@agentpress/sdk 0.4.15 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/index.cjs +56 -0
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +152 -1
  4. package/dist/index.d.cts.map +1 -1
  5. package/dist/index.d.mts +152 -1
  6. package/dist/index.d.mts.map +1 -1
  7. package/dist/index.mjs +55 -1
  8. package/dist/index.mjs.map +1 -1
  9. package/package.json +3 -2
package/dist/index.cjs CHANGED
@@ -619,6 +619,17 @@ var WebhooksClient = class {
619
619
  * Send an arbitrary webhook payload to AgentPress.
620
620
  * Signs the payload with HMAC-SHA256 (Svix-compatible).
621
621
  *
622
+ * On the happy path the response is synchronous: `{ success: true,
623
+ * actionId, data }`, or `{ success, actionId, alreadyExists: true, data }`
624
+ * when an action with the same `externalId` already existed (idempotency).
625
+ *
626
+ * Configuration/resolution failures (no action rule configured, rule
627
+ * disabled, user unresolved, action insert failure) do NOT throw — the
628
+ * event is buffered durably and AgentPress responds **202** with
629
+ * `{ success: true, buffered: true, eventId, reason }`. The event
630
+ * auto-processes once an operator fixes the configuration, so check
631
+ * {@link WebhookResponse.buffered} before relying on `actionId`.
632
+ *
622
633
  * @throws ConfigurationError if webhookSecret is not configured
623
634
  * @throws HttpError on non-2xx response
624
635
  * @throws TimeoutError if request exceeds timeout
@@ -782,6 +793,49 @@ const ACTION_EVENT_TYPES = [
782
793
  "action.expired"
783
794
  ];
784
795
  //#endregion
796
+ //#region src/webhooks/ingestSigning.ts
797
+ /**
798
+ * Sign an outbound request for an AgentPress inbound webhook listener that
799
+ * uses the `hmac_sha256` verification scheme
800
+ * (`POST /webhooks/ingest/:org/:identifier`).
801
+ *
802
+ * Produces the two headers AgentPress verifies:
803
+ *
804
+ * - `x-webhook-timestamp` — unix seconds; AgentPress rejects timestamps more
805
+ * than 5 minutes from its own clock.
806
+ * - `x-webhook-signature` — `v1=<hex HMAC-SHA256 of "${timestamp}.${rawBody}">`.
807
+ *
808
+ * Send the exact `rawBody` string you signed — any re-serialization after
809
+ * signing (re-ordered keys, whitespace changes) invalidates the signature.
810
+ *
811
+ * @example
812
+ * ```ts
813
+ * const rawBody = JSON.stringify({ eventType: "review.created", data: {...} });
814
+ * const { headers } = signHmacWebhookRequest({ secret, rawBody });
815
+ * await fetch(ingestUrl, {
816
+ * method: "POST",
817
+ * body: rawBody,
818
+ * headers: { "content-type": "application/json", ...headers },
819
+ * });
820
+ * ```
821
+ */
822
+ function signHmacWebhookRequest(params) {
823
+ const timestamp = Math.floor(params.timestamp ?? Date.now() / 1e3).toString();
824
+ return { headers: {
825
+ "x-webhook-timestamp": timestamp,
826
+ "x-webhook-signature": `v1=${(0, node_crypto.createHmac)("sha256", params.secret).update(`${timestamp}.${params.rawBody}`).digest("hex")}`
827
+ } };
828
+ }
829
+ /**
830
+ * Build the auth header for an AgentPress inbound webhook listener that uses
831
+ * the `shared_token` verification scheme. AgentPress also accepts
832
+ * `Authorization: Bearer <token>`; this helper uses the dedicated
833
+ * `x-webhook-token` header so it never collides with other auth middleware.
834
+ */
835
+ function sharedTokenHeaders(token) {
836
+ return { "x-webhook-token": token };
837
+ }
838
+ //#endregion
785
839
  exports.ACTION_EVENT_TYPES = ACTION_EVENT_TYPES;
786
840
  exports.ActionsClient = ActionsClient;
787
841
  exports.AgentPress = AgentPress;
@@ -795,5 +849,7 @@ exports.TimeoutError = TimeoutError;
795
849
  exports.UserApprovalsClient = UserApprovalsClient;
796
850
  exports.WebhookSignatureError = WebhookSignatureError;
797
851
  exports.WebhooksClient = WebhooksClient;
852
+ exports.sharedTokenHeaders = sharedTokenHeaders;
853
+ exports.signHmacWebhookRequest = signHmacWebhookRequest;
798
854
 
799
855
  //# sourceMappingURL=index.cjs.map
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.cjs","names":["SIGNATURE_PREFIX","joseErrors","verifySig","verifyKeyRotationImpl"],"sources":["../src/errors.ts","../src/utils.ts","../src/webhooks/signing.ts","../src/actions/client.ts","../src/http.ts","../src/partners/client.ts","../src/userApprovals/client.ts","../src/webhooks/keyRotation.ts","../src/webhooks/client.ts","../src/client.ts","../src/types.ts"],"sourcesContent":["/**\n * Base error class for all SDK errors. Catch this to handle any error\n * thrown by the AgentPress SDK regardless of specific type.\n */\nexport class AgentPressError extends Error {\n constructor(message: string) {\n super(message);\n this.name = \"AgentPressError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/**\n * Thrown at construction time when `AgentPressOptions` contains invalid values\n * (e.g., non-positive timeout, malformed `webhookSecret`).\n */\nexport class ConfigurationError extends AgentPressError {\n constructor(message: string) {\n super(message);\n this.name = \"ConfigurationError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/**\n * Thrown when the API returns a non-2xx HTTP response.\n *\n * Properties:\n * - `statusCode` - HTTP status code (e.g., 401, 404, 500)\n * - `responseBody` - Raw response body text for debugging\n * - `url` - The full request URL that failed\n */\nexport class HttpError extends AgentPressError {\n public readonly statusCode: number;\n public readonly responseBody: string;\n public readonly url: string;\n\n constructor(statusCode: number, responseBody: string, url: string) {\n super(`HTTP ${statusCode} from ${url}`);\n this.name = \"HttpError\";\n this.statusCode = statusCode;\n this.responseBody = responseBody;\n this.url = url;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/** Thrown when a request exceeds the configured `timeout` (default 30s). */\nexport class TimeoutError extends AgentPressError {\n constructor(url: string, timeout: number) {\n super(`Request to ${url} timed out after ${timeout}ms`);\n this.name = \"TimeoutError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/** Thrown by {@link WebhooksClient.verifyOrThrow} when an inbound webhook signature is invalid or expired. */\nexport class WebhookSignatureError extends AgentPressError {\n constructor(message: string) {\n super(message);\n this.name = \"WebhookSignatureError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/** Reason codes for {@link PartnerTokenError}. Maps 1:1 to RFC 6750 `error_description` values. */\nexport type PartnerTokenErrorReason =\n | \"signature_invalid\"\n | \"issuer_mismatch\"\n | \"audience_mismatch\"\n | \"expired\"\n | \"not_yet_valid\"\n | \"missing_claim\"\n | \"ext_provider_mismatch\"\n | \"algorithm_not_allowed\"\n | \"kid_missing_or_unknown\"\n | \"malformed\";\n\n/**\n * Thrown by {@link PartnersClient.verifyToken} when a Partner MCP Spec v1 JWT\n * fails verification. Partners map `reason` to their RFC 6750 `WWW-Authenticate`\n * response (`401 invalid_token` for all reasons in this class).\n */\nexport class PartnerTokenError extends AgentPressError {\n public readonly reason: PartnerTokenErrorReason;\n\n constructor(reason: PartnerTokenErrorReason, message: string) {\n super(message);\n this.name = \"PartnerTokenError\";\n this.reason = reason;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/** Reason codes for {@link KeyRotationVerifyError}. */\nexport type KeyRotationVerifyErrorReason =\n | \"invalid_signature\"\n | \"invalid_signature_format\"\n | \"timestamp_out_of_window\"\n | \"invalid_timestamp\"\n | \"payload_too_large\"\n | \"malformed_payload\";\n\n/**\n * Thrown by {@link WebhooksClient.verifyKeyRotation} when a `signing_key_rotation`\n * webhook fails HMAC / timestamp / payload validation.\n */\nexport class KeyRotationVerifyError extends AgentPressError {\n public readonly reason: KeyRotationVerifyErrorReason;\n\n constructor(reason: KeyRotationVerifyErrorReason, message: string) {\n super(message);\n this.name = \"KeyRotationVerifyError\";\n this.reason = reason;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n","import { randomUUID } from \"node:crypto\";\n\nexport function randomMessageId(): string {\n return `msg_${randomUUID()}`;\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nconst SIGNATURE_PREFIX = \"v1,\";\nconst DEFAULT_TOLERANCE_SECONDS = 5 * 60; // 5 minutes\n\n/**\n * Sign a webhook payload using Svix-compatible HMAC-SHA256.\n *\n * @param secret - The webhook secret (with \"whsec_\" prefix)\n * @param msgId - Unique message ID (e.g., \"msg_<uuid>\")\n * @param timestamp - Unix timestamp in seconds\n * @param body - JSON stringified payload\n * @returns Signature string in format \"v1,<base64>\"\n */\nexport function sign(\n secret: string,\n msgId: string,\n timestamp: number,\n body: string,\n): string {\n const secretBytes = Buffer.from(secret.replace(/^whsec_/, \"\"), \"base64\");\n const message = `${msgId}.${timestamp}.${body}`;\n const signature = createHmac(\"sha256\", secretBytes)\n .update(message)\n .digest(\"base64\");\n return `${SIGNATURE_PREFIX}${signature}`;\n}\n\n/**\n * Verify a Svix webhook signature.\n *\n * @param secret - The webhook secret (with \"whsec_\" prefix)\n * @param payload - Raw request body (string or Buffer)\n * @param headers - Svix headers object\n * @param toleranceSeconds - Max age of signature in seconds (default: 5 min)\n * @returns true if valid, false if invalid or expired\n */\nexport function verify(\n secret: string,\n payload: string | Buffer,\n headers: {\n \"svix-id\": string;\n \"svix-timestamp\": string;\n \"svix-signature\": string;\n },\n toleranceSeconds: number = DEFAULT_TOLERANCE_SECONDS,\n): boolean {\n const msgId = headers[\"svix-id\"];\n const timestampStr = headers[\"svix-timestamp\"];\n const signatureHeader = headers[\"svix-signature\"];\n\n const timestamp = parseInt(timestampStr, 10);\n if (Number.isNaN(timestamp)) return false;\n\n const now = Math.floor(Date.now() / 1000);\n if (Math.abs(now - timestamp) > toleranceSeconds) return false;\n\n const body =\n typeof payload === \"string\" ? payload : payload.toString(\"utf-8\");\n const expected = sign(secret, msgId, timestamp, body);\n\n const signatures = signatureHeader.split(\" \");\n const expectedBuf = Buffer.from(expected);\n\n for (const sig of signatures) {\n const sigBuf = Buffer.from(sig);\n if (\n sigBuf.length === expectedBuf.length &&\n timingSafeEqual(sigBuf, expectedBuf)\n ) {\n return true;\n }\n }\n\n return false;\n}\n","import { ConfigurationError } from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n ActionManageResponse,\n ApproveActionParams,\n RejectActionParams,\n ResolvedOptions,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { sign } from \"../webhooks/signing\";\n\n/**\n * Client for programmatically approving or rejecting staged actions.\n * Uses HMAC-SHA256 signing (Svix-compatible), identical to {@link WebhooksClient}.\n *\n * @example\n * ```ts\n * const client = new AgentPress({ webhookSecret: \"whsec_...\", org: \"my-org\" });\n *\n * // Approve a staged action\n * await client.actions.approve(\"act_123\", {\n * action: \"my_webhook_action\",\n * });\n *\n * // Reject with a reason\n * await client.actions.reject(\"act_456\", {\n * action: \"my_webhook_action\",\n * reason: \"Insufficient data\",\n * });\n * ```\n */\nexport class ActionsClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /**\n * Approve a staged action, optionally modifying the tool call.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n */\n async approve(\n actionId: string,\n params: ApproveActionParams,\n ): Promise<ActionManageResponse> {\n const body: Record<string, unknown> = {};\n if (params.editedToolCall !== undefined) {\n body.editedToolCall = params.editedToolCall;\n }\n if (params.remember !== undefined) {\n body.remember = params.remember;\n }\n return this.manage(actionId, params.action, \"approve\", body);\n }\n\n /**\n * Reject a staged action.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n */\n async reject(\n actionId: string,\n params: RejectActionParams,\n ): Promise<ActionManageResponse> {\n return this.manage(actionId, params.action, \"reject\", {\n reason: params.reason,\n });\n }\n\n private async manage(\n actionId: string,\n webhookAction: string,\n operation: \"approve\" | \"reject\",\n body: Record<string, unknown>,\n ): Promise<ActionManageResponse> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for action management operations\",\n );\n }\n\n const path = `/webhooks/actions/${this.options.org}/${webhookAction}/manage/${actionId}/${operation}`;\n const bodyStr = JSON.stringify(body);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(\n this.options.webhookSecret,\n msgId,\n timestamp,\n bodyStr,\n );\n\n return this.http.request<ActionManageResponse>(path, {\n method: \"POST\",\n body: bodyStr,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n}\n","import { AgentPressError, HttpError, TimeoutError } from \"./errors\";\nimport type { ResolvedOptions } from \"./types\";\n\n/**\n * Internal shared HTTP client. Not part of the public API -- used by\n * namespace clients (e.g., `WebhooksClient`) to make authenticated requests.\n * @internal\n */\nexport class HttpClient {\n private readonly baseUrl: string;\n private readonly timeout: number;\n private readonly onRequest?: ResolvedOptions[\"onRequest\"];\n private readonly onResponse?: ResolvedOptions[\"onResponse\"];\n\n constructor(options: ResolvedOptions) {\n this.baseUrl = options.baseUrl;\n this.timeout = options.timeout;\n this.onRequest = options.onRequest;\n this.onResponse = options.onResponse;\n }\n\n /**\n * Send an HTTP request to the API. Constructs the full URL from `baseUrl` + `path`,\n * applies the configured timeout via `AbortSignal`, fires `onRequest`/`onResponse`\n * hooks, and parses the JSON response.\n *\n * @throws {TimeoutError} If the request exceeds the configured timeout.\n * @throws {HttpError} If the API returns a non-2xx status code.\n * @throws {AgentPressError} On network failures or non-JSON responses.\n */\n async request<T>(path: string, init: RequestInit): Promise<T> {\n const url = `${this.baseUrl}${path}`;\n\n const headers = new Headers(init.headers);\n if (!headers.has(\"Content-Type\")) {\n headers.set(\"Content-Type\", \"application/json\");\n }\n\n const requestInit: RequestInit = {\n ...init,\n headers,\n signal: AbortSignal.timeout(this.timeout),\n };\n\n this.onRequest?.(url, requestInit);\n\n let response: Response;\n try {\n response = await fetch(url, requestInit);\n } catch (error: unknown) {\n if (\n error instanceof Error &&\n (error.name === \"TimeoutError\" || error.name === \"AbortError\")\n ) {\n throw new TimeoutError(url, this.timeout);\n }\n const message =\n error instanceof Error ? error.message : \"Unknown fetch error\";\n throw new AgentPressError(`Request to ${url} failed: ${message}`);\n }\n\n this.onResponse?.(url, response.clone());\n\n const text = await response.text();\n\n if (!response.ok) {\n throw new HttpError(response.status, text, url);\n }\n\n try {\n return JSON.parse(text) as T;\n } catch {\n throw new AgentPressError(\n `Expected JSON response from ${url} but received: ${text.slice(0, 200)}`,\n );\n }\n }\n}\n","import {\n createRemoteJWKSet,\n type JWTVerifyGetKey,\n errors as joseErrors,\n jwtVerify,\n} from \"jose\";\n\nimport { ConfigurationError, PartnerTokenError } from \"../errors\";\nimport type {\n PartnerTokenClaims,\n ResolvedOptions,\n ResolvedPartnerMcpOptions,\n} from \"../types\";\n\nconst ALGORITHMS = [\"EdDSA\"] as const;\n\ntype RemoteJwks = ReturnType<typeof createRemoteJWKSet>;\n\n/**\n * Client for Partner MCP Spec v1 helpers. Created automatically when\n * {@link AgentPressOptions.partnerMcp} is provided.\n *\n * State (JWKS cache) is per-instance, NOT module-global, so staging and\n * production clients can run side-by-side without cross-talk.\n */\nexport class PartnersClient {\n private readonly options: ResolvedOptions;\n private readonly partnerMcp: ResolvedPartnerMcpOptions | undefined;\n private jwks: RemoteJwks | null = null;\n private jwksKeyFn: JWTVerifyGetKey | null = null;\n\n constructor(options: ResolvedOptions) {\n this.options = options;\n this.partnerMcp = options.partnerMcp;\n }\n\n /**\n * Verify an inbound Partner MCP Spec v1 JWT against AgentPress's JWKS.\n *\n * Enforces the full spec: `algorithms: [\"EdDSA\"]` pinned; `iss`, `aud`,\n * `ext_provider` validated; `sub`, `jti`, `scope` required and non-empty;\n * `kid` header required; `exp` / `iat` validated with ±30s skew (configurable).\n *\n * @param token - Bare JWT string (no `Bearer ` prefix).\n * @returns Typed {@link PartnerTokenClaims}.\n * @throws {PartnerTokenError} with a typed `reason` for RFC 6750 mapping.\n * @throws {ConfigurationError} if `partnerMcp` is not configured.\n */\n async verifyToken(token: string): Promise<PartnerTokenClaims> {\n const cfg = this.requireConfig();\n const jwks = this.getJwks();\n\n let payload: Record<string, unknown>;\n let protectedHeader: { alg?: string; kid?: string; typ?: string };\n\n try {\n const result = await jwtVerify(token, jwks, {\n algorithms: [...ALGORITHMS],\n issuer: cfg.issuer,\n audience: cfg.audience,\n clockTolerance: cfg.clockTolerance,\n });\n payload = result.payload as Record<string, unknown>;\n protectedHeader = result.protectedHeader as {\n alg?: string;\n kid?: string;\n typ?: string;\n };\n } catch (err) {\n throw mapJoseError(err);\n }\n\n // kid header required by spec. jose does not enforce this on its own\n // when the key is resolvable — we enforce it explicitly so forged\n // tokens that elide the kid header can't slip through on a single-key\n // JWKS.\n if (!protectedHeader.kid || typeof protectedHeader.kid !== \"string\") {\n throw new PartnerTokenError(\n \"kid_missing_or_unknown\",\n \"JWT header missing required 'kid'\",\n );\n }\n\n const claims = payload as PartnerTokenClaims & Record<string, unknown>;\n\n // jose's jwtVerify checks `exp` (with clockTolerance) but not `iat`\n // future-time unless `maxTokenAge` is set. The spec requires both sides\n // of the skew window, so enforce the future-iat check explicitly.\n if (typeof claims.iat !== \"number\" || !Number.isFinite(claims.iat)) {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'iat' claim must be a number\",\n );\n }\n const toleranceSeconds = toSeconds(cfg.clockTolerance);\n const nowSec = Math.floor(Date.now() / 1000);\n if (claims.iat - nowSec > toleranceSeconds) {\n throw new PartnerTokenError(\n \"not_yet_valid\",\n `'iat' is ${claims.iat - nowSec}s in the future, beyond ${toleranceSeconds}s tolerance`,\n );\n }\n\n if (typeof claims.sub !== \"string\" || claims.sub.length === 0) {\n throw new PartnerTokenError(\"missing_claim\", \"'sub' claim is required\");\n }\n if (typeof claims.jti !== \"string\" || claims.jti.length === 0) {\n throw new PartnerTokenError(\"missing_claim\", \"'jti' claim is required\");\n }\n if (typeof claims.scope !== \"string\") {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'scope' claim must be a string\",\n );\n }\n if (\n typeof claims.ext_provider !