@agent-native/core 0.8.2 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (305) hide show
  1. package/README.md +4 -4
  2. package/dist/agent/engine/builder-engine.d.ts.map +1 -1
  3. package/dist/agent/engine/builder-engine.js +5 -4
  4. package/dist/agent/engine/builder-engine.js.map +1 -1
  5. package/dist/agent/engine/registry.d.ts +6 -3
  6. package/dist/agent/engine/registry.d.ts.map +1 -1
  7. package/dist/agent/engine/registry.js +8 -17
  8. package/dist/agent/engine/registry.js.map +1 -1
  9. package/dist/agent/production-agent.d.ts +1 -1
  10. package/dist/agent/production-agent.d.ts.map +1 -1
  11. package/dist/agent/production-agent.js +28 -11
  12. package/dist/agent/production-agent.js.map +1 -1
  13. package/dist/agent/run-manager.d.ts +10 -0
  14. package/dist/agent/run-manager.d.ts.map +1 -1
  15. package/dist/agent/run-manager.js +89 -7
  16. package/dist/agent/run-manager.js.map +1 -1
  17. package/dist/agent/run-store.d.ts +4 -1
  18. package/dist/agent/run-store.d.ts.map +1 -1
  19. package/dist/agent/run-store.js +6 -5
  20. package/dist/agent/run-store.js.map +1 -1
  21. package/dist/agent/thread-data-builder.d.ts +12 -0
  22. package/dist/agent/thread-data-builder.d.ts.map +1 -1
  23. package/dist/agent/thread-data-builder.js +96 -0
  24. package/dist/agent/thread-data-builder.js.map +1 -1
  25. package/dist/cli/create.d.ts +9 -0
  26. package/dist/cli/create.d.ts.map +1 -1
  27. package/dist/cli/create.js +29 -11
  28. package/dist/cli/create.js.map +1 -1
  29. package/dist/cli/index.js +177 -22
  30. package/dist/cli/index.js.map +1 -1
  31. package/dist/cli/workspace-dev.js +66 -5
  32. package/dist/cli/workspace-dev.js.map +1 -1
  33. package/dist/client/AgentPanel.d.ts.map +1 -1
  34. package/dist/client/AgentPanel.js +6 -20
  35. package/dist/client/AgentPanel.js.map +1 -1
  36. package/dist/client/AssistantChat.d.ts.map +1 -1
  37. package/dist/client/AssistantChat.js +146 -107
  38. package/dist/client/AssistantChat.js.map +1 -1
  39. package/dist/client/agent-chat-adapter.d.ts.map +1 -1
  40. package/dist/client/agent-chat-adapter.js +143 -22
  41. package/dist/client/agent-chat-adapter.js.map +1 -1
  42. package/dist/client/agent-sidebar-state.d.ts +3 -0
  43. package/dist/client/agent-sidebar-state.d.ts.map +1 -0
  44. package/dist/client/agent-sidebar-state.js +24 -0
  45. package/dist/client/agent-sidebar-state.js.map +1 -0
  46. package/dist/client/analytics.d.ts +39 -0
  47. package/dist/client/analytics.d.ts.map +1 -1
  48. package/dist/client/analytics.js +74 -0
  49. package/dist/client/analytics.js.map +1 -1
  50. package/dist/client/components/PresenceBar.d.ts.map +1 -1
  51. package/dist/client/components/PresenceBar.js +21 -15
  52. package/dist/client/components/PresenceBar.js.map +1 -1
  53. package/dist/client/components/ui/tooltip.d.ts +2 -1
  54. package/dist/client/components/ui/tooltip.d.ts.map +1 -1
  55. package/dist/client/components/ui/tooltip.js +9 -2
  56. package/dist/client/components/ui/tooltip.js.map +1 -1
  57. package/dist/client/composer/ComposerPlusMenu.d.ts.map +1 -1
  58. package/dist/client/composer/ComposerPlusMenu.js +51 -17
  59. package/dist/client/composer/ComposerPlusMenu.js.map +1 -1
  60. package/dist/client/composer/PromptComposer.d.ts.map +1 -1
  61. package/dist/client/composer/PromptComposer.js +30 -0
  62. package/dist/client/composer/PromptComposer.js.map +1 -1
  63. package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
  64. package/dist/client/composer/TiptapComposer.js +31 -5
  65. package/dist/client/composer/TiptapComposer.js.map +1 -1
  66. package/dist/client/composer/VoiceButton.d.ts.map +1 -1
  67. package/dist/client/composer/VoiceButton.js +9 -8
  68. package/dist/client/composer/VoiceButton.js.map +1 -1
  69. package/dist/client/dev-overlay/DevOverlay.d.ts.map +1 -1
  70. package/dist/client/dev-overlay/DevOverlay.js +4 -3
  71. package/dist/client/dev-overlay/DevOverlay.js.map +1 -1
  72. package/dist/client/error-format.d.ts.map +1 -1
  73. package/dist/client/error-format.js +6 -0
  74. package/dist/client/error-format.js.map +1 -1
  75. package/dist/client/extensions/EmbeddedExtension.d.ts.map +1 -1
  76. package/dist/client/extensions/EmbeddedExtension.js +14 -3
  77. package/dist/client/extensions/EmbeddedExtension.js.map +1 -1
  78. package/dist/client/extensions/ExtensionEditor.d.ts.map +1 -1
  79. package/dist/client/extensions/ExtensionEditor.js +6 -5
  80. package/dist/client/extensions/ExtensionEditor.js.map +1 -1
  81. package/dist/client/extensions/ExtensionSlot.d.ts.map +1 -1
  82. package/dist/client/extensions/ExtensionSlot.js +2 -1
  83. package/dist/client/extensions/ExtensionSlot.js.map +1 -1
  84. package/dist/client/extensions/ExtensionViewer.d.ts.map +1 -1
  85. package/dist/client/extensions/ExtensionViewer.js +40 -19
  86. package/dist/client/extensions/ExtensionViewer.js.map +1 -1
  87. package/dist/client/extensions/ExtensionsSidebarSection.d.ts.map +1 -1
  88. package/dist/client/extensions/ExtensionsSidebarSection.js +52 -51
  89. package/dist/client/extensions/ExtensionsSidebarSection.js.map +1 -1
  90. package/dist/client/index.d.ts +2 -1
  91. package/dist/client/index.d.ts.map +1 -1
  92. package/dist/client/index.js +2 -1
  93. package/dist/client/index.js.map +1 -1
  94. package/dist/client/integrations/IntegrationCard.d.ts.map +1 -1
  95. package/dist/client/integrations/IntegrationCard.js +2 -1
  96. package/dist/client/integrations/IntegrationCard.js.map +1 -1
  97. package/dist/client/integrations/IntegrationsPanel.d.ts.map +1 -1
  98. package/dist/client/integrations/IntegrationsPanel.js +3 -2
  99. package/dist/client/integrations/IntegrationsPanel.js.map +1 -1
  100. package/dist/client/notifications/NotificationsBell.d.ts.map +1 -1
  101. package/dist/client/notifications/NotificationsBell.js +42 -6
  102. package/dist/client/notifications/NotificationsBell.js.map +1 -1
  103. package/dist/client/onboarding/OnboardingPanel.d.ts.map +1 -1
  104. package/dist/client/onboarding/OnboardingPanel.js +3 -2
  105. package/dist/client/onboarding/OnboardingPanel.js.map +1 -1
  106. package/dist/client/onboarding/SetupButton.d.ts.map +1 -1
  107. package/dist/client/onboarding/SetupButton.js +14 -13
  108. package/dist/client/onboarding/SetupButton.js.map +1 -1
  109. package/dist/client/org/InvitationBanner.d.ts +8 -2
  110. package/dist/client/org/InvitationBanner.d.ts.map +1 -1
  111. package/dist/client/org/InvitationBanner.js +28 -7
  112. package/dist/client/org/InvitationBanner.js.map +1 -1
  113. package/dist/client/org/OrgSwitcher.d.ts.map +1 -1
  114. package/dist/client/org/OrgSwitcher.js +29 -5
  115. package/dist/client/org/OrgSwitcher.js.map +1 -1
  116. package/dist/client/org/TeamPage.d.ts.map +1 -1
  117. package/dist/client/org/TeamPage.js +9 -7
  118. package/dist/client/org/TeamPage.js.map +1 -1
  119. package/dist/client/resources/ResourceEditor.d.ts.map +1 -1
  120. package/dist/client/resources/ResourceEditor.js +2 -1
  121. package/dist/client/resources/ResourceEditor.js.map +1 -1
  122. package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
  123. package/dist/client/resources/ResourcesPanel.js +48 -14
  124. package/dist/client/resources/ResourcesPanel.js.map +1 -1
  125. package/dist/client/resources/use-mcp-servers.d.ts +2 -0
  126. package/dist/client/resources/use-mcp-servers.d.ts.map +1 -1
  127. package/dist/client/resources/use-mcp-servers.js +59 -3
  128. package/dist/client/resources/use-mcp-servers.js.map +1 -1
  129. package/dist/client/settings/AgentsSection.d.ts.map +1 -1
  130. package/dist/client/settings/AgentsSection.js +8 -7
  131. package/dist/client/settings/AgentsSection.js.map +1 -1
  132. package/dist/client/settings/AutomationsSection.d.ts.map +1 -1
  133. package/dist/client/settings/AutomationsSection.js +4 -3
  134. package/dist/client/settings/AutomationsSection.js.map +1 -1
  135. package/dist/client/settings/SecretsSection.d.ts.map +1 -1
  136. package/dist/client/settings/SecretsSection.js +11 -1
  137. package/dist/client/settings/SecretsSection.js.map +1 -1
  138. package/dist/client/settings/SettingsPanel.d.ts.map +1 -1
  139. package/dist/client/settings/SettingsPanel.js +15 -12
  140. package/dist/client/settings/SettingsPanel.js.map +1 -1
  141. package/dist/client/settings/VoiceTranscriptionSection.d.ts.map +1 -1
  142. package/dist/client/settings/VoiceTranscriptionSection.js +13 -30
  143. package/dist/client/settings/VoiceTranscriptionSection.js.map +1 -1
  144. package/dist/client/settings/index.d.ts +1 -1
  145. package/dist/client/settings/index.d.ts.map +1 -1
  146. package/dist/client/settings/index.js.map +1 -1
  147. package/dist/client/settings/useBuilderStatus.d.ts.map +1 -1
  148. package/dist/client/settings/useBuilderStatus.js +27 -1
  149. package/dist/client/settings/useBuilderStatus.js.map +1 -1
  150. package/dist/client/sharing/ShareButton.d.ts +4 -0
  151. package/dist/client/sharing/ShareButton.d.ts.map +1 -1
  152. package/dist/client/sharing/ShareButton.js +5 -1
  153. package/dist/client/sharing/ShareButton.js.map +1 -1
  154. package/dist/client/sse-event-processor.d.ts +1 -1
  155. package/dist/client/sse-event-processor.d.ts.map +1 -1
  156. package/dist/client/sse-event-processor.js +59 -11
  157. package/dist/client/sse-event-processor.js.map +1 -1
  158. package/dist/client/use-db-sync.d.ts.map +1 -1
  159. package/dist/client/use-db-sync.js +100 -19
  160. package/dist/client/use-db-sync.js.map +1 -1
  161. package/dist/client/use-session.d.ts.map +1 -1
  162. package/dist/client/use-session.js +14 -2
  163. package/dist/client/use-session.js.map +1 -1
  164. package/dist/collab/client.d.ts +1 -0
  165. package/dist/collab/client.d.ts.map +1 -1
  166. package/dist/collab/client.js +18 -1
  167. package/dist/collab/client.js.map +1 -1
  168. package/dist/deploy/build.d.ts.map +1 -1
  169. package/dist/deploy/build.js +5 -0
  170. package/dist/deploy/build.js.map +1 -1
  171. package/dist/deploy/route-discovery.d.ts.map +1 -1
  172. package/dist/deploy/route-discovery.js +1 -0
  173. package/dist/deploy/route-discovery.js.map +1 -1
  174. package/dist/deploy/workspace-core.d.ts +1 -1
  175. package/dist/deploy/workspace-core.d.ts.map +1 -1
  176. package/dist/deploy/workspace-core.js +1 -0
  177. package/dist/deploy/workspace-core.js.map +1 -1
  178. package/dist/extensions/actions.d.ts.map +1 -1
  179. package/dist/extensions/actions.js +17 -3
  180. package/dist/extensions/actions.js.map +1 -1
  181. package/dist/extensions/routes.js +1 -1
  182. package/dist/extensions/routes.js.map +1 -1
  183. package/dist/extensions/schema.d.ts +14 -14
  184. package/dist/extensions/schema.d.ts.map +1 -1
  185. package/dist/extensions/schema.js +4 -4
  186. package/dist/extensions/schema.js.map +1 -1
  187. package/dist/extensions/store.d.ts.map +1 -1
  188. package/dist/extensions/store.js +23 -0
  189. package/dist/extensions/store.js.map +1 -1
  190. package/dist/extensions/theme.d.ts +8 -1
  191. package/dist/extensions/theme.d.ts.map +1 -1
  192. package/dist/extensions/theme.js +43 -34
  193. package/dist/extensions/theme.js.map +1 -1
  194. package/dist/mcp-client/routes.d.ts +1 -0
  195. package/dist/mcp-client/routes.d.ts.map +1 -1
  196. package/dist/mcp-client/routes.js +28 -1
  197. package/dist/mcp-client/routes.js.map +1 -1
  198. package/dist/org/auto-join-domain.d.ts +28 -0
  199. package/dist/org/auto-join-domain.d.ts.map +1 -0
  200. package/dist/org/auto-join-domain.js +92 -0
  201. package/dist/org/auto-join-domain.js.map +1 -0
  202. package/dist/org/index.d.ts +2 -0
  203. package/dist/org/index.d.ts.map +1 -1
  204. package/dist/org/index.js +1 -0
  205. package/dist/org/index.js.map +1 -1
  206. package/dist/scripts/db/exec.d.ts.map +1 -1
  207. package/dist/scripts/db/exec.js +27 -1
  208. package/dist/scripts/db/exec.js.map +1 -1
  209. package/dist/scripts/db/index.d.ts.map +1 -1
  210. package/dist/scripts/db/index.js +1 -0
  211. package/dist/scripts/db/index.js.map +1 -1
  212. package/dist/scripts/db/reset-dev-owner.d.ts +27 -0
  213. package/dist/scripts/db/reset-dev-owner.d.ts.map +1 -0
  214. package/dist/scripts/db/reset-dev-owner.js +225 -0
  215. package/dist/scripts/db/reset-dev-owner.js.map +1 -0
  216. package/dist/scripts/db/scoping.d.ts.map +1 -1
  217. package/dist/scripts/db/scoping.js +15 -30
  218. package/dist/scripts/db/scoping.js.map +1 -1
  219. package/dist/scripts/dev-session.d.ts +46 -0
  220. package/dist/scripts/dev-session.d.ts.map +1 -0
  221. package/dist/scripts/dev-session.js +81 -0
  222. package/dist/scripts/dev-session.js.map +1 -0
  223. package/dist/scripts/runner.d.ts.map +1 -1
  224. package/dist/scripts/runner.js +21 -0
  225. package/dist/scripts/runner.js.map +1 -1
  226. package/dist/secrets/register.d.ts +1 -1
  227. package/dist/secrets/register.d.ts.map +1 -1
  228. package/dist/secrets/register.js +4 -2
  229. package/dist/secrets/register.js.map +1 -1
  230. package/dist/secrets/routes.d.ts.map +1 -1
  231. package/dist/secrets/routes.js +32 -0
  232. package/dist/secrets/routes.js.map +1 -1
  233. package/dist/server/agent-chat-plugin.d.ts.map +1 -1
  234. package/dist/server/agent-chat-plugin.js +77 -102
  235. package/dist/server/agent-chat-plugin.js.map +1 -1
  236. package/dist/server/auth.d.ts.map +1 -1
  237. package/dist/server/auth.js +33 -0
  238. package/dist/server/auth.js.map +1 -1
  239. package/dist/server/better-auth-instance.d.ts.map +1 -1
  240. package/dist/server/better-auth-instance.js +11 -0
  241. package/dist/server/better-auth-instance.js.map +1 -1
  242. package/dist/server/builder-browser.d.ts.map +1 -1
  243. package/dist/server/builder-browser.js +169 -68
  244. package/dist/server/builder-browser.js.map +1 -1
  245. package/dist/server/core-routes-plugin.d.ts.map +1 -1
  246. package/dist/server/core-routes-plugin.js +56 -13
  247. package/dist/server/core-routes-plugin.js.map +1 -1
