@agent-vm/gateway-interface 0.0.90 → 0.0.92

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/index.d.ts +42 -3
  2. package/dist/index.d.ts.map +1 -1
  3. package/dist/index.js +24 -1
  4. package/dist/index.js.map +1 -1
  5. package/package.json +3 -3
package/dist/index.d.ts CHANGED
@@ -191,7 +191,7 @@ declare const controllerRequestPolicies: {
191
191
  };
192
192
  //#endregion
193
193
  //#region src/health/agent-vm-health.d.ts
194
- declare const agentVmHealthEventKinds: readonly ["gateway-service-health", "gateway-control-link", "controller-request", "lease-renew", "lease-heartbeat", "tool-vm-ssh", "gateway-plugin-health"];
194
+ declare const agentVmHealthEventKinds: readonly ["gateway-service-health", "gateway-control-link", "controller-request", "lease-renew", "lease-heartbeat", "tool-vm-ssh", "gateway-plugin-health", "gateway-recovery", "gateway-recovery-suspended"];
195
195
  type AgentVmHealthEventKind = (typeof agentVmHealthEventKinds)[number];
196
196
  declare const agentVmHealthResultKinds: readonly ["ok", "failed", "timeout", "stale"];
197
197
  type AgentVmHealthResultKind = (typeof agentVmHealthResultKinds)[number];
@@ -201,6 +201,7 @@ interface AgentVmHealthEventBase {
201
201
  readonly zoneId: string;
202
202
  }
203
203
  type ToolVmSshHealthOperation = 'command' | 'file-bridge' | 'finalize' | 'probe';
204
+ type GatewayRecoveryHealthReason = 'gateway-control-link-unhealthy' | 'gateway-service-unhealthy';
204
205
  declare const gatewayControlLinkHealthPins: {
205
206
  readonly controllerHost: "controller.vm.host";
206
207
  readonly controllerPort: 18800;
@@ -251,10 +252,48 @@ type AgentVmHealthEvent = (AgentVmHealthEventBase & {
251
252
  readonly gatewayService: GatewayType;
252
253
  readonly kind: 'gateway-plugin-health';
253
254
  readonly state: 'starting' | 'ready' | 'stopping' | 'failed';
255
+ }) | (AgentVmHealthEventBase & {
256
+ readonly action: 'gateway-vm-restart';
257
+ readonly consecutiveFailures: number;
258
+ readonly cooldownMs: number;
259
+ readonly elapsedMs: number;
260
+ readonly kind: 'gateway-recovery';
261
+ readonly leaseReleaseFailureCount: number;
262
+ readonly newBootedAt: string;
263
+ readonly newHostPid: number;
264
+ readonly newVmId: string;
265
+ readonly oldBootedAt: string;
266
+ readonly oldHostPid: number;
267
+ readonly oldVmId: string;
268
+ readonly reason: GatewayRecoveryHealthReason;
269
+ readonly result: 'ok';
270
+ }) | (AgentVmHealthEventBase & {
271
+ readonly action: 'gateway-vm-restart';
272
+ readonly consecutiveFailures: number;
273
+ readonly cooldownMs: number;
274
+ readonly elapsedMs: number;
275
+ readonly errorCode: string;
276
+ readonly kind: 'gateway-recovery';
277
+ readonly leaseReleaseFailureCount?: number | undefined;
278
+ readonly oldBootedAt?: string | undefined;
279
+ readonly oldHostPid?: number | undefined;
280
+ readonly oldVmId?: string | undefined;
281
+ readonly reason: GatewayRecoveryHealthReason;
282
+ readonly result: 'failed';
283
+ }) | (AgentVmHealthEventBase & {
284
+ readonly action: 'gateway-vm-restart';
285
+ readonly consecutiveFailedRecoveries: number;
286
+ readonly consecutiveFailures: number;
287
+ readonly cooldownMs: number;
288
+ readonly errorCode: 'max-failed-recoveries';
289
+ readonly failedRecoveryResetMs: number;
290
+ readonly kind: 'gateway-recovery-suspended';
291
+ readonly reason: GatewayRecoveryHealthReason;
292
+ readonly result: 'failed';
254
293
  });
255
294
  declare const zoneHealthStateKinds: readonly ["unknown", "ok", "stale", "failed"];
256
295
  type ZoneHealthStateKind = (typeof zoneHealthStateKinds)[number];
257
- declare const zoneHealthIssueKinds: readonly ["gateway-service-unhealthy", "gateway-control-link-unhealthy", "controller-request-failing", "lease-heartbeat-failing", "lease-renew-failing", "tool-vm-ssh-failing", "gateway-plugin-unhealthy", "health-event-stale"];
296
+ declare const zoneHealthIssueKinds: readonly ["gateway-service-unhealthy", "gateway-control-link-unhealthy", "controller-request-failing", "lease-heartbeat-failing", "lease-renew-failing", "tool-vm-ssh-failing", "gateway-plugin-unhealthy", "gateway-recovery-failed", "gateway-recovery-suspended", "health-event-stale"];
258
297
  type ZoneHealthIssueKind = (typeof zoneHealthIssueKinds)[number];
259
298
  interface ZoneHealthIssue {
260
299
  readonly kind: ZoneHealthIssueKind;
@@ -804,5 +843,5 @@ interface ToolVmLeasePeek extends VmCapabilityLease<'ssh-sandbox'> {
804
843
  declare function isToolVmSshLease(value: unknown): value is ToolVmSshLease;
805
844
  declare function isToolVmLeasePeek(value: unknown): value is ToolVmLeasePeek;
806
845
  //#endregion
807
- export { type AgentVmHealthEvent, type AgentVmHealthEventBase, type AgentVmHealthEventKind, type AgentVmHealthResultKind, type BuildGatewayVmSpecOptions, type ControllerRequestPolicy, type ControllerRequestPolicyOperation, ControllerRequestPolicyTransportError, type ControllerRequestPolicyTransportErrorCode, type CreateToolVmActiveUseHandleOptions, type DeriveZoneHealthSnapshotOptions, type EgressHostConfig, type EndToolVmActiveUseRequest, type EnvInjectedGatewaySecretConfig, type ExternalControllerRoute, FORCE_IPV4_EGRESS_NODE_OPTIONS, type FetchControllerWithPolicyOptions, type GatewayAuthConfig, type GatewayHealthCheck, type GatewayIngressConfig, type GatewayInternalControllerRequestOperation, type GatewayLifecycle, type GatewayProcessSpec, type GatewaySecretConfig, type GatewayType, type GatewayVmSpec, type GatewayZoneAgentConfig, type GatewayZoneConfig, type GatewayZoneMcpPortalConfig, type GenericControllerRequestEventOperation, type HeartbeatToolVmActiveUseRequest, type HeartbeatToolVmActiveUseResponse, type HttpMediatedGatewaySecretConfig, OPENCLAW_STATE_SANDBOXES_VM_ROOT, OPENCLAW_STATE_VM_ROOT, type RuntimePathBacking, type RuntimePathCapabilities, type RuntimePathGuidanceVisibility, type RuntimePathLocations, type RuntimePathMapping, type RuntimePathNamespace, type RuntimePathPurpose, type RuntimePathRootMapping, type RuntimePathTranslation, type RuntimePathTranslationError, type RuntimePathTranslationErrorCode, type RuntimeVmAudience, type SecretInjectionConfig, type SplitResolvedGatewaySecretsResult, type SplitResolvedSecretsResult, type StartToolVmActiveUseRequest, type StartToolVmActiveUseResponse, TOOL_VM_SCRATCH_GUEST_ROOT, TOOL_VM_WORKSPACE_GUEST_ROOT, type ToolVmActiveUseCorrelation, type ToolVmActiveUseHandle, type ToolVmActiveUseOperationReport, type ToolVmActiveUseOutcome, type ToolVmLeaseId, type ToolVmLeasePeek, type ToolVmSshFailureKind, type ToolVmSshFailureReport, type ToolVmSshHealthOperation, type ToolVmSshLease, type ToolVmSshOperationPhase, type ToolVmSshOperationReport, type TranslateRuntimePathInput, type TranslateRuntimePathResult, type VmAudience, type VmCapabilityLease, type VmSshEndpoint, type VmSshLease, type VmSshPublicEndpoint, type WorkerInternalControllerRequestOperation, type ZoneHealthIssue, type ZoneHealthIssueKind, type ZoneHealthSnapshot, type ZoneHealthStateKind, agentVmHealthEventKinds, agentVmHealthResultKinds, buildGatewaySessionLabel, buildToolSessionLabel, composeNodeOptions, controllerRequestPolicies, controllerVmHost, createToolVmActiveUseHandle, createToolVmActiveUseId, createToolVmLeaseId, deriveZoneHealthSnapshot, drainControllerResponseBody, egressHostsForAudience, externalControllerRoutes, fetchControllerWithPolicy, gatewayControlLinkHealthPins, gatewayInternalControllerRequestOperations, gatewayTypeValues, gatewayVmAllowedHosts, genericControllerRequestEventOperations, healthEventBucketKey, isAgentVmHealthEvent, isToolVmActiveUseId, isToolVmLeaseId, isToolVmLeasePeek, isToolVmSshLease, isVmCapabilityLease, isVmSshEndpoint, isVmSshPublicEndpoint, mergeRuntimeGatewaySecrets, parseToolVmLeaseId, splitResolvedGatewaySecrets, splitResolvedSecretsByInjection, targetsAudience, translateRuntimePath, vmAudienceValues, workerInternalControllerRequestOperations, zoneHealthIssueKinds, zoneHealthStateKinds };
846
+ export { type AgentVmHealthEvent, type AgentVmHealthEventBase, type AgentVmHealthEventKind, type AgentVmHealthResultKind, type BuildGatewayVmSpecOptions, type ControllerRequestPolicy, type ControllerRequestPolicyOperation, ControllerRequestPolicyTransportError, type ControllerRequestPolicyTransportErrorCode, type CreateToolVmActiveUseHandleOptions, type DeriveZoneHealthSnapshotOptions, type EgressHostConfig, type EndToolVmActiveUseRequest, type EnvInjectedGatewaySecretConfig, type ExternalControllerRoute, FORCE_IPV4_EGRESS_NODE_OPTIONS, type FetchControllerWithPolicyOptions, type GatewayAuthConfig, type GatewayHealthCheck, type GatewayIngressConfig, type GatewayInternalControllerRequestOperation, type GatewayLifecycle, type GatewayProcessSpec, type GatewayRecoveryHealthReason, type GatewaySecretConfig, type GatewayType, type GatewayVmSpec, type GatewayZoneAgentConfig, type GatewayZoneConfig, type GatewayZoneMcpPortalConfig, type GenericControllerRequestEventOperation, type HeartbeatToolVmActiveUseRequest, type HeartbeatToolVmActiveUseResponse, type HttpMediatedGatewaySecretConfig, OPENCLAW_STATE_SANDBOXES_VM_ROOT, OPENCLAW_STATE_VM_ROOT, type RuntimePathBacking, type RuntimePathCapabilities, type RuntimePathGuidanceVisibility, type RuntimePathLocations, type RuntimePathMapping, type RuntimePathNamespace, type RuntimePathPurpose, type RuntimePathRootMapping, type RuntimePathTranslation, type RuntimePathTranslationError, type RuntimePathTranslationErrorCode, type RuntimeVmAudience, type SecretInjectionConfig, type SplitResolvedGatewaySecretsResult, type SplitResolvedSecretsResult, type StartToolVmActiveUseRequest, type StartToolVmActiveUseResponse, TOOL_VM_SCRATCH_GUEST_ROOT, TOOL_VM_WORKSPACE_GUEST_ROOT, type ToolVmActiveUseCorrelation, type ToolVmActiveUseHandle, type ToolVmActiveUseOperationReport, type ToolVmActiveUseOutcome, type ToolVmLeaseId, type ToolVmLeasePeek, type ToolVmSshFailureKind, type ToolVmSshFailureReport, type ToolVmSshHealthOperation, type ToolVmSshLease, type ToolVmSshOperationPhase, type ToolVmSshOperationReport, type TranslateRuntimePathInput, type TranslateRuntimePathResult, type VmAudience, type VmCapabilityLease, type VmSshEndpoint, type VmSshLease, type VmSshPublicEndpoint, type WorkerInternalControllerRequestOperation, type ZoneHealthIssue, type ZoneHealthIssueKind, type ZoneHealthSnapshot, type ZoneHealthStateKind, agentVmHealthEventKinds, agentVmHealthResultKinds, buildGatewaySessionLabel, buildToolSessionLabel, composeNodeOptions, controllerRequestPolicies, controllerVmHost, createToolVmActiveUseHandle, createToolVmActiveUseId, createToolVmLeaseId, deriveZoneHealthSnapshot, drainControllerResponseBody, egressHostsForAudience, externalControllerRoutes, fetchControllerWithPolicy, gatewayControlLinkHealthPins, gatewayInternalControllerRequestOperations, gatewayTypeValues, gatewayVmAllowedHosts, genericControllerRequestEventOperations, healthEventBucketKey, isAgentVmHealthEvent, isToolVmActiveUseId, isToolVmLeaseId, isToolVmLeasePeek, isToolVmSshLease, isVmCapabilityLease, isVmSshEndpoint, isVmSshPublicEndpoint, mergeRuntimeGatewaySecrets, parseToolVmLeaseId, splitResolvedGatewaySecrets, splitResolvedSecretsByInjection, targetsAudience, translateRuntimePath, vmAudienceValues, workerInternalControllerRequestOperations, zoneHealthIssueKinds, zoneHealthStateKinds };
808
847
  //# sourceMappingURL=index.d.ts.map
package/dist/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","names":[],"sources":["../src/gateway-runtime-contract.ts","../src/audience.ts","../src/health/controller-request-policy.ts","../src/health/agent-vm-health.ts","../src/force-ipv4-egress.ts","../src/gateway-process-spec.ts","../src/gateway-vm-spec.ts","../src/gateway-lifecycle.ts","../src/split-resolved-gateway-secrets.ts","../src/tool-vm-active-use.ts","../src/runtime-paths/runtime-path-mapping.ts","../src/tool-vm-lease-id.ts","../src/vm-capability-lease.ts","../src/tool-vm-lease.ts"],"mappings":";;;;cAAa,iBAAA;AAAA,KAED,WAAA,WAAsB,iBAAA;AAAA,iBAElB,wBAAA,CAAyB,gBAAA,UAA0B,MAAA;AAAA,iBAInD,qBAAA,CACf,gBAAA,UACA,MAAA,UACA,OAAA;;;cCXY,gBAAA;AAAA,KAED,UAAA,WAAqB,gBAAA;AAAA,KACrB,iBAAA,GAAoB,OAAA,CAAQ,UAAA;AAAA,UAEvB,gBAAA;EAAA,SACP,IAAA;EAAA,SACA,QAAA,EAAU,UAAA;AAAA;AAAA,cAGP,gBAAA;AAAA,iBAEG,eAAA,CACf,cAAA,EAAgB,UAAA,EAChB,eAAA,EAAiB,iBAAA;AAAA,iBAKF,sBAAA,CACf,WAAA,WAAsB,gBAAA,IACtB,eAAA,EAAiB,iBAAA;AAAA,iBAOF,qBAAA,CAAsB,WAAA,WAAsB,gBAAA;;;cC5B/C,0CAAA;AAAA,KAgBD,yCAAA,WACH,0CAAA;AAAA,cAEI,yCAAA;AAAA,KAKD,wCAAA,WACH,yCAAA;AAAA,KAEG,gCAAA,GACT,yCAAA,GACA,wCAAA;AAAA,cAEU,+CAAA;AAAA,KAKD,8CAAA,WACH,+CAAA;AAAA,KAEG,sCAAA,GAAyC,OAAA,CACpD,gCAAA,EACA,8CAAA;AAAA,cAaY,uCAAA,EAAuC,sCAAA;AAAA,cAKvC,wBAAA;AAAA,KAiBD,uBAAA,WAAkC,wBAAA;AAAA,KAElC,kCAAA;AAAA,UAEF,2BAAA;EAAA,SACA,WAAA,EAAa,kCAAA;EAAA,SACb,SAAA;AAAA;AAAA,KAGE,uBAAA,IACR,2BAAA;EAAA,SACQ,WAAA;EAAA,SACA,gBAAA;EAAA,SACA,YAAA;EAAA,SACA,aAAA;AAAA,MAER,2BAAA;EAAA,SACQ,WAAA;EAAA,SACA,gBAAA;EAAA,SACA,YAAA;EAAA,SACA,aAAA;AAAA;AAAA,KAGA,yCAAA;AAAA,cAIC,qCAAA,SAA8C,KAAA;EAAA,SACjD,IAAA,EAAM,yCAAA;EAAA,SACN,SAAA,EAAW,gCAAA;cAER,OAAA;IAAA,SACF,KAAA;IAAA,SACA,IAAA,EAAM,yCAAA;IAAA,SACN,SAAA,EAAW,gCAAA;EAAA;AAAA;AAAA,UAYL,gCAAA;EAAA,SACP,SAAA,IAAa,KAAA,WAAgB,GAAA,GAAM,OAAA,EAAS,IAAA,GAAO,WAAA,KAAgB,OAAA,CAAQ,QAAA;EAAA,SAC3E,IAAA,GAAO,WAAA;EAAA,SACP,KAAA,WAAgB,GAAA,GAAM,OAAA;EAAA,SACtB,SAAA,EAAW,gCAAA;EAAA,SACX,MAAA,GAAS,uBAAA;AAAA;AAAA,iBAyBG,2BAAA,CAA4B,QAAA,EAAU,QAAA,GAAW,OAAA;AAAA,iBAoDjD,yBAAA,CACrB,OAAA,EAAS,gCAAA,GACP,OAAA,CAAQ,QAAA;AAAA,cAyCE,yBAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cCjPA,uBAAA;AAAA,KAUD,sBAAA,WAAiC,uBAAA;AAAA,cAEhC,wBAAA;AAAA,KAED,uBAAA,WAAkC,wBAAA;AAAA,UAE7B,sBAAA;EAAA,SACP,YAAA;EAAA,SACA,MAAA,EAAQ,uBAAA;EAAA,SACR,MAAA;AAAA;AAAA,KAGE,wBAAA;AAAA,cAEC,4BAAA;EAAA;;;;;KAOD,kBAAA,IACR,sBAAA;EAAA,SACQ,IAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;EAAA,SACA,UAAA;AAAA,MAER,sBAAA;EAAA,SACQ,cAAA,SAAuB,4BAAA,CAA6B,cAAA;EAAA,SACpD,cAAA,SAAuB,4BAAA,CAA6B,cAAA;EAAA,SACpD,SAAA;EAAA,SACA,IAAA;EAAA,SACA,SAAA,SAAkB,4BAAA,CAA6B,SAAA;EAAA,SAC/C,IAAA,SAAa,4BAAA,CAA6B,IAAA;AAAA,MAElD,sBAAA;EAAA,SACQ,OAAA;EAAA,SACA,SAAA;EAAA,SACA,SAAA;EAAA,SACA,IAAA;EAAA,SACA,WAAA;EAAA,SACA,SAAA,EAAW,sCAAA;EAAA,SACX,UAAA;AAAA,MAER,sBAAA;EAAA,SACQ,OAAA;EAAA,SACA,SAAA;EAAA,SACA,SAAA;EAAA,SACA,IAAA;EAAA,SACA,OAAA;AAAA,MAER,sBAAA;EAAA,SACQ,OAAA;EAAA,SACA,SAAA;EAAA,SACA,SAAA;EAAA,SACA,IAAA;EAAA,SACA,OAAA;EAAA,SACA,KAAA;AAAA,MAER,sBAAA;EAAA,SACQ,OAAA;EAAA,SACA,SAAA;EAAA,SACA,SAAA;EAAA,SACA,IAAA;EAAA,SACA,OAAA;EAAA,SACA,SAAA,EAAW,wBAAA;AAAA,MAEnB,sBAAA;EAAA,SACQ,cAAA,EAAgB,WAAA;EAAA,SAChB,IAAA;EAAA,SACA,KAAA;AAAA;AAAA,cAGC,oBAAA;AAAA,KAED,mBAAA,WAA8B,oBAAA;AAAA,cAE7B,oBAAA;AAAA,KAWD,mBAAA,WAA8B,oBAAA;AAAA,UAEzB,eAAA;EAAA,SACP,IAAA,EAAM,mBAAA;EAAA,SACN,WAAA,EAAa,kBAAA;EAAA,SACb,OAAA;EAAA,SACA,OAAA;AAAA;AAAA,KAGE,kBAAA;EAAA,SAEA,IAAA;EAAA,SACA,MAAA;EAAA,SACA,MAAA;AAAA;EAAA,SAGA,IAAA;EAAA,SACA,YAAA,WAAuB,kBAAA;EAAA,SACvB,MAAA;AAAA;EAAA,SAGA,MAAA,WAAiB,eAAA;EAAA,SACjB,IAAA;EAAA,SACA,YAAA,WAAuB,kBAAA;EAAA,SACvB,MAAA;AAAA;AAAA,UAGK,+BAAA;EAAA,SACP,KAAA;EAAA,SACA,YAAA;EAAA,SACA,MAAA;AAAA;AAAA,iBAmCM,oBAAA,CAAqB,KAAA,YAAiB,KAAA,IAAS,kBAAA;AAAA,iBA8D/C,oBAAA,CAAqB,KAAA,EAAO,kBAAA;AAAA,iBAmE5B,wBAAA,CACf,MAAA,WAAiB,kBAAA,IACjB,OAAA,EAAS,+BAAA,GACP,kBAAA;;;;;;;AH9SH;;;;;AAEA;;;;;AAEA;;;;;AAIA;;;;;;;;;;;;ACRA;;;;cGmCa,8BAAA;AHjCb;;;;;AACA;;;;;AAEA;;;;;;;;;AAKA;;;;;AAEA;;;;;AAVA,iBGmEgB,kBAAA,CAAmB,SAAA;;;KCrEvB,kBAAA;EAAA,SACE,IAAA;EAAA,SAAuB,IAAA;EAAA,SAAuB,IAAA;AAAA;EAAA,SAC9C,IAAA;EAAA,SAA0B,OAAA;AAAA;;ALAxC;;;UKMiB,kBAAA;EAAA,SACP,gBAAA;EAAA,SACA,YAAA;EAAA,SACA,WAAA,EAAa,kBAAA;EAAA,SACb,eAAA;EAAA,SACA,OAAA;AAAA;;;;;ALbV;;UMOiB,aAAA;EAAA,SACP,WAAA,EAAa,MAAA;EAAA,SACb,SAAA,EAAW,MAAA,SAAe,YAAA;EAAA,SAC1B,eAAA,EAAiB,MAAA,SAAe,kBAAA;EAAA,SAChC,QAAA,EAAU,MAAA;EAAA,SACV,YAAA;EAAA,SACA,UAAA;EAAA,SACA,iBAAA;EAAA,SACA,YAAA;AAAA;;;;;;;UCJO,iBAAA;EPTM;;;;EAAA,SOcb,oBAAA;EPZ8B;;;;EAAA,SOkB9B,iBAAA,GACR,QAAA,UACA,OAAA;IAAA,SACU,UAAA;IAAA,SACA,OAAA;IAAA,SACA,UAAA;EAAA;AAAA;AAAA,UAKF,sBAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,iCAAA,SAA0C,sBAAA;EAAA,SAC1C,MAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGA,iCAAA,SAA0C,sBAAA;EAAA,SAC1C,MAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,4BAAA,SAAqC,sBAAA;EAAA,SACrC,MAAA;EAAA,SACA,KAAA;AAAA;AAAA,KAGE,uBAAA;AAAA,UAEK,gBAAA;EAAA,SACP,SAAA,EAAW,uBAAA;AAAA;AAAA,UAGJ,oBAAA;EAAA,SACP,uBAAA;EAAA,SACA,yBAAA;AAAA;AAAA,UAGO,gCAAA;EAAA,SACP,IAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,4BAAA;EAAA,SACA,IAAA,EAAM,WAAA;EAAA,SACN,MAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;EAAA,SACA,OAAA,GAAU,oBAAA;EAAA,SACV,MAAA;EAAA,SACA,QAAA;EAAA,SACA,iBAAA;EAAA,SACA,GAAA,EAAK,gBAAA;EAAA,SACL,eAAA,GACN,4BAAA,GACA,iCAAA,GACA,iCAAA;AAAA;AAAA,UAIM,gCAAA,SAAyC,4BAAA;EAAA,SACzC,IAAA;EAAA,SACA,WAAA,EAAa,gCAAA;EAAA,SACb,YAAA;EAAA,SACA,mBAAA,GAAsB,QAAA,CAC9B,MAAA,SAEG,4BAAA,GACA,iCAAA,GACA,iCAAA;EAAA,SAGK,aAAA;AAAA;AAAA,UAGA,8BAAA,SAAuC,4BAAA;EAAA,SACvC,IAAA;AAAA;AAAA,KAGL,wBAAA,GAA2B,gCAAA,GAAmC,8BAAA;AAAA,UAEzD,6BAAA;EAAA,SACA,MAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGA,6BAAA;EAAA,SACA,MAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,wBAAA;EAAA,SACA,MAAA;EAAA,SACA,KAAA;AAAA;AAAA,KAGL,kBAAA,GACF,6BAAA,GACA,6BAAA,GACA,wBAAA;AAAA,KAES,8BAAA,GAAiC,kBAAA;EAAA,SACnC,QAAA;EAAA,SACA,SAAA;AAAA;AAAA,KAGE,+BAAA,GAAkC,kBAAA;EAAA,SACpC,QAAA,EAAU,UAAA;EAAA,SACV,SAAA;EAAA,SACA,KAAA;AAAA;AAAA,KAGE,mBAAA,GAAsB,8BAAA,GAAiC,+BAAA;ALrHnE;;;;AAAA,UK2HiB,iBAAA;EAAA,SACP,EAAA;EAAA,SACA,MAAA,YAAkB,sBAAA;EAAA,SAClB,OAAA,EAAS,wBAAA;EAAA,SACT,SAAA,GAAY,0BAAA;EAAA,SACZ,iBAAA,GAAoB,QAAA,CAAS,MAAA,SAAe,0BAAA;EAAA,SAC5C,sBAAA,GAAyB,QAAA,CAAS,MAAA,SAAe,kBAAA;EAAA,SACjD,kBAAA,GAAqB,QAAA,CAAS,MAAA;EAAA,SAC9B,oBAAA,GAAuB,QAAA,CAAS,MAAA,SAAe,QAAA,CAAS,MAAA;EAAA,SACxD,OAAA,EAAS,QAAA,CAAS,MAAA,SAAe,mBAAA;EAAA,SACjC,WAAA,WAAsB,gBAAA;EAAA,SACtB,eAAA;EAAA,SACA,oBAAA;AAAA;AAAA,UAGO,sBAAA;EAAA,SACP,EAAA;EAAA,SACA,aAAA;AAAA;AAAA,UAGO,0BAAA;EAAA,SACP,SAAA;AAAA;AAAA,UAGO,0BAAA;EAAA,SACP,OAAA,GAAU,QAAA,CAAS,MAAA;EAAA,SACnB,SAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGO,yBAAA;EAAA,SACP,cAAA;EAAA,SACA,eAAA;EAAA,SACA,gBAAA;EAAA,SACA,eAAA,EAAiB,MAAA;EAAA,SACjB,UAAA;EAAA,SACA,OAAA;IAAA,SACC,QAAA;IAAA,SACA,IAAA;EAAA;EAAA,SAED,IAAA,EAAM,iBAAA;AAAA;AAAA,UAGC,gBAAA;EL9HJ;;;;EAAA,SKmIH,UAAA,GAAa,iBAAA;ELlHX;;;;EKwHX,WAAA,CAAY,OAAA,EAAS,yBAAA,GAA4B,aAAA;ELtHtC;;;;EK4HX,gBAAA,CACC,IAAA,EAAM,iBAAA,EACN,eAAA,EAAiB,MAAA,mBACf,kBAAA;EL7HM;;;;EKmIT,gBAAA,EAAkB,IAAA,EAAM,iBAAA,EAAmB,cAAA,EAAgB,cAAA,GAAiB,OAAA;AAAA;;;UC9M5D,0BAAA;EAAA,SACP,kBAAA,EAAoB,MAAA;EAAA,SACpB,eAAA,EAAiB,MAAA,SAAe,kBAAA;AAAA;AAAA,UAGzB,iCAAA;EAAA,SACP,SAAA;EAAA,SACA,kBAAA,GAAqB,QAAA,CAAS,MAAA;EAAA,SAC9B,sBAAA,GAAyB,QAAA,CAAS,MAAA,SAAe,kBAAA;AAAA;AAAA,KAG/C,qBAAA,GAAwB,mBAAA;AAAA,UAEnB,2BAAA;EAAA,SACP,QAAA,EAAU,iBAAA;EAAA,SACV,SAAA;AAAA;AAAA,iBAGM,+BAAA,CACf,aAAA,EAAe,QAAA,CAAS,MAAA,SAAe,qBAAA,IACvC,eAAA,EAAiB,MAAA,kBACjB,OAAA,EAAS,2BAAA,GACP,0BAAA;AAAA,KA2CS,iCAAA,GAAoC,0BAAA;AAAA,iBAEhC,2BAAA,CACf,IAAA,EAAM,iBAAA,EACN,eAAA,EAAiB,MAAA,mBACf,iCAAA;AAAA,iBAgCa,0BAAA,CACf,WAAA,EAAa,0BAAA,EACb,OAAA,GAAS,iCAAA,GACP,0BAAA;;;KC5GS,sBAAA;AAAA,UAOK,0BAAA;EAAA,SACP,OAAA;EAAA,SACA,SAAA;EAAA,SACA,UAAA;EAAA,SACA,UAAA;EAAA,SACA,QAAA;AAAA;AAAA,KAGE,uBAAA;AAAA,KAOA,oBAAA;AAAA,UAMK,sBAAA;EAAA,SACP,IAAA,EAAM,oBAAA;EAAA,SACN,OAAA;AAAA;AAAA,UAGO,wBAAA;EAAA,SACP,OAAA,GAAU,sBAAA;EAAA,SACV,cAAA;AAAA;AAAA,UAGO,8BAAA;EAAA,SACP,YAAA;EAAA,SACA,KAAA,EAAO,uBAAA;EAAA,SACP,GAAA,GAAM,wBAAA;AAAA;AAAA,UAGC,2BAAA;EAAA,SACP,WAAA,GAAc,0BAAA;EAAA,SACd,MAAA,GAAS,8BAAA;EAAA,SACT,KAAA;AAAA;AAAA,UAGO,4BAAA;EAAA,SACP,SAAA;EAAA,SACA,gBAAA;EAAA,SACA,KAAA;AAAA;AAAA,UAGO,gCAAA;EAAA,SACP,SAAA;EAAA,SACA,gBAAA;AAAA;AAAA,UAGO,+BAAA;EAAA,SACP,MAAA,GAAS,8BAAA;AAAA;AAAA,UAGF,yBAAA;EAAA,SACP,OAAA,EAAS,sBAAA;EAAA,SACT,MAAA,GAAS,8BAAA;AAAA;AAAA,UAGF,qBAAA;EAAA,SACP,MAAA,EAAQ,WAAA;EAAA,SACR,KAAA;EACT,OAAA,CAAQ,OAAA,GAAU,sBAAA,GAAyB,OAAA;EAC3C,GAAA,CAAI,OAAA,GAAU,sBAAA,GAAyB,OAAA;EACvC,MAAA,CAAO,MAAA,EAAQ,8BAAA;AAAA;AAAA,UAGC,kCAAA;EAAA,SACP,WAAA,GAAc,0BAAA;EAAA,SACd,YAAA,GAAe,KAAA,UAAe,OAAA,EAAS,yBAAA,KAA8B,OAAA;EAAA,SACrE,kBAAA,GACR,KAAA,UACA,OAAA,EAAS,+BAAA,KACL,OAAA,CAAQ,gCAAA;EAAA,SACJ,oBAAA;EAAA,SACA,mBAAA,IAAuB,KAAA;EAAA,SACvB,2BAAA,IAA+B,KAAA;EAAA,SAC/B,aAAA,IAAiB,KAAA;EAAA,SACjB,mBAAA,IAAuB,KAAA;EAAA,SACvB,sBAAA;EAAA,SACA,OAAA;EAAA,SACA,6BAAA,IAAiC,KAAA,cAAmB,OAAA;EAAA,SACpD,UAAA;EAAA,SACA,cAAA,GACR,OAAA,EAAS,2BAAA,KACL,OAAA,CAAQ,4BAAA;EAAA,SACJ,cAAA,UAAwB,UAAA;EAAA,SACxB,gBAAA,UAA0B,YAAA;AAAA;AAAA,iBAqBpB,uBAAA,CAAA;AAAA,iBAIA,mBAAA,CAAoB,KAAA;AAAA,iBAId,2BAAA,CACrB,OAAA,EAAS,kCAAA,GACP,OAAA,CAAQ,qBAAA;;;cCnIE,4BAAA;AAAA,cACA,0BAAA;AAAA,cACA,sBAAA;AAAA,cACA,gCAAA;AAAA,KAED,oBAAA;AAAA,KACA,kBAAA;AAAA,UAEK,uBAAA;EAAA,SACP,YAAA;EAAA,SACA,UAAA;AAAA;AAAA,KAGE,kBAAA;EAAA,SAEA,IAAA;EAAA,SACA,UAAA;EAAA,SACA,MAAA;AAAA;EAAA,SAGA,IAAA;EAAA,SACA,UAAA;AAAA;AAAA,KAGA,oBAAA,GAAuB,OAAA,CAAQ,MAAA,CAAO,oBAAA;AAAA,KACtC,8BAAA;EAAA,SAEA,iBAAA;EAAA,SACA,kBAAA;EAAA,SACA,eAAA;AAAA;EAAA,SAGA,iBAAA;EAAA,SACA,kBAAA;EAAA,SACA,eAAA;AAAA;AAAA,UAEK,kCAAA;EAAA,SACP,iBAAA;EAAA,SACA,kBAAA;EAAA,SACA,eAAA;AAAA;AAAA,KAEE,6BAAA,GAAgC,OAAA,CAAQ,MAAA,CAAO,oBAAA;AAAA,UAEjD,0BAAA;EAAA,SACA,YAAA,EAAc,uBAAA;EAAA,SACd,aAAA;EAAA,SACA,EAAA;;;;AT3CV;WSgDU,eAAA;EAAA,SACA,cAAA,GAAiB,6BAAA;AAAA;AAAA,KAGf,sBAAA,IACR,0BAAA;EAAA,SACQ,OAAA,EAAS,OAAA,CAAQ,kBAAA;IAAA,SAA+B,IAAA;EAAA;EAAA,SAChD,SAAA,EAAW,8BAAA;AAAA,MAEnB,0BAAA;EAAA,SACQ,OAAA,EAAS,OAAA,CAAQ,kBAAA;IAAA,SAA+B,IAAA;EAAA;EAAA,SAChD,YAAA,EAAc,uBAAA;IAAA,SAAqC,UAAA;EAAA;EAAA,SACnD,SAAA,EAAW,kCAAA;AAAA;AAAA,UAGN,kBAAA;EAAA,SACP,EAAA;EAAA,SACA,KAAA,WAAgB,sBAAA;AAAA;AAAA,UAGT,yBAAA;EAAA,SACP,SAAA;EAAA,SACA,OAAA,EAAS,kBAAA;EAAA,SACT,OAAA,EAAS,kBAAA;EAAA,SACT,eAAA,GAAkB,oBAAA;EAAA,SAClB,eAAA,EAAiB,oBAAA;AAAA;AAAA,UAGV,sBAAA;EAAA,SACP,OAAA,EAAS,kBAAA;EAAA,SACT,YAAA,EAAc,uBAAA;EAAA,SACd,cAAA,EAAgB,oBAAA;EAAA,SAChB,SAAA;EAAA,SACA,SAAA;EAAA,SACA,eAAA,EAAiB,oBAAA;EAAA,SACjB,UAAA;EAAA,SACA,YAAA;EAAA,SACA,MAAA;AAAA;AAAA,KAGE,+BAAA;AAAA,UASK,2BAAA;EAAA,SACP,gBAAA;EAAA,SACA,IAAA,EAAM,+BAAA;EAAA,SACN,SAAA;EAAA,SACA,SAAA;EAAA,SACA,OAAA;EAAA,SACA,OAAA,EAAS,kBAAA;EAAA,SACT,aAAA;AAAA;AAAA,KAGE,0BAAA;EAAA,SAEA,EAAA;EAAA,SACA,KAAA,EAAO,sBAAA;AAAA;EAAA,SAGP,EAAA;EAAA,SACA,KAAA,EAAO,2BAAA;AAAA;AAAA,iBA0IH,oBAAA,CAAqB,KAAA,EAAO,yBAAA,GAA4B,0BAAA;;;cC7P1D,kBAAA;AAAA,KAEF,aAAA;EAAA,UACD,kBAAA;AAAA;AAAA,iBAGK,mBAAA,CAAA,GAAuB,aAAA;AAAA,iBAIvB,eAAA,CAAgB,KAAA,YAAiB,KAAA,IAAS,aAAA;AAAA,iBAI1C,kBAAA,CAAmB,KAAA,YAAiB,aAAA;;;;;;;AXhBpD;UYOiB,iBAAA;EAAA,SACP,OAAA;EAAA,SACA,SAAA,EAAW,UAAA;AAAA;AAAA,UAGJ,aAAA;EAAA,SACP,IAAA;EAAA,SACA,WAAA;EAAA,SACA,cAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,mBAAA;EAAA,SACP,IAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,UAAA,oCAA8C,iBAAA,CAAkB,UAAA;EAAA,SACvE,GAAA,EAAK,aAAA;AAAA;AAAA,iBAWC,mBAAA,2BAAA,CACf,KAAA,WACA,SAAA,EAAW,UAAA,GACT,KAAA,IAAS,iBAAA,CAAkB,UAAA;AAAA,iBASd,eAAA,CAAgB,KAAA,YAAiB,KAAA,IAAS,aAAA;AAAA,iBAY1C,qBAAA,CAAsB,KAAA,YAAiB,KAAA,IAAS,mBAAA;;;UCpD/C,cAAA,SAAuB,UAAA;EAAA,SAC9B,OAAA;EAAA,SACA,SAAA;EAAA,SACA,OAAA,EAAS,aAAA;EAAA,SACT,OAAA;EAAA,SACA,OAAA;AAAA;AAAA,UAGO,eAAA,SAAwB,iBAAA;EAAA,SAC/B,OAAA;EAAA,SACA,SAAA;EAAA,SACA,SAAA;EAAA,SACA,UAAA;EAAA,SACA,OAAA,EAAS,aAAA;EAAA,SACT,SAAA;EAAA,SACA,GAAA,EAAK,mBAAA;EAAA,SACL,OAAA;EAAA,SACA,OAAA;EAAA,SACA,MAAA;AAAA;AAAA,iBASM,gBAAA,CAAiB,KAAA,YAAiB,KAAA,IAAS,cAAA;AAAA,iBAc3C,iBAAA,CAAkB,KAAA,YAAiB,KAAA,IAAS,eAAA"}
1
