@agent-native/core 0.7.56 → 0.7.57
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/a2a/agent-card.d.ts +1 -1
- package/dist/a2a/agent-card.d.ts.map +1 -1
- package/dist/a2a/agent-card.js +30 -2
- package/dist/a2a/agent-card.js.map +1 -1
- package/dist/a2a/server.d.ts.map +1 -1
- package/dist/a2a/server.js +1 -1
- package/dist/a2a/server.js.map +1 -1
- package/dist/client/settings/VoiceTranscriptionSection.d.ts.map +1 -1
- package/dist/client/settings/VoiceTranscriptionSection.js +114 -2
- package/dist/client/settings/VoiceTranscriptionSection.js.map +1 -1
- package/dist/integrations/adapters/slack.d.ts +2 -2
- package/dist/integrations/adapters/slack.js +20 -15
- package/dist/integrations/adapters/slack.js.map +1 -1
- package/package.json +1 -1
package/dist/a2a/agent-card.d.ts
CHANGED
|
@@ -1,3 +1,3 @@
|
|
|
1
1
|
import type { A2AConfig, AgentCard } from "./types.js";
|
|
2
|
-
export declare function generateAgentCard(config: A2AConfig, baseUrl: string): AgentCard;
|
|
2
|
+
export declare function generateAgentCard(config: A2AConfig, baseUrl: string, endpointPath?: string): AgentCard;
|
|
3
3
|
//# sourceMappingURL=agent-card.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"agent-card.d.ts","sourceRoot":"","sources":["../../src/a2a/agent-card.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvD,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,SAAS,EACjB,OAAO,EAAE,MAAM,
|
|
1
|
+
{"version":3,"file":"agent-card.d.ts","sourceRoot":"","sources":["../../src/a2a/agent-card.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvD,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,SAAS,EACjB,OAAO,EAAE,MAAM,EACf,YAAY,SAAuB,GAClC,SAAS,CA8CX"}
|
package/dist/a2a/agent-card.js
CHANGED
|
@@ -1,11 +1,12 @@
|
|
|
1
1
|
import { withConfiguredAppBasePath } from "../server/app-base-path.js";
|
|
2
2
|
import { shouldAdvertiseJwtA2AAuth } from "./auth-policy.js";
|
|
3
|
-
export function generateAgentCard(config, baseUrl) {
|
|
3
|
+
export function generateAgentCard(config, baseUrl, endpointPath = "/_agent-native/a2a") {
|
|
4
4
|
const scopedUrl = withConfiguredAppBasePath(baseUrl);
|
|
5
|
+
const endpointUrl = withEndpointPath(scopedUrl, endpointPath);
|
|
5
6
|
const card = {
|
|
6
7
|
name: config.name,
|
|
7
8
|
description: config.description,
|
|
8
|
-
url:
|
|
9
|
+
url: endpointUrl,
|
|
9
10
|
version: config.version ?? "1.0.0",
|
|
10
11
|
protocolVersion: "0.3",
|
|
11
12
|
capabilities: {
|
|
@@ -41,4 +42,31 @@ export function generateAgentCard(config, baseUrl) {
|
|
|
41
42
|
}
|
|
42
43
|
return card;
|
|
43
44
|
}
|
|
45
|
+
function normalizeEndpointPath(value) {
|
|
46
|
+
const normalized = value.trim().split("/").filter(Boolean).join("/");
|
|
47
|
+
return normalized ? `/${normalized}` : "";
|
|
48
|
+
}
|
|
49
|
+
function withEndpointPath(baseUrl, endpointPath) {
|
|
50
|
+
const path = normalizeEndpointPath(endpointPath);
|
|
51
|
+
const trimmed = baseUrl.replace(/\/$/, "");
|
|
52
|
+
if (!path)
|
|
53
|
+
return trimmed;
|
|
54
|
+
try {
|
|
55
|
+
const url = new URL(trimmed);
|
|
56
|
+
const pathname = url.pathname.replace(/\/$/, "");
|
|
57
|
+
if (pathname === path || pathname.endsWith(path)) {
|
|
58
|
+
return trimmed;
|
|
59
|
+
}
|
|
60
|
+
url.pathname = `${pathname === "/" ? "" : pathname}${path}`;
|
|
61
|
+
url.search = "";
|
|
62
|
+
url.hash = "";
|
|
63
|
+
return url.toString().replace(/\/$/, "");
|
|
64
|
+
}
|
|
65
|
+
catch {
|
|
66
|
+
// Fall through for relative or otherwise non-URL strings.
|
|
67
|
+
}
|
|
68
|
+
if (trimmed.endsWith(path))
|
|
69
|
+
return trimmed;
|
|
70
|
+
return `${trimmed}${path}`;
|
|
71
|
+
}
|
|
44
72
|
//# sourceMappingURL=agent-card.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"agent-card.js","sourceRoot":"","sources":["../../src/a2a/agent-card.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AACvE,OAAO,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAC;AAE7D,MAAM,UAAU,iBAAiB,CAC/B,MAAiB,EACjB,OAAe;
|
|
1
|
+
{"version":3,"file":"agent-card.js","sourceRoot":"","sources":["../../src/a2a/agent-card.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AACvE,OAAO,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAC;AAE7D,MAAM,UAAU,iBAAiB,CAC/B,MAAiB,EACjB,OAAe,EACf,YAAY,GAAG,oBAAoB;IAEnC,MAAM,SAAS,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;IACrD,MAAM,WAAW,GAAG,gBAAgB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IAC9D,MAAM,IAAI,GAAc;QACtB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,GAAG,EAAE,WAAW;QAChB,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,OAAO;QAClC,eAAe,EAAE,KAAK;QACtB,YAAY,EAAE;YACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK;YACpC,iBAAiB,EAAE,KAAK;YACxB,sBAAsB,EAAE,IAAI;SAC7B;QACD,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC;IAEF,MAAM,eAAe,GAA8C,EAAE,CAAC;IACtE,MAAM,QAAQ,GAAuC,EAAE,CAAC;IAExD,yEAAyE;IACzE,yEAAyE;IACzE,8BAA8B;IAC9B,IAAI,yBAAyB,EAAE,EAAE,CAAC;QAChC,eAAe,CAAC,SAAS,GAAG;YAC1B,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,QAAQ;YAChB,YAAY,EAAE,KAAK;SACpB,CAAC;QACF,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,eAAe,CAAC,MAAM,GAAG;YACvB,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,QAAQ;SACjB,CAAC;QACF,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;IAChC,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QACvC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAa;IAC1C,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACrE,OAAO,UAAU,CAAC,CAAC,CAAC,IAAI,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe,EAAE,YAAoB;IAC7D,MAAM,IAAI,GAAG,qBAAqB,CAAC,YAAY,CAAC,CAAC;IACjD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC3C,IAAI,CAAC,IAAI;QAAE,OAAO,OAAO,CAAC;IAE1B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjD,IAAI,QAAQ,KAAK,IAAI,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACjD,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,GAAG,CAAC,QAAQ,GAAG,GAAG,QAAQ,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,IAAI,EAAE,CAAC;QAC5D,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC;QAChB,GAAG,CAAC,IAAI,GAAG,EAAE,CAAC;QACd,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,OAAO,CAAC;IAC3C,OAAO,GAAG,OAAO,GAAG,IAAI,EAAE,CAAC;AAC7B,CAAC","sourcesContent":["import type { A2AConfig, AgentCard } from \"./types.js\";\nimport { withConfiguredAppBasePath } from \"../server/app-base-path.js\";\nimport { shouldAdvertiseJwtA2AAuth } from \"./auth-policy.js\";\n\nexport function generateAgentCard(\n config: A2AConfig,\n baseUrl: string,\n endpointPath = \"/_agent-native/a2a\",\n): AgentCard {\n const scopedUrl = withConfiguredAppBasePath(baseUrl);\n const endpointUrl = withEndpointPath(scopedUrl, endpointPath);\n const card: AgentCard = {\n name: config.name,\n description: config.description,\n url: endpointUrl,\n version: config.version ?? \"1.0.0\",\n protocolVersion: \"0.3\",\n capabilities: {\n streaming: config.streaming ?? false,\n pushNotifications: false,\n stateTransitionHistory: true,\n },\n skills: config.skills,\n };\n\n const securitySchemes: NonNullable<AgentCard[\"securitySchemes\"]> = {};\n const security: NonNullable<AgentCard[\"security\"]> = [];\n\n // Hosted production deployments require JWT-capable A2A even before card\n // generation can prove whether auth will use the shared A2A_SECRET or an\n // org-scoped secret from SQL.\n if (shouldAdvertiseJwtA2AAuth()) {\n securitySchemes.jwtBearer = {\n type: \"http\",\n scheme: \"bearer\",\n bearerFormat: \"JWT\",\n };\n security.push({ jwtBearer: [] });\n }\n\n if (config.apiKeyEnv) {\n securitySchemes.apiKey = {\n type: \"http\",\n scheme: \"bearer\",\n };\n security.push({ apiKey: [] });\n }\n\n if (security.length > 0) {\n card.securitySchemes = securitySchemes;\n card.security = security;\n }\n\n return card;\n}\n\nfunction normalizeEndpointPath(value: string): string {\n const normalized = value.trim().split(\"/\").filter(Boolean).join(\"/\");\n return normalized ? `/${normalized}` : \"\";\n}\n\nfunction withEndpointPath(baseUrl: string, endpointPath: string): string {\n const path = normalizeEndpointPath(endpointPath);\n const trimmed = baseUrl.replace(/\\/$/, \"\");\n if (!path) return trimmed;\n\n try {\n const url = new URL(trimmed);\n const pathname = url.pathname.replace(/\\/$/, \"\");\n if (pathname === path || pathname.endsWith(path)) {\n return trimmed;\n }\n url.pathname = `${pathname === \"/\" ? \"\" : pathname}${path}`;\n url.search = \"\";\n url.hash = \"\";\n return url.toString().replace(/\\/$/, \"\");\n } catch {\n // Fall through for relative or otherwise non-URL strings.\n }\n\n if (trimmed.endsWith(path)) return trimmed;\n return `${trimmed}${path}`;\n}\n"]}
|
package/dist/a2a/server.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AA4J5C;;;;;;;;;GASG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,GAAG,EACb,MAAM,EAAE,SAAS,EACjB,WAAW,SAAmB,GAC7B,IAAI,
|
|
1
|
+
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AA4J5C;;;;;;;;;GASG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,GAAG,EACb,MAAM,EAAE,SAAS,EACjB,WAAW,SAAmB,GAC7B,IAAI,CAkON"}
|
package/dist/a2a/server.js
CHANGED
|
@@ -172,7 +172,7 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
|
|
|
172
172
|
return true;
|
|
173
173
|
return !id.startsWith("mcp__user_") && !id.startsWith("mcp__org_");
|
|
174
174
|
});
|
|
175
|
-
return generateAgentCard({ ...config, skills: filteredSkills }, baseUrl);
|
|
175
|
+
return generateAgentCard({ ...config, skills: filteredSkills }, baseUrl, `${routePrefix}/a2a`);
|
|
176
176
|
}));
|
|
177
177
|
// Async-mode processor route. MUST be mounted BEFORE the `/a2a` catch-all
|
|
178
178
|
// below, since h3's `.use()` matches by prefix and `/a2a` would otherwise
|
package/dist/a2a/server.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,wCAAwC,CAAC;AAClE,OAAO,EACL,kBAAkB,EAElB,iBAAiB,EACjB,SAAS,EACT,gBAAgB,GACjB,MAAM,IAAI,CAAC;AAEZ,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACzE,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAE1B;;;;;GAKG;AACH,IAAI,gBAAgB,GAAG,KAAK,CAAC;AAC7B,SAAS,iBAAiB;IACxB,IAAI,gBAAgB;QAAE,OAAO;IAC7B,gBAAgB,GAAG,IAAI,CAAC;IACxB,sCAAsC;IACtC,OAAO,CAAC,IAAI,CACV,mFAAmF;QACjF,4FAA4F,CAC/F,CAAC;AACJ,CAAC;AAWD,SAAS,kBAAkB,CACzB,UAAoB,EACpB,MAA0B;IAE1B,MAAM,OAAO,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO;IACrD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,KAAsB;IACjD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,uEAAuE;IACvE,uEAAuE;IACvE,oEAAoE;IACpE,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,IAAI,OAAO,CAAC;QACtE,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,IAAI;YAAE,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,KAAa,EACb,KAAsB;IAEtB,qEAAqE;IACrE,qEAAqE;IACrE,qEAAqE;IACrE,oEAAoE;IACpE,wBAAwB;IACxB,IAAI,aAAiC,CAAC;IACtC,IAAI,iBAA8C,CAAC;IACnD,IAAI,CAAC;QACH,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC1C,aAAa,GAAG,iBAAiB,CAAC,UAAgC,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;IAED,4EAA4E;IAC5E,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC7D,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC;YAC5D,kBAAkB,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IACD,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAE3E,iDAAiD;IACjD,EAAE;IACF,kEAAkE;IAClE,qEAAqE;IACrE,wBAAwB;IACxB,kEAAkE;IAClE,wEAAwE;IACxE,oEAAoE;IACpE,uEAAuE;IACvE,oEAAoE;IACpE,kEAAkE;IAClE,oEAAoE;IACpE,uEAAuE;IACvE,sEAAsE;IACtE,qCAAqC;IACrC,IAAI,CAAC;QACH,MAAM,aAAa,GAA0B,EAAE,CAAC;QAChD,IAAI,iBAAiB,IAAI,OAAO,iBAAiB,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;YACtE,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,GAAG;gBAAE,aAAa,CAAC,QAAQ,GAAG,GAAG,CAAC;QACxC,CAAC;QACD,IACE,iBAAiB;YACjB,OAAO,iBAAiB,CAAC,GAAG,KAAK,QAAQ;YACzC,iBAAiB,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAChC,CAAC;YACD,aAAa,CAAC,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC;QAC/C,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAChC,aAAa,CACd,CAAC;gBACF,OAAO;oBACL,KAAK,EAAG,OAAO,CAAC,GAAc,IAAI,IAAI;oBACtC,SAAS,EAAG,OAAO,CAAC,UAAqB,IAAI,IAAI;iBAClD,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,8DAA8D;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;IAC5E,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAa,EACb,MAAiB,EACjB,WAAW,GAAG,gBAAgB;IAE9B,iDAAiD;IACjD,EAAE;IACF,wEAAwE;IACxE,qEAAqE;IACrE,oEAAoE;IACpE,qEAAqE;IACrE,wEAAwE;IACxE,wDAAwD;IACxD,2CAA2C;IAC3C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,8BAA8B,EAC9B,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,QAAQ,GACZ,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC;YAC5C,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,WAAW,CAAC;QAC5D,MAAM,OAAO,GAAG,GAAG,QAAQ,MAAM,IAAI,EAAE,CAAC;QAExC,oEAAoE;QACpE,qEAAqE;QACrE,kEAAkE;QAClE,sEAAsE;QACtE,mBAAmB;QACnB,MAAM,cAAc,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YAC5D,MAAM,EAAE,GACL,KAAwC,CAAC,EAAE;gBAC3C,KAA2B,CAAC,IAAI;gBACjC,EAAE,CAAC;YACL,IAAI,OAAO,EAAE,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACxC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,OAAO,iBAAiB,CAAC,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,EAAE,OAAO,CAAC,CAAC;IAC3E,CAAC,CAAC,CACH,CAAC;IAEF,0EAA0E;IAC1E,0EAA0E;IAC1E,2EAA2E;IAC3E,gEAAgE;IAChE,EAAE;IACF,yEAAyE;IACzE,oEAAoE;IACpE,2EAA2E;IAC3E,2EAA2E;IAC3E,kEAAkE;IAClE,8BAA8B;IAC9B,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,oBAAoB,EAClC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAgC,CAAC;QACpE,MAAM,MAAM,GAAG,IAAI,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QAED,mEAAmE;QACnE,qEAAqE;QACrE,qEAAqE;QACrE,8DAA8D;QAC9D,qEAAqE;QACrE,qEAAqE;QACrE,IAAI,sBAAsB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACrC,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;gBACtC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;YACzD,CAAC;QACH,CAAC;aAAM,IAAI,sBAAsB,EAAE,EAAE,CAAC;YACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,uFAAuF;aAC1F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,iBAAiB,EAAE,CAAC;QACtB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACrD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;YACjD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,6CAA6C;IAC7C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,MAAM,EACpB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,iEAAiE;QACjE,qEAAqE;QACrE,iEAAiE;QACjE,mEAAmE;QACnE,oDAAoD;QACpD,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO;QAE5C,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;QAC5D,MAAM,WAAW,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QACnD,IAAI,mBAAmB,GAAkB,IAAI,CAAC;QAC9C,IAAI,iBAAiB,GAAkB,IAAI,CAAC;QAC5C,IAAI,yBAAyB,GAAG,KAAK,CAAC;QACtC,IAAI,wBAAwB,GAAG,KAAK,CAAC;QAErC,oEAAoE;QACpE,wEAAwE;QACxE,qEAAqE;QACrE,iEAAiE;QACjE,4DAA4D;QAC5D,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QAExE,6EAA6E;QAC7E,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,YAAY,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAC9D,mBAAmB,GAAG,YAAY,CAAC,KAAK,CAAC;YACzC,iBAAiB,GAAG,YAAY,CAAC,SAAS,CAAC;YAC3C,wBAAwB,GAAG,CAAC,mBAAmB,CAAC;QAClD,CAAC;QAED,yDAAyD;QACzD,IAAI,CAAC,mBAAmB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YAC7C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,WAAW,EAAE,CAAC;gBAChB,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,yBAAyB,EAAE;qBAC5D,CAAC;gBACJ,CAAC;gBACD,IAAI,WAAW,KAAK,WAAW,EAAE,CAAC;oBAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE;qBACpD,CAAC;gBACJ,CAAC;gBACD,yBAAyB,GAAG,IAAI,CAAC;YACnC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,mBAAmB,IAAI,CAAC,yBAAyB,EAAE,CAAC;YACvD,oEAAoE;YACpE,gEAAgE;YAChE,qEAAqE;YACrE,qCAAqC;YACrC,IAAI,wBAAwB,EAAE,CAAC;gBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,8BAA8B;qBACxC;iBACF,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChC,IAAI,sBAAsB,EAAE,EAAE,CAAC;oBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE;4BACL,IAAI,EAAE,CAAC,KAAK;4BACZ,OAAO,EACL,qHAAqH;yBACxH;qBACF,CAAC;gBACJ,CAAC;gBACD,iBAAiB,EAAE,CAAC;YACtB,CAAC;iBAAM,IAAI,sBAAsB,EAAE,EAAE,CAAC;gBACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,yBAAyB;qBACnC;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,oEAAoE;QACpE,IAAI,mBAAmB,EAAE,CAAC;YACxB,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,mBAAmB,CAAC;QACzD,CAAC;QACD,IAAI,iBAAiB,EAAE,CAAC;YACtB,KAAK,CAAC,OAAO,CAAC,cAAc,GAAG,iBAAiB,CAAC;QACnD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,OAAO,eAAe,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CACH,CAAC;AACJ,CAAC","sourcesContent":["import * as jose from \"jose\";\nimport { getH3App } from \"../server/framework-request-handler.js\";\nimport {\n defineEventHandler,\n setResponseHeader,\n setResponseStatus,\n getMethod,\n getRequestHeader,\n} from \"h3\";\nimport type { A2AConfig } from \"./types.js\";\nimport { generateAgentCard } from \"./agent-card.js\";\nimport { handleJsonRpcH3, processA2ATaskFromQueue } from \"./handlers.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n extractBearerToken,\n verifyInternalToken,\n} from \"../integrations/internal-token.js\";\nimport {\n hasConfiguredA2ASecret,\n isA2AProductionRuntime,\n} from \"./auth-policy.js\";\n\n/**\n * One-time warning when A2A is running unauthenticated in development. We\n * don't refuse the request (local templates need to work out of the box),\n * but we log a single noisy line so operators notice if they accidentally\n * deploy with no auth configured.\n */\nlet _warnedUnauthA2A = false;\nfunction warnA2AUnauthOnce(): void {\n if (_warnedUnauthA2A) return;\n _warnedUnauthA2A = true;\n // eslint-disable-next-line no-console\n console.warn(\n \"[a2a] No A2A_SECRET or apiKeyEnv configured — A2A endpoint runs unauthenticated. \" +\n \"This is allowed in development but blocked in production. Set A2A_SECRET before deploying.\",\n );\n}\n\n/**\n * Verify an inbound A2A JWT signed with the shared A2A_SECRET.\n * Returns the caller's email (from `sub` claim) if valid, null otherwise.\n */\ninterface A2ATokenPayload {\n email: string | null;\n orgDomain: string | null;\n}\n\nfunction addSecretCandidate(\n candidates: string[],\n secret: string | undefined,\n): void {\n const trimmed = secret?.trim();\n if (!trimmed || candidates.includes(trimmed)) return;\n candidates.push(trimmed);\n}\n\n/**\n * Resolve the audience (`aud`) value to expect in an inbound JWT. We use the\n * receiver's app URL — it's the natural identifier of \"who this token was\n * minted for\". Falls back to undefined when no app URL is configured, in\n * which case the audience check is skipped (backward-compat with tokens\n * minted before the audience claim shipped).\n */\nfunction expectedJwtAudience(event: any | undefined): string | undefined {\n const fromEnv =\n process.env.APP_URL ||\n process.env.URL ||\n process.env.DEPLOY_URL ||\n process.env.BETTER_AUTH_URL;\n if (fromEnv) return String(fromEnv);\n // Best-effort: derive from the inbound request host. This is forgeable\n // (Host-header attack), but only useful as a hint when env-derived URL\n // is unset; the rest of the JWT verification still uses the secret.\n try {\n const proto = getRequestHeader(event, \"x-forwarded-proto\") || \"https\";\n const host = getRequestHeader(event, \"host\");\n if (host) return `${proto}://${host}`;\n } catch {}\n return undefined;\n}\n\nasync function verifyA2AToken(\n token: string,\n event: any | undefined,\n): Promise<A2ATokenPayload> {\n // Step 1: Peek at JWT claims WITHOUT verification to get org_domain.\n // This is safe because we only use org_domain to look up the secret,\n // then verify the full JWT with that secret. If someone forges a JWT\n // with a fake org_domain, verification will fail because they don't\n // have the real secret.\n let orgDomainHint: string | undefined;\n let unverifiedPayload: jose.JWTPayload | undefined;\n try {\n unverifiedPayload = jose.decodeJwt(token);\n orgDomainHint = unverifiedPayload.org_domain as string | undefined;\n } catch {\n // Malformed token — fall through to global secret attempt\n }\n\n // Step 2: Build a small, ordered set of candidate secrets. Tokens minted by\n // current callers prefer the shared A2A_SECRET; older callers may still use\n // an org-level secret. Try both without logging or reflecting secret details.\n const candidateSecrets: string[] = [];\n addSecretCandidate(candidateSecrets, process.env.A2A_SECRET);\n if (orgDomainHint) {\n try {\n const { getA2ASecretByDomain } = await import(\"../org/context.js\");\n const orgSecret = await getA2ASecretByDomain(orgDomainHint);\n addSecretCandidate(candidateSecrets, orgSecret);\n } catch {\n // DB not ready or column doesn't exist yet — fall through\n }\n }\n if (candidateSecrets.length === 0) return { email: null, orgDomain: null };\n\n // Step 3: Verify JWT with the candidate secrets.\n //\n // - `audience`: passed only when the token carries an `aud` claim\n // (backward-compat: tokens minted by older `signA2AToken` versions\n // don't include one).\n // - `issuer`: enforced when the token carries an `iss` claim. The\n // sender's `signA2AToken` (`a2a/client.ts:42`) sets the issuer to its\n // own app URL, so a verified token must self-identify a non-empty\n // string issuer. We accept any string the token claims (we don't pin\n // a specific expected issuer because dispatchers may legitimately\n // mint tokens from many sender URLs — dev tunnels, multi-deploy\n // setups). The pin is \"issuer must match the value the token says\n // it was minted from\", which `jose.jwtVerify` validates exactly when\n // `issuer` is supplied as a string. Backward-compat: when the token\n // has no `iss`, we skip the check.\n try {\n const verifyOptions: jose.JWTVerifyOptions = {};\n if (unverifiedPayload && typeof unverifiedPayload.aud !== \"undefined\") {\n const aud = expectedJwtAudience(event);\n if (aud) verifyOptions.audience = aud;\n }\n if (\n unverifiedPayload &&\n typeof unverifiedPayload.iss === \"string\" &&\n unverifiedPayload.iss.length > 0\n ) {\n verifyOptions.issuer = unverifiedPayload.iss;\n }\n for (const secret of candidateSecrets) {\n try {\n const { payload } = await jose.jwtVerify(\n token,\n new TextEncoder().encode(secret),\n verifyOptions,\n );\n return {\n email: (payload.sub as string) ?? null,\n orgDomain: (payload.org_domain as string) ?? null,\n };\n } catch {\n // Try the next candidate without leaking which secret failed.\n }\n }\n } catch {\n // Keep malformed option construction indistinguishable from auth failure.\n }\n return { email: null, orgDomain: null };\n}\n\n/**\n * Mount A2A protocol endpoints on an H3/Nitro app.\n *\n * - GET /.well-known/agent-card.json — public agent card (no auth)\n * - POST /_agent-native/a2a — JSON-RPC endpoint (with optional auth)\n *\n * When A2A_SECRET is set, inbound Bearer tokens are verified as JWTs\n * and the caller's email is extracted from the `sub` claim. This provides\n * cryptographic identity verification for cross-app A2A calls.\n */\nexport function mountA2A(\n nitroApp: any,\n config: A2AConfig,\n routePrefix = \"/_agent-native\",\n): void {\n // Public agent card endpoint (no auth required).\n //\n // SECURITY: per-user / per-org MCP tools are filtered out of the public\n // skills list. Their merged-key prefix (`mcp__user_<emailhash>_…` or\n // `mcp__org_<orgid>_…`) discloses (a) which users have integrations\n // attached, and (b) what those integrations are — fingerprinting the\n // tenant. Template- and framework-defined skills stay; only the dynamic\n // per-tenant MCP entries are dropped. See finding #7 in\n // /tmp/security-audit/12-mcp-a2a-agent.md.\n getH3App(nitroApp).use(\n \"/.well-known/agent-card.json\",\n defineEventHandler((event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const protocol =\n getRequestHeader(event, \"x-forwarded-proto\") ||\n (event.url?.protocol?.replace(\":\", \"\") ?? \"http\");\n const host = getRequestHeader(event, \"host\") ?? \"localhost\";\n const baseUrl = `${protocol}://${host}`;\n\n // Filter out per-user/per-org MCP tools to avoid tenant disclosure.\n // Note: stdio MCP tools loaded from a file-based mcp.config.json are\n // process-wide and don't carry a per-user/per-org prefix, so they\n // remain visible. That's intentional — they're an operator-controlled\n // capability list.\n const filteredSkills = (config.skills ?? []).filter((skill) => {\n const id =\n (skill as { id?: string; name?: string }).id ??\n (skill as { name?: string }).name ??\n \"\";\n if (typeof id !== \"string\") return true;\n return !id.startsWith(\"mcp__user_\") && !id.startsWith(\"mcp__org_\");\n });\n\n return generateAgentCard({ ...config, skills: filteredSkills }, baseUrl);\n }),\n );\n\n // Async-mode processor route. MUST be mounted BEFORE the `/a2a` catch-all\n // below, since h3's `.use()` matches by prefix and `/a2a` would otherwise\n // swallow `/a2a/_process-task` and return a JSON-RPC \"Invalid token\" error\n // (the JSON-RPC handler doesn't know about taskId-only bodies).\n //\n // When `message/send` is called with `async: true`, the JSON-RPC handler\n // enqueues the task and self-fires a POST to this route on the same\n // deployment so the actual handler runs in a fresh function execution (its\n // own full timeout). Authenticated with an HMAC token bound to the task id\n // (5-minute lifetime, signed with A2A_SECRET — same scheme as the\n // integration webhook queue).\n getH3App(nitroApp).use(\n `${routePrefix}/a2a/_process-task`,\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = (await readBody(event)) as { taskId?: unknown } | null;\n const taskId = body && typeof body.taskId === \"string\" ? body.taskId : \"\";\n if (!taskId) {\n setResponseStatus(event, 400);\n return { error: \"taskId required\" };\n }\n\n // When A2A_SECRET is set, require a valid HMAC token bound to this\n // taskId. In production, we REQUIRE A2A_SECRET to be set so unsigned\n // dispatches are never accepted (an attacker who fishes a taskId out\n // of logs / a share link could otherwise force-replay it). In\n // development, a missing secret is permitted so local templates work\n // out of the box, but we log a one-time warning so operators notice.\n if (hasConfiguredA2ASecret()) {\n const auth = getRequestHeader(event, \"authorization\");\n const tok = extractBearerToken(auth);\n if (!verifyInternalToken(taskId, tok)) {\n setResponseStatus(event, 401);\n return { error: \"Invalid or expired processor token\" };\n }\n } else if (isA2AProductionRuntime()) {\n setResponseStatus(event, 503);\n return {\n error:\n \"A2A processor not configured — set A2A_SECRET on this deployment to enable async A2A.\",\n };\n } else {\n warnA2AUnauthOnce();\n }\n\n try {\n await processA2ATaskFromQueue(taskId, config, event);\n return { ok: true };\n } catch (err: any) {\n console.error(\"[a2a] process-task failed:\", err);\n setResponseStatus(event, 500);\n return { error: err?.message ?? \"process-task failed\" };\n }\n }),\n );\n\n // JSON-RPC A2A endpoint (with optional auth)\n getH3App(nitroApp).use(\n `${routePrefix}/a2a`,\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n // h3 prefix-matches mounts, so a request to `/a2a/_process-task`\n // reaches this handler too. The dedicated mount above runs first and\n // takes the request, but if that returns `undefined` (or h3 ever\n // changes ordering semantics) defensively bail here. event.path is\n // stripped to the remainder after the mount prefix.\n const sub = (event.path || \"/\").split(\"?\")[0].replace(/^\\//, \"\");\n if (sub.startsWith(\"_process-task\")) return;\n\n const authHeader = getRequestHeader(event, \"authorization\");\n const bearerToken = extractBearerToken(authHeader);\n let verifiedCallerEmail: string | null = null;\n let verifiedOrgDomain: string | null = null;\n let legacyApiKeyAuthenticated = false;\n let bearerTokenRejectedByJwt = false;\n\n // SECURITY: when neither A2A_SECRET nor an apiKeyEnv is configured,\n // there's no way to authenticate the caller. Default to \"auth required\"\n // in production — return 503 with a clear message instead of running\n // the agent loop unauthenticated. In development, log a one-time\n // warning but allow so local templates work out of the box.\n const hasA2ASecret = hasConfiguredA2ASecret();\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n\n // Try JWT verification first (org-level or global A2A_SECRET-based identity)\n if (bearerToken) {\n const tokenPayload = await verifyA2AToken(bearerToken, event);\n verifiedCallerEmail = tokenPayload.email;\n verifiedOrgDomain = tokenPayload.orgDomain;\n bearerTokenRejectedByJwt = !verifiedCallerEmail;\n }\n\n // Fall back to legacy API key check (exact string match)\n if (!verifiedCallerEmail && config.apiKeyEnv) {\n const expectedKey = process.env[config.apiKeyEnv];\n if (expectedKey) {\n if (!bearerToken) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: { code: -32001, message: \"Authentication required\" },\n };\n }\n if (bearerToken !== expectedKey) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: { code: -32001, message: \"Invalid API key\" },\n };\n }\n legacyApiKeyAuthenticated = true;\n }\n }\n\n if (!verifiedCallerEmail && !legacyApiKeyAuthenticated) {\n // Any supplied bearer token that failed JWT verification is an auth\n // failure after the legacy exact-match apiKeyEnv path has had a\n // chance to succeed. Do not let bad tokens fall through to tasks/get\n // and get reported as lookup misses.\n if (bearerTokenRejectedByJwt) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message: \"Invalid or expired A2A token\",\n },\n };\n }\n\n if (!hasA2ASecret && !hasApiKey) {\n if (isA2AProductionRuntime()) {\n setResponseStatus(event, 503);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message:\n \"A2A authentication not configured. Set A2A_SECRET (preferred) or configure apiKeyEnv to accept inbound A2A traffic.\",\n },\n };\n }\n warnA2AUnauthOnce();\n } else if (isA2AProductionRuntime()) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message: \"Authentication required\",\n },\n };\n }\n }\n\n // Store verified caller identity on the event context so the handler\n // can set request context from a trusted source instead of metadata\n if (verifiedCallerEmail) {\n event.context.__a2aVerifiedEmail = verifiedCallerEmail;\n }\n if (verifiedOrgDomain) {\n event.context.__a2aOrgDomain = verifiedOrgDomain;\n }\n\n const body = await readBody(event);\n return handleJsonRpcH3(body, event, config);\n }),\n );\n}\n"]}