  248. package/dist/server/credential-provider.d.ts +49 -6
  249. package/dist/server/credential-provider.d.ts.map +1 -1
  250. package/dist/server/credential-provider.js +133 -38
  251. package/dist/server/credential-provider.js.map +1 -1
  252. package/dist/server/design-token-utils.d.ts +13 -2
  253. package/dist/server/design-token-utils.d.ts.map +1 -1
  254. package/dist/server/design-token-utils.js +48 -16
  255. package/dist/server/design-token-utils.js.map +1 -1
  256. package/dist/server/framework-request-handler.d.ts.map +1 -1
  257. package/dist/server/framework-request-handler.js +31 -0
  258. package/dist/server/framework-request-handler.js.map +1 -1
  259. package/dist/server/google-realtime-session.d.ts.map +1 -1
  260. package/dist/server/google-realtime-session.js +19 -6
  261. package/dist/server/google-realtime-session.js.map +1 -1
  262. package/dist/server/index.d.ts +2 -0
  263. package/dist/server/index.d.ts.map +1 -1
  264. package/dist/server/index.js +2 -0
  265. package/dist/server/index.js.map +1 -1
  266. package/dist/server/onboarding-html.d.ts.map +1 -1
  267. package/dist/server/onboarding-html.js +142 -14
  268. package/dist/server/onboarding-html.js.map +1 -1
  269. package/dist/server/request-context.d.ts +17 -0
  270. package/dist/server/request-context.d.ts.map +1 -1
  271. package/dist/server/request-context.js +40 -1
  272. package/dist/server/request-context.js.map +1 -1
  273. package/dist/server/sentry-plugin.d.ts +11 -0
  274. package/dist/server/sentry-plugin.d.ts.map +1 -0
  275. package/dist/server/sentry-plugin.js +116 -0
  276. package/dist/server/sentry-plugin.js.map +1 -0
  277. package/dist/server/sentry.d.ts +92 -0
  278. package/dist/server/sentry.d.ts.map +1 -0
  279. package/dist/server/sentry.js +287 -0
  280. package/dist/server/sentry.js.map +1 -0
  281. package/dist/server/transcribe-voice.d.ts +2 -4
  282. package/dist/server/transcribe-voice.d.ts.map +1 -1
  283. package/dist/server/transcribe-voice.js +4 -16
  284. package/dist/server/transcribe-voice.js.map +1 -1
  285. package/dist/server/voice-providers-status.d.ts.map +1 -1
  286. package/dist/server/voice-providers-status.js +19 -35
  287. package/dist/server/voice-providers-status.js.map +1 -1
  288. package/dist/styles/agent-native.css +15 -0
  289. package/docs/content/cloneable-saas.md +7 -9
  290. package/docs/content/deployment.md +6 -2
  291. package/docs/content/dispatch.md +1 -1
  292. package/docs/content/extensions.md +177 -142
  293. package/docs/content/faq.md +2 -2
  294. package/docs/content/getting-started.md +13 -11
  295. package/docs/content/multi-app-workspace.md +2 -2
  296. package/docs/content/observability.md +47 -0
  297. package/docs/content/pure-agent-apps.md +1 -1
  298. package/docs/content/template-clips.md +3 -3
  299. package/docs/content/template-design.md +3 -3
  300. package/docs/content/template-dispatch.md +1 -1
  301. package/docs/content/template-forms.md +1 -1
  302. package/docs/content/template-mail.md +1 -1
  303. package/docs/content/what-is-agent-native.md +4 -4
  304. package/docs/content/workspace.md +1 -1
  305. package/package.json +1 -1
package/dist/scripts/runner.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"runner.js","sourceRoot":"","sources":["../../src/scripts/runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAErC,kFAAkF;AAClF,OAAO,EAAE,CAAC;AAEV,KAAK,UAAU,uBAAuB;IACpC,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,sBAAsB,CAAC,CAAC;IACzE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO;IAEzC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC;IAC9E,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC;IAC3B,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;QACjC,MAAM,MAAM,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS;IAC7B,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEnC,IAAI,CAAC,UAAU,IAAI,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;QAE/D,yDAAyD;QACzD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;QAC1D,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC;QACrE,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,EAAE;iBACd,WAAW,CAAC,QAAQ,CAAC;iBACrB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,QAAQ,CAAC;iBAClD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;YACtC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;gBAC9B,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;oBAC1B,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;gBAC3B,CAAC;YACH,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,MAAM,SAAS,GAAG,kBAAkB,EAAE,CAAC;QACvC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;YAC1C,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;gBAC7B,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,2DAA2D;IAC3D,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,+BAA+B,UAAU,GAAG,CAAC,CAAC;QAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEnC,8EAA8E;IAC9E,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAC9B,OAAO,CAAC,GAAG,EAAE,EACb,SAAS,EACT,GAAG,UAAU,KAAK,CACnB,CAAC;IACF,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAC9B,OAAO,CAAC,GAAG,EAAE,EACb,SAAS,EACT,GAAG,UAAU,KAAK,CACnB,CAAC;IACF,MAAM,SAAS,GAAG,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC;IAEzE,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,uBAAuB,EAAE,CAAC;YAChC,MAAM,GAAG,GAAG,MAAM,MAAM;YACtB,kBAAkB,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,IAAI,CACjD,CAAC;YACF,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;YAC5B,sEAAsE;YACtE,IACE,OAAO;gBACP,OAAO,OAAO,KAAK,QAAQ;gBAC3B,OAAO,OAAO,CAAC,GAAG,KAAK,UAAU,EACjC,CAAC;gBACD,wDAAwD;gBACxD,MAAM,MAAM,GAA2B,EAAE,CAAC;gBAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACrC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;oBACpB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;wBAAE,SAAS;oBACpC,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;oBAC/B,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;wBACd,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;oBACrD,CAAC;yBAAM,CAAC;wBACN,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;wBACzB,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;wBACzB,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;4BACnC,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;4BACnB,CAAC,EAAE,CAAC;wBACN,CAAC;6BAAM,CAAC;4BACN,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC;wBACvB,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBACzC,IAAI,MAAM;oBAAE,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAClC,CAAC;iBAAM,IAAI,OAAO,OAAO,KAAK,UAAU,EAAE,CAAC;gBACzC,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CACX,WAAW,UAAU,uDAAuD,CAC7E,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,MAAM,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACpC,OAAO,CAAC,KAAK,CAAC,WAAW,UAAU,WAAW,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAC;YACpE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,MAAM,UAAU,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;IAC3C,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,IAAI,CAAC,CAAC;YACvB,MAAM,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACpC,OAAO,CAAC,KAAK,CAAC,gBAAgB,UAAU,WAAW,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,OAAO,CAAC,KAAK,CACX,kBAAkB,UAAU,8DAA8D,CAC3F,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC","sourcesContent":["/**\n * Generic action dispatcher for @agent-native/core apps.\n *\n * Dynamically imports and runs actions from the app's actions/ directory.\n * Falls back to scripts/ directory for backwards compatibility, then to\n * core scripts (db-schema, db-query, db-exec, etc.) when no local action is found.\n *\n * Actions must export a default function: (args: string[]) => Promise<void>\n *\n * Usage: pnpm action <action-name> [--args]\n */\n\nimport path from \"path\";\nimport fs from \"fs\";\nimport { pathToFileURL } from \"url\";\nimport { coreScripts, getCoreScriptNames } from \"./core-scripts.js\";\nimport { closeDbExec } from \"../db/client.js\";\nimport { loadEnv } from \"./utils.js\";\n\n// Load .env from cwd so DATABASE_URL and other vars are available to all actions.\nloadEnv();\n\nasync function runAppDbPluginIfPresent(): Promise<void> {\n const dbPluginPath = path.resolve(process.cwd(), \"server/plugins/db.ts\");\n if (!fs.existsSync(dbPluginPath)) return;\n\n const mod = await import(/* @vite-ignore */ pathToFileURL(dbPluginPath).href);\n const plugin = mod.default;\n if (typeof plugin === \"function\") {\n await plugin({});\n }\n}\n\n/**\n * Run the action dispatcher. Call this from your app's actions/run.ts (or scripts/run.ts):\n *\n * import { runScript } from \"@agent-native/core\";\n * runScript();\n */\nexport async function runScript(): Promise<void> {\n const actionName = process.argv[2];\n\n if (!actionName || actionName === \"--help\") {\n console.log(`Usage: pnpm action <action-name> [--arg value ...]`);\n console.log(`\\nRun any action with --help for usage details.`);\n\n // List local actions (try actions/ first, then scripts/)\n const actionsDir = path.resolve(process.cwd(), \"actions\");\n const scriptsDir = path.resolve(process.cwd(), \"scripts\");\n const localDir = fs.existsSync(actionsDir) ? actionsDir : scriptsDir;\n if (fs.existsSync(localDir)) {\n const locals = fs\n .readdirSync(localDir)\n .filter((f) => f.endsWith(\".ts\") && f !== \"run.ts\")\n .map((f) => f.replace(/\\.ts$/, \"\"));\n if (locals.length > 0) {\n console.log(`\\nApp actions:`);\n for (const name of locals) {\n console.log(` ${name}`);\n }\n }\n }\n\n // List core scripts\n const coreNames = getCoreScriptNames();\n if (coreNames.length > 0) {\n console.log(`\\nCore actions (built-in):`);\n for (const name of coreNames) {\n console.log(` ${name}`);\n }\n }\n\n process.exit(0);\n }\n\n // Validate action name (only allow alphanumeric + hyphens)\n if (!/^[a-z][a-z0-9-]*$/.test(actionName)) {\n console.error(`Error: Invalid action name \"${actionName}\"`);\n process.exit(1);\n }\n\n const args = process.argv.slice(3);\n\n // 1. Try local app action first (actions/ then scripts/ for backwards compat)\n const actionsPath = path.resolve(\n process.cwd(),\n \"actions\",\n `${actionName}.ts`,\n );\n const scriptsPath = path.resolve(\n process.cwd(),\n \"scripts\",\n `${actionName}.ts`,\n );\n const localPath = fs.existsSync(actionsPath) ? actionsPath : scriptsPath;\n\n if (fs.existsSync(localPath)) {\n try {\n await runAppDbPluginIfPresent();\n const mod = await import(\n /* @vite-ignore */ pathToFileURL(localPath).href\n );\n const handler = mod.default;\n // Support defineAction-style default exports (object with run method)\n if (\n handler &&\n typeof handler === \"object\" &&\n typeof handler.run === \"function\"\n ) {\n // Parse --key=value and --key value pairs into a Record\n const parsed: Record<string, string> = {};\n for (let i = 0; i < args.length; i++) {\n const arg = args[i];\n if (!arg.startsWith(\"--\")) continue;\n const eqIdx = arg.indexOf(\"=\");\n if (eqIdx > 0) {\n parsed[arg.slice(2, eqIdx)] = arg.slice(eqIdx + 1);\n } else {\n const key = arg.slice(2);\n const next = args[i + 1];\n if (next && !next.startsWith(\"--\")) {\n parsed[key] = next;\n i++;\n } else {\n parsed[key] = \"true\";\n }\n }\n }\n const result = await handler.run(parsed);\n if (result) console.log(result);\n } else if (typeof handler === \"function\") {\n await handler(args);\n } else {\n console.error(\n `Action \"${actionName}\" does not export a default function or defineAction.`,\n );\n process.exit(1);\n }\n await closeDbExec().catch(() => {});\n process.exit(0);\n } catch (err: any) {\n await closeDbExec().catch(() => {});\n console.error(`Action \"${actionName}\" failed:`, err.message || err);\n process.exit(1);\n }\n }\n\n // 2. Fall back to core scripts\n const coreScript = coreScripts[actionName];\n if (coreScript) {\n try {\n await coreScript(args);\n await closeDbExec().catch(() => {});\n process.exit(0);\n } catch (err: any) {\n await closeDbExec().catch(() => {});\n console.error(`Core action \"${actionName}\" failed:`, err.message || err);\n process.exit(1);\n }\n }\n\n // 3. Not found anywhere\n console.error(\n `Error: Action \"${actionName}\" not found. Run \"pnpm action --help\" for available actions.`,\n );\n process.exit(1);\n}\n"]}
1