+ {"version":3,"file":"index.d.ts","names":[],"sources":["../src/gateway-runtime-contract.ts","../src/audience.ts","../src/health/controller-request-policy.ts","../src/health/agent-vm-health.ts","../src/force-ipv4-egress.ts","../src/gateway-process-spec.ts","../src/gateway-vm-spec.ts","../src/gateway-lifecycle.ts","../src/split-resolved-gateway-secrets.ts","../src/tool-vm-active-use.ts","../src/runtime-paths/runtime-path-mapping.ts","../src/tool-vm-lease-id.ts","../src/vm-capability-lease.ts","../src/tool-vm-lease.ts"],"mappings":";;;;cAAa,iBAAA;AAAA,KAED,WAAA,WAAsB,iBAAA;AAAA,iBAElB,wBAAA,CAAyB,gBAAA,UAA0B,MAAA;AAAA,iBAInD,qBAAA,CACf,gBAAA,UACA,MAAA,UACA,OAAA;;;cCXY,gBAAA;AAAA,KAED,UAAA,WAAqB,gBAAA;AAAA,KACrB,iBAAA,GAAoB,OAAA,CAAQ,UAAA;AAAA,UAEvB,gBAAA;EAAA,SACP,IAAA;EAAA,SACA,QAAA,EAAU,UAAA;AAAA;AAAA,cAGP,gBAAA;AAAA,iBAEG,eAAA,CACf,cAAA,EAAgB,UAAA,EAChB,eAAA,EAAiB,iBAAA;AAAA,iBAKF,sBAAA,CACf,WAAA,WAAsB,gBAAA,IACtB,eAAA,EAAiB,iBAAA;AAAA,iBAOF,qBAAA,CAAsB,WAAA,WAAsB,gBAAA;;;cC5B/C,0CAAA;AAAA,KAgBD,yCAAA,WACH,0CAAA;AAAA,cAEI,yCAAA;AAAA,KAKD,wCAAA,WACH,yCAAA;AAAA,KAEG,gCAAA,GACT,yCAAA,GACA,wCAAA;AAAA,cAEU,+CAAA;AAAA,KAKD,8CAAA,WACH,+CAAA;AAAA,KAEG,sCAAA,GAAyC,OAAA,CACpD,gCAAA,EACA,8CAAA;AAAA,cAaY,uCAAA,EAAuC,sCAAA;AAAA,cAKvC,wBAAA;AAAA,KAiBD,uBAAA,WAAkC,wBAAA;AAAA,KAElC,kCAAA;AAAA,UAEF,2BAAA;EAAA,SACA,WAAA,EAAa,kCAAA;EAAA,SACb,SAAA;AAAA;AAAA,KAGE,uBAAA,IACR,2BAAA;EAAA,SACQ,WAAA;EAAA,SACA,gBAAA;EAAA,SACA,YAAA;EAAA,SACA,aAAA;AAAA,MAER,2BAAA;EAAA,SACQ,WAAA;EAAA,SACA,gBAAA;EAAA,SACA,YAAA;EAAA,SACA,aAAA;AAAA;AAAA,KAGA,yCAAA;AAAA,cAIC,qCAAA,SAA8C,KAAA;EAAA,SACjD,IAAA,EAAM,yCAAA;EAAA,SACN,SAAA,EAAW,gCAAA;cAER,OAAA;IAAA,SACF,KAAA;IAAA,SACA,IAAA,EAAM,yCAAA;IAAA,SACN,SAAA,EAAW,gCAAA;EAAA;AAAA;AAAA,UAYL,gCAAA;EAAA,SACP,SAAA,IAAa,KAAA,WAAgB,GAAA,GAAM,OAAA,EAAS,IAAA,GAAO,WAAA,KAAgB,OAAA,CAAQ,QAAA;EAAA,SAC3E,IAAA,GAAO,WAAA;EAAA,SACP,KAAA,WAAgB,GAAA,GAAM,OAAA;EAAA,SACtB,SAAA,EAAW,gCAAA;EAAA,SACX,MAAA,GAAS,uBAAA;AAAA;AAAA,iBAyBG,2BAAA,CAA4B,QAAA,EAAU,QAAA,GAAW,OAAA;AAAA,iBAoDjD,yBAAA,CACrB,OAAA,EAAS,gCAAA,GACP,OAAA,CAAQ,QAAA;AAAA,cAyCE,yBAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cCjPA,uBAAA;AAAA,KAYD,sBAAA,WAAiC,uBAAA;AAAA,cAEhC,wBAAA;AAAA,KAED,uBAAA,WAAkC,wBAAA;AAAA,UAE7B,sBAAA;EAAA,SACP,YAAA;EAAA,SACA,MAAA,EAAQ,uBAAA;EAAA,SACR,MAAA;AAAA;AAAA,KAGE,wBAAA;AAAA,KAEA,2BAAA;AAAA,cAIC,4BAAA;EAAA;;;;;KAOD,kBAAA,IACR,sBAAA;EAAA,SACQ,IAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;EAAA,SACA,UAAA;AAAA,MAER,sBAAA;EAAA,SACQ,cAAA,SAAuB,4BAAA,CAA6B,cAAA;EAAA,SACpD,cAAA,SAAuB,4BAAA,CAA6B,cAAA;EAAA,SACpD,SAAA;EAAA,SACA,IAAA;EAAA,SACA,SAAA,SAAkB,4BAAA,CAA6B,SAAA;EAAA,SAC/C,IAAA,SAAa,4BAAA,CAA6B,IAAA;AAAA,MAElD,sBAAA;EAAA,SACQ,OAAA;EAAA,SACA,SAAA;EAAA,SACA,SAAA;EAAA,SACA,IAAA;EAAA,SACA,WAAA;EAAA,SACA,SAAA,EAAW,sCAAA;EAAA,SACX,UAAA;AAAA,MAER,sBAAA;EAAA,SACQ,OAAA;EAAA,SACA,SAAA;EAAA,SACA,SAAA;EAAA,SACA,IAAA;EAAA,SACA,OAAA;AAAA,MAER,sBAAA;EAAA,SACQ,OAAA;EAAA,SACA,SAAA;EAAA,SACA,SAAA;EAAA,SACA,IAAA;EAAA,SACA,OAAA;EAAA,SACA,KAAA;AAAA,MAER,sBAAA;EAAA,SACQ,OAAA;EAAA,SACA,SAAA;EAAA,SACA,SAAA;EAAA,SACA,IAAA;EAAA,SACA,OAAA;EAAA,SACA,SAAA,EAAW,wBAAA;AAAA,MAEnB,sBAAA;EAAA,SACQ,cAAA,EAAgB,WAAA;EAAA,SAChB,IAAA;EAAA,SACA,KAAA;AAAA,MAER,sBAAA;EAAA,SACQ,MAAA;EAAA,SACA,mBAAA;EAAA,SACA,UAAA;EAAA,SACA,SAAA;EAAA,SACA,IAAA;EAAA,SACA,wBAAA;EAAA,SACA,WAAA;EAAA,SACA,UAAA;EAAA,SACA,OAAA;EAAA,SACA,WAAA;EAAA,SACA,UAAA;EAAA,SACA,OAAA;EAAA,SACA,MAAA,EAAQ,2BAAA;EAAA,SACR,MAAA;AAAA,MAER,sBAAA;EAAA,SACQ,MAAA;EAAA,SACA,mBAAA;EAAA,SACA,UAAA;EAAA,SACA,SAAA;EAAA,SACA,SAAA;EAAA,SACA,IAAA;EAAA,SACA,wBAAA;EAAA,SACA,WAAA;EAAA,SACA,UAAA;EAAA,SACA,OAAA;EAAA,SACA,MAAA,EAAQ,2BAAA;EAAA,SACR,MAAA;AAAA,MAER,sBAAA;EAAA,SACQ,MAAA;EAAA,SACA,2BAAA;EAAA,SACA,mBAAA;EAAA,SACA,UAAA;EAAA,SACA,SAAA;EAAA,SACA,qBAAA;EAAA,SACA,IAAA;EAAA,SACA,MAAA,EAAQ,2BAAA;EAAA,SACR,MAAA;AAAA;AAAA,cAGC,oBAAA;AAAA,KAED,mBAAA,WAA8B,oBAAA;AAAA,cAE7B,oBAAA;AAAA,KAaD,mBAAA,WAA8B,oBAAA;AAAA,UAEzB,eAAA;EAAA,SACP,IAAA,EAAM,mBAAA;EAAA,SACN,WAAA,EAAa,kBAAA;EAAA,SACb,OAAA;EAAA,SACA,OAAA;AAAA;AAAA,KAGE,kBAAA;EAAA,SAEA,IAAA;EAAA,SACA,MAAA;EAAA,SACA,MAAA;AAAA;EAAA,SAGA,IAAA;EAAA,SACA,YAAA,WAAuB,kBAAA;EAAA,SACvB,MAAA;AAAA;EAAA,SAGA,MAAA,WAAiB,eAAA;EAAA,SACjB,IAAA;EAAA,SACA,YAAA,WAAuB,kBAAA;EAAA,SACvB,MAAA;AAAA;AAAA,UAGK,+BAAA;EAAA,SACP,KAAA;EAAA,SACA,YAAA;EAAA,SACA,MAAA;AAAA;AAAA,iBA+CM,oBAAA,CAAqB,KAAA,YAAiB,KAAA,IAAS,kBAAA;AAAA,iBAmH/C,oBAAA,CAAqB,KAAA,EAAO,kBAAA;AAAA,iBA2E5B,wBAAA,CACf,MAAA,WAAiB,kBAAA,IACjB,OAAA,EAAS,+BAAA,GACP,kBAAA;;;;;;;AHxaH;;;;;AAEA;;;;;AAEA;;;;;AAIA;;;;;;;;;;;;ACRA;;;;cGmCa,8BAAA;AHjCb;;;;;AACA;;;;;AAEA;;;;;;;;;AAKA;;;;;AAEA;;;;;AAVA,iBGmEgB,kBAAA,CAAmB,SAAA;;;KCrEvB,kBAAA;EAAA,SACE,IAAA;EAAA,SAAuB,IAAA;EAAA,SAAuB,IAAA;AAAA;EAAA,SAC9C,IAAA;EAAA,SAA0B,OAAA;AAAA;;ALAxC;;;UKMiB,kBAAA;EAAA,SACP,gBAAA;EAAA,SACA,YAAA;EAAA,SACA,WAAA,EAAa,kBAAA;EAAA,SACb,eAAA;EAAA,SACA,OAAA;AAAA;;;;;ALbV;;UMOiB,aAAA;EAAA,SACP,WAAA,EAAa,MAAA;EAAA,SACb,SAAA,EAAW,MAAA,SAAe,YAAA;EAAA,SAC1B,eAAA,EAAiB,MAAA,SAAe,kBAAA;EAAA,SAChC,QAAA,EAAU,MAAA;EAAA,SACV,YAAA;EAAA,SACA,UAAA;EAAA,SACA,iBAAA;EAAA,SACA,YAAA;AAAA;;;;;;;UCJO,iBAAA;EPTM;;;;EAAA,SOcb,oBAAA;EPZ8B;;;;EAAA,SOkB9B,iBAAA,GACR,QAAA,UACA,OAAA;IAAA,SACU,UAAA;IAAA,SACA,OAAA;IAAA,SACA,UAAA;EAAA;AAAA;AAAA,UAKF,sBAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,iCAAA,SAA0C,sBAAA;EAAA,SAC1C,MAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGA,iCAAA,SAA0C,sBAAA;EAAA,SAC1C,MAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,4BAAA,SAAqC,sBAAA;EAAA,SACrC,MAAA;EAAA,SACA,KAAA;AAAA;AAAA,KAGE,uBAAA;AAAA,UAEK,gBAAA;EAAA,SACP,SAAA,EAAW,uBAAA;AAAA;AAAA,UAGJ,oBAAA;EAAA,SACP,uBAAA;EAAA,SACA,yBAAA;AAAA;AAAA,UAGO,gCAAA;EAAA,SACP,IAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,4BAAA;EAAA,SACA,IAAA,EAAM,WAAA;EAAA,SACN,MAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;EAAA,SACA,OAAA,GAAU,oBAAA;EAAA,SACV,MAAA;EAAA,SACA,QAAA;EAAA,SACA,iBAAA;EAAA,SACA,GAAA,EAAK,gBAAA;EAAA,SACL,eAAA,GACN,4BAAA,GACA,iCAAA,GACA,iCAAA;AAAA;AAAA,UAIM,gCAAA,SAAyC,4BAAA;EAAA,SACzC,IAAA;EAAA,SACA,WAAA,EAAa,gCAAA;EAAA,SACb,YAAA;EAAA,SACA,mBAAA,GAAsB,QAAA,CAC9B,MAAA,SAEG,4BAAA,GACA,iCAAA,GACA,iCAAA;EAAA,SAGK,aAAA;AAAA;AAAA,UAGA,8BAAA,SAAuC,4BAAA;EAAA,SACvC,IAAA;AAAA;AAAA,KAGL,wBAAA,GAA2B,gCAAA,GAAmC,8BAAA;AAAA,UAEzD,6BAAA;EAAA,SACA,MAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGA,6BAAA;EAAA,SACA,MAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,wBAAA;EAAA,SACA,MAAA;EAAA,SACA,KAAA;AAAA;AAAA,KAGL,kBAAA,GACF,6BAAA,GACA,6BAAA,GACA,wBAAA;AAAA,KAES,8BAAA,GAAiC,kBAAA;EAAA,SACnC,QAAA;EAAA,SACA,SAAA;AAAA;AAAA,KAGE,+BAAA,GAAkC,kBAAA;EAAA,SACpC,QAAA,EAAU,UAAA;EAAA,SACV,SAAA;EAAA,SACA,KAAA;AAAA;AAAA,KAGE,mBAAA,GAAsB,8BAAA,GAAiC,+BAAA;ALrHnE;;;;AAAA,UK2HiB,iBAAA;EAAA,SACP,EAAA;EAAA,SACA,MAAA,YAAkB,sBAAA;EAAA,SAClB,OAAA,EAAS,wBAAA;EAAA,SACT,SAAA,GAAY,0BAAA;EAAA,SACZ,iBAAA,GAAoB,QAAA,CAAS,MAAA,SAAe,0BAAA;EAAA,SAC5C,sBAAA,GAAyB,QAAA,CAAS,MAAA,SAAe,kBAAA;EAAA,SACjD,kBAAA,GAAqB,QAAA,CAAS,MAAA;EAAA,SAC9B,oBAAA,GAAuB,QAAA,CAAS,MAAA,SAAe,QAAA,CAAS,MAAA;EAAA,SACxD,OAAA,EAAS,QAAA,CAAS,MAAA,SAAe,mBAAA;EAAA,SACjC,WAAA,WAAsB,gBAAA;EAAA,SACtB,eAAA;EAAA,SACA,oBAAA;AAAA;AAAA,UAGO,sBAAA;EAAA,SACP,EAAA;EAAA,SACA,aAAA;AAAA;AAAA,UAGO,0BAAA;EAAA,SACP,SAAA;AAAA;AAAA,UAGO,0BAAA;EAAA,SACP,OAAA,GAAU,QAAA,CAAS,MAAA;EAAA,SACnB,SAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGO,yBAAA;EAAA,SACP,cAAA;EAAA,SACA,eAAA;EAAA,SACA,gBAAA;EAAA,SACA,eAAA,EAAiB,MAAA;EAAA,SACjB,UAAA;EAAA,SACA,OAAA;IAAA,SACC,QAAA;IAAA,SACA,IAAA;EAAA;EAAA,SAED,IAAA,EAAM,iBAAA;AAAA;AAAA,UAGC,gBAAA;EL9HJ;;;;EAAA,SKmIH,UAAA,GAAa,iBAAA;ELlHX;;;;EKwHX,WAAA,CAAY,OAAA,EAAS,yBAAA,GAA4B,aAAA;ELtHtC;;;;EK4HX,gBAAA,CACC,IAAA,EAAM,iBAAA,EACN,eAAA,EAAiB,MAAA,mBACf,kBAAA;EL7HM;;;;EKmIT,gBAAA,EAAkB,IAAA,EAAM,iBAAA,EAAmB,cAAA,EAAgB,cAAA,GAAiB,OAAA;AAAA;;;UC9M5D,0BAAA;EAAA,SACP,kBAAA,EAAoB,MAAA;EAAA,SACpB,eAAA,EAAiB,MAAA,SAAe,kBAAA;AAAA;AAAA,UAGzB,iCAAA;EAAA,SACP,SAAA;EAAA,SACA,kBAAA,GAAqB,QAAA,CAAS,MAAA;EAAA,SAC9B,sBAAA,GAAyB,QAAA,CAAS,MAAA,SAAe,kBAAA;AAAA;AAAA,KAG/C,qBAAA,GAAwB,mBAAA;AAAA,UAEnB,2BAAA;EAAA,SACP,QAAA,EAAU,iBAAA;EAAA,SACV,SAAA;AAAA;AAAA,iBAGM,+BAAA,CACf,aAAA,EAAe,QAAA,CAAS,MAAA,SAAe,qBAAA,IACvC,eAAA,EAAiB,MAAA,kBACjB,OAAA,EAAS,2BAAA,GACP,0BAAA;AAAA,KA2CS,iCAAA,GAAoC,0BAAA;AAAA,iBAEhC,2BAAA,CACf,IAAA,EAAM,iBAAA,EACN,eAAA,EAAiB,MAAA,mBACf,iCAAA;AAAA,iBAgCa,0BAAA,CACf,WAAA,EAAa,0BAAA,EACb,OAAA,GAAS,iCAAA,GACP,0BAAA;;;KC5GS,sBAAA;AAAA,UAOK,0BAAA;EAAA,SACP,OAAA;EAAA,SACA,SAAA;EAAA,SACA,UAAA;EAAA,SACA,UAAA;EAAA,SACA,QAAA;AAAA;AAAA,KAGE,uBAAA;AAAA,KAOA,oBAAA;AAAA,UAMK,sBAAA;EAAA,SACP,IAAA,EAAM,oBAAA;EAAA,SACN,OAAA;AAAA;AAAA,UAGO,wBAAA;EAAA,SACP,OAAA,GAAU,sBAAA;EAAA,SACV,cAAA;AAAA;AAAA,UAGO,8BAAA;EAAA,SACP,YAAA;EAAA,SACA,KAAA,EAAO,uBAAA;EAAA,SACP,GAAA,GAAM,wBAAA;AAAA;AAAA,UAGC,2BAAA;EAAA,SACP,WAAA,GAAc,0BAAA;EAAA,SACd,MAAA,GAAS,8BAAA;EAAA,SACT,KAAA;AAAA;AAAA,UAGO,4BAAA;EAAA,SACP,SAAA;EAAA,SACA,gBAAA;EAAA,SACA,KAAA;AAAA;AAAA,UAGO,gCAAA;EAAA,SACP,SAAA;EAAA,SACA,gBAAA;AAAA;AAAA,UAGO,+BAAA;EAAA,SACP,MAAA,GAAS,8BAAA;AAAA;AAAA,UAGF,yBAAA;EAAA,SACP,OAAA,EAAS,sBAAA;EAAA,SACT,MAAA,GAAS,8BAAA;AAAA;AAAA,UAGF,qBAAA;EAAA,SACP,MAAA,EAAQ,WAAA;EAAA,SACR,KAAA;EACT,OAAA,CAAQ,OAAA,GAAU,sBAAA,GAAyB,OAAA;EAC3C,GAAA,CAAI,OAAA,GAAU,sBAAA,GAAyB,OAAA;EACvC,MAAA,CAAO,MAAA,EAAQ,8BAAA;AAAA;AAAA,UAGC,kCAAA;EAAA,SACP,WAAA,GAAc,0BAAA;EAAA,SACd,YAAA,GAAe,KAAA,UAAe,OAAA,EAAS,yBAAA,KAA8B,OAAA;EAAA,SACrE,kBAAA,GACR,KAAA,UACA,OAAA,EAAS,+BAAA,KACL,OAAA,CAAQ,gCAAA;EAAA,SACJ,oBAAA;EAAA,SACA,mBAAA,IAAuB,KAAA;EAAA,SACvB,2BAAA,IAA+B,KAAA;EAAA,SAC/B,aAAA,IAAiB,KAAA;EAAA,SACjB,mBAAA,IAAuB,KAAA;EAAA,SACvB,sBAAA;EAAA,SACA,OAAA;EAAA,SACA,6BAAA,IAAiC,KAAA,cAAmB,OAAA;EAAA,SACpD,UAAA;EAAA,SACA,cAAA,GACR,OAAA,EAAS,2BAAA,KACL,OAAA,CAAQ,4BAAA;EAAA,SACJ,cAAA,UAAwB,UAAA;EAAA,SACxB,gBAAA,UAA0B,YAAA;AAAA;AAAA,iBAqBpB,uBAAA,CAAA;AAAA,iBAIA,mBAAA,CAAoB,KAAA;AAAA,iBAId,2BAAA,CACrB,OAAA,EAAS,kCAAA,GACP,OAAA,CAAQ,qBAAA;;;cCnIE,4BAAA;AAAA,cACA,0BAAA;AAAA,cACA,sBAAA;AAAA,cACA,gCAAA;AAAA,KAED,oBAAA;AAAA,KACA,kBAAA;AAAA,UAEK,uBAAA;EAAA,SACP,YAAA;EAAA,SACA,UAAA;AAAA;AAAA,KAGE,kBAAA;EAAA,SAEA,IAAA;EAAA,SACA,UAAA;EAAA,SACA,MAAA;AAAA;EAAA,SAGA,IAAA;EAAA,SACA,UAAA;AAAA;AAAA,KAGA,oBAAA,GAAuB,OAAA,CAAQ,MAAA,CAAO,oBAAA;AAAA,KACtC,8BAAA;EAAA,SAEA,iBAAA;EAAA,SACA,kBAAA;EAAA,SACA,eAAA;AAAA;EAAA,SAGA,iBAAA;EAAA,SACA,kBAAA;EAAA,SACA,eAAA;AAAA;AAAA,UAEK,kCAAA;EAAA,SACP,iBAAA;EAAA,SACA,kBAAA;EAAA,SACA,eAAA;AAAA;AAAA,KAEE,6BAAA,GAAgC,OAAA,CAAQ,MAAA,CAAO,oBAAA;AAAA,UAEjD,0BAAA;EAAA,SACA,YAAA,EAAc,uBAAA;EAAA,SACd,aAAA;EAAA,SACA,EAAA;;;;AT3CV;WSgDU,eAAA;EAAA,SACA,cAAA,GAAiB,6BAAA;AAAA;AAAA,KAGf,sBAAA,IACR,0BAAA;EAAA,SACQ,OAAA,EAAS,OAAA,CAAQ,kBAAA;IAAA,SAA+B,IAAA;EAAA;EAAA,SAChD,SAAA,EAAW,8BAAA;AAAA,MAEnB,0BAAA;EAAA,SACQ,OAAA,EAAS,OAAA,CAAQ,kBAAA;IAAA,SAA+B,IAAA;EAAA;EAAA,SAChD,YAAA,EAAc,uBAAA;IAAA,SAAqC,UAAA;EAAA;EAAA,SACnD,SAAA,EAAW,kCAAA;AAAA;AAAA,UAGN,kBAAA;EAAA,SACP,EAAA;EAAA,SACA,KAAA,WAAgB,sBAAA;AAAA;AAAA,UAGT,yBAAA;EAAA,SACP,SAAA;EAAA,SACA,OAAA,EAAS,kBAAA;EAAA,SACT,OAAA,EAAS,kBAAA;EAAA,SACT,eAAA,GAAkB,oBAAA;EAAA,SAClB,eAAA,EAAiB,oBAAA;AAAA;AAAA,UAGV,sBAAA;EAAA,SACP,OAAA,EAAS,kBAAA;EAAA,SACT,YAAA,EAAc,uBAAA;EAAA,SACd,cAAA,EAAgB,oBAAA;EAAA,SAChB,SAAA;EAAA,SACA,SAAA;EAAA,SACA,eAAA,EAAiB,oBAAA;EAAA,SACjB,UAAA;EAAA,SACA,YAAA;EAAA,SACA,MAAA;AAAA;AAAA,KAGE,+BAAA;AAAA,UASK,2BAAA;EAAA,SACP,gBAAA;EAAA,SACA,IAAA,EAAM,+BAAA;EAAA,SACN,SAAA;EAAA,SACA,SAAA;EAAA,SACA,OAAA;EAAA,SACA,OAAA,EAAS,kBAAA;EAAA,SACT,aAAA;AAAA;AAAA,KAGE,0BAAA;EAAA,SAEA,EAAA;EAAA,SACA,KAAA,EAAO,sBAAA;AAAA;EAAA,SAGP,EAAA;EAAA,SACA,KAAA,EAAO,2BAAA;AAAA;AAAA,iBA0IH,oBAAA,CAAqB,KAAA,EAAO,yBAAA,GAA4B,0BAAA;;;cC7P1D,kBAAA;AAAA,KAEF,aAAA;EAAA,UACD,kBAAA;AAAA;AAAA,iBAGK,mBAAA,CAAA,GAAuB,aAAA;AAAA,iBAIvB,eAAA,CAAgB,KAAA,YAAiB,KAAA,IAAS,aAAA;AAAA,iBAI1C,kBAAA,CAAmB,KAAA,YAAiB,aAAA;;;;;;;AXhBpD;UYOiB,iBAAA;EAAA,SACP,OAAA;EAAA,SACA,SAAA,EAAW,UAAA;AAAA;AAAA,UAGJ,aAAA;EAAA,SACP,IAAA;EAAA,SACA,WAAA;EAAA,SACA,cAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,mBAAA;EAAA,SACP,IAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,UAAA,oCAA8C,iBAAA,CAAkB,UAAA;EAAA,SACvE,GAAA,EAAK,aAAA;AAAA;AAAA,iBAWC,mBAAA,2BAAA,CACf,KAAA,WACA,SAAA,EAAW,UAAA,GACT,KAAA,IAAS,iBAAA,CAAkB,UAAA;AAAA,iBASd,eAAA,CAAgB,KAAA,YAAiB,KAAA,IAAS,aAAA;AAAA,iBAY1C,qBAAA,CAAsB,KAAA,YAAiB,KAAA,IAAS,mBAAA;;;UCpD/C,cAAA,SAAuB,UAAA;EAAA,SAC9B,OAAA;EAAA,SACA,SAAA;EAAA,SACA,OAAA,EAAS,aAAA;EAAA,SACT,OAAA;EAAA,SACA,OAAA;AAAA;AAAA,UAGO,eAAA,SAAwB,iBAAA;EAAA,SAC/B,OAAA;EAAA,SACA,SAAA;EAAA,SACA,SAAA;EAAA,SACA,UAAA;EAAA,SACA,OAAA,EAAS,aAAA;EAAA,SACT,SAAA;EAAA,SACA,GAAA,EAAK,mBAAA;EAAA,SACL,OAAA;EAAA,SACA,OAAA;EAAA,SACA,MAAA;AAAA;AAAA,iBASM,gBAAA,CAAiB,KAAA,YAAiB,KAAA,IAAS,cAAA;AAAA,iBAc3C,iBAAA,CAAkB,KAAA,YAAiB,KAAA,IAAS,eAAA"}
package/dist/index.js CHANGED
@@ -301,7 +301,9 @@ const agentVmHealthEventKinds = [
301
301
  "lease-renew",
302
302
  "lease-heartbeat",
303
303
  "tool-vm-ssh",
304
- "gateway-plugin-health"
304
+ "gateway-plugin-health",
305
+ "gateway-recovery",
306
+ "gateway-recovery-suspended"
305
307
  ];
306
308
  const agentVmHealthResultKinds = [
307
309
  "ok",
@@ -329,6 +331,8 @@ const zoneHealthIssueKinds = [
329
331
  "lease-renew-failing",
330
332
  "tool-vm-ssh-failing",
331
333
  "gateway-plugin-unhealthy",
334
+ "gateway-recovery-failed",
335
+ "gateway-recovery-suspended",
332
336
  "health-event-stale"
333
337
  ];
334
338
  function isRecord(value) {
@@ -349,6 +353,15 @@ function optionalString(value) {
349
353
  function optionalStatusCode(value) {
350
354
  return value === void 0 || Number.isInteger(value);
351
355
  }
356
+ function optionalNonNegativeInteger(value) {
357
+ return value === void 0 || Number.isInteger(value) && Number(value) >= 0;
358
+ }
359
+ function isNonNegativeInteger(value) {
360
+ return Number.isInteger(value) && Number(value) >= 0;
361
+ }
362
+ function isPositiveInteger(value) {
363
+ return Number.isInteger(value) && Number(value) > 0;
364
+ }
352
365
  function isAgentVmHealthEvent(value) {
353
366
  if (!isRecord(value) || !hasBaseEventFields(value)) return false;
354
367
  switch (value.kind) {
@@ -369,6 +382,12 @@ function isAgentVmHealthEvent(value) {
369
382
  "stopping",
370
383
  "failed"
371
384
  ], value.state);
385
+ case "gateway-recovery":
386
+ if (value.action !== "gateway-vm-restart" || !isNonNegativeInteger(value.consecutiveFailures) || !isPositiveInteger(value.cooldownMs) || !isNonNegativeFiniteNumber(value.elapsedMs) || !isOneOf(["gateway-control-link-unhealthy", "gateway-service-unhealthy"], value.reason)) return false;
387
+ if (value.result === "ok") return isNonNegativeInteger(value.leaseReleaseFailureCount) && typeof value.newBootedAt === "string" && isNonNegativeInteger(value.newHostPid) && typeof value.newVmId === "string" && typeof value.oldBootedAt === "string" && isNonNegativeInteger(value.oldHostPid) && typeof value.oldVmId === "string" && value.errorCode === void 0;
388
+ if (value.result === "failed") return typeof value.errorCode === "string" && value.errorCode.length > 0 && optionalNonNegativeInteger(value.leaseReleaseFailureCount) && optionalString(value.oldBootedAt) && optionalNonNegativeInteger(value.oldHostPid) && optionalString(value.oldVmId) && value.newBootedAt === void 0 && value.newHostPid === void 0 && value.newVmId === void 0;
389
+ return false;
390
+ case "gateway-recovery-suspended": return value.action === "gateway-vm-restart" && isNonNegativeInteger(value.consecutiveFailedRecoveries) && isNonNegativeInteger(value.consecutiveFailures) && isPositiveInteger(value.cooldownMs) && value.errorCode === "max-failed-recoveries" && isPositiveInteger(value.failedRecoveryResetMs) && isOneOf(["gateway-control-link-unhealthy", "gateway-service-unhealthy"], value.reason) && value.result === "failed";
372
391
  default: return false;
373
392
  }
374
393
  }
@@ -381,6 +400,8 @@ function healthEventBucketKey(event) {
381
400
  case "lease-renew": return `${event.zoneId}:${event.kind}:${event.leaseId}`;
382
401
  case "tool-vm-ssh": return `${event.zoneId}:${event.kind}:${event.leaseId}:${event.operation}`;
383
402
  case "gateway-plugin-health": return `${event.zoneId}:${event.kind}:${event.gatewayService}`;
403
+ case "gateway-recovery": return `${event.zoneId}:${event.kind}:${event.action}`;
404
+ case "gateway-recovery-suspended": return `${event.zoneId}:${event.kind}:${event.action}`;
384
405
  }
385
406
  return assertNeverHealthEvent(event);
386
407
  }
@@ -393,6 +414,8 @@ function failedIssueKindForEvent(event) {
393
414
  case "lease-renew": return "lease-renew-failing";
394
415
  case "tool-vm-ssh": return "tool-vm-ssh-failing";
395
416
  case "gateway-plugin-health": return "gateway-plugin-unhealthy";
417
+ case "gateway-recovery": return "gateway-recovery-failed";
418
+ case "gateway-recovery-suspended": return "gateway-recovery-suspended";
396
419
  }
397
420
  return assertNeverHealthEvent(event);
398
421
  }
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","names":["uuidv7","validateUuid","uuidVersion","uuidv7","validateUuid","uuidVersion","objectValue"],"sources":["../src/gateway-runtime-contract.ts","../src/audience.ts","../src/health/controller-request-policy.ts","../src/health/agent-vm-health.ts","../src/force-ipv4-egress.ts","../src/split-resolved-gateway-secrets.ts","../src/tool-vm-active-use.ts","../src/runtime-paths/runtime-path-mapping.ts","../src/tool-vm-lease-id.ts","../src/vm-capability-lease.ts","../src/tool-vm-lease.ts"],"sourcesContent":["export const gatewayTypeValues = ['openclaw', 'worker'] as const;\n\nexport type GatewayType = (typeof gatewayTypeValues)[number];\n\nexport function buildGatewaySessionLabel(projectNamespace: string, zoneId: string): string {\n\treturn `${projectNamespace}:${zoneId}:gateway`;\n}\n\nexport function buildToolSessionLabel(\n\tprojectNamespace: string,\n\tzoneId: string,\n\ttcpSlot: number,\n): string {\n\treturn `${projectNamespace}:${zoneId}:tool:${tcpSlot}`;\n}\n","export const vmAudienceValues = ['gateway', 'tool-vm', 'both'] as const;\n\nexport type VmAudience = (typeof vmAudienceValues)[number];\nexport type RuntimeVmAudience = Exclude<VmAudience, 'both'>;\n\nexport interface EgressHostConfig {\n\treadonly host: string;\n\treadonly audience: VmAudience;\n}\n\nexport const controllerVmHost = 'controller.vm.host';\n\nexport function targetsAudience(\n\tconfigAudience: VmAudience,\n\truntimeAudience: RuntimeVmAudience,\n): boolean {\n\treturn configAudience === runtimeAudience || configAudience === 'both';\n}\n\nexport function egressHostsForAudience(\n\tegressHosts: readonly EgressHostConfig[],\n\truntimeAudience: RuntimeVmAudience,\n): readonly string[] {\n\treturn egressHosts\n\t\t.filter((egressHost) => targetsAudience(egressHost.audience, runtimeAudience))\n\t\t.map((egressHost) => egressHost.host);\n}\n\nexport function gatewayVmAllowedHosts(egressHosts: readonly EgressHostConfig[]): readonly string[] {\n\treturn Array.from(new Set([controllerVmHost, ...egressHostsForAudience(egressHosts, 'gateway')]));\n}\n","export const gatewayInternalControllerRequestOperations = [\n\t'controller-health',\n\t'health-event-publish',\n\t'openclaw-runtime-status',\n\t'zone-git-push',\n\t'lease-create',\n\t'lease-get',\n\t'lease-peek',\n\t'lease-list',\n\t'lease-renew',\n\t'lease-release',\n\t'lease-use-start',\n\t'lease-heartbeat',\n\t'lease-use-end',\n] as const;\n\nexport type GatewayInternalControllerRequestOperation =\n\t(typeof gatewayInternalControllerRequestOperations)[number];\n\nexport const workerInternalControllerRequestOperations = [\n\t'worker-push-branches',\n\t'worker-pull-default',\n] as const;\n\nexport type WorkerInternalControllerRequestOperation =\n\t(typeof workerInternalControllerRequestOperations)[number];\n\nexport type ControllerRequestPolicyOperation =\n\t| GatewayInternalControllerRequestOperation\n\t| WorkerInternalControllerRequestOperation;\n\nexport const dedicatedControllerRequestHealthEventOperations = [\n\t'lease-heartbeat',\n\t'lease-renew',\n] as const;\n\nexport type DedicatedControllerRequestHealthEventOperation =\n\t(typeof dedicatedControllerRequestHealthEventOperations)[number];\n\nexport type GenericControllerRequestEventOperation = Exclude<\n\tControllerRequestPolicyOperation,\n\tDedicatedControllerRequestHealthEventOperation\n>;\n\nconst dedicatedControllerRequestHealthEventOperationSet = new Set<ControllerRequestPolicyOperation>(\n\tdedicatedControllerRequestHealthEventOperations,\n);\n\nfunction isGenericControllerRequestEventOperation(\n\toperation: ControllerRequestPolicyOperation,\n): operation is GenericControllerRequestEventOperation {\n\treturn !dedicatedControllerRequestHealthEventOperationSet.has(operation);\n}\n\nexport const genericControllerRequestEventOperations = [\n\t...gatewayInternalControllerRequestOperations,\n\t...workerInternalControllerRequestOperations,\n].filter(isGenericControllerRequestEventOperation);\n\nexport const externalControllerRoutes = [\n\t'GET /controller-status',\n\t'GET /zones/:zoneId/status',\n\t'GET /zones/:zoneId/health',\n\t'GET /zones/:zoneId/zone-git/status',\n\t'GET /zones/:zoneId/logs',\n\t'POST /zones/:zoneId/credentials/refresh',\n\t'POST /zones/:zoneId/destroy',\n\t'POST /zones/:zoneId/upgrade',\n\t'GET /zones/:zoneId/tasks/:taskId',\n\t'POST /zones/:zoneId/worker-tasks',\n\t'POST /zones/:zoneId/tasks/:taskId/close',\n\t'POST /zones/:zoneId/enable-ssh',\n\t'POST /zones/:zoneId/execute-command',\n\t'POST /stop-controller',\n] as const;\n\nexport type ExternalControllerRoute = (typeof externalControllerRoutes)[number];\n\nexport type ControllerRequestPolicyIdempotency = 'read' | 'safe-mutation' | 'unsafe-mutation';\n\ninterface ControllerRequestPolicyBase {\n\treadonly idempotency: ControllerRequestPolicyIdempotency;\n\treadonly timeoutMs: number;\n}\n\nexport type ControllerRequestPolicy =\n\t| (ControllerRequestPolicyBase & {\n\t\t\treadonly maxAttempts: 1;\n\t\t\treadonly retryBaseDelayMs: 0;\n\t\t\treadonly retryEnabled: false;\n\t\t\treadonly retryStatuses: readonly [];\n\t })\n\t| (ControllerRequestPolicyBase & {\n\t\t\treadonly maxAttempts: number;\n\t\t\treadonly retryBaseDelayMs: number;\n\t\t\treadonly retryEnabled: true;\n\t\t\treadonly retryStatuses: readonly [number, ...number[]];\n\t });\n\nexport type ControllerRequestPolicyTransportErrorCode =\n\t| 'controller-request-failed'\n\t| 'controller-request-timeout';\n\nexport class ControllerRequestPolicyTransportError extends Error {\n\treadonly code: ControllerRequestPolicyTransportErrorCode;\n\treadonly operation: ControllerRequestPolicyOperation;\n\n\tconstructor(options: {\n\t\treadonly cause: unknown;\n\t\treadonly code: ControllerRequestPolicyTransportErrorCode;\n\t\treadonly operation: ControllerRequestPolicyOperation;\n\t}) {\n\t\tconst causeMessage =\n\t\t\toptions.cause instanceof Error ? options.cause.message : String(options.cause);\n\t\tsuper(`${options.operation} ${options.code}: ${causeMessage}`, {\n\t\t\tcause: options.cause,\n\t\t});\n\t\tthis.code = options.code;\n\t\tthis.operation = options.operation;\n\t}\n}\n\nexport interface FetchControllerWithPolicyOptions {\n\treadonly fetchImpl?: (input: string | URL | Request, init?: RequestInit) => Promise<Response>;\n\treadonly init?: RequestInit;\n\treadonly input: string | URL | Request;\n\treadonly operation: ControllerRequestPolicyOperation;\n\treadonly policy?: ControllerRequestPolicy;\n}\n\nfunction sleep(ms: number, signal?: AbortSignal): Promise<void> {\n\treturn new Promise((resolve, reject) => {\n\t\tif (signal?.aborted === true) {\n\t\t\treject(signal.reason);\n\t\t\treturn;\n\t\t}\n\t\tconst timeout = setTimeout(() => {\n\t\t\tsignal?.removeEventListener('abort', onAbort);\n\t\t\tresolve();\n\t\t}, ms);\n\t\tconst onAbort = (): void => {\n\t\t\tclearTimeout(timeout);\n\t\t\treject(signal?.reason);\n\t\t};\n\t\tsignal?.addEventListener('abort', onAbort, { once: true });\n\t});\n}\n\nfunction shouldRetryResponse(response: Response, policy: ControllerRequestPolicy): boolean {\n\treturn policy.retryEnabled && policy.retryStatuses.includes(response.status);\n}\n\nexport async function drainControllerResponseBody(response: Response): Promise<void> {\n\tif (response.bodyUsed) {\n\t\treturn;\n\t}\n\tawait response.text().catch(() => undefined);\n}\n\nasync function fetchWithTimeout(options: {\n\treadonly fetchImpl: (input: string | URL | Request, init?: RequestInit) => Promise<Response>;\n\treadonly init?: RequestInit | undefined;\n\treadonly input: string | URL | Request;\n\treadonly operation: ControllerRequestPolicyOperation;\n\treadonly timeoutMs: number;\n}): Promise<Response> {\n\tconst abortController = new AbortController();\n\tlet callerAborted = options.init?.signal?.aborted ?? false;\n\tlet timedOut = false;\n\tconst abortFromCaller = (): void => {\n\t\tcallerAborted = true;\n\t\tabortController.abort(options.init?.signal?.reason);\n\t};\n\tconst timeout = setTimeout(() => {\n\t\ttimedOut = true;\n\t\tabortController.abort(\n\t\t\tnew Error(`${options.operation} timed out after ${String(options.timeoutMs)}ms`),\n\t\t);\n\t}, options.timeoutMs);\n\tif (callerAborted) {\n\t\tabortController.abort(options.init?.signal?.reason);\n\t} else {\n\t\toptions.init?.signal?.addEventListener('abort', abortFromCaller, { once: true });\n\t}\n\ttry {\n\t\treturn await options.fetchImpl(options.input, {\n\t\t\t...options.init,\n\t\t\tsignal: abortController.signal,\n\t\t});\n\t} catch (error) {\n\t\tif (callerAborted) {\n\t\t\tthrow error;\n\t\t}\n\t\tthrow new ControllerRequestPolicyTransportError({\n\t\t\tcause: error,\n\t\t\tcode: timedOut ? 'controller-request-timeout' : 'controller-request-failed',\n\t\t\toperation: options.operation,\n\t\t});\n\t} finally {\n\t\tclearTimeout(timeout);\n\t\toptions.init?.signal?.removeEventListener('abort', abortFromCaller);\n\t}\n}\n\nexport async function fetchControllerWithPolicy(\n\toptions: FetchControllerWithPolicyOptions,\n): Promise<Response> {\n\tconst policy = options.policy ?? controllerRequestPolicies[options.operation];\n\tconst fetchImpl = options.fetchImpl ?? fetch;\n\tlet lastTransportError: ControllerRequestPolicyTransportError | undefined;\n\tfor (let attempt = 1; attempt <= policy.maxAttempts; attempt += 1) {\n\t\ttry {\n\t\t\t// oxlint-disable-next-line eslint/no-await-in-loop -- controller retries must remain ordered by attempt and backoff.