@agent-native/dispatch 0.6.1 → 0.7.0

package/dist/server/lib/vault-store.js.map

@@ -1 +1 @@
-{"version":3,"file":"vault-store.js","sourceRoot":"","sources":["../../../src/server/lib/vault-store.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,2CAA2C,CAAC;AAC3E,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,WAAW,GACZ,MAAM,qBAAqB,CAAC;AAgB7B;;;;GAIG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,UAAU,GAAG,iBAAiB,EAAE,CAAC;IACvC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,CAAC;AAC/C,CAAC;AAED,4EAA4E;AAC5E,SAAS,QAAQ,CACf,KAAQ,EACR,GAAa;IAEb,OAAO,EAAE,CACP,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,EACpC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAC7D,CAAC;AACJ,CAAC;AAED;;iDAEiD;AACjD,SAAS,SAAS,CAAC,GAGlB;IACC,OAAO,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;AAC1D,CAAC;AAED,SAAS,EAAE;IACT,OAAO,MAAM,CAAC,UAAU,EAAE,CAAC;AAC7B,CAAC;AAED,SAAS,GAAG;IACV,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC;AACpB,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,SAAS,CAA4C,KAAQ;IACpE,MAAM,KAAK,GAAG,YAAY,EAAE,CAAC;IAC7B,OAAO,GAAG,CACR,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,CAAC,EACzC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CACrD,CAAC;AACJ,CAAC;AAED,qEAAqE;AAErE,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAOtC;IACC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;QAC3C,EAAE,EAAE,EAAE,EAAE;QACR,UAAU,EAAE,iBAAiB,EAAE;QAC/B,KAAK,EAAE,YAAY,EAAE;QACrB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,IAAI;QAChC,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI;QAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,iBAAiB,EAAE;QACzC,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI;QAC1D,SAAS,EAAE,GAAG,EAAE;KACjB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAK,GAAG,EAAE;IAC7C,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,OAAO,EAAE;SACN,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;SAC1B,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;SACtC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;SAC7C,KAAK,CAAC,KAAK,CAAC,CAAC;AAClB,CAAC;AAED,qEAAqE;AAErE,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,OAAO,EAAE;SACN,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;SACzB,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;SACrC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,QAAgB,EAAE,GAAa;IAC7D,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;SACnB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;SACzB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,QAAQ,CAAC,EACpC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,CACnC,CACF;SACA,KAAK,CAAC,CAAC,CAAC,CAAC;IACZ,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,KAMC,EACD,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,QAAQ,GAAG,EAAE,EAAE,CAAC;IACtB,MAAM,KAAK,GAAG,GAAG,CAAC,UAAU,CAAC;IAE7B,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC;QAC1C,EAAE,EAAE,QAAQ;QACZ,UAAU,EAAE,KAAK;QACjB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,IAAI;QAChC,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;QACtC,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,SAAS;QACpB,SAAS,EAAE,SAAS;KACrB,CAAC,CAAC;IAEH,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,gBAAgB;QACxB,QAAQ;QACR,OAAO,EAAE,mBAAmB,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,aAAa,GAAG;QAClE,QAAQ,EAAE,EAAE,aAAa,EAAE,KAAK,CAAC,aAAa,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE;KAC3E,CAAC,CAAC;IAEH,MAAM,WAAW,CAAC;QAChB,MAAM,EAAE,sBAAsB;QAC9B,UAAU,EAAE,cAAc;QAC1B,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,yBAAyB,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,aAAa,GAAG;KACzE,CAAC,CAAC;IAEH,OAAO,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,KAAa,EACb,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAChD,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAEnD,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;SAC3B,GAAG,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC;SAChC,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,QAAQ,CAAC,EACpC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,CACnC,CACF,CAAC;IAEJ,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,gBAAgB;QACxB,QAAQ;QACR,OAAO,EAAE,6BAA6B,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,aAAa,GAAG;KACnF,CAAC,CAAC;IAEH,OAAO,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAChD,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAEnD,iCAAiC;IACjC,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC9C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,KAAK,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,WAAW,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;SAC3B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,QAAQ,CAAC,EACpC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,CACnC,CACF,CAAC;IAEJ,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,gBAAgB;QACxB,QAAQ;QACR,OAAO,EAAE,mBAAmB,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,aAAa,GAAG;KACzE,CAAC,CAAC;IAEH,MAAM,WAAW,CAAC;QAChB,MAAM,EAAE,sBAAsB;QAC9B,UAAU,EAAE,cAAc;QAC1B,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,yBAAyB,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,aAAa,GAAG;KAC/E,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,oEAAoE;AAEpE,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAGhC;IACC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,UAAU,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;IACnD,IAAI,MAAM,EAAE,QAAQ,EAAE,CAAC;QACrB,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAQ,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,MAAM,EAAE,KAAK,EAAE,CAAC;QAClB,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAQ,CAAC,CAAC;IACrE,CAAC;IACD,OAAO,EAAE;SACN,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;SACzB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,OAAe,EACf,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;SACnB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,EAClC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,CAClC,CACF;SACA,KAAK,CAAC,CAAC,CAAC,CAAC;IACZ,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,QAAgB,EAChB,KAAa,EACb,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC9C,IAAI,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAEjD,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,OAAO,GAAG,EAAE,EAAE,CAAC;IACrB,MAAM,KAAK,GAAG,GAAG,CAAC,UAAU,CAAC;IAE7B,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;QACzC,EAAE,EAAE,OAAO;QACX,UAAU,EAAE,KAAK;QACjB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,QAAQ;QACR,KAAK;QACL,SAAS,EAAE,KAAK;QAChB,MAAM,EAAE,QAAQ;QAChB,QAAQ,EAAE,IAAI;QACd,SAAS,EAAE,SAAS;QACpB,SAAS,EAAE,SAAS;KACrB,CAAC,CAAC;IAEH,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,eAAe;QACvB,QAAQ;QACR,KAAK;QACL,OAAO,EAAE,YAAY,MAAM,CAAC,IAAI,MAAM,MAAM,CAAC,aAAa,QAAQ,KAAK,EAAE;QACzE,QAAQ,EAAE,EAAE,OAAO,EAAE;KACtB,CAAC,CAAC;IAEH,MAAM,WAAW,CAAC;QAChB,MAAM,EAAE,qBAAqB;QAC7B,UAAU,EAAE,aAAa;QACzB,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,yBAAyB,MAAM,CAAC,IAAI,QAAQ,KAAK,EAAE;KAC7D,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,SAAmB,EACnB,KAAa,EACb,MAAgB,eAAe,EAAE;IAEjC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;IACvD,MAAM,cAAc,GAAG,CAAC,MAAM,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,MAAM,CACzD,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,QAAQ,CACrC,CAAC;IACF,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAC/B,cAAc,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAC9C,CAAC;IACF,MAAM,OAAO,GAAG,EAAE,CAAC;IACnB,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,QAAQ,IAAI,eAAe,EAAE,CAAC;QACvC,IAAI,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACvB,SAAS;QACX,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QACtD,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACpB,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AACrC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAe,EACf,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAC3C,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAE/C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAEpD,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;SAC1B,GAAG,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC;SAC5C,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,EAClC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,CAClC,CACF,CAAC;IAEJ,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,eAAe;QACvB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,OAAO,EAAE,WAAW,MAAM,EAAE,aAAa,IAAI,KAAK,CAAC,QAAQ,SAAS,KAAK,CAAC,KAAK,EAAE;QACjF,QAAQ,EAAE,EAAE,OAAO,EAAE;KACtB,CAAC,CAAC;IAEH,MAAM,WAAW,CAAC;QAChB,MAAM,EAAE,qBAAqB;QAC7B,UAAU,EAAE,aAAa;QACzB,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,yBAAyB,MAAM,EAAE,IAAI,IAAI,KAAK,CAAC,QAAQ,UAAU,KAAK,CAAC,KAAK,EAAE;KACxF,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,kEAAkE;AAElE,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAa,EACb,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;IAChD,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;IACjD,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,KAAK,+BAA+B,CAAC,CAAC;IAE1E,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3C,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;IACjE,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACxC,CAAC;IAED,uCAAuC;IACvC,MAAM,IAAI,GAA0C,EAAE,CAAC;IACvD,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACpD,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,aAAa,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACxC,CAAC;IAED,sCAAsC;IACtC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,KAAK,CAAC,GAAG,yBAAyB,EAAE;QAC7D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC;KAC/B,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,qBAAqB,KAAK,KAAK,GAAG,EAAE,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAChC,MAAM,UAAU,GAAa,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;IAChD,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IAExB,0DAA0D;IAC1D,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACpD,IAAI,MAAM,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;YACxD,MAAM,EAAE;iBACL,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;iBAC1B,GAAG,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;iBAClD,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,eAAe;QACvB,KAAK;QACL,OAAO,EAAE,UAAU,UAAU,CAAC,MAAM,iBAAiB,KAAK,KAAK,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;QACtF,QAAQ,EAAE,EAAE,UAAU,EAAE;KACzB,CAAC,CAAC;IAEH,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AAChE,CAAC;AAED,sEAAsE;AAEtE,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAA4B;IAC7D,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,UAAU,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC;IACrD,IAAI,MAAM,EAAE,MAAM,EAAE,CAAC;QACnB,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAQ,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,EAAE;SACN,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;SAC1B,KAAK,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;SACzB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,SAAiB,EACjB,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;SACnB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;SAC1B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,CAAC,EACtC,QAAQ,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,CACpC,CACF;SACA,KAAK,CAAC,CAAC,CAAC,CAAC;IACZ,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAInC;IACC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,SAAS,GAAG,EAAE,EAAE,CAAC;IACvB,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAElC,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;QAC3C,EAAE,EAAE,SAAS;QACb,UAAU,EAAE,KAAK;QACjB,KAAK,EAAE,YAAY,EAAE;QACrB,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;QAC5B,WAAW,EAAE,KAAK;QAClB,MAAM,EAAE,SAAS;QACjB,UAAU,EAAE,IAAI;QAChB,UAAU,EAAE,IAAI;QAChB,SAAS,EAAE,SAAS;QACpB,SAAS,EAAE,SAAS;KACrB,CAAC,CAAC;IAEH,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,iBAAiB;QACzB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,OAAO,EAAE,GAAG,KAAK,cAAc,KAAK,CAAC,aAAa,QAAQ,KAAK,CAAC,KAAK,EAAE;QACvE,QAAQ,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE;KAC9C,CAAC,CAAC;IAEH,MAAM,qBAAqB,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAE9C,OAAO,UAAU,CAAC,SAAS,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAiB,EACjB,WAAmB,EACnB,UAAmB,EACnB,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACjD,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACnD,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC;IAEhC,qDAAqD;IACrD,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC;SAC5B,GAAG,CAAC;QACH,MAAM,EAAE,UAAU;QAClB,UAAU,EAAE,QAAQ;QACpB,UAAU,EAAE,SAAS;QACrB,SAAS,EAAE,SAAS;KACrB,CAAC;SACD,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,CAAC,EACtC,QAAQ,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,CACpC,CACF,CAAC;IAEJ,uEAAuE;IACvE,0EAA0E;IAC1E,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;IAEtC,uEAAuE;IACvE,MAAM,eAAe,GAAG,MAAM,EAAE;SAC7B,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;SACzB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,aAAa,CAAC,EAC5D,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,UAAU,CAAC,CAC1C,CACF,CAAC;IACJ,IAAI,MAAM,GAAG,eAAe,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAExC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,MAAM,YAAY,CACzB;YACE,aAAa,EAAE,OAAO,CAAC,aAAa;YACpC,KAAK,EAAE,WAAW;YAClB,IAAI,EAAE,UAAU,IAAI,OAAO,CAAC,aAAa;SAC1C,EACD,UAAU,CACX,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,oDAAoD;QACpD,MAAM,WAAW,CAAC,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,kBAAkB;QAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,OAAO,EAAE,YAAY,OAAO,CAAC,aAAa,QAAQ,OAAO,CAAC,KAAK,kBAAkB,OAAO,CAAC,WAAW,GAAG;QACvG,QAAQ,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE;KAClC,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,SAAiB,EACjB,MAAsB,EACtB,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACjD,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACnD,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC;IAEhC,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC;SAC5B,GAAG,CAAC;QACH,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE,QAAQ;QACpB,UAAU,EAAE,SAAS;QACrB,SAAS,EAAE,SAAS;KACrB,CAAC;SACD,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,CAAC,EACtC,QAAQ,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,CACpC,CACF,CAAC;IAEJ,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,gBAAgB;QACxB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,OAAO,EAAE,UAAU,OAAO,CAAC,aAAa,QAAQ,OAAO,CAAC,KAAK,kBAAkB,OAAO,CAAC,WAAW,GAAG;QACrG,QAAQ,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE;KAC1C,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AACpC,CAAC;AAsBD,MAAM,CAAC,KAAK,UAAU,uBAAuB;IAC3C,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,MAAM,WAAW,EAAE,CAAC;IAEpC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAEtE,MAAM,OAAO,GAAsB,EAAE,CAAC;IAEtC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,KAAK,CAAC,GAAG,2BAA2B,EAAE;gBAC/D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;aAClC,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,OAAO,CAAC,IAAI,CAAC;oBACX,KAAK,EAAE,KAAK,CAAC,EAAE;oBACf,OAAO,EAAE,KAAK,CAAC,IAAI;oBACnB,GAAG,EAAE,KAAK,CAAC,GAAG;oBACd,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,YAAY,EAAE,EAAE;oBAChB,SAAS,EAAE,KAAK;iBACjB,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,MAAM,SAAS,GAKV,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAEtB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAC7B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,EAAE,IAAI,CAAC,CAAC,MAAM,KAAK,QAAQ,CACrD,CAAC;YACF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;YAEnE,MAAM,YAAY,GAAuB,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;gBAC7D,MAAM,cAAc,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAChD,OAAO;oBACL,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,KAAK,EAAE,GAAG,CAAC,KAAK;oBAChB,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,UAAU,EAAE,GAAG,CAAC,UAAU;oBAC1B,YAAY,EACV,CAAC,CAAC,cAAc,IAAI,gBAAgB,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;oBAC7D,aAAa,EAAE,cAAc,EAAE,EAAE;iBAClC,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK,EAAE,KAAK,CAAC,EAAE;gBACf,OAAO,EAAE,KAAK,CAAC,IAAI;gBACnB,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,YAAY;gBACZ,SAAS,EAAE,IAAI;aAChB,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK,EAAE,KAAK,CAAC,EAAE;gBACf,OAAO,EAAE,KAAK,CAAC,IAAI;gBACnB,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,YAAY,EAAE,EAAE;gBAChB,SAAS,EAAE,KAAK;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,oEAAoE;AAEpE,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACpD,WAAW,EAAE;QACb,UAAU,EAAE;QACZ,YAAY,EAAE;KACf,CAAC,CAAC;IAEH,OAAO;QACL,WAAW,EAAE,OAAO,CAAC,MAAM;QAC3B,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,MAAM;QACpE,mBAAmB,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;KAC3E,CAAC;AACJ,CAAC;AAED,oEAAoE;AAEpE,KAAK,UAAU,qBAAqB,CAClC,SAAiB,EACjB,KAAuE;IAEvE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC7C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;IACnC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO;IAExC,oEAAoE;IACpE,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,MAAM,iBAAiB,EAAE,CAAC;IACzC,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IAE/C,MAAM,IAAI,GAAG;QACX,mBAAmB,KAAK,CAAC,aAAa,QAAQ,KAAK,CAAC,KAAK,EAAE;QAC3D,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE;QAC7C,iBAAiB,iBAAiB,EAAE,EAAE;QACtC,EAAE;QACF,mBAAmB,MAAM,QAAQ;KAClC;SACE,MAAM,CAAC,OAAO,CAAC;SACf,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,MAAM,KAAK,CAAC,uCAAuC,EAAE;QACnD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,MAAM,EAAE;YACjC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,gBAAgB,EAAE;gBAChB;oBACE,EAAE,EAAE,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;oBACrD,OAAO,EAAE,kBAAkB,KAAK,CAAC,aAAa,QAAQ,KAAK,CAAC,KAAK,EAAE;iBACpE;aACF;YACD,IAAI,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;YACrB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;YAC9C,WAAW,EAAE,EAAE,SAAS,EAAE;SAC3B,CAAC;KACH,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;AACrB,CAAC","sourcesContent":["import crypto from \"node:crypto\";\nimport { and, desc, eq, isNull, or } from \"drizzle-orm\";\nimport { discoverAgents } from \"@agent-native/core/server/agent-discovery\";\nimport { getDb, schema } from \"../../db/index.js\";\nimport {\n  currentOwnerEmail,\n  currentOrgId,\n  recordAudit,\n} from \"./dispatch-store.js\";\n\n/**\n * Caller-supplied access context for vault operations.