npm - @agent-native/core - Versions diffs - 0.56.1 → 0.57.0 - Mend

@agent-native/core 0.56.1 → 0.57.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/README.md +9 -7
package/dist/cli/plan-local.d.ts.map +1 -1
package/dist/cli/plan-local.js +66 -10
package/dist/cli/plan-local.js.map +1 -1
package/dist/cli/skills.d.ts +2 -2
package/dist/cli/skills.d.ts.map +1 -1
package/dist/cli/skills.js +13 -5
package/dist/cli/skills.js.map +1 -1
package/dist/client/AssistantChat.d.ts +8 -0
package/dist/client/AssistantChat.d.ts.map +1 -1
package/dist/client/AssistantChat.js +24 -4
package/dist/client/AssistantChat.js.map +1 -1
package/dist/client/agent-chat-adapter.d.ts.map +1 -1
package/dist/client/agent-chat-adapter.js +39 -4
package/dist/client/agent-chat-adapter.js.map +1 -1
package/dist/client/chat/index.d.ts +1 -1
package/dist/client/chat/index.d.ts.map +1 -1
package/dist/client/chat/index.js +1 -0
package/dist/client/chat/index.js.map +1 -1
package/dist/client/chat/runtime.d.ts +93 -0
package/dist/client/chat/runtime.d.ts.map +1 -1
package/dist/client/chat/runtime.js +934 -1
package/dist/client/chat/runtime.js.map +1 -1
package/dist/client/index.d.ts +1 -1
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +1 -0
package/dist/client/index.js.map +1 -1
package/dist/mcp/build-server.d.ts.map +1 -1
package/dist/mcp/build-server.js +48 -3
package/dist/mcp/build-server.js.map +1 -1
package/docs/content/actions.md +5 -1
package/docs/content/agent-surfaces.md +258 -0
package/docs/content/components.md +38 -17
package/docs/content/drop-in-agent.md +10 -5
package/docs/content/embedding-sdk.md +4 -0
package/docs/content/external-agents.md +1 -0
package/docs/content/getting-started.md +2 -0
package/docs/content/key-concepts.md +3 -2
package/docs/content/mcp-apps.md +1 -1
package/docs/content/native-chat-ui.md +69 -22
package/docs/content/plan-plugin.md +27 -1
package/docs/content/pure-agent-apps.md +2 -1
package/docs/content/using-your-agent.md +1 -0
package/docs/content/what-is-agent-native.md +3 -2
package/package.json +1 -1

package/dist/mcp/build-server.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"build-server.js","sourceRoot":"","sources":["../../src/mcp/build-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAChE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,6BAA6B,GAG9B,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,iCAAiC,EAAE,MAAM,gBAAgB,CAAC;AACnE,OAAO,EACL,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,GAChB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,yBAAyB,EACzB,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,+BAA+B,EAAE,MAAM,yBAAyB,CAAC;AAC1E,OAAO,EAAE,uBAAuB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EACL,2BAA2B,EAC3B,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAEL,gBAAgB,EAChB,yBAAyB,GAC1B,MAAM,kBAAkB,CAAC;AAqI1B,SAAS,4BAA4B,CACnC,KAAkB,EAClB,MAA4B;IAE5B,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,QAAQ,GACZ,KAAK,CAAC,QAAQ,KAAK,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC;IACrD,OAAO,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,gCAAgC,GAAG,IAAI,GAAG,CAAC;IAC/C,WAAW;IACX,UAAU;IACV,SAAS;IACT,gBAAgB;IAChB,sBAAsB;IACtB,0EAA0E;IAC1E,2EAA2E;IAC3E,6DAA6D;IAC7D,aAAa;CACd,CAAC,CAAC;AAEH,SAAS,wCAAwC,CAC/C,IAAY,EACZ,KAAkB,EAClB,MAAiB;IAEjB,IAAI,gCAAgC,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,IACG,KAAK,CAAC,MAAmD;QACxD,EAAE,cAAc,KAAK,IAAI,EAC3B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAM,CAAC,oBAAoB,KAAK,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC;QACpE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gCAAgC,CACvC,WAAuC;IAEvC,yEAAyE;IACzE,uEAAuE;IACvE,iDAAiD;IACjD,+EAA+E;IAC/E,uEAAuE;IACvE,2EAA2E;IAC3E,4EAA4E;IAC5E,uEAAuE;IACvE,uBAAuB;IACvB,IAAI,OAAO,CAAC,GAAG,CAAC,6BAA6B,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,WAAW,EAAE,WAAW,KAAK,IAAI,CAAC;AAC3C,CAAC;AAED,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAAU,CAAC;AAEhD;;;;;GAKG;AACH,SAAS,qBAAqB,CAAC,SAAiB;IAC9C,MAAM,MAAM,GACV,OAAO,CAAC,GAAG,CAAC,6BAA6B,KAAK,GAAG;QAC/C,CAAC,CAAC,iCAAiC;QACnC,CAAC,CAAC,yDAAyD,CAAC;IAChE,MAAM,GAAG,GAAG,GAAG,MAAM,IAAI,SAAS,EAAE,CAAC;IACrC,IAAI,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO;IAC3C,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,CAAC,IAAI,CACV,qDAAqD,SAAS,eAAe,MAAM,IAAI;QACrF,6EAA6E;QAC7E,iFAAiF,CACpF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAS,0BAA0B,CAAC,IAAY,EAAE,MAAiB;IACjE,IAAI,gCAAgC,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1D,OAAO,MAAM,CAAC,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAChD,CAAC;AAwBD,SAAS,cAAc,CAAC,KAAc;IACpC,OAAO,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAChE,CAAC,CAAE,KAAiC;QACpC,CAAC,CAAC,EAAE,CAAC;AACT,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE;QAAE,OAAO,SAAS,CAAC;IACjE,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,wBAAwB,CAAC,KAAc;IAC9C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE;QAAE,OAAO,SAAS,CAAC;IACjE,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,CAAC;QACH,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QACjB,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,SAAiB;IAC/C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,6BAA6B,CAAC;QAC3C,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;YACnC,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC;YAC1B,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QACvB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;QAC3D,OAAO,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;YAC9B,CAAC,CAAC,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE;YAC3C,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,6BAA6B,CAAC;QAC3C,MAAM,GAAG,GAAG,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QAC1E,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAa;IACzC,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzD,MAAM,GAAG,GAAG,SAAS;YACnB,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC;YAChB,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QACxD,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QAClE,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACzC,IAAI,wBAAwB,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACtD,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,mBAAmB,CAAC,KAAc,EAAE,KAAK,GAAG,CAAC;IACpD,IAAI,KAAK,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,KAAK,CAAC;IAC/D,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,mBAAmB,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC,EAAE,CAAC;YAC1E,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;gBACpD,sEAAsE;gBACtE,qEAAqE;gBACrE,SAAS;YACX,CAAC;YACD,GAAG,CAAC,GAAG,CAAC,GAAG,mBAAmB,CAAC,GAAG,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,uBAAuB,CAC9B,MAAe,EACf,QAAgC,EAChC,IAAgC;IAEhC,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACnC,MAAM,aAAa,GACjB,OAAO,GAAG,CAAC,aAAa,KAAK,QAAQ;QACnC,CAAC,CAAC,GAAG,CAAC,aAAa;QACnB,CAAC,CAAC,GAAG,CAAC,KAAK,KAAK,IAAI;YAChB,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ;YAC3B,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,4BAA4B,CAAC;YAChD,CAAC,CAAC,GAAG,CAAC,GAAG;YACT,CAAC,CAAC,IAAI,CAAC;IACb,IAAI,CAAC,aAAa;QAAE,OAAO,EAAE,CAAC;IAE9B,MAAM,MAAM,GAAG,iBAAiB,CAC9B,sBAAsB,CAAC,aAAa,CAAC,EACrC,IAAI,EAAE,MAAM,CACb,CAAC;IACF,MAAM,WAAW,GACf,OAAO,GAAG,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/D,MAAM,aAAa,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,IAAI,IAAI,KAAK,CAAC;IAC/D,MAAM,KAAK,GACT,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE;QAC3C,CAAC,CAAC,QAAQ,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE;QAC1B,CAAC,CAAC,aAAa,CAAC;IACpB,MAAM,IAAI,GACR,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;QAC7C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;QACjB,CAAC,CAAC,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;YAC/C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;YACjB,CAAC,CAAC,SAAS,CAAC;IAClB,sEAAsE;IACtE,qEAAqE;IACrE,oEAAoE;IACpE,qEAAqE;IACrE,uEAAuE;IACvE,uEAAuE;IACvE,qEAAqE;IACrE,+BAA+B;IAC/B,MAAM,iBAAiB,GACrB,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAC1B,CAAC,CAAC,IAAI;QACN,CAAC,CAAC,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;YAC/D,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;YACjB,CAAC,CAAC,SAAS,CAAC;IAClB,MAAM,eAAe,GAAG,WAAW;QACjC,CAAC,CAAC,WAAW;QACb,CAAC,CAAC,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC;YACxD,CAAC,CAAC,GAAG,CAAC,GAAG;YACT,CAAC,CAAC,iBAAiB,CAAC;IACxB,MAAM,WAAW,GAAG,eAAe;QACjC,CAAC,CAAC,iBAAiB,CAAC,eAAe,EAAE,IAAI,EAAE,MAAM,CAAC;QAClD,CAAC,CAAC,IAAI,CAAC;IACT,uEAAuE;IACvE,2EAA2E;IAC3E,yEAAyE;IACzE,sEAAsE;IACtE,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE;QAC/B,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAC9B,MAAM,GAAG,GACP,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE;YAC3C,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE;YAChB,CAAC,CAAC,SAAS,CAAC;QAChB,IAAI,CAAC,GAAG;YAAE,OAAO,WAAW,CAAC;QAC7B,IAAI,yBAAyB,CAAC,WAAW,CAAC,EAAE,CAAC;YAC3C,OAAO,gBAAgB,CAAC,WAAW,CAAC,CAAC;QACvC,CAAC;QACD,MAAM,WAAW,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;QACtD,IAAI,CAAC,WAAW;YAAE,OAAO,WAAW,CAAC;QACrC,MAAM,SAAS,GACb,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACzE,MAAM,MAAM,GACV,GAAG,CAAC,MAAM,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC;YACxE,CAAC,CAAE,GAAG,CAAC,MAGH;YACJ,CAAC,CAAC,SAAS,CAAC;QAChB,OAAO,gBAAgB,CACrB,aAAa,CAAC;YACZ,GAAG;YACH,IAAI,EAAE,SAAS;YACf,EAAE,EAAE,WAAW;YACf,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC9B,CAAC,CACH,CAAC;IACJ,CAAC,CAAC,EAAE,CAAC;IAEL,OAAO;QACL,yBAAyB,EAAE;YACzB,QAAQ,EAAE,MAAM;YAChB,GAAG,CAAC,OAAO,GAAG,CAAC,cAAc,KAAK,QAAQ;gBACxC,CAAC,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,cAAc,EAAE;gBACnC,CAAC,CAAC,EAAE,CAAC;SACR;QACD,GAAG,CAAC,WAAW;YACb,CAAC,CAAC;gBACE,uBAAuB,EAAE;oBACvB,KAAK;oBACL,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACzB,MAAM,EAAE,WAAW;oBACnB,UAAU,EAAE,kBAAkB,IAAI,WAAW;oBAC7C,SAAS,EAAE,eAAe,CAAC,WAAW,CAAC;iBACxC;aACF;YACH,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gCAAgC,CAC7C,MAAe,EACf,IAAgC;IAEhC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,GAAG,GAAG,MAAiC,CAAC;IAC9C,IAAI,GAAG,CAAC,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IACtC,IAAI,OAAO,GAAG,CAAC,aAAa,KAAK,QAAQ,IAAI,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,EAAE,CAAC;QACtE,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IACE,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ;QAC3B,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE;QACd,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,EACxB,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC,IAAI,CACzD,CAAC,KAAK,EAAmB,EAAE,CACzB,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CACvD,CAAC;IACF,IAAI,CAAC,SAAS;QAAE,OAAO,MAAM,CAAC;IAE9B,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;IACjC,MAAM,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACpE,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACrD,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc;QAAE,OAAO,MAAM,CAAC;IAC9C,IAAI,cAAc,IAAI,CAAC,IAAI,EAAE,MAAM;QAAE,OAAO,MAAM,CAAC;IAEnD,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,MAAM,UAAU,GAAG,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAC1C,IAAI,CAAC,UAAU;QAAE,OAAO,MAAM,CAAC;IAE/B,MAAM,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,GAC1D,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;IAC7C,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IACzE,MAAM,UAAU,GAAG,wBAAwB,CACzC,sBAAsB,CAAC,OAAO,CAAC,EAC/B,IAAI,EAAE,MAAM,CACb,CAAC;IACF,IAAI,CAAC,UAAU;QAAE,OAAO,MAAM,CAAC;IAE/B,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAAC;QAC5C,UAAU;QACV,KAAK,EAAE,GAAG,EAAE,KAAK;QACjB,UAAU;QACV,KAAK,EAAE,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI;KAC1D,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACrD,MAAM,aAAa,GAAG,IAAI,EAAE,MAAM;QAChC,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE;QAC5C,CAAC,CAAC,SAAS,CAAC;IAEd,OAAO;QACL,GAAG,GAAG;QACN,aAAa;QACb,eAAe,EAAE,UAAU;QAC3B,cAAc,EAAE,MAAM,CAAC,SAAS;KACjC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,KAAkB,EAClB,IAAyB,EACzB,MAAW,EACX,IAAgC;IAKhC,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,UAAU;QAAE,OAAO,EAAE,CAAC;IAChD,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QACpD,IAAI,CAAC,EAAE,EAAE,GAAG;YAAE,OAAO,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,yBAAyB,CAAC,EAAE,CAAC,GAAG,CAAC;YAC/C,CAAC,CAAC,8BAA8B,CAAC,EAAE,CAAC,GAAG,CAAC;YACxC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC;QACX,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,WAAW,GAAG,IAAI,EAAE,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC;QACrE,OAAO;YACL,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,KAAK,OAAO,WAAW,GAAG,EAAE;YACpE,KAAK,EAAE;gBACL,uBAAuB,EAAE;oBACvB,KAAK,EAAE,EAAE,CAAC,KAAK;oBACf,IAAI,EAAE,EAAE,CAAC,IAAI;oBACb,MAAM;oBACN,UAAU;oBACV,SAAS;iBACV;aACF;SACF,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,iBAAiB,CACxB,MAAiB,EACjB,WAAwC,EACxC,WAA4B;IAE5B,IAAI,MAAM,CAAC,oBAAoB,KAAK,KAAK;QAAE,OAAO,WAAW,CAAC;IAC9D,MAAM,QAAQ,GAAG,uBAAuB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAC9D,MAAM,MAAM,GAAgC,EAAE,GAAG,QAAQ,EAAE,CAAC;IAC5D,wDAAwD;IACxD,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QACxD,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;IACvB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAC1B,KAAyB,EACzB,WAA4B;IAE5B,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,IAAI,CAAC;QACH,IAAI,WAAW,EAAE,MAAM,EAAE,CAAC;YACxB,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,IAAI,wBAAwB,EAAE,CAAC;YACpE,MAAM,OAAO,GAAG,GAAG,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,QAAQ,GAAG,CAAC;YACxE,MAAM,aAAa,GACjB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;gBAClD,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;gBAC7B,CAAC,CAAC,OAAO,CAAC;YACd,OAAO,IAAI,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC;QAC9C,CAAC;QACD,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,MAAiB,EAAE,WAA4B;IACpE,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACvE,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK;QACxB,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACb,MAAM,GAAG,GAAG,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;QACvD,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO;YACL,GAAG;YACH,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpD,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7C,CAAC;IACJ,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,IAAI,EAAoC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACrE,OAAO;QACL,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,OAAO;QAClC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE;YAC5B,CAAC,CAAC,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,EAAE;YAC5C,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACrC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,KAAyB,EAAE,QAAgB;IAChE,MAAM,UAAU,GAAG,CAAC,KAAK,IAAI,QAAQ,CAAC;SACnC,IAAI,EAAE;SACN,WAAW,EAAE;SACb,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC;SAC9B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC3B,OAAO,UAAU,IAAI,QAAQ,CAAC;AAChC,CAAC;AAED,2EAA2E;AAC3E,2EAA2E;AAC3E,MAAM,8BAA8B,GAAG,WAAW,CAAC;AAEnD,SAAS,sBAAsB,CAAC,MAAiB,EAAE,UAAkB;IACnE,MAAM,GAAG,GAAG,aAAa,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACvE,MAAM,MAAM,GAAG,aAAa,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACjD,OAAO,QAAQ,GAAG,IAAI,MAAM,EAAE,CAAC;AACjC,CAAC;AAED,SAAS,wBAAwB,CAC/B,MAAc;IAEd,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC1B,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,aAAa,GAAG,IAAI,8BAA8B,EAAE,CAAC;IAC3D,IAAI,YAAoB,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAClD,MAAM,CAAC,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC;YAC1C,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,aAAa,CAAC;YAC9C,CAAC,CAAC,GAAG,IAAI,GAAG,aAAa,EAAE,CAAC;QAC9B,YAAY,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO;QACL,GAAG,EAAE,YAAY;QACjB,GAAG,CAAC,YAAY,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACvD,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,GAAW;IAC7C,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ;aAC9B,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;aACpB,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;QACjC,OAAO,MAAM,CAAC,QAAQ,EAAE,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,kCAAkC,CAAC,GAAY;IACtD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACzC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9C,OAAO,CACL,0BAA0B,CAAC,OAAO,CAAC;QACnC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,2BAA2B,EAAE,EAAE,CAAC,CACtE,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAC/B,WAAuC,EACvC,YAAqB;IAErB,IAAI,OAAO,YAAY,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACnD,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC;IACtC,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAC/C,IAAI,WAAW,CAAC,UAAU,EAAE,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,aAAa,GAAG,kCAAkC,CAAC,SAAS,CAAC,CAAC;IACpE,MAAM,WAAW,GAAG,kCAAkC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACxE,OAAO,OAAO,CAAC,aAAa,IAAI,WAAW,IAAI,aAAa,KAAK,WAAW,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,oBAAoB,CAC3B,MAAiB,EACjB,UAAkB,EAClB,KAAkB;IAElB,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC;IACxC,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,OAAO,GACX,QAAQ,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,sBAAsB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACrE,OAAO,wBAAwB,CAAC,OAAO,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,0BAA0B,CACjC,OAA6B,EAC7B,WAA4B;IAE5B,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,MAAM,MAAM,GAAG,WAAW,EAAE,MAAM,CAAC;IACnC,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE,CAChC,MAAM,KAAK,iCAAiC,IAAI,MAAM;QACpD,CAAC,CAAC,CAAC,MAAM,CAAC;QACV,CAAC,CAAC,CAAC,MAAM,CAAC,CACb,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CACtB,SAAsC,EACtC,WAA4B;IAE5B,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAC;IACjC,MAAM,GAAG,GAA6B,EAAE,CAAC;IACzC,MAAM,cAAc,GAAG,0BAA0B,CAC/C,SAAS,CAAC,cAAc,EACxB,WAAW,CACZ,CAAC;IACF,MAAM,eAAe,GAAG,0BAA0B,CAChD,SAAS,CAAC,eAAe,EACzB,WAAW,CACZ,CAAC;IACF,MAAM,YAAY,GAAG,0BAA0B,CAC7C,SAAS,CAAC,YAAY,EACtB,WAAW,CACZ,CAAC;IACF,IAAI,cAAc,EAAE,MAAM;QAAE,GAAG,CAAC,eAAe,GAAG,cAAc,CAAC;IACjE,IAAI,eAAe,EAAE,MAAM;QAAE,GAAG,CAAC,gBAAgB,GAAG,eAAe,CAAC;IACpE,IAAI,YAAY,EAAE,MAAM;QAAE,GAAG,CAAC,aAAa,GAAG,YAAY,CAAC;IAC3D,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;AACvD,CAAC;AAED,SAAS,YAAY,CACnB,QAAoC,EACpC,WAAwC,EACxC,WAA4B,EAC5B,WAAoB;IAEpB,MAAM,IAAI,GACR,QAAQ,CAAC,KAAK,IAAI,OAAO,QAAQ,CAAC,KAAK,KAAK,QAAQ;QAClD,CAAC,CAAC,EAAE,GAAG,QAAQ,CAAC,KAAK,EAAE;QACvB,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,UAAU,GACd,IAAI,CAAC,EAAE,IAAI,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/D,CAAC,CAAE,IAAI,CAAC,EAA8B;QACtC,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,EAAE,GAA4B,EAAE,GAAG,UAAU,EAAE,CAAC;IACtD,OAAO,EAAE,CAAC,MAAM,CAAC;IACjB,IAAI,WAAW,EAAE,CAAC;QAChB,EAAE,CAAC,GAAG,GAAG;YACP,GAAG,WAAW;YACd,cAAc,EAAE,0BAA0B,CACxC,WAAW,CAAC,cAAc,EAC1B,WAAW,CACZ;YACD,eAAe,EAAE,0BAA0B,CACzC,WAAW,CAAC,eAAe,EAC3B,WAAW,CACZ;YACD,YAAY,EAAE,0BAA0B,CACtC,WAAW,CAAC,YAAY,EACxB,WAAW,CACZ;YACD,cAAc,EAAE,0BAA0B,CACxC,WAAW,CAAC,cAAc,EAC1B,WAAW,CACZ;SACF,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,WAAW;QAAE,EAAE,CAAC,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;IAChE,MAAM,kBAAkB,GACtB,wBAAwB,CAAC,QAAQ,CAAC,MAAM,CAAC;QACzC,wBAAwB,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,kBAAkB;QAAE,EAAE,CAAC,MAAM,GAAG,kBAAkB,CAAC;IACvD,MAAM,kBAAkB,GACtB,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC7B,YAAY,CAAC,EAAE,CAAC,MAAM,CAAC;QACvB,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC;QAC/B,YAAY,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACpC,IAAI,OAAO,QAAQ,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QAChD,EAAE,CAAC,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC;IAC5C,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;IAC7C,IAAI,WAAW,IAAI,IAAI,CAAC,0BAA0B,CAAC,IAAI,IAAI,EAAE,CAAC;QAC5D,IAAI,CAAC,0BAA0B,CAAC,GAAG,WAAW,CAAC;IACjD,CAAC;IACD,IACE,OAAO,QAAQ,CAAC,aAAa,KAAK,SAAS;QAC3C,IAAI,CAAC,4BAA4B,CAAC,IAAI,IAAI,EAC1C,CAAC;QACD,IAAI,CAAC,4BAA4B,CAAC,GAAG,QAAQ,CAAC,aAAa,CAAC;IAC9D,CAAC;IACD,MAAM,SAAS,GAAG,eAAe,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IAC5D,IAAI,SAAS,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,IAAI,EAAE,CAAC;QAClD,IAAI,CAAC,kBAAkB,CAAC,GAAG,SAAS,CAAC;IACvC,CAAC;IACD,IAAI,kBAAkB,IAAI,IAAI,CAAC,qBAAqB,CAAC,IAAI,IAAI,EAAE,CAAC;QAC9D,IAAI,CAAC,qBAAqB,CAAC,GAAG,kBAAkB,CAAC;IACnD,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,QAAoC,EACpC,GAA0B;IAE1B,IAAI,CAAC,QAAQ,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IACpC,OAAO,OAAO,QAAQ,CAAC,GAAG,KAAK,UAAU;QACvC,CAAC,CAAC,MAAM,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;QACzB,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,MAAiB,EACjB,UAAkB,EAClB,KAAkB,EAClB,WAA4B;IAE5B,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC;IACxC,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,WAAW,GAAG,oBAAoB,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;IACpE,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,IAAI,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;IACnE,MAAM,WAAW,GAAG,MAAM,gBAAgB,CAAC,QAAQ,EAAE;QACnD,UAAU;QACV,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,aAAa,EAAE,WAAW,EAAE,MAAM;KACnC,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,YAAY,CAC/B,QAAQ,EACR,WAAW,EACX,WAAW,EACX,WAAW,CACZ,CAAC;IACF,OAAO;QACL,GAAG,EAAE,WAAW,CAAC,GAAG;QACpB,GAAG,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACzE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,UAAU;QACzC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACpD,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvC,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,iBAAiB;QAChD,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,2BAA2B,CACxC,MAAiB,EACjB,UAAkB,EAClB,KAAkB,EAClB,WAA4B;IAE5B,IAAI,CAAC;QACH,OAAO,MAAM,qBAAqB,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC;IAC7E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CACV,+CAA+C,UAAU,+CAA+C,EACxG,KAAK,CACN,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,MAAiB,EACjB,OAAoC,EACpC,WAA4B;IAE5B,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CACjC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAC5C,2BAA2B,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,CAAC,CAC9D,CACF,CAAC;IACF,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAsC,EAAE,CACvE,OAAO,CAAC,QAAQ,CAAC,CAClB,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CACvB,QAAgC,EAChC,UAAkB,EAClB,MAAiB,EACjB,WAA4B;IAE5B,IAAI,OAAO,QAAQ,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QACxC,OAAO,QAAQ,CAAC,IAAI,CAAC;YACnB,UAAU;YACV,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,aAAa,EAAE,WAAW,EAAE,MAAM;SACnC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,QAAQ,CAAC,IAAI,CAAC;AACvB,CAAC;AAED,SAAS,wBAAwB,CAC/B,QAAgC;IAEhC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,IAAI,CAAC;IAC9C,MAAM,SAAS,GAAG,cAAc,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACvE,OAAO;QACL,uBAAuB,EAAE,QAAQ,CAAC,GAAG;QACrC,gCAAgC,EAAE,WAAW,KAAK,EAAE;QACpD,+BAA+B,EAAE,GAAG,KAAK,QAAQ;QACjD,yBAAyB,EAAE,IAAI;QAC/B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC;YACnC,CAAC,CAAC,EAAE,kBAAkB,EAAE,SAAS,EAAE;YACnC,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAC3B,QAAgC;IAEhC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,IAAI,CAAC;IAC9C,MAAM,SAAS,GAAG,cAAc,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACvE,OAAO;QACL,uBAAuB,EAAE,QAAQ,CAAC,GAAG;QACrC,gCAAgC,EAAE,WAAW,KAAK,EAAE;QACpD,+BAA+B,EAAE,GAAG,KAAK,QAAQ;QACjD,yBAAyB,EAAE,IAAI;QAC/B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC;YACnC,CAAC,CAAC,EAAE,kBAAkB,EAAE,SAAS,EAAE;YACnC,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CACvB,QAAgC,EAChC,UAAmB;IAEnB,OAAO;QACL,WAAW,EAAE,QAAQ,CAAC,GAAG;QACzB,UAAU,EAAE,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC;KACtE,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ;QACzB,OAAO,KAAK,KAAK,QAAQ;QACzB,OAAO,KAAK,KAAK,SAAS,CAC3B,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAC9B,MAAe,EACf,IAAyC;IAEzC,MAAM,GAAG,GACP,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAC5D,CAAC,CAAC,EAAE,GAAI,MAAkC,EAAE;QAC5C,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC;YACtB,CAAC,CAAC,EAAE,MAAM,EAAE;YACZ,CAAC,CAAC,EAAE,CAAC;IACX,KAAK,MAAM,GAAG,IAAI,CAAC,eAAe,EAAE,UAAU,CAAC,EAAE,CAAC;QAChD,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,eAAe,CAAC,KAAK,CAAC;YAAE,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5D,OAAO,GAAG,CAAC,GAAG,CAAC;IACjB,CAAC;IACD,6EAA6E;IAC7E,2EAA2E;IAC3E,6EAA6E;IAC7E,6EAA6E;IAC7E,uEAAuE;IACvE,KAAK,MAAM,GAAG,IAAI;QAChB,iBAAiB;QACjB,gBAAgB;QAChB,QAAQ;QACR,aAAa;KACd,EAAE,CAAC;QACF,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;IAClB,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,IAAI,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,EAAE,CAAC,uBAAuB,CAAC,CAAC;IACjD,IAAI,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzE,MAAM,MAAM,GAAI,QAAoC,CAAC,MAAM,CAAC;QAC5D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1D,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QAC9D,CAAC;QACD,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACxB,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,GAAG;YAAE,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC;IAC/D,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AAC9D,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa,EAAE,GAAG,GAAG,IAAI;IACjD,IAAI,KAAK,CAAC,MAAM,IAAI,GAAG;QAAE,OAAO,KAAK,CAAC;IACtC,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC;AACvC,CAAC;AAED,SAAS,qBAAqB,CAC5B,IAAY,EACZ,MAAe,EACf,iBAA0C;IAE1C,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC;IAC1C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QAClD,OAAO,gBAAgB,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,KAAK,GAAG,iBAAiB,CAAC,KAAK,IAAI,iBAAiB,CAAC,IAAI,CAAC;IAChE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;QAC9C,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,YAAY,CAAC;IACrC,CAAC;IACD,MAAM,EAAE,GAAG,iBAAiB,CAAC,EAAE,CAAC;IAChC,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC;QACxC,OAAO,GAAG,IAAI,kBAAkB,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC;IAC/C,CAAC;IACD,OAAO,GAAG,IAAI,aAAa,CAAC;AAC9B,CAAC;AAED,8EAA8E;AAC9E,mEAAmE;AACnE,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,MAAiB,EACjB,QAAuC,EACvC,WAA4B;IAE5B,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;IAC7E,MAAM,EACJ,sBAAsB,EACtB,qBAAqB,EACrB,0BAA0B,EAC1B,yBAAyB,EACzB,kCAAkC,GACnC,GAAG,MAAM,MAAM,CAAC,oCAAoC,CAAC,CAAC;IAEvD,uEAAuE;IACvE,0EAA0E;IAC1E,8DAA8D;IAC9D,4EAA4E;IAC5E,6EAA6E;IAC7E,2EAA2E;IAC3E,yEAAyE;IACzE,sBAAsB;IACtB,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,IAAI,EAAE,CAAC;IAClE,MAAM,iBAAiB,GACrB,QAAQ;QACR,CAAC,YAAY;YACX,CAAC,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE;YACnD,CAAC,CAAC,SAAS,CAAC,CAAC;IAEjB,0EAA0E;IAC1E,yEAAyE;IACzE,yEAAyE;IACzE,wEAAwE;IACxE,wEAAwE;IACxE,wEAAwE;IACxE,yEAAyE;IACzE,YAAY;IACZ,MAAM,cAAc,GAAG,WAAW,EAAE,WAAW,KAAK,IAAI,IAAI,CAAC,CAAC,YAAY,CAAC;IAC3E,MAAM,WAAW,GACf,cAAc,IAAI,MAAM,CAAC,iBAAiB;QACxC,CAAC,CAAC,MAAM,CAAC,iBAAiB;QAC1B,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;IACrB,MAAM,OAAO,GAAG,iBAAiB,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;IACpE,MAAM,cAAc,GAAG,MAAM,CAAC,WAAW,CACvC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAC3C,4BAA4B,CAAC,KAAK,EAAE,iBAAiB,EAAE,WAAW,CAAC,CACpE,CACF,CAAC;IACF,MAAM,oBAAoB,GAAG,gCAAgC,CAAC,WAAW,CAAC,CAAC;IAC3E,yEAAyE;IACzE,4EAA4E;IAC5E,2EAA2E;IAC3E,wEAAwE;IACxE,yEAAyE;IACzE,kCAAkC;IAClC,MAAM,oBAAoB,GAAG,CAAC,oBAAoB,CAAC;IACnD,MAAM,gCAAgC,GAAG,oBAAoB;QAC3D,CAAC,CAAC,MAAM,CAAC,WAAW,CAChB,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CACtD,wCAAwC,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,CAC9D,CACF;QACH,CAAC,CAAC,cAAc,CAAC;IACnB,2EAA2E;IAC3E,6EAA6E;IAC7E,4EAA4E;IAC5E,+