\n\t\t\tconst response = await fetchWithTimeout({\n\t\t\t\tfetchImpl,\n\t\t\t\tinit: options.init,\n\t\t\t\tinput: options.input,\n\t\t\t\toperation: options.operation,\n\t\t\t\ttimeoutMs: policy.timeoutMs,\n\t\t\t});\n\t\t\tif (attempt < policy.maxAttempts && shouldRetryResponse(response, policy)) {\n\t\t\t\t// oxlint-disable-next-line eslint/no-await-in-loop -- drain before retrying so undici can release the response body.\n\t\t\t\tawait drainControllerResponseBody(response);\n\t\t\t\tif (policy.retryBaseDelayMs > 0) {\n\t\t\t\t\t// oxlint-disable-next-line eslint/no-await-in-loop -- retry backoff is intentionally sequential.\n\t\t\t\t\tawait sleep(policy.retryBaseDelayMs, options.init?.signal ?? undefined);\n\t\t\t\t}\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\treturn response;\n\t\t} catch (error) {\n\t\t\tif (!(error instanceof ControllerRequestPolicyTransportError)) {\n\t\t\t\tthrow error;\n\t\t\t}\n\t\t\tlastTransportError = error;\n\t\t\tif (!(policy.retryEnabled && attempt < policy.maxAttempts)) {\n\t\t\t\tthrow error;\n\t\t\t}\n\t\t\tif (policy.retryBaseDelayMs > 0) {\n\t\t\t\t// oxlint-disable-next-line eslint/no-await-in-loop -- retry backoff is intentionally sequential.\n\t\t\t\tawait sleep(policy.retryBaseDelayMs, options.init?.signal ?? undefined);\n\t\t\t}\n\t\t}\n\t}\n\tthrow lastTransportError ?? new Error(`${options.operation} failed without a response`);\n}\n\nexport const controllerRequestPolicies = {\n\t'controller-health': {\n\t\tidempotency: 'read',\n\t\tmaxAttempts: 1,\n\t\tretryBaseDelayMs: 0,\n\t\tretryEnabled: false,\n\t\tretryStatuses: [],\n\t\ttimeoutMs: 3_000,\n\t},\n\t'health-event-publish': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 1,\n\t\tretryBaseDelayMs: 0,\n\t\tretryEnabled: false,\n\t\tretryStatuses: [],\n\t\ttimeoutMs: 3_000,\n\t},\n\t'openclaw-runtime-status': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 30,\n\t\tretryBaseDelayMs: 1_000,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [429, 503, 504],\n\t\ttimeoutMs: 3_000,\n\t},\n\t'zone-git-push': {\n\t\tidempotency: 'unsafe-mutation',\n\t\tmaxAttempts: 1,\n\t\tretryBaseDelayMs: 0,\n\t\tretryEnabled: false,\n\t\tretryStatuses: [],\n\t\ttimeoutMs: 120_000,\n\t},\n\t'lease-create': {\n\t\tidempotency: 'unsafe-mutation',\n\t\tmaxAttempts: 1,\n\t\tretryBaseDelayMs: 0,\n\t\tretryEnabled: false,\n\t\tretryStatuses: [],\n\t\ttimeoutMs: 180_000,\n\t},\n\t'lease-get': {\n\t\tidempotency: 'read',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [503, 504],\n\t\ttimeoutMs: 5_000,\n\t},\n\t'lease-peek': {\n\t\tidempotency: 'read',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [503, 504],\n\t\ttimeoutMs: 5_000,\n\t},\n\t'lease-list': {\n\t\tidempotency: 'read',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [503, 504],\n\t\ttimeoutMs: 5_000,\n\t},\n\t'lease-renew': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 3,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [429, 503, 504],\n\t\ttimeoutMs: 10_000,\n\t},\n\t'lease-release': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [503, 504],\n\t\ttimeoutMs: 5_000,\n\t},\n\t'lease-use-start': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [429, 503, 504],\n\t\ttimeoutMs: 10_000,\n\t},\n\t'lease-heartbeat': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [429, 503, 504],\n\t\ttimeoutMs: 5_000,\n\t},\n\t'lease-use-end': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [503, 504],\n\t\ttimeoutMs: 5_000,\n\t},\n\t'worker-push-branches': {\n\t\tidempotency: 'unsafe-mutation',\n\t\tmaxAttempts: 1,\n\t\tretryBaseDelayMs: 0,\n\t\tretryEnabled: false,\n\t\tretryStatuses: [],\n\t\ttimeoutMs: 120_000,\n\t},\n\t'worker-pull-default': {\n\t\tidempotency: 'unsafe-mutation',\n\t\tmaxAttempts: 1,\n\t\tretryBaseDelayMs: 0,\n\t\tretryEnabled: false,\n\t\tretryStatuses: [],\n\t\ttimeoutMs: 120_000,\n\t},\n} satisfies Record<ControllerRequestPolicyOperation, ControllerRequestPolicy>;\n","import { gatewayTypeValues, type GatewayType } from '../gateway-runtime-contract.js';\nimport {\n\tgenericControllerRequestEventOperations,\n\ttype GenericControllerRequestEventOperation,\n} from './controller-request-policy.js';\n\nexport const agentVmHealthEventKinds = [\n\t'gateway-service-health',\n\t'gateway-control-link',\n\t'controller-request',\n\t'lease-renew',\n\t'lease-heartbeat',\n\t'tool-vm-ssh',\n\t'gateway-plugin-health',\n] as const;\n\nexport type AgentVmHealthEventKind = (typeof agentVmHealthEventKinds)[number];\n\nexport const agentVmHealthResultKinds = ['ok', 'failed', 'timeout', 'stale'] as const;\n\nexport type AgentVmHealthResultKind = (typeof agentVmHealthResultKinds)[number];\n\nexport interface AgentVmHealthEventBase {\n\treadonly observedAtMs: number;\n\treadonly result: AgentVmHealthResultKind;\n\treadonly zoneId: string;\n}\n\nexport type ToolVmSshHealthOperation = 'command' | 'file-bridge' | 'finalize' | 'probe';\n\nexport const gatewayControlLinkHealthPins = {\n\tcontrollerHost: 'controller.vm.host',\n\tcontrollerPort: 18800,\n\toperation: 'controller-health',\n\tpath: '/health',\n} as const;\n\nexport type AgentVmHealthEvent =\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly kind: 'gateway-service-health';\n\t\t\treadonly path: string;\n\t\t\treadonly port: number;\n\t\t\treadonly statusCode?: number | undefined;\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly controllerHost: typeof gatewayControlLinkHealthPins.controllerHost;\n\t\t\treadonly controllerPort: typeof gatewayControlLinkHealthPins.controllerPort;\n\t\t\treadonly elapsedMs: number;\n\t\t\treadonly kind: 'gateway-control-link';\n\t\t\treadonly operation: typeof gatewayControlLinkHealthPins.operation;\n\t\t\treadonly path: typeof gatewayControlLinkHealthPins.path;\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly attempt: number;\n\t\t\treadonly elapsedMs: number;\n\t\t\treadonly errorCode?: string | undefined;\n\t\t\treadonly kind: 'controller-request';\n\t\t\treadonly maxAttempts: number;\n\t\t\treadonly operation: GenericControllerRequestEventOperation;\n\t\t\treadonly statusCode?: number | undefined;\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly agentId: string;\n\t\t\treadonly elapsedMs: number;\n\t\t\treadonly errorCode?: string | undefined;\n\t\t\treadonly kind: 'lease-renew';\n\t\t\treadonly leaseId: string;\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly agentId: string;\n\t\t\treadonly elapsedMs: number;\n\t\t\treadonly errorCode?: string | undefined;\n\t\t\treadonly kind: 'lease-heartbeat';\n\t\t\treadonly leaseId: string;\n\t\t\treadonly useId: string;\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly agentId: string;\n\t\t\treadonly elapsedMs: number;\n\t\t\treadonly errorCode?: string | undefined;\n\t\t\treadonly kind: 'tool-vm-ssh';\n\t\t\treadonly leaseId: string;\n\t\t\treadonly operation: ToolVmSshHealthOperation;\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly gatewayService: GatewayType;\n\t\t\treadonly kind: 'gateway-plugin-health';\n\t\t\treadonly state: 'starting' | 'ready' | 'stopping' | 'failed';\n\t });\n\nexport const zoneHealthStateKinds = ['unknown', 'ok', 'stale', 'failed'] as const;\n\nexport type ZoneHealthStateKind = (typeof zoneHealthStateKinds)[number];\n\nexport const zoneHealthIssueKinds = [\n\t'gateway-service-unhealthy',\n\t'gateway-control-link-unhealthy',\n\t'controller-request-failing',\n\t'lease-heartbeat-failing',\n\t'lease-renew-failing',\n\t'tool-vm-ssh-failing',\n\t'gateway-plugin-unhealthy',\n\t'health-event-stale',\n] as const;\n\nexport type ZoneHealthIssueKind = (typeof zoneHealthIssueKinds)[number];\n\nexport interface ZoneHealthIssue {\n\treadonly kind: ZoneHealthIssueKind;\n\treadonly latestEvent: AgentVmHealthEvent;\n\treadonly message: string;\n\treadonly sinceMs: number;\n}\n\nexport type ZoneHealthSnapshot =\n\t| {\n\t\t\treadonly kind: 'unknown';\n\t\t\treadonly reason: 'no-events';\n\t\t\treadonly zoneId: string;\n\t }\n\t| {\n\t\t\treadonly kind: 'ok';\n\t\t\treadonly latestEvents: readonly AgentVmHealthEvent[];\n\t\t\treadonly zoneId: string;\n\t }\n\t| {\n\t\t\treadonly issues: readonly ZoneHealthIssue[];\n\t\t\treadonly kind: 'stale' | 'failed';\n\t\t\treadonly latestEvents: readonly AgentVmHealthEvent[];\n\t\t\treadonly zoneId: string;\n\t };\n\nexport interface DeriveZoneHealthSnapshotOptions {\n\treadonly nowMs: number;\n\treadonly staleAfterMs: number;\n\treadonly zoneId: string;\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n\treturn typeof value === 'object' && value !== null && !Array.isArray(value);\n}\n\nfunction isOneOf<TValues extends readonly string[]>(\n\tvalues: TValues,\n\tvalue: unknown,\n): value is TValues[number] {\n\treturn typeof value === 'string' && values.includes(value);\n}\n\nfunction isNonNegativeFiniteNumber(value: unknown): value is number {\n\treturn typeof value === 'number' && Number.isFinite(value) && value >= 0;\n}\n\nfunction hasBaseEventFields(record: Record<string, unknown>): boolean {\n\treturn (\n\t\tisNonNegativeFiniteNumber(record.observedAtMs) &&\n\t\tisOneOf(agentVmHealthResultKinds, record.result) &&\n\t\ttypeof record.zoneId === 'string' &&\n\t\trecord.zoneId.length > 0\n\t);\n}\n\nfunction optionalString(value: unknown): boolean {\n\treturn value === undefined || typeof value === 'string';\n}\n\nfunction optionalStatusCode(value: unknown): boolean {\n\treturn value === undefined || Number.isInteger(value);\n}\n\nexport function isAgentVmHealthEvent(value: unknown): value is AgentVmHealthEvent {\n\tif (!isRecord(value) || !hasBaseEventFields(value)) {\n\t\treturn false;\n\t}\n\tswitch (value.kind) {\n\t\tcase 'gateway-service-health':\n\t\t\treturn (\n\t\t\t\ttypeof value.path === 'string' &&\n\t\t\t\tvalue.path.length > 0 &&\n\t\t\t\tNumber.isInteger(value.port) &&\n\t\t\t\toptionalStatusCode(value.statusCode)\n\t\t\t);\n\t\tcase 'gateway-control-link':\n\t\t\treturn (\n\t\t\t\tvalue.controllerHost === gatewayControlLinkHealthPins.controllerHost &&\n\t\t\t\tvalue.controllerPort === gatewayControlLinkHealthPins.controllerPort &&\n\t\t\t\tisNonNegativeFiniteNumber(value.elapsedMs) &&\n\t\t\t\tvalue.operation === gatewayControlLinkHealthPins.operation &&\n\t\t\t\tvalue.path === gatewayControlLinkHealthPins.path\n\t\t\t);\n\t\tcase 'controller-request':\n\t\t\treturn (\n\t\t\t\tNumber.isInteger(value.attempt) &&\n\t\t\t\tisNonNegativeFiniteNumber(value.elapsedMs) &&\n\t\t\t\toptionalString(value.errorCode) &&\n\t\t\t\tNumber.isInteger(value.maxAttempts) &&\n\t\t\t\tisOneOf(genericControllerRequestEventOperations, value.operation) &&\n\t\t\t\toptionalStatusCode(value.statusCode)\n\t\t\t);\n\t\tcase 'lease-renew':\n\t\t\treturn (\n\t\t\t\ttypeof value.agentId === 'string' &&\n\t\t\t\tisNonNegativeFiniteNumber(value.elapsedMs) &&\n\t\t\t\toptionalString(value.errorCode) &&\n\t\t\t\ttypeof value.leaseId === 'string'\n\t\t\t);\n\t\tcase 'lease-heartbeat':\n\t\t\treturn (\n\t\t\t\ttypeof value.agentId === 'string' &&\n\t\t\t\tisNonNegativeFiniteNumber(value.elapsedMs) &&\n\t\t\t\toptionalString(value.errorCode) &&\n\t\t\t\ttypeof value.leaseId === 'string' &&\n\t\t\t\ttypeof value.useId === 'string'\n\t\t\t);\n\t\tcase 'tool-vm-ssh':\n\t\t\treturn (\n\t\t\t\ttypeof value.agentId === 'string' &&\n\t\t\t\tisNonNegativeFiniteNumber(value.elapsedMs) &&\n\t\t\t\toptionalString(value.errorCode) &&\n\t\t\t\ttypeof value.leaseId === 'string' &&\n\t\t\t\tisOneOf(['command', 'file-bridge', 'finalize', 'probe'] as const, value.operation)\n\t\t\t);\n\t\tcase 'gateway-plugin-health':\n\t\t\treturn (\n\t\t\t\tisOneOf(gatewayTypeValues, value.gatewayService) &&\n\t\t\t\tisOneOf(['starting', 'ready', 'stopping', 'failed'] as const, value.state)\n\t\t\t);\n\t\tdefault:\n\t\t\treturn false;\n\t}\n}\n\nexport function healthEventBucketKey(event: AgentVmHealthEvent): string {\n\tswitch (event.kind) {\n\t\tcase 'gateway-control-link':\n\t\t\treturn `${event.zoneId}:${event.kind}`;\n\t\tcase 'gateway-service-health':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.port}:${event.path}`;\n\t\tcase 'controller-request':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.operation}`;\n\t\tcase 'lease-heartbeat':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.leaseId}:${event.useId}`;\n\t\tcase 'lease-renew':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.leaseId}`;\n\t\tcase 'tool-vm-ssh':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.leaseId}:${event.operation}`;\n\t\tcase 'gateway-plugin-health':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.gatewayService}`;\n\t}\n\treturn assertNeverHealthEvent(event);\n}\n\nfunction failedIssueKindForEvent(event: AgentVmHealthEvent): ZoneHealthIssueKind {\n\tswitch (event.kind) {\n\t\tcase 'gateway-service-health':\n\t\t\treturn 'gateway-service-unhealthy';\n\t\tcase 'gateway-control-link':\n\t\t\treturn 'gateway-control-link-unhealthy';\n\t\tcase 'controller-request':\n\t\t\treturn 'controller-request-failing';\n\t\tcase 'lease-heartbeat':\n\t\t\treturn 'lease-heartbeat-failing';\n\t\tcase 'lease-renew':\n\t\t\treturn 'lease-renew-failing';\n\t\tcase 'tool-vm-ssh':\n\t\t\treturn 'tool-vm-ssh-failing';\n\t\tcase 'gateway-plugin-health':\n\t\t\treturn 'gateway-plugin-unhealthy';\n\t}\n\treturn assertNeverHealthEvent(event);\n}\n\nfunction assertNeverHealthEvent(event: never): never {\n\tthrow new Error(`Unhandled health event kind: ${JSON.stringify(event)}`);\n}\n\nfunction issueForEvent(\n\tevent: AgentVmHealthEvent,\n\toptions: DeriveZoneHealthSnapshotOptions,\n): ZoneHealthIssue | undefined {\n\tif (options.nowMs - event.observedAtMs > options.staleAfterMs) {\n\t\treturn {\n\t\t\tkind: 'health-event-stale',\n\t\t\tlatestEvent: event,\n\t\t\tmessage: `${event.kind} health event is stale`,\n\t\t\tsinceMs: event.observedAtMs,\n\t\t};\n\t}\n\tif (event.result === 'failed' || event.result === 'timeout' || event.result === 'stale') {\n\t\treturn {\n\t\t\tkind: failedIssueKindForEvent(event),\n\t\t\tlatestEvent: event,\n\t\t\tmessage: `${event.kind} health event reported ${event.result}`,\n\t\t\tsinceMs: event.observedAtMs,\n\t\t};\n\t}\n\treturn undefined;\n}\n\nexport function deriveZoneHealthSnapshot(\n\tevents: readonly AgentVmHealthEvent[],\n\toptions: DeriveZoneHealthSnapshotOptions,\n): ZoneHealthSnapshot {\n\tconst latestByKey = new Map<string, AgentVmHealthEvent>();\n\tfor (const event of events) {\n\t\tif (event.zoneId !== options.zoneId) {\n\t\t\tcontinue;\n\t\t}\n\t\tconst key = healthEventBucketKey(event);\n\t\tconst previous = latestByKey.get(key);\n\t\tif (!previous || previous.observedAtMs <= event.observedAtMs) {\n\t\t\tlatestByKey.set(key, event);\n\t\t}\n\t}\n\tconst latestEvents = [...latestByKey.values()].toSorted(\n\t\t(first, second) => second.observedAtMs - first.observedAtMs,\n\t);\n\tif (latestEvents.length === 0) {\n\t\treturn { kind: 'unknown', reason: 'no-events', zoneId: options.zoneId };\n\t}\n\tconst issues = latestEvents\n\t\t.map((event) => issueForEvent(event, options))\n\t\t.filter((issue): issue is ZoneHealthIssue => issue !== undefined);\n\tif (issues.length === 0) {\n\t\treturn { kind: 'ok', latestEvents, zoneId: options.zoneId };\n\t}\n\tif (issues.some((issue) => issue.kind === 'health-event-stale')) {\n\t\treturn { issues, kind: 'stale', latestEvents, zoneId: options.zoneId };\n\t}\n\treturn { issues, kind: 'failed', latestEvents, zoneId: options.zoneId };\n}\n","/**\n * Canonical NODE_OPTIONS value for forcing IPv4-preference egress\n * in agent-vm VMs.\n *\n * Background: Gondolin's synthetic DNS (when tcpHosts is enabled)\n * returns a per-host IPv4 (reverse-lookable) and a single shared\n * IPv4-mapped IPv6 (::ffff:198.18.0.1, NOT reverse-lookable). Node\n * 20+'s fetch (via undici, autoSelectFamily: true) races both\n * families; when the IPv6 race wins (~5-20% under sequential load),\n * gondolin cannot route it and the request fails with a non-JSON\n * 400 (HTTP) or 403 (TLS). The two flags below stop the race:\n *\n * --dns-result-order=ipv4first changes dns.lookup() so\n * IPv4 addresses are listed\n * before IPv6.\n *\n * --no-network-family-autoselection disables Node's Happy\n * Eyeballs entirely. This is\n * the load-bearing flag —\n * --dns-result-order alone\n * doesn't prevent Node from\n * racing both families if\n * IPv4 is slow.\n *\n * Composition: NODE_OPTIONS is whitespace-separated. To add more\n * flags downstream, append rather than replace. Example:\n *\n * NODE_OPTIONS: `${FORCE_IPV4_EGRESS_NODE_OPTIONS} --inspect`\n *\n * Reference: see `shravan-claw@0ddf5f2:docs/wip/debugging/\n * 2026-05-21-lease-keepalive-400-and-discord-403-ipv6-race.md`\n * for the full root-cause analysis. Node-side flag references:\n * https://github.com/nodejs/node/issues/54359 (autoSelectFamily\n * revert recommendation by the Node core team).\n */\nexport const FORCE_IPV4_EGRESS_NODE_OPTIONS =\n\t'--dns-result-order=ipv4first --no-network-family-autoselection';\n\nconst FORCE_IPV4_EGRESS_NODE_OPTION_FLAGS = FORCE_IPV4_EGRESS_NODE_OPTIONS.split(/\\s+/u);\n\n/**\n * Compose the forced IPv4-preference flags with a user-provided\n * NODE_OPTIONS value (if any).\n *\n * Use this at every site where NODE_OPTIONS is set into a VM env\n * block AFTER a spread of user-controlled secrets, to guarantee\n * the forced flags are always present in the final value even if\n * a zone secret happens to provide its own NODE_OPTIONS.\n *\n * Forced flags come FIRST so they are unambiguously applied.\n * User-provided flags are appended verbatim except for duplicate\n * forced IPv4-preference flags. Node treats NODE_OPTIONS as a\n * whitespace-separated list and all flags apply.\n *\n * Returns just the forced flags if the user value is undefined,\n * empty, or whitespace-only.\n *\n * Examples:\n *\n * composeNodeOptions(undefined)\n * ──► '--dns-result-order=ipv4first --no-network-family-autoselection'\n *\n * composeNodeOptions('')\n * ──► '--dns-result-order=ipv4first --no-network-family-autoselection'\n *\n * composeNodeOptions('--inspect=0.0.0.0:9229')\n * ──► '--dns-result-order=ipv4first --no-network-family-autoselection\n * --inspect=0.0.0.0:9229'\n */\nexport function composeNodeOptions(userValue: string | undefined): string {\n\tconst trimmed = userValue?.trim() ?? '';\n\tif (trimmed === '') {\n\t\treturn FORCE_IPV4_EGRESS_NODE_OPTIONS;\n\t}\n\tconst userFlags = trimmed\n\t\t.split(/\\s+/u)\n\t\t.filter((flag) => !FORCE_IPV4_EGRESS_NODE_OPTION_FLAGS.includes(flag));\n\tif (userFlags.length === 0) {\n\t\treturn FORCE_IPV4_EGRESS_NODE_OPTIONS;\n\t}\n\treturn `${FORCE_IPV4_EGRESS_NODE_OPTIONS} ${userFlags.join(' ')}`;\n}\n","import type { MediatedSecretSpec } from '@agent-vm/secret-management';\n\nimport { targetsAudience, type RuntimeVmAudience } from './audience.js';\nimport type { GatewaySecretConfig, GatewayZoneConfig } from './gateway-lifecycle.js';\n\nexport interface SplitResolvedSecretsResult {\n\treadonly environmentSecrets: Record<string, string>;\n\treadonly mediatedSecrets: Record<string, MediatedSecretSpec>;\n}\n\nexport interface MergeRuntimeGatewaySecretsOptions {\n\treadonly logPrefix?: string;\n\treadonly runtimeEnvironment?: Readonly<Record<string, string>> | undefined;\n\treadonly runtimeMediatedSecrets?: Readonly<Record<string, MediatedSecretSpec>> | undefined;\n}\n\nexport type SecretInjectionConfig = GatewaySecretConfig;\n\nexport interface SplitResolvedSecretsOptions {\n\treadonly audience: RuntimeVmAudience;\n\treadonly logPrefix?: string;\n}\n\nexport function splitResolvedSecretsByInjection(\n\tsecretConfigs: Readonly<Record<string, SecretInjectionConfig>>,\n\tresolvedSecrets: Record<string, string>,\n\toptions: SplitResolvedSecretsOptions,\n): SplitResolvedSecretsResult {\n\tconst environmentSecrets: Record<string, string> = {};\n\tconst mediatedSecrets: Record<string, MediatedSecretSpec> = {};\n\tconst logPrefix = options.logPrefix ?? 'split-resolved-secrets';\n\n\tfor (const [secretName, secretValue] of Object.entries(resolvedSecrets)) {\n\t\tconst secretConfig = secretConfigs[secretName];\n\t\tif (!secretConfig) {\n\t\t\tthrow new Error(\n\t\t\t\t`[${logPrefix}] Secret '${secretName}' was resolved but has no matching secret config.`,\n\t\t\t);\n\t\t}\n\t\tif (!targetsAudience(secretConfig.audience, options.audience)) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (secretConfig.injection === 'http-mediation') {\n\t\t\tif (secretConfig.hosts.length === 0) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`[${logPrefix}] Secret '${secretName}' uses http-mediation but declares no hosts.`,\n\t\t\t\t);\n\t\t\t}\n\t\t\tmediatedSecrets[secretName] = {\n\t\t\t\thosts: [...secretConfig.hosts],\n\t\t\t\tvalue: secretValue,\n\t\t\t};\n\t\t\tcontinue;\n\t\t}\n\n\t\tconst envSecretAudience = (secretConfig as { readonly audience: string }).audience;\n\t\tif (envSecretAudience !== 'gateway') {\n\t\t\tthrow new Error(\n\t\t\t\t`[${logPrefix}] Secret '${secretName}' uses env injection with non-gateway audience '${envSecretAudience}'.`,\n\t\t\t);\n\t\t}\n\t\tif (options.audience === 'gateway') {\n\t\t\tenvironmentSecrets[secretName] = secretValue;\n\t\t}\n\t}\n\n\treturn { environmentSecrets, mediatedSecrets };\n}\n\nexport type SplitResolvedGatewaySecretsResult = SplitResolvedSecretsResult;\n\nexport function splitResolvedGatewaySecrets(\n\tzone: GatewayZoneConfig,\n\tresolvedSecrets: Record<string, string>,\n): SplitResolvedGatewaySecretsResult {\n\treturn splitResolvedSecretsByInjection(zone.secrets, resolvedSecrets, {\n\t\taudience: 'gateway',\n\t\tlogPrefix: 'split-resolved-gateway-secrets',\n\t});\n}\n\nfunction assertNoRuntimeSecretCollision(\n\tsecretName: string,\n\ttarget: 'environment' | 'http-mediation',\n\tbaseSecrets: SplitResolvedSecretsResult,\n\truntimeSeen: Set<string>,\n\tlogPrefix: string,\n): void {\n\tif (runtimeSeen.has(secretName)) {\n\t\tthrow new Error(\n\t\t\t`[${logPrefix}] Runtime gateway secret '${secretName}' is declared for both environment and http-mediation injection.`,\n\t\t);\n\t}\n\tif (secretName in baseSecrets.environmentSecrets) {\n\t\tthrow new Error(\n\t\t\t`[${logPrefix}] Runtime gateway ${target} secret '${secretName}' would overwrite an authored environment secret.`,\n\t\t);\n\t}\n\tif (secretName in baseSecrets.mediatedSecrets) {\n\t\tthrow new Error(\n\t\t\t`[${logPrefix}] Runtime gateway ${target} secret '${secretName}' would overwrite an authored http-mediation secret.`,\n\t\t);\n\t}\n\truntimeSeen.add(secretName);\n}\n\nexport function mergeRuntimeGatewaySecrets(\n\tbaseSecrets: SplitResolvedSecretsResult,\n\toptions: MergeRuntimeGatewaySecretsOptions = {},\n): SplitResolvedSecretsResult {\n\tconst logPrefix = options.logPrefix ?? 