+ {"version":3,"file":"runner.js","sourceRoot":"","sources":["../../src/scripts/runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AACrC,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAEvD,kFAAkF;AAClF,OAAO,EAAE,CAAC;AAEV,KAAK,UAAU,uBAAuB;IACpC,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,sBAAsB,CAAC,CAAC;IACzE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO;IAEzC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC;IAC9E,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC;IAC3B,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;QACjC,MAAM,MAAM,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS;IAC7B,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEnC,IAAI,CAAC,UAAU,IAAI,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;QAE/D,yDAAyD;QACzD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;QAC1D,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC;QACrE,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,EAAE;iBACd,WAAW,CAAC,QAAQ,CAAC;iBACrB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,QAAQ,CAAC;iBAClD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;YACtC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;gBAC9B,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;oBAC1B,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;gBAC3B,CAAC;YACH,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,MAAM,SAAS,GAAG,kBAAkB,EAAE,CAAC;QACvC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;YAC1C,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;gBAC7B,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,2DAA2D;IAC3D,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,+BAA+B,UAAU,GAAG,CAAC,CAAC;QAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEnC,wEAAwE;IACxE,8DAA8D;IAC9D,iEAAiE;IACjE,oEAAoE;IACpE,iEAAiE;IACjE,wCAAwC;IACxC,EAAE;IACF,oEAAoE;IACpE,oEAAoE;IACpE,uEAAuE;IACvE,6DAA6D;IAC7D,mEAAmE;IACnE,6CAA6C;IAC7C,0DAA0D;IAC1D,MAAM,SAAS,GAAG,MAAM,mBAAmB,EAAE,CAAC;IAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,SAAS,CAAC;IAEpD,OAAO,qBAAqB,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,EAAE,GAAG,EAAE,CACtD,cAAc,CAAC,UAAU,EAAE,IAAI,CAAC,CACjC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,UAAkB,EAClB,IAAc;IAEd,8EAA8E;IAC9E,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAC9B,OAAO,CAAC,GAAG,EAAE,EACb,SAAS,EACT,GAAG,UAAU,KAAK,CACnB,CAAC;IACF,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAC9B,OAAO,CAAC,GAAG,EAAE,EACb,SAAS,EACT,GAAG,UAAU,KAAK,CACnB,CAAC;IACF,MAAM,SAAS,GAAG,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC;IAEzE,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,uBAAuB,EAAE,CAAC;YAChC,MAAM,GAAG,GAAG,MAAM,MAAM;YACtB,kBAAkB,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,IAAI,CACjD,CAAC;YACF,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;YAC5B,sEAAsE;YACtE,IACE,OAAO;gBACP,OAAO,OAAO,KAAK,QAAQ;gBAC3B,OAAO,OAAO,CAAC,GAAG,KAAK,UAAU,EACjC,CAAC;gBACD,wDAAwD;gBACxD,MAAM,MAAM,GAA2B,EAAE,CAAC;gBAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACrC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;oBACpB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;wBAAE,SAAS;oBACpC,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;oBAC/B,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;wBACd,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;oBACrD,CAAC;yBAAM,CAAC;wBACN,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;wBACzB,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;wBACzB,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;4BACnC,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;4BACnB,CAAC,EAAE,CAAC;wBACN,CAAC;6BAAM,CAAC;4BACN,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC;wBACvB,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBACzC,IAAI,MAAM;oBAAE,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAClC,CAAC;iBAAM,IAAI,OAAO,OAAO,KAAK,UAAU,EAAE,CAAC;gBACzC,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CACX,WAAW,UAAU,uDAAuD,CAC7E,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,MAAM,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACpC,OAAO,CAAC,KAAK,CAAC,WAAW,UAAU,WAAW,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAC;YACpE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,MAAM,UAAU,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;IAC3C,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,IAAI,CAAC,CAAC;YACvB,MAAM,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACpC,OAAO,CAAC,KAAK,CAAC,gBAAgB,UAAU,WAAW,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,OAAO,CAAC,KAAK,CACX,kBAAkB,UAAU,8DAA8D,CAC3F,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC","sourcesContent":["/**\n * Generic action dispatcher for @agent-native/core apps.\n *\n * Dynamically imports and runs actions from the app's actions/ directory.\n * Falls back to scripts/ directory for backwards compatibility, then to\n * core scripts (db-schema, db-query, db-exec, etc.) when no local action is found.\n *\n * Actions must export a default function: (args: string[]) => Promise<void>\n *\n * Usage: pnpm action <action-name> [--args]\n */\n\nimport path from \"path\";\nimport fs from \"fs\";\nimport { pathToFileURL } from \"url\";\nimport { coreScripts, getCoreScriptNames } from \"./core-scripts.js\";\nimport { closeDbExec } from \"../db/client.js\";\nimport { loadEnv } from \"./utils.js\";\nimport { runWithRequestContext } from \"../server/request-context.js\";\nimport { resolveDevUserEmail } from \"./dev-session.js\";\n\n// Load .env from cwd so DATABASE_URL and other vars are available to all actions.\nloadEnv();\n\nasync function runAppDbPluginIfPresent(): Promise<void> {\n const dbPluginPath = path.resolve(process.cwd(), \"server/plugins/db.ts\");\n if (!fs.existsSync(dbPluginPath)) return;\n\n const mod = await import(/* @vite-ignore */ pathToFileURL(dbPluginPath).href);\n const plugin = mod.default;\n if (typeof plugin === \"function\") {\n await plugin({});\n }\n}\n\n/**\n * Run the action dispatcher. Call this from your app's actions/run.ts (or scripts/run.ts):\n *\n * import { runScript } from \"@agent-native/core\";\n * runScript();\n */\nexport async function runScript(): Promise<void> {\n const actionName = process.argv[2];\n\n if (!actionName || actionName === \"--help\") {\n console.log(`Usage: pnpm action <action-name> [--arg value ...]`);\n console.log(`\\nRun any action with --help for usage details.`);\n\n // List local actions (try actions/ first, then scripts/)\n const actionsDir = path.resolve(process.cwd(), \"actions\");\n const scriptsDir = path.resolve(process.cwd(), \"scripts\");\n const localDir = fs.existsSync(actionsDir) ? actionsDir : scriptsDir;\n if (fs.existsSync(localDir)) {\n const locals = fs\n .readdirSync(localDir)\n .filter((f) => f.endsWith(\".ts\") && f !== \"run.ts\")\n .map((f) => f.replace(/\\.ts$/, \"\"));\n if (locals.length > 0) {\n console.log(`\\nApp actions:`);\n for (const name of locals) {\n console.log(` ${name}`);\n }\n }\n }\n\n // List core scripts\n const coreNames = getCoreScriptNames();\n if (coreNames.length > 0) {\n console.log(`\\nCore actions (built-in):`);\n for (const name of coreNames) {\n console.log(` ${name}`);\n }\n }\n\n process.exit(0);\n }\n\n // Validate action name (only allow alphanumeric + hyphens)\n if (!/^[a-z][a-z0-9-]*$/.test(actionName)) {\n console.error(`Error: Invalid action name \"${actionName}\"`);\n process.exit(1);\n }\n\n const args = process.argv.slice(3);\n\n // Establish a request context for the duration of this CLI run. Without\n // it, db-exec / db-query / db-patch and any action that calls\n // `getRequestUserEmail()` see no identity and refuse to run. The\n // resolver picks up `AGENT_USER_EMAIL` if explicitly set, otherwise\n // reads the most-recent signed-in session from the DB (dev-only,\n // narrowly gated — see dev-session.ts).\n //\n // This wrap is intentionally a single point of injection: it covers\n // both the local-action branch and the fall-through to core scripts\n // (db-query, db-exec, …) so every CLI entrypoint runs scoped to a real\n // user. It uses `runWithRequestContext` rather than mutating\n // `process.env.AGENT_USER_EMAIL` because env mutation leaks across\n // boundaries — see the cautionary comment in\n // `server/request-context.ts` about exactly that pattern.\n const userEmail = await resolveDevUserEmail();\n const orgId = process.env.AGENT_ORG_ID || undefined;\n\n return runWithRequestContext({ userEmail, orgId }, () =>\n dispatchAction(actionName, args),\n );\n}\n\nasync function dispatchAction(\n actionName: string,\n args: string[],\n): Promise<void> {\n // 1. Try local app action first (actions/ then scripts/ for backwards compat)\n const actionsPath = path.resolve(\n process.cwd(),\n \"actions\",\n `${actionName}.ts`,\n );\n const scriptsPath = path.resolve(\n process.cwd(),\n \"scripts\",\n `${actionName}.ts`,\n );\n const localPath = fs.existsSync(actionsPath) ? actionsPath : scriptsPath;\n\n if (fs.existsSync(localPath)) {\n try {\n await runAppDbPluginIfPresent();\n const mod = await import(\n /* @vite-ignore */ pathToFileURL(localPath).href\n );\n const handler = mod.default;\n // Support defineAction-style default exports (object with run method)\n if (\n handler &&\n typeof handler === \"object\" &&\n typeof handler.run === \"function\"\n ) {\n // Parse --key=value and --key value pairs into a Record\n const parsed: Record<string, string> = {};\n for (let i = 0; i < args.length; i++) {\n const arg = args[i];\n if (!arg.startsWith(\"--\")) continue;\n const eqIdx = arg.indexOf(\"=\");\n if (eqIdx > 0) {\n parsed[arg.slice(2, eqIdx)] = arg.slice(eqIdx + 1);\n } else {\n const key = arg.slice(2);\n const next = args[i + 1];\n if (next && !next.startsWith(\"--\")) {\n parsed[key] = next;\n i++;\n } else {\n parsed[key] = \"true\";\n }\n }\n }\n const result = await handler.run(parsed);\n if (result) console.log(result);\n } else if (typeof handler === \"function\") {\n await handler(args);\n } else {\n console.error(\n `Action \"${actionName}\" does not export a default function or defineAction.`,\n );\n process.exit(1);\n }\n await closeDbExec().catch(() => {});\n process.exit(0);\n } catch (err: any) {\n await closeDbExec().catch(() => {});\n console.error(`Action \"${actionName}\" failed:`, err.message || err);\n process.exit(1);\n }\n }\n\n // 2. Fall back to core scripts\n const coreScript = coreScripts[actionName];\n if (coreScript) {\n try {\n await coreScript(args);\n await closeDbExec().catch(() => {});\n process.exit(0);\n } catch (err: any) {\n await closeDbExec().catch(() => {});\n console.error(`Core action \"${actionName}\" failed:`, err.message || err);\n process.exit(1);\n }\n }\n\n // 3. Not found anywhere\n console.error(\n `Error: Action \"${actionName}\" not found. Run \"pnpm action --help\" for available actions.`,\n );\n process.exit(1);\n}\n"]}
package/dist/secrets/register.d.ts CHANGED
@@ -6,7 +6,7 @@
6
6
  * read from this registry on every request so overrides and late-registered
7
7
  * secrets are picked up without a restart.
8
8
  */
9
- export type SecretScope = "user" | "workspace";
9
+ export type SecretScope = "user" | "workspace" | "org";
10
10
  export type SecretKind = "api-key" | "oauth";
11
11
  export interface ValidatorResult {
12
12
  ok: boolean;
package/dist/secrets/register.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../src/secrets/register.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,WAAW,CAAC;AAC/C,MAAM,MAAM,UAAU,GAAG,SAAS,GAAG,OAAO,CAAC;AAE7C,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,OAAO,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,eAAe;IAC9B,CACE,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,eAAe,GAAG,OAAO,CAAC,GAAG,eAAe,GAAG,OAAO,CAAC;CACnE;AAED,MAAM,WAAW,gBAAgB;IAC/B,2DAA2D;IAC3D,GAAG,EAAE,MAAM,CAAC;IACZ,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAC;IACd,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oEAAoE;IACpE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,KAAK,EAAE,WAAW,CAAC;IACnB,0EAA0E;IAC1E,IAAI,EAAE,UAAU,CAAC;IACjB,sEAAsE;IACtE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;;OAIG;IACH,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAgBD;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI,CAiCrE;AAED,2DAA2D;AAC3D,wBAAgB,mBAAmB,IAAI,gBAAgB,EAAE,CAExD;AAED,iDAAiD;AACjD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS,CAE3E;AAED,sDAAsD;AACtD,wBAAgB,sBAAsB,IAAI,IAAI,CAE7C"}
1
+ {"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../src/secrets/register.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,WAAW,GAAG,KAAK,CAAC;AACvD,MAAM,MAAM,UAAU,GAAG,SAAS,GAAG,OAAO,CAAC;AAE7C,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,OAAO,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,eAAe;IAC9B,CACE,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,eAAe,GAAG,OAAO,CAAC,GAAG,eAAe,GAAG,OAAO,CAAC;CACnE;AAED,MAAM,WAAW,gBAAgB;IAC/B,2DAA2D;IAC3D,GAAG,EAAE,MAAM,CAAC;IACZ,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAC;IACd,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oEAAoE;IACpE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,KAAK,EAAE,WAAW,CAAC;IACnB,0EAA0E;IAC1E,IAAI,EAAE,UAAU,CAAC;IACjB,sEAAsE;IACtE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;;OAIG;IACH,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAgBD;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI,CAqCrE;AAED,2DAA2D;AAC3D,wBAAgB,mBAAmB,IAAI,gBAAgB,EAAE,CAExD;AAED,iDAAiD;AACjD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS,CAE3E;AAED,sDAAsD;AACtD,wBAAgB,sBAAsB,IAAI,IAAI,CAE7C"}
package/dist/secrets/register.js CHANGED
@@ -24,8 +24,10 @@ export function registerRequiredSecret(secret) {
24
24
  if (!secret || typeof secret.key !== "string" || !secret.key) {
25
25
  throw new Error("registerRequiredSecret: secret.key is required");
26
26
  }
27
- if (secret.scope !== "user" && secret.scope !== "workspace") {
28
- throw new Error(`registerRequiredSecret: secret.scope must be "user" or "workspace" (got "${secret.scope}")`);
27
+ if (secret.scope !== "user" &&
28
+ secret.scope !== "workspace" &&
29
+ secret.scope !== "org") {
30
+ throw new Error(`registerRequiredSecret: secret.scope must be "user", "workspace", or "org" (got "${secret.scope}")`);
29
31
  }
30
32
  if (secret.kind !== "api-key" && secret.kind !== "oauth") {
31
33
  throw new Error(`registerRequiredSecret: secret.kind must be "api-key" or "oauth" (got "${secret.kind}")`);
