@agentproto/auth 0.1.0-alpha.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/schema.ts","../src/define-auth-provider.ts","../src/manifest.ts","../src/builtins.ts","../src/registry.ts","../src/http.ts","../src/discover.ts","../src/token-store.ts","../src/flow-engines/pat.ts","../src/flow-engines/service-auth.ts","../src/flow-engines/index.ts","../src/run-flow.ts","../src/index.ts"],"names":["z","promisify","execFile"],"mappings":";;;;;;;;;;;;AAUO,IAAM,oBAAA,GAAuB,EACjC,MAAA,CAAO;AAAA,EACN,QAAA,EAAU,CAAA,CAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA;AAAA,EAC1B,SAAS,CAAA,CAAE,MAAA,GAAS,GAAA,CAAI,CAAC,EAAE,QAAA;AAC7B,CAAC,EACA,MAAA;AAEI,IAAM,mBAAA,GAAsB,EAChC,MAAA,CAAO;AAAA,EACN,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EACrB,UAAA,EAAY;AACd,CAAC,EACA,MAAA,EAAO;AAEH,IAAM,uBAAA,GAA0B,EACpC,MAAA,CAAO;AAAA,EACN,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,cAAc,CAAA;AAAA,EAC9B,UAAU,CAAA,CAAE,MAAA,GAAS,GAAA,CAAI,CAAC,EAAE,QAAA,EAAS;AAAA,EACrC,WAAW,CAAA,CAAE,MAAA,GAAS,GAAA,CAAI,CAAC,EAAE,QAAA,EAAS;AAAA,EACtC,UAAA,EAAY;AACd,CAAC,EACA,MAAA,EAAO;AAEH,IAAM,gBAAA,GAAmB,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAC3D,mBAAA;AAAA,EACA;AACF,CAAC;AAEM,IAAM,mBAAA,GAAsB,EAChC,MAAA,CAAO;AAAA,EACN,OAAA,EAAS,CAAA,CAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA;AAAA,EACzB,YAAA,EAAc,CAAA,CAAE,MAAA,EAAO,CAAE,IAAI,CAAC;AAChC,CAAC,EACA,MAAA;AAEI,IAAM,6BAAA,GAAgC,EAC1C,MAAA,CAAO;AAAA,EACN,EAAA,EAAI,EAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA,CAAE,IAAI,EAAE,CAAA;AAAA,EAC5B,WAAA,EAAa,EAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA,CAAE,IAAI,GAAI,CAAA;AAAA,EACvC,OAAA,EAAS,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA,EAAI;AAAA,EACxB,IAAA,EAAM,gBAAA;AAAA,EACN,OAAA,EAAS,oBAAoB,QAAA;AAC/B,CAAC,CAAA,CACA,QAAO,CACP,QAAA;AAAA,EACC;AACF;;;AC3CK,IAAM,qBAAqB,aAAA,CAGhC;AAAA,EACA,GAAA,EAAK,EAAA;AAAA,EACL,IAAA,EAAM,cAAA;AAAA,EACN,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,MAAA,GAAS,6BAAA,CAA8B,SAAA,CAAU,GAAG,CAAA;AAC1D,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,6BAAA,EAAgC,OAAO,KAAA,CAAM,MAAA,CAC1C,IAAI,CAAC,CAAA,KAAM,GAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,KAAK,CAAA,CAAE,OAAO,EAAE,CAAA,CAC9C,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,OACf;AAAA,IACF;AAAA,EACF,CAAA;AAAA,EACA,MAAM,GAAA,EAAK;AACT,IAAA,OAAO;AAAA,MACL,GAAG,GAAA;AAAA,MACH,MAAM,MAAA,CAAO,MAAA,CAAO,EAAE,GAAG,GAAA,CAAI,MAAM,CAAA;AAAA,MACnC,OAAA,EAAS,GAAA,CAAI,OAAA,GAAU,MAAA,CAAO,MAAA,CAAO,EAAE,GAAG,GAAA,CAAI,OAAA,EAAS,CAAA,GAAI;AAAA,KAC7D;AAAA,EACF;AACF,CAAC;ACZM,SAAS,6BACd,MAAA,EACsB;AACtB,EAAA,MAAM,MAAA,GAAS,OAAO,MAAM,CAAA;AAC5B,EAAA,IAAI,OAAO,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,CAAE,WAAW,CAAA,EAAG;AACzC,IAAA,MAAM,IAAI,MAAM,yDAAyD,CAAA;AAAA,EAC3E;AACA,EAAA,MAAM,MAAA,GAAS,6BAAA,CAA8B,SAAA,CAAU,MAAA,CAAO,IAAI,CAAA;AAClE,EAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,sDAAA,EAAoD,OAAO,KAAA,CAAM,MAAA,CAC9D,IAAI,CAAC,CAAA,KAAM,GAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,KAAK,CAAA,CAAE,OAAO,EAAE,CAAA,CAC9C,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,KACf;AAAA,EACF;AACA,EAAA,OAAO,EAAE,WAAA,EAAa,MAAA,CAAO,IAAA,EAAM,IAAA,EAAM,OAAO,OAAA,EAAQ;AAC1D;AAGO,SAAS,0BAA0B,MAAA,EAAoC;AAC5E,EAAA,MAAM,EAAE,WAAA,EAAY,GAAI,4BAAA,CAA6B,MAAM,CAAA;AAC3D,EAAA,OAAO,mBAAmB,WAAW,CAAA;AACvC;;;AC9BO,IAAM,qBAAqB,kBAAA,CAAmB;AAAA,EACnD,EAAA,EAAI,QAAA;AAAA,EACJ,WAAA,EACE,6FAAA;AAAA,EACF,OAAA,EAAS,yBAAA;AAAA,EACT,IAAA,EAAM;AAAA,IACJ,IAAA,EAAM,cAAA;AAAA,IACN,QAAA,EAAU,gBAAA;AAAA,IACV,UAAA,EAAY;AAAA,MACV,QAAA,EAAU,eAAA;AAAA,MACV,OAAA,EAAS;AAAA;AACX,GACF;AAAA,EACA,OAAA,EAAS;AAAA,IACP,OAAA,EAAS,oCAAA;AAAA,IACT,YAAA,EAAc;AAAA;AAElB,CAAC;AAEM,IAAM,sBAAA,GAAwD;AAAA,EACnE;AACF;;;AC3BA,IAAM,SAAA,uBAAgB,GAAA,EAAgC;AACtD,KAAA,MAAW,KAAK,sBAAA,EAAwB,SAAA,CAAU,GAAA,CAAI,CAAA,CAAE,IAAI,CAAC,CAAA;AAEtD,SAAS,qBAAqB,QAAA,EAAoC;AACvE,EAAA,SAAA,CAAU,GAAA,CAAI,QAAA,CAAS,EAAA,EAAI,QAAQ,CAAA;AACrC;AAEO,SAAS,gBAAgB,EAAA,EAA4C;AAC1E,EAAA,OAAO,SAAA,CAAU,IAAI,EAAE,CAAA;AACzB;AAEO,SAAS,iBAAA,GAA0C;AACxD,EAAA,OAAO,CAAC,GAAG,SAAA,CAAU,MAAA,EAAQ,CAAA;AAC/B;AAEO,SAAS,mBAAA,GAAgC;AAC9C,EAAA,OAAO,CAAC,GAAG,SAAA,CAAU,IAAA,EAAM,CAAA;AAC7B;;;ACZO,IAAM,uBAAA,GAA0B,GAAA;AAQhC,SAAS,gBAAgB,GAAA,EAAmB;AACjD,EAAA,IAAI,CAAA;AACJ,EAAA,IAAI;AACF,IAAA,CAAA,GAAI,IAAI,IAAI,GAAG,CAAA;AAAA,EACjB,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,aAAA,EAAgB,GAAG,CAAA,CAAE,CAAA;AAAA,EACvC;AACA,EAAA,IAAI,CAAA,CAAE,aAAa,QAAA,EAAU;AAC7B,EAAA,MAAM,OAAO,CAAA,CAAE,QAAA;AACf,EAAA,MAAM,UAAA,GACJ,IAAA,KAAS,WAAA,IACT,IAAA,KAAS,WAAA,IACT,IAAA,KAAS,KAAA,IACT,IAAA,KAAS,OAAA,IACT,IAAA,CAAK,QAAA,CAAS,YAAY,CAAA;AAC5B,EAAA,IAAI,CAAA,CAAE,QAAA,KAAa,OAAA,IAAW,UAAA,EAAY;AAC1C,EAAA,MAAM,IAAI,KAAA;AAAA,IACR,iBAAiB,GAAG,CAAA,mGAAA;AAAA,GAEtB;AACF;AAcO,SAAS,cAAA,CACd,WACA,KAAA,EACgB;AAChB,EAAA,MAAM,IAAA,GAAO,IAAI,eAAA,EAAgB;AACjC,EAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,KAAA,CAAM,OAAO,MAAM,CAAA;AAE9C,EAAA,IAAI,KAAA,EAAO;AACT,IAAA,IAAI,KAAA,CAAM,OAAA,EAAS,IAAA,CAAK,KAAA,CAAM,MAAM,MAAM,CAAA;AAAA,eAC/B,gBAAA,CAAiB,OAAA,EAAS,SAAS,EAAE,IAAA,EAAM,MAAM,CAAA;AAAA,EAC9D;AAEA,EAAA,MAAM,KAAA,GAAQ,UAAA;AAAA,IACZ,MAAM,KAAK,KAAA,CAAM,IAAI,MAAM,CAAA,wBAAA,EAA2B,SAAS,IAAI,CAAC,CAAA;AAAA,IACpE;AAAA,GACF;AAEA,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,KAAA,CAAM,KAAA,EAAM;AAE3C,EAAA,OAAO;AAAA,IACL,QAAQ,IAAA,CAAK,MAAA;AAAA,IACb,OAAO,MAAM;AACX,MAAA,YAAA,CAAa,KAAK,CAAA;AAClB,MAAA,KAAA,EAAO,mBAAA,CAAoB,SAAS,OAAO,CAAA;AAAA,IAC7C;AAAA,GACF;AACF;AAIA,eAAsB,kBACpB,GAAA,EACA,IAAA,GAAoB,EAAC,EACrB,YAAoB,uBAAA,EACD;AACnB,EAAA,MAAM,EAAE,QAAQ,KAAA,EAAM,GAAI,eAAe,SAAA,EAAW,IAAA,CAAK,UAAU,MAAS,CAAA;AAC5E,EAAA,IAAI;AACF,IAAA,OAAO,MAAM,KAAA,CAAM,GAAA,EAAK,EAAE,GAAG,IAAA,EAAM,QAAQ,CAAA;AAAA,EAC7C,CAAA,SAAE;AACA,IAAA,KAAA,EAAM;AAAA,EACR;AACF;;;ACjFO,IAAM,cAAA,GAAN,cAA6B,KAAA,CAAM;AAAA,EAC/B,SAAA;AAAA,EACT,WAAA,CAAY,SAAiB,SAAA,EAAmB;AAC9C,IAAA,KAAA,CAAM,CAAA,gBAAA,EAAmB,SAAS,CAAA,GAAA,EAAM,OAAO,CAAA,CAAE,CAAA;AACjD,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AAAA,EACnB;AACF;AAKA,IAAM,SAAA,GAAYA,EACf,MAAA,CAAO;AAAA,EACN,QAAA,EAAUA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC9B,aAAA,EAAeA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACnC,uBAAuBA,CAAAA,CAAE,KAAA,CAAMA,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EACpD,kBAAkBA,CAAAA,CAAE,KAAA,CAAMA,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EAC/C,0BAA0BA,CAAAA,CAAE,KAAA,CAAMA,EAAE,MAAA,EAAQ,EAAE,QAAA;AAChD,CAAC,EACA,KAAA,EAAM;AAET,IAAM,YAAA,GAAeA,EAClB,MAAA,CAAO;AAAA,EACN,MAAA,EAAQA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC5B,cAAA,EAAgBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACpC,mBAAA,EAAqBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACzC,uBAAuBA,CAAAA,CAAE,KAAA,CAAMA,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EACpD,UAAA,EAAYA,EACT,MAAA,CAAO;AAAA,IACN,KAAA,EAAOA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,IAC3B,iBAAA,EAAmBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,IACvC,cAAA,EAAgBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,IACpC,eAAA,EAAiBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,IACrC,0BAA0BA,CAAAA,CAAE,KAAA,CAAMA,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,IACvD,oBAAoBA,CAAAA,CACjB,MAAA,CAAO,EAAE,yBAAA,EAA2BA,EAAE,KAAA,CAAMA,CAAAA,CAAE,MAAA,EAAQ,EAAE,QAAA,EAAS,EAAG,CAAA,CACpE,KAAA,GACA,QAAA;AAAS,GACb,CAAA,CACA,KAAA,EAAM,CACN,QAAA;AACL,CAAC,EACA,KAAA,EAAM;AAYT,eAAsB,iBAAA,CACpB,OAAA,EACA,IAAA,GAAwB,EAAC,EACK;AAC9B,EAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AAItC,EAAA,MAAM,SAAA,GAAyB;AAAA,IAC7B,QAAQ,IAAA,CAAK,MAAA;AAAA,IACb,QAAA,EAAU;AAAA,GACZ;AAGA,EAAA,MAAM,MAAA,GAAS,GAAG,IAAI,CAAA,qCAAA,CAAA;AACtB,EAAA,IAAI,GAAA;AACJ,EAAA,IAAI;AACF,IAAA,eAAA,CAAgB,MAAM,CAAA;AACtB,IAAA,MAAM,MAAM,MAAM,iBAAA,CAAkB,MAAA,EAAQ,SAAA,EAAW,KAAK,SAAS,CAAA;AACrE,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,IAAI,cAAA;AAAA,QACR,CAAA,aAAA,EAAgB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA,CAAA;AAAA,QAC5C;AAAA,OACF;AAAA,IACF;AACA,IAAA,GAAA,GAAM,SAAA,CAAU,KAAA,CAAM,MAAM,GAAA,CAAI,MAAM,CAAA;AAAA,EACxC,SAAS,GAAA,EAAK;AACZ,IAAA,IAAI,GAAA,YAAe,gBAAgB,MAAM,GAAA;AACzC,IAAA,MAAM,IAAI,cAAA,CAAe,CAAA,kBAAA,EAAqB,GAAG,IAAI,OAAO,CAAA;AAAA,EAC9D;AAEA,EAAA,MAAM,iBAAiB,GAAA,CAAI,qBAAA,GAAwB,CAAC,CAAA,EAAG,OAAA,CAAQ,OAAO,EAAE,CAAA;AACxE,EAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,IAAA,MAAM,IAAI,cAAA;AAAA,MACR,sCAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAGA,EAAA,MAAM,KAAA,GAAQ,GAAG,cAAc,CAAA,uCAAA,CAAA;AAC/B,EAAA,IAAI,EAAA;AACJ,EAAA,IAAI;AACF,IAAA,eAAA,CAAgB,KAAK,CAAA;AACrB,IAAA,MAAM,MAAM,MAAM,iBAAA,CAAkB,KAAA,EAAO,SAAA,EAAW,KAAK,SAAS,CAAA;AACpE,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,IAAI,cAAA;AAAA,QACR,CAAA,qBAAA,EAAwB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA,CAAA;AAAA,QACpD;AAAA,OACF;AAAA,IACF;AACA,IAAA,EAAA,GAAK,YAAA,CAAa,KAAA,CAAM,MAAM,GAAA,CAAI,MAAM,CAAA;AAAA,EAC1C,SAAS,GAAA,EAAK;AACZ,IAAA,IAAI,GAAA,YAAe,gBAAgB,MAAM,GAAA;AACzC,IAAA,MAAM,IAAI,cAAA,CAAe,CAAA,0BAAA,EAA6B,GAAG,IAAI,OAAO,CAAA;AAAA,EACtE;AAEA,EAAA,MAAM,gBAAgB,EAAA,CAAG,cAAA;AACzB,EAAA,MAAM,gBAAA,GAAmB,GAAG,UAAA,EAAY,iBAAA;AACxC,EAAA,IAAI,CAAC,aAAA,EAAe;AAClB,IAAA,MAAM,IAAI,cAAA,CAAe,oCAAA,EAAsC,OAAO,CAAA;AAAA,EACxE;AACA,EAAA,IAAI,CAAC,gBAAA,EAAkB;AACrB,IAAA,MAAM,IAAI,cAAA;AAAA,MACR,kDAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,QAAA,EAAU,IAAI,QAAA,IAAY,IAAA;AAAA,IAC1B,cAAc,GAAA,CAAI,aAAA;AAAA,IAClB,cAAA;AAAA,IACA,aAAA;AAAA,IACA,oBAAoB,EAAA,CAAG,mBAAA;AAAA,IACvB,gBAAA;AAAA,IACA,aAAA,EAAe,GAAG,UAAA,EAAY,cAAA;AAAA,IAC9B,sBAAA,EAAwB,EAAA,CAAG,UAAA,EAAY,wBAAA,IAA4B,EAAC;AAAA,IACpE,mBAAA,EAAqB,EAAA,CAAG,qBAAA,IAAyB;AAAC,GACpD;AACF;AC7IA,IAAM,IAAA,GAAO,UAAU,QAAQ,CAAA;AAS/B,SAAS,uBAAA,GAAgC;AACvC,EAAA,IAAI,OAAA,CAAQ,aAAa,QAAA,EAAU;AACjC,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,sFAAA,EACoB,QAAQ,QAAQ,CAAA,2FAAA;AAAA,KAEtC;AAAA,EACF;AACF;AAGO,SAAS,cAAA,CACd,SACA,MAAA,EACQ;AACR,EAAA,IAAI,CAAC,SAAS,OAAO,MAAA;AACrB,EAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,UAAA,EAAY,MAAM,CAAA;AAC3C;AAGA,eAAsB,iBAAA,CACpB,SACA,OAAA,EAC6B;AAC7B,EAAA,uBAAA,EAAwB;AACxB,EAAA,IAAI;AACF,IAAA,MAAM,EAAE,MAAA,EAAO,GAAI,MAAM,KAAK,UAAA,EAAY;AAAA,MACxC,uBAAA;AAAA,MACA,IAAA;AAAA,MACA,OAAA;AAAA,MACA,IAAA;AAAA,MACA,OAAA;AAAA,MACA;AAAA,KACD,CAAA;AACD,IAAA,MAAM,CAAA,GAAI,MAAA,CAAO,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AAClC,IAAA,OAAO,CAAA,IAAK,KAAA,CAAA;AAAA,EACd,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,MAAA;AAAA,EACT;AACF;AAGA,eAAsB,kBAAA,CACpB,OAAA,EACA,OAAA,EACA,KAAA,EACe;AACf,EAAA,uBAAA,EAAwB;AACxB,EAAA,MAAM,KAAK,UAAA,EAAY;AAAA,IACrB,sBAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,OAAA;AAAA,IACA,IAAA;AAAA,IACA,OAAA;AAAA,IACA,IAAA;AAAA,IACA,KAAA;AAAA,IACA,IAAA;AAAA,IACA;AAAA,GACD,CAAA;AACH;;;ACxDA,eAAe,YAAY,KAAA,EAAgC;AACzD,EAAA,MAAM,QAAQ,OAAA,CAAQ,KAAA;AACtB,EAAA,MAAM,MAAM,OAAA,CAAQ,MAAA;AAEpB,EAAA,IAAI,CAAC,MAAM,KAAA,EAAO;AAChB,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,KAAY;AAC9B,MAAA,MAAM,KAAK,eAAA,CAAgB,EAAE,KAAA,EAAO,MAAA,EAAQ,KAAK,CAAA;AACjD,MAAA,GAAA,CAAI,KAAA,CAAM,CAAA,EAAG,KAAK,CAAA,EAAA,CAAI,CAAA;AACtB,MAAA,EAAA,CAAG,QAAA,CAAS,EAAA,EAAI,CAAC,MAAA,KAAW;AAC1B,QAAA,EAAA,CAAG,KAAA,EAAM;AACT,QAAA,OAAA,CAAQ,MAAA,CAAO,MAAM,CAAA;AAAA,MACvB,CAAC,CAAA;AAAA,IACH,CAAC,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACtC,IAAA,GAAA,CAAI,KAAA,CAAM,CAAA,EAAG,KAAK,CAAA,EAAA,CAAI,CAAA;AACtB,IAAA,MAAM,QAAkB,EAAC;AACzB,IAAA,KAAA,CAAM,WAAW,IAAI,CAAA;AACrB,IAAA,KAAA,CAAM,MAAA,EAAO;AACb,IAAA,KAAA,CAAM,YAAY,MAAM,CAAA;AAExB,IAAA,MAAM,UAAU,MAAM;AACpB,MAAA,KAAA,CAAM,WAAW,KAAK,CAAA;AACtB,MAAA,KAAA,CAAM,KAAA,EAAM;AACZ,MAAA,KAAA,CAAM,cAAA,CAAe,QAAQ,MAAM,CAAA;AAAA,IACrC,CAAA;AAEA,IAAA,MAAM,MAAA,GAAS,CAAC,KAAA,KAAkB;AAChC,MAAA,KAAA,MAAW,MAAM,KAAA,EAAO;AACtB,QAAA,QAAQ,EAAA;AAAI,UACV,KAAK,IAAA;AAAA,UACL,KAAK,IAAA;AACH,YAAA,GAAA,CAAI,MAAM,IAAI,CAAA;AACd,YAAA,OAAA,EAAQ;AACR,YAAA,OAAA,CAAQ,KAAA,CAAM,IAAA,CAAK,EAAE,CAAA,CAAE,MAAM,CAAA;AAC7B,YAAA;AAAA,UACF,KAAK,GAAA;AACH,YAAA,GAAA,CAAI,MAAM,IAAI,CAAA;AACd,YAAA,OAAA,EAAQ;AACR,YAAA,MAAA,CAAO,IAAI,KAAA,CAAM,gBAAgB,CAAC,CAAA;AAClC,YAAA;AAAA,UACF,KAAK,GAAA;AACH,YAAA,GAAA,CAAI,MAAM,IAAI,CAAA;AACd,YAAA,OAAA,EAAQ;AACR,YAAA,OAAA,CAAQ,KAAA,CAAM,IAAA,CAAK,EAAE,CAAA,CAAE,MAAM,CAAA;AAC7B,YAAA;AAAA,UACF,KAAK,MAAA;AAAA;AAAA,UACL,KAAK,IAAA;AACH,YAAA,IAAI,KAAA,CAAM,SAAS,CAAA,EAAG;AACpB,cAAA,KAAA,CAAM,GAAA,EAAI;AACV,cAAA,GAAA,CAAI,MAAM,OAAO,CAAA;AAAA,YACnB;AACA,YAAA;AAAA,UACF;AAEE,YAAA,IAAI,MAAM,GAAA,EAAK;AACb,cAAA,KAAA,CAAM,KAAK,EAAE,CAAA;AACb,cAAA,GAAA,CAAI,MAAM,GAAG,CAAA;AAAA,YACf;AAAA;AACJ,MACF;AAAA,IACF,CAAA;AAEA,IAAA,KAAA,CAAM,EAAA,CAAG,QAAQ,MAAM,CAAA;AAAA,EACzB,CAAC,CAAA;AACH;AAEO,IAAM,aAAA,GAA4B;AAAA,EACvC,EAAA,EAAI,KAAA;AAAA,EAEJ,MAAM,GAAA,CACJ,QAAA,EACA,WAAA,EACA,IAAA,EACqB;AACrB,IAAA,MAAM,EAAE,MAAK,GAAI,QAAA;AACjB,IAAA,IAAI,IAAA,CAAK,SAAS,KAAA,EAAO;AACvB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,kCAAA,EAAqC,IAAA,CAAK,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,IACnE;AAEA,IAAA,MAAM,UAAU,cAAA,CAAe,IAAA,CAAK,UAAA,CAAW,OAAA,EAAS,KAAK,MAAM,CAAA;AAEnE,IAAA,IAAI,CAAC,KAAK,KAAA,EAAO;AACf,MAAA,MAAM,WAAW,MAAM,iBAAA,CAAkB,IAAA,CAAK,UAAA,CAAW,UAAU,OAAO,CAAA;AAC1E,MAAA,IAAI,QAAA,EAAU;AACZ,QAAA,OAAO,EAAE,WAAA,EAAa,QAAA,EAAU,SAAA,EAAW,KAAA,EAAM;AAAA,MACnD;AAAA,IACF;AAEA,IAAA,MAAM,QAAQ,MAAM,WAAA,CAAY,CAAA,EAAG,QAAA,CAAS,EAAE,CAAA,sBAAA,CAAwB,CAAA;AACtE,IAAA,IAAI,CAAC,KAAA,EAAO,MAAM,IAAI,MAAM,mBAAmB,CAAA;AAE/C,IAAA,OAAO,EAAE,WAAA,EAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAM;AAAA,EAChD;AACF,CAAA;ACjFA,IAAM,SAAA,GAAYC,UAAUC,QAAQ,CAAA;AAEpC,IAAM,gBAAA,GAAmB,wCAAA;AACzB,IAAM,qBAAA,GAAwB,6CAAA;AAC9B,IAAM,uBAAA,GAA0B,CAAA;AAQhC,IAAM,sBAAA,GAAyBF,EAC5B,MAAA,CAAO;AAAA,EACN,eAAA,EAAiBA,EAAE,MAAA,EAAO;AAAA,EAC1B,WAAA,EAAaA,EAAE,MAAA,EAAO;AAAA,EACtB,KAAA,EAAOA,EACJ,MAAA,CAAO;AAAA,IACN,SAAA,EAAWA,EAAE,MAAA,EAAO;AAAA,IACpB,gBAAA,EAAkBA,EAAE,MAAA,EAAO;AAAA,IAC3B,UAAA,EAAYA,EAAE,MAAA,EAAO;AAAA,IACrB,QAAA,EAAUA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AAAS,GAC/B,EACA,KAAA;AACL,CAAC,EACA,KAAA,EAAM;AAGT,IAAM,kBAAA,GAAqBA,EACxB,MAAA,CAAO;AAAA,EACN,YAAA,EAAcA,EAAE,MAAA,EAAO;AAAA,EACvB,UAAA,EAAYA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAChC,aAAA,EAAeA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACnC,kBAAA,EAAoBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxC,oBAAA,EAAsBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC1C,iBAAA,EAAmBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AAChC,CAAC,EACA,KAAA,EAAM;AAGT,IAAM,gBAAA,GAAmBA,EACtB,MAAA,CAAO;AAAA,EACN,KAAA,EAAOA,EAAE,MAAA,EAAO;AAAA,EAChB,iBAAA,EAAmBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AAChC,CAAC,EACA,KAAA,EAAM;AAKT,IAAM,sBAAsBA,CAAAA,CAAE,KAAA,CAAM,CAAC,kBAAA,EAAoB,gBAAgB,CAAC,CAAA;AAM1E,eAAe,YAAY,GAAA,EAA4B;AACrD,EAAA,MAAM,CAAC,GAAA,EAAK,IAAI,CAAA,GACd,OAAA,CAAQ,QAAA,KAAa,QAAA,GACjB,CAAC,MAAA,EAAQ,CAAC,GAAG,CAAC,CAAA,GACd,OAAA,CAAQ,QAAA,KAAa,OAAA,GACnB,CAAC,KAAA,EAAO,CAAC,IAAA,EAAM,OAAA,EAAS,GAAG,CAAC,CAAA,GAC5B,CAAC,UAAA,EAAY,CAAC,GAAG,CAAC,CAAA;AAC1B,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,CAAU,KAAK,IAAI,CAAA;AAAA,EAC3B,CAAA,CAAA,MAAQ;AAAA,EAER;AACF;AAEA,eAAe,QAAA,CACb,GAAA,EACA,IAAA,EACA,MAAA,EACA,MAAA,EACY;AACZ,EAAA,MAAM,GAAA,GAAM,MAAM,iBAAA,CAAkB,GAAA,EAAK;AAAA,IACvC,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAAA,IAC9C,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,IAAI,CAAA;AAAA,IACzB;AAAA,GACD,CAAA;AACD,EAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,IAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,IAAA,MAAM,IAAI,MAAM,CAAA,KAAA,EAAQ,GAAG,WAAM,GAAA,CAAI,MAAM,CAAA,EAAA,EAAK,IAAI,CAAA,CAAE,CAAA;AAAA,EACxD;AACA,EAAA,OAAO,MAAA,CAAO,KAAA,CAAM,MAAM,GAAA,CAAI,MAAM,CAAA;AACtC;AAKA,eAAe,QAAA,CACb,GAAA,EACA,MAAA,EACA,MAAA,EACA,MAAA,EACY;AACZ,EAAA,MAAM,GAAA,GAAM,MAAM,iBAAA,CAAkB,GAAA,EAAK;AAAA,IACvC,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,IAC/D,IAAA,EAAM,IAAI,eAAA,CAAgB,MAAM,EAAE,QAAA,EAAS;AAAA,IAC3C;AAAA,GACD,CAAA;AACD,EAAA,OAAO,MAAA,CAAO,KAAA,CAAM,MAAM,GAAA,CAAI,MAAM,CAAA;AACtC;AAEA,eAAe,aACb,aAAA,EACA,UAAA,EACA,QAAA,EACA,SAAA,EACA,WACA,MAAA,EACuB;AACvB,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,GAAA,EAAI,GAAI,SAAA,GAAY,GAAA;AAC1C,EAAA,IAAI,SAAS,SAAA,GAAY,GAAA;AAEzB,EAAA,OAAO,IAAA,CAAK,GAAA,EAAI,GAAI,QAAA,EAAU;AAC5B,IAAA,IAAI,MAAA,EAAQ,OAAA,EAAS,MAAM,IAAI,MAAM,gBAAgB,CAAA;AACrD,IAAA,MAAM,IAAI,OAAA,CAAc,CAAC,MAAM,UAAA,CAAW,CAAA,EAAG,MAAM,CAAC,CAAA;AAEpD,IAAA,MAAM,OAAO,MAAM,QAAA;AAAA,MACjB,aAAA;AAAA,MACA;AAAA,QACE,UAAA,EAAY,gBAAA;AAAA,QACZ,WAAA,EAAa,UAAA;AAAA,QACb,SAAA,EAAW;AAAA,OACb;AAAA,MACA,mBAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,IAAI,EAAE,OAAA,IAAW,IAAA,CAAA,EAAO,OAAO,IAAA;AAE/B,IAAA,MAAM,UAAU,IAAA,CAAK,KAAA;AACrB,IAAA,IAAI,YAAY,uBAAA,EAAyB;AACzC,IAAA,IAAI,YAAY,WAAA,EAAa;AAC3B,MAAA,MAAA,IAAU,GAAA;AACV,MAAA;AAAA,IACF;AACA,IAAA,IAAI,YAAY,eAAA,EAAiB;AAC/B,MAAA,MAAM,IAAI,MAAM,wDAAmD,CAAA;AAAA,IACrE;AACA,IAAA,IAAI,YAAY,eAAA,EAAiB;AAC/B,MAAA,MAAM,IAAI,MAAM,8DAAyD,CAAA;AAAA,IAC3E;AAEA,IAAA,MAAM,OAAO,IAAA,CAAK,iBAAA;AAClB,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,sBAAA,EAAyB,OAAO,CAAA,EAAG,OAAO,CAAA,QAAA,EAAM,IAAI,CAAA,CAAA,GAAK,EAAE,CAAA,CAAE,CAAA;AAAA,EAC/E;AAEA,EAAA,MAAM,IAAI,MAAM,4CAAuC,CAAA;AACzD;AAQA,eAAe,iBAAA,CACb,aAAA,EACA,SAAA,EACA,QAAA,EACA,MAAA,EAC8B;AAC9B,EAAA,IAAI;AACF,IAAA,MAAM,OAAO,MAAM,QAAA;AAAA,MACjB,aAAA;AAAA,MACA;AAAA,QACE,UAAA,EAAY,qBAAA;AAAA,QACZ,SAAA;AAAA,QACA,SAAA,EAAW;AAAA,OACb;AAAA,MACA,mBAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,IAAI,OAAA,IAAW,MAAM,OAAO,IAAA;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAIO,IAAM,qBAAA,GAAoC;AAAA,EAC/C,EAAA,EAAI,cAAA;AAAA,EAEJ,MAAM,GAAA,CACJ,QAAA,EACA,UAAA,EACA,IAAA,EACqB;AACrB,IAAA,MAAM,EAAE,MAAK,GAAI,QAAA;AACjB,IAAA,IAAI,IAAA,CAAK,SAAS,cAAA,EAAgB;AAChC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,0CAAA,EAA6C,IAAA,CAAK,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,IAC3E;AAGA,IAAA,MAAM,MAAA,GAAS,IAAA;AACf,IAAA,MAAM,QAAA,GAAW,OAAO,QAAA,IAAY,gBAAA;AACpC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,EAAE,CAAA;AAG5C,IAAA,MAAM,gBAAA,GACJ,UAAA,EAAY,gBAAA,IAAoB,CAAA,EAAG,MAAM,CAAA,eAAA,CAAA;AAC3C,IAAA,MAAM,aAAA,GACJ,UAAA,EAAY,aAAA,IAAiB,CAAA,EAAG,MAAM,CAAA,YAAA,CAAA;AAGxC,IAAA,eAAA,CAAgB,gBAAgB,CAAA;AAChC,IAAA,eAAA,CAAgB,aAAa,CAAA;AAE7B,IAAA,MAAM,WAAA,GAAc,OAAO,UAAA,CAAW,QAAA;AACtC,IAAA,MAAM,OAAA,GAAU,cAAA,CAAe,MAAA,CAAO,UAAA,CAAW,SAAS,MAAM,CAAA;AAMhE,IAAA,IAAI,CAAC,KAAK,KAAA,EAAO;AACf,MAAA,MAAM,eAAA,GAAkB,MAAM,iBAAA,CAAkB,WAAA,EAAa,OAAO,CAAA;AACpE,MAAA,IAAI,eAAA,EAAiB;AACnB,QAAA,MAAM,YAAY,MAAM,iBAAA;AAAA,UACtB,aAAA;AAAA,UACA,eAAA;AAAA,UACA,QAAA;AAAA,UACA,IAAA,CAAK;AAAA,SACP;AACA,QAAA,IAAI,SAAA,EAAW;AAGb,UAAA,IAAI,UAAU,kBAAA,EAAoB;AAChC,YAAA,MAAM,kBAAA;AAAA,cACJ,WAAA;AAAA,cACA,OAAA;AAAA,cACA,SAAA,CAAU;AAAA,aACZ;AAAA,UACF;AACA,UAAA,OAAO;AAAA,YACL,aAAa,SAAA,CAAU,YAAA;AAAA,YACvB,GAAI,UAAU,kBAAA,GACV,EAAE,mBAAmB,SAAA,CAAU,kBAAA,KAC/B,EAAC;AAAA,YACL,SAAA,EAAW;AAAA,WACb;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,MAAM,WAAW,MAAM,QAAA;AAAA,MACrB,gBAAA;AAAA,MACA;AAAA,QACE,IAAA,EAAM,cAAA;AAAA,QACN,SAAA,EAAW,QAAA;AAAA,QACX,GAAI,OAAO,SAAA,GAAY,EAAE,YAAY,MAAA,CAAO,SAAA,KAAc;AAAC,OAC7D;AAAA,MACA,sBAAA;AAAA,MACA,IAAA,CAAK;AAAA,KACP;AAEA,IAAA,MAAM,EAAE,WAAA,EAAa,KAAA,EAAM,GAAI,QAAA;AAC/B,IAAA,MAAM,SAAA,GAAY,MAAM,QAAA,IAAY,uBAAA;AACpC,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,KAAA,CAAM,KAAA,CAAM,aAAa,EAAE,CAAA;AAGlD,IAAA,OAAA,CAAQ,OAAO,KAAA,CAAM;AAAA,CAAI,CAAA;AACzB,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,UAAA,EAAa,QAAA,CAAS,EAAE,CAAA;;AAAA,CAA6B,CAAA;AAC1E,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,SAAA,EAAY,KAAA,CAAM,SAAS;AAAA,CAAI,CAAA;AACpD,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,SAAA,EAAY,KAAA,CAAM,gBAAgB;;AAAA,CAAM,CAAA;AAC7D,IAAA,MAAM,WAAA,CAAY,MAAM,gBAAgB,CAAA;AACxC,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,wBAAA,EAA2B,SAAS,CAAA;;AAAA,CAAY,CAAA;AAGrE,IAAA,MAAM,cAAc,MAAM,YAAA;AAAA,MACxB,aAAA;AAAA,MACA,WAAA;AAAA,MACA,QAAA;AAAA,MACA,SAAA;AAAA,MACA,KAAA,CAAM,UAAA;AAAA,MACN,IAAA,CAAK;AAAA,KACP;AAMA,IAAA,MAAM,cAAc,WAAA,CAAY,YAAA;AAChC,IAAA,MAAM,YAAY,WAAA,CAAY,kBAAA;AAE9B,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,MAAM,kBAAA,CAAmB,WAAA,EAAa,OAAA,EAAS,SAAS,CAAA;AAAA,IAC1D;AAGA,IAAA,IAAI,gBAAA;AACJ,IAAA,IAAI,YAAY,iBAAA,EAAmB;AACjC,MAAA,gBAAA,GAAmB,WAAA,CAAY,iBAAA;AAAA,IACjC,CAAA,MAAA,IAAW,YAAY,oBAAA,EAAsB;AAC3C,MAAA,gBAAA,GAAmB,IAAI,IAAA;AAAA,QACrB,IAAA,CAAK,GAAA,EAAI,GAAI,WAAA,CAAY,oBAAA,GAAuB;AAAA,QAChD,WAAA,EAAY;AAAA,IAChB;AAEA,IAAA,OAAO;AAAA,MACL,WAAA;AAAA,MACA,iBAAA,EAAmB,SAAA;AAAA,MACnB,gBAAA;AAAA,MACA,SAAA,EAAW;AAAA,KACb;AAAA,EACF;AACF,CAAA;;;ACpVO,IAAM,YAAA,GAAqD;AAAA,EAChE,CAAC,aAAA,CAAc,EAAE,GAAG,aAAA;AAAA,EACpB,CAAC,qBAAA,CAAsB,EAAE,GAAG;AAC9B;;;ACSA,eAAsB,WAAA,CACpB,UACA,IAAA,EACqB;AACrB,EAAA,MAAM,MAAA,GAAS,SAAS,IAAA,CAAK,IAAA;AAC7B,EAAA,MAAM,MAAA,GAAS,aAAa,MAAM,CAAA;AAClC,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,2BAAA,EAA8B,MAAM,CAAA,qBAAA,EAAmB,MAAA,CAAO,KAAK,YAAY,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,KAC7F;AAAA,EACF;AAGA,EAAA,IAAI,UAAA,GACF,IAAA,CAAK,UAAA,KAAe,MAAA,GAAY,KAAK,UAAA,GAAa,IAAA;AAEpD,EAAA,IAAI,UAAA,KAAe,IAAA,IAAQ,MAAA,KAAW,cAAA,EAAgB;AACpD,IAAA,IAAI;AACF,MAAA,UAAA,GAAa,MAAM,kBAAkB,IAAA,CAAK,MAAA,EAAQ,EAAE,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA;AAAA,IAC3E,SAAS,GAAA,EAAK;AACZ,MAAA,IAAI,CAAC,KAAK,KAAA,EAAO;AACf,QAAA,MAAM,MACJ,GAAA,YAAe,cAAA,GACX,GAAA,CAAI,OAAA,GACJ,qBAAqB,GAAG,CAAA,CAAA;AAC9B,QAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,OAAA,EAAU,GAAG,CAAA;AAAA,CAA0B,CAAA;AAAA,MAC9D;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,MAAA,CAAO,GAAA,CAAI,QAAA,EAAU,UAAA,EAAY,IAAI,CAAA;AAC9C;;;ACQO,IAAM,SAAA,GAAY;AAClB,IAAM,YAAA,GAAe","file":"index.mjs","sourcesContent":["/**\n * AIP-50 auth-provider frontmatter / literal Zod schema.\n *\n * Single source of truth for both authoring paths: `defineAuthProvider`\n * (TS literal) and `parseAuthProviderManifest` (.md) run this same schema,\n * so a malformed literal and a malformed manifest fail identically.