== \"string\" ||\n claims.ext_provider.length === 0\n ) {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'ext_provider' claim is required\",\n );\n }\n if (claims.ext_provider !== cfg.expectedExtProvider) {\n throw new PartnerTokenError(\n \"ext_provider_mismatch\",\n `ext_provider '${claims.ext_provider}' does not match expected '${cfg.expectedExtProvider}'`,\n );\n }\n\n return claims;\n }\n\n /**\n * Force the JWKS cache to refetch immediately. Call this from your\n * `signing_key_rotation` webhook handler after verifying the webhook —\n * otherwise the cache picks up new keys on the next `kid` miss (which\n * works, but with one failed verify latency penalty).\n */\n async refreshJwks(): Promise<void> {\n const jwks = this.getJwks();\n // jose's RemoteJWKSet exposes `.reload()` for exactly this use case.\n const anyJwks = jwks as unknown as { reload?: () => Promise<void> };\n if (typeof anyJwks.reload === \"function\") {\n await anyJwks.reload();\n }\n }\n\n private requireConfig(): ResolvedPartnerMcpOptions {\n if (!this.partnerMcp) {\n throw new ConfigurationError(\n \"partnerMcp options are required for partner token operations\",\n );\n }\n return this.partnerMcp;\n }\n\n private getJwks(): RemoteJwks {\n const cfg = this.requireConfig();\n if (!this.jwks) {\n this.jwks = createRemoteJWKSet(new URL(cfg.jwksUrl), {\n cacheMaxAge: cfg.jwksCacheMaxAgeMs,\n cooldownDuration: 30_000,\n });\n this.jwksKeyFn = this.jwks as unknown as JWTVerifyGetKey;\n }\n return this.jwks;\n }\n}\n\nfunction toSeconds(tolerance: string | number): number {\n if (typeof tolerance === \"number\") return tolerance;\n const match = tolerance.trim().match(/^(\\d+)\\s*(s|m|h)$/i);\n if (!match) return 30;\n const n = Number.parseInt(match[1] as string, 10);\n const unit = (match[2] as string).toLowerCase();\n if (unit === \"s\") return n;\n if (unit === \"m\") return n * 60;\n if (unit === \"h\") return n * 3600;\n return 30;\n}\n\nfunction mapJoseError(err: unknown): PartnerTokenError {\n if (err instanceof PartnerTokenError) return err;\n\n if (err instanceof joseErrors.JWSSignatureVerificationFailed) {\n return new PartnerTokenError(\n \"signature_invalid\",\n \"JWT signature verification failed\",\n );\n }\n if (err instanceof joseErrors.JWKSNoMatchingKey) {\n return new PartnerTokenError(\n \"kid_missing_or_unknown\",\n \"No JWKS key matches the JWT 'kid' header\",\n );\n }\n if (err instanceof joseErrors.JOSEAlgNotAllowed) {\n return new PartnerTokenError(\n \"algorithm_not_allowed\",\n \"JWT 'alg' is not EdDSA\",\n );\n }\n if (err instanceof joseErrors.JWTExpired) {\n return new PartnerTokenError(\"expired\", \"JWT has expired\");\n }\n if (err instanceof joseErrors.JWTClaimValidationFailed) {\n const claim = (err as { claim?: string }).claim;\n if (claim === \"iss\") {\n return new PartnerTokenError(\n \"issuer_mismatch\",\n \"JWT 'iss' does not match expected issuer\",\n );\n }\n if (claim === \"aud\") {\n return new PartnerTokenError(\n \"audience_mismatch\",\n \"JWT 'aud' does not match expected audience\",\n );\n }\n if (claim === \"iat\") {\n return new PartnerTokenError(\n \"not_yet_valid\",\n \"JWT 'iat' is in the future beyond clock tolerance\",\n );\n }\n return new PartnerTokenError(\n \"missing_claim\",\n err.message || \"Claim validation failed\",\n );\n }\n if (\n err instanceof joseErrors.JWTInvalid ||\n err instanceof joseErrors.JWSInvalid\n ) {\n return new PartnerTokenError(\"malformed\", err.message || \"Malformed JWT\");\n }\n if (err instanceof Error) {\n return new PartnerTokenError(\"malformed\", err.message);\n }\n return new PartnerTokenError(\"malformed\", String(err));\n}\n","import { ConfigurationError } from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n CreateUserApprovalParams,\n DeleteUserApprovalParams,\n GetUserApprovalWebhookMetadataParams,\n ListUserApprovalsParams,\n ListUserApprovalsResponse,\n ResolvedOptions,\n SyncUserApprovalsParams,\n SyncUserApprovalsResponse,\n UpdateUserApprovalParams,\n UserToolApproval,\n WebhookApprovalMetadata,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { sign } from \"../webhooks/signing\";\n\n/**\n * Client for managing per-user auto-approval rules — the SDK equivalent of the\n * console's `/account/auto-approvals` settings page. Uses HMAC-SHA256 signing\n * (Svix-compatible), identical to {@link ActionsClient.manage}.\n *\n * Each call is scoped to a single webhook (identified by `webhookIdentifier`),\n * which both selects the signing secret and scopes which approvals are visible.\n *\n * @example\n * ```ts\n * const client = new AgentPress({ webhookSecret: \"whsec_...\", org: \"my-org\" });\n *\n * const metadata = await client.userApprovals.getWebhookMetadata({\n * webhookIdentifier: \"reviews\",\n * });\n * const selectedTool = getSelectedToolFromYourUi(metadata.availableTools);\n *\n * // Provision consent so future selectedTool triggers skip the approval prompt\n * await client.userApprovals.create({\n * webhookIdentifier: metadata.webhookIdentifier,\n * userId: \"user-uuid\",\n * toolName: selectedTool.toolName,\n * mode: \"always_allow\",\n * });\n *\n * // List rules (optionally filtered by userId)\n * const { approvals } = await client.userApprovals.list({\n * webhookIdentifier: \"reviews\",\n * });\n *\n * // Revoke\n * await client.userApprovals.delete(approvalId, { webhookIdentifier: \"reviews\" });\n * ```\n */\nexport class UserApprovalsClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /**\n * List auto-approval rules for a webhook. Optionally filter by `userId`.\n * When `userId` is omitted, AgentPress returns all approval rules for the\n * signed webhook. Partner user-settings UIs should usually pass `userId` and\n * `authProvider`.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response. A 422 with\n * `code: \"USER_NOT_PROVISIONED\"` means the external user has not\n * authenticated into AgentPress yet or is not a member of the webhook's org.\n * @throws TimeoutError if request exceeds timeout\n */\n async list(\n params: ListUserApprovalsParams,\n ): Promise<ListUserApprovalsResponse> {\n const body: Record<string, unknown> = {};\n if (params.userId !== undefined) body.userId = params.userId;\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n return this.send<ListUserApprovalsResponse>(\n params.webhookIdentifier,\n \"list\",\n body,\n );\n }\n\n /**\n * Fetch metadata for a webhook plus the ordered tools that its default action\n * rule stages for approval. This is the SDK source of truth for partner\n * settings UIs; `actionWebhookId` in the response can be passed to older\n * AgentPress versions that still require it. Tool order matches the\n * AgentPress approval popup.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n */\n async getWebhookMetadata(\n params: GetUserApprovalWebhookMetadataParams,\n ): Promise<WebhookApprovalMetadata> {\n return this.send<WebhookApprovalMetadata>(\n params.webhookIdentifier,\n \"metadata\",\n {},\n );\n }\n\n /**\n * Create (or upsert) an auto-approval rule. If a rule with the same\n * `(userId, actionWebhookId, toolName)` triple already exists, it is\n * updated in place. `actionWebhookId` is optional for current AgentPress\n * core; the webhook URL scope resolves it from `webhookIdentifier`. Use\n * `toolName` values from `getWebhookMetadata().availableTools`.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response. A 422 with\n * `code: \"USER_NOT_PROVISIONED\"` means the external user has not\n * authenticated into AgentPress yet or is not a member of the webhook's org.\n * @throws TimeoutError if request exceeds timeout\n */\n async create(params: CreateUserApprovalParams): Promise<UserToolApproval> {\n const body: Record<string, unknown> = {\n userId: params.userId,\n toolName: params.toolName,\n mode: params.mode ?? \"always_allow\",\n };\n if (params.actionWebhookId !== undefined)\n body.actionWebhookId = params.actionWebhookId;\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n if (params.expiresAt !== undefined) {\n body.expiresAt =\n params.expiresAt === null ? null : params.expiresAt.toISOString();\n }\n return this.send<UserToolApproval>(\n params.webhookIdentifier,\n \"create\",\n body,\n );\n }\n\n /**\n * Idempotently sync a partner settings UI's Allow/Ask choices for one user\n * and one webhook. `mode: \"ask\"` removes an existing allow rule for that\n * listed tool. Existing `always_deny` rules and non-listed tool rules are\n * preserved.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response. A 422 with\n * `code: \"USER_NOT_PROVISIONED\"` means the external user has not\n * authenticated into AgentPress yet or is not a member of the webhook's org.\n * @throws TimeoutError if request exceeds timeout\n */\n async sync(\n params: SyncUserApprovalsParams,\n ): Promise<SyncUserApprovalsResponse> {\n const body: Record<string, unknown> = {\n userId: params.userId,\n rules: params.rules,\n };\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n return this.send<SyncUserApprovalsResponse>(\n params.webhookIdentifier,\n \"sync\",\n body,\n );\n }\n\n /**\n * Patch an existing auto-approval rule (change mode or expiry).\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response (404 if the rule does not belong to this webhook)\n * @throws TimeoutError if request exceeds timeout\n */\n async update(\n id: string,\n params: UpdateUserApprovalParams,\n ): Promise<UserToolApproval> {\n const body: Record<string, unknown> = {};\n if (params.mode !== undefined) body.mode = params.mode;\n if (params.expiresAt !== undefined) {\n body.expiresAt =\n params.expiresAt === null ? null : params.expiresAt.toISOString();\n }\n return this.send<UserToolApproval>(\n params.webhookIdentifier,\n `update/${id}`,\n body,\n );\n }\n\n /**\n * Revoke an auto-approval rule. Future triggers of the corresponding\n * `(user, webhook, tool)` combination will once again stage for approval.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response (404 if the rule does not belong to this webhook)\n * @throws TimeoutError if request exceeds timeout\n */\n async delete(\n id: string,\n params: DeleteUserApprovalParams,\n ): Promise<{ success: boolean }> {\n return this.send<{ success: boolean }>(\n params.webhookIdentifier,\n `delete/${id}`,\n {},\n );\n }\n\n /** Internal: HMAC-sign and POST the body to the scoped path. */\n private async send<T>(\n webhookIdentifier: string,\n operation: string,\n body: Record<string, unknown>,\n ): Promise<T> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for user approval management operations\",\n );\n }\n\n const path = `/webhooks/user-approvals/${this.options.org}/${webhookIdentifier}/${operation}`;\n const bodyStr = JSON.stringify(body);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(\n this.options.webhookSecret,\n msgId,\n timestamp,\n bodyStr,\n );\n\n return this.http.request<T>(path, {\n method: \"POST\",\n body: bodyStr,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nimport { ConfigurationError, KeyRotationVerifyError } from \"../errors\";\nimport type { KeyRotationEvent, KeyRotationVerifyParams } from \"../types\";\n\nconst MAX_PAYLOAD_BYTES = 8 * 1024; // 8 KB\nconst TIMESTAMP_SKEW_SECONDS = 300; // 5 minutes\nconst SIGNATURE_PREFIX = \"sha256=\";\n\n/**\n * Verify a `signing_key_rotation` webhook signed by AgentPress with\n * HMAC-SHA256 over the raw request body. Returns the typed\n * {@link KeyRotationEvent} payload.\n *\n * @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping.\n * @throws {ConfigurationError} if `webhookSecret` is not configured.\n */\nexport function verifyKeyRotation(\n secret: string | undefined,\n params: KeyRotationVerifyParams,\n): KeyRotationEvent {\n if (!secret) {\n throw new ConfigurationError(\n \"webhookSecret is required for key rotation webhook verification\",\n );\n }\n\n const body =\n typeof params.payload === \"string\"\n ? params.payload\n : params.payload.toString(\"utf-8\");\n\n const byteLength =\n typeof params.payload === \"string\"\n ? Buffer.byteLength(params.payload, \"utf-8\")\n : params.payload.length;\n if (byteLength > MAX_PAYLOAD_BYTES) {\n throw new KeyRotationVerifyError(\n \"payload_too_large\",\n `Payload exceeds ${MAX_PAYLOAD_BYTES} bytes`,\n );\n }\n\n const signatureHeader = readHeader(params.headers, \"x-agentpress-signature\");\n const timestampHeader = readHeader(params.headers, \"x-agentpress-timestamp\");\n\n if (!signatureHeader?.startsWith(SIGNATURE_PREFIX)) {\n throw new KeyRotationVerifyError(\n \"invalid_signature_format\",\n `Signature header missing or does not start with '${SIGNATURE_PREFIX}'`,\n );\n }\n const providedHex = signatureHeader\n .slice(SIGNATURE_PREFIX.length)\n .toLowerCase();\n if (!/^[0-9a-f]+$/.test(providedHex)) {\n throw new KeyRotationVerifyError(\n \"invalid_signature_format\",\n \"Signature is not a hex string\",\n );\n }\n\n if (!timestampHeader) {\n throw new KeyRotationVerifyError(\n \"invalid_timestamp\",\n \"x-agentpress-timestamp header is required\",\n );\n }\n const timestamp = Number.parseInt(timestampHeader, 10);\n if (\n !Number.isFinite(timestamp) ||\n String(timestamp) !== timestampHeader.trim()\n ) {\n throw new KeyRotationVerifyError(\n \"invalid_timestamp\",\n \"x-agentpress-timestamp is not a valid unix seconds integer\",\n );\n }\n const now = Math.floor(Date.now() / 1000);\n if (Math.abs(now - timestamp) > TIMESTAMP_SKEW_SECONDS) {\n throw new KeyRotationVerifyError(\n \"timestamp_out_of_window\",\n `Timestamp skew ${Math.abs(now - timestamp)}s exceeds ${TIMESTAMP_SKEW_SECONDS}s tolerance`,\n );\n }\n\n const expectedHex = createHmac(\"sha256\", secret).update(body).digest(\"hex\");\n const providedBuf = Buffer.from(providedHex, \"hex\");\n const expectedBuf = Buffer.from(expectedHex, \"hex\");\n if (\n providedBuf.length !== expectedBuf.length ||\n !timingSafeEqual(providedBuf, expectedBuf)\n ) {\n throw new KeyRotationVerifyError(\n \"invalid_signature\",\n \"HMAC signature mismatch\",\n );\n }\n\n let parsed: unknown;\n try {\n parsed = JSON.parse(body);\n } catch {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"Payload is not valid JSON\",\n );\n }\n\n return validatePayload(parsed);\n}\n\nfunction readHeader(\n headers: Record<string, string | undefined>,\n name: string,\n): string | undefined {\n // Headers are case-insensitive; normalize without mutating the caller's object.\n const lowered = name.toLowerCase();\n for (const [k, v] of Object.entries(headers)) {\n if (k.toLowerCase() === lowered && typeof v === \"string\" && v.length > 0) {\n return v;\n }\n }\n return undefined;\n}\n\nfunction validatePayload(raw: unknown): KeyRotationEvent {\n if (!raw || typeof raw !== \"object\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"Payload must be a JSON object\",\n );\n }\n const obj = raw as Record<string, unknown>;\n if (obj.event !== \"signing_key_rotation\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n `Unexpected event '${String(obj.event)}'`,\n );\n }\n if (obj.type !== \"scheduled\" && obj.type !== \"emergency\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"'type' must be 'scheduled' or 'emergency'\",\n );\n }\n for (const key of [\n \"retiredKid\",\n \"newCurrentKid\",\n \"retiredAt\",\n \"effectiveAt\",\n \"jwksUrl\",\n ]) {\n if (typeof obj[key] !== \"string\" || (obj[key] as string).length === 0) {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n `'${key}' must be a non-empty string`,\n );\n }\n }\n if (obj.reason !== undefined && typeof obj.reason !== \"string\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"'reason' must be a string when present\",\n );\n }\n\n const event: KeyRotationEvent = {\n event: \"signing_key_rotation\",\n type: obj.type as \"scheduled\" | \"emergency\",\n retiredKid: obj.retiredKid as string,\n newCurrentKid: obj.newCurrentKid as string,\n retiredAt: obj.retiredAt as string,\n effectiveAt: obj.effectiveAt as string,\n jwksUrl: obj.jwksUrl as string,\n };\n if (typeof obj.reason === \"string\") {\n event.reason = obj.reason;\n }\n return event;\n}\n","import {\n AgentPressError,\n ConfigurationError,\n WebhookSignatureError,\n} from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n ActionCallbackPayload,\n KeyRotationEvent,\n KeyRotationVerifyParams,\n ResolvedOptions,\n WebhookResponse,\n WebhookSendParams,\n WebhookVerifyParams,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { verifyKeyRotation as verifyKeyRotationImpl } from \"./keyRotation\";\nimport { sign, verify as verifySig } from \"./signing\";\n\nexport class WebhooksClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /**\n * Send an arbitrary webhook payload to AgentPress.\n * Signs the payload with HMAC-SHA256 (Svix-compatible).\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n */\n async send(params: WebhookSendParams): Promise<WebhookResponse> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for webhook operations\",\n );\n }\n\n const path = `/webhooks/actions/${this.options.org}/${params.action}`;\n const body = JSON.stringify(params.payload);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(this.options.webhookSecret, msgId, timestamp, body);\n\n return this.http.request<WebhookResponse>(path, {\n method: \"POST\",\n body,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n\n /**\n * Verify an inbound Svix webhook signature.\n *\n * @returns true if valid, false if invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n */\n verify(params: WebhookVerifyParams): boolean {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for webhook verification\",\n );\n }\n\n return verifySig(\n this.options.webhookSecret,\n params.payload,\n params.headers,\n );\n }\n\n /**\n * Verify an inbound Svix webhook signature, throwing on failure.\n * Useful for middleware patterns where invalid signatures should halt processing.\n *\n * @throws WebhookSignatureError if signature is invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n */\n verifyOrThrow(params: WebhookVerifyParams): void {\n if (!this.verify(params)) {\n throw new WebhookSignatureError(\"Invalid webhook signature\");\n }\n }\n\n /**\n * Verify and parse an inbound webhook from AgentPress.\n * Combines signature verification with JSON parsing and type casting.\n * This is the recommended way to handle incoming webhooks.\n *\n * @throws WebhookSignatureError if signature is invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws AgentPressError if payload is not valid JSON\n */\n constructEvent(params: WebhookVerifyParams): ActionCallbackPayload {\n this.verifyOrThrow(params);\n const body =\n typeof params.payload === \"string\"\n ? params.payload\n : params.payload.toString(\"utf-8\");\n try {\n return JSON.parse(body) as ActionCallbackPayload;\n } catch {\n throw new AgentPressError(\"Webhook payload is not valid JSON\");\n }\n }\n\n /**\n * Verify an inbound `signing_key_rotation` webhook (HMAC-SHA256 + timestamp\n * + typed payload) from AgentPress. See the Partner MCP Spec v1 for the\n * full contract.\n *\n * @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping\n * (401 for signature errors, 400 for malformed payload, 413 for oversize).