@agent-native/core 0.7.50 → 0.7.51

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/dist/a2a/agent-card.d.ts.map +1 -1
  2. package/dist/a2a/agent-card.js +21 -16
  3. package/dist/a2a/agent-card.js.map +1 -1
  4. package/dist/a2a/auth-policy.d.ts +10 -0
  5. package/dist/a2a/auth-policy.d.ts.map +1 -0
  6. package/dist/a2a/auth-policy.js +34 -0
  7. package/dist/a2a/auth-policy.js.map +1 -0
  8. package/dist/a2a/handlers.d.ts.map +1 -1
  9. package/dist/a2a/handlers.js +5 -4
  10. package/dist/a2a/handlers.js.map +1 -1
  11. package/dist/a2a/index.d.ts +1 -0
  12. package/dist/a2a/index.d.ts.map +1 -1
  13. package/dist/a2a/index.js +1 -0
  14. package/dist/a2a/index.js.map +1 -1
  15. package/dist/a2a/server.d.ts.map +1 -1
  16. package/dist/a2a/server.js +16 -14
  17. package/dist/a2a/server.js.map +1 -1
  18. package/dist/client/resources/ResourceEditor.d.ts.map +1 -1
  19. package/dist/client/resources/ResourceEditor.js +2 -4
  20. package/dist/client/resources/ResourceEditor.js.map +1 -1
  21. package/dist/client/settings/AgentsSection.d.ts.map +1 -1
  22. package/dist/client/settings/AgentsSection.js +4 -6
  23. package/dist/client/settings/AgentsSection.js.map +1 -1
  24. package/dist/deploy/build.d.ts.map +1 -1
  25. package/dist/deploy/build.js +8 -0
  26. package/dist/deploy/build.js.map +1 -1
  27. package/dist/deploy/route-discovery.d.ts.map +1 -1
  28. package/dist/deploy/route-discovery.js +11 -2
  29. package/dist/deploy/route-discovery.js.map +1 -1
  30. package/dist/integrations/a2a-continuation-processor.d.ts.map +1 -1
  31. package/dist/integrations/a2a-continuation-processor.js +17 -11
  32. package/dist/integrations/a2a-continuation-processor.js.map +1 -1
  33. package/dist/integrations/a2a-continuations-store.d.ts +2 -1
  34. package/dist/integrations/a2a-continuations-store.d.ts.map +1 -1
  35. package/dist/integrations/a2a-continuations-store.js +33 -4
  36. package/dist/integrations/a2a-continuations-store.js.map +1 -1
  37. package/dist/integrations/webhook-handler.js +1 -1
  38. package/dist/integrations/webhook-handler.js.map +1 -1
  39. package/dist/resources/handlers.d.ts.map +1 -1
  40. package/dist/resources/handlers.js +2 -3
  41. package/dist/resources/handlers.js.map +1 -1
  42. package/dist/resources/metadata.d.ts +5 -0
  43. package/dist/resources/metadata.d.ts.map +1 -1
  44. package/dist/resources/metadata.js +17 -2
  45. package/dist/resources/metadata.js.map +1 -1
  46. package/dist/resources/store.d.ts.map +1 -1
  47. package/dist/resources/store.js +2 -1
  48. package/dist/resources/store.js.map +1 -1
  49. package/dist/server/agent-discovery.d.ts.map +1 -1
  50. package/dist/server/agent-discovery.js +7 -4
  51. package/dist/server/agent-discovery.js.map +1 -1
  52. package/dist/server/auth.d.ts.map +1 -1
  53. package/dist/server/auth.js +6 -0
  54. package/dist/server/auth.js.map +1 -1
  55. package/dist/vite/index.d.ts +1 -1
  56. package/dist/vite/index.d.ts.map +1 -1
  57. package/dist/vite/index.js +1 -1
  58. package/dist/vite/index.js.map +1 -1
  59. package/package.json +1 -1
package/dist/a2a/agent-card.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"agent-card.d.ts","sourceRoot":"","sources":["../../src/a2a/agent-card.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAGvD,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,SAAS,EACjB,OAAO,EAAE,MAAM,GACd,SAAS,CAqCX"}
1
+ {"version":3,"file":"agent-card.d.ts","sourceRoot":"","sources":["../../src/a2a/agent-card.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvD,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,SAAS,EACjB,OAAO,EAAE,MAAM,GACd,SAAS,CA6CX"}
package/dist/a2a/agent-card.js CHANGED
@@ -1,4 +1,5 @@
1
1
  import { withConfiguredAppBasePath } from "../server/app-base-path.js";
2
+ import { shouldAdvertiseJwtA2AAuth } from "./auth-policy.js";
2
3
  export function generateAgentCard(config, baseUrl) {
3
4
  const scopedUrl = withConfiguredAppBasePath(baseUrl);
4
5
  const card = {
@@ -14,25 +15,29 @@ export function generateAgentCard(config, baseUrl) {
14
15
  },
15
16
  skills: config.skills,
16
17
  };
17
- // Advertise JWT-based A2A identity when A2A_SECRET is configured
18
- if (process.env.A2A_SECRET) {
19
- card.securitySchemes = {
20
- jwtBearer: {
21
- type: "http",
22
- scheme: "bearer",
23
- bearerFormat: "JWT",
24
- },
18
+ const securitySchemes = {};
19
+ const security = [];
20
+ // Hosted production deployments require JWT-capable A2A even before card
21
+ // generation can prove whether auth will use the shared A2A_SECRET or an
22
+ // org-scoped secret from SQL.
23
+ if (shouldAdvertiseJwtA2AAuth()) {
24
+ securitySchemes.jwtBearer = {
25
+ type: "http",
26
+ scheme: "bearer",
27
+ bearerFormat: "JWT",
25
28
  };
26
- card.security = [{ jwtBearer: [] }];
29
+ security.push({ jwtBearer: [] });
27
30
  }
28
- else if (config.apiKeyEnv) {
29
- card.securitySchemes = {
30
- apiKey: {
31
- type: "http",
32
- scheme: "bearer",
33
- },
31
+ if (config.apiKeyEnv) {
32
+ securitySchemes.apiKey = {
33
+ type: "http",
34
+ scheme: "bearer",
34
35
  };
35
- card.security = [{ apiKey: [] }];
36
+ security.push({ apiKey: [] });
37
+ }
38
+ if (security.length > 0) {
39
+ card.securitySchemes = securitySchemes;
40
+ card.security = security;
36
41
  }
37
42
  return card;
38
43
  }
package/dist/a2a/agent-card.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"agent-card.js","sourceRoot":"","sources":["../../src/a2a/agent-card.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAEvE,MAAM,UAAU,iBAAiB,CAC/B,MAAiB,EACjB,OAAe;IAEf,MAAM,SAAS,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;IACrD,MAAM,IAAI,GAAc;QACtB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,OAAO;QAClC,eAAe,EAAE,KAAK;QACtB,YAAY,EAAE;YACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK;YACpC,iBAAiB,EAAE,KAAK;YACxB,sBAAsB,EAAE,IAAI;SAC7B;QACD,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC;IAEF,iEAAiE;IACjE,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;QAC3B,IAAI,CAAC,eAAe,GAAG;YACrB,SAAS,EAAE;gBACT,IAAI,EAAE,MAAM;gBACZ,MAAM,EAAE,QAAQ;gBAChB,YAAY,EAAE,KAAK;aACpB;SACF,CAAC;QACF,IAAI,CAAC,QAAQ,GAAG,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC;IACtC,CAAC;SAAM,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAC5B,IAAI,CAAC,eAAe,GAAG;YACrB,MAAM,EAAE;gBACN,IAAI,EAAE,MAAM;gBACZ,MAAM,EAAE,QAAQ;aACjB;SACF,CAAC;QACF,IAAI,CAAC,QAAQ,GAAG,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["import type { A2AConfig, AgentCard } from \"./types.js\";\nimport { withConfiguredAppBasePath } from \"../server/app-base-path.js\";\n\nexport function generateAgentCard(\n config: A2AConfig,\n baseUrl: string,\n): AgentCard {\n const scopedUrl = withConfiguredAppBasePath(baseUrl);\n const card: AgentCard = {\n name: config.name,\n description: config.description,\n url: scopedUrl,\n version: config.version ?? \"1.0.0\",\n protocolVersion: \"0.3\",\n capabilities: {\n streaming: config.streaming ?? false,\n pushNotifications: false,\n stateTransitionHistory: true,\n },\n skills: config.skills,\n };\n\n // Advertise JWT-based A2A identity when A2A_SECRET is configured\n if (process.env.A2A_SECRET) {\n card.securitySchemes = {\n jwtBearer: {\n type: \"http\",\n scheme: \"bearer\",\n bearerFormat: \"JWT\",\n },\n };\n card.security = [{ jwtBearer: [] }];\n } else if (config.apiKeyEnv) {\n card.securitySchemes = {\n apiKey: {\n type: \"http\",\n scheme: \"bearer\",\n },\n };\n card.security = [{ apiKey: [] }];\n }\n\n return card;\n}\n"]}
1
+ {"version":3,"file":"agent-card.js","sourceRoot":"","sources":["../../src/a2a/agent-card.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AACvE,OAAO,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAC;AAE7D,MAAM,UAAU,iBAAiB,CAC/B,MAAiB,EACjB,OAAe;IAEf,MAAM,SAAS,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;IACrD,MAAM,IAAI,GAAc;QACtB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,OAAO;QAClC,eAAe,EAAE,KAAK;QACtB,YAAY,EAAE;YACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK;YACpC,iBAAiB,EAAE,KAAK;YACxB,sBAAsB,EAAE,IAAI;SAC7B;QACD,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC;IAEF,MAAM,eAAe,GAA8C,EAAE,CAAC;IACtE,MAAM,QAAQ,GAAuC,EAAE,CAAC;IAExD,yEAAyE;IACzE,yEAAyE;IACzE,8BAA8B;IAC9B,IAAI,yBAAyB,EAAE,EAAE,CAAC;QAChC,eAAe,CAAC,SAAS,GAAG;YAC1B,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,QAAQ;YAChB,YAAY,EAAE,KAAK;SACpB,CAAC;QACF,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,eAAe,CAAC,MAAM,GAAG;YACvB,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,QAAQ;SACjB,CAAC;QACF,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;IAChC,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QACvC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["import type { A2AConfig, AgentCard } from \"./types.js\";\nimport { withConfiguredAppBasePath } from \"../server/app-base-path.js\";\nimport { shouldAdvertiseJwtA2AAuth } from \"./auth-policy.js\";\n\nexport function generateAgentCard(\n config: A2AConfig,\n baseUrl: string,\n): AgentCard {\n const scopedUrl = withConfiguredAppBasePath(baseUrl);\n const card: AgentCard = {\n name: config.name,\n description: config.description,\n url: scopedUrl,\n version: config.version ?? \"1.0.0\",\n protocolVersion: \"0.3\",\n capabilities: {\n streaming: config.streaming ?? false,\n pushNotifications: false,\n stateTransitionHistory: true,\n },\n skills: config.skills,\n };\n\n const securitySchemes: NonNullable<AgentCard[\"securitySchemes\"]> = {};\n const security: NonNullable<AgentCard[\"security\"]> = [];\n\n // Hosted production deployments require JWT-capable A2A even before card\n // generation can prove whether auth will use the shared A2A_SECRET or an\n // org-scoped secret from SQL.\n if (shouldAdvertiseJwtA2AAuth()) {\n securitySchemes.jwtBearer = {\n type: \"http\",\n scheme: \"bearer\",\n bearerFormat: \"JWT\",\n };\n security.push({ jwtBearer: [] });\n }\n\n if (config.apiKeyEnv) {\n securitySchemes.apiKey = {\n type: \"http\",\n scheme: \"bearer\",\n };\n security.push({ apiKey: [] });\n }\n\n if (security.length > 0) {\n card.securitySchemes = securitySchemes;\n card.security = security;\n }\n\n return card;\n}\n"]}
package/dist/a2a/auth-policy.d.ts ADDED
@@ -0,0 +1,10 @@
1
+ /**
2
+ * A2A auth policy helpers shared by discovery, the JSON-RPC gate, and task
3
+ * handlers. Serverless providers do not always expose `NODE_ENV=production`
4
+ * consistently at runtime, so production-like A2A checks also look at the
5
+ * provider flags those platforms set in deployed functions.
6
+ */
7
+ export declare function isA2AProductionRuntime(): boolean;
8
+ export declare function hasConfiguredA2ASecret(): boolean;
9
+ export declare function shouldAdvertiseJwtA2AAuth(): boolean;
10
+ //# sourceMappingURL=auth-policy.d.ts.map
package/dist/a2a/auth-policy.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth-policy.d.ts","sourceRoot":"","sources":["../../src/a2a/auth-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,wBAAgB,sBAAsB,IAAI,OAAO,CAkBhD;AAED,wBAAgB,sBAAsB,IAAI,OAAO,CAEhD;AAED,wBAAgB,yBAAyB,IAAI,OAAO,CAEnD"}
package/dist/a2a/auth-policy.js ADDED
@@ -0,0 +1,34 @@
1
+ /**
2
+ * A2A auth policy helpers shared by discovery, the JSON-RPC gate, and task
3
+ * handlers. Serverless providers do not always expose `NODE_ENV=production`
4
+ * consistently at runtime, so production-like A2A checks also look at the
5
+ * provider flags those platforms set in deployed functions.