\n */\n\nimport { z } from \"zod\"\n\nexport const tokenStoreSpecSchema = z\n .object({\n keychain: z.string().min(1),\n account: z.string().min(1).optional(),\n })\n .strict()\n\nexport const patAuthConfigSchema = z\n .object({\n flow: z.literal(\"pat\"),\n tokenStore: tokenStoreSpecSchema,\n })\n .strict()\n\nexport const serviceAuthConfigSchema = z\n .object({\n flow: z.literal(\"service-auth\"),\n clientId: z.string().min(1).optional(),\n loginHint: z.string().min(1).optional(),\n tokenStore: tokenStoreSpecSchema,\n })\n .strict()\n\nexport const authConfigSchema = z.discriminatedUnion(\"flow\", [\n patAuthConfigSchema,\n serviceAuthConfigSchema,\n])\n\nexport const installConfigSchema = z\n .object({\n sealKey: z.string().min(1),\n secretBacked: z.string().min(1),\n })\n .strict()\n\nexport const authProviderFrontmatterSchema = z\n .object({\n id: z.string().min(2).max(80),\n description: z.string().min(1).max(2000),\n apiBase: z.string().url(),\n auth: authConfigSchema,\n install: installConfigSchema.optional(),\n })\n .strict()\n .describe(\n \"AIP-50 auth-provider manifest: how a CLI tool authenticates to an API server and (optionally) where to call the AIP-19 provision endpoints.\",\n )\n\nexport type AuthProviderFrontmatter = z.infer<typeof authProviderFrontmatterSchema>\n","/**\n * `defineAuthProvider` — TS-literal authoring path for an auth-provider.\n *\n * Built on `createDoctype` so it gets the cross-AIP invariants: id-pattern,\n * ≤2000-char description, frozen handle, canonical error prefix. Field-level\n * validation uses the shared Zod from `./schema.ts`, so a malformed literal\n * fails with the same diagnostic as a malformed `.md`.\n */\n\nimport { createDoctype } from \"@agentproto/define-doctype\"\nimport { authProviderFrontmatterSchema } from \"./schema.js\"\nimport type { AuthProviderDefinition, AuthProviderHandle } from \"./types.js\"\n\nexport const defineAuthProvider = createDoctype<\n AuthProviderDefinition,\n AuthProviderHandle\n>({\n aip: 50,\n name: \"authProvider\",\n validate(def) {\n const result = authProviderFrontmatterSchema.safeParse(def)\n if (!result.success) {\n throw new Error(\n `defineAuthProvider (AIP-50): ${result.error.issues\n .map((i) => `${i.path.join(\".\")}: ${i.message}`)\n .join(\"; \")}`,\n )\n }\n },\n build(def) {\n return {\n ...def,\n auth: Object.freeze({ ...def.auth }),\n install: def.install ? Object.freeze({ ...def.install }) : undefined,\n }\n },\n})\n","/**\n * `.md` authoring path for an auth-provider — parse a frontmatter manifest\n * into a frozen handle. Mirrors `parseRecipeManifest` from AIP-19: gray-matter\n * splits the frontmatter, the shared Zod validates it, `defineAuthProvider`\n * builds the handle so both authoring paths converge on one validated shape.\n *\n * This parser is the extension seam: a host reads its own external `.md`\n * manifests (e.g. vendor-shipped `guilde.auth.md`) and registers them without\n * editing this package.\n */\n\nimport matter from \"gray-matter\"\nimport {\n authProviderFrontmatterSchema,\n type AuthProviderFrontmatter,\n} from \"./schema.js\"\nimport { defineAuthProvider } from \"./define-auth-provider.js\"\nimport type { AuthProviderHandle } from \"./types.js\"\n\nexport interface AuthProviderManifest {\n frontmatter: AuthProviderFrontmatter\n body: string\n}\n\nexport function parseAuthProviderManifestRaw(\n source: string,\n): AuthProviderManifest {\n const parsed = matter(source)\n if (Object.keys(parsed.data).length === 0) {\n throw new Error(\"parseAuthProviderManifest: missing or empty frontmatter\")\n }\n const result = authProviderFrontmatterSchema.safeParse(parsed.data)\n if (!result.success) {\n throw new Error(\n `parseAuthProviderManifest: invalid frontmatter — ${result.error.issues\n .map((i) => `${i.path.join(\".\")}: ${i.message}`)\n .join(\"; \")}`,\n )\n }\n return { frontmatter: result.data, body: parsed.content }\n}\n\n/** Parse an auth-provider `.md` straight to a frozen handle. */\nexport function parseAuthProviderManifest(source: string): AuthProviderHandle {\n const { frontmatter } = parseAuthProviderManifestRaw(source)\n return defineAuthProvider(frontmatter)\n}\n","/**\n * Builtin auth-provider manifests — shipped as TS literals so they bundle\n * into the tsup output with zero filesystem reads at runtime. A host adds more\n * by parsing its own `.md` with `parseAuthProviderManifest` and registering\n * the result via `registerAuthProvider`.\n */\n\nimport { defineAuthProvider } from \"./define-auth-provider.js\"\nimport type { AuthProviderHandle } from \"./types.js\"\n\n/** Guilde AI company platform.\n *\n * Authenticates via the AIP-50 service-auth claim ceremony: browser opens,\n * user clicks Approve, bureau stores the oat_* access token.\n * Discovery from /.well-known/oauth-protected-resource supplies live endpoints;\n * the static fields below are the offline fallback. */\nexport const guildeAuthProvider = defineAuthProvider({\n id: \"guilde\",\n description:\n \"Guilde AI company platform. Authenticate via a browser-approve flow — no key to paste.\",\n apiBase: \"https://api.guilde.work\",\n auth: {\n flow: \"service-auth\",\n clientId: \"agentproto-cli\",\n tokenStore: {\n keychain: \"bureau-guilde\",\n account: \"{server}\",\n },\n },\n install: {\n sealKey: \"/guilde/api/v1/connectors/seal-key\",\n secretBacked: \"/guilde/api/v1/guilds/{guildId}/connectors/secret-backed\",\n },\n})\n\nexport const BUILTIN_AUTH_PROVIDERS: readonly AuthProviderHandle[] = [\n guildeAuthProvider,\n]\n","/**\n * Auth-provider registry — id → handle lookup, pre-seeded with builtins.\n *\n * Mirrors the provision-recipe registry shape (AIP-19). Re-registering an id\n * overrides it (last write wins), so a host can shadow a builtin.\n */\n\nimport { BUILTIN_AUTH_PROVIDERS } from \"./builtins.js\"\nimport type { AuthProviderHandle } from \"./types.js\"\n\nconst _registry = new Map<string, AuthProviderHandle>()\nfor (const p of BUILTIN_AUTH_PROVIDERS) _registry.set(p.id, p)\n\nexport function registerAuthProvider(provider: AuthProviderHandle): void {\n _registry.set(provider.id, provider)\n}\n\nexport function getAuthProvider(id: string): AuthProviderHandle | undefined {\n return _registry.get(id)\n}\n\nexport function listAuthProviders(): AuthProviderHandle[] {\n return [..._registry.values()]\n}\n\nexport function listAuthProviderIds(): string[] {\n return [..._registry.keys()]\n}\n","/**\n * Internal HTTP helpers — not part of the public API.\n *\n * Every network call in this package (discovery, the claim ceremony, token\n * refresh) must be bounded: a hung or slow server MUST NOT stall the CLI\n * indefinitely. `deadlineSignal` combines an optional caller `AbortSignal`\n * with a timeout into one signal to hand to `fetch`.\n *\n * Implemented with a plain `AbortController` + `setTimeout` rather than\n * `AbortSignal.any`/`AbortSignal.timeout` so it works on every runtime that\n * ships `fetch`, without assuming a specific Node minor.\n */\n\n/** Default per-request timeout. Discovery and token calls are small JSON\n * round-trips; 10s is generous without hanging an interactive CLI. */\nexport const DEFAULT_HTTP_TIMEOUT_MS = 10_000\n\n/**\n * AIP-50 §Security: discovery and auth requests MUST use HTTPS, to defeat\n * MITM/TOCTOU on the `.well-known` and token endpoints. Loopback http is\n * allowed — it isn't network-exposed — so local development against a dev\n * server keeps working. Throws on any other insecure URL.\n */\nexport function assertSecureUrl(url: string): void {\n let u: URL\n try {\n u = new URL(url)\n } catch {\n throw new Error(`invalid URL: ${url}`)\n }\n if (u.protocol === \"https:\") return\n const host = u.hostname\n const isLoopback =\n host === \"localhost\" ||\n host === \"127.0.0.1\" ||\n host === \"::1\" ||\n host === \"[::1]\" ||\n host.endsWith(\".localhost\")\n if (u.protocol === \"http:\" && isLoopback) return\n throw new Error(\n `insecure URL '${url}' — AIP-50 requires HTTPS for discovery/auth ` +\n `(loopback http is allowed for local development).`,\n )\n}\n\nexport interface DeadlineHandle {\n /** Signal to pass to `fetch(url, { signal })`. */\n signal: AbortSignal\n /** Cancel the timer + detach the outer listener once the request settles.\n * ALWAYS call this in a `finally` to avoid a dangling timer/listener. */\n clear: () => void\n}\n\n/**\n * Build an `AbortSignal` that fires when EITHER the timeout elapses or the\n * caller's `outer` signal aborts.\n */\nexport function deadlineSignal(\n timeoutMs: number,\n outer?: AbortSignal,\n): DeadlineHandle {\n const ctrl = new AbortController()\n const onAbort = () => ctrl.abort(outer?.reason)\n\n if (outer) {\n if (outer.aborted) ctrl.abort(outer.reason)\n else outer.addEventListener(\"abort\", onAbort, { once: true })\n }\n\n const timer = setTimeout(\n () => ctrl.abort(new Error(`request timed out after ${timeoutMs}ms`)),\n timeoutMs,\n )\n // Don't let a pending timeout keep the process alive on its own.\n if (typeof timer !== \"number\") timer.unref()\n\n return {\n signal: ctrl.signal,\n clear: () => {\n clearTimeout(timer)\n outer?.removeEventListener(\"abort\", onAbort)\n },\n }\n}\n\n/** `fetch` bounded by `deadlineSignal`. Merges any caller-supplied\n * `init.signal` with the timeout. */\nexport async function fetchWithDeadline(\n url: string,\n init: RequestInit = {},\n timeoutMs: number = DEFAULT_HTTP_TIMEOUT_MS,\n): Promise<Response> {\n const { signal, clear } = deadlineSignal(timeoutMs, init.signal ?? undefined)\n try {\n return await fetch(url, { ...init, signal })\n } finally {\n clear()\n }\n}\n","/**\n * Two-hop discovery per the auth.md standard (AIP-50 §Discovery algorithm).\n *\n * Hop 1: GET {apiBase}/.well-known/oauth-protected-resource (PRM, RFC 8414)\n * → extract authorization_servers[0] as authServerBase\n * Hop 2: GET {authServerBase}/.well-known/oauth-authorization-server (AS metadata)\n * → extract token_endpoint + agent_auth block\n *\n * Callers MUST catch DiscoveryError and fall back to static manifest config —\n * discovery failures are common (server predates auth.md) and MUST NOT prevent\n * the PAT or other static flows from working.\n */\n\nimport { z } from \"zod\"\nimport type { DiscoveredEndpoints } from \"./types.js\"\nimport { fetchWithDeadline, assertSecureUrl } from \"./http.js\"\n\nexport class DiscoveryError extends Error {\n readonly serverUrl: string\n constructor(message: string, serverUrl: string) {\n super(`DiscoveryError (${serverUrl}): ${message}`)\n this.name = \"DiscoveryError\"\n this.serverUrl = serverUrl\n }\n}\n\n// Discovery JSON is server-controlled, so it's validated rather than asserted.\n// Everything is optional + `.loose()`: the document evolves, and the required\n// fields are enforced explicitly below with precise DiscoveryError messages.\nconst prmSchema = z\n .object({\n resource: z.string().optional(),\n resource_name: z.string().optional(),\n authorization_servers: z.array(z.string()).optional(),\n scopes_supported: z.array(z.string()).optional(),\n bearer_methods_supported: z.array(z.string()).optional(),\n })\n .loose()\n\nconst asMetaSchema = z\n .object({\n issuer: z.string().optional(),\n token_endpoint: z.string().optional(),\n revocation_endpoint: z.string().optional(),\n grant_types_supported: z.array(z.string()).optional(),\n agent_auth: z\n .object({\n skill: z.string().optional(),\n identity_endpoint: z.string().optional(),\n claim_endpoint: z.string().optional(),\n events_endpoint: z.string().optional(),\n identity_types_supported: z.array(z.string()).optional(),\n identity_assertion: z\n .object({ assertion_types_supported: z.array(z.string()).optional() })\n .loose()\n .optional(),\n })\n .loose()\n .optional(),\n })\n .loose()\n\ntype PRMShape = z.infer<typeof prmSchema>\ntype ASMetaShape = z.infer<typeof asMetaSchema>\n\nexport interface DiscoverOptions {\n /** Abort the discovery fetches (e.g. on user Ctrl-C). */\n signal?: AbortSignal\n /** Per-hop timeout. Defaults to DEFAULT_HTTP_TIMEOUT_MS. */\n timeoutMs?: number\n}\n\nexport async function discoverEndpoints(\n apiBase: string,\n opts: DiscoverOptions = {},\n): Promise<DiscoveredEndpoints> {\n const base = apiBase.replace(/\\/$/, \"\")\n // AIP-50 §Security: HTTPS only (loopback exempt for dev), and never follow\n // redirects on discovery — a 3xx is treated as a failure, not chased to a\n // potentially-rogue endpoint.\n const fetchOpts: RequestInit = {\n signal: opts.signal,\n redirect: \"manual\",\n }\n\n // Hop 1 — PRM\n const prmUrl = `${base}/.well-known/oauth-protected-resource`\n let prm: PRMShape\n try {\n assertSecureUrl(prmUrl)\n const res = await fetchWithDeadline(prmUrl, fetchOpts, opts.timeoutMs)\n if (!res.ok) {\n throw new DiscoveryError(\n `PRM returned ${res.status} ${res.statusText}`,\n apiBase,\n )\n }\n prm = prmSchema.parse(await res.json())\n } catch (err) {\n if (err instanceof DiscoveryError) throw err\n throw new DiscoveryError(`PRM fetch failed: ${err}`, apiBase)\n }\n\n const authServerBase = prm.authorization_servers?.[0]?.replace(/\\/$/, \"\")\n if (!authServerBase) {\n throw new DiscoveryError(\n \"PRM missing authorization_servers[0]\",\n apiBase,\n )\n }\n\n // Hop 2 — AS metadata\n const asUrl = `${authServerBase}/.well-known/oauth-authorization-server`\n let as: ASMetaShape\n try {\n assertSecureUrl(asUrl)\n const res = await fetchWithDeadline(asUrl, fetchOpts, opts.timeoutMs)\n if (!res.ok) {\n throw new DiscoveryError(\n `AS metadata returned ${res.status} ${res.statusText}`,\n apiBase,\n )\n }\n as = asMetaSchema.parse(await res.json())\n } catch (err) {\n if (err instanceof DiscoveryError) throw err\n throw new DiscoveryError(`AS metadata fetch failed: ${err}`, apiBase)\n }\n\n const tokenEndpoint = as.token_endpoint\n const identityEndpoint = as.agent_auth?.identity_endpoint\n if (!tokenEndpoint) {\n throw new DiscoveryError(\"AS metadata missing token_endpoint\", apiBase)\n }\n if (!identityEndpoint) {\n throw new DiscoveryError(\n \"AS metadata missing agent_auth.identity_endpoint\",\n apiBase,\n )\n }\n\n return {\n resource: prm.resource ?? base,\n resourceName: prm.resource_name,\n authServerBase,\n tokenEndpoint,\n revocationEndpoint: as.revocation_endpoint,\n identityEndpoint,\n claimEndpoint: as.agent_auth?.claim_endpoint,\n identityTypesSupported: as.agent_auth?.identity_types_supported ?? [],\n grantTypesSupported: as.grant_types_supported ?? [],\n }\n}\n","/**\n * Keychain helpers — read/write a token in the platform Keychain.\n *\n * Uses the macOS `security` CLI. On non-macOS hosts, callers should swap this\n * module for a platform-appropriate equivalent (libsecret on Linux, Credential\n * Manager on Windows).\n */\n\nimport { execFile } from \"node:child_process\"\nimport { promisify } from \"node:util\"\n\nconst exec = promisify(execFile)\n\n/**\n * Guard the macOS-only backend. Without this, `readKeychainToken` would swallow\n * the missing-`security` error and return undefined on Linux/Windows — making a\n * stored credential look absent and re-prompting on every run — while\n * `writeKeychainToken` would throw an opaque ENOENT. Fail loudly and clearly\n * instead, until a libsecret / Credential Manager backend exists.\n */\nfunction assertKeychainSupported(): void {\n if (process.platform !== \"darwin\") {\n throw new Error(\n `@agentproto/auth token-store: the Keychain backend only supports macOS ` +\n `(got platform \"${process.platform}\"). Provide a libsecret (Linux) or ` +\n `Credential Manager (Windows) implementation to run here.`,\n )\n }\n}\n\n/** Substitute `{server}` template in a tokenStore account spec. */\nexport function resolveAccount(\n account: string | undefined,\n server: string,\n): string {\n if (!account) return server\n return account.replace(\"{server}\", server)\n}\n\n/** Read a token from the Keychain. Returns undefined if not found. */\nexport async function readKeychainToken(\n service: string,\n account: string,\n): Promise<string | undefined> {\n assertKeychainSupported()\n try {\n const { stdout } = await exec(\"security\", [\n \"find-generic-password\",\n \"-s\",\n service,\n \"-a\",\n account,\n \"-w\",\n ])\n const t = stdout.replace(/\\n$/, \"\")\n return t || undefined\n } catch {\n return undefined\n }\n}\n\n/** Write a token to the Keychain (-U updates in place). */\nexport async function writeKeychainToken(\n service: string,\n account: string,\n token: string,\n): Promise<void> {\n assertKeychainSupported()\n await exec(\"security\", [\n \"add-generic-password\",\n \"-U\",\n \"-s\",\n service,\n \"-a\",\n account,\n \"-w\",\n token,\n \"-D\",\n \"agentproto auth token\",\n ])\n}\n","/**\n * PAT flow engine — reads an existing token from the Keychain or prompts for one.\n *\n * This is the \"legacy-compatible\" flow: the user has a personal API key\n * (`gld_*`, `sk-*`, …) and the CLI needs to store/retrieve it. No browser\n * open, no ceremony. Use `service-auth` for the seamless browser-approve path.\n */\n\nimport { createInterface } from \"node:readline\"\nimport type {\n FlowEngine,\n FlowRunOptions,\n FlowResult,\n AuthProviderHandle,\n DiscoveredEndpoints,\n} from \"../types.js\"\nimport { resolveAccount, readKeychainToken } from \"../token-store.js\"\n\n/**\n * Read a secret from the terminal WITHOUT echoing it — the typed key must not\n * land on screen or in scrollback. On a TTY we drop to raw mode and render a `*`\n * mask per character. When stdin isn't a TTY (piped input, CI, tests) there's no\n * echo to suppress and no raw mode to enter, so we read a line normally.\n */\nasync function promptToken(label: string): Promise<string> {\n const input = process.stdin\n const out = process.stderr\n\n if (!input.isTTY) {\n return new Promise((resolve) => {\n const rl = createInterface({ input, output: out })\n out.write(`${label}: `)\n rl.question(\"\", (answer) => {\n rl.close()\n resolve(answer.trim())\n })\n })\n }\n\n return new Promise((resolve, reject) => {\n out.write(`${label}: `)\n const chars: string[] = []\n input.setRawMode(true)\n input.resume()\n input.setEncoding(\"utf8\")\n\n const cleanup = () => {\n input.setRawMode(false)\n input.pause()\n input.removeListener(\"data\", onData)\n }\n\n const onData = (chunk: string) => {\n for (const ch of chunk) {\n switch (ch) {\n case \"\\r\":\n case \"\\n\":\n out.write(\"\\n\")\n cleanup()\n resolve(chars.join(\"\").trim())\n return\n case \"\\u0003\": // Ctrl-C\n out.write(\"\\n\")\n cleanup()\n reject(new Error(\"auth cancelled\"))\n return\n case \"\\u0004\": // Ctrl-D — treat as end-of-input\n out.write(\"\\n\")\n cleanup()\n resolve(chars.join(\"\").trim())\n return\n case \"\\u007f\": // Backspace / Delete\n case \"\\b\":\n if (chars.length > 0) {\n chars.pop()\n out.write(\"\\b \\b\")\n }\n break\n default:\n // Mask printable input; ignore stray control characters.\n if (ch >= \" \") {\n chars.push(ch)\n out.write(\"*\")\n }\n }\n }\n }\n\n input.on(\"data\", onData)\n })\n}\n\nexport const patFlowEngine: FlowEngine = {\n id: \"pat\",\n\n async run(\n provider: AuthProviderHandle,\n _discovered: DiscoveredEndpoints | null,\n opts: FlowRunOptions,\n ): Promise<FlowResult> {\n const { auth } = provider\n if (auth.flow !== \"pat\") {\n throw new Error(`patFlowEngine: invoked with flow=\"${auth.flow}\"`)\n }\n\n const account = resolveAccount(auth.tokenStore.account, opts.server)\n\n if (!opts.force) {\n const existing = await readKeychainToken(auth.tokenStore.keychain, account)\n if (existing) {\n return { accessToken: existing, tokenKind: \"pat\" }\n }\n }\n\n const token = await promptToken(`${provider.id} personal access token`)\n if (!token) throw new Error(\"no token provided\")\n\n return { accessToken: token, tokenKind: \"pat\" }\n },\n}\n","/**\n * service-auth flow engine — auth.md claim ceremony.\n *\n * Protocol:\n * POST /agent/identity { type:\"service_auth\" }\n * → registration_id + claim_token + user_code + verification_uri\n * User approves at verification_uri in browser.\n * Poll POST {token_endpoint} with grant_type=urn:workos:agent-auth:grant-type:claim\n * until approved / denied / expired.\n * On success: store the identity_assertion JWT (AIP-50 §Token storage —\n * the assertion is the durable credential; the access_token MUST NOT be\n * persisted, and the claim_token stays in memory only).\n *\n * Subsequent runs skip the ceremony: the stored assertion is exchanged via the\n * jwt-bearer grant for a fresh access_token (\"this IS the refresh path\" — no\n * refresh_token). Only when the assertion is expired/rejected does a new\n * ceremony start.\n *\n * See: https://github.com/workos/auth.md / AIP-50\n */\n\nimport { execFile } from \"node:child_process\"\nimport { promisify } from \"node:util\"\nimport { z } from \"zod\"\nimport type {\n FlowEngine,\n FlowRunOptions,\n FlowResult,\n AuthProviderHandle,\n DiscoveredEndpoints,\n} from \"../types.js\"\nimport {\n resolveAccount,\n readKeychainToken,\n writeKeychainToken,\n} from \"../token-store.js\"\nimport { fetchWithDeadline, assertSecureUrl } from \"../http.js\"\n\nconst execAsync = promisify(execFile)\n\nconst CLAIM_GRANT_TYPE = \"urn:workos:agent-auth:grant-type:claim\"\nconst JWT_BEARER_GRANT_TYPE = \"urn:ietf:params:oauth:grant-type:jwt-bearer\"\nconst DEFAULT_POLL_INTERVAL_S = 5\n\n// ── response schemas ──────────────────────────────────────────────────────────\n//\n// JSON crosses a trust boundary here (the AS controls the bytes), so every\n// response is validated with Zod rather than asserted. `.loose()` keeps unknown\n// fields the spec may add. The inferred types feed the rest of the engine.