@apralabs/apra-fleet 0.2.2

package/dist/tools/provision-auth.js

@@ -0,0 +1,256 @@
+import { z } from 'zod';
+import fs from 'node:fs';
+import os from 'node:os';
+import { getStrategy } from '../services/strategy.js';
+import { getOsCommands } from '../os/index.js';
+import { getProvider } from '../providers/index.js';
+import { escapeDoubleQuoted } from '../utils/shell-escape.js';
+import { getAgentOS, touchAgent } from '../utils/agent-helpers.js';
+import { memberIdentifier, resolveMember } from '../utils/resolve-member.js';
+import { validateCredentials, credentialStatusNote } from '../utils/credential-validation.js';
+import { credentialResolve } from '../services/credential-store.js';
+import { encryptPassword, decryptPassword } from '../utils/crypto.js';
+import { updateAgent } from '../services/registry.js';
+import { collectOobApiKey } from '../services/auth-socket.js';
+import { logLine } from '../utils/log-helpers.js';
+export const provisionAuthSchema = z.object({
+    ...memberIdentifier,
+    api_key: z.string().optional().describe(`Your AI provider API key. If omitted, your local OAuth session is copied to the member instead. Supports {{secure.NAME}} token — value is resolved from the credential store before use.`),
+});
+/**
+ * Real auth check via `claude -p "hello"` — makes an actual API call.
+ * This is the only reliable validation for both OAuth and API key auth,
+ * since `claude auth status` doesn't actually validate API keys.
+ * Claude-only: other providers use a version check for verification.
+ */
+async function verifyWithClaudePrompt(agent, envPrefix) {
+    const cmds = getOsCommands(getAgentOS(agent));
+    const provider = getProvider('claude');
+    const strategy = getStrategy(agent);
+    const escapedFolder = escapeDoubleQuoted(agent.workFolder);
+    const prefix = envPrefix ? `${envPrefix} ` : '';
+    const cmd = `cd "${escapedFolder}" && ${prefix}${cmds.agentCommand(provider, '-p "hello" --output-format json --max-turns 1')}`;
+    try {
+        const result = await strategy.execCommand(cmd, 60000);
+        return result.code === 0;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Version-based CLI check with optional env prefix.
+ * Used to verify non-Claude providers after API key provisioning.
+ */
+async function verifyWithVersion(agent, provider, envPrefix) {
+    const cmds = getOsCommands(getAgentOS(agent));
+    const strategy = getStrategy(agent);
+    const prefix = envPrefix ? `${envPrefix} ` : '';
+    const cmd = `${prefix}${cmds.agentVersion(provider)}`;
+    try {
+        const result = await strategy.execCommand(cmd, 30000);
+        return result.code === 0;
+    }
+    catch {
+        return false;
+    }
+}
+// ---------------------------------------------------------------------------
+// Flow A: Copy OAuth credentials using the provider interface
+// ---------------------------------------------------------------------------
+async function provisionOAuthCopy(agent, provider) {
+    const cmds = getOsCommands(getAgentOS(agent));
+    const strategy = getStrategy(agent);
+    const credentialFiles = provider.oauthCredentialFiles();
+    if (!credentialFiles || credentialFiles.length === 0) {
+        return `❌ Provider "${provider.name}" does not support OAuth credential copy.`;
+    }
+    // 1. Copy credential files
+    let credStatus = null;
+    for (const file of credentialFiles) {
+        try {
+            const localPath = file.localPath.replace('~', os.homedir());
+            if (fs.existsSync(localPath)) {
+                const content = fs.readFileSync(localPath, 'utf-8');
+                // Validate credentials before sending
+                if (file.localPath.includes('.json')) {
+                    credStatus = validateCredentials(content);
+                    if (credStatus?.status === 'expired-no-refresh') {
+                        return `❌ OAuth token in ${file.localPath} is expired with no refresh token.
+`
+                            + `  Run /login in your ${provider.name} session, then re-run provision_llm_auth.`;
+                    }
+                }
+                const result = await strategy.execCommand(cmds.credentialFileWrite(content, file.remotePath), 10000);
+                if (result.code !== 0 && result.stderr) {
+                    return `❌ Failed to write ${file.remotePath} on "${agent.friendlyName}": ${result.stderr}`;
+                }
+            }
+            else {
+                return `❌ Could not find local credential file: ${localPath}`;
+            }
+        }
+        catch (err) {
+            return `❌ Failed to copy ${file.localPath} to "${agent.friendlyName}": ${err.message}`;
+        }
+    }
+    // 2. Merge settings
+    const mergeObj = provider.oauthSettingsMerge();
+    if (mergeObj) {
+        const settingsFile = credentialFiles.find(f => f.remotePath.includes('settings.json'));
+        const remoteSettingsPath = settingsFile ? settingsFile.remotePath : `${provider.credentialPath.replace(/\/$/, '')}/settings.json`;
+        try {
+            const result = await strategy.execCommand(cmds.deepMergeJson(remoteSettingsPath, mergeObj), 10000);
+            if (result.code !== 0 && result.stderr) {
+                return `❌ Failed to merge settings on "${agent.friendlyName}": ${result.stderr}`;
+            }
+        }
+        catch (err) {
+            return `❌ Failed to merge settings on "${agent.friendlyName}": ${err.message}`;
+        }
+    }
+    // 3. Unset env vars
+    const varsToUnset = provider.oauthEnvVarsToUnset() ?? [];
+    for (const envVar of varsToUnset) {
+        const unsetCmds = cmds.unsetEnv(envVar);
+        for (const cmd of unsetCmds) {
+            // Best effort, fire and forget
+            await strategy.execCommand(cmd, 15000).catch(() => { });
+        }
+    }
+    // 4. Verify auth
+    const authWorks = provider.name === 'claude'
+        ? await verifyWithClaudePrompt(agent)
+        : await verifyWithVersion(agent, provider);
+    touchAgent(agent.id);
+    const statusNote = credentialStatusNote(credStatus);
+    const suffix = statusNote ? `\n  ${statusNote}` : '';
+    if (authWorks) {
+        return `✅ OAuth credentials for ${provider.name} deployed to "${agent.friendlyName}"
+`
+            + `  Auth: verified with a successful ${provider.name} API call.${suffix}`;
+    }
+    return `⚠️ ${provider.name} OAuth credentials deployed to "${agent.friendlyName}" but could not verify auth.