package/dist/secrets/register.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"register.js","sourceRoot":"","sources":["../../src/secrets/register.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAiDH,6EAA6E;AAC7E,qEAAqE;AACrE,wEAAwE;AACxE,uEAAuE;AACvE,sEAAsE;AACtE,mDAAmD;AACnD,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;AAIvE,MAAM,QAAQ,GAAkC,CAC9C,UACD,CAAC,YAAY,CAAC,KAAK,IAAI,GAAG,EAAE,CAAC,CAAC;AAE/B;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAAwB;IAC7D,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,KAAK,MAAM,IAAI,MAAM,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CACb,4EAA4E,MAAM,CAAC,KAAK,IAAI,CAC7F,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CACb,0EAA0E,MAAM,CAAC,IAAI,IAAI,CAC1F,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;QAClD,OAAO,CAAC,GAAG,CACT,gDAAgD,MAAM,CAAC,GAAG,0BAA0B,CACrF,CAAC;IACJ,CAAC;IACD,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAEjC,wEAAwE;IACxE,yEAAyE;IACzE,oCAAoC;IACpC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,yEAAyE;QACzE,kEAAkE;QAClE,MAAM,CAAC,iBAAiB,CAAC;aACtB,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,iCAAiC,CAAC,MAAM,CAAC,CAAC;aAC5D,KAAK,CAAC,GAAG,EAAE;YACV,4DAA4D;QAC9D,CAAC,CAAC,CAAC;IACP,CAAC;AACH,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,mBAAmB;IACjC,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;AACvC,CAAC;AAED,iDAAiD;AACjD,MAAM,UAAU,iBAAiB,CAAC,GAAW;IAC3C,OAAO,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AAC3B,CAAC;AAED,sDAAsD;AACtD,MAAM,UAAU,sBAAsB;IACpC,QAAQ,CAAC,KAAK,EAAE,CAAC;AACnB,CAAC","sourcesContent":["/**\n * In-process registry of required / optional secrets.\n *\n * Templates call `registerRequiredSecret()` at module load time — typically\n * from a server plugin. The secrets HTTP routes and the sidebar settings UI\n * read from this registry on every request so overrides and late-registered\n * secrets are picked up without a restart.\n */\n\nexport type SecretScope = \"user\" | \"workspace\";\nexport type SecretKind = \"api-key\" | \"oauth\";\n\nexport interface ValidatorResult {\n ok: boolean;\n error?: string;\n}\n\nexport interface SecretValidator {\n (\n value: string,\n ): Promise<ValidatorResult | boolean> | ValidatorResult | boolean;\n}\n\nexport interface RegisteredSecret {\n /** Env var name & settings key — e.g. \"OPENAI_API_KEY\". */\n key: string;\n /** Human-readable label shown in the sidebar. */\n label: string;\n /** Short description shown below the label. */\n description?: string;\n /** URL where the user can obtain the key or connect the account. */\n docsUrl?: string;\n /** Whether the secret is per-user or shared across a workspace/org. */\n scope: SecretScope;\n /** UI affordance: \"api-key\" renders an input; \"oauth\" renders Connect. */\n kind: SecretKind;\n /** When true, an onboarding step is auto-injected for this secret. */\n required?: boolean;\n /**\n * Optional health check. Receives the plain-text value, returns `true` or\n * `{ ok: true }` on success. Returning `{ ok: false, error }` surfaces the\n * error to the UI. Never log the value from inside the validator.\n */\n validator?: SecretValidator;\n /**\n * For `kind: \"oauth\"` — the oauth-tokens provider id (e.g. \"google\") that\n * backs this registration. Used to surface OAuth status in the unified UI.\n */\n oauthProvider?: string;\n /**\n * For `kind: \"oauth\"` — URL the Connect button should point at. Typically\n * the framework's `/_agent-native/google/auth-url` or similar.\n */\n oauthConnectUrl?: string;\n}\n\n// Pin the registry to globalThis so templates that load `@agent-native/core`\n// via more than one ESM graph (e.g. dev-mode Vite + Nitro, symlinked\n// node_modules, dist/ vs src/) share a single registry. Without this, a\n// template's `register-secrets.ts` side-effect module may populate one\n// registry instance while the /_agent-native/secrets route reads from\n// another — net effect: the UI sees an empty list.\nconst REGISTRY_KEY = Symbol.for(\"@agent-native/core/secrets.registry\");\ninterface GlobalWithRegistry {\n [REGISTRY_KEY]?: Map<string, RegisteredSecret>;\n}\nconst registry: Map<string, RegisteredSecret> = ((\n globalThis as unknown as GlobalWithRegistry\n)[REGISTRY_KEY] ??= new Map());\n\n/**\n * Register (or override) a required secret.\n *\n * Subsequent registrations with the same `key` replace the previous\n * definition — later plugins can override framework defaults.\n */\nexport function registerRequiredSecret(secret: RegisteredSecret): void {\n if (!secret || typeof secret.key !== \"string\" || !secret.key) {\n throw new Error(\"registerRequiredSecret: secret.key is required\");\n }\n if (secret.scope !== \"user\" && secret.scope !== \"workspace\") {\n throw new Error(\n `registerRequiredSecret: secret.scope must be \"user\" or \"workspace\" (got \"${secret.scope}\")`,\n );\n }\n if (secret.kind !== \"api-key\" && secret.kind !== \"oauth\") {\n throw new Error(\n `registerRequiredSecret: secret.kind must be \"api-key\" or \"oauth\" (got \"${secret.kind}\")`,\n );\n }\n if (registry.has(secret.key) && process.env.DEBUG) {\n console.log(\n `[agent-native] Overriding registered secret \"${secret.key}\" with new registration.`,\n );\n }\n registry.set(secret.key, secret);\n\n // Auto-inject an onboarding step for required secrets. Done via dynamic\n // import to avoid a load-order cycle between register and the onboarding\n // registry during module bootstrap.\n if (secret.required) {\n // Lazy import — resolved synchronously in practice because the module is\n // already loaded once any route handler runs, but tolerate async.\n import(\"./onboarding.js\")\n .then((mod) => mod.maybeRegisterSecretOnboardingStep(secret))\n .catch(() => {\n // Onboarding is optional — never let it block registration.\n });\n }\n}\n\n/** Return all registered secrets in registration order. */\nexport function listRequiredSecrets(): RegisteredSecret[] {\n return Array.from(registry.values());\n}\n\n/** Look up a single registered secret by key. */\nexport function getRequiredSecret(key: string): RegisteredSecret | undefined {\n return registry.get(key);\n}\n\n/** Test helper — clears the registry between runs. */\nexport function __resetSecretsRegistry(): void {\n registry.clear();\n}\n"]}
1
+ {"version":3,"file":"register.js","sourceRoot":"","sources":["../../src/secrets/register.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAiDH,6EAA6E;AAC7E,qEAAqE;AACrE,wEAAwE;AACxE,uEAAuE;AACvE,sEAAsE;AACtE,mDAAmD;AACnD,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;AAIvE,MAAM,QAAQ,GAAkC,CAC9C,UACD,CAAC,YAAY,CAAC,KAAK,IAAI,GAAG,EAAE,CAAC,CAAC;AAE/B;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAAwB;IAC7D,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,IACE,MAAM,CAAC,KAAK,KAAK,MAAM;QACvB,MAAM,CAAC,KAAK,KAAK,WAAW;QAC5B,MAAM,CAAC,KAAK,KAAK,KAAK,EACtB,CAAC;QACD,MAAM,IAAI,KAAK,CACb,oFAAoF,MAAM,CAAC,KAAK,IAAI,CACrG,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CACb,0EAA0E,MAAM,CAAC,IAAI,IAAI,CAC1F,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;QAClD,OAAO,CAAC,GAAG,CACT,gDAAgD,MAAM,CAAC,GAAG,0BAA0B,CACrF,CAAC;IACJ,CAAC;IACD,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAEjC,wEAAwE;IACxE,yEAAyE;IACzE,oCAAoC;IACpC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,yEAAyE;QACzE,kEAAkE;QAClE,MAAM,CAAC,iBAAiB,CAAC;aACtB,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,iCAAiC,CAAC,MAAM,CAAC,CAAC;aAC5D,KAAK,CAAC,GAAG,EAAE;YACV,4DAA4D;QAC9D,CAAC,CAAC,CAAC;IACP,CAAC;AACH,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,mBAAmB;IACjC,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;AACvC,CAAC;AAED,iDAAiD;AACjD,MAAM,UAAU,iBAAiB,CAAC,GAAW;IAC3C,OAAO,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AAC3B,CAAC;AAED,sDAAsD;AACtD,MAAM,UAAU,sBAAsB;IACpC,QAAQ,CAAC,KAAK,EAAE,CAAC;AACnB,CAAC","sourcesContent":["/**\n * In-process registry of required / optional secrets.\n *\n * Templates call `registerRequiredSecret()` at module load time — typically\n * from a server plugin. The secrets HTTP routes and the sidebar settings UI\n * read from this registry on every request so overrides and late-registered\n * secrets are picked up without a restart.\n */\n\nexport type SecretScope = \"user\" | \"workspace\" | \"org\";\nexport type SecretKind = \"api-key\" | \"oauth\";\n\nexport interface ValidatorResult {\n ok: boolean;\n error?: string;\n}\n\nexport interface SecretValidator {\n (\n value: string,\n ): Promise<ValidatorResult | boolean> | ValidatorResult | boolean;\n}\n\nexport interface RegisteredSecret {\n /** Env var name & settings key — e.g. \"OPENAI_API_KEY\". */\n key: string;\n /** Human-readable label shown in the sidebar. */\n label: string;\n /** Short description shown below the label. */\n description?: string;\n /** URL where the user can obtain the key or connect the account. */\n docsUrl?: string;\n /** Whether the secret is per-user or shared across a workspace/org. */\n scope: SecretScope;\n /** UI affordance: \"api-key\" renders an input; \"oauth\" renders Connect. */\n kind: SecretKind;\n /** When true, an onboarding step is auto-injected for this secret. */\n required?: boolean;\n /**\n * Optional health check. Receives the plain-text value, returns `true` or\n * `{ ok: true }` on success. Returning `{ ok: false, error }` surfaces the\n * error to the UI. Never log the value from inside the validator.\n */\n validator?: SecretValidator;\n /**\n * For `kind: \"oauth\"` — the oauth-tokens provider id (e.g. \"google\") that\n * backs this registration. Used to surface OAuth status in the unified UI.\n */\n oauthProvider?: string;\n /**\n * For `kind: \"oauth\"` — URL the Connect button should point at. Typically\n * the framework's `/_agent-native/google/auth-url` or similar.\n */\n oauthConnectUrl?: string;\n}\n\n// Pin the registry to globalThis so templates that load `@agent-native/core`\n// via more than one ESM graph (e.g. dev-mode Vite + Nitro, symlinked\n// node_modules, dist/ vs src/) share a single registry. Without this, a\n// template's `register-secrets.ts` side-effect module may populate one\n// registry instance while the /_agent-native/secrets route reads from\n// another — net effect: the UI sees an empty list.\nconst REGISTRY_KEY = Symbol.for(\"@agent-native/core/secrets.registry\");\ninterface GlobalWithRegistry {\n [REGISTRY_KEY]?: Map<string, RegisteredSecret>;\n}\nconst registry: Map<string, RegisteredSecret> = ((\n globalThis as unknown as GlobalWithRegistry\n)[REGISTRY_KEY] ??= new Map());\n\n/**\n * Register (or override) a required secret.\n *\n * Subsequent registrations with the same `key` replace the previous\n * definition — later plugins can override framework defaults.\n */\nexport function registerRequiredSecret(secret: RegisteredSecret): void {\n if (!secret || typeof secret.key !== \"string\" || !secret.key) {\n throw new Error(\"registerRequiredSecret: secret.key is required\");\n }\n if (\n secret.scope !== \"user\" &&\n secret.scope !== \"workspace\" &&\n secret.scope !== \"org\"\n ) {\n throw new Error(\n `registerRequiredSecret: secret.scope must be \"user\", \"workspace\", or \"org\" (got \"${secret.scope}\")`,\n );\n }\n if (secret.kind !== \"api-key\" && secret.kind !== \"oauth\") {\n throw new Error(\n `registerRequiredSecret: secret.kind must be \"api-key\" or \"oauth\" (got \"${secret.kind}\")`,\n );\n }\n if (registry.has(secret.key) && process.env.DEBUG) {\n console.log(\n `[agent-native] Overriding registered secret \"${secret.key}\" with new registration.`,\n );\n }\n registry.set(secret.key, secret);\n\n // Auto-inject an onboarding step for required secrets. Done via dynamic\n // import to avoid a load-order cycle between register and the onboarding\n // registry during module bootstrap.\n if (secret.required) {\n // Lazy import — resolved synchronously in practice because the module is\n // already loaded once any route handler runs, but tolerate async.\n import(\"./onboarding.js\")\n .then((mod) => mod.maybeRegisterSecretOnboardingStep(secret))\n .catch(() => {\n // Onboarding is optional — never let it block registration.\n });\n }\n}\n\n/** Return all registered secrets in registration order. */\nexport function listRequiredSecrets(): RegisteredSecret[] {\n return Array.from(registry.values());\n}\n\n/** Look up a single registered secret by key. */\nexport function getRequiredSecret(key: string): RegisteredSecret | undefined {\n return registry.get(key);\n}\n\n/** Test helper — clears the registry between runs. */\nexport function __resetSecretsRegistry(): void {\n registry.clear();\n}\n"]}
package/dist/secrets/routes.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../../src/secrets/routes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAsCH,OAAO,EAIL,KAAK,WAAW,EACjB,MAAM,eAAe,CAAC;AAUvB,MAAM,WAAW,mBAAmB;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,WAAW,CAAC;IACnB,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC;IAC1B,QAAQ,EAAE,OAAO,CAAC;IAClB,qFAAqF;IACrF,MAAM,EAAE,KAAK,GAAG,OAAO,GAAG,SAAS,CAAC;IACpC,4EAA4E;IAC5E,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,+EAA+E;IAC/E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uDAAuD;IACvD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,0DAA0D;IAC1D,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,uDAAuD;IACvD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AA2CD,wEAAwE;AACxE,wBAAgB,wBAAwB;;IA0DvC;AAED,yDAAyD;AACzD,wBAAgB,wBAAwB;;;;;;;;;;;;;;;;IAyBvC;AAiHD;;;GAGG;AACH,wBAAgB,uBAAuB;;;;;;;;;;;;;;;;IAiEtC;AAMD,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,WAAW,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAiBD;;;;;;;;;;;GAWG;AACH,wBAAgB,wBAAwB;;;;;;;;;;IAiBvC"}
1
+ {"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../../src/secrets/routes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAqDH,OAAO,EAIL,KAAK,WAAW,EACjB,MAAM,eAAe,CAAC;AAUvB,MAAM,WAAW,mBAAmB;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,WAAW,CAAC;IACnB,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC;IAC1B,QAAQ,EAAE,OAAO,CAAC;IAClB,qFAAqF;IACrF,MAAM,EAAE,KAAK,GAAG,OAAO,GAAG,SAAS,CAAC;IACpC,4EAA4E;IAC5E,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,+EAA+E;IAC/E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uDAAuD;IACvD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,0DAA0D;IAC1D,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,uDAAuD;IACvD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAkDD,wEAAwE;AACxE,wBAAgB,wBAAwB;;IA0DvC;AAED,yDAAyD;AACzD,wBAAgB,wBAAwB;;;;;;;;;;;;;;;;IAyBvC;AA8HD;;;GAGG;AACH,wBAAgB,uBAAuB;;;;;;;;;;;;;;;;IAiEtC;AAMD,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,WAAW,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAiBD;;;;;;;;;;;GAWG;AACH,wBAAgB,wBAAwB;;;;;;;;;;IAiBvC"}
package/dist/secrets/routes.js CHANGED
@@ -33,6 +33,18 @@ async function canMutateWorkspaceScope(event, scopeId) {
33
33
  return true;
34
34
  return ctx.role === "owner" || ctx.role === "admin";
35
35
  }
36
+ /**
37
+ * Org-scoped secrets (`scope: "org"`) live alongside `workspace` scope but
38
+ * are stricter: they always require an active org and an owner/admin role.