\n * @throws {ConfigurationError} if `webhookSecret` is not configured.\n */\n verifyKeyRotation(params: KeyRotationVerifyParams): KeyRotationEvent {\n return verifyKeyRotationImpl(this.options.webhookSecret, params);\n }\n}\n","import { ActionsClient } from \"./actions/client\";\nimport { ConfigurationError } from \"./errors\";\nimport { HttpClient } from \"./http\";\nimport { PartnersClient } from \"./partners/client\";\nimport type {\n AgentPressOptions,\n ResolvedOptions,\n ResolvedPartnerMcpOptions,\n} from \"./types\";\nimport { UserApprovalsClient } from \"./userApprovals/client\";\nimport { WebhooksClient } from \"./webhooks/client\";\n\n/**\n * Main entry point for the AgentPress SDK. Provides namespaced access to API\n * resources (e.g., `client.webhooks.send()`, `client.actions.approve()`).\n * Validates all configuration options at construction time, so invalid config fails fast.\n *\n * @example\n * ```ts\n * const client = new AgentPress({\n * apiKey: \"ak_...\",\n * webhookSecret: \"whsec_...\",\n * });\n * await client.webhooks.send({ action: \"my_action\", payload: { ... } });\n * await client.actions.approve(\"act_123\", { action: \"my_action\" });\n * ```\n */\nexport class AgentPress {\n /** Webhook operations: send outbound webhooks and verify inbound signatures. */\n public readonly webhooks: WebhooksClient;\n /** Action management: approve or reject staged actions. */\n public readonly actions: ActionsClient;\n /** Per-user auto-approval rules (read / create / update / delete). */\n public readonly userApprovals: UserApprovalsClient;\n /** Partner MCP Spec v1 helpers (inbound JWT verification, JWKS refresh). */\n public readonly partners: PartnersClient;\n\n /**\n * @param options - SDK configuration. All fields are optional with sensible defaults.\n * @throws {ConfigurationError} If `timeout` is non-positive or `webhookSecret` has an invalid prefix.\n */\n constructor(options: AgentPressOptions = {}) {\n const resolved = resolveOptions(options);\n const http = new HttpClient(resolved);\n this.webhooks = new WebhooksClient(resolved, http);\n this.actions = new ActionsClient(resolved, http);\n this.userApprovals = new UserApprovalsClient(resolved, http);\n this.partners = new PartnersClient(resolved);\n }\n}\n\nfunction resolveOptions(options: AgentPressOptions): ResolvedOptions {\n const baseUrl = (options.baseUrl ?? \"https://api.agent.press\").replace(\n /\\/+$/,\n \"\",\n );\n const timeout = options.timeout ?? 30_000;\n const org = options.org ?? \"default-org\";\n\n if (timeout <= 0 || !Number.isFinite(timeout)) {\n throw new ConfigurationError(\"timeout must be a positive number\");\n }\n\n if (\n options.webhookSecret !== undefined &&\n !options.webhookSecret.startsWith(\"whsec_\")\n ) {\n throw new ConfigurationError('webhookSecret must start with \"whsec_\"');\n }\n\n return {\n baseUrl,\n timeout,\n org,\n webhookSecret: options.webhookSecret,\n apiKey: options.apiKey,\n partnerMcp: resolvePartnerMcp(options.partnerMcp),\n onRequest: options.onRequest,\n onResponse: options.onResponse,\n };\n}\n\nfunction resolvePartnerMcp(\n options: AgentPressOptions[\"partnerMcp\"],\n): ResolvedPartnerMcpOptions | undefined {\n if (!options) return undefined;\n\n if (typeof options.jwksUrl !== \"string\" || options.jwksUrl.length === 0) {\n throw new ConfigurationError(\"partnerMcp.jwksUrl is required\");\n }\n try {\n // Validate early so a bad URL fails at construction, not on first verify.\n new URL(options.jwksUrl);\n } catch {\n throw new ConfigurationError(\"partnerMcp.jwksUrl must be a valid URL\");\n }\n if (typeof options.issuer !== \"string\" || options.issuer.length === 0) {\n throw new ConfigurationError(\"partnerMcp.issuer is required\");\n }\n if (typeof options.audience !== \"string\" || options.audience.length === 0) {\n throw new ConfigurationError(\"partnerMcp.audience is required\");\n }\n if (\n typeof options.expectedExtProvider !== \"string\" ||\n options.expectedExtProvider.length === 0\n ) {\n throw new ConfigurationError(\"partnerMcp.expectedExtProvider is required\");\n }\n\n const clockTolerance = options.clockTolerance ?? \"30s\";\n const jwksCacheMaxAgeMs = options.jwksCacheMaxAgeMs ?? 3_600_000;\n if (jwksCacheMaxAgeMs <= 0 || !Number.isFinite(jwksCacheMaxAgeMs)) {\n throw new ConfigurationError(\n \"partnerMcp.jwksCacheMaxAgeMs must be a positive number\",\n );\n }\n\n return {\n jwksUrl: options.jwksUrl,\n issuer: options.issuer,\n audience: options.audience,\n expectedExtProvider: options.expectedExtProvider,\n clockTolerance,\n jwksCacheMaxAgeMs,\n };\n}\n","/** Constructor options for the {@link AgentPress} client. All fields are optional. */\nexport interface AgentPressOptions {\n /** Svix webhook signing secret for verifying inbound webhooks. Must start with `\"whsec_\"`. */\n webhookSecret?: string;\n /** API key for authenticated requests. */\n apiKey?: string;\n /** @default \"https://api.agent.press\" */\n baseUrl?: string;\n /** Request timeout in milliseconds. Must be a positive finite number. @default 30000 */\n timeout?: number;\n /** Organization identifier sent with requests. @default \"default-org\" */\n org?: string;\n /**\n * Partner MCP Spec v1 configuration. Required only if you call\n * {@link PartnersClient.verifyToken} or {@link WebhooksClient.verifyKeyRotation}.\n *\n * Each environment (staging / production) needs its own {@link AgentPress}\n * instance with its own `partnerMcp` block — never share a client between\n * environments. JWKS cache state is per-instance, so side-by-side staging\n * and prod clients have no cross-talk.\n */\n partnerMcp?: PartnerMcpOptions;\n /** Hook called before every outbound HTTP request (useful for logging/tracing). */\n onRequest?: (url: string, init: RequestInit) => void;\n /** Hook called after every HTTP response is received. */\n onResponse?: (url: string, response: Response) => void;\n}\n\n/** Partner MCP Spec v1 configuration. See {@link AgentPressOptions.partnerMcp}. */\nexport interface PartnerMcpOptions {\n /**\n * Full URL to the issuing AgentPress org's JWKS.\n * Per-org as of Partner MCP Spec v1 (per-org signing keys), e.g.\n * `https://api.agent.press/orgs/<org-slug>/.well-known/jwks.json`.\n * The org admin who registered you as a partner will give you the\n * exact URL along with their `<org-slug>`.\n */\n jwksUrl: string;\n /**\n * Exact match for the JWT `iss` claim. Per-org scoped, e.g.\n * `https://api.agent.press/orgs/<org-slug>`. The JWKS URL above is\n * always `<issuer>/.well-known/jwks.json`.\n */\n issuer: string;\n /** Exact match for the JWT `aud` claim — your partner MCP's stable URL. */\n audience: string;\n /** Required value for the `ext_provider` claim, e.g. `\"partner_auth\"`. */\n expectedExtProvider: string;\n /**\n * Clock skew tolerance for `iat` / `exp` validation. Accepts a jose duration\n * string (`\"30s\"`, `\"1m\"`) or a number of seconds.\n * @default \"30s\"\n */\n clockTolerance?: string | number;\n /**\n * JWKS cache max age in milliseconds. Cache is per-instance, not module-global.\n * @default 3_600_000 (1 hour)\n */\n jwksCacheMaxAgeMs?: number;\n}\n\n/** A verified Partner MCP Spec v1 JWT claim set. */\nexport interface PartnerTokenClaims {\n /** The external user id (verified non-empty). */\n sub: string;\n /** Space-separated scope string, per RFC 8693. May be empty but always present. */\n scope: string;\n /** External auth provider name; verified against {@link PartnerMcpOptions.expectedExtProvider}. */\n ext_provider: string;\n /** Unique token id. Non-empty. Partners build replay caches keyed by this. */\n jti: string;\n /** Already validated against {@link PartnerMcpOptions.issuer}; returned for audit logs. */\n iss: string;\n /** Already validated against {@link PartnerMcpOptions.audience}; returned for audit logs. */\n aud: string;\n /** Unix seconds. */\n iat: number;\n /** Unix seconds. */\n exp: number;\n /** AgentPress org identifier, optional. */\n org_id?: string;\n /** AgentPress thread identifier, optional. */\n thread_id?: string;\n /** Reserved for multi-tenant partner flows. */\n settings_id?: string;\n /** Forward-compat: any additional claims pass through. */\n [key: string]: unknown;\n}\n\n/** Parameters for {@link WebhooksClient.verifyKeyRotation}. */\nexport interface KeyRotationVerifyParams {\n /** Raw request body (string or Buffer) — must not be parsed/modified. */\n payload: string | Buffer;\n /**\n * Incoming HTTP headers. Accepts plain `Record<string, string | undefined>`\n * so Hono / Fastify / Express / Fetch / Worker all work interchangeably.\n * Must include `x-agentpress-signature` and `x-agentpress-timestamp`.\n */\n headers: Record<string, string | undefined>;\n}\n\n/** A verified `signing_key_rotation` webhook payload. */\nexport interface KeyRotationEvent {\n event: \"signing_key_rotation\";\n type: \"scheduled\" | \"emergency\";\n retiredKid: string;\n newCurrentKid: string;\n /** ISO 8601 timestamp. */\n retiredAt: string;\n /** ISO 8601 timestamp. */\n effectiveAt: string;\n /** Matches the configured partner JWKS URL. */\n jwksUrl: string;\n /** Present only on `type: \"emergency\"` rotations. */\n reason?: string;\n}\n\n/** Parameters for {@link WebhooksClient.send}. */\nexport interface WebhookSendParams {\n /** Webhook action name (matches an action rule on the server). */\n action: string;\n /** Arbitrary payload data forwarded to the webhook handler. */\n payload: Record<string, unknown>;\n}\n\n/** Parameters for verifying an inbound webhook signature via {@link WebhooksClient.verify} or {@link WebhooksClient.verifyOrThrow}. */\nexport interface WebhookVerifyParams {\n /** Raw request body (string or Buffer) -- must not be parsed/modified. */\n payload: string | Buffer;\n /** Svix signature headers from the incoming request. */\n headers: {\n \"svix-id\": string;\n \"svix-timestamp\": string;\n \"svix-signature\": string;\n };\n}\n\n/** Response from webhook send operations. */\nexport interface WebhookResponse {\n success: boolean;\n /** UUID of the created action (present on successful creation). */\n actionId?: string;\n /** `true` if an action with the same `externalId` already existed (idempotency). */\n alreadyExists?: boolean;\n skipped?: boolean;\n data?: Record<string, unknown>;\n}\n\n// ── Action Lifecycle Event Types ────────────────────────────────────\n\n/** Action lifecycle event types emitted by AgentPress. */\nexport type ActionEventType =\n | \"action.pending_approval\"\n | \"action.approved\"\n | \"action.completed\"\n | \"action.failed\"\n | \"action.rejected\"\n | \"action.expired\";\n\n/** All public action callback event types emitted by AgentPress. */\nexport const ACTION_EVENT_TYPES: readonly ActionEventType[] = [\n \"action.pending_approval\",\n \"action.approved\",\n \"action.completed\",\n \"action.failed\",\n \"action.rejected\",\n \"action.expired\",\n] as const;\n\n/** Structured approval summary for a staged tool call. */\nexport interface StagedToolCallSummary {\n /** Short action phrase, suitable for headings. */\n title: string;\n /** Full approval request sentence with the key action details. */\n detail: string;\n}\n\n/** A tool call staged for approval lifecycle callbacks. */\nexport interface StagedToolCall {\n toolName: string;\n toolCallId: string;\n arguments: Record<string, unknown>;\n /**\n * Generated approval summary. New callbacks use the structured shape; legacy\n * callbacks may contain a plain string.\n */\n summary?: string | StagedToolCallSummary;\n}\n\n/** Parameters for {@link ActionsClient.approve}. */\nexport interface ApproveActionParams {\n /** Webhook action identifier (from callback's webhookAction field). */\n action: string;\n /** Optionally modify the tool call arguments before execution. */\n editedToolCall?: {\n toolName: string;\n arguments: Record<string, unknown>;\n };\n /**\n * If `\"webhook\"`, also auto-approves future triggers of the same\n * `(user, webhook, tool)` combination — same effect as the UI's\n * \"Always allow for this webhook\" option.\n *\n * - `\"once\"` — approve only this action (default behavior).\n * - `\"webhook\"` — approve and remember for future triggers.\n */\n remember?: \"once\" | \"webhook\";\n}\n\n/** Parameters for {@link ActionsClient.reject}. */\nexport interface RejectActionParams {\n /** Webhook action identifier (from callback's webhookAction field). */\n action: string;\n /** Reason for rejection. */\n reason?: string;\n}\n\n/** Response from action approve/reject operations. */\nexport interface ActionManageResponse {\n success: boolean;\n actionId: string;\n status: ActionStatus;\n}\n\n// ── Outbound Webhook (Action Callback) Types ──────────────────────────\n\n/** Status of an action in the AgentPress system. */\nexport type ActionStatus =\n | \"pending\"\n | \"staged\"\n | \"approved\"\n | \"executing\"\n | \"rejected\"\n | \"completed\"\n | \"failed\"\n | \"expired\";\n\n/** A tool call made by the agent during action processing. */\nexport interface ToolCallResult {\n toolName: string;\n arguments: Record<string, unknown>;\n result: unknown;\n}\n\n/** The agent's response after processing an action. */\nexport interface AgentResponse {\n /** The agent's text response, if any. */\n text: string | null;\n /** Tool calls made by the agent during processing. */\n toolCalls: ToolCallResult[];\n}\n\n/**\n * Payload received from AgentPress outbound webhooks (post-event callbacks).\n * This is what your server receives for approval, terminal, and failure events.\n */\nexport interface ActionCallbackPayload {\n actionId: string;\n status: ActionStatus;\n actionType: string;\n /** Lifecycle event type (e.g., \"action.pending_approval\", \"action.completed\"). */\n eventType: ActionEventType;\n /** Webhook action identifier used to create this action. Needed for approve/reject. */\n webhookAction: string | null;\n /** Tool staged for approval lifecycle events when available. */\n stagedToolCall: StagedToolCall | null;\n /** ISO 8601 timestamp of when this callback event occurred. */\n occurredAt: string;\n /** ISO 8601 timestamp retained for backwards compatibility. */\n completedAt: string;\n /** Human-readable execution summary when populated on the action. */\n resultSummary: string | null;\n /** Original data from the inbound webhook that triggered this action. */\n sourceData: Record<string, unknown>;\n /** External system identifier. */\n externalId: string | null;\n /** AgentPress user ID associated with this action. */\n userId: string | null;\n /** Thread ID if the action created a conversation. */\n threadId: string | null;\n /** The agent's response including text and tool call results. */\n agentResponse: AgentResponse;\n /** Error message if the action failed. */\n errorMessage: string | null;\n /**\n * Structured error metadata for clients that need branching/logging without\n * displaying raw provider errors.\n */\n errorDetails: {\n code: string | null;\n provider: string | null;\n recoverable: boolean;\n userMessage: string | null;\n } | null;\n /** Reason provided if the action was rejected by a human reviewer. */\n rejectionReason: string | null;\n /** Additional custom fields from post-event configuration. */\n [key: string]: unknown;\n}\n\n// ── User Tool Approvals ─────────────────────────────────────────────\n\n/** Mode of a user tool approval rule. */\nexport type ApprovalMode = \"always_allow\" | \"always_deny\";\n\n/**\n * Mode accepted by settings UIs that sync Allow/Ask choices. `always_allow`\n * persists an allow rule. `ask` means no stored allow rule for that listed\n * tool. `always_deny` is intentionally not accepted by sync.\n */\nexport type ApprovalRuleSyncMode = \"always_allow\" | \"ask\";\n\n/**\n * A persisted rule that auto-approves (or auto-denies) a specific\n * `(user, webhook, tool)` triple, bypassing the per-action approval prompt.\n * Dates are ISO 8601 strings on the wire.\n */\nexport interface UserToolApproval {\n id: string;\n orgId: string;\n userId: string;\n actionWebhookId: string;\n toolName: string;\n mode: ApprovalMode;\n /** ISO 8601 timestamp. `null` means never expires. */\n expiresAt: string | null;\n /** ISO 8601 timestamp. */\n createdAt: string;\n /** ISO 8601 timestamp. */\n updatedAt: string;\n}\n\n/** Parameters for {@link UserApprovalsClient.list}. */\nexport interface ListUserApprovalsParams {\n /** Webhook identifier (slug) — required to scope the signing secret and the result. */\n webhookIdentifier: string;\n /**\n * Filter to a single user's approvals. Accepts either an internal AgentPress\n * user UUID, or — when paired with {@link authProvider} — an external user ID\n * from a custom auth provider. If omitted, lists every approval for the\n * signed webhook.\n */\n userId?: string;\n /**\n * Name of the registered external auth provider. When provided, `userId` is\n * treated as the external user ID and resolved to the internal user via\n * `users.external_auth_id`. The resolved user must belong to the webhook's\n * AgentPress org.\n */\n authProvider?: string;\n}\n\n/** Response from {@link UserApprovalsClient.list}. */\nexport interface ListUserApprovalsResponse {\n approvals: UserToolApproval[];\n}\n\n/** Metadata for one tool that the webhook's default rule stages for approval. */\nexport interface WebhookApprovalToolMetadata {\n /** Stable tool slug to use in create/sync rules. */\n toolName: string;\n /** Human-readable label matching AgentPress approval UI formatting. */\n label: string;\n /** Tool description, when exposed by the agent/tool catalog. */\n description: string | null;\n /** True/false when known; null when the tool catalog does not expose it. */\n destructiveHint: boolean | null;\n /** True/false when known; null when the tool catalog does not expose it. */\n sensitiveHint: boolean | null;\n}\n\n/** Webhook metadata plus the ordered approval-tool catalog for partner UIs. */\nexport interface WebhookApprovalMetadata {\n /** Same value as `actionWebhookId`; included for compatibility. */\n id: string;\n /** UUID of the `action_webhooks` row resolved from `webhookIdentifier`. */\n actionWebhookId: string;\n /** Stable webhook slug used in SDK calls and signed URLs. */\n webhookIdentifier: string;\n /** Human-readable webhook display name. */\n displayName: string;\n /** Alias of `displayName`; included for compatibility with webhook rows. */\n name: string;\n /** Organization that owns this webhook. */\n orgId: string;\n /** Default action rule attached to the webhook, if any. */\n defaultActionRuleId: string | null;\n /** Ordered tools matching the AgentPress approval popup order. */\n availableTools: WebhookApprovalToolMetadata[];\n /** Backwards-compatible ordered projection of `availableTools[].toolName`. */\n toolNames: string[];\n}\n\n/** Parameters for {@link UserApprovalsClient.create}. */\nexport interface CreateUserApprovalParams {\n /** Webhook identifier (slug) — required to scope the signing secret. */\n webhookIdentifier: string;\n /**\n * User identifier this rule applies to. Accepts either an internal AgentPress\n * user UUID, or — when paired with {@link authProvider} — an external user ID\n * from a custom auth provider.