+`
+        + `  Credential files were written — try running a prompt to confirm.${suffix}`;
+}
+// ---------------------------------------------------------------------------
+// Flow B — API Key Override (all providers)
+// ---------------------------------------------------------------------------
+async function provisionApiKey(agent, apiKey, provider) {
+    const cmds = getOsCommands(getAgentOS(agent));
+    const strategy = getStrategy(agent);
+    const envVarName = provider.authEnvVarForToken(apiKey);
+    const commands = cmds.setEnv(envVarName, apiKey);
+    const errors = [];
+    for (const cmd of commands) {
+        try {
+            const result = await strategy.execCommand(cmd, 15000);
+            if (result.code !== 0 && result.stderr) {
+                errors.push(`Command "${cmd.substring(0, 40)}..." stderr: ${result.stderr}`);
+            }
+        }
+        catch (err) {
+            errors.push(`Command failed: ${err.message}`);
+        }
+    }
+    // Store encrypted API key in the agent's registry entry
+    updateAgent(agent.id, {
+        encryptedEnvVars: { ...agent.encryptedEnvVars, [envVarName]: encryptPassword(apiKey) },
+    });
+    // Verify the key was persisted in a new shell
+    let verified = false;
+    try {
+        const verifyResult = await strategy.execCommand(cmds.apiKeyCheck(envVarName), 10000);
+        verified = verifyResult.stdout.trim().length > 5;
+    }
+    catch {
+        // May still work after re-login
+    }
+    // Verify with a real CLI call
+    const envPrefix = cmds.envPrefix(envVarName, apiKey);
+    const authWorks = provider.name === 'claude'
+        ? await verifyWithClaudePrompt(agent, envPrefix)
+        : await verifyWithVersion(agent, provider, envPrefix);
+    touchAgent(agent.id);
+    let result = '';
+    if (errors.length === 0) {
+        result += `✅ API key provisioned on "${agent.friendlyName}"
+`;
+    }
+    else {
+        result += `⚠️ API key provisioned with some issues on "${agent.friendlyName}":
+`;
+        for (const e of errors) {
+            result += `  - ${e}
+`;
+        }
+    }
+    result += `
+  Environment: ${envVarName} set in shell profiles and stored in member config
+`;
+    result += `  Verification: ${verified ? 'Key visible in new shell' : 'Key will be available after re-login'}
+`;
+    result += `  Auth test: ${authWorks ? `${provider.name} CLI authenticated successfully` : 'Could not verify — may need to re-login'}
+`;
+    return result;
+}
+// ---------------------------------------------------------------------------
+// Entry point
+// ---------------------------------------------------------------------------
+export async function provisionAuth(input) {
+    const agentOrError = resolveMember(input.member_id, input.member_name);
+    if (typeof agentOrError === 'string')
+        return agentOrError;
+    const agent = agentOrError;
+    if (agent.agentType === 'local') {
+        return `⏭️ Skipping "${agent.friendlyName}" — local members use this machine's credentials directly.`;
+    }
+    const strategy = getStrategy(agent);
+    const conn = await strategy.testConnection();
+    if (!conn.ok) {
+        return `❌ Member "${agent.friendlyName}" is offline: ${conn.error}`;
+    }
+    const provider = getProvider(agent.llmProvider);
+    // Flow B: API key is provided directly
+    if (input.api_key) {
+        const TOKEN_RE = /\{\{secure\.([a-zA-Z0-9_-]{1,64})\}\}/g;
+        const tokenNames = new Set();
+        let match;
+        while ((match = TOKEN_RE.exec(input.api_key)) !== null)
+            tokenNames.add(match[1]);
+        let resolvedKey = input.api_key;
+        for (const name of tokenNames) {
+            const entry = credentialResolve(name, agent.friendlyName);
+            if (!entry)
+                return `❌ Credential "${name}" not found. Run credential_store_set first.`;
+            if ('denied' in entry)
+                return `❌ ${entry.denied}`;
+            if ('expired' in entry)
+                return `❌ ${entry.expired}`;
+            resolvedKey = resolvedKey.replaceAll(`{{secure.${name}}}`, entry.plaintext);
+        }
+        const result = await provisionApiKey(agent, resolvedKey, provider);
+        if (!result.startsWith('❌'))
+            logLine('provision_llm_auth', `provider=${provider.name}`, agent);
+        return result;
+    }
+    // Flow A: OAuth credentials copy
+    if (provider.oauthCredentialFiles()?.length) {
+        const result = await provisionOAuthCopy(agent, provider);
+        if (!result.startsWith('❌'))
+            logLine('provision_llm_auth', `provider=${provider.name}`, agent);
+        return result;
+    }
+    // Fallback: OOB key collection for non-OAuth or non-copyable providers
+    const oob = await collectOobApiKey(agent.friendlyName, 'provision_llm_auth', {
+        prompt: `Enter API key for ${provider.name} on ${agent.friendlyName}`,
+    });
+    if ('fallback' in oob)
+        return oob.fallback ?? 'Error: OOB operation cancelled.';
+    const result = await provisionApiKey(agent, decryptPassword(oob.password), provider);
+    if (!result.startsWith('❌'))
+        logLine('provision_llm_auth', `provider=${provider.name}`, agent);
+    return result;
+}
+//# sourceMappingURL=provision-auth.js.map