\n *\n * Every getSecret / updateSecret / deleteSecret / createGrant call must\n * pass the ctx of the *current request* so the row is scoped to that\n * caller's tenant. Looking up a vault secret by id alone is unsafe — UUIDs\n * are not authorization. A row matches the ctx if either the caller owns\n * it or it lives in the caller's active org.\n */\nexport interface VaultCtx {\n  ownerEmail: string;\n  orgId: string | null;\n}\n\n/**\n * Build a VaultCtx from the current request. Throws if the request is\n * unauthenticated — the previous behavior of falling back to \"local@localhost\"\n * leaked rows across tenants when a misconfigured environment skipped auth.\n */\nexport function requireVaultCtx(): VaultCtx {\n  const ownerEmail = currentOwnerEmail();\n  if (!ownerEmail) {\n    throw new Error(\"Vault operation requires an authenticated user\");\n  }\n  return { ownerEmail, orgId: currentOrgId() };\n}\n\n/** WHERE clause that limits a vault row to the caller's ownership scope. */\nfunction ctxScope<T extends { ownerEmail: any; orgId: any }>(\n  table: T,\n  ctx: VaultCtx,\n) {\n  return or(\n    eq(table.ownerEmail, ctx.ownerEmail),\n    ctx.orgId ? eq(table.orgId, ctx.orgId) : isNull(table.orgId),\n  );\n}\n\n/** Build a ctx that scopes to a specific row's owner/org (used when a\n * request approver acts on behalf of the original requester so the\n * created secret lands in the request's org). */\nfunction ctxForRow(row: {\n  ownerEmail: string;\n  orgId: string | null;\n}): VaultCtx {\n  return { ownerEmail: row.ownerEmail, orgId: row.orgId };\n}\n\nfunction id() {\n  return crypto.randomUUID();\n}\n\nfunction now() {\n  return Date.now();\n}\n\nfunction safeJson(value: unknown) {\n  return JSON.stringify(value ?? null);\n}\n\nfunction orgFilter<T extends { ownerEmail: any; orgId: any }>(table: T) {\n  const orgId = currentOrgId();\n  return and(\n    eq(table.ownerEmail, currentOwnerEmail()),\n    orgId ? eq(table.orgId, orgId) : isNull(table.orgId),\n  );\n}\n\n// ─── Vault Audit ──────────────────────────────────────────────────\n\nexport async function recordVaultAudit(input: {\n  action: string;\n  secretId?: string | null;\n  appId?: string | null;\n  summary: string;\n  metadata?: unknown;\n  actor?: string;\n}) {\n  const db = getDb();\n  await db.insert(schema.vaultAuditLog).values({\n    id: id(),\n    ownerEmail: currentOwnerEmail(),\n    orgId: currentOrgId(),\n    secretId: input.secretId || null,\n    appId: input.appId || null,\n    action: input.action,\n    actor: input.actor || currentOwnerEmail(),\n    summary: input.summary,\n    metadata: input.metadata ? safeJson(input.metadata) : null,\n    createdAt: now(),\n  });\n}\n\nexport async function listVaultAudit(limit = 50) {\n  const db = getDb();\n  return db\n    .select()\n    .from(schema.vaultAuditLog)\n    .where(orgFilter(schema.vaultAuditLog))\n    .orderBy(desc(schema.vaultAuditLog.createdAt))\n    .limit(limit);\n}\n\n// ─── Secrets ──────────────────────────────────────────────────────\n\nexport async function listSecrets() {\n  const db = getDb();\n  return db\n    .select()\n    .from(schema.vaultSecrets)\n    .where(orgFilter(schema.vaultSecrets))\n    .orderBy(desc(schema.vaultSecrets.updatedAt));\n}\n\nexport async function getSecret(secretId: string, ctx: VaultCtx) {\n  const db = getDb();\n  const [row] = await db\n    .select()\n    .from(schema.vaultSecrets)\n    .where(\n      and(\n        eq(schema.vaultSecrets.id, secretId),\n        ctxScope(schema.vaultSecrets, ctx),\n      ),\n    )\n    .limit(1);\n  return row ?? null;\n}\n\nexport async function createSecret(\n  input: {\n    credentialKey: string;\n    value: string;\n    name: string;\n    provider?: string | null;\n    description?: string | null;\n  },\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const timestamp = now();\n  const secretId = id();\n  const actor = ctx.ownerEmail;\n\n  await db.insert(schema.vaultSecrets).values({\n    id: secretId,\n    ownerEmail: actor,\n    orgId: ctx.orgId,\n    name: input.name,\n    credentialKey: input.credentialKey,\n    value: input.value,\n    provider: input.provider || null,\n    description: input.description || null,\n    createdBy: actor,\n    createdAt: timestamp,\n    updatedAt: timestamp,\n  });\n\n  await recordVaultAudit({\n    action: \"secret.created\",\n    secretId,\n    summary: `Created secret \"${input.name}\" (${input.credentialKey})`,\n    metadata: { credentialKey: input.credentialKey, provider: input.provider },\n  });\n\n  await recordAudit({\n    action: \"vault.secret.created\",\n    targetType: \"vault-secret\",\n    targetId: secretId,\n    summary: `Created vault secret \"${input.name}\" (${input.credentialKey})`,\n  });\n\n  return getSecret(secretId, ctx);\n}\n\nexport async function updateSecret(\n  secretId: string,\n  value: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const existing = await getSecret(secretId, ctx);\n  if (!existing) throw new Error(\"Secret not found\");\n\n  await db\n    .update(schema.vaultSecrets)\n    .set({ value, updatedAt: now() })\n    .where(\n      and(\n        eq(schema.vaultSecrets.id, secretId),\n        ctxScope(schema.vaultSecrets, ctx),\n      ),\n    );\n\n  await recordVaultAudit({\n    action: \"secret.updated\",\n    secretId,\n    summary: `Updated value for secret \"${existing.name}\" (${existing.credentialKey})`,\n  });\n\n  return getSecret(secretId, ctx);\n}\n\nexport async function deleteSecret(\n  secretId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const existing = await getSecret(secretId, ctx);\n  if (!existing) throw new Error(\"Secret not found\");\n\n  // Revoke all active grants first\n  const grants = await listGrants({ secretId });\n  for (const grant of grants) {\n    if (grant.status === \"active\") {\n      await revokeGrant(grant.id, ctx);\n    }\n  }\n\n  await db\n    .delete(schema.vaultSecrets)\n    .where(\n      and(\n        eq(schema.vaultSecrets.id, secretId),\n        ctxScope(schema.vaultSecrets, ctx),\n      ),\n    );\n\n  await recordVaultAudit({\n    action: \"secret.deleted\",\n    secretId,\n    summary: `Deleted secret \"${existing.name}\" (${existing.credentialKey})`,\n  });\n\n  await recordAudit({\n    action: \"vault.secret.deleted\",\n    targetType: \"vault-secret\",\n    targetId: secretId,\n    summary: `Deleted vault secret \"${existing.name}\" (${existing.credentialKey})`,\n  });\n\n  return existing;\n}\n\n// ─── Grants ──────────────────────────────────────────────────────\n\nexport async function listGrants(filter?: {\n  secretId?: string;\n  appId?: string;\n}) {\n  const db = getDb();\n  const conditions = [orgFilter(schema.vaultGrants)];\n  if (filter?.secretId) {\n    conditions.push(eq(schema.vaultGrants.secretId, filter.secretId) as any);\n  }\n  if (filter?.appId) {\n    conditions.push(eq(schema.vaultGrants.appId, filter.appId) as any);\n  }\n  return db\n    .select()\n    .from(schema.vaultGrants)\n    .where(and(...conditions))\n    .orderBy(desc(schema.vaultGrants.updatedAt));\n}\n\nexport async function getGrant(\n  grantId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const [row] = await db\n    .select()\n    .from(schema.vaultGrants)\n    .where(\n      and(\n        eq(schema.vaultGrants.id, grantId),\n        ctxScope(schema.vaultGrants, ctx),\n      ),\n    )\n    .limit(1);\n  return row ?? null;\n}\n\nexport async function createGrant(\n  secretId: string,\n  appId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const secret = await getSecret(secretId, ctx);\n  if (!secret) throw new Error(\"Secret not found\");\n\n  const timestamp = now();\n  const grantId = id();\n  const actor = ctx.ownerEmail;\n\n  await db.insert(schema.vaultGrants).values({\n    id: grantId,\n    ownerEmail: actor,\n    orgId: ctx.orgId,\n    secretId,\n    appId,\n    grantedBy: actor,\n    status: \"active\",\n    syncedAt: null,\n    createdAt: timestamp,\n    updatedAt: timestamp,\n  });\n\n  await recordVaultAudit({\n    action: \"grant.created\",\n    secretId,\n    appId,\n    summary: `Granted \"${secret.name}\" (${secret.credentialKey}) to ${appId}`,\n    metadata: { grantId },\n  });\n\n  await recordAudit({\n    action: \"vault.grant.created\",\n    targetType: \"vault-grant\",\n    targetId: grantId,\n    summary: `Granted vault secret \"${secret.name}\" to ${appId}`,\n  });\n\n  return getGrant(grantId);\n}\n\nexport async function grantSecretsToApp(\n  secretIds: string[],\n  appId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const uniqueSecretIds = Array.from(new Set(secretIds));\n  const existingActive = (await listGrants({ appId })).filter(\n    (grant) => grant.status === \"active\",\n  );\n  const existingSecretIds = new Set(\n    existingActive.map((grant) => grant.secretId),\n  );\n  const created = [];\n  const skipped: string[] = [];\n\n  for (const secretId of uniqueSecretIds) {\n    if (existingSecretIds.has(secretId)) {\n      skipped.push(secretId);\n      continue;\n    }\n    const grant = await createGrant(secretId, appId, ctx);\n    if (grant) {\n      created.push(grant);\n      existingSecretIds.add(secretId);\n    }\n  }\n\n  return { appId, created, skipped };\n}\n\nexport async function revokeGrant(\n  grantId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const grant = await getGrant(grantId, ctx);\n  if (!grant) throw new Error(\"Grant not found\");\n\n  const secret = await getSecret(grant.secretId, ctx);\n\n  await db\n    .update(schema.vaultGrants)\n    .set({ status: \"revoked\", updatedAt: now() })\n    .where(\n      and(\n        eq(schema.vaultGrants.id, grantId),\n        ctxScope(schema.vaultGrants, ctx),\n      ),\n    );\n\n  await recordVaultAudit({\n    action: \"grant.revoked\",\n    secretId: grant.secretId,\n    appId: grant.appId,\n    summary: `Revoked ${secret?.credentialKey || grant.secretId} from ${grant.appId}`,\n    metadata: { grantId },\n  });\n\n  await recordAudit({\n    action: \"vault.grant.revoked\",\n    targetType: \"vault-grant\",\n    targetId: grantId,\n    summary: `Revoked vault secret \"${secret?.name || grant.secretId}\" from ${grant.appId}`,\n  });\n\n  return getGrant(grantId, ctx);\n}\n\n// ─── Sync ──────────────────────────────────────────────────────\n\nexport async function syncGrantsToApp(\n  appId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const agents = await discoverAgents(\"dispatch\");\n  const agent = agents.find((a) => a.id === appId);\n  if (!agent) throw new Error(`App \"${appId}\" not found in agent registry`);\n\n  const grants = await listGrants({ appId });\n  const activeGrants = grants.filter((g) => g.status === \"active\");\n  if (activeGrants.length === 0) {\n    return { appId, synced: 0, keys: [] };\n  }\n\n  // Resolve secret values for each grant\n  const vars: Array<{ key: string; value: string }> = [];\n  for (const grant of activeGrants) {\n    const secret = await getSecret(grant.secretId, ctx);\n    if (secret) {\n      vars.push({ key: secret.credentialKey, value: secret.value });\n    }\n  }\n\n  if (vars.length === 0) {\n    return { appId, synced: 0, keys: [] };\n  }\n\n  // Push to the app's env-vars endpoint\n  const res = await fetch(`${agent.url}/_agent-native/env-vars`, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\" },\n    body: JSON.stringify({ vars }),\n  });\n\n  if (!res.ok) {\n    const err = await res.text().catch(() => \"Unknown error\");\n    throw new Error(`Failed to sync to ${appId}: ${err}`);\n  }\n\n  const result = await res.json();\n  const syncedKeys: string[] = result.saved || [];\n  const timestamp = now();\n\n  // Update syncedAt on grants that were successfully pushed\n  for (const grant of activeGrants) {\n    const secret = await getSecret(grant.secretId, ctx);\n    if (secret && syncedKeys.includes(secret.credentialKey)) {\n      await db\n        .update(schema.vaultGrants)\n        .set({ syncedAt: timestamp, updatedAt: timestamp })\n        .where(eq(schema.vaultGrants.id, grant.id));\n    }\n  }\n\n  await recordVaultAudit({\n    action: \"secret.synced\",\n    appId,\n    summary: `Synced ${syncedKeys.length} secret(s) to ${appId}: ${syncedKeys.join(\", \")}`,\n    metadata: { syncedKeys },\n  });\n\n  return { appId, synced: syncedKeys.length, keys: syncedKeys };\n}\n\n// ─── Requests ──────────────────────────────────────────────────────\n\nexport async function listRequests(filter?: { status?: string }) {\n  const db = getDb();\n  const conditions = [orgFilter(schema.vaultRequests)];\n  if (filter?.status) {\n    conditions.push(eq(schema.vaultRequests.status, filter.status) as any);\n  }\n  return db\n    .select()\n    .from(schema.vaultRequests)\n    .where(and(...conditions))\n    .orderBy(desc(schema.vaultRequests.updatedAt));\n}\n\nexport async function getRequest(\n  requestId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const [row] = await db\n    .select()\n    .from(schema.vaultRequests)\n    .where(\n      and(\n        eq(schema.vaultRequests.id, requestId),\n        ctxScope(schema.vaultRequests, ctx),\n      ),\n    )\n    .limit(1);\n  return row ?? null;\n}\n\nexport async function createRequest(input: {\n  credentialKey: string;\n  appId: string;\n  reason?: string | null;\n}) {\n  const db = getDb();\n  const timestamp = now();\n  const requestId = id();\n  const actor = currentOwnerEmail();\n\n  await db.insert(schema.vaultRequests).values({\n    id: requestId,\n    ownerEmail: actor,\n    orgId: currentOrgId(),\n    credentialKey: input.credentialKey,\n    appId: input.appId,\n    reason: input.reason || null,\n    requestedBy: actor,\n    status: \"pending\",\n    reviewedBy: null,\n    reviewedAt: null,\n    createdAt: timestamp,\n    updatedAt: timestamp,\n  });\n\n  await recordVaultAudit({\n    action: \"request.created\",\n    appId: input.appId,\n    summary: `${actor} requested ${input.credentialKey} for ${input.appId}`,\n    metadata: { requestId, reason: input.reason },\n  });\n\n  await notifyAdminsOfRequest(requestId, input);\n\n  return getRequest(requestId);\n}\n\nexport async function approveRequest(\n  requestId: string,\n  secretValue: string,\n  secretName?: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const request = await getRequest(requestId, ctx);\n  if (!request) throw new Error(\"Request not found\");\n  if (request.status !== \"pending\") {\n    throw new Error(\"Only pending requests can be approved\");\n  }\n\n  const timestamp = now();\n  const reviewer = ctx.ownerEmail;\n\n  // Update request status — scoped to caller's tenant.\n  await db\n    .update(schema.vaultRequests)\n    .set({\n      status: \"approved\",\n      reviewedBy: reviewer,\n      reviewedAt: timestamp,\n      updatedAt: timestamp,\n    })\n    .where(\n      and(\n        eq(schema.vaultRequests.id, requestId),\n        ctxScope(schema.vaultRequests, ctx),\n      ),\n    );\n\n  // Secret + grant must land in the REQUEST's tenant, not the approver's\n  // (the approver may be acting on behalf of another user in the same org).\n  const requestCtx = ctxForRow(request);\n\n  // Check if secret already exists in the request's tenant for this key.\n  const existingSecrets = await db\n    .select()\n    .from(schema.vaultSecrets)\n    .where(\n      and(\n        eq(schema.vaultSecrets.credentialKey, request.credentialKey),\n        ctxScope(schema.vaultSecrets, requestCtx),\n      ),\n    );\n  let secret = existingSecrets[0] ?? null;\n\n  if (!secret) {\n    secret = await createSecret(\n      {\n        credentialKey: request.credentialKey,\n        value: secretValue,\n        name: secretName || request.credentialKey,\n      },\n      requestCtx,\n    );\n  }\n\n  if (secret) {\n    // Create the grant in the request's tenant as well.\n    await createGrant(secret.id, request.appId, requestCtx);\n  }\n\n  await recordVaultAudit({\n    action: \"request.approved\",\n    appId: request.appId,\n    summary: `Approved ${request.credentialKey} for ${request.appId} (requested by ${request.requestedBy})`,\n    metadata: { requestId, reviewer },\n  });\n\n  return getRequest(requestId, ctx);\n}\n\nexport async function denyRequest(\n  requestId: string,\n  reason?: string | null,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const request = await getRequest(requestId, ctx);\n  if (!request) throw new Error(\"Request not found\");\n  if (request.status !