@agent-native/dispatch 0.1.1

package/dist/server/lib/vault-store.js

@@ -0,0 +1,554 @@
+import crypto from "node:crypto";
+import { and, desc, eq, isNull, or } from "drizzle-orm";
+import { discoverAgents } from "@agent-native/core/server/agent-discovery";
+import { getDb, schema } from "../../db/index.js";
+import { currentOwnerEmail, currentOrgId, recordAudit, } from "./dispatch-store.js";
+/**
+ * Build a VaultCtx from the current request. Throws if the request is
+ * unauthenticated — the previous behavior of falling back to "local@localhost"
+ * leaked rows across tenants when a misconfigured environment skipped auth.
+ */
+export function requireVaultCtx() {
+    const ownerEmail = currentOwnerEmail();
+    if (!ownerEmail) {
+        throw new Error("Vault operation requires an authenticated user");
+    }
+    return { ownerEmail, orgId: currentOrgId() };
+}
+/** WHERE clause that limits a vault row to the caller's ownership scope. */
+function ctxScope(table, ctx) {
+    return or(eq(table.ownerEmail, ctx.ownerEmail), ctx.orgId ? eq(table.orgId, ctx.orgId) : isNull(table.orgId));
+}
+/** Build a ctx that scopes to a specific row's owner/org (used when a
+ * request approver acts on behalf of the original requester so the
+ * created secret lands in the request's org). */
+function ctxForRow(row) {
+    return { ownerEmail: row.ownerEmail, orgId: row.orgId };
+}
+function id() {
+    return crypto.randomUUID();
+}
+function now() {
+    return Date.now();
+}
+function safeJson(value) {
+    return JSON.stringify(value ?? null);
+}
+function orgFilter(table) {
+    const orgId = currentOrgId();
+    return and(eq(table.ownerEmail, currentOwnerEmail()), orgId ? eq(table.orgId, orgId) : isNull(table.orgId));
+}
+// ─── Vault Audit ──────────────────────────────────────────────────
+export async function recordVaultAudit(input) {
+    const db = getDb();
+    await db.insert(schema.vaultAuditLog).values({
+        id: id(),
+        ownerEmail: currentOwnerEmail(),
+        orgId: currentOrgId(),
+        secretId: input.secretId || null,
+        appId: input.appId || null,
+        action: input.action,
+        actor: input.actor || currentOwnerEmail(),
+        summary: input.summary,
+        metadata: input.metadata ? safeJson(input.metadata) : null,
+        createdAt: now(),
+    });
+}
+export async function listVaultAudit(limit = 50) {
+    const db = getDb();
+    return db
+        .select()
+        .from(schema.vaultAuditLog)
+        .where(orgFilter(schema.vaultAuditLog))
+        .orderBy(desc(schema.vaultAuditLog.createdAt))
+        .limit(limit);
+}
+// ─── Secrets ──────────────────────────────────────────────────────
+export async function listSecrets() {
+    const db = getDb();
+    return db
+        .select()
+        .from(schema.vaultSecrets)
+        .where(orgFilter(schema.vaultSecrets))
+        .orderBy(desc(schema.vaultSecrets.updatedAt));
+}
+export async function getSecret(secretId, ctx) {
+    const db = getDb();
+    const [row] = await db
+        .select()
+        .from(schema.vaultSecrets)
+        .where(and(eq(schema.vaultSecrets.id, secretId), ctxScope(schema.vaultSecrets, ctx)))
+        .limit(1);
+    return row ?? null;
+}
+export async function createSecret(input, ctx = requireVaultCtx()) {
+    const db = getDb();
+    const timestamp = now();
+    const secretId = id();
+    const actor = ctx.ownerEmail;
+    await db.insert(schema.vaultSecrets).values({
+        id: secretId,
+        ownerEmail: actor,
+        orgId: ctx.orgId,
+        name: input.name,
+        credentialKey: input.credentialKey,
+        value: input.value,
+        provider: input.provider || null,
+        description: input.description || null,
+        createdBy: actor,
+        createdAt: timestamp,
+        updatedAt: timestamp,
+    });
+    await recordVaultAudit({
+        action: "secret.created",
+        secretId,
+        summary: `Created secret "${input.name}" (${input.credentialKey})`,
+        metadata: { credentialKey: input.credentialKey, provider: input.provider },
+    });
+    await recordAudit({
+        action: "vault.secret.created",
+        targetType: "vault-secret",
+        targetId: secretId,
+        summary: `Created vault secret "${input.name}" (${input.credentialKey})`,
+    });
+    return getSecret(secretId, ctx);
+}
+export async function updateSecret(secretId, value, ctx = requireVaultCtx()) {
+    const db = getDb();
+    const existing = await getSecret(secretId, ctx);
+    if (!existing)
+        throw new Error("Secret not found");
+    await db
+        .update(schema.vaultSecrets)
+        .set({ value, updatedAt: now() })
+        .where(and(eq(schema.vaultSecrets.id, secretId), ctxScope(schema.vaultSecrets, ctx)));
+    await recordVaultAudit({
+        action: "secret.updated",
+        secretId,
+        summary: `Updated value for secret "${existing.name}" (${existing.credentialKey})`,
+    });
+    return getSecret(secretId, ctx);
+}
+export async function deleteSecret(secretId, ctx = requireVaultCtx()) {
+    const db = getDb();
+    const existing = await getSecret(secretId, ctx);
+    if (!existing)
+        throw new Error("Secret not found");
+    // Revoke all active grants first
+    const grants = await listGrants({ secretId });
+    for (const grant of grants) {
+        if (grant.status === "active") {
+            await revokeGrant(grant.id, ctx);
+        }
+    }
+    await db
+        .delete(schema.vaultSecrets)
+        .where(and(eq(schema.vaultSecrets.id, secretId), ctxScope(schema.vaultSecrets, ctx)));
+    await recordVaultAudit({
+        action: "secret.deleted",
+        secretId,
+        summary: `Deleted secret "${existing.name}" (${existing.credentialKey})`,
+    });
+    await recordAudit({
+        action: "vault.secret.deleted",
+        targetType: "vault-secret",
+        targetId: secretId,
+        summary: `Deleted vault secret "${existing.name}" (${existing.credentialKey})`,
+    });
+    return existing;
+}
+// ─── Grants ──────────────────────────────────────────────────────
+export async function listGrants(filter) {
+    const db = getDb();
+    const conditions = [orgFilter(schema.vaultGrants)];
+    if (filter?.secretId) {
+        conditions.push(eq(schema.vaultGrants.secretId, filter.secretId));
+    }
+    if (filter?.appId) {
+        conditions.push(eq(schema.vaultGrants.appId, filter.appId));
+    }
+    return db
+        .select()
+        .from(schema.vaultGrants)
+        .where(and(...conditions))
+        .orderBy(desc(schema.vaultGrants.updatedAt));
+}
+export async function getGrant(grantId, ctx = requireVaultCtx()) {
+    const db = getDb();
+    const [row] = await db
+        .select()
+        .from(schema.vaultGrants)
+        .where(and(eq(schema.vaultGrants.id, grantId), ctxScope(schema.vaultGrants, ctx)))
+        .limit(1);
+    return row ?? null;
+}
+export async function createGrant(secretId, appId, ctx = requireVaultCtx()) {
+    const db = getDb();
+    const secret = await getSecret(secretId, ctx);
+    if (!secret)
+        throw new Error("Secret not found");
+    const timestamp = now();
+    const grantId = id();
+    const actor = ctx.ownerEmail;
+    await db.insert(schema.vaultGrants).values({
+        id: grantId,
+        ownerEmail: actor,
+        orgId: ctx.orgId,