package/dist/tools/provision-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provision-auth.js","sourceRoot":"","sources":["../../src/tools/provision-auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,MAAM,SAAS,CAAC;AAEzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAC7E,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AAC9F,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAIlD,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,GAAG,gBAAgB;IACnB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CACrC,0LAA0L,CAC3L;CACF,CAAC,CAAC;AAIH;;;;;GAKG;AACH,KAAK,UAAU,sBAAsB,CAAC,KAAY,EAAE,SAAkB;IACpE,MAAM,IAAI,GAAG,aAAa,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;IACvC,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,aAAa,GAAG,kBAAkB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,GAAG,SAAS,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAChD,MAAM,GAAG,GAAG,OAAO,aAAa,QAAQ,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,+CAA+C,CAAC,EAAE,CAAC;IAChI,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACtD,OAAO,MAAM,CAAC,IAAI,KAAK,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,iBAAiB,CAAC,KAAY,EAAE,QAAyB,EAAE,SAAkB;IAC1F,MAAM,IAAI,GAAG,aAAa,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,GAAG,SAAS,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAChD,MAAM,GAAG,GAAG,GAAG,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;IACtD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACtD,OAAO,MAAM,CAAC,IAAI,KAAK,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,8DAA8D;AAC9D,8EAA8E;AAC9E,KAAK,UAAU,kBAAkB,CAAC,KAAY,EAAE,QAAyB;IACvE,MAAM,IAAI,GAAG,aAAa,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IAEpC,MAAM,eAAe,GAAG,QAAQ,CAAC,oBAAoB,EAAE,CAAC;IACxD,IAAI,CAAC,eAAe,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,OAAO,eAAe,QAAQ,CAAC,IAAI,2CAA2C,CAAC;IACjF,CAAC;IAED,2BAA2B;IAC3B,IAAI,UAAU,GAAkD,IAAI,CAAC;IACrE,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YAC5D,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC7B,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;gBACpD,sCAAsC;gBACtC,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;oBACnC,UAAU,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;oBAC1C,IAAI,UAAU,EAAE,MAAM,KAAK,oBAAoB,EAAE,CAAC;wBAChD,OAAO,oBAAoB,IAAI,CAAC,SAAS;CACtD;8BACiB,wBAAwB,QAAQ,CAAC,IAAI,2CAA2C,CAAC;oBACvF,CAAC;gBACL,CAAC;gBACD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,EAAE,KAAK,CAAC,CAAC;gBACrG,IAAI,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;oBACvC,OAAO,qBAAqB,IAAI,CAAC,UAAU,QAAQ,KAAK,CAAC,YAAY,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC;gBAC7F,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO,2CAA2C,SAAS,EAAE,CAAC;YAChE,CAAC;QACH,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,oBAAoB,IAAI,CAAC,SAAS,QAAQ,KAAK,CAAC,YAAY,MAAM,GAAG,CAAC,OAAO,EAAE,CAAC;QACzF,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,MAAM,QAAQ,GAAG,QAAQ,CAAC,kBAAkB,EAAE,CAAC;IAC/C,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;QACvF,MAAM,kBAAkB,GAAG,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC;QAClI,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,aAAa,CAAC,kBAAkB,EAAE,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC;YACnG,IAAI,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBACvC,OAAO,kCAAkC,KAAK,CAAC,YAAY,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC;YACnF,CAAC;QACH,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,kCAAkC,KAAK,CAAC,YAAY,MAAM,GAAG,CAAC,OAAO,EAAE,CAAC;QACjF,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,MAAM,WAAW,GAAG,QAAQ,CAAC,mBAAmB,EAAE,IAAI,EAAE,CAAC;IACzD,KAAK,MAAM,MAAM,IAAI,WAAW,EAAE,CAAC;QACjC,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACxC,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;YAC5B,+BAA+B;YAC/B,MAAM,QAAQ,CAAC,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,KAAK,QAAQ;QAC1C,CAAC,CAAC,MAAM,sBAAsB,CAAC,KAAK,CAAC;QACrC,CAAC,CAAC,MAAM,iBAAiB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAE7C,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAErB,MAAM,UAAU,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAErD,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,2BAA2B,QAAQ,CAAC,IAAI,iBAAiB,KAAK,CAAC,YAAY;CACrF;cACO,sCAAsC,QAAQ,CAAC,IAAI,aAAa,MAAM,EAAE,CAAC;IAC/E,CAAC;IAED,OAAO,MAAM,QAAQ,CAAC,IAAI,mCAAmC,KAAK,CAAC,YAAY;CAChF;UACK,qEAAqE,MAAM,EAAE,CAAC;AACpF,CAAC;AAGD,8EAA8E;AAC9E,4CAA4C;AAC5C,8EAA8E;AAE9E,KAAK,UAAU,eAAe,CAAC,KAAY,EAAE,MAAc,EAAE,QAAyB;IACpF,MAAM,IAAI,GAAG,aAAa,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,UAAU,GAAG,QAAQ,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAEjD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACtD,IAAI,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBACvC,MAAM,CAAC,IAAI,CAAC,YAAY,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;YAC/E,CAAC;QACH,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,IAAI,CAAC,mBAAmB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,WAAW,CAAC,KAAK,CAAC,EAAE,EAAE;QACpB,gBAAgB,EAAE,EAAE,GAAG,KAAK,CAAC,gBAAgB,EAAE,CAAC,UAAU,CAAC,EAAE,eAAe,CAAC,MAAM,CAAC,EAAE;KACvF,CAAC,CAAC;IAEH,8CAA8C;IAC9C,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,EAAE,KAAK,CAAC,CAAC;QACrF,QAAQ,GAAG,YAAY,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,gCAAgC;IAClC,CAAC;IAED,8BAA8B;IAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,KAAK,QAAQ;QAC1C,CAAC,CAAC,MAAM,sBAAsB,CAAC,KAAK,EAAE,SAAS,CAAC;QAChD,CAAC,CAAC,MAAM,iBAAiB,CAAC,KAAK,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;IAExD,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAErB,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,6BAA6B,KAAK,CAAC,YAAY;CAC5D,CAAC;IACA,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,+CAA+C,KAAK,CAAC,YAAY;CAC9E,CAAC;QACE,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,MAAM,IAAI,OAAO,CAAC;CACvB,CAAC;QACE,CAAC;IACH,CAAC;IAED,MAAM,IAAI;iBACK,UAAU;CAC1B,CAAC;IACA,MAAM,IAAI,mBAAmB,QAAQ,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC,CAAC,sCAAsC;CAC5G,CAAC;IACA,MAAM,IAAI,gBAAgB,SAAS,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,IAAI,iCAAiC,CAAC,CAAC,CAAC,yCAAyC;CACpI,CAAC;IAEA,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAyB;IAC3D,MAAM,YAAY,GAAG,aAAa,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;IACvE,IAAI,OAAO,YAAY,KAAK,QAAQ;QAAE,OAAO,YAAY,CAAC;IAC1D,MAAM,KAAK,GAAG,YAAqB,CAAC;IAEpC,IAAI,KAAK,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;QAChC,OAAO,gBAAgB,KAAK,CAAC,YAAY,4DAA4D,CAAC;IACxG,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,cAAc,EAAE,CAAC;IAC7C,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,OAAO,aAAa,KAAK,CAAC,YAAY,iBAAiB,IAAI,CAAC,KAAK,EAAE,CAAC;IACtE,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAEhD,uCAAuC;IACvC,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,QAAQ,GAAG,wCAAwC,CAAC;QAC1D,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;QACrC,IAAI,KAA6B,CAAC;QAClC,OAAO,CAAC,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI;YAAE,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACjF,IAAI,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC;QAChC,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG,iBAAiB,CAAC,IAAI,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;YAC1D,IAAI,CAAC,KAAK;gBAAE,OAAO,iBAAiB,IAAI,8CAA8C,CAAC;YACvF,IAAI,QAAQ,IAAI,KAAK;gBAAE,OAAO,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;YAClD,IAAI,SAAS,IAAI,KAAK;gBAAE,OAAO,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;YACpD,WAAW,GAAG,WAAW,CAAC,UAAU,CAAC,YAAY,IAAI,IAAI,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAC9E,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QACnE,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,CAAC,oBAAoB,EAAE,YAAY,QAAQ,CAAC,IAAI,EAAE,EAAE,KAAK,CAAC,CAAC;QAC/F,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,iCAAiC;IACjC,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,CAAC,oBAAoB,EAAE,YAAY,QAAQ,CAAC,IAAI,EAAE,EAAE,KAAK,CAAC,CAAC;QAC/F,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,uEAAuE;IACvE,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,YAAY,EAAE,oBAAoB,EAAE;QAC3E,MAAM,EAAE,qBAAqB,QAAQ,CAAC,IAAI,OAAO,KAAK,CAAC,YAAY,EAAE;KACtE,CAAC,CAAC;IACH,IAAI,UAAU,IAAI,GAAG;QAAE,OAAO,GAAG,CAAC,QAAQ,IAAI,iCAAiC,CAAC;IAChF,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,eAAe,CAAC,GAAG,CAAC,QAAS,CAAC,EAAE,QAAQ,CAAC,CAAC;IACtF,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,CAAC,oBAAoB,EAAE,YAAY,QAAQ,CAAC,IAAI,EAAE,EAAE,KAAK,CAAC,CAAC;IAC/F,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/tools/provision-vcs-auth.d.ts

@@ -0,0 +1,50 @@
+import { z } from 'zod';
+export declare const provisionVcsAuthSchema: z.ZodObject<{
+    provider: z.ZodEnum<["github", "bitbucket", "azure-devops"]>;
+    label: z.ZodOptional<z.ZodString>;
+    scope_url: z.ZodOptional<z.ZodString>;
+    github_mode: z.ZodOptional<z.ZodEnum<["github-app", "pat"]>>;
+    token: z.ZodOptional<z.ZodString>;
+    git_access: z.ZodOptional<z.ZodEnum<["read", "push", "admin", "issues", "full"]>>;
+    repos: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    email: z.ZodOptional<z.ZodString>;
+    api_token: z.ZodOptional<z.ZodString>;
+    workspace: z.ZodOptional<z.ZodString>;
+    org_url: z.ZodOptional<z.ZodString>;
+    pat: z.ZodOptional<z.ZodString>;
+    member_id: z.ZodOptional<z.ZodString>;
+    member_name: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    provider: "github" | "bitbucket" | "azure-devops";
+    token?: string | undefined;
+    git_access?: "read" | "push" | "admin" | "issues" | "full" | undefined;
+    pat?: string | undefined;
+    repos?: string[] | undefined;
+    workspace?: string | undefined;
+    email?: string | undefined;
+    member_id?: string | undefined;
+    member_name?: string | undefined;
+    label?: string | undefined;
+    scope_url?: string | undefined;
+    github_mode?: "github-app" | "pat" | undefined;
+    api_token?: string | undefined;
+    org_url?: string | undefined;
+}, {
+    provider: "github" | "bitbucket" | "azure-devops";
+    token?: string | undefined;
+    git_access?: "read" | "push" | "admin" | "issues" | "full" | undefined;
+    pat?: string | undefined;
+    repos?: string[] | undefined;
+    workspace?: string | undefined;
+    email?: string | undefined;
+    member_id?: string | undefined;
+    member_name?: string | undefined;
+    label?: string | undefined;
+    scope_url?: string | undefined;
+    github_mode?: "github-app" | "pat" | undefined;
+    api_token?: string | undefined;
+    org_url?: string | undefined;
+}>;
+export type ProvisionVcsAuthInput = z.infer<typeof provisionVcsAuthSchema>;
+export declare function provisionVcsAuth(input: ProvisionVcsAuthInput): Promise<string>;
+//# sourceMappingURL=provision-vcs-auth.d.ts.map

package/dist/tools/provision-vcs-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provision-vcs-auth.d.ts","sourceRoot":"","sources":["../../src/tools/provision-vcs-auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AA0CxB,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAoBjC,CAAC;AAEH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AA0B3E,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,qBAAqB,GAAG,OAAO,CAAC,MAAM,CAAC,CA4GpF"}

package/dist/tools/provision-vcs-auth.js

@@ -0,0 +1,187 @@
+import { z } from 'zod';
+import { getStrategy } from '../services/strategy.js';
+import { getOsCommands } from '../os/index.js';
+import { getAgentOS, touchAgent, checkVcsTokenExpiry } from '../utils/agent-helpers.js';
+import { memberIdentifier, resolveMember } from '../utils/resolve-member.js';
+import { updateAgent } from '../services/registry.js';
+import { credentialResolve } from '../services/credential-store.js';
+import { collectOobApiKey } from '../services/auth-socket.js';
+import { decryptPassword } from '../utils/crypto.js';
+import { githubProvider } from '../services/vcs/github.js';
+import { bitbucketProvider } from '../services/vcs/bitbucket.js';
+import { azureDevOpsProvider } from '../services/vcs/azure-devops.js';
+import { scheduleCredentialCleanup, cancelCredentialCleanup } from '../services/credential-cleanup.js';
+import { PROVIDER_HOSTS } from '../services/vcs/constants.js';
+import { logLine } from '../utils/log-helpers.js';
+const TOKEN_RE = /\{\{secure\.([a-zA-Z0-9_-]{1,64})\}\}/g;
+function resolveSecureField(value, callingMember) {
+    const tokenNames = new Set();
+    let match;
+    TOKEN_RE.lastIndex = 0;
+    while ((match = TOKEN_RE.exec(value)) !== null)
+        tokenNames.add(match[1]);
+    let resolved = value;
+    for (const name of tokenNames) {
+        const entry = credentialResolve(name, callingMember);
+        if (!entry)
+            return { error: `Credential "${name}" not found. Run credential_store_set first.` };
+        if ('denied' in entry)
+            return { error: entry.denied };
+        if ('expired' in entry)
+            return { error: entry.expired };
+        resolved = resolved.replaceAll(`{{secure.${name}}}`, entry.plaintext);
+    }
+    return { resolved };
+}
+const providers = {
+    'github': githubProvider,