== \"pending\") {\n    throw new Error(\"Only pending requests can be denied\");\n  }\n\n  const timestamp = now();\n  const reviewer = ctx.ownerEmail;\n\n  await db\n    .update(schema.vaultRequests)\n    .set({\n      status: \"denied\",\n      reviewedBy: reviewer,\n      reviewedAt: timestamp,\n      updatedAt: timestamp,\n    })\n    .where(\n      and(\n        eq(schema.vaultRequests.id, requestId),\n        ctxScope(schema.vaultRequests, ctx),\n      ),\n    );\n\n  await recordVaultAudit({\n    action: \"request.denied\",\n    appId: request.appId,\n    summary: `Denied ${request.credentialKey} for ${request.appId} (requested by ${request.requestedBy})`,\n    metadata: { requestId, reviewer, reason },\n  });\n\n  return getRequest(requestId, ctx);\n}\n\n// ─── Integrations Catalog ────────────────────────────────────────\n\nexport interface IntegrationEntry {\n  key: string;\n  label: string;\n  required: boolean;\n  configured: boolean;\n  vaultGranted: boolean;\n  vaultSecretId?: string;\n}\n\nexport interface AppIntegrations {\n  appId: string;\n  appName: string;\n  url: string;\n  color: string;\n  integrations: IntegrationEntry[];\n  reachable: boolean;\n}\n\nexport async function listIntegrationsCatalog(): Promise<AppIntegrations[]> {\n  const agents = await discoverAgents(\"dispatch\");\n  const grants = await listGrants();\n  const secrets = await listSecrets();\n\n  const secretByKey = new Map(secrets.map((s) => [s.credentialKey, s]));\n\n  const results: AppIntegrations[] = [];\n\n  for (const agent of agents) {\n    try {\n      const res = await fetch(`${agent.url}/_agent-native/env-status`, {\n        signal: AbortSignal.timeout(3000),\n      });\n      if (!res.ok) {\n        results.push({\n          appId: agent.id,\n          appName: agent.name,\n          url: agent.url,\n          color: agent.color,\n          integrations: [],\n          reachable: false,\n        });\n        continue;\n      }\n\n      const envStatus: Array<{\n        key: string;\n        label: string;\n        required: boolean;\n        configured: boolean;\n      }> = await res.json();\n\n      const appGrants = grants.filter(\n        (g) => g.appId === agent.id && g.status === \"active\",\n      );\n      const grantedSecretIds = new Set(appGrants.map((g) => g.secretId));\n\n      const integrations: IntegrationEntry[] = envStatus.map((env) => {\n        const matchingSecret = secretByKey.get(env.key);\n        return {\n          key: env.key,\n          label: env.label,\n          required: env.required,\n          configured: env.configured,\n          vaultGranted:\n            !!matchingSecret && grantedSecretIds.has(matchingSecret.id),\n          vaultSecretId: matchingSecret?.id,\n        };\n      });\n\n      results.push({\n        appId: agent.id,\n        appName: agent.name,\n        url: agent.url,\n        color: agent.color,\n        integrations,\n        reachable: true,\n      });\n    } catch {\n      results.push({\n        appId: agent.id,\n        appName: agent.name,\n        url: agent.url,\n        color: agent.color,\n        integrations: [],\n        reachable: false,\n      });\n    }\n  }\n\n  return results;\n}\n\n// ─── Vault Overview (for dashboard) ──────────────────────────────\n\nexport async function listVaultOverview() {\n  const [secrets, grants, requests] = await Promise.all([\n    listSecrets(),\n    listGrants(),\n    listRequests(),\n  ]);\n\n  return {\n    secretCount: secrets.length,\n    activeGrantCount: grants.filter((g) => g.status === \"active\").length,\n    pendingRequestCount: requests.filter((r) => r.status === \"pending\").length,\n  };\n}\n\n// ─── SendGrid Notifications ──────────────────────────────────────\n\nasync function notifyAdminsOfRequest(\n  requestId: string,\n  input: { credentialKey: string; appId: string; reason?: string | null },\n) {\n  const apiKey = process.env.SENDGRID_API_KEY;\n  const from = process.env.SENDGRID_FROM_EMAIL;\n  const appUrl = process.env.APP_URL;\n  if (!apiKey || !from || !appUrl) return;\n\n  // Use approval policy approver emails as admin notification targets\n  const { getApprovalPolicy } = await import(\"./dispatch-store.js\");\n  const policy = await getApprovalPolicy();\n  if (policy.approverEmails.length === 0) return;\n\n  const body = [\n    `Secret request: ${input.credentialKey} for ${input.appId}`,\n    input.reason ? `Reason: ${input.reason}` : \"\",\n    `Requested by: ${currentOwnerEmail()}`,\n    \"\",\n    `Review it here: ${appUrl}/vault`,\n  ]\n    .filter(Boolean)\n    .join(\"\\n\");\n\n  await fetch(\"https://api.sendgrid.com/v3/mail/send\", {\n    method: \"POST\",\n    headers: {\n      Authorization: `Bearer ${apiKey}`,\n      \"Content-Type\": \"application/json\",\n    },\n    body: JSON.stringify({\n      personalizations: [\n        {\n          to: policy.approverEmails.map((email) => ({ email })),\n          subject: `Vault request: ${input.credentialKey} for ${input.appId}`,\n        },\n      ],\n      from: { email: from },\n      content: [{ type: \"text/plain\", value: body }],\n      custom_args: { requestId },\n    }),\n  }).catch(() => {});\n}\n"]}
+{"version":3,"file":"vault-store.js","sourceRoot":"","sources":["../../../src/server/lib/vault-store.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,2CAA2C,CAAC;AAC3E,OAAO,EAAE,cAAc,EAAoB,MAAM,4BAA4B,CAAC;AAC9E,OAAO,EACL,aAAa,EACb,cAAc,EACd,aAAa,EACb,cAAc,GACf,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,WAAW,GACZ,MAAM,qBAAqB,CAAC;AAE7B,MAAM,yBAAyB,GAAG,gCAAgC,CAAC;AAwBnE;;;;GAIG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,UAAU,GAAG,iBAAiB,EAAE,CAAC;IACvC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,CAAC;AAC/C,CAAC;AAED,4EAA4E;AAC5E,SAAS,QAAQ,CACf,KAAQ,EACR,GAAa;IAEb,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;QACf,OAAO,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;AAC9E,CAAC;AAED;;iDAEiD;AACjD,SAAS,SAAS,CAAC,GAGlB;IACC,OAAO,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;AAC1D,CAAC;AAED,SAAS,EAAE;IACT,OAAO,MAAM,CAAC,UAAU,EAAE,CAAC;AAC7B,CAAC;AAED,SAAS,GAAG;IACV,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC;AACpB,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,YAAY,CAA4C,KAAQ;IACvE,OAAO,QAAQ,CAAC,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAa;IAC3C,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;AACtB,CAAC;AAED,SAAS,gBAAgB;IACvB,MAAM,KAAK,GAAG,YAAY,EAAE,CAAC;IAC7B,IAAI,KAAK;QAAE,OAAO,EAAE,KAAK,EAAE,KAAc,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC5D,OAAO,EAAE,KAAK,EAAE,MAAe,EAAE,OAAO,EAAE,iBAAiB,EAAE,EAAE,CAAC;AAClE,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAC1C,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC;AACpD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB;IAC1C,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;IACjC,MAAM,GAAG,GACP,KAAK,CAAC,KAAK,KAAK,KAAK;QACnB,CAAC,CAAC,MAAM,aAAa,CAAC,KAAK,CAAC,OAAO,EAAE,yBAAyB,CAAC;QAC/D,CAAC,CAAC,MAAM,cAAc,CAAC,KAAK,CAAC,OAAO,EAAE,yBAAyB,CAAC,CAAC;IACrE,OAAO;QACL,GAAG,KAAK;QACR,IAAI,EAAE,oBAAoB,CAAC,GAAG,EAAE,IAAI,CAAC;KACtC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,KAE5C;IACC,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;IACjC,MAAM,IAAI,GAAG,EAAE,IAAI,EAAE,oBAAoB,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;IACxD,IAAI,KAAK,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QAC1B,MAAM,aAAa,CAAC,KAAK,CAAC,OAAO,EAAE,yBAAyB,EAAE,IAAI,CAAC,CAAC;IACtE,CAAC;SAAM,CAAC;QACN,MAAM,cAAc,CAAC,KAAK,CAAC,OAAO,EAAE,yBAAyB,EAAE,IAAI,CAAC,CAAC;IACvE,CAAC;IACD,MAAM,WAAW,CAAC;QAChB,MAAM,EAAE,+BAA+B;QACvC,UAAU,EAAE,gBAAgB;QAC5B,QAAQ,EAAE,yBAAyB;QACnC,OAAO,EACL,IAAI,CAAC,IAAI,KAAK,UAAU;YACtB,CAAC,CAAC,wCAAwC;YAC1C,CAAC,CAAC,2CAA2C;QACjD,QAAQ,EAAE,IAAI;KACf,CAAC,CAAC;IACH,OAAO,sBAAsB,EAAE,CAAC;AAClC,CAAC;AAED,qEAAqE;AAErE,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAOtC;IACC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;QAC3C,EAAE,EAAE,EAAE,EAAE;QACR,UAAU,EAAE,iBAAiB,EAAE;QAC/B,KAAK,EAAE,YAAY,EAAE;QACrB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,IAAI;QAChC,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI;QAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,iBAAiB,EAAE;QACzC,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI;QAC1D,SAAS,EAAE,GAAG,EAAE;KACjB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAK,GAAG,EAAE;IAC7C,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,OAAO,EAAE;SACN,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;SAC1B,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;SACzC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;SAC7C,KAAK,CAAC,KAAK,CAAC,CAAC;AAClB,CAAC;AAED,qEAAqE;AAErE,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,OAAO,EAAE;SACN,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;SACzB,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;SACxC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,QAAgB,EAAE,GAAa;IAC7D,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;SACnB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;SACzB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,QAAQ,CAAC,EACpC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,CACnC,CACF;SACA,KAAK,CAAC,CAAC,CAAC,CAAC;IACZ,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,KAMC,EACD,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,aAAa,GAAG,sBAAsB,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IAClE,IAAI,CAAC,aAAa;QAAE,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAClE,MAAM,QAAQ,GAAG,MAAM,EAAE;SACtB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;SACzB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,aAAa,EAAE,aAAa,CAAC,EACpD,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,CACnC,CACF;SACA,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;SAC5C,KAAK,CAAC,CAAC,CAAC,CAAC;IAEZ,IAAI,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;QAChB,MAAM,EAAE;aACL,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;aAC3B,GAAG,CAAC;YACH,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,aAAa;YACb,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,IAAI;YAChC,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;YACtC,SAAS,EAAE,SAAS;SACrB,CAAC;aACD,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,EAC1C,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,CACnC,CACF,CAAC;QAEJ,MAAM,gBAAgB,CAAC;YACrB,MAAM,EAAE,gBAAgB;YACxB,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE;YACxB,OAAO,EAAE,mBAAmB,KAAK,CAAC,IAAI,MAAM,aAAa,GAAG;YAC5D,QAAQ,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE;SACtD,CAAC,CAAC;QAEH,MAAM,WAAW,CAAC;YAChB,MAAM,EAAE,sBAAsB;YAC9B,UAAU,EAAE,cAAc;YAC1B,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE;YACxB,OAAO,EAAE,yBAAyB,KAAK,CAAC,IAAI,MAAM,aAAa,GAAG;SACnE,CAAC,CAAC;QAEH,OAAO,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,QAAQ,GAAG,EAAE,EAAE,CAAC;IACtB,MAAM,KAAK,GAAG,GAAG,CAAC,UAAU,CAAC;IAE7B,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC;QAC1C,EAAE,EAAE,QAAQ;QACZ,UAAU,EAAE,KAAK;QACjB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,aAAa;QACb,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,IAAI;QAChC,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;QACtC,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,SAAS;QACpB,SAAS,EAAE,SAAS;KACrB,CAAC,CAAC;IAEH,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,gBAAgB;QACxB,QAAQ;QACR,OAAO,EAAE,mBAAmB,KAAK,CAAC,IAAI,MAAM,aAAa,GAAG;QAC5D,QAAQ,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE;KACtD,CAAC,CAAC;IAEH,MAAM,WAAW,CAAC;QAChB,MAAM,EAAE,sBAAsB;QAC9B,UAAU,EAAE,cAAc;QAC1B,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,yBAAyB,KAAK,CAAC,IAAI,MAAM,aAAa,GAAG;KACnE,CAAC,CAAC;IAEH,OAAO,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,KAAa,EACb,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAChD,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAEnD,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;SAC3B,GAAG,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC;SAChC,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,QAAQ,CAAC,EACpC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,CACnC,CACF,CAAC;IAEJ,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,gBAAgB;QACxB,QAAQ;QACR,OAAO,EAAE,6BAA6B,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,aAAa,GAAG;KACnF,CAAC,CAAC;IAEH,OAAO,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAChD,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAEnD,iCAAiC;IACjC,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC9C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,KAAK,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,WAAW,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;SAC3B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,QAAQ,CAAC,EACpC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,CACnC,CACF,CAAC;IAEJ,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,gBAAgB;QACxB,QAAQ;QACR,OAAO,EAAE,mBAAmB,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,aAAa,GAAG;KACzE,CAAC,CAAC;IAEH,MAAM,WAAW,CAAC;QAChB,MAAM,EAAE,sBAAsB;QAC9B,UAAU,EAAE,cAAc;QAC1B,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,yBAAyB,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,aAAa,GAAG;KAC/E,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,oEAAoE;AAEpE,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAGhC;IACC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,UAAU,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;IACtD,IAAI,MAAM,EAAE,QAAQ,EAAE,CAAC;QACrB,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAQ,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,MAAM,EAAE,KAAK,EAAE,CAAC;QAClB,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAQ,CAAC,CAAC;IACrE,CAAC;IACD,OAAO,EAAE;SACN,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;SACzB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,OAAe,EACf,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;SACnB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,EAClC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,CAClC,CACF;SACA,KAAK,CAAC,CAAC,CAAC,CAAC;IACZ,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,QAAgB,EAChB,KAAa,EACb,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC9C,IAAI,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAEjD,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,OAAO,GAAG,EAAE,EAAE,CAAC;IACrB,MAAM,KAAK,GAAG,GAAG,CAAC,UAAU,CAAC;IAE7B,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;QACzC,EAAE,EAAE,OAAO;QACX,UAAU,EAAE,KAAK;QACjB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,QAAQ;QACR,KAAK;QACL,SAAS,EAAE,KAAK;QAChB,MAAM,EAAE,QAAQ;QAChB,QAAQ,EAAE,IAAI;QACd,SAAS,EAAE,SAAS;QACpB,SAAS,EAAE,SAAS;KACrB,CAAC,CAAC;IAEH,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,eAAe;QACvB,QAAQ;QACR,KAAK;QACL,OAAO,EAAE,YAAY,MAAM,CAAC,IAAI,MAAM,MAAM,CAAC,aAAa,QAAQ,KAAK,EAAE;QACzE,QAAQ,EAAE,EAAE,OAAO,EAAE;KACtB,CAAC,CAAC;IAEH,MAAM,WAAW,CAAC;QAChB,MAAM,EAAE,qBAAqB;QAC7B,UAAU,EAAE,aAAa;QACzB,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,yBAAyB,MAAM,CAAC,IAAI,QAAQ,KAAK,EAAE;KAC7D,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,SAAmB,EACnB,KAAa,EACb,MAAgB,eAAe,EAAE;IAEjC,MAAM,MAAM,GAAG,MAAM,sBAAsB,EAAE,CAAC;IAC9C,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;IACvD,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK;YACL,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,OAAO,EAAE,EAAE;YACX,OAAO,EAAE,eAAe;SACzB,CAAC;IACJ,CAAC;IACD,MAAM,cAAc,GAAG,CAAC,MAAM,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,MAAM,CACzD,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,QAAQ,CACrC,CAAC;IACF,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAC/B,cAAc,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAC9C,CAAC;IACF,MAAM,OAAO,GAAG,EAAE,CAAC;IACnB,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,QAAQ,IAAI,eAAe,EAAE,CAAC;QACvC,IAAI,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACvB,SAAS;QACX,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QACtD,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACpB,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAC9D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAe,EACf,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAC3C,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAE/C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAEpD,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;SAC1B,GAAG,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC;SAC5C,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,EAClC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,CAClC,CACF,CAAC;IAEJ,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,eAAe;QACvB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,OAAO,EAAE,WAAW,MAAM,EAAE,aAAa,IAAI,KAAK,CAAC,QAAQ,SAAS,KAAK,CAAC,KAAK,EAAE;QACjF,QAAQ,EAAE,EAAE,OAAO,EAAE;KACtB,CAAC,CAAC;IAEH,MAAM,WAAW,CAAC;QAChB,MAAM,EAAE,qBAAqB;QAC7B,UAAU,EAAE,aAAa;QACzB,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,yBAAyB,MAAM,EAAE,IAAI,IAAI,KAAK,CAAC,QAAQ,UAAU,KAAK,CAAC,KAAK,EAAE;KACxF,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AAChC,CAAC;AAMD,MAAM,UAAU,+BAA+B,CAAC,GAAa;IAI3D,IAAI,GAAG,CAAC,KAAK;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;IAC3D,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,GAAG,CAAC,UAAU,EAAE,EAAE,CAAC;AACnE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAAyB,EACzB,GAAa;IAEb,MAAM,MAAM,GAAG,+BAA+B,CAAC,GAAG,CAAC,CAAC;IACpD,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,KAAK;YAAE,SAAS;QACrD,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,MAAM,CAAC,aAAa;YACzB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,WAAW,EAAE,+BAA+B,MAAM,CAAC,IAAI,EAAE;SAC1D,CAAC,CAAC;QACH,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IACxC,CAAC;IAED,OAAO,EAAE,GAAG,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AACzC,CAAC;AAED,kEAAkE;AAElE,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAa,EACb,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,MAAM,GAAG,MAAM,sBAAsB,EAAE,CAAC;IAC9C,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;IAChD,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;IACjD,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,KAAK,+BAA+B,CAAC,CAAC;IAE1E,MAAM,aAAa,GAAqB,EAAE,CAAC;IAC3C,MAAM,YAAY,GAChB,MAAM,CAAC,IAAI,KAAK,QAAQ;QACtB,CAAC,CAAC,CAAC,MAAM,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC;QACpE,CAAC,CAAC,EAAE,CAAC;IAET,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,MAAM,WAAW,EAAE,CAAC;QACpC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;YACjC,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YACpD,IAAI,MAAM,EAAE,CAAC;gBACX,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACjE,CAAC;IAED,MAAM,mBAAmB,GAAG,MAAM,4BAA4B,CAC5D,aAAa,EACb,GAAG,CACJ,CAAC;IACF,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC1C,GAAG,EAAE,MAAM,CAAC,aAAa;QACzB,KAAK,EAAE,MAAM,CAAC,KAAK;KACpB,CAAC,CAAC,CAAC;IACJ,IAAI,UAGoC,CAAC;IAEzC,0EAA0E;IAC1E,2EAA2E;IAC3E,2EAA2E;IAC3E,uCAAuC;IACvC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,KAAK,CAAC,GAAG,yBAAyB,EAAE;YAC7D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC;SAC/B,CAAC,CAAC;QAEH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;YACX,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAChC,UAAU,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;QAC9D,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;YAC1D,UAAU,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QAClD,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,UAAU,GAAG;YACX,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACzD,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,mBAAmB,CAAC,IAAI,CAAC;IAC5C,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IAExB,wEAAwE;IACxE,wEAAwE;IACxE,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACpD,IAAI,MAAM,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;YACxD,MAAM,EAAE;iBACL,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;iBAC1B,GAAG,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;iBAClD,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,eAAe;QACvB,KAAK;QACL,OAAO,EAAE,UAAU,UAAU,CAAC,MAAM,iBAAiB,KAAK,KAAK,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;QACtF,QAAQ,EAAE;YACR,UAAU;YACV,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,eAAe,EAAE;gBACf,KAAK,EAAE,mBAAmB,CAAC,KAAK;gBAChC,OAAO,EAAE,mBAAmB,CAAC,OAAO;aACrC;YACD,OAAO,EAAE,UAAU;SACpB;KACF,CAAC,CAAC;IAEH,OAAO;QACL,KAAK;QACL,UAAU,EAAE,MAAM,CAAC,IAAI;QACvB,MAAM,EAAE,UAAU,CAAC,MAAM;QACzB,IAAI,EAAE,UAAU;QAChB,eAAe,EAAE;YACf,KAAK,EAAE,mBAAmB,CAAC,KAAK;YAChC,OAAO,EAAE,mBAAmB,CAAC,OAAO;YACpC,MAAM,EAAE,mBAAmB,CAAC,IAAI,CAAC,MAAM;SACxC;QACD,OAAO,EAAE,UAAU;KACpB,CAAC;AACJ,CAAC;AAED,sEAAsE;AAEtE,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAA4B;IAC7D,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,UAAU,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC;IACxD,IAAI,MAAM,EAAE,MAAM,EAAE,CAAC;QACnB,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAQ,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,EAAE;SACN,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;SAC1B,KAAK,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;SACzB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,SAAiB,EACjB,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE;SACnB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;SAC1B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,CAAC,EACtC,QAAQ,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,CACpC,CACF;SACA,KAAK,CAAC,CAAC,CAAC,CAAC;IACZ,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAInC;IACC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,SAAS,GAAG,EAAE,EAAE,CAAC;IACvB,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAElC,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;QAC3C,EAAE,EAAE,SAAS;QACb,UAAU,EAAE,KAAK;QACjB,KAAK,EAAE,YAAY,EAAE;QACrB,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;QAC5B,WAAW,EAAE,KAAK;QAClB,MAAM,EAAE,SAAS;QACjB,UAAU,EAAE,IAAI;QAChB,UAAU,EAAE,IAAI;QAChB,SAAS,EAAE,SAAS;QACpB,SAAS,EAAE,SAAS;KACrB,CAAC,CAAC;IAEH,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,iBAAiB;QACzB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,OAAO,EAAE,GAAG,KAAK,cAAc,KAAK,CAAC,aAAa,QAAQ,KAAK,CAAC,KAAK,EAAE;QACvE,QAAQ,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE;KAC9C,CAAC,CAAC;IAEH,MAAM,qBAAqB,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAE9C,OAAO,UAAU,CAAC,SAAS,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAiB,EACjB,WAAmB,EACnB,UAAmB,EACnB,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACjD,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACnD,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC;IAEhC,qDAAqD;IACrD,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC;SAC5B,GAAG,CAAC;QACH,MAAM,EAAE,UAAU;QAClB,UAAU,EAAE,QAAQ;QACpB,UAAU,EAAE,SAAS;QACrB,SAAS,EAAE,SAAS;KACrB,CAAC;SACD,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,CAAC,EACtC,QAAQ,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,CACpC,CACF,CAAC;IAEJ,uEAAuE;IACvE,0EAA0E;IAC1E,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;IAEtC,uEAAuE;IACvE,MAAM,eAAe,GAAG,MAAM,EAAE;SAC7B,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;SACzB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,aAAa,CAAC,EAC5D,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,UAAU,CAAC,CAC1C,CACF,CAAC;IACJ,IAAI,MAAM,GAAG,eAAe,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAExC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,MAAM,YAAY,CACzB;YACE,aAAa,EAAE,OAAO,CAAC,aAAa;YACpC,KAAK,EAAE,WAAW;YAClB,IAAI,EAAE,UAAU,IAAI,OAAO,CAAC,aAAa;SAC1C,EACD,UAAU,CACX,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,oDAAoD;QACpD,MAAM,WAAW,CAAC,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,kBAAkB;QAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,OAAO,EAAE,YAAY,OAAO,CAAC,aAAa,QAAQ,OAAO,CAAC,KAAK,kBAAkB,OAAO,CAAC,WAAW,GAAG;QACvG,QAAQ,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE;KAClC,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,SAAiB,EACjB,MAAsB,EACtB,MAAgB,eAAe,EAAE;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACjD,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACnD,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC;IACxB,MAAM,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC;IAEhC,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC;SAC5B,GAAG,CAAC;QACH,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE,QAAQ;QACpB,UAAU,EAAE,SAAS;QACrB,SAAS,EAAE,SAAS;KACrB,CAAC;SACD,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,CAAC,EACtC,QAAQ,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,CACpC,CACF,CAAC;IAEJ,MAAM,gBAAgB,CAAC;QACrB,MAAM,EAAE,gBAAgB;QACxB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,OAAO,EAAE,UAAU,OAAO,CAAC,aAAa,QAAQ,OAAO,CAAC,KAAK,kBAAkB,OAAO,CAAC,WAAW,GAAG;QACrG,QAAQ,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE;KAC1C,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AACpC,CAAC;AAuBD,MAAM,CAAC,KAAK,UAAU,uBAAuB;IAC3C,MAAM,MAAM,GAAG,MAAM,sBAAsB,EAAE,CAAC;IAC9C,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,MAAM,WAAW,EAAE,CAAC;IAEpC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAEtE,MAAM,OAAO,GAAsB,EAAE,CAAC;IAEtC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,KAAK,CAAC,GAAG,2BAA2B,EAAE;gBAC/D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;aAClC,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,OAAO,CAAC,IAAI,CAAC;oBACX,KAAK,EAAE,KAAK,CAAC,EAAE;oBACf,OAAO,EAAE,KAAK,CAAC,IAAI;oBACnB,GAAG,EAAE,KAAK,CAAC,GAAG;oBACd,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,YAAY,EAAE,EAAE;oBAChB,eAAe,EAAE,MAAM,CAAC,IAAI;oBAC5B,SAAS,EAAE,KAAK;iBACjB,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,MAAM,SAAS,GAKV,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAEtB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAC7B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,EAAE,IAAI,CAAC,CAAC,MAAM,KAAK,QAAQ,CACrD,CAAC;YACF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;YAEnE,MAAM,YAAY,GAAuB,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;gBAC7D,MAAM,cAAc,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAChD,OAAO;oBACL,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,KAAK,EAAE,GAAG,CAAC,KAAK;oBAChB,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,UAAU,EAAE,GAAG,CAAC,UAAU;oBAC1B,YAAY,EACV,CAAC,CAAC,cAAc;wBAChB,CAAC,MAAM,CAAC,IAAI,KAAK,UAAU;4BACzB,gBAAgB,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC;oBAC5C,aAAa,EAAE,cAAc,EAAE,EAAE;iBAClC,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK,EAAE,KAAK,CAAC,EAAE;gBACf,OAAO,EAAE,KAAK,CAAC,IAAI;gBACnB,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,YAAY;gBACZ,eAAe,EAAE,MAAM,CAAC,IAAI;gBAC5B,SAAS,EAAE,IAAI;aAChB,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK,EAAE,KAAK,CAAC,EAAE;gBACf,OAAO,EAAE,KAAK,CAAC,IAAI;gBACnB,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,YAAY,EAAE,EAAE;gBAChB,eAAe,EAAE,MAAM,CAAC,IAAI;gBAC5B,SAAS,EAAE,KAAK;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,oEAAoE;AAEpE,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC5D,WAAW,EAAE;QACb,UAAU,EAAE;QACZ,YAAY,EAAE;QACd,sBAAsB,EAAE;KACzB,CAAC,CAAC;IACH,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,MAAM,CAAC;IAE5E,OAAO;QACL,UAAU,EAAE,MAAM,CAAC,IAAI;QACvB,WAAW,EAAE,OAAO,CAAC,MAAM;QAC3B,gBAAgB,EACd,MAAM,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,gBAAgB;QAChE,gBAAgB;QAChB,mBAAmB,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;KAC3E,CAAC;AACJ,CAAC;AAED,oEAAoE;AAEpE,KAAK,UAAU,qBAAqB,CAClC,SAAiB,EACjB,KAAuE;IAEvE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC7C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;IACnC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO;IAExC,oEAAoE;IACpE,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,MAAM,iBAAiB,EAAE,CAAC;IACzC,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IAE/C,MAAM,IAAI,GAAG;QACX,mBAAmB,KAAK,CAAC,aAAa,QAAQ,KAAK,CAAC,KAAK,EAAE;QAC3D,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE;QAC7C,iBAAiB,iBAAiB,EAAE,EAAE;QACtC,EAAE;QACF,mBAAmB,MAAM,QAAQ;KAClC;SACE,MAAM,CAAC,OAAO,CAAC;SACf,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,MAAM,KAAK,CAAC,uCAAuC,EAAE;QACnD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,MAAM,EAAE;YACjC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,gBAAgB,EAAE;gBAChB;oBACE,EAAE,EAAE,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;oBACrD,OAAO,EAAE,kBAAkB,KAAK,CAAC,aAAa,QAAQ,KAAK,CAAC,KAAK,EAAE;iBACpE;aACF;YACD,IAAI,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;YACrB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;YAC9C,WAAW,EAAE,EAAE,SAAS,EAAE;SAC3B,CAAC;KACH,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;AACrB,CAAC","sourcesContent":["import crypto from \"node:crypto\";\nimport { and, desc, eq, isNull, or } from \"drizzle-orm\";\nimport { discoverAgents } from \"@agent-native/core/server/agent-discovery\";\nimport { writeAppSecret, type SecretScope } from \"@agent-native/core/secrets\";\nimport {\n  getOrgSetting,\n  getUserSetting,\n  putOrgSetting,\n  putUserSetting,\n} from \"@agent-native/core/settings\";\nimport { getDb, schema } from \"../../db/index.js\";\nimport {\n  currentOwnerEmail,\n  currentOrgId,\n  recordAudit,\n} from \"./dispatch-store.js\";\n\nconst VAULT_ACCESS_SETTINGS_KEY = \"dispatch-vault-access-settings\";\n\nexport type VaultAccessMode = \"all-apps\" | \"manual\";\n\nexport interface VaultAccessSettings {\n  mode: VaultAccessMode;\n  scope: \"org\" | \"user\";\n  scopeId: string;\n}\n\n/**\n * Caller-supplied access context for vault operations.\n *\n * Every getSecret / updateSecret / deleteSecret / createGrant call must\n * pass the ctx of the *current request* so the row is scoped to that\n * caller's tenant. Looking up a vault secret by id alone is unsafe — UUIDs\n * are not authorization. A row matches the ctx if either the caller owns\n * it or it lives in the caller's active org.\n */\nexport interface VaultCtx {\n  ownerEmail: string;\n  orgId: string | null;\n}\n\n/**\n * Build a VaultCtx from the current request. Throws if the request is\n * unauthenticated — the previous behavior of falling back to \"local@localhost\"\n * leaked rows across tenants when a misconfigured environment skipped auth.\n */\nexport function requireVaultCtx(): VaultCtx {\n  const ownerEmail = currentOwnerEmail();\n  if (!ownerEmail) {\n    throw new Error(\"Vault operation requires an authenticated user\");\n  }\n  return { ownerEmail, orgId: currentOrgId() };\n}\n\n/** WHERE clause that limits a vault row to the caller's ownership scope. */\nfunction ctxScope<T extends { ownerEmail: any; orgId: any }>(\n  table: T,\n  ctx: VaultCtx,\n) {\n  if (!ctx.orgId) {\n    return and(eq(table.ownerEmail, ctx.ownerEmail), isNull(table.orgId));\n  }\n  return or(eq(table.ownerEmail, ctx.ownerEmail), eq(table.orgId, ctx.orgId));\n}\n\n/** Build a ctx that scopes to a specific row's owner/org (used when a\n * request approver acts on behalf of the original requester so the\n * created secret lands in the request's org). */\nfunction ctxForRow(row: {\n  ownerEmail: string;\n  orgId: string | null;\n}): VaultCtx {\n  return { ownerEmail: row.ownerEmail, orgId: row.orgId };\n}\n\nfunction id() {\n  return crypto.randomUUID();\n}\n\nfunction now() {\n  return Date.now();\n}\n\nfunction safeJson(value: unknown) {\n  return JSON.stringify(value ?? null);\n}\n\nfunction scopedFilter<T extends { ownerEmail: any; orgId: any }>(table: T) {\n  return ctxScope(table, requireVaultCtx());\n}\n\nfunction normalizeCredentialKey(value: string) {\n  return value.trim();\n}\n\nfunction vaultAccessScope() {\n  const orgId = currentOrgId();\n  if (orgId) return { scope: \"org\" as const, scopeId: orgId };\n  return { scope: \"user\" as const, scopeId: currentOwnerEmail() };\n}\n\nfunction parseVaultAccessMode(value: unknown): VaultAccessMode {\n  return value === \"manual\" ? \"manual\" : \"all-apps\";\n}\n\nexport async function getVaultAccessSettings(): Promise<VaultAccessSettings> {\n  const scope = vaultAccessScope();\n  const raw =\n    scope.scope === \"org\"\n      ? await getOrgSetting(scope.scopeId, VAULT_ACCESS_SETTINGS_KEY)\n      : await getUserSetting(scope.scopeId, VAULT_ACCESS_SETTINGS_KEY);\n  return {\n    ...scope,\n    mode: parseVaultAccessMode(raw?.mode),\n  };\n}\n\nexport async function setVaultAccessSettings(input: {\n  mode: VaultAccessMode;\n}): Promise<VaultAccessSettings> {\n  const scope = vaultAccessScope();\n  const next = { mode: parseVaultAccessMode(input.mode) };\n  if (scope.scope === \"org\") {\n    await putOrgSetting(scope.scopeId, VAULT_ACCESS_SETTINGS_KEY, next);\n  } else {\n    await putUserSetting(scope.scopeId, VAULT_ACCESS_SETTINGS_KEY, next);\n  }\n  await recordAudit({\n    action: \"vault.access-settings.updated\",\n    targetType: \"vault-settings\",\n    targetId: VAULT_ACCESS_SETTINGS_KEY,\n    summary:\n      next.mode === \"all-apps\"\n        ? \"Set vault access to all workspace apps\"\n        : \"Set vault access to manual per-app grants\",\n    metadata: next,\n  });\n  return getVaultAccessSettings();\n}\n\n// ─── Vault Audit ──────────────────────────────────────────────────\n\nexport async function recordVaultAudit(input: {\n  action: string;\n  secretId?: string | null;\n  appId?: string | null;\n  summary: string;\n  metadata?: unknown;\n  actor?: string;\n}) {\n  const db = getDb();\n  await db.insert(schema.vaultAuditLog).values({\n    id: id(),\n    ownerEmail: currentOwnerEmail(),\n    orgId: currentOrgId(),\n    secretId: input.secretId || null,\n    appId: input.appId || null,\n    action: input.action,\n    actor: input.actor || currentOwnerEmail(),\n    summary: input.summary,\n    metadata: input.metadata ? safeJson(input.metadata) : null,\n    createdAt: now(),\n  });\n}\n\nexport async function listVaultAudit(limit = 50) {\n  const db = getDb();\n  return db\n    .select()\n    .from(schema.vaultAuditLog)\n    .where(scopedFilter(schema.vaultAuditLog))\n    .orderBy(desc(schema.vaultAuditLog.createdAt))\n    .limit(limit);\n}\n\n// ─── Secrets ──────────────────────────────────────────────────────\n\nexport async function listSecrets() {\n  const db = getDb();\n  return db\n    .select()\n    .from(schema.vaultSecrets)\n    .where(scopedFilter(schema.vaultSecrets))\n    .orderBy(desc(schema.vaultSecrets.updatedAt));\n}\n\nexport async function getSecret(secretId: string, ctx: VaultCtx) {\n  const db = getDb();\n  const [row] = await db\n    .select()\n    .from(schema.vaultSecrets)\n    .where(\n      and(\n        eq(schema.vaultSecrets.id, secretId),\n        ctxScope(schema.vaultSecrets, ctx),\n      ),\n    )\n    .limit(1);\n  return row ?? null;\n}\n\nexport async function createSecret(\n  input: {\n    credentialKey: string;\n    value: string;\n    name: string;\n    provider?: string | null;\n    description?: string | null;\n  },\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const timestamp = now();\n  const credentialKey = normalizeCredentialKey(input.credentialKey);\n  if (!credentialKey) throw new Error(\"Credential key is required\");\n  const existing = await db\n    .select()\n    .from(schema.vaultSecrets)\n    .where(\n      and(\n        eq(schema.vaultSecrets.credentialKey, credentialKey),\n        ctxScope(schema.vaultSecrets, ctx),\n      ),\n    )\n    .orderBy(desc(schema.vaultSecrets.updatedAt))\n    .limit(1);\n\n  if (existing[0]) {\n    await db\n      .update(schema.vaultSecrets)\n      .set({\n        name: input.name,\n        credentialKey,\n        value: input.value,\n        provider: input.provider || null,\n        description: input.description || null,\n        updatedAt: timestamp,\n      })\n      .where(\n        and(\n          eq(schema.vaultSecrets.id, existing[0].id),\n          ctxScope(schema.vaultSecrets, ctx),\n        ),\n      );\n\n    await recordVaultAudit({\n      action: \"secret.updated\",\n      secretId: existing[0].id,\n      summary: `Updated secret \"${input.name}\" (${credentialKey})`,\n      metadata: { credentialKey, provider: input.provider },\n    });\n\n    await recordAudit({\n      action: \"vault.secret.updated\",\n      targetType: \"vault-secret\",\n      targetId: existing[0].id,\n      summary: `Updated vault secret \"${input.name}\" (${credentialKey})`,\n    });\n\n    return getSecret(existing[0].id, ctx);\n  }\n\n  const secretId = id();\n  const actor = ctx.ownerEmail;\n\n  await db.insert(schema.vaultSecrets).values({\n    id: secretId,\n    ownerEmail: actor,\n    orgId: ctx.orgId,\n    name: input.name,\n    credentialKey,\n    value: input.value,\n    provider: input.provider || null,\n    description: input.description || null,\n    createdBy: actor,\n    createdAt: timestamp,\n    updatedAt: timestamp,\n  });\n\n  await recordVaultAudit({\n    action: \"secret.created\",\n    secretId,\n    summary: `Created secret \"${input.name}\" (${credentialKey})`,\n    metadata: { credentialKey, provider: input.provider },\n  });\n\n  await recordAudit({\n    action: \"vault.secret.created\",\n    targetType: \"vault-secret\",\n    targetId: secretId,\n    summary: `Created vault secret \"${input.name}\" (${credentialKey})`,\n  });\n\n  return getSecret(secretId, ctx);\n}\n\nexport async function updateSecret(\n  secretId: string,\n  value: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const existing = await getSecret(secretId, ctx);\n  if (!existing) throw new Error(\"Secret not found\");\n\n  await db\n    .update(schema.vaultSecrets)\n    .set({ value, updatedAt: now() })\n    .where(\n      and(\n        eq(schema.vaultSecrets.id, secretId),\n        ctxScope(schema.vaultSecrets, ctx),\n      ),\n    );\n\n  await recordVaultAudit({\n    action: \"secret.updated\",\n    secretId,\n    summary: `Updated value for secret \"${existing.name}\" (${existing.credentialKey})`,\n  });\n\n  return getSecret(secretId, ctx);\n}\n\nexport async function deleteSecret(\n  secretId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const existing = await getSecret(secretId, ctx);\n  if (!existing) throw new Error(\"Secret not found\");\n\n  // Revoke all active grants first\n  const grants = await listGrants({ secretId });\n  for (const grant of grants) {\n    if (grant.status === \"active\") {\n      await revokeGrant(grant.id, ctx);\n    }\n  }\n\n  await db\n    .delete(schema.vaultSecrets)\n    .where(\n      and(\n        eq(schema.vaultSecrets.id, secretId),\n        ctxScope(schema.vaultSecrets, ctx),\n      ),\n    );\n\n  await recordVaultAudit({\n    action: \"secret.deleted\",\n    secretId,\n    summary: `Deleted secret \"${existing.name}\" (${existing.credentialKey})`,\n  });\n\n  await recordAudit({\n    action: \"vault.secret.deleted\",\n    targetType: \"vault-secret\",\n    targetId: secretId,\n    summary: `Deleted vault secret \"${existing.name}\" (${existing.credentialKey})`,\n  });\n\n  return