@agent-native/core 0.7.2 → 0.7.4

package/dist/sharing/access.js

@@ -0,0 +1,149 @@
+/**
+ * Access-control helpers for shareable resources.
+ *
+ * The access model combines:
+ * 1. Direct ownership — `owner_email = currentUser`.
+ * 2. Visibility — `'private' | 'org' | 'public'`. `org` grants read to anyone
+ *    in the same org; `public` grants read to any authenticated user.
+ * 3. Share rows — per-user or per-org grants in the `{type}_shares` table
+ *    with a role (`viewer | editor | admin`).
+ *
+ * Use `applyAccessFilter()` on list/read queries to filter rows the current
+ * user can see. Use `assertAccess()` at the top of write actions to reject
+ * callers who lack the required role.
+ */
+import { and, eq, or, sql } from "drizzle-orm";
+import { getRequestUserEmail, getRequestOrgId, } from "../server/request-context.js";
+import { requireShareableResource, } from "./registry.js";
+import { ROLE_RANK } from "./schema.js";
+export class ForbiddenError extends Error {
+    statusCode = 403;
+    constructor(message = "Forbidden") {
+        super(message);
+        this.name = "ForbiddenError";
+    }
+}
+/** Current request's access context. Pulls from request-context ALS. */
+export function currentAccess() {
+    return {
+        userEmail: getRequestUserEmail(),
+        orgId: getRequestOrgId(),
+    };
+}
+/**
+ * Build a Drizzle `WHERE` clause that admits rows the current user can see.
+ * Pass the ownable resource table and its shares table; optional min role
+ * (defaults to 'viewer') gates which share rows count.
+ *
+ * Example:
+ *
+ *   const rows = await db
+ *     .select()
+ *     .from(schema.documents)
+ *     .where(accessFilter(schema.documents, schema.documentShares));
+ */
+export function accessFilter(resourceTable, sharesTable, ctx = currentAccess(), minRole = "viewer") {
+    const { userEmail, orgId } = ctx;
+    const clauses = [];
+    if (userEmail) {
+        clauses.push(eq(resourceTable.ownerEmail, userEmail));
+    }
+    clauses.push(eq(resourceTable.visibility, "public"));
+    if (orgId) {
+        clauses.push(and(eq(resourceTable.visibility, "org"), eq(resourceTable.orgId, orgId)));
+    }
+    if (userEmail) {
+        clauses.push(sql `exists (select 1 from ${sharesTable}
+                  where ${sharesTable.resourceId} = ${resourceTable.id}
+                    and ${sharesTable.principalType} = 'user'
+                    and ${sharesTable.principalId} = ${userEmail}
+                    and ${minRoleSql(minRole)})`);
+    }
+    if (orgId) {
+        clauses.push(sql `exists (select 1 from ${sharesTable}
+                  where ${sharesTable.resourceId} = ${resourceTable.id}
+                    and ${sharesTable.principalType} = 'org'
+                    and ${sharesTable.principalId} = ${orgId}
+                    and ${minRoleSql(minRole)})`);
+    }
+    // If there's no user and no org (fully anonymous), only public resources.
+    return or(...clauses) ?? eq(resourceTable.visibility, "public");