+    'bitbucket': bitbucketProvider,
+    'azure-devops': azureDevOpsProvider,
+};
+export const provisionVcsAuthSchema = z.object({
+    ...memberIdentifier,
+    provider: z.enum(['github', 'bitbucket', 'azure-devops']).describe('VCS provider to configure'),
+    label: z.string().regex(/^[a-zA-Z0-9_-]{1,64}$/).optional().describe('Credential label (slug, e.g. "work-github"). Defaults to provider name. Enables multiple credentials per provider.'),
+    scope_url: z.string().optional().describe('Git credential scope URL (e.g. "https://github.com/my-org"). Defaults to "https://<host>".'),
+    // GitHub fields
+    github_mode: z.enum(['github-app', 'pat']).optional().describe('GitHub auth mode: github-app (mint via configured app) or pat (personal access token)'),
+    token: z.string().optional().describe('Personal access token (GitHub PAT or Azure DevOps PAT). Supports {{secure.NAME}} token — value is resolved from the credential store before use.'),
+    git_access: z.enum(['read', 'push', 'admin', 'issues', 'full']).optional().describe('GitHub App access level override'),
+    repos: z.array(z.string()).optional().describe('GitHub App repository list override'),
+    // Bitbucket fields
+    email: z.string().optional().describe('Bitbucket account email'),
+    api_token: z.string().optional().describe('Bitbucket API token. Supports {{secure.NAME}} token — value is resolved from the credential store before use.'),
+    workspace: z.string().optional().describe('Bitbucket workspace slug'),
+    // Azure DevOps fields
+    org_url: z.string().optional().describe('Azure DevOps organization URL (e.g. https://dev.azure.com/myorg)'),
+    pat: z.string().optional().describe('Azure DevOps personal access token. Supports {{secure.NAME}} token — value is resolved from the credential store before use.'),
+});
+function buildCredentials(input) {
+    switch (input.provider) {
+        case 'github': {
+            const mode = input.github_mode ?? 'github-app';
+            if (mode === 'pat') {
+                if (!input.token)
+                    return 'GitHub PAT mode requires "token" field.';
+                return { type: 'pat', token: input.token };
+            }
+            return { type: 'github-app', git_access: input.git_access, repos: input.repos };
+        }
+        case 'bitbucket': {
+            if (!input.email || !input.api_token || !input.workspace) {
+                return 'Bitbucket requires "email", "api_token", and "workspace" fields.';
+            }
+            return { email: input.email, api_token: input.api_token, workspace: input.workspace };
+        }
+        case 'azure-devops': {
+            const azPat = input.pat ?? input.token;
+            if (!input.org_url || !azPat)
+                return 'Azure DevOps requires "org_url" and "pat" (or "token") fields.';
+            return { org_url: input.org_url, pat: azPat };
+        }
+    }
+}
+export async function provisionVcsAuth(input) {
+    const agentOrError = resolveMember(input.member_id, input.member_name);
+    if (typeof agentOrError === 'string')
+        return agentOrError;
+    const agent = agentOrError;
+    const service = providers[input.provider];
+    // Resolve {{secure.NAME}} tokens in credential fields
+    const resolvedInput = { ...input };
+    for (const field of ['token', 'api_token', 'pat']) {
+        if (resolvedInput[field]) {
+            const r = resolveSecureField(resolvedInput[field], agent.friendlyName);
+            if ('error' in r)
+                return `❌ ${r.error}`;
+            resolvedInput[field] = r.resolved;
+        }
+    }
+    // OOB fallback for absent credential fields
+    if (resolvedInput.provider === 'github' && (resolvedInput.github_mode ?? 'github-app') === 'pat' && resolvedInput.token === undefined) {
+        const oob = await collectOobApiKey(agent.friendlyName, 'provision_vcs_auth', {
+            prompt: `Enter GitHub personal access token for ${agent.friendlyName}`,
+        });
+        if ('fallback' in oob)
+            return oob.fallback ?? 'Error: OOB operation cancelled.';
+        resolvedInput.token = decryptPassword(oob.password);
+    }
+    if (resolvedInput.provider === 'bitbucket' && resolvedInput.api_token === undefined) {
+        const oob = await collectOobApiKey(agent.friendlyName, 'provision_vcs_auth', {
+            prompt: `Enter Bitbucket API token for ${agent.friendlyName}`,
+        });
+        if ('fallback' in oob)
+            return oob.fallback ?? 'Error: OOB operation cancelled.';
+        resolvedInput.api_token = decryptPassword(oob.password);
+    }
+    if (resolvedInput.provider === 'azure-devops' && resolvedInput.pat === undefined && resolvedInput.token === undefined) {
+        const oob = await collectOobApiKey(agent.friendlyName, 'provision_vcs_auth', {
+            prompt: `Enter Azure DevOps personal access token for ${agent.friendlyName}`,
+        });
+        if ('fallback' in oob)
+            return oob.fallback ?? 'Error: OOB operation cancelled.';
+        resolvedInput.pat = decryptPassword(oob.password);
+    }
+    const creds = buildCredentials(resolvedInput);
+    if (typeof creds === 'string')
+        return `❌ ${creds}`;
+    const label = input.label ?? input.provider;
+    const host = PROVIDER_HOSTS[input.provider];
+    const scopeUrl = input.scope_url ?? `https://${host}`;
+    // Cancel any existing credential cleanup timer before re-provisioning
+    cancelCredentialCleanup(agent.id);
+    const strategy = getStrategy(agent);
+    const conn = await strategy.testConnection();
+    if (!conn.ok)
+        return `❌ Member "${agent.friendlyName}" is offline: ${conn.error}`;
+    const cmds = getOsCommands(getAgentOS(agent));
+    const exec = async (cmd) => {
+        const result = await strategy.execCommand(cmd, 15000);
+        if (result.code !== 0 && result.stderr)
+            throw new Error(result.stderr);
+        return result.stdout;
+    };
+    // Legacy migration: remove old single-file credential helpers
+    try {
+        await exec(cmds.gitCredentialHelperRemove(host));
+    }