'merge-runtime-gateway-secrets';\n\tconst runtimeSeen = new Set<string>();\n\tfor (const secretName of Object.keys(options.runtimeEnvironment ?? {})) {\n\t\tassertNoRuntimeSecretCollision(secretName, 'environment', baseSecrets, runtimeSeen, logPrefix);\n\t}\n\tfor (const secretName of Object.keys(options.runtimeMediatedSecrets ?? {})) {\n\t\tassertNoRuntimeSecretCollision(\n\t\t\tsecretName,\n\t\t\t'http-mediation',\n\t\t\tbaseSecrets,\n\t\t\truntimeSeen,\n\t\t\tlogPrefix,\n\t\t);\n\t}\n\n\treturn {\n\t\tenvironmentSecrets: {\n\t\t\t...baseSecrets.environmentSecrets,\n\t\t\t...options.runtimeEnvironment,\n\t\t},\n\t\tmediatedSecrets: {\n\t\t\t...baseSecrets.mediatedSecrets,\n\t\t\t...options.runtimeMediatedSecrets,\n\t\t},\n\t};\n}\n","import { v7 as uuidv7, validate as validateUuid, version as uuidVersion } from 'uuid';\n\nexport type ToolVmActiveUseOutcome =\n\t| 'abandoned'\n\t| 'cancelled'\n\t| 'completed'\n\t| 'failed'\n\t| 'timed-out';\n\nexport interface ToolVmActiveUseCorrelation {\n\treadonly agentId?: string | undefined;\n\treadonly sessionId?: string | undefined;\n\treadonly sessionKey?: string | undefined;\n\treadonly toolCallId?: string | undefined;\n\treadonly toolName?: string | undefined;\n}\n\nexport type ToolVmSshOperationPhase =\n\t| 'completed'\n\t| 'failed'\n\t| 'probe-succeeded'\n\t| 'running'\n\t| 'starting';\n\nexport type ToolVmSshFailureKind =\n\t| 'active-use-refreshable-failure'\n\t| 'ssh-command-failed'\n\t| 'ssh-command-timed-out'\n\t| 'ssh-probe-failed';\n\nexport interface ToolVmSshFailureReport {\n\treadonly kind: ToolVmSshFailureKind;\n\treadonly message: string;\n}\n\nexport interface ToolVmSshOperationReport {\n\treadonly failure?: ToolVmSshFailureReport | undefined;\n\treadonly probeSucceeded?: boolean | undefined;\n}\n\nexport interface ToolVmActiveUseOperationReport {\n\treadonly observedAtMs: number;\n\treadonly phase: ToolVmSshOperationPhase;\n\treadonly ssh?: ToolVmSshOperationReport | undefined;\n}\n\nexport interface StartToolVmActiveUseRequest {\n\treadonly correlation?: ToolVmActiveUseCorrelation | undefined;\n\treadonly report?: ToolVmActiveUseOperationReport | undefined;\n\treadonly useId: string;\n}\n\nexport interface StartToolVmActiveUseResponse {\n\treadonly expiresAt: number;\n\treadonly heartbeatAfterMs: number;\n\treadonly useId: string;\n}\n\nexport interface HeartbeatToolVmActiveUseResponse {\n\treadonly expiresAt: number;\n\treadonly heartbeatAfterMs: number;\n}\n\nexport interface HeartbeatToolVmActiveUseRequest {\n\treadonly report?: ToolVmActiveUseOperationReport | undefined;\n}\n\nexport interface EndToolVmActiveUseRequest {\n\treadonly outcome: ToolVmActiveUseOutcome;\n\treadonly report?: ToolVmActiveUseOperationReport | undefined;\n}\n\nexport interface ToolVmActiveUseHandle {\n\treadonly signal: AbortSignal;\n\treadonly useId: string;\n\tdispose(outcome?: ToolVmActiveUseOutcome): Promise<void>;\n\tend(outcome?: ToolVmActiveUseOutcome): Promise<void>;\n\treport(report: ToolVmActiveUseOperationReport): void;\n}\n\nexport interface CreateToolVmActiveUseHandleOptions {\n\treadonly correlation?: ToolVmActiveUseCorrelation | undefined;\n\treadonly endActiveUse: (useId: string, request: EndToolVmActiveUseRequest) => Promise<void>;\n\treadonly heartbeatActiveUse: (\n\t\tuseId: string,\n\t\trequest: HeartbeatToolVmActiveUseRequest,\n\t) => Promise<HeartbeatToolVmActiveUseResponse>;\n\treadonly heartbeatJitterRatio?: number | undefined;\n\treadonly isEndErrorTolerable?: (error: unknown) => boolean;\n\treadonly isHeartbeatErrorRefreshable?: (error: unknown) => boolean;\n\treadonly logEndFailure?: (error: unknown) => void;\n\treadonly logHeartbeatFailure?: (error: unknown) => void;\n\treadonly maxHeartbeatDurationMs?: number | undefined;\n\treadonly nowImpl?: (() => number) | undefined;\n\treadonly onRefreshableHeartbeatFailure?: (error: unknown) => Promise<void>;\n\treadonly randomImpl?: (() => number) | undefined;\n\treadonly startActiveUse: (\n\t\trequest: StartToolVmActiveUseRequest,\n\t) => Promise<StartToolVmActiveUseResponse>;\n\treadonly setTimeoutImpl?: typeof setTimeout | undefined;\n\treadonly clearTimeoutImpl?: typeof clearTimeout | undefined;\n}\n\ntype HeartbeatTimer = ReturnType<typeof setTimeout>;\n\nconst defaultMaxHeartbeatDurationMs = 12 * 60 * 60 * 1000;\n\nfunction jitterDelayMs(params: {\n\treadonly delayMs: number;\n\treadonly jitterRatio: number;\n\treadonly random: () => number;\n}): number {\n\tif (params.jitterRatio <= 0) {\n\t\treturn params.delayMs;\n\t}\n\tconst spreadMs = params.delayMs * params.jitterRatio;\n\tconst minMs = params.delayMs - spreadMs;\n\tconst jitteredMs = minMs + params.random() * spreadMs * 2;\n\treturn Math.max(1, Math.round(jitteredMs));\n}\n\nexport function createToolVmActiveUseId(): string {\n\treturn uuidv7();\n}\n\nexport function isToolVmActiveUseId(value: string): boolean {\n\treturn validateUuid(value) && uuidVersion(value) === 7;\n}\n\nexport async function createToolVmActiveUseHandle(\n\toptions: CreateToolVmActiveUseHandleOptions,\n): Promise<ToolVmActiveUseHandle> {\n\tconst useId = createToolVmActiveUseId();\n\tconst startedUse = await options.startActiveUse({\n\t\t...(options.correlation ? { correlation: options.correlation } : {}),\n\t\tuseId,\n\t});\n\tconst setTimeoutImpl = options.setTimeoutImpl ?? setTimeout;\n\tconst clearTimeoutImpl = options.clearTimeoutImpl ?? clearTimeout;\n\tconst now = options.nowImpl ?? Date.now;\n\tconst startedAt = now();\n\tconst maxHeartbeatDurationMs = options.maxHeartbeatDurationMs ?? defaultMaxHeartbeatDurationMs;\n\tconst heartbeatJitterRatio = options.heartbeatJitterRatio ?? 0.1;\n\tconst random = options.randomImpl ?? Math.random;\n\tconst operationAbortController = new AbortController();\n\tlet ended = false;\n\tlet heartbeatTimer: HeartbeatTimer | undefined;\n\tlet latestReport: ToolVmActiveUseOperationReport | undefined;\n\n\tconst clearHeartbeatTimer = (): void => {\n\t\tif (heartbeatTimer) {\n\t\t\tclearTimeoutImpl(heartbeatTimer);\n\t\t\theartbeatTimer = undefined;\n\t\t}\n\t};\n\n\tconst scheduleHeartbeat = (delayMs: number): void => {\n\t\tif (now() - startedAt >= maxHeartbeatDurationMs) {\n\t\t\treturn;\n\t\t}\n\t\tclearHeartbeatTimer();\n\t\theartbeatTimer = setTimeoutImpl(\n\t\t\t() => {\n\t\t\t\tif (now() - startedAt >= maxHeartbeatDurationMs) {\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tconst heartbeatRequest: HeartbeatToolVmActiveUseRequest =\n\t\t\t\t\tlatestReport === undefined ? {} : { report: latestReport };\n\t\t\t\tvoid options\n\t\t\t\t\t.heartbeatActiveUse(startedUse.useId, heartbeatRequest)\n\t\t\t\t\t.then((heartbeat) => {\n\t\t\t\t\t\tif (!ended) {\n\t\t\t\t\t\t\tscheduleHeartbeat(heartbeat.heartbeatAfterMs);\n\t\t\t\t\t\t}\n\t\t\t\t\t})\n\t\t\t\t\t.catch((error: unknown) => {\n\t\t\t\t\t\toptions.logHeartbeatFailure?.(error);\n\t\t\t\t\t\tif (\n\t\t\t\t\t\t\toptions.isHeartbeatErrorRefreshable?.(error) === true &&\n\t\t\t\t\t\t\toptions.onRefreshableHeartbeatFailure\n\t\t\t\t\t\t) {\n\t\t\t\t\t\t\toperationAbortController.abort(error);\n\t\t\t\t\t\t\tended = true;\n\t\t\t\t\t\t\tclearHeartbeatTimer();\n\t\t\t\t\t\t\tvoid options.onRefreshableHeartbeatFailure(error).catch((staleError: unknown) => {\n\t\t\t\t\t\t\t\toptions.logHeartbeatFailure?.(staleError);\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!ended) {\n\t\t\t\t\t\t\tscheduleHeartbeat(startedUse.heartbeatAfterMs);\n\t\t\t\t\t\t}\n\t\t\t\t\t});\n\t\t\t},\n\t\t\tjitterDelayMs({ delayMs, jitterRatio: heartbeatJitterRatio, random }),\n\t\t);\n\t};\n\n\tscheduleHeartbeat(startedUse.heartbeatAfterMs);\n\n\tconst end = async (outcome: ToolVmActiveUseOutcome = 'completed'): Promise<void> => {\n\t\tif (ended) {\n\t\t\treturn;\n\t\t}\n\t\tended = true;\n\t\tclearHeartbeatTimer();\n\t\ttry {\n\t\t\tawait options.endActiveUse(startedUse.useId, {\n\t\t\t\toutcome,\n\t\t\t\t...(latestReport === undefined ? {} : { report: latestReport }),\n\t\t\t});\n\t\t} catch (error) {\n\t\t\tif (options.isEndErrorTolerable?.(error) === true) {\n\t\t\t\toptions.logEndFailure?.(error);\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tthrow error;\n\t\t}\n\t};\n\n\treturn {\n\t\tsignal: operationAbortController.signal,\n\t\tuseId: startedUse.useId,\n\t\tdispose: end,\n\t\tend,\n\t\treport: (report): void => {\n\t\t\tif (ended) {\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tlatestReport = report;\n\t\t},\n\t};\n}\n","export const TOOL_VM_WORKSPACE_GUEST_ROOT = '/workspace';\nexport const TOOL_VM_SCRATCH_GUEST_ROOT = '/work';\nexport const OPENCLAW_STATE_VM_ROOT = '/home/openclaw/.openclaw/state';\nexport const OPENCLAW_STATE_SANDBOXES_VM_ROOT = `${OPENCLAW_STATE_VM_ROOT}/sandboxes`;\n\nexport type RuntimePathNamespace = 'controller-host' | 'openclaw-gateway' | 'tool-vm-guest';\nexport type RuntimePathPurpose = 'executionCwd' | 'leaseMount';\n\nexport interface RuntimePathCapabilities {\n\treadonly executionCwd: boolean;\n\treadonly leaseMount: boolean;\n}\n\nexport type RuntimePathBacking =\n\t| {\n\t\t\treadonly kind: 'host-realfs';\n\t\t\treadonly durability: 'durable' | 'runtime' | 'cache';\n\t\t\treadonly backup: 'included' | 'excluded';\n\t }\n\t| {\n\t\t\treadonly kind: 'guest-rootfs-cow';\n\t\t\treadonly durability: 'vm-lifetime';\n\t };\n\nexport type RuntimePathLocations = Partial<Record<RuntimePathNamespace, string>>;\nexport type RuntimePathHostRealfsLocations =\n\t| {\n\t\t\treadonly 'controller-host': string;\n\t\t\treadonly 'openclaw-gateway'?: string;\n\t\t\treadonly 'tool-vm-guest'?: string;\n\t }\n\t| {\n\t\t\treadonly 'controller-host'?: string;\n\t\t\treadonly 'openclaw-gateway': string;\n\t\t\treadonly 'tool-vm-guest'?: string;\n\t };\nexport interface RuntimePathGuestRootfsCowLocations {\n\treadonly 'controller-host'?: never;\n\treadonly 'openclaw-gateway'?: never;\n\treadonly 'tool-vm-guest': string;\n}\nexport type RuntimePathGuidanceVisibility = Partial<Record<RuntimePathNamespace, boolean>>;\n\ninterface RuntimePathRootMappingBase {\n\treadonly capabilities: RuntimePathCapabilities;\n\treadonly guidanceLabel: string;\n\treadonly id: string;\n\t/**\n\t * False for broad roots like /zone where mounting the root would expose\n\t * unrelated children; callers must request an explicit child path.\n\t */\n\treadonly rootPathAllowed: boolean;\n\treadonly showInGuidance?: RuntimePathGuidanceVisibility;\n}\n\nexport type RuntimePathRootMapping =\n\t| (RuntimePathRootMappingBase & {\n\t\t\treadonly backing: Extract<RuntimePathBacking, { readonly kind: 'host-realfs' }>;\n\t\t\treadonly locations: RuntimePathHostRealfsLocations;\n\t })\n\t| (RuntimePathRootMappingBase & {\n\t\t\treadonly backing: Extract<RuntimePathBacking, { readonly kind: 'guest-rootfs-cow' }>;\n\t\t\treadonly capabilities: RuntimePathCapabilities & { readonly leaseMount: false };\n\t\t\treadonly locations: RuntimePathGuestRootfsCowLocations;\n\t });\n\nexport interface RuntimePathMapping {\n\treadonly id: string;\n\treadonly roots: readonly RuntimePathRootMapping[];\n}\n\nexport interface TranslateRuntimePathInput {\n\treadonly inputPath: string;\n\treadonly mapping: RuntimePathMapping;\n\treadonly purpose: RuntimePathPurpose;\n\treadonly sourceNamespace?: RuntimePathNamespace;\n\treadonly targetNamespace: RuntimePathNamespace;\n}\n\nexport interface RuntimePathTranslation {\n\treadonly backing: RuntimePathBacking;\n\treadonly capabilities: RuntimePathCapabilities;\n\treadonly inputNamespace: RuntimePathNamespace;\n\treadonly inputPath: string;\n\treadonly mappingId: string;\n\treadonly outputNamespace: RuntimePathNamespace;\n\treadonly outputPath: string;\n\treadonly relativePath: string;\n\treadonly rootId: string;\n}\n\nexport type RuntimePathTranslationErrorCode =\n\t| 'path-not-absolute'\n\t| 'path-parent-traversal'\n\t| 'invalid-runtime-root'\n\t| 'unknown-runtime-path'\n\t| 'purpose-not-allowed'\n\t| 'root-path-not-allowed'\n\t| 'target-namespace-not-available';\n\nexport interface RuntimePathTranslationError {\n\treadonly allowedPathForms: readonly string[];\n\treadonly code: RuntimePathTranslationErrorCode;\n\treadonly inputPath: string;\n\treadonly mappingId: string;\n\treadonly message: string;\n\treadonly purpose: RuntimePathPurpose;\n\treadonly retryGuidance: string;\n}\n\nexport type TranslateRuntimePathResult =\n\t| {\n\t\t\treadonly ok: true;\n\t\t\treadonly value: RuntimePathTranslation;\n\t }\n\t| {\n\t\t\treadonly ok: false;\n\t\t\treadonly error: RuntimePathTranslationError;\n\t };\n\ninterface RuntimePathRootMatch {\n\treadonly inputNamespace: RuntimePathNamespace;\n\treadonly matchedRoot: string;\n\treadonly root: RuntimePathRootMapping;\n}\n\nconst guidanceNamespaceOrder = [\n\t'tool-vm-guest',\n\t'openclaw-gateway',\n\t'controller-host',\n] as const satisfies readonly RuntimePathNamespace[];\n\nfunction pathContainsParentTraversal(inputPath: string): boolean {\n\treturn inputPath.split(/\\/+/u).includes('..');\n}\n\nfunction normalizeAbsolutePath(inputPath: string): string {\n\tconst rawSegments = inputPath.split('/').filter((segment) => segment !== '' && segment !== '.');\n\treturn `/${rawSegments.join('/')}`;\n}\n\nfunction normalizeRoot(rootPath: string): string {\n\tconst normalizedRoot = normalizeAbsolutePath(rootPath);\n\treturn normalizedRoot === '/' ? normalizedRoot : normalizedRoot.replace(/\\/+$/u, '');\n}\n\nfunction pathMatchesRoot(candidatePath: string, rootPath: string): boolean {\n\treturn candidatePath === rootPath || candidatePath.startsWith(`${rootPath}/`);\n}\n\nfunction relativePathForRoot(candidatePath: string, rootPath: string): string {\n\treturn candidatePath === rootPath ? '' : candidatePath.slice(rootPath.length + 1);\n}\n\nfunction joinRootAndRelative(rootPath: string, relativePath: string): string {\n\treturn relativePath === '' ? rootPath : `${rootPath}/${relativePath}`;\n}\n\nfunction runtimeRootIsInvalid(rootPath: string): boolean {\n\treturn (\n\t\trootPath.trim() === '' || !rootPath.startsWith('/') || pathContainsParentTraversal(rootPath)\n\t);\n}\n\nfunction namespaceShouldShowInGuidance(\n\troot: RuntimePathRootMapping,\n\tnamespace: RuntimePathNamespace,\n): boolean {\n\tif (root.showInGuidance?.[namespace] !== undefined) {\n\t\treturn root.showInGuidance[namespace];\n\t}\n\treturn namespace !== 'controller-host';\n}\n\nfunction allowedPathFormsForMapping(\n\tmapping: RuntimePathMapping,\n\tpurpose: RuntimePathPurpose,\n): readonly string[] {\n\treturn mapping.roots.flatMap((root) => {\n\t\tif (!root.capabilities[purpose]) {\n\t\t\treturn [];\n\t\t}\n\t\tconst suffix = root.rootPathAllowed ? '[/subpath]' : '/<child>';\n\t\treturn guidanceNamespaceOrder.flatMap((namespace): string[] => {\n\t\t\tconst rootPath = root.locations[namespace];\n\t\t\tif (rootPath === undefined || !namespaceShouldShowInGuidance(root, namespace)) {\n\t\t\t\treturn [];\n\t\t\t}\n\t\t\treturn [`${normalizeRoot(rootPath)}${suffix}`];\n\t\t});\n\t});\n}\n\nfunction retryGuidanceForMapping(mapping: RuntimePathMapping, purpose: RuntimePathPurpose): string {\n\treturn `Use one of the allowed path forms for ${mapping.id} ${purpose}: ${allowedPathFormsForMapping(mapping, purpose).join(', ')}.`;\n}\n\nfunction errorResult(params: {\n\treadonly code: RuntimePathTranslationErrorCode;\n\treadonly inputPath: string;\n\treadonly mapping: RuntimePathMapping;\n\treadonly message: string;\n\treadonly purpose: RuntimePathPurpose;\n}): TranslateRuntimePathResult {\n\treturn {\n\t\terror: {\n\t\t\tallowedPathForms: allowedPathFormsForMapping(params.mapping, params.purpose),\n\t\t\tcode: params.code,\n\t\t\tinputPath: params.inputPath,\n\t\t\tmappingId: params.mapping.id,\n\t\t\tmessage: params.message,\n\t\t\tpurpose: params.purpose,\n\t\t\tretryGuidance: retryGuidanceForMapping(params.mapping, params.purpose),\n\t\t},\n\t\tok: false,\n\t};\n}\n\nfunction findBestRootMatch(params: {\n\treadonly inputPath: string;\n\treadonly mapping: RuntimePathMapping;\n\treadonly sourceNamespace?: RuntimePathNamespace;\n}): RuntimePathRootMatch | undefined {\n\tconst matches = params.mapping.roots.flatMap((root): RuntimePathRootMatch[] =>\n\t\tguidanceNamespaceOrder.flatMap((inputNamespace) => {\n\t\t\tconst rootPath = root.locations[inputNamespace];\n\t\t\tif (rootPath === undefined) {\n\t\t\t\treturn [];\n\t\t\t}\n\t\t\tif (params.sourceNamespace !== undefined && inputNamespace !== params.sourceNamespace) {\n\t\t\t\treturn [];\n\t\t\t}\n\t\t\tconst normalizedRoot = normalizeRoot(rootPath);\n\t\t\treturn pathMatchesRoot(params.inputPath, normalizedRoot)\n\t\t\t\t? [{ inputNamespace, matchedRoot: normalizedRoot, root }]\n\t\t\t\t: [];\n\t\t}),\n\t);\n\treturn matches.toSorted((left, right) => right.matchedRoot.length - left.matchedRoot.length)[0];\n}\n\nfunction findInvalidRoot(\n\tmapping: RuntimePathMapping,\n): { readonly rootId: string; readonly rootPath: string } | undefined {\n\tfor (const root of mapping.roots) {\n\t\tfor (const namespace of guidanceNamespaceOrder) {\n\t\t\tconst rootPath = root.locations[namespace];\n\t\t\tif (rootPath !== undefined && runtimeRootIsInvalid(rootPath)) {\n\t\t\t\treturn { rootId: root.id, rootPath };\n\t\t\t}\n\t\t}\n\t}\n\treturn undefined;\n}\n\nexport function translateRuntimePath(input: TranslateRuntimePathInput): TranslateRuntimePathResult {\n\tif (!input.inputPath.startsWith('/')) {\n\t\treturn errorResult({\n\t\t\tcode: 'path-not-absolute',\n\t\t\tinputPath: input.inputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${input.inputPath}' must be absolute.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\t// Reject traversal before normalization so /workspace/../secret cannot\n\t// collapse into a seemingly valid path under a trusted root.\n\tif (pathContainsParentTraversal(input.inputPath)) {\n\t\treturn errorResult({\n\t\t\tcode: 'path-parent-traversal',\n\t\t\tinputPath: input.inputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${input.inputPath}' must not contain parent traversal.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tconst invalidRoot = findInvalidRoot(input.mapping);\n\tif (invalidRoot !== undefined) {\n\t\treturn errorResult({\n\t\t\tcode: 'invalid-runtime-root',\n\t\t\tinputPath: input.inputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Runtime path root '${invalidRoot.rootId}' has invalid path '${invalidRoot.rootPath}'.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tconst normalizedInputPath = normalizeAbsolutePath(input.inputPath);\n\tconst match = findBestRootMatch({\n\t\tinputPath: normalizedInputPath,\n\t\tmapping: input.mapping,\n\t\t...(input.sourceNamespace === undefined ? {} : { sourceNamespace: input.sourceNamespace }),\n\t});\n\tif (match === undefined) {\n\t\treturn errorResult({\n\t\t\tcode: 'unknown-runtime-path',\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${normalizedInputPath}' is not part of runtime path mapping '${input.mapping.id}'.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tconst relativePath = relativePathForRoot(normalizedInputPath, match.matchedRoot);\n\tif (relativePath === '' && !match.root.rootPathAllowed) {\n\t\treturn errorResult({\n\t\t\tcode: 'root-path-not-allowed',\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${normalizedInputPath}' matched ${match.root.guidanceLabel}, but the root itself is not allowed for ${input.purpose}.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tif (!match.root.capabilities[input.purpose]) {\n\t\treturn errorResult({\n\t\t\tcode: 'purpose-not-allowed',\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${normalizedInputPath}' matched ${match.root.guidanceLabel} but cannot be used for ${input.purpose}.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tconst targetRoot = match.root.locations[input.targetNamespace];\n\tif (targetRoot === undefined) {\n\t\treturn errorResult({\n\t\t\tcode: 'target-namespace-not-available',\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${normalizedInputPath}' matched ${match.root.guidanceLabel}, but '${input.targetNamespace}' is not available for that root.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tconst normalizedTargetRoot = normalizeRoot(targetRoot);\n\treturn {\n\t\tok: true,\n\t\tvalue: {\n\t\t\tbacking: match.root.backing,\n\t\t\tcapabilities: match.root.capabilities,\n\t\t\tinputNamespace: match.inputNamespace,\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tmappingId: input.mapping.id,\n\t\t\toutputNamespace: input.targetNamespace,\n\t\t\toutputPath: joinRootAndRelative(normalizedTargetRoot, relativePath),\n\t\t\trelativePath,\n\t\t\trootId: match.root.id,\n\t\t},\n\t};\n}\n","import { v7 as uuidv7, validate as validateUuid, version as uuidVersion } from 'uuid';\n\ndeclare const toolVmLeaseIdBrand: unique symbol;\n\nexport type ToolVmLeaseId = string & {\n\treadonly [toolVmLeaseIdBrand]: true;\n};\n\nexport function createToolVmLeaseId(): ToolVmLeaseId {\n\treturn parseToolVmLeaseId(uuidv7());\n}\n\nexport function isToolVmLeaseId(value: unknown): value is ToolVmLeaseId {\n\treturn typeof value === 'string' && validateUuid(value) && uuidVersion(value) === 7;\n}\n\nexport function parseToolVmLeaseId(value: unknown): ToolVmLeaseId {\n\tif (isToolVmLeaseId(value)) {\n\t\treturn value;\n\t}\n\tthrow new TypeError('Tool VM lease id must be an opaque UUIDv7 string.');\n}\n","const VM_SSH_PUBLIC_ENDPOINT_KEYS = new Set(['host', 'port', 'user']);\n\n/**\n * Small host-issued capability envelope shared by VM-backed transports. The\n * transport tag keeps SSH Tool VM leases distinct from future host-side\n * Gondolin RPC or bridge capabilities without inventing a transport object.\n */\nexport interface VmCapabilityLease<TTransport extends string> {\n\treadonly leaseId: string;\n\treadonly transport: TTransport;\n}\n\nexport interface VmSshEndpoint {\n\treadonly host: string;\n\treadonly identityPem: string;\n\treadonly knownHostsLine: string;\n\treadonly port: number;\n\treadonly user: string;\n}\n\nexport interface VmSshPublicEndpoint {\n\treadonly host: string;\n\treadonly port: number;\n\treadonly user: string;\n}\n\nexport interface VmSshLease<TTransport extends string> extends VmCapabilityLease<TTransport> {\n\treadonly ssh: VmSshEndpoint;\n}\n\nfunction objectValue(value: unknown): object | undefined {\n\treturn typeof value === 'object' && value !== null ? value : undefined;\n}\n\nfunction isNonEmptyString(value: unknown): value is string {\n\treturn typeof value === 'string' && value.trim().length > 0;\n}\n\nexport function isVmCapabilityLease<TTransport extends string>(\n\tvalue: unknown,\n\ttransport: TTransport,\n): value is VmCapabilityLease<TTransport> {\n\tconst record = objectValue(value);\n\treturn (\n\t\trecord !== undefined &&\n\t\ttypeof Reflect.get(record, 'leaseId') === 'string' &&\n\t\tReflect.get(record, 'transport') === transport\n\t);\n}\n\nexport function isVmSshEndpoint(value: unknown): value is VmSshEndpoint {\n\tconst record = objectValue(value);\n\treturn (\n\t\trecord !== undefined &&\n\t\ttypeof Reflect.get(record, 'host') === 'string' &&\n\t\tisNonEmptyString(Reflect.get(record, 'identityPem')) &&\n\t\ttypeof Reflect.get(record, 'knownHostsLine') === 'string' &&\n\t\ttypeof Reflect.get(record, 'port') === 'number' &&\n\t\ttypeof Reflect.get(record, 'user') === 'string'\n\t);\n}\n\nexport function isVmSshPublicEndpoint(value: unknown): value is VmSshPublicEndpoint {\n\tconst record = objectValue(value);\n\tif (record === undefined) {\n\t\treturn false;\n\t}\n\tfor (const key of Object.keys(record)) {\n\t\tif (!VM_SSH_PUBLIC_ENDPOINT_KEYS.has(key)) {\n\t\t\treturn false;\n\t\t}\n\t}\n\treturn (\n\t\ttypeof Reflect.get(record, 'host') === 'string' &&\n\t\ttypeof Reflect.get(record, 'port') === 'number' &&\n\t\ttypeof Reflect.get(record, 'user') === 'string'\n\t);\n}\n","import { isToolVmLeaseId, type ToolVmLeaseId } from './tool-vm-lease-id.js';\nimport {\n\tisVmCapabilityLease,\n\tisVmSshEndpoint,\n\tisVmSshPublicEndpoint,\n\ttype VmCapabilityLease,\n\ttype VmSshLease,\n\ttype VmSshPublicEndpoint,\n} from './vm-capability-lease.js';\n\nexport interface ToolVmSshLease extends VmSshLease<'ssh-sandbox'> {\n\treadonly agentId: string;\n\treadonly idleTtlMs: number;\n\treadonly leaseId: ToolVmLeaseId;\n\treadonly tcpSlot: number;\n\treadonly workdir: string;\n}\n\nexport interface ToolVmLeasePeek extends VmCapabilityLease<'ssh-sandbox'> {\n\treadonly agentId: string;\n\treadonly createdAt: number;\n\treadonly idleTtlMs: number;\n\treadonly lastUsedAt: number;\n\treadonly leaseId: ToolVmLeaseId;\n\treadonly profileId: string;\n\treadonly ssh: VmSshPublicEndpoint;\n\treadonly tcpSlot: number;\n\treadonly workdir: string;\n\treadonly zoneId: string;\n}\n\nfunction objectValue(value: unknown): object | undefined {\n\treturn typeof value === 'object' && value !