\n\nconst identityResponseSchema = z\n .object({\n registration_id: z.string(),\n claim_token: z.string(),\n claim: z\n .object({\n user_code: z.string(),\n verification_uri: z.string(),\n expires_in: z.number(),\n interval: z.number().optional(),\n })\n .loose(),\n })\n .loose()\n\n/** Successful token/refresh/exchange response — the AS minted a credential. */\nconst tokenSuccessSchema = z\n .object({\n access_token: z.string(),\n token_type: z.string().optional(),\n refresh_token: z.string().optional(),\n identity_assertion: z.string().optional(),\n assertion_expires_in: z.number().optional(),\n assertion_expires: z.string().optional(),\n })\n .loose()\n\n/** OAuth error response (`authorization_pending`, `slow_down`, `access_denied`…). */\nconst tokenErrorSchema = z\n .object({\n error: z.string(),\n error_description: z.string().optional(),\n })\n .loose()\n\n/** A token endpoint reply is either a minted credential or an OAuth error.\n * Success is tried first so a body carrying an access_token never matches the\n * error arm. */\nconst tokenResponseSchema = z.union([tokenSuccessSchema, tokenErrorSchema])\n\ntype TokenSuccess = z.infer<typeof tokenSuccessSchema>\n\n// ── helpers ──────────────────────────────────────────────────────────────────\n\nasync function openBrowser(url: string): Promise<void> {\n const [cmd, args]: [string, string[]] =\n process.platform === \"darwin\"\n ? [\"open\", [url]]\n : process.platform === \"win32\"\n ? [\"cmd\", [\"/c\", \"start\", url]]\n : [\"xdg-open\", [url]]\n try {\n await execAsync(cmd, args)\n } catch {\n // best-effort — URL already printed to stderr\n }\n}\n\nasync function postJson<T>(\n url: string,\n body: unknown,\n schema: z.ZodType<T>,\n signal?: AbortSignal,\n): Promise<T> {\n const res = await fetchWithDeadline(url, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify(body),\n signal,\n })\n if (!res.ok) {\n const text = await res.text()\n throw new Error(`POST ${url} → ${res.status}: ${text}`)\n }\n return schema.parse(await res.json())\n}\n\n// NOTE: deliberately does NOT check res.ok — the OAuth device/claim flow returns\n// HTTP 400 with a JSON `{ error }` body for authorization_pending / slow_down,\n// which the poll loop reads as data. Throwing on non-2xx would break polling.\nasync function postForm<T>(\n url: string,\n params: Record<string, string>,\n schema: z.ZodType<T>,\n signal?: AbortSignal,\n): Promise<T> {\n const res = await fetchWithDeadline(url, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: new URLSearchParams(params).toString(),\n signal,\n })\n return schema.parse(await res.json())\n}\n\nasync function pollForToken(\n tokenEndpoint: string,\n claimToken: string,\n clientId: string,\n intervalS: number,\n expiresIn: number,\n signal?: AbortSignal,\n): Promise<TokenSuccess> {\n const deadline = Date.now() + expiresIn * 1_000\n let pollMs = intervalS * 1_000\n\n while (Date.now() < deadline) {\n if (signal?.aborted) throw new Error(\"auth cancelled\")\n await new Promise<void>((r) => setTimeout(r, pollMs))\n\n const data = await postForm(\n tokenEndpoint,\n {\n grant_type: CLAIM_GRANT_TYPE,\n claim_token: claimToken,\n client_id: clientId,\n },\n tokenResponseSchema,\n signal,\n )\n\n if (!(\"error\" in data)) return data\n\n const pollErr = data.error\n if (pollErr === \"authorization_pending\") continue\n if (pollErr === \"slow_down\") {\n pollMs += 5_000\n continue\n }\n if (pollErr === \"expired_token\") {\n throw new Error(\"auth timeout — claim expired before user approved\")\n }\n if (pollErr === \"access_denied\") {\n throw new Error(\"access denied — user rejected the authorisation request\")\n }\n\n const desc = data.error_description\n throw new Error(`token endpoint error: ${pollErr}${desc ? ` — ${desc}` : \"\"}`)\n }\n\n throw new Error(\"auth timeout — approval window closed\")\n}\n\n// ── Identity-assertion exchange (jwt-bearer, RFC 7523) ────────────────────────\n//\n// The stored credential IS the identity_assertion JWT. Exchange it at the token\n// endpoint for a fresh, short-lived access token — the AIP-50 refresh path, with\n// no refresh_token involved. Returns null on any error (expired / invalid_grant\n// / server doesn't support the grant) so the caller falls back to a ceremony.\nasync function exchangeAssertion(\n tokenEndpoint: string,\n assertion: string,\n clientId: string,\n signal?: AbortSignal,\n): Promise<TokenSuccess | null> {\n try {\n const data = await postForm(\n tokenEndpoint,\n {\n grant_type: JWT_BEARER_GRANT_TYPE,\n assertion,\n client_id: clientId,\n },\n tokenResponseSchema,\n signal,\n )\n if (\"error\" in data) return null\n return data\n } catch {\n return null\n }\n}\n\n// ── engine ───────────────────────────────────────────────────────────────────\n\nexport const serviceAuthFlowEngine: FlowEngine = {\n id: \"service-auth\",\n\n async run(\n provider: AuthProviderHandle,\n discovered: DiscoveredEndpoints | null,\n opts: FlowRunOptions,\n ): Promise<FlowResult> {\n const { auth } = provider\n if (auth.flow !== \"service-auth\") {\n throw new Error(`serviceAuthFlowEngine: invoked with flow=\"${auth.flow}\"`)\n }\n // `auth.flow === \"service-auth\"` is guaranteed by the guard above, so the\n // discriminated union has already narrowed `auth` to ServiceAuthConfig.\n const config = auth\n const clientId = config.clientId ?? \"agentproto-cli\"\n const server = opts.server.replace(/\\/$/, \"\")\n\n // Endpoint resolution — prefer live discovery, fall back to conventions\n const identityEndpoint =\n discovered?.identityEndpoint ?? `${server}/agent/identity`\n const tokenEndpoint =\n discovered?.tokenEndpoint ?? `${server}/oauth/token`\n\n // AIP-50 §Security: auth requests MUST use HTTPS (loopback exempt for dev).\n assertSecureUrl(identityEndpoint)\n assertSecureUrl(tokenEndpoint)\n\n const primarySlot = config.tokenStore.keychain\n const account = resolveAccount(config.tokenStore.account, server)\n\n // Cached path — the stored credential IS the identity_assertion JWT (AIP-50:\n // never the access token, never a refresh token). Exchange it via jwt-bearer\n // for a fresh access token; on failure (expired / invalid_grant) fall through\n // to a full browser ceremony.\n if (!opts.force) {\n const storedAssertion = await readKeychainToken(primarySlot, account)\n if (storedAssertion) {\n const exchanged = await exchangeAssertion(\n tokenEndpoint,\n storedAssertion,\n clientId,\n opts.signal,\n )\n if (exchanged) {\n // If the server rotated the assertion, persist the new one; otherwise\n // the existing assertion stays valid for the next exchange.\n if (exchanged.identity_assertion) {\n await writeKeychainToken(\n primarySlot,\n account,\n exchanged.identity_assertion,\n )\n }\n return {\n accessToken: exchanged.access_token,\n ...(exchanged.identity_assertion\n ? { identityAssertion: exchanged.identity_assertion }\n : {}),\n tokenKind: \"oat\",\n }\n }\n }\n }\n\n // 1 — POST /agent/identity to start the claim ceremony\n const identity = await postJson(\n identityEndpoint,\n {\n type: \"service_auth\",\n client_id: clientId,\n ...(config.loginHint ? { login_hint: config.loginHint } : {}),\n },\n identityResponseSchema,\n opts.signal,\n )\n\n const { claim_token, claim } = identity\n const intervalS = claim.interval ?? DEFAULT_POLL_INTERVAL_S\n const windowMin = Math.round(claim.expires_in / 60)\n\n // 2 — Print code + open browser\n process.stderr.write(`\\n`)\n process.stderr.write(` Approve ${provider.id} access in your browser\\n\\n`)\n process.stderr.write(` Code: ${claim.user_code}\\n`)\n process.stderr.write(` URL: ${claim.verification_uri}\\n\\n`)\n await openBrowser(claim.verification_uri)\n process.stderr.write(` Waiting for approval (${windowMin} min)…\\n\\n`)\n\n // 3 — Poll until approved / denied / expired\n const tokenResult = await pollForToken(\n tokenEndpoint,\n claim_token,\n clientId,\n intervalS,\n claim.expires_in,\n opts.signal,\n )\n\n // 4 — Store the identity_assertion as the durable credential (AIP-50: the\n // access_token is ephemeral and MUST NOT be persisted; the claim_token\n // was held in memory only). The assertion is re-exchanged via jwt-bearer\n // on the next run.\n const accessToken = tokenResult.access_token\n const assertion = tokenResult.identity_assertion\n\n if (assertion) {\n await writeKeychainToken(primarySlot, account, assertion)\n }\n\n // Resolve assertion expiry as ISO 8601\n let assertionExpires: string | undefined\n if (tokenResult.assertion_expires) {\n assertionExpires = tokenResult.assertion_expires\n } else if (tokenResult.assertion_expires_in) {\n assertionExpires = new Date(\n Date.now() + tokenResult.assertion_expires_in * 1_000,\n ).toISOString()\n }\n\n return {\n accessToken,\n identityAssertion: assertion,\n assertionExpires,\n tokenKind: \"oat\",\n }\n },\n}\n","/**\n * Flow engine registry — dispatch by `provider.auth.flow`.\n *\n * Add a new engine:\n * 1. Implement `FlowEngine` in a sibling file\n * 2. Add it here — no if/switch chains at call sites\n */\n\nimport type { FlowEngine } from \"../types.js\"\nimport { patFlowEngine } from \"./pat.js\"\nimport { serviceAuthFlowEngine } from \"./service-auth.js\"\n\nexport const FLOW_ENGINES: Readonly<Record<string, FlowEngine>> = {\n [patFlowEngine.id]: patFlowEngine,\n [serviceAuthFlowEngine.id]: serviceAuthFlowEngine,\n}\n","/**\n * `runAuthFlow` — resolve provider → discover endpoints → dispatch to engine.\n *\n * Discovery is attempted silently; callers receive the result without knowing\n * whether live or static endpoint config was used. The flow engine receives\n * `null` for `discovered` if discovery failed or was not attempted.\n */\n\nimport { FLOW_ENGINES } from \"./flow-engines/index.js\"\nimport { discoverEndpoints, DiscoveryError } from \"./discover.js\"\nimport type {\n AuthProviderHandle,\n DiscoveredEndpoints,\n FlowResult,\n FlowRunOptions,\n} from \"./types.js\"\n\nexport interface RunFlowOptions extends FlowRunOptions {\n /** Pre-resolved endpoints (skip discovery). Pass null to force re-discovery. */\n discovered?: DiscoveredEndpoints | null\n /** Suppress debug output. Default: false. */\n quiet?: boolean\n}\n\nexport async function runAuthFlow(\n provider: AuthProviderHandle,\n opts: RunFlowOptions,\n): Promise<FlowResult> {\n const flowId = provider.auth.flow\n const engine = FLOW_ENGINES[flowId]\n if (!engine) {\n throw new Error(\n `runAuthFlow: unknown flow \"${flowId}\" — registered: ${Object.keys(FLOW_ENGINES).join(\", \")}`,\n )\n }\n\n // Discovery: try unless caller already provided endpoints\n let discovered: DiscoveredEndpoints | null =\n opts.discovered !== undefined ? opts.discovered : null\n\n if (discovered === null && flowId === \"service-auth\") {\n try {\n discovered = await discoverEndpoints(opts.server, { signal: opts.signal })\n } catch (err) {\n if (!opts.quiet) {\n const msg =\n err instanceof DiscoveryError\n ? err.message\n : `discovery failed: ${err}`\n process.stderr.write(`[auth] ${msg} — using static config\\n`)\n }\n }\n }\n\n return engine.run(provider, discovered, opts)\n}\n","/**\n * @agentproto/auth — AIP-50 AUTH.md reference implementation.\n *\n * Public API:\n * defineAuthProvider(def) — TS-literal authoring (frozen handle)\n * parseAuthProviderManifest(source) — .md authoring (gray-matter + Zod)\n * registerAuthProvider(handle) — extend the module-level registry\n * getAuthProvider(id) — lookup by vendor id\n * listAuthProviderIds() — enumerate known providers\n * discoverEndpoints(apiBase) — two-hop PRM → AS metadata discovery\n * runAuthFlow(provider, opts) — resolve + discover + dispatch to engine\n * FLOW_ENGINES — registered flow engines (pat, …)\n * writeKeychainToken(svc, acct, t) — persist a credential to Keychain\n * readKeychainToken(svc, acct) — read a credential from Keychain\n * resolveAccount(acct, server) — expand {server} template\n */\n\nexport { defineAuthProvider } from \"./define-auth-provider.js\"\nexport {\n parseAuthProviderManifest,\n parseAuthProviderManifestRaw,\n type AuthProviderManifest,\n} from \"./manifest.js\"\nexport {\n registerAuthProvider,\n getAuthProvider,\n listAuthProviders,\n listAuthProviderIds,\n} from \"./registry.js\"\nexport {\n discoverEndpoints,\n DiscoveryError,\n} from \"./discover.js\"\nexport { runAuthFlow, type RunFlowOptions } from \"./run-flow.js\"\nexport { FLOW_ENGINES } from \"./flow-engines/index.js\"\nexport {\n readKeychainToken,\n writeKeychainToken,\n resolveAccount,\n} from \"./token-store.js\"\nexport { guildeAuthProvider, BUILTIN_AUTH_PROVIDERS } from \"./builtins.js\"\nexport {\n authProviderFrontmatterSchema,\n authConfigSchema,\n tokenStoreSpecSchema,\n installConfigSchema,\n type AuthProviderFrontmatter,\n} from \"./schema.js\"\nexport type {\n AuthProviderDefinition,\n AuthProviderHandle,\n AuthConfig,\n PATAuthConfig,\n ServiceAuthConfig,\n InstallConfig,\n TokenStoreSpec,\n FlowEngine,\n FlowId,\n FlowResult,\n FlowRunOptions,\n DiscoveredEndpoints,\n} from \"./types.js\"\n\nexport const SPEC_NAME = \"agentauth\"\nexport const SPEC_VERSION = \"v1\"\n"]}
1
+ {"version":3,"sources":["../src/schema.ts","../src/define-auth-provider.ts","../src/manifest.ts","../src/builtins.ts","../src/registry.ts","../src/http.ts","../src/discover.ts","../src/token-store.ts","../src/store/keychain-store.ts","../src/store/resolve-ref.ts","../src/flow-engines/pat.ts","../src/flow-engines/device-grant.ts","../src/flow-engines/service-auth.ts","../src/flow-engines/device-code.ts","../src/flow-engines/index.ts","../src/run-flow.ts","../src/store/memory-store.ts","../src/store/file-store.ts","../src/broker.ts","../src/index.ts"],"names":["z","promisify","execFile","DEFAULT_POLL_INTERVAL_S","keyOf","headers"],"mappings":";;;;;;;;;;;;;;;AAUO,IAAM,oBAAA,GAAuB,EACjC,MAAA,CAAO;AAAA,EACN,QAAA,EAAU,CAAA,CAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA;AAAA,EAC1B,MAAM,CAAA,CAAE,MAAA,GAAS,GAAA,CAAI,CAAC,EAAE,QAAA,EAAS;AAAA,EACjC,SAAS,CAAA,CAAE,MAAA,GAAS,GAAA,CAAI,CAAC,EAAE,QAAA;AAC7B,CAAC,EACA,MAAA;AAEI,IAAM,mBAAA,GAAsB,EAChC,MAAA,CAAO;AAAA,EACN,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EACrB,UAAA,EAAY;AACd,CAAC,EACA,MAAA,EAAO;AAEH,IAAM,uBAAA,GAA0B,EACpC,MAAA,CAAO;AAAA,EACN,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,cAAc,CAAA;AAAA,EAC9B,UAAU,CAAA,CAAE,MAAA,GAAS,GAAA,CAAI,CAAC,EAAE,QAAA,EAAS;AAAA,EACrC,WAAW,CAAA,CAAE,MAAA,GAAS,GAAA,CAAI,CAAC,EAAE,QAAA,EAAS;AAAA,EACtC,UAAA,EAAY;AACd,CAAC,EACA,MAAA,EAAO;AAEH,IAAM,0BAAA,GAA6B,EACvC,MAAA,CAAO;AAAA,EACN,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC7B,UAAU,CAAA,CAAE,MAAA,GAAS,GAAA,CAAI,CAAC,EAAE,QAAA,EAAS;AAAA,EACrC,OAAO,CAAA,CAAE,MAAA,GAAS,GAAA,CAAI,CAAC,EAAE,QAAA,EAAS;AAAA,EAClC,aAAa,CAAA,CAAE,MAAA,GAAS,GAAA,CAAI,CAAC,EAAE,QAAA,EAAS;AAAA,EACxC,UAAA,EAAY;AACd,CAAC,EACA,MAAA,EAAO;AAEH,IAAM,gBAAA,GAAmB,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAC3D,mBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF,CAAC;AAEM,IAAM,mBAAA,GAAsB,EAChC,MAAA,CAAO;AAAA,EACN,OAAA,EAAS,CAAA,CAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA;AAAA,EACzB,YAAA,EAAc,CAAA,CAAE,MAAA,EAAO,CAAE,IAAI,CAAC;AAChC,CAAC,EACA,MAAA;AAEI,IAAM,6BAAA,GAAgC,EAC1C,MAAA,CAAO;AAAA,EACN,EAAA,EAAI,EAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA,CAAE,IAAI,EAAE,CAAA;AAAA,EAC5B,WAAA,EAAa,EAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA,CAAE,IAAI,GAAI,CAAA;AAAA,EACvC,OAAA,EAAS,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA,EAAI;AAAA,EACxB,IAAA,EAAM,gBAAA;AAAA,EACN,OAAA,EAAS,oBAAoB,QAAA,EAAS;AAAA;AAAA,EAEtC,UAAU,CAAA,CAAE,MAAA,GAAS,GAAA,CAAI,CAAC,EAAE,QAAA;AAC9B,CAAC,CAAA,CACA,QAAO,CACP,QAAA;AAAA,EACC;AACF;;;ACzDK,IAAM,qBAAqB,aAAA,CAGhC;AAAA,EACA,GAAA,EAAK,EAAA;AAAA,EACL,IAAA,EAAM,cAAA;AAAA,EACN,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,MAAA,GAAS,6BAAA,CAA8B,SAAA,CAAU,GAAG,CAAA;AAC1D,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,6BAAA,EAAgC,OAAO,KAAA,CAAM,MAAA,CAC1C,IAAI,CAAC,CAAA,KAAM,GAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,KAAK,CAAA,CAAE,OAAO,EAAE,CAAA,CAC9C,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,OACf;AAAA,IACF;AAAA,EACF,CAAA;AAAA,EACA,MAAM,GAAA,EAAK;AACT,IAAA,OAAO;AAAA,MACL,GAAG,GAAA;AAAA,MACH,MAAM,MAAA,CAAO,MAAA,CAAO,EAAE,GAAG,GAAA,CAAI,MAAM,CAAA;AAAA,MACnC,OAAA,EAAS,GAAA,CAAI,OAAA,GAAU,MAAA,CAAO,MAAA,CAAO,EAAE,GAAG,GAAA,CAAI,OAAA,EAAS,CAAA,GAAI;AAAA,KAC7D;AAAA,EACF;AACF,CAAC;ACZM,SAAS,6BACd,MAAA,EACsB;AACtB,EAAA,MAAM,MAAA,GAAS,OAAO,MAAM,CAAA;AAC5B,EAAA,IAAI,OAAO,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,CAAE,WAAW,CAAA,EAAG;AACzC,IAAA,MAAM,IAAI,MAAM,yDAAyD,CAAA;AAAA,EAC3E;AACA,EAAA,MAAM,MAAA,GAAS,6BAAA,CAA8B,SAAA,CAAU,MAAA,CAAO,IAAI,CAAA;AAClE,EAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,sDAAA,EAAoD,OAAO,KAAA,CAAM,MAAA,CAC9D,IAAI,CAAC,CAAA,KAAM,GAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,KAAK,CAAA,CAAE,OAAO,EAAE,CAAA,CAC9C,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,KACf;AAAA,EACF;AACA,EAAA,OAAO,EAAE,WAAA,EAAa,MAAA,CAAO,IAAA,EAAM,IAAA,EAAM,OAAO,OAAA,EAAQ;AAC1D;AAGO,SAAS,0BAA0B,MAAA,EAAoC;AAC5E,EAAA,MAAM,EAAE,WAAA,EAAY,GAAI,4BAAA,CAA6B,MAAM,CAAA;AAC3D,EAAA,OAAO,mBAAmB,WAAW,CAAA;AACvC;;;AC9BO,IAAM,qBAAqB,kBAAA,CAAmB;AAAA,EACnD,EAAA,EAAI,QAAA;AAAA,EACJ,WAAA,EACE,6FAAA;AAAA,EACF,OAAA,EAAS,yBAAA;AAAA,EACT,QAAA,EAAU,KAAA;AAAA,EACV,IAAA,EAAM;AAAA,IACJ,IAAA,EAAM,cAAA;AAAA,IACN,QAAA,EAAU,gBAAA;AAAA,IACV,UAAA,EAAY;AAAA,MACV,QAAA,EAAU,eAAA;AAAA,MACV,OAAA,EAAS;AAAA;AACX,GACF;AAAA,EACA,OAAA,EAAS;AAAA,IACP,OAAA,EAAS,oCAAA;AAAA,IACT,YAAA,EAAc;AAAA;AAElB,CAAC;AAEM,IAAM,sBAAA,GAAwD;AAAA,EACnE;AACF;;;AC5BA,IAAM,SAAA,uBAAgB,GAAA,EAAgC;AACtD,KAAA,MAAW,KAAK,sBAAA,EAAwB,SAAA,CAAU,GAAA,CAAI,CAAA,CAAE,IAAI,CAAC,CAAA;AAEtD,SAAS,qBAAqB,QAAA,EAAoC;AACvE,EAAA,SAAA,CAAU,GAAA,CAAI,QAAA,CAAS,EAAA,EAAI,QAAQ,CAAA;AACrC;AAEO,SAAS,gBAAgB,EAAA,EAA4C;AAC1E,EAAA,OAAO,SAAA,CAAU,IAAI,EAAE,CAAA;AACzB;AAEO,SAAS,iBAAA,GAA0C;AACxD,EAAA,OAAO,CAAC,GAAG,SAAA,CAAU,MAAA,EAAQ,CAAA;AAC/B;AAEO,SAAS,mBAAA,GAAgC;AAC9C,EAAA,OAAO,CAAC,GAAG,SAAA,CAAU,IAAA,EAAM,CAAA;AAC7B;;;ACZO,IAAM,uBAAA,GAA0B,GAAA;AAQhC,SAAS,gBAAgB,GAAA,EAAmB;AACjD,EAAA,IAAI,CAAA;AACJ,EAAA,IAAI;AACF,IAAA,CAAA,GAAI,IAAI,IAAI,GAAG,CAAA;AAAA,EACjB,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,aAAA,EAAgB,GAAG,CAAA,CAAE,CAAA;AAAA,EACvC;AACA,EAAA,IAAI,CAAA,CAAE,aAAa,QAAA,EAAU;AAC7B,EAAA,MAAM,OAAO,CAAA,CAAE,QAAA;AACf,EAAA,MAAM,UAAA,GACJ,IAAA,KAAS,WAAA,IACT,IAAA,KAAS,WAAA,IACT,IAAA,KAAS,KAAA,IACT,IAAA,KAAS,OAAA,IACT,IAAA,CAAK,QAAA,CAAS,YAAY,CAAA;AAC5B,EAAA,IAAI,CAAA,CAAE,QAAA,KAAa,OAAA,IAAW,UAAA,EAAY;AAC1C,EAAA,MAAM,IAAI,KAAA;AAAA,IACR,iBAAiB,GAAG,CAAA,mGAAA;AAAA,GAEtB;AACF;AAcO,SAAS,cAAA,CACd,WACA,KAAA,EACgB;AAChB,EAAA,MAAM,IAAA,GAAO,IAAI,eAAA,EAAgB;AACjC,EAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,KAAA,CAAM,OAAO,MAAM,CAAA;AAE9C,EAAA,IAAI,KAAA,EAAO;AACT,IAAA,IAAI,KAAA,CAAM,OAAA,EAAS,IAAA,CAAK,KAAA,CAAM,MAAM,MAAM,CAAA;AAAA,eAC/B,gBAAA,CAAiB,OAAA,EAAS,SAAS,EAAE,IAAA,EAAM,MAAM,CAAA;AAAA,EAC9D;AAEA,EAAA,MAAM,KAAA,GAAQ,UAAA;AAAA,IACZ,MAAM,KAAK,KAAA,CAAM,IAAI,MAAM,CAAA,wBAAA,EAA2B,SAAS,IAAI,CAAC,CAAA;AAAA,IACpE;AAAA,GACF;AAEA,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,KAAA,CAAM,KAAA,EAAM;AAE3C,EAAA,OAAO;AAAA,IACL,QAAQ,IAAA,CAAK,MAAA;AAAA,IACb,OAAO,MAAM;AACX,MAAA,YAAA,CAAa,KAAK,CAAA;AAClB,MAAA,KAAA,EAAO,mBAAA,CAAoB,SAAS,OAAO,CAAA;AAAA,IAC7C;AAAA,GACF;AACF;AAIA,eAAsB,kBACpB,GAAA,EACA,IAAA,GAAoB,EAAC,EACrB,YAAoB,uBAAA,EACD;AACnB,EAAA,MAAM,EAAE,QAAQ,KAAA,EAAM,GAAI,eAAe,SAAA,EAAW,IAAA,CAAK,UAAU,MAAS,CAAA;AAC5E,EAAA,IAAI;AACF,IAAA,OAAO,MAAM,KAAA,CAAM,GAAA,EAAK,EAAE,GAAG,IAAA,EAAM,QAAQ,CAAA;AAAA,EAC7C,CAAA,SAAE;AACA,IAAA,KAAA,EAAM;AAAA,EACR;AACF;;;AC3EO,IAAM,cAAA,GAAN,cAA6B,KAAA,CAAM;AAAA,EAC/B,SAAA;AAAA,EACT,WAAA,CAAY,SAAiB,SAAA,EAAmB;AAC9C,IAAA,KAAA,CAAM,CAAA,gBAAA,EAAmB,SAAS,CAAA,GAAA,EAAM,OAAO,CAAA,CAAE,CAAA;AACjD,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AAAA,EACnB;AACF;AAKA,IAAM,SAAA,GAAYA,EACf,MAAA,CAAO;AAAA,EACN,QAAA,EAAUA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC9B,aAAA,EAAeA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACnC,uBAAuBA,CAAAA,CAAE,KAAA,CAAMA,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EACpD,kBAAkBA,CAAAA,CAAE,KAAA,CAAMA,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EAC/C,0BAA0BA,CAAAA,CAAE,KAAA,CAAMA,EAAE,MAAA,EAAQ,EAAE,QAAA;AAChD,CAAC,EACA,KAAA,EAAM;AAET,IAAM,YAAA,GAAeA,EAClB,MAAA,CAAO;AAAA,EACN,MAAA,EAAQA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC5B,cAAA,EAAgBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACpC,mBAAA,EAAqBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACzC,6BAAA,EAA+BA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACnD,uBAAuBA,CAAAA,CAAE,KAAA,CAAMA,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EACpD,UAAA,EAAYA,EACT,MAAA,CAAO;AAAA,IACN,KAAA,EAAOA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,IAC3B,iBAAA,EAAmBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,IACvC,cAAA,EAAgBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,IACpC,eAAA,EAAiBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,IACrC,0BAA0BA,CAAAA,CAAE,KAAA,CAAMA,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,IACvD,oBAAoBA,CAAAA,CACjB,MAAA,CAAO,EAAE,yBAAA,EAA2BA,EAAE,KAAA,CAAMA,CAAAA,CAAE,MAAA,EAAQ,EAAE,QAAA,EAAS,EAAG,CAAA,CACpE,KAAA,GACA,QAAA;AAAS,GACb,CAAA,CACA,KAAA,EAAM,CACN,QAAA;AACL,CAAC,EACA,KAAA,EAAM;AAET,IAAM,cAAA,GAAiBA,EACpB,MAAA,CAAO;AAAA,EACN,6BAAA,EAA+BA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACnD,cAAA,EAAgBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACpC,mBAAA,EAAqBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AAClC,CAAC,EACA,KAAA,EAAM;AAaT,eAAe,cAAA,CACb,IAAA,EACA,SAAA,EACA,IAAA,EAC8B;AAE9B,EAAA,MAAM,MAAA,GAAS,GAAG,IAAI,CAAA,qCAAA,CAAA;AACtB,EAAA,IAAI,GAAA;AACJ,EAAA,IAAI;AACF,IAAA,eAAA,CAAgB,MAAM,CAAA;AACtB,IAAA,MAAM,MAAM,MAAM,iBAAA,CAAkB,MAAA,EAAQ,SAAA,EAAW,KAAK,SAAS,CAAA;AACrE,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