|
|
1
|
+
{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,wCAAwC,CAAC;AAClE,OAAO,EACL,kBAAkB,EAElB,iBAAiB,EACjB,SAAS,EACT,gBAAgB,GACjB,MAAM,IAAI,CAAC;AAEZ,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACzE,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAE1B;;;;;GAKG;AACH,IAAI,gBAAgB,GAAG,KAAK,CAAC;AAC7B,SAAS,iBAAiB;IACxB,IAAI,gBAAgB;QAAE,OAAO;IAC7B,gBAAgB,GAAG,IAAI,CAAC;IACxB,sCAAsC;IACtC,OAAO,CAAC,IAAI,CACV,mFAAmF;QACjF,4FAA4F,CAC/F,CAAC;AACJ,CAAC;AAWD,SAAS,kBAAkB,CACzB,UAAoB,EACpB,MAA0B;IAE1B,MAAM,OAAO,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO;IACrD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,KAAsB;IACjD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,uEAAuE;IACvE,uEAAuE;IACvE,oEAAoE;IACpE,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,IAAI,OAAO,CAAC;QACtE,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,IAAI;YAAE,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,KAAa,EACb,KAAsB;IAEtB,qEAAqE;IACrE,qEAAqE;IACrE,qEAAqE;IACrE,oEAAoE;IACpE,wBAAwB;IACxB,IAAI,aAAiC,CAAC;IACtC,IAAI,iBAA8C,CAAC;IACnD,IAAI,CAAC;QACH,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC1C,aAAa,GAAG,iBAAiB,CAAC,UAAgC,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;IAED,4EAA4E;IAC5E,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC7D,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC;YAC5D,kBAAkB,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IACD,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAE3E,iDAAiD;IACjD,EAAE;IACF,kEAAkE;IAClE,qEAAqE;IACrE,wBAAwB;IACxB,kEAAkE;IAClE,wEAAwE;IACxE,oEAAoE;IACpE,uEAAuE;IACvE,oEAAoE;IACpE,kEAAkE;IAClE,oEAAoE;IACpE,uEAAuE;IACvE,sEAAsE;IACtE,qCAAqC;IACrC,IAAI,CAAC;QACH,MAAM,aAAa,GAA0B,EAAE,CAAC;QAChD,IAAI,iBAAiB,IAAI,OAAO,iBAAiB,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;YACtE,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,GAAG;gBAAE,aAAa,CAAC,QAAQ,GAAG,GAAG,CAAC;QACxC,CAAC;QACD,IACE,iBAAiB;YACjB,OAAO,iBAAiB,CAAC,GAAG,KAAK,QAAQ;YACzC,iBAAiB,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAChC,CAAC;YACD,aAAa,CAAC,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC;QAC/C,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAChC,aAAa,CACd,CAAC;gBACF,OAAO;oBACL,KAAK,EAAG,OAAO,CAAC,GAAc,IAAI,IAAI;oBACtC,SAAS,EAAG,OAAO,CAAC,UAAqB,IAAI,IAAI;iBAClD,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,8DAA8D;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;IAC5E,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAa,EACb,MAAiB,EACjB,WAAW,GAAG,gBAAgB;IAE9B,iDAAiD;IACjD,EAAE;IACF,wEAAwE;IACxE,qEAAqE;IACrE,oEAAoE;IACpE,qEAAqE;IACrE,wEAAwE;IACxE,wDAAwD;IACxD,2CAA2C;IAC3C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,8BAA8B,EAC9B,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,QAAQ,GACZ,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC;YAC5C,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,WAAW,CAAC;QAC5D,MAAM,OAAO,GAAG,GAAG,QAAQ,MAAM,IAAI,EAAE,CAAC;QAExC,oEAAoE;QACpE,qEAAqE;QACrE,kEAAkE;QAClE,sEAAsE;QACtE,mBAAmB;QACnB,MAAM,cAAc,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YAC5D,MAAM,EAAE,GACL,KAAwC,CAAC,EAAE;gBAC3C,KAA2B,CAAC,IAAI;gBACjC,EAAE,CAAC;YACL,IAAI,OAAO,EAAE,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACxC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,OAAO,iBAAiB,CACtB,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,EACrC,OAAO,EACP,GAAG,WAAW,MAAM,CACrB,CAAC;IACJ,CAAC,CAAC,CACH,CAAC;IAEF,0EAA0E;IAC1E,0EAA0E;IAC1E,2EAA2E;IAC3E,gEAAgE;IAChE,EAAE;IACF,yEAAyE;IACzE,oEAAoE;IACpE,2EAA2E;IAC3E,2EAA2E;IAC3E,kEAAkE;IAClE,8BAA8B;IAC9B,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,oBAAoB,EAClC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAgC,CAAC;QACpE,MAAM,MAAM,GAAG,IAAI,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QAED,mEAAmE;QACnE,qEAAqE;QACrE,qEAAqE;QACrE,8DAA8D;QAC9D,qEAAqE;QACrE,qEAAqE;QACrE,IAAI,sBAAsB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACrC,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;gBACtC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;YACzD,CAAC;QACH,CAAC;aAAM,IAAI,sBAAsB,EAAE,EAAE,CAAC;YACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,uFAAuF;aAC1F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,iBAAiB,EAAE,CAAC;QACtB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACrD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;YACjD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,6CAA6C;IAC7C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,MAAM,EACpB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,iEAAiE;QACjE,qEAAqE;QACrE,iEAAiE;QACjE,mEAAmE;QACnE,oDAAoD;QACpD,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO;QAE5C,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;QAC5D,MAAM,WAAW,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QACnD,IAAI,mBAAmB,GAAkB,IAAI,CAAC;QAC9C,IAAI,iBAAiB,GAAkB,IAAI,CAAC;QAC5C,IAAI,yBAAyB,GAAG,KAAK,CAAC;QACtC,IAAI,wBAAwB,GAAG,KAAK,CAAC;QAErC,oEAAoE;QACpE,wEAAwE;QACxE,qEAAqE;QACrE,iEAAiE;QACjE,4DAA4D;QAC5D,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QAExE,6EAA6E;QAC7E,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,YAAY,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAC9D,mBAAmB,GAAG,YAAY,CAAC,KAAK,CAAC;YACzC,iBAAiB,GAAG,YAAY,CAAC,SAAS,CAAC;YAC3C,wBAAwB,GAAG,CAAC,mBAAmB,CAAC;QAClD,CAAC;QAED,yDAAyD;QACzD,IAAI,CAAC,mBAAmB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YAC7C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,WAAW,EAAE,CAAC;gBAChB,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,yBAAyB,EAAE;qBAC5D,CAAC;gBACJ,CAAC;gBACD,IAAI,WAAW,KAAK,WAAW,EAAE,CAAC;oBAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE;qBACpD,CAAC;gBACJ,CAAC;gBACD,yBAAyB,GAAG,IAAI,CAAC;YACnC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,mBAAmB,IAAI,CAAC,yBAAyB,EAAE,CAAC;YACvD,oEAAoE;YACpE,gEAAgE;YAChE,qEAAqE;YACrE,qCAAqC;YACrC,IAAI,wBAAwB,EAAE,CAAC;gBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,8BAA8B;qBACxC;iBACF,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChC,IAAI,sBAAsB,EAAE,EAAE,CAAC;oBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE;4BACL,IAAI,EAAE,CAAC,KAAK;4BACZ,OAAO,EACL,qHAAqH;yBACxH;qBACF,CAAC;gBACJ,CAAC;gBACD,iBAAiB,EAAE,CAAC;YACtB,CAAC;iBAAM,IAAI,sBAAsB,EAAE,EAAE,CAAC;gBACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,yBAAyB;qBACnC;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,oEAAoE;QACpE,IAAI,mBAAmB,EAAE,CAAC;YACxB,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,mBAAmB,CAAC;QACzD,CAAC;QACD,IAAI,iBAAiB,EAAE,CAAC;YACtB,KAAK,CAAC,OAAO,CAAC,cAAc,GAAG,iBAAiB,CAAC;QACnD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,OAAO,eAAe,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CACH,CAAC;AACJ,CAAC","sourcesContent":["import * as jose from \"jose\";\nimport { getH3App } from \"../server/framework-request-handler.js\";\nimport {\n defineEventHandler,\n setResponseHeader,\n setResponseStatus,\n getMethod,\n getRequestHeader,\n} from \"h3\";\nimport type { A2AConfig } from \"./types.js\";\nimport { generateAgentCard } from \"./agent-card.js\";\nimport { handleJsonRpcH3, processA2ATaskFromQueue } from \"./handlers.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n extractBearerToken,\n verifyInternalToken,\n} from \"../integrations/internal-token.js\";\nimport {\n hasConfiguredA2ASecret,\n isA2AProductionRuntime,\n} from \"./auth-policy.js\";\n\n/**\n * One-time warning when A2A is running unauthenticated in development. We\n * don't refuse the request (local templates need to work out of the box),\n * but we log a single noisy line so operators notice if they accidentally\n * deploy with no auth configured.\n */\nlet _warnedUnauthA2A = false;\nfunction warnA2AUnauthOnce(): void {\n if (_warnedUnauthA2A) return;\n _warnedUnauthA2A = true;\n // eslint-disable-next-line no-console\n console.warn(\n \"[a2a] No A2A_SECRET or apiKeyEnv configured — A2A endpoint runs unauthenticated. \" +\n \"This is allowed in development but blocked in production. Set A2A_SECRET before deploying.\",\n );\n}\n\n/**\n * Verify an inbound A2A JWT signed with the shared A2A_SECRET.\n * Returns the caller's email (from `sub` claim) if valid, null otherwise.\n */\ninterface A2ATokenPayload {\n email: string | null;\n orgDomain: string | null;\n}\n\nfunction addSecretCandidate(\n candidates: string[],\n secret: string | undefined,\n): void {\n const trimmed = secret?.trim();\n if (!trimmed || candidates.includes(trimmed)) return;\n candidates.push(trimmed);\n}\n\n/**\n * Resolve the audience (`aud`) value to expect in an inbound JWT. We use the\n * receiver's app URL — it's the natural identifier of \"who this token was\n * minted for\". Falls back to undefined when no app URL is configured, in\n * which case the audience check is skipped (backward-compat with tokens\n * minted before the audience claim shipped).\n */\nfunction expectedJwtAudience(event: any | undefined): string | undefined {\n const fromEnv =\n process.env.APP_URL ||\n process.env.URL ||\n process.env.DEPLOY_URL ||\n process.env.BETTER_AUTH_URL;\n if (fromEnv) return String(fromEnv);\n // Best-effort: derive from the inbound request host. This is forgeable\n // (Host-header attack), but only useful as a hint when env-derived URL\n // is unset; the rest of the JWT verification still uses the secret.\n try {\n const proto = getRequestHeader(event, \"x-forwarded-proto\") || \"https\";\n const host = getRequestHeader(event, \"host\");\n if (host) return `${proto}://${host}`;\n } catch {}\n return undefined;\n}\n\nasync function verifyA2AToken(\n token: string,\n event: any | undefined,\n): Promise<A2ATokenPayload> {\n // Step 1: Peek at JWT claims WITHOUT verification to get org_domain.\n // This is safe because we only use org_domain to look up the secret,\n // then verify the full JWT with that secret. If someone forges a JWT\n // with a fake org_domain, verification will fail because they don't\n // have the real secret.\n let orgDomainHint: string | undefined;\n let unverifiedPayload: jose.JWTPayload | undefined;\n try {\n unverifiedPayload = jose.decodeJwt(token);\n orgDomainHint = unverifiedPayload.org_domain as string | undefined;\n } catch {\n // Malformed token — fall through to global secret attempt\n }\n\n // Step 2: Build a small, ordered set of candidate secrets. Tokens minted by\n // current callers prefer the shared A2A_SECRET; older callers may still use\n // an org-level secret. Try both without logging or reflecting secret details.\n const candidateSecrets: string[] = [];\n addSecretCandidate(candidateSecrets, process.env.A2A_SECRET);\n if (orgDomainHint) {\n try {\n const { getA2ASecretByDomain } = await import(\"../org/context.js\");\n const orgSecret = await getA2ASecretByDomain(orgDomainHint);\n addSecretCandidate(candidateSecrets, orgSecret);\n } catch {\n // DB not ready or column doesn't exist yet — fall through\n }\n }\n if (candidateSecrets.length === 0) return { email: null, orgDomain: null };\n\n // Step 3: Verify JWT with the candidate secrets.\n //\n // - `audience`: passed only when the token carries an `aud` claim\n // (backward-compat: tokens minted by older `signA2AToken` versions\n // don't include one).\n // - `issuer`: enforced when the token carries an `iss` claim. The\n // sender's `signA2AToken` (`a2a/client.ts:42`) sets the issuer to its\n // own app URL, so a verified token must self-identify a non-empty\n // string issuer. We accept any string the token claims (we don't pin\n // a specific expected issuer because dispatchers may legitimately\n // mint tokens from many sender URLs — dev tunnels, multi-deploy\n // setups). The pin is \"issuer must match the value the token says\n // it was minted from\", which `jose.jwtVerify` validates exactly when\n // `issuer` is supplied as a string. Backward-compat: when the token\n // has no `iss`, we skip the check.\n try {\n const verifyOptions: jose.JWTVerifyOptions = {};\n if (unverifiedPayload && typeof unverifiedPayload.aud !== \"undefined\") {\n const aud = expectedJwtAudience(event);\n if (aud) verifyOptions.audience = aud;\n }\n if (\n unverifiedPayload &&\n typeof unverifiedPayload.iss === \"string\" &&\n unverifiedPayload.iss.length > 0\n ) {\n verifyOptions.issuer = unverifiedPayload.iss;\n }\n for (const secret of candidateSecrets) {\n try {\n const { payload } = await jose.jwtVerify(\n token,\n new TextEncoder().encode(secret),\n verifyOptions,\n );\n return {\n email: (payload.sub as string) ?? null,\n orgDomain: (payload.org_domain as string) ?? null,\n };\n } catch {\n // Try the next candidate without leaking which secret failed.\n }\n }\n } catch {\n // Keep malformed option construction indistinguishable from auth failure.\n }\n return { email: null, orgDomain: null };\n}\n\n/**\n * Mount A2A protocol endpoints on an H3/Nitro app.\n *\n * - GET /.well-known/agent-card.json — public agent card (no auth)\n * - POST /_agent-native/a2a — JSON-RPC endpoint (with optional auth)\n *\n * When A2A_SECRET is set, inbound Bearer tokens are verified as JWTs\n * and the caller's email is extracted from the `sub` claim. This provides\n * cryptographic identity verification for cross-app A2A calls.\n */\nexport function mountA2A(\n nitroApp: any,\n config: A2AConfig,\n routePrefix = \"/_agent-native\",\n): void {\n // Public agent card endpoint (no auth required).\n //\n // SECURITY: per-user / per-org MCP tools are filtered out of the public\n // skills list. Their merged-key prefix (`mcp__user_<emailhash>_…` or\n // `mcp__org_<orgid>_…`) discloses (a) which users have integrations\n // attached, and (b) what those integrations are — fingerprinting the\n // tenant. Template- and framework-defined skills stay; only the dynamic\n // per-tenant MCP entries are dropped. See finding #7 in\n // /tmp/security-audit/12-mcp-a2a-agent.md.\n getH3App(nitroApp).use(\n \"/.well-known/agent-card.json\",\n defineEventHandler((event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const protocol =\n getRequestHeader(event, \"x-forwarded-proto\") ||\n (event.url?.protocol?.replace(\":\", \"\") ?? \"http\");\n const host = getRequestHeader(event, \"host\") ?? \"localhost\";\n const baseUrl = `${protocol}://${host}`;\n\n // Filter out per-user/per-org MCP tools to avoid tenant disclosure.\n // Note: stdio MCP tools loaded from a file-based mcp.config.json are\n // process-wide and don't carry a per-user/per-org prefix, so they\n // remain visible. That's intentional — they're an operator-controlled\n // capability list.\n const filteredSkills = (config.skills ?? []).filter((skill) => {\n const id =\n (skill as { id?: string; name?: string }).id ??\n (skill as { name?: string }).name ??\n \"\";\n if (typeof id !== \"string\") return true;\n return !id.startsWith(\"mcp__user_\") && !id.startsWith(\"mcp__org_\");\n });\n\n return generateAgentCard(\n { ...config, skills: filteredSkills },\n baseUrl,\n `${routePrefix}/a2a`,\n );\n }),\n );\n\n // Async-mode processor route. MUST be mounted BEFORE the `/a2a` catch-all\n // below, since h3's `.use()` matches by prefix and `/a2a` would otherwise\n // swallow `/a2a/_process-task` and return a JSON-RPC \"Invalid token\" error\n // (the JSON-RPC handler doesn't know about taskId-only bodies).\n //\n // When `message/send` is called with `async: true`, the JSON-RPC handler\n // enqueues the task and self-fires a POST to this route on the same\n // deployment so the actual handler runs in a fresh function execution (its\n // own full timeout). Authenticated with an HMAC token bound to the task id\n // (5-minute lifetime, signed with A2A_SECRET — same scheme as the\n // integration webhook queue).\n getH3App(nitroApp).use(\n `${routePrefix}/a2a/_process-task`,\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = (await readBody(event)) as { taskId?: unknown } | null;\n const taskId = body && typeof body.taskId === \"string\" ? body.taskId : \"\";\n if (!taskId) {\n setResponseStatus(event, 400);\n return { error: \"taskId required\" };\n }\n\n // When A2A_SECRET is set, require a valid HMAC token bound to this\n // taskId. In production, we REQUIRE A2A_SECRET to be set so unsigned\n // dispatches are never accepted (an attacker who fishes a taskId out\n // of logs / a share link could otherwise force-replay it). In\n // development, a missing secret is permitted so local templates work\n // out of the box, but we log a one-time warning so operators notice.\n if (hasConfiguredA2ASecret()) {\n const auth = getRequestHeader(event, \"authorization\");\n const tok = extractBearerToken(auth);\n if (!verifyInternalToken(taskId, tok)) {\n setResponseStatus(event, 401);\n return { error: \"Invalid or expired processor token\" };\n }\n } else if (isA2AProductionRuntime()) {\n setResponseStatus(event, 503);\n return {\n error:\n \"A2A processor not configured — set A2A_SECRET on this deployment to enable async A2A.\",\n };\n } else {\n warnA2AUnauthOnce();\n }\n\n try {\n await processA2ATaskFromQueue(taskId, config, event);\n return { ok: true };\n } catch (err: any) {\n console.error(\"[a2a] process-task failed:\", err);\n setResponseStatus(event, 500);\n return { error: err?.message ?? \"process-task failed\" };\n }\n }),\n );\n\n // JSON-RPC A2A endpoint (with optional auth)\n getH3App(nitroApp).use(\n `${routePrefix}/a2a`,\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n // h3 prefix-matches mounts, so a request to `/a2a/_process-task`\n // reaches this handler too. The dedicated mount above runs first and\n // takes the request, but if that returns `undefined` (or h3 ever\n // changes ordering semantics) defensively bail here. event.path is\n // stripped to the remainder after the mount prefix.\n const sub = (event.path || \"/\").split(\"?\")[0].replace(/^\\//, \"\");\n if (sub.startsWith(\"_process-task\")) return;\n\n const authHeader = getRequestHeader(event, \"authorization\");\n const bearerToken = extractBearerToken(authHeader);\n let verifiedCallerEmail: string | null = null;\n let verifiedOrgDomain: string | null = null;\n let legacyApiKeyAuthenticated = false;\n let bearerTokenRejectedByJwt = false;\n\n // SECURITY: when neither A2A_SECRET nor an apiKeyEnv is configured,\n // there's no way to authenticate the caller. Default to \"auth required\"\n // in production — return 503 with a clear message instead of running\n // the agent loop unauthenticated. In development, log a one-time\n // warning but allow so local templates work out of the box.\n const hasA2ASecret = hasConfiguredA2ASecret();\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n\n // Try JWT verification first (org-level or global A2A_SECRET-based identity)\n if (bearerToken) {\n const tokenPayload = await verifyA2AToken(bearerToken, event);\n verifiedCallerEmail = tokenPayload.email;\n verifiedOrgDomain = tokenPayload.orgDomain;\n bearerTokenRejectedByJwt = !verifiedCallerEmail;\n }\n\n // Fall back to legacy API key check (exact string match)\n if (!verifiedCallerEmail && config.apiKeyEnv) {\n const expectedKey = process.env[config.apiKeyEnv];\n if (expectedKey) {\n if (!bearerToken) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: { code: -32001, message: \"Authentication required\" },\n };\n }\n if (bearerToken !== expectedKey) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: { code: -32001, message: \"Invalid API key\" },\n };\n }\n legacyApiKeyAuthenticated = true;\n }\n }\n\n if (!verifiedCallerEmail && !legacyApiKeyAuthenticated) {\n // Any supplied bearer token that failed JWT verification is an auth\n // failure after the legacy exact-match apiKeyEnv path has had a\n // chance to succeed. Do not let bad tokens fall through to tasks/get\n // and get reported as lookup misses.\n if (bearerTokenRejectedByJwt) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message: \"Invalid or expired A2A token\",\n },\n };\n }\n\n if (!hasA2ASecret && !hasApiKey) {\n if (isA2AProductionRuntime()) {\n setResponseStatus(event, 503);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message:\n \"A2A authentication not configured. Set A2A_SECRET (preferred) or configure apiKeyEnv to accept inbound A2A traffic.\",\n },\n };\n }\n warnA2AUnauthOnce();\n } else if (isA2AProductionRuntime()) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message: \"Authentication required\",\n },\n };\n }\n }\n\n // Store verified caller identity on the event context so the handler\n // can set request context from a trusted source instead of metadata\n if (verifiedCallerEmail) {\n event.context.__a2aVerifiedEmail = verifiedCallerEmail;\n }\n if (verifiedOrgDomain) {\n event.context.__a2aOrgDomain = verifiedOrgDomain;\n }\n\n const body = await readBody(event);\n return handleJsonRpcH3(body, event, config);\n }),\n );\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"VoiceTranscriptionSection.d.ts","sourceRoot":"","sources":["../../../src/client/settings/VoiceTranscriptionSection.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;
|
|
1
|
+
{"version":3,"file":"VoiceTranscriptionSection.d.ts","sourceRoot":"","sources":["../../../src/client/settings/VoiceTranscriptionSection.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AA0GH,wBAAgB,yBAAyB,4CA8lBxC;AAsPD,wBAAgB,sBAAsB,4CAErC"}
|
|
@@ -12,7 +12,7 @@ import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
|
|
|
12
12
|
*/
|
|
13
13
|
import { useCallback, useEffect, useState } from "react";
|
|
14
14
|
import { agentNativePath } from "../api-path.js";
|
|
15
|
-
import { IconCheck, IconChevronDown, IconChevronRight, IconExternalLink, IconLoader2, IconMicrophone, } from "@tabler/icons-react";
|
|
15
|
+
import { IconAlertCircle, IconCheck, IconChevronDown, IconChevronRight, IconExternalLink, IconLoader2, IconLockOpen, IconMicrophone, } from "@tabler/icons-react";
|
|
16
16
|
import { useBuilderStatus } from "./useBuilderStatus.js";
|
|
17
17
|
const PREFS_URL = agentNativePath("/_agent-native/application-state/voice-transcription-prefs");
|
|
18
18
|
const CLEANUP_PREFS_URL = agentNativePath("/_agent-native/application-state/voice-cleanup-prefs");
|
|
@@ -276,7 +276,7 @@ export function VoiceTranscriptionSection() {
|
|
|
276
276
|
e.stopPropagation();
|
|
277
277
|
setShowAdvanced(true);
|
|
278
278
|
focusKey("GOOGLE_APPLICATION_CREDENTIALS");
|
|
279
|
-
}, className: "inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:bg-accent/40 hover:text-foreground", children: ["Configure", _jsx(IconExternalLink, { size: 10 })] })) }), _jsx(ProviderOption, { id: "batch", selected: transcriptionMode === "batch", onSelect: () => chooseSource("batch"), title: "Batch", subtitle: "Universal fallback. Sends audio after recording stops through Builder Gemini, Gemini, Groq, then OpenAI." })] })] }), _jsxs("div", { className: "flex items-start justify-between gap-3 rounded-md border border-border bg-accent/30 px-2.5 py-2", children: [_jsxs("div", { className: "min-w-0", children: [_jsx("div", { className: "text-[11px] font-medium text-foreground", children: "AI cleanup" }), _jsx("p", { className: "text-[10px] text-muted-foreground mt-0.5", children: "Polish punctuation, casing, filler words, titles, and summaries after capture. Builder Gemini is tried first; BYOK Gemini is the fallback." })] }), _jsxs("div", { className: "flex shrink-0 flex-col items-end gap-1", children: [_jsx("button", { type: "button", role: "switch", "aria-checked": !!cleanupEnabled, onClick: () => toggleCleanup(!cleanupEnabled),
|
|
279
|
+
}, className: "inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:bg-accent/40 hover:text-foreground", children: ["Configure", _jsx(IconExternalLink, { size: 10 })] })) }), _jsx(ProviderOption, { id: "batch", selected: transcriptionMode === "batch", onSelect: () => chooseSource("batch"), title: "Batch", subtitle: "Universal fallback. Sends audio after recording stops through Builder Gemini, Gemini, Groq, then OpenAI." }), _jsx(SystemAudioStatus, {})] })] }), _jsxs("div", { className: "flex items-start justify-between gap-3 rounded-md border border-border bg-accent/30 px-2.5 py-2", children: [_jsxs("div", { className: "min-w-0", children: [_jsx("div", { className: "text-[11px] font-medium text-foreground", children: "AI cleanup" }), _jsx("p", { className: "text-[10px] text-muted-foreground mt-0.5", children: "Polish punctuation, casing, filler words, titles, and summaries after capture. Builder Gemini is tried first; BYOK Gemini is the fallback." })] }), _jsxs("div", { className: "flex shrink-0 flex-col items-end gap-1", children: [_jsx("button", { type: "button", role: "switch", "aria-checked": !!cleanupEnabled, onClick: () => toggleCleanup(!cleanupEnabled),
|
|
280
280
|
// Theme tokens; streaming agent owns layout.
|
|
281
281
|
className: `relative inline-flex h-4 w-7 shrink-0 cursor-pointer items-center rounded-full transition-colors ${cleanupEnabled
|
|
282
282
|
? "bg-primary"
|
|
@@ -330,6 +330,118 @@ function ProviderOption({ id, selected, disabled, onSelect, title, subtitle, rig
|
|
|
330
330
|
? "border-primary bg-primary"
|
|
331
331
|
: "border-muted-foreground/40 bg-background"}`, children: selected && (_jsx("span", { className: "h-1.5 w-1.5 rounded-full bg-primary-foreground" })) }), _jsxs("div", { className: "min-w-0 flex-1", children: [_jsxs("div", { className: "flex items-center justify-between gap-2", children: [_jsx("div", { className: "text-[11px] font-medium text-foreground", children: title }), rightSlot && _jsx("div", { className: "shrink-0", children: rightSlot })] }), subtitle && (_jsx("p", { className: "text-[10px] text-muted-foreground mt-0.5", children: subtitle }))] })] }));
|
|
332
332
|
}
|
|
333
|
+
function SystemAudioStatus() {
|
|
334
|
+
const [state, setState] = useState(null);
|
|
335
|
+
useEffect(() => {
|
|
336
|
+
let cancelled = false;
|
|
337
|
+
if (typeof window === "undefined")
|
|
338
|
+
return;
|
|
339
|
+
const tauri = window
|
|
340
|
+
.__TAURI_INTERNALS__;
|
|
341
|
+
if (!tauri)
|
|
342
|
+
return; // Web users: render nothing.
|
|
343
|
+
setState({ kind: "loading" });
|
|
344
|
+
// Dynamic import keeps `@tauri-apps/api` out of the web bundle's static
|
|
345
|
+
// graph; it is only resolved inside the desktop shell where the dep is
|
|
346
|
+
// present at build time.
|
|
347
|
+
// Cast to suppress missing types — `@tauri-apps/api` is a desktop-shell
|
|
348
|
+
// dep, not a static dep of `packages/core`. Resolves at runtime only when
|
|
349
|
+
// we're inside Tauri (gated by the `__TAURI_INTERNALS__` check above).
|
|
350
|
+
import(/* @vite-ignore */ "@tauri-apps/api/core")
|
|
351
|
+
.then(async ({ invoke }) => {
|
|
352
|
+
try {
|
|
353
|
+
const status = (await invoke("system_audio_version_status"));
|
|
354
|
+
if (cancelled)
|
|
355
|
+
return;
|
|
356
|
+
if (status && !status.supported) {
|
|
357
|
+
setState({
|
|
358
|
+
kind: "unsupported",
|
|
359
|
+
reason: status.reason ??
|
|
360
|
+
`ScreenCaptureKit is unavailable on ${status.os_version}.`,
|
|
361
|
+
});
|
|
362
|
+
return;
|
|
363
|
+
}
|
|
364
|
+
// Supported — now probe permission. This may prompt; calling it
|
|
365
|
+
// here matches the original on-mount semantics requested in the
|
|
366
|
+
// settings flow.
|
|
367
|
+
try {
|
|
368
|
+
const granted = (await invoke("system_audio_request_permission"));
|
|
369
|
+
if (cancelled)
|
|
370
|
+
return;
|
|
371
|
+
setState(granted ? { kind: "available" } : { kind: "denied" });
|
|
372
|
+
}
|
|
373
|
+
catch (err) {
|
|
374
|
+
if (cancelled)
|
|
375
|
+
return;
|
|
376
|
+
const msg = String(err ?? "");
|
|
377
|
+
if (/macOS\s*1[0-2]|requires macOS 13/i.test(msg)) {
|
|
378
|
+
setState({ kind: "unsupported", reason: msg });
|
|
379
|
+
}
|
|
380
|
+
else {
|
|
381
|
+
setState({ kind: "denied" });
|
|
382
|
+
}
|
|
383
|
+
}
|
|
384
|
+
}
|
|
385
|
+
catch {
|
|
386
|
+
// Older desktop builds may not have the new command yet —
|
|
387
|
+
// fall back to the permission probe.
|
|
388
|
+
if (cancelled)
|
|
389
|
+
return;
|
|
390
|
+
try {
|
|
391
|
+
const granted = (await invoke("system_audio_request_permission"));
|
|
392
|
+
if (cancelled)
|
|
393
|
+
return;
|
|
394
|
+
setState(granted ? { kind: "available" } : { kind: "denied" });
|
|
395
|
+
}
|
|
396
|
+
catch (err) {
|
|
397
|
+
if (cancelled)
|
|
398
|
+
return;
|
|
399
|
+
const msg = String(err ?? "");
|
|
400
|
+
if (/macOS|ScreenCaptureKit/i.test(msg)) {
|
|
401
|
+
setState({ kind: "unsupported", reason: msg });
|
|
402
|
+
}
|
|
403
|
+
else {
|
|
404
|
+
setState({ kind: "denied" });
|
|
405
|
+
}
|
|
406
|
+
}
|
|
407
|
+
}
|
|
408
|
+
})
|
|
409
|
+
.catch(() => {
|
|
410
|
+
// @tauri-apps/api not resolvable -> behave like web.
|
|
411
|
+
if (!cancelled)
|
|
412
|
+
setState(null);
|
|
413
|
+
});
|
|
414
|
+
return () => {
|
|
415
|
+
cancelled = true;
|
|
416
|
+
};
|
|
417
|
+
}, []);
|
|
418
|
+
const openPrivacy = useCallback(() => {
|
|
419
|
+
if (typeof window === "undefined")
|
|
420
|
+
return;
|
|
421
|
+
const tauri = window
|
|
422
|
+
.__TAURI_INTERNALS__;
|
|
423
|
+
if (!tauri)
|
|
424
|
+
return;
|
|
425
|
+
// Cast to suppress missing types — `@tauri-apps/api` is a desktop-shell
|
|
426
|
+
// dep, not a static dep of `packages/core`. Resolves at runtime only when
|
|
427
|
+
// we're inside Tauri (gated by the `__TAURI_INTERNALS__` check above).
|
|
428
|
+
import(/* @vite-ignore */ "@tauri-apps/api/core")
|
|
429
|
+
.then(({ invoke }) => invoke("system_audio_open_privacy_settings"))
|
|
430
|
+
.catch(() => {
|
|
431
|
+
// Older desktop builds without this command — no-op.