== null ? value : undefined;\n}\n\nconst deprecatedScopeKeyPropertyName = ['scope', 'Key'].join('');\n\nexport function isToolVmSshLease(value: unknown): value is ToolVmSshLease {\n\tconst record = objectValue(value);\n\treturn (\n\t\tisVmCapabilityLease(record, 'ssh-sandbox') &&\n\t\tisToolVmLeaseId(Reflect.get(record, 'leaseId')) &&\n\t\tisVmSshEndpoint(Reflect.get(record, 'ssh')) &&\n\t\ttypeof Reflect.get(record, 'agentId') === 'string' &&\n\t\ttypeof Reflect.get(record, 'idleTtlMs') === 'number' &&\n\t\ttypeof Reflect.get(record, 'tcpSlot') === 'number' &&\n\t\ttypeof Reflect.get(record, 'workdir') === 'string' &&\n\t\t!Reflect.has(record, deprecatedScopeKeyPropertyName)\n\t);\n}\n\nexport function isToolVmLeasePeek(value: unknown): value is ToolVmLeasePeek {\n\tconst record = objectValue(value);\n\treturn (\n\t\tisVmCapabilityLease(record, 'ssh-sandbox') &&\n\t\tisToolVmLeaseId(Reflect.get(record, 'leaseId')) &&\n\t\ttypeof Reflect.get(record, 'agentId') === 'string' &&\n\t\ttypeof Reflect.get(record, 'createdAt') === 'number' &&\n\t\ttypeof Reflect.get(record, 'idleTtlMs') === 'number' &&\n\t\ttypeof Reflect.get(record, 'lastUsedAt') === 'number' &&\n\t\ttypeof Reflect.get(record, 'profileId') === 'string' &&\n\t\tisVmSshPublicEndpoint(Reflect.get(record, 'ssh')) &&\n\t\ttypeof Reflect.get(record, 'tcpSlot') === 'number' &&\n\t\ttypeof Reflect.get(record, 'workdir') === 'string' &&\n\t\ttypeof Reflect.get(record, 'zoneId') === 'string' &&\n\t\t!Reflect.has(record, deprecatedScopeKeyPropertyName)\n\t);\n}\n"],"mappings":";;AAAA,MAAa,oBAAoB,CAAC,YAAY,SAAS;AAIvD,SAAgB,yBAAyB,kBAA0B,QAAwB;CAC1F,OAAO,GAAG,iBAAiB,GAAG,OAAO;;AAGtC,SAAgB,sBACf,kBACA,QACA,SACS;CACT,OAAO,GAAG,iBAAiB,GAAG,OAAO,QAAQ;;;;ACb9C,MAAa,mBAAmB;CAAC;CAAW;CAAW;CAAO;AAU9D,MAAa,mBAAmB;AAEhC,SAAgB,gBACf,gBACA,iBACU;CACV,OAAO,mBAAmB,mBAAmB,mBAAmB;;AAGjE,SAAgB,uBACf,aACA,iBACoB;CACpB,OAAO,YACL,QAAQ,eAAe,gBAAgB,WAAW,UAAU,gBAAgB,CAAC,CAC7E,KAAK,eAAe,WAAW,KAAK;;AAGvC,SAAgB,sBAAsB,aAA6D;CAClG,OAAO,MAAM,KAAK,IAAI,IAAI,CAAC,kBAAkB,GAAG,uBAAuB,aAAa,UAAU,CAAC,CAAC,CAAC;;;;AC7BlG,MAAa,6CAA6C;CACzD;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AAKD,MAAa,4CAA4C,CACxD,wBACA,sBACA;AAsBD,MAAM,oDAAoD,IAAI,IAC7D,CAbA,mBACA,cAYA,CACA;AAED,SAAS,yCACR,WACsD;CACtD,OAAO,CAAC,kDAAkD,IAAI,UAAU;;AAGzE,MAAa,0CAA0C,CACtD,GAAG,4CACH,GAAG,0CACH,CAAC,OAAO,yCAAyC;AAElD,MAAa,2BAA2B;CACvC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AA6BD,IAAa,wCAAb,cAA2D,MAAM;CAChE;CACA;CAEA,YAAY,SAIT;EACF,MAAM,eACL,QAAQ,iBAAiB,QAAQ,QAAQ,MAAM,UAAU,OAAO,QAAQ,MAAM;EAC/E,MAAM,GAAG,QAAQ,UAAU,GAAG,QAAQ,KAAK,IAAI,gBAAgB,EAC9D,OAAO,QAAQ,OACf,CAAC;EACF,KAAK,OAAO,QAAQ;EACpB,KAAK,YAAY,QAAQ;;;AAY3B,SAAS,MAAM,IAAY,QAAqC;CAC/D,OAAO,IAAI,SAAS,SAAS,WAAW;EACvC,IAAI,QAAQ,YAAY,MAAM;GAC7B,OAAO,OAAO,OAAO;GACrB;;EAED,MAAM,UAAU,iBAAiB;GAChC,QAAQ,oBAAoB,SAAS,QAAQ;GAC7C,SAAS;KACP,GAAG;EACN,MAAM,gBAAsB;GAC3B,aAAa,QAAQ;GACrB,OAAO,QAAQ,OAAO;;EAEvB,QAAQ,iBAAiB,SAAS,SAAS,EAAE,MAAM,MAAM,CAAC;GACzD;;AAGH,SAAS,oBAAoB,UAAoB,QAA0C;CAC1F,OAAO,OAAO,gBAAgB,OAAO,cAAc,SAAS,SAAS,OAAO;;AAG7E,eAAsB,4BAA4B,UAAmC;CACpF,IAAI,SAAS,UACZ;CAED,MAAM,SAAS,MAAM,CAAC,YAAY,KAAA,EAAU;;AAG7C,eAAe,iBAAiB,SAMV;CACrB,MAAM,kBAAkB,IAAI,iBAAiB;CAC7C,IAAI,gBAAgB,QAAQ,MAAM,QAAQ,WAAW;CACrD,IAAI,WAAW;CACf,MAAM,wBAA8B;EACnC,gBAAgB;EAChB,gBAAgB,MAAM,QAAQ,MAAM,QAAQ,OAAO;;CAEpD,MAAM,UAAU,iBAAiB;EAChC,WAAW;EACX,gBAAgB,sBACf,IAAI,MAAM,GAAG,QAAQ,UAAU,mBAAmB,OAAO,QAAQ,UAAU,CAAC,IAAI,CAChF;IACC,QAAQ,UAAU;CACrB,IAAI,eACH,gBAAgB,MAAM,QAAQ,MAAM,QAAQ,OAAO;MAEnD,QAAQ,MAAM,QAAQ,iBAAiB,SAAS,iBAAiB,EAAE,MAAM,MAAM,CAAC;CAEjF,IAAI;EACH,OAAO,MAAM,QAAQ,UAAU,QAAQ,OAAO;GAC7C,GAAG,QAAQ;GACX,QAAQ,gBAAgB;GACxB,CAAC;UACM,OAAO;EACf,IAAI,eACH,MAAM;EAEP,MAAM,IAAI,sCAAsC;GAC/C,OAAO;GACP,MAAM,WAAW,+BAA+B;GAChD,WAAW,QAAQ;GACnB,CAAC;WACO;EACT,aAAa,QAAQ;EACrB,QAAQ,MAAM,QAAQ,oBAAoB,SAAS,gBAAgB;;;AAIrE,eAAsB,0BACrB,SACoB;CACpB,MAAM,SAAS,QAAQ,UAAU,0BAA0B,QAAQ;CACnE,MAAM,YAAY,QAAQ,aAAa;CACvC,IAAI;CACJ,KAAK,IAAI,UAAU,GAAG,WAAW,OAAO,aAAa,WAAW,GAC/D,IAAI;EAEH,MAAM,WAAW,MAAM,iBAAiB;GACvC;GACA,MAAM,QAAQ;GACd,OAAO,QAAQ;GACf,WAAW,QAAQ;GACnB,WAAW,OAAO;GAClB,CAAC;EACF,IAAI,UAAU,OAAO,eAAe,oBAAoB,UAAU,OAAO,EAAE;GAE1E,MAAM,4BAA4B,SAAS;GAC3C,IAAI,OAAO,mBAAmB,GAE7B,MAAM,MAAM,OAAO,kBAAkB,QAAQ,MAAM,UAAU,KAAA,EAAU;GAExE;;EAED,OAAO;UACC,OAAO;EACf,IAAI,EAAE,iBAAiB,wCACtB,MAAM;EAEP,qBAAqB;EACrB,IAAI,EAAE,OAAO,gBAAgB,UAAU,OAAO,cAC7C,MAAM;EAEP,IAAI,OAAO,mBAAmB,GAE7B,MAAM,MAAM,OAAO,kBAAkB,QAAQ,MAAM,UAAU,KAAA,EAAU;;CAI1E,MAAM,sCAAsB,IAAI,MAAM,GAAG,QAAQ,UAAU,4BAA4B;;AAGxF,MAAa,4BAA4B;CACxC,qBAAqB;EACpB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,EAAE;EACjB,WAAW;EACX;CACD,wBAAwB;EACvB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,EAAE;EACjB,WAAW;EACX;CACD,2BAA2B;EAC1B,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe;GAAC;GAAK;GAAK;GAAI;EAC9B,WAAW;EACX;CACD,iBAAiB;EAChB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,EAAE;EACjB,WAAW;EACX;CACD,gBAAgB;EACf,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,EAAE;EACjB,WAAW;EACX;CACD,aAAa;EACZ,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,CAAC,KAAK,IAAI;EACzB,WAAW;EACX;CACD,cAAc;EACb,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,CAAC,KAAK,IAAI;EACzB,WAAW;EACX;CACD,cAAc;EACb,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,CAAC,KAAK,IAAI;EACzB,WAAW;EACX;CACD,eAAe;EACd,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe;GAAC;GAAK;GAAK;GAAI;EAC9B,WAAW;EACX;CACD,iBAAiB;EAChB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,CAAC,KAAK,IAAI;EACzB,WAAW;EACX;CACD,mBAAmB;EAClB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe;GAAC;GAAK;GAAK;GAAI;EAC9B,WAAW;EACX;CACD,mBAAmB;EAClB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe;GAAC;GAAK;GAAK;GAAI;EAC9B,WAAW;EACX;CACD,iBAAiB;EAChB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,CAAC,KAAK,IAAI;EACzB,WAAW;EACX;CACD,wBAAwB;EACvB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,EAAE;EACjB,WAAW;EACX;CACD,uBAAuB;EACtB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,EAAE;EACjB,WAAW;EACX;CACD;;;AC1WD,MAAa,0BAA0B;CACtC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AAID,MAAa,2BAA2B;CAAC;CAAM;CAAU;CAAW;CAAQ;AAY5E,MAAa,+BAA+B;CAC3C,gBAAgB;CAChB,gBAAgB;CAChB,WAAW;CACX,MAAM;CACN;AAuDD,MAAa,uBAAuB;CAAC;CAAW;CAAM;CAAS;CAAS;AAIxE,MAAa,uBAAuB;CACnC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AAmCD,SAAS,SAAS,OAAkD;CACnE,OAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,MAAM;;AAG5E,SAAS,QACR,QACA,OAC2B;CAC3B,OAAO,OAAO,UAAU,YAAY,OAAO,SAAS,MAAM;;AAG3D,SAAS,0BAA0B,OAAiC;CACnE,OAAO,OAAO,UAAU,YAAY,OAAO,SAAS,MAAM,IAAI,SAAS;;AAGxE,SAAS,mBAAmB,QAA0C;CACrE,OACC,0BAA0B,OAAO,aAAa,IAC9C,QAAQ,0BAA0B,OAAO,OAAO,IAChD,OAAO,OAAO,WAAW,YACzB,OAAO,OAAO,SAAS;;AAIzB,SAAS,eAAe,OAAyB;CAChD,OAAO,UAAU,KAAA,KAAa,OAAO,UAAU;;AAGhD,SAAS,mBAAmB,OAAyB;CACpD,OAAO,UAAU,KAAA,KAAa,OAAO,UAAU,MAAM;;AAGtD,SAAgB,qBAAqB,OAA6C;CACjF,IAAI,CAAC,SAAS,MAAM,IAAI,CAAC,mBAAmB,MAAM,EACjD,OAAO;CAER,QAAQ,MAAM,MAAd;EACC,KAAK,0BACJ,OACC,OAAO,MAAM,SAAS,YACtB,MAAM,KAAK,SAAS,KACpB,OAAO,UAAU,MAAM,KAAK,IAC5B,mBAAmB,MAAM,WAAW;EAEtC,KAAK,wBACJ,OACC,MAAM,mBAAmB,6BAA6B,kBACtD,MAAM,mBAAmB,6BAA6B,kBACtD,0BAA0B,MAAM,UAAU,IAC1C,MAAM,cAAc,6BAA6B,aACjD,MAAM,SAAS,6BAA6B;EAE9C,KAAK,sBACJ,OACC,OAAO,UAAU,MAAM,QAAQ,IAC/B,0BAA0B,MAAM,UAAU,IAC1C,eAAe,MAAM,UAAU,IAC/B,OAAO,UAAU,MAAM,YAAY,IACnC,QAAQ,yCAAyC,MAAM,UAAU,IACjE,mBAAmB,MAAM,WAAW;EAEtC,KAAK,eACJ,OACC,OAAO,MAAM,YAAY,YACzB,0BAA0B,MAAM,UAAU,IAC1C,eAAe,MAAM,UAAU,IAC/B,OAAO,MAAM,YAAY;EAE3B,KAAK,mBACJ,OACC,OAAO,MAAM,YAAY,YACzB,0BAA0B,MAAM,UAAU,IAC1C,eAAe,MAAM,UAAU,IAC/B,OAAO,MAAM,YAAY,YACzB,OAAO,MAAM,UAAU;EAEzB,KAAK,eACJ,OACC,OAAO,MAAM,YAAY,YACzB,0BAA0B,MAAM,UAAU,IAC1C,eAAe,MAAM,UAAU,IAC/B,OAAO,MAAM,YAAY,YACzB,QAAQ;GAAC;GAAW;GAAe;GAAY;GAAQ,EAAW,MAAM,UAAU;EAEpF,KAAK,yBACJ,OACC,QAAQ,mBAAmB,MAAM,eAAe,IAChD,QAAQ;GAAC;GAAY;GAAS;GAAY;GAAS,EAAW,MAAM,MAAM;EAE5E,SACC,OAAO;;;AAIV,SAAgB,qBAAqB,OAAmC;CACvE,QAAQ,MAAM,MAAd;EACC,KAAK,wBACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM;EACjC,KAAK,0BACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM,KAAK,GAAG,MAAM;EAC7D,KAAK,sBACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM;EAC/C,KAAK,mBACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM,QAAQ,GAAG,MAAM;EAChE,KAAK,eACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM;EAC/C,KAAK,eACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM,QAAQ,GAAG,MAAM;EAChE,KAAK,yBACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM;;CAEhD,OAAO,uBAAuB,MAAM;;AAGrC,SAAS,wBAAwB,OAAgD;CAChF,QAAQ,MAAM,MAAd;EACC,KAAK,0BACJ,OAAO;EACR,KAAK,wBACJ,OAAO;EACR,KAAK,sBACJ,OAAO;EACR,KAAK,mBACJ,OAAO;EACR,KAAK,eACJ,OAAO;EACR,KAAK,eACJ,OAAO;EACR,KAAK,yBACJ,OAAO;;CAET,OAAO,uBAAuB,MAAM;;AAGrC,SAAS,uBAAuB,OAAqB;CACpD,MAAM,IAAI,MAAM,gCAAgC,KAAK,UAAU,MAAM,GAAG;;AAGzE,SAAS,cACR,OACA,SAC8B;CAC9B,IAAI,QAAQ,QAAQ,MAAM,eAAe,QAAQ,cAChD,OAAO;EACN,MAAM;EACN,aAAa;EACb,SAAS,GAAG,MAAM,KAAK;EACvB,SAAS,MAAM;EACf;CAEF,IAAI,MAAM,WAAW,YAAY,MAAM,WAAW,aAAa,MAAM,WAAW,SAC/E,OAAO;EACN,MAAM,wBAAwB,MAAM;EACpC,aAAa;EACb,SAAS,GAAG,MAAM,KAAK,yBAAyB,MAAM;EACtD,SAAS,MAAM;EACf;;AAKH,SAAgB,yBACf,QACA,SACqB;CACrB,MAAM,8BAAc,IAAI,KAAiC;CACzD,KAAK,MAAM,SAAS,QAAQ;EAC3B,IAAI,MAAM,WAAW,QAAQ,QAC5B;EAED,MAAM,MAAM,qBAAqB,MAAM;EACvC,MAAM,WAAW,YAAY,IAAI,IAAI;EACrC,IAAI,CAAC,YAAY,SAAS,gBAAgB,MAAM,cAC/C,YAAY,IAAI,KAAK,MAAM;;CAG7B,MAAM,eAAe,CAAC,GAAG,YAAY,QAAQ,CAAC,CAAC,UAC7C,OAAO,WAAW,OAAO,eAAe,MAAM,aAC/C;CACD,IAAI,aAAa,WAAW,GAC3B,OAAO;EAAE,MAAM;EAAW,QAAQ;EAAa,QAAQ,QAAQ;EAAQ;CAExE,MAAM,SAAS,aACb,KAAK,UAAU,cAAc,OAAO,QAAQ,CAAC,CAC7C,QAAQ,UAAoC,UAAU,KAAA,EAAU;CAClE,IAAI,OAAO,WAAW,GACrB,OAAO;EAAE,MAAM;EAAM;EAAc,QAAQ,QAAQ;EAAQ;CAE5D,IAAI,OAAO,MAAM,UAAU,MAAM,SAAS,qBAAqB,EAC9D,OAAO;EAAE;EAAQ,MAAM;EAAS;EAAc,QAAQ,QAAQ;EAAQ;CAEvE,OAAO;EAAE;EAAQ,MAAM;EAAU;EAAc,QAAQ,QAAQ;EAAQ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACtSxE,MAAa,iCACZ;AAED,MAAM,sCAAsC,+BAA+B,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BxF,SAAgB,mBAAmB,WAAuC;CACzE,MAAM,UAAU,WAAW,MAAM,IAAI;CACrC,IAAI,YAAY,IACf,OAAO;CAER,MAAM,YAAY,QAChB,MAAM,OAAO,CACb,QAAQ,SAAS,CAAC,oCAAoC,SAAS,KAAK,CAAC;CACvE,IAAI,UAAU,WAAW,GACxB,OAAO;CAER,OAAO,GAAG,+BAA+B,GAAG,UAAU,KAAK,IAAI;;;;ACzDhE,SAAgB,gCACf,eACA,iBACA,SAC6B;CAC7B,MAAM,qBAA6C,EAAE;CACrD,MAAM,kBAAsD,EAAE;CAC9D,MAAM,YAAY,QAAQ,aAAa;CAEvC,KAAK,MAAM,CAAC,YAAY,gBAAgB,OAAO,QAAQ,gBAAgB,EAAE;EACxE,MAAM,eAAe,cAAc;EACnC,IAAI,CAAC,cACJ,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,mDACrC;EAEF,IAAI,CAAC,gBAAgB,aAAa,UAAU,QAAQ,SAAS,EAC5D;EAGD,IAAI,aAAa,cAAc,kBAAkB;GAChD,IAAI,aAAa,MAAM,WAAW,GACjC,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,8CACrC;GAEF,gBAAgB,cAAc;IAC7B,OAAO,CAAC,GAAG,aAAa,MAAM;IAC9B,OAAO;IACP;GACD;;EAGD,MAAM,oBAAqB,aAA+C;EAC1E,IAAI,sBAAsB,WACzB,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,kDAAkD,kBAAkB,IACzG;EAEF,IAAI,QAAQ,aAAa,WACxB,mBAAmB,cAAc;;CAInC,OAAO;EAAE;EAAoB;EAAiB;;AAK/C,SAAgB,4BACf,MACA,iBACoC;CACpC,OAAO,gCAAgC,KAAK,SAAS,iBAAiB;EACrE,UAAU;EACV,WAAW;EACX,CAAC;;AAGH,SAAS,+BACR,YACA,QACA,aACA,aACA,WACO;CACP,IAAI,YAAY,IAAI,WAAW,EAC9B,MAAM,IAAI,MACT,IAAI,UAAU,4BAA4B,WAAW,kEACrD;CAEF,IAAI,cAAc,YAAY,oBAC7B,MAAM,IAAI,MACT,IAAI,UAAU,oBAAoB,OAAO,WAAW,WAAW,mDAC/D;CAEF,IAAI,cAAc,YAAY,iBAC7B,MAAM,IAAI,MACT,IAAI,UAAU,oBAAoB,OAAO,WAAW,WAAW,sDAC/D;CAEF,YAAY,IAAI,WAAW;;AAG5B,SAAgB,2BACf,aACA,UAA6C,EAAE,EAClB;CAC7B,MAAM,YAAY,QAAQ,aAAa;CACvC,MAAM,8BAAc,IAAI,KAAa;CACrC,KAAK,MAAM,cAAc,OAAO,KAAK,QAAQ,sBAAsB,EAAE,CAAC,EACrE,+BAA+B,YAAY,eAAe,aAAa,aAAa,UAAU;CAE/F,KAAK,MAAM,cAAc,OAAO,KAAK,QAAQ,0BAA0B,EAAE,CAAC,EACzE,+BACC,YACA,kBACA,aACA,aACA,UACA;CAGF,OAAO;EACN,oBAAoB;GACnB,GAAG,YAAY;GACf,GAAG,QAAQ;GACX;EACD,iBAAiB;GAChB,GAAG,YAAY;GACf,GAAG,QAAQ;GACX;EACD;;;;AC9BF,MAAM,gCAAgC,MAAU,KAAK;AAErD,SAAS,cAAc,QAIZ;CACV,IAAI,OAAO,eAAe,GACzB,OAAO,OAAO;CAEf,MAAM,WAAW,OAAO,UAAU,OAAO;CAEzC,MAAM,aADQ,OAAO,UAAU,WACJ,OAAO,QAAQ,GAAG,WAAW;CACxD,OAAO,KAAK,IAAI,GAAG,KAAK,MAAM,WAAW,CAAC;;AAG3C,SAAgB,0BAAkC;CACjD,OAAOA,IAAQ;;AAGhB,SAAgB,oBAAoB,OAAwB;CAC3D,OAAOC,SAAa,MAAM,IAAIC,QAAY,MAAM,KAAK;;AAGtD,eAAsB,4BACrB,SACiC;CACjC,MAAM,QAAQ,yBAAyB;CACvC,MAAM,aAAa,MAAM,QAAQ,eAAe;EAC/C,GAAI,QAAQ,cAAc,EAAE,aAAa,QAAQ,aAAa,GAAG,EAAE;EACnE;EACA,CAAC;CACF,MAAM,iBAAiB,QAAQ,kBAAkB;CACjD,MAAM,mBAAmB,QAAQ,oBAAoB;CACrD,MAAM,MAAM,QAAQ,WAAW,KAAK;CACpC,MAAM,YAAY,KAAK;CACvB,MAAM,yBAAyB,QAAQ,0BAA0B;CACjE,MAAM,uBAAuB,QAAQ,wBAAwB;CAC7D,MAAM,SAAS,QAAQ,cAAc,KAAK;CAC1C,MAAM,2BAA2B,IAAI,iBAAiB;CACtD,IAAI,QAAQ;CACZ,IAAI;CACJ,IAAI;CAEJ,MAAM,4BAAkC;EACvC,IAAI,gBAAgB;GACnB,iBAAiB,eAAe;GAChC,iBAAiB,KAAA;;;CAInB,MAAM,qBAAqB,YAA0B;EACpD,IAAI,KAAK,GAAG,aAAa,wBACxB;EAED,qBAAqB;EACrB,iBAAiB,qBACV;GACL,IAAI,KAAK,GAAG,aAAa,wBACxB;GAED,MAAM,mBACL,iBAAiB,KAAA,IAAY,EAAE,GAAG,EAAE,QAAQ,cAAc;GAC3D,QACE,mBAAmB,WAAW,OAAO,iBAAiB,CACtD,MAAM,cAAc;IACpB,IAAI,CAAC,OACJ,kBAAkB,UAAU,iBAAiB;KAE7C,CACD,OAAO,UAAmB;IAC1B,QAAQ,sBAAsB,MAAM;IACpC,IACC,QAAQ,8BAA8B,MAAM,KAAK,QACjD,QAAQ,+BACP;KACD,yBAAyB,MAAM,MAAM;KACrC,QAAQ;KACR,qBAAqB;KACrB,QAAa,8BAA8B,MAAM,CAAC,OAAO,eAAwB;MAChF,QAAQ,sBAAsB,WAAW;OACxC;KACF;;IAED,IAAI,CAAC,OACJ,kBAAkB,WAAW,iBAAiB;KAE9C;KAEJ,cAAc;GAAE;GAAS,aAAa;GAAsB;GAAQ,CAAC,CACrE;;CAGF,kBAAkB,WAAW,iBAAiB;CAE9C,MAAM,MAAM,OAAO,UAAkC,gBAA+B;EACnF,IAAI,OACH;EAED,QAAQ;EACR,qBAAqB;EACrB,IAAI;GACH,MAAM,QAAQ,aAAa,WAAW,OAAO;IAC5C;IACA,GAAI,iBAAiB,KAAA,IAAY,EAAE,GAAG,EAAE,QAAQ,cAAc;IAC9D,CAAC;WACM,OAAO;GACf,IAAI,QAAQ,sBAAsB,MAAM,KAAK,MAAM;IAClD,QAAQ,gBAAgB,MAAM;IAC9B;;GAED,MAAM;;;CAIR,OAAO;EACN,QAAQ,yBAAyB;EACjC,OAAO,WAAW;EAClB,SAAS;EACT;EACA,SAAS,WAAiB;GACzB,IAAI,OACH;GAED,eAAe;;EAEhB;;;;ACvOF,MAAa,+BAA+B;AAC5C,MAAa,6BAA6B;AAC1C,MAAa,yBAAyB;AACtC,MAAa,mCAAmC,GAAG,uBAAuB;AA2H1E,MAAM,yBAAyB;CAC9B;CACA;CACA;CACA;AAED,SAAS,4BAA4B,WAA4B;CAChE,OAAO,UAAU,MAAM,OAAO,CAAC,SAAS,KAAK;;AAG9C,SAAS,sBAAsB,WAA2B;CAEzD,OAAO,IADa,UAAU,MAAM,IAAI,CAAC,QAAQ,YAAY,YAAY,MAAM,YAAY,IACrE,CAAC,KAAK,IAAI;;AAGjC,SAAS,cAAc,UAA0B;CAChD,MAAM,iBAAiB,sBAAsB,SAAS;CACtD,OAAO,mBAAmB,MAAM,iBAAiB,eAAe,QAAQ,SAAS,GAAG;;AAGrF,SAAS,gBAAgB,eAAuB,UAA2B;CAC1E,OAAO,kBAAkB,YAAY,cAAc,WAAW,GAAG,SAAS,GAAG;;AAG9E,SAAS,oBAAoB,eAAuB,UAA0B;CAC7E,OAAO,kBAAkB,WAAW,KAAK,cAAc,MAAM,SAAS,SAAS,EAAE;;AAGlF,SAAS,oBAAoB,UAAkB,cAA8B;CAC5E,OAAO,iBAAiB,KAAK,WAAW,GAAG,SAAS,GAAG;;AAGxD,SAAS,qBAAqB,UAA2B;CACxD,OACC,SAAS,MAAM,KAAK,MAAM,CAAC,SAAS,WAAW,IAAI,IAAI,4BAA4B,SAAS;;AAI9F,SAAS,8BACR,MACA,WACU;CACV,IAAI,KAAK,iBAAiB,eAAe,KAAA,GACxC,OAAO,KAAK,eAAe;CAE5B,OAAO,cAAc;;AAGtB,SAAS,2BACR,SACA,SACoB;CACpB,OAAO,QAAQ,MAAM,SAAS,SAAS;EACtC,IAAI,CAAC,KAAK,aAAa,UACtB,OAAO,EAAE;EAEV,MAAM,SAAS,KAAK,kBAAkB,eAAe;EACrD,OAAO,uBAAuB,SAAS,cAAwB;GAC9D,MAAM,WAAW,KAAK,UAAU;GAChC,IAAI,aAAa,KAAA,KAAa,CAAC,8BAA8B,MAAM,UAAU,EAC5E,OAAO,EAAE;GAEV,OAAO,CAAC,GAAG,cAAc,SAAS,GAAG,SAAS;IAC7C;GACD;;AAGH,SAAS,wBAAwB,SAA6B,SAAqC;CAClG,OAAO,yCAAyC,QAAQ,GAAG,GAAG,QAAQ,IAAI,2BAA2B,SAAS,QAAQ,CAAC,KAAK,KAAK,CAAC;;AAGnI,SAAS,YAAY,QAMU;CAC9B,OAAO;EACN,OAAO;GACN,kBAAkB,2BAA2B,OAAO,SAAS,OAAO,QAAQ;GAC5E,MAAM,OAAO;GACb,WAAW,OAAO;GAClB,WAAW,OAAO,QAAQ;GAC1B,SAAS,OAAO;GAChB,SAAS,OAAO;GAChB,eAAe,wBAAwB,OAAO,SAAS,OAAO,QAAQ;GACtE;EACD,IAAI;EACJ;;AAGF,SAAS,kBAAkB,QAIU;CAgBpC,OAfgB,OAAO,QAAQ,MAAM,SAAS,SAC7C,uBAAuB,SAAS,mBAAmB;EAClD,MAAM,WAAW,KAAK,UAAU;EAChC,IAAI,aAAa,KAAA,GAChB,OAAO,EAAE;EAEV,IAAI,OAAO,oBAAoB,KAAA,KAAa,mBAAmB,OAAO,iBACrE,OAAO,EAAE;EAEV,MAAM,iBAAiB,cAAc,SAAS;EAC9C,OAAO,gBAAgB,OAAO,WAAW,eAAe,GACrD,CAAC;GAAE;GAAgB,aAAa;GAAgB;GAAM,CAAC,GACvD,EAAE;GACJ,CAEW,CAAC,UAAU,MAAM,UAAU,MAAM,YAAY,SAAS,KAAK,YAAY,OAAO,CAAC;;AAG9F,SAAS,gBACR,SACqE;CACrE,KAAK,MAAM,QAAQ,QAAQ,OAC1B,KAAK,MAAM,aAAa,wBAAwB;EAC/C,MAAM,WAAW,KAAK,UAAU;EAChC,IAAI,aAAa,KAAA,KAAa,qBAAqB,SAAS,EAC3D,OAAO;GAAE,QAAQ,KAAK;GAAI;GAAU;;;AAOxC,SAAgB,qBAAqB,OAA8D;CAClG,IAAI,CAAC,MAAM,UAAU,WAAW,IAAI,EACnC,OAAO,YAAY;EAClB,MAAM;EACN,WAAW,MAAM;EACjB,SAAS,MAAM;EACf,SAAS,SAAS,MAAM,UAAU;EAClC,SAAS,MAAM;EACf,CAAC;CAIH,IAAI,4BAA4B,MAAM,UAAU,EAC/C,OAAO,YAAY;EAClB,MAAM;EACN,WAAW,MAAM;EACjB,SAAS,MAAM;EACf,SAAS,SAAS,MAAM,UAAU;EAClC,SAAS,MAAM;EACf,CAAC;CAEH,MAAM,cAAc,gBAAgB,MAAM,QAAQ;CAClD,IAAI,gBAAgB,KAAA,GACnB,OAAO,YAAY;EAClB,MAAM;EACN,WAAW,MAAM;EACjB,SAAS,MAAM;EACf,SAAS,sBAAsB,YAAY,OAAO,sBAAsB,YAAY,SAAS;EAC7F,SAAS,MAAM;EACf,CAAC;CAEH,MAAM,sBAAsB,sBAAsB,MAAM,UAAU;CAClE,MAAM,QAAQ,kBAAkB;EAC/B,WAAW;EACX,SAAS,MAAM;EACf,GAAI,MAAM,oBAAoB,KAAA,IAAY,EAAE,GAAG,EAAE,iBAAiB,MAAM,iBAAiB;EACzF,CAAC;CACF,IAAI,UAAU,KAAA,GACb,OAAO,YAAY;EAClB,MAAM;EACN,WAAW;EACX,SAAS,MAAM;EACf,SAAS,SAAS,oBAAoB,yCAAyC,MAAM,QAAQ,GAAG;EAChG,SAAS,MAAM;EACf,CAAC;CAEH,MAAM,eAAe,oBAAoB,qBAAqB,MAAM,YAAY;CAChF,IAAI,iBAAiB,MAAM,CAAC,MAAM,KAAK,iBACtC,OAAO,YAAY;EAClB,MAAM;EACN,WAAW;EACX,SAAS,MAAM;EACf,SAAS,SAAS,oBAAoB,YAAY,MAAM,KAAK,cAAc,2CAA2C,MAAM,QAAQ;EACpI,SAAS,MAAM;EACf,CAAC;CAEH,IAAI,CAAC,MAAM,KAAK,aAAa,MAAM,UAClC,OAAO,YAAY;EAClB,MAAM;EACN,WAAW;EACX,SAAS,MAAM;EACf,SAAS,SAAS,oBAAoB,YAAY,MAAM,KAAK,cAAc,0BAA0B,MAAM,QAAQ;EACnH,SAAS,MAAM;EACf,CAAC;CAEH,MAAM,aAAa,MAAM,KAAK,UAAU,MAAM;CAC9C,IAAI,eAAe,KAAA,GAClB,OAAO,YAAY;EAClB,MAAM;EACN,WAAW;EACX,SAAS,MAAM;EACf,SAAS,SAAS,oBAAoB,YAAY,MAAM,KAAK,cAAc,SAAS,MAAM,gBAAgB;EAC1G,SAAS,MAAM;EACf,CAAC;CAEH,MAAM,uBAAuB,cAAc,WAAW;CACtD,OAAO;EACN,IAAI;EACJ,OAAO;GACN,SAAS,MAAM,KAAK;GACpB,cAAc,MAAM,KAAK;GACzB,gBAAgB,MAAM;GACtB,WAAW;GACX,WAAW,MAAM,QAAQ;GACzB,iBAAiB,MAAM;GACvB,YAAY,oBAAoB,sBAAsB,aAAa;GACnE;GACA,QAAQ,MAAM,KAAK;GACnB;EACD;;;;AChVF,SAAgB,sBAAqC;CACpD,OAAO,mBAAmBC,IAAQ,CAAC;;AAGpC,SAAgB,gBAAgB,OAAwC;CACvE,OAAO,OAAO,UAAU,YAAYC,SAAa,MAAM,IAAIC,QAAY,MAAM,KAAK;;AAGnF,SAAgB,mBAAmB,OAA+B;CACjE,IAAI,gBAAgB,MAAM,EACzB,OAAO;CAER,MAAM,IAAI,UAAU,oDAAoD;;;;ACpBzE,MAAM,8BAA8B,IAAI,IAAI;CAAC;CAAQ;CAAQ;CAAO,CAAC;AA8BrE,SAASC,cAAY,OAAoC;CACxD,OAAO,OAAO,UAAU,YAAY,UAAU,OAAO,QAAQ,KAAA;;AAG9D,SAAS,iBAAiB,OAAiC;CAC1D,OAAO,OAAO,UAAU,YAAY,MAAM,MAAM,CAAC,SAAS;;AAG3D,SAAgB,oBACf,OACA,WACyC;CACzC,MAAM,SAASA,cAAY,MAAM;CACjC,OACC,WAAW,KAAA,KACX,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,QAAQ,IAAI,QAAQ,YAAY,KAAK;;AAIvC,SAAgB,gBAAgB,OAAwC;CACvE,MAAM,SAASA,cAAY,MAAM;CACjC,OACC,WAAW,KAAA,KACX,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,iBAAiB,QAAQ,IAAI,QAAQ,cAAc,CAAC,IACpD,OAAO,QAAQ,IAAI,QAAQ,iBAAiB,KAAK,YACjD,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK;;AAIzC,SAAgB,sBAAsB,OAA8C;CACnF,MAAM,SAASA,cAAY,MAAM;CACjC,IAAI,WAAW,KAAA,GACd,OAAO;CAER,KAAK,MAAM,OAAO,OAAO,KAAK,OAAO,EACpC,IAAI,CAAC,4BAA4B,IAAI,IAAI,EACxC,OAAO;CAGT,OACC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK;;;;AC5CzC,SAAS,YAAY,OAAoC;CACxD,OAAO,OAAO,UAAU,YAAY,UAAU,OAAO,QAAQ,KAAA;;AAG9D,MAAM,iCAAiC,CAAC,SAAS,MAAM,CAAC,KAAK,GAAG;AAEhE,SAAgB,iBAAiB,OAAyC;CACzE,MAAM,SAAS,YAAY,MAAM;CACjC,OACC,oBAAoB,QAAQ,cAAc,IAC1C,gBAAgB,QAAQ,IAAI,QAAQ,UAAU,CAAC,IAC/C,gBAAgB,QAAQ,IAAI,QAAQ,MAAM,CAAC,IAC3C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,CAAC,QAAQ,IAAI,QAAQ,+BAA+B;;AAItD,SAAgB,kBAAkB,OAA0C;CAC3E,MAAM,SAAS,YAAY,MAAM;CACjC,OACC,oBAAoB,QAAQ,cAAc,IAC1C,gBAAgB,QAAQ,IAAI,QAAQ,UAAU,CAAC,IAC/C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,OAAO,QAAQ,IAAI,QAAQ,aAAa,KAAK,YAC7C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,sBAAsB,QAAQ,IAAI,QAAQ,MAAM,CAAC,IACjD,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,SAAS,KAAK,YACzC,CAAC,QAAQ,IAAI,QAAQ,+BAA+B"}
1
+ {"version":3,"file":"index.js","names":["uuidv7","validateUuid","uuidVersion","uuidv7","validateUuid","uuidVersion","objectValue"],"sources":["../src/gateway-runtime-contract.ts","../src/audience.ts","../src/health/controller-request-policy.ts","../src/health/agent-vm-health.ts","../src/force-ipv4-egress.ts","../src/split-resolved-gateway-secrets.ts","../src/tool-vm-active-use.ts","../src/runtime-paths/runtime-path-mapping.ts","../src/tool-vm-lease-id.ts","../src/vm-capability-lease.ts","../src/tool-vm-lease.ts"],"sourcesContent":["export const gatewayTypeValues = ['openclaw', 'worker'] as const;\n\nexport type GatewayType = (typeof gatewayTypeValues)[number];\n\nexport function buildGatewaySessionLabel(projectNamespace: string, zoneId: string): string {\n\treturn `${projectNamespace}:${zoneId}:gateway`;\n}\n\nexport function buildToolSessionLabel(\n\tprojectNamespace: string,\n\tzoneId: string,\n\ttcpSlot: number,\n): string {\n\treturn `${projectNamespace}:${zoneId}:tool:${tcpSlot}`;\n}\n","export const vmAudienceValues = ['gateway', 'tool-vm', 'both'] as const;\n\nexport type VmAudience = (typeof vmAudienceValues)[number];\nexport type RuntimeVmAudience = Exclude<VmAudience, 'both'>;\n\nexport interface EgressHostConfig {\n\treadonly host: string;\n\treadonly audience: VmAudience;\n}\n\nexport const controllerVmHost = 'controller.vm.host';\n\nexport function targetsAudience(\n\tconfigAudience: VmAudience,\n\truntimeAudience: RuntimeVmAudience,\n): boolean {\n\treturn configAudience === runtimeAudience || configAudience === 'both';\n}\n\nexport function egressHostsForAudience(\n\tegressHosts: readonly EgressHostConfig[],\n\truntimeAudience: RuntimeVmAudience,\n): readonly string[] {\n\treturn egressHosts\n\t\t.filter((egressHost) => targetsAudience(egressHost.audience, runtimeAudience))\n\t\t.map((egressHost) => egressHost.host);\n}\n\nexport function gatewayVmAllowedHosts(egressHosts: readonly EgressHostConfig[]): readonly string[] {\n\treturn Array.from(new Set([controllerVmHost, ...egressHostsForAudience(egressHosts, 'gateway')]));\n}\n","export const gatewayInternalControllerRequestOperations = [\n\t'controller-health',\n\t'health-event-publish',\n\t'openclaw-runtime-status',\n\t'zone-git-push',\n\t'lease-create',\n\t'lease-get',\n\t'lease-peek',\n\t'lease-list',\n\t'lease-renew',\n\t'lease-release',\n\t'lease-use-start',\n\t'lease-heartbeat',\n\t'lease-use-end',\n] as const;\n\nexport type GatewayInternalControllerRequestOperation =\n\t(typeof gatewayInternalControllerRequestOperations)[number];\n\nexport const workerInternalControllerRequestOperations = [\n\t'worker-push-branches',\n\t'worker-pull-default',\n] as const;\n\nexport type WorkerInternalControllerRequestOperation =\n\t(typeof workerInternalControllerRequestOperations)[number];\n\nexport type ControllerRequestPolicyOperation =\n\t| GatewayInternalControllerRequestOperation\n\t| WorkerInternalControllerRequestOperation;\n\nexport const dedicatedControllerRequestHealthEventOperations = [\n\t'lease-heartbeat',\n\t'lease-renew',\n] as const;\n\nexport type DedicatedControllerRequestHealthEventOperation =\n\t(typeof dedicatedControllerRequestHealthEventOperations)[number];\n\nexport type GenericControllerRequestEventOperation = Exclude<\n\tControllerRequestPolicyOperation,\n\tDedicatedControllerRequestHealthEventOperation\n>;\n\nconst dedicatedControllerRequestHealthEventOperationSet = new Set<ControllerRequestPolicyOperation>(\n\tdedicatedControllerRequestHealthEventOperations,\n);\n\nfunction isGenericControllerRequestEventOperation(\n\toperation: ControllerRequestPolicyOperation,\n): operation is GenericControllerRequestEventOperation {\n\treturn !dedicatedControllerRequestHealthEventOperationSet.has(operation);\n}\n\nexport const genericControllerRequestEventOperations = [\n\t...gatewayInternalControllerRequestOperations,\n\t...workerInternalControllerRequestOperations,\n].filter(isGenericControllerRequestEventOperation);\n\nexport const externalControllerRoutes = [\n\t'GET /controller-status',\n\t'GET /zones/:zoneId/status',\n\t'GET /zones/:zoneId/health',\n\t'GET /zones/:zoneId/zone-git/status',\n\t'GET /zones/:zoneId/logs',\n\t'POST /zones/:zoneId/credentials/refresh',\n\t'POST /zones/:zoneId/destroy',\n\t'POST /zones/:zoneId/upgrade',\n\t'GET /zones/:zoneId/tasks/:taskId',\n\t'POST /zones/:zoneId/worker-tasks',\n\t'POST /zones/:zoneId/tasks/:taskId/close',\n\t'POST /zones/:zoneId/enable-ssh',\n\t'POST /zones/:zoneId/execute-command',\n\t'POST /stop-controller',\n] as const;\n\nexport type ExternalControllerRoute = (typeof externalControllerRoutes)[number];\n\nexport type ControllerRequestPolicyIdempotency = 'read' | 'safe-mutation' | 'unsafe-mutation';\n\ninterface ControllerRequestPolicyBase {\n\treadonly idempotency: ControllerRequestPolicyIdempotency;\n\treadonly timeoutMs: number;\n}\n\nexport type ControllerRequestPolicy =\n\t| (ControllerRequestPolicyBase & {\n\t\t\treadonly maxAttempts: 1;\n\t\t\treadonly retryBaseDelayMs: 0;\n\t\t\treadonly retryEnabled: false;\n\t\t\treadonly retryStatuses: readonly [];\n\t })\n\t| (ControllerRequestPolicyBase & {\n\t\t\treadonly maxAttempts: number;\n\t\t\treadonly retryBaseDelayMs: number;\n\t\t\treadonly retryEnabled: true;\n\t\t\treadonly retryStatuses: readonly [number, ...number[]];\n\t });\n\nexport type ControllerRequestPolicyTransportErrorCode =\n\t| 'controller-request-failed'\n\t| 'controller-request-timeout';\n\nexport class ControllerRequestPolicyTransportError extends Error {\n\treadonly code: ControllerRequestPolicyTransportErrorCode;\n\treadonly operation: ControllerRequestPolicyOperation;\n\n\tconstructor(options: {\n\t\treadonly cause: unknown;\n\t\treadonly code: ControllerRequestPolicyTransportErrorCode;\n\t\treadonly operation: ControllerRequestPolicyOperation;\n\t}) {\n\t\tconst causeMessage =\n\t\t\toptions.cause instanceof Error ? options.cause.message : String(options.cause);\n\t\tsuper(`${options.operation} ${options.code}: ${causeMessage}`, {\n\t\t\tcause: options.cause,\n\t\t});\n\t\tthis.code = options.code;\n\t\tthis.operation = options.operation;\n\t}\n}\n\nexport interface FetchControllerWithPolicyOptions {\n\treadonly fetchImpl?: (input: string | URL | Request, init?: RequestInit) => Promise<Response>;\n\treadonly init?: RequestInit;\n\treadonly input: string | URL | Request;\n\treadonly operation: ControllerRequestPolicyOperation;\n\treadonly policy?: ControllerRequestPolicy;\n}\n\nfunction sleep(ms: number, signal?: AbortSignal): Promise<void> {\n\treturn new Promise((resolve, reject) => {\n\t\tif (signal?.aborted === true) {\n\t\t\treject(signal.reason);\n\t\t\treturn;\n\t\t}\n\t\tconst timeout = setTimeout(() => {\n\t\t\tsignal?.removeEventListener('abort', onAbort);\n\t\t\tresolve();\n\t\t}, ms);\n\t\tconst onAbort = (): void => {\n\t\t\tclearTimeout(timeout);\n\t\t\treject(signal?.reason);\n\t\t};\n\t\tsignal?.addEventListener('abort', onAbort, { once: true });\n\t});\n}\n\nfunction shouldRetryResponse(response: Response, policy: ControllerRequestPolicy): boolean {\n\treturn policy.retryEnabled && policy.retryStatuses.includes(response.status);\n}\n\nexport async function drainControllerResponseBody(response: Response): Promise<void> {\n\tif (response.bodyUsed) {\n\t\treturn;\n\t}\n\tawait response.text().catch(() => undefined);\n}\n\nasync function fetchWithTimeout(options: {\n\treadonly fetchImpl: (input: string | URL | Request, init?: RequestInit) => Promise<Response>;\n\treadonly init?: RequestInit | undefined;\n\treadonly input: string | URL | Request;\n\treadonly operation: ControllerRequestPolicyOperation;\n\treadonly timeoutMs: number;\n}): Promise<Response> {\n\tconst abortController = new AbortController();\n\tlet callerAborted = options.init?.signal?.aborted ?? false;\n\tlet timedOut = false;\n\tconst abortFromCaller = (): void => {\n\t\tcallerAborted = true;\n\t\tabortController.abort(options.init?.signal?.reason);\n\t};\n\tconst timeout = setTimeout(() => {\n\t\ttimedOut = true;\n\t\tabortController.abort(\n\t\t\tnew Error(`${options.operation} timed out after ${String(options.timeoutMs)}ms`),\n\t\t);\n\t}, options.timeoutMs);\n\tif (callerAborted) {\n\t\tabortController.abort(options.init?.signal?.reason);\n\t} else {\n\t\toptions.init?.signal?.addEventListener('abort', abortFromCaller, { once: true });\n\t}\n\ttry {\n\t\treturn await options.fetchImpl(options.input, {\n\t\t\t...options.init,\n\t\t\tsignal: abortController.signal,\n\t\t});\n\t} catch (error) {\n\t\tif (callerAborted) {\n\t\t\tthrow error;\n\t\t}\n\t\tthrow new ControllerRequestPolicyTransportError({\n\t\t\tcause: error,\n\t\t\tcode: timedOut ? 