EAA+E;IAC/E,yEAAyE;IACzE,kEAAkE;IAClE,qDAAqD;IACrD,MAAM,sBAAsB,GAC1B,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC;QACtC,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC;QAClC,CAAC,oBAAoB,CAAC;IACxB,4EAA4E;IAC5E,2EAA2E;IAC3E,8EAA8E;IAC9E,uFAAuF;IACvF,gEAAgE;IAChE,MAAM,iBAAiB,GAAG,sBAAsB;QAC9C,CAAC,CAAC,MAAM,CAAC,WAAW,CAChB,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAC/C,0BAA0B,CAAC,IAAI,EAAE,MAAM,CAAC,CACzC,CACF;QACH,CAAC,CAAC,gCAAgC,CAAC;IACrC,IAAI,oBAAoB,EAAE,CAAC;QACzB,qBAAqB,CAAC,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAAC,CAAC;IAC/D,CAAC;IACD,MAAM,eAAe,GACnB,oBAAoB;QACpB,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAC9C,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAChC,CAAC;IACJ,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE;QAC5D,YAAY,EAAE;YACZ,KAAK,EAAE,EAAE;YACT,GAAG,CAAC,eAAe;gBACjB,CAAC,CAAC;oBACE,SAAS,EAAE,EAAE;oBACb,UAAU,EAAE;wBACV,CAAC,oBAAoB,CAAC,EAAE;4BACtB,SAAS,EAAE,CAAC,iBAAiB,CAAC;yBAC/B;qBACF;iBACF;gBACH,CAAC,CAAC,EAAE,CAAC;SACR;KACF,CAAC,CAAC;IAEH,qEAAqE;IACrE,wEAAwE;IACxE,sEAAsE;IACtE,qEAAqE;IACrE,wCAAwC;IACxC,MAAM,YAAY,GAAG,iBAAiB,EAAE,KAAK;QAC3C,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,iBAAiB,CAAC,KAAK,CAAC;QAC1C,CAAC,CAAC,sBAAsB,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAEzD;;;;;;;;;;OAUG;IACH,KAAK,UAAU,iBAAiB,CAAI,EAAoB;QACtD,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC;QACjC,OAAO,qBAAqB,CAC1B;YACE,SAAS,EAAE,iBAAiB,EAAE,SAAS;YACvC,KAAK;YACL,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtE,EACD,EAAE,CACW,CAAC;IAClB,CAAC;IAED,wEAAwE;IACxE,wEAAwE;IACxE,8BAA8B;IAC9B,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QAC1D,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;YAClC,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAC7B,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE;gBAC5D,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC,IAAI,KAAK,UAAU,CAAC;gBACjD,MAAM,cAAc,GAAG,MAAM,2BAA2B,CACtD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,WAAW,CACZ,CAAC;gBACF,MAAM,WAAW,GACd,KAAK,CAAC,IAAY,CAAC,KAAK;oBACzB,OAAQ,KAAK,CAAC,IAAY,CAAC,KAAK,KAAK,QAAQ;oBAC7C,CAAC,KAAK,CAAC,OAAO,CAAE,KAAK,CAAC,IAAY,CAAC,KAAK,CAAC;oBACvC,CAAC,CAAC,EAAE,GAAK,KAAK,CAAC,IAAY,CAAC,KAAiC,EAAE;oBAC/D,CAAC,CAAC,EAAE,CAAC;gBACT,MAAM,QAAQ,GAAG;oBACf,GAAG,WAAW;oBACd,GAAG,CAAC,cAAc;wBAChB,CAAC,CAAC;4BACE,GAAG,wBAAwB,CAAC,cAAc,CAAC;4BAC3C,CAAC,6BAA6B,CAAC,EAAE,cAAc,CAAC,GAAG;4BACnD,EAAE,EAAE,gBAAgB,CAClB,cAAc,EACd,KAAK,CAAC,MAAM,EAAE,UAAU;gCACtB,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,UAAU,CAC5C;yBACF;wBACH,CAAC,CAAC,EAAE,CAAC;iBACR,CAAC;gBACF,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC;gBACvD,MAAM,WAAW,GAA4B;oBAC3C,YAAY,EAAE,KAAK,CAAC,QAAQ,KAAK,IAAI;oBACrC,eAAe,EAAE,KAAK,CAAC,WAAW,EAAE,eAAe,KAAK,IAAI;oBAC5D,aAAa,EAAE,KAAK;iBACrB,CAAC;gBACF,IAAI,OAAO;oBAAE,WAAW,CAAC,+BAA+B,CAAC,GAAG,IAAI,CAAC;gBACjE,OAAO;oBACL,IAAI;oBACJ,WAAW,EAAE,OAAO;wBAClB,CAAC,CAAC,GAAG,eAAe,sEAAsE;wBAC1F,CAAC,CAAC,eAAe;oBACnB,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI;wBACpC,IAAI,EAAE,QAAiB;wBACvB,UAAU,EAAE,EAAE;qBACf;oBACD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAChE,WAAW;iBACZ,CAAC;YACJ,CAAC,CAAC,CACH,CAAC;YAEF,IACE,CAAC,oBAAoB;gBACrB,CAAC,sBAAsB;gBACvB,MAAM,CAAC,QAAQ;gBACf,gBAAgB,CAAC,iBAAiB,EAAE,WAAW,EAAE,WAAW,CAAC,EAC7D,CAAC;gBACD,KAAK,CAAC,IAAI,CAAC;oBACT,IAAI,EAAE,WAAW;oBACjB,WAAW,EACT,4EAA4E;wBAC5E,4EAA4E;wBAC5E,iCAAiC;oBACnC,WAAW,EAAE;wBACX,IAAI,EAAE,QAAiB;wBACvB,UAAU,EAAE;4BACV,OAAO,EAAE;gCACP,IAAI,EAAE,QAAQ;gCACd,WAAW,EAAE,kCAAkC;6BAChD;yBACF;wBACD,QAAQ,EAAE,CAAC,SAAS,CAAC;qBACtB;oBACD,WAAW,EAAE;wBACX,YAAY,EAAE,KAAK;wBACnB,eAAe,EAAE,KAAK;wBACtB,aAAa,EAAE,KAAK;qBACrB;iBACF,CAAC,CAAC;YACL,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,wEAAwE;IACxE,uEAAuE;IACvE,iEAAiE;IACjE,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QACrE,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;YAClC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;YAEjD,IAAI,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAC5C,IAAI,oBAAoB,IAAI,sBAAsB,EAAE,CAAC;oBACnD,OAAO;wBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC;wBAC1D,OAAO,EAAE,IAAI;qBACd,CAAC;gBACJ,CAAC;gBACD,IAAI,CAAC,gBAAgB,CAAC,iBAAiB,EAAE,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;oBACnE,OAAO;wBACL,OAAO,EAAE;4BACP;gCACE,IAAI,EAAE,MAAM;gCACZ,IAAI,EAAE,iDAAiD;6BACxD;yBACF;wBACD,OAAO,EAAE,IAAI;qBACd,CAAC;gBACJ,CAAC;gBACD,MAAM,OAAO,GAAG,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC;gBACpC,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAC9C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;gBACvD,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,OAAO;wBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;wBAC1D,OAAO,EAAE,IAAI;qBACd,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,6EAA6E;YAC7E,wEAAwE;YACxE,yDAAyD;YACzD,MAAM,eAAe,GACnB,oBAAoB,IAAI,sBAAsB;gBAC5C,CAAC,CAAC,iBAAiB;gBACnB,CAAC,CAAC,OAAO,CAAC;YACd,MAAM,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;YACpC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC;oBAC1D,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YACD,IACE,CAAC,4BAA4B,CAAC,KAAK,EAAE,iBAAiB,EAAE,WAAW,CAAC,EACpE,CAAC;gBACD,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE,8CAA8C,IAAI,EAAE;yBAC3D;qBACF;oBACD,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YAED,IAAI,CAAC;gBACH,mEAAmE;gBACnE,kEAAkE;gBAClE,6DAA6D;gBAC7D,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,CAAE,IAA+B,IAAI,EAAE,EAAE;oBACrE,SAAS,EAAE,mBAAmB,EAAE;oBAChC,KAAK,EAAE,eAAe,EAAE,IAAI,IAAI;oBAChC,MAAM,EAAE,KAAK;iBACd,CAAC,CAAC;gBACH,MAAM,SAAS,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC5D,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC;gBACrD,MAAM,eAAe,GAAG,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC;gBAC5D,MAAM,gBAAgB,GACpB,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,SAAS,CAAC,GAAG;oBACf,OAAO,SAAS,CAAC,GAAG,KAAK,QAAQ;oBAChC,SAAS,CAAC,GAA+B,CAAC,OAAO,KAAK,IAAI,CAAC;gBAC9D,MAAM,cAAc,GAAG,MAAM,2BAA2B,CACtD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,WAAW,CACZ,CAAC;gBACF,MAAM,kBAAkB,GAAG,cAAc;oBACvC,CAAC,CAAC,MAAM,gCAAgC,CAAC,SAAS,EAAE,WAAW,CAAC;oBAChE,CAAC,CAAC,SAAS,CAAC;gBACd,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,kBAAkB,CACzC,KAAK,EACJ,IAA4B,IAAI,EAAE,EACnC,kBAAkB,EAClB,WAAW,CACZ,CAAC;gBACF,MAAM,YAAY,GAA4B;oBAC5C,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;oBAChB,GAAG,CAAC,cAAc;wBAChB,CAAC,CAAC,uBAAuB,CACrB,kBAAkB,EAClB,cAAc,EACd,WAAW,CACZ;wBACH,CAAC,CAAC,EAAE,CAAC;oBACP,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,oBAAoB,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;iBAChE,CAAC;gBACF,MAAM,UAAU,GAAG,cAAc,CAAE,KAAK,CAAC,IAAY,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACjE,MAAM,cAAc,GAAG,UAAU,CAAC,UAAU,CAAC;gBAC7C,MAAM,mBAAmB,GACvB,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC;oBAC7B,cAAc,CAAC,MAAM,GAAG,CAAC;oBACzB,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC;gBAC3C,MAAM,iBAAiB,GAAG,cAAc;oBACtC,CAAC,CAAC,uBAAuB,CAAC,kBAAkB,EAAE,YAAY,CAAC;oBAC3D,CAAC,CAAC,mBAAmB;wBACjB,SAAS;wBACT,OAAO,SAAS,KAAK,QAAQ;wBAC7B,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;wBAC3B,CAAC,CAAE,SAAqC;wBACxC,CAAC,CAAC,SAAS,CAAC;gBAChB,MAAM,IAAI,GAAG,cAAc;oBACzB,CAAC,CAAC,qBAAqB,CAAC,IAAI,EAAE,eAAe,EAAE,iBAAkB,CAAC;oBAClE,CAAC,CAAC,OAAO,eAAe,KAAK,QAAQ;wBACnC,CAAC,CAAE,mBAAmB,CAAC,eAAe,CAAY;wBAClD,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,mBAAmB,CAAC,eAAe,CAAC,CAAC,CAAC;gBAC3D,MAAM,OAAO,GAAU,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;gBAChD,IAAI,KAAK;oBAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAC/B,OAAO;oBACL,OAAO;oBACP,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC9C,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACnD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,GAAG,CAAC;wBACtC,CAAC,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE;wBACzB,CAAC,CAAC,EAAE,CAAC;iBACR,CAAC;YACJ,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC1D,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAI,eAAe,EAAE,CAAC;QACpB,MAAM,CAAC,iBAAiB,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;YAC9D,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;gBAClC,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAC9C,MAAM,EACN,iBAAiB,EACjB,WAAW,CACZ,CAAC;gBACF,OAAO;oBACL,SAAS,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;wBAC5C,GAAG,EAAE,QAAQ,CAAC,GAAG;wBACjB,IAAI,EAAE,QAAQ,CAAC,IAAI;wBACnB,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpD,GAAG,CAAC,QAAQ,CAAC,WAAW;4BACtB,CAAC,CAAC,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE;4BACvC,CAAC,CAAC,EAAE,CAAC;wBACP,QAAQ,EAAE,QAAQ,CAAC,QAAQ;wBAC3B,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBACrD,CAAC,CAAC;iBACJ,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,iBAAiB,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YACtE,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;gBAClC,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAC9C,MAAM,EACN,iBAAiB,EACjB,WAAW,CACZ,CAAC;gBACF,OAAO;oBACL,iBAAiB,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;wBACpD,WAAW,EAAE,QAAQ,CAAC,GAAG;wBACzB,IAAI,EAAE,QAAQ,CAAC,IAAI;wBACnB,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpD,GAAG,CAAC,QAAQ,CAAC,WAAW;4BACtB,CAAC,CAAC,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE;4BACvC,CAAC,CAAC,EAAE,CAAC;wBACP,QAAQ,EAAE,QAAQ,CAAC,QAAQ;wBAC3B,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBACrD,CAAC,CAAC;iBACJ,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,iBAAiB,CACtB,yBAAyB,EACzB,KAAK,EAAE,OAAY,EAAE,EAAE;YACrB,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;gBAClC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;gBAChC,IAAI,KAAK,GAGE,IAAI,CAAC;gBAChB,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC9D,MAAM,WAAW,GAAG,oBAAoB,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;oBAC9D,IAAI,CAAC,WAAW,IAAI,CAAC,wBAAwB,CAAC,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;wBAChE,SAAS;oBACX,CAAC;oBACD,MAAM,QAAQ,GAAG,MAAM,2BAA2B,CAChD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,WAAW,CACZ,CAAC;oBACF,IAAI,QAAQ,EAAE,CAAC;wBACb,KAAK,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;wBACvC,MAAM;oBACR,CAAC;oBACD,oEAAoE;oBACpE,8DAA8D;oBAC9D,kDAAkD;gBACpD,CAAC;gBACD,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,EAAE,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO;oBACL,QAAQ,EAAE;wBACR;4BACE,GAAG;4BACH,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,QAAQ;4BACjC,IAAI,EAAE,gBAAgB,CACpB,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,UAAU,EAChB,MAAM,EACN,WAAW,CACZ;4BACD,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK;gCACtB,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,KAAK,EAAE;gCACjC,CAAC,CAAC,EAAE,CAAC;yBACR;qBACF;iBACF,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CACF,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,6EAA6E;AAC7E,gFAAgF;AAChF,8EAA8E;AAE9E,MAAM,UAAU,eAAe;IAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACxC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,MAAM;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,IAAI,CACT,GAAG,KAAK;aACL,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC,CACnB,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,SAAS,yBAAyB,CAChC,gBAAoC;IAEpC,MAAM,KAAK,GACT,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,IAAI,EAAE;QAC5C,CAAC,OAAO,gBAAgB,KAAK,QAAQ,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;QACjE,EAAE,CAAC;IACL,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,UAA8B;IAE9B,IAAI,CAAC,UAAU;QAAE,OAAO,SAAS,CAAC;IAClC,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;IACzD,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACzC,CAAC;AAED,SAAS,kBAAkB,CACzB,UAAoB,EACpB,MAAiC;IAEjC,MAAM,OAAO,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO;IACrD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,KAAa;IAEb,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,iBAAiB,GAAmC,IAAI,CAAC;IAC7D,IAAI,CAAC;QACH,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAA4B,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAE7D,MAAM,SAAS,GACb,OAAO,iBAAiB,CAAC,UAAU,KAAK,QAAQ;QAC9C,CAAC,CAAC,iBAAiB,CAAC,UAAU;QAC9B,CAAC,CAAC,SAAS,CAAC;IAChB,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,kBAAkB,CAChB,gBAAgB,EAChB,MAAM,oBAAoB,CAAC,SAAS,CAAC,CACtC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,0EAA0E;QAC5E,CAAC;IACH,CAAC;IAED,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CACjC,CAAC;YACF,OAAO,OAAkC,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,gEAAgE;QAClE,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,GAAuB;IAEvB,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAC5E,IAAI,MAAM,YAAY,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAC1C,uDAAuD;QACvD,KAAK,cAAc,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,2EAA2E;QAC3E,4CAA4C;IAC9C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAA8B,EAC9B,gBAAqC,EACrC,UAAuE,EAAE;IAqBzE,oEAAoE;IACpE,yEAAyE;IACzE,0EAA0E;IAC1E,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC;IACtD,MAAM,KAAK,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;IACzC,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,aAAa,GAAG,MAAM,yBAAyB,CACnD,KAAK,EACL,OAAO,CAAC,WAAW,CACpB,CAAC;QACF,IAAI,aAAa,EAAE,CAAC;YAClB,IACE,aAAa,CAAC,QAAQ,KAAK,2BAA2B;gBACtD,CAAC,CAAC,MAAM,qBAAqB,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,EACjD,CAAC;gBACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YAC3B,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE;oBACR,SAAS,EAAE,aAAa,CAAC,SAAS;oBAClC,GAAG,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,aAAa,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC9D,SAAS,EAAE,aAAa,CAAC,SAAS;oBAClC,WAAW,EAAE,aAAa,CAAC,MAAM;oBACjC,aAAa,EAAE,aAAa,CAAC,QAAQ;iBACtC;gBACD,WAAW,EAAE,IAAI;gBACjB,+DAA+D;gBAC/D,oEAAoE;gBACpE,WAAW,EAAE,aAAa,CAAC,YAAY,KAAK,MAAM;aACnD,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,KAAK,EAAE,CAAC;QACzD,IAAI,OAAO,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;YACnC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,yBAAyB,CAAC,gBAAgB,CAAC;YACrD,uEAAuE;YACvE,sEAAsE;YACtE,uEAAuE;YACvE,iDAAiD;YACjD,WAAW,EAAE,CAAC,CAAC,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;SAC7D,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAErC,wEAAwE;IACxE,uDAAuD;IACvD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAChD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,UAAU,GACd,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAChE,IAAI,UAAU,IAAI,UAAU,KAAK,iBAAiB,EAAE,CAAC;YACnD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QAED,uEAAuE;QACvE,mEAAmE;QACnE,sEAAsE;QACtE,uDAAuD;QACvD,mEAAmE;QACnE,kDAAkD;QAClD,IAAI,UAAU,KAAK,iBAAiB,EAAE,CAAC;YACrC,IAAI,CAAC,CAAC,MAAM,qBAAqB,CAAC,OAAO,CAAC,GAAyB,CAAC,CAAC,EAAE,CAAC;gBACtE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YAC3B,CAAC;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE;gBACR,SAAS,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;gBACpE,sEAAsE;gBACtE,iEAAiE;gBACjE,kEAAkE;gBAClE,qEAAqE;gBACrE,GAAG,CAAC,OAAO,OAAO,CAAC,MAAM,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM;oBACtD,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,MAAgB,EAAE;oBACrC,CAAC,CAAC,EAAE,CAAC;gBACP,SAAS,EACP,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ;oBACpC,CAAC,CAAE,OAAO,CAAC,UAAqB;oBAChC,CAAC,CAAC,SAAS;aAChB;YACD,mEAAmE;YACnE,WAAW,EAAE,IAAI;YACjB,sEAAsE;YACtE,uEAAuE;YACvE,kDAAkD;YAClD,WAAW,EAAE,OAAO,CAAC,aAAa,KAAK,MAAM;SAC9C,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QAC/C,IAAI,OAAO,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;YACnC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,yBAAyB,CAAC,gBAAgB,CAAC;YACrD,WAAW,EAAE,CAAC,CAAC,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;SAC7D,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,uEAAuE;IACvE,uEAAuE;IACvE,yEAAyE;IACzE,0EAA0E;IAC1E,4EAA4E;IAC5E,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACxD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,EAAE;YAC/C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YACjD,OAAO,CACL,QAAQ,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;gBACpC,eAAe,CAAC,QAAQ,EAAE,SAAS,CAAC,CACrC,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE,yBAAyB,CAAC,gBAAgB,CAAC;gBACrD,qDAAqD;gBACrD,WAAW,EAAE,IAAI;aAClB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,SAA6B;IAE7B,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;QACjE,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,CAAC;QAChD,OAAO,GAAG,EAAE,KAAK,IAAI,SAAS,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC","sourcesContent":["/*\n Shared MCP server builder.\n \n Extracted from `server.ts` so the stateless Streamable-HTTP mount\n * (`mountMCP`) and the stdio transport (`runMCPStdio --standalone`) build the\n * same MCP server from the same `ActionEntry` registry. Both surfaces:\n \n - expose every action as an MCP tool (+ the `ask-agent` meta-tool),\n * - append the framework deep-link block / `_meta` to every tool result,\n * - wrap `run()` / `askAgent()` in `runWithRequestContext` so per-user /\n * per-org scoping (accessFilter, resolveCredential, MCP visibility) is\n * honoured.\n \n `server.ts` re-exports `createMCPServerForRequest` and the auth helpers so\n * any (future) external importer of `@agent-native/core/mcp` keeps resolving.\n \n Node-only at the SDK level, but this module itself has no Node-only imports\n * — it can be bundled into the serverless function alongside `mountMCP`.\n /\n\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport { isMcpActionResult } from \"../mcp-client/app-result.js\";\nimport {\n MCP_APP_EXTENSION_ID,\n MCP_APP_MIME_TYPE,\n MCP_APP_RESOURCE_URI_META_KEY,\n type ActionMcpAppCsp,\n type ActionMcpAppResourceConfig,\n} from \"../action.js\";\nimport { MCP_APP_REQUEST_ORIGIN_CSP_SOURCE } from \"./embed-app.js\";\nimport {\n getRequestContext,\n getRequestOrgId,\n getRequestUserEmail,\n runWithRequestContext,\n} from \"../server/request-context.js\";\nimport {\n buildDeepLink,\n toAbsoluteOpenUrl,\n toDesktopOpenUrl,\n toVsCodeOpenUrl,\n} from \"../server/deep-link.js\";\nimport {\n isAgentNativeOpenDeepLink,\n withCollapsedAgentSidebarParam,\n} from \"../shared/agent-sidebar-url.js\";\nimport { MCP_APP_CHAT_BRIDGE_QUERY_PARAM } from \"../shared/embed-auth.js\";\nimport { getBuiltinCrossAppTools } from \"./builtin-tools.js\";\nimport {\n MCP_CONNECT_OAUTH_CLIENT_ID,\n MCP_CONNECT_SCOPE,\n} from \"./connect-store.js\";\nimport { getConfiguredAppBasePath } from \"../server/app-base-path.js\";\nimport {\n MCP_OAUTH_SCOPES,\n hasMcpOAuthScope,\n verifyMcpOAuthAccessToken,\n} from \"./oauth-token.js\";\n\nexport interface MCPConfig {\n /* App name shown in MCP server info /\n name: string;\n /* Optional human-facing app title shown by MCP hosts that support titles. /\n title?: string;\n /\n Canonical app id (directory under `apps/`, e.g. `mail`) this MCP server\n * is mounted for. Optional & back-compat: when omitted the builtin\n * cross-app tools fall back to lowercasing `name`. Used by `open_app` /\n * `ask_app` / `create_workspace_app` to tell \"this app\" from a cross-app\n * target so they resolve the target app's origin rather than echoing the\n * current request origin.\n /\n appId?: string;\n /* App description /\n description: string;\n /* Optional canonical website URL for hosts that surface MCP app details. /\n websiteUrl?: string;\n /* Optional app icons for MCP hosts that render server branding. /\n icons?: Array<{\n src: string;\n mimeType?: string;\n sizes?: string[];\n theme?: \"light\" \| \"dark\";\n }>;\n /* Version string (default \"1.0.0\") /\n version?: string;\n /* Action registry — same as agent chat and A2A /\n actions: Record<string, ActionEntry>;\n /\n Full (\"production\") action surface served to an *authenticated real\n caller** — a connect-minted token, an `agent-native mcp install` stdio\n * proxy (owner-email header / `AGENT_NATIVE_OWNER_EMAIL`), or a deployed /\n * `AGENT_MODE=production` app. In local dev `actions` is intentionally the\n * sparse, dev-toggled surface (builtins + read-only public-agent actions)\n * so the local agent chat and unauthenticated dev probes don't see every\n * mutating tool; but per the external-agents contract a real caller that\n * connected with a token MUST get the full surface even in dev. When unset\n * (production, where `actions` already IS the full set) the swap is a\n * no-op. See `external-agents` skill, \"Dev vs production tool surface\".\n /\n productionActions?: Record<string, ActionEntry>;\n /* Handler for the ask-agent meta-tool — runs the full agent loop /\n askAgent?: (message: string) => Promise<string>;\n /\n Disable the generic cross-app builtin tools (`list_apps`, `open_app`,\n * `ask_app`, `create_workspace_app`, `list_templates`). They are merged in\n * by default so external agents get a stable verb set; a template action of\n * the same name always wins (template precedence). Set to `false` only for\n * a constrained / locked-down mount.\n /\n builtinCrossAppTools?: boolean;\n /\n Curated allow-list of action names served to external connector clients\n * on a hosted multi-tenant deployment.\n \n Whenever this list is non-empty it is active by default for every\n * caller — hosted connectors, code/stdio clients, and the local CLI alike.\n * The MCP server trims both the advertised tool list and the callable\n * surface to exactly these names (plus any builtin cross-app tools such as\n * `list_apps` / `open_app`). Any tool call for a name not in the list is\n * rejected — it is not merely hidden. This prevents the ~105-tool full\n * catalog from landing in every external agent's context window and removes\n * footguns (db-exec, seed-, extension tools, browser-session tools, etc.)\n from connectors. It is no longer gated behind an environment variable, and\n * the catalog is never inferred from the client name/user-agent.\n \n `tool-search` stays available in the compact catalog so any trimmed tool is\n * reachable on demand. Callers who need the full surface up front opt in\n * explicitly with `agent-native connect --full-catalog` (embeds a\n * `catalog_scope: \"full\"` claim in the connect-minted JWT) or the\n * deployment-wide `AGENT_NATIVE_MCP_FULL_CATALOG=1` env override.\n \n Declare this in your template's `createAgentChatPlugin` options rather than\n * setting it on `MCPConfig` directly; the plugin copies it through.\n /\n connectorCatalog?: string[];\n}\n\n/\n Identity extracted from a verified MCP bearer token / JWT. Used to wrap\n * `entry.run()` and `config.askAgent()` calls in `runWithRequestContext`\n * so downstream tools (db-query, accessFilter, resolveCredential) honour\n * per-user / per-org scoping. Without this wrap the MCP endpoint would\n * silently bypass tenant isolation. See finding #6 in\n * /tmp/security-audit/12-mcp-a2a-agent.md.\n /\nexport interface MCPCallerIdentity {\n userEmail: string \| undefined;\n orgId?: string \| undefined;\n orgDomain: string \| undefined;\n /* Present only for standard remote MCP OAuth access tokens. /\n oauthScopes?: string[];\n /* Present only for standard remote MCP OAuth access tokens. /\n oauthClientId?: string;\n}\n\n/* Per-request context used to turn an action's relative deep link into the\n * absolute web URL (and desktop `agentnative://` URL) the external agent\n * surfaces. Derived from the inbound request headers in `mountMCP`, or from\n * the resolved local app origin in the stdio standalone path. /\nexport interface MCPRequestMeta {\n /* Origin of the running app, e.g. `http://localhost:8100`. /\n origin?: string;\n /* Optional mount prefix for path-mounted apps, e.g. `/mail`. /\n basePath?: string;\n /* Optional client preference for which URL the markdown link uses. /\n target?: \"browser\" \| \"desktop\" \| \"terminal\";\n /\n Best-effort caller label derived from MCP transport headers. Chat-style\n * remote hosts should stay on the compact catalog; code/stdio clients can\n * explicitly identify themselves to keep the full action surface.\n /\n clientName?: string;\n /* Explicit framework client hint from `x-agent-native-mcp-client`. /\n clientHint?: string;\n /* Explicit opt-in to the full tool catalog for code/stdio style clients. /\n fullCatalog?: boolean;\n /\n The caller authenticated with a real credential (verified A2A/connect\n * JWT, matching ACCESS_TOKEN, or a forwarded owner-email header from\n * `agent-native mcp install`) — not the unauthenticated local dev-open\n * path. When true, `createMCPServerForRequest` serves\n * `config.productionActions` (the full surface) instead of the sparse dev\n * `config.actions`. Set by `mountMCP` from `verifyAuth`.\n /\n fullSurface?: boolean;\n}\n\ntype McpOAuthScope = (typeof MCP_OAUTH_SCOPES)[number];\n\nfunction isActionVisibleForOAuthScope(\n entry: ActionEntry,\n scopes: string[] \| undefined,\n): boolean {\n if (!scopes) return true;\n const required: McpOAuthScope =\n entry.readOnly === true ? \"mcp:read\" : \"mcp:write\";\n return hasMcpOAuthScope(scopes, required);\n}\n\nconst COMPACT_MCP_APP_CATALOG_BUILTINS = new Set([\n \"list_apps\",\n \"open_app\",\n \"ask_app\",\n \"ask_app_status\",\n \"create_embed_session\",\n // `tool-search` MUST stay in every compact/connector surface: it is how a\n // compacted client discovers and loads any action on demand, which is what\n // makes \"small catalog by default\" safe instead of limiting.\n \"tool-search\",\n]);\n\nfunction isActionAdvertisedInCompactMcpAppCatalog(\n name: string,\n entry: ActionEntry,\n config: MCPConfig,\n): boolean {\n if (COMPACT_MCP_APP_CATALOG_BUILTINS.has(name)) return true;\n if (\n (entry.mcpApp as { compactCatalog?: unknown } \| undefined)\n ?.compactCatalog === true\n ) {\n return true;\n }\n if (config.builtinCrossAppTools === false && entry.mcpApp?.resource) {\n return true;\n }\n return false;\n}\n\nfunction explicitlyRequestsFullMcpCatalog(\n requestMeta: MCPRequestMeta \| undefined,\n): boolean {\n // Full catalog is a deliberate, rare opt-in — NEVER a default, and NEVER\n // inferred from the client name / user-agent. It is reached only by an\n // explicit deployment env or a token minted with\n // `agent-native connect --full-catalog` (which embeds `catalog_scope: \"full\"`,\n // surfaced here as requestMeta.fullCatalog). Dumping ~105 tool schemas\n // (100k+ tokens) into a context window just because a client called itself\n // \"code\"/\"cursor\"/\"codex\" was a recurring footgun. Everything else gets the\n // connector/compact catalog plus `tool-search`, which keeps every tool\n // reachable on demand.\n if (process.env.AGENT_NATIVE_MCP_FULL_CATALOG === \"1\") return true;\n return requestMeta?.fullCatalog === true;\n}\n\nconst warnedFullCatalogKeys = new Set<string>();\n\n/\n Loud, deduped warning emitted whenever the full MCP catalog is actually\n * served. Full catalog is a deliberate, rare opt-in (env or a `--full-catalog`\n * token claim); logging it makes an accidental ~100k-token tool dump visible\n * instead of silent, so a regression can't quietly reintroduce the footgun.\n /\nfunction warnFullCatalogServed(toolCount: number): void {\n const source =\n process.env.AGENT_NATIVE_MCP_FULL_CATALOG === \"1\"\n ? \"AGENT_NATIVE_MCP_FULL_CATALOG=1\"\n : \"a token minted with --full-catalog (catalog_scope:full)\";\n const key = `${source}:${toolCount}`;\n if (warnedFullCatalogKeys.has(key)) return;\n warnedFullCatalogKeys.add(key);\n console.warn(\n `[agent-native] Serving the FULL MCP tool catalog (${toolCount} tools) via ${source}. ` +\n `This is a large context payload meant to be a rare, explicit opt-in — most ` +\n `clients should use the default compact/connector catalog + tool-search instead.`,\n );\n}\n\n/\n Returns true when the given action name is in the template's connector\n * catalog, OR is a builtin cross-app tool that is always included for\n * external connector clients. Builtin tool names from\n * `COMPACT_MCP_APP_CATALOG_BUILTINS` are always allowed since they are the\n * stable external-agent verb set.