|
|
432
|
+
});
|
|
433
|
+
}, []);
|
|
434
|
+
if (!state || state.kind === "loading")
|
|
435
|
+
return null;
|
|
436
|
+
if (state.kind === "available") {
|
|
437
|
+
return (_jsxs("div", { className: "flex items-center gap-1.5 px-0.5 pt-1 text-[10px] text-muted-foreground", children: [_jsx(IconCheck, { size: 11, className: "text-green-500" }), _jsx("span", { children: "System audio capture available." })] }));
|
|
438
|
+
}
|
|
439
|
+
if (state.kind === "unsupported") {
|
|
440
|
+
return (_jsxs("div", { className: "flex items-center gap-1.5 px-0.5 pt-1 text-[10px] text-muted-foreground", children: [_jsx("span", { className: "inline-block h-1.5 w-1.5 shrink-0 rounded-full bg-red-500", "aria-hidden": true }), _jsx("span", { children: "System audio requires macOS 13 or later \u2014 meetings will use mic-only." })] }));
|
|
441
|
+
}
|
|
442
|
+
// denied
|
|
443
|
+
return (_jsxs("div", { className: "flex items-start gap-1.5 px-0.5 pt-1 text-[10px] text-muted-foreground", children: [_jsx(IconAlertCircle, { size: 11, className: "mt-[1px] shrink-0 text-amber-500" }), _jsxs("div", { className: "flex-1", children: [_jsx("span", { children: "Grant Screen Recording permission in System Settings -> Privacy." }), _jsxs("button", { type: "button", onClick: openPrivacy, className: "ml-1 inline-flex items-center gap-1 rounded border border-border px-1.5 py-0.5 text-[10px] text-muted-foreground hover:bg-accent/40 hover:text-foreground", children: [_jsx(IconLockOpen, { size: 10 }), "Open System Settings"] })] })] }));
|
|
444
|
+
}
|
|
333
445
|
export function VoiceTranscriptionIcon() {
|
|
334
446
|
return _jsx(IconMicrophone, { size: 14 });
|
|
335
447
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"VoiceTranscriptionSection.js","sourceRoot":"","sources":["../../../src/client/settings/VoiceTranscriptionSection.tsx"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;AAEH,OAAc,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EACL,SAAS,EACT,eAAe,EACf,gBAAgB,EAChB,gBAAgB,EAChB,WAAW,EACX,cAAc,GACf,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAkCzD,MAAM,SAAS,GAAG,eAAe,CAC/B,4DAA4D,CAC7D,CAAC;AACF,MAAM,iBAAiB,GAAG,eAAe,CACvC,sDAAsD,CACvD,CAAC;AACF,MAAM,WAAW,GAAG,eAAe,CAAC,wBAAwB,CAAC,CAAC;AAC9D,MAAM,mBAAmB,GAAG,eAAe,CACzC,uCAAuC,CACxC,CAAC;AACF,MAAM,0BAA0B,GAAsB,OAAO,CAAC;AAC9D,MAAM,sBAAsB,GAAa,MAAM,CAAC;AAEhD,SAAS,UAAU,CAAC,KAAc;IAChC,OAAO,CACL,KAAK,KAAK,MAAM;QAChB,KAAK,KAAK,QAAQ;QAClB,KAAK,KAAK,gBAAgB;QAC1B,KAAK,KAAK,SAAS;QACnB,KAAK,KAAK,SAAS;QACnB,KAAK,KAAK,QAAQ;QAClB,KAAK,KAAK,MAAM,CACjB,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAc;IACzC,OAAO,CACL,KAAK,KAAK,YAAY,IAAI,KAAK,KAAK,iBAAiB,IAAI,KAAK,KAAK,OAAO,CAC3E,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,OAAO,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,KAAK,CAAC;AACxD,CAAC;AAED,SAAS,sBAAsB,CAAC,QAAyB;IACvD,IAAI,QAAQ,KAAK,SAAS;QAAE,OAAO,YAAY,CAAC;IAChD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,eAAe,CACtB,IAAuB,EACvB,eAAgC;IAEhC,IAAI,IAAI,KAAK,YAAY;QAAE,OAAO,SAAS,CAAC;IAC5C,IAAI,IAAI,KAAK,iBAAiB;QAAE,OAAO,MAAM,CAAC;IAC9C,IAAI,CAAC,eAAe,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;QACtD,OAAO,sBAAsB,CAAC;IAChC,CAAC;IACD,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,SAAS,aAAa,CAAC,QAAyB;IAC9C,IAAI,CAAC,QAAQ,IAAI,QAAQ,KAAK,SAAS;QAAE,OAAO,sBAAsB,CAAC;IACvE,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,MAAM,CAAC,iBAAiB,EAAE,oBAAoB,CAAC,GAC7C,QAAQ,CAA2B,IAAI,CAAC,CAAC;IAC3C,MAAM,CAAC,QAAQ,EAAE,WAAW,CAAC,GAAG,QAAQ,CAAW,sBAAsB,CAAC,CAAC;IAC3E,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC;IACrD,MAAM,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,GAAG,QAAQ,CACtD,IAAI,CACL,CAAC;IACF,MAAM,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,GAAG,QAAQ,CACtD,IAAI,CACL,CAAC;IACF,MAAM,CAAC,cAAc,EAAE,iBAAiB,CAAC,GAAG,QAAQ,CAAiB,IAAI,CAAC,CAAC;IAC3E,MAAM,CAAC,wBAAwB,EAAE,2BAA2B,CAAC,GAAG,QAAQ,CAEtE,IAAI,CAAC,CAAC;IACR,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC5C,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,GAAG,QAAQ,CAAgB,IAAI,CAAC,CAAC;IAChE,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IACxD,MAAM,CAAC,cAAc,EAAE,iBAAiB,CAAC,GAAG,QAAQ,CAAiB,IAAI,CAAC,CAAC;IAC3E,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAAC;IACrD,MAAM,oBAAoB,GACxB,CAAC,CAAC,aAAa,EAAE,oBAAoB;QACrC,CAAC,CAAC,aAAa,EAAE,mBAAmB,CAAC;IACvC,MAAM,mBAAmB,GACvB,CAAC,CAAC,wBAAwB,IAAI,oBAAoB,CAAC;IAErD,6DAA6D;IAC7D,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,KAAK,CAAC,iBAAiB,CAAC;aACrB,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;aACrC,IAAI,CACH,CACE,IAGQ,EACR,EAAE;YACF,IAAI,SAAS;gBAAE,OAAO;YACtB,MAAM,MAAM,GACT,IAAqC,EAAE,OAAO;gBAC9C,IAAiD,EAAE,KAAK,EAAE,OAAO,CAAC;YACrE,IAAI,OAAO,MAAM,KAAK,SAAS;gBAAE,iBAAiB,CAAC,MAAM,CAAC,CAAC;;gBACtD,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,qCAAqC;QACrE,CAAC,CACF;aACA,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,SAAS,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;QACtD,OAAO,GAAG,EAAE;YACV,SAAS,GAAG,IAAI,CAAC;QACnB,CAAC,CAAC;IACJ,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,cAAc,KAAK,IAAI;YAAE,OAAO;QACpC,IAAI,aAAa,EAAE,UAAU,KAAK,SAAS,EAAE,CAAC;YAC5C,iBAAiB,CAAC,CAAC,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,EAAE,CAAC,aAAa,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC;IAEhD,MAAM,aAAa,GAAG,KAAK,EAAE,IAAa,EAAE,EAAE;QAC5C,MAAM,QAAQ,GAAG,cAAc,CAAC;QAChC,iBAAiB,CAAC,IAAI,CAAC,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,iBAAiB,EAAE;gBACzC,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;aACxC,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC,CAAC;IAEF,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,KAAK,CAAC,SAAS,CAAC;aACb,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;aACrC,IAAI,CAAC,CAAC,IAAsC,EAAE,EAAE;YAC/C,IAAI,SAAS;gBAAE,OAAO;YACtB,MAAM,KAAK,GACR,IAAiC,EAAE,KAAK,IAAK,IAAqB,CAAC;YACtE,MAAM,CAAC,GAAG,iBAAiB,CACxB,IAAqB,EAAE,QAAQ;gBAC7B,IAAiC,EAAE,KAAK,EAAE,QAAQ,CACtD,CAAC;YACF,MAAM,UAAU,GAAG,mBAAmB,CAAC,KAAK,EAAE,iBAAiB,CAAC;gBAC9D,CAAC,CAAC,KAAK,CAAC,iBAAiB;gBACzB,CAAC,CAAC,IAAI,CAAC;YACT,MAAM,IAAI,GACR,UAAU;gBACV,CAAC,CAAC,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC;YAC/D,MAAM,iBAAiB,GACpB,IAAqB,EAAE,YAAY;gBACnC,IAAiC,EAAE,KAAK,EAAE,YAAY,CAAC;YAC1D,oBAAoB,CAAC,IAAI,CAAC,CAAC;YAC3B,WAAW,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACtC,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;gBAC1C,eAAe,CAAC,iBAAiB,CAAC,CAAC;YACrC,CAAC;QACH,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,EAAE;YACV,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,oBAAoB,CAAC,0BAA0B,CAAC,CAAC;gBACjD,WAAW,CAAC,sBAAsB,CAAC,CAAC;YACtC,CAAC;QACH,CAAC,CAAC,CAAC;QACL,OAAO,GAAG,EAAE;YACV,SAAS,GAAG,IAAI,CAAC;QACnB,CAAC,CAAC;IACJ,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,KAAK,CAAC,mBAAmB,CAAC;aACvB,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;aACrC,IAAI,CAAC,CAAC,MAA6B,EAAE,EAAE;YACtC,IAAI,SAAS;gBAAE,OAAO;YACtB,IAAI,MAAM,EAAE,CAAC;gBACX,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;gBACnC,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;gBACnC,iBAAiB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAC/B,2BAA2B,CAAC,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;gBACrD,OAAO;YACT,CAAC;YACD,OAAO,KAAK,CAAC,WAAW,CAAC;iBACtB,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;iBACnC,IAAI,CAAC,CAAC,IAAoB,EAAE,EAAE;gBAC7B,IAAI,SAAS;oBAAE,OAAO;gBACtB,MAAM,IAAI,GAAG,CAAC,GAAW,EAAE,EAAE,CAC3B,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC/D,mBAAmB,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,MAAM,KAAK,KAAK,CAAC,CAAC;gBAC9D,mBAAmB,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,MAAM,KAAK,KAAK,CAAC,CAAC;gBAC9D,iBAAiB,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,MAAM,KAAK,KAAK,CAAC,CAAC;gBAC1D,2BAA2B,CACzB,IAAI,CAAC,gCAAgC,CAAC,EAAE,MAAM,KAAK,KAAK,CACzD,CAAC;YACJ,CAAC,CAAC,CAAC;QACP,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,EAAE;YACV,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,mBAAmB,CAAC,KAAK,CAAC,CAAC;gBAC3B,mBAAmB,CAAC,KAAK,CAAC,CAAC;gBAC3B,iBAAiB,CAAC,KAAK,CAAC,CAAC;gBACzB,2BAA2B,CAAC,KAAK,CAAC,CAAC;YACrC,CAAC;QACH,CAAC,CAAC,CAAC;QACL,OAAO,GAAG,EAAE;YACV,SAAS,GAAG,IAAI,CAAC;QACnB,CAAC,CAAC;IACJ,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,MAAM,OAAO,GAAG,WAAW,CACzB,KAAK,EACH,QAA2B,EAC3B,YAAsB,EACtB,gBAAwB,EACxB,QAIC,EACD,EAAE;QACF,SAAS,CAAC,IAAI,CAAC,CAAC;QAChB,YAAY,CAAC,IAAI,CAAC,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;gBACjC,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,iBAAiB,EAAE,QAAQ;oBAC3B,QAAQ,EAAE,YAAY;oBACtB,YAAY,EAAE,gBAAgB,CAAC,IAAI,EAAE;iBACtC,CAAC;aACH,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,+DAA+D;YAC/D,oBAAoB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;YACjD,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC/B,eAAe,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YACvC,YAAY,CACV,kBAAmB,GAAa,EAAE,OAAO,IAAI,eAAe,cAAc,CAC3E,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,SAAS,CAAC,KAAK,CAAC,CAAC;QACnB,CAAC;IACH,CAAC,EACD,EAAE,CACH,CAAC;IAEF,MAAM,QAAQ,GAAG,CAAC,GAAW,EAAE,EAAE;QAC/B,IAAI,OAAO,MAAM,KAAK,WAAW;YAAE,OAAO;QAC1C,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,YAAY,GAAG,EAAE,CAAC;IAC3C,CAAC,CAAC;IAEF,MAAM,YAAY,GAAG,CAAC,IAAuB,EAAE,EAAE;QAC/C,IAAI,IAAI,KAAK,iBAAiB;YAAE,OAAO;QACvC,IAAI,IAAI,KAAK,iBAAiB,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACvD,eAAe,CAAC,IAAI,CAAC,CAAC;YACtB,IAAI,CAAC,wBAAwB,EAAE,CAAC;gBAC9B,QAAQ,CAAC,gCAAgC,CAAC,CAAC;YAC7C,CAAC;iBAAM,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBACjC,kBAAkB,EAAE,CAAC;YACvB,CAAC;YACD,OAAO;QACT,CAAC;QACD,MAAM,QAAQ,GAAG,EAAE,iBAAiB,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;QAC/D,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QACrD,oBAAoB,CAAC,IAAI,CAAC,CAAC;QAC3B,WAAW,CAAC,YAAY,CAAC,CAAC;QAC1B,KAAK,OAAO,CAAC,IAAI,EAAE,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;IAC3D,CAAC,CAAC;IAEF,MAAM,kBAAkB,GAAG,GAAG,EAAE;QAC9B,IAAI,OAAO,MAAM,KAAK,WAAW;YAAE,OAAO;QAC1C,MAAM,GAAG,GAAG,IAAI,GAAG,CACjB,eAAe,CAAC,gCAAgC,CAAC,EACjD,MAAM,CAAC,QAAQ,CAAC,MAAM,CACvB,CAAC,IAAI,CAAC;QACP,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,0CAA0C,CAAC,CAAC;IACzE,CAAC,CAAC;IAEF,MAAM,mBAAmB,GAAG,CAAC,IAAc,EAAE,EAAE;QAC7C,MAAM,YAAY,GAAG,aAAa,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;QAC5D,IAAI,iBAAiB,KAAK,OAAO,IAAI,YAAY,KAAK,QAAQ;YAAE,OAAO;QACvE,MAAM,QAAQ,GAAG,EAAE,iBAAiB,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;QAC/D,oBAAoB,CAAC,OAAO,CAAC,CAAC;QAC9B,WAAW,CAAC,YAAY,CAAC,CAAC;QAC1B,KAAK,OAAO,CAAC,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;IAC9D,CAAC,CAAC;IAEF,MAAM,kBAAkB,GAAG,CAAC,IAAY,EAAE,EAAE;QAC1C,MAAM,QAAQ,GAAG,EAAE,iBAAiB,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;QAC/D,eAAe,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,iBAAiB,EAAE,CAAC;YACtB,KAAK,OAAO,CAAC,iBAAiB,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC,CAAC;IAEF,IAAI,iBAAiB,KAAK,IAAI,EAAE,CAAC;QAC/B,OAAO,CACL,eAAK,SAAS,EAAC,6DAA6D,aAC1E,KAAC,WAAW,IAAC,IAAI,EAAE,EAAE,EAAE,SAAS,EAAC,cAAc,GAAG,qBAE9C,CACP,CAAC;IACJ,CAAC;IAED,OAAO,CACL,eAAK,SAAS,EAAC,WAAW,aACxB,eAAK,SAAS,EAAC,mDAAmD,aAChE,cAAK,SAAS,EAAC,oDAAoD,YACjE,0BACE,cAAK,SAAS,EAAC,yCAAyC,mCAElD,EACN,YAAG,SAAS,EAAC,0CAA0C,gGAGnD,IACA,GACF,EACN,eAAK,SAAS,EAAC,WAAW,aACxB,KAAC,cAAc,IACb,EAAE,EAAC,YAAY,EACf,QAAQ,EAAE,iBAAiB,KAAK,YAAY,EAC5C,QAAQ,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,CAAC,EAC1C,KAAK,EAAC,YAAY,EAClB,QAAQ,EAAC,wGAAwG,EACjH,SAAS,EACP,eAAM,SAAS,EAAC,mCAAmC,8BAE5C,GAET,EACF,KAAC,cAAc,IACb,EAAE,EAAC,iBAAiB,EACpB,QAAQ,EAAE,iBAAiB,KAAK,iBAAiB,EACjD,QAAQ,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,iBAAiB,CAAC,EAC/C,QAAQ,EAAE,CAAC,mBAAmB,EAC9B,KAAK,EAAC,iBAAiB,EACvB,QAAQ,EACN,mBAAmB;oCACjB,CAAC,CAAC,mFAAmF;oCACrF,CAAC,CAAC,wBAAwB;wCACxB,CAAC,CAAC,8FAA8F;wCAChG,CAAC,CAAC,kFAAkF,EAE1F,SAAS,EACP,mBAAmB,CAAC,CAAC,CAAC,CACpB,gBAAM,SAAS,EAAC,oDAAoD,aAClE,KAAC,SAAS,IAAC,IAAI,EAAE,EAAE,GAAI,aAElB,CACR,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,CAC7B,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,kBAAkB,EAAE,CAAC;oCACvB,CAAC,EACD,SAAS,EAAC,oJAAoJ,mCAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,CAAC,CAAC,CAAC,CACF,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,eAAe,CAAC,IAAI,CAAC,CAAC;wCACtB,QAAQ,CAAC,gCAAgC,CAAC,CAAC;oCAC7C,CAAC,EACD,SAAS,EAAC,oJAAoJ,0BAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,GAEH,EACF,KAAC,cAAc,IACb,EAAE,EAAC,OAAO,EACV,QAAQ,EAAE,iBAAiB,KAAK,OAAO,EACvC,QAAQ,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,EACrC,KAAK,EAAC,OAAO,EACb,QAAQ,EAAC,0GAA0G,GACnH,IACE,IACF,EAEN,eAAK,SAAS,EAAC,iGAAiG,aAC9G,eAAK,SAAS,EAAC,SAAS,aACtB,cAAK,SAAS,EAAC,yCAAyC,2BAElD,EACN,YAAG,SAAS,EAAC,0CAA0C,2JAInD,IACA,EACN,eAAK,SAAS,EAAC,wCAAwC,aACrD,iBACE,IAAI,EAAC,QAAQ,EACb,IAAI,EAAC,QAAQ,kBACC,CAAC,CAAC,cAAc,EAC9B,OAAO,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,CAAC,cAAc,CAAC;gCAC7C,6CAA6C;gCAC7C,SAAS,EAAE,oGACT,cAAc;oCACZ,CAAC,CAAC,YAAY;oCACd,CAAC,CAAC,qDACN,EAAE,YAEF,eACE,SAAS,EAAE,kFACT,cAAc,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,iBACvC,EAAE,GACF,GACK,EACR,cAAc,IAAI,CACjB,eAAM,SAAS,EAAC,mCAAmC,YAChD,aAAa,EAAE,UAAU;oCACxB,CAAC,CAAC,eAAe;oCACjB,CAAC,CAAC,gBAAgB;wCAChB,CAAC,CAAC,gBAAgB;wCAClB,CAAC,CAAC,WAAW,GACZ,CACR,IACG,IACF,EAEN,eAAK,SAAS,EAAC,+CAA+C,aAC5D,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EACzC,SAAS,EAAC,2EAA2E,aAErF,gBAAM,SAAS,EAAC,wEAAwE,aACrF,YAAY,CAAC,CAAC,CAAC,CACd,KAAC,eAAe,IAAC,IAAI,EAAE,EAAE,GAAI,CAC9B,CAAC,CAAC,CAAC,CACF,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,CAC/B,oBAEI,EACP,eAAM,SAAS,EAAC,mCAAmC,mEAE5C,IACA,EAER,YAAY,IAAI,CACf,eAAK,SAAS,EAAC,qBAAqB,aAClC,KAAC,cAAc,IACb,EAAE,EAAC,wBAAwB,EAC3B,QAAQ,EAAE,iBAAiB,KAAK,iBAAiB,EACjD,QAAQ,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,iBAAiB,CAAC,EAC/C,QAAQ,EAAE,CAAC,mBAAmB,EAC9B,KAAK,EAAC,uCAAuC,EAC7C,QAAQ,EACN,wBAAwB;oCACtB,CAAC,CAAC,8FAA8F;oCAChG,CAAC,CAAC,yFAAyF,EAE/F,SAAS,EACP,wBAAwB;oCACxB,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAClC,gBAAM,SAAS,EAAC,oDAAoD,aAClE,KAAC,SAAS,IAAC,IAAI,EAAE,EAAE,GAAI,aAElB,CACR,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,CAC7B,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,kBAAkB,EAAE,CAAC;oCACvB,CAAC,EACD,SAAS,EAAC,oJAAoJ,mCAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,CAAC,CAAC,CAAC,CACF,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,QAAQ,CAAC,gCAAgC,CAAC,CAAC;oCAC7C,CAAC,EACD,SAAS,EAAC,oJAAoJ,0BAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,GAEH,EAEF,KAAC,cAAc,IACb,EAAE,EAAC,MAAM,EACT,QAAQ,EAAE,iBAAiB,KAAK,OAAO,IAAI,QAAQ,KAAK,MAAM,EAC9D,QAAQ,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAC3C,KAAK,EAAC,0BAA0B,EAChC,QAAQ,EAAC,mFAAmF,GAC5F,EAEF,KAAC,cAAc,IACb,EAAE,EAAC,gBAAgB,EACnB,QAAQ,EACN,iBAAiB,KAAK,OAAO,IAAI,QAAQ,KAAK,gBAAgB,EAEhE,QAAQ,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,gBAAgB,CAAC,EACrD,QAAQ,EAAE,CAAC,aAAa,EAAE,UAAU,EACpC,KAAK,EAAC,oBAAoB,EAC1B,QAAQ,EACN,aAAa,EAAE,UAAU;oCACvB,CAAC,CAAC,2EAA2E;oCAC7E,CAAC,CAAC,gGAAgG,EAEtG,SAAS,EACP,aAAa,EAAE,UAAU,CAAC,CAAC,CAAC,CAC1B,gBAAM,SAAS,EAAC,oDAAoD,aAClE,KAAC,SAAS,IAAC,IAAI,EAAE,EAAE,GAAI,iBAElB,CACR,CAAC,CAAC,CAAC,CACF,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,kBAAkB,EAAE,CAAC;oCACvB,CAAC,EACD,SAAS,EAAC,oJAAoJ,mCAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,GAEH,EAEF,KAAC,cAAc,IACb,EAAE,EAAC,QAAQ,EACX,QAAQ,EAAE,iBAAiB,KAAK,OAAO,IAAI,QAAQ,KAAK,QAAQ,EAChE,QAAQ,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,QAAQ,CAAC,EAC7C,KAAK,EAAC,eAAe,EACrB,QAAQ,EAAC,qEAAqE,EAC9E,SAAS,EACP,gBAAgB,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,CACpD,gBAAM,SAAS,EAAC,oDAAoD,aAClE,KAAC,SAAS,IAAC,IAAI,EAAE,EAAE,GAAI,eAElB,CACR,CAAC,CAAC,CAAC,CACF,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,QAAQ,CAAC,gBAAgB,CAAC,CAAC;oCAC7B,CAAC,EACD,SAAS,EAAC,oJAAoJ,wBAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,GAEH,EAEF,KAAC,cAAc,IACb,EAAE,EAAC,QAAQ,EACX,QAAQ,EAAE,iBAAiB,KAAK,OAAO,IAAI,QAAQ,KAAK,QAAQ,EAChE,QAAQ,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,QAAQ,CAAC,EAC7C,KAAK,EAAC,gBAAgB,EACtB,QAAQ,EAAC,qDAAqD,EAC9D,SAAS,EACP,gBAAgB,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,CACpD,gBAAM,SAAS,EAAC,oDAAoD,aAClE,KAAC,SAAS,IAAC,IAAI,EAAE,EAAE,GAAI,eAElB,CACR,CAAC,CAAC,CAAC,CACF,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,QAAQ,CAAC,gBAAgB,CAAC,CAAC;oCAC7B,CAAC,EACD,SAAS,EAAC,oJAAoJ,wBAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,GAEH,EAEF,KAAC,cAAc,IACb,EAAE,EAAC,MAAM,EACT,QAAQ,EAAE,iBAAiB,KAAK,OAAO,IAAI,QAAQ,KAAK,MAAM,EAC9D,QAAQ,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAC3C,KAAK,EAAC,cAAc,EACpB,QAAQ,EAAC,uDAAuD,EAChE,SAAS,EACP,cAAc,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAChD,gBAAM,SAAS,EAAC,oDAAoD,aAClE,KAAC,SAAS,IAAC,IAAI,EAAE,EAAE,GAAI,eAElB,CACR,CAAC,CAAC,CAAC,CACF,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,QAAQ,CAAC,cAAc,CAAC,CAAC;oCAC3B,CAAC,EACD,SAAS,EAAC,oJAAoJ,wBAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,GAEH,IACE,CACP,IACG,EAEL,CAAC,cAAc,IAAI,iBAAiB,KAAK,OAAO,CAAC,IAAI,CACpD,eAAK,SAAS,EAAC,0DAA0D,aACvE,gBACE,OAAO,EAAC,kCAAkC,EAC1C,SAAS,EAAC,+CAA+C,oCAGnD,EACR,mBACE,EAAE,EAAC,kCAAkC,EACrC,KAAK,EAAE,YAAY,EACnB,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,kBAAkB,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,EAC3D,WAAW,EAAC,0DAA0D,EACtE,SAAS,EAAC,mMAAmM,GAC7M,EACF,YAAG,SAAS,EAAC,wCAAwC,kEAEjD,IACA,CACP,EAEA,MAAM,IAAI,YAAG,SAAS,EAAC,mCAAmC,6BAAY,EACtE,SAAS,IAAI,CAAC,MAAM,IAAI,CACvB,YAAG,SAAS,EAAC,0BAA0B,EAAC,IAAI,EAAC,OAAO,YACjD,SAAS,GACR,CACL,IACG,CACP,CAAC;AACJ,CAAC;AAYD,SAAS,cAAc,CAAC,EACtB,EAAE,EACF,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,KAAK,EACL,QAAQ,EACR,SAAS,GACW;IACpB,MAAM,MAAM,GAAG,GAAG,EAAE;QAClB,IAAI,CAAC,QAAQ;YAAE,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC;IAEF,MAAM,SAAS,GAAG,CAAC,KAA0C,EAAE,EAAE;QAC/D,IAAI,QAAQ;YAAE,OAAO;QACrB,IAAI,KAAK,CAAC,GAAG,KAAK,OAAO,IAAI,KAAK,CAAC,GAAG,KAAK,GAAG,EAAE,CAAC;YAC/C,KAAK,CAAC,cAAc,EAAE,CAAC;YACvB,QAAQ,EAAE,CAAC;QACb,CAAC;IACH,CAAC,CAAC;IAEF,OAAO,CACL,eACE,IAAI,EAAC,QAAQ,EACb,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAC3B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,SAAS,kBACN,QAAQ,mBACP,QAAQ,IAAI,SAAS;QACpC,6CAA6C;QAC7C,SAAS,EAAE,yEACT,QAAQ;YACN,CAAC,CAAC,8BAA8B;YAChC,CAAC,CAAC,+CACN,IAAI,QAAQ,CAAC,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC,EAAE,EAAE,aAErD,eACE,SAAS,EAAE,sFACT,QAAQ;oBACN,CAAC,CAAC,2BAA2B;oBAC7B,CAAC,CAAC,0CACN,EAAE,YAED,QAAQ,IAAI,CACX,eAAM,SAAS,EAAC,gDAAgD,GAAG,CACpE,GACI,EACP,eAAK,SAAS,EAAC,gBAAgB,aAC7B,eAAK,SAAS,EAAC,yCAAyC,aACtD,cAAK,SAAS,EAAC,yCAAyC,YAAE,KAAK,GAAO,EACrE,SAAS,IAAI,cAAK,SAAS,EAAC,UAAU,YAAE,SAAS,GAAO,IACrD,EACL,QAAQ,IAAI,CACX,YAAG,SAAS,EAAC,0CAA0C,YAAE,QAAQ,GAAK,CACvE,IACG,IACF,CACP,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB;IACpC,OAAO,KAAC,cAAc,IAAC,IAAI,EAAE,EAAE,GAAI,CAAC;AACtC,CAAC","sourcesContent":["/**\n * <VoiceTranscriptionSection /> — source + cleanup settings for voice input.\n *\n * Writes the selection to application_state under `voice-transcription-prefs`\n * so the composer's `useVoiceDictation` hook picks it up on next record. The\n * legacy `provider` field is still written alongside `transcriptionMode` so\n * older clients continue to normalize safely.\n *\n * Provider status comes from `/_agent-native/voice-providers/status`, which\n * mirrors the server transcription route's key/env resolution.\n */\n\nimport React, { useCallback, useEffect, useState } from \"react\";\nimport { agentNativePath } from \"../api-path.js\";\nimport {\n IconCheck,\n IconChevronDown,\n IconChevronRight,\n IconExternalLink,\n IconLoader2,\n IconMicrophone,\n} from \"@tabler/icons-react\";\nimport { useBuilderStatus } from \"./useBuilderStatus.js\";\n\ntype TranscriptionMode = \"mac-native\" | \"google-realtime\" | \"batch\";\n\ntype Provider =\n | \"auto\"\n | \"openai\"\n | \"builder-gemini\"\n | \"builder\"\n | \"browser\"\n | \"gemini\"\n | \"groq\";\n\ninterface Prefs {\n transcriptionMode?: TranscriptionMode;\n provider?: Provider;\n instructions?: string;\n}\n\ninterface SecretStatus {\n key: string;\n status: \"set\" | \"unset\" | \"invalid\";\n}\n\ninterface ProviderStatus {\n builder: boolean;\n gemini: boolean;\n openai: boolean;\n groq: boolean;\n googleRealtime?: boolean;\n browser: true;\n native?: true;\n}\n\nconst PREFS_URL = agentNativePath(\n \"/_agent-native/application-state/voice-transcription-prefs\",\n);\nconst CLEANUP_PREFS_URL = agentNativePath(\n \"/_agent-native/application-state/voice-cleanup-prefs\",\n);\nconst SECRETS_URL = agentNativePath(\"/_agent-native/secrets\");\nconst PROVIDER_STATUS_URL = agentNativePath(\n \"/_agent-native/voice-providers/status\",\n);\nconst DEFAULT_TRANSCRIPTION_MODE: TranscriptionMode = \"batch\";\nconst DEFAULT_BATCH_PROVIDER: Provider = \"auto\";\n\nfunction isProvider(value: unknown): value is Provider {\n return (\n value === \"auto\" ||\n value === \"openai\" ||\n value === \"builder-gemini\" ||\n value === \"builder\" ||\n value === \"browser\" ||\n value === \"gemini\" ||\n value === \"groq\"\n );\n}\n\nfunction isTranscriptionMode(value: unknown): value is TranscriptionMode {\n return (\n value === \"mac-native\" || value === \"google-realtime\" || value === \"batch\"\n );\n}\n\nfunction normalizeProvider(value: unknown): Provider | null {\n if (!isProvider(value)) return null;\n return value === \"builder\" ? \"builder-gemini\" : value;\n}\n\nfunction legacyModeFromProvider(provider: Provider | null): TranscriptionMode {\n if (provider === \"browser\") return \"mac-native\";\n return \"batch\";\n}\n\nfunction providerForMode(\n mode: TranscriptionMode,\n currentProvider: Provider | null,\n): Provider {\n if (mode === \"mac-native\") return \"browser\";\n if (mode === \"google-realtime\") return \"auto\";\n if (!currentProvider || currentProvider === \"browser\") {\n return DEFAULT_BATCH_PROVIDER;\n }\n return currentProvider;\n}\n\nfunction batchProvider(provider: Provider | null): Provider {\n if (!provider || provider === \"browser\") return DEFAULT_BATCH_PROVIDER;\n return provider;\n}\n\nexport function VoiceTranscriptionSection() {\n const [transcriptionMode, setTranscriptionMode] =\n useState<TranscriptionMode | null>(null);\n const [provider, setProvider] = useState<Provider>(DEFAULT_BATCH_PROVIDER);\n const [instructions, setInstructions] = useState(\"\");\n const [openAiConfigured, setOpenAiConfigured] = useState<boolean | null>(\n null,\n );\n const [geminiConfigured, setGeminiConfigured] = useState<boolean | null>(\n null,\n );\n const [groqConfigured, setGroqConfigured] = useState<boolean | null>(null);\n const [googleRealtimeConfigured, setGoogleRealtimeConfigured] = useState<\n boolean | null\n >(null);\n const [saving, setSaving] = useState(false);\n const [saveError, setSaveError] = useState<string | null>(null);\n const [showAdvanced, setShowAdvanced] = useState(false);\n const [cleanupEnabled, setCleanupEnabled] = useState<boolean | null>(null);\n const { status: builderStatus } = useBuilderStatus();\n const builderRealtimeReady =\n !!builderStatus?.privateKeyConfigured &&\n !!builderStatus?.publicKeyConfigured;\n const googleRealtimeReady =\n !!googleRealtimeConfigured && builderRealtimeReady;\n\n // Read cleanup pref (default: true if Builder is connected).\n useEffect(() => {\n let cancelled = false;\n fetch(CLEANUP_PREFS_URL)\n .then((r) => (r.ok ? r.json() : null))\n .then(\n (\n body:\n | { enabled?: boolean }\n | { value?: { enabled?: boolean } }\n | null,\n ) => {\n if (cancelled) return;\n const stored =\n (body as { enabled?: boolean } | null)?.enabled ??\n (body as { value?: { enabled?: boolean } } | null)?.value?.enabled;\n if (typeof stored === \"boolean\") setCleanupEnabled(stored);\n else setCleanupEnabled(null); // resolve once builderStatus arrives\n },\n )\n .catch(() => !cancelled && setCleanupEnabled(null));\n return () => {\n cancelled = true;\n };\n }, []);\n\n useEffect(() => {\n if (cleanupEnabled !== null) return;\n if (builderStatus?.configured !== undefined) {\n setCleanupEnabled(!!builderStatus.configured);\n }\n }, [builderStatus?.configured, cleanupEnabled]);\n\n const toggleCleanup = async (next: boolean) => {\n const previous = cleanupEnabled;\n setCleanupEnabled(next);\n try {\n const res = await fetch(CLEANUP_PREFS_URL, {\n method: \"PUT\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ enabled: next }),\n });\n if (!res.ok) {\n throw new Error(`HTTP ${res.status}`);\n }\n } catch {\n setCleanupEnabled(previous);\n }\n };\n\n useEffect(() => {\n let cancelled = false;\n fetch(PREFS_URL)\n .then((r) => (r.ok ? r.json() : null))\n .then((body: Prefs | { value?: Prefs } | null) => {\n if (cancelled) return;\n const value =\n (body as { value?: Prefs } | null)?.value ?? (body as Prefs | null);\n const p = normalizeProvider(\n (body as Prefs | null)?.provider ??\n (body as { value?: Prefs } | null)?.value?.provider,\n );\n const storedMode = isTranscriptionMode(value?.transcriptionMode)\n ? value.transcriptionMode\n : null;\n const mode =\n storedMode ??\n (p ? legacyModeFromProvider(p) : DEFAULT_TRANSCRIPTION_MODE);\n const savedInstructions =\n (body as Prefs | null)?.instructions ??\n (body as { value?: Prefs } | null)?.value?.instructions;\n setTranscriptionMode(mode);\n setProvider(providerForMode(mode, p));\n if (typeof savedInstructions === \"string\") {\n setInstructions(savedInstructions);\n }\n })\n .catch(() => {\n if (!cancelled) {\n setTranscriptionMode(DEFAULT_TRANSCRIPTION_MODE);\n setProvider(DEFAULT_BATCH_PROVIDER);\n }\n });\n return () => {\n cancelled = true;\n };\n }, []);\n\n useEffect(() => {\n let cancelled = false;\n fetch(PROVIDER_STATUS_URL)\n .then((r) => (r.ok ? r.json() : null))\n .then((status: ProviderStatus | null) => {\n if (cancelled) return;\n if (status) {\n setOpenAiConfigured(status.openai);\n setGeminiConfigured(status.gemini);\n setGroqConfigured(status.groq);\n setGoogleRealtimeConfigured(!!status.googleRealtime);\n return;\n }\n return fetch(SECRETS_URL)\n .then((r) => (r.ok ? r.json() : []))\n .then((list: SecretStatus[]) => {\n if (cancelled) return;\n const find = (key: string) =>\n Array.isArray(list) ? list.find((s) => s.key === key) : null;\n setOpenAiConfigured(find(\"OPENAI_API_KEY\")?.status === \"set\");\n setGeminiConfigured(find(\"GEMINI_API_KEY\")?.status === \"set\");\n setGroqConfigured(find(\"GROQ_API_KEY\")?.status === \"set\");\n setGoogleRealtimeConfigured(\n find(\"GOOGLE_APPLICATION_CREDENTIALS\")?.status === \"set\",\n );\n });\n })\n .catch(() => {\n if (!cancelled) {\n setOpenAiConfigured(false);\n setGeminiConfigured(false);\n setGroqConfigured(false);\n setGoogleRealtimeConfigured(false);\n }\n });\n return () => {\n cancelled = true;\n };\n }, []);\n\n const persist = useCallback(\n async (\n nextMode: TranscriptionMode,\n nextProvider: Provider,\n nextInstructions: string,\n previous: {\n transcriptionMode: TranscriptionMode | null;\n provider: Provider;\n instructions: string;\n },\n ) => {\n setSaving(true);\n setSaveError(null);\n try {\n const res = await fetch(PREFS_URL, {\n method: \"PUT\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({\n transcriptionMode: nextMode,\n provider: nextProvider,\n instructions: nextInstructions.trim(),\n }),\n });\n if (!res.ok) {\n throw new Error(`HTTP ${res.status}`);\n }\n } catch (err) {\n // Revert the optimistic update so the UI matches server state.