6
+ */
7
+ export function isA2AProductionRuntime() {
8
+ if (process.env.NODE_ENV === "production")
9
+ return true;
10
+ if (process.env.NETLIFY === "true" && process.env.NETLIFY_LOCAL !== "true") {
11
+ return true;
12
+ }
13
+ if (process.env.AWS_LAMBDA_FUNCTION_NAME &&
14
+ process.env.NETLIFY_LOCAL !== "true") {
15
+ return true;
16
+ }
17
+ if (process.env.CF_PAGES === "1")
18
+ return true;
19
+ if ("__cf_env" in globalThis)
20
+ return true;
21
+ if (process.env.VERCEL || process.env.VERCEL_ENV)
22
+ return true;
23
+ if (process.env.RENDER || process.env.FLY_APP_NAME || process.env.K_SERVICE) {
24
+ return true;
25
+ }
26
+ return false;
27
+ }
28
+ export function hasConfiguredA2ASecret() {
29
+ return !!process.env.A2A_SECRET?.trim();
30
+ }
31
+ export function shouldAdvertiseJwtA2AAuth() {
32
+ return hasConfiguredA2ASecret() || isA2AProductionRuntime();
33
+ }
34
+ //# sourceMappingURL=auth-policy.js.map
package/dist/a2a/auth-policy.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth-policy.js","sourceRoot":"","sources":["../../src/a2a/auth-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB;IACpC,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,MAAM,EAAE,CAAC;QAC3E,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IACE,OAAO,CAAC,GAAG,CAAC,wBAAwB;QACpC,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,MAAM,EACpC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC9C,IAAI,UAAU,IAAI,UAAU;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC9D,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QAC5E,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,sBAAsB;IACpC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,OAAO,sBAAsB,EAAE,IAAI,sBAAsB,EAAE,CAAC;AAC9D,CAAC","sourcesContent":["/**\n * A2A auth policy helpers shared by discovery, the JSON-RPC gate, and task\n * handlers. Serverless providers do not always expose `NODE_ENV=production`\n * consistently at runtime, so production-like A2A checks also look at the\n * provider flags those platforms set in deployed functions.\n */\nexport function isA2AProductionRuntime(): boolean {\n if (process.env.NODE_ENV === \"production\") return true;\n if (process.env.NETLIFY === \"true\" && process.env.NETLIFY_LOCAL !== \"true\") {\n return true;\n }\n if (\n process.env.AWS_LAMBDA_FUNCTION_NAME &&\n process.env.NETLIFY_LOCAL !== \"true\"\n ) {\n return true;\n }\n if (process.env.CF_PAGES === \"1\") return true;\n if (\"__cf_env\" in globalThis) return true;\n if (process.env.VERCEL || process.env.VERCEL_ENV) return true;\n if (process.env.RENDER || process.env.FLY_APP_NAME || process.env.K_SERVICE) {\n return true;\n }\n return false;\n}\n\nexport function hasConfiguredA2ASecret(): boolean {\n return !!process.env.A2A_SECRET?.trim();\n}\n\nexport function shouldAdvertiseJwtA2AAuth(): boolean {\n return hasConfiguredA2ASecret() || isA2AProductionRuntime();\n}\n"]}
package/dist/a2a/handlers.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"handlers.d.ts","sourceRoot":"","sources":["../../src/a2a/handlers.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,SAAS,EAKT,eAAe,EAGhB,MAAM,YAAY,CAAC;AA6FpB;;;;;;;;GAQG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,SAAS,EACjB,KAAK,CAAC,EAAE,GAAG,GACV,OAAO,CAAC,IAAI,CAAC,CA8Df;AAgnBD;;;GAGG;AACH,wBAAsB,eAAe,CACnC,IAAI,EAAE,GAAG,EACT,KAAK,EAAE,GAAG,EACV,MAAM,EAAE,SAAS,GAChB,OAAO,CAAC,eAAe,CAAC,CAyC1B"}
1
+ {"version":3,"file":"handlers.d.ts","sourceRoot":"","sources":["../../src/a2a/handlers.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,SAAS,EAKT,eAAe,EAGhB,MAAM,YAAY,CAAC;AAiGpB;;;;;;;;GAQG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,SAAS,EACjB,KAAK,CAAC,EAAE,GAAG,GACV,OAAO,CAAC,IAAI,CAAC,CA8Df;AAgnBD;;;GAGG;AACH,wBAAsB,eAAe,CACnC,IAAI,EAAE,GAAG,EACT,KAAK,EAAE,GAAG,EACV,MAAM,EAAE,SAAS,GAChB,OAAO,CAAC,eAAe,CAAC,CAyC1B"}
package/dist/a2a/handlers.js CHANGED
@@ -3,6 +3,7 @@ import { createTask, getTask, getTaskOwner, updateTask, claimA2ATaskForProcessin
3
3
  import { agentChat } from "../shared/agent-chat.js";
4
4
  import { signInternalToken } from "../integrations/internal-token.js";
5
5
  import { withConfiguredAppBasePath } from "../server/app-base-path.js";
6
+ import { hasConfiguredA2ASecret, isA2AProductionRuntime, } from "./auth-policy.js";
6
7
  // Inlined to avoid pulling the entire core-routes-plugin (and its h3
7
8
  // transitive deps) into the a2a/handlers test boundary. Must stay in sync
8
9
  // with FRAMEWORK_ROUTE_PREFIX in `server/core-routes-plugin.ts`.
@@ -333,9 +334,9 @@ async function handleSend(params, config, event) {
333
334
  // with the lack of caller identity here would let any unauthenticated
334
335
  // attacker queue and trigger handler runs. In production, require some
335
336
  // form of auth so the verifiedEmail is bound to the task.
336
- const hasA2ASecret = !!process.env.A2A_SECRET;
337
+ const hasA2ASecret = hasConfiguredA2ASecret();
337
338
  const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);
338
- if (process.env.NODE_ENV === "production" && !hasA2ASecret && !hasApiKey) {
339
+ if (isA2AProductionRuntime() && !hasA2ASecret && !hasApiKey) {
339
340
  return {
340
341
  ...jsonRpcError(0, -32001, "A2A async mode is not available — A2A_SECRET or apiKeyEnv must be configured."),
341
342
  _id: 0,
@@ -518,9 +519,9 @@ function sanitizeTaskForResponse(task) {
518
519
  */
519
520
  function authorizeTaskAccess(taskOwnerEmail, event, config) {
520
521
  const verifiedEmail = event?.context?.__a2aVerifiedEmail ?? null;
521
- const hasA2ASecret = !!process.env.A2A_SECRET;
522
+ const hasA2ASecret = hasConfiguredA2ASecret();
522
523
  const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);
523
- const inProduction = process.env.NODE_ENV === "production";
524
+ const inProduction = isA2AProductionRuntime();
524
525
  if (inProduction && !hasA2ASecret && !hasApiKey) {
525
526
  // No way to authenticate the caller in production — refuse access.
526
527
  return jsonRpcError(0, -32001, "Task not found");
package/dist/a2a/handlers.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"handlers.js","sourceRoot":"","sources":["../../src/a2a/handlers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AAW1D,OAAO,EACL,UAAU,EACV,OAAO,EACP,YAAY,EACZ,UAAU,EACV,yBAAyB,EACzB,uBAAuB,EACvB,yBAAyB,EACzB,0BAA0B,GAC3B,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAEvE,qEAAqE;AACrE,0EAA0E;AAC1E,iEAAiE;AACjE,MAAM,qBAAqB,GAAG,kCAAkC,CAAC;AACjE,MAAM,kCAAkC,GAAG,MAAM,CAAC;AAClD,MAAM,6BAA6B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEpD;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,KAAsB;IAChD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,yBAAyB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAE/D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,KAAK,EAAE,OAAO,CAAC;QAC5D,MAAM,GAAG,GAAG,CAAC,IAAY,EAAsB,EAAE;YAC/C,IAAI,CAAC,OAAO;gBAAE,OAAO,SAAS,CAAC;YAC/B,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;gBACtC,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC;YACxC,CAAC;YACD,MAAM,GAAG,GAAG,OAA6C,CAAC;YAC1D,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QACtD,CAAC,CAAC;QACF,MAAM,KAAK,GAAG,GAAG,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC;QACjD,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,aAAa,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;QACpE,OAAO,yBAAyB,CAAC,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,yBAAyB,CAC9B,oBAAoB,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAC/C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,uBAAuB,CACpC,KAAU,EACV,MAAc;IAEd,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,qBAAqB,EAAE,CAAC;IACjD,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IACF,IAAI,CAAC;QACH,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;QACvE,qEAAqE;QACrE,iBAAiB;IACnB,CAAC;IACD,qEAAqE;IACrE,wEAAwE;IACxE,uEAAuE;IACvE,0EAA0E;IAC1E,MAAM,eAAe,GAAG,KAAK,CAAC,GAAG,EAAE;QACjC,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;KACjC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACf,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,IAAI,CAAC;QACjB,eAAe;QACf,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;KACzD,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,MAAc,EACd,MAAiB,EACjB,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACxD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,0DAA0D;QAC1D,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,qCAAqC,EAAE,CAAC;aACvE;SACF,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAA4B,CAAC;IACjE,MAAM,aAAa,GAAG,CAAC,IAAI,CAAC,eAAe,IAAI,EAAE,CAA4B,CAAC;IAC9E,MAAM,aAAa,GAAG,aAAa,CAAC,aAAmC,CAAC;IACxE,MAAM,aAAa,GAAG,aAAa,CAAC,aAAmC,CAAC;IACxE,MAAM,SAAS,GACZ,aAAa,CAAC,SAAuC,IAAI,SAAS,CAAC;IACtE,MAAM,cAAc,GACjB,aAAa,CAAC,cAGD,IAAI,SAAS,CAAC;IAE9B,MAAM,aAAa,GAAG,MAAM,uBAAuB,CACjD,aAAa,EACb,aAAa,CACd,CAAC;IAEF,MAAM,EAAE,qBAAqB,EAAE,GAC7B,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,qBAAqB,CACzB,EAAE,SAAS,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,EAClD,GAAG,EAAE,CACH,oBAAoB,CAClB,MAAM,EACN,OAAO,EACP,MAAM,EACN,SAAS,EACT,cAAc,EACd,KAAK,CACN,CACJ,CAAC;IACJ,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,MAAM,EAAE;gBACvB,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,iBAAiB,EAAE,CAAC;iBACnE;aACF,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,cAAc,GAAe,KAAK,EACtC,OAAgB,EAChB,OAA0B,EACC,EAAE;IAC7B,kCAAkC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK;SACvB,MAAM,CAAC,CAAC,CAAC,EAAuC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;SACrE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;SAClB,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,4BAA4B,EAAE,CAAC;aAC9D;SACF,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,0EAA0E;IAC1E,wDAAwD;IACxD,4EAA4E;IAC5E,oEAAoE;IACpE,yEAAyE;IACzE,8BAA8B;IAC9B,qEAAqE;IACrE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;IAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACrE,MAAM,aAAa,GAAG,OAAO;QAC3B,CAAC,CAAC,+DAA+D,UAAU,sNAAsN,IAAI,EAAE;QACvS,CAAC,CAAC,IAAI,CAAC;IAET,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAEnD,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,SAAS,CAAC,IAAI,CAAC;YACb,IAAI,EAAE,eAAe;YACrB,WAAW,EAAE,6BAA6B;YAC1C,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,YAAY,EAAE,EAAE,CAAC;SAChE,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,OAAO,EAAE;YACP,IAAI,EAAE,OAAO;YACb,KAAK,EAAE;gBACL,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;gBACvC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM;oBACzB,CAAC,CAAC;wBACE;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,kBAAkB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;yBACrD;qBACF;oBACH,CAAC,CAAC,EAAE,CAAC;aACR;SACF;QACD,SAAS,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;KACxD,CAAC;AACJ,CAAC,CAAC;AAEF,SAAS,UAAU,CAAC,MAAiB;IACnC,OAAO,MAAM,CAAC,OAAO,IAAI,cAAc,CAAC;AAC1C,CAAC;AAED,SAAS,YAAY,CACnB,EAA0B,EAC1B,IAAY,EACZ,OAAe;IAEf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC;AAC1D,CAAC;AAED,SAAS,aAAa,CAAC,EAAmB,EAAE,MAAe;IACzD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,kBAAkB,CACzB,MAAc,EACd,SAAkB,EAClB,QAAkC,EAClC,KAAW;IAKX,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,MAAM,OAAO,GAAsB;QACjC,MAAM;QACN,SAAS;QACT,QAAQ;QACR,KAAK;QACL,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ;YACnC,MAAM,QAAQ,GAAa;gBACzB,IAAI;gBACJ,KAAK,EAAE,QAAQ;oBACb,CAAC,CAAC;wBACE;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE;gCACJ,IAAI;gCACJ,QAAQ;gCACR,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;6BAC/C;yBACF;qBACF;oBACH,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;aACtC,CAAC;YACF,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;IACF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,qBAAqB,CAClC,QAA6C,EAC7C,KAAsB,EACtB,EAAoB;IAEpB,MAAM,EAAE,qBAAqB,EAAE,GAC7B,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,SAAS,CAAC;IAC1E,6EAA6E;IAC7E,2EAA2E;IAC3E,yEAAyE;IACzE,qCAAqC;IACrC,MAAM,SAAS,GACZ,KAAK,EAAE,OAAO,EAAE,cAAqC,IAAI,SAAS,CAAC;IAEtE,MAAM,aAAa,GAAG,MAAM,uBAAuB,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IAE9E,OAAO,qBAAqB,CAC1B,EAAE,SAAS,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,EAClD,EAAE,CACW,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,aAAiC,EACjC,iBAAqC;IAErC,IAAI,iBAAiB,EAAE,CAAC;QACtB,IAAI,CAAC;YACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACjE,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,iBAAiB,CAAC,CAAC;YACxD,IAAI,GAAG;gBAAE,OAAO,GAAG,CAAC,KAAK,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,OAAO,CAAC,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC,IAAI,SAAS,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,oBAAoB,CACjC,MAAc,EACd,OAAgB,EAChB,MAAiB,EACjB,SAA6B,EAC7B,QAA6C,EAC7C,KAAW;IAEX,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAC/C,MAAM,EACN,SAAS,EACT,QAAQ,EACR,KAAK,CACN,CAAC;IACF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAEpD,IACE,MAAM;YACN,OAAO,MAAM,KAAK,QAAQ;YAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;YACD,IAAI,WAAgC,CAAC;YACrC,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;gBAC1D,WAAW,GAAG,GAAG,CAAC;YACpB,CAAC;YACD,MAAM,UAAU,CAAC,MAAM,EAAE;gBACvB,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,WAAW;gBACpB,SAAS,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;aACxD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;QAClE,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;QACxE,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,aAAa,CAAC,OAAO;YAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;SAC9D,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,gBAAgB,EAAE,CAAC;aAClE;SACF,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,MAA+B,EAC/B,MAAiB,EACjB,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAkB,CAAC;IAC1C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,OAAO;YACL,GAAG,YAAY,CACb,CAAC,EACD,CAAC,KAAK,EACN,sDAAsD,CACvD;YACD,GAAG,EAAE,CAAC;SACP,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAA+B,CAAC;IACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA+C,CAAC;IAExE,sEAAsE;IACtE,yEAAyE;IACzE,uEAAuE;IACvE,0EAA0E;IAC1E,6BAA6B;IAC7B,MAAM,iBAAiB,GACpB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IAErE,sEAAsE;IACtE,0EAA0E;IAC1E,8EAA8E;IAC9E,yEAAyE;IACzE,kEAAkE;IAClE,sEAAsE;IACtE,wEAAwE;IACxE,yEAAyE;IACzE,8CAA8C;IAC9C,MAAM,SAAS,GACb,MAAM,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,EAAE,eAAe,KAAK,IAAI,CAAC,CAAC;IAE9E,IAAI,SAAS,EAAE,CAAC;QACd,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,0DAA0D;QAC1D,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