@agent-native/core 0.7.50 → 0.7.52

Files changed (121)
  1. package/dist/a2a/agent-card.d.ts.map +1 -1
  2. package/dist/a2a/agent-card.js +21 -16
  3. package/dist/a2a/agent-card.js.map +1 -1
  4. package/dist/a2a/artifact-response.d.ts.map +1 -1
  5. package/dist/a2a/artifact-response.js +109 -5
  6. package/dist/a2a/artifact-response.js.map +1 -1
  7. package/dist/a2a/auth-policy.d.ts +10 -0
  8. package/dist/a2a/auth-policy.d.ts.map +1 -0
  9. package/dist/a2a/auth-policy.js +34 -0
  10. package/dist/a2a/auth-policy.js.map +1 -0
  11. package/dist/a2a/handlers.d.ts.map +1 -1
  12. package/dist/a2a/handlers.js +5 -4
  13. package/dist/a2a/handlers.js.map +1 -1
  14. package/dist/a2a/index.d.ts +1 -0
  15. package/dist/a2a/index.d.ts.map +1 -1
  16. package/dist/a2a/index.js +1 -0
  17. package/dist/a2a/index.js.map +1 -1
  18. package/dist/a2a/server.d.ts.map +1 -1
  19. package/dist/a2a/server.js +27 -14
  20. package/dist/a2a/server.js.map +1 -1
  21. package/dist/client/resources/ResourceEditor.d.ts.map +1 -1
  22. package/dist/client/resources/ResourceEditor.js +2 -4
  23. package/dist/client/resources/ResourceEditor.js.map +1 -1
  24. package/dist/client/settings/AgentsSection.d.ts.map +1 -1
  25. package/dist/client/settings/AgentsSection.js +4 -6
  26. package/dist/client/settings/AgentsSection.js.map +1 -1
  27. package/dist/deploy/build.d.ts.map +1 -1
  28. package/dist/deploy/build.js +8 -0
  29. package/dist/deploy/build.js.map +1 -1
  30. package/dist/deploy/route-discovery.d.ts.map +1 -1
  31. package/dist/deploy/route-discovery.js +11 -2
  32. package/dist/deploy/route-discovery.js.map +1 -1
  33. package/dist/deploy/workspace-deploy.js +32 -3
  34. package/dist/deploy/workspace-deploy.js.map +1 -1
  35. package/dist/integrations/a2a-continuation-processor.d.ts.map +1 -1
  36. package/dist/integrations/a2a-continuation-processor.js +17 -11
  37. package/dist/integrations/a2a-continuation-processor.js.map +1 -1
  38. package/dist/integrations/a2a-continuations-store.d.ts +2 -1
  39. package/dist/integrations/a2a-continuations-store.d.ts.map +1 -1
  40. package/dist/integrations/a2a-continuations-store.js +33 -4
  41. package/dist/integrations/a2a-continuations-store.js.map +1 -1
  42. package/dist/integrations/plugin.d.ts.map +1 -1
  43. package/dist/integrations/plugin.js +2 -1
  44. package/dist/integrations/plugin.js.map +1 -1
  45. package/dist/integrations/webhook-handler.d.ts.map +1 -1
  46. package/dist/integrations/webhook-handler.js +11 -1
  47. package/dist/integrations/webhook-handler.js.map +1 -1
  48. package/dist/onboarding/plugin.d.ts.map +1 -1
  49. package/dist/onboarding/plugin.js +2 -1
  50. package/dist/onboarding/plugin.js.map +1 -1
  51. package/dist/org/plugin.d.ts.map +1 -1
  52. package/dist/org/plugin.js +2 -1
  53. package/dist/org/plugin.js.map +1 -1
  54. package/dist/resources/handlers.d.ts.map +1 -1
  55. package/dist/resources/handlers.js +2 -3
  56. package/dist/resources/handlers.js.map +1 -1
  57. package/dist/resources/metadata.d.ts +5 -0
  58. package/dist/resources/metadata.d.ts.map +1 -1
  59. package/dist/resources/metadata.js +17 -2
  60. package/dist/resources/metadata.js.map +1 -1
  61. package/dist/resources/store.d.ts.map +1 -1
  62. package/dist/resources/store.js +2 -1
  63. package/dist/resources/store.js.map +1 -1
  64. package/dist/scripts/call-agent.js +2 -2
  65. package/dist/scripts/call-agent.js.map +1 -1
  66. package/dist/server/action-routes.d.ts.map +1 -1
  67. package/dist/server/action-routes.js +5 -11
  68. package/dist/server/action-routes.js.map +1 -1
  69. package/dist/server/agent-chat-plugin.d.ts.map +1 -1
  70. package/dist/server/agent-chat-plugin.js +2 -1
  71. package/dist/server/agent-chat-plugin.js.map +1 -1
  72. package/dist/server/agent-discovery.d.ts.map +1 -1
  73. package/dist/server/agent-discovery.js +7 -4
  74. package/dist/server/agent-discovery.js.map +1 -1
  75. package/dist/server/auth-plugin.d.ts.map +1 -1
  76. package/dist/server/auth-plugin.js +2 -1
  77. package/dist/server/auth-plugin.js.map +1 -1
  78. package/dist/server/auth.d.ts.map +1 -1
  79. package/dist/server/auth.js +13 -12
  80. package/dist/server/auth.js.map +1 -1
  81. package/dist/server/core-routes-plugin.d.ts.map +1 -1
  82. package/dist/server/core-routes-plugin.js +9 -29
  83. package/dist/server/core-routes-plugin.js.map +1 -1
  84. package/dist/server/cors-origins.d.ts +10 -0
  85. package/dist/server/cors-origins.d.ts.map +1 -0
  86. package/dist/server/cors-origins.js +34 -0
  87. package/dist/server/cors-origins.js.map +1 -0
  88. package/dist/server/create-server.d.ts.map +1 -1
  89. package/dist/server/create-server.js +10 -29
  90. package/dist/server/create-server.js.map +1 -1
  91. package/dist/server/framework-request-handler.d.ts +11 -0
  92. package/dist/server/framework-request-handler.d.ts.map +1 -1
  93. package/dist/server/framework-request-handler.js +24 -1
  94. package/dist/server/framework-request-handler.js.map +1 -1
  95. package/dist/server/resources-plugin.d.ts.map +1 -1
  96. package/dist/server/resources-plugin.js +2 -1
  97. package/dist/server/resources-plugin.js.map +1 -1
  98. package/dist/terminal/terminal-plugin.d.ts.map +1 -1
  99. package/dist/terminal/terminal-plugin.js +2 -1
  100. package/dist/terminal/terminal-plugin.js.map +1 -1
  101. package/dist/vite/index.d.ts +1 -1
  102. package/dist/vite/index.d.ts.map +1 -1
  103. package/dist/vite/index.js +1 -1
  104. package/dist/vite/index.js.map +1 -1
  105. package/docs/content/a2a-protocol.md +75 -6
  106. package/docs/content/creating-templates.md +10 -0
  107. package/docs/content/dispatch.md +94 -0
  108. package/docs/content/getting-started.md +8 -0
  109. package/docs/content/key-concepts.md +16 -0
  110. package/docs/content/messaging.md +45 -13
  111. package/docs/content/multi-app-workspace.md +10 -2
  112. package/docs/content/notifications.md +1 -1
  113. package/docs/content/observability.md +184 -0
  114. package/docs/content/onboarding.md +7 -2
  115. package/docs/content/template-dispatch.md +3 -1
  116. package/docs/content/tools.md +95 -1
  117. package/docs/content/tracking.md +1 -1
  118. package/docs/content/what-is-agent-native.md +3 -1
  119. package/docs/content/workspace-management.md +5 -5
  120. package/docs/content/workspace.md +2 -0
  121. package/package.json +1 -1
@@ -1 +1 @@
1
- {"version":3,"file":"handlers.js","sourceRoot":"","sources":["../../src/a2a/handlers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AAW1D,OAAO,EACL,UAAU,EACV,OAAO,EACP,YAAY,EACZ,UAAU,EACV,yBAAyB,EACzB,uBAAuB,EACvB,yBAAyB,EACzB,0BAA0B,GAC3B,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAEvE,qEAAqE;AACrE,0EAA0E;AAC1E,iEAAiE;AACjE,MAAM,qBAAqB,GAAG,kCAAkC,CAAC;AACjE,MAAM,kCAAkC,GAAG,MAAM,CAAC;AAClD,MAAM,6BAA6B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEpD;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,KAAsB;IAChD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,yBAAyB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAE/D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,KAAK,EAAE,OAAO,CAAC;QAC5D,MAAM,GAAG,GAAG,CAAC,IAAY,EAAsB,EAAE;YAC/C,IAAI,CAAC,OAAO;gBAAE,OAAO,SAAS,CAAC;YAC/B,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;gBACtC,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC;YACxC,CAAC;YACD,MAAM,GAAG,GAAG,OAA6C,CAAC;YAC1D,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QACtD,CAAC,CAAC;QACF,MAAM,KAAK,GAAG,GAAG,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC;QACjD,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,aAAa,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;QACpE,OAAO,yBAAyB,CAAC,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,yBAAyB,CAC9B,oBAAoB,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAC/C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,uBAAuB,CACpC,KAAU,EACV,MAAc;IAEd,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,qBAAqB,EAAE,CAAC;IACjD,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IACF,IAAI,CAAC;QACH,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;QACvE,qEAAqE;QACrE,iBAAiB;IACnB,CAAC;IACD,qEAAqE;IACr
E,wEAAwE;IACxE,uEAAuE;IACvE,0EAA0E;IAC1E,MAAM,eAAe,GAAG,KAAK,CAAC,GAAG,EAAE;QACjC,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;KACjC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACf,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,IAAI,CAAC;QACjB,eAAe;QACf,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;KACzD,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,MAAc,EACd,MAAiB,EACjB,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACxD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,0DAA0D;QAC1D,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,qCAAqC,EAAE,CAAC;aACvE;SACF,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAA4B,CAAC;IACjE,MAAM,aAAa,GAAG,CAAC,IAAI,CAAC,eAAe,IAAI,EAAE,CAA4B,CAAC;IAC9E,MAAM,aAAa,GAAG,aAAa,CAAC,aAAmC,CAAC;IACxE,MAAM,aAAa,GAAG,aAAa,CAAC,aAAmC,CAAC;IACxE,MAAM,SAAS,GACZ,aAAa,CAAC,SAAuC,IAAI,SAAS,CAAC;IACtE,MAAM,cAAc,GACjB,aAAa,CAAC,cAGD,IAAI,SAAS,CAAC;IAE9B,MAAM,aAAa,GAAG,MAAM,uBAAuB,CACjD,aAAa,EACb,aAAa,CACd,CAAC;IAEF,MAAM,EAAE,qBAAqB,EAAE,GAC7B,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,qBAAqB,CACzB,EAAE,SAAS,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,EAClD,GAAG,EAAE,CACH,oBAAoB,CAClB,MAAM,EACN,OAAO,EACP,MAAM,EACN,SAAS,EACT,cAAc,EACd,KAAK,CACN,CACJ,CAAC;IACJ,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,MAAM,EAAE;gBACvB,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,iBAAiB,EAAE,CAAC;iBACnE;aACF,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,cAAc,GAAe,KAAK,EACtC,OAAgB,EAChB,OAA0B,EACC,EAAE;IAC7B,kCAAkC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK;SACvB,MAAM,CAAC,CAAC,CAA
C,EAAuC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;SACrE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;SAClB,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,4BAA4B,EAAE,CAAC;aAC9D;SACF,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,0EAA0E;IAC1E,wDAAwD;IACxD,4EAA4E;IAC5E,oEAAoE;IACpE,yEAAyE;IACzE,8BAA8B;IAC9B,qEAAqE;IACrE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;IAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACrE,MAAM,aAAa,GAAG,OAAO;QAC3B,CAAC,CAAC,+DAA+D,UAAU,sNAAsN,IAAI,EAAE;QACvS,CAAC,CAAC,IAAI,CAAC;IAET,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAEnD,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,SAAS,CAAC,IAAI,CAAC;YACb,IAAI,EAAE,eAAe;YACrB,WAAW,EAAE,6BAA6B;YAC1C,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,YAAY,EAAE,EAAE,CAAC;SAChE,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,OAAO,EAAE;YACP,IAAI,EAAE,OAAO;YACb,KAAK,EAAE;gBACL,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;gBACvC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM;oBACzB,CAAC,CAAC;wBACE;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,kBAAkB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;yBACrD;qBACF;oBACH,CAAC,CAAC,EAAE,CAAC;aACR;SACF;QACD,SAAS,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;KACxD,CAAC;AACJ,CAAC,CAAC;AAEF,SAAS,UAAU,CAAC,MAAiB;IACnC,OAAO,MAAM,CAAC,OAAO,IAAI,cAAc,CAAC;AAC1C,CAAC;AAED,SAAS,YAAY,CACnB,EAA0B,EAC1B,IAAY,EACZ,OAAe;IAEf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC;AAC1D,CAAC;AAED,SAAS,aAAa,CAAC,EAAmB,EAAE,MAAe;IACzD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,kBAAkB,CACzB,MAAc,EACd,SAAkB,EAClB,QAAkC,EAClC,KAAW;IAKX,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,MAAM,OAAO,GAAsB;QACjC,MAAM;QACN,SAAS;QACT,QAAQ;QACR,KAAK;QACL,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ;YA
CnC,MAAM,QAAQ,GAAa;gBACzB,IAAI;gBACJ,KAAK,EAAE,QAAQ;oBACb,CAAC,CAAC;wBACE;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE;gCACJ,IAAI;gCACJ,QAAQ;gCACR,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;6BAC/C;yBACF;qBACF;oBACH,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;aACtC,CAAC;YACF,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;IACF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,qBAAqB,CAClC,QAA6C,EAC7C,KAAsB,EACtB,EAAoB;IAEpB,MAAM,EAAE,qBAAqB,EAAE,GAC7B,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,SAAS,CAAC;IAC1E,6EAA6E;IAC7E,2EAA2E;IAC3E,yEAAyE;IACzE,qCAAqC;IACrC,MAAM,SAAS,GACZ,KAAK,EAAE,OAAO,EAAE,cAAqC,IAAI,SAAS,CAAC;IAEtE,MAAM,aAAa,GAAG,MAAM,uBAAuB,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IAE9E,OAAO,qBAAqB,CAC1B,EAAE,SAAS,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,EAClD,EAAE,CACW,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,aAAiC,EACjC,iBAAqC;IAErC,IAAI,iBAAiB,EAAE,CAAC;QACtB,IAAI,CAAC;YACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACjE,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,iBAAiB,CAAC,CAAC;YACxD,IAAI,GAAG;gBAAE,OAAO,GAAG,CAAC,KAAK,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,OAAO,CAAC,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC,IAAI,SAAS,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,oBAAoB,CACjC,MAAc,EACd,OAAgB,EAChB,MAAiB,EACjB,SAA6B,EAC7B,QAA6C,EAC7C,KAAW;IAEX,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAC/C,MAAM,EACN,SAAS,EACT,QAAQ,EACR,KAAK,CACN,CAAC;IACF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAEpD,IACE,MAAM;YACN,OAAO,MAAM,KAAK,QAAQ;YAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;YACD,IAAI,WAAgC,CAAC;YACrC,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;gBAC1D,WAAW,GAAG,GAAG,CAAC;YACpB,CAAC;YACD,MAAM,UAAU,CAAC,MAAM,EAAE;
gBACvB,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,WAAW;gBACpB,SAAS,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;aACxD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;QAClE,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;QACxE,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,aAAa,CAAC,OAAO;YAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;SAC9D,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,gBAAgB,EAAE,CAAC;aAClE;SACF,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,MAA+B,EAC/B,MAAiB,EACjB,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAkB,CAAC;IAC1C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,OAAO;YACL,GAAG,YAAY,CACb,CAAC,EACD,CAAC,KAAK,EACN,sDAAsD,CACvD;YACD,GAAG,EAAE,CAAC;SACP,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAA+B,CAAC;IACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA+C,CAAC;IAExE,sEAAsE;IACtE,yEAAyE;IACzE,uEAAuE;IACvE,0EAA0E;IAC1E,6BAA6B;IAC7B,MAAM,iBAAiB,GACpB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IAErE,sEAAsE;IACtE,0EAA0E;IAC1E,8EAA8E;IAC9E,yEAAyE;IACzE,kEAAkE;IAClE,sEAAsE;IACtE,wEAAwE;IACxE,yEAAyE;IACzE,8CAA8C;IAC9C,MAAM,SAAS,GACb,MAAM,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,EAAE,eAAe,KAAK,IAAI,CAAC,CAAC;IAE9E,IAAI,SAAS,EAAE,CAAC;QACd,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,0DAA0D;QAC1D,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QACxE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;YACzE,OAAO;gBACL,GAAG,YAAY,CACb,CAAC,EACD,CAAC,KAAK,EACN,+EAA+E,CAChF;gBACD,GAAG,EAAE,CAAC;aACP,CAAC;QACJ,CAAC;QACD,uEAAuE;QACvE,wEAAwE;QACxE,0EAA0E;QAC1E,sEAAsE;QAC
tE,0EAA0E;QAC1E,0EAA0E;QAC1E,oEAAoE;QACpE,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,SAAS,CAAC;QAC1E,2EAA2E;QAC3E,iEAAiE;QACjE,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,cAAqC,IAAI,SAAS,CAAC;QAEtE,MAAM,YAAY,GAA4B;YAC5C,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;YACnB,eAAe,EAAE;gBACf,aAAa;gBACb,aAAa;gBACb,SAAS,EAAE,SAAS,IAAI,IAAI;gBAC5B,cAAc,EAAE,QAAQ,IAAI,IAAI;aACjC;SACF,CAAC;QACF,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,YAAY,EACZ,iBAAiB,CAClB,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhE,uBAAuB,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpD,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,GAAG,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC1D,CAAC;IAED,OAAO,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,SAAS,EACT,iBAAiB,CAClB,CAAC;QACF,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAEpE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAExD,IACE,MAAM;gBACN,OAAO,MAAM,KAAK,QAAQ;gBAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;gBACD,IAAI,WAAgC,CAAC;gBACrC,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;oBAC1D,WAAW,GAAG,GAAG,CAAC;gBACpB,CAAC;gBACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;oBACxC,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,WAAW;oBACpB,SAAS,EAAE,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;iBAChE,CAAC,CAAC;gBACH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;YAClD,CAAC;YAED,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;YAClE,MAAM,YAAY,GAAG;gBACnB,GAAG,GAAG,CAAC,SAAS;gBAChB,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC;aACnC,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACxC,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,aAAa,CAAC,OAAO;gBAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,
CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAC9D,CAAC,CAAC;YACH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACxB,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,EAAE,CAAC;iBACjE;aACF,CAAC,CAAC;YACH,OAAO;gBACL,GAAG,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,CAAC;gBAC3D,GAAG,EAAE,CAAC;aACP,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,MAA+B,EAC/B,MAAiB,EACjB,GAAwD,EACxD,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAkB,CAAC;IAC1C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC,MAAM,CACzE,CAAC;QACF,GAAG,CAAC,GAAG,EAAE,CAAC;QACV,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAA+B,CAAC;IACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA+C,CAAC;IACxE,MAAM,iBAAiB,GACpB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IAErE,MAAM,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,SAAS,EACT,iBAAiB,CAClB,CAAC;QAEF,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhD,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAC/C,IAAI,CAAC,EAAE,EACP,SAAS,EACT,QAAQ,EACR,KAAK,CACN,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAEpD,IACE,MAAM;gBACN,OAAO,MAAM,KAAK,QAAQ;gBAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;gBACD,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;oBAC1D,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;wBAC7C,KAAK,EAAE,SAAS;wBAChB,OAAO,EAAE,GAAG;qBACb,CAAC,CAAC;oBACH,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,MAAM,CAC9D,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;gBAClE,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC,CA
AC,CAAC;gBACxE,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;oBACxC,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,aAAa,CAAC,OAAO;oBAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;iBAC9D,CAAC,CAAC;gBACH,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;gBACpE,GAAG,CAAC,GAAG,EAAE,CAAC;gBACV,OAAO;YACT,CAAC;YAED,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACtC,KAAK,EAAE,WAAW;gBAClB,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAC9D,CAAC,CAAC;YACH,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC;QACpE,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC/C,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,CAAC,CAAC,MAAM,CACxF,CAAC;QACJ,CAAC;QAED,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,aAAa;IACb,WAAW;IACX,WAAW;IACX,aAAa;IACb,cAAc;IACd,QAAQ;IACR,eAAe;IACf,eAAe;IACf,QAAQ;CACT,CAAC,CAAC;AAEH,SAAS,uBAAuB,CAAC,IAAS;IACxC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnD,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAErE,MAAM,IAAI,GAAG,IAAI,CAAC,QAAmC,CAAC;IACtD,MAAM,UAAU,GAA4B,EAAE,CAAC;IAC/C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,IAAI,CAAC,KAAK,iBAAiB;YAAE,SAAS;QACtC,IAAI,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,SAAS;QAC7C,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,mBAAmB,CAC1B,cAA6B,EAC7B,KAAU,EACV,MAAiB;IAEjB,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IACrE,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,C
AAC,SAAS,CAAC,CAAC,CAAC;IACxE,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IAE3D,IAAI,YAAY,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;QAChD,mEAAmE;QACnE,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,aAAa,CAAC,WAAW,EAAE,KAAK,cAAc,CAAC,WAAW,EAAE,EAAE,CAAC;YACjE,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IACD,yEAAyE;IACzE,qDAAqD;IACrD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,SAAS,CACtB,MAA+B,EAC/B,KAAU,EACV,MAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,CAAC,EAAY,CAAC;IAC/B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC/B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,4BAA4B,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QAC1D,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,GAAG,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IACH,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,MAAc,EACd,KAAU;IAEV,MAAM,KAAK,GAAG,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACpD,IAAI,CAAC,KAAK;QAAE,OAAO;IACnB,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,eAAe;QAAE,OAAO;IAE7C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IACE,CAAC,KAAK,CAAC,WAAW,KAAK,WAAW,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC;QACtE,KAAK,CAAC,SAAS,IAAI,GAAG,GAAG,kCAAkC,EAC3D,CAAC;QACD,IAAI,MAAM,0BAA0B,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7C,MAAM,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO;IACT,CAAC;IAED,IACE,KAAK,CAAC,WAAW,KAAK,YAAY;QAClC,KAAK,CAAC,SAAS,IAAI,GAAG,GAAG,6BAA6B,EACtD,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,yBAAyB,CAC3C,MAAM,EACN,GAAG,GAAG,6BAA6B,CACpC,CAAC;QACF,IAAI,KAAK;YAAE,MAAM,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC
;IAC1D,CAAC;AACH,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,MAA+B,EAC/B,KAAU,EACV,MAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,CAAC,EAAY,CAAC;IAC/B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;IACzD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAS,EACT,KAAU,EACV,MAAiB;IAEjB,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACpD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,YAAY,CAAC,IAAI,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,KAAK,EAAE,0BAA0B,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,MAAM,GAAI,IAAI,CAAC,MAAkC,IAAI,EAAE,CAAC;IAC9D,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;IAEnB,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;QACpB,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACvD,MAAM,EAAE,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,MAAM,CAAC;YACpC,OAAO,EAAE,GAAG,QAAQ,EAAE,EAAE,EAAqB,CAAC;QAChD,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBACtB,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,yBAAyB,CAAC,CAAC;YAC7D,CAAC;YACD,8CAA8C;YAC9C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC;YAC5B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,yBAAyB,CAAC,CAAC;YAC7D,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,cAAc,EAAE,mBAAmB,CAAC,CAAC;YAC9D,iBAAiB,CAAC,KAAK,EAAE,eAAe,EAAE,UAAU,CAAC,CAAC;YACtD,iBAAiB,CAAC,KAAK,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;YACrD,MAAM,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAC/C,OAAO,SAAgB,CAAC,CAAC,gCAAgC;QAC3D,CAAC;QACD,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACtD,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EA
AqB,CAAC;QAC9C,CAAC;QACD,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACzD,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EAAqB,CAAC;QAC9C,CAAC;QACD;YACE,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,qBAAqB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACxE,CAAC;AACH,CAAC","sourcesContent":["import { setResponseHeader, setResponseStatus } from \"h3\";\nimport type {\n A2AConfig,\n A2AHandler,\n A2AHandlerContext,\n A2AHandlerResult,\n JsonRpcRequest,\n JsonRpcResponse,\n Message,\n Artifact,\n} from \"./types.js\";\nimport {\n createTask,\n getTask,\n getTaskOwner,\n updateTask,\n claimA2ATaskForProcessing,\n getA2ATaskDispatchState,\n resetStuckA2ATaskForRetry,\n touchQueuedA2ATaskDispatch,\n} from \"./task-store.js\";\nimport { agentChat } from \"../shared/agent-chat.js\";\nimport { signInternalToken } from \"../integrations/internal-token.js\";\nimport { withConfiguredAppBasePath } from \"../server/app-base-path.js\";\n\n// Inlined to avoid pulling the entire core-routes-plugin (and its h3\n// transitive deps) into the a2a/handlers test boundary. Must stay in sync\n// with FRAMEWORK_ROUTE_PREFIX in `server/core-routes-plugin.ts`.\nconst A2A_PROCESS_TASK_PATH = \"/_agent-native/a2a/_process-task\";\nconst A2A_QUEUED_DISPATCH_STUCK_AFTER_MS = 10_000;\nconst A2A_PROCESSING_STUCK_AFTER_MS = 5 * 60 * 1000;\n\n/**\n * Resolve the base URL we should fire the A2A processor request to. Mirrors\n * the integration-webhook resolveBaseUrl pattern — prefer explicit env vars\n * (most reliable on serverless), fall back to inbound request headers.\n */\nfunction resolveSelfBaseUrl(event: any | undefined): string {\n const fromEnv =\n process.env.APP_URL ||\n process.env.URL ||\n process.env.DEPLOY_URL ||\n process.env.BETTER_AUTH_URL;\n if (fromEnv) return withConfiguredAppBasePath(String(fromEnv));\n\n try {\n const headers = event?.node?.req?.headers ?? 
event?.headers;\n const get = (name: string): string | undefined => {\n if (!headers) return undefined;\n if (typeof headers.get === \"function\") {\n return headers.get(name) ?? undefined;\n }\n const map = headers as Record<string, string | undefined>;\n return map[name] ?? map[String(name).toLowerCase()];\n };\n const proto = get(\"x-forwarded-proto\") || \"http\";\n const host = get(\"host\") || `localhost:${process.env.PORT || 3000}`;\n return withConfiguredAppBasePath(`${proto}://${host}`);\n } catch {\n return withConfiguredAppBasePath(\n `http://localhost:${process.env.PORT || 3000}`,\n );\n }\n}\n\n/**\n * Fire-and-forget POST to the A2A processor route on the same deployment.\n * Used when an A2A send is requested in async mode — the processor runs the\n * handler in a fresh function execution so it gets its own full timeout.\n */\nasync function fireProcessTaskDispatch(\n event: any,\n taskId: string,\n): Promise<void> {\n const baseUrl = resolveSelfBaseUrl(event);\n const url = `${baseUrl}${A2A_PROCESS_TASK_PATH}`;\n const headers: Record<string, string> = {\n \"Content-Type\": \"application/json\",\n };\n try {\n headers[\"Authorization\"] = `Bearer ${signInternalToken(taskId)}`;\n } catch {\n // No A2A_SECRET configured — self-fire unsigned. The processor accepts\n // unsigned dispatches when no secret is set (mirrors the integration\n // webhook flow).\n }\n // Race the fetch against a short timer. On Netlify Lambda, returning\n // immediately can freeze the function before the outbound TCP handshake\n // starts, leaving the request stuck. 
This gives it ~250ms to leave the\n // box at the cost of slightly higher response latency on async A2A sends.\n const dispatchPromise = fetch(url, {\n method: \"POST\",\n headers,\n body: JSON.stringify({ taskId }),\n }).catch((err) => {\n console.error(\"[a2a] Process-task dispatch fetch failed:\", err);\n });\n await Promise.race([\n dispatchPromise,\n new Promise<void>((resolve) => setTimeout(resolve, 250)),\n ]);\n}\n\n/**\n * Process a previously-enqueued A2A task. Called by the `_process-task`\n * route in `server.ts`, in a fresh function execution. Atomically claims the\n * task, reconstructs the caller's request context from the task's metadata,\n * runs the handler, and persists the outcome.\n *\n * Idempotent on duplicate dispatches: the atomic claim returns null if some\n * other invocation already picked the task up, in which case we no-op.\n */\nexport async function processA2ATaskFromQueue(\n taskId: string,\n config: A2AConfig,\n event?: any,\n): Promise<void> {\n const claimed = await claimA2ATaskForProcessing(taskId);\n if (!claimed) {\n // Already in flight, terminal, or missing. Nothing to do.\n return;\n }\n\n const message = claimed.history?.[0];\n if (!message) {\n await updateTask(taskId, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: \"Task is missing its inbound message\" }],\n },\n });\n return;\n }\n\n const meta = (claimed.metadata ?? {}) as Record<string, unknown>;\n const processorMeta = (meta.__a2a_processor ?? {}) as Record<string, unknown>;\n const verifiedEmail = processorMeta.verifiedEmail as string | undefined;\n const orgDomainHint = processorMeta.orgDomainHint as string | undefined;\n const contextId =\n (processorMeta.contextId as string | null | undefined) ?? undefined;\n const callerMetadata =\n (processorMeta.callerMetadata as\n | Record<string, unknown>\n | null\n | undefined) ?? 
undefined;\n\n const resolvedOrgId = await resolveVerifiedA2AOrgId(\n verifiedEmail,\n orgDomainHint,\n );\n\n const { runWithRequestContext } =\n await import(\"../server/request-context.js\");\n try {\n await runWithRequestContext(\n { userEmail: verifiedEmail, orgId: resolvedOrgId },\n () =>\n runHandlerAndPersist(\n taskId,\n message,\n config,\n contextId,\n callerMetadata,\n event,\n ),\n );\n } catch (err: any) {\n try {\n await updateTask(taskId, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: err?.message ?? \"Handler crashed\" }],\n },\n });\n } catch {}\n }\n}\n\n/**\n * Default A2A handler that delegates to agentChat.call().\n * Used when no custom handler is provided in A2AConfig.\n */\nconst defaultHandler: A2AHandler = async (\n message: Message,\n context: A2AHandlerContext,\n): Promise<A2AHandlerResult> => {\n // Extract text from message parts\n const text = message.parts\n .filter((p): p is { type: \"text\"; text: string } => p.type === \"text\")\n .map((p) => p.text)\n .join(\"\\n\");\n\n if (!text) {\n return {\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: \"No text content in message\" }],\n },\n };\n }\n\n // A2A note: this message arrived from a different app — the caller cannot\n // see this app's local state (open deck, selected slide, etc.). They only\n // see whatever this agent puts into the reply text. So:\n // 1) include any concrete result (deck/document/dashboard URL, ID, value)\n // explicitly in the reply — the caller can't navigate locally.\n // 2) URLs must be fully-qualified — relative paths resolve against the\n // caller's host and 404.\n // We prepend a one-line hint to the user message so the agent knows.\n const baseUrl = process.env.APP_URL || process.env.URL || \"\";\n const appBaseUrl = baseUrl ? withConfiguredAppBasePath(baseUrl) : \"\";\n const augmentedText = baseUrl\n ? 
`[Cross-app A2A request — the caller is on a different host (${appBaseUrl} is yours, theirs is different). Include the concrete result (URL, ID, value) explicitly in your reply text; the caller can't see your local UI state. Any URL MUST be fully-qualified, never a relative path.]\\n\\n${text}`\n : text;\n\n const result = await agentChat.call(augmentedText);\n\n const artifacts: Artifact[] = [];\n if (result.filesChanged.length > 0) {\n artifacts.push({\n name: \"files-changed\",\n description: \"Files modified by the agent\",\n parts: [{ type: \"data\", data: { files: result.filesChanged } }],\n });\n }\n\n return {\n message: {\n role: \"agent\",\n parts: [\n { type: \"text\", text: result.response },\n ...(result.warnings?.length\n ? [\n {\n type: \"text\" as const,\n text: `\\n\\nWarnings:\\n${result.warnings.join(\"\\n\")}`,\n },\n ]\n : []),\n ],\n },\n artifacts: artifacts.length > 0 ? artifacts : undefined,\n };\n};\n\nfunction getHandler(config: A2AConfig): A2AHandler {\n return config.handler ?? defaultHandler;\n}\n\nfunction jsonRpcError(\n id: string | number | null,\n code: number,\n message: string,\n): JsonRpcResponse {\n return { jsonrpc: \"2.0\", id, error: { code, message } };\n}\n\nfunction jsonRpcResult(id: string | number, result: unknown): JsonRpcResponse {\n return { jsonrpc: \"2.0\", id, result };\n}\n\nfunction makeHandlerContext(\n taskId: string,\n contextId?: string,\n metadata?: Record<string, unknown>,\n event?: any,\n): {\n context: A2AHandlerContext;\n artifacts: Artifact[];\n} {\n const artifacts: Artifact[] = [];\n const context: A2AHandlerContext = {\n taskId,\n contextId,\n metadata,\n event,\n writeArtifact(name, content, mimeType) {\n const artifact: Artifact = {\n name,\n parts: mimeType\n ? 
[\n {\n type: \"file\",\n file: {\n name,\n mimeType,\n bytes: Buffer.from(content).toString(\"base64\"),\n },\n },\n ]\n : [{ type: \"text\", text: content }],\n };\n artifacts.push(artifact);\n return name;\n },\n };\n return { context, artifacts };\n}\n\n/**\n * Resolve org context from A2A metadata / event context and wrap `fn`\n * inside `runWithRequestContext` so downstream actions see the org.\n */\nasync function withA2ARequestContext<T>(\n metadata: Record<string, unknown> | undefined,\n event: any | undefined,\n fn: () => Promise<T>,\n): Promise<T> {\n const { runWithRequestContext } =\n await import(\"../server/request-context.js\");\n\n const verifiedEmail =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? undefined;\n // Only trust the org domain from the cryptographically verified JWT claim on\n // the event context. metadata.orgDomain is caller-supplied and must not be\n // used for org resolution — an unauthenticated caller could forge it and\n // gain access to another org's data.\n const orgDomain =\n (event?.context?.__a2aOrgDomain as string | undefined) ?? undefined;\n\n const resolvedOrgId = await resolveVerifiedA2AOrgId(verifiedEmail, orgDomain);\n\n return runWithRequestContext(\n { userEmail: verifiedEmail, orgId: resolvedOrgId },\n fn,\n ) as Promise<T>;\n}\n\nasync function resolveVerifiedA2AOrgId(\n verifiedEmail: string | undefined,\n verifiedOrgDomain: string | undefined,\n): Promise<string | undefined> {\n if (verifiedOrgDomain) {\n try {\n const { resolveOrgByDomain } = await import(\"../org/context.js\");\n const org = await resolveOrgByDomain(verifiedOrgDomain);\n if (org) return org.orgId;\n } catch {\n // Org tables may not exist — continue without org context\n }\n }\n\n if (verifiedEmail) {\n try {\n const { resolveOrgIdForEmail } = await import(\"../org/context.js\");\n return (await resolveOrgIdForEmail(verifiedEmail)) ?? 
undefined;\n } catch {\n // Org tables may not exist — continue without org context\n }\n }\n\n return undefined;\n}\n\n/**\n * Run the handler against the message and persist the outcome to the task store.\n * Used in sync mode (awaited inline) and in async mode (called by the\n * `_process-task` processor route in a fresh function execution).\n */\nasync function runHandlerAndPersist(\n taskId: string,\n message: Message,\n config: A2AConfig,\n contextId: string | undefined,\n metadata: Record<string, unknown> | undefined,\n event?: any,\n): Promise<void> {\n const { context, artifacts } = makeHandlerContext(\n taskId,\n contextId,\n metadata,\n event,\n );\n try {\n const result = getHandler(config)(message, context);\n\n if (\n result &&\n typeof result === \"object\" &&\n Symbol.asyncIterator in result\n ) {\n let lastMessage: Message | undefined;\n for await (const msg of result as AsyncGenerator<Message>) {\n lastMessage = msg;\n }\n await updateTask(taskId, {\n state: \"completed\",\n message: lastMessage,\n artifacts: artifacts.length > 0 ? artifacts : undefined,\n });\n return;\n }\n\n const handlerResult = await (result as Promise<A2AHandlerResult>);\n const allArtifacts = [...artifacts, ...(handlerResult.artifacts ?? [])];\n await updateTask(taskId, {\n state: \"completed\",\n message: handlerResult.message,\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n } catch (err: any) {\n await updateTask(taskId, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: err?.message ?? 
\"Handler failed\" }],\n },\n });\n }\n}\n\nasync function handleSend(\n params: Record<string, unknown>,\n config: A2AConfig,\n event?: any,\n): Promise<JsonRpcResponse & { _id: string | number }> {\n const message = params.message as Message;\n if (!message || !message.role || !Array.isArray(message.parts)) {\n return {\n ...jsonRpcError(\n 0,\n -32602,\n \"Invalid params: message with role and parts required\",\n ),\n _id: 0,\n };\n }\n\n const contextId = params.contextId as string | undefined;\n const metadata = params.metadata as Record<string, unknown> | undefined;\n\n // The JWT-verified caller email (set by mountA2A in server.ts) is the\n // single source of truth for task ownership — bound at creation, checked\n // on every subsequent tasks/get and tasks/cancel call. Caller-supplied\n // metadata.userEmail is NEVER used for ownership; that would re-introduce\n // the IDOR class fixed here.\n const ownerEmailForTask =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n\n // Async mode: return the task immediately in `working` state, run the\n // handler in the background, and let the caller poll `tasks/get`. This is\n // the workaround for synchronous serverless request timeouts when the handler\n // runs LLM + tool loops that can exceed a single HTTP invocation budget.\n // SECURITY: only honor the explicit top-level `params.async`. The\n // metadata.async fallback was caller-controlled and could force async\n // dispatch (which has weaker auth than the sync path) on otherwise sync\n // requests. 
Async is also refused entirely when no auth is configured in\n // production — see the additional gate below.\n const asyncMode =\n params.async === true || (event && event.context?.__a2aForceAsync === true);\n\n if (asyncMode) {\n // Refuse async mode entirely when no auth is configured in production.\n // The async dispatch path self-fires the `_process-task` route, which\n // accepts unsigned dispatches when A2A_SECRET is unset — that combined\n // with the lack of caller identity here would let any unauthenticated\n // attacker queue and trigger handler runs. In production, require some\n // form of auth so the verifiedEmail is bound to the task.\n const hasA2ASecret = !!process.env.A2A_SECRET;\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n if (process.env.NODE_ENV === \"production\" && !hasA2ASecret && !hasApiKey) {\n return {\n ...jsonRpcError(\n 0,\n -32001,\n \"A2A async mode is not available — A2A_SECRET or apiKeyEnv must be configured.\",\n ),\n _id: 0,\n };\n }\n // Resolve identity up front (cheap), bake it into the task's metadata,\n // and dispatch the actual handler run to a SEPARATE function execution.\n // On serverless hosts (Netlify, Vercel, Cloudflare) detached promises get\n // killed when the response is flushed, so we self-fire a webhook to a\n // dedicated processor route — same cross-platform pattern the integration\n // webhook queue uses. The processor reconstructs the request context from\n // the task metadata and runs the handler with its own full timeout.\n const verifiedEmail =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? undefined;\n // Only trust the verified org domain from the JWT claim — do not fall back\n // to metadata.orgDomain which is caller-supplied and unverified.\n const orgDomainHint =\n (event?.context?.__a2aOrgDomain as string | undefined) ?? undefined;\n\n const taskMetadata: Record<string, unknown> = {\n ...(metadata ?? 
{}),\n __a2a_processor: {\n verifiedEmail,\n orgDomainHint,\n contextId: contextId ?? null,\n callerMetadata: metadata ?? null,\n },\n };\n const task = await createTask(\n message,\n contextId,\n taskMetadata,\n ownerEmailForTask,\n );\n const working = await updateTask(task.id, { state: \"working\" });\n\n fireProcessTaskDispatch(event, task.id).catch((err) => {\n console.error(\"[a2a] Failed to dispatch process-task:\", err);\n });\n\n return { ...jsonRpcResult(0, working ?? task), _id: 0 };\n }\n\n return withA2ARequestContext(metadata, event, async () => {\n const task = await createTask(\n message,\n contextId,\n undefined,\n ownerEmailForTask,\n );\n await updateTask(task.id, { state: \"working\" });\n\n const ctx = makeHandlerContext(task.id, contextId, metadata, event);\n\n try {\n const result = getHandler(config)(message, ctx.context);\n\n if (\n result &&\n typeof result === \"object\" &&\n Symbol.asyncIterator in result\n ) {\n let lastMessage: Message | undefined;\n for await (const msg of result as AsyncGenerator<Message>) {\n lastMessage = msg;\n }\n const updated = await updateTask(task.id, {\n state: \"completed\",\n message: lastMessage,\n artifacts: ctx.artifacts.length > 0 ? ctx.artifacts : undefined,\n });\n return { ...jsonRpcResult(0, updated), _id: 0 };\n }\n\n const handlerResult = await (result as Promise<A2AHandlerResult>);\n const allArtifacts = [\n ...ctx.artifacts,\n ...(handlerResult.artifacts ?? []),\n ];\n const updated = await updateTask(task.id, {\n state: \"completed\",\n message: handlerResult.message,\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n return { ...jsonRpcResult(0, updated), _id: 0 };\n } catch (err: any) {\n await updateTask(task.id, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: err.message ?? \"Handler failed\" }],\n },\n });\n return {\n ...jsonRpcError(0, -32000, err.message ?? 
\"Handler failed\"),\n _id: 0,\n };\n }\n });\n}\n\nasync function handleStream(\n params: Record<string, unknown>,\n config: A2AConfig,\n res: { write: (chunk: string) => void; end: () => void },\n event?: any,\n): Promise<void> {\n const message = params.message as Message;\n if (!message || !message.role || !Array.isArray(message.parts)) {\n res.write(\n `data: ${JSON.stringify(jsonRpcError(0, -32602, \"Invalid params\"))}\\n\\n`,\n );\n res.end();\n return;\n }\n\n const contextId = params.contextId as string | undefined;\n const metadata = params.metadata as Record<string, unknown> | undefined;\n const ownerEmailForTask =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n\n await withA2ARequestContext(metadata, event, async () => {\n const task = await createTask(\n message,\n contextId,\n undefined,\n ownerEmailForTask,\n );\n\n await updateTask(task.id, { state: \"working\" });\n\n const { context, artifacts } = makeHandlerContext(\n task.id,\n contextId,\n metadata,\n event,\n );\n\n try {\n const result = getHandler(config)(message, context);\n\n if (\n result &&\n typeof result === \"object\" &&\n Symbol.asyncIterator in result\n ) {\n for await (const msg of result as AsyncGenerator<Message>) {\n const intermediate = await updateTask(task.id, {\n state: \"working\",\n message: msg,\n });\n res.write(\n `data: ${JSON.stringify(jsonRpcResult(0, intermediate))}\\n\\n`,\n );\n }\n } else {\n const handlerResult = await (result as Promise<A2AHandlerResult>);\n const allArtifacts = [...artifacts, ...(handlerResult.artifacts ?? [])];\n const updated = await updateTask(task.id, {\n state: \"completed\",\n message: handlerResult.message,\n artifacts: allArtifacts.length > 0 ? 
allArtifacts : undefined,\n });\n res.write(`data: ${JSON.stringify(jsonRpcResult(0, updated))}\\n\\n`);\n res.end();\n return;\n }\n\n const allArtifacts = [...artifacts];\n const final = await updateTask(task.id, {\n state: \"completed\",\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n res.write(`data: ${JSON.stringify(jsonRpcResult(0, final))}\\n\\n`);\n } catch (err: any) {\n await updateTask(task.id, { state: \"failed\" });\n res.write(\n `data: ${JSON.stringify(jsonRpcError(0, -32000, err.message ?? \"Handler failed\"))}\\n\\n`,\n );\n }\n\n res.end();\n });\n}\n\n/**\n * Caller-supplied metadata keys that may contain sensitive bearer / OAuth\n * material. Always stripped from `tasks/get` responses so a leaked task id\n * never discloses an OAuth token even when the original sender carelessly\n * stuffed one into `metadata` (see `production-agent.ts:1144-1156` for the\n * historical googleToken propagation pattern).\n */\nconst SENSITIVE_METADATA_KEYS = new Set([\n \"googleToken\",\n \"userEmail\",\n \"orgDomain\",\n \"accessToken\",\n \"refreshToken\",\n \"apiKey\",\n \"Authorization\",\n \"authorization\",\n \"bearer\",\n]);\n\nfunction sanitizeTaskForResponse(task: any): any {\n if (!task || typeof task !== \"object\") return task;\n if (!task.metadata || typeof task.metadata !== \"object\") return task;\n\n const meta = task.metadata as Record<string, unknown>;\n const publicMeta: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(meta)) {\n if (k === \"__a2a_processor\") continue;\n if (SENSITIVE_METADATA_KEYS.has(k)) continue;\n publicMeta[k] = v;\n }\n return { ...task, metadata: publicMeta };\n}\n\n/**\n * Reject access when the task has a recorded owner that doesn't match the\n * verified caller. 
Returns a 404-shaped JSON-RPC error to avoid disclosing\n * task existence to the wrong caller (enumeration via UUID lookup).\n *\n * - When the task has no recorded owner (legacy row from before the\n * owner_email migration) we allow access if some verifiable bearer token\n * was presented; otherwise we still reject so an unsigned caller can never\n * read or cancel arbitrary task ids.\n * - When neither A2A_SECRET nor apiKeyEnv is configured AND we're in\n * production, we refuse `tasks/get` and `tasks/cancel` outright — there's\n * no way to authenticate the caller, so the only safe response is \"not\n * found\".\n */\nfunction authorizeTaskAccess(\n taskOwnerEmail: string | null,\n event: any,\n config: A2AConfig,\n): JsonRpcResponse | null {\n const verifiedEmail =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n const hasA2ASecret = !!process.env.A2A_SECRET;\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n const inProduction = process.env.NODE_ENV === \"production\";\n\n if (inProduction && !hasA2ASecret && !hasApiKey) {\n // No way to authenticate the caller in production — refuse access.\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n\n if (taskOwnerEmail) {\n if (!verifiedEmail) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n if (verifiedEmail.toLowerCase() !== taskOwnerEmail.toLowerCase()) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n }\n // Legacy row (no owner_email recorded). 
The route-level auth gate is the\n // only thing protecting it — fall through and serve.\n return null;\n}\n\nasync function handleGet(\n params: Record<string, unknown>,\n event: any,\n config: A2AConfig,\n): Promise<JsonRpcResponse> {\n const id = params.id as string;\n if (!id) {\n return jsonRpcError(0, -32602, \"Invalid params: id required\");\n }\n const ownerEmail = await getTaskOwner(id);\n const denied = authorizeTaskAccess(ownerEmail, event, config);\n if (denied) return denied;\n\n const task = await getTask(id);\n if (!task) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n await refireStuckAsyncTaskIfNeeded(id, event).catch((err) => {\n console.error(\"[a2a] Failed to refire stuck async task:\", err);\n });\n return jsonRpcResult(0, sanitizeTaskForResponse(task));\n}\n\nasync function refireStuckAsyncTaskIfNeeded(\n taskId: string,\n event: any,\n): Promise<void> {\n const state = await getA2ATaskDispatchState(taskId);\n if (!state) return;\n if (!state.metadata?.__a2a_processor) return;\n\n const now = Date.now();\n if (\n (state.statusState === \"submitted\" || state.statusState === \"working\") &&\n state.updatedAt <= now - A2A_QUEUED_DISPATCH_STUCK_AFTER_MS\n ) {\n if (await touchQueuedA2ATaskDispatch(taskId)) {\n await fireProcessTaskDispatch(event, taskId);\n }\n return;\n }\n\n if (\n state.statusState === \"processing\" &&\n state.updatedAt <= now - A2A_PROCESSING_STUCK_AFTER_MS\n ) {\n const reset = await resetStuckA2ATaskForRetry(\n taskId,\n now - A2A_PROCESSING_STUCK_AFTER_MS,\n );\n if (reset) await fireProcessTaskDispatch(event, taskId);\n }\n}\n\nasync function handleCancel(\n params: Record<string, unknown>,\n event: any,\n config: A2AConfig,\n): Promise<JsonRpcResponse> {\n const id = params.id as string;\n if (!id) {\n return jsonRpcError(0, -32602, \"Invalid params: id required\");\n }\n const ownerEmail = await getTaskOwner(id);\n const denied = authorizeTaskAccess(ownerEmail, event, config);\n if (denied) return 
denied;\n\n const task = await updateTask(id, { state: \"canceled\" });\n if (!task) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n return jsonRpcResult(0, sanitizeTaskForResponse(task));\n}\n\n/**\n * H3-compatible JSON-RPC handler. Returns JSON directly (H3 serializes it).\n * Streaming is handled via H3's node response when needed.\n */\nexport async function handleJsonRpcH3(\n body: any,\n event: any,\n config: A2AConfig,\n): Promise<JsonRpcResponse> {\n if (!body || body.jsonrpc !== \"2.0\" || !body.method) {\n setResponseStatus(event, 400);\n return jsonRpcError(body?.id ?? null, -32600, \"Invalid JSON-RPC request\");\n }\n\n const params = (body.params as Record<string, unknown>) ?? {};\n const id = body.id;\n\n switch (body.method) {\n case \"message/send\": {\n const result = await handleSend(params, config, event);\n const { _id, ...response } = result;\n return { ...response, id } as JsonRpcResponse;\n }\n case \"message/stream\": {\n if (!config.streaming) {\n return jsonRpcError(id, -32601, \"Streaming not supported\");\n }\n // Use the raw node response for SSE streaming\n const res = event.node?.res;\n if (!res) {\n return jsonRpcError(id, -32000, \"Streaming not available\");\n }\n setResponseHeader(event, \"Content-Type\", \"text/event-stream\");\n setResponseHeader(event, \"Cache-Control\", \"no-cache\");\n setResponseHeader(event, \"Connection\", \"keep-alive\");\n await handleStream(params, config, res, event);\n return undefined as any; // Response already sent via SSE\n }\n case \"tasks/get\": {\n const result = await handleGet(params, event, config);\n return { ...result, id } as JsonRpcResponse;\n }\n case \"tasks/cancel\": {\n const result = await handleCancel(params, event, config);\n return { ...result, id } as JsonRpcResponse;\n }\n default:\n return jsonRpcError(id, -32601, `Method not found: ${body.method}`);\n }\n}\n"]}
1
+ {"version":3,"file":"handlers.js","sourceRoot":"","sources":["../../src/a2a/handlers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AAW1D,OAAO,EACL,UAAU,EACV,OAAO,EACP,YAAY,EACZ,UAAU,EACV,yBAAyB,EACzB,uBAAuB,EACvB,yBAAyB,EACzB,0BAA0B,GAC3B,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AACvE,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAE1B,qEAAqE;AACrE,0EAA0E;AAC1E,iEAAiE;AACjE,MAAM,qBAAqB,GAAG,kCAAkC,CAAC;AACjE,MAAM,kCAAkC,GAAG,MAAM,CAAC;AAClD,MAAM,6BAA6B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEpD;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,KAAsB;IAChD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,yBAAyB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAE/D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,KAAK,EAAE,OAAO,CAAC;QAC5D,MAAM,GAAG,GAAG,CAAC,IAAY,EAAsB,EAAE;YAC/C,IAAI,CAAC,OAAO;gBAAE,OAAO,SAAS,CAAC;YAC/B,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;gBACtC,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC;YACxC,CAAC;YACD,MAAM,GAAG,GAAG,OAA6C,CAAC;YAC1D,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QACtD,CAAC,CAAC;QACF,MAAM,KAAK,GAAG,GAAG,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC;QACjD,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,aAAa,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;QACpE,OAAO,yBAAyB,CAAC,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,yBAAyB,CAC9B,oBAAoB,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAC/C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,uBAAuB,CACpC,KAAU,EACV,MAAc;IAEd,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,qBAAqB,EAAE,CAAC;IACjD,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IACF,IAAI,CAAC;QACH,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,u
EAAuE;QACvE,qEAAqE;QACrE,iBAAiB;IACnB,CAAC;IACD,qEAAqE;IACrE,wEAAwE;IACxE,uEAAuE;IACvE,0EAA0E;IAC1E,MAAM,eAAe,GAAG,KAAK,CAAC,GAAG,EAAE;QACjC,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;KACjC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACf,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,IAAI,CAAC;QACjB,eAAe;QACf,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;KACzD,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,MAAc,EACd,MAAiB,EACjB,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACxD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,0DAA0D;QAC1D,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,qCAAqC,EAAE,CAAC;aACvE;SACF,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAA4B,CAAC;IACjE,MAAM,aAAa,GAAG,CAAC,IAAI,CAAC,eAAe,IAAI,EAAE,CAA4B,CAAC;IAC9E,MAAM,aAAa,GAAG,aAAa,CAAC,aAAmC,CAAC;IACxE,MAAM,aAAa,GAAG,aAAa,CAAC,aAAmC,CAAC;IACxE,MAAM,SAAS,GACZ,aAAa,CAAC,SAAuC,IAAI,SAAS,CAAC;IACtE,MAAM,cAAc,GACjB,aAAa,CAAC,cAGD,IAAI,SAAS,CAAC;IAE9B,MAAM,aAAa,GAAG,MAAM,uBAAuB,CACjD,aAAa,EACb,aAAa,CACd,CAAC;IAEF,MAAM,EAAE,qBAAqB,EAAE,GAC7B,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,qBAAqB,CACzB,EAAE,SAAS,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,EAClD,GAAG,EAAE,CACH,oBAAoB,CAClB,MAAM,EACN,OAAO,EACP,MAAM,EACN,SAAS,EACT,cAAc,EACd,KAAK,CACN,CACJ,CAAC;IACJ,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,MAAM,EAAE;gBACvB,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,iBAAiB,EAAE,CAAC;iBACnE;aACF,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,cAAc,GAAe,KAAK,EACtC,OAAgB,EAChB,OAA0B,EACC,EAAE;IAC7B,kCAAkC;I
AClC,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK;SACvB,MAAM,CAAC,CAAC,CAAC,EAAuC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;SACrE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;SAClB,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,4BAA4B,EAAE,CAAC;aAC9D;SACF,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,0EAA0E;IAC1E,wDAAwD;IACxD,4EAA4E;IAC5E,oEAAoE;IACpE,yEAAyE;IACzE,8BAA8B;IAC9B,qEAAqE;IACrE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;IAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACrE,MAAM,aAAa,GAAG,OAAO;QAC3B,CAAC,CAAC,+DAA+D,UAAU,sNAAsN,IAAI,EAAE;QACvS,CAAC,CAAC,IAAI,CAAC;IAET,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAEnD,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,SAAS,CAAC,IAAI,CAAC;YACb,IAAI,EAAE,eAAe;YACrB,WAAW,EAAE,6BAA6B;YAC1C,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,YAAY,EAAE,EAAE,CAAC;SAChE,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,OAAO,EAAE;YACP,IAAI,EAAE,OAAO;YACb,KAAK,EAAE;gBACL,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;gBACvC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM;oBACzB,CAAC,CAAC;wBACE;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,kBAAkB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;yBACrD;qBACF;oBACH,CAAC,CAAC,EAAE,CAAC;aACR;SACF;QACD,SAAS,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;KACxD,CAAC;AACJ,CAAC,CAAC;AAEF,SAAS,UAAU,CAAC,MAAiB;IACnC,OAAO,MAAM,CAAC,OAAO,IAAI,cAAc,CAAC;AAC1C,CAAC;AAED,SAAS,YAAY,CACnB,EAA0B,EAC1B,IAAY,EACZ,OAAe;IAEf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC;AAC1D,CAAC;AAED,SAAS,aAAa,CAAC,EAAmB,EAAE,MAAe;IACzD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,kBAAkB,CACzB,MAAc,EACd,SAAkB,EAClB,QAAkC,EAClC,KAAW;IAKX,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,MAAM,OAAO,GAAsB;QACjC,MAAM;QACN,SAAS;QAC
T,QAAQ;QACR,KAAK;QACL,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ;YACnC,MAAM,QAAQ,GAAa;gBACzB,IAAI;gBACJ,KAAK,EAAE,QAAQ;oBACb,CAAC,CAAC;wBACE;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE;gCACJ,IAAI;gCACJ,QAAQ;gCACR,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;6BAC/C;yBACF;qBACF;oBACH,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;aACtC,CAAC;YACF,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;IACF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,qBAAqB,CAClC,QAA6C,EAC7C,KAAsB,EACtB,EAAoB;IAEpB,MAAM,EAAE,qBAAqB,EAAE,GAC7B,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,SAAS,CAAC;IAC1E,6EAA6E;IAC7E,2EAA2E;IAC3E,yEAAyE;IACzE,qCAAqC;IACrC,MAAM,SAAS,GACZ,KAAK,EAAE,OAAO,EAAE,cAAqC,IAAI,SAAS,CAAC;IAEtE,MAAM,aAAa,GAAG,MAAM,uBAAuB,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IAE9E,OAAO,qBAAqB,CAC1B,EAAE,SAAS,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,EAClD,EAAE,CACW,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,aAAiC,EACjC,iBAAqC;IAErC,IAAI,iBAAiB,EAAE,CAAC;QACtB,IAAI,CAAC;YACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACjE,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,iBAAiB,CAAC,CAAC;YACxD,IAAI,GAAG;gBAAE,OAAO,GAAG,CAAC,KAAK,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,OAAO,CAAC,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC,IAAI,SAAS,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,oBAAoB,CACjC,MAAc,EACd,OAAgB,EAChB,MAAiB,EACjB,SAA6B,EAC7B,QAA6C,EAC7C,KAAW;IAEX,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAC/C,MAAM,EACN,SAAS,EACT,QAAQ,EACR,KAAK,CACN,CAAC;IACF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAEpD,IACE,MAAM;YACN,OAAO,MAAM,KAAK,QAAQ;YAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;YACD,IAAI,WAAgC,CAAC;YACrC,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;gBAC1D,WA
AW,GAAG,GAAG,CAAC;YACpB,CAAC;YACD,MAAM,UAAU,CAAC,MAAM,EAAE;gBACvB,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,WAAW;gBACpB,SAAS,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;aACxD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;QAClE,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;QACxE,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,aAAa,CAAC,OAAO;YAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;SAC9D,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,UAAU,CAAC,MAAM,EAAE;YACvB,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,IAAI,gBAAgB,EAAE,CAAC;aAClE;SACF,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,MAA+B,EAC/B,MAAiB,EACjB,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAkB,CAAC;IAC1C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,OAAO;YACL,GAAG,YAAY,CACb,CAAC,EACD,CAAC,KAAK,EACN,sDAAsD,CACvD;YACD,GAAG,EAAE,CAAC;SACP,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAA+B,CAAC;IACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA+C,CAAC;IAExE,sEAAsE;IACtE,yEAAyE;IACzE,uEAAuE;IACvE,0EAA0E;IAC1E,6BAA6B;IAC7B,MAAM,iBAAiB,GACpB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IAErE,sEAAsE;IACtE,0EAA0E;IAC1E,8EAA8E;IAC9E,yEAAyE;IACzE,kEAAkE;IAClE,sEAAsE;IACtE,wEAAwE;IACxE,yEAAyE;IACzE,8CAA8C;IAC9C,MAAM,SAAS,GACb,MAAM,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,EAAE,eAAe,KAAK,IAAI,CAAC,CAAC;IAE9E,IAAI,SAAS,EAAE,CAAC;QACd,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,0DAA0D;QAC1D,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QACxE,IAAI,sBAAsB,EAAE,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;YAC5D,OAAO;gBACL,GAAG,YAAY,CACb,CAAC,EACD,CAAC,KAAK,EACN,+EAA+E,CAChF;gBACD,GAAG,EAAE,CAAC;aACP,CAAC;QACJ,CAAC;QACD,uEAAuE;QACvE,wEAAwE;QACxE,0EAA0E;QAC
1E,sEAAsE;QACtE,0EAA0E;QAC1E,0EAA0E;QAC1E,oEAAoE;QACpE,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,SAAS,CAAC;QAC1E,2EAA2E;QAC3E,iEAAiE;QACjE,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,cAAqC,IAAI,SAAS,CAAC;QAEtE,MAAM,YAAY,GAA4B;YAC5C,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;YACnB,eAAe,EAAE;gBACf,aAAa;gBACb,aAAa;gBACb,SAAS,EAAE,SAAS,IAAI,IAAI;gBAC5B,cAAc,EAAE,QAAQ,IAAI,IAAI;aACjC;SACF,CAAC;QACF,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,YAAY,EACZ,iBAAiB,CAClB,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhE,uBAAuB,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpD,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,GAAG,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC1D,CAAC;IAED,OAAO,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,SAAS,EACT,iBAAiB,CAClB,CAAC;QACF,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAEpE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAExD,IACE,MAAM;gBACN,OAAO,MAAM,KAAK,QAAQ;gBAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;gBACD,IAAI,WAAgC,CAAC;gBACrC,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;oBAC1D,WAAW,GAAG,GAAG,CAAC;gBACpB,CAAC;gBACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;oBACxC,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,WAAW;oBACpB,SAAS,EAAE,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;iBAChE,CAAC,CAAC;gBACH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;YAClD,CAAC;YAED,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;YAClE,MAAM,YAAY,GAAG;gBACnB,GAAG,GAAG,CAAC,SAAS;gBAChB,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI,EAAE,CAAC;aACnC,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACxC,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,aAAa,CAAC,OAAO;gBAC9B,SAAS,EAAE,YAAY,CAAC,MA
AM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAC9D,CAAC,CAAC;YACH,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACxB,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,EAAE,CAAC;iBACjE;aACF,CAAC,CAAC;YACH,OAAO;gBACL,GAAG,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,CAAC;gBAC3D,GAAG,EAAE,CAAC;aACP,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,MAA+B,EAC/B,MAAiB,EACjB,GAAwD,EACxD,KAAW;IAEX,MAAM,OAAO,GAAG,MAAM,CAAC,OAAkB,CAAC;IAC1C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC,MAAM,CACzE,CAAC;QACF,GAAG,CAAC,GAAG,EAAE,CAAC;QACV,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAA+B,CAAC;IACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAA+C,CAAC;IACxE,MAAM,iBAAiB,GACpB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IAErE,MAAM,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,OAAO,EACP,SAAS,EACT,SAAS,EACT,iBAAiB,CAClB,CAAC;QAEF,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEhD,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAC/C,IAAI,CAAC,EAAE,EACP,SAAS,EACT,QAAQ,EACR,KAAK,CACN,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAEpD,IACE,MAAM;gBACN,OAAO,MAAM,KAAK,QAAQ;gBAC1B,MAAM,CAAC,aAAa,IAAI,MAAM,EAC9B,CAAC;gBACD,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAiC,EAAE,CAAC;oBAC1D,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;wBAC7C,KAAK,EAAE,SAAS;wBAChB,OAAO,EAAE,GAAG;qBACb,CAAC,CAAC;oBACH,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,MAAM,CAC9D,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,aAAa,GAAG,MAAO,MAAoC,CAAC;gBAClE,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,IAAI
,EAAE,CAAC,CAAC,CAAC;gBACxE,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;oBACxC,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,aAAa,CAAC,OAAO;oBAC9B,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;iBAC9D,CAAC,CAAC;gBACH,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;gBACpE,GAAG,CAAC,GAAG,EAAE,CAAC;gBACV,OAAO;YACT,CAAC;YAED,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE;gBACtC,KAAK,EAAE,WAAW;gBAClB,SAAS,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAC9D,CAAC,CAAC;YACH,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC;QACpE,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC/C,GAAG,CAAC,KAAK,CACP,SAAS,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,gBAAgB,CAAC,CAAC,MAAM,CACxF,CAAC;QACJ,CAAC;QAED,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,aAAa;IACb,WAAW;IACX,WAAW;IACX,aAAa;IACb,cAAc;IACd,QAAQ;IACR,eAAe;IACf,eAAe;IACf,QAAQ;CACT,CAAC,CAAC;AAEH,SAAS,uBAAuB,CAAC,IAAS;IACxC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnD,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAErE,MAAM,IAAI,GAAG,IAAI,CAAC,QAAmC,CAAC;IACtD,MAAM,UAAU,GAA4B,EAAE,CAAC;IAC/C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,IAAI,CAAC,KAAK,iBAAiB;YAAE,SAAS;QACtC,IAAI,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,SAAS;QAC7C,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,mBAAmB,CAC1B,cAA6B,EAC7B,KAAU,EACV,MAAiB;IAEjB,MAAM,aAAa,GAChB,KAAK,EAAE,OAAO,EAAE,kBAAyC,IAAI,IAAI,CAAC;IACrE,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;IAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,C
AAC,CAAC,CAAC;IACxE,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;IAE9C,IAAI,YAAY,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;QAChD,mEAAmE;QACnE,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,aAAa,CAAC,WAAW,EAAE,KAAK,cAAc,CAAC,WAAW,EAAE,EAAE,CAAC;YACjE,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IACD,yEAAyE;IACzE,qDAAqD;IACrD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,SAAS,CACtB,MAA+B,EAC/B,KAAU,EACV,MAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,CAAC,EAAY,CAAC;IAC/B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC/B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,4BAA4B,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QAC1D,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,GAAG,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IACH,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,MAAc,EACd,KAAU;IAEV,MAAM,KAAK,GAAG,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACpD,IAAI,CAAC,KAAK;QAAE,OAAO;IACnB,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,eAAe;QAAE,OAAO;IAE7C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IACE,CAAC,KAAK,CAAC,WAAW,KAAK,WAAW,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC;QACtE,KAAK,CAAC,SAAS,IAAI,GAAG,GAAG,kCAAkC,EAC3D,CAAC;QACD,IAAI,MAAM,0BAA0B,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7C,MAAM,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO;IACT,CAAC;IAED,IACE,KAAK,CAAC,WAAW,KAAK,YAAY;QAClC,KAAK,CAAC,SAAS,IAAI,GAAG,GAAG,6BAA6B,EACtD,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,yBAAyB,CAC3C,MAAM,EACN,GAAG,GAAG,6BAA6B,CACpC,CAAC;QACF,IAAI,KAAK;YAAE,MAAM,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC1D,CAAC;AACH,CAAC;AAED,KAAK,U
AAU,YAAY,CACzB,MAA+B,EAC/B,KAAU,EACV,MAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,CAAC,EAAY,CAAC;IAC/B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;IACzD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,YAAY,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,aAAa,CAAC,CAAC,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAS,EACT,KAAU,EACV,MAAiB;IAEjB,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACpD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,YAAY,CAAC,IAAI,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,KAAK,EAAE,0BAA0B,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,MAAM,GAAI,IAAI,CAAC,MAAkC,IAAI,EAAE,CAAC;IAC9D,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;IAEnB,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;QACpB,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACvD,MAAM,EAAE,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,MAAM,CAAC;YACpC,OAAO,EAAE,GAAG,QAAQ,EAAE,EAAE,EAAqB,CAAC;QAChD,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBACtB,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,yBAAyB,CAAC,CAAC;YAC7D,CAAC;YACD,8CAA8C;YAC9C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC;YAC5B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,yBAAyB,CAAC,CAAC;YAC7D,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,cAAc,EAAE,mBAAmB,CAAC,CAAC;YAC9D,iBAAiB,CAAC,KAAK,EAAE,eAAe,EAAE,UAAU,CAAC,CAAC;YACtD,iBAAiB,CAAC,KAAK,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;YACrD,MAAM,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAC/C,OAAO,SAAgB,CAAC,CAAC,gCAAgC;QAC3D,CAAC;QACD,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACtD,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EAAqB,CAAC;QAC9C,CAAC;QACD,KAAK,cAA
c,CAAC,CAAC,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACzD,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EAAqB,CAAC;QAC9C,CAAC;QACD;YACE,OAAO,YAAY,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,qBAAqB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACxE,CAAC;AACH,CAAC","sourcesContent":["import { setResponseHeader, setResponseStatus } from \"h3\";\nimport type {\n A2AConfig,\n A2AHandler,\n A2AHandlerContext,\n A2AHandlerResult,\n JsonRpcRequest,\n JsonRpcResponse,\n Message,\n Artifact,\n} from \"./types.js\";\nimport {\n createTask,\n getTask,\n getTaskOwner,\n updateTask,\n claimA2ATaskForProcessing,\n getA2ATaskDispatchState,\n resetStuckA2ATaskForRetry,\n touchQueuedA2ATaskDispatch,\n} from \"./task-store.js\";\nimport { agentChat } from \"../shared/agent-chat.js\";\nimport { signInternalToken } from \"../integrations/internal-token.js\";\nimport { withConfiguredAppBasePath } from \"../server/app-base-path.js\";\nimport {\n hasConfiguredA2ASecret,\n isA2AProductionRuntime,\n} from \"./auth-policy.js\";\n\n// Inlined to avoid pulling the entire core-routes-plugin (and its h3\n// transitive deps) into the a2a/handlers test boundary. Must stay in sync\n// with FRAMEWORK_ROUTE_PREFIX in `server/core-routes-plugin.ts`.\nconst A2A_PROCESS_TASK_PATH = \"/_agent-native/a2a/_process-task\";\nconst A2A_QUEUED_DISPATCH_STUCK_AFTER_MS = 10_000;\nconst A2A_PROCESSING_STUCK_AFTER_MS = 5 * 60 * 1000;\n\n/**\n * Resolve the base URL we should fire the A2A processor request to. Mirrors\n * the integration-webhook resolveBaseUrl pattern — prefer explicit env vars\n * (most reliable on serverless), fall back to inbound request headers.\n */\nfunction resolveSelfBaseUrl(event: any | undefined): string {\n const fromEnv =\n process.env.APP_URL ||\n process.env.URL ||\n process.env.DEPLOY_URL ||\n process.env.BETTER_AUTH_URL;\n if (fromEnv) return withConfiguredAppBasePath(String(fromEnv));\n\n try {\n const headers = event?.node?.req?.headers ?? 
event?.headers;\n const get = (name: string): string | undefined => {\n if (!headers) return undefined;\n if (typeof headers.get === \"function\") {\n return headers.get(name) ?? undefined;\n }\n const map = headers as Record<string, string | undefined>;\n return map[name] ?? map[String(name).toLowerCase()];\n };\n const proto = get(\"x-forwarded-proto\") || \"http\";\n const host = get(\"host\") || `localhost:${process.env.PORT || 3000}`;\n return withConfiguredAppBasePath(`${proto}://${host}`);\n } catch {\n return withConfiguredAppBasePath(\n `http://localhost:${process.env.PORT || 3000}`,\n );\n }\n}\n\n/**\n * Fire-and-forget POST to the A2A processor route on the same deployment.\n * Used when an A2A send is requested in async mode — the processor runs the\n * handler in a fresh function execution so it gets its own full timeout.\n */\nasync function fireProcessTaskDispatch(\n event: any,\n taskId: string,\n): Promise<void> {\n const baseUrl = resolveSelfBaseUrl(event);\n const url = `${baseUrl}${A2A_PROCESS_TASK_PATH}`;\n const headers: Record<string, string> = {\n \"Content-Type\": \"application/json\",\n };\n try {\n headers[\"Authorization\"] = `Bearer ${signInternalToken(taskId)}`;\n } catch {\n // No A2A_SECRET configured — self-fire unsigned. The processor accepts\n // unsigned dispatches when no secret is set (mirrors the integration\n // webhook flow).\n }\n // Race the fetch against a short timer. On Netlify Lambda, returning\n // immediately can freeze the function before the outbound TCP handshake\n // starts, leaving the request stuck. 
This gives it ~250ms to leave the\n // box at the cost of slightly higher response latency on async A2A sends.\n const dispatchPromise = fetch(url, {\n method: \"POST\",\n headers,\n body: JSON.stringify({ taskId }),\n }).catch((err) => {\n console.error(\"[a2a] Process-task dispatch fetch failed:\", err);\n });\n await Promise.race([\n dispatchPromise,\n new Promise<void>((resolve) => setTimeout(resolve, 250)),\n ]);\n}\n\n/**\n * Process a previously-enqueued A2A task. Called by the `_process-task`\n * route in `server.ts`, in a fresh function execution. Atomically claims the\n * task, reconstructs the caller's request context from the task's metadata,\n * runs the handler, and persists the outcome.\n *\n * Idempotent on duplicate dispatches: the atomic claim returns null if some\n * other invocation already picked the task up, in which case we no-op.\n */\nexport async function processA2ATaskFromQueue(\n taskId: string,\n config: A2AConfig,\n event?: any,\n): Promise<void> {\n const claimed = await claimA2ATaskForProcessing(taskId);\n if (!claimed) {\n // Already in flight, terminal, or missing. Nothing to do.\n return;\n }\n\n const message = claimed.history?.[0];\n if (!message) {\n await updateTask(taskId, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: \"Task is missing its inbound message\" }],\n },\n });\n return;\n }\n\n const meta = (claimed.metadata ?? {}) as Record<string, unknown>;\n const processorMeta = (meta.__a2a_processor ?? {}) as Record<string, unknown>;\n const verifiedEmail = processorMeta.verifiedEmail as string | undefined;\n const orgDomainHint = processorMeta.orgDomainHint as string | undefined;\n const contextId =\n (processorMeta.contextId as string | null | undefined) ?? undefined;\n const callerMetadata =\n (processorMeta.callerMetadata as\n | Record<string, unknown>\n | null\n | undefined) ?? 
undefined;\n\n const resolvedOrgId = await resolveVerifiedA2AOrgId(\n verifiedEmail,\n orgDomainHint,\n );\n\n const { runWithRequestContext } =\n await import(\"../server/request-context.js\");\n try {\n await runWithRequestContext(\n { userEmail: verifiedEmail, orgId: resolvedOrgId },\n () =>\n runHandlerAndPersist(\n taskId,\n message,\n config,\n contextId,\n callerMetadata,\n event,\n ),\n );\n } catch (err: any) {\n try {\n await updateTask(taskId, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: err?.message ?? \"Handler crashed\" }],\n },\n });\n } catch {}\n }\n}\n\n/**\n * Default A2A handler that delegates to agentChat.call().\n * Used when no custom handler is provided in A2AConfig.\n */\nconst defaultHandler: A2AHandler = async (\n message: Message,\n context: A2AHandlerContext,\n): Promise<A2AHandlerResult> => {\n // Extract text from message parts\n const text = message.parts\n .filter((p): p is { type: \"text\"; text: string } => p.type === \"text\")\n .map((p) => p.text)\n .join(\"\\n\");\n\n if (!text) {\n return {\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: \"No text content in message\" }],\n },\n };\n }\n\n // A2A note: this message arrived from a different app — the caller cannot\n // see this app's local state (open deck, selected slide, etc.). They only\n // see whatever this agent puts into the reply text. So:\n // 1) include any concrete result (deck/document/dashboard URL, ID, value)\n // explicitly in the reply — the caller can't navigate locally.\n // 2) URLs must be fully-qualified — relative paths resolve against the\n // caller's host and 404.\n // We prepend a one-line hint to the user message so the agent knows.\n const baseUrl = process.env.APP_URL || process.env.URL || \"\";\n const appBaseUrl = baseUrl ? withConfiguredAppBasePath(baseUrl) : \"\";\n const augmentedText = baseUrl\n ? 
`[Cross-app A2A request — the caller is on a different host (${appBaseUrl} is yours, theirs is different). Include the concrete result (URL, ID, value) explicitly in your reply text; the caller can't see your local UI state. Any URL MUST be fully-qualified, never a relative path.]\\n\\n${text}`\n : text;\n\n const result = await agentChat.call(augmentedText);\n\n const artifacts: Artifact[] = [];\n if (result.filesChanged.length > 0) {\n artifacts.push({\n name: \"files-changed\",\n description: \"Files modified by the agent\",\n parts: [{ type: \"data\", data: { files: result.filesChanged } }],\n });\n }\n\n return {\n message: {\n role: \"agent\",\n parts: [\n { type: \"text\", text: result.response },\n ...(result.warnings?.length\n ? [\n {\n type: \"text\" as const,\n text: `\\n\\nWarnings:\\n${result.warnings.join(\"\\n\")}`,\n },\n ]\n : []),\n ],\n },\n artifacts: artifacts.length > 0 ? artifacts : undefined,\n };\n};\n\nfunction getHandler(config: A2AConfig): A2AHandler {\n return config.handler ?? defaultHandler;\n}\n\nfunction jsonRpcError(\n id: string | number | null,\n code: number,\n message: string,\n): JsonRpcResponse {\n return { jsonrpc: \"2.0\", id, error: { code, message } };\n}\n\nfunction jsonRpcResult(id: string | number, result: unknown): JsonRpcResponse {\n return { jsonrpc: \"2.0\", id, result };\n}\n\nfunction makeHandlerContext(\n taskId: string,\n contextId?: string,\n metadata?: Record<string, unknown>,\n event?: any,\n): {\n context: A2AHandlerContext;\n artifacts: Artifact[];\n} {\n const artifacts: Artifact[] = [];\n const context: A2AHandlerContext = {\n taskId,\n contextId,\n metadata,\n event,\n writeArtifact(name, content, mimeType) {\n const artifact: Artifact = {\n name,\n parts: mimeType\n ? 
[\n {\n type: \"file\",\n file: {\n name,\n mimeType,\n bytes: Buffer.from(content).toString(\"base64\"),\n },\n },\n ]\n : [{ type: \"text\", text: content }],\n };\n artifacts.push(artifact);\n return name;\n },\n };\n return { context, artifacts };\n}\n\n/**\n * Resolve org context from A2A metadata / event context and wrap `fn`\n * inside `runWithRequestContext` so downstream actions see the org.\n */\nasync function withA2ARequestContext<T>(\n metadata: Record<string, unknown> | undefined,\n event: any | undefined,\n fn: () => Promise<T>,\n): Promise<T> {\n const { runWithRequestContext } =\n await import(\"../server/request-context.js\");\n\n const verifiedEmail =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? undefined;\n // Only trust the org domain from the cryptographically verified JWT claim on\n // the event context. metadata.orgDomain is caller-supplied and must not be\n // used for org resolution — an unauthenticated caller could forge it and\n // gain access to another org's data.\n const orgDomain =\n (event?.context?.__a2aOrgDomain as string | undefined) ?? undefined;\n\n const resolvedOrgId = await resolveVerifiedA2AOrgId(verifiedEmail, orgDomain);\n\n return runWithRequestContext(\n { userEmail: verifiedEmail, orgId: resolvedOrgId },\n fn,\n ) as Promise<T>;\n}\n\nasync function resolveVerifiedA2AOrgId(\n verifiedEmail: string | undefined,\n verifiedOrgDomain: string | undefined,\n): Promise<string | undefined> {\n if (verifiedOrgDomain) {\n try {\n const { resolveOrgByDomain } = await import(\"../org/context.js\");\n const org = await resolveOrgByDomain(verifiedOrgDomain);\n if (org) return org.orgId;\n } catch {\n // Org tables may not exist — continue without org context\n }\n }\n\n if (verifiedEmail) {\n try {\n const { resolveOrgIdForEmail } = await import(\"../org/context.js\");\n return (await resolveOrgIdForEmail(verifiedEmail)) ?? 
undefined;\n } catch {\n // Org tables may not exist — continue without org context\n }\n }\n\n return undefined;\n}\n\n/**\n * Run the handler against the message and persist the outcome to the task store.\n * Used in sync mode (awaited inline) and in async mode (called by the\n * `_process-task` processor route in a fresh function execution).\n */\nasync function runHandlerAndPersist(\n taskId: string,\n message: Message,\n config: A2AConfig,\n contextId: string | undefined,\n metadata: Record<string, unknown> | undefined,\n event?: any,\n): Promise<void> {\n const { context, artifacts } = makeHandlerContext(\n taskId,\n contextId,\n metadata,\n event,\n );\n try {\n const result = getHandler(config)(message, context);\n\n if (\n result &&\n typeof result === \"object\" &&\n Symbol.asyncIterator in result\n ) {\n let lastMessage: Message | undefined;\n for await (const msg of result as AsyncGenerator<Message>) {\n lastMessage = msg;\n }\n await updateTask(taskId, {\n state: \"completed\",\n message: lastMessage,\n artifacts: artifacts.length > 0 ? artifacts : undefined,\n });\n return;\n }\n\n const handlerResult = await (result as Promise<A2AHandlerResult>);\n const allArtifacts = [...artifacts, ...(handlerResult.artifacts ?? [])];\n await updateTask(taskId, {\n state: \"completed\",\n message: handlerResult.message,\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n } catch (err: any) {\n await updateTask(taskId, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: err?.message ?? 
\"Handler failed\" }],\n },\n });\n }\n}\n\nasync function handleSend(\n params: Record<string, unknown>,\n config: A2AConfig,\n event?: any,\n): Promise<JsonRpcResponse & { _id: string | number }> {\n const message = params.message as Message;\n if (!message || !message.role || !Array.isArray(message.parts)) {\n return {\n ...jsonRpcError(\n 0,\n -32602,\n \"Invalid params: message with role and parts required\",\n ),\n _id: 0,\n };\n }\n\n const contextId = params.contextId as string | undefined;\n const metadata = params.metadata as Record<string, unknown> | undefined;\n\n // The JWT-verified caller email (set by mountA2A in server.ts) is the\n // single source of truth for task ownership — bound at creation, checked\n // on every subsequent tasks/get and tasks/cancel call. Caller-supplied\n // metadata.userEmail is NEVER used for ownership; that would re-introduce\n // the IDOR class fixed here.\n const ownerEmailForTask =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n\n // Async mode: return the task immediately in `working` state, run the\n // handler in the background, and let the caller poll `tasks/get`. This is\n // the workaround for synchronous serverless request timeouts when the handler\n // runs LLM + tool loops that can exceed a single HTTP invocation budget.\n // SECURITY: only honor the explicit top-level `params.async`. The\n // metadata.async fallback was caller-controlled and could force async\n // dispatch (which has weaker auth than the sync path) on otherwise sync\n // requests. 
Async is also refused entirely when no auth is configured in\n // production — see the additional gate below.\n const asyncMode =\n params.async === true || (event && event.context?.__a2aForceAsync === true);\n\n if (asyncMode) {\n // Refuse async mode entirely when no auth is configured in production.\n // The async dispatch path self-fires the `_process-task` route, which\n // accepts unsigned dispatches when A2A_SECRET is unset — that combined\n // with the lack of caller identity here would let any unauthenticated\n // attacker queue and trigger handler runs. In production, require some\n // form of auth so the verifiedEmail is bound to the task.\n const hasA2ASecret = hasConfiguredA2ASecret();\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n if (isA2AProductionRuntime() && !hasA2ASecret && !hasApiKey) {\n return {\n ...jsonRpcError(\n 0,\n -32001,\n \"A2A async mode is not available — A2A_SECRET or apiKeyEnv must be configured.\",\n ),\n _id: 0,\n };\n }\n // Resolve identity up front (cheap), bake it into the task's metadata,\n // and dispatch the actual handler run to a SEPARATE function execution.\n // On serverless hosts (Netlify, Vercel, Cloudflare) detached promises get\n // killed when the response is flushed, so we self-fire a webhook to a\n // dedicated processor route — same cross-platform pattern the integration\n // webhook queue uses. The processor reconstructs the request context from\n // the task metadata and runs the handler with its own full timeout.\n const verifiedEmail =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? undefined;\n // Only trust the verified org domain from the JWT claim — do not fall back\n // to metadata.orgDomain which is caller-supplied and unverified.\n const orgDomainHint =\n (event?.context?.__a2aOrgDomain as string | undefined) ?? undefined;\n\n const taskMetadata: Record<string, unknown> = {\n ...(metadata ?? 
{}),\n __a2a_processor: {\n verifiedEmail,\n orgDomainHint,\n contextId: contextId ?? null,\n callerMetadata: metadata ?? null,\n },\n };\n const task = await createTask(\n message,\n contextId,\n taskMetadata,\n ownerEmailForTask,\n );\n const working = await updateTask(task.id, { state: \"working\" });\n\n fireProcessTaskDispatch(event, task.id).catch((err) => {\n console.error(\"[a2a] Failed to dispatch process-task:\", err);\n });\n\n return { ...jsonRpcResult(0, working ?? task), _id: 0 };\n }\n\n return withA2ARequestContext(metadata, event, async () => {\n const task = await createTask(\n message,\n contextId,\n undefined,\n ownerEmailForTask,\n );\n await updateTask(task.id, { state: \"working\" });\n\n const ctx = makeHandlerContext(task.id, contextId, metadata, event);\n\n try {\n const result = getHandler(config)(message, ctx.context);\n\n if (\n result &&\n typeof result === \"object\" &&\n Symbol.asyncIterator in result\n ) {\n let lastMessage: Message | undefined;\n for await (const msg of result as AsyncGenerator<Message>) {\n lastMessage = msg;\n }\n const updated = await updateTask(task.id, {\n state: \"completed\",\n message: lastMessage,\n artifacts: ctx.artifacts.length > 0 ? ctx.artifacts : undefined,\n });\n return { ...jsonRpcResult(0, updated), _id: 0 };\n }\n\n const handlerResult = await (result as Promise<A2AHandlerResult>);\n const allArtifacts = [\n ...ctx.artifacts,\n ...(handlerResult.artifacts ?? []),\n ];\n const updated = await updateTask(task.id, {\n state: \"completed\",\n message: handlerResult.message,\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n return { ...jsonRpcResult(0, updated), _id: 0 };\n } catch (err: any) {\n await updateTask(task.id, {\n state: \"failed\",\n message: {\n role: \"agent\",\n parts: [{ type: \"text\", text: err.message ?? \"Handler failed\" }],\n },\n });\n return {\n ...jsonRpcError(0, -32000, err.message ?? 
\"Handler failed\"),\n _id: 0,\n };\n }\n });\n}\n\nasync function handleStream(\n params: Record<string, unknown>,\n config: A2AConfig,\n res: { write: (chunk: string) => void; end: () => void },\n event?: any,\n): Promise<void> {\n const message = params.message as Message;\n if (!message || !message.role || !Array.isArray(message.parts)) {\n res.write(\n `data: ${JSON.stringify(jsonRpcError(0, -32602, \"Invalid params\"))}\\n\\n`,\n );\n res.end();\n return;\n }\n\n const contextId = params.contextId as string | undefined;\n const metadata = params.metadata as Record<string, unknown> | undefined;\n const ownerEmailForTask =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n\n await withA2ARequestContext(metadata, event, async () => {\n const task = await createTask(\n message,\n contextId,\n undefined,\n ownerEmailForTask,\n );\n\n await updateTask(task.id, { state: \"working\" });\n\n const { context, artifacts } = makeHandlerContext(\n task.id,\n contextId,\n metadata,\n event,\n );\n\n try {\n const result = getHandler(config)(message, context);\n\n if (\n result &&\n typeof result === \"object\" &&\n Symbol.asyncIterator in result\n ) {\n for await (const msg of result as AsyncGenerator<Message>) {\n const intermediate = await updateTask(task.id, {\n state: \"working\",\n message: msg,\n });\n res.write(\n `data: ${JSON.stringify(jsonRpcResult(0, intermediate))}\\n\\n`,\n );\n }\n } else {\n const handlerResult = await (result as Promise<A2AHandlerResult>);\n const allArtifacts = [...artifacts, ...(handlerResult.artifacts ?? [])];\n const updated = await updateTask(task.id, {\n state: \"completed\",\n message: handlerResult.message,\n artifacts: allArtifacts.length > 0 ? 
allArtifacts : undefined,\n });\n res.write(`data: ${JSON.stringify(jsonRpcResult(0, updated))}\\n\\n`);\n res.end();\n return;\n }\n\n const allArtifacts = [...artifacts];\n const final = await updateTask(task.id, {\n state: \"completed\",\n artifacts: allArtifacts.length > 0 ? allArtifacts : undefined,\n });\n res.write(`data: ${JSON.stringify(jsonRpcResult(0, final))}\\n\\n`);\n } catch (err: any) {\n await updateTask(task.id, { state: \"failed\" });\n res.write(\n `data: ${JSON.stringify(jsonRpcError(0, -32000, err.message ?? \"Handler failed\"))}\\n\\n`,\n );\n }\n\n res.end();\n });\n}\n\n/**\n * Caller-supplied metadata keys that may contain sensitive bearer / OAuth\n * material. Always stripped from `tasks/get` responses so a leaked task id\n * never discloses an OAuth token even when the original sender carelessly\n * stuffed one into `metadata` (see `production-agent.ts:1144-1156` for the\n * historical googleToken propagation pattern).\n */\nconst SENSITIVE_METADATA_KEYS = new Set([\n \"googleToken\",\n \"userEmail\",\n \"orgDomain\",\n \"accessToken\",\n \"refreshToken\",\n \"apiKey\",\n \"Authorization\",\n \"authorization\",\n \"bearer\",\n]);\n\nfunction sanitizeTaskForResponse(task: any): any {\n if (!task || typeof task !== \"object\") return task;\n if (!task.metadata || typeof task.metadata !== \"object\") return task;\n\n const meta = task.metadata as Record<string, unknown>;\n const publicMeta: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(meta)) {\n if (k === \"__a2a_processor\") continue;\n if (SENSITIVE_METADATA_KEYS.has(k)) continue;\n publicMeta[k] = v;\n }\n return { ...task, metadata: publicMeta };\n}\n\n/**\n * Reject access when the task has a recorded owner that doesn't match the\n * verified caller. 
Returns a 404-shaped JSON-RPC error to avoid disclosing\n * task existence to the wrong caller (enumeration via UUID lookup).\n *\n * - When the task has no recorded owner (legacy row from before the\n * owner_email migration) we allow access if some verifiable bearer token\n * was presented; otherwise we still reject so an unsigned caller can never\n * read or cancel arbitrary task ids.\n * - When neither A2A_SECRET nor apiKeyEnv is configured AND we're in\n * production, we refuse `tasks/get` and `tasks/cancel` outright — there's\n * no way to authenticate the caller, so the only safe response is \"not\n * found\".\n */\nfunction authorizeTaskAccess(\n taskOwnerEmail: string | null,\n event: any,\n config: A2AConfig,\n): JsonRpcResponse | null {\n const verifiedEmail =\n (event?.context?.__a2aVerifiedEmail as string | undefined) ?? null;\n const hasA2ASecret = hasConfiguredA2ASecret();\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n const inProduction = isA2AProductionRuntime();\n\n if (inProduction && !hasA2ASecret && !hasApiKey) {\n // No way to authenticate the caller in production — refuse access.\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n\n if (taskOwnerEmail) {\n if (!verifiedEmail) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n if (verifiedEmail.toLowerCase() !== taskOwnerEmail.toLowerCase()) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n }\n // Legacy row (no owner_email recorded). 
The route-level auth gate is the\n // only thing protecting it — fall through and serve.\n return null;\n}\n\nasync function handleGet(\n params: Record<string, unknown>,\n event: any,\n config: A2AConfig,\n): Promise<JsonRpcResponse> {\n const id = params.id as string;\n if (!id) {\n return jsonRpcError(0, -32602, \"Invalid params: id required\");\n }\n const ownerEmail = await getTaskOwner(id);\n const denied = authorizeTaskAccess(ownerEmail, event, config);\n if (denied) return denied;\n\n const task = await getTask(id);\n if (!task) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n await refireStuckAsyncTaskIfNeeded(id, event).catch((err) => {\n console.error(\"[a2a] Failed to refire stuck async task:\", err);\n });\n return jsonRpcResult(0, sanitizeTaskForResponse(task));\n}\n\nasync function refireStuckAsyncTaskIfNeeded(\n taskId: string,\n event: any,\n): Promise<void> {\n const state = await getA2ATaskDispatchState(taskId);\n if (!state) return;\n if (!state.metadata?.__a2a_processor) return;\n\n const now = Date.now();\n if (\n (state.statusState === \"submitted\" || state.statusState === \"working\") &&\n state.updatedAt <= now - A2A_QUEUED_DISPATCH_STUCK_AFTER_MS\n ) {\n if (await touchQueuedA2ATaskDispatch(taskId)) {\n await fireProcessTaskDispatch(event, taskId);\n }\n return;\n }\n\n if (\n state.statusState === \"processing\" &&\n state.updatedAt <= now - A2A_PROCESSING_STUCK_AFTER_MS\n ) {\n const reset = await resetStuckA2ATaskForRetry(\n taskId,\n now - A2A_PROCESSING_STUCK_AFTER_MS,\n );\n if (reset) await fireProcessTaskDispatch(event, taskId);\n }\n}\n\nasync function handleCancel(\n params: Record<string, unknown>,\n event: any,\n config: A2AConfig,\n): Promise<JsonRpcResponse> {\n const id = params.id as string;\n if (!id) {\n return jsonRpcError(0, -32602, \"Invalid params: id required\");\n }\n const ownerEmail = await getTaskOwner(id);\n const denied = authorizeTaskAccess(ownerEmail, event, config);\n if (denied) return 
denied;\n\n const task = await updateTask(id, { state: \"canceled\" });\n if (!task) {\n return jsonRpcError(0, -32001, \"Task not found\");\n }\n return jsonRpcResult(0, sanitizeTaskForResponse(task));\n}\n\n/**\n * H3-compatible JSON-RPC handler. Returns JSON directly (H3 serializes it).\n * Streaming is handled via H3's node response when needed.\n */\nexport async function handleJsonRpcH3(\n body: any,\n event: any,\n config: A2AConfig,\n): Promise<JsonRpcResponse> {\n if (!body || body.jsonrpc !== \"2.0\" || !body.method) {\n setResponseStatus(event, 400);\n return jsonRpcError(body?.id ?? null, -32600, \"Invalid JSON-RPC request\");\n }\n\n const params = (body.params as Record<string, unknown>) ?? {};\n const id = body.id;\n\n switch (body.method) {\n case \"message/send\": {\n const result = await handleSend(params, config, event);\n const { _id, ...response } = result;\n return { ...response, id } as JsonRpcResponse;\n }\n case \"message/stream\": {\n if (!config.streaming) {\n return jsonRpcError(id, -32601, \"Streaming not supported\");\n }\n // Use the raw node response for SSE streaming\n const res = event.node?.res;\n if (!res) {\n return jsonRpcError(id, -32000, \"Streaming not available\");\n }\n setResponseHeader(event, \"Content-Type\", \"text/event-stream\");\n setResponseHeader(event, \"Cache-Control\", \"no-cache\");\n setResponseHeader(event, \"Connection\", \"keep-alive\");\n await handleStream(params, config, res, event);\n return undefined as any; // Response already sent via SSE\n }\n case \"tasks/get\": {\n const result = await handleGet(params, event, config);\n return { ...result, id } as JsonRpcResponse;\n }\n case \"tasks/cancel\": {\n const result = await handleCancel(params, event, config);\n return { ...result, id } as JsonRpcResponse;\n }\n default:\n return jsonRpcError(id, -32601, `Method not found: ${body.method}`);\n }\n}\n"]}
@@ -1,4 +1,5 @@
1
1
  export { mountA2A } from "./server.js";
2
+ export { generateAgentCard } from "./agent-card.js";
2
3
  export { A2AClient, callAgent, signA2AToken } from "./client.js";
3
4
  export type { A2AConfig, A2AHandler, A2AHandlerContext, A2AHandlerResult, AgentCard, AgentSkill, AgentCapabilities, Task, TaskState, TaskStatus, Message, Part, TextPart, FilePart, DataPart, Artifact, JsonRpcRequest, JsonRpcResponse, } from "./types.js";
4
5
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/a2a/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGjE,YAAY,EACV,SAAS,EACT,UAAU,EACV,iBAAiB,EACjB,gBAAgB,EAChB,SAAS,EACT,UAAU,EACV,iBAAiB,EACjB,IAAI,EACJ,SAAS,EACT,UAAU,EACV,OAAO,EACP,IAAI,EACJ,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,cAAc,EACd,eAAe,GAChB,MAAM,YAAY,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/a2a/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAGpD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGjE,YAAY,EACV,SAAS,EACT,UAAU,EACV,iBAAiB,EACjB,gBAAgB,EAChB,SAAS,EACT,UAAU,EACV,iBAAiB,EACjB,IAAI,EACJ,SAAS,EACT,UAAU,EACV,OAAO,EACP,IAAI,EACJ,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,cAAc,EACd,eAAe,GAChB,MAAM,YAAY,CAAC"}
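--- a/package/dist/a2a/index.js
+++ b/package/dist/a2a/index.js
@@ -1,5 +1,6 @@
 // Server (H3/Nitro)
 export { mountA2A } from "./server.js";
+export { generateAgentCard } from "./agent-card.js";
 // Client
 export { A2AClient, callAgent, signA2AToken } from "./client.js";
 //# sourceMappingURL=index.js.map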
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/a2a/index.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,SAAS;AACT,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC","sourcesContent":["// Server (H3/Nitro)\nexport { mountA2A } from \"./server.js\";\n\n// Client\nexport { A2AClient, callAgent, signA2AToken } from \"./client.js\";\n\n// Types\nexport type {\n A2AConfig,\n A2AHandler,\n A2AHandlerContext,\n A2AHandlerResult,\n AgentCard,\n AgentSkill,\n AgentCapabilities,\n Task,\n TaskState,\n TaskStatus,\n Message,\n Part,\n TextPart,\n FilePart,\n DataPart,\n Artifact,\n JsonRpcRequest,\n JsonRpcResponse,\n} from \"./types.js\";\n"]}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/a2a/index.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEpD,SAAS;AACT,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC","sourcesContent":["// Server (H3/Nitro)\nexport { mountA2A } from \"./server.js\";\nexport { generateAgentCard } from \"./agent-card.js\";\n\n// Client\nexport { A2AClient, callAgent, signA2AToken } from \"./client.js\";\n\n// Types\nexport type {\n A2AConfig,\n A2AHandler,\n A2AHandlerContext,\n A2AHandlerResult,\n AgentCard,\n AgentSkill,\n AgentCapabilities,\n Task,\n TaskState,\n TaskStatus,\n Message,\n Part,\n TextPart,\n FilePart,\n DataPart,\n Artifact,\n JsonRpcRequest,\n JsonRpcResponse,\n} from \"./types.js\";\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AA0J5C;;;;;;;;;GASG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,GAAG,EACb,MAAM,EAAE,SAAS,EACjB,WAAW,SAAmB,GAC7B,IAAI,CAkNN"}
1
+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AA4J5C;;;;;;;;;GASG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,GAAG,EACb,MAAM,EAAE,SAAS,EACjB,WAAW,SAAmB,GAC7B,IAAI,CA8NN"}
@@ -5,6 +5,7 @@ import { generateAgentCard } from "./agent-card.js";
5
5
  import { handleJsonRpcH3, processA2ATaskFromQueue } from "./handlers.js";
6
6
  import { readBody } from "../server/h3-helpers.js";
7
7
  import { extractBearerToken, verifyInternalToken, } from "../integrations/internal-token.js";
8
+ import { hasConfiguredA2ASecret, isA2AProductionRuntime, } from "./auth-policy.js";
8
9
  /**
9
10
  * One-time warning when A2A is running unauthenticated in development. We
10
11
  * don't refuse the request (local templates need to work out of the box),
@@ -52,8 +53,7 @@ function expectedJwtAudience(event) {
52
53
  catch { }
53
54
  return undefined;
54
55
  }
55
- async function verifyA2AToken(authHeader, event) {
56
- const token = authHeader.replace("Bearer ", "");
56
+ async function verifyA2AToken(token, event) {
57
57
  // Step 1: Peek at JWT claims WITHOUT verification to get org_domain.
58
58
  // This is safe because we only use org_domain to look up the secret,
59
59
  // then verify the full JWT with that secret. If someone forges a JWT
@@ -202,7 +202,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
202
202
  // of logs / a share link could otherwise force-replay it). In
203
203
  // development, a missing secret is permitted so local templates work
204
204
  // out of the box, but we log a one-time warning so operators notice.
205
- if (process.env.A2A_SECRET) {
205
+ if (hasConfiguredA2ASecret()) {
206
206
  const auth = getRequestHeader(event, "authorization");
207
207
  const tok = extractBearerToken(auth);
208
208
  if (!verifyInternalToken(taskId, tok)) {
@@ -210,7 +210,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
210
210
  return { error: "Invalid or expired processor token" };
211
211
  }
212
212
  }
213
- else if (process.env.NODE_ENV === "production") {
213
+ else if (isA2AProductionRuntime()) {
214
214
  setResponseStatus(event, 503);
215
215
  return {
216
216
  error: "A2A processor not configured — set A2A_SECRET on this deployment to enable async A2A.",
@@ -244,6 +244,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
244
244
  if (sub.startsWith("_process-task"))
245
245
  return;
246
246
  const authHeader = getRequestHeader(event, "authorization");
247
+ const bearerToken = extractBearerToken(authHeader);
247
248
  let verifiedCallerEmail = null;
248
249
  let verifiedOrgDomain = null;
249
250
  let legacyApiKeyAuthenticated = false;
@@ -253,11 +254,11 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
253
254
  // in production — return 503 with a clear message instead of running
254
255
  // the agent loop unauthenticated. In development, log a one-time
255
256
  // warning but allow so local templates work out of the box.
256
- const hasA2ASecret = !!process.env.A2A_SECRET;
257
+ const hasA2ASecret = hasConfiguredA2ASecret();
257
258
  const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);
258
259
  // Try JWT verification first (org-level or global A2A_SECRET-based identity)
259
- if (authHeader?.startsWith("Bearer ")) {
260
- const tokenPayload = await verifyA2AToken(authHeader, event);
260
+ if (bearerToken) {
261
+ const tokenPayload = await verifyA2AToken(bearerToken, event);
261
262
  verifiedCallerEmail = tokenPayload.email;
262
263
  verifiedOrgDomain = tokenPayload.orgDomain;
263
264
  bearerTokenRejectedByJwt = !verifiedCallerEmail;
@@ -266,7 +267,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
266
267
  if (!verifiedCallerEmail && config.apiKeyEnv) {
267
268
  const expectedKey = process.env[config.apiKeyEnv];
268
269
  if (expectedKey) {
269
- if (!authHeader || !authHeader.startsWith("Bearer ")) {
270
+ if (!bearerToken) {
270
271
  setResponseStatus(event, 401);
271
272
  return {
272
273
  jsonrpc: "2.0",
@@ -274,8 +275,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
274
275
  error: { code: -32001, message: "Authentication required" },
275
276
  };
276
277
  }
277
- const token = authHeader.slice(7);
278
- if (token !== expectedKey) {
278
+ if (bearerToken !== expectedKey) {
279
279
  setResponseStatus(event, 401);
280
280
  return {
281
281
  jsonrpc: "2.0",
@@ -287,9 +287,11 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
287
287
  }
288
288
  }
289
289
  if (!verifiedCallerEmail && !legacyApiKeyAuthenticated) {
290
- // If a global secret exists and JWT verification failed, reject after
291
- // giving the legacy exact-match apiKeyEnv path a chance to succeed.
292
- if (bearerTokenRejectedByJwt && process.env.A2A_SECRET) {
290
+ // Any supplied bearer token that failed JWT verification is an auth
291
+ // failure after the legacy exact-match apiKeyEnv path has had a
292
+ // chance to succeed. Do not let bad tokens fall through to tasks/get
293
+ // and get reported as lookup misses.
294
+ if (bearerTokenRejectedByJwt) {
293
295
  setResponseStatus(event, 401);
294
296
  return {
295
297
  jsonrpc: "2.0",
@@ -301,7 +303,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
301
303
  };
302
304
  }
303
305
  if (!hasA2ASecret && !hasApiKey) {
304
- if (process.env.NODE_ENV === "production") {
306
+ if (isA2AProductionRuntime()) {
305
307
  setResponseStatus(event, 503);
306
308
  return {
307
309
  jsonrpc: "2.0",
@@ -314,6 +316,17 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
314
316
  }
315
317
  warnA2AUnauthOnce();
316
318
  }
319
+ else if (isA2AProductionRuntime()) {
320
+ setResponseStatus(event, 401);
321
+ return {
322
+ jsonrpc: "2.0",
323
+ id: null,
324
+ error: {
325
+ code: -32001,
326
+ message: "Authentication required",
327
+ },
328
+ };
329
+ }
317
330
  }
318
331
  // Store verified caller identity on the event context so the handler
319
332
  // can set request context from a trusted source instead of metadata
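Review bot: The new `else if (isA2AProductionRuntime())` branch near the end of the JSON-RPC handler rejects a request that carries no bearer token only in a production runtime, so a deployment that has A2A_SECRET configured but is not classified as production still falls through to the handler with no verified caller. `isA2AProductionRuntime` is defined in `auth-policy.js`, which is not part of this section, so how staging or preview deployments are classified cannot be confirmed from here. The development allowance described in the surrounding comments is for the case where nothing is configured, so I would make the branch unconditional, `else {` followed by the same 401 body, so that a configured secret is always enforced. Separately, the legacy key check `if (bearerToken !== expectedKey)` remains a plain string comparison; comparing fixed-length digests of both values with `crypto.timingSafeEqual` would remove the length- and prefix-dependent timing signal. mountA2A's body starts and ends outside these hunks.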
@@ -1 +1 @@
1
- {"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,wCAAwC,CAAC;AAClE,OAAO,EACL,kBAAkB,EAElB,iBAAiB,EACjB,SAAS,EACT,gBAAgB,GACjB,MAAM,IAAI,CAAC;AAEZ,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACzE,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAE3C;;;;;GAKG;AACH,IAAI,gBAAgB,GAAG,KAAK,CAAC;AAC7B,SAAS,iBAAiB;IACxB,IAAI,gBAAgB;QAAE,OAAO;IAC7B,gBAAgB,GAAG,IAAI,CAAC;IACxB,sCAAsC;IACtC,OAAO,CAAC,IAAI,CACV,mFAAmF;QACjF,4FAA4F,CAC/F,CAAC;AACJ,CAAC;AAWD,SAAS,kBAAkB,CACzB,UAAoB,EACpB,MAA0B;IAE1B,MAAM,OAAO,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO;IACrD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,KAAsB;IACjD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,uEAAuE;IACvE,uEAAuE;IACvE,oEAAoE;IACpE,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,IAAI,OAAO,CAAC;QACtE,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,IAAI;YAAE,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,UAAkB,EAClB,KAAsB;IAEtB,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAEhD,qEAAqE;IACrE,qEAAqE;IACrE,qEAAqE;IACrE,oEAAoE;IACpE,wBAAwB;IACxB,IAAI,aAAiC,CAAC;IACtC,IAAI,iBAA8C,CAAC;IACnD,IAAI,CAAC;QACH,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC1C,aAAa,GAAG,iBAAiB,CAAC,UAAgC,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;IAED,4EAA4E;IAC5E,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC7D,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAA
G,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC;YAC5D,kBAAkB,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IACD,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAE3E,iDAAiD;IACjD,EAAE;IACF,kEAAkE;IAClE,qEAAqE;IACrE,wBAAwB;IACxB,kEAAkE;IAClE,wEAAwE;IACxE,oEAAoE;IACpE,uEAAuE;IACvE,oEAAoE;IACpE,kEAAkE;IAClE,oEAAoE;IACpE,uEAAuE;IACvE,sEAAsE;IACtE,qCAAqC;IACrC,IAAI,CAAC;QACH,MAAM,aAAa,GAA0B,EAAE,CAAC;QAChD,IAAI,iBAAiB,IAAI,OAAO,iBAAiB,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;YACtE,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,GAAG;gBAAE,aAAa,CAAC,QAAQ,GAAG,GAAG,CAAC;QACxC,CAAC;QACD,IACE,iBAAiB;YACjB,OAAO,iBAAiB,CAAC,GAAG,KAAK,QAAQ;YACzC,iBAAiB,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAChC,CAAC;YACD,aAAa,CAAC,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC;QAC/C,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAChC,aAAa,CACd,CAAC;gBACF,OAAO;oBACL,KAAK,EAAG,OAAO,CAAC,GAAc,IAAI,IAAI;oBACtC,SAAS,EAAG,OAAO,CAAC,UAAqB,IAAI,IAAI;iBAClD,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,8DAA8D;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;IAC5E,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAa,EACb,MAAiB,EACjB,WAAW,GAAG,gBAAgB;IAE9B,iDAAiD;IACjD,EAAE;IACF,wEAAwE;IACxE,qEAAqE;IACrE,oEAAoE;IACpE,qEAAqE;IACrE,wEAAwE;IACxE,wDAAwD;IACxD,2CAA2C;IAC3C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,8BAA8B,EAC9B,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,QAAQ,GACZ,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC;YAC5C,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,WAAW,CAAC;QAC5D,MAAM,OAA
O,GAAG,GAAG,QAAQ,MAAM,IAAI,EAAE,CAAC;QAExC,oEAAoE;QACpE,qEAAqE;QACrE,kEAAkE;QAClE,sEAAsE;QACtE,mBAAmB;QACnB,MAAM,cAAc,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YAC5D,MAAM,EAAE,GACL,KAAwC,CAAC,EAAE;gBAC3C,KAA2B,CAAC,IAAI;gBACjC,EAAE,CAAC;YACL,IAAI,OAAO,EAAE,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACxC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,OAAO,iBAAiB,CAAC,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,EAAE,OAAO,CAAC,CAAC;IAC3E,CAAC,CAAC,CACH,CAAC;IAEF,0EAA0E;IAC1E,0EAA0E;IAC1E,2EAA2E;IAC3E,gEAAgE;IAChE,EAAE;IACF,yEAAyE;IACzE,oEAAoE;IACpE,2EAA2E;IAC3E,2EAA2E;IAC3E,kEAAkE;IAClE,8BAA8B;IAC9B,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,oBAAoB,EAClC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAgC,CAAC;QACpE,MAAM,MAAM,GAAG,IAAI,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QAED,mEAAmE;QACnE,qEAAqE;QACrE,qEAAqE;QACrE,8DAA8D;QAC9D,qEAAqE;QACrE,qEAAqE;QACrE,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACrC,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;gBACtC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;YACzD,CAAC;QACH,CAAC;aAAM,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;YACjD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,uFAAuF;aAC1F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,iBAAiB,EAAE,CAAC;QACtB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACrD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC
,4BAA4B,EAAE,GAAG,CAAC,CAAC;YACjD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,6CAA6C;IAC7C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,MAAM,EACpB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,iEAAiE;QACjE,qEAAqE;QACrE,iEAAiE;QACjE,mEAAmE;QACnE,oDAAoD;QACpD,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO;QAE5C,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;QAC5D,IAAI,mBAAmB,GAAkB,IAAI,CAAC;QAC9C,IAAI,iBAAiB,GAAkB,IAAI,CAAC;QAC5C,IAAI,yBAAyB,GAAG,KAAK,CAAC;QACtC,IAAI,wBAAwB,GAAG,KAAK,CAAC;QAErC,oEAAoE;QACpE,wEAAwE;QACxE,qEAAqE;QACrE,iEAAiE;QACjE,4DAA4D;QAC5D,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QAExE,6EAA6E;QAC7E,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACtC,MAAM,YAAY,GAAG,MAAM,cAAc,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;YAC7D,mBAAmB,GAAG,YAAY,CAAC,KAAK,CAAC;YACzC,iBAAiB,GAAG,YAAY,CAAC,SAAS,CAAC;YAC3C,wBAAwB,GAAG,CAAC,mBAAmB,CAAC;QAClD,CAAC;QAED,yDAAyD;QACzD,IAAI,CAAC,mBAAmB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YAC7C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,WAAW,EAAE,CAAC;gBAChB,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;oBACrD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,yBAAyB,EAAE;qBAC5D,CAAC;gBACJ,CAAC;gBACD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAClC,IAAI,KAAK,KAAK,WAAW,EAAE,CAAC;oBAC1B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAA
K,EAAE,OAAO,EAAE,iBAAiB,EAAE;qBACpD,CAAC;gBACJ,CAAC;gBACD,yBAAyB,GAAG,IAAI,CAAC;YACnC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,mBAAmB,IAAI,CAAC,yBAAyB,EAAE,CAAC;YACvD,sEAAsE;YACtE,oEAAoE;YACpE,IAAI,wBAAwB,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;gBACvD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,8BAA8B;qBACxC;iBACF,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChC,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;oBAC1C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE;4BACL,IAAI,EAAE,CAAC,KAAK;4BACZ,OAAO,EACL,qHAAqH;yBACxH;qBACF,CAAC;gBACJ,CAAC;gBACD,iBAAiB,EAAE,CAAC;YACtB,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,oEAAoE;QACpE,IAAI,mBAAmB,EAAE,CAAC;YACxB,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,mBAAmB,CAAC;QACzD,CAAC;QACD,IAAI,iBAAiB,EAAE,CAAC;YACtB,KAAK,CAAC,OAAO,CAAC,cAAc,GAAG,iBAAiB,CAAC;QACnD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,OAAO,eAAe,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CACH,CAAC;AACJ,CAAC","sourcesContent":["import * as jose from \"jose\";\nimport { getH3App } from \"../server/framework-request-handler.js\";\nimport {\n defineEventHandler,\n setResponseHeader,\n setResponseStatus,\n getMethod,\n getRequestHeader,\n} from \"h3\";\nimport type { A2AConfig } from \"./types.js\";\nimport { generateAgentCard } from \"./agent-card.js\";\nimport { handleJsonRpcH3, processA2ATaskFromQueue } from \"./handlers.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n extractBearerToken,\n verifyInternalToken,\n} from \"../integrations/internal-token.js\";\n\n/**\n * One-time warning when A2A is running unauthenticated in development. 
We\n * don't refuse the request (local templates need to work out of the box),\n * but we log a single noisy line so operators notice if they accidentally\n * deploy with no auth configured.\n */\nlet _warnedUnauthA2A = false;\nfunction warnA2AUnauthOnce(): void {\n if (_warnedUnauthA2A) return;\n _warnedUnauthA2A = true;\n // eslint-disable-next-line no-console\n console.warn(\n \"[a2a] No A2A_SECRET or apiKeyEnv configured — A2A endpoint runs unauthenticated. \" +\n \"This is allowed in development but blocked in production. Set A2A_SECRET before deploying.\",\n );\n}\n\n/**\n * Verify an inbound A2A JWT signed with the shared A2A_SECRET.\n * Returns the caller's email (from `sub` claim) if valid, null otherwise.\n */\ninterface A2ATokenPayload {\n email: string | null;\n orgDomain: string | null;\n}\n\nfunction addSecretCandidate(\n candidates: string[],\n secret: string | undefined,\n): void {\n const trimmed = secret?.trim();\n if (!trimmed || candidates.includes(trimmed)) return;\n candidates.push(trimmed);\n}\n\n/**\n * Resolve the audience (`aud`) value to expect in an inbound JWT. We use the\n * receiver's app URL — it's the natural identifier of \"who this token was\n * minted for\". Falls back to undefined when no app URL is configured, in\n * which case the audience check is skipped (backward-compat with tokens\n * minted before the audience claim shipped).\n */\nfunction expectedJwtAudience(event: any | undefined): string | undefined {\n const fromEnv =\n process.env.APP_URL ||\n process.env.URL ||\n process.env.DEPLOY_URL ||\n process.env.BETTER_AUTH_URL;\n if (fromEnv) return String(fromEnv);\n // Best-effort: derive from the inbound request host. 
This is forgeable\n // (Host-header attack), but only useful as a hint when env-derived URL\n // is unset; the rest of the JWT verification still uses the secret.\n try {\n const proto = getRequestHeader(event, \"x-forwarded-proto\") || \"https\";\n const host = getRequestHeader(event, \"host\");\n if (host) return `${proto}://${host}`;\n } catch {}\n return undefined;\n}\n\nasync function verifyA2AToken(\n authHeader: string,\n event: any | undefined,\n): Promise<A2ATokenPayload> {\n const token = authHeader.replace(\"Bearer \", \"\");\n\n // Step 1: Peek at JWT claims WITHOUT verification to get org_domain.\n // This is safe because we only use org_domain to look up the secret,\n // then verify the full JWT with that secret. If someone forges a JWT\n // with a fake org_domain, verification will fail because they don't\n // have the real secret.\n let orgDomainHint: string | undefined;\n let unverifiedPayload: jose.JWTPayload | undefined;\n try {\n unverifiedPayload = jose.decodeJwt(token);\n orgDomainHint = unverifiedPayload.org_domain as string | undefined;\n } catch {\n // Malformed token — fall through to global secret attempt\n }\n\n // Step 2: Build a small, ordered set of candidate secrets. Tokens minted by\n // current callers prefer the shared A2A_SECRET; older callers may still use\n // an org-level secret. 
Try both without logging or reflecting secret details.\n const candidateSecrets: string[] = [];\n addSecretCandidate(candidateSecrets, process.env.A2A_SECRET);\n if (orgDomainHint) {\n try {\n const { getA2ASecretByDomain } = await import(\"../org/context.js\");\n const orgSecret = await getA2ASecretByDomain(orgDomainHint);\n addSecretCandidate(candidateSecrets, orgSecret);\n } catch {\n // DB not ready or column doesn't exist yet — fall through\n }\n }\n if (candidateSecrets.length === 0) return { email: null, orgDomain: null };\n\n // Step 3: Verify JWT with the candidate secrets.\n //\n // - `audience`: passed only when the token carries an `aud` claim\n // (backward-compat: tokens minted by older `signA2AToken` versions\n // don't include one).\n // - `issuer`: enforced when the token carries an `iss` claim. The\n // sender's `signA2AToken` (`a2a/client.ts:42`) sets the issuer to its\n // own app URL, so a verified token must self-identify a non-empty\n // string issuer. We accept any string the token claims (we don't pin\n // a specific expected issuer because dispatchers may legitimately\n // mint tokens from many sender URLs — dev tunnels, multi-deploy\n // setups). The pin is \"issuer must match the value the token says\n // it was minted from\", which `jose.jwtVerify` validates exactly when\n // `issuer` is supplied as a string. 
Backward-compat: when the token\n // has no `iss`, we skip the check.\n try {\n const verifyOptions: jose.JWTVerifyOptions = {};\n if (unverifiedPayload && typeof unverifiedPayload.aud !== \"undefined\") {\n const aud = expectedJwtAudience(event);\n if (aud) verifyOptions.audience = aud;\n }\n if (\n unverifiedPayload &&\n typeof unverifiedPayload.iss === \"string\" &&\n unverifiedPayload.iss.length > 0\n ) {\n verifyOptions.issuer = unverifiedPayload.iss;\n }\n for (const secret of candidateSecrets) {\n try {\n const { payload } = await jose.jwtVerify(\n token,\n new TextEncoder().encode(secret),\n verifyOptions,\n );\n return {\n email: (payload.sub as string) ?? null,\n orgDomain: (payload.org_domain as string) ?? null,\n };\n } catch {\n // Try the next candidate without leaking which secret failed.\n }\n }\n } catch {\n // Keep malformed option construction indistinguishable from auth failure.\n }\n return { email: null, orgDomain: null };\n}\n\n/**\n * Mount A2A protocol endpoints on an H3/Nitro app.\n *\n * - GET /.well-known/agent-card.json — public agent card (no auth)\n * - POST /_agent-native/a2a — JSON-RPC endpoint (with optional auth)\n *\n * When A2A_SECRET is set, inbound Bearer tokens are verified as JWTs\n * and the caller's email is extracted from the `sub` claim. This provides\n * cryptographic identity verification for cross-app A2A calls.\n */\nexport function mountA2A(\n nitroApp: any,\n config: A2AConfig,\n routePrefix = \"/_agent-native\",\n): void {\n // Public agent card endpoint (no auth required).\n //\n // SECURITY: per-user / per-org MCP tools are filtered out of the public\n // skills list. Their merged-key prefix (`mcp__user_<emailhash>_…` or\n // `mcp__org_<orgid>_…`) discloses (a) which users have integrations\n // attached, and (b) what those integrations are — fingerprinting the\n // tenant. Template- and framework-defined skills stay; only the dynamic\n // per-tenant MCP entries are dropped. 
See finding #7 in\n // /tmp/security-audit/12-mcp-a2a-agent.md.\n getH3App(nitroApp).use(\n \"/.well-known/agent-card.json\",\n defineEventHandler((event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const protocol =\n getRequestHeader(event, \"x-forwarded-proto\") ||\n (event.url?.protocol?.replace(\":\", \"\") ?? \"http\");\n const host = getRequestHeader(event, \"host\") ?? \"localhost\";\n const baseUrl = `${protocol}://${host}`;\n\n // Filter out per-user/per-org MCP tools to avoid tenant disclosure.\n // Note: stdio MCP tools loaded from a file-based mcp.config.json are\n // process-wide and don't carry a per-user/per-org prefix, so they\n // remain visible. That's intentional — they're an operator-controlled\n // capability list.\n const filteredSkills = (config.skills ?? []).filter((skill) => {\n const id =\n (skill as { id?: string; name?: string }).id ??\n (skill as { name?: string }).name ??\n \"\";\n if (typeof id !== \"string\") return true;\n return !id.startsWith(\"mcp__user_\") && !id.startsWith(\"mcp__org_\");\n });\n\n return generateAgentCard({ ...config, skills: filteredSkills }, baseUrl);\n }),\n );\n\n // Async-mode processor route. MUST be mounted BEFORE the `/a2a` catch-all\n // below, since h3's `.use()` matches by prefix and `/a2a` would otherwise\n // swallow `/a2a/_process-task` and return a JSON-RPC \"Invalid token\" error\n // (the JSON-RPC handler doesn't know about taskId-only bodies).\n //\n // When `message/send` is called with `async: true`, the JSON-RPC handler\n // enqueues the task and self-fires a POST to this route on the same\n // deployment so the actual handler runs in a fresh function execution (its\n // own full timeout). 
Authenticated with an HMAC token bound to the task id\n // (5-minute lifetime, signed with A2A_SECRET — same scheme as the\n // integration webhook queue).\n getH3App(nitroApp).use(\n `${routePrefix}/a2a/_process-task`,\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = (await readBody(event)) as { taskId?: unknown } | null;\n const taskId = body && typeof body.taskId === \"string\" ? body.taskId : \"\";\n if (!taskId) {\n setResponseStatus(event, 400);\n return { error: \"taskId required\" };\n }\n\n // When A2A_SECRET is set, require a valid HMAC token bound to this\n // taskId. In production, we REQUIRE A2A_SECRET to be set so unsigned\n // dispatches are never accepted (an attacker who fishes a taskId out\n // of logs / a share link could otherwise force-replay it). In\n // development, a missing secret is permitted so local templates work\n // out of the box, but we log a one-time warning so operators notice.\n if (process.env.A2A_SECRET) {\n const auth = getRequestHeader(event, \"authorization\");\n const tok = extractBearerToken(auth);\n if (!verifyInternalToken(taskId, tok)) {\n setResponseStatus(event, 401);\n return { error: \"Invalid or expired processor token\" };\n }\n } else if (process.env.NODE_ENV === \"production\") {\n setResponseStatus(event, 503);\n return {\n error:\n \"A2A processor not configured — set A2A_SECRET on this deployment to enable async A2A.\",\n };\n } else {\n warnA2AUnauthOnce();\n }\n\n try {\n await processA2ATaskFromQueue(taskId, config, event);\n return { ok: true };\n } catch (err: any) {\n console.error(\"[a2a] process-task failed:\", err);\n setResponseStatus(event, 500);\n return { error: err?.message ?? 
\"process-task failed\" };\n }\n }),\n );\n\n // JSON-RPC A2A endpoint (with optional auth)\n getH3App(nitroApp).use(\n `${routePrefix}/a2a`,\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n // h3 prefix-matches mounts, so a request to `/a2a/_process-task`\n // reaches this handler too. The dedicated mount above runs first and\n // takes the request, but if that returns `undefined` (or h3 ever\n // changes ordering semantics) defensively bail here. event.path is\n // stripped to the remainder after the mount prefix.\n const sub = (event.path || \"/\").split(\"?\")[0].replace(/^\\//, \"\");\n if (sub.startsWith(\"_process-task\")) return;\n\n const authHeader = getRequestHeader(event, \"authorization\");\n let verifiedCallerEmail: string | null = null;\n let verifiedOrgDomain: string | null = null;\n let legacyApiKeyAuthenticated = false;\n let bearerTokenRejectedByJwt = false;\n\n // SECURITY: when neither A2A_SECRET nor an apiKeyEnv is configured,\n // there's no way to authenticate the caller. Default to \"auth required\"\n // in production — return 503 with a clear message instead of running\n // the agent loop unauthenticated. 
In development, log a one-time\n // warning but allow so local templates work out of the box.\n const hasA2ASecret = !!process.env.A2A_SECRET;\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n\n // Try JWT verification first (org-level or global A2A_SECRET-based identity)\n if (authHeader?.startsWith(\"Bearer \")) {\n const tokenPayload = await verifyA2AToken(authHeader, event);\n verifiedCallerEmail = tokenPayload.email;\n verifiedOrgDomain = tokenPayload.orgDomain;\n bearerTokenRejectedByJwt = !verifiedCallerEmail;\n }\n\n // Fall back to legacy API key check (exact string match)\n if (!verifiedCallerEmail && config.apiKeyEnv) {\n const expectedKey = process.env[config.apiKeyEnv];\n if (expectedKey) {\n if (!authHeader || !authHeader.startsWith(\"Bearer \")) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: { code: -32001, message: \"Authentication required\" },\n };\n }\n const token = authHeader.slice(7);\n if (token !== expectedKey) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: { code: -32001, message: \"Invalid API key\" },\n };\n }\n legacyApiKeyAuthenticated = true;\n }\n }\n\n if (!verifiedCallerEmail && !legacyApiKeyAuthenticated) {\n // If a global secret exists and JWT verification failed, reject after\n // giving the legacy exact-match apiKeyEnv path a chance to succeed.\n if (bearerTokenRejectedByJwt && process.env.A2A_SECRET) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message: \"Invalid or expired A2A token\",\n },\n };\n }\n\n if (!hasA2ASecret && !hasApiKey) {\n if (process.env.NODE_ENV === \"production\") {\n setResponseStatus(event, 503);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message:\n \"A2A authentication not configured. 
Set A2A_SECRET (preferred) or configure apiKeyEnv to accept inbound A2A traffic.\",\n },\n };\n }\n warnA2AUnauthOnce();\n }\n }\n\n // Store verified caller identity on the event context so the handler\n // can set request context from a trusted source instead of metadata\n if (verifiedCallerEmail) {\n event.context.__a2aVerifiedEmail = verifiedCallerEmail;\n }\n if (verifiedOrgDomain) {\n event.context.__a2aOrgDomain = verifiedOrgDomain;\n }\n\n const body = await readBody(event);\n return handleJsonRpcH3(body, event, config);\n }),\n );\n}\n"]}
1
+ {"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,wCAAwC,CAAC;AAClE,OAAO,EACL,kBAAkB,EAElB,iBAAiB,EACjB,SAAS,EACT,gBAAgB,GACjB,MAAM,IAAI,CAAC;AAEZ,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACzE,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAE1B;;;;;GAKG;AACH,IAAI,gBAAgB,GAAG,KAAK,CAAC;AAC7B,SAAS,iBAAiB;IACxB,IAAI,gBAAgB;QAAE,OAAO;IAC7B,gBAAgB,GAAG,IAAI,CAAC;IACxB,sCAAsC;IACtC,OAAO,CAAC,IAAI,CACV,mFAAmF;QACjF,4FAA4F,CAC/F,CAAC;AACJ,CAAC;AAWD,SAAS,kBAAkB,CACzB,UAAoB,EACpB,MAA0B;IAE1B,MAAM,OAAO,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO;IACrD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,KAAsB;IACjD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,uEAAuE;IACvE,uEAAuE;IACvE,oEAAoE;IACpE,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,IAAI,OAAO,CAAC;QACtE,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,IAAI;YAAE,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,KAAa,EACb,KAAsB;IAEtB,qEAAqE;IACrE,qEAAqE;IACrE,qEAAqE;IACrE,oEAAoE;IACpE,wBAAwB;IACxB,IAAI,aAAiC,CAAC;IACtC,IAAI,iBAA8C,CAAC;IACnD,IAAI,CAAC;QACH,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC1C,aAAa,GAAG,iBAAiB,CAAC,UAAgC,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;IAED,4EAA4E;IAC5E,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC7D,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MA
AM,CAAC,mBAAmB,CAAC,CAAC;YACnE,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC;YAC5D,kBAAkB,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IACD,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAE3E,iDAAiD;IACjD,EAAE;IACF,kEAAkE;IAClE,qEAAqE;IACrE,wBAAwB;IACxB,kEAAkE;IAClE,wEAAwE;IACxE,oEAAoE;IACpE,uEAAuE;IACvE,oEAAoE;IACpE,kEAAkE;IAClE,oEAAoE;IACpE,uEAAuE;IACvE,sEAAsE;IACtE,qCAAqC;IACrC,IAAI,CAAC;QACH,MAAM,aAAa,GAA0B,EAAE,CAAC;QAChD,IAAI,iBAAiB,IAAI,OAAO,iBAAiB,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;YACtE,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,GAAG;gBAAE,aAAa,CAAC,QAAQ,GAAG,GAAG,CAAC;QACxC,CAAC;QACD,IACE,iBAAiB;YACjB,OAAO,iBAAiB,CAAC,GAAG,KAAK,QAAQ;YACzC,iBAAiB,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAChC,CAAC;YACD,aAAa,CAAC,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC;QAC/C,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAChC,aAAa,CACd,CAAC;gBACF,OAAO;oBACL,KAAK,EAAG,OAAO,CAAC,GAAc,IAAI,IAAI;oBACtC,SAAS,EAAG,OAAO,CAAC,UAAqB,IAAI,IAAI;iBAClD,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,8DAA8D;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;IAC5E,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAa,EACb,MAAiB,EACjB,WAAW,GAAG,gBAAgB;IAE9B,iDAAiD;IACjD,EAAE;IACF,wEAAwE;IACxE,qEAAqE;IACrE,oEAAoE;IACpE,qEAAqE;IACrE,wEAAwE;IACxE,wDAAwD;IACxD,2CAA2C;IAC3C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,8BAA8B,EAC9B,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,QAAQ,GACZ,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC;YAC5C,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,WAAW,CAAC;QAC5D,MAAM,OAAO,GAAG,GA
AG,QAAQ,MAAM,IAAI,EAAE,CAAC;QAExC,oEAAoE;QACpE,qEAAqE;QACrE,kEAAkE;QAClE,sEAAsE;QACtE,mBAAmB;QACnB,MAAM,cAAc,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YAC5D,MAAM,EAAE,GACL,KAAwC,CAAC,EAAE;gBAC3C,KAA2B,CAAC,IAAI;gBACjC,EAAE,CAAC;YACL,IAAI,OAAO,EAAE,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACxC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,OAAO,iBAAiB,CAAC,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,EAAE,OAAO,CAAC,CAAC;IAC3E,CAAC,CAAC,CACH,CAAC;IAEF,0EAA0E;IAC1E,0EAA0E;IAC1E,2EAA2E;IAC3E,gEAAgE;IAChE,EAAE;IACF,yEAAyE;IACzE,oEAAoE;IACpE,2EAA2E;IAC3E,2EAA2E;IAC3E,kEAAkE;IAClE,8BAA8B;IAC9B,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,oBAAoB,EAClC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAgC,CAAC;QACpE,MAAM,MAAM,GAAG,IAAI,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QAED,mEAAmE;QACnE,qEAAqE;QACrE,qEAAqE;QACrE,8DAA8D;QAC9D,qEAAqE;QACrE,qEAAqE;QACrE,IAAI,sBAAsB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACrC,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;gBACtC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;YACzD,CAAC;QACH,CAAC;aAAM,IAAI,sBAAsB,EAAE,EAAE,CAAC;YACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,uFAAuF;aAC1F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,iBAAiB,EAAE,CAAC;QACtB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACrD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;YACjD,iBAAiB,CAAC
,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,6CAA6C;IAC7C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,MAAM,EACpB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,iEAAiE;QACjE,qEAAqE;QACrE,iEAAiE;QACjE,mEAAmE;QACnE,oDAAoD;QACpD,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO;QAE5C,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;QAC5D,MAAM,WAAW,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QACnD,IAAI,mBAAmB,GAAkB,IAAI,CAAC;QAC9C,IAAI,iBAAiB,GAAkB,IAAI,CAAC;QAC5C,IAAI,yBAAyB,GAAG,KAAK,CAAC;QACtC,IAAI,wBAAwB,GAAG,KAAK,CAAC;QAErC,oEAAoE;QACpE,wEAAwE;QACxE,qEAAqE;QACrE,iEAAiE;QACjE,4DAA4D;QAC5D,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QAExE,6EAA6E;QAC7E,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,YAAY,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAC9D,mBAAmB,GAAG,YAAY,CAAC,KAAK,CAAC;YACzC,iBAAiB,GAAG,YAAY,CAAC,SAAS,CAAC;YAC3C,wBAAwB,GAAG,CAAC,mBAAmB,CAAC;QAClD,CAAC;QAED,yDAAyD;QACzD,IAAI,CAAC,mBAAmB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YAC7C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,WAAW,EAAE,CAAC;gBAChB,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,yBAAyB,EAAE;qBAC5D,CAAC;gBACJ,CAAC;gBACD,IAAI,WAAW,KAAK,WAAW,EAAE,CAAC;oBAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE;qBACpD,CAAC;gBACJ,CAAC;gBACD,yBAAyB,GAAG,IAAI,CAAC;YACnC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,mBAAmB,IAAI,CAAC,yBAAyB,EA
AE,CAAC;YACvD,oEAAoE;YACpE,gEAAgE;YAChE,qEAAqE;YACrE,qCAAqC;YACrC,IAAI,wBAAwB,EAAE,CAAC;gBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,8BAA8B;qBACxC;iBACF,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChC,IAAI,sBAAsB,EAAE,EAAE,CAAC;oBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE;4BACL,IAAI,EAAE,CAAC,KAAK;4BACZ,OAAO,EACL,qHAAqH;yBACxH;qBACF,CAAC;gBACJ,CAAC;gBACD,iBAAiB,EAAE,CAAC;YACtB,CAAC;iBAAM,IAAI,sBAAsB,EAAE,EAAE,CAAC;gBACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,yBAAyB;qBACnC;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,oEAAoE;QACpE,IAAI,mBAAmB,EAAE,CAAC;YACxB,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,mBAAmB,CAAC;QACzD,CAAC;QACD,IAAI,iBAAiB,EAAE,CAAC;YACtB,KAAK,CAAC,OAAO,CAAC,cAAc,GAAG,iBAAiB,CAAC;QACnD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,OAAO,eAAe,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CACH,CAAC;AACJ,CAAC","sourcesContent":["import * as jose from \"jose\";\nimport { getH3App } from \"../server/framework-request-handler.js\";\nimport {\n defineEventHandler,\n setResponseHeader,\n setResponseStatus,\n getMethod,\n getRequestHeader,\n} from \"h3\";\nimport type { A2AConfig } from \"./types.js\";\nimport { generateAgentCard } from \"./agent-card.js\";\nimport { handleJsonRpcH3, processA2ATaskFromQueue } from \"./handlers.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n extractBearerToken,\n verifyInternalToken,\n} from \"../integrations/internal-token.js\";\nimport {\n hasConfiguredA2ASecret,\n isA2AProductionRuntime,\n} from \"./auth-policy.js\";\n\n/**\n * One-time warning when A2A is running unauthenticated in development. 
We\n * don't refuse the request (local templates need to work out of the box),\n * but we log a single noisy line so operators notice if they accidentally\n * deploy with no auth configured.\n */\nlet _warnedUnauthA2A = false;\nfunction warnA2AUnauthOnce(): void {\n if (_warnedUnauthA2A) return;\n _warnedUnauthA2A = true;\n // eslint-disable-next-line no-console\n console.warn(\n \"[a2a] No A2A_SECRET or apiKeyEnv configured — A2A endpoint runs unauthenticated. \" +\n \"This is allowed in development but blocked in production. Set A2A_SECRET before deploying.\",\n );\n}\n\n/**\n * Verify an inbound A2A JWT signed with the shared A2A_SECRET.\n * Returns the caller's email (from `sub` claim) if valid, null otherwise.\n */\ninterface A2ATokenPayload {\n email: string | null;\n orgDomain: string | null;\n}\n\nfunction addSecretCandidate(\n candidates: string[],\n secret: string | undefined,\n): void {\n const trimmed = secret?.trim();\n if (!trimmed || candidates.includes(trimmed)) return;\n candidates.push(trimmed);\n}\n\n/**\n * Resolve the audience (`aud`) value to expect in an inbound JWT. We use the\n * receiver's app URL — it's the natural identifier of \"who this token was\n * minted for\". Falls back to undefined when no app URL is configured, in\n * which case the audience check is skipped (backward-compat with tokens\n * minted before the audience claim shipped).\n */\nfunction expectedJwtAudience(event: any | undefined): string | undefined {\n const fromEnv =\n process.env.APP_URL ||\n process.env.URL ||\n process.env.DEPLOY_URL ||\n process.env.BETTER_AUTH_URL;\n if (fromEnv) return String(fromEnv);\n // Best-effort: derive from the inbound request host. 
This is forgeable\n // (Host-header attack), but only useful as a hint when env-derived URL\n // is unset; the rest of the JWT verification still uses the secret.\n try {\n const proto = getRequestHeader(event, \"x-forwarded-proto\") || \"https\";\n const host = getRequestHeader(event, \"host\");\n if (host) return `${proto}://${host}`;\n } catch {}\n return undefined;\n}\n\nasync function verifyA2AToken(\n token: string,\n event: any | undefined,\n): Promise<A2ATokenPayload> {\n // Step 1: Peek at JWT claims WITHOUT verification to get org_domain.\n // This is safe because we only use org_domain to look up the secret,\n // then verify the full JWT with that secret. If someone forges a JWT\n // with a fake org_domain, verification will fail because they don't\n // have the real secret.\n let orgDomainHint: string | undefined;\n let unverifiedPayload: jose.JWTPayload | undefined;\n try {\n unverifiedPayload = jose.decodeJwt(token);\n orgDomainHint = unverifiedPayload.org_domain as string | undefined;\n } catch {\n // Malformed token — fall through to global secret attempt\n }\n\n // Step 2: Build a small, ordered set of candidate secrets. Tokens minted by\n // current callers prefer the shared A2A_SECRET; older callers may still use\n // an org-level secret. 
Try both without logging or reflecting secret details.\n const candidateSecrets: string[] = [];\n addSecretCandidate(candidateSecrets, process.env.A2A_SECRET);\n if (orgDomainHint) {\n try {\n const { getA2ASecretByDomain } = await import(\"../org/context.js\");\n const orgSecret = await getA2ASecretByDomain(orgDomainHint);\n addSecretCandidate(candidateSecrets, orgSecret);\n } catch {\n // DB not ready or column doesn't exist yet — fall through\n }\n }\n if (candidateSecrets.length === 0) return { email: null, orgDomain: null };\n\n // Step 3: Verify JWT with the candidate secrets.\n //\n // - `audience`: passed only when the token carries an `aud` claim\n // (backward-compat: tokens minted by older `signA2AToken` versions\n // don't include one).\n // - `issuer`: enforced when the token carries an `iss` claim. The\n // sender's `signA2AToken` (`a2a/client.ts:42`) sets the issuer to its\n // own app URL, so a verified token must self-identify a non-empty\n // string issuer. We accept any string the token claims (we don't pin\n // a specific expected issuer because dispatchers may legitimately\n // mint tokens from many sender URLs — dev tunnels, multi-deploy\n // setups). The pin is \"issuer must match the value the token says\n // it was minted from\", which `jose.jwtVerify` validates exactly when\n // `issuer` is supplied as a string. 
Backward-compat: when the token\n // has no `iss`, we skip the check.\n try {\n const verifyOptions: jose.JWTVerifyOptions = {};\n if (unverifiedPayload && typeof unverifiedPayload.aud !== \"undefined\") {\n const aud = expectedJwtAudience(event);\n if (aud) verifyOptions.audience = aud;\n }\n if (\n unverifiedPayload &&\n typeof unverifiedPayload.iss === \"string\" &&\n unverifiedPayload.iss.length > 0\n ) {\n verifyOptions.issuer = unverifiedPayload.iss;\n }\n for (const secret of candidateSecrets) {\n try {\n const { payload } = await jose.jwtVerify(\n token,\n new TextEncoder().encode(secret),\n verifyOptions,\n );\n return {\n email: (payload.sub as string) ?? null,\n orgDomain: (payload.org_domain as string) ?? null,\n };\n } catch {\n // Try the next candidate without leaking which secret failed.\n }\n }\n } catch {\n // Keep malformed option construction indistinguishable from auth failure.\n }\n return { email: null, orgDomain: null };\n}\n\n/**\n * Mount A2A protocol endpoints on an H3/Nitro app.\n *\n * - GET /.well-known/agent-card.json — public agent card (no auth)\n * - POST /_agent-native/a2a — JSON-RPC endpoint (with optional auth)\n *\n * When A2A_SECRET is set, inbound Bearer tokens are verified as JWTs\n * and the caller's email is extracted from the `sub` claim. This provides\n * cryptographic identity verification for cross-app A2A calls.\n */\nexport function mountA2A(\n nitroApp: any,\n config: A2AConfig,\n routePrefix = \"/_agent-native\",\n): void {\n // Public agent card endpoint (no auth required).\n //\n // SECURITY: per-user / per-org MCP tools are filtered out of the public\n // skills list. Their merged-key prefix (`mcp__user_<emailhash>_…` or\n // `mcp__org_<orgid>_…`) discloses (a) which users have integrations\n // attached, and (b) what those integrations are — fingerprinting the\n // tenant. Template- and framework-defined skills stay; only the dynamic\n // per-tenant MCP entries are dropped. 
See finding #7 in\n // /tmp/security-audit/12-mcp-a2a-agent.md.\n getH3App(nitroApp).use(\n \"/.well-known/agent-card.json\",\n defineEventHandler((event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const protocol =\n getRequestHeader(event, \"x-forwarded-proto\") ||\n (event.url?.protocol?.replace(\":\", \"\") ?? \"http\");\n const host = getRequestHeader(event, \"host\") ?? \"localhost\";\n const baseUrl = `${protocol}://${host}`;\n\n // Filter out per-user/per-org MCP tools to avoid tenant disclosure.\n // Note: stdio MCP tools loaded from a file-based mcp.config.json are\n // process-wide and don't carry a per-user/per-org prefix, so they\n // remain visible. That's intentional — they're an operator-controlled\n // capability list.\n const filteredSkills = (config.skills ?? []).filter((skill) => {\n const id =\n (skill as { id?: string; name?: string }).id ??\n (skill as { name?: string }).name ??\n \"\";\n if (typeof id !== \"string\") return true;\n return !id.startsWith(\"mcp__user_\") && !id.startsWith(\"mcp__org_\");\n });\n\n return generateAgentCard({ ...config, skills: filteredSkills }, baseUrl);\n }),\n );\n\n // Async-mode processor route. MUST be mounted BEFORE the `/a2a` catch-all\n // below, since h3's `.use()` matches by prefix and `/a2a` would otherwise\n // swallow `/a2a/_process-task` and return a JSON-RPC \"Invalid token\" error\n // (the JSON-RPC handler doesn't know about taskId-only bodies).\n //\n // When `message/send` is called with `async: true`, the JSON-RPC handler\n // enqueues the task and self-fires a POST to this route on the same\n // deployment so the actual handler runs in a fresh function execution (its\n // own full timeout). 
Authenticated with an HMAC token bound to the task id\n // (5-minute lifetime, signed with A2A_SECRET — same scheme as the\n // integration webhook queue).\n getH3App(nitroApp).use(\n `${routePrefix}/a2a/_process-task`,\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = (await readBody(event)) as { taskId?: unknown } | null;\n const taskId = body && typeof body.taskId === \"string\" ? body.taskId : \"\";\n if (!taskId) {\n setResponseStatus(event, 400);\n return { error: \"taskId required\" };\n }\n\n // When A2A_SECRET is set, require a valid HMAC token bound to this\n // taskId. In production, we REQUIRE A2A_SECRET to be set so unsigned\n // dispatches are never accepted (an attacker who fishes a taskId out\n // of logs / a share link could otherwise force-replay it). In\n // development, a missing secret is permitted so local templates work\n // out of the box, but we log a one-time warning so operators notice.\n if (hasConfiguredA2ASecret()) {\n const auth = getRequestHeader(event, \"authorization\");\n const tok = extractBearerToken(auth);\n if (!verifyInternalToken(taskId, tok)) {\n setResponseStatus(event, 401);\n return { error: \"Invalid or expired processor token\" };\n }\n } else if (isA2AProductionRuntime()) {\n setResponseStatus(event, 503);\n return {\n error:\n \"A2A processor not configured — set A2A_SECRET on this deployment to enable async A2A.\",\n };\n } else {\n warnA2AUnauthOnce();\n }\n\n try {\n await processA2ATaskFromQueue(taskId, config, event);\n return { ok: true };\n } catch (err: any) {\n console.error(\"[a2a] process-task failed:\", err);\n setResponseStatus(event, 500);\n return { error: err?.message ?? 
\"process-task failed\" };\n }\n }),\n );\n\n // JSON-RPC A2A endpoint (with optional auth)\n getH3App(nitroApp).use(\n `${routePrefix}/a2a`,\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n // h3 prefix-matches mounts, so a request to `/a2a/_process-task`\n // reaches this handler too. The dedicated mount above runs first and\n // takes the request, but if that returns `undefined` (or h3 ever\n // changes ordering semantics) defensively bail here. event.path is\n // stripped to the remainder after the mount prefix.\n const sub = (event.path || \"/\").split(\"?\")[0].replace(/^\\//, \"\");\n if (sub.startsWith(\"_process-task\")) return;\n\n const authHeader = getRequestHeader(event, \"authorization\");\n const bearerToken = extractBearerToken(authHeader);\n let verifiedCallerEmail: string | null = null;\n let verifiedOrgDomain: string | null = null;\n let legacyApiKeyAuthenticated = false;\n let bearerTokenRejectedByJwt = false;\n\n // SECURITY: when neither A2A_SECRET nor an apiKeyEnv is configured,\n // there's no way to authenticate the caller. Default to \"auth required\"\n // in production — return 503 with a clear message instead of running\n // the agent loop unauthenticated. 
In development, log a one-time\n // warning but allow so local templates work out of the box.\n const hasA2ASecret = hasConfiguredA2ASecret();\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n\n // Try JWT verification first (org-level or global A2A_SECRET-based identity)\n if (bearerToken) {\n const tokenPayload = await verifyA2AToken(bearerToken, event);\n verifiedCallerEmail = tokenPayload.email;\n verifiedOrgDomain = tokenPayload.orgDomain;\n bearerTokenRejectedByJwt = !verifiedCallerEmail;\n }\n\n // Fall back to legacy API key check (exact string match)\n if (!verifiedCallerEmail && config.apiKeyEnv) {\n const expectedKey = process.env[config.apiKeyEnv];\n if (expectedKey) {\n if (!bearerToken) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: { code: -32001, message: \"Authentication required\" },\n };\n }\n if (bearerToken !== expectedKey) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: { code: -32001, message: \"Invalid API key\" },\n };\n }\n legacyApiKeyAuthenticated = true;\n }\n }\n\n if (!verifiedCallerEmail && !legacyApiKeyAuthenticated) {\n // Any supplied bearer token that failed JWT verification is an auth\n // failure after the legacy exact-match apiKeyEnv path has had a\n // chance to succeed. Do not let bad tokens fall through to tasks/get\n // and get reported as lookup misses.\n if (bearerTokenRejectedByJwt) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message: \"Invalid or expired A2A token\",\n },\n };\n }\n\n if (!hasA2ASecret && !hasApiKey) {\n if (isA2AProductionRuntime()) {\n setResponseStatus(event, 503);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message:\n \"A2A authentication not configured. 
Set A2A_SECRET (preferred) or configure apiKeyEnv to accept inbound A2A traffic.\",\n },\n };\n }\n warnA2AUnauthOnce();\n } else if (isA2AProductionRuntime()) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message: \"Authentication required\",\n },\n };\n }\n }\n\n // Store verified caller identity on the event context so the handler\n // can set request context from a trusted source instead of metadata\n if (verifiedCallerEmail) {\n event.context.__a2aVerifiedEmail = verifiedCallerEmail;\n }\n if (verifiedOrgDomain) {\n event.context.__a2aOrgDomain = verifiedOrgDomain;\n }\n\n const body = await readBody(event);\n return handleJsonRpcH3(body, event, config);\n }),\n );\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"ResourceEditor.d.ts","sourceRoot":"","sources":["../../../src/client/resources/ResourceEditor.tsx"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAWnD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,QAAQ,CAAC;IACnB,MAAM,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAClC,qFAAqF;IACrF,IAAI,CAAC,EAAE,QAAQ,GAAG,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,CAAC,CAAC,EAAE,QAAQ,GAAG,MAAM,KAAK,IAAI,CAAC;IAC9C,0CAA0C;IAC1C,kBAAkB,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,GAAG,QAAQ,GAAG,OAAO,KAAK,IAAI,CAAC;IACnE,6DAA6D;IAC7D,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAgiCD,wBAAgB,cAAc,CAAC,EAC7B,QAAQ,EACR,MAAM,EACN,IAAI,EAAE,cAAc,EACpB,YAAY,EACZ,kBAAkB,EAClB,WAAW,GACZ,EAAE,mBAAmB,2CAuLrB"}
1
+ {"version":3,"file":"ResourceEditor.d.ts","sourceRoot":"","sources":["../../../src/client/resources/ResourceEditor.tsx"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAYnD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,QAAQ,CAAC;IACnB,MAAM,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAClC,qFAAqF;IACrF,IAAI,CAAC,EAAE,QAAQ,GAAG,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,CAAC,CAAC,EAAE,QAAQ,GAAG,MAAM,KAAK,IAAI,CAAC;IAC9C,0CAA0C;IAC1C,kBAAkB,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,GAAG,QAAQ,GAAG,OAAO,KAAK,IAAI,CAAC;IACnE,6DAA6D;IAC7D,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AA8hCD,wBAAgB,cAAc,CAAC,EAC7B,QAAQ,EACR,MAAM,EACN,IAAI,EAAE,cAAc,EACpB,YAAY,EACZ,kBAAkB,EAClB,WAAW,GACZ,EAAE,mBAAmB,2CAuLrB"}
@@ -7,7 +7,7 @@ import Link from "@tiptap/extension-link";
7
7
  import { Markdown } from "tiptap-markdown";
8
8
  import { cn } from "../utils.js";
9
9
  import { agentNativePath } from "../api-path.js";
10
- import { getFrontmatterValue, isCustomAgentPath, isRemoteAgentPath, isSkillPath, parseFrontmatter, serializeFrontmatter, } from "../../resources/metadata.js";
10
+ import { getRemoteAgentIdFromPath, getFrontmatterValue, isCustomAgentPath, isRemoteAgentPath, isSkillPath, parseFrontmatter, serializeFrontmatter, } from "../../resources/metadata.js";
11
11
  const CONTROL_STYLE = { fontSize: 12, lineHeight: 1 };
12
12
  const VIEW_PREF_KEY = "resource-editor-view";
13
13
  function getViewPref() {
@@ -633,9 +633,7 @@ function VisualMarkdownEditor({ content, onChange, resourcePath, }) {
633
633
  } })), _jsx(InlineBubbleToolbar, { editor: editor }), _jsx(SlashMenu, { editor: editor }), _jsx(EditorContent, { editor: editor })] }));
634
634
  }
635
635
  function parseRemoteAgentContent(content, path) {
636
- const fallbackId = path
637
- .replace(/^remote-agents\//, "")
638
- .replace(/\.json$/, "");
636
+ const fallbackId = getRemoteAgentIdFromPath(path);
639
637
  try {
640
638
  const data = JSON.parse(content || "{}");
641
639
  return {