\n */\n userId: string;\n /**\n * Name of the registered external auth provider. When provided, `userId` is\n * treated as the external user ID and resolved to the internal user via\n * `users.external_auth_id`. The user must have authenticated through the\n * provider at least once and belong to the webhook's AgentPress org for\n * resolution to succeed.\n */\n authProvider?: string;\n /**\n * UUID of the `action_webhooks` row. Optional for SDK callers; when omitted,\n * AgentPress resolves it from `webhookIdentifier`. If supplied, core rejects\n * the request unless it matches the URL-scoped webhook.\n */\n actionWebhookId?: string;\n /** Tool slug from `WebhookApprovalMetadata.availableTools[].toolName`. */\n toolName: string;\n /** Stored approval mode. Defaults to `\"always_allow\"`. */\n mode?: ApprovalMode;\n /** `null` or omitted = never expires. */\n expiresAt?: Date | null;\n}\n\n/** Parameters for {@link UserApprovalsClient.update}. */\nexport interface UpdateUserApprovalParams {\n /** Webhook identifier (slug) the approval belongs to — required for signing. */\n webhookIdentifier: string;\n mode?: ApprovalMode;\n expiresAt?: Date | null;\n}\n\n/** Parameters for {@link UserApprovalsClient.delete}. */\nexport interface DeleteUserApprovalParams {\n /** Webhook identifier (slug) the approval belongs to — required for signing. */\n webhookIdentifier: string;\n}\n\n/** Parameters for {@link UserApprovalsClient.getWebhookMetadata}. */\nexport interface GetUserApprovalWebhookMetadataParams {\n /** Webhook identifier (slug) — required to scope the signing secret. */\n webhookIdentifier: string;\n}\n\nexport interface SyncUserApprovalRule {\n /** Tool slug from `WebhookApprovalMetadata.availableTools[].toolName`. */\n toolName: string;\n /** Desired partner UI state for this listed tool. */\n mode: ApprovalRuleSyncMode;\n}\n\n/** Parameters for {@link UserApprovalsClient.sync}. */\nexport interface SyncUserApprovalsParams {\n /** Webhook identifier (slug) — required to scope the signing secret. */\n webhookIdentifier: string;\n /**\n * User identifier this sync applies to. Accepts either an internal AgentPress\n * user UUID, or — when paired with {@link authProvider} — an external user ID.\n */\n userId: string;\n /**\n * Name of the registered external auth provider. The user must have\n * authenticated through that provider at least once and belong to the\n * webhook's AgentPress org.\n */\n authProvider?: string;\n /**\n * Complete desired Allow/Ask state for the tools your UI manages. Tools not\n * listed here are left untouched. Existing always_deny rules are preserved.\n */\n rules: SyncUserApprovalRule[];\n}\n\nexport interface SyncUserApprovalsResponse {\n /** Approval rows remaining after sync for this user and webhook. */\n approvals: UserToolApproval[];\n summary: {\n /** Unique tool names requested after duplicate tool names are collapsed. */\n requested: number;\n /** Number of allow upserts attempted. */\n upserted: number;\n /** Number of existing non-deny rows removed for `ask`. */\n removed: number;\n /** Number of requested rows that already had the desired no-op state. */\n unchanged: number;\n /** Number of requested tools skipped because an always_deny rule exists. */\n preservedDeny: number;\n };\n /** Tool names whose existing always_deny rows were intentionally preserved. */\n preservedDenyTools: string[];\n}\n\n/** @internal Resolved (validated, defaulted) options. Not exported from the public API. */\nexport interface ResolvedOptions {\n baseUrl: string;\n timeout: number;\n org: string;\n webhookSecret?: string;\n apiKey?: string;\n partnerMcp?: ResolvedPartnerMcpOptions;\n onRequest?: AgentPressOptions[\"onRequest\"];\n onResponse?: AgentPressOptions[\"onResponse\"];\n}\n\n/** @internal Resolved (validated, defaulted) partner MCP options. */\nexport interface ResolvedPartnerMcpOptions {\n jwksUrl: string;\n issuer: string;\n audience: string;\n expectedExtProvider: string;\n clockTolerance: string | number;\n jwksCacheMaxAgeMs: number;\n}\n"],"mappings":";;;;;;;;AAIA,IAAa,kBAAb,cAAqC,MAAM;CACzC,YAAY,SAAiB;EAC3B,MAAM,OAAO;EACb,KAAK,OAAO;EACZ,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;;;;AAMA,IAAa,qBAAb,cAAwC,gBAAgB;CACtD,YAAY,SAAiB;EAC3B,MAAM,OAAO;EACb,KAAK,OAAO;EACZ,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;;;;;;;;AAUA,IAAa,YAAb,cAA+B,gBAAgB;CAC7C;CACA;CACA;CAEA,YAAY,YAAoB,cAAsB,KAAa;EACjE,MAAM,QAAQ,WAAW,QAAQ,KAAK;EACtC,KAAK,OAAO;EACZ,KAAK,aAAa;EAClB,KAAK,eAAe;EACpB,KAAK,MAAM;EACX,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;AAGA,IAAa,eAAb,cAAkC,gBAAgB;CAChD,YAAY,KAAa,SAAiB;EACxC,MAAM,cAAc,IAAI,mBAAmB,QAAQ,GAAG;EACtD,KAAK,OAAO;EACZ,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;AAGA,IAAa,wBAAb,cAA2C,gBAAgB;CACzD,YAAY,SAAiB;EAC3B,MAAM,OAAO;EACb,KAAK,OAAO;EACZ,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;;;;;AAoBA,IAAa,oBAAb,cAAuC,gBAAgB;CACrD;CAEA,YAAY,QAAiC,SAAiB;EAC5D,MAAM,OAAO;EACb,KAAK,OAAO;EACZ,KAAK,SAAS;EACd,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;;;;AAeA,IAAa,yBAAb,cAA4C,gBAAgB;CAC1D;CAEA,YAAY,QAAsC,SAAiB;EACjE,MAAM,OAAO;EACb,KAAK,OAAO;EACZ,KAAK,SAAS;EACd,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;;AClHA,SAAgB,kBAA0B;CACxC,OAAO,QAAA,GAAA,YAAA,WAAA,CAAkB;AAC3B;;;ACFA,MAAMA,qBAAmB;AACzB,MAAM,4BAA4B;;;;;;;;;;AAWlC,SAAgB,KACd,QACA,OACA,WACA,MACQ;CACR,MAAM,cAAc,OAAO,KAAK,OAAO,QAAQ,WAAW,EAAE,GAAG,QAAQ;CACvE,MAAM,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG;CAIzC,OAAO,GAAGA,sBAAAA,GAAAA,YAAAA,WAAAA,CAHmB,UAAU,WAAW,CAAC,CAChD,OAAO,OAAO,CAAC,CACf,OAAO,QAC2B;AACvC;;;;;;;;;;AAWA,SAAgB,OACd,QACA,SACA,SAKA,mBAA2B,2BAClB;CACT,MAAM,QAAQ,QAAQ;CACtB,MAAM,eAAe,QAAQ;CAC7B,MAAM,kBAAkB,QAAQ;CAEhC,MAAM,YAAY,SAAS,cAAc,EAAE;CAC3C,IAAI,OAAO,MAAM,SAAS,GAAG,OAAO;CAEpC,MAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;CACxC,IAAI,KAAK,IAAI,MAAM,SAAS,IAAI,kBAAkB,OAAO;CAIzD,MAAM,WAAW,KAAK,QAAQ,OAAO,WADnC,OAAO,YAAY,WAAW,UAAU,QAAQ,SAAS,OAAO,CACd;CAEpD,MAAM,aAAa,gBAAgB,MAAM,GAAG;CAC5C,MAAM,cAAc,OAAO,KAAK,QAAQ;CAExC,KAAK,MAAM,OAAO,YAAY;EAC5B,MAAM,SAAS,OAAO,KAAK,GAAG;EAC9B,IACE,OAAO,WAAW,YAAY,WAAA,GAAA,YAAA,gBAAA,CACd,QAAQ,WAAW,GAEnC,OAAO;CAEX;CAEA,OAAO;AACT;;;;;;;;;;;;;;;;;;;;;;;AC5CA,IAAa,gBAAb,MAA2B;CACzB;CACA;CAEA,YAAY,SAA0B,MAAkB;EACtD,KAAK,UAAU;EACf,KAAK,OAAO;CACd;;;;;;;;CASA,MAAM,QACJ,UACA,QAC+B;EAC/B,MAAM,OAAgC,CAAC;EACvC,IAAI,OAAO,mBAAmB,KAAA,GAC5B,KAAK,iBAAiB,OAAO;EAE/B,IAAI,OAAO,aAAa,KAAA,GACtB,KAAK,WAAW,OAAO;EAEzB,OAAO,KAAK,OAAO,UAAU,OAAO,QAAQ,WAAW,IAAI;CAC7D;;;;;;;;CASA,MAAM,OACJ,UACA,QAC+B;EAC/B,OAAO,KAAK,OAAO,UAAU,OAAO,QAAQ,UAAU,EACpD,QAAQ,OAAO,OACjB,CAAC;CACH;CAEA,MAAc,OACZ,UACA,eACA,WACA,MAC+B;EAC/B,IAAI,CAAC,KAAK,QAAQ,eAChB,MAAM,IAAI,mBACR,4DACF;EAGF,MAAM,OAAO,qBAAqB,KAAK,QAAQ,IAAI,GAAG,cAAc,UAAU,SAAS,GAAG;EAC1F,MAAM,UAAU,KAAK,UAAU,IAAI;EACnC,MAAM,QAAQ,gBAAgB;EAC9B,MAAM,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;EAC9C,MAAM,YAAY,KAChB,KAAK,QAAQ,eACb,OACA,WACA,OACF;EAEA,OAAO,KAAK,KAAK,QAA8B,MAAM;GACnD,QAAQ;GACR,MAAM;GACN,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,SAAS;IAClC,kBAAkB;GACpB;EACF,CAAC;CACH;AACF;;;;;;;;ACtGA,IAAa,aAAb,MAAwB;CACtB;CACA;CACA;CACA;CAEA,YAAY,SAA0B;EACpC,KAAK,UAAU,QAAQ;EACvB,KAAK,UAAU,QAAQ;EACvB,KAAK,YAAY,QAAQ;EACzB,KAAK,aAAa,QAAQ;CAC5B;;;;;;;;;;CAWA,MAAM,QAAW,MAAc,MAA+B;EAC5D,MAAM,MAAM,GAAG,KAAK,UAAU;EAE9B,MAAM,UAAU,IAAI,QAAQ,KAAK,OAAO;EACxC,IAAI,CAAC,QAAQ,IAAI,cAAc,GAC7B,QAAQ,IAAI,gBAAgB,kBAAkB;EAGhD,MAAM,cAA2B;GAC/B,GAAG;GACH;GACA,QAAQ,YAAY,QAAQ,KAAK,OAAO;EAC1C;EAEA,KAAK,YAAY,KAAK,WAAW;EAEjC,IAAI;EACJ,IAAI;GACF,WAAW,MAAM,MAAM,KAAK,WAAW;EACzC,SAAS,OAAgB;GACvB,IACE,iBAAiB,UAChB,MAAM,SAAS,kBAAkB,MAAM,SAAS,eAEjD,MAAM,IAAI,aAAa,KAAK,KAAK,OAAO;GAI1C,MAAM,IAAI,gBAAgB,cAAc,IAAI,WAD1C,iBAAiB,QAAQ,MAAM,UAAU,uBACqB;EAClE;EAEA,KAAK,aAAa,KAAK,SAAS,MAAM,CAAC;EAEvC,MAAM,OAAO,MAAM,SAAS,KAAK;EAEjC,IAAI,CAAC,SAAS,IACZ,MAAM,IAAI,UAAU,SAAS,QAAQ,MAAM,GAAG;EAGhD,IAAI;GACF,OAAO,KAAK,MAAM,IAAI;EACxB,QAAQ;GACN,MAAM,IAAI,gBACR,+BAA+B,IAAI,iBAAiB,KAAK,MAAM,GAAG,GAAG,GACvE;EACF;CACF;AACF;;;AC/DA,MAAM,aAAa,CAAC,OAAO;;;;;;;;AAW3B,IAAa,iBAAb,MAA4B;CAC1B;CACA;CACA,OAAkC;CAClC,YAA4C;CAE5C,YAAY,SAA0B;EACpC,KAAK,UAAU;EACf,KAAK,aAAa,QAAQ;CAC5B;;;;;;;;;;;;;CAcA,MAAM,YAAY,OAA4C;EAC5D,MAAM,MAAM,KAAK,cAAc;EAC/B,MAAM,OAAO,KAAK,QAAQ;EAE1B,IAAI;EACJ,IAAI;EAEJ,IAAI;GACF,MAAM,SAAS,OAAA,GAAA,KAAA,UAAA,CAAgB,OAAO,MAAM;IAC1C,YAAY,CAAC,GAAG,UAAU;IAC1B,QAAQ,IAAI;IACZ,UAAU,IAAI;IACd,gBAAgB,IAAI;GACtB,CAAC;GACD,UAAU,OAAO;GACjB,kBAAkB,OAAO;EAK3B,SAAS,KAAK;GACZ,MAAM,aAAa,GAAG;EACxB;EAMA,IAAI,CAAC,gBAAgB,OAAO,OAAO,gBAAgB,QAAQ,UACzD,MAAM,IAAI,kBACR,0BACA,mCACF;EAGF,MAAM,SAAS;EAKf,IAAI,OAAO,OAAO,QAAQ,YAAY,CAAC,OAAO,SAAS,OAAO,GAAG,GAC/D,MAAM,IAAI,kBACR,iBACA,8BACF;EAEF,MAAM,mBAAmB,UAAU,IAAI,cAAc;EACrD,MAAM,SAAS,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;EAC3C,IAAI,OAAO,MAAM,SAAS,kBACxB,MAAM,IAAI,kBACR,iBACA,YAAY,OAAO,MAAM,OAAO,0BAA0B,iBAAiB,YAC7E;EAGF,IAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,IAAI,WAAW,GAC1D,MAAM,IAAI,kBAAkB,iBAAiB,yBAAyB;EAExE,IAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,IAAI,WAAW,GAC1D,MAAM,IAAI,kBAAkB,iBAAiB,yBAAyB;EAExE,IAAI,OAAO,OAAO,UAAU,UAC1B,MAAM,IAAI,kBACR,iBACA,gCACF;EAEF,IACE,OAAO,OAAO,iBAAiB,YAC/B,OAAO,aAAa,WAAW,GAE/B,MAAM,IAAI,kBACR,iBACA,kCACF;EAEF,IAAI,OAAO,iBAAiB,IAAI,qBAC9B,MAAM,IAAI,kBACR,yBACA,iBAAiB,OAAO,aAAa,6BAA6B,IAAI,oBAAoB,EAC5F;EAGF,OAAO;CACT;;;;;;;CAQA,MAAM,cAA6B;EAGjC,MAAM,UAFO,KAAK,QAEC;EACnB,IAAI,OAAO,QAAQ,WAAW,YAC5B,MAAM,QAAQ,OAAO;CAEzB;CAEA,gBAAmD;EACjD,IAAI,CAAC,KAAK,YACR,MAAM,IAAI,mBACR,8DACF;EAEF,OAAO,KAAK;CACd;CAEA,UAA8B;EAC5B,MAAM,MAAM,KAAK,cAAc;EAC/B,IAAI,CAAC,KAAK,MAAM;GACd,KAAK,QAAA,GAAA,KAAA,mBAAA,CAA0B,IAAI,IAAI,IAAI,OAAO,GAAG;IACnD,aAAa,IAAI;IACjB,kBAAkB;GACpB,CAAC;GACD,KAAK,YAAY,KAAK;EACxB;EACA,OAAO,KAAK;CACd;AACF;AAEA,SAAS,UAAU,WAAoC;CACrD,IAAI,OAAO,cAAc,UAAU,OAAO;CAC1C,MAAM,QAAQ,UAAU,KAAK,CAAC,CAAC,MAAM,oBAAoB;CACzD,IAAI,CAAC,OAAO,OAAO;CACnB,MAAM,IAAI,OAAO,SAAS,MAAM,IAAc,EAAE;CAChD,MAAM,OAAQ,MAAM,EAAE,CAAY,YAAY;CAC9C,IAAI,SAAS,KAAK,OAAO;CACzB,IAAI,SAAS,KAAK,OAAO,IAAI;CAC7B,IAAI,SAAS,KAAK,OAAO,IAAI;CAC7B,OAAO;AACT;AAEA,SAAS,aAAa,KAAiC;CACrD,IAAI,eAAe,mBAAmB,OAAO;CAE7C,IAAI,eAAeC,KAAAA,OAAW,gCAC5B,OAAO,IAAI,kBACT,qBACA,mCACF;CAEF,IAAI,eAAeA,KAAAA,OAAW,mBAC5B,OAAO,IAAI,kBACT,0BACA,0CACF;CAEF,IAAI,eAAeA,KAAAA,OAAW,mBAC5B,OAAO,IAAI,kBACT,yBACA,wBACF;CAEF,IAAI,eAAeA,KAAAA,OAAW,YAC5B,OAAO,IAAI,kBAAkB,WAAW,iBAAiB;CAE3D,IAAI,eAAeA,KAAAA,OAAW,0BAA0B;EACtD,MAAM,QAAS,IAA2B;EAC1C,IAAI,UAAU,OACZ,OAAO,IAAI,kBACT,mBACA,0CACF;EAEF,IAAI,UAAU,OACZ,OAAO,IAAI,kBACT,qBACA,4CACF;EAEF,IAAI,UAAU,OACZ,OAAO,IAAI,kBACT,iBACA,mDACF;EAEF,OAAO,IAAI,kBACT,iBACA,IAAI,WAAW,yBACjB;CACF;CACA,IACE,eAAeA,KAAAA,OAAW,cAC1B,eAAeA,KAAAA,OAAW,YAE1B,OAAO,IAAI,kBAAkB,aAAa,IAAI,WAAW,eAAe;CAE1E,IAAI,eAAe,OACjB,OAAO,IAAI,kBAAkB,aAAa,IAAI,OAAO;CAEvD,OAAO,IAAI,kBAAkB,aAAa,OAAO,GAAG,CAAC;AACvD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC9LA,IAAa,sBAAb,MAAiC;CAC/B;CACA;CAEA,YAAY,SAA0B,MAAkB;EACtD,KAAK,UAAU;EACf,KAAK,OAAO;CACd;;;;;;;;;;;;;CAcA,MAAM,KACJ,QACoC;EACpC,MAAM,OAAgC,CAAC;EACvC,IAAI,OAAO,WAAW,KAAA,GAAW,KAAK,SAAS,OAAO;EACtD,IAAI,OAAO,iBAAiB,KAAA,GAC1B,KAAK,eAAe,OAAO;EAC7B,OAAO,KAAK,KACV,OAAO,mBACP,QACA,IACF;CACF;;;;;;;;;;;;CAaA,MAAM,mBACJ,QACkC;EAClC,OAAO,KAAK,KACV,OAAO,mBACP,YACA,CAAC,CACH;CACF;;;;;;;;;;;;;;CAeA,MAAM,OAAO,QAA6D;EACxE,MAAM,OAAgC;GACpC,QAAQ,OAAO;GACf,UAAU,OAAO;GACjB,MAAM,OAAO,QAAQ;EACvB;EACA,IAAI,OAAO,oBAAoB,KAAA,GAC7B,KAAK,kBAAkB,OAAO;EAChC,IAAI,OAAO,iBAAiB,KAAA,GAC1B,KAAK,eAAe,OAAO;EAC7B,IAAI,OAAO,cAAc,KAAA,GACvB,KAAK,YACH,OAAO,cAAc,OAAO,OAAO,OAAO,UAAU,YAAY;EAEpE,OAAO,KAAK,KACV,OAAO,mBACP,UACA,IACF;CACF;;;;;;;;;;;;;CAcA,MAAM,KACJ,QACoC;EACpC,MAAM,OAAgC;GACpC,QAAQ,OAAO;GACf,OAAO,OAAO;EAChB;EACA,IAAI,OAAO,iBAAiB,KAAA,GAC1B,KAAK,eAAe,OAAO;EAC7B,OAAO,KAAK,KACV,OAAO,mBACP,QACA,IACF;CACF;;;;;;;;CASA,MAAM,OACJ,IACA,QAC2B;EAC3B,MAAM,OAAgC,CAAC;EACvC,IAAI,OAAO,SAAS,KAAA,GAAW,KAAK,OAAO,OAAO;EAClD,IAAI,OAAO,cAAc,KAAA,GACvB,KAAK,YACH,OAAO,cAAc,OAAO,OAAO,OAAO,UAAU,YAAY;EAEpE,OAAO,KAAK,KACV,OAAO,mBACP,UAAU,MACV,IACF;CACF;;;;;;;;;CAUA,MAAM,OACJ,IACA,QAC+B;EAC/B,OAAO,KAAK,KACV,OAAO,mBACP,UAAU,MACV,CAAC,CACH;CACF;;CAGA,MAAc,KACZ,mBACA,WACA,MACY;EACZ,IAAI,CAAC,KAAK,QAAQ,eAChB,MAAM,IAAI,mBACR,mEACF;EAGF,MAAM,OAAO,4BAA4B,KAAK,QAAQ,IAAI,GAAG,kBAAkB,GAAG;EAClF,MAAM,UAAU,KAAK,UAAU,IAAI;EACnC,MAAM,QAAQ,gBAAgB;EAC9B,MAAM,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;EAC9C,MAAM,YAAY,KAChB,KAAK,QAAQ,eACb,OACA,WACA,OACF;EAEA,OAAO,KAAK,KAAK,QAAW,MAAM;GAChC,QAAQ;GACR,MAAM;GACN,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,SAAS;IAClC,kBAAkB;GACpB;EACF,CAAC;CACH;AACF;;;ACjPA,MAAM,oBAAoB,IAAI;AAC9B,MAAM,yBAAyB;AAC/B,MAAM,mBAAmB;;;;;;;;;AAUzB,SAAgB,kBACd,QACA,QACkB;CAClB,IAAI,CAAC,QACH,MAAM,IAAI,mBACR,iEACF;CAGF,MAAM,OACJ,OAAO,OAAO,YAAY,WACtB,OAAO,UACP,OAAO,QAAQ,SAAS,OAAO;CAMrC,KAHE,OAAO,OAAO,YAAY,WACtB,OAAO,WAAW,OAAO,SAAS,OAAO,IACzC,OAAO,QAAQ,UACJ,mBACf,MAAM,IAAI,uBACR,qBACA,mBAAmB,kBAAkB,OACvC;CAGF,MAAM,kBAAkB,WAAW,OAAO,SAAS,wBAAwB;CAC3E,MAAM,kBAAkB,WAAW,OAAO,SAAS,wBAAwB;CAE3E,IAAI,CAAC,iBAAiB,WAAW,gBAAgB,GAC/C,MAAM,IAAI,uBACR,4BACA,oDAAoD,iBAAiB,EACvE;CAEF,MAAM,cAAc,gBACjB,MAAM,CAAuB,CAAC,CAC9B,YAAY;CACf,IAAI,CAAC,cAAc,KAAK,WAAW,GACjC,MAAM,IAAI,uBACR,4BACA,+BACF;CAGF,IAAI,CAAC,iBACH,MAAM,IAAI,uBACR,qBACA,2CACF;CAEF,MAAM,YAAY,OAAO,SAAS,iBAAiB,EAAE;CACrD,IACE,CAAC,OAAO,SAAS,SAAS,KAC1B,OAAO,SAAS,MAAM,gBAAgB,KAAK,GAE3C,MAAM,IAAI,uBACR,qBACA,4DACF;CAEF,MAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;CACxC,IAAI,KAAK,IAAI,MAAM,SAAS,IAAI,wBAC9B,MAAM,IAAI,uBACR,2BACA,kBAAkB,KAAK,IAAI,MAAM,SAAS,EAAE,YAAY,uBAAuB,YACjF;CAGF,MAAM,eAAA,GAAA,YAAA,WAAA,CAAyB,UAAU,MAAM,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,KAAK;CAC1E,MAAM,cAAc,OAAO,KAAK,aAAa,KAAK;CAClD,MAAM,cAAc,OAAO,KAAK,aAAa,KAAK;CAClD,IACE,YAAY,WAAW,YAAY,UACnC,EAAA,GAAA,YAAA,gBAAA,CAAiB,aAAa,WAAW,GAEzC,MAAM,IAAI,uBACR,qBACA,yBACF;CAGF,IAAI;CACJ,IAAI;EACF,SAAS,KAAK,MAAM,IAAI;CAC1B,QAAQ;EACN,MAAM,IAAI,uBACR,qBACA,2BACF;CACF;CAEA,OAAO,gBAAgB,MAAM;AAC/B;AAEA,SAAS,WACP,SACA,MACoB;CAEpB,MAAM,UAAU,KAAK,YAAY;CACjC,KAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,OAAO,GACzC,IAAI,EAAE,YAAY,MAAM,WAAW,OAAO,MAAM,YAAY,EAAE,SAAS,GACrE,OAAO;AAIb;AAEA,SAAS,gBAAgB,KAAgC;CACvD,IAAI,CAAC,OAAO,OAAO,QAAQ,UACzB,MAAM,IAAI,uBACR,qBACA,+BACF;CAEF,MAAM,MAAM;CACZ,IAAI,IAAI,UAAU,wBAChB,MAAM,IAAI,uBACR,qBACA,qBAAqB,OAAO,IAAI,KAAK,EAAE,EACzC;CAEF,IAAI,IAAI,SAAS,eAAe,IAAI,SAAS,aAC3C,MAAM,IAAI,uBACR,qBACA,2CACF;CAEF,KAAK,MAAM,OAAO;EAChB;EACA;EACA;EACA;EACA;CACF,GACE,IAAI,OAAO,IAAI,SAAS,YAAa,IAAI,IAAI,CAAY,WAAW,GAClE,MAAM,IAAI,uBACR,qBACA,IAAI,IAAI,6BACV;CAGJ,IAAI,IAAI,WAAW,KAAA,KAAa,OAAO,IAAI,WAAW,UACpD,MAAM,IAAI,uBACR,qBACA,wCACF;CAGF,MAAM,QAA0B;EAC9B,OAAO;EACP,MAAM,IAAI;EACV,YAAY,IAAI;EAChB,eAAe,IAAI;EACnB,WAAW,IAAI;EACf,aAAa,IAAI;EACjB,SAAS,IAAI;CACf;CACA,IAAI,OAAO,IAAI,WAAW,UACxB,MAAM,SAAS,IAAI;CAErB,OAAO;AACT;;;ACjKA,IAAa,iBAAb,MAA4B;CAC1B;CACA;CAEA,YAAY,SAA0B,MAAkB;EACtD,KAAK,UAAU;EACf,KAAK,OAAO;CACd;;;;;;;;;CAUA,MAAM,KAAK,QAAqD;EAC9D,IAAI,CAAC,KAAK,QAAQ,eAChB,MAAM,IAAI,mBACR,kDACF;EAGF,MAAM,OAAO,qBAAqB,KAAK,QAAQ,IAAI,GAAG,OAAO;EAC7D,MAAM,OAAO,KAAK,UAAU,OAAO,OAAO;EAC1C,MAAM,QAAQ,gBAAgB;EAC9B,MAAM,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;EAC9C,MAAM,YAAY,KAAK,KAAK,QAAQ,eAAe,OAAO,WAAW,IAAI;EAEzE,OAAO,KAAK,KAAK,QAAyB,MAAM;GAC9C,QAAQ;GACR;GACA,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,SAAS;IAClC,kBAAkB;GACpB;EACF,CAAC;CACH;;;;;;;CAQA,OAAO,QAAsC;EAC3C,IAAI,CAAC,KAAK,QAAQ,eAChB,MAAM,IAAI,mBACR,oDACF;EAGF,OAAOC,OACL,KAAK,QAAQ,eACb,OAAO,SACP,OAAO,OACT;CACF;;;;;;;;CASA,cAAc,QAAmC;EAC/C,IAAI,CAAC,KAAK,OAAO,MAAM,GACrB,MAAM,IAAI,sBAAsB,2BAA2B;CAE/D;;;;;;;;;;CAWA,eAAe,QAAoD;EACjE,KAAK,cAAc,MAAM;EACzB,MAAM,OACJ,OAAO,OAAO,YAAY,WACtB,OAAO,UACP,OAAO,QAAQ,SAAS,OAAO;EACrC,IAAI;GACF,OAAO,KAAK,MAAM,IAAI;EACxB,QAAQ;GACN,MAAM,IAAI,gBAAgB,mCAAmC;EAC/D;CACF;;;;;;;;;;CAWA,kBAAkB,QAAmD;EACnE,OAAOC,kBAAsB,KAAK,QAAQ,eAAe,MAAM;CACjE;AACF;;;;;;;;;;;;;;;;;;ACpGA,IAAa,aAAb,MAAwB;;CAEtB;;CAEA;;CAEA;;CAEA;;;;;CAMA,YAAY,UAA6B,CAAC,GAAG;EAC3C,MAAM,WAAW,eAAe,OAAO;EACvC,MAAM,OAAO,IAAI,WAAW,QAAQ;EACpC,KAAK,WAAW,IAAI,eAAe,UAAU,IAAI;EACjD,KAAK,UAAU,IAAI,cAAc,UAAU,IAAI;EAC/C,KAAK,gBAAgB,IAAI,oBAAoB,UAAU,IAAI;EAC3D,KAAK,WAAW,IAAI,eAAe,QAAQ;CAC7C;AACF;AAEA,SAAS,eAAe,SAA6C;CACnE,MAAM,WAAW,QAAQ,WAAW,0BAAA,CAA2B,QAC7D,QACA,EACF;CACA,MAAM,UAAU,QAAQ,WAAW;CACnC,MAAM,MAAM,QAAQ,OAAO;CAE3B,IAAI,WAAW,KAAK,CAAC,OAAO,SAAS,OAAO,GAC1C,MAAM,IAAI,mBAAmB,mCAAmC;CAGlE,IACE,QAAQ,kBAAkB,KAAA,KAC1B,CAAC,QAAQ,cAAc,WAAW,QAAQ,GAE1C,MAAM,IAAI,mBAAmB,0CAAwC;CAGvE,OAAO;EACL;EACA;EACA;EACA,eAAe,QAAQ;EACvB,QAAQ,QAAQ;EAChB,YAAY,kBAAkB,QAAQ,UAAU;EAChD,WAAW,QAAQ;EACnB,YAAY,QAAQ;CACtB;AACF;AAEA,SAAS,kBACP,SACuC;CACvC,IAAI,CAAC,SAAS,OAAO,KAAA;CAErB,IAAI,OAAO,QAAQ,YAAY,YAAY,QAAQ,QAAQ,WAAW,GACpE,MAAM,IAAI,mBAAmB,gCAAgC;CAE/D,IAAI;EAEF,IAAI,IAAI,QAAQ,OAAO;CACzB,QAAQ;EACN,MAAM,IAAI,mBAAmB,wCAAwC;CACvE;CACA,IAAI,OAAO,QAAQ,WAAW,YAAY,QAAQ,OAAO,WAAW,GAClE,MAAM,IAAI,mBAAmB,+BAA+B;CAE9D,IAAI,OAAO,QAAQ,aAAa,YAAY,QAAQ,SAAS,WAAW,GACtE,MAAM,IAAI,mBAAmB,iCAAiC;CAEhE,IACE,OAAO,QAAQ,wBAAwB,YACvC,QAAQ,oBAAoB,WAAW,GAEvC,MAAM,IAAI,mBAAmB,4CAA4C;CAG3E,MAAM,iBAAiB,QAAQ,kBAAkB;CACjD,MAAM,oBAAoB,QAAQ,qBAAqB;CACvD,IAAI,qBAAqB,KAAK,CAAC,OAAO,SAAS,iBAAiB,GAC9D,MAAM,IAAI,mBACR,wDACF;CAGF,OAAO;EACL,SAAS,QAAQ;EACjB,QAAQ,QAAQ;EAChB,UAAU,QAAQ;EAClB,qBAAqB,QAAQ;EAC7B;EACA;CACF;AACF;;;;ACmCA,MAAa,qBAAiD;CAC5D;CACA;CACA;CACA;CACA;CACA;AACF"}
1