QACxE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;YACzE,OAAO;gBACL,GAAG,YAAY,CACb,CAAC,EACD,CAAC,KAAK,EACN,+EAA+E,CAChF;gBACD,GAAG,EAAE,CAAC;aACP,CAAC;QACJ,CAAC;QACD,uEAAuE;QACvE,wEAAwE;QACxE,0EAA0E;QAC1E,sEAAsE;QACtE,0EAA0E;QAC1E,0EAA0E;QAC1E,oEAAoE;QACpE,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,SAAS,CAAC;QAC1E,2EAA2E;QAC3E,iEAAiE;QACjE,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,cAAqC,IAAI,SAAS,CAAC;QAEtE,MAAM,YAAY,GAA4B;YAC5C,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;YACnB,eAAe,EAAE;gBACf,aAAa;gBACb,aAAa;gBACb,SAAS,EAAE,SAAS,IAAI,IAAI;gBAC5B,cAAc,EAAE,QAAQ,IAAI,IAAI;aACjC;SACF,CAAC;QACF,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,YAAY,EACZ,iBAAiB,CAClB,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhE,uBAAuB,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpD,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,GAAG,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC1D,CAAC;IAED,OAAO,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,SAAS,EACT,iBAAiB,CAClB,CAAC;QACF,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAEpE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAExD,IACE,MAAM;gBACN,OAAO,MAAM,KAAK,QAAQ;gBAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;gBACD,IAAI,WAAgC,CAAC;gBACrC,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;oBAC1D,WAAW,GAAG,GAAG,CAAC;gBACpB,CAAC;gBACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;oBACxC,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,WAAW;oBACpB,SAAS,EAAE,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;iBAChE,CAAC,CAAC;gBACH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;YAClD,CAAC;YAED,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;YAClE,MAAM,YAAY,GAAG;gBACnB,GAAG,GAAG,CAAC,SAAS;gBAChB,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC;aACnC,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACxC,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,aAAa,CAAC,OAAO;gBAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAC9D,CAAC,CAAC;YACH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACxB,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,EAAE,CAAC;iBACjE;aACF,CAAC,CAAC;YACH,OAAO;gBACL,GAAG,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,CAAC;gBAC3D,GAAG,EAAE,CAAC;aACP,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,MAA+B,EAC/B,MAAiB,EACjB,GAAwD,EACxD,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAkB,CAAC;IAC1C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC,MAAM,CACzE,CAAC;QACF,GAAG,CAAC,GAAG,EAAE,CAAC;QACV,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAA+B,CAAC;IACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA+C,CAAC;IACxE,MAAM,iBAAiB,GACpB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IAErE,MAAM,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,SAAS,EACT,iBAAiB,CAClB,CAAC;QAEF,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhD,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAC/C,IAAI,CAAC,EAAE,EACP,SAAS,EACT,QAAQ,EACR,KAAK,CACN,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAEpD,IACE,MAAM;gBACN,OAAO,MAAM,KAAK,QAAQ;gBAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;gBACD,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;oBAC1D,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;wBAC7C,KAAK,EAAE,SAAS;wBAChB,OAAO,EAAE,GAAG;qBACb,CAAC,CAAC;oBACH,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,MAAM,CAC9D,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;gBAClE,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;gBACxE,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;oBACxC,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,aAAa,CAAC,OAAO;oBAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;iBAC9D,CAAC,CAAC;gBACH,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;gBACpE,GAAG,CAAC,GAAG,EAAE,CAAC;gBACV,OAAO;YACT,CAAC;YAED,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACtC,KAAK,EAAE,WAAW;gBAClB,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAC9D,CAAC,CAAC;YACH,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC;QACpE,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC/C,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,CAAC,CAAC,MAAM,CACxF,CAAC;QACJ,CAAC;QAED,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,aAAa;IACb,WAAW;IACX,WAAW;IACX,aAAa;IACb,cAAc;IACd,QAAQ;IACR,eAAe;IACf,eAAe;IACf,QAAQ;CACT,CAAC,CAAC;AAEH,SAAS,uBAAuB,CAAC,IAAS;IACxC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnD,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAErE,MAAM,IAAI,GAAG,IAAI,CAAC,QAAmC,CAAC;IACtD,MAAM,UAAU,GAA4B,EAAE,CAAC;IAC/C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,IAAI,CAAC,KAAK,iBAAiB;YAAE,SAAS;QACtC,IAAI,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,SAAS;QAC7C,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,mBAAmB,CAC1B,cAA6B,EAC7B,KAAU,EACV,MAAiB;IAEjB,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IACrE,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;IACxE,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IAE3D,IAAI,YAAY,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;QAChD,mEAAmE;QACnE,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,aAAa,CAAC,WAAW,EAAE,KAAK,cAAc,CAAC,WAAW,EAAE,EAAE,CAAC;YACjE,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IACD,yEAAyE;IACzE,qDAAqD;IACrD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,SAAS,CACtB,MAA+B,EAC/B,KAAU,EACV,MAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,CAAC,EAAY,CAAC;IAC/B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC/B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,4BAA4B,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QAC1D,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,GAAG,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IACH,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,MAAc,EACd,KAAU;IAEV,MAAM,KAAK,GAAG,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACpD,IAAI,CAAC,KAAK;QAAE,OAAO;IACnB,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,eAAe;QAAE,OAAO;IAE7C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IACE,CAAC,KAAK,CAAC,WAAW,KAAK,WAAW,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC;QACtE,KAAK,CAAC,SAAS,IAAI,GAAG,GAAG,kCAAkC,EAC3D,CAAC;QACD,IAAI,MAAM,0BAA0B,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7C,MAAM,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO;IACT,CAAC;IAED,IACE,KAAK,CAAC,WAAW,KAAK,YAAY;QAClC,KAAK,CAAC,SAAS,IAAI,GAAG,GAAG,6BAA6B,EACtD,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,yBAAyB,CAC3C,MAAM,EACN,GAAG,GAAG,6BAA6B,CACpC,CAAC;QACF,IAAI,KAAK;YAAE,MAAM,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC1D,CAAC;AACH,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,MAA+B,EAC/B,KAAU,EACV,MAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,CAAC,EAAY,CAAC;IAC/B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;IACzD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAS,EACT,KAAU,EACV,MAAiB;IAEjB,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACpD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,YAAY,CAAC,IAAI,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,KAAK,EAAE,0BAA0B,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,MAAM,GAAI,IAAI,CAAC,MAAkC,IAAI,EAAE,CAAC;IAC9D,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;IAEnB,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;QACpB,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACvD,MAAM,EAAE,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,MAAM,CAAC;YACpC,OAAO,EAAE,GAAG,QAAQ,EAAE,EAAE,EAAqB,CAAC;QAChD,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBACtB,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,yBAAyB,CAAC,CAAC;YAC7D,CAAC;YACD,8CAA8C;YAC9C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC;YAC5B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,yBAAyB,CAAC,CAAC;YAC7D,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,cAAc,EAAE,mBAAmB,CAAC,CAAC;YAC9D,iBAAiB,CAAC,KAAK,EAAE,eAAe,EAAE,UAAU,CAAC,CAAC;YACtD,iBAAiB,CAAC,KAAK,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;YACrD,MAAM,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAC/C,OAAO,SAAgB,CAAC,CAAC,gCAAgC;QAC3D,CAAC;QACD,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACtD,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EAAqB,CAAC;QAC9C,CAAC;QACD,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACzD,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EAAqB,CAAC;QAC9C,CAAC;QACD;YACE,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,qBAAqB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACxE,CAAC;AACH,CAAC","sourcesContent":["import { setResponseHeader, setResponseStatus } from \"h3\";\nimport type {\n A2AConfig,\n A2AHandler,\n A2AHandlerContext,\n A2AHandlerResult,\n JsonRpcRequest,\n JsonRpcResponse,\n Message,\n Artifact,\n} from \"./types.js\";\nimport {\n createTask,\n getTask,\n getTaskOwner,\n updateTask,\n claimA2ATaskForProcessing,\n getA2ATaskDispatchState,\n resetStuckA2ATaskForRetry,\n touchQueuedA2ATaskDispatch,\n} from \"./task-store.js\";\nimport { agentChat } from \"../shared/agent-chat.js\";\nimport { signInternalToken } from \"../integrations/internal-token.js\";\nimport { withConfiguredAppBasePath } from \"../server/app-base-path.js\";\n\n// Inlined to avoid pulling the entire core-routes-plugin (and its h3\n// transitive deps) into the a2a/handlers test boundary. Must stay in sync\n// with FRAMEWORK_ROUTE_PREFIX in `server/core-routes-plugin.ts`.\nconst A2A_PROCESS_TASK_PATH = \"/_agent-native/a2a/_process-task\";\nconst A2A_QUEUED_DISPATCH_STUCK_AFTER_MS = 10_000;\nconst A2A_PROCESSING_STUCK_AFTER_MS = 5 * 60 * 1000;\n\n/**\n * Resolve the base URL we should fire the A2A processor request to. Mirrors\n * the integration-webhook resolveBaseUrl pattern — prefer explicit env vars\n * (most reliable on serverless), fall back to inbound request headers.\n */\nfunction resolveSelfBaseUrl(event: any | undefined): string {\n const fromEnv =\n process.env.APP_URL ||\n process.env.URL ||\n process.env.DEPLOY_URL ||\n process.env.BETTER_AUTH_URL;\n if (fromEnv) return withConfiguredAppBasePath(String(fromEnv));\n\n try {\n const headers = event?.node?.req?.headers ?? event?.headers;\n const get = (name: string): string | undefined => {\n if (!headers) return undefined;\n if (typeof headers.get === \"function\") {\n return headers.get(name) ?? undefined;\n }\n const map = headers as Record<string, string | undefined>;\n return map[name] ?? map[String(name).toLowerCase()];\n };\n const proto = get(\"x-forwarded-proto\") || \"http\";\n const host = get(\"host\") || `localhost:${process.env.PORT || 3000}`;\n return withConfiguredAppBasePath(`${proto}://${host}`);\n } catch {\n return withConfiguredAppBasePath(\n `http://localhost:${process.env.PORT || 3000}`,\n );\n }\n}\n\n/**\n * Fire-and-forget POST to the A2A processor route on the same deployment.\n * Used when an A2A send is requested in async mode — the processor runs the\n * handler in a fresh function execution so it gets its own full timeout.\n */\nasync function fireProcessTaskDispatch(\n event: any,\n taskId: string,\n): Promise<void> {\n const baseUrl = resolveSelfBaseUrl(event);\n const url = `${baseUrl}${A2A_PROCESS_TASK_PATH}`;\n const headers: Record<string, string> = {\n \"Content-Type\": \"application/json\",\n };\n try {\n headers[\"Authorization\"] = `Bearer ${signInternalToken(taskId)}`;\n } catch {\n // No A2A_SECRET configured — self-fire unsigned. The processor accepts\n // unsigned dispatches when no secret is set (mirrors the integration\n // webhook flow).\n }\n // Race the fetch against a short timer. On Netlify Lambda, returning\n // immediately can freeze the function before the outbound TCP handshake\n // starts, leaving the request stuck. This gives it ~250ms to leave the\n // box at the cost of slightly higher response latency on async A2A sends.\n const dispatchPromise = fetch(url, {\n method: \"POST\",\n headers,\n body: JSON.stringify({ taskId }),\n }).catch((err) => {\n console.error(\"[a2a] Process-task dispatch fetch failed:\", err);\n });\n await Promise.race([\n dispatchPromise,\n new Promise<void>((resolve) => setTimeout(resolve, 250)),\n ]);\n}\n\n/**\n * Process a previously-enqueued A2A task. Called by the `_process-task`\n * route in `server.ts`, in a fresh function execution. Atomically claims the\n * task, reconstructs the caller's request context from the task's metadata,\n * runs the handler, and persists the outcome.\n *\n * Idempotent on duplicate dispatches: the atomic claim returns null if some\n * other invocation already picked the task up, in which case we no-op.\n */\nexport async function processA2ATaskFromQueue(\n taskId: string,\n config: A2AConfig,\n event?: any,\n): Promise<void> {\n const claimed = await claimA2ATaskForProcessing(taskId);\n if (!claimed) {\n // Already in flight, terminal, or missing. Nothing to do.\n return;\n }\n\n const message = claimed.history?.[0];\n if (!message) {\n await updateTask(taskId, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: \"Task is missing its inbound message\" }],\n },\n });\n return;\n }\n\n const meta = (claimed.metadata ?? {}) as Record<string, unknown>;\n const processorMeta = (meta.__a2a_processor ?? {}) as Record<string, unknown>;\n const verifiedEmail = processorMeta.verifiedEmail as string | undefined;\n const orgDomainHint = processorMeta.orgDomainHint as string | undefined;\n const contextId =\n (processorMeta.contextId as string | null | undefined) ?? undefined;\n const callerMetadata =\n (processorMeta.callerMetadata as\n | Record<string, unknown>\n | null\n | undefined) ?? undefined;\n\n const resolvedOrgId = await resolveVerifiedA2AOrgId(\n verifiedEmail,\n orgDomainHint,\n );\n\n const { runWithRequestContext } =\n await import(\"../server/request-context.js\");\n try {\n await runWithRequestContext(\n { userEmail: verifiedEmail, orgId: resolvedOrgId },\n () =>\n runHandlerAndPersist(\n taskId,\n message,\n config,\n contextId,\n callerMetadata,\n event,\n ),\n );\n } catch (err: any) {\n try {\n await updateTask(taskId, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: err?.message ?? \"Handler crashed\" }],\n },\n });\n } catch {}\n }\n}\n\n/**\n * Default A2A handler that delegates to agentChat.call().\n * Used when no custom handler is provided in A2AConfig.