existing;\n}\n\n// ─── Grants ──────────────────────────────────────────────────────\n\nexport async function listGrants(filter?: {\n  secretId?: string;\n  appId?: string;\n}) {\n  const db = getDb();\n  const conditions = [scopedFilter(schema.vaultGrants)];\n  if (filter?.secretId) {\n    conditions.push(eq(schema.vaultGrants.secretId, filter.secretId) as any);\n  }\n  if (filter?.appId) {\n    conditions.push(eq(schema.vaultGrants.appId, filter.appId) as any);\n  }\n  return db\n    .select()\n    .from(schema.vaultGrants)\n    .where(and(...conditions))\n    .orderBy(desc(schema.vaultGrants.updatedAt));\n}\n\nexport async function getGrant(\n  grantId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const [row] = await db\n    .select()\n    .from(schema.vaultGrants)\n    .where(\n      and(\n        eq(schema.vaultGrants.id, grantId),\n        ctxScope(schema.vaultGrants, ctx),\n      ),\n    )\n    .limit(1);\n  return row ?? null;\n}\n\nexport async function createGrant(\n  secretId: string,\n  appId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const secret = await getSecret(secretId, ctx);\n  if (!secret) throw new Error(\"Secret not found\");\n\n  const timestamp = now();\n  const grantId = id();\n  const actor = ctx.ownerEmail;\n\n  await db.insert(schema.vaultGrants).values({\n    id: grantId,\n    ownerEmail: actor,\n    orgId: ctx.orgId,\n    secretId,\n    appId,\n    grantedBy: actor,\n    status: \"active\",\n    syncedAt: null,\n    createdAt: timestamp,\n    updatedAt: timestamp,\n  });\n\n  await recordVaultAudit({\n    action: \"grant.created\",\n    secretId,\n    appId,\n    summary: `Granted \"${secret.name}\" (${secret.credentialKey}) to ${appId}`,\n    metadata: { grantId },\n  });\n\n  await recordAudit({\n    action: \"vault.grant.created\",\n    targetType: \"vault-grant\",\n    targetId: grantId,\n    summary: `Granted vault secret \"${secret.name}\" to ${appId}`,\n  });\n\n  return getGrant(grantId);\n}\n\nexport async function grantSecretsToApp(\n  secretIds: string[],\n  appId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const access = await getVaultAccessSettings();\n  const uniqueSecretIds = Array.from(new Set(secretIds));\n  if (access.mode === \"all-apps\") {\n    return {\n      appId,\n      accessMode: access.mode,\n      created: [],\n      skipped: uniqueSecretIds,\n    };\n  }\n  const existingActive = (await listGrants({ appId })).filter(\n    (grant) => grant.status === \"active\",\n  );\n  const existingSecretIds = new Set(\n    existingActive.map((grant) => grant.secretId),\n  );\n  const created = [];\n  const skipped: string[] = [];\n\n  for (const secretId of uniqueSecretIds) {\n    if (existingSecretIds.has(secretId)) {\n      skipped.push(secretId);\n      continue;\n    }\n    const grant = await createGrant(secretId, appId, ctx);\n    if (grant) {\n      created.push(grant);\n      existingSecretIds.add(secretId);\n    }\n  }\n\n  return { appId, accessMode: access.mode, created, skipped };\n}\n\nexport async function revokeGrant(\n  grantId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const grant = await getGrant(grantId, ctx);\n  if (!grant) throw new Error(\"Grant not found\");\n\n  const secret = await getSecret(grant.secretId, ctx);\n\n  await db\n    .update(schema.vaultGrants)\n    .set({ status: \"revoked\", updatedAt: now() })\n    .where(\n      and(\n        eq(schema.vaultGrants.id, grantId),\n        ctxScope(schema.vaultGrants, ctx),\n      ),\n    );\n\n  await recordVaultAudit({\n    action: \"grant.revoked\",\n    secretId: grant.secretId,\n    appId: grant.appId,\n    summary: `Revoked ${secret?.credentialKey || grant.secretId} from ${grant.appId}`,\n    metadata: { grantId },\n  });\n\n  await recordAudit({\n    action: \"vault.grant.revoked\",\n    targetType: \"vault-grant\",\n    targetId: grantId,\n    summary: `Revoked vault secret \"${secret?.name || grant.secretId}\" from ${grant.appId}`,\n  });\n\n  return getGrant(grantId, ctx);\n}\n\n// ─── Shared Credential Store Sync ─────────────────────────────────\n\ntype VaultSecretRow = typeof schema.vaultSecrets.$inferSelect;\n\nexport function credentialStoreScopeForVaultCtx(ctx: VaultCtx): {\n  scope: Extract<SecretScope, \"org\" | \"workspace\">;\n  scopeId: string;\n} {\n  if (ctx.orgId) return { scope: \"org\", scopeId: ctx.orgId };\n  return { scope: \"workspace\", scopeId: `solo:${ctx.ownerEmail}` };\n}\n\nexport async function syncSecretsToCredentialStore(\n  secrets: VaultSecretRow[],\n  ctx: VaultCtx,\n) {\n  const target = credentialStoreScopeForVaultCtx(ctx);\n  const syncedKeys: string[] = [];\n\n  for (const secret of secrets) {\n    if (!secret.credentialKey || !secret.value) continue;\n    await writeAppSecret({\n      key: secret.credentialKey,\n      value: secret.value,\n      scope: target.scope,\n      scopeId: target.scopeId,\n      description: `Synced from Dispatch vault: ${secret.name}`,\n    });\n    syncedKeys.push(secret.credentialKey);\n  }\n\n  return { ...target, keys: syncedKeys };\n}\n\n// ─── Sync ──────────────────────────────────────────────────────\n\nexport async function syncGrantsToApp(\n  appId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const access = await getVaultAccessSettings();\n  const agents = await discoverAgents(\"dispatch\");\n  const agent = agents.find((a) => a.id === appId);\n  if (!agent) throw new Error(`App \"${appId}\" not found in agent registry`);\n\n  const secretsToSync: VaultSecretRow[] = [];\n  const activeGrants =\n    access.mode === \"manual\"\n      ? (await listGrants({ appId })).filter((g) => g.status === \"active\")\n      : [];\n\n  if (access.mode === \"all-apps\") {\n    const secrets = await listSecrets();\n    for (const secret of secrets) {\n      secretsToSync.push(secret);\n    }\n  } else {\n    for (const grant of activeGrants) {\n      const secret = await getSecret(grant.secretId, ctx);\n      if (secret) {\n        secretsToSync.push(secret);\n      }\n    }\n  }\n\n  if (secretsToSync.length === 0) {\n    return { appId, accessMode: access.mode, synced: 0, keys: [] };\n  }\n\n  const credentialStoreSync = await syncSecretsToCredentialStore(\n    secretsToSync,\n    ctx,\n  );\n  const vars = secretsToSync.map((secret) => ({\n    key: secret.credentialKey,\n    value: secret.value,\n  }));\n  let envVarSync:\n    | { status: \"synced\"; keys: string[] }\n    | { status: \"skipped\"; reason: string }\n    | { status: \"failed\"; reason: string };\n\n  // Best-effort push to the app's env-vars endpoint for local/dev apps that\n  // still read process.env directly. Production/shared-DB apps intentionally\n  // reject env writes; the encrypted app_secrets sync above is the canonical\n  // path for request-scoped credentials.\n  try {\n    const res = await fetch(`${agent.url}/_agent-native/env-vars`, {\n      method: \"POST\",\n      headers: { \"Content-Type\": \"application/json\" },\n      body: JSON.stringify({ vars }),\n    });\n\n    if (res.ok) {\n      const result = await res.json();\n      envVarSync = { status: \"synced\", keys: result.saved || [] };\n    } else {\n      const err = await res.text().catch(() => \"Unknown error\");\n      envVarSync = { status: \"skipped\", reason: err };\n    }\n  } catch (err) {\n    envVarSync = {\n      status: \"failed\",\n      reason: err instanceof Error ? err.message : String(err),\n    };\n  }\n\n  const syncedKeys = credentialStoreSync.keys;\n  const timestamp = now();\n\n  // Update syncedAt on grants that were successfully pushed to the shared\n  // credential store. All-apps mode has no explicit grant rows to update.\n  for (const grant of activeGrants) {\n    const secret = await getSecret(grant.secretId, ctx);\n    if (secret && syncedKeys.includes(secret.credentialKey)) {\n      await db\n        .update(schema.vaultGrants)\n        .set({ syncedAt: timestamp, updatedAt: timestamp })\n        .where(eq(schema.vaultGrants.id, grant.id));\n    }\n  }\n\n  await recordVaultAudit({\n    action: \"secret.synced\",\n    appId,\n    summary: `Synced ${syncedKeys.length} secret(s) to ${appId}: ${syncedKeys.join(\", \")}`,\n    metadata: {\n      syncedKeys,\n      accessMode: access.mode,\n      credentialStore: {\n        scope: credentialStoreSync.scope,\n        scopeId: credentialStoreSync.scopeId,\n      },\n      envVars: envVarSync,\n    },\n  });\n\n  return {\n    appId,\n    accessMode: access.mode,\n    synced: syncedKeys.length,\n    keys: syncedKeys,\n    credentialStore: {\n      scope: credentialStoreSync.scope,\n      scopeId: credentialStoreSync.scopeId,\n      synced: credentialStoreSync.keys.length,\n    },\n    envVars: envVarSync,\n  };\n}\n\n// ─── Requests ──────────────────────────────────────────────────────\n\nexport async function listRequests(filter?: { status?: string }) {\n  const db = getDb();\n  const conditions = [scopedFilter(schema.vaultRequests)];\n  if (filter?.status) {\n    conditions.push(eq(schema.vaultRequests.status, filter.status) as any);\n  }\n  return db\n    .select()\n    .from(schema.vaultRequests)\n    .where(and(...conditions))\n    .orderBy(desc(schema.vaultRequests.updatedAt));\n}\n\nexport async function getRequest(\n  requestId: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const [row] = await db\n    .select()\n    .from(schema.vaultRequests)\n    .where(\n      and(\n        eq(schema.vaultRequests.id, requestId),\n        ctxScope(schema.vaultRequests, ctx),\n      ),\n    )\n    .limit(1);\n  return row ?? null;\n}\n\nexport async function createRequest(input: {\n  credentialKey: string;\n  appId: string;\n  reason?: string | null;\n}) {\n  const db = getDb();\n  const timestamp = now();\n  const requestId = id();\n  const actor = currentOwnerEmail();\n\n  await db.insert(schema.vaultRequests).values({\n    id: requestId,\n    ownerEmail: actor,\n    orgId: currentOrgId(),\n    credentialKey: input.credentialKey,\n    appId: input.appId,\n    reason: input.reason || null,\n    requestedBy: actor,\n    status: \"pending\",\n    reviewedBy: null,\n    reviewedAt: null,\n    createdAt: timestamp,\n    updatedAt: timestamp,\n  });\n\n  await recordVaultAudit({\n    action: \"request.created\",\n    appId: input.appId,\n    summary: `${actor} requested ${input.credentialKey} for ${input.appId}`,\n    metadata: { requestId, reason: input.reason },\n  });\n\n  await notifyAdminsOfRequest(requestId, input);\n\n  return getRequest(requestId);\n}\n\nexport async function approveRequest(\n  requestId: string,\n  secretValue: string,\n  secretName?: string,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const request = await getRequest(requestId, ctx);\n  if (!request) throw new Error(\"Request not found\");\n  if (request.status !== \"pending\") {\n    throw new Error(\"Only pending requests can be approved\");\n  }\n\n  const timestamp = now();\n  const reviewer = ctx.ownerEmail;\n\n  // Update request status — scoped to caller's tenant.\n  await db\n    .update(schema.vaultRequests)\n    .set({\n      status: \"approved\",\n      reviewedBy: reviewer,\n      reviewedAt: timestamp,\n      updatedAt: timestamp,\n    })\n    .where(\n      and(\n        eq(schema.vaultRequests.id, requestId),\n        ctxScope(schema.vaultRequests, ctx),\n      ),\n    );\n\n  // Secret + grant must land in the REQUEST's tenant, not the approver's\n  // (the approver may be acting on behalf of another user in the same org).\n  const requestCtx = ctxForRow(request);\n\n  // Check if secret already exists in the request's tenant for this key.\n  const existingSecrets = await db\n    .select()\n    .from(schema.vaultSecrets)\n    .where(\n      and(\n        eq(schema.vaultSecrets.credentialKey, request.credentialKey),\n        ctxScope(schema.vaultSecrets, requestCtx),\n      ),\n    );\n  let secret = existingSecrets[0] ?? null;\n\n  if (!secret) {\n    secret = await createSecret(\n      {\n        credentialKey: request.credentialKey,\n        value: secretValue,\n        name: secretName || request.credentialKey,\n      },\n      requestCtx,\n    );\n  }\n\n  if (secret) {\n    // Create the grant in the request's tenant as well.\n    await createGrant(secret.id, request.appId, requestCtx);\n  }\n\n  await recordVaultAudit({\n    action: \"request.approved\",\n    appId: request.appId,\n    summary: `Approved ${request.credentialKey} for ${request.appId} (requested by ${request.requestedBy})`,\n    metadata: { requestId, reviewer },\n  });\n\n  return getRequest(requestId, ctx);\n}\n\nexport async function denyRequest(\n  requestId: string,\n  reason?: string | null,\n  ctx: VaultCtx = requireVaultCtx(),\n) {\n  const db = getDb();\n  const request = await getRequest(requestId, ctx);\n  if (!request) throw new Error(\"Request not found\");\n  if (request.status !== \"pending\") {\n    throw new Error(\"Only pending requests can be denied\");\n  }\n\n  const timestamp = now();\n  const reviewer = ctx.ownerEmail;\n\n  await db\n    .update(schema.vaultRequests)\n    .set({\n      status: \"denied\",\n      reviewedBy: reviewer,\n      reviewedAt: timestamp,\n      updatedAt: timestamp,\n    })\n    .where(\n      and(\n        eq(schema.vaultRequests.id, requestId),\n        ctxScope(schema.vaultRequests, ctx),\n      ),\n    );\n\n  await recordVaultAudit({\n    action: \"request.denied\",\n    appId: request.appId,\n    summary: `Denied ${request.credentialKey} for ${request.appId} (requested by ${request.requestedBy})`,\n    metadata: { requestId, reviewer, reason },\n  });\n\n  return getRequest(requestId, ctx);\n}\n\n// ─── Integrations Catalog ────────────────────────────────────────\n\nexport interface IntegrationEntry {\n  key: string;\n  label: string;\n  required: boolean;\n  configured: boolean;\n  vaultGranted: boolean;\n  vaultSecretId?: string;\n}\n\nexport interface AppIntegrations {\n  appId: string;\n  appName: string;\n  url: string;\n  color: string;\n  integrations: IntegrationEntry[];\n  vaultAccessMode: VaultAccessMode;\n  reachable: boolean;\n}\n\nexport async function listIntegrationsCatalog(): Promise<AppIntegrations[]> {\n  const access = await getVaultAccessSettings();\n  const agents = await discoverAgents(\"dispatch\");\n  const grants = await listGrants();\n  const secrets = await listSecrets();\n\n  const secretByKey = new Map(secrets.map((s) => [s.credentialKey, s]));\n\n  const results: AppIntegrations[] = [];\n\n  for (const agent of agents) {\n    try {\n      const res = await fetch(`${agent.url}/_agent-native/env-status`, {\n        signal: AbortSignal.timeout(3000),\n      });\n      if (!res.ok) {\n        results.push({\n          appId: agent.id,\n          appName: agent.name,\n          url: agent.url,\n          color: agent.color,\n          integrations: [],\n          vaultAccessMode: access.mode,\n          reachable: false,\n        });\n        continue;\n      }\n\n      const envStatus: Array<{\n        key: string;\n        label: string;\n        required: boolean;\n        configured: boolean;\n      }> = await res.json();\n\n      const appGrants = grants.filter(\n        (g) => g.appId === agent.id && g.status === \"active\",\n      );\n      const grantedSecretIds = new Set(appGrants.map((g) => g.secretId));\n\n      const integrations: IntegrationEntry[] = envStatus.map((env) => {\n        const matchingSecret = secretByKey.get(env.key);\n        return {\n          key: env.key,\n          label: env.label,\n          required: env.required,\n          configured: env.configured,\n          vaultGranted:\n            !!matchingSecret &&\n            (access.mode === \"all-apps\" ||\n              grantedSecretIds.has(matchingSecret.id)),\n          vaultSecretId: matchingSecret?.id,\n        };\n      });\n\n      results.push({\n        appId: agent.id,\n        appName: agent.name,\n        url: agent.url,\n        color: agent.color,\n        integrations,\n        vaultAccessMode: access.mode,\n        reachable: true,\n      });\n    } catch {\n      results.push({\n        appId: agent.id,\n        appName: agent.name,\n        url: agent.url,\n        color: agent.color,\n        integrations: [],\n        vaultAccessMode: access.mode,\n        reachable: false,\n      });\n    }\n  }\n\n  return results;\n}\n\n// ─── Vault Overview (for dashboard) ──────────────────────────────\n\nexport async function listVaultOverview() {\n  const [secrets, grants, requests, access] = await Promise.all([\n    listSecrets(),\n    listGrants(),\n    listRequests(),\n    getVaultAccessSettings(),\n  ]);\n  const manualGrantCount = grants.filter((g) => g.status === \"active\").length;\n\n  return {\n    accessMode: access.mode,\n    secretCount: secrets.length,\n    activeGrantCount:\n      access.mode === \"all-apps\" ? secrets.length : manualGrantCount,\n    manualGrantCount,\n    pendingRequestCount: requests.filter((r) => r.status === \"pending\").length,\n  };\n}\n\n// ─── SendGrid Notifications ──────────────────────────────────────\n\nasync function notifyAdminsOfRequest(\n  requestId: string,\n  input: { credentialKey: string; appId: string; reason?: string | null },\n) {\n  const apiKey = process.env.SENDGRID_API_KEY;\n  const from = process.env.SENDGRID_FROM_EMAIL;\n  const appUrl = process.env.APP_URL;\n  if (!apiKey || !from || !appUrl) return;\n\n  // Use approval policy approver emails as admin notification targets\n  const { getApprovalPolicy } = await import(\"./dispatch-store.js\");\n  const policy = await getApprovalPolicy();\n  if (policy.approverEmails.length === 0) return;\n\n  const body = [\n    `Secret request: ${input.credentialKey} for ${input.appId}`,\n    input.reason ? `Reason: ${input.reason}` : \"\",\n    `Requested by: ${currentOwnerEmail()}`,\n    \"\",\n    `Review it here: ${appUrl}/vault`,\n  ]\n    .filter(Boolean)\n    .join(\"\\n\");\n\n  await fetch(\"https://api.sendgrid.com/v3/mail/send\", {\n    method: \"POST\",\n    headers: {\n      Authorization: `Bearer ${apiKey}`,\n      \"Content-Type\": \"application/json\",\n    },\n    body: JSON.stringify({\n      personalizations: [\n        {\n          to: policy.approverEmails.map((email) => ({ email })),\n          subject: `Vault request: ${input.credentialKey} for ${input.appId}`,\n        },\n      ],\n      from: { email: from },\n      content: [{ type: \"text/plain\", value: body }],\n      custom_args: { requestId },\n    }),\n  }).catch(() => {});\n}\n"]}