\n setTranscriptionMode(previous.transcriptionMode);\n setProvider(previous.provider);\n setInstructions(previous.instructions);\n setSaveError(\n `Couldn't save: ${(err as Error)?.message ?? \"network error\"}. Try again.`,\n );\n } finally {\n setSaving(false);\n }\n },\n [],\n );\n\n const focusKey = (key: string) => {\n if (typeof window === \"undefined\") return;\n window.location.hash = `#secrets:${key}`;\n };\n\n const chooseSource = (next: TranscriptionMode) => {\n if (next === transcriptionMode) return;\n if (next === \"google-realtime\" && !googleRealtimeReady) {\n setShowAdvanced(true);\n if (!googleRealtimeConfigured) {\n focusKey(\"GOOGLE_APPLICATION_CREDENTIALS\");\n } else if (!builderRealtimeReady) {\n openBuilderConnect();\n }\n return;\n }\n const previous = { transcriptionMode, provider, instructions };\n const nextProvider = providerForMode(next, provider);\n setTranscriptionMode(next);\n setProvider(nextProvider);\n void persist(next, nextProvider, instructions, previous);\n };\n\n const openBuilderConnect = () => {\n if (typeof window === \"undefined\") return;\n const url = new URL(\n agentNativePath(\"/_agent-native/builder/connect\"),\n window.location.origin,\n ).href;\n window.open(url, \"_blank\", \"noopener,noreferrer,width=600,height=700\");\n };\n\n const chooseBatchProvider = (next: Provider) => {\n const nextProvider = batchProvider(normalizeProvider(next));\n if (transcriptionMode === \"batch\" && nextProvider === provider) return;\n const previous = { transcriptionMode, provider, instructions };\n setTranscriptionMode(\"batch\");\n setProvider(nextProvider);\n void persist(\"batch\", nextProvider, instructions, previous);\n };\n\n const updateInstructions = (next: string) => {\n const previous = { transcriptionMode, provider, instructions };\n setInstructions(next);\n if (transcriptionMode) {\n void persist(transcriptionMode, provider, next, previous);\n }\n };\n\n if (transcriptionMode === null) {\n return (\n <div className=\"flex items-center gap-1.5 text-[10px] text-muted-foreground\">\n <IconLoader2 size={10} className=\"animate-spin\" />\n Loading…\n </div>\n );\n }\n\n return (\n <div className=\"space-y-2\">\n <div className=\"rounded-md border border-border bg-background p-2\">\n <div className=\"mb-2 flex items-start justify-between gap-3 px-0.5\">\n <div>\n <div className=\"text-[11px] font-medium text-foreground\">\n Live transcription\n </div>\n <p className=\"mt-0.5 text-[10px] text-muted-foreground\">\n Choose where real-time words come from. Batch still runs after\n recording stops.\n </p>\n </div>\n </div>\n <div className=\"space-y-2\">\n <ProviderOption\n id=\"mac-native\"\n selected={transcriptionMode === \"mac-native\"}\n onSelect={() => chooseSource(\"mac-native\")}\n title=\"Mac Native\"\n subtitle=\"Free and fast in the macOS Tauri app. Web clients use the existing browser-native path when available.\"\n rightSlot={\n <span className=\"text-[10px] text-muted-foreground\">\n Tauri default\n </span>\n }\n />\n <ProviderOption\n id=\"google-realtime\"\n selected={transcriptionMode === \"google-realtime\"}\n onSelect={() => chooseSource(\"google-realtime\")}\n disabled={!googleRealtimeReady}\n title=\"Google Realtime\"\n subtitle={\n googleRealtimeReady\n ? \"BYOK only for v1. Streams live partials and finals through Google Speech-to-Text.\"\n : googleRealtimeConfigured\n ? \"Google credentials are set. Connect Builder completely to mint the managed realtime session.\"\n : \"BYOK only for v1. Configure Google service account before selecting this source.\"\n }\n rightSlot={\n googleRealtimeReady ? (\n <span className=\"flex items-center gap-1 text-[10px] text-green-500\">\n <IconCheck size={10} />\n Ready\n </span>\n ) : googleRealtimeConfigured ? (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n openBuilderConnect();\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:bg-accent/40 hover:text-foreground\"\n >\n Connect Builder.io\n <IconExternalLink size={10} />\n </button>\n ) : (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n setShowAdvanced(true);\n focusKey(\"GOOGLE_APPLICATION_CREDENTIALS\");\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:bg-accent/40 hover:text-foreground\"\n >\n Configure\n <IconExternalLink size={10} />\n </button>\n )\n }\n />\n <ProviderOption\n id=\"batch\"\n selected={transcriptionMode === \"batch\"}\n onSelect={() => chooseSource(\"batch\")}\n title=\"Batch\"\n subtitle=\"Universal fallback. Sends audio after recording stops through Builder Gemini, Gemini, Groq, then OpenAI.\"\n />\n </div>\n </div>\n\n <div className=\"flex items-start justify-between gap-3 rounded-md border border-border bg-accent/30 px-2.5 py-2\">\n <div className=\"min-w-0\">\n <div className=\"text-[11px] font-medium text-foreground\">\n AI cleanup\n </div>\n <p className=\"text-[10px] text-muted-foreground mt-0.5\">\n Polish punctuation, casing, filler words, titles, and summaries\n after capture. Builder Gemini is tried first; BYOK Gemini is the\n fallback.\n </p>\n </div>\n <div className=\"flex shrink-0 flex-col items-end gap-1\">\n <button\n type=\"button\"\n role=\"switch\"\n aria-checked={!!cleanupEnabled}\n onClick={() => toggleCleanup(!cleanupEnabled)}\n // Theme tokens; streaming agent owns layout.\n className={`relative inline-flex h-4 w-7 shrink-0 cursor-pointer items-center rounded-full transition-colors ${\n cleanupEnabled\n ? \"bg-primary\"\n : \"bg-muted-foreground/30 hover:bg-muted-foreground/50\"\n }`}\n >\n <span\n className={`inline-block h-3 w-3 transform rounded-full bg-background transition-transform ${\n cleanupEnabled ? \"translate-x-3.5\" : \"translate-x-0.5\"\n }`}\n />\n </button>\n {cleanupEnabled && (\n <span className=\"text-[10px] text-muted-foreground\">\n {builderStatus?.configured\n ? \"Builder ready\"\n : geminiConfigured\n ? \"Gemini key set\"\n : \"Needs key\"}\n </span>\n )}\n </div>\n </div>\n\n <div className=\"rounded-md border border-border bg-background\">\n <button\n type=\"button\"\n onClick={() => setShowAdvanced((v) => !v)}\n className=\"w-full flex items-center justify-between gap-2 px-2.5 py-2 cursor-pointer\"\n >\n <span className=\"text-[11px] font-medium text-foreground inline-flex items-center gap-1\">\n {showAdvanced ? (\n <IconChevronDown size={12} />\n ) : (\n <IconChevronRight size={12} />\n )}\n Add API keys\n </span>\n <span className=\"text-[10px] text-muted-foreground\">\n Google STT · Gemini · Groq · OpenAI\n </span>\n </button>\n\n {showAdvanced && (\n <div className=\"px-2 pb-2 space-y-2\">\n <ProviderOption\n id=\"google-service-account\"\n selected={transcriptionMode === \"google-realtime\"}\n onSelect={() => chooseSource(\"google-realtime\")}\n disabled={!googleRealtimeReady}\n title=\"Google Speech-to-Text service account\"\n subtitle={\n googleRealtimeConfigured\n ? \"Service-account JSON is set. Connect Builder to mint the managed realtime WebSocket session.\"\n : \"Service-account JSON for the dedicated realtime WebSocket to Google StreamingRecognize.\"\n }\n rightSlot={\n googleRealtimeConfigured ===\n null ? null : googleRealtimeReady ? (\n <span className=\"flex items-center gap-1 text-[10px] text-green-500\">\n <IconCheck size={10} />\n Ready\n </span>\n ) : googleRealtimeConfigured ? (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n openBuilderConnect();\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:text-foreground hover:bg-accent/40\"\n >\n Connect Builder.io\n <IconExternalLink size={10} />\n </button>\n ) : (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n focusKey(\"GOOGLE_APPLICATION_CREDENTIALS\");\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:text-foreground hover:bg-accent/40\"\n >\n Configure\n <IconExternalLink size={10} />\n </button>\n )\n }\n />\n\n <ProviderOption\n id=\"auto\"\n selected={transcriptionMode === \"batch\" && provider === \"auto\"}\n onSelect={() => chooseBatchProvider(\"auto\")}\n title=\"Automatic batch fallback\"\n subtitle=\"Keep the current Clips fallback chain: Builder Gemini, Gemini, Groq, then OpenAI.\"\n />\n\n <ProviderOption\n id=\"builder-gemini\"\n selected={\n transcriptionMode === \"batch\" && provider === \"builder-gemini\"\n }\n onSelect={() => chooseBatchProvider(\"builder-gemini\")}\n disabled={!builderStatus?.configured}\n title=\"Builder.io Connect\"\n subtitle={\n builderStatus?.configured\n ? \"Use Builder-hosted Gemini Flash-Lite for batch transcription and cleanup.\"\n : \"One-click connect for Gemini Flash-Lite cleanup and batch transcription. No Google key needed.\"\n }\n rightSlot={\n builderStatus?.configured ? (\n <span className=\"flex items-center gap-1 text-[10px] text-green-500\">\n <IconCheck size={10} />\n Connected\n </span>\n ) : (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n openBuilderConnect();\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:text-foreground hover:bg-accent/40\"\n >\n Connect Builder.io\n <IconExternalLink size={10} />\n </button>\n )\n }\n />\n\n <ProviderOption\n id=\"gemini\"\n selected={transcriptionMode === \"batch\" && provider === \"gemini\"}\n onSelect={() => chooseBatchProvider(\"gemini\")}\n title=\"Google Gemini\"\n subtitle=\"BYOK Gemini for AI cleanup and optional strict batch transcription.\"\n rightSlot={\n geminiConfigured === null ? null : geminiConfigured ? (\n <span className=\"flex items-center gap-1 text-[10px] text-green-500\">\n <IconCheck size={10} />\n Key set\n </span>\n ) : (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n focusKey(\"GEMINI_API_KEY\");\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:text-foreground hover:bg-accent/40\"\n >\n Add key\n <IconExternalLink size={10} />\n </button>\n )\n }\n />\n\n <ProviderOption\n id=\"openai\"\n selected={transcriptionMode === \"batch\" && provider === \"openai\"}\n onSelect={() => chooseBatchProvider(\"openai\")}\n title=\"OpenAI Whisper\"\n subtitle=\"Batch Whisper provider. Requires an OpenAI API key.\"\n rightSlot={\n openAiConfigured === null ? null : openAiConfigured ? (\n <span className=\"flex items-center gap-1 text-[10px] text-green-500\">\n <IconCheck size={10} />\n Key set\n </span>\n ) : (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n focusKey(\"OPENAI_API_KEY\");\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:text-foreground hover:bg-accent/40\"\n >\n Add key\n <IconExternalLink size={10} />\n </button>\n )\n }\n />\n\n <ProviderOption\n id=\"groq\"\n selected={transcriptionMode === \"batch\" && provider === \"groq\"}\n onSelect={() => chooseBatchProvider(\"groq\")}\n title=\"Groq Whisper\"\n subtitle=\"Fast Whisper batch provider. Requires a Groq API key.\"\n rightSlot={\n groqConfigured === null ? null : groqConfigured ? (\n <span className=\"flex items-center gap-1 text-[10px] text-green-500\">\n <IconCheck size={10} />\n Key set\n </span>\n ) : (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n focusKey(\"GROQ_API_KEY\");\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:text-foreground hover:bg-accent/40\"\n >\n Add key\n <IconExternalLink size={10} />\n </button>\n )\n }\n />\n </div>\n )}\n </div>\n\n {(cleanupEnabled || transcriptionMode === \"batch\") && (\n <div className=\"rounded-md border border-border bg-accent/20 px-2.5 py-2\">\n <label\n htmlFor=\"voice-transcription-instructions\"\n className=\"block text-[10px] font-medium text-foreground\"\n >\n Custom instructions\n </label>\n <textarea\n id=\"voice-transcription-instructions\"\n value={instructions}\n onChange={(event) => updateInstructions(event.target.value)}\n placeholder=\"Names, casing, punctuation, style, or terms to preserve.\"\n className=\"mt-1 min-h-16 w-full resize-y rounded border border-border bg-background px-2 py-1.5 text-[11px] text-foreground outline-none placeholder:text-muted-foreground/50 focus:ring-1 focus:ring-accent\"\n />\n <p className=\"mt-1 text-[10px] text-muted-foreground\">\n Included with batch transcription and AI cleanup.\n </p>\n </div>\n )}\n\n {saving && <p className=\"text-[10px] text-muted-foreground\">Saving…</p>}\n {saveError && !saving && (\n <p className=\"text-[10px] text-red-500\" role=\"alert\">\n {saveError}\n </p>\n )}\n </div>\n );\n}\n\ninterface ProviderOptionProps {\n id: string;\n selected: boolean;\n disabled?: boolean;\n onSelect: () => void;\n title: string;\n subtitle?: React.ReactNode;\n rightSlot?: React.ReactNode;\n}\n\nfunction ProviderOption({\n id,\n selected,\n disabled,\n onSelect,\n title,\n subtitle,\n rightSlot,\n}: ProviderOptionProps) {\n const select = () => {\n if (!disabled) onSelect();\n };\n\n const onKeyDown = (event: React.KeyboardEvent<HTMLDivElement>) => {\n if (disabled) return;\n if (event.key === \"Enter\" || event.key === \" \") {\n event.preventDefault();\n onSelect();\n }\n };\n\n return (\n <div\n role=\"button\"\n tabIndex={disabled ? -1 : 0}\n onClick={select}\n onKeyDown={onKeyDown}\n aria-pressed={selected}\n aria-disabled={disabled || undefined}\n // Theme tokens; streaming agent owns layout.\n className={`w-full text-left rounded-md border px-2.5 py-2 flex items-start gap-2 ${\n selected\n ? \"border-primary bg-primary/10\"\n : \"border-border bg-accent/30 hover:bg-accent/50\"\n } ${disabled ? \"opacity-60 cursor-not-allowed\" : \"\"}`}\n >\n <span\n className={`mt-[2px] shrink-0 flex h-3.5 w-3.5 items-center justify-center rounded-full border ${\n selected\n ? \"border-primary bg-primary\"\n : \"border-muted-foreground/40 bg-background\"\n }`}\n >\n {selected && (\n <span className=\"h-1.5 w-1.5 rounded-full bg-primary-foreground\" />\n )}\n </span>\n <div className=\"min-w-0 flex-1\">\n <div className=\"flex items-center justify-between gap-2\">\n <div className=\"text-[11px] font-medium text-foreground\">{title}</div>\n {rightSlot && <div className=\"shrink-0\">{rightSlot}</div>}\n </div>\n {subtitle && (\n <p className=\"text-[10px] text-muted-foreground mt-0.5\">{subtitle}</p>\n )}\n </div>\n </div>\n );\n}\n\nexport function VoiceTranscriptionIcon() {\n return <IconMicrophone size={14} />;\n}\n"]}
|
|
1
|
+
{"version":3,"file":"VoiceTranscriptionSection.js","sourceRoot":"","sources":["../../../src/client/settings/VoiceTranscriptionSection.tsx"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;AAEH,OAAc,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EACL,eAAe,EACf,SAAS,EACT,eAAe,EACf,gBAAgB,EAChB,gBAAgB,EAChB,WAAW,EACX,YAAY,EACZ,cAAc,GACf,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAkCzD,MAAM,SAAS,GAAG,eAAe,CAC/B,4DAA4D,CAC7D,CAAC;AACF,MAAM,iBAAiB,GAAG,eAAe,CACvC,sDAAsD,CACvD,CAAC;AACF,MAAM,WAAW,GAAG,eAAe,CAAC,wBAAwB,CAAC,CAAC;AAC9D,MAAM,mBAAmB,GAAG,eAAe,CACzC,uCAAuC,CACxC,CAAC;AACF,MAAM,0BAA0B,GAAsB,OAAO,CAAC;AAC9D,MAAM,sBAAsB,GAAa,MAAM,CAAC;AAEhD,SAAS,UAAU,CAAC,KAAc;IAChC,OAAO,CACL,KAAK,KAAK,MAAM;QAChB,KAAK,KAAK,QAAQ;QAClB,KAAK,KAAK,gBAAgB;QAC1B,KAAK,KAAK,SAAS;QACnB,KAAK,KAAK,SAAS;QACnB,KAAK,KAAK,QAAQ;QAClB,KAAK,KAAK,MAAM,CACjB,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAc;IACzC,OAAO,CACL,KAAK,KAAK,YAAY,IAAI,KAAK,KAAK,iBAAiB,IAAI,KAAK,KAAK,OAAO,CAC3E,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,OAAO,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,KAAK,CAAC;AACxD,CAAC;AAED,SAAS,sBAAsB,CAAC,QAAyB;IACvD,IAAI,QAAQ,KAAK,SAAS;QAAE,OAAO,YAAY,CAAC;IAChD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,eAAe,CACtB,IAAuB,EACvB,eAAgC;IAEhC,IAAI,IAAI,KAAK,YAAY;QAAE,OAAO,SAAS,CAAC;IAC5C,IAAI,IAAI,KAAK,iBAAiB;QAAE,OAAO,MAAM,CAAC;IAC9C,IAAI,CAAC,eAAe,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;QACtD,OAAO,sBAAsB,CAAC;IAChC,CAAC;IACD,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,SAAS,aAAa,CAAC,QAAyB;IAC9C,IAAI,CAAC,QAAQ,IAAI,QAAQ,KAAK,SAAS;QAAE,OAAO,sBAAsB,CAAC;IACvE,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,MAAM,CAAC,iBAAiB,EAAE,oBAAoB,CAAC,GAC7C,QAAQ,CAA2B,IAAI,CAAC,CAAC;IAC3C,MAAM,CAAC,QAAQ,EAAE,WAAW,CAAC,GAAG,QAAQ,CAAW,sBAAsB,CAAC,CAAC;IAC3E,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC;IACrD,MAAM,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,GAAG,QAAQ,CACtD,IAAI,CACL,CAAC;IACF,MAAM,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,GAAG,QAAQ,CACtD,IAAI,CACL,CAAC;IACF,MAAM,CAAC,cAAc,EAAE,iBAAiB,CAAC,GAAG,QAAQ,CAAiB,IAAI,CAAC,CAAC;IAC3E,MAAM,CAAC,wBAAwB,EAAE,2BAA2B,CAAC,GAAG,QAAQ,CAEtE,IAAI,CAAC,CAAC;IACR,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC5C,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,GAAG,QAAQ,CAAgB,IAAI,CAAC,CAAC;IAChE,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IACxD,MAAM,CAAC,cAAc,EAAE,iBAAiB,CAAC,GAAG,QAAQ,CAAiB,IAAI,CAAC,CAAC;IAC3E,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAAC;IACrD,MAAM,oBAAoB,GACxB,CAAC,CAAC,aAAa,EAAE,oBAAoB;QACrC,CAAC,CAAC,aAAa,EAAE,mBAAmB,CAAC;IACvC,MAAM,mBAAmB,GACvB,CAAC,CAAC,wBAAwB,IAAI,oBAAoB,CAAC;IAErD,6DAA6D;IAC7D,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,KAAK,CAAC,iBAAiB,CAAC;aACrB,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;aACrC,IAAI,CACH,CACE,IAGQ,EACR,EAAE;YACF,IAAI,SAAS;gBAAE,OAAO;YACtB,MAAM,MAAM,GACT,IAAqC,EAAE,OAAO;gBAC9C,IAAiD,EAAE,KAAK,EAAE,OAAO,CAAC;YACrE,IAAI,OAAO,MAAM,KAAK,SAAS;gBAAE,iBAAiB,CAAC,MAAM,CAAC,CAAC;;gBACtD,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,qCAAqC;QACrE,CAAC,CACF;aACA,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,SAAS,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;QACtD,OAAO,GAAG,EAAE;YACV,SAAS,GAAG,IAAI,CAAC;QACnB,CAAC,CAAC;IACJ,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,cAAc,KAAK,IAAI;YAAE,OAAO;QACpC,IAAI,aAAa,EAAE,UAAU,KAAK,SAAS,EAAE,CAAC;YAC5C,iBAAiB,CAAC,CAAC,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,EAAE,CAAC,aAAa,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC;IAEhD,MAAM,aAAa,GAAG,KAAK,EAAE,IAAa,EAAE,EAAE;QAC5C,MAAM,QAAQ,GAAG,cAAc,CAAC;QAChC,iBAAiB,CAAC,IAAI,CAAC,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,iBAAiB,EAAE;gBACzC,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;aACxC,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC,CAAC;IAEF,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,KAAK,CAAC,SAAS,CAAC;aACb,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;aACrC,IAAI,CAAC,CAAC,IAAsC,EAAE,EAAE;YAC/C,IAAI,SAAS;gBAAE,OAAO;YACtB,MAAM,KAAK,GACR,IAAiC,EAAE,KAAK,IAAK,IAAqB,CAAC;YACtE,MAAM,CAAC,GAAG,iBAAiB,CACxB,IAAqB,EAAE,QAAQ;gBAC7B,IAAiC,EAAE,KAAK,EAAE,QAAQ,CACtD,CAAC;YACF,MAAM,UAAU,GAAG,mBAAmB,CAAC,KAAK,EAAE,iBAAiB,CAAC;gBAC9D,CAAC,CAAC,KAAK,CAAC,iBAAiB;gBACzB,CAAC,CAAC,IAAI,CAAC;YACT,MAAM,IAAI,GACR,UAAU;gBACV,CAAC,CAAC,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC;YAC/D,MAAM,iBAAiB,GACpB,IAAqB,EAAE,YAAY;gBACnC,IAAiC,EAAE,KAAK,EAAE,YAAY,CAAC;YAC1D,oBAAoB,CAAC,IAAI,CAAC,CAAC;YAC3B,WAAW,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACtC,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;gBAC1C,eAAe,CAAC,iBAAiB,CAAC,CAAC;YACrC,CAAC;QACH,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,EAAE;YACV,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,oBAAoB,CAAC,0BAA0B,CAAC,CAAC;gBACjD,WAAW,CAAC,sBAAsB,CAAC,CAAC;YACtC,CAAC;QACH,CAAC,CAAC,CAAC;QACL,OAAO,GAAG,EAAE;YACV,SAAS,GAAG,IAAI,CAAC;QACnB,CAAC,CAAC;IACJ,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,KAAK,CAAC,mBAAmB,CAAC;aACvB,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;aACrC,IAAI,CAAC,CAAC,MAA6B,EAAE,EAAE;YACtC,IAAI,SAAS;gBAAE,OAAO;YACtB,IAAI,MAAM,EAAE,CAAC;gBACX,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;gBACnC,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;gBACnC,iBAAiB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAC/B,2BAA2B,CAAC,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;gBACrD,OAAO;YACT,CAAC;YACD,OAAO,KAAK,CAAC,WAAW,CAAC;iBACtB,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;iBACnC,IAAI,CAAC,CAAC,IAAoB,EAAE,EAAE;gBAC7B,IAAI,SAAS;oBAAE,OAAO;gBACtB,MAAM,IAAI,GAAG,CAAC,GAAW,EAAE,EAAE,CAC3B,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC/D,mBAAmB,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,MAAM,KAAK,KAAK,CAAC,CAAC;gBAC9D,mBAAmB,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,MAAM,KAAK,KAAK,CAAC,CAAC;gBAC9D,iBAAiB,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,MAAM,KAAK,KAAK,CAAC,CAAC;gBAC1D,2BAA2B,CACzB,IAAI,CAAC,gCAAgC,CAAC,EAAE,MAAM,KAAK,KAAK,CACzD,CAAC;YACJ,CAAC,CAAC,CAAC;QACP,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,EAAE;YACV,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,mBAAmB,CAAC,KAAK,CAAC,CAAC;gBAC3B,mBAAmB,CAAC,KAAK,CAAC,CAAC;gBAC3B,iBAAiB,CAAC,KAAK,CAAC,CAAC;gBACzB,2BAA2B,CAAC,KAAK,CAAC,CAAC;YACrC,CAAC;QACH,CAAC,CAAC,CAAC;QACL,OAAO,GAAG,EAAE;YACV,SAAS,GAAG,IAAI,CAAC;QACnB,CAAC,CAAC;IACJ,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,MAAM,OAAO,GAAG,WAAW,CACzB,KAAK,EACH,QAA2B,EAC3B,YAAsB,EACtB,gBAAwB,EACxB,QAIC,EACD,EAAE;QACF,SAAS,CAAC,IAAI,CAAC,CAAC;QAChB,YAAY,CAAC,IAAI,CAAC,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;gBACjC,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,iBAAiB,EAAE,QAAQ;oBAC3B,QAAQ,EAAE,YAAY;oBACtB,YAAY,EAAE,gBAAgB,CAAC,IAAI,EAAE;iBACtC,CAAC;aACH,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,+DAA+D;YAC/D,oBAAoB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;YACjD,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC/B,eAAe,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YACvC,YAAY,CACV,kBAAmB,GAAa,EAAE,OAAO,IAAI,eAAe,cAAc,CAC3E,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,SAAS,CAAC,KAAK,CAAC,CAAC;QACnB,CAAC;IACH,CAAC,EACD,EAAE,CACH,CAAC;IAEF,MAAM,QAAQ,GAAG,CAAC,GAAW,EAAE,EAAE;QAC/B,IAAI,OAAO,MAAM,KAAK,WAAW;YAAE,OAAO;QAC1C,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,YAAY,GAAG,EAAE,CAAC;IAC3C,CAAC,CAAC;IAEF,MAAM,YAAY,GAAG,CAAC,IAAuB,EAAE,EAAE;QAC/C,IAAI,IAAI,KAAK,iBAAiB;YAAE,OAAO;QACvC,IAAI,IAAI,KAAK,iBAAiB,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACvD,eAAe,CAAC,IAAI,CAAC,CAAC;YACtB,IAAI,CAAC,wBAAwB,EAAE,CAAC;gBAC9B,QAAQ,CAAC,gCAAgC,CAAC,CAAC;YAC7C,CAAC;iBAAM,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBACjC,kBAAkB,EAAE,CAAC;YACvB,CAAC;YACD,OAAO;QACT,CAAC;QACD,MAAM,QAAQ,GAAG,EAAE,iBAAiB,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;QAC/D,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QACrD,oBAAoB,CAAC,IAAI,CAAC,CAAC;QAC3B,WAAW,CAAC,YAAY,CAAC,CAAC;QAC1B,KAAK,OAAO,CAAC,IAAI,EAAE,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;IAC3D,CAAC,CAAC;IAEF,MAAM,kBAAkB,GAAG,GAAG,EAAE;QAC9B,IAAI,OAAO,MAAM,KAAK,WAAW;YAAE,OAAO;QAC1C,MAAM,GAAG,GAAG,IAAI,GAAG,CACjB,eAAe,CAAC,gCAAgC,CAAC,EACjD,MAAM,CAAC,QAAQ,CAAC,MAAM,CACvB,CAAC,IAAI,CAAC;QACP,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,0CAA0C,CAAC,CAAC;IACzE,CAAC,CAAC;IAEF,MAAM,mBAAmB,GAAG,CAAC,IAAc,EAAE,EAAE;QAC7C,MAAM,YAAY,GAAG,aAAa,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;QAC5D,IAAI,iBAAiB,KAAK,OAAO,IAAI,YAAY,KAAK,QAAQ;YAAE,OAAO;QACvE,MAAM,QAAQ,GAAG,EAAE,iBAAiB,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;QAC/D,oBAAoB,CAAC,OAAO,CAAC,CAAC;QAC9B,WAAW,CAAC,YAAY,CAAC,CAAC;QAC1B,KAAK,OAAO,CAAC,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;IAC9D,CAAC,CAAC;IAEF,MAAM,kBAAkB,GAAG,CAAC,IAAY,EAAE,EAAE;QAC1C,MAAM,QAAQ,GAAG,EAAE,iBAAiB,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;QAC/D,eAAe,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,iBAAiB,EAAE,CAAC;YACtB,KAAK,OAAO,CAAC,iBAAiB,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC,CAAC;IAEF,IAAI,iBAAiB,KAAK,IAAI,EAAE,CAAC;QAC/B,OAAO,CACL,eAAK,SAAS,EAAC,6DAA6D,aAC1E,KAAC,WAAW,IAAC,IAAI,EAAE,EAAE,EAAE,SAAS,EAAC,cAAc,GAAG,qBAE9C,CACP,CAAC;IACJ,CAAC;IAED,OAAO,CACL,eAAK,SAAS,EAAC,WAAW,aACxB,eAAK,SAAS,EAAC,mDAAmD,aAChE,cAAK,SAAS,EAAC,oDAAoD,YACjE,0BACE,cAAK,SAAS,EAAC,yCAAyC,mCAElD,EACN,YAAG,SAAS,EAAC,0CAA0C,gGAGnD,IACA,GACF,EACN,eAAK,SAAS,EAAC,WAAW,aACxB,KAAC,cAAc,IACb,EAAE,EAAC,YAAY,EACf,QAAQ,EAAE,iBAAiB,KAAK,YAAY,EAC5C,QAAQ,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,CAAC,EAC1C,KAAK,EAAC,YAAY,EAClB,QAAQ,EAAC,wGAAwG,EACjH,SAAS,EACP,eAAM,SAAS,EAAC,mCAAmC,8BAE5C,GAET,EACF,KAAC,cAAc,IACb,EAAE,EAAC,iBAAiB,EACpB,QAAQ,EAAE,iBAAiB,KAAK,iBAAiB,EACjD,QAAQ,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,iBAAiB,CAAC,EAC/C,QAAQ,EAAE,CAAC,mBAAmB,EAC9B,KAAK,EAAC,iBAAiB,EACvB,QAAQ,EACN,mBAAmB;oCACjB,CAAC,CAAC,mFAAmF;oCACrF,CAAC,CAAC,wBAAwB;wCACxB,CAAC,CAAC,8FAA8F;wCAChG,CAAC,CAAC,kFAAkF,EAE1F,SAAS,EACP,mBAAmB,CAAC,CAAC,CAAC,CACpB,gBAAM,SAAS,EAAC,oDAAoD,aAClE,KAAC,SAAS,IAAC,IAAI,EAAE,EAAE,GAAI,aAElB,CACR,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,CAC7B,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,kBAAkB,EAAE,CAAC;oCACvB,CAAC,EACD,SAAS,EAAC,oJAAoJ,mCAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,CAAC,CAAC,CAAC,CACF,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,eAAe,CAAC,IAAI,CAAC,CAAC;wCACtB,QAAQ,CAAC,gCAAgC,CAAC,CAAC;oCAC7C,CAAC,EACD,SAAS,EAAC,oJAAoJ,0BAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,GAEH,EACF,KAAC,cAAc,IACb,EAAE,EAAC,OAAO,EACV,QAAQ,EAAE,iBAAiB,KAAK,OAAO,EACvC,QAAQ,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,EACrC,KAAK,EAAC,OAAO,EACb,QAAQ,EAAC,0GAA0G,GACnH,EACF,KAAC,iBAAiB,KAAG,IACjB,IACF,EAEN,eAAK,SAAS,EAAC,iGAAiG,aAC9G,eAAK,SAAS,EAAC,SAAS,aACtB,cAAK,SAAS,EAAC,yCAAyC,2BAElD,EACN,YAAG,SAAS,EAAC,0CAA0C,2JAInD,IACA,EACN,eAAK,SAAS,EAAC,wCAAwC,aACrD,iBACE,IAAI,EAAC,QAAQ,EACb,IAAI,EAAC,QAAQ,kBACC,CAAC,CAAC,cAAc,EAC9B,OAAO,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,CAAC,cAAc,CAAC;gCAC7C,6CAA6C;gCAC7C,SAAS,EAAE,oGACT,cAAc;oCACZ,CAAC,CAAC,YAAY;oCACd,CAAC,CAAC,qDACN,EAAE,YAEF,eACE,SAAS,EAAE,kFACT,cAAc,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,iBACvC,EAAE,GACF,GACK,EACR,cAAc,IAAI,CACjB,eAAM,SAAS,EAAC,mCAAmC,YAChD,aAAa,EAAE,UAAU;oCACxB,CAAC,CAAC,eAAe;oCACjB,CAAC,CAAC,gBAAgB;wCAChB,CAAC,CAAC,gBAAgB;wCAClB,CAAC,CAAC,WAAW,GACZ,CACR,IACG,IACF,EAEN,eAAK,SAAS,EAAC,+CAA+C,aAC5D,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EACzC,SAAS,EAAC,2EAA2E,aAErF,gBAAM,SAAS,EAAC,wEAAwE,aACrF,YAAY,CAAC,CAAC,CAAC,CACd,KAAC,eAAe,IAAC,IAAI,EAAE,EAAE,GAAI,CAC9B,CAAC,CAAC,CAAC,CACF,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,CAC/B,oBAEI,EACP,eAAM,SAAS,EAAC,mCAAmC,mEAE5C,IACA,EAER,YAAY,IAAI,CACf,eAAK,SAAS,EAAC,qBAAqB,aAClC,KAAC,cAAc,IACb,EAAE,EAAC,wBAAwB,EAC3B,QAAQ,EAAE,iBAAiB,KAAK,iBAAiB,EACjD,QAAQ,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,iBAAiB,CAAC,EAC/C,QAAQ,EAAE,CAAC,mBAAmB,EAC9B,KAAK,EAAC,uCAAuC,EAC7C,QAAQ,EACN,wBAAwB;oCACtB,CAAC,CAAC,8FAA8F;oCAChG,CAAC,CAAC,yFAAyF,EAE/F,SAAS,EACP,wBAAwB;oCACxB,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAClC,gBAAM,SAAS,EAAC,oDAAoD,aAClE,KAAC,SAAS,IAAC,IAAI,EAAE,EAAE,GAAI,aAElB,CACR,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,CAC7B,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,kBAAkB,EAAE,CAAC;oCACvB,CAAC,EACD,SAAS,EAAC,oJAAoJ,mCAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,CAAC,CAAC,CAAC,CACF,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,QAAQ,CAAC,gCAAgC,CAAC,CAAC;oCAC7C,CAAC,EACD,SAAS,EAAC,oJAAoJ,0BAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,GAEH,EAEF,KAAC,cAAc,IACb,EAAE,EAAC,MAAM,EACT,QAAQ,EAAE,iBAAiB,KAAK,OAAO,IAAI,QAAQ,KAAK,MAAM,EAC9D,QAAQ,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAC3C,KAAK,