\n */\nconst defaultHandler: A2AHandler = async (\n message: Message,\n context: A2AHandlerContext,\n): Promise<A2AHandlerResult> => {\n // Extract text from message parts\n const text = message.parts\n .filter((p): p is { type: \"text\"; text: string } => p.type === \"text\")\n .map((p) => p.text)\n .join(\"\\n\");\n\n if (!text) {\n return {\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: \"No text content in message\" }],\n },\n };\n }\n\n // A2A note: this message arrived from a different app — the caller cannot\n // see this app's local state (open deck, selected slide, etc.). They only\n // see whatever this agent puts into the reply text. So:\n // 1) include any concrete result (deck/document/dashboard URL, ID, value)\n // explicitly in the reply — the caller can't navigate locally.\n // 2) URLs must be fully-qualified — relative paths resolve against the\n // caller's host and 404.\n // We prepend a one-line hint to the user message so the agent knows.\n const baseUrl = process.env.APP_URL || process.env.URL || \"\";\n const appBaseUrl = baseUrl ? withConfiguredAppBasePath(baseUrl) : \"\";\n const augmentedText = baseUrl\n ? `[Cross-app A2A request — the caller is on a different host (${appBaseUrl} is yours, theirs is different). Include the concrete result (URL, ID, value) explicitly in your reply text; the caller can't see your local UI state. Any URL MUST be fully-qualified, never a relative path.]\\n\\n${text}`\n : text;\n\n const result = await agentChat.call(augmentedText);\n\n const artifacts: Artifact[] = [];\n if (result.filesChanged.length > 0) {\n artifacts.push({\n name: \"files-changed\",\n description: \"Files modified by the agent\",\n parts: [{ type: \"data\", data: { files: result.filesChanged } }],\n });\n }\n\n return {\n message: {\n role: \"agent\",\n parts: [\n { type: \"text\", text: result.response },\n ...(result.warnings?.length\n ? [\n {\n type: \"text\" as const,\n text: `\\n\\nWarnings:\\n${result.warnings.join(\"\\n\")}`,\n },\n ]\n : []),\n ],\n },\n artifacts: artifacts.length > 0 ? artifacts : undefined,\n };\n};\n\nfunction getHandler(config: A2AConfig): A2AHandler {\n return config.handler ?? defaultHandler;\n}\n\nfunction jsonRpcError(\n id: string | number | null,\n code: number,\n message: string,\n): JsonRpcResponse {\n return { jsonrpc: \"2.0\", id, error: { code, message } };\n}\n\nfunction jsonRpcResult(id: string | number, result: unknown): JsonRpcResponse {\n return { jsonrpc: \"2.0\", id, result };\n}\n\nfunction makeHandlerContext(\n taskId: string,\n contextId?: string,\n metadata?: Record<string, unknown>,\n event?: any,\n): {\n context: A2AHandlerContext;\n artifacts: Artifact[];\n} {\n const artifacts: Artifact[] = [];\n const context: A2AHandlerContext = {\n taskId,\n contextId,\n metadata,\n event,\n writeArtifact(name, content, mimeType) {\n const artifact: Artifact = {\n name,\n parts: mimeType\n ? [\n {\n type: \"file\",\n file: {\n name,\n mimeType,\n bytes: Buffer.from(content).toString(\"base64\"),\n },\n },\n ]\n : [{ type: \"text\", text: content }],\n };\n artifacts.push(artifact);\n return name;\n },\n };\n return { context, artifacts };\n}\n\n/**\n * Resolve org context from A2A metadata / event context and wrap `fn`\n * inside `runWithRequestContext` so downstream actions see the org.\n */\nasync function withA2ARequestContext<T>(\n metadata: Record<string, unknown> | undefined,\n event: any | undefined,\n fn: () => Promise<T>,\n): Promise<T> {\n const { runWithRequestContext } =\n await import(\"../server/request-context.js\");\n\n const verifiedEmail =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? undefined;\n // Only trust the org domain from the cryptographically verified JWT claim on\n // the event context. metadata.orgDomain is caller-supplied and must not be\n // used for org resolution — an unauthenticated caller could forge it and\n // gain access to another org's data.\n const orgDomain =\n (event?.context?.__a2aOrgDomain as string | undefined) ?? undefined;\n\n const resolvedOrgId = await resolveVerifiedA2AOrgId(verifiedEmail, orgDomain);\n\n return runWithRequestContext(\n { userEmail: verifiedEmail, orgId: resolvedOrgId },\n fn,\n ) as Promise<T>;\n}\n\nasync function resolveVerifiedA2AOrgId(\n verifiedEmail: string | undefined,\n verifiedOrgDomain: string | undefined,\n): Promise<string | undefined> {\n if (verifiedOrgDomain) {\n try {\n const { resolveOrgByDomain } = await import(\"../org/context.js\");\n const org = await resolveOrgByDomain(verifiedOrgDomain);\n if (org) return org.orgId;\n } catch {\n // Org tables may not exist — continue without org context\n }\n }\n\n if (verifiedEmail) {\n try {\n const { resolveOrgIdForEmail } = await import(\"../org/context.js\");\n return (await resolveOrgIdForEmail(verifiedEmail)) ?? undefined;\n } catch {\n // Org tables may not exist — continue without org context\n }\n }\n\n return undefined;\n}\n\n/**\n * Run the handler against the message and persist the outcome to the task store.\n * Used in sync mode (awaited inline) and in async mode (called by the\n * `_process-task` processor route in a fresh function execution).\n */\nasync function runHandlerAndPersist(\n taskId: string,\n message: Message,\n config: A2AConfig,\n contextId: string | undefined,\n metadata: Record<string, unknown> | undefined,\n event?: any,\n): Promise<void> {\n const { context, artifacts } = makeHandlerContext(\n taskId,\n contextId,\n metadata,\n event,\n );\n try {\n const result = getHandler(config)(message, context);\n\n if (\n result &&\n typeof result === \"object\" &&\n Symbol.asyncIterator in result\n ) {\n let lastMessage: Message | undefined;\n for await (const msg of result as AsyncGenerator<Message>) {\n lastMessage = msg;\n }\n await updateTask(taskId, {\n state: \"completed\",\n message: lastMessage,\n artifacts: artifacts.length > 0 ? artifacts : undefined,\n });\n return;\n }\n\n const handlerResult = await (result as Promise<A2AHandlerResult>);\n const allArtifacts = [...artifacts, ...(handlerResult.artifacts ?? [])];\n await updateTask(taskId, {\n state: \"completed\",\n message: handlerResult.message,\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n } catch (err: any) {\n await updateTask(taskId, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: err?.message ?? \"Handler failed\" }],\n },\n });\n }\n}\n\nasync function handleSend(\n params: Record<string, unknown>,\n config: A2AConfig,\n event?: any,\n): Promise<JsonRpcResponse & { _id: string | number }> {\n const message = params.message as Message;\n if (!message || !message.role || !Array.isArray(message.parts)) {\n return {\n ...jsonRpcError(\n 0,\n -32602,\n \"Invalid params: message with role and parts required\",\n ),\n _id: 0,\n };\n }\n\n const contextId = params.contextId as string | undefined;\n const metadata = params.metadata as Record<string, unknown> | undefined;\n\n // The JWT-verified caller email (set by mountA2A in server.ts) is the\n // single source of truth for task ownership — bound at creation, checked\n // on every subsequent tasks/get and tasks/cancel call. Caller-supplied\n // metadata.userEmail is NEVER used for ownership; that would re-introduce\n // the IDOR class fixed here.\n const ownerEmailForTask =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n\n // Async mode: return the task immediately in `working` state, run the\n // handler in the background, and let the caller poll `tasks/get`. This is\n // the workaround for synchronous serverless request timeouts when the handler\n // runs LLM + tool loops that can exceed a single HTTP invocation budget.\n // SECURITY: only honor the explicit top-level `params.async`. The\n // metadata.async fallback was caller-controlled and could force async\n // dispatch (which has weaker auth than the sync path) on otherwise sync\n // requests. Async is also refused entirely when no auth is configured in\n // production — see the additional gate below.\n const asyncMode =\n params.async === true || (event && event.context?.__a2aForceAsync === true);\n\n if (asyncMode) {\n // Refuse async mode entirely when no auth is configured in production.\n // The async dispatch path self-fires the `_process-task` route, which\n // accepts unsigned dispatches when A2A_SECRET is unset — that combined\n // with the lack of caller identity here would let any unauthenticated\n // attacker queue and trigger handler runs. In production, require some\n // form of auth so the verifiedEmail is bound to the task.\n const hasA2ASecret = !!process.env.A2A_SECRET;\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n if (process.env.NODE_ENV === \"production\" && !hasA2ASecret && !hasApiKey) {\n return {\n ...jsonRpcError(\n 0,\n -32001,\n \"A2A async mode is not available — A2A_SECRET or apiKeyEnv must be configured.\",\n ),\n _id: 0,\n };\n }\n // Resolve identity up front (cheap), bake it into the task's metadata,\n // and dispatch the actual handler run to a SEPARATE function execution.\n // On serverless hosts (Netlify, Vercel, Cloudflare) detached promises get\n // killed when the response is flushed, so we self-fire a webhook to a\n // dedicated processor route — same cross-platform pattern the integration\n // webhook queue uses. The processor reconstructs the request context from\n // the task metadata and runs the handler with its own full timeout.\n const verifiedEmail =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? undefined;\n // Only trust the verified org domain from the JWT claim — do not fall back\n // to metadata.orgDomain which is caller-supplied and unverified.\n const orgDomainHint =\n (event?.context?.__a2aOrgDomain as string | undefined) ?? undefined;\n\n const taskMetadata: Record<string, unknown> = {\n ...(metadata ?? {}),\n __a2a_processor: {\n verifiedEmail,\n orgDomainHint,\n contextId: contextId ?? null,\n callerMetadata: metadata ?? null,\n },\n };\n const task = await createTask(\n message,\n contextId,\n taskMetadata,\n ownerEmailForTask,\n );\n const working = await updateTask(task.id, { state: \"working\" });\n\n fireProcessTaskDispatch(event, task.id).catch((err) => {\n console.error(\"[a2a] Failed to dispatch process-task:\", err);\n });\n\n return { ...jsonRpcResult(0, working ?? task), _id: 0 };\n }\n\n return withA2ARequestContext(metadata, event, async () => {\n const task = await createTask(\n message,\n contextId,\n undefined,\n ownerEmailForTask,\n );\n await updateTask(task.id, { state: \"working\" });\n\n const ctx = makeHandlerContext(task.id, contextId, metadata, event);\n\n try {\n const result = getHandler(config)(message, ctx.context);\n\n if (\n result &&\n typeof result === \"object\" &&\n Symbol.asyncIterator in result\n ) {\n let lastMessage: Message | undefined;\n for await (const msg of result as AsyncGenerator<Message>) {\n lastMessage = msg;\n }\n const updated = await updateTask(task.id, {\n state: \"completed\",\n message: lastMessage,\n artifacts: ctx.artifacts.length > 0 ? ctx.artifacts : undefined,\n });\n return { ...jsonRpcResult(0, updated), _id: 0 };\n }\n\n const handlerResult = await (result as Promise<A2AHandlerResult>);\n const allArtifacts = [\n ...ctx.artifacts,\n ...(handlerResult.artifacts ?? []),\n ];\n const updated = await updateTask(task.id, {\n state: \"completed\",\n message: handlerResult.message,\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n return { ...jsonRpcResult(0, updated), _id: 0 };\n } catch (err: any) {\n await updateTask(task.id, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: err.message ?? \"Handler failed\" }],\n },\n });\n return {\n ...jsonRpcError(0, -32000, err.message ?? \"Handler failed\"),\n _id: 0,\n };\n }\n });\n}\n\nasync function handleStream(\n params: Record<string, unknown>,\n config: A2AConfig,\n res: { write: (chunk: string) => void; end: () => void },\n event?: any,\n): Promise<void> {\n const message = params.message as Message;\n if (!message || !message.role || !Array.isArray(message.parts)) {\n res.write(\n `data: ${JSON.stringify(jsonRpcError(0, -32602, \"Invalid params\"))}\\n\\n`,\n );\n res.end();\n return;\n }\n\n const contextId = params.contextId as string | undefined;\n const metadata = params.metadata as Record<string, unknown> | undefined;\n const ownerEmailForTask =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n\n await withA2ARequestContext(metadata, event, async () => {\n const task = await createTask(\n message,\n contextId,\n undefined,\n ownerEmailForTask,\n );\n\n await updateTask(task.id, { state: \"working\" });\n\n const { context, artifacts } = makeHandlerContext(\n task.id,\n contextId,\n metadata,\n event,\n );\n\n try {\n const result = getHandler(config)(message, context);\n\n if (\n result &&\n typeof result === \"object\" &&\n Symbol.asyncIterator in result\n ) {\n for await (const msg of result as AsyncGenerator<Message>) {\n const intermediate = await updateTask(task.id, {\n state: \"working\",\n message: msg,\n });\n res.write(\n `data: ${JSON.stringify(jsonRpcResult(0, intermediate))}\\n\\n`,\n );\n }\n } else {\n const handlerResult = await (result as Promise<A2AHandlerResult>);\n const allArtifacts = [...artifacts, ...(handlerResult.artifacts ?? [])];\n const updated = await updateTask(task.id, {\n state: \"completed\",\n message: handlerResult.message,\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n res.write(`data: ${JSON.stringify(jsonRpcResult(0, updated))}\\n\\n`);\n res.end();\n return;\n }\n\n const allArtifacts = [...artifacts];\n const final = await updateTask(task.id, {\n state: \"completed\",\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n res.write(`data: ${JSON.stringify(jsonRpcResult(0, final))}\\n\\n`);\n } catch (err: any) {\n await updateTask(task.id, { state: \"failed\" });\n res.write(\n `data: ${JSON.stringify(jsonRpcError(0, -32000, err.message ?? \"Handler failed\"))}\\n\\n`,\n );\n }\n\n res.end();\n });\n}\n\n/**\n * Caller-supplied metadata keys that may contain sensitive bearer / OAuth\n * material. Always stripped from `tasks/get` responses so a leaked task id\n * never discloses an OAuth token even when the original sender carelessly\n * stuffed one into `metadata` (see `production-agent.ts:1144-1156` for the\n * historical googleToken propagation pattern).\n */\nconst SENSITIVE_METADATA_KEYS = new Set([\n \"googleToken\",\n \"userEmail\",\n \"orgDomain\",\n \"accessToken\",\n \"refreshToken\",\n \"apiKey\",\n \"Authorization\",\n \"authorization\",\n \"bearer\",\n]);\n\nfunction sanitizeTaskForResponse(task: any): any {\n if (!task || typeof task !