@apart-tech/intelligence-core 1.11.4 → 1.11.5
- package/dist/auth/ability.d.ts +148 -0
- package/dist/auth/ability.d.ts.map +1 -0
- package/dist/auth/ability.js +285 -0
- package/dist/auth/ability.js.map +1 -0
- package/dist/auth/ability.test.d.ts +2 -0
- package/dist/auth/ability.test.d.ts.map +1 -0
- package/dist/auth/ability.test.js +680 -0
- package/dist/auth/ability.test.js.map +1 -0
- package/dist/auth/delegation-jwt.d.ts +167 -0
- package/dist/auth/delegation-jwt.d.ts.map +1 -0
- package/dist/auth/delegation-jwt.js +237 -0
- package/dist/auth/delegation-jwt.js.map +1 -0
- package/dist/auth/delegation-jwt.test.d.ts +2 -0
- package/dist/auth/delegation-jwt.test.d.ts.map +1 -0
- package/dist/auth/delegation-jwt.test.js +283 -0
- package/dist/auth/delegation-jwt.test.js.map +1 -0
- package/dist/auth/principal.d.ts +94 -0
- package/dist/auth/principal.d.ts.map +1 -0
- package/dist/auth/principal.js +33 -0
- package/dist/auth/principal.js.map +1 -0
- package/dist/config/config.test.d.ts +2 -0
- package/dist/config/config.test.d.ts.map +1 -0
- package/dist/config/config.test.js +57 -0
- package/dist/config/config.test.js.map +1 -0
- package/dist/config/index.d.ts.map +1 -1
- package/dist/config/index.js +17 -0
- package/dist/config/index.js.map +1 -1
- package/dist/index.d.ts +13 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +6 -0
- package/dist/index.js.map +1 -1
- package/dist/lib/__tests__/jwt.test.d.ts +2 -0
- package/dist/lib/__tests__/jwt.test.d.ts.map +1 -0
- package/dist/lib/__tests__/jwt.test.js +97 -0
- package/dist/lib/__tests__/jwt.test.js.map +1 -0
- package/dist/lib/jwt.d.ts +20 -0
- package/dist/lib/jwt.d.ts.map +1 -1
- package/dist/lib/jwt.js +56 -3
- package/dist/lib/jwt.js.map +1 -1
- package/dist/services/__tests__/delegation-cleanup-service.test.d.ts +2 -0
- package/dist/services/__tests__/delegation-cleanup-service.test.d.ts.map +1 -0
- package/dist/services/__tests__/delegation-cleanup-service.test.js +211 -0
- package/dist/services/__tests__/delegation-cleanup-service.test.js.map +1 -0
- package/dist/services/agent-run-service.d.ts +44 -7
- package/dist/services/agent-run-service.d.ts.map +1 -1
- package/dist/services/agent-run-service.js +14 -0
- package/dist/services/agent-run-service.js.map +1 -1
- package/dist/services/agent-schedule-service.d.ts +21 -0
- package/dist/services/agent-schedule-service.d.ts.map +1 -1
- package/dist/services/agent-schedule-service.js +12 -0
- package/dist/services/agent-schedule-service.js.map +1 -1
- package/dist/services/audit-event-service.d.ts +76 -0
- package/dist/services/audit-event-service.d.ts.map +1 -0
- package/dist/services/audit-event-service.js +48 -0
- package/dist/services/audit-event-service.js.map +1 -0
- package/dist/services/delegation-cleanup-service.d.ts +133 -0
- package/dist/services/delegation-cleanup-service.d.ts.map +1 -0
- package/dist/services/delegation-cleanup-service.js +111 -0
- package/dist/services/delegation-cleanup-service.js.map +1 -0
- package/dist/services/edge-service.d.ts.map +1 -1
- package/dist/services/edge-service.js +3 -0
- package/dist/services/edge-service.js.map +1 -1
- package/dist/services/org-agent-type-service.d.ts +15 -0
- package/dist/services/org-agent-type-service.d.ts.map +1 -1
- package/dist/services/org-agent-type-service.js +2 -0
- package/dist/services/org-agent-type-service.js.map +1 -1
- package/dist/services/usage-service.d.ts +48 -0
- package/dist/services/usage-service.d.ts.map +1 -0
- package/dist/services/usage-service.js +116 -0
- package/dist/services/usage-service.js.map +1 -0
- package/dist/services/user-service.d.ts.map +1 -1
- package/dist/services/user-service.js +24 -6
- package/dist/services/user-service.js.map +1 -1
- package/dist/services/user-service.test.d.ts +2 -0
- package/dist/services/user-service.test.d.ts.map +1 -0
- package/dist/services/user-service.test.js +86 -0
- package/dist/services/user-service.test.js.map +1 -0
- package/dist/types/index.d.ts +13 -0
- package/dist/types/index.d.ts.map +1 -1
- package/package.json +3 -2
- package/prisma/schema.prisma +158 -82
- package/dist/db/schema.d.ts +0 -507
- package/dist/db/schema.d.ts.map +0 -1
- package/dist/db/schema.js +0 -77
- package/dist/db/schema.js.map +0 -1
|
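--- a/package/dist/services/agent-schedule-service.d.ts
+++ b/package/dist/services/agent-schedule-service.d.ts
@@ -16,6 +16,19 @@ export interface AgentScheduleRecord {
 createdBy: string;
 createdAt: Date;
 updatedAt: Date;
+/** Phase 1d follow-up (story 663c97e3): populated for OAuth-created
+* schedules that participate in the delegation flow. The trigger
+* route uses this presence check to shape-switch between the legacy
+* api-key path and the scheduled-delegated AgentAuth variant. */
+agentId: string | null;
+scheduledByUserId: string | null;
+/** Frozen CASL rule set computed at schedule-creation time via
+* `intersect(userAbility, orgAgentType.intrinsicPolicy)`. Null for
+* api-key-authored schedules and for any schedule created before
+* story 663c97e3 shipped. `unknown` rather than `AppRawRule[]` here
+* because the Principal module deliberately avoids importing CASL
+* types — the orchestrator narrows at the read site. */
+capturedAbility: unknown;
 }
 export interface CreateAgentScheduleInput {
 name: string;
@@ -26,6 +39,14 @@ export interface CreateAgentScheduleInput {
 prompt: string;
 model?: string;
 workspace?: string;
+/** Phase 1d follow-up: set together for OAuth-created schedules that
+* should fire as delegated agents. All three must be provided in the
+* same call; the service does not enforce the tri-state because the
+* route handler is the only caller that knows whether the request
+* came from a user or an API key. */
+scheduledByUserId?: string;
+agentId?: string | null;
+capturedAbility?: unknown;
 }
 export interface UpdateAgentScheduleInput {
 name?: string;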
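Review bot: `CreateAgentScheduleInput` leaves `scheduledByUserId`, `agentId` and `capturedAbility` independently optional, and its own doc comment says the service does not enforce that they are set together, so a half-populated delegated schedule is representable; the `create` hunk in agent-schedule-service.js writes each field as given. Because the `AgentScheduleRecord` comment says the trigger route switches auth paths on a presence check, a row with `agentId` set but `capturedAbility` null could reach the delegated path without a frozen rule set; how the orchestrator treats that case is not visible in this diff. Group the three into one optional member, e.g. `delegation?: { scheduledByUserId: string; agentId: string | null; capturedAbility: unknown };`, or have `create` reject input where only some of them are defined. This file is compiled output, so the change belongs in `src/services/agent-schedule-service.ts`.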
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"agent-schedule-service.d.ts","sourceRoot":"","sources":["../../src/services/agent-schedule-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,
|
|
1
|
+
{"version":3,"file":"agent-schedule-service.d.ts","sourceRoot":"","sources":["../../src/services/agent-schedule-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAU,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAiB3D,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;IAChB;;;sEAGkE;IAClE,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC;;;;;6DAKyD;IACzD,eAAe,EAAE,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,wBAAwB;IACvC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;0CAIsC;IACtC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,WAAW,wBAAwB;IACvC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED,qBAAa,oBAAoB;IACnB,OAAO,CAAC,EAAE;gBAAF,EAAE,EAAE,YAAY;IAE9B,MAAM,CACV,cAAc,EAAE,MAAM,EACtB,KAAK,EAAE,wBAAwB,EAC/B,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,mBAAmB,CAAC;IA8BzB,MAAM,CACV,EAAE,EAAE,MAAM,EACV,cAAc,EAAE,MAAM,EACtB,KAAK,EAAE,wBAAwB,GAC9B,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAsBhC,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAW5D,OAAO,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAQhF,IAAI,CACR,cAAc,EAAE,MAAM,EACtB,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC
,EAAE,OAAO,CAAA;KAAE,GAC3B,OAAO,CAAC,mBAAmB,EAAE,CAAC;IAW3B,UAAU,CACd,EAAE,EAAE,MAAM,EACV,cAAc,EAAE,MAAM,EACtB,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAYhC,aAAa,CACjB,EAAE,EAAE,MAAM,EACV,cAAc,EAAE,MAAM,EACtB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC;IAOV,aAAa,CACjB,EAAE,EAAE,MAAM,EACV,cAAc,EAAE,MAAM,EACtB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,IAAI,CAAC;IAUV,kBAAkB,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IASpF,OAAO,CAAC,QAAQ;CAuBjB"}
|
|
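--- a/package/dist/services/agent-schedule-service.js
+++ b/package/dist/services/agent-schedule-service.js
@@ -30,6 +30,15 @@ export class AgentScheduleService {
 apiKeyEncrypted: encrypt(rawApiKey),
 apiKeyHash: hashApiKey(rawApiKey),
 createdBy,
+// Phase 1d follow-up columns. All three default to null — only
+// OAuth-created schedules populated by the route handler carry
+// them. Prisma's typed null handling: pass `undefined` to leave
+// the column unset, a concrete value to write.
+scheduledByUserId: input.scheduledByUserId,
+agentId: input.agentId ?? undefined,
+capturedAbility: input.capturedAbility === undefined
+? undefined
+: input.capturedAbility,
 },
 });
 return this.toRecord(schedule);
@@ -139,6 +148,9 @@ export class AgentScheduleService {
 createdBy: schedule.createdBy,
 createdAt: schedule.createdAt,
 updatedAt: schedule.updatedAt,
+agentId: schedule.agentId ?? null,
+scheduledByUserId: schedule.scheduledByUserId ?? null,
+capturedAbility: schedule.capturedAbility ?? null,
 };
 }
 }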
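Review bot: Returning `capturedAbility` and `scheduledByUserId` from `toRecord` (second hunk) puts the frozen authorization rule set and the scheduling user's id on every `AgentScheduleRecord`, including the one `create` returns in the first hunk, so any route that serializes a record unchanged would disclose them to whoever can read schedules. The routes are not part of this package diff, so that has to be checked at the call sites. Consider a comment on the mapping such as `// authorization state: strip capturedAbility/scheduledByUserId before returning a record to API clients`, or a separate internal projection used only by the trigger path. Separately, the ternary `input.capturedAbility === undefined ? undefined : input.capturedAbility` in the first hunk is equivalent to `input.capturedAbility` in the emitted JS. Both enclosing methods start and end outside the hunks.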
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"agent-schedule-service.js","sourceRoot":"","sources":["../../src/services/agent-schedule-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAE9D,SAAS,OAAO,CAAC,SAAiB;IAChC,OAAO,aAAa,CAAC,SAAS,EAAE,iBAAiB,EAAE,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,OAAO,CAAC,OAAe;IAC9B,OAAO,aAAa,CAAC,OAAO,EAAE,iBAAiB,EAAE,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,UAAU,CAAC,MAAc;IAChC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC3D,CAAC;
|
|
1
|
+
{"version":3,"file":"agent-schedule-service.js","sourceRoot":"","sources":["../../src/services/agent-schedule-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAE9D,SAAS,OAAO,CAAC,SAAiB;IAChC,OAAO,aAAa,CAAC,SAAS,EAAE,iBAAiB,EAAE,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,OAAO,CAAC,OAAe;IAC9B,OAAO,aAAa,CAAC,OAAO,EAAE,iBAAiB,EAAE,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,UAAU,CAAC,MAAc;IAChC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC3D,CAAC;AAgED,MAAM,OAAO,oBAAoB;IACX;IAApB,YAAoB,EAAgB;QAAhB,OAAE,GAAF,EAAE,CAAc;IAAG,CAAC;IAExC,KAAK,CAAC,MAAM,CACV,cAAsB,EACtB,KAA+B,EAC/B,SAAiB,EACjB,SAAiB;QAEjB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;YAClD,IAAI,EAAE;gBACJ,cAAc;gBACd,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,EAAE;gBACpC,cAAc,EAAE,KAAK,CAAC,cAAc;gBACpC,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,KAAK;gBACjC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,YAAY;gBAC1C,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,QAAQ;gBAC9B,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBAClC,eAAe,EAAE,OAAO,CAAC,SAAS,CAAC;gBACnC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC;gBACjC,SAAS;gBACT,+DAA+D;gBAC/D,+DAA+D;gBAC/D,gEAAgE;gBAChE,+CAA+C;gBAC/C,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;gBAC1C,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,SAAS;gBACnC,eAAe,EACb,KAAK,CAAC,eAAe,KAAK,SAAS;oBACjC,CAAC,CAAC,SAAS;oBACX,CAAC,CAAE,KAAK,CAAC,eAAyC;aACvD;SACF,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,MAAM,CACV,EAAU,EACV,cAAsB,EACtB,KAA+B;QAE/B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;gBAClD,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE;gBAC7B,IAAI,EAAE;oBACJ,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACzD,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC9E,GAAG,CAAC,KAAK,CAAC,cAAc,KAAK,SAAS,CAAC,C
AAC,CAAC,EAAE,cAAc,EAAE,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvF,GAAG,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACrE,GAAG,CAAC,KAAK,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACxE,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC/D,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC5D,GAAG,CAAC,KAAK,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACxE,SAAS,EAAE,IAAI,IAAI,EAAE;iBACtB;aACF,CAAC,CAAC;YACH,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU,EAAE,cAAsB;QAC7C,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;gBACjC,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE;aAC9B,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,EAAU,EAAE,cAAsB;QAC9C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,SAAS,CAAC;YACrD,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE;SAC9B,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC3B,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,IAAI,CACR,cAAsB,EACtB,IAA4B;QAE5B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC;YACrD,KAAK,EAAE;gBACL,cAAc;gBACd,GAAG,CAAC,IAAI,EAAE,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAClE;YACD,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;SAC/B,CAAC,CAAC;QACH,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,UAAU,CACd,EAAU,EACV,cAAsB,EACtB,OAAgB;QAEhB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;gBAClD,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE;gBAC7B,IAAI,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE;aACzC,CAAC,C
AAC;YACH,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,EAAU,EACV,cAAsB,EACtB,UAAkB;QAElB,MAAM,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;YACjC,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE;YAC7B,IAAI,EAAE,EAAE,UAAU,EAAE;SACrB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,EAAU,EACV,cAAsB,EACtB,KAAa;QAEb,MAAM,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;YACjC,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE;YAC7B,IAAI,EAAE;gBACJ,eAAe,EAAE,IAAI,IAAI,EAAE;gBAC3B,SAAS,EAAE,KAAK;aACjB;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,EAAU,EAAE,cAAsB;QACzD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,SAAS,CAAC;YACrD,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE;YAC7B,MAAM,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE;SAClC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC3B,OAAO,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;IAC3C,CAAC;IAEO,QAAQ,CAAC,QAAa;QAC5B,OAAO;YACL,EAAE,EAAE,QAAQ,CAAC,EAAE;YACf,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,cAAc,EAAE,QAAQ,CAAC,cAAc;YACvC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,OAAO,EAAE,QAAQ,CAAC,OAAO;YACzB,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,eAAe,EAAE,QAAQ,CAAC,eAAe;YACzC,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,IAAI;YACjC,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB,IAAI,IAAI;YACrD,eAAe,EAAE,QAAQ,CAAC,eAAe,IAAI,IAAI;SAClD,CAAC;IACJ,CAAC;CACF"}
|
|
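--- a/package/dist/services/audit-event-service.d.ts
+++ b/package/dist/services/audit-event-service.d.ts
@@ -0,0 +1,76 @@
+import type { PrismaClient } from "@prisma/client";
+/**
+* Minimal audit-event writer (Phase 1d).
+*
+* The `audit_events` table was added in Phase 1c but no code path
+* populated it. Phase 1d is the first sub-phase that writes rows: the
+* spawn path records `delegation.mint` on every agent run that is
+* created, and the execution-side middleware (sub-commit 4) records
+* `delegation.verify` on every delegation-token authorization check.
+*
+* Why a dedicated service rather than raw `db.auditEvent.create`:
+* - Central place to coerce the `effectiveAbility` JSON field (which
+* accepts `unknown` at the call site) into the shape Prisma expects.
+* - Single typed vocabulary for `action` and `result` so spawn-path
+* and middleware stay aligned on what the audit log looks like.
+* - Single place to add downstream fanout (e.g. ship to an external
+* audit sink) without revisiting every call site.
+*
+* This service is intentionally thin. It is not a query API — read
+* access to `audit_events` is not exposed through a service in Phase
+* 1d because no code path reads it yet. When a read path is added
+* (e.g. a per-org audit log UI), extend this service rather than
+* sprinkling `db.auditEvent.findMany` across packages.
+*/
+/**
+* Typed discriminant for the `action` column. Keep this list in sync
+* with the call sites — adding a new action to the schema without
+* adding it here means the call site is stringly-typed.
+*/
+export type AuditAction = "delegation.mint" | "delegation.verify" | "delegation.revoke";
+/**
+* Typed discriminant for the `result` column. `allow` and `deny` are
+* the two normal outcomes; `error` is reserved for failures inside
+* the check itself (e.g. DB lookup failed) that are neither an
+* intentional deny nor a successful allow.
+*/
+export type AuditResult = "allow" | "deny" | "error";
+/**
+* Input shape for `AuditEventService.record`. Fields map one-to-one
+* to `audit_events` columns. `effectiveAbility` is typed `unknown`
+* because the captured rule set comes from `AppRawRule[]` on one side
+* and from arbitrary JSON-from-DB on the other; callers should pass
+* whatever they have and trust the service to coerce.
+*/
+export interface RecordAuditEventInput {
+agentRunId?: string | null;
+principalType: string;
+principalId: string;
+organizationId: string;
+action: AuditAction;
+subjectType?: string | null;
+subjectId?: string | null;
+effectiveAbility?: unknown;
+result: AuditResult;
+}
+export declare class AuditEventService {
+private db;
+constructor(db: PrismaClient);
+/**
+* Insert one row into `audit_events`. Never throws for a
+* non-present Prisma connection — audit writes must not break the
+* hot path. If the insert fails, the error is swallowed and logged;
+* the caller's main operation still succeeds.
+*
+* The rationale for fire-and-forget is that audit events are a
+* side-channel, not a correctness guarantee. A missing audit row is
+* a visibility problem, not a security hole — the security
+* guarantee comes from the actual authorization check, not from the
+* audit log that records its outcome. Making the hot path depend on
+* a successful audit write would add a failure mode that matters
+* more than the visibility signal it provides. Phase 1g's audit-
+* pipeline work can revisit this tradeoff.
+*/
+record(input: RecordAuditEventInput): Promise<void>;
+}
+//# sourceMappingURL=audit-event-service.d.ts.map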
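Review bot: The `record` docstring promises "Never throws for a non-present Prisma connection", which is narrower than what audit-event-service.js does: the `try`/`catch` there wraps the whole `create` call, so every insert failure is swallowed, including a payload Prisma rejects. Callers deciding whether they can rely on an audit row need the broader statement; suggest `Never rejects: any error from the insert is caught and logged, so a resolved promise does not mean a row was written.` The same docstring is duplicated in the .js file. Also, `principalType` is a bare `string` while `action` and `result` are closed unions, so the typed vocabulary the file header argues for does not cover the principal column.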
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"audit-event-service.d.ts","sourceRoot":"","sources":["../../src/services/audit-event-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAEnD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH;;;;GAIG;AACH,MAAM,MAAM,WAAW,GACnB,iBAAiB,GACjB,mBAAmB,GACnB,mBAAmB,CAAC;AAExB;;;;;GAKG;AACH,MAAM,MAAM,WAAW,GAAG,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;AAErD;;;;;;GAMG;AACH,MAAM,WAAW,qBAAqB;IACpC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,WAAW,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,MAAM,EAAE,WAAW,CAAC;CACrB;AAED,qBAAa,iBAAiB;IAChB,OAAO,CAAC,EAAE;gBAAF,EAAE,EAAE,YAAY;IAEpC;;;;;;;;;;;;;;OAcG;IACG,MAAM,CAAC,KAAK,EAAE,qBAAqB,GAAG,OAAO,CAAC,IAAI,CAAC;CA0B1D"}
|
|
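--- a/package/dist/services/audit-event-service.js
+++ b/package/dist/services/audit-event-service.js
@@ -0,0 +1,48 @@
+export class AuditEventService {
+db;
+constructor(db) {
+this.db = db;
+}
+/**
+* Insert one row into `audit_events`. Never throws for a
+* non-present Prisma connection — audit writes must not break the
+* hot path. If the insert fails, the error is swallowed and logged;
+* the caller's main operation still succeeds.
+*
+* The rationale for fire-and-forget is that audit events are a
+* side-channel, not a correctness guarantee. A missing audit row is
+* a visibility problem, not a security hole — the security
+* guarantee comes from the actual authorization check, not from the
+* audit log that records its outcome. Making the hot path depend on
+* a successful audit write would add a failure mode that matters
+* more than the visibility signal it provides. Phase 1g's audit-
+* pipeline work can revisit this tradeoff.
+*/
+async record(input) {
+try {
+await this.db.auditEvent.create({
+data: {
+agentRunId: input.agentRunId ?? null,
+principalType: input.principalType,
+principalId: input.principalId,
+organizationId: input.organizationId,
+action: input.action,
+subjectType: input.subjectType ?? null,
+subjectId: input.subjectId ?? null,
+// Prisma's Json? accepts a plain object or array; `unknown`
+// needs to be coerced to something Prisma recognizes. If the
+// caller passed nothing, default to `{}` to match the column
+// default.
+effectiveAbility: input.effectiveAbility ?? {},
+result: input.result,
+},
+});
+}
+catch (err) {
+// Intentionally swallow. See docstring above for rationale.
+// eslint-disable-next-line no-console
+console.error("[audit] failed to record event:", err);
+}
+}
+}
+//# sourceMappingURL=audit-event-service.js.map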
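Review bot: The `catch` in `record` logs only a fixed prefix and the error object, so when an insert fails nothing identifies which `delegation.mint`, `delegation.verify` or `delegation.revoke` event was lost, and a dropped `deny` cannot be told apart from a dropped `allow`. Because the method deliberately swallows failures, that log line is the only trace a responder has; include the identifying fields, e.g. `console.error("[audit] failed to record event:", { action: input.action, result: input.result, agentRunId: input.agentRunId ?? null, organizationId: input.organizationId }, err);`, and consider a failure counter so sustained audit loss can raise an alert. Note also that `input.effectiveAbility ?? {}` only supplies a default rather than coercing: a value Prisma cannot store as JSON would fail inside the `try` and take the whole event with it.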
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"audit-event-service.js","sourceRoot":"","sources":["../../src/services/audit-event-service.ts"],"names":[],"mappings":"AA+DA,MAAM,OAAO,iBAAiB;IACR;IAApB,YAAoB,EAAgB;QAAhB,OAAE,GAAF,EAAE,CAAc;IAAG,CAAC;IAExC;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,MAAM,CAAC,KAA4B;QACvC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC;gBAC9B,IAAI,EAAE;oBACJ,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;oBACpC,aAAa,EAAE,KAAK,CAAC,aAAa;oBAClC,WAAW,EAAE,KAAK,CAAC,WAAW;oBAC9B,cAAc,EAAE,KAAK,CAAC,cAAc;oBACpC,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;oBACtC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;oBAClC,4DAA4D;oBAC5D,6DAA6D;oBAC7D,6DAA6D;oBAC7D,WAAW;oBACX,gBAAgB,EACb,KAAK,CAAC,gBAA8C,IAAI,EAAE;oBAC7D,MAAM,EAAE,KAAK,CAAC,MAAM;iBACrB;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,4DAA4D;YAC5D,sCAAsC;YACtC,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,GAAG,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;CACF"}
|
|
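--- a/package/dist/services/delegation-cleanup-service.d.ts
+++ b/package/dist/services/delegation-cleanup-service.d.ts
@@ -0,0 +1,133 @@
+/**
+* Revocation cleanup (Phase 1d).
+*
+* Phase 1d's revocation story is "the AgentRun row is the source of
+* truth for whether a delegation token still works." The auth
+* middleware checks `AgentRun.status` on every delegation-token
+* verification — a status other than `pending` or `running` is a 401.
+* That check is only effective if something eventually flips the
+* status of revoked runs from `pending`/`running` to `cancelled`.
+* This module is that something.
+*
+* Revocation semantics
+* --------------------
+*
+* A run is revoked when the user who spawned it no longer has
+* authority to act in the run's organization. In practice today,
+* "authority" = "membership in the org", because that is the only
+* structural signal the `users` and `memberships` tables carry. A
+* future phase that adds a `users.deactivatedAt` column or a finer
+* suspension mechanism will grow this signal; for Phase 1d,
+* membership removal is both necessary and sufficient.
+*
+* The sweep cancels every `AgentRun` that satisfies:
+* - `status IN ('pending', 'running')`
+* - `invokedByUserId IS NOT NULL`
+* - no `memberships` row for (invokedByUserId, organizationId)
+*
+* API-key-authored runs (where `invokedByUserId` is null) are
+* ignored — they do not participate in the delegation flow.
+*
+* Why a sweep and not a hook
+* --------------------------
+*
+* The obvious alternative is "on membership delete, cancel matching
+* runs" — a database trigger or a Prisma extension. We do not do
+* this because (a) a trigger scatters the revocation logic across
+* the schema and the service layer, and (b) membership deletion is
+* not the only revocation path — a future role downgrade or a
+* push-based invalidation event should also feed into the same
+* cleanup surface. A periodic sweep that interrogates current state
+* is simpler, survives missed events, and is the pattern the repo
+* already uses for session expiry at
+* `packages/api/src/lib/session-store.ts:55`.
+*
+* Why fire-and-forget audit writes
+* --------------------------------
+*
+* Every cancellation writes a `delegation.revoke` audit event via
+* `AuditEventService.record`, which is itself fire-and-forget. A
+* missed audit row is a visibility problem, not a correctness
+* problem — the cancellation itself (the state transition on the
+* AgentRun row) is what enforces revocation.
+*/
+/**
+* Narrow DB surface required by `cancelOrphanedAgentRuns`. Satisfied
+* by a real `PrismaClient` — the narrow interface exists so the
+* function can be unit-tested with an in-memory fake that does not
+* need to satisfy the full Prisma type signature.
+*/
+export interface DelegationCleanupDb {
+agentRun: {
+findMany: (args: {
+where: {
+status: {
+in: string[];
+};
+invokedByUserId: {
+not: null;
+};
+};
+select: {
+id: true;
+organizationId: true;
+invokedByUserId: true;
+};
+}) => Promise<Array<{
+id: string;
+organizationId: string;
+invokedByUserId: string | null;
+}>>;
+updateMany: (args: {
+where: {
+id: {
+in: string[];
+};
+};
+data: {
+status: string;
+completedAt: Date;
+error: string;
+};
+}) => Promise<{
+count: number;
+}>;
+};
+membership: {
+findUnique: (args: {
+where: {
+userId_organizationId: {
+userId: string;
+organizationId: string;
+};
+};
+}) => Promise<{
+id: string;
+} | null>;
+};
+auditEvent: {
+create: (args: any) => Promise<any>;
+};
+}
+/**
+* Result shape for one sweep. `cancelledRunIds` is the authoritative
+* list of transitions; callers can log it and reconcile with
+* downstream state. `scannedCount` is the number of candidate runs
+* inspected — useful for monitoring how hot the hot path is.
+*/
+export interface CancelOrphanedAgentRunsResult {
+scannedCount: number;
+cancelledRunIds: string[];
+}
+/**
+* Run one revocation sweep against the given DB handle. Intended to
+* be called on a recurring interval — see
+* `packages/api/src/lib/delegation-cleanup.ts` for the scheduler.
+*
+* Never throws for an individual failed lookup or update — the sweep
+* logs and continues so a single bad row cannot starve the rest of
+* the backlog. The return value still reflects only the runs that
+* successfully transitioned.
+*/
+export declare function cancelOrphanedAgentRuns(db: DelegationCleanupDb): Promise<CancelOrphanedAgentRunsResult>;
+//# sourceMappingURL=delegation-cleanup-service.d.ts.map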
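Review bot: `DelegationCleanupDb.agentRun.updateMany` types its `where` as `{ id: { in: string[] } }` only, so the sweep cannot re-assert the `pending`/`running` filter at write time. A run that finishes between the `findMany` scan and the update would then have its `status`, `completedAt` and `error` overwritten by the cancellation, leaving a run record that no longer matches what actually happened. Widen the seam to `where: { id: { in: string[] }; status: { in: string[] } };` and pass the same status list in the update; the implementation's `updateMany` call lives in delegation-cleanup-service.js and is not fully visible here. The header comment should also state that a delegation token for a removed member keeps verifying until the next sweep runs, since the interval is defined in another package.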
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"delegation-cleanup-service.d.ts","sourceRoot":"","sources":["../../src/services/delegation-cleanup-service.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoDG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE;QACR,QAAQ,EAAE,CAAC,IAAI,EAAE;YACf,KAAK,EAAE;gBACL,MAAM,EAAE;oBAAE,EAAE,EAAE,MAAM,EAAE,CAAA;iBAAE,CAAC;gBACzB,eAAe,EAAE;oBAAE,GAAG,EAAE,IAAI,CAAA;iBAAE,CAAC;aAChC,CAAC;YACF,MAAM,EAAE;gBACN,EAAE,EAAE,IAAI,CAAC;gBACT,cAAc,EAAE,IAAI,CAAC;gBACrB,eAAe,EAAE,IAAI,CAAC;aACvB,CAAC;SACH,KAAK,OAAO,CACX,KAAK,CAAC;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,cAAc,EAAE,MAAM,CAAC;YAAC,eAAe,EAAE,MAAM,GAAG,IAAI,CAAA;SAAE,CAAC,CAC9E,CAAC;QACF,UAAU,EAAE,CAAC,IAAI,EAAE;YACjB,KAAK,EAAE;gBAAE,EAAE,EAAE;oBAAE,EAAE,EAAE,MAAM,EAAE,CAAA;iBAAE,CAAA;aAAE,CAAC;YAChC,IAAI,EAAE;gBACJ,MAAM,EAAE,MAAM,CAAC;gBACf,WAAW,EAAE,IAAI,CAAC;gBAClB,KAAK,EAAE,MAAM,CAAC;aACf,CAAC;SACH,KAAK,OAAO,CAAC;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAClC,CAAC;IACF,UAAU,EAAE;QACV,UAAU,EAAE,CAAC,IAAI,EAAE;YACjB,KAAK,EAAE;gBACL,qBAAqB,EAAE;oBAAE,MAAM,EAAE,MAAM,CAAC;oBAAC,cAAc,EAAE,MAAM,CAAA;iBAAE,CAAC;aACnE,CAAC;SACH,KAAK,OAAO,CAAC;YAAE,EAAE,EAAE,MAAM,CAAA;SAAE,GAAG,IAAI,CAAC,CAAC;KACtC,CAAC;IAUF,UAAU,EAAE;QAEV,MAAM,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;KACrC,CAAC;CACH;AAED;;;;;GAKG;AACH,MAAM,WAAW,6BAA6B;IAC5C,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;;;;;;;GASG;AACH,wBAAsB,uBAAuB,CAC3C,EAAE,EAAE,mBAAmB,GACtB,OAAO,CAAC,6BAA6B,CAAC,CAuGxC"}
|
|
@@ -0,0 +1,111 @@
|
|
|
1
|
+
import { AuditEventService } from "./audit-event-service.js";
|
|
2
|
+
/**
|
|
3
|
+
* Run one revocation sweep against the given DB handle. Intended to
|
|
4
|
+
* be called on a recurring interval — see
|
|
5
|
+
* `packages/api/src/lib/delegation-cleanup.ts` for the scheduler.
|
|
6
|
+
*
|
|
7
|
+
* Never throws for an individual failed lookup or update — the sweep
|
|
8
|
+
* logs and continues so a single bad row cannot starve the rest of
|
|
9
|
+
* the backlog. The return value still reflects only the runs that
|
|
10
|
+
* successfully transitioned.
|
|
11
|
+
*/
|
|
12
|
+
export async function cancelOrphanedAgentRuns(db) {
|
|
13
|
+
const candidates = await db.agentRun.findMany({
|
|
14
|
+
where: {
|
|
15
|
+
status: { in: ["pending", "running"] },
|
|
16
|
+
invokedByUserId: { not: null },
|
|
17
|
+
},
|
|
18
|
+
select: {
|
|
19
|
+
id: true,
|
|
20
|
+
organizationId: true,
|
|
21
|
+
invokedByUserId: true,
|
|
22
|
+
},
|
|
23
|
+
});
|
|
24
|
+
// Walk each candidate and check whether its invoking user still has
|
|
25
|
+
// a membership in the run's org. N+1 by design — the candidate set
|
|
26
|
+
// is small in steady state (only actively-pending agent runs) and
|
|
27
|
+
// the alternative (a single `NOT EXISTS (SELECT ... FROM
|
|
28
|
+
// memberships)` query) is not expressible through the narrow DB
|
|
29
|
+
// interface without either raw SQL or a much wider seam. Revisit
|
|
30
|
+
// if the candidate count ever grows to the thousands.
|
|
31
|
+
const orphanedIds = [];
|
|
32
|
+
for (const run of candidates) {
|
|
33
|
+
if (!run.invokedByUserId)
|
|
34
|
+
continue;
|
|
35
|
+
try {
|
|
36
|
+
const membership = await db.membership.findUnique({
|
|
37
|
+
where: {
|
|
38
|
+
userId_organizationId: {
|
|
39
|
+
userId: run.invokedByUserId,
|
|
40
|
+
organizationId: run.organizationId,
|
|
41
|
+
},
|
|
42
|
+
},
|
|
43
|
+
});
|
|
44
|
+
if (!membership) {
|
|
45
|
+
orphanedIds.push(run.id);
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
catch (err) {
|
|
49
|
+
// eslint-disable-next-line no-console
|
|
50
|
+
console.error(`[delegation-cleanup] membership lookup failed for run ${run.id}:`, err);
|
|
51
|
+
}
|
|
52
|
+
}
|
|
53
|
+
if (orphanedIds.length === 0) {
|
|
54
|
+
return { scannedCount: candidates.length, cancelledRunIds: [] };
|
|
55
|
+
}
|
|
56
|
+
// One bulk update transitions all orphaned runs to cancelled. This
|
|
57
|
+
// is idempotent — if a concurrent sweep cancelled the same runs
|
|
58
|
+
// first, the updateMany still succeeds (0 rows updated) and the
|
|
59
|
+
// audit write below still fires for this sweep. The idempotency
|
|
60
|
+
// matters because Phase 1d runs this in-process inside Cloud Run,
|
|
61
|
+
// and multiple Cloud Run instances sweep concurrently.
|
|
62
|
+
let updateResult;
|
|
63
|
+
try {
|
|
64
|
+
updateResult = await db.agentRun.updateMany({
|
|
65
|
+
where: { id: { in: orphanedIds } },
|
|
66
|
+
data: {
|
|
67
|
+
status: "cancelled",
|
|
68
|
+
completedAt: new Date(),
|
|
69
|
+
error: "Revoked: user no longer has membership in organization",
|
|
70
|
+
},
|
|
71
|
+
});
|
|
72
|
+
}
|
|
73
|
+
catch (err) {
|
|
74
|
+
// eslint-disable-next-line no-console
|
|
75
|
+
console.error("[delegation-cleanup] bulk cancel failed:", err);
|
|
76
|
+
return { scannedCount: candidates.length, cancelledRunIds: [] };
|
|
77
|
+
}
|
|
78
|
+
// Record one audit event per cancellation. We have the run
|
|
79
|
+
// metadata from the earlier findMany — rebuild the map so each
|
|
80
|
+
// audit row carries the correct organizationId and invokedByUserId
|
|
81
|
+
// without a second round-trip.
|
|
82
|
+
//
|
|
83
|
+
// The audit service normally takes a PrismaClient. Here we bridge
|
|
84
|
+
// via the narrow DB interface: we construct a tiny adapter that
|
|
85
|
+
// forwards to the cleanup DB's auditEvent.create.
|
|
86
|
+
const auditAdapter = {
|
|
87
|
+
auditEvent: db.auditEvent,
|
|
88
|
+
};
|
|
89
|
+
const audit = new AuditEventService(auditAdapter);
|
|
90
|
+
const runById = new Map(candidates.map((r) => [r.id, r]));
|
|
91
|
+
for (const id of orphanedIds) {
|
|
92
|
+
const run = runById.get(id);
|
|
93
|
+
if (!run)
|
|
94
|
+
continue;
|
|
95
|
+
void audit.record({
|
|
96
|
+
agentRunId: id,
|
|
97
|
+
principalType: "system",
|
|
98
|
+
principalId: "delegation-cleanup",
|
|
99
|
+
organizationId: run.organizationId,
|
|
100
|
+
action: "delegation.revoke",
|
|
101
|
+
subjectType: "AgentRun",
|
|
102
|
+
subjectId: id,
|
|
103
|
+
result: "allow",
|
|
104
|
+
});
|
|
105
|
+
}
|
|
106
|
+
return {
|
|
107
|
+
scannedCount: candidates.length,
|
|
108
|
+
cancelledRunIds: orphanedIds.slice(0, updateResult.count),
|
|
109
|
+
};
|
|
110
|
+
}
|
|
111
|
+
//# sourceMappingURL=delegation-cleanup-service.js.map
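Review bot: The `updateMany` in `cancelOrphanedAgentRuns` filters only on `id: { in: orphanedIds }`, so a run that reached a terminal state between the `findMany` scan and the bulk update would have its `status`, `completedAt` and `error` overwritten with the revocation values. As written it also does not match the comment above it: a second concurrent sweep would rewrite the same rows rather than see "0 rows updated". Re-assert the precondition in the write itself, `where: { id: { in: orphanedIds }, status: { in: ["pending", "running"] } },`; the `DelegationCleanupDb` interface is declared outside this hunk and may need widening for that. Once the guard is in place `updateResult.count` can be smaller than `orphanedIds.length`, so `orphanedIds.slice(0, updateResult.count)` would return the first N ids rather than the ones this sweep changed. The `void audit.record(...)` loop would likewise still write a `delegation.revoke` event for every id, so both should be driven by the rows actually transitioned to keep duplicate or false revocations out of the audit trail.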
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"delegation-cleanup-service.js","sourceRoot":"","sources":["../../src/services/delegation-cleanup-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAuH7D;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,EAAuB;IAEvB,MAAM,UAAU,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5C,KAAK,EAAE;YACL,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE;YACtC,eAAe,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE;SAC/B;QACD,MAAM,EAAE;YACN,EAAE,EAAE,IAAI;YACR,cAAc,EAAE,IAAI;YACpB,eAAe,EAAE,IAAI;SACtB;KACF,CAAC,CAAC;IAEH,oEAAoE;IACpE,mEAAmE;IACnE,kEAAkE;IAClE,yDAAyD;IACzD,gEAAgE;IAChE,iEAAiE;IACjE,sDAAsD;IACtD,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,IAAI,CAAC,GAAG,CAAC,eAAe;YAAE,SAAS;QACnC,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;gBAChD,KAAK,EAAE;oBACL,qBAAqB,EAAE;wBACrB,MAAM,EAAE,GAAG,CAAC,eAAe;wBAC3B,cAAc,EAAE,GAAG,CAAC,cAAc;qBACnC;iBACF;aACF,CAAC,CAAC;YACH,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,sCAAsC;YACtC,OAAO,CAAC,KAAK,CACX,yDAAyD,GAAG,CAAC,EAAE,GAAG,EAClE,GAAG,CACJ,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,YAAY,EAAE,UAAU,CAAC,MAAM,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;IAClE,CAAC;IAED,mEAAmE;IACnE,gEAAgE;IAChE,gEAAgE;IAChE,gEAAgE;IAChE,kEAAkE;IAClE,uDAAuD;IACvD,IAAI,YAA+B,CAAC;IACpC,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;YAC1C,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE;YAClC,IAAI,EAAE;gBACJ,MAAM,EAAE,WAAW;gBACnB,WAAW,EAAE,IAAI,IAAI,EAAE;gBACvB,KAAK,EAAE,wDAAwD;aAChE;SACF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,sCAAsC;QACtC,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,GAAG,CAAC,CAAC;QAC/D,OAAO,EAAE,YAAY,EAAE,UAAU,CAAC,MAAM,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;IAClE,CAAC;IAED,2DAA2D;IAC3D,+DAA+D;IAC/D,mEAAmE;IACnE,+BAA+B;IAC/B,EAAE;IACF,kEAAkE;IAClE,gEAAgE;IAChE,kDAAkD;IAClD,MAAM,YAAY,GAAG;QACnB,UAAU,EAAE,EAAE,CAAC,UAAU;KACuC,CAAC;IACnE,MAAM,KAAK
,GAAG,IAAI,iBAAiB,CAAC,YAAY,CAAC,CAAC;IAElD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1D,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC5B,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,KAAK,KAAK,CAAC,MAAM,CAAC;YAChB,UAAU,EAAE,EAAE;YACd,aAAa,EAAE,QAAQ;YACvB,WAAW,EAAE,oBAAoB;YACjC,cAAc,EAAE,GAAG,CAAC,cAAc;YAClC,MAAM,EAAE,mBAAmB;YAC3B,WAAW,EAAE,UAAU;YACvB,SAAS,EAAE,EAAE;YACb,MAAM,EAAE,OAAO;SAChB,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,YAAY,EAAE,UAAU,CAAC,MAAM;QAC/B,eAAe,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,KAAK,CAAC;KAC1D,CAAC;AACJ,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"edge-service.d.ts","sourceRoot":"","sources":["../../src/services/edge-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAU,MAAM,gBAAgB,CAAC;AAC3D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAwB,KAAK,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAE3E,qBAAa,WAAW;IAGV,OAAO,CAAC,EAAE;IAFtB,OAAO,CAAC,SAAS,CAAgB;gBAEb,EAAE,EAAE,YAAY,EAAE,SAAS,CAAC,EAAE,aAAa;IAIzD,MAAM,CAAC,KAAK,EAAE;QAClB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,CAAC;QACrB,gBAAgB,EAAE,MAAM,CAAC;QACzB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACnC,SAAS,EAAE,MAAM,CAAC;KACnB,GAAG,OAAO,CAAC,IAAI,CAAC;IAcX,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAS5C,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,SAAI,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;
|
|
1
|
+
{"version":3,"file":"edge-service.d.ts","sourceRoot":"","sources":["../../src/services/edge-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAU,MAAM,gBAAgB,CAAC;AAC3D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAwB,KAAK,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAE3E,qBAAa,WAAW;IAGV,OAAO,CAAC,EAAE;IAFtB,OAAO,CAAC,SAAS,CAAgB;gBAEb,EAAE,EAAE,YAAY,EAAE,SAAS,CAAC,EAAE,aAAa;IAIzD,MAAM,CAAC,KAAK,EAAE;QAClB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,CAAC;QACrB,gBAAgB,EAAE,MAAM,CAAC;QACzB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACnC,SAAS,EAAE,MAAM,CAAC;KACnB,GAAG,OAAO,CAAC,IAAI,CAAC;IAcX,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAS5C,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,SAAI,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAwC5D,qBAAqB,IAAI,OAAO,CACpC;QAAE,gBAAgB,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,EAAE,CAC9C;IAWK,UAAU,CACd,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC;IAQZ,MAAM,CACV,EAAE,EAAE,MAAM,EACV,KAAK,EAAE;QAAE,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,GACxF,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;IAejB,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAQ3C"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"edge-service.js","sourceRoot":"","sources":["../../src/services/edge-service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,oBAAoB,EAAsB,MAAM,iBAAiB,CAAC;AAE3E,MAAM,OAAO,WAAW;IAGF;IAFZ,SAAS,CAAgB;IAEjC,YAAoB,EAAgB,EAAE,SAAyB;QAA3C,OAAE,GAAF,EAAE,CAAc;QAClC,IAAI,CAAC,SAAS,GAAG,SAAS,IAAI,EAAE,cAAc,EAAE,oBAAoB,EAAE,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAOZ;QACC,OAAO,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YACzB,IAAI,EAAE;gBACJ,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;gBACxC,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG;gBAC3B,QAAQ,EAAE,CAAC,KAAK,CAAC,QAAQ,IAAI,EAAE,CAA0B;gBACzD,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc;aAC9C;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,MAAc;QAC9B,OAAO,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;YAC3B,KAAK,EAAE;gBACL,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc;gBAC7C,EAAE,EAAE,CAAC,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;aACzD;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,MAAc,EAAE,KAAK,GAAG,CAAC;QAC5C,4BAA4B;QAC5B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QACjD,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;QAEtC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,YAAY,KAAK,MAAM;gBAAE,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACrE,IAAI,IAAI,CAAC,YAAY,KAAK,MAAM;gBAAE,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACvE,CAAC;QAED,IAAI,KAAK,IAAI,CAAC;YAAE,OAAO,CAAC,GAAG,WAAW,CAAC,CAAC;QAExC,4CAA4C;QAC5C,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1C,IAAI,QAAQ,GAAG,CAAC,GAAG,WAAW,CAAC,CAAC;QAEhC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC;YAC/B,MAAM,YAAY,GAAa,EAAE,CAAC;YAClC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;gBAC3B,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAC/B,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACjB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;gBAC3C,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;oBAC1B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC;wBACjC,YAAY,CAAC,IAAI,CAAC,IAAI,
CAAC,YAAY,CAAC,CAAC;oBACvC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC;wBACjC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;gBACzC,CAAC;YACH,CAAC;YACD,QAAQ,GAAG,YAAY,CAAC;QAC1B,CAAC;QAED,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACvB,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,qBAAqB;QAGzB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;YACxC,EAAE,EAAE,CAAC,kBAAkB,CAAC;YACxB,MAAM,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE;SACnC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACxB,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;YACpC,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,gBAAgB;SACjC,CAAC,CAAC,CAAC;IACN,CAAC;IAED,KAAK,CAAC,UAAU,CACd,QAAgB,EAChB,MAAc;QAEd,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;YAC3C,KAAK,EAAE,EAAE,gBAAgB,EAAE,QAAQ,EAAE;YACrC,IAAI,EAAE,EAAE,gBAAgB,EAAE,MAAM,EAAE;SACnC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,KAAK,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,MAAM,CACV,EAAU,EACV,KAAyF;QAEzF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;YAC5C,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE;SAC7D,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC3B,OAAO,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YACzB,KAAK,EAAE,EAAE,EAAE,EAAE;YACb,IAAI,EAAE;gBACJ,GAAG,CAAC,KAAK,CAAC,gBAAgB,KAAK,SAAS,IAAI,EAAE,gBAAgB,EAAE,KAAK,CAAC,gBAAgB,EAAE,CAAC;gBACzF,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC;gBAC3D,GAAG,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAiC,EAAE,CAAC;aAC3F;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;YAC7C,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF"}
|
|
1
|
+
{"version":3,"file":"edge-service.js","sourceRoot":"","sources":["../../src/services/edge-service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,oBAAoB,EAAsB,MAAM,iBAAiB,CAAC;AAE3E,MAAM,OAAO,WAAW;IAGF;IAFZ,SAAS,CAAgB;IAEjC,YAAoB,EAAgB,EAAE,SAAyB;QAA3C,OAAE,GAAF,EAAE,CAAc;QAClC,IAAI,CAAC,SAAS,GAAG,SAAS,IAAI,EAAE,cAAc,EAAE,oBAAoB,EAAE,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAOZ;QACC,OAAO,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YACzB,IAAI,EAAE;gBACJ,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;gBACxC,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG;gBAC3B,QAAQ,EAAE,CAAC,KAAK,CAAC,QAAQ,IAAI,EAAE,CAA0B;gBACzD,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc;aAC9C;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,MAAc;QAC9B,OAAO,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;YAC3B,KAAK,EAAE;gBACL,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc;gBAC7C,EAAE,EAAE,CAAC,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;aACzD;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,MAAc,EAAE,KAAK,GAAG,CAAC;QAC5C,4BAA4B;QAC5B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QACjD,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;QAEtC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,YAAY,KAAK,MAAM;gBAAE,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACrE,IAAI,IAAI,CAAC,YAAY,KAAK,MAAM;gBAAE,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACvE,CAAC;QAED,IAAI,KAAK,IAAI,CAAC;YAAE,OAAO,CAAC,GAAG,WAAW,CAAC,CAAC;QAExC,4CAA4C;QAC5C,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1C,IAAI,QAAQ,GAAG,CAAC,GAAG,WAAW,CAAC,CAAC;QAEhC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC;YAC/B,MAAM,YAAY,GAAa,EAAE,CAAC;YAClC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;gBAC3B,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAC/B,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACjB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;gBAC3C,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;oBAC1B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC;wBACjC,YAAY,CAAC,IAAI,CAAC,IAAI,
CAAC,YAAY,CAAC,CAAC;oBACvC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC;wBACjC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;gBACzC,CAAC;YACH,CAAC;YACD,QAAQ,GAAG,YAAY,CAAC;QAC1B,CAAC;QAED,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACnB,CAAC;QAED,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACvB,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,qBAAqB;QAGzB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;YACxC,EAAE,EAAE,CAAC,kBAAkB,CAAC;YACxB,MAAM,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE;SACnC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACxB,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;YACpC,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,gBAAgB;SACjC,CAAC,CAAC,CAAC;IACN,CAAC;IAED,KAAK,CAAC,UAAU,CACd,QAAgB,EAChB,MAAc;QAEd,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;YAC3C,KAAK,EAAE,EAAE,gBAAgB,EAAE,QAAQ,EAAE;YACrC,IAAI,EAAE,EAAE,gBAAgB,EAAE,MAAM,EAAE;SACnC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,KAAK,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,MAAM,CACV,EAAU,EACV,KAAyF;QAEzF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;YAC5C,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE;SAC7D,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC3B,OAAO,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YACzB,KAAK,EAAE,EAAE,EAAE,EAAE;YACb,IAAI,EAAE;gBACJ,GAAG,CAAC,KAAK,CAAC,gBAAgB,KAAK,SAAS,IAAI,EAAE,gBAAgB,EAAE,KAAK,CAAC,gBAAgB,EAAE,CAAC;gBACzF,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC;gBAC3D,GAAG,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAiC,EAAE,CAAC;aAC3F;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;YAC7C,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF"}
|
|
@@ -1,11 +1,26 @@
|
|
|
1
1
|
import type { PrismaClient } from "@prisma/client";
|
|
2
2
|
export interface OrgAgentTypeRecord {
|
|
3
|
+
/**
|
|
4
|
+
* The DB primary key. Needed by the Phase 1d spawn path to populate
|
|
5
|
+
* `AgentRun.agentId` so every run is linked back to the agent type
|
|
6
|
+
* it was spawned as.
|
|
7
|
+
*/
|
|
8
|
+
id: string;
|
|
3
9
|
slug: string;
|
|
4
10
|
label: string;
|
|
5
11
|
description: string;
|
|
6
12
|
prompt: string;
|
|
7
13
|
defaultTimeoutMinutes: number;
|
|
8
14
|
isBuiltinOverride: boolean;
|
|
15
|
+
/**
|
|
16
|
+
* Raw CASL rule set (an array of `AppRawRule`) stored as JSON. Phase 1c
|
|
17
|
+
* added the column with a `{}` empty-object default, so rows that were
|
|
18
|
+
* created before Phase 1d wires the value for real will surface that
|
|
19
|
+
* object here. Callers that consume `intrinsicPolicy` MUST handle the
|
|
20
|
+
* non-array case — the Phase 1d intersect helper and spawn path treat
|
|
21
|
+
* anything that is not an array as "no rules" (deny-by-default).
|
|
22
|
+
*/
|
|
23
|
+
intrinsicPolicy: unknown;
|
|
9
24
|
createdBy: string;
|
|
10
25
|
createdAt: Date;
|
|
11
26
|
updatedAt: Date;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"org-agent-type-service.d.ts","sourceRoot":"","sources":["../../src/services/org-agent-type-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAEnD,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,qBAAqB,EAAE,MAAM,CAAC;IAC9B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC;
|
|
1
|
+
{"version":3,"file":"org-agent-type-service.d.ts","sourceRoot":"","sources":["../../src/services/org-agent-type-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAEnD,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,qBAAqB,EAAE,MAAM,CAAC;IAC9B,iBAAiB,EAAE,OAAO,CAAC;IAC3B;;;;;;;OAOG;IACH,eAAe,EAAE,OAAO,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC;AAoBD,qBAAa,mBAAmB;IAClB,OAAO,CAAC,EAAE;gBAAF,EAAE,EAAE,YAAY;IAE9B,IAAI,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAQ3D,SAAS,CAAC,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAOnF,MAAM,CACV,cAAc,EAAE,MAAM,EACtB,KAAK,EAAE,uBAAuB,EAC9B,YAAY,EAAE,MAAM,EAAE,GACrB,OAAO,CAAC,kBAAkB,CAAC;IAoCxB,MAAM,CACV,cAAc,EAAE,MAAM,EACtB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,uBAAuB,GAC7B,OAAO,CAAC,kBAAkB,CAAC;IAcxB,MAAM,CAAC,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAUrE"}
|
|
@@ -1,12 +1,14 @@
|
|
|
1
1
|
const SLUG_REGEX = /^[a-z][a-z0-9-]*$/;
|
|
2
2
|
function toRecord(row) {
|
|
3
3
|
return {
|
|
4
|
+
id: row.id,
|
|
4
5
|
slug: row.slug,
|
|
5
6
|
label: row.label,
|
|
6
7
|
description: row.description,
|
|
7
8
|
prompt: row.prompt,
|
|
8
9
|
defaultTimeoutMinutes: row.defaultTimeoutMinutes,
|
|
9
10
|
isBuiltinOverride: row.isBuiltinOverride,
|
|
11
|
+
intrinsicPolicy: row.intrinsicPolicy,
|
|
10
12
|
createdBy: row.createdBy,
|
|
11
13
|
createdAt: row.createdAt,
|
|
12
14
|
updatedAt: row.updatedAt,
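Review bot: `intrinsicPolicy: row.intrinsicPolicy` in `toRecord` hands the stored JSON column to every caller unchanged, so the deny-by-default rule stated in the `OrgAgentTypeRecord` doc comment (anything that is not an array means "no rules") has to be re-implemented by each consumer. Normalising once at this boundary would keep a forgotten check from becoming a permissive path: `intrinsicPolicy: Array.isArray(row.intrinsicPolicy) ? row.intrinsicPolicy : [],`. If the raw value has to stay visible for the pre-Phase-1d rows, a comment on this line such as `// unvalidated policy JSON: callers must treat non-arrays as no rules` would at least put the contract next to the code. `toRecord` continues past the end of this hunk.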
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"org-agent-type-service.js","sourceRoot":"","sources":["../../src/services/org-agent-type-service.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"org-agent-type-service.js","sourceRoot":"","sources":["../../src/services/org-agent-type-service.ts"],"names":[],"mappings":"AA8CA,MAAM,UAAU,GAAG,mBAAmB,CAAC;AAEvC,SAAS,QAAQ,CAAC,GAAQ;IACxB,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,qBAAqB,EAAE,GAAG,CAAC,qBAAqB;QAChD,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;QACxC,eAAe,EAAE,GAAG,CAAC,eAAe;QACpC,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,SAAS,EAAE,GAAG,CAAC,SAAS;KACzB,CAAC;AACJ,CAAC;AAED,MAAM,OAAO,mBAAmB;IACV;IAApB,YAAoB,EAAgB;QAAhB,OAAE,GAAF,EAAE,CAAc;IAAG,CAAC;IAExC,KAAK,CAAC,IAAI,CAAC,cAAsB;QAC/B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC;YAC/C,KAAK,EAAE,EAAE,cAAc,EAAE;YACzB,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE;SACzB,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,cAAsB,EAAE,IAAY;QAClD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC;YAChD,KAAK,EAAE,EAAE,mBAAmB,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,EAAE;SACzD,CAAC,CAAC;QACH,OAAO,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,MAAM,CACV,cAAsB,EACtB,KAA8B,EAC9B,YAAsB;QAEtB,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACpF,MAAM,IAAI,KAAK,CAAC,wFAAwF,CAAC,CAAC;QAC5G,CAAC;QAED,MAAM,UAAU,GAAG,KAAK,CAAC,iBAAiB,IAAI,KAAK,CAAC;QACpD,IAAI,UAAU,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CAAC,oBAAoB,KAAK,CAAC,IAAI,8BAA8B,CAAC,CAAC;QAChF,CAAC;QACD,IAAI,CAAC,UAAU,IAAI,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CAAC,SAAS,KAAK,CAAC,IAAI,+EAA+E,CAAC,CAAC;QACtH,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;YAC5C,KAAK,EAAE,EAAE,mBAAmB,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,EAAE;YACpE,MAAM,EAAE;gBACN,cAAc;gBACd,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,K
AAK,EAAE,KAAK,CAAC,KAAK;gBAClB,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,EAAE;gBACpC,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,qBAAqB,EAAE,KAAK,CAAC,qBAAqB,IAAI,EAAE;gBACxD,iBAAiB,EAAE,UAAU;gBAC7B,SAAS,EAAE,KAAK,CAAC,SAAS;aAC3B;YACD,MAAM,EAAE;gBACN,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,EAAE;gBACpC,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,qBAAqB,EAAE,KAAK,CAAC,qBAAqB,IAAI,EAAE;gBACxD,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB;SACF,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,MAAM,CACV,cAAsB,EACtB,IAAY,EACZ,KAA8B;QAE9B,MAAM,IAAI,GAAwB,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;QAC5D,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS;YAAE,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;QACxD,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS;YAAE,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC;QAC1E,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS;YAAE,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;QAC3D,IAAI,KAAK,CAAC,qBAAqB,KAAK,SAAS;YAAE,IAAI,CAAC,qBAAqB,GAAG,KAAK,CAAC,qBAAqB,CAAC;QAExG,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;YAC5C,KAAK,EAAE,EAAE,mBAAmB,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,EAAE;YACxD,IAAI;SACL,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,cAAsB,EAAE,IAAY;QAC/C,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;gBAChC,KAAK,EAAE,EAAE,mBAAmB,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,EAAE;aACzD,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF"}
|