39
+ * No solo fallback — if the caller has no org, an org-scoped write makes no
40
+ * sense and we refuse rather than write to an ambiguous row.
41
+ */
42
+ async function canMutateOrgScope(event, scopeId) {
43
+ const ctx = await getOrgContext(event).catch(() => null);
44
+ if (!ctx?.orgId || ctx.orgId !== scopeId)
45
+ return false;
46
+ return ctx.role === "owner" || ctx.role === "admin";
47
+ }
36
48
  import { listOAuthAccountsByOwner } from "../oauth-tokens/store.js";
37
49
  import { listRequiredSecrets, getRequiredSecret, } from "./register.js";
38
50
  import { writeAppSecret, deleteAppSecret, getAppSecretMeta, readAppSecret, listAppSecretsForScope, } from "./storage.js";
@@ -59,6 +71,14 @@ async function resolveScopeId(event, scope) {
59
71
  }
60
72
  return { scopeId: session.email };
61
73
  }
74
+ if (scope === "org") {
75
+ // Org-scoped secrets require an active org — there's no solo fallback
76
+ // because an "org" key without an org would land in an ambiguous row.
77
+ const ctx = await getOrgContext(event).catch(() => null);
78
+ if (ctx?.orgId)
79
+ return { scopeId: ctx.orgId };
80
+ return { scopeId: null, reason: "No active organization" };
81
+ }
62
82
  // workspace
63
83
  const ctx = await getOrgContext(event).catch(() => null);
64
84
  if (ctx?.orgId)
@@ -175,6 +195,12 @@ async function handleWrite(event, secret) {
175
195
  error: "Only organization owners and admins can set workspace-scoped secrets",
176
196
  };
177
197
  }
198
+ if (secret.scope === "org" && !(await canMutateOrgScope(event, scopeId))) {
199
+ setResponseStatus(event, 403);
200
+ return {
201
+ error: "Only organization owners and admins can set org-scoped secrets",
202
+ };
203
+ }
178
204
  // Run validator if registered — return the validator's error on failure.
179
205
  if (secret.validator) {
180
206
  try {
@@ -237,6 +263,12 @@ async function handleDelete(event, secret) {
237
263
  error: "Only organization owners and admins can delete workspace-scoped secrets",
238
264
  };
239
265
  }
266
+ if (secret.scope === "org" && !(await canMutateOrgScope(event, scopeId))) {
267
+ setResponseStatus(event, 403);
268
+ return {
269
+ error: "Only organization owners and admins can delete org-scoped secrets",
270
+ };
271
+ }
240
272
  const removed = await deleteAppSecret({
241
273
  key: secret.key,
242
274
  scope: secret.scope,
package/dist/secrets/routes.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"routes.js","sourceRoot":"","sources":["../../src/secrets/routes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD;;;;;;;;;;;;;GAaG;AACH,KAAK,UAAU,uBAAuB,CACpC,KAAc,EACd,OAAe;IAEf,kEAAkE;IAClE,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,6CAA6C;IAC7C,IAAI,CAAC,GAAG,EAAE,KAAK;QAAE,OAAO,IAAI,CAAC;IAC7B,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC;AACtD,CAAC;AACD,OAAO,EAAE,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,iBAAiB,GAGlB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,sBAAsB,GAEvB,MAAM,cAAc,CAAC;AAwBtB,SAAS,uBAAuB,CAAC,OAAe,EAAE,WAAmB;IACnE,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW;QAAE,OAAO,OAAO,CAAC;IAC7C,OAAO,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AACvD,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc,EACd,MAAwB;IAExB,IAAI,CAAC,MAAM,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IACxC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,CAAC,OAAO,EAAE,KAAK;QAAE,OAAO,KAAK,CAAC;IAClC,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAC7C,MAAM,CAAC,aAAa,EACpB,OAAO,CAAC,KAAK,CACd,CAAC;IACF,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,wEAAwE;AACxE,KAAK,UAAU,cAAc,CAC3B,KAAc,EACd,KAAkB;IAElB,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;QAC9D,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;IACpC,CAAC;IACD,YAAY;IACZ,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,IAAI,GAAG,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;IAC9C,4EAA4E;IAC5E,0BAA0B;IAC1B,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,OAAO,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAChE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;AACtE,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;QACtC,MAAM,OAAO,GAA0B,EAAE,CAAC;QAE1C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAwB;gBAChC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ;gBAC3B,MAAM,EAAE,OAAO;aAChB,CAAC;YAEF,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC5B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;gBAC1C,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;gBAC9C,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;oBACzB,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;wBACxD,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;oBACtC,CAAC;oBAAC,MAAM,CAAC;wBACP,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC;oBACxB,CAAC;gBACH,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YAED,kDAAkD;YAClD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC;gBAClC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,OAAO;aACR,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;YACrB,IAAI,IAAI,EAAE,CAAC;gBACT,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;gBACpB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;YAClC,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAEvC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,OAAO,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,OAAO,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,KAAc,EAAE,MAAwB;IACjE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,2CAA2C,MAAM,CAAC,eAAe,IAAI,gBAAgB,UAAU;SACrH,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAEpD,CAAC;IAEF,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,IACE,MAAM,CAAC,KAAK,KAAK,WAAW;QAC5B,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,sEAAsE;SACzE,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO,EAAE,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC;YACxD,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;gBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;gBACnC,CAAC,CAAC,iBAAiB,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;aAC/C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,oDAAoD;QACpD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE;YACzC,CAAC,CAAC,uBAAuB,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACrC,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAc,EAAE,MAAwB;IAClE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,mEAAmE;SACzF,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IACD,IACE,MAAM,CAAC,KAAK,KAAK,WAAW;QAC5B,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,yEAAyE;SAC5E,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC;QACpC,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO;KACR,CAAC,CAAC;IACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QACD,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC5B,iDAAiD;YACjD,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,KAAK,CAC3D,GAAG,EAAE,CAAC,KAAK,CACZ,CAAC;YACF,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC;QACrB,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,yBAAyB,EAAE,CAAC;QACvD,CAAC;QACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;YACjC,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO;SACR,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpD,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC;iBAClD,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;gBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;gBACnC,CAAC,CAAC,iBAAiB,CAAC;YACxB,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC;aACtD,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAiBD,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAE7C,SAAS,aAAa,CAAC,IAAgB;IACrC,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,GAAG;QACd,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAErC,IAAI,MAAM,KAAK,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/B,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC;YAChC,OAAO,iBAAiB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACxC,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,KAAc;IAC3C,MAAM,KAAK,GAAgB,MAAM,CAAC;IAClC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,mBAAmB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACpE,MAAM,QAAQ,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/D,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,gBAAgB,CAAC,OAAO;QAC5C,CAAC,CAAC,MAAM,sBAAsB,CAAC,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC;QACrE,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,OAAO,GAAyB,EAAE,CAAC;IACzC,KAAK,MAAM,GAAG,IAAI,CAAC,GAAG,QAAQ,EAAE,GAAG,aAAa,CAAC,EAAE,CAAC;QAClD,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QACtC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,KAAc;IAC5C,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAMpD,CAAC;IAEF,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACnE,IAAI,CAAC,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,gFAAgF;SACnF,CAAC;IACJ,CAAC;IACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,IAAI,8DAA8D,IAAI,UAAU;SAC5F,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,KAAK,GAAgB,IAAI,CAAC,KAAK,KAAK,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC;IAE7E,MAAM,WAAW,GACf,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE;QAC7D,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE;QACzB,CAAC,CAAC,SAAS,CAAC;IAEhB,IAAI,gBAAoC,CAAC;IACzC,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,IAAI,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;QAClE,MAAM,UAAU,GAAG,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5D,IAAI,UAAU,CAAC,EAAE,KAAK,KAAK,EAAE,CAAC;YAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QACD,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,IACE,KAAK,KAAK,WAAW;QACrB,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,sEAAsE;SACzE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,IAAI;YACT,KAAK;YACL,KAAK;YACL,OAAO;YACP,WAAW;YACX,YAAY,EAAE,gBAAgB;SAC/B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE;YACzC,CAAC,CAAC,uBAAuB,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,KAAc,EAAE,IAAY;IAC3D,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,IAAI,oEAAoE;SACpF,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAgB,MAAM,CAAC;IAClC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IACrE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,2EAA2E;QAC3E,yEAAyE;QACzE,0EAA0E;QAC1E,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QAClE,IAAI,gBAAgB,CAAC,OAAO,EAAE,CAAC;YAC7B,IAAI,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBACtE,kEAAkE;gBAClE,gEAAgE;gBAChE,sDAAsD;gBACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YACtC,CAAC;YACD,MAAM,gBAAgB,GAAG,MAAM,eAAe,CAAC;gBAC7C,GAAG,EAAE,IAAI;gBACT,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,gBAAgB,CAAC,OAAO;aAClC,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;SACzC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC3B,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,OAAO,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9D,CAAC;AAED,SAAS,qBAAqB,CAC5B,KAAc;IAEd,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;QACxE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,0CAA0C,EAAE,CAAC;IAC1E,CAAC;IAED,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QACzB,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,IAAI,GAAQ,CAAC;QACb,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,KAAK,sBAAsB;aAC1D,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAC1D,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,KAAK,0BAA0B;aAC9D,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,sFAAsF;AACtF,SAAS,mBAAmB,CAC1B,KAAc,EACd,OAA4B,EAAE;IAE9B,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;SACzC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QACxE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC","sourcesContent":["/**\n * H3 event handlers for the framework secrets registry.\n *\n * Mounted under `/_agent-native/secrets/*` by `core-routes-plugin`.\n *\n * NEVER return a secret's plain-text value from any of these handlers.\n */\n\nimport {\n defineEventHandler,\n getMethod,\n setResponseStatus,\n type H3Event,\n} from \"h3\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport { getSession } from \"../server/auth.js\";\nimport { getOrgContext } from \"../org/context.js\";\n\n/**\n * Workspace-scoped secret writes/deletes are deployment-wide for every\n * org member who shares the resolved scopeId — a curious or malicious\n * member could otherwise overwrite `OPENAI_API_KEY` (or any unregistered\n * key) with their own value, redirecting every other member's automations\n * through their key for skimming, billing abuse, or DoS by deletion.\n *\n * Allow workspace-scope writes only for org owners/admins. The \"solo\"\n * fallback scopeId (`solo:<email>`) is single-user, so it bypasses the\n * check. A normal session with no active org also passes — there's no\n * privilege gradient to enforce in that case.\n *\n * Returns true if the request is allowed to write/delete this scope.\n */\nasync function canMutateWorkspaceScope(\n event: H3Event,\n scopeId: string,\n): Promise<boolean> {\n // Solo / dev fallback scope — single user, no privilege gradient.\n if (scopeId.startsWith(\"solo:\")) return true;\n const ctx = await getOrgContext(event).catch(() => null);\n // No active org — single-tenant flow, allow.\n if (!ctx?.orgId) return true;\n return ctx.role === \"owner\" || ctx.role === \"admin\";\n}\nimport { listOAuthAccountsByOwner } from \"../oauth-tokens/store.js\";\nimport {\n listRequiredSecrets,\n getRequiredSecret,\n type RegisteredSecret,\n type SecretScope,\n} from \"./register.js\";\nimport {\n writeAppSecret,\n deleteAppSecret,\n getAppSecretMeta,\n readAppSecret,\n listAppSecretsForScope,\n type SecretMeta,\n} from \"./storage.js\";\n\nexport interface SecretStatusPayload {\n key: string;\n label: string;\n description?: string;\n docsUrl?: string;\n scope: SecretScope;\n kind: \"api-key\" | \"oauth\";\n required: boolean;\n /** \"set\" = value present; \"unset\" = not configured; \"invalid\" = validator failed. */\n status: \"set\" | \"unset\" | \"invalid\";\n /** Last 4 chars — only populated when status === \"set\" for api-key kind. */\n last4?: string;\n /** Timestamp (ms) of the last write — only populated when status === \"set\". */\n updatedAt?: number;\n /** OAuth-kind: the provider id backing this secret. */\n oauthProvider?: string;\n /** OAuth-kind: url the Connect button should point at. */\n oauthConnectUrl?: string;\n /** Validator error message if status === \"invalid\". */\n error?: string;\n}\n\nfunction redactSecretFromMessage(message: string, secretValue: string): string {\n if (!message || !secretValue) return message;\n return message.split(secretValue).join(\"[redacted]\");\n}\n\nasync function hasOAuthSecretForEvent(\n event: H3Event,\n secret: RegisteredSecret,\n): Promise<boolean> {\n if (!secret.oauthProvider) return false;\n const session = await getSession(event).catch(() => null);\n if (!session?.email) return false;\n const accounts = await listOAuthAccountsByOwner(\n secret.oauthProvider,\n session.email,\n );\n return accounts.length > 0;\n}\n\n/** Resolve the scopeId for a given scope, given the current session. */\nasync function resolveScopeId(\n event: H3Event,\n scope: SecretScope,\n): Promise<{ scopeId: string | null; reason?: string }> {\n if (scope === \"user\") {\n const session = await getSession(event).catch(() => null);\n if (!session?.email) {\n return { scopeId: null, reason: \"Authentication required\" };\n }\n return { scopeId: session.email };\n }\n // workspace\n const ctx = await getOrgContext(event).catch(() => null);\n if (ctx?.orgId) return { scopeId: ctx.orgId };\n // Fall back to session email in solo/dev mode so secrets still work without\n // an active organisation.