\n /\nfunction isActionInConnectorCatalog(name: string, config: MCPConfig): boolean {\n if (COMPACT_MCP_APP_CATALOG_BUILTINS.has(name)) return true;\n if (!Array.isArray(config.connectorCatalog)) return false;\n return config.connectorCatalog.includes(name);\n}\n\ninterface ResolvedMcpAppResource {\n uri: string;\n legacyUris?: string[];\n name: string;\n title?: string;\n description?: string;\n html: ActionMcpAppResourceConfig[\"html\"];\n mimeType: typeof MCP_APP_MIME_TYPE;\n _meta?: Record<string, unknown>;\n}\n\ninterface McpAppResourceContext {\n actionName: string;\n appId?: string;\n requestOrigin?: string;\n}\n\ninterface VersionedMcpAppResourceUri {\n uri: string;\n legacyUris?: string[];\n}\n\nfunction metadataObject(value: unknown): Record<string, unknown> {\n return value && typeof value === \"object\" && !Array.isArray(value)\n ? (value as Record<string, unknown>)\n : {};\n}\n\nfunction originString(value: unknown): string \| undefined {\n if (typeof value !== \"string\" \|\| !value.trim()) return undefined;\n try {\n return new URL(value).origin;\n } catch {\n return undefined;\n }\n}\n\nfunction hostSpecificDomainString(value: unknown): string \| undefined {\n if (typeof value !== \"string\" \|\| !value.trim()) return undefined;\n const trimmed = value.trim();\n try {\n new URL(trimmed);\n return undefined;\n } catch {\n return trimmed;\n }\n}\n\nfunction withMcpChatBridgeParam(urlOrPath: string): string {\n try {\n const base = \"http://agent-native.invalid\";\n const url = urlOrPath.startsWith(\"/\")\n ? new URL(urlOrPath, base)\n : new URL(urlOrPath);\n url.searchParams.set(MCP_APP_CHAT_BRIDGE_QUERY_PARAM, \"1\");\n return urlOrPath.startsWith(\"/\")\n ? `${url.pathname}${url.search}${url.hash}`\n : url.toString();\n } catch {\n return urlOrPath;\n }\n}\n\nfunction isEmbedStartUrl(value: string): boolean {\n try {\n const base = \"http://agent-native.invalid\";\n const url = value.startsWith(\"/\") ? new URL(value, base) : new URL(value);\n return url.pathname.includes(\"/_agent-native/embed/start\");\n } catch {\n return value.includes(\"/_agent-native/embed/start\");\n }\n}\n\nfunction routePathFromOpenUrl(value: string): string \| null {\n try {\n const hasScheme = /^[a-z][a-z0-9+.-]:\\/\\//i.test(value);\n const url = hasScheme\n ? new URL(value)\n : new URL(value, \"http://agent-native.invalid\");\n const route = `${url.pathname}${url.search}${url.hash}`;\n if (!route.startsWith(\"/\") \|\| route.startsWith(\"//\")) return null;\n if (route.startsWith(\"/\\\\\")) return null;\n if (/^\\/[a-z][a-z0-9+.-]:/i.test(route)) return null;\n return route;\n } catch {\n return null;\n }\n}\n\n/\n Recursively redact embed-ticket-bearing URLs from any value before it gets\n * serialized into a model-visible text payload. Embed start URLs carry a\n * single-use ticket that grants iframe access to the user's session — they\n * MUST stay in `_meta` (where the embed runtime can consume them) and never\n * appear in `content[].text` for the LLM. This is the generic safety net for\n * actions that return `{ embedStartUrl, ... }` without declaring\n * `mcpApp.resource` (the resource path already strips them via\n * `mcpAppStructuredContent`).\n \n Depth-capped to avoid pathological / circular structures. Strings that\n * embed an `isEmbedStartUrl` substring (e.g. a longer message that includes\n * the URL) are replaced with `[hidden embed URL]`.\n /\nfunction purgeEmbedStartUrls(value: unknown, depth = 0): unknown {\n if (depth > 5) return value;\n if (typeof value === \"string\") {\n return isEmbedStartUrl(value) ? \"[hidden embed URL]\" : value;\n }\n if (Array.isArray(value)) {\n return value.map((item) => purgeEmbedStartUrls(item, depth + 1));\n }\n if (value && typeof value === \"object\") {\n const out: Record<string, unknown> = {};\n for (const [key, val] of Object.entries(value as Record<string, unknown>)) {\n if (typeof val === \"string\" && isEmbedStartUrl(val)) {\n // Drop the key entirely for object-typed inputs so a tool result like\n // `{ embedStartUrl: \"...\" }` does not appear at all in the LLM text.\n continue;\n }\n out[key] = purgeEmbedStartUrls(val, depth + 1);\n }\n return out;\n }\n return value;\n}\n\nfunction mcpAppEmbedOpenLinkMeta(\n result: unknown,\n resource: ResolvedMcpAppResource,\n meta: MCPRequestMeta \| undefined,\n): Record<string, unknown> {\n const out = metadataObject(result);\n const embedStartUrl =\n typeof out.embedStartUrl === \"string\"\n ? out.embedStartUrl\n : out.embed === true &&\n typeof out.url === \"string\" &&\n out.url.includes(\"/_agent-native/embed/start\")\n ? out.url\n : null;\n if (!embedStartUrl) return {};\n\n const webUrl = toAbsoluteOpenUrl(\n withMcpChatBridgeParam(embedStartUrl),\n meta?.origin,\n );\n const deepLinkUrl =\n typeof out.deepLinkUrl === \"string\" ? out.deepLinkUrl : null;\n const fallbackLabel = resource.title ?? resource.name ?? \"app\";\n const label =\n typeof out.app === \"string\" && out.app.trim()\n ? `Open ${out.app.trim()}`\n : fallbackLabel;\n const view =\n typeof out.view === \"string\" && out.view.trim()\n ? out.view.trim()\n : typeof out.path === \"string\" && out.path.trim()\n ? out.path.trim()\n : undefined;\n // Only fabricate an open URL when there is a real path-like value: an\n // explicit deepLinkUrl, or a non-embed `out.url`, or a leading-slash\n // `view`/`path` that's already a route. Bare view-name strings like\n // \"inbox\" or \"deck\" must NOT be turned into `${origin}/inbox` — apps\n // route views at app-specific paths (e.g. slides routes `view: \"deck\"`\n // at `/deck/:id`), so a synthesized origin-relative URL is just a 404.\n // In that case omit `openLink` entirely; the embedStart meta carries\n // the actual launch reference.\n const pathFromRouteLike =\n view && view.startsWith(\"/\")\n ? view\n : typeof out.path === \"string\" && out.path.trim().startsWith(\"/\")\n ? out.path.trim()\n : undefined;\n const explicitOpenUrl = deepLinkUrl\n ? deepLinkUrl\n : typeof out.url === \"string\" && !isEmbedStartUrl(out.url)\n ? out.url\n : pathFromRouteLike;\n const safeOpenUrl = explicitOpenUrl\n ? toAbsoluteOpenUrl(explicitOpenUrl, meta?.origin)\n : null;\n // Embed open links expose the safe browser target in `webUrl`, but the\n // desktop URL must enter the app through the registered scheme so Electron\n // can focus the right webview. Preserve the full route/query in the `to`\n // param; focus ids are often only present on `url`, not `out.params`.\n const desktopDeepLinkUrl = (() => {\n if (!safeOpenUrl) return null;\n const app =\n typeof out.app === \"string\" && out.app.trim()\n ? out.app.trim()\n : undefined;\n if (!app) return safeOpenUrl;\n if (isAgentNativeOpenDeepLink(safeOpenUrl)) {\n return toDesktopOpenUrl(safeOpenUrl);\n }\n const targetRoute = routePathFromOpenUrl(safeOpenUrl);\n if (!targetRoute) return safeOpenUrl;\n const viewParam =\n typeof out.view === \"string\" && out.view.trim() ? out.view.trim() : \"\";\n const params =\n out.params && typeof out.params === \"object\" && !Array.isArray(out.params)\n ? (out.params as Record<\n string,\n string \| number \| boolean \| null \| undefined\n >)\n : undefined;\n return toDesktopOpenUrl(\n buildDeepLink({\n app,\n view: viewParam,\n to: targetRoute,\n ...(params ? { params } : {}),\n }),\n );\n })();\n\n return {\n \"agent-native/embedStart\": {\n startUrl: webUrl,\n ...(typeof out.embedExpiresAt === \"number\"\n ? { expiresAt: out.embedExpiresAt }\n : {}),\n },\n ...(safeOpenUrl\n ? {\n \"agent-native/openLink\": {\n label,\n ...(view ? { view } : {}),\n webUrl: safeOpenUrl,\n desktopUrl: desktopDeepLinkUrl ?? safeOpenUrl,\n vscodeUrl: toVsCodeOpenUrl(safeOpenUrl),\n },\n }\n : {}),\n };\n}\n\nasync function withServerMintedMcpAppEmbedStart(\n result: unknown,\n meta: MCPRequestMeta \| undefined,\n): Promise<unknown> {\n if (!result \|\| typeof result !== \"object\" \|\| Array.isArray(result)) {\n return result;\n }\n\n const out = result as Record<string, unknown>;\n if (out.embed !== true) return result;\n if (typeof out.embedStartUrl === \"string\" && out.embedStartUrl.trim()) {\n return result;\n }\n if (\n typeof out.url === \"string\" &&\n out.url.trim() &&\n isEmbedStartUrl(out.url)\n ) {\n return result;\n }\n\n const candidate = [out.url, out.path, out.deepLinkUrl].find(\n (value): value is string =>\n typeof value === \"string\" && value.trim().length > 0,\n );\n if (!candidate) return result;\n\n const trimmed = candidate.trim();\n const isPath = trimmed.startsWith(\"/\") && !trimmed.startsWith(\"//\");\n const isAbsoluteHttp = /^https?:\\/\\//i.test(trimmed);\n if (!isPath && !isAbsoluteHttp) return result;\n if (isAbsoluteHttp && !meta?.origin) return result;\n\n const ctx = getRequestContext();\n const ownerEmail = ctx?.userEmail?.trim();\n if (!ownerEmail) return result;\n\n const { normalizeEmbedTargetPath, createEmbedSessionTicket } =\n await import(\"../server/embed-session.js\");\n const { buildEmbedStartPath } = await import(\"../server/embed-route.js\");\n const targetPath = normalizeEmbedTargetPath(\n withMcpChatBridgeParam(trimmed),\n meta?.origin,\n );\n if (!targetPath) return result;\n\n const ticket = await createEmbedSessionTicket({\n ownerEmail,\n orgId: ctx?.orgId,\n targetPath,\n scope: typeof out.chrome === \"string\" ? out.chrome : null,\n });\n const startPath = buildEmbedStartPath(ticket.ticket);\n const embedStartUrl = meta?.origin\n ? new URL(startPath, meta.origin).toString()\n : startPath;\n\n return {\n ...out,\n embedStartUrl,\n embedTargetPath: targetPath,\n embedExpiresAt: ticket.expiresAt,\n };\n}\n\n/\n Build the deep-link content block + structured `_meta` for a tool result.\n * Best-effort: any throw / nullish link is swallowed so a bad `link` builder\n * never fails the tool call.\n /\nexport function buildLinkArtifacts(\n entry: ActionEntry,\n args: Record<string, any>,\n result: any,\n meta: MCPRequestMeta \| undefined,\n): {\n block?: { type: \"text\"; text: string };\n _meta?: Record<string, unknown>;\n} {\n if (typeof entry.link !== \"function\") return {};\n try {\n const lk = entry.link({ args: args ?? {}, result });\n if (!lk?.url) return {};\n const linkUrl = isAgentNativeOpenDeepLink(lk.url)\n ? withCollapsedAgentSidebarParam(lk.url)\n : lk.url;\n const webUrl = toAbsoluteOpenUrl(linkUrl, meta?.origin);\n const desktopUrl = toDesktopOpenUrl(linkUrl);\n const vscodeUrl = toVsCodeOpenUrl(webUrl);\n const markdownUrl = meta?.target === \"desktop\" ? desktopUrl : webUrl;\n return {\n block: { type: \"text\", text: `\\n\\n[${lk.label} →](${markdownUrl})` },\n _meta: {\n \"agent-native/openLink\": {\n label: lk.label,\n view: lk.view,\n webUrl,\n desktopUrl,\n vscodeUrl,\n },\n },\n };\n } catch {\n return {};\n }\n}\n\n/\n Merge the generic cross-app builtin tools into the config's action\n * registry. Template actions take precedence: if a template defines an\n * action with the same name as a builtin (e.g. its own `list_apps`), the\n * template entry wins and the builtin is dropped. This mirrors the\n * template-over-workspace-core precedence in `autoDiscoverActions`.\n \n The builtins are pure-ish navigators / scaffolders; they call back into the\n * same `config.actions` / `config.askAgent` so there is no second agent loop.\n /\nfunction mergeBuiltinTools(\n config: MCPConfig,\n baseActions: Record<string, ActionEntry>,\n requestMeta?: MCPRequestMeta,\n): Record<string, ActionEntry> {\n if (config.builtinCrossAppTools === false) return baseActions;\n const builtins = getBuiltinCrossAppTools(config, requestMeta);\n const merged: Record<string, ActionEntry> = { ...builtins };\n // Template / app actions overwrite same-named builtins.\n for (const [name, entry] of Object.entries(baseActions)) {\n merged[name] = entry;\n }\n return merged;\n}\n\nfunction absoluteMetadataUrl(\n value: string \| undefined,\n requestMeta?: MCPRequestMeta,\n): string \| undefined {\n const trimmed = value?.trim();\n if (!trimmed) return undefined;\n try {\n if (requestMeta?.origin) {\n const basePath = requestMeta.basePath ?? getConfiguredAppBasePath();\n const appBase = `${requestMeta.origin.replace(/\\/+$/, \"\")}${basePath}/`;\n const appLocalValue =\n trimmed.startsWith(\"/\") && !trimmed.startsWith(\"//\")\n ? trimmed.replace(/^\\/+/, \"\")\n : trimmed;\n return new URL(appLocalValue, appBase).href;\n }\n return new URL(trimmed).href;\n } catch {\n return trimmed;\n }\n}\n\nfunction mcpServerInfo(config: MCPConfig, requestMeta?: MCPRequestMeta) {\n const websiteUrl = absoluteMetadataUrl(config.websiteUrl, requestMeta);\n const icons = config.icons\n ?.map((icon) => {\n const src = absoluteMetadataUrl(icon.src, requestMeta);\n if (!src) return null;\n return {\n src,\n ...(icon.mimeType ? { mimeType: icon.mimeType } : {}),\n ...(icon.sizes?.length ? { sizes: icon.sizes } : {}),\n ...(icon.theme ? { theme: icon.theme } : {}),\n };\n })\n .filter((icon): icon is NonNullable<typeof icon> => Boolean(icon));\n return {\n name: config.name,\n version: config.version ?? \"1.0.0\",\n ...(config.title?.trim() ? { title: config.title.trim() } : {}),\n ...(config.description?.trim()\n ? { description: config.description.trim() }\n : {}),\n ...(websiteUrl ? { websiteUrl } : {}),\n ...(icons?.length ? { icons } : {}),\n };\n}\n\nfunction safeUiSegment(value: string \| undefined, fallback: string): string {\n const normalized = (value \|\| fallback)\n .trim()\n .toLowerCase()\n .replace(/[^a-z0-9._-]+/g, \"-\")\n .replace(/^-+\|-+$/g, \"\");\n return normalized \|\| fallback;\n}\n\n// ChatGPT and Claude cache MCP App resource HTML by `ui://` URI. Bump this\n// when the shared shell changes in a way that must invalidate host caches.\nconst MCP_APP_RESOURCE_SHELL_VERSION = \"shell-v43\";\n\nfunction legacyDefaultMcpAppUri(config: MCPConfig, actionName: string): string {\n const app = safeUiSegment(config.appId ?? config.name, \"agent-native\");\n const action = safeUiSegment(actionName, \"tool\");\n return `ui://${app}/${action}`;\n}\n\nfunction versionMcpAppResourceUri(\n rawUri: string,\n): VersionedMcpAppResourceUri \| null {\n const uri = rawUri.trim();\n if (!uri.startsWith(\"ui://\")) return null;\n const versionSuffix = `/${MCP_APP_RESOURCE_SHELL_VERSION}`;\n let versionedUri: string;\n try {\n const parsed = new URL(uri);\n const path = parsed.pathname.replace(/\\/+$/g, \"\");\n parsed.pathname = /\\/shell-v\\d+$/.test(path)\n ? path.replace(/\\/shell-v\\d+$/, versionSuffix)\n : `${path}${versionSuffix}`;\n versionedUri = parsed.toString();\n } catch {\n return null;\n }\n return {\n uri: versionedUri,\n ...(versionedUri !== uri ? { legacyUris: [uri] } : {}),\n };\n}\n\nfunction unversionMcpAppResourceUri(uri: string): string \| null {\n if (!uri.startsWith(\"ui://\")) return null;\n try {\n const parsed = new URL(uri);\n parsed.pathname = parsed.pathname\n .replace(/\\/+$/g, \"\")\n .replace(/\\/shell-v\\d+$/g, \"\");\n return parsed.toString();\n } catch {\n return null;\n }\n}\n\nfunction normalizeMcpAppResourceUriForMatch(uri: unknown): string \| null {\n if (typeof uri !== \"string\") return null;\n const trimmed = uri.trim();\n if (!trimmed.startsWith(\"ui://\")) return null;\n return (\n unversionMcpAppResourceUri(trimmed) ??\n trimmed.replace(/\\/+$/g, \"\").replace(/\\/shell-v\\d+(?=([?#]\|$))/g, \"\")\n );\n}\n\nfunction matchesMcpAppResourceUri(\n resourceUri: VersionedMcpAppResourceUri,\n requestedUri: unknown,\n): boolean {\n if (typeof requestedUri !== \"string\") return false;\n const requested = requestedUri.trim();\n if (resourceUri.uri === requested) return true;\n if (resourceUri.legacyUris?.includes(requested)) return true;\n const requestedBase = normalizeMcpAppResourceUriForMatch(requested);\n const currentBase = normalizeMcpAppResourceUriForMatch(resourceUri.uri);\n return Boolean(requestedBase && currentBase && requestedBase === currentBase);\n}\n\nfunction getMcpAppResourceUri(\n config: MCPConfig,\n actionName: string,\n entry: ActionEntry,\n): VersionedMcpAppResourceUri \| null {\n const resource = entry.mcpApp?.resource;\n if (!resource) return null;\n const baseUri =\n resource.uri?.trim() \|\| legacyDefaultMcpAppUri(config, actionName);\n return versionMcpAppResourceUri(baseUri);\n}\n\nfunction expandRequestOriginSources(\n sources: string[] \| undefined,\n requestMeta?: MCPRequestMeta,\n): string[] \| undefined {\n if (!sources) return undefined;\n const origin = requestMeta?.origin;\n return sources.flatMap((source) =>\n source === MCP_APP_REQUEST_ORIGIN_CSP_SOURCE && origin\n ? [origin]\n : [source],\n );\n}\n\nfunction openAiWidgetCsp(\n cspConfig: ActionMcpAppCsp \| undefined,\n requestMeta?: MCPRequestMeta,\n): Record<string, string[]> \| undefined {\n if (!cspConfig) return undefined;\n const csp: Record<string, string[]> = {};\n const connectDomains = expandRequestOriginSources(\n cspConfig.connectDomains,\n requestMeta,\n );\n const resourceDomains = expandRequestOriginSources(\n cspConfig.resourceDomains,\n requestMeta,\n );\n const frameDomains = expandRequestOriginSources(\n cspConfig.frameDomains,\n requestMeta,\n );\n if (connectDomains?.length) csp.connect_domains = connectDomains;\n if (resourceDomains?.length) csp.resource_domains = resourceDomains;\n if (frameDomains?.length) csp.frame_domains = frameDomains;\n return Object.keys(csp).length > 0 ? csp : undefined;\n}\n\nfunction mcpAppUiMeta(\n resource: ActionMcpAppResourceConfig,\n resolvedCsp: ActionMcpAppCsp \| undefined,\n requestMeta?: MCPRequestMeta,\n description?: string,\n): Record<string, unknown> \| undefined {\n const base =\n resource._meta && typeof resource._meta === \"object\"\n ? { ...resource._meta }\n : {};\n const existingUi =\n base.ui && typeof base.ui === \"object\" && !Array.isArray(base.ui)\n ? (base.ui as Record<string, unknown>)\n : {};\n const ui: Record<string, unknown> = { ...existingUi };\n delete ui.domain;\n if (resolvedCsp) {\n ui.csp = {\n ...resolvedCsp,\n connectDomains: expandRequestOriginSources(\n resolvedCsp.connectDomains,\n requestMeta,\n ),\n resourceDomains: expandRequestOriginSources(\n resolvedCsp.resourceDomains,\n requestMeta,\n ),\n frameDomains: expandRequestOriginSources(\n resolvedCsp.frameDomains,\n requestMeta,\n ),\n baseUriDomains: expandRequestOriginSources(\n resolvedCsp.baseUriDomains,\n requestMeta,\n ),\n };\n }\n if (resource.permissions) ui.permissions = resource.permissions;\n const hostSpecificDomain =\n hostSpecificDomainString(resource.domain) ??\n hostSpecificDomainString(existingUi.domain);\n if (hostSpecificDomain) ui.domain = hostSpecificDomain;\n const openAiWidgetDomain =\n originString(resource.domain) ??\n originString(ui.domain) ??\n originString(existingUi.domain) ??\n originString(requestMeta?.origin);\n if (typeof resource.prefersBorder === \"boolean\") {\n ui.prefersBorder = resource.prefersBorder;\n }\n if (Object.keys(ui).length > 0) base.ui = ui;\n if (description && base[\"openai/widgetDescription\"] == null) {\n base[\"openai/widgetDescription\"] = description;\n }\n if (\n typeof resource.prefersBorder === \"boolean\" &&\n base[\"openai/widgetPrefersBorder\"] == null\n ) {\n base[\"openai/widgetPrefersBorder\"] = resource.prefersBorder;\n }\n const openAiCsp = openAiWidgetCsp(resolvedCsp, requestMeta);\n if (openAiCsp && base[\"openai/widgetCSP\"] == null) {\n base[\"openai/widgetCSP\"] = openAiCsp;\n }\n if (openAiWidgetDomain && base[\"openai/widgetDomain\"] == null) {\n base[\"openai/widgetDomain\"] = openAiWidgetDomain;\n }\n return Object.keys(base).length > 0 ? base : undefined;\n}\n\nasync function resolveMcpAppCsp(\n resource: ActionMcpAppResourceConfig,\n ctx: McpAppResourceContext,\n): Promise<ActionMcpAppCsp \| undefined> {\n if (!resource.csp) return undefined;\n return typeof resource.csp === \"function\"\n ? await resource.csp(ctx)\n : resource.csp;\n}\n\nasync function resolveMcpAppResource(\n config: MCPConfig,\n actionName: string,\n entry: ActionEntry,\n requestMeta?: MCPRequestMeta,\n): Promise<ResolvedMcpAppResource \| null> {\n const resource = entry.mcpApp?.resource;\n if (!resource) return null;\n const resolvedUri = getMcpAppResourceUri(config, actionName, entry);\n if (!resolvedUri) return null;\n const description = resource.description ?? entry.tool.description;\n const resolvedCsp = await resolveMcpAppCsp(resource, {\n actionName,\n appId: config.appId,\n requestOrigin: requestMeta?.origin,\n });\n const resourceMeta = mcpAppUiMeta(\n resource,\n resolvedCsp,\n requestMeta,\n description,\n );\n return {\n uri: resolvedUri.uri,\n ...(resolvedUri.legacyUris ? { legacyUris: resolvedUri.legacyUris } : {}),\n name: resource.name?.trim() \|\| actionName,\n ...(resource.title ? { title: resource.title } : {}),\n ...(description ? { description } : {}),\n html: resource.html,\n mimeType: resource.mimeType ?? MCP_APP_MIME_TYPE,\n ...(resourceMeta ? { _meta: resourceMeta } : {}),\n };\n}\n\nasync function resolveMcpAppResourceSafely(\n config: MCPConfig,\n actionName: string,\n entry: ActionEntry,\n requestMeta?: MCPRequestMeta,\n): Promise<ResolvedMcpAppResource \| null> {\n try {\n return await resolveMcpAppResource(config, actionName, entry, requestMeta);\n } catch (error) {\n console.warn(\n `[mcp] Skipping MCP App resource for action \"${actionName}\" because its metadata could not be resolved.`,\n error,\n );\n return null;\n }\n}\n\nasync function getMcpAppResources(\n config: MCPConfig,\n actions: Record<string, ActionEntry>,\n requestMeta?: MCPRequestMeta,\n): Promise<ResolvedMcpAppResource[]> {\n const resources = await Promise.all(\n Object.entries(actions).map(([name, entry]) =>\n resolveMcpAppResourceSafely(config, name, entry, requestMeta),\n ),\n );\n return resources.filter((resource): resource is ResolvedMcpAppResource =>\n Boolean(resource),\n );\n}\n\nfunction renderMcpAppHtml(\n resource: ResolvedMcpAppResource,\n actionName: string,\n config: MCPConfig,\n requestMeta?: MCPRequestMeta,\n): string {\n if (typeof resource.html === \"function\") {\n return resource.html({\n actionName,\n appId: config.appId,\n requestOrigin: requestMeta?.origin,\n });\n }\n return resource.html;\n}\n\nfunction openAiToolDescriptorMeta(\n resource: ResolvedMcpAppResource,\n): Record<string, unknown> {\n const label = resource.title ?? resource.name;\n const widgetCsp = metadataObject(resource._meta?.[\"openai/widgetCSP\"]);\n return {\n \"openai/outputTemplate\": resource.uri,\n \"openai/toolInvocation/invoking\": `Opening ${label}`,\n \"openai/toolInvocation/invoked\": `${label} ready`,\n \"openai/widgetAccessible\": true,\n ...(Object.keys(widgetCsp).length > 0\n ? { \"openai/widgetCSP\": widgetCsp }\n : {}),\n };\n}\n\nfunction openAiToolResultMeta(\n resource: ResolvedMcpAppResource,\n): Record<string, unknown> {\n const label = resource.title ?? resource.name;\n const widgetCsp = metadataObject(resource._meta?.[\"openai/widgetCSP\"]);\n return {\n \"openai/outputTemplate\": resource.uri,\n \"openai/toolInvocation/invoking\": `Opening ${label}`,\n \"openai/toolInvocation/invoked\": `${label} ready`,\n \"openai/widgetAccessible\": true,\n ...(Object.keys(widgetCsp).length > 0\n ? { \"openai/widgetCSP\": widgetCsp }\n : {}),\n };\n}\n\nfunction mcpAppToolUiMeta(\n resource: ResolvedMcpAppResource,\n visibility: unknown,\n): Record<string, unknown> {\n return {\n resourceUri: resource.uri,\n visibility: Array.isArray(visibility) ? visibility : [\"model\", \"app\"],\n };\n}\n\nfunction primitiveValue(value: unknown): value is string \| number \| boolean {\n return (\n typeof value === \"string\" \|\|\n typeof value === \"number\" \|\|\n typeof value === \"boolean\"\n );\n}\n\nfunction mcpAppStructuredContent(\n result: unknown,\n meta: Record<string, unknown> \| undefined,\n): Record<string, unknown> {\n const out: Record<string, unknown> =\n result && typeof result === \"object\" && !Array.isArray(result)\n ? { ...(result as Record<string, unknown>) }\n : primitiveValue(result)\n ? { result }\n : {};\n for (const key of [\"embedStartUrl\", \"startUrl\"]) {\n const value = out[key];\n if (typeof value === \"string\" && isEmbedStartUrl(value)) delete out[key];\n }\n if (typeof out.url === \"string\" && isEmbedStartUrl(out.url)) {\n delete out.url;\n }\n // Internal embed-routing fields belong in `_meta[\"agent-native/embedStart\"]`\n // (consumed by the embed runtime), not in `structuredContent` (read by the\n // LLM). `embedTargetPath` reveals the exact route + thread/draft id the user\n // is looking at; `embedExpiresAt` is an unintended timestamp; ticket-bearing\n // fields are single-use credentials. Drop all of them unconditionally.\n for (const key of [\n \"embedTargetPath\",\n \"embedExpiresAt\",\n \"ticket\",\n \"embedTicket\",\n ]) {\n delete out[key];\n }\n for (const key of Object.keys(out)) {\n if (/Ticket$/.test(key)) delete out[key];\n }\n const openLink = meta?.[\"agent-native/openLink\"];\n if (openLink && typeof openLink === \"object\" && !Array.isArray(openLink)) {\n const webUrl = (openLink as Record<string, unknown>).webUrl;\n if (typeof webUrl === \"string\" && isEmbedStartUrl(webUrl)) {\n return Object.keys(out).length > 0 ? out : { status: \"ok\" };\n }\n out.openLink = openLink;\n if (typeof webUrl === \"string\" && !out.url) out.url = webUrl;\n }\n return Object.keys(out).length > 0 ? out : { status: \"ok\" };\n}\n\nfunction truncateToolText(value: string, max = 2000): string {\n if (value.length <= max) return value;\n return `${value.slice(0, max - 1)}…`;\n}\n\nfunction conciseMcpAppToolText(\n name: string,\n result: unknown,\n structuredContent: Record<string, unknown>,\n): string {\n if (typeof result === \"string\") return truncateToolText(result);\n const message = structuredContent.message;\n if (typeof message === \"string\" && message.trim()) {\n return truncateToolText(message.trim());\n }\n const title = structuredContent.title ?? structuredContent.name;\n if (typeof title === \"string\" && title.trim()) {\n return `${title.trim()} is ready.`;\n }\n const id = structuredContent.id;\n if (typeof id === \"string\" && id.trim()) {\n return `${name} completed for ${id.trim()}.`;\n }\n return `${name} completed.`;\n}\n\n// ---------------------------------------------------------------------------\n// MCP Server creation — converts ActionEntry registry to MCP tools\n// ---------------------------------------------------------------------------\n\n/\n Build a fully-wired MCP `Server` for a single request / session.\n \n Shared by the stateless Streamable-HTTP mount (`mountMCP`) and the stdio\n * standalone transport. The HTTP mount passes the per-request origin via\n * `requestMeta`; the stdio standalone path passes the resolved local app\n * origin so deep links still become absolute URLs.\n /\nexport async function createMCPServerForRequest(\n config: MCPConfig,\n identity: MCPCallerIdentity \| undefined,\n requestMeta?: MCPRequestMeta,\n) {\n const { Server } = await import(\"@modelcontextprotocol/sdk/server/index.js\");\n const {\n ListToolsRequestSchema,\n CallToolRequestSchema,\n ListResourcesRequestSchema,\n ReadResourceRequestSchema,\n ListResourceTemplatesRequestSchema,\n } = await import(\"@modelcontextprotocol/sdk/types.js\");\n\n // Resolve the effective caller identity. JWT / header-derived identity\n // (passed by `mountMCP` via `verifyAuth`) wins. When the caller passed no\n // identity — the stdio standalone* path — fall back to the\n // `AGENT_NATIVE_OWNER_EMAIL` env the `agent-native mcp install` flow writes\n // into the `agent-native mcp serve` process env, so standalone tool runs are\n // tenant-scoped to the configured owner instead of running unscoped. Stays\n // undefined for true dev-open (no token, no secret, no owner) — behavior\n // there is unchanged.