== \"object\") return task;\n if (!task.metadata || typeof task.metadata !== \"object\") return task;\n\n const meta = task.metadata as Record<string, unknown>;\n const publicMeta: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(meta)) {\n if (k === \"__a2a_processor\") continue;\n if (SENSITIVE_METADATA_KEYS.has(k)) continue;\n publicMeta[k] = v;\n }\n return { ...task, metadata: publicMeta };\n}\n\n/**\n * Reject access when the task has a recorded owner that doesn't match the\n * verified caller. Returns a 404-shaped JSON-RPC error to avoid disclosing\n * task existence to the wrong caller (enumeration via UUID lookup).\n *\n * - When the task has no recorded owner (legacy row from before the\n * owner_email migration) we allow access if some verifiable bearer token\n * was presented; otherwise we still reject so an unsigned caller can never\n * read or cancel arbitrary task ids.\n * - When neither A2A_SECRET nor apiKeyEnv is configured AND we're in\n * production, we refuse `tasks/get` and `tasks/cancel` outright — there's\n * no way to authenticate the caller, so the only safe response is \"not\n * found\".\n */\nfunction authorizeTaskAccess(\n taskOwnerEmail: string | null,\n event: any,\n config: A2AConfig,\n): JsonRpcResponse | null {\n const verifiedEmail =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n const hasA2ASecret = !!process.env.A2A_SECRET;\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n const inProduction = process.env.NODE_ENV === \"production\";\n\n if (inProduction && !hasA2ASecret && !hasApiKey) {\n // No way to authenticate the caller in production — refuse access.\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n\n if (taskOwnerEmail) {\n if (!verifiedEmail) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n if (verifiedEmail.toLowerCase() !== taskOwnerEmail.toLowerCase()) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n }\n // Legacy row (no owner_email recorded). The route-level auth gate is the\n // only thing protecting it — fall through and serve.\n return null;\n}\n\nasync function handleGet(\n params: Record<string, unknown>,\n event: any,\n config: A2AConfig,\n): Promise<JsonRpcResponse> {\n const id = params.id as string;\n if (!id) {\n return jsonRpcError(0, -32602, \"Invalid params: id required\");\n }\n const ownerEmail = await getTaskOwner(id);\n const denied = authorizeTaskAccess(ownerEmail, event, config);\n if (denied) return denied;\n\n const task = await getTask(id);\n if (!task) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n await refireStuckAsyncTaskIfNeeded(id, event).catch((err) => {\n console.error(\"[a2a] Failed to refire stuck async task:\", err);\n });\n return jsonRpcResult(0, sanitizeTaskForResponse(task));\n}\n\nasync function refireStuckAsyncTaskIfNeeded(\n taskId: string,\n event: any,\n): Promise<void> {\n const state = await getA2ATaskDispatchState(taskId);\n if (!state) return;\n if (!state.metadata?.__a2a_processor) return;\n\n const now = Date.now();\n if (\n (state.statusState === \"submitted\" || state.statusState === \"working\") &&\n state.updatedAt <= now - A2A_QUEUED_DISPATCH_STUCK_AFTER_MS\n ) {\n if (await touchQueuedA2ATaskDispatch(taskId)) {\n await fireProcessTaskDispatch(event, taskId);\n }\n return;\n }\n\n if (\n state.statusState === \"processing\" &&\n state.updatedAt <= now - A2A_PROCESSING_STUCK_AFTER_MS\n ) {\n const reset = await resetStuckA2ATaskForRetry(\n taskId,\n now - A2A_PROCESSING_STUCK_AFTER_MS,\n );\n if (reset) await fireProcessTaskDispatch(event, taskId);\n }\n}\n\nasync function handleCancel(\n params: Record<string, unknown>,\n event: any,\n config: A2AConfig,\n): Promise<JsonRpcResponse> {\n const id = params.id as string;\n if (!id) {\n return jsonRpcError(0, -32602, \"Invalid params: id required\");\n }\n const ownerEmail = await getTaskOwner(id);\n const denied = authorizeTaskAccess(ownerEmail, event, config);\n if (denied) return denied;\n\n const task = await updateTask(id, { state: \"canceled\" });\n if (!task) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n return jsonRpcResult(0, sanitizeTaskForResponse(task));\n}\n\n/**\n * H3-compatible JSON-RPC handler. Returns JSON directly (H3 serializes it).\n * Streaming is handled via H3's node response when needed.\n */\nexport async function handleJsonRpcH3(\n body: any,\n event: any,\n config: A2AConfig,\n): Promise<JsonRpcResponse> {\n if (!body || body.jsonrpc !== \"2.0\" || !body.method) {\n setResponseStatus(event, 400);\n return jsonRpcError(body?.id ?? null, -32600, \"Invalid JSON-RPC request\");\n }\n\n const params = (body.params as Record<string, unknown>) ?? {};\n const id = body.id;\n\n switch (body.method) {\n case \"message/send\": {\n const result = await handleSend(params, config, event);\n const { _id, ...response } = result;\n return { ...response, id } as JsonRpcResponse;\n }\n case \"message/stream\": {\n if (!config.streaming) {\n return jsonRpcError(id, -32601, \"Streaming not supported\");\n }\n // Use the raw node response for SSE streaming\n const res = event.node?.res;\n if (!res) {\n return jsonRpcError(id, -32000, \"Streaming not available\");\n }\n setResponseHeader(event, \"Content-Type\", \"text/event-stream\");\n setResponseHeader(event, \"Cache-Control\", \"no-cache\");\n setResponseHeader(event, \"Connection\", \"keep-alive\");\n await handleStream(params, config, res, event);\n return undefined as any; // Response already sent via SSE\n }\n case \"tasks/get\": {\n const result = await handleGet(params, event, config);\n return { ...result, id } as JsonRpcResponse;\n }\n case \"tasks/cancel\": {\n const result = await handleCancel(params, event, config);\n return { ...result, id } as JsonRpcResponse;\n }\n default:\n return jsonRpcError(id, -32601, `Method not found: ${body.method}`);\n }\n}\n"]}
1
+ {"version":3,"file":"handlers.js","sourceRoot":"","sources":["../../src/a2a/handlers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AAW1D,OAAO,EACL,UAAU,EACV,OAAO,EACP,YAAY,EACZ,UAAU,EACV,yBAAyB,EACzB,uBAAuB,EACvB,yBAAyB,EACzB,0BAA0B,GAC3B,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AACvE,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAE1B,qEAAqE;AACrE,0EAA0E;AAC1E,iEAAiE;AACjE,MAAM,qBAAqB,GAAG,kCAAkC,CAAC;AACjE,MAAM,kCAAkC,GAAG,MAAM,CAAC;AAClD,MAAM,6BAA6B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEpD;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,KAAsB;IAChD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,yBAAyB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAE/D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,KAAK,EAAE,OAAO,CAAC;QAC5D,MAAM,GAAG,GAAG,CAAC,IAAY,EAAsB,EAAE;YAC/C,IAAI,CAAC,OAAO;gBAAE,OAAO,SAAS,CAAC;YAC/B,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;gBACtC,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC;YACxC,CAAC;YACD,MAAM,GAAG,GAAG,OAA6C,CAAC;YAC1D,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QACtD,CAAC,CAAC;QACF,MAAM,KAAK,GAAG,GAAG,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC;QACjD,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,aAAa,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;QACpE,OAAO,yBAAyB,CAAC,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,yBAAyB,CAC9B,oBAAoB,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAC/C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,uBAAuB,CACpC,KAAU,EACV,MAAc;IAEd,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,qBAAqB,EAAE,CAAC;IACjD,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IACF,IAAI,CAAC;QACH,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;QACvE,qEAAqE;QACrE,iBAAiB;IACnB,CAAC;IACD,qEAAqE;IACrE,wEAAwE;IACxE,uEAAuE;IACvE,0EAA0E;IAC1E,MAAM,eAAe,GAAG,KAAK,CAAC,GAAG,EAAE;QACjC,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;KACjC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACf,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,IAAI,CAAC;QACjB,eAAe;QACf,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;KACzD,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,MAAc,EACd,MAAiB,EACjB,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACxD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,0DAA0D;QAC1D,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,qCAAqC,EAAE,CAAC;aACvE;SACF,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAA4B,CAAC;IACjE,MAAM,aAAa,GAAG,CAAC,IAAI,CAAC,eAAe,IAAI,EAAE,CAA4B,CAAC;IAC9E,MAAM,aAAa,GAAG,aAAa,CAAC,aAAmC,CAAC;IACxE,MAAM,aAAa,GAAG,aAAa,CAAC,aAAmC,CAAC;IACxE,MAAM,SAAS,GACZ,aAAa,CAAC,SAAuC,IAAI,SAAS,CAAC;IACtE,MAAM,cAAc,GACjB,aAAa,CAAC,cAGD,IAAI,SAAS,CAAC;IAE9B,MAAM,aAAa,GAAG,MAAM,uBAAuB,CACjD,aAAa,EACb,aAAa,CACd,CAAC;IAEF,MAAM,EAAE,qBAAqB,EAAE,GAC7B,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,qBAAqB,CACzB,EAAE,SAAS,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,EAClD,GAAG,EAAE,CACH,oBAAoB,CAClB,MAAM,EACN,OAAO,EACP,MAAM,EACN,SAAS,EACT,cAAc,EACd,KAAK,CACN,CACJ,CAAC;IACJ,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,MAAM,EAAE;gBACvB,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,iBAAiB,EAAE,CAAC;iBACnE;aACF,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,cAAc,GAAe,KAAK,EACtC,OAAgB,EAChB,OAA0B,EACC,EAAE;IAC7B,kCAAkC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK;SACvB,MAAM,CAAC,CAAC,CAAC,EAAuC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;SACrE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;SAClB,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,4BAA4B,EAAE,CAAC;aAC9D;SACF,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,0EAA0E;IAC1E,wDAAwD;IACxD,4EAA4E;IAC5E,oEAAoE;IACpE,yEAAyE;IACzE,8BAA8B;IAC9B,qEAAqE;IACrE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;IAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACrE,MAAM,aAAa,GAAG,OAAO;QAC3B,CAAC,CAAC,+DAA+D,UAAU,sNAAsN,IAAI,EAAE;QACvS,CAAC,CAAC,IAAI,CAAC;IAET,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAEnD,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,SAAS,CAAC,IAAI,CAAC;YACb,IAAI,EAAE,eAAe;YACrB,WAAW,EAAE,6BAA6B;YAC1C,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,YAAY,EAAE,EAAE,CAAC;SAChE,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,OAAO,EAAE;YACP,IAAI,EAAE,OAAO;YACb,KAAK,EAAE;gBACL,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;gBACvC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM;oBACzB,CAAC,CAAC;wBACE;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,kBAAkB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;yBACrD;qBACF;oBACH,CAAC,CAAC,EAAE,CAAC;aACR;SACF;QACD,SAAS,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;KACxD,CAAC;AACJ,CAAC,CAAC;AAEF,SAAS,UAAU,CAAC,MAAiB;IACnC,OAAO,MAAM,CAAC,OAAO,IAAI,cAAc,CAAC;AAC1C,CAAC;AAED,SAAS,YAAY,CACnB,EAA0B,EAC1B,IAAY,EACZ,OAAe;IAEf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC;AAC1D,CAAC;AAED,SAAS,aAAa,CAAC,EAAmB,EAAE,MAAe;IACzD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,kBAAkB,CACzB,MAAc,EACd,SAAkB,EAClB,QAAkC,EAClC,KAAW;IAKX,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,MAAM,OAAO,GAAsB;QACjC,MAAM;QACN,SAAS;QACT,QAAQ;QACR,KAAK;QACL,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ;YACnC,MAAM,QAAQ,GAAa;gBACzB,IAAI;gBACJ,KAAK,EAAE,QAAQ;oBACb,CAAC,CAAC;wBACE;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE;gCACJ,IAAI;gCACJ,QAAQ;gCACR,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;6BAC/C;yBACF;qBACF;oBACH,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;aACtC,CAAC;YACF,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;IACF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,qBAAqB,CAClC,QAA6C,EAC7C,KAAsB,EACtB,EAAoB;IAEpB,MAAM,EAAE,qBAAqB,EAAE,GAC7B,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,SAAS,CAAC;IAC1E,6EAA6E;IAC7E,2EAA2E;IAC3E,yEAAyE;IACzE,qCAAqC;IACrC,MAAM,SAAS,GACZ,KAAK,EAAE,OAAO,EAAE,cAAqC,IAAI,SAAS,CAAC;IAEtE,MAAM,aAAa,GAAG,MAAM,uBAAuB,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IAE9E,OAAO,qBAAqB,CAC1B,EAAE,SAAS,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,EAClD,EAAE,CACW,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,aAAiC,EACjC,iBAAqC;IAErC,IAAI,iBAAiB,EAAE,CAAC;QACtB,IAAI,CAAC;YACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACjE,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,iBAAiB,CAAC,CAAC;YACxD,IAAI,GAAG;gBAAE,OAAO,GAAG,CAAC,KAAK,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,OAAO,CAAC,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC,IAAI,SAAS,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,oBAAoB,CACjC,MAAc,EACd,OAAgB,EAChB,MAAiB,EACjB,SAA6B,EAC7B,QAA6C,EAC7C,KAAW;IAEX,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAC/C,MAAM,EACN,SAAS,EACT,QAAQ,EACR,KAAK,CACN,CAAC;IACF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAEpD,IACE,MAAM;YACN,OAAO,MAAM,KAAK,QAAQ;YAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;YACD,IAAI,WAAgC,CAAC;YACrC,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;gBAC1D,WAAW,GAAG,GAAG,CAAC;YACpB,CAAC;YACD,MAAM,UAAU,CAAC,MAAM,EAAE;gBACvB,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,WAAW;gBACpB,SAAS,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;aACxD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;QAClE,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;QACxE,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,aAAa,CAAC,OAAO;YAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;SAC9D,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,gBAAgB,EAAE,CAAC;aAClE;SACF,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,MAA+B,EAC/B,MAAiB,EACjB,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAkB,CAAC;IAC1C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,OAAO;YACL,GAAG,YAAY,CACb,CAAC,EACD,CAAC,KAAK,EACN,sDAAsD,CACvD;YACD,GAAG,EAAE,CAAC;SACP,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAA+B,CAAC;IACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA+C,CAAC;IAExE,sEAAsE;IACtE,yEAAyE;IACzE,uEAAuE;IACvE,0EAA0E;IAC1E,6BAA6B;IAC7B,MAAM,iBAAiB,GACpB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IAErE,sEAAsE;IACtE,0EAA0E;IAC1E,8EAA8E;IAC9E,yEAAyE;IACzE,kEAAkE;IAClE,sEAAsE;IACtE,wEAAwE;IACxE,yEAAyE;IACzE,8CAA8C;IAC9C,MAAM,SAAS,GACb,MAAM,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,EAAE,eAAe,KAAK,IAAI,CAAC,CAAC;IAE9E,IAAI,SAAS,EAAE,CAAC;QACd,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,0DAA0D;QAC1D,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QACxE,IAAI,sBAAsB,EAAE,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;YAC5D,OAAO;gBACL,GAAG,YAAY,CACb,CAAC,EACD,CAAC,KAAK,EACN,+EAA+E,CAChF;gBACD,GAAG,EAAE,CAAC;aACP,CAAC;QACJ,CAAC;QACD,uEAAuE;QACvE,wEAAwE;QACxE,0EAA0E;QAC1E,sEAAsE;QACtE,0EAA0E;QAC1E,0EAA0E;QAC1E,oEAAoE;QACpE,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,SAAS,CAAC;QAC1E,2EAA2E;QAC3E,iEAAiE;QACjE,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,cAAqC,IAAI,SAAS,CAAC;QAEtE,MAAM,YAAY,GAA4B;YAC5C,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;YACnB,eAAe,EAAE;gBACf,aAAa;gBACb,aAAa;gBACb,SAAS,EAAE,SAAS,IAAI,IAAI;gBAC5B,cAAc,EAAE,QAAQ,IAAI,IAAI;aACjC;SACF,CAAC;QACF,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,YAAY,EACZ,iBAAiB,CAClB,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhE,uBAAuB,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpD,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,GAAG,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC1D,CAAC;IAED,OAAO,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,SAAS,EACT,iBAAiB,CAClB,CAAC;QACF,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAEpE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAExD,IACE,MAAM;gBACN,OAAO,MAAM,KAAK,QAAQ;gBAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;gBACD,IAAI,WAAgC,CAAC;gBACrC,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;oBAC1D,WAAW,GAAG,GAAG,CAAC;gBACpB,CAAC;gBACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;oBACxC,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,WAAW;oBACpB,SAAS,EAAE,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;iBAChE,CAAC,CAAC;gBACH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;YAClD,CAAC;YAED,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;YAClE,MAAM,YAAY,GAAG;gBACnB,GAAG,GAAG,CAAC,SAAS;gBAChB,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC;aACnC,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACxC,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,aAAa,CAAC,OAAO;gBAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAC9D,CAAC,CAAC;YACH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACxB,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,EAAE,CAAC;iBACjE;aACF,CAAC,CAAC;YACH,OAAO;gBACL,GAAG,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,CAAC;gBAC3D,GAAG,EAAE,CAAC;aACP,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,MAA+B,EAC/B,MAAiB,EACjB,GAAwD,EACxD,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAkB,CAAC;IAC1C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC,MAAM,CACzE,CAAC;QACF,GAAG,CAAC,GAAG,EAAE,CAAC;QACV,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAA+B,CAAC;IACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA+C,CAAC;IACxE,MAAM,iBAAiB,GACpB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IAErE,MAAM,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,SAAS,EACT,iBAAiB,CAClB,CAAC;QAEF,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhD,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAC/C,IAAI,CAAC,EAAE,EACP,SAAS,EACT,QAAQ,EACR,KAAK,CACN,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAEpD,IACE,MAAM;gBACN,OAAO,MAAM,KAAK,QAAQ;gBAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;gBACD,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;oBAC1D,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;wBAC7C,KAAK,EAAE,SAAS;wBAChB,OAAO,EAAE,GAAG;qBACb,CAAC,CAAC;oBACH,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,MAAM,CAC9D,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;gBAClE,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;gBACxE,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;oBACxC,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,aAAa,CAAC,OAAO;oBAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;iBAC9D,CAAC,CAAC;gBACH,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;gBACpE,GAAG,CAAC,GAAG,EAAE,CAAC;gBACV,OAAO;YACT,CAAC;YAED,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACtC,KAAK,EAAE,WAAW;gBAClB,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAC9D,CAAC,CAAC;YACH,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC;QACpE,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC/C,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,CAAC,CAAC,MAAM,CACxF,CAAC;QACJ,CAAC;QAED,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,aAAa;IACb,WAAW;IACX,WAAW;IACX,aAAa;IACb,cAAc;IACd,QAAQ;IACR,eAAe;IACf,eAAe;IACf,QAAQ;CACT,CAAC,CAAC;AAEH,SAAS,uBAAuB,CAAC,IAAS;IACxC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnD,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAErE,MAAM,IAAI,GAAG,IAAI,CAAC,QAAmC,CAAC;IACtD,MAAM,UAAU,GAA4B,EAAE,CAAC;IAC/C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,IAAI,CAAC,KAAK,iBAAiB;YAAE,SAAS;QACtC,IAAI,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,SAAS;QAC7C,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,mBAAmB,CAC1B,cAA6B,EAC7B,KAAU,EACV,MAAiB;IAEjB,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IACrE,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;IAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;IACxE,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;IAE9C,IAAI,YAAY,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;QAChD,mEAAmE;QACnE,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,aAAa,CAAC,WAAW,EAAE,KAAK,cAAc,CAAC,WAAW,EAAE,EAAE,CAAC;YACjE,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IACD,yEAAyE;IACzE,qDAAqD;IACrD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,SAAS,CACtB,MAA+B,EAC/B,KAAU,EACV,MAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,CAAC,EAAY,CAAC;IAC/B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC/B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,4BAA4B,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QAC1D,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,GAAG,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IACH,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,MAAc,EACd,KAAU;IAEV,MAAM,KAAK,GAAG,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACpD,IAAI,CAAC,KAAK;QAAE,OAAO;IACnB,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,eAAe;QAAE,OAAO;IAE7C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IACE,CAAC,KAAK,CAAC,WAAW,KAAK,WAAW,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC;QACtE,KAAK,CAAC,SAAS,IAAI,GAAG,GAAG,kCAAkC,EAC3D,CAAC;QACD,IAAI,MAAM,0BAA0B,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7C,MAAM,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO;IACT,CAAC;IAED,IACE,KAAK,CAAC,WAAW,KAAK,YAAY;QAClC,KAAK,CAAC,SAAS,IAAI,GAAG,GAAG,6BAA6B,EACtD,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,yBAAyB,CAC3C,MAAM,EACN,GAAG,GAAG,6BAA6B,CACpC,CAAC;QACF,IAAI,KAAK;YAAE,MAAM,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC1D,CAAC;AACH,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,MAA+B,EAC/B,KAAU,EACV,MAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,CAAC,EAAY,CAAC;IAC/B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;IACzD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAS,EACT,KAAU,EACV,MAAiB;IAEjB,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACpD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,YAAY,CAAC,IAAI,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,KAAK,EAAE,0BAA0B,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,MAAM,GAAI,IAAI,CAAC,MAAkC,IAAI,EAAE,CAAC;IAC9D,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;IAEnB,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;QACpB,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACvD,MAAM,EAAE,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,MAAM,CAAC;YACpC,OAAO,EAAE,GAAG,QAAQ,EAAE,EAAE,EAAqB,CAAC;QAChD,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBACtB,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,yBAAyB,CAAC,CAAC;YAC7D,CAAC;YACD,8CAA8C;YAC9C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC;YAC5B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,yBAAyB,CAAC,CAAC;YAC7D,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,cAAc,EAAE,mBAAmB,CAAC,CAAC;YAC9D,iBAAiB,CAAC,KAAK,EAAE,eAAe,EAAE,UAAU,CAAC,CAAC;YACtD,iBAAiB,CAAC,KAAK,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;YACrD,MAAM,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAC/C,OAAO,SAAgB,CAAC,CAAC,gCAAgC;QAC3D,CAAC;QACD,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACtD,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EAAqB,CAAC;QAC9C,CAAC;QACD,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACzD,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EAAqB,CAAC;QAC9C,CAAC;QACD;YACE,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,qBAAqB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACxE,CAAC;AACH,CAAC","sourcesContent":["import { setResponseHeader, setResponseStatus } from \"h3\";\nimport type {\n A2AConfig,\n A2AHandler,\n A2AHandlerContext,\n A2AHandlerResult,\n JsonRpcRequest,\n JsonRpcResponse,\n Message,\n Artifact,\n} from \"./types.js\";\nimport {\n createTask,\n getTask,\n getTaskOwner,\n updateTask,\n claimA2ATaskForProcessing,\n getA2ATaskDispatchState,\n resetStuckA2ATaskForRetry,\n touchQueuedA2ATaskDispatch,\n} from \"./task-store.js\";\nimport { agentChat } from \"../shared/agent-chat.js\";\nimport { signInternalToken } from \"../integrations/internal-token.js\";\nimport { withConfiguredAppBasePath } from \"../server/app-base-path.js\";\nimport {\n hasConfiguredA2ASecret,\n isA2AProductionRuntime,\n} from \"./auth-policy.js\";\n\n// Inlined to avoid pulling the entire core-routes-plugin (and its h3\n// transitive deps) into the a2a/handlers test boundary. Must stay in sync\n// with FRAMEWORK_ROUTE_PREFIX in `server/core-routes-plugin.ts`.\nconst A2A_PROCESS_TASK_PATH = \"/_agent-native/a2a/_process-task\";\nconst A2A_QUEUED_DISPATCH_STUCK_AFTER_MS = 10_000;\nconst A2A_PROCESSING_STUCK_AFTER_MS = 5 * 60 * 1000;\n\n/**\n * Resolve the base URL we should fire the A2A processor request to. Mirrors\n * the integration-webhook resolveBaseUrl pattern — prefer explicit env vars\n * (most reliable on serverless), fall back to inbound request headers.\n */\nfunction resolveSelfBaseUrl(event: any | undefined): string {\n const fromEnv =\n process.env.APP_URL ||\n process.env.URL ||\n process.env.DEPLOY_URL ||\n process.env.BETTER_AUTH_URL;\n if (fromEnv) return withConfiguredAppBasePath(String(fromEnv));\n\n try {\n const headers = event?.node?.req?.headers ?? event?.headers;\n const get = (name: string): string | undefined => {\n if (!headers) return undefined;\n if (typeof headers.get === \"function\") {\n return headers.get(name) ?? undefined;\n }\n const map = headers as Record<string, string | undefined>;\n return map[name] ?? map[String(name).toLowerCase()];\n };\n const proto = get(\"x-forwarded-proto\") || \"http\";\n const host = get(\"host\") || `localhost:${process.env.PORT || 3000}`;\n return withConfiguredAppBasePath(`${proto}://${host}`);\n } catch {\n return withConfiguredAppBasePath(\n `http://localhost:${process.env.PORT || 3000}`,\n );\n }\n}\n\n/**\n * Fire-and-forget POST to the A2A processor route on the same deployment.\n * Used when an A2A send is requested in async mode — the processor runs the\n * handler in a fresh function execution so it gets its own full timeout.\n */\nasync function fireProcessTaskDispatch(\n event: any,\n taskId: string,\n): Promise<void> {\n const baseUrl = resolveSelfBaseUrl(event);\n const url = `${baseUrl}${A2A_PROCESS_TASK_PATH}`;\n const headers: Record<string, string> = {\n \"Content-Type\": \"application/json\",\n };\n try {\n headers[\"Authorization\"] = `Bearer ${signInternalToken(taskId)}`;\n } catch {\n // No A2A_SECRET configured — self-fire unsigned. The processor accepts\n // unsigned dispatches when no secret is set (mirrors the integration\n // webhook flow).\n }\n // Race the fetch against a short timer. On Netlify Lambda, returning\n // immediately can freeze the function before the outbound TCP handshake\n // starts, leaving the request stuck. This gives it ~250ms to leave the\n // box at the cost of slightly higher response latency on async A2A sends.\n const dispatchPromise = fetch(url, {\n method: \"POST\",\n headers,\n body: JSON.stringify({ taskId }),\n }).catch((err) => {\n console.error(\"[a2a] Process-task dispatch fetch failed:\", err);\n });\n await Promise.race([\n dispatchPromise,\n new Promise<void>((resolve) => setTimeout(resolve, 250)),\n ]);\n}\n\n/**\n * Process a previously-enqueued A2A task. Called by the `_process-task`\n * route in `server.ts`, in a fresh function execution. Atomically claims the\n * task, reconstructs the caller's request context from the task's metadata,\n * runs the handler, and persists the outcome.\n *\n * Idempotent on duplicate dispatches: the atomic claim returns null if some\n * other invocation already picked the task up, in which case we no-op.\n */\nexport async function processA2ATaskFromQueue(\n taskId: string,\n config: A2AConfig,\n event?: any,\n): Promise<void> {\n const claimed = await claimA2ATaskForProcessing(taskId);\n if (!claimed) {\n // Already in flight, terminal, or missing. Nothing to do.\n return;\n }\n\n const message = claimed.history?.[0];\n if (!message) {\n await updateTask(taskId, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: \"Task is missing its inbound message\" }],\n },\n });\n return;\n }\n\n const meta = (claimed.metadata ?? {}) as Record<string, unknown>;\n const processorMeta = (meta.__a2a_processor ?? {}) as Record<string, unknown>;\n const verifiedEmail = processorMeta.verifiedEmail as string | undefined;\n const orgDomainHint = processorMeta.orgDomainHint as string | undefined;\n const contextId =\n (processorMeta.contextId as string | null | undefined) ?? undefined;\n const callerMetadata =\n (processorMeta.callerMetadata as\n | Record<string, unknown>\n | null\n | undefined) ?? undefined;\n\n const resolvedOrgId = await resolveVerifiedA2AOrgId(\n verifiedEmail,\n orgDomainHint,\n );\n\n const { runWithRequestContext } =\n await import(\"../server/request-context.js\");\n try {\n await runWithRequestContext(\n { userEmail: verifiedEmail, orgId: resolvedOrgId },\n () =>\n runHandlerAndPersist(\n taskId,\n message,\n config,\n contextId,\n callerMetadata,\n event,\n ),\n );\n } catch (err: any) {\n try {\n await updateTask(taskId, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: err?.message ?? \"Handler crashed\" }],\n },\n });\n } catch {}\n }\n}\n\n/**\n * Default A2A handler that delegates to agentChat.call().\n * Used when no custom handler is provided in A2AConfig.