,IAAI,cAAA;AAAA,QACR,CAAA,aAAA,EAAgB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA,CAAA;AAAA,QAC5C;AAAA,OACF;AAAA,IACF;AACA,IAAA,GAAA,GAAM,SAAA,CAAU,KAAA,CAAM,MAAM,GAAA,CAAI,MAAM,CAAA;AAAA,EACxC,SAAS,GAAA,EAAK;AACZ,IAAA,IAAI,GAAA,YAAe,gBAAgB,MAAM,GAAA;AACzC,IAAA,MAAM,IAAI,cAAA,CAAe,CAAA,kBAAA,EAAqB,GAAG,IAAI,IAAI,CAAA;AAAA,EAC3D;AAEA,EAAA,MAAM,iBAAiB,GAAA,CAAI,qBAAA,GAAwB,CAAC,CAAA,EAAG,OAAA,CAAQ,OAAO,EAAE,CAAA;AACxE,EAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,IAAA,MAAM,IAAI,cAAA;AAAA,MACR,sCAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAGA,EAAA,MAAM,KAAA,GAAQ,GAAG,cAAc,CAAA,uCAAA,CAAA;AAC/B,EAAA,IAAI,EAAA;AACJ,EAAA,IAAI;AACF,IAAA,eAAA,CAAgB,KAAK,CAAA;AACrB,IAAA,MAAM,MAAM,MAAM,iBAAA,CAAkB,KAAA,EAAO,SAAA,EAAW,KAAK,SAAS,CAAA;AACpE,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,IAAI,cAAA;AAAA,QACR,CAAA,qBAAA,EAAwB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA,CAAA;AAAA,QACpD;AAAA,OACF;AAAA,IACF;AACA,IAAA,EAAA,GAAK,YAAA,CAAa,KAAA,CAAM,MAAM,GAAA,CAAI,MAAM,CAAA;AAAA,EAC1C,SAAS,GAAA,EAAK;AACZ,IAAA,IAAI,GAAA,YAAe,gBAAgB,MAAM,GAAA;AACzC,IAAA,MAAM,IAAI,cAAA,CAAe,CAAA,0BAAA,EAA6B,GAAG,IAAI,IAAI,CAAA;AAAA,EACnE;AAEA,EAAA,MAAM,gBAAgB,EAAA,CAAG,cAAA;AACzB,EAAA,MAAM,gBAAA,GAAmB,GAAG,UAAA,EAAY,iBAAA;AACxC,EAAA,IAAI,CAAC,aAAA,EAAe;AAClB,IAAA,MAAM,IAAI,cAAA,CAAe,oCAAA,EAAsC,IAAI,CAAA;AAAA,EACrE;AACA,EAAA,IAAI,CAAC,gBAAA,EAAkB;AACrB,IAAA,MAAM,IAAI,cAAA;AAAA,MACR,kDAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,QAAA,EAAU,IAAI,QAAA,IAAY,IAAA;AAAA,IAC1B,cAAc,GAAA,CAAI,aAAA;AAAA,IAClB,cAAA;AAAA,IACA,aAAA;AAAA,IACA,oBAAoB,EAAA,CAAG,mBAAA;AAAA,IACvB,gBAAA;AAAA,IACA,aAAA,EAAe,GAAG,UAAA,EAAY,cAAA;AAAA,IAC9B,6BAA6B,EAAA,CAAG,6BAAA;AAAA,IAChC,sBAAA,EAAwB,EAAA,CAAG,UAAA,EAAY,wBAAA,IAA4B,EAAC;AAAA,IACpE,mBAAA,EAAqB,EAAA,CAAG,qBAAA,IAAyB;AAAC,GACpD;AACF;AAEA,eAAe,mBAAA,CACb,IAAA,EACA,SAAA,EACA,IAAA,EAC8B;AAC9B,EAAA,MAAM,GAAA,GAAM,GAAG,IAAI,CAAA,iCAAA,CAAA;AACnB,EAAA,IAAI,GAAA;AACJ,EAAA,IAAI;AACF,IAAA,eAAA,CAAgB,GAAG,CAAA;AACnB,IAAA,MAAM,MAAM,MAAM,iBAAA,CAAkB,GAAA,EAAK,SAAA,EAAW,KAAK,SAAS,CAAA;AAClE,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,IAAI,cAAA;AAAA,QACR,CAAA,8BAAA,EAAiC,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA,CAAA;AAAA,QAC7D;AAAA,OACF;AAAA,IACF;AACA,IAAA,GAAA,GAAM,cAAA,CAAe,KAAA,CAAM,MAAM,GAAA,CAAI,MAAM,CAAA;AAAA,EAC7C,SAAS,GAAA,EAAK;AACZ,IAAA,IAAI,GAAA,YAAe,gBAAgB,MAAM,GAAA;AACzC,IAAA,MAAM,IAAI,cAAA,CAAe,CAAA,mCAAA,EAAsC,GAAG,IAAI,IAAI,CAAA;AAAA,EAC5E;AAEA,EAAA,IAAI,CAAC,IAAI,cAAA,EAAgB;AACvB,IAAA,MAAM,IAAI,cAAA;AAAA,MACR,6CAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AACA,EAAA,IAAI,CAAC,IAAI,6BAAA,EAA+B;AACtC,IAAA,MAAM,IAAI,cAAA;AAAA,MACR,4DAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,QAAA,EAAU,IAAA;AAAA,IACV,cAAA,EAAgB,IAAA;AAAA,IAChB,eAAe,GAAA,CAAI,cAAA;AAAA,IACnB,oBAAoB,GAAA,CAAI,mBAAA;AAAA,IACxB,6BAA6B,GAAA,CAAI,6BAAA;AAAA,IACjC,wBAAwB,EAAC;AAAA,IACzB,qBAAqB;AAAC,GACxB;AACF;AAEA,eAAsB,iBAAA,CACpB,OAAA,EACA,IAAA,GAAwB,EAAC,EACK;AAC9B,EAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AAItC,EAAA,MAAM,SAAA,GAAyB;AAAA,IAC7B,QAAQ,IAAA,CAAK,MAAA;AAAA,IACb,QAAA,EAAU;AAAA,GACZ;AAEA,EAAA,IAAI;AACF,IAAA,OAAO,MAAM,cAAA,CAAe,IAAA,EAAM,SAAA,EAAW,IAAI,CAAA;AAAA,EACnD,SAAS,MAAA,EAAQ;AAKf,IAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,OAAA,EAAS,MAAM,MAAA;AAKhC,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,mBAAA,CAAoB,IAAA,EAAM,SAAA,EAAW,IAAI,CAAA;AAAA,IACxD,CAAA,CAAA,MAAQ;AACN,MAAA,MAAM,MAAA;AAAA,IACR;AAAA,EACF;AACF;ACrOA,IAAM,IAAA,GAAO,UAAU,QAAQ,CAAA;AAS/B,SAAS,uBAAA,GAAgC;AACvC,EAAA,IAAI,OAAA,CAAQ,aAAa,QAAA,EAAU;AACjC,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,sFAAA,EACoB,QAAQ,QAAQ,CAAA,2FAAA;AAAA,KAEtC;AAAA,EACF;AACF;AAGO,SAAS,cAAA,CACd,SACA,MAAA,EACQ;AACR,EAAA,IAAI,CAAC,SAAS,OAAO,MAAA;AACrB,EAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,UAAA,EAAY,MAAM,CAAA;AAC3C;AAGA,eAAsB,iBAAA,CACpB,SACA,OAAA,EAC6B;AAC7B,EAAA,uBAAA,EAAwB;AACxB,EAAA,IAAI;AACF,IAAA,MAAM,EAAE,MAAA,EAAO,GAAI,MAAM,KAAK,UAAA,EAAY;AAAA,MACxC,uBAAA;AAAA,MACA,IAAA;AAAA,MACA,OAAA;AAAA,MACA,IAAA;AAAA,MACA,OAAA;AAAA,MACA;AAAA,KACD,CAAA;AACD,IAAA,MAAM,CAAA,GAAI,MAAA,CAAO,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AAClC,IAAA,OAAO,CAAA,IAAK,KAAA,CAAA;AAAA,EACd,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,MAAA;AAAA,EACT;AACF;AAGA,eAAsB,kBAAA,CACpB,OAAA,EACA,OAAA,EACA,KAAA,EACe;AACf,EAAA,uBAAA,EAAwB;AACxB,EAAA,MAAM,KAAK,UAAA,EAAY;AAAA,IACrB,sBAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,OAAA;AAAA,IACA,IAAA;AAAA,IACA,OAAA;AAAA,IACA,IAAA;AAAA,IACA,KAAA;AAAA,IACA,IAAA;AAAA,IACA;AAAA,GACD,CAAA;AACH;;;AC/DA,IAAM,cAAA,GAAiBA,EAAE,MAAA,CAAO;AAAA,EAC9B,CAAA,EAAGA,EAAE,MAAA,EAAO;AAAA,EACZ,CAAA,EAAGA,EAAE,IAAA,CAAK,CAAC,OAAO,WAAA,EAAa,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,EAC/C,CAAA,EAAGA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACvB,CAAA,EAAGA,CAAAA,CAAE,MAAA,CAAOA,CAAAA,CAAE,MAAA,IAAUA,CAAAA,CAAE,OAAA,EAAS,CAAA,CAAE,QAAA;AACvC,CAAC,CAAA;AAEM,IAAM,gBAAN,MAA+C;AAAA,EACpD,MAAM,KAAK,GAAA,EAAsD;AAC/D,IAAA,MAAM,OAAA,GAAU,GAAA,CAAI,OAAA,IAAW,GAAA,CAAI,IAAA;AACnC,IAAA,MAAM,GAAA,GAAM,MAAM,iBAAA,CAAkB,GAAA,CAAI,MAAM,OAAO,CAAA;AACrD,IAAA,IAAI,GAAA,KAAQ,QAAW,OAAO,MAAA;AAE9B,IAAA,IAAI;AACF,MAAA,MAAM,WAAW,cAAA,CAAe,KAAA,CAAM,IAAA,CAAK,KAAA,CAAM,GAAG,CAAC,CAAA;AACrD,MAAA,OAAO;AAAA,QACL,OAAO,QAAA,CAAS,CAAA;AAAA,QAChB,MAAM,QAAA,CAAS,CAAA;AAAA,QACf,GAAI,SAAS,CAAA,KAAM,KAAA,CAAA,GAAY,EAAE,SAAA,EAAW,QAAA,CAAS,CAAA,EAAE,GAAI,EAAC;AAAA,QAC5D,GAAI,SAAS,CAAA,KAAM,KAAA,CAAA,GAAY,EAAE,QAAA,EAAU,QAAA,CAAS,CAAA,EAAE,GAAI;AAAC,OAC7D;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,EAAE,KAAA,EAAO,GAAA,EAAK,IAAA,EAAM,KAAA,EAAM;AAAA,IACnC;AAAA,EACF;AAAA,EAEA,MAAM,KAAA,CAAM,GAAA,EAAe,IAAA,EAAuC;AAChE,IAAA,MAAM,OAAA,GAAU,GAAA,CAAI,OAAA,IAAW,GAAA,CAAI,IAAA;AACnC,IAAA,MAAM,QAAA,GAA2C;AAAA,MAC/C,GAAG,IAAA,CAAK,KAAA;AAAA,MACR,GAAG,IAAA,CAAK,IAAA;AAAA,MACR,GAAI,KAAK,SAAA,KAAc,MAAA,GAAY,EAAE,CAAA,EAAG,IAAA,CAAK,SAAA,EAAU,GAAI,EAAC;AAAA,MAC5D,GAAI,KAAK,QAAA,KAAa,MAAA,GAAY,EAAE,CAAA,EAAG,IAAA,CAAK,QAAA,EAAS,GAAI;AAAC,KAC5D;AACA,IAAA,MAAM,mBAAmB,GAAA,CAAI,IAAA,EAAM,SAAS,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAC,CAAA;AAAA,EACtE;AACF;;;ACtCO,SAAS,eAAA,CACd,IAAA,EACA,MAAA,EACA,QAAA,EACU;AACV,EAAA,MAAM,IAAA,GAAO,IAAA,CAAK,IAAA,IAAQ,IAAA,CAAK,QAAA;AAC/B,EAAA,OAAO;AAAA,IACL,MAAM,QAAA,GAAW,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,IAAI,CAAA,CAAA,GAAK,IAAA;AAAA,IACzC,OAAA,EAAS,cAAA,CAAe,IAAA,CAAK,OAAA,EAAS,MAAM;AAAA,GAC9C;AACF;AAOO,SAAS,gBAAA,CACd,IAAA,EACA,MAAA,EACA,QAAA,EACwC;AACxC,EAAA,MAAM,GAAA,GAAM,eAAA,CAAgB,IAAA,EAAM,MAAA,EAAQ,QAAQ,CAAA;AAClD,EAAA,MAAM,SAAA,GAAY,QAAA,GAAW,eAAA,CAAgB,IAAA,EAAM,MAAM,CAAA,GAAI,GAAA;AAC7D,EAAA,OAAO,EAAE,KAAK,SAAA,EAAU;AAC1B;AAcA,eAAsB,wBAAA,CACpB,KAAA,EACA,GAAA,EACA,SAAA,EACuC;AACvC,EAAA,MAAM,MAAA,GAAS,MAAM,KAAA,CAAM,IAAA,CAAK,GAAG,CAAA;AACnC,EAAA,IAAI,QAAQ,OAAO,MAAA;AACnB,EAAA,IAAI,IAAI,IAAA,KAAS,SAAA,CAAU,QAAQ,GAAA,CAAI,OAAA,KAAY,UAAU,OAAA,EAAS;AACpE,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,OAAO,KAAA,CAAM,KAAK,SAAS,CAAA;AAC7B;;;ACxCA,eAAe,YAAY,KAAA,EAAgC;AACzD,EAAA,MAAM,QAAQ,OAAA,CAAQ,KAAA;AACtB,EAAA,MAAM,MAAM,OAAA,CAAQ,MAAA;AAEpB,EAAA,IAAI,CAAC,MAAM,KAAA,EAAO;AAChB,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,KAAY;AAC9B,MAAA,MAAM,KAAK,eAAA,CAAgB,EAAE,KAAA,EAAO,MAAA,EAAQ,KAAK,CAAA;AACjD,MAAA,GAAA,CAAI,KAAA,CAAM,CAAA,EAAG,KAAK,CAAA,EAAA,CAAI,CAAA;AACtB,MAAA,EAAA,CAAG,QAAA,CAAS,EAAA,EAAI,CAAC,MAAA,KAAW;AAC1B,QAAA,EAAA,CAAG,KAAA,EAAM;AACT,QAAA,OAAA,CAAQ,MAAA,CAAO,MAAM,CAAA;AAAA,MACvB,CAAC,CAAA;AAAA,IACH,CAAC,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACtC,IAAA,GAAA,CAAI,KAAA,CAAM,CAAA,EAAG,KAAK,CAAA,EAAA,CAAI,CAAA;AACtB,IAAA,MAAM,QAAkB,EAAC;AACzB,IAAA,KAAA,CAAM,WAAW,IAAI,CAAA;AACrB,IAAA,KAAA,CAAM,MAAA,EAAO;AACb,IAAA,KAAA,CAAM,YAAY,MAAM,CAAA;AAExB,IAAA,MAAM,UAAU,MAAM;AACpB,MAAA,KAAA,CAAM,WAAW,KAAK,CAAA;AACtB,MAAA,KAAA,CAAM,KAAA,EAAM;AACZ,MAAA,KAAA,CAAM,cAAA,CAAe,QAAQ,MAAM,CAAA;AAAA,IACrC,CAAA;AAEA,IAAA,MAAM,MAAA,GAAS,CAAC,KAAA,KAAkB;AAChC,MAAA,KAAA,MAAW,MAAM,KAAA,EAAO;AACtB,QAAA,QAAQ,EAAA;AAAI,UACV,KAAK,IAAA;AAAA,UACL,KAAK,IAAA;AACH,YAAA,GAAA,CAAI,MAAM,IAAI,CAAA;AACd,YAAA,OAAA,EAAQ;AACR,YAAA,OAAA,CAAQ,KAAA,CAAM,IAAA,CAAK,EAAE,CAAA,CAAE,MAAM,CAAA;AAC7B,YAAA;AAAA,UACF,KAAK,GAAA;AACH,YAAA,GAAA,CAAI,MAAM,IAAI,CAAA;AACd,YAAA,OAAA,EAAQ;AACR,YAAA,MAAA,CAAO,IAAI,KAAA,CAAM,gBAAgB,CAAC,CAAA;AAClC,YAAA;AAAA,UACF,KAAK,GAAA;AACH,YAAA,GAAA,CAAI,MAAM,IAAI,CAAA;AACd,YAAA,OAAA,EAAQ;AACR,YAAA,OAAA,CAAQ,KAAA,CAAM,IAAA,CAAK,EAAE,CAAA,CAAE,MAAM,CAAA;AAC7B,YAAA;AAAA,UACF,KAAK,MAAA;AAAA;AAAA,UACL,KAAK,IAAA;AACH,YAAA,IAAI,KAAA,CAAM,SAAS,CAAA,EAAG;AACpB,cAAA,KAAA,CAAM,GAAA,EAAI;AACV,cAAA,GAAA,CAAI,MAAM,OAAO,CAAA;AAAA,YACnB;AACA,YAAA;AAAA,UACF;AAEE,YAAA,IAAI,MAAM,GAAA,EAAK;AACb,cAAA,KAAA,CAAM,KAAK,EAAE,CAAA;AACb,cAAA,GAAA,CAAI,MAAM,GAAG,CAAA;AAAA,YACf;AAAA;AACJ,MACF;AAAA,IACF,CAAA;AAEA,IAAA,KAAA,CAAM,EAAA,CAAG,QAAQ,MAAM,CAAA;AAAA,EACzB,CAAC,CAAA;AACH;AAEO,IAAM,aAAA,GAA4B;AAAA,EACvC,EAAA,EAAI,KAAA;AAAA,EAEJ,MAAM,GAAA,CACJ,QAAA,EACA,WAAA,EACA,IAAA,EACqB;AACrB,IAAA,MAAM,EAAE,MAAK,GAAI,QAAA;AACjB,IAAA,IAAI,IAAA,CAAK,SAAS,KAAA,EAAO;AACvB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,kCAAA,EAAqC,IAAA,CAAK,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,IACnE;AAEA,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,IAAS,IAAI,aAAA,EAAc;AAC9C,IAAA,MAAM,EAAE,GAAA,EAAK,SAAA,EAAU,GAAI,gBAAA;AAAA,MACzB,IAAA,CAAK,UAAA;AAAA,MACL,IAAA,CAAK,MAAA;AAAA,MACL,QAAA,CAAS;AAAA,KACX;AAEA,IAAA,IAAI,CAAC,KAAK,KAAA,EAAO;AACf,MAAA,MAAM,QAAA,GAAW,MAAM,wBAAA,CAAyB,KAAA,EAAO,KAAK,SAAS,CAAA;AACrE,MAAA,IAAI,QAAA,EAAU;AACZ,QAAA,OAAO,EAAE,WAAA,EAAa,QAAA,CAAS,KAAA,EAAO,WAAW,KAAA,EAAM;AAAA,MACzD;AAAA,IACF;AAEA,IAAA,MAAM,QAAQ,MAAM,WAAA,CAAY,CAAA,EAAG,QAAA,CAAS,EAAE,CAAA,sBAAA,CAAwB,CAAA;AACtE,IAAA,IAAI,CAAC,KAAA,EAAO,MAAM,IAAI,MAAM,mBAAmB,CAAA;AAE/C,IAAA,MAAM,KAAA,CAAM,MAAM,GAAA,EAAK,EAAE,OAAO,KAAA,EAAO,IAAA,EAAM,OAAO,CAAA;AAEpD,IAAA,OAAO,EAAE,WAAA,EAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAM;AAAA,EAChD;AACF,CAAA;AC/GA,IAAM,SAAA,GAAYC,UAAUC,QAAQ,CAAA;AAS7B,IAAM,kBAAA,GAAqBF,EAC/B,MAAA,CAAO;AAAA,EACN,YAAA,EAAcA,EAAE,MAAA,EAAO;AAAA,EACvB,UAAA,EAAYA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAChC,aAAA,EAAeA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACnC,kBAAA,EAAoBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxC,oBAAA,EAAsBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC1C,iBAAA,EAAmBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA;AAAA,EAEvC,UAAA,EAAYA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAChC,KAAA,EAAOA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC3B,OAAA,EAASA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC7B,aAAA,EAAeA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AAC5B,CAAC,EACA,KAAA,EAAM;AAGF,IAAM,gBAAA,GAAmBA,EAC7B,MAAA,CAAO;AAAA,EACN,KAAA,EAAOA,EAAE,MAAA,EAAO;AAAA,EAChB,iBAAA,EAAmBA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AAChC,CAAC,EACA,KAAA,EAAM;AAKF,IAAM,sBAAsBA,CAAAA,CAAE,KAAA,CAAM,CAAC,kBAAA,EAAoB,gBAAgB,CAAC,CAAA;AAMjF,eAAsB,YAAY,GAAA,EAA4B;AAC5D,EAAA,MAAM,CAAC,GAAA,EAAK,IAAI,CAAA,GACd,OAAA,CAAQ,QAAA,KAAa,QAAA,GACjB,CAAC,MAAA,EAAQ,CAAC,GAAG,CAAC,CAAA,GACd,OAAA,CAAQ,QAAA,KAAa,OAAA,GACnB,CAAC,KAAA,EAAO,CAAC,IAAA,EAAM,OAAA,EAAS,GAAG,CAAC,CAAA,GAC5B,CAAC,UAAA,EAAY,CAAC,GAAG,CAAC,CAAA;AAC1B,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,CAAU,KAAK,IAAI,CAAA;AAAA,EAC3B,CAAA,CAAA,MAAQ;AAAA,EAER;AACF;AAKA,eAAsB,aAAA,CACpB,GAAA,EACA,MAAA,EACA,MAAA,EACA,MAAA,EACY;AACZ,EAAA,MAAM,GAAA,GAAM,MAAM,iBAAA,CAAkB,GAAA,EAAK;AAAA,IACvC,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,IAC/D,IAAA,EAAM,IAAI,eAAA,CAAgB,MAAM,EAAE,QAAA,EAAS;AAAA,IAC3C;AAAA,GACD,CAAA;AACD,EAAA,OAAO,MAAA,CAAO,KAAA,CAAM,MAAM,GAAA,CAAI,MAAM,CAAA;AACtC;AAmBA,eAAsB,gBACpB,CAAA,EACuB;AACvB,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,GAAA,EAAI,GAAI,EAAE,SAAA,GAAY,GAAA;AAC5C,EAAA,IAAI,MAAA,GAAS,EAAE,SAAA,GAAY,GAAA;AAE3B,EAAA,OAAO,IAAA,CAAK,GAAA,EAAI,GAAI,QAAA,EAAU;AAC5B,IAAA,IAAI,EAAE,MAAA,EAAQ,OAAA,EAAS,MAAM,IAAI,MAAM,gBAAgB,CAAA;AACvD,IAAA,MAAM,IAAI,OAAA,CAAc,CAAC,MAAM,UAAA,CAAW,CAAA,EAAG,MAAM,CAAC,CAAA;AAEpD,IAAA,MAAM,OAAO,MAAM,aAAA;AAAA,MACjB,CAAA,CAAE,aAAA;AAAA,MACF,EAAE,UAAA,EAAY,CAAA,CAAE,SAAA,EAAW,GAAG,EAAE,MAAA,EAAO;AAAA,MACvC,mBAAA;AAAA,MACA,CAAA,CAAE;AAAA,KACJ;AAEA,IAAA,IAAI,EAAE,OAAA,IAAW,IAAA,CAAA,EAAO,OAAO,IAAA;AAE/B,IAAA,MAAM,UAAU,IAAA,CAAK,KAAA;AACrB,IAAA,IAAI,YAAY,uBAAA,EAAyB;AACzC,IAAA,IAAI,YAAY,WAAA,EAAa;AAC3B,MAAA,MAAA,IAAU,GAAA;AACV,MAAA;AAAA,IACF;AACA,IAAA,IAAI,YAAY,eAAA,EAAiB;AAC/B,MAAA,MAAM,IAAI,MAAM,wDAAmD,CAAA;AAAA,IACrE;AACA,IAAA,IAAI,YAAY,eAAA,EAAiB;AAC/B,MAAA,MAAM,IAAI,MAAM,8DAAyD,CAAA;AAAA,IAC3E;AAEA,IAAA,MAAM,OAAO,IAAA,CAAK,iBAAA;AAClB,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,sBAAA,EAAyB,OAAO,CAAA,EAAG,OAAO,CAAA,QAAA,EAAM,IAAI,CAAA,CAAA,GAAK,EAAE,CAAA,CAAE,CAAA;AAAA,EAC/E;AAEA,EAAA,MAAM,IAAI,MAAM,4CAAuC,CAAA;AACzD;;;ACxGA,IAAM,gBAAA,GAAmB,wCAAA;AACzB,IAAM,qBAAA,GAAwB,6CAAA;AAC9B,IAAM,uBAAA,GAA0B,CAAA;AAUhC,IAAM,sBAAA,GAAyBA,EAC5B,MAAA,CAAO;AAAA,EACN,eAAA,EAAiBA,EAAE,MAAA,EAAO;AAAA,EAC1B,WAAA,EAAaA,EAAE,MAAA,EAAO;AAAA,EACtB,KAAA,EAAOA,EACJ,MAAA,CAAO;AAAA,IACN,SAAA,EAAWA,EAAE,MAAA,EAAO;AAAA,IACpB,gBAAA,EAAkBA,EAAE,MAAA,EAAO;AAAA,IAC3B,UAAA,EAAYA,EAAE,MAAA,EAAO;AAAA,IACrB,QAAA,EAAUA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AAAS,GAC/B,EACA,KAAA;AACL,CAAC,EACA,KAAA,EAAM;AAIT,eAAe,QAAA,CACb,GAAA,EACA,IAAA,EACA,MAAA,EACA,MAAA,EACY;AACZ,EAAA,MAAM,GAAA,GAAM,MAAM,iBAAA,CAAkB,GAAA,EAAK;AAAA,IACvC,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAAA,IAC9C,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,IAAI,CAAA;AAAA,IACzB;AAAA,GACD,CAAA;AACD,EAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,IAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,IAAA,MAAM,IAAI,MAAM,CAAA,KAAA,EAAQ,GAAG,WAAM,GAAA,CAAI,MAAM,CAAA,EAAA,EAAK,IAAI,CAAA,CAAE,CAAA;AAAA,EACxD;AACA,EAAA,OAAO,MAAA,CAAO,KAAA,CAAM,MAAM,GAAA,CAAI,MAAM,CAAA;AACtC;AAQA,eAAe,iBAAA,CACb,aAAA,EACA,SAAA,EACA,QAAA,EACA,MAAA,EAC8B;AAC9B,EAAA,IAAI;AACF,IAAA,MAAM,OAAO,MAAM,aAAA;AAAA,MACjB,aAAA;AAAA,MACA;AAAA,QACE,UAAA,EAAY,qBAAA;AAAA,QACZ,SAAA;AAAA,QACA,SAAA,EAAW;AAAA,OACb;AAAA,MACA,mBAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,IAAI,OAAA,IAAW,MAAM,OAAO,IAAA;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAIO,IAAM,qBAAA,GAAoC;AAAA,EAC/C,EAAA,EAAI,cAAA;AAAA,EAEJ,MAAM,GAAA,CACJ,QAAA,EACA,UAAA,EACA,IAAA,EACqB;AACrB,IAAA,MAAM,EAAE,MAAK,GAAI,QAAA;AACjB,IAAA,IAAI,IAAA,CAAK,SAAS,cAAA,EAAgB;AAChC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,0CAAA,EAA6C,IAAA,CAAK,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,IAC3E;AAGA,IAAA,MAAM,MAAA,GAAS,IAAA;AACf,IAAA,MAAM,QAAA,GAAW,OAAO,QAAA,IAAY,gBAAA;AACpC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,EAAE,CAAA;AAG5C,IAAA,MAAM,gBAAA,GACJ,UAAA,EAAY,gBAAA,IAAoB,CAAA,EAAG,MAAM,CAAA,eAAA,CAAA;AAC3C,IAAA,MAAM,aAAA,GACJ,UAAA,EAAY,aAAA,IAAiB,CAAA,EAAG,MAAM,CAAA,YAAA,CAAA;AAGxC,IAAA,eAAA,CAAgB,gBAAgB,CAAA;AAChC,IAAA,eAAA,CAAgB,aAAa,CAAA;AAE7B,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,IAAS,IAAI,aAAA,EAAc;AAC9C,IAAA,MAAM,EAAE,GAAA,EAAK,SAAA,EAAU,GAAI,gBAAA;AAAA,MACzB,MAAA,CAAO,UAAA;AAAA,MACP,MAAA;AAAA,MACA,QAAA,CAAS;AAAA,KACX;AAMA,IAAA,IAAI,CAAC,KAAK,KAAA,EAAO;AACf,MAAA,MAAM,MAAA,GAAS,MAAM,wBAAA,CAAyB,KAAA,EAAO,KAAK,SAAS,CAAA;AACnE,MAAA,IAAI,MAAA,EAAQ;AACV,QAAA,MAAM,YAAY,MAAM,iBAAA;AAAA,UACtB,aAAA;AAAA,UACA,MAAA,CAAO,KAAA;AAAA,UACP,QAAA;AAAA,UACA,IAAA,CAAK;AAAA,SACP;AACA,QAAA,IAAI,SAAA,EAAW;AAGb,UAAA,IAAI,UAAU,kBAAA,EAAoB;AAChC,YAAA,MAAM,KAAA,CAAM,MAAM,GAAA,EAAK;AAAA,cACrB,OAAO,SAAA,CAAU,kBAAA;AAAA,cACjB,IAAA,EAAM;AAAA,aACP,CAAA;AAAA,UACH;AACA,UAAA,OAAO;AAAA,YACL,aAAa,SAAA,CAAU,YAAA;AAAA,YACvB,GAAI,UAAU,kBAAA,GACV,EAAE,mBAAmB,SAAA,CAAU,kBAAA,KAC/B,EAAC;AAAA,YACL,SAAA,EAAW;AAAA,WACb;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,MAAM,WAAW,MAAM,QAAA;AAAA,MACrB,gBAAA;AAAA,MACA;AAAA,QACE,IAAA,EAAM,cAAA;AAAA,QACN,SAAA,EAAW,QAAA;AAAA,QACX,GAAI,OAAO,SAAA,GAAY,EAAE,YAAY,MAAA,CAAO,SAAA,KAAc;AAAC,OAC7D;AAAA,MACA,sBAAA;AAAA,MACA,IAAA,CAAK;AAAA,KACP;AAEA,IAAA,MAAM,EAAE,WAAA,EAAa,KAAA,EAAM,GAAI,QAAA;AAC/B,IAAA,MAAM,SAAA,GAAY,MAAM,QAAA,IAAY,uBAAA;AACpC,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,KAAA,CAAM,KAAA,CAAM,aAAa,EAAE,CAAA;AAGlD,IAAA,OAAA,CAAQ,OAAO,KAAA,CAAM;AAAA,CAAI,CAAA;AACzB,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,UAAA,EAAa,QAAA,CAAS,EAAE,CAAA;;AAAA,CAA6B,CAAA;AAC1E,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,SAAA,EAAY,KAAA,CAAM,SAAS;AAAA,CAAI,CAAA;AACpD,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,SAAA,EAAY,KAAA,CAAM,gBAAgB;;AAAA,CAAM,CAAA;AAC7D,IAAA,IAAI,IAAA,CAAK,gBAAgB,KAAA,EAAO;AAC9B,MAAA,MAAM,WAAA,CAAY,MAAM,gBAAgB,CAAA;AAAA,IAC1C;AACA,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,wBAAA,EAA2B,SAAS,CAAA;;AAAA,CAAY,CAAA;AAGrE,IAAA,MAAM,WAAA,GAAc,MAAM,eAAA,CAAgB;AAAA,MACxC,aAAA;AAAA,MACA,SAAA,EAAW,gBAAA;AAAA,MACX,MAAA,EAAQ,EAAE,WAAA,EAAa,SAAA,EAAW,QAAA,EAAS;AAAA,MAC3C,SAAA;AAAA,MACA,WAAW,KAAA,CAAM,UAAA;AAAA,MACjB,QAAQ,IAAA,CAAK;AAAA,KACd,CAAA;AAMD,IAAA,MAAM,cAAc,WAAA,CAAY,YAAA;AAChC,IAAA,MAAM,YAAY,WAAA,CAAY,kBAAA;AAG9B,IAAA,IAAI,gBAAA;AACJ,IAAA,IAAI,YAAY,iBAAA,EAAmB;AACjC,MAAA,gBAAA,GAAmB,WAAA,CAAY,iBAAA;AAAA,IACjC,CAAA,MAAA,IAAW,YAAY,oBAAA,EAAsB;AAC3C,MAAA,gBAAA,GAAmB,IAAI,IAAA;AAAA,QACrB,IAAA,CAAK,GAAA,EAAI,GAAI,WAAA,CAAY,oBAAA,GAAuB;AAAA,QAChD,WAAA,EAAY;AAAA,IAChB;AAEA,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,MAAM,KAAA,CAAM,MAAM,GAAA,EAAK;AAAA,QACrB,KAAA,EAAO,SAAA;AAAA,QACP,IAAA,EAAM,WAAA;AAAA,QACN,GAAI,gBAAA,GAAmB,EAAE,SAAA,EAAW,gBAAA,KAAqB;AAAC,OAC3D,CAAA;AAAA,IACH;AAEA,IAAA,OAAO;AAAA,MACL,WAAA;AAAA,MACA,iBAAA,EAAmB,SAAA;AAAA,MACnB,gBAAA;AAAA,MACA,SAAA,EAAW;AAAA,KACb;AAAA,EACF;AACF,CAAA;ACzNA,IAAM,sBAAA,GAAyB,8CAAA;AAC/B,IAAM,kBAAA,GAAqB,eAAA;AAC3B,IAAMG,wBAAAA,GAA0B,CAAA;AAOzB,IAAM,qBAAA,GAAN,cAAoC,KAAA,CAAM;AAAA,EAC/C,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,uBAAA;AAAA,EACd;AACF;AAQA,IAAM,iCAAA,GAAoCH,EACvC,MAAA,CAAO;AAAA,EACN,WAAA,EAAaA,EAAE,MAAA,EAAO;AAAA,EACtB,SAAA,EAAWA,EAAE,MAAA,EAAO;AAAA,EACpB,gBAAA,EAAkBA,EAAE,MAAA,EAAO;AAAA,EAC3B,yBAAA,EAA2BA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC/C,UAAA,EAAYA,EAAE,MAAA,EAAO;AAAA,EACrB,QAAA,EAAUA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AACvB,CAAC,EACA,KAAA,EAAM;AAIT,eAAe,uBAAA,CACb,GAAA,EACA,MAAA,EACA,MAAA,EACA;AACA,EAAA,MAAM,GAAA,GAAM,MAAM,iBAAA,CAAkB,GAAA,EAAK;AAAA,IACvC,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,IAC/D,IAAA,EAAM,IAAI,eAAA,CAAgB,MAAM,EAAE,QAAA,EAAS;AAAA,IAC3C;AAAA,GACD,CAAA;AACD,EAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,IAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,IAAA,MAAM,IAAI,MAAM,CAAA,KAAA,EAAQ,GAAG,WAAM,GAAA,CAAI,MAAM,CAAA,EAAA,EAAK,IAAI,CAAA,CAAE,CAAA;AAAA,EACxD;AACA,EAAA,OAAO,iCAAA,CAAkC,KAAA,CAAM,MAAM,GAAA,CAAI,MAAM,CAAA;AACjE;AAIA,SAAS,UAAA,CACP,UACA,GAAA,EACoB;AACpB,EAAA,MAAM,CAAA,GAAI,WAAW,GAAG,CAAA;AACxB,EAAA,OAAO,OAAO,CAAA,KAAM,QAAA,GAAW,CAAA,GAAI,MAAA;AACrC;AAEA,SAAS,UAAU,IAAA,EAAiC;AAClD,EAAA,IAAI,CAAC,IAAA,CAAK,SAAA,EAAW,OAAO,KAAA;AAC5B,EAAA,MAAM,CAAA,GAAI,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,SAAS,CAAA;AACnC,EAAA,IAAI,MAAA,CAAO,KAAA,CAAM,CAAC,CAAA,EAAG,OAAO,IAAA;AAC5B,EAAA,OAAO,CAAA,IAAK,KAAK,GAAA,EAAI;AACvB;AAEA,SAAS,iBAAiB,IAAA,EAAoC;AAC5D,EAAA,MAAM,YAAA,GAAe,UAAA,CAAW,IAAA,CAAK,QAAA,EAAU,cAAc,CAAA;AAC7D,EAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,IAAA,CAAK,QAAA,EAAU,OAAO,CAAA;AAC/C,EAAA,MAAM,OAAA,GAAU,UAAA,CAAW,IAAA,CAAK,QAAA,EAAU,SAAS,CAAA;AACnD,EAAA,MAAM,YAAA,GAAe,UAAA,CAAW,IAAA,CAAK,QAAA,EAAU,cAAc,CAAA;AAC7D,EAAA,OAAO;AAAA,IACL,aAAa,IAAA,CAAK,KAAA;AAAA,IAClB,SAAA,EAAW,QAAA;AAAA,IACX,GAAI,YAAA,GAAe,EAAE,YAAA,KAAiB,EAAC;AAAA,IACvC,GAAI,KAAA,GAAQ,EAAE,KAAA,KAAU,EAAC;AAAA,IACzB,GAAI,OAAA,GAAU,EAAE,OAAA,KAAY,EAAC;AAAA,IAC7B,GAAI,YAAA,GAAe,EAAE,YAAA,KAAiB;AAAC,GACzC;AACF;AAKA,eAAe,kBAAA,CACb,aAAA,EACA,YAAA,EACA,QAAA,EACA,MAAA,EAC8B;AAC9B,EAAA,IAAI;AACF,IAAA,MAAM,OAAO,MAAM,aAAA;AAAA,MACjB,aAAA;AAAA,MACA;AAAA,QACE,UAAA,EAAY,kBAAA;AAAA,QACZ,aAAA,EAAe,YAAA;AAAA,QACf,SAAA,EAAW;AAAA,OACb;AAAA,MACA,mBAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,IAAI,OAAA,IAAW,MAAM,OAAO,IAAA;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAEA,eAAe,gBAAA,CACb,KAAA,EACA,GAAA,EACA,CAAA,EASqB;AACrB,EAAA,MAAM,SAAA,GAAY,CAAA,CAAE,SAAA,GAChB,IAAI,IAAA,CAAK,IAAA,CAAK,GAAA,EAAI,GAAI,CAAA,CAAE,SAAA,GAAY,GAAK,CAAA,CAAE,aAAY,GACvD,MAAA;AAEJ,EAAA,MAAM,QAAA,GAAoC;AAAA,IACxC,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,IACnC,GAAI,EAAE,YAAA,GAAe,EAAE,cAAc,CAAA,CAAE,YAAA,KAAiB,EAAC;AAAA,IACzD,GAAI,EAAE,KAAA,GAAQ,EAAE,OAAO,CAAA,CAAE,KAAA,KAAU,EAAC;AAAA,IACpC,GAAI,EAAE,OAAA,GAAU,EAAE,SAAS,CAAA,CAAE,OAAA,KAAY,EAAC;AAAA,IAC1C,GAAI,EAAE,WAAA,GAAc,EAAE,aAAa,CAAA,CAAE,WAAA,KAAgB,EAAC;AAAA,IACtD,GAAI,EAAE,YAAA,GAAe,EAAE,cAAc,CAAA,CAAE,YAAA,KAAiB;AAAC,GAC3D;AAEA,EAAA,MAAM,KAAA,CAAM,MAAM,GAAA,EAAK;AAAA,IACrB,OAAO,CAAA,CAAE,WAAA;AAAA,IACT,IAAA,EAAM,QAAA;AAAA,IACN,GAAI,SAAA,GAAY,EAAE,SAAA,KAAc,EAAC;AAAA,IACjC;AAAA,GACD,CAAA;AAED,EAAA,OAAO;AAAA,IACL,aAAa,CAAA,CAAE,WAAA;AAAA,IACf,SAAA,EAAW,QAAA;AAAA,IACX,GAAI,EAAE,YAAA,GAAe,EAAE,cAAc,CAAA,CAAE,YAAA,KAAiB,EAAC;AAAA,IACzD,GAAI,EAAE,KAAA,GAAQ,EAAE,OAAO,CAAA,CAAE,KAAA,KAAU,EAAC;AAAA,IACpC,GAAI,EAAE,OAAA,GAAU,EAAE,SAAS,CAAA,CAAE,OAAA,KAAY,EAAC;AAAA,IAC1C,GAAI,EAAE,YAAA,GAAe,EAAE,cAAc,CAAA,CAAE,YAAA,KAAiB;AAAC,GAC3D;AACF;AAIO,IAAM,oBAAA,GAAmC;AAAA,EAC9C,EAAA,EAAI,aAAA;AAAA,EAEJ,MAAM,GAAA,CACJ,QAAA,EACA,UAAA,EACA,IAAA,EACqB;AACrB,IAAA,MAAM,EAAE,MAAK,GAAI,QAAA;AACjB,IAAA,IAAI,IAAA,CAAK,SAAS,aAAA,EAAe;AAC/B,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,yCAAA,EAA4C,IAAA,CAAK,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,IAC1E;AAGA,IAAA,MAAM,MAAA,GAAS,IAAA;AACf,IAAA,MAAM,QAAA,GAAW,OAAO,QAAA,IAAY,gBAAA;AACpC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,EAAE,CAAA;AAG5C,IAAA,MAAM,2BAAA,GACJ,UAAA,EAAY,2BAAA,IAA+B,CAAA,EAAG,MAAM,CAAA,aAAA,CAAA;AACtD,IAAA,MAAM,aAAA,GAAgB,UAAA,EAAY,aAAA,IAAiB,CAAA,EAAG,MAAM,CAAA,YAAA,CAAA;AAG5D,IAAA,eAAA,CAAgB,2BAA2B,CAAA;AAC3C,IAAA,eAAA,CAAgB,aAAa,CAAA;AAE7B,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,IAAS,IAAI,aAAA,EAAc;AAC9C,IAAA,MAAM,EAAE,GAAA,EAAK,SAAA,EAAU,GAAI,gBAAA;AAAA,MACzB,MAAA,CAAO,UAAA;AAAA,MACP,MAAA;AAAA,MACA,QAAA,CAAS;AAAA,KACX;AAMA,IAAA,eAAe,WAAW,MAAA,EAAsD;AAC9E,MAAA,MAAM,YAAA,GAAe,UAAA,CAAW,MAAA,CAAO,QAAA,EAAU,cAAc,CAAA;AAC/D,MAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAC1B,MAAA,MAAM,YAAY,MAAM,kBAAA;AAAA,QACtB,aAAA;AAAA,QACA,YAAA;AAAA,QACA,QAAA;AAAA,QACA,IAAA,CAAK;AAAA,OACP;AACA,MAAA,IAAI,CAAC,WAAW,OAAO,IAAA;AACvB,MAAA,OAAO,gBAAA,CAAiB,OAAO,GAAA,EAAK;AAAA,QAClC,aAAa,SAAA,CAAU,YAAA;AAAA,QACvB,WAAW,SAAA,CAAU,UAAA;AAAA,QACrB,YAAA,EAAc,UAAU,aAAA,IAAiB,YAAA;AAAA,QACzC,OAAO,SAAA,CAAU,KAAA,IAAS,UAAA,CAAW,MAAA,CAAO,UAAU,OAAO,CAAA;AAAA,QAC7D,SAAS,SAAA,CAAU,OAAA,IAAW,UAAA,CAAW,MAAA,CAAO,UAAU,SAAS,CAAA;AAAA,QACnE,aACE,MAAA,CAAO,WAAA,IAAe,UAAA,CAAW,MAAA,CAAO,UAAU,aAAa,CAAA;AAAA,QACjE,cACE,SAAA,CAAU,aAAA,IAAiB,UAAA,CAAW,MAAA,CAAO,UAAU,cAAc;AAAA,OACxE,CAAA;AAAA,IACH;AAKA,IAAA,IAAI,KAAK,WAAA,EAAa;AACpB,MAAA,MAAM,MAAA,GAAS,MAAM,wBAAA,CAAyB,KAAA,EAAO,KAAK,SAAS,CAAA;AACnE,MAAA,IAAI,MAAA,EAAQ;AACV,QAAA,IAAI,CAAC,SAAA,CAAU,MAAM,CAAA,EAAG;AACtB,UAAA,OAAO,iBAAiB,MAAM,CAAA;AAAA,QAChC;AACA,QAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,MAAM,CAAA;AACzC,QAAA,IAAI,WAAW,OAAO,SAAA;AAAA,MACxB;AACA,MAAA,MAAM,IAAI,qBAAA;AAAA,QACR,CAAA,EAAG,SAAS,EAAE,CAAA,0HAAA;AAAA,OAChB;AAAA,IACF;AAMA,IAAA,IAAI,CAAC,KAAK,KAAA,EAAO;AACf,MAAA,MAAM,MAAA,GAAS,MAAM,wBAAA,CAAyB,KAAA,EAAO,KAAK,SAAS,CAAA;AACnE,MAAA,IAAI,MAAA,EAAQ;AACV,QAAA,IAAI,CAAC,SAAA,CAAU,MAAM,CAAA,EAAG;AACtB,UAAA,OAAO,iBAAiB,MAAM,CAAA;AAAA,QAChC;AACA,QAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,MAAM,CAAA;AACzC,QAAA,IAAI,WAAW,OAAO,SAAA;AAAA,MAExB;AAAA,IACF;AAGA,IAAA,MAAM,MAAA,GAAiC,EAAE,SAAA,EAAW,QAAA,EAAS;AAC7D,IAAA,IAAI,MAAA,CAAO,KAAA,EAAO,MAAA,CAAO,KAAA,GAAQ,MAAA,CAAO,KAAA;AACxC,IAAA,IAAI,MAAA,CAAO,WAAA,EAAa,MAAA,CAAO,YAAA,GAAe,MAAA,CAAO,WAAA;AAErD,IAAA,MAAM,QAAQ,MAAM,uBAAA;AAAA,MAClB,2BAAA;AAAA,MACA,MAAA;AAAA,MACA,IAAA,CAAK;AAAA,KACP;AAEA,IAAA,MAAM,SAAA,GAAY,MAAM,QAAA,IAAYG,wBAAAA;AACpC,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,KAAA,CAAM,KAAA,CAAM,aAAa,EAAE,CAAA;AAGlD,IAAA,OAAA,CAAQ,OAAO,KAAA,CAAM;AAAA,CAAI,CAAA;AACzB,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,UAAA,EAAa,QAAA,CAAS,EAAE,CAAA;;AAAA,CAA6B,CAAA;AAC1E,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,SAAA,EAAY,KAAA,CAAM,SAAS;AAAA,CAAI,CAAA;AACpD,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,SAAA,EAAY,KAAA,CAAM,gBAAgB;;AAAA,CAAM,CAAA;AAC7D,IAAA,IAAI,IAAA,CAAK,gBAAgB,KAAA,EAAO;AAC9B,MAAA,MAAM,WAAA,CAAY,KAAA,CAAM,yBAAA,IAA6B,KAAA,CAAM,gBAAgB,CAAA;AAAA,IAC7E;AACA,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,wBAAA,EAA2B,SAAS,CAAA;;AAAA,CAAY,CAAA;AAGrE,IAAA,MAAM,WAAA,GAAc,MAAM,eAAA,CAAgB;AAAA,MACxC,aAAA;AAAA,MACA,SAAA,EAAW,sBAAA;AAAA,MACX,QAAQ,EAAE,WAAA,EAAa,KAAA,CAAM,WAAA,EAAa,WAAW,QAAA,EAAS;AAAA,MAC9D,SAAA;AAAA,MACA,WAAW,KAAA,CAAM,UAAA;AAAA,MACjB,QAAQ,IAAA,CAAK;AAAA,KACd,CAAA;AAGD,IAAA,OAAO,gBAAA,CAAiB,OAAO,GAAA,EAAK;AAAA,MAClC,aAAa,WAAA,CAAY,YAAA;AAAA,MACzB,WAAW,WAAA,CAAY,UAAA;AAAA,MACvB,cAAc,WAAA,CAAY,aAAA;AAAA,MAC1B,OAAO,WAAA,CAAY,KAAA;AAAA,MACnB,SAAS,WAAA,CAAY,OAAA;AAAA,MACrB,aAAa,MAAA,CAAO,WAAA;AAAA,MACpB,cAAc,WAAA,CAAY;AAAA,KAC3B,CAAA;AAAA,EACH;AACF,CAAA;;;AClUO,IAAM,YAAA,GAAqD;AAAA,EAChE,CAAC,aAAA,CAAc,EAAE,GAAG,aAAA;AAAA,EACpB,CAAC,qBAAA,CAAsB,EAAE,GAAG,qBAAA;AAAA,EAC5B,CAAC,oBAAA,CAAqB,EAAE,GAAG;AAC7B;;;ACOA,eAAsB,WAAA,CACpB,UACA,IAAA,EACqB;AACrB,EAAA,MAAM,MAAA,GAAS,SAAS,IAAA,CAAK,IAAA;AAC7B,EAAA,MAAM,MAAA,GAAS,aAAa,MAAM,CAAA;AAClC,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,2BAAA,EAA8B,MAAM,CAAA,qBAAA,EAAmB,MAAA,CAAO,KAAK,YAAY,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,KAC7F;AAAA,EACF;AAGA,EAAA,IAAI,UAAA,GACF,IAAA,CAAK,UAAA,KAAe,MAAA,GAAY,KAAK,UAAA,GAAa,IAAA;AAEpD,EAAA,IACE,UAAA,KAAe,IAAA,KACd,MAAA,KAAW,cAAA,IAAkB,WAAW,aAAA,CAAA,EACzC;AACA,IAAA,IAAI;AACF,MAAA,UAAA,GAAa,MAAM,kBAAkB,IAAA,CAAK,MAAA,EAAQ,EAAE,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA;AAAA,IAC3E,SAAS,GAAA,EAAK;AACZ,MAAA,IAAI,CAAC,KAAK,KAAA,EAAO;AACf,QAAA,MAAM,MACJ,GAAA,YAAe,cAAA,GACX,GAAA,CAAI,OAAA,GACJ,qBAAqB,GAAG,CAAA,CAAA;AAC9B,QAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,OAAA,EAAU,GAAG,CAAA;AAAA,CAA0B,CAAA;AAAA,MAC9D;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,MAAA,CAAO,GAAA,CAAI,QAAA,EAAU,UAAA,EAAY,IAAI,CAAA;AAC9C;;;ACjDA,SAAS,MAAM,GAAA,EAAuB;AACpC,EAAA,OAAO,GAAG,GAAA,CAAI,IAAI,KAAI,GAAA,CAAI,OAAA,IAAW,IAAI,IAAI,CAAA,CAAA;AAC/C;AAEO,IAAM,cAAN,MAA6C;AAAA,EACjC,OAAA,uBAAc,GAAA,EAA8B;AAAA,EAE7D,MAAM,KAAK,GAAA,EAAsD;AAC/D,IAAA,MAAM,QAAQ,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,KAAA,CAAM,GAAG,CAAC,CAAA;AACzC,IAAA,OAAO,KAAA,GAAQ,EAAE,GAAG,KAAA,EAAM,GAAI,MAAA;AAAA,EAChC;AAAA,EAEA,MAAM,KAAA,CAAM,GAAA,EAAe,IAAA,EAAuC;AAChE,IAAA,IAAA,CAAK,OAAA,CAAQ,IAAI,KAAA,CAAM,GAAG,GAAG,EAAE,GAAG,MAAM,CAAA;AAAA,EAC1C;AAAA,EAEA,MAAM,OAAO,GAAA,EAA8B;AACzC,IAAA,IAAA,CAAK,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AAAA,EAChC;AACF;ACTA,IAAM,SAAA,GAAY,aAAA;AAClB,IAAM,WAAA,GAAc,sBAAA;AACpB,IAAM,QAAA,GAAW,EAAA;AAEjB,IAAM,iBAAA,GAAoBH,EAAE,MAAA,CAAO;AAAA,EACjC,EAAA,EAAIA,EAAE,MAAA,EAAO;AAAA,EACb,GAAA,EAAKA,EAAE,MAAA,EAAO;AAAA,EACd,UAAA,EAAYA,EAAE,MAAA;AAChB,CAAC,CAAA;AAGD,IAAM,mBAAmBA,CAAAA,CAAE,MAAA,CAAOA,CAAAA,CAAE,MAAA,IAAU,iBAAiB,CAAA;AAE/D,IAAM,sBAAA,GAAyBA,EAAE,MAAA,CAAO;AAAA,EACtC,KAAA,EAAOA,EAAE,MAAA,EAAO;AAAA,EAChB,IAAA,EAAMA,EAAE,IAAA,CAAK,CAAC,OAAO,WAAA,EAAa,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,EAClD,SAAA,EAAWA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC/B,QAAA,EAAUA,CAAAA,CAAE,MAAA,CAAOA,CAAAA,CAAE,MAAA,IAAUA,CAAAA,CAAE,OAAA,EAAS,CAAA,CAAE,QAAA;AAC9C,CAAC,CAAA;AAED,SAASI,OAAM,GAAA,EAAuB;AACpC,EAAA,OAAO,GAAG,GAAA,CAAI,IAAI,IAAI,GAAA,CAAI,OAAA,IAAW,IAAI,IAAI,CAAA,CAAA;AAC/C;AAEA,SAAS,SAAS,GAAA,EAAuB;AACvC,EAAA,OACE,OAAO,QAAQ,QAAA,IACf,GAAA,KAAQ,QACR,MAAA,IAAU,GAAA,IACV,IAAI,IAAA,KAAS,QAAA;AAEjB;AAGA,SAAS,OAAA,GAAkB;AACzB,EAAA,MAAM,GAAA,GAAM,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA;AACnC,EAAA,IAAI,CAAC,GAAA,EAAK;AACR,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,sBAAsB,WAAW,CAAA,gIAAA;AAAA,KAGnC;AAAA,EACF;AACA,EAAA,MAAM,GAAA,GAAM,mBAAA,CAAoB,IAAA,CAAK,GAAG,CAAA,GACpC,MAAA,CAAO,IAAA,CAAK,GAAA,EAAK,KAAK,CAAA,GACtB,MAAA,CAAO,IAAA,CAAK,KAAK,QAAQ,CAAA;AAC7B,EAAA,IAAI,GAAA,CAAI,WAAW,EAAA,EAAI;AACrB,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,WAAA,EAAc,WAAW,CAAA,sCAAA,EACpB,GAAA,CAAI,MAAM,CAAA,4DAAA;AAAA,KACjB;AAAA,EACF;AACA,EAAA,OAAO,GAAA;AACT;AAEA,SAAS,IAAA,CAAK,KAAa,SAAA,EAAgC;AACzD,EAAA,MAAM,EAAA,GAAK,YAAY,QAAQ,CAAA;AAC/B,EAAA,MAAM,MAAA,GAAS,cAAA,CAAe,SAAA,EAAW,GAAA,EAAK,EAAE,CAAA;AAChD,EAAA,MAAM,UAAA,GAAa,OAAO,MAAA,CAAO;AAAA,IAC/B,MAAA,CAAO,MAAA,CAAO,SAAA,EAAW,MAAM,CAAA;AAAA,IAC/B,OAAO,KAAA;AAAM,GACd,CAAA;AACD,EAAA,OAAO;AAAA,IACL,EAAA,EAAI,EAAA,CAAG,QAAA,CAAS,QAAQ,CAAA;AAAA,IACxB,GAAA,EAAK,MAAA,CAAO,UAAA,EAAW,CAAE,SAAS,QAAQ,CAAA;AAAA,IAC1C,UAAA,EAAY,UAAA,CAAW,QAAA,CAAS,QAAQ;AAAA,GAC1C;AACF;AAEA,SAAS,MAAA,CAAO,KAAa,KAAA,EAA4B;AACvD,EAAA,MAAM,QAAA,GAAW,gBAAA;AAAA,IACf,SAAA;AAAA,IACA,GAAA;AAAA,IACA,MAAA,CAAO,IAAA,CAAK,KAAA,CAAM,EAAA,EAAI,QAAQ;AAAA,GAChC;AACA,EAAA,QAAA,CAAS,WAAW,MAAA,CAAO,IAAA,CAAK,KAAA,CAAM,GAAA,EAAK,QAAQ,CAAC,CAAA;AACpD,EAAA,MAAM,SAAA,GAAY,OAAO,MAAA,CAAO;AAAA,IAC9B,SAAS,MAAA,CAAO,MAAA,CAAO,KAAK,KAAA,CAAM,UAAA,EAAY,QAAQ,CAAC,CAAA;AAAA,IACvD,SAAS,KAAA;AAAM,GAChB,CAAA;AACD,EAAA,OAAO,SAAA,CAAU,SAAS,MAAM,CAAA;AAClC;AAEO,IAAM,YAAN,MAA2C;AAAA,EAChD,YAA6B,QAAA,EAAkB;AAAlB,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AAAA,EAAmB;AAAA,EAAnB,QAAA;AAAA,EAE7B,MAAM,KAAK,GAAA,EAAsD;AAC/D,IAAA,MAAM,MAAM,OAAA,EAAQ;AACpB,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,QAAA,EAAS;AACjC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAKA,MAAAA,CAAM,GAAG,CAAC,CAAA;AAC9B,IAAA,IAAI,CAAC,QAAQ,OAAO,MAAA;AACpB,IAAA,OAAO,sBAAA,CAAuB,MAAM,IAAA,CAAK,KAAA,CAAM,OAAO,GAAA,EAAK,MAAM,CAAC,CAAC,CAAA;AAAA,EACrE;AAAA,EAEA,MAAM,KAAA,CAAM,GAAA,EAAe,IAAA,EAAuC;AAChE,IAAA,MAAM,MAAM,OAAA,EAAQ;AACpB,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,QAAA,EAAS;AACjC,IAAA,IAAA,CAAKA,MAAAA,CAAM,GAAG,CAAC,CAAA,GAAI,KAAK,GAAA,EAAK,IAAA,CAAK,SAAA,CAAU,IAAI,CAAC,CAAA;AACjD,IAAA,MAAM,IAAA,CAAK,UAAU,IAAI,CAAA;AAAA,EAC3B;AAAA,EAEA,MAAM,OAAO,GAAA,EAA8B;AACzC,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,QAAA,EAAS;AACjC,IAAA,OAAO,IAAA,CAAKA,MAAAA,CAAM,GAAG,CAAC,CAAA;AACtB,IAAA,MAAM,IAAA,CAAK,UAAU,IAAI,CAAA;AAAA,EAC3B;AAAA,EAEA,MAAc,QAAA,GAAiD;AAC7D,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,MAAM,QAAA,CAAS,IAAA,CAAK,UAAU,MAAM,CAAA;AAChD,MAAA,OAAO,gBAAA,CAAiB,KAAA,CAAM,IAAA,CAAK,KAAA,CAAM,GAAG,CAAC,CAAA;AAAA,IAC/C,SAAS,GAAA,EAAK;AACZ,MAAA,IAAI,QAAA,CAAS,GAAG,CAAA,EAAG,OAAO,EAAC;AAC3B,MAAA,MAAM,GAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAc,UAAU,IAAA,EAAkD;AACxE,IAAA,MAAM,KAAA,CAAM,QAAQ,IAAA,CAAK,QAAQ,GAAG,EAAE,SAAA,EAAW,MAAM,CAAA;AACvD,IAAA,MAAM,SAAA,CAAU,KAAK,QAAA,EAAU,IAAA,CAAK,UAAU,IAAA,EAAM,IAAA,EAAM,CAAC,CAAA,EAAG,MAAM,CAAA;AAAA,EACtE;AACF;;;AC5HA,IAAM,cAAA,GAAiB,GAAA;AAgBvB,SAAS,UAAU,IAAA,EAA0B;AAC3C,EAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA;AAC9B,EAAA,IAAI,KAAA,KAAU,EAAA,EAAI,OAAO,EAAE,YAAY,IAAA,EAAK;AAC5C,EAAA,OAAO,EAAE,UAAA,EAAY,IAAA,CAAK,KAAA,CAAM,CAAA,EAAG,KAAK,CAAA,EAAG,OAAA,EAAS,IAAA,CAAK,KAAA,CAAM,KAAA,GAAQ,CAAC,CAAA,EAAE;AAC5E;AAKA,SAAS,QAAQ,IAAA,EAAiC;AAChD,EAAA,IAAI,CAAC,IAAA,CAAK,SAAA,EAAW,OAAO,IAAA;AAC5B,EAAA,MAAM,WAAA,GAAc,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,SAAS,CAAA;AAC7C,EAAA,IAAI,MAAA,CAAO,KAAA,CAAM,WAAW,CAAA,EAAG,OAAO,KAAA;AACtC,EAAA,OAAO,WAAA,GAAc,cAAA,GAAiB,IAAA,CAAK,GAAA,EAAI;AACjD;AAMA,SAAS,aAAA,CACP,OACA,IAAA,EACoC;AACpC,EAAA,IAAI,IAAA,KAAS,KAAA,IAAS,IAAA,KAAS,KAAA,IAAS,SAAS,QAAA,EAAU;AACzD,IAAA,OAAO,EAAE,aAAA,EAAe,CAAA,OAAA,EAAU,KAAK,CAAA,CAAA,EAAG;AAAA,EAC5C;AACA,EAAA,OAAO,MAAA;AACT;AAEO,IAAM,mBAAN,MAAuB;AAAA,EACX,KAAA;AAAA,EACA,WAAA;AAAA,EAEjB,YAAY,IAAA,EAA+B;AACzC,IAAA,IAAA,CAAK,QAAQ,IAAA,CAAK,KAAA;AAClB,IAAA,IAAA,CAAK,cAAc,IAAA,CAAK,WAAA;AAAA,EAC1B;AAAA,EAEA,MAAM,eAAe,CAAA,EASe;AAClC,IAAA,MAAM,EAAE,UAAA,EAAY,OAAA,EAAQ,GAAI,SAAA,CAAU,EAAE,IAAI,CAAA;AAChD,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,WAAA,CAAY,UAAU,CAAA;AAC5C,IAAA,IAAI,CAAC,QAAA,EAAU;AACb,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,yCAAA,EAA4C,UAAU,CAAA,CAAA,CAAG,CAAA;AAAA,IAC3E;AAEA,IAAA,IACE,CAAA,CAAE,aAAa,MAAA,IACf,QAAA,CAAS,aAAa,MAAA,IACtB,CAAA,CAAE,QAAA,KAAa,QAAA,CAAS,QAAA,EACxB;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,+BAA+B,UAAU,CAAA,yBAAA,EAA4B,SAAS,QAAQ,CAAA,cAAA,EAAiB,EAAE,QAAQ,CAAA,CAAA;AAAA,OACnH;AAAA,IACF;AAEA,IAAA,MAAM,MAAA,GAAS,CAAA,CAAE,MAAA,IAAU,QAAA,CAAS,OAAA;AACpC,IAAA,MAAM,EAAE,GAAA,EAAK,SAAA,EAAU,GAAI,gBAAA;AAAA,MACzB,SAAS,IAAA,CAAK,UAAA;AAAA,MACd,MAAA;AAAA,MACA,QAAA,CAAS;AAAA,KACX;AACA,IAAA,IAAI,YAAY,MAAA,EAAW;AACzB,MAAA,GAAA,CAAI,OAAA,GAAU,OAAA;AACd,MAAA,SAAA,CAAU,OAAA,GAAU,OAAA;AAAA,IACtB;AAEA,IAAA,MAAM,SAAS,MAAM,wBAAA,CAAyB,IAAA,CAAK,KAAA,EAAO,KAAK,SAAS,CAAA;AACxE,IAAA,IAAI,MAAA,IAAU,OAAA,CAAQ,MAAM,CAAA,EAAG;AAC7B,MAAA,MAAMC,QAAAA,GAAU,aAAA,CAAc,MAAA,CAAO,KAAA,EAAO,OAAO,IAAI,CAAA;AACvD,MAAA,IAAIA,UAAS,OAAOA,QAAAA;AAAA,IACtB;AAEA,IAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,QAAA,EAAU;AAAA,MACzC,MAAA;AAAA,MACA,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,QAAQ,CAAA,CAAE;AAAA,KACX,CAAA;AACD,IAAA,MAAM,OAAA,GACJ,OAAO,WAAA,KAAgB,MAAA,GACnB,cAAc,MAAA,CAAO,WAAA,EAAa,MAAA,CAAO,SAAS,CAAA,GAClD,MAAA;AACN,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,oCAAoC,UAAU,CAAA,iCAAA;AAAA,OAChD;AAAA,IACF;AACA,IAAA,OAAO,OAAA;AAAA,EACT;AACF;;;ACjDO,IAAM,SAAA,GAAY;AAClB,IAAM,YAAA,GAAe","file":"index.mjs","sourcesContent":["/**\n * AIP-50 auth-provider frontmatter / literal Zod schema.\n *\n * Single source of truth for both authoring paths: `defineAuthProvider`\n * (TS literal) and `parseAuthProviderManifest` (.md) run this same schema,\n * so a malformed literal and a malformed manifest fail identically.\n */\n\nimport { z } from \"zod\"\n\nexport const tokenStoreSpecSchema = z\n .object({\n keychain: z.string().min(1),\n path: z.string().min(1).optional(),\n account: z.string().min(1).optional(),\n })\n .strict()\n\nexport const patAuthConfigSchema = z\n .object({\n flow: z.literal(\"pat\"),\n tokenStore: tokenStoreSpecSchema,\n })\n .strict()\n\nexport const serviceAuthConfigSchema = z\n .object({\n flow: z.literal(\"service-auth\"),\n clientId: z.string().min(1).optional(),\n loginHint: z.string().min(1).optional(),\n tokenStore: tokenStoreSpecSchema,\n })\n .strict()\n\nexport const deviceCodeAuthConfigSchema = z\n .object({\n flow: z.literal(\"device-code\"),\n clientId: z.string().min(1).optional(),\n scope: z.string().min(1).optional(),\n deviceLabel: z.string().min(1).optional(),\n tokenStore: tokenStoreSpecSchema,\n })\n .strict()\n\nexport const authConfigSchema = z.discriminatedUnion(\"flow\", [\n patAuthConfigSchema,\n serviceAuthConfigSchema,\n deviceCodeAuthConfigSchema,\n])\n\nexport const installConfigSchema = z\n .object({\n sealKey: z.string().min(1),\n secretBacked: z.string().min(1),\n })\n .strict()\n\nexport const authProviderFrontmatterSchema = z\n .object({\n id: z.string().min(2).max(80),\n description: z.string().min(1).max(2000),\n apiBase: z.string().url(),\n auth: authConfigSchema,\n install: installConfigSchema.optional(),\n // Recommended values \"tunnel\" | \"api\" | \"mcp\" — free-form allowed, not an enum.\n audience: z.string().min(1).optional(),\n })\n .strict()\n .describe(\n \"AIP-50 auth-provider manifest: how a CLI tool authenticates to an API server and (optionally) where to call the AIP-19 provision endpoints.\",\n )\n\nexport type AuthProviderFrontmatter = z.infer<typeof authProviderFrontmatterSchema>\n","/**\n * `defineAuthProvider` — TS-literal authoring path for an auth-provider.\n *\n * Built on `createDoctype` so it gets the cross-AIP invariants: id-pattern,\n * ≤2000-char description, frozen handle, canonical error prefix. Field-level\n * validation uses the shared Zod from `./schema.ts`, so a malformed literal\n * fails with the same diagnostic as a malformed `.md`.\n */\n\nimport { createDoctype } from \"@agentproto/define-doctype\"\nimport { authProviderFrontmatterSchema } from \"./schema.js\"\nimport type { AuthProviderDefinition, AuthProviderHandle } from \"./types.js\"\n\nexport const defineAuthProvider = createDoctype<\n AuthProviderDefinition,\n AuthProviderHandle\n>({\n aip: 50,\n name: \"authProvider\",\n validate(def) {\n const result = authProviderFrontmatterSchema.safeParse(def)\n if (!result.success) {\n throw new Error(\n `defineAuthProvider (AIP-50): ${result.error.issues\n .map((i) => `${i.path.join(\".\")}: ${i.message}`)\n .join(\"; \")}`,\n )\n }\n },\n build(def) {\n return {\n ...def,\n auth: Object.freeze({ ...def.auth }),\n install: def.install ? Object.freeze({ ...def.install }) : undefined,\n }\n },\n})\n","/**\n * `.md` authoring path for an auth-provider — parse a frontmatter manifest\n * into a frozen handle. Mirrors `parseRecipeManifest` from AIP-19: gray-matter\n * splits the frontmatter, the shared Zod validates it, `defineAuthProvider`\n * builds the handle so both authoring paths converge on one validated shape.\n *\n * This parser is the extension seam: a host reads its own external `.md`\n * manifests (e.g. vendor-shipped `guilde.auth.md`) and registers them without\n * editing this package.\n */\n\nimport matter from \"gray-matter\"\nimport {\n authProviderFrontmatterSchema,\n type AuthProviderFrontmatter,\n} from \"./schema.js\"\nimport { defineAuthProvider } from \"./define-auth-provider.js\"\nimport type { AuthProviderHandle } from \"./types.js\"\n\nexport interface AuthProviderManifest {\n frontmatter: AuthProviderFrontmatter\n body: string\n}\n\nexport function parseAuthProviderManifestRaw(\n source: string,\n): AuthProviderManifest {\n const parsed = matter(source)\n if (Object.keys(parsed.data).length === 0) {\n throw new Error(\"parseAuthProviderManifest: missing or empty frontmatter\")\n }\n const result = authProviderFrontmatterSchema.safeParse(parsed.data)\n if (!result.success) {\n throw new Error(\n `parseAuthProviderManifest: invalid frontmatter — ${result.error.issues\n .map((i) => `${i.path.join(\".\")}: ${i.message}`)\n .join(\"; \")}`,\n )\n }\n return { frontmatter: result.data, body: parsed.content }\n}\n\n/** Parse an auth-provider `.md` straight to a frozen handle. */\nexport function parseAuthProviderManifest(source: string): AuthProviderHandle {\n const { frontmatter } = parseAuthProviderManifestRaw(source)\n return defineAuthProvider(frontmatter)\n}\n","/**\n * Builtin auth-provider manifests — shipped as TS literals so they bundle\n * into the tsup output with zero filesystem reads at runtime. A host adds more\n * by parsing its own `.md` with `parseAuthProviderManifest` and registering\n * the result via `registerAuthProvider`.\n */\n\nimport { defineAuthProvider } from \"./define-auth-provider.js\"\nimport type { AuthProviderHandle } from \"./types.js\"\n\n/** Guilde AI company platform.\n *\n * Authenticates via the AIP-50 service-auth claim ceremony: browser opens,\n * user clicks Approve, bureau stores the oat_* access token.\n * Discovery from /.well-known/oauth-protected-resource supplies live endpoints;\n * the static fields below are the offline fallback. */\nexport const guildeAuthProvider = defineAuthProvider({\n id: \"guilde\",\n description:\n \"Guilde AI company platform. Authenticate via a browser-approve flow — no key to paste.\",\n apiBase: \"https://api.guilde.work\",\n audience: \"api\",\n auth: {\n flow: \"service-auth\",\n clientId: \"agentproto-cli\",\n tokenStore: {\n keychain: \"bureau-guilde\",\n account: \"{server}\",\n },\n },\n install: {\n sealKey: \"/guilde/api/v1/connectors/seal-key\",\n secretBacked: \"/guilde/api/v1/guilds/{guildId}/connectors/secret-backed\",\n },\n})\n\nexport const BUILTIN_AUTH_PROVIDERS: readonly AuthProviderHandle[] = [\n guildeAuthProvider,\n]\n","/**\n * Auth-provider registry — id → handle lookup, pre-seeded with builtins.\n *\n * Mirrors the provision-recipe registry shape (AIP-19). Re-registering an id\n * overrides it (last write wins), so a host can shadow a builtin.\n */\n\nimport { BUILTIN_AUTH_PROVIDERS } from \"./builtins.js\"\nimport type { AuthProviderHandle } from \"./types.js\"\n\nconst _registry = new Map<string, AuthProviderHandle>()\nfor (const p of BUILTIN_AUTH_PROVIDERS) _registry.set(p.id, p)\n\nexport function registerAuthProvider(provider: AuthProviderHandle): void {\n _registry.set(provider.id, provider)\n}\n\nexport function getAuthProvider(id: string): AuthProviderHandle | undefined {\n return _registry.get(id)\n}\n\nexport function listAuthProviders(): AuthProviderHandle[] {\n return [..._registry.values()]\n}\n\nexport function listAuthProviderIds(): string[] {\n return [..._registry.keys()]\n}\n","/**\n * Internal HTTP helpers — not part of the public API.\n *\n * Every network call in this package (discovery, the claim ceremony, token\n * refresh) must be bounded: a hung or slow server MUST NOT stall the CLI\n * indefinitely. `deadlineSignal` combines an optional caller `AbortSignal`\n * with a timeout into one signal to hand to `fetch`.\n *\n * Implemented with a plain `AbortController` + `setTimeout` rather than\n * `AbortSignal.any`/`AbortSignal.timeout` so it works on every runtime that\n * ships `fetch`, without assuming a specific Node minor.\n */\n\n/** Default per-request timeout. Discovery and token calls are small JSON\n * round-trips; 10s is generous without hanging an interactive CLI. */\nexport const DEFAULT_HTTP_TIMEOUT_MS = 10_000\n\n/**\n * AIP-50 §Security: discovery and auth requests MUST use HTTPS, to defeat\n * MITM/TOCTOU on the `.well-known` and token endpoints. Loopback http is\n * allowed — it isn't network-exposed — so local development against a dev\n * server keeps working. Throws on any other insecure URL.\n */\nexport function assertSecureUrl(url: string): void {\n let u: URL\n try {\n u = new URL(url)\n } catch {\n throw new Error(`invalid URL: ${url}`)\n }\n if (u.protocol === \"https:\") return\n const host = u.hostname\n const isLoopback =\n host === \"localhost\" ||\n host === \"127.0.0.1\" ||\n host === \"::1\" ||\n host === \"[::1]\" ||\n host.endsWith(\".localhost\")\n if (u.protocol === \"http:\" && isLoopback) return\n throw new Error(\n `insecure URL '${url}' — AIP-50 requires HTTPS for discovery/auth ` +\n `(loopback http is allowed for local development).`,\n )\n}\n\nexport interface DeadlineHandle {\n /** Signal to pass to `fetch(url, { signal })`. */\n signal: AbortSignal\n /** Cancel the timer + detach the outer listener once the request settles.\n * ALWAYS call this in a `finally` to avoid a dangling timer/listener. */\n clear: () => void\n}\n\n/**\n * Build an `AbortSignal` that fires when EITHER the timeout elapses or the\n * caller's `outer` signal aborts.\n */\nexport function deadlineSignal(\n timeoutMs: number,\n outer?: AbortSignal,\n): DeadlineHandle {\n const ctrl = new AbortController()\n const onAbort = () => ctrl.abort(outer?.reason)\n\n if (outer) {\n if (outer.aborted) ctrl.abort(outer.reason)\n else outer.addEventListener(\"abort\", onAbort, { once: true })\n }\n\n const timer = setTimeout(\n () => ctrl.abort(new Error(`request timed out after ${timeoutMs}ms`)),\n timeoutMs,\n )\n // Don't let a pending timeout keep the process alive on its own.\n if (typeof timer !