+}
+function minRoleSql(minRole) {
+    if (minRole === "viewer") {
+        // any role satisfies viewer
+        return sql `1=1`;
+    }
+    if (minRole === "editor") {
+        return sql `role in ('editor','admin')`;
+    }
+    return sql `role = 'admin'`;
+}
+/**
+ * Return the effective role the current user has on a specific resource, or
+ * null if they have no access. Loads the resource and relevant share rows.
+ */
+export async function resolveAccess(resourceType, resourceId, ctx = currentAccess()) {
+    const reg = requireShareableResource(resourceType);
+    const db = reg.getDb();
+    const [resource] = await db
+        .select()
+        .from(reg.resourceTable)
+        .where(eq(reg.resourceTable.id, resourceId));
+    if (!resource)
+        return null;
+    const { userEmail, orgId } = ctx;
+    if (userEmail && resource.ownerEmail === userEmail) {
+        return { role: "owner", resource };
+    }
+    if (resource.visibility === "public") {
+        // No share row needed; default viewer unless upgraded below.
+        const role = await highestShareRole(reg, resourceId, ctx);
+        return { role: role ?? "viewer", resource };
+    }
+    if (resource.visibility === "org" && orgId && resource.orgId === orgId) {
+        const role = await highestShareRole(reg, resourceId, ctx);
+        return { role: role ?? "viewer", resource };
+    }
+    const role = await highestShareRole(reg, resourceId, ctx);
+    if (role)
+        return { role, resource };
+    return null;
+}
+async function highestShareRole(reg, resourceId, ctx) {
+    const { userEmail, orgId } = ctx;
+    if (!userEmail && !orgId)
+        return null;
+    const db = reg.getDb();
+    const rows = await db
+        .select()
+        .from(reg.sharesTable)
+        .where(eq(reg.sharesTable.resourceId, resourceId));
+    let best = null;
+    for (const r of rows) {
+        const matches = (r.principalType === "user" &&
+            userEmail &&
+            r.principalId === userEmail) ||
+            (r.principalType === "org" && orgId && r.principalId === orgId);
+        if (!matches)
+            continue;
+        if (!best || ROLE_RANK[r.role] > ROLE_RANK[best])
+            best = r.role;
+    }
+    return best;
+}
+/**
+ * Throw ForbiddenError if the current user can't act on this resource with at
+ * least the given role. Used at the top of update/delete actions.
+ */
+export async function assertAccess(resourceType, resourceId, minRole = "viewer", ctx = currentAccess()) {
+    const access = await resolveAccess(resourceType, resourceId, ctx);
+    if (!access) {
+        throw new ForbiddenError(`No access to ${resourceType} ${resourceId}`);
+    }
+    if (ROLE_RANK[access.role] < ROLE_RANK[minRole]) {
+        throw new ForbiddenError(`Requires ${minRole} role on ${resourceType} ${resourceId} (have ${access.role})`);
+    }
+    return access;
+}
+//# sourceMappingURL=access.js.map