\n */\nconst defaultHandler: A2AHandler = async (\n message: Message,\n context: A2AHandlerContext,\n): Promise<A2AHandlerResult> => {\n // Extract text from message parts\n const text = message.parts\n .filter((p): p is { type: \"text\"; text: string } => p.type === \"text\")\n .map((p) => p.text)\n .join(\"\\n\");\n\n if (!text) {\n return {\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: \"No text content in message\" }],\n },\n };\n }\n\n // A2A note: this message arrived from a different app — the caller cannot\n // see this app's local state (open deck, selected slide, etc.). They only\n // see whatever this agent puts into the reply text. So:\n // 1) include any concrete result (deck/document/dashboard URL, ID, value)\n // explicitly in the reply — the caller can't navigate locally.\n // 2) URLs must be fully-qualified — relative paths resolve against the\n // caller's host and 404.\n // We prepend a one-line hint to the user message so the agent knows.\n const baseUrl = process.env.APP_URL || process.env.URL || \"\";\n const appBaseUrl = baseUrl ? withConfiguredAppBasePath(baseUrl) : \"\";\n const augmentedText = baseUrl\n ? `[Cross-app A2A request — the caller is on a different host (${appBaseUrl} is yours, theirs is different). Include the concrete result (URL, ID, value) explicitly in your reply text; the caller can't see your local UI state. Any URL MUST be fully-qualified, never a relative path.]\\n\\n${text}`\n : text;\n\n const result = await agentChat.call(augmentedText);\n\n const artifacts: Artifact[] = [];\n if (result.filesChanged.length > 0) {\n artifacts.push({\n name: \"files-changed\",\n description: \"Files modified by the agent\",\n parts: [{ type: \"data\", data: { files: result.filesChanged } }],\n });\n }\n\n return {\n message: {\n role: \"agent\",\n parts: [\n { type: \"text\", text: result.response },\n ...(result.warnings?.length\n ? [\n {\n type: \"text\" as const,\n text: `\\n\\nWarnings:\\n${result.warnings.join(\"\\n\")}`,\n },\n ]\n : []),\n ],\n },\n artifacts: artifacts.length > 0 ? artifacts : undefined,\n };\n};\n\nfunction getHandler(config: A2AConfig): A2AHandler {\n return config.handler ?? defaultHandler;\n}\n\nfunction jsonRpcError(\n id: string | number | null,\n code: number,\n message: string,\n): JsonRpcResponse {\n return { jsonrpc: \"2.0\", id, error: { code, message } };\n}\n\nfunction jsonRpcResult(id: string | number, result: unknown): JsonRpcResponse {\n return { jsonrpc: \"2.0\", id, result };\n}\n\nfunction makeHandlerContext(\n taskId: string,\n contextId?: string,\n metadata?: Record<string, unknown>,\n event?: any,\n): {\n context: A2AHandlerContext;\n artifacts: Artifact[];\n} {\n const artifacts: Artifact[] = [];\n const context: A2AHandlerContext = {\n taskId,\n contextId,\n metadata,\n event,\n writeArtifact(name, content, mimeType) {\n const artifact: Artifact = {\n name,\n parts: mimeType\n ? [\n {\n type: \"file\",\n file: {\n name,\n mimeType,\n bytes: Buffer.from(content).toString(\"base64\"),\n },\n },\n ]\n : [{ type: \"text\", text: content }],\n };\n artifacts.push(artifact);\n return name;\n },\n };\n return { context, artifacts };\n}\n\n/**\n * Resolve org context from A2A metadata / event context and wrap `fn`\n * inside `runWithRequestContext` so downstream actions see the org.\n */\nasync function withA2ARequestContext<T>(\n metadata: Record<string, unknown> | undefined,\n event: any | undefined,\n fn: () => Promise<T>,\n): Promise<T> {\n const { runWithRequestContext } =\n await import(\"../server/request-context.js\");\n\n const verifiedEmail =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? undefined;\n // Only trust the org domain from the cryptographically verified JWT claim on\n // the event context. metadata.orgDomain is caller-supplied and must not be\n // used for org resolution — an unauthenticated caller could forge it and\n // gain access to another org's data.\n const orgDomain =\n (event?.context?.__a2aOrgDomain as string | undefined) ?? undefined;\n\n const resolvedOrgId = await resolveVerifiedA2AOrgId(verifiedEmail, orgDomain);\n\n return runWithRequestContext(\n { userEmail: verifiedEmail, orgId: resolvedOrgId },\n fn,\n ) as Promise<T>;\n}\n\nasync function resolveVerifiedA2AOrgId(\n verifiedEmail: string | undefined,\n verifiedOrgDomain: string | undefined,\n): Promise<string | undefined> {\n if (verifiedOrgDomain) {\n try {\n const { resolveOrgByDomain } = await import(\"../org/context.js\");\n const org = await resolveOrgByDomain(verifiedOrgDomain);\n if (org) return org.orgId;\n } catch {\n // Org tables may not exist — continue without org context\n }\n }\n\n if (verifiedEmail) {\n try {\n const { resolveOrgIdForEmail } = await import(\"../org/context.js\");\n return (await resolveOrgIdForEmail(verifiedEmail)) ?? undefined;\n } catch {\n // Org tables may not exist — continue without org context\n }\n }\n\n return undefined;\n}\n\n/**\n * Run the handler against the message and persist the outcome to the task store.\n * Used in sync mode (awaited inline) and in async mode (called by the\n * `_process-task` processor route in a fresh function execution).\n */\nasync function runHandlerAndPersist(\n taskId: string,\n message: Message,\n config: A2AConfig,\n contextId: string | undefined,\n metadata: Record<string, unknown> | undefined,\n event?: any,\n): Promise<void> {\n const { context, artifacts } = makeHandlerContext(\n taskId,\n contextId,\n metadata,\n event,\n );\n try {\n const result = getHandler(config)(message, context);\n\n if (\n result &&\n typeof result === \"object\" &&\n Symbol.asyncIterator in result\n ) {\n let lastMessage: Message | undefined;\n for await (const msg of result as AsyncGenerator<Message>) {\n lastMessage = msg;\n }\n await updateTask(taskId, {\n state: \"completed\",\n message: lastMessage,\n artifacts: artifacts.length > 0 ? artifacts : undefined,\n });\n return;\n }\n\n const handlerResult = await (result as Promise<A2AHandlerResult>);\n const allArtifacts = [...artifacts, ...(handlerResult.artifacts ?? [])];\n await updateTask(taskId, {\n state: \"completed\",\n message: handlerResult.message,\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n } catch (err: any) {\n await updateTask(taskId, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: err?.message ?? \"Handler failed\" }],\n },\n });\n }\n}\n\nasync function handleSend(\n params: Record<string, unknown>,\n config: A2AConfig,\n event?: any,\n): Promise<JsonRpcResponse & { _id: string | number }> {\n const message = params.message as Message;\n if (!message || !message.role || !Array.isArray(message.parts)) {\n return {\n ...jsonRpcError(\n 0,\n -32602,\n \"Invalid params: message with role and parts required\",\n ),\n _id: 0,\n };\n }\n\n const contextId = params.contextId as string | undefined;\n const metadata = params.metadata as Record<string, unknown> | undefined;\n\n // The JWT-verified caller email (set by mountA2A in server.ts) is the\n // single source of truth for task ownership — bound at creation, checked\n // on every subsequent tasks/get and tasks/cancel call. Caller-supplied\n // metadata.userEmail is NEVER used for ownership; that would re-introduce\n // the IDOR class fixed here.\n const ownerEmailForTask =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n\n // Async mode: return the task immediately in `working` state, run the\n // handler in the background, and let the caller poll `tasks/get`. This is\n // the workaround for synchronous serverless request timeouts when the handler\n // runs LLM + tool loops that can exceed a single HTTP invocation budget.\n // SECURITY: only honor the explicit top-level `params.async`. The\n // metadata.async fallback was caller-controlled and could force async\n // dispatch (which has weaker auth than the sync path) on otherwise sync\n // requests. Async is also refused entirely when no auth is configured in\n // production — see the additional gate below.\n const asyncMode =\n params.async === true || (event && event.context?.__a2aForceAsync === true);\n\n if (asyncMode) {\n // Refuse async mode entirely when no auth is configured in production.\n // The async dispatch path self-fires the `_process-task` route, which\n // accepts unsigned dispatches when A2A_SECRET is unset — that combined\n // with the lack of caller identity here would let any unauthenticated\n // attacker queue and trigger handler runs. In production, require some\n // form of auth so the verifiedEmail is bound to the task.\n const hasA2ASecret = hasConfiguredA2ASecret();\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n if (isA2AProductionRuntime() && !hasA2ASecret && !hasApiKey) {\n return {\n ...jsonRpcError(\n 0,\n -32001,\n \"A2A async mode is not available — A2A_SECRET or apiKeyEnv must be configured.\",\n ),\n _id: 0,\n };\n }\n // Resolve identity up front (cheap), bake it into the task's metadata,\n // and dispatch the actual handler run to a SEPARATE function execution.\n // On serverless hosts (Netlify, Vercel, Cloudflare) detached promises get\n // killed when the response is flushed, so we self-fire a webhook to a\n // dedicated processor route — same cross-platform pattern the integration\n // webhook queue uses. The processor reconstructs the request context from\n // the task metadata and runs the handler with its own full timeout.\n const verifiedEmail =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? undefined;\n // Only trust the verified org domain from the JWT claim — do not fall back\n // to metadata.orgDomain which is caller-supplied and unverified.\n const orgDomainHint =\n (event?.context?.__a2aOrgDomain as string | undefined) ?? undefined;\n\n const taskMetadata: Record<string, unknown> = {\n ...(metadata ?? {}),\n __a2a_processor: {\n verifiedEmail,\n orgDomainHint,\n contextId: contextId ?? null,\n callerMetadata: metadata ?? null,\n },\n };\n const task = await createTask(\n message,\n contextId,\n taskMetadata,\n ownerEmailForTask,\n );\n const working = await updateTask(task.id, { state: \"working\" });\n\n fireProcessTaskDispatch(event, task.id).catch((err) => {\n console.error(\"[a2a] Failed to dispatch process-task:\", err);\n });\n\n return { ...jsonRpcResult(0, working ?? task), _id: 0 };\n }\n\n return withA2ARequestContext(metadata, event, async () => {\n const task = await createTask(\n message,\n contextId,\n undefined,\n ownerEmailForTask,\n );\n await updateTask(task.id, { state: \"working\" });\n\n const ctx = makeHandlerContext(task.id, contextId, metadata, event);\n\n try {\n const result = getHandler(config)(message, ctx.context);\n\n if (\n result &&\n typeof result === \"object\" &&\n Symbol.asyncIterator in result\n ) {\n let lastMessage: Message | undefined;\n for await (const msg of result as AsyncGenerator<Message>) {\n lastMessage = msg;\n }\n const updated = await updateTask(task.id, {\n state: \"completed\",\n message: lastMessage,\n artifacts: ctx.artifacts.length > 0 ? ctx.artifacts : undefined,\n });\n return { ...jsonRpcResult(0, updated), _id: 0 };\n }\n\n const handlerResult = await (result as Promise<A2AHandlerResult>);\n const allArtifacts = [\n ...ctx.artifacts,\n ...(handlerResult.artifacts ?? []),\n ];\n const updated = await updateTask(task.id, {\n state: \"completed\",\n message: handlerResult.message,\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n return { ...jsonRpcResult(0, updated), _id: 0 };\n } catch (err: any) {\n await updateTask(task.id, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: err.message ?? \"Handler failed\" }],\n },\n });\n return {\n ...jsonRpcError(0, -32000, err.message ?? \"Handler failed\"),\n _id: 0,\n };\n }\n });\n}\n\nasync function handleStream(\n params: Record<string, unknown>,\n config: A2AConfig,\n res: { write: (chunk: string) => void; end: () => void },\n event?: any,\n): Promise<void> {\n const message = params.message as Message;\n if (!message || !message.role || !Array.isArray(message.parts)) {\n res.write(\n `data: ${JSON.stringify(jsonRpcError(0, -32602, \"Invalid params\"))}\\n\\n`,\n );\n res.end();\n return;\n }\n\n const contextId = params.contextId as string | undefined;\n const metadata = params.metadata as Record<string, unknown> | undefined;\n const ownerEmailForTask =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n\n await withA2ARequestContext(metadata, event, async () => {\n const task = await createTask(\n message,\n contextId,\n undefined,\n ownerEmailForTask,\n );\n\n await updateTask(task.id, { state: \"working\" });\n\n const { context, artifacts } = makeHandlerContext(\n task.id,\n contextId,\n metadata,\n event,\n );\n\n try {\n const result = getHandler(config)(message, context);\n\n if (\n result &&\n typeof result === \"object\" &&\n Symbol.asyncIterator in result\n ) {\n for await (const msg of result as AsyncGenerator<Message>) {\n const intermediate = await updateTask(task.id, {\n state: \"working\",\n message: msg,\n });\n res.write(\n `data: ${JSON.stringify(jsonRpcResult(0, intermediate))}\\n\\n`,\n );\n }\n } else {\n const handlerResult = await (result as Promise<A2AHandlerResult>);\n const allArtifacts = [...artifacts, ...(handlerResult.artifacts ?? [])];\n const updated = await updateTask(task.id, {\n state: \"completed\",\n message: handlerResult.message,\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n res.write(`data: ${JSON.stringify(jsonRpcResult(0, updated))}\\n\\n`);\n res.end();\n return;\n }\n\n const allArtifacts = [...artifacts];\n const final = await updateTask(task.id, {\n state: \"completed\",\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n res.write(`data: ${JSON.stringify(jsonRpcResult(0, final))}\\n\\n`);\n } catch (err: any) {\n await updateTask(task.id, { state: \"failed\" });\n res.write(\n `data: ${JSON.stringify(jsonRpcError(0, -32000, err.message ?? \"Handler failed\"))}\\n\\n`,\n );\n }\n\n res.end();\n });\n}\n\n/**\n * Caller-supplied metadata keys that may contain sensitive bearer / OAuth\n * material. Always stripped from `tasks/get` responses so a leaked task id\n * never discloses an OAuth token even when the original sender carelessly\n * stuffed one into `metadata` (see `production-agent.ts:1144-1156` for the\n * historical googleToken propagation pattern).\n */\nconst SENSITIVE_METADATA_KEYS = new Set([\n \"googleToken\",\n \"userEmail\",\n \"orgDomain\",\n \"accessToken\",\n \"refreshToken\",\n \"apiKey\",\n \"Authorization\",\n \"authorization\",\n \"bearer\",\n]);\n\nfunction sanitizeTaskForResponse(task: any): any {\n if (!task || typeof task !