== \"number\") timer.unref()\n\n return {\n signal: ctrl.signal,\n clear: () => {\n clearTimeout(timer)\n outer?.removeEventListener(\"abort\", onAbort)\n },\n }\n}\n\n/** `fetch` bounded by `deadlineSignal`. Merges any caller-supplied\n * `init.signal` with the timeout. */\nexport async function fetchWithDeadline(\n url: string,\n init: RequestInit = {},\n timeoutMs: number = DEFAULT_HTTP_TIMEOUT_MS,\n): Promise<Response> {\n const { signal, clear } = deadlineSignal(timeoutMs, init.signal ?? undefined)\n try {\n return await fetch(url, { ...init, signal })\n } finally {\n clear()\n }\n}\n","/**\n * Two-hop discovery per the auth.md standard (AIP-50 §Discovery algorithm),\n * with a second strategy for hosts that don't speak auth.md.\n *\n * Strategy 1 (OAuth PRM chain):\n * Hop 1: GET {apiBase}/.well-known/oauth-protected-resource (PRM, RFC 8414)\n * → extract authorization_servers[0] as authServerBase\n * Hop 2: GET {authServerBase}/.well-known/oauth-authorization-server (AS metadata)\n * → extract token_endpoint + agent_auth block\n *\n * Strategy 2 (agentproto-host.json), tried when strategy 1 fails:\n * GET {apiBase}/.well-known/agentproto-host.json\n * → extract device_authorization_endpoint + token_endpoint\n *\n * Callers MUST catch DiscoveryError and fall back to static manifest config —\n * discovery failures are common (server predates auth.md) and MUST NOT prevent\n * the PAT or other static flows from working.\n */\n\nimport { z } from \"zod\"\nimport type { DiscoveredEndpoints } from \"./types.js\"\nimport { fetchWithDeadline, assertSecureUrl } from \"./http.js\"\n\nexport class DiscoveryError extends Error {\n readonly serverUrl: string\n constructor(message: string, serverUrl: string) {\n super(`DiscoveryError (${serverUrl}): ${message}`)\n this.name = \"DiscoveryError\"\n this.serverUrl = serverUrl\n }\n}\n\n// Discovery JSON is server-controlled, so it's validated rather than asserted.\n// Everything is optional + `.loose()`: the document evolves, and the required\n// fields are enforced explicitly below with precise DiscoveryError messages.\nconst prmSchema = z\n .object({\n resource: z.string().optional(),\n resource_name: z.string().optional(),\n authorization_servers: z.array(z.string()).optional(),\n scopes_supported: z.array(z.string()).optional(),\n bearer_methods_supported: z.array(z.string()).optional(),\n })\n .loose()\n\nconst asMetaSchema = z\n .object({\n issuer: z.string().optional(),\n token_endpoint: z.string().optional(),\n revocation_endpoint: z.string().optional(),\n device_authorization_endpoint: z.string().optional(),\n grant_types_supported: z.array(z.string()).optional(),\n agent_auth: z\n .object({\n skill: z.string().optional(),\n identity_endpoint: z.string().optional(),\n claim_endpoint: z.string().optional(),\n events_endpoint: z.string().optional(),\n identity_types_supported: z.array(z.string()).optional(),\n identity_assertion: z\n .object({ assertion_types_supported: z.array(z.string()).optional() })\n .loose()\n .optional(),\n })\n .loose()\n .optional(),\n })\n .loose()\n\nconst hostJsonSchema = z\n .object({\n device_authorization_endpoint: z.string().optional(),\n token_endpoint: z.string().optional(),\n revocation_endpoint: z.string().optional(),\n })\n .loose()\n\ntype PRMShape = z.infer<typeof prmSchema>\ntype ASMetaShape = z.infer<typeof asMetaSchema>\ntype HostJsonShape = z.infer<typeof hostJsonSchema>\n\nexport interface DiscoverOptions {\n /** Abort the discovery fetches (e.g. on user Ctrl-C). */\n signal?: AbortSignal\n /** Per-hop timeout. Defaults to DEFAULT_HTTP_TIMEOUT_MS. */\n timeoutMs?: number\n}\n\nasync function discoverViaPRM(\n base: string,\n fetchOpts: RequestInit,\n opts: DiscoverOptions,\n): Promise<DiscoveredEndpoints> {\n // Hop 1 — PRM\n const prmUrl = `${base}/.well-known/oauth-protected-resource`\n let prm: PRMShape\n try {\n assertSecureUrl(prmUrl)\n const res = await fetchWithDeadline(prmUrl, fetchOpts, opts.timeoutMs)\n if (!res.ok) {\n throw new DiscoveryError(\n `PRM returned ${res.status} ${res.statusText}`,\n base,\n )\n }\n prm = prmSchema.parse(await res.json())\n } catch (err) {\n if (err instanceof DiscoveryError) throw err\n throw new DiscoveryError(`PRM fetch failed: ${err}`, base)\n }\n\n const authServerBase = prm.authorization_servers?.[0]?.replace(/\\/$/, \"\")\n if (!authServerBase) {\n throw new DiscoveryError(\n \"PRM missing authorization_servers[0]\",\n base,\n )\n }\n\n // Hop 2 — AS metadata\n const asUrl = `${authServerBase}/.well-known/oauth-authorization-server`\n let as: ASMetaShape\n try {\n assertSecureUrl(asUrl)\n const res = await fetchWithDeadline(asUrl, fetchOpts, opts.timeoutMs)\n if (!res.ok) {\n throw new DiscoveryError(\n `AS metadata returned ${res.status} ${res.statusText}`,\n base,\n )\n }\n as = asMetaSchema.parse(await res.json())\n } catch (err) {\n if (err instanceof DiscoveryError) throw err\n throw new DiscoveryError(`AS metadata fetch failed: ${err}`, base)\n }\n\n const tokenEndpoint = as.token_endpoint\n const identityEndpoint = as.agent_auth?.identity_endpoint\n if (!tokenEndpoint) {\n throw new DiscoveryError(\"AS metadata missing token_endpoint\", base)\n }\n if (!identityEndpoint) {\n throw new DiscoveryError(\n \"AS metadata missing agent_auth.identity_endpoint\",\n base,\n )\n }\n\n return {\n resource: prm.resource ?? base,\n resourceName: prm.resource_name,\n authServerBase,\n tokenEndpoint,\n revocationEndpoint: as.revocation_endpoint,\n identityEndpoint,\n claimEndpoint: as.agent_auth?.claim_endpoint,\n deviceAuthorizationEndpoint: as.device_authorization_endpoint,\n identityTypesSupported: as.agent_auth?.identity_types_supported ?? [],\n grantTypesSupported: as.grant_types_supported ?? [],\n }\n}\n\nasync function discoverViaHostJson(\n base: string,\n fetchOpts: RequestInit,\n opts: DiscoverOptions,\n): Promise<DiscoveredEndpoints> {\n const url = `${base}/.well-known/agentproto-host.json`\n let doc: HostJsonShape\n try {\n assertSecureUrl(url)\n const res = await fetchWithDeadline(url, fetchOpts, opts.timeoutMs)\n if (!res.ok) {\n throw new DiscoveryError(\n `agentproto-host.json returned ${res.status} ${res.statusText}`,\n base,\n )\n }\n doc = hostJsonSchema.parse(await res.json())\n } catch (err) {\n if (err instanceof DiscoveryError) throw err\n throw new DiscoveryError(`agentproto-host.json fetch failed: ${err}`, base)\n }\n\n if (!doc.token_endpoint) {\n throw new DiscoveryError(\n \"agentproto-host.json missing token_endpoint\",\n base,\n )\n }\n if (!doc.device_authorization_endpoint) {\n throw new DiscoveryError(\n \"agentproto-host.json missing device_authorization_endpoint\",\n base,\n )\n }\n\n return {\n resource: base,\n authServerBase: base,\n tokenEndpoint: doc.token_endpoint,\n revocationEndpoint: doc.revocation_endpoint,\n deviceAuthorizationEndpoint: doc.device_authorization_endpoint,\n identityTypesSupported: [],\n grantTypesSupported: [],\n }\n}\n\nexport async function discoverEndpoints(\n apiBase: string,\n opts: DiscoverOptions = {},\n): Promise<DiscoveredEndpoints> {\n const base = apiBase.replace(/\\/$/, \"\")\n // AIP-50 §Security: HTTPS only (loopback exempt for dev), and never follow\n // redirects on discovery — a 3xx is treated as a failure, not chased to a\n // potentially-rogue endpoint.\n const fetchOpts: RequestInit = {\n signal: opts.signal,\n redirect: \"manual\",\n }\n\n try {\n return await discoverViaPRM(base, fetchOpts, opts)\n } catch (prmErr) {\n // A caller-initiated abort is terminal — don't fire a second round of\n // requests on a signal that has already aborted (its \"abort\" event has\n // already fired once and a fresh listener on it will never see it again,\n // hanging the fallback forever).\n if (opts.signal?.aborted) throw prmErr\n // Second strategy: a host that doesn't speak the auth.md PRM chain may\n // still expose device-code endpoints via agentproto-host.json. If that\n // also fails, surface the ORIGINAL PRM error — it's almost always the\n // more informative one (host.json 404s are the common case).\n try {\n return await discoverViaHostJson(base, fetchOpts, opts)\n } catch {\n throw prmErr\n }\n }\n}\n","/**\n * Keychain helpers — read/write a token in the platform Keychain.\n *\n * Uses the macOS `security` CLI. On non-macOS hosts, callers should swap this\n * module for a platform-appropriate equivalent (libsecret on Linux, Credential\n * Manager on Windows).\n */\n\nimport { execFile } from \"node:child_process\"\nimport { promisify } from \"node:util\"\n\nconst exec = promisify(execFile)\n\n/**\n * Guard the macOS-only backend. Without this, `readKeychainToken` would swallow\n * the missing-`security` error and return undefined on Linux/Windows — making a\n * stored credential look absent and re-prompting on every run — while\n * `writeKeychainToken` would throw an opaque ENOENT. Fail loudly and clearly\n * instead, until a libsecret / Credential Manager backend exists.\n */\nfunction assertKeychainSupported(): void {\n if (process.platform !== \"darwin\") {\n throw new Error(\n `@agentproto/auth token-store: the Keychain backend only supports macOS ` +\n `(got platform \"${process.platform}\"). Provide a libsecret (Linux) or ` +\n `Credential Manager (Windows) implementation to run here.`,\n )\n }\n}\n\n/** Substitute `{server}` template in a tokenStore account spec. */\nexport function resolveAccount(\n account: string | undefined,\n server: string,\n): string {\n if (!account) return server\n return account.replace(\"{server}\", server)\n}\n\n/** Read a token from the Keychain. Returns undefined if not found. */\nexport async function readKeychainToken(\n service: string,\n account: string,\n): Promise<string | undefined> {\n assertKeychainSupported()\n try {\n const { stdout } = await exec(\"security\", [\n \"find-generic-password\",\n \"-s\",\n service,\n \"-a\",\n account,\n \"-w\",\n ])\n const t = stdout.replace(/\\n$/, \"\")\n return t || undefined\n } catch {\n return undefined\n }\n}\n\n/** Write a token to the Keychain (-U updates in place). */\nexport async function writeKeychainToken(\n service: string,\n account: string,\n token: string,\n): Promise<void> {\n assertKeychainSupported()\n await exec(\"security\", [\n \"add-generic-password\",\n \"-U\",\n \"-s\",\n service,\n \"-a\",\n account,\n \"-w\",\n token,\n \"-D\",\n \"agentproto auth token\",\n ])\n}\n","/**\n * KeychainStore — `CredentialStore` backed by the platform Keychain.\n *\n * Wraps the low-level `token-store.ts` helpers (macOS `security` CLI today).\n * The Keychain only holds one opaque string per entry, so `kind`/`expiresAt`/\n * `metadata` are packed into a small JSON envelope that IS that string.\n *\n * Back-compat: an entry written before this store existed (or by any other\n * tool) is a bare token string, not an envelope. `read` falls back to\n * treating the whole string as the value with kind `\"pat\"` — the only flow\n * that pre-dates this store — rather than failing on non-JSON content.\n */\n\nimport { z } from \"zod\"\nimport { readKeychainToken, writeKeychainToken } from \"../token-store.js\"\nimport type { CredentialStore, StoreRef, StoredCredential } from \"./types.js\"\n\nconst envelopeSchema = z.object({\n v: z.string(),\n k: z.enum([\"pat\", \"assertion\", \"oat\", \"daemon\"]),\n e: z.string().optional(),\n m: z.record(z.string(), z.unknown()).optional(),\n})\n\nexport class KeychainStore implements CredentialStore {\n async read(ref: StoreRef): Promise<StoredCredential | undefined> {\n const account = ref.account ?? ref.path\n const raw = await readKeychainToken(ref.path, account)\n if (raw === undefined) return undefined\n\n try {\n const envelope = envelopeSchema.parse(JSON.parse(raw))\n return {\n value: envelope.v,\n kind: envelope.k,\n ...(envelope.e !== undefined ? { expiresAt: envelope.e } : {}),\n ...(envelope.m !== undefined ? { metadata: envelope.m } : {}),\n }\n } catch {\n return { value: raw, kind: \"pat\" }\n }\n }\n\n async write(ref: StoreRef, cred: StoredCredential): Promise<void> {\n const account = ref.account ?? ref.path\n const envelope: z.infer<typeof envelopeSchema> = {\n v: cred.value,\n k: cred.kind,\n ...(cred.expiresAt !== undefined ? { e: cred.expiresAt } : {}),\n ...(cred.metadata !== undefined ? { m: cred.metadata } : {}),\n }\n await writeKeychainToken(ref.path, account, JSON.stringify(envelope))\n }\n}\n","/**\n * Map a provider's `TokenStoreSpec` to a backend-agnostic `StoreRef`.\n *\n * Shared by every flow engine so the `path`/`keychain` back-compat alias and\n * the `{server}` account template are resolved identically everywhere.\n */\n\nimport { resolveAccount } from \"../token-store.js\"\nimport type { TokenStoreSpec } from \"../types.js\"\nimport type { CredentialStore, StoreRef, StoredCredential } from \"./types.js\"\n\n/** When `audience` is declared, it's folded into the physical store key —\n * `${audience}:${path}` — so credentials scoped to different audiences\n * (e.g. \"tunnel\" vs \"api\") never collide under the same slot. Absent\n * `audience` = today's unprefixed path, unchanged. */\nexport function resolveStoreRef(\n spec: TokenStoreSpec,\n server: string,\n audience?: string,\n): StoreRef {\n const path = spec.path ?? spec.keychain\n return {\n path: audience ? `${audience}:${path}` : path,\n account: resolveAccount(spec.account, server),\n }\n}\n\n/** Derive both the audience-prefixed `ref` and the unprefixed `legacyRef` in\n * one call — the pair every flow engine and the broker need for the\n * audience back-compat read (`readStoreRefWithFallback`). When no audience\n * is declared, `legacyRef === ref` (same object), matching `resolveStoreRef`\n * called with `audience` undefined. */\nexport function resolveStoreRefs(\n spec: TokenStoreSpec,\n server: string,\n audience?: string,\n): { ref: StoreRef; legacyRef: StoreRef } {\n const ref = resolveStoreRef(spec, server, audience)\n const legacyRef = audience ? resolveStoreRef(spec, server) : ref\n return { ref, legacyRef }\n}\n\n/**\n * Read through `ref`, falling back once to `legacyRef` on a miss.\n *\n * This is the read half of the audience back-compat rule: a write always\n * targets the audience-prefixed ref, but a credential written before the\n * provider adopted an audience still lives at the unprefixed (legacy) path.\n * Rather than duplicate that fallback at every flow-engine/broker read site,\n * it lives here, next to `resolveStoreRef` — the one place that already\n * knows how prefixed vs. legacy refs are derived. Callers that don't declare\n * an audience pass `ref === legacyRef` (or just call `store.read` directly);\n * this only does extra work when the two refs actually differ.\n */\nexport async function readStoreRefWithFallback(\n store: CredentialStore,\n ref: StoreRef,\n legacyRef: StoreRef,\n): Promise<StoredCredential | undefined> {\n const stored = await store.read(ref)\n if (stored) return stored\n if (ref.path === legacyRef.path && ref.account === legacyRef.account) {\n return undefined\n }\n return store.read(legacyRef)\n}\n","/**\n * PAT flow engine — reads an existing token from the Keychain or prompts for one.\n *\n * This is the \"legacy-compatible\" flow: the user has a personal API key\n * (`gld_*`, `sk-*`, …) and the CLI needs to store/retrieve it. No browser\n * open, no ceremony. Use `service-auth` for the seamless browser-approve path.\n */\n\nimport { createInterface } from \"node:readline\"\nimport type {\n FlowEngine,\n FlowRunOptions,\n FlowResult,\n AuthProviderHandle,\n DiscoveredEndpoints,\n} from \"../types.js\"\nimport { KeychainStore } from \"../store/keychain-store.js\"\nimport { resolveStoreRefs, readStoreRefWithFallback } from \"../store/resolve-ref.js\"\n\n/**\n * Read a secret from the terminal WITHOUT echoing it — the typed key must not\n * land on screen or in scrollback. On a TTY we drop to raw mode and render a `*`\n * mask per character. When stdin isn't a TTY (piped input, CI, tests) there's no\n * echo to suppress and no raw mode to enter, so we read a line normally.\n */\nasync function promptToken(label: string): Promise<string> {\n const input = process.stdin\n const out = process.stderr\n\n if (!input.isTTY) {\n return new Promise((resolve) => {\n const rl = createInterface({ input, output: out })\n out.write(`${label}: `)\n rl.question(\"\", (answer) => {\n rl.close()\n resolve(answer.trim())\n })\n })\n }\n\n return new Promise((resolve, reject) => {\n out.write(`${label}: `)\n const chars: string[] = []\n input.setRawMode(true)\n input.resume()\n input.setEncoding(\"utf8\")\n\n const cleanup = () => {\n input.setRawMode(false)\n input.pause()\n input.removeListener(\"data\", onData)\n }\n\n const onData = (chunk: string) => {\n for (const ch of chunk) {\n switch (ch) {\n case \"\\r\":\n case \"\\n\":\n out.write(\"\\n\")\n cleanup()\n resolve(chars.join(\"\").trim())\n return\n case \"\\u0003\": // Ctrl-C\n out.write(\"\\n\")\n cleanup()\n reject(new Error(\"auth cancelled\"))\n return\n case \"\\u0004\": // Ctrl-D — treat as end-of-input\n out.write(\"\\n\")\n cleanup()\n resolve(chars.join(\"\").trim())\n return\n case \"\\u007f\": // Backspace / Delete\n case \"\\b\":\n if (chars.length > 0) {\n chars.pop()\n out.write(\"\\b \\b\")\n }\n break\n default:\n // Mask printable input; ignore stray control characters.\n if (ch >= \" \") {\n chars.push(ch)\n out.write(\"*\")\n }\n }\n }\n }\n\n input.on(\"data\", onData)\n })\n}\n\nexport const patFlowEngine: FlowEngine = {\n id: \"pat\",\n\n async run(\n provider: AuthProviderHandle,\n _discovered: DiscoveredEndpoints | null,\n opts: FlowRunOptions,\n ): Promise<FlowResult> {\n const { auth } = provider\n if (auth.flow !== \"pat\") {\n throw new Error(`patFlowEngine: invoked with flow=\"${auth.flow}\"`)\n }\n\n const store = opts.store ?? new KeychainStore()\n const { ref, legacyRef } = resolveStoreRefs(\n auth.tokenStore,\n opts.server,\n provider.audience,\n )\n\n if (!opts.force) {\n const existing = await readStoreRefWithFallback(store, ref, legacyRef)\n if (existing) {\n return { accessToken: existing.value, tokenKind: \"pat\" }\n }\n }\n\n const token = await promptToken(`${provider.id} personal access token`)\n if (!token) throw new Error(\"no token provided\")\n\n await store.write(ref, { value: token, kind: \"pat\" })\n\n return { accessToken: token, tokenKind: \"pat\" }\n },\n}\n","/**\n * Shared RFC 8628 device-grant polling primitive (internal, not exported from\n * the package root).\n *\n * Both the auth.md claim ceremony (`service-auth.ts`) and the device-code flow\n * poll an OAuth token endpoint with a grant-specific URN until the AS reports\n * success or a terminal error. This module holds that shared poll loop plus\n * the small HTTP/browser helpers both flows need — lifted verbatim from\n * `service-auth.ts` so new flow engines have somewhere to reuse them from.\n */\n\nimport { execFile } from \"node:child_process\"\nimport { promisify } from \"node:util\"\nimport { z } from \"zod\"\nimport { fetchWithDeadline } from \"../http.js\"\n\nconst execAsync = promisify(execFile)\n\n// ── response schemas ──────────────────────────────────────────────────────────\n//\n// JSON crosses a trust boundary here (the AS controls the bytes), so every\n// response is validated with Zod rather than asserted. `.loose()` keeps unknown\n// fields the spec may add. The inferred types feed the rest of the engine.\n\n/** Successful token/refresh/exchange response — the AS minted a credential. */\nexport const tokenSuccessSchema = z\n .object({\n access_token: z.string(),\n token_type: z.string().optional(),\n refresh_token: z.string().optional(),\n identity_assertion: z.string().optional(),\n assertion_expires_in: z.number().optional(),\n assertion_expires: z.string().optional(),\n // device-code flow fields (ignored by service-auth today; see WP-2).\n expires_in: z.number().optional(),\n scope: z.string().optional(),\n subject: z.string().optional(),\n revocation_id: z.string().optional(),\n })\n .loose()\n\n/** OAuth error response (`authorization_pending`, `slow_down`, `access_denied`…). */\nexport const tokenErrorSchema = z\n .object({\n error: z.string(),\n error_description: z.string().optional(),\n })\n .loose()\n\n/** A token endpoint reply is either a minted credential or an OAuth error.\n * Success is tried first so a body carrying an access_token never matches the\n * error arm. */\nexport const tokenResponseSchema = z.union([tokenSuccessSchema, tokenErrorSchema])\n\nexport type TokenSuccess = z.infer<typeof tokenSuccessSchema>\n\n// ── helpers ──────────────────────────────────────────────────────────────────\n\nexport async function openBrowser(url: string): Promise<void> {\n const [cmd, args]: [string, string[]] =\n process.platform === \"darwin\"\n ? [\"open\", [url]]\n : process.platform === \"win32\"\n ? [\"cmd\", [\"/c\", \"start\", url]]\n : [\"xdg-open\", [url]]\n try {\n await execAsync(cmd, args)\n } catch {\n // best-effort — URL already printed to stderr\n }\n}\n\n// NOTE: deliberately does NOT check res.ok — the OAuth device/claim flow returns\n// HTTP 400 with a JSON `{ error }` body for authorization_pending / slow_down,\n// which the poll loop reads as data. Throwing on non-2xx would break polling.\nexport async function postFormOAuth<T>(\n url: string,\n params: Record<string, string>,\n schema: z.ZodType<T>,\n signal?: AbortSignal,\n): Promise<T> {\n const res = await fetchWithDeadline(url, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: new URLSearchParams(params).toString(),\n signal,\n })\n return schema.parse(await res.json())\n}\n\nexport interface DeviceGrantPollOptions {\n /** Token endpoint URL to poll. */\n tokenEndpoint: string\n /** Grant-type URN sent on every poll (e.g. the claim or device_code grant). */\n grantType: string\n /** Token-carrying form params — e.g. `claim_token`/`device_code` plus\n * `client_id`. `grant_type` is added automatically; do not include it here. */\n params: Record<string, string>\n /** Poll interval in seconds; grows by 5s on each `slow_down`. */\n intervalS: number\n /** Approval window in seconds, measured from when polling starts. */\n expiresIn: number\n signal?: AbortSignal\n}\n\n/** RFC 8628 poll loop shared by every grant that polls a token endpoint for\n * user approval (auth.md claim ceremony, device-code). */\nexport async function pollDeviceGrant(\n o: DeviceGrantPollOptions,\n): Promise<TokenSuccess> {\n const deadline = Date.now() + o.expiresIn * 1_000\n let pollMs = o.intervalS * 1_000\n\n while (Date.now() < deadline) {\n if (o.signal?.aborted) throw new Error(\"auth cancelled\")\n await new Promise<void>((r) => setTimeout(r, pollMs))\n\n const data = await postFormOAuth(\n o.tokenEndpoint,\n { grant_type: o.grantType, ...o.params },\n tokenResponseSchema,\n o.signal,\n )\n\n if (!