'controller-request-timeout' : 'controller-request-failed',\n\t\t\toperation: options.operation,\n\t\t});\n\t} finally {\n\t\tclearTimeout(timeout);\n\t\toptions.init?.signal?.removeEventListener('abort', abortFromCaller);\n\t}\n}\n\nexport async function fetchControllerWithPolicy(\n\toptions: FetchControllerWithPolicyOptions,\n): Promise<Response> {\n\tconst policy = options.policy ?? controllerRequestPolicies[options.operation];\n\tconst fetchImpl = options.fetchImpl ?? fetch;\n\tlet lastTransportError: ControllerRequestPolicyTransportError | undefined;\n\tfor (let attempt = 1; attempt <= policy.maxAttempts; attempt += 1) {\n\t\ttry {\n\t\t\t// oxlint-disable-next-line eslint/no-await-in-loop -- controller retries must remain ordered by attempt and backoff.\n\t\t\tconst response = await fetchWithTimeout({\n\t\t\t\tfetchImpl,\n\t\t\t\tinit: options.init,\n\t\t\t\tinput: options.input,\n\t\t\t\toperation: options.operation,\n\t\t\t\ttimeoutMs: policy.timeoutMs,\n\t\t\t});\n\t\t\tif (attempt < policy.maxAttempts && shouldRetryResponse(response, policy)) {\n\t\t\t\t// oxlint-disable-next-line eslint/no-await-in-loop -- drain before retrying so undici can release the response body.\n\t\t\t\tawait drainControllerResponseBody(response);\n\t\t\t\tif (policy.retryBaseDelayMs > 0) {\n\t\t\t\t\t// oxlint-disable-next-line eslint/no-await-in-loop -- retry backoff is intentionally sequential.\n\t\t\t\t\tawait sleep(policy.retryBaseDelayMs, options.init?.signal ?? undefined);\n\t\t\t\t}\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\treturn response;\n\t\t} catch (error) {\n\t\t\tif (!(error instanceof ControllerRequestPolicyTransportError)) {\n\t\t\t\tthrow error;\n\t\t\t}\n\t\t\tlastTransportError = error;\n\t\t\tif (!(policy.retryEnabled && attempt < policy.maxAttempts)) {\n\t\t\t\tthrow error;\n\t\t\t}\n\t\t\tif (policy.retryBaseDelayMs > 0) {\n\t\t\t\t// oxlint-disable-next-line eslint/no-await-in-loop -- retry backoff is intentionally sequential.\n\t\t\t\tawait sleep(policy.retryBaseDelayMs, options.init?.signal ?? undefined);\n\t\t\t}\n\t\t}\n\t}\n\tthrow lastTransportError ?? new Error(`${options.operation} failed without a response`);\n}\n\nexport const controllerRequestPolicies = {\n\t'controller-health': {\n\t\tidempotency: 'read',\n\t\tmaxAttempts: 1,\n\t\tretryBaseDelayMs: 0,\n\t\tretryEnabled: false,\n\t\tretryStatuses: [],\n\t\ttimeoutMs: 3_000,\n\t},\n\t'health-event-publish': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 1,\n\t\tretryBaseDelayMs: 0,\n\t\tretryEnabled: false,\n\t\tretryStatuses: [],\n\t\ttimeoutMs: 3_000,\n\t},\n\t'openclaw-runtime-status': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 30,\n\t\tretryBaseDelayMs: 1_000,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [429, 503, 504],\n\t\ttimeoutMs: 3_000,\n\t},\n\t'zone-git-push': {\n\t\tidempotency: 'unsafe-mutation',\n\t\tmaxAttempts: 1,\n\t\tretryBaseDelayMs: 0,\n\t\tretryEnabled: false,\n\t\tretryStatuses: [],\n\t\ttimeoutMs: 120_000,\n\t},\n\t'lease-create': {\n\t\tidempotency: 'unsafe-mutation',\n\t\tmaxAttempts: 1,\n\t\tretryBaseDelayMs: 0,\n\t\tretryEnabled: false,\n\t\tretryStatuses: [],\n\t\ttimeoutMs: 180_000,\n\t},\n\t'lease-get': {\n\t\tidempotency: 'read',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [503, 504],\n\t\ttimeoutMs: 5_000,\n\t},\n\t'lease-peek': {\n\t\tidempotency: 'read',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [503, 504],\n\t\ttimeoutMs: 5_000,\n\t},\n\t'lease-list': {\n\t\tidempotency: 'read',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [503, 504],\n\t\ttimeoutMs: 5_000,\n\t},\n\t'lease-renew': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 3,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [429, 503, 504],\n\t\ttimeoutMs: 10_000,\n\t},\n\t'lease-release': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [503, 504],\n\t\ttimeoutMs: 5_000,\n\t},\n\t'lease-use-start': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [429, 503, 504],\n\t\ttimeoutMs: 10_000,\n\t},\n\t'lease-heartbeat': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [429, 503, 504],\n\t\ttimeoutMs: 5_000,\n\t},\n\t'lease-use-end': {\n\t\tidempotency: 'safe-mutation',\n\t\tmaxAttempts: 2,\n\t\tretryBaseDelayMs: 250,\n\t\tretryEnabled: true,\n\t\tretryStatuses: [503, 504],\n\t\ttimeoutMs: 5_000,\n\t},\n\t'worker-push-branches': {\n\t\tidempotency: 'unsafe-mutation',\n\t\tmaxAttempts: 1,\n\t\tretryBaseDelayMs: 0,\n\t\tretryEnabled: false,\n\t\tretryStatuses: [],\n\t\ttimeoutMs: 120_000,\n\t},\n\t'worker-pull-default': {\n\t\tidempotency: 'unsafe-mutation',\n\t\tmaxAttempts: 1,\n\t\tretryBaseDelayMs: 0,\n\t\tretryEnabled: false,\n\t\tretryStatuses: [],\n\t\ttimeoutMs: 120_000,\n\t},\n} satisfies Record<ControllerRequestPolicyOperation, ControllerRequestPolicy>;\n","import { gatewayTypeValues, type GatewayType } from '../gateway-runtime-contract.js';\nimport {\n\tgenericControllerRequestEventOperations,\n\ttype GenericControllerRequestEventOperation,\n} from './controller-request-policy.js';\n\nexport const agentVmHealthEventKinds = [\n\t'gateway-service-health',\n\t'gateway-control-link',\n\t'controller-request',\n\t'lease-renew',\n\t'lease-heartbeat',\n\t'tool-vm-ssh',\n\t'gateway-plugin-health',\n\t'gateway-recovery',\n\t'gateway-recovery-suspended',\n] as const;\n\nexport type AgentVmHealthEventKind = (typeof agentVmHealthEventKinds)[number];\n\nexport const agentVmHealthResultKinds = ['ok', 'failed', 'timeout', 'stale'] as const;\n\nexport type AgentVmHealthResultKind = (typeof agentVmHealthResultKinds)[number];\n\nexport interface AgentVmHealthEventBase {\n\treadonly observedAtMs: number;\n\treadonly result: AgentVmHealthResultKind;\n\treadonly zoneId: string;\n}\n\nexport type ToolVmSshHealthOperation = 'command' | 'file-bridge' | 'finalize' | 'probe';\n\nexport type GatewayRecoveryHealthReason =\n\t| 'gateway-control-link-unhealthy'\n\t| 'gateway-service-unhealthy';\n\nexport const gatewayControlLinkHealthPins = {\n\tcontrollerHost: 'controller.vm.host',\n\tcontrollerPort: 18800,\n\toperation: 'controller-health',\n\tpath: '/health',\n} as const;\n\nexport type AgentVmHealthEvent =\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly kind: 'gateway-service-health';\n\t\t\treadonly path: string;\n\t\t\treadonly port: number;\n\t\t\treadonly statusCode?: number | undefined;\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly controllerHost: typeof gatewayControlLinkHealthPins.controllerHost;\n\t\t\treadonly controllerPort: typeof gatewayControlLinkHealthPins.controllerPort;\n\t\t\treadonly elapsedMs: number;\n\t\t\treadonly kind: 'gateway-control-link';\n\t\t\treadonly operation: typeof gatewayControlLinkHealthPins.operation;\n\t\t\treadonly path: typeof gatewayControlLinkHealthPins.path;\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly attempt: number;\n\t\t\treadonly elapsedMs: number;\n\t\t\treadonly errorCode?: string | undefined;\n\t\t\treadonly kind: 'controller-request';\n\t\t\treadonly maxAttempts: number;\n\t\t\treadonly operation: GenericControllerRequestEventOperation;\n\t\t\treadonly statusCode?: number | undefined;\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly agentId: string;\n\t\t\treadonly elapsedMs: number;\n\t\t\treadonly errorCode?: string | undefined;\n\t\t\treadonly kind: 'lease-renew';\n\t\t\treadonly leaseId: string;\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly agentId: string;\n\t\t\treadonly elapsedMs: number;\n\t\t\treadonly errorCode?: string | undefined;\n\t\t\treadonly kind: 'lease-heartbeat';\n\t\t\treadonly leaseId: string;\n\t\t\treadonly useId: string;\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly agentId: string;\n\t\t\treadonly elapsedMs: number;\n\t\t\treadonly errorCode?: string | undefined;\n\t\t\treadonly kind: 'tool-vm-ssh';\n\t\t\treadonly leaseId: string;\n\t\t\treadonly operation: ToolVmSshHealthOperation;\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly gatewayService: GatewayType;\n\t\t\treadonly kind: 'gateway-plugin-health';\n\t\t\treadonly state: 'starting' | 'ready' | 'stopping' | 'failed';\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly action: 'gateway-vm-restart';\n\t\t\treadonly consecutiveFailures: number;\n\t\t\treadonly cooldownMs: number;\n\t\t\treadonly elapsedMs: number;\n\t\t\treadonly kind: 'gateway-recovery';\n\t\t\treadonly leaseReleaseFailureCount: number;\n\t\t\treadonly newBootedAt: string;\n\t\t\treadonly newHostPid: number;\n\t\t\treadonly newVmId: string;\n\t\t\treadonly oldBootedAt: string;\n\t\t\treadonly oldHostPid: number;\n\t\t\treadonly oldVmId: string;\n\t\t\treadonly reason: GatewayRecoveryHealthReason;\n\t\t\treadonly result: 'ok';\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly action: 'gateway-vm-restart';\n\t\t\treadonly consecutiveFailures: number;\n\t\t\treadonly cooldownMs: number;\n\t\t\treadonly elapsedMs: number;\n\t\t\treadonly errorCode: string;\n\t\t\treadonly kind: 'gateway-recovery';\n\t\t\treadonly leaseReleaseFailureCount?: number | undefined;\n\t\t\treadonly oldBootedAt?: string | undefined;\n\t\t\treadonly oldHostPid?: number | undefined;\n\t\t\treadonly oldVmId?: string | undefined;\n\t\t\treadonly reason: GatewayRecoveryHealthReason;\n\t\t\treadonly result: 'failed';\n\t })\n\t| (AgentVmHealthEventBase & {\n\t\t\treadonly action: 'gateway-vm-restart';\n\t\t\treadonly consecutiveFailedRecoveries: number;\n\t\t\treadonly consecutiveFailures: number;\n\t\t\treadonly cooldownMs: number;\n\t\t\treadonly errorCode: 'max-failed-recoveries';\n\t\t\treadonly failedRecoveryResetMs: number;\n\t\t\treadonly kind: 'gateway-recovery-suspended';\n\t\t\treadonly reason: GatewayRecoveryHealthReason;\n\t\t\treadonly result: 'failed';\n\t });\n\nexport const zoneHealthStateKinds = ['unknown', 'ok', 'stale', 'failed'] as const;\n\nexport type ZoneHealthStateKind = (typeof zoneHealthStateKinds)[number];\n\nexport const zoneHealthIssueKinds = [\n\t'gateway-service-unhealthy',\n\t'gateway-control-link-unhealthy',\n\t'controller-request-failing',\n\t'lease-heartbeat-failing',\n\t'lease-renew-failing',\n\t'tool-vm-ssh-failing',\n\t'gateway-plugin-unhealthy',\n\t'gateway-recovery-failed',\n\t'gateway-recovery-suspended',\n\t'health-event-stale',\n] as const;\n\nexport type ZoneHealthIssueKind = (typeof zoneHealthIssueKinds)[number];\n\nexport interface ZoneHealthIssue {\n\treadonly kind: ZoneHealthIssueKind;\n\treadonly latestEvent: AgentVmHealthEvent;\n\treadonly message: string;\n\treadonly sinceMs: number;\n}\n\nexport type ZoneHealthSnapshot =\n\t| {\n\t\t\treadonly kind: 'unknown';\n\t\t\treadonly reason: 'no-events';\n\t\t\treadonly zoneId: string;\n\t }\n\t| {\n\t\t\treadonly kind: 'ok';\n\t\t\treadonly latestEvents: readonly AgentVmHealthEvent[];\n\t\t\treadonly zoneId: string;\n\t }\n\t| {\n\t\t\treadonly issues: readonly ZoneHealthIssue[];\n\t\t\treadonly kind: 'stale' | 'failed';\n\t\t\treadonly latestEvents: readonly AgentVmHealthEvent[];\n\t\t\treadonly zoneId: string;\n\t };\n\nexport interface DeriveZoneHealthSnapshotOptions {\n\treadonly nowMs: number;\n\treadonly staleAfterMs: number;\n\treadonly zoneId: string;\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n\treturn typeof value === 'object' && value !== null && !Array.isArray(value);\n}\n\nfunction isOneOf<TValues extends readonly string[]>(\n\tvalues: TValues,\n\tvalue: unknown,\n): value is TValues[number] {\n\treturn typeof value === 'string' && values.includes(value);\n}\n\nfunction isNonNegativeFiniteNumber(value: unknown): value is number {\n\treturn typeof value === 'number' && Number.isFinite(value) && value >= 0;\n}\n\nfunction hasBaseEventFields(record: Record<string, unknown>): boolean {\n\treturn (\n\t\tisNonNegativeFiniteNumber(record.observedAtMs) &&\n\t\tisOneOf(agentVmHealthResultKinds, record.result) &&\n\t\ttypeof record.zoneId === 'string' &&\n\t\trecord.zoneId.length > 0\n\t);\n}\n\nfunction optionalString(value: unknown): boolean {\n\treturn value === undefined || typeof value === 'string';\n}\n\nfunction optionalStatusCode(value: unknown): boolean {\n\treturn value === undefined || Number.isInteger(value);\n}\n\nfunction optionalNonNegativeInteger(value: unknown): boolean {\n\treturn value === undefined || (Number.isInteger(value) && Number(value) >= 0);\n}\n\nfunction isNonNegativeInteger(value: unknown): value is number {\n\treturn Number.isInteger(value) && Number(value) >= 0;\n}\n\nfunction isPositiveInteger(value: unknown): value is number {\n\treturn Number.isInteger(value) && Number(value) > 0;\n}\n\nexport function isAgentVmHealthEvent(value: unknown): value is AgentVmHealthEvent {\n\tif (!isRecord(value) || !hasBaseEventFields(value)) {\n\t\treturn false;\n\t}\n\tswitch (value.kind) {\n\t\tcase 'gateway-service-health':\n\t\t\treturn (\n\t\t\t\ttypeof value.path === 'string' &&\n\t\t\t\tvalue.path.length > 0 &&\n\t\t\t\tNumber.isInteger(value.port) &&\n\t\t\t\toptionalStatusCode(value.statusCode)\n\t\t\t);\n\t\tcase 'gateway-control-link':\n\t\t\treturn (\n\t\t\t\tvalue.controllerHost === gatewayControlLinkHealthPins.controllerHost &&\n\t\t\t\tvalue.controllerPort === gatewayControlLinkHealthPins.controllerPort &&\n\t\t\t\tisNonNegativeFiniteNumber(value.elapsedMs) &&\n\t\t\t\tvalue.operation === gatewayControlLinkHealthPins.operation &&\n\t\t\t\tvalue.path === gatewayControlLinkHealthPins.path\n\t\t\t);\n\t\tcase 'controller-request':\n\t\t\treturn (\n\t\t\t\tNumber.isInteger(value.attempt) &&\n\t\t\t\tisNonNegativeFiniteNumber(value.elapsedMs) &&\n\t\t\t\toptionalString(value.errorCode) &&\n\t\t\t\tNumber.isInteger(value.maxAttempts) &&\n\t\t\t\tisOneOf(genericControllerRequestEventOperations, value.operation) &&\n\t\t\t\toptionalStatusCode(value.statusCode)\n\t\t\t);\n\t\tcase 'lease-renew':\n\t\t\treturn (\n\t\t\t\ttypeof value.agentId === 'string' &&\n\t\t\t\tisNonNegativeFiniteNumber(value.elapsedMs) &&\n\t\t\t\toptionalString(value.errorCode) &&\n\t\t\t\ttypeof value.leaseId === 'string'\n\t\t\t);\n\t\tcase 'lease-heartbeat':\n\t\t\treturn (\n\t\t\t\ttypeof value.agentId === 'string' &&\n\t\t\t\tisNonNegativeFiniteNumber(value.elapsedMs) &&\n\t\t\t\toptionalString(value.errorCode) &&\n\t\t\t\ttypeof value.leaseId === 'string' &&\n\t\t\t\ttypeof value.useId === 'string'\n\t\t\t);\n\t\tcase 'tool-vm-ssh':\n\t\t\treturn (\n\t\t\t\ttypeof value.agentId === 'string' &&\n\t\t\t\tisNonNegativeFiniteNumber(value.elapsedMs) &&\n\t\t\t\toptionalString(value.errorCode) &&\n\t\t\t\ttypeof value.leaseId === 'string' &&\n\t\t\t\tisOneOf(['command', 'file-bridge', 'finalize', 'probe'] as const, value.operation)\n\t\t\t);\n\t\tcase 'gateway-plugin-health':\n\t\t\treturn (\n\t\t\t\tisOneOf(gatewayTypeValues, value.gatewayService) &&\n\t\t\t\tisOneOf(['starting', 'ready', 'stopping', 'failed'] as const, value.state)\n\t\t\t);\n\t\tcase 'gateway-recovery':\n\t\t\tif (\n\t\t\t\tvalue.action !== 'gateway-vm-restart' ||\n\t\t\t\t!isNonNegativeInteger(value.consecutiveFailures) ||\n\t\t\t\t!isPositiveInteger(value.cooldownMs) ||\n\t\t\t\t!isNonNegativeFiniteNumber(value.elapsedMs) ||\n\t\t\t\t!isOneOf(\n\t\t\t\t\t['gateway-control-link-unhealthy', 'gateway-service-unhealthy'] as const,\n\t\t\t\t\tvalue.reason,\n\t\t\t\t)\n\t\t\t) {\n\t\t\t\treturn false;\n\t\t\t}\n\t\t\tif (value.result === 'ok') {\n\t\t\t\treturn (\n\t\t\t\t\tisNonNegativeInteger(value.leaseReleaseFailureCount) &&\n\t\t\t\t\ttypeof value.newBootedAt === 'string' &&\n\t\t\t\t\tisNonNegativeInteger(value.newHostPid) &&\n\t\t\t\t\ttypeof value.newVmId === 'string' &&\n\t\t\t\t\ttypeof value.oldBootedAt === 'string' &&\n\t\t\t\t\tisNonNegativeInteger(value.oldHostPid) &&\n\t\t\t\t\ttypeof value.oldVmId === 'string' &&\n\t\t\t\t\tvalue.errorCode === undefined\n\t\t\t\t);\n\t\t\t}\n\t\t\tif (value.result === 'failed') {\n\t\t\t\treturn (\n\t\t\t\t\ttypeof value.errorCode === 'string' &&\n\t\t\t\t\tvalue.errorCode.length > 0 &&\n\t\t\t\t\toptionalNonNegativeInteger(value.leaseReleaseFailureCount) &&\n\t\t\t\t\toptionalString(value.oldBootedAt) &&\n\t\t\t\t\toptionalNonNegativeInteger(value.oldHostPid) &&\n\t\t\t\t\toptionalString(value.oldVmId) &&\n\t\t\t\t\tvalue.newBootedAt === undefined &&\n\t\t\t\t\tvalue.newHostPid === undefined &&\n\t\t\t\t\tvalue.newVmId === undefined\n\t\t\t\t);\n\t\t\t}\n\t\t\treturn false;\n\t\tcase 'gateway-recovery-suspended':\n\t\t\treturn (\n\t\t\t\tvalue.action === 'gateway-vm-restart' &&\n\t\t\t\tisNonNegativeInteger(value.consecutiveFailedRecoveries) &&\n\t\t\t\tisNonNegativeInteger(value.consecutiveFailures) &&\n\t\t\t\tisPositiveInteger(value.cooldownMs) &&\n\t\t\t\tvalue.errorCode === 'max-failed-recoveries' &&\n\t\t\t\tisPositiveInteger(value.failedRecoveryResetMs) &&\n\t\t\t\tisOneOf(\n\t\t\t\t\t['gateway-control-link-unhealthy', 'gateway-service-unhealthy'] as const,\n\t\t\t\t\tvalue.reason,\n\t\t\t\t) &&\n\t\t\t\tvalue.result === 'failed'\n\t\t\t);\n\t\tdefault:\n\t\t\treturn false;\n\t}\n}\n\nexport function healthEventBucketKey(event: AgentVmHealthEvent): string {\n\tswitch (event.kind) {\n\t\tcase 'gateway-control-link':\n\t\t\treturn `${event.zoneId}:${event.kind}`;\n\t\tcase 'gateway-service-health':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.port}:${event.path}`;\n\t\tcase 'controller-request':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.operation}`;\n\t\tcase 'lease-heartbeat':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.leaseId}:${event.useId}`;\n\t\tcase 'lease-renew':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.leaseId}`;\n\t\tcase 'tool-vm-ssh':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.leaseId}:${event.operation}`;\n\t\tcase 'gateway-plugin-health':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.gatewayService}`;\n\t\tcase 'gateway-recovery':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.action}`;\n\t\tcase 'gateway-recovery-suspended':\n\t\t\treturn `${event.zoneId}:${event.kind}:${event.action}`;\n\t}\n\treturn assertNeverHealthEvent(event);\n}\n\nfunction failedIssueKindForEvent(event: AgentVmHealthEvent): ZoneHealthIssueKind {\n\tswitch (event.kind) {\n\t\tcase 'gateway-service-health':\n\t\t\treturn 'gateway-service-unhealthy';\n\t\tcase 'gateway-control-link':\n\t\t\treturn 'gateway-control-link-unhealthy';\n\t\tcase 'controller-request':\n\t\t\treturn 'controller-request-failing';\n\t\tcase 'lease-heartbeat':\n\t\t\treturn 'lease-heartbeat-failing';\n\t\tcase 'lease-renew':\n\t\t\treturn 'lease-renew-failing';\n\t\tcase 'tool-vm-ssh':\n\t\t\treturn 'tool-vm-ssh-failing';\n\t\tcase 'gateway-plugin-health':\n\t\t\treturn 'gateway-plugin-unhealthy';\n\t\tcase 'gateway-recovery':\n\t\t\treturn 'gateway-recovery-failed';\n\t\tcase 'gateway-recovery-suspended':\n\t\t\treturn 'gateway-recovery-suspended';\n\t}\n\treturn assertNeverHealthEvent(event);\n}\n\nfunction assertNeverHealthEvent(event: never): never {\n\tthrow new Error(`Unhandled health event kind: ${JSON.stringify(event)}`);\n}\n\nfunction issueForEvent(\n\tevent: AgentVmHealthEvent,\n\toptions: DeriveZoneHealthSnapshotOptions,\n): ZoneHealthIssue | undefined {\n\tif (options.nowMs - event.observedAtMs > options.staleAfterMs) {\n\t\treturn {\n\t\t\tkind: 'health-event-stale',\n\t\t\tlatestEvent: event,\n\t\t\tmessage: `${event.kind} health event is stale`,\n\t\t\tsinceMs: event.observedAtMs,\n\t\t};\n\t}\n\tif (event.result === 'failed' || event.result === 'timeout' || event.result === 'stale') {\n\t\treturn {\n\t\t\tkind: failedIssueKindForEvent(event),\n\t\t\tlatestEvent: event,\n\t\t\tmessage: `${event.kind} health event reported ${event.result}`,\n\t\t\tsinceMs: event.observedAtMs,\n\t\t};\n\t}\n\treturn undefined;\n}\n\nexport function deriveZoneHealthSnapshot(\n\tevents: readonly AgentVmHealthEvent[],\n\toptions: DeriveZoneHealthSnapshotOptions,\n): ZoneHealthSnapshot {\n\tconst latestByKey = new Map<string, AgentVmHealthEvent>();\n\tfor (const event of events) {\n\t\tif (event.zoneId !== options.zoneId) {\n\t\t\tcontinue;\n\t\t}\n\t\tconst key = healthEventBucketKey(event);\n\t\tconst previous = latestByKey.get(key);\n\t\tif (!previous || previous.observedAtMs <= event.observedAtMs) {\n\t\t\tlatestByKey.set(key, event);\n\t\t}\n\t}\n\tconst latestEvents = [...latestByKey.values()].toSorted(\n\t\t(first, second) => second.observedAtMs - first.observedAtMs,\n\t);\n\tif (latestEvents.length === 0) {\n\t\treturn { kind: 'unknown', reason: 'no-events', zoneId: options.zoneId };\n\t}\n\tconst issues = latestEvents\n\t\t.map((event) => issueForEvent(event, options))\n\t\t.filter((issue): issue is ZoneHealthIssue => issue !== undefined);\n\tif (issues.length === 0) {\n\t\treturn { kind: 'ok', latestEvents, zoneId: options.zoneId };\n\t}\n\tif (issues.some((issue) => issue.kind === 'health-event-stale')) {\n\t\treturn { issues, kind: 'stale', latestEvents, zoneId: options.zoneId };\n\t}\n\treturn { issues, kind: 'failed', latestEvents, zoneId: options.zoneId };\n}\n","/**\n * Canonical NODE_OPTIONS value for forcing IPv4-preference egress\n * in agent-vm VMs.\n *\n * Background: Gondolin's synthetic DNS (when tcpHosts is enabled)\n * returns a per-host IPv4 (reverse-lookable) and a single shared\n * IPv4-mapped IPv6 (::ffff:198.18.0.1, NOT reverse-lookable). Node\n * 20+'s fetch (via undici, autoSelectFamily: true) races both\n * families; when the IPv6 race wins (~5-20% under sequential load),\n * gondolin cannot route it and the request fails with a non-JSON\n * 400 (HTTP) or 403 (TLS). The two flags below stop the race:\n *\n * --dns-result-order=ipv4first changes dns.lookup() so\n * IPv4 addresses are listed\n * before IPv6.\n *\n * --no-network-family-autoselection disables Node's Happy\n * Eyeballs entirely. This is\n * the load-bearing flag —\n * --dns-result-order alone\n * doesn't prevent Node from\n * racing both families if\n * IPv4 is slow.\n *\n * Composition: NODE_OPTIONS is whitespace-separated. To add more\n * flags downstream, append rather than replace. Example:\n *\n * NODE_OPTIONS: `${FORCE_IPV4_EGRESS_NODE_OPTIONS} --inspect`\n *\n * Reference: see `shravan-claw@0ddf5f2:docs/wip/debugging/\n * 2026-05-21-lease-keepalive-400-and-discord-403-ipv6-race.md`\n * for the full root-cause analysis. Node-side flag references:\n * https://github.com/nodejs/node/issues/54359 (autoSelectFamily\n * revert recommendation by the Node core team).\n */\nexport const FORCE_IPV4_EGRESS_NODE_OPTIONS =\n\t'--dns-result-order=ipv4first --no-network-family-autoselection';\n\nconst FORCE_IPV4_EGRESS_NODE_OPTION_FLAGS = FORCE_IPV4_EGRESS_NODE_OPTIONS.split(/\\s+/u);\n\n/**\n * Compose the forced IPv4-preference flags with a user-provided\n * NODE_OPTIONS value (if any).\n *\n * Use this at every site where NODE_OPTIONS is set into a VM env\n * block AFTER a spread of user-controlled secrets, to guarantee\n * the forced flags are always present in the final value even if\n * a zone secret happens to provide its own NODE_OPTIONS.\n *\n * Forced flags come FIRST so they are unambiguously applied.\n * User-provided flags are appended verbatim except for duplicate\n * forced IPv4-preference flags. Node treats NODE_OPTIONS as a\n * whitespace-separated list and all flags apply.\n *\n * Returns just the forced flags if the user value is undefined,\n * empty, or whitespace-only.