+        secretId,
+        appId,
+        grantedBy: actor,
+        status: "active",
+        syncedAt: null,
+        createdAt: timestamp,
+        updatedAt: timestamp,
+    });
+    await recordVaultAudit({
+        action: "grant.created",
+        secretId,
+        appId,
+        summary: `Granted "${secret.name}" (${secret.credentialKey}) to ${appId}`,
+        metadata: { grantId },
+    });
+    await recordAudit({
+        action: "vault.grant.created",
+        targetType: "vault-grant",
+        targetId: grantId,
+        summary: `Granted vault secret "${secret.name}" to ${appId}`,
+    });
+    return getGrant(grantId);
+}
+export async function grantSecretsToApp(secretIds, appId, ctx = requireVaultCtx()) {
+    const uniqueSecretIds = Array.from(new Set(secretIds));
+    const existingActive = (await listGrants({ appId })).filter((grant) => grant.status === "active");
+    const existingSecretIds = new Set(existingActive.map((grant) => grant.secretId));
+    const created = [];
+    const skipped = [];
+    for (const secretId of uniqueSecretIds) {
+        if (existingSecretIds.has(secretId)) {
+            skipped.push(secretId);
+            continue;
+        }
+        const grant = await createGrant(secretId, appId, ctx);
+        if (grant) {
+            created.push(grant);
+            existingSecretIds.add(secretId);
+        }
+    }
+    return { appId, created, skipped };
+}
+export async function revokeGrant(grantId, ctx = requireVaultCtx()) {
+    const db = getDb();
+    const grant = await getGrant(grantId, ctx);
+    if (!grant)
+        throw new Error("Grant not found");
+    const secret = await getSecret(grant.secretId, ctx);
+    await db
+        .update(schema.vaultGrants)
+        .set({ status: "revoked", updatedAt: now() })
+        .where(and(eq(schema.vaultGrants.id, grantId), ctxScope(schema.vaultGrants, ctx)));
+    await recordVaultAudit({
+        action: "grant.revoked",
+        secretId: grant.secretId,
+        appId: grant.appId,
+        summary: `Revoked ${secret?.credentialKey || grant.secretId} from ${grant.appId}`,
+        metadata: { grantId },
+    });
+    await recordAudit({
+        action: "vault.grant.revoked",
+        targetType: "vault-grant",
+        targetId: grantId,
+        summary: `Revoked vault secret "${secret?.name || grant.secretId}" from ${grant.appId}`,
+    });
+    return getGrant(grantId, ctx);
+}
+// ─── Sync ──────────────────────────────────────────────────────
+export async function syncGrantsToApp(appId, ctx = requireVaultCtx()) {
+    const db = getDb();
+    const agents = await discoverAgents("dispatch");
+    const agent = agents.find((a) => a.id === appId);
+    if (!agent)
+        throw new Error(`App "${appId}" not found in agent registry`);
+    const grants = await listGrants({ appId });
+    const activeGrants = grants.filter((g) => g.status === "active");
+    if (activeGrants.length === 0) {
+        return { appId, synced: 0, keys: [] };
+    }
+    // Resolve secret values for each grant
+    const vars = [];
+    for (const grant of activeGrants) {
+        const secret = await getSecret(grant.secretId, ctx);
+        if (secret) {
+            vars.push({ key: secret.credentialKey, value: secret.value });
+        }
+    }
+    if (vars.length === 0) {
+        return { appId, synced: 0, keys: [] };
+    }
+    // Push to the app's env-vars endpoint
+    const res = await fetch(`${agent.url}/_agent-native/env-vars`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ vars }),
+    });
+    if (!res.ok) {
+        const err = await res.text().catch(() => "Unknown error");
+        throw new Error(`Failed to sync to ${appId}: ${err}`);
+    }
+    const result = await res.json();
+    const syncedKeys = result.saved || [];
+    const timestamp = now();
+    // Update syncedAt on grants that were successfully pushed
+    for (const grant of activeGrants) {
+        const secret = await getSecret(grant.secretId, ctx);
+        if (secret && syncedKeys.includes(secret.credentialKey)) {
+            await db
+                .update(schema.vaultGrants)
+                .set({ syncedAt: timestamp, updatedAt: timestamp })
+                .where(eq(schema.vaultGrants.id, grant.id));
+        }
+    }
+    await recordVaultAudit({
+        action: "secret.synced",
+        appId,
+        summary: `Synced ${syncedKeys.length} secret(s) to ${appId}: ${syncedKeys.join(", ")}`,
+        metadata: { syncedKeys },
+    });
+    return { appId, synced: syncedKeys.length, keys: syncedKeys };
+}
+// ─── Requests ──────────────────────────────────────────────────────
+export async function listRequests(filter) {
+    const db = getDb();
+    const conditions = [orgFilter(schema.vaultRequests)];
+    if (filter?.status) {
+        conditions.push(eq(schema.vaultRequests.status, filter.status));
+    }
+    return db
+        .select()
+        .from(schema.vaultRequests)
+        .where(and(...conditions))
+        .orderBy(desc(schema.vaultRequests.updatedAt));
+}
+export async function getRequest(requestId, ctx = requireVaultCtx()) {
+    const db = getDb();
+    const [row] = await db
+        .select()
+        .from(schema.vaultRequests)
+        .where(and(eq(schema.vaultRequests.id, requestId), ctxScope(schema.vaultRequests, ctx)))
+        .limit(1);
+    return row ?? null;
+}
+export async function createRequest(input) {
+    const db = getDb();
+    const timestamp = now();
+    const requestId = id();
+    const actor = currentOwnerEmail();
+    await db.insert(schema.vaultRequests).values({
+        id: requestId,
+        ownerEmail: actor,
+        orgId: currentOrgId(),
+        credentialKey: input.credentialKey,
+        appId: input.appId,
+        reason: input.reason || null,
+        requestedBy: actor,
+        status: "pending",
+        reviewedBy: null,
+        reviewedAt: null,
+        createdAt: timestamp,
+        updatedAt: timestamp,
+    });
+    await recordVaultAudit({
+        action: "request.created",
+        appId: input.appId,
+        summary: `${actor} requested ${input.credentialKey} for ${input.appId}`,
+        metadata: { requestId, reason: input.reason },
+    });
+    await notifyAdminsOfRequest(requestId, input);
+    return getRequest(requestId);
+}
+export async function approveRequest(requestId, secretValue, secretName, ctx = requireVaultCtx()) {
+    const db = getDb();
+    const request = await getRequest(requestId, ctx);
+    if (!request)
+        throw new Error("Request not found");
+    if (request.status !== "pending") {
+        throw new Error("Only pending requests can be approved");
+    }
+    const timestamp = now();
+    const reviewer = ctx.ownerEmail;
+    // Update request status — scoped to caller's tenant.
+    await db
+        .update(schema.vaultRequests)
+        .set({
+        status: "approved",
+        reviewedBy: reviewer,
+        reviewedAt: timestamp,
+        updatedAt: timestamp,
+    })
+        .where(and(eq(schema.vaultRequests.id, requestId), ctxScope(schema.vaultRequests, ctx)));
+    // Secret + grant must land in the REQUEST's tenant, not the approver's
+    // (the approver may be acting on behalf of another user in the same org).
+    const requestCtx = ctxForRow(request);
+    // Check if secret already exists in the request's tenant for this key.