package/dist/server/plugins/agent-chat.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"agent-chat.d.ts","sourceRoot":"","sources":["../../../src/server/plugins/agent-chat.ts"],"names":[],"mappings":";AAIA,wBAiCG"}
+{"version":3,"file":"agent-chat.d.ts","sourceRoot":"","sources":["../../../src/server/plugins/agent-chat.ts"],"names":[],"mappings":";AAIA,wBAkCG"}

package/dist/server/plugins/agent-chat.js

@@ -26,8 +26,9 @@ Use the standard workspace primitives:
 - Read and update resources like AGENTS.md, LEARNINGS.md, jobs/*.md, agents/*.md, and remote-agents/*.json when appropriate.
 - Use recurring jobs for scheduled behavior.
 - Use custom agent profiles in agents/*.md for local spawned work and remote-agents/*.json for remote A2A apps.
+- You receive a compact available-apps block with sibling workspace app names and descriptions. Use it to pick the right A2A target, and call list-connected-agents or tool-search only when you need fresh details.
 - When answering whether workspace apps expose agent cards or A2A endpoints, call list-workspace-apps with includeAgentCards=true. If you have not requested that probe, absence of agent-card fields means unchecked, not unavailable.
-- When creating a new workspace app, create a separate app under apps/<app-id> with apps/<app-id>/package.json, mount it at /<app-id>, use relative /<app-id> links, never hardcode localhost or dev ports, use shadcn/ui with @tabler/icons-react rather than lucide-react, and ensure the React Router client entry preserves APP_BASE_PATH/VITE_APP_BASE_PATH via appBasePath(). There is no separate workspace app registry to edit.
+- When creating a new workspace app, create a separate app under apps/<app-id> with apps/<app-id>/package.json including a concise generated description, mount it at /<app-id>, use relative /<app-id> links, never hardcode localhost or dev ports, use shadcn/ui with @tabler/icons-react rather than lucide-react, and ensure the React Router client entry preserves APP_BASE_PATH/VITE_APP_BASE_PATH via appBasePath(). There is no separate workspace app registry to edit.
 - Treat first-party apps such as Mail, Calendar, Analytics, and Dispatch as existing hosted/connected neighbors available through links and A2A/default connected agents. Do not create wrapper apps, child apps, nested routes, or cloned template copies just to give a new app access to them; build only the genuinely new workflow and delegate cross-app work to those existing apps.
 
 When a user asks for something like a digest, reminder, routing rule, or saved behavior:

package/dist/server/plugins/agent-chat.js.map

@@ -1 +1 @@
-{"version":3,"file":"agent-chat.js","sourceRoot":"","sources":["../../../src/server/plugins/agent-chat.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,eAAe,qBAAqB,CAAC;IACnC,KAAK,EAAE,UAAU;IACjB,0EAA0E;IAC1E,2EAA2E;IAC3E,2EAA2E;IAC3E,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;QACvC,OAAO,GAAG,CAAC,KAAK,CAAC;IACnB,CAAC;IACD,2EAA2E;IAC3E,2EAA2E;IAC3E,wEAAwE;IACxE,OAAO,EAAE,eAAe;IACxB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;4EAmB4D;CAC3E,CAAC,CAAC","sourcesContent":["import { createAgentChatPlugin } from \"@agent-native/core/server\";\nimport { getOrgContext } from \"@agent-native/core/org\";\nimport { dispatchActions } from \"../../actions/index.js\";\n\nexport default createAgentChatPlugin({\n  appId: \"dispatch\",\n  // Without this, AGENT_ORG_ID is never set on agent action calls and every\n  // row written through the frontend (vault secrets, destinations, workspace\n  // resources) lands with org_id=NULL — breaking data isolation across orgs.\n  resolveOrgId: async (event) => {\n    const ctx = await getOrgContext(event);\n    return ctx.orgId;\n  },\n  // Read actions directly from the package's own action map rather than from\n  // a build-time-generated `.generated/actions-registry.ts` (the latter is a\n  // template-only construct that the Vite plugin emits next to actions/).\n  actions: dispatchActions,\n  systemPrompt: `You are the central dispatch for this workspace.\n\nDefault posture:\n- Treat Slack and Telegram as shared entrypoints into the workspace.\n- Heavily delegate domain work to specialized agents through A2A when another app owns the job.\n- Keep durable memory and operating instructions in resources rather than ephemeral chat.\n- Prefer replying in the current external thread unless the user explicitly asks you to send to a saved destination.\n\nUse the standard workspace primitives:\n- Read and update resources like AGENTS.md, LEARNINGS.md, jobs/*.md, agents/*.md, and remote-agents/*.json when appropriate.\n- Use recurring jobs for scheduled behavior.\n- Use custom agent profiles in agents/*.md for local spawned work and remote-agents/*.json for remote A2A apps.\n- When answering whether workspace apps expose agent cards or A2A endpoints, call list-workspace-apps with includeAgentCards=true. If you have not requested that probe, absence of agent-card fields means unchecked, not unavailable.\n- When creating a new workspace app, create a separate app under apps/<app-id> with apps/<app-id>/package.json, mount it at /<app-id>, use relative /<app-id> links, never hardcode localhost or dev ports, use shadcn/ui with @tabler/icons-react rather than lucide-react, and ensure the React Router client entry preserves APP_BASE_PATH/VITE_APP_BASE_PATH via appBasePath(). There is no separate workspace app registry to edit.\n- Treat first-party apps such as Mail, Calendar, Analytics, and Dispatch as existing hosted/connected neighbors available through links and A2A/default connected agents. Do not create wrapper apps, child apps, nested routes, or cloned template copies just to give a new app access to them; build only the genuinely new workflow and delegate cross-app work to those existing apps.\n\nWhen a user asks for something like a digest, reminder, routing rule, or saved behavior:\n- First decide whether it should be a resource, a recurring job, a destination, or a delegated task.\n- Keep responses concise and operational.\n- Avoid inventing integrations or destinations that are not configured yet.`,\n});\n"]}
+{"version":3,"file":"agent-chat.js","sourceRoot":"","sources":["../../../src/server/plugins/agent-chat.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,eAAe,qBAAqB,CAAC;IACnC,KAAK,EAAE,UAAU;IACjB,0EAA0E;IAC1E,2EAA2E;IAC3E,2EAA2E;IAC3E,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;QACvC,OAAO,GAAG,CAAC,KAAK,CAAC;IACnB,CAAC;IACD,2EAA2E;IAC3E,2EAA2E;IAC3E,wEAAwE;IACxE,OAAO,EAAE,eAAe;IACxB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;4EAoB4D;CAC3E,CAAC,CAAC","sourcesContent":["import { createAgentChatPlugin } from \"@agent-native/core/server\";\nimport { getOrgContext } from \"@agent-native/core/org\";\nimport { dispatchActions } from \"../../actions/index.js\";\n\nexport default createAgentChatPlugin({\n  appId: \"dispatch\",\n  // Without this, AGENT_ORG_ID is never set on agent action calls and every\n  // row written through the frontend (vault secrets, destinations, workspace\n  // resources) lands with org_id=NULL — breaking data isolation across orgs.\n  resolveOrgId: async (event) => {\n    const ctx = await getOrgContext(event);\n    return ctx.orgId;\n  },\n  // Read actions directly from the package's own action map rather than from\n  // a build-time-generated `.generated/actions-registry.ts` (the latter is a\n  // template-only construct that the Vite plugin emits next to actions/).\n  actions: dispatchActions,\n  systemPrompt: `You are the central dispatch for this workspace.\n\nDefault posture:\n- Treat Slack and Telegram as shared entrypoints into the workspace.\n- Heavily delegate domain work to specialized agents through A2A when another app owns the job.\n- Keep durable memory and operating instructions in resources rather than ephemeral chat.\n- Prefer replying in the current external thread unless the user explicitly asks you to send to a saved destination.\n\nUse the standard workspace primitives:\n- Read and update resources like AGENTS.md, LEARNINGS.md, jobs/*.md, agents/*.md, and remote-agents/*.json when appropriate.\n- Use recurring jobs for scheduled behavior.\n- Use custom agent profiles in agents/*.md for local spawned work and remote-agents/*.json for remote A2A apps.\n- You receive a compact available-apps block with sibling workspace app names and descriptions. Use it to pick the right A2A target, and call list-connected-agents or tool-search only when you need fresh details.\n- When answering whether workspace apps expose agent cards or A2A endpoints, call list-workspace-apps with includeAgentCards=true. If you have not requested that probe, absence of agent-card fields means unchecked, not unavailable.\n- When creating a new workspace app, create a separate app under apps/<app-id> with apps/<app-id>/package.json including a concise generated description, mount it at /<app-id>, use relative /<app-id> links, never hardcode localhost or dev ports, use shadcn/ui with @tabler/icons-react rather than lucide-react, and ensure the React Router client entry preserves APP_BASE_PATH/VITE_APP_BASE_PATH via appBasePath(). There is no separate workspace app registry to edit.\n- Treat first-party apps such as Mail, Calendar, Analytics, and Dispatch as existing hosted/connected neighbors available through links and A2A/default connected agents. Do not create wrapper apps, child apps, nested routes, or cloned template copies just to give a new app access to them; build only the genuinely new workflow and delegate cross-app work to those existing apps.\n\nWhen a user asks for something like a digest, reminder, routing rule, or saved behavior:\n- First decide whether it should be a resource, a recurring job, a destination, or a delegated task.\n- Keep responses concise and operational.\n- Avoid inventing integrations or destinations that are not configured yet.`,\n});\n"]}