EAAC,0BAA0B,EAChC,QAAQ,EAAC,mFAAmF,GAC5F,EAEF,KAAC,cAAc,IACb,EAAE,EAAC,gBAAgB,EACnB,QAAQ,EACN,iBAAiB,KAAK,OAAO,IAAI,QAAQ,KAAK,gBAAgB,EAEhE,QAAQ,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,gBAAgB,CAAC,EACrD,QAAQ,EAAE,CAAC,aAAa,EAAE,UAAU,EACpC,KAAK,EAAC,oBAAoB,EAC1B,QAAQ,EACN,aAAa,EAAE,UAAU;oCACvB,CAAC,CAAC,2EAA2E;oCAC7E,CAAC,CAAC,gGAAgG,EAEtG,SAAS,EACP,aAAa,EAAE,UAAU,CAAC,CAAC,CAAC,CAC1B,gBAAM,SAAS,EAAC,oDAAoD,aAClE,KAAC,SAAS,IAAC,IAAI,EAAE,EAAE,GAAI,iBAElB,CACR,CAAC,CAAC,CAAC,CACF,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,kBAAkB,EAAE,CAAC;oCACvB,CAAC,EACD,SAAS,EAAC,oJAAoJ,mCAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,GAEH,EAEF,KAAC,cAAc,IACb,EAAE,EAAC,QAAQ,EACX,QAAQ,EAAE,iBAAiB,KAAK,OAAO,IAAI,QAAQ,KAAK,QAAQ,EAChE,QAAQ,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,QAAQ,CAAC,EAC7C,KAAK,EAAC,eAAe,EACrB,QAAQ,EAAC,qEAAqE,EAC9E,SAAS,EACP,gBAAgB,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,CACpD,gBAAM,SAAS,EAAC,oDAAoD,aAClE,KAAC,SAAS,IAAC,IAAI,EAAE,EAAE,GAAI,eAElB,CACR,CAAC,CAAC,CAAC,CACF,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,QAAQ,CAAC,gBAAgB,CAAC,CAAC;oCAC7B,CAAC,EACD,SAAS,EAAC,oJAAoJ,wBAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,GAEH,EAEF,KAAC,cAAc,IACb,EAAE,EAAC,QAAQ,EACX,QAAQ,EAAE,iBAAiB,KAAK,OAAO,IAAI,QAAQ,KAAK,QAAQ,EAChE,QAAQ,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,QAAQ,CAAC,EAC7C,KAAK,EAAC,gBAAgB,EACtB,QAAQ,EAAC,qDAAqD,EAC9D,SAAS,EACP,gBAAgB,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,CACpD,gBAAM,SAAS,EAAC,oDAAoD,aAClE,KAAC,SAAS,IAAC,IAAI,EAAE,EAAE,GAAI,eAElB,CACR,CAAC,CAAC,CAAC,CACF,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,QAAQ,CAAC,gBAAgB,CAAC,CAAC;oCAC7B,CAAC,EACD,SAAS,EAAC,oJAAoJ,wBAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,GAEH,EAEF,KAAC,cAAc,IACb,EAAE,EAAC,MAAM,EACT,QAAQ,EAAE,iBAAiB,KAAK,OAAO,IAAI,QAAQ,KAAK,MAAM,EAC9D,QAAQ,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAC3C,KAAK,EAAC,cAAc,EACpB,QAAQ,EAAC,uDAAuD,EAChE,SAAS,EACP,cAAc,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAChD,gBAAM,SAAS,EAAC,oDAAoD,aAClE,KAAC,SAAS,IAAC,IAAI,EAAE,EAAE,GAAI,eAElB,CACR,CAAC,CAAC,CAAC,CACF,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wCACb,CAAC,CAAC,eAAe,EAAE,CAAC;wCACpB,QAAQ,CAAC,cAAc,CAAC,CAAC;oCAC3B,CAAC,EACD,SAAS,EAAC,oJAAoJ,wBAG9J,KAAC,gBAAgB,IAAC,IAAI,EAAE,EAAE,GAAI,IACvB,CACV,GAEH,IACE,CACP,IACG,EAEL,CAAC,cAAc,IAAI,iBAAiB,KAAK,OAAO,CAAC,IAAI,CACpD,eAAK,SAAS,EAAC,0DAA0D,aACvE,gBACE,OAAO,EAAC,kCAAkC,EAC1C,SAAS,EAAC,+CAA+C,oCAGnD,EACR,mBACE,EAAE,EAAC,kCAAkC,EACrC,KAAK,EAAE,YAAY,EACnB,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,kBAAkB,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,EAC3D,WAAW,EAAC,0DAA0D,EACtE,SAAS,EAAC,mMAAmM,GAC7M,EACF,YAAG,SAAS,EAAC,wCAAwC,kEAEjD,IACA,CACP,EAEA,MAAM,IAAI,YAAG,SAAS,EAAC,mCAAmC,6BAAY,EACtE,SAAS,IAAI,CAAC,MAAM,IAAI,CACvB,YAAG,SAAS,EAAC,0BAA0B,EAAC,IAAI,EAAC,OAAO,YACjD,SAAS,GACR,CACL,IACG,CACP,CAAC;AACJ,CAAC;AAYD,SAAS,cAAc,CAAC,EACtB,EAAE,EACF,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,KAAK,EACL,QAAQ,EACR,SAAS,GACW;IACpB,MAAM,MAAM,GAAG,GAAG,EAAE;QAClB,IAAI,CAAC,QAAQ;YAAE,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC;IAEF,MAAM,SAAS,GAAG,CAAC,KAA0C,EAAE,EAAE;QAC/D,IAAI,QAAQ;YAAE,OAAO;QACrB,IAAI,KAAK,CAAC,GAAG,KAAK,OAAO,IAAI,KAAK,CAAC,GAAG,KAAK,GAAG,EAAE,CAAC;YAC/C,KAAK,CAAC,cAAc,EAAE,CAAC;YACvB,QAAQ,EAAE,CAAC;QACb,CAAC;IACH,CAAC,CAAC;IAEF,OAAO,CACL,eACE,IAAI,EAAC,QAAQ,EACb,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAC3B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,SAAS,kBACN,QAAQ,mBACP,QAAQ,IAAI,SAAS;QACpC,6CAA6C;QAC7C,SAAS,EAAE,yEACT,QAAQ;YACN,CAAC,CAAC,8BAA8B;YAChC,CAAC,CAAC,+CACN,IAAI,QAAQ,CAAC,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC,EAAE,EAAE,aAErD,eACE,SAAS,EAAE,sFACT,QAAQ;oBACN,CAAC,CAAC,2BAA2B;oBAC7B,CAAC,CAAC,0CACN,EAAE,YAED,QAAQ,IAAI,CACX,eAAM,SAAS,EAAC,gDAAgD,GAAG,CACpE,GACI,EACP,eAAK,SAAS,EAAC,gBAAgB,aAC7B,eAAK,SAAS,EAAC,yCAAyC,aACtD,cAAK,SAAS,EAAC,yCAAyC,YAAE,KAAK,GAAO,EACrE,SAAS,IAAI,cAAK,SAAS,EAAC,UAAU,YAAE,SAAS,GAAO,IACrD,EACL,QAAQ,IAAI,CACX,YAAG,SAAS,EAAC,0CAA0C,YAAE,QAAQ,GAAK,CACvE,IACG,IACF,CACP,CAAC;AACJ,CAAC;AA2BD,SAAS,iBAAiB;IACxB,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,GAAG,QAAQ,CAA0B,IAAI,CAAC,CAAC;IAElE,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,IAAI,OAAO,MAAM,KAAK,WAAW;YAAE,OAAO;QAC1C,MAAM,KAAK,GAAI,MAAuD;aACnE,mBAAmB,CAAC;QACvB,IAAI,CAAC,KAAK;YAAE,OAAO,CAAC,6BAA6B;QACjD,QAAQ,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;QAC9B,wEAAwE;QACxE,uEAAuE;QACvE,yBAAyB;QACzB,wEAAwE;QACxE,0EAA0E;QAC1E,uEAAuE;QAErE,MAAM,CAAC,kBAAkB,CAAC,sBAAgC,CAG3D;aACE,IAAI,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;YACzB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,CAAC,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAE9C,CAAC;gBACd,IAAI,SAAS;oBAAE,OAAO;gBACtB,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;oBAChC,QAAQ,CAAC;wBACP,IAAI,EAAE,aAAa;wBACnB,MAAM,EACJ,MAAM,CAAC,MAAM;4BACb,sCAAsC,MAAM,CAAC,UAAU,GAAG;qBAC7D,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBACD,gEAAgE;gBAChE,gEAAgE;gBAChE,iBAAiB;gBACjB,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,CAAC,MAAM,MAAM,CAC3B,iCAAiC,CAClC,CAAY,CAAC;oBACd,IAAI,SAAS;wBAAE,OAAO;oBACtB,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACjE,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,SAAS;wBAAE,OAAO;oBACtB,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC;oBAC9B,IAAI,mCAAmC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;wBAClD,QAAQ,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;oBACjD,CAAC;yBAAM,CAAC;wBACN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,0DAA0D;gBAC1D,qCAAqC;gBACrC,IAAI,SAAS;oBAAE,OAAO;gBACtB,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,CAAC,MAAM,MAAM,CAC3B,iCAAiC,CAClC,CAAY,CAAC;oBACd,IAAI,SAAS;wBAAE,OAAO;oBACtB,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACjE,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,SAAS;wBAAE,OAAO;oBACtB,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC;oBAC9B,IAAI,yBAAyB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;wBACxC,QAAQ,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;oBACjD,CAAC;yBAAM,CAAC;wBACN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,EAAE;YACV,qDAAqD;YACrD,IAAI,CAAC,SAAS;gBAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QACL,OAAO,GAAG,EAAE;YACV,SAAS,GAAG,IAAI,CAAC;QACnB,CAAC,CAAC;IACJ,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,EAAE;QACnC,IAAI,OAAO,MAAM,KAAK,WAAW;YAAE,OAAO;QAC1C,MAAM,KAAK,GAAI,MAAuD;aACnE,mBAAmB,CAAC;QACvB,IAAI,CAAC,KAAK;YAAE,OAAO;QACnB,wEAAwE;QACxE,0EAA0E;QAC1E,uEAAuE;QAErE,MAAM,CAAC,kBAAkB,CAAC,sBAAgC,CAG3D;aACE,IAAI,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,MAAM,CAAC,oCAAoC,CAAC,CAAC;aAClE,KAAK,CAAC,GAAG,EAAE;YACV,qDAAqD;QACvD,CAAC,CAAC,CAAC;IACP,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAEpD,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAC/B,OAAO,CACL,eAAK,SAAS,EAAC,yEAAyE,aACtF,KAAC,SAAS,IAAC,IAAI,EAAE,EAAE,EAAE,SAAS,EAAC,gBAAgB,GAAG,EAClD,6DAA4C,IACxC,CACP,CAAC;IACJ,CAAC;IAED,IAAI,KAAK,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QACjC,OAAO,CACL,eAAK,SAAS,EAAC,yEAAyE,aACtF,eACE,SAAS,EAAC,2DAA2D,wBAErE,EACF,wGAEO,IACH,CACP,CAAC;IACJ,CAAC;IAED,SAAS;IACT,OAAO,CACL,eAAK,SAAS,EAAC,wEAAwE,aACrF,KAAC,eAAe,IAAC,IAAI,EAAE,EAAE,EAAE,SAAS,EAAC,kCAAkC,GAAG,EAC1E,eAAK,SAAS,EAAC,QAAQ,aACrB,8FAEO,EACP,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,WAAW,EACpB,SAAS,EAAC,2JAA2J,aAErK,KAAC,YAAY,IAAC,IAAI,EAAE,EAAE,GAAI,4BAEnB,IACL,IACF,CACP,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB;IACpC,OAAO,KAAC,cAAc,IAAC,IAAI,EAAE,EAAE,GAAI,CAAC;AACtC,CAAC","sourcesContent":["/**\n * <VoiceTranscriptionSection /> — source + cleanup settings for voice input.\n *\n * Writes the selection to application_state under `voice-transcription-prefs`\n * so the composer's `useVoiceDictation` hook picks it up on next record. The\n * legacy `provider` field is still written alongside `transcriptionMode` so\n * older clients continue to normalize safely.\n *\n * Provider status comes from `/_agent-native/voice-providers/status`, which\n * mirrors the server transcription route's key/env resolution.\n */\n\nimport React, { useCallback, useEffect, useState } from \"react\";\nimport { agentNativePath } from \"../api-path.js\";\nimport {\n IconAlertCircle,\n IconCheck,\n IconChevronDown,\n IconChevronRight,\n IconExternalLink,\n IconLoader2,\n IconLockOpen,\n IconMicrophone,\n} from \"@tabler/icons-react\";\nimport { useBuilderStatus } from \"./useBuilderStatus.js\";\n\ntype TranscriptionMode = \"mac-native\" | \"google-realtime\" | \"batch\";\n\ntype Provider =\n | \"auto\"\n | \"openai\"\n | \"builder-gemini\"\n | \"builder\"\n | \"browser\"\n | \"gemini\"\n | \"groq\";\n\ninterface Prefs {\n transcriptionMode?: TranscriptionMode;\n provider?: Provider;\n instructions?: string;\n}\n\ninterface SecretStatus {\n key: string;\n status: \"set\" | \"unset\" | \"invalid\";\n}\n\ninterface ProviderStatus {\n builder: boolean;\n gemini: boolean;\n openai: boolean;\n groq: boolean;\n googleRealtime?: boolean;\n browser: true;\n native?: true;\n}\n\nconst PREFS_URL = agentNativePath(\n \"/_agent-native/application-state/voice-transcription-prefs\",\n);\nconst CLEANUP_PREFS_URL = agentNativePath(\n \"/_agent-native/application-state/voice-cleanup-prefs\",\n);\nconst SECRETS_URL = agentNativePath(\"/_agent-native/secrets\");\nconst PROVIDER_STATUS_URL = agentNativePath(\n \"/_agent-native/voice-providers/status\",\n);\nconst DEFAULT_TRANSCRIPTION_MODE: TranscriptionMode = \"batch\";\nconst DEFAULT_BATCH_PROVIDER: Provider = \"auto\";\n\nfunction isProvider(value: unknown): value is Provider {\n return (\n value === \"auto\" ||\n value === \"openai\" ||\n value === \"builder-gemini\" ||\n value === \"builder\" ||\n value === \"browser\" ||\n value === \"gemini\" ||\n value === \"groq\"\n );\n}\n\nfunction isTranscriptionMode(value: unknown): value is TranscriptionMode {\n return (\n value === \"mac-native\" || value === \"google-realtime\" || value === \"batch\"\n );\n}\n\nfunction normalizeProvider(value: unknown): Provider | null {\n if (!isProvider(value)) return null;\n return value === \"builder\" ? \"builder-gemini\" : value;\n}\n\nfunction legacyModeFromProvider(provider: Provider | null): TranscriptionMode {\n if (provider === \"browser\") return \"mac-native\";\n return \"batch\";\n}\n\nfunction providerForMode(\n mode: TranscriptionMode,\n currentProvider: Provider | null,\n): Provider {\n if (mode === \"mac-native\") return \"browser\";\n if (mode === \"google-realtime\") return \"auto\";\n if (!currentProvider || currentProvider === \"browser\") {\n return DEFAULT_BATCH_PROVIDER;\n }\n return currentProvider;\n}\n\nfunction batchProvider(provider: Provider | null): Provider {\n if (!provider || provider === \"browser\") return DEFAULT_BATCH_PROVIDER;\n return provider;\n}\n\nexport function VoiceTranscriptionSection() {\n const [transcriptionMode, setTranscriptionMode] =\n useState<TranscriptionMode | null>(null);\n const [provider, setProvider] = useState<Provider>(DEFAULT_BATCH_PROVIDER);\n const [instructions, setInstructions] = useState(\"\");\n const [openAiConfigured, setOpenAiConfigured] = useState<boolean | null>(\n null,\n );\n const [geminiConfigured, setGeminiConfigured] = useState<boolean | null>(\n null,\n );\n const [groqConfigured, setGroqConfigured] = useState<boolean | null>(null);\n const [googleRealtimeConfigured, setGoogleRealtimeConfigured] = useState<\n boolean | null\n >(null);\n const [saving, setSaving] = useState(false);\n const [saveError, setSaveError] = useState<string | null>(null);\n const [showAdvanced, setShowAdvanced] = useState(false);\n const [cleanupEnabled, setCleanupEnabled] = useState<boolean | null>(null);\n const { status: builderStatus } = useBuilderStatus();\n const builderRealtimeReady =\n !!builderStatus?.privateKeyConfigured &&\n !!builderStatus?.publicKeyConfigured;\n const googleRealtimeReady =\n !!googleRealtimeConfigured && builderRealtimeReady;\n\n // Read cleanup pref (default: true if Builder is connected).\n useEffect(() => {\n let cancelled = false;\n fetch(CLEANUP_PREFS_URL)\n .then((r) => (r.ok ? r.json() : null))\n .then(\n (\n body:\n | { enabled?: boolean }\n | { value?: { enabled?: boolean } }\n | null,\n ) => {\n if (cancelled) return;\n const stored =\n (body as { enabled?: boolean } | null)?.enabled ??\n (body as { value?: { enabled?: boolean } } | null)?.value?.enabled;\n if (typeof stored === \"boolean\") setCleanupEnabled(stored);\n else setCleanupEnabled(null); // resolve once builderStatus arrives\n },\n )\n .catch(() => !cancelled && setCleanupEnabled(null));\n return () => {\n cancelled = true;\n };\n }, []);\n\n useEffect(() => {\n if (cleanupEnabled !== null) return;\n if (builderStatus?.configured !== undefined) {\n setCleanupEnabled(!!builderStatus.configured);\n }\n }, [builderStatus?.configured, cleanupEnabled]);\n\n const toggleCleanup = async (next: boolean) => {\n const previous = cleanupEnabled;\n setCleanupEnabled(next);\n try {\n const res = await fetch(CLEANUP_PREFS_URL, {\n method: \"PUT\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ enabled: next }),\n });\n if (!res.ok) {\n throw new Error(`HTTP ${res.status}`);\n }\n } catch {\n setCleanupEnabled(previous);\n }\n };\n\n useEffect(() => {\n let cancelled = false;\n fetch(PREFS_URL)\n .then((r) => (r.ok ? r.json() : null))\n .then((body: Prefs | { value?: Prefs } | null) => {\n if (cancelled) return;\n const value =\n (body as { value?: Prefs } | null)?.value ?? (body as Prefs | null);\n const p = normalizeProvider(\n (body as Prefs | null)?.provider ??\n (body as { value?: Prefs } | null)?.value?.provider,\n );\n const storedMode = isTranscriptionMode(value?.transcriptionMode)\n ? value.transcriptionMode\n : null;\n const mode =\n storedMode ??\n (p ? legacyModeFromProvider(p) : DEFAULT_TRANSCRIPTION_MODE);\n const savedInstructions =\n (body as Prefs | null)?.instructions ??\n (body as { value?: Prefs } | null)?.value?.instructions;\n setTranscriptionMode(mode);\n setProvider(providerForMode(mode, p));\n if (typeof savedInstructions === \"string\") {\n setInstructions(savedInstructions);\n }\n })\n .catch(() => {\n if (!cancelled) {\n setTranscriptionMode(DEFAULT_TRANSCRIPTION_MODE);\n setProvider(DEFAULT_BATCH_PROVIDER);\n }\n });\n return () => {\n cancelled = true;\n };\n }, []);\n\n useEffect(() => {\n let cancelled = false;\n fetch(PROVIDER_STATUS_URL)\n .then((r) => (r.ok ? r.json() : null))\n .then((status: ProviderStatus | null) => {\n if (cancelled) return;\n if (status) {\n setOpenAiConfigured(status.openai);\n setGeminiConfigured(status.gemini);\n setGroqConfigured(status.groq);\n setGoogleRealtimeConfigured(!!status.googleRealtime);\n return;\n }\n return fetch(SECRETS_URL)\n .then((r) => (r.ok ? r.json() : []))\n .then((list: SecretStatus[]) => {\n if (cancelled) return;\n const find = (key: string) =>\n Array.isArray(list) ? list.find((s) => s.key === key) : null;\n setOpenAiConfigured(find(\"OPENAI_API_KEY\")?.status === \"set\");\n setGeminiConfigured(find(\"GEMINI_API_KEY\")?.status === \"set\");\n setGroqConfigured(find(\"GROQ_API_KEY\")?.status === \"set\");\n setGoogleRealtimeConfigured(\n find(\"GOOGLE_APPLICATION_CREDENTIALS\")?.status === \"set\",\n );\n });\n })\n .catch(() => {\n if (!cancelled) {\n setOpenAiConfigured(false);\n setGeminiConfigured(false);\n setGroqConfigured(false);\n setGoogleRealtimeConfigured(false);\n }\n });\n return () => {\n cancelled = true;\n };\n }, []);\n\n const persist = useCallback(\n async (\n nextMode: TranscriptionMode,\n nextProvider: Provider,\n nextInstructions: string,\n previous: {\n transcriptionMode: TranscriptionMode | null;\n provider: Provider;\n instructions: string;\n },\n ) => {\n setSaving(true);\n setSaveError(null);\n try {\n const res = await fetch(PREFS_URL, {\n method: \"PUT\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({\n transcriptionMode: nextMode,\n provider: nextProvider,\n instructions: nextInstructions.trim(),\n }),\n });\n if (!res.ok) {\n throw new Error(`HTTP ${res.status}`);\n }\n } catch (err) {\n // Revert the optimistic update so the UI matches server state.\n setTranscriptionMode(previous.transcriptionMode);\n setProvider(previous.provider);\n setInstructions(previous.instructions);\n setSaveError(\n `Couldn't save: ${(err as Error)?.message ?? \"network error\"}. Try again.`,\n );\n } finally {\n setSaving(false);\n }\n },\n [],\n );\n\n const focusKey = (key: string) => {\n if (typeof window === \"undefined\") return;\n window.location.hash = `#secrets:${key}`;\n };\n\n const chooseSource = (next: TranscriptionMode) => {\n if (next === transcriptionMode) return;\n if (next === \"google-realtime\" && !googleRealtimeReady) {\n setShowAdvanced(true);\n if (!googleRealtimeConfigured) {\n focusKey(\"GOOGLE_APPLICATION_CREDENTIALS\");\n } else if (!builderRealtimeReady) {\n openBuilderConnect();\n }\n return;\n }\n const previous = { transcriptionMode, provider, instructions };\n const nextProvider = providerForMode(next, provider);\n setTranscriptionMode(next);\n setProvider(nextProvider);\n void persist(next, nextProvider, instructions, previous);\n };\n\n const openBuilderConnect = () => {\n if (typeof window === \"undefined\") return;\n const url = new URL(\n agentNativePath(\"/_agent-native/builder/connect\"),\n window.location.origin,\n ).href;\n window.open(url, \"_blank\", \"noopener,noreferrer,width=600,height=700\");\n };\n\n const chooseBatchProvider = (next: Provider) => {\n const nextProvider = batchProvider(normalizeProvider(next));\n if (transcriptionMode === \"batch\" && nextProvider === provider) return;\n const previous = { transcriptionMode, provider, instructions };\n setTranscriptionMode(\"batch\");\n setProvider(nextProvider);\n void persist(\"batch\", nextProvider, instructions, previous);\n };\n\n const updateInstructions = (next: string) => {\n const previous = { transcriptionMode, provider, instructions };\n setInstructions(next);\n if (transcriptionMode) {\n void persist(transcriptionMode, provider, next, previous);\n }\n };\n\n if (transcriptionMode === null) {\n return (\n <div className=\"flex items-center gap-1.5 text-[10px] text-muted-foreground\">\n <IconLoader2 size={10} className=\"animate-spin\" />\n Loading…\n </div>\n );\n }\n\n return (\n <div className=\"space-y-2\">\n <div className=\"rounded-md border border-border bg-background p-2\">\n <div className=\"mb-2 flex items-start justify-between gap-3 px-0.5\">\n <div>\n <div className=\"text-[11px] font-medium text-foreground\">\n Live transcription\n </div>\n <p className=\"mt-0.5 text-[10px] text-muted-foreground\">\n Choose where real-time words come from. Batch still runs after\n recording stops.\n </p>\n </div>\n </div>\n <div className=\"space-y-2\">\n <ProviderOption\n id=\"mac-native\"\n selected={transcriptionMode === \"mac-native\"}\n onSelect={() => chooseSource(\"mac-native\")}\n title=\"Mac Native\"\n subtitle=\"Free and fast in the macOS Tauri app. Web clients use the existing browser-native path when available.\"\n rightSlot={\n <span className=\"text-[10px] text-muted-foreground\">\n Tauri default\n </span>\n }\n />\n <ProviderOption\n id=\"google-realtime\"\n selected={transcriptionMode === \"google-realtime\"}\n onSelect={() => chooseSource(\"google-realtime\")}\n disabled={!googleRealtimeReady}\n title=\"Google Realtime\"\n subtitle={\n googleRealtimeReady\n ? \"BYOK only for v1. Streams live partials and finals through Google Speech-to-Text.\"\n : googleRealtimeConfigured\n ? \"Google credentials are set. Connect Builder completely to mint the managed realtime session.\"\n : \"BYOK only for v1. Configure Google service account before selecting this source.\"\n }\n rightSlot={\n googleRealtimeReady ? (\n <span className=\"flex items-center gap-1 text-[10px] text-green-500\">\n <IconCheck size={10} />\n Ready\n </span>\n ) : googleRealtimeConfigured ? (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n openBuilderConnect();\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:bg-accent/40 hover:text-foreground\"\n >\n Connect Builder.io\n <IconExternalLink size={10} />\n </button>\n ) : (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n setShowAdvanced(true);\n focusKey(\"GOOGLE_APPLICATION_CREDENTIALS\");\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:bg-accent/40 hover:text-foreground\"\n >\n Configure\n <IconExternalLink size={10} />\n </button>\n )\n }\n />\n <ProviderOption\n id=\"batch\"\n selected={transcriptionMode === \"batch\"}\n onSelect={() => chooseSource(\"batch\")}\n title=\"Batch\"\n subtitle=\"Universal fallback. Sends audio after recording stops through Builder Gemini, Gemini, Groq, then OpenAI.\"\n />\n <SystemAudioStatus />\n </div>\n </div>\n\n <div className=\"flex items-start justify-between gap-3 rounded-md border border-border bg-accent/30 px-2.5 py-2\">\n <div className=\"min-w-0\">\n <div className=\"text-[11px] font-medium text-foreground\">\n AI cleanup\n </div>\n <p className=\"text-[10px] text-muted-foreground mt-0.5\">\n Polish punctuation, casing, filler words, titles, and summaries\n after capture. Builder Gemini is tried first; BYOK Gemini is the\n fallback.\n </p>\n </div>\n <div className=\"flex shrink-0 flex-col items-end gap-1\">\n <button\n type=\"button\"\n role=\"switch\"\n aria-checked={!!cleanupEnabled}\n onClick={() => toggleCleanup(!cleanupEnabled)}\n // Theme tokens; streaming agent owns layout.\n className={`relative inline-flex h-4 w-7 shrink-0 cursor-pointer items-center rounded-full transition-colors ${\n cleanupEnabled\n ? \"bg-primary\"\n : \"bg-muted-foreground/30 hover:bg-muted-foreground/50\"\n }`}\n >\n <span\n className={`inline-block h-3 w-3 transform rounded-full bg-background transition-transform ${\n cleanupEnabled ? \"translate-x-3.5\" : \"translate-x-0.5\"\n }`}\n />\n </button>\n {cleanupEnabled && (\n <span className=\"text-[10px] text-muted-foreground\">\n {builderStatus?.configured\n ? \"Builder ready\"\n : geminiConfigured\n ? \"Gemini key set\"\n : \"Needs key\"}\n </span>\n )}\n </div>\n </div>\n\n <div className=\"rounded-md border border-border bg-background\">\n <button\n type=\"button\"\n onClick={() => setShowAdvanced((v) => !v)}\n className=\"w-full flex items-center justify-between gap-2 px-2.5 py-2 cursor-pointer\"\n >\n <span className=\"text-[11px] font-medium text-foreground inline-flex items-center gap-1\">\n {showAdvanced ? (\n <IconChevronDown size={12} />\n ) : (\n <IconChevronRight size={12} />\n )}\n Add API keys\n </span>\n <span className=\"text-[10px] text-muted-foreground\">\n Google STT · Gemini · Groq · OpenAI\n </span>\n </button>\n\n {showAdvanced && (\n <div className=\"px-2 pb-2 space-y-2\">\n <ProviderOption\n id=\"google-service-account\"\n selected={transcriptionMode === \"google-realtime\"}\n onSelect={() => chooseSource(\"google-realtime\")}\n disabled={!googleRealtimeReady}\n title=\"Google Speech-to-Text service account\"\n subtitle={\n googleRealtimeConfigured\n ? \"Service-account JSON is set. Connect Builder to mint the managed realtime WebSocket session.\"\n : \"Service-account JSON for the dedicated realtime WebSocket to Google StreamingRecognize.\"\n }\n rightSlot={\n googleRealtimeConfigured ===\n null ? null : googleRealtimeReady ? (\n <span className=\"flex items-center gap-1 text-[10px] text-green-500\">\n <IconCheck size={10} />\n Ready\n </span>\n ) : googleRealtimeConfigured ? (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n openBuilderConnect();\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:text-foreground hover:bg-accent/40\"\n >\n Connect Builder.io\n <IconExternalLink size={10} />\n </button>\n ) : (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n focusKey(\"GOOGLE_APPLICATION_CREDENTIALS\");\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:text-foreground hover:bg-accent/40\"\n >\n Configure\n <IconExternalLink size={10} />\n </button>\n )\n }\n />\n\n <ProviderOption\n id=\"auto\"\n selected={transcriptionMode === \"batch\" && provider === \"auto\"}\n onSelect={() => chooseBatchProvider(\"auto\")}\n title=\"Automatic batch fallback\"\n subtitle=\"Keep the current Clips fallback chain: Builder Gemini, Gemini, Groq, then OpenAI.\"\n />\n\n <ProviderOption\n id=\"builder-gemini\"\n selected={\n transcriptionMode === \"batch\" && provider === \"builder-gemini\"\n }\n onSelect={() => chooseBatchProvider(\"builder-gemini\")}\n disabled={!builderStatus?.configured}\n title=\"Builder.io Connect\"\n subtitle={\n builderStatus?.configured\n ? \"Use Builder-hosted Gemini Flash-Lite for batch transcription and cleanup.\"\n : \"One-click connect for Gemini Flash-Lite cleanup and batch transcription. No Google key needed.\"\n }\n rightSlot={\n builderStatus?.configured ? (\n <span className=\"flex items-center gap-1 text-[10px] text-green-500\">\n <IconCheck size={10} />\n Connected\n </span>\n ) : (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n openBuilderConnect();\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:text-foreground hover:bg-accent/40\"\n >\n Connect Builder.io\n <IconExternalLink size={10} />\n </button>\n )\n }\n />\n\n <ProviderOption\n id=\"gemini\"\n selected={transcriptionMode === \"batch\" && provider === \"gemini\"}\n onSelect={() => chooseBatchProvider(\"gemini\")}\n title=\"Google Gemini\"\n subtitle=\"BYOK Gemini for AI cleanup and optional strict batch transcription.\"\n rightSlot={\n geminiConfigured === null ? null : geminiConfigured ? (\n <span className=\"flex items-center gap-1 text-[10px] text-green-500\">\n <IconCheck size={10} />\n Key set\n </span>\n ) : (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n focusKey(\"GEMINI_API_KEY\");\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:text-foreground hover:bg-accent/40\"\n >\n Add key\n <IconExternalLink size={10} />\n </button>\n )\n }\n />\n\n <ProviderOption\n id=\"openai\"\n selected={transcriptionMode === \"batch\" && provider === \"openai\"}\n onSelect={() => chooseBatchProvider(\"openai\")}\n title=\"OpenAI Whisper\"\n subtitle=\"Batch Whisper provider. Requires an OpenAI API key.\"\n rightSlot={\n openAiConfigured === null ? null : openAiConfigured ? (\n <span className=\"flex items-center gap-1 text-[10px] text-green-500\">\n <IconCheck size={10} />\n Key set\n </span>\n ) : (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n focusKey(\"OPENAI_API_KEY\");\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:text-foreground hover:bg-accent/40\"\n >\n Add key\n <IconExternalLink size={10} />\n </button>\n )\n }\n />\n\n <ProviderOption\n id=\"groq\"\n selected={transcriptionMode === \"batch\" && provider === \"groq\"}\n onSelect={() => chooseBatchProvider(\"groq\")}\n title=\"Groq Whisper\"\n subtitle=\"Fast Whisper batch provider. Requires a Groq API key.