+    const existingSecrets = await db
+        .select()
+        .from(schema.vaultSecrets)
+        .where(and(eq(schema.vaultSecrets.credentialKey, request.credentialKey), ctxScope(schema.vaultSecrets, requestCtx)));
+    let secret = existingSecrets[0] ?? null;
+    if (!secret) {
+        secret = await createSecret({
+            credentialKey: request.credentialKey,
+            value: secretValue,
+            name: secretName || request.credentialKey,
+        }, requestCtx);
+    }
+    if (secret) {
+        // Create the grant in the request's tenant as well.
+        await createGrant(secret.id, request.appId, requestCtx);
+    }
+    await recordVaultAudit({
+        action: "request.approved",
+        appId: request.appId,
+        summary: `Approved ${request.credentialKey} for ${request.appId} (requested by ${request.requestedBy})`,
+        metadata: { requestId, reviewer },
+    });
+    return getRequest(requestId, ctx);
+}
+export async function denyRequest(requestId, reason, ctx = requireVaultCtx()) {
+    const db = getDb();
+    const request = await getRequest(requestId, ctx);
+    if (!request)
+        throw new Error("Request not found");
+    if (request.status !== "pending") {
+        throw new Error("Only pending requests can be denied");
+    }
+    const timestamp = now();
+    const reviewer = ctx.ownerEmail;
+    await db
+        .update(schema.vaultRequests)
+        .set({
+        status: "denied",
+        reviewedBy: reviewer,
+        reviewedAt: timestamp,
+        updatedAt: timestamp,
+    })
+        .where(and(eq(schema.vaultRequests.id, requestId), ctxScope(schema.vaultRequests, ctx)));
+    await recordVaultAudit({
+        action: "request.denied",
+        appId: request.appId,
+        summary: `Denied ${request.credentialKey} for ${request.appId} (requested by ${request.requestedBy})`,
+        metadata: { requestId, reviewer, reason },
+    });
+    return getRequest(requestId, ctx);
+}
+export async function listIntegrationsCatalog() {
+    const agents = await discoverAgents("dispatch");
+    const grants = await listGrants();
+    const secrets = await listSecrets();
+    const secretByKey = new Map(secrets.map((s) => [s.credentialKey, s]));
+    const results = [];
+    for (const agent of agents) {
+        try {
+            const res = await fetch(`${agent.url}/_agent-native/env-status`, {
+                signal: AbortSignal.timeout(3000),
+            });
+            if (!res.ok) {
+                results.push({
+                    appId: agent.id,
+                    appName: agent.name,
+                    url: agent.url,
+                    color: agent.color,
+                    integrations: [],
+                    reachable: false,
+                });
+                continue;
+            }
+            const envStatus = await res.json();
+            const appGrants = grants.filter((g) => g.appId === agent.id && g.status === "active");
+            const grantedSecretIds = new Set(appGrants.map((g) => g.secretId));
+            const integrations = envStatus.map((env) => {
+                const matchingSecret = secretByKey.get(env.key);
+                return {
+                    key: env.key,
+                    label: env.label,
+                    required: env.required,
+                    configured: env.configured,
+                    vaultGranted: !!matchingSecret && grantedSecretIds.has(matchingSecret.id),
+                    vaultSecretId: matchingSecret?.id,
+                };
+            });
+            results.push({
+                appId: agent.id,
+                appName: agent.name,
+                url: agent.url,
+                color: agent.color,
+                integrations,
+                reachable: true,
+            });
+        }
+        catch {
+            results.push({
+                appId: agent.id,
+                appName: agent.name,
+                url: agent.url,
+                color: agent.color,
+                integrations: [],
+                reachable: false,
+            });
+        }
+    }
+    return results;
+}
+// ─── Vault Overview (for dashboard) ──────────────────────────────
+export async function listVaultOverview() {
+    const [secrets, grants, requests] = await Promise.all([
+        listSecrets(),
+        listGrants(),
+        listRequests(),
+    ]);
+    return {
+        secretCount: secrets.length,
+        activeGrantCount: grants.filter((g) => g.status === "active").length,
+        pendingRequestCount: requests.filter((r) => r.status === "pending").length,
+    };
+}
+// ─── SendGrid Notifications ──────────────────────────────────────
+async function notifyAdminsOfRequest(requestId, input) {
+    const apiKey = process.env.SENDGRID_API_KEY;
+    const from = process.env.SENDGRID_FROM_EMAIL;
+    const appUrl = process.env.APP_URL;
+    if (!apiKey || !from || !appUrl)
+        return;
+    // Use approval policy approver emails as admin notification targets
+    const { getApprovalPolicy } = await import("./dispatch-store.js");
+    const policy = await getApprovalPolicy();
+    if (policy.approverEmails.length === 0)
+        return;
+    const body = [
+        `Secret request: ${input.credentialKey} for ${input.appId}`,
+        input.reason ? `Reason: ${input.reason}` : "",
+        `Requested by: ${currentOwnerEmail()}`,
+        "",
+        `Review it here: ${appUrl}/vault`,
+    ]
+        .filter(Boolean)
+        .join("\n");
+    await fetch("https://api.sendgrid.com/v3/mail/send", {
+        method: "POST",
+        headers: {
+            Authorization: `Bearer ${apiKey}`,
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+            personalizations: [
+                {
+                    to: policy.approverEmails.map((email) => ({ email })),
+                    subject: `Vault request: ${input.credentialKey} for ${input.appId}`,
+                },
+            ],
+            from: { email: from },
+            content: [{ type: "text/plain", value: body }],
+            custom_args: { requestId },
+        }),
+    }).catch(() => { });
+}
+//# sourceMappingURL=vault-store.js.map

package/dist/server/lib/vault-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-store.js","sourceRoot":"","sources":["../../../src/server/lib/vault-store.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,2CAA2C,CAAC;AAC3E,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,WAAW,GACZ,MAAM,qBAAqB,CAAC;AAgB7B;;;;GAIG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,UAAU,GAAG,iBAAiB,EAAE,CAAC;IACvC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,CAAC;AAC/C,CAAC;AAED,4EAA4E;AAC5E,SAAS,QAAQ,CACf,KAAQ,EACR,GAAa;IAEb,OAAO,EAAE,CACP,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,EACpC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAC7D,CAAC;AACJ,CAAC;AAED;;iDAEiD;AACjD,SAAS,SAAS,CAAC,GAGlB;IACC,OAAO,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;AAC1D,CAAC;AAED,SAAS,EAAE;IACT,OAAO,MAAM,CAAC,UAAU,EAAE,CAAC;AAC7B,CAAC;AAED,SAAS,GAAG;IACV,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC;AACpB,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,SAAS,CAA4C,KAAQ;IACpE,MAAM,KAAK,GAAG,YAAY,EAAE,CAAC;IAC7B,OAAO,GAAG,CACR,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,CAAC,EACzC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CACrD,CAAC;AACJ,CAAC;AAED,qEAAqE;AAErE,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAOtC;IACC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;QAC3C,EAAE,EAAE,EAAE,EAAE;QACR,UAAU,EAAE,iBAAiB,EAAE;QAC/B,KAAK,EAAE,YAAY,EAAE;QACrB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,IAAI;QAChC,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI;QAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,iBAAiB,EAAE;QACzC,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI;QAC1D,SAAS,EAAE,GAAG,EAAE;KACjB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAK,GAAG,EAAE;IAC7C,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,OAAO,EAAE;SACN,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;SAC1B,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;SACtC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;SAC7C,KAAK,CAAC,KAAK,CAAC,CAAC;AAClB,CAAC;AAED,qEAAqE;AAErE,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,OAAO,EAAE;SACN,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;SACzB,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;SACrC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,QAAgB,EAAE,GAAa;IAC7D,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;SACnB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;SACzB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,QAAQ,CAAC,EACpC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,CACnC,CACF;SACA,KAAK,CAAC,CAAC,CAAC,CAAC;IACZ,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,KAMC,EACD,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,QAAQ,GAAG,EAAE,EAAE,CAAC;IACtB,MAAM,KAAK,GAAG,GAAG,CAAC,UAAU,CAAC;IAE7B,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC;QAC1C,EAAE,EAAE,QAAQ;QACZ,UAAU,EAAE,KAAK;QACjB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,IAAI;QAChC,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;QACtC,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,SAAS;QACpB,SAAS,EAAE,SAAS;KACrB,CAAC,CAAC;IAEH,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,gBAAgB;QACxB,QAAQ;QACR,OAAO,EAAE,mBAAmB,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,aAAa,GAAG;QAClE,QAAQ,EAAE,EAAE,aAAa,EAAE,KAAK,CAAC,aAAa,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE;KAC3E,CAAC,CAAC;IAEH,MAAM,WAAW,CAAC;QAChB,MAAM,EAAE,sBAAsB;QAC9B,UAAU,EAAE,cAAc;QAC1B,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,yBAAyB,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,aAAa,GAAG;KACzE,CAAC,CAAC;IAEH,OAAO,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,KAAa,EACb,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAChD,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAEnD,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;SAC3B,GAAG,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC;SAChC,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,QAAQ,CAAC,EACpC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,CACnC,CACF,CAAC;IAEJ,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,gBAAgB;QACxB,QAAQ;QACR,OAAO,EAAE,6BAA6B,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,aAAa,GAAG;KACnF,CAAC,CAAC;IAEH,OAAO,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAChD,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAEnD,iCAAiC;IACjC,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC9C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,KAAK,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,WAAW,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;SAC3B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,QAAQ,CAAC,EACpC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,CACnC,CACF,CAAC;IAEJ,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,gBAAgB;QACxB,QAAQ;QACR,OAAO,EAAE,mBAAmB,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,aAAa,GAAG;KACzE,CAAC,CAAC;IAEH,MAAM,WAAW,CAAC;QAChB,MAAM,EAAE,sBAAsB;QAC9B,UAAU,EAAE,cAAc;QAC1B,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,yBAAyB,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,aAAa,GAAG;KAC/E,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,oEAAoE;AAEpE,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAGhC;IACC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,UAAU,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;IACnD,IAAI,MAAM,EAAE,QAAQ,EAAE,CAAC;QACrB,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAQ,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,MAAM,EAAE,KAAK,EAAE,CAAC;QAClB,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAQ,CAAC,CAAC;IACrE,CAAC;IACD,OAAO,EAAE;SACN,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;SACzB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,OAAe,EACf,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;SACnB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,EAClC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,CAClC,CACF;SACA,KAAK,CAAC,CAAC,CAAC,CAAC;IACZ,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,QAAgB,EAChB,KAAa,EACb,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC9C,IAAI,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAEjD,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,OAAO,GAAG,EAAE,EAAE,CAAC;IACrB,MAAM,KAAK,GAAG,GAAG,CAAC,UAAU,CAAC;IAE7B,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;QACzC,EAAE,EAAE,OAAO;QACX,UAAU,EAAE,KAAK;QACjB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,QAAQ;QACR,KAAK;QACL,SAAS,EAAE,KAAK;QAChB,MAAM,EAAE,QAAQ;QAChB,QAAQ,EAAE,IAAI;QACd,SAAS,EAAE,SAAS;QACpB,SAAS,EAAE,SAAS;KACrB,CAAC,CAAC;IAEH,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,eAAe;QACvB,QAAQ;QACR,KAAK;QACL,OAAO,EAAE,YAAY,MAAM,CAAC,IAAI,MAAM,MAAM,CAAC,aAAa,QAAQ,KAAK,EAAE;QACzE,QAAQ,EAAE,EAAE,OAAO,EAAE;KACtB,CAAC,CAAC;IAEH,MAAM,WAAW,CAAC;QAChB,MAAM,EAAE,qBAAqB;QAC7B,UAAU,EAAE,aAAa;QACzB,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,yBAAyB,MAAM,CAAC,IAAI,QAAQ,KAAK,EAAE;KAC7D,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,SAAmB,EACnB,KAAa,EACb,MAAgB,eAAe,EAAE;IAEjC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;IACvD,MAAM,cAAc,GAAG,CAAC,MAAM,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,MAAM,CACzD,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,QAAQ,CACrC,CAAC;IACF,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAC/B,cAAc,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAC9C,CAAC;IACF,MAAM,OAAO,GAAG,EAAE,CAAC;IACnB,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,QAAQ,IAAI,eAAe,EAAE,CAAC;QACvC,IAAI,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACvB,SAAS;QACX,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QACtD,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACpB,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AACrC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAe,EACf,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAC3C,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAE/C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAEpD,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;SAC1B,GAAG,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC;SAC5C,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,EAClC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,CAClC,CACF,CAAC;IAEJ,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,eAAe;QACvB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,OAAO,EAAE,WAAW,MAAM,EAAE,aAAa,IAAI,KAAK,CAAC,QAAQ,SAAS,KAAK,CAAC,KAAK,EAAE;QACjF,QAAQ,EAAE,EAAE,OAAO,EAAE;KACtB,CAAC,CAAC;IAEH,MAAM,WAAW,CAAC;QAChB,MAAM,EAAE,qBAAqB;QAC7B,UAAU,EAAE,aAAa;QACzB,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,yBAAyB,MAAM,EAAE,IAAI,IAAI,KAAK,CAAC,QAAQ,UAAU,KAAK,CAAC,KAAK,EAAE;KACxF,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,kEAAkE;AAElE,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAa,EACb,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;IAChD,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;IACjD,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,KAAK,+BAA+B,CAAC,CAAC;IAE1E,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3C,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;IACjE,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACxC,CAAC;IAED,uCAAuC;IACvC,MAAM,IAAI,GAA0C,EAAE,CAAC;IACvD,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACpD,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,aAAa,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACxC,CAAC;IAED,sCAAsC;IACtC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,KAAK,CAAC,GAAG,yBAAyB,EAAE;QAC7D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC;KAC/B,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,qBAAqB,KAAK,KAAK,GAAG,EAAE,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAChC,MAAM,UAAU,GAAa,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;IAChD,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IAExB,0DAA0D;IAC1D,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACpD,IAAI,MAAM,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;YACxD,MAAM,EAAE;iBACL,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;iBAC1B,GAAG,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;iBAClD,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,eAAe;QACvB,KAAK;QACL,OAAO,EAAE,UAAU,UAAU,CAAC,MAAM,iBAAiB,KAAK,KAAK,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;QACtF,QAAQ,EAAE,EAAE,UAAU,EAAE;KACzB,CAAC,CAAC;IAEH,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AAChE,CAAC;AAED,sEAAsE;AAEtE,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAA4B;IAC7D,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,UAAU,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC;IACrD,IAAI,MAAM,EAAE,MAAM,EAAE,CAAC;QACnB,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAQ,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,EAAE;SACN,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;SAC1B,KAAK,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;SACzB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,SAAiB,EACjB,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;SACnB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;SAC1B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,CAAC,EACtC,QAAQ,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,CACpC,CACF;SACA,KAAK,CAAC,CAAC,CAAC,CAAC;IACZ,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAInC;IACC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,SAAS,GAAG,EAAE,EAAE,CAAC;IACvB,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAElC,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;QAC3C,EAAE,EAAE,SAAS;QACb,UAAU,EAAE,KAAK;QACjB,KAAK,EAAE,YAAY,EAAE;QACrB,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;QAC5B,WAAW,EAAE,KAAK;QAClB,MAAM,EAAE,SAAS;QACjB,UAAU,EAAE,IAAI;QAChB,UAAU,EAAE,IAAI;QAChB,SAAS,EAAE,SAAS;QACpB,SAAS,EAAE,SAAS;KACrB,CAAC,CAAC;IAEH,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,iBAAiB;QACzB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,OAAO,EAAE,GAAG,KAAK,cAAc,KAAK,CAAC,aAAa,QAAQ,KAAK,CAAC,KAAK,EAAE;QACvE,QAAQ,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE;KAC9C,CAAC,CAAC;IAEH,MAAM,qBAAqB,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAE9C,OAAO,UAAU,CAAC,SAAS,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAiB,EACjB,WAAmB,EACnB,UAAmB,EACnB,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACjD,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACnD,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC;IAEhC,qDAAqD;IACrD,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC;SAC5B,GAAG,CAAC;QACH,MAAM,EAAE,UAAU;QAClB,UAAU,EAAE,QAAQ;QACpB,UAAU,EAAE,SAAS;QACrB,SAAS,EAAE,SAAS;KACrB,CAAC;SACD,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,CAAC,EACtC,QAAQ,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,CACpC,CACF,CAAC;IAEJ,uEAAuE;IACvE,0EAA0E;IAC1E,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;IAEtC,uEAAuE;IACvE,MAAM,eAAe,GAAG,MAAM,EAAE;SAC7B,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;SACzB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,aAAa,CAAC,EAC5D,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,UAAU,CAAC,CAC1C,CACF,CAAC;IACJ,IAAI,MAAM,GAAG,eAAe,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAExC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,MAAM,YAAY,CACzB;YACE,aAAa,EAAE,OAAO,CAAC,aAAa;YACpC,KAAK,EAAE,WAAW;YAClB,IAAI,EAAE,UAAU,IAAI,OAAO,CAAC,aAAa;SAC1C,EACD,UAAU,CACX,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,oDAAoD;QACpD,MAAM,WAAW,CAAC,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,kBAAkB;QAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,OAAO,EAAE,YAAY,OAAO,CAAC,aAAa,QAAQ,OAAO,CAAC,KAAK,kBAAkB,OAAO,CAAC,WAAW,GAAG;QACvG,QAAQ,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE;KAClC,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,SAAiB,EACjB,MAAsB,EACtB,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACjD,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACnD,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC;IAEhC,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC;SAC5B,GAAG,CAAC;QACH,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE,QAAQ;QACpB,UAAU,EAAE,SAAS;QACrB,SAAS,EAAE,SAAS;KACrB,CAAC;SACD,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,CAAC,EACtC,QAAQ,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,CACpC,CACF,CAAC;IAEJ,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,gBAAgB;QACxB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,OAAO,EAAE,UAAU,OAAO,CAAC,aAAa,QAAQ,OAAO,CAAC,KAAK,kBAAkB,OAAO,CAAC,WAAW,GAAG;QACrG,QAAQ,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE;KAC1C,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AACpC,CAAC;AAsBD,MAAM,CAAC,KAAK,UAAU,uBAAuB;IAC3C,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,MAAM,WAAW,EAAE,CAAC;IAEpC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAEtE,MAAM,OAAO,GAAsB,EAAE,CAAC;IAEtC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,KAAK,CAAC,GAAG,2BAA2B,EAAE;gBAC/D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;aAClC,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,OAAO,CAAC,IAAI,CAAC;oBACX,KAAK,EAAE,KAAK,CAAC,EAAE;oBACf,OAAO,EAAE,KAAK,CAAC,IAAI;oBACnB,GAAG,EAAE,KAAK,CAAC,GAAG;oBACd,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,YAAY,EAAE,EAAE;oBAChB,SAAS,EAAE,KAAK;iBACjB,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,MAAM,SAAS,GAKV,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAEtB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAC7B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,EAAE,IAAI,CAAC,CAAC,MAAM,KAAK,QAAQ,CACrD,CAAC;YACF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;YAEnE,MAAM,YAAY,GAAuB,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;gBAC7D,MAAM,cAAc,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAChD,OAAO;oBACL,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,KAAK,EAAE,GAAG,CAAC,KAAK;oBAChB,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,UAAU,EAAE,GAAG,CAAC,UAAU;oBAC1B,YAAY,EACV,CAAC,CAAC,cAAc,IAAI,gBAAgB,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;oBAC7D,aAAa,EAAE,cAAc,EAAE,EAAE;iBAClC,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK,EAAE,KAAK,CAAC,EAAE;gBACf,OAAO,EAAE,KAAK,CAAC,IAAI;gBACnB,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,YAAY;gBACZ,SAAS,EAAE,IAAI;aAChB,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK,EAAE,KAAK,CAAC,EAAE;gBACf,OAAO,EAAE,KAAK,CAAC,IAAI;gBACnB,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,YAAY,EAAE,EAAE;gBAChB,SAAS,EAAE,KAAK;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,oEAAoE;AAEpE,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACpD,WAAW,EAAE;QACb,UAAU,EAAE;QACZ,YAAY,EAAE;KACf,CAAC,CAAC;IAEH,OAAO;QACL,WAAW,EAAE,OAAO,CAAC,MAAM;QAC3B,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,MAAM;QACpE,mBAAmB,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;KAC3E,CAAC;AACJ,CAAC;AAED,oEAAoE;AAEpE,KAAK,UAAU,qBAAqB,CAClC,SAAiB,EACjB,KAAuE;IAEvE