\n const ownerFromEnv = process.env.AGENT_NATIVE_OWNER_EMAIL?.trim();\n const effectiveIdentity: MCPCallerIdentity \| undefined =\n identity ??\n (ownerFromEnv\n ? { userEmail: ownerFromEnv, orgDomain: undefined }\n : undefined);\n\n // The action set the request handlers operate on = base actions + generic\n // cross-app builtins (template wins on name collision). An authenticated\n // real caller (connect-minted token / `mcp install` owner / production —\n // `requestMeta.fullSurface`, or the stdio standalone path identified by\n // `AGENT_NATIVE_OWNER_EMAIL`) gets the full `productionActions` surface\n // even in local dev; the unauthenticated dev-open path keeps the sparse\n // `config.actions`. See `external-agents` skill, \"Dev vs production tool\n // surface\".\n const useFullSurface = requestMeta?.fullSurface === true \|\| !!ownerFromEnv;\n const baseActions =\n useFullSurface && config.productionActions\n ? config.productionActions\n : config.actions;\n const actions = mergeBuiltinTools(config, baseActions, requestMeta);\n const visibleActions = Object.fromEntries(\n Object.entries(actions).filter(([, entry]) =>\n isActionVisibleForOAuthScope(entry, effectiveIdentity?.oauthScopes),\n ),\n );\n const fullCatalogRequested = explicitlyRequestsFullMcpCatalog(requestMeta);\n // Compact/connector is the DEFAULT for every caller — hosted connectors,\n // code clients (Claude Code / Cursor / Codex), and the local CLI alike. The\n // full ~105-tool catalog is served only on the explicit opt-in above, so a\n // host can never dump every action schema into one giant tool card. The\n // `mcp:apps` scope still lands on this compact MCP-Apps surface; with no\n // opt-in, everyone else does too.\n const compactMcpAppCatalog = !fullCatalogRequested;\n const advertisedActionsBeforeConnector = compactMcpAppCatalog\n ? Object.fromEntries(\n Object.entries(visibleActions).filter(([name, entry]) =>\n isActionAdvertisedInCompactMcpAppCatalog(name, entry, config),\n ),\n )\n : visibleActions;\n // Connector-catalog tier: when a template declares a connector allow-list,\n // serve exactly that curated surface (+ cross-app builtins + tool-search) to\n // external callers unless they explicitly opted into the full catalog. This\n // is active by default whenever a catalog is declared — no env flag required —\n // so the ~105-tool full catalog can never leak just because a deployment\n // forgot to set one. It also keeps db-exec / seed-* / extension /\n // browser-session footguns off the external surface.\n const connectorCatalogActive =\n Array.isArray(config.connectorCatalog) &&\n config.connectorCatalog.length > 0 &&\n !fullCatalogRequested;\n // When the connector catalog is active, filter directly from visibleActions\n // rather than advertisedActionsBeforeConnector. This ensures the connector\n // tier is an independent, template-declared surface that doesn't accidentally\n // narrow to just the compact-catalog builtins when shouldUseCompactMcpCatalogByDefault\n // would have activated the compact catalog for the same caller.\n const advertisedActions = connectorCatalogActive\n ? Object.fromEntries(\n Object.entries(visibleActions).filter(([name]) =>\n isActionInConnectorCatalog(name, config),\n ),\n )\n : advertisedActionsBeforeConnector;\n if (fullCatalogRequested) {\n warnFullCatalogServed(Object.keys(advertisedActions).length);\n }\n const supportsMcpApps =\n compactMcpAppCatalog \|\|\n Object.values(advertisedActions).some((entry) =>\n Boolean(entry.mcpApp?.resource),\n );\n const server = new Server(mcpServerInfo(config, requestMeta), {\n capabilities: {\n tools: {},\n ...(supportsMcpApps\n ? {\n resources: {},\n extensions: {\n [MCP_APP_EXTENSION_ID]: {\n mimeTypes: [MCP_APP_MIME_TYPE],\n },\n },\n }\n : {}),\n },\n });\n\n // Resolve orgId once per request (DB lookup) so subsequent wraps are\n // synchronous. The caller identity may be undefined for true dev-open —\n // in that case we run with no userEmail/orgId, which makes downstream\n // tools that require per-user scope return empty results rather than\n // cross-tenant data (the safe default).\n const orgIdPromise = effectiveIdentity?.orgId\n ? Promise.resolve(effectiveIdentity.orgId)\n : resolveOrgIdFromDomain(effectiveIdentity?.orgDomain);\n\n /*\n Wrap a callback in\n * `runWithRequestContext({ userEmail, orgId, requestOrigin }, fn)`.\n * Both the tools/list and tools/call handlers go through this so\n * downstream `accessFilter`, `resolveCredential`, and per-user MCP\n * visibility checks see the verified caller's identity. `requestOrigin`\n * is the live server origin derived from the inbound request (same value\n * used to absolutize deep links) so actions that build fetchable URLs\n * (e.g. design `export-coding-handoff`'s signed raw-code URL) resolve the\n * correct local-workspace origin instead of a prod/localhost fallback.\n /\n async function withCallerContext<T>(fn: () => Promise<T>): Promise<T> {\n const orgId = await orgIdPromise;\n return runWithRequestContext(\n {\n userEmail: effectiveIdentity?.userEmail,\n orgId,\n ...(requestMeta?.origin ? { requestOrigin: requestMeta.origin } : {}),\n },\n fn,\n ) as Promise<T>;\n }\n\n // tools/list — return all actions + ask-agent meta-tool. Wrapped in the\n // request context so per-user MCP visibility (mcp-client/visibility.ts)\n // applies to the listing too.\n server.setRequestHandler(ListToolsRequestSchema, async () => {\n return withCallerContext(async () => {\n const tools = await Promise.all(\n Object.entries(advertisedActions).map(async ([name, entry]) => {\n const hasLink = typeof entry.link === \"function\";\n const mcpAppResource = await resolveMcpAppResourceSafely(\n config,\n name,\n entry,\n requestMeta,\n );\n const rawToolMeta =\n (entry.tool as any)._meta &&\n typeof (entry.tool as any)._meta === \"object\" &&\n !Array.isArray((entry.tool as any)._meta)\n ? { ...((entry.tool as any)._meta as Record<string, unknown>) }\n : {};\n const toolMeta = {\n ...rawToolMeta,\n ...(mcpAppResource\n ? {\n ...openAiToolDescriptorMeta(mcpAppResource),\n [MCP_APP_RESOURCE_URI_META_KEY]: mcpAppResource.uri,\n ui: mcpAppToolUiMeta(\n mcpAppResource,\n entry.mcpApp?.visibility ??\n metadataObject(rawToolMeta.ui).visibility,\n ),\n }\n : {}),\n };\n const baseDescription = entry.tool.description ?? name;\n const annotations: Record<string, unknown> = {\n readOnlyHint: entry.readOnly === true,\n destructiveHint: entry.publicAgent?.isConsequential === true,\n openWorldHint: false,\n };\n if (hasLink) annotations[\"agent-native/producesOpenLink\"] = true;\n return {\n name,\n description: hasLink\n ? `${baseDescription} After calling, surface the returned \"Open in … →\" link to the user.`\n : baseDescription,\n inputSchema: entry.tool.parameters ?? {\n type: \"object\" as const,\n properties: {},\n },\n ...(Object.keys(toolMeta).length > 0 ? { _meta: toolMeta } : {}),\n annotations,\n };\n }),\n );\n\n if (\n !compactMcpAppCatalog &&\n !connectorCatalogActive &&\n config.askAgent &&\n hasMcpOAuthScope(effectiveIdentity?.oauthScopes, \"mcp:write\")\n ) {\n tools.push({\n name: \"ask-agent\",\n description:\n \"Send a natural-language message to the app's AI agent and get a response. \" +\n \"Use this for complex, multi-step tasks that require the agent's reasoning \" +\n \"and full context about the app.\",\n inputSchema: {\n type: \"object\" as const,\n properties: {\n message: {\n type: \"string\",\n description: \"The message to send to the agent\",\n },\n },\n required: [\"message\"],\n },\n annotations: {\n readOnlyHint: false,\n destructiveHint: false,\n openWorldHint: false,\n },\n });\n }\n\n return { tools };\n });\n });\n\n // tools/call — dispatch to action registry or ask-agent. Wrapped in the\n // request context so the action's `run(args)` and `askAgent()` execute\n // with the verified caller's identity, not the platform default.\n server.setRequestHandler(CallToolRequestSchema, async (request: any) => {\n return withCallerContext(async () => {\n const { name, arguments: args } = request.params;\n\n if (name === \"ask-agent\" && config.askAgent) {\n if (compactMcpAppCatalog \|\| connectorCatalogActive) {\n return {\n content: [{ type: \"text\", text: `Unknown tool: ${name}` }],\n isError: true,\n };\n }\n if (!hasMcpOAuthScope(effectiveIdentity?.oauthScopes, \"mcp:write\")) {\n return {\n content: [\n {\n type: \"text\",\n text: \"Forbidden: OAuth scope does not allow ask-agent\",\n },\n ],\n isError: true,\n };\n }\n const message = args?.message ?? \"\";\n try {\n const result = await config.askAgent(message);\n return { content: [{ type: \"text\", text: result }] };\n } catch (err: any) {\n return {\n content: [{ type: \"text\", text: `Error: ${err.message}` }],\n isError: true,\n };\n }\n }\n\n // Connector-catalog tier: when active, callableActions === advertisedActions\n // (the filtered set). Non-listed tools are not callable — mirroring how\n // compactMcpAppCatalog gates calls on advertisedActions.\n const callableActions =\n compactMcpAppCatalog \|\| connectorCatalogActive\n ? advertisedActions\n : actions;\n const entry = callableActions[name];\n if (!entry) {\n return {\n content: [{ type: \"text\", text: `Unknown tool: ${name}` }],\n isError: true,\n };\n }\n if (\n !isActionVisibleForOAuthScope(entry, effectiveIdentity?.oauthScopes)\n ) {\n return {\n content: [\n {\n type: \"text\",\n text: `Forbidden: OAuth scope does not allow tool ${name}`,\n },\n ],\n isError: true,\n };\n }\n\n try {\n // We're inside `withCallerContext`, so the request-context getters\n // resolve the verified MCP caller's identity (do NOT inject a dev\n // fallback). Tag the call as an external-agent MCP dispatch.\n const result = await entry.run((args as Record<string, string>) ?? {}, {\n userEmail: getRequestUserEmail(),\n orgId: getRequestOrgId() ?? null,\n caller: \"mcp\",\n });\n const mcpResult = isMcpActionResult(result) ? result : null;\n const rawResult = mcpResult ? mcpResult.raw : result;\n const resultForClient = mcpResult ? mcpResult.text : result;\n const mcpResultIsError =\n !!mcpResult &&\n !!mcpResult.raw &&\n typeof mcpResult.raw === \"object\" &&\n (mcpResult.raw as Record<string, unknown>).isError === true;\n const mcpAppResource = await resolveMcpAppResourceSafely(\n config,\n name,\n entry,\n requestMeta,\n );\n const rawResultForClient = mcpAppResource\n ? await withServerMintedMcpAppEmbedStart(rawResult, requestMeta)\n : rawResult;\n const { block, _meta } = buildLinkArtifacts(\n entry,\n (args as Record<string, any>) ?? {},\n rawResultForClient,\n requestMeta,\n );\n const responseMeta: Record<string, unknown> = {\n ...(_meta ?? {}),\n ...(mcpAppResource\n ? mcpAppEmbedOpenLinkMeta(\n rawResultForClient,\n mcpAppResource,\n requestMeta,\n )\n : {}),\n ...(mcpAppResource ? openAiToolResultMeta(mcpAppResource) : {}),\n };\n const toolUiMeta = metadataObject((entry.tool as any)._meta?.ui);\n const toolVisibility = toolUiMeta.visibility;\n const isAppOnlyVisibility =\n Array.isArray(toolVisibility) &&\n toolVisibility.length > 0 &&\n toolVisibility.every((v) => v === \"app\");\n const structuredContent = mcpAppResource\n ? mcpAppStructuredContent(rawResultForClient, responseMeta)\n : isAppOnlyVisibility &&\n rawResult &&\n typeof rawResult === \"object\" &&\n !Array.isArray(rawResult)\n ? (rawResult as Record<string, unknown>)\n : undefined;\n const text = mcpAppResource\n ? conciseMcpAppToolText(name, resultForClient, structuredContent!)\n : typeof resultForClient === \"string\"\n ? (purgeEmbedStartUrls(resultForClient) as string)\n : JSON.stringify(purgeEmbedStartUrls(resultForClient));\n const content: any[] = [{ type: \"text\", text }];\n if (block) content.push(block);\n return {\n content,\n ...(mcpResultIsError ? { isError: true } : {}),\n ...(structuredContent ? { structuredContent } : {}),\n ...(Object.keys(responseMeta).length > 0\n ? { _meta: responseMeta }\n : {}),\n };\n } catch (err: any) {\n return {\n content: [{ type: \"text\", text: `Error: ${err.message}` }],\n isError: true,\n };\n }\n });\n });\n\n if (supportsMcpApps) {\n server.setRequestHandler(ListResourcesRequestSchema, async () => {\n return withCallerContext(async () => {\n const mcpAppResources = await getMcpAppResources(\n config,\n advertisedActions,\n requestMeta,\n );\n return {\n resources: mcpAppResources.map((resource) => ({\n uri: resource.uri,\n name: resource.name,\n ...(resource.title ? { title: resource.title } : {}),\n ...(resource.description\n ? { description: resource.description }\n : {}),\n mimeType: resource.mimeType,\n ...(resource._meta ? { _meta: resource._meta } : {}),\n })),\n };\n });\n });\n\n server.setRequestHandler(ListResourceTemplatesRequestSchema, async () => {\n return withCallerContext(async () => {\n const mcpAppResources = await getMcpAppResources(\n config,\n advertisedActions,\n requestMeta,\n );\n return {\n resourceTemplates: mcpAppResources.map((resource) => ({\n uriTemplate: resource.uri,\n name: resource.name,\n ...(resource.title ? { title: resource.title } : {}),\n ...(resource.description\n ? { description: resource.description }\n : {}),\n mimeType: resource.mimeType,\n ...(resource._meta ? { _meta: resource._meta } : {}),\n })),\n };\n });\n });\n\n server.setRequestHandler(\n ReadResourceRequestSchema,\n async (request: any) => {\n return withCallerContext(async () => {\n const uri = request.params?.uri;\n let found: {\n actionName: string;\n resource: ResolvedMcpAppResource;\n } \| null = null;\n for (const [name, entry] of Object.entries(advertisedActions)) {\n const resourceUri = getMcpAppResourceUri(config, name, entry);\n if (!resourceUri \|\| !matchesMcpAppResourceUri(resourceUri, uri)) {\n continue;\n }\n const resource = await resolveMcpAppResourceSafely(\n config,\n name,\n entry,\n requestMeta,\n );\n if (resource) {\n found = { actionName: name, resource };\n break;\n }\n // resolveMcpAppResourceSafely returned null (e.g. an async resolver\n // threw) — keep scanning the remaining candidates rather than\n // aborting and reporting the resource as missing.\n }\n if (!found) {\n throw new Error(`MCP App resource not found: ${uri}`);\n }\n return {\n contents: [\n {\n uri,\n mimeType: found.resource.mimeType,\n text: renderMcpAppHtml(\n found.resource,\n found.actionName,\n config,\n requestMeta,\n ),\n ...(found.resource._meta\n ? { _meta: found.resource._meta }\n : {}),\n },\n ],\n };\n });\n },\n );\n }\n\n return server;\n}\n\n// ---------------------------------------------------------------------------\n// Auth — reuses the same pattern as A2A (Bearer token or JWT). Shared so the\n// HTTP mount and any stdio-side auth-aware helper resolve identity identically.\n// ---------------------------------------------------------------------------\n\nexport function getAccessTokens(): string[] {\n const single = process.env.ACCESS_TOKEN;\n const multi = process.env.ACCESS_TOKENS;\n const tokens: string[] = [];\n if (single) tokens.push(single);\n if (multi) {\n tokens.push(\n ...multi\n .split(\",\")\n .map((t) => t.trim())\n .filter(Boolean),\n );\n }\n return tokens;\n}\n\n/\n Resolve the caller identity for a static-token (or dev-open) auth path.\n \n Static `ACCESS_TOKEN` / `ACCESS_TOKENS` auth carries no per-caller claims,\n * so without this the MCP endpoint would run every tool with\n * `userEmail === undefined` and per-user / per-org scoped actions\n * (`accessFilter`, `resolveAccess`, `resolveCredential`) would return\n * empty / wrong data. The `agent-native mcp install` flow writes\n * `AGENT_NATIVE_OWNER_EMAIL` into the client config env and the stdio proxy\n * forwards it as the `X-Agent-Native-Owner-Email` request header (see\n * `mcp/stdio.ts#authHeaders`). We trust that owner hint only on the\n * static-token path — JWT auth already carries a cryptographically verified\n * `sub`, so the header is ignored there and never widens JWT scope.\n \n Precedence is server-trusted-first: the server process's\n * `AGENT_NATIVE_OWNER_EMAIL` env (set out-of-band by the operator / deploy)\n * ALWAYS wins, and a client-supplied `X-Agent-Native-Owner-Email` header is\n * honored only as a fallback when that env is unset. A static `ACCESS_TOKEN`\n * is a shared bearer secret; letting a request header override a\n * server-configured owner would let anyone holding a leaked token act as any\n * user. The header path remains for the single-tenant local-dev install flow\n * where the app server process has no owner env and the token is the\n * workspace secret; multi-tenant deployments must use A2A JWT (verified `sub`),\n * not a static token, for per-user scope.\n \n Returns `undefined` when no owner email is available (true dev-open: no\n * token, no secret, no owner) so behavior there stays unchanged.\n /\nfunction deriveStaticTokenIdentity(\n ownerEmailHeader: string \| undefined,\n): MCPCallerIdentity \| undefined {\n const owner =\n process.env.AGENT_NATIVE_OWNER_EMAIL?.trim() \|\|\n (typeof ownerEmailHeader === \"string\" && ownerEmailHeader.trim()) \|\|\n \"\";\n if (!owner) return undefined;\n return { userEmail: owner, orgDomain: undefined };\n}\n\nexport function getBearerToken(\n authHeader: string \| undefined,\n): string \| undefined {\n if (!authHeader) return undefined;\n const match = /^Bearer\\s+(.+)$/i.exec(authHeader.trim());\n return match?.[1]?.trim() \|\| undefined;\n}\n\nfunction addSecretCandidate(\n candidates: string[],\n secret: string \| null \| undefined,\n): void {\n const trimmed = secret?.trim();\n if (!trimmed \|\| candidates.includes(trimmed)) return;\n candidates.push(trimmed);\n}\n\nasync function verifyA2AJwtForMcp(\n token: string,\n): Promise<Record<string, unknown> \| null> {\n const jose = await import(\"jose\");\n let unverifiedPayload: Record<string, unknown> \| null = null;\n try {\n unverifiedPayload = jose.decodeJwt(token) as Record<string, unknown>;\n } catch {\n return null;\n }\n\n const candidateSecrets: string[] = [];\n addSecretCandidate(candidateSecrets, process.env.A2A_SECRET);\n\n const orgDomain =\n typeof unverifiedPayload.org_domain === \"string\"\n ? unverifiedPayload.org_domain\n : undefined;\n if (orgDomain) {\n try {\n const { getA2ASecretByDomain } = await import(\"../org/context.js\");\n addSecretCandidate(\n candidateSecrets,\n await getA2ASecretByDomain(orgDomain),\n );\n } catch {\n // DB not ready or org lookup unavailable — fall back to other candidates.\n }\n }\n\n for (const secret of candidateSecrets) {\n try {\n const { payload } = await jose.jwtVerify(\n token,\n new TextEncoder().encode(secret),\n );\n return payload as Record<string, unknown>;\n } catch {\n // Try the next candidate without exposing which secret matched.\n }\n }\n\n return null;\n}\n\nasync function isConnectTokenAllowed(\n jti: string \| undefined,\n): Promise<boolean> {\n if (!jti) return false;\n try {\n const { isJtiRevoked, touchTokenUsed } = await import(\"./connect-store.js\");\n if (await isJtiRevoked(jti)) return false;\n // Best-effort usage telemetry — never blocks / throws.\n void touchTokenUsed(jti);\n } catch {\n // Store import / lookup failed — fail open. Signature verification already\n // passed; this only gates explicit revokes.\n }\n return true;\n}\n\n/\n Verify the inbound auth header. Returns:\n * - { authed: true, identity } when verified — `identity` is derived from\n * the JWT (`sub` / `org_domain`) for JWT auth, or from the\n * `AGENT_NATIVE_OWNER_EMAIL` env / `X-Agent-Native-Owner-Email` header\n * for static-token auth (the `agent-native mcp install` flow). `identity`\n * is undefined only for true dev-open with no owner hint.\n * - { authed: false } on rejection.\n \n When A2A_SECRET is set we extract the JWT's `sub` (caller email) and\n * `org_domain` claims so the MCP endpoint can wrap tool runs in\n * `runWithRequestContext({ userEmail, orgId })`. Without that wrap, the\n * MCP endpoint loses tenant identity and downstream `accessFilter` /\n * `resolveCredential` calls fall back to platform-wide defaults.\n \n `ownerEmailHeader` is the forwarded `X-Agent-Native-Owner-Email` value; it\n * is consulted ONLY on the static-token / dev-open path (never to influence\n * verified JWT identity), so the install flow runs tools as the configured\n * owner instead of an unscoped anonymous caller.\n /\nexport async function verifyAuth(\n authHeader: string \| undefined,\n ownerEmailHeader?: string \| undefined,\n options: { allowDevOpen?: boolean; resourceUrl?: string \| string[] } = {},\n): Promise<{\n authed: boolean;\n identity?: MCPCallerIdentity;\n /\n The caller presented a real credential — a verified A2A/connect JWT, a\n * matching ACCESS_TOKEN, or (on the no-auth-configured path) a forwarded\n * owner-email header from `agent-native mcp install`. Drives the full vs\n * sparse MCP tool surface in local dev. The pure unauthenticated dev-open\n * path (no secret, no token, no owner header) is `false`.\n /\n fullSurface?: boolean;\n /\n The caller explicitly opted up to the full connector catalog by minting\n * their token with `--full-catalog` (or equivalent). When `true`, the\n * compact/connector-catalog tier filter (active by default whenever a\n * `connectorCatalog` is declared) is bypassed for this caller. Derived from a\n * `catalog_scope: \"full\"` claim in the verified A2A/connect JWT.\n /\n fullCatalog?: boolean;\n}> {\n // No auth configured → allow only when the route caller has already\n // established that this is a loopback/local dev request. Still honour an\n // owner hint there so the local install/connect flow stays tenant-scoped.\n const accessTokens = getAccessTokens();\n const hasA2ASecret = !!process.env.A2A_SECRET?.trim();\n const token = getBearerToken(authHeader);\n if (token) {\n const oauthIdentity = await verifyMcpOAuthAccessToken(\n token,\n options.resourceUrl,\n );\n if (oauthIdentity) {\n if (\n oauthIdentity.clientId === MCP_CONNECT_OAUTH_CLIENT_ID &&\n !(await isConnectTokenAllowed(oauthIdentity.jti))\n ) {\n return { authed: false };\n }\n return {\n authed: true,\n identity: {\n userEmail: oauthIdentity.userEmail,\n ...(oauthIdentity.orgId ? { orgId: oauthIdentity.orgId } : {}),\n orgDomain: oauthIdentity.orgDomain,\n oauthScopes: oauthIdentity.scopes,\n oauthClientId: oauthIdentity.clientId,\n },\n fullSurface: true,\n // Per-token opt-up: `catalog_scope: \"full\"` in the OAuth token\n // bypasses the connector-catalog tier filter on hosted deployments.\n fullCatalog: oauthIdentity.catalogScope === \"full\",\n };\n }\n }\n if (accessTokens.length === 0 && !hasA2ASecret && !token) {\n if (options.allowDevOpen === false) {\n return { authed: false };\n }\n return {\n authed: true,\n identity: deriveStaticTokenIdentity(ownerEmailHeader),\n // `mcp install`'s stdio proxy forwards an owner-email header even when\n // the local app has no secret configured — that is a real, identified\n // caller and gets the full surface. A bare browser/curl dev probe with\n // no owner hint stays on the sparse dev surface.\n fullSurface: !!(ownerEmailHeader && ownerEmailHeader.trim()),\n };\n }\n\n if (!token) return { authed: false };\n\n // Try an A2A JWT via the shared A2A_SECRET first, then the caller org's\n // synced A2A secret when the token carries org_domain.\n const payload = await verifyA2AJwtForMcp(token);\n if (payload) {\n const tokenScope =\n typeof payload.scope === \"string\" ? payload.scope : undefined;\n if (tokenScope && tokenScope !== MCP_CONNECT_SCOPE) {\n return { authed: false };\n }\n\n // Connect-minted tokens (scope === \"mcp-connect\") carry a random `jti`\n // and are individually revocable. Only these tokens hit the revoke\n // store — ordinary A2A delegation JWTs skip the DB lookup entirely so\n // the hot path is unchanged. The signature was already\n // cryptographically verified, so failing open here only widens the\n // explicit-revoke gate, never the trust boundary.\n if (tokenScope === MCP_CONNECT_SCOPE) {\n if (!(await isConnectTokenAllowed(payload.jti as string \| undefined))) {\n return { authed: false };\n }\n }\n\n return {\n authed: true,\n identity: {\n userEmail: typeof payload.sub === \"string\" ? payload.sub : undefined,\n // Org SERVICE tokens (connect-minted, synthetic `svc-@service.<org>`\n // subject) carry the org id directly as an `org_id` claim so the\n // resolved identity is org-scoped even when the org has no domain\n // mapping. Personal/delegation JWTs don't set the claim — unchanged.\n ...(typeof payload.org_id === \"string\" && payload.org_id\n ? { orgId: payload.org_id as string }\n : {}),\n orgDomain:\n typeof payload.org_domain === \"string\"\n ? (payload.org_domain as string)\n : undefined,\n },\n // Verified JWT (connect-minted or A2A delegation) — a real caller.\n fullSurface: true,\n // Per-token opt-up: `catalog_scope: \"full\"` embedded at mint time via\n // `agent-native connect --full-catalog` bypasses the connector-catalog\n // tier filter on hosted multi-tenant deployments.\n fullCatalog: payload.catalog_scope === \"full\",\n };\n }\n\n if (accessTokens.length === 0 && !hasA2ASecret) {\n if (options.allowDevOpen === false) {\n return { authed: false };\n }\n return {\n authed: true,\n identity: deriveStaticTokenIdentity(ownerEmailHeader),\n fullSurface: !!(ownerEmailHeader && ownerEmailHeader.trim()),\n };\n }\n\n // Try ACCESS_TOKEN / ACCESS_TOKENS exact match. Static tokens carry no\n // per-caller claims, so derive identity from the forwarded owner-email\n // hint (install flow) — otherwise tools would run unscoped. Compare in\n // constant time (matching the rest of this subsystem's secret-comparison\n // discipline); node:crypto is imported dynamically because this module is\n // bundled into the serverless function and avoids static Node-only imports.\n if (accessTokens.length > 0) {\n const { timingSafeEqual } = await import(\"node:crypto\");\n const candidate = Buffer.from(token, \"utf8\");\n const matched = accessTokens.some((configured) => {\n const expected = Buffer.from(configured, \"utf8\");\n return (\n expected.length === candidate.length &&\n timingSafeEqual(expected, candidate)\n );\n });\n if (matched) {\n return {\n authed: true,\n identity: deriveStaticTokenIdentity(ownerEmailHeader),\n // Matched a configured ACCESS_TOKEN — a real caller.\n fullSurface: true,\n };\n }\n }\n\n return { authed: false };\n}\n\nexport async function resolveOrgIdFromDomain(\n orgDomain: string \| undefined,\n): Promise<string \| undefined> {\n if (!orgDomain) return undefined;\n try {\n const { resolveOrgByDomain } = await import(\"../org/context.js\");\n const org = await resolveOrgByDomain(orgDomain);\n return org?.orgId ?? undefined;\n } catch {\n return undefined;\n }\n}\n"]}