\"\n rightSlot={\n groqConfigured === null ? null : groqConfigured ? (\n <span className=\"flex items-center gap-1 text-[10px] text-green-500\">\n <IconCheck size={10} />\n Key set\n </span>\n ) : (\n <button\n type=\"button\"\n onClick={(e) => {\n e.stopPropagation();\n focusKey(\"GROQ_API_KEY\");\n }}\n className=\"inline-flex items-center gap-1 rounded border border-border px-2 py-0.5 text-[10px] text-muted-foreground hover:text-foreground hover:bg-accent/40\"\n >\n Add key\n <IconExternalLink size={10} />\n </button>\n )\n }\n />\n </div>\n )}\n </div>\n\n {(cleanupEnabled || transcriptionMode === \"batch\") && (\n <div className=\"rounded-md border border-border bg-accent/20 px-2.5 py-2\">\n <label\n htmlFor=\"voice-transcription-instructions\"\n className=\"block text-[10px] font-medium text-foreground\"\n >\n Custom instructions\n </label>\n <textarea\n id=\"voice-transcription-instructions\"\n value={instructions}\n onChange={(event) => updateInstructions(event.target.value)}\n placeholder=\"Names, casing, punctuation, style, or terms to preserve.\"\n className=\"mt-1 min-h-16 w-full resize-y rounded border border-border bg-background px-2 py-1.5 text-[11px] text-foreground outline-none placeholder:text-muted-foreground/50 focus:ring-1 focus:ring-accent\"\n />\n <p className=\"mt-1 text-[10px] text-muted-foreground\">\n Included with batch transcription and AI cleanup.\n </p>\n </div>\n )}\n\n {saving && <p className=\"text-[10px] text-muted-foreground\">Saving…</p>}\n {saveError && !saving && (\n <p className=\"text-[10px] text-red-500\" role=\"alert\">\n {saveError}\n </p>\n )}\n </div>\n );\n}\n\ninterface ProviderOptionProps {\n id: string;\n selected: boolean;\n disabled?: boolean;\n onSelect: () => void;\n title: string;\n subtitle?: React.ReactNode;\n rightSlot?: React.ReactNode;\n}\n\nfunction ProviderOption({\n id,\n selected,\n disabled,\n onSelect,\n title,\n subtitle,\n rightSlot,\n}: ProviderOptionProps) {\n const select = () => {\n if (!disabled) onSelect();\n };\n\n const onKeyDown = (event: React.KeyboardEvent<HTMLDivElement>) => {\n if (disabled) return;\n if (event.key === \"Enter\" || event.key === \" \") {\n event.preventDefault();\n onSelect();\n }\n };\n\n return (\n <div\n role=\"button\"\n tabIndex={disabled ? -1 : 0}\n onClick={select}\n onKeyDown={onKeyDown}\n aria-pressed={selected}\n aria-disabled={disabled || undefined}\n // Theme tokens; streaming agent owns layout.\n className={`w-full text-left rounded-md border px-2.5 py-2 flex items-start gap-2 ${\n selected\n ? \"border-primary bg-primary/10\"\n : \"border-border bg-accent/30 hover:bg-accent/50\"\n } ${disabled ? \"opacity-60 cursor-not-allowed\" : \"\"}`}\n >\n <span\n className={`mt-[2px] shrink-0 flex h-3.5 w-3.5 items-center justify-center rounded-full border ${\n selected\n ? \"border-primary bg-primary\"\n : \"border-muted-foreground/40 bg-background\"\n }`}\n >\n {selected && (\n <span className=\"h-1.5 w-1.5 rounded-full bg-primary-foreground\" />\n )}\n </span>\n <div className=\"min-w-0 flex-1\">\n <div className=\"flex items-center justify-between gap-2\">\n <div className=\"text-[11px] font-medium text-foreground\">{title}</div>\n {rightSlot && <div className=\"shrink-0\">{rightSlot}</div>}\n </div>\n {subtitle && (\n <p className=\"text-[10px] text-muted-foreground mt-0.5\">{subtitle}</p>\n )}\n </div>\n </div>\n );\n}\n\n/**\n * Surfaces the desktop app's system-audio capture readiness inside the live\n * transcription box. Renders nothing in non-Tauri contexts (web users) so the\n * existing browser-only flow is unaffected. The Rust side\n * (`templates/clips/desktop/src-tauri/src/system_audio.rs`) returns either a\n * structured `VersionStatus` via `system_audio_version_status` (preferred,\n * no error-string parsing) or an unsupported-OS error from\n * `system_audio_request_permission`. We surface three states:\n *\n * - macOS 13+ + permission granted -> green check (\"System audio capture available\")\n * - macOS < 13 -> red dot (\"...requires macOS 13 or later\")\n * - permission denied / pending -> amber + \"Open System Settings\" affordance\n */\ntype SystemAudioState =\n | { kind: \"loading\" }\n | { kind: \"available\" }\n | { kind: \"unsupported\"; reason: string }\n | { kind: \"denied\" };\n\ninterface VersionStatusPayload {\n supported: boolean;\n os_version: string;\n reason?: string;\n}\n\nfunction SystemAudioStatus() {\n const [state, setState] = useState<SystemAudioState | null>(null);\n\n useEffect(() => {\n let cancelled = false;\n if (typeof window === \"undefined\") return;\n const tauri = (window as unknown as { __TAURI_INTERNALS__?: unknown })\n .__TAURI_INTERNALS__;\n if (!tauri) return; // Web users: render nothing.\n setState({ kind: \"loading\" });\n // Dynamic import keeps `@tauri-apps/api` out of the web bundle's static\n // graph; it is only resolved inside the desktop shell where the dep is\n // present at build time.\n // Cast to suppress missing types — `@tauri-apps/api` is a desktop-shell\n // dep, not a static dep of `packages/core`. Resolves at runtime only when\n // we're inside Tauri (gated by the `__TAURI_INTERNALS__` check above).\n (\n import(/* @vite-ignore */ \"@tauri-apps/api/core\" as string) as Promise<{\n invoke: (cmd: string, args?: unknown) => Promise<unknown>;\n }>\n )\n .then(async ({ invoke }) => {\n try {\n const status = (await invoke(\"system_audio_version_status\")) as\n | VersionStatusPayload\n | undefined;\n if (cancelled) return;\n if (status && !status.supported) {\n setState({\n kind: \"unsupported\",\n reason:\n status.reason ??\n `ScreenCaptureKit is unavailable on ${status.os_version}.`,\n });\n return;\n }\n // Supported — now probe permission. This may prompt; calling it\n // here matches the original on-mount semantics requested in the\n // settings flow.\n try {\n const granted = (await invoke(\n \"system_audio_request_permission\",\n )) as boolean;\n if (cancelled) return;\n setState(granted ? { kind: \"available\" } : { kind: \"denied\" });\n } catch (err) {\n if (cancelled) return;\n const msg = String(err ?? \"\");\n if (/macOS\\s*1[0-2]|requires macOS 13/i.test(msg)) {\n setState({ kind: \"unsupported\", reason: msg });\n } else {\n setState({ kind: \"denied\" });\n }\n }\n } catch {\n // Older desktop builds may not have the new command yet —\n // fall back to the permission probe.\n if (cancelled) return;\n try {\n const granted = (await invoke(\n \"system_audio_request_permission\",\n )) as boolean;\n if (cancelled) return;\n setState(granted ? { kind: \"available\" } : { kind: \"denied\" });\n } catch (err) {\n if (cancelled) return;\n const msg = String(err ?? \"\");\n if (/macOS|ScreenCaptureKit/i.test(msg)) {\n setState({ kind: \"unsupported\", reason: msg });\n } else {\n setState({ kind: \"denied\" });\n }\n }\n }\n })\n .catch(() => {\n // @tauri-apps/api not resolvable -> behave like web.\n if (!cancelled) setState(null);\n });\n return () => {\n cancelled = true;\n };\n }, []);\n\n const openPrivacy = useCallback(() => {\n if (typeof window === \"undefined\") return;\n const tauri = (window as unknown as { __TAURI_INTERNALS__?: unknown })\n .__TAURI_INTERNALS__;\n if (!tauri) return;\n // Cast to suppress missing types — `@tauri-apps/api` is a desktop-shell\n // dep, not a static dep of `packages/core`. Resolves at runtime only when\n // we're inside Tauri (gated by the `__TAURI_INTERNALS__` check above).\n (\n import(/* @vite-ignore */ \"@tauri-apps/api/core\" as string) as Promise<{\n invoke: (cmd: string, args?: unknown) => Promise<unknown>;\n }>\n )\n .then(({ invoke }) => invoke(\"system_audio_open_privacy_settings\"))\n .catch(() => {\n // Older desktop builds without this command — no-op.\n });\n }, []);\n\n if (!state || state.kind === \"loading\") return null;\n\n if (state.kind === \"available\") {\n return (\n <div className=\"flex items-center gap-1.5 px-0.5 pt-1 text-[10px] text-muted-foreground\">\n <IconCheck size={11} className=\"text-green-500\" />\n <span>System audio capture available.</span>\n </div>\n );\n }\n\n if (state.kind === \"unsupported\") {\n return (\n <div className=\"flex items-center gap-1.5 px-0.5 pt-1 text-[10px] text-muted-foreground\">\n <span\n className=\"inline-block h-1.5 w-1.5 shrink-0 rounded-full bg-red-500\"\n aria-hidden\n />\n <span>\n System audio requires macOS 13 or later — meetings will use mic-only.\n </span>\n </div>\n );\n }\n\n // denied\n return (\n <div className=\"flex items-start gap-1.5 px-0.5 pt-1 text-[10px] text-muted-foreground\">\n <IconAlertCircle size={11} className=\"mt-[1px] shrink-0 text-amber-500\" />\n <div className=\"flex-1\">\n <span>\n Grant Screen Recording permission in System Settings -> Privacy.\n </span>\n <button\n type=\"button\"\n onClick={openPrivacy}\n className=\"ml-1 inline-flex items-center gap-1 rounded border border-border px-1.5 py-0.5 text-[10px] text-muted-foreground hover:bg-accent/40 hover:text-foreground\"\n >\n <IconLockOpen size={10} />\n Open System Settings\n </button>\n </div>\n </div>\n );\n}\n\nexport function VoiceTranscriptionIcon() {\n return <IconMicrophone size={14} />;\n}\n"]}
|
|
@@ -9,12 +9,12 @@ import type { PlatformAdapter } from "../types.js";
|
|
|
9
9
|
* Optional env vars:
|
|
10
10
|
* - SLACK_ALLOWED_TEAM_IDS — Comma-separated list of Slack workspace
|
|
11
11
|
* `team_id` values (e.g. "T012ABCDEF,T034GHIJKL") that this deployment
|
|
12
|
-
* accepts events from.
|
|
12
|
+
* accepts events from. Required in production and strongly recommended
|
|
13
13
|
* to prevent cross-workspace event injection (H1 in the webhook audit):
|
|
14
14
|
* the global `SLACK_SIGNING_SECRET` is the same key for every workspace
|
|
15
15
|
* the app is installed to, so without an allowlist any installed
|
|
16
16
|
* workspace can drive the agent. When unset the adapter accepts events
|
|
17
|
-
* from any workspace
|
|
17
|
+
* from any workspace in development, but rejects events in production.
|
|
18
18
|
* - SLACK_ALLOWED_API_APP_IDS — Comma-separated list of Slack app IDs
|
|
19
19
|
* (`api_app_id`) to additionally pin events to. Useful when the same
|
|
20
20
|
* signing secret rotation surfaces multiple app installs.
|
|
@@ -12,12 +12,12 @@ const SLACK_API_TIMEOUT_MS = 10_000;
|
|
|
12
12
|
* Optional env vars:
|
|
13
13
|
* - SLACK_ALLOWED_TEAM_IDS — Comma-separated list of Slack workspace
|
|
14
14
|
* `team_id` values (e.g. "T012ABCDEF,T034GHIJKL") that this deployment
|
|
15
|
-
* accepts events from.
|
|
15
|
+
* accepts events from. Required in production and strongly recommended
|
|
16
16
|
* to prevent cross-workspace event injection (H1 in the webhook audit):
|
|
17
17
|
* the global `SLACK_SIGNING_SECRET` is the same key for every workspace
|
|
18
18
|
* the app is installed to, so without an allowlist any installed
|
|
19
19
|
* workspace can drive the agent. When unset the adapter accepts events
|
|
20
|
-
* from any workspace
|
|
20
|
+
* from any workspace in development, but rejects events in production.
|
|
21
21
|
* - SLACK_ALLOWED_API_APP_IDS — Comma-separated list of Slack app IDs
|
|
22
22
|
* (`api_app_id`) to additionally pin events to. Useful when the same
|
|
23
23
|
* signing secret rotation surfaces multiple app installs.
|
|
@@ -333,11 +333,11 @@ let _missingAllowlistWarned = false;
|
|
|
333
333
|
* `api_app_id` isn't in the list (bot apps can be installed under the
|
|
334
334
|
* same Slack app id across multiple workspaces — pinning both keeps
|
|
335
335
|
* the surface tight when team_id allows multiple workspaces).
|
|
336
|
-
* - If
|
|
337
|
-
*
|
|
338
|
-
*
|
|
339
|
-
*
|
|
340
|
-
*
|
|
336
|
+
* - If `SLACK_ALLOWED_TEAM_IDS` is unset/empty in production: reject the
|
|
337
|
+
* event. Production must fail closed so any workspace with the shared
|
|
338
|
+
* signing secret cannot drive the agent.
|
|
339
|
+
* - If `SLACK_ALLOWED_TEAM_IDS` is unset/empty in dev / single-tenant: log a
|
|
340
|
+
* one-time warning and accept (current local setup behavior).
|
|
341
341
|
*
|
|
342
342
|
* Throws an h3 401 error when an allowlisted-but-mismatched payload is
|
|
343
343
|
* received, which the integrations plugin surfaces to the caller as
|
|
@@ -348,6 +348,19 @@ function enforceWorkspaceAllowlist(payload) {
|
|
|
348
348
|
const apiAppId = typeof payload?.api_app_id === "string" ? payload.api_app_id : undefined;
|
|
349
349
|
const allowedTeamIds = parseAllowlistEnv("SLACK_ALLOWED_TEAM_IDS");
|
|
350
350
|
const allowedAppIds = parseAllowlistEnv("SLACK_ALLOWED_API_APP_IDS");
|
|
351
|
+
if (!allowedTeamIds) {
|
|
352
|
+
if (process.env.NODE_ENV === "production") {
|
|
353
|
+
throw createError({
|
|
354
|
+
statusCode: 401,
|
|
355
|
+
statusMessage: "Slack workspace allowlist is not configured",
|
|
356
|
+
});
|
|
357
|
+
}
|
|
358
|
+
if (!_missingAllowlistWarned) {
|
|
359
|
+
_missingAllowlistWarned = true;
|
|
360
|
+
console.warn("[slack] SLACK_ALLOWED_TEAM_IDS not set — accepting events from any workspace whose signature matches SLACK_SIGNING_SECRET. " +
|
|
361
|
+
"Set SLACK_ALLOWED_TEAM_IDS to a comma-separated list of allowed team_id values before deploying to production.");
|
|
362
|
+
}
|
|
363
|
+
}
|
|
351
364
|
if (allowedTeamIds) {
|
|
352
365
|
if (!teamId || !allowedTeamIds.has(teamId)) {
|
|
353
366
|
throw createError({
|
|
@@ -364,14 +377,6 @@ function enforceWorkspaceAllowlist(payload) {
|
|
|
364
377
|
});
|
|
365
378
|
}
|
|
366
379
|
}
|
|
367
|
-
if (!allowedTeamIds &&
|
|
368
|
-
!allowedAppIds &&
|
|
369
|
-
process.env.NODE_ENV === "production" &&
|
|
370
|
-
!_missingAllowlistWarned) {
|
|
371
|
-
_missingAllowlistWarned = true;
|
|
372
|
-
console.warn("[slack] SLACK_ALLOWED_TEAM_IDS not set in production — accepting events from any workspace whose signature matches SLACK_SIGNING_SECRET. " +
|
|
373
|
-
"Set SLACK_ALLOWED_TEAM_IDS to a comma-separated list of allowed team_id values to prevent cross-workspace event injection (H1 in the webhook audit).");
|
|
374
|
-
}
|
|
375
380
|
}
|
|
376
381
|
/**
|
|
377
382
|
* Read the raw request body as a string and cache on the event context.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"slack.js","sourceRoot":"","sources":["../../../src/integrations/adapters/slack.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,IAAI,CAAC;AAWzD,iCAAiC;AACjC,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAC9B,MAAM,oBAAoB,GAAG,MAAM,CAAC;AAEpC;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,YAAY;IAC1B,OAAO;QACL,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,OAAO;QAEd,kBAAkB;YAChB,OAAO;gBACL;oBACE,GAAG,EAAE,iBAAiB;oBACtB,KAAK,EAAE,iBAAiB;oBACxB,QAAQ,EAAE,IAAI;oBACd,QAAQ,EACN,iGAAiG;iBACpG;gBACD;oBACE,GAAG,EAAE,sBAAsB;oBAC3B,KAAK,EAAE,sBAAsB;oBAC7B,QAAQ,EAAE,IAAI;oBACd,QAAQ,EACN,qFAAqF;iBACxF;aACF,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,kBAAkB,CACtB,KAAc;YAEd,kEAAkE;YAClE,uEAAuE;YACvE,oEAAoE;YACpE,2DAA2D;YAC3D,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAC5C,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAChC,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;oBACvC,8DAA8D;oBAC9D,mEAAmE;oBACnE,8DAA8D;oBAC9D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC;gBACvD,CAAC;YACH,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;YACV,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;QAED,KAAK,CAAC,aAAa,CAAC,KAAc;YAChC,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;YACvD,IAAI,CAAC,aAAa;gBAAE,OAAO,KAAK,CAAC;YAEjC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;YACxD,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,EAAE,2BAA2B,CAAC,CAAC;YAChE,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS;gBAAE,OAAO,KAAK,CAAC;YAE3C,2DAA2D;YAC3D,MAAM,EAAE,GAAG,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YACnC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,EAAE,CAAC,GAAG,GAAG;gBAAE,OAAO,KAAK,CAAC;YAEzD,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAC5C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;YAC3C,MAAM,UAAU,GAAG,MAAM,SAAS,IAAI,IAAI,EAAE,CAAC;YAC7C,MAAM,iBAAiB,GACrB,KAAK;gBACL,MAAM;qBACH,UAAU,CAAC,QAAQ,EAAE,aAAa,CAAC;qBACnC,MAAM,CAAC,UAAU,CAAC;qBAClB,MAAM,CAAC,KAAK,CAAC,CAAC;YAEnB,yBAAyB;YACzB,IAAI,CAAC;gBACH,OAAO,MAAM,CAAC,eAAe,CAC3B,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EACtB,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAC/B,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,KAAK,CAAC,oBAAoB,CACxB,KAAc;YAEd,MAAM,GAAG,GAAG,MAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAC3C,IAAI,OAAY,CAAC;YACjB,IAAI,CAAC;gBACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC5B,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;YAED,kEAAkE;YAClE,sEAAsE;YACtE,qEAAqE;YACrE,mEAAmE;YACnE,oEAAoE;YACpE,oEAAoE;YACpE,mEAAmE;YACnE,iCAAiC;YACjC,yBAAyB,CAAC,OAAO,CAAC,CAAC;YAEnC,4BAA4B;YAC5B,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;gBACtC,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC;gBACxB,IAAI,CAAC,CAAC;oBAAE,OAAO,IAAI,CAAC;gBAEpB,sBAAsB;gBACtB,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,OAAO,KAAK,aAAa;oBAAE,OAAO,IAAI,CAAC;gBACzD,mCAAmC;gBACnC,IAAI,CAAC,CAAC,OAAO,KAAK,iBAAiB,IAAI,CAAC,CAAC,OAAO,KAAK,iBAAiB;oBACpE,OAAO,IAAI,CAAC;gBAEd,+CAA+C;gBAC/C,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC,IAAI;oBAAE,OAAO,IAAI,CAAC;gBAEvB,+EAA+E;gBAC/E,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3D,IAAI,CAAC,SAAS;oBAAE,OAAO,IAAI,CAAC;gBAE5B,gEAAgE;gBAChE,MAAM,QAAQ,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,EAAE,CAAC;gBACrC,MAAM,gBAAgB,GAAG,GAAG,CAAC,CAAC,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAEpD,OAAO;oBACL,QAAQ,EAAE,OAAO;oBACjB,gBAAgB;oBAChB,IAAI,EAAE,SAAS;oBACf,UAAU,EAAE,CAAC,CAAC,IAAI;oBAClB,QAAQ,EAAE,CAAC,CAAC,IAAI;oBAChB,eAAe,EAAE;wBACf,SAAS,EAAE,CAAC,CAAC,OAAO;wBACpB,QAAQ,EAAE,QAAQ;wBAClB,SAAS,EAAE,CAAC,CAAC,EAAE;wBACf,MAAM,EAAE,OAAO,CAAC,OAAO;wBACvB,OAAO,EAAE,OAAO,CAAC,QAAQ;qBAC1B;oBACD,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC;iBAC/C,CAAC;YACJ,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAED,KAAK,CAAC,yBAAyB,CAC7B,QAAyB;YAEzB,gEAAgE;YAChE,sEAAsE;YACtE,kEAAkE;YAClE,oEAAoE;YACpE,sEAAsE;YACtE,sCAAsC;YACtC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;YAC1C,IAAI,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC;YAExB,MAAM,SAAS,GAAG,QAAQ,CAAC,eAAe,CAAC,SAAmB,CAAC;YAC/D,MAAM,QAAQ,GAAG,QAAQ,CAAC,eAAe,CAAC,QAAkB,CAAC;YAC7D,IAAI,CAAC,SAAS,IAAI,CAAC,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAEzC,sEAAsE;YACtE,qEAAqE;YACrE,mCAAmC;YACnC,uBAAuB,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;YACpE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,KAAK,CAAC,YAAY,CAChB,OAAwB,EACxB,OAAwB,EACxB,IAAkC;YAElC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;YAC1C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;gBACxD,OAAO;YACT,CAAC;YAED,MAAM,SAAS,GAAG,OAAO,CAAC,eAAe,CAAC,SAAmB,CAAC;YAC9D,MAAM,QAAQ,GAAG,OAAO,CAAC,eAAe,CAAC,QAAkB,CAAC;YAC5D,MAAM,MAAM,GAAI,OAAO,CAAC,eAAuB,EAAE,MAEpC,CAAC;YACd,MAAM,cAAc,GAAG,IAAI,EAAE,cAAc,CAAC;YAE5C,wEAAwE;YACxE,qEAAqE;YACrE,wEAAwE;YACxE,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;YAC5D,MAAM,UAAU,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAEnC,MAAM,WAAW,GACf,MAAM;gBACN,mBAAmB,CAAC,UAAU,EAAE;oBAC9B,iBAAiB,EAAG,OAAO,CAAC,eAAuB;wBACjD,EAAE,iBAAiB;iBACtB,CAAC,CAAC;YAEL,MAAM,QAAQ,GAA4B;gBACxC,OAAO,EAAE,SAAS;gBAClB,IAAI,EAAE,UAAU;gBAChB,MAAM,EAAE,WAAW;gBACnB,YAAY,EAAE,KAAK;gBACnB,YAAY,EAAE,KAAK;gBACnB,MAAM,EAAE,IAAI;aACb,CAAC;YAEF,IAAI,CAAC;gBACH,IAAI,cAAc,EAAE,CAAC;oBACnB,gDAAgD;oBAChD,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,mCAAmC,EAAE;wBACnE,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE;4BACP,aAAa,EAAE,UAAU,KAAK,EAAE;4BAChC,cAAc,EAAE,kBAAkB;yBACnC;wBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,QAAQ,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC;qBAC1D,CAAC,CAAC;oBACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAG7B,CAAC;oBACF,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;wBACb,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;wBACxD,2DAA2D;wBAC3D,MAAM,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;oBACxD,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;gBACxD,CAAC;gBAED,8DAA8D;gBAC9D,sDAAsD;gBACtD,IAAI,QAAQ,EAAE,CAAC;oBACb,uBAAuB,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;gBAC1D,CAAC;gBAED,uEAAuE;gBACvE,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;oBAC/B,MAAM,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE;wBAC1C,OAAO,EAAE,SAAS;wBAClB,IAAI,EAAE,KAAK;wBACX,YAAY,EAAE,KAAK;wBACnB,YAAY,EAAE,KAAK;wBACnB,MAAM,EAAE,IAAI;qBACb,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,GAAG,CAAC,CAAC;gBACtD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,KAAK,CAAC,mBAAmB,CACvB,OAAwB,EACxB,MAAsB;YAEtB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;YAC1C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;gBACxD,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;YAC5D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,MAAM,IAAI,GAA4B;oBACpC,OAAO,EAAE,MAAM,CAAC,WAAW;oBAC3B,IAAI,EAAE,KAAK;iBACZ,CAAC;gBACF,IAAI,MAAM,CAAC,SAAS;oBAAE,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;gBAExD,IAAI,CAAC;oBACH,MAAM,GAAG,GAAG,MAAM,aAAa,CAC7B,wCAAwC,EACxC;wBACE,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE;4BACP,aAAa,EAAE,UAAU,KAAK,EAAE;4BAChC,cAAc,EAAE,kBAAkB;yBACnC;wBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;qBAC3B,CACF,CAAC;oBACF,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoC,CAAC;oBACnE,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;wBACb,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,yBAAyB,CAAC,CAAC;oBAC3D,CAAC;gBACH,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAC;oBAChE,MAAM,GAAG,CAAC;gBACZ,CAAC;YACH,CAAC;QACH,CAAC;QAED,mBAAmB,CACjB,IAAY,EACZ,IAAqC;YAErC,OAAO;gBACL,IAAI,EAAE,qBAAqB,CAAC,IAAI,CAAC;gBACjC,eAAe,EAAE,IAAI,EAAE,iBAAiB;oBACtC,CAAC,CAAC,EAAE,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,EAAE;oBAC/C,CAAC,CAAC,EAAE;aACP,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,SAAS,CAAC,OAAgB;YAC9B,MAAM,QAAQ,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;YAC/C,MAAM,SAAS,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;YACrD,MAAM,UAAU,GAAG,QAAQ,IAAI,SAAS,CAAC;YAEzC,OAAO;gBACL,QAAQ,EAAE,OAAO;gBACjB,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,KAAK,EAAE,uBAAuB;gBACvC,UAAU;gBACV,OAAO,EAAE;oBACP,QAAQ;oBACR,SAAS;iBACV;gBACD,KAAK,EAAE,CAAC,UAAU;oBAChB,CAAC,CAAC,kEAAkE;oBACpE,CAAC,CAAC,SAAS;aACd,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,IAAY;IACrC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC9B,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,MAAM,GAAG,GAAG;SACf,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC/B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACrC,OAAO,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;AACzB,CAAC;AAED,IAAI,uBAAuB,GAAG,KAAK,CAAC;AAEpC;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,SAAS,yBAAyB,CAAC,OAAY;IAC7C,MAAM,MAAM,GACV,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;IACrE,MAAM,QAAQ,GACZ,OAAO,OAAO,EAAE,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;IAE3E,MAAM,cAAc,GAAG,iBAAiB,CAAC,wBAAwB,CAAC,CAAC;IACnE,MAAM,aAAa,GAAG,iBAAiB,CAAC,2BAA2B,CAAC,CAAC;IAErE,IAAI,cAAc,EAAE,CAAC;QACnB,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3C,MAAM,WAAW,CAAC;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,8BAA8B;aAC9C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC,QAAQ,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9C,MAAM,WAAW,CAAC;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,8BAA8B;aAC9C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IACE,CAAC,cAAc;QACf,CAAC,aAAa;QACd,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QACrC,CAAC,uBAAuB,EACxB,CAAC;QACD,uBAAuB,GAAG,IAAI,CAAC;QAC/B,OAAO,CAAC,IAAI,CACV,2IAA2I;YACzI,sJAAsJ,CACzJ,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,KAAK,UAAU,iBAAiB,CAAC,KAAc;IAC7C,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;IACvC,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC;IAC9C,wEAAwE;IACxE,wEAAwE;IACxE,gDAAgD;IAChD,MAAM,GAAG,GAAG,CAAC,MAAM,WAAW,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7C,KAAK,CAAC,OAAO,CAAC,SAAS,GAAG,GAAG,CAAC;IAC9B,OAAO,GAAG,CAAC;AACb,CAAC;AAED,uEAAuE;AACvE,SAAS,YAAY,CAAC,IAAY,EAAE,SAAiB;IACnD,IAAI,IAAI,CAAC,MAAM,IAAI,SAAS;QAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,SAAS,GAAG,IAAI,CAAC;IACrB,OAAO,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,MAAM;QACR,CAAC;QACD,4BAA4B;QAC5B,IAAI,QAAQ,GAAG,SAAS,CAAC,WAAW,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QACtD,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;YAClB,0BAA0B;YAC1B,QAAQ,GAAG,SAAS,CAAC,WAAW,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;YAClB,QAAQ,GAAG,SAAS,CAAC;QACvB,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC1C,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,SAAS,EAAE,CAAC;IACpD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;4EAK4E;AAC5E,MAAM,iBAAiB,GAAG,MAAM,CAAC;AAEjC;;;;;;;;GAQG;AACH,SAAS,qBAAqB,CAAC,IAAY;IACzC,MAAM,OAAO,GACX,IAAI,CAAC,MAAM,GAAG,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC5E,OAAO,CACL,OAAO;SACJ,OAAO,CAAC,0BAA0B,EAAE,SAAS,CAAC;QAC/C,sEAAsE;QACtE,sEAAsE;SACrE,OAAO,CAAC,oCAAoC,EAAE,MAAM,CAAC;QACtD,oEAAoE;QACpE,gEAAgE;QAChE,sEAAsE;QACtE,iEAAiE;QACjE,gDAAgD;SAC/C,OAAO,CAAC,yBAAyB,EAAE,MAAM,CAAC,CAC9C,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,uBAAuB,CAC9B,KAAa,EACb,SAAiB,EACjB,QAAgB,EAChB,MAAc;IAEd,aAAa,CAAC,mDAAmD,EAAE;QACjE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,EAAE;YAChC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,UAAU,EAAE,SAAS;YACrB,SAAS,EAAE,QAAQ;YACnB,MAAM;SACP,CAAC;KACH,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;AACrB,CAAC;AAED;;;;;GAKG;AACH,SAAS,mBAAmB,CAC1B,IAAY,EACZ,IAAoC;IAEpC,MAAM,MAAM,GAAU;QACpB;YACE,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,IAAI,iBAAiB,EAAE;SAC1D;KACF,CAAC;IACF,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC3B,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,SAAS;YACf,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,IAAI,EAAE;oBAC9D,GAAG,EAAE,IAAI,CAAC,iBAAiB;oBAC3B,SAAS,EAAE,sBAAsB;iBAClC;aACF;SACF,CAAC,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,SAAS,CACtB,KAAa,EACb,SAAiB,EACjB,QAA4B,EAC5B,IAA6B;IAE7B,MAAM,OAAO,GAA4B;QACvC,GAAG,IAAI;QACP,OAAO,EAAE,SAAS;KACnB,CAAC;IACF,IAAI,QAAQ,IAAI,CAAC,OAAO,CAAC,SAAS;QAAE,OAAO,CAAC,SAAS,GAAG,QAAQ,CAAC;IACjE,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,wCAAwC,EAAE;QACxE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,EAAE;YAChC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;KAC9B,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoC,CAAC;IACnE,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,yBAAyB,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,GAAW,EACX,IAAiB;IAEjB,MAAM,UAAU,GACd,OAAO,eAAe,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI,eAAe,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7E,MAAM,KAAK,GAAG,UAAU;QACtB,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,oBAAoB,CAAC;QAC5D,CAAC,CAAC,SAAS,CAAC;IACd,IAAI,CAAC;QACH,OAAO,MAAM,KAAK,CAAC,GAAG,EAAE;YACtB,GAAG,IAAI;YACP,MAAM,EAAE,UAAU,EAAE,MAAM,IAAI,IAAI,CAAC,MAAM;SAC1C,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,IAAI,KAAK;YAAE,YAAY,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;AACH,CAAC","sourcesContent":["import type { H3Event } from \"h3\";\nimport { createError, getHeader, readRawBody } from \"h3\";\nimport type {\n PlatformAdapter,\n IncomingMessage,\n OutgoingMessage,\n IntegrationStatus,\n OutboundTarget,\n} from \"../types.js\";\nimport type { EnvKeyConfig } from \"../../server/create-server.js\";\nimport { getIntegrationConfig } from \"../config-store.js\";\n\n/** Slack's max message length */\nconst SLACK_MAX_LENGTH = 4000;\nconst SLACK_API_TIMEOUT_MS = 10_000;\n\n/**\n * Create a Slack platform adapter.