(\"error\" in data)) return data\n\n const pollErr = data.error\n if (pollErr === \"authorization_pending\") continue\n if (pollErr === \"slow_down\") {\n pollMs += 5_000\n continue\n }\n if (pollErr === \"expired_token\") {\n throw new Error(\"auth timeout — claim expired before user approved\")\n }\n if (pollErr === \"access_denied\") {\n throw new Error(\"access denied — user rejected the authorisation request\")\n }\n\n const desc = data.error_description\n throw new Error(`token endpoint error: ${pollErr}${desc ? ` — ${desc}` : \"\"}`)\n }\n\n throw new Error(\"auth timeout — approval window closed\")\n}\n","/**\n * service-auth flow engine — auth.md claim ceremony.\n *\n * Protocol:\n * POST /agent/identity { type:\"service_auth\" }\n * → registration_id + claim_token + user_code + verification_uri\n * User approves at verification_uri in browser.\n * Poll POST {token_endpoint} with grant_type=urn:workos:agent-auth:grant-type:claim\n * until approved / denied / expired.\n * On success: store the identity_assertion JWT (AIP-50 §Token storage —\n * the assertion is the durable credential; the access_token MUST NOT be\n * persisted, and the claim_token stays in memory only).\n *\n * Subsequent runs skip the ceremony: the stored assertion is exchanged via the\n * jwt-bearer grant for a fresh access_token (\"this IS the refresh path\" — no\n * refresh_token). Only when the assertion is expired/rejected does a new\n * ceremony start.\n *\n * See: https://github.com/workos/auth.md / AIP-50\n */\n\nimport { z } from \"zod\"\nimport type {\n FlowEngine,\n FlowRunOptions,\n FlowResult,\n AuthProviderHandle,\n DiscoveredEndpoints,\n} from \"../types.js\"\nimport { KeychainStore } from \"../store/keychain-store.js\"\nimport { resolveStoreRefs, readStoreRefWithFallback } from \"../store/resolve-ref.js\"\nimport { fetchWithDeadline, assertSecureUrl } from \"../http.js\"\nimport {\n openBrowser,\n postFormOAuth,\n pollDeviceGrant,\n tokenResponseSchema,\n type TokenSuccess,\n} from \"./device-grant.js\"\n\nconst CLAIM_GRANT_TYPE = \"urn:workos:agent-auth:grant-type:claim\"\nconst JWT_BEARER_GRANT_TYPE = \"urn:ietf:params:oauth:grant-type:jwt-bearer\"\nconst DEFAULT_POLL_INTERVAL_S = 5\n\n// ── response schemas ──────────────────────────────────────────────────────────\n//\n// JSON crosses a trust boundary here (the AS controls the bytes), so every\n// response is validated with Zod rather than asserted. `.loose()` keeps unknown\n// fields the spec may add. The inferred types feed the rest of the engine.\n// (Token success/error schemas live in device-grant.ts, shared with every flow\n// that polls a token endpoint.)\n\nconst identityResponseSchema = z\n .object({\n registration_id: z.string(),\n claim_token: z.string(),\n claim: z\n .object({\n user_code: z.string(),\n verification_uri: z.string(),\n expires_in: z.number(),\n interval: z.number().optional(),\n })\n .loose(),\n })\n .loose()\n\n// ── helpers ──────────────────────────────────────────────────────────────────\n\nasync function postJson<T>(\n url: string,\n body: unknown,\n schema: z.ZodType<T>,\n signal?: AbortSignal,\n): Promise<T> {\n const res = await fetchWithDeadline(url, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify(body),\n signal,\n })\n if (!res.ok) {\n const text = await res.text()\n throw new Error(`POST ${url} → ${res.status}: ${text}`)\n }\n return schema.parse(await res.json())\n}\n\n// ── Identity-assertion exchange (jwt-bearer, RFC 7523) ────────────────────────\n//\n// The stored credential IS the identity_assertion JWT. Exchange it at the token\n// endpoint for a fresh, short-lived access token — the AIP-50 refresh path, with\n// no refresh_token involved. Returns null on any error (expired / invalid_grant\n// / server doesn't support the grant) so the caller falls back to a ceremony.\nasync function exchangeAssertion(\n tokenEndpoint: string,\n assertion: string,\n clientId: string,\n signal?: AbortSignal,\n): Promise<TokenSuccess | null> {\n try {\n const data = await postFormOAuth(\n tokenEndpoint,\n {\n grant_type: JWT_BEARER_GRANT_TYPE,\n assertion,\n client_id: clientId,\n },\n tokenResponseSchema,\n signal,\n )\n if (\"error\" in data) return null\n return data\n } catch {\n return null\n }\n}\n\n// ── engine ───────────────────────────────────────────────────────────────────\n\nexport const serviceAuthFlowEngine: FlowEngine = {\n id: \"service-auth\",\n\n async run(\n provider: AuthProviderHandle,\n discovered: DiscoveredEndpoints | null,\n opts: FlowRunOptions,\n ): Promise<FlowResult> {\n const { auth } = provider\n if (auth.flow !== \"service-auth\") {\n throw new Error(`serviceAuthFlowEngine: invoked with flow=\"${auth.flow}\"`)\n }\n // `auth.flow === \"service-auth\"` is guaranteed by the guard above, so the\n // discriminated union has already narrowed `auth` to ServiceAuthConfig.\n const config = auth\n const clientId = config.clientId ?? \"agentproto-cli\"\n const server = opts.server.replace(/\\/$/, \"\")\n\n // Endpoint resolution — prefer live discovery, fall back to conventions\n const identityEndpoint =\n discovered?.identityEndpoint ?? `${server}/agent/identity`\n const tokenEndpoint =\n discovered?.tokenEndpoint ?? `${server}/oauth/token`\n\n // AIP-50 §Security: auth requests MUST use HTTPS (loopback exempt for dev).\n assertSecureUrl(identityEndpoint)\n assertSecureUrl(tokenEndpoint)\n\n const store = opts.store ?? new KeychainStore()\n const { ref, legacyRef } = resolveStoreRefs(\n config.tokenStore,\n server,\n provider.audience,\n )\n\n // Cached path — the stored credential IS the identity_assertion JWT (AIP-50:\n // never the access token, never a refresh token). Exchange it via jwt-bearer\n // for a fresh access token; on failure (expired / invalid_grant) fall through\n // to a full browser ceremony.\n if (!opts.force) {\n const stored = await readStoreRefWithFallback(store, ref, legacyRef)\n if (stored) {\n const exchanged = await exchangeAssertion(\n tokenEndpoint,\n stored.value,\n clientId,\n opts.signal,\n )\n if (exchanged) {\n // If the server rotated the assertion, persist the new one; otherwise\n // the existing assertion stays valid for the next exchange.\n if (exchanged.identity_assertion) {\n await store.write(ref, {\n value: exchanged.identity_assertion,\n kind: \"assertion\",\n })\n }\n return {\n accessToken: exchanged.access_token,\n ...(exchanged.identity_assertion\n ? { identityAssertion: exchanged.identity_assertion }\n : {}),\n tokenKind: \"oat\",\n }\n }\n }\n }\n\n // 1 — POST /agent/identity to start the claim ceremony\n const identity = await postJson(\n identityEndpoint,\n {\n type: \"service_auth\",\n client_id: clientId,\n ...(config.loginHint ? { login_hint: config.loginHint } : {}),\n },\n identityResponseSchema,\n opts.signal,\n )\n\n const { claim_token, claim } = identity\n const intervalS = claim.interval ?? DEFAULT_POLL_INTERVAL_S\n const windowMin = Math.round(claim.expires_in / 60)\n\n // 2 — Print code + open browser\n process.stderr.write(`\\n`)\n process.stderr.write(` Approve ${provider.id} access in your browser\\n\\n`)\n process.stderr.write(` Code: ${claim.user_code}\\n`)\n process.stderr.write(` URL: ${claim.verification_uri}\\n\\n`)\n if (opts.openBrowser !== false) {\n await openBrowser(claim.verification_uri)\n }\n process.stderr.write(` Waiting for approval (${windowMin} min)…\\n\\n`)\n\n // 3 — Poll until approved / denied / expired\n const tokenResult = await pollDeviceGrant({\n tokenEndpoint,\n grantType: CLAIM_GRANT_TYPE,\n params: { claim_token, client_id: clientId },\n intervalS,\n expiresIn: claim.expires_in,\n signal: opts.signal,\n })\n\n // 4 — Store the identity_assertion as the durable credential (AIP-50: the\n // access_token is ephemeral and MUST NOT be persisted; the claim_token\n // was held in memory only). The assertion is re-exchanged via jwt-bearer\n // on the next run.\n const accessToken = tokenResult.access_token\n const assertion = tokenResult.identity_assertion\n\n // Resolve assertion expiry as ISO 8601\n let assertionExpires: string | undefined\n if (tokenResult.assertion_expires) {\n assertionExpires = tokenResult.assertion_expires\n } else if (tokenResult.assertion_expires_in) {\n assertionExpires = new Date(\n Date.now() + tokenResult.assertion_expires_in * 1_000,\n ).toISOString()\n }\n\n if (assertion) {\n await store.write(ref, {\n value: assertion,\n kind: \"assertion\",\n ...(assertionExpires ? { expiresAt: assertionExpires } : {}),\n })\n }\n\n return {\n accessToken,\n identityAssertion: assertion,\n assertionExpires,\n tokenKind: \"oat\",\n }\n },\n}\n","/**\n * device-code flow engine — plain RFC 8628 device-authorization ceremony.\n *\n * Protocol:\n * POST {device_authorization_endpoint} { client_id, scope?, device_label? }\n * → device_code + user_code + verification_uri(_complete) + expires_in\n * User approves at verification_uri in browser.\n * Poll POST {token_endpoint} with grant_type=urn:ietf:params:oauth:grant-type:device_code\n * until approved / denied / expired.\n * On success: store the access_token as the durable credential (kind:\"daemon\")\n * — unlike service-auth, the access token IS the thing that's persisted;\n * refresh_token/scope/subject/revocation_id ride in `metadata`.\n *\n * Subsequent runs: a fresh stored credential (or one with no expiry) short-\n * circuits the ceremony. An expired credential with a stored refresh_token is\n * exchanged via `grant_type=refresh_token`; on failure (or when no\n * refresh_token was stored) a new ceremony starts.\n */\n\nimport { z } from \"zod\"\nimport type {\n FlowEngine,\n FlowRunOptions,\n FlowResult,\n AuthProviderHandle,\n DiscoveredEndpoints,\n} from \"../types.js\"\nimport { KeychainStore } from \"../store/keychain-store.js\"\nimport { resolveStoreRefs, readStoreRefWithFallback } from \"../store/resolve-ref.js\"\nimport type { CredentialStore, StoreRef, StoredCredential } from \"../store/types.js\"\nimport { fetchWithDeadline, assertSecureUrl } from \"../http.js\"\nimport {\n openBrowser,\n postFormOAuth,\n pollDeviceGrant,\n tokenResponseSchema,\n type TokenSuccess,\n} from \"./device-grant.js\"\n\nconst DEVICE_CODE_GRANT_TYPE = \"urn:ietf:params:oauth:grant-type:device_code\"\nconst REFRESH_GRANT_TYPE = \"refresh_token\"\nconst DEFAULT_POLL_INTERVAL_S = 5\n\n/** Thrown by the device-code engine when `opts.refreshOnly` is set and no\n * fresh or refreshable credential is available — the only remaining path\n * would be an interactive ceremony, which `refreshOnly` callers explicitly\n * opt out of. Callers (e.g. `serve` boot on a headless host) catch this to\n * fall back to their own non-interactive behavior instead of hanging. */\nexport class CeremonyRequiredError extends Error {\n constructor(message: string) {\n super(message)\n this.name = \"CeremonyRequiredError\"\n }\n}\n\n// ── response schema ───────────────────────────────────────────────────────────\n//\n// JSON crosses a trust boundary here (the AS controls the bytes), so the\n// response is validated with Zod rather than asserted. `.loose()` keeps\n// unknown fields the spec may add.\n\nconst deviceAuthorizationResponseSchema = z\n .object({\n device_code: z.string(),\n user_code: z.string(),\n verification_uri: z.string(),\n verification_uri_complete: z.string().optional(),\n expires_in: z.number(),\n interval: z.number().optional(),\n })\n .loose()\n\n// ── helpers ──────────────────────────────────────────────────────────────────\n\nasync function postDeviceAuthorization(\n url: string,\n params: Record<string, string>,\n signal?: AbortSignal,\n) {\n const res = await fetchWithDeadline(url, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: new URLSearchParams(params).toString(),\n signal,\n })\n if (!res.ok) {\n const text = await res.text()\n throw new Error(`POST ${url} → ${res.status}: ${text}`)\n }\n return deviceAuthorizationResponseSchema.parse(await res.json())\n}\n\n/** Read a string metadata field without an `as` cast — `metadata` is\n * `Record<string, unknown>`, so every read is a runtime type check. */\nfunction metaString(\n metadata: Record<string, unknown> | undefined,\n key: string,\n): string | undefined {\n const v = metadata?.[key]\n return typeof v === \"string\" ? v : undefined\n}\n\nfunction isExpired(cred: StoredCredential): boolean {\n if (!cred.expiresAt) return false\n const t = Date.parse(cred.expiresAt)\n if (Number.isNaN(t)) return true\n return t <= Date.now()\n}\n\nfunction resultFromStored(cred: StoredCredential): FlowResult {\n const refreshToken = metaString(cred.metadata, \"refreshToken\")\n const scope = metaString(cred.metadata, \"scope\")\n const subject = metaString(cred.metadata, \"subject\")\n const revocationId = metaString(cred.metadata, \"revocationId\")\n return {\n accessToken: cred.value,\n tokenKind: \"daemon\",\n ...(refreshToken ? { refreshToken } : {}),\n ...(scope ? { scope } : {}),\n ...(subject ? { subject } : {}),\n ...(revocationId ? { revocationId } : {}),\n }\n}\n\n/** Refresh via `grant_type=refresh_token`. Returns null on any error\n * (expired / invalid_grant / server doesn't support the grant) so the\n * caller falls back to a full ceremony. */\nasync function refreshAccessToken(\n tokenEndpoint: string,\n refreshToken: string,\n clientId: string,\n signal?: AbortSignal,\n): Promise<TokenSuccess | null> {\n try {\n const data = await postFormOAuth(\n tokenEndpoint,\n {\n grant_type: REFRESH_GRANT_TYPE,\n refresh_token: refreshToken,\n client_id: clientId,\n },\n tokenResponseSchema,\n signal,\n )\n if (\"error\" in data) return null\n return data\n } catch {\n return null\n }\n}\n\nasync function persistAndResult(\n store: CredentialStore,\n ref: StoreRef,\n o: {\n accessToken: string\n expiresIn?: number\n refreshToken?: string\n scope?: string\n subject?: string\n deviceLabel?: string\n revocationId?: string\n },\n): Promise<FlowResult> {\n const expiresAt = o.expiresIn\n ? new Date(Date.now() + o.expiresIn * 1_000).toISOString()\n : undefined\n\n const metadata: Record<string, unknown> = {\n obtainedAt: new Date().toISOString(),\n ...(o.refreshToken ? { refreshToken: o.refreshToken } : {}),\n ...(o.scope ? { scope: o.scope } : {}),\n ...(o.subject ? { subject: o.subject } : {}),\n ...(o.deviceLabel ? { deviceLabel: o.deviceLabel } : {}),\n ...(o.revocationId ? { revocationId: o.revocationId } : {}),\n }\n\n await store.write(ref, {\n value: o.accessToken,\n kind: \"daemon\",\n ...(expiresAt ? { expiresAt } : {}),\n metadata,\n })\n\n return {\n accessToken: o.accessToken,\n tokenKind: \"daemon\",\n ...(o.refreshToken ? { refreshToken: o.refreshToken } : {}),\n ...(o.scope ? { scope: o.scope } : {}),\n ...(o.subject ? { subject: o.subject } : {}),\n ...(o.revocationId ? { revocationId: o.revocationId } : {}),\n }\n}\n\n// ── engine ───────────────────────────────────────────────────────────────────\n\nexport const deviceCodeFlowEngine: FlowEngine = {\n id: \"device-code\",\n\n async run(\n provider: AuthProviderHandle,\n discovered: DiscoveredEndpoints | null,\n opts: FlowRunOptions,\n ): Promise<FlowResult> {\n const { auth } = provider\n if (auth.flow !== \"device-code\") {\n throw new Error(`deviceCodeFlowEngine: invoked with flow=\"${auth.flow}\"`)\n }\n // `auth.flow === \"device-code\"` is guaranteed by the guard above, so the\n // discriminated union has already narrowed `auth` to DeviceCodeAuthConfig.\n const config = auth\n const clientId = config.clientId ?? \"agentproto-cli\"\n const server = opts.server.replace(/\\/$/, \"\")\n\n // Endpoint resolution — prefer live discovery, fall back to conventions.\n const deviceAuthorizationEndpoint =\n discovered?.deviceAuthorizationEndpoint ?? `${server}/oauth/device`\n const tokenEndpoint = discovered?.tokenEndpoint ?? `${server}/oauth/token`\n\n // AIP-50 §Security: auth requests MUST use HTTPS (loopback exempt for dev).\n assertSecureUrl(deviceAuthorizationEndpoint)\n assertSecureUrl(tokenEndpoint)\n\n const store = opts.store ?? new KeychainStore()\n const { ref, legacyRef } = resolveStoreRefs(\n config.tokenStore,\n server,\n provider.audience,\n )\n\n // Shared by both the ordinary cached path and `refreshOnly`: exchange a\n // stored refresh_token for a fresh access token, persisting the result.\n // Returns null (never throws) on a missing refresh_token or any grant\n // failure, so both callers can decide what to do next.\n async function tryRefresh(stored: StoredCredential): Promise<FlowResult | null> {\n const refreshToken = metaString(stored.metadata, \"refreshToken\")\n if (!refreshToken) return null\n const refreshed = await refreshAccessToken(\n tokenEndpoint,\n refreshToken,\n clientId,\n opts.signal,\n )\n if (!refreshed) return null\n return persistAndResult(store, ref, {\n accessToken: refreshed.access_token,\n expiresIn: refreshed.expires_in,\n refreshToken: refreshed.refresh_token ?? refreshToken,\n scope: refreshed.scope ?? metaString(stored.metadata, \"scope\"),\n subject: refreshed.subject ?? metaString(stored.metadata, \"subject\"),\n deviceLabel:\n config.deviceLabel ?? metaString(stored.metadata, \"deviceLabel\"),\n revocationId:\n refreshed.revocation_id ?? metaString(stored.metadata, \"revocationId\"),\n })\n }\n\n // `refreshOnly` — attempt only the cached/refresh path, never the\n // interactive ceremony. Distinct from the ordinary cached path below so\n // a refresh failure here throws instead of falling through.\n if (opts.refreshOnly) {\n const stored = await readStoreRefWithFallback(store, ref, legacyRef)\n if (stored) {\n if (!isExpired(stored)) {\n return resultFromStored(stored)\n }\n const refreshed = await tryRefresh(stored)\n if (refreshed) return refreshed\n }\n throw new CeremonyRequiredError(\n `${provider.id}: no fresh or refreshable device-code credential — an interactive ceremony would be required, but refreshOnly was set`,\n )\n }\n\n // Cached path — the stored credential IS the access token (pat-class\n // persistence). A fresh (or expiry-less) credential short-circuits the\n // ceremony entirely; an expired one with a refresh_token is renewed via\n // grant_type=refresh_token before falling back to a ceremony.\n if (!opts.force) {\n const stored = await readStoreRefWithFallback(store, ref, legacyRef)\n if (stored) {\n if (!isExpired(stored)) {\n return resultFromStored(stored)\n }\n const refreshed = await tryRefresh(stored)\n if (refreshed) return refreshed\n // refresh failed (expired / invalid_grant) — fall through to a ceremony\n }\n }\n\n // 1 — POST the device-authorization endpoint to start the ceremony\n const params: Record<string, string> = { client_id: clientId }\n if (config.scope) params.scope = config.scope\n if (config.deviceLabel) params.device_label = config.deviceLabel\n\n const authz = await postDeviceAuthorization(\n deviceAuthorizationEndpoint,\n params,\n opts.signal,\n )\n\n const intervalS = authz.interval ?? DEFAULT_POLL_INTERVAL_S\n const windowMin = Math.round(authz.expires_in / 60)\n\n // 2 — Print code + open browser\n process.stderr.write(`\\n`)\n process.stderr.write(` Approve ${provider.id} access in your browser\\n\\n`)\n process.stderr.write(` Code: ${authz.user_code}\\n`)\n process.stderr.write(` URL: ${authz.verification_uri}\\n\\n`)\n if (opts.openBrowser !== false) {\n await openBrowser(authz.verification_uri_complete ?? authz.verification_uri)\n }\n process.stderr.write(` Waiting for approval (${windowMin} min)…\\n\\n`)\n\n // 3 — Poll until approved / denied / expired\n const tokenResult = await pollDeviceGrant({\n tokenEndpoint,\n grantType: DEVICE_CODE_GRANT_TYPE,\n params: { device_code: authz.device_code, client_id: clientId },\n intervalS,\n expiresIn: authz.expires_in,\n signal: opts.signal,\n })\n\n // 4 — Persist the access token as the durable credential (pat-class).\n return persistAndResult(store, ref, {\n accessToken: tokenResult.access_token,\n expiresIn: tokenResult.expires_in,\n refreshToken: tokenResult.refresh_token,\n scope: tokenResult.scope,\n subject: tokenResult.subject,\n deviceLabel: config.deviceLabel,\n revocationId: tokenResult.revocation_id,\n })\n },\n}\n","/**\n * Flow engine registry — dispatch by `provider.auth.flow`.\n *\n * Add a new engine:\n * 1. Implement `FlowEngine` in a sibling file\n * 2. Add it here — no if/switch chains at call sites\n */\n\nimport type { FlowEngine } from \"../types.js\"\nimport { patFlowEngine } from \"./pat.js\"\nimport { serviceAuthFlowEngine } from \"./service-auth.js\"\nimport { deviceCodeFlowEngine } from \"./device-code.js\"\n\nexport const FLOW_ENGINES: Readonly<Record<string, FlowEngine>> = {\n [patFlowEngine.id]: patFlowEngine,\n [serviceAuthFlowEngine.id]: serviceAuthFlowEngine,\n [deviceCodeFlowEngine.id]: deviceCodeFlowEngine,\n}\n","/**\n * `runAuthFlow` — resolve provider → discover endpoints → dispatch to engine.\n *\n * Discovery is attempted silently; callers receive the result without knowing\n * whether live or static endpoint config was used. The flow engine receives\n * `null` for `discovered` if discovery failed or was not attempted.