1	+ {"version":3,"file":"build-server.js","sourceRoot":"","sources":["../../src/mcp/build-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAChE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,6BAA6B,GAG9B,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,iCAAiC,EAAE,MAAM,gBAAgB,CAAC;AACnE,OAAO,EACL,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,GAChB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,yBAAyB,EACzB,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,+BAA+B,EAAE,MAAM,yBAAyB,CAAC;AAC1E,OAAO,EAAE,uBAAuB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EACL,2BAA2B,EAC3B,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAEL,gBAAgB,EAChB,yBAAyB,GAC1B,MAAM,kBAAkB,CAAC;AAqI1B,SAAS,4BAA4B,CACnC,KAAkB,EAClB,MAA4B;IAE5B,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,QAAQ,GACZ,KAAK,CAAC,QAAQ,KAAK,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC;IACrD,OAAO,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,gCAAgC,GAAG,IAAI,GAAG,CAAC;IAC/C,WAAW;IACX,UAAU;IACV,SAAS;IACT,gBAAgB;IAChB,sBAAsB;IACtB,0EAA0E;IAC1E,2EAA2E;IAC3E,6DAA6D;IAC7D,aAAa;CACd,CAAC,CAAC;AAEH,SAAS,wCAAwC,CAC/C,IAAY,EACZ,KAAkB,EAClB,MAAiB;IAEjB,IAAI,gCAAgC,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,IACG,KAAK,CAAC,MAAmD;QACxD,EAAE,cAAc,KAAK,IAAI,EAC3B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAM,CAAC,oBAAoB,KAAK,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC;QACpE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gCAAgC,CACvC,WAAuC;IAEvC,yEAAyE;IACzE,uEAAuE;IACvE,iDAAiD;IACjD,+EAA+E;IAC/E,uEAAuE;IACvE,2EAA2E;IAC3E,4EAA4E;IAC5E,uEAAuE;IACvE,uBAAuB;IACvB,IAAI,OAAO,CAAC,GAAG,CAAC,6BAA6B,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,WAAW,EAAE,WAAW,KAAK,IAAI,CAAC;AAC3C,CAAC;AAED,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAAU,CAAC;AAEhD;;;;;GAKG;AACH,SAAS,qBAAqB,CAAC,SAAiB;IAC9C,MAAM,MAAM,GACV,OAAO,CAAC,GAAG,CAAC,6BAA6B,KAAK,GAAG;QAC/C,CAAC,CAAC,iCAAiC;QACnC,CAAC,CAAC,yDAAyD,CAAC;IAChE,MAAM,GAAG,GAAG,GAAG,MAAM,IAAI,SAAS,EAAE,CAAC;IACrC,IAAI,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO;IAC3C,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,CAAC,IAAI,CACV,qDAAqD,SAAS,eAAe,MAAM,IAAI;QACrF,6EAA6E;QAC7E,iFAAiF,CACpF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAS,0BAA0B,CAAC,IAAY,EAAE,MAAiB;IACjE,IAAI,gCAAgC,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1D,OAAO,MAAM,CAAC,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAChD,CAAC;AAwBD,SAAS,cAAc,CAAC,KAAc;IACpC,OAAO,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAChE,CAAC,CAAE,KAAiC;QACpC,CAAC,CAAC,EAAE,CAAC;AACT,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE;QAAE,OAAO,SAAS,CAAC;IACjE,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,wBAAwB,CAAC,KAAc;IAC9C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE;QAAE,OAAO,SAAS,CAAC;IACjE,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,CAAC;QACH,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QACjB,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,SAAiB;IAC/C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,6BAA6B,CAAC;QAC3C,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;YACnC,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC;YAC1B,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QACvB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;QAC3D,OAAO,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;YAC9B,CAAC,CAAC,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE;YAC3C,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,6BAA6B,CAAC;QAC3C,MAAM,GAAG,GAAG,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QAC1E,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAa;IACzC,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzD,MAAM,GAAG,GAAG,SAAS;YACnB,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC;YAChB,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QACxD,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QAClE,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACzC,IAAI,wBAAwB,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACtD,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,mBAAmB,CAAC,KAAc,EAAE,KAAK,GAAG,CAAC;IACpD,IAAI,KAAK,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,KAAK,CAAC;IAC/D,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,mBAAmB,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC,EAAE,CAAC;YAC1E,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;gBACpD,sEAAsE;gBACtE,qEAAqE;gBACrE,SAAS;YACX,CAAC;YACD,GAAG,CAAC,GAAG,CAAC,GAAG,mBAAmB,CAAC,GAAG,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,uBAAuB,CAC9B,MAAe,EACf,QAAgC,EAChC,IAAgC;IAEhC,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACnC,MAAM,aAAa,GACjB,OAAO,GAAG,CAAC,aAAa,KAAK,QAAQ;QACnC,CAAC,CAAC,GAAG,CAAC,aAAa;QACnB,CAAC,CAAC,GAAG,CAAC,KAAK,KAAK,IAAI;YAChB,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ;YAC3B,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,4BAA4B,CAAC;YAChD,CAAC,CAAC,GAAG,CAAC,GAAG;YACT,CAAC,CAAC,IAAI,CAAC;IACb,IAAI,CAAC,aAAa;QAAE,OAAO,EAAE,CAAC;IAE9B,MAAM,MAAM,GAAG,iBAAiB,CAC9B,sBAAsB,CAAC,aAAa,CAAC,EACrC,IAAI,EAAE,MAAM,CACb,CAAC;IACF,MAAM,WAAW,GACf,OAAO,GAAG,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/D,MAAM,aAAa,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,IAAI,IAAI,KAAK,CAAC;IAC/D,MAAM,KAAK,GACT,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE;QAC3C,CAAC,CAAC,QAAQ,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE;QAC1B,CAAC,CAAC,aAAa,CAAC;IACpB,MAAM,IAAI,GACR,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;QAC7C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;QACjB,CAAC,CAAC,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;YAC/C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;YACjB,CAAC,CAAC,SAAS,CAAC;IAClB,sEAAsE;IACtE,qEAAqE;IACrE,oEAAoE;IACpE,qEAAqE;IACrE,uEAAuE;IACvE,uEAAuE;IACvE,qEAAqE;IACrE,+BAA+B;IAC/B,MAAM,iBAAiB,GACrB,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAC1B,CAAC,CAAC,IAAI;QACN,CAAC,CAAC,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;YAC/D,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;YACjB,CAAC,CAAC,SAAS,CAAC;IAClB,MAAM,eAAe,GAAG,WAAW;QACjC,CAAC,CAAC,WAAW;QACb,CAAC,CAAC,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC;YACxD,CAAC,CAAC,GAAG,CAAC,GAAG;YACT,CAAC,CAAC,iBAAiB,CAAC;IACxB,MAAM,WAAW,GAAG,eAAe;QACjC,CAAC,CAAC,iBAAiB,CAAC,eAAe,EAAE,IAAI,EAAE,MAAM,CAAC;QAClD,CAAC,CAAC,IAAI,CAAC;IACT,uEAAuE;IACvE,2EAA2E;IAC3E,yEAAyE;IACzE,sEAAsE;IACtE,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE;QAC/B,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAC9B,MAAM,GAAG,GACP,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE;YAC3C,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE;YAChB,CAAC,CAAC,SAAS,CAAC;QAChB,IAAI,CAAC,GAAG;YAAE,OAAO,WAAW,CAAC;QAC7B,IAAI,yBAAyB,CAAC,WAAW,CAAC,EAAE,CAAC;YAC3C,OAAO,gBAAgB,CAAC,WAAW,CAAC,CAAC;QACvC,CAAC;QACD,MAAM,WAAW,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;QACtD,IAAI,CAAC,WAAW;YAAE,OAAO,WAAW,CAAC;QACrC,MAAM,SAAS,GACb,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACzE,MAAM,MAAM,GACV,GAAG,CAAC,MAAM,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC;YACxE,CAAC,CAAE,GAAG,CAAC,MAGH;YACJ,CAAC,CAAC,SAAS,CAAC;QAChB,OAAO,gBAAgB,CACrB,aAAa,CAAC;YACZ,GAAG;YACH,IAAI,EAAE,SAAS;YACf,EAAE,EAAE,WAAW;YACf,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC9B,CAAC,CACH,CAAC;IACJ,CAAC,CAAC,EAAE,CAAC;IAEL,OAAO;QACL,yBAAyB,EAAE;YACzB,QAAQ,EAAE,MAAM;YAChB,GAAG,CAAC,OAAO,GAAG,CAAC,cAAc,KAAK,QAAQ;gBACxC,CAAC,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,cAAc,EAAE;gBACnC,CAAC,CAAC,EAAE,CAAC;SACR;QACD,GAAG,CAAC,WAAW;YACb,CAAC,CAAC;gBACE,uBAAuB,EAAE;oBACvB,KAAK;oBACL,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACzB,MAAM,EAAE,WAAW;oBACnB,UAAU,EAAE,kBAAkB,IAAI,WAAW;oBAC7C,SAAS,EAAE,eAAe,CAAC,WAAW,CAAC;iBACxC;aACF;YACH,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gCAAgC,CAC7C,MAAe,EACf,IAAgC;IAEhC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,GAAG,GAAG,MAAiC,CAAC;IAC9C,IAAI,GAAG,CAAC,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IACtC,IAAI,OAAO,GAAG,CAAC,aAAa,KAAK,QAAQ,IAAI,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,EAAE,CAAC;QACtE,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IACE,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ;QAC3B,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE;QACd,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,EACxB,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC,IAAI,CACzD,CAAC,KAAK,EAAmB,EAAE,CACzB,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CACvD,CAAC;IACF,IAAI,CAAC,SAAS;QAAE,OAAO,MAAM,CAAC;IAE9B,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;IACjC,MAAM,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACpE,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACrD,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc;QAAE,OAAO,MAAM,CAAC;IAC9C,IAAI,cAAc,IAAI,CAAC,IAAI,EAAE,MAAM;QAAE,OAAO,MAAM,CAAC;IAEnD,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,MAAM,UAAU,GAAG,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAC1C,IAAI,CAAC,UAAU;QAAE,OAAO,MAAM,CAAC;IAE/B,MAAM,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,GAC1D,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;IAC7C,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IACzE,MAAM,UAAU,GAAG,wBAAwB,CACzC,sBAAsB,CAAC,OAAO,CAAC,EAC/B,IAAI,EAAE,MAAM,CACb,CAAC;IACF,IAAI,CAAC,UAAU;QAAE,OAAO,MAAM,CAAC;IAE/B,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAAC;QAC5C,UAAU;QACV,KAAK,EAAE,GAAG,EAAE,KAAK;QACjB,UAAU;QACV,KAAK,EAAE,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI;KAC1D,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACrD,MAAM,aAAa,GAAG,IAAI,EAAE,MAAM;QAChC,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE;QAC5C,CAAC,CAAC,SAAS,CAAC;IAEd,OAAO;QACL,GAAG,GAAG;QACN,aAAa;QACb,eAAe,EAAE,UAAU;QAC3B,cAAc,EAAE,MAAM,CAAC,SAAS;KACjC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,KAAkB,EAClB,IAAyB,EACzB,MAAW,EACX,IAAgC;IAKhC,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,UAAU;QAAE,OAAO,EAAE,CAAC;IAChD,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QACpD,IAAI,CAAC,EAAE,EAAE,GAAG;YAAE,OAAO,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,yBAAyB,CAAC,EAAE,CAAC,GAAG,CAAC;YAC/C,CAAC,CAAC,8BAA8B,CAAC,EAAE,CAAC,GAAG,CAAC;YACxC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC;QACX,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,WAAW,GAAG,IAAI,EAAE,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC;QACrE,OAAO;YACL,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,KAAK,OAAO,WAAW,GAAG,EAAE;YACpE,KAAK,EAAE;gBACL,uBAAuB,EAAE;oBACvB,KAAK,EAAE,EAAE,CAAC,KAAK;oBACf,IAAI,EAAE,EAAE,CAAC,IAAI;oBACb,MAAM;oBACN,UAAU;oBACV,SAAS;iBACV;aACF;SACF,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,iBAAiB,CACxB,MAAiB,EACjB,WAAwC,EACxC,WAA4B;IAE5B,IAAI,MAAM,CAAC,oBAAoB,KAAK,KAAK;QAAE,OAAO,WAAW,CAAC;IAC9D,MAAM,QAAQ,GAAG,uBAAuB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAC9D,MAAM,MAAM,GAAgC,EAAE,GAAG,QAAQ,EAAE,CAAC;IAC5D,wDAAwD;IACxD,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QACxD,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;IACvB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAC1B,KAAyB,EACzB,WAA4B;IAE5B,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,IAAI,CAAC;QACH,IAAI,WAAW,EAAE,MAAM,EAAE,CAAC;YACxB,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,IAAI,wBAAwB,EAAE,CAAC;YACpE,MAAM,OAAO,GAAG,GAAG,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,QAAQ,GAAG,CAAC;YACxE,MAAM,aAAa,GACjB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;gBAClD,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;gBAC7B,CAAC,CAAC,OAAO,CAAC;YACd,OAAO,IAAI,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC;QAC9C,CAAC;QACD,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,MAAiB,EAAE,WAA4B;IACpE,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACvE,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK;QACxB,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACb,MAAM,GAAG,GAAG,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;QACvD,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO;YACL,GAAG;YACH,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpD,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7C,CAAC;IACJ,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,IAAI,EAAoC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACrE,OAAO;QACL,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,OAAO;QAClC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE;YAC5B,CAAC,CAAC,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,EAAE;YAC5C,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACrC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,KAAyB,EAAE,QAAgB;IAChE,MAAM,UAAU,GAAG,CAAC,KAAK,IAAI,QAAQ,CAAC;SACnC,IAAI,EAAE;SACN,WAAW,EAAE;SACb,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC;SAC9B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC3B,OAAO,UAAU,IAAI,QAAQ,CAAC;AAChC,CAAC;AAED,2EAA2E;AAC3E,2EAA2E;AAC3E,MAAM,8BAA8B,GAAG,WAAW,CAAC;AAEnD,SAAS,sBAAsB,CAAC,MAAiB,EAAE,UAAkB;IACnE,MAAM,GAAG,GAAG,aAAa,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACvE,MAAM,MAAM,GAAG,aAAa,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACjD,OAAO,QAAQ,GAAG,IAAI,MAAM,EAAE,CAAC;AACjC,CAAC;AAED,SAAS,wBAAwB,CAC/B,MAAc;IAEd,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC1B,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,aAAa,GAAG,IAAI,8BAA8B,EAAE,CAAC;IAC3D,IAAI,YAAoB,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAClD,MAAM,CAAC,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC;YAC1C,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,aAAa,CAAC;YAC9C,CAAC,CAAC,GAAG,IAAI,GAAG,aAAa,EAAE,CAAC;QAC9B,YAAY,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO;QACL,GAAG,EAAE,YAAY;QACjB,GAAG,CAAC,YAAY,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACvD,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,GAAW;IAC7C,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ;aAC9B,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;aACpB,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;QACjC,OAAO,MAAM,CAAC,QAAQ,EAAE,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,kCAAkC,CAAC,GAAY;IACtD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACzC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9C,OAAO,CACL,0BAA0B,CAAC,OAAO,CAAC;QACnC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,2BAA2B,EAAE,EAAE,CAAC,CACtE,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAC/B,WAAuC,EACvC,YAAqB;IAErB,IAAI,OAAO,YAAY,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACnD,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC;IACtC,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAC/C,IAAI,WAAW,CAAC,UAAU,EAAE,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,aAAa,GAAG,kCAAkC,CAAC,SAAS,CAAC,CAAC;IACpE,MAAM,WAAW,GAAG,kCAAkC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACxE,OAAO,OAAO,CAAC,aAAa,IAAI,WAAW,IAAI,aAAa,KAAK,WAAW,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,oBAAoB,CAC3B,MAAiB,EACjB,UAAkB,EAClB,KAAkB;IAElB,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC;IACxC,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,OAAO,GACX,QAAQ,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,sBAAsB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACrE,OAAO,wBAAwB,CAAC,OAAO,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,0BAA0B,CACjC,OAA6B,EAC7B,WAA4B;IAE5B,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,MAAM,MAAM,GAAG,WAAW,EAAE,MAAM,CAAC;IACnC,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE,CAChC,MAAM,KAAK,iCAAiC,IAAI,MAAM;QACpD,CAAC,CAAC,CAAC,MAAM,CAAC;QACV,CAAC,CAAC,CAAC,MAAM,CAAC,CACb,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CACtB,SAAsC,EACtC,WAA4B;IAE5B,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAC;IACjC,MAAM,GAAG,GAA6B,EAAE,CAAC;IACzC,MAAM,cAAc,GAAG,0BAA0B,CAC/C,SAAS,CAAC,cAAc,EACxB,WAAW,CACZ,CAAC;IACF,MAAM,eAAe,GAAG,0BAA0B,CAChD,SAAS,CAAC,eAAe,EACzB,WAAW,CACZ,CAAC;IACF,MAAM,YAAY,GAAG,0BAA0B,CAC7C,SAAS,CAAC,YAAY,EACtB,WAAW,CACZ,CAAC;IACF,IAAI,cAAc,EAAE,MAAM;QAAE,GAAG,CAAC,eAAe,GAAG,cAAc,CAAC;IACjE,IAAI,eAAe,EAAE,MAAM;QAAE,GAAG,CAAC,gBAAgB,GAAG,eAAe,CAAC;IACpE,IAAI,YAAY,EAAE,MAAM;QAAE,GAAG,CAAC,aAAa,GAAG,YAAY,CAAC;IAC3D,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;AACvD,CAAC;AAED,SAAS,YAAY,CACnB,QAAoC,EACpC,WAAwC,EACxC,WAA4B,EAC5B,WAAoB;IAEpB,MAAM,IAAI,GACR,QAAQ,CAAC,KAAK,IAAI,OAAO,QAAQ,CAAC,KAAK,KAAK,QAAQ;QAClD,CAAC,CAAC,EAAE,GAAG,QAAQ,CAAC,KAAK,EAAE;QACvB,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,UAAU,GACd,IAAI,CAAC,EAAE,IAAI,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/D,CAAC,CAAE,IAAI,CAAC,EAA8B;QACtC,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,EAAE,GAA4B,EAAE,GAAG,UAAU,EAAE,CAAC;IACtD,OAAO,EAAE,CAAC,MAAM,CAAC;IACjB,IAAI,WAAW,EAAE,CAAC;QAChB,EAAE,CAAC,GAAG,GAAG;YACP,GAAG,WAAW;YACd,cAAc,EAAE,0BAA0B,CACxC,WAAW,CAAC,cAAc,EAC1B,WAAW,CACZ;YACD,eAAe,EAAE,0BAA0B,CACzC,WAAW,CAAC,eAAe,EAC3B,WAAW,CACZ;YACD,YAAY,EAAE,0BAA0B,CACtC,WAAW,CAAC,YAAY,EACxB,WAAW,CACZ;YACD,cAAc,EAAE,0BAA0B,CACxC,WAAW,CAAC,cAAc,EAC1B,WAAW,CACZ;SACF,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,WAAW;QAAE,EAAE,CAAC,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;IAChE,MAAM,kBAAkB,GACtB,wBAAwB,CAAC,QAAQ,CAAC,MAAM,CAAC;QACzC,wBAAwB,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,kBAAkB;QAAE,EAAE,CAAC,MAAM,GAAG,kBAAkB,CAAC;IACvD,MAAM,kBAAkB,GACtB,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC7B,YAAY,CAAC,EAAE,CAAC,MAAM,CAAC;QACvB,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC;QAC/B,YAAY,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACpC,IAAI,OAAO,QAAQ,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QAChD,EAAE,CAAC,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC;IAC5C,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;IAC7C,IAAI,WAAW,IAAI,IAAI,CAAC,0BAA0B,CAAC,IAAI,IAAI,EAAE,CAAC;QAC5D,IAAI,CAAC,0BAA0B,CAAC,GAAG,WAAW,CAAC;IACjD,CAAC;IACD,IACE,OAAO,QAAQ,CAAC,aAAa,KAAK,SAAS;QAC3C,IAAI,CAAC,4BAA4B,CAAC,IAAI,IAAI,EAC1C,CAAC;QACD,IAAI,CAAC,4BAA4B,CAAC,GAAG,QAAQ,CAAC,aAAa,CAAC;IAC9D,CAAC;IACD,MAAM,SAAS,GAAG,eAAe,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IAC5D,IAAI,SAAS,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,IAAI,EAAE,CAAC;QAClD,IAAI,CAAC,kBAAkB,CAAC,GAAG,SAAS,CAAC;IACvC,CAAC;IACD,IAAI,kBAAkB,IAAI,IAAI,CAAC,qBAAqB,CAAC,IAAI,IAAI,EAAE,CAAC;QAC9D,IAAI,CAAC,qBAAqB,CAAC,GAAG,kBAAkB,CAAC;IACnD,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,QAAoC,EACpC,GAA0B;IAE1B,IAAI,CAAC,QAAQ,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IACpC,OAAO,OAAO,QAAQ,CAAC,GAAG,KAAK,UAAU;QACvC,CAAC,CAAC,MAAM,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;QACzB,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,MAAiB,EACjB,UAAkB,EAClB,KAAkB,EAClB,WAA4B;IAE5B,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC;IACxC,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,WAAW,GAAG,oBAAoB,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;IACpE,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,IAAI,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;IACnE,MAAM,WAAW,GAAG,MAAM,gBAAgB,CAAC,QAAQ,EAAE;QACnD,UAAU;QACV,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,aAAa,EAAE,WAAW,EAAE,MAAM;KACnC,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,YAAY,CAC/B,QAAQ,EACR,WAAW,EACX,WAAW,EACX,WAAW,CACZ,CAAC;IACF,OAAO;QACL,GAAG,EAAE,WAAW,CAAC,GAAG;QACpB,GAAG,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACzE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,UAAU;QACzC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACpD,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvC,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,iBAAiB;QAChD,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,2BAA2B,CACxC,MAAiB,EACjB,UAAkB,EAClB,KAAkB,EAClB,WAA4B;IAE5B,IAAI,CAAC;QACH,OAAO,MAAM,qBAAqB,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC;IAC7E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CACV,+CAA+C,UAAU,+CAA+C,EACxG,KAAK,CACN,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,MAAiB,EACjB,OAAoC,EACpC,WAA4B;IAE5B,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CACjC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAC5C,2BAA2B,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,CAAC,CAC9D,CACF,CAAC;IACF,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAsC,EAAE,CACvE,OAAO,CAAC,QAAQ,CAAC,CAClB,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CACvB,QAAgC,EAChC,UAAkB,EAClB,MAAiB,EACjB,WAA4B;IAE5B,IAAI,OAAO,QAAQ,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QACxC,OAAO,QAAQ,CAAC,IAAI,CAAC;YACnB,UAAU;YACV,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,aAAa,EAAE,WAAW,EAAE,MAAM;SACnC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,QAAQ,CAAC,IAAI,CAAC;AACvB,CAAC;AAED,SAAS,wBAAwB,CAC/B,QAAgC;IAEhC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,IAAI,CAAC;IAC9C,MAAM,SAAS,GAAG,cAAc,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACvE,OAAO;QACL,uBAAuB,EAAE,QAAQ,CAAC,GAAG;QACrC,gCAAgC,EAAE,WAAW,KAAK,EAAE;QACpD,+BAA+B,EAAE,GAAG,KAAK,QAAQ;QACjD,yBAAyB,EAAE,IAAI;QAC/B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC;YACnC,CAAC,CAAC,EAAE,kBAAkB,EAAE,SAAS,EAAE;YACnC,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAC3B,QAAgC;IAEhC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,IAAI,CAAC;IAC9C,MAAM,SAAS,GAAG,cAAc,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACvE,OAAO;QACL,uBAAuB,EAAE,QAAQ,CAAC,GAAG;QACrC,gCAAgC,EAAE,WAAW,KAAK,EAAE;QACpD,+BAA+B,EAAE,GAAG,KAAK,QAAQ;QACjD,yBAAyB,EAAE,IAAI;QAC/B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC;YACnC,CAAC,CAAC,EAAE,kBAAkB,EAAE,SAAS,EAAE;YACnC,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CACvB,QAAgC,EAChC,UAAmB;IAEnB,OAAO;QACL,WAAW,EAAE,QAAQ,CAAC,GAAG;QACzB,UAAU,EAAE,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC;KACtE,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ;QACzB,OAAO,KAAK,KAAK,QAAQ;QACzB,OAAO,KAAK,KAAK,SAAS,CAC3B,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAC9B,MAAe,EACf,IAAyC;IAEzC,MAAM,GAAG,GACP,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAC5D,CAAC,CAAC,EAAE,GAAI,MAAkC,EAAE;QAC5C,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC;YACtB,CAAC,CAAC,EAAE,MAAM,EAAE;YACZ,CAAC,CAAC,EAAE,CAAC;IACX,KAAK,MAAM,GAAG,IAAI,CAAC,eAAe,EAAE,UAAU,CAAC,EAAE,CAAC;QAChD,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,eAAe,CAAC,KAAK,CAAC;YAAE,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5D,OAAO,GAAG,CAAC,GAAG,CAAC;IACjB,CAAC;IACD,6EAA6E;IAC7E,2EAA2E;IAC3E,6EAA6E;IAC7E,6EAA6E;IAC7E,uEAAuE;IACvE,KAAK,MAAM,GAAG,IAAI;QAChB,iBAAiB;QACjB,gBAAgB;QAChB,QAAQ;QACR,aAAa;KACd,EAAE,CAAC;QACF,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;IAClB,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,IAAI,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,EAAE,CAAC,uBAAuB,CAAC,CAAC;IACjD,IAAI,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzE,MAAM,MAAM,GAAI,QAAoC,CAAC,MAAM,CAAC;QAC5D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1D,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QAC9D,CAAC;QACD,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACxB,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,GAAG;YAAE,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC;IAC/D,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AAC9D,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa,EAAE,GAAG,GAAG,IAAI;IACjD,IAAI,KAAK,CAAC,MAAM,IAAI,GAAG;QAAE,OAAO,KAAK,CAAC;IACtC,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC;AACvC,CAAC;AAED,SAAS,qBAAqB,CAC5B,IAAY,EACZ,MAAe,EACf,iBAA0C;IAE1C,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC;IAC1C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QAClD,OAAO,gBAAgB,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,KAAK,GAAG,iBAAiB,CAAC,KAAK,IAAI,iBAAiB,CAAC,IAAI,CAAC;IAChE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;QAC9C,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,YAAY,CAAC;IACrC,CAAC;IACD,MAAM,EAAE,GAAG,iBAAiB,CAAC,EAAE,CAAC;IAChC,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC;QACxC,OAAO,GAAG,IAAI,kBAAkB,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC;IAC/C,CAAC;IACD,OAAO,GAAG,IAAI,aAAa,CAAC;AAC9B,CAAC;AAED,SAAS,mBAAmB,CAAC,KAA8B;IACzD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACxB,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC;QACxB,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,IAAI,KAAK,IAAI,CAAC;QAC5D,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YACrB,OAAO,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,WAAW,CAAC;QACrE,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY,EAAE,MAAe;IAC1D,MAAM,MAAM,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC3C,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAChE,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,IAAI,IAAI;QAAE,OAAO,GAAG,IAAI,aAAa,CAAC;IACnE,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnE,MAAM,MAAM,GAAG,MAAiC,CAAC;QACjD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC;QACjD,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;YAClD,OAAO,gBAAgB,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1C,CAAC;QACD,MAAM,EAAE,GAAG,MAAM,CAAC,EAAE,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,CAAC;QAC1D,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC;QAC1C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;YAC9C,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAC/B,OAAO,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,IAAI,EAAE;gBACxC,CAAC,CAAC,GAAG,SAAS,KAAK,EAAE,CAAC,IAAI,EAAE,aAAa;gBACzC,CAAC,CAAC,GAAG,SAAS,YAAY,CAAC;QAC/B,CAAC;QACD,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC;YACxC,OAAO,GAAG,IAAI,kBAAkB,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC;QAC/C,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC;QACxD,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YAC5C,OAAO,GAAG,IAAI,eAAe,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC;QACpE,CAAC;QACD,IAAI,mBAAmB,CAAC,MAAM,CAAC;YAAE,OAAO,GAAG,IAAI,aAAa,CAAC;IAC/D,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACpC,OAAO,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI,aAAa,CAAC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;AAC5E,CAAC;AAED,8EAA8E;AAC9E,mEAAmE;AACnE,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,MAAiB,EACjB,QAAuC,EACvC,WAA4B;IAE5B,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;IAC7E,MAAM,EACJ,sBAAsB,EACtB,qBAAqB,EACrB,0BAA0B,EAC1B,yBAAyB,EACzB,kCAAkC,GACnC,GAAG,MAAM,MAAM,CAAC,oCAAoC,CAAC,CAAC;IAEvD,uEAAuE;IACvE,0EAA0E;IAC1E,8DAA8D;IAC9D,4EAA4E;IAC5E,6EAA6E;IAC7E,2EAA2E;IAC3E,yEAAyE;IACzE,sBAAsB;IACtB,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,IAAI,EAAE,CAAC;IAClE,MAAM,iBAAiB,GACrB,QAAQ;QACR,CAAC,YAAY;YACX,CAAC,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE;YACnD,CAAC,CAAC,SAAS,CAAC,CAAC;IAEjB,0EAA0E;IAC1E,yEAAyE;IACzE,yEAAyE;IACzE,wEAAwE;IACxE,wEAAwE;IACxE,wEAAwE;IACxE,yEAAyE;IACzE,YAAY;IACZ,MAAM,cAAc,GAAG,WAAW,EAAE,WAAW,KAAK,IAAI,IAAI,CAAC,CAAC,YAAY,CAAC;IAC3E,MAAM,WAAW,GACf,cAAc,IAAI,MAAM,CAAC,iBAAiB;QACxC,CAAC,CAAC,MAAM,CAAC,iBAAiB;QAC1B,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;IACrB,MAAM,OAAO,GAAG,iBAAiB,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;IACpE,MAAM,cAAc,GAAG,MAAM,CAAC,WAAW,CACvC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAC3C,4BAA4B,CAAC,KAAK,EAAE,iBAAiB,EAAE,WAAW,CAAC,CACpE,CACF,CAAC;IACF,MAAM,oBAAoB,GAAG,gCAAgC,CAAC,WAAW,CAAC,CAAC;IAC3E,yEAAyE;IACzE,4EAA4E;IAC5E,2EAA2E;IAC3E,wEAAwE;IACxE,yEAAyE;IACzE,kCAAkC;IAClC,MAAM,oBAAoB,GAAG,CAAC,oBAAoB,CAAC;IACnD,MAAM,gCAAgC,GAAG,oBAAoB;QAC3D,CAAC,CAAC,MAAM,CAAC,WAAW,CAChB,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CACtD,wCAAwC,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,CAC9D,CACF;QACH,CAAC,CAAC,cAAc,CAAC;IACnB,2EAA2E;IAC3E,6EAA6E;IAC7E,4EAA4E;IAC5E,+EAA+E;IAC/E,yEAAyE;IACzE,kEAAkE;IAClE,qDAAqD;IACrD,MAAM,sBAAsB,GAC1B,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC;QACtC,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC;QAClC,CAAC,oBAAoB,CAAC;IACxB,4EAA4E;IAC5E,2EAA2E;IAC3E,8EAA8E;IAC9E,uFAAuF;IACvF,gEAAgE;IAChE,MAAM,iBAAiB,GAAG,sBAAsB;QAC9C,CAAC,CAAC,MAAM,CAAC,WAAW,CAChB,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAC/C,0BAA0B,CAAC,IAAI,EAAE,MAAM,CAAC,CACzC,CACF;QACH,CAAC,CAAC,gCAAgC,CAAC;IACrC,IAAI,oBAAoB,EAAE,CAAC;QACzB,qBAAqB,CAAC,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAAC,CAAC;IAC/D,CAAC;IACD,MAAM,eAAe,GACnB,oBAAoB;QACpB,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAC9C,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAChC,CAAC;IACJ,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE;QAC5D,YAAY,EAAE;YACZ,KAAK,EAAE,EAAE;YACT,GAAG,CAAC,eAAe;gBACjB,CAAC,CAAC;oBACE,SAAS,EAAE,EAAE;oBACb,UAAU,EAAE;wBACV,CAAC,oBAAoB,CAAC,EAAE;4BACtB,SAAS,EAAE,CAAC,iBAAiB,CAAC;yBAC/B;qBACF;iBACF;gBACH,CAAC,CAAC,EAAE,CAAC;SACR;KACF,CAAC,CAAC;IAEH,qEAAqE;IACrE,wEAAwE;IACxE,sEAAsE;IACtE,qEAAqE;IACrE,wCAAwC;IACxC,MAAM,YAAY,GAAG,iBAAiB,EAAE,KAAK;QAC3C,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,iBAAiB,CAAC,KAAK,CAAC;QAC1C,CAAC,CAAC,sBAAsB,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAEzD;;;;;;;;;;OAUG;IACH,KAAK,UAAU,iBAAiB,CAAI,EAAoB;QACtD,