package/dist/sharing/access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.js","sourceRoot":"","sources":["../../src/sharing/access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAY,MAAM,aAAa,CAAC;AACzD,OAAO,EACL,mBAAmB,EACnB,eAAe,GAChB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,wBAAwB,GAEzB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,SAAS,EAAkB,MAAM,aAAa,CAAC;AAExD,MAAM,OAAO,cAAe,SAAQ,KAAK;IACvC,UAAU,GAAG,GAAG,CAAC;IACjB,YAAY,OAAO,GAAG,WAAW;QAC/B,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAOD,wEAAwE;AACxE,MAAM,UAAU,aAAa;IAC3B,OAAO;QACL,SAAS,EAAE,mBAAmB,EAAE;QAChC,KAAK,EAAE,eAAe,EAAE;KACzB,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,YAAY,CAC1B,aAAkB,EAClB,WAAgB,EAChB,MAAqB,aAAa,EAAE,EACpC,UAAqB,QAAQ;IAE7B,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IACjC,MAAM,OAAO,GAAU,EAAE,CAAC;IAE1B,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC;IACrD,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,IAAI,CACV,GAAG,CAAC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,KAAK,EAAE,KAAK,CAAC,CAAE,CAC1E,CAAC;IACJ,CAAC;IACD,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,CAAC,IAAI,CACV,GAAG,CAAA,yBAAyB,WAAW;0BACnB,WAAW,CAAC,UAAU,MAAM,aAAa,CAAC,EAAE;0BAC5C,WAAW,CAAC,aAAa;0BACzB,WAAW,CAAC,WAAW,MAAM,SAAS;0BACtC,UAAU,CAAC,OAAO,CAAC,GAAG,CAC3C,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,IAAI,CACV,GAAG,CAAA,yBAAyB,WAAW;0BACnB,WAAW,CAAC,UAAU,MAAM,aAAa,CAAC,EAAE;0BAC5C,WAAW,CAAC,aAAa;0BACzB,WAAW,CAAC,WAAW,MAAM,KAAK;0BAClC,UAAU,CAAC,OAAO,CAAC,GAAG,CAC3C,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,OAAO,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,UAAU,CAAC,OAAkB;IACpC,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,4BAA4B;QAC5B,OAAO,GAAG,CAAA,KAAK,CAAC;IAClB,CAAC;IACD,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,OAAO,GAAG,CAAA,4BAA4B,CAAC;IACzC,CAAC;IACD,OAAO,GAAG,CAAA,gBAAgB,CAAC;AAC7B,CAAC;AASD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,YAAoB,EACpB,UAAkB,EAClB,MAAqB,aAAa,EAAE;IAEpC,MAAM,GAAG,GAAG,wBAAwB,CAAC,YAAY,CAAC,CAAC;IACnD,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,EAAS,CAAC;IAE9B,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,EAAE;SACxB,MAAM,EAAE;SACR,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC;SACvB,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC;IAC/C,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IAEjC,IAAI,SAAS,IAAI,QAAQ,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACnD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;IACrC,CAAC;IACD,IAAI,QAAQ,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QACrC,6DAA6D;QAC7D,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;QAC1D,OAAO,EAAE,IAAI,EAAE,IAAI,IAAI,QAAQ,EAAE,QAAQ,EAAE,CAAC;IAC9C,CAAC;IACD,IAAI,QAAQ,CAAC,UAAU,KAAK,KAAK,IAAI,KAAK,IAAI,QAAQ,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QACvE,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;QAC1D,OAAO,EAAE,IAAI,EAAE,IAAI,IAAI,QAAQ,EAAE,QAAQ,EAAE,CAAC;IAC9C,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;IAC1D,IAAI,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IACpC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,GAAkC,EAClC,UAAkB,EAClB,GAAkB;IAElB,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IACjC,IAAI,CAAC,SAAS,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACtC,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,EAAS,CAAC;IAC9B,MAAM,IAAI,GAAG,MAAM,EAAE;SAClB,MAAM,EAAE;SACR,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;SACrB,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC;IACrD,IAAI,IAAI,GAAqB,IAAI,CAAC;IAClC,KAAK,MAAM,CAAC,IAAI,IAId,EAAE,CAAC;QACH,MAAM,OAAO,GACX,CAAC,CAAC,CAAC,aAAa,KAAK,MAAM;YACzB,SAAS;YACT,CAAC,CAAC,WAAW,KAAK,SAAS,CAAC;YAC9B,CAAC,CAAC,CAAC,aAAa,KAAK,KAAK,IAAI,KAAK,IAAI,CAAC,CAAC,WAAW,KAAK,KAAK,CAAC,CAAC;QAClE,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,IAAI,CAAC,IAAI,IAAI,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC;YAAE,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;IAClE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,YAAoB,EACpB,UAAkB,EAClB,UAA+B,QAAQ,EACvC,MAAqB,aAAa,EAAE;IAEpC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,YAAY,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;IAClE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,cAAc,CAAC,gBAAgB,YAAY,IAAI,UAAU,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,cAAc,CACtB,YAAY,OAAO,YAAY,YAAY,IAAI,UAAU,UAAU,MAAM,CAAC,IAAI,GAAG,CAClF,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/sharing/actions/list-resource-shares.d.ts