package/dist/server/plugins/core-routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"core-routes.d.ts","sourceRoot":"","sources":["../../../src/server/plugins/core-routes.ts"],"names":[],"mappings":";AAGA,wBAEG"}
+{"version":3,"file":"core-routes.d.ts","sourceRoot":"","sources":["../../../src/server/plugins/core-routes.ts"],"names":[],"mappings":";AAQA,wBAEG"}

package/dist/server/plugins/core-routes.js

@@ -1,5 +1,9 @@
 import { createCoreRoutesPlugin } from "@agent-native/core/server";
 import { envKeys } from "../lib/env-config.js";
+import { registerDispatchOnboardingSteps } from "../lib/onboarding-steps.js";
+// Register before the core plugin so "create your first app" (order 5) appears
+// above the auto-generated Slack/Telegram steps (order 60). Idempotent.
+registerDispatchOnboardingSteps();
 export default createCoreRoutesPlugin({
     envKeys,
 });

package/dist/server/plugins/core-routes.js.map

@@ -1 +1 @@
-{"version":3,"file":"core-routes.js","sourceRoot":"","sources":["../../../src/server/plugins/core-routes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAE/C,eAAe,sBAAsB,CAAC;IACpC,OAAO;CACR,CAAC,CAAC","sourcesContent":["import { createCoreRoutesPlugin } from \"@agent-native/core/server\";\nimport { envKeys } from \"../lib/env-config.js\";\n\nexport default createCoreRoutesPlugin({\n  envKeys,\n});\n"]}
+{"version":3,"file":"core-routes.js","sourceRoot":"","sources":["../../../src/server/plugins/core-routes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAC/C,OAAO,EAAE,+BAA+B,EAAE,MAAM,4BAA4B,CAAC;AAE7E,+EAA+E;AAC/E,wEAAwE;AACxE,+BAA+B,EAAE,CAAC;AAElC,eAAe,sBAAsB,CAAC;IACpC,OAAO;CACR,CAAC,CAAC","sourcesContent":["import { createCoreRoutesPlugin } from \"@agent-native/core/server\";\nimport { envKeys } from \"../lib/env-config.js\";\nimport { registerDispatchOnboardingSteps } from \"../lib/onboarding-steps.js\";\n\n// Register before the core plugin so \"create your first app\" (order 5) appears\n// above the auto-generated Slack/Telegram steps (order 60). Idempotent.\nregisterDispatchOnboardingSteps();\n\nexport default createCoreRoutesPlugin({\n  envKeys,\n});\n"]}

package/dist/server/plugins/integrations.js

@@ -7,7 +7,7 @@ const DISPATCH_INTEGRATION_SYSTEM_PROMPT = `You are the central dispatch for thi
 Default posture:
 - Treat Slack, Telegram, and email as shared entrypoints into the workspace.
 - Heavily delegate domain work to specialized agents through A2A (call-agent) when another app owns the job. Apps you can delegate to include slides (decks/presentations), analytics (data/dashboards), content (docs/articles), videos (Remotion compositions), forms (form builder), clips (screen recordings), design (visual designs), and images (brand image libraries and generated raster imagery).
-- Use list-connected-agents to see what agents are available before assuming a request must be handled locally.
+- Use the available-apps prompt context first, then list-connected-agents when you need fresh details, to see what agents are available before assuming a request must be handled locally.
 - When asked whether workspace apps expose agent cards or A2A endpoints, call list-workspace-apps with includeAgentCards=true. Without that probe, missing agent-card fields mean unchecked, not unavailable.
 - Treat first-party apps such as Mail, Calendar, Analytics, and Dispatch as existing hosted/connected neighbors available through links and A2A/default connected agents. Do not create wrapper apps, child apps, nested routes, or cloned template copies just to give a new app access to them; build only the genuinely new workflow and delegate cross-app work to those existing apps.
 - Keep durable memory and operating instructions in resources rather than ephemeral chat.
@@ -19,7 +19,7 @@ When a user asks for something:
 - Exception: if the downstream agent reports a missing model/provider credential, do not name exact env vars, Vault keys, tokens, or secrets. Say the target app needs an LLM connection and recommend connecting Builder/managed LLM for that app; keep bring-your-own provider keys as a secondary option only if the user asks.
 - If the user asks to create, build, make, scaffold, or generate an "agent" from Dispatch chat or by tagging @agent-native in Slack, email, or Telegram, first classify the ask. If it is a simple Dispatch-native behavior like a reminder, digest, monitor, routing rule, saved instruction, or recurring workflow, create or update the recurring job/resource/destination in Dispatch. If it is a robust unique product or teammate that needs its own UI, data model, actions, integrations, or domain workflow, treat it as a new workspace app and call start-workspace-app-creation.
 - If a new-app prompt asks for access to Mail, Calendar, Analytics, or similar first-party app data/agents, keep using the existing hosted/connected app and A2A path. Do not ask Builder to scaffold those apps as children of the new app unless the user explicitly asks for a customized fork/copy.
-- If the user explicitly asks for a new app or workspace app, call start-workspace-app-creation with their prompt. Do not satisfy a new-app request by adding a route, page, component, or file inside apps/starter or another existing app unless the user explicitly asks to modify that existing app. If the request is too vague to classify, ask one concise follow-up. If the action returns mode "builder", reply with the Builder branch URL; Builder is responsible for creating the separate workspace app under apps/<app-id>, mounting it at /<app-id>, ensuring apps/<app-id>/package.json exists so Dispatch discovers it, using relative /<app-id> links instead of hardcoded localhost/dev ports, and preserving APP_BASE_PATH/VITE_APP_BASE_PATH via appBasePath() in the React Router client entry. The new app lives at the workspace root /<app-id>, NOT under /dispatch/<app-id>, /apps/<app-id>, or any other Dispatch tab — when telling the user where to find it, link to /<app-id> only. There is no separate workspace app registry to edit. If it returns mode "local-agent", tell the user it is ready for the local code agent and include the returned app path/prompt summary. If it returns mode "coming-soon" or "builder-unavailable", explain the missing Builder setup and ask them to connect/configure Builder.
+- If the user explicitly asks for a new app or workspace app, call start-workspace-app-creation with their prompt and include a concise generated description when possible. Do not satisfy a new-app request by adding a route, page, component, or file inside apps/starter or another existing app unless the user explicitly asks to modify that existing app. If the request is too vague to classify, ask one concise follow-up. If the action returns mode "builder", reply with the Builder branch URL; Builder is responsible for creating the separate workspace app under apps/<app-id>, mounting it at /<app-id>, ensuring apps/<app-id>/package.json exists with name/displayName and description so Dispatch discovers it, using relative /<app-id> links instead of hardcoded localhost/dev ports, and preserving APP_BASE_PATH/VITE_APP_BASE_PATH via appBasePath() in the React Router client entry. The new app lives at the workspace root /<app-id>, NOT under /dispatch/<app-id>, /apps/<app-id>, or any other Dispatch tab — when telling the user where to find it, link to /<app-id> only. There is no separate workspace app registry to edit. If it returns mode "local-agent", tell the user it is ready for the local code agent and include the returned app path/prompt summary. If it returns mode "coming-soon" or "builder-unavailable", explain the missing Builder setup and ask them to connect/configure Builder.
 - For digests, reminders, or saved behavior, prefer recurring jobs, resources, or destinations over chat replies.
 - Keep responses concise and operational — messaging platforms have character limits.
 - Use markdown sparingly (bold and lists are fine, avoid complex formatting).

