EAAE,OAAO;gBAChB,mEAAmE;YACrE,GAAG,CAAC,OAAO,OAAO,EAAE,MAAM,KAAK,QAAQ,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC;YACtE,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC;YAC5C,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;YACd,UAAU,EAAE,mBAAmB,EAAE,IAAI,IAAI;YACzC,KAAK,EAAE,eAAe,EAAE,IAAI,IAAI;SACjC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,yEAAyE;IAC3E,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iCAAiC,CAAC,KAGvD;IACC,MAAM,WAAW,GAAG,4BAA4B,CAC9C,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,SAAS,CAChB,CAAC;IACF,IAAI,CAAC,WAAW;QAAE,OAAO;IACzB,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC/D,MAAM,aAAa,CAAC,4BAA4B,CAAC,WAAW,CAAC,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,qEAAqE;IACvE,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,KAAa,EACb,KAWC,EACD,OAAyD;IAEzD,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;IACzC,IAAI,CAAC,mBAAmB,CAAC,UAAU,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,uKAAuK,CACxK,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,4EAA4E,CAC7E,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,cAAc,EAAE,eAAe,EAAE,GACvC,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,2BAA2B,CACxC,KAAK,EACL,OAAO,EAAE,KAAK,IAAI,IAAI,EACtB,OAAO,EAAE,IAAI,IAAI,IAAI,CACtB,CAAC;IAEF,yEAAyE;IACzE,8CAA8C;IAC9C,MAAM,QAAQ,GAA4B,uBAAuB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAC5E,eAAe,CAAC;QACd,GAAG;QACH,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACnB,CAAC;IACF,IAAI,MAAM,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QAC3B,KAAK,MAAM,GAAG,IAAI,uBAAuB,EAAE,CAAC;YAC1C,QAAQ,CAAC,IA
AI,CACX,eAAe,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACxE,CAAC;QACJ,CAAC;IACH,CAAC;IACD,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAE5B,MAAM,OAAO,GAA0C;QACrD,EAAE,GAAG,EAAE,qBAAqB,EAAE,KAAK,EAAE,UAAU,EAAE;QACjD,EAAE,GAAG,EAAE,oBAAoB,EAAE,KAAK,EAAE,SAAS,EAAE;KAChD,CAAC;IACF,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;QAC5B,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,4BAA4B;YACjC,KAAK,EAAE,KAAK,CAAC,iBAAiB;SAC/B,CAAC,CAAC;IACL,CAAC;IACD,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC3B,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,2BAA2B;YAChC,KAAK,EAAE,KAAK,CAAC,gBAAgB;SAC9B,CAAC,CAAC;IACL,CAAC;IACD,IAAI,OAAO,KAAK,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,uBAAuB;YAC5B,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC;SAClC,CAAC,CAAC;IACL,CAAC;IACD,IAAI,OAAO,KAAK,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,yBAAyB;YAC9B,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC;SACnC,CAAC,CAAC;IACL,CAAC;IACD,MAAM,OAAO,CAAC,GAAG,CACf,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,CAC7B,cAAc,CAAC;QACb,GAAG;QACH,KAAK;QACL,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CACH,CACF,CAAC;IACF,MAAM,iCAAiC,CAAC;QACtC,UAAU;QACV,SAAS;KACV,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,KAAa,EACb,OAAyD;IAEzD,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,2BAA2B,CACxC,KAAK,EACL,OA
AO,EAAE,KAAK,IAAI,IAAI,EACtB,OAAO,EAAE,IAAI,IAAI,IAAI,CACtB,CAAC;IACF,MAAM,OAAO,CAAC,GAAG,CACf,uBAAuB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAClC,eAAe,CAAC;QACd,GAAG;QACH,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACnB,CACF,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,2CAA2C;AAC3C,EAAE;AACF,0EAA0E;AAC1E,wEAAwE;AACxE,0EAA0E;AAC1E,4EAA4E;AAC5E,yEAAyE;AACzE,0EAA0E;AAC1E,mEAAmE;AACnE,2BAA2B;AAC3B,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAW;IAC7C,MAAM,WAAW,GAAG,4BAA4B,EAAE,CAAC;IACnD,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;YAChE,2BAA2B;YAC3B,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC;gBACrC,GAAG;gBACH,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,UAAU,EAAE,KAAK,EAAE,CAAC;gBACtB,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,sBAAsB,CACjE,CAAC;gBACJ,CAAC;gBACD,OAAO,UAAU,CAAC,KAAK,CAAC;YAC1B,CAAC;YAED,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;YAChC,IAAI,KAAK,EAAE,CAAC;gBACV,kEAAkE;gBAClE,2CAA2C;gBAC3C,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC;oBACpC,GAAG;oBACH,KAAK,EAAE,KAAK;oBACZ,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;gBACH,IAAI,SAAS,EAAE,KAAK,EAAE,CAAC;oBACrB,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,UAAU,KAAK,qBAAqB,CAC/E,CAAC;oBACJ,CAAC;oBACD,OAAO,SAAS,CAAC,KAAK,CAAC;gBACzB,CAAC;gBAED,6DAA6D;gBAC7D,mEAAmE;gBACnE,4BAA4B;gBAC5B,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC;oBAC1C,GAAG;oBACH,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;gBACH,IAAI,eAAe,EAAE,KAAK,EAAE,CAAC;oBAC3B,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,UAAU,KAAK,2BAA2B,CACrF,CAAC;oBACJ,CAAC;oBACD,OAAO,eAAe,CAAC,KAAK,CAAC;gBAC/B,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,mBAAmB,GAAG,MAAM,aAAa,CAAC;oBAC9C,GAAG;oBACH,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,QAAQ,KAAK,EAAE;iBACzB,CAAC,CAAC;gBACH,IAAI,mBAAmB,EAAE,KAAK,EAAE,CAAC;oBAC/B,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,gCAAgC
,CAC3E,CAAC;oBACJ,CAAC;oBACD,OAAO,mBAAmB,CAAC,KAAK,CAAC;gBACnC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,oBAAqB,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CAC/F,CAAC;YACJ,CAAC;YACD,8CAA8C;QAChD,CAAC;QACD,sEAAsE;QACtE,mEAAmE;QACnE,sEAAsE;QACtE,kDAAkD;QAClD,MAAM,WAAW,GAAG,CAClB,sBAAsB,CAAC,GAAG,CAAC;YACzB,CAAC,CAAC,+CAA+C,EAAE;YACnD,CAAC,CAAC,wCAAwC,EAAE,CAC/C;YACC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI;YAC1B,CAAC,CAAC,IAAI,CAAC;QACT,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,UAAU,eAAe,EAAE,IAAI,QAAQ,UAAU,WAAW,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,QAAQ,CAAC,CAAC,WAAW,EAAE,CACxJ,CAAC;QACJ,CAAC;QACD,OAAO,WAAW,CAAC;IACrB,CAAC;IACD,uEAAuE;IACvE,mDAAmD;IACnD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IACvC,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,yCAAyC,CAAC,CAAC,KAAK,EAAE,CAC9E,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,uEAAuE;AACvE,iEAAiE;AACjE,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AAC3C,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,qBAAqB;IACnC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,OAAO,CAAC,GAAG,CAAC,QAAQ;QACpB,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,wBAAwB,CACzB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,wBAAwB;QACpC,gDAAgD,CACjD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gCAAgC;IAC9C,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,iCAAiC;QAC7C,+CAA+C,CAChD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,2BAA2B;QACvC,mDAAmD,CACpD,CAAC;AACJ,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,oBAAoB;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC5C,OAAO,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC","sourcesContent":["/**\n * Credential provider abstraction.\n *\n * Every feature that needs an external credential (Anthropic API key,\n * Google OAuth tokens, OpenAI key, Slack bot token, etc.) 
should go through\n * one of the resolve*() helpers here instead of reading `process.env`\n * directly. That way the same feature can work in three modes:\n *\n * 1. User set their own key in .env → use it directly\n * 2. User connected Builder via `/cli-auth` → route through Builder proxy\n * 3. Neither → throw FeatureNotConfigured\n *\n * Templates catch FeatureNotConfigured and show a \"Connect Builder (1 click) /\n * set up your own key (guide)\" card.\n *\n * Today these helpers are used by the Builder-hosted LLM gateway, and the\n * shape is meant to grow to cover future managed credential integrations\n * (e.g. additional Builder-hosted services) without rewrites.\n */\n\nimport { createHash } from \"node:crypto\";\nimport { getRequestUserEmail, getRequestOrgId } from \"./request-context.js\";\nimport { isLocalDatabase } from \"../db/client.js\";\n\n/**\n * Decide which `app_secrets` scope a Builder/credential write should use.\n *\n * Org scope (\"everyone in this org sees these credentials\") wins when the\n * connecting user is an owner or admin of an active org — the write\n * privileges shared infra. 
A plain member or a user without an active\n * org falls through to per-user scope so a teammate can't silently\n * overwrite the org-shared connection.\n */\nexport function resolveCredentialWriteScope(\n email: string,\n orgId: string | null | undefined,\n role: string | null | undefined,\n): { scope: \"user\" | \"org\"; scopeId: string } {\n if (orgId && (role === \"owner\" || role === \"admin\")) {\n return { scope: \"org\", scopeId: orgId };\n }\n return { scope: \"user\", scopeId: email };\n}\n\nexport class FeatureNotConfiguredError extends Error {\n readonly requiredCredential: string;\n readonly builderConnectUrl?: string;\n readonly byokDocsUrl?: string;\n\n constructor(opts: {\n requiredCredential: string;\n message?: string;\n builderConnectUrl?: string;\n byokDocsUrl?: string;\n }) {\n super(\n opts.message ??\n `Feature requires credential \"${opts.requiredCredential}\". Connect Builder or set your own key.`,\n );\n this.name = \"FeatureNotConfiguredError\";\n this.requiredCredential = opts.requiredCredential;\n this.builderConnectUrl = opts.builderConnectUrl;\n this.byokDocsUrl = opts.byokDocsUrl;\n }\n}\n\n/**\n * Deployment-level credential fallback for single-tenant/local operation.\n * Multi-tenant call sites must gate this explicitly before calling.\n */\nexport function readDeployCredentialEnv(key: string): string | undefined {\n return process.env[key] || undefined;\n}\n\n/**\n * Deployment-level credentials are safe as a runtime fallback only in local /\n * single-tenant contexts. 
In hosted production with a shared database, every\n * signed-in user needs their own user/org/workspace credential so one deploy\n * key does not silently power another tenant's chat.\n */\nexport function isDeployCredentialFallbackAllowed(): boolean {\n if (process.env.NODE_ENV !== \"production\") return true;\n return isLocalDatabase();\n}\n\nexport function canUseDeployCredentialFallbackForRequest(): boolean {\n const email = getRequestUserEmail();\n if (!email) return true;\n return isDeployCredentialFallbackAllowed();\n}\n\nconst BUILDER_CREDENTIAL_KEYS = [\n \"BUILDER_PRIVATE_KEY\",\n \"BUILDER_PUBLIC_KEY\",\n \"BUILDER_USER_ID\",\n \"BUILDER_ORG_NAME\",\n \"BUILDER_ORG_KIND\",\n \"BUILDER_SUBSCRIPTION\",\n \"BUILDER_SUBSCRIPTION_LEVEL\",\n \"BUILDER_SUBSCRIPTION_NAME\",\n \"BUILDER_IS_ENTERPRISE\",\n \"BUILDER_IS_FREE_ACCOUNT\",\n] as const;\n\nfunction isBuilderCredentialKey(key: string): boolean {\n return (BUILDER_CREDENTIAL_KEYS as readonly string[]).includes(key);\n}\n\nfunction isHostedWorkspaceRuntime(): boolean {\n const hasFusionPreview = Boolean(\n process.env.FUSION_ENVIRONMENT ||\n process.env.FUSION_ENV_ORIGIN ||\n process.env.VITE_FUSION_ENV_ORIGIN,\n );\n return (\n /^(1|true)$/i.test(process.env.AGENT_NATIVE_WORKSPACE ?? \"\") ||\n /^(1|true)$/i.test(process.env.VITE_AGENT_NATIVE_WORKSPACE ?? \"\") ||\n hasFusionPreview\n );\n}\n\nfunction canUseBuilderDeployCredentialFallbackForRequest(): boolean {\n const email = getRequestUserEmail();\n // Builder workspace previews can run with NODE_ENV=development and their DB\n // detection can look local during early startup. 
Once a real signed-in user\n // is present, hosted workspace flags are enough to make deployment-level\n // Builder keys unsafe as an identity fallback.\n if (email && isHostedWorkspaceRuntime()) return false;\n return canUseDeployCredentialFallbackForRequest();\n}\n\nfunction shouldTraceCredentialResolve(): boolean {\n return /^(1|true)$/i.test(\n process.env.AGENT_NATIVE_DEBUG_CREDENTIAL_RESOLVE ??\n process.env.DEBUG_CREDENTIAL_RESOLVE ??\n \"\",\n );\n}\n\n// ---------------------------------------------------------------------------\n// Builder credential resolution:\n//\n// 1. **Request-scoped credentials.** A signed-in user can connect Builder\n// through the CLI-auth flow. Owner/admin connections land at org scope;\n// member/no-org connections land at user scope.\n//\n// 2. **Deployment fallback.** BUILDER_PRIVATE_KEY in env still makes local\n// and single-tenant deploys work out of the box, but it no longer blocks\n// per-user connect. Request-scoped credentials win whenever present.\n//\n// To run multi-tenant SaaS: prefer leaving BUILDER_PRIVATE_KEY unset unless a\n// shared fallback identity is intentional.\n// ---------------------------------------------------------------------------\n\ntype BuilderCredentialSource = \"user\" | \"org\" | \"workspace\" | \"env\";\ninterface BuilderResolvedCredentials {\n privateKey: string | null;\n publicKey: string | null;\n userId: string | null;\n orgName: string | null;\n orgKind: string | null;\n subscription: string | null;\n subscriptionLevel: string | null;\n subscriptionName: string | null;\n isEnterprise: boolean | null;\n isFreeAccount: boolean | null;\n source: Exclude<BuilderCredentialSource, \"env\">;\n}\n\nfunction isCompleteBuilderConnection(creds: BuilderResolvedCredentials) {\n return Boolean(creds.privateKey && creds.publicKey);\n}\n\nfunction readOptionalBuilderBoolean(\n value: string | null | undefined,\n): boolean | null {\n if (value == null || value === \"\") return null;\n return 
/^(1|true)$/i.test(value);\n}\n\nexport function isBuilderPrivateKey(value: string | null | undefined): boolean {\n return typeof value === \"string\" && value.trim().startsWith(\"bpk-\");\n}\n\nasync function readBuilderCredentialScope(\n readAppSecret: typeof import(\"../secrets/storage.js\").readAppSecret,\n scope: \"user\" | \"org\" | \"workspace\",\n scopeId: string,\n): Promise<BuilderResolvedCredentials> {\n const values = await Promise.all(\n BUILDER_CREDENTIAL_KEYS.map(async (key) => {\n const secret = await readAppSecret({ key, scope, scopeId });\n return [key, secret?.value ?? null] as const;\n }),\n );\n const map = new Map<string, string | null>(values);\n return {\n privateKey: map.get(\"BUILDER_PRIVATE_KEY\") ?? null,\n publicKey: map.get(\"BUILDER_PUBLIC_KEY\") ?? null,\n userId: map.get(\"BUILDER_USER_ID\") ?? null,\n orgName: map.get(\"BUILDER_ORG_NAME\") ?? null,\n orgKind: map.get(\"BUILDER_ORG_KIND\") ?? null,\n subscription: map.get(\"BUILDER_SUBSCRIPTION\") ?? null,\n subscriptionLevel: map.get(\"BUILDER_SUBSCRIPTION_LEVEL\") ?? null,\n subscriptionName: map.get(\"BUILDER_SUBSCRIPTION_NAME\") ?? null,\n isEnterprise: readOptionalBuilderBoolean(map.get(\"BUILDER_IS_ENTERPRISE\")),\n isFreeAccount: readOptionalBuilderBoolean(\n map.get(\"BUILDER_IS_FREE_ACCOUNT\"),\n ),\n source: scope === \"workspace\" ? \"workspace\" : scope,\n };\n}\n\nasync function resolveScopedBuilderCredential(\n key: string,\n): Promise<{ value: string; source: \"user\" | \"org\" | \"workspace\" } | null> {\n const email = getRequestUserEmail();\n if (!email) return null;\n\n // Trace only when explicitly requested. These diagnostics are useful for\n // support, but they include account identifiers and run on hot paths.\n const traceLookup = shouldTraceCredentialResolve();\n let scopeAttempted = \"user\";\n try {\n const { readAppSecret } = await import(\"../secrets/storage.js\");\n\n // 1. 
Per-user override: a user can paste their own key in settings to\n // overrule the org-shared one (handy for a personal sandbox).\n const userSecret = await readAppSecret({\n key,\n scope: \"user\",\n scopeId: email,\n });\n if (userSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} scope=user hit=true`,\n );\n }\n return { value: userSecret.value, source: \"user\" };\n }\n\n // 2. Per-org shared credential: when one teammate connects Builder\n // as an owner/admin we write the OAuth result at org scope so\n // every member of that org gets the AI chat working without\n // re-running the connect flow. Resolution falls back here\n // silently — the caller never has to know which scope answered.\n const orgId = getRequestOrgId();\n if (orgId) {\n scopeAttempted = \"org\";\n const orgSecret = await readAppSecret({\n key,\n scope: \"org\",\n scopeId: orgId,\n });\n if (orgSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=${orgId} scope=org hit=true`,\n );\n }\n return { value: orgSecret.value, source: \"org\" };\n }\n\n // Older setup flows wrote shared credentials at workspace scope.\n // Keep reading those rows so status UIs and runtime resolution agree\n // for users who connected before org-scoped Builder credentials existed.\n scopeAttempted = \"workspace\";\n const workspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: orgId,\n });\n if (workspaceSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=${orgId} scope=workspace hit=true`,\n );\n }\n return { value: workspaceSecret.value, source: \"workspace\" };\n }\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=${orgId} miss tried=user,org,workspace`,\n );\n }\n } else {\n scopeAttempted = \"workspace-solo\";\n const soloWorkspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: 
`solo:${email}`,\n });\n if (soloWorkspaceSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} scope=workspace-solo hit=true`,\n );\n }\n return { value: soloWorkspaceSecret.value, source: \"workspace\" };\n }\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=(none) miss tried=user,workspace-solo`,\n );\n }\n }\n } catch (err) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} scope=${scopeAttempted} error=${(err as Error)?.message ?? err}`,\n );\n }\n // Secrets table not ready — treat as missing.\n }\n return null;\n}\n\nasync function resolveScopedBuilderCredentials(): Promise<BuilderResolvedCredentials | null> {\n const email = getRequestUserEmail();\n if (!email) return null;\n\n const traceLookup = shouldTraceCredentialResolve();\n let scopeAttempted = \"user\";\n try {\n const { readAppSecret } = await import(\"../secrets/storage.js\");\n const traceScope = (creds: BuilderResolvedCredentials, scopeId: string) => {\n if (!traceLookup) return;\n console.log(\n `[builder-credential] scope=${creds.source} scopeId=${scopeId} email=${email} complete=${isCompleteBuilderConnection(creds)} private=${Boolean(creds.privateKey)} public=${Boolean(creds.publicKey)}`,\n );\n };\n\n const userCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"user\",\n email,\n );\n traceScope(userCreds, email);\n if (isCompleteBuilderConnection(userCreds)) return userCreds;\n\n const orgId = getRequestOrgId();\n if (orgId) {\n scopeAttempted = \"org\";\n const orgCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"org\",\n orgId,\n );\n traceScope(orgCreds, orgId);\n if (isCompleteBuilderConnection(orgCreds)) return orgCreds;\n\n scopeAttempted = \"workspace\";\n const workspaceCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"workspace\",\n orgId,\n );\n traceScope(workspaceCreds, orgId);\n if 
(isCompleteBuilderConnection(workspaceCreds)) return workspaceCreds;\n } else {\n scopeAttempted = \"workspace-solo\";\n const scopeId = `solo:${email}`;\n const workspaceCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"workspace\",\n scopeId,\n );\n traceScope(workspaceCreds, scopeId);\n if (isCompleteBuilderConnection(workspaceCreds)) return workspaceCreds;\n }\n } catch (err) {\n if (traceLookup) {\n console.log(\n `[builder-credential] email=${email} scope=${scopeAttempted} credentials error=${(err as Error)?.message ?? err}`,\n );\n }\n }\n return null;\n}\n\n/**\n * Resolve a Builder credential for the current request. User/org credentials\n * win; deployment env is only a fallback. This lets local/root .env keys keep\n * a template working while still allowing users to connect their own Builder\n * account from Settings or onboarding.\n */\nexport async function resolveBuilderCredential(\n key: string,\n): Promise<string | null> {\n const scoped = await resolveScopedBuilderCredential(key);\n if (scoped) return scoped.value;\n if (!canUseBuilderDeployCredentialFallbackForRequest()) return null;\n return readDeployCredentialEnv(key) ?? null;\n}\n\n/**\n * True when `BUILDER_PRIVATE_KEY` is set at the deployment level. This means\n * a deploy-level fallback exists; it does not prevent per-user connect.\n */\nexport function isBuilderEnvManaged(): boolean {\n return !!process.env.BUILDER_PRIVATE_KEY;\n}\n\n/**\n * Resolve the Builder private key for the current request. User/org OAuth\n * credentials win; deploy-level `BUILDER_PRIVATE_KEY` is the fallback.\n */\nexport async function resolveBuilderPrivateKey(): Promise<string | null> {\n return resolveBuilderCredential(\"BUILDER_PRIVATE_KEY\");\n}\n\n/**\n * Resolve the current user's Builder auth header.\n * Returns `\"Bearer <key>\"` or null.\n */\nexport async function resolveBuilderAuthHeader(): Promise<string | null> {\n const key = await resolveBuilderPrivateKey();\n return key ? 
`Bearer ${key}` : null;\n}\n\n/**\n * Check whether the current user has a Builder private key configured\n * (per-user or deployment-level).\n */\nexport async function resolveHasBuilderPrivateKey(): Promise<boolean> {\n return !!(await resolveBuilderPrivateKey());\n}\n\n/**\n * Check whether the current request has the complete Builder credential bundle\n * needed for Builder-backed assistant/image-generation calls.\n */\nexport async function resolveHasCompleteBuilderConnection(): Promise<boolean> {\n const creds = await resolveBuilderCredentials();\n return !!(creds.privateKey && creds.publicKey);\n}\n\n/**\n * Resolve where the effective Builder assistant connection came from. This\n * intentionally requires a complete private+public key pair from one scope so\n * status UIs don't report a mixed user/org credential set as connected.\n */\nexport async function resolveBuilderCredentialSource(): Promise<BuilderCredentialSource | null> {\n const scoped = await resolveScopedBuilderCredentials();\n if (scoped) return scoped.source;\n return canUseBuilderDeployCredentialFallbackForRequest() &&\n process.env.BUILDER_PRIVATE_KEY\n ? 
\"env\"\n : null;\n}\n\n/**\n * Resolve the Builder assistant credential bundle from one complete scope.\n * A partial user row is treated as a miss so the org-shared connection can\n * still power the assistant for teammates.\n */\nexport async function resolveBuilderCredentials(): Promise<{\n privateKey: string | null;\n publicKey: string | null;\n userId: string | null;\n orgName: string | null;\n orgKind: string | null;\n subscription: string | null;\n subscriptionLevel: string | null;\n subscriptionName: string | null;\n isEnterprise: boolean | null;\n isFreeAccount: boolean | null;\n}> {\n const scoped = await resolveScopedBuilderCredentials();\n if (scoped) {\n const {\n privateKey,\n publicKey,\n userId,\n orgName,\n orgKind,\n subscription,\n subscriptionLevel,\n subscriptionName,\n isEnterprise,\n isFreeAccount,\n } = scoped;\n return {\n privateKey,\n publicKey,\n userId,\n orgName,\n orgKind,\n subscription,\n subscriptionLevel,\n subscriptionName,\n isEnterprise,\n isFreeAccount,\n };\n }\n const privateKey = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_PRIVATE_KEY\") ?? null)\n : null;\n const publicKey = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_PUBLIC_KEY\") ?? null)\n : null;\n const userId = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_USER_ID\") ?? null)\n : null;\n const orgName = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_ORG_NAME\") ?? null)\n : null;\n const orgKind = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_ORG_KIND\") ?? null)\n : null;\n const subscription = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_SUBSCRIPTION\") ?? null)\n : null;\n const subscriptionLevel = canUseBuilderDeployCredentialFallbackForRequest()\n ? 
(readDeployCredentialEnv(\"BUILDER_SUBSCRIPTION_LEVEL\") ?? null)\n : null;\n const subscriptionName = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_SUBSCRIPTION_NAME\") ?? null)\n : null;\n const isEnterprise = canUseBuilderDeployCredentialFallbackForRequest()\n ? readOptionalBuilderBoolean(\n readDeployCredentialEnv(\"BUILDER_IS_ENTERPRISE\"),\n )\n : null;\n const isFreeAccount = canUseBuilderDeployCredentialFallbackForRequest()\n ? readOptionalBuilderBoolean(\n readDeployCredentialEnv(\"BUILDER_IS_FREE_ACCOUNT\"),\n )\n : null;\n return {\n privateKey,\n publicKey,\n userId,\n orgName,\n orgKind,\n subscription,\n subscriptionLevel,\n subscriptionName,\n isEnterprise,\n isFreeAccount,\n };\n}\n\nconst BUILDER_AUTH_FAILURE_SETTING_PREFIX = \"builder-auth-failure:\";\n\nexport interface BuilderCredentialAuthFailure {\n fingerprint: string;\n message: string;\n status?: number;\n code?: string;\n at: number;\n ownerEmail?: string | null;\n orgId?: string | null;\n}\n\nexport function builderCredentialFingerprint(\n privateKey?: string | null,\n publicKey?: string | null,\n): string | null {\n if (!privateKey || !publicKey) return null;\n return createHash(\"sha256\")\n .update(privateKey)\n .update(\"\\0\")\n .update(publicKey)\n .digest(\"hex\")\n .slice(0, 24);\n}\n\nfunction builderAuthFailureSettingKey(fingerprint: string): string {\n return `${BUILDER_AUTH_FAILURE_SETTING_PREFIX}${fingerprint}`;\n}\n\nexport async function getBuilderCredentialAuthFailure(\n creds: {\n privateKey?: string | null;\n publicKey?: string | null;\n } = {},\n): Promise<BuilderCredentialAuthFailure | null> {\n const fingerprint = builderCredentialFingerprint(\n creds.privateKey,\n creds.publicKey,\n );\n if (!fingerprint) return null;\n try {\n const { getSetting } = await import(\"../settings/store.js\");\n const row = await getSetting(builderAuthFailureSettingKey(fingerprint));\n if (!row) return null;\n return {\n fingerprint,\n 
message:\n typeof row.message === \"string\" && row.message\n ? row.message\n : \"Builder rejected the connected credentials. Reconnect Builder.io.\",\n status: typeof row.status === \"number\" ? row.status : undefined,\n code: typeof row.code === \"string\" ? row.code : undefined,\n at: typeof row.at === \"number\" ? row.at : Date.now(),\n ownerEmail:\n typeof row.ownerEmail === \"string\" ? row.ownerEmail : undefined,\n orgId: typeof row.orgId === \"string\" ? row.orgId : undefined,\n };\n } catch {\n return null;\n }\n}\n\nexport async function recordBuilderCredentialAuthFailure(details?: {\n status?: number;\n code?: string;\n message?: string;\n}): Promise<void> {\n try {\n const creds = await resolveBuilderCredentials();\n const fingerprint = builderCredentialFingerprint(\n creds.privateKey,\n creds.publicKey,\n );\n if (!fingerprint) return;\n const { putSetting } = await import(\"../settings/store.js\");\n await putSetting(builderAuthFailureSettingKey(fingerprint), {\n fingerprint,\n message:\n details?.message ||\n \"Builder rejected the connected credentials. Reconnect Builder.io.\",\n ...(typeof details?.status === \"number\" && { status: details.status }),\n ...(details?.code && { code: details.code }),\n at: Date.now(),\n ownerEmail: getRequestUserEmail() ?? null,\n orgId: getRequestOrgId() ?? 
null,\n });\n } catch {\n // Best-effort marker only; the chat error is still returned to the user.\n }\n}\n\nexport async function clearBuilderCredentialAuthFailure(creds: {\n privateKey?: string | null;\n publicKey?: string | null;\n}): Promise<void> {\n const fingerprint = builderCredentialFingerprint(\n creds.privateKey,\n creds.publicKey,\n );\n if (!fingerprint) return;\n try {\n const { deleteSetting } = await import(\"../settings/store.js\");\n await deleteSetting(builderAuthFailureSettingKey(fingerprint));\n } catch {\n // A stale failure marker should not block writing fresh credentials.\n }\n}\n\n/**\n * Write Builder credentials to `app_secrets`.\n *\n * Scope decision (see `resolveCredentialWriteScope`): when the connecting\n * user is owner/admin of an active org we write at `scope: \"org\"` so every\n * member of that org auto-resolves the credentials via\n * `resolveBuilderCredential`'s org fallback — no per-user re-connect\n * needed. A plain member or a user with no active org writes at\n * `scope: \"user\"` (the safe default that doesn't trample the org's shared\n * connection).\n *\n * Stale-credential cleanup: before writing the new values we (1) clear ALL\n * five BUILDER_* keys at the target scope, so optional fields the new\n * connection doesn't carry (e.g. user picked a Builder space that returns\n * no orgName) don't leave the previous connection's metadata behind, and\n * (2) when writing at org scope, also clear the writer's own user-scope\n * BUILDER_* rows so a stale personal override from an earlier connect\n * doesn't shadow the new org write on resolution (user scope wins org\n * scope by design — see `resolveScopedBuilderCredential`). The org-scope\n * row is intentionally left alone when writing at user scope: that row is\n * shared with the rest of the org and a single user's personal override\n * shouldn't blow it away. 
(Victoria's \"I signed in again with my Builder\n * space and it still says no credits\" report on 2026-05-11 was exactly\n * this stale-shadow case.)\n *\n * Returns the actual scope/scopeId used so the caller can show \"Connected\n * for Builder.io\" vs \"Connected (personal)\" in the UI.\n */\nexport async function writeBuilderCredentials(\n email: string,\n creds: {\n privateKey: string;\n publicKey: string;\n userId?: string | null;\n orgName?: string | null;\n orgKind?: string | null;\n subscription?: string | null;\n subscriptionLevel?: string | null;\n subscriptionName?: string | null;\n isEnterprise?: boolean | null;\n isFreeAccount?: boolean | null;\n },\n options?: { orgId?: string | null; role?: string | null },\n): Promise<{ scope: \"user\" | \"org\"; scopeId: string }> {\n const privateKey = creds.privateKey.trim();\n const publicKey = creds.publicKey.trim();\n if (!isBuilderPrivateKey(privateKey)) {\n throw new Error(\n \"Builder returned a credential that is not a Builder private key (expected bpk-...). Restart the Builder connect flow and choose a space that can issue a private key.\",\n );\n }\n if (!publicKey) {\n throw new Error(\n \"Builder did not return a public API key. Restart the Builder connect flow.\",\n );\n }\n\n const { writeAppSecret, deleteAppSecret } =\n await import(\"../secrets/storage.js\");\n const target = resolveCredentialWriteScope(\n email,\n options?.orgId ?? null,\n options?.role ?? null,\n );\n\n // Clear stale rows before writing the new connection. 
See the function's\n // doc comment for the two cases this handles.\n const cleanups: Array<Promise<unknown>> = BUILDER_CREDENTIAL_KEYS.map((key) =>\n deleteAppSecret({\n key,\n scope: target.scope,\n scopeId: target.scopeId,\n }).catch(() => {}),\n );\n if (target.scope === \"org\") {\n for (const key of BUILDER_CREDENTIAL_KEYS) {\n cleanups.push(\n deleteAppSecret({ key, scope: \"user\", scopeId: email }).catch(() => {}),\n );\n }\n }\n await Promise.all(cleanups);\n\n const entries: Array<{ key: string; value: string }> = [\n { key: \"BUILDER_PRIVATE_KEY\", value: privateKey },\n { key: \"BUILDER_PUBLIC_KEY\", value: publicKey },\n ];\n if (creds.userId) {\n entries.push({ key: \"BUILDER_USER_ID\", value: creds.userId });\n }\n if (creds.orgName) {\n entries.push({ key: \"BUILDER_ORG_NAME\", value: creds.orgName });\n }\n if (creds.orgKind) {\n entries.push({ key: \"BUILDER_ORG_KIND\", value: creds.orgKind });\n }\n if (creds.subscription) {\n entries.push({ key: \"BUILDER_SUBSCRIPTION\", value: creds.subscription });\n }\n if (creds.subscriptionLevel) {\n entries.push({\n key: \"BUILDER_SUBSCRIPTION_LEVEL\",\n value: creds.subscriptionLevel,\n });\n }\n if (creds.subscriptionName) {\n entries.push({\n key: \"BUILDER_SUBSCRIPTION_NAME\",\n value: creds.subscriptionName,\n });\n }\n if (typeof creds.isEnterprise === \"boolean\") {\n entries.push({\n key: \"BUILDER_IS_ENTERPRISE\",\n value: String(creds.isEnterprise),\n });\n }\n if (typeof creds.isFreeAccount === \"boolean\") {\n entries.push({\n key: \"BUILDER_IS_FREE_ACCOUNT\",\n value: String(creds.isFreeAccount),\n });\n }\n await Promise.all(\n entries.map(({ key, value }) =>\n writeAppSecret({\n key,\n value,\n scope: target.scope,\n scopeId: target.scopeId,\n }),\n ),\n );\n await clearBuilderCredentialAuthFailure({\n privateKey,\n publicKey,\n });\n return target;\n}\n\n/**\n * Delete Builder credentials.\n *\n * Default behaviour: clears only this user's per-user override (so a\n * member can disconnect 
their personal Builder identity without\n * collapsing the org-wide connection for every teammate). To revoke the\n * org's shared connection, pass `{ orgId, role }` for an owner/admin —\n * matching the same authority gate `writeBuilderCredentials` uses on\n * write. Plain members can never reach the org-scoped row.\n */\nexport async function deleteBuilderCredentials(\n email: string,\n options?: { orgId?: string | null; role?: string | null },\n): Promise<{ scope: \"user\" | \"org\"; scopeId: string }> {\n const { deleteAppSecret } = await import(\"../secrets/storage.js\");\n const target = resolveCredentialWriteScope(\n email,\n options?.orgId ?? null,\n options?.role ?? null,\n );\n await Promise.all(\n BUILDER_CREDENTIAL_KEYS.map((key) =>\n deleteAppSecret({\n key,\n scope: target.scope,\n scopeId: target.scopeId,\n }).catch(() => {}),\n ),\n );\n return target;\n}\n\n// ---------------------------------------------------------------------------\n// Generic request-scoped secret resolution\n//\n// New consumers should prefer this over reading `process.env.X` directly.\n// User-pasted and shared secrets live in `app_secrets` (encrypted). The\n// settings UI / onboarding panels can write user, org, or workspace rows.\n// Deploy-level env vars are the fallback for unauthenticated/CLI/background\n// contexts where there's no user to scope by — never the silent fallback\n// for an authenticated request, since on a multi-tenant deploy that would\n// silently identify every user as whoever set the deploy-level key\n// (KVesta Space, 2026-04).\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve a request-scoped secret. 
Reads from `app_secrets` first (current\n * user override, active org, then workspace row); falls back to `process.env`\n * only when the deploy fallback policy allows it.\n */\nexport async function resolveSecret(key: string): Promise<string | null> {\n const traceLookup = shouldTraceCredentialResolve();\n const email = getRequestUserEmail();\n if (email) {\n try {\n const { readAppSecret } = await import(\"../secrets/storage.js\");\n // Per-user override first.\n const userSecret = await readAppSecret({\n key,\n scope: \"user\",\n scopeId: email,\n });\n if (userSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} scope=user hit=true`,\n );\n }\n return userSecret.value;\n }\n\n const orgId = getRequestOrgId();\n if (orgId) {\n // Fall back to the active org's shared row, when present. Builder\n // Connect uses this first-class org scope.\n const orgSecret = await readAppSecret({\n key,\n scope: \"org\",\n scopeId: orgId,\n });\n if (orgSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} orgId=${orgId} scope=org hit=true`,\n );\n }\n return orgSecret.value;\n }\n\n // Registered secrets historically used \"workspace\" scope for\n // org-shared configuration. 
Keep reading it so Settings status and\n // runtime resolution agree.\n const workspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: orgId,\n });\n if (workspaceSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} orgId=${orgId} scope=workspace hit=true`,\n );\n }\n return workspaceSecret.value;\n }\n } else {\n const soloWorkspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: `solo:${email}`,\n });\n if (soloWorkspaceSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} scope=workspace-solo hit=true`,\n );\n }\n return soloWorkspaceSecret.value;\n }\n }\n } catch (err) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} scope=error err=${(err as Error)?.message ?? err}`,\n );\n }\n // Secrets table not ready — treat as missing.\n }\n // Authenticated multi-tenant context: never fall back to process.env.\n // The deploy-level value would silently impersonate the actual key\n // owner across every tenant. Local/single-tenant deployments keep the\n // original env fallback for BYO-server workflows.\n const envFallback = (\n isBuilderCredentialKey(key)\n ? canUseBuilderDeployCredentialFallbackForRequest()\n : canUseDeployCredentialFallbackForRequest()\n )\n ? process.env[key] || null\n : null;\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} orgId=${getRequestOrgId() ?? \"(none)\"} scope=${envFallback ? 
\"env-fallback\" : \"none\"} hit=${!!envFallback}`,\n );\n }\n return envFallback;\n }\n // Unauthenticated / local-dev / CLI / background context: env fallback\n // is safe because there's no user to mis-identify.\n const value = process.env[key] || null;\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=(none) scope=env-anonymous hit=${!!value}`,\n );\n }\n return value;\n}\n\n// ---------------------------------------------------------------------------\n// Synchronous helpers — env-only fallbacks for contexts where per-user\n// lookup isn't possible (sync isConfigured checks, CLI scripts).\n// ---------------------------------------------------------------------------\n\n/**\n * True when a Builder private key is configured at the deployment level.\n *\n * This is the same env-only check as `isBuilderEnvManaged()`. For \"does this\n * request have access to Builder via user/org/env credentials?\" use the async\n * `resolveHasBuilderPrivateKey()`.\n */\nexport function hasBuilderPrivateKey(): boolean {\n return !!process.env.BUILDER_PRIVATE_KEY;\n}\n\n/** The origin for Builder-proxied API calls. Overridable for testing. 
*/\nexport function getBuilderProxyOrigin(): string {\n return (\n process.env.BUILDER_PROXY_ORIGIN ||\n process.env.AIR_HOST ||\n process.env.BUILDER_API_HOST ||\n \"https://api.builder.io\"\n );\n}\n\n/**\n * Base URL for the public Builder LLM gateway, which lives at\n * api.builder.io/agent-native/gateway.\n * Override via BUILDER_GATEWAY_BASE_URL for staging / testing.\n */\nexport function getBuilderGatewayBaseUrl(): string {\n return (\n process.env.BUILDER_GATEWAY_BASE_URL ||\n \"https://api.builder.io/agent-native/gateway/v1\"\n );\n}\n\n/**\n * Base URL for Builder-managed image generation.\n * Override via BUILDER_IMAGE_GENERATION_BASE_URL for staging / testing.\n */\nexport function getBuilderImageGenerationBaseUrl(): string {\n return (\n process.env.BUILDER_IMAGE_GENERATION_BASE_URL ||\n \"https://api.builder.io/agent-native/images/v1\"\n );\n}\n\n/**\n * Base URL for Builder-managed web search.\n * Override via BUILDER_WEB_SEARCH_BASE_URL for staging / testing.\n */\nexport function getBuilderWebSearchBaseUrl(): string {\n return (\n process.env.BUILDER_WEB_SEARCH_BASE_URL ||\n \"https://api.builder.io/agent-native/web-search/v1\"\n );\n}\n\n/** Authorization header value for Builder-proxied calls (env-only). */\nexport function getBuilderAuthHeader(): string | null {\n const key = process.env.BUILDER_PRIVATE_KEY;\n return key ? `Bearer ${key}` : null;\n}\n"]}
1
+ {"version":3,"file":"credential-provider.js","sourceRoot":"","sources":["../../src/server/credential-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC5E,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD;;;;;;;;GAQG;AACH,MAAM,UAAU,2BAA2B,CACzC,KAAa,EACb,KAAgC,EAChC,IAA+B;IAE/B,IAAI,KAAK,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,OAAO,CAAC,EAAE,CAAC;QACpD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC1C,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC3C,CAAC;AAED,MAAM,OAAO,yBAA0B,SAAQ,KAAK;IACzC,kBAAkB,CAAS;IAC3B,iBAAiB,CAAU;IAC3B,WAAW,CAAU;IAE9B,YAAY,IAKX;QACC,KAAK,CACH,IAAI,CAAC,OAAO;YACV,gCAAgC,IAAI,CAAC,kBAAkB,yCAAyC,CACnG,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;QACxC,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,CAAC;QAClD,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAChD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;IACtC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAW;IACjD,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iCAAiC;IAC/C,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IACvD,OAAO,eAAe,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,wCAAwC;IACtD,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,KAAK,IAAI,wBAAwB,EAAE;QAAE,OAAO,KAAK,CAAC;IACtD,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,OAAO,iCAAiC,EAAE,CAAC;AAC7C,CAAC;AAED,MAAM,uBAAuB,GAAG;IAC9B,qBAAqB;IACrB,oBAAoB;IACpB,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;IAClB,sBAAsB;IACtB,4BAA4B;IAC5B,2BAA2B;IAC3B,uBAAuB;IACvB,yBAAyB;CACjB,CAAC;AAEX,SAAS,sBAAsB,CAAC,GAAW;IACzC,OAAQ,uBAA6C,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,wBAAwB;IAC/B,MAAM,gBAAgB,GAAG,OAAO,CAC9B,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAC7B,OAAO,CAAC,GAAG,CAAC,sBAAsB,CACnC,CAAC;IACF,OAAO,CACL,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,EAAE,CAAC;QAC5D,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,EAAE,CAAC;QACjE,gBAAgB,CACjB,CAAC;AACJ,CAAC
;AAED,SAAS,+CAA+C;IACtD,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,4EAA4E;IAC5E,4EAA4E;IAC5E,yEAAyE;IACzE,+CAA+C;IAC/C,IAAI,KAAK,IAAI,wBAAwB,EAAE;QAAE,OAAO,KAAK,CAAC;IACtD,OAAO,wCAAwC,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,4BAA4B;IACnC,OAAO,aAAa,CAAC,IAAI,CACvB,OAAO,CAAC,GAAG,CAAC,qCAAqC;QAC/C,OAAO,CAAC,GAAG,CAAC,wBAAwB;QACpC,EAAE,CACL,CAAC;AACJ,CAAC;AAgCD,SAAS,2BAA2B,CAAC,KAAiC;IACpE,OAAO,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,0BAA0B,CACjC,KAAgC;IAEhC,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IAC/C,OAAO,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAAgC;IAClE,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AACtE,CAAC;AAED,KAAK,UAAU,0BAA0B,CACvC,aAAmE,EACnE,KAAmC,EACnC,OAAe;IAEf,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAC9B,uBAAuB,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACxC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,IAAI,IAAI,CAAU,CAAC;IAC/C,CAAC,CAAC,CACH,CAAC;IACF,MAAM,GAAG,GAAG,IAAI,GAAG,CAAwB,MAAM,CAAC,CAAC;IACnD,OAAO;QACL,UAAU,EAAE,GAAG,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,IAAI;QAClD,SAAS,EAAE,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,IAAI;QAChD,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,IAAI;QAC1C,OAAO,EAAE,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,IAAI;QAC5C,OAAO,EAAE,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,IAAI;QAC5C,YAAY,EAAE,GAAG,CAAC,GAAG,CAAC,sBAAsB,CAAC,IAAI,IAAI;QACrD,iBAAiB,EAAE,GAAG,CAAC,GAAG,CAAC,4BAA4B,CAAC,IAAI,IAAI;QAChE,gBAAgB,EAAE,GAAG,CAAC,GAAG,CAAC,2BAA2B,CAAC,IAAI,IAAI;QAC9D,YAAY,EAAE,0BAA0B,CAAC,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QAC1E,aAAa,EAAE,0BAA0B,CACvC,GAAG,CAAC,GAAG,CAAC,yBAAyB,CAAC,CACnC;QACD,MAAM,EAAE,KAAK,KAAK,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK;KACpD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,8BAA8B,CAC3C,GAAW;IAEX,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,yEAAyE;IACzE,sEAAsE;IACtE,MAAM,WAAW,GAAG,4BAA4B,EAAE,CAAC;IACnD,IAAI,cAAc,GAAG,MAAM,C
AAC;IAC5B,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;QAEhE,sEAAsE;QACtE,iEAAiE;QACjE,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC;YACrC,GAAG;YACH,KAAK,EAAE,MAAM;YACb,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QACH,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,sBAAsB,CACrE,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACrD,CAAC;QAED,mEAAmE;QACnE,iEAAiE;QACjE,+DAA+D;QAC/D,6DAA6D;QAC7D,mEAAmE;QACnE,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,IAAI,KAAK,EAAE,CAAC;YACV,cAAc,GAAG,KAAK,CAAC;YACvB,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC;gBACpC,GAAG;gBACH,KAAK,EAAE,KAAK;gBACZ,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,SAAS,EAAE,CAAC;gBACd,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,KAAK,qBAAqB,CACnF,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YACnD,CAAC;YAED,iEAAiE;YACjE,qEAAqE;YACrE,yEAAyE;YACzE,cAAc,GAAG,WAAW,CAAC;YAC7B,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC;gBAC1C,GAAG;gBACH,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,eAAe,EAAE,CAAC;gBACpB,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,KAAK,2BAA2B,CACzF,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;YAC/D,CAAC;YACD,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,UAAU,KAAK,gCAAgC,CAC9F,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,cAAc,GAAG,gBAAgB,CAAC;YAClC,MAAM,mBAAmB,GAAG,MAAM,aAAa,CAAC;gBAC9C,GAAG;gBACH,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,QAAQ,KAAK,EAAE;aACzB,CAAC,CAAC;YACH,IAAI,mBAAmB,EAAE,CAAC;gBACxB,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,gCAAgC,CAC/E,CAAC;gBACJ,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;YACnE,CAAC;YACD,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK,8CAA8C,CAC7F,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,4BAA4B,GAAG,UAAU,KAAK
,UAAU,cAAc,UAAW,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CACjH,CAAC;QACJ,CAAC;QACD,8CAA8C;IAChD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,+BAA+B;IAC5C,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,WAAW,GAAG,4BAA4B,EAAE,CAAC;IACnD,IAAI,cAAc,GAAG,MAAM,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;QAChE,MAAM,UAAU,GAAG,CAAC,KAAiC,EAAE,OAAe,EAAE,EAAE;YACxE,IAAI,CAAC,WAAW;gBAAE,OAAO;YACzB,OAAO,CAAC,GAAG,CACT,8BAA8B,KAAK,CAAC,MAAM,YAAY,OAAO,UAAU,KAAK,aAAa,2BAA2B,CAAC,KAAK,CAAC,YAAY,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,WAAW,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CACtM,CAAC;QACJ,CAAC,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,0BAA0B,CAChD,aAAa,EACb,MAAM,EACN,KAAK,CACN,CAAC;QACF,UAAU,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC7B,IAAI,2BAA2B,CAAC,SAAS,CAAC;YAAE,OAAO,SAAS,CAAC;QAE7D,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,IAAI,KAAK,EAAE,CAAC;YACV,cAAc,GAAG,KAAK,CAAC;YACvB,MAAM,QAAQ,GAAG,MAAM,0BAA0B,CAC/C,aAAa,EACb,KAAK,EACL,KAAK,CACN,CAAC;YACF,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;YAC5B,IAAI,2BAA2B,CAAC,QAAQ,CAAC;gBAAE,OAAO,QAAQ,CAAC;YAE3D,cAAc,GAAG,WAAW,CAAC;YAC7B,MAAM,cAAc,GAAG,MAAM,0BAA0B,CACrD,aAAa,EACb,WAAW,EACX,KAAK,CACN,CAAC;YACF,UAAU,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;YAClC,IAAI,2BAA2B,CAAC,cAAc,CAAC;gBAAE,OAAO,cAAc,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,cAAc,GAAG,gBAAgB,CAAC;YAClC,MAAM,OAAO,GAAG,QAAQ,KAAK,EAAE,CAAC;YAChC,MAAM,cAAc,GAAG,MAAM,0BAA0B,CACrD,aAAa,EACb,WAAW,EACX,OAAO,CACR,CAAC;YACF,UAAU,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;YACpC,IAAI,2BAA2B,CAAC,cAAc,CAAC;gBAAE,OAAO,cAAc,CAAC;QACzE,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,8BAA8B,KAAK,UAAU,cAAc,sBAAuB,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CAClH,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,GAAW;IAEX,MAAM,MAAM,GAAG,MAAM,8BAA8B,CAAC,GAAG,CAAC,CAAC;IACzD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,KAAK,CAAC;IAChC,IAAI,CAAC,+CAA+C,EAAE;QAAE,OAAO,IAAI,CAAC;IACpE,OAAO,uBAAuB,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;AAC9C,CAAC;A
AED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AAC3C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,OAAO,wBAAwB,CAAC,qBAAqB,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,MAAM,GAAG,GAAG,MAAM,wBAAwB,EAAE,CAAC;IAC7C,OAAO,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,OAAO,CAAC,CAAC,CAAC,MAAM,wBAAwB,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,mCAAmC;IACvD,MAAM,KAAK,GAAG,MAAM,yBAAyB,EAAE,CAAC;IAChD,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B;IAClD,MAAM,MAAM,GAAG,MAAM,+BAA+B,EAAE,CAAC;IACvD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,MAAM,CAAC;IACjC,OAAO,+CAA+C,EAAE;QACtD,OAAO,CAAC,GAAG,CAAC,mBAAmB;QAC/B,CAAC,CAAC,KAAK;QACP,CAAC,CAAC,IAAI,CAAC;AACX,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB;IAY7C,MAAM,MAAM,GAAG,MAAM,+BAA+B,EAAE,CAAC;IACvD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,EACJ,UAAU,EACV,SAAS,EACT,MAAM,EACN,OAAO,EACP,OAAO,EACP,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,YAAY,EACZ,aAAa,GACd,GAAG,MAAM,CAAC;QACX,OAAO;YACL,UAAU;YACV,SAAS;YACT,MAAM;YACN,OAAO;YACP,OAAO;YACP,YAAY;YACZ,iBAAiB;YACjB,gBAAgB;YAChB,YAAY;YACZ,aAAa;SACd,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,+CAA+C,EAAE;QAClE,CAAC,CAAC,CAAC,uBAAuB,CAAC,qBAAqB,CAAC,IAAI,IAAI,CAAC;QAC1D,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,SAAS,GAAG,+CAA+C,EAAE;QACjE,CAAC,CAAC,CAAC,uBAAuB,CAAC,oBAAoB,CAAC,IAAI,IAAI,CAAC;QACzD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,MAAM,GAAG,+CAA+C,EAAE;QAC9D,CAAC,CAAC,CAAC,uBAAuB,CAAC,iBAAiB,CAAC,IAAI,IAAI,CAAC;QACtD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,OAAO,GAAG,+CAA+C,EAAE;QAC/D,CAAC,CAAC,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,IAAI,IAAI,CAAC;QACvD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,OAAO,GAAG,+CAA+C,EAAE;QAC/D,CAAC,CAAC,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,IAAI,IAAI,CAAC;QACvD,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,YAAY,GAAG,+CAA+C,EAAE;QACpE,CAAC,CAAC,CAAC,uBAAuB,CAAC,sBAAsB,CAAC,IAAI,IAAI,CAAC;QAC3D,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,iBAAiB,GAAG,
+CAA+C,EAAE;QACzE,CAAC,CAAC,CAAC,uBAAuB,CAAC,4BAA4B,CAAC,IAAI,IAAI,CAAC;QACjE,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,gBAAgB,GAAG,+CAA+C,EAAE;QACxE,CAAC,CAAC,CAAC,uBAAuB,CAAC,2BAA2B,CAAC,IAAI,IAAI,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,YAAY,GAAG,+CAA+C,EAAE;QACpE,CAAC,CAAC,0BAA0B,CACxB,uBAAuB,CAAC,uBAAuB,CAAC,CACjD;QACH,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,aAAa,GAAG,+CAA+C,EAAE;QACrE,CAAC,CAAC,0BAA0B,CACxB,uBAAuB,CAAC,yBAAyB,CAAC,CACnD;QACH,CAAC,CAAC,IAAI,CAAC;IACT,OAAO;QACL,UAAU;QACV,SAAS;QACT,MAAM;QACN,OAAO;QACP,OAAO;QACP,YAAY;QACZ,iBAAiB;QACjB,gBAAgB;QAChB,YAAY;QACZ,aAAa;KACd,CAAC;AACJ,CAAC;AAED,MAAM,mCAAmC,GAAG,uBAAuB,CAAC;AAYpE,MAAM,UAAU,4BAA4B,CAC1C,UAA0B,EAC1B,SAAyB;IAEzB,IAAI,CAAC,UAAU,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,UAAU,CAAC;SAClB,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,SAAS,CAAC;SACjB,MAAM,CAAC,KAAK,CAAC;SACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,4BAA4B,CAAC,WAAmB;IACvD,OAAO,GAAG,mCAAmC,GAAG,WAAW,EAAE,CAAC;AAChE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,QAGI,EAAE;IAEN,MAAM,WAAW,GAAG,4BAA4B,CAC9C,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,SAAS,CAChB,CAAC;IACF,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC5D,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,4BAA4B,CAAC,WAAW,CAAC,CAAC,CAAC;QACxE,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO;YACL,WAAW;YACX,OAAO,EACL,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,IAAI,GAAG,CAAC,OAAO;gBAC5C,CAAC,CAAC,GAAG,CAAC,OAAO;gBACb,CAAC,CAAC,mEAAmE;YACzE,MAAM,EAAE,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YAC/D,IAAI,EAAE,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;YACzD,EAAE,EAAE,OAAO,GAAG,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE;YACpD,UAAU,EACR,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YACjE,KAAK,EAAE,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;SAC7D,CAAC;IACJ,CAA
C;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kCAAkC,CAAC,OAIxD;IACC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,yBAAyB,EAAE,CAAC;QAChD,MAAM,WAAW,GAAG,4BAA4B,CAC9C,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,SAAS,CAChB,CAAC;QACF,IAAI,CAAC,WAAW;YAAE,OAAO;QACzB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC5D,MAAM,UAAU,CAAC,4BAA4B,CAAC,WAAW,CAAC,EAAE;YAC1D,WAAW;YACX,OAAO,EACL,OAAO,EAAE,OAAO;gBAChB,mEAAmE;YACrE,GAAG,CAAC,OAAO,OAAO,EAAE,MAAM,KAAK,QAAQ,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC;YACtE,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC;YAC5C,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;YACd,UAAU,EAAE,mBAAmB,EAAE,IAAI,IAAI;YACzC,KAAK,EAAE,eAAe,EAAE,IAAI,IAAI;SACjC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,yEAAyE;IAC3E,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iCAAiC,CAAC,KAGvD;IACC,MAAM,WAAW,GAAG,4BAA4B,CAC9C,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,SAAS,CAChB,CAAC;IACF,IAAI,CAAC,WAAW;QAAE,OAAO;IACzB,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC/D,MAAM,aAAa,CAAC,4BAA4B,CAAC,WAAW,CAAC,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,qEAAqE;IACvE,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,KAAa,EACb,KAWC,EACD,OAAyD;IAEzD,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;IACzC,IAAI,CAAC,mBAAmB,CAAC,UAAU,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,uKAAuK,CACxK,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,4EAA4E,CAC7E,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,cAAc,EAAE,eAAe,EAAE,GACvC,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,2BAA2B,CACxC,KAAK,EACL,OAAO,EAAE,KAAK,IAAI,IAAI,EACtB,OAAO,EAAE,IAAI,IAAI,IAAI,CACtB,CAAC;IAEF,yEAAyE;IACzE,8CAA8C;IAC9C,MAAM,QAAQ,GAA4B,uBAAuB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAC5E,eAAe,CAAC;QACd,GAAG;QACH,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACnB,CAAC;IACF,IAAI,MAAM,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QAC3B,KA
AK,MAAM,GAAG,IAAI,uBAAuB,EAAE,CAAC;YAC1C,QAAQ,CAAC,IAAI,CACX,eAAe,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACxE,CAAC;QACJ,CAAC;IACH,CAAC;IACD,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAE5B,MAAM,OAAO,GAA0C;QACrD,EAAE,GAAG,EAAE,qBAAqB,EAAE,KAAK,EAAE,UAAU,EAAE;QACjD,EAAE,GAAG,EAAE,oBAAoB,EAAE,KAAK,EAAE,SAAS,EAAE;KAChD,CAAC;IACF,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;QAC5B,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,4BAA4B;YACjC,KAAK,EAAE,KAAK,CAAC,iBAAiB;SAC/B,CAAC,CAAC;IACL,CAAC;IACD,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC3B,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,2BAA2B;YAChC,KAAK,EAAE,KAAK,CAAC,gBAAgB;SAC9B,CAAC,CAAC;IACL,CAAC;IACD,IAAI,OAAO,KAAK,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,uBAAuB;YAC5B,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC;SAClC,CAAC,CAAC;IACL,CAAC;IACD,IAAI,OAAO,KAAK,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,yBAAyB;YAC9B,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC;SACnC,CAAC,CAAC;IACL,CAAC;IACD,MAAM,OAAO,CAAC,GAAG,CACf,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,CAC7B,cAAc,CAAC;QACb,GAAG;QACH,KAAK;QACL,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CACH,CACF,CAAC;IACF,MAAM,iCAAiC,CAAC;QACtC,UAAU;QACV,SAAS;KACV,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,KAAa,EACb,OAAyD;IAEzD,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAA
C,CAAC;IAClE,MAAM,MAAM,GAAG,2BAA2B,CACxC,KAAK,EACL,OAAO,EAAE,KAAK,IAAI,IAAI,EACtB,OAAO,EAAE,IAAI,IAAI,IAAI,CACtB,CAAC;IACF,MAAM,OAAO,CAAC,GAAG,CACf,uBAAuB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAClC,eAAe,CAAC;QACd,GAAG;QACH,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACnB,CACF,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,2CAA2C;AAC3C,EAAE;AACF,0EAA0E;AAC1E,wEAAwE;AACxE,0EAA0E;AAC1E,4EAA4E;AAC5E,yEAAyE;AACzE,0EAA0E;AAC1E,mEAAmE;AACnE,2BAA2B;AAC3B,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAW;IAC7C,MAAM,WAAW,GAAG,4BAA4B,EAAE,CAAC;IACnD,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;YAChE,2BAA2B;YAC3B,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC;gBACrC,GAAG;gBACH,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,UAAU,EAAE,KAAK,EAAE,CAAC;gBACtB,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,sBAAsB,CACjE,CAAC;gBACJ,CAAC;gBACD,OAAO,UAAU,CAAC,KAAK,CAAC;YAC1B,CAAC;YAED,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;YAChC,IAAI,KAAK,EAAE,CAAC;gBACV,kEAAkE;gBAClE,2CAA2C;gBAC3C,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC;oBACpC,GAAG;oBACH,KAAK,EAAE,KAAK;oBACZ,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;gBACH,IAAI,SAAS,EAAE,KAAK,EAAE,CAAC;oBACrB,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,UAAU,KAAK,qBAAqB,CAC/E,CAAC;oBACJ,CAAC;oBACD,OAAO,SAAS,CAAC,KAAK,CAAC;gBACzB,CAAC;gBAED,6DAA6D;gBAC7D,mEAAmE;gBACnE,4BAA4B;gBAC5B,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC;oBAC1C,GAAG;oBACH,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;gBACH,IAAI,eAAe,EAAE,KAAK,EAAE,CAAC;oBAC3B,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,UAAU,KAAK,2BAA2B,CACrF,CAAC;oBACJ,CAAC;oBACD,OAAO,eAAe,CAAC,KAAK,CAAC;gBAC/B,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,mBAAmB,GAAG,MAAM,aAAa,CAAC;oBAC9C,GAAG;oBACH,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,QAAQ,KAAK,EAAE;iBACzB,CAAC,CAAC;gBACH,IAAI,mBAAmB,EAAE,KAAK,EAAE,CAAC;oBAC/B,IAAI,WAAW,EAAE,CAAC;wB
AChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,gCAAgC,CAC3E,CAAC;oBACJ,CAAC;oBACD,OAAO,mBAAmB,CAAC,KAAK,CAAC;gBACnC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,oBAAqB,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CAC/F,CAAC;YACJ,CAAC;YACD,8CAA8C;QAChD,CAAC;QACD,sEAAsE;QACtE,mEAAmE;QACnE,sEAAsE;QACtE,kDAAkD;QAClD,MAAM,WAAW,GAAG,CAClB,sBAAsB,CAAC,GAAG,CAAC;YACzB,CAAC,CAAC,+CAA+C,EAAE;YACnD,CAAC,CAAC,wCAAwC,EAAE,CAC/C;YACC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI;YAC1B,CAAC,CAAC,IAAI,CAAC;QACT,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,UAAU,KAAK,UAAU,eAAe,EAAE,IAAI,QAAQ,UAAU,WAAW,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,QAAQ,CAAC,CAAC,WAAW,EAAE,CACxJ,CAAC;QACJ,CAAC;QACD,OAAO,WAAW,CAAC;IACrB,CAAC;IACD,uEAAuE;IACvE,mDAAmD;IACnD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IACvC,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CACT,wBAAwB,GAAG,yCAAyC,CAAC,CAAC,KAAK,EAAE,CAC9E,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,uEAAuE;AACvE,iEAAiE;AACjE,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AAC3C,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,qBAAqB;IACnC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,OAAO,CAAC,GAAG,CAAC,QAAQ;QACpB,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,wBAAwB,CACzB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,wBAAwB;QACpC,gDAAgD,CACjD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gCAAgC;IAC9C,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,iCAAiC;QAC7C,+CAA+C,CAChD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,2BAA2B;QACvC,mDAAmD,CACpD,CAAC;AACJ,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,oBAAoB;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC5C,OAAO,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC","sourcesContent":["/**\n * Credential provider abstraction.\n *\n * Every feature that needs an external credential (Anthropic API key,\n * 
Google OAuth tokens, OpenAI key, Slack bot token, etc.) should go through\n * one of the resolve*() helpers here instead of reading `process.env`\n * directly. That way the same feature can work in three modes:\n *\n * 1. User set their own key in .env → use it directly\n * 2. User connected Builder via `/cli-auth` → route through Builder proxy\n * 3. Neither → throw FeatureNotConfigured\n *\n * Templates catch FeatureNotConfigured and show a \"Connect Builder (1 click) /\n * set up your own key (guide)\" card.\n *\n * Today these helpers are used by the Builder-hosted LLM gateway, and the\n * shape is meant to grow to cover future managed credential integrations\n * (e.g. additional Builder-hosted services) without rewrites.\n */\n\nimport { createHash } from \"node:crypto\";\nimport { getRequestUserEmail, getRequestOrgId } from \"./request-context.js\";\nimport { isLocalDatabase } from \"../db/client.js\";\n\n/**\n * Decide which `app_secrets` scope a Builder/credential write should use.\n *\n * Org scope (\"everyone in this org sees these credentials\") wins when the\n * connecting user is an owner or admin of an active org — the write\n * privileges shared infra. 
A plain member or a user without an active\n * org falls through to per-user scope so a teammate can't silently\n * overwrite the org-shared connection.\n */\nexport function resolveCredentialWriteScope(\n email: string,\n orgId: string | null | undefined,\n role: string | null | undefined,\n): { scope: \"user\" | \"org\"; scopeId: string } {\n if (orgId && (role === \"owner\" || role === \"admin\")) {\n return { scope: \"org\", scopeId: orgId };\n }\n return { scope: \"user\", scopeId: email };\n}\n\nexport class FeatureNotConfiguredError extends Error {\n readonly requiredCredential: string;\n readonly builderConnectUrl?: string;\n readonly byokDocsUrl?: string;\n\n constructor(opts: {\n requiredCredential: string;\n message?: string;\n builderConnectUrl?: string;\n byokDocsUrl?: string;\n }) {\n super(\n opts.message ??\n `Feature requires credential \"${opts.requiredCredential}\". Connect Builder or set your own key.`,\n );\n this.name = \"FeatureNotConfiguredError\";\n this.requiredCredential = opts.requiredCredential;\n this.builderConnectUrl = opts.builderConnectUrl;\n this.byokDocsUrl = opts.byokDocsUrl;\n }\n}\n\n/**\n * Deployment-level credential fallback for single-tenant/local operation.\n * Multi-tenant call sites must gate this explicitly before calling.\n */\nexport function readDeployCredentialEnv(key: string): string | undefined {\n return process.env[key] || undefined;\n}\n\n/**\n * Deployment-level credentials are safe as a runtime fallback only in local /\n * single-tenant contexts. 
In hosted production with a shared database, every\n * signed-in user needs their own user/org/workspace credential so one deploy\n * key does not silently power another tenant's chat.\n */\nexport function isDeployCredentialFallbackAllowed(): boolean {\n if (process.env.NODE_ENV !== \"production\") return true;\n return isLocalDatabase();\n}\n\nexport function canUseDeployCredentialFallbackForRequest(): boolean {\n const email = getRequestUserEmail();\n if (email && isHostedWorkspaceRuntime()) return false;\n if (!email) return true;\n return isDeployCredentialFallbackAllowed();\n}\n\nconst BUILDER_CREDENTIAL_KEYS = [\n \"BUILDER_PRIVATE_KEY\",\n \"BUILDER_PUBLIC_KEY\",\n \"BUILDER_USER_ID\",\n \"BUILDER_ORG_NAME\",\n \"BUILDER_ORG_KIND\",\n \"BUILDER_SUBSCRIPTION\",\n \"BUILDER_SUBSCRIPTION_LEVEL\",\n \"BUILDER_SUBSCRIPTION_NAME\",\n \"BUILDER_IS_ENTERPRISE\",\n \"BUILDER_IS_FREE_ACCOUNT\",\n] as const;\n\nfunction isBuilderCredentialKey(key: string): boolean {\n return (BUILDER_CREDENTIAL_KEYS as readonly string[]).includes(key);\n}\n\nfunction isHostedWorkspaceRuntime(): boolean {\n const hasFusionPreview = Boolean(\n process.env.FUSION_ENVIRONMENT ||\n process.env.FUSION_ENV_ORIGIN ||\n process.env.VITE_FUSION_ENV_ORIGIN,\n );\n return (\n /^(1|true)$/i.test(process.env.AGENT_NATIVE_WORKSPACE ?? \"\") ||\n /^(1|true)$/i.test(process.env.VITE_AGENT_NATIVE_WORKSPACE ?? \"\") ||\n hasFusionPreview\n );\n}\n\nfunction canUseBuilderDeployCredentialFallbackForRequest(): boolean {\n const email = getRequestUserEmail();\n // Builder workspace previews can run with NODE_ENV=development and their DB\n // detection can look local during early startup. 
Once a real signed-in user\n // is present, hosted workspace flags are enough to make deployment-level\n // Builder keys unsafe as an identity fallback.\n if (email && isHostedWorkspaceRuntime()) return false;\n return canUseDeployCredentialFallbackForRequest();\n}\n\nfunction shouldTraceCredentialResolve(): boolean {\n return /^(1|true)$/i.test(\n process.env.AGENT_NATIVE_DEBUG_CREDENTIAL_RESOLVE ??\n process.env.DEBUG_CREDENTIAL_RESOLVE ??\n \"\",\n );\n}\n\n// ---------------------------------------------------------------------------\n// Builder credential resolution:\n//\n// 1. **Request-scoped credentials.** A signed-in user can connect Builder\n// through the CLI-auth flow. Owner/admin connections land at org scope;\n// member/no-org connections land at user scope.\n//\n// 2. **Deployment fallback.** BUILDER_PRIVATE_KEY in env still makes local\n// and single-tenant deploys work out of the box, but it no longer blocks\n// per-user connect. Request-scoped credentials win whenever present.\n//\n// To run multi-tenant SaaS: prefer leaving BUILDER_PRIVATE_KEY unset unless a\n// shared fallback identity is intentional.\n// ---------------------------------------------------------------------------\n\ntype BuilderCredentialSource = \"user\" | \"org\" | \"workspace\" | \"env\";\ninterface BuilderResolvedCredentials {\n privateKey: string | null;\n publicKey: string | null;\n userId: string | null;\n orgName: string | null;\n orgKind: string | null;\n subscription: string | null;\n subscriptionLevel: string | null;\n subscriptionName: string | null;\n isEnterprise: boolean | null;\n isFreeAccount: boolean | null;\n source: Exclude<BuilderCredentialSource, \"env\">;\n}\n\nfunction isCompleteBuilderConnection(creds: BuilderResolvedCredentials) {\n return Boolean(creds.privateKey && creds.publicKey);\n}\n\nfunction readOptionalBuilderBoolean(\n value: string | null | undefined,\n): boolean | null {\n if (value == null || value === \"\") return null;\n return 
/^(1|true)$/i.test(value);\n}\n\nexport function isBuilderPrivateKey(value: string | null | undefined): boolean {\n return typeof value === \"string\" && value.trim().startsWith(\"bpk-\");\n}\n\nasync function readBuilderCredentialScope(\n readAppSecret: typeof import(\"../secrets/storage.js\").readAppSecret,\n scope: \"user\" | \"org\" | \"workspace\",\n scopeId: string,\n): Promise<BuilderResolvedCredentials> {\n const values = await Promise.all(\n BUILDER_CREDENTIAL_KEYS.map(async (key) => {\n const secret = await readAppSecret({ key, scope, scopeId });\n return [key, secret?.value ?? null] as const;\n }),\n );\n const map = new Map<string, string | null>(values);\n return {\n privateKey: map.get(\"BUILDER_PRIVATE_KEY\") ?? null,\n publicKey: map.get(\"BUILDER_PUBLIC_KEY\") ?? null,\n userId: map.get(\"BUILDER_USER_ID\") ?? null,\n orgName: map.get(\"BUILDER_ORG_NAME\") ?? null,\n orgKind: map.get(\"BUILDER_ORG_KIND\") ?? null,\n subscription: map.get(\"BUILDER_SUBSCRIPTION\") ?? null,\n subscriptionLevel: map.get(\"BUILDER_SUBSCRIPTION_LEVEL\") ?? null,\n subscriptionName: map.get(\"BUILDER_SUBSCRIPTION_NAME\") ?? null,\n isEnterprise: readOptionalBuilderBoolean(map.get(\"BUILDER_IS_ENTERPRISE\")),\n isFreeAccount: readOptionalBuilderBoolean(\n map.get(\"BUILDER_IS_FREE_ACCOUNT\"),\n ),\n source: scope === \"workspace\" ? \"workspace\" : scope,\n };\n}\n\nasync function resolveScopedBuilderCredential(\n key: string,\n): Promise<{ value: string; source: \"user\" | \"org\" | \"workspace\" } | null> {\n const email = getRequestUserEmail();\n if (!email) return null;\n\n // Trace only when explicitly requested. These diagnostics are useful for\n // support, but they include account identifiers and run on hot paths.\n const traceLookup = shouldTraceCredentialResolve();\n let scopeAttempted = \"user\";\n try {\n const { readAppSecret } = await import(\"../secrets/storage.js\");\n\n // 1. 
Per-user override: a user can paste their own key in settings to\n // overrule the org-shared one (handy for a personal sandbox).\n const userSecret = await readAppSecret({\n key,\n scope: \"user\",\n scopeId: email,\n });\n if (userSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} scope=user hit=true`,\n );\n }\n return { value: userSecret.value, source: \"user\" };\n }\n\n // 2. Per-org shared credential: when one teammate connects Builder\n // as an owner/admin we write the OAuth result at org scope so\n // every member of that org gets the AI chat working without\n // re-running the connect flow. Resolution falls back here\n // silently — the caller never has to know which scope answered.\n const orgId = getRequestOrgId();\n if (orgId) {\n scopeAttempted = \"org\";\n const orgSecret = await readAppSecret({\n key,\n scope: \"org\",\n scopeId: orgId,\n });\n if (orgSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=${orgId} scope=org hit=true`,\n );\n }\n return { value: orgSecret.value, source: \"org\" };\n }\n\n // Older setup flows wrote shared credentials at workspace scope.\n // Keep reading those rows so status UIs and runtime resolution agree\n // for users who connected before org-scoped Builder credentials existed.\n scopeAttempted = \"workspace\";\n const workspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: orgId,\n });\n if (workspaceSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=${orgId} scope=workspace hit=true`,\n );\n }\n return { value: workspaceSecret.value, source: \"workspace\" };\n }\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=${orgId} miss tried=user,org,workspace`,\n );\n }\n } else {\n scopeAttempted = \"workspace-solo\";\n const soloWorkspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: 
`solo:${email}`,\n });\n if (soloWorkspaceSecret) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} scope=workspace-solo hit=true`,\n );\n }\n return { value: soloWorkspaceSecret.value, source: \"workspace\" };\n }\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} orgId=(none) miss tried=user,workspace-solo`,\n );\n }\n }\n } catch (err) {\n if (traceLookup) {\n console.log(\n `[builder-credential] key=${key} email=${email} scope=${scopeAttempted} error=${(err as Error)?.message ?? err}`,\n );\n }\n // Secrets table not ready — treat as missing.\n }\n return null;\n}\n\nasync function resolveScopedBuilderCredentials(): Promise<BuilderResolvedCredentials | null> {\n const email = getRequestUserEmail();\n if (!email) return null;\n\n const traceLookup = shouldTraceCredentialResolve();\n let scopeAttempted = \"user\";\n try {\n const { readAppSecret } = await import(\"../secrets/storage.js\");\n const traceScope = (creds: BuilderResolvedCredentials, scopeId: string) => {\n if (!traceLookup) return;\n console.log(\n `[builder-credential] scope=${creds.source} scopeId=${scopeId} email=${email} complete=${isCompleteBuilderConnection(creds)} private=${Boolean(creds.privateKey)} public=${Boolean(creds.publicKey)}`,\n );\n };\n\n const userCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"user\",\n email,\n );\n traceScope(userCreds, email);\n if (isCompleteBuilderConnection(userCreds)) return userCreds;\n\n const orgId = getRequestOrgId();\n if (orgId) {\n scopeAttempted = \"org\";\n const orgCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"org\",\n orgId,\n );\n traceScope(orgCreds, orgId);\n if (isCompleteBuilderConnection(orgCreds)) return orgCreds;\n\n scopeAttempted = \"workspace\";\n const workspaceCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"workspace\",\n orgId,\n );\n traceScope(workspaceCreds, orgId);\n if 
(isCompleteBuilderConnection(workspaceCreds)) return workspaceCreds;\n } else {\n scopeAttempted = \"workspace-solo\";\n const scopeId = `solo:${email}`;\n const workspaceCreds = await readBuilderCredentialScope(\n readAppSecret,\n \"workspace\",\n scopeId,\n );\n traceScope(workspaceCreds, scopeId);\n if (isCompleteBuilderConnection(workspaceCreds)) return workspaceCreds;\n }\n } catch (err) {\n if (traceLookup) {\n console.log(\n `[builder-credential] email=${email} scope=${scopeAttempted} credentials error=${(err as Error)?.message ?? err}`,\n );\n }\n }\n return null;\n}\n\n/**\n * Resolve a Builder credential for the current request. User/org credentials\n * win; deployment env is only a fallback. This lets local/root .env keys keep\n * a template working while still allowing users to connect their own Builder\n * account from Settings or onboarding.\n */\nexport async function resolveBuilderCredential(\n key: string,\n): Promise<string | null> {\n const scoped = await resolveScopedBuilderCredential(key);\n if (scoped) return scoped.value;\n if (!canUseBuilderDeployCredentialFallbackForRequest()) return null;\n return readDeployCredentialEnv(key) ?? null;\n}\n\n/**\n * True when `BUILDER_PRIVATE_KEY` is set at the deployment level. This means\n * a deploy-level fallback exists; it does not prevent per-user connect.\n */\nexport function isBuilderEnvManaged(): boolean {\n return !!process.env.BUILDER_PRIVATE_KEY;\n}\n\n/**\n * Resolve the Builder private key for the current request. User/org OAuth\n * credentials win; deploy-level `BUILDER_PRIVATE_KEY` is the fallback.\n */\nexport async function resolveBuilderPrivateKey(): Promise<string | null> {\n return resolveBuilderCredential(\"BUILDER_PRIVATE_KEY\");\n}\n\n/**\n * Resolve the current user's Builder auth header.\n * Returns `\"Bearer <key>\"` or null.\n */\nexport async function resolveBuilderAuthHeader(): Promise<string | null> {\n const key = await resolveBuilderPrivateKey();\n return key ? 
`Bearer ${key}` : null;\n}\n\n/**\n * Check whether the current user has a Builder private key configured\n * (per-user or deployment-level).\n */\nexport async function resolveHasBuilderPrivateKey(): Promise<boolean> {\n return !!(await resolveBuilderPrivateKey());\n}\n\n/**\n * Check whether the current request has the complete Builder credential bundle\n * needed for Builder-backed assistant/image-generation calls.\n */\nexport async function resolveHasCompleteBuilderConnection(): Promise<boolean> {\n const creds = await resolveBuilderCredentials();\n return !!(creds.privateKey && creds.publicKey);\n}\n\n/**\n * Resolve where the effective Builder assistant connection came from. This\n * intentionally requires a complete private+public key pair from one scope so\n * status UIs don't report a mixed user/org credential set as connected.\n */\nexport async function resolveBuilderCredentialSource(): Promise<BuilderCredentialSource | null> {\n const scoped = await resolveScopedBuilderCredentials();\n if (scoped) return scoped.source;\n return canUseBuilderDeployCredentialFallbackForRequest() &&\n process.env.BUILDER_PRIVATE_KEY\n ? 
\"env\"\n : null;\n}\n\n/**\n * Resolve the Builder assistant credential bundle from one complete scope.\n * A partial user row is treated as a miss so the org-shared connection can\n * still power the assistant for teammates.\n */\nexport async function resolveBuilderCredentials(): Promise<{\n privateKey: string | null;\n publicKey: string | null;\n userId: string | null;\n orgName: string | null;\n orgKind: string | null;\n subscription: string | null;\n subscriptionLevel: string | null;\n subscriptionName: string | null;\n isEnterprise: boolean | null;\n isFreeAccount: boolean | null;\n}> {\n const scoped = await resolveScopedBuilderCredentials();\n if (scoped) {\n const {\n privateKey,\n publicKey,\n userId,\n orgName,\n orgKind,\n subscription,\n subscriptionLevel,\n subscriptionName,\n isEnterprise,\n isFreeAccount,\n } = scoped;\n return {\n privateKey,\n publicKey,\n userId,\n orgName,\n orgKind,\n subscription,\n subscriptionLevel,\n subscriptionName,\n isEnterprise,\n isFreeAccount,\n };\n }\n const privateKey = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_PRIVATE_KEY\") ?? null)\n : null;\n const publicKey = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_PUBLIC_KEY\") ?? null)\n : null;\n const userId = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_USER_ID\") ?? null)\n : null;\n const orgName = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_ORG_NAME\") ?? null)\n : null;\n const orgKind = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_ORG_KIND\") ?? null)\n : null;\n const subscription = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_SUBSCRIPTION\") ?? null)\n : null;\n const subscriptionLevel = canUseBuilderDeployCredentialFallbackForRequest()\n ? 
(readDeployCredentialEnv(\"BUILDER_SUBSCRIPTION_LEVEL\") ?? null)\n : null;\n const subscriptionName = canUseBuilderDeployCredentialFallbackForRequest()\n ? (readDeployCredentialEnv(\"BUILDER_SUBSCRIPTION_NAME\") ?? null)\n : null;\n const isEnterprise = canUseBuilderDeployCredentialFallbackForRequest()\n ? readOptionalBuilderBoolean(\n readDeployCredentialEnv(\"BUILDER_IS_ENTERPRISE\"),\n )\n : null;\n const isFreeAccount = canUseBuilderDeployCredentialFallbackForRequest()\n ? readOptionalBuilderBoolean(\n readDeployCredentialEnv(\"BUILDER_IS_FREE_ACCOUNT\"),\n )\n : null;\n return {\n privateKey,\n publicKey,\n userId,\n orgName,\n orgKind,\n subscription,\n subscriptionLevel,\n subscriptionName,\n isEnterprise,\n isFreeAccount,\n };\n}\n\nconst BUILDER_AUTH_FAILURE_SETTING_PREFIX = \"builder-auth-failure:\";\n\nexport interface BuilderCredentialAuthFailure {\n fingerprint: string;\n message: string;\n status?: number;\n code?: string;\n at: number;\n ownerEmail?: string | null;\n orgId?: string | null;\n}\n\nexport function builderCredentialFingerprint(\n privateKey?: string | null,\n publicKey?: string | null,\n): string | null {\n if (!privateKey || !publicKey) return null;\n return createHash(\"sha256\")\n .update(privateKey)\n .update(\"\\0\")\n .update(publicKey)\n .digest(\"hex\")\n .slice(0, 24);\n}\n\nfunction builderAuthFailureSettingKey(fingerprint: string): string {\n return `${BUILDER_AUTH_FAILURE_SETTING_PREFIX}${fingerprint}`;\n}\n\nexport async function getBuilderCredentialAuthFailure(\n creds: {\n privateKey?: string | null;\n publicKey?: string | null;\n } = {},\n): Promise<BuilderCredentialAuthFailure | null> {\n const fingerprint = builderCredentialFingerprint(\n creds.privateKey,\n creds.publicKey,\n );\n if (!fingerprint) return null;\n try {\n const { getSetting } = await import(\"../settings/store.js\");\n const row = await getSetting(builderAuthFailureSettingKey(fingerprint));\n if (!row) return null;\n return {\n fingerprint,\n 
message:\n typeof row.message === \"string\" && row.message\n ? row.message\n : \"Builder rejected the connected credentials. Reconnect Builder.io.\",\n status: typeof row.status === \"number\" ? row.status : undefined,\n code: typeof row.code === \"string\" ? row.code : undefined,\n at: typeof row.at === \"number\" ? row.at : Date.now(),\n ownerEmail:\n typeof row.ownerEmail === \"string\" ? row.ownerEmail : undefined,\n orgId: typeof row.orgId === \"string\" ? row.orgId : undefined,\n };\n } catch {\n return null;\n }\n}\n\nexport async function recordBuilderCredentialAuthFailure(details?: {\n status?: number;\n code?: string;\n message?: string;\n}): Promise<void> {\n try {\n const creds = await resolveBuilderCredentials();\n const fingerprint = builderCredentialFingerprint(\n creds.privateKey,\n creds.publicKey,\n );\n if (!fingerprint) return;\n const { putSetting } = await import(\"../settings/store.js\");\n await putSetting(builderAuthFailureSettingKey(fingerprint), {\n fingerprint,\n message:\n details?.message ||\n \"Builder rejected the connected credentials. Reconnect Builder.io.\",\n ...(typeof details?.status === \"number\" && { status: details.status }),\n ...(details?.code && { code: details.code }),\n at: Date.now(),\n ownerEmail: getRequestUserEmail() ?? null,\n orgId: getRequestOrgId() ?? 
null,\n });\n } catch {\n // Best-effort marker only; the chat error is still returned to the user.\n }\n}\n\nexport async function clearBuilderCredentialAuthFailure(creds: {\n privateKey?: string | null;\n publicKey?: string | null;\n}): Promise<void> {\n const fingerprint = builderCredentialFingerprint(\n creds.privateKey,\n creds.publicKey,\n );\n if (!fingerprint) return;\n try {\n const { deleteSetting } = await import(\"../settings/store.js\");\n await deleteSetting(builderAuthFailureSettingKey(fingerprint));\n } catch {\n // A stale failure marker should not block writing fresh credentials.\n }\n}\n\n/**\n * Write Builder credentials to `app_secrets`.\n *\n * Scope decision (see `resolveCredentialWriteScope`): when the connecting\n * user is owner/admin of an active org we write at `scope: \"org\"` so every\n * member of that org auto-resolves the credentials via\n * `resolveBuilderCredential`'s org fallback — no per-user re-connect\n * needed. A plain member or a user with no active org writes at\n * `scope: \"user\"` (the safe default that doesn't trample the org's shared\n * connection).\n *\n * Stale-credential cleanup: before writing the new values we (1) clear ALL\n * five BUILDER_* keys at the target scope, so optional fields the new\n * connection doesn't carry (e.g. user picked a Builder space that returns\n * no orgName) don't leave the previous connection's metadata behind, and\n * (2) when writing at org scope, also clear the writer's own user-scope\n * BUILDER_* rows so a stale personal override from an earlier connect\n * doesn't shadow the new org write on resolution (user scope wins org\n * scope by design — see `resolveScopedBuilderCredential`). The org-scope\n * row is intentionally left alone when writing at user scope: that row is\n * shared with the rest of the org and a single user's personal override\n * shouldn't blow it away. 
(Victoria's \"I signed in again with my Builder\n * space and it still says no credits\" report on 2026-05-11 was exactly\n * this stale-shadow case.)\n *\n * Returns the actual scope/scopeId used so the caller can show \"Connected\n * for Builder.io\" vs \"Connected (personal)\" in the UI.\n */\nexport async function writeBuilderCredentials(\n email: string,\n creds: {\n privateKey: string;\n publicKey: string;\n userId?: string | null;\n orgName?: string | null;\n orgKind?: string | null;\n subscription?: string | null;\n subscriptionLevel?: string | null;\n subscriptionName?: string | null;\n isEnterprise?: boolean | null;\n isFreeAccount?: boolean | null;\n },\n options?: { orgId?: string | null; role?: string | null },\n): Promise<{ scope: \"user\" | \"org\"; scopeId: string }> {\n const privateKey = creds.privateKey.trim();\n const publicKey = creds.publicKey.trim();\n if (!isBuilderPrivateKey(privateKey)) {\n throw new Error(\n \"Builder returned a credential that is not a Builder private key (expected bpk-...). Restart the Builder connect flow and choose a space that can issue a private key.\",\n );\n }\n if (!publicKey) {\n throw new Error(\n \"Builder did not return a public API key. Restart the Builder connect flow.\",\n );\n }\n\n const { writeAppSecret, deleteAppSecret } =\n await import(\"../secrets/storage.js\");\n const target = resolveCredentialWriteScope(\n email,\n options?.orgId ?? null,\n options?.role ?? null,\n );\n\n // Clear stale rows before writing the new connection. 
See the function's\n // doc comment for the two cases this handles.\n const cleanups: Array<Promise<unknown>> = BUILDER_CREDENTIAL_KEYS.map((key) =>\n deleteAppSecret({\n key,\n scope: target.scope,\n scopeId: target.scopeId,\n }).catch(() => {}),\n );\n if (target.scope === \"org\") {\n for (const key of BUILDER_CREDENTIAL_KEYS) {\n cleanups.push(\n deleteAppSecret({ key, scope: \"user\", scopeId: email }).catch(() => {}),\n );\n }\n }\n await Promise.all(cleanups);\n\n const entries: Array<{ key: string; value: string }> = [\n { key: \"BUILDER_PRIVATE_KEY\", value: privateKey },\n { key: \"BUILDER_PUBLIC_KEY\", value: publicKey },\n ];\n if (creds.userId) {\n entries.push({ key: \"BUILDER_USER_ID\", value: creds.userId });\n }\n if (creds.orgName) {\n entries.push({ key: \"BUILDER_ORG_NAME\", value: creds.orgName });\n }\n if (creds.orgKind) {\n entries.push({ key: \"BUILDER_ORG_KIND\", value: creds.orgKind });\n }\n if (creds.subscription) {\n entries.push({ key: \"BUILDER_SUBSCRIPTION\", value: creds.subscription });\n }\n if (creds.subscriptionLevel) {\n entries.push({\n key: \"BUILDER_SUBSCRIPTION_LEVEL\",\n value: creds.subscriptionLevel,\n });\n }\n if (creds.subscriptionName) {\n entries.push({\n key: \"BUILDER_SUBSCRIPTION_NAME\",\n value: creds.subscriptionName,\n });\n }\n if (typeof creds.isEnterprise === \"boolean\") {\n entries.push({\n key: \"BUILDER_IS_ENTERPRISE\",\n value: String(creds.isEnterprise),\n });\n }\n if (typeof creds.isFreeAccount === \"boolean\") {\n entries.push({\n key: \"BUILDER_IS_FREE_ACCOUNT\",\n value: String(creds.isFreeAccount),\n });\n }\n await Promise.all(\n entries.map(({ key, value }) =>\n writeAppSecret({\n key,\n value,\n scope: target.scope,\n scopeId: target.scopeId,\n }),\n ),\n );\n await clearBuilderCredentialAuthFailure({\n privateKey,\n publicKey,\n });\n return target;\n}\n\n/**\n * Delete Builder credentials.\n *\n * Default behaviour: clears only this user's per-user override (so a\n * member can disconnect 
their personal Builder identity without\n * collapsing the org-wide connection for every teammate). To revoke the\n * org's shared connection, pass `{ orgId, role }` for an owner/admin —\n * matching the same authority gate `writeBuilderCredentials` uses on\n * write. Plain members can never reach the org-scoped row.\n */\nexport async function deleteBuilderCredentials(\n email: string,\n options?: { orgId?: string | null; role?: string | null },\n): Promise<{ scope: \"user\" | \"org\"; scopeId: string }> {\n const { deleteAppSecret } = await import(\"../secrets/storage.js\");\n const target = resolveCredentialWriteScope(\n email,\n options?.orgId ?? null,\n options?.role ?? null,\n );\n await Promise.all(\n BUILDER_CREDENTIAL_KEYS.map((key) =>\n deleteAppSecret({\n key,\n scope: target.scope,\n scopeId: target.scopeId,\n }).catch(() => {}),\n ),\n );\n return target;\n}\n\n// ---------------------------------------------------------------------------\n// Generic request-scoped secret resolution\n//\n// New consumers should prefer this over reading `process.env.X` directly.\n// User-pasted and shared secrets live in `app_secrets` (encrypted). The\n// settings UI / onboarding panels can write user, org, or workspace rows.\n// Deploy-level env vars are the fallback for unauthenticated/CLI/background\n// contexts where there's no user to scope by — never the silent fallback\n// for an authenticated request, since on a multi-tenant deploy that would\n// silently identify every user as whoever set the deploy-level key\n// (KVesta Space, 2026-04).\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve a request-scoped secret. 
Reads from `app_secrets` first (current\n * user override, active org, then workspace row); falls back to `process.env`\n * only when the deploy fallback policy allows it.\n */\nexport async function resolveSecret(key: string): Promise<string | null> {\n const traceLookup = shouldTraceCredentialResolve();\n const email = getRequestUserEmail();\n if (email) {\n try {\n const { readAppSecret } = await import(\"../secrets/storage.js\");\n // Per-user override first.\n const userSecret = await readAppSecret({\n key,\n scope: \"user\",\n scopeId: email,\n });\n if (userSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} scope=user hit=true`,\n );\n }\n return userSecret.value;\n }\n\n const orgId = getRequestOrgId();\n if (orgId) {\n // Fall back to the active org's shared row, when present. Builder\n // Connect uses this first-class org scope.\n const orgSecret = await readAppSecret({\n key,\n scope: \"org\",\n scopeId: orgId,\n });\n if (orgSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} orgId=${orgId} scope=org hit=true`,\n );\n }\n return orgSecret.value;\n }\n\n // Registered secrets historically used \"workspace\" scope for\n // org-shared configuration. 
Keep reading it so Settings status and\n // runtime resolution agree.\n const workspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: orgId,\n });\n if (workspaceSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} orgId=${orgId} scope=workspace hit=true`,\n );\n }\n return workspaceSecret.value;\n }\n } else {\n const soloWorkspaceSecret = await readAppSecret({\n key,\n scope: \"workspace\",\n scopeId: `solo:${email}`,\n });\n if (soloWorkspaceSecret?.value) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} scope=workspace-solo hit=true`,\n );\n }\n return soloWorkspaceSecret.value;\n }\n }\n } catch (err) {\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} scope=error err=${(err as Error)?.message ?? err}`,\n );\n }\n // Secrets table not ready — treat as missing.\n }\n // Authenticated multi-tenant context: never fall back to process.env.\n // The deploy-level value would silently impersonate the actual key\n // owner across every tenant. Local/single-tenant deployments keep the\n // original env fallback for BYO-server workflows.\n const envFallback = (\n isBuilderCredentialKey(key)\n ? canUseBuilderDeployCredentialFallbackForRequest()\n : canUseDeployCredentialFallbackForRequest()\n )\n ? process.env[key] || null\n : null;\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=${email} orgId=${getRequestOrgId() ?? \"(none)\"} scope=${envFallback ? 
\"env-fallback\" : \"none\"} hit=${!!envFallback}`,\n );\n }\n return envFallback;\n }\n // Unauthenticated / local-dev / CLI / background context: env fallback\n // is safe because there's no user to mis-identify.\n const value = process.env[key] || null;\n if (traceLookup) {\n console.log(\n `[resolve-secret] key=${key} email=(none) scope=env-anonymous hit=${!!value}`,\n );\n }\n return value;\n}\n\n// ---------------------------------------------------------------------------\n// Synchronous helpers — env-only fallbacks for contexts where per-user\n// lookup isn't possible (sync isConfigured checks, CLI scripts).\n// ---------------------------------------------------------------------------\n\n/**\n * True when a Builder private key is configured at the deployment level.\n *\n * This is the same env-only check as `isBuilderEnvManaged()`. For \"does this\n * request have access to Builder via user/org/env credentials?\" use the async\n * `resolveHasBuilderPrivateKey()`.\n */\nexport function hasBuilderPrivateKey(): boolean {\n return !!process.env.BUILDER_PRIVATE_KEY;\n}\n\n/** The origin for Builder-proxied API calls. Overridable for testing. 
*/\nexport function getBuilderProxyOrigin(): string {\n return (\n process.env.BUILDER_PROXY_ORIGIN ||\n process.env.AIR_HOST ||\n process.env.BUILDER_API_HOST ||\n \"https://api.builder.io\"\n );\n}\n\n/**\n * Base URL for the public Builder LLM gateway, which lives at\n * api.builder.io/agent-native/gateway.\n * Override via BUILDER_GATEWAY_BASE_URL for staging / testing.\n */\nexport function getBuilderGatewayBaseUrl(): string {\n return (\n process.env.BUILDER_GATEWAY_BASE_URL ||\n \"https://api.builder.io/agent-native/gateway/v1\"\n );\n}\n\n/**\n * Base URL for Builder-managed image generation.\n * Override via BUILDER_IMAGE_GENERATION_BASE_URL for staging / testing.\n */\nexport function getBuilderImageGenerationBaseUrl(): string {\n return (\n process.env.BUILDER_IMAGE_GENERATION_BASE_URL ||\n \"https://api.builder.io/agent-native/images/v1\"\n );\n}\n\n/**\n * Base URL for Builder-managed web search.\n * Override via BUILDER_WEB_SEARCH_BASE_URL for staging / testing.\n */\nexport function getBuilderWebSearchBaseUrl(): string {\n return (\n process.env.BUILDER_WEB_SEARCH_BASE_URL ||\n \"https://api.builder.io/agent-native/web-search/v1\"\n );\n}\n\n/** Authorization header value for Builder-proxied calls (env-only). */\nexport function getBuilderAuthHeader(): string | null {\n const key = process.env.BUILDER_PRIVATE_KEY;\n return key ? `Bearer ${key}` : null;\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"framework-request-handler.d.ts","sourceRoot":"","sources":["../../src/server/framework-request-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,KAAK,EAAE,YAAY,EAAW,MAAM,IAAI,CAAC;AAQhD,QAAA,MAAM,gBAAgB,mBAAmB,CAAC;AAiD1C;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC;IAC/C,GAAG,CAAC,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;GASG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAQ3E;AAED;;;;;;;;GAQG;AACH,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,GAAG,GAAG,SAAS,CA0DjD;AA0CD;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAOjE;AAmBD;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,GAAG,EACb,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,EACtB,OAAO,GAAE;IAAE,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;CAAO,GACjC,IAAI,CA0BN;AAkCD;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,GAAG,EACb,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAqBf;AA8SD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,uBAAuB,CAC3C,WAAW,EAAE,MAAM,EACnB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,GAAG,CAAC,CAyBd;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAC"}
1
+ {"version":3,"file":"framework-request-handler.d.ts","sourceRoot":"","sources":["../../src/server/framework-request-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,KAAK,EAAE,YAAY,EAAW,MAAM,IAAI,CAAC;AAQhD,QAAA,MAAM,gBAAgB,mBAAmB,CAAC;AAkD1C;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC;IAC/C,GAAG,CAAC,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;GASG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAQ3E;AAED;;;;;;;;GAQG;AACH,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,GAAG,GAAG,SAAS,CA0DjD;AA0CD;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAOjE;AAmBD;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,GAAG,EACb,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,EACtB,OAAO,GAAE;IAAE,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;CAAO,GACjC,IAAI,CAuCN;AAmDD;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,GAAG,EACb,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAqBf;AAkTD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,uBAAuB,CAC3C,WAAW,EAAE,MAAM,EACnB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,GAAG,CAAC,CAyBd;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAC"}
@@ -10,6 +10,7 @@ const APP_SHIM_KEY = "_agentNativeH3Shim";
10
10
  const BOOTSTRAP_PROMISE_KEY = "_agentNativeBootstrapPromise";
11
11
  const PLUGIN_READY_KEY = "_agentNativePluginReadyPromise";
12
12
  const PLUGIN_READY_PLACEHOLDERS_KEY = "_agentNativePluginReadyPlaceholders";
13
+ const PLUGIN_FAILED_KEY = "_agentNativePluginInitFailures";
13
14
  const PROVIDED_PLUGIN_STEMS_KEY = "_agentNativeProvidedPluginStems";
14
15
  const MIDDLEWARE_DISPATCHER_PATCHED_KEY = "_agentNativeMiddlewareDispatcherPatched";
15
16
  function getAppBasePath() {
@@ -204,6 +205,17 @@ export function trackPluginInit(nitroApp, promise, options = {}) {
204
205
  // is still observable when awaitPluginsReady() re-awaits the promise.
205
206
  const safe = promise.catch((err) => {
206
207
  console.error("[agent-native] Plugin init failed:", err.message || err);
208
+ // Record the failure so the readiness gate can return a retryable 503 for
209
+ // this plugin's routes instead of letting them fall through to a bare
210
+ // "Cannot find any route matching" 404. That bare 404 is what kept biting
211
+ // external MCP clients (pi/codex/claude) and the connect flow on cold /
212
+ // propagating instances whose async init rejected (e.g. DB not yet
213
+ // reachable): the route never registered, so the placeholder released into
214
+ // a 404 the client couldn't recover from. A 503 is at least retryable.
215
+ const failures = (nitroApp[PLUGIN_FAILED_KEY] ??= new Map());
216
+ const msg = err?.message || String(err);
217
+ for (const p of options.paths?.filter(Boolean) ?? [])
218
+ failures.set(p, msg);
207
219
  });
208
220
  const entry = {
209
221
  promise: safe,
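Review bot: The failure is never recorded when the promise rejects with `null` or `undefined`, because the unchanged `console.error(..., err.message || err)` line above the new code throws before the map is touched. The new code already guards for this with `err?.message`, so compute `const msg = err?.message || String(err);` first and log `msg`. Separately, nothing in the visible hunks removes an entry from the `PLUGIN_FAILED_KEY` map. If init can later succeed on the same instance, the path would presumably keep answering 503, so confirm whether entries are cleared elsewhere. The body of `trackPluginInit` starts and ends outside this hunk.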
@@ -230,7 +242,24 @@ function installPluginReadyPlaceholders(nitroApp, paths) {
230
242
  installed.add(path);
231
243
  registerMiddleware(nitroApp, path, (async (event) => {
232
244
  const eventAny = event;
233
- await awaitFrameworkRoutesReadyForRequest(nitroApp, eventAny.context?._mountedPathname ?? event.url?.pathname ?? path);
245
+ const reqPath = eventAny.context?._mountedPathname ?? event.url?.pathname ?? path;
246
+ await awaitFrameworkRoutesReadyForRequest(nitroApp, reqPath);
247
+ // If this plugin's async init failed, its real route was never
248
+ // registered. Return a retryable 503 instead of releasing into a bare
249
+ // 404 (external MCP clients can't recover from a 404; a 503 is at least
250
+ // a "try again" the client / next instance can act on).
251
+ const failures = nitroApp[PLUGIN_FAILED_KEY];
252
+ if (failures?.size) {
253
+ for (const [failedPath, msg] of failures) {
254
+ if (resolveMountMatch(reqPath, failedPath)) {
255
+ setResponseStatus(event, 503);
256
+ setResponseHeader(event, "retry-after", "5");
257
+ return {
258
+ error: `agent-native route is initializing or unavailable: ${msg}`,
259
+ };
260
+ }
261
+ }
262
+ }
234
263
  return undefined;
235
264
  }), {
236
265
  prepend: true,
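Review bot: The 503 body interpolates `msg`, the raw plugin-init error text, into the response, so any caller of that path can read internal failure details; the comment in `trackPluginInit` itself gives "DB not yet reachable" as an example. The placeholder is registered with `prepend: true`, so it presumably answers before any authentication the real route would apply. The detail is already written to the server log by `console.error`, so the response can stay generic: `return { error: "agent-native route is initializing or unavailable" };`. If clients need to correlate failures, return an opaque identifier that is also logged, not the message. `installPluginReadyPlaceholders` begins and ends outside this hunk.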
@@ -452,6 +481,7 @@ async function bootstrapDefaultPlugins(nitroApp) {
452
481
  const terminalModule = await import("../terminal/terminal-plugin.js");
453
482
  const integrationsModule = await import("../integrations/plugin.js");
454
483
  const contextXrayModule = await import("../agent/context-xray/plugin.js");
484
+ const observationalMemoryModule = await import("../agent/observational-memory/plugin.js");
455
485
  const orgModule = await import("../org/plugin.js");
456
486
  const onboardingModule = await import("../onboarding/plugin.js");
457
487
  const frameworkImpls = {
@@ -460,6 +490,8 @@ async function bootstrapDefaultPlugins(nitroApp) {
460
490
  "context-xray": contextXrayModule.defaultContextXrayPlugin,
461
491
  "core-routes": serverModule.defaultCoreRoutesPlugin,
462
492
  integrations: integrationsModule.defaultIntegrationsPlugin,
493
+ "observational-memory": observationalMemoryModule
494
+ .defaultObservationalMemoryPlugin,
463
495
  onboarding: onboardingModule.defaultOnboardingPlugin,
464
496
  org: orgModule.defaultOrgPlugin,
465
497
  resources: serverModule.defaultResourcesPlugin,