@@ -0,0 +1,3 @@
+declare const _default: any;
+export default _default;
+//# sourceMappingURL=list-resource-shares.d.ts.map

package/dist/sharing/actions/list-resource-shares.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"list-resource-shares.d.ts","sourceRoot":"","sources":["../../../src/sharing/actions/list-resource-shares.ts"],"names":[],"mappings":";AAMA,wBAiCG"}

package/dist/sharing/actions/list-resource-shares.js

@@ -0,0 +1,38 @@
+import { eq } from "drizzle-orm";
+import { z } from "zod";
+import { defineAction } from "../../action.js";
+import { resolveAccess } from "../access.js";
+import { requireShareableResource } from "../registry.js";
+export default defineAction({
+    description: "List the current visibility and share grants on a shareable resource. Any read access is sufficient.",
+    schema: z.object({
+        resourceType: z.string(),
+        resourceId: z.string(),
+    }),
+    http: { method: "GET" },
+    run: async (args) => {
+        const reg = requireShareableResource(args.resourceType);
+        const access = await resolveAccess(args.resourceType, args.resourceId);
+        if (!access)
+            return { ownerEmail: null, visibility: null, shares: [] };
+        const db = reg.getDb();
+        const shares = await db
+            .select()
+            .from(reg.sharesTable)
+            .where(eq(reg.sharesTable.resourceId, args.resourceId));
+        return {
+            ownerEmail: access.resource.ownerEmail ?? null,
+            orgId: access.resource.orgId ?? null,
+            visibility: access.resource.visibility ?? "private",
+            role: access.role,
+            shares: shares.map((s) => ({
+                id: s.id,
+                principalType: s.principalType,
+                principalId: s.principalId,
+                role: s.role,
+                createdAt: s.createdAt,
+            })),
+        };
+    },
+});
+//# sourceMappingURL=list-resource-shares.js.map

package/dist/sharing/actions/list-resource-shares.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"list-resource-shares.js","sourceRoot":"","sources":["../../../src/sharing/actions/list-resource-shares.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAE1D,eAAe,YAAY,CAAC;IAC1B,WAAW,EACT,sGAAsG;IACxG,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QACxB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;KACvB,CAAC;IACF,IAAI,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE;IACvB,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAClB,MAAM,GAAG,GAAG,wBAAwB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACvE,IAAI,CAAC,MAAM;YAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QAEvE,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,EAAS,CAAC;QAC9B,MAAM,MAAM,GAAG,MAAM,EAAE;aACpB,MAAM,EAAE;aACR,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;aACrB,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QAE1D,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU,IAAI,IAAI;YAC9C,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK,IAAI,IAAI;YACpC,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU,IAAI,SAAS;YACnD,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC;gBAC9B,EAAE,EAAE,CAAC,CAAC,EAAE;gBACR,aAAa,EAAE,CAAC,CAAC,aAAa;gBAC9B,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,SAAS,EAAE,CAAC,CAAC,SAAS;aACvB,CAAC,CAAC;SACJ,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/dist/sharing/actions/set-resource-visibility.d.ts

@@ -0,0 +1,3 @@
+declare const _default: any;
+export default _default;
+//# sourceMappingURL=set-resource-visibility.d.ts.map

package/dist/sharing/actions/set-resource-visibility.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"set-resource-visibility.d.ts","sourceRoot":"","sources":["../../../src/sharing/actions/set-resource-visibility.ts"],"names":[],"mappings":";AAMA,wBAkBG"}

package/dist/sharing/actions/set-resource-visibility.js

@@ -0,0 +1,24 @@
+import { eq } from "drizzle-orm";
+import { z } from "zod";
+import { defineAction } from "../../action.js";
+import { assertAccess } from "../access.js";
+import { requireShareableResource } from "../registry.js";
+export default defineAction({
+    description: "Change the coarse visibility of a shareable resource: 'private' | 'org' | 'public'. Owner or admin role required.",
+    schema: z.object({
+        resourceType: z.string(),
+        resourceId: z.string(),
+        visibility: z.enum(["private", "org", "public"]),
+    }),
+    run: async (args) => {
+        const reg = requireShareableResource(args.resourceType);
+        await assertAccess(args.resourceType, args.resourceId, "admin");
+        const db = reg.getDb();
+        await db
+            .update(reg.resourceTable)
+            .set({ visibility: args.visibility })
+            .where(eq(reg.resourceTable.id, args.resourceId));
+        return { ok: true, visibility: args.visibility };
+    },
+});
+//# sourceMappingURL=set-resource-visibility.js.map