\n *\n * Examples:\n *\n * composeNodeOptions(undefined)\n * ──► '--dns-result-order=ipv4first --no-network-family-autoselection'\n *\n * composeNodeOptions('')\n * ──► '--dns-result-order=ipv4first --no-network-family-autoselection'\n *\n * composeNodeOptions('--inspect=0.0.0.0:9229')\n * ──► '--dns-result-order=ipv4first --no-network-family-autoselection\n * --inspect=0.0.0.0:9229'\n */\nexport function composeNodeOptions(userValue: string | undefined): string {\n\tconst trimmed = userValue?.trim() ?? '';\n\tif (trimmed === '') {\n\t\treturn FORCE_IPV4_EGRESS_NODE_OPTIONS;\n\t}\n\tconst userFlags = trimmed\n\t\t.split(/\\s+/u)\n\t\t.filter((flag) => !FORCE_IPV4_EGRESS_NODE_OPTION_FLAGS.includes(flag));\n\tif (userFlags.length === 0) {\n\t\treturn FORCE_IPV4_EGRESS_NODE_OPTIONS;\n\t}\n\treturn `${FORCE_IPV4_EGRESS_NODE_OPTIONS} ${userFlags.join(' ')}`;\n}\n","import type { MediatedSecretSpec } from '@agent-vm/secret-management';\n\nimport { targetsAudience, type RuntimeVmAudience } from './audience.js';\nimport type { GatewaySecretConfig, GatewayZoneConfig } from './gateway-lifecycle.js';\n\nexport interface SplitResolvedSecretsResult {\n\treadonly environmentSecrets: Record<string, string>;\n\treadonly mediatedSecrets: Record<string, MediatedSecretSpec>;\n}\n\nexport interface MergeRuntimeGatewaySecretsOptions {\n\treadonly logPrefix?: string;\n\treadonly runtimeEnvironment?: Readonly<Record<string, string>> | undefined;\n\treadonly runtimeMediatedSecrets?: Readonly<Record<string, MediatedSecretSpec>> | undefined;\n}\n\nexport type SecretInjectionConfig = GatewaySecretConfig;\n\nexport interface SplitResolvedSecretsOptions {\n\treadonly audience: RuntimeVmAudience;\n\treadonly logPrefix?: string;\n}\n\nexport function splitResolvedSecretsByInjection(\n\tsecretConfigs: Readonly<Record<string, SecretInjectionConfig>>,\n\tresolvedSecrets: Record<string, string>,\n\toptions: SplitResolvedSecretsOptions,\n): SplitResolvedSecretsResult {\n\tconst environmentSecrets: Record<string, string> = {};\n\tconst mediatedSecrets: Record<string, MediatedSecretSpec> = {};\n\tconst logPrefix = options.logPrefix ?? 'split-resolved-secrets';\n\n\tfor (const [secretName, secretValue] of Object.entries(resolvedSecrets)) {\n\t\tconst secretConfig = secretConfigs[secretName];\n\t\tif (!secretConfig) {\n\t\t\tthrow new Error(\n\t\t\t\t`[${logPrefix}] Secret '${secretName}' was resolved but has no matching secret config.`,\n\t\t\t);\n\t\t}\n\t\tif (!targetsAudience(secretConfig.audience, options.audience)) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (secretConfig.injection === 'http-mediation') {\n\t\t\tif (secretConfig.hosts.length === 0) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`[${logPrefix}] Secret '${secretName}' uses http-mediation but declares no hosts.`,\n\t\t\t\t);\n\t\t\t}\n\t\t\tmediatedSecrets[secretName] = {\n\t\t\t\thosts: [...secretConfig.hosts],\n\t\t\t\tvalue: secretValue,\n\t\t\t};\n\t\t\tcontinue;\n\t\t}\n\n\t\tconst envSecretAudience = (secretConfig as { readonly audience: string }).audience;\n\t\tif (envSecretAudience !== 'gateway') {\n\t\t\tthrow new Error(\n\t\t\t\t`[${logPrefix}] Secret '${secretName}' uses env injection with non-gateway audience '${envSecretAudience}'.`,\n\t\t\t);\n\t\t}\n\t\tif (options.audience === 'gateway') {\n\t\t\tenvironmentSecrets[secretName] = secretValue;\n\t\t}\n\t}\n\n\treturn { environmentSecrets, mediatedSecrets };\n}\n\nexport type SplitResolvedGatewaySecretsResult = SplitResolvedSecretsResult;\n\nexport function splitResolvedGatewaySecrets(\n\tzone: GatewayZoneConfig,\n\tresolvedSecrets: Record<string, string>,\n): SplitResolvedGatewaySecretsResult {\n\treturn splitResolvedSecretsByInjection(zone.secrets, resolvedSecrets, {\n\t\taudience: 'gateway',\n\t\tlogPrefix: 'split-resolved-gateway-secrets',\n\t});\n}\n\nfunction assertNoRuntimeSecretCollision(\n\tsecretName: string,\n\ttarget: 'environment' | 'http-mediation',\n\tbaseSecrets: SplitResolvedSecretsResult,\n\truntimeSeen: Set<string>,\n\tlogPrefix: string,\n): void {\n\tif (runtimeSeen.has(secretName)) {\n\t\tthrow new Error(\n\t\t\t`[${logPrefix}] Runtime gateway secret '${secretName}' is declared for both environment and http-mediation injection.`,\n\t\t);\n\t}\n\tif (secretName in baseSecrets.environmentSecrets) {\n\t\tthrow new Error(\n\t\t\t`[${logPrefix}] Runtime gateway ${target} secret '${secretName}' would overwrite an authored environment secret.`,\n\t\t);\n\t}\n\tif (secretName in baseSecrets.mediatedSecrets) {\n\t\tthrow new Error(\n\t\t\t`[${logPrefix}] Runtime gateway ${target} secret '${secretName}' would overwrite an authored http-mediation secret.`,\n\t\t);\n\t}\n\truntimeSeen.add(secretName);\n}\n\nexport function mergeRuntimeGatewaySecrets(\n\tbaseSecrets: SplitResolvedSecretsResult,\n\toptions: MergeRuntimeGatewaySecretsOptions = {},\n): SplitResolvedSecretsResult {\n\tconst logPrefix = options.logPrefix ?? 'merge-runtime-gateway-secrets';\n\tconst runtimeSeen = new Set<string>();\n\tfor (const secretName of Object.keys(options.runtimeEnvironment ?? {})) {\n\t\tassertNoRuntimeSecretCollision(secretName, 'environment', baseSecrets, runtimeSeen, logPrefix);\n\t}\n\tfor (const secretName of Object.keys(options.runtimeMediatedSecrets ?? {})) {\n\t\tassertNoRuntimeSecretCollision(\n\t\t\tsecretName,\n\t\t\t'http-mediation',\n\t\t\tbaseSecrets,\n\t\t\truntimeSeen,\n\t\t\tlogPrefix,\n\t\t);\n\t}\n\n\treturn {\n\t\tenvironmentSecrets: {\n\t\t\t...baseSecrets.environmentSecrets,\n\t\t\t...options.runtimeEnvironment,\n\t\t},\n\t\tmediatedSecrets: {\n\t\t\t...baseSecrets.mediatedSecrets,\n\t\t\t...options.runtimeMediatedSecrets,\n\t\t},\n\t};\n}\n","import { v7 as uuidv7, validate as validateUuid, version as uuidVersion } from 'uuid';\n\nexport type ToolVmActiveUseOutcome =\n\t| 'abandoned'\n\t| 'cancelled'\n\t| 'completed'\n\t| 'failed'\n\t| 'timed-out';\n\nexport interface ToolVmActiveUseCorrelation {\n\treadonly agentId?: string | undefined;\n\treadonly sessionId?: string | undefined;\n\treadonly sessionKey?: string | undefined;\n\treadonly toolCallId?: string | undefined;\n\treadonly toolName?: string | undefined;\n}\n\nexport type ToolVmSshOperationPhase =\n\t| 'completed'\n\t| 'failed'\n\t| 'probe-succeeded'\n\t| 'running'\n\t| 'starting';\n\nexport type ToolVmSshFailureKind =\n\t| 'active-use-refreshable-failure'\n\t| 'ssh-command-failed'\n\t| 'ssh-command-timed-out'\n\t| 'ssh-probe-failed';\n\nexport interface ToolVmSshFailureReport {\n\treadonly kind: ToolVmSshFailureKind;\n\treadonly message: string;\n}\n\nexport interface ToolVmSshOperationReport {\n\treadonly failure?: ToolVmSshFailureReport | undefined;\n\treadonly probeSucceeded?: boolean | undefined;\n}\n\nexport interface ToolVmActiveUseOperationReport {\n\treadonly observedAtMs: number;\n\treadonly phase: ToolVmSshOperationPhase;\n\treadonly ssh?: ToolVmSshOperationReport | undefined;\n}\n\nexport interface StartToolVmActiveUseRequest {\n\treadonly correlation?: ToolVmActiveUseCorrelation | undefined;\n\treadonly report?: ToolVmActiveUseOperationReport | undefined;\n\treadonly useId: string;\n}\n\nexport interface StartToolVmActiveUseResponse {\n\treadonly expiresAt: number;\n\treadonly heartbeatAfterMs: number;\n\treadonly useId: string;\n}\n\nexport interface HeartbeatToolVmActiveUseResponse {\n\treadonly expiresAt: number;\n\treadonly heartbeatAfterMs: number;\n}\n\nexport interface HeartbeatToolVmActiveUseRequest {\n\treadonly report?: ToolVmActiveUseOperationReport | undefined;\n}\n\nexport interface EndToolVmActiveUseRequest {\n\treadonly outcome: ToolVmActiveUseOutcome;\n\treadonly report?: ToolVmActiveUseOperationReport | undefined;\n}\n\nexport interface ToolVmActiveUseHandle {\n\treadonly signal: AbortSignal;\n\treadonly useId: string;\n\tdispose(outcome?: ToolVmActiveUseOutcome): Promise<void>;\n\tend(outcome?: ToolVmActiveUseOutcome): Promise<void>;\n\treport(report: ToolVmActiveUseOperationReport): void;\n}\n\nexport interface CreateToolVmActiveUseHandleOptions {\n\treadonly correlation?: ToolVmActiveUseCorrelation | undefined;\n\treadonly endActiveUse: (useId: string, request: EndToolVmActiveUseRequest) => Promise<void>;\n\treadonly heartbeatActiveUse: (\n\t\tuseId: string,\n\t\trequest: HeartbeatToolVmActiveUseRequest,\n\t) => Promise<HeartbeatToolVmActiveUseResponse>;\n\treadonly heartbeatJitterRatio?: number | undefined;\n\treadonly isEndErrorTolerable?: (error: unknown) => boolean;\n\treadonly isHeartbeatErrorRefreshable?: (error: unknown) => boolean;\n\treadonly logEndFailure?: (error: unknown) => void;\n\treadonly logHeartbeatFailure?: (error: unknown) => void;\n\treadonly maxHeartbeatDurationMs?: number | undefined;\n\treadonly nowImpl?: (() => number) | undefined;\n\treadonly onRefreshableHeartbeatFailure?: (error: unknown) => Promise<void>;\n\treadonly randomImpl?: (() => number) | undefined;\n\treadonly startActiveUse: (\n\t\trequest: StartToolVmActiveUseRequest,\n\t) => Promise<StartToolVmActiveUseResponse>;\n\treadonly setTimeoutImpl?: typeof setTimeout | undefined;\n\treadonly clearTimeoutImpl?: typeof clearTimeout | undefined;\n}\n\ntype HeartbeatTimer = ReturnType<typeof setTimeout>;\n\nconst defaultMaxHeartbeatDurationMs = 12 * 60 * 60 * 1000;\n\nfunction jitterDelayMs(params: {\n\treadonly delayMs: number;\n\treadonly jitterRatio: number;\n\treadonly random: () => number;\n}): number {\n\tif (params.jitterRatio <= 0) {\n\t\treturn params.delayMs;\n\t}\n\tconst spreadMs = params.delayMs * params.jitterRatio;\n\tconst minMs = params.delayMs - spreadMs;\n\tconst jitteredMs = minMs + params.random() * spreadMs * 2;\n\treturn Math.max(1, Math.round(jitteredMs));\n}\n\nexport function createToolVmActiveUseId(): string {\n\treturn uuidv7();\n}\n\nexport function isToolVmActiveUseId(value: string): boolean {\n\treturn validateUuid(value) && uuidVersion(value) === 7;\n}\n\nexport async function createToolVmActiveUseHandle(\n\toptions: CreateToolVmActiveUseHandleOptions,\n): Promise<ToolVmActiveUseHandle> {\n\tconst useId = createToolVmActiveUseId();\n\tconst startedUse = await options.startActiveUse({\n\t\t...(options.correlation ? { correlation: options.correlation } : {}),\n\t\tuseId,\n\t});\n\tconst setTimeoutImpl = options.setTimeoutImpl ?? setTimeout;\n\tconst clearTimeoutImpl = options.clearTimeoutImpl ?? clearTimeout;\n\tconst now = options.nowImpl ?? Date.now;\n\tconst startedAt = now();\n\tconst maxHeartbeatDurationMs = options.maxHeartbeatDurationMs ?? defaultMaxHeartbeatDurationMs;\n\tconst heartbeatJitterRatio = options.heartbeatJitterRatio ?? 0.1;\n\tconst random = options.randomImpl ?? Math.random;\n\tconst operationAbortController = new AbortController();\n\tlet ended = false;\n\tlet heartbeatTimer: HeartbeatTimer | undefined;\n\tlet latestReport: ToolVmActiveUseOperationReport | undefined;\n\n\tconst clearHeartbeatTimer = (): void => {\n\t\tif (heartbeatTimer) {\n\t\t\tclearTimeoutImpl(heartbeatTimer);\n\t\t\theartbeatTimer = undefined;\n\t\t}\n\t};\n\n\tconst scheduleHeartbeat = (delayMs: number): void => {\n\t\tif (now() - startedAt >= maxHeartbeatDurationMs) {\n\t\t\treturn;\n\t\t}\n\t\tclearHeartbeatTimer();\n\t\theartbeatTimer = setTimeoutImpl(\n\t\t\t() => {\n\t\t\t\tif (now() - startedAt >= maxHeartbeatDurationMs) {\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tconst heartbeatRequest: HeartbeatToolVmActiveUseRequest =\n\t\t\t\t\tlatestReport === undefined ? {} : { report: latestReport };\n\t\t\t\tvoid options\n\t\t\t\t\t.heartbeatActiveUse(startedUse.useId, heartbeatRequest)\n\t\t\t\t\t.then((heartbeat) => {\n\t\t\t\t\t\tif (!ended) {\n\t\t\t\t\t\t\tscheduleHeartbeat(heartbeat.heartbeatAfterMs);\n\t\t\t\t\t\t}\n\t\t\t\t\t})\n\t\t\t\t\t.catch((error: unknown) => {\n\t\t\t\t\t\toptions.logHeartbeatFailure?.(error);\n\t\t\t\t\t\tif (\n\t\t\t\t\t\t\toptions.isHeartbeatErrorRefreshable?.(error) === true &&\n\t\t\t\t\t\t\toptions.onRefreshableHeartbeatFailure\n\t\t\t\t\t\t) {\n\t\t\t\t\t\t\toperationAbortController.abort(error);\n\t\t\t\t\t\t\tended = true;\n\t\t\t\t\t\t\tclearHeartbeatTimer();\n\t\t\t\t\t\t\tvoid options.onRefreshableHeartbeatFailure(error).catch((staleError: unknown) => {\n\t\t\t\t\t\t\t\toptions.logHeartbeatFailure?.(staleError);\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!ended) {\n\t\t\t\t\t\t\tscheduleHeartbeat(startedUse.heartbeatAfterMs);\n\t\t\t\t\t\t}\n\t\t\t\t\t});\n\t\t\t},\n\t\t\tjitterDelayMs({ delayMs, jitterRatio: heartbeatJitterRatio, random }),\n\t\t);\n\t};\n\n\tscheduleHeartbeat(startedUse.heartbeatAfterMs);\n\n\tconst end = async (outcome: ToolVmActiveUseOutcome = 'completed'): Promise<void> => {\n\t\tif (ended) {\n\t\t\treturn;\n\t\t}\n\t\tended = true;\n\t\tclearHeartbeatTimer();\n\t\ttry {\n\t\t\tawait options.endActiveUse(startedUse.useId, {\n\t\t\t\toutcome,\n\t\t\t\t...(latestReport === undefined ? {} : { report: latestReport }),\n\t\t\t});\n\t\t} catch (error) {\n\t\t\tif (options.isEndErrorTolerable?.(error) === true) {\n\t\t\t\toptions.logEndFailure?.(error);\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tthrow error;\n\t\t}\n\t};\n\n\treturn {\n\t\tsignal: operationAbortController.signal,\n\t\tuseId: startedUse.useId,\n\t\tdispose: end,\n\t\tend,\n\t\treport: (report): void => {\n\t\t\tif (ended) {\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tlatestReport = report;\n\t\t},\n\t};\n}\n","export const TOOL_VM_WORKSPACE_GUEST_ROOT = '/workspace';\nexport const TOOL_VM_SCRATCH_GUEST_ROOT = '/work';\nexport const OPENCLAW_STATE_VM_ROOT = '/home/openclaw/.openclaw/state';\nexport const OPENCLAW_STATE_SANDBOXES_VM_ROOT = `${OPENCLAW_STATE_VM_ROOT}/sandboxes`;\n\nexport type RuntimePathNamespace = 'controller-host' | 'openclaw-gateway' | 'tool-vm-guest';\nexport type RuntimePathPurpose = 'executionCwd' | 'leaseMount';\n\nexport interface RuntimePathCapabilities {\n\treadonly executionCwd: boolean;\n\treadonly leaseMount: boolean;\n}\n\nexport type RuntimePathBacking =\n\t| {\n\t\t\treadonly kind: 'host-realfs';\n\t\t\treadonly durability: 'durable' | 'runtime' | 'cache';\n\t\t\treadonly backup: 'included' | 'excluded';\n\t }\n\t| {\n\t\t\treadonly kind: 'guest-rootfs-cow';\n\t\t\treadonly durability: 'vm-lifetime';\n\t };\n\nexport type RuntimePathLocations = Partial<Record<RuntimePathNamespace, string>>;\nexport type RuntimePathHostRealfsLocations =\n\t| {\n\t\t\treadonly 'controller-host': string;\n\t\t\treadonly 'openclaw-gateway'?: string;\n\t\t\treadonly 'tool-vm-guest'?: string;\n\t }\n\t| {\n\t\t\treadonly 'controller-host'?: string;\n\t\t\treadonly 'openclaw-gateway': string;\n\t\t\treadonly 'tool-vm-guest'?: string;\n\t };\nexport interface RuntimePathGuestRootfsCowLocations {\n\treadonly 'controller-host'?: never;\n\treadonly 'openclaw-gateway'?: never;\n\treadonly 'tool-vm-guest': string;\n}\nexport type RuntimePathGuidanceVisibility = Partial<Record<RuntimePathNamespace, boolean>>;\n\ninterface RuntimePathRootMappingBase {\n\treadonly capabilities: RuntimePathCapabilities;\n\treadonly guidanceLabel: string;\n\treadonly id: string;\n\t/**\n\t * False for broad roots like /zone where mounting the root would expose\n\t * unrelated children; callers must request an explicit child path.\n\t */\n\treadonly rootPathAllowed: boolean;\n\treadonly showInGuidance?: RuntimePathGuidanceVisibility;\n}\n\nexport type RuntimePathRootMapping =\n\t| (RuntimePathRootMappingBase & {\n\t\t\treadonly backing: Extract<RuntimePathBacking, { readonly kind: 'host-realfs' }>;\n\t\t\treadonly locations: RuntimePathHostRealfsLocations;\n\t })\n\t| (RuntimePathRootMappingBase & {\n\t\t\treadonly backing: Extract<RuntimePathBacking, { readonly kind: 'guest-rootfs-cow' }>;\n\t\t\treadonly capabilities: RuntimePathCapabilities & { readonly leaseMount: false };\n\t\t\treadonly locations: RuntimePathGuestRootfsCowLocations;\n\t });\n\nexport interface RuntimePathMapping {\n\treadonly id: string;\n\treadonly roots: readonly RuntimePathRootMapping[];\n}\n\nexport interface TranslateRuntimePathInput {\n\treadonly inputPath: string;\n\treadonly mapping: RuntimePathMapping;\n\treadonly purpose: RuntimePathPurpose;\n\treadonly sourceNamespace?: RuntimePathNamespace;\n\treadonly targetNamespace: RuntimePathNamespace;\n}\n\nexport interface RuntimePathTranslation {\n\treadonly backing: RuntimePathBacking;\n\treadonly capabilities: RuntimePathCapabilities;\n\treadonly inputNamespace: RuntimePathNamespace;\n\treadonly inputPath: string;\n\treadonly mappingId: string;\n\treadonly outputNamespace: RuntimePathNamespace;\n\treadonly outputPath: string;\n\treadonly relativePath: string;\n\treadonly rootId: string;\n}\n\nexport type RuntimePathTranslationErrorCode =\n\t| 'path-not-absolute'\n\t| 'path-parent-traversal'\n\t| 'invalid-runtime-root'\n\t| 'unknown-runtime-path'\n\t| 'purpose-not-allowed'\n\t| 'root-path-not-allowed'\n\t| 'target-namespace-not-available';\n\nexport interface RuntimePathTranslationError {\n\treadonly allowedPathForms: readonly string[];\n\treadonly code: RuntimePathTranslationErrorCode;\n\treadonly inputPath: string;\n\treadonly mappingId: string;\n\treadonly message: string;\n\treadonly purpose: RuntimePathPurpose;\n\treadonly retryGuidance: string;\n}\n\nexport type TranslateRuntimePathResult =\n\t| {\n\t\t\treadonly ok: true;\n\t\t\treadonly value: RuntimePathTranslation;\n\t }\n\t| {\n\t\t\treadonly ok: false;\n\t\t\treadonly error: RuntimePathTranslationError;\n\t };\n\ninterface RuntimePathRootMatch {\n\treadonly inputNamespace: RuntimePathNamespace;\n\treadonly matchedRoot: string;\n\treadonly root: RuntimePathRootMapping;\n}\n\nconst guidanceNamespaceOrder = [\n\t'tool-vm-guest',\n\t'openclaw-gateway',\n\t'controller-host',\n] as const satisfies readonly RuntimePathNamespace[];\n\nfunction pathContainsParentTraversal(inputPath: string): boolean {\n\treturn inputPath.split(/\\/+/u).includes('..');\n}\n\nfunction normalizeAbsolutePath(inputPath: string): string {\n\tconst rawSegments = inputPath.split('/').filter((segment) => segment !== '' && segment !== '.');\n\treturn `/${rawSegments.join('/')}`;\n}\n\nfunction normalizeRoot(rootPath: string): string {\n\tconst normalizedRoot = normalizeAbsolutePath(rootPath);\n\treturn normalizedRoot === '/' ? normalizedRoot : normalizedRoot.replace(/\\/+$/u, '');\n}\n\nfunction pathMatchesRoot(candidatePath: string, rootPath: string): boolean {\n\treturn candidatePath === rootPath || candidatePath.startsWith(`${rootPath}/`);\n}\n\nfunction relativePathForRoot(candidatePath: string, rootPath: string): string {\n\treturn candidatePath === rootPath ? '' : candidatePath.slice(rootPath.length + 1);\n}\n\nfunction joinRootAndRelative(rootPath: string, relativePath: string): string {\n\treturn relativePath === '' ? rootPath : `${rootPath}/${relativePath}`;\n}\n\nfunction runtimeRootIsInvalid(rootPath: string): boolean {\n\treturn (\n\t\trootPath.trim() === '' || !rootPath.startsWith('/') || pathContainsParentTraversal(rootPath)\n\t);\n}\n\nfunction namespaceShouldShowInGuidance(\n\troot: RuntimePathRootMapping,\n\tnamespace: RuntimePathNamespace,\n): boolean {\n\tif (root.showInGuidance?.[namespace] !== undefined) {\n\t\treturn root.showInGuidance[namespace];\n\t}\n\treturn namespace !== 'controller-host';\n}\n\nfunction allowedPathFormsForMapping(\n\tmapping: RuntimePathMapping,\n\tpurpose: RuntimePathPurpose,\n): readonly string[] {\n\treturn mapping.roots.flatMap((root) => {\n\t\tif (!root.capabilities[purpose]) {\n\t\t\treturn [];\n\t\t}\n\t\tconst suffix = root.rootPathAllowed ? '[/subpath]' : '/<child>';\n\t\treturn guidanceNamespaceOrder.flatMap((namespace): string[] => {\n\t\t\tconst rootPath = root.locations[namespace];\n\t\t\tif (rootPath === undefined || !namespaceShouldShowInGuidance(root, namespace)) {\n\t\t\t\treturn [];\n\t\t\t}\n\t\t\treturn [`${normalizeRoot(rootPath)}${suffix}`];\n\t\t});\n\t});\n}\n\nfunction retryGuidanceForMapping(mapping: RuntimePathMapping, purpose: RuntimePathPurpose): string {\n\treturn `Use one of the allowed path forms for ${mapping.id} ${purpose}: ${allowedPathFormsForMapping(mapping, purpose).join(', ')}.`;\n}\n\nfunction errorResult(params: {\n\treadonly code: RuntimePathTranslationErrorCode;\n\treadonly inputPath: string;\n\treadonly mapping: RuntimePathMapping;\n\treadonly message: string;\n\treadonly purpose: RuntimePathPurpose;\n}): TranslateRuntimePathResult {\n\treturn {\n\t\terror: {\n\t\t\tallowedPathForms: allowedPathFormsForMapping(params.mapping, params.purpose),\n\t\t\tcode: params.code,\n\t\t\tinputPath: params.inputPath,\n\t\t\tmappingId: params.mapping.id,\n\t\t\tmessage: params.message,\n\t\t\tpurpose: params.purpose,\n\t\t\tretryGuidance: retryGuidanceForMapping(params.mapping, params.purpose),\n\t\t},\n\t\tok: false,\n\t};\n}\n\nfunction findBestRootMatch(params: {\n\treadonly inputPath: string;\n\treadonly mapping: RuntimePathMapping;\n\treadonly sourceNamespace?: RuntimePathNamespace;\n}): RuntimePathRootMatch | undefined {\n\tconst matches = params.mapping.roots.flatMap((root): RuntimePathRootMatch[] =>\n\t\tguidanceNamespaceOrder.flatMap((inputNamespace) => {\n\t\t\tconst rootPath = root.locations[inputNamespace];\n\t\t\tif (rootPath === undefined) {\n\t\t\t\treturn [];\n\t\t\t}\n\t\t\tif (params.sourceNamespace !== undefined && inputNamespace !== params.sourceNamespace) {\n\t\t\t\treturn [];\n\t\t\t}\n\t\t\tconst normalizedRoot = normalizeRoot(rootPath);\n\t\t\treturn pathMatchesRoot(params.inputPath, normalizedRoot)\n\t\t\t\t? [{ inputNamespace, matchedRoot: normalizedRoot, root }]\n\t\t\t\t: [];\n\t\t}),\n\t);\n\treturn matches.toSorted((left, right) => right.matchedRoot.length - left.matchedRoot.length)[0];\n}\n\nfunction findInvalidRoot(\n\tmapping: RuntimePathMapping,\n): { readonly rootId: string; readonly rootPath: string } | undefined {\n\tfor (const root of mapping.roots) {\n\t\tfor (const namespace of guidanceNamespaceOrder) {\n\t\t\tconst rootPath = root.locations[namespace];\n\t\t\tif (rootPath !== undefined && runtimeRootIsInvalid(rootPath)) {\n\t\t\t\treturn { rootId: root.id, rootPath };\n\t\t\t}\n\t\t}\n\t}\n\treturn undefined;\n}\n\nexport function translateRuntimePath(input: TranslateRuntimePathInput): TranslateRuntimePathResult {\n\tif (!input.inputPath.startsWith('/')) {\n\t\treturn errorResult({\n\t\t\tcode: 'path-not-absolute',\n\t\t\tinputPath: input.inputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${input.inputPath}' must be absolute.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\t// Reject traversal before normalization so /workspace/../secret cannot\n\t// collapse into a seemingly valid path under a trusted root.\n\tif (pathContainsParentTraversal(input.inputPath)) {\n\t\treturn errorResult({\n\t\t\tcode: 'path-parent-traversal',\n\t\t\tinputPath: input.inputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${input.inputPath}' must not contain parent traversal.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tconst invalidRoot = findInvalidRoot(input.mapping);\n\tif (invalidRoot !== undefined) {\n\t\treturn errorResult({\n\t\t\tcode: 'invalid-runtime-root',\n\t\t\tinputPath: input.inputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Runtime path root '${invalidRoot.rootId}' has invalid path '${invalidRoot.rootPath}'.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tconst normalizedInputPath = normalizeAbsolutePath(input.inputPath);\n\tconst match = findBestRootMatch({\n\t\tinputPath: normalizedInputPath,\n\t\tmapping: input.mapping,\n\t\t...(input.sourceNamespace === undefined ? {} : { sourceNamespace: input.sourceNamespace }),\n\t});\n\tif (match === undefined) {\n\t\treturn errorResult({\n\t\t\tcode: 'unknown-runtime-path',\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${normalizedInputPath}' is not part of runtime path mapping '${input.mapping.id}'.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tconst relativePath = relativePathForRoot(normalizedInputPath, match.matchedRoot);\n\tif (relativePath === '' && !match.root.rootPathAllowed) {\n\t\treturn errorResult({\n\t\t\tcode: 'root-path-not-allowed',\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${normalizedInputPath}' matched ${match.root.guidanceLabel}, but the root itself is not allowed for ${input.purpose}.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tif (!match.root.capabilities[input.purpose]) {\n\t\treturn errorResult({\n\t\t\tcode: 'purpose-not-allowed',\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${normalizedInputPath}' matched ${match.root.guidanceLabel} but cannot be used for ${input.purpose}.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tconst targetRoot = match.root.locations[input.targetNamespace];\n\tif (targetRoot === undefined) {\n\t\treturn errorResult({\n\t\t\tcode: 'target-namespace-not-available',\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${normalizedInputPath}' matched ${match.root.guidanceLabel}, but '${input.targetNamespace}' is not available for that root.