+ {"version":3,"file":"index.cjs","names":["SIGNATURE_PREFIX","joseErrors","verifySig","verifyKeyRotationImpl"],"sources":["../src/errors.ts","../src/utils.ts","../src/webhooks/signing.ts","../src/actions/client.ts","../src/http.ts","../src/partners/client.ts","../src/userApprovals/client.ts","../src/webhooks/keyRotation.ts","../src/webhooks/client.ts","../src/client.ts","../src/types.ts","../src/webhooks/ingestSigning.ts"],"sourcesContent":["/**\n * Base error class for all SDK errors. Catch this to handle any error\n * thrown by the AgentPress SDK regardless of specific type.\n */\nexport class AgentPressError extends Error {\n constructor(message: string) {\n super(message);\n this.name = \"AgentPressError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/**\n * Thrown at construction time when `AgentPressOptions` contains invalid values\n * (e.g., non-positive timeout, malformed `webhookSecret`).\n */\nexport class ConfigurationError extends AgentPressError {\n constructor(message: string) {\n super(message);\n this.name = \"ConfigurationError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/**\n * Thrown when the API returns a non-2xx HTTP response.\n *\n * Properties:\n * - `statusCode` - HTTP status code (e.g., 401, 404, 500)\n * - `responseBody` - Raw response body text for debugging\n * - `url` - The full request URL that failed\n */\nexport class HttpError extends AgentPressError {\n public readonly statusCode: number;\n public readonly responseBody: string;\n public readonly url: string;\n\n constructor(statusCode: number, responseBody: string, url: string) {\n super(`HTTP ${statusCode} from ${url}`);\n this.name = \"HttpError\";\n this.statusCode = statusCode;\n this.responseBody = responseBody;\n this.url = url;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/** Thrown when a request exceeds the configured `timeout` (default 30s). */\nexport class TimeoutError extends AgentPressError {\n constructor(url: string, timeout: number) {\n super(`Request to ${url} timed out after ${timeout}ms`);\n this.name = \"TimeoutError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/** Thrown by {@link WebhooksClient.verifyOrThrow} when an inbound webhook signature is invalid or expired. */\nexport class WebhookSignatureError extends AgentPressError {\n constructor(message: string) {\n super(message);\n this.name = \"WebhookSignatureError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/** Reason codes for {@link PartnerTokenError}. Maps 1:1 to RFC 6750 `error_description` values. */\nexport type PartnerTokenErrorReason =\n | \"signature_invalid\"\n | \"issuer_mismatch\"\n | \"audience_mismatch\"\n | \"expired\"\n | \"not_yet_valid\"\n | \"missing_claim\"\n | \"ext_provider_mismatch\"\n | \"algorithm_not_allowed\"\n | \"kid_missing_or_unknown\"\n | \"malformed\";\n\n/**\n * Thrown by {@link PartnersClient.verifyToken} when a Partner MCP Spec v1 JWT\n * fails verification. Partners map `reason` to their RFC 6750 `WWW-Authenticate`\n * response (`401 invalid_token` for all reasons in this class).\n */\nexport class PartnerTokenError extends AgentPressError {\n public readonly reason: PartnerTokenErrorReason;\n\n constructor(reason: PartnerTokenErrorReason, message: string) {\n super(message);\n this.name = \"PartnerTokenError\";\n this.reason = reason;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/** Reason codes for {@link KeyRotationVerifyError}. */\nexport type KeyRotationVerifyErrorReason =\n | \"invalid_signature\"\n | \"invalid_signature_format\"\n | \"timestamp_out_of_window\"\n | \"invalid_timestamp\"\n | \"payload_too_large\"\n | \"malformed_payload\";\n\n/**\n * Thrown by {@link WebhooksClient.verifyKeyRotation} when a `signing_key_rotation`\n * webhook fails HMAC / timestamp / payload validation.\n */\nexport class KeyRotationVerifyError extends AgentPressError {\n public readonly reason: KeyRotationVerifyErrorReason;\n\n constructor(reason: KeyRotationVerifyErrorReason, message: string) {\n super(message);\n this.name = \"KeyRotationVerifyError\";\n this.reason = reason;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n","import { randomUUID } from \"node:crypto\";\n\nexport function randomMessageId(): string {\n return `msg_${randomUUID()}`;\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nconst SIGNATURE_PREFIX = \"v1,\";\nconst DEFAULT_TOLERANCE_SECONDS = 5 * 60; // 5 minutes\n\n/**\n * Sign a webhook payload using Svix-compatible HMAC-SHA256.\n *\n * @param secret - The webhook secret (with \"whsec_\" prefix)\n * @param msgId - Unique message ID (e.g., \"msg_<uuid>\")\n * @param timestamp - Unix timestamp in seconds\n * @param body - JSON stringified payload\n * @returns Signature string in format \"v1,<base64>\"\n */\nexport function sign(\n secret: string,\n msgId: string,\n timestamp: number,\n body: string,\n): string {\n const secretBytes = Buffer.from(secret.replace(/^whsec_/, \"\"), \"base64\");\n const message = `${msgId}.${timestamp}.${body}`;\n const signature = createHmac(\"sha256\", secretBytes)\n .update(message)\n .digest(\"base64\");\n return `${SIGNATURE_PREFIX}${signature}`;\n}\n\n/**\n * Verify a Svix webhook signature.\n *\n * @param secret - The webhook secret (with \"whsec_\" prefix)\n * @param payload - Raw request body (string or Buffer)\n * @param headers - Svix headers object\n * @param toleranceSeconds - Max age of signature in seconds (default: 5 min)\n * @returns true if valid, false if invalid or expired\n */\nexport function verify(\n secret: string,\n payload: string | Buffer,\n headers: {\n \"svix-id\": string;\n \"svix-timestamp\": string;\n \"svix-signature\": string;\n },\n toleranceSeconds: number = DEFAULT_TOLERANCE_SECONDS,\n): boolean {\n const msgId = headers[\"svix-id\"];\n const timestampStr = headers[\"svix-timestamp\"];\n const signatureHeader = headers[\"svix-signature\"];\n\n const timestamp = parseInt(timestampStr, 10);\n if (Number.isNaN(timestamp)) return false;\n\n const now = Math.floor(Date.now() / 1000);\n if (Math.abs(now - timestamp) > toleranceSeconds) return false;\n\n const body =\n typeof payload === \"string\" ? payload : payload.toString(\"utf-8\");\n const expected = sign(secret, msgId, timestamp, body);\n\n const signatures = signatureHeader.split(\" \");\n const expectedBuf = Buffer.from(expected);\n\n for (const sig of signatures) {\n const sigBuf = Buffer.from(sig);\n if (\n sigBuf.length === expectedBuf.length &&\n timingSafeEqual(sigBuf, expectedBuf)\n ) {\n return true;\n }\n }\n\n return false;\n}\n","import { ConfigurationError } from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n ActionManageResponse,\n ApproveActionParams,\n RejectActionParams,\n ResolvedOptions,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { sign } from \"../webhooks/signing\";\n\n/**\n * Client for programmatically approving or rejecting staged actions.\n * Uses HMAC-SHA256 signing (Svix-compatible), identical to {@link WebhooksClient}.\n *\n * @example\n * ```ts\n * const client = new AgentPress({ webhookSecret: \"whsec_...\", org: \"my-org\" });\n *\n * // Approve a staged action\n * await client.actions.approve(\"act_123\", {\n * action: \"my_webhook_action\",\n * });\n *\n * // Reject with a reason\n * await client.actions.reject(\"act_456\", {\n * action: \"my_webhook_action\",\n * reason: \"Insufficient data\",\n * });\n * ```\n */\nexport class ActionsClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /**\n * Approve a staged action, optionally modifying the tool call.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n */\n async approve(\n actionId: string,\n params: ApproveActionParams,\n ): Promise<ActionManageResponse> {\n const body: Record<string, unknown> = {};\n if (params.editedToolCall !== undefined) {\n body.editedToolCall = params.editedToolCall;\n }\n if (params.remember !== undefined) {\n body.remember = params.remember;\n }\n return this.manage(actionId, params.action, \"approve\", body);\n }\n\n /**\n * Reject a staged action.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n */\n async reject(\n actionId: string,\n params: RejectActionParams,\n ): Promise<ActionManageResponse> {\n return this.manage(actionId, params.action, \"reject\", {\n reason: params.reason,\n });\n }\n\n private async manage(\n actionId: string,\n webhookAction: string,\n operation: \"approve\" | \"reject\",\n body: Record<string, unknown>,\n ): Promise<ActionManageResponse> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for action management operations\",\n );\n }\n\n const path = `/webhooks/actions/${this.options.org}/${webhookAction}/manage/${actionId}/${operation}`;\n const bodyStr = JSON.stringify(body);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(\n this.options.webhookSecret,\n msgId,\n timestamp,\n bodyStr,\n );\n\n return this.http.request<ActionManageResponse>(path, {\n method: \"POST\",\n body: bodyStr,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n}\n","import { AgentPressError, HttpError, TimeoutError } from \"./errors\";\nimport type { ResolvedOptions } from \"./types\";\n\n/**\n * Internal shared HTTP client. Not part of the public API -- used by\n * namespace clients (e.g., `WebhooksClient`) to make authenticated requests.\n * @internal\n */\nexport class HttpClient {\n private readonly baseUrl: string;\n private readonly timeout: number;\n private readonly onRequest?: ResolvedOptions[\"onRequest\"];\n private readonly onResponse?: ResolvedOptions[\"onResponse\"];\n\n constructor(options: ResolvedOptions) {\n this.baseUrl = options.baseUrl;\n this.timeout = options.timeout;\n this.onRequest = options.onRequest;\n this.onResponse = options.onResponse;\n }\n\n /**\n * Send an HTTP request to the API. Constructs the full URL from `baseUrl` + `path`,\n * applies the configured timeout via `AbortSignal`, fires `onRequest`/`onResponse`\n * hooks, and parses the JSON response.\n *\n * @throws {TimeoutError} If the request exceeds the configured timeout.\n * @throws {HttpError} If the API returns a non-2xx status code.\n * @throws {AgentPressError} On network failures or non-JSON responses.\n */\n async request<T>(path: string, init: RequestInit): Promise<T> {\n const url = `${this.baseUrl}${path}`;\n\n const headers = new Headers(init.headers);\n if (!headers.has(\"Content-Type\")) {\n headers.set(\"Content-Type\", \"application/json\");\n }\n\n const requestInit: RequestInit = {\n ...init,\n headers,\n signal: AbortSignal.timeout(this.timeout),\n };\n\n this.onRequest?.(url, requestInit);\n\n let response: Response;\n try {\n response = await fetch(url, requestInit);\n } catch (error: unknown) {\n if (\n error instanceof Error &&\n (error.name === \"TimeoutError\" || error.name === \"AbortError\")\n ) {\n throw new TimeoutError(url, this.timeout);\n }\n const message =\n error instanceof Error ? error.message : \"Unknown fetch error\";\n throw new AgentPressError(`Request to ${url} failed: ${message}`);\n }\n\n this.onResponse?.(url, response.clone());\n\n const text = await response.text();\n\n if (!response.ok) {\n throw new HttpError(response.status, text, url);\n }\n\n try {\n return JSON.parse(text) as T;\n } catch {\n throw new AgentPressError(\n `Expected JSON response from ${url} but received: ${text.slice(0, 200)}`,\n );\n }\n }\n}\n","import {\n createRemoteJWKSet,\n type JWTVerifyGetKey,\n errors as joseErrors,\n jwtVerify,\n} from \"jose\";\n\nimport { ConfigurationError, PartnerTokenError } from \"../errors\";\nimport type {\n PartnerTokenClaims,\n ResolvedOptions,\n ResolvedPartnerMcpOptions,\n} from \"../types\";\n\nconst ALGORITHMS = [\"EdDSA\"] as const;\n\ntype RemoteJwks = ReturnType<typeof createRemoteJWKSet>;\n\n/**\n * Client for Partner MCP Spec v1 helpers. Created automatically when\n * {@link AgentPressOptions.partnerMcp} is provided.\n *\n * State (JWKS cache) is per-instance, NOT module-global, so staging and\n * production clients can run side-by-side without cross-talk.\n */\nexport class PartnersClient {\n private readonly options: ResolvedOptions;\n private readonly partnerMcp: ResolvedPartnerMcpOptions | undefined;\n private jwks: RemoteJwks | null = null;\n private jwksKeyFn: JWTVerifyGetKey | null = null;\n\n constructor(options: ResolvedOptions) {\n this.options = options;\n this.partnerMcp = options.partnerMcp;\n }\n\n /**\n * Verify an inbound Partner MCP Spec v1 JWT against AgentPress's JWKS.\n *\n * Enforces the full spec: `algorithms: [\"EdDSA\"]` pinned; `iss`, `aud`,\n * `ext_provider` validated; `sub`, `jti`, `scope` required and non-empty;\n * `kid` header required; `exp` / `iat` validated with ±30s skew (configurable).\n *\n * @param token - Bare JWT string (no `Bearer ` prefix).\n * @returns Typed {@link PartnerTokenClaims}.\n * @throws {PartnerTokenError} with a typed `reason` for RFC 6750 mapping.\n * @throws {ConfigurationError} if `partnerMcp` is not configured.\n */\n async verifyToken(token: string): Promise<PartnerTokenClaims> {\n const cfg = this.requireConfig();\n const jwks = this.getJwks();\n\n let payload: Record<string, unknown>;\n let protectedHeader: { alg?: string; kid?: string; typ?: string };\n\n try {\n const result = await jwtVerify(token, jwks, {\n algorithms: [...ALGORITHMS],\n issuer: cfg.issuer,\n audience: cfg.audience,\n clockTolerance: cfg.clockTolerance,\n });\n payload = result.payload as Record<string, unknown>;\n protectedHeader = result.protectedHeader as {\n alg?: string;\n kid?: string;\n typ?: string;\n };\n } catch (err) {\n throw mapJoseError(err);\n }\n\n // kid header required by spec. jose does not enforce this on its own\n // when the key is resolvable — we enforce it explicitly so forged\n // tokens that elide the kid header can't slip through on a single-key\n // JWKS.\n if (!protectedHeader.kid || typeof protectedHeader.kid !== \"string\") {\n throw new PartnerTokenError(\n \"kid_missing_or_unknown\",\n \"JWT header missing required 'kid'\",\n );\n }\n\n const claims = payload as PartnerTokenClaims & Record<string, unknown>;\n\n // jose's jwtVerify checks `exp` (with clockTolerance) but not `iat`\n // future-time unless `maxTokenAge` is set. The spec requires both sides\n // of the skew window, so enforce the future-iat check explicitly.\n if (typeof claims.iat !== \"number\" || !Number.isFinite(claims.iat)) {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'iat' claim must be a number\",\n );\n }\n const toleranceSeconds = toSeconds(cfg.clockTolerance);\n const nowSec = Math.floor(Date.now() / 1000);\n if (claims.iat - nowSec > toleranceSeconds) {\n throw new PartnerTokenError(\n \"not_yet_valid\",\n `'iat' is ${claims.iat - nowSec}s in the future, beyond ${toleranceSeconds}s tolerance`,\n );\n }\n\n if (typeof claims.sub !== \"string\" || claims.sub.length === 0) {\n throw new PartnerTokenError(\"missing_claim\", \"'sub' claim is required\");\n }\n if (typeof claims.jti !== \"string\" || claims.jti.length === 0) {\n throw new PartnerTokenError(\"missing_claim\", \"'jti' claim is required\");\n }\n if (typeof claims.scope !== \"string\") {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'scope' claim must be a string\",\n );\n }\n if (\n typeof claims.ext_provider !== \"string\" ||\n claims.ext_provider.length === 0\n ) {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'ext_provider' claim is required\",\n );\n }\n if (claims.ext_provider !== cfg.expectedExtProvider) {\n throw new PartnerTokenError(\n \"ext_provider_mismatch\",\n `ext_provider '${claims.ext_provider}' does not match expected '${cfg.expectedExtProvider}'`,\n );\n }\n\n return claims;\n }\n\n /**\n * Force the JWKS cache to refetch immediately. Call this from your\n * `signing_key_rotation` webhook handler after verifying the webhook —\n * otherwise the cache picks up new keys on the next `kid` miss (which\n * works, but with one failed verify latency penalty).\n */\n async refreshJwks(): Promise<void> {\n const jwks = this.getJwks();\n // jose's RemoteJWKSet exposes `.reload()` for exactly this use case.\n const anyJwks = jwks as unknown as { reload?: () => Promise<void> };\n if (typeof anyJwks.reload === \"function\") {\n await anyJwks.reload();\n }\n }\n\n private requireConfig(): ResolvedPartnerMcpOptions {\n if (!this.partnerMcp) {\n throw new ConfigurationError(\n \"partnerMcp options are required for partner token operations\",\n );\n }\n return this.partnerMcp;\n }\n\n private getJwks(): RemoteJwks {\n const cfg = this.requireConfig();\n if (!this.jwks) {\n this.jwks = createRemoteJWKSet(new URL(cfg.jwksUrl), {\n cacheMaxAge: cfg.jwksCacheMaxAgeMs,\n cooldownDuration: 30_000,\n });\n this.jwksKeyFn = this.jwks as unknown as JWTVerifyGetKey;\n }\n return this.jwks;\n }\n}\n\nfunction toSeconds(tolerance: string | number): number {\n if (typeof tolerance === \"number\") return tolerance;\n const match = tolerance.trim().match(/^(\\d+)\\s*(s|m|h)$/i);\n if (!match) return 30;\n const n = Number.parseInt(match[1] as string, 10);\n const unit = (match[2] as string).toLowerCase();\n if (unit === \"s\") return n;\n if (unit === \"m\") return n * 60;\n if (unit === \"h\") return n * 3600;\n return 30;\n}\n\nfunction mapJoseError(err: unknown): PartnerTokenError {\n if (err instanceof PartnerTokenError) return err;\n\n if (err instanceof joseErrors.JWSSignatureVerificationFailed) {\n return new PartnerTokenError(\n \"signature_invalid\",\n \"JWT signature verification failed\",\n );\n }\n if (err instanceof joseErrors.JWKSNoMatchingKey) {\n return new PartnerTokenError(\n \"kid_missing_or_unknown\",\n \"No JWKS key matches the JWT 'kid' header\",\n );\n }\n if (err instanceof joseErrors.JOSEAlgNotAllowed) {\n return new PartnerTokenError(\n \"algorithm_not_allowed\",\n \"JWT 'alg' is not EdDSA\",\n );\n }\n if (err instanceof joseErrors.JWTExpired) {\n return new PartnerTokenError(\"expired\", \"JWT has expired\");\n }\n if (err instanceof joseErrors.JWTClaimValidationFailed) {\n const claim = (err as { claim?: string }).claim;\n if (claim === \"iss\") {\n return new PartnerTokenError(\n \"issuer_mismatch\",\n \"JWT 'iss' does not match expected issuer\",\n );\n }\n if (claim === \"aud\") {\n return new PartnerTokenError(\n \"audience_mismatch\",\n \"JWT 'aud' does not match expected audience\",\n );\n }\n if (claim === \"iat\") {\n return new PartnerTokenError(\n \"not_yet_valid\",\n \"JWT 'iat' is in the future beyond clock tolerance\",\n );\n }\n return new PartnerTokenError(\n \"missing_claim\",\n err.message || \"Claim validation failed\",\n );\n }\n if (\n err instanceof joseErrors.JWTInvalid ||\n err instanceof joseErrors.JWSInvalid\n ) {\n return new PartnerTokenError(\"malformed\", err.message || \"Malformed JWT\");\n }\n if (err instanceof Error) {\n return new PartnerTokenError(\"malformed\", err.message);\n }\n return new PartnerTokenError(\"malformed\", String(err));\n}\n","import { ConfigurationError } from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n CreateUserApprovalParams,\n DeleteUserApprovalParams,\n GetUserApprovalWebhookMetadataParams,\n ListUserApprovalsParams,\n ListUserApprovalsResponse,\n ResolvedOptions,\n SyncUserApprovalsParams,\n SyncUserApprovalsResponse,\n UpdateUserApprovalParams,\n UserToolApproval,\n WebhookApprovalMetadata,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { sign } from \"../webhooks/signing\";\n\n/**\n * Client for managing per-user auto-approval rules — the SDK equivalent of the\n * console's `/account/auto-approvals` settings page. Uses HMAC-SHA256 signing\n * (Svix-compatible), identical to {@link ActionsClient.manage}.\n *\n * Each call is scoped to a single webhook (identified by `webhookIdentifier`),\n * which both selects the signing secret and scopes which approvals are visible.\n *\n * @example\n * ```ts\n * const client = new AgentPress({ webhookSecret: \"whsec_...\", org: \"my-org\" });\n *\n * const metadata = await client.userApprovals.getWebhookMetadata({\n * webhookIdentifier: \"reviews\",\n * });\n * const selectedTool = getSelectedToolFromYourUi(metadata.availableTools);\n *\n * // Provision consent so future selectedTool triggers skip the approval prompt\n * await client.userApprovals.create({\n * webhookIdentifier: metadata.webhookIdentifier,\n * userId: \"user-uuid\",\n * toolName: selectedTool.toolName,\n * mode: \"always_allow\",\n * });\n *\n * // List rules (optionally filtered by userId)\n * const { approvals } = await client.userApprovals.list({\n * webhookIdentifier: \"reviews\",\n * });\n *\n * // Revoke\n * await client.userApprovals.delete(approvalId, { webhookIdentifier: \"reviews\" });\n * ```\n */\nexport class UserApprovalsClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /**\n * List auto-approval rules for a webhook. Optionally filter by `userId`.\n * When `userId` is omitted, AgentPress returns all approval rules for the\n * signed webhook. Partner user-settings UIs should usually pass `userId` and\n * `authProvider`.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response. A 422 with\n * `code: \"USER_NOT_PROVISIONED\"` means the external user has not\n * authenticated into AgentPress yet or is not a member of the webhook's org.