package/dist/sharing/actions/set-resource-visibility.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"set-resource-visibility.js","sourceRoot":"","sources":["../../../src/sharing/actions/set-resource-visibility.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAE1D,eAAe,YAAY,CAAC;IAC1B,WAAW,EACT,mHAAmH;IACrH,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QACxB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;KACjD,CAAC;IACF,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAClB,MAAM,GAAG,GAAG,wBAAwB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACxD,MAAM,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAChE,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,EAAS,CAAC;QAC9B,MAAM,EAAE;aACL,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC;aACzB,GAAG,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC;aACpC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QACpD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC;IACnD,CAAC;CACF,CAAC,CAAC"}

package/dist/sharing/actions/share-resource.d.ts

@@ -0,0 +1,3 @@
+declare const _default: any;
+export default _default;
+//# sourceMappingURL=share-resource.d.ts.map

package/dist/sharing/actions/share-resource.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"share-resource.d.ts","sourceRoot":"","sources":["../../../src/sharing/actions/share-resource.ts"],"names":[],"mappings":";AAgBA,wBAyDG"}

package/dist/sharing/actions/share-resource.js

@@ -0,0 +1,64 @@
+import { and, eq } from "drizzle-orm";
+import { z } from "zod";
+import { defineAction } from "../../action.js";
+import { getRequestUserEmail } from "../../server/request-context.js";
+import { assertAccess, ForbiddenError } from "../access.js";
+import { requireShareableResource } from "../registry.js";
+function nanoid(size = 12) {
+    const chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+    let id = "";
+    const bytes = crypto.getRandomValues(new Uint8Array(size));
+    for (const byte of bytes)
+        id += chars[byte % chars.length];
+    return id;
+}
+export default defineAction({
+    description: "Grant a user or org access to a shareable resource. Owner or admin role required.",
+    schema: z.object({
+        resourceType: z
+            .string()
+            .describe("Registered resource type, e.g. 'document', 'form'."),
+        resourceId: z.string().describe("Id of the resource to share."),
+        principalType: z
+            .enum(["user", "org"])
+            .describe("'user' for an individual, 'org' for a whole organization."),
+        principalId: z
+            .string()
+            .describe("Email (user) or org id (org) of the principal."),
+        role: z
+            .enum(["viewer", "editor", "admin"])
+            .default("viewer")
+            .describe("Role to grant."),
+    }),
+    run: async (args) => {
+        const reg = requireShareableResource(args.resourceType);
+        await assertAccess(args.resourceType, args.resourceId, "admin");
+        const actor = getRequestUserEmail();
+        if (!actor)
+            throw new ForbiddenError("Not signed in");
+        const db = reg.getDb();
+        const [existing] = await db
+            .select()
+            .from(reg.sharesTable)
+            .where(and(eq(reg.sharesTable.resourceId, args.resourceId), eq(reg.sharesTable.principalType, args.principalType), eq(reg.sharesTable.principalId, args.principalId)));
+        if (existing) {
+            await db
+                .update(reg.sharesTable)
+                .set({ role: args.role })
+                .where(eq(reg.sharesTable.id, existing.id));
+            return { id: existing.id, updated: true };
+        }
+        const id = nanoid();
+        await db.insert(reg.sharesTable).values({
+            id,
+            resourceId: args.resourceId,
+            principalType: args.principalType,
+            principalId: args.principalId,
+            role: args.role,
+            createdBy: actor,
+            createdAt: new Date().toISOString(),
+        });
+        return { id, updated: false };
+    },
+});
+//# sourceMappingURL=share-resource.js.map