+    catch { /* best-effort */ }
+    let deployResult;
+    try {
+        deployResult = await service.deploy(agent, cmds, exec, creds, label, scopeUrl);
+    }
+    catch (err) {
+        return `❌ Failed to deploy ${input.provider} credentials on "${agent.friendlyName}": ${err.message}`;
+    }
+    if (!deployResult.success)
+        return `❌ ${deployResult.message}`;
+    // Persist VCS provider and token expiry in the agent registry
+    updateAgent(agent.id, {
+        vcsProvider: input.provider,
+        vcsTokenExpiresAt: deployResult.metadata?.expiresAt,
+    });
+    // Schedule auto-cleanup when token expires
+    scheduleCredentialCleanup(agent.id, deployResult.metadata?.expiresAt);
+    // Best-effort connectivity test
+    let connectivity;
+    try {
+        connectivity = await service.testConnectivity(agent, exec);
+    }
+    catch {
+        connectivity = { success: false, message: 'connectivity test threw' };
+    }
+    touchAgent(agent.id);
+    logLine('provision_vcs_auth', `provider=${input.provider}`, agent);
+    const meta = deployResult.metadata
+        ? Object.entries(deployResult.metadata).map(([k, v]) => `  ${k}: ${v}`).join('\n')
+        : '';
+    // Check if the just-deployed token is already near expiry
+    const expiryWarning = deployResult.metadata?.expiresAt
+        ? checkVcsTokenExpiry({ ...agent, vcsTokenExpiresAt: deployResult.metadata.expiresAt })
+        : null;
+    return `✅ ${deployResult.message} on "${agent.friendlyName}"\n`
+        + (meta ? meta + '\n' : '')
+        + `  Verification: ${connectivity.success ? connectivity.message : `⚠️ ${connectivity.message}`}`
+        + (expiryWarning ? `\n  ${expiryWarning}` : '');
+}
+//# sourceMappingURL=provision-vcs-auth.js.map

package/dist/tools/provision-vcs-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provision-vcs-auth.js","sourceRoot":"","sources":["../../src/tools/provision-vcs-auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACxF,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAC7E,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,uBAAuB,EAAE,MAAM,mCAAmC,CAAC;AACvG,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAIlD,MAAM,QAAQ,GAAG,wCAAwC,CAAC;AAE1D,SAAS,kBAAkB,CAAC,KAAa,EAAE,aAAqB;IAC9D,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,IAAI,KAA6B,CAAC;IAClC,QAAQ,CAAC,SAAS,GAAG,CAAC,CAAC;IACvB,OAAO,CAAC,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,IAAI;QAAE,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACzE,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,iBAAiB,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;QACrD,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,KAAK,EAAE,eAAe,IAAI,8CAA8C,EAAE,CAAC;QAChG,IAAI,QAAQ,IAAI,KAAK;YAAE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC;QACtD,IAAI,SAAS,IAAI,KAAK;YAAE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;QACxD,QAAQ,GAAG,QAAQ,CAAC,UAAU,CAAC,YAAY,IAAI,IAAI,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtB,CAAC;AAED,MAAM,SAAS,GAAuC;IACpD,QAAQ,EAAE,cAAc;IACxB,WAAW,EAAE,iBAAiB;IAC9B,cAAc,EAAE,mBAAmB;CACpC,CAAC;AAEF,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7C,GAAG,gBAAgB;IACnB,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,2BAA2B,CAAC;IAC/F,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,oHAAoH,CAAC;IAC1L,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,4FAA4F,CAAC;IAEvI,gBAAgB;IAChB,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,uFAAuF,CAAC;IACvJ,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kJAAkJ,CAAC;IACzL,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kCAAkC,CAAC;IACvH,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,qCAAqC,CAAC;IAErF,mBAAmB;IACnB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,yBAAyB,CAAC;IAChE,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,+GAA+G,CAAC;IAC1J,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,0BAA0B,CAAC;IAErE,sBAAsB;IACtB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kEAAkE,CAAC;IAC3G,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,8HAA8H,CAAC;CACpK,CAAC,CAAC;AAIH,SAAS,gBAAgB,CAAC,KAA4B;IACpD,QAAQ,KAAK,CAAC,QAAQ,EAAE,CAAC;QACvB,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,IAAI,GAAG,KAAK,CAAC,WAAW,IAAI,YAAY,CAAC;YAC/C,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;gBACnB,IAAI,CAAC,KAAK,CAAC,KAAK;oBAAE,OAAO,yCAAyC,CAAC;gBACnE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;YAC7C,CAAC;YACD,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;QAClF,CAAC;QACD,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;gBACzD,OAAO,kEAAkE,CAAC;YAC5E,CAAC;YACD,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC;QACxF,CAAC;QACD,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,IAAI,KAAK,CAAC,KAAK,CAAC;YACvC,IAAI,CAAC,KAAK,CAAC,OAAO,IAAI,CAAC,KAAK;gBAAE,OAAO,gEAAgE,CAAC;YACtG,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAA4B;IACjE,MAAM,YAAY,GAAG,aAAa,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;IACvE,IAAI,OAAO,YAAY,KAAK,QAAQ;QAAE,OAAO,YAAY,CAAC;IAC1D,MAAM,KAAK,GAAG,YAAqB,CAAC;IAEpC,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAE1C,sDAAsD;IACtD,MAAM,aAAa,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;IACnC,KAAK,MAAM,KAAK,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,KAAK,CAAU,EAAE,CAAC;QAC3D,IAAI,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,CAAC,GAAG,kBAAkB,CAAC,aAAa,CAAC,KAAK,CAAE,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;YACxE,IAAI,OAAO,IAAI,CAAC;gBAAE,OAAO,KAAK,CAAC,CAAC,KAAK,EAAE,CAAC;YACxC,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QACpC,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,IAAI,aAAa,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,aAAa,CAAC,WAAW,IAAI,YAAY,CAAC,KAAK,KAAK,IAAI,aAAa,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QACtI,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,YAAY,EAAE,oBAAoB,EAAE;YAC3E,MAAM,EAAE,0CAA0C,KAAK,CAAC,YAAY,EAAE;SACvE,CAAC,CAAC;QACH,IAAI,UAAU,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC,QAAQ,IAAI,iCAAiC,CAAC;QAChF,aAAa,CAAC,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,QAAS,