\n * @throws TimeoutError if request exceeds timeout\n */\n async list(\n params: ListUserApprovalsParams,\n ): Promise<ListUserApprovalsResponse> {\n const body: Record<string, unknown> = {};\n if (params.userId !== undefined) body.userId = params.userId;\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n return this.send<ListUserApprovalsResponse>(\n params.webhookIdentifier,\n \"list\",\n body,\n );\n }\n\n /**\n * Fetch metadata for a webhook plus the ordered tools that its default action\n * rule stages for approval. This is the SDK source of truth for partner\n * settings UIs; `actionWebhookId` in the response can be passed to older\n * AgentPress versions that still require it. Tool order matches the\n * AgentPress approval popup.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n */\n async getWebhookMetadata(\n params: GetUserApprovalWebhookMetadataParams,\n ): Promise<WebhookApprovalMetadata> {\n return this.send<WebhookApprovalMetadata>(\n params.webhookIdentifier,\n \"metadata\",\n {},\n );\n }\n\n /**\n * Create (or upsert) an auto-approval rule. If a rule with the same\n * `(userId, actionWebhookId, toolName)` triple already exists, it is\n * updated in place. `actionWebhookId` is optional for current AgentPress\n * core; the webhook URL scope resolves it from `webhookIdentifier`. Use\n * `toolName` values from `getWebhookMetadata().availableTools`.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response. A 422 with\n * `code: \"USER_NOT_PROVISIONED\"` means the external user has not\n * authenticated into AgentPress yet or is not a member of the webhook's org.\n * @throws TimeoutError if request exceeds timeout\n */\n async create(params: CreateUserApprovalParams): Promise<UserToolApproval> {\n const body: Record<string, unknown> = {\n userId: params.userId,\n toolName: params.toolName,\n mode: params.mode ?? \"always_allow\",\n };\n if (params.actionWebhookId !== undefined)\n body.actionWebhookId = params.actionWebhookId;\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n if (params.expiresAt !== undefined) {\n body.expiresAt =\n params.expiresAt === null ? null : params.expiresAt.toISOString();\n }\n return this.send<UserToolApproval>(\n params.webhookIdentifier,\n \"create\",\n body,\n );\n }\n\n /**\n * Idempotently sync a partner settings UI's Allow/Ask choices for one user\n * and one webhook. `mode: \"ask\"` removes an existing allow rule for that\n * listed tool. Existing `always_deny` rules and non-listed tool rules are\n * preserved.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response. A 422 with\n * `code: \"USER_NOT_PROVISIONED\"` means the external user has not\n * authenticated into AgentPress yet or is not a member of the webhook's org.\n * @throws TimeoutError if request exceeds timeout\n */\n async sync(\n params: SyncUserApprovalsParams,\n ): Promise<SyncUserApprovalsResponse> {\n const body: Record<string, unknown> = {\n userId: params.userId,\n rules: params.rules,\n };\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n return this.send<SyncUserApprovalsResponse>(\n params.webhookIdentifier,\n \"sync\",\n body,\n );\n }\n\n /**\n * Patch an existing auto-approval rule (change mode or expiry).\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response (404 if the rule does not belong to this webhook)\n * @throws TimeoutError if request exceeds timeout\n */\n async update(\n id: string,\n params: UpdateUserApprovalParams,\n ): Promise<UserToolApproval> {\n const body: Record<string, unknown> = {};\n if (params.mode !== undefined) body.mode = params.mode;\n if (params.expiresAt !== undefined) {\n body.expiresAt =\n params.expiresAt === null ? null : params.expiresAt.toISOString();\n }\n return this.send<UserToolApproval>(\n params.webhookIdentifier,\n `update/${id}`,\n body,\n );\n }\n\n /**\n * Revoke an auto-approval rule. Future triggers of the corresponding\n * `(user, webhook, tool)` combination will once again stage for approval.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response (404 if the rule does not belong to this webhook)\n * @throws TimeoutError if request exceeds timeout\n */\n async delete(\n id: string,\n params: DeleteUserApprovalParams,\n ): Promise<{ success: boolean }> {\n return this.send<{ success: boolean }>(\n params.webhookIdentifier,\n `delete/${id}`,\n {},\n );\n }\n\n /** Internal: HMAC-sign and POST the body to the scoped path. */\n private async send<T>(\n webhookIdentifier: string,\n operation: string,\n body: Record<string, unknown>,\n ): Promise<T> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for user approval management operations\",\n );\n }\n\n const path = `/webhooks/user-approvals/${this.options.org}/${webhookIdentifier}/${operation}`;\n const bodyStr = JSON.stringify(body);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(\n this.options.webhookSecret,\n msgId,\n timestamp,\n bodyStr,\n );\n\n return this.http.request<T>(path, {\n method: \"POST\",\n body: bodyStr,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nimport { ConfigurationError, KeyRotationVerifyError } from \"../errors\";\nimport type { KeyRotationEvent, KeyRotationVerifyParams } from \"../types\";\n\nconst MAX_PAYLOAD_BYTES = 8 * 1024; // 8 KB\nconst TIMESTAMP_SKEW_SECONDS = 300; // 5 minutes\nconst SIGNATURE_PREFIX = \"sha256=\";\n\n/**\n * Verify a `signing_key_rotation` webhook signed by AgentPress with\n * HMAC-SHA256 over the raw request body. Returns the typed\n * {@link KeyRotationEvent} payload.\n *\n * @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping.\n * @throws {ConfigurationError} if `webhookSecret` is not configured.\n */\nexport function verifyKeyRotation(\n secret: string | undefined,\n params: KeyRotationVerifyParams,\n): KeyRotationEvent {\n if (!secret) {\n throw new ConfigurationError(\n \"webhookSecret is required for key rotation webhook verification\",\n );\n }\n\n const body =\n typeof params.payload === \"string\"\n ? params.payload\n : params.payload.toString(\"utf-8\");\n\n const byteLength =\n typeof params.payload === \"string\"\n ? Buffer.byteLength(params.payload, \"utf-8\")\n : params.payload.length;\n if (byteLength > MAX_PAYLOAD_BYTES) {\n throw new KeyRotationVerifyError(\n \"payload_too_large\",\n `Payload exceeds ${MAX_PAYLOAD_BYTES} bytes`,\n );\n }\n\n const signatureHeader = readHeader(params.headers, \"x-agentpress-signature\");\n const timestampHeader = readHeader(params.headers, \"x-agentpress-timestamp\");\n\n if (!signatureHeader?.startsWith(SIGNATURE_PREFIX)) {\n throw new KeyRotationVerifyError(\n \"invalid_signature_format\",\n `Signature header missing or does not start with '${SIGNATURE_PREFIX}'`,\n );\n }\n const providedHex = signatureHeader\n .slice(SIGNATURE_PREFIX.length)\n .toLowerCase();\n if (!/^[0-9a-f]+$/.test(providedHex)) {\n throw new KeyRotationVerifyError(\n \"invalid_signature_format\",\n \"Signature is not a hex string\",\n );\n }\n\n if (!timestampHeader) {\n throw new KeyRotationVerifyError(\n \"invalid_timestamp\",\n \"x-agentpress-timestamp header is required\",\n );\n }\n const timestamp = Number.parseInt(timestampHeader, 10);\n if (\n !Number.isFinite(timestamp) ||\n String(timestamp) !== timestampHeader.trim()\n ) {\n throw new KeyRotationVerifyError(\n \"invalid_timestamp\",\n \"x-agentpress-timestamp is not a valid unix seconds integer\",\n );\n }\n const now = Math.floor(Date.now() / 1000);\n if (Math.abs(now - timestamp) > TIMESTAMP_SKEW_SECONDS) {\n throw new KeyRotationVerifyError(\n \"timestamp_out_of_window\",\n `Timestamp skew ${Math.abs(now - timestamp)}s exceeds ${TIMESTAMP_SKEW_SECONDS}s tolerance`,\n );\n }\n\n const expectedHex = createHmac(\"sha256\", secret).update(body).digest(\"hex\");\n const providedBuf = Buffer.from(providedHex, \"hex\");\n const expectedBuf = Buffer.from(expectedHex, \"hex\");\n if (\n providedBuf.length !== expectedBuf.length ||\n !timingSafeEqual(providedBuf, expectedBuf)\n ) {\n throw new KeyRotationVerifyError(\n \"invalid_signature\",\n \"HMAC signature mismatch\",\n );\n }\n\n let parsed: unknown;\n try {\n parsed = JSON.parse(body);\n } catch {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"Payload is not valid JSON\",\n );\n }\n\n return validatePayload(parsed);\n}\n\nfunction readHeader(\n headers: Record<string, string | undefined>,\n name: string,\n): string | undefined {\n // Headers are case-insensitive; normalize without mutating the caller's object.\n const lowered = name.toLowerCase();\n for (const [k, v] of Object.entries(headers)) {\n if (k.toLowerCase() === lowered && typeof v === \"string\" && v.length > 0) {\n return v;\n }\n }\n return undefined;\n}\n\nfunction validatePayload(raw: unknown): KeyRotationEvent {\n if (!raw || typeof raw !== \"object\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"Payload must be a JSON object\",\n );\n }\n const obj = raw as Record<string, unknown>;\n if (obj.event !== \"signing_key_rotation\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n `Unexpected event '${String(obj.event)}'`,\n );\n }\n if (obj.type !== \"scheduled\" && obj.type !== \"emergency\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"'type' must be 'scheduled' or 'emergency'\",\n );\n }\n for (const key of [\n \"retiredKid\",\n \"newCurrentKid\",\n \"retiredAt\",\n \"effectiveAt\",\n \"jwksUrl\",\n ]) {\n if (typeof obj[key] !== \"string\" || (obj[key] as string).length === 0) {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n `'${key}' must be a non-empty string`,\n );\n }\n }\n if (obj.reason !== undefined && typeof obj.reason !== \"string\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"'reason' must be a string when present\",\n );\n }\n\n const event: KeyRotationEvent = {\n event: \"signing_key_rotation\",\n type: obj.type as \"scheduled\" | \"emergency\",\n retiredKid: obj.retiredKid as string,\n newCurrentKid: obj.newCurrentKid as string,\n retiredAt: obj.retiredAt as string,\n effectiveAt: obj.effectiveAt as string,\n jwksUrl: obj.jwksUrl as string,\n };\n if (typeof obj.reason === \"string\") {\n event.reason = obj.reason;\n }\n return event;\n}\n","import {\n AgentPressError,\n ConfigurationError,\n WebhookSignatureError,\n} from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n ActionCallbackPayload,\n KeyRotationEvent,\n KeyRotationVerifyParams,\n ResolvedOptions,\n WebhookResponse,\n WebhookSendParams,\n WebhookVerifyParams,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { verifyKeyRotation as verifyKeyRotationImpl } from \"./keyRotation\";\nimport { sign, verify as verifySig } from \"./signing\";\n\nexport class WebhooksClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /**\n * Send an arbitrary webhook payload to AgentPress.\n * Signs the payload with HMAC-SHA256 (Svix-compatible).\n *\n * On the happy path the response is synchronous: `{ success: true,\n * actionId, data }`, or `{ success, actionId, alreadyExists: true, data }`\n * when an action with the same `externalId` already existed (idempotency).\n *\n * Configuration/resolution failures (no action rule configured, rule\n * disabled, user unresolved, action insert failure) do NOT throw — the\n * event is buffered durably and AgentPress responds **202** with\n * `{ success: true, buffered: true, eventId, reason }`. The event\n * auto-processes once an operator fixes the configuration, so check\n * {@link WebhookResponse.buffered} before relying on `actionId`.\n *\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n */\n async send(params: WebhookSendParams): Promise<WebhookResponse> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for webhook operations\",\n );\n }\n\n const path = `/webhooks/actions/${this.options.org}/${params.action}`;\n const body = JSON.stringify(params.payload);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(this.options.webhookSecret, msgId, timestamp, body);\n\n return this.http.request<WebhookResponse>(path, {\n method: \"POST\",\n body,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n\n /**\n * Verify an inbound Svix webhook signature.\n *\n * @returns true if valid, false if invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n */\n verify(params: WebhookVerifyParams): boolean {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for webhook verification\",\n );\n }\n\n return verifySig(\n this.options.webhookSecret,\n params.payload,\n params.headers,\n );\n }\n\n /**\n * Verify an inbound Svix webhook signature, throwing on failure.\n * Useful for middleware patterns where invalid signatures should halt processing.\n *\n * @throws WebhookSignatureError if signature is invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n */\n verifyOrThrow(params: WebhookVerifyParams): void {\n if (!this.verify(params)) {\n throw new WebhookSignatureError(\"Invalid webhook signature\");\n }\n }\n\n /**\n * Verify and parse an inbound webhook from AgentPress.\n * Combines signature verification with JSON parsing and type casting.\n * This is the recommended way to handle incoming webhooks.\n *\n * @throws WebhookSignatureError if signature is invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws AgentPressError if payload is not valid JSON\n */\n constructEvent(params: WebhookVerifyParams): ActionCallbackPayload {\n this.verifyOrThrow(params);\n const body =\n typeof params.payload === \"string\"\n ? params.payload\n : params.payload.toString(\"utf-8\");\n try {\n return JSON.parse(body) as ActionCallbackPayload;\n } catch {\n throw new AgentPressError(\"Webhook payload is not valid JSON\");\n }\n }\n\n /**\n * Verify an inbound `signing_key_rotation` webhook (HMAC-SHA256 + timestamp\n * + typed payload) from AgentPress. See the Partner MCP Spec v1 for the\n * full contract.\n *\n * @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping\n * (401 for signature errors, 400 for malformed payload, 413 for oversize).\n * @throws {ConfigurationError} if `webhookSecret` is not configured.\n */\n verifyKeyRotation(params: KeyRotationVerifyParams): KeyRotationEvent {\n return verifyKeyRotationImpl(this.options.webhookSecret, params);\n }\n}\n","import { ActionsClient } from \"./actions/client\";\nimport { ConfigurationError } from \"./errors\";\nimport { HttpClient } from \"./http\";\nimport { PartnersClient } from \"./partners/client\";\nimport type {\n AgentPressOptions,\n ResolvedOptions,\n ResolvedPartnerMcpOptions,\n} from \"./types\";\nimport { UserApprovalsClient } from \"./userApprovals/client\";\nimport { WebhooksClient } from \"./webhooks/client\";\n\n/**\n * Main entry point for the AgentPress SDK. Provides namespaced access to API\n * resources (e.g., `client.webhooks.send()`, `client.actions.approve()`).\n * Validates all configuration options at construction time, so invalid config fails fast.\n *\n * @example\n * ```ts\n * const client = new AgentPress({\n * apiKey: \"ak_...\",\n * webhookSecret: \"whsec_...\",\n * });\n * await client.webhooks.send({ action: \"my_action\", payload: { ... } });\n * await client.actions.approve(\"act_123\", { action: \"my_action\" });\n * ```\n */\nexport class AgentPress {\n /** Webhook operations: send outbound webhooks and verify inbound signatures. */\n public readonly webhooks: WebhooksClient;\n /** Action management: approve or reject staged actions. */\n public readonly actions: ActionsClient;\n /** Per-user auto-approval rules (read / create / update / delete). */\n public readonly userApprovals: UserApprovalsClient;\n /** Partner MCP Spec v1 helpers (inbound JWT verification, JWKS refresh). */\n public readonly partners: PartnersClient;\n\n /**\n * @param options - SDK configuration. All fields are optional with sensible defaults.\n * @throws {ConfigurationError} If `timeout` is non-positive or `webhookSecret` has an invalid prefix.\n */\n constructor(options: AgentPressOptions = {}) {\n const resolved = resolveOptions(options);\n const http = new HttpClient(resolved);\n this.webhooks = new WebhooksClient(resolved, http);\n this.actions = new ActionsClient(resolved, http);\n this.userApprovals = new UserApprovalsClient(resolved, http);\n this.partners = new PartnersClient(resolved);\n }\n}\n\nfunction resolveOptions(options: AgentPressOptions): ResolvedOptions {\n const baseUrl = (options.baseUrl ?? \"https://api.agent.press\").replace(\n /\\/+$/,\n \"\",\n );\n const timeout = options.timeout ?? 30_000;\n const org = options.org ?? \"default-org\";\n\n if (timeout <= 0 || !Number.isFinite(timeout)) {\n throw new ConfigurationError(\"timeout must be a positive number\");\n }\n\n if (\n options.webhookSecret !== undefined &&\n !options.webhookSecret.startsWith(\"whsec_\")\n ) {\n throw new ConfigurationError('webhookSecret must start with \"whsec_\"');\n }\n\n return {\n baseUrl,\n timeout,\n org,\n webhookSecret: options.webhookSecret,\n apiKey: options.apiKey,\n partnerMcp: resolvePartnerMcp(options.partnerMcp),\n onRequest: options.onRequest,\n onResponse: options.onResponse,\n };\n}\n\nfunction resolvePartnerMcp(\n options: AgentPressOptions[\"partnerMcp\"],\n): ResolvedPartnerMcpOptions | undefined {\n if (!options) return undefined;\n\n if (typeof options.jwksUrl !== \"string\" || options.jwksUrl.length === 0) {\n throw new ConfigurationError(\"partnerMcp.jwksUrl is required\");\n }\n try {\n // Validate early so a bad URL fails at construction, not on first verify.\n new URL(options.jwksUrl);\n } catch {\n throw new ConfigurationError(\"partnerMcp.jwksUrl must be a valid URL\");\n }\n if (typeof options.issuer !== \"string\" || options.issuer.length === 0) {\n throw new ConfigurationError(\"partnerMcp.issuer is required\");\n }\n if (typeof options.audience !== \"string\" || options.audience.length === 0) {\n throw new ConfigurationError(\"partnerMcp.audience is required\");\n }\n if (\n typeof options.expectedExtProvider !== \"string\" ||\n options.expectedExtProvider.length === 0\n ) {\n throw new ConfigurationError(\"partnerMcp.expectedExtProvider is required\");\n }\n\n const clockTolerance = options.clockTolerance ?? \"30s\";\n const jwksCacheMaxAgeMs = options.jwksCacheMaxAgeMs ?? 3_600_000;\n if (jwksCacheMaxAgeMs <= 0 || !Number.isFinite(jwksCacheMaxAgeMs)) {\n throw new ConfigurationError(\n \"partnerMcp.jwksCacheMaxAgeMs must be a positive number\",\n );\n }\n\n return {\n jwksUrl: options.jwksUrl,\n issuer: options.issuer,\n audience: options.audience,\n expectedExtProvider: options.expectedExtProvider,\n clockTolerance,\n jwksCacheMaxAgeMs,\n };\n}\n","/** Constructor options for the {@link AgentPress} client. All fields are optional. */\nexport interface AgentPressOptions {\n /** Svix webhook signing secret for verifying inbound webhooks. Must start with `\"whsec_\"`. */\n webhookSecret?: string;\n /** API key for authenticated requests. */\n apiKey?: string;\n /** @default \"https://api.agent.press\" */\n baseUrl?: string;\n /** Request timeout in milliseconds. Must be a positive finite number. @default 30000 */\n timeout?: number;\n /** Organization identifier sent with requests. @default \"default-org\" */\n org?: string;\n /**\n * Partner MCP Spec v1 configuration. Required only if you call\n * {@link PartnersClient.verifyToken} or {@link WebhooksClient.verifyKeyRotation}.