== \"object\") return task;\n if (!task.metadata || typeof task.metadata !== \"object\") return task;\n\n const meta = task.metadata as Record<string, unknown>;\n const publicMeta: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(meta)) {\n if (k === \"__a2a_processor\") continue;\n if (SENSITIVE_METADATA_KEYS.has(k)) continue;\n publicMeta[k] = v;\n }\n return { ...task, metadata: publicMeta };\n}\n\n/**\n * Reject access when the task has a recorded owner that doesn't match the\n * verified caller. Returns a 404-shaped JSON-RPC error to avoid disclosing\n * task existence to the wrong caller (enumeration via UUID lookup).\n *\n * - When the task has no recorded owner (legacy row from before the\n * owner_email migration) we allow access if some verifiable bearer token\n * was presented; otherwise we still reject so an unsigned caller can never\n * read or cancel arbitrary task ids.\n * - When neither A2A_SECRET nor apiKeyEnv is configured AND we're in\n * production, we refuse `tasks/get` and `tasks/cancel` outright — there's\n * no way to authenticate the caller, so the only safe response is \"not\n * found\".\n */\nfunction authorizeTaskAccess(\n taskOwnerEmail: string | null,\n event: any,\n config: A2AConfig,\n): JsonRpcResponse | null {\n const verifiedEmail =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n const hasA2ASecret = hasConfiguredA2ASecret();\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n const inProduction = isA2AProductionRuntime();\n\n if (inProduction && !hasA2ASecret && !hasApiKey) {\n // No way to authenticate the caller in production — refuse access.\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n\n if (taskOwnerEmail) {\n if (!verifiedEmail) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n if (verifiedEmail.toLowerCase() !== taskOwnerEmail.toLowerCase()) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n }\n // Legacy row (no owner_email recorded). The route-level auth gate is the\n // only thing protecting it — fall through and serve.\n return null;\n}\n\nasync function handleGet(\n params: Record<string, unknown>,\n event: any,\n config: A2AConfig,\n): Promise<JsonRpcResponse> {\n const id = params.id as string;\n if (!id) {\n return jsonRpcError(0, -32602, \"Invalid params: id required\");\n }\n const ownerEmail = await getTaskOwner(id);\n const denied = authorizeTaskAccess(ownerEmail, event, config);\n if (denied) return denied;\n\n const task = await getTask(id);\n if (!task) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n await refireStuckAsyncTaskIfNeeded(id, event).catch((err) => {\n console.error(\"[a2a] Failed to refire stuck async task:\", err);\n });\n return jsonRpcResult(0, sanitizeTaskForResponse(task));\n}\n\nasync function refireStuckAsyncTaskIfNeeded(\n taskId: string,\n event: any,\n): Promise<void> {\n const state = await getA2ATaskDispatchState(taskId);\n if (!state) return;\n if (!state.metadata?.__a2a_processor) return;\n\n const now = Date.now();\n if (\n (state.statusState === \"submitted\" || state.statusState === \"working\") &&\n state.updatedAt <= now - A2A_QUEUED_DISPATCH_STUCK_AFTER_MS\n ) {\n if (await touchQueuedA2ATaskDispatch(taskId)) {\n await fireProcessTaskDispatch(event, taskId);\n }\n return;\n }\n\n if (\n state.statusState === \"processing\" &&\n state.updatedAt <= now - A2A_PROCESSING_STUCK_AFTER_MS\n ) {\n const reset = await resetStuckA2ATaskForRetry(\n taskId,\n now - A2A_PROCESSING_STUCK_AFTER_MS,\n );\n if (reset) await fireProcessTaskDispatch(event, taskId);\n }\n}\n\nasync function handleCancel(\n params: Record<string, unknown>,\n event: any,\n config: A2AConfig,\n): Promise<JsonRpcResponse> {\n const id = params.id as string;\n if (!id) {\n return jsonRpcError(0, -32602, \"Invalid params: id required\");\n }\n const ownerEmail = await getTaskOwner(id);\n const denied = authorizeTaskAccess(ownerEmail, event, config);\n if (denied) return denied;\n\n const task = await updateTask(id, { state: \"canceled\" });\n if (!task) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n return jsonRpcResult(0, sanitizeTaskForResponse(task));\n}\n\n/**\n * H3-compatible JSON-RPC handler. Returns JSON directly (H3 serializes it).\n * Streaming is handled via H3's node response when needed.\n */\nexport async function handleJsonRpcH3(\n body: any,\n event: any,\n config: A2AConfig,\n): Promise<JsonRpcResponse> {\n if (!body || body.jsonrpc !== \"2.0\" || !body.method) {\n setResponseStatus(event, 400);\n return jsonRpcError(body?.id ?? null, -32600, \"Invalid JSON-RPC request\");\n }\n\n const params = (body.params as Record<string, unknown>) ?? {};\n const id = body.id;\n\n switch (body.method) {\n case \"message/send\": {\n const result = await handleSend(params, config, event);\n const { _id, ...response } = result;\n return { ...response, id } as JsonRpcResponse;\n }\n case \"message/stream\": {\n if (!config.streaming) {\n return jsonRpcError(id, -32601, \"Streaming not supported\");\n }\n // Use the raw node response for SSE streaming\n const res = event.node?.res;\n if (!res) {\n return jsonRpcError(id, -32000, \"Streaming not available\");\n }\n setResponseHeader(event, \"Content-Type\", \"text/event-stream\");\n setResponseHeader(event, \"Cache-Control\", \"no-cache\");\n setResponseHeader(event, \"Connection\", \"keep-alive\");\n await handleStream(params, config, res, event);\n return undefined as any; // Response already sent via SSE\n }\n case \"tasks/get\": {\n const result = await handleGet(params, event, config);\n return { ...result, id } as JsonRpcResponse;\n }\n case \"tasks/cancel\": {\n const result = await handleCancel(params, event, config);\n return { ...result, id } as JsonRpcResponse;\n }\n default:\n return jsonRpcError(id, -32601, `Method not found: ${body.method}`);\n }\n}\n"]}
package/dist/a2a/index.d.ts CHANGED
@@ -1,4 +1,5 @@
1
1
  export { mountA2A } from "./server.js";
2
+ export { generateAgentCard } from "./agent-card.js";
2
3
  export { A2AClient, callAgent, signA2AToken } from "./client.js";
3
4
  export type { A2AConfig, A2AHandler, A2AHandlerContext, A2AHandlerResult, AgentCard, AgentSkill, AgentCapabilities, Task, TaskState, TaskStatus, Message, Part, TextPart, FilePart, DataPart, Artifact, JsonRpcRequest, JsonRpcResponse, } from "./types.js";
4
5
  //# sourceMappingURL=index.d.ts.map
package/dist/a2a/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/a2a/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGjE,YAAY,EACV,SAAS,EACT,UAAU,EACV,iBAAiB,EACjB,gBAAgB,EAChB,SAAS,EACT,UAAU,EACV,iBAAiB,EACjB,IAAI,EACJ,SAAS,EACT,UAAU,EACV,OAAO,EACP,IAAI,EACJ,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,cAAc,EACd,eAAe,GAChB,MAAM,YAAY,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/a2a/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAGpD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGjE,YAAY,EACV,SAAS,EACT,UAAU,EACV,iBAAiB,EACjB,gBAAgB,EAChB,SAAS,EACT,UAAU,EACV,iBAAiB,EACjB,IAAI,EACJ,SAAS,EACT,UAAU,EACV,OAAO,EACP,IAAI,EACJ,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,cAAc,EACd,eAAe,GAChB,MAAM,YAAY,CAAC"}
package/dist/a2a/index.js CHANGED
@@ -1,5 +1,6 @@
1
1
  // Server (H3/Nitro)
2
2
  export { mountA2A } from "./server.js";
3
+ export { generateAgentCard } from "./agent-card.js";
3
4
  // Client
4
5
  export { A2AClient, callAgent, signA2AToken } from "./client.js";
5
6
  //# sourceMappingURL=index.js.map
package/dist/a2a/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/a2a/index.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,SAAS;AACT,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC","sourcesContent":["// Server (H3/Nitro)\nexport { mountA2A } from \"./server.js\";\n\n// Client\nexport { A2AClient, callAgent, signA2AToken } from \"./client.js\";\n\n// Types\nexport type {\n A2AConfig,\n A2AHandler,\n A2AHandlerContext,\n A2AHandlerResult,\n AgentCard,\n AgentSkill,\n AgentCapabilities,\n Task,\n TaskState,\n TaskStatus,\n Message,\n Part,\n TextPart,\n FilePart,\n DataPart,\n Artifact,\n JsonRpcRequest,\n JsonRpcResponse,\n} from \"./types.js\";\n"]}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/a2a/index.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEpD,SAAS;AACT,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC","sourcesContent":["// Server (H3/Nitro)\nexport { mountA2A } from \"./server.js\";\nexport { generateAgentCard } from \"./agent-card.js\";\n\n// Client\nexport { A2AClient, callAgent, signA2AToken } from \"./client.js\";\n\n// Types\nexport type {\n A2AConfig,\n A2AHandler,\n A2AHandlerContext,\n A2AHandlerResult,\n AgentCard,\n AgentSkill,\n AgentCapabilities,\n Task,\n TaskState,\n TaskStatus,\n Message,\n Part,\n TextPart,\n FilePart,\n DataPart,\n Artifact,\n JsonRpcRequest,\n JsonRpcResponse,\n} from \"./types.js\";\n"]}
package/dist/a2a/server.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AA0J5C;;;;;;;;;GASG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,GAAG,EACb,MAAM,EAAE,SAAS,EACjB,WAAW,SAAmB,GAC7B,IAAI,CAkNN"}
1
+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AA4J5C;;;;;;;;;GASG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,GAAG,EACb,MAAM,EAAE,SAAS,EACjB,WAAW,SAAmB,GAC7B,IAAI,CAoNN"}
package/dist/a2a/server.js CHANGED
@@ -5,6 +5,7 @@ import { generateAgentCard } from "./agent-card.js";
5
5
  import { handleJsonRpcH3, processA2ATaskFromQueue } from "./handlers.js";
6
6
  import { readBody } from "../server/h3-helpers.js";
7
7
  import { extractBearerToken, verifyInternalToken, } from "../integrations/internal-token.js";
8
+ import { hasConfiguredA2ASecret, isA2AProductionRuntime, } from "./auth-policy.js";
8
9
  /**
9
10
  * One-time warning when A2A is running unauthenticated in development. We
10
11
  * don't refuse the request (local templates need to work out of the box),
@@ -52,8 +53,7 @@ function expectedJwtAudience(event) {
52
53
  catch { }
53
54
  return undefined;
54
55
  }
55
- async function verifyA2AToken(authHeader, event) {
56
- const token = authHeader.replace("Bearer ", "");
56
+ async function verifyA2AToken(token, event) {
57
57
  // Step 1: Peek at JWT claims WITHOUT verification to get org_domain.
58
58
  // This is safe because we only use org_domain to look up the secret,
59
59
  // then verify the full JWT with that secret. If someone forges a JWT
@@ -202,7 +202,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
202
202
  // of logs / a share link could otherwise force-replay it). In
203
203
  // development, a missing secret is permitted so local templates work
204
204
  // out of the box, but we log a one-time warning so operators notice.
205
- if (process.env.A2A_SECRET) {
205
+ if (hasConfiguredA2ASecret()) {
206
206
  const auth = getRequestHeader(event, "authorization");
207
207
  const tok = extractBearerToken(auth);
208
208
  if (!verifyInternalToken(taskId, tok)) {
@@ -210,7 +210,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
210
210
  return { error: "Invalid or expired processor token" };
211
211
  }
212
212
  }
213
- else if (process.env.NODE_ENV === "production") {
213
+ else if (isA2AProductionRuntime()) {
214
214
  setResponseStatus(event, 503);
215
215
  return {
216
216
  error: "A2A processor not configured — set A2A_SECRET on this deployment to enable async A2A.",
@@ -244,6 +244,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
244
244
  if (sub.startsWith("_process-task"))
245
245
  return;
246
246
  const authHeader = getRequestHeader(event, "authorization");
247
+ const bearerToken = extractBearerToken(authHeader);
247
248
  let verifiedCallerEmail = null;
248
249
  let verifiedOrgDomain = null;
249
250
  let legacyApiKeyAuthenticated = false;
@@ -253,11 +254,11 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
253
254
  // in production — return 503 with a clear message instead of running
254
255
  // the agent loop unauthenticated. In development, log a one-time
255
256
  // warning but allow so local templates work out of the box.
256
- const hasA2ASecret = !!process.env.A2A_SECRET;
257
+ const hasA2ASecret = hasConfiguredA2ASecret();
257
258
  const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);
258
259
  // Try JWT verification first (org-level or global A2A_SECRET-based identity)
259
- if (authHeader?.startsWith("Bearer ")) {
260
- const tokenPayload = await verifyA2AToken(authHeader, event);
260
+ if (bearerToken) {
261
+ const tokenPayload = await verifyA2AToken(bearerToken, event);
261
262
  verifiedCallerEmail = tokenPayload.email;
262
263
  verifiedOrgDomain = tokenPayload.orgDomain;
263
264
  bearerTokenRejectedByJwt = !verifiedCallerEmail;
@@ -266,7 +267,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
266
267
  if (!verifiedCallerEmail && config.apiKeyEnv) {
267
268
  const expectedKey = process.env[config.apiKeyEnv];
268
269
  if (expectedKey) {
269
- if (!authHeader || !authHeader.startsWith("Bearer ")) {
270
+ if (!bearerToken) {
270
271
  setResponseStatus(event, 401);
271
272
  return {
272
273
  jsonrpc: "2.0",
@@ -274,8 +275,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
274
275
  error: { code: -32001, message: "Authentication required" },
275
276
  };
276
277
  }
277
- const token = authHeader.slice(7);
278
- if (token !== expectedKey) {
278
+ if (bearerToken !== expectedKey) {
279
279
  setResponseStatus(event, 401);
280
280
  return {
281
281
  jsonrpc: "2.0",
@@ -287,9 +287,11 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
287
287
  }
288
288
  }
289
289
  if (!verifiedCallerEmail && !legacyApiKeyAuthenticated) {
290
- // If a global secret exists and JWT verification failed, reject after
291
- // giving the legacy exact-match apiKeyEnv path a chance to succeed.
292
- if (bearerTokenRejectedByJwt && process.env.A2A_SECRET) {
290
+ // Any supplied bearer token that failed JWT verification is an auth
291
+ // failure after the legacy exact-match apiKeyEnv path has had a
292
+ // chance to succeed. Do not let bad tokens fall through to tasks/get
293
+ // and get reported as lookup misses.
294
+ if (bearerTokenRejectedByJwt) {
293
295
  setResponseStatus(event, 401);
294
296
  return {
295
297
  jsonrpc: "2.0",
@@ -301,7 +303,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
301
303
  };
302
304
  }
303
305
  if (!hasA2ASecret && !hasApiKey) {
304
- if (process.env.NODE_ENV === "production") {
306
+ if (isA2AProductionRuntime()) {
305
307
  setResponseStatus(event, 503);
306
308
  return {
307
309
  jsonrpc: "2.0",