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,aAAa,CAAC,QAAQ,KAAK,WAAW,IAAI,aAAa,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpF,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,YAAY,EAAE,oBAAoB,EAAE;YAC3E,MAAM,EAAE,iCAAiC,KAAK,CAAC,YAAY,EAAE;SAC9D,CAAC,CAAC;QACH,IAAI,UAAU,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC,QAAQ,IAAI,iCAAiC,CAAC;QAChF,aAAa,CAAC,SAAS,GAAG,eAAe,CAAC,GAAG,CAAC,QAAS,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,aAAa,CAAC,QAAQ,KAAK,cAAc,IAAI,aAAa,CAAC,GAAG,KAAK,SAAS,IAAI,aAAa,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QACtH,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,YAAY,EAAE,oBAAoB,EAAE;YAC3E,MAAM,EAAE,gDAAgD,KAAK,CAAC,YAAY,EAAE;SAC7E,CAAC,CAAC;QACH,IAAI,UAAU,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC,QAAQ,IAAI,iCAAiC,CAAC;QAChF,aAAa,CAAC,GAAG,GAAG,eAAe,CAAC,GAAG,CAAC,QAAS,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,KAAK,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;IAC9C,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,KAAK,EAAE,CAAC;IAEnD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,QAAQ,CAAC;IAC5C,MAAM,IAAI,GAAG,cAAc,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAS,IAAI,WAAW,IAAI,EAAE,CAAC;IAEtD,sEAAsE;IACtE,uBAAuB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAElC,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,cAAc,EAAE,CAAC;IAC7C,IAAI,CAAC,IAAI,CAAC,EAAE;QAAE,OAAO,aAAa,KAAK,CAAC,YAAY,iBAAiB,IAAI,CAAC,KAAK,EAAE,CAAC;IAElF,MAAM,IAAI,GAAG,aAAa,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;IAC9C,MAAM,IAAI,GAAG,KAAK,EAAE,GAAW,EAAmB,EAAE;QAClD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACtD,IAAI,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,MAAM,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACvE,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC,CAAC;IAEF,8DAA8D;IAC9D,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;IAE7B,IAAI,YAAY,CAAC;IACjB,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;IACjF,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,sBAAsB,KAAK,CAAC,QAAQ,oBAAoB,KAAK,CAAC,YAAY,MAAM,GAAG,CAAC,OAAO,EAAE,CAAC;IACvG,CAAC;IAED,IAAI,CAAC,YAAY,CAAC,OAAO;QAAE,OAAO,KAAK,YAAY,CAAC,OAAO,EAAE,CAAC;IAE9D,8DAA8D;IAC9D,WAAW,CAAC,KAAK,CAAC,EAAE,EAAE;QACpB,WAAW,EAAE,KAAK,CAAC,QAAQ;QAC3B,iBAAiB,EAAE,YAAY,CAAC,QAAQ,EAAE,SAAS;KACpD,CAAC,CAAC;IAEH,2CAA2C;IAC3C,yBAAyB,CAAC,KAAK,CAAC,EAAE,EAAE,YAAY,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAEtE,gCAAgC;IAChC,IAAI,YAAY,CAAC;IACjB,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,YAAY,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC;IACxE,CAAC;IAED,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACrB,OAAO,CAAC,oBAAoB,EAAE,YAAY,KAAK,CAAC,QAAQ,EAAE,EAAE,KAAK,CAAC,CAAC;IAEnE,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ;QAChC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;QAClF,CAAC,CAAC,EAAE,CAAC;IAEP,0DAA0D;IAC1D,MAAM,aAAa,GAAG,YAAY,CAAC,QAAQ,EAAE,SAAS;QACpD,CAAC,CAAC,mBAAmB,CAAC,EAAE,GAAG,KAAK,EAAE,iBAAiB,EAAE,YAAY,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;QACvF,CAAC,CAAC,IAAI,CAAC;IAET,OAAO,KAAK,YAAY,CAAC,OAAO,QAAQ,KAAK,CAAC,YAAY,KAAK;UAC3D,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;UACzB,mBAAmB,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,YAAY,CAAC,OAAO,EAAE,EAAE;UAC/F,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AACpD,CAAC"}

package/dist/tools/receive-files.d.ts

@@ -0,0 +1,20 @@
+import { z } from 'zod';
+export declare const receiveFilesSchema: z.ZodObject<{
+    remote_paths: z.ZodArray<z.ZodString, "many">;
+    local_dest_dir: z.ZodString;
+    member_id: z.ZodOptional<z.ZodString>;
+    member_name: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    remote_paths: string[];
+    local_dest_dir: string;
+    member_id?: string | undefined;
+    member_name?: string | undefined;
+}, {
+    remote_paths: string[];
+    local_dest_dir: string;
+    member_id?: string | undefined;
+    member_name?: string | undefined;
+}>;
+export type ReceiveFilesInput = z.infer<typeof receiveFilesSchema>;
+export declare function receiveFiles(input: ReceiveFilesInput, extra?: any): Promise<string>;
+//# sourceMappingURL=receive-files.d.ts.map

package/dist/tools/receive-files.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"receive-files.d.ts","sourceRoot":"","sources":["../../src/tools/receive-files.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAUxB,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;EAW7B,CAAC;AAEH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEnE,wBAAsB,YAAY,CAAC,KAAK,EAAE,iBAAiB,EAAE,KAAK,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAuEzF"}

package/dist/tools/receive-files.js

@@ -0,0 +1,82 @@
+import path from 'node:path';
+import { z } from 'zod';
+import { getStrategy } from '../services/strategy.js';
+import { touchAgent } from '../utils/agent-helpers.js';
+import { memberIdentifier, resolveMember } from '../utils/resolve-member.js';
+import { writeStatusline } from '../services/statusline.js';
+import { ensureCloudReady } from '../services/cloud/lifecycle.js';
+import { isContainedInWorkFolder } from '../utils/platform.js';
+import { LogScope } from '../utils/log-helpers.js';
+export const receiveFilesSchema = z.object({
+    ...memberIdentifier,
+    remote_paths: z.array(z.string()).describe('Paths on the member to download. Relative paths resolved from work_folder. ' +
+        'Absolute paths must remain within work_folder — paths outside it are rejected. ' +
+        'Always batch multiple files into a single call.'),
+    // No boundary restriction — caller controls their own local filesystem
+    local_dest_dir: z.string().describe('Required. Local directory to write the downloaded files into.'),
+});
+export async function receiveFiles(input, extra) {
+    const agentOrError = resolveMember(input.member_id, input.member_name);
+    if (typeof agentOrError === 'string')
+        return agentOrError;
+    let agent;
+    try {
+        agent = await ensureCloudReady(agentOrError); // auto-start if stopped
+    }
+    catch (err) {
+        return `Failed to download files from "${agentOrError.friendlyName}": ${err.message}`;