\n *\n * Required env vars:\n * - SLACK_BOT_TOKEN — Bot user OAuth token (xoxb-...)\n * - SLACK_SIGNING_SECRET — Used to verify webhook signatures\n *\n * Optional env vars:\n * - SLACK_ALLOWED_TEAM_IDS — Comma-separated list of Slack workspace\n * `team_id` values (e.g. \"T012ABCDEF,T034GHIJKL\") that this deployment\n * accepts events from. Strongly recommended in multi-tenant deployments\n * to prevent cross-workspace event injection (H1 in the webhook audit):\n * the global `SLACK_SIGNING_SECRET` is the same key for every workspace\n * the app is installed to, so without an allowlist any installed\n * workspace can drive the agent. When unset the adapter accepts events\n * from any workspace — fine for single-tenant dev, unsafe for prod.\n * - SLACK_ALLOWED_API_APP_IDS — Comma-separated list of Slack app IDs\n * (`api_app_id`) to additionally pin events to. Useful when the same\n * signing secret rotation surfaces multiple app installs.\n */\nexport function slackAdapter(): PlatformAdapter {\n return {\n platform: \"slack\",\n label: \"Slack\",\n\n getRequiredEnvKeys(): EnvKeyConfig[] {\n return [\n {\n key: \"SLACK_BOT_TOKEN\",\n label: \"Slack Bot Token\",\n required: true,\n helpText:\n \"In your Slack app's left nav: OAuth & Permissions → Bot User OAuth Token (starts with `xoxb-`).\",\n },\n {\n key: \"SLACK_SIGNING_SECRET\",\n label: \"Slack Signing Secret\",\n required: true,\n helpText:\n \"In your Slack app's left nav: Basic Information → App Credentials → Signing Secret.\",\n },\n ];\n },\n\n async handleVerification(\n event: H3Event,\n ): Promise<{ handled: boolean; response?: unknown }> {\n // Slack sends url_verification when first setting up the webhook.\n // readRawBodyCached caches the raw bytes on event.context.__rawBody so\n // subsequent verifyWebhook + parseIncomingMessage calls re-use them\n // without re-stringifying a parsed body (M2 in the audit).\n const body = await readRawBodyCached(event);\n try {\n const parsed = JSON.parse(body);\n if (parsed.type === \"url_verification\") {\n // Slack's URL verifier expects the raw challenge value in the\n // response body. Returning JSON works for some clients but the app\n // settings verifier rejects it as not matching the challenge.\n return { handled: true, response: parsed.challenge };\n }\n } catch {}\n return { handled: false };\n },\n\n async verifyWebhook(event: H3Event): Promise<boolean> {\n const signingSecret = process.env.SLACK_SIGNING_SECRET;\n if (!signingSecret) return false;\n\n const signature = getHeader(event, \"x-slack-signature\");\n const timestamp = getHeader(event, \"x-slack-request-timestamp\");\n if (!signature || !timestamp) return false;\n\n // Reject requests older than 5 minutes (replay protection)\n const ts = parseInt(timestamp, 10);\n if (Math.abs(Date.now() / 1000 - ts) > 300) return false;\n\n const body = await readRawBodyCached(event);\n const crypto = await import(\"node:crypto\");\n const basestring = `v0:${timestamp}:${body}`;\n const expectedSignature =\n \"v0=\" +\n crypto\n .createHmac(\"sha256\", signingSecret)\n .update(basestring)\n .digest(\"hex\");\n\n // Timing-safe comparison\n try {\n return crypto.timingSafeEqual(\n Buffer.from(signature),\n Buffer.from(expectedSignature),\n );\n } catch {\n return false;\n }\n },\n\n async parseIncomingMessage(\n event: H3Event,\n ): Promise<IncomingMessage | null> {\n const raw = await readRawBodyCached(event);\n let payload: any;\n try {\n payload = JSON.parse(raw);\n } catch {\n return null;\n }\n\n // H1 (webhook audit): cross-workspace event injection. The global\n // SLACK_SIGNING_SECRET is the same key for every workspace this Slack\n // app is installed to — without a per-tenant allowlist any installed\n // workspace can drive the agent. We enforce SLACK_ALLOWED_TEAM_IDS\n // here AFTER the signature has already been verified by the webhook\n // handler, so this is purely a tenant-isolation gate (not a forgery\n // defense). When unset in production we surface a one-time warning\n // recommending it be configured.\n enforceWorkspaceAllowlist(payload);\n\n // Handle Events API wrapper\n if (payload.type === \"event_callback\") {\n const e = payload.event;\n if (!e) return null;\n\n // Ignore bot messages\n if (e.bot_id || e.subtype === \"bot_message\") return null;\n // Ignore message edits and deletes\n if (e.subtype === \"message_changed\" || e.subtype === \"message_deleted\")\n return null;\n\n // Handle both direct messages and app_mentions\n const text = e.text?.trim();\n if (!text) return null;\n\n // Remove bot mention from text (e.g., \"<@U123> do something\" → \"do something\")\n const cleanText = text.replace(/<@[A-Z0-9]+>/g, \"\").trim();\n if (!cleanText) return null;\n\n // Thread ID: use thread_ts if in a thread, otherwise message ts\n const threadTs = e.thread_ts || e.ts;\n const externalThreadId = `${e.channel}:${threadTs}`;\n\n return {\n platform: \"slack\",\n externalThreadId,\n text: cleanText,\n senderName: e.user,\n senderId: e.user,\n platformContext: {\n channelId: e.channel,\n threadTs: threadTs,\n messageTs: e.ts,\n teamId: payload.team_id,\n eventId: payload.event_id,\n },\n timestamp: Math.floor(parseFloat(e.ts) * 1000),\n };\n }\n\n return null;\n },\n\n async postProcessingPlaceholder(\n incoming: IncomingMessage,\n ): Promise<{ placeholderRef: string } | null> {\n // No placeholder reply in the thread — Slack's native assistant\n // status bar (\"agent-native is thinking…\", below the composer) is the\n // loading affordance. A second visible \"Working on it…\" reply was\n // redundant and added an extra chunk that we then had to overwrite.\n // We just set the native status and return null so sendResponse posts\n // the final reply as a fresh message.\n const token = process.env.SLACK_BOT_TOKEN;\n if (!token) return null;\n\n const channelId = incoming.platformContext.channelId as string;\n const threadTs = incoming.platformContext.threadTs as string;\n if (!channelId || !threadTs) return null;\n\n // Best-effort: flip the native AI-assistant \"is thinking…\" status bar\n // in the channel input area. Requires `assistant:write` scope on the\n // app — otherwise silently no-ops.\n setSlackAssistantStatus(token, channelId, threadTs, \"is thinking…\");\n return null;\n },\n\n async sendResponse(\n message: OutgoingMessage,\n context: IncomingMessage,\n opts?: { placeholderRef?: string },\n ): Promise<void> {\n const token = process.env.SLACK_BOT_TOKEN;\n if (!token) {\n console.error(\"[slack] SLACK_BOT_TOKEN not configured\");\n return;\n }\n\n const channelId = context.platformContext.channelId as string;\n const threadTs = context.platformContext.threadTs as string;\n const blocks = (message.platformContext as any)?.blocks as\n | unknown[]\n | undefined;\n const placeholderRef = opts?.placeholderRef;\n\n // Block-rich path: split text into chunks but render the FIRST chunk as\n // blocks (so we keep the in-place edit + button) and any overflow as\n // plain follow-up posts. The vast majority of replies fit in one block.\n const chunks = splitMessage(message.text, SLACK_MAX_LENGTH);\n const firstChunk = chunks[0] ?? \"\";\n const restChunks = chunks.slice(1);\n\n const finalBlocks =\n blocks ??\n buildResponseBlocks(firstChunk, {\n threadDeepLinkUrl: (message.platformContext as any)\n ?.threadDeepLinkUrl,\n });\n\n const baseBody: Record<string, unknown> = {\n channel: channelId,\n text: firstChunk,\n blocks: finalBlocks,\n unfurl_links: false,\n unfurl_media: false,\n mrkdwn: true,\n };\n\n try {\n if (placeholderRef) {\n // Replace the \"thinking…\" placeholder in place.\n const res = await slackApiFetch(\"https://slack.com/api/chat.update\", {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${token}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify({ ...baseBody, ts: placeholderRef }),\n });\n const data = (await res.json()) as {\n ok: boolean;\n error?: string;\n };\n if (!data.ok) {\n console.error(\"[slack] chat.update error:\", data.error);\n // Fall back to a fresh post so the user still sees a reply\n await postFresh(token, channelId, threadTs, baseBody);\n }\n } else {\n await postFresh(token, channelId, threadTs, baseBody);\n }\n\n // Clear the AI-assistant \"is thinking…\" status now that we've\n // delivered the final answer. Empty status clears it.\n if (threadTs) {\n setSlackAssistantStatus(token, channelId, threadTs, \"\");\n }\n\n // Overflow chunks (rare) — post as plain follow-ups in the same thread\n for (const chunk of restChunks) {\n await postFresh(token, channelId, threadTs, {\n channel: channelId,\n text: chunk,\n unfurl_links: false,\n unfurl_media: false,\n mrkdwn: true,\n });\n }\n } catch (err) {\n console.error(\"[slack] Failed to send message:\", err);\n throw err;\n }\n },\n\n async sendMessageToTarget(\n message: OutgoingMessage,\n target: OutboundTarget,\n ): Promise<void> {\n const token = process.env.SLACK_BOT_TOKEN;\n if (!token) {\n console.error(\"[slack] SLACK_BOT_TOKEN not configured\");\n return;\n }\n\n const chunks = splitMessage(message.text, SLACK_MAX_LENGTH);\n for (const chunk of chunks) {\n const body: Record<string, unknown> = {\n channel: target.destination,\n text: chunk,\n };\n if (target.threadRef) body.thread_ts = target.threadRef;\n\n try {\n const res = await slackApiFetch(\n \"https://slack.com/api/chat.postMessage\",\n {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${token}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify(body),\n },\n );\n const data = (await res.json()) as { ok: boolean; error?: string };\n if (!data.ok) {\n throw new Error(data.error || \"chat.postMessage failed\");\n }\n } catch (err) {\n console.error(\"[slack] Failed to send proactive message:\", err);\n throw err;\n }\n }\n },\n\n formatAgentResponse(\n text: string,\n opts?: { threadDeepLinkUrl?: string },\n ): OutgoingMessage {\n return {\n text: markdownToSlackMrkdwn(text),\n platformContext: opts?.threadDeepLinkUrl\n ? { threadDeepLinkUrl: opts.threadDeepLinkUrl }\n : {},\n };\n },\n\n async getStatus(baseUrl?: string): Promise<IntegrationStatus> {\n const hasToken = !!process.env.SLACK_BOT_TOKEN;\n const hasSecret = !!process.env.SLACK_SIGNING_SECRET;\n const configured = hasToken && hasSecret;\n\n return {\n platform: \"slack\",\n label: \"Slack\",\n enabled: false, // overridden by plugin\n configured,\n details: {\n hasToken,\n hasSecret,\n },\n error: !configured\n ? \"Set SLACK_BOT_TOKEN and SLACK_SIGNING_SECRET in your environment\"\n : undefined,\n };\n },\n };\n}\n\n/**\n * Parse a comma-separated env var into a Set of trimmed, non-empty values.\n * Returns null when the env var is unset or empty (so callers can\n * distinguish \"no allowlist configured\" from \"empty allowlist\").\n */\nfunction parseAllowlistEnv(name: string): Set<string> | null {\n const raw = process.env[name];\n if (!raw) return null;\n const values = raw\n .split(\",\")\n .map((v) => v.trim())\n .filter((v) => v.length > 0);\n if (values.length === 0) return null;\n return new Set(values);\n}\n\nlet _missingAllowlistWarned = false;\n\n/**\n * Enforce that an incoming Slack event comes from an allowlisted workspace.\n *\n * H1 in the webhook audit: the framework uses a SINGLE global\n * SLACK_SIGNING_SECRET for every workspace the Slack app is installed to,\n * so a valid signature alone doesn't prove the request belongs to the\n * tenant the deployment intends to serve. This helper layers a per-tenant\n * allowlist on top of signature verification.\n *\n * Behavior:\n * - If `SLACK_ALLOWED_TEAM_IDS` is set: reject any payload whose\n * `team_id` isn't in the list.\n * - If `SLACK_ALLOWED_API_APP_IDS` is set: also reject payloads whose\n * `api_app_id` isn't in the list (bot apps can be installed under the\n * same Slack app id across multiple workspaces — pinning both keeps\n * the surface tight when team_id allows multiple workspaces).\n * - If neither is set AND `NODE_ENV === \"production\"`: log a one-time\n * warning recommending the env var be configured. Continue (preserves\n * existing behavior to avoid breaking single-tenant prod deployments\n * that have always run without an allowlist).\n * - If neither is set in dev / single-tenant: accept (current behavior).\n *\n * Throws an h3 401 error when an allowlisted-but-mismatched payload is\n * received, which the integrations plugin surfaces to the caller as\n * \"Unrecognized Slack workspace\" without enqueuing the event.\n */\nfunction enforceWorkspaceAllowlist(payload: any): void {\n const teamId =\n typeof payload?.team_id === \"string\" ? payload.team_id : undefined;\n const apiAppId =\n typeof payload?.api_app_id === \"string\" ? payload.api_app_id : undefined;\n\n const allowedTeamIds = parseAllowlistEnv(\"SLACK_ALLOWED_TEAM_IDS\");\n const allowedAppIds = parseAllowlistEnv(\"SLACK_ALLOWED_API_APP_IDS\");\n\n if (allowedTeamIds) {\n if (!teamId || !allowedTeamIds.has(teamId)) {\n throw createError({\n statusCode: 401,\n statusMessage: \"Unrecognized Slack workspace\",\n });\n }\n }\n\n if (allowedAppIds) {\n if (!apiAppId || !allowedAppIds.has(apiAppId)) {\n throw createError({\n statusCode: 401,\n statusMessage: \"Unrecognized Slack workspace\",\n });\n }\n }\n\n if (\n !allowedTeamIds &&\n !allowedAppIds &&\n process.env.NODE_ENV === \"production\" &&\n !_missingAllowlistWarned\n ) {\n _missingAllowlistWarned = true;\n console.warn(\n \"[slack] SLACK_ALLOWED_TEAM_IDS not set in production — accepting events from any workspace whose signature matches SLACK_SIGNING_SECRET. \" +\n \"Set SLACK_ALLOWED_TEAM_IDS to a comma-separated list of allowed team_id values to prevent cross-workspace event injection (H1 in the webhook audit).\",\n );\n }\n}\n\n/**\n * Read the raw request body as a string and cache on the event context.\n *\n * This MUST read raw bytes from the request stream — never `JSON.stringify`\n * a parsed body, because Slack's HMAC is computed over the exact bytes Slack\n * sent. Re-stringifying a parsed object loses key ordering, whitespace, and\n * Unicode-escape choices, so the signature check would silently fail for\n * legitimate requests (M2 in the webhook security audit).\n *\n * h3 v2's body stream is consume-once, so we cache the raw string on the\n * event context after the first read. All call sites (handleVerification,\n * verifyWebhook, parseIncomingMessage) MUST go through this helper.\n */\nasync function readRawBodyCached(event: H3Event): Promise<string> {\n const cached = event.context.__rawBody;\n if (typeof cached === \"string\") return cached;\n // h3's readRawBody returns the bytes Slack actually sent, defaulting to\n // utf8-decoded. Returns undefined for empty bodies — we coerce to \"\" so\n // the HMAC check can proceed deterministically.\n const raw = (await readRawBody(event)) ?? \"\";\n event.context.__rawBody = raw;\n return raw;\n}\n\n/** Split a message into chunks that fit within the platform's limit */\nfunction splitMessage(text: string, maxLength: number): string[] {\n if (text.length <= maxLength) return [text];\n const chunks: string[] = [];\n let remaining = text;\n while (remaining.length > 0) {\n if (remaining.length <= maxLength) {\n chunks.push(remaining);\n break;\n }\n // Try to split at a newline\n let splitIdx = remaining.lastIndexOf(\"\\n\", maxLength);\n if (splitIdx <= 0) {\n // Try to split at a space\n splitIdx = remaining.lastIndexOf(\" \", maxLength);\n }\n if (splitIdx <= 0) {\n splitIdx = maxLength;\n }\n chunks.push(remaining.slice(0, splitIdx));\n remaining = remaining.slice(splitIdx).trimStart();\n }\n return chunks;\n}\n\n/** Hard cap on input length we feed to the regex-based mrkdwn converter.\n * L2 in the webhook audit: `\\*\\*(.+?)\\*\\*` with the `s` flag on a long\n * string of asterisks can exhibit super-linear backtracking. Slack\n * itself caps message bodies at 4000 chars (SLACK_MAX_LENGTH); we cap\n * the input here at 10x that as a defensive bound for any caller that\n * passes a longer rendering source through this helper before chunking. */\nconst MRKDWN_MAX_LENGTH = 40_000;\n\n/**\n * Convert standard markdown to Slack's mrkdwn dialect.\n * - `[text](url)` → `<url|text>`\n * - `**bold**` → `*bold*` (Slack uses single asterisks for bold)\n *\n * Inputs longer than MRKDWN_MAX_LENGTH are truncated before the regex\n * pass to bound worst-case backtracking on pathological input (L2 in the\n * webhook audit).\n */\nfunction markdownToSlackMrkdwn(text: string): string {\n const bounded =\n text.length > MRKDWN_MAX_LENGTH ? text.slice(0, MRKDWN_MAX_LENGTH) : text;\n return (\n bounded\n .replace(/\\[([^\\]]+)\\]\\(([^)]+)\\)/g, \"<$2|$1>\")\n // Do not wrap bare URLs in Slack bold markers. Slack's autolinker can\n // treat the trailing `*` as part of the URL, producing a broken link.\n .replace(/\\*\\*<?(https?:\\/\\/[^\\s>*]+)>?\\*\\*/g, \"<$1>\")\n // Bounded character class instead of `.+?` with the `s` flag — caps\n // each bold span at 5000 chars so an attacker can't construct a\n // pathological \"**\" sequence that exhibits super-linear backtracking.\n // Newlines are allowed because `[^*]` excludes only the asterisk\n // itself, so multi-line bold spans still match.\n .replace(/\\*\\*([^*]{1,5000})\\*\\*/g, \"*$1*\")\n );\n}\n\n/**\n * Optionally set Slack's native AI-assistant status indicator (the small\n * \"is thinking…\" line under the message composer) for an app configured\n * with the `assistant:write` scope. Pure best-effort — fails silently for\n * apps that aren't set up as AI assistants.\n */\nfunction setSlackAssistantStatus(\n token: string,\n channelId: string,\n threadTs: string,\n status: string,\n): void {\n slackApiFetch(\"https://slack.com/api/assistant.threads.setStatus\", {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${token}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify({\n channel_id: channelId,\n thread_ts: threadTs,\n status,\n }),\n }).catch(() => {});\n}\n\n/**\n * Block Kit payload for the final answer. We avoid auto-unfurl previews by\n * separating the deep-link out into a button instead of inlining it as a\n * `<url|text>` markdown link in the section body — that's what was producing\n * the giant \"Agent-Native Dispatch\" card in every thread reply.\n */\nfunction buildResponseBlocks(\n text: string,\n opts: { threadDeepLinkUrl?: string },\n): unknown[] {\n const blocks: any[] = [\n {\n type: \"section\",\n text: { type: \"mrkdwn\", text: text || \"_(no response)_\" },\n },\n ];\n if (opts.threadDeepLinkUrl) {\n blocks.push({\n type: \"actions\",\n elements: [\n {\n type: \"button\",\n text: { type: \"plain_text\", text: \"Open thread\", emoji: true },\n url: opts.threadDeepLinkUrl,\n action_id: \"open_dispatch_thread\",\n },\n ],\n });\n }\n return blocks;\n}\n\n/**\n * Post a fresh message to a thread. Used as the placeholder-fallback path\n * (e.g. when chat.update fails) and for follow-up overflow chunks.\n */\nasync function postFresh(\n token: string,\n channelId: string,\n threadTs: string | undefined,\n body: Record<string, unknown>,\n): Promise<void> {\n const payload: Record<string, unknown> = {\n ...body,\n channel: channelId,\n };\n if (threadTs && !payload.thread_ts) payload.thread_ts = threadTs;\n const res = await slackApiFetch(\"https://slack.com/api/chat.postMessage\", {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${token}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify(payload),\n });\n const data = (await res.json()) as { ok: boolean; error?: string };\n if (!data.ok) {\n console.error(\"[slack] chat.postMessage error:\", data.error);\n throw new Error(data.error || \"chat.postMessage failed\");\n }\n}\n\nasync function slackApiFetch(\n url: string,\n init: RequestInit,\n): Promise<Response> {\n const controller =\n typeof AbortController !== \"undefined\" ? new AbortController() : undefined;\n const timer = controller\n ? setTimeout(() => controller.abort(), SLACK_API_TIMEOUT_MS)\n : undefined;\n try {\n return await fetch(url, {\n ...init,\n signal: controller?.signal ?? init.signal,\n });\n } finally {\n if (timer) clearTimeout(timer);\n }\n}\n"]}
|
|
1
|
+
{"version":3,"file":"slack.js","sourceRoot":"","sources":["../../../src/integrations/adapters/slack.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,IAAI,CAAC;AAWzD,iCAAiC;AACjC,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAC9B,MAAM,oBAAoB,GAAG,MAAM,CAAC;AAEpC;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,YAAY;IAC1B,OAAO;QACL,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,OAAO;QAEd,kBAAkB;YAChB,OAAO;gBACL;oBACE,GAAG,EAAE,iBAAiB;oBACtB,KAAK,EAAE,iBAAiB;oBACxB,QAAQ,EAAE,IAAI;oBACd,QAAQ,EACN,iGAAiG;iBACpG;gBACD;oBACE,GAAG,EAAE,sBAAsB;oBAC3B,KAAK,EAAE,sBAAsB;oBAC7B,QAAQ,EAAE,IAAI;oBACd,QAAQ,EACN,qFAAqF;iBACxF;aACF,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,kBAAkB,CACtB,KAAc;YAEd,kEAAkE;YAClE,uEAAuE;YACvE,oEAAoE;YACpE,2DAA2D;YAC3D,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAC5C,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAChC,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;oBACvC,8DAA8D;oBAC9D,mEAAmE;oBACnE,8DAA8D;oBAC9D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC;gBACvD,CAAC;YACH,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;YACV,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;QAED,KAAK,CAAC,aAAa,CAAC,KAAc;YAChC,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;YACvD,IAAI,CAAC,aAAa;gBAAE,OAAO,KAAK,CAAC;YAEjC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;YACxD,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,EAAE,2BAA2B,CAAC,CAAC;YAChE,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS;gBAAE,OAAO,KAAK,CAAC;YAE3C,2DAA2D;YAC3D,MAAM,EAAE,GAAG,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YACnC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,EAAE,CAAC,GAAG,GAAG;gBAAE,OAAO,KAAK,CAAC;YAEzD,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAC5C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;YAC3C,MAAM,UAAU,GAAG,MAAM,SAAS,IAAI,IAAI,EAAE,CAAC;YAC7C,MAAM,iBAAiB,GACrB,KAAK;gBACL,MAAM;qBACH,UAAU,CAAC,QAAQ,EAAE,aAAa,CAAC;qBACnC,MAAM,CAAC,UAAU,CAAC;qBAClB,MAAM,CAAC,KAAK,CAAC,CAAC;YAEnB,yBAAyB;YACzB,IAAI,CAAC;gBACH,OAAO,MAAM,CAAC,eAAe,CAC3B,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EACtB,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAC/B,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,KAAK,CAAC,oBAAoB,CACxB,KAAc;YAEd,MAAM,GAAG,GAAG,MAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAC3C,IAAI,OAAY,CAAC;YACjB,IAAI,CAAC;gBACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC5B,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;YAED,kEAAkE;YAClE,sEAAsE;YACtE,qEAAqE;YACrE,mEAAmE;YACnE,oEAAoE;YACpE,oEAAoE;YACpE,mEAAmE;YACnE,iCAAiC;YACjC,yBAAyB,CAAC,OAAO,CAAC,CAAC;YAEnC,4BAA4B;YAC5B,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;gBACtC,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC;gBACxB,IAAI,CAAC,CAAC;oBAAE,OAAO,IAAI,CAAC;gBAEpB,sBAAsB;gBACtB,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,OAAO,KAAK,aAAa;oBAAE,OAAO,IAAI,CAAC;gBACzD,mCAAmC;gBACnC,IAAI,CAAC,CAAC,OAAO,KAAK,iBAAiB,IAAI,CAAC,CAAC,OAAO,KAAK,iBAAiB;oBACpE,OAAO,IAAI,CAAC;gBAEd,+CAA+C;gBAC/C,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC,IAAI;oBAAE,OAAO,IAAI,CAAC;gBAEvB,+EAA+E;gBAC/E,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3D,IAAI,CAAC,SAAS;oBAAE,OAAO,IAAI,CAAC;gBAE5B,gEAAgE;gBAChE,MAAM,QAAQ,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,EAAE,CAAC;gBACrC,MAAM,gBAAgB,GAAG,GAAG,CAAC,CAAC,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAEpD,OAAO;oBACL,QAAQ,EAAE,OAAO;oBACjB,gBAAgB;oBAChB,IAAI,EAAE,SAAS;oBACf,UAAU,EAAE,CAAC,CAAC,IAAI;oBAClB,QAAQ,EAAE,CAAC,CAAC,IAAI;oBAChB,eAAe,EAAE;wBACf,SAAS,EAAE,CAAC,CAAC,OAAO;wBACpB,QAAQ,EAAE,QAAQ;wBAClB,SAAS,EAAE,CAAC,CAAC,EAAE;wBACf,MAAM,EAAE,OAAO,CAAC,OAAO;wBACvB,OAAO,EAAE,OAAO,CAAC,QAAQ;qBAC1B;oBACD,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC;iBAC/C,CAAC;YACJ,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAED,KAAK,CAAC,yBAAyB,CAC7B,QAAyB;YAEzB,gEAAgE;YAChE,sEAAsE;YACtE,kEAAkE;YAClE,oEAAoE;YACpE,sEAAsE;YACtE,sCAAsC;YACtC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;YAC1C,IAAI,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC;YAExB,MAAM,SAAS,GAAG,QAAQ,CAAC,eAAe,CAAC,SAAmB,CAAC;YAC/D,MAAM,QAAQ,GAAG,QAAQ,CAAC,eAAe,CAAC,QAAkB,CAAC;YAC7D,IAAI,CAAC,SAAS,IAAI,CAAC,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAEzC,sEAAsE;YACtE,qEAAqE;YACrE,mCAAmC;YACnC,uBAAuB,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;YACpE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,KAAK,CAAC,YAAY,CAChB,OAAwB,EACxB,OAAwB,EACxB,IAAkC;YAElC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;YAC1C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;gBACxD,OAAO;YACT,CAAC;YAED,MAAM,SAAS,GAAG,OAAO,CAAC,eAAe,CAAC,SAAmB,CAAC;YAC9D,MAAM,QAAQ,GAAG,OAAO,CAAC,eAAe,CAAC,QAAkB,CAAC;YAC5D,MAAM,MAAM,GAAI,OAAO,CAAC,eAAuB,EAAE,MAEpC,CAAC;YACd,MAAM,cAAc,GAAG,IAAI,EAAE,cAAc,CAAC;YAE5C,wEAAwE;YACxE,qEAAqE;YACrE,wEAAwE;YACxE,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;YAC5D,MAAM,UAAU,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAEnC,MAAM,WAAW,GACf,MAAM;gBACN,mBAAmB,CAAC,UAAU,EAAE;oBAC9B,iBAAiB,EAAG,OAAO,CAAC,eAAuB;wBACjD,EAAE,iBAAiB;iBACtB,CAAC,CAAC;YAEL,MAAM,QAAQ,GAA4B;gBACxC,OAAO,EAAE,SAAS;gBAClB,IAAI,EAAE,UAAU;gBAChB,MAAM,EAAE,WAAW;gBACnB,YAAY,EAAE,KAAK;gBACnB,YAAY,EAAE,KAAK;gBACnB,MAAM,EAAE,IAAI;aACb,CAAC;YAEF,IAAI,CAAC;gBACH,IAAI,cAAc,EAAE,CAAC;oBACnB,gDAAgD;oBAChD,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,mCAAmC,EAAE;wBACnE,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE;4BACP,aAAa,EAAE,UAAU,KAAK,EAAE;4BAChC,cAAc,EAAE,kBAAkB;yBACnC;wBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,QAAQ,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC;qBAC1D,CAAC,CAAC;oBACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAG7B,CAAC;oBACF,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;wBACb,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;wBACxD,2DAA2D;wBAC3D,MAAM,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;oBACxD,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;gBACxD,CAAC;gBAED,8DAA8D;gBAC9D,sDAAsD;gBACtD,IAAI,QAAQ,EAAE,CAAC;oBACb,uBAAuB,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;gBAC1D,CAAC;gBAED,uEAAuE;gBACvE,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;oBAC/B,MAAM,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE;wBAC1C,OAAO,EAAE,SAAS;wBAClB,IAAI,EAAE,KAAK;wBACX,YAAY,EAAE,KAAK;wBACnB,YAAY,EAAE,KAAK;wBACnB,MAAM,EAAE,IAAI;qBACb,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,GAAG,CAAC,CAAC;gBACtD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,KAAK,CAAC,mBAAmB,CACvB,OAAwB,EACxB,MAAsB;YAEtB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;YAC1C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