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tconst normalizedTargetRoot = normalizeRoot(targetRoot);\n\treturn {\n\t\tok: true,\n\t\tvalue: {\n\t\t\tbacking: match.root.backing,\n\t\t\tcapabilities: match.root.capabilities,\n\t\t\tinputNamespace: match.inputNamespace,\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tmappingId: input.mapping.id,\n\t\t\toutputNamespace: input.targetNamespace,\n\t\t\toutputPath: joinRootAndRelative(normalizedTargetRoot, relativePath),\n\t\t\trelativePath,\n\t\t\trootId: match.root.id,\n\t\t},\n\t};\n}\n","import { v7 as uuidv7, validate as validateUuid, version as uuidVersion } from 'uuid';\n\ndeclare const toolVmLeaseIdBrand: unique symbol;\n\nexport type ToolVmLeaseId = string & {\n\treadonly [toolVmLeaseIdBrand]: true;\n};\n\nexport function createToolVmLeaseId(): ToolVmLeaseId {\n\treturn parseToolVmLeaseId(uuidv7());\n}\n\nexport function isToolVmLeaseId(value: unknown): value is ToolVmLeaseId {\n\treturn typeof value === 'string' && validateUuid(value) && uuidVersion(value) === 7;\n}\n\nexport function parseToolVmLeaseId(value: unknown): ToolVmLeaseId {\n\tif (isToolVmLeaseId(value)) {\n\t\treturn value;\n\t}\n\tthrow new TypeError('Tool VM lease id must be an opaque UUIDv7 string.');\n}\n","const VM_SSH_PUBLIC_ENDPOINT_KEYS = new Set(['host', 'port', 'user']);\n\n/**\n * Small host-issued capability envelope shared by VM-backed transports. The\n * transport tag keeps SSH Tool VM leases distinct from future host-side\n * Gondolin RPC or bridge capabilities without inventing a transport object.\n */\nexport interface VmCapabilityLease<TTransport extends string> {\n\treadonly leaseId: string;\n\treadonly transport: TTransport;\n}\n\nexport interface VmSshEndpoint {\n\treadonly host: string;\n\treadonly identityPem: string;\n\treadonly knownHostsLine: string;\n\treadonly port: number;\n\treadonly user: string;\n}\n\nexport interface VmSshPublicEndpoint {\n\treadonly host: string;\n\treadonly port: number;\n\treadonly user: string;\n}\n\nexport interface VmSshLease<TTransport extends string> extends VmCapabilityLease<TTransport> {\n\treadonly ssh: VmSshEndpoint;\n}\n\nfunction objectValue(value: unknown): object | undefined {\n\treturn typeof value === 'object' && value !== null ? value : undefined;\n}\n\nfunction isNonEmptyString(value: unknown): value is string {\n\treturn typeof value === 'string' && value.trim().length > 0;\n}\n\nexport function isVmCapabilityLease<TTransport extends string>(\n\tvalue: unknown,\n\ttransport: TTransport,\n): value is VmCapabilityLease<TTransport> {\n\tconst record = objectValue(value);\n\treturn (\n\t\trecord !== undefined &&\n\t\ttypeof Reflect.get(record, 'leaseId') === 'string' &&\n\t\tReflect.get(record, 'transport') === transport\n\t);\n}\n\nexport function isVmSshEndpoint(value: unknown): value is VmSshEndpoint {\n\tconst record = objectValue(value);\n\treturn (\n\t\trecord !== undefined &&\n\t\ttypeof Reflect.get(record, 'host') === 'string' &&\n\t\tisNonEmptyString(Reflect.get(record, 'identityPem')) &&\n\t\ttypeof Reflect.get(record, 'knownHostsLine') === 'string' &&\n\t\ttypeof Reflect.get(record, 'port') === 'number' &&\n\t\ttypeof Reflect.get(record, 'user') === 'string'\n\t);\n}\n\nexport function isVmSshPublicEndpoint(value: unknown): value is VmSshPublicEndpoint {\n\tconst record = objectValue(value);\n\tif (record === undefined) {\n\t\treturn false;\n\t}\n\tfor (const key of Object.keys(record)) {\n\t\tif (!VM_SSH_PUBLIC_ENDPOINT_KEYS.has(key)) {\n\t\t\treturn false;\n\t\t}\n\t}\n\treturn (\n\t\ttypeof Reflect.get(record, 'host') === 'string' &&\n\t\ttypeof Reflect.get(record, 'port') === 'number' &&\n\t\ttypeof Reflect.get(record, 'user') === 'string'\n\t);\n}\n","import { isToolVmLeaseId, type ToolVmLeaseId } from './tool-vm-lease-id.js';\nimport {\n\tisVmCapabilityLease,\n\tisVmSshEndpoint,\n\tisVmSshPublicEndpoint,\n\ttype VmCapabilityLease,\n\ttype VmSshLease,\n\ttype VmSshPublicEndpoint,\n} from './vm-capability-lease.js';\n\nexport interface ToolVmSshLease extends VmSshLease<'ssh-sandbox'> {\n\treadonly agentId: string;\n\treadonly idleTtlMs: number;\n\treadonly leaseId: ToolVmLeaseId;\n\treadonly tcpSlot: number;\n\treadonly workdir: string;\n}\n\nexport interface ToolVmLeasePeek extends VmCapabilityLease<'ssh-sandbox'> {\n\treadonly agentId: string;\n\treadonly createdAt: number;\n\treadonly idleTtlMs: number;\n\treadonly lastUsedAt: number;\n\treadonly leaseId: ToolVmLeaseId;\n\treadonly profileId: string;\n\treadonly ssh: VmSshPublicEndpoint;\n\treadonly tcpSlot: number;\n\treadonly workdir: string;\n\treadonly zoneId: string;\n}\n\nfunction objectValue(value: unknown): object | undefined {\n\treturn typeof value === 'object' && value !== null ? value : undefined;\n}\n\nconst deprecatedScopeKeyPropertyName = ['scope', 'Key'].join('');\n\nexport function isToolVmSshLease(value: unknown): value is ToolVmSshLease {\n\tconst record = objectValue(value);\n\treturn (\n\t\tisVmCapabilityLease(record, 'ssh-sandbox') &&\n\t\tisToolVmLeaseId(Reflect.get(record, 'leaseId')) &&\n\t\tisVmSshEndpoint(Reflect.get(record, 'ssh')) &&\n\t\ttypeof Reflect.get(record, 'agentId') === 'string' &&\n\t\ttypeof Reflect.get(record, 'idleTtlMs') === 'number' &&\n\t\ttypeof Reflect.get(record, 'tcpSlot') === 'number' &&\n\t\ttypeof Reflect.get(record, 'workdir') === 'string' &&\n\t\t!Reflect.has(record, deprecatedScopeKeyPropertyName)\n\t);\n}\n\nexport function isToolVmLeasePeek(value: unknown): value is ToolVmLeasePeek {\n\tconst record = objectValue(value);\n\treturn (\n\t\tisVmCapabilityLease(record, 'ssh-sandbox') &&\n\t\tisToolVmLeaseId(Reflect.get(record, 'leaseId')) &&\n\t\ttypeof Reflect.get(record, 'agentId') === 'string' &&\n\t\ttypeof Reflect.get(record, 'createdAt') === 'number' &&\n\t\ttypeof Reflect.get(record, 'idleTtlMs') === 'number' &&\n\t\ttypeof Reflect.get(record, 'lastUsedAt') === 'number' &&\n\t\ttypeof Reflect.get(record, 'profileId') === 'string' &&\n\t\tisVmSshPublicEndpoint(Reflect.get(record, 'ssh')) &&\n\t\ttypeof Reflect.get(record, 'tcpSlot') === 'number' &&\n\t\ttypeof Reflect.get(record, 'workdir') === 'string' &&\n\t\ttypeof Reflect.get(record, 'zoneId') === 'string' &&\n\t\t!Reflect.has(record, deprecatedScopeKeyPropertyName)\n\t);\n}\n"],"mappings":";;AAAA,MAAa,oBAAoB,CAAC,YAAY,SAAS;AAIvD,SAAgB,yBAAyB,kBAA0B,QAAwB;CAC1F,OAAO,GAAG,iBAAiB,GAAG,OAAO;;AAGtC,SAAgB,sBACf,kBACA,QACA,SACS;CACT,OAAO,GAAG,iBAAiB,GAAG,OAAO,QAAQ;;;;ACb9C,MAAa,mBAAmB;CAAC;CAAW;CAAW;CAAO;AAU9D,MAAa,mBAAmB;AAEhC,SAAgB,gBACf,gBACA,iBACU;CACV,OAAO,mBAAmB,mBAAmB,mBAAmB;;AAGjE,SAAgB,uBACf,aACA,iBACoB;CACpB,OAAO,YACL,QAAQ,eAAe,gBAAgB,WAAW,UAAU,gBAAgB,CAAC,CAC7E,KAAK,eAAe,WAAW,KAAK;;AAGvC,SAAgB,sBAAsB,aAA6D;CAClG,OAAO,MAAM,KAAK,IAAI,IAAI,CAAC,kBAAkB,GAAG,uBAAuB,aAAa,UAAU,CAAC,CAAC,CAAC;;;;AC7BlG,MAAa,6CAA6C;CACzD;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AAKD,MAAa,4CAA4C,CACxD,wBACA,sBACA;AAsBD,MAAM,oDAAoD,IAAI,IAC7D,CAbA,mBACA,cAYA,CACA;AAED,SAAS,yCACR,WACsD;CACtD,OAAO,CAAC,kDAAkD,IAAI,UAAU;;AAGzE,MAAa,0CAA0C,CACtD,GAAG,4CACH,GAAG,0CACH,CAAC,OAAO,yCAAyC;AAElD,MAAa,2BAA2B;CACvC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AA6BD,IAAa,wCAAb,cAA2D,MAAM;CAChE;CACA;CAEA,YAAY,SAIT;EACF,MAAM,eACL,QAAQ,iBAAiB,QAAQ,QAAQ,MAAM,UAAU,OAAO,QAAQ,MAAM;EAC/E,MAAM,GAAG,QAAQ,UAAU,GAAG,QAAQ,KAAK,IAAI,gBAAgB,EAC9D,OAAO,QAAQ,OACf,CAAC;EACF,KAAK,OAAO,QAAQ;EACpB,KAAK,YAAY,QAAQ;;;AAY3B,SAAS,MAAM,IAAY,QAAqC;CAC/D,OAAO,IAAI,SAAS,SAAS,WAAW;EACvC,IAAI,QAAQ,YAAY,MAAM;GAC7B,OAAO,OAAO,OAAO;GACrB;;EAED,MAAM,UAAU,iBAAiB;GAChC,QAAQ,oBAAoB,SAAS,QAAQ;GAC7C,SAAS;KACP,GAAG;EACN,MAAM,gBAAsB;GAC3B,aAAa,QAAQ;GACrB,OAAO,QAAQ,OAAO;;EAEvB,QAAQ,iBAAiB,SAAS,SAAS,EAAE,MAAM,MAAM,CAAC;GACzD;;AAGH,SAAS,oBAAoB,UAAoB,QAA0C;CAC1F,OAAO,OAAO,gBAAgB,OAAO,cAAc,SAAS,SAAS,OAAO;;AAG7E,eAAsB,4BAA4B,UAAmC;CACpF,IAAI,SAAS,UACZ;CAED,MAAM,SAAS,MAAM,CAAC,YAAY,KAAA,EAAU;;AAG7C,eAAe,iBAAiB,SAMV;CACrB,MAAM,kBAAkB,IAAI,iBAAiB;CAC7C,IAAI,gBAAgB,QAAQ,MAAM,QAAQ,WAAW;CACrD,IAAI,WAAW;CACf,MAAM,wBAA8B;EACnC,gBAAgB;EAChB,gBAAgB,MAAM,QAAQ,MAAM,QAAQ,OAAO;;CAEpD,MAAM,UAAU,iBAAiB;EAChC,WAAW;EACX,gBAAgB,sBACf,IAAI,MAAM,GAAG,QAAQ,UAAU,mBAAmB,OAAO,QAAQ,UAAU,CAAC,IAAI,CAChF;IACC,QAAQ,UAAU;CACrB,IAAI,eACH,gBAAgB,MAAM,QAAQ,MAAM,QAAQ,OAAO;MAEnD,QAAQ,MAAM,QAAQ,iBAAiB,SAAS,iBAAiB,EAAE,MAAM,MAAM,CAAC;CAEjF,IAAI;EACH,OAAO,MAAM,QAAQ,UAAU,QAAQ,OAAO;GAC7C,GAAG,QAAQ;GACX,QAAQ,gBAAgB;GACxB,CAAC;UACM,OAAO;EACf,IAAI,eACH,MAAM;EAEP,MAAM,IAAI,sCAAsC;GAC/C,OAAO;GACP,MAAM,WAAW,+BAA+B;GAChD,WAAW,QAAQ;GACnB,CAAC;WACO;EACT,aAAa,QAAQ;EACrB,QAAQ,MAAM,QAAQ,oBAAoB,SAAS,gBAAgB;;;AAIrE,eAAsB,0BACrB,SACoB;CACpB,MAAM,SAAS,QAAQ,UAAU,0BAA0B,QAAQ;CACnE,MAAM,YAAY,QAAQ,aAAa;CACvC,IAAI;CACJ,KAAK,IAAI,UAAU,GAAG,WAAW,OAAO,aAAa,WAAW,GAC/D,IAAI;EAEH,MAAM,WAAW,MAAM,iBAAiB;GACvC;GACA,MAAM,QAAQ;GACd,OAAO,QAAQ;GACf,WAAW,QAAQ;GACnB,WAAW,OAAO;GAClB,CAAC;EACF,IAAI,UAAU,OAAO,eAAe,oBAAoB,UAAU,OAAO,EAAE;GAE1E,MAAM,4BAA4B,SAAS;GAC3C,IAAI,OAAO,mBAAmB,GAE7B,MAAM,MAAM,OAAO,kBAAkB,QAAQ,MAAM,UAAU,KAAA,EAAU;GAExE;;EAED,OAAO;UACC,OAAO;EACf,IAAI,EAAE,iBAAiB,wCACtB,MAAM;EAEP,qBAAqB;EACrB,IAAI,EAAE,OAAO,gBAAgB,UAAU,OAAO,cAC7C,MAAM;EAEP,IAAI,OAAO,mBAAmB,GAE7B,MAAM,MAAM,OAAO,kBAAkB,QAAQ,MAAM,UAAU,KAAA,EAAU;;CAI1E,MAAM,sCAAsB,IAAI,MAAM,GAAG,QAAQ,UAAU,4BAA4B;;AAGxF,MAAa,4BAA4B;CACxC,qBAAqB;EACpB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,EAAE;EACjB,WAAW;EACX;CACD,wBAAwB;EACvB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,EAAE;EACjB,WAAW;EACX;CACD,2BAA2B;EAC1B,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe;GAAC;GAAK;GAAK;GAAI;EAC9B,WAAW;EACX;CACD,iBAAiB;EAChB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,EAAE;EACjB,WAAW;EACX;CACD,gBAAgB;EACf,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,EAAE;EACjB,WAAW;EACX;CACD,aAAa;EACZ,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,CAAC,KAAK,IAAI;EACzB,WAAW;EACX;CACD,cAAc;EACb,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,CAAC,KAAK,IAAI;EACzB,WAAW;EACX;CACD,cAAc;EACb,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,CAAC,KAAK,IAAI;EACzB,WAAW;EACX;CACD,eAAe;EACd,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe;GAAC;GAAK;GAAK;GAAI;EAC9B,WAAW;EACX;CACD,iBAAiB;EAChB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,CAAC,KAAK,IAAI;EACzB,WAAW;EACX;CACD,mBAAmB;EAClB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe;GAAC;GAAK;GAAK;GAAI;EAC9B,WAAW;EACX;CACD,mBAAmB;EAClB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe;GAAC;GAAK;GAAK;GAAI;EAC9B,WAAW;EACX;CACD,iBAAiB;EAChB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,CAAC,KAAK,IAAI;EACzB,WAAW;EACX;CACD,wBAAwB;EACvB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,EAAE;EACjB,WAAW;EACX;CACD,uBAAuB;EACtB,aAAa;EACb,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd,eAAe,EAAE;EACjB,WAAW;EACX;CACD;;;AC1WD,MAAa,0BAA0B;CACtC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AAID,MAAa,2BAA2B;CAAC;CAAM;CAAU;CAAW;CAAQ;AAgB5E,MAAa,+BAA+B;CAC3C,gBAAgB;CAChB,gBAAgB;CAChB,WAAW;CACX,MAAM;CACN;AAgGD,MAAa,uBAAuB;CAAC;CAAW;CAAM;CAAS;CAAS;AAIxE,MAAa,uBAAuB;CACnC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AAmCD,SAAS,SAAS,OAAkD;CACnE,OAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,MAAM;;AAG5E,SAAS,QACR,QACA,OAC2B;CAC3B,OAAO,OAAO,UAAU,YAAY,OAAO,SAAS,MAAM;;AAG3D,SAAS,0BAA0B,OAAiC;CACnE,OAAO,OAAO,UAAU,YAAY,OAAO,SAAS,MAAM,IAAI,SAAS;;AAGxE,SAAS,mBAAmB,QAA0C;CACrE,OACC,0BAA0B,OAAO,aAAa,IAC9C,QAAQ,0BAA0B,OAAO,OAAO,IAChD,OAAO,OAAO,WAAW,YACzB,OAAO,OAAO,SAAS;;AAIzB,SAAS,eAAe,OAAyB;CAChD,OAAO,UAAU,KAAA,KAAa,OAAO,UAAU;;AAGhD,SAAS,mBAAmB,OAAyB;CACpD,OAAO,UAAU,KAAA,KAAa,OAAO,UAAU,MAAM;;AAGtD,SAAS,2BAA2B,OAAyB;CAC5D,OAAO,UAAU,KAAA,KAAc,OAAO,UAAU,MAAM,IAAI,OAAO,MAAM,IAAI;;AAG5E,SAAS,qBAAqB,OAAiC;CAC9D,OAAO,OAAO,UAAU,MAAM,IAAI,OAAO,MAAM,IAAI;;AAGpD,SAAS,kBAAkB,OAAiC;CAC3D,OAAO,OAAO,UAAU,MAAM,IAAI,OAAO,MAAM,GAAG;;AAGnD,SAAgB,qBAAqB,OAA6C;CACjF,IAAI,CAAC,SAAS,MAAM,IAAI,CAAC,mBAAmB,MAAM,EACjD,OAAO;CAER,QAAQ,MAAM,MAAd;EACC,KAAK,0BACJ,OACC,OAAO,MAAM,SAAS,YACtB,MAAM,KAAK,SAAS,KACpB,OAAO,UAAU,MAAM,KAAK,IAC5B,mBAAmB,MAAM,WAAW;EAEtC,KAAK,wBACJ,OACC,MAAM,mBAAmB,6BAA6B,kBACtD,MAAM,mBAAmB,6BAA6B,kBACtD,0BAA0B,MAAM,UAAU,IAC1C,MAAM,cAAc,6BAA6B,aACjD,MAAM,SAAS,6BAA6B;EAE9C,KAAK,sBACJ,OACC,OAAO,UAAU,MAAM,QAAQ,IAC/B,0BAA0B,MAAM,UAAU,IAC1C,eAAe,MAAM,UAAU,IAC/B,OAAO,UAAU,MAAM,YAAY,IACnC,QAAQ,yCAAyC,MAAM,UAAU,IACjE,mBAAmB,MAAM,WAAW;EAEtC,KAAK,eACJ,OACC,OAAO,MAAM,YAAY,YACzB,0BAA0B,MAAM,UAAU,IAC1C,eAAe,MAAM,UAAU,IAC/B,OAAO,MAAM,YAAY;EAE3B,KAAK,mBACJ,OACC,OAAO,MAAM,YAAY,YACzB,0BAA0B,MAAM,UAAU,IAC1C,eAAe,MAAM,UAAU,IAC/B,OAAO,MAAM,YAAY,YACzB,OAAO,MAAM,UAAU;EAEzB,KAAK,eACJ,OACC,OAAO,MAAM,YAAY,YACzB,0BAA0B,MAAM,UAAU,IAC1C,eAAe,MAAM,UAAU,IAC/B,OAAO,MAAM,YAAY,YACzB,QAAQ;GAAC;GAAW;GAAe;GAAY;GAAQ,EAAW,MAAM,UAAU;EAEpF,KAAK,yBACJ,OACC,QAAQ,mBAAmB,MAAM,eAAe,IAChD,QAAQ;GAAC;GAAY;GAAS;GAAY;GAAS,EAAW,MAAM,MAAM;EAE5E,KAAK;GACJ,IACC,MAAM,WAAW,wBACjB,CAAC,qBAAqB,MAAM,oBAAoB,IAChD,CAAC,kBAAkB,MAAM,WAAW,IACpC,CAAC,0BAA0B,MAAM,UAAU,IAC3C,CAAC,QACA,CAAC,kCAAkC,4BAA4B,EAC/D,MAAM,OACN,EAED,OAAO;GAER,IAAI,MAAM,WAAW,MACpB,OACC,qBAAqB,MAAM,yBAAyB,IACpD,OAAO,MAAM,gBAAgB,YAC7B,qBAAqB,MAAM,WAAW,IACtC,OAAO,MAAM,YAAY,YACzB,OAAO,MAAM,gBAAgB,YAC7B,qBAAqB,MAAM,WAAW,IACtC,OAAO,MAAM,YAAY,YACzB,MAAM,cAAc,KAAA;GAGtB,IAAI,MAAM,WAAW,UACpB,OACC,OAAO,MAAM,cAAc,YAC3B,MAAM,UAAU,SAAS,KACzB,2BAA2B,MAAM,yBAAyB,IAC1D,eAAe,MAAM,YAAY,IACjC,2BAA2B,MAAM,WAAW,IAC5C,eAAe,MAAM,QAAQ,IAC7B,MAAM,gBAAgB,KAAA,KACtB,MAAM,eAAe,KAAA,KACrB,MAAM,YAAY,KAAA;GAGpB,OAAO;EACR,KAAK,8BACJ,OACC,MAAM,WAAW,wBACjB,qBAAqB,MAAM,4BAA4B,IACvD,qBAAqB,MAAM,oBAAoB,IAC/C,kBAAkB,MAAM,WAAW,IACnC,MAAM,cAAc,2BACpB,kBAAkB,MAAM,sBAAsB,IAC9C,QACC,CAAC,kCAAkC,4BAA4B,EAC/D,MAAM,OACN,IACD,MAAM,WAAW;EAEnB,SACC,OAAO;;;AAIV,SAAgB,qBAAqB,OAAmC;CACvE,QAAQ,MAAM,MAAd;EACC,KAAK,wBACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM;EACjC,KAAK,0BACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM,KAAK,GAAG,MAAM;EAC7D,KAAK,sBACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM;EAC/C,KAAK,mBACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM,QAAQ,GAAG,MAAM;EAChE,KAAK,eACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM;EAC/C,KAAK,eACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM,QAAQ,GAAG,MAAM;EAChE,KAAK,yBACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM;EAC/C,KAAK,oBACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM;EAC/C,KAAK,8BACJ,OAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,MAAM;;CAEhD,OAAO,uBAAuB,MAAM;;AAGrC,SAAS,wBAAwB,OAAgD;CAChF,QAAQ,MAAM,MAAd;EACC,KAAK,0BACJ,OAAO;EACR,KAAK,wBACJ,OAAO;EACR,KAAK,sBACJ,OAAO;EACR,KAAK,mBACJ,OAAO;EACR,KAAK,eACJ,OAAO;EACR,KAAK,eACJ,OAAO;EACR,KAAK,yBACJ,OAAO;EACR,KAAK,oBACJ,OAAO;EACR,KAAK,8BACJ,OAAO;;CAET,OAAO,uBAAuB,MAAM;;AAGrC,SAAS,uBAAuB,OAAqB;CACpD,MAAM,IAAI,MAAM,gCAAgC,KAAK,UAAU,MAAM,GAAG;;AAGzE,SAAS,cACR,OACA,SAC8B;CAC9B,IAAI,QAAQ,QAAQ,MAAM,eAAe,QAAQ,cAChD,OAAO;EACN,MAAM;EACN,aAAa;EACb,SAAS,GAAG,MAAM,KAAK;EACvB,SAAS,MAAM;EACf;CAEF,IAAI,MAAM,WAAW,YAAY,MAAM,WAAW,aAAa,MAAM,WAAW,SAC/E,OAAO;EACN,MAAM,wBAAwB,MAAM;EACpC,aAAa;EACb,SAAS,GAAG,MAAM,KAAK,yBAAyB,MAAM;EACtD,SAAS,MAAM;EACf;;AAKH,SAAgB,yBACf,QACA,SACqB;CACrB,MAAM,8BAAc,IAAI,KAAiC;CACzD,KAAK,MAAM,SAAS,QAAQ;EAC3B,IAAI,MAAM,WAAW,QAAQ,QAC5B;EAED,MAAM,MAAM,qBAAqB,MAAM;EACvC,MAAM,WAAW,YAAY,IAAI,IAAI;EACrC,IAAI,CAAC,YAAY,SAAS,gBAAgB,MAAM,cAC/C,YAAY,IAAI,KAAK,MAAM;;CAG7B,MAAM,eAAe,CAAC,GAAG,YAAY,QAAQ,CAAC,CAAC,UAC7C,OAAO,WAAW,OAAO,eAAe,MAAM,aAC/C;CACD,IAAI,aAAa,WAAW,GAC3B,OAAO;EAAE,MAAM;EAAW,QAAQ;EAAa,QAAQ,QAAQ;EAAQ;CAExE,MAAM,SAAS,aACb,KAAK,UAAU,cAAc,OAAO,QAAQ,CAAC,CAC7C,QAAQ,UAAoC,UAAU,KAAA,EAAU;CAClE,IAAI,OAAO,WAAW,GACrB,OAAO;EAAE,MAAM;EAAM;EAAc,QAAQ,QAAQ;EAAQ;CAE5D,IAAI,OAAO,MAAM,UAAU,MAAM,SAAS,qBAAqB,EAC9D,OAAO;EAAE;EAAQ,MAAM;EAAS;EAAc,QAAQ,QAAQ;EAAQ;CAEvE,OAAO;EAAE;EAAQ,MAAM;EAAU;EAAc,QAAQ,QAAQ;EAAQ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AChaxE,MAAa,iCACZ;AAED,MAAM,sCAAsC,+BAA+B,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BxF,SAAgB,mBAAmB,WAAuC;CACzE,MAAM,UAAU,WAAW,MAAM,IAAI;CACrC,IAAI,YAAY,IACf,OAAO;CAER,MAAM,YAAY,QAChB,MAAM,OAAO,CACb,QAAQ,SAAS,CAAC,oCAAoC,SAAS,KAAK,CAAC;CACvE,IAAI,UAAU,WAAW,GACxB,OAAO;CAER,OAAO,GAAG,+BAA+B,GAAG,UAAU,KAAK,IAAI;;;;ACzDhE,SAAgB,gCACf,eACA,iBACA,SAC6B;CAC7B,MAAM,qBAA6C,EAAE;CACrD,MAAM,kBAAsD,EAAE;CAC9D,MAAM,YAAY,QAAQ,aAAa;CAEvC,KAAK,MAAM,CAAC,YAAY,gBAAgB,OAAO,QAAQ,gBAAgB,EAAE;EACxE,MAAM,eAAe,cAAc;EACnC,IAAI,CAAC,cACJ,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,mDACrC;EAEF,IAAI,CAAC,gBAAgB,aAAa,UAAU,QAAQ,SAAS,EAC5D;EAGD,IAAI,aAAa,cAAc,kBAAkB;GAChD,IAAI,aAAa,MAAM,WAAW,GACjC,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,8CACrC;GAEF,gBAAgB,cAAc;IAC7B,OAAO,CAAC,GAAG,aAAa,MAAM;IAC9B,OAAO;IACP;GACD;;EAGD,MAAM,oBAAqB,aAA+C;EAC1E,IAAI,sBAAsB,WACzB,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,kDAAkD,kBAAkB,IACzG;EAEF,IAAI,QAAQ,aAAa,WACxB,mBAAmB,cAAc;;CAInC,OAAO;EAAE;EAAoB;EAAiB;;AAK/C,SAAgB,4BACf,MACA,iBACoC;CACpC,OAAO,gCAAgC,KAAK,SAAS,iBAAiB;EACrE,UAAU;EACV,WAAW;EACX,CAAC;;AAGH,SAAS,+BACR,YACA,QACA,aACA,aACA,WACO;CACP,IAAI,YAAY,IAAI,WAAW,EAC9B,MAAM,IAAI,MACT,IAAI,UAAU,4BAA4B,WAAW,kEACrD;CAEF,IAAI,cAAc,YAAY,oBAC7B,MAAM,IAAI,MACT,IAAI,UAAU,oBAAoB,OAAO,WAAW,WAAW,mDAC/D;CAEF,IAAI,cAAc,YAAY,iBAC7B,MAAM,IAAI,MACT,IAAI,UAAU,oBAAoB,OAAO,WAAW,WAAW,sDAC/D;CAEF,YAAY,IAAI,WAAW;;AAG5B,SAAgB,2BACf,aACA,UAA6C,EAAE,EAClB;CAC7B,MAAM,YAAY,QAAQ,aAAa;CACvC,MAAM,8BAAc,IAAI,KAAa;CACrC,KAAK,MAAM,cAAc,OAAO,KAAK,QAAQ,sBAAsB,EAAE,CAAC,EACrE,+BAA+B,YAAY,eAAe,aAAa,aAAa,UAAU;CAE/F,KAAK,MAAM,cAAc,OAAO,KAAK,QAAQ,0BAA0B,EAAE,CAAC,EACzE,+BACC,YACA,kBACA,aACA,aACA,UACA;CAGF,OAAO;EACN,oBAAoB;GACnB,GAAG,YAAY;GACf,GAAG,QAAQ;GACX;EACD,iBAAiB;GAChB,GAAG,YAAY;GACf,GAAG,QAAQ;GACX;EACD;;;;AC9BF,MAAM,gCAAgC,MAAU,KAAK;AAErD,SAAS,cAAc,QAIZ;CACV,IAAI,OAAO,eAAe,GACzB,OAAO,OAAO;CAEf,MAAM,WAAW,OAAO,UAAU,OAAO;CAEzC,MAAM,aADQ,OAAO,UAAU,WACJ,OAAO,QAAQ,GAAG,WAAW;CACxD,OAAO,KAAK,IAAI,GAAG,KAAK,MAAM,WAAW,CAAC;;AAG3C,SAAgB,0BAAkC;CACjD,OAAOA,IAAQ;;AAGhB,SAAgB,oBAAoB,OAAwB;CAC3D,OAAOC,SAAa,MAAM,IAAIC,QAAY,MAAM,KAAK;;AAGtD,eAAsB,4BACrB,SACiC;CACjC,MAAM,QAAQ,yBAAyB;CACvC,MAAM,aAAa,MAAM,QAAQ,eAAe;EAC/C,GAAI,QAAQ,cAAc,EAAE,aAAa,QAAQ,aAAa,GAAG,EAAE;EACnE;EACA,CAAC;CACF,MAAM,iBAAiB,QAAQ,kBAAkB;CACjD,MAAM,mBAAmB,QAAQ,oBAAoB;CACrD,MAAM,MAAM,QAAQ,WAAW,KAAK;CACpC,MAAM,YAAY,KAAK;CACvB,MAAM,yBAAyB,QAAQ,0BAA0B;CACjE,MAAM,uBAAuB,QAAQ,wBAAwB;CAC7D,MAAM,SAAS,QAAQ,cAAc,KAAK;CAC1C,MAAM,2BAA2B,IAAI,iBAAiB;CACtD,IAAI,QAAQ;CACZ,IAAI;CACJ,IAAI;CAEJ,MAAM,4BAAkC;EACvC,IAAI,gBAAgB;GACnB,iBAAiB,eAAe;GAChC,iBAAiB,KAAA;;;CAInB,MAAM,qBAAqB,YAA0B;EACpD,IAAI,KAAK,GAAG,aAAa,wBACxB;EAED,qBAAqB;EACrB,iBAAiB,qBACV;GACL,IAAI,KAAK,GAAG,aAAa,wBACxB;GAED,MAAM,mBACL,iBAAiB,KAAA,IAAY,EAAE,GAAG,EAAE,QAAQ,cAAc;GAC3D,QACE,mBAAmB,WAAW,OAAO,iBAAiB,CACtD,MAAM,cAAc;IACpB,IAAI,CAAC,OACJ,kBAAkB,UAAU,iBAAiB;KAE7C,CACD,OAAO,UAAmB;IAC1B,QAAQ,sBAAsB,MAAM;IACpC,IACC,QAAQ,8BAA8B,MAAM,KAAK,QACjD,QAAQ,+BACP;KACD,yBAAyB,MAAM,MAAM;KACrC,QAAQ;KACR,qBAAqB;KACrB,QAAa,8BAA8B,MAAM,CAAC,OAAO,eAAwB;MAChF,QAAQ,sBAAsB,WAAW;OACxC;KACF;;IAED,IAAI,CAAC,OACJ,kBAAkB,WAAW,iBAAiB;KAE9C;KAEJ,cAAc;GAAE;GAAS,aAAa;GAAsB;GAAQ,CAAC,CACrE;;CAGF,kBAAkB,WAAW,iBAAiB;CAE9C,MAAM,MAAM,OAAO,UAAkC,gBAA+B;EACnF,IAAI,OACH;EAED,QAAQ;EACR,qBAAqB;EACrB,IAAI;GACH,MAAM,QAAQ,aAAa,WAAW,OAAO;IAC5C;IACA,GAAI,iBAAiB,KAAA,IAAY,EAAE,GAAG,EAAE,QAAQ,cAAc;IAC9D,CAAC;WACM,OAAO;GACf,IAAI,QAAQ,sBAAsB,MAAM,KAAK,MAAM;IAClD,QAAQ,gBAAgB,MAAM;IAC9B;;GAED,MAAM;;;CAIR,OAAO;EACN,QAAQ,yBAAyB;EACjC,OAAO,WAAW;EAClB,SAAS;EACT;EACA,SAAS,WAAiB;GACzB,IAAI,OACH;GAED,eAAe;;EAEhB;;;;ACvOF,MAAa,+BAA+B;AAC5C,MAAa,6BAA6B;AAC1C,MAAa,yBAAyB;AACtC,MAAa,mCAAmC,GAAG,uBAAuB;AA2H1E,MAAM,yBAAyB;CAC9B;CACA;CACA;CACA;AAED,SAAS,4BAA4B,WAA4B;CAChE,OAAO,UAAU,MAAM,OAAO,CAAC,SAAS,KAAK;;AAG9C,SAAS,sBAAsB,WAA2B;CAEzD,OAAO,IADa,UAAU,MAAM,IAAI,CAAC,QAAQ,YAAY,YAAY,MAAM,YAAY,IACrE,CAAC,KAAK,IAAI;;AAGjC,SAAS,cAAc,UAA0B;CAChD,MAAM,iBAAiB,sBAAsB,SAAS;CACtD,OAAO,mBAAmB,MAAM,iBAAiB,eAAe,QAAQ,SAAS,GAAG;;AAGrF,SAAS,gBAAgB,eAAuB,UAA2B;CAC1E,OAAO,kBAAkB,YAAY,cAAc,WAAW,GAAG,SAAS,GAAG;;AAG9E,SAAS,oBAAoB,eAAuB,UAA0B;CAC7E,OAAO,kBAAkB,WAAW,KAAK,cAAc,MAAM,SAAS,SAAS,EAAE;;AAGlF,SAAS,oBAAoB,UAAkB,cAA8B;CAC5E,OAAO,iBAAiB,KAAK,WAAW,GAAG,SAAS,GAAG;;AAGxD,SAAS,qBAAqB,UAA2B;CACxD,OACC,SAAS,MAAM,KAAK,MAAM,CAAC,SAAS,WAAW,IAAI,IAAI,4BAA4B,SAAS;;AAI9F,SAAS,8BACR,MACA,WACU;CACV,IAAI,KAAK,iBAAiB,eAAe,KAAA,GACxC,OAAO,KAAK,eAAe;CAE5B,OAAO,cAAc;;AAGtB,SAAS,2BACR,SACA,SACoB;CACpB,OAAO,QAAQ,MAAM,SAAS,SAAS;EACtC,IAAI,CAAC,KAAK,aAAa,UACtB,OAAO,EAAE;EAEV,MAAM,SAAS,KAAK,kBAAkB,eAAe;EACrD,OAAO,uBAAuB,SAAS,cAAwB;GAC9D,MAAM,WAAW,KAAK,UAAU;GAChC,IAAI,aAAa,KAAA,KAAa,CAAC,8BAA8B,MAAM,UAAU,EAC5E,OAAO,EAAE;GAEV,OAAO,CAAC,GAAG,cAAc,SAAS,GAAG,SAAS;IAC7C;GACD;;AAGH,SAAS,wBAAwB,SAA6B,SAAqC;CAClG,OAAO,yCAAyC,QAAQ,GAAG,GAAG,QAAQ,IAAI,2BAA2B,SAAS,QAAQ,CAAC,KAAK,KAAK,CAAC;;AAGnI,SAAS,YAAY,QAMU;CAC9B,OAAO;EACN,OAAO;GACN,kBAAkB,2BAA2B,OAAO,SAAS,OAAO,QAAQ;GAC5E,MAAM,OAAO;GACb,WAAW,OAAO;GAClB,WAAW,OAAO,QAAQ;GAC1B,SAAS,OAAO;GAChB,SAAS,OAAO;GAChB,eAAe,wBAAwB,OAAO,SAAS,OAAO,QAAQ;GACtE;EACD,IAAI;EACJ;;AAGF,SAAS,kBAAkB,QAIU;CAgBpC,OAfgB,OAAO,QAAQ,MAAM,SAAS,SAC7C,uBAAuB,SAAS,mBAAmB;EAClD,MAAM,WAAW,KAAK,UAAU;EAChC,IAAI,aAAa,KAAA,GAChB,OAAO,EAAE;EAEV,IAAI,OAAO,oBAAoB,KAAA,KAAa,mBAAmB,OAAO,iBACrE,OAAO,EAAE;EAEV,MAAM,iBAAiB,cAAc,SAAS;EAC9C,OAAO,gBAAgB,OAAO,WAAW,eAAe,GACrD,CAAC;GAAE;GAAgB,aAAa;GAAgB;GAAM,CAAC,GACvD,EAAE;GACJ,CAEW,CAAC,UAAU,MAAM,UAAU,MAAM,YAAY,SAAS,KAAK,YAAY,OAAO,CAAC;;AAG9F,SAAS,gBACR,SACqE;CACrE,KAAK,MAAM,QAAQ,QAAQ,OAC1B,KAAK,MAAM,aAAa,wBAAwB;EAC/C,MAAM,WAAW,KAAK,UAAU;EAChC,IAAI,aAAa,KAAA,KAAa,qBAAqB,SAAS,EAC3D,OAAO;GAAE,QAAQ,KAAK;GAAI;GAAU;;;AAOxC,SAAgB,qBAAqB,OAA8D;CAClG,IAAI,CAAC,MAAM,UAAU,WAAW,IAAI,EACnC,OAAO,YAAY;EAClB,MAAM;EACN,WAAW,MAAM;EACjB,SAAS,MAAM;EACf,SAAS,SAAS,MAAM,UAAU;EAClC,SAAS,MAAM;EACf,CAAC;CAIH,IAAI,4BAA4B,MAAM,UAAU,EAC/C,OAAO,YAAY;EAClB,MAAM;EACN,WAAW,MAAM;EACjB,SAAS,MAAM;EACf,SAAS,SAAS,MAAM,UAAU;EAClC,SAAS,MAAM;EACf,CAAC;CAEH,MAAM,cAAc,gBAAgB,MAAM,QAAQ;CAClD,IAAI,gBAAgB,KAAA,GACnB,OAAO,YAAY;EAClB,MAAM;EACN,WAAW,MAAM;EACjB,SAAS,MAAM;EACf,SAAS,sBAAsB,YAAY,OAAO,sBAAsB,YAAY,SAAS;EAC7F,SAAS,MAAM;EACf,CAAC;CAEH,MAAM,sBAAsB,sBAAsB,MAAM,UAAU;CAClE,MAAM,QAAQ,kBAAkB;EAC/B,WAAW;EACX,SAAS,MAAM;EACf,GAAI,MAAM,oBAAoB,KAAA,IAAY,EAAE,GAAG,EAAE,iBAAiB,MAAM,iBAAiB;EACzF,CAAC;CACF,IAAI,UAAU,KAAA,GACb,OAAO,YAAY;EAClB,MAAM;EACN,WAAW;EACX,SAAS,MAAM;EACf,SAAS,SAAS,oBAAoB,yCAAyC,MAAM,QAAQ,GAAG;EAChG,SAAS,MAAM;EACf,CAAC;CAEH,MAAM,eAAe,oBAAoB,qBAAqB,MAAM,YAAY;CAChF,IAAI,iBAAiB,MAAM,CAAC,MAAM,KAAK,iBACtC,OAAO,YAAY;EAClB,MAAM;EACN,WAAW;EACX,SAAS,MAAM;EACf,SAAS,SAAS,oBAAoB,YAAY,MAAM,KAAK,cAAc,2CAA2C,MAAM,QAAQ;EACpI,SAAS,MAAM;EACf,CAAC;CAEH,IAAI,CAAC,MAAM,KAAK,aAAa,MAAM,UAClC,OAAO,YAAY;EAClB,MAAM;EACN,WAAW;EACX,SAAS,MAAM;EACf,SAAS,SAAS,oBAAoB,YAAY,MAAM,KAAK,cAAc,0BAA0B,MAAM,QAAQ;EACnH,SAAS,MAAM;EACf,CAAC;CAEH,MAAM,aAAa,MAAM,KAAK,UAAU,MAAM;CAC9C,IAAI,eAAe,KAAA,GAClB,OAAO,YAAY;EAClB,MAAM;EACN,WAAW;EACX,SAAS,MAAM;EACf,SAAS,SAAS,oBAAoB,YAAY,MAAM,KAAK,cAAc,SAAS,MAAM,gBAAgB;EAC1G,SAAS,MAAM;EACf,CAAC;CAEH,MAAM,uBAAuB,cAAc,WAAW;CACtD,OAAO;EACN,IAAI;EACJ,OAAO;GACN,SAAS,MAAM,KAAK;GACpB,cAAc,MAAM,KAAK;GACzB,gBAAgB,MAAM;GACtB,WAAW;GACX,WAAW,MAAM,QAAQ;GACzB,iBAAiB,MAAM;GACvB,YAAY,oBAAoB,sBAAsB,aAAa;GACnE;GACA,QAAQ,MAAM,KAAK;GACnB;EACD;;;;AChVF,SAAgB,sBAAqC;CACpD,OAAO,mBAAmBC,IAAQ,CAAC;;AAGpC,SAAgB,gBAAgB,OAAwC;CACvE,OAAO,OAAO,UAAU,YAAYC,SAAa,MAAM,IAAIC,QAAY,MAAM,KAAK;;AAGnF,SAAgB,mBAAmB,OAA+B;CACjE,IAAI,gBAAgB,MAAM,EACzB,OAAO;CAER,MAAM,IAAI,UAAU,oDAAoD;;;;ACpBzE,MAAM,8BAA8B,IAAI,IAAI;CAAC;CAAQ;CAAQ;CAAO,CAAC;AA8BrE,SAASC,cAAY,OAAoC;CACxD,OAAO,OAAO,UAAU,YAAY,UAAU,OAAO,QAAQ,KAAA;;AAG9D,SAAS,iBAAiB,OAAiC;CAC1D,OAAO,OAAO,UAAU,YAAY,MAAM,MAAM,CAAC,SAAS;;AAG3D,SAAgB,oBACf,OACA,WACyC;CACzC,MAAM,SAASA,cAAY,MAAM;CACjC,OACC,WAAW,KAAA,KACX,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,QAAQ,IAAI,QAAQ,YAAY,KAAK;;AAIvC,SAAgB,gBAAgB,OAAwC;CACvE,MAAM,SAASA,cAAY,MAAM;CACjC,OACC,WAAW,KAAA,KACX,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,iBAAiB,QAAQ,IAAI,QAAQ,cAAc,CAAC,IACpD,OAAO,QAAQ,IAAI,QAAQ,iBAAiB,KAAK,YACjD,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK;;AAIzC,SAAgB,sBAAsB,OAA8C;CACnF,MAAM,SAASA,cAAY,MAAM;CACjC,IAAI,WAAW,KAAA,GACd,OAAO;CAER,KAAK,MAAM,OAAO,OAAO,KAAK,OAAO,EACpC,IAAI,CAAC,4BAA4B,IAAI,IAAI,EACxC,OAAO;CAGT,OACC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK;;;;AC5CzC,SAAS,YAAY,OAAoC;CACxD,OAAO,OAAO,UAAU,YAAY,UAAU,OAAO,QAAQ,KAAA;;AAG9D,MAAM,iCAAiC,CAAC,SAAS,MAAM,CAAC,KAAK,GAAG;AAEhE,SAAgB,iBAAiB,OAAyC;CACzE,MAAM,SAAS,YAAY,MAAM;CACjC,OACC,oBAAoB,QAAQ,cAAc,IAC1C,gBAAgB,QAAQ,IAAI,QAAQ,UAAU,CAAC,IAC/C,gBAAgB,QAAQ,IAAI,QAAQ,MAAM,CAAC,IAC3C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,CAAC,QAAQ,IAAI,QAAQ,+BAA+B;;AAItD,SAAgB,kBAAkB,OAA0C;CAC3E,MAAM,SAAS,YAAY,MAAM;CACjC,OACC,oBAAoB,QAAQ,cAAc,IAC1C,gBAAgB,QAAQ,IAAI,QAAQ,UAAU,CAAC,IAC/C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,OAAO,QAAQ,IAAI,QAAQ,aAAa,KAAK,YAC7C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,sBAAsB,QAAQ,IAAI,QAAQ,MAAM,CAAC,IACjD,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,SAAS,KAAK,YACzC,CAAC,QAAQ,IAAI,QAAQ,+BAA+B"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@agent-vm/gateway-interface",
3
- "version": "0.0.90",
3
+ "version": "0.0.92",
4
4
  "description": "Shared TypeScript interfaces for VM gateway lifecycles, VmSpec, and ProcessSpec.",
5
5
  "homepage": "https://github.com/ShravanSunder/agent-vm#readme",
6
6
  "bugs": {
@@ -30,8 +30,8 @@
30
30
  },
31
31
  "dependencies": {
32
32
  "uuid": "^11.1.1",
33
- "@agent-vm/secret-management": "0.0.90",
34
- "@agent-vm/gondolin-adapter": "0.0.90"
33
+ "@agent-vm/gondolin-adapter": "0.0.92",
34
+ "@agent-vm/secret-management": "0.0.92"
35
35
  },
36
36
  "scripts": {
37
37
  "build": "tsdown",