\n const session = await getSession(event).catch(() => null);\n if (session?.email) return { scopeId: `solo:${session.email}` };\n return { scopeId: null, reason: \"No workspace or session context\" };\n}\n\n/** GET /_agent-native/secrets — list registered secrets with status. */\nexport function createListSecretsHandler() {\n return defineEventHandler(async (event: H3Event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const secrets = listRequiredSecrets();\n const payload: SecretStatusPayload[] = [];\n\n for (const secret of secrets) {\n const base: SecretStatusPayload = {\n key: secret.key,\n label: secret.label,\n description: secret.description,\n docsUrl: secret.docsUrl,\n scope: secret.scope,\n kind: secret.kind,\n required: !!secret.required,\n status: \"unset\",\n };\n\n if (secret.kind === \"oauth\") {\n base.oauthProvider = secret.oauthProvider;\n base.oauthConnectUrl = secret.oauthConnectUrl;\n if (secret.oauthProvider) {\n try {\n const has = await hasOAuthSecretForEvent(event, secret);\n base.status = has ? \"set\" : \"unset\";\n } catch {\n base.status = \"unset\";\n }\n }\n payload.push(base);\n continue;\n }\n\n // api-key: look up the stored row in app_secrets.\n const { scopeId } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n payload.push(base);\n continue;\n }\n const meta = await getAppSecretMeta({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n }).catch(() => null);\n if (meta) {\n base.status = \"set\";\n base.last4 = meta.last4;\n base.updatedAt = meta.updatedAt;\n }\n payload.push(base);\n }\n\n return payload;\n });\n}\n\n/** POST /_agent-native/secrets/:key — write a secret. */\nexport function createWriteSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n const method = getMethod(event);\n const key = extractKeyFromEvent(event);\n\n if (!key) {\n setResponseStatus(event, 400);\n return { error: \"Secret key required\" };\n }\n\n const secret = getRequiredSecret(key);\n if (!secret) {\n setResponseStatus(event, 404);\n return { error: `Secret \"${key}\" is not registered` };\n }\n\n if (method === \"POST\" || method === \"PUT\") {\n return handleWrite(event, secret);\n }\n if (method === \"DELETE\") {\n return handleDelete(event, secret);\n }\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n });\n}\n\nasync function handleWrite(event: H3Event, secret: RegisteredSecret) {\n if (secret.kind === \"oauth\") {\n setResponseStatus(event, 400);\n return {\n error: `\"${secret.key}\" is an OAuth-kind secret — connect via ${secret.oauthConnectUrl ?? \"the OAuth flow\"} instead`,\n };\n }\n const body = (await readBody(event).catch(() => ({}))) as {\n value?: unknown;\n };\n\n const value = typeof body.value === \"string\" ? body.value.trim() : \"\";\n if (!value) {\n setResponseStatus(event, 400);\n return { error: \"value is required\" };\n }\n\n const { scopeId, reason } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n if (\n secret.scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can set workspace-scoped secrets\",\n };\n }\n\n // Run validator if registered — return the validator's error on failure.\n if (secret.validator) {\n try {\n const result = await secret.validator(value);\n const ok = typeof result === \"boolean\" ? result : result?.ok === true;\n if (!ok) {\n setResponseStatus(event, 400);\n const err =\n typeof result === \"object\" && result && result.error\n ? String(result.error)\n : \"Validator rejected the value\";\n return { error: redactSecretFromMessage(err, value) };\n }\n } catch (err) {\n setResponseStatus(event, 400);\n const message =\n err instanceof Error\n ? `Validator threw: ${err.message}`\n : \"Validator threw\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n }\n\n try {\n await writeAppSecret({\n key: secret.key,\n value,\n scope: secret.scope,\n scopeId,\n });\n } catch (err) {\n // Scrub: never surface the value in any error path.\n setResponseStatus(event, 500);\n const message =\n err instanceof Error\n ? `Failed to save secret: ${err.message}`\n : \"Failed to save secret\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n\n return { ok: true, status: \"set\" };\n}\n\nasync function handleDelete(event: H3Event, secret: RegisteredSecret) {\n if (secret.kind === \"oauth\") {\n setResponseStatus(event, 400);\n return {\n error: `\"${secret.key}\" is an OAuth-kind secret — disconnect via the OAuth flow instead`,\n };\n }\n const { scopeId, reason } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n if (\n secret.scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can delete workspace-scoped secrets\",\n };\n }\n const removed = await deleteAppSecret({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n });\n return { ok: true, removed };\n}\n\n/**\n * POST /_agent-native/secrets/:key/test — re-run the validator against the\n * current stored value without changing anything. Useful for the \"Test\" button.\n */\nexport function createTestSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const key = extractKeyFromEvent(event, { suffix: \"/test\" });\n if (!key) {\n setResponseStatus(event, 400);\n return { error: \"Secret key required\" };\n }\n const secret = getRequiredSecret(key);\n if (!secret) {\n setResponseStatus(event, 404);\n return { error: `Secret \"${key}\" is not registered` };\n }\n if (secret.kind === \"oauth\") {\n // For OAuth we just report whether tokens exist.\n const has = await hasOAuthSecretForEvent(event, secret).catch(\n () => false,\n );\n return { ok: has };\n }\n if (!secret.validator) {\n return { ok: true, note: \"No validator registered\" };\n }\n const { scopeId } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: \"Unable to resolve scope\" };\n }\n const stored = await readAppSecret({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n });\n if (!stored) {\n setResponseStatus(event, 404);\n return { error: \"No value stored\" };\n }\n try {\n const result = await secret.validator(stored.value);\n const ok = typeof result === \"boolean\" ? result : result?.ok === true;\n if (!ok) {\n const err =\n typeof result === \"object\" && result && result.error\n ? String(result.error)\n : \"Validator rejected the value\";\n return {\n ok: false,\n error: redactSecretFromMessage(err, stored.value),\n };\n }\n return { ok: true };\n } catch (err) {\n const message =\n err instanceof Error\n ? `Validator threw: ${err.message}`\n : \"Validator threw\";\n return {\n ok: false,\n error: redactSecretFromMessage(message, stored.value),\n };\n }\n });\n}\n\n// ---------------------------------------------------------------------------\n// Ad-hoc secrets — user-/agent-created keys not in the registry\n// ---------------------------------------------------------------------------\n\nexport interface AdHocSecretPayload {\n name: string;\n scope: SecretScope;\n scopeId: string;\n description: string | null;\n last4: string;\n urlAllowlist: string[] | null;\n createdAt: number;\n updatedAt: number;\n}\n\nconst AD_HOC_NAME_REGEX = /^[A-Za-z0-9_-]+$/;\n\nfunction metaToPayload(meta: SecretMeta): AdHocSecretPayload {\n return {\n name: meta.key,\n scope: meta.scope,\n scopeId: meta.scopeId,\n description: meta.description,\n last4: meta.last4,\n urlAllowlist: meta.urlAllowlist,\n createdAt: meta.createdAt,\n updatedAt: meta.updatedAt,\n };\n}\n\n/**\n * Handler for `/_agent-native/secrets/adhoc[/:name]`.\n *\n * - GET (no name) — list all ad-hoc keys for the user's scope\n * - POST (no name) — create or update an ad-hoc key\n * - DELETE (with name) — delete an ad-hoc key\n *\n * Ad-hoc keys are arbitrary named secrets users or the agent create at\n * runtime for automation use (e.g. \"SLACK_WEBHOOK\", \"HUBSPOT_API_KEY\").\n * They differ from registered secrets (`registerRequiredSecret`) in that\n * they have no template-defined metadata, validator, or onboarding step.\n */\nexport function createAdHocSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n const method = getMethod(event);\n const name = extractAdHocName(event);\n\n if (method === \"GET\" && !name) {\n return handleAdHocList(event);\n }\n if (method === \"POST\" && !name) {\n return handleAdHocWrite(event);\n }\n if (method === \"DELETE\" && name) {\n return handleAdHocDelete(event, name);\n }\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n });\n}\n\nasync function handleAdHocList(event: H3Event) {\n const scope: SecretScope = \"user\";\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n const registered = new Set(listRequiredSecrets().map((s) => s.key));\n const userRows = await listAppSecretsForScope(\"user\", scopeId);\n const workspaceContext = await resolveScopeId(event, \"workspace\");\n const workspaceRows = workspaceContext.scopeId\n ? await listAppSecretsForScope(\"workspace\", workspaceContext.scopeId)\n : [];\n\n const payload: AdHocSecretPayload[] = [];\n for (const row of [...userRows, ...workspaceRows]) {\n if (registered.has(row.key)) continue;\n payload.push(metaToPayload(row));\n }\n return payload;\n}\n\nasync function handleAdHocWrite(event: H3Event) {\n const body = (await readBody(event).catch(() => ({}))) as {\n name?: unknown;\n value?: unknown;\n description?: unknown;\n scope?: unknown;\n urlAllowlist?: unknown;\n };\n\n const name = typeof body.name === \"string\" ? body.name.trim() : \"\";\n if (!name || !AD_HOC_NAME_REGEX.test(name)) {\n setResponseStatus(event, 400);\n return {\n error:\n \"name is required and may only contain letters, digits, underscores, and dashes\",\n };\n }\n if (getRequiredSecret(name)) {\n setResponseStatus(event, 400);\n return {\n error: `\"${name}\" is a registered secret — use POST /_agent-native/secrets/${name} instead`,\n };\n }\n\n const value = typeof body.value === \"string\" ? body.value.trim() : \"\";\n if (!value) {\n setResponseStatus(event, 400);\n return { error: \"value is required\" };\n }\n\n const scope: SecretScope = body.scope === \"workspace\" ? \"workspace\" : \"user\";\n\n const description =\n typeof body.description === \"string\" && body.description.trim()\n ? body.description.trim()\n : undefined;\n\n let urlAllowlistJson: string | undefined;\n if (body.urlAllowlist !== undefined && body.urlAllowlist !== null) {\n const normalized = normalizeUrlAllowlist(body.urlAllowlist);\n if (normalized.ok === false) {\n setResponseStatus(event, 400);\n return { error: normalized.error };\n }\n urlAllowlistJson = JSON.stringify(normalized.origins);\n }\n\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n if (\n scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can set workspace-scoped secrets\",\n };\n }\n\n try {\n await writeAppSecret({\n key: name,\n value,\n scope,\n scopeId,\n description,\n urlAllowlist: urlAllowlistJson,\n });\n } catch (err) {\n setResponseStatus(event, 500);\n const message =\n err instanceof Error\n ? `Failed to save secret: ${err.message}`\n : \"Failed to save secret\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n\n return { ok: true, key: name };\n}\n\nasync function handleAdHocDelete(event: H3Event, name: string) {\n if (getRequiredSecret(name)) {\n setResponseStatus(event, 400);\n return {\n error: `\"${name}\" is a registered secret — delete via the registered route instead`,\n };\n }\n const scope: SecretScope = \"user\";\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n const removed = await deleteAppSecret({ key: name, scope, scopeId });\n if (!removed) {\n // Fall back to workspace scope so the agent / UI can clean up shared keys.\n // Gate the fallback behind the org-admin check so a regular member can't\n // DoS every other member's automations by deleting shared workspace keys.\n const workspaceContext = await resolveScopeId(event, \"workspace\");\n if (workspaceContext.scopeId) {\n if (!(await canMutateWorkspaceScope(event, workspaceContext.scopeId))) {\n // No-op silently for non-admins — the user-scope row didn't exist\n // and they don't have permission to touch the workspace row, so\n // there's nothing to remove from their point of view.\n return { ok: true, removed: false };\n }\n const removedWorkspace = await deleteAppSecret({\n key: name,\n scope: \"workspace\",\n scopeId: workspaceContext.scopeId,\n });\n return { ok: true, removed: removedWorkspace };\n }\n }\n return { ok: true, removed };\n}\n\nfunction extractAdHocName(event: H3Event): string | null {\n const pathname = (event.url?.pathname || \"\")\n .replace(/^\\/+/, \"\")\n .replace(/\\/+$/, \"\");\n if (!pathname) return null;\n const parts = pathname.split(\"/\");\n // The router strips the `/secrets/adhoc` prefix, so `parts[0]` (if present)\n // is the name. When the request is the bare `/adhoc` listing, parts is empty.\n const candidate = parts[0];\n if (!candidate) return null;\n return AD_HOC_NAME_REGEX.test(candidate) ? candidate : null;\n}\n\nfunction normalizeUrlAllowlist(\n input: unknown,\n): { ok: true; origins: string[] } | { ok: false; error: string } {\n if (!Array.isArray(input) || !input.every((v) => typeof v === \"string\")) {\n return { ok: false, error: \"urlAllowlist must be an array of strings\" };\n }\n\n const origins: string[] = [];\n for (const raw of input) {\n const value = raw.trim();\n if (!value) continue;\n let url: URL;\n try {\n url = new URL(value);\n } catch {\n return {\n ok: false,\n error: `urlAllowlist entry \"${value}\" is not a valid URL`,\n };\n }\n if (url.protocol !== \"https:\" && url.protocol !== \"http:\") {\n return {\n ok: false,\n error: `urlAllowlist entry \"${value}\" must use http or https`,\n };\n }\n if (!origins.includes(url.origin)) origins.push(url.origin);\n }\n return { ok: true, origins };\n}\n\n/** Extract the key from `/:key` or `/:key/test` after the `/secrets` prefix strip. */\nfunction extractKeyFromEvent(\n event: H3Event,\n opts: { suffix?: string } = {},\n): string | null {\n const pathname = (event.url?.pathname || \"\")\n .replace(/^\\/+/, \"\")\n .replace(/\\/+$/, \"\");\n if (!pathname) return null;\n const parts = pathname.split(\"/\");\n if (opts.suffix === \"/test\") {\n if (parts.length < 2 || parts[parts.length - 1] !== \"test\") return null;\n return parts[0];\n }\n return parts[0];\n}\n"]}
1