\n *\n * Each environment (staging / production) needs its own {@link AgentPress}\n * instance with its own `partnerMcp` block — never share a client between\n * environments. JWKS cache state is per-instance, so side-by-side staging\n * and prod clients have no cross-talk.\n */\n partnerMcp?: PartnerMcpOptions;\n /** Hook called before every outbound HTTP request (useful for logging/tracing). */\n onRequest?: (url: string, init: RequestInit) => void;\n /** Hook called after every HTTP response is received. */\n onResponse?: (url: string, response: Response) => void;\n}\n\n/** Partner MCP Spec v1 configuration. See {@link AgentPressOptions.partnerMcp}. */\nexport interface PartnerMcpOptions {\n /**\n * Full URL to the issuing AgentPress org's JWKS.\n * Per-org as of Partner MCP Spec v1 (per-org signing keys), e.g.\n * `https://api.agent.press/orgs/<org-slug>/.well-known/jwks.json`.\n * The org admin who registered you as a partner will give you the\n * exact URL along with their `<org-slug>`.\n */\n jwksUrl: string;\n /**\n * Exact match for the JWT `iss` claim. Per-org scoped, e.g.\n * `https://api.agent.press/orgs/<org-slug>`. The JWKS URL above is\n * always `<issuer>/.well-known/jwks.json`.\n */\n issuer: string;\n /** Exact match for the JWT `aud` claim — your partner MCP's stable URL. */\n audience: string;\n /** Required value for the `ext_provider` claim, e.g. `\"partner_auth\"`. */\n expectedExtProvider: string;\n /**\n * Clock skew tolerance for `iat` / `exp` validation. Accepts a jose duration\n * string (`\"30s\"`, `\"1m\"`) or a number of seconds.\n * @default \"30s\"\n */\n clockTolerance?: string | number;\n /**\n * JWKS cache max age in milliseconds. Cache is per-instance, not module-global.\n * @default 3_600_000 (1 hour)\n */\n jwksCacheMaxAgeMs?: number;\n}\n\n/** A verified Partner MCP Spec v1 JWT claim set. */\nexport interface PartnerTokenClaims {\n /** The external user id (verified non-empty). */\n sub: string;\n /** Space-separated scope string, per RFC 8693. May be empty but always present. */\n scope: string;\n /** External auth provider name; verified against {@link PartnerMcpOptions.expectedExtProvider}. */\n ext_provider: string;\n /** Unique token id. Non-empty. Partners build replay caches keyed by this. */\n jti: string;\n /** Already validated against {@link PartnerMcpOptions.issuer}; returned for audit logs. */\n iss: string;\n /** Already validated against {@link PartnerMcpOptions.audience}; returned for audit logs. */\n aud: string;\n /** Unix seconds. */\n iat: number;\n /** Unix seconds. */\n exp: number;\n /** AgentPress org identifier, optional. */\n org_id?: string;\n /** AgentPress thread identifier, optional. */\n thread_id?: string;\n /** Reserved for multi-tenant partner flows. */\n settings_id?: string;\n /** Forward-compat: any additional claims pass through. */\n [key: string]: unknown;\n}\n\n/** Parameters for {@link WebhooksClient.verifyKeyRotation}. */\nexport interface KeyRotationVerifyParams {\n /** Raw request body (string or Buffer) — must not be parsed/modified. */\n payload: string | Buffer;\n /**\n * Incoming HTTP headers. Accepts plain `Record<string, string | undefined>`\n * so Hono / Fastify / Express / Fetch / Worker all work interchangeably.\n * Must include `x-agentpress-signature` and `x-agentpress-timestamp`.\n */\n headers: Record<string, string | undefined>;\n}\n\n/** A verified `signing_key_rotation` webhook payload. */\nexport interface KeyRotationEvent {\n event: \"signing_key_rotation\";\n type: \"scheduled\" | \"emergency\";\n retiredKid: string;\n newCurrentKid: string;\n /** ISO 8601 timestamp. */\n retiredAt: string;\n /** ISO 8601 timestamp. */\n effectiveAt: string;\n /** Matches the configured partner JWKS URL. */\n jwksUrl: string;\n /** Present only on `type: \"emergency\"` rotations. */\n reason?: string;\n}\n\n/** Parameters for {@link WebhooksClient.send}. */\nexport interface WebhookSendParams {\n /** Webhook action name (matches an action rule on the server). */\n action: string;\n /** Arbitrary payload data forwarded to the webhook handler. */\n payload: Record<string, unknown>;\n}\n\n/** Parameters for verifying an inbound webhook signature via {@link WebhooksClient.verify} or {@link WebhooksClient.verifyOrThrow}. */\nexport interface WebhookVerifyParams {\n /** Raw request body (string or Buffer) -- must not be parsed/modified. */\n payload: string | Buffer;\n /** Svix signature headers from the incoming request. */\n headers: {\n \"svix-id\": string;\n \"svix-timestamp\": string;\n \"svix-signature\": string;\n };\n}\n\n/** Response from webhook send operations. */\nexport interface WebhookResponse {\n success: boolean;\n /** UUID of the created action (present on successful creation). */\n actionId?: string;\n /** `true` if an action with the same `externalId` already existed (idempotency). */\n alreadyExists?: boolean;\n skipped?: boolean;\n /**\n * `true` when AgentPress accepted the event (HTTP 202) but could not create\n * an action yet — e.g. no action rule configured, the rule is disabled, or\n * the user could not be resolved. The event is buffered durably and\n * auto-processes once an operator fixes the configuration. No `actionId`\n * is returned in this case; use {@link eventId} to correlate.\n */\n buffered?: boolean;\n /** UUID of the buffered `webhook_events` row (present when `buffered` is `true`). */\n eventId?: string;\n /** Machine-readable reason the event was buffered (e.g. `\"no_action_rule_configured\"`). */\n reason?: string;\n data?: Record<string, unknown>;\n}\n\n// ── Inbound Webhook Ingest Signing (sender side) ──────────────────────\n\n/** Parameters for {@link signHmacWebhookRequest}. */\nexport interface SignHmacWebhookRequestParams {\n /** The webhook listener's shared secret. */\n secret: string;\n /**\n * The exact raw request body string that will be sent. The signature is\n * computed over `\"${timestamp}.${rawBody}\"`, so any re-serialization after\n * signing invalidates it.\n */\n rawBody: string;\n /** Unix timestamp in seconds. @default now */\n timestamp?: number;\n}\n\n/** Signed headers returned by {@link signHmacWebhookRequest}. */\nexport interface SignedHmacWebhookRequest {\n /** Headers to attach to the outbound HTTP request. */\n headers: {\n /** Unix timestamp (seconds) the signature was computed for. */\n \"x-webhook-timestamp\": string;\n /** `v1=<hex HMAC-SHA256 of \"${timestamp}.${rawBody}\">`. */\n \"x-webhook-signature\": string;\n };\n}\n\n// ── Inbound Webhook Listener Configuration ─────────────────────────────\n\n/**\n * Verification scheme for an inbound webhook listener\n * (`POST /webhooks/ingest/:org/:identifier`).\n *\n * - `\"svix\"` — Svix-style signing (`svix-id` / `svix-timestamp` / `svix-signature`).\n * - `\"hmac_sha256\"` — `x-webhook-timestamp` + `x-webhook-signature` headers;\n * sign with {@link signHmacWebhookRequest}.\n * - `\"shared_token\"` — `Authorization: Bearer <token>` or `x-webhook-token`;\n * build with {@link sharedTokenHeaders}.\n * - `\"none\"` — capability URL: the unguessable random suffix appended to the\n * endpoint identifier at creation time is the credential.\n */\nexport type WebhookVerificationScheme =\n | \"svix\"\n | \"hmac_sha256\"\n | \"shared_token\"\n | \"none\";\n\n/** Environment label for an inbound webhook listener. */\nexport type WebhookEnvironment = \"dev\" | \"sandbox\" | \"prod\";\n\n/** Per-listener routing configuration ({@link IWebhookListenerConfig.routingConfig}). */\nexport interface IWebhookListenerRoutingConfig {\n /** Event types to skip (marked `skipped`, never dispatched to an agent). */\n ignoredEventTypes?: string[];\n /**\n * `\"route\"` dispatches buffered events to the target agent;\n * `\"buffer_only\"` accepts + logs events but skips agent dispatch.\n */\n mode?: \"route\" | \"buffer_only\";\n /** Retention window in days for processed/skipped events. */\n retentionDays?: number;\n /** Sender IPs allowed to hit the ingest endpoint. Empty/omitted = all. */\n ipAllowlist?: string[];\n /**\n * Webhook-specific guidance appended to the agent prompt on every\n * dispatched event (payload shapes, which tools to call, etc.).\n */\n instructions?: string;\n /** Ingest quota for this listener. Defaults to 100, capped at 1000. */\n rateLimitPerMinute?: number;\n}\n\n/**\n * An inbound webhook listener as configured in AgentPress. Listeners receive\n * external events on `POST /webhooks/ingest/:org/:identifier`, buffer them\n * durably, and route them into actions for the target agent.\n */\nexport interface IWebhookListenerConfig {\n /** Human-readable display name. */\n name: string;\n /** Stable slug used in the ingest URL path. */\n identifier: string;\n /** How inbound requests are authenticated. */\n verificationScheme: WebhookVerificationScheme;\n /** Environment label for the listener. */\n environment: WebhookEnvironment;\n /** Disabled listeners reject inbound events at the edge. */\n enabled: boolean;\n /** Agent on the listener's default action rule (quick-setup path). */\n targetAgentId: string | null;\n /** Fallback user actions run as when the payload does not resolve one. */\n runAsUserId: string | null;\n /** Routing, retention, and rate-limit configuration. */\n routingConfig: IWebhookListenerRoutingConfig;\n}\n\n/**\n * An action rule's listen subscription. Rules that subscribe to a listening\n * webhook receive its buffered events in addition to the webhook's default\n * rule, so one listening URL can fan out to several rules.\n */\nexport interface IActionRuleListenSubscription {\n /** Webhook listener this rule subscribes to; `null` = no subscription. */\n listenWebhookId: string | null;\n /** Event types to receive; empty array = all event types. */\n listenEventTypes: string[];\n}\n\n// ── Action Lifecycle Event Types ────────────────────────────────────\n\n/** Action lifecycle event types emitted by AgentPress. */\nexport type ActionEventType =\n | \"action.pending_approval\"\n | \"action.approved\"\n | \"action.completed\"\n | \"action.failed\"\n | \"action.rejected\"\n | \"action.expired\";\n\n/** All public action callback event types emitted by AgentPress. */\nexport const ACTION_EVENT_TYPES: readonly ActionEventType[] = [\n \"action.pending_approval\",\n \"action.approved\",\n \"action.completed\",\n \"action.failed\",\n \"action.rejected\",\n \"action.expired\",\n] as const;\n\n/** Structured approval summary for a staged tool call. */\nexport interface StagedToolCallSummary {\n /** Short action phrase, suitable for headings. */\n title: string;\n /** Full approval request sentence with the key action details. */\n detail: string;\n}\n\n/** A tool call staged for approval lifecycle callbacks. */\nexport interface StagedToolCall {\n toolName: string;\n toolCallId: string;\n arguments: Record<string, unknown>;\n /**\n * Generated approval summary. New callbacks use the structured shape; legacy\n * callbacks may contain a plain string.\n */\n summary?: string | StagedToolCallSummary;\n}\n\n/** Parameters for {@link ActionsClient.approve}. */\nexport interface ApproveActionParams {\n /** Webhook action identifier (from callback's webhookAction field). */\n action: string;\n /** Optionally modify the tool call arguments before execution. */\n editedToolCall?: {\n toolName: string;\n arguments: Record<string, unknown>;\n };\n /**\n * If `\"webhook\"`, also auto-approves future triggers of the same\n * `(user, webhook, tool)` combination — same effect as the UI's\n * \"Always allow for this webhook\" option.\n *\n * - `\"once\"` — approve only this action (default behavior).\n * - `\"webhook\"` — approve and remember for future triggers.\n */\n remember?: \"once\" | \"webhook\";\n}\n\n/** Parameters for {@link ActionsClient.reject}. */\nexport interface RejectActionParams {\n /** Webhook action identifier (from callback's webhookAction field). */\n action: string;\n /** Reason for rejection. */\n reason?: string;\n}\n\n/** Response from action approve/reject operations. */\nexport interface ActionManageResponse {\n success: boolean;\n actionId: string;\n status: ActionStatus;\n}\n\n// ── Outbound Webhook (Action Callback) Types ──────────────────────────\n\n/** Status of an action in the AgentPress system. */\nexport type ActionStatus =\n | \"pending\"\n | \"staged\"\n | \"approved\"\n | \"executing\"\n | \"rejected\"\n | \"completed\"\n | \"failed\"\n | \"expired\";\n\n/** A tool call made by the agent during action processing. */\nexport interface ToolCallResult {\n toolName: string;\n arguments: Record<string, unknown>;\n result: unknown;\n}\n\n/** The agent's response after processing an action. */\nexport interface AgentResponse {\n /** The agent's text response, if any. */\n text: string | null;\n /** Tool calls made by the agent during processing. */\n toolCalls: ToolCallResult[];\n}\n\n/**\n * Payload received from AgentPress outbound webhooks (post-event callbacks).\n * This is what your server receives for approval, terminal, and failure events.\n */\nexport interface ActionCallbackPayload {\n actionId: string;\n status: ActionStatus;\n actionType: string;\n /** Lifecycle event type (e.g., \"action.pending_approval\", \"action.completed\"). */\n eventType: ActionEventType;\n /** Webhook action identifier used to create this action. Needed for approve/reject. */\n webhookAction: string | null;\n /** Tool staged for approval lifecycle events when available. */\n stagedToolCall: StagedToolCall | null;\n /** ISO 8601 timestamp of when this callback event occurred. */\n occurredAt: string;\n /** ISO 8601 timestamp retained for backwards compatibility. */\n completedAt: string;\n /** Human-readable execution summary when populated on the action. */\n resultSummary: string | null;\n /** Original data from the inbound webhook that triggered this action. */\n sourceData: Record<string, unknown>;\n /** External system identifier. */\n externalId: string | null;\n /** AgentPress user ID associated with this action. */\n userId: string | null;\n /** Thread ID if the action created a conversation. */\n threadId: string | null;\n /** The agent's response including text and tool call results. */\n agentResponse: AgentResponse;\n /** Error message if the action failed. */\n errorMessage: string | null;\n /**\n * Structured error metadata for clients that need branching/logging without\n * displaying raw provider errors.\n */\n errorDetails: {\n code: string | null;\n provider: string | null;\n recoverable: boolean;\n userMessage: string | null;\n } | null;\n /** Reason provided if the action was rejected by a human reviewer. */\n rejectionReason: string | null;\n /** Additional custom fields from post-event configuration. */\n [key: string]: unknown;\n}\n\n// ── User Tool Approvals ─────────────────────────────────────────────\n\n/** Mode of a user tool approval rule. */\nexport type ApprovalMode = \"always_allow\" | \"always_deny\";\n\n/**\n * Mode accepted by settings UIs that sync Allow/Ask choices. `always_allow`\n * persists an allow rule. `ask` means no stored allow rule for that listed\n * tool. `always_deny` is intentionally not accepted by sync.\n */\nexport type ApprovalRuleSyncMode = \"always_allow\" | \"ask\";\n\n/**\n * A persisted rule that auto-approves (or auto-denies) a specific\n * `(user, webhook, tool)` triple, bypassing the per-action approval prompt.\n * Dates are ISO 8601 strings on the wire.\n */\nexport interface UserToolApproval {\n id: string;\n orgId: string;\n userId: string;\n actionWebhookId: string;\n toolName: string;\n mode: ApprovalMode;\n /** ISO 8601 timestamp. `null` means never expires. */\n expiresAt: string | null;\n /** ISO 8601 timestamp. */\n createdAt: string;\n /** ISO 8601 timestamp. */\n updatedAt: string;\n}\n\n/** Parameters for {@link UserApprovalsClient.list}. */\nexport interface ListUserApprovalsParams {\n /** Webhook identifier (slug) — required to scope the signing secret and the result. */\n webhookIdentifier: string;\n /**\n * Filter to a single user's approvals. Accepts either an internal AgentPress\n * user UUID, or — when paired with {@link authProvider} — an external user ID\n * from a custom auth provider. If omitted, lists every approval for the\n * signed webhook.\n */\n userId?: string;\n /**\n * Name of the registered external auth provider. When provided, `userId` is\n * treated as the external user ID and resolved to the internal user via\n * `users.external_auth_id`. The resolved user must belong to the webhook's\n * AgentPress org.\n */\n authProvider?: string;\n}\n\n/** Response from {@link UserApprovalsClient.list}. */\nexport interface ListUserApprovalsResponse {\n approvals: UserToolApproval[];\n}\n\n/** Metadata for one tool that the webhook's default rule stages for approval. */\nexport interface WebhookApprovalToolMetadata {\n /** Stable tool slug to use in create/sync rules. */\n toolName: string;\n /** Human-readable label matching AgentPress approval UI formatting. */\n label: string;\n /** Tool description, when exposed by the agent/tool catalog. */\n description: string | null;\n /** True/false when known; null when the tool catalog does not expose it. */\n destructiveHint: boolean | null;\n /** True/false when known; null when the tool catalog does not expose it. */\n sensitiveHint: boolean | null;\n}\n\n/** Webhook metadata plus the ordered approval-tool catalog for partner UIs. */\nexport interface WebhookApprovalMetadata {\n /** Same value as `actionWebhookId`; included for compatibility. */\n id: string;\n /** UUID of the `action_webhooks` row resolved from `webhookIdentifier`. */\n actionWebhookId: string;\n /** Stable webhook slug used in SDK calls and signed URLs. */\n webhookIdentifier: string;\n /** Human-readable webhook display name. */\n displayName: string;\n /** Alias of `displayName`; included for compatibility with webhook rows. */\n name: string;\n /** Organization that owns this webhook. */\n orgId: string;\n /** Default action rule attached to the webhook, if any. */\n defaultActionRuleId: string | null;\n /** Ordered tools matching the AgentPress approval popup order. */\n availableTools: WebhookApprovalToolMetadata[];\n /** Backwards-compatible ordered projection of `availableTools[].toolName`. */\n toolNames: string[];\n}\n\n/** Parameters for {@link UserApprovalsClient.create}. */\nexport interface CreateUserApprovalParams {\n /** Webhook identifier (slug) — required to scope the signing secret. */\n webhookIdentifier: string;\n /**\n * User identifier this rule applies to. Accepts either an internal AgentPress\n * user UUID, or — when paired with {@link authProvider} — an external user ID\n * from a custom auth provider.\n */\n userId: string;\n /**\n * Name of the registered external auth provider. When provided, `userId` is\n * treated as the external user ID and resolved to the internal user via\n * `users.external_auth_id`. The user must have authenticated through the\n * provider at least once and belong to the webhook's AgentPress org for\n * resolution to succeed.