\n */\n\nimport { FLOW_ENGINES } from \"./flow-engines/index.js\"\nimport { discoverEndpoints, DiscoveryError } from \"./discover.js\"\nimport type {\n AuthProviderHandle,\n DiscoveredEndpoints,\n FlowResult,\n FlowRunOptions,\n} from \"./types.js\"\n\nexport interface RunFlowOptions extends FlowRunOptions {\n /** Pre-resolved endpoints (skip discovery). Pass null to force re-discovery. */\n discovered?: DiscoveredEndpoints | null\n /** Suppress debug output. Default: false. */\n quiet?: boolean\n}\n\nexport async function runAuthFlow(\n provider: AuthProviderHandle,\n opts: RunFlowOptions,\n): Promise<FlowResult> {\n const flowId = provider.auth.flow\n const engine = FLOW_ENGINES[flowId]\n if (!engine) {\n throw new Error(\n `runAuthFlow: unknown flow \"${flowId}\" — registered: ${Object.keys(FLOW_ENGINES).join(\", \")}`,\n )\n }\n\n // Discovery: try unless caller already provided endpoints\n let discovered: DiscoveredEndpoints | null =\n opts.discovered !== undefined ? opts.discovered : null\n\n if (\n discovered === null &&\n (flowId === \"service-auth\" || flowId === \"device-code\")\n ) {\n try {\n discovered = await discoverEndpoints(opts.server, { signal: opts.signal })\n } catch (err) {\n if (!opts.quiet) {\n const msg =\n err instanceof DiscoveryError\n ? err.message\n : `discovery failed: ${err}`\n process.stderr.write(`[auth] ${msg} — using static config\\n`)\n }\n }\n }\n\n return engine.run(provider, discovered, opts)\n}\n","/**\n * MemoryStore — in-process `CredentialStore` backed by a `Map`.\n *\n * Ephemeral: gone when the process exits. Used for tests and short-lived\n * tooling that shouldn't touch a real backend.\n */\n\nimport type { CredentialStore, StoreRef, StoredCredential } from \"./types.js\"\n\nfunction keyOf(ref: StoreRef): string {\n return `${ref.path}\u0000${ref.account ?? ref.path}`\n}\n\nexport class MemoryStore implements CredentialStore {\n private readonly entries = new Map<string, StoredCredential>()\n\n async read(ref: StoreRef): Promise<StoredCredential | undefined> {\n const entry = this.entries.get(keyOf(ref))\n return entry ? { ...entry } : undefined\n }\n\n async write(ref: StoreRef, cred: StoredCredential): Promise<void> {\n this.entries.set(keyOf(ref), { ...cred })\n }\n\n async delete(ref: StoreRef): Promise<void> {\n this.entries.delete(keyOf(ref))\n }\n}\n","/**\n * FileStore — encrypted-JSON-file `CredentialStore`.\n *\n * Every entry is sealed independently with AES-256-GCM under a key read from\n * `AGENTPROTO_STORE_KEY` (hex or base64, 32 raw bytes). There is no plaintext\n * fallback: a missing or malformed key throws rather than writing credentials\n * to disk in the clear.\n */\n\nimport {\n createCipheriv,\n createDecipheriv,\n randomBytes,\n} from \"node:crypto\"\nimport { mkdir, readFile, writeFile } from \"node:fs/promises\"\nimport { dirname } from \"node:path\"\nimport { z } from \"zod\"\nimport type { CredentialStore, StoreRef, StoredCredential } from \"./types.js\"\n\nconst ALGORITHM = \"aes-256-gcm\"\nconst KEY_ENV_VAR = \"AGENTPROTO_STORE_KEY\"\nconst IV_BYTES = 12\n\nconst sealedEntrySchema = z.object({\n iv: z.string(),\n tag: z.string(),\n ciphertext: z.string(),\n})\ntype SealedEntry = z.infer<typeof sealedEntrySchema>\n\nconst sealedFileSchema = z.record(z.string(), sealedEntrySchema)\n\nconst storedCredentialSchema = z.object({\n value: z.string(),\n kind: z.enum([\"pat\", \"assertion\", \"oat\", \"daemon\"]),\n expiresAt: z.string().optional(),\n metadata: z.record(z.string(), z.unknown()).optional(),\n})\n\nfunction keyOf(ref: StoreRef): string {\n return `${ref.path} ${ref.account ?? ref.path}`\n}\n\nfunction isEnoent(err: unknown): boolean {\n return (\n typeof err === \"object\" &&\n err !== null &&\n \"code\" in err &&\n err.code === \"ENOENT\"\n )\n}\n\n/** Decode `AGENTPROTO_STORE_KEY` (hex or base64) into exactly 32 raw bytes. */\nfunction loadKey(): Buffer {\n const raw = process.env[KEY_ENV_VAR]\n if (!raw) {\n throw new Error(\n `FileStore: missing ${KEY_ENV_VAR} — set a 32-byte key (64 hex chars, ` +\n `or base64) to use the encrypted file store. Refusing to store ` +\n `credentials in plaintext.`,\n )\n }\n const key = /^[0-9a-fA-F]{64}$/.test(raw)\n ? Buffer.from(raw, \"hex\")\n : Buffer.from(raw, \"base64\")\n if (key.length !== 32) {\n throw new Error(\n `FileStore: ${KEY_ENV_VAR} must decode to exactly 32 bytes (got ` +\n `${key.length}). Provide a 64-char hex string or base64 encoding 32 bytes.`,\n )\n }\n return key\n}\n\nfunction seal(key: Buffer, plaintext: string): SealedEntry {\n const iv = randomBytes(IV_BYTES)\n const cipher = createCipheriv(ALGORITHM, key, iv)\n const ciphertext = Buffer.concat([\n cipher.update(plaintext, \"utf8\"),\n cipher.final(),\n ])\n return {\n iv: iv.toString(\"base64\"),\n tag: cipher.getAuthTag().toString(\"base64\"),\n ciphertext: ciphertext.toString(\"base64\"),\n }\n}\n\nfunction unseal(key: Buffer, entry: SealedEntry): string {\n const decipher = createDecipheriv(\n ALGORITHM,\n key,\n Buffer.from(entry.iv, \"base64\"),\n )\n decipher.setAuthTag(Buffer.from(entry.tag, \"base64\"))\n const plaintext = Buffer.concat([\n decipher.update(Buffer.from(entry.ciphertext, \"base64\")),\n decipher.final(),\n ])\n return plaintext.toString(\"utf8\")\n}\n\nexport class FileStore implements CredentialStore {\n constructor(private readonly filePath: string) {}\n\n async read(ref: StoreRef): Promise<StoredCredential | undefined> {\n const key = loadKey()\n const file = await this.readFile()\n const sealed = file[keyOf(ref)]\n if (!sealed) return undefined\n return storedCredentialSchema.parse(JSON.parse(unseal(key, sealed)))\n }\n\n async write(ref: StoreRef, cred: StoredCredential): Promise<void> {\n const key = loadKey()\n const file = await this.readFile()\n file[keyOf(ref)] = seal(key, JSON.stringify(cred))\n await this.writeFile(file)\n }\n\n async delete(ref: StoreRef): Promise<void> {\n const file = await this.readFile()\n delete file[keyOf(ref)]\n await this.writeFile(file)\n }\n\n private async readFile(): Promise<Record<string, SealedEntry>> {\n try {\n const raw = await readFile(this.filePath, \"utf8\")\n return sealedFileSchema.parse(JSON.parse(raw))\n } catch (err) {\n if (isEnoent(err)) return {}\n throw err\n }\n }\n\n private async writeFile(file: Record<string, SealedEntry>): Promise<void> {\n await mkdir(dirname(this.filePath), { recursive: true })\n await writeFile(this.filePath, JSON.stringify(file, null, 2), \"utf8\")\n }\n}\n","/**\n * CredentialBroker — resolve ready-to-use auth headers for a `<providerId>`\n * or `<providerId>/<account>` path, auto-refreshing via the flow engine when\n * the stored credential is missing, expired, or not directly usable.\n *\n * Agent.pw-parity API: callers ask for headers by path and never touch\n * tokens, flows, or the underlying store directly.\n */\n\nimport { runAuthFlow } from \"./run-flow.js\"\nimport { resolveStoreRefs, readStoreRefWithFallback } from \"./store/resolve-ref.js\"\nimport type { CredentialStore, StoredCredential } from \"./store/types.js\"\nimport type { AuthProviderHandle } from \"./types.js\"\n\n/** Refresh this long before the actual expiry, so a credential that's about\n * to expire mid-request gets renewed proactively instead of failing. */\nconst EXPIRY_SKEW_MS = 60_000\n\nexport interface CredentialBrokerOptions {\n /** Backend to read cached credentials from and persist refreshed ones to. */\n store: CredentialStore\n /** Provider lookup — pass `getAuthProvider` from the registry, or a custom\n * resolver (e.g. scoped to a single host's providers). */\n getProvider: (id: string) => AuthProviderHandle | undefined\n}\n\ninterface ParsedPath {\n providerId: string\n account?: string\n}\n\n/** Split `\"<providerId>\"` or `\"<providerId>/<account>\"` on the first `/`. */\nfunction parsePath(path: string): ParsedPath {\n const slash = path.indexOf(\"/\")\n if (slash === -1) return { providerId: path }\n return { providerId: path.slice(0, slash), account: path.slice(slash + 1) }\n}\n\n/** `expiresAt` in the future (past the refresh skew), or absent entirely. A\n * malformed `expiresAt` is treated as expired — refresh rather than risk\n * serving a header that a downstream API will reject. */\nfunction isFresh(cred: StoredCredential): boolean {\n if (!cred.expiresAt) return true\n const expiresAtMs = Date.parse(cred.expiresAt)\n if (Number.isNaN(expiresAtMs)) return false\n return expiresAtMs - EXPIRY_SKEW_MS > Date.now()\n}\n\n/** Header map for a credential usable as a bearer token directly, or\n * `undefined` when it isn't. `assertion` is never bearer-usable — it must be\n * exchanged by a flow engine first — so it always falls through to\n * `runAuthFlow`. */\nfunction bearerHeaders(\n value: string,\n kind: StoredCredential[\"kind\"],\n): Record<string, string> | undefined {\n if (kind === \"pat\" || kind === \"oat\" || kind === \"daemon\") {\n return { Authorization: `Bearer ${value}` }\n }\n return undefined\n}\n\nexport class CredentialBroker {\n private readonly store: CredentialStore\n private readonly getProvider: (id: string) => AuthProviderHandle | undefined\n\n constructor(opts: CredentialBrokerOptions) {\n this.store = opts.store\n this.getProvider = opts.getProvider\n }\n\n async resolveHeaders(o: {\n path: string\n server?: string\n signal?: AbortSignal\n /** Audience the caller expects this credential to be scoped to. Checked\n * only when the resolved provider also declares one — see the mismatch\n * error below. Does not itself change which store key is read; the\n * provider's own `audience` (not the caller's) determines that. */\n audience?: string\n }): Promise<Record<string, string>> {\n const { providerId, account } = parsePath(o.path)\n const provider = this.getProvider(providerId)\n if (!provider) {\n throw new Error(`CredentialBroker: unknown auth provider \"${providerId}\"`)\n }\n\n if (\n o.audience !== undefined &&\n provider.audience !== undefined &&\n o.audience !== provider.audience\n ) {\n throw new Error(\n `CredentialBroker: provider \"${providerId}\" is scoped to audience \"${provider.audience}\", requested \"${o.audience}\"`,\n )\n }\n\n const server = o.server ?? provider.apiBase\n const { ref, legacyRef } = resolveStoreRefs(\n provider.auth.tokenStore,\n server,\n provider.audience,\n )\n if (account !== undefined) {\n ref.account = account\n legacyRef.account = account\n }\n\n const stored = await readStoreRefWithFallback(this.store, ref, legacyRef)\n if (stored && isFresh(stored)) {\n const headers = bearerHeaders(stored.value, stored.kind)\n if (headers) return headers\n }\n\n const result = await runAuthFlow(provider, {\n server,\n store: this.store,\n signal: o.signal,\n })\n const headers =\n result.accessToken !== undefined\n ? bearerHeaders(result.accessToken, result.tokenKind)\n : undefined\n if (!headers) {\n throw new Error(\n `CredentialBroker: auth flow for \"${providerId}\" produced no usable access token`,\n )\n }\n return headers\n }\n}\n","/**\n * @agentproto/auth — AIP-50 AUTH.md reference implementation.\n *\n * Public API:\n * defineAuthProvider(def) — TS-literal authoring (frozen handle)\n * parseAuthProviderManifest(source) — .md authoring (gray-matter + Zod)\n * registerAuthProvider(handle) — extend the module-level registry\n * getAuthProvider(id) — lookup by vendor id\n * listAuthProviderIds() — enumerate known providers\n * discoverEndpoints(apiBase) — two-hop PRM → AS metadata discovery\n * runAuthFlow(provider, opts) — resolve + discover + dispatch to engine\n * FLOW_ENGINES — registered flow engines (pat, …)\n * CeremonyRequiredError — thrown by device-code's refreshOnly\n * mode when only an interactive\n * ceremony would satisfy the request\n * writeKeychainToken(svc, acct, t) — persist a credential to Keychain\n * readKeychainToken(svc, acct) — read a credential from Keychain\n * resolveAccount(acct, server) — expand {server} template\n * KeychainStore / MemoryStore / FileStore — built-in CredentialStore backends\n * resolveStoreRef(spec, server) — map a TokenStoreSpec to a StoreRef\n * CredentialBroker — path → ready-to-use auth headers\n */\n\nexport { defineAuthProvider } from \"./define-auth-provider.js\"\nexport {\n parseAuthProviderManifest,\n parseAuthProviderManifestRaw,\n type AuthProviderManifest,\n} from \"./manifest.js\"\nexport {\n registerAuthProvider,\n getAuthProvider,\n listAuthProviders,\n listAuthProviderIds,\n} from \"./registry.js\"\nexport {\n discoverEndpoints,\n DiscoveryError,\n} from \"./discover.js\"\nexport { runAuthFlow, type RunFlowOptions } from \"./run-flow.js\"\nexport { FLOW_ENGINES } from \"./flow-engines/index.js\"\nexport { CeremonyRequiredError } from \"./flow-engines/device-code.js\"\nexport {\n readKeychainToken,\n writeKeychainToken,\n resolveAccount,\n} from \"./token-store.js\"\nexport { KeychainStore } from \"./store/keychain-store.js\"\nexport { MemoryStore } from \"./store/memory-store.js\"\nexport { FileStore } from \"./store/file-store.js\"\nexport { resolveStoreRef } from \"./store/resolve-ref.js\"\nexport type {\n CredentialStore,\n StoreRef,\n StoredCredential,\n} from \"./store/types.js\"\nexport { CredentialBroker, type CredentialBrokerOptions } from \"./broker.js\"\nexport { guildeAuthProvider, BUILTIN_AUTH_PROVIDERS } from \"./builtins.js\"\nexport {\n authProviderFrontmatterSchema,\n authConfigSchema,\n tokenStoreSpecSchema,\n installConfigSchema,\n type AuthProviderFrontmatter,\n} from \"./schema.js\"\nexport type {\n AuthProviderDefinition,\n AuthProviderHandle,\n AuthConfig,\n PATAuthConfig,\n ServiceAuthConfig,\n DeviceCodeAuthConfig,\n InstallConfig,\n TokenStoreSpec,\n FlowEngine,\n FlowId,\n FlowResult,\n FlowRunOptions,\n DiscoveredEndpoints,\n} from \"./types.js\"\n\nexport const SPEC_NAME = \"agentauth\"\nexport const SPEC_VERSION = \"v1\"\n"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@agentproto/auth",
3
- "version": "0.1.0-alpha.0",
3
+ "version": "0.1.1",
4
4
  "description": "@agentproto/auth — AIP-50 AUTH.md reference implementation. Auth-provider doctype: how CLI tools and agents authenticate to API servers via a standardized discovery chain and pluggable flow engines, aligned to the WorkOS auth.md open standard.",
5
5
  "keywords": [
6
6
  "agentproto",
@@ -19,7 +19,7 @@
19
19
  "bugs": {
20
20
  "url": "https://github.com/agentproto/ts/issues"
21
21
  },
22
- "license": "MIT",
22
+ "license": "Apache-2.0",
23
23
  "type": "module",
24
24
  "main": "dist/index.mjs",
25
25
  "module": "dist/index.mjs",
@@ -34,6 +34,7 @@
34
34
  },
35
35
  "files": [
36
36
  "dist",
37
+ "skill",
37
38
  "README.md",
38
39
  "LICENSE"
39
40
  ],
@@ -43,7 +44,7 @@
43
44
  "dependencies": {
44
45
  "gray-matter": "^4.0.3",
45
46
  "zod": "^4.4.3",
46
- "@agentproto/define-doctype": "0.1.0"
47
+ "@agentproto/define-doctype": "0.1.1"
47
48
  },
48
49
  "devDependencies": {
49
50
  "@types/node": "^25.6.2",
@@ -0,0 +1,131 @@
1
+ ---
2
+ name: auth
3
+ description:
4
+ Authenticate an agentproto agent or MCP connector to a service via
5
+ @agentproto/auth's credential broker — declare an auth provider
6
+ (pat / service-auth / device-code), store the credential ONCE in a
7
+ CredentialStore, and resolve fresh Authorization headers at call/connect
8
+ time. Use to wire a Bearer/OAuth API (agentpush, a hosted MCP server, an
9
+ internal service) into an agent WITHOUT putting secrets in env vars or
10
+ .mcp.json.
11
+ metadata:
12
+ tags: agentproto, auth, aip-50, credentials, broker, mcp, secrets, bearer, oauth
13
+ ---
14
+
15
+ ## When to use
16
+
17
+ Reach for this whenever an agent (or a child MCP it mounts) must present a
18
+ credential to a remote service and you don't want that secret sprayed into the
19
+ daemon's global env or hardcoded in a config file. The hallmark: "how do I give
20
+ this agent access to `<service>` without leaking the key to every other agent?"
21
+
22
+ - A tool/agent calls a Bearer API (agentpush, Stripe, an internal API).
23
+ - A hosted/remote MCP server needs an `Authorization` header.
24
+ - You want ONE place to store a key, scoped per service, resolved fresh (with
25
+ refresh) at use-time instead of a long-lived env var.
26
+
27
+ Do NOT use for the daemon's own tunnel login (that's `agentproto auth login`, a
28
+ device-code flow already wired) — though it uses the same substrate underneath.
29
+
30
+ ## The model — one source of truth, resolved on demand
31
+
32
+ ```
33
+ auth provider (declares WHERE/HOW) ──┐
34
+ CredentialStore (holds the secret) ──┤─▶ CredentialBroker.resolveHeaders({ path, audience })
35
+ │ → { Authorization: "Bearer …" } (fresh, per call)
36
+ ```
37
+
38
+ - **Provider** — a manifest declaring a service's `id`, `apiBase`, and `auth`
39
+ flow. Config only, never the secret. Registered once (`registerAuthProvider`).
40
+ - **CredentialStore** — where the secret lives: `KeychainStore` (macOS CLI),
41
+ `FileStore` (AES-256-GCM, headless — key from `AGENTPROTO_STORE_KEY`),
42
+ `MemoryStore` (tests). Swap the backend, same interface.
43
+ - **Broker** — `resolveHeaders({ path, audience?, signal? })` turns a provider
44
+ `path` into ready-to-use headers: serves a fresh stored bearer, else runs the
45
+ flow. `audience` (`api` / `mcp` / `tunnel`) scopes the credential so it can't
46
+ be reused cross-plane.
47
+ - **Flows** — pick one per service: `pat` (static token you store/paste),
48
+ `service-auth` (auth.md claim ceremony → short oat + durable assertion),
49
+ `device-code` (RFC 8628 → durable daemon token + refresh).
50
+
51
+ ## Recipe
52
+
53
+ ### 1. Declare + register the provider
54
+
55
+ TS literal (builtin/tests):
56
+ ```ts
57
+ import { defineAuthProvider, registerAuthProvider } from "@agentproto/auth"
58
+
59
+ registerAuthProvider(defineAuthProvider({
60
+ id: "agentpush",
61
+ description: "AgentPush API — paste a personal API key.",
62
+ apiBase: "https://api.agentpush.example",
63
+ audience: "mcp", // or "api"
64
+ auth: { flow: "pat", tokenStore: { keychain: "agentpush", account: "{server}" } },
65
+ }))
66
+ ```
67
+ Or ship a vendor `*.auth.md` and `parseAuthProviderManifest(...)` → `registerAuthProvider(...)` — a host adds providers without editing this package.
68
+
69
+ ### 2. Store the secret ONCE (out of env, into the store)
70
+
71
+ ```ts
72
+ import { KeychainStore, resolveStoreRef, getAuthProvider } from "@agentproto/auth"
73
+
74
+ const p = getAuthProvider("agentpush")!
75
+ const store = new KeychainStore() // or FileStore for headless
76
+ await store.write(resolveStoreRef(p.auth.tokenStore, p.apiBase, p.audience),
77
+ { value: process.env.AGENTPUSH_API_KEY!, kind: "pat" })
78
+ ```
79
+ Do this once (onboarding / a `secrets set` step) — then delete the env var.
80
+
81
+ ### 3. Resolve at use-time
82
+
83
+ ```ts
84
+ import { CredentialBroker, getAuthProvider } from "@agentproto/auth"
85
+
86
+ const broker = new CredentialBroker({ store, getProvider: getAuthProvider })
87
+ const headers = await broker.resolveHeaders({ path: "agentpush", audience: "mcp" })
88
+ // → { Authorization: "Bearer …" } — attach to your fetch / MCP transport
89
+ ```
90
+ Fresh every call; for `service-auth`/`device-code` it auto-refreshes. No secret
91
+ touches env or `.mcp.json`.
92
+
93
+ ## Two consumption paths
94
+
95
+ **A. Agent calls the service in its own code/tool.** Works TODAY: resolve via the
96
+ broker (step 3) and attach the header. Nothing else to wire.
97
+
98
+ **B. Service exposed as a child MCP the agent mounts.** The clean target is a
99
+ **`credentialRef`** on the child-mcp spec that the daemon resolves via the broker
100
+ at connect-time (the `mcp-header` exposure pattern — `resolveMcpHeaderExposure`
101
+ turns a `credentialPath` into headers via a structural resolver the broker
102
+ satisfies). **Gap:** `agent_start.mcpServers` today carries only
103
+ `{ name, ref, transport }` — no `headers`/`credentialRef` — so brokered auth
104
+ can't yet reach a child MCP at mount. Until that plumbing lands, either use path
105
+ A, or resolve the header at spawn and pass it through your own mount path.
106
+
107
+ ## Worked example — agentpush
108
+
109
+ agentpush uses a static Bearer key. Clean-auth wiring:
110
+ 1. Register `agentpush` as a `pat` provider (step 1), `audience: "mcp"`.
111
+ 2. Move `AGENTPUSH_API_KEY` from the daemon env into the store (step 2).
112
+ 3. In-code callers resolve `broker.resolveHeaders({ path: "agentpush" })` (path A) —
113
+ works now, key out of the global env, scoped to this agent.
114
+ 4. For agentpush-as-child-MCP (path B), a `credentialRef: "agentpush"` on the
115
+ child-mcp spec + daemon broker-resolve-at-connect is the north star (reuses
116
+ everything here; needs the `agent_start.mcpServers` credentialRef plumbing).
117
+
118
+ ## Common mistakes
119
+
120
+ - **Storing the key in the daemon's global env** — every spawned agent inherits
121
+ it. The whole point of the store is per-service, per-spawn scoping.
122
+ - **Skipping `audience`** — set it (`api`/`mcp`/`tunnel`) so a credential minted
123
+ for one plane can't be presented on another (defense-in-depth; the normative
124
+ boundary is server-side).
125
+ - **Caching `resolveHeaders` output** — resolve per call; the broker owns
126
+ freshness/refresh. A cached header defeats `service-auth`/`device-code` refresh.
127
+ - **`pat` where the service issues short-lived tokens** — use `service-auth`
128
+ (mint + refresh) instead of pasting a token that expires.
129
+ - **Wrong header shape** — `resolveHeaders` returns a header map; a service that
130
+ wants `X-Api-Key` (not `Authorization`) needs the provider/flow to emit that
131
+ shape, not a Bearer.