;gBACxD,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;YAC5D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,MAAM,IAAI,GAA4B;oBACpC,OAAO,EAAE,MAAM,CAAC,WAAW;oBAC3B,IAAI,EAAE,KAAK;iBACZ,CAAC;gBACF,IAAI,MAAM,CAAC,SAAS;oBAAE,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;gBAExD,IAAI,CAAC;oBACH,MAAM,GAAG,GAAG,MAAM,aAAa,CAC7B,wCAAwC,EACxC;wBACE,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE;4BACP,aAAa,EAAE,UAAU,KAAK,EAAE;4BAChC,cAAc,EAAE,kBAAkB;yBACnC;wBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;qBAC3B,CACF,CAAC;oBACF,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoC,CAAC;oBACnE,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;wBACb,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,yBAAyB,CAAC,CAAC;oBAC3D,CAAC;gBACH,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAC;oBAChE,MAAM,GAAG,CAAC;gBACZ,CAAC;YACH,CAAC;QACH,CAAC;QAED,mBAAmB,CACjB,IAAY,EACZ,IAAqC;YAErC,OAAO;gBACL,IAAI,EAAE,qBAAqB,CAAC,IAAI,CAAC;gBACjC,eAAe,EAAE,IAAI,EAAE,iBAAiB;oBACtC,CAAC,CAAC,EAAE,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,EAAE;oBAC/C,CAAC,CAAC,EAAE;aACP,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,SAAS,CAAC,OAAgB;YAC9B,MAAM,QAAQ,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;YAC/C,MAAM,SAAS,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;YACrD,MAAM,UAAU,GAAG,QAAQ,IAAI,SAAS,CAAC;YAEzC,OAAO;gBACL,QAAQ,EAAE,OAAO;gBACjB,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,KAAK,EAAE,uBAAuB;gBACvC,UAAU;gBACV,OAAO,EAAE;oBACP,QAAQ;oBACR,SAAS;iBACV;gBACD,KAAK,EAAE,CAAC,UAAU;oBAChB,CAAC,CAAC,kEAAkE;oBACpE,CAAC,CAAC,SAAS;aACd,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,IAAY;IACrC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC9B,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,MAAM,GAAG,GAAG;SACf,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC/B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACrC,OAAO,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;AACzB,CAAC;AAED,IAAI,uBAAuB,GAAG,KAAK,CAAC;AAEpC;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,SAAS,yBAAyB,CAAC,OAAY;IAC7C,MAAM,MAAM,GACV,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;IACrE,MAAM,QAAQ,GACZ,OAAO,OAAO,EAAE,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;IAE3E,MAAM,cAAc,GAAG,iBAAiB,CAAC,wBAAwB,CAAC,CAAC;IACnE,MAAM,aAAa,GAAG,iBAAiB,CAAC,2BAA2B,CAAC,CAAC;IAErE,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC1C,MAAM,WAAW,CAAC;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,6CAA6C;aAC7D,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAC7B,uBAAuB,GAAG,IAAI,CAAC;YAC/B,OAAO,CAAC,IAAI,CACV,6HAA6H;gBAC3H,gHAAgH,CACnH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3C,MAAM,WAAW,CAAC;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,8BAA8B;aAC9C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC,QAAQ,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9C,MAAM,WAAW,CAAC;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,8BAA8B;aAC9C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,KAAK,UAAU,iBAAiB,CAAC,KAAc;IAC7C,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;IACvC,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC;IAC9C,wEAAwE;IACxE,wEAAwE;IACxE,gDAAgD;IAChD,MAAM,GAAG,GAAG,CAAC,MAAM,WAAW,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7C,KAAK,CAAC,OAAO,CAAC,SAAS,GAAG,GAAG,CAAC;IAC9B,OAAO,GAAG,CAAC;AACb,CAAC;AAED,uEAAuE;AACvE,SAAS,YAAY,CAAC,IAAY,EAAE,SAAiB;IACnD,IAAI,IAAI,CAAC,MAAM,IAAI,SAAS;QAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,SAAS,GAAG,IAAI,CAAC;IACrB,OAAO,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,MAAM;QACR,CAAC;QACD,4BAA4B;QAC5B,IAAI,QAAQ,GAAG,SAAS,CAAC,WAAW,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QACtD,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;YAClB,0BAA0B;YAC1B,QAAQ,GAAG,SAAS,CAAC,WAAW,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;YAClB,QAAQ,GAAG,SAAS,CAAC;QACvB,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC1C,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,SAAS,EAAE,CAAC;IACpD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;4EAK4E;AAC5E,MAAM,iBAAiB,GAAG,MAAM,CAAC;AAEjC;;;;;;;;GAQG;AACH,SAAS,qBAAqB,CAAC,IAAY;IACzC,MAAM,OAAO,GACX,IAAI,CAAC,MAAM,GAAG,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC5E,OAAO,CACL,OAAO;SACJ,OAAO,CAAC,0BAA0B,EAAE,SAAS,CAAC;QAC/C,sEAAsE;QACtE,sEAAsE;SACrE,OAAO,CAAC,oCAAoC,EAAE,MAAM,CAAC;QACtD,oEAAoE;QACpE,gEAAgE;QAChE,sEAAsE;QACtE,iEAAiE;QACjE,gDAAgD;SAC/C,OAAO,CAAC,yBAAyB,EAAE,MAAM,CAAC,CAC9C,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,uBAAuB,CAC9B,KAAa,EACb,SAAiB,EACjB,QAAgB,EAChB,MAAc;IAEd,aAAa,CAAC,mDAAmD,EAAE;QACjE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,EAAE;YAChC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,UAAU,EAAE,SAAS;YACrB,SAAS,EAAE,QAAQ;YACnB,MAAM;SACP,CAAC;KACH,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;AACrB,CAAC;AAED;;;;;GAKG;AACH,SAAS,mBAAmB,CAC1B,IAAY,EACZ,IAAoC;IAEpC,MAAM,MAAM,GAAU;QACpB;YACE,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,IAAI,iBAAiB,EAAE;SAC1D;KACF,CAAC;IACF,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC3B,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,SAAS;YACf,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,IAAI,EAAE;oBAC9D,GAAG,EAAE,IAAI,CAAC,iBAAiB;oBAC3B,SAAS,EAAE,sBAAsB;iBAClC;aACF;SACF,CAAC,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,SAAS,CACtB,KAAa,EACb,SAAiB,EACjB,QAA4B,EAC5B,IAA6B;IAE7B,MAAM,OAAO,GAA4B;QACvC,GAAG,IAAI;QACP,OAAO,EAAE,SAAS;KACnB,CAAC;IACF,IAAI,QAAQ,IAAI,CAAC,OAAO,CAAC,SAAS;QAAE,OAAO,CAAC,SAAS,GAAG,QAAQ,CAAC;IACjE,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,wCAAwC,EAAE;QACxE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,EAAE;YAChC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;KAC9B,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoC,CAAC;IACnE,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,yBAAyB,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,GAAW,EACX,IAAiB;IAEjB,MAAM,UAAU,GACd,OAAO,eAAe,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI,eAAe,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7E,MAAM,KAAK,GAAG,UAAU;QACtB,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,oBAAoB,CAAC;QAC5D,CAAC,CAAC,SAAS,CAAC;IACd,IAAI,CAAC;QACH,OAAO,MAAM,KAAK,CAAC,GAAG,EAAE;YACtB,GAAG,IAAI;YACP,MAAM,EAAE,UAAU,EAAE,MAAM,IAAI,IAAI,CAAC,MAAM;SAC1C,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,IAAI,KAAK;YAAE,YAAY,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;AACH,CAAC","sourcesContent":["import type { H3Event } from \"h3\";\nimport { createError, getHeader, readRawBody } from \"h3\";\nimport type {\n PlatformAdapter,\n IncomingMessage,\n OutgoingMessage,\n IntegrationStatus,\n OutboundTarget,\n} from \"../types.js\";\nimport type { EnvKeyConfig } from \"../../server/create-server.js\";\nimport { getIntegrationConfig } from \"../config-store.js\";\n\n/** Slack's max message length */\nconst SLACK_MAX_LENGTH = 4000;\nconst SLACK_API_TIMEOUT_MS = 10_000;\n\n/**\n * Create a Slack platform adapter.\n *\n * Required env vars:\n * - SLACK_BOT_TOKEN — Bot user OAuth token (xoxb-...)\n * - SLACK_SIGNING_SECRET — Used to verify webhook signatures\n *\n * Optional env vars:\n * - SLACK_ALLOWED_TEAM_IDS — Comma-separated list of Slack workspace\n * `team_id` values (e.g. \"T012ABCDEF,T034GHIJKL\") that this deployment\n * accepts events from. Required in production and strongly recommended\n * to prevent cross-workspace event injection (H1 in the webhook audit):\n * the global `SLACK_SIGNING_SECRET` is the same key for every workspace\n * the app is installed to, so without an allowlist any installed\n * workspace can drive the agent. When unset the adapter accepts events\n * from any workspace in development, but rejects events in production.\n * - SLACK_ALLOWED_API_APP_IDS — Comma-separated list of Slack app IDs\n * (`api_app_id`) to additionally pin events to. Useful when the same\n * signing secret rotation surfaces multiple app installs.\n */\nexport function slackAdapter(): PlatformAdapter {\n return {\n platform: \"slack\",\n label: \"Slack\",\n\n getRequiredEnvKeys(): EnvKeyConfig[] {\n return [\n {\n key: \"SLACK_BOT_TOKEN\",\n label: \"Slack Bot Token\",\n required: true,\n helpText:\n \"In your Slack app's left nav: OAuth & Permissions → Bot User OAuth Token (starts with `xoxb-`).\",\n },\n {\n key: \"SLACK_SIGNING_SECRET\",\n label: \"Slack Signing Secret\",\n required: true,\n helpText:\n \"In your Slack app's left nav: Basic Information → App Credentials → Signing Secret.\",\n },\n ];\n },\n\n async handleVerification(\n event: H3Event,\n ): Promise<{ handled: boolean; response?: unknown }> {\n // Slack sends url_verification when first setting up the webhook.\n // readRawBodyCached caches the raw bytes on event.context.__rawBody so\n // subsequent verifyWebhook + parseIncomingMessage calls re-use them\n // without re-stringifying a parsed body (M2 in the audit).\n const body = await readRawBodyCached(event);\n try {\n const parsed = JSON.parse(body);\n if (parsed.type === \"url_verification\") {\n // Slack's URL verifier expects the raw challenge value in the\n // response body. Returning JSON works for some clients but the app\n // settings verifier rejects it as not matching the challenge.\n return { handled: true, response: parsed.challenge };\n }\n } catch {}\n return { handled: false };\n },\n\n async verifyWebhook(event: H3Event): Promise<boolean> {\n const signingSecret = process.env.SLACK_SIGNING_SECRET;\n if (!signingSecret) return false;\n\n const signature = getHeader(event, \"x-slack-signature\");\n const timestamp = getHeader(event, \"x-slack-request-timestamp\");\n if (!signature || !timestamp) return false;\n\n // Reject requests older than 5 minutes (replay protection)\n const ts = parseInt(timestamp, 10);\n if (Math.abs(Date.now() / 1000 - ts) > 300) return false;\n\n const body = await readRawBodyCached(event);\n const crypto = await import(\"node:crypto\");\n const basestring = `v0:${timestamp}:${body}`;\n const expectedSignature =\n \"v0=\" +\n crypto\n .createHmac(\"sha256\", signingSecret)\n .update(basestring)\n .digest(\"hex\");\n\n // Timing-safe comparison\n try {\n return crypto.timingSafeEqual(\n Buffer.from(signature),\n Buffer.from(expectedSignature),\n );\n } catch {\n return false;\n }\n },\n\n async parseIncomingMessage(\n event: H3Event,\n ): Promise<IncomingMessage | null> {\n const raw = await readRawBodyCached(event);\n let payload: any;\n try {\n payload = JSON.parse(raw);\n } catch {\n return null;\n }\n\n // H1 (webhook audit): cross-workspace event injection. The global\n // SLACK_SIGNING_SECRET is the same key for every workspace this Slack\n // app is installed to — without a per-tenant allowlist any installed\n // workspace can drive the agent. We enforce SLACK_ALLOWED_TEAM_IDS\n // here AFTER the signature has already been verified by the webhook\n // handler, so this is purely a tenant-isolation gate (not a forgery\n // defense). When unset in production we surface a one-time warning\n // recommending it be configured.\n enforceWorkspaceAllowlist(payload);\n\n // Handle Events API wrapper\n if (payload.type === \"event_callback\") {\n const e = payload.event;\n if (!e) return null;\n\n // Ignore bot messages\n if (e.bot_id || e.subtype === \"bot_message\") return null;\n // Ignore message edits and deletes\n if (e.subtype === \"message_changed\" || e.subtype === \"message_deleted\")\n return null;\n\n // Handle both direct messages and app_mentions\n const text = e.text?.trim();\n if (!text) return null;\n\n // Remove bot mention from text (e.g., \"<@U123> do something\" → \"do something\")\n const cleanText = text.replace(/<@[A-Z0-9]+>/g, \"\").trim();\n if (!cleanText) return null;\n\n // Thread ID: use thread_ts if in a thread, otherwise message ts\n const threadTs = e.thread_ts || e.ts;\n const externalThreadId = `${e.channel}:${threadTs}`;\n\n return {\n platform: \"slack\",\n externalThreadId,\n text: cleanText,\n senderName: e.user,\n senderId: e.user,\n platformContext: {\n channelId: e.channel,\n threadTs: threadTs,\n messageTs: e.ts,\n teamId: payload.team_id,\n eventId: payload.event_id,\n },\n timestamp: Math.floor(parseFloat(e.ts) * 1000),\n };\n }\n\n return null;\n },\n\n async postProcessingPlaceholder(\n incoming: IncomingMessage,\n ): Promise<{ placeholderRef: string } | null> {\n // No placeholder reply in the thread — Slack's native assistant\n // status bar (\"agent-native is thinking…\", below the composer) is the\n // loading affordance. A second visible \"Working on it…\" reply was\n // redundant and added an extra chunk that we then had to overwrite.\n // We just set the native status and return null so sendResponse posts\n // the final reply as a fresh message.\n const token = process.env.SLACK_BOT_TOKEN;\n if (!token) return null;\n\n const channelId = incoming.platformContext.channelId as string;\n const threadTs = incoming.platformContext.threadTs as string;\n if (!channelId || !threadTs) return null;\n\n // Best-effort: flip the native AI-assistant \"is thinking…\" status bar\n // in the channel input area. Requires `assistant:write` scope on the\n // app — otherwise silently no-ops.\n setSlackAssistantStatus(token, channelId, threadTs, \"is thinking…\");\n return null;\n },\n\n async sendResponse(\n message: OutgoingMessage,\n context: IncomingMessage,\n opts?: { placeholderRef?: string },\n ): Promise<void> {\n const token = process.env.SLACK_BOT_TOKEN;\n if (!token) {\n console.error(\"[slack] SLACK_BOT_TOKEN not configured\");\n return;\n }\n\n const channelId = context.platformContext.channelId as string;\n const threadTs = context.platformContext.threadTs as string;\n const blocks = (message.platformContext as any)?.blocks as\n | unknown[]\n | undefined;\n const placeholderRef = opts?.placeholderRef;\n\n // Block-rich path: split text into chunks but render the FIRST chunk as\n // blocks (so we keep the in-place edit + button) and any overflow as\n // plain follow-up posts. The vast majority of replies fit in one block.\n const chunks = splitMessage(message.text, SLACK_MAX_LENGTH);\n const firstChunk = chunks[0] ?? \"\";\n const restChunks = chunks.slice(1);\n\n const finalBlocks =\n blocks ??\n buildResponseBlocks(firstChunk, {\n threadDeepLinkUrl: (message.platformContext as any)\n ?.threadDeepLinkUrl,\n });\n\n const baseBody: Record<string, unknown> = {\n channel: channelId,\n text: firstChunk,\n blocks: finalBlocks,\n unfurl_links: false,\n unfurl_media: false,\n mrkdwn: true,\n };\n\n try {\n if (placeholderRef) {\n // Replace the \"thinking…\" placeholder in place.\n const res = await slackApiFetch(\"https://slack.com/api/chat.update\", {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${token}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify({ ...baseBody, ts: placeholderRef }),\n });\n const data = (await res.json()) as {\n ok: boolean;\n error?: string;\n };\n if (!data.ok) {\n console.error(\"[slack] chat.update error:\", data.error);\n // Fall back to a fresh post so the user still sees a reply\n await postFresh(token, channelId, threadTs, baseBody);\n }\n } else {\n await postFresh(token, channelId, threadTs, baseBody);\n }\n\n // Clear the AI-assistant \"is thinking…\" status now that we've\n // delivered the final answer. Empty status clears it.\n if (threadTs) {\n setSlackAssistantStatus(token, channelId, threadTs, \"\");\n }\n\n // Overflow chunks (rare) — post as plain follow-ups in the same thread\n for (const chunk of restChunks) {\n await postFresh(token, channelId, threadTs, {\n channel: channelId,\n text: chunk,\n unfurl_links: false,\n unfurl_media: false,\n mrkdwn: true,\n });\n }\n } catch (err) {\n console.error(\"[slack] Failed to send message:\", err);\n throw err;\n }\n },\n\n async sendMessageToTarget(\n message: OutgoingMessage,\n target: OutboundTarget,\n ): Promise<void> {\n const token = process.env.SLACK_BOT_TOKEN;\n if (!token) {\n console.error(\"[slack] SLACK_BOT_TOKEN not configured\");\n return;\n }\n\n const chunks = splitMessage(message.text, SLACK_MAX_LENGTH);\n for (const chunk of chunks) {\n const body: Record<string, unknown> = {\n channel: target.destination,\n text: chunk,\n };\n if (target.threadRef) body.thread_ts = target.threadRef;\n\n try {\n const res = await slackApiFetch(\n \"https://slack.com/api/chat.postMessage\",\n {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${token}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify(body),\n },\n );\n const data = (await res.json()) as { ok: boolean; error?: string };\n if (!data.ok) {\n throw new Error(data.error || \"chat.postMessage failed\");\n }\n } catch (err) {\n console.error(\"[slack] Failed to send proactive message:\", err);\n throw err;\n }\n }\n },\n\n formatAgentResponse(\n text: string,\n opts?: { threadDeepLinkUrl?: string },\n ): OutgoingMessage {\n return {\n text: markdownToSlackMrkdwn(text),\n platformContext: opts?.threadDeepLinkUrl\n ? { threadDeepLinkUrl: opts.threadDeepLinkUrl }\n : {},\n };\n },\n\n async getStatus(baseUrl?: string): Promise<IntegrationStatus> {\n const hasToken = !!process.env.SLACK_BOT_TOKEN;\n const hasSecret = !!process.env.SLACK_SIGNING_SECRET;\n const configured = hasToken && hasSecret;\n\n return {\n platform: \"slack\",\n label: \"Slack\",\n enabled: false, // overridden by plugin\n configured,\n details: {\n hasToken,\n hasSecret,\n },\n error: !configured\n ? \"Set SLACK_BOT_TOKEN and SLACK_SIGNING_SECRET in your environment\"\n : undefined,\n };\n },\n };\n}\n\n/**\n * Parse a comma-separated env var into a Set of trimmed, non-empty values.\n * Returns null when the env var is unset or empty (so callers can\n * distinguish \"no allowlist configured\" from \"empty allowlist\").\n */\nfunction parseAllowlistEnv(name: string): Set<string> | null {\n const raw = process.env[name];\n if (!raw) return null;\n const values = raw\n .split(\",\")\n .map((v) => v.trim())\n .filter((v) => v.length > 0);\n if (values.length === 0) return null;\n return new Set(values);\n}\n\nlet _missingAllowlistWarned = false;\n\n/**\n * Enforce that an incoming Slack event comes from an allowlisted workspace.\n *\n * H1 in the webhook audit: the framework uses a SINGLE global\n * SLACK_SIGNING_SECRET for every workspace the Slack app is installed to,\n * so a valid signature alone doesn't prove the request belongs to the\n * tenant the deployment intends to serve. This helper layers a per-tenant\n * allowlist on top of signature verification.\n *\n * Behavior:\n * - If `SLACK_ALLOWED_TEAM_IDS` is set: reject any payload whose\n * `team_id` isn't in the list.\n * - If `SLACK_ALLOWED_API_APP_IDS` is set: also reject payloads whose\n * `api_app_id` isn't in the list (bot apps can be installed under the\n * same Slack app id across multiple workspaces — pinning both keeps\n * the surface tight when team_id allows multiple workspaces).\n * - If `SLACK_ALLOWED_TEAM_IDS` is unset/empty in production: reject the\n * event. Production must fail closed so any workspace with the shared\n * signing secret cannot drive the agent.\n * - If `SLACK_ALLOWED_TEAM_IDS` is unset/empty in dev / single-tenant: log a\n * one-time warning and accept (current local setup behavior).\n *\n * Throws an h3 401 error when an allowlisted-but-mismatched payload is\n * received, which the integrations plugin surfaces to the caller as\n * \"Unrecognized Slack workspace\" without enqueuing the event.\n */\nfunction enforceWorkspaceAllowlist(payload: any): void {\n const teamId =\n typeof payload?.team_id === \"string\" ? payload.team_id : undefined;\n const apiAppId =\n typeof payload?.api_app_id === \"string\" ? payload.api_app_id : undefined;\n\n const allowedTeamIds = parseAllowlistEnv(\"SLACK_ALLOWED_TEAM_IDS\");\n const allowedAppIds = parseAllowlistEnv(\"SLACK_ALLOWED_API_APP_IDS\");\n\n if (!allowedTeamIds) {\n if (process.env.NODE_ENV === \"production\") {\n throw createError({\n statusCode: 401,\n statusMessage: \"Slack workspace allowlist is not configured\",\n });\n }\n if (!_missingAllowlistWarned) {\n _missingAllowlistWarned = true;\n console.warn(\n \"[slack] SLACK_ALLOWED_TEAM_IDS not set — accepting events from any workspace whose signature matches SLACK_SIGNING_SECRET. \" +\n \"Set SLACK_ALLOWED_TEAM_IDS to a comma-separated list of allowed team_id values before deploying to production.\",\n );\n }\n }\n\n if (allowedTeamIds) {\n if (!teamId || !allowedTeamIds.has(teamId)) {\n throw createError({\n statusCode: 401,\n statusMessage: \"Unrecognized Slack workspace\",\n });\n }\n }\n\n if (allowedAppIds) {\n if (!apiAppId || !allowedAppIds.has(apiAppId)) {\n throw createError({\n statusCode: 401,\n statusMessage: \"Unrecognized Slack workspace\",\n });\n }\n }\n}\n\n/**\n * Read the raw request body as a string and cache on the event context.\n *\n * This MUST read raw bytes from the request stream — never `JSON.stringify`\n * a parsed body, because Slack's HMAC is computed over the exact bytes Slack\n * sent. Re-stringifying a parsed object loses key ordering, whitespace, and\n * Unicode-escape choices, so the signature check would silently fail for\n * legitimate requests (M2 in the webhook security audit).\n *\n * h3 v2's body stream is consume-once, so we cache the raw string on the\n * event context after the first read. All call sites (handleVerification,\n * verifyWebhook, parseIncomingMessage) MUST go through this helper.\n */\nasync function readRawBodyCached(event: H3Event): Promise<string> {\n const cached = event.context.__rawBody;\n if (typeof cached === \"string\") return cached;\n // h3's readRawBody returns the bytes Slack actually sent, defaulting to\n // utf8-decoded. Returns undefined for empty bodies — we coerce to \"\" so\n // the HMAC check can proceed deterministically.\n const raw = (await readRawBody(event)) ?? \"\";\n event.context.__rawBody = raw;\n return raw;\n}\n\n/** Split a message into chunks that fit within the platform's limit */\nfunction splitMessage(text: string, maxLength: number): string[] {\n if (text.length <= maxLength) return [text];\n const chunks: string[] = [];\n let remaining = text;\n while (remaining.length > 0) {\n if (remaining.length <= maxLength) {\n chunks.push(remaining);\n break;\n }\n // Try to split at a newline\n let splitIdx = remaining.lastIndexOf(\"\\n\", maxLength);\n if (splitIdx <= 0) {\n // Try to split at a space\n splitIdx = remaining.lastIndexOf(\" \", maxLength);\n }\n if (splitIdx <= 0) {\n splitIdx = maxLength;\n }\n chunks.push(remaining.slice(0, splitIdx));\n remaining = remaining.slice(splitIdx).trimStart();\n }\n return chunks;\n}\n\n/** Hard cap on input length we feed to the regex-based mrkdwn converter.\n * L2 in the webhook audit: `\\*\\*(.+?)\\*\\*` with the `s` flag on a long\n * string of asterisks can exhibit super-linear backtracking. Slack\n * itself caps message bodies at 4000 chars (SLACK_MAX_LENGTH); we cap\n * the input here at 10x that as a defensive bound for any caller that\n * passes a longer rendering source through this helper before chunking. */\nconst MRKDWN_MAX_LENGTH = 40_000;\n\n/**\n * Convert standard markdown to Slack's mrkdwn dialect.\n * - `[text](url)` → `<url|text>`\n * - `**bold**` → `*bold*` (Slack uses single asterisks for bold)\n *\n * Inputs longer than MRKDWN_MAX_LENGTH are truncated before the regex\n * pass to bound worst-case backtracking on pathological input (L2 in the\n * webhook audit).\n */\nfunction markdownToSlackMrkdwn(text: string): string {\n const bounded =\n text.length > MRKDWN_MAX_LENGTH ? text.slice(0, MRKDWN_MAX_LENGTH) : text;\n return (\n bounded\n .replace(/\\[([^\\]]+)\\]\\(([^)]+)\\)/g, \"<$2|$1>\")\n // Do not wrap bare URLs in Slack bold markers. Slack's autolinker can\n // treat the trailing `*` as part of the URL, producing a broken link.\n .replace(/\\*\\*<?(https?:\\/\\/[^\\s>*]+)>?\\*\\*/g, \"<$1>\")\n // Bounded character class instead of `.+?` with the `s` flag — caps\n // each bold span at 5000 chars so an attacker can't construct a\n // pathological \"**\" sequence that exhibits super-linear backtracking.\n // Newlines are allowed because `[^*]` excludes only the asterisk\n // itself, so multi-line bold spans still match.\n .replace(/\\*\\*([^*]{1,5000})\\*\\*/g, \"*$1*\")\n );\n}\n\n/**\n * Optionally set Slack's native AI-assistant status indicator (the small\n * \"is thinking…\" line under the message composer) for an app configured\n * with the `assistant:write` scope. Pure best-effort — fails silently for\n * apps that aren't set up as AI assistants.\n */\nfunction setSlackAssistantStatus(\n token: string,\n channelId: string,\n threadTs: string,\n status: string,\n): void {\n slackApiFetch(\"https://slack.com/api/assistant.threads.setStatus\", {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${token}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify({\n channel_id: channelId,\n thread_ts: threadTs,\n status,\n }),\n }).catch(() => {});\n}\n\n/**\n * Block Kit payload for the final answer. We avoid auto-unfurl previews by\n * separating the deep-link out into a button instead of inlining it as a\n * `<url|text>` markdown link in the section body — that's what was producing\n * the giant \"Agent-Native Dispatch\" card in every thread reply.\n */\nfunction buildResponseBlocks(\n text: string,\n opts: { threadDeepLinkUrl?: string },\n): unknown[] {\n const blocks: any[] = [\n {\n type: \"section\",\n text: { type: \"mrkdwn\", text: text || \"_(no response)_\" },\n },\n ];\n if (opts.threadDeepLinkUrl) {\n blocks.push({\n type: \"actions\",\n elements: [\n {\n type: \"button\",\n text: { type: \"plain_text\", text: \"Open thread\", emoji: true },\n url: opts.threadDeepLinkUrl,\n action_id: \"open_dispatch_thread\",\n },\n ],\n });\n }\n return blocks;\n}\n\n/**\n * Post a fresh message to a thread. Used as the placeholder-fallback path\n * (e.g. when chat.update fails) and for follow-up overflow chunks.\n */\nasync function postFresh(\n token: string,\n channelId: string,\n threadTs: string | undefined,\n body: Record<string, unknown>,\n): Promise<void> {\n const payload: Record<string, unknown> = {\n ...body,\n channel: channelId,\n };\n if (threadTs && !payload.thread_ts) payload.thread_ts = threadTs;\n const res = await slackApiFetch(\"https://slack.com/api/chat.postMessage\", {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${token}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify(payload),\n });\n const data = (await res.json()) as { ok: boolean; error?: string };\n if (!data.ok) {\n console.error(\"[slack] chat.postMessage error:\", data.error);\n throw new Error(data.error || \"chat.postMessage failed\");\n }\n}\n\nasync function slackApiFetch(\n url: string,\n init: RequestInit,\n): Promise<Response> {\n const controller =\n typeof AbortController !== \"undefined\" ? new AbortController() : undefined;\n const timer = controller\n ? setTimeout(() => controller.abort(), SLACK_API_TIMEOUT_MS)\n : undefined;\n try {\n return await fetch(url, {\n ...init,\n signal: controller?.signal ?? init.signal,\n });\n } finally {\n if (timer) clearTimeout(timer);\n }\n}\n"]}
|