\n */\n authProvider?: string;\n /**\n * UUID of the `action_webhooks` row. Optional for SDK callers; when omitted,\n * AgentPress resolves it from `webhookIdentifier`. If supplied, core rejects\n * the request unless it matches the URL-scoped webhook.\n */\n actionWebhookId?: string;\n /** Tool slug from `WebhookApprovalMetadata.availableTools[].toolName`. */\n toolName: string;\n /** Stored approval mode. Defaults to `\"always_allow\"`. */\n mode?: ApprovalMode;\n /** `null` or omitted = never expires. */\n expiresAt?: Date | null;\n}\n\n/** Parameters for {@link UserApprovalsClient.update}. */\nexport interface UpdateUserApprovalParams {\n /** Webhook identifier (slug) the approval belongs to — required for signing. */\n webhookIdentifier: string;\n mode?: ApprovalMode;\n expiresAt?: Date | null;\n}\n\n/** Parameters for {@link UserApprovalsClient.delete}. */\nexport interface DeleteUserApprovalParams {\n /** Webhook identifier (slug) the approval belongs to — required for signing. */\n webhookIdentifier: string;\n}\n\n/** Parameters for {@link UserApprovalsClient.getWebhookMetadata}. */\nexport interface GetUserApprovalWebhookMetadataParams {\n /** Webhook identifier (slug) — required to scope the signing secret. */\n webhookIdentifier: string;\n}\n\nexport interface SyncUserApprovalRule {\n /** Tool slug from `WebhookApprovalMetadata.availableTools[].toolName`. */\n toolName: string;\n /** Desired partner UI state for this listed tool. */\n mode: ApprovalRuleSyncMode;\n}\n\n/** Parameters for {@link UserApprovalsClient.sync}. */\nexport interface SyncUserApprovalsParams {\n /** Webhook identifier (slug) — required to scope the signing secret. */\n webhookIdentifier: string;\n /**\n * User identifier this sync applies to. Accepts either an internal AgentPress\n * user UUID, or — when paired with {@link authProvider} — an external user ID.\n */\n userId: string;\n /**\n * Name of the registered external auth provider. The user must have\n * authenticated through that provider at least once and belong to the\n * webhook's AgentPress org.\n */\n authProvider?: string;\n /**\n * Complete desired Allow/Ask state for the tools your UI manages. Tools not\n * listed here are left untouched. Existing always_deny rules are preserved.\n */\n rules: SyncUserApprovalRule[];\n}\n\nexport interface SyncUserApprovalsResponse {\n /** Approval rows remaining after sync for this user and webhook. */\n approvals: UserToolApproval[];\n summary: {\n /** Unique tool names requested after duplicate tool names are collapsed. */\n requested: number;\n /** Number of allow upserts attempted. */\n upserted: number;\n /** Number of existing non-deny rows removed for `ask`. */\n removed: number;\n /** Number of requested rows that already had the desired no-op state. */\n unchanged: number;\n /** Number of requested tools skipped because an always_deny rule exists. */\n preservedDeny: number;\n };\n /** Tool names whose existing always_deny rows were intentionally preserved. */\n preservedDenyTools: string[];\n}\n\n/** @internal Resolved (validated, defaulted) options. Not exported from the public API. */\nexport interface ResolvedOptions {\n baseUrl: string;\n timeout: number;\n org: string;\n webhookSecret?: string;\n apiKey?: string;\n partnerMcp?: ResolvedPartnerMcpOptions;\n onRequest?: AgentPressOptions[\"onRequest\"];\n onResponse?: AgentPressOptions[\"onResponse\"];\n}\n\n/** @internal Resolved (validated, defaulted) partner MCP options. */\nexport interface ResolvedPartnerMcpOptions {\n jwksUrl: string;\n issuer: string;\n audience: string;\n expectedExtProvider: string;\n clockTolerance: string | number;\n jwksCacheMaxAgeMs: number;\n}\n","import { createHmac } from \"node:crypto\";\n\nimport type {\n SignedHmacWebhookRequest,\n SignHmacWebhookRequestParams,\n} from \"../types\";\n\n/**\n * Sign an outbound request for an AgentPress inbound webhook listener that\n * uses the `hmac_sha256` verification scheme\n * (`POST /webhooks/ingest/:org/:identifier`).\n *\n * Produces the two headers AgentPress verifies:\n *\n * - `x-webhook-timestamp` — unix seconds; AgentPress rejects timestamps more\n * than 5 minutes from its own clock.\n * - `x-webhook-signature` — `v1=<hex HMAC-SHA256 of \"${timestamp}.${rawBody}\">`.\n *\n * Send the exact `rawBody` string you signed — any re-serialization after\n * signing (re-ordered keys, whitespace changes) invalidates the signature.\n *\n * @example\n * ```ts\n * const rawBody = JSON.stringify({ eventType: \"review.created\", data: {...} });\n * const { headers } = signHmacWebhookRequest({ secret, rawBody });\n * await fetch(ingestUrl, {\n * method: \"POST\",\n * body: rawBody,\n * headers: { \"content-type\": \"application/json\", ...headers },\n * });\n * ```\n */\nexport function signHmacWebhookRequest(\n params: SignHmacWebhookRequestParams,\n): SignedHmacWebhookRequest {\n const timestamp = Math.floor(\n params.timestamp ?? Date.now() / 1000,\n ).toString();\n const signature = createHmac(\"sha256\", params.secret)\n .update(`${timestamp}.${params.rawBody}`)\n .digest(\"hex\");\n return {\n headers: {\n \"x-webhook-timestamp\": timestamp,\n \"x-webhook-signature\": `v1=${signature}`,\n },\n };\n}\n\n/**\n * Build the auth header for an AgentPress inbound webhook listener that uses\n * the `shared_token` verification scheme. AgentPress also accepts\n * `Authorization: Bearer <token>`; this helper uses the dedicated\n * `x-webhook-token` header so it never collides with other auth middleware.\n */\nexport function sharedTokenHeaders(token: string): {\n \"x-webhook-token\": string;\n} {\n return { \"x-webhook-token\": token };\n}\n"],"mappings":";;;;;;;;AAIA,IAAa,kBAAb,cAAqC,MAAM;CACzC,YAAY,SAAiB;EAC3B,MAAM,OAAO;EACb,KAAK,OAAO;EACZ,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;;;;AAMA,IAAa,qBAAb,cAAwC,gBAAgB;CACtD,YAAY,SAAiB;EAC3B,MAAM,OAAO;EACb,KAAK,OAAO;EACZ,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;;;;;;;;AAUA,IAAa,YAAb,cAA+B,gBAAgB;CAC7C;CACA;CACA;CAEA,YAAY,YAAoB,cAAsB,KAAa;EACjE,MAAM,QAAQ,WAAW,QAAQ,KAAK;EACtC,KAAK,OAAO;EACZ,KAAK,aAAa;EAClB,KAAK,eAAe;EACpB,KAAK,MAAM;EACX,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;AAGA,IAAa,eAAb,cAAkC,gBAAgB;CAChD,YAAY,KAAa,SAAiB;EACxC,MAAM,cAAc,IAAI,mBAAmB,QAAQ,GAAG;EACtD,KAAK,OAAO;EACZ,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;AAGA,IAAa,wBAAb,cAA2C,gBAAgB;CACzD,YAAY,SAAiB;EAC3B,MAAM,OAAO;EACb,KAAK,OAAO;EACZ,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;;;;;AAoBA,IAAa,oBAAb,cAAuC,gBAAgB;CACrD;CAEA,YAAY,QAAiC,SAAiB;EAC5D,MAAM,OAAO;EACb,KAAK,OAAO;EACZ,KAAK,SAAS;EACd,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;;;;AAeA,IAAa,yBAAb,cAA4C,gBAAgB;CAC1D;CAEA,YAAY,QAAsC,SAAiB;EACjE,MAAM,OAAO;EACb,KAAK,OAAO;EACZ,KAAK,SAAS;EACd,OAAO,eAAe,MAAM,IAAI,OAAO,SAAS;CAClD;AACF;;;AClHA,SAAgB,kBAA0B;CACxC,OAAO,QAAA,GAAA,YAAA,WAAA,CAAkB;AAC3B;;;ACFA,MAAMA,qBAAmB;AACzB,MAAM,4BAA4B;;;;;;;;;;AAWlC,SAAgB,KACd,QACA,OACA,WACA,MACQ;CACR,MAAM,cAAc,OAAO,KAAK,OAAO,QAAQ,WAAW,EAAE,GAAG,QAAQ;CACvE,MAAM,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG;CAIzC,OAAO,GAAGA,sBAAAA,GAAAA,YAAAA,WAAAA,CAHmB,UAAU,WAAW,CAAC,CAChD,OAAO,OAAO,CAAC,CACf,OAAO,QAC2B;AACvC;;;;;;;;;;AAWA,SAAgB,OACd,QACA,SACA,SAKA,mBAA2B,2BAClB;CACT,MAAM,QAAQ,QAAQ;CACtB,MAAM,eAAe,QAAQ;CAC7B,MAAM,kBAAkB,QAAQ;CAEhC,MAAM,YAAY,SAAS,cAAc,EAAE;CAC3C,IAAI,OAAO,MAAM,SAAS,GAAG,OAAO;CAEpC,MAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;CACxC,IAAI,KAAK,IAAI,MAAM,SAAS,IAAI,kBAAkB,OAAO;CAIzD,MAAM,WAAW,KAAK,QAAQ,OAAO,WADnC,OAAO,YAAY,WAAW,UAAU,QAAQ,SAAS,OAAO,CACd;CAEpD,MAAM,aAAa,gBAAgB,MAAM,GAAG;CAC5C,MAAM,cAAc,OAAO,KAAK,QAAQ;CAExC,KAAK,MAAM,OAAO,YAAY;EAC5B,MAAM,SAAS,OAAO,KAAK,GAAG;EAC9B,IACE,OAAO,WAAW,YAAY,WAAA,GAAA,YAAA,gBAAA,CACd,QAAQ,WAAW,GAEnC,OAAO;CAEX;CAEA,OAAO;AACT;;;;;;;;;;;;;;;;;;;;;;;AC5CA,IAAa,gBAAb,MAA2B;CACzB;CACA;CAEA,YAAY,SAA0B,MAAkB;EACtD,KAAK,UAAU;EACf,KAAK,OAAO;CACd;;;;;;;;CASA,MAAM,QACJ,UACA,QAC+B;EAC/B,MAAM,OAAgC,CAAC;EACvC,IAAI,OAAO,mBAAmB,KAAA,GAC5B,KAAK,iBAAiB,OAAO;EAE/B,IAAI,OAAO,aAAa,KAAA,GACtB,KAAK,WAAW,OAAO;EAEzB,OAAO,KAAK,OAAO,UAAU,OAAO,QAAQ,WAAW,IAAI;CAC7D;;;;;;;;CASA,MAAM,OACJ,UACA,QAC+B;EAC/B,OAAO,KAAK,OAAO,UAAU,OAAO,QAAQ,UAAU,EACpD,QAAQ,OAAO,OACjB,CAAC;CACH;CAEA,MAAc,OACZ,UACA,eACA,WACA,MAC+B;EAC/B,IAAI,CAAC,KAAK,QAAQ,eAChB,MAAM,IAAI,mBACR,4DACF;EAGF,MAAM,OAAO,qBAAqB,KAAK,QAAQ,IAAI,GAAG,cAAc,UAAU,SAAS,GAAG;EAC1F,MAAM,UAAU,KAAK,UAAU,IAAI;EACnC,MAAM,QAAQ,gBAAgB;EAC9B,MAAM,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;EAC9C,MAAM,YAAY,KAChB,KAAK,QAAQ,eACb,OACA,WACA,OACF;EAEA,OAAO,KAAK,KAAK,QAA8B,MAAM;GACnD,QAAQ;GACR,MAAM;GACN,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,SAAS;IAClC,kBAAkB;GACpB;EACF,CAAC;CACH;AACF;;;;;;;;ACtGA,IAAa,aAAb,MAAwB;CACtB;CACA;CACA;CACA;CAEA,YAAY,SAA0B;EACpC,KAAK,UAAU,QAAQ;EACvB,KAAK,UAAU,QAAQ;EACvB,KAAK,YAAY,QAAQ;EACzB,KAAK,aAAa,QAAQ;CAC5B;;;;;;;;;;CAWA,MAAM,QAAW,MAAc,MAA+B;EAC5D,MAAM,MAAM,GAAG,KAAK,UAAU;EAE9B,MAAM,UAAU,IAAI,QAAQ,KAAK,OAAO;EACxC,IAAI,CAAC,QAAQ,IAAI,cAAc,GAC7B,QAAQ,IAAI,gBAAgB,kBAAkB;EAGhD,MAAM,cAA2B;GAC/B,GAAG;GACH;GACA,QAAQ,YAAY,QAAQ,KAAK,OAAO;EAC1C;EAEA,KAAK,YAAY,KAAK,WAAW;EAEjC,IAAI;EACJ,IAAI;GACF,WAAW,MAAM,MAAM,KAAK,WAAW;EACzC,SAAS,OAAgB;GACvB,IACE,iBAAiB,UAChB,MAAM,SAAS,kBAAkB,MAAM,SAAS,eAEjD,MAAM,IAAI,aAAa,KAAK,KAAK,OAAO;GAI1C,MAAM,IAAI,gBAAgB,cAAc,IAAI,WAD1C,iBAAiB,QAAQ,MAAM,UAAU,uBACqB;EAClE;EAEA,KAAK,aAAa,KAAK,SAAS,MAAM,CAAC;EAEvC,MAAM,OAAO,MAAM,SAAS,KAAK;EAEjC,IAAI,CAAC,SAAS,IACZ,MAAM,IAAI,UAAU,SAAS,QAAQ,MAAM,GAAG;EAGhD,IAAI;GACF,OAAO,KAAK,MAAM,IAAI;EACxB,QAAQ;GACN,MAAM,IAAI,gBACR,+BAA+B,IAAI,iBAAiB,KAAK,MAAM,GAAG,GAAG,GACvE;EACF;CACF;AACF;;;AC/DA,MAAM,aAAa,CAAC,OAAO;;;;;;;;AAW3B,IAAa,iBAAb,MAA4B;CAC1B;CACA;CACA,OAAkC;CAClC,YAA4C;CAE5C,YAAY,SAA0B;EACpC,KAAK,UAAU;EACf,KAAK,aAAa,QAAQ;CAC5B;;;;;;;;;;;;;CAcA,MAAM,YAAY,OAA4C;EAC5D,MAAM,MAAM,KAAK,cAAc;EAC/B,MAAM,OAAO,KAAK,QAAQ;EAE1B,IAAI;EACJ,IAAI;EAEJ,IAAI;GACF,MAAM,SAAS,OAAA,GAAA,KAAA,UAAA,CAAgB,OAAO,MAAM;IAC1C,YAAY,CAAC,GAAG,UAAU;IAC1B,QAAQ,IAAI;IACZ,UAAU,IAAI;IACd,gBAAgB,IAAI;GACtB,CAAC;GACD,UAAU,OAAO;GACjB,kBAAkB,OAAO;EAK3B,SAAS,KAAK;GACZ,MAAM,aAAa,GAAG;EACxB;EAMA,IAAI,CAAC,gBAAgB,OAAO,OAAO,gBAAgB,QAAQ,UACzD,MAAM,IAAI,kBACR,0BACA,mCACF;EAGF,MAAM,SAAS;EAKf,IAAI,OAAO,OAAO,QAAQ,YAAY,CAAC,OAAO,SAAS,OAAO,GAAG,GAC/D,MAAM,IAAI,kBACR,iBACA,8BACF;EAEF,MAAM,mBAAmB,UAAU,IAAI,cAAc;EACrD,MAAM,SAAS,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;EAC3C,IAAI,OAAO,MAAM,SAAS,kBACxB,MAAM,IAAI,kBACR,iBACA,YAAY,OAAO,MAAM,OAAO,0BAA0B,iBAAiB,YAC7E;EAGF,IAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,IAAI,WAAW,GAC1D,MAAM,IAAI,kBAAkB,iBAAiB,yBAAyB;EAExE,IAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,IAAI,WAAW,GAC1D,MAAM,IAAI,kBAAkB,iBAAiB,yBAAyB;EAExE,IAAI,OAAO,OAAO,UAAU,UAC1B,MAAM,IAAI,kBACR,iBACA,gCACF;EAEF,IACE,OAAO,OAAO,iBAAiB,YAC/B,OAAO,aAAa,WAAW,GAE/B,MAAM,IAAI,kBACR,iBACA,kCACF;EAEF,IAAI,OAAO,iBAAiB,IAAI,qBAC9B,MAAM,IAAI,kBACR,yBACA,iBAAiB,OAAO,aAAa,6BAA6B,IAAI,oBAAoB,EAC5F;EAGF,OAAO;CACT;;;;;;;CAQA,MAAM,cAA6B;EAGjC,MAAM,UAFO,KAAK,QAEC;EACnB,IAAI,OAAO,QAAQ,WAAW,YAC5B,MAAM,QAAQ,OAAO;CAEzB;CAEA,gBAAmD;EACjD,IAAI,CAAC,KAAK,YACR,MAAM,IAAI,mBACR,8DACF;EAEF,OAAO,KAAK;CACd;CAEA,UAA8B;EAC5B,MAAM,MAAM,KAAK,cAAc;EAC/B,IAAI,CAAC,KAAK,MAAM;GACd,KAAK,QAAA,GAAA,KAAA,mBAAA,CAA0B,IAAI,IAAI,IAAI,OAAO,GAAG;IACnD,aAAa,IAAI;IACjB,kBAAkB;GACpB,CAAC;GACD,KAAK,YAAY,KAAK;EACxB;EACA,OAAO,KAAK;CACd;AACF;AAEA,SAAS,UAAU,WAAoC;CACrD,IAAI,OAAO,cAAc,UAAU,OAAO;CAC1C,MAAM,QAAQ,UAAU,KAAK,CAAC,CAAC,MAAM,oBAAoB;CACzD,IAAI,CAAC,OAAO,OAAO;CACnB,MAAM,IAAI,OAAO,SAAS,MAAM,IAAc,EAAE;CAChD,MAAM,OAAQ,MAAM,EAAE,CAAY,YAAY;CAC9C,IAAI,SAAS,KAAK,OAAO;CACzB,IAAI,SAAS,KAAK,OAAO,IAAI;CAC7B,IAAI,SAAS,KAAK,OAAO,IAAI;CAC7B,OAAO;AACT;AAEA,SAAS,aAAa,KAAiC;CACrD,IAAI,eAAe,mBAAmB,OAAO;CAE7C,IAAI,eAAeC,KAAAA,OAAW,gCAC5B,OAAO,IAAI,kBACT,qBACA,mCACF;CAEF,IAAI,eAAeA,KAAAA,OAAW,mBAC5B,OAAO,IAAI,kBACT,0BACA,0CACF;CAEF,IAAI,eAAeA,KAAAA,OAAW,mBAC5B,OAAO,IAAI,kBACT,yBACA,wBACF;CAEF,IAAI,eAAeA,KAAAA,OAAW,YAC5B,OAAO,IAAI,kBAAkB,WAAW,iBAAiB;CAE3D,IAAI,eAAeA,KAAAA,OAAW,0BAA0B;EACtD,MAAM,QAAS,IAA2B;EAC1C,IAAI,UAAU,OACZ,OAAO,IAAI,kBACT,mBACA,0CACF;EAEF,IAAI,UAAU,OACZ,OAAO,IAAI,kBACT,qBACA,4CACF;EAEF,IAAI,UAAU,OACZ,OAAO,IAAI,kBACT,iBACA,mDACF;EAEF,OAAO,IAAI,kBACT,iBACA,IAAI,WAAW,yBACjB;CACF;CACA,IACE,eAAeA,KAAAA,OAAW,cAC1B,eAAeA,KAAAA,OAAW,YAE1B,OAAO,IAAI,kBAAkB,aAAa,IAAI,WAAW,eAAe;CAE1E,IAAI,eAAe,OACjB,OAAO,IAAI,kBAAkB,aAAa,IAAI,OAAO;CAEvD,OAAO,IAAI,kBAAkB,aAAa,OAAO,GAAG,CAAC;AACvD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC9LA,IAAa,sBAAb,MAAiC;CAC/B;CACA;CAEA,YAAY,SAA0B,MAAkB;EACtD,KAAK,UAAU;EACf,KAAK,OAAO;CACd;;;;;;;;;;;;;CAcA,MAAM,KACJ,QACoC;EACpC,MAAM,OAAgC,CAAC;EACvC,IAAI,OAAO,WAAW,KAAA,GAAW,KAAK,SAAS,OAAO;EACtD,IAAI,OAAO,iBAAiB,KAAA,GAC1B,KAAK,eAAe,OAAO;EAC7B,OAAO,KAAK,KACV,OAAO,mBACP,QACA,IACF;CACF;;;;;;;;;;;;CAaA,MAAM,mBACJ,QACkC;EAClC,OAAO,KAAK,KACV,OAAO,mBACP,YACA,CAAC,CACH;CACF;;;;;;;;;;;;;;CAeA,MAAM,OAAO,QAA6D;EACxE,MAAM,OAAgC;GACpC,QAAQ,OAAO;GACf,UAAU,OAAO;GACjB,MAAM,OAAO,QAAQ;EACvB;EACA,IAAI,OAAO,oBAAoB,KAAA,GAC7B,KAAK,kBAAkB,OAAO;EAChC,IAAI,OAAO,iBAAiB,KAAA,GAC1B,KAAK,eAAe,OAAO;EAC7B,IAAI,OAAO,cAAc,KAAA,GACvB,KAAK,YACH,OAAO,cAAc,OAAO,OAAO,OAAO,UAAU,YAAY;EAEpE,OAAO,KAAK,KACV,OAAO,mBACP,UACA,IACF;CACF;;;;;;;;;;;;;CAcA,MAAM,KACJ,QACoC;EACpC,MAAM,OAAgC;GACpC,QAAQ,OAAO;GACf,OAAO,OAAO;EAChB;EACA,IAAI,OAAO,iBAAiB,KAAA,GAC1B,KAAK,eAAe,OAAO;EAC7B,OAAO,KAAK,KACV,OAAO,mBACP,QACA,IACF;CACF;;;;;;;;CASA,MAAM,OACJ,IACA,QAC2B;EAC3B,MAAM,OAAgC,CAAC;EACvC,IAAI,OAAO,SAAS,KAAA,GAAW,KAAK,OAAO,OAAO;EAClD,IAAI,OAAO,cAAc,KAAA,GACvB,KAAK,YACH,OAAO,cAAc,OAAO,OAAO,OAAO,UAAU,YAAY;EAEpE,OAAO,KAAK,KACV,OAAO,mBACP,UAAU,MACV,IACF;CACF;;;;;;;;;CAUA,MAAM,OACJ,IACA,QAC+B;EAC/B,OAAO,KAAK,KACV,OAAO,mBACP,UAAU,MACV,CAAC,CACH;CACF;;CAGA,MAAc,KACZ,mBACA,WACA,MACY;EACZ,IAAI,CAAC,KAAK,QAAQ,eAChB,MAAM,IAAI,mBACR,mEACF;EAGF,MAAM,OAAO,4BAA4B,KAAK,QAAQ,IAAI,GAAG,kBAAkB,GAAG;EAClF,MAAM,UAAU,KAAK,UAAU,IAAI;EACnC,MAAM,QAAQ,gBAAgB;EAC9B,MAAM,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;EAC9C,MAAM,YAAY,KAChB,KAAK,QAAQ,eACb,OACA,WACA,OACF;EAEA,OAAO,KAAK,KAAK,QAAW,MAAM;GAChC,QAAQ;GACR,MAAM;GACN,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,SAAS;IAClC,kBAAkB;GACpB;EACF,CAAC;CACH;AACF;;;ACjPA,MAAM,oBAAoB,IAAI;AAC9B,MAAM,yBAAyB;AAC/B,MAAM,mBAAmB;;;;;;;;;AAUzB,SAAgB,kBACd,QACA,QACkB;CAClB,IAAI,CAAC,QACH,MAAM,IAAI,mBACR,iEACF;CAGF,MAAM,OACJ,OAAO,OAAO,YAAY,WACtB,OAAO,UACP,OAAO,QAAQ,SAAS,OAAO;CAMrC,KAHE,OAAO,OAAO,YAAY,WACtB,OAAO,WAAW,OAAO,SAAS,OAAO,IACzC,OAAO,QAAQ,UACJ,mBACf,MAAM,IAAI,uBACR,qBACA,mBAAmB,kBAAkB,OACvC;CAGF,MAAM,kBAAkB,WAAW,OAAO,SAAS,wBAAwB;CAC3E,MAAM,kBAAkB,WAAW,OAAO,SAAS,wBAAwB;CAE3E,IAAI,CAAC,iBAAiB,WAAW,gBAAgB,GAC/C,MAAM,IAAI,uBACR,4BACA,oDAAoD,iBAAiB,EACvE;CAEF,MAAM,cAAc,gBACjB,MAAM,CAAuB,CAAC,CAC9B,YAAY;CACf,IAAI,CAAC,cAAc,KAAK,WAAW,GACjC,MAAM,IAAI,uBACR,4BACA,+BACF;CAGF,IAAI,CAAC,iBACH,MAAM,IAAI,uBACR,qBACA,2CACF;CAEF,MAAM,YAAY,OAAO,SAAS,iBAAiB,EAAE;CACrD,IACE,CAAC,OAAO,SAAS,SAAS,KAC1B,OAAO,SAAS,MAAM,gBAAgB,KAAK,GAE3C,MAAM,IAAI,uBACR,qBACA,4DACF;CAEF,MAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;CACxC,IAAI,KAAK,IAAI,MAAM,SAAS,IAAI,wBAC9B,MAAM,IAAI,uBACR,2BACA,kBAAkB,KAAK,IAAI,MAAM,SAAS,EAAE,YAAY,uBAAuB,YACjF;CAGF,MAAM,eAAA,GAAA,YAAA,WAAA,CAAyB,UAAU,MAAM,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,KAAK;CAC1E,MAAM,cAAc,OAAO,KAAK,aAAa,KAAK;CAClD,MAAM,cAAc,OAAO,KAAK,aAAa,KAAK;CAClD,IACE,YAAY,WAAW,YAAY,UACnC,EAAA,GAAA,YAAA,gBAAA,CAAiB,aAAa,WAAW,GAEzC,MAAM,IAAI,uBACR,qBACA,yBACF;CAGF,IAAI;CACJ,IAAI;EACF,SAAS,KAAK,MAAM,IAAI;CAC1B,QAAQ;EACN,MAAM,IAAI,uBACR,qBACA,2BACF;CACF;CAEA,OAAO,gBAAgB,MAAM;AAC/B;AAEA,SAAS,WACP,SACA,MACoB;CAEpB,MAAM,UAAU,KAAK,YAAY;CACjC,KAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,OAAO,GACzC,IAAI,EAAE,YAAY,MAAM,WAAW,OAAO,MAAM,YAAY,EAAE,SAAS,GACrE,OAAO;AAIb;AAEA,SAAS,gBAAgB,KAAgC;CACvD,IAAI,CAAC,OAAO,OAAO,QAAQ,UACzB,MAAM,IAAI,uBACR,qBACA,+BACF;CAEF,MAAM,MAAM;CACZ,IAAI,IAAI,UAAU,wBAChB,MAAM,IAAI,uBACR,qBACA,qBAAqB,OAAO,IAAI,KAAK,EAAE,EACzC;CAEF,IAAI,IAAI,SAAS,eAAe,IAAI,SAAS,aAC3C,MAAM,IAAI,uBACR,qBACA,2CACF;CAEF,KAAK,MAAM,OAAO;EAChB;EACA;EACA;EACA;EACA;CACF,GACE,IAAI,OAAO,IAAI,SAAS,YAAa,IAAI,IAAI,CAAY,WAAW,GAClE,MAAM,IAAI,uBACR,qBACA,IAAI,IAAI,6BACV;CAGJ,IAAI,IAAI,WAAW,KAAA,KAAa,OAAO,IAAI,WAAW,UACpD,MAAM,IAAI,uBACR,qBACA,wCACF;CAGF,MAAM,QAA0B;EAC9B,OAAO;EACP,MAAM,IAAI;EACV,YAAY,IAAI;EAChB,eAAe,IAAI;EACnB,WAAW,IAAI;EACf,aAAa,IAAI;EACjB,SAAS,IAAI;CACf;CACA,IAAI,OAAO,IAAI,WAAW,UACxB,MAAM,SAAS,IAAI;CAErB,OAAO;AACT;;;ACjKA,IAAa,iBAAb,MAA4B;CAC1B;CACA;CAEA,YAAY,SAA0B,MAAkB;EACtD,KAAK,UAAU;EACf,KAAK,OAAO;CACd;;;;;;;;;;;;;;;;;;;;CAqBA,MAAM,KAAK,QAAqD;EAC9D,IAAI,CAAC,KAAK,QAAQ,eAChB,MAAM,IAAI,mBACR,kDACF;EAGF,MAAM,OAAO,qBAAqB,KAAK,QAAQ,IAAI,GAAG,OAAO;EAC7D,MAAM,OAAO,KAAK,UAAU,OAAO,OAAO;EAC1C,MAAM,QAAQ,gBAAgB;EAC9B,MAAM,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;EAC9C,MAAM,YAAY,KAAK,KAAK,QAAQ,eAAe,OAAO,WAAW,IAAI;EAEzE,OAAO,KAAK,KAAK,QAAyB,MAAM;GAC9C,QAAQ;GACR;GACA,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,SAAS;IAClC,kBAAkB;GACpB;EACF,CAAC;CACH;;;;;;;CAQA,OAAO,QAAsC;EAC3C,IAAI,CAAC,KAAK,QAAQ,eAChB,MAAM,IAAI,mBACR,oDACF;EAGF,OAAOC,OACL,KAAK,QAAQ,eACb,OAAO,SACP,OAAO,OACT;CACF;;;;;;;;CASA,cAAc,QAAmC;EAC/C,IAAI,CAAC,KAAK,OAAO,MAAM,GACrB,MAAM,IAAI,sBAAsB,2BAA2B;CAE/D;;;;;;;;;;CAWA,eAAe,QAAoD;EACjE,KAAK,cAAc,MAAM;EACzB,MAAM,OACJ,OAAO,OAAO,YAAY,WACtB,OAAO,UACP,OAAO,QAAQ,SAAS,OAAO;EACrC,IAAI;GACF,OAAO,KAAK,MAAM,IAAI;EACxB,QAAQ;GACN,MAAM,IAAI,gBAAgB,mCAAmC;EAC/D;CACF;;;;;;;;;;CAWA,kBAAkB,QAAmD;EACnE,OAAOC,kBAAsB,KAAK,QAAQ,eAAe,MAAM;CACjE;AACF;;;;;;;;;;;;;;;;;;AC/GA,IAAa,aAAb,MAAwB;;CAEtB;;CAEA;;CAEA;;CAEA;;;;;CAMA,YAAY,UAA6B,CAAC,GAAG;EAC3C,MAAM,WAAW,eAAe,OAAO;EACvC,MAAM,OAAO,IAAI,WAAW,QAAQ;EACpC,KAAK,WAAW,IAAI,eAAe,UAAU,IAAI;EACjD,KAAK,UAAU,IAAI,cAAc,UAAU,IAAI;EAC/C,KAAK,gBAAgB,IAAI,oBAAoB,UAAU,IAAI;EAC3D,KAAK,WAAW,IAAI,eAAe,QAAQ;CAC7C;AACF;AAEA,SAAS,eAAe,SAA6C;CACnE,MAAM,WAAW,QAAQ,WAAW,0BAAA,CAA2B,QAC7D,QACA,EACF;CACA,MAAM,UAAU,QAAQ,WAAW;CACnC,MAAM,MAAM,QAAQ,OAAO;CAE3B,IAAI,WAAW,KAAK,CAAC,OAAO,SAAS,OAAO,GAC1C,MAAM,IAAI,mBAAmB,mCAAmC;CAGlE,IACE,QAAQ,kBAAkB,KAAA,KAC1B,CAAC,QAAQ,cAAc,WAAW,QAAQ,GAE1C,MAAM,IAAI,mBAAmB,0CAAwC;CAGvE,OAAO;EACL;EACA;EACA;EACA,eAAe,QAAQ;EACvB,QAAQ,QAAQ;EAChB,YAAY,kBAAkB,QAAQ,UAAU;EAChD,WAAW,QAAQ;EACnB,YAAY,QAAQ;CACtB;AACF;AAEA,SAAS,kBACP,SACuC;CACvC,IAAI,CAAC,SAAS,OAAO,KAAA;CAErB,IAAI,OAAO,QAAQ,YAAY,YAAY,QAAQ,QAAQ,WAAW,GACpE,MAAM,IAAI,mBAAmB,gCAAgC;CAE/D,IAAI;EAEF,IAAI,IAAI,QAAQ,OAAO;CACzB,QAAQ;EACN,MAAM,IAAI,mBAAmB,wCAAwC;CACvE;CACA,IAAI,OAAO,QAAQ,WAAW,YAAY,QAAQ,OAAO,WAAW,GAClE,MAAM,IAAI,mBAAmB,+BAA+B;CAE9D,IAAI,OAAO,QAAQ,aAAa,YAAY,QAAQ,SAAS,WAAW,GACtE,MAAM,IAAI,mBAAmB,iCAAiC;CAEhE,IACE,OAAO,QAAQ,wBAAwB,YACvC,QAAQ,oBAAoB,WAAW,GAEvC,MAAM,IAAI,mBAAmB,4CAA4C;CAG3E,MAAM,iBAAiB,QAAQ,kBAAkB;CACjD,MAAM,oBAAoB,QAAQ,qBAAqB;CACvD,IAAI,qBAAqB,KAAK,CAAC,OAAO,SAAS,iBAAiB,GAC9D,MAAM,IAAI,mBACR,wDACF;CAGF,OAAO;EACL,SAAS,QAAQ;EACjB,QAAQ,QAAQ;EAChB,UAAU,QAAQ;EAClB,qBAAqB,QAAQ;EAC7B;EACA;CACF;AACF;;;;AC2JA,MAAa,qBAAiD;CAC5D;CACA;CACA;CACA;CACA;CACA;AACF;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC/PA,SAAgB,uBACd,QAC0B;CAC1B,MAAM,YAAY,KAAK,MACrB,OAAO,aAAa,KAAK,IAAI,IAAI,GACnC,CAAC,CAAC,SAAS;CAIX,OAAO,EACL,SAAS;EACP,uBAAuB;EACvB,uBAAuB,OAAA,GAAA,YAAA,WAAA,CANE,UAAU,OAAO,MAAM,CAAC,CAClD,OAAO,GAAG,UAAU,GAAG,OAAO,SAAS,CAAC,CACxC,OAAO,KAI+B;CACvC,EACF;AACF;;;;;;;AAQA,SAAgB,mBAAmB,OAEjC;CACA,OAAO,EAAE,mBAAmB,MAAM;AACpC"}