package/dist/sharing/actions/share-resource.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"share-resource.js","sourceRoot":"","sources":["../../../src/sharing/actions/share-resource.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC5D,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAE1D,SAAS,MAAM,CAAC,IAAI,GAAG,EAAE;IACvB,MAAM,KAAK,GACT,gEAAgE,CAAC;IACnE,IAAI,EAAE,GAAG,EAAE,CAAC;IACZ,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3D,KAAK,MAAM,IAAI,IAAI,KAAK;QAAE,EAAE,IAAI,KAAK,CAAC,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;IAC3D,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,eAAe,YAAY,CAAC;IAC1B,WAAW,EACT,mFAAmF;IACrF,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,YAAY,EAAE,CAAC;aACZ,MAAM,EAAE;aACR,QAAQ,CAAC,oDAAoD,CAAC;QACjE,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,8BAA8B,CAAC;QAC/D,aAAa,EAAE,CAAC;aACb,IAAI,CAAC,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;aACrB,QAAQ,CAAC,2DAA2D,CAAC;QACxE,WAAW,EAAE,CAAC;aACX,MAAM,EAAE;aACR,QAAQ,CAAC,gDAAgD,CAAC;QAC7D,IAAI,EAAE,CAAC;aACJ,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;aACnC,OAAO,CAAC,QAAQ,CAAC;aACjB,QAAQ,CAAC,gBAAgB,CAAC;KAC9B,CAAC;IACF,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAClB,MAAM,GAAG,GAAG,wBAAwB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACxD,MAAM,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAChE,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;QACpC,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,cAAc,CAAC,eAAe,CAAC,CAAC;QAEtD,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,EAAS,CAAC;QAC9B,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,EAAE;aACxB,MAAM,EAAE;aACR,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;aACrB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,EAC/C,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,EAAE,IAAI,CAAC,aAAa,CAAC,EACrD,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,CAClD,CACF,CAAC;QAEJ,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,EAAE;iBACL,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC;iBACvB,GAAG,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;iBACxB,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;YAC9C,OAAO,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC5C,CAAC;QAED,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;YACtC,EAAE;YACF,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,SAAS,EAAE,KAAK;YAChB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC,CAAC;QACH,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAChC,CAAC;CACF,CAAC,CAAC"}

package/dist/sharing/actions/unshare-resource.d.ts

@@ -0,0 +1,3 @@
+declare const _default: any;
+export default _default;
+//# sourceMappingURL=unshare-resource.d.ts.map

package/dist/sharing/actions/unshare-resource.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unshare-resource.d.ts","sourceRoot":"","sources":["../../../src/sharing/actions/unshare-resource.ts"],"names":[],"mappings":";AAMA,wBAwBG"}

package/dist/sharing/actions/unshare-resource.js

@@ -0,0 +1,24 @@
+import { and, eq } from "drizzle-orm";
+import { z } from "zod";
+import { defineAction } from "../../action.js";
+import { assertAccess } from "../access.js";
+import { requireShareableResource } from "../registry.js";
+export default defineAction({
+    description: "Revoke a previously granted share. Owner or admin role required.",
+    schema: z.object({
+        resourceType: z.string(),
+        resourceId: z.string(),
+        principalType: z.enum(["user", "org"]),
+        principalId: z.string(),
+    }),
+    run: async (args) => {
+        const reg = requireShareableResource(args.resourceType);
+        await assertAccess(args.resourceType, args.resourceId, "admin");
+        const db = reg.getDb();
+        await db
+            .delete(reg.sharesTable)
+            .where(and(eq(reg.sharesTable.resourceId, args.resourceId), eq(reg.sharesTable.principalType, args.principalType), eq(reg.sharesTable.principalId, args.principalId)));
+        return { ok: true };
+    },
+});
+//# sourceMappingURL=unshare-resource.js.map

package/dist/sharing/actions/unshare-resource.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unshare-resource.js","sourceRoot":"","sources":["../../../src/sharing/actions/unshare-resource.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAE1D,eAAe,YAAY,CAAC;IAC1B,WAAW,EACT,kEAAkE;IACpE,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QACxB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QACtC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;KACxB,CAAC;IACF,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAClB,MAAM,GAAG,GAAG,wBAAwB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACxD,MAAM,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAChE,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,EAAS,CAAC;QAC9B,MAAM,EAAE;aACL,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC;aACvB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,EAC/C,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,EAAE,IAAI,CAAC,aAAa,CAAC,EACrD,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,CAClD,CACF,CAAC;QACJ,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;CACF,CAAC,CAAC"}