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC;QACjC,OAAO,qBAAqB,CAC1B;YACE,SAAS,EAAE,iBAAiB,EAAE,SAAS;YACvC,KAAK;YACL,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtE,EACD,EAAE,CACW,CAAC;IAClB,CAAC;IAED,wEAAwE;IACxE,wEAAwE;IACxE,8BAA8B;IAC9B,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QAC1D,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;YAClC,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAC7B,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE;gBAC5D,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC,IAAI,KAAK,UAAU,CAAC;gBACjD,MAAM,cAAc,GAAG,MAAM,2BAA2B,CACtD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,WAAW,CACZ,CAAC;gBACF,MAAM,WAAW,GACd,KAAK,CAAC,IAAY,CAAC,KAAK;oBACzB,OAAQ,KAAK,CAAC,IAAY,CAAC,KAAK,KAAK,QAAQ;oBAC7C,CAAC,KAAK,CAAC,OAAO,CAAE,KAAK,CAAC,IAAY,CAAC,KAAK,CAAC;oBACvC,CAAC,CAAC,EAAE,GAAK,KAAK,CAAC,IAAY,CAAC,KAAiC,EAAE;oBAC/D,CAAC,CAAC,EAAE,CAAC;gBACT,MAAM,QAAQ,GAAG;oBACf,GAAG,WAAW;oBACd,GAAG,CAAC,cAAc;wBAChB,CAAC,CAAC;4BACE,GAAG,wBAAwB,CAAC,cAAc,CAAC;4BAC3C,CAAC,6BAA6B,CAAC,EAAE,cAAc,CAAC,GAAG;4BACnD,EAAE,EAAE,gBAAgB,CAClB,cAAc,EACd,KAAK,CAAC,MAAM,EAAE,UAAU;gCACtB,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,UAAU,CAC5C;yBACF;wBACH,CAAC,CAAC,EAAE,CAAC;iBACR,CAAC;gBACF,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC;gBACvD,MAAM,WAAW,GAA4B;oBAC3C,YAAY,EAAE,KAAK,CAAC,QAAQ,KAAK,IAAI;oBACrC,eAAe,EAAE,KAAK,CAAC,WAAW,EAAE,eAAe,KAAK,IAAI;oBAC5D,aAAa,EAAE,KAAK;iBACrB,CAAC;gBACF,IAAI,OAAO;oBAAE,WAAW,CAAC,+BAA+B,CAAC,GAAG,IAAI,CAAC;gBACjE,OAAO;oBACL,IAAI;oBACJ,WAAW,EAAE,OAAO;wBAClB,CAAC,CAAC,GAAG,eAAe,sEAAsE;wBAC1F,CAAC,CAAC,eAAe;oBACnB,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI;wBACpC,IAAI,EAAE,QAAiB;wBACvB,UAAU,EAAE,EAAE;qBACf;oBACD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAChE,WAAW;iBACZ,CAAC;YACJ,CAAC,CAAC,CACH,CAAC;YAEF,IACE,CAAC,oBAAoB;gBACrB,CAAC,sBAAsB;gBACvB,MAAM,CAAC,QAAQ;gBACf,gBAAgB,CAAC,iBAAiB,EAAE,WAAW,EAAE,WAAW,CAAC,EAC7D,CAAC;gBACD,KAAK,CAAC,IAAI,CAAC;oBACT,IAAI,EAAE,WAAW;oBACjB,WAAW,EACT,4EAA4E;wBAC5E,4EAA4E;wBAC5E,iCAAiC;oBACnC,WAAW,EAAE;wBACX,IAAI,EAAE,QAAiB;wBACvB,UAAU,EAAE;4BACV,OAAO,EAAE;gCACP,IAAI,EAAE,QAAQ;gCACd,WAAW,EAAE,kCAAkC;6BAChD;yBACF;wBACD,QAAQ,EAAE,CAAC,SAAS,CAAC;qBACtB;oBACD,WAAW,EAAE;wBACX,YAAY,EAAE,KAAK;wBACnB,eAAe,EAAE,KAAK;wBACtB,aAAa,EAAE,KAAK;qBACrB;iBACF,CAAC,CAAC;YACL,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,wEAAwE;IACxE,uEAAuE;IACvE,iEAAiE;IACjE,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QACrE,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;YAClC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;YAEjD,IAAI,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAC5C,IAAI,oBAAoB,IAAI,sBAAsB,EAAE,CAAC;oBACnD,OAAO;wBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC;wBAC1D,OAAO,EAAE,IAAI;qBACd,CAAC;gBACJ,CAAC;gBACD,IAAI,CAAC,gBAAgB,CAAC,iBAAiB,EAAE,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;oBACnE,OAAO;wBACL,OAAO,EAAE;4BACP;gCACE,IAAI,EAAE,MAAM;gCACZ,IAAI,EAAE,iDAAiD;6BACxD;yBACF;wBACD,OAAO,EAAE,IAAI;qBACd,CAAC;gBACJ,CAAC;gBACD,MAAM,OAAO,GAAG,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC;gBACpC,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAC9C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;gBACvD,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,OAAO;wBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;wBAC1D,OAAO,EAAE,IAAI;qBACd,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,6EAA6E;YAC7E,wEAAwE;YACxE,yDAAyD;YACzD,MAAM,eAAe,GACnB,oBAAoB,IAAI,sBAAsB;gBAC5C,CAAC,CAAC,iBAAiB;gBACnB,CAAC,CAAC,OAAO,CAAC;YACd,MAAM,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;YACpC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC;oBAC1D,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YACD,IACE,CAAC,4BAA4B,CAAC,KAAK,EAAE,iBAAiB,EAAE,WAAW,CAAC,EACpE,CAAC;gBACD,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE,8CAA8C,IAAI,EAAE;yBAC3D;qBACF;oBACD,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YAED,IAAI,CAAC;gBACH,mEAAmE;gBACnE,kEAAkE;gBAClE,6DAA6D;gBAC7D,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,CAAE,IAA+B,IAAI,EAAE,EAAE;oBACrE,SAAS,EAAE,mBAAmB,EAAE;oBAChC,KAAK,EAAE,eAAe,EAAE,IAAI,IAAI;oBAChC,MAAM,EAAE,KAAK;iBACd,CAAC,CAAC;gBACH,MAAM,SAAS,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC5D,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC;gBACrD,MAAM,eAAe,GAAG,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC;gBAC5D,MAAM,gBAAgB,GACpB,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,SAAS,CAAC,GAAG;oBACf,OAAO,SAAS,CAAC,GAAG,KAAK,QAAQ;oBAChC,SAAS,CAAC,GAA+B,CAAC,OAAO,KAAK,IAAI,CAAC;gBAC9D,MAAM,cAAc,GAAG,MAAM,2BAA2B,CACtD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,WAAW,CACZ,CAAC;gBACF,MAAM,kBAAkB,GAAG,cAAc;oBACvC,CAAC,CAAC,MAAM,gCAAgC,CAAC,SAAS,EAAE,WAAW,CAAC;oBAChE,CAAC,CAAC,SAAS,CAAC;gBACd,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,kBAAkB,CACzC,KAAK,EACJ,IAA4B,IAAI,EAAE,EACnC,kBAAkB,EAClB,WAAW,CACZ,CAAC;gBACF,MAAM,YAAY,GAA4B;oBAC5C,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;oBAChB,GAAG,CAAC,cAAc;wBAChB,CAAC,CAAC,uBAAuB,CACrB,kBAAkB,EAClB,cAAc,EACd,WAAW,CACZ;wBACH,CAAC,CAAC,EAAE,CAAC;oBACP,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,oBAAoB,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;iBAChE,CAAC;gBACF,MAAM,UAAU,GAAG,cAAc,CAAE,KAAK,CAAC,IAAY,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACjE,MAAM,cAAc,GAAG,UAAU,CAAC,UAAU,CAAC;gBAC7C,MAAM,mBAAmB,GACvB,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC;oBAC7B,cAAc,CAAC,MAAM,GAAG,CAAC;oBACzB,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC;gBAC3C,MAAM,iBAAiB,GAAG,cAAc;oBACtC,CAAC,CAAC,uBAAuB,CAAC,kBAAkB,EAAE,YAAY,CAAC;oBAC3D,CAAC,CAAC,mBAAmB;wBACjB,SAAS;wBACT,OAAO,SAAS,KAAK,QAAQ;wBAC7B,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;wBAC3B,CAAC,CAAE,SAAqC;wBACxC,CAAC,CAAC,SAAS,CAAC;gBAChB,MAAM,IAAI,GAAG,cAAc;oBACzB,CAAC,CAAC,qBAAqB,CAAC,IAAI,EAAE,eAAe,EAAE,iBAAkB,CAAC;oBAClE,CAAC,CAAC,qBAAqB,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;gBACjD,MAAM,OAAO,GAAU,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;gBAChD,IAAI,KAAK;oBAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAC/B,OAAO;oBACL,OAAO;oBACP,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC9C,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACnD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,GAAG,CAAC;wBACtC,CAAC,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE;wBACzB,CAAC,CAAC,EAAE,CAAC;iBACR,CAAC;YACJ,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC1D,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAI,eAAe,EAAE,CAAC;QACpB,MAAM,CAAC,iBAAiB,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;YAC9D,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;gBAClC,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAC9C,MAAM,EACN,iBAAiB,EACjB,WAAW,CACZ,CAAC;gBACF,OAAO;oBACL,SAAS,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;wBAC5C,GAAG,EAAE,QAAQ,CAAC,GAAG;wBACjB,IAAI,EAAE,QAAQ,CAAC,IAAI;wBACnB,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpD,GAAG,CAAC,QAAQ,CAAC,WAAW;4BACtB,CAAC,CAAC,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE;4BACvC,CAAC,CAAC,EAAE,CAAC;wBACP,QAAQ,EAAE,QAAQ,CAAC,QAAQ;wBAC3B,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBACrD,CAAC,CAAC;iBACJ,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,iBAAiB,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YACtE,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;gBAClC,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAC9C,MAAM,EACN,iBAAiB,EACjB,WAAW,CACZ,CAAC;gBACF,OAAO;oBACL,iBAAiB,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;wBACpD,WAAW,EAAE,QAAQ,CAAC,GAAG;wBACzB,IAAI,EAAE,QAAQ,CAAC,IAAI;wBACnB,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpD,GAAG,CAAC,QAAQ,CAAC,WAAW;4BACtB,CAAC,CAAC,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE;4BACvC,CAAC,CAAC,EAAE,CAAC;wBACP,QAAQ,EAAE,QAAQ,CAAC,QAAQ;wBAC3B,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBACrD,CAAC,CAAC;iBACJ,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,iBAAiB,CACtB,yBAAyB,EACzB,KAAK,EAAE,OAAY,EAAE,EAAE;YACrB,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;gBAClC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;gBAChC,IAAI,KAAK,GAGE,IAAI,CAAC;gBAChB,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC9D,MAAM,WAAW,GAAG,oBAAoB,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;oBAC9D,IAAI,CAAC,WAAW,IAAI,CAAC,wBAAwB,CAAC,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;wBAChE,SAAS;oBACX,CAAC;oBACD,MAAM,QAAQ,GAAG,MAAM,2BAA2B,CAChD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,WAAW,CACZ,CAAC;oBACF,IAAI,QAAQ,EAAE,CAAC;wBACb,KAAK,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;wBACvC,MAAM;oBACR,CAAC;oBACD,oEAAoE;oBACpE,8DAA8D;oBAC9D,kDAAkD;gBACpD,CAAC;gBACD,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,EAAE,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO;oBACL,QAAQ,EAAE;wBACR;4BACE,GAAG;4BACH,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,QAAQ;4BACjC,IAAI,EAAE,gBAAgB,CACpB,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,UAAU,EAChB,MAAM,EACN,WAAW,CACZ;4BACD,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK;gCACtB,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,KAAK,EAAE;gCACjC,CAAC,CAAC,EAAE,CAAC;yBACR;qBACF;iBACF,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CACF,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,6EAA6E;AAC7E,gFAAgF;AAChF,8EAA8E;AAE9E,MAAM,UAAU,eAAe;IAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACxC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,MAAM;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,IAAI,CACT,GAAG,KAAK;aACL,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC,CACnB,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,SAAS,yBAAyB,CAChC,gBAAoC;IAEpC,MAAM,KAAK,GACT,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,IAAI,EAAE;QAC5C,CAAC,OAAO,gBAAgB,KAAK,QAAQ,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;QACjE,EAAE,CAAC;IACL,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,UAA8B;IAE9B,IAAI,CAAC,UAAU;QAAE,OAAO,SAAS,CAAC;IAClC,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;IACzD,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACzC,CAAC;AAED,SAAS,kBAAkB,CACzB,UAAoB,EACpB,MAAiC;IAEjC,MAAM,OAAO,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO;IACrD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,KAAa;IAEb,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,iBAAiB,GAAmC,IAAI,CAAC;IAC7D,IAAI,CAAC;QACH,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAA4B,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAE7D,MAAM,SAAS,GACb,OAAO,iBAAiB,CAAC,UAAU,KAAK,QAAQ;QAC9C,CAAC,CAAC,iBAAiB,CAAC,UAAU;QAC9B,CAAC,CAAC,SAAS,CAAC;IAChB,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,kBAAkB,CAChB,gBAAgB,EAChB,MAAM,oBAAoB,CAAC,SAAS,CAAC,CACtC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,0EAA0E;QAC5E,CAAC;IACH,CAAC;IAED,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CACjC,CAAC;YACF,OAAO,OAAkC,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,gEAAgE;QAClE,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,GAAuB;IAEvB,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAC5E,IAAI,MAAM,YAAY,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAC1C,uDAAuD;QACvD,KAAK,cAAc,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,2EAA2E;QAC3E,4CAA4C;IAC9C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAA8B,EAC9B,gBAAqC,EACrC,UAAuE,EAAE;IAqBzE,oEAAoE;IACpE,yEAAyE;IACzE,0EAA0E;IAC1E,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC;IACtD,MAAM,KAAK,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;IACzC,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,aAAa,GAAG,MAAM,yBAAyB,CACnD,KAAK,EACL,OAAO,CAAC,WAAW,CACpB,CAAC;QACF,IAAI,aAAa,EAAE,CAAC;YAClB,IACE,aAAa,CAAC,QAAQ,KAAK,2BAA2B;gBACtD,CAAC,CAAC,MAAM,qBAAqB,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,EACjD,CAAC;gBACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YAC3B,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE;oBACR,SAAS,EAAE,aAAa,CAAC,SAAS;oBAClC,GAAG,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,aAAa,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC9D,SAAS,EAAE,aAAa,CAAC,SAAS;oBAClC,WAAW,EAAE,aAAa,CAAC,MAAM;oBACjC,aAAa,EAAE,aAAa,CAAC,QAAQ;iBACtC;gBACD,WAAW,EAAE,IAAI;gBACjB,+DAA+D;gBAC/D,oEAAoE;gBACpE,WAAW,EAAE,aAAa,CAAC,YAAY,KAAK,MAAM;aACnD,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,KAAK,EAAE,CAAC;QACzD,IAAI,OAAO,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;YACnC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,yBAAyB,CAAC,gBAAgB,CAAC;YACrD,uEAAuE;YACvE,sEAAsE;YACtE,uEAAuE;YACvE,iDAAiD;YACjD,WAAW,EAAE,CAAC,CAAC,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;SAC7D,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAErC,wEAAwE;IACxE,uDAAuD;IACvD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAChD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,UAAU,GACd,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAChE,IAAI,UAAU,IAAI,UAAU,KAAK,iBAAiB,EAAE,CAAC;YACnD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QAED,uEAAuE;QACvE,mEAAmE;QACnE,sEAAsE;QACtE,uDAAuD;QACvD,mEAAmE;QACnE,kDAAkD;QAClD,IAAI,UAAU,KAAK,iBAAiB,EAAE,CAAC;YACrC,IAAI,CAAC,CAAC,MAAM,qBAAqB,CAAC,OAAO,CAAC,GAAyB,CAAC,CAAC,EAAE,CAAC;gBACtE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YAC3B,CAAC;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE;gBACR,SAAS,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;gBACpE,sEAAsE;gBACtE,iEAAiE;gBACjE,kEAAkE;gBAClE,qEAAqE;gBACrE,GAAG,CAAC,OAAO,OAAO,CAAC,MAAM,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM;oBACtD,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,MAAgB,EAAE;oBACrC,CAAC,CAAC,EAAE,CAAC;gBACP,SAAS,EACP,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ;oBACpC,CAAC,CAAE,OAAO,CAAC,UAAqB;oBAChC,CAAC,CAAC,SAAS;aAChB;YACD,mEAAmE;YACnE,WAAW,EAAE,IAAI;YACjB,sEAAsE;YACtE,uEAAuE;YACvE,kDAAkD;YAClD,WAAW,EAAE,OAAO,CAAC,aAAa,KAAK,MAAM;SAC9C,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QAC/C,IAAI,OAAO,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;YACnC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,yBAAyB,CAAC,gBAAgB,CAAC;YACrD,WAAW,EAAE,CAAC,CAAC,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;SAC7D,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,uEAAuE;IACvE,uEAAuE;IACvE,yEAAyE;IACzE,0EAA0E;IAC1E,4EAA4E;IAC5E,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACxD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,EAAE;YAC/C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YACjD,OAAO,CACL,QAAQ,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;gBACpC,eAAe,CAAC,QAAQ,EAAE,SAAS,CAAC,CACrC,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE,yBAAyB,CAAC,gBAAgB,CAAC;gBACrD,qDAAqD;gBACrD,WAAW,EAAE,IAAI;aAClB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,SAA6B;IAE7B,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;QACjE,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,CAAC;QAChD,OAAO,GAAG,EAAE,KAAK,IAAI,SAAS,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC","sourcesContent":["/*\n Shared MCP server builder.\n \n Extracted from `server.ts` so the stateless Streamable-HTTP mount\n * (`mountMCP`) and the stdio transport (`runMCPStdio --standalone`) build the\n * same MCP server from the same `ActionEntry` registry. Both surfaces:\n \n - expose every action as an MCP tool (+ the `ask-agent` meta-tool),\n * - append the framework deep-link block / `_meta` to every tool result,\n * - wrap `run()` / `askAgent()` in `runWithRequestContext` so per-user /\n * per-org scoping (accessFilter, resolveCredential, MCP visibility) is\n * honoured.\n \n `server.ts` re-exports `createMCPServerForRequest` and the auth helpers so\n * any (future) external importer of `@agent-native/core/mcp` keeps resolving.\n \n Node-only at the SDK level, but this module itself has no Node-only imports\n * — it can be bundled into the serverless function alongside `mountMCP`.\n /\n\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport { isMcpActionResult } from \"../mcp-client/app-result.js\";\nimport {\n MCP_APP_EXTENSION_ID,\n MCP_APP_MIME_TYPE,\n MCP_APP_RESOURCE_URI_META_KEY,\n type ActionMcpAppCsp,\n type ActionMcpAppResourceConfig,\n} from \"../action.js\";\nimport { MCP_APP_REQUEST_ORIGIN_CSP_SOURCE } from \"./embed-app.js\";\nimport {\n getRequestContext,\n getRequestOrgId,\n getRequestUserEmail,\n runWithRequestContext,\n} from \"../server/request-context.js\";\nimport {\n buildDeepLink,\n toAbsoluteOpenUrl,\n toDesktopOpenUrl,\n toVsCodeOpenUrl,\n} from \"../server/deep-link.js\";\nimport {\n isAgentNativeOpenDeepLink,\n withCollapsedAgentSidebarParam,\n} from \"../shared/agent-sidebar-url.js\";\nimport { MCP_APP_CHAT_BRIDGE_QUERY_PARAM } from \"../shared/embed-auth.js\";\nimport { getBuiltinCrossAppTools } from \"./builtin-tools.js\";\nimport {\n MCP_CONNECT_OAUTH_CLIENT_ID,\n MCP_CONNECT_SCOPE,\n} from \"./connect-store.js\";\nimport { getConfiguredAppBasePath } from \"../server/app-base-path.js\";\nimport {\n MCP_OAUTH_SCOPES,\n hasMcpOAuthScope,\n verifyMcpOAuthAccessToken,\n} from \"./oauth-token.js\";\n\nexport interface MCPConfig {\n /* App name shown in MCP server info /\n name: string;\n /* Optional human-facing app title shown by MCP hosts that support titles. /\n title?: string;\n /\n Canonical app id (directory under `apps/`, e.g. `mail`) this MCP server\n * is mounted for. Optional & back-compat: when omitted the builtin\n * cross-app tools fall back to lowercasing `name`. Used by `open_app` /\n * `ask_app` / `create_workspace_app` to tell \"this app\" from a cross-app\n * target so they resolve the target app's origin rather than echoing the\n * current request origin.\n /\n appId?: string;\n /* App description /\n description: string;\n /* Optional canonical website URL for hosts that surface MCP app details. /\n websiteUrl?: string;\n /* Optional app icons for MCP hosts that render server branding. /\n icons?: Array<{\n src: string;\n mimeType?: string;\n sizes?: string[];\n theme?: \"light\" \| \"dark\";\n }>;\n /* Version string (default \"1.0.0\") /\n version?: string;\n /* Action registry — same as agent chat and A2A /\n actions: Record<string, ActionEntry>;\n /\n Full (\"production\") action surface served to an *authenticated real\n caller** — a connect-minted token, an `agent-native mcp install` stdio\n * proxy (owner-email header / `AGENT_NATIVE_OWNER_EMAIL`), or a deployed /\n * `AGENT_MODE=production` app. In local dev `actions` is intentionally the\n * sparse, dev-toggled surface (builtins + read-only public-agent actions)\n * so the local agent chat and unauthenticated dev probes don't see every\n * mutating tool; but per the external-agents contract a real caller that\n * connected with a token MUST get the full surface even in dev. When unset\n * (production, where `actions` already IS the full set) the swap is a\n * no-op. See `external-agents` skill, \"Dev vs production tool surface\".\n /\n productionActions?: Record<string, ActionEntry>;\n /* Handler for the ask-agent meta-tool — runs the full agent loop /\n askAgent?: (message: string) => Promise<string>;\n /\n Disable the generic cross-app builtin tools (`list_apps`, `open_app`,\n * `ask_app`, `create_workspace_app`, `list_templates`). They are merged in\n * by default so external agents get a stable verb set; a template action of\n * the same name always wins (template precedence). Set to `false` only for\n * a constrained / locked-down mount.\n /\n builtinCrossAppTools?: boolean;\n /\n Curated allow-list of action names served to external connector clients\n * on a hosted multi-tenant deployment.\n \n Whenever this list is non-empty it is active by default for every\n * caller — hosted connectors, code/stdio clients, and the local CLI alike.\n * The MCP server trims both the advertised tool list and the callable\n * surface to exactly these names (plus any builtin cross-app tools such as\n * `list_apps` / `open_app`). Any tool call for a name not in the list is\n * rejected — it is not merely hidden. This prevents the ~105-tool full\n * catalog from landing in every external agent's context window and removes\n * footguns (db-exec, seed-, extension tools, browser-session tools, etc.)\n from connectors. It is no longer gated behind an environment variable, and\n * the catalog is never inferred from the client name/user-agent.\n \n `tool-search` stays available in the compact catalog so any trimmed tool is\n * reachable on demand. Callers who need the full surface up front opt in\n * explicitly with `agent-native connect --full-catalog` (embeds a\n * `catalog_scope: \"full\"` claim in the connect-minted JWT) or the\n * deployment-wide `AGENT_NATIVE_MCP_FULL_CATALOG=1` env override.\n \n Declare this in your template's `createAgentChatPlugin` options rather than\n * setting it on `MCPConfig` directly; the plugin copies it through.\n /\n connectorCatalog?: string[];\n}\n\n/\n Identity extracted from a verified MCP bearer token / JWT. Used to wrap\n * `entry.run()` and `config.askAgent()` calls in `runWithRequestContext`\n * so downstream tools (db-query, accessFilter, resolveCredential) honour\n * per-user / per-org scoping. Without this wrap the MCP endpoint would\n * silently bypass tenant isolation. See finding #6 in\n * /tmp/security-audit/12-mcp-a2a-agent.md.\n /\nexport interface MCPCallerIdentity {\n userEmail: string \| undefined;\n orgId?: string \| undefined;\n orgDomain: string \| undefined;\n /* Present only for standard remote MCP OAuth access tokens. /\n oauthScopes?: string[];\n /* Present only for standard remote MCP OAuth access tokens. /\n oauthClientId?: string;\n}\n\n/* Per-request context used to turn an action's relative deep link into the\n * absolute web URL (and desktop `agentnative://` URL) the external agent\n * surfaces. Derived from the inbound request headers in `mountMCP`, or from\n * the resolved local app origin in the stdio standalone path. /\nexport interface MCPRequestMeta {\n /* Origin of the running app, e.g. `http://localhost:8100`. /\n origin?: string;\n /* Optional mount prefix for path-mounted apps, e.g. `/mail`. /\n basePath?: string;\n /* Optional client preference for which URL the markdown link uses. /\n target?: \"browser\" \| \"desktop\" \| \"terminal\";\n /\n Best-effort caller label derived from MCP transport headers. Chat-style\n * remote hosts should stay on the compact catalog; code/stdio clients can\n * explicitly identify themselves to keep the full action surface.\n /\n clientName?: string;\n /* Explicit framework client hint from `x-agent-native-mcp-client`. /\n clientHint?: string;\n /* Explicit opt-in to the full tool catalog for code/stdio style clients. /\n fullCatalog?: boolean;\n /\n The caller authenticated with a real credential (verified A2A/connect\n * JWT, matching ACCESS_TOKEN, or a forwarded owner-email header from\n * `agent-native mcp install`) — not the unauthenticated local dev-open\n * path. When true, `createMCPServerForRequest` serves\n * `config.productionActions` (the full surface) instead of the sparse dev\n * `config.actions`. Set by `mountMCP` from `verifyAuth`.\n /\n fullSurface?: boolean;\n}\n\ntype McpOAuthScope = (typeof MCP_OAUTH_SCOPES)[number];\n\nfunction isActionVisibleForOAuthScope(\n entry: ActionEntry,\n scopes: string[] \| undefined,\n): boolean {\n if (!scopes) return true;\n const required: McpOAuthScope =\n entry.readOnly === true ? \"mcp:read\" : \"mcp:write\";\n return hasMcpOAuthScope(scopes, required);\n}\n\nconst COMPACT_MCP_APP_CATALOG_BUILTINS = new Set([\n \"list_apps\",\n \"open_app\",\n \"ask_app\",\n \"ask_app_status\",\n \"create_embed_session\",\n // `tool-search` MUST stay in every compact/connector surface: it is how a\n // compacted client discovers and loads any action on demand, which is what\n // makes \"small catalog by default\" safe instead of limiting.\n \"tool-search\",\n]);\n\nfunction isActionAdvertisedInCompactMcpAppCatalog(\n name: string,\n entry: ActionEntry,\n config: MCPConfig,\n): boolean {\n if (COMPACT_MCP_APP_CATALOG_BUILTINS.has(name)) return true;\n if (\n (entry.mcpApp as { compactCatalog?: unknown } \| undefined)\n ?.compactCatalog === true\n ) {\n return true;\n }\n if (config.builtinCrossAppTools === false && entry.mcpApp?.resource) {\n return true;\n }\n return false;\n}\n\nfunction explicitlyRequestsFullMcpCatalog(\n requestMeta: MCPRequestMeta \| undefined,\n): boolean {\n // Full catalog is a deliberate, rare opt-in — NEVER a default, and NEVER\n // inferred from the client name / user-agent. It is reached only by an\n // explicit deployment env or a token minted with\n // `agent-native connect --full-catalog` (which embeds `catalog_scope: \"full\"`,\n // surfaced here as requestMeta.fullCatalog). Dumping ~105 tool schemas\n // (100k+ tokens) into a context window just because a client called itself\n // \"code\"/\"cursor\"/\"codex\" was a recurring footgun. Everything else gets the\n // connector/compact catalog plus `tool-search`, which keeps every tool\n // reachable on demand.\n if (process.env.AGENT_NATIVE_MCP_FULL_CATALOG === \"1\") return true;\n return requestMeta?.fullCatalog === true;\n}\n\nconst warnedFullCatalogKeys = new Set<string>();\n\n/\n Loud, deduped warning emitted whenever the full MCP catalog is actually\n * served. Full catalog is a deliberate, rare opt-in (env or a `--full-catalog`\n * token claim); logging it makes an accidental ~100k-token tool dump visible\n * instead of silent, so a regression can't quietly reintroduce the footgun.\n /\nfunction warnFullCatalogServed(toolCount: number): void {\n const source =\n process.env.AGENT_NATIVE_MCP_FULL_CATALOG === \"1\"\n ? \"AGENT_NATIVE_MCP_FULL_CATALOG=1\"\n : \"a token minted with --full-catalog (catalog_scope:full)\";\n const key = `${source}:${toolCount}`;\n if (warnedFullCatalogKeys.has(key)) return;\n warnedFullCatalogKeys.add(key);\n console.warn(\n `[agent-native] Serving the FULL MCP tool catalog (${toolCount} tools) via ${source}. ` +\n `This is a large context payload meant to be a rare, explicit opt-in — most ` +\n `clients should use the default compact/connector catalog + tool-search instead.`,\n );\n}\n\n/\n Returns true when the given action name is in the template's connector\n * catalog, OR is a builtin cross-app tool that is always included for\n * external connector clients. Builtin tool names from\n * `COMPACT_MCP_APP_CATALOG_BUILTINS` are always allowed since they are the\n * stable external-agent verb set.\n /\nfunction isActionInConnectorCatalog(name: string, config: MCPConfig): boolean {\n if (COMPACT_MCP_APP_CATALOG_BUILTINS.has(name)) return true;\n if (!Array.isArray(config.connectorCatalog)) return false;\n return config.connectorCatalog.includes(name);\n}\n\ninterface ResolvedMcpAppResource {\n uri: string;\n legacyUris?: string[];\n name: string;\n title?: string;\n description?: string;\n html: ActionMcpAppResourceConfig[\"html\"];\n mimeType: typeof MCP_APP_MIME_TYPE;\n _meta?: Record<string, unknown>;\n}\n\ninterface McpAppResourceContext {\n actionName: string;\n appId?: string;\n requestOrigin?: string;\n}\n\ninterface VersionedMcpAppResourceUri {\n uri: string;\n legacyUris?: string[];\n}\n\nfunction metadataObject(value: unknown): Record<string, unknown> {\n return value && typeof value === \"object\" && !Array.isArray(value)\n ? (value as Record<string, unknown>)\n : {};\n}\n\nfunction originString(value: unknown): string \| undefined {\n if (typeof value !== \"string\" \|\| !value.trim()) return undefined;\n try {\n return new URL(value).origin;\n } catch {\n return undefined;\n }\n}\n\nfunction hostSpecificDomainString(value: unknown): string \| undefined {\n if (typeof value !