package/dist/server/plugins/integrations.js.map

@@ -1 +1 @@
-{"version":3,"file":"integrations.js","sourceRoot":"","sources":["../../../src/server/plugins/integrations.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EACL,qBAAqB,EACrB,oBAAoB,GACrB,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,MAAM,kCAAkC,GAAG;;;;;;;;;;;;;;;;;;;;;4FAqBiD,CAAC;AAE7F;;;;GAIG;AACH,MAAM,0BAA0B,GAAG,KAAK,EAAE,QAAa,EAAE,EAAE;IACzD,MAAM,EAAE,YAAY,GAAG,EAAE,EAAE,GAAG,iBAAiB,EAAE,CAAC;IAClD,MAAM,cAAc,GAAG,YAAY,CAAC,YAAY,CAAC;IACjD,MAAM,YAAY,GAChB,OAAO,cAAc,KAAK,QAAQ;QAChC,CAAC,CAAC,cAAc;QAChB,CAAC,CAAC,OAAO,cAAc,KAAK,UAAU;YACpC,CAAC,CAAC,cAAc,CAAC,kCAAkC,CAAC;YACpD,CAAC,CAAC,kCAAkC,CAAC;IAE3C,MAAM,MAAM,GAAG,wBAAwB,CAAC;QACtC,KAAK,EAAE,UAAU;QACjB,OAAO,EAAE,eAAe;QACxB,YAAY,EAAE,oBAAoB;QAClC,aAAa,EAAE,qBAAqB;QACpC,YAAY;QACZ,wDAAwD;QACxD,yEAAyE;QACzE,+DAA+D;QAC/D,6EAA6E;KAC9E,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC;AAC1B,CAAC,CAAC;AAEF,eAAe,0BAA0B,CAAC","sourcesContent":["import { createIntegrationsPlugin } from \"@agent-native/core/server\";\nimport {\n  beforeDispatchProcess,\n  resolveDispatchOwner,\n} from \"../lib/dispatch-integrations.js\";\nimport { getDispatchConfig } from \"../index.js\";\nimport { dispatchActions } from \"../../actions/index.js\";\n\nconst DISPATCH_INTEGRATION_SYSTEM_PROMPT = `You are the central dispatch for this workspace, responding via a messaging platform integration (Slack, Telegram, email, etc.).\n\nDefault posture:\n- Treat Slack, Telegram, and email as shared entrypoints into the workspace.\n- Heavily delegate domain work to specialized agents through A2A (call-agent) when another app owns the job. Apps you can delegate to include slides (decks/presentations), analytics (data/dashboards), content (docs/articles), videos (Remotion compositions), forms (form builder), clips (screen recordings), design (visual designs), and images (brand image libraries and generated raster imagery).\n- Use list-connected-agents to see what agents are available before assuming a request must be handled locally.\n- When asked whether workspace apps expose agent cards or A2A endpoints, call list-workspace-apps with includeAgentCards=true. Without that probe, missing agent-card fields mean unchecked, not unavailable.\n- Treat first-party apps such as Mail, Calendar, Analytics, and Dispatch as existing hosted/connected neighbors available through links and A2A/default connected agents. Do not create wrapper apps, child apps, nested routes, or cloned template copies just to give a new app access to them; build only the genuinely new workflow and delegate cross-app work to those existing apps.\n- Keep durable memory and operating instructions in resources rather than ephemeral chat.\n- Reply in the originating thread unless the user explicitly asks you to send to a saved destination.\n\nWhen a user asks for something:\n- If it belongs to analytics, content, slides, videos, images, etc., delegate via call-agent — do not re-implement the domain logic in dispatch.\n- After call-agent returns an answer, RELAY IT DIRECTLY to the user with at most a one-line preface — do not rephrase, summarize, or add commentary. The downstream agent already crafted the answer; your job is delivery, not editing. This minimizes round-trips and keeps the user-visible reply fast.\n- Exception: if the downstream agent reports a missing model/provider credential, do not name exact env vars, Vault keys, tokens, or secrets. Say the target app needs an LLM connection and recommend connecting Builder/managed LLM for that app; keep bring-your-own provider keys as a secondary option only if the user asks.\n- If the user asks to create, build, make, scaffold, or generate an \"agent\" from Dispatch chat or by tagging @agent-native in Slack, email, or Telegram, first classify the ask. If it is a simple Dispatch-native behavior like a reminder, digest, monitor, routing rule, saved instruction, or recurring workflow, create or update the recurring job/resource/destination in Dispatch. If it is a robust unique product or teammate that needs its own UI, data model, actions, integrations, or domain workflow, treat it as a new workspace app and call start-workspace-app-creation.\n- If a new-app prompt asks for access to Mail, Calendar, Analytics, or similar first-party app data/agents, keep using the existing hosted/connected app and A2A path. Do not ask Builder to scaffold those apps as children of the new app unless the user explicitly asks for a customized fork/copy.\n- If the user explicitly asks for a new app or workspace app, call start-workspace-app-creation with their prompt. Do not satisfy a new-app request by adding a route, page, component, or file inside apps/starter or another existing app unless the user explicitly asks to modify that existing app. If the request is too vague to classify, ask one concise follow-up. If the action returns mode \"builder\", reply with the Builder branch URL; Builder is responsible for creating the separate workspace app under apps/<app-id>, mounting it at /<app-id>, ensuring apps/<app-id>/package.json exists so Dispatch discovers it, using relative /<app-id> links instead of hardcoded localhost/dev ports, and preserving APP_BASE_PATH/VITE_APP_BASE_PATH via appBasePath() in the React Router client entry. The new app lives at the workspace root /<app-id>, NOT under /dispatch/<app-id>, /apps/<app-id>, or any other Dispatch tab — when telling the user where to find it, link to /<app-id> only. There is no separate workspace app registry to edit. If it returns mode \"local-agent\", tell the user it is ready for the local code agent and include the returned app path/prompt summary. If it returns mode \"coming-soon\" or \"builder-unavailable\", explain the missing Builder setup and ask them to connect/configure Builder.\n- For digests, reminders, or saved behavior, prefer recurring jobs, resources, or destinations over chat replies.\n- Keep responses concise and operational — messaging platforms have character limits.\n- Use markdown sparingly (bold and lists are fine, avoid complex formatting).\n- If a task requires many steps, summarize what you did rather than streaming every detail.`;\n\n/**\n * Defer plugin construction until the Nitro plugin actually fires so the\n * config-aware system prompt resolves AFTER `setupDispatch(config)` has\n * stamped the active config (plugin module load order is not guaranteed).\n */\nconst dispatchIntegrationsPlugin = async (nitroApp: any) => {\n  const { integrations = {} } = getDispatchConfig();\n  const promptOverride = integrations.systemPrompt;\n  const systemPrompt =\n    typeof promptOverride === \"string\"\n      ? promptOverride\n      : typeof promptOverride === \"function\"\n        ? promptOverride(DISPATCH_INTEGRATION_SYSTEM_PROMPT)\n        : DISPATCH_INTEGRATION_SYSTEM_PROMPT;\n\n  const plugin = createIntegrationsPlugin({\n    appId: \"dispatch\",\n    actions: dispatchActions,\n    resolveOwner: resolveDispatchOwner,\n    beforeProcess: beforeDispatchProcess,\n    systemPrompt,\n    // Inherit the framework default (claude-sonnet-4-6 from\n    // packages/core/src/integrations/plugin.ts). Haiku was tried for latency\n    // but hallucinated URLs/IDs after delegated call-agent results\n    // (e.g. inventing `https://slides.workspace.com/deck/builder-io-deck-2024`).\n  });\n\n  return plugin(nitroApp);\n};\n\nexport default dispatchIntegrationsPlugin;\n"]}
+{"version":3,"file":"integrations.js","sourceRoot":"","sources":["../../../src/server/plugins/integrations.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EACL,qBAAqB,EACrB,oBAAoB,GACrB,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,MAAM,kCAAkC,GAAG;;;;;;;;;;;;;;;;;;;;;4FAqBiD,CAAC;AAE7F;;;;GAIG;AACH,MAAM,0BAA0B,GAAG,KAAK,EAAE,QAAa,EAAE,EAAE;IACzD,MAAM,EAAE,YAAY,GAAG,EAAE,EAAE,GAAG,iBAAiB,EAAE,CAAC;IAClD,MAAM,cAAc,GAAG,YAAY,CAAC,YAAY,CAAC;IACjD,MAAM,YAAY,GAChB,OAAO,cAAc,KAAK,QAAQ;QAChC,CAAC,CAAC,cAAc;QAChB,CAAC,CAAC,OAAO,cAAc,KAAK,UAAU;YACpC,CAAC,CAAC,cAAc,CAAC,kCAAkC,CAAC;YACpD,CAAC,CAAC,kCAAkC,CAAC;IAE3C,MAAM,MAAM,GAAG,wBAAwB,CAAC;QACtC,KAAK,EAAE,UAAU;QACjB,OAAO,EAAE,eAAe;QACxB,YAAY,EAAE,oBAAoB;QAClC,aAAa,EAAE,qBAAqB;QACpC,YAAY;QACZ,wDAAwD;QACxD,yEAAyE;QACzE,+DAA+D;QAC/D,6EAA6E;KAC9E,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC;AAC1B,CAAC,CAAC;AAEF,eAAe,0BAA0B,CAAC","sourcesContent":["import { createIntegrationsPlugin } from \"@agent-native/core/server\";\nimport {\n  beforeDispatchProcess,\n  resolveDispatchOwner,\n} from \"../lib/dispatch-integrations.js\";\nimport { getDispatchConfig } from \"../index.js\";\nimport { dispatchActions } from \"../../actions/index.js\";\n\nconst DISPATCH_INTEGRATION_SYSTEM_PROMPT = `You are the central dispatch for this workspace, responding via a messaging platform integration (Slack, Telegram, email, etc.).\n\nDefault posture:\n- Treat Slack, Telegram, and email as shared entrypoints into the workspace.\n- Heavily delegate domain work to specialized agents through A2A (call-agent) when another app owns the job. Apps you can delegate to include slides (decks/presentations), analytics (data/dashboards), content (docs/articles), videos (Remotion compositions), forms (form builder), clips (screen recordings), design (visual designs), and images (brand image libraries and generated raster imagery).\n- Use the available-apps prompt context first, then list-connected-agents when you need fresh details, to see what agents are available before assuming a request must be handled locally.\n- When asked whether workspace apps expose agent cards or A2A endpoints, call list-workspace-apps with includeAgentCards=true. Without that probe, missing agent-card fields mean unchecked, not unavailable.\n- Treat first-party apps such as Mail, Calendar, Analytics, and Dispatch as existing hosted/connected neighbors available through links and A2A/default connected agents. Do not create wrapper apps, child apps, nested routes, or cloned template copies just to give a new app access to them; build only the genuinely new workflow and delegate cross-app work to those existing apps.\n- Keep durable memory and operating instructions in resources rather than ephemeral chat.\n- Reply in the originating thread unless the user explicitly asks you to send to a saved destination.\n\nWhen a user asks for something:\n- If it belongs to analytics, content, slides, videos, images, etc., delegate via call-agent — do not re-implement the domain logic in dispatch.\n- After call-agent returns an answer, RELAY IT DIRECTLY to the user with at most a one-line preface — do not rephrase, summarize, or add commentary. The downstream agent already crafted the answer; your job is delivery, not editing. This minimizes round-trips and keeps the user-visible reply fast.\n- Exception: if the downstream agent reports a missing model/provider credential, do not name exact env vars, Vault keys, tokens, or secrets. Say the target app needs an LLM connection and recommend connecting Builder/managed LLM for that app; keep bring-your-own provider keys as a secondary option only if the user asks.\n- If the user asks to create, build, make, scaffold, or generate an \"agent\" from Dispatch chat or by tagging @agent-native in Slack, email, or Telegram, first classify the ask. If it is a simple Dispatch-native behavior like a reminder, digest, monitor, routing rule, saved instruction, or recurring workflow, create or update the recurring job/resource/destination in Dispatch. If it is a robust unique product or teammate that needs its own UI, data model, actions, integrations, or domain workflow, treat it as a new workspace app and call start-workspace-app-creation.\n- If a new-app prompt asks for access to Mail, Calendar, Analytics, or similar first-party app data/agents, keep using the existing hosted/connected app and A2A path. Do not ask Builder to scaffold those apps as children of the new app unless the user explicitly asks for a customized fork/copy.\n- If the user explicitly asks for a new app or workspace app, call start-workspace-app-creation with their prompt and include a concise generated description when possible. Do not satisfy a new-app request by adding a route, page, component, or file inside apps/starter or another existing app unless the user explicitly asks to modify that existing app. If the request is too vague to classify, ask one concise follow-up. If the action returns mode \"builder\", reply with the Builder branch URL; Builder is responsible for creating the separate workspace app under apps/<app-id>, mounting it at /<app-id>, ensuring apps/<app-id>/package.json exists with name/displayName and description so Dispatch discovers it, using relative /<app-id> links instead of hardcoded localhost/dev ports, and preserving APP_BASE_PATH/VITE_APP_BASE_PATH via appBasePath() in the React Router client entry. The new app lives at the workspace root /<app-id>, NOT under /dispatch/<app-id>, /apps/<app-id>, or any other Dispatch tab — when telling the user where to find it, link to /<app-id> only. There is no separate workspace app registry to edit. If it returns mode \"local-agent\", tell the user it is ready for the local code agent and include the returned app path/prompt summary. If it returns mode \"coming-soon\" or \"builder-unavailable\", explain the missing Builder setup and ask them to connect/configure Builder.\n- For digests, reminders, or saved behavior, prefer recurring jobs, resources, or destinations over chat replies.\n- Keep responses concise and operational — messaging platforms have character limits.\n- Use markdown sparingly (bold and lists are fine, avoid complex formatting).\n- If a task requires many steps, summarize what you did rather than streaming every detail.`;\n\n/**\n * Defer plugin construction until the Nitro plugin actually fires so the\n * config-aware system prompt resolves AFTER `setupDispatch(config)` has\n * stamped the active config (plugin module load order is not guaranteed).\n */\nconst dispatchIntegrationsPlugin = async (nitroApp: any) => {\n  const { integrations = {} } = getDispatchConfig();\n  const promptOverride = integrations.systemPrompt;\n  const systemPrompt =\n    typeof promptOverride === \"string\"\n      ? promptOverride\n      : typeof promptOverride === \"function\"\n        ? promptOverride(DISPATCH_INTEGRATION_SYSTEM_PROMPT)\n        : DISPATCH_INTEGRATION_SYSTEM_PROMPT;\n\n  const plugin = createIntegrationsPlugin({\n    appId: \"dispatch\",\n    actions: dispatchActions,\n    resolveOwner: resolveDispatchOwner,\n    beforeProcess: beforeDispatchProcess,\n    systemPrompt,\n    // Inherit the framework default (claude-sonnet-4-6 from\n    // packages/core/src/integrations/plugin.ts). Haiku was tried for latency\n    // but hallucinated URLs/IDs after delegated call-agent results\n    // (e.g. inventing `https://slides.workspace.com/deck/builder-io-deck-2024`).\n  });\n\n  return plugin(nitroApp);\n};\n\nexport default dispatchIntegrationsPlugin;\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agent-native/dispatch",
-  "version": "0.6.1",
+  "version": "0.7.0",
   "type": "module",
   "description": "Dispatch — workspace control plane for agent-native apps. Vault, integrations, destinations, scheduled jobs, and cross-app delegation, shipped as a single drop-in package.",
   "license": "MIT",
@@ -31,6 +31,14 @@
     "dist",
     "src"
   ],
+  "scripts": {
+    "build": "tsc && tsc-alias --resolve-full-paths",
+    "dev": "tsc --watch & tsc-alias --watch --resolve-full-paths",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest --run src --passWithNoTests",
+    "prepack": "cp ../../README.md ./README.md",
+    "prepublishOnly": "npm run build"
+  },
   "peerDependencies": {
     "@agent-native/core": ">=0.8.0",
     "react": ">=18",
@@ -85,6 +93,7 @@
     "zod": "^4.3.6"
   },
   "devDependencies": {
+    "@agent-native/core": "workspace:*",
     "@react-router/dev": "^7.13.1",
     "@types/node": "^24.2.1",
     "@types/react": "^19.2.14",
@@ -94,14 +103,7 @@
     "react-router": "^7.13.1",
     "tsc-alias": "^1.8.10",
     "typescript": "^6.0.3",
-    "vite": "8.0.3",
-    "vitest": "^4.1.5",
-    "@agent-native/core": "0.14.2"
-  },
-  "scripts": {
-    "build": "tsc && tsc-alias --resolve-full-paths",
-    "dev": "tsc --watch & tsc-alias --watch --resolve-full-paths",
-    "typecheck": "tsc --noEmit",
-    "test": "vitest --run src --passWithNoTests"
+    "vite": "catalog:",
+    "vitest": "^4.1.5"
   }
-}
+}

package/src/actions/create-pylon-ticket.ts

@@ -0,0 +1,109 @@
+import { defineAction } from "@agent-native/core";
+import { z } from "zod";
+import { recordAudit } from "../server/lib/dispatch-store.js";
+
+const PYLON_API_BASE =
+  process.env.PYLON_API_BASE_URL || "https://api.usepylon.com";
+
+export default defineAction({
+  description:
+    "Create a Pylon ticket. Use to escalate blockers from client meetings, route unmatched #customer-* posts that have no Slack channel, or open a follow-up that needs tracking. Requires PYLON_API_KEY in the Vault.",
+  schema: z.object({
+    title: z.string().min(1).describe("Short ticket title"),
+    bodyHtml: z
+      .string()
+      .min(1)
+      .describe("HTML body — Pylon renders this in the ticket"),
+    requesterEmail: z
+      .string()
+      .email()
+      .optional()
+      .describe("Email of the person the ticket is on behalf of"),
+    requesterName: z.string().optional(),
+    accountId: z
+      .string()
+      .optional()
+      .describe(
+        "Pylon account ID — provide either this OR requesterEmail to identify the subject",
+      ),
+    priority: z.enum(["urgent", "high", "medium", "low"]).optional(),
+    tags: z.array(z.string()).optional(),
+    assigneeId: z.string().optional(),
+    teamId: z.string().optional(),
+  }),
+  run: async (input) => {
+    const apiKey = process.env.PYLON_API_KEY;
+    if (!apiKey) {
+      throw new Error(
+        "PYLON_API_KEY is not set. Add it to the Dispatch Vault.",
+      );
+    }
+    if (!input.accountId && !input.requesterEmail) {
+      throw new Error(
+        "Pylon requires either accountId or requesterEmail to identify the ticket subject.",
+      );
+    }
+
+    const payload: Record<string, unknown> = {
+      title: input.title,
+      body_html: input.bodyHtml,
+    };
+    if (input.accountId) payload.account_id = input.accountId;
+    if (input.requesterEmail) payload.requester_email = input.requesterEmail;
+    if (input.requesterName) payload.requester_name = input.requesterName;
+    if (input.priority) payload.priority = input.priority;
+    if (input.tags?.length) payload.tags = input.tags;
+    if (input.assigneeId) payload.assignee_id = input.assigneeId;
+    if (input.teamId) payload.team_id = input.teamId;
+
+    const res = await fetch(`${PYLON_API_BASE}/issues`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${apiKey}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify(payload),
+    });
+
+    if (!res.ok) {
+      const text = await res.text().catch(() => "");
+      throw new Error(
+        `Pylon ticket creation failed (HTTP ${res.status})${text ? `: ${text.slice(0, 500)}` : ""}`,
+      );
+    }
+
+    const data = (await res.json().catch(() => null)) as Record<
+      string,
+      unknown
+    > | null;
+    const issue =
+      data && typeof data === "object" && "issue" in data
+        ? ((data as { issue?: Record<string, unknown> }).issue ?? {})
+        : (data ?? {});
+    const ticketId =
+      issue && typeof (issue as { id?: unknown }).id === "string"
+        ? (issue as { id: string }).id
+        : "";
+
+    await recordAudit({
+      action: "pylon.ticket.created",
+      targetType: "pylon-ticket",
+      targetId: ticketId || null,
+      summary: `Created Pylon ticket: ${input.title}`,
+      metadata: {
+        title: input.title,
+        priority: input.priority,
+        tags: input.tags,
+        accountId: input.accountId,
+        requesterEmail: input.requesterEmail,
+        ticketId,
+      },
+    });
+
+    return {
+      ok: true as const,
+      ticketId,
+      ticket: issue,
+    };
+  },
+});

package/src/actions/create-vault-grant.ts

@@ -4,7 +4,7 @@ import { createGrant } from "../server/lib/vault-store.js";
 
 export default defineAction({
   description:
-    "Grant an app access to a vault secret. The secret can then be synced to the app. Admin only.",
+    "Grant an app access to a vault secret in manual vault access mode. Admin only.",
   schema: z.object({
     secretId: z.string().describe("ID of the secret to grant"),
     appId: z

package/src/actions/create-vault-secret.ts

@@ -4,13 +4,14 @@ import { createSecret } from "../server/lib/vault-store.js";
 
 export default defineAction({
   description:
-    "Store a new secret in the workspace vault. Admin only. The secret can then be granted to specific apps.",
+    "Store a secret in the workspace vault. Admin only. Existing credential keys are updated. By default, saved vault keys are available to every workspace app; manual mode uses per-app grants.",
   schema: z.object({
     credentialKey: z
       .string()
+      .min(1)
       .describe("Environment variable name, e.g. GOOGLE_CLIENT_ID"),
-    value: z.string().describe("The secret value"),
-    name: z.string().describe("Human-readable label for this secret"),
+    value: z.string().min(1).describe("The secret value"),
+    name: z.string().min(1).describe("Human-readable label for this secret"),
     provider: z
       .string()
       .optional()

package/src/actions/get-vault-access-settings.ts

@@ -0,0 +1,11 @@
+import { defineAction } from "@agent-native/core";
+import { z } from "zod";
+import { getVaultAccessSettings } from "../server/lib/vault-store.js";
+
+export default defineAction({
+  description:
+    "Get the Dispatch vault access mode. Defaults to all-apps, where every workspace app can use every vault key.",
+  schema: z.object({}),
+  http: { method: "GET" },
+  run: async () => getVaultAccessSettings(),
+});

package/src/actions/grant-vault-secrets-to-app.ts

@@ -4,7 +4,7 @@ import { grantSecretsToApp } from "../server/lib/vault-store.js";
 
 export default defineAction({
   description:
-    "Grant multiple Dispatch vault secrets to a workspace app. Existing active grants are skipped.",
+    "Grant multiple Dispatch vault secrets to a workspace app in manual vault access mode. Existing active grants are skipped.",
   http: { method: "POST" },
   schema: z.object({
     appId: z