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC7C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;IACnC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO;IAExC,oEAAoE;IACpE,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,MAAM,iBAAiB,EAAE,CAAC;IACzC,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IAE/C,MAAM,IAAI,GAAG;QACX,mBAAmB,KAAK,CAAC,aAAa,QAAQ,KAAK,CAAC,KAAK,EAAE;QAC3D,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE;QAC7C,iBAAiB,iBAAiB,EAAE,EAAE;QACtC,EAAE;QACF,mBAAmB,MAAM,QAAQ;KAClC;SACE,MAAM,CAAC,OAAO,CAAC;SACf,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,MAAM,KAAK,CAAC,uCAAuC,EAAE;QACnD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,MAAM,EAAE;YACjC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,gBAAgB,EAAE;gBAChB;oBACE,EAAE,EAAE,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;oBACrD,OAAO,EAAE,kBAAkB,KAAK,CAAC,aAAa,QAAQ,KAAK,CAAC,KAAK,EAAE;iBACpE;aACF;YACD,IAAI,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;YACrB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;YAC9C,WAAW,EAAE,EAAE,SAAS,EAAE;SAC3B,CAAC;KACH,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;AACrB,CAAC","sourcesContent":["import crypto from \"node:crypto\";\nimport { and, desc, eq, isNull, or } from \"drizzle-orm\";\nimport { discoverAgents } from \"@agent-native/core/server/agent-discovery\";\nimport { getDb, schema } from \"../../db/index.js\";\nimport {\n  currentOwnerEmail,\n  currentOrgId,\n  recordAudit,\n} from \"./dispatch-store.js\";\n\n/**\n * Caller-supplied access context for vault operations.\n *\n * Every getSecret / updateSecret / deleteSecret / createGrant call must\n * pass the ctx of the *current request* so the row is scoped to that\n * caller's tenant. Looking up a vault secret by id alone is unsafe — UUIDs\n * are not authorization. A row matches the ctx if either the caller owns\n * it or it lives in the caller's active org.\n */\nexport interface VaultCtx {\n  ownerEmail: string;\n  orgId: string | null;\n}\n\n/**\n * Build a VaultCtx from the current request. Throws if the request is\n * unauthenticated — the previous behavior of falling back to \"local@localhost\"\n * leaked rows across tenants when a misconfigured environment skipped auth.\n */\nexport function requireVaultCtx(): VaultCtx {\n  const ownerEmail = currentOwnerEmail();\n  if (!ownerEmail) {\n    throw new Error(\"Vault operation requires an authenticated user\");\n  }\n  return { ownerEmail, orgId: currentOrgId() };\n}\n\n/** WHERE clause that limits a vault row to the caller's ownership scope. */\nfunction ctxScope<T extends { ownerEmail: any; orgId: any }>(\n  table: T,\n  ctx: VaultCtx,\n) {\n  return or(\n    eq(table.ownerEmail, ctx.ownerEmail),\n    ctx.orgId ? eq(table.orgId, ctx.orgId) : isNull(table.orgId),\n  );\n}\n\n/** Build a ctx that scopes to a specific row's owner/org (used when a\n * request approver acts on behalf of the original requester so the\n * created secret lands in the request's org). */\nfunction ctxForRow(row: {\n  ownerEmail: string;\n  orgId: string | null;\n}): VaultCtx {\n  return { ownerEmail: row.ownerEmail, orgId: row.orgId };\n}\n\nfunction id() {\n  return crypto.randomUUID();\n}\n\nfunction now() {\n  return Date.now();\n}\n\nfunction safeJson(value: unknown) {\n  return JSON.stringify(value ?? null);\n}\n\nfunction orgFilter<T extends { ownerEmail: any; orgId: any }>(table: T) {\n  const orgId = currentOrgId();\n  return and(\n    eq(table.ownerEmail, currentOwnerEmail()),\n    orgId ? eq(table.orgId, orgId) : isNull(table.orgId),\n  );\n}\n\n// ─── Vault Audit ──────────────────────────────────────────────────\n\nexport async function recordVaultAudit(input: {\n  action: string;\n  secretId?: string | null;\n  appId?: string | null;\n  summary: string;\n  metadata?: unknown;\n  actor?: string;\n}) {\n  const db = getDb();\n  await db.insert(schema.vaultAuditLog).values({\n    id: id(),\n    ownerEmail: currentOwnerEmail(),\n    orgId: currentOrgId(),\n    secretId: input.secretId || null,\n    appId: input.appId || null,\n    action: input.action,\n    actor: input.actor || currentOwnerEmail(),\n    summary: input.summary,\n    metadata: input.metadata ? safeJson(input.metadata) : null,\n    createdAt: now(),\n  });\n}\n\nexport async function listVaultAudit(limit = 50) {\n  const db = getDb();\n  return db\n    .select()\n    .from(schema.vaultAuditLog)\n    .where(orgFilter(schema.vaultAuditLog))\n    .orderBy(desc(schema.vaultAuditLog.createdAt))\n    .limit(limit);\n}\n\n// ─── Secrets ──────────────────────────────────────────────────────\n\nexport async function listSecrets() {\n  const db = getDb();\n  return db\n    .select()\n    .from(schema.vaultSecrets)\n    .where(orgFilter(schema.vaultSecrets))\n    .orderBy(desc(schema.vaultSecrets.updatedAt));\n}\n\nexport async function getSecret(secretId: string, ctx: VaultCtx) {\n  const db = getDb();\n  const [row] = await db\n    .select()\n    .from(schema.vaultSecrets)\n    .where(\n      and(\n        eq(schema.vaultSecrets.id, secretId),\n        ctxScope(schema.vaultSecrets, ctx),\n      ),\n    )\n    .limit(1);\n  return row ?? null;\n}\n\nexport async function createSecret(\n  input: {\n    credentialKey: string;\n    value: string;\n    name: string;\n    provider?: string | null;\n    description?: string | null;\n  },\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const timestamp = now();\n  const secretId = id();\n  const actor = ctx.ownerEmail;\n\n  await db.insert(schema.vaultSecrets).values({\n    id: secretId,\n    ownerEmail: actor,\n    orgId: ctx.orgId,\n    name: input.name,\n    credentialKey: input.credentialKey,\n    value: input.value,\n    provider: input.provider || null,\n    description: input.description || null,\n    createdBy: actor,\n    createdAt: timestamp,\n    updatedAt: timestamp,\n  });\n\n  await recordVaultAudit({\n    action: \"secret.created\",\n    secretId,\n    summary: `Created secret \"${input.name}\" (${input.credentialKey})`,\n    metadata: { credentialKey: input.credentialKey, provider: input.provider },\n  });\n\n  await recordAudit({\n    action: \"vault.secret.created\",\n    targetType: \"vault-secret\",\n    targetId: secretId,\n    summary: `Created vault secret \"${input.name}\" (${input.credentialKey})`,\n  });\n\n  return getSecret(secretId, ctx);\n}\n\nexport async function updateSecret(\n  secretId: string,\n  value: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const existing = await getSecret(secretId, ctx);\n  if (!existing) throw new Error(\"Secret not found\");\n\n  await db\n    .update(schema.vaultSecrets)\n    .set({ value, updatedAt: now() })\n    .where(\n      and(\n        eq(schema.vaultSecrets.id, secretId),\n        ctxScope(schema.vaultSecrets, ctx),\n      ),\n    );\n\n  await recordVaultAudit({\n    action: \"secret.updated\",\n    secretId,\n    summary: `Updated value for secret \"${existing.name}\" (${existing.credentialKey})`,\n  });\n\n  return getSecret(secretId, ctx);\n}\n\nexport async function deleteSecret(\n  secretId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const existing = await getSecret(secretId, ctx);\n  if (!existing) throw new Error(\"Secret not found\");\n\n  // Revoke all active grants first\n  const grants = await listGrants({ secretId });\n  for (const grant of grants) {\n    if (grant.status === \"active\") {\n      await revokeGrant(grant.id, ctx);\n    }\n  }\n\n  await db\n    .delete(schema.vaultSecrets)\n    .where(\n      and(\n        eq(schema.vaultSecrets.id, secretId),\n        ctxScope(schema.vaultSecrets, ctx),\n      ),\n    );\n\n  await recordVaultAudit({\n    action: \"secret.deleted\",\n    secretId,\n    summary: `Deleted