== \"string\" \|\| !value.trim()) return undefined;\n const trimmed = value.trim();\n try {\n new URL(trimmed);\n return undefined;\n } catch {\n return trimmed;\n }\n}\n\nfunction withMcpChatBridgeParam(urlOrPath: string): string {\n try {\n const base = \"http://agent-native.invalid\";\n const url = urlOrPath.startsWith(\"/\")\n ? new URL(urlOrPath, base)\n : new URL(urlOrPath);\n url.searchParams.set(MCP_APP_CHAT_BRIDGE_QUERY_PARAM, \"1\");\n return urlOrPath.startsWith(\"/\")\n ? `${url.pathname}${url.search}${url.hash}`\n : url.toString();\n } catch {\n return urlOrPath;\n }\n}\n\nfunction isEmbedStartUrl(value: string): boolean {\n try {\n const base = \"http://agent-native.invalid\";\n const url = value.startsWith(\"/\") ? new URL(value, base) : new URL(value);\n return url.pathname.includes(\"/_agent-native/embed/start\");\n } catch {\n return value.includes(\"/_agent-native/embed/start\");\n }\n}\n\nfunction routePathFromOpenUrl(value: string): string \| null {\n try {\n const hasScheme = /^[a-z][a-z0-9+.-]:\\/\\//i.test(value);\n const url = hasScheme\n ? new URL(value)\n : new URL(value, \"http://agent-native.invalid\");\n const route = `${url.pathname}${url.search}${url.hash}`;\n if (!route.startsWith(\"/\") \|\| route.startsWith(\"//\")) return null;\n if (route.startsWith(\"/\\\\\")) return null;\n if (/^\\/[a-z][a-z0-9+.-]:/i.test(route)) return null;\n return route;\n } catch {\n return null;\n }\n}\n\n/\n Recursively redact embed-ticket-bearing URLs from any value before it gets\n * serialized into a model-visible text payload. Embed start URLs carry a\n * single-use ticket that grants iframe access to the user's session — they\n * MUST stay in `_meta` (where the embed runtime can consume them) and never\n * appear in `content[].text` for the LLM. This is the generic safety net for\n * actions that return `{ embedStartUrl, ... }` without declaring\n * `mcpApp.resource` (the resource path already strips them via\n * `mcpAppStructuredContent`).\n \n Depth-capped to avoid pathological / circular structures. Strings that\n * embed an `isEmbedStartUrl` substring (e.g. a longer message that includes\n * the URL) are replaced with `[hidden embed URL]`.\n /\nfunction purgeEmbedStartUrls(value: unknown, depth = 0): unknown {\n if (depth > 5) return value;\n if (typeof value === \"string\") {\n return isEmbedStartUrl(value) ? \"[hidden embed URL]\" : value;\n }\n if (Array.isArray(value)) {\n return value.map((item) => purgeEmbedStartUrls(item, depth + 1));\n }\n if (value && typeof value === \"object\") {\n const out: Record<string, unknown> = {};\n for (const [key, val] of Object.entries(value as Record<string, unknown>)) {\n if (typeof val === \"string\" && isEmbedStartUrl(val)) {\n // Drop the key entirely for object-typed inputs so a tool result like\n // `{ embedStartUrl: \"...\" }` does not appear at all in the LLM text.\n continue;\n }\n out[key] = purgeEmbedStartUrls(val, depth + 1);\n }\n return out;\n }\n return value;\n}\n\nfunction mcpAppEmbedOpenLinkMeta(\n result: unknown,\n resource: ResolvedMcpAppResource,\n meta: MCPRequestMeta \| undefined,\n): Record<string, unknown> {\n const out = metadataObject(result);\n const embedStartUrl =\n typeof out.embedStartUrl === \"string\"\n ? out.embedStartUrl\n : out.embed === true &&\n typeof out.url === \"string\" &&\n out.url.includes(\"/_agent-native/embed/start\")\n ? out.url\n : null;\n if (!embedStartUrl) return {};\n\n const webUrl = toAbsoluteOpenUrl(\n withMcpChatBridgeParam(embedStartUrl),\n meta?.origin,\n );\n const deepLinkUrl =\n typeof out.deepLinkUrl === \"string\" ? out.deepLinkUrl : null;\n const fallbackLabel = resource.title ?? resource.name ?? \"app\";\n const label =\n typeof out.app === \"string\" && out.app.trim()\n ? `Open ${out.app.trim()}`\n : fallbackLabel;\n const view =\n typeof out.view === \"string\" && out.view.trim()\n ? out.view.trim()\n : typeof out.path === \"string\" && out.path.trim()\n ? out.path.trim()\n : undefined;\n // Only fabricate an open URL when there is a real path-like value: an\n // explicit deepLinkUrl, or a non-embed `out.url`, or a leading-slash\n // `view`/`path` that's already a route. Bare view-name strings like\n // \"inbox\" or \"deck\" must NOT be turned into `${origin}/inbox` — apps\n // route views at app-specific paths (e.g. slides routes `view: \"deck\"`\n // at `/deck/:id`), so a synthesized origin-relative URL is just a 404.\n // In that case omit `openLink` entirely; the embedStart meta carries\n // the actual launch reference.\n const pathFromRouteLike =\n view && view.startsWith(\"/\")\n ? view\n : typeof out.path === \"string\" && out.path.trim().startsWith(\"/\")\n ? out.path.trim()\n : undefined;\n const explicitOpenUrl = deepLinkUrl\n ? deepLinkUrl\n : typeof out.url === \"string\" && !isEmbedStartUrl(out.url)\n ? out.url\n : pathFromRouteLike;\n const safeOpenUrl = explicitOpenUrl\n ? toAbsoluteOpenUrl(explicitOpenUrl, meta?.origin)\n : null;\n // Embed open links expose the safe browser target in `webUrl`, but the\n // desktop URL must enter the app through the registered scheme so Electron\n // can focus the right webview. Preserve the full route/query in the `to`\n // param; focus ids are often only present on `url`, not `out.params`.\n const desktopDeepLinkUrl = (() => {\n if (!safeOpenUrl) return null;\n const app =\n typeof out.app === \"string\" && out.app.trim()\n ? out.app.trim()\n : undefined;\n if (!app) return safeOpenUrl;\n if (isAgentNativeOpenDeepLink(safeOpenUrl)) {\n return toDesktopOpenUrl(safeOpenUrl);\n }\n const targetRoute = routePathFromOpenUrl(safeOpenUrl);\n if (!targetRoute) return safeOpenUrl;\n const viewParam =\n typeof out.view === \"string\" && out.view.trim() ? out.view.trim() : \"\";\n const params =\n out.params && typeof out.params === \"object\" && !Array.isArray(out.params)\n ? (out.params as Record<\n string,\n string \| number \| boolean \| null \| undefined\n >)\n : undefined;\n return toDesktopOpenUrl(\n buildDeepLink({\n app,\n view: viewParam,\n to: targetRoute,\n ...(params ? { params } : {}),\n }),\n );\n })();\n\n return {\n \"agent-native/embedStart\": {\n startUrl: webUrl,\n ...(typeof out.embedExpiresAt === \"number\"\n ? { expiresAt: out.embedExpiresAt }\n : {}),\n },\n ...(safeOpenUrl\n ? {\n \"agent-native/openLink\": {\n label,\n ...(view ? { view } : {}),\n webUrl: safeOpenUrl,\n desktopUrl: desktopDeepLinkUrl ?? safeOpenUrl,\n vscodeUrl: toVsCodeOpenUrl(safeOpenUrl),\n },\n }\n : {}),\n };\n}\n\nasync function withServerMintedMcpAppEmbedStart(\n result: unknown,\n meta: MCPRequestMeta \| undefined,\n): Promise<unknown> {\n if (!result \|\| typeof result !== \"object\" \|\| Array.isArray(result)) {\n return result;\n }\n\n const out = result as Record<string, unknown>;\n if (out.embed !== true) return result;\n if (typeof out.embedStartUrl === \"string\" && out.embedStartUrl.trim()) {\n return result;\n }\n if (\n typeof out.url === \"string\" &&\n out.url.trim() &&\n isEmbedStartUrl(out.url)\n ) {\n return result;\n }\n\n const candidate = [out.url, out.path, out.deepLinkUrl].find(\n (value): value is string =>\n typeof value === \"string\" && value.trim().length > 0,\n );\n if (!candidate) return result;\n\n const trimmed = candidate.trim();\n const isPath = trimmed.startsWith(\"/\") && !trimmed.startsWith(\"//\");\n const isAbsoluteHttp = /^https?:\\/\\//i.test(trimmed);\n if (!isPath && !isAbsoluteHttp) return result;\n if (isAbsoluteHttp && !meta?.origin) return result;\n\n const ctx = getRequestContext();\n const ownerEmail = ctx?.userEmail?.trim();\n if (!ownerEmail) return result;\n\n const { normalizeEmbedTargetPath, createEmbedSessionTicket } =\n await import(\"../server/embed-session.js\");\n const { buildEmbedStartPath } = await import(\"../server/embed-route.js\");\n const targetPath = normalizeEmbedTargetPath(\n withMcpChatBridgeParam(trimmed),\n meta?.origin,\n );\n if (!targetPath) return result;\n\n const ticket = await createEmbedSessionTicket({\n ownerEmail,\n orgId: ctx?.orgId,\n targetPath,\n scope: typeof out.chrome === \"string\" ? out.chrome : null,\n });\n const startPath = buildEmbedStartPath(ticket.ticket);\n const embedStartUrl = meta?.origin\n ? new URL(startPath, meta.origin).toString()\n : startPath;\n\n return {\n ...out,\n embedStartUrl,\n embedTargetPath: targetPath,\n embedExpiresAt: ticket.expiresAt,\n };\n}\n\n/\n Build the deep-link content block + structured `_meta` for a tool result.\n * Best-effort: any throw / nullish link is swallowed so a bad `link` builder\n * never fails the tool call.\n /\nexport function buildLinkArtifacts(\n entry: ActionEntry,\n args: Record<string, any>,\n result: any,\n meta: MCPRequestMeta \| undefined,\n): {\n block?: { type: \"text\"; text: string };\n _meta?: Record<string, unknown>;\n} {\n if (typeof entry.link !== \"function\") return {};\n try {\n const lk = entry.link({ args: args ?? {}, result });\n if (!lk?.url) return {};\n const linkUrl = isAgentNativeOpenDeepLink(lk.url)\n ? withCollapsedAgentSidebarParam(lk.url)\n : lk.url;\n const webUrl = toAbsoluteOpenUrl(linkUrl, meta?.origin);\n const desktopUrl = toDesktopOpenUrl(linkUrl);\n const vscodeUrl = toVsCodeOpenUrl(webUrl);\n const markdownUrl = meta?.target === \"desktop\" ? desktopUrl : webUrl;\n return {\n block: { type: \"text\", text: `\\n\\n[${lk.label} →](${markdownUrl})` },\n _meta: {\n \"agent-native/openLink\": {\n label: lk.label,\n view: lk.view,\n webUrl,\n desktopUrl,\n vscodeUrl,\n },\n },\n };\n } catch {\n return {};\n }\n}\n\n/\n Merge the generic cross-app builtin tools into the config's action\n * registry. Template actions take precedence: if a template defines an\n * action with the same name as a builtin (e.g. its own `list_apps`), the\n * template entry wins and the builtin is dropped. This mirrors the\n * template-over-workspace-core precedence in `autoDiscoverActions`.\n \n The builtins are pure-ish navigators / scaffolders; they call back into the\n * same `config.actions` / `config.askAgent` so there is no second agent loop.\n /\nfunction mergeBuiltinTools(\n config: MCPConfig,\n baseActions: Record<string, ActionEntry>,\n requestMeta?: MCPRequestMeta,\n): Record<string, ActionEntry> {\n if (config.builtinCrossAppTools === false) return baseActions;\n const builtins = getBuiltinCrossAppTools(config, requestMeta);\n const merged: Record<string, ActionEntry> = { ...builtins };\n // Template / app actions overwrite same-named builtins.\n for (const [name, entry] of Object.entries(baseActions)) {\n merged[name] = entry;\n }\n return merged;\n}\n\nfunction absoluteMetadataUrl(\n value: string \| undefined,\n requestMeta?: MCPRequestMeta,\n): string \| undefined {\n const trimmed = value?.trim();\n if (!trimmed) return undefined;\n try {\n if (requestMeta?.origin) {\n const basePath = requestMeta.basePath ?? getConfiguredAppBasePath();\n const appBase = `${requestMeta.origin.replace(/\\/+$/, \"\")}${basePath}/`;\n const appLocalValue =\n trimmed.startsWith(\"/\") && !trimmed.startsWith(\"//\")\n ? trimmed.replace(/^\\/+/, \"\")\n : trimmed;\n return new URL(appLocalValue, appBase).href;\n }\n return new URL(trimmed).href;\n } catch {\n return trimmed;\n }\n}\n\nfunction mcpServerInfo(config: MCPConfig, requestMeta?: MCPRequestMeta) {\n const websiteUrl = absoluteMetadataUrl(config.websiteUrl, requestMeta);\n const icons = config.icons\n ?.map((icon) => {\n const src = absoluteMetadataUrl(icon.src, requestMeta);\n if (!src) return null;\n return {\n src,\n ...(icon.mimeType ? { mimeType: icon.mimeType } : {}),\n ...(icon.sizes?.length ? { sizes: icon.sizes } : {}),\n ...(icon.theme ? { theme: icon.theme } : {}),\n };\n })\n .filter((icon): icon is NonNullable<typeof icon> => Boolean(icon));\n return {\n name: config.name,\n version: config.version ?? \"1.0.0\",\n ...(config.title?.trim() ? { title: config.title.trim() } : {}),\n ...(config.description?.trim()\n ? { description: config.description.trim() }\n : {}),\n ...(websiteUrl ? { websiteUrl } : {}),\n ...(icons?.length ? { icons } : {}),\n };\n}\n\nfunction safeUiSegment(value: string \| undefined, fallback: string): string {\n const normalized = (value \|\| fallback)\n .trim()\n .toLowerCase()\n .replace(/[^a-z0-9._-]+/g, \"-\")\n .replace(/^-+\|-+$/g, \"\");\n return normalized \|\| fallback;\n}\n\n// ChatGPT and Claude cache MCP App resource HTML by `ui://` URI. Bump this\n// when the shared shell changes in a way that must invalidate host caches.\nconst MCP_APP_RESOURCE_SHELL_VERSION = \"shell-v43\";\n\nfunction legacyDefaultMcpAppUri(config: MCPConfig, actionName: string): string {\n const app = safeUiSegment(config.appId ?? config.name, \"agent-native\");\n const action = safeUiSegment(actionName, \"tool\");\n return `ui://${app}/${action}`;\n}\n\nfunction versionMcpAppResourceUri(\n rawUri: string,\n): VersionedMcpAppResourceUri \| null {\n const uri = rawUri.trim();\n if (!uri.startsWith(\"ui://\")) return null;\n const versionSuffix = `/${MCP_APP_RESOURCE_SHELL_VERSION}`;\n let versionedUri: string;\n try {\n const parsed = new URL(uri);\n const path = parsed.pathname.replace(/\\/+$/g, \"\");\n parsed.pathname = /\\/shell-v\\d+$/.test(path)\n ? path.replace(/\\/shell-v\\d+$/, versionSuffix)\n : `${path}${versionSuffix}`;\n versionedUri = parsed.toString();\n } catch {\n return null;\n }\n return {\n uri: versionedUri,\n ...(versionedUri !== uri ? { legacyUris: [uri] } : {}),\n };\n}\n\nfunction unversionMcpAppResourceUri(uri: string): string \| null {\n if (!uri.startsWith(\"ui://\")) return null;\n try {\n const parsed = new URL(uri);\n parsed.pathname = parsed.pathname\n .replace(/\\/+$/g, \"\")\n .replace(/\\/shell-v\\d+$/g, \"\");\n return parsed.toString();\n } catch {\n return null;\n }\n}\n\nfunction normalizeMcpAppResourceUriForMatch(uri: unknown): string \| null {\n if (typeof uri !== \"string\") return null;\n const trimmed = uri.trim();\n if (!trimmed.startsWith(\"ui://\")) return null;\n return (\n unversionMcpAppResourceUri(trimmed) ??\n trimmed.replace(/\\/+$/g, \"\").replace(/\\/shell-v\\d+(?=([?#]\|$))/g, \"\")\n );\n}\n\nfunction matchesMcpAppResourceUri(\n resourceUri: VersionedMcpAppResourceUri,\n requestedUri: unknown,\n): boolean {\n if (typeof requestedUri !== \"string\") return false;\n const requested = requestedUri.trim();\n if (resourceUri.uri === requested) return true;\n if (resourceUri.legacyUris?.includes(requested)) return true;\n const requestedBase = normalizeMcpAppResourceUriForMatch(requested);\n const currentBase = normalizeMcpAppResourceUriForMatch(resourceUri.uri);\n return Boolean(requestedBase && currentBase && requestedBase === currentBase);\n}\n\nfunction getMcpAppResourceUri(\n config: MCPConfig,\n actionName: string,\n entry: ActionEntry,\n): VersionedMcpAppResourceUri \| null {\n const resource = entry.mcpApp?.resource;\n if (!resource) return null;\n const baseUri =\n resource.uri?.trim() \|\| legacyDefaultMcpAppUri(config, actionName);\n return versionMcpAppResourceUri(baseUri);\n}\n\nfunction expandRequestOriginSources(\n sources: string[] \| undefined,\n requestMeta?: MCPRequestMeta,\n): string[] \| undefined {\n if (!sources) return undefined;\n const origin = requestMeta?.origin;\n return sources.flatMap((source) =>\n source === MCP_APP_REQUEST_ORIGIN_CSP_SOURCE && origin\n ? [origin]\n : [source],\n );\n}\n\nfunction openAiWidgetCsp(\n cspConfig: ActionMcpAppCsp \| undefined,\n requestMeta?: MCPRequestMeta,\n): Record<string, string[]> \| undefined {\n if (!cspConfig) return undefined;\n const csp: Record<string, string[]> = {};\n const connectDomains = expandRequestOriginSources(\n cspConfig.connectDomains,\n requestMeta,\n );\n const resourceDomains = expandRequestOriginSources(\n cspConfig.resourceDomains,\n requestMeta,\n );\n const frameDomains = expandRequestOriginSources(\n cspConfig.frameDomains,\n requestMeta,\n );\n if (connectDomains?.length) csp.connect_domains = connectDomains;\n if (resourceDomains?.length) csp.resource_domains = resourceDomains;\n if (frameDomains?.length) csp.frame_domains = frameDomains;\n return Object.keys(csp).length > 0 ? csp : undefined;\n}\n\nfunction mcpAppUiMeta(\n resource: ActionMcpAppResourceConfig,\n resolvedCsp: ActionMcpAppCsp \| undefined,\n requestMeta?: MCPRequestMeta,\n description?: string,\n): Record<string, unknown> \| undefined {\n const base =\n resource._meta && typeof resource._meta === \"object\"\n ? { ...resource._meta }\n : {};\n const existingUi =\n base.ui && typeof base.ui === \"object\" && !Array.isArray(base.ui)\n ? (base.ui as Record<string, unknown>)\n : {};\n const ui: Record<string, unknown> = { ...existingUi };\n delete ui.domain;\n if (resolvedCsp) {\n ui.csp = {\n ...resolvedCsp,\n connectDomains: expandRequestOriginSources(\n resolvedCsp.connectDomains,\n requestMeta,\n ),\n resourceDomains: expandRequestOriginSources(\n resolvedCsp.resourceDomains,\n requestMeta,\n ),\n frameDomains: expandRequestOriginSources(\n resolvedCsp.frameDomains,\n requestMeta,\n ),\n baseUriDomains: expandRequestOriginSources(\n resolvedCsp.baseUriDomains,\n requestMeta,\n ),\n };\n }\n if (resource.permissions) ui.permissions = resource.permissions;\n const hostSpecificDomain =\n hostSpecificDomainString(resource.domain) ??\n hostSpecificDomainString(existingUi.domain);\n if (hostSpecificDomain) ui.domain = hostSpecificDomain;\n const openAiWidgetDomain =\n originString(resource.domain) ??\n originString(ui.domain) ??\n originString(existingUi.domain) ??\n originString(requestMeta?.origin);\n if (typeof resource.prefersBorder === \"boolean\") {\n ui.prefersBorder = resource.prefersBorder;\n }\n if (Object.keys(ui).length > 0) base.ui = ui;\n if (description && base[\"openai/widgetDescription\"] == null) {\n base[\"openai/widgetDescription\"] = description;\n }\n if (\n typeof resource.prefersBorder === \"boolean\" &&\n base[\"openai/widgetPrefersBorder\"] == null\n ) {\n base[\"openai/widgetPrefersBorder\"] = resource.prefersBorder;\n }\n const openAiCsp = openAiWidgetCsp(resolvedCsp, requestMeta);\n if (openAiCsp && base[\"openai/widgetCSP\"] == null) {\n base[\"openai/widgetCSP\"] = openAiCsp;\n }\n if (openAiWidgetDomain && base[\"openai/widgetDomain\"] == null) {\n base[\"openai/widgetDomain\"] = openAiWidgetDomain;\n }\n return Object.keys(base).length > 0 ? base : undefined;\n}\n\nasync function resolveMcpAppCsp(\n resource: ActionMcpAppResourceConfig,\n ctx: McpAppResourceContext,\n): Promise<ActionMcpAppCsp \| undefined> {\n if (!resource.csp) return undefined;\n return typeof resource.csp === \"function\"\n ? await resource.csp(ctx)\n : resource.csp;\n}\n\nasync function resolveMcpAppResource(\n config: MCPConfig,\n actionName: string,\n entry: ActionEntry,\n requestMeta?: MCPRequestMeta,\n): Promise<ResolvedMcpAppResource \| null> {\n const resource = entry.mcpApp?.resource;\n if (!resource) return null;\n const resolvedUri = getMcpAppResourceUri(config, actionName, entry);\n if (!resolvedUri) return null;\n const description = resource.description ?? entry.tool.description;\n const resolvedCsp = await resolveMcpAppCsp(resource, {\n actionName,\n appId: config.appId,\n requestOrigin: requestMeta?.origin,\n });\n const resourceMeta = mcpAppUiMeta(\n resource,\n resolvedCsp,\n requestMeta,\n description,\n );\n return {\n uri: resolvedUri.uri,\n ...(resolvedUri.legacyUris ? { legacyUris: resolvedUri.legacyUris } : {}),\n name: resource.name?.trim() \|\| actionName,\n ...(resource.title ? { title: resource.title } : {}),\n ...(description ? { description } : {}),\n html: resource.html,\n mimeType: resource.mimeType ?? MCP_APP_MIME_TYPE,\n ...(resourceMeta ? { _meta: resourceMeta } : {}),\n };\n}\n\nasync function resolveMcpAppResourceSafely(\n config: MCPConfig,\n actionName: string,\n entry: ActionEntry,\n requestMeta?: MCPRequestMeta,\n): Promise<ResolvedMcpAppResource \| null> {\n try {\n return await resolveMcpAppResource(config, actionName, entry, requestMeta);\n } catch (error) {\n console.warn(\n `[mcp] Skipping MCP App resource for action \"${actionName}\" because its metadata could not be resolved.`,\n error,\n );\n return null;\n }\n}\n\nasync function getMcpAppResources(\n config: MCPConfig,\n actions: Record<string, ActionEntry>,\n requestMeta?: MCPRequestMeta,\n): Promise<ResolvedMcpAppResource[]> {\n const resources = await Promise.all(\n Object.entries(actions).map(([name, entry]) =>\n resolveMcpAppResourceSafely(config, name, entry, requestMeta),\n ),\n );\n return resources.filter((resource): resource is ResolvedMcpAppResource =>\n Boolean(resource),\n );\n}\n\nfunction renderMcpAppHtml(\n resource: ResolvedMcpAppResource,\n actionName: string,\n config: MCPConfig,\n requestMeta?: MCPRequestMeta,\n): string {\n if (typeof resource.html === \"function\") {\n return resource.html({\n actionName,\n appId: config.appId,\n requestOrigin: requestMeta?.origin,\n });\n }\n return resource.html;\n}\n\nfunction openAiToolDescriptorMeta(\n resource: ResolvedMcpAppResource,\n): Record<string, unknown> {\n const label = resource.title ?? resource.name;\n const widgetCsp = metadataObject(resource._meta?.[\"openai/widgetCSP\"]);\n return {\n \"openai/outputTemplate\": resource.uri,\n \"openai/toolInvocation/invoking\": `Opening ${label}`,\n \"openai/toolInvocation/invoked\": `${label} ready`,\n \"openai/widgetAccessible\": true,\n ...(Object.keys(widgetCsp).length > 0\n ? { \"openai/widgetCSP\": widgetCsp }\n : {}),\n };\n}\n\nfunction openAiToolResultMeta(\n resource: ResolvedMcpAppResource,\n): Record<string, unknown> {\n const label = resource.title ?? resource.name;\n const widgetCsp = metadataObject(resource._meta?.[\"openai/widgetCSP\"]);\n return {\n \"openai/outputTemplate\": resource.uri,\n \"openai/toolInvocation/invoking\": `Opening ${label}`,\n \"openai/toolInvocation/invoked\": `${label} ready`,\n \"openai/widgetAccessible\": true,\n ...(Object.keys(widgetCsp).length > 0\n ? { \"openai/widgetCSP\": widgetCsp }\n : {}),\n };\n}\n\nfunction mcpAppToolUiMeta(\n resource: ResolvedMcpAppResource,\n visibility: unknown,\n): Record<string, unknown> {\n return {\n resourceUri: resource.uri,\n visibility: Array.isArray(visibility) ? visibility : [\"model\", \"app\"],\n };\n}\n\nfunction primitiveValue(value: unknown): value is string \| number \| boolean {\n return (\n typeof value === \"string\" \|\|\n typeof value === \"number\" \|\|\n typeof value === \"boolean\"\n );\n}\n\nfunction mcpAppStructuredContent(\n result: unknown,\n meta: Record<string, unknown> \| undefined,\n): Record<string, unknown> {\n const out: Record<string, unknown> =\n result && typeof result === \"object\" && !Array.isArray(result)\n ? { ...(result as Record<string, unknown>) }\n : primitiveValue(result)\n ? { result }\n : {};\n for (const key of [\"embedStartUrl\", \"startUrl\"]) {\n const value = out[key];\n if (typeof value === \"string\" && isEmbedStartUrl(value)) delete out[key];\n }\n if (typeof out.url === \"string\" && isEmbedStartUrl(out.url)) {\n delete out.url;\n }\n // Internal embed-routing fields belong in `_meta[\"agent-native/embedStart\"]`\n // (consumed by the embed runtime), not in `structuredContent` (read by the\n // LLM). `embedTargetPath` reveals the exact route + thread/draft id the user\n // is looking at; `embedExpiresAt` is an unintended timestamp; ticket-bearing\n // fields are single-use credentials. Drop all of them unconditionally.\n for (const key of [\n \"embedTargetPath\",\n \"embedExpiresAt\",\n \"ticket\",\n \"embedTicket\",\n ]) {\n delete out[key];\n }\n for (const key of Object.keys(out)) {\n if (/Ticket$/.test(key)) delete out[key];\n }\n const openLink = meta?.[\"agent-native/openLink\"];\n if (openLink && typeof openLink === \"object\" && !Array.isArray(openLink)) {\n const webUrl = (openLink as Record<string, unknown>).webUrl;\n if (typeof webUrl === \"string\" && isEmbedStartUrl(webUrl)) {\n return Object.keys(out).length > 0 ? out : { status: \"ok\" };\n }\n out.openLink = openLink;\n if (typeof webUrl === \"string\" && !out.url) out.url = webUrl;\n }\n return Object.keys(out).length > 0 ? out : { status: \"ok\" };\n}\n\nfunction truncateToolText(value: string, max = 2000): string {\n if (value.length <= max) return value;\n return `${value.slice(0, max - 1)}…`;\n}\n\nfunction conciseMcpAppToolText(\n name: string,\n result: unknown,\n structuredContent: Record<string, unknown>,\n): string {\n if (typeof result === \"string\") return truncateToolText(result);\n const message = structuredContent.message;\n if (typeof message === \"string\" && message.trim()) {\n return truncateToolText(message.trim());\n }\n const title = structuredContent.title ?? structuredContent.name;\n if (typeof title === \"string\" && title.trim()) {\n return `${title.trim()} is ready.`;\n }\n const id = structuredContent.id;\n if (typeof id === \"string\" && id.trim()) {\n return `${name} completed for ${id.trim()}.`;\n }\n return `${name} completed.`;\n}\n\nfunction isSuccessOnlyResult(value: Record<string, unknown>): boolean {\n const keys = Object.keys(value);\n if (keys.length === 0) return true;\n return keys.every((key) => {\n const item = value[key];\n if (key === \"ok\" \|\| key === \"success\") return item === true;\n if (key === \"status\") {\n return item === \"ok\" \|\| item === \"success\" \|\| item === \"completed\";\n }\n return false;\n });\n}\n\nfunction conciseToolResultText(name: string, result: unknown): string {\n const purged = purgeEmbedStartUrls(result);\n if (typeof purged === \"string\") return truncateToolText(purged);\n if (purged === true \|\| purged == null) return `${name} completed.`;\n if (purged && typeof purged === \"object\" && !Array.isArray(purged)) {\n const record = purged as Record<string, unknown>;\n const message = record.message ?? record.summary;\n if (typeof message === \"string\" && message.trim()) {\n return truncateToolText(message.trim());\n }\n const id = record.id ?? record.planId ?? record.commentId;\n const title = record.title ?? record.name;\n if (typeof title === \"string\" && title.trim()) {\n const titleText = title.trim();\n return typeof id === \"string\" && id.trim()\n ? `${titleText} (${id.trim()}) is ready.`\n : `${titleText} is ready.`;\n }\n if (typeof id === \"string\" && id.trim()) {\n return `${name} completed for ${id.trim()}.`;\n }\n const link = record.url ?? record.webUrl ?? record.path;\n if (typeof link === \"string\" && link.trim()) {\n return `${name} completed: ${truncateToolText(link.trim(), 500)}`;\n }\n if (isSuccessOnlyResult(record)) return `${name} completed.`;\n }\n const text = JSON.stringify(purged);\n return text === undefined ? `${name} completed.` : truncateToolText(text);\n}\n\n// ---------------------------------------------------------------------------\n// MCP Server creation — converts ActionEntry registry to MCP tools\n// ---------------------------------------------------------------------------\n\n/\n Build a fully-wired MCP `Server` for a single request / session.\n \n Shared by the stateless Streamable-HTTP mount (`mountMCP`) and the stdio\n * standalone transport. The HTTP mount passes the per-request origin via\n * `requestMeta`; the stdio standalone path passes the resolved local app\n * origin so deep links still become absolute URLs.\n /\nexport async function createMCPServerForRequest(\n config: MCPConfig,\n identity: MCPCallerIdentity \| undefined,\n requestMeta?: MCPRequestMeta,\n) {\n const { Server } = await import(\"@modelcontextprotocol/sdk/server/index.js\");\n const {\n ListToolsRequestSchema,\n CallToolRequestSchema,\n ListResourcesRequestSchema,\n ReadResourceRequestSchema,\n ListResourceTemplatesRequestSchema,\n } = await import(\"@modelcontextprotocol/sdk/types.js\");\n\n // Resolve the effective caller identity. JWT / header-derived identity\n // (passed by `mountMCP` via `verifyAuth`) wins. When the caller passed no\n // identity — the stdio standalone* path — fall back to the\n // `AGENT_NATIVE_OWNER_EMAIL` env the `agent-native mcp install` flow writes\n // into the `agent-native mcp serve` process env, so standalone tool runs are\n // tenant-scoped to the configured owner instead of running unscoped. Stays\n // undefined for true dev-open (no token, no secret, no owner) — behavior\n // there is unchanged.