package/dist/sharing/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Framework-level sharing / privacy primitive.
+ *
+ * Templates make their resource tables ownable and register them here so the
+ * shared share actions and UI work end-to-end. See
+ * `.agents/skills/sharing/SKILL.md` for the full pattern.
+ */
+export { ownableColumns, createSharesTable, roleSatisfies, ROLE_RANK, type Visibility, type ShareRole, type PrincipalType, } from "./schema.js";
+export { registerShareableResource, getShareableResource, requireShareableResource, listShareableResources, type ShareableResourceRegistration, } from "./registry.js";
+export { accessFilter, resolveAccess, assertAccess, currentAccess, ForbiddenError, type AccessContext, type ResolvedAccess, } from "./access.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/sharing/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sharing/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,cAAc,EACd,iBAAiB,EACjB,aAAa,EACb,SAAS,EACT,KAAK,UAAU,EACf,KAAK,SAAS,EACd,KAAK,aAAa,GACnB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,wBAAwB,EACxB,sBAAsB,EACtB,KAAK,6BAA6B,GACnC,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,YAAY,EACZ,aAAa,EACb,YAAY,EACZ,aAAa,EACb,cAAc,EACd,KAAK,aAAa,EAClB,KAAK,cAAc,GACpB,MAAM,aAAa,CAAC"}

package/dist/sharing/index.js

@@ -0,0 +1,11 @@
+/**
+ * Framework-level sharing / privacy primitive.
+ *
+ * Templates make their resource tables ownable and register them here so the
+ * shared share actions and UI work end-to-end. See
+ * `.agents/skills/sharing/SKILL.md` for the full pattern.
+ */
+export { ownableColumns, createSharesTable, roleSatisfies, ROLE_RANK, } from "./schema.js";
+export { registerShareableResource, getShareableResource, requireShareableResource, listShareableResources, } from "./registry.js";
+export { accessFilter, resolveAccess, assertAccess, currentAccess, ForbiddenError, } from "./access.js";
+//# sourceMappingURL=index.js.map

package/dist/sharing/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sharing/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,cAAc,EACd,iBAAiB,EACjB,aAAa,EACb,SAAS,GAIV,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,wBAAwB,EACxB,sBAAsB,GAEvB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,YAAY,EACZ,aAAa,EACb,YAAY,EACZ,aAAa,EACb,cAAc,GAGf,MAAM,aAAa,CAAC"}

package/dist/sharing/registry.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Registry of shareable resources.
+ *
+ * Each template registers its ownable resource(s) once on module load so the
+ * framework-level share actions (`share-resource`, `list-resource-shares`,
+ * etc.) can dispatch to the correct tables.
+ *
+ *   import { registerShareableResource } from "@agent-native/core/sharing";
+ *   import * as schema from "./schema.js";
+ *
+ *   registerShareableResource({
+ *     type: "document",
+ *     resourceTable: schema.documents,
+ *     sharesTable: schema.documentShares,
+ *     displayName: "Document",
+ *     titleColumn: "title",
+ *   });
+ */
+export interface ShareableResourceRegistration {
+    /** Stable identifier used across actions, UI, and analytics. e.g. "document". */
+    type: string;
+    /** Drizzle table for the parent resource (must have ownableColumns()). */
+    resourceTable: any;
+    /** Drizzle table produced by createSharesTable(). */
+    sharesTable: any;
+    /** Human-readable singular label shown in the share dialog. */
+    displayName: string;
+    /**
+     * Column on the resource table that holds a human-readable title for
+     * display in the share UI. Default: "title".
+     */
+    titleColumn?: string;
+    /**
+     * Drizzle DB accessor from the template's server/db/index.ts. Required —
+     * the framework-level share actions and access helpers call this to reach
+     * the right DB instance (schema is template-specific).
+     */
+    getDb: () => any;
+}
+export declare function registerShareableResource(entry: ShareableResourceRegistration): void;
+export declare function getShareableResource(type: string): ShareableResourceRegistration | undefined;
+export declare function requireShareableResource(type: string): ShareableResourceRegistration;
+export declare function listShareableResources(): ShareableResourceRegistration[];
+//# sourceMappingURL=registry.d.ts.map