secret \"${existing.name}\" (${existing.credentialKey})`,\n  });\n\n  await recordAudit({\n    action: \"vault.secret.deleted\",\n    targetType: \"vault-secret\",\n    targetId: secretId,\n    summary: `Deleted vault secret \"${existing.name}\" (${existing.credentialKey})`,\n  });\n\n  return existing;\n}\n\n// ─── Grants ──────────────────────────────────────────────────────\n\nexport async function listGrants(filter?: {\n  secretId?: string;\n  appId?: string;\n}) {\n  const db = getDb();\n  const conditions = [orgFilter(schema.vaultGrants)];\n  if (filter?.secretId) {\n    conditions.push(eq(schema.vaultGrants.secretId, filter.secretId) as any);\n  }\n  if (filter?.appId) {\n    conditions.push(eq(schema.vaultGrants.appId, filter.appId) as any);\n  }\n  return db\n    .select()\n    .from(schema.vaultGrants)\n    .where(and(...conditions))\n    .orderBy(desc(schema.vaultGrants.updatedAt));\n}\n\nexport async function getGrant(\n  grantId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const [row] = await db\n    .select()\n    .from(schema.vaultGrants)\n    .where(\n      and(\n        eq(schema.vaultGrants.id, grantId),\n        ctxScope(schema.vaultGrants, ctx),\n      ),\n    )\n    .limit(1);\n  return row ?? null;\n}\n\nexport async function createGrant(\n  secretId: string,\n  appId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const secret = await getSecret(secretId, ctx);\n  if (!secret) throw new Error(\"Secret not found\");\n\n  const timestamp = now();\n  const grantId = id();\n  const actor = ctx.ownerEmail;\n\n  await db.insert(schema.vaultGrants).values({\n    id: grantId,\n    ownerEmail: actor,\n    orgId: ctx.orgId,\n    secretId,\n    appId,\n    grantedBy: actor,\n    status: \"active\",\n    syncedAt: null,\n    createdAt: timestamp,\n    updatedAt: timestamp,\n  });\n\n  await recordVaultAudit({\n    action: \"grant.created\",\n    secretId,\n    appId,\n    summary: `Granted \"${secret.name}\" (${secret.credentialKey}) to ${appId}`,\n    metadata: { grantId },\n  });\n\n  await recordAudit({\n    action: \"vault.grant.created\",\n    targetType: \"vault-grant\",\n    targetId: grantId,\n    summary: `Granted vault secret \"${secret.name}\" to ${appId}`,\n  });\n\n  return getGrant(grantId);\n}\n\nexport async function grantSecretsToApp(\n  secretIds: string[],\n  appId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const uniqueSecretIds = Array.from(new Set(secretIds));\n  const existingActive = (await listGrants({ appId })).filter(\n    (grant) => grant.status === \"active\",\n  );\n  const existingSecretIds = new Set(\n    existingActive.map((grant) => grant.secretId),\n  );\n  const created = [];\n  const skipped: string[] = [];\n\n  for (const secretId of uniqueSecretIds) {\n    if (existingSecretIds.has(secretId)) {\n      skipped.push(secretId);\n      continue;\n    }\n    const grant = await createGrant(secretId, appId, ctx);\n    if (grant) {\n      created.push(grant);\n      existingSecretIds.add(secretId);\n    }\n  }\n\n  return { appId, created, skipped };\n}\n\nexport async function revokeGrant(\n  grantId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const grant = await getGrant(grantId, ctx);\n  if (!grant) throw new Error(\"Grant not found\");\n\n  const secret = await getSecret(grant.secretId, ctx);\n\n  await db\n    .update(schema.vaultGrants)\n    .set({ status: \"revoked\", updatedAt: now() })\n    .where(\n      and(\n        eq(schema.vaultGrants.id, grantId),\n        ctxScope(schema.vaultGrants, ctx),\n      ),\n    );\n\n  await recordVaultAudit({\n    action: \"grant.revoked\",\n    secretId: grant.secretId,\n    appId: grant.appId,\n    summary: `Revoked ${secret?.credentialKey || grant.secretId} from ${grant.appId}`,\n    metadata: { grantId },\n  });\n\n  await recordAudit({\n    action: \"vault.grant.revoked\",\n    targetType: \"vault-grant\",\n    targetId: grantId,\n    summary: `Revoked vault secret \"${secret?.name || grant.secretId}\" from ${grant.appId}`,\n  });\n\n  return getGrant(grantId, ctx);\n}\n\n// ─── Sync ──────────────────────────────────────────────────────\n\nexport async function syncGrantsToApp(\n  appId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const agents = await discoverAgents(\"dispatch\");\n  const agent = agents.find((a) => a.id === appId);\n  if (!agent) throw new Error(`App \"${appId}\" not found in agent registry`);\n\n  const grants = await listGrants({ appId });\n  const activeGrants = grants.filter((g) => g.status === \"active\");\n  if (activeGrants.length === 0) {\n    return { appId, synced: 0, keys: [] };\n  }\n\n  // Resolve secret values for each grant\n  const vars: Array<{ key: string; value: string }> = [];\n  for (const grant of activeGrants) {\n    const secret = await getSecret(grant.secretId, ctx);\n    if (secret) {\n      vars.push({ key: secret.credentialKey, value: secret.value });\n    }\n  }\n\n  if (vars.length === 0) {\n    return { appId, synced: 0, keys: [] };\n  }\n\n  // Push to the app's env-vars endpoint\n  const res = await fetch(`${agent.url}/_agent-native/env-vars`, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\" },\n    body: JSON.stringify({ vars }),\n  });\n\n  if (!res.ok) {\n    const err = await res.text().catch(() => \"Unknown error\");\n    throw new Error(`Failed to sync to ${appId}: ${err}`);\n  }\n\n  const result = await res.json();\n  const syncedKeys: string[] = result.saved || [];\n  const timestamp = now();\n\n  // Update syncedAt on grants that were successfully pushed\n  for (const grant of activeGrants) {\n    const secret = await getSecret(grant.secretId, ctx);\n    if (secret && syncedKeys.includes(secret.credentialKey)) {\n      await db\n        .update(schema.vaultGrants)\n        .set({ syncedAt: timestamp, updatedAt: timestamp })\n        .where(eq(schema.vaultGrants.id, grant.id));\n    }\n  }\n\n  await recordVaultAudit({\n    action: \"secret.synced\",\n    appId,\n    summary: `Synced ${syncedKeys.length} secret(s) to ${appId}: ${syncedKeys.join(\", \")}`,\n    metadata: { syncedKeys },\n  });\n\n  return { appId, synced: syncedKeys.length, keys: syncedKeys };\n}\n\n// ─── Requests ──────────────────────────────────────────────────────\n\nexport async function listRequests(filter?: { status?: string }) {\n  const db = getDb();\n  const conditions = [orgFilter(schema.vaultRequests)];\n  if (filter?.status) {\n    conditions.push(eq(schema.vaultRequests.status, filter.status) as any);\n  }\n  return db\n    .select()\n    .from(schema.vaultRequests)\n    .where(and(...conditions))\n    .orderBy(desc(schema.vaultRequests.updatedAt));\n}\n\nexport async function getRequest(\n  requestId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const [row] = await db\n    .select()\n    .from(schema.vaultRequests)\n    .where(\n      and(\n        eq(schema.vaultRequests.id, requestId),\n        ctxScope(schema.vaultRequests, ctx),\n      ),\n    )\n    .limit(1);\n  return row ?? null;\n}\n\nexport async function createRequest(input: {\n  credentialKey: string;\n  appId: string;\n  reason?: string | null;\n}) {\n  const db = getDb();\n  const timestamp = now();\n  const requestId = id();\n  const actor = currentOwnerEmail();\n\n  await db.insert(schema.vaultRequests).values({\n    id: requestId,\n    ownerEmail: actor,\n    orgId: currentOrgId(),\n    credentialKey: input.credentialKey,\n    appId: input.appId,\n    reason: input.reason || null,\n    requestedBy: actor,\n    status: \"pending\",\n    reviewedBy: null,\n    reviewedAt: null,\n    createdAt: timestamp,\n    updatedAt: timestamp,\n  });\n\n  await recordVaultAudit({\n    action: \"request.created\",\n    appId: input.appId,\n    summary: `${actor} requested ${input.credentialKey} for ${input.appId}`,\n    metadata: { requestId, reason: input.reason },\n  });\n\n  await notifyAdminsOfRequest(requestId, input);\n\n  return getRequest(requestId);\n}\n\nexport async function approveRequest(\n  requestId: string,\n  secretValue: string,\n  secretName?: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const request = await getRequest(requestId, ctx);\n  if (!request) throw new Error(\"Request not found\");\n  if (request.status !