+    }
+    // Path security: verify each remote_path stays within work_folder
+    for (const remotePath of input.remote_paths) {
+        if (remotePath.includes('\0')) {
+            return `⛔ Invalid remote_path: null bytes are not allowed.`;
+        }
+        if (agent.agentType === 'local') {
+            const resolved = path.resolve(agent.workFolder, remotePath);
+            const workFolderNorm = path.resolve(agent.workFolder);
+            if (resolved !== workFolderNorm && !resolved.startsWith(workFolderNorm + path.sep)) {
+                return `remote_path "${remotePath}" resolves outside member work_folder — read blocked`;
+            }
+        }
+        else {
+            if (!isContainedInWorkFolder(agent.workFolder, remotePath)) {
+                return `remote_path "${remotePath}" resolves outside member work_folder — read blocked`;
+            }
+        }
+    }
+    const strategy = getStrategy(agent);
+    const pathSummary = input.remote_paths[0] ?? '';
+    const scope = new LogScope('receive_files', `${input.remote_paths.length} file(s) ← ${agent.friendlyName}:${pathSummary}`, agent);
+    writeStatusline(new Map([[agent.id, 'busy']]));
+    try {
+        const result = await strategy.receiveFiles(input.remote_paths, input.local_dest_dir, extra?.signal);
+        touchAgent(agent.id);
+        let output = '';
+        if (result.success.length > 0) {
+            output += `✅ Successfully downloaded ${result.success.length} file(s) from ${agent.friendlyName}:\n`;
+            for (const f of result.success) {
+                output += `  - ${f}\n`;
+            }
+        }
+        if (result.failed.length > 0) {
+            output += `\n❌ Failed to download ${result.failed.length} file(s):\n`;
+            for (const f of result.failed) {
+                output += `  - ${f.path}: ${f.error}\n`;
+            }
+        }
+        output += `\nLocal destination: ${input.local_dest_dir}`;
+        if (result.failed.length > 0 && result.success.length > 0)
+            scope.fail(`${result.success.length} ok, ${result.failed.length} failed`);
+        else if (result.failed.length > 0)
+            scope.abort(`all ${result.failed.length} file(s) failed`);
+        else
+            scope.ok(`${result.success.length} file(s)`);
+        return output;
+    }
+    catch (err) {
+        writeStatusline(new Map([[agent.id, 'offline']]));
+        scope.abort(err.message);
+        return `Failed to download files from "${agent.friendlyName}": ${err.message}`;
+    }
+}
+//# sourceMappingURL=receive-files.js.map

package/dist/tools/receive-files.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"receive-files.js","sourceRoot":"","sources":["../../src/tools/receive-files.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAC7E,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAClE,OAAO,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AAGnD,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IACzC,GAAG,gBAAgB;IACnB,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CACxC,6EAA6E;QAC7E,iFAAiF;QACjF,iDAAiD,CAClD;IACD,uEAAuE;IACvE,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CACjC,+DAA+D,CAChE;CACF,CAAC,CAAC;AAIH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,KAAwB,EAAE,KAAW;IACtE,MAAM,YAAY,GAAG,aAAa,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;IACvE,IAAI,OAAO,YAAY,KAAK,QAAQ;QAAE,OAAO,YAAY,CAAC;IAC1D,IAAI,KAAY,CAAC;IACjB,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,gBAAgB,CAAC,YAAqB,CAAC,CAAC,CAAC,wBAAwB;IACjF,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,kCAAmC,YAAsB,CAAC,YAAY,MAAM,GAAG,CAAC,OAAO,EAAE,CAAC;IACnG,CAAC;IAED,kEAAkE;IAClE,KAAK,MAAM,UAAU,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;QAC5C,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,OAAO,oDAAoD,CAAC;QAC9D,CAAC;QACD,IAAI,KAAK,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;YAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;YAC5D,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YACtD,IAAI,QAAQ,KAAK,cAAc,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnF,OAAO,gBAAgB,UAAU,sDAAsD,CAAC;YAC1F,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,uBAAuB,CAAC,KAAK,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,CAAC;gBAC3D,OAAO,gBAAgB,UAAU,sDAAsD,CAAC;YAC1F,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IAEpC,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAChD,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,eAAe,EAAE,GAAG,KAAK,CAAC,YAAY,CAAC,MAAM,cAAc,KAAK,CAAC,YAAY,IAAI,WAAW,EAAE,EAAE,KAAK,CAAC,CAAC;IAElI,eAAe,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAE/C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,KAAK,CAAC,YAAY,EAAE,KAAK,CAAC,cAAc,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAEpG,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAErB,IAAI,MAAM,GAAG,EAAE,CAAC;QAEhB,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,6BAA6B,MAAM,CAAC,OAAO,CAAC,MAAM,iBAAiB,KAAK,CAAC,YAAY,KAAK,CAAC;YACrG,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBAC/B,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;YACzB,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,0BAA0B,MAAM,CAAC,MAAM,CAAC,MAAM,aAAa,CAAC;YACtE,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAC9B,MAAM,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,KAAK,IAAI,CAAC;YAC1C,CAAC;QACH,CAAC;QAED,MAAM,IAAI,wBAAwB,KAAK,CAAC,cAAc,EAAE,CAAC;QAEzD,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;YACvD,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,QAAQ,MAAM,CAAC,MAAM,CAAC,MAAM,SAAS,CAAC,CAAC;aACvE,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;YAC/B,KAAK,CAAC,KAAK,CAAC,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,iBAAiB,CAAC,CAAC;;YAE1D,KAAK,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,UAAU,CAAC,CAAC;QAE/C,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,eAAe,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAClD,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACzB,OAAO,kCAAkC,KAAK,CAAC,YAAY,MAAM,GAAG,CAAC,OAAO,EAAE,CAAC;IACjF,CAAC;AACH,CAAC"}