package/dist/sharing/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/sharing/registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,MAAM,WAAW,6BAA6B;IAC5C,iFAAiF;IACjF,IAAI,EAAE,MAAM,CAAC;IACb,0EAA0E;IAC1E,aAAa,EAAE,GAAG,CAAC;IACnB,qDAAqD;IACrD,WAAW,EAAE,GAAG,CAAC;IACjB,+DAA+D;IAC/D,WAAW,EAAE,MAAM,CAAC;IACpB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,KAAK,EAAE,MAAM,GAAG,CAAC;CAClB;AAuBD,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,6BAA6B,GACnC,IAAI,CAEN;AAED,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,MAAM,GACX,6BAA6B,GAAG,SAAS,CAE3C;AAED,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,MAAM,GACX,6BAA6B,CAS/B;AAED,wBAAgB,sBAAsB,IAAI,6BAA6B,EAAE,CAExE"}

package/dist/sharing/registry.js

@@ -0,0 +1,54 @@
+/**
+ * Registry of shareable resources.
+ *
+ * Each template registers its ownable resource(s) once on module load so the
+ * framework-level share actions (`share-resource`, `list-resource-shares`,
+ * etc.) can dispatch to the correct tables.
+ *
+ *   import { registerShareableResource } from "@agent-native/core/sharing";
+ *   import * as schema from "./schema.js";
+ *
+ *   registerShareableResource({
+ *     type: "document",
+ *     resourceTable: schema.documents,
+ *     sharesTable: schema.documentShares,
+ *     displayName: "Document",
+ *     titleColumn: "title",
+ *   });
+ */
+// Stash the registry on globalThis so it survives SSR bundle duplication.
+// Vite SSR's `noExternal: /^(?!node:)/` policy means @agent-native/core gets
+// inlined into every server bundle that imports it — and each bundle gets its
+// own module-level state. A plain `new Map()` here would create one Map per
+// bundle, so the template's `registerShareableResource()` (called from the
+// Nitro plugin graph) wouldn't be visible to the framework's auto-mounted
+// share-resource action (loaded via `import("../sharing/actions/...js")` in a
+// different module instance). Using globalThis collapses them back to one Map.
+const REGISTRY_KEY = "__agentNativeShareableResources__";
+const globalRegistry = globalThis;
+function getRegistry() {
+    let r = globalRegistry[REGISTRY_KEY];
+    if (!r) {
+        r = new Map();
+        globalRegistry[REGISTRY_KEY] = r;
+    }
+    return r;
+}
+export function registerShareableResource(entry) {
+    getRegistry().set(entry.type, entry);
+}
+export function getShareableResource(type) {
+    return getRegistry().get(type);
+}
+export function requireShareableResource(type) {
+    const reg = getRegistry();
+    const entry = reg.get(type);
+    if (!entry) {
+        throw new Error(`Unknown shareable resource type: "${type}". Did you forget registerShareableResource()?`);
+    }
+    return entry;
+}
+export function listShareableResources() {
+    return Array.from(getRegistry().values());
+}
+//# sourceMappingURL=registry.js.map

package/dist/sharing/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/sharing/registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAwBH,0EAA0E;AAC1E,6EAA6E;AAC7E,8EAA8E;AAC9E,4EAA4E;AAC5E,2EAA2E;AAC3E,0EAA0E;AAC1E,8EAA8E;AAC9E,+EAA+E;AAC/E,MAAM,YAAY,GAAG,mCAAmC,CAAC;AAEzD,MAAM,cAAc,GAClB,UAAiB,CAAC;AACpB,SAAS,WAAW;IAClB,IAAI,CAAC,GAAG,cAAc,CAAC,YAAY,CAAC,CAAC;IACrC,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,CAAC,GAAG,IAAI,GAAG,EAAyC,CAAC;QACrD,cAAc,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,KAAoC;IAEpC,WAAW,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,IAAY;IAEZ,OAAO,WAAW,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,IAAY;IAEZ,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;IAC1B,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC5B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,qCAAqC,IAAI,gDAAgD,CAC1F,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,sBAAsB;IACpC,OAAO,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;AAC5C,CAAC"}