== \"pending\") {\n    throw new Error(\"Only pending requests can be approved\");\n  }\n\n  const timestamp = now();\n  const reviewer = ctx.ownerEmail;\n\n  // Update request status — scoped to caller's tenant.\n  await db\n    .update(schema.vaultRequests)\n    .set({\n      status: \"approved\",\n      reviewedBy: reviewer,\n      reviewedAt: timestamp,\n      updatedAt: timestamp,\n    })\n    .where(\n      and(\n        eq(schema.vaultRequests.id, requestId),\n        ctxScope(schema.vaultRequests, ctx),\n      ),\n    );\n\n  // Secret + grant must land in the REQUEST's tenant, not the approver's\n  // (the approver may be acting on behalf of another user in the same org).\n  const requestCtx = ctxForRow(request);\n\n  // Check if secret already exists in the request's tenant for this key.\n  const existingSecrets = await db\n    .select()\n    .from(schema.vaultSecrets)\n    .where(\n      and(\n        eq(schema.vaultSecrets.credentialKey, request.credentialKey),\n        ctxScope(schema.vaultSecrets, requestCtx),\n      ),\n    );\n  let secret = existingSecrets[0] ?? null;\n\n  if (!secret) {\n    secret = await createSecret(\n      {\n        credentialKey: request.credentialKey,\n        value: secretValue,\n        name: secretName || request.credentialKey,\n      },\n      requestCtx,\n    );\n  }\n\n  if (secret) {\n    // Create the grant in the request's tenant as well.\n    await createGrant(secret.id, request.appId, requestCtx);\n  }\n\n  await recordVaultAudit({\n    action: \"request.approved\",\n    appId: request.appId,\n    summary: `Approved ${request.credentialKey} for ${request.appId} (requested by ${request.requestedBy})`,\n    metadata: { requestId, reviewer },\n  });\n\n  return getRequest(requestId, ctx);\n}\n\nexport async function denyRequest(\n  requestId: string,\n  reason?: string | null,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const request = await getRequest(requestId, ctx);\n  if (!request) throw new Error(\"Request not found\");\n  if (request.status !== \"pending\") {\n    throw new Error(\"Only pending requests can be denied\");\n  }\n\n  const timestamp = now();\n  const reviewer = ctx.ownerEmail;\n\n  await db\n    .update(schema.vaultRequests)\n    .set({\n      status: \"denied\",\n      reviewedBy: reviewer,\n      reviewedAt: timestamp,\n      updatedAt: timestamp,\n    })\n    .where(\n      and(\n        eq(schema.vaultRequests.id, requestId),\n        ctxScope(schema.vaultRequests, ctx),\n      ),\n    );\n\n  await recordVaultAudit({\n    action: \"request.denied\",\n    appId: request.appId,\n    summary: `Denied ${request.credentialKey} for ${request.appId} (requested by ${request.requestedBy})`,\n    metadata: { requestId, reviewer, reason },\n  });\n\n  return getRequest(requestId, ctx);\n}\n\n// ─── Integrations Catalog ────────────────────────────────────────\n\nexport interface IntegrationEntry {\n  key: string;\n  label: string;\n  required: boolean;\n  configured: boolean;\n  vaultGranted: boolean;\n  vaultSecretId?: string;\n}\n\nexport interface AppIntegrations {\n  appId: string;\n  appName: string;\n  url: string;\n  color: string;\n  integrations: IntegrationEntry[];\n  reachable: boolean;\n}\n\nexport async function listIntegrationsCatalog(): Promise<AppIntegrations[]> {\n  const agents = await discoverAgents(\"dispatch\");\n  const grants = await listGrants();\n  const secrets = await listSecrets();\n\n  const secretByKey = new Map(secrets.map((s) => [s.credentialKey, s]));\n\n  const results: AppIntegrations[] = [];\n\n  for (const agent of agents) {\n    try {\n      const res = await fetch(`${agent.url}/_agent-native/env-status`, {\n        signal: AbortSignal.timeout(3000),\n      });\n      if (!res.ok) {\n        results.push({\n          appId: agent.id,\n          appName: agent.name,\n          url: agent.url,\n          color: agent.color,\n          integrations: [],\n          reachable: false,\n        });\n        continue;\n      }\n\n      const envStatus: Array<{\n        key: string;\n        label: string;\n        required: boolean;\n        configured: boolean;\n      }> = await res.json();\n\n      const appGrants = grants.filter(\n        (g) => g.appId === agent.id && g.status === \"active\",\n      );\n      const grantedSecretIds = new Set(appGrants.map((g) => g.secretId));\n\n      const integrations: IntegrationEntry[] = envStatus.map((env) => {\n        const matchingSecret = secretByKey.get(env.key);\n        return {\n          key: env.key,\n          label: env.label,\n          required: env.required,\n          configured: env.configured,\n          vaultGranted:\n            !!matchingSecret && grantedSecretIds.has(matchingSecret.id),\n          vaultSecretId: matchingSecret?.id,\n        };\n      });\n\n      results.push({\n        appId: agent.id,\n        appName: agent.name,\n        url: agent.url,\n        color: agent.color,\n        integrations,\n        reachable: true,\n      });\n    } catch {\n      results.push({\n        appId: agent.id,\n        appName: agent.name,\n        url: agent.url,\n        color: agent.color,\n        integrations: [],\n        reachable: false,\n      });\n    }\n  }\n\n  return results;\n}\n\n// ─── Vault Overview (for dashboard) ──────────────────────────────\n\nexport async function listVaultOverview() {\n  const [secrets, grants, requests] = await Promise.all([\n    listSecrets(),\n    listGrants(),\n    listRequests(),\n  ]);\n\n  return {\n    secretCount: secrets.length,\n    activeGrantCount: grants.filter((g) => g.status === \"active\").length,\n    pendingRequestCount: requests.filter((r) => r.status === \"pending\").length,\n  };\n}\n\n// ─── SendGrid Notifications ──────────────────────────────────────\n\nasync function notifyAdminsOfRequest(\n  requestId: string,\n  input: { credentialKey: string; appId: string; reason?: string | null },\n) {\n  const apiKey = process.env.SENDGRID_API_KEY;\n  const from = process.env.SENDGRID_FROM_EMAIL;\n  const appUrl = process.env.APP_URL;\n  if (!apiKey || !from || !appUrl) return;\n\n  // Use approval policy approver emails as admin notification targets\n  const { getApprovalPolicy } = await import(\"./dispatch-store.js\");\n  const policy = await getApprovalPolicy();\n  if (policy.approverEmails.length === 0) return;\n\n  const body = [\n    `Secret request: ${input.credentialKey} for ${input.appId}`,\n    input.reason ? `Reason: ${input.reason}` : \"\",\n    `Requested by: ${currentOwnerEmail()}`,\n    \"\",\n    `Review it here: ${appUrl}/vault`,\n  ]\n    .filter(Boolean)\n    .join(\"\\n\");\n\n  await fetch(\"https://api.sendgrid.com/v3/mail/send\", {\n    method: \"POST\",\n    headers: {\n      Authorization: `Bearer ${apiKey}`,\n      \"Content-Type\": \"application/json\",\n    },\n    body: JSON.stringify({\n      personalizations: [\n        {\n          to: policy.approverEmails.map((email) => ({ email })),\n          subject: `Vault request: ${input.credentialKey} for ${input.appId}`,\n        },\n      ],\n      from: { email: from },\n      content: [{ type: \"text/plain\", value: body }],\n      custom_args: { requestId },\n    }),\n  }).catch(() => {});\n}\n"]}