+ {"version":3,"file":"routes.js","sourceRoot":"","sources":["../../src/secrets/routes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD;;;;;;;;;;;;;GAaG;AACH,KAAK,UAAU,uBAAuB,CACpC,KAAc,EACd,OAAe;IAEf,kEAAkE;IAClE,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,6CAA6C;IAC7C,IAAI,CAAC,GAAG,EAAE,KAAK;QAAE,OAAO,IAAI,CAAC;IAC7B,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC;AACtD,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,iBAAiB,CAC9B,KAAc,EACd,OAAe;IAEf,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG,EAAE,KAAK,IAAI,GAAG,CAAC,KAAK,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IACvD,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC;AACtD,CAAC;AACD,OAAO,EAAE,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,iBAAiB,GAGlB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,sBAAsB,GAEvB,MAAM,cAAc,CAAC;AAwBtB,SAAS,uBAAuB,CAAC,OAAe,EAAE,WAAmB;IACnE,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW;QAAE,OAAO,OAAO,CAAC;IAC7C,OAAO,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AACvD,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc,EACd,MAAwB;IAExB,IAAI,CAAC,MAAM,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IACxC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,CAAC,OAAO,EAAE,KAAK;QAAE,OAAO,KAAK,CAAC;IAClC,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAC7C,MAAM,CAAC,aAAa,EACpB,OAAO,CAAC,KAAK,CACd,CAAC;IACF,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,wEAAwE;AACxE,KAAK,UAAU,cAAc,CAC3B,KAAc,EACd,KAAkB;IAElB,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;QAC9D,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;IACpC,CAAC;IACD,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;QACpB,sEAAsE;QACtE,sEAAsE;QACtE,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QACzD,IAAI,GAAG,EAAE,KAAK;YAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;QAC9C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC;IAC7D,CAAC;IACD,YAAY;IACZ,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,IAAI,GAAG,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;IAC9C,4EAA4E;IAC5E,0BAA0B;IAC1B,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,OAAO,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAChE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;AACtE,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;QACtC,MAAM,OAAO,GAA0B,EAAE,CAAC;QAE1C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAwB;gBAChC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ;gBAC3B,MAAM,EAAE,OAAO;aAChB,CAAC;YAEF,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC5B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;gBAC1C,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;gBAC9C,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;oBACzB,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;wBACxD,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;oBACtC,CAAC;oBAAC,MAAM,CAAC;wBACP,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC;oBACxB,CAAC;gBACH,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YAED,kDAAkD;YAClD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC;gBAClC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,OAAO;aACR,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;YACrB,IAAI,IAAI,EAAE,CAAC;gBACT,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;gBACpB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;YAClC,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAEvC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,OAAO,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,OAAO,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,KAAc,EAAE,MAAwB;IACjE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,2CAA2C,MAAM,CAAC,eAAe,IAAI,gBAAgB,UAAU;SACrH,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAEpD,CAAC;IAEF,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,IACE,MAAM,CAAC,KAAK,KAAK,WAAW;QAC5B,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,sEAAsE;SACzE,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,KAAK,KAAK,IAAI,CAAC,CAAC,MAAM,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC;QACzE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,gEAAgE;SACxE,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO,EAAE,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC;YACxD,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;gBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;gBACnC,CAAC,CAAC,iBAAiB,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;aAC/C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,oDAAoD;QACpD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE;YACzC,CAAC,CAAC,uBAAuB,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACrC,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAc,EAAE,MAAwB;IAClE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,mEAAmE;SACzF,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IACD,IACE,MAAM,CAAC,KAAK,KAAK,WAAW;QAC5B,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,yEAAyE;SAC5E,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,KAAK,KAAK,IAAI,CAAC,CAAC,MAAM,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC;QACzE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,mEAAmE;SACtE,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC;QACpC,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO;KACR,CAAC,CAAC;IACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QACD,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC5B,iDAAiD;YACjD,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,KAAK,CAC3D,GAAG,EAAE,CAAC,KAAK,CACZ,CAAC;YACF,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC;QACrB,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,yBAAyB,EAAE,CAAC;QACvD,CAAC;QACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;YACjC,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO;SACR,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpD,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC;iBAClD,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;gBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;gBACnC,CAAC,CAAC,iBAAiB,CAAC;YACxB,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC;aACtD,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAiBD,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAE7C,SAAS,aAAa,CAAC,IAAgB;IACrC,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,GAAG;QACd,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAErC,IAAI,MAAM,KAAK,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/B,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC;YAChC,OAAO,iBAAiB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACxC,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,KAAc;IAC3C,MAAM,KAAK,GAAgB,MAAM,CAAC;IAClC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,mBAAmB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACpE,MAAM,QAAQ,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/D,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,gBAAgB,CAAC,OAAO;QAC5C,CAAC,CAAC,MAAM,sBAAsB,CAAC,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC;QACrE,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,OAAO,GAAyB,EAAE,CAAC;IACzC,KAAK,MAAM,GAAG,IAAI,CAAC,GAAG,QAAQ,EAAE,GAAG,aAAa,CAAC,EAAE,CAAC;QAClD,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QACtC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,KAAc;IAC5C,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAMpD,CAAC;IAEF,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACnE,IAAI,CAAC,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,gFAAgF;SACnF,CAAC;IACJ,CAAC;IACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,IAAI,8DAA8D,IAAI,UAAU;SAC5F,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,KAAK,GAAgB,IAAI,CAAC,KAAK,KAAK,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC;IAE7E,MAAM,WAAW,GACf,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE;QAC7D,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE;QACzB,CAAC,CAAC,SAAS,CAAC;IAEhB,IAAI,gBAAoC,CAAC;IACzC,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,IAAI,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;QAClE,MAAM,UAAU,GAAG,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5D,IAAI,UAAU,CAAC,EAAE,KAAK,KAAK,EAAE,CAAC;YAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QACD,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,IACE,KAAK,KAAK,WAAW;QACrB,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,sEAAsE;SACzE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,IAAI;YACT,KAAK;YACL,KAAK;YACL,OAAO;YACP,WAAW;YACX,YAAY,EAAE,gBAAgB;SAC/B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE;YACzC,CAAC,CAAC,uBAAuB,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,KAAc,EAAE,IAAY;IAC3D,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,IAAI,oEAAoE;SACpF,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAgB,MAAM,CAAC;IAClC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IACrE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,2EAA2E;QAC3E,yEAAyE;QACzE,0EAA0E;QAC1E,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QAClE,IAAI,gBAAgB,CAAC,OAAO,EAAE,CAAC;YAC7B,IAAI,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBACtE,kEAAkE;gBAClE,gEAAgE;gBAChE,sDAAsD;gBACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YACtC,CAAC;YACD,MAAM,gBAAgB,GAAG,MAAM,eAAe,CAAC;gBAC7C,GAAG,EAAE,IAAI;gBACT,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,gBAAgB,CAAC,OAAO;aAClC,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;SACzC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC3B,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,OAAO,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9D,CAAC;AAED,SAAS,qBAAqB,CAC5B,KAAc;IAEd,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;QACxE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,0CAA0C,EAAE,CAAC;IAC1E,CAAC;IAED,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QACzB,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,IAAI,GAAQ,CAAC;QACb,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,KAAK,sBAAsB;aAC1D,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAC1D,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,KAAK,0BAA0B;aAC9D,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,sFAAsF;AACtF,SAAS,mBAAmB,CAC1B,KAAc,EACd,OAA4B,EAAE;IAE9B,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;SACzC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QACxE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC","sourcesContent":["/**\n * H3 event handlers for the framework secrets registry.\n *\n * Mounted under `/_agent-native/secrets/*` by `core-routes-plugin`.\n *\n * NEVER return a secret's plain-text value from any of these handlers.\n */\n\nimport {\n defineEventHandler,\n getMethod,\n setResponseStatus,\n type H3Event,\n} from \"h3\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport { getSession } from \"../server/auth.js\";\nimport { getOrgContext } from \"../org/context.js\";\n\n/**\n * Workspace-scoped secret writes/deletes are deployment-wide for every\n * org member who shares the resolved scopeId — a curious or malicious\n * member could otherwise overwrite `OPENAI_API_KEY` (or any unregistered\n * key) with their own value, redirecting every other member's automations\n * through their key for skimming, billing abuse, or DoS by deletion.\n *\n * Allow workspace-scope writes only for org owners/admins. The \"solo\"\n * fallback scopeId (`solo:<email>`) is single-user, so it bypasses the\n * check. A normal session with no active org also passes — there's no\n * privilege gradient to enforce in that case.\n *\n * Returns true if the request is allowed to write/delete this scope.\n */\nasync function canMutateWorkspaceScope(\n event: H3Event,\n scopeId: string,\n): Promise<boolean> {\n // Solo / dev fallback scope — single user, no privilege gradient.\n if (scopeId.startsWith(\"solo:\")) return true;\n const ctx = await getOrgContext(event).catch(() => null);\n // No active org — single-tenant flow, allow.\n if (!ctx?.orgId) return true;\n return ctx.role === \"owner\" || ctx.role === \"admin\";\n}\n\n/**\n * Org-scoped secrets (`scope: \"org\"`) live alongside `workspace` scope but\n * are stricter: they always require an active org and an owner/admin role.\n * No solo fallback — if the caller has no org, an org-scoped write makes no\n * sense and we refuse rather than write to an ambiguous row.\n */\nasync function canMutateOrgScope(\n event: H3Event,\n scopeId: string,\n): Promise<boolean> {\n const ctx = await getOrgContext(event).catch(() => null);\n if (!ctx?.orgId || ctx.orgId !== scopeId) return false;\n return ctx.role === \"owner\" || ctx.role === \"admin\";\n}\nimport { listOAuthAccountsByOwner } from \"../oauth-tokens/store.js\";\nimport {\n listRequiredSecrets,\n getRequiredSecret,\n type RegisteredSecret,\n type SecretScope,\n} from \"./register.js\";\nimport {\n writeAppSecret,\n deleteAppSecret,\n getAppSecretMeta,\n readAppSecret,\n listAppSecretsForScope,\n type SecretMeta,\n} from \"./storage.js\";\n\nexport interface SecretStatusPayload {\n key: string;\n label: string;\n description?: string;\n docsUrl?: string;\n scope: SecretScope;\n kind: \"api-key\" | \"oauth\";\n required: boolean;\n /** \"set\" = value present; \"unset\" = not configured; \"invalid\" = validator failed. */\n status: \"set\" | \"unset\" | \"invalid\";\n /** Last 4 chars — only populated when status === \"set\" for api-key kind. */\n last4?: string;\n /** Timestamp (ms) of the last write — only populated when status === \"set\". */\n updatedAt?: number;\n /** OAuth-kind: the provider id backing this secret. */\n oauthProvider?: string;\n /** OAuth-kind: url the Connect button should point at. */\n oauthConnectUrl?: string;\n /** Validator error message if status === \"invalid\". */\n error?: string;\n}\n\nfunction redactSecretFromMessage(message: string, secretValue: string): string {\n if (!message || !secretValue) return message;\n return message.split(secretValue).join(\"[redacted]\");\n}\n\nasync function hasOAuthSecretForEvent(\n event: H3Event,\n secret: RegisteredSecret,\n): Promise<boolean> {\n if (!secret.oauthProvider) return false;\n const session = await getSession(event).catch(() => null);\n if (!session?.email) return false;\n const accounts = await listOAuthAccountsByOwner(\n secret.oauthProvider,\n session.email,\n );\n return accounts.length > 0;\n}\n\n/** Resolve the scopeId for a given scope, given the current session. */\nasync function resolveScopeId(\n event: H3Event,\n scope: SecretScope,\n): Promise<{ scopeId: string | null; reason?: string }> {\n if (scope === \"user\") {\n const session = await getSession(event).catch(() => null);\n if (!session?.email) {\n return { scopeId: null, reason: \"Authentication required\" };\n }\n return { scopeId: session.email };\n }\n if (scope === \"org\") {\n // Org-scoped secrets require an active org — there's no solo fallback\n // because an \"org\" key without an org would land in an ambiguous row.\n const ctx = await getOrgContext(event).catch(() => null);\n if (ctx?.orgId) return { scopeId: ctx.orgId };\n return { scopeId: null, reason: \"No active organization\" };\n }\n // workspace\n const ctx = await getOrgContext(event).catch(() => null);\n if (ctx?.orgId) return { scopeId: ctx.orgId };\n // Fall back to session email in solo/dev mode so secrets still work without\n // an active organisation.\n const session = await getSession(event).catch(() => null);\n if (session?.email) return { scopeId: `solo:${session.email}` };\n return { scopeId: null, reason: \"No workspace or session context\" };\n}\n\n/** GET /_agent-native/secrets — list registered secrets with status. */\nexport function createListSecretsHandler() {\n return defineEventHandler(async (event: H3Event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const secrets = listRequiredSecrets();\n const payload: SecretStatusPayload[] = [];\n\n for (const secret of secrets) {\n const base: SecretStatusPayload = {\n key: secret.key,\n label: secret.label,\n description: secret.description,\n docsUrl: secret.docsUrl,\n scope: secret.scope,\n kind: secret.kind,\n required: !!secret.required,\n status: \"unset\",\n };\n\n if (secret.kind === \"oauth\") {\n base.oauthProvider = secret.oauthProvider;\n base.oauthConnectUrl = secret.oauthConnectUrl;\n if (secret.oauthProvider) {\n try {\n const has = await hasOAuthSecretForEvent(event, secret);\n base.status = has ? \"set\" : \"unset\";\n } catch {\n base.status = \"unset\";\n }\n }\n payload.push(base);\n continue;\n }\n\n // api-key: look up the stored row in app_secrets.\n const { scopeId } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n payload.push(base);\n continue;\n }\n const meta = await getAppSecretMeta({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n }).catch(() => null);\n if (meta) {\n base.status = \"set\";\n base.last4 = meta.last4;\n base.updatedAt = meta.updatedAt;\n }\n payload.push(base);\n }\n\n return payload;\n });\n}\n\n/** POST /_agent-native/secrets/:key — write a secret. */\nexport function createWriteSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n const method = getMethod(event);\n const key = extractKeyFromEvent(event);\n\n if (!key) {\n setResponseStatus(event, 400);\n return { error: \"Secret key required\" };\n }\n\n const secret = getRequiredSecret(key);\n if (!secret) {\n setResponseStatus(event, 404);\n return { error: `Secret \"${key}\" is not registered` };\n }\n\n if (method === \"POST\" || method === \"PUT\") {\n return handleWrite(event, secret);\n }\n if (method === \"DELETE\") {\n return handleDelete(event, secret);\n }\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n });\n}\n\nasync function handleWrite(event: H3Event, secret: RegisteredSecret) {\n if (secret.kind === \"oauth\") {\n setResponseStatus(event, 400);\n return {\n error: `\"${secret.key}\" is an OAuth-kind secret — connect via ${secret.oauthConnectUrl ?? \"the OAuth flow\"} instead`,\n };\n }\n const body = (await readBody(event).catch(() => ({}))) as {\n value?: unknown;\n };\n\n const value = typeof body.value === \"string\" ? body.value.trim() : \"\";\n if (!value) {\n setResponseStatus(event, 400);\n return { error: \"value is required\" };\n }\n\n const { scopeId, reason } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n if (\n secret.scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can set workspace-scoped secrets\",\n };\n }\n if (secret.scope === \"org\" && !(await canMutateOrgScope(event, scopeId))) {\n setResponseStatus(event, 403);\n return {\n error: \"Only organization owners and admins can set org-scoped secrets\",\n };\n }\n\n // Run validator if registered — return the validator's error on failure.\n if (secret.validator) {\n try {\n const result = await secret.validator(value);\n const ok = typeof result === \"boolean\" ? result : result?.ok === true;\n if (!ok) {\n setResponseStatus(event, 400);\n const err =\n typeof result === \"object\" && result && result.error\n ? String(result.error)\n : \"Validator rejected the value\";\n return { error: redactSecretFromMessage(err, value) };\n }\n } catch (err) {\n setResponseStatus(event, 400);\n const message =\n err instanceof Error\n ? `Validator threw: ${err.message}`\n : \"Validator threw\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n }\n\n try {\n await writeAppSecret({\n key: secret.key,\n value,\n scope: secret.scope,\n scopeId,\n });\n } catch (err) {\n // Scrub: never surface the value in any error path.\n setResponseStatus(event, 500);\n const message =\n err instanceof Error\n ? `Failed to save secret: ${err.message}`\n : \"Failed to save secret\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n\n return { ok: true, status: \"set\" };\n}\n\nasync function handleDelete(event: H3Event, secret: RegisteredSecret) {\n if (secret.kind === \"oauth\") {\n setResponseStatus(event, 400);\n return {\n error: `\"${secret.key}\" is an OAuth-kind secret — disconnect via the OAuth flow instead`,\n };\n }\n const { scopeId, reason } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n if (\n secret.scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can delete workspace-scoped secrets\",\n };\n }\n if (secret.scope === \"org\" && !(await canMutateOrgScope(event, scopeId))) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can delete org-scoped secrets\",\n };\n }\n const removed = await deleteAppSecret({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n });\n return { ok: true, removed };\n}\n\n/**\n * POST /_agent-native/secrets/:key/test — re-run the validator against the\n * current stored value without changing anything. Useful for the \"Test\" button.\n */\nexport function createTestSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const key = extractKeyFromEvent(event, { suffix: \"/test\" });\n if (!key) {\n setResponseStatus(event, 400);\n return { error: \"Secret key required\" };\n }\n const secret = getRequiredSecret(key);\n if (!secret) {\n setResponseStatus(event, 404);\n return { error: `Secret \"${key}\" is not registered` };\n }\n if (secret.kind === \"oauth\") {\n // For OAuth we just report whether tokens exist.\n const has = await hasOAuthSecretForEvent(event, secret).catch(\n () => false,\n );\n return { ok: has };\n }\n if (!secret.validator) {\n return { ok: true, note: \"No validator registered\" };\n }\n const { scopeId } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: \"Unable to resolve scope\" };\n }\n const stored = await readAppSecret({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n });\n if (!stored) {\n setResponseStatus(event, 404);\n return { error: \"No value stored\" };\n }\n try {\n const result = await secret.validator(stored.value);\n const ok = typeof result === \"boolean\" ? result : result?.ok === true;\n if (!ok) {\n const err =\n typeof result === \"object\" && result && result.error\n ? String(result.error)\n : \"Validator rejected the value\";\n return {\n ok: false,\n error: redactSecretFromMessage(err, stored.value),\n };\n }\n return { ok: true };\n } catch (err) {\n const message =\n err instanceof Error\n ? `Validator threw: ${err.message}`\n : \"Validator threw\";\n return {\n ok: false,\n error: redactSecretFromMessage(message, stored.value),\n };\n }\n });\n}\n\n// ---------------------------------------------------------------------------\n// Ad-hoc secrets — user-/agent-created keys not in the registry\n// ---------------------------------------------------------------------------\n\nexport interface AdHocSecretPayload {\n name: string;\n scope: SecretScope;\n scopeId: string;\n description: string | null;\n last4: string;\n urlAllowlist: string[] | null;\n createdAt: number;\n updatedAt: number;\n}\n\nconst AD_HOC_NAME_REGEX = /^[A-Za-z0-9_-]+$/;\n\nfunction metaToPayload(meta: SecretMeta): AdHocSecretPayload {\n return {\n name: meta.key,\n scope: meta.scope,\n scopeId: meta.scopeId,\n description: meta.description,\n last4: meta.last4,\n urlAllowlist: meta.urlAllowlist,\n createdAt: meta.createdAt,\n updatedAt: meta.updatedAt,\n };\n}\n\n/**\n * Handler for `/_agent-native/secrets/adhoc[/:name]`.\n *\n * - GET (no name) — list all ad-hoc keys for the user's scope\n * - POST (no name) — create or update an ad-hoc key\n * - DELETE (with name) — delete an ad-hoc key\n *\n * Ad-hoc keys are arbitrary named secrets users or the agent create at\n * runtime for automation use (e.g. \"SLACK_WEBHOOK\", \"HUBSPOT_API_KEY\").\n * They differ from registered secrets (`registerRequiredSecret`) in that\n * they have no template-defined metadata, validator, or onboarding step.\n */\nexport function createAdHocSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n const method = getMethod(event);\n const name = extractAdHocName(event);\n\n if (method === \"GET\" && !name) {\n return handleAdHocList(event);\n }\n if (method === \"POST\" && !name) {\n return handleAdHocWrite(event);\n }\n if (method === \"DELETE\" && name) {\n return handleAdHocDelete(event, name);\n }\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n });\n}\n\nasync function handleAdHocList(event: H3Event) {\n const scope: SecretScope = \"user\";\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n const registered = new Set(listRequiredSecrets().map((s) => s.key));\n const userRows = await listAppSecretsForScope(\"user\", scopeId);\n const workspaceContext = await resolveScopeId(event, \"workspace\");\n const workspaceRows = workspaceContext.scopeId\n ? await listAppSecretsForScope(\"workspace\", workspaceContext.scopeId)\n : [];\n\n const payload: AdHocSecretPayload[] = [];\n for (const row of [...userRows, ...workspaceRows]) {\n if (registered.has(row.key)) continue;\n payload.push(metaToPayload(row));\n }\n return payload;\n}\n\nasync function handleAdHocWrite(event: H3Event) {\n const body = (await readBody(event).catch(() => ({}))) as {\n name?: unknown;\n value?: unknown;\n description?: unknown;\n scope?: unknown;\n urlAllowlist?: unknown;\n };\n\n const name = typeof body.name === \"string\" ? body.name.trim() : \"\";\n if (!name || !AD_HOC_NAME_REGEX.test(name)) {\n setResponseStatus(event, 400);\n return {\n error:\n \"name is required and may only contain letters, digits, underscores, and dashes\",\n };\n }\n if (getRequiredSecret(name)) {\n setResponseStatus(event, 400);\n return {\n error: `\"${name}\" is a registered secret — use POST /_agent-native/secrets/${name} instead`,\n };\n }\n\n const value = typeof body.value === \"string\" ? body.value.trim() : \"\";\n if (!value) {\n setResponseStatus(event, 400);\n return { error: \"value is required\" };\n }\n\n const scope: SecretScope = body.scope === \"workspace\" ? \"workspace\" : \"user\";\n\n const description =\n typeof body.description === \"string\" && body.description.trim()\n ? body.description.trim()\n : undefined;\n\n let urlAllowlistJson: string | undefined;\n if (body.urlAllowlist !== undefined && body.urlAllowlist !== null) {\n const normalized = normalizeUrlAllowlist(body.urlAllowlist);\n if (normalized.ok === false) {\n setResponseStatus(event, 400);\n return { error: normalized.error };\n }\n urlAllowlistJson = JSON.stringify(normalized.origins);\n }\n\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n if (\n scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can set workspace-scoped secrets\",\n };\n }\n\n try {\n await writeAppSecret({\n key: name,\n value,\n scope,\n scopeId,\n description,\n urlAllowlist: urlAllowlistJson,\n });\n } catch (err) {\n setResponseStatus(event, 500);\n const message =\n err instanceof Error\n ? `Failed to save secret: ${err.message}`\n : \"Failed to save secret\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n\n return { ok: true, key: name };\n}\n\nasync function handleAdHocDelete(event: H3Event, name: string) {\n if (getRequiredSecret(name)) {\n setResponseStatus(event, 400);\n return {\n error: `\"${name}\" is a registered secret — delete via the registered route instead`,\n };\n }\n const scope: SecretScope = \"user\";\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n const removed = await deleteAppSecret({ key: name, scope, scopeId });\n if (!removed) {\n // Fall back to workspace scope so the agent / UI can clean up shared keys.\n // Gate the fallback behind the org-admin check so a regular member can't\n // DoS every other member's automations by deleting shared workspace keys.\n const workspaceContext = await resolveScopeId(event, \"workspace\");\n if (workspaceContext.scopeId) {\n if (!(await canMutateWorkspaceScope(event, workspaceContext.scopeId))) {\n // No-op silently for non-admins — the user-scope row didn't exist\n // and they don't have permission to touch the workspace row, so\n // there's nothing to remove from their point of view.\n return { ok: true, removed: false };\n }\n const removedWorkspace = await deleteAppSecret({\n key: name,\n scope: \"workspace\",\n scopeId: workspaceContext.scopeId,\n });\n return { ok: true, removed: removedWorkspace };\n }\n }\n return { ok: true, removed };\n}\n\nfunction extractAdHocName(event: H3Event): string | null {\n const pathname = (event.url?.pathname || \"\")\n .replace(/^\\/+/, \"\")\n .replace(/\\/+$/, \"\");\n if (!pathname) return null;\n const parts = pathname.split(\"/\");\n // The router strips the `/secrets/adhoc` prefix, so `parts[0]` (if present)\n // is the name. When the request is the bare `/adhoc` listing, parts is empty.\n const candidate = parts[0];\n if (!candidate) return null;\n return AD_HOC_NAME_REGEX.test(candidate) ? candidate : null;\n}\n\nfunction normalizeUrlAllowlist(\n input: unknown,\n): { ok: true; origins: string[] } | { ok: false; error: string } {\n if (!Array.isArray(input) || !input.every((v) => typeof v === \"string\")) {\n return { ok: false, error: \"urlAllowlist must be an array of strings\" };\n }\n\n const origins: string[] = [];\n for (const raw of input) {\n const value = raw.trim();\n if (!value) continue;\n let url: URL;\n try {\n url = new URL(value);\n } catch {\n return {\n ok: false,\n error: `urlAllowlist entry \"${value}\" is not a valid URL`,\n };\n }\n if (url.protocol !== \"https:\" && url.protocol !== \"http:\") {\n return {\n ok: false,\n error: `urlAllowlist entry \"${value}\" must use http or https`,\n };\n }\n if (!origins.includes(url.origin)) origins.push(url.origin);\n }\n return { ok: true, origins };\n}\n\n/** Extract the key from `/:key` or `/:key/test` after the `/secrets` prefix strip. */\nfunction extractKeyFromEvent(\n event: H3Event,\n opts: { suffix?: string } = {},\n): string | null {\n const pathname = (event.url?.pathname || \"\")\n .replace(/^\\/+/, \"\")\n .replace(/\\/+$/, \"\");\n if (!pathname) return null;\n const parts = pathname.split(\"/\");\n if (opts.suffix === \"/test\") {\n if (parts.length < 2 || parts[parts.length - 1] !== \"test\") return null;\n return parts[0];\n }\n return parts[0];\n}\n"]}
package/dist/server/agent-chat-plugin.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"agent-chat-plugin.d.ts","sourceRoot":"","sources":["../../src/server/agent-chat-plugin.ts"],"names":[],"mappings":"AAaA,OAAO,EAUL,KAAK,WAAW,EACjB,MAAM,8BAA8B,CAAC;AAKtC,OAAO,KAAK,EACV,cAAc,EAEd,eAAe,EAEhB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,gBAAgB,EAUjB,MAAM,wBAAwB,CAAC;AA4ChC,OAAO,EAGL,KAAK,0BAA0B,EAC/B,KAAK,oBAAoB,EAC1B,MAAM,6BAA6B,CAAC;AAkIrC,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,SAAS,cAAc,EAAE,EACjC,WAAW,EAAE,SAAS,oBAAoB,EAAE,EAC5C,OAAO,GAAE,0BAA0B,GAAG;IAAE,KAAK,CAAC,EAAE,GAAG,CAAA;CAAO,GACzD;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAO7C;AAmiCD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,sBAAsB;IACrC,+DAA+D;IAC/D,OAAO,CAAC,EACJ,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9C,wCAAwC;IACxC,OAAO,CAAC,EACJ,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9C,mEAAmE;IACnE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qDAAqD;IACrD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;sDAGkD;IAClD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,MAAM,CAAC,EACH,OAAO,0BAA0B,EAAE,WAAW,GAC9C,MAAM,GACN;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC;IACtD,qDAAqD;IACrD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,+DAA+D;IAC/D,gBAAgB,CAAC,EACb,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;IAClD,kFAAkF;IAClF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;;;;;;OASG;IACH,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACtE;;;;;;;;;;;;;;OAcG;IACH,YAAY,CAAC,EAAE,CACb,KAAK,EAAE,GAAG,EACV,KAAK,EAAE,MAAM,KACV,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC5C;;;;;;;;;;;;;;OAcG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;;;;;;;;OAaG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB;;;;;;;;;;;;;;;;;;OAkBG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAowBD,wBAAgB,qBAAqB,CACnC,OAAO,CAAC,EAAE,sBAAsB,GAC/B,cAAc,CA6gFhB;AAED;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,EAAE,cAAwC,CAAC;AAa9E,yEAAyE;AACzE,wBAAgB,mBAAmB,IAAI,gBAAgB,GAAG,IAAI,CAE7D"}
1
+ {"version":3,"file":"agent-chat-plugin.d.ts","sourceRoot":"","sources":["../../src/server/agent-chat-plugin.ts"],"names":[],"mappings":"AAaA,OAAO,EAUL,KAAK,WAAW,EACjB,MAAM,8BAA8B,CAAC;AAKtC,OAAO,KAAK,EACV,cAAc,EAEd,eAAe,EAEhB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,gBAAgB,EAUjB,MAAM,wBAAwB,CAAC;AA6ChC,OAAO,EAGL,KAAK,0BAA0B,EAC/B,KAAK,oBAAoB,EAC1B,MAAM,6BAA6B,CAAC;AAkIrC,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,SAAS,cAAc,EAAE,EACjC,WAAW,EAAE,SAAS,oBAAoB,EAAE,EAC5C,OAAO,GAAE,0BAA0B,GAAG;IAAE,KAAK,CAAC,EAAE,GAAG,CAAA;CAAO,GACzD;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAO7C;AAmiCD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,sBAAsB;IACrC,+DAA+D;IAC/D,OAAO,CAAC,EACJ,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9C,wCAAwC;IACxC,OAAO,CAAC,EACJ,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9C,mEAAmE;IACnE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qDAAqD;IACrD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;sDAGkD;IAClD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,MAAM,CAAC,EACH,OAAO,0BAA0B,EAAE,WAAW,GAC9C,MAAM,GACN;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC;IACtD,qDAAqD;IACrD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,+DAA+D;IAC/D,gBAAgB,CAAC,EACb,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;IAClD,kFAAkF;IAClF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;;;;;;OASG;IACH,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACtE;;;;;;;;;;;;;;OAcG;IACH,YAAY,CAAC,EAAE,CACb,KAAK,EAAE,GAAG,EACV,KAAK,EAAE,MAAM,KACV,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC5C;;;;;;;;;;;;;;OAcG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;;;;;;;;OAaG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB;;;;;;;;;;;;;;;;;;OAkBG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAowBD,wBAAgB,qBAAqB,CACnC,OAAO,CAAC,EAAE,sBAAsB,GAC/B,cAAc,CAo/EhB;AAED;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,EAAE,cAAwC,CAAC;AAa9E,yEAAyE;AACzE,wBAAgB,mBAAmB,IAAI,gBAAgB,GAAG,IAAI,CAE7D"}