@agent-native/core 0.8.2 → 0.9.1
- package/dist/agent/run-manager.d.ts +10 -0
- package/dist/agent/run-manager.d.ts.map +1 -1
- package/dist/agent/run-manager.js +77 -4
- package/dist/agent/run-manager.js.map +1 -1
- package/dist/agent/run-store.d.ts +4 -1
- package/dist/agent/run-store.d.ts.map +1 -1
- package/dist/agent/run-store.js +6 -5
- package/dist/agent/run-store.js.map +1 -1
- package/dist/cli/create.d.ts +9 -0
- package/dist/cli/create.d.ts.map +1 -1
- package/dist/cli/create.js +13 -1
- package/dist/cli/create.js.map +1 -1
- package/dist/cli/index.js +177 -22
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/workspace-dev.js +66 -5
- package/dist/cli/workspace-dev.js.map +1 -1
- package/dist/client/AgentPanel.d.ts.map +1 -1
- package/dist/client/AgentPanel.js +1 -1
- package/dist/client/AgentPanel.js.map +1 -1
- package/dist/client/AssistantChat.d.ts.map +1 -1
- package/dist/client/AssistantChat.js +38 -84
- package/dist/client/AssistantChat.js.map +1 -1
- package/dist/client/agent-chat-adapter.d.ts.map +1 -1
- package/dist/client/agent-chat-adapter.js +122 -15
- package/dist/client/agent-chat-adapter.js.map +1 -1
- package/dist/client/analytics.d.ts +14 -0
- package/dist/client/analytics.d.ts.map +1 -1
- package/dist/client/analytics.js +34 -0
- package/dist/client/analytics.js.map +1 -1
- package/dist/client/components/PresenceBar.d.ts.map +1 -1
- package/dist/client/components/PresenceBar.js +21 -15
- package/dist/client/components/PresenceBar.js.map +1 -1
- package/dist/client/composer/ComposerPlusMenu.d.ts.map +1 -1
- package/dist/client/composer/ComposerPlusMenu.js +12 -11
- package/dist/client/composer/ComposerPlusMenu.js.map +1 -1
- package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
- package/dist/client/composer/TiptapComposer.js +5 -4
- package/dist/client/composer/TiptapComposer.js.map +1 -1
- package/dist/client/composer/VoiceButton.d.ts.map +1 -1
- package/dist/client/composer/VoiceButton.js +9 -8
- package/dist/client/composer/VoiceButton.js.map +1 -1
- package/dist/client/dev-overlay/DevOverlay.d.ts.map +1 -1
- package/dist/client/dev-overlay/DevOverlay.js +4 -3
- package/dist/client/dev-overlay/DevOverlay.js.map +1 -1
- package/dist/client/extensions/EmbeddedExtension.d.ts.map +1 -1
- package/dist/client/extensions/EmbeddedExtension.js +2 -1
- package/dist/client/extensions/EmbeddedExtension.js.map +1 -1
- package/dist/client/extensions/ExtensionEditor.d.ts.map +1 -1
- package/dist/client/extensions/ExtensionEditor.js +2 -1
- package/dist/client/extensions/ExtensionEditor.js.map +1 -1
- package/dist/client/extensions/ExtensionSlot.d.ts.map +1 -1
- package/dist/client/extensions/ExtensionSlot.js +2 -1
- package/dist/client/extensions/ExtensionSlot.js.map +1 -1
- package/dist/client/extensions/ExtensionViewer.d.ts.map +1 -1
- package/dist/client/extensions/ExtensionViewer.js +4 -3
- package/dist/client/extensions/ExtensionViewer.js.map +1 -1
- package/dist/client/extensions/ExtensionsSidebarSection.d.ts.map +1 -1
- package/dist/client/extensions/ExtensionsSidebarSection.js +10 -9
- package/dist/client/extensions/ExtensionsSidebarSection.js.map +1 -1
- package/dist/client/index.d.ts +2 -1
- package/dist/client/index.d.ts.map +1 -1
- package/dist/client/index.js +2 -1
- package/dist/client/index.js.map +1 -1
- package/dist/client/integrations/IntegrationCard.d.ts.map +1 -1
- package/dist/client/integrations/IntegrationCard.js +2 -1
- package/dist/client/integrations/IntegrationCard.js.map +1 -1
- package/dist/client/integrations/IntegrationsPanel.d.ts.map +1 -1
- package/dist/client/integrations/IntegrationsPanel.js +3 -2
- package/dist/client/integrations/IntegrationsPanel.js.map +1 -1
- package/dist/client/onboarding/OnboardingPanel.d.ts.map +1 -1
- package/dist/client/onboarding/OnboardingPanel.js +3 -2
- package/dist/client/onboarding/OnboardingPanel.js.map +1 -1
- package/dist/client/onboarding/SetupButton.d.ts.map +1 -1
- package/dist/client/onboarding/SetupButton.js +14 -13
- package/dist/client/onboarding/SetupButton.js.map +1 -1
- package/dist/client/org/InvitationBanner.d.ts +8 -2
- package/dist/client/org/InvitationBanner.d.ts.map +1 -1
- package/dist/client/org/InvitationBanner.js +27 -6
- package/dist/client/org/InvitationBanner.js.map +1 -1
- package/dist/client/org/OrgSwitcher.d.ts.map +1 -1
- package/dist/client/org/OrgSwitcher.js +29 -5
- package/dist/client/org/OrgSwitcher.js.map +1 -1
- package/dist/client/org/TeamPage.d.ts.map +1 -1
- package/dist/client/org/TeamPage.js +7 -6
- package/dist/client/org/TeamPage.js.map +1 -1
- package/dist/client/resources/ResourceEditor.d.ts.map +1 -1
- package/dist/client/resources/ResourceEditor.js +2 -1
- package/dist/client/resources/ResourceEditor.js.map +1 -1
- package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
- package/dist/client/resources/ResourcesPanel.js +9 -9
- package/dist/client/resources/ResourcesPanel.js.map +1 -1
- package/dist/client/settings/AgentsSection.d.ts.map +1 -1
- package/dist/client/settings/AgentsSection.js +8 -7
- package/dist/client/settings/AgentsSection.js.map +1 -1
- package/dist/client/settings/AutomationsSection.d.ts.map +1 -1
- package/dist/client/settings/AutomationsSection.js +4 -3
- package/dist/client/settings/AutomationsSection.js.map +1 -1
- package/dist/client/settings/SecretsSection.d.ts.map +1 -1
- package/dist/client/settings/SecretsSection.js +2 -1
- package/dist/client/settings/SecretsSection.js.map +1 -1
- package/dist/client/settings/SettingsPanel.d.ts.map +1 -1
- package/dist/client/settings/SettingsPanel.js +3 -2
- package/dist/client/settings/SettingsPanel.js.map +1 -1
- package/dist/client/settings/index.d.ts +1 -1
- package/dist/client/settings/index.d.ts.map +1 -1
- package/dist/client/settings/index.js.map +1 -1
- package/dist/client/sse-event-processor.d.ts.map +1 -1
- package/dist/client/sse-event-processor.js +45 -4
- package/dist/client/sse-event-processor.js.map +1 -1
- package/dist/client/use-session.d.ts.map +1 -1
- package/dist/client/use-session.js +14 -2
- package/dist/client/use-session.js.map +1 -1
- package/dist/collab/client.d.ts +1 -0
- package/dist/collab/client.d.ts.map +1 -1
- package/dist/collab/client.js +18 -1
- package/dist/collab/client.js.map +1 -1
- package/dist/org/auto-join-domain.d.ts +28 -0
- package/dist/org/auto-join-domain.d.ts.map +1 -0
- package/dist/org/auto-join-domain.js +92 -0
- package/dist/org/auto-join-domain.js.map +1 -0
- package/dist/org/index.d.ts +2 -0
- package/dist/org/index.d.ts.map +1 -1
- package/dist/org/index.js +1 -0
- package/dist/org/index.js.map +1 -1
- package/dist/scripts/db/exec.d.ts.map +1 -1
- package/dist/scripts/db/exec.js +27 -1
- package/dist/scripts/db/exec.js.map +1 -1
- package/dist/scripts/db/index.d.ts.map +1 -1
- package/dist/scripts/db/index.js +1 -0
- package/dist/scripts/db/index.js.map +1 -1
- package/dist/scripts/db/reset-dev-owner.d.ts +27 -0
- package/dist/scripts/db/reset-dev-owner.d.ts.map +1 -0
- package/dist/scripts/db/reset-dev-owner.js +225 -0
- package/dist/scripts/db/reset-dev-owner.js.map +1 -0
- package/dist/scripts/db/scoping.d.ts.map +1 -1
- package/dist/scripts/db/scoping.js +15 -30
- package/dist/scripts/db/scoping.js.map +1 -1
- package/dist/scripts/dev-session.d.ts +46 -0
- package/dist/scripts/dev-session.d.ts.map +1 -0
- package/dist/scripts/dev-session.js +81 -0
- package/dist/scripts/dev-session.js.map +1 -0
- package/dist/scripts/runner.d.ts.map +1 -1
- package/dist/scripts/runner.js +21 -0
- package/dist/scripts/runner.js.map +1 -1
- package/dist/secrets/register.d.ts +1 -1
- package/dist/secrets/register.d.ts.map +1 -1
- package/dist/secrets/register.js +4 -2
- package/dist/secrets/register.js.map +1 -1
- package/dist/secrets/routes.d.ts.map +1 -1
- package/dist/secrets/routes.js +32 -0
- package/dist/secrets/routes.js.map +1 -1
- package/dist/server/better-auth-instance.d.ts.map +1 -1
- package/dist/server/better-auth-instance.js +11 -0
- package/dist/server/better-auth-instance.js.map +1 -1
- package/dist/server/core-routes-plugin.d.ts.map +1 -1
- package/dist/server/core-routes-plugin.js +56 -13
- package/dist/server/core-routes-plugin.js.map +1 -1
- package/dist/server/credential-provider.d.ts +47 -4
- package/dist/server/credential-provider.d.ts.map +1 -1
- package/dist/server/credential-provider.js +105 -29
- package/dist/server/credential-provider.js.map +1 -1
- package/dist/server/design-token-utils.d.ts +13 -2
- package/dist/server/design-token-utils.d.ts.map +1 -1
- package/dist/server/design-token-utils.js +48 -16
- package/dist/server/design-token-utils.js.map +1 -1
- package/dist/server/onboarding-html.d.ts.map +1 -1
- package/dist/server/onboarding-html.js +97 -8
- package/dist/server/onboarding-html.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"routes.js","sourceRoot":"","sources":["../../src/secrets/routes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD;;;;;;;;;;;;;GAaG;AACH,KAAK,UAAU,uBAAuB,CACpC,KAAc,EACd,OAAe;IAEf,kEAAkE;IAClE,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,6CAA6C;IAC7C,IAAI,CAAC,GAAG,EAAE,KAAK;QAAE,OAAO,IAAI,CAAC;IAC7B,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC;AACtD,CAAC;AACD,OAAO,EAAE,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,iBAAiB,GAGlB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,sBAAsB,GAEvB,MAAM,cAAc,CAAC;AAwBtB,SAAS,uBAAuB,CAAC,OAAe,EAAE,WAAmB;IACnE,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW;QAAE,OAAO,OAAO,CAAC;IAC7C,OAAO,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AACvD,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc,EACd,MAAwB;IAExB,IAAI,CAAC,MAAM,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IACxC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,CAAC,OAAO,EAAE,KAAK;QAAE,OAAO,KAAK,CAAC;IAClC,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAC7C,MAAM,CAAC,aAAa,EACpB,OAAO,CAAC,KAAK,CACd,CAAC;IACF,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,wEAAwE;AACxE,KAAK,UAAU,cAAc,CAC3B,KAAc,EACd,KAAkB;IAElB,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;QAC9D,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;IACpC,CAAC;IACD,YAAY;IACZ,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,IAAI,GAAG,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;IAC9C,4EAA4E;IAC5E,0BAA0B;IAC
1B,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,OAAO,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAChE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;AACtE,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;QACtC,MAAM,OAAO,GAA0B,EAAE,CAAC;QAE1C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAwB;gBAChC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ;gBAC3B,MAAM,EAAE,OAAO;aAChB,CAAC;YAEF,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC5B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;gBAC1C,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;gBAC9C,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;oBACzB,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;wBACxD,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;oBACtC,CAAC;oBAAC,MAAM,CAAC;wBACP,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC;oBACxB,CAAC;gBACH,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YAED,kDAAkD;YAClD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC;gBAClC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,OAAO;aACR,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;YACrB,IAAI,IAAI,EAAE,CAAC;gBACT,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;gBACpB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;YAClC,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,yDAAyD;AACzD
,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAEvC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,OAAO,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,OAAO,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,KAAc,EAAE,MAAwB;IACjE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,2CAA2C,MAAM,CAAC,eAAe,IAAI,gBAAgB,UAAU;SACrH,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAEpD,CAAC;IAEF,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,IACE,MAAM,CAAC,KAAK,KAAK,WAAW;QAC5B,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,sEAAsE;SACzE,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAA
C,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO,EAAE,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC;YACxD,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;gBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;gBACnC,CAAC,CAAC,iBAAiB,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;aAC/C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,oDAAoD;QACpD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE;YACzC,CAAC,CAAC,uBAAuB,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACrC,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAc,EAAE,MAAwB;IAClE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,mEAAmE;SACzF,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IACD,IACE,MAAM,CAAC,KAAK,KAAK,WAAW;QAC5B,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,yEAAyE;SAC5E,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC;QACpC,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO;KACR,CAAC,CAAC;IACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD
,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QACD,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC5B,iDAAiD;YACjD,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,KAAK,CAC3D,GAAG,EAAE,CAAC,KAAK,CACZ,CAAC;YACF,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC;QACrB,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,yBAAyB,EAAE,CAAC;QACvD,CAAC;QACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;YACjC,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO;SACR,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpD,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC;iBAClD,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;gBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;gBACnC,CAAC,CAAC,iBAAiB,CAAC;YACxB,OAAO;gBACL,EAAE
,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC;aACtD,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAiBD,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAE7C,SAAS,aAAa,CAAC,IAAgB;IACrC,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,GAAG;QACd,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAErC,IAAI,MAAM,KAAK,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/B,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC;YAChC,OAAO,iBAAiB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACxC,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,KAAc;IAC3C,MAAM,KAAK,GAAgB,MAAM,CAAC;IAClC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,mBAAmB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACpE,MAAM,QAAQ,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/D,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,gBAAgB,CAAC,OAAO;QAC5C,CAAC,CAAC,MAAM,sBAAsB,CAAC,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC;QACrE,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,OAAO,GAAyB,EAAE,CAAC;IACzC,KAAK,MAAM,GAAG,IAAI,CAAC,GAAG,QAAQ,EAAE,GAAG,aAAa,CAAC,EAAE,CAAC;QAClD,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QACtC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC
,KAAc;IAC5C,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAMpD,CAAC;IAEF,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACnE,IAAI,CAAC,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,gFAAgF;SACnF,CAAC;IACJ,CAAC;IACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,IAAI,8DAA8D,IAAI,UAAU;SAC5F,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,KAAK,GAAgB,IAAI,CAAC,KAAK,KAAK,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC;IAE7E,MAAM,WAAW,GACf,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE;QAC7D,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE;QACzB,CAAC,CAAC,SAAS,CAAC;IAEhB,IAAI,gBAAoC,CAAC;IACzC,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,IAAI,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;QAClE,MAAM,UAAU,GAAG,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5D,IAAI,UAAU,CAAC,EAAE,KAAK,KAAK,EAAE,CAAC;YAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QACD,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,IACE,KAAK,KAAK,WAAW;QACrB,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,sEAAsE;SACzE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,IAAI;YACT,KAAK;YACL,KAAK;YACL,OAAO;YACP,WAAW;YACX,YAAY,EAAE,gBAAgB;SAC/B,CAAC,CAAC;IACL,CAAC;IAAC,
OAAO,GAAG,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE;YACzC,CAAC,CAAC,uBAAuB,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,KAAc,EAAE,IAAY;IAC3D,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,IAAI,oEAAoE;SACpF,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAgB,MAAM,CAAC;IAClC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IACrE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,2EAA2E;QAC3E,yEAAyE;QACzE,0EAA0E;QAC1E,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QAClE,IAAI,gBAAgB,CAAC,OAAO,EAAE,CAAC;YAC7B,IAAI,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBACtE,kEAAkE;gBAClE,gEAAgE;gBAChE,sDAAsD;gBACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YACtC,CAAC;YACD,MAAM,gBAAgB,GAAG,MAAM,eAAe,CAAC;gBAC7C,GAAG,EAAE,IAAI;gBACT,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,gBAAgB,CAAC,OAAO;aAClC,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;SACzC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC3B,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,OAAO,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9D,CAAC;AAED,SAAS,qBAAqB,CAC5B,KAAc
;IAEd,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;QACxE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,0CAA0C,EAAE,CAAC;IAC1E,CAAC;IAED,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QACzB,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,IAAI,GAAQ,CAAC;QACb,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,KAAK,sBAAsB;aAC1D,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAC1D,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,KAAK,0BAA0B;aAC9D,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,sFAAsF;AACtF,SAAS,mBAAmB,CAC1B,KAAc,EACd,OAA4B,EAAE;IAE9B,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;SACzC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QACxE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC","sourcesContent":["/**\n * H3 event handlers for the framework secrets registry.\n *\n * Mounted under `/_agent-native/secrets/*` by `core-routes-plugin`.\n *\n * NEVER return a secret's plain-text value from any of these handlers.\n */\n\nimport {\n defineEventHandler,\n getMethod,\n setResponseStatus,\n type H3Event,\n} from \"h3\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport { getSession } from \"../server/auth.js\";\nimport { getOrgContext } from \"../org/context.js\";\n\n/**\n * Workspace-scoped secret writes/deletes are 
deployment-wide for every\n * org member who shares the resolved scopeId — a curious or malicious\n * member could otherwise overwrite `OPENAI_API_KEY` (or any unregistered\n * key) with their own value, redirecting every other member's automations\n * through their key for skimming, billing abuse, or DoS by deletion.\n *\n * Allow workspace-scope writes only for org owners/admins. The \"solo\"\n * fallback scopeId (`solo:<email>`) is single-user, so it bypasses the\n * check. A normal session with no active org also passes — there's no\n * privilege gradient to enforce in that case.\n *\n * Returns true if the request is allowed to write/delete this scope.\n */\nasync function canMutateWorkspaceScope(\n event: H3Event,\n scopeId: string,\n): Promise<boolean> {\n // Solo / dev fallback scope — single user, no privilege gradient.\n if (scopeId.startsWith(\"solo:\")) return true;\n const ctx = await getOrgContext(event).catch(() => null);\n // No active org — single-tenant flow, allow.\n if (!ctx?.orgId) return true;\n return ctx.role === \"owner\" || ctx.role === \"admin\";\n}\nimport { listOAuthAccountsByOwner } from \"../oauth-tokens/store.js\";\nimport {\n listRequiredSecrets,\n getRequiredSecret,\n type RegisteredSecret,\n type SecretScope,\n} from \"./register.js\";\nimport {\n writeAppSecret,\n deleteAppSecret,\n getAppSecretMeta,\n readAppSecret,\n listAppSecretsForScope,\n type SecretMeta,\n} from \"./storage.js\";\n\nexport interface SecretStatusPayload {\n key: string;\n label: string;\n description?: string;\n docsUrl?: string;\n scope: SecretScope;\n kind: \"api-key\" | \"oauth\";\n required: boolean;\n /** \"set\" = value present; \"unset\" = not configured; \"invalid\" = validator failed. */\n status: \"set\" | \"unset\" | \"invalid\";\n /** Last 4 chars — only populated when status === \"set\" for api-key kind. */\n last4?: string;\n /** Timestamp (ms) of the last write — only populated when status === \"set\". 
*/\n updatedAt?: number;\n /** OAuth-kind: the provider id backing this secret. */\n oauthProvider?: string;\n /** OAuth-kind: url the Connect button should point at. */\n oauthConnectUrl?: string;\n /** Validator error message if status === \"invalid\". */\n error?: string;\n}\n\nfunction redactSecretFromMessage(message: string, secretValue: string): string {\n if (!message || !secretValue) return message;\n return message.split(secretValue).join(\"[redacted]\");\n}\n\nasync function hasOAuthSecretForEvent(\n event: H3Event,\n secret: RegisteredSecret,\n): Promise<boolean> {\n if (!secret.oauthProvider) return false;\n const session = await getSession(event).catch(() => null);\n if (!session?.email) return false;\n const accounts = await listOAuthAccountsByOwner(\n secret.oauthProvider,\n session.email,\n );\n return accounts.length > 0;\n}\n\n/** Resolve the scopeId for a given scope, given the current session. */\nasync function resolveScopeId(\n event: H3Event,\n scope: SecretScope,\n): Promise<{ scopeId: string | null; reason?: string }> {\n if (scope === \"user\") {\n const session = await getSession(event).catch(() => null);\n if (!session?.email) {\n return { scopeId: null, reason: \"Authentication required\" };\n }\n return { scopeId: session.email };\n }\n // workspace\n const ctx = await getOrgContext(event).catch(() => null);\n if (ctx?.orgId) return { scopeId: ctx.orgId };\n // Fall back to session email in solo/dev mode so secrets still work without\n // an active organisation.\n const session = await getSession(event).catch(() => null);\n if (session?.email) return { scopeId: `solo:${session.email}` };\n return { scopeId: null, reason: \"No workspace or session context\" };\n}\n\n/** GET /_agent-native/secrets — list registered secrets with status. 
*/\nexport function createListSecretsHandler() {\n return defineEventHandler(async (event: H3Event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const secrets = listRequiredSecrets();\n const payload: SecretStatusPayload[] = [];\n\n for (const secret of secrets) {\n const base: SecretStatusPayload = {\n key: secret.key,\n label: secret.label,\n description: secret.description,\n docsUrl: secret.docsUrl,\n scope: secret.scope,\n kind: secret.kind,\n required: !!secret.required,\n status: \"unset\",\n };\n\n if (secret.kind === \"oauth\") {\n base.oauthProvider = secret.oauthProvider;\n base.oauthConnectUrl = secret.oauthConnectUrl;\n if (secret.oauthProvider) {\n try {\n const has = await hasOAuthSecretForEvent(event, secret);\n base.status = has ? \"set\" : \"unset\";\n } catch {\n base.status = \"unset\";\n }\n }\n payload.push(base);\n continue;\n }\n\n // api-key: look up the stored row in app_secrets.\n const { scopeId } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n payload.push(base);\n continue;\n }\n const meta = await getAppSecretMeta({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n }).catch(() => null);\n if (meta) {\n base.status = \"set\";\n base.last4 = meta.last4;\n base.updatedAt = meta.updatedAt;\n }\n payload.push(base);\n }\n\n return payload;\n });\n}\n\n/** POST /_agent-native/secrets/:key — write a secret. 
*/\nexport function createWriteSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n const method = getMethod(event);\n const key = extractKeyFromEvent(event);\n\n if (!key) {\n setResponseStatus(event, 400);\n return { error: \"Secret key required\" };\n }\n\n const secret = getRequiredSecret(key);\n if (!secret) {\n setResponseStatus(event, 404);\n return { error: `Secret \"${key}\" is not registered` };\n }\n\n if (method === \"POST\" || method === \"PUT\") {\n return handleWrite(event, secret);\n }\n if (method === \"DELETE\") {\n return handleDelete(event, secret);\n }\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n });\n}\n\nasync function handleWrite(event: H3Event, secret: RegisteredSecret) {\n if (secret.kind === \"oauth\") {\n setResponseStatus(event, 400);\n return {\n error: `\"${secret.key}\" is an OAuth-kind secret — connect via ${secret.oauthConnectUrl ?? \"the OAuth flow\"} instead`,\n };\n }\n const body = (await readBody(event).catch(() => ({}))) as {\n value?: unknown;\n };\n\n const value = typeof body.value === \"string\" ? body.value.trim() : \"\";\n if (!value) {\n setResponseStatus(event, 400);\n return { error: \"value is required\" };\n }\n\n const { scopeId, reason } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n if (\n secret.scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can set workspace-scoped secrets\",\n };\n }\n\n // Run validator if registered — return the validator's error on failure.\n if (secret.validator) {\n try {\n const result = await secret.validator(value);\n const ok = typeof result === \"boolean\" ? 
result : result?.ok === true;\n if (!ok) {\n setResponseStatus(event, 400);\n const err =\n typeof result === \"object\" && result && result.error\n ? String(result.error)\n : \"Validator rejected the value\";\n return { error: redactSecretFromMessage(err, value) };\n }\n } catch (err) {\n setResponseStatus(event, 400);\n const message =\n err instanceof Error\n ? `Validator threw: ${err.message}`\n : \"Validator threw\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n }\n\n try {\n await writeAppSecret({\n key: secret.key,\n value,\n scope: secret.scope,\n scopeId,\n });\n } catch (err) {\n // Scrub: never surface the value in any error path.\n setResponseStatus(event, 500);\n const message =\n err instanceof Error\n ? `Failed to save secret: ${err.message}`\n : \"Failed to save secret\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n\n return { ok: true, status: \"set\" };\n}\n\nasync function handleDelete(event: H3Event, secret: RegisteredSecret) {\n if (secret.kind === \"oauth\") {\n setResponseStatus(event, 400);\n return {\n error: `\"${secret.key}\" is an OAuth-kind secret — disconnect via the OAuth flow instead`,\n };\n }\n const { scopeId, reason } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n if (\n secret.scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can delete workspace-scoped secrets\",\n };\n }\n const removed = await deleteAppSecret({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n });\n return { ok: true, removed };\n}\n\n/**\n * POST /_agent-native/secrets/:key/test — re-run the validator against the\n * current stored value without changing anything. 
Useful for the \"Test\" button.\n */\nexport function createTestSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const key = extractKeyFromEvent(event, { suffix: \"/test\" });\n if (!key) {\n setResponseStatus(event, 400);\n return { error: \"Secret key required\" };\n }\n const secret = getRequiredSecret(key);\n if (!secret) {\n setResponseStatus(event, 404);\n return { error: `Secret \"${key}\" is not registered` };\n }\n if (secret.kind === \"oauth\") {\n // For OAuth we just report whether tokens exist.\n const has = await hasOAuthSecretForEvent(event, secret).catch(\n () => false,\n );\n return { ok: has };\n }\n if (!secret.validator) {\n return { ok: true, note: \"No validator registered\" };\n }\n const { scopeId } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: \"Unable to resolve scope\" };\n }\n const stored = await readAppSecret({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n });\n if (!stored) {\n setResponseStatus(event, 404);\n return { error: \"No value stored\" };\n }\n try {\n const result = await secret.validator(stored.value);\n const ok = typeof result === \"boolean\" ? result : result?.ok === true;\n if (!ok) {\n const err =\n typeof result === \"object\" && result && result.error\n ? String(result.error)\n : \"Validator rejected the value\";\n return {\n ok: false,\n error: redactSecretFromMessage(err, stored.value),\n };\n }\n return { ok: true };\n } catch (err) {\n const message =\n err instanceof Error\n ? 
`Validator threw: ${err.message}`\n : \"Validator threw\";\n return {\n ok: false,\n error: redactSecretFromMessage(message, stored.value),\n };\n }\n });\n}\n\n// ---------------------------------------------------------------------------\n// Ad-hoc secrets — user-/agent-created keys not in the registry\n// ---------------------------------------------------------------------------\n\nexport interface AdHocSecretPayload {\n name: string;\n scope: SecretScope;\n scopeId: string;\n description: string | null;\n last4: string;\n urlAllowlist: string[] | null;\n createdAt: number;\n updatedAt: number;\n}\n\nconst AD_HOC_NAME_REGEX = /^[A-Za-z0-9_-]+$/;\n\nfunction metaToPayload(meta: SecretMeta): AdHocSecretPayload {\n return {\n name: meta.key,\n scope: meta.scope,\n scopeId: meta.scopeId,\n description: meta.description,\n last4: meta.last4,\n urlAllowlist: meta.urlAllowlist,\n createdAt: meta.createdAt,\n updatedAt: meta.updatedAt,\n };\n}\n\n/**\n * Handler for `/_agent-native/secrets/adhoc[/:name]`.\n *\n * - GET (no name) — list all ad-hoc keys for the user's scope\n * - POST (no name) — create or update an ad-hoc key\n * - DELETE (with name) — delete an ad-hoc key\n *\n * Ad-hoc keys are arbitrary named secrets users or the agent create at\n * runtime for automation use (e.g. 
\"SLACK_WEBHOOK\", \"HUBSPOT_API_KEY\").\n * They differ from registered secrets (`registerRequiredSecret`) in that\n * they have no template-defined metadata, validator, or onboarding step.\n */\nexport function createAdHocSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n const method = getMethod(event);\n const name = extractAdHocName(event);\n\n if (method === \"GET\" && !name) {\n return handleAdHocList(event);\n }\n if (method === \"POST\" && !name) {\n return handleAdHocWrite(event);\n }\n if (method === \"DELETE\" && name) {\n return handleAdHocDelete(event, name);\n }\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n });\n}\n\nasync function handleAdHocList(event: H3Event) {\n const scope: SecretScope = \"user\";\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n const registered = new Set(listRequiredSecrets().map((s) => s.key));\n const userRows = await listAppSecretsForScope(\"user\", scopeId);\n const workspaceContext = await resolveScopeId(event, \"workspace\");\n const workspaceRows = workspaceContext.scopeId\n ? await listAppSecretsForScope(\"workspace\", workspaceContext.scopeId)\n : [];\n\n const payload: AdHocSecretPayload[] = [];\n for (const row of [...userRows, ...workspaceRows]) {\n if (registered.has(row.key)) continue;\n payload.push(metaToPayload(row));\n }\n return payload;\n}\n\nasync function handleAdHocWrite(event: H3Event) {\n const body = (await readBody(event).catch(() => ({}))) as {\n name?: unknown;\n value?: unknown;\n description?: unknown;\n scope?: unknown;\n urlAllowlist?: unknown;\n };\n\n const name = typeof body.name === \"string\" ? 
body.name.trim() : \"\";\n if (!name || !AD_HOC_NAME_REGEX.test(name)) {\n setResponseStatus(event, 400);\n return {\n error:\n \"name is required and may only contain letters, digits, underscores, and dashes\",\n };\n }\n if (getRequiredSecret(name)) {\n setResponseStatus(event, 400);\n return {\n error: `\"${name}\" is a registered secret — use POST /_agent-native/secrets/${name} instead`,\n };\n }\n\n const value = typeof body.value === \"string\" ? body.value.trim() : \"\";\n if (!value) {\n setResponseStatus(event, 400);\n return { error: \"value is required\" };\n }\n\n const scope: SecretScope = body.scope === \"workspace\" ? \"workspace\" : \"user\";\n\n const description =\n typeof body.description === \"string\" && body.description.trim()\n ? body.description.trim()\n : undefined;\n\n let urlAllowlistJson: string | undefined;\n if (body.urlAllowlist !== undefined && body.urlAllowlist !== null) {\n const normalized = normalizeUrlAllowlist(body.urlAllowlist);\n if (normalized.ok === false) {\n setResponseStatus(event, 400);\n return { error: normalized.error };\n }\n urlAllowlistJson = JSON.stringify(normalized.origins);\n }\n\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n if (\n scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can set workspace-scoped secrets\",\n };\n }\n\n try {\n await writeAppSecret({\n key: name,\n value,\n scope,\n scopeId,\n description,\n urlAllowlist: urlAllowlistJson,\n });\n } catch (err) {\n setResponseStatus(event, 500);\n const message =\n err instanceof Error\n ? 
`Failed to save secret: ${err.message}`\n : \"Failed to save secret\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n\n return { ok: true, key: name };\n}\n\nasync function handleAdHocDelete(event: H3Event, name: string) {\n if (getRequiredSecret(name)) {\n setResponseStatus(event, 400);\n return {\n error: `\"${name}\" is a registered secret — delete via the registered route instead`,\n };\n }\n const scope: SecretScope = \"user\";\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n const removed = await deleteAppSecret({ key: name, scope, scopeId });\n if (!removed) {\n // Fall back to workspace scope so the agent / UI can clean up shared keys.\n // Gate the fallback behind the org-admin check so a regular member can't\n // DoS every other member's automations by deleting shared workspace keys.\n const workspaceContext = await resolveScopeId(event, \"workspace\");\n if (workspaceContext.scopeId) {\n if (!(await canMutateWorkspaceScope(event, workspaceContext.scopeId))) {\n // No-op silently for non-admins — the user-scope row didn't exist\n // and they don't have permission to touch the workspace row, so\n // there's nothing to remove from their point of view.\n return { ok: true, removed: false };\n }\n const removedWorkspace = await deleteAppSecret({\n key: name,\n scope: \"workspace\",\n scopeId: workspaceContext.scopeId,\n });\n return { ok: true, removed: removedWorkspace };\n }\n }\n return { ok: true, removed };\n}\n\nfunction extractAdHocName(event: H3Event): string | null {\n const pathname = (event.url?.pathname || \"\")\n .replace(/^\\/+/, \"\")\n .replace(/\\/+$/, \"\");\n if (!pathname) return null;\n const parts = pathname.split(\"/\");\n // The router strips the `/secrets/adhoc` prefix, so `parts[0]` (if present)\n // is the name. 
When the request is the bare `/adhoc` listing, parts is empty.\n const candidate = parts[0];\n if (!candidate) return null;\n return AD_HOC_NAME_REGEX.test(candidate) ? candidate : null;\n}\n\nfunction normalizeUrlAllowlist(\n input: unknown,\n): { ok: true; origins: string[] } | { ok: false; error: string } {\n if (!Array.isArray(input) || !input.every((v) => typeof v === \"string\")) {\n return { ok: false, error: \"urlAllowlist must be an array of strings\" };\n }\n\n const origins: string[] = [];\n for (const raw of input) {\n const value = raw.trim();\n if (!value) continue;\n let url: URL;\n try {\n url = new URL(value);\n } catch {\n return {\n ok: false,\n error: `urlAllowlist entry \"${value}\" is not a valid URL`,\n };\n }\n if (url.protocol !== \"https:\" && url.protocol !== \"http:\") {\n return {\n ok: false,\n error: `urlAllowlist entry \"${value}\" must use http or https`,\n };\n }\n if (!origins.includes(url.origin)) origins.push(url.origin);\n }\n return { ok: true, origins };\n}\n\n/** Extract the key from `/:key` or `/:key/test` after the `/secrets` prefix strip. */\nfunction extractKeyFromEvent(\n event: H3Event,\n opts: { suffix?: string } = {},\n): string | null {\n const pathname = (event.url?.pathname || \"\")\n .replace(/^\\/+/, \"\")\n .replace(/\\/+$/, \"\");\n if (!pathname) return null;\n const parts = pathname.split(\"/\");\n if (opts.suffix === \"/test\") {\n if (parts.length < 2 || parts[parts.length - 1] !== \"test\") return null;\n return parts[0];\n }\n return parts[0];\n}\n"]}
|
|
1
|
+
{"version":3,"file":"routes.js","sourceRoot":"","sources":["../../src/secrets/routes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD;;;;;;;;;;;;;GAaG;AACH,KAAK,UAAU,uBAAuB,CACpC,KAAc,EACd,OAAe;IAEf,kEAAkE;IAClE,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,6CAA6C;IAC7C,IAAI,CAAC,GAAG,EAAE,KAAK;QAAE,OAAO,IAAI,CAAC;IAC7B,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC;AACtD,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,iBAAiB,CAC9B,KAAc,EACd,OAAe;IAEf,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG,EAAE,KAAK,IAAI,GAAG,CAAC,KAAK,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IACvD,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC;AACtD,CAAC;AACD,OAAO,EAAE,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,iBAAiB,GAGlB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,sBAAsB,GAEvB,MAAM,cAAc,CAAC;AAwBtB,SAAS,uBAAuB,CAAC,OAAe,EAAE,WAAmB;IACnE,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW;QAAE,OAAO,OAAO,CAAC;IAC7C,OAAO,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AACvD,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc,EACd,MAAwB;IAExB,IAAI,CAAC,MAAM,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IACxC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,CAAC,OAAO,EAAE,KAAK;QAAE,OAAO,KAAK,CAAC;IAClC,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAC7C,MAAM,CAAC,aAAa,EACpB,OAAO,CAAC,KAAK,CACd,CAAC;IACF,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,wEAAwE;AACxE,KAAK,UAAU,cAAc,CAC3B,KAAc,EACd,KAAkB;IAElB,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,OAAO,EAAE,OAAO,EAAE,IAAI
,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;QAC9D,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;IACpC,CAAC;IACD,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;QACpB,sEAAsE;QACtE,sEAAsE;QACtE,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QACzD,IAAI,GAAG,EAAE,KAAK;YAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;QAC9C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC;IAC7D,CAAC;IACD,YAAY;IACZ,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,IAAI,GAAG,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;IAC9C,4EAA4E;IAC5E,0BAA0B;IAC1B,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,OAAO,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAChE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;AACtE,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;QACtC,MAAM,OAAO,GAA0B,EAAE,CAAC;QAE1C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAwB;gBAChC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ;gBAC3B,MAAM,EAAE,OAAO;aAChB,CAAC;YAEF,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC5B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;gBAC1C,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;gBAC9C,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;oBACzB,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;wBACxD,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;oBACtC,CAAC;oBAAC,MAAM,CAAC;wBACP,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC;oBACxB,CAAC;gBACH,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YAED,kDAAkD;YAClD,MAAM,EAAE,
OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC;gBAClC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,OAAO;aACR,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;YACrB,IAAI,IAAI,EAAE,CAAC;gBACT,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;gBACpB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;YAClC,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAEvC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,OAAO,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,OAAO,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,KAAc,EAAE,MAAwB;IACjE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,2CAA2C,MAAM,CAAC,eAAe,IAAI,gBAAgB,UAAU;SACrH,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAEpD,CAAC;IAEF,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxC,CAAC;IAE
D,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,IACE,MAAM,CAAC,KAAK,KAAK,WAAW;QAC5B,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,sEAAsE;SACzE,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,KAAK,KAAK,IAAI,CAAC,CAAC,MAAM,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC;QACzE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,gEAAgE;SACxE,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO,EAAE,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC;YACxD,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;gBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;gBACnC,CAAC,CAAC,iBAAiB,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;aAC/C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,oDAAoD;QACpD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE;YACzC,CAAC,CAAC,uBAAuB,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACrC,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAc,EAAE,MAAwB;IAClE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC
5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,mEAAmE;SACzF,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IACD,IACE,MAAM,CAAC,KAAK,KAAK,WAAW;QAC5B,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,yEAAyE;SAC5E,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,KAAK,KAAK,IAAI,CAAC,CAAC,MAAM,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC;QACzE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,mEAAmE;SACtE,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC;QACpC,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO;KACR,CAAC,CAAC;IACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QACD,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC5B,iDAAiD;YACjD,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,KAAK,CAC3D,GAAG,EAAE,CAAC,KAAK,CACZ,CAAC;YACF,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC;QACrB,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,yBAAyB,EAAE,CAAC;QACvD,CAAC;QACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK
,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;YACjC,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO;SACR,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpD,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC;iBAClD,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;gBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;gBACnC,CAAC,CAAC,iBAAiB,CAAC;YACxB,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC;aACtD,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAiBD,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAE7C,SAAS,aAAa,CAAC,IAAgB;IACrC,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,GAAG;QACd,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAErC,IAAI,MAAM,KAAK,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/B,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC;YAChC,OAAO,iBAAiB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACxC,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC
9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,KAAc;IAC3C,MAAM,KAAK,GAAgB,MAAM,CAAC;IAClC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,mBAAmB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACpE,MAAM,QAAQ,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/D,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,gBAAgB,CAAC,OAAO;QAC5C,CAAC,CAAC,MAAM,sBAAsB,CAAC,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC;QACrE,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,OAAO,GAAyB,EAAE,CAAC;IACzC,KAAK,MAAM,GAAG,IAAI,CAAC,GAAG,QAAQ,EAAE,GAAG,aAAa,CAAC,EAAE,CAAC;QAClD,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QACtC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,KAAc;IAC5C,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAMpD,CAAC;IAEF,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACnE,IAAI,CAAC,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,gFAAgF;SACnF,CAAC;IACJ,CAAC;IACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,IAAI,8DAA8D,IAAI,UAAU;SAC5F,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,KAAK,GAAgB,IAAI,CAAC,KAAK,KAAK,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC;IAE7E,MAAM,WAAW,GACf,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE
;QAC7D,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE;QACzB,CAAC,CAAC,SAAS,CAAC;IAEhB,IAAI,gBAAoC,CAAC;IACzC,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,IAAI,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;QAClE,MAAM,UAAU,GAAG,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5D,IAAI,UAAU,CAAC,EAAE,KAAK,KAAK,EAAE,CAAC;YAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QACD,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,IACE,KAAK,KAAK,WAAW;QACrB,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,sEAAsE;SACzE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,IAAI;YACT,KAAK;YACL,KAAK;YACL,OAAO;YACP,WAAW;YACX,YAAY,EAAE,gBAAgB;SAC/B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE;YACzC,CAAC,CAAC,uBAAuB,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,KAAc,EAAE,IAAY;IAC3D,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,IAAI,oEAAoE;SACpF,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAgB,MAAM,CAAC;IAClC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IACrE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,2EAA2E;QAC3E,yEAAyE;QACzE,0EAA0E;QAC1E,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QAClE,IA
AI,gBAAgB,CAAC,OAAO,EAAE,CAAC;YAC7B,IAAI,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBACtE,kEAAkE;gBAClE,gEAAgE;gBAChE,sDAAsD;gBACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YACtC,CAAC;YACD,MAAM,gBAAgB,GAAG,MAAM,eAAe,CAAC;gBAC7C,GAAG,EAAE,IAAI;gBACT,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,gBAAgB,CAAC,OAAO;aAClC,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;SACzC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC3B,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,OAAO,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9D,CAAC;AAED,SAAS,qBAAqB,CAC5B,KAAc;IAEd,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;QACxE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,0CAA0C,EAAE,CAAC;IAC1E,CAAC;IAED,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QACzB,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,IAAI,GAAQ,CAAC;QACb,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,KAAK,sBAAsB;aAC1D,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAC1D,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,KAAK,0BAA0B;aAC9D,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,sFAAsF;AACtF,SAAS,mBAAmB,CAC1B,KAAc,EACd,OAA4B,EAAE;IAE9B,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,GAAG,
EAAE,QAAQ,IAAI,EAAE,CAAC;SACzC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QACxE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC","sourcesContent":["/**\n * H3 event handlers for the framework secrets registry.\n *\n * Mounted under `/_agent-native/secrets/*` by `core-routes-plugin`.\n *\n * NEVER return a secret's plain-text value from any of these handlers.\n */\n\nimport {\n defineEventHandler,\n getMethod,\n setResponseStatus,\n type H3Event,\n} from \"h3\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport { getSession } from \"../server/auth.js\";\nimport { getOrgContext } from \"../org/context.js\";\n\n/**\n * Workspace-scoped secret writes/deletes are deployment-wide for every\n * org member who shares the resolved scopeId — a curious or malicious\n * member could otherwise overwrite `OPENAI_API_KEY` (or any unregistered\n * key) with their own value, redirecting every other member's automations\n * through their key for skimming, billing abuse, or DoS by deletion.\n *\n * Allow workspace-scope writes only for org owners/admins. The \"solo\"\n * fallback scopeId (`solo:<email>`) is single-user, so it bypasses the\n * check. 
A normal session with no active org also passes — there's no\n * privilege gradient to enforce in that case.\n *\n * Returns true if the request is allowed to write/delete this scope.\n */\nasync function canMutateWorkspaceScope(\n event: H3Event,\n scopeId: string,\n): Promise<boolean> {\n // Solo / dev fallback scope — single user, no privilege gradient.\n if (scopeId.startsWith(\"solo:\")) return true;\n const ctx = await getOrgContext(event).catch(() => null);\n // No active org — single-tenant flow, allow.\n if (!ctx?.orgId) return true;\n return ctx.role === \"owner\" || ctx.role === \"admin\";\n}\n\n/**\n * Org-scoped secrets (`scope: \"org\"`) live alongside `workspace` scope but\n * are stricter: they always require an active org and an owner/admin role.\n * No solo fallback — if the caller has no org, an org-scoped write makes no\n * sense and we refuse rather than write to an ambiguous row.\n */\nasync function canMutateOrgScope(\n event: H3Event,\n scopeId: string,\n): Promise<boolean> {\n const ctx = await getOrgContext(event).catch(() => null);\n if (!ctx?.orgId || ctx.orgId !== scopeId) return false;\n return ctx.role === \"owner\" || ctx.role === \"admin\";\n}\nimport { listOAuthAccountsByOwner } from \"../oauth-tokens/store.js\";\nimport {\n listRequiredSecrets,\n getRequiredSecret,\n type RegisteredSecret,\n type SecretScope,\n} from \"./register.js\";\nimport {\n writeAppSecret,\n deleteAppSecret,\n getAppSecretMeta,\n readAppSecret,\n listAppSecretsForScope,\n type SecretMeta,\n} from \"./storage.js\";\n\nexport interface SecretStatusPayload {\n key: string;\n label: string;\n description?: string;\n docsUrl?: string;\n scope: SecretScope;\n kind: \"api-key\" | \"oauth\";\n required: boolean;\n /** \"set\" = value present; \"unset\" = not configured; \"invalid\" = validator failed. */\n status: \"set\" | \"unset\" | \"invalid\";\n /** Last 4 chars — only populated when status === \"set\" for api-key kind. 
*/\n last4?: string;\n /** Timestamp (ms) of the last write — only populated when status === \"set\". */\n updatedAt?: number;\n /** OAuth-kind: the provider id backing this secret. */\n oauthProvider?: string;\n /** OAuth-kind: url the Connect button should point at. */\n oauthConnectUrl?: string;\n /** Validator error message if status === \"invalid\". */\n error?: string;\n}\n\nfunction redactSecretFromMessage(message: string, secretValue: string): string {\n if (!message || !secretValue) return message;\n return message.split(secretValue).join(\"[redacted]\");\n}\n\nasync function hasOAuthSecretForEvent(\n event: H3Event,\n secret: RegisteredSecret,\n): Promise<boolean> {\n if (!secret.oauthProvider) return false;\n const session = await getSession(event).catch(() => null);\n if (!session?.email) return false;\n const accounts = await listOAuthAccountsByOwner(\n secret.oauthProvider,\n session.email,\n );\n return accounts.length > 0;\n}\n\n/** Resolve the scopeId for a given scope, given the current session. 
*/\nasync function resolveScopeId(\n event: H3Event,\n scope: SecretScope,\n): Promise<{ scopeId: string | null; reason?: string }> {\n if (scope === \"user\") {\n const session = await getSession(event).catch(() => null);\n if (!session?.email) {\n return { scopeId: null, reason: \"Authentication required\" };\n }\n return { scopeId: session.email };\n }\n if (scope === \"org\") {\n // Org-scoped secrets require an active org — there's no solo fallback\n // because an \"org\" key without an org would land in an ambiguous row.\n const ctx = await getOrgContext(event).catch(() => null);\n if (ctx?.orgId) return { scopeId: ctx.orgId };\n return { scopeId: null, reason: \"No active organization\" };\n }\n // workspace\n const ctx = await getOrgContext(event).catch(() => null);\n if (ctx?.orgId) return { scopeId: ctx.orgId };\n // Fall back to session email in solo/dev mode so secrets still work without\n // an active organisation.\n const session = await getSession(event).catch(() => null);\n if (session?.email) return { scopeId: `solo:${session.email}` };\n return { scopeId: null, reason: \"No workspace or session context\" };\n}\n\n/** GET /_agent-native/secrets — list registered secrets with status. 
*/\nexport function createListSecretsHandler() {\n return defineEventHandler(async (event: H3Event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const secrets = listRequiredSecrets();\n const payload: SecretStatusPayload[] = [];\n\n for (const secret of secrets) {\n const base: SecretStatusPayload = {\n key: secret.key,\n label: secret.label,\n description: secret.description,\n docsUrl: secret.docsUrl,\n scope: secret.scope,\n kind: secret.kind,\n required: !!secret.required,\n status: \"unset\",\n };\n\n if (secret.kind === \"oauth\") {\n base.oauthProvider = secret.oauthProvider;\n base.oauthConnectUrl = secret.oauthConnectUrl;\n if (secret.oauthProvider) {\n try {\n const has = await hasOAuthSecretForEvent(event, secret);\n base.status = has ? \"set\" : \"unset\";\n } catch {\n base.status = \"unset\";\n }\n }\n payload.push(base);\n continue;\n }\n\n // api-key: look up the stored row in app_secrets.\n const { scopeId } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n payload.push(base);\n continue;\n }\n const meta = await getAppSecretMeta({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n }).catch(() => null);\n if (meta) {\n base.status = \"set\";\n base.last4 = meta.last4;\n base.updatedAt = meta.updatedAt;\n }\n payload.push(base);\n }\n\n return payload;\n });\n}\n\n/** POST /_agent-native/secrets/:key — write a secret. 
*/\nexport function createWriteSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n const method = getMethod(event);\n const key = extractKeyFromEvent(event);\n\n if (!key) {\n setResponseStatus(event, 400);\n return { error: \"Secret key required\" };\n }\n\n const secret = getRequiredSecret(key);\n if (!secret) {\n setResponseStatus(event, 404);\n return { error: `Secret \"${key}\" is not registered` };\n }\n\n if (method === \"POST\" || method === \"PUT\") {\n return handleWrite(event, secret);\n }\n if (method === \"DELETE\") {\n return handleDelete(event, secret);\n }\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n });\n}\n\nasync function handleWrite(event: H3Event, secret: RegisteredSecret) {\n if (secret.kind === \"oauth\") {\n setResponseStatus(event, 400);\n return {\n error: `\"${secret.key}\" is an OAuth-kind secret — connect via ${secret.oauthConnectUrl ?? \"the OAuth flow\"} instead`,\n };\n }\n const body = (await readBody(event).catch(() => ({}))) as {\n value?: unknown;\n };\n\n const value = typeof body.value === \"string\" ? body.value.trim() : \"\";\n if (!value) {\n setResponseStatus(event, 400);\n return { error: \"value is required\" };\n }\n\n const { scopeId, reason } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? 
\"Unable to resolve scope\" };\n }\n\n if (\n secret.scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can set workspace-scoped secrets\",\n };\n }\n if (secret.scope === \"org\" && !(await canMutateOrgScope(event, scopeId))) {\n setResponseStatus(event, 403);\n return {\n error: \"Only organization owners and admins can set org-scoped secrets\",\n };\n }\n\n // Run validator if registered — return the validator's error on failure.\n if (secret.validator) {\n try {\n const result = await secret.validator(value);\n const ok = typeof result === \"boolean\" ? result : result?.ok === true;\n if (!ok) {\n setResponseStatus(event, 400);\n const err =\n typeof result === \"object\" && result && result.error\n ? String(result.error)\n : \"Validator rejected the value\";\n return { error: redactSecretFromMessage(err, value) };\n }\n } catch (err) {\n setResponseStatus(event, 400);\n const message =\n err instanceof Error\n ? `Validator threw: ${err.message}`\n : \"Validator threw\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n }\n\n try {\n await writeAppSecret({\n key: secret.key,\n value,\n scope: secret.scope,\n scopeId,\n });\n } catch (err) {\n // Scrub: never surface the value in any error path.\n setResponseStatus(event, 500);\n const message =\n err instanceof Error\n ? 
`Failed to save secret: ${err.message}`\n : \"Failed to save secret\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n\n return { ok: true, status: \"set\" };\n}\n\nasync function handleDelete(event: H3Event, secret: RegisteredSecret) {\n if (secret.kind === \"oauth\") {\n setResponseStatus(event, 400);\n return {\n error: `\"${secret.key}\" is an OAuth-kind secret — disconnect via the OAuth flow instead`,\n };\n }\n const { scopeId, reason } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n if (\n secret.scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can delete workspace-scoped secrets\",\n };\n }\n if (secret.scope === \"org\" && !(await canMutateOrgScope(event, scopeId))) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can delete org-scoped secrets\",\n };\n }\n const removed = await deleteAppSecret({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n });\n return { ok: true, removed };\n}\n\n/**\n * POST /_agent-native/secrets/:key/test — re-run the validator against the\n * current stored value without changing anything. 
Useful for the \"Test\" button.\n */\nexport function createTestSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const key = extractKeyFromEvent(event, { suffix: \"/test\" });\n if (!key) {\n setResponseStatus(event, 400);\n return { error: \"Secret key required\" };\n }\n const secret = getRequiredSecret(key);\n if (!secret) {\n setResponseStatus(event, 404);\n return { error: `Secret \"${key}\" is not registered` };\n }\n if (secret.kind === \"oauth\") {\n // For OAuth we just report whether tokens exist.\n const has = await hasOAuthSecretForEvent(event, secret).catch(\n () => false,\n );\n return { ok: has };\n }\n if (!secret.validator) {\n return { ok: true, note: \"No validator registered\" };\n }\n const { scopeId } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: \"Unable to resolve scope\" };\n }\n const stored = await readAppSecret({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n });\n if (!stored) {\n setResponseStatus(event, 404);\n return { error: \"No value stored\" };\n }\n try {\n const result = await secret.validator(stored.value);\n const ok = typeof result === \"boolean\" ? result : result?.ok === true;\n if (!ok) {\n const err =\n typeof result === \"object\" && result && result.error\n ? String(result.error)\n : \"Validator rejected the value\";\n return {\n ok: false,\n error: redactSecretFromMessage(err, stored.value),\n };\n }\n return { ok: true };\n } catch (err) {\n const message =\n err instanceof Error\n ? 
`Validator threw: ${err.message}`\n : \"Validator threw\";\n return {\n ok: false,\n error: redactSecretFromMessage(message, stored.value),\n };\n }\n });\n}\n\n// ---------------------------------------------------------------------------\n// Ad-hoc secrets — user-/agent-created keys not in the registry\n// ---------------------------------------------------------------------------\n\nexport interface AdHocSecretPayload {\n name: string;\n scope: SecretScope;\n scopeId: string;\n description: string | null;\n last4: string;\n urlAllowlist: string[] | null;\n createdAt: number;\n updatedAt: number;\n}\n\nconst AD_HOC_NAME_REGEX = /^[A-Za-z0-9_-]+$/;\n\nfunction metaToPayload(meta: SecretMeta): AdHocSecretPayload {\n return {\n name: meta.key,\n scope: meta.scope,\n scopeId: meta.scopeId,\n description: meta.description,\n last4: meta.last4,\n urlAllowlist: meta.urlAllowlist,\n createdAt: meta.createdAt,\n updatedAt: meta.updatedAt,\n };\n}\n\n/**\n * Handler for `/_agent-native/secrets/adhoc[/:name]`.\n *\n * - GET (no name) — list all ad-hoc keys for the user's scope\n * - POST (no name) — create or update an ad-hoc key\n * - DELETE (with name) — delete an ad-hoc key\n *\n * Ad-hoc keys are arbitrary named secrets users or the agent create at\n * runtime for automation use (e.g. 
\"SLACK_WEBHOOK\", \"HUBSPOT_API_KEY\").\n * They differ from registered secrets (`registerRequiredSecret`) in that\n * they have no template-defined metadata, validator, or onboarding step.\n */\nexport function createAdHocSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n const method = getMethod(event);\n const name = extractAdHocName(event);\n\n if (method === \"GET\" && !name) {\n return handleAdHocList(event);\n }\n if (method === \"POST\" && !name) {\n return handleAdHocWrite(event);\n }\n if (method === \"DELETE\" && name) {\n return handleAdHocDelete(event, name);\n }\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n });\n}\n\nasync function handleAdHocList(event: H3Event) {\n const scope: SecretScope = \"user\";\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n const registered = new Set(listRequiredSecrets().map((s) => s.key));\n const userRows = await listAppSecretsForScope(\"user\", scopeId);\n const workspaceContext = await resolveScopeId(event, \"workspace\");\n const workspaceRows = workspaceContext.scopeId\n ? await listAppSecretsForScope(\"workspace\", workspaceContext.scopeId)\n : [];\n\n const payload: AdHocSecretPayload[] = [];\n for (const row of [...userRows, ...workspaceRows]) {\n if (registered.has(row.key)) continue;\n payload.push(metaToPayload(row));\n }\n return payload;\n}\n\nasync function handleAdHocWrite(event: H3Event) {\n const body = (await readBody(event).catch(() => ({}))) as {\n name?: unknown;\n value?: unknown;\n description?: unknown;\n scope?: unknown;\n urlAllowlist?: unknown;\n };\n\n const name = typeof body.name === \"string\" ? 
body.name.trim() : \"\";\n if (!name || !AD_HOC_NAME_REGEX.test(name)) {\n setResponseStatus(event, 400);\n return {\n error:\n \"name is required and may only contain letters, digits, underscores, and dashes\",\n };\n }\n if (getRequiredSecret(name)) {\n setResponseStatus(event, 400);\n return {\n error: `\"${name}\" is a registered secret — use POST /_agent-native/secrets/${name} instead`,\n };\n }\n\n const value = typeof body.value === \"string\" ? body.value.trim() : \"\";\n if (!value) {\n setResponseStatus(event, 400);\n return { error: \"value is required\" };\n }\n\n const scope: SecretScope = body.scope === \"workspace\" ? \"workspace\" : \"user\";\n\n const description =\n typeof body.description === \"string\" && body.description.trim()\n ? body.description.trim()\n : undefined;\n\n let urlAllowlistJson: string | undefined;\n if (body.urlAllowlist !== undefined && body.urlAllowlist !== null) {\n const normalized = normalizeUrlAllowlist(body.urlAllowlist);\n if (normalized.ok === false) {\n setResponseStatus(event, 400);\n return { error: normalized.error };\n }\n urlAllowlistJson = JSON.stringify(normalized.origins);\n }\n\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n if (\n scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can set workspace-scoped secrets\",\n };\n }\n\n try {\n await writeAppSecret({\n key: name,\n value,\n scope,\n scopeId,\n description,\n urlAllowlist: urlAllowlistJson,\n });\n } catch (err) {\n setResponseStatus(event, 500);\n const message =\n err instanceof Error\n ? 
`Failed to save secret: ${err.message}`\n : \"Failed to save secret\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n\n return { ok: true, key: name };\n}\n\nasync function handleAdHocDelete(event: H3Event, name: string) {\n if (getRequiredSecret(name)) {\n setResponseStatus(event, 400);\n return {\n error: `\"${name}\" is a registered secret — delete via the registered route instead`,\n };\n }\n const scope: SecretScope = \"user\";\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n const removed = await deleteAppSecret({ key: name, scope, scopeId });\n if (!removed) {\n // Fall back to workspace scope so the agent / UI can clean up shared keys.\n // Gate the fallback behind the org-admin check so a regular member can't\n // DoS every other member's automations by deleting shared workspace keys.\n const workspaceContext = await resolveScopeId(event, \"workspace\");\n if (workspaceContext.scopeId) {\n if (!(await canMutateWorkspaceScope(event, workspaceContext.scopeId))) {\n // No-op silently for non-admins — the user-scope row didn't exist\n // and they don't have permission to touch the workspace row, so\n // there's nothing to remove from their point of view.\n return { ok: true, removed: false };\n }\n const removedWorkspace = await deleteAppSecret({\n key: name,\n scope: \"workspace\",\n scopeId: workspaceContext.scopeId,\n });\n return { ok: true, removed: removedWorkspace };\n }\n }\n return { ok: true, removed };\n}\n\nfunction extractAdHocName(event: H3Event): string | null {\n const pathname = (event.url?.pathname || \"\")\n .replace(/^\\/+/, \"\")\n .replace(/\\/+$/, \"\");\n if (!pathname) return null;\n const parts = pathname.split(\"/\");\n // The router strips the `/secrets/adhoc` prefix, so `parts[0]` (if present)\n // is the name. 
When the request is the bare `/adhoc` listing, parts is empty.\n const candidate = parts[0];\n if (!candidate) return null;\n return AD_HOC_NAME_REGEX.test(candidate) ? candidate : null;\n}\n\nfunction normalizeUrlAllowlist(\n input: unknown,\n): { ok: true; origins: string[] } | { ok: false; error: string } {\n if (!Array.isArray(input) || !input.every((v) => typeof v === \"string\")) {\n return { ok: false, error: \"urlAllowlist must be an array of strings\" };\n }\n\n const origins: string[] = [];\n for (const raw of input) {\n const value = raw.trim();\n if (!value) continue;\n let url: URL;\n try {\n url = new URL(value);\n } catch {\n return {\n ok: false,\n error: `urlAllowlist entry \"${value}\" is not a valid URL`,\n };\n }\n if (url.protocol !== \"https:\" && url.protocol !== \"http:\") {\n return {\n ok: false,\n error: `urlAllowlist entry \"${value}\" must use http or https`,\n };\n }\n if (!origins.includes(url.origin)) origins.push(url.origin);\n }\n return { ok: true, origins };\n}\n\n/** Extract the key from `/:key` or `/:key/test` after the `/secrets` prefix strip. */\nfunction extractKeyFromEvent(\n event: H3Event,\n opts: { suffix?: string } = {},\n): string | null {\n const pathname = (event.url?.pathname || \"\")\n .replace(/^\\/+/, \"\")\n .replace(/\\/+$/, \"\");\n if (!pathname) return null;\n const parts = pathname.split(\"/\");\n if (opts.suffix === \"/test\") {\n if (parts.length < 2 || parts[parts.length - 1] !== \"test\") return null;\n return parts[0];\n }\n return parts[0];\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"better-auth-instance.d.ts","sourceRoot":"","sources":["../../src/server/better-auth-instance.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,EAAc,KAAK,iBAAiB,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"better-auth-instance.d.ts","sourceRoot":"","sources":["../../src/server/better-auth-instance.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,EAAc,KAAK,iBAAiB,EAAE,MAAM,aAAa,CAAC;AA6JjE,wBAAgB,2BAA2B,IAAI,OAAO,CASrD;AAED,uDAAuD;AACvD,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAMD,4FAA4F;AAC5F,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IACjD,GAAG,EAAE;QACH,UAAU,EAAE,CAAC,IAAI,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,KAAK,OAAO,CAAC;YAClD,IAAI,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAC;gBAAC,IAAI,EAAE,MAAM,CAAA;aAAE,CAAC;YAClD,OAAO,EAAE;gBACP,EAAE,EAAE,MAAM,CAAC;gBACX,KAAK,EAAE,MAAM,CAAC;gBACd,SAAS,EAAE,IAAI,CAAC;gBAChB,oBAAoB,CAAC,EAAE,MAAM,CAAC;aAC/B,CAAC;SACH,GAAG,IAAI,CAAC,CAAC;QACV,WAAW,EAAE,CAAC,IAAI,EAAE;YAClB,IAAI,EAAE;gBAAE,KAAK,EAAE,MAAM,CAAC;gBAAC,QAAQ,EAAE,MAAM,CAAA;aAAE,CAAC;SAC3C,KAAK,OAAO,CAAC;YAAE,KAAK,CAAC,EAAE,MAAM,CAAC;YAAC,IAAI,CAAC,EAAE,GAAG,CAAA;SAAE,GAAG,IAAI,CAAC,CAAC;QACrD,WAAW,EAAE,CAAC,IAAI,EAAE;YAClB,IAAI,EAAE;gBACJ,KAAK,EAAE,MAAM,CAAC;gBACd,QAAQ,EAAE,MAAM,CAAC;gBACjB,IAAI,EAAE,MAAM,CAAC;gBACb,WAAW,CAAC,EAAE,MAAM,CAAC;aACtB,CAAC;SACH,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;QACnB,OAAO,EAAE,CAAC,IAAI,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;QACtD,iBAAiB,EAAE,CAAC,IAAI,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,KAAK,OAAO,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;KAC1E,CAAC;CACH;AAED,MAAM,WAAW,gBAAgB;IAC/B,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mEAAmE;IACnE,eAAe,CAAC,EAAE,iBAAiB,CAAC,iBAAiB,CAAC,CAAC;IACvD,qCAAqC;IACrC,OAAO,CAAC,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;IACvC;;;;;;;;;;;;;OAaG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAwSD;;;GAGG;AACH,wBAAsB,aAAa,CACjC,MAAM,CAAC,EAAE,gBAAgB,GACxB,OAAO,CAAC,kBAAkB,CAAC,CAO7B;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,kBAAkB,GAAG,SAAS,CAElE;AAED,wBAAwB;AACxB,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAWrD"}
|
|
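--- a/better-auth-instance.js
+++ b/better-auth-instance.js
@@ -17,6 +17,7 @@ import { renderResetPasswordEmail, renderVerifySignupEmail, } from "./email-temp
 import { getAppProductionUrl } from "./app-url.js";
 import { getDbExec, isPostgres } from "../db/client.js";
 import { acceptPendingInvitationsForEmail } from "../org/accept-pending.js";
+import { autoJoinDomainMatchingOrgs } from "../org/auto-join-domain.js";
 import { saveOAuthTokens } from "../oauth-tokens/store.js";
 import { identify, track } from "../tracking/index.js";
 import { getDialect, getDatabaseUrl, getDatabaseAuthToken, } from "../db/client.js";
@@ -595,6 +596,16 @@ async function createBetterAuthInstance(config) {
 // Never block signup on invite bookkeeping — log and continue.
 console.error("[auth] failed to auto-accept pending invitations", err);
 }
+try {
+// Auto-join orgs whose `allowed_domain` matches this email
+// domain. Lets a fresh `@builder.io` (or any org-domain)
+// signup land inside the company org on first page load
+// without going through the picker. No-ops when no match.
+await autoJoinDomainMatchingOrgs(email);
+}
+catch (err) {
+console.error("[auth] failed to auto-join domain-matching orgs", err);
+}
 },
 },
 },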
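Review bot: The added `await autoJoinDomainMatchingOrgs(email);` grants org membership from the email domain alone, and nothing in this hunk shows that the address has been verified by the time the callback runs. If the callback fires on account creation rather than after verification, a signup with an unconfirmed address at a matching `allowed_domain` would land inside that org. I would gate the call on the verified flag (Better Auth's `emailVerified` on the user record) or move it to the post-verification path, and state the precondition in the comment, e.g. `// Only for verified addresses: a domain match alone does not prove control of the mailbox.` The enclosing callback in `createBetterAuthInstance` starts and ends outside the hunk, so any existing guard is not visible here.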
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"better-auth-instance.js","sourceRoot":"","sources":["../../src/server/better-auth-instance.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,UAAU,EAA0B,MAAM,aAAa,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAC;AAChE,OAAO,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC1D,OAAO,EACL,wBAAwB,EACxB,uBAAuB,GACxB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EAAE,gCAAgC,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EACL,UAAU,EACV,cAAc,EACd,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,OAAO,EACP,IAAI,IAAI,MAAM,EACd,SAAS,IAAI,WAAW,EACxB,OAAO,IAAI,SAAS,GACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,WAAW,EACX,IAAI,IAAI,UAAU,EAClB,OAAO,IAAI,aAAa,GACzB,MAAM,yBAAyB,CAAC;AAEjC,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,SAAS,iBAAiB;IACxB,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAE1E,yEAAyE;IACzE,wEAAwE;IACxE,uEAAuE;IACvE,oEAAoE;IACpE,kEAAkE;IAClE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACtD,MAAM,IAAI,KAAK,CACb,+EAA+E;YAC7E,0EAA0E;YAC1E,0DAA0D;YAC1D,wBAAwB,MAAM,MAAM;YACpC,uEAAuE;YACvE,uEAAuE;YACvE,qFAAqF;YACrF,qCAAqC,CACxC,CAAC;IACJ,CAAC;IAED,oEAAoE;IACpE,wEAAwE;IACxE,uEAAuE;IACvE,qEAAqE;IACrE,QAAQ;IACR,EAAE;IACF,yDAAyD;IACzD,+DAA+D;IAC/D,qEAAqE;IACrE,sEAAsE;IACtE,mDAAmD;IACnD,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,YAAY,CAAC,CAAC;QAC/D,MAAM,QAAQ,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;QAClD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,QAAQ,CAAC,CAAC,mGAAmG;YAC9I,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,
QAAQ,CAAC,KAAK,CAAC,CAAC;QACzD,oBAAoB,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,SAAS,CAAC,CAAC,sGAAsG;QAClJ,OAAO,CAAC,GAAG,CACT,0EAA0E;YACxE,iDAAiD;YACjD,4EAA4E,CAC/E,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,qEAAqE;QACrE,oEAAoE;QACpE,qEAAqE;QACrE,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACzD,OAAO,CAAC,IAAI,CACV,oEAAoE;YAClE,gEAAgE;YAChE,wDAAwD;YACxD,oFAAoF,CACvF,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,YAAoB;IAC9C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QACtD,oEAAoE;QACpE,oEAAoE;QACpE,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CACrB,8DAA8D,CAC/D,CAAC;QACF,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,YAAoB,EAAE,MAAc;IAChE,MAAM,MAAM,GACV,+DAA+D;QAC/D,oEAAoE;QACpE,2DAA2D,CAAC;IAC9D,MAAM,IAAI,GAAG,sBAAsB,MAAM,IAAI,CAAC;IAE9C,yEAAyE;IACzE,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QACvD,MAAM,mBAAmB,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC5E,EAAE,CAAC,cAAc,CACf,YAAY,EACZ,CAAC,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CACzD,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACjE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,2BAA2B;IACzC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;IACvD,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,CAC1E,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,OAAO,UAAU,KAAK,EAAE,IAAI,UAAU,KAAK,GAAG,IAAI,UAAU,KAAK,OAAO,CAAC;AAC3E,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,aAAa;IAC3B,OAAO,iBAAiB,EAAE,CAAC;AAC7B,CAAC;AA2DD,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,IAAI,KAAqC,CAAC;AAC1C,IAAI,YAAqD,CAAC;AAC1D,8EAA8E;AAC9E,6EAA6E;AAC7E,wEAAwE
;AACxE,IAAI,aAAkB,CAAC;AAEvB,MAAM,YAAY,GAAG;IACnB,IAAI,EAAE,OAAO,CAAC,MAAM,EAAE;QACpB,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAC9B,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QACzC,aAAa,EAAE,SAAS,CAAC,gBAAgB,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;QACnE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC;QACtB,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,OAAO,EAAE,OAAO,CAAC,SAAS,EAAE;QAC1B,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QACzC,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC;QAC/B,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC;QAC/B,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACnC,oBAAoB,EAAE,MAAM,CAAC,wBAAwB,CAAC;KACvD,CAAC;IACF,OAAO,EAAE,OAAO,CAAC,SAAS,EAAE;QAC1B,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QACzC,UAAU,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC3C,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACnC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACnC,YAAY,EAAE,MAAM,CAAC,eAAe,CAAC;QACrC,OAAO,EAAE,MAAM,CAAC,UAAU,CAAC;QAC3B,oBAAoB,EAAE,WAAW,CAAC,yBAAyB,EAAE;YAC3D,YAAY,EAAE,IAAI;SACnB,CAAC;QACF,qBAAqB,EAAE,WAAW,CAAC,0BAA0B,EAAE;YAC7D,YAAY,EAAE,IAAI;SACnB,CAAC;QACF,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC;QAC5B,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,YAAY,EAAE,OAAO,CAAC,cAAc,EAAE;QACpC,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,UAAU,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC1C,KAAK,EAAE,MAAM,CAAC
,OAAO,CAAC,CAAC,OAAO,EAAE;QAChC,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,YAAY,EAAE,OAAO,CAAC,cAAc,EAAE;QACpC,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAC9B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QACvC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC;QAC5B,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,MAAM,EAAE,OAAO,CAAC,QAAQ,EAAE;QACxB,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,cAAc,EAAE,MAAM,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACnD,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACnC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;QAChD,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,UAAU,EAAE,OAAO,CAAC,YAAY,EAAE;QAChC,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,cAAc,EAAE,MAAM,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACnD,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QAChC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;QACrD,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QACzC,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,IAAI,EAAE,OAAO,CAAC,MAAM,EAAE;QACpB,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QACzC,UAAU,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC3C,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EA
AE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;KAC7D,CAAC;CACH,CAAC;AAEF,MAAM,gBAAgB,GAAG;IACvB,IAAI,EAAE,WAAW,CAAC,MAAM,EAAE;QACxB,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAClC,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QAC7C,aAAa,EAAE,aAAa,CAAC,gBAAgB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;aAChE,OAAO,EAAE;aACT,OAAO,CAAC,KAAK,CAAC;QACjB,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC;QAC1B,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,OAAO,EAAE,WAAW,CAAC,SAAS,EAAE;QAC9B,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QAC7C,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC;QACnC,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC;QACnC,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACvC,oBAAoB,EAAE,UAAU,CAAC,wBAAwB,CAAC;KAC3D,CAAC;IACF,OAAO,EAAE,WAAW,CAAC,SAAS,EAAE;QAC9B,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC7C,UAAU,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC/C,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACvC,WAAW,EAAE,UAAU,CAAC,cAAc,CAAC;QACvC,YAAY,EAAE,UAAU,CAAC,eAAe,CAAC;QACzC,OAAO,EAAE,UAAU,CAAC,UAAU,CAAC;QAC/B,oBAAoB,EAAE,aAAa,CAAC,yBAAyB,EAAE;YAC7D,IAAI,EAAE,cAAc;SACrB,CAAC;QACF,qBAAqB,EAAE,aAAa,CAAC,0BAA0B,EAAE;YAC/D,IAAI,EAAE,cAAc;SACrB,CAAC;QACF,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC;QAC1B,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC;QAChC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,YAAY,EAAE,WAAW,CAA
C,cAAc,EAAE;QACxC,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,UAAU,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC9C,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QACpC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,YAAY,EAAE,WAAW,CAAC,cAAc,EAAE;QACxC,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAClC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QAC3C,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC;QACxB,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC;QAChC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,MAAM,EAAE,WAAW,CAAC,QAAQ,EAAE;QAC5B,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,cAAc,EAAE,UAAU,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACvD,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACvC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;QACpD,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,UAAU,EAAE,WAAW,CAAC,YAAY,EAAE;QACpC,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,cAAc,EAAE,UAAU,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACvD,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QACpC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC;QACxB,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;QACzD,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC7C,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,IAAI,EAAE,WAAW,CAAC,MAAM,EAAE;QACxB,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;Q
ACjC,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC7C,UAAU,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC/C,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;KACjE,CAAC;CACH,CAAC;AAEF,SAAS,mBAAmB;IAC1B,OAAO,UAAU,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,gBAAgB,CAAC;AACxD,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,KAAK,UAAU,gCAAgC,CAAC,OAS/C;IACC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,KAAK,QAAQ;QAAE,OAAO;IACxD,IAAI,CAAC,OAAO,CAAC,MAAM;QAAE,OAAO;IAE5B,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,SAAS,CAAC;IACrD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,iEAAiE;QACjE,kEAAkE;QAClE,oDAAoD;QACpD,OAAO;IACT,CAAC;IAED,kCAAkC;IAClC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;IACvB,IAAI,KAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YAChC,GAAG,EAAE,uCAAuC;YAC5C,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;SACvB,CAAC,CAAC;QACH,KAAK,GAAI,IAAI,CAAC,CAAC,CAAC,EAAE,KAA4B,IAAI,SAAS,CAAC;IAC9D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CACX,uEAAuE,EACvE,GAAG,CACJ,CAAC;QACF,OAAO;IACT,CAAC;IACD,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,uEAAuE;IACvE,6BAA6B;IAC7B,IAAI,UAA8B,CAAC;IACnC,MAAM,GAAG,GAAG,OAAO,CAAC,oBAAoB,CAAC;IACzC,IAAI,GAAG,YAAY,IAAI,EAAE,CAAC;QACxB,UAAU,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;IAC7B,CAAC;SAAM,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,UAAU,GAAG,GAAG,CAAC;IACnB,CAAC;SAAM,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3B,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IACpD,CAAC;IAED,MAAM,MAAM,GAA4B;QACtC,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,QAAQ;KACrB,CAAC;IACF,IAAI,OAAO,CAAC,YAAY;QAAE,MAAM,CAAC,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;IACtE,IAAI,UAAU;QAAE,MAAM,CAAC,WAAW,GAAG,UAAU,CAAC;IAChD,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAChD,IAAI,OAAO,CAAC,OAAO;QAAE,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAEvD,MAAM,eAAe,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;AACxD,CAAC;AAED,KAAK,UAAU,sBAAsB;IACnC,MAAM,EAAE,GAAG,SAA
S,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,UAAU,EAAE;QAC7B,CAAC,CAAC;YACE,sOAAsO;YACtO,iRAAiR;YACjR,sWAAsW;YACtW,mNAAmN;YACnN,4MAA4M;YAC5M,wNAAwN;YACxN,mSAAmS;YACnS,uKAAuK;SACxK;QACH,CAAC,CAAC;YACE,wNAAwN;YACxN,mQAAmQ;YACnQ,oVAAoV;YACpV,qMAAqM;YACrM,kMAAkM;YAClM,8MAA8M;YAC9M,qRAAqR;YACrR,6JAA6J;SAC9J,CAAC;IAEN,KAAK,MAAM,GAAG,IAAI,UAAU;QAAE,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAyB;IAEzB,IAAI,KAAK;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,YAAY,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;IAChD,KAAK,GAAG,MAAM,YAAY,CAAC;IAC3B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,wBAAwB;AACxB,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,KAAK,GAAG,SAAS,CAAC;IAClB,YAAY,GAAG,SAAS,CAAC;IACzB,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,aAAa,CAAC,GAAG,EAAE,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,4EAA4E;QAC9E,CAAC;QACD,aAAa,GAAG,SAAS,CAAC;IAC5B,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,KAAK,UAAU,wBAAwB,CACrC,MAAyB;IAEzB,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;IAC7B,MAAM,QAAQ,GAAG,MAAM,EAAE,QAAQ,IAAI,wBAAwB,CAAC;IAC9D,MAAM,sBAAsB,EAAE,CAAC;IAE/B,uCAAuC;IACvC,MAAM,eAAe,GAAyC;QAC5D,GAAG,MAAM,EAAE,eAAe;KAC3B,CAAC;IAEF,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;QACrE,oEAAoE;QACpE,kEAAkE;QAClE,gEAAgE;QAChE,uEAAuE;QACvE,qEAAqE;QACrE,mEAAmE;QACnE,wCAAwC;QACxC,MAAM,WAAW,GAAG,MAAM,EAAE,YAAY,IAAI,EAAE,CAAC;QAC/C,MAAM,UAAU,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;QAClD,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,UAAU,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC1E,eAAe,CAAC,MAAM,GAAG;YACvB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB;YACtC,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;YAC9C,GAAG,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC;gBACxB,CAAC,CAAC;oBACE,KAAK,EAAE,YAAY;oBACnB,UAAU,EAAE,SAAkB;oBAC9B,MAAM,EAAE,SAAkB;iBAC3B;gBACH,CAAC,CAAC,EAAE,CAAC;SACR,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;QACrE,eAAe,CAAC,MAAM,GAAG;YACvB,QAA
Q,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB;YACtC,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;SAC/C,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAEpD,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;IAEnC,MAAM,MAAM,GAAG,mBAAmB,EAAE,CAAC;IACrC,MAAM,wBAAwB,GAC5B,iBAAiB,EAAE,IAAI,CAAC,2BAA2B,EAAE,CAAC;IAExD,MAAM,IAAI,GAAG,UAAU,CAAC;QACtB,QAAQ;QACR,OAAO,EAAE,MAAM;QACf,QAAQ;QACR,MAAM;QACN,gBAAgB,EAAE;YAChB,OAAO,EAAE,IAAI;YACb,iBAAiB,EAAE,CAAC;YACpB,wEAAwE;YACxE,sEAAsE;YACtE,uEAAuE;YACvE,uEAAuE;YACvE,yEAAyE;YACzE,wBAAwB;YACxB,iBAAiB,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE;gBAC3C,qEAAqE;gBACrE,sEAAsE;gBACtE,MAAM,WAAW,GAAG,CAClB,OAAO,CAAC,GAAG,CAAC,kBAAkB;oBAC9B,OAAO,CAAC,GAAG,CAAC,aAAa;oBACzB,EAAE,CACH,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrB,MAAM,QAAQ,GAAG,GAAG,MAAM,GAAG,WAAW,mCAAmC,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;gBACvG,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,wBAAwB,CAAC;oBACvD,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,QAAQ;iBACT,CAAC,CAAC;gBACH,MAAM,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3D,CAAC;SACF;QACD,iBAAiB,EAAE;YACjB,oEAAoE;YACpE,oEAAoE;YACpE,wCAAwC;YACxC,YAAY,EAAE,wBAAwB;YACtC,qEAAqE;YACrE,sEAAsE;YACtE,6CAA6C;YAC7C,2BAA2B,EAAE,IAAI;YACjC,qBAAqB,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE;gBAC7C,qEAAqE;gBACrE,6EAA6E;gBAC7E,MAAM,cAAc,GAAG,CACrB,OAAO,CAAC,GAAG,CAAC,kBAAkB;oBAC9B,OAAO,CAAC,GAAG,CAAC,aAAa;oBACzB,EAAE,CACH,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrB,MAAM,SAAS,GAAG,cAAc;oBAC9B,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,iBAAiB,EAAE,KAAK,cAAc,IAAI,CAAC;oBACzD,CAAC,CAAC,GAAG,CAAC;gBACR,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,uBAAuB,CAAC;oBACtD,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,SAAS;iBACV,CAAC,CAAC;gBACH,MAAM,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3D,CAAC;SACF;QACD,eAAe;QACf,OAAO,EAAE;YACP,sEAAsE;YACtE,yEAAyE;YACzE,wEAAwE;YACxE,sEAAsE;YACtE,mEAAmE;YACnE,2BAA2B;YAC3B,cAAc,EAAE;gBACd,OAAO,EAAE,IAAI;gBACb,gBAAgB,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;aACvC;SACF
;QACD,aAAa,EAAE;YACb,IAAI,EAAE;gBACJ,MAAM,EAAE;oBACN,KAAK,EAAE,KAAK,EAAE,IAIb,EAAE,EAAE;wBACH,gEAAgE;wBAChE,+DAA+D;wBAC/D,8DAA8D;wBAC9D,sDAAsD;wBACtD,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,CAAC;wBAC1B,IAAI,CAAC,KAAK;4BAAE,OAAO;wBACnB,QAAQ,CAAC,KAAK,EAAE;4BACd,KAAK;4BACL,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,SAAS;4BAC5B,UAAU,EAAE,IAAI,CAAC,EAAE;yBACpB,CAAC,CAAC;wBACH,KAAK,CACH,QAAQ,EACR;4BACE,aAAa,EAAE,aAAa;4BAC5B,YAAY,EAAE,IAAI,CAAC,EAAE;yBACtB,EACD,EAAE,MAAM,EAAE,KAAK,EAAE,CAClB,CAAC;wBACF,IAAI,CAAC;4BACH,MAAM,gCAAgC,CAAC,KAAK,CAAC,CAAC;wBAChD,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,+DAA+D;4BAC/D,OAAO,CAAC,KAAK,CACX,kDAAkD,EAClD,GAAG,CACJ,CAAC;wBACJ,CAAC;oBACH,CAAC;iBACF;aACF;YACD,OAAO,EAAE;gBACP,+DAA+D;gBAC/D,iEAAiE;gBACjE,kEAAkE;gBAClE,oDAAoD;gBACpD,EAAE;gBACF,+DAA+D;gBAC/D,+DAA+D;gBAC/D,+DAA+D;gBAC/D,gDAAgD;gBAChD,MAAM,EAAE;oBACN,KAAK,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;wBAC5B,MAAM,gCAAgC,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;4BAC5D,OAAO,CAAC,KAAK,CACX,wEAAwE,EACxE,GAAG,CACJ,CAAC;wBACJ,CAAC,CAAC,CAAC;oBACL,CAAC;iBACF;gBACD,MAAM,EAAE;oBACN,KAAK,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;wBAC5B,MAAM,gCAAgC,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;4BAC5D,OAAO,CAAC,KAAK,CACX,wEAAwE,EACxE,GAAG,CACJ,CAAC;wBACJ,CAAC,CAAC,CAAC;oBACL,CAAC;iBACF;aACF;SACF;QACD,OAAO,EAAE;YACP,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,UAAU;YACxC,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,gBAAgB;YACzC,WAAW,EAAE;gBACX,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,cAAc;aAC/B;SACF;QACD,QAAQ,EAAE;YACR,YAAY,EAAE,IAAI;YAClB,oEAAoE;YACpE,qEAAqE;YACrE,qEAAqE;YACrE,mCAAmC;YACnC,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;gBAC/B,CAAC,CAAC;oBACE,uBAAuB,EAAE;wBACvB,QAAQ,EAAE,MAAe;wBACzB,MAAM,EAAE,IAAI;wBACZ,WAAW,EAAE,IAAI;qBAClB;iBACF;gBACH,CAAC,CAAC,EAAE,CAAC;SACR;QACD,OAAO,EAAE;YACP,wDAAwD;YACxD,YAAY,EAAE;YACd,kEAAkE;YAClE,GAAG,CAAC;gBACF,GAAG,EAAE;oBACH,MAAM,EAAE,MAAM;oBACd,cAAc,EAAE,KAAK;iBACtB;aACF,CAAC;YACF,+CAA+C;YAC/C,MAAM,EAAE;YACR,GAAG,CAAC,MAAM,EAAE,OAAO,IAAI,EAAE,CAAC;SAC3B;KACF,CAAC,CAAC;IAEH,OAAO,IAAq
C,CAAC;AAC/C,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,OAAe;IAEf,IAAI,OAAO,KAAK,UAAU,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,cAAc,EAAE,CAAC;QAC7B,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAE7D,yEAAyE;QACzE,wEAAwE;QACxE,sEAAsE;QACtE,IAAI,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;YAC1D,aAAa,GAAG,IAAI,IAAI,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,CAAC,CAAC;YACpD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;YAChE,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;YAC5D,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;YACxE,OAAO,cAAc,CAAC,EAAE,EAAE;gBACxB,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,YAAY;aACrB,CAAC,CAAC;QACL,CAAC;QAED,gEAAgE;QAChE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QACvD,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,EAAE;YACxB,QAAQ,EAAE,GAAG,EAAE,GAAE,CAAC;YAClB,YAAY,EAAE,GAAG;YACjB,YAAY,EAAE,EAAE,GAAG,EAAE;YACrB,eAAe,EAAE,EAAE;YACnB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACxD,CAAC,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAC5D,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;QAClD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;QACxE,OAAO,cAAc,CAAC,EAAE,EAAE;YACxB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,YAAY;SACrB,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,MAAM,GAAG,GAAG,cAAc,CAAC,oBAAoB,CAAC,CAAC;IAEjD,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,kCAAkC;QAClC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC7D,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QACpC,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;QAC/D,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;QACzD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;QACxE,OAAO,cAAc,CAAC,EAAE,EAAE;YACxB,QAAQ,
EAAE,QAAQ;YAClB,MAAM,EAAE,gBAAgB;SACzB,CAAC,CAAC;IACL,CAAC;IAED,wBAAwB;IACxB,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACxD,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,oBAAoB,EAAE,EAAE,CAAC,CAAC;IACxE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;IACzD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IACxE,OAAO,cAAc,CAAC,EAAE,EAAE;QACxB,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,gBAAgB;KACzB,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Internal Better Auth instance — lazily created, not exported to templates.\n *\n * Templates interact with auth via the existing `getSession()`, `autoMountAuth()`,\n * `createAuthPlugin()`, and `createGoogleAuthPlugin()` APIs. Better Auth is an\n * implementation detail behind those interfaces.\n */\n\nimport crypto from \"node:crypto\";\nimport fs from \"node:fs\";\nimport path from \"node:path\";\nimport { betterAuth, type BetterAuthOptions } from \"better-auth\";\nimport { organization } from \"better-auth/plugins/organization\";\nimport { jwt } from \"better-auth/plugins/jwt\";\nimport { bearer } from \"better-auth/plugins/bearer\";\nimport { sendEmail, isEmailConfigured } from \"./email.js\";\nimport {\n renderResetPasswordEmail,\n renderVerifySignupEmail,\n} from \"./email-templates.js\";\nimport { getAppProductionUrl } from \"./app-url.js\";\nimport { getDbExec, isPostgres } from \"../db/client.js\";\nimport { acceptPendingInvitationsForEmail } from \"../org/accept-pending.js\";\nimport { saveOAuthTokens } from \"../oauth-tokens/store.js\";\nimport { identify, track } from \"../tracking/index.js\";\nimport {\n getDialect,\n getDatabaseUrl,\n getDatabaseAuthToken,\n} from \"../db/client.js\";\nimport {\n pgTable,\n text as pgText,\n timestamp as pgTimestamp,\n boolean as pgBoolean,\n} from \"drizzle-orm/pg-core\";\nimport {\n sqliteTable,\n text as sqliteText,\n integer as sqliteInteger,\n} from 
\"drizzle-orm/sqlite-core\";\n\n// ---------------------------------------------------------------------------\n// Persistent auth secret\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve the Better Auth signing secret.\n *\n * Resolution order:\n * 1. `BETTER_AUTH_SECRET` env var — explicit, recommended for prod.\n * 2. `.env.local` in the template cwd — a per-workspace persistent secret\n * that the framework writes once on first boot when no secret is set.\n * Gitignored by convention (`.env*` in template .gitignore files), so\n * it's safe to persist credentials here.\n * 3. Generate a new random 32-byte hex, write it to `.env.local`, and use\n * it. Subsequent restarts re-read the same file — so session cookies\n * signed by a previous boot remain valid across dev-server restarts.\n *\n * Why this matters: before this helper existed, missing `BETTER_AUTH_SECRET`\n * fell through to `GOOGLE_CLIENT_SECRET` / `ACCESS_TOKEN` / a hardcoded\n * string. If a template happened to have none of those, each dev-server\n * boot would re-fall back to the hardcoded value (still stable) — but\n * rotating Google credentials, toggling `ACCESS_TOKEN`, or churning the\n * fallback chain would invalidate every signed cookie and force everyone\n * to sign in again. Pinning the secret to `.env.local` on first boot\n * removes that footgun.\n */\nfunction resolveAuthSecret(): string {\n if (process.env.BETTER_AUTH_SECRET) return process.env.BETTER_AUTH_SECRET;\n\n // In production, never auto-generate or fall back. 
A regenerated/derived\n // secret invalidates every signed session cookie on the next cold start\n // (serverless filesystems aren't persistent), and the legacy hardcoded\n // fallback is identical across every deploy that hits it — both are\n // serious enough to fail the boot loudly so the deployer notices.\n if (process.env.NODE_ENV === \"production\") {\n const sample = crypto.randomBytes(32).toString(\"hex\");\n throw new Error(\n \"[agent-native] BETTER_AUTH_SECRET is not set. This is required in production \" +\n \"so signed session cookies stay valid across deploys. Set it as a deploy \" +\n \"environment variable (any 32-byte hex string), e.g.:\\n\\n\" +\n ` BETTER_AUTH_SECRET=${sample}\\n\\n` +\n \"Generate your own with `openssl rand -hex 32`. If you already have a \" +\n \"running deploy on the legacy hardcoded fallback and need to preserve \" +\n \"existing sessions, set BETTER_AUTH_SECRET=agent-native-local-dev-secret-k9x2m7q4w8 \" +\n \"first, then rotate to a real value.\",\n );\n }\n\n // Dev: persist a generated secret to .env.local so sessions survive\n // dev-server restarts. Falls back to an in-memory random secret only if\n // the filesystem isn't writable (rare in dev, e.g. read-only mounts) —\n // sessions reset on every dev-process restart in that case, which is\n // fine.\n //\n // SECURITY (audit 09 LOW-2): the previous fallback chain\n // (`GOOGLE_CLIENT_SECRET || ACCESS_TOKEN || hardcoded`) reused\n // cross-purpose secrets and a public hardcoded literal as the cookie\n // HMAC. 
Dropped entirely — better to mint an ephemeral secret than to\n // re-use a Google client secret or a known string.\n try {\n const envLocalPath = path.resolve(process.cwd(), \".env.local\");\n const existing = readEnvLocalSecret(envLocalPath);\n if (existing) {\n process.env.BETTER_AUTH_SECRET = existing; // guard:allow-env-mutation — boot-time secret resolution from .env.local, runs once at module init\n return existing;\n }\n\n const generated = crypto.randomBytes(32).toString(\"hex\");\n appendEnvLocalSecret(envLocalPath, generated);\n process.env.BETTER_AUTH_SECRET = generated; // guard:allow-env-mutation — boot-time secret generation, runs once at module init before any request\n console.log(\n \"[agent-native] Generated a persistent BETTER_AUTH_SECRET in .env.local. \" +\n \"Sessions will now survive dev-server restarts. \" +\n \"(Delete .env.local to rotate; set BETTER_AUTH_SECRET in .env to override.)\",\n );\n return generated;\n } catch {\n // Filesystem unwritable (read-only mount, sandboxed test env, etc.).\n // Mint a per-process random secret so cookies stay unique per boot.\n // Sessions reset when the dev process restarts — acceptable for dev.\n const ephemeral = crypto.randomBytes(32).toString(\"hex\");\n console.warn(\n \"[agent-native] Could not persist BETTER_AUTH_SECRET to .env.local \" +\n \"(filesystem unwritable). Using an ephemeral in-memory secret. \" +\n \"Sessions will reset every time this process restarts. \" +\n \"Set BETTER_AUTH_SECRET in your environment to keep sessions valid across restarts.\",\n );\n return ephemeral;\n }\n}\n\nfunction readEnvLocalSecret(envLocalPath: string): string | undefined {\n try {\n const content = fs.readFileSync(envLocalPath, \"utf8\");\n // Match `BETTER_AUTH_SECRET=...` on its own line. Tolerate optional\n // quotes and leading `export `. 
Stop at the first newline or quote.\n const m = content.match(\n /^(?:export\\s+)?BETTER_AUTH_SECRET\\s*=\\s*\"?([^\"\\r\\n]+)\"?\\s*$/m,\n );\n return m?.[1]?.trim() || undefined;\n } catch {\n return undefined;\n }\n}\n\nfunction appendEnvLocalSecret(envLocalPath: string, secret: string): void {\n const header =\n \"# Auto-generated by agent-native on first boot. Gitignored.\\n\" +\n \"# Keeps signed session cookies valid across dev-server restarts.\\n\" +\n \"# Delete this file (or this line) to rotate the secret.\\n\";\n const line = `BETTER_AUTH_SECRET=${secret}\\n`;\n\n // If the file already exists, just append; otherwise create with header.\n if (fs.existsSync(envLocalPath)) {\n const existing = fs.readFileSync(envLocalPath, \"utf8\");\n const needsLeadingNewline = existing.length > 0 && !existing.endsWith(\"\\n\");\n fs.appendFileSync(\n envLocalPath,\n (needsLeadingNewline ? \"\\n\" : \"\") + \"\\n\" + header + line,\n );\n } else {\n fs.writeFileSync(envLocalPath, header + line, { mode: 0o600 });\n }\n}\n\nexport function shouldSkipEmailVerification(): boolean {\n const value = process.env.AUTH_SKIP_EMAIL_VERIFICATION;\n if (value == null) {\n return (\n process.env.NODE_ENV === \"development\" || process.env.NODE_ENV === \"test\"\n );\n }\n const normalized = value.trim().toLowerCase();\n return normalized !== \"\" && normalized !== \"0\" && normalized !== \"false\";\n}\n\n/** Read-only accessor for the resolved auth secret. */\nexport function getAuthSecret(): string {\n return resolveAuthSecret();\n}\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\n/** The shape we need from a Better Auth instance (internal — not exported to templates). 
*/\nexport interface BetterAuthInstance {\n handler: (request: Request) => Promise<Response>;\n api: {\n getSession: (opts: { headers: Headers }) => Promise<{\n user: { id: string; email: string; name: string };\n session: {\n id: string;\n token: string;\n expiresAt: Date;\n activeOrganizationId?: string;\n };\n } | null>;\n signInEmail: (opts: {\n body: { email: string; password: string };\n }) => Promise<{ token?: string; user?: any } | null>;\n signUpEmail: (opts: {\n body: {\n email: string;\n password: string;\n name: string;\n callbackURL?: string;\n };\n }) => Promise<any>;\n signOut: (opts: { headers: Headers }) => Promise<any>;\n listOrganizations: (opts: { headers: Headers }) => Promise<any[] | null>;\n };\n}\n\nexport interface BetterAuthConfig {\n /** Base path for Better Auth routes. Default: \"/_agent-native/auth/ba\" */\n basePath?: string;\n /** Additional social providers beyond what env vars auto-detect */\n socialProviders?: BetterAuthOptions[\"socialProviders\"];\n /** Additional Better Auth plugins */\n plugins?: BetterAuthOptions[\"plugins\"];\n /**\n * Additional Google OAuth scopes (Gmail, Calendar, etc.) 
to request\n * up front during the primary \"Sign in with Google\" flow, beyond the\n * default identity scopes (`openid`, `email`, `profile`).\n *\n * When set, the Google social provider also opts into:\n * - `accessType: \"offline\"` — so a refresh token is issued\n * - `prompt: \"consent\"` — so the refresh token is reissued every sign-in\n *\n * Tokens are mirrored into `oauth_tokens` via a databaseHooks.account\n * hook so existing template code that reads from `oauth_tokens` (mail's\n * Gmail client, calendar's events fetcher) works without any separate\n * \"Connect Google\" page.\n */\n googleScopes?: string[];\n}\n\n// ---------------------------------------------------------------------------\n// Lazy instance\n// ---------------------------------------------------------------------------\n\nlet _auth: BetterAuthInstance | undefined;\nlet _initPromise: Promise<BetterAuthInstance> | undefined;\n// Track the Neon serverless Pool we open for Better Auth so closeBetterAuth()\n// can release it. 
The Pool keeps WebSocket connections open; leaking them on\n// hot-reload or process restart exhausts Neon's connection slot budget.\nlet _neonAuthPool: any;\n\nconst pgAuthSchema = {\n user: pgTable(\"user\", {\n id: pgText(\"id\").primaryKey(),\n name: pgText(\"name\").notNull(),\n email: pgText(\"email\").notNull().unique(),\n emailVerified: pgBoolean(\"email_verified\").notNull().default(false),\n image: pgText(\"image\"),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n }),\n session: pgTable(\"session\", {\n id: pgText(\"id\").primaryKey(),\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }).notNull(),\n token: pgText(\"token\").notNull().unique(),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n ipAddress: pgText(\"ip_address\"),\n userAgent: pgText(\"user_agent\"),\n userId: pgText(\"user_id\").notNull(),\n activeOrganizationId: pgText(\"active_organization_id\"),\n }),\n account: pgTable(\"account\", {\n id: pgText(\"id\").primaryKey(),\n accountId: pgText(\"account_id\").notNull(),\n providerId: pgText(\"provider_id\").notNull(),\n userId: pgText(\"user_id\").notNull(),\n accessToken: pgText(\"access_token\"),\n refreshToken: pgText(\"refresh_token\"),\n idToken: pgText(\"id_token\"),\n accessTokenExpiresAt: pgTimestamp(\"access_token_expires_at\", {\n withTimezone: true,\n }),\n refreshTokenExpiresAt: pgTimestamp(\"refresh_token_expires_at\", {\n withTimezone: true,\n }),\n scope: pgText(\"scope\"),\n password: pgText(\"password\"),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n }),\n verification: pgTable(\"verification\", {\n id: pgText(\"id\").primaryKey(),\n identifier: pgText(\"identifier\").notNull(),\n value: 
pgText(\"value\").notNull(),\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }).notNull(),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n }),\n organization: pgTable(\"organization\", {\n id: pgText(\"id\").primaryKey(),\n name: pgText(\"name\").notNull(),\n slug: pgText(\"slug\").notNull().unique(),\n logo: pgText(\"logo\"),\n metadata: pgText(\"metadata\"),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n }),\n member: pgTable(\"member\", {\n id: pgText(\"id\").primaryKey(),\n organizationId: pgText(\"organization_id\").notNull(),\n userId: pgText(\"user_id\").notNull(),\n role: pgText(\"role\").notNull().default(\"member\"),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n }),\n invitation: pgTable(\"invitation\", {\n id: pgText(\"id\").primaryKey(),\n organizationId: pgText(\"organization_id\").notNull(),\n email: pgText(\"email\").notNull(),\n role: pgText(\"role\"),\n status: pgText(\"status\").notNull().default(\"pending\"),\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }).notNull(),\n inviterId: pgText(\"inviter_id\").notNull(),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n }),\n jwks: pgTable(\"jwks\", {\n id: pgText(\"id\").primaryKey(),\n publicKey: pgText(\"public_key\").notNull(),\n privateKey: pgText(\"private_key\").notNull(),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }),\n }),\n};\n\nconst sqliteAuthSchema = {\n user: sqliteTable(\"user\", {\n id: sqliteText(\"id\").primaryKey(),\n name: 
sqliteText(\"name\").notNull(),\n email: sqliteText(\"email\").notNull().unique(),\n emailVerified: sqliteInteger(\"email_verified\", { mode: \"boolean\" })\n .notNull()\n .default(false),\n image: sqliteText(\"image\"),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n }),\n session: sqliteTable(\"session\", {\n id: sqliteText(\"id\").primaryKey(),\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }).notNull(),\n token: sqliteText(\"token\").notNull().unique(),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n ipAddress: sqliteText(\"ip_address\"),\n userAgent: sqliteText(\"user_agent\"),\n userId: sqliteText(\"user_id\").notNull(),\n activeOrganizationId: sqliteText(\"active_organization_id\"),\n }),\n account: sqliteTable(\"account\", {\n id: sqliteText(\"id\").primaryKey(),\n accountId: sqliteText(\"account_id\").notNull(),\n providerId: sqliteText(\"provider_id\").notNull(),\n userId: sqliteText(\"user_id\").notNull(),\n accessToken: sqliteText(\"access_token\"),\n refreshToken: sqliteText(\"refresh_token\"),\n idToken: sqliteText(\"id_token\"),\n accessTokenExpiresAt: sqliteInteger(\"access_token_expires_at\", {\n mode: \"timestamp_ms\",\n }),\n refreshTokenExpiresAt: sqliteInteger(\"refresh_token_expires_at\", {\n mode: \"timestamp_ms\",\n }),\n scope: sqliteText(\"scope\"),\n password: sqliteText(\"password\"),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n }),\n verification: sqliteTable(\"verification\", {\n id: sqliteText(\"id\").primaryKey(),\n identifier: sqliteText(\"identifier\").notNull(),\n value: sqliteText(\"value\").notNull(),\n expiresAt: sqliteInteger(\"expires_at\", { mode: 
\"timestamp_ms\" }).notNull(),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n }),\n organization: sqliteTable(\"organization\", {\n id: sqliteText(\"id\").primaryKey(),\n name: sqliteText(\"name\").notNull(),\n slug: sqliteText(\"slug\").notNull().unique(),\n logo: sqliteText(\"logo\"),\n metadata: sqliteText(\"metadata\"),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n }),\n member: sqliteTable(\"member\", {\n id: sqliteText(\"id\").primaryKey(),\n organizationId: sqliteText(\"organization_id\").notNull(),\n userId: sqliteText(\"user_id\").notNull(),\n role: sqliteText(\"role\").notNull().default(\"member\"),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n }),\n invitation: sqliteTable(\"invitation\", {\n id: sqliteText(\"id\").primaryKey(),\n organizationId: sqliteText(\"organization_id\").notNull(),\n email: sqliteText(\"email\").notNull(),\n role: sqliteText(\"role\"),\n status: sqliteText(\"status\").notNull().default(\"pending\"),\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }).notNull(),\n inviterId: sqliteText(\"inviter_id\").notNull(),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n }),\n jwks: sqliteTable(\"jwks\", {\n id: sqliteText(\"id\").primaryKey(),\n publicKey: sqliteText(\"public_key\").notNull(),\n privateKey: sqliteText(\"private_key\").notNull(),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }),\n }),\n};\n\nfunction getBetterAuthSchema() {\n return 
isPostgres() ? pgAuthSchema : sqliteAuthSchema;\n}\n\n/**\n * Mirror a Better Auth `account` row for Google into the `oauth_tokens`\n * table that template code (mail's Gmail client, calendar's events fetcher)\n * reads from. Called from the `databaseHooks.account.create.after` and\n * `.update.after` hooks so tokens captured during the primary \"Sign in\n * with Google\" flow flow straight to the apps that need them — no\n * separate \"Connect Google\" page required.\n *\n * Resolves `account.userId` to the user's email by querying the `user`\n * table (Better Auth always quotes \"user\" because it's a reserved word\n * in Postgres; SQLite accepts the quotes too).\n *\n * The hook is fire-and-forget from the caller's perspective — every\n * failure is caught upstream so a flake in `oauth_tokens` never blocks\n * sign-in. We still no-op on missing fields here as a defense in depth.\n */\nasync function mirrorGoogleAccountToOAuthTokens(account: {\n providerId?: string;\n userId?: string;\n accountId?: string;\n accessToken?: string | null;\n refreshToken?: string | null;\n accessTokenExpiresAt?: Date | string | number | null;\n scope?: string | null;\n idToken?: string | null;\n}): Promise<void> {\n if (!account || account.providerId !== \"google\") return;\n if (!account.userId) return;\n\n const accessToken = account.accessToken ?? undefined;\n if (!accessToken) {\n // Better Auth sometimes upserts an account row before tokens are\n // attached (e.g. linking flows). Nothing to mirror yet — the next\n // update hook will run once the access token lands.\n return;\n }\n\n // Resolve user email from userId.\n const db = getDbExec();\n let email: string | undefined;\n try {\n const { rows } = await db.execute({\n sql: 'SELECT email FROM \"user\" WHERE id = ?',\n args: [account.userId],\n });\n email = (rows[0]?.email as string | undefined) ?? 
undefined;\n } catch (err) {\n console.error(\n \"[auth] mirror Google tokens: failed to resolve user email from userId\",\n err,\n );\n return;\n }\n if (!email) return;\n\n // Normalise expiry to epoch ms (Google's \"expiry_date\" convention used\n // throughout the templates).\n let expiryDate: number | undefined;\n const raw = account.accessTokenExpiresAt;\n if (raw instanceof Date) {\n expiryDate = raw.getTime();\n } else if (typeof raw === \"number\") {\n expiryDate = raw;\n } else if (typeof raw === \"string\") {\n const ms = Date.parse(raw);\n expiryDate = Number.isFinite(ms) ? ms : undefined;\n }\n\n const tokens: Record<string, unknown> = {\n access_token: accessToken,\n token_type: \"Bearer\",\n };\n if (account.refreshToken) tokens.refresh_token = account.refreshToken;\n if (expiryDate) tokens.expiry_date = expiryDate;\n if (account.scope) tokens.scope = account.scope;\n if (account.idToken) tokens.id_token = account.idToken;\n\n await saveOAuthTokens(\"google\", email, tokens, email);\n}\n\nasync function ensureBetterAuthTables(): Promise<void> {\n const db = getDbExec();\n const statements = isPostgres()\n ? 
[\n `CREATE TABLE IF NOT EXISTS \"user\" (id TEXT PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE, email_verified BOOLEAN NOT NULL DEFAULT FALSE, image TEXT, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS \"session\" (id TEXT PRIMARY KEY, expires_at TIMESTAMPTZ NOT NULL, token TEXT NOT NULL UNIQUE, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL, ip_address TEXT, user_agent TEXT, user_id TEXT NOT NULL, active_organization_id TEXT)`,\n `CREATE TABLE IF NOT EXISTS \"account\" (id TEXT PRIMARY KEY, account_id TEXT NOT NULL, provider_id TEXT NOT NULL, user_id TEXT NOT NULL, access_token TEXT, refresh_token TEXT, id_token TEXT, access_token_expires_at TIMESTAMPTZ, refresh_token_expires_at TIMESTAMPTZ, scope TEXT, password TEXT, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS \"verification\" (id TEXT PRIMARY KEY, identifier TEXT NOT NULL, value TEXT NOT NULL, expires_at TIMESTAMPTZ NOT NULL, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS \"organization\" (id TEXT PRIMARY KEY, name TEXT NOT NULL, slug TEXT NOT NULL UNIQUE, logo TEXT, metadata TEXT, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS \"member\" (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, user_id TEXT NOT NULL, role TEXT NOT NULL DEFAULT 'member', created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS \"invitation\" (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, email TEXT NOT NULL, role TEXT, status TEXT NOT NULL DEFAULT 'pending', expires_at TIMESTAMPTZ NOT NULL, inviter_id TEXT NOT NULL, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS \"jwks\" (id TEXT PRIMARY KEY, public_key TEXT NOT NULL, private_key TEXT NOT NULL, created_at TIMESTAMPTZ NOT NULL, expires_at 
TIMESTAMPTZ)`,\n ]\n : [\n `CREATE TABLE IF NOT EXISTS user (id TEXT PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE, email_verified INTEGER NOT NULL DEFAULT 0, image TEXT, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS session (id TEXT PRIMARY KEY, expires_at INTEGER NOT NULL, token TEXT NOT NULL UNIQUE, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL, ip_address TEXT, user_agent TEXT, user_id TEXT NOT NULL, active_organization_id TEXT)`,\n `CREATE TABLE IF NOT EXISTS account (id TEXT PRIMARY KEY, account_id TEXT NOT NULL, provider_id TEXT NOT NULL, user_id TEXT NOT NULL, access_token TEXT, refresh_token TEXT, id_token TEXT, access_token_expires_at INTEGER, refresh_token_expires_at INTEGER, scope TEXT, password TEXT, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS verification (id TEXT PRIMARY KEY, identifier TEXT NOT NULL, value TEXT NOT NULL, expires_at INTEGER NOT NULL, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS organization (id TEXT PRIMARY KEY, name TEXT NOT NULL, slug TEXT NOT NULL UNIQUE, logo TEXT, metadata TEXT, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS member (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, user_id TEXT NOT NULL, role TEXT NOT NULL DEFAULT 'member', created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS invitation (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, email TEXT NOT NULL, role TEXT, status TEXT NOT NULL DEFAULT 'pending', expires_at INTEGER NOT NULL, inviter_id TEXT NOT NULL, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS jwks (id TEXT PRIMARY KEY, public_key TEXT NOT NULL, private_key TEXT NOT NULL, created_at INTEGER NOT NULL, expires_at INTEGER)`,\n ];\n\n for (const sql of statements) await db.execute(sql);\n}\n\n/**\n * Get or create the 
Better Auth instance.\n * Lazily initialized on first call — the database must be reachable by then.\n */\nexport async function getBetterAuth(\n config?: BetterAuthConfig,\n): Promise<BetterAuthInstance> {\n if (_auth) return _auth;\n if (_initPromise) return _initPromise;\n\n _initPromise = createBetterAuthInstance(config);\n _auth = await _initPromise;\n return _auth;\n}\n\n/**\n * Synchronous getter — returns the instance if already initialized, else undefined.\n * Use this in hot paths where you know init has already happened.\n */\nexport function getBetterAuthSync(): BetterAuthInstance | undefined {\n return _auth;\n}\n\n/** Reset for testing */\nexport async function resetBetterAuth(): Promise<void> {\n _auth = undefined;\n _initPromise = undefined;\n if (_neonAuthPool) {\n try {\n await _neonAuthPool.end();\n } catch {\n // Pool may have already closed (process exiting, etc.) — don't block reset.\n }\n _neonAuthPool = undefined;\n }\n}\n\n// ---------------------------------------------------------------------------\n// Instance creation\n// ---------------------------------------------------------------------------\n\nasync function createBetterAuthInstance(\n config?: BetterAuthConfig,\n): Promise<BetterAuthInstance> {\n const dialect = getDialect();\n const basePath = config?.basePath ?? \"/_agent-native/auth/ba\";\n await ensureBetterAuthTables();\n\n // Build social providers from env vars\n const socialProviders: BetterAuthOptions[\"socialProviders\"] = {\n ...config?.socialProviders,\n };\n\n if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {\n // When the template requests broader scopes (Gmail, Calendar, etc.)\n // ask for them on the primary sign-in flow so a separate \"Connect\n // Google\" round-trip isn't needed. `accessType: \"offline\"` plus\n // `prompt: \"consent\"` ensures we always receive a refresh token back —\n // Google only re-issues a refresh token on consent, so re-signing in\n // (e.g. 
after switching machines) would otherwise leave us with an\n // access token that can't be refreshed.\n const extraScopes = config?.googleScopes ?? [];\n const baseScopes = [\"openid\", \"email\", \"profile\"];\n const mergedScopes = Array.from(new Set([...baseScopes, ...extraScopes]));\n socialProviders.google = {\n clientId: process.env.GOOGLE_CLIENT_ID,\n clientSecret: process.env.GOOGLE_CLIENT_SECRET,\n ...(extraScopes.length > 0\n ? {\n scope: mergedScopes,\n accessType: \"offline\" as const,\n prompt: \"consent\" as const,\n }\n : {}),\n };\n }\n\n if (process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET) {\n socialProviders.github = {\n clientId: process.env.GITHUB_CLIENT_ID,\n clientSecret: process.env.GITHUB_CLIENT_SECRET,\n };\n }\n\n // Build database config\n const database = await buildDatabaseConfig(dialect);\n\n const secret = resolveAuthSecret();\n\n const appUrl = getAppProductionUrl();\n const requireEmailVerification =\n isEmailConfigured() && !shouldSkipEmailVerification();\n\n const auth = betterAuth({\n basePath,\n baseURL: appUrl,\n database,\n secret,\n emailAndPassword: {\n enabled: true,\n minPasswordLength: 8,\n // Only require email verification when an email provider is configured.\n // Without a provider, verification emails can't be sent, so requiring\n // verification would lock users out of signup entirely. Local dev/test\n // skip verification by default so +qa accounts can be created quickly;\n // hosted QA deployments can opt out with AUTH_SKIP_EMAIL_VERIFICATION=1.\n requireEmailVerification,\n sendResetPassword: async ({ user, token }) => {\n // APP_BASE_PATH lets this app mount under a prefix (e.g. /mail). 
The\n // reset link must include that prefix so the page resolves correctly.\n const appBasePath = (\n process.env.VITE_APP_BASE_PATH ||\n process.env.APP_BASE_PATH ||\n \"\"\n ).replace(/\\/$/, \"\");\n const resetUrl = `${appUrl}${appBasePath}/_agent-native/auth/reset?token=${encodeURIComponent(token)}`;\n const { subject, html, text } = renderResetPasswordEmail({\n email: user.email,\n resetUrl,\n });\n await sendEmail({ to: user.email, subject, html, text });\n },\n },\n emailVerification: {\n // Fire verification email right after signup, before the user has a\n // session — pairs with requireEmailVerification above. Only enabled\n // when an email provider is configured.\n sendOnSignUp: requireEmailVerification,\n // Auto-create a session once the user clicks the link. Without this,\n // verified users would have to go back and sign in manually, which is\n // a confusing dead-end on the verify screen.\n autoSignInAfterVerification: true,\n sendVerificationEmail: async ({ user, url }) => {\n // APP_BASE_PATH lets this app mount under a prefix (e.g. /mail). The\n // verification link must include that prefix so the page resolves correctly.\n const verifyBasePath = (\n process.env.VITE_APP_BASE_PATH ||\n process.env.APP_BASE_PATH ||\n \"\"\n ).replace(/\\/$/, \"\");\n const verifyUrl = verifyBasePath\n ? url.replace(/(\\/\\/[^/]+)(\\/)/, `$1${verifyBasePath}$2`)\n : url;\n const { subject, html, text } = renderVerifySignupEmail({\n email: user.email,\n verifyUrl,\n });\n await sendEmail({ to: user.email, subject, html, text });\n },\n },\n socialProviders,\n account: {\n // Merge accounts when a user signs in with a social provider using an\n // email that already has a local email/password account (or vice versa).\n // Only providers listed in `trustedProviders` auto-link — these are the\n // ones that verify emails at the identity layer. 
Never add a provider\n // here that lets users claim an unverified email; that would be an\n // account-takeover vector.\n accountLinking: {\n enabled: true,\n trustedProviders: [\"google\", \"github\"],\n },\n },\n databaseHooks: {\n user: {\n create: {\n after: async (user: {\n id?: string;\n email?: string;\n name?: string | null;\n }) => {\n // When a newly-created user's email has pending org invitations\n // (common when someone is invited *before* they've signed up),\n // auto-accept them so the user lands in the org on their very\n // first page load instead of a blank-slate workspace.\n const email = user?.email;\n if (!email) return;\n identify(email, {\n email,\n name: user.name ?? undefined,\n authUserId: user.id,\n });\n track(\n \"signup\",\n {\n auth_provider: \"better-auth\",\n auth_user_id: user.id,\n },\n { userId: email },\n );\n try {\n await acceptPendingInvitationsForEmail(email);\n } catch (err) {\n // Never block signup on invite bookkeeping — log and continue.\n console.error(\n \"[auth] failed to auto-accept pending invitations\",\n err,\n );\n }\n },\n },\n },\n account: {\n // Mirror Google account tokens into `oauth_tokens` so existing\n // template code (mail's Gmail client, calendar's events fetcher)\n // can pick up Gmail/Calendar credentials from the primary sign-in\n // flow — no separate \"Set up Google\" page required.\n //\n // Better Auth fires `create` for first-time social sign-in and\n // `update` whenever a session re-issues tokens (e.g., the user\n // re-signs in to refresh the token). 
Both branches do the same\n // mirroring work; failures never block sign-in.\n create: {\n after: async (account: any) => {\n await mirrorGoogleAccountToOAuthTokens(account).catch((err) => {\n console.error(\n \"[auth] failed to mirror Google account tokens to oauth_tokens (create)\",\n err,\n );\n });\n },\n },\n update: {\n after: async (account: any) => {\n await mirrorGoogleAccountToOAuthTokens(account).catch((err) => {\n console.error(\n \"[auth] failed to mirror Google account tokens to oauth_tokens (update)\",\n err,\n );\n });\n },\n },\n },\n },\n session: {\n expiresIn: 60 * 60 * 24 * 30, // 30 days\n updateAge: 60 * 60 * 24, // refresh daily\n cookieCache: {\n enabled: true,\n maxAge: 5 * 60, // 5 min cache\n },\n },\n advanced: {\n cookiePrefix: \"an\",\n // Emit `SameSite=None; Secure` when the app is served over HTTPS so\n // session cookies are delivered inside third-party iframes (e.g. the\n // Builder.io editor). Plain-HTTP dev keeps the default (Lax) because\n // `SameSite=None` requires Secure.\n ...(appUrl.startsWith(\"https://\")\n ? {\n defaultCookieAttributes: {\n sameSite: \"none\" as const,\n secure: true,\n partitioned: true,\n },\n }\n : {}),\n },\n plugins: [\n // Organizations: many:many user:org, roles, invitations\n organization(),\n // JWT: issue tokens for A2A calls, JWKS endpoint for verification\n jwt({\n jwt: {\n issuer: appUrl,\n expirationTime: \"15m\",\n },\n }),\n // Bearer: accept Bearer tokens on API requests\n bearer(),\n ...(config?.plugins ?? []),\n ],\n });\n\n return auth as unknown as BetterAuthInstance;\n}\n\nasync function buildDatabaseConfig(\n dialect: string,\n): Promise<BetterAuthOptions[\"database\"]> {\n if (dialect === \"postgres\") {\n const url = getDatabaseUrl();\n const { isNeonUrl } = await import(\"../db/create-get-db.js\");\n\n // Neon via @neondatabase/serverless (WebSockets over HTTPS). 
postgres-js\n // opens a raw TCP connection on port 5432 which frequently times out on\n // Netlify Functions / Vercel / CF Workers when Neon's pooler is cold.\n if (isNeonUrl(url)) {\n const { Pool } = await import(\"@neondatabase/serverless\");\n _neonAuthPool = new Pool({ connectionString: url });\n const { drizzle } = await import(\"drizzle-orm/neon-serverless\");\n const db = drizzle(_neonAuthPool, { schema: pgAuthSchema });\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\n return drizzleAdapter(db, {\n provider: \"pg\",\n schema: pgAuthSchema,\n });\n }\n\n // Non-Neon Postgres (Supabase, self-hosted, etc.) → postgres-js\n const { default: postgres } = await import(\"postgres\");\n const sql = postgres(url, {\n onnotice: () => {},\n idle_timeout: 240,\n max_lifetime: 60 * 30,\n connect_timeout: 10,\n ...(url.includes(\"supabase\") ? { prepare: false } : {}),\n });\n const { drizzle } = await import(\"drizzle-orm/postgres-js\");\n const db = drizzle(sql, { schema: pgAuthSchema });\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\n return drizzleAdapter(db, {\n provider: \"pg\",\n schema: pgAuthSchema,\n });\n }\n\n // SQLite / libsql\n const url = getDatabaseUrl(\"file:./data/app.db\");\n\n if (url.startsWith(\"file:\") || !url.includes(\"://\")) {\n // Local SQLite via better-sqlite3\n const { default: Database } = await import(\"better-sqlite3\");\n const filePath = url.replace(/^file:/, \"\");\n const sqlite = new Database(filePath);\n sqlite.pragma(\"journal_mode = WAL\");\n const { drizzle } = await import(\"drizzle-orm/better-sqlite3\");\n const db = drizzle(sqlite, { schema: sqliteAuthSchema });\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\n return drizzleAdapter(db, {\n provider: \"sqlite\",\n schema: sqliteAuthSchema,\n });\n }\n\n // Remote libsql (Turso)\n const { createClient } = await import(\"@libsql/client\");\n const client = createClient({ url, authToken: 
getDatabaseAuthToken() });\n const { drizzle } = await import(\"drizzle-orm/libsql\");\n const db = drizzle(client, { schema: sqliteAuthSchema });\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\n return drizzleAdapter(db, {\n provider: \"sqlite\",\n schema: sqliteAuthSchema,\n });\n}\n"]}
|
|
1
|
+
{"version":3,"file":"better-auth-instance.js","sourceRoot":"","sources":["../../src/server/better-auth-instance.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,UAAU,EAA0B,MAAM,aAAa,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAC;AAChE,OAAO,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC1D,OAAO,EACL,wBAAwB,EACxB,uBAAuB,GACxB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EAAE,gCAAgC,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,0BAA0B,EAAE,MAAM,4BAA4B,CAAC;AACxE,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EACL,UAAU,EACV,cAAc,EACd,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,OAAO,EACP,IAAI,IAAI,MAAM,EACd,SAAS,IAAI,WAAW,EACxB,OAAO,IAAI,SAAS,GACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,WAAW,EACX,IAAI,IAAI,UAAU,EAClB,OAAO,IAAI,aAAa,GACzB,MAAM,yBAAyB,CAAC;AAEjC,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,SAAS,iBAAiB;IACxB,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAE1E,yEAAyE;IACzE,wEAAwE;IACxE,uEAAuE;IACvE,oEAAoE;IACpE,kEAAkE;IAClE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACtD,MAAM,IAAI,KAAK,CACb,+EAA+E;YAC7E,0EAA0E;YAC1E,0DAA0D;YAC1D,wBAAwB,MAAM,MAAM;YACpC,uEAAuE;YACvE,uEAAuE;YACvE,qFAAqF;YACrF,qCAAqC,CACxC,CAAC;IACJ,CAAC;IAED,oEAAoE;IACpE,wEAAwE;IACxE,uEAAuE;IACvE,qEAAqE;IACrE,QAAQ;IACR,EAAE;IACF,yDAAyD;IACzD,+DAA+D;IAC/D,qEAAqE;IACrE,sEAAsE;IACtE,mDAAmD;IACnD,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,YAAY,CAAC,CAAC;QAC/D,MAAM,QAAQ,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;QAClD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,QAAQ,CAAC,CAAC,mGAAmG;YAC9I,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,MAAM,
SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACzD,oBAAoB,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,SAAS,CAAC,CAAC,sGAAsG;QAClJ,OAAO,CAAC,GAAG,CACT,0EAA0E;YACxE,iDAAiD;YACjD,4EAA4E,CAC/E,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,qEAAqE;QACrE,oEAAoE;QACpE,qEAAqE;QACrE,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACzD,OAAO,CAAC,IAAI,CACV,oEAAoE;YAClE,gEAAgE;YAChE,wDAAwD;YACxD,oFAAoF,CACvF,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,YAAoB;IAC9C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QACtD,oEAAoE;QACpE,oEAAoE;QACpE,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CACrB,8DAA8D,CAC/D,CAAC;QACF,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,YAAoB,EAAE,MAAc;IAChE,MAAM,MAAM,GACV,+DAA+D;QAC/D,oEAAoE;QACpE,2DAA2D,CAAC;IAC9D,MAAM,IAAI,GAAG,sBAAsB,MAAM,IAAI,CAAC;IAE9C,yEAAyE;IACzE,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QACvD,MAAM,mBAAmB,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC5E,EAAE,CAAC,cAAc,CACf,YAAY,EACZ,CAAC,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CACzD,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACjE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,2BAA2B;IACzC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;IACvD,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,CAC1E,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,OAAO,UAAU,KAAK,EAAE,IAAI,UAAU,KAAK,GAAG,IAAI,UAAU,KAAK,OAAO,CAAC;AAC3E,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,aAAa;IAC3B,OAAO,iBAAiB,EAAE,CAAC;AAC7B,CAAC;AA2DD,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,IAAI,KAAqC,CAAC;AAC1C,IAAI,YAAq
D,CAAC;AAC1D,8EAA8E;AAC9E,6EAA6E;AAC7E,wEAAwE;AACxE,IAAI,aAAkB,CAAC;AAEvB,MAAM,YAAY,GAAG;IACnB,IAAI,EAAE,OAAO,CAAC,MAAM,EAAE;QACpB,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAC9B,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QACzC,aAAa,EAAE,SAAS,CAAC,gBAAgB,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;QACnE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC;QACtB,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,OAAO,EAAE,OAAO,CAAC,SAAS,EAAE;QAC1B,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QACzC,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC;QAC/B,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC;QAC/B,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACnC,oBAAoB,EAAE,MAAM,CAAC,wBAAwB,CAAC;KACvD,CAAC;IACF,OAAO,EAAE,OAAO,CAAC,SAAS,EAAE;QAC1B,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QACzC,UAAU,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC3C,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACnC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC;QACnC,YAAY,EAAE,MAAM,CAAC,eAAe,CAAC;QACrC,OAAO,EAAE,MAAM,CAAC,UAAU,CAAC;QAC3B,oBAAoB,EAAE,WAAW,CAAC,yBAAyB,EAAE;YAC3D,YAAY,EAAE,IAAI;SACnB,CAAC;QACF,qBAAqB,EAAE,WAAW,CAAC,0BAA0B,EAAE;YAC7D,YAAY,EAAE,IAAI;SACnB,CAAC;QACF,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC;QAC5B,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,YAAY,EAAE,OAAO,CAAC,cAAc,EAAE;QACpC,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,UAAU,EAAE,MAAM,CAAC,YAAY,
CAAC,CAAC,OAAO,EAAE;QAC1C,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QAChC,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,YAAY,EAAE,OAAO,CAAC,cAAc,EAAE;QACpC,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAC9B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QACvC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC;QAC5B,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,MAAM,EAAE,OAAO,CAAC,QAAQ,EAAE;QACxB,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,cAAc,EAAE,MAAM,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACnD,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACnC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;QAChD,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,UAAU,EAAE,OAAO,CAAC,YAAY,EAAE;QAChC,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,cAAc,EAAE,MAAM,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACnD,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QAChC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;QACrD,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QACzC,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KACvE,CAAC;IACF,IAAI,EAAE,OAAO,CAAC,MAAM,EAAE;QACpB,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QAC7B,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QACzC,UAAU,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC,OAA
O,EAAE;QAC3C,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QACtE,SAAS,EAAE,WAAW,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;KAC7D,CAAC;CACH,CAAC;AAEF,MAAM,gBAAgB,GAAG;IACvB,IAAI,EAAE,WAAW,CAAC,MAAM,EAAE;QACxB,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAClC,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QAC7C,aAAa,EAAE,aAAa,CAAC,gBAAgB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;aAChE,OAAO,EAAE;aACT,OAAO,CAAC,KAAK,CAAC;QACjB,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC;QAC1B,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,OAAO,EAAE,WAAW,CAAC,SAAS,EAAE;QAC9B,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QAC7C,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC;QACnC,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC;QACnC,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACvC,oBAAoB,EAAE,UAAU,CAAC,wBAAwB,CAAC;KAC3D,CAAC;IACF,OAAO,EAAE,WAAW,CAAC,SAAS,EAAE;QAC9B,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC7C,UAAU,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC/C,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACvC,WAAW,EAAE,UAAU,CAAC,cAAc,CAAC;QACvC,YAAY,EAAE,UAAU,CAAC,eAAe,CAAC;QACzC,OAAO,EAAE,UAAU,CAAC,UAAU,CAAC;QAC/B,oBAAoB,EAAE,aAAa,CAAC,yBAAyB,EAAE;YAC7D,IAAI,EAAE,cAAc;SACrB,CAAC;QACF,qBAAqB,EAAE,aAAa,CAAC,0BAA0B,EAAE;YAC/D,IAAI,EAAE,cAAc;SACrB,CAAC;QACF,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC;QAC1B,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC;QAChC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC
,OAAO,EAAE;KAC3E,CAAC;IACF,YAAY,EAAE,WAAW,CAAC,cAAc,EAAE;QACxC,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,UAAU,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC9C,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QACpC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,YAAY,EAAE,WAAW,CAAC,cAAc,EAAE;QACxC,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE;QAClC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;QAC3C,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC;QACxB,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC;QAChC,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,MAAM,EAAE,WAAW,CAAC,QAAQ,EAAE;QAC5B,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,cAAc,EAAE,UAAU,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACvD,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;QACvC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;QACpD,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,UAAU,EAAE,WAAW,CAAC,YAAY,EAAE;QACpC,EAAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,cAAc,EAAE,UAAU,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;QACvD,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;QACpC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC;QACxB,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;QACzD,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC7C,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;KAC3E,CAAC;IACF,IAAI,EAAE,WAAW,CAAC,MAAM,EAAE;QACxB,E
AAE,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;QACjC,SAAS,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;QAC7C,UAAU,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;QAC/C,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1E,SAAS,EAAE,aAAa,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;KACjE,CAAC;CACH,CAAC;AAEF,SAAS,mBAAmB;IAC1B,OAAO,UAAU,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,gBAAgB,CAAC;AACxD,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,KAAK,UAAU,gCAAgC,CAAC,OAS/C;IACC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,KAAK,QAAQ;QAAE,OAAO;IACxD,IAAI,CAAC,OAAO,CAAC,MAAM;QAAE,OAAO;IAE5B,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,SAAS,CAAC;IACrD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,iEAAiE;QACjE,kEAAkE;QAClE,oDAAoD;QACpD,OAAO;IACT,CAAC;IAED,kCAAkC;IAClC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;IACvB,IAAI,KAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YAChC,GAAG,EAAE,uCAAuC;YAC5C,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;SACvB,CAAC,CAAC;QACH,KAAK,GAAI,IAAI,CAAC,CAAC,CAAC,EAAE,KAA4B,IAAI,SAAS,CAAC;IAC9D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CACX,uEAAuE,EACvE,GAAG,CACJ,CAAC;QACF,OAAO;IACT,CAAC;IACD,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,uEAAuE;IACvE,6BAA6B;IAC7B,IAAI,UAA8B,CAAC;IACnC,MAAM,GAAG,GAAG,OAAO,CAAC,oBAAoB,CAAC;IACzC,IAAI,GAAG,YAAY,IAAI,EAAE,CAAC;QACxB,UAAU,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;IAC7B,CAAC;SAAM,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,UAAU,GAAG,GAAG,CAAC;IACnB,CAAC;SAAM,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3B,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IACpD,CAAC;IAED,MAAM,MAAM,GAA4B;QACtC,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,QAAQ;KACrB,CAAC;IACF,IAAI,OAAO,CAAC,YAAY;QAAE,MAAM,CAAC,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;IACtE,IAAI,UAAU;QAAE,MAAM,CAAC,WAAW,GAAG,UAAU,CAAC;IAChD,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAChD,IAAI,OAAO,CAAC,OAAO;QAAE,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAEvD,MAAM,eAAe,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;AACxD,CAAC;A
AED,KAAK,UAAU,sBAAsB;IACnC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,UAAU,EAAE;QAC7B,CAAC,CAAC;YACE,sOAAsO;YACtO,iRAAiR;YACjR,sWAAsW;YACtW,mNAAmN;YACnN,4MAA4M;YAC5M,wNAAwN;YACxN,mSAAmS;YACnS,uKAAuK;SACxK;QACH,CAAC,CAAC;YACE,wNAAwN;YACxN,mQAAmQ;YACnQ,oVAAoV;YACpV,qMAAqM;YACrM,kMAAkM;YAClM,8MAA8M;YAC9M,qRAAqR;YACrR,6JAA6J;SAC9J,CAAC;IAEN,KAAK,MAAM,GAAG,IAAI,UAAU;QAAE,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAyB;IAEzB,IAAI,KAAK;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,YAAY,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;IAChD,KAAK,GAAG,MAAM,YAAY,CAAC;IAC3B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,wBAAwB;AACxB,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,KAAK,GAAG,SAAS,CAAC;IAClB,YAAY,GAAG,SAAS,CAAC;IACzB,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,aAAa,CAAC,GAAG,EAAE,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,4EAA4E;QAC9E,CAAC;QACD,aAAa,GAAG,SAAS,CAAC;IAC5B,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,KAAK,UAAU,wBAAwB,CACrC,MAAyB;IAEzB,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;IAC7B,MAAM,QAAQ,GAAG,MAAM,EAAE,QAAQ,IAAI,wBAAwB,CAAC;IAC9D,MAAM,sBAAsB,EAAE,CAAC;IAE/B,uCAAuC;IACvC,MAAM,eAAe,GAAyC;QAC5D,GAAG,MAAM,EAAE,eAAe;KAC3B,CAAC;IAEF,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;QACrE,oEAAoE;QACpE,kEAAkE;QAClE,gEAAgE;QAChE,uEAAuE;QACvE,qEAAqE;QACrE,mEAAmE;QACnE,wCAAwC;QACxC,MAAM,WAAW,GAAG,MAAM,EAAE,YAAY,IAAI,EAAE,CAAC;QAC/C,MAAM,UAAU,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;QAClD,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,UAAU,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC1E,eAAe,CAAC,MAAM,GAAG;YACvB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB;YACtC,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;YAC9C,GAAG,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC;gBACxB,CAAC,CAAC;oBACE,KAAK,EAAE,YAAY;oBACnB,UAAU,EAAE,SAAkB;oBAC9B,MAAM,EAAE,SAAkB;iBAC3B;gBACH,CAAC,CAAC,EAAE,CAAC;SACR,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,
EAAE,CAAC;QACrE,eAAe,CAAC,MAAM,GAAG;YACvB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB;YACtC,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;SAC/C,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAEpD,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;IAEnC,MAAM,MAAM,GAAG,mBAAmB,EAAE,CAAC;IACrC,MAAM,wBAAwB,GAC5B,iBAAiB,EAAE,IAAI,CAAC,2BAA2B,EAAE,CAAC;IAExD,MAAM,IAAI,GAAG,UAAU,CAAC;QACtB,QAAQ;QACR,OAAO,EAAE,MAAM;QACf,QAAQ;QACR,MAAM;QACN,gBAAgB,EAAE;YAChB,OAAO,EAAE,IAAI;YACb,iBAAiB,EAAE,CAAC;YACpB,wEAAwE;YACxE,sEAAsE;YACtE,uEAAuE;YACvE,uEAAuE;YACvE,yEAAyE;YACzE,wBAAwB;YACxB,iBAAiB,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE;gBAC3C,qEAAqE;gBACrE,sEAAsE;gBACtE,MAAM,WAAW,GAAG,CAClB,OAAO,CAAC,GAAG,CAAC,kBAAkB;oBAC9B,OAAO,CAAC,GAAG,CAAC,aAAa;oBACzB,EAAE,CACH,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrB,MAAM,QAAQ,GAAG,GAAG,MAAM,GAAG,WAAW,mCAAmC,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;gBACvG,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,wBAAwB,CAAC;oBACvD,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,QAAQ;iBACT,CAAC,CAAC;gBACH,MAAM,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3D,CAAC;SACF;QACD,iBAAiB,EAAE;YACjB,oEAAoE;YACpE,oEAAoE;YACpE,wCAAwC;YACxC,YAAY,EAAE,wBAAwB;YACtC,qEAAqE;YACrE,sEAAsE;YACtE,6CAA6C;YAC7C,2BAA2B,EAAE,IAAI;YACjC,qBAAqB,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE;gBAC7C,qEAAqE;gBACrE,6EAA6E;gBAC7E,MAAM,cAAc,GAAG,CACrB,OAAO,CAAC,GAAG,CAAC,kBAAkB;oBAC9B,OAAO,CAAC,GAAG,CAAC,aAAa;oBACzB,EAAE,CACH,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrB,MAAM,SAAS,GAAG,cAAc;oBAC9B,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,iBAAiB,EAAE,KAAK,cAAc,IAAI,CAAC;oBACzD,CAAC,CAAC,GAAG,CAAC;gBACR,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,uBAAuB,CAAC;oBACtD,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,SAAS;iBACV,CAAC,CAAC;gBACH,MAAM,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3D,CAAC;SACF;QACD,eAAe;QACf,OAAO,EAAE;YACP,sEAAsE;YACtE,yEAAyE;YACzE,wEAAwE;YACxE,sEAAsE;YACtE,mEAAmE;YACnE,2BAA2B;YAC3B,cAAc,EAAE;gBACd,OAAO,EAAE,IAAI;gBACb,gB
AAgB,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;aACvC;SACF;QACD,aAAa,EAAE;YACb,IAAI,EAAE;gBACJ,MAAM,EAAE;oBACN,KAAK,EAAE,KAAK,EAAE,IAIb,EAAE,EAAE;wBACH,gEAAgE;wBAChE,+DAA+D;wBAC/D,8DAA8D;wBAC9D,sDAAsD;wBACtD,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,CAAC;wBAC1B,IAAI,CAAC,KAAK;4BAAE,OAAO;wBACnB,QAAQ,CAAC,KAAK,EAAE;4BACd,KAAK;4BACL,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,SAAS;4BAC5B,UAAU,EAAE,IAAI,CAAC,EAAE;yBACpB,CAAC,CAAC;wBACH,KAAK,CACH,QAAQ,EACR;4BACE,aAAa,EAAE,aAAa;4BAC5B,YAAY,EAAE,IAAI,CAAC,EAAE;yBACtB,EACD,EAAE,MAAM,EAAE,KAAK,EAAE,CAClB,CAAC;wBACF,IAAI,CAAC;4BACH,MAAM,gCAAgC,CAAC,KAAK,CAAC,CAAC;wBAChD,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,+DAA+D;4BAC/D,OAAO,CAAC,KAAK,CACX,kDAAkD,EAClD,GAAG,CACJ,CAAC;wBACJ,CAAC;wBACD,IAAI,CAAC;4BACH,2DAA2D;4BAC3D,yDAAyD;4BACzD,wDAAwD;4BACxD,0DAA0D;4BAC1D,MAAM,0BAA0B,CAAC,KAAK,CAAC,CAAC;wBAC1C,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,OAAO,CAAC,KAAK,CACX,iDAAiD,EACjD,GAAG,CACJ,CAAC;wBACJ,CAAC;oBACH,CAAC;iBACF;aACF;YACD,OAAO,EAAE;gBACP,+DAA+D;gBAC/D,iEAAiE;gBACjE,kEAAkE;gBAClE,oDAAoD;gBACpD,EAAE;gBACF,+DAA+D;gBAC/D,+DAA+D;gBAC/D,+DAA+D;gBAC/D,gDAAgD;gBAChD,MAAM,EAAE;oBACN,KAAK,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;wBAC5B,MAAM,gCAAgC,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;4BAC5D,OAAO,CAAC,KAAK,CACX,wEAAwE,EACxE,GAAG,CACJ,CAAC;wBACJ,CAAC,CAAC,CAAC;oBACL,CAAC;iBACF;gBACD,MAAM,EAAE;oBACN,KAAK,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;wBAC5B,MAAM,gCAAgC,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;4BAC5D,OAAO,CAAC,KAAK,CACX,wEAAwE,EACxE,GAAG,CACJ,CAAC;wBACJ,CAAC,CAAC,CAAC;oBACL,CAAC;iBACF;aACF;SACF;QACD,OAAO,EAAE;YACP,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,UAAU;YACxC,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,gBAAgB;YACzC,WAAW,EAAE;gBACX,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,cAAc;aAC/B;SACF;QACD,QAAQ,EAAE;YACR,YAAY,EAAE,IAAI;YAClB,oEAAoE;YACpE,qEAAqE;YACrE,qEAAqE;YACrE,mCAAmC;YACnC,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;gBAC/B,CAAC,CAAC;oBACE,uBAAuB,EAAE;wBACvB,QAAQ,EAAE,MAAe;wBACzB,MAAM,EAAE,IAAI;wBACZ,WAAW,EAAE,IAAI;qBAClB;iBACF;gBACH,CAAC,CAAC,EAAE,CAAC;S
ACR;QACD,OAAO,EAAE;YACP,wDAAwD;YACxD,YAAY,EAAE;YACd,kEAAkE;YAClE,GAAG,CAAC;gBACF,GAAG,EAAE;oBACH,MAAM,EAAE,MAAM;oBACd,cAAc,EAAE,KAAK;iBACtB;aACF,CAAC;YACF,+CAA+C;YAC/C,MAAM,EAAE;YACR,GAAG,CAAC,MAAM,EAAE,OAAO,IAAI,EAAE,CAAC;SAC3B;KACF,CAAC,CAAC;IAEH,OAAO,IAAqC,CAAC;AAC/C,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,OAAe;IAEf,IAAI,OAAO,KAAK,UAAU,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,cAAc,EAAE,CAAC;QAC7B,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAE7D,yEAAyE;QACzE,wEAAwE;QACxE,sEAAsE;QACtE,IAAI,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;YAC1D,aAAa,GAAG,IAAI,IAAI,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,CAAC,CAAC;YACpD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;YAChE,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;YAC5D,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;YACxE,OAAO,cAAc,CAAC,EAAE,EAAE;gBACxB,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,YAAY;aACrB,CAAC,CAAC;QACL,CAAC;QAED,gEAAgE;QAChE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QACvD,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,EAAE;YACxB,QAAQ,EAAE,GAAG,EAAE,GAAE,CAAC;YAClB,YAAY,EAAE,GAAG;YACjB,YAAY,EAAE,EAAE,GAAG,EAAE;YACrB,eAAe,EAAE,EAAE;YACnB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACxD,CAAC,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAC5D,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;QAClD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;QACxE,OAAO,cAAc,CAAC,EAAE,EAAE;YACxB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,YAAY;SACrB,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,MAAM,GAAG,GAAG,cAAc,CAAC,oBAAoB,CAAC,CAAC;IAEjD,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,kCAAkC;QAClC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC7D,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,oBAAo
B,CAAC,CAAC;QACpC,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;QAC/D,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;QACzD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;QACxE,OAAO,cAAc,CAAC,EAAE,EAAE;YACxB,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,gBAAgB;SACzB,CAAC,CAAC;IACL,CAAC;IAED,wBAAwB;IACxB,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACxD,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,oBAAoB,EAAE,EAAE,CAAC,CAAC;IACxE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;IACzD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;IACxE,OAAO,cAAc,CAAC,EAAE,EAAE;QACxB,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,gBAAgB;KACzB,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Internal Better Auth instance — lazily created, not exported to templates.\n *\n * Templates interact with auth via the existing `getSession()`, `autoMountAuth()`,\n * `createAuthPlugin()`, and `createGoogleAuthPlugin()` APIs. 
Better Auth is an\n * implementation detail behind those interfaces.\n */\n\nimport crypto from \"node:crypto\";\nimport fs from \"node:fs\";\nimport path from \"node:path\";\nimport { betterAuth, type BetterAuthOptions } from \"better-auth\";\nimport { organization } from \"better-auth/plugins/organization\";\nimport { jwt } from \"better-auth/plugins/jwt\";\nimport { bearer } from \"better-auth/plugins/bearer\";\nimport { sendEmail, isEmailConfigured } from \"./email.js\";\nimport {\n renderResetPasswordEmail,\n renderVerifySignupEmail,\n} from \"./email-templates.js\";\nimport { getAppProductionUrl } from \"./app-url.js\";\nimport { getDbExec, isPostgres } from \"../db/client.js\";\nimport { acceptPendingInvitationsForEmail } from \"../org/accept-pending.js\";\nimport { autoJoinDomainMatchingOrgs } from \"../org/auto-join-domain.js\";\nimport { saveOAuthTokens } from \"../oauth-tokens/store.js\";\nimport { identify, track } from \"../tracking/index.js\";\nimport {\n getDialect,\n getDatabaseUrl,\n getDatabaseAuthToken,\n} from \"../db/client.js\";\nimport {\n pgTable,\n text as pgText,\n timestamp as pgTimestamp,\n boolean as pgBoolean,\n} from \"drizzle-orm/pg-core\";\nimport {\n sqliteTable,\n text as sqliteText,\n integer as sqliteInteger,\n} from \"drizzle-orm/sqlite-core\";\n\n// ---------------------------------------------------------------------------\n// Persistent auth secret\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve the Better Auth signing secret.\n *\n * Resolution order:\n * 1. `BETTER_AUTH_SECRET` env var — explicit, recommended for prod.\n * 2. `.env.local` in the template cwd — a per-workspace persistent secret\n * that the framework writes once on first boot when no secret is set.\n * Gitignored by convention (`.env*` in template .gitignore files), so\n * it's safe to persist credentials here.\n * 3. Generate a new random 32-byte hex, write it to `.env.local`, and use\n * it. 
Subsequent restarts re-read the same file — so session cookies\n * signed by a previous boot remain valid across dev-server restarts.\n *\n * Why this matters: before this helper existed, missing `BETTER_AUTH_SECRET`\n * fell through to `GOOGLE_CLIENT_SECRET` / `ACCESS_TOKEN` / a hardcoded\n * string. If a template happened to have none of those, each dev-server\n * boot would re-fall back to the hardcoded value (still stable) — but\n * rotating Google credentials, toggling `ACCESS_TOKEN`, or churning the\n * fallback chain would invalidate every signed cookie and force everyone\n * to sign in again. Pinning the secret to `.env.local` on first boot\n * removes that footgun.\n */\nfunction resolveAuthSecret(): string {\n if (process.env.BETTER_AUTH_SECRET) return process.env.BETTER_AUTH_SECRET;\n\n // In production, never auto-generate or fall back. A regenerated/derived\n // secret invalidates every signed session cookie on the next cold start\n // (serverless filesystems aren't persistent), and the legacy hardcoded\n // fallback is identical across every deploy that hits it — both are\n // serious enough to fail the boot loudly so the deployer notices.\n if (process.env.NODE_ENV === \"production\") {\n const sample = crypto.randomBytes(32).toString(\"hex\");\n throw new Error(\n \"[agent-native] BETTER_AUTH_SECRET is not set. This is required in production \" +\n \"so signed session cookies stay valid across deploys. Set it as a deploy \" +\n \"environment variable (any 32-byte hex string), e.g.:\\n\\n\" +\n ` BETTER_AUTH_SECRET=${sample}\\n\\n` +\n \"Generate your own with `openssl rand -hex 32`. If you already have a \" +\n \"running deploy on the legacy hardcoded fallback and need to preserve \" +\n \"existing sessions, set BETTER_AUTH_SECRET=agent-native-local-dev-secret-k9x2m7q4w8 \" +\n \"first, then rotate to a real value.\",\n );\n }\n\n // Dev: persist a generated secret to .env.local so sessions survive\n // dev-server restarts. 
Falls back to an in-memory random secret only if\n // the filesystem isn't writable (rare in dev, e.g. read-only mounts) —\n // sessions reset on every dev-process restart in that case, which is\n // fine.\n //\n // SECURITY (audit 09 LOW-2): the previous fallback chain\n // (`GOOGLE_CLIENT_SECRET || ACCESS_TOKEN || hardcoded`) reused\n // cross-purpose secrets and a public hardcoded literal as the cookie\n // HMAC. Dropped entirely — better to mint an ephemeral secret than to\n // re-use a Google client secret or a known string.\n try {\n const envLocalPath = path.resolve(process.cwd(), \".env.local\");\n const existing = readEnvLocalSecret(envLocalPath);\n if (existing) {\n process.env.BETTER_AUTH_SECRET = existing; // guard:allow-env-mutation — boot-time secret resolution from .env.local, runs once at module init\n return existing;\n }\n\n const generated = crypto.randomBytes(32).toString(\"hex\");\n appendEnvLocalSecret(envLocalPath, generated);\n process.env.BETTER_AUTH_SECRET = generated; // guard:allow-env-mutation — boot-time secret generation, runs once at module init before any request\n console.log(\n \"[agent-native] Generated a persistent BETTER_AUTH_SECRET in .env.local. \" +\n \"Sessions will now survive dev-server restarts. \" +\n \"(Delete .env.local to rotate; set BETTER_AUTH_SECRET in .env to override.)\",\n );\n return generated;\n } catch {\n // Filesystem unwritable (read-only mount, sandboxed test env, etc.).\n // Mint a per-process random secret so cookies stay unique per boot.\n // Sessions reset when the dev process restarts — acceptable for dev.\n const ephemeral = crypto.randomBytes(32).toString(\"hex\");\n console.warn(\n \"[agent-native] Could not persist BETTER_AUTH_SECRET to .env.local \" +\n \"(filesystem unwritable). Using an ephemeral in-memory secret. \" +\n \"Sessions will reset every time this process restarts. 
\" +\n \"Set BETTER_AUTH_SECRET in your environment to keep sessions valid across restarts.\",\n );\n return ephemeral;\n }\n}\n\nfunction readEnvLocalSecret(envLocalPath: string): string | undefined {\n try {\n const content = fs.readFileSync(envLocalPath, \"utf8\");\n // Match `BETTER_AUTH_SECRET=...` on its own line. Tolerate optional\n // quotes and leading `export `. Stop at the first newline or quote.\n const m = content.match(\n /^(?:export\\s+)?BETTER_AUTH_SECRET\\s*=\\s*\"?([^\"\\r\\n]+)\"?\\s*$/m,\n );\n return m?.[1]?.trim() || undefined;\n } catch {\n return undefined;\n }\n}\n\nfunction appendEnvLocalSecret(envLocalPath: string, secret: string): void {\n const header =\n \"# Auto-generated by agent-native on first boot. Gitignored.\\n\" +\n \"# Keeps signed session cookies valid across dev-server restarts.\\n\" +\n \"# Delete this file (or this line) to rotate the secret.\\n\";\n const line = `BETTER_AUTH_SECRET=${secret}\\n`;\n\n // If the file already exists, just append; otherwise create with header.\n if (fs.existsSync(envLocalPath)) {\n const existing = fs.readFileSync(envLocalPath, \"utf8\");\n const needsLeadingNewline = existing.length > 0 && !existing.endsWith(\"\\n\");\n fs.appendFileSync(\n envLocalPath,\n (needsLeadingNewline ? \"\\n\" : \"\") + \"\\n\" + header + line,\n );\n } else {\n fs.writeFileSync(envLocalPath, header + line, { mode: 0o600 });\n }\n}\n\nexport function shouldSkipEmailVerification(): boolean {\n const value = process.env.AUTH_SKIP_EMAIL_VERIFICATION;\n if (value == null) {\n return (\n process.env.NODE_ENV === \"development\" || process.env.NODE_ENV === \"test\"\n );\n }\n const normalized = value.trim().toLowerCase();\n return normalized !== \"\" && normalized !== \"0\" && normalized !== \"false\";\n}\n\n/** Read-only accessor for the resolved auth secret. 
*/\nexport function getAuthSecret(): string {\n return resolveAuthSecret();\n}\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\n/** The shape we need from a Better Auth instance (internal — not exported to templates). */\nexport interface BetterAuthInstance {\n handler: (request: Request) => Promise<Response>;\n api: {\n getSession: (opts: { headers: Headers }) => Promise<{\n user: { id: string; email: string; name: string };\n session: {\n id: string;\n token: string;\n expiresAt: Date;\n activeOrganizationId?: string;\n };\n } | null>;\n signInEmail: (opts: {\n body: { email: string; password: string };\n }) => Promise<{ token?: string; user?: any } | null>;\n signUpEmail: (opts: {\n body: {\n email: string;\n password: string;\n name: string;\n callbackURL?: string;\n };\n }) => Promise<any>;\n signOut: (opts: { headers: Headers }) => Promise<any>;\n listOrganizations: (opts: { headers: Headers }) => Promise<any[] | null>;\n };\n}\n\nexport interface BetterAuthConfig {\n /** Base path for Better Auth routes. Default: \"/_agent-native/auth/ba\" */\n basePath?: string;\n /** Additional social providers beyond what env vars auto-detect */\n socialProviders?: BetterAuthOptions[\"socialProviders\"];\n /** Additional Better Auth plugins */\n plugins?: BetterAuthOptions[\"plugins\"];\n /**\n * Additional Google OAuth scopes (Gmail, Calendar, etc.) 
to request\n * up front during the primary \"Sign in with Google\" flow, beyond the\n * default identity scopes (`openid`, `email`, `profile`).\n *\n * When set, the Google social provider also opts into:\n * - `accessType: \"offline\"` — so a refresh token is issued\n * - `prompt: \"consent\"` — so the refresh token is reissued every sign-in\n *\n * Tokens are mirrored into `oauth_tokens` via a databaseHooks.account\n * hook so existing template code that reads from `oauth_tokens` (mail's\n * Gmail client, calendar's events fetcher) works without any separate\n * \"Connect Google\" page.\n */\n googleScopes?: string[];\n}\n\n// ---------------------------------------------------------------------------\n// Lazy instance\n// ---------------------------------------------------------------------------\n\nlet _auth: BetterAuthInstance | undefined;\nlet _initPromise: Promise<BetterAuthInstance> | undefined;\n// Track the Neon serverless Pool we open for Better Auth so closeBetterAuth()\n// can release it. 
The Pool keeps WebSocket connections open; leaking them on\n// hot-reload or process restart exhausts Neon's connection slot budget.\nlet _neonAuthPool: any;\n\nconst pgAuthSchema = {\n user: pgTable(\"user\", {\n id: pgText(\"id\").primaryKey(),\n name: pgText(\"name\").notNull(),\n email: pgText(\"email\").notNull().unique(),\n emailVerified: pgBoolean(\"email_verified\").notNull().default(false),\n image: pgText(\"image\"),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n }),\n session: pgTable(\"session\", {\n id: pgText(\"id\").primaryKey(),\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }).notNull(),\n token: pgText(\"token\").notNull().unique(),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n ipAddress: pgText(\"ip_address\"),\n userAgent: pgText(\"user_agent\"),\n userId: pgText(\"user_id\").notNull(),\n activeOrganizationId: pgText(\"active_organization_id\"),\n }),\n account: pgTable(\"account\", {\n id: pgText(\"id\").primaryKey(),\n accountId: pgText(\"account_id\").notNull(),\n providerId: pgText(\"provider_id\").notNull(),\n userId: pgText(\"user_id\").notNull(),\n accessToken: pgText(\"access_token\"),\n refreshToken: pgText(\"refresh_token\"),\n idToken: pgText(\"id_token\"),\n accessTokenExpiresAt: pgTimestamp(\"access_token_expires_at\", {\n withTimezone: true,\n }),\n refreshTokenExpiresAt: pgTimestamp(\"refresh_token_expires_at\", {\n withTimezone: true,\n }),\n scope: pgText(\"scope\"),\n password: pgText(\"password\"),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n }),\n verification: pgTable(\"verification\", {\n id: pgText(\"id\").primaryKey(),\n identifier: pgText(\"identifier\").notNull(),\n value: 
pgText(\"value\").notNull(),\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }).notNull(),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n }),\n organization: pgTable(\"organization\", {\n id: pgText(\"id\").primaryKey(),\n name: pgText(\"name\").notNull(),\n slug: pgText(\"slug\").notNull().unique(),\n logo: pgText(\"logo\"),\n metadata: pgText(\"metadata\"),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n }),\n member: pgTable(\"member\", {\n id: pgText(\"id\").primaryKey(),\n organizationId: pgText(\"organization_id\").notNull(),\n userId: pgText(\"user_id\").notNull(),\n role: pgText(\"role\").notNull().default(\"member\"),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n }),\n invitation: pgTable(\"invitation\", {\n id: pgText(\"id\").primaryKey(),\n organizationId: pgText(\"organization_id\").notNull(),\n email: pgText(\"email\").notNull(),\n role: pgText(\"role\"),\n status: pgText(\"status\").notNull().default(\"pending\"),\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }).notNull(),\n inviterId: pgText(\"inviter_id\").notNull(),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n updatedAt: pgTimestamp(\"updated_at\", { withTimezone: true }).notNull(),\n }),\n jwks: pgTable(\"jwks\", {\n id: pgText(\"id\").primaryKey(),\n publicKey: pgText(\"public_key\").notNull(),\n privateKey: pgText(\"private_key\").notNull(),\n createdAt: pgTimestamp(\"created_at\", { withTimezone: true }).notNull(),\n expiresAt: pgTimestamp(\"expires_at\", { withTimezone: true }),\n }),\n};\n\nconst sqliteAuthSchema = {\n user: sqliteTable(\"user\", {\n id: sqliteText(\"id\").primaryKey(),\n name: 
sqliteText(\"name\").notNull(),\n email: sqliteText(\"email\").notNull().unique(),\n emailVerified: sqliteInteger(\"email_verified\", { mode: \"boolean\" })\n .notNull()\n .default(false),\n image: sqliteText(\"image\"),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n }),\n session: sqliteTable(\"session\", {\n id: sqliteText(\"id\").primaryKey(),\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }).notNull(),\n token: sqliteText(\"token\").notNull().unique(),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n ipAddress: sqliteText(\"ip_address\"),\n userAgent: sqliteText(\"user_agent\"),\n userId: sqliteText(\"user_id\").notNull(),\n activeOrganizationId: sqliteText(\"active_organization_id\"),\n }),\n account: sqliteTable(\"account\", {\n id: sqliteText(\"id\").primaryKey(),\n accountId: sqliteText(\"account_id\").notNull(),\n providerId: sqliteText(\"provider_id\").notNull(),\n userId: sqliteText(\"user_id\").notNull(),\n accessToken: sqliteText(\"access_token\"),\n refreshToken: sqliteText(\"refresh_token\"),\n idToken: sqliteText(\"id_token\"),\n accessTokenExpiresAt: sqliteInteger(\"access_token_expires_at\", {\n mode: \"timestamp_ms\",\n }),\n refreshTokenExpiresAt: sqliteInteger(\"refresh_token_expires_at\", {\n mode: \"timestamp_ms\",\n }),\n scope: sqliteText(\"scope\"),\n password: sqliteText(\"password\"),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n }),\n verification: sqliteTable(\"verification\", {\n id: sqliteText(\"id\").primaryKey(),\n identifier: sqliteText(\"identifier\").notNull(),\n value: sqliteText(\"value\").notNull(),\n expiresAt: sqliteInteger(\"expires_at\", { mode: 
\"timestamp_ms\" }).notNull(),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n }),\n organization: sqliteTable(\"organization\", {\n id: sqliteText(\"id\").primaryKey(),\n name: sqliteText(\"name\").notNull(),\n slug: sqliteText(\"slug\").notNull().unique(),\n logo: sqliteText(\"logo\"),\n metadata: sqliteText(\"metadata\"),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n }),\n member: sqliteTable(\"member\", {\n id: sqliteText(\"id\").primaryKey(),\n organizationId: sqliteText(\"organization_id\").notNull(),\n userId: sqliteText(\"user_id\").notNull(),\n role: sqliteText(\"role\").notNull().default(\"member\"),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n }),\n invitation: sqliteTable(\"invitation\", {\n id: sqliteText(\"id\").primaryKey(),\n organizationId: sqliteText(\"organization_id\").notNull(),\n email: sqliteText(\"email\").notNull(),\n role: sqliteText(\"role\"),\n status: sqliteText(\"status\").notNull().default(\"pending\"),\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }).notNull(),\n inviterId: sqliteText(\"inviter_id\").notNull(),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n updatedAt: sqliteInteger(\"updated_at\", { mode: \"timestamp_ms\" }).notNull(),\n }),\n jwks: sqliteTable(\"jwks\", {\n id: sqliteText(\"id\").primaryKey(),\n publicKey: sqliteText(\"public_key\").notNull(),\n privateKey: sqliteText(\"private_key\").notNull(),\n createdAt: sqliteInteger(\"created_at\", { mode: \"timestamp_ms\" }).notNull(),\n expiresAt: sqliteInteger(\"expires_at\", { mode: \"timestamp_ms\" }),\n }),\n};\n\nfunction getBetterAuthSchema() {\n return 
isPostgres() ? pgAuthSchema : sqliteAuthSchema;\n}\n\n/**\n * Mirror a Better Auth `account` row for Google into the `oauth_tokens`\n * table that template code (mail's Gmail client, calendar's events fetcher)\n * reads from. Called from the `databaseHooks.account.create.after` and\n * `.update.after` hooks so tokens captured during the primary \"Sign in\n * with Google\" flow flow straight to the apps that need them — no\n * separate \"Connect Google\" page required.\n *\n * Resolves `account.userId` to the user's email by querying the `user`\n * table (Better Auth always quotes \"user\" because it's a reserved word\n * in Postgres; SQLite accepts the quotes too).\n *\n * The hook is fire-and-forget from the caller's perspective — every\n * failure is caught upstream so a flake in `oauth_tokens` never blocks\n * sign-in. We still no-op on missing fields here as a defense in depth.\n */\nasync function mirrorGoogleAccountToOAuthTokens(account: {\n providerId?: string;\n userId?: string;\n accountId?: string;\n accessToken?: string | null;\n refreshToken?: string | null;\n accessTokenExpiresAt?: Date | string | number | null;\n scope?: string | null;\n idToken?: string | null;\n}): Promise<void> {\n if (!account || account.providerId !== \"google\") return;\n if (!account.userId) return;\n\n const accessToken = account.accessToken ?? undefined;\n if (!accessToken) {\n // Better Auth sometimes upserts an account row before tokens are\n // attached (e.g. linking flows). Nothing to mirror yet — the next\n // update hook will run once the access token lands.\n return;\n }\n\n // Resolve user email from userId.\n const db = getDbExec();\n let email: string | undefined;\n try {\n const { rows } = await db.execute({\n sql: 'SELECT email FROM \"user\" WHERE id = ?',\n args: [account.userId],\n });\n email = (rows[0]?.email as string | undefined) ?? 
undefined;\n } catch (err) {\n console.error(\n \"[auth] mirror Google tokens: failed to resolve user email from userId\",\n err,\n );\n return;\n }\n if (!email) return;\n\n // Normalise expiry to epoch ms (Google's \"expiry_date\" convention used\n // throughout the templates).\n let expiryDate: number | undefined;\n const raw = account.accessTokenExpiresAt;\n if (raw instanceof Date) {\n expiryDate = raw.getTime();\n } else if (typeof raw === \"number\") {\n expiryDate = raw;\n } else if (typeof raw === \"string\") {\n const ms = Date.parse(raw);\n expiryDate = Number.isFinite(ms) ? ms : undefined;\n }\n\n const tokens: Record<string, unknown> = {\n access_token: accessToken,\n token_type: \"Bearer\",\n };\n if (account.refreshToken) tokens.refresh_token = account.refreshToken;\n if (expiryDate) tokens.expiry_date = expiryDate;\n if (account.scope) tokens.scope = account.scope;\n if (account.idToken) tokens.id_token = account.idToken;\n\n await saveOAuthTokens(\"google\", email, tokens, email);\n}\n\nasync function ensureBetterAuthTables(): Promise<void> {\n const db = getDbExec();\n const statements = isPostgres()\n ? 
[\n `CREATE TABLE IF NOT EXISTS \"user\" (id TEXT PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE, email_verified BOOLEAN NOT NULL DEFAULT FALSE, image TEXT, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS \"session\" (id TEXT PRIMARY KEY, expires_at TIMESTAMPTZ NOT NULL, token TEXT NOT NULL UNIQUE, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL, ip_address TEXT, user_agent TEXT, user_id TEXT NOT NULL, active_organization_id TEXT)`,\n `CREATE TABLE IF NOT EXISTS \"account\" (id TEXT PRIMARY KEY, account_id TEXT NOT NULL, provider_id TEXT NOT NULL, user_id TEXT NOT NULL, access_token TEXT, refresh_token TEXT, id_token TEXT, access_token_expires_at TIMESTAMPTZ, refresh_token_expires_at TIMESTAMPTZ, scope TEXT, password TEXT, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS \"verification\" (id TEXT PRIMARY KEY, identifier TEXT NOT NULL, value TEXT NOT NULL, expires_at TIMESTAMPTZ NOT NULL, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS \"organization\" (id TEXT PRIMARY KEY, name TEXT NOT NULL, slug TEXT NOT NULL UNIQUE, logo TEXT, metadata TEXT, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS \"member\" (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, user_id TEXT NOT NULL, role TEXT NOT NULL DEFAULT 'member', created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS \"invitation\" (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, email TEXT NOT NULL, role TEXT, status TEXT NOT NULL DEFAULT 'pending', expires_at TIMESTAMPTZ NOT NULL, inviter_id TEXT NOT NULL, created_at TIMESTAMPTZ NOT NULL, updated_at TIMESTAMPTZ NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS \"jwks\" (id TEXT PRIMARY KEY, public_key TEXT NOT NULL, private_key TEXT NOT NULL, created_at TIMESTAMPTZ NOT NULL, expires_at 
TIMESTAMPTZ)`,\n ]\n : [\n `CREATE TABLE IF NOT EXISTS user (id TEXT PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE, email_verified INTEGER NOT NULL DEFAULT 0, image TEXT, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS session (id TEXT PRIMARY KEY, expires_at INTEGER NOT NULL, token TEXT NOT NULL UNIQUE, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL, ip_address TEXT, user_agent TEXT, user_id TEXT NOT NULL, active_organization_id TEXT)`,\n `CREATE TABLE IF NOT EXISTS account (id TEXT PRIMARY KEY, account_id TEXT NOT NULL, provider_id TEXT NOT NULL, user_id TEXT NOT NULL, access_token TEXT, refresh_token TEXT, id_token TEXT, access_token_expires_at INTEGER, refresh_token_expires_at INTEGER, scope TEXT, password TEXT, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS verification (id TEXT PRIMARY KEY, identifier TEXT NOT NULL, value TEXT NOT NULL, expires_at INTEGER NOT NULL, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS organization (id TEXT PRIMARY KEY, name TEXT NOT NULL, slug TEXT NOT NULL UNIQUE, logo TEXT, metadata TEXT, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS member (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, user_id TEXT NOT NULL, role TEXT NOT NULL DEFAULT 'member', created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS invitation (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, email TEXT NOT NULL, role TEXT, status TEXT NOT NULL DEFAULT 'pending', expires_at INTEGER NOT NULL, inviter_id TEXT NOT NULL, created_at INTEGER NOT NULL, updated_at INTEGER NOT NULL)`,\n `CREATE TABLE IF NOT EXISTS jwks (id TEXT PRIMARY KEY, public_key TEXT NOT NULL, private_key TEXT NOT NULL, created_at INTEGER NOT NULL, expires_at INTEGER)`,\n ];\n\n for (const sql of statements) await db.execute(sql);\n}\n\n/**\n * Get or create the 
Better Auth instance.\n * Lazily initialized on first call — the database must be reachable by then.\n */\nexport async function getBetterAuth(\n config?: BetterAuthConfig,\n): Promise<BetterAuthInstance> {\n if (_auth) return _auth;\n if (_initPromise) return _initPromise;\n\n _initPromise = createBetterAuthInstance(config);\n _auth = await _initPromise;\n return _auth;\n}\n\n/**\n * Synchronous getter — returns the instance if already initialized, else undefined.\n * Use this in hot paths where you know init has already happened.\n */\nexport function getBetterAuthSync(): BetterAuthInstance | undefined {\n return _auth;\n}\n\n/** Reset for testing */\nexport async function resetBetterAuth(): Promise<void> {\n _auth = undefined;\n _initPromise = undefined;\n if (_neonAuthPool) {\n try {\n await _neonAuthPool.end();\n } catch {\n // Pool may have already closed (process exiting, etc.) — don't block reset.\n }\n _neonAuthPool = undefined;\n }\n}\n\n// ---------------------------------------------------------------------------\n// Instance creation\n// ---------------------------------------------------------------------------\n\nasync function createBetterAuthInstance(\n config?: BetterAuthConfig,\n): Promise<BetterAuthInstance> {\n const dialect = getDialect();\n const basePath = config?.basePath ?? \"/_agent-native/auth/ba\";\n await ensureBetterAuthTables();\n\n // Build social providers from env vars\n const socialProviders: BetterAuthOptions[\"socialProviders\"] = {\n ...config?.socialProviders,\n };\n\n if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {\n // When the template requests broader scopes (Gmail, Calendar, etc.)\n // ask for them on the primary sign-in flow so a separate \"Connect\n // Google\" round-trip isn't needed. `accessType: \"offline\"` plus\n // `prompt: \"consent\"` ensures we always receive a refresh token back —\n // Google only re-issues a refresh token on consent, so re-signing in\n // (e.g. 
after switching machines) would otherwise leave us with an\n // access token that can't be refreshed.\n const extraScopes = config?.googleScopes ?? [];\n const baseScopes = [\"openid\", \"email\", \"profile\"];\n const mergedScopes = Array.from(new Set([...baseScopes, ...extraScopes]));\n socialProviders.google = {\n clientId: process.env.GOOGLE_CLIENT_ID,\n clientSecret: process.env.GOOGLE_CLIENT_SECRET,\n ...(extraScopes.length > 0\n ? {\n scope: mergedScopes,\n accessType: \"offline\" as const,\n prompt: \"consent\" as const,\n }\n : {}),\n };\n }\n\n if (process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET) {\n socialProviders.github = {\n clientId: process.env.GITHUB_CLIENT_ID,\n clientSecret: process.env.GITHUB_CLIENT_SECRET,\n };\n }\n\n // Build database config\n const database = await buildDatabaseConfig(dialect);\n\n const secret = resolveAuthSecret();\n\n const appUrl = getAppProductionUrl();\n const requireEmailVerification =\n isEmailConfigured() && !shouldSkipEmailVerification();\n\n const auth = betterAuth({\n basePath,\n baseURL: appUrl,\n database,\n secret,\n emailAndPassword: {\n enabled: true,\n minPasswordLength: 8,\n // Only require email verification when an email provider is configured.\n // Without a provider, verification emails can't be sent, so requiring\n // verification would lock users out of signup entirely. Local dev/test\n // skip verification by default so +qa accounts can be created quickly;\n // hosted QA deployments can opt out with AUTH_SKIP_EMAIL_VERIFICATION=1.\n requireEmailVerification,\n sendResetPassword: async ({ user, token }) => {\n // APP_BASE_PATH lets this app mount under a prefix (e.g. /mail). 
The\n // reset link must include that prefix so the page resolves correctly.\n const appBasePath = (\n process.env.VITE_APP_BASE_PATH ||\n process.env.APP_BASE_PATH ||\n \"\"\n ).replace(/\\/$/, \"\");\n const resetUrl = `${appUrl}${appBasePath}/_agent-native/auth/reset?token=${encodeURIComponent(token)}`;\n const { subject, html, text } = renderResetPasswordEmail({\n email: user.email,\n resetUrl,\n });\n await sendEmail({ to: user.email, subject, html, text });\n },\n },\n emailVerification: {\n // Fire verification email right after signup, before the user has a\n // session — pairs with requireEmailVerification above. Only enabled\n // when an email provider is configured.\n sendOnSignUp: requireEmailVerification,\n // Auto-create a session once the user clicks the link. Without this,\n // verified users would have to go back and sign in manually, which is\n // a confusing dead-end on the verify screen.\n autoSignInAfterVerification: true,\n sendVerificationEmail: async ({ user, url }) => {\n // APP_BASE_PATH lets this app mount under a prefix (e.g. /mail). The\n // verification link must include that prefix so the page resolves correctly.\n const verifyBasePath = (\n process.env.VITE_APP_BASE_PATH ||\n process.env.APP_BASE_PATH ||\n \"\"\n ).replace(/\\/$/, \"\");\n const verifyUrl = verifyBasePath\n ? url.replace(/(\\/\\/[^/]+)(\\/)/, `$1${verifyBasePath}$2`)\n : url;\n const { subject, html, text } = renderVerifySignupEmail({\n email: user.email,\n verifyUrl,\n });\n await sendEmail({ to: user.email, subject, html, text });\n },\n },\n socialProviders,\n account: {\n // Merge accounts when a user signs in with a social provider using an\n // email that already has a local email/password account (or vice versa).\n // Only providers listed in `trustedProviders` auto-link — these are the\n // ones that verify emails at the identity layer. 
Never add a provider\n // here that lets users claim an unverified email; that would be an\n // account-takeover vector.\n accountLinking: {\n enabled: true,\n trustedProviders: [\"google\", \"github\"],\n },\n },\n databaseHooks: {\n user: {\n create: {\n after: async (user: {\n id?: string;\n email?: string;\n name?: string | null;\n }) => {\n // When a newly-created user's email has pending org invitations\n // (common when someone is invited *before* they've signed up),\n // auto-accept them so the user lands in the org on their very\n // first page load instead of a blank-slate workspace.\n const email = user?.email;\n if (!email) return;\n identify(email, {\n email,\n name: user.name ?? undefined,\n authUserId: user.id,\n });\n track(\n \"signup\",\n {\n auth_provider: \"better-auth\",\n auth_user_id: user.id,\n },\n { userId: email },\n );\n try {\n await acceptPendingInvitationsForEmail(email);\n } catch (err) {\n // Never block signup on invite bookkeeping — log and continue.\n console.error(\n \"[auth] failed to auto-accept pending invitations\",\n err,\n );\n }\n try {\n // Auto-join orgs whose `allowed_domain` matches this email\n // domain. Lets a fresh `@builder.io` (or any org-domain)\n // signup land inside the company org on first page load\n // without going through the picker. No-ops when no match.\n await autoJoinDomainMatchingOrgs(email);\n } catch (err) {\n console.error(\n \"[auth] failed to auto-join domain-matching orgs\",\n err,\n );\n }\n },\n },\n },\n account: {\n // Mirror Google account tokens into `oauth_tokens` so existing\n // template code (mail's Gmail client, calendar's events fetcher)\n // can pick up Gmail/Calendar credentials from the primary sign-in\n // flow — no separate \"Set up Google\" page required.\n //\n // Better Auth fires `create` for first-time social sign-in and\n // `update` whenever a session re-issues tokens (e.g., the user\n // re-signs in to refresh the token). 
Both branches do the same\n // mirroring work; failures never block sign-in.\n create: {\n after: async (account: any) => {\n await mirrorGoogleAccountToOAuthTokens(account).catch((err) => {\n console.error(\n \"[auth] failed to mirror Google account tokens to oauth_tokens (create)\",\n err,\n );\n });\n },\n },\n update: {\n after: async (account: any) => {\n await mirrorGoogleAccountToOAuthTokens(account).catch((err) => {\n console.error(\n \"[auth] failed to mirror Google account tokens to oauth_tokens (update)\",\n err,\n );\n });\n },\n },\n },\n },\n session: {\n expiresIn: 60 * 60 * 24 * 30, // 30 days\n updateAge: 60 * 60 * 24, // refresh daily\n cookieCache: {\n enabled: true,\n maxAge: 5 * 60, // 5 min cache\n },\n },\n advanced: {\n cookiePrefix: \"an\",\n // Emit `SameSite=None; Secure` when the app is served over HTTPS so\n // session cookies are delivered inside third-party iframes (e.g. the\n // Builder.io editor). Plain-HTTP dev keeps the default (Lax) because\n // `SameSite=None` requires Secure.\n ...(appUrl.startsWith(\"https://\")\n ? {\n defaultCookieAttributes: {\n sameSite: \"none\" as const,\n secure: true,\n partitioned: true,\n },\n }\n : {}),\n },\n plugins: [\n // Organizations: many:many user:org, roles, invitations\n organization(),\n // JWT: issue tokens for A2A calls, JWKS endpoint for verification\n jwt({\n jwt: {\n issuer: appUrl,\n expirationTime: \"15m\",\n },\n }),\n // Bearer: accept Bearer tokens on API requests\n bearer(),\n ...(config?.plugins ?? []),\n ],\n });\n\n return auth as unknown as BetterAuthInstance;\n}\n\nasync function buildDatabaseConfig(\n dialect: string,\n): Promise<BetterAuthOptions[\"database\"]> {\n if (dialect === \"postgres\") {\n const url = getDatabaseUrl();\n const { isNeonUrl } = await import(\"../db/create-get-db.js\");\n\n // Neon via @neondatabase/serverless (WebSockets over HTTPS). 
postgres-js\n // opens a raw TCP connection on port 5432 which frequently times out on\n // Netlify Functions / Vercel / CF Workers when Neon's pooler is cold.\n if (isNeonUrl(url)) {\n const { Pool } = await import(\"@neondatabase/serverless\");\n _neonAuthPool = new Pool({ connectionString: url });\n const { drizzle } = await import(\"drizzle-orm/neon-serverless\");\n const db = drizzle(_neonAuthPool, { schema: pgAuthSchema });\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\n return drizzleAdapter(db, {\n provider: \"pg\",\n schema: pgAuthSchema,\n });\n }\n\n // Non-Neon Postgres (Supabase, self-hosted, etc.) → postgres-js\n const { default: postgres } = await import(\"postgres\");\n const sql = postgres(url, {\n onnotice: () => {},\n idle_timeout: 240,\n max_lifetime: 60 * 30,\n connect_timeout: 10,\n ...(url.includes(\"supabase\") ? { prepare: false } : {}),\n });\n const { drizzle } = await import(\"drizzle-orm/postgres-js\");\n const db = drizzle(sql, { schema: pgAuthSchema });\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\n return drizzleAdapter(db, {\n provider: \"pg\",\n schema: pgAuthSchema,\n });\n }\n\n // SQLite / libsql\n const url = getDatabaseUrl(\"file:./data/app.db\");\n\n if (url.startsWith(\"file:\") || !url.includes(\"://\")) {\n // Local SQLite via better-sqlite3\n const { default: Database } = await import(\"better-sqlite3\");\n const filePath = url.replace(/^file:/, \"\");\n const sqlite = new Database(filePath);\n sqlite.pragma(\"journal_mode = WAL\");\n const { drizzle } = await import(\"drizzle-orm/better-sqlite3\");\n const db = drizzle(sqlite, { schema: sqliteAuthSchema });\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\n return drizzleAdapter(db, {\n provider: \"sqlite\",\n schema: sqliteAuthSchema,\n });\n }\n\n // Remote libsql (Turso)\n const { createClient } = await import(\"@libsql/client\");\n const client = createClient({ url, authToken: 
getDatabaseAuthToken() });\n const { drizzle } = await import(\"drizzle-orm/libsql\");\n const db = drizzle(client, { schema: sqliteAuthSchema });\n const { drizzleAdapter } = await import(\"better-auth/adapters/drizzle\");\n return drizzleAdapter(db, {\n provider: \"sqlite\",\n schema: sqliteAuthSchema,\n });\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"core-routes-plugin.d.ts","sourceRoot":"","sources":["../../src/server/core-routes-plugin.ts"],"names":[],"mappings":"AAqBA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAyEvD;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,mBAAmB,CAAC;AAqCvD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,GACb,MAAM,GAAG,IAAI,CAWf;AAUD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,uBAAuB;IACtC,wEAAwE;IACxE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,oDAAoD;IACpD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,qEAAqE;IACrE,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,GAAE,uBAA4B,GACpC,cAAc,
|
|
1
|
+
{"version":3,"file":"core-routes-plugin.d.ts","sourceRoot":"","sources":["../../src/server/core-routes-plugin.ts"],"names":[],"mappings":"AAqBA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAyEvD;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,mBAAmB,CAAC;AAqCvD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,GACb,MAAM,GAAG,IAAI,CAWf;AAUD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,uBAAuB;IACtC,wEAAwE;IACxE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,oDAAoD;IACpD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,qEAAqE;IACrE,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,GAAE,uBAA4B,GACpC,cAAc,CAuvDhB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAAyC,CAAC"}
|