\n const ownerFromEnv = process.env.AGENT_NATIVE_OWNER_EMAIL?.trim();\n const effectiveIdentity: MCPCallerIdentity \| undefined =\n identity ??\n (ownerFromEnv\n ? { userEmail: ownerFromEnv, orgDomain: undefined }\n : undefined);\n\n // The action set the request handlers operate on = base actions + generic\n // cross-app builtins (template wins on name collision). An authenticated\n // real caller (connect-minted token / `mcp install` owner / production —\n // `requestMeta.fullSurface`, or the stdio standalone path identified by\n // `AGENT_NATIVE_OWNER_EMAIL`) gets the full `productionActions` surface\n // even in local dev; the unauthenticated dev-open path keeps the sparse\n // `config.actions`. See `external-agents` skill, \"Dev vs production tool\n // surface\".\n const useFullSurface = requestMeta?.fullSurface === true \|\| !!ownerFromEnv;\n const baseActions =\n useFullSurface && config.productionActions\n ? config.productionActions\n : config.actions;\n const actions = mergeBuiltinTools(config, baseActions, requestMeta);\n const visibleActions = Object.fromEntries(\n Object.entries(actions).filter(([, entry]) =>\n isActionVisibleForOAuthScope(entry, effectiveIdentity?.oauthScopes),\n ),\n );\n const fullCatalogRequested = explicitlyRequestsFullMcpCatalog(requestMeta);\n // Compact/connector is the DEFAULT for every caller — hosted connectors,\n // code clients (Claude Code / Cursor / Codex), and the local CLI alike. The\n // full ~105-tool catalog is served only on the explicit opt-in above, so a\n // host can never dump every action schema into one giant tool card. The\n // `mcp:apps` scope still lands on this compact MCP-Apps surface; with no\n // opt-in, everyone else does too.\n const compactMcpAppCatalog = !fullCatalogRequested;\n const advertisedActionsBeforeConnector = compactMcpAppCatalog\n ? Object.fromEntries(\n Object.entries(visibleActions).filter(([name, entry]) =>\n isActionAdvertisedInCompactMcpAppCatalog(name, entry, config),\n ),\n )\n : visibleActions;\n // Connector-catalog tier: when a template declares a connector allow-list,\n // serve exactly that curated surface (+ cross-app builtins + tool-search) to\n // external callers unless they explicitly opted into the full catalog. This\n // is active by default whenever a catalog is declared — no env flag required —\n // so the ~105-tool full catalog can never leak just because a deployment\n // forgot to set one. It also keeps db-exec / seed-* / extension /\n // browser-session footguns off the external surface.\n const connectorCatalogActive =\n Array.isArray(config.connectorCatalog) &&\n config.connectorCatalog.length > 0 &&\n !fullCatalogRequested;\n // When the connector catalog is active, filter directly from visibleActions\n // rather than advertisedActionsBeforeConnector. This ensures the connector\n // tier is an independent, template-declared surface that doesn't accidentally\n // narrow to just the compact-catalog builtins when shouldUseCompactMcpCatalogByDefault\n // would have activated the compact catalog for the same caller.\n const advertisedActions = connectorCatalogActive\n ? Object.fromEntries(\n Object.entries(visibleActions).filter(([name]) =>\n isActionInConnectorCatalog(name, config),\n ),\n )\n : advertisedActionsBeforeConnector;\n if (fullCatalogRequested) {\n warnFullCatalogServed(Object.keys(advertisedActions).length);\n }\n const supportsMcpApps =\n compactMcpAppCatalog \|\|\n Object.values(advertisedActions).some((entry) =>\n Boolean(entry.mcpApp?.resource),\n );\n const server = new Server(mcpServerInfo(config, requestMeta), {\n capabilities: {\n tools: {},\n ...(supportsMcpApps\n ? {\n resources: {},\n extensions: {\n [MCP_APP_EXTENSION_ID]: {\n mimeTypes: [MCP_APP_MIME_TYPE],\n },\n },\n }\n : {}),\n },\n });\n\n // Resolve orgId once per request (DB lookup) so subsequent wraps are\n // synchronous. The caller identity may be undefined for true dev-open —\n // in that case we run with no userEmail/orgId, which makes downstream\n // tools that require per-user scope return empty results rather than\n // cross-tenant data (the safe default).\n const orgIdPromise = effectiveIdentity?.orgId\n ? Promise.resolve(effectiveIdentity.orgId)\n : resolveOrgIdFromDomain(effectiveIdentity?.orgDomain);\n\n /*\n Wrap a callback in\n * `runWithRequestContext({ userEmail, orgId, requestOrigin }, fn)`.\n * Both the tools/list and tools/call handlers go through this so\n * downstream `accessFilter`, `resolveCredential`, and per-user MCP\n * visibility checks see the verified caller's identity. `requestOrigin`\n * is the live server origin derived from the inbound request (same value\n * used to absolutize deep links) so actions that build fetchable URLs\n * (e.g. design `export-coding-handoff`'s signed raw-code URL) resolve the\n * correct local-workspace origin instead of a prod/localhost fallback.\n /\n async function withCallerContext<T>(fn: () => Promise<T>): Promise<T> {\n const orgId = await orgIdPromise;\n return runWithRequestContext(\n {\n userEmail: effectiveIdentity?.userEmail,\n orgId,\n ...(requestMeta?.origin ? { requestOrigin: requestMeta.origin } : {}),\n },\n fn,\n ) as Promise<T>;\n }\n\n // tools/list — return all actions + ask-agent meta-tool. Wrapped in the\n // request context so per-user MCP visibility (mcp-client/visibility.ts)\n // applies to the listing too.\n server.setRequestHandler(ListToolsRequestSchema, async () => {\n return withCallerContext(async () => {\n const tools = await Promise.all(\n Object.entries(advertisedActions).map(async ([name, entry]) => {\n const hasLink = typeof entry.link === \"function\";\n const mcpAppResource = await resolveMcpAppResourceSafely(\n config,\n name,\n entry,\n requestMeta,\n );\n const rawToolMeta =\n (entry.tool as any)._meta &&\n typeof (entry.tool as any)._meta === \"object\" &&\n !Array.isArray((entry.tool as any)._meta)\n ? { ...((entry.tool as any)._meta as Record<string, unknown>) }\n : {};\n const toolMeta = {\n ...rawToolMeta,\n ...(mcpAppResource\n ? {\n ...openAiToolDescriptorMeta(mcpAppResource),\n [MCP_APP_RESOURCE_URI_META_KEY]: mcpAppResource.uri,\n ui: mcpAppToolUiMeta(\n mcpAppResource,\n entry.mcpApp?.visibility ??\n metadataObject(rawToolMeta.ui).visibility,\n ),\n }\n : {}),\n };\n const baseDescription = entry.tool.description ?? name;\n const annotations: Record<string, unknown> = {\n readOnlyHint: entry.readOnly === true,\n destructiveHint: entry.publicAgent?.isConsequential === true,\n openWorldHint: false,\n };\n if (hasLink) annotations[\"agent-native/producesOpenLink\"] = true;\n return {\n name,\n description: hasLink\n ? `${baseDescription} After calling, surface the returned \"Open in … →\" link to the user.`\n : baseDescription,\n inputSchema: entry.tool.parameters ?? {\n type: \"object\" as const,\n properties: {},\n },\n ...(Object.keys(toolMeta).length > 0 ? { _meta: toolMeta } : {}),\n annotations,\n };\n }),\n );\n\n if (\n !compactMcpAppCatalog &&\n !connectorCatalogActive &&\n config.askAgent &&\n hasMcpOAuthScope(effectiveIdentity?.oauthScopes, \"mcp:write\")\n ) {\n tools.push({\n name: \"ask-agent\",\n description:\n \"Send a natural-language message to the app's AI agent and get a response. \" +\n \"Use this for complex, multi-step tasks that require the agent's reasoning \" +\n \"and full context about the app.\",\n inputSchema: {\n type: \"object\" as const,\n properties: {\n message: {\n type: \"string\",\n description: \"The message to send to the agent\",\n },\n },\n required: [\"message\"],\n },\n annotations: {\n readOnlyHint: false,\n destructiveHint: false,\n openWorldHint: false,\n },\n });\n }\n\n return { tools };\n });\n });\n\n // tools/call — dispatch to action registry or ask-agent. Wrapped in the\n // request context so the action's `run(args)` and `askAgent()` execute\n // with the verified caller's identity, not the platform default.\n server.setRequestHandler(CallToolRequestSchema, async (request: any) => {\n return withCallerContext(async () => {\n const { name, arguments: args } = request.params;\n\n if (name === \"ask-agent\" && config.askAgent) {\n if (compactMcpAppCatalog \|\| connectorCatalogActive) {\n return {\n content: [{ type: \"text\", text: `Unknown tool: ${name}` }],\n isError: true,\n };\n }\n if (!hasMcpOAuthScope(effectiveIdentity?.oauthScopes, \"mcp:write\")) {\n return {\n content: [\n {\n type: \"text\",\n text: \"Forbidden: OAuth scope does not allow ask-agent\",\n },\n ],\n isError: true,\n };\n }\n const message = args?.message ?? \"\";\n try {\n const result = await config.askAgent(message);\n return { content: [{ type: \"text\", text: result }] };\n } catch (err: any) {\n return {\n content: [{ type: \"text\", text: `Error: ${err.message}` }],\n isError: true,\n };\n }\n }\n\n // Connector-catalog tier: when active, callableActions === advertisedActions\n // (the filtered set). Non-listed tools are not callable — mirroring how\n // compactMcpAppCatalog gates calls on advertisedActions.\n const callableActions =\n compactMcpAppCatalog \|\| connectorCatalogActive\n ? advertisedActions\n : actions;\n const entry = callableActions[name];\n if (!entry) {\n return {\n content: [{ type: \"text\", text: `Unknown tool: ${name}` }],\n isError: true,\n };\n }\n if (\n !isActionVisibleForOAuthScope(entry, effectiveIdentity?.oauthScopes)\n ) {\n return {\n content: [\n {\n type: \"text\",\n text: `Forbidden: OAuth scope does not allow tool ${name}`,\n },\n ],\n isError: true,\n };\n }\n\n try {\n // We're inside `withCallerContext`, so the request-context getters\n // resolve the verified MCP caller's identity (do NOT inject a dev\n // fallback). Tag the call as an external-agent MCP dispatch.\n const result = await entry.run((args as Record<string, string>) ?? {}, {\n userEmail: getRequestUserEmail(),\n orgId: getRequestOrgId() ?? null,\n caller: \"mcp\",\n });\n const mcpResult = isMcpActionResult(result) ? result : null;\n const rawResult = mcpResult ? mcpResult.raw : result;\n const resultForClient = mcpResult ? mcpResult.text : result;\n const mcpResultIsError =\n !!mcpResult &&\n !!mcpResult.raw &&\n typeof mcpResult.raw === \"object\" &&\n (mcpResult.raw as Record<string, unknown>).isError === true;\n const mcpAppResource = await resolveMcpAppResourceSafely(\n config,\n name,\n entry,\n requestMeta,\n );\n const rawResultForClient = mcpAppResource\n ? await withServerMintedMcpAppEmbedStart(rawResult, requestMeta)\n : rawResult;\n const { block, _meta } = buildLinkArtifacts(\n entry,\n (args as Record<string, any>) ?? {},\n rawResultForClient,\n requestMeta,\n );\n const responseMeta: Record<string, unknown> = {\n ...(_meta ?? {}),\n ...(mcpAppResource\n ? mcpAppEmbedOpenLinkMeta(\n rawResultForClient,\n mcpAppResource,\n requestMeta,\n )\n : {}),\n ...(mcpAppResource ? openAiToolResultMeta(mcpAppResource) : {}),\n };\n const toolUiMeta = metadataObject((entry.tool as any)._meta?.ui);\n const toolVisibility = toolUiMeta.visibility;\n const isAppOnlyVisibility =\n Array.isArray(toolVisibility) &&\n toolVisibility.length > 0 &&\n toolVisibility.every((v) => v === \"app\");\n const structuredContent = mcpAppResource\n ? mcpAppStructuredContent(rawResultForClient, responseMeta)\n : isAppOnlyVisibility &&\n rawResult &&\n typeof rawResult === \"object\" &&\n !Array.isArray(rawResult)\n ? (rawResult as Record<string, unknown>)\n : undefined;\n const text = mcpAppResource\n ? conciseMcpAppToolText(name, resultForClient, structuredContent!)\n : conciseToolResultText(name, resultForClient);\n const content: any[] = [{ type: \"text\", text }];\n if (block) content.push(block);\n return {\n content,\n ...(mcpResultIsError ? { isError: true } : {}),\n ...(structuredContent ? { structuredContent } : {}),\n ...(Object.keys(responseMeta).length > 0\n ? { _meta: responseMeta }\n : {}),\n };\n } catch (err: any) {\n return {\n content: [{ type: \"text\", text: `Error: ${err.message}` }],\n isError: true,\n };\n }\n });\n });\n\n if (supportsMcpApps) {\n server.setRequestHandler(ListResourcesRequestSchema, async () => {\n return withCallerContext(async () => {\n const mcpAppResources = await getMcpAppResources(\n config,\n advertisedActions,\n requestMeta,\n );\n return {\n resources: mcpAppResources.map((resource) => ({\n uri: resource.uri,\n name: resource.name,\n ...(resource.title ? { title: resource.title } : {}),\n ...(resource.description\n ? { description: resource.description }\n : {}),\n mimeType: resource.mimeType,\n ...(resource._meta ? { _meta: resource._meta } : {}),\n })),\n };\n });\n });\n\n server.setRequestHandler(ListResourceTemplatesRequestSchema, async () => {\n return withCallerContext(async () => {\n const mcpAppResources = await getMcpAppResources(\n config,\n advertisedActions,\n requestMeta,\n );\n return {\n resourceTemplates: mcpAppResources.map((resource) => ({\n uriTemplate: resource.uri,\n name: resource.name,\n ...(resource.title ? { title: resource.title } : {}),\n ...(resource.description\n ? { description: resource.description }\n : {}),\n mimeType: resource.mimeType,\n ...(resource._meta ? { _meta: resource._meta } : {}),\n })),\n };\n });\n });\n\n server.setRequestHandler(\n ReadResourceRequestSchema,\n async (request: any) => {\n return withCallerContext(async () => {\n const uri = request.params?.uri;\n let found: {\n actionName: string;\n resource: ResolvedMcpAppResource;\n } \| null = null;\n for (const [name, entry] of Object.entries(advertisedActions)) {\n const resourceUri = getMcpAppResourceUri(config, name, entry);\n if (!resourceUri \|\| !matchesMcpAppResourceUri(resourceUri, uri)) {\n continue;\n }\n const resource = await resolveMcpAppResourceSafely(\n config,\n name,\n entry,\n requestMeta,\n );\n if (resource) {\n found = { actionName: name, resource };\n break;\n }\n // resolveMcpAppResourceSafely returned null (e.g. an async resolver\n // threw) — keep scanning the remaining candidates rather than\n // aborting and reporting the resource as missing.\n }\n if (!found) {\n throw new Error(`MCP App resource not found: ${uri}`);\n }\n return {\n contents: [\n {\n uri,\n mimeType: found.resource.mimeType,\n text: renderMcpAppHtml(\n found.resource,\n found.actionName,\n config,\n requestMeta,\n ),\n ...(found.resource._meta\n ? { _meta: found.resource._meta }\n : {}),\n },\n ],\n };\n });\n },\n );\n }\n\n return server;\n}\n\n// ---------------------------------------------------------------------------\n// Auth — reuses the same pattern as A2A (Bearer token or JWT). Shared so the\n// HTTP mount and any stdio-side auth-aware helper resolve identity identically.\n// ---------------------------------------------------------------------------\n\nexport function getAccessTokens(): string[] {\n const single = process.env.ACCESS_TOKEN;\n const multi = process.env.ACCESS_TOKENS;\n const tokens: string[] = [];\n if (single) tokens.push(single);\n if (multi) {\n tokens.push(\n ...multi\n .split(\",\")\n .map((t) => t.trim())\n .filter(Boolean),\n );\n }\n return tokens;\n}\n\n/\n Resolve the caller identity for a static-token (or dev-open) auth path.\n \n Static `ACCESS_TOKEN` / `ACCESS_TOKENS` auth carries no per-caller claims,\n * so without this the MCP endpoint would run every tool with\n * `userEmail === undefined` and per-user / per-org scoped actions\n * (`accessFilter`, `resolveAccess`, `resolveCredential`) would return\n * empty / wrong data. The `agent-native mcp install` flow writes\n * `AGENT_NATIVE_OWNER_EMAIL` into the client config env and the stdio proxy\n * forwards it as the `X-Agent-Native-Owner-Email` request header (see\n * `mcp/stdio.ts#authHeaders`). We trust that owner hint only on the\n * static-token path — JWT auth already carries a cryptographically verified\n * `sub`, so the header is ignored there and never widens JWT scope.\n \n Precedence is server-trusted-first: the server process's\n * `AGENT_NATIVE_OWNER_EMAIL` env (set out-of-band by the operator / deploy)\n * ALWAYS wins, and a client-supplied `X-Agent-Native-Owner-Email` header is\n * honored only as a fallback when that env is unset. A static `ACCESS_TOKEN`\n * is a shared bearer secret; letting a request header override a\n * server-configured owner would let anyone holding a leaked token act as any\n * user. The header path remains for the single-tenant local-dev install flow\n * where the app server process has no owner env and the token is the\n * workspace secret; multi-tenant deployments must use A2A JWT (verified `sub`),\n * not a static token, for per-user scope.\n \n Returns `undefined` when no owner email is available (true dev-open: no\n * token, no secret, no owner) so behavior there stays unchanged.\n /\nfunction deriveStaticTokenIdentity(\n ownerEmailHeader: string \| undefined,\n): MCPCallerIdentity \| undefined {\n const owner =\n process.env.AGENT_NATIVE_OWNER_EMAIL?.trim() \|\|\n (typeof ownerEmailHeader === \"string\" && ownerEmailHeader.trim()) \|\|\n \"\";\n if (!owner) return undefined;\n return { userEmail: owner, orgDomain: undefined };\n}\n\nexport function getBearerToken(\n authHeader: string \| undefined,\n): string \| undefined {\n if (!authHeader) return undefined;\n const match = /^Bearer\\s+(.+)$/i.exec(authHeader.trim());\n return match?.[1]?.trim() \|\| undefined;\n}\n\nfunction addSecretCandidate(\n candidates: string[],\n secret: string \| null \| undefined,\n): void {\n const trimmed = secret?.trim();\n if (!trimmed \|\| candidates.includes(trimmed)) return;\n candidates.push(trimmed);\n}\n\nasync function verifyA2AJwtForMcp(\n token: string,\n): Promise<Record<string, unknown> \| null> {\n const jose = await import(\"jose\");\n let unverifiedPayload: Record<string, unknown> \| null = null;\n try {\n unverifiedPayload = jose.decodeJwt(token) as Record<string, unknown>;\n } catch {\n return null;\n }\n\n const candidateSecrets: string[] = [];\n addSecretCandidate(candidateSecrets, process.env.A2A_SECRET);\n\n const orgDomain =\n typeof unverifiedPayload.org_domain === \"string\"\n ? unverifiedPayload.org_domain\n : undefined;\n if (orgDomain) {\n try {\n const { getA2ASecretByDomain } = await import(\"../org/context.js\");\n addSecretCandidate(\n candidateSecrets,\n await getA2ASecretByDomain(orgDomain),\n );\n } catch {\n // DB not ready or org lookup unavailable — fall back to other candidates.\n }\n }\n\n for (const secret of candidateSecrets) {\n try {\n const { payload } = await jose.jwtVerify(\n token,\n new TextEncoder().encode(secret),\n );\n return payload as Record<string, unknown>;\n } catch {\n // Try the next candidate without exposing which secret matched.\n }\n }\n\n return null;\n}\n\nasync function isConnectTokenAllowed(\n jti: string \| undefined,\n): Promise<boolean> {\n if (!jti) return false;\n try {\n const { isJtiRevoked, touchTokenUsed } = await import(\"./connect-store.js\");\n if (await isJtiRevoked(jti)) return false;\n // Best-effort usage telemetry — never blocks / throws.\n void touchTokenUsed(jti);\n } catch {\n // Store import / lookup failed — fail open. Signature verification already\n // passed; this only gates explicit revokes.\n }\n return true;\n}\n\n/\n Verify the inbound auth header. Returns:\n * - { authed: true, identity } when verified — `identity` is derived from\n * the JWT (`sub` / `org_domain`) for JWT auth, or from the\n * `AGENT_NATIVE_OWNER_EMAIL` env / `X-Agent-Native-Owner-Email` header\n * for static-token auth (the `agent-native mcp install` flow). `identity`\n * is undefined only for true dev-open with no owner hint.\n * - { authed: false } on rejection.\n \n When A2A_SECRET is set we extract the JWT's `sub` (caller email) and\n * `org_domain` claims so the MCP endpoint can wrap tool runs in\n * `runWithRequestContext({ userEmail, orgId })`. Without that wrap, the\n * MCP endpoint loses tenant identity and downstream `accessFilter` /\n * `resolveCredential` calls fall back to platform-wide defaults.\n \n `ownerEmailHeader` is the forwarded `X-Agent-Native-Owner-Email` value; it\n * is consulted ONLY on the static-token / dev-open path (never to influence\n * verified JWT identity), so the install flow runs tools as the configured\n * owner instead of an unscoped anonymous caller.\n /\nexport async function verifyAuth(\n authHeader: string \| undefined,\n ownerEmailHeader?: string \| undefined,\n options: { allowDevOpen?: boolean; resourceUrl?: string \| string[] } = {},\n): Promise<{\n authed: boolean;\n identity?: MCPCallerIdentity;\n /\n The caller presented a real credential — a verified A2A/connect JWT, a\n * matching ACCESS_TOKEN, or (on the no-auth-configured path) a forwarded\n * owner-email header from `agent-native mcp install`. Drives the full vs\n * sparse MCP tool surface in local dev. The pure unauthenticated dev-open\n * path (no secret, no token, no owner header) is `false`.\n /\n fullSurface?: boolean;\n /\n The caller explicitly opted up to the full connector catalog by minting\n * their token with `--full-catalog` (or equivalent). When `true`, the\n * compact/connector-catalog tier filter (active by default whenever a\n * `connectorCatalog` is declared) is bypassed for this caller. Derived from a\n * `catalog_scope: \"full\"` claim in the verified A2A/connect JWT.\n /\n fullCatalog?: boolean;\n}> {\n // No auth configured → allow only when the route caller has already\n // established that this is a loopback/local dev request. Still honour an\n // owner hint there so the local install/connect flow stays tenant-scoped.\n const accessTokens = getAccessTokens();\n const hasA2ASecret = !!process.env.A2A_SECRET?.trim();\n const token = getBearerToken(authHeader);\n if (token) {\n const oauthIdentity = await verifyMcpOAuthAccessToken(\n token,\n options.resourceUrl,\n );\n if (oauthIdentity) {\n if (\n oauthIdentity.clientId === MCP_CONNECT_OAUTH_CLIENT_ID &&\n !(await isConnectTokenAllowed(oauthIdentity.jti))\n ) {\n return { authed: false };\n }\n return {\n authed: true,\n identity: {\n userEmail: oauthIdentity.userEmail,\n ...(oauthIdentity.orgId ? { orgId: oauthIdentity.orgId } : {}),\n orgDomain: oauthIdentity.orgDomain,\n oauthScopes: oauthIdentity.scopes,\n oauthClientId: oauthIdentity.clientId,\n },\n fullSurface: true,\n // Per-token opt-up: `catalog_scope: \"full\"` in the OAuth token\n // bypasses the connector-catalog tier filter on hosted deployments.\n fullCatalog: oauthIdentity.catalogScope === \"full\",\n };\n }\n }\n if (accessTokens.length === 0 && !hasA2ASecret && !token) {\n if (options.allowDevOpen === false) {\n return { authed: false };\n }\n return {\n authed: true,\n identity: deriveStaticTokenIdentity(ownerEmailHeader),\n // `mcp install`'s stdio proxy forwards an owner-email header even when\n // the local app has no secret configured — that is a real, identified\n // caller and gets the full surface. A bare browser/curl dev probe with\n // no owner hint stays on the sparse dev surface.\n fullSurface: !!(ownerEmailHeader && ownerEmailHeader.trim()),\n };\n }\n\n if (!token) return { authed: false };\n\n // Try an A2A JWT via the shared A2A_SECRET first, then the caller org's\n // synced A2A secret when the token carries org_domain.\n const payload = await verifyA2AJwtForMcp(token);\n if (payload) {\n const tokenScope =\n typeof payload.scope === \"string\" ? payload.scope : undefined;\n if (tokenScope && tokenScope !== MCP_CONNECT_SCOPE) {\n return { authed: false };\n }\n\n // Connect-minted tokens (scope === \"mcp-connect\") carry a random `jti`\n // and are individually revocable. Only these tokens hit the revoke\n // store — ordinary A2A delegation JWTs skip the DB lookup entirely so\n // the hot path is unchanged. The signature was already\n // cryptographically verified, so failing open here only widens the\n // explicit-revoke gate, never the trust boundary.\n if (tokenScope === MCP_CONNECT_SCOPE) {\n if (!(await isConnectTokenAllowed(payload.jti as string \| undefined))) {\n return { authed: false };\n }\n }\n\n return {\n authed: true,\n identity: {\n userEmail: typeof payload.sub === \"string\" ? payload.sub : undefined,\n // Org SERVICE tokens (connect-minted, synthetic `svc-@service.<org>`\n // subject) carry the org id directly as an `org_id` claim so the\n // resolved identity is org-scoped even when the org has no domain\n // mapping. Personal/delegation JWTs don't set the claim — unchanged.\n ...(typeof payload.org_id === \"string\" && payload.org_id\n ? { orgId: payload.org_id as string }\n : {}),\n orgDomain:\n typeof payload.org_domain === \"string\"\n ? (payload.org_domain as string)\n : undefined,\n },\n // Verified JWT (connect-minted or A2A delegation) — a real caller.\n fullSurface: true,\n // Per-token opt-up: `catalog_scope: \"full\"` embedded at mint time via\n // `agent-native connect --full-catalog` bypasses the connector-catalog\n // tier filter on hosted multi-tenant deployments.\n fullCatalog: payload.catalog_scope === \"full\",\n };\n }\n\n if (accessTokens.length === 0 && !hasA2ASecret) {\n if (options.allowDevOpen === false) {\n return { authed: false };\n }\n return {\n authed: true,\n identity: deriveStaticTokenIdentity(ownerEmailHeader),\n fullSurface: !!(ownerEmailHeader && ownerEmailHeader.trim()),\n };\n }\n\n // Try ACCESS_TOKEN / ACCESS_TOKENS exact match. Static tokens carry no\n // per-caller claims, so derive identity from the forwarded owner-email\n // hint (install flow) — otherwise tools would run unscoped. Compare in\n // constant time (matching the rest of this subsystem's secret-comparison\n // discipline); node:crypto is imported dynamically because this module is\n // bundled into the serverless function and avoids static Node-only imports.\n if (accessTokens.length > 0) {\n const { timingSafeEqual } = await import(\"node:crypto\");\n const candidate = Buffer.from(token, \"utf8\");\n const matched = accessTokens.some((configured) => {\n const expected = Buffer.from(configured, \"utf8\");\n return (\n expected.length === candidate.length &&\n timingSafeEqual(expected, candidate)\n );\n });\n if (matched) {\n return {\n authed: true,\n identity: deriveStaticTokenIdentity(ownerEmailHeader),\n // Matched a configured ACCESS_TOKEN — a real caller.\n fullSurface: true,\n };\n }\n }\n\n return { authed: false };\n}\n\nexport async function resolveOrgIdFromDomain(\n orgDomain: string \| undefined,\n): Promise<string \| undefined> {\n if (!orgDomain) return undefined;\n try {\n const { resolveOrgByDomain } = await import(\"../org/context.js\");\n const org = await resolveOrgByDomain(orgDomain);\n return org?.orgId ?? undefined;\n } catch {\n return undefined;\n }\n}\n"]}

package/docs/content/actions.md CHANGED Viewed

@@ -16,6 +16,8 @@ Actions are the single source of truth for anything your app does. Define an act
 - **A CLI command** — `pnpm action <name>` for scripting and dev loops.
 One definition, seven consumers. This is rung 3 of the [ladder](/docs/what-is-agent-native#the-ladder).
+If you are deciding whether to expose an operation headlessly, in chat, in an
+embedded sidecar, or as a full app screen, see [Agent Surfaces](/docs/agent-surfaces).
 ## Defining an action {#defining}
@@ -355,7 +357,9 @@ The built-in discriminants are `"data-table"`, `"data-chart"`, and
 `"data-insights"`. Their server-safe builders and schemas are exported from
 `@agent-native/core/data-widgets`, and native renderer ids are exported from
 `@agent-native/core`. See [Native Chat UI](/docs/native-chat-ui) for the full
-result contract and BYO runtime guidance.
+result contract and BYO runtime guidance, or [Agent Surfaces](/docs/agent-surfaces)
